DarkSpectre Campaigns Target 8.8 Million Users with Malicious Browser Extensions
Summary
A Chinese threat actor, DarkSpectre, has been linked to three malicious browser extension campaigns (ShadyPanda, GhostPoster, and The Zoom Stealer), which have collectively impacted 8.8 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox over seven years. The campaigns facilitate data theft, search query hijacking, and affiliate fraud, as well as corporate espionage carried out by exfiltrating meeting-related data from video conferencing platforms. The extensions, some of which are still active, use delayed activation and benign updates to evade detection and build trust before deploying malicious functionality.
Timeline
- 31.12.2025 18:14 · 1 article
DarkSpectre Linked to Three Malicious Browser Extension Campaigns
DarkSpectre, a Chinese threat actor, has been attributed to three campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—impacting 8.8 million users. The campaigns involve data theft, affiliate fraud, and corporate espionage, with some extensions still active and others dormant, awaiting malicious updates.
- DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
Information Snippets
- DarkSpectre has conducted three campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—affecting 8.8 million users.
  First reported: 31.12.2025 18:14 · 1 source, 1 article
- DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- ShadyPanda targets Chrome, Edge, and Firefox users, with 5.6 million affected, including 1.3 million newly identified victims.
  First reported: 31.12.2025 18:14 · 1 source, 1 article
- DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- GhostPoster focuses on Firefox users, using seemingly harmless utilities and VPN tools to commit affiliate fraud and ad fraud.
  First reported: 31.12.2025 18:14 · 1 source, 1 article
- DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- The Zoom Stealer campaign involves 18 extensions across Chrome, Edge, and Firefox, targeting corporate meeting intelligence.
  First reported: 31.12.2025 18:14 · 1 source, 1 article
- DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- DarkSpectre uses Alibaba Cloud for command-and-control servers and has links to Chinese provinces like Hubei.
  First reported: 31.12.2025 18:14 · 1 source, 1 article
- DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14