DarkSpectre Browser Extension Campaigns

BLUF

A Chinese-linked threat actor, DarkSpectre, has compromised over 8.8 million users through three malicious browser extension campaigns designed to steal sensitive corporate meeting data and commit ad fraud.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by malicious browser extensions (ShadyPanda, GhostPoster, Zoom Stealer variants):

  • Low-end total cost: $900,000 – $1.2M
    (Limited spread, rapid detection, minimal sensitive meeting exposure)

  • Typical expected range: $1.6M – $3M

  • Upper-bound realistic scenarios: $4M – $5.5M
    (Widespread extension presence, prolonged exposure, legal and contractual escalation)

Key cost driver:

Costs are driven less by traditional outage and more by the assurance burden created when browsers themselves are compromised. Organizations incur sustained expense validating what meeting data, credentials, and strategic conversations were silently observed, rebuilding trust with stakeholders, and proving control effectiveness to regulators, customers, and insurers.

Targeted Sectors

·         Corporate employees using Zoom

·         Corporate employees using Google Meet

·         Corporate employees using Microsoft Teams

Countries

·         Global

Date of First Reported Activity

·         Early 2025 (first analysed in depth in December 2025).

Date of Last Reported Activity Update

·         January 1, 2026

APT Names

·         DarkSpectre

IOCs

Extension Clusters

·         ShadyPanda

·         GhostPoster

·         Zoom Stealer variants

C2 Domains

Primary Command & Control Domains

·         api.jt2x[.]com

o   Used for C2 operations, configuration downloads, and data exfiltration.

·         infinitynewtab[.]com

o   Core infrastructure for the ShadyPanda cluster.

·         infinitytab[.]com

o   Secondary infrastructure for the ShadyPanda cluster.

·         liveupdt[.]com

o   Associated with the GhostPoster cluster (previously documented).

·         dealctr[.]com

o   Associated with the GhostPoster cluster.

Zoom Stealer Campaign Infrastructure

The Zoom Stealer cluster, which targets corporate meeting intelligence, uses the following specialized infrastructure:

·         webinarstvus.cloudfunctions.net

o   Exfiltration domain used by all 18 extensions in the cluster.

·         zoocorder.firebaseio.com

o   Firebase Realtime Database used to collect harvested meeting data.

·         zoomcorder.com

o   A legitimate-looking recording service used as a public-facing front for the operation.

Other Infrastructure Indicators

·         zhuayuya.com

o   Used by a separate cluster with identical operational patterns.

·         muo.cc

o   Used by a separate cluster with identical operational patterns.

·         Alibaba Cloud

o   Much of the C2 infrastructure is hosted on Alibaba Cloud servers.


Known Network IOCs

Domains & IPs

These command-and-control (C2) domains and IPs are associated with configuration downloads and remote script injections:

·         jt2x[.]com

o   ShadyPanda C2

·         infinitynewtab[.]com

o   ShadyPanda C2

·         extensionplay[.]com

·         yearnnewtab[.]com

·         api.cgatgpt[.]net

Campaign Breakdowns

ShadyPanda

Focus

Long-term surveillance and e-commerce affiliate fraud.

Method

Offers legitimate-looking "new tab" or translation utilities that remain dormant ("sleepers") before secretly downloading malicious configurations.

Inventory

Includes 9 active extensions and 85 "sleeper" extensions.

GhostPoster

Focus

Targeting Firefox and Opera users.

Method

Employs steganography to conceal malicious payloads within PNG images.

Zoom Stealer

Focus

Harvesting corporate meeting intelligence (URLs, IDs, topics, and passwords).

Inventory

18 specific extensions identified across official marketplaces.

Malicious Extension Indicators

While security researchers have notified platform providers to remove the roughly 300 extensions associated with this group, organizations can hunt for the following general behaviors:

Tampered Versions

·         Extensions that have been updated with unauthorized code after building a large user base.

DNS Correlative Patterns

·         Outgoing requests to the known C2 domains listed above, correlated with the requesting browser process and the user SID it runs under.

Anomalous Scripts

·         Injection of remote scripts that hijack search results or track real-time browsing activity.
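As an added example (not code from the original report or any vendor), the following Python script audits one installed extension's manifest against the indicators above: risky permissions, broad host access, the add-on name used in the Edge registry hunt, and the roughly three-day dormancy pattern. The sample manifests and beacon timestamp are constructed inline, and the Chrome install_time encoding is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Permissions that let an extension read or rewrite page content or traffic.
# The page's Splunk hunt keys on activeTab and scripting; the rest are additions.
RISKY_PERMISSIONS = {"activeTab", "scripting", "webRequest", "webRequestBlocking",
                     "tabs", "cookies", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SUSPECT_NAMES = {"New Tab - Customized Dashboard"}   # name from the SentinelOne hunt
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(micros):
    """Chrome's Preferences stores install_time as a string of microseconds
    since 1601-01-01 UTC (assumption based on observed profiles)."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(micros))

def audit_extension(manifest, install_time_us, first_beacon=None, dormancy_days=3):
    """Return a list of findings for one installed extension."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("risky permissions: " + ", ".join(risky))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access")
    if manifest.get("name") in SUSPECT_NAMES:
        findings.append("name matches known DarkSpectre add-on")
    installed = webkit_to_datetime(install_time_us)
    if first_beacon is not None:
        dormant = (first_beacon - installed).days
        if dormant >= dormancy_days:   # the page cites a ~three-day time bomb
            findings.append(f"first beacon {dormant} days after install (sleeper pattern)")
    return findings

def run_sample():
    """Constructed sample: one extension matching the page's indicators, one benign."""
    sleeper = json.loads('{"name": "New Tab - Customized Dashboard", "manifest_version": 3,'
                         ' "permissions": ["activeTab", "scripting", "storage"],'
                         ' "host_permissions": ["<all_urls>"]}')
    benign = json.loads('{"name": "Notes", "manifest_version": 3, "permissions": ["storage"]}')
    install = "13380163200000000"                               # 2025-01-01T00:00:00Z
    beacon = datetime(2025, 1, 5, 10, 0, tzinfo=timezone.utc)   # first C2-like outbound seen
    return {"sleeper": audit_extension(sleeper, install, beacon),
            "benign": audit_extension(benign, install)}

if __name__ == "__main__":
    for ext, findings in run_sample().items():
        print(ext, findings or ["no findings"])
```

In a real deployment the manifests and install times come from each profile's Extensions directory and Preferences file, and the first-beacon timestamp from proxy or EDR telemetry.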

Tools Used

·         Malicious Browser Extensions

·         Data Stealers

TTPs

Reconnaissance & Initial Access

·         T1589 - Gather Victim Identity Information: Targeted corporate meeting intelligence, including participant lists, speaker bios, and meeting topics.

·         T1189 - Drive-by Compromise: Used malicious browser extensions distributed through official marketplaces like the Chrome Web Store and Firefox Add-ons.

·         T1204.001 - User Execution: Malicious Link: Redirected users to fake pages claiming a "critical Zoom update" was required, tricking them into downloading additional malware.

Execution & Persistence

·         T1176 - Browser Extensions: The primary delivery mechanism. Malicious code was often added to previously "clean" versions of extensions through updates.

·         T1647 - Software Depots: Exploited official web stores to host and distribute trojanized utilities.

·         T1133 - External Remote Services: Acted as a persistent man-in-the-middle by compromising the browser itself to capture credentials and traffic without needing to compromise individual websites.

Defense Evasion

·         T1643 - Steganography: Hidden code was pulled from images on the web to avoid detection by standard security scans.

·         T1491.001 - Internal Defacement: Injected malicious JavaScript into web pages to hijack affiliate links and conduct search query hijacking.

·         T1601 - Logic Bomb / Delayed Activation: Used "time-bomb" logic to wait for a period (e.g., three days) before activating malicious behavior to bypass the initial review process of app stores.

Sleeper Extensions

Initially deployed benign extensions to build a large user base before weaponizing them through later updates.

Collection & Exfiltration

·         T1539 - Steal Web Session Cookie: Harvested session cookies and login credentials.

·         T1555.003 - Password Managers / Credentials from Web Browsers: Captured URL parameters that included embedded meeting passwords and other sensitive metadata.

·         T1071.001 - Web Protocols: Exfiltrated real-time data from over 28 conferencing platforms (including Zoom, Teams, and WebEx) via WebSocket connections to attacker-controlled C2 servers.

·         T1185 - Browser Session Hijacking: Intercepted and redirected traffic from legitimate platforms to phishing replicas.

Command and Control (C2)

·         T1071.001 - Application Layer Protocol: Web Protocols: Communicated with C2 servers typically hosted on Alibaba Cloud infrastructure.

·         T1568 - Dynamic Resolution: Used specific domains (e.g., infinitynewtab.com, jt2x.com cluster) for downloading configurations and exfiltrating data.

Malware Names

·         ShadyPanda

·         GhostPoster

·         Zoom Stealer

Malware Sample

ShadyPanda

SHA256

d367f44eb907de54298314fa3e6b7c31cd04c04e070d5248ba63b9628e97900c

URL Link to sample

·         hxxps://bazaar.abuse.ch/sample/d367f44eb907de54298314fa3e6b7c31cd04c04e070d5248ba63b9628e97900c#intel

GhostPoster

SHA256

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Note: this value is the SHA256 digest of empty (zero-byte) input, so it does not identify a real file; confirm the actual sample hash via the VirusTotal link before using it for hunting.

URL Link to sample

·         hxxps://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855?nocache=1

Zoom Stealer

SHA256

142b638c6a60b60c7f9928da4fb85a5a8e1422a9ffdc9ee49e17e56ccca9cf6e

URL Link to sample

·         hxxps://www.virustotal.com/gui/file/142b638c6a60b60c7f9928da4fb85a5a8e1422a9ffdc9ee49e17e56ccca9cf6e

CVEs & CVSS Vectors

·         Not applicable

Suggested rules / potential hunts

As a reminder, these are indicator rules. They are likely to be noisy.

For best results consider creating a data model and reviewing the traffic as a report.

Suricata

Network-Based Detection

POSTs to Suspicious TLDs

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE DarkSpectre exfiltration attempt"; flow:established,to_server; content:"POST"; http_method; pcre:"/\.(xyz|top|pw|info)$/W"; threshold:type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2026001; rev:1;)


Anomalous User-Agent in Extension Traffic

Extensions often use unique or hardcoded User-Agents when communicating with C2 servers. The User-Agent string below is a placeholder; replace it with the value observed in your own telemetry.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkSpectre C2 Communication (User-Agent)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (MaliciousExtension/1.0)"; classtype:trojan-activity; sid:2026002; rev:1;)

SentinelOne

Look for files written to local extension storage paths.

FileType = "Extension" OR FilePath ContainsAny ( "Extensions", "Local Extension Settings" )

Edge-specific (registry hunt): the DarkSpectre cluster includes an Edge add-on named "New Tab - Customized Dashboard".

EndpointOS = "windows" AND RegistryKey Path Contains "Microsoft\Edge\Extensions" AND RegistryValue Contains "New Tab - Customized Dashboard"

Identify Delayed "Logic Bomb" Execution

ProcessName In ( "chrome.exe", "msedge.exe", "firefox.exe" ) AND NetConnDirection = "Outbound" AND ( DNSName Not In ( [Known_Good_Domains] ) )

Monitor for Search Hijacking and Affiliate Fraud

URL Redirect Hunting

Url ContainsAny ( "affiliate", "clickserve", "ad_id" ) AND ProcessName In ( "chrome.exe", "msedge.exe", "firefox.exe" )

Splunk

Identify Suspicious Extension Permissions

index=endpoint_logs sourcetype=chrome_extensions permissions IN ("*activeTab*", "*scripting*") | stats count by extension_id, user


Detect Data Exfiltration to Suspicious TLDs

index=network_traffic (dest_category="uncategorized" OR dest_tld IN (".top", ".xyz", ".pw")) | stats sum(bytes_out) as total_out by src_ip, dest_host | where total_out > 1000000 | sort -total_out


Correlate Suricata Alerts with High Severity

index=suricata severity=high | stats count by src_ip, signature | sort -count
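As an added example, not part of the original page, this Python hunt applies the same logic to a constructed proxy log: it refangs the IoC domains listed above, flags browser-process POSTs to the suspicious TLDs used in the Suricata and Splunk rules, and sums bytes_out per source/destination pair against the 1 MB threshold. The CSV column layout is an assumption.

```python
import csv
import io
from collections import defaultdict

# C2 and exfiltration domains from this page's IoC sections, refanged for matching.
IOC_DOMAINS = {
    "jt2x.com", "api.jt2x.com", "infinitynewtab.com", "infinitytab.com",
    "liveupdt.com", "dealctr.com", "webinarstvus.cloudfunctions.net",
    "zoocorder.firebaseio.com", "zoomcorder.com", "zhuayuya.com", "muo.cc",
    "extensionplay.com", "yearnnewtab.com", "api.cgatgpt.net",
}
SUSPICIOUS_TLDS = {"xyz", "top", "pw", "info"}          # from the Suricata/Splunk hunts
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # from the SentinelOne hunts
BYTES_OUT_THRESHOLD = 1_000_000                         # the Splunk hunt's 1 MB cut-off

def domain_matches(host):
    """True if host is a listed IoC domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def hunt(log_text):
    """log_text: CSV proxy log with columns ts,src_ip,process,method,host,bytes_out.
    Returns (hits, heavy): per-request indicator hits and src/dest pairs over threshold."""
    hits = []
    volume = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["process"] not in BROWSERS:      # only browser-originated traffic
            continue
        host = row["host"].lower()
        if domain_matches(host):
            hits.append((row["ts"], row["src_ip"], host, "known DarkSpectre C2"))
        elif host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS and row["method"] == "POST":
            hits.append((row["ts"], row["src_ip"], host, "POST to suspicious TLD"))
        volume[(row["src_ip"], host)] += int(row["bytes_out"])
    heavy = sorted((k, v) for k, v in volume.items() if v > BYTES_OUT_THRESHOLD)
    return hits, heavy

# Constructed sample log (not real telemetry); hosts outside the IoC list use example names.
SAMPLE_LOG = """ts,src_ip,process,method,host,bytes_out
2025-12-30T09:01:02Z,10.0.0.5,chrome.exe,GET,api.jt2x.com,512
2025-12-30T09:01:05Z,10.0.0.5,chrome.exe,POST,zoocorder.firebaseio.com,2048
2025-12-30T09:02:00Z,10.0.0.7,msedge.exe,POST,updates.example.top,900000
2025-12-30T09:02:30Z,10.0.0.7,msedge.exe,POST,updates.example.top,400000
2025-12-30T09:03:00Z,10.0.0.9,outlook.exe,POST,zoomcorder.com,100
2025-12-30T09:03:10Z,10.0.0.9,firefox.exe,GET,www.example.com,300
"""

if __name__ == "__main__":
    hits, heavy = hunt(SAMPLE_LOG)
    for hit in hits:
        print("HIT", *hit)
    for (src, dst), total in heavy:
        print("VOLUME", src, dst, total)
```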

References

CISO Series

·         hxxps://cisoseries.com/cybersecurity-news-unleash-protocol-hackers-drain-millions-darkspectre-campaigns-exposed-shai-hulud-led-trust-wallet-heist

The Hacker News

·         hxxps://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html

KOI AI

·         hxxps://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers

Astrix Security

·         hxxps://astrix.security/learn/blog/how-the-darkspectre-campaign-changes-the-browser-extension-threat-model

MalwareBazaar

·         hxxps://bazaar.abuse.ch/sample/d367f44eb907de54298314fa3e6b7c31cd04c04e070d5248ba63b9628e97900c#intel

VirusTotal

·         hxxps://www.virustotal.com/gui/file/142b638c6a60b60c7f9928da4fb85a5a8e1422a9ffdc9ee49e17e56ccca9cf6e

·         hxxps://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855?nocache=1
