Find notable cyber news and cases, enriched with sources, timelines, and signals.

DarkSpectre browser extension campaign cluster targeting meeting data

Campaign
First reported
Last updated
Happening score
H score 58
1 unique sources, 1 articles

Summary

Hide ▲

The DarkSpectre browser-extension campaign expanded with a third operation that affected 2.2 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox. The broader cluster now spans over 8.8 million users across more than seven years of activity. The extensions impersonate videoconferencing utilities to harvest meeting details, hijack affiliate traffic, and support corporate espionage and fraud. The scale and persistence point to a long-running, trust-building operation rather than a short-lived add-on abuse spree.

Related Happenings

Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions

Threat Actor Meta
H score20 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...

Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign

Campaign
H score36 First: 26.05.2026 10:13 Last: 26.05.2026 10:13 Sources 1

About this happening: Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
H score11 First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

Legitimate-looking Chrome extension prompt-poaching campaign

Campaign
H score49 First: 25.03.2026 13:00 Last: 25.03.2026 13:00 Sources 1

About this happening: A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...

Fake AI assistant Chrome extension malware activity

Malware Activity
H score16 First: 16.02.2026 16:00 Last: 16.02.2026 16:00 Sources 1

About this happening: A cluster of **30 malicious Chrome extensions** posing as **AI assistants** is stealing **email content** and other sensitive data from **Chrome users**, creating a broad browser-...

Timeline

  1. 31.12.2025 18:14 2 articles · 6mo ago

    DarkSpectre browser-extension cluster attributed to Chinese threat actor

    Campaign Scope Update

    Koi Security attributed DarkSpectre, a malicious browser-extension cluster targeting Google Chrome, Microsoft Edge, and Mozilla Firefox, to a Chinese threat actor after the campaign impacted 2.2 million users. The broader extension activity spanning ShadyPanda and GhostPoster affected over 8.8 million users across more than seven years, used dormant sleeper add-ons and delayed malicious updates to build trust, and culminated in The Zoom Stealer extensions that harvested meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration status for corporate espionage, social engineering, and fraud.

    Show sources