DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide

[Gandalf_The_Grey]

Content source

https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html

The threat actor behind two malicious browser extension campaigns, ShadyPanda and GhostPoster, has been attributed to a third attack campaign codenamed DarkSpectre that has impacted 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox.

The activity is assessed to be the work of a Chinese threat actor that Koi Security is tracking under the moniker DarkSpectre. In all, the campaigns have collectively affected over 8.8 million users spanning a period of more than seven years.

ShadyPanda was first unmasked by the cybersecurity company earlier this month as targeting all three browser users to facilitate data theft, search query hijacking, and affiliate fraud. It has been found to affect 5.6 million users, including 1.3 newly identified victims stemming from over 100 extensions flagged as connected to the same cluster.

This also includes an Edge add-on named "New Tab - Customized Dashboard" that features a logic bomb that waits for three days prior to triggering its malicious behavior. The time-delayed activation is an attempt to give the impression that it's legitimate during the review period and get it approved.

Nine of these extensions are currently active, with an additional 85 "dormant sleepers" that are benign and meant to attract a user base before they are weaponized via malicious updates. Koi said the updates were introduced after more than five years in some cases.

The second campaign, GhostPoster, is mostly focused on Firefox users, targeting them with seemingly harmless utilities and VPN tools to serve malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. Further investigation into the activity has unearthed more browser add-ons, including a Google Translate (developer "charliesmithbons") extension for Opera with nearly one million installs.

The most recent discovery, The Zoom Stealer, is the third such campaign from DarkSpectre, employing a set of 18 extensions across Chrome, Edge, and Firefox for facilitating corporate intelligence by collecting online meeting-related data like meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration status.

DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide

A China-linked threat actor used malicious browser extensions over seven years to steal data and corporate intelligence from Chrome, Edge, and Firefox

thehackernews.com

 

[Bot]

DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide

A China-linked threat actor used malicious browser extensions over seven years to steal data and corporate intelligence from Chrome, Edge, and Firefox

thehackernews.com

These reports are a good reminder that “store-approved” browser extensions can still become malicious later (via delayed activation, remote configuration, or weaponized updates), so the safest response is to treat any listed extension as a potential account/session compromise, not “just ad fraud.” ([thehackernews.com](https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html))

What the reporting is claiming (context)

• The Hacker News (Dec 31, 2025) summarizes Koi Security’s research attributing multiple malicious extension campaigns (ShadyPanda, GhostPoster, and “The Zoom Stealer”) to one cluster they track as “DarkSpectre,” with claimed impact in the millions. ([thehackernews.com](https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html))
• Koi’s write-up (Dec 30, 2025) describes long “trust-building” periods, time-delayed activation (example: 3 days), and payload delivery techniques like hiding code in PNG resources. ([koi.ai](https://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers))

Note: Attribution (“Chinese threat actor”) here is an assessment based on infrastructure and artifacts, not absolute proof. ([thehackernews.com](https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html))

If you may have installed any of the listed extensions (home user checklist)

• Remove/disable suspicious extensions immediately (Chrome/Edge/Firefox) and restart the browser. Do not “just leave it disabled” long-term if it matches a reported malicious add-on.
• Assume browser sessions may be exposed: sign out of important websites (email, banking, social, work apps) and revoke other active sessions from the account security pages.
• Change passwords for high-value accounts (starting with email), and enable MFA if it is not already enabled. Focus on accounts you accessed while the extension was installed.
• If you use Zoom/Teams/Meet/Webex etc., rotate meeting links where possible (new meeting IDs/links) and review meeting settings (waiting room, passcodes, authentication requirements), because the “meeting intelligence” angle is specifically called out in the reporting. ([thehackernews.com](https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html))
• Run on-demand scans with reputable security software on the device. (Extensions are “in-browser,” but you still want to rule out follow-on downloads.)
• If you sync extensions across devices (Chrome/Edge/Firefox Sync), repeat the extension review on every synced device and consider temporarily turning sync off until cleaned.

If you manage endpoints (work/enterprise)

• Consider an extension allowlist policy (block unknown/unapproved extensions), especially for browsers used to access corporate meetings and SSO.
• Audit installed extensions and permissions across the fleet, and investigate browser-to-network indicators (unexpected WebSocket connections, unusual extension update behavior, suspicious domains referenced by extension code).
• If any affected extensions were present on corporate systems, treat it as an incident-response item: review SSO sessions, meeting platform access logs, and potential data exposure, then rotate credentials/tokens accordingly.

Bottom line

If any extension matches the ones named in the Koi/THN reporting, uninstall it and treat it as a potential session/credential exposure event; cleaning the browser is only step one. ([thehackernews.com](https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html))

Sources

• DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide
• DarkSpectre: Unmasking the Threat Actor Behind 8.8 Million Infected Browsers

 

[Divergent]

Indicators of Compromise (IOCs)
The following extension IDs have been identified as part of this campaign. Immediate removal is required.

Google Chrome Extensions

kfokdmfpdnokpmpbjhjbcabgligoelgp
(Chrome Audio Capture)

pdadlkbckhinonakkfkdaadceojbekep
(ZED: Zoom Easy Downloader)

akmdionenlnfcipmdhbhcnkighafmdha
(X (Twitter) Video Downloader)

pabkjoplheapcclldpknfpcepheldbga
(Google Meet Auto Admit)

aedgpiecagcpmehhelbibfbgpfiafdkm
(Zoom.us Always Show "Join From Web")

dpdgjbnanmmlikideilnpfjjdbmneanf
(Timer for Google Meet)

kabbfhmcaaodobkfbnnehopcghicgffo
(CVR: Chrome Video Recorder)

cphibdhgbdoekmkkcbbaoogedpfibeme
(GoToWebinar & GoToMeeting Download Recordings)

ceofheakaalaecnecdkdanhejojkpeai
(Meet auto admit)

dakebdbeofhmlnmjlmhjdmmjmfohiicn
(Google Meet Tweak)

adjoknoacleghaejlggocbakidkoifle
(Mute All on Meet)

pgpidfocdapogajplhjofamgeboonmmj
(Google Meet Push-To-Talk)

ifklcpoenaammhnoddgedlapnodfcjpn
(Photo Downloader for Facebook, Instagram, +)

ebhomdageggjbmomenipfbhcjamfkmbl
(Zoomcoder Extension)

ajfokipknlmjhcioemgnofkpmdnbaldi
(Auto-join for Google Meet)

Microsoft Edge Extensions

mhjdjckeljinofckdibjiojbdpapoecj
(Edge Audio Capture)

Mozilla Firefox Extensions

{7536027f-96fb-4762-9e02-fdfaedd3bfb5} (Twiter X Video Downloader)

xtwitterdownloader[@]benimaddonum[.]com
(x-video-downloader)

Remediation & Mitigation

Immediate Removal
Audit all browser extensions across the enterprise environment. Remove any extension matching the names or IDs listed above.

Credential Rotation
Users who had these extensions installed should be considered compromised. Reset passwords for any corporate accounts accessed via that browser, specifically focusing on conferencing tools (Zoom, Teams, Google Workspace).

Invalidate Meeting Links
Since the malware scrapes future meeting links with embedded passwords, consider regenerating links for sensitive recurring meetings.

Enterprise Policy
Enforce a "Block List" or "Allow List" policy for browser extensions.

Chrome
Use Group Policy or Chrome Enterprise Core to block extension installation by default (ExtensionInstallBlocklist: *).

Edge
Use Administrative Templates to restrict extension sources.

Review Permissions
Investigate extensions requesting broad permissions such as "Read and change all your data on the websites you visit," especially if the extension's function (e.g., a timer) does not warrant such access.

Primary Intelligence Source (The Originator)

Entity
Koi Security

Report Title
"DarkSpectre: Unmasking the Threat Actor Behind 8.8 Million Infected Browsers"

Role
Original discoverer of the campaign. They performed the code analysis, identified the C2 infrastructure (Alibaba Cloud), and linked the "Zoom Stealer" extensions to the previous "ShadyPanda" and "GhostPoster" actors.

Key Contribution
Identification of the WebSocket exfiltration method and the "sleeper" extension methodology.

Secondary Reporting
The Hacker News

Status
Trusted Industry Reporting