DarkSpectre Hackers Spread Malware to 8.8 Million Chrome, Edge, and Firefox Users


A newly uncovered Chinese threat group, DarkSpectre, has been linked to one of the most extensive browser-extension malware campaigns on record, compromising more than 8.8 million users of Chrome, Edge, Firefox, and Opera over the past seven years.

Research by cybersecurity firm Koi.ai reveals that DarkSpectre operates through three tightly coordinated campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—unified under a single strategic framework. Unlike opportunistic cybercriminals, DarkSpectre demonstrates long-term planning, infrastructure reuse, and multi-platform targeting consistent with a well-resourced, likely state-aligned operation.

Interconnected Campaigns, Shared Infrastructure

The ShadyPanda campaign accounts for approximately 5.6 million infections. It distributed seemingly benign browser extensions—such as custom new tab pages and translation tools—that remained dormant for months or even years. These extensions eventually fetched malicious configurations from command-and-control (C2) servers, including jt2x.com and infinitynewtab.com. Once activated, they injected remote scripts, manipulated search results, and covertly tracked user browsing activity to facilitate e-commerce affiliate fraud and persistent surveillance.

The GhostPoster campaign primarily targeted Firefox and Opera users. It embedded malicious JavaScript within PNG images using steganography—a technique that hides data inside seemingly harmless files. After a delay of several days to bypass initial security scans, the extensions extracted and executed the hidden payloads, enabling stealthy remote code execution. This operation affected over one million users and leveraged domains such as gmzdaily.com and mitarchive.info for payload delivery.

The most recent discovery, The Zoom Stealer, exposed roughly 2.2 million users, many of them corporate professionals, to targeted espionage. These extensions masqueraded as productivity utilities or video downloaders but secretly harvested meeting URLs, authentication tokens, and participant metadata from more than 28 video conferencing platforms, including Zoom, Microsoft Teams, and Google Meet. Exfiltration occurred in real time over WebSocket connections to Firebase instances (zoocorder.firebaseio.com) and Google Cloud Functions (webinarstvus.cloudfunctions.net), both legitimate Google-hosted services whose traffic blends in with ordinary web activity.

Evidence Points to Chinese Origin

All three campaigns share overlapping digital fingerprints: identical code structures, reused C2 domains, and consistent developer identifiers. Infrastructure was largely hosted on Alibaba Cloud, and both code comments and operational timelines align with standard Chinese working hours. These indicators strongly suggest coordination by a China-based entity, possibly with state backing.

A Warning About Browser Extension Security

DarkSpectre’s success highlights a systemic weakness in browser extension ecosystems: store review inspects the extension as submitted, but an approved extension can still change what it does afterwards by fetching configuration from a server the developer controls. Many of the malicious add-ons maintained clean update histories and high user ratings for years, building trust before being silently weaponized.

This “time-bomb” approach lets a threat actor switch millions of already-installed extensions to malicious behavior at once, without pushing an update that a store would re-review. Users are advised to:

  • Review all installed browser extensions and remove any that are unused or unfamiliar
  • Avoid extensions whose requested permissions exceed their stated purpose (a new tab page or translation tool has no need to read and change data on every site you visit)
  • Monitor accounts for suspicious activity, especially if regularly using conferencing or collaboration tools
  • Keep browsers updated to benefit from the latest security patches

Given the scale and sophistication of DarkSpectre’s operations, the incident serves as a stark reminder that even widely used and seemingly legitimate browser extensions can become vectors for large-scale data theft, surveillance, and corporate espionage.
