
"The threat actor behind two malicious browser extension campaigns, ShadyPanda and GhostPoster, has been attributed to a third attack campaign codenamed DarkSpectre that has impacted 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox. The activity is assessed to be the work of a Chinese threat actor that Koi Security is tracking under the moniker DarkSpectre. In all, the campaigns have collectively affected over 8.8 million users spanning a period of more than seven years."
"This also includes an Edge add-on named "New Tab - Customized Dashboard" that features a logic bomb that waits for three days prior to triggering its malicious behavior. The time-delayed activation is an attempt to give the impression that it's legitimate during the review period and get it approved. Nine of these extensions are currently active, with an additional 85 "dormant sleepers" that are benign and meant to attract a user base before they are weaponized via malicious updates."
DarkSpectre, a Chinese-linked threat actor, deployed three malicious browser-extension campaigns (ShadyPanda, GhostPoster, and The Zoom Stealer) across Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, affecting a combined 8.8 million users over more than seven years. ShadyPanda affected 5.6 million users through over 100 connected extensions and used techniques like logic bombs and time-delayed activation to get through store review; nine of its extensions are currently active, and a further 85 are dormant sleepers that stay benign to build a user base before being weaponized via later updates. GhostPoster primarily targeted Firefox with utilities and VPNs serving malicious JavaScript for affiliate-link hijacking, tracking injection, and click/ad fraud, and included an Opera Google Translate add-on with nearly one million installs. The Zoom Stealer campaign impacted 2.2 million users and used 18 extensions.
Read at The Hacker News