DarkSpectre Campaign Infected Over 8.8 Million Users via Malicious Browser Extensions
Cybersecurity researchers have uncovered DarkSpectre, a long-running and highly coordinated threat operation that infected more than 8.8 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox through seemingly legitimate browser extensions.
The investigation reveals that DarkSpectre has been active for at least seven years, operating at a level of sophistication more commonly associated with state-scale or well-resourced criminal groups.
Three campaigns, one operator
Researchers linked three major campaigns to a single threat actor:
ShadyPanda – approx. 5.6 million users
Zoom Stealer – approx. 2.2 million users
GhostPoster – approx. 1.05 million users
Infrastructure overlap, shared domains, and consistent payload delivery mechanisms confirmed that these campaigns are not independent, but part of one unified operation.
Dormant extensions and delayed activation
A defining feature of DarkSpectre is its long-term persistence strategy. Extensions maintained legitimate functionality for years before being weaponized, allowing them to build trust and pass marketplace reviews.
Some extensions delayed malicious activity for days or weeks after installation, effectively bypassing security checks during the review process.
Advanced evasion techniques
Researchers documented multiple advanced techniques:
Time-bomb activation
Partial execution on a small percentage of page loads
Steganographic payloads hidden in PNG images
Server-controlled JavaScript delivery, enabling real-time behavior changes without extension updates
This architecture gives attackers exceptional flexibility while minimizing exposure.
Impact and risk
Once activated, affected extensions can:
inject malicious scripts;
harvest browsing data;
facilitate fraud and tracking;
act as an initial access vector for broader attacks.
The case highlights browser extensions as a critical but often overlooked supply-chain risk, including in enterprise environments.
DIAMATIX Perspective
DarkSpectre underscores the need to treat browser extensions as software assets, not conveniences. Effective defense requires:
strict extension allow-listing;
behavioral monitoring;
continuous review of long-standing extensions;
awareness that longevity does not equal trust.
Sources:
Koi Security – technical investigation and attribution
CybersecurityNews – initial reporting
Corroborating infrastructure analysis shared by independent researchers