China-linked threat actor DarkSpectre has moved to compromise 2.2 million Google Chrome, Mozilla Firefox, and Microsoft Edge users' online meeting-related information via 18 nefarious extensions as part of the new Zoom Stealer campaign, which follows its GhostPoster and ShadyPanda attacks, according to BleepingComputer.
Access to 28 video-conferencing platforms, including Zoom, Google Meet, and Microsoft Teams, have been obtained by the extensions, which include the widely used Chrome Audio Capture and Twitter X Video Downloader add-ons, to exfiltrate meeting URLs and IDs, registration statuses, speaker and host details, corporate logos, and session metadata through WebSocket connections, a report from Koi Security showed. Such information could then be leveraged to enable corporate espionage and subsequent social engineering intrusions.
"By systematically collecting meeting links, participant lists, and corporate intelligence across 2.2 million users, DarkSpectre has created a database that could power large-scale impersonation operations providing attackers with credentials to join confidential calls, participant lists to know who to impersonate, and context to make those impersonations convincing," said Koi Security.
Access to 28 video-conferencing platforms, including Zoom, Google Meet, and Microsoft Teams, have been obtained by the extensions, which include the widely used Chrome Audio Capture and Twitter X Video Downloader add-ons, to exfiltrate meeting URLs and IDs, registration statuses, speaker and host details, corporate logos, and session metadata through WebSocket connections, a report from Koi Security showed. Such information could then be leveraged to enable corporate espionage and subsequent social engineering intrusions.
"By systematically collecting meeting links, participant lists, and corporate intelligence across 2.2 million users, DarkSpectre has created a database that could power large-scale impersonation operations providing attackers with credentials to join confidential calls, participant lists to know who to impersonate, and context to make those impersonations convincing," said Koi Security.





