Chrome Audio Capture live in the marketplace | Image: Koi Security
In a revelation that exposes a gaping hole in the browser extension ecosystem, Koi Security has unmasked a massive, state-aligned cyber-espionage operation that has been quietly gathering intelligence for nearly a decade. Dubbed “DarkSpectre,” this Chinese threat group has infected over 8.8 million users across Chrome, Edge, and Firefox, operating a sprawling network of nearly 300 malicious extensions that functioned as sleeper cells.
The report details a level of discipline and strategic patience rarely seen in cybercrime. Unlike “scattered opportunistic criminals,” DarkSpectre operates as a “well-funded criminal organization” capable of maintaining legitimate software for years before weaponizing it.
While tracking known threats, researchers stumbled upon a new campaign. DarkSpectre had deployed a network of extensions targeting 2.2 million users specifically to steal corporate meeting intelligence.
Dubbed “The Zoom Stealer,” this campaign focused on “Corporate Meeting Intelligence,” likely harvesting sensitive audio, transcripts, and attendee data from unsuspecting businesses.
“This isn’t three separate threat actors running similar operations. This is one highly organized operation and while tracking their infrastructure, we stumbled onto something new,” the report states.
The investigation connected the dots between three major campaigns that were previously thought to be isolated:
- The Zoom Stealer: The newly discovered campaign affecting 2.2 million users.
- ShadyPanda: A massive surveillance and fraud operation impacting 5.6 million users.
- GhostPoster: A stealthy payload delivery system with 1.05 million victims.
By following shared infrastructure breadcrumbs, Koi Security realized these were all tentacles of the same beast. “We could follow the breadcrumbs from ShadyPanda to GhostPoster to The Zoom Stealer because they shared infrastructure,” the researchers explained.
DarkSpectre’s genius lies in its patience. The group publishes extensions that function legitimately for years, accumulating users and “earning badges” from browser marketplaces. Then, once the user base has reached critical mass, they push an update that introduces the malicious features.
“DarkSpectre likely has more infrastructure in place right now – extensions that look completely legitimate because they are legitimate, for now,” the report warns. “They’re still in the trust-building phase, accumulating users, earning badges, waiting.”
This tactic exploits a fundamental flaw in how browser web stores operate. “The marketplace model checks extensions once at upload. DarkSpectre updates whenever they want,” Koi Security noted.
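One defender-side check this implies, as an added example and not Koi Security’s own tooling: diff an extension’s manifest across versions and flag any update that widens its capabilities. The manifests, extension name, host patterns and the list of permissions treated as high-risk are constructed assumptions, not data from the report.

```python
"""Flag risky drift between two versions of a browser extension manifest.

Added example (not Koi Security's code): the store reviews an extension once
at upload, so a defender re-checks every update instead. The manifests below
are constructed samples, not real extension data.
"""
import json

# Assumed set of permissions whose sudden appearance in an update deserves review.
HIGH_RISK = {"webRequest", "webRequestBlocking", "tabs", "cookies",
             "history", "scripting", "declarativeNetRequest", "tabCapture"}

def diff_manifests(old: dict, new: dict) -> list[str]:
    """Return human-readable findings for changes that widen what the extension can do."""
    findings = []
    if old.get("version") != new.get("version"):
        findings.append(f"version {old.get('version')} -> {new.get('version')}")
    for key in ("permissions", "host_permissions"):
        added = set(new.get(key, [])) - set(old.get(key, []))
        for p in sorted(added):
            tag = "HIGH" if p in HIGH_RISK or p == "<all_urls>" else "info"
            findings.append(f"{tag}: new {key} {p}")
    # Content scripts newly injected into pages the old version never touched.
    old_matches = {m for cs in old.get("content_scripts", []) for m in cs.get("matches", [])}
    new_matches = {m for cs in new.get("content_scripts", []) for m in cs.get("matches", [])}
    for m in sorted(new_matches - old_matches):
        findings.append(f"HIGH: content script now injected into {m}")
    if old.get("update_url") != new.get("update_url"):
        findings.append(f"HIGH: update_url changed to {new.get('update_url')}")
    return findings

# Constructed sample: a benign-looking v1.2.0 and the "woken" v1.3.0.
OLD = json.loads('{"manifest_version":3,"name":"Meeting Notes Helper","version":"1.2.0",'
                 '"permissions":["storage"],"host_permissions":["https://*.example.test/*"]}')
NEW = json.loads('{"manifest_version":3,"name":"Meeting Notes Helper","version":"1.3.0",'
                 '"permissions":["storage","tabs","webRequest"],'
                 '"host_permissions":["https://*.example.test/*","<all_urls>"],'
                 '"content_scripts":[{"matches":["https://*.meetings.example.test/*"],"js":["c.js"]}]}')

if __name__ == "__main__":
    for line in diff_manifests(OLD, NEW):
        print(line)
```

Run against the manifest.json of each installed extension before and after an update; an empty result means the update changed no capability the check tracks.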
The scope of DarkSpectre’s operations—spanning 300+ extensions and 7 years—raises chilling questions about what else is lurking in our browsers.
“How many other threat actors – Chinese, Russian, North Korean, or otherwise – are running similar long-term operations?” the report asks.
To combat this, Koi Security deployed “Wings,” a risk engine powered by “agentic AI” designed to analyze every version update of an extension, catching the moment a sleeper cell wakes up. But until systemic changes are made, millions of users remain one update away from compromise.