DarkSpectre Malware Campaign Infected 8.8 Million Chrome, Edge & Firefox Users

The security researchers at Koi have uncovered a bombshell—a coordinated spyware campaign across 100+ Google Chrome, Microsoft Edge, and Mozilla FireFox extensions, which function legitimately but (eventually) exhibit malicious behavior tied to a threat actor called DarkSpectre. This behavior includes stripping security protections, installing backdoors for remote code execution, performing surveillance, and disabling anti-fraud protections on Chinese e-commerce affiliate links.

The DarkSpectre naming comes from Koi, and their behavior has been attributed to at least three malware campaigns infecting over 8.8 million users in the past seven years—these campaigns include "The Zoom Stealer", with 2.2 million victims, "ShadyPanda", with 5.6 million victims, and "GhostPoster", with 1.05 million victims. The goals of these campaigns vary from sneaking a peek at corporate data to covert payload delivery and the aforementioned affiliate fraud, but they all use legitimate-looking extensions to do their work. In fact, they usually ...