Security researchers have uncovered a large-scale browser extension campaign dubbed Zoom Stealer, which has impacted more than 2.2 million users across Google Chrome, Mozilla Firefox, and Microsoft Edge.
The campaign involves 18 malicious extensions designed to collect sensitive online meeting data, including meeting URLs, IDs, topics, descriptions, and even embedded passwords.
Zoom Stealer is one of three long-running malicious extension campaigns attributed to a single threat actor tracked as DarkSpectre. According to researchers, these campaigns have collectively reached over 7.8 million users over the past seven years. DarkSpectre is believed to be linked to China-based activity and is also associated with earlier operations known as GhostPoster and ShadyPanda, which previously targeted Firefox, Chrome, and Edge users with spyware.
Researchers at Koi Security found that the extensions appear legitimate and work as advertised, making detection difficult. Some popular extensions, such as Chrome Audio Capture (with around 800,000 installs) and Twitter X Video Downloader, remain available on the Chrome Web Store. Once installed, the extensions request access to at least 28 video conferencing platforms, including Zoom, Microsoft Teams, Google Meet, and Cisco WebEx, and secretly collect detailed meeting and participant information in real time.

The stolen data is sent to attacker-controlled servers via WebSocket connections and could be used for corporate espionage, sales intelligence, and social engineering attacks. Researchers warn that attackers could impersonate meeting participants, gain access to confidential calls, or sell meeting links to competitors.
While the extensions have been reported to browser vendors, several remain active, highlighting the need for users to review extension permissions carefully and remove anything unnecessary.
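
For the permission review recommended above, here is an added example (not taken from the Koi Security research or the original article) that checks an extension's `manifest.json` for host access to the conferencing platforms named here. The domain list is an assumption covering the primary domains of those four platforms, and the sample manifest is constructed.

```python
import json

# Assumed primary domains for the four platforms the article names; extend as needed.
PLATFORM_DOMAINS = {
    "Zoom": "zoom.us",
    "Microsoft Teams": "teams.microsoft.com",
    "Google Meet": "meet.google.com",
    "Cisco WebEx": "webex.com",
}

def pattern_covers(pattern, domain):
    """True if a WebExtension match pattern grants access to domain or a host under it."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # API permission such as "tabs", not a host pattern
    host = pattern.split("://", 1)[1].split("/", 1)[0].lower()
    if host == "*":
        return True
    if host.startswith("*."):
        base = host[2:]  # wildcard may sit above, at, or below the platform domain
        return domain == base or domain.endswith("." + base) or base.endswith("." + domain)
    return host == domain or host.endswith("." + domain)

def host_patterns(manifest):
    """Collect host patterns from MV2/MV3 permission keys and content scripts."""
    pats = []
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        pats += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def audit(manifest):
    """Map each conferencing platform to the manifest patterns that reach it."""
    hits = {}
    for pat in host_patterns(manifest):
        for platform, domain in PLATFORM_DOMAINS.items():
            if pattern_covers(pat, domain):
                hits.setdefault(platform, []).append(pat)
    return hits

# Constructed sample: a "video downloader" that also reaches meeting sites.
SAMPLE_MANIFEST = json.loads("""{"manifest_version": 3, "name": "Example Video Downloader",
  "permissions": ["storage", "tabs"],
  "host_permissions": ["https://*.example-video.test/*", "*://*.zoom.us/*"],
  "content_scripts": [{"matches": ["https://meet.google.com/*"], "js": ["c.js"]}]}""")

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```

A hit is a prompt for review rather than proof of malice: an extension whose stated purpose has nothing to do with meetings has no reason to hold these host permissions.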





