#
Hashtag
#darkspectre
A group of cybercriminals called DarkSpectre is believed to be behind three campaigns spread by malicious browser extensions: ShadyPanda, GhostPoster, and Zoom Stealer. We wrote about the ShadyPanda campaign in December 2025, warning users that extensions which had behaved normally for years suddenly went rogue. After a malicious update, these extensions were able to track browsing behavior and run malicious code inside the browser.

Also in December, researchers uncovered a new campaign, GhostPoster, and identified 17 compromised Firefox extensions. The campaign was found to hide JavaScript code inside the image logo of malicious Firefox extensions with more than 50,000 downloads, allowing attackers to monitor browser activity and plant a backdoor.

The use of malicious code in images is a technique called steganography. Earlier GhostPoster extensions hid JavaScript loader code inside PNG icons such as logo.png for Firefox extensions like “Free VPN Forever,” using a marker (for example, three equals signs) in the raw bytes to separate image data from payload. Newer variants moved to embedding payloads in arbitrary images inside the extension bundle, then decoding and decrypting them at runtime. This makes the malicious code much harder for researchers to detect.

Based on that research, other researchers found an additional 17 extensions associated with the same group, beyond the original Firefox set. These were downloaded more than 840,000 times in total, with some remaining active in the wild for up to five years. GhostPoster first targeted Microsoft Edge users and later expanded to Chrome and Firefox as the attackers built out their infrastructure.

The attackers published the extensions in each browser’s web store as seemingly useful tools with names like “Google Translate in Right Click,” “Ads Block Ultimate,” “Translate Selected Text with Google,” “Instagram Downloader,” and “Youtube Download.”

The extensions can see visited sites, search queries, and shopping behavior, allowing attackers to create detailed profiles of users’ habits and interests. Combined with other malicious code, this visibility could be extended to credential theft, session hijacking, or attacks targeting online banking workflows, even if those are not the primary goal today.

## How to stay safe

Although we always advise people to install extensions only from official web stores, this case proves once again that not all extensions available there are safe. That said, the risk involved in installing an extension from outside the web store is even greater.

Extensions listed in the web store undergo a review process before being approved. This process, which combines automated and manual checks, assesses the extension’s safety, policy compliance, and overall user experience. The goal is to protect users from scams, malware, and other malicious activity.

Mozilla and Microsoft have removed the identified add-ons from their stores, and Google has confirmed their removal from the Chrome Web Store. However, already installed extensions remain active until users manually uninstall them.

If you’re worried that you may have installed one of these extensions, run a Malwarebytes Deep Scan with your browsers closed.

* On the Malwarebytes **Dashboard** click on the three stacked dots to select the **Advanced Scan** option.
* On the **Advanced Scan** tab, select **Deep Scan**. Note that this scan uses more system resources than usual.
* After the scan, remove any found items, and then reopen your browser(s).

**Manual check:** These are the names of the 17 additional extensions that were discovered:

* AdBlocker
* Ads Block Ultimate
* Amazon Price History
* Color Enhancer
* Convert Everything
* Cool Cursor
* Floating Player – PiP Mode
* Full Page Screenshot
* Google Translate in Right Click
* Instagram Downloader
* One Key Translate
* Page Screenshot Clipper
* RSS Feed
* Save Image to Pinterest on Right Click
* Translate Selected Text with Google
* Translate Selected Text with Right Click
* Youtube Download

Note: There may be extensions with the same names that are not malicious.

Firefox joins Chrome and Edge as sleeper extensions spy on users Researchers found more sleeper browser extensions that spy on users and install backdoors, this time targeting Firefox users as well...

#News #Privacy #browser #extensions #DarkSpectre #GhostPoster
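
An added example, not part of the article or the research it cites: a defender-side check for the marker technique described above, which walks a PNG's chunks and reports any bytes stored after the image, and whether they follow the three-equals-signs marker. It assumes the payload is appended after the PNG's IEND chunk, which the article does not state; the function names and both sample files are constructed here.

```python
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # the article's example marker; other samples may use a different one


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # length + type + body + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk")


def inspect_png(data: bytes) -> dict:
    """Report bytes stored after the image and whether the marker precedes them."""
    trailing = data[png_end_offset(data):]
    at = trailing.find(MARKER)
    return {
        "trailing_bytes": len(trailing),
        "marker_found": at != -1,
        # Short preview for triage only; the bytes are never decoded or run.
        "preview": trailing[at + len(MARKER):][:32] if at != -1 else b"",
    }


def scan_bundle(root: str) -> dict:
    """Inspect every .png under an unpacked extension directory."""
    hits = {}
    for path in Path(root).rglob("*.png"):
        try:
            report = inspect_png(path.read_bytes())
        except ValueError as err:
            hits[str(path)] = {"error": str(err)}  # malformed icons deserve a look too
            continue
        if report["trailing_bytes"]:
            hits[str(path)] = report
    return hits


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed samples: a 1x1 grayscale PNG, and the same file with placeholder text appended.
CLEAN = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
         + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
TAMPERED = CLEAN + MARKER + b"/* constructed placeholder */"
```

The newer variants the article describes, which decode and decrypt payloads from arbitrary bundled images, will not carry a plain marker, so any trailing bytes or malformed chunk list in a bundled image is worth a manual review.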


Recommended Actions: Uninstall suspicious extensions, enforce allowlists, monitor browser data flows. If you used free VPN or AI extensions since 2025, assume compromise and reset credentials. #InfoSec #CyberHygiene #DarkSpectre #CyberSecurity #Privacy #AI #DataLeaks


Sleeper Agent / ShadyPanda. Sleeper extensions ran clean for 7 years before weaponized via silent updates. 8.8M users compromised worldwide. Audit permissions & remove generic “New Tab” or “Volume Booster.” #ShadyPanda #DarkSpectre #CyberThreats #CyberSecurity #Privacy #DataLeaks


Zoom Stealer / DarkSpectre. Over 2.2M users compromised: malicious extensions steal Zoom, Meet, and Webinar data in real time. Remove “New Tab,” “Emoji keyboard,” “Unlock Discord” immediately. #CyberSecurity #DarkSpectre #ZoomStealer #Privacy #DataLeaks


Zoom Stealer Extensions Harvest Meetings
Read More: buff.ly/U1mv1R1

#ZoomStealer #MaliciousExtensions #BrowserSecurity #CredentialHarvesting #ChinaLinkedAPT #DarkSpectre #ThreatResearch #AccountSecurity


DarkSpectre malware infects 8.8 million users via browser extensions Cybersecurity firm Koi uncovered DarkSpectre, a Chinese operation that connected multiple malicious campaigns through browser ex...

#News #Research #browser #darkspectre #Koi

“We call them DarkSpectre”: these productivity tools silently spied on millions of corporate meetings - Numerama On December 30, 2025, researchers at Koi Security published the findings of their latest investigation into the cybercriminal actor DarkSpectre. Identified several years ago, this Chinese actor...

“We call them #DarkSpectre”: these productivity tools silently spied on millions of corporate meetings
👉 #ZoomStealer collects, organizes and transmits sensitive data
www.numerama.com/cyberguerre/...

DarkSpectre Malware Campaign Infected 8.8 Million Chrome, Edge & Firefox Users DarkSpectre refers to three malware campaigns tied to malicious browser extensions, including 'sleeper' extensions that seem legit, but are not.

#DarkSpectre refers to three #malware campaigns tied to malicious browser #extensions, including 'sleeper' extensions that seem legit, but are not.

hothardware.com/news/darkspe...


DarkSpectre Hackers Spread Malware to 8.8 Million Chrome, Edge, and Firefox Users A newly uncovered Chinese threat group, DarkSpectre, has been linked to one of the most widespread browser-extens...

#Chrome #Cyber #Security #News #DarkSpectre #hackers #malware


📰 “Zoom Stealer” Campaign Hits 2.2 Million Browser Users, Steals Corporate Meeting Data

👉 Read the full article here: ahmandonk.com/2025/12/31/zoom-stealer-...

#darkspectre #ekstensi #browser #keamanan #siber #zoom #stealer

Zoom Stealer browser extensions harvest corporate meeting intelligence A newly discovered campaign, which researchers call Zoom Stealer, is affecting 2.2 million Chrome, Firefox, and Microsoft Edge users through 18 extensions that collect online meeting-related data like URLs, IDs, topics, descriptions, and embedded passwords.

#ZoomStealer browser extensions harvest corporate meeting intelligence

www.bleepingcomputer.com/news/security/zoom-steal...

#cybersecurity #DarkSpectre


Laura Dark: 25 Years of Gothic Beauty Original Contributor Interview

www.gothicbeauty.com/2025/11/laur...

Photographer:
@lauradarkphoto.bsky.social

Models:
Angela Ryan

Fashion:
Dark Spectre
Atelier Gothique

#lauradark #gothicbeautymag #gothicbeauty #angelaryan #darkspectre #ateliergothique
