An investigative report on DarkSpectre's seven-year operation that turned common utilities into conduits for harvesting sensitive meeting intelligence from 2.2 million users.

Continue reading
A sophisticated threat actor operating under the alias DarkSpectre has successfully infiltrated the browsers of approximately 7.8 million users over seven years through malicious extensions available on official marketplaces.
Their latest campaign, dubbed "Zoom Stealer," specifically targets corporate meeting intelligence through 18 seemingly legitimate browser extensions that have infected 2.2 million Chrome, Firefox, and Edge installations.
These tools harvest real-time data from 28 conferencing platforms—including Zoom, Teams, and WebEx—streaming URLs, credentials, participant details, and proprietary corporate information directly to attacker-controlled servers.
The campaign was uncovered and documented by researchers at Koi Security, a supply-chain security firm that specializes in analyzing software dependencies and browser ecosystem threats. Their investigation, shared exclusively with BleepingComputer, reveals a connected web of three separate but related campaigns spanning nearly a decade.
"What makes this campaign particularly insidious is its patience and legitimacy facade," explained a senior Koi Security analyst who requested anonymity due to ongoing investigations. "These aren't obviously malicious tools—they're fully functional extensions that millions have voluntarily installed, often with high ratings and featured status."
The researchers identified DarkSpectre as the common thread behind:
Despite responsible disclosure by researchers, multiple identified extensions remain available on the Chrome Web Store as of publication time.
The Zoom Stealer extensions masquerade as legitimate productivity tools. Among the most popular are:
All function exactly as advertised, which forms their primary defense against detection. However, their manifest files request sweeping permissions that exceed their stated functionality—specifically, access to 28 distinct video-conferencing domains regardless of the extension's purpose.
The malicious code activates only when users navigate to targeted platforms, employing event-based triggers that include:
Data Collection Taxonomy:
| Data Type | Examples | Potential Misuse |
|---|---|---|
| Access Credentials | Meeting IDs, embedded passwords, registration tokens | Unauthorized meeting access |
| Participant Intelligence | Names, titles, biographies, profile photos | Social engineering, impersonation |
| Corporate Context | Company logos, session topics, speaker affiliations | Competitor intelligence, spear-phishing |
| Temporal Data | Scheduled times, duration, recurrence patterns |
Unlike traditional malware that stores and periodically transmits data, Zoom Stealer extensions establish persistent WebSocket connections to stream intelligence in real-time. The infrastructure employs:
_"The real-time streaming is particularly concerning,"_ noted the Koi Security report. _"It means the attackers could potentially join a meeting while it's still in progress, not just harvest data for later use."_
Koi Security researchers have connected DarkSpectre to Chinese operations based on multiple converging lines of evidence:
DarkSpectre's operations demonstrate hallmark characteristics of state-aligned cyber-espionage groups:
This campaign represents an evolution of previously documented China-nexus operations targeting collaboration tools. Industry analysts note increased focus on remote work infrastructure since 2020, with multiple nation-state groups developing capabilities to exploit the distributed enterprise.
The stolen data creates what Koi Security calls a "Corporate Intelligence Graph"—a connected database of relationships, schedules, proprietary discussions, and access credentials.
The intelligence could be weaponized in multiple ways:
"This isn't just about eavesdropping on meetings," emphasized a former intelligence official now working in corporate security. "This is about building organizational maps—understanding who makes decisions, when they meet, what they're discussing, and how to insert yourself into those conversations."
The persistent presence of these extensions on official marketplaces raises fundamental questions about store security:
Despite automated and manual review processes:
Browser stores operate on volume-based models that may inadvertently prioritize quantity over security. With millions of extensions and frequent updates, a comprehensive security review remains challenging.
Most organizations lack visibility into browser extension installations across their workforce, creating an unmanaged attack surface.
As of publication:
Critical unresolved questions include:
The Zoom Stealer campaign represents a maturation of software supply chain attacks with several concerning developments:
Traditional supply chain attacks focused on compromising development tools or update mechanisms. This campaign targets the distribution channel itself—the browser stores—exploiting trust in curated marketplaces.
The shift from obviously malicious software to weaponized legitimate tools represents a fundamental change in the threat landscape. The boundary between "trusted" and "malicious" has blurred.
The "sleeper" methodology—extensions remaining benign for extended periods—defuses traditional threat detection focused on immediate malicious behavior.
"We're witnessing the professionalization of the extension-based attack vector," concluded the Koi Security report. "What began as ad-hoc malicious extensions has evolved into a sustained, well-resourced intelligence collection operation exploiting the very foundations of browser extension trust models."
The Zoom Stealer campaign exposes systemic vulnerabilities in the browser extension ecosystem that transcend any single vendor or platform. As collaboration tools become increasingly central to business operations, and as browsers become the primary workplace interface, the security of extensions can no longer be an afterthought.
The solution requires collaborative action across multiple stakeholders:
Perhaps most importantly, organizations must recognize that meeting security extends beyond platform settings—it includes securing every endpoint and extension that might interact with those meetings.
The DarkSpectre operations demonstrate that patient, well-resourced adversaries have identified browser extensions as a high-value, low-risk attack vector. The question now is whether the broader ecosystem can implement meaningful countermeasures before this methodology becomes standardized across the threat landscape.
This report is based on technical analysis provided by Koi Security, independent verification of extension behaviors, infrastructure analysis, and interviews with cybersecurity professionals. All malicious extension identifiers have been shared with relevant platform providers prior to publication.

Backdoor.Daxin, the kernel-mode rootkit Symantec once called the most advanced tool ever tied to a China-linked espionage actor, has been found running again
| Planning physical or digital intrusion |