DarkSpectre Hackers Spread Malware To 8.8 Million Chrome, Edge, and Firefox Users (cyberpress.org)
An anonymous reader quotes a report from Cyber Press: A newly uncovered Chinese threat group, DarkSpectre, has been linked to one of the most widespread browser-extension malware operations to date, compromising more than 8.8 million users of Chrome, Edge, Firefox, and Opera over the past seven years. According to research by Koi.ai, the group operates three interconnected campaigns: ShadyPanda, GhostPoster, and a newly identified one named The Zoom Stealer, forming a single, strategically organized operation.
DarkSpectre's structure differs from that of ordinary cybercrime operations. The group runs separate but interconnected malware clusters, each with distinct goals. The ShadyPanda campaign, responsible for 5.6 million infections, focuses on long-term user surveillance and e-commerce affiliate fraud. Its extensions have appeared legitimate for years, offering new tab pages and translation utilities, before secretly downloading malicious configurations from command-and-control servers such as jt2x.com and infinitynewtab.com. Once activated, they inject remote scripts, hijack search results, and track browsing activity.
The second campaign, GhostPoster, spreads via Firefox and Opera extensions that conceal malicious payloads in PNG images via steganography. After lying dormant for several days, the extensions extract and execute JavaScript hidden within images, enabling stealthy remote code execution. This campaign has affected over one million users and relies on domains like gmzdaily.com and mitarchive.info for payload delivery.
The most recent discovery, The Zoom Stealer, exposes around 2.2 million users to corporate espionage. These extensions masquerade as productivity tools or video downloaders while secretly harvesting corporate meeting links, credentials, and speaker profiles from more than 28 video conferencing platforms, including Zoom, Microsoft Teams, and Google Meet. The extensions use real-time WebSocket connections to exfiltrate data to Firebase databases, such as zoocorder.firebaseio.com, and to Google Cloud functions, such as webinarstvus.cloudfunctions.net.
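The GhostPoster description above (JavaScript hidden inside PNG files and pulled out once the extension wakes up) invites a defender-side triage check on the image assets that ship in an extension package. The script below is an added example, not code from Koi.ai or the article; it assumes the hiding places an analyst would check first (bytes appended after the IEND chunk, script-like text in metadata chunks, non-standard chunk types) and builds its own constructed sample PNGs, since the campaign's actual encoding is not described on the page.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
            b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"tIME", b"sPLT", b"hIST"}
# Tokens rarely found in honest image metadata; a triage heuristic (assumption), not a signature.
JS_HINT = re.compile(rb"function\s*\(|=>|eval\(|new Function|document\.|chrome\.|fetch\(")

def parse_png(data):
    # Walk the chunk list; return ([(type, payload, crc_ok)], offset just past IEND).
    assert data.startswith(PNG_SIG), "not a PNG"
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype, payload, zlib.crc32(ctype + payload) & 0xFFFFFFFF == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos

def triage_png(data):
    # Return a list of findings; an empty list means nothing looked odd.
    chunks, end = parse_png(data)
    findings, trailing = [], data[end:]
    if trailing:  # decoders stop at IEND, so anything after it is invisible to the viewer
        tag = " containing script-like text" if JS_HINT.search(trailing) else ""
        findings.append(f"{len(trailing)} bytes after IEND{tag}")
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"CRC mismatch in {name}")
        if ctype not in STANDARD:
            findings.append(f"non-standard chunk {name} ({len(payload)} bytes)")
        if ctype in (b"tEXt", b"iTXt") and JS_HINT.search(payload):
            findings.append(f"script-like text in {name} chunk")
    return findings

def chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)

def build_sample(tainted):
    # Constructed 1x1 grayscale PNG; the tainted variant hides JS in tEXt and after IEND.
    img = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    img += chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    if tainted:
        img += chunk(b"tEXt", b"Comment\x00(function(){fetch('https://example.invalid/c')})()")
    img += chunk(b"IEND", b"")
    return img + (b"eval(atob('...'))" if tainted else b"")
```

Run `triage_png` over every `.png` in an unpacked extension directory; a hit is a reason to read the extension's JavaScript for code that opens images and evaluates what it finds, not proof of compromise on its own.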
Doom! Destruction! Devastation! ... Details? (Score:5, Insightful)
Ok, great, we know all these hundred plus extensions are bad... But let's only name a single one so that users can't learn about and remove the rest.
There's useless news, then there's infuriatingly useless news.
Two guesses as to which one this is.
It still is, if you don't use it to download random code from random people and run it on your machine.
In real life, the equivalent behaviour would quickly give you a handful of STDs.
Lessons.. (Score:4, Informative)
Don't download random extensions you really don't know anything about just because they may sound helpful.
Step this way (Score:3)
Hey buddy, how about you step inside my van, I have free chrome extensions for you.
Re:Step this way (Score:4, Funny)
Hey buddy, how about you step inside my van, I have free chrome extensions for you.
I'm no fool. I'm not stepping into the van until AFTER I get that free chrome extension ;)
Insufficient regulation and curation (Score:2)
List of Firefox extensions (Score:5, Informative)
(Source [tomsguide.com])
Re: (Score:2)
fuck - someone has to be that retarded to get any of these....
"Hey CoPilot, update Firefox so that I can easily use a free VPN..."
What can go wrong? :)
Browser-extension malware (Score:2)
Re:Browser-extension malware (Score:5, Insightful)
When you install a browser extension that includes its code. It just goes to show that Google, Mozilla, etc. vetting and signing extensions doesn't actually stop malware - it's primarily about controlling what extensions you can use, and your safety as maybe a distant second.