Researchers uncover campaign using rogue browser extensions to steal online meeting data
- Marijan Hassan - Tech Journalist
- 24 minutes ago
- 2 min read
Koi Security unmasks 'The Zoom Stealer,' a rogue extension operation targeting corporate intelligence from 28+ conferencing platforms.

Cybersecurity firm Koi Security has exposed an advanced, highly focused corporate espionage campaign, dubbed "The Zoom Stealer," which used a network of rogue browser extensions to steal sensitive meeting data from over 2.2 million users across Chrome, Edge, and Firefox. The operation is attributed to a sophisticated Chinese-linked threat actor tracked as DarkSpectre.
Unlike typical consumer-focused data theft, this campaign targeted corporate intelligence, demonstrating a patient, strategic approach to gathering competitor and market data.
The "Zoom Stealer" operation
The campaign involved at least 18 malicious extensions that masked themselves as innocuous productivity tools, video downloaders, or meeting assistants.
The extensions requested broad access to over 28 video conferencing platforms, including Zoom, Microsoft Teams, Google Meet, Cisco Webex, and GoTo Webinar, regardless of the extension's stated purpose.
Once installed, the malicious code scraped and exfiltrated a wealth of corporate intelligence in real time over persistent WebSocket connections. The stolen data included:
Meeting URLs (often containing embedded passwords/IDs).
Meeting topics and descriptions.
Participant lists and scheduled times.
Speaker/host details: Names, titles, company affiliations, and bios from registration pages.
The extensions functioned exactly as advertised, earning user trust and positive reviews. Meanwhile, the surveillance ran silently in the background, making it an ideal long-term corporate intelligence gathering tool.
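As an added illustration (not from Koi Security's report or this article), a small defender-side audit that parses an extension manifest, resolves its match patterns against probe URLs for the conferencing platforms named above, and flags platforms the extension's stated purpose does not need. The manifest, probe URLs and platform list are constructed for the example, and the match-pattern matcher is a simplified version of the WebExtension rules.

```python
import re

PROBE_URLS = {  # constructed meeting-page URLs for platforms the article names (campaign spanned 28+)
    "Zoom": "https://us02web.zoom.us/j/1234567890",
    "Microsoft Teams": "https://teams.microsoft.com/l/meetup-join/abc",
    "Google Meet": "https://meet.google.com/abc-defg-hij",
    "Cisco Webex": "https://example.webex.com/meet/host",
    "GoTo Webinar": "https://attendee.gotowebinar.com/register/123",
}

# Constructed manifest: a "video downloader" whose content script also runs on meeting pages.
SAMPLE_MANIFEST = {
    "name": "Video Downloader Plus", "manifest_version": 3,
    "host_permissions": ["*://*.youtube.com/*"],
    "content_scripts": [{"js": ["content.js"], "matches": ["*://*.zoom.us/*",
        "*://teams.microsoft.com/*", "*://meet.google.com/*", "*://*.webex.com/*"]}],
}

def pattern_to_regex(pattern):
    """Simplified WebExtension match pattern -> regex (scheme wildcard, '*.' host prefix, path '*')."""
    if pattern == "<all_urls>":
        return re.compile(r"^(https?|wss?|ftp|file)://.*$")
    m = re.match(r"^(\*|https?|wss?|ftp|file)://([^/]*)(/.*)$", pattern)
    if not m: raise ValueError(f"invalid match pattern: {pattern}")
    scheme, host, path = m.groups()
    scheme_re = r"https?" if scheme == "*" else re.escape(scheme)
    if host == "*":
        host_re = r"[^/]+"
    elif host.startswith("*."):  # '*.zoom.us' matches any subdomain and zoom.us itself
        host_re = r"([^/]+\.)?" + re.escape(host[2:])
    else:
        host_re = re.escape(host)
    path_re = re.escape(path).replace(r"\*", ".*")
    return re.compile(f"^{scheme_re}://{host_re}{path_re}$")

def extension_patterns(manifest):
    """Every match pattern through which the extension can read page content."""
    patterns = list(manifest.get("host_permissions", []))  # MV3; MV2 lists these under "permissions"
    for cs in manifest.get("content_scripts", []):
        patterns += cs.get("matches", [])
    return patterns

def conferencing_reach(manifest):
    """Platforms whose meeting pages the extension's code can run on."""
    regexes = [pattern_to_regex(p) for p in extension_patterns(manifest)]
    return sorted(n for n, url in PROBE_URLS.items() if any(r.match(url) for r in regexes))

def overreach(manifest, needed=()):
    """Platforms reached beyond what the extension's stated purpose requires."""
    return [p for p in conferencing_reach(manifest) if p not in needed]
```

Run against a store listing or an unpacked extension's manifest.json, any non-empty result from overreach is a review trigger; a downloader or note-taking tool has no reason to inject into four conferencing vendors.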
Scale of the Threat
The Zoom Stealer campaign is the third major operation attributed to DarkSpectre, which has collectively impacted over 8.8 million users through campaigns focused on affiliate fraud, search hijacking (ShadyPanda), and now corporate espionage.
Threat actor profile: DarkSpectre
Researchers noted that the DarkSpectre campaign exhibits hallmarks of a well-resourced actor focused on building robust, persistent espionage infrastructure:
Evidence links the operation to China, including the use of Command-and-Control (C2) servers hosted on Alibaba Cloud and code artifacts containing Chinese-language strings.
Evasion Tactics
DarkSpectre employs advanced evasion techniques, including time-delayed "logic bombs" in the extensions to bypass initial review and "sleeper" extensions that remain benign for years before being weaponized via malicious updates.
Looking forward
Security analysts emphasize that this shift to compromising trusted software, like browser extensions, requires organizations to move beyond basic security controls and adopt real-time monitoring of application behavior and network connections to mitigate the risk of long-dwell, targeted corporate espionage.