{"id":9595,"date":"2026-01-01T10:05:17","date_gmt":"2026-01-01T10:05:17","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/01\/darkspectre-hackers-infected-8-8-million-chrome-edge-and-firefox-users-with-malware\/"},"modified":"2026-01-01T10:05:17","modified_gmt":"2026-01-01T10:05:17","slug":"darkspectre-hackers-infected-8-8-million-chrome-edge-and-firefox-users-with-malware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/01\/darkspectre-hackers-infected-8-8-million-chrome-edge-and-firefox-users-with-malware\/","title":{"rendered":"DarkSpectre Hackers Infected 8.8 Million Chrome, Edge, and Firefox Users with Malware"},"content":{"rendered":"<div>\n<p>Researchers have uncovered DarkSpectre, a well-funded Chinese threat actor responsible for infecting over 8.8 million users across Chrome, Edge, and Firefox browsers through a series of highly coordinated malware campaigns spanning seven years.<\/p>\n<p>The discovery reveals a level of operational sophistication rarely seen in the threat landscape, with the group running multiple distinct campaigns simultaneously, each targeting different objectives ranging from consumer fraud to corporate espionage.<\/p>\n<p>The operation consists of three major campaigns: ShadyPanda affecting 5.6 million users, the newly discovered <a href=\"https:\/\/cybersecuritynews.com\/zoom-users-beware\/\" target=\"_blank\" rel=\"noreferrer noopener\">Zoom Stealer<\/a> campaign targeting 2.2 million users, and GhostPoster impacting 1.05 million users.<\/p>\n<p>Investigators confirmed that, rather than being the work of separate threat actors, these campaigns represent a single, highly organized criminal organization with substantial resources and strategic planning capabilities.
<\/p>\n<p>The group demonstrates remarkable patience, maintaining legitimate-appearing browser extensions for five or more years before weaponizing them with malicious payloads.<\/p>\n<p>Koi analysts <a href=\"https:\/\/www.koi.ai\/blog\/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> the connection between these campaigns while analyzing infrastructure linked to ShadyPanda. <\/p>\n<p>They discovered that while the group used two legitimate domains\u2014infinitynewtab.com and infinitytab.com\u2014to power actual extension features like weather widgets and new tab pages, these same domains connected to entirely different malicious command-and-control infrastructure. <\/p>\n<p>This clever technique of embedding legitimate functionality alongside hidden <a href=\"https:\/\/cybersecuritynews.com\/asus-embedded-malicious-code-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">malicious code<\/a> became the thread linking all three operations together.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi10iQLhnKUzMBwj8sSNVzu2tSzw8fWmXgVoDJLNYkkFdkSaVPNdVn7blbEn24fEBqxWmk9rPWqOzdNayyK2y3mEP7MxpmEHFBUEQJzlLZ8YUQe51791OC94-K-qR5iYUoFbrWRylFQryzwHqOTSogxVn5bKtZKIjG1M1XMv5bFOphKS5Aj89bCs3N_vWA\/s16000\/Dark%2520Spectre%2520%28Source%2520-%2520Koi%29.webp?ssl=1\" alt=\"Dark Spectre (Source - Koi)\"><figcaption class=\"wp-element-caption\">Dark Spectre (Source \u2013 Koi)<\/figcaption><\/figure>\n<\/div>\n<p>The discovery process resembled following a complex web. One domain led to extensions, which revealed new domains, which connected to additional extensions operated by publishers with dozens of other malicious tools. 
<\/p>\n<p>The expansion eventually uncovered over 100 connected extensions across multiple browser marketplaces.<\/p>\n<p>As researchers investigated further, they noticed that certain newly discovered extensions communicated with domains already flagged in previous investigations, confirming that ShadyPanda, GhostPoster, and Zoom Stealer represented a single actor operating at nation-state scale.<\/p>\n<h2 class=\"wp-block-heading\" id=\"time-bomb-activation-and-evasion-tactics\"><strong>Time-Bomb Activation and Evasion Tactics<\/strong><\/h2>\n<p>The most alarming aspect of DarkSpectre\u2019s methodology lies in its sophisticated persistence and detection-evasion techniques.<\/p>\n<p>The group employs what researchers term \u201ctime-bomb\u201d extensions\u2014malicious tools that remain dormant for extended periods before activating their payload.<\/p>\n<p>One extension called \u201cNew Tab \u2013 Customized Dashboard\u201d demonstrates this approach by waiting three days after installation before connecting to command-and-control servers to download its actual malicious code.<\/p>\n<p>During the review process, when marketplaces evaluate extensions for safety, this extension appears completely legitimate. Marketplace reviewers cannot detect the malicious behavior because it simply does not activate during testing.<\/p>\n<p>The extension only begins its malicious activities after passing all <a href=\"https:\/\/cybersecuritynews.com\/genai-security-explained-key-risks-and-how-to-mitigate-them\/\" target=\"_blank\" rel=\"noreferrer noopener\">security checks<\/a> and reaching a real user\u2019s browser.
<\/p>\n<p>To further evade detection, the malware only activates on approximately ten percent of page loads, making it far harder to identify during routine testing or analysis.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhEvkm4nhaRESOY2Qe_96_S9BQONHgvk_cysl7VktSqMwzstix4do4qJaqsp17mEoTzLF9Zbki23AWozQ_9vbNXjSl3edicRhZ9la9owNlPrWdJzzw7AMdBy0rTbssAtrg9DZ-v4l7OCfdvGzsnjNM4BQ7VL_luI1ivDyY0Ocoa0WFcepgINkz90wnRgJQ\/s16000\/Chrome%2520Audio%2520Capture%2520live%2520in%2520the%2520marketplace%2520%28Source%2520-%2520Koi%29.webp?ssl=1\" alt=\"Chrome Audio Capture live in the marketplace (Source - Koi)\"><figcaption class=\"wp-element-caption\">Chrome Audio Capture live in the marketplace (Source \u2013 Koi)<\/figcaption><\/figure>\n<\/div>\n<p>The payload delivery itself showcases advanced <a href=\"https:\/\/cybersecuritynews.com\/malware-obfuscation\/\" target=\"_blank\" rel=\"noreferrer noopener\">obfuscation<\/a> techniques. DarkSpectre hides malicious code inside PNG image files, a method known as steganography.<\/p>\n<p>The extension loads its own logo, extracts the hidden JavaScript code embedded within the image file, and executes it silently in the background.<\/p>\n<p>The JavaScript is wrapped in multiple layers of protection, including custom encoding, XOR encryption, and packed code designed specifically to defeat automated <a href=\"https:\/\/cybersecuritynews.com\/how-intrusion-detection-and-prevention-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\">detection tools<\/a>.
<\/p>\n<p>Once activated, the extension downloads approximately sixty-seven kilobytes of additional encoded JavaScript from the operators\u2019 servers, giving the threat actors complete control over what executes in the user\u2019s browser without requiring an extension update that would again trigger the review process.<\/p>\n<p>This configuration-based approach represents the true innovation in DarkSpectre\u2019s operation. Instead of pushing updates to change functionality\u2014which would alert reviewers and users\u2014the operators simply modify what their servers return when extensions phone home.<\/p>\n<p>Defenders cannot combat the threat by blocking a single malicious update because the threat actor changes the payload on their backend servers dynamically, maintaining complete operational flexibility.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/darkspectre-hackers-infected-8-8-million-chrome-users\/\">DarkSpectre Hackers Infected 8.8 Million Chrome, Edge, and Firefox Users with Malware<\/a> appeared first on <a 
href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have uncovered DarkSpectre, a well-funded Chinese threat actor responsible for infecting over 8.8 million users across Chrome, Edge, and Firefox browsers through a series of highly coordinated malware campaigns spanning seven years. The discovery reveals a level of operational sophistication rarely seen [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-9595","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9595"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9595"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9595\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com
\/index.php\/wp-json\/wp\/v2\/categories?post=9595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}