Jan 26, 2026 · 5 min read
This 7-Year Malware Campaign Infected 8.8 Million Browsers—And Stole Corporate Meeting Data
Security researchers have exposed DarkSpectre, a sophisticated threat actor that ran three coordinated malware campaigns through browser extensions. One campaign specifically targeted corporate video conferencing data.
The Scale of the Operation
Security researchers at Koi Security have uncovered one of the most extensive browser extension malware operations ever documented. A threat actor group called DarkSpectre compromised over 8.8 million users across Chrome, Edge, Firefox, and Opera browsers over seven years of operation.
The operation consisted of three interconnected campaigns:
- ShadyPanda: Approximately 5.6 million infected users
- Zoom Stealer: Approximately 2.2 million infected users
- GhostPoster: Approximately 1.05 million infected users
What makes DarkSpectre particularly dangerous is its patience and sophistication. These weren't crude malware operations—they were carefully orchestrated campaigns designed to avoid detection while harvesting valuable data at scale.
Corporate Espionage Through Meeting Data
The most alarming component is the Zoom Stealer campaign. Unlike typical browser malware that steals passwords or credit cards, Zoom Stealer targeted something more valuable to certain actors: corporate meeting intelligence.
The campaign deployed 18 malicious extensions across Chrome, Edge, and Firefox that harvested data from over 28 video conferencing platforms, including Zoom, Microsoft Teams, and Google Meet. The stolen information included:
- Meeting URLs with embedded passwords
- Meeting IDs, topics, and descriptions
- Scheduled times and registration status
- Speaker names, titles, bios, and photos
- Attendee lists and participant profiles
Researchers Tuval Admoni and Gal Hachamov were direct in their assessment: "This isn't consumer fraud—this is corporate espionage infrastructure."
How the Attack Worked
DarkSpectre's extensions masqueraded as legitimate productivity tools—meeting timers, auto-admit assistants, video downloaders, and customizable new tab pages. They functioned as advertised, providing real utility to users while quietly exfiltrating data in the background.
The data streamed in real time. The moment a user joined or viewed a meeting, the information flowed to attacker-controlled servers. Users had no indication that their meeting details were being harvested.
The operational infrastructure appeared legitimate on the surface. DarkSpectre used domains like infinitynewtab[.]com and infinitytab[.]com for user-facing functions, while malicious command and control servers operated separately behind the scenes.
Sophisticated Evasion Techniques
DarkSpectre employed multiple techniques to avoid detection by security researchers and browser extension reviewers:
- Time bomb activation: Extensions remained dormant for days or even years before activating malicious behavior. One extension called "New Tab – Customized Dashboard" waited three full days after installation before contacting command and control servers.
- Selective triggering: Malicious behavior activated on only approximately 10% of page loads, dramatically reducing the chance of detection during security testing.
- Steganography: Malicious JavaScript was hidden inside PNG image files that appeared to be normal extension assets. The extension would load its own logo, extract the hidden code, and execute it silently.
- Heavy obfuscation: Custom encoding, XOR encryption, and packed code made reverse engineering difficult.
- Server-side payloads: Malicious behavior could be changed dynamically from the server without requiring extension updates, making it harder to catch specific malicious versions.
The Value of Stolen Meeting Data
Understanding why meeting data is valuable helps explain the sophistication of this operation. The researchers identified several ways this intelligence could be monetized or exploited:
- Corporate espionage: Competitors or nation states could purchase access to strategy meetings, product roadmap discussions, and M&A negotiations
- Sales intelligence: Knowing which companies attend which webinars reveals their interests, purchasing timelines, and vendor evaluation processes
- Social engineering: Armed with speaker names, titles, bios, and photos, attackers can craft highly convincing phishing campaigns impersonating executives or meeting participants
- Credential harvesting: Meeting URLs often contain embedded passwords, providing direct access to scheduled meetings
Attribution to China
Multiple indicators point to DarkSpectre being a well-resourced Chinese operation. The researchers found that command and control servers were consistently hosted on Alibaba Cloud infrastructure, the group relied on China-based internet content providers, and Chinese-language strings appeared throughout the malicious code.
The focus on corporate meeting intelligence aligns with known Chinese state interests in industrial espionage. However, the operation could also serve commercial intelligence purposes, providing valuable data to competitors willing to pay for insider information on their targets.
Protecting Your Organization
The DarkSpectre campaign highlights the serious risks posed by browser extensions, particularly in corporate environments. Organizations should consider:
- Extension whitelisting: Only allow pre-approved extensions on corporate devices rather than letting employees install anything from browser stores
- Regular audits: Periodically review installed extensions across the organization and remove any that aren't strictly necessary
- Meeting security: Use meeting passwords and waiting rooms, avoid embedding passwords in URLs when possible, and be cautious about sharing meeting links broadly
- Network monitoring: Watch for unusual outbound connections from employee browsers, particularly to cloud infrastructure in unexpected regions
- Security awareness: Train employees to be suspicious of extensions requesting broad permissions, even if they appear to provide useful functionality
For Individual Users
If you use browser extensions, especially any related to video conferencing or productivity:
- Go to your browser's extension page and review everything installed
- Remove any extensions you don't actively use or don't remember installing
- Be especially suspicious of extensions that request access to "all websites" or have overly broad permissions
- Prefer official apps from video conferencing providers rather than third-party browser extensions
- Check extension reviews and developer history before installing anything new
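The audit and permission checks recommended above (the organizational "Regular audits" item and the individual "all websites" warning) can be scripted. The following is an added example written for this article, not a tool from the researchers: it scores each extension's manifest.json by whether it claims access to every site and which sensitive APIs it requests. The two sample manifests are constructed; `audit_profile()` assumes the Chromium on-disk layout of `Extensions/<id>/<version>/manifest.json`.

```python
import json
from pathlib import Path

# Host patterns that let an extension's scripts run on every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose page content, navigation or network traffic.
RISKY_APIS = {"tabs", "webRequest", "webRequestBlocking", "declarativeNetRequest",
              "cookies", "history", "scripting", "debugger", "nativeMessaging"}

def audit_manifest(manifest: dict) -> dict:
    """Score one manifest.json (MV2 or MV3) by how much of the browser it can see."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    broad = sorted(h for h in hosts if h in BROAD_HOSTS)
    risky = sorted(perms & RISKY_APIS)
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "broad_hosts": broad, "risky_apis": risky, "score": 2 * len(broad) + len(risky)}

def audit_profile(extensions_dir: str) -> list[dict]:
    """Audit every <id>/<version>/manifest.json under a Chromium profile's Extensions folder."""
    reports = []
    for mf in Path(extensions_dir).glob("*/*/manifest.json"):
        report = audit_manifest(json.loads(mf.read_text(encoding="utf-8")))
        report["id"] = mf.parent.parent.name  # the 32-character extension id directory
        reports.append(report)
    return sorted(reports, key=lambda r: r["score"], reverse=True)

# Constructed sample manifests (not real extensions): a lookalike "meeting timer" that
# asks for far more than a timer needs, and a theme that asks for almost nothing.
SAMPLES = [
    {"name": "Meeting Timer", "version": "1.4", "manifest_version": 3,
     "permissions": ["storage", "tabs", "webRequest"], "host_permissions": ["<all_urls>"],
     "content_scripts": [{"matches": ["*://*.example-meet.test/*"], "js": ["content.js"]}]},
    {"name": "Dark Theme", "version": "2.0", "manifest_version": 3, "permissions": ["storage"]},
]

def audit_samples() -> list[dict]:
    return sorted((audit_manifest(m) for m in SAMPLES), key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in audit_samples():
        print(r["score"], r["name"], r["broad_hosts"], r["risky_apis"])
```

A high score does not prove malice, but an extension whose stated purpose (a timer, a new tab page) does not explain its access to every site is exactly the mismatch worth removing or escalating.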
The seven-year duration of this campaign demonstrates that malicious extensions can persist for remarkably long periods. The most dangerous threats aren't the ones that get caught quickly—they're the ones that operate quietly, collecting data year after year without detection.