Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

DarkSpectre browser extension campaign cluster targeting meeting data

Campaign
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The DarkSpectre browser-extension campaign expanded with a third operation that affected 2.2 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox. The broader cluster now spans over 8.8 million users across more than seven years of activity. The extensions impersonate videoconferencing utilities to harvest meeting details, hijack affiliate traffic, and support corporate espionage and fraud. The scale and persistence point to a long-running, trust-building operation rather than a short-lived add-on abuse spree.

Related Happenings

Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign

Campaign
First: 26.05.2026 10:13 Last: 26.05.2026 10:13 Sources 1

About this happening: Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...

Open Happening

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

Open Happening

Legitimate-looking Chrome extension prompt-poaching campaign

Campaign
First: 25.03.2026 13:00 Last: 25.03.2026 13:00 Sources 1

About this happening: A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...

Open Happening

Fake AI assistant Chrome extension malware activity

Malware Activity
First: 16.02.2026 16:00 Last: 16.02.2026 16:00 Sources 1

About this happening: A cluster of **30 malicious Chrome extensions** posing as **AI assistants** is stealing **email content** and other sensitive data from **Chrome users**, creating a broad browser-...

Open Happening

AiFrame malicious Chrome extension spraying operation

Malware Activity
First: 13.02.2026 13:25 Last: 13.02.2026 13:25 Sources 1

About this happening: The **AiFrame** operation spread fake **Chrome** AI assistants that delivered malicious extensions, putting **over 260,000 Google Chrome users** at risk of **credential theft**, e...

Open Happening

Timeline

  1. 31.12.2025 18:14 2 articles · 4mo ago

    DarkSpectre browser-extension cluster attributed to Chinese threat actor

    Campaign Scope Update

    Koi Security attributed DarkSpectre, a malicious browser-extension cluster targeting Google Chrome, Microsoft Edge, and Mozilla Firefox, to a Chinese threat actor after the campaign impacted 2.2 million users. The broader extension activity spanning ShadyPanda and GhostPoster affected over 8.8 million users across more than seven years, used dormant sleeper add-ons and delayed malicious updates to build trust, and culminated in The Zoom Stealer extensions that harvested meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration status for corporate espionage, social engineering, and fraud.

    Show sources
    Open in new tab