Zoom Stealer Campaign Targets Millions Through Malicious Browser Extensions

By Azhar Khan

Cybersecurity researchers have uncovered a large-scale malicious campaign dubbed Zoom Stealer, which has compromised more than 2.2 million browser users through malicious browser extensions. The operation is attributed to a China-based threat actor tracked as DarkSpectre, a group previously associated with expansive espionage and malware-driven data harvesting campaigns.

Malicious Extensions as the Infection Vector

The Zoom Stealer campaign relies on trojanized browser extensions distributed through unofficial marketplaces, deceptive download sites, and search engine manipulation. These extensions often masquerade as productivity tools, meeting assistants, or browser enhancements designed to improve video conferencing workflows.

Once installed, the extensions request broad permissions that allow them to access browser activity, stored credentials, cookies, and session data. This level of access enables attackers to quietly operate in the background without triggering visible security alerts for most users.

Harvesting Zoom and Browser-Based Meeting Data

The primary objective of Zoom Stealer is the collection of sensitive meeting-related information. This includes Zoom meeting IDs, passcodes, participant lists, chat metadata, and in some cases authentication tokens associated with enterprise collaboration platforms.

By extracting this data directly from browser sessions, the attackers can gain insight into internal meetings, corporate communications, and operational schedules. Researchers warn that such information can be used for follow-on espionage, social engineering, or targeted intrusion campaigns.

Beyond Zoom: Broader Credential and Session Theft

In addition to Zoom-specific data, the malicious extensions are capable of harvesting a wide range of browser-stored information. This includes saved login credentials, session cookies, browsing history, and form data associated with cloud services, email platforms, and internal enterprise portals.

This expanded data collection significantly increases the value of the stolen information and enables attackers to pivot into other systems using stolen sessions rather than traditional credential-based attacks.

Attribution to DarkSpectre

The campaign has been linked to the China-based threat actor DarkSpectre based on infrastructure overlap, malware code similarities, and command-and-control patterns observed in previous operations. DarkSpectre is known for conducting large-scale surveillance and data collection campaigns that prioritize long-term intelligence gathering over immediate financial gain.

The scale of the Zoom Stealer campaign aligns with the group’s historical focus on mass data harvesting and strategic intelligence collection.

Scale and Global Reach

Telemetry data indicates that more than 2.2 million browser users may have been exposed to the malicious extensions, with infections spanning multiple regions and industries. Both individual users and enterprise environments appear to be affected, particularly where browser extension policies are loosely enforced.

Researchers note that the true number of victims could be higher, as many infected users may be unaware that their browser activity is being monitored.

Stealth and Persistence Techniques

Zoom Stealer extensions are designed to blend into normal browser behavior. They avoid aggressive actions that might trigger detection and communicate with remote servers using encrypted channels that resemble legitimate web traffic.

Some variants also include update mechanisms that allow attackers to modify functionality over time, adding new data collection modules or adapting to changes in browser security controls.

Defensive Measures and Risk Mitigation

Security experts advise organizations and individuals to review installed browser extensions and remove any that are unnecessary or sourced from untrusted developers. Enforcing strict extension allowlists, limiting the permissions extensions are granted, and monitoring for anomalous browser behavior are critical defensive steps.

Enterprises are also encouraged to deploy endpoint monitoring capable of detecting unusual data exfiltration patterns originating from browser processes.
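The review and allowlisting steps above can be turned into a repeatable audit. The script below is an added example written for this article, not code from the researchers or any vendor: it reads extension manifests, compares each extension ID against an allowlist, and flags the permission classes the campaign is described as abusing (cookie, request and tab access, broad host patterns, and a non-store update URL for the self-updating variants). The permission names and the Chrome Web Store update endpoint are real Chromium values; the sample manifests, extension IDs and allowlist are constructed, and which permissions count as high risk is this example's policy choice.

```python
"""Audit Chromium extension manifests against an allowlist and a high-risk
permission policy. Added example; sample data below is constructed."""
import json
import os
from dataclasses import dataclass
from typing import List, Optional

# Real Chromium manifest permission names; treating them as high risk is a
# policy choice for this example, not a statement about specific malware.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "tabs", "history",
    "webNavigation", "scripting", "debugger", "nativeMessaging", "management",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Update endpoint used by extensions installed from the Chrome Web Store.
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


@dataclass
class Finding:
    ext_id: str
    name: str
    allowlisted: bool
    risky_permissions: List[str]
    broad_hosts: List[str]
    nonstore_update_url: Optional[str]

    @property
    def verdict(self) -> str:
        # Allowlisted IDs are trusted by policy; everything else is judged on
        # what it asks for and where it updates from.
        if self.allowlisted:
            return "allowed"
        if self.risky_permissions or self.broad_hosts or self.nonstore_update_url:
            return "block"
        return "review"


def _host_patterns(manifest: dict) -> set:
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return hosts


def audit_manifest(ext_id: str, manifest: dict, allowlist: set) -> Finding:
    perms = set(manifest.get("permissions", []))
    update_url = manifest.get("update_url")
    return Finding(
        ext_id=ext_id,
        name=manifest.get("name", "<unnamed>"),
        allowlisted=ext_id in allowlist,
        risky_permissions=sorted(perms & HIGH_RISK_PERMISSIONS),
        broad_hosts=sorted(_host_patterns(manifest) & BROAD_HOST_PATTERNS),
        nonstore_update_url=update_url if update_url and update_url != STORE_UPDATE_URL else None,
    )


def audit_profile(profile_dir: str, allowlist: set) -> List[Finding]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (Chromium on-disk layout)."""
    findings: List[Finding] = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return findings
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            path = os.path.join(id_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    findings.append(audit_manifest(ext_id, json.load(fh), allowlist))
    return findings


# Constructed sample manifests and IDs (placeholders, not real extensions).
SAMPLE_MANIFESTS = {
    "a" * 32: {"manifest_version": 3, "name": "Approved Meeting Notes",
               "permissions": ["storage"], "host_permissions": ["https://meetings.example.com/*"],
               "update_url": STORE_UPDATE_URL},
    "b" * 32: {"manifest_version": 2, "name": "Meeting Assistant Pro",
               "permissions": ["cookies", "webRequest", "storage", "<all_urls>"],
               "update_url": "https://updates.example.invalid/crx"},
    "c" * 32: {"manifest_version": 3, "name": "Tab Colour Picker",
               "permissions": ["storage", "activeTab"]},
}
SAMPLE_ALLOWLIST = {"a" * 32}


def run_demo() -> dict:
    """Return {extension_id: verdict} for the constructed samples."""
    return {eid: audit_manifest(eid, m, SAMPLE_ALLOWLIST).verdict for eid, m in SAMPLE_MANIFESTS.items()}


if __name__ == "__main__":
    for eid, m in SAMPLE_MANIFESTS.items():
        f = audit_manifest(eid, m, SAMPLE_ALLOWLIST)
        print(f"{f.verdict:8} {f.name!r} risky={f.risky_permissions} hosts={f.broad_hosts} update={f.nonstore_update_url}")
```

Run it against a real profile with `audit_profile("/path/to/Chrome/Default", allowlist)` to list every installed extension's verdict; on a managed fleet the allowlist should mirror the `ExtensionInstallAllowlist` policy so that the script catches anything that slipped past it.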

Implications for Enterprise Collaboration Security

The Zoom Stealer campaign highlights the growing risk posed by browser-based threats targeting collaboration platforms. As remote work and virtual meetings remain central to business operations, attackers are increasingly focusing on tools that provide insight into organizational decision-making and internal communications.

This shift underscores the need to treat browsers as high-risk assets rather than simple user applications.

Conclusion

The Zoom Stealer campaign represents one of the largest known abuses of malicious browser extensions to date, combining mass distribution with targeted intelligence collection. By exploiting trust in browser ecosystems and collaboration tools, DarkSpectre has demonstrated how low-friction attack vectors can yield high-value intelligence at scale. The campaign serves as a warning that browser security and extension governance are now critical components of modern cyber defense.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.