
The threat actors behind two malicious browser extension campaigns, ShadyPanda and GhostPoster, were also behind a third attack campaign that allegedly affected 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox.
This activity has been attributed to a Chinese threat actor that Koi Security tracks under the name DarkSpectre. The three campaigns have collectively impacted more than 8.8 million users over seven years.
ShadyPanda was first exposed by the cybersecurity firm earlier this month as targeting users of all three browsers to facilitate data theft, search query hijacking, and affiliate fraud. 5.6 million users were found to be affected, including 1.3 million newly identified victims, after over 100 extensions were flagged as connected to the same cluster.
The cluster also includes an Edge add-on named “New Tab – Customized Dashboard” with a logic bomb that waits three days before triggering its malicious behavior. The delayed activation is an attempt to appear legitimate and pass store review.
Nine of these extensions are currently active, while a further 85 “dormant sleepers” are benign for now and intended to build up a user base before being weaponized by a malicious update. Koi said such updates were introduced after more than five years in some cases.
The second campaign, GhostPoster, primarily focuses on Firefox users, luring them with seemingly innocuous utilities and VPN tools that deliver malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. Further investigation into this activity uncovered more browser add-ons, including a Google Translate extension for Opera (developer “charliesmithbons”) with nearly 1 million installations.

The third campaign launched by DarkSpectre is the Zoom Stealer. It comprises 18 extensions across Chrome, Edge, and Firefox aimed at enterprise meeting intelligence, collecting online meeting-related data such as password-embedded meeting URLs, meeting IDs, topics, descriptions, scheduled times, and registration status.
Below is a list of identified extensions and their corresponding IDs.
Google Chrome –
Chrome Audio Capture (kfokdmfpdnokpmpbjhjbcabgligoelgp)
ZED: Zoom Easy Downloader (pdadlkbckhinonakkfkdaadceojbekep)
Zoom.us Always Show Join from Web (aedgpiecagcpmehhelbibfbgpfiafdkm)
Google Meet Timer (dpdgjbnanmmlikideilnpfjjdbmneanf)
CVR: Chrome Video Recorder (kabbfhmcaaodobkfbnnehopcghicgffo)
GoToWebinar and GoToMeeting Download recordings of (cphibdhgbdoekmkkcbbaoogedpfibeme)
Auto-approve in Meet (ceofheakaalaecnecdkdanhejojkpeai)
Adjust Google Meet (emoji, text, camera effects) (dakebdbeofhmlnmjlmhjdmmjmfohiicn)
Mute everything in Meet (adjoknoacleghaejlggocbakidkoifle)
Google Meet push To Talk (pgpidfocdapogajplhjofamgeboonmmj)
Photo Downloader for Facebook, Instagram, + (ifklcpoenaammhnoddgedlapnodfcjpn)
Zoomcoder Extension (ebhomdageggjbmomenipfbhcjamfkmbl)
Google Meet Auto-Join (ajfokipknlmjhcioemgnofkpmdnbaldi)
Microsoft Edge –
Edge Audio Capture (mhjdjckeljinofckdibjiojbdpapoecj)
Mozilla Firefox –
Twiter X Video Downloader ({7536027f-96fb-4762-9e02-fdfaedd3bfb5}, published by ‘invaliddejavu’)
x-video-downloader (xtwitterdownloader@benimaddonum.com, published by ‘invaliddejavu’)
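The list above is only useful if it can be checked against real endpoints. The following is an added example, written for this page rather than taken from the article or from Koi Security, that scans a Chromium-style browser profile (Chrome and Edge both keep installed extensions under Extensions/<id>/<version>/manifest.json) for the Chrome and Edge IDs listed above, and separately flags any extension whose manifest requests host access to several video conferencing domains, which is the permission pattern the Zoom Stealer relies on. The conferencing domain list, the threshold of three domains, and the sample profile it builds in a temporary directory are assumptions for demonstration; the Firefox entries are omitted because Firefox stores add-ons in a different layout.

```python
"""Scan a Chromium-style profile for DarkSpectre Zoom Stealer IDs and for
extensions with broad video conferencing host access.

Added example for this page; not code from the article or Koi Security.
"""
import json
import tempfile
from pathlib import Path

# Chrome and Edge extension IDs exactly as listed in the article.
ZOOM_STEALER_IDS = {
    "kfokdmfpdnokpmpbjhjbcabgligoelgp": "Chrome Audio Capture",
    "pdadlkbckhinonakkfkdaadceojbekep": "ZED: Zoom Easy Downloader",
    "aedgpiecagcpmehhelbibfbgpfiafdkm": "Zoom.us Always Show Join from Web",
    "dpdgjbnanmmlikideilnpfjjdbmneanf": "Google Meet Timer",
    "kabbfhmcaaodobkfbnnehopcghicgffo": "CVR: Chrome Video Recorder",
    "cphibdhgbdoekmkkcbbaoogedpfibeme": "GoToWebinar and GoToMeeting Download recordings of",
    "ceofheakaalaecnecdkdanhejojkpeai": "Auto-approve in Meet",
    "dakebdbeofhmlnmjlmhjdmmjmfohiicn": "Adjust Google Meet (emoji, text, camera effects)",
    "adjoknoacleghaejlggocbakidkoifle": "Mute everything in Meet",
    "pgpidfocdapogajplhjofamgeboonmmj": "Google Meet push To Talk",
    "ifklcpoenaammhnoddgedlapnodfcjpn": "Photo Downloader for Facebook, Instagram, +",
    "ebhomdageggjbmomenipfbhcjamfkmbl": "Zoomcoder Extension",
    "ajfokipknlmjhcioemgnofkpmdnbaldi": "Google Meet Auto-Join",
    "mhjdjckeljinofckdibjiojbdpapoecj": "Edge Audio Capture",
}

# Assumed domain mapping for the platforms the article names; extend as needed.
CONFERENCING_DOMAINS = (
    "zoom.us", "meet.google.com", "gotowebinar.com",
    "webex.com", "teams.microsoft.com",
)
WILDCARD_PATTERNS = ("<all_urls>", "*://*/*")
BROAD_ACCESS_THRESHOLD = 3  # assumed: flag at three or more conferencing hosts


def conferencing_hosts(manifest: dict) -> set:
    """Return the manifest match patterns that cover conferencing domains
    (or everything, via a wildcard pattern)."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += list(manifest.get("permissions", []))  # MV2 puts hosts here
    for script in manifest.get("content_scripts", []):
        patterns += list(script.get("matches", []))
    hits = set()
    for pattern in patterns:
        if pattern in WILDCARD_PATTERNS or any(d in pattern for d in CONFERENCING_DOMAINS):
            hits.add(pattern)
    return hits


def scan_profile(extensions_dir) -> list:
    """Walk Extensions/<id>/<version>/manifest.json and return findings."""
    findings = []
    for ext_dir in sorted(Path(extensions_dir).iterdir()):
        if not ext_dir.is_dir():
            continue
        ext_id = ext_dir.name
        if ext_id in ZOOM_STEALER_IDS:
            findings.append({"id": ext_id, "name": ZOOM_STEALER_IDS[ext_id],
                             "reason": "known DarkSpectre Zoom Stealer ID"})
        for manifest_path in ext_dir.glob("*/manifest.json"):
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            hits = conferencing_hosts(manifest)
            wildcard = any(h in WILDCARD_PATTERNS for h in hits)
            if wildcard or len(hits) >= BROAD_ACCESS_THRESHOLD:
                findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                                 "reason": "broad conferencing host access",
                                 "hosts": sorted(hits)})
    return findings


def build_demo_profile() -> Path:
    """Construct a sample profile: one listed ID with broad host access and
    one benign extension. Constructed data, not a real capture."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    bad = root / "kfokdmfpdnokpmpbjhjbcabgligoelgp" / "1.0.3_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "name": "Chrome Audio Capture", "manifest_version": 3,
        "host_permissions": ["*://*.zoom.us/*", "*://meet.google.com/*",
                             "*://*.webex.com/*", "*://teams.microsoft.com/*"],
    }))
    good = root / "abcdefghijklmnopabcdefghijklmnop" / "2.0_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({
        "name": "Harmless Notes", "manifest_version": 3,
        "host_permissions": ["*://*.example.com/*"],
    }))
    return root


def demo() -> list:
    return scan_profile(build_demo_profile())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine, point scan_profile at the profile's Extensions directory (for example, the Default profile under the Chrome or Edge user data folder); the host-access heuristic will also flag legitimate meeting tools, so treat it as a triage signal beside the exact-ID match rather than as a verdict.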

As their names make clear, most of these extensions are designed to mimic helper tools for enterprise video conferencing applications like Google Meet, Zoom, and GoTo Webinar, while extracting meeting links, credentials, and participant lists in real time over a WebSocket connection.
We may also collect detailed information about the webinar speaker or host, such as name, job title, bio, profile picture, and company affiliation, along with logo, promotional graphics, and session metadata, each time a user accesses a webinar registration page through a browser that has one of our extensions installed.

These add-ons have been found to request access to more than 28 video conferencing platforms, including Cisco WebEx, Google Meet, GoTo Webinar, Microsoft Teams, Zoom, and more, regardless of whether access is required in the first place.
“This is not consumer fraud. This is an infrastructure for corporate espionage,” said researchers Tubal Admoni and Gal Khachamov. “Zoom Stealer represents something more targeted, a systematic collection of corporate meeting intelligence. Users got what was advertised. The extension gained trust and positive feedback, while monitoring ran quietly in the background.”
The cybersecurity firm said the information collected could be used to facilitate corporate espionage by selling to other bad actors, and could enable social engineering and large-scale impersonation operations.
China’s connection to this operation is based on several clues. These include consistent use of command and control (C2) servers hosted on Alibaba Cloud, registration of Internet Content Providers (ICPs) linked to Chinese provinces such as Hubei, code artifacts containing Chinese strings and comments, and fraud schemes specifically targeting Chinese e-commerce platforms such as JD.com and Taobao.
“DarkSpectre likely has more infrastructure in place now. At this point, extensions are legal, so it looks completely legal,” Koi said. “They are still in the trust-building stage, gathering users, earning badges, and waiting.”
