Zoom Stealer browser extensions harvest corporate meeting intelligence

Brownie2019

Mar 9, 2019
A newly discovered campaign, which researchers call Zoom Stealer, is affecting 2.2 million Chrome, Firefox, and Microsoft Edge users through 18 extensions that collect online meeting-related data like URLs, IDs, topics, descriptions, and embedded passwords.

Zoom Stealer is one of three browser extension campaigns that reached more than 7.8 million users over seven years and are attributed to a single threat actor tracked as DarkSpectre.

Based on the used infrastructure, DarkSpectre is believed to be the same China-linked threat actor behind the previously documented GhostPoster, which targeted Firefox users, and ShadyPanda, which delivered spyware payloads to Chrome and Edge users.
Full Story:
Thanks for posting this. Even without a local malware payload, a “data-harvesting” browser extension campaign like this can be serious because meeting URLs/IDs/topics/descriptions (and especially any embedded passwords) are often enough to enable targeted phishing, meeting intrusion, or wider corporate reconnaissance.

What to take away (safely)
  • Treat the attribution (“DarkSpectre”, “China-linked”, etc.) as researcher assessment, not absolute proof. What matters operationally is that some extensions were reportedly collecting meeting intelligence.
  • The practical risk is information exposure: meeting metadata can reveal org structure, project names, customer names, internal systems, and can be used to craft convincing follow-up attacks.

Immediate actions (low-risk, recommended)
  • Audit and remove suspicious extensions in Chrome/Edge/Firefox (remove anything you don’t absolutely need, anything newly installed, or anything with odd permissions/reviews).
  • Check extension permissions. Be extra cautious with extensions that can “Read and change data on all websites you visit”, access tabs, or read clipboard content.
  • Force a browser restart and re-check the extension list (some users miss that “sync” can re-add extensions across devices if the same profile is used).
  • Run reputable on-demand scans (this won’t “prove” an extension is safe, but it can catch secondary payloads if they exist):
    • Microsoft Defender (full scan)
    • Malwarebytes (on-demand)
    • ESET Online Scanner (second opinion)

If corporate meeting data may have been exposed
  • Rotate meeting credentials/links where feasible (especially recurring meetings) and avoid embedding passwords in URLs going forward.
  • Harden meeting settings (waiting room/lobby, authenticated users only, disable “join before host” where applicable, restrict screen share, etc.).
  • Alert internal security/IT so they can check browser/identity logs and apply organization-wide controls (extension allowlisting, policy-based removals, and monitoring for suspicious add-ons).

Verification & community-friendly next step
If you want other members to sanity-check risk quickly, post a list (or screenshots) of your installed extensions and which browser(s) you use (Chrome/Edge/Firefox). The safest approach is to evaluate based on extension name + publisher + permissions + extension ID, not just the name.

Bottom line
Assume any unknown or unneeded extension can be a data-exposure risk, remove aggressively, then rotate/harden meeting access if there’s any chance meeting links or passwords were captured.
 
From the original research article: DarkSpectre: Unmasking the Threat Actor Behind 8.8 Million Infected Browsers

Campaign Deep-Dive: The Zoom Stealer

Regardless of stated function, every Zoom Stealer extension requested access to 28+ video conferencing platforms: Zoom, Microsoft Teams, Google Meet, Cisco WebEx, GoToWebinar, ON24, Demio, and 21+ more.

A Twitter video downloader has no reason to access Zoom. A Google Meet timer has no reason to access WebEx. But every extension in this campaign requested access to all of them.

Final Thoughts

And DarkSpectre is just one group. How many other threat actors - Chinese, Russian, North Korean, or otherwise - are running similar long-term operations? In total, this group has almost 300+ extensions that we found across multiple campaigns. The total number of sleeper extensions across all threat actors is unknowable.

😅🤣I should go for rehab in my extension addictions.
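An added check, not from the thread or the research article, that turns the indicator quoted above (an extension whose host permissions reach many conferencing platforms regardless of its stated purpose) and the earlier reply's "check extension permissions" advice into something you can run over a Chrome/Edge profile's Extensions folder. The conferencing host list, the threshold of three platforms and the two sample manifests are constructed assumptions; Firefox stores add-ons as XPI archives, so those would need unpacking first.

```python
import json
from pathlib import Path
# Primary domains for platforms named in the excerpt (Zoom, Teams, Meet, WebEx,
# GoToWebinar, ON24, Demio). Assumption: one domain per platform suffices here.
CONFERENCING_HOSTS = {"zoom.us", "teams.microsoft.com", "meet.google.com", "webex.com",
                      "gotowebinar.com", "on24.com", "demio.com"}

def host_patterns(manifest: dict) -> list[str]:
    """All match patterns: MV2 'permissions', MV3 'host_permissions', content scripts."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns

def pattern_covers(pattern: str, host: str) -> bool:
    """True if a WebExtension match pattern reaches the given host."""
    if pattern == "<all_urls>":
        return True
    host_part = pattern.partition("://")[2].split("/", 1)[0]
    if host_part == "*":                     # e.g. *://*/* reaches every host
        return True
    if host_part.startswith("*."):           # *.zoom.us also matches zoom.us itself
        base = host_part[2:]
        return host == base or host.endswith("." + base)
    return host == host_part

def conferencing_reach(manifest: dict) -> set[str]:
    """Conferencing platforms this extension's permissions can reach."""
    patterns = host_patterns(manifest)
    return {h for h in CONFERENCING_HOSTS if any(pattern_covers(p, h) for p in patterns)}

def audit(manifests: dict[str, dict], threshold: int = 3) -> list[tuple[str, int]]:
    """(name, platform count) for extensions reaching at least `threshold` platforms."""
    hits = [(name, len(conferencing_reach(m))) for name, m in manifests.items()]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])

def load_profile(extensions_dir: str) -> dict[str, dict]:
    """Read every manifest.json below a Chrome/Edge profile's Extensions directory."""
    return {str(mf.parent): json.loads(mf.read_text(encoding="utf-8"))
            for mf in Path(extensions_dir).rglob("manifest.json")}

# Constructed manifests, not real extensions: a "video downloader" that asks for four
# conferencing sites (the Zoom Stealer pattern) and a Meet timer that only touches Meet.
SAMPLE_MANIFESTS = {
    "video-downloader": {"manifest_version": 3, "host_permissions": [
        "*://*.zoom.us/*", "*://teams.microsoft.com/*", "*://meet.google.com/*", "*://*.webex.com/*"]},
    "meet-timer": {"manifest_version": 3,
                   "content_scripts": [{"matches": ["https://meet.google.com/*"]}]},
}
```

Run `audit(load_profile(r"...\User Data\Default\Extensions"))` against a real profile; a hit only says the permissions are over-broad for the extension's job, which is the cue to look at publisher, ID and reviews before deciding.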
 
DarkSpectre - a Chinese threat actor behind at least three major malware campaigns infecting over 8.8 million users in over 7 years of operation.
