Cybersecurity

Darkspectre Browser Extension Campaigns Exposed After Impacting 8.8...

2025-12-31 0 views admin
Darkspectre Browser Extension Campaigns Exposed After Impacting 8.8...

The threat actor behind two malicious browser extension campaigns, ShadyPanda and GhostPoster, has been attributed to a third attack campaign codenamed DarkSpectre that has impacted 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox.

The activity is assessed to be the work of a Chinese threat actor that Koi Security is tracking under the moniker DarkSpectre. In all, the campaigns have collectively affected over 8.8 million users spanning a period of more than seven years.

ShadyPanda was first unmasked by the cybersecurity company earlier this month as targeting all three browser users to facilitate data theft, search query hijacking, and affiliate fraud. It has been found to affect 5.6 million users, including 1.3 newly identified victims stemming from over 100 extensions flagged as connected to the same cluster.

This also includes an Edge add-on named "New Tab - Customized Dashboard" that features a logic bomb that waits for three days prior to triggering its malicious behavior. The time-delayed activation is an attempt to give the impression that it's legitimate during the review period and get it approved.

Nine of these extensions are currently active, with an additional 85 "dormant sleepers" that are benign and meant to attract a user base before they are weaponized via malicious updates. Koi said the updates were introduced after more than five years in some cases.

The second campaign, GhostPoster, is mostly focused on Firefox users, targeting them with seemingly harmless utilities and VPN tools to serve malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. Further investigation into the activity has unearthed more browser add-ons, including a Google Translate (developer "charliesmithbons") extension for Opera with nearly one million installs.

The third campaign mounted by DarkSpectre is The Zoom Stealer, which involves a set of 18 extensions across Chrome, Edge, and Firefox that are geared towards corporate meeting intelligence by collecting online meeting-related data like meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration status.

The list of identified extensions and their corresponding IDs is below -

As is evident by the names of the extensions, a majority of them are engineered to mimic tools for enterprise-oriented videoconferencing applications like Google Meet, Zoom, and GoTo Webinar to exfiltrate me

Source: The Hacker News

🏷️ Tags

cybersecuritysecurityattackthreat

More from Cybersecurity

Hackers Drain $3.9m From Unleash Protocol After Multisig Hijack

Hackers Drain $3.9m From Unleash Protocol After Multisig Hijack

2025-12-31 0
Rondodox Botnet Exploits React2shell Flaw To Breach Next.js Servers

Rondodox Botnet Exploits React2shell Flaw To Breach Next.js Servers

2025-12-31 0
Identity Security 2026: Four Predictions And Recommendations

Identity Security 2026: Four Predictions And Recommendations

2025-12-31 0
Latest Contrarians No More: AI Skepticism Is On The Rise 2025

Latest Contrarians No More: AI Skepticism Is On The Rise 2025

2025-12-31 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views