A newly discovered campaign, which researchers call Zoom Stealer, is affecting 2.2 million Chrome, Firefox, and Microsoft Edge users through 18 extensions that collect online meeting-related data like URLs, IDs, topics, descriptions, and embedded passwords.
Zoom Stealer is one of three browser extension campaigns that reached more than 7.8 million users over seven years and are attributed to a single threat actor tracked as DarkSpectre.
Based on the used infrastructure, DarkSpectre is believed to be the same China-linked threat actor behind the previously documented GhostPoster, which targeted Firefox users, and ShadyPanda, which delivered spyware payloads to Chrome and Edge users.
ShadyPanda remains active through 9 extensions and an additional 85 'sleepers' that build a user base before turning malicious via updates, researchers at supply-chain security company Koi Security say.
Campaign discovery flow
Source: Koi Security
Although the China connection existed before, attribution is now clearer based on hosting servers on Alibaba Cloud, ICP registrations, code artifacts containing Chinese-language strings and comments, activity patterns that match the Chinese timezone, and monetization targeting tuned to Chinese e-commerce.
Corporate meeting intelligence
The 18 extensions in the Zoom Stealer campaign are not all meeting-related, and some of them can be used to download videos or as recording assistants: Chrome Audio Capture with 800,000 installations, and Twitter X Video Downloader. Both are still available on the Chrome Web Store at publishing time.
Koi Security researchers note that the extensions are all functional and work as advertised.
... continue reading