


Perceptive Security
SOC/SIEM Consultancy

Zoom Stealer browser extensions harvest corporate meeting intelligence
Published:
30 December 2025 at 15:41:53
Alert date:
30 December 2025 at 17:02:29
Source:
bleepingcomputer.com
Web Technologies, Data Breach & Exfiltration, Supply Chain & Dependencies
A newly discovered campaign called Zoom Stealer is targeting 2.2 million users across Chrome, Firefox, and Microsoft Edge browsers through 18 malicious extensions. These extensions are designed to harvest corporate meeting intelligence by collecting sensitive data from online meetings including URLs, meeting IDs, topics, descriptions, and embedded passwords. The campaign represents a significant threat to corporate security as it specifically targets business communications and meeting data. The malicious extensions operate across multiple major browsers, indicating a broad and coordinated attack strategy. This type of data harvesting could lead to corporate espionage, unauthorized access to sensitive business discussions, and compromise of meeting security credentials.
Technical details
The Zoom Stealer campaign affects 2.2 million users through 18 malicious browser extensions on Chrome, Firefox, and Microsoft Edge. The extensions request access to 28 video-conferencing platforms and collect meeting URLs, IDs, embedded passwords, registration status, topics, scheduled times, speaker/host information, and company metadata. Data is exfiltrated over WebSocket connections in real time when users visit webinar registration pages or join meetings. The extensions operate as functional tools while secretly harvesting data for corporate espionage and social engineering purposes.
Mitigation steps:
Review browser extension permissions carefully and limit extensions to the necessary minimum. Remove suspicious extensions that request excessive permissions to video-conferencing platforms. Monitor for extensions that collect meeting data, including URLs, IDs, and participant information. Check for extensions with unusual data exfiltration patterns over WebSocket connections.
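An added example, not part of the original alert or of any vendor tooling: one way to carry out the permission review above is to parse each installed extension's manifest.json and list which conferencing platforms its host patterns cover. The hostnames for the four platforms this alert names, the function names and the two-platform triage threshold are assumptions, and the manifests are constructed samples.

```python
import json
import re

# Assumed hostnames for the four platforms named above; extend for your estate.
CONF_DOMAINS = {"zoom.us": "Zoom", "teams.microsoft.com": "Microsoft Teams",
                "meet.google.com": "Google Meet", "webex.com": "Cisco WebEx"}
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HOST_RE = re.compile(r"^(?:\*|https?|wss?)://([^/]+)/")

def host_patterns(manifest):
    """Collect every match pattern that grants page access (MV2 and MV3)."""
    pats = list(manifest.get("host_permissions", []))
    pats += manifest.get("optional_host_permissions", [])
    pats += [p for p in manifest.get("permissions", [])
             if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def audit_manifest(manifest):
    """Report which conferencing platforms an extension can read or script."""
    platforms, broad = set(), False
    for pat in host_patterns(manifest):
        broad = broad or pat in BROAD
        m = HOST_RE.match(pat)
        host = m.group(1).lower() if m else ""
        wildcard = host.startswith("*.")
        host = host[2:] if wildcard else host
        for domain, name in CONF_DOMAINS.items():
            # "*.microsoft.com" also covers teams.microsoft.com
            covers_parent = wildcard and domain.endswith("." + host)
            if host == domain or host.endswith("." + domain) or covers_parent:
                platforms.add(name)
    # Assumed triage rule: a broad grant, or 2+ platforms, needs a human look.
    return {"name": manifest.get("name", "?"), "platforms": sorted(platforms),
            "broad": broad, "review": broad or len(platforms) >= 2}

# Constructed sample manifests (not taken from any real extension).
SAMPLES = [
    {"name": "Sample Video Helper", "manifest_version": 3,
     "host_permissions": ["*://*.zoom.us/*", "https://teams.microsoft.com/*"],
     "content_scripts": [{"matches": ["https://meet.google.com/*"], "js": ["c.js"]}]},
    {"name": "Sample Notes", "manifest_version": 2,
     "permissions": ["storage", "https://example.org/*"]},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(json.dumps(audit_manifest(sample)))
```

A `review` result means the grant deserves a manual look against the extension's stated purpose; broad host grants are also common in legitimate extensions.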
Affected products:
Chrome browser extensions
Firefox browser extensions
Microsoft Edge browser extensions
Zoom
Microsoft Teams
Google Meet
Cisco WebEx
Chrome Audio Capture extension
Twitter X Video Downloader extension
Related links:
https://www.bleepingcomputer.com/news/security/ghostposter-attacks-hide-malicious-javascript-in-firefox-addon-logos/
https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/
http://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers
Related CVEs:
Related threat actors:
IOCs:
18 malicious browser extensions in Zoom Stealer campaign
Chrome Audio Capture extension with 800,000 installations
Twitter X Video Downloader extension
WebSocket connections for data exfiltration
Extensions requesting access to 28 video-conferencing platforms
Hosting on Alibaba Cloud servers
Chinese-language strings and comments in code
Activity patterns matching Chinese timezone
This article was created with the assistance of AI technology by Perceptive.
