Malicious Zoom Stealer browser extensions harvest corporate meeting intelligence

31.12.2025 2 minutes Author: Newsman

Researchers have uncovered a large-scale campaign dubbed Zoom Stealer, in which malicious browser extensions collected sensitive online meeting data from more than 2.2 million users across Chrome, Firefox, and Microsoft Edge. The operation is attributed to the threat actor DarkSpectre and poses significant risks to corporate security and confidential communications.

According to research by Koi Security, the Zoom Stealer campaign involves at least 18 browser extensions designed to harvest meeting-related information, including URLs, meeting IDs, embedded passwords, topics, descriptions, and scheduled times.

The extensions request access to 28 video conferencing platforms such as Zoom, Microsoft Teams, Google Meet, and Cisco WebEx. The collected data is exfiltrated in real time via WebSocket connections when users register for webinars, join meetings, or browse conferencing platforms.
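A defensive check for the permission pattern described above, as an added example that is not from the original article or from Koi Security's research: it reads an extension's manifest and flags host access that is either blanket or spans several conferencing platforms. The domain watchlist (covering only the four platforms named here), the threshold of two platforms, and the sample manifests are assumptions constructed for illustration.

```python
# Assumed watchlist: domains for the four platforms the article names; the
# campaign's full list of 28 platforms is not given on the page.
WATCHLIST = {"zoom.us": "Zoom", "teams.microsoft.com": "Microsoft Teams",
             "meet.google.com": "Google Meet", "webex.com": "Cisco WebEx"}

def host_patterns(manifest):
    """Collect every match pattern that grants page access (MV2 and MV3 keys)."""
    pats = list(manifest.get("host_permissions", []))
    pats += manifest.get("optional_host_permissions", [])
    # MV2 mixes host patterns with API permissions such as "tabs".
    pats += [p for p in manifest.get("permissions", [])
             if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats

def pattern_host(pattern):
    """Host part of a match pattern, e.g. '*://*.zoom.us/*' -> '*.zoom.us'."""
    rest = pattern.split("://", 1)
    return rest[1].split("/", 1)[0].lower() if len(rest) == 2 else ""

def touches(pattern, domain):
    """True if the pattern grants access to the domain or one of its subdomains."""
    host = pattern_host(pattern)
    if host.startswith("*."):
        base = host[2:]  # wildcard: match if either name sits under the other
        return domain == base or domain.endswith("." + base) or base.endswith("." + domain)
    return host == domain or host.endswith("." + domain)

def audit(manifest, threshold=2):
    """Mark for review: blanket host access, or access to several watched platforms."""
    pats = host_patterns(manifest)
    hits = sorted({name for dom, name in WATCHLIST.items()
                   for p in pats if touches(p, dom)})
    broad = any(p == "<all_urls>" or pattern_host(p) == "*" for p in pats)
    return {"name": manifest.get("name", "?"), "platforms": hits,
            "broad": broad, "review": broad or len(hits) >= threshold}

# Constructed sample manifests (not taken from the campaign).
SAMPLES = [
    {"name": "Meeting Timer", "manifest_version": 3, "host_permissions":
     ["*://*.zoom.us/*", "https://teams.microsoft.com/*", "https://meet.google.com/*"]},
    {"name": "Dark Theme", "manifest_version": 2, "permissions": ["storage", "<all_urls>"]},
    {"name": "Zoom Notes", "manifest_version": 3,
     "content_scripts": [{"matches": ["https://app.zoom.us/*"]}]},
]
```

A "review" result is a triage signal, not a verdict: the article notes the extensions work as advertised, so a flagged add-on still needs its network behaviour and publisher checked.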

Crucially, the extensions are fully functional and perform as advertised, allowing them to remain installed for long periods while silently collecting corporate intelligence at scale.

Zoom Stealer is part of a broader ecosystem of malicious extension campaigns that have affected over 7.8 million users during the past seven years. Analysts link DarkSpectre to earlier campaigns such as GhostPoster and ShadyPanda, which used similar techniques to spy on browser activity.

  • Attribution to China is supported by multiple indicators, including the use of Alibaba Cloud infrastructure, ICP registrations, Chinese-language code artifacts, activity patterns aligned with Chinese time zones, and monetization strategies tailored to Chinese e-commerce.

  • The harvested data can be leveraged for corporate espionage, social engineering, targeted phishing, or even resold to competitors seeking access to confidential meetings.

The Zoom Stealer campaign highlights how seemingly legitimate browser extensions can become powerful surveillance tools. Even productivity-focused add-ons may conceal intelligence-gathering capabilities, turning everyday browsers into vectors for large-scale corporate espionage.
