Zoom Stealer Campaign Exposes Millions Through Malicious Browser Extensions

Listen to this Post

Featured Image

Introduction: A Silent Threat Inside Everyday Browser Tools

A newly uncovered cyber-espionage campaign has revealed how seemingly harmless browser extensions can quietly transform into powerful surveillance tools. Known as Zoom Stealer, this operation has compromised millions of users by exploiting trust in popular Chrome, Firefox, and Microsoft Edge add-ons. While these extensions appeared to function exactly as promised, behind the scenes they were harvesting sensitive online meeting data at scale. The findings highlight a growing risk in the browser extension ecosystem—one that blends patience, stealth, and long-term planning into a highly effective intelligence-gathering operation.

Overview of the Zoom Stealer Discovery

Security researchers have identified a malicious campaign dubbed Zoom Stealer that impacted approximately 2.2 million users across major browsers. The operation relied on 18 browser extensions that secretly collected data related to online meetings. This included information from widely used platforms such as Zoom, Microsoft Teams, Google Meet, and Cisco WebEx.

The campaign did not rely on obvious malware behavior. Instead, it embedded data collection mechanisms into fully functional extensions, allowing the threat to persist unnoticed for years.

A Broader Operation Linked to DarkSpectre

Zoom Stealer is not an isolated case. Researchers determined it is part of a much larger ecosystem of malicious extensions attributed to a single threat actor tracked as DarkSpectre. Over a seven-year period, DarkSpectre-controlled extensions reached more than 7.8 million users globally.

This same actor has been previously linked to campaigns known as GhostPoster, which targeted Firefox users, and ShadyPanda, which distributed spyware through Chrome and Edge extensions.

Evidence Pointing to a China-Linked Threat Actor

Attribution to a China-linked group is now stronger than ever. Investigators identified multiple indicators supporting this conclusion, including:

Hosting infrastructure located on Alibaba Cloud

Chinese ICP registrations

Source code containing Chinese-language strings and comments

Operational patterns aligned with the Chinese time zone

Monetization strategies optimized for Chinese e-commerce ecosystems

Together, these signals form a consistent and compelling attribution profile.

ShadyPanda and the Use of “Sleeper” Extensions

One of the most concerning elements of DarkSpectre’s strategy is its use of so-called “sleeper” extensions. ShadyPanda alone maintains nine active malicious extensions and an additional 85 dormant ones.

These sleepers initially behave benignly, focusing on building trust and a large user base. Once installed widely, they can be weaponized later through automatic updates, instantly turning millions of browsers into surveillance tools.

Not All Extensions Look Suspicious

A key reason Zoom Stealer succeeded is that many of its extensions were genuinely useful. Some were marketed as audio recorders or video downloaders and worked exactly as described.

Examples include Chrome Audio Capture, which alone had around 800,000 installations, and Twitter X Video Downloader. At the time of reporting, several of these extensions were still available on the Chrome Web Store.

Permissions That Opened the Door

All 18 Zoom Stealer extensions requested access to 28 different video conferencing platforms. Once granted, they were capable of collecting a wide range of highly sensitive data, including:

Meeting URLs and IDs, often containing embedded passwords

Meeting topics, registration status, and scheduled times

Names, titles, biographies, and profile photos of hosts and speakers

Company branding elements, logos, and session metadata

This level of access effectively provided a live window into corporate communications.

Real-Time Data Exfiltration

The stolen information was not stored locally. Instead, it was exfiltrated in real time using WebSocket connections. Data transmission was triggered whenever a victim visited a webinar registration page, joined a meeting, or simply browsed within a conferencing platform.

This streaming approach reduced forensic traces and allowed threat actors to react quickly to high-value meetings.

Corporate Espionage and Sales Intelligence Risks

According to researchers, the collected data has immense value. It can be used for corporate espionage, competitive intelligence, or targeted social engineering campaigns.

Meeting links could be resold, impersonation attacks could be crafted using participant lists, and confidential discussions could be infiltrated with alarming precision.

The Scale of the Intelligence Database

By harvesting data from millions of users, DarkSpectre effectively built a massive intelligence repository. This database enables attackers to:

Join confidential meetings unnoticed

Impersonate legitimate participants convincingly

Tailor phishing and fraud campaigns with contextual accuracy

Such capabilities dramatically raise the success rate of advanced social engineering attacks.

Why Users Didn’t Notice

Many of the extensions remained harmless for long periods, performing exactly the tasks they advertised. This long-term benign behavior helped them avoid suspicion from both users and automated store reviews.

Only later did updates quietly introduce malicious data collection features, exploiting users’ trust in automatic extension updates.

Response from Security Researchers

Koi Security reported the malicious extensions to browser vendors and published a complete list of known DarkSpectre-controlled add-ons. However, a significant number of these extensions remained accessible on official extension stores at the time of disclosure.

This delay highlights ongoing challenges in monitoring and policing third-party extension ecosystems.

Mitigation Advice for Users

Security experts strongly recommend that users:

Review extension permissions regularly

Remove unnecessary or rarely used extensions

Be cautious of tools requesting broad access to unrelated websites

Monitor extension updates and behavior changes

Reducing extension sprawl is one of the simplest ways to lower exposure.

What Undercode Say: Strategic Analysis of the Zoom Stealer Operation

A Shift From Malware to Platform Abuse

Zoom Stealer reflects a broader shift in cybercrime away from traditional malware toward platform abuse. Browser extensions offer persistent access, trusted execution, and rich data streams—making them ideal for long-term intelligence operations.

Trust as the Primary Attack Vector

Rather than exploiting software vulnerabilities, DarkSpectre exploited user trust. By delivering real functionality, the attackers bypassed skepticism and security awareness entirely.

The Power of Patience in Cyber Operations

This campaign underscores how modern threat actors think in years, not weeks. Sleeper extensions demonstrate a long-game approach that maximizes impact while minimizing detection risk.

Browser Stores as High-Value Targets

Official extension marketplaces have become high-value attack surfaces. Their scale and automation make them difficult to police effectively, especially against slow-burn threats.

Corporate Intelligence Is the New Currency

The data collected goes far beyond personal privacy. It enables strategic insights into company structures, partnerships, internal priorities, and decision-makers—assets traditionally associated with espionage agencies.

Impersonation at Industrial Scale

With names, roles, and meeting context, attackers can execute impersonation attacks that are nearly indistinguishable from legitimate participation.

Why Traditional Security Tools Miss This

Endpoint protection tools often ignore browser extensions entirely. Even advanced defenses may not flag behavior that technically aligns with granted permissions.

Supply-Chain Security Blind Spots

Extensions represent a supply-chain risk that many organizations underestimate. A single compromised add-on can undermine otherwise robust security postures.

The Challenge of Attribution and Enforcement

Even with strong attribution indicators, geopolitical complexity makes enforcement slow and inconsistent, allowing campaigns like Zoom Stealer to persist.

A Warning for Remote-First Enterprises

As remote work normalizes, meeting platforms have become critical infrastructure. Any compromise at this layer carries disproportionate strategic risk.

Fact Checker Results

Attribution Confidence

Multiple infrastructure and code indicators strongly support the DarkSpectre attribution. ✅

Technical Feasibility

The described data collection and exfiltration methods align with documented browser extension capabilities. ✅

Impact Assessment

The scale and sensitivity of exposed data justify concerns around espionage and impersonation. ✅

Prediction

Increased Scrutiny on Extension Marketplaces

Browser vendors are likely to introduce stricter auditing and behavioral monitoring for extensions. 🔍

Growth of Sleeper-Based Campaigns

Threat actors will continue adopting long-term sleeper strategies due to their proven effectiveness. ⚠️

Corporate Policy Shifts

Organizations will begin restricting browser extensions as aggressively as software installations. 📉

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon