Zoom Stealer browser extensions harvest corporate meeting intelligence

The DarkSpectre APT group is deploying Zoom Stealer browser extensions to collect sensitive corporate meeting data from 2.2 million users across major browsers. This campaign enables corporate espionage, social engineering, and potential sale of confidential meeting access, posing a significant threat to organizational security.

• •The DarkSpectre APT group, linked to China, leverages 18 functional but malicious browser extensions, including Chrome Audio Capture, to exfiltrate sensitive meeting data from 2.2 million users.
• •The extensions target 28 video-conferencing platforms, collecting meeting URLs, IDs, embedded passwords, speaker details, and company metadata in real-time via WebSocket connections.
• •Attribution to China is strengthened by Alibaba Cloud hosting, ICP registrations, Chinese code artifacts, and activity patterns matching the Chinese timezone.