A recently identified campaign dubbed Zoom Stealer has compromised 2.2 million users across major browsers through 18 extensions designed to harvest sensitive meeting data and passwords. This operation is part of a larger, seven-year effort by a China-linked threat actor known as DarkSpectre, which has affected a total of 7.8 million people.
Security researchers at Koi Security have linked DarkSpectre to previous operations including GhostPoster and ShadyPanda, citing shared infrastructure and Chinese-language code artifacts. The group utilizes a sophisticated strategy involving sleeper extensions that remain benign for long periods to build a large user base before delivering malicious updates. Currently, ShadyPanda remains active through nine live extensions and dozens of inactive ones waiting to be activated.
The Zoom Stealer campaign specifically targets corporate intelligence by monitoring platforms like Zoom and Microsoft Teams. By intercepting meeting URLs, meeting IDs, and the passwords embedded in those URLs (a Zoom join link carries the passcode in its pwd query parameter, so the link alone is enough to join), the attackers can gain unauthorized access to private corporate discussions. This data collection is hidden inside functional tools that users willingly install for legitimate purposes, which makes the intrusion difficult to detect.
Many of the malicious extensions are still available on official web stores, including popular tools for audio capture and video downloading. One such extension has reportedly reached 800,000 installations on Chrome alone. Because these extensions actually perform the tasks they promise, such as downloading videos or recording audio, users rarely suspect that their private meeting information is being exfiltrated in the background.
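The two preceding paragraphs describe why a "video downloader" or "audio capture" extension is well placed to see meeting links: the same permissions that make the utility work also expose tab and request URLs. The following triage script is an added example (it is not code from the article, from Koi Security, or from any of the extensions discussed) that reads extension manifests and flags those that can observe Zoom or Teams join URLs, either by injecting a content script into the meeting page or through URL-exposing permissions such as tabs, webNavigation, or webRequest combined with host access. The manifests, extension names, and join links in the block are constructed samples; the match-pattern matcher is a minimal reimplementation of Chrome's documented rules, not a complete one.

```javascript
// Added example, not code from the article or from Koi Security: a manifest
// triage script that flags installed extensions able to observe meeting join
// URLs. All manifests, names and URLs below are constructed for illustration.
// Usage: node extension-audit.js   (or require() it and call auditAll()).

// Constructed join links. Zoom embeds the meeting passcode in the pwd= parameter.
const MEETING_URLS = [
  "https://zoom.us/j/1234567890?pwd=abc123",
  "https://us02web.zoom.us/j/1234567890",
  "https://teams.microsoft.com/l/meetup-join/example-thread/0",
];

// Permissions that expose tab/navigation URLs without any host permission ...
const URL_PERMS_STANDALONE = new Set(["tabs", "webNavigation"]);
// ... and one that exposes request URLs only for hosts the extension may access.
const URL_PERMS_WITH_HOST = new Set(["webRequest"]);

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

// Minimal Chrome match-pattern matcher: <scheme>://<host>/<path> with "*" wildcards.
function matchPattern(pattern, url) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return false;
  const [, scheme, host, path] = m;
  let u;
  try { u = new URL(url); } catch { return false; }
  const uScheme = u.protocol.slice(0, -1);
  if (scheme === "*" ? !["http", "https"].includes(uScheme) : scheme !== uScheme) return false;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    if (u.hostname !== base && !u.hostname.endsWith("." + base)) return false;
  } else if (host !== "*" && u.hostname !== host) return false;
  const pathRe = new RegExp("^" + path.split("*").map(escapeRe).join(".*") + "$");
  return pathRe.test(u.pathname + u.search);
}

// Every host pattern an extension declares, across MV2 and MV3 manifest shapes.
function hostPatterns(manifest) {
  const mv2Hosts = (manifest.permissions || []).filter(p => p === "<all_urls>" || p.includes("://"));
  const cs = (manifest.content_scripts || []).flatMap(c => c.matches || []);
  return [...mv2Hosts, ...(manifest.host_permissions || []), ...cs];
}

function assess(manifest) {
  const perms = new Set(manifest.permissions || []);
  const reasons = [];
  const csMatches = (manifest.content_scripts || []).flatMap(c => c.matches || []);
  if (MEETING_URLS.some(u => csMatches.some(p => matchPattern(p, u))))
    reasons.push("content script runs inside meeting pages and can read location.href");
  for (const p of URL_PERMS_STANDALONE)
    if (perms.has(p)) reasons.push(`"${p}" permission exposes every tab's URL`);
  const hostReach = MEETING_URLS.some(u => hostPatterns(manifest).some(p => matchPattern(p, u)));
  for (const p of URL_PERMS_WITH_HOST)
    if (perms.has(p) && hostReach) reasons.push(`"${p}" plus host access over meeting domains exposes request URLs`);
  return { name: manifest.name, flagged: reasons.length > 0, reasons };
}

// What an interceptor gets from a Zoom join link: meeting ID and passcode.
function meetingSecretsIn(url) {
  const u = new URL(url);
  const id = /^\/j\/(\d+)/.exec(u.pathname);
  if (!u.hostname.endsWith("zoom.us") || !id) return null;
  return { meetingId: id[1], passcode: u.searchParams.get("pwd") };
}

function auditAll(manifests) { return manifests.map(assess); }

// Constructed manifests: a broad-permission downloader, a narrowly scoped
// recorder, and an MV2 extension with a content script on Zoom.
const SAMPLE_MANIFESTS = [
  { name: "Example Video Downloader", manifest_version: 3,
    permissions: ["tabs", "webRequest", "storage"], host_permissions: ["<all_urls>"] },
  { name: "Example Audio Capture", manifest_version: 3,
    permissions: ["tabCapture", "storage"], host_permissions: ["https://example.com/*"] },
  { name: "Example Meeting Helper", manifest_version: 2,
    permissions: ["storage", "*://*.zoom.us/*"],
    content_scripts: [{ matches: ["*://*.zoom.us/*"], js: ["cs.js"] }] },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditAll(SAMPLE_MANIFESTS))
    console.log(r.flagged ? "FLAG" : "ok  ", r.name, r.reasons.join("; "));
}
```

Point the script at the manifest.json files under a real Chrome profile's Extensions directory to triage a workstation. The check is deliberately noisy: many legitimate downloaders genuinely need tabs or <all_urls>, so a flag means "can see meeting links," not "is malicious," and the sleeper-update pattern described above means a clean review today does not bind tomorrow's version.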
Evidence linking the campaign to China includes the use of Alibaba Cloud, registration data, and activity patterns that align with Chinese working hours. Furthermore, the monetization strategies used by the threat actor are specifically tuned toward Chinese e-commerce platforms. This coordinated effort highlights a persistent risk in the browser extension ecosystem where functional utility is used as a cover for long-term espionage.
Source: Zoom Stealer Browser Extensions Harvest Corporate Meeting Intelligence