DarkSpectre Campaigns Target 8.8 Million Users with Malicious Browser Extensions
Summary
A Chinese threat actor, DarkSpectre, has been linked to three malicious browser extension campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—which have collectively impacted 8.8 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox over seven years. The campaigns facilitate data theft, search query hijacking, affiliate fraud, and corporate espionage by exfiltrating meeting-related data from video conferencing platforms. Additionally, five new malicious Chrome extensions impersonating HR and ERP platforms have been discovered, targeting Workday, NetSuite, and SAP SuccessFactors to hijack accounts. These extensions steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking. The extensions, some of which were recently taken down, used delayed activation and benign updates to evade detection and build trust before deploying malicious functionality. The extensions were designed to look polished and professional, with some claiming to contain security features to prevent account compromise. They engaged in a range of actions to take control of accounts, including extracting authentication cookies and uploading them to a command and control (C2) server every 60 seconds. The extensions prevented passwords from being changed to help ensure stolen access tokens remained valid indefinitely and prevented security teams from locking out compromised accounts during remediation. Administrators attempting to disable an affected user's account encountered a blank page and redirect loop. Socket recommended that organizations implement Chrome Enterprise extension allowlists to prevent installation of unauthorized extensions and monitor for extensions targeting the same enterprise platforms with similar permission requests.
Timeline
- 16.01.2026 16:09 (3 articles)
  Five Malicious Chrome Extensions Hijack Accounts
  The extensions were designed to look polished and professional, with some claiming to contain security features to prevent account compromise. They engaged in a range of actions to take control of accounts, including extracting authentication cookies and uploading them to a command and control (C2) server every 60 seconds. The extensions prevented passwords from being changed to help ensure stolen access tokens remained valid indefinitely and prevented security teams from locking out compromised accounts during remediation. Administrators attempting to disable an affected user's account encountered a blank page and redirect loop. Socket recommended that organizations implement Chrome Enterprise extension allowlists to prevent installation of unauthorized extensions and monitor for extensions targeting the same enterprise platforms with similar permission requests.
  Sources:
  - Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- 31.12.2025 18:14 (1 article)
  DarkSpectre Linked to Three Malicious Browser Extension Campaigns
  DarkSpectre, a Chinese threat actor, has been attributed to three campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—impacting 8.8 million users. The campaigns involve data theft, affiliate fraud, and corporate espionage, with some extensions still active and others dormant, awaiting malicious updates.
  Sources:
  - DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
Information Snippets
- DarkSpectre has conducted three campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—affecting 8.8 million users.
  First reported: 31.12.2025 18:14 (1 source, 1 article). Sources:
  - DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- ShadyPanda targets Chrome, Edge, and Firefox users, with 5.6 million affected, including 1.3 million newly identified victims.
  First reported: 31.12.2025 18:14 (1 source, 1 article). Sources:
  - DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- GhostPoster focuses on Firefox users, using seemingly harmless utilities and VPN tools to commit affiliate fraud and ad fraud.
  First reported: 31.12.2025 18:14 (1 source, 1 article). Sources:
  - DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- The Zoom Stealer campaign involves 18 extensions across Chrome, Edge, and Firefox, targeting corporate meeting intelligence.
  First reported: 31.12.2025 18:14 (1 source, 1 article). Sources:
  - DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- DarkSpectre uses Alibaba Cloud for command-and-control servers and has links to Chinese provinces like Hubei.
  First reported: 31.12.2025 18:14 (1 source, 1 article). Sources:
  - DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- Five malicious Chrome extensions impersonate HR and ERP platforms to hijack accounts.
  First reported: 16.01.2026 16:09 (3 sources, 3 articles). Sources:
  - Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Extensions steal authentication tokens, block incident response, and enable account takeover.
  First reported: 16.01.2026 16:09 (3 sources, 3 articles). Sources:
  - Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Extensions include DataByCloud Access, Tool Access 11, DataByCloud 1, DataByCloud 2, and Software Access.
  First reported: 16.01.2026 16:09 (3 sources, 3 articles). Sources:
  - Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Extensions exfiltrate cookies to remote servers and manipulate the DOM to block security pages.
  First reported: 16.01.2026 16:09 (3 sources, 3 articles). Sources:
  - Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- DataByCloud Access requests permissions for cookies, management, scripting, storage, and declarativeNetRequest.
  First reported: 16.01.2026 16:09 (3 sources, 3 articles). Sources:
  - Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Tool Access 11 prevents access to 44 administrative pages within Workday.
  First reported: 16.01.2026 16:09 (3 sources, 3 articles). Sources:
  - Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- DataByCloud 2 blocks 56 pages, including password changes and 2FA device management.
  First reported: 16.01.2026 16:09 (3 sources, 3 articles). Sources:
  - Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Software Access combines cookie theft with session hijacking capabilities.
  First reported: 16.01.2026 16:09 (3 sources, 3 articles). Sources:
  - Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Extensions monitor and flag the presence of security-related Chrome extensions.
  First reported: 16.01.2026 16:09 (3 sources, 3 articles). Sources:
  - Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Users are advised to remove the extensions, reset passwords, and review accounts for unauthorized access.
  First reported: 16.01.2026 16:09 (3 sources, 3 articles). Sources:
  - Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- The campaign was discovered by cybersecurity firm Socket, which identified five Chrome extensions targeting Workday, NetSuite, and SAP SuccessFactors, collectively installed more than 2,300 times.
  First reported: 17.01.2026 18:19 (2 sources, 2 articles). Sources:
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- The extensions were published under different names but share identical infrastructure, code patterns, and targeting.
  First reported: 17.01.2026 18:19 (2 sources, 2 articles). Sources:
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Four of the extensions were published under the developer name databycloud1104, while the fifth used different branding under the name Software Access.
  First reported: 17.01.2026 18:19 (2 sources, 2 articles). Sources:
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- The extensions were promoted to users of enterprise HR and ERP platforms, presenting themselves as tools designed to improve productivity, streamline workflows, or enhance security controls.
  First reported: 17.01.2026 18:19 (2 sources, 2 articles). Sources:
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- The extensions used a mix of malicious behavior, including authentication cookie exfiltration, administrative page blocking, and session hijacking via cookie injection.
  First reported: 17.01.2026 18:19 (2 sources, 2 articles). Sources:
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- The extensions exfiltrated authentication cookies named "__session" for a targeted domain every 60 seconds to remote command-and-control servers.
  First reported: 17.01.2026 18:19 (2 sources, 2 articles). Sources:
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Two extensions, Tool Access 11 and Data By Cloud 2, blocked access to security and incident response pages within Workday.
  First reported: 17.01.2026 18:19 (2 sources, 2 articles). Sources:
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Tool Access 11 targets 44 administrative pages, including authentication policies, security proxy configuration, IP range management, and session controls.
  First reported: 17.01.2026 18:19 (2 sources, 2 articles). Sources:
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Data By Cloud 2 expands this to 56 pages by adding password management, account deactivation, 2FA device controls, and security audit logs.
  First reported: 17.01.2026 18:19 (2 sources, 2 articles). Sources:
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- The Software Access extension implemented bidirectional cookie manipulation, allowing attackers to take over authenticated sessions without entering usernames, passwords, or multi-factor authentication codes.
  First reported: 17.01.2026 18:19 (2 sources, 2 articles). Sources:
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Socket reported the extensions to Google, and at the time of publishing this article, they appear to have been taken down.
  First reported: 17.01.2026 18:19 (2 sources, 2 articles). Sources:
  - Credential-stealing Chrome extensions target enterprise HR platforms — www.bleepingcomputer.com — 17.01.2026 18:19
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- The extensions were designed to look polished and professional, with some claiming to contain security features to prevent account compromise.
  First reported: 19.01.2026 14:30 (1 source, 1 article). Sources:
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- The extensions engaged in a range of actions to take control of accounts, including extracting authentication cookies and uploading them to a command and control (C2) server every 60 seconds.
  First reported: 19.01.2026 14:30 (1 source, 1 article). Sources:
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- The extensions prevented passwords from being changed to help ensure stolen access tokens remained valid indefinitely.
  First reported: 19.01.2026 14:30 (1 source, 1 article). Sources:
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- The extensions prevented security teams from locking out compromised accounts during remediation.
  First reported: 19.01.2026 14:30 (1 source, 1 article). Sources:
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Administrators attempting to disable an affected user's account encountered a blank page and redirect loop.
  First reported: 19.01.2026 14:30 (1 source, 1 article). Sources:
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Socket recommended that organizations implement Chrome Enterprise extension allowlists to prevent installation of unauthorized extensions.
  First reported: 19.01.2026 14:30 (1 source, 1 article). Sources:
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
- Socket advised monitoring for extensions targeting the same enterprise platforms with similar permission requests.
  First reported: 19.01.2026 14:30 (1 source, 1 article). Sources:
  - Malicious Google Chrome Extensions Hijack Workday and Netsuite — www.infosecurity-magazine.com — 19.01.2026 14:30
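One way to act on that monitoring advice is to triage extension manifests for the permission profile reported above (cookies, management, scripting, storage, declarativeNetRequest) combined with reach into the named HR/ERP platforms. This is an added example written for this page, not Socket's tooling or code from the extensions; the host patterns and the two sample manifests are constructed assumptions.

```python
"""Triage Chrome extension manifests for the permission profile reported above.

Added example for this page; not Socket's tooling nor code from the extensions.
The permission list and the targeted platforms come from the page; the host
patterns and both sample manifests below are constructed assumptions.
"""
import json
import re

# Permission profile reported for DataByCloud Access (from the page).
REPORTED_PROFILE = {"cookies", "management", "scripting", "storage", "declarativeNetRequest"}

# Host patterns for the platforms named on the page; the domain stems are assumptions.
ENTERPRISE_HOST_RE = re.compile(r"(myworkday|workday|netsuite|successfactors)\.", re.I)
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def collect_hosts(manifest: dict) -> set:
    """Union of every host pattern an extension declares: MV3 host_permissions,
    MV2-style URL patterns inside permissions, and content_script matches."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def score_manifest(manifest: dict) -> dict:
    """Return defender-side risk indicators for one parsed manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = collect_hosts(manifest)
    enterprise_hosts = sorted(h for h in hosts if ENTERPRISE_HOST_RE.search(h))
    broad = bool(hosts & BROAD_HOSTS)
    overlap = sorted(perms & REPORTED_PROFILE)
    reasons = []
    if "cookies" in perms and (enterprise_hosts or broad):
        reasons.append("cookies API plus reach into enterprise or all hosts (session cookie exposure)")
    if "management" in perms:
        reasons.append("management API (can enumerate and disable other extensions)")
    if "declarativeNetRequest" in perms and (enterprise_hosts or broad):
        reasons.append("declarativeNetRequest over enterprise hosts (can block or redirect admin pages)")
    if len(overlap) >= 4:
        reasons.append(f"{len(overlap)}/5 permissions match the reported profile")
    severity = "high" if len(reasons) >= 3 else "medium" if reasons else "low"
    return {"name": manifest.get("name", "?"), "severity": severity,
            "enterprise_hosts": enterprise_hosts, "matched_permissions": overlap,
            "reasons": reasons}


def triage(manifests_json: list) -> list:
    """Score a list of manifest JSON strings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = [score_manifest(json.loads(m)) for m in manifests_json]
    return sorted(results, key=lambda r: order[r["severity"]])


# Constructed sample manifests (not real extensions).
SAMPLES = [
    json.dumps({
        "manifest_version": 3, "name": "Sample HR Helper (constructed)",
        "permissions": ["cookies", "management", "scripting", "storage", "declarativeNetRequest"],
        "host_permissions": ["https://*.myworkday.com/*", "https://*.netsuite.com/*"],
    }),
    json.dumps({
        "manifest_version": 3, "name": "Sample Notes (constructed)",
        "permissions": ["storage"],
    }),
]

if __name__ == "__main__":
    for r in triage(SAMPLES):
        print(f"[{r['severity']:>6}] {r['name']}")
        for reason in r["reasons"]:
            print("         -", reason)
```

Point it at the manifest.json files exported from a Chrome Enterprise inventory or an unpacked extension directory; anything scoring high should be compared against the organisation's allowlist.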
Similar Happenings
Phantom Shuttle Chrome Extensions Steal User Credentials
Two malicious Chrome extensions named 'Phantom Shuttle' have been discovered in the Chrome Web Store, targeting users in China, particularly foreign trade workers. These extensions, active since at least 2017, hijack user traffic and steal sensitive data by routing it through attacker-controlled proxies. The extensions are promoted as proxy and network speed testing tools but contain covert data-theft functionality. They intercept HTTP authentication challenges, capture form data, steal session cookies, and extract API tokens. The extensions have been found to route traffic from over 170 targeted domains through the C2 infrastructure, capturing a wide range of sensitive information. The operation is likely China-based, and the extensions remain available in the Chrome Web Store as of the time of reporting.
GhostPoster Campaign Uses Steganography in Firefox Addon Logos
The GhostPoster campaign, which hides malicious JavaScript code in the PNG logos of Firefox extensions, has been discovered to have infected 17 additional extensions across Chrome, Firefox, and Edge stores, accumulating a total of 840,000 installations. The campaign, first reported by Koi Security researchers in December, involves extensions that monitor browser activity and plant a backdoor. The hidden script acts as a loader that fetches the main payload from a remote server, retrieving it only 10% of the time to evade detection. The payload can hijack affiliate links, inject tracking code, and commit click and ad fraud. The campaign originated on Microsoft Edge and expanded to Firefox and Chrome, with some extensions present in browser add-on stores since 2020. A more advanced variant of the payload was identified in the 'Instagram Downloader' extension, which uses a bundled image file as a covert payload container. The newly identified extensions have been removed from Mozilla's and Microsoft's add-on stores, but users who installed them may still be at risk. Google has confirmed the removal of all identified extensions from the Chrome Web Store.
ShadyPanda Browser Extensions Campaign Exploits 4.3M Installs
The ShadyPanda campaign has amassed over 4.3 million installations of malicious Chrome and Edge browser extensions, evolving from legitimate tools into spyware over multiple phases. The extensions, discovered by Koi Security, engaged in affiliate fraud, search hijacking, and remote code execution. The campaign remains active on the Microsoft Edge Add-ons platform, with one extension having 3 million installs. The extensions collect browsing history, search queries, keystrokes, mouse clicks, and other sensitive data, exfiltrating it to domains in China. Users are advised to remove these extensions and reset their account passwords. The ShadyPanda campaign used a supply-chain attack tactic by publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. The compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser, capable of downloading and running arbitrary JavaScript with full access to the browser's data and capabilities. The extensions could steal session cookies and tokens, allowing them to impersonate entire SaaS accounts such as Microsoft 365 or Google Workspace. The risk of malicious browser extensions extends beyond individual users, as they can access cookies, local storage, cloud auth sessions, active web content, and file downloads, blurring the line between endpoint security and cloud security. Organizations should enforce extension allow lists, treat extension access like OAuth access, audit extension permissions regularly, and monitor for suspicious extension behavior to reduce the risk of malicious extensions. Modern SaaS security platforms, such as Reco's Dynamic SaaS Security platform, can help organizations monitor and detect suspicious activity related to browser extensions in real time.
Microsoft to Strengthen Entra ID Sign-Ins Against Script Injection Attacks
Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect. This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has expanded its bug bounty program to cover all online services, including third-party and open-source components, if they impact Microsoft online services. The company has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year. 
Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced Mandatory MFA across all services, including for all Azure service users. The company has also introduced Automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties.
Browser Sandbox Threats Bypassing Modern Security Tools
Modern browsers, despite their sandbox security model, are vulnerable to sophisticated threats that bypass traditional security tools. These threats exploit inherent browser features to conduct credential theft, deploy malicious extensions, and enable lateral movement. Enterprises face a security blind spot between endpoints and cloud environments, where traditional defenses lack visibility. The webinar 'The Browser Sandbox & Its Top 3 Threats' by Keep Aware highlights these vulnerabilities and provides insights on enhancing browser security. The three primary threats are credential theft, malicious extensions, and lateral movement. Credential theft involves social engineering and session hijacking to bypass multi-factor authentication (MFA). Malicious extensions can harvest data, inject ads, or act as malware backdoors. Lateral movement uses browser-native features to extend control beyond the browser context, leading to data loss and device compromise.