Browser extension malware infected 8.8M users in DarkSpectre attack

Browser extensions promise convenience. Many offer simple tools like new tab pages, translators or video helpers. 

Researchers, however, uncovered a long-running malware operation that abused that trust on a massive scale. Koi Security analysts identified the threat while analyzing suspicious infrastructure tied to a campaign known as ShadyPanda. What started as one investigation quickly revealed something far larger.

The group behind it is now known as DarkSpectre. According to Koi researchers, it infected more than 8.8 million users across Chrome, Edge and Firefox over seven years. This was not a smash-and-grab attack. It was slow, deliberate and highly organized. Instead of rushing malicious code into marketplaces, the group played the long game.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

MALICIOUS CHROME EXTENSIONS CAUGHT STEALING SENSITIVE DATA

At first, the activity looked like separate threats. That changed once Koi analysts followed the infrastructure breadcrumbs. By pivoting from domains linked to ShadyPanda, Koi researchers uncovered shared systems powering multiple extension clusters. That analysis confirmed that ShadyPanda, GhostPoster and Zoom Stealer were not separate actors. They were one coordinated operation. Together, these campaigns targeted both everyday users and corporate environments.

This campaign focused on mass surveillance and affiliate fraud. Researchers estimate it affected more than 4 million users, with some analyses suggesting the total could reach up to 5.6 million as additional related extensions were linked. In several cases, extensions remained legitimate for more than five years before quietly turning malicious.

This campaign used a clever trick. It hid malicious code inside image files to bypass security checks. It impacted 1.05 million users.

This operation targeted corporate meeting data across more than 28 conferencing platforms. It affected 2.2 million users.

Different goals. Same operator.

The breakthrough came when Koi analysts examined two domains tied to ShadyPanda. Those domains powered legitimate extension features like weather widgets and new tab pages. They were not command servers. That was the trick. Those same clean domains appeared again and again across other extensions that quietly connected to entirely different malicious infrastructure.

One domain led to extensions. Those extensions exposed new domains. Those domains were connected to even more extensions. Following that chain allowed Koi to uncover over 100 connected extensions across multiple browser marketplaces. Some extensions even reused infrastructure already flagged in earlier investigations. That overlap confirmed DarkSpectre was operating at a nation-state scale.

DarkSpectre succeeded by blending legitimate functionality with hidden malware. Users got what they expected. Meanwhile, the threat ran quietly in the background.

Some extensions waited days before activating malicious behavior. Others triggered malware on only a small percentage of page loads. This made detection during marketplace reviews extremely difficult.

The group hid JavaScript inside PNG image files. The extension loaded its own logo, extracted the hidden code and executed it silently.

Instead of pushing new extension versions, DarkSpectre controlled everything from its servers. Operators could change behavior anytime without alerting users or marketplaces. Koi researchers noted this approach gave the attackers long-term flexibility and control.

Most malware focuses on consumer fraud. Zoom Stealer focused on intelligence.

According to Koi analysts, these extensions collected the following:

Worse yet, the data streamed in real time. The moment a user joined or viewed a meeting, the information flowed out. This type of data enables phishing impersonation and corporate espionage at scale.

Extension marketplaces typically evaluate code only at submission or update. Koi's investigation shows how attackers exploit that model. Once an extension earns trust badges and positive reviews, users stop questioning it. That trust becomes a weapon. A clean extension today can become a threat tomorrow.

You do not need to avoid extensions entirely. You do need to stay cautious.

Make sure you turn on automatic updates for your browser (e.g., Chrome, Firefox, Edge) so you’re always running the latest version without thinking about it. 

Remove anything you no longer use. Fewer extensions reduce risk. CyberGuy has step-by-step guides showing how to review and remove browser extensions safely, making it easy to clean up your browser in just a few minutes. In Chrome, Edge and Firefox, open the menu, go to Extensions or Add-ons, and remove anything you do not use or trust.

 Official browser stores like the Chrome Web Store have rules and scans to catch bad actors. They’re not perfect, but they are still a better option when compared to a random website on the internet. Extensions from unknown websites or third-party downloads are far more likely to hide malware or spyware. 

FAKE AI CHAT RESULTS ARE SPREADING DANGEROUS MAC MALWARE

Strong antivirus software can warn you before you install malicious software, such as sketchy browser extensions. It can also alert you to phishing emails and ransomware scams, helping keep your personal information and digital assets safe.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

If your personal data was exposed in this security incident, it's crucial to act quickly to reduce your risk of identity theft and scams. A data removal service can help you remove all this personal information from the internet. 

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren't cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. 

It's what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

Some extensions overreach on purpose. A calculator tool asking for your browsing history or a weather app wanting your login data is a huge red flag. Before installing, ask: "Does this permission match the extension’s job?" If the answer’s no, don’t install it. Watch out for broad permissions like "Read and change all your data on websites you visit" unless it’s clearly justified (e.g., a password manager). If an update suddenly adds new permission requests, dig into why. It might mean the extension’s been sold or hacked.

If you’ve ever saved passwords in your browser (e.g., via the browser's built-in password manager or the "Save Password" prompt), those credentials could be at risk if a malicious extension was installed. These built-in managers store passwords locally or in your Google, Microsoft or Firefox account, and a compromised browser can give bad actors a way in.

This doesn’t typically apply to dedicated password manager extensions, which encrypt your data independently and don’t rely on browser storage. However, if you're unsure whether an extension has been compromised, it's always smart to update your master password and enable two-factor authentication. 

For maximum safety, change your most important passwords (email, bank, shopping, cloud services) from a different, secure device, such as your phone or another computer where the questionable extension was never installed. Avoid using the same browser that may have been exposed. Then, consider switching to a password manager to create and store strong, unique logins going forward. 

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.

 10 SIMPLE CYBERSECURITY RESOLUTIONS FOR A SAFER 2026

Subtle changes often appear before obvious damage. Sudden redirects, new tabs opening on their own, unfamiliar search results, popups, slower browsing or websites asking you to re-log in unexpectedly can all signal a malicious or compromised extension. Pay attention if ads appear where they never did before or if your browser settings change without your input.

Koi's investigation shows how attackers rely on patience. Once an extension earns trust and sits quietly for years, users stop watching it. That makes small behavior changes easy to miss. If something feels off, do not ignore it. Disable extensions one by one to identify the culprit. If the issue disappears, remove that extension permanently.

When in doubt, trust your instincts. Browsers should not surprise you.

DarkSpectre is a reminder that online threats are getting smarter and quieter. This was not a smash-and-grab attack. It unfolded slowly, over years, and relied on trust most people never think twice about. Koi analysts connected the dots by tracking shared infrastructure across campaigns, but they also warn that some sleeper extensions may still be installed and trusted today. Browser extensions can be helpful, but every extra add-on is another door into your browser. Paying attention, cleaning house now and then and questioning what you install can make a real difference.

When was the last time you checked what your browser extensions are really doing behind the scenes? Let us know by writing to us at Cyberguy.com.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter. 

Copyright 2025 CyberGuy.com. All rights reserved.