DarkSpectre
DarkSpectre is malware associated with a large-scale malicious browser-extension operation reported on 2026-01-05. The campaign is described as compromising 8.8 million browser extensions/browsers and repurposing the affected extensions into surveillance tools, implying collection of user data and broad privacy/security impact across potentially millions of users worldwide. The activity is characterized as cybercriminal in nature but also described as “state-aligned,” suggesting possible nation-state involvement or alignment. No specific infection vector beyond compromise/abuse of the browser extension ecosystem is provided, and no concrete IOCs (domains, IPs, hashes) are included in the provided content.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Malware family behind coordinated browser extension campaigns for surveillance, fraud, and espionage across multiple browsers.
DarkSpectre is malware that compromised 8.8 million browser extensions, turning them into tools for state-aligned cyber espionage.
DarkSpectre is a browser-based malware responsible for infecting 8.8 million browsers.
Campaign involving malicious browser extension activity at very large scale (millions of infections), supported by backbone-level infrastructure.