A sophisticated Chinese threat actor dubbed DarkSpectre has compromised 8.8 million users across Chrome, Edge, and Firefox through three distinct malware campaigns that have operated undetected for over seven years, researchers revealed today.
The operation represents one of the most extensive and professionally organized browser extension threats ever documented, combining long-term infrastructure investment with nation-state-level operational discipline.
The discovery emerged from an expanded investigation into the ShadyPanda campaign, initially thought to be an isolated operation affecting 4.3 million users.
Further analysis of infrastructure breadcrumbs, specifically the domains infinitynewtab.com and infinitytab.com, uncovered two additional campaigns linked to the same actor: GhostPoster, which used steganographic techniques to infect 1.05 million Firefox users, and a previously undisclosed operation called The Zoom Stealer, which harvested corporate meeting intelligence from 2.2 million victims.
DarkSpectre’s methodology demonstrates exceptional patience and strategic planning. The threat actor maintains parallel playbooks tailored to different objectives, each optimized for specific platforms and victim profiles.
| Campaign | Victims | Platforms | Primary Objective |
|---|---|---|---|
| The Zoom Stealer (New) | 2.2M | Chrome, Edge, Firefox | Corporate Meeting Intelligence |
| ShadyPanda (1.3M New Victims) | 5.6M | Chrome, Edge, Firefox | Surveillance + Affiliate Fraud |
| GhostPoster (1M New Victims) | 1.05M | Firefox | Stealthy Payload Delivery |
ShadyPanda, the flagship operation, deployed over 100 extensions masquerading as productivity tools: new tab pages, translators, and tab managers.
These extensions operated legitimately for 3-5 years, accumulating “Featured” and “Verified” badges before weaponization through configuration-based command-and-control updates that required no extension store review.
The Zoom Stealer campaign represents DarkSpectre’s evolution toward corporate espionage.
Chrome, Edge, and Firefox Extensions Targeted
Disguised as functional meeting productivity tools, including video downloaders, timers, and recording assistants, the 18 extensions in this cluster requested permissions for 28 video conferencing platforms, including Zoom, Microsoft Teams, Google Meet, and Cisco WebEx.
When users visited webinar registration pages, the extensions scraped meeting URLs with embedded passwords, participant lists, speaker dossiers containing professional biographies and affiliations, and corporate branding materials.
This data streamed in real time through persistent WebSocket connections to Firebase and Google Cloud Function infrastructure, creating a searchable database of corporate meeting intelligence.
GhostPoster employed a different stealth technique, hiding malicious JavaScript inside PNG icon files using steganography.
The extensions loaded their own logos, extracted hidden code, and executed multi-stage payloads with 48-hour delays and 10% activation probability to evade detection.
This campaign infected 1.05 million users across Firefox and Opera before researchers connected it to ShadyPanda through shared C2 infrastructure domains liveupdt.com and dealctr.com.
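A defender-side triage check for the PNG-icon hiding technique described above, added here as an example and not code from the researchers or from the campaign: it walks a PNG's chunk list and flags trailing data after IEND, CRC mismatches, and script-like tokens inside ancillary text chunks, the places where a payload can sit without disturbing how the icon renders. The sample icons and the loader-stub string are constructed for the demonstration.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Tokens that rarely belong in image metadata but are typical of a JavaScript loader stub.
SCRIPT_MARKERS = re.compile(rb"eval\(|atob\(|Function\(|fetch\(|new WebSocket|chrome\.runtime|browser\.runtime")

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, body, CRC32 over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def audit_icon(data: bytes) -> list:
    """Walk a PNG's chunk list and return human-readable findings (empty list means nothing odd)."""
    findings = []
    if not data.startswith(PNG_SIG):
        return ["missing PNG signature"]
    pos, saw_iend = len(PNG_SIG), False
    while pos + 12 <= len(data) and not saw_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            findings.append("truncated chunk %r" % ctype)
            break
        if struct.unpack(">I", crc_field)[0] != zlib.crc32(ctype + body):
            findings.append("bad CRC in chunk %r" % ctype)
        if ctype[:1].islower():  # lowercase first letter = ancillary chunk; decoders ignore unknown ones
            text = body
            if ctype == b"zTXt" and b"\x00" in body:  # layout: keyword, NUL, method byte, zlib data
                try:
                    text = zlib.decompress(body.split(b"\x00", 1)[1][1:])
                except zlib.error:
                    findings.append("undecodable zTXt chunk")
            if SCRIPT_MARKERS.search(text):
                findings.append("script-like content in ancillary chunk %r" % ctype)
        saw_iend = ctype == b"IEND"
        pos += 12 + length
    if saw_iend and pos < len(data):
        findings.append("%d trailing bytes after IEND" % (len(data) - pos))
    return findings

# Constructed samples, not campaign artifacts: a clean 1x1 RGB icon, the same icon with a stub appended after IEND, and one carrying the stub in a tEXt chunk.
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
_IDAT = zlib.compress(b"\x00\x00\x00\x00")  # one filter byte plus one RGB pixel
CLEAN_ICON = PNG_SIG + _chunk(b"IHDR", _IHDR) + _chunk(b"IDAT", _IDAT) + _chunk(b"IEND", b"")
_STUB = b"(function(){eval(atob('...'))})();"
APPENDED_ICON = CLEAN_ICON + _STUB
TEXT_CHUNK_ICON = (PNG_SIG + _chunk(b"IHDR", _IHDR) + _chunk(b"tEXt", b"Comment\x00" + _STUB)
                   + _chunk(b"IDAT", _IDAT) + _chunk(b"IEND", b""))
```

Run `audit_icon` over every `.png` shipped in an unpacked extension directory; a clean icon returns an empty list, so any non-empty result is worth a manual look.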
Attribution evidence points conclusively to a well-resourced Chinese operation. Command-and-control servers consistently reside on Alibaba Cloud infrastructure in China with ICP registrations linked to Hubei province.
Code artifacts contain Chinese language strings, comments, and variable names, while affiliate fraud schemes specifically target Chinese e-commerce platforms JD.com and Taobao.
The operational characteristics (extreme patience, multi-platform capability, and diverse objectives) exceed typical cybercriminal capacity, suggesting state sponsorship or state-tolerant funding.
The scale of the dormant threat remains alarming. Researchers identified 85+ “sleeper” extensions that have completed their trust-building phase, maintaining clean code and positive reviews while awaiting weaponization updates.
These extensions, combined with 9 currently active malicious tools, create a persistent risk ecosystem where yesterday’s legitimate extension becomes today’s spyware.
DarkSpectre’s discovery underscores a fundamental vulnerability in browser extension marketplaces: the review-once, update-anytime model enables threat actors to bypass security checks through time-delayed activation.
The operation’s 7-year longevity and 8.8-million-user reach demonstrate that current detection mechanisms fail against patient, well-funded adversaries operating at strategic scale.
Organizations must recognize that the extension threat landscape has evolved from opportunistic criminals to professional operations capable of maintaining decade-long campaigns with nation-state resources and discipline.