The DarkSpectre Files: How a 7-Year Extension Campaign Hijacked 8.8 Million Browsers
A group tracked under the name DarkSpectre has, over seven years, systematically infected the machines of Chrome, Edge, and Firefox users. According to Koi Security, more than 8.8 million unique devices were affected. The operation comprised three distinct campaigns and showed a high degree of coordination and substantial resource backing.
The investigation found that the ShadyPanda, Zoom Stealer, and GhostPoster campaigns, despite objectives ranging from user data theft to corporate espionage, were all run by the same criminal organization. In total, more than a hundred browser extensions were published through the official extension stores. The attackers paired genuinely working features, such as weather displays or new-tab customization, with malicious behaviour that stayed invisible to most review and detection mechanisms.
Researchers examining the ShadyPanda infrastructure found that two domains serving the extensions' legitimate functionality, infinitynewtab.com and infinitytab.com, were also in contact with the command-and-control servers that ran the malicious side of the operation. Those shared domains were the crucial link that tied what initially looked like unrelated campaigns into a single, coherent operation.
Particularly alarming is how long the attackers kept "dormant" extensions installed without any overtly malicious payload. In some cases the harmful code was not activated until a week after installation. Even then it fired selectively, on roughly one in every ten website visits, which sharply reduced the chance of detection. Both measures are aimed at analysts as much as users: a store reviewer or a sandbox that exercises the extension for a few minutes right after installation sees only the benign behaviour, and a reviewer who does trigger the code cannot reproduce it reliably.
The concealment of the malicious code was well thought out. The extensions downloaded PNG images with JavaScript hidden inside them; the extension's own logo served as the carrier. A request for an image file is expected traffic for any extension, so it draws no attention. On load, the image was decoded, the concealed code extracted and executed without the user's knowledge.
The embedded code was further protected by several layers of encoding and obfuscation, including custom encoding schemes, XOR-based obfuscation, and packing designed to defeat automated analysis tools. Once activated, the extensions connected to remote servers and fetched up to 67 kilobytes of additional JavaScript. This let the attackers change extension behaviour at will without publishing a new version, so the changed behaviour never went through store review again.
DarkSpectre's distribution model was effective because the real payload was swapped server-side. The package installed from the store never changes, so blocking a specific extension version or file hash does not neutralize the threat: the malicious content is altered dynamically on the server, without any user involvement or update. The useful indicators are the command-and-control domains and the runtime behaviour of the extension, not the package itself.