DarkSpectre
DarkSpectre is a Chinese or China-linked threat actor tracked by Koi Security and described in the content as responsible for large-scale malicious browser-extension operations affecting more than 8.8 million users over more than seven years across Chrome, Edge, Firefox, and Opera. The actor is associated with at least three campaigns: ShadyPanda, GhostPoster, and Zoom Stealer (also referred to as The Zoom Stealer). Some content also describes the group as a cybercriminal group and as Chinese-affiliated or China-based.

ShadyPanda is described as a long-running browser-extension campaign targeting Chrome, Edge, and Firefox users for data theft, search-query hijacking, browsing surveillance, and affiliate fraud. The campaign reportedly affected about 5.6 million users. Some extensions behaved normally for years before turning malicious after an update, using time-delayed or logic-bomb activation intended to evade store review. Researchers reported 9 active malicious extensions and roughly 85 dormant "sleeper" extensions held back for later weaponization.

GhostPoster is described as a campaign primarily targeting Firefox users, though some reporting says it first targeted Edge and later expanded to Chrome and Firefox. It used benign-looking utility and VPN-themed extensions published in official browser stores, which delivered malicious JavaScript for affiliate-link hijacking, tracking-code injection, click fraud, and ad fraud. The content states that GhostPoster used steganography to hide JavaScript payloads inside extension image assets, including PNG icons; newer variants decode and decrypt the payload at runtime to hinder detection. An Opera extension tied to GhostPoster, presented as Google Translate and published by "charliesmithbons," is described as having nearly 1 million installs.

Zoom Stealer (also labelled DarkSpectre in some reporting) is described as a campaign using 18 browser extensions across Chrome, Edge, and Firefox, affecting about 2.2 million users. The extensions impersonated or mimicked enterprise videoconferencing and related utility tools and requested access to more than 28 conferencing platforms, including Zoom, Microsoft Teams, Google Meet, Cisco WebEx, and GoTo Webinar. The content states that the extensions exfiltrated meeting intelligence in real time over WebSockets: meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, registration status, participant data, and webinar speaker/host details such as names, titles, bios, profile photos, company affiliations, logos, promotional graphics, and session metadata. Researchers characterized this as corporate-espionage infrastructure and systematic collection of corporate meeting intelligence.

Attribution indicators cited in the content for a Chinese nexus include Alibaba Cloud-hosted command-and-control infrastructure, ICP registrations tied to Chinese provinces including Hubei, Chinese-language strings and comments in code, activity patterns matching the Chinese time zone, and fraud/monetization targeting Chinese e-commerce platforms such as JD.com and Taobao.
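A defender-side audit for two traits the profile describes, written here as an added example (not Koi Security's or Mallory's code): it walks a PNG icon's chunk list for chunk types outside the specification or trailing bytes after IEND, the two places an embedded script most plausibly sits, and it lists the host permissions in an extension manifest that reach conferencing platforms. The stego layout and the domain list are assumptions, since the profile states neither; the sample PNG and manifest are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
                   b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME"}
# Hypothetical domain list built from the platforms the profile names.
CONFERENCING = ("zoom.us", "teams.microsoft.com", "meet.google.com", "webex.com", "goto.com")

def png_anomalies(data: bytes) -> list:
    """Walk the chunk list; report non-standard chunks and bytes after IEND. Assumption:
    a smuggled payload shows up as one of those; the profile does not say which method GhostPoster used."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG"]
    findings, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            return findings + [f"truncated chunk {ctype!r}"]
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        if ctype == b"IEND":
            if len(data) > end:
                findings.append(f"{len(data) - end} bytes after IEND")
            return findings
        pos = end
    return findings + ["no IEND chunk"]

def conferencing_hosts(manifest: dict) -> list:
    """Host patterns (MV2 'permissions' or MV3 'host_permissions') that reach a conferencing
    platform; many of these on a 'utility' extension is the Zoom Stealer pattern described above."""
    perms = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    return sorted({p for p in perms if any(d in p for d in CONFERENCING)})

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (length, type, data, CRC) for the constructed samples."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a well-formed 1x1 greyscale PNG, the same PNG with a harmless
# string appended after IEND, and a manifest that requests conferencing hosts.
CLEAN_PNG = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
SMUGGLED_PNG = CLEAN_PNG + b"console.log('constructed sample')"
MANIFEST = {"manifest_version": 3,
            "host_permissions": ["*://*.zoom.us/*", "*://teams.microsoft.com/*", "*://*.example.com/*"]}
```

Run `png_anomalies` over every image under an unpacked extension directory and `conferencing_hosts` over its manifest.json; a clean icon returns an empty list, and a benign utility extension should match few or no conferencing hosts.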
Tradecraft
7 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Chinese threat actor behind multiple malicious browser extension campaigns (ShadyPanda, GhostPoster, DarkSpectre) impacting millions of users.
Runs a browser-extension campaign (GhostPoster cluster) targeting Chrome/Edge (and later Firefox) to hijack affiliate links, inject tracking code, and conduct click/ad fraud at scale.
Cybercriminal group operating malicious browser-extension campaigns (ShadyPanda, GhostPoster, Zoom Stealer). Tactics include pushing malicious updates to previously benign extensions, monitoring browsing activity, and deploying backdoor-capable JavaScript. GhostPoster notably uses steganography to hide JavaScript payloads inside extension image assets (e.g., PNG icons), with newer variants embedding, decoding, and decrypting payloads at runtime to evade detection. The campaign expanded from Edge to Chrome and Firefox via official web stores, using seemingly legitimate utility-extension names.
DarkSpectre is a China-linked threat actor running coordinated, large-scale malicious browser extension campaigns for surveillance, fraud, and espionage.