The malicious browser extension campaigns known as ShadyPanda, GhostPoster, and the newly identified DarkSpectre have collectively affected more than 8.8 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox; DarkSpectre alone accounts for 2.2 million of them. Koi Security tracks the activity and attributes it to a Chinese threat actor.
ShadyPanda was recently exposed for facilitating data theft and affiliate fraud across all three browsers, affecting 5.6 million users. One extension, “New Tab – Customized Dashboard,” delays activating its malicious behaviour so that it looks benign while it is being reviewed and adopted by users. Nine extensions remain active, and a further 85 dormant extensions await activation.
GhostPoster targets Firefox users with seemingly harmless tools that execute malicious JavaScript to tamper with affiliate links and generate ad fraud. The campaign included a malicious extension presented as a Google Translate tool, with nearly 1 million installations.
The DarkSpectre campaign, referred to as “The Zoom Stealer,” uses 18 extensions to gather sensitive meeting information from platforms such as Zoom and Google Meet. The extensions request host access to more than 28 conferencing platforms and are built to collect detailed meeting data, enabling corporate espionage.
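The permission footprint described above (host access to dozens of conferencing domains from a single extension) is something a defender can check statically in an extension's manifest before it is rolled out. The script below is an added example, not code from the original article or from Koi Security: it collects every match pattern an extension declares (host_permissions, content_scripts matches, and MV2-style host entries in permissions), resolves each pattern's host, and reports which domains on a watchlist the extension can reach. The watchlist and the manifest are constructed for illustration and are not taken from any real extension. A static audit like this will not catch the delayed-activation trick mentioned for ShadyPanda, because the permissions are granted up front; it only tells you what an extension could touch once its payload runs.

```javascript
// Added example (not from the article): audit a browser-extension manifest for
// host access to video-conferencing domains.

// Constructed watchlist of conferencing domains (illustrative, not exhaustive).
const CONFERENCING_DOMAINS = [
  "zoom.us",
  "meet.google.com",
  "teams.microsoft.com",
  "webex.com",
];

// Constructed sample manifest in Manifest V3 shape. Hypothetical; it is not the
// manifest of any extension named in the article.
const sampleManifest = {
  manifest_version: 3,
  name: "Meeting Helper (constructed sample)",
  permissions: ["storage", "alarms", "tabs"],
  host_permissions: [
    "*://*.zoom.us/*",
    "*://meet.google.com/*",
    "*://*.webex.com/*",
    "https://example.com/*",
  ],
  content_scripts: [
    { matches: ["*://*.zoom.us/*", "*://meet.google.com/*"], js: ["content.js"] },
  ],
};

// Gather every match pattern the manifest declares, deduplicated.
// MV2 manifests put host patterns in "permissions", so those are included too.
function collectMatchPatterns(manifest) {
  const patterns = new Set(manifest.host_permissions || []);
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) patterns.add(p);
  }
  for (const p of manifest.permissions || []) {
    if (p === "<all_urls>" || p.includes("://")) patterns.add(p);
  }
  return [...patterns];
}

// Extract the host part of a Chrome/Firefox match pattern such as
// "*://*.zoom.us/*". Returns "*" for patterns that cover every host and null
// for strings that are not match patterns.
function matchPatternHost(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]+)\//.exec(pattern);
  return m ? m[2] : null;
}

// Does a pattern host (possibly "*.example.com" or "*") reach `domain` or a
// subdomain of it?
function hostCoversDomain(host, domain) {
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return base === domain || domain.endsWith("." + base) || base.endsWith("." + domain);
  }
  return host === domain || host.endsWith("." + domain);
}

// Report which watchlist domains the manifest can reach, the patterns that
// grant that reach, and the fraction of the watchlist covered.
function auditManifest(manifest, watchlist = CONFERENCING_DOMAINS) {
  const covered = new Set();
  const flaggedPatterns = [];
  for (const pattern of collectMatchPatterns(manifest)) {
    const host = matchPatternHost(pattern);
    if (host === null) continue;
    const hits = watchlist.filter((d) => hostCoversDomain(host, d));
    if (hits.length > 0) {
      flaggedPatterns.push(pattern);
      for (const d of hits) covered.add(d);
    }
  }
  return {
    coveredDomains: [...covered].sort(),
    flaggedPatterns,
    coverageRatio: covered.size / watchlist.length,
  };
}

console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

Run with `node audit.js` (or whatever filename you save it under) to print the report for the constructed manifest; to audit a real extension, load its unpacked manifest.json with `JSON.parse` and pass the object to `auditManifest`. A high `coverageRatio` for an extension whose stated purpose has nothing to do with meetings is the signal to investigate further, ideally by reading the content scripts that run on those hosts.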
Researchers said the operation's ties to China rest on clues such as the use of Chinese command-and-control servers and links to local e-commerce targets. Koi Security emphasized that the extensions appear legitimate while enabling covert data collection, primarily for corporate intelligence and espionage.