DarkSpectre Campaigns Target 8.8 Million Users with Malicious Browser Extensions
Summary
A Chinese threat actor, DarkSpectre, has been linked to three malicious browser extension campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—which have collectively impacted 8.8 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox over seven years. The campaigns facilitate data theft, search query hijacking, affiliate fraud, and corporate espionage by exfiltrating meeting-related data from video conferencing platforms. Additionally, five new malicious Chrome extensions impersonating HR and ERP platforms have been discovered, targeting Workday, NetSuite, and SuccessFactors to hijack accounts. These extensions steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking. The extensions, some of which are still active, use delayed activation and benign updates to evade detection and build trust before deploying malicious functionality.
Timeline
16.01.2026 16:09 (1 article)
Five Malicious Chrome Extensions Hijack Accounts
Five malicious Chrome extensions impersonate HR and ERP platforms to hijack accounts. The extensions steal authentication tokens, block incident response, and enable account takeover. They exfiltrate cookies to remote servers and manipulate the DOM to block security pages. Users are advised to remove the extensions, reset passwords, and review for unauthorized access.
Sources:
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
31.12.2025 18:14 (1 article)
DarkSpectre Linked to Three Malicious Browser Extension Campaigns
DarkSpectre, a Chinese threat actor, has been attributed to three campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—impacting 8.8 million users. The campaigns involve data theft, affiliate fraud, and corporate espionage, with some extensions still active and others dormant, awaiting malicious updates.
Sources:
- DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
Information Snippets
- DarkSpectre has conducted three campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—affecting 8.8 million users.
  First reported: 31.12.2025 18:14 (1 source, 1 article): DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- ShadyPanda targets Chrome, Edge, and Firefox users, with 5.6 million affected, including 1.3 million newly identified victims.
  First reported: 31.12.2025 18:14 (1 source, 1 article): DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- GhostPoster focuses on Firefox users, using seemingly harmless utilities and VPN tools to commit affiliate fraud and ad fraud.
  First reported: 31.12.2025 18:14 (1 source, 1 article): DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- The Zoom Stealer campaign involves 18 extensions across Chrome, Edge, and Firefox, targeting corporate meeting intelligence.
  First reported: 31.12.2025 18:14 (1 source, 1 article): DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- DarkSpectre uses Alibaba Cloud for command-and-control servers and has links to Chinese provinces like Hubei.
  First reported: 31.12.2025 18:14 (1 source, 1 article): DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide — thehackernews.com — 31.12.2025 18:14
- Five malicious Chrome extensions impersonate HR and ERP platforms to hijack accounts.
  First reported: 16.01.2026 16:09 (1 source, 1 article): Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- Extensions steal authentication tokens, block incident response, and enable account takeover.
  First reported: 16.01.2026 16:09 (1 source, 1 article): Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- Extensions include DataByCloud Access, Tool Access 11, DataByCloud 1, DataByCloud 2, and Software Access.
  First reported: 16.01.2026 16:09 (1 source, 1 article): Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- Extensions exfiltrate cookies to remote servers and manipulate the DOM to block security pages.
  First reported: 16.01.2026 16:09 (1 source, 1 article): Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- DataByCloud Access requests permissions for cookies, management, scripting, storage, and declarativeNetRequest.
  First reported: 16.01.2026 16:09 (1 source, 1 article): Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- Tool Access 11 prevents access to 44 administrative pages within Workday.
  First reported: 16.01.2026 16:09 (1 source, 1 article): Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- DataByCloud 2 blocks 56 pages, including password changes and 2FA device management.
  First reported: 16.01.2026 16:09 (1 source, 1 article): Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- Software Access combines cookie theft with session hijacking capabilities.
  First reported: 16.01.2026 16:09 (1 source, 1 article): Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- Extensions monitor and flag the presence of security-related Chrome extensions.
  First reported: 16.01.2026 16:09 (1 source, 1 article): Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- Users are advised to remove the extensions, reset passwords, and review for unauthorized access.
  First reported: 16.01.2026 16:09 (1 source, 1 article): Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
Similar Happenings
Phantom Shuttle Chrome Extensions Steal User Credentials
Two malicious Chrome extensions named 'Phantom Shuttle' have been discovered in the Chrome Web Store, targeting users in China, particularly foreign trade workers. These extensions, active since at least 2017, hijack user traffic and steal sensitive data by routing it through attacker-controlled proxies. The extensions are promoted as proxy and network speed testing tools but contain covert data-theft functionality. They intercept HTTP authentication challenges, capture form data, steal session cookies, and extract API tokens. The extensions have been found to route traffic from over 170 targeted domains through the C2 infrastructure, capturing a wide range of sensitive information. The operation is likely China-based, and the extensions remain available in the Chrome Web Store as of the time of reporting.
GhostPoster Campaign Uses Steganography in Firefox Addon Logos
A campaign named GhostPoster has been discovered, which hides malicious JavaScript code in the PNG logos of Firefox extensions. These extensions, with over 50,000 downloads, monitor browser activity and plant a backdoor. The hidden script acts as a loader that fetches the main payload from a remote server, retrieving it only 10% of the time to evade detection. The campaign involves 17 compromised extensions, primarily from popular categories like VPNs, weather, and translation tools. The payload can hijack affiliate links, inject tracking code, and commit click and ad fraud. Users are advised to remove these extensions and reset passwords for critical accounts.
ShadyPanda Browser Extensions Campaign Exploits 4.3M Installs
The ShadyPanda campaign has amassed over 4.3 million installations of malicious Chrome and Edge browser extensions, evolving from legitimate tools into spyware over multiple phases. The extensions, discovered by Koi Security, engaged in affiliate fraud, search hijacking, and remote code execution. The campaign remains active on the Microsoft Edge Add-ons platform, with one extension having 3 million installs. The extensions collect browsing history, search queries, keystrokes, mouse clicks, and other sensitive data, exfiltrating it to domains in China. Users are advised to remove these extensions and reset their account passwords. The ShadyPanda campaign used a supply-chain attack tactic by publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. The compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser, capable of downloading and running arbitrary JavaScript with full access to the browser's data and capabilities. The extensions could steal session cookies and tokens, allowing them to impersonate entire SaaS accounts such as Microsoft 365 or Google Workspace. The risk of malicious browser extensions extends beyond individual users, as they can access cookies, local storage, cloud auth sessions, active web content, and file downloads, blurring the line between endpoint security and cloud security. Organizations should enforce extension allow lists, treat extension access like OAuth access, audit extension permissions regularly, and monitor for suspicious extension behavior to reduce the risk of malicious extensions. Modern SaaS security platforms, such as Reco's Dynamic SaaS Security platform, can help organizations monitor and detect suspicious activity related to browser extensions in real time.
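The allowlist and permission audit recommended above can be automated over a Chrome profile. This is an added example (not code from the article or from the researchers it cites) that flags the cookies/management/scripting/declarativeNetRequest set the snippets list for DataByCloud Access together with any extension missing from an allowlist; the allowlist, extension IDs and sample manifests are constructed.

```python
"""Audit Chrome extension manifests for the permission pattern described above.
Added example, not code from the article or from the researchers it cites; the
allowlist, extension IDs and the two sample manifests below are constructed."""
import json
import os

# Four of the permissions the article lists for DataByCloud Access ("storage" alone
# is benign). Together, "cookies" reads session cookies, "management" can enumerate
# or disable other extensions, "scripting" injects page scripts and
# "declarativeNetRequest" can block navigation to chosen URLs such as 2FA pages.
HIGH_RISK = {"cookies", "management", "scripting", "declarativeNetRequest"}

# Constructed allowlist: extension ID -> approved name (real IDs are 32 chars a-p).
ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop": "Corporate SSO helper"}

def risk_findings(ext_id, manifest, allowlist=ALLOWLIST):
    """Return findings for one manifest; an empty list means nothing was flagged."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    if ext_id not in allowlist:
        findings.append("not on allowlist")
    risky = sorted(perms & HIGH_RISK)
    if len(risky) >= 3:
        findings.append("high-risk combination: " + ", ".join(risky))
    elif risky:
        findings.append("sensitive permission: " + ", ".join(risky))
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        findings.append("broad host access: " + ", ".join(sorted(hosts)))
    return findings

def scan_profile(extensions_dir, allowlist=ALLOWLIST):
    """Audit each <id>/<version>/manifest.json under a profile's Extensions dir
    (Linux: ~/.config/google-chrome/Default/Extensions; Windows:
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions)."""
    report = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        for version in sorted(os.listdir(os.path.join(extensions_dir, ext_id))):
            path = os.path.join(extensions_dir, ext_id, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    report[(ext_id, version)] = risk_findings(ext_id, json.load(fh), allowlist)
    return report

# Constructed manifests: one showing the flagged pattern, one benign and approved.
SUSPECT = {"name": "DataByCloud Access", "manifest_version": 3, "host_permissions": ["<all_urls>"],
           "permissions": ["cookies", "management", "scripting", "storage", "declarativeNetRequest"]}
BENIGN = {"name": "Corporate SSO helper", "manifest_version": 3,
          "permissions": ["storage"], "host_permissions": ["https://sso.example.com/*"]}

if __name__ == "__main__":
    for ext_id, m in (("pjklmnopabcdefghijklmnopabcdefgh", SUSPECT),
                      ("abcdefghijklmnopabcdefghijklmnop", BENIGN)):
        print(m["name"], "->", risk_findings(ext_id, m) or ["no findings"])
```

Point scan_profile at the Extensions directory of each profile on a host to get a per-extension, per-version report; anything flagged "not on allowlist" with a high-risk combination is the case the article describes.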
Browser Sandbox Threats Bypassing Modern Security Tools
Modern browsers, despite their sandbox security model, are vulnerable to sophisticated threats that bypass traditional security tools. These threats exploit inherent browser features to conduct credential theft, deploy malicious extensions, and enable lateral movement. Enterprises face a security blind spot between endpoints and cloud environments, where traditional defenses lack visibility. The webinar 'The Browser Sandbox & Its Top 3 Threats' by Keep Aware highlights these vulnerabilities and provides insights on enhancing browser security. The three primary threats are credential theft, malicious extensions, and lateral movement. Credential theft involves social engineering and session hijacking to bypass multi-factor authentication (MFA). Malicious extensions can harvest data, inject ads, or act as malware backdoors. Lateral movement uses browser-native features to extend control beyond the browser context, leading to data loss and device compromise.
TigerJack Campaign Targets Developers with Malicious VSCode Extensions
The TigerJack campaign continues to target developers with malicious Visual Studio Code (VSCode) extensions, which have now been found to leak access tokens, posing a critical software supply chain risk. The campaign has distributed at least 11 malicious VSCode extensions since the beginning of the year; two of them, C++ Playground and HTTP Format, were removed from VSCode but remain on OpenVSX. These extensions steal cryptocurrency, plant backdoors, and exfiltrate source code. The threat actor republishes the same malicious code under new names, making detection and removal challenging. Developers are advised to be cautious when downloading extensions from these platforms.
Over 100 VSCode extensions were found to leak access tokens, allowing attackers to distribute malicious updates. The leaked tokens include AI provider secrets, cloud service provider secrets, and database secrets. Microsoft has revoked the leaked PATs and is adding secret scanning capabilities to enhance security. Organizations are recommended to develop an extension inventory and consider a centralized allowlist for extensions.
A new malicious extension named susvsex with basic ransomware capabilities was published on Microsoft's official VS Code marketplace by 'suspublisher18', and its malicious functionality was openly advertised in its description. That functionality includes file theft to a remote server and encryption of all files with AES-256-CBC. The extension activates on any event, including on installation or when launching VS Code, initializing the 'extension.js' file that contains its hardcoded variables (IP, encryption keys, command-and-control address). It calls a function named zipUploadAndEncrypt, which checks for the presence of a marker text file and then starts the encryption routine: it creates a .ZIP archive of the files in the defined target directory, exfiltrates the archive to the hardcoded C2 address, and then replaces all the files with their encrypted versions. The extension polls a private GitHub repository for commands, periodically checking an 'index.html' file using a PAT token for authentication, and tries to execute any commands found there. The owner of the repository is likely based in Azerbaijan. The extension is an overt threat and may be the result of an experiment to test Microsoft's vetting process. Secure Annex labels susvsex 'AI slop', with its malicious actions exposed in the README file, but notes that a few tweaks would make it far more dangerous. Microsoft initially ignored the report about the extension and did not remove it from the VS Code registry, but it was no longer available by the time the article was published.
Two new malicious extensions, Bitcoin Black and Codo AI, were found on Microsoft's Visual Studio Code Marketplace. Bitcoin Black masquerades as a color theme and Codo AI as an AI assistant; both were published under the developer name 'BigBlack'. Bitcoin Black declares a '*' activation event, so it executes on every VSCode action, and can run PowerShell code; it uses a batch script to download a DLL file and an executable, with the activity occurring in a hidden window. Codo AI includes working code assistance via ChatGPT or DeepSeek but also has a malicious section. Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that deploys the infostealer under the name runtime.exe. The malware creates a directory in '%APPDATA%\Local\' and stores stolen data there, including screenshots, WiFi credentials, system information, and cryptocurrency wallets. It steals cookies and hijacks user sessions by launching Chrome and Edge in headless mode, steals cryptocurrency wallets such as Phantom, Metamask, and Exodus, and looks for passwords and credentials. The malicious DLL is flagged as a threat by 29 of the 72 antivirus engines on VirusTotal.
Microsoft has removed the extensions BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme from the Marketplace. The extensions activate on every VS Code action and embed the malicious functionality within a working tool to bypass detection. Earlier versions executed a PowerShell script to download a password-protected ZIP archive from an external server; subsequent versions used a batch script to download the executable and DLL while hiding the PowerShell window. The legitimate Lightshot binary is used to load the rogue DLL via DLL hijacking. The rogue DLL gathers clipboard contents, installed apps, running processes, desktop screenshots, Wi-Fi credentials, and detailed system information, and launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.
A campaign involving 19 Visual Studio (VS) Code extensions that embed malware inside their dependency folders has been uncovered by cybersecurity researchers. Active since February 2025 but identified on December 2, the operation used a legitimate npm package to disguise harmful files and bundled malicious binaries inside an archive masquerading as a PNG image. This approach, observed by ReversingLabs (RL), enabled attackers to bypass conventional checks and target developers directly. Some extensions imitate popular tools, while others advertise new features but secretly execute unwanted code. The attackers embedded a modified version of the npm package path-is-absolute inside the extensions' node_modules folders. The original package is widely used, with more than 9 billion downloads since 2021, but the altered version included a class designed to trigger the malware when VS Code starts. The attackers also included a file named banner.png, which appeared harmless but opened as an archive containing two binaries. The dropper launched these files via cmstp.exe, a common living-off-the-land binary (LOLBIN). One executable closed the process by simulating a keypress, while the other was a Rust-based Trojan still being analyzed at the time of the report. Although the techniques differed, the goal remained the same: covertly execute malware through trusted components.
Detecting malicious VS Code extensions has become increasingly urgent, ReversingLabs warned; the firm's detections grew from 27 in 2024 to 105 in the first 10 months of 2025. To reduce risk, teams are encouraged to inspect extensions before installation, audit all bundled dependencies, and use security tools capable of evaluating package behavior. All the mentioned extensions have been reported to Microsoft.
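Both the GhostPoster logos above and the banner.png archive here rely on image assets that are not what their file name claims. As an added example (not the researchers' tooling), the following check walks a PNG's chunk list and flags a file that is not a PNG at all, that lacks a terminating IEND chunk, or that carries bytes after IEND; the article does not say where GhostPoster stores its script, so this is a general integrity check rather than that campaign's exact encoding, and the sample files are constructed.

```python
"""Flag PNG assets that carry foreign content: a non-PNG file behind a .png name
(the banner.png archive above) or bytes appended after the IEND chunk. Added
example, not the researchers' tooling; the samples below are constructed."""
import os
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def inspect_png(data):
    """Walk the chunk list; report non-PNG bytes, a missing IEND, or trailing data."""
    if not data.startswith(PNG_SIG):
        return {"is_png": False, "chunks": [], "iend": False, "trailing": 0}
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            break  # chunk runs past end of file: leave the rest as trailing
        chunks.append(ctype.decode("latin1"))
        pos = end
        if ctype == b"IEND":
            return {"is_png": True, "chunks": chunks, "iend": True, "trailing": len(data) - pos}
    return {"is_png": True, "chunks": chunks, "iend": False, "trailing": len(data) - pos}

def is_suspicious(data):
    r = inspect_png(data)
    return not r["is_png"] or not r["iend"] or r["trailing"] > 0

def scan_dir(root):
    """Return {path: inspect_png(...)} for every flagged .png under an unpacked extension."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".png"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                if is_suspicious(data):
                    flagged[path] = inspect_png(data)
    return flagged

def make_png():
    """Build a minimal valid 1x1 RGB PNG (constructed sample)."""
    parts = [(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)),
             (b"IDAT", zlib.compress(b"\x00\x00\x00\x00")), (b"IEND", b"")]
    out = PNG_SIG
    for ctype, body in parts:  # each chunk: length, type, data, CRC over type+data
        out += struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    return out

# Constructed samples: a clean logo, the same logo with bytes appended, a ZIP header named .png
CLEAN = make_png()
APPENDED = CLEAN + b"// constructed: non-PNG bytes hidden after IEND"
FAKE = b"PK\x03\x04" + b"\x00" * 26
```

Run scan_dir over an unpacked extension directory; an image viewer will happily render APPENDED, which is why a byte-level check rather than a visual one is needed.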