A significant cyber-espionage campaign known as “Zoom Stealer” has been uncovered, compromising over 2.2 million users by embedding malicious code into widely used browser extensions.
Researchers at Koi Security discovered that the campaign employs 18 active extensions—such as “Chrome Audio Capture” and “Twitter X Video Downloader”—to target users on Google Chrome, Firefox, and Microsoft Edge.
While these tools perform their intended functions to avoid suspicion, they secretly gather sensitive information from 28 different video-conferencing platforms, including Zoom, Microsoft Teams, and Google Meet.
The malware is highly sophisticated. When a victim visits a meeting page or registers for a webinar, the extensions activate a hidden script. This script covertly harvests critical data, including meeting URLs with embedded passwords, participant lists, speaker biographies, and scheduled times.
Crucially, this intelligence is exfiltrated over WebSocket connections, so the data is streamed to the attackers in real time without alerting the user or triggering standard security alarms.
Researchers attribute this operation to a threat actor tracked as DarkSpectre, a group with a history of similar attacks and strong links to China. The attribution is supported by technical evidence: the group uses Alibaba Cloud servers, their activity patterns align with Chinese business hours, and the code contains Chinese-language strings.
Furthermore, DarkSpectre maintains a network of 85 “sleeper” extensions that build a legitimate user base before hostile updates are pushed out to activate them.
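The two behaviours described above, a content script that only runs on meeting pages and a "sleeper" extension that gains that reach through a later update, are both visible in an extension's manifest. The following added example (not code from Koi Security's report or from any extension it names) shows how a defender can inventory installed extensions from their manifests and flag an update that adds content-script coverage of video-conferencing hosts. The manifests, extension ids and host list are constructed for the example; the report covers 28 platforms, of which three named in the article are used here.

```python
# Added example: flag browser extensions whose content scripts can run on
# meeting pages, and detect "sleeper" updates that add that reach.
# Meeting hosts named in the article (constructed subset of the 28 platforms).
MEETING_HOSTS = ("zoom.us", "teams.microsoft.com", "meet.google.com")
# Permissions that let an extension read page content or traffic broadly.
BROAD_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "scripting", "cookies"}


def host_matches(pattern: str, host: str) -> bool:
    """Return True if a Chrome match pattern (e.g. '*://*.zoom.us/*') covers host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    pattern_host = pattern.split("://", 1)[1].split("/", 1)[0]
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        base = pattern_host[2:]
        return host == base or host.endswith("." + base)
    return host == pattern_host


def assess_manifest(manifest: dict) -> dict:
    """Summarise which meeting hosts an extension's content scripts can run on."""
    reachable = set()
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            reachable.update(h for h in MEETING_HOSTS if host_matches(pattern, h))
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "meeting_hosts": sorted(reachable),
        "broad_permissions": sorted(declared & BROAD_PERMISSIONS),
    }


def sleeper_updates(baseline: dict, current: dict) -> list:
    """Flag extensions whose update added content-script reach onto meeting pages.

    baseline and current map an extension id to an assess_manifest() result.
    """
    alerts = []
    for ext_id, now in current.items():
        before = baseline.get(ext_id)
        if before is None:
            continue  # newly installed; review it separately
        gained = sorted(set(now["meeting_hosts"]) - set(before["meeting_hosts"]))
        if gained and now["version"] != before["version"]:
            alerts.append({"id": ext_id, "from": before["version"],
                           "to": now["version"], "gained": gained})
    return alerts


# Constructed sample manifests (not real extensions). The "helper" mimics the
# sleeper pattern: harmless in 1.0.0, meeting-page reach added in 1.1.0.
NOTES_V1 = {"name": "Example Notes", "version": "1.0.0", "permissions": ["storage"],
            "content_scripts": [{"matches": ["https://example.com/*"], "js": ["notes.js"]}]}
HELPER_V1 = {"name": "Example Audio Helper", "version": "1.0.0", "permissions": ["storage"],
             "content_scripts": [{"matches": ["https://example.com/*"], "js": ["helper.js"]}]}
HELPER_V2 = {"name": "Example Audio Helper", "version": "1.1.0", "permissions": ["storage", "tabs"],
             "content_scripts": [{"matches": ["*://*.zoom.us/*", "https://teams.microsoft.com/*"],
                                  "js": ["helper.js"]}]}

# Constructed extension ids; a real inventory would read each installed
# extension's manifest.json from the browser profile directory.
BASELINE = {"ext-notes": assess_manifest(NOTES_V1), "ext-helper": assess_manifest(HELPER_V1)}
CURRENT = {"ext-notes": assess_manifest(NOTES_V1), "ext-helper": assess_manifest(HELPER_V2)}

if __name__ == "__main__":
    for alert in sleeper_updates(BASELINE, CURRENT):
        print("review:", alert)
```

Running the block prints one alert for the constructed helper extension, which went from no meeting-host reach in 1.0.0 to covering zoom.us and teams.microsoft.com in 1.1.0. The check is deliberately manifest-only: it does not need the extension's JavaScript, so it can run over a fleet's browser profiles as a periodic inventory diff, and an extension that starts matching meeting pages after an update is exactly the pattern the report describes.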
The implications are serious. According to Koi Security, DarkSpectre has amassed a database potent enough to launch extensive impersonation attacks. By illicitly obtaining valid meeting links and credentials, attackers can covertly infiltrate confidential business calls, spy on corporate rivals, or execute highly convincing social engineering scams.
Despite these alarming discoveries, many of the malicious extensions remained accessible for download at the time the report was issued.