


Perceptive Security
SOC/SIEM Consultancy

DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide
Published:
31 December 2025 at 16:14:00
Alert date:
31 December 2025 at 17:02:09
Source:
thehackernews.com
Web Technologies, Ransomware & Malware, Data Breach & Exfiltration
The Chinese threat actor DarkSpectre conducted three malicious browser extension campaigns (ShadyPanda, GhostPoster, and DarkSpectre) impacting 8.8 million users worldwide. The campaigns targeted Google Chrome, Microsoft Edge, and Mozilla Firefox users. The DarkSpectre campaign alone affected 2.2 million users. All three campaigns are attributed to the same Chinese threat actor tracked by Koi Security. The malicious extensions represent a significant supply chain attack vector targeting browser users globally.
Technical details
DarkSpectre operates three malicious browser extension campaigns: ShadyPanda (5.6M users affected), GhostPoster (focused on Firefox users), and Zoom Stealer (18 extensions). The campaigns use legitimate-looking extensions that contain logic bombs with time-delayed activation (waiting 3 days before triggering malicious behavior). The extensions collect meeting URLs with passwords, IDs, topics, descriptions, scheduled times, and registration status over WebSocket connections in real time. They also harvest webinar speaker/host details: names, titles, bios, profile photos, company affiliations, logos, and session metadata. The malware performs data theft, search query hijacking, affiliate fraud, click and ad fraud, and corporate meeting intelligence gathering across 28+ video conferencing platforms.
Mitigation steps:
Remove any of the identified malicious browser extensions listed in the IOCs. Monitor browser extensions for suspicious permission requests, especially extensions that request access to multiple video conferencing platforms without an evident need. Be cautious of extensions with time-delayed activation patterns. Implement corporate policies for browser extension installation and review. Monitor network traffic for suspicious WebSocket connections originating from browser extensions.
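As an added example (not code from this alert, Koi Security or The Hacker News), the following Python audit walks a Chromium-style Extensions directory, checks each extension ID against the alert's IOC list, and flags manifests whose host patterns span several conferencing platforms or that request all-site access. The directory path, the conferencing host list, the alarms heuristic and the sample manifests are assumptions; the two extension IDs are copied from the IOC list.

```python
import json
import tempfile
from pathlib import Path

# Two Chrome Web Store IDs copied from this alert's IOC list; extend with the rest.
KNOWN_BAD_IDS = {"kfokdmfpdnokpmpbjhjbcabgligoelgp", "pdadlkbckhinonakkfkdaadceojbekep"}
# Assumption: host fragments for the conferencing platforms the alert names.
CONFERENCING_HOSTS = ("meet.google.com", "zoom.us", "webex.com",
                      "teams.microsoft.com", "gotowebinar.com")

def audit_extension_dir(root):
    """Scan <root>/<id>/<version>/manifest.json; return one finding per flagged extension."""
    findings = []
    for ext_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for manifest_path in ext_dir.glob("*/manifest.json"):
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            # Collect every URL match pattern: MV3 host_permissions, MV2 permissions, content scripts.
            patterns = list(manifest.get("host_permissions", []))
            patterns += [p for p in manifest.get("permissions", []) if "/" in p or p == "<all_urls>"]
            for script in manifest.get("content_scripts", []):
                patterns += script.get("matches", [])
            reasons = []
            if ext_dir.name in KNOWN_BAD_IDS:
                reasons.append("ID is in the alert's IOC list")
            hit = sorted(h for h in CONFERENCING_HOSTS if any(h in p for p in patterns))
            if len(hit) > 1:  # one tool rarely needs several meeting platforms
                reasons.append("reaches multiple conferencing platforms: " + ", ".join(hit))
            if any(p in ("<all_urls>", "*://*/*") for p in patterns):
                reasons.append("requests access to all sites")
            if "alarms" in manifest.get("permissions", []):
                reasons.append("uses alarms, a timer that can delay activation")
            if reasons:
                findings.append({"id": ext_dir.name, "name": manifest.get("name", "?"), "reasons": reasons})
    return findings

def build_sample_profile():
    """Constructed test data, not a real profile: one IOC-listed extension, one benign one."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "kfokdmfpdnokpmpbjhjbcabgligoelgp": {"name": "Meeting Notes Helper", "permissions": ["storage", "alarms"],
            "host_permissions": ["*://*.zoom.us/*", "*://meet.google.com/*", "*://*.webex.com/*"]},
        "benignbenignbenignbenignbenignab": {"name": "Dark Mode", "permissions": ["storage"],
            "host_permissions": ["https://example.com/*"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
```

Point `audit_extension_dir` at a real profile's Extensions folder (for example `~/.config/google-chrome/Default/Extensions` on Linux) to audit installed extensions; findings are a starting point for review, not proof of compromise.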
Affected products:
Google Chrome
Microsoft Edge
Mozilla Firefox
Opera
Google Meet
Zoom
GoTo Webinar
Cisco WebEx
Microsoft Teams
Related links:
https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html
https://thehackernews.com/2025/12/ghostposter-malware-found-in-17-firefox.html
https://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers
Related CVEs:
Related threat actors:
IOCs:
kfokdmfpdnokpmpbjhjbcabgligoelgp, pdadlkbckhinonakkfkdaadceojbekep, akmdionenlnfcipmdhbhcnkighafmdha, pabkjoplheapcclldpknfpcepheldbga, aedgpiecagcpmehhelbibfbgpfiafdkm, dpdgjbnanmmlikideilnpfjjdbmneanf, kabbfhmcaaodobkfbnnehopcghicgffo, cphibdhgbdoekmkkcbbaoogedpfibeme, ceofheakaalaecnecdkdanhejojkpeai, dakebdbeofhmlnmjlmhjdmmjmfohiicn, adjoknoacleghaejlggocbakidkoifle, pgpidfocdapogajplhjofamgeboonmmj, ifklcpoenaammhnoddgedlapnodfcjpn, ebhomdageggjbmomenipfbhcjamfkmbl, ajfokipknlmjhcioemgnofkpmdnbaldi, mhjdjckeljinofckdibjiojbdpapoecj, 7536027f-96fb-4762-9e02-fdfaedd3bfb5, xtwitterdownloader@benimaddonum.com, Alibaba Cloud C2 servers, Chinese ICP registrations in Hubei province, Developer: charliesmithbons, Developer: invaliddejavu
This article was created with the assistance of AI technology by Perceptive.
