The threat actor behind two malicious browser extension campaigns, ShadyPanda and GhostPoster, has been linked to a third attack campaign codenamed DarkSpectre, which has affected 2.2 million users of Google Chrome, Microsoft Edge and Mozilla Firefox.
This activity is believed to be the work of a Chinese threat actor tracked under the alias DarkSpectre. Overall, the campaigns have collectively impacted more than 8.8 million users over a period of more than seven years.
Earlier this month, ShadyPanda was first exposed by a cybersecurity company as targeting users of all three browsers to facilitate data theft, search query hijacking, and affiliate fraud. It was found to have affected 5.6 million users, including 1.3 million newly identified victims originating from over 100 extensions linked to the same cluster.
The cluster also includes an Edge add-on named “New Tab – Customized Dashboard” that contains a logic bomb that waits three days before triggering its malicious behavior. The time-delayed activation is an attempt to make the extension appear legitimate and get it approved during the store review period.
Nine of these extensions are currently active, with an additional 85 “dormant sleepers” that are benign and meant to attract a user base before being weaponized through malicious updates. Koi said that in some cases those updates were introduced after more than five years.
The second campaign, GhostPoster, focuses mostly on Firefox users, targeting them with seemingly harmless utilities and VPN tools that hijack affiliate links, inject tracking code, and serve malicious JavaScript designed to commit click and ad fraud. Further investigation of the activity revealed more browser add-ons, including a Google Translate extension for Opera (developer “charliesmithbon”) with nearly one million installs.
The third campaign attributed to DarkSpectre is Zoom Stealer, a set of 18 extensions across Chrome, Edge and Firefox geared towards corporate meeting intelligence: it collects online meeting data such as the meeting URL with embedded password, meeting ID, subject, description, scheduled time and registration status.
Below is the list of identified extensions and their respective IDs –
Google Chrome –
- Chrome Audio Capture (kfokdmfpdnokpmpbjhjbcabgligoelgp)
- ZED: Zoom Easy Downloader (pdadlkbckhinonakkfkdaadceojbekep)
- X (Twitter) Video Downloader (akmdionenlnfcipmdhbhcnkigafmdha)
- Google Meet Auto Admit (pabkjoplheapcclldpknfpcepheldbga)
- Zoom.us always show “Connect to web” (aedgpiecagcpmehhelbibfbgpfiafdkm)
- Timer for Google Meet (dpdgjbnanmmlikideilnpfjjdbmneanf)
- CVR: Chrome Video Recorder (kabbfhmcaaodobkfbnnehopcghicgffo)
- Download GoToWebinar and GoToMeeting recordings (cphibdhgbdoekmkkcbbaboogedpfibeme)
- Meet Auto Admit (ceofhealaecnecdkdanhejojkpeai)
- Google Meet tweaks (emojis, text, cam effects) (dakebdbeofhmmlnmjlmhjdmmjmfohiicn)
- mute everyone on meet (adjoknoacleghaejlggocbakidkoifle)
- Google Meet Push-to-Talk (pgpidfocdapogajplhjofamgeboonmmj)
- Photo Downloader for Facebook, Instagram, + (ifklcpoenaamhnodgedgedlapnodfcjpn)
- ZoomCoder Extension (ebhomdageggjbmomenipfbhcjamfkmbl)
- Auto-Join for Google Meet (ajfokipknlmjhcioemgnofkpmdnbaldi)
Microsoft Edge –
- Edge Audio Capture (mhjdjckeljinofckdibjiojbdpapoecj)
Mozilla Firefox –
- X-Video-Downloader (published by xtwitterdownloader@benimaddonum.com, “invaliddejavu”)
As is evident from the names of the extensions, most of them are engineered to mimic tools for enterprise-oriented videoconferencing applications such as Google Meet, Zoom and GoTo Webinar, and to pull meeting links, credentials and participant lists over a WebSocket connection in real time.
The extensions are also able to collect details about webinar speakers and hosts, such as names, titles, bios, profile photos and company affiliations, as well as logos, promotional graphics and session metadata, every time a user visits a webinar registration page in a browser with one of the extensions installed.
These add-ons have been found to request access to over 28 video conferencing platforms, including Cisco WebEx, Google Meet, GoTo Webinar, Microsoft Teams, and Zoom, regardless of whether they needed access in the first place.
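As an added example (not code from the article or from Koi's research), the following Python audits a Chromium-style Extensions directory for the Zoom Stealer IDs listed above and reports which conferencing domains each extension requests host access to, the over-permissioning pattern the article describes. The profile directory it scans is constructed in a temporary folder, and the platform domains used as match patterns are assumptions based on the platforms the article names.

```python
import json
import os
import tempfile

# IDs copied from the article's list above (extend with the remaining entries).
ZOOM_STEALER_IDS = {
    "kfokdmfpdnokpmpbjhjbcabgligoelgp": "Chrome Audio Capture",
    "pdadlkbckhinonakkfkdaadceojbekep": "ZED: Zoom Easy Downloader",
    "mhjdjckeljinofckdibjiojbdpapoecj": "Edge Audio Capture",
}
# Platforms named in the article, matched as substrings of host permission patterns (assumed domains).
CONFERENCING_DOMAINS = ("zoom.us", "meet.google.com", "webex.com", "gotowebinar.com", "teams.microsoft.com")

def audit_extensions(extensions_dir):
    """One finding per installed extension: known-bad flag plus the conferencing domains it requests."""
    findings = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):  # layout: <id>/<version>/manifest.json
            manifest_path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            # MV3 lists hosts under host_permissions; MV2 mixed them into permissions.
            hosts = manifest.get("host_permissions", []) + manifest.get("permissions", [])
            hits = sorted(d for d in CONFERENCING_DOMAINS if any(d in h for h in hosts))
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "known_bad": ext_id in ZOOM_STEALER_IDS,
                             "conferencing_domains": hits})
    return findings

def build_sample_dir():
    """Constructed sample profile (not real data): one listed ID over-requesting hosts, one benign add-on."""
    root = tempfile.mkdtemp()
    samples = {"kfokdmfpdnokpmpbjhjbcabgligoelgp": ["*://*.zoom.us/*", "*://meet.google.com/*",
                                                     "*://*.webex.com/*", "*://*.gotowebinar.com/*"],
               "aaaabbbbccccddddeeeeffffgggghhhh": ["*://notes.example/*"]}
    for ext_id, hosts in samples.items():
        version_dir = os.path.join(root, ext_id, "1.0.0_0")
        os.makedirs(version_dir)
        manifest = {"manifest_version": 3, "host_permissions": hosts,
                    "name": ZOOM_STEALER_IDS.get(ext_id, "Benign Notes")}
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root
```

Point audit_extensions at a real profile's Extensions folder (for Chrome on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions) to run the same check on a live host; an extension that is not on the known-bad list but requests several conferencing hosts it has no visible reason to touch is the case worth reviewing.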
“This is not consumer fraud – this is corporate espionage infrastructure,” researchers Tuval Admony and Gal Hachamov said. “Zoom Stealer represents something much more targeted: the systematic collection of corporate meeting intelligence. Users got exactly what was advertised. The extension earned trust and positive reviews. Meanwhile, monitoring continued quietly in the background.”
The cybersecurity company said the collected information could be used to facilitate corporate espionage by selling the data to other bad actors, and to enable social engineering and large-scale impersonation operations.
The operation’s Chinese links are based on several clues: frequent use of command-and-control (C2) servers hosted on Alibaba Cloud, Internet content provider (ICP) registrations associated with Chinese provinces such as Hubei, code artifacts containing Chinese-language strings and comments, and fraud schemes specifically targeting Chinese e-commerce platforms such as JD.com and Taobao.
“DarkSpectre likely has more infrastructure right now — extensions that look completely legitimate because they are legitimate,” Koi said. “They’re still in the trust-building phase, accruing users, earning badges, waiting.”