DarkSpectre browser extension campaign cluster targeting meeting data
Campaign
Summary
Hide ▲
Show ▼
The DarkSpectre browser-extension campaign expanded with a third operation that affected 2.2 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox. The broader cluster now spans over 8.8 million users across more than seven years of activity. The extensions impersonate videoconferencing utilities to harvest meeting details, hijack affiliate traffic, and support corporate espionage and fraud. The scale and persistence point to a long-running, trust-building operation rather than a short-lived add-on abuse spree.
Related Happenings
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
Campaign
H score36
First: 26.05.2026 10:13
Last: 26.05.2026 10:13
Sources 1
About this happening:
Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
CampaignAbout this happening: Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
H score11
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware ActivityAbout this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Legitimate-looking Chrome extension prompt-poaching campaign
Campaign
H score49
First: 25.03.2026 13:00
Last: 25.03.2026 13:00
Sources 1
About this happening:
A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...
Legitimate-looking Chrome extension prompt-poaching campaign
CampaignAbout this happening: A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...
Fake AI assistant Chrome extension malware activity
Malware Activity
H score16
First: 16.02.2026 16:00
Last: 16.02.2026 16:00
Sources 1
About this happening:
A cluster of **30 malicious Chrome extensions** posing as **AI assistants** is stealing **email content** and other sensitive data from **Chrome users**, creating a broad browser-...
Fake AI assistant Chrome extension malware activity
Malware ActivityAbout this happening: A cluster of **30 malicious Chrome extensions** posing as **AI assistants** is stealing **email content** and other sensitive data from **Chrome users**, creating a broad browser-...
Timeline
-
31.12.2025 18:14 2 articles · 6mo ago
DarkSpectre browser-extension cluster attributed to Chinese threat actor
Campaign Scope UpdateKoi Security attributed DarkSpectre, a malicious browser-extension cluster targeting Google Chrome, Microsoft Edge, and Mozilla Firefox, to a Chinese threat actor after the campaign impacted 2.2 million users. The broader extension activity spanning ShadyPanda and GhostPoster affected over 8.8 million users across more than seven years, used dormant sleeper add-ons and delayed malicious updates to build trust, and culminated in The Zoom Stealer extensions that harvested meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration status for corporate espionage, social engineering, and fraud.
Show sources
- DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14