A Chinese-linked threat actor has been tied to a third large-scale malicious browser extension campaign that has compromised data from millions of users across major web browsers, according to new findings by cybersecurity firm Koi Security.
The latest campaign, dubbed DarkSpectre, has affected about 2.2 million users of Google Chrome, Microsoft Edge and Mozilla Firefox, the researchers said.
DarkSpectre has now been linked to two earlier campaigns known as ShadyPanda and GhostPoster, bringing the total number of impacted users across all three operations to more than 8.8 million over a period exceeding seven years.
Koi Security said the activity appears to be the work of a single Chinese threat actor that it tracks under the name DarkSpectre. The campaigns relied on seemingly legitimate browser extensions that were used to steal data, hijack search queries, manipulate affiliate links and conduct advertising fraud.
ShadyPanda, which Koi disclosed earlier this month, was found to have affected about 5.6 million users through more than 100 malicious or compromised extensions across Chrome, Edge and Firefox. Some of these extensions remained benign for years before being weaponised through updates.
One Edge extension waited three days after installation before activating its malicious code, a tactic designed to evade store review processes.
The second campaign, GhostPoster, primarily targeted Firefox users with utilities and VPN-style add-ons that injected malicious JavaScript to hijack affiliate traffic and carry out click fraud.
Investigators also identified related extensions on other browsers, including an Opera add-on masquerading as a Google Translate tool that had close to one million installs.
The newly attributed DarkSpectre campaign, also referred to by researchers as the Zoom Stealer operation, involved at least 18 extensions designed to collect sensitive data from online meetings.
These extensions harvested meeting links, embedded passwords, meeting IDs, topics, schedules and participant details from platforms such as Zoom, Google Meet, Microsoft Teams, Cisco WebEx and GoTo Webinar.
Researchers said the extensions posed as tools for recording or managing video meetings but quietly exfiltrated corporate meeting intelligence in real time using WebSocket connections.
The stolen data also included details about webinar hosts and speakers, such as names, job titles, company affiliations and promotional materials.
“This isn’t consumer fraud, this is corporate espionage infrastructure,” Koi Security researchers Tuval Admoni and Gal Hachamov said in media statements. They warned that the information could be sold to other threat actors or used for targeted social engineering and impersonation campaigns.
Koi Security said indicators linking the activity to China included the use of command and control servers hosted on Alibaba Cloud, Chinese-language artifacts in the code, and registrations tied to Chinese provinces.
Some fraud activity was also aimed at Chinese e-commerce platforms.
The researchers cautioned that additional extensions linked to the same actor may still be active but dormant, building trust and user bases before being turned malicious through future updates.
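The three traits the article attributes to these extensions lend themselves to static triage before an extension is allowed into a managed browser fleet: match patterns that reach the meeting platforms named above, a WebSocket channel that could carry real-time exfiltration, and a long timer armed at install time of the kind the delayed Edge extension used. The script below is an added example written for this article, not tooling from Koi Security or from any of the campaigns it describes; the manifest, the JavaScript snippets, the `collector.invalid` hostname and the rule names are all constructed for illustration.

```python
"""Static triage of an unpacked browser extension for the traits described in
the DarkSpectre reporting: meeting-platform page access, WebSocket usage, and
a delayed-activation timer set when the extension is installed.
Added example; all sample inputs below are constructed, not real extensions."""
from __future__ import annotations

import json
import re
from pathlib import Path

# Meeting platforms named in the article, as hostname fragments to look for
# in manifest match patterns. Broad wildcards reach them implicitly.
MEETING_HOSTS = ("zoom.us", "meet.google.com", "teams.microsoft.com",
                 "webex.com", "goto.com", "gotowebinar.com")
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

WS_RE = re.compile(r"new\s+WebSocket\s*\(|wss?://[\w.-]+")
ALARM_RE = re.compile(r"delayInMinutes\s*:\s*(\d+)")          # chrome.alarms.create
TIMEOUT_RE = re.compile(r"setTimeout\s*\([^;]*?,\s*(\d+)\s*\)")  # plain JS timers
ONE_DAY_MIN = 24 * 60
ONE_DAY_MS = ONE_DAY_MIN * 60 * 1000


def url_patterns(manifest: dict) -> list[str]:
    """Every host/match pattern the manifest grants (MV2 and MV3 layouts)."""
    pats = [p for key in ("permissions", "host_permissions")
            for p in manifest.get(key, []) if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        pats.extend(cs.get("matches", []))
    return pats


def meeting_site_hits(patterns: list[str]) -> list[str]:
    """Patterns that reach a meeting platform explicitly or via a broad wildcard."""
    return sorted({p for p in patterns
                   if p in BROAD_PATTERNS or any(h in p for h in MEETING_HOSTS)})


def audit_extension(manifest: dict, sources: dict[str, str]) -> list[dict]:
    """Return findings as {'rule', 'file', 'detail'} dicts; empty list means clean."""
    findings = []
    hits = meeting_site_hits(url_patterns(manifest))
    if hits:
        findings.append({"rule": "meeting_site_access",
                         "file": "manifest.json", "detail": hits})
    for fname, code in sources.items():
        # Flag delays of a day or more; note whether they are armed from onInstalled,
        # the pattern that lets an extension sit benign through store review.
        delays = [int(m) for m in ALARM_RE.findall(code) if int(m) >= ONE_DAY_MIN]
        delays += [int(m) // 60000 for m in TIMEOUT_RE.findall(code) if int(m) >= ONE_DAY_MS]
        if delays:
            findings.append({"rule": "delayed_activation", "file": fname,
                             "detail": {"max_delay_minutes": max(delays),
                                        "armed_on_install": "onInstalled" in code}})
        ws = sorted({m.group(0) for m in WS_RE.finditer(code)})
        if ws:
            findings.append({"rule": "websocket_usage", "file": fname, "detail": ws})
    return findings


def audit_dir(ext_dir: str) -> list[dict]:
    """Audit an unpacked extension directory: manifest.json plus all .js files."""
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    sources = {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
               for p in root.rglob("*.js")}
    return audit_extension(manifest, sources)


# Constructed sample resembling the traits described, not a real extension.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Meeting Recorder Helper (constructed sample)",
    "permissions": ["storage", "alarms"],
    "host_permissions": ["*://*.zoom.us/*", "*://meet.google.com/*"],
    "content_scripts": [{"matches": ["*://*.zoom.us/*"], "js": ["content.js"]}],
    "background": {"service_worker": "bg.js"},
}
SAMPLE_SOURCES = {
    "bg.js": """
chrome.runtime.onInstalled.addListener(() => {
  chrome.alarms.create("activate", { delayInMinutes: 4320 });  // three days
});
chrome.alarms.onAlarm.addListener(() => chrome.storage.local.set({ armed: true }));
""",
    "content.js": 'const ws = new WebSocket("wss://collector.invalid/ingest");\n',
}

# Constructed benign control: one ordinary site, an immediate onInstalled handler.
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Benign (constructed)",
                   "permissions": ["storage"],
                   "content_scripts": [{"matches": ["*://example.com/*"], "js": ["c.js"]}]}
BENIGN_SOURCES = {"bg.js": "chrome.runtime.onInstalled.addListener(() => {});\n"}

if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(finding)
```

Any one finding alone is weak evidence (a genuine meeting recorder needs meeting-site access, and many extensions use WebSockets), so treat the output as a triage score to be read together, and run `audit_dir` on the unpacked extension directory rather than trusting the store listing.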
