THE Hacker News reports that the DarkSpectre operation has impacted 2.2 million users across Google Chrome, Microsoft Edge and Mozilla Firefox, forming part of a broader set of campaigns attributed to a Chinese threat actor tracked by Koi Security under the name DarkSpectre. Collectively, the ShadyPanda and GhostPoster campaigns, alongside DarkSpectre, have affected more than 8.8 million users over a period of more than seven years.
ShadyPanda, uncovered earlier this month, targeted the three browsers to facilitate data theft, search query hijacking and affiliate fraud, affecting 5.6 million users, including 1.3 newly identified victims linked to over 100 extensions connected to the same cluster. The report notes a second campaign, GhostPoster, which mainly targets Firefox users with ostensibly harmless utilities and VPN tools to deliver malicious JavaScript for hijacking affiliate links and injecting tracking code.
A third operation, The Zoom Stealer, spans 18 extensions across Chrome, Edge and Firefox designed to collect meeting-related data such as URLs, passwords and IDs. Researchers describe this as a targeted form of corporate espionage infrastructure, with the extensions able to harvest details from webinar pages and potentially monetise the data.
According to Koi Security, the DarkSpectre activity relies on a mix of legitimate-looking add-ons and delayed malicious functionality, including a time-delayed activation to appear trustworthy during review.