DarkSpectre: A 7-Year Long-Game Cyber Campaign Unveiled in Browser Extensions

Look. We’ve all seen that little pop-up: “Install this extension to organize your tabs, translate web pages, or save videos.” It looks harmless. Feels useful. Maybe even a little slick. And for years, that’s exactly how attackers have played the game—small, sneaky, one-off moves that exploit trust. But those one-off moves? They aren’t the real threat. What we’re seeing now is.
This isn’t random. It’s not a fluke. It’s a long-term operation. A carefully built machine. And we’ve named it DarkSpectre.
Think about it. Over seven years. Eight million users infected. Hundreds of browser extensions—some still active, some quietly collecting data for years. Not just a few bad actors. A group with resources, patience, and a clear strategy. They don’t react to breaches. They plan them. They build trust, then wait. And when the time is right? One update. One change. And suddenly, your browser is compromised.
This isn’t just malware. This is something different. A new kind of threat. Professional. Organized. And if you ask me, it’s not just criminal—it’s state-aligned or state-adjacent. They treat browser extensions like real infrastructure. Not temporary tools. Permanent tools. And they’re not just using them—they’re designing them to last.
The Three Pillars of DarkSpectre’s Strategy
Here’s how they do it. Three distinct, but deeply connected, strategies. Each one built for a different goal. And each one shows a level of planning that most hackers simply don’t have.
Playbook A: The Long Game (ShadyPanda)
This one started back in 2018. At first, it was just a few extensions—new tab pages, translators, tab managers. Pretty standard. But over time, they evolved. Not just into spyware. Into full-blown surveillance tools.
They’ve got hundreds of extensions now—across Chrome, Edge, Firefox. Many of them have been live for five years or more. And here’s the thing: they earn "Featured" and "Verified" badges. They’re approved. They look legit. Users trust them. And that’s the point.
They quietly collect everything: your search history, what you type, where you click, even how your mouse moves. Then, when the moment is right? One update. A single change in configuration. Boom. The payload activates. No new version. No warning. Just a silent switch. And because it’s not a new release, it slips through automated scans. Detection? Nearly impossible.
Playbook B: The Trojan Image (GhostPoster)
Now, this one is sneaky. So sneaky it’s almost beautiful.
They hide malicious code inside PNG icons. Steganography. Like a secret message in a photo. When you download an extension, the icon loads. Then, after 48 hours? A hidden JavaScript payload runs.
Only about 10% of users actually get hit. That’s low. That makes it hard to catch in automated systems. And the infrastructure? Domains like liveupdt.com and dealctr.com. These were used in a prior campaign targeting Firefox—50,000 users. Now? Same domains. Same C2 servers. Reused. Repurposed.
It’s not a coincidence. It’s a shared backbone. A network that’s been built to last.
Playbook C: Corporate Intelligence (The Zoom Stealer)
And then there’s this. This one hits hard.
A new campaign—targeting 2.2 million users—has been uncovered. Extensions that look like meeting tools: video downloaders, timers, recording assistants. All of them request access to 28+ video conferencing platforms. Zoom. Teams. Google Meet. WebEx.
Once installed? They go live. They connect via real-time WebSocket streams. They pull meeting links, participant lists, speaker bios, registration statuses. All of it.
And where does it go? A Firebase Realtime Database—zoocorder.firebaseio.com. Tracked via Google Cloud Functions. This isn’t fraud. This isn’t a prank. This is corporate espionage. Systematic. Silent. Built to last.
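An added example, not the report's or Koi's tooling: a manifest audit that lists which meeting platforms an extension's match patterns can reach, taking MV2 permissions, MV3 host_permissions and content script matches into account. The platform watchlist, the threshold of three and the two manifests are constructed for the demo; a hit is a triage signal rather than proof, since many legitimate extensions also request broad host access.

```python
import json

# Constructed watchlist (assumption): the platforms named in the write-up, keyed by registrable host.
MEETING_HOSTS = {
    "zoom.us": "Zoom", "teams.microsoft.com": "Teams",
    "meet.google.com": "Google Meet", "webex.com": "WebEx",
}


def host_of(pattern):
    """Host component of a Chrome match pattern ('*://*.zoom.us/*' -> '*.zoom.us'); '*' for <all_urls>."""
    if pattern == "<all_urls>":
        return "*"
    rest = pattern.split("://", 1)[1]
    return rest.split("/", 1)[0].lower()


def reaches(host_pat, platform):
    """True if a match-pattern host covers the platform host or any of its subdomains."""
    if host_pat == "*":
        return True
    if host_pat.startswith("*."):
        base = host_pat[2:]
        return platform == base or platform.endswith("." + base) or base.endswith("." + platform)
    return host_pat == platform or host_pat.endswith("." + platform)


def collect_patterns(manifest):
    """URL match patterns from MV2 permissions, MV3 host_permissions and content_scripts."""
    pats = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        pats.update(cs.get("matches", []))
    return {p for p in pats if "://" in p or p == "<all_urls>"}  # drops API names such as "storage"


def audit_manifest(manifest, threshold=3):
    """Report the meeting platforms the extension can reach and whether that crosses the threshold."""
    hosts = {host_of(p) for p in collect_patterns(manifest)}
    reached = {name for h in hosts for ph, name in MEETING_HOSTS.items() if reaches(h, ph)}
    return {"name": manifest.get("name"), "platforms": sorted(reached),
            "all_urls": "*" in hosts, "flag": "*" in hosts or len(reached) >= threshold}


# Constructed manifests standing in for manifest.json files read out of a browser profile.
TIMER = json.loads("""{"name": "Meeting Timer", "manifest_version": 3, "permissions": ["storage"],
  "host_permissions": ["*://*.zoom.us/*", "https://teams.microsoft.com/*"],
  "content_scripts": [{"matches": ["https://meet.google.com/*", "*://*.webex.com/*"], "js": ["c.js"]}]}""")
WEATHER = json.loads("""{"name": "Weather Tab", "manifest_version": 3,
  "host_permissions": ["https://api.example-weather.test/*"]}""")

if __name__ == "__main__":
    for m in (TIMER, WEATHER):
        print(audit_manifest(m))
```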
How We Traced the Network
We started with ShadyPanda. Found over 100 extensions tied to shared infrastructure. Then we saw two domains that stood out: infinitynewtab.com and infinitytab.com.
Not command servers. Not malicious. They were real new-tab features. Weather widgets. Custom dashboards. Legit. Approved.
And DarkSpectre used them. Reused them. Across campaigns. Across platforms. It gave them a clean face. A way to pass security reviews. To build trust.
From those domains, we followed the trail. Found a network of extensions, each talking to different C2 endpoints—jt2x.com, zhuayuya.com, muo.cc. All following the same pattern. Same structure. Same patience.
One extension stood out: Twitter X Video Downloader. It looked like a simple tool. But when we dug in, we found it was also harvesting meeting data. And from that, we found the exfiltration domain: webinarstvus.cloudfunctions.net.
That domain was used by 18 other extensions in the Zoom Stealer campaign. One thread. One connection. And suddenly, we had a map. A network of tools users thought were helpful that were actually data harvesters.
The Chinese Connection: Evidence of State-Level Resources
There’s no denying it. The signs point to China.
C2 servers hosted on Alibaba Cloud. In China. ICP registrations tied to Hubei province. Chinese language strings. Variable names. Comments in the code.
And the targeting? Specific. Chinese e-commerce platforms like JD.com and Taobao. Not random. Not broad. Purposeful.
But here’s what really stands out: the patience. The years of maintaining extensions before ever activating them. That kind of discipline? That takes more than skill. It takes stability. Money. A long-term vision.
This isn’t a group of hackers with a few laptops. This is a well-funded, organized operation. Possibly state-linked. Or at least state-adjacent.
What This Means for Users and Organizations
So what does this mean for you? For your company?
Browser extensions are no longer just tools. They’re gateways. Front doors. A simple “meeting timer” or “video downloader” can become a data pipeline. A silent pipeline. One that runs in the background, collecting sensitive information—meeting notes, client names, internal discussions.
And the security model? We review extensions once. Then we leave them alone. That’s the problem. That’s the flaw.
DarkSpectre proves it. Attackers can maintain legitimacy for years. Build trust. Then flip the switch. When the moment is right.
We don’t know how many sleeper extensions are out there. Not exactly. But the pattern is clear. Long-term. Patient. Multi-platform.
That’s why tools like Koi’s Wings matter. Not just because they scan for known threats. Because they detect the silent ones. The dormant ones. The ones waiting in the marketplace, looking like something useful.
DarkSpectre isn’t the end. It’s just the beginning.
The real danger isn’t the data that gets stolen. It’s the realization that the trust we place in browser extensions—something we take for granted—might be one of the most dangerous blind spots we’ve ever overlooked.
And if that’s true… we’re all in trouble.