Cybersecurity firm Koi uncovered DarkSpectre, a Chinese operation that connected multiple malicious campaigns through browser extensions on Chrome, Edge, and Firefox, infecting over 8.8 million users via hundreds of seemingly legitimate add-ons over seven years.
Koi researchers first identified DarkSpectre during their investigation of ShadyPanda, a campaign that used popular Chrome and Edge extensions to infect over four million devices. Analysis showed ShadyPanda formed one part of a three-pronged operation, with all campaigns employing similar methods and pursuing aligned malicious objectives. Investigators traced ShadyPanda’s infrastructure to shared hidden domains, which linked to extensions distributed across browser marketplaces for Firefox, Edge, and Chrome.
DarkSpectre encompassed three primary campaigns:
- Zoom Stealer: infected 2.2 million users across Firefox, Chrome, and Edge.
- ShadyPanda: affected 5.6 million users on Firefox, Chrome, and Edge.
- GhostPoster: impacted 1.05 million Firefox instances.
These extensions presented a legitimate appearance, which allowed users to install them without raising suspicion. The operation delayed activation, as Chinese hackers delivered the malicious payload from command-and-control servers using concealed JavaScript code. Each of the three campaigns targeted distinct user types.
Koi determined that ShadyPanda focused on large-scale surveillance and affiliate fraud. Its extensions operated without issue for several years until hackers weaponized them. This process involved time-delayed activation combined with remote code injection.
In the Trojan Image campaign, attackers embedded a stealthy payload within a PNG icon file through steganography techniques. Affected extensions loaded this image, extracted the hidden JavaScript code from it, and executed the payload precisely 48 hours after loading.
DarkSpectre exploited a broad array of browser extensions, many related to video conferencing and media downloading. The full list includes:
- Chrome Audio Capture
- ZED: Zoom Easy Downloader
- X (Twitter) Video Downloader
- Google Meet Auto Admit
- Zoom.us Always Show “Join From Web”
- Timer for Google Meet
- CVR: Chrome Video Recorder
- GoToWebinar & GoToMeeting Download Recordings
- Meet Auto Admit
- Google Meet Tweak (Emojis, Text, Cam Effects)
- Mute All on Meet
- Google Meet Push-To-Talk
- Photo Downloader for Facebook, Instagram
- Zoomcoder Extension
- Auto-join for Google Meet
- Edge Audio Capture (Edge)
- Twitter X Video Downloader (Firefox)
- New Tab – Customized Dashboard (Edge)
- “Google Translate” by charliesmithbons
Zoom Stealer specifically aimed at corporate meeting intelligence and supported more than 28 video-conferencing platforms. It employed WebSocket-based real-time data exfiltration to access meeting links, credentials, dossiers, and other sensitive corporate information.
Indicators pointed to DarkSpectre as the work of a well-resourced Chinese state-sponsored group. The actors hosted command-and-control servers consistently on Alibaba Cloud infrastructure. They also relied on China-based internet content providers for operations. Chinese-language strings appeared throughout the codebase of the malicious components.
“The combination of patience, scale, technical sophistication, and operational diversity points to an adversary with substantial resources and long-term strategic goals,” the analysts concluded.
