Original Article Text

Zoom Stealer browser extensions harvest corporate meeting intelligence.

A newly discovered campaign, which researchers call Zoom Stealer, is affecting 2.2 million Chrome, Firefox, and Microsoft Edge users through 18 extensions that collect online meeting-related data like URLs, IDs, topics, descriptions, and embedded passwords.

Zoom Stealer is one of three browser extension campaigns that reached more than 7.8 million users over seven years and are attributed to a single threat actor tracked as DarkSpectre.

Based on the infrastructure used, DarkSpectre is believed to be the same China-linked threat actor behind the previously documented GhostPoster, which targeted Firefox users, and ShadyPanda, which delivered spyware payloads to Chrome and Edge users.

ShadyPanda remains active through 9 extensions and an additional 85 'sleepers' that build a user base before turning malicious via updates, researchers at supply-chain security company Koi Security say.

Although the China connection existed before, attribution is now clearer based on hosting servers on Alibaba Cloud, ICP registrations, code artifacts containing Chinese-language strings and comments, activity patterns that match the Chinese timezone, and monetization targeting tuned to Chinese e-commerce.

Corporate meeting intelligence

The 18 extensions in the Zoom Stealer campaign are not all meeting-related, and some of them can be used to download videos or as recording assistants: Chrome Audio Capture with 800,000 installations, and Twitter X Video Downloader. Both are still available on the Chrome Web Store at publishing time.

Koi Security researchers note that the extensions are all functional and work as advertised.
According to the researchers, all extensions in the Zoom Stealer campaign request access to 28 video-conferencing platforms (e.g., Zoom, Microsoft Teams, Google Meet, and Cisco WebEx) and collect the following data:

This data is exfiltrated via WebSocket connections and streamed to the threat actors in real time. This activity is triggered when victims visit webinar registration pages, join meetings, or navigate conferencing platforms.

Koi Security says this data can be used for corporate espionage and sales intelligence, which could be used in social engineering attacks or even to sell meeting links to competitors.

"By systematically collecting meeting links, participant lists, and corporate intelligence across 2.2 million users, DarkSpectre has created a database that could power large-scale impersonation operations - providing attackers with credentials to join confidential calls, participant lists to know who to impersonate, and context to make those impersonations convincing," notes the report from Koi Security.

Because many of these extensions operated innocuously for extended periods, users should carefully review the permissions the extensions require and limit their number to the necessary minimum.

Koi Security reported the offending extensions, but many are still present on the Chrome Web Store. The researchers published the complete list of active DarkSpectre extensions.

BleepingComputer has contacted InfinityNewTab and Google for a comment and we will update the article when we hear back.
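The advice above, to review what an extension is permitted to reach, can be turned into a mechanical check. The following is an added example, not code from the article, from Koi Security, or from any of the extensions named: it reads an extension manifest and reports which video-conferencing hosts its host permissions or content-script matches cover. The manifest and the host list are constructed for illustration (the report counts 28 platforms; only four appear here), and an extension whose advertised feature is recording or downloading has no reason to reach them.

```python
import re
# Constructed subset of the meeting-platform hostnames a recorder or downloader
# extension has no reason to touch (the report counts 28 such platforms).
MEETING_HOSTS = ("zoom.us", "teams.microsoft.com", "meet.google.com", "webex.com")
_MATCH_RE = re.compile(r"^(\*|https?|wss?|ftp|file)://([^/]*)(/.*)?$")

def pattern_covers(pattern, hostname):
    """True if a Chrome/Firefox match pattern grants access to hostname.
    Host part is '*', '*.example.com' (domain plus subdomains) or an exact host."""
    if pattern == "<all_urls>":
        return True
    m = _MATCH_RE.match(pattern)
    if not m:
        return False  # an API permission such as "tabs", not a host pattern
    host = m.group(2).lower()
    if host == "*":
        return True
    if host.startswith("*."):
        base = host[2:]
        return hostname == base or hostname.endswith("." + base)
    return hostname == host

def host_patterns(manifest):
    """Every place a manifest (MV2 or MV3) can declare host access."""
    found = list(manifest.get("host_permissions", []))
    found += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        found += script.get("matches", [])
    return found

def audit_manifest(manifest, meeting_hosts=MEETING_HOSTS):
    """Map each meeting host to the patterns that reach it and flag any hit."""
    patterns = host_patterns(manifest)
    reached = {}
    for host in meeting_hosts:
        hits = [p for p in patterns if pattern_covers(p, host)]
        if hits:
            reached[host] = hits
    return {"name": manifest.get("name", "?"), "reached": reached, "flagged": bool(reached)}

# Constructed manifest for a fictitious recorder extension: its advertised feature
# needs tab audio, yet it also injects a content script into meeting sites.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Recorder (constructed sample)",
    "permissions": ["tabCapture", "storage"],
    "host_permissions": ["*://*.zoom.us/*", "https://meet.google.com/*"],
    "content_scripts": [{"matches": ["*://*.webex.com/*"], "js": ["inject.js"]}],
}
print(audit_manifest(SAMPLE_MANIFEST))
```

For the sample manifest the audit flags zoom.us, meet.google.com and webex.com while teams.microsoft.com is untouched; run it over the unpacked manifest.json of each installed extension to see which ones reach meeting platforms their feature does not need.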

Daily Brief Summary

CYBERCRIME // Zoom Stealer Extensions Compromise 2.2 Million Users' Meeting Data

A cyber campaign named Zoom Stealer affects 2.2 million users across Chrome, Firefox, and Edge through 18 browser extensions.

The extensions collect sensitive meeting data, including URLs, IDs, topics, and embedded passwords, posing a risk of corporate espionage.

The threat actor, DarkSpectre, is linked to China, previously known for campaigns like GhostPoster and ShadyPanda.

DarkSpectre's infrastructure uses Alibaba Cloud and other Chinese indicators, suggesting a clearer attribution to China-based operations.

Data exfiltration occurs in real time as users interact with video-conferencing platforms, potentially enabling large-scale impersonation attacks.

Despite being reported, many of these extensions remain available on platforms like the Chrome Web Store, necessitating user vigilance.

Organizations are advised to review and limit extension permissions to mitigate risks associated with malicious browser extensions.