The Hacker News
Chinese APT DarkSpectre Leverages Malicious Browser Extensions
Wednesday, December 31, 2025
What
The Chinese threat actor DarkSpectre has deployed malicious browser extensions across multiple platforms, affecting millions of users. These campaigns, including "The Zoom Stealer," are designed for corporate espionage, exfiltrating sensitive meeting data and user information.
Where
Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera browser users globally are affected, with the threat actor linked to China.
When
Activity spans over seven years, with the ShadyPanda campaign unmasked earlier this month by Koi Security.
Key Factors
- The threat actor employs a multi-stage attack strategy, including "dormant sleeper" extensions that remain benign for years before receiving malicious updates, and logic bombs for delayed activation to evade detection.
- The "Zoom Stealer" campaign specifically targets corporate meeting intelligence, exfiltrating sensitive data like meeting URLs, passwords, participant details, and webinar speaker information from over 28 video conferencing platforms.
- Attribution to a Chinese threat actor is based on technical indicators such as Alibaba Cloud C2 servers, Chinese ICP registrations, and code artifacts containing Chinese language strings.
Takeaways
- Organizations should audit browser extensions used by employees, especially those related to productivity or conferencing, and enforce strict allow-listing policies.
- Users should exercise extreme caution when installing browser add-ons, verifying developer legitimacy and reviewing requested permissions, even for seemingly benign tools.
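One way to perform the extension audit the takeaways call for, as an added example that is not code from the article or from Koi Security: the script walks a Chromium-style profile directory (`Extensions/<id>/<version>/manifest.json`), flags every extension that is absent from an allow-list or requests broad permissions, and builds a constructed sample profile to run against. The allow-list ID, the sample extension IDs and names are placeholder values, not indicators from the campaign.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs the organisation has approved (hypothetical placeholder values).
ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop"}

# Chromium manifest permissions that let an extension read or rewrite content on
# arbitrary sites, which is what a meeting-data stealer needs.
HIGH_RISK = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
             "scripting", "cookies", "declarativeNetRequest"}


def audit_extensions(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (Chromium's on-disk
    layout) and report each extension that is not allow-listed or asks for broad
    permissions. Returns a list of finding dicts, sorted by extension id."""
    findings = []
    for manifest in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        data = json.loads(manifest.read_text(encoding="utf-8"))
        perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        risky = sorted(perms & HIGH_RISK)
        allowed = ext_id in ALLOWLIST
        if not allowed or risky:
            findings.append({"id": ext_id, "name": data.get("name", "?"),
                             "version": data.get("version", "?"),
                             "allowlisted": allowed, "risky_permissions": risky})
    return findings


def build_sample_profile():
    """Constructed sample profile: one approved low-privilege extension and one
    unapproved extension asking for every-site access. Returns the profile path."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "abcdefghijklmnopabcdefghijklmnop": {
            "name": "Approved Notes", "version": "1.2.0", "permissions": ["storage"]},
        "ponmlkjihgfedcbaponmlkjihgfedcba": {
            "name": "Meeting Helper", "version": "3.0.1",
            "permissions": ["tabs", "webRequest", "storage"],
            "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        d = root / "Extensions" / ext_id / (manifest["version"] + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
```

Pointing `audit_extensions` at a real profile (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default`) lists the extensions worth reviewing; a sleeper extension that turns malicious through an update will still show up, because the check is on what the current version requests, not on its reputation at install time.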