DarkSpectre: A Hidden Network Behind the Infection of 8.8 Million Browsers with Spyware

Cybersecurity researchers have uncovered one of the largest documented browser extension breaches worldwide, attributed to an organized threat actor known as DarkSpectre, believed to operate from China. Over more than seven years, this network has infected over 8.8 million users of Chrome, Edge, Firefox, and Opera through extensions that appeared completely legitimate, spreading via official browser stores without raising suspicion.

According to a study by Koi.ai, the group runs three interconnected campaigns: ShadyPanda, GhostPoster, and a recently identified campaign called The Zoom Stealer, all forming a single strategically coordinated operation.

A Single Coordinated Operation, Not Random Attacks

Investigations indicate that DarkSpectre is not a random hacking group but a unified operation managing multiple parallel campaigns. It uses extensions with real functionality to attract users and build trust before activating malicious behavior later. These extensions were not obscure apps but popular tools that users relied on daily.

DarkSpectre’s structure differs from conventional cybercrime operations, as it manages separate but interconnected malware clusters, each with specific objectives.

The ShadyPanda campaign, responsible for about 5.6 million infections, focuses on long-term user monitoring and e-commerce affiliate marketing fraud.

Its extensions appeared legitimate for years, offering new tabs and translation tools before secretly downloading malicious configurations from command-and-control servers like jt2x.com and infinitynewtab.com.

ShadyPanda relied on widely distributed productivity extensions, including translation tools, tab managers, and new tab pages—examples include WeTab, multiple versions of “New Tab” and “Customized Dashboard,” as well as lightweight translation tools mimicking well-known services.

These extensions functioned normally for years, receiving positive ratings and “trusted” badges, before beginning to collect browsing data, track user behavior, manipulate search results, and execute affiliate link fraud—especially on platforms like Taobao and JD.com—without user knowledge.

GhostPoster: Infiltration Through Images and Translation Extensions

The GhostPoster campaign, which affected over 1 million users, used a more covert approach through Firefox and Opera extensions. One documented example was an Opera store extension called Google™ Translate, published under an unknown developer account, appearing as a simple translation tool.

In reality, the extension bypassed site protections, opened a hidden channel for remote commands, and disabled fraud detection systems. The campaign hid malicious code inside PNG images used as extension icons, which were later extracted and executed in the browser.
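The article states that GhostPoster stored code inside the PNG icons of its extensions but does not say how the payload was embedded. The script below is an added illustration for reviewers of unpacked extensions, not code from the Koi.ai research or from any of the extensions named here. It walks the chunk structure of a PNG and reports the generic places where non-image data can ride along without affecting how the icon renders: bytes after the IEND chunk, chunk types the PNG specification does not define, oversized text chunks, and CRC mismatches. The sample image and the tampered variants in the usage note are constructed inline; the 1024-byte text-chunk threshold is an assumption chosen for icon-sized files.

```python
"""Audit PNG files (e.g. the icons shipped inside an unpacked browser extension)
for places where non-image data can hide without changing the rendered image.

Added illustration; not code from the Koi.ai research or from any extension.
The checks are generic: a renderer ignores everything they flag, which is
exactly what makes those regions attractive for smuggling a payload.
"""
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification (plus APNG); anything else is a
# private or unknown chunk and deserves a closer look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}
TEXT_CHUNK_LIMIT = 1024  # assumption: metadata on an icon rarely exceeds this


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Constructed sample input: a valid 1x1 8-bit greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one grey pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def audit_png(blob: bytes) -> list[str]:
    """Return human-readable findings for one PNG; an empty list means nothing odd."""
    findings: list[str] = []
    if not blob.startswith(PNG_SIGNATURE):
        return ["not a PNG: bad signature"]
    pos = len(PNG_SIGNATURE)
    while pos < len(blob):
        if pos + 8 > len(blob):
            findings.append(f"{len(blob) - pos} stray bytes where a chunk header was expected")
            break
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(blob):
            findings.append(f"chunk {ctype!r} declares {length} bytes but the file ends early")
            break
        data = blob[pos + 8:pos + 8 + length]
        (crc_stored,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc_stored:
            findings.append(f"CRC mismatch on chunk {ctype!r}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} carrying {length} bytes")
        elif ctype in (b"tEXt", b"zTXt", b"iTXt") and length > TEXT_CHUNK_LIMIT:
            findings.append(f"oversized text chunk {ctype!r} ({length} bytes)")
        pos = end
        if ctype == b"IEND":
            trailing = len(blob) - pos  # decoders stop here; anything after is invisible
            if trailing:
                findings.append(f"{trailing} bytes after IEND")
            break
    else:
        findings.append("no IEND chunk")
    return findings


def main(paths: list[str]) -> int:
    """Audit every path given; return the number of files with findings."""
    flagged = 0
    for path in paths:
        with open(path, "rb") as fh:
            findings = audit_png(fh.read())
        for finding in findings:
            print(f"{path}: {finding}")
        flagged += bool(findings)
    return flagged


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python audit_png.py icons/*.png` over an unpacked extension directory. A clean icon produces no output; an icon with a payload appended after IEND, a private chunk, or a corrupted chunk is reported with the reason. A hit is a reason to read the extension's JavaScript for code that opens the icon and decodes it, not proof of malice on its own: some image tools legitimately write private chunks.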

The Zoom Stealer: Video Download Tools Turned Spyware

The most dangerous shift occurred with The Zoom Stealer campaign, targeting around 2.2 million users. It evolved from fraud and monitoring to direct corporate espionage. This campaign reached users through seemingly harmless extensions like Twitter X Video Downloader, social media video downloaders, and browser audio recording tools such as Chrome Audio Capture, which alone had over 800,000 users.

Although these extensions performed their advertised functions, in the background they collected sensitive data from virtual meeting platforms like Zoom, Microsoft Teams, Google Meet, and WebEx. Collected data included meeting links, session IDs, passwords, participant lists, and detailed information about speakers and host companies.

Long-Term Strategy and Systematic Trust-Building

DarkSpectre relies on stealth and patience, deploying extensions that operate normally for years before activating their malicious capabilities via external commands without visible updates. Investigations show that dozens of extensions linked to this network remain active and appear clean, meaning they could turn into spyware or fraud tools at any time.

Analysis revealed that the command-and-data transfer infrastructure relies on servers hosted in China, with programming comments and variables in Chinese, and activity patterns matching local working hours. There is also a clear focus on Chinese e-commerce platforms, supporting the hypothesis of a Chinese connection.

Ongoing Threat and Browser Store Vulnerability

The DarkSpectre case exposes a critical flaw in the browser extension store model, where an extension is only examined upon publication but can later change its behavior through external commands without effective oversight. As a result, popular extensions—such as translation tools, tab managers, and video downloaders—can become gateways for large-scale breaches.
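Because store review happens once at publication, organisations that cannot re-review every update fall back on browser policy to decide which extensions may run at all and where. The fragment below is an added example of Chrome's `ExtensionSettings` enterprise policy, not a configuration from the article or from Koi.ai. It blocks installation of any extension not explicitly listed, denies a few high-impact permissions to everything, and keeps all extensions off the meeting domains named in the article. `<allowlisted-extension-id>` is a placeholder for a real 32-character Chrome Web Store ID; on Linux the file is dropped into `/etc/opt/chrome/policies/managed/`, and Windows and macOS have equivalent managed-policy locations.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_permissions": ["tabs", "history", "webRequest", "management"],
      "runtime_blocked_hosts": [
        "*://*.zoom.us",
        "*://teams.microsoft.com",
        "*://meet.google.com",
        "*://*.webex.com"
      ]
    },
    "<allowlisted-extension-id>": {
      "installation_mode": "allowed",
      "update_url": "https://clients2.google.com/service/update2/crx"
    }
  }
}
```

The `"*"` entry is the default applied to every extension, so `runtime_blocked_hosts` under it prevents even an approved extension from injecting scripts into the listed meeting sites. An allowlist does not stop a listed extension from later changing behaviour through a remote configuration, but it shrinks the set of extensions that must be monitored to the ones the organisation chose, and Edge exposes the same policy under the same name.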

Cybersecurity experts warn that what has been revealed so far may represent only a portion of a larger network, while millions of users continue to rely daily on browser extensions without realizing the risks behind them.