8.8m Browser Users Hit by Chinese Malware Operation

chinese malware operation

Cybersecurity researchers have exposed a massive malware campaign linked to a Chinese threat actor known as DarkSpectre, which has infected over 8.8 million users across Chrome, Edge, Firefox, and Opera browsers through malicious extensions. This sophisticated operation, spanning seven years, evolved from simple affiliate fraud to full-scale browser surveillance and corporate espionage, exploiting trusted browser marketplaces to build massive user bases before activating hidden backdoors.

The revelation, detailed in reports from Koi Security released in late December 2025, underscores vulnerabilities in extension review processes and highlights the risks of seemingly legitimate tools turning rogue via silent updates.

Unmasking DarkSpectre: The Mastermind Behind the Campaigns

DarkSpectre stands out for its operational maturity, running parallel campaigns with distinct playbooks tailored to different browsers and objectives, all while maintaining legitimate facades for years. Researchers connected the dots through shared infrastructure like domains such as infinitynewtab.com and api.jt2x.com, which powered benign features in extensions but linked to malicious command-and-control (C2) servers hosted on Alibaba Cloud in China.

Attribution to a Chinese operation relies on multiple indicators: ICP registrations tied to provinces like Hubei, Chinese-language code artifacts, and targeting of e-commerce giants JD.com and Taobao for affiliate fraud. Unlike opportunistic hackers, DarkSpectre demonstrates nation-state-level patience, investing in long-term trust-building across 300+ extensions before weaponization.

This isn’t isolated; it builds on earlier phases where the group tested marketplace weaknesses with wallpaper apps injecting affiliate codes on sites like Amazon and eBay. By late 2025, the actor controlled backdoors capable of arbitrary code execution, turning browsers into persistent surveillance tools.

ShadyPanda: The Flagship Surveillance Empire Infecting 5.6 Million

ShadyPanda forms the core of DarkSpectre’s operations, starting with 145 extensions in 2023 disguised as wallpaper and productivity apps that siphoned commissions from user clicks on major retailers. Evolving into search hijackers like Infinity V+, these tools redirected queries through suspicious domains like trovi.com, logging keystrokes and exfiltrating cookies to servers such as nossl.dergoodting.com.

The masterstroke came in mid-2024: five extensions, including “Featured” and “Verified” Clean Master with 200,000 installs, flipped malicious after years of clean operation, affecting 300,000 users with hourly RCE checks to api.extensionplay.com. These backdoors download obfuscated JavaScript—often disguised as PNGs—granting full browser access for keystroke logging, content injection, and MITM attacks, all while evading detection by hiding when developer tools open.

Parallel to this, five Starlab Technology extensions on Edge, led by WeTab with 3 million installs, actively spy on 4 million users, capturing every URL, search query, mouse click (with pixel precision), and page interaction, streaming data to 17 Chinese servers including Baidu and WeTab endpoints. Expansions revealed 100+ extensions, with 9 active, 85 dormant “sleepers,” pushing the ShadyPanda toll to 5.6 million.

GhostPoster: Stealthy Payloads Hidden in Images Target 1 Million

GhostPoster’s playbook exploits Firefox and Opera via steganography: malicious JavaScript embedded in PNG icon files, extracted post-install with 48-hour delays and 10% activation rates to dodge reviews. Affecting 1.05 million users across 18 extensions, it shares C2 domains like liveupdt.com with ShadyPanda, confirming unified control.

A shocking extension, “Google™ Translate” by charliesmithbons on Opera (nearly 1 million installs), strips site security, injects iframes for RCE, and disables anti-fraud on Chinese shopping links, phoning home to mitarchive.info and gmzdaily.com. This cross-marketplace agility—Chrome to Opera—highlights DarkSpectre’s platform mastery, turning trusted translation tools into backdoors.

The technique’s elegance lies in its review-proof nature: benign during submission, payload-loaded later, enabling affiliate hijacks and surveillance without triggering static scans.

Zoom Stealer: Corporate Espionage via 2.2 Million Meeting Harvesters

DarkSpectre’s most insidious campaign, the Zoom Stealer, targets corporate secrets through 18 extensions like “Twitter X Video Downloader” and “Chrome Audio Capture” (800,000 installs), requesting permissions for 28 platforms including Zoom, Teams, and WebEx. These “productivity” tools scrape webinar pages for links (with passwords), IDs, topics, and real-time participant data via WebSocket streams to zoocorder.firebaseio.com.

Beyond logistics, they build speaker dossiers—names, titles, bios, photos, companies—plus logos and attendance patterns, exfiltrating via Google Cloud Functions for a searchable intelligence database. Bridged by infinitynewtab.com to ShadyPanda, this 2.2 million-user op enables espionage: selling roadmap calls, sales intel, or phishing fodder like “Sarah from the webinar.”

Unlike consumer fraud, this fuels strategic attacks—M&A intel, competitor spying—exposing how browser permissions grant outsiders network-level access without AV alerts.

Technical Arsenal: From Obfuscation to Remote Control

DarkSpectre’s code employs layered evasion: custom XOR encoding, packed JS interpreters bypassing CSP, anti-debug tricks sensing dev tools, and config-driven payloads from C2s like api.jt2x.com dictating fraud targets or surveillance depth. RCE frameworks poll hourly for updates, executing anything from Taobao link swaps to credential theft.

WeTab exemplifies intrusiveness: keystroke-monitored searches, scroll-tracked sessions, fingerprinting surviving reinstalls via sync storage, all AES-encrypted to Chinese servers. Zoom tools use persistent WebSockets for live feeds, while GhostPoster PNG stego loads multi-stage payloads probabilistically.

This modularity—remote swaps sans updates—renders static reviews obsolete, as behaviors shift post-approval.

Chinese Ties and Broader Implications for Global Security

Infrastructure screams China: Alibaba-hosted C2s, Hubei ICPs, timezone-aligned commits, and e-commerce focus on domestic platforms. Whether state-sponsored or tolerated cybercrime, the scale demands resources beyond lone wolves, echoing past ops like Fireball (250M infections) but with espionage twists.

Victims span consumers (fraud) to enterprises (meeting leaks), with 20% corporate hit rates in prior analogs. Data monetization via sales intel, impersonation kits, or state intel sharing amplifies risks, especially amid rising supply-chain worries.

For regions like South Asia and Latin America—your publishing foci—this hits home: global browsers mean local users’ data flows to China, fueling targeted scams on emerging e-com.

How Victims Got Infected and What It Means Day-to-Day

Infection starts innocently: users grab “helpful” extensions from Chrome Web Store (badges boosting trust), Edge Add-ons, Firefox Marketplace, or Opera—often “Featured” after years of fakes. Auto-updates deliver payloads silently; no phishing needed.

Daily impacts: hijacked searches inflate affiliate costs, surveillance profiles for ads/phishing, corporate users leak secrets unwittingly. Enterprises face breached repos, SaaS logins; consumers lose privacy to pixel-tracked habits.

Official Responses: Removals, But Infrastructure Lingers

Koi’s disclosures prompted Google to yank ShadyPanda Chrome extensions, Microsoft some Edge ones, but Edge laggards like WeTab persist as of early 2026, infecting anew. Firefox/Opera cleanups followed GhostPoster IOCs; no DarkSpectre arrests announced.

Browser giants tout improved behavioral monitoring, yet seven-year gaps expose flaws—reviews ignore sleepers. Koi’s Wings engine exemplifies fixes: continuous analysis catching post-approval shifts.

Protecting Yourself: Essential Steps for Users and Businesses

Scan extensions via tools like Koi or Shortwave; revoke broad permissions (all URLs, tabs) routinely. Enterprises: policy-block unknown extensions, monitor C2 IOCs (infinitynewtab.com, api.jt2x.com, etc.), deploy behavioral EDR.

Users: stick to verified devs, audit via chrome://extensions, use extension whitelists. Update browsers; consider containers isolating add-ons. For devs: minimize permissions, avoid sync storage for IDs.

The Bigger Picture: A Wake-Up Call for Browser Ecosystems

DarkSpectre’s 8.8M tally—5.6M ShadyPanda, 1M+ GhostPoster, 2.2M Zoom—proves marketplaces incentivize long-cons: trust signals aid scale, updates bypass gates. As AI aids obfuscation, expect copycats; 2026 forecasts more sleeper threats.

This saga demands overhaul: runtime vetting, user warnings on permissions, C2 blacklists. Until then, vigilance trumps convenience—your browser is the new battlefield


Subscribe to Our Newsletter

Related Articles

Top Trending

Post-Quantum Cryptography
Post-Quantum Cryptography: A Practical Guide For Nontechnical Leaders
ai slop problem an editor is checking the content
AI Slop Problem: What Working With Online Content Taught Me About Information Quality
midjourney prompts for marketing. Creative director reviewing AI generated brand visuals, showing how Midjourney prompts support professional marketing asset planning.
Top 9 Midjourney Prompts for Marketing Visuals and Stunning Graphics
best apps upper elementary
13 Best Educational Apps for Upper Elementary (Ages 8-11)
Smart Home Sustainability
Smart Home Sustainability: Which Devices Actually Help and Which Ones Just Add Clutter

Fintech & Finance

Higher 401k Limits Retirement Savers
What Do Higher 401(k) Limits Mean for Retirement Savers in 2026?
ELSS SIP Calculator
ELSS SIP Calculator: Tax Saving + Wealth Building Explained
Tracking Small-Cap Stocks on Fintechzoom.com Russell 2000
Fintechzoom.com Russell 2000: The Complete Guide to Tracking Small-Cap Stocks in 2026
Organizational Bottlenecks and How to Address Them
10 Organizational Bottlenecks: Here’s How to Address Them
Why more Indians are Taking a Rs 50000 Personal Loan for Emergencies and Short-term Needs
Why more Indians are Taking a Rs 50000 Personal Loan for Emergencies and Short-term Needs

Sustainability & Living

Smart Home Sustainability
Smart Home Sustainability: Which Devices Actually Help and Which Ones Just Add Clutter
vote with your wallet
10 Ways to Vote With Your Wallet and Make Every Purchase Count
environment impact of plant-based diet featured image. Plant based meal with legumes, grains, vegetables, and a globe showing the environmental value of sustainable food choices.
The Environment Impact of Plant-Based Diet Choices
Swedish supply chain traceability platforms
6 Swedish Supply Chain Traceability Platforms Transforming Global Industries
Local Climate Actions
11 Local Climate Actions That Compound Beyond One Household

GAMING

Open World Fatigue. Gamer overlooking a vast open world filled with map markers, showing how open world fatigue starts when exploration becomes overwhelming
Open World Fatigue Is Real and AAA Games Caused It
Play to Earn Models Featured Image of a Gamer exploring a futuristic fantasy game economy with digital assets, rewards, characters, and collectible items, helping viewers understand how Play to Earn Models connect gameplay with ownership.
Top 10 Gaming SMEs Specializing in Play to Earn Models in the United States
Crunch Culture Coverup featured image. Exhausted game developer working late in a dark studio, showing how the crunch culture coverup hides the human cost behind AAA game production
The Crunch Culture Coverup Is Gaming’s Ugliest Secret
Mortdog left Riot Games
Mortdog Leaves Riot Games: Is This the End of TFT as We Know It?
Quality Assurance & Game Testing
Top 10 Gaming SMEs Specializing in Quality Assurance & Game Testing in India

Business & Marketing

Best Founder Resources
23 Best Founder Resources: A Practical Guide for Early-Stage Startups
Best Free Courses Aspiring Founders
The 7 Best Free Courses Aspiring Founders Should Take Before Building
best templates founders
11 Best Templates Founders Need to Build Smarter
Enter a new country without legal entity
The Fastest Way to Enter a New Country Without Establishing a Legal Entity
Promotional talent live events
How Promotional Talent Helps Brands Make an Impact at Live Events

Technology & AI

Post-Quantum Cryptography
Post-Quantum Cryptography: A Practical Guide For Nontechnical Leaders
ai slop problem an editor is checking the content
AI Slop Problem: What Working With Online Content Taught Me About Information Quality
midjourney prompts for marketing. Creative director reviewing AI generated brand visuals, showing how Midjourney prompts support professional marketing asset planning.
Top 9 Midjourney Prompts for Marketing Visuals and Stunning Graphics
ChatGPT Prompts for Content Writing. Writer collaborating with an AI assistant to research, organize, and refine content more effectively.
11 ChatGPT Prompts for Content Writing You Must Use
Open World Fatigue. Gamer overlooking a vast open world filled with map markers, showing how open world fatigue starts when exploration becomes overwhelming
Open World Fatigue Is Real and AAA Games Caused It

Fitness & Wellness

Electric Massage Ball for Spine Injury
Living With Spine Injury: How to Try an Electric Massage Ball Without Rushing It
A Complete Guide on TheLifestyleEdge com
The Lifestyle Edge: Your Complete Guide to Wellness and Modern Living
Stretching Accessories That Make a Difference
7 Stretching Accessories That Make a Difference for Flexibility, Mobility, and Recovery
air quality wellness devices
13 Air Quality and Wellness Devices Worth Considering for a Healthier Home
habits reduce stress
7 Habits That Reduce Stress Long Term and Feel Calmer Daily