DarkSpectre Malware Hit 8.8M Browsers via Malicious Extensions

DarkSpectre infected over 8.8 million browser users by abusing trusted extensions and advanced evasion techniques.

Written By
Ken Underhill
Jan 2, 2026

Security researchers at Koi have uncovered DarkSpectre, a threat actor that infected over 8.8 million users via malicious browser extensions across Chrome, Edge, and Firefox.

The campaign shows how trusted browser marketplaces can be abused at scale through patience, legitimate features, and advanced evasion.

The threat actors infected “… over 8.8 million users in over 7 years of operation,” said researchers.

The Infrastructure Linking DarkSpectre’s Campaigns

According to Koi Security’s research, the operation consisted of three major campaigns: ShadyPanda, which infected approximately 5.6 million users; Zoom Stealer, targeting 2.2 million users; and GhostPoster, affecting roughly 1.05 million users. 

What sets DarkSpectre apart is its operational discipline. 

Rather than deploying obviously malicious tools, the group published extensions that provided real functionality, such as new tab dashboards and widgets, using legitimate domains like infinitynewtab[.]com and infinitytab[.]com.

Behind the scenes, those same domains communicated with separate command-and-control (C2) infrastructure used to deliver malicious payloads.

Researchers described the investigation as unraveling a web of interconnected extensions, publishers, and domains. 

Each discovery revealed additional tooling, eventually exposing dozens of malicious extensions operated by the same entity. 

Several extensions communicated with infrastructure previously flagged in unrelated investigations, confirming that the campaigns were linked and centrally managed.


How DarkSpectre Stayed Hidden for Years

DarkSpectre relied heavily on persistence and evasion to avoid detection. 

The group used what researchers termed “time-bomb” extensions — tools that remained dormant for days or even years before activating malicious behavior. 

One extension, New Tab – Customized Dashboard, waited three days after installation before contacting command-and-control servers, allowing it to pass marketplace security reviews undetected.

To further evade analysis, the malware activated on only about 10% of page loads, reducing the chance of detection during testing. 

Payload delivery leveraged steganography, hiding JavaScript inside PNG image files that appeared to be benign extension assets. Once extracted, the code executed silently in the background.

The JavaScript itself was heavily obfuscated using custom encoding, XOR encryption, and packed code designed to defeat automated detection tools. 

After activation, extensions downloaded additional encoded JavaScript from attacker-controlled servers, allowing operators to change behavior dynamically without issuing extension updates that would trigger renewed review.

This server-side control model represents the core innovation of DarkSpectre’s operation. 

Because the malicious logic lives on backend infrastructure rather than in the published extension, defenders cannot rely on blocking a single update or signature to disrupt the campaign.


How to Reduce Browser Extension Risk

The scale and persistence of campaigns like DarkSpectre demonstrate that browser extensions have become a valuable attack vector for threat actors. 

Because malicious extensions can remain hidden for years while operating inside trusted environments, organizations need more than basic controls to manage this risk.

  • Audit and inventory all installed browser extensions, restricting installations to approved allowlists and enforcing least-privilege permissions.
  • Enforce centralized browser and extension management using enterprise policies to control installation, updates, and removal.
  • Monitor browser and extension behavior for anomalies, including unusual network connections, delayed activation, or dynamic payload delivery.
  • Apply zero-trust and conditional access controls to browser sessions to limit what compromised sessions can access.
  • Strengthen identity and session protections to reduce the impact of stolen cookies or tokens that can bypass traditional MFA.
  • Educate users on extension risks and maintain extended logging and threat hunting to detect long-dwell malicious activity.

Collectively, these steps improve visibility into browser activity while reducing the impact of compromised extensions.
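As an added example (not from the article or from Koi), the first two steps above, an inventory checked against an allowlist and a centrally enforced install policy, in Python. It reads manifests from a Chromium-style profile layout (`<Extensions>/<id>/<version>/manifest.json`), flags permissions from an assumed high-risk list, and emits the Chrome `ExtensionInstallBlocklist` / `ExtensionInstallAllowlist` policy values. The sample profile and its 32-letter IDs are constructed placeholders in the Chrome ID format, not real store IDs.

```python
import json
import tempfile
from pathlib import Path

# Permissions that give an extension broad reach over browsing data or the host.
# Assumed starting set; tune it for your environment.
HIGH_RISK = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "scripting", "tabs", "history", "nativeMessaging", "debugger",
}


def load_manifests(extensions_root):
    """Yield (extension_id, version, manifest) from a Chromium-style profile layout:
    <root>/<extension id>/<version>/manifest.json"""
    for manifest_path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        version = manifest_path.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            yield ext_id, version, json.load(fh)


def audit(extensions_root, allowlist):
    """One record per installed extension: allowlist status and high-risk permissions."""
    allowlist = set(allowlist)
    report = []
    for ext_id, version, m in load_manifests(extensions_root):
        # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
        perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
        report.append({
            "id": ext_id,
            "name": m.get("name", "?"),
            "version": version,
            "allowed": ext_id in allowlist,
            "risky_permissions": sorted(perms & HIGH_RISK),
            # A background script or service worker is what lets an extension act
            # with no tab open, for example to phone home on a timer.
            "has_background": "background" in m,
        })
    return report


def chrome_policy(allowlist):
    """Chrome enterprise policy values that block every extension except the allowlist."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(set(allowlist)),
    }


def build_sample_profile():
    """Constructed sample profile with two fake extensions (placeholder IDs)."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest_version": 3, "name": "Corp SSO Helper", "version": "1.0",
            "permissions": ["storage"], "host_permissions": ["https://sso.example/*"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest_version": 3, "name": "Fancy New Tab", "version": "4.2",
            "permissions": ["tabs", "scripting", "storage"],
            "host_permissions": ["<all_urls>"],
            "background": {"service_worker": "bg.js"},
        },
    }
    for ext_id, manifest in samples.items():
        ext_dir = root / ext_id / manifest["version"]
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    profile = build_sample_profile()
    approved = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
    for rec in audit(profile, approved):
        status = "OK    " if rec["allowed"] and not rec["risky_permissions"] else "REVIEW"
        print(status, rec["id"], rec["name"], rec["version"], rec["risky_permissions"])
    print(json.dumps(chrome_policy(approved), indent=2))
```

Point `audit()` at a real profile's `Extensions` directory to get the inventory; the policy dictionary is what goes into Chrome's managed-policy store (the `Software\Policies\Google\Chrome` registry key on Windows, a JSON file under `/etc/opt/chrome/policies/managed/` on Linux). A blocklist of `*` with an explicit allowlist is the setting that makes the "approved list" real rather than advisory; an extension that is installed but not on the list, or that holds `<all_urls>` plus a background worker, is exactly the combination worth reviewing first.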


Why Trusted Systems Are Now Targets

Attackers are increasingly shifting away from loud, easily detected exploits in favor of abusing trusted platforms and establishing long-term persistence within legitimate systems.

Browser ecosystems, software supply chains, and SaaS integrations provide adversaries with durable footholds that can remain hidden for months or even years, blending seamlessly into everyday workflows.

This approach allows threat actors to evade traditional security controls while maintaining continuous access to sensitive data and user sessions.

As threats hide within trusted systems, organizations are turning to zero-trust to eliminate implicit trust and continuously verify access.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
