Unmasking DarkSpectre: How a Browser Extension Empire Infected 8.8 Million Users

  • January 2, 2026

DarkSpectre, the Chinese threat actor, was responsible for infecting 8.8 million browsers through malicious extensions. Operations such as ShadyPanda, GhostPoster, and the Zoom Stealer silently hijacked Chrome, Firefox, Edge, and Opera browsers for more than seven years.

DarkSpectre Global Impact (infographic)

  • 7 years of silent espionage and fraud
  • 8.8M+ infected users
  • 4+ browsers targeted
  • 150+ malicious extensions

DarkSpectre: The Global Browser Extension Threat Unveiled

The malicious group known as DarkSpectre carried out the biggest malicious browser extension campaign ever recorded, hitting a huge number of online users worldwide. The operation spanned seven years and affected more than 8.8 million users of Chrome, Firefox, Microsoft Edge, and Opera.

What at first seemed to be a number of isolated events proved in late 2025 to be a unified and well-resourced operation, carried out by a threat actor based in China. This operation had three different tactical phases:

ShadyPanda (campaign card)

  • Total victims: 5.6M (growth: +1.3M new)
  • Platforms: Chrome, Edge, Firefox
  • Objective: mass surveillance and affiliate fraud using “sleeper” extensions that build trust over years before activating.

ShadyPanda: The Long Game of Deception

ShadyPanda was the earliest campaign, infecting approximately 5.6 million users by exploiting the trust of official extension stores.

  • ShadyPanda is DarkSpectre’s long-term infiltration tool, designed for slow, high-impact compromise.
  • 5.6 million users were affected in this single operation.
  • The attackers publish genuine-seeming extensions on the Chrome, Edge, and Firefox stores.
  • The extensions remain clean for a period of up to 5+ years.
  • They earn “Featured” and “Verification” badges by offering real value and collecting positive reviews.
  • Once a large install base has been built, the trust accumulated through years of use is deliberately exploited.
  • A malicious update then triggers the payload on all installed copies simultaneously.
  • Time-delayed execution and remote code injection are employed as evasion techniques.
  • The primary goals are mass surveillance and affiliate fraud.
  • Users’ personal information is harvested while links on e-commerce sites are silently hijacked for profit.
  • It affected over 100 extensions across several browsers.
  • Millions of users unknowingly became part of a hidden, bot-like network.
  • Even well-rated extensions can become malicious in an instant, revealing a flaw in the supply chain.
  • This is indicative of highly sophisticated strategic planning, and not opportunistic malicious software.
  • It relies on the trust model of the official extension marketplaces as the primary means of exploitation.

GhostPoster (campaign card)

  • Total victims: 1.05M (growth: +1M new)
  • Platforms: Firefox, Opera
  • Objective: stealthy payload delivery via steganography and anti-detection time delays.

GhostPoster: Hiding Malware in Plain Sight

Targeting primarily Firefox and Opera users, GhostPoster (over 1 million installs) utilized advanced technical trickery to bypass security scanners.

  • GhostPoster is one of the main DarkSpectre campaigns, known for delivering stealthy browser-based malware.
  • It targets Firefox users, using browser extensions as the distribution channel.
  • More than 1.05 million users have been infected in this campaign.
  • Steganography is used to conceal malicious code inside PNG icon files, evading signature-based detection.
  • The extension loads what appears to be a normal logo image, then extracts and executes the JavaScript hidden inside it.
  • A multi-stage execution chain combines a 48-hour delay with a low activation probability, so the payload rarely fires inside a scanner or sandbox.
  • A malicious Opera extension named “Google Translate”, with close to a million installs, was also linked to GhostPoster.
  • The Opera variant disables security features and uses a hidden iframe backdoor.
  • DarkSpectre modifies its delivery methods according to different architectures (Firefox versus Opera).
  • It shows sophisticated evasion and cross-platform capability rather than traditional extension abuse.

Zoom Stealer (campaign card, new)

  • Total victims: 2.2M (status: active)
  • Platforms: Chrome, Edge, Firefox
  • Objective: corporate meeting intelligence exfiltration, with real-time harvesting of credentials and attendee data.

Zoom Stealer: Corporate Espionage

  • Zoom Stealer is the most dangerous of DarkSpectre’s campaigns, and it’s designed for corporate espionage rather than carrying out fraudulent transactions.
  • 2.2 million users have already been affected.
  • Malicious extensions claim to be video-conferencing tools.
  • They demand excessive permissions covering 28+ platforms such as Zoom and Microsoft Teams.
  • These permissions give the attacker access to the business’s internal communications.
  • This operation creates a searchable intelligence database of corporate meetings.
  • Data is exfiltrated via WebSockets.
  • The attacks target high-value enterprises and not random victims.
  • It highlights DarkSpectre’s transition to strategic-level intelligence gathering.
  • The extensions serve as entry points for espionage.
  • Meeting metadata is treated as highly valuable intelligence.
  • Stolen information includes meeting links, login credentials, attendee lists, and speaker names.

One group, three distinct attack patterns

  • Long-term espionage (ShadyPanda): built trust over years with “clean” extensions, then activated spyware via a single malicious update to 5.6M users.
  • Stealth infiltration (GhostPoster): hid malicious code inside images (steganography) and used time delays to avoid detection in the Firefox and Opera stores.
  • Corporate intel (Zoom Stealer): scraped meeting links, passwords, and attendee lists from video platforms for real-time corporate spying.

One Group, Many Tactics: Inside DarkSpectre’s Playbook

What’s most alarming about DarkSpectre’s activity is its diversity, not just its volume. Unlike petty hackers who keep rotating a single trick, DarkSpectre ran several campaigns simultaneously, each with its own attack strategy and set of targets. The campaigns were tied to a single actor because extensions from different clusters were observed communicating with the very same servers.

DarkSpectre’s activities are more akin to those of a professional spy organization rather than the usual malware crews. The important elements of their technique include:

  • Adaptive Techniques: Every campaign involved a distinct modus operandi, ranging from sleeper extensions to image-based payloads and live data streaming. This highlights the capability to innovate for each objective.
  • Long-Term Patience: DarkSpectre has been around for 7+ years. The extensions were aged and nurtured (some even attained “Verified” status) before any malicious update was distributed.
  • Evolving Goals: The aim has shifted from ad fraud and consumer data theft to high-stakes corporate espionage more recently; apparently, the group has substantial funding and resource backing.

Chinese cloud servers, source files, and code comments point to a Chinese origin for the malware, giving further weight to the theory of a state-sponsored operation.

Protecting Against Malicious Browser Extensions

The DarkSpectre saga highlights how vulnerable browser add-ons can be. As a result, major browsers purged the malicious extensions and experts called for stricter vetting of new submissions on official extension stores. For everyone, the takeaway is clear: be cautious with browser extensions. A few steps can help:

  • The “Less is More” rule: Uninstall any extension you haven’t used in the last 30 days. Each one is a potential back-door.
  • Audit permissions: Right-click > Manage. If a simple tool needs to “Read data on all websites,” remove it immediately.
  • Check the developer: Verify the developer in the store. No website or contact info is a major red flag.
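As an added example (not from the original article), the following Python helper automates the permission audit described above against an extension’s manifest.json, flagging the combination the Zoom Stealer description warns about: broad host access, session-exposing APIs, and meeting-platform hosts. The two sample manifests and the risk lists are constructed assumptions, not data from the campaign.

```python
import json

# Host patterns that reach every site the user visits ("Read data on all websites").
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}
# API permissions that expose browsing data, sessions or credentials (assumed list).
SENSITIVE_PERMS = {"webRequest", "webRequestBlocking", "cookies", "history", "tabs",
                   "scripting", "debugger", "nativeMessaging", "management", "proxy",
                   "clipboardRead", "declarativeNetRequest"}
# Meeting platforms named on the page; extend for the tools your organisation uses.
MEETING_HOSTS = ("zoom.us", "teams.microsoft.com")

def host_patterns(manifest: dict) -> set:
    """Collect every host pattern, whether declared MV2-style (in permissions) or MV3-style."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts

def audit_manifest(manifest: dict) -> dict:
    """Return the findings and a verdict (ok / review / remove) for one manifest."""
    hosts = host_patterns(manifest)
    perms = set(manifest.get("permissions", [])) - hosts
    broad = sorted(hosts & BROAD_HOSTS)
    sensitive = sorted(perms & SENSITIVE_PERMS)
    meeting = sorted(h for h in hosts if any(m in h for m in MEETING_HOSTS))
    if broad:
        verdict = "remove"   # a simple tool has no reason to read data on all websites
    elif sensitive or meeting:
        verdict = "review"   # meeting hosts plus session APIs is the Zoom Stealer shape
    else:
        verdict = "ok"
    return {"name": manifest.get("name", "?"), "broad_hosts": broad,
            "sensitive_permissions": sensitive, "meeting_hosts": meeting, "verdict": verdict}

# Constructed sample manifests (not real extensions).
BENIGN = json.loads('{"name": "Colour Picker", "manifest_version": 3, "permissions": ["activeTab"]}')
SUSPECT = json.loads('''{"name": "Meeting Helper", "manifest_version": 3,
  "permissions": ["cookies", "webRequest", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*.zoom.us/*", "*://teams.microsoft.com/*"],
                       "js": ["inject.js"]}]}''')
```

For a real audit, feed `audit_manifest(json.load(open(path)))` each manifest.json under the browser’s extensions directory and act on every “remove” or “review” verdict.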

Browser extensions are incredibly useful, but DarkSpectre shows they can also be Trojan horses for attackers. By learning from campaigns like ShadyPanda, GhostPoster, and Zoom Stealer, the tech community can push for stronger protections and make it harder for the next “DarkSpectre” to lurk in our browsers.

Conclusion: When Trust Becomes the Attack Vector

DarkSpectre proves that modern attacks no longer rush the perimeter. They wait patiently inside trusted platforms. For more than seven years, malicious browser extensions lived inside official stores, earned verification badges, accumulated millions of users, and then activated at scale. No exploits were required. Trust did the work for the attacker. 

Why This Threat Affects Everyone

Browser extensions now sit at the center of daily work and communication. That makes them a high-value target.

  • Verified extensions can turn malicious overnight through updates
  • Permissions grant access to browsing data, sessions, and credentials
  • Corporate meetings, emails, and workflows are exposed through the browser
  • Traditional security assumes store approval equals safety

Once execution is allowed, damage follows silently and at scale.
