Massive cyberattack on Chrome and Edge: seven years of undetected malicious extensions

  • A network of nearly 300 malicious extensions for Chrome, Edge, Firefox, and Opera affected 8.8 million users for more than seven years.
  • The DarkSpectre group operated three major campaigns (ShadyPanda, GhostPoster and Zoom Stealer) focused on fraud, data theft and corporate espionage.
  • The attack took advantage of fake ratings, covert updates, and steganography techniques to bypass official store controls.
  • It is recommended to audit extensions, update browsers, and change passwords, especially in professional and corporate environments.

Massive cyberattack on browsers

For more than seven years, a network of malicious extensions ran rampant in browsers such as Chrome and Edge, and also reached Firefox and Opera, without raising suspicion among millions of users. What appeared to be a relatively secure ecosystem of official add-on stores has now been revealed as one of the longest-running and most widespread security incidents in recent times.

The research, recently published by the cybersecurity firm Koi.ai, details how an organized group, named DarkSpectre, managed to introduce and maintain an active network of around 300 fraudulent extensions. These tools, installed by some 8.8 million users worldwide, were active from 2018 until the end of 2025, stealing data, spying on online activity and exploiting the trust placed in official stores.

A silent attack on Chrome, Edge, and other browsers


The core of the attack relied on extensions presented as seemingly useful tools: ad blockers, productivity utilities, translators, or other browser add-ons. Many of them were available in the official catalogs of Google Chrome, Microsoft Edge, Mozilla Firefox and Opera, which gave users a sense of security that, over time, proved unfounded.

According to publicly available data, DarkSpectre had been refining its methods since 2018, so that the malicious extensions passed through automated filters and regular reviews. The key was that much of the dangerous code was only activated after an extension reached a significant number of installations, or through later updates that modified the add-on's original behavior.

In practice, this meant that an extension could arrive in stores as a legitimate tool, accumulate downloads and ratings, and only later, through a silent update, incorporate the malicious component. The attack thus exploited one of the weaknesses in the trust model of official repositories, where updates are usually assumed to be routine improvements.

Koi.ai emphasizes that most of the victims used Chromium-based browsers, especially Chrome and Edge, owing to their enormous market share in Europe and the rest of the world. However, the campaign also reached Firefox and Opera users, showing that the target was not a single browser but the entire extension ecosystem.

Methods of deception: fake reviews and covert updates


To scale the attack, DarkSpectre resorted to artificial reputation techniques. Many of the affected extensions appeared in stores with high scores and positive reviews generated automatically or in a coordinated manner, which placed them among the featured recommendations and increased their visibility to new users.

In addition, the group deployed a system of covert updates that gradually changed the functionality of the add-on. During the first few months of an extension's life, its behavior could be almost flawless, limited to the promised function. Once a solid base of installations had been achieved, hidden modules were added, geared towards stealing data, manipulating web traffic, or inserting invasive advertising without the user's consent.

In some documented cases, these extensions functioned as genuine Trojan horses in the browser. At least thirty popular add-ons, including fake ad blockers and customization tools, contained code designed to capture banking credentials, social media passwords, and autofill data. All of this information was sent in real time to servers controlled by the attackers.

Alongside the direct theft of data, a second component was aimed at advertising injection and redirection to phishing pages. In other words, a user's searches could be diverted to fraudulent websites, or ads of dubious origin could appear, generating income for the criminal network and opening the door to additional scams.

This hybrid model, a mix of economic fraud, information theft, and traffic manipulation, allowed the attack to remain profitable while staying undetected by most detection systems and, above all, by the victims themselves.

Three main campaigns: ShadyPanda, GhostPoster, and Zoom Stealer


The operation orchestrated by DarkSpectre was divided into three main lines of action, each with different objectives and methods, but with a common denominator: leveraging user trust in extension stores and taking full advantage of the permissions the browser grants to extensions.

The first major phase, known as ShadyPanda, focused on extensions that posed as harmless utilities. More than a hundred of these add-ons ended up infecting some 5.6 million users, especially in Chromium-based browsers. While keeping a low profile, they delivered the promised features, but once a critical mass of installations was reached, hidden capabilities were activated to:

  • Commit fraud in online purchases, modifying or intercepting forms and payment gateways.
  • Steal sensitive data, from login credentials to card information and shipping addresses.
  • Manipulate legitimate links on large e-commerce portals, redirecting the user to cloned sites or modifying the final destination of certain transactions.

The second campaign, dubbed GhostPoster, affected more than 1 million users, with particular emphasis on Firefox and Opera. Its most striking feature was the use of steganography, a technique for hiding malicious code within seemingly normal images. In this way, the extensions could download and execute remote instructions or new malware modules without raising suspicion in traditional analysis systems.

Within GhostPoster, a particularly worrying case was discovered: a manipulated version of the popular "Google Translate" extension for Opera. This variant included an invisible iframe that installed a backdoor, disabled the browser's anti-fraud mechanisms and sent information to servers associated with DarkSpectre. Meanwhile, the user continued to see the translator working as normal.

The third and final major offensive became known as Zoom Stealer and was deployed at the end of 2025. This campaign used 18 extensions aimed specifically at platforms such as Zoom, Microsoft Teams, and Google Meet, compromising some 2.2 million users, including employees of companies and public administrations.

Zoom Stealer was geared towards corporate espionage and the gathering of business intelligence. The extensions gained access to confidential meetings and collected invitation links, login credentials, and even data associated with corporate calendars. With this information, the attackers were able to build databases of professional data, shared documents, and strategic details of high economic value.

Impact on European users and companies

The cumulative effect of these campaigns was remarkable. Millions of users were subjected to constant surveillance, theft of personal data, and exposure to financial scams. In many cases, users were unaware of the problem's origin: suspicious charges, subtle changes in search results, or strange redirects could be attributed to isolated glitches, when in reality they were caused by the activity of these extensions.

In the corporate sector, especially in Spain and the rest of Europe, the consequences were even more serious. The combination of ShadyPanda and Zoom Stealer opened the door to both outright fraud and corporate espionage: access to strategic meetings, leaking of screen-shared documents, capture of internal chats, and gathering of information on projects, clients, and suppliers.

Companies headquartered in the European Union, subject to regulations such as the General Data Protection Regulation (GDPR), now face the challenge of assessing the true extent of the information leak. It is not just a matter of employees' and customers' personal data, but also of trade secrets, product roadmaps, and confidential agreements that may have been exposed for years.

The very nature of the extensions makes the impact difficult to measure: many were installed on teleworking equipment, personal laptops, and mobile devices used to connect to corporate networks. This blurs the line between home and professional use, complicating both forensic investigations and organizational responses.

Meanwhile, the attack has reignited the debate in Europe about the responsibility of the major providers of browsers and app stores when it comes to filtering and monitoring content. Although review processes exist, the DarkSpectre case demonstrates that current systems have not been sufficient to stop such a well-planned, long-term operation.

How did it remain hidden for so many years?

One of the most striking aspects of this cyberattack is its unusually long duration. This is not an isolated incident but an operation that evolved over more than seven years, adapting to changes in browsers, store policies, and security analysis tools.

DarkSpectre employed a modular structure, with distributed command and control infrastructures and domains that were rotated to make them harder to track. In many cases, the malicious code was activated only under certain conditions—for example, when visiting certain e-commerce sites, logging into banking services, or joining a video call—thus reducing the noise that could attract the attention of security tools.

Another key element was the use of obfuscation techniques and delayed component loading. Instead of including all the malware in the extension package itself, some of the malicious logic was downloaded later from remote servers or hidden within seemingly innocuous resources, such as images. This made static scans, those performed on the file before installation, less effective.

Furthermore, the operation benefited from the fragmentation of the security ecosystem. While some extensions were detected or reported in a specific browser or region, other variants remained active in different stores or under slightly modified names. This ability to reinvent themselves with minor changes kept the campaign alive despite occasional losses.

The researchers also point to the lack of widespread awareness of the real risk posed by extensions. Many users grant broad permissions without reviewing what access they are giving: reading and modifying all data on visited pages, accessing tabs and browsing history, or integrating with other services. In the hands of groups like DarkSpectre, these authorizations become the ideal gateway for the mass exfiltration of information.

Recommendations for Chrome and Edge users

Following the publication of the research, cybersecurity experts have stressed the need for users and organizations to thoroughly review the extensions installed in their browsers, especially in Chrome and Edge, where a substantial part of the attack was concentrated.

As a first step, it is advisable to perform a manual audit of all add-ons present in the browser and remove any that are not recognized, not regularly used, or whose origin cannot be clearly identified. In corporate environments, it is recommended to establish a whitelist of allowed extensions and block the installation of new tools without IT department supervision.

It is also essential to ensure that the browser is updated to the latest version. The main vendors have been incorporating specific patches and improvements to block attack chains like the one used by DarkSpectre, so continuing to use outdated versions unnecessarily increases the risk.

If you have installed any suspicious extensions in recent years, it is prudent to carry out a preventive password change, starting with email accounts, banks, social media, and critical services. Whenever possible, it is recommended to activate two-factor authentication (2FA), which adds an extra layer of protection even if credentials have been compromised.

Finally, both at home and at work, it is important to strengthen training and awareness policies in digital security. Understanding that not all extensions with good ratings are trustworthy, carefully reviewing the permissions requested, and limiting the installation of unnecessary tools as much as possible can make the difference between keeping control of the data and exposing it to operations like DarkSpectre's.
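As an added example (not code from the article or from Koi.ai), the following Python script performs the kind of permission audit the recommendations above describe: it walks a Chrome or Edge profile's Extensions folder, reads each manifest.json, and flags add-ons that request the broad grants the article warns about (every site, tabs, history, cookies, request interception). The extension ids and manifests it builds are constructed fixtures, and the set of permissions it treats as broad is this example's own choice.

```python
import json
import tempfile
from pathlib import Path

# Permissions that let an add-on read or change everything the browser sees (this example's own list).
BROAD = {"<all_urls>", "tabs", "history", "webRequest", "cookies", "scripting"}
WILDCARD_HOSTS = ("*://*/*", "http://*/*", "https://*/*")


def broad_permissions(manifest: dict) -> list[str]:
    """Collect broad permissions from a Manifest V2 or V3 extension manifest."""
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("host_permissions", []))  # MV3 keeps host patterns here
    for script in manifest.get("content_scripts", []):  # pages a content script runs on
        declared |= set(script.get("matches", []))
    return sorted(p for p in declared if p in BROAD or p in WILDCARD_HOSTS)


def audit_extensions(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (the layout Chrome and
    Edge use) and return {extension_id: [broad permissions]} for add-ons to review."""
    report = {}
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        hits = broad_permissions(manifest)
        if hits:
            report[ext_id] = hits
    return report


def build_sample_profile() -> Path:
    """Constructed fixture: two fake extensions in a temp dir (ids are made up)."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaaexampleadblock": {  # poses as an ad blocker, asks for every site
            "manifest_version": 3, "name": "Sample Ad Blocker",
            "permissions": ["tabs", "scripting", "storage"],
            "host_permissions": ["<all_urls>"],
        },
        "bbbbexamplenotes": {  # notes tool that only needs local storage
            "manifest_version": 3, "name": "Sample Notes", "permissions": ["storage"],
        },
    }
    for ext_id, manifest in samples.items():
        path = root / ext_id / "1.0.0" / "manifest.json"
        path.parent.mkdir(parents=True)
        path.write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":  # on a real machine, point at the profile's Extensions folder
    for ext_id, perms in audit_extensions(build_sample_profile()).items():
        print(f"{ext_id}: review -> {', '.join(perms)}")
```

On a real machine the folder is %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions for Chrome and %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions for Edge on Windows. Names that appear as __MSG_..._ placeholders are localized strings resolved from the extension's _locales folder, so match on the id, not the name.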


Everything discovered about this prolonged cyberattack makes it clear that, although the official stores of Chrome, Edge, and other browsers remain the most reasonable channel for installing extensions, trust cannot be blind or automatic. The combination of campaigns like ShadyPanda, GhostPoster, and Zoom Stealer shows the extent to which a seemingly innocent add-on can be turned into a vector for espionage, fraud, and massive information leaks, affecting individual users as well as companies and institutions across Europe.
