DarkSpectre Malware Hit 8.8M Browsers via Malicious Extensions | eSecurity Planet

DarkSpectre Malware Hit 8.8M Browsers via Malicious Extensions

DarkSpectre infected over 8.8 million browser users by abusing trusted extensions and advanced evasion techniques.

Written By
Ken Underhill
Ken Underhill
Jan 2, 2026
3 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Security researchers at Koi have uncovered DarkSpectre, a threat actor that infected over 8.8 million users via malicious browser extensions across Chrome, Edge, and Firefox.

The campaign shows how trusted browser marketplaces can be abused at scale through patience, legitimate features, and advanced evasion.

The threat actors infected “… over 8.8 million users in over 7 years of operation,” said researchers.

The Infrastructure Linking DarkSpectre’s Campaigns

According to Koi Security’s research, the operation consisted of three major campaigns: ShadyPanda, which infected approximately 5.6 million users; Zoom Stealer, targeting 2.2 million users; and GhostPoster, affecting roughly 1.05 million users. 

What sets DarkSpectre apart is its operational discipline. 

Rather than deploying obviously malicious tools, the group published extensions that provided real functionality — such as new tab dashboards and widgets — using legitimate domains like infinitynewtab[.]com and infinitytab[.]com

Behind the scenes, those same domains communicated with separate command-and-control (C2) infrastructure used to deliver malicious payloads.

Researchers described the investigation as unraveling a web of interconnected extensions, publishers, and domains. 

Each discovery revealed additional tooling, eventually exposing dozens of malicious extensions operated by the same entity. 

Several extensions communicated with infrastructure previously flagged in unrelated investigations, confirming that the campaigns were linked and centrally managed.

How DarkSpectre Stayed Hidden for Years

DarkSpectre relied heavily on persistence and evasion to avoid detection. 

The group used what researchers termed “time-bomb” extensions — tools that remained dormant for days or even years before activating malicious behavior. 

One extension, New Tab – Customized Dashboard, waited three days after installation before contacting command-and-control servers, allowing it to pass marketplace security reviews undetected.

To further evade analysis, the malware activated on only about 10% of page loads, reducing the chance of detection during testing. 

Payload delivery leveraged steganography, hiding JavaScript inside PNG image files that appeared to be benign extension assets. Once extracted, the code executed silently in the background.

The JavaScript itself was heavily obfuscated using custom encoding, XOR encryption, and packed code designed to defeat automated detection tools. 

After activation, extensions downloaded additional encoded JavaScript from attacker-controlled servers, allowing operators to change behavior dynamically without issuing extension updates that would trigger renewed review.

This server-side control model represents the core innovation of DarkSpectre’s operation. 

By shifting malicious logic to backend infrastructure, defenders cannot rely on blocking a single update or signature to disrupt the campaign.

Advertisement

How to Reduce Browser Extension Risk

The scale and persistence of campaigns like DarkSpectre demonstrate that browser extensions have become a valuable attack vector for threat actors. 

Because malicious extensions can remain hidden for years while operating inside trusted environments, organizations need more than basic controls to manage this risk.

  • Audit and inventory all installed browser extensions, restricting installations to approved allowlists and enforcing least-privilege permissions.
  • Enforce centralized browser and extension management using enterprise policies to control installation, updates, and removal.
  • Monitor browser and extension behavior for anomalies, including unusual network connections, delayed activation, or dynamic payload delivery.
  • Apply zero-trust and conditional access controls to browser sessions to limit what compromised sessions can access.
  • Strengthen identity and session protections to reduce the impact of stolen cookies or tokens that can bypass traditional MFA.
  • Educate users on extension risks and maintain extended logging and threat hunting to detect long-dwell malicious activity.

Collectively, these steps improve visibility into browser activity while reducing the impact of compromised extensions.

Why Trusted Systems Are Now Targets

Attackers are increasingly shifting away from loud, easily detected exploits in favor of abusing trusted platforms and establishing long-term persistence within legitimate systems.

Browser ecosystems, software supply chains, and SaaS integrations provide adversaries with durable footholds that can remain hidden for months or even years, blending seamlessly into everyday workflows

This approach allows threat actors to evade traditional security controls while maintaining continuous access to sensitive data and user sessions.

As threats hide within trusted systems, organizations are turning to zero-trust to eliminate implicit trust and continuously verify access.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.