DarkSpectre
February 4, 2026
Anatomy of the Attack
DarkSpectre, a Chinese state-sponsored threat actor, maintains persistent access to enterprise environments by weaponizing legitimate browser extensions after establishing a trusted user base. Analysts currently categorize the actor as an emerging strategic threat due to its recent shift from traditional data theft toward supply chain interdiction within the semiconductor and aerospace sectors. By targeting software development environments, the actor achieves a level of access that bypasses standard perimeter defenses.
Researchers designate DarkSpectre as a Chinese state-sponsored threat operation that unifies three distinct operational clusters. The ShadyPanda, GhostPoster, and Zoom Stealer campaigns represent different stages of activity that researchers unmasked separately before consolidating them under the DarkSpectre name.
The Sleeper Strategy
In late 2025, Koi Security unmasked a sophisticated cyber operation that compromised an estimated 8.8 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox. This campaign utilizes a sleeper agent strategy where the actor deploys benign browser extensions that function as advertised for years. This approach allows the extensions to build a massive, trusted user base and earn official Verified badges from web stores. Once the extensions reach a critical mass of installations, the actor pushes a malicious update that weaponizes the software for data theft, corporate espionage, and affiliate fraud.
Operational Pillars
The DarkSpectre group operates through three primary sub-campaigns tailored for specific demographics and objectives. While each pillar serves a different functional purpose, all three utilize shared command and control infrastructure on Alibaba Cloud and common evasion techniques.
An operational pillar is a permanent division within a cyberattack group that stays in place even after individual attacks end. These pillars act as specialized units that focus on specific tools or targets. While a campaign is a short-term attack wave, a pillar provides the long-term organization, shared infrastructure, and leadership for the group. Security researchers identify these separate pillars and group them under a single name like DarkSpectre to better track the overall threat. DarkSpectre is affiliated with three distinct pillars to date: ShadyPanda, GhostPoster, and "The Zoom Stealer".
- ShadyPanda represents the largest functional pillar, affecting approximately 5.6 million users. Its primary objective involves monetization through affiliate link hijacking and search fraud. When a user visits a legitimate e-commerce site, the extension replaces the organic link with an attacker-controlled affiliate link, allowing the actor to steal commissions from legitimate marketing partners.
- GhostPoster is a specialized pillar that exploits the Mozilla Firefox ecosystem through utility-based extensions and VPN tools. This pillar focuses on click fraud and user tracking by injecting malicious JavaScript into the browser to monitor activity and simulate ad clicks. This activity generates fraudulent ad revenue while slowing down the victim's browsing experience.
- The Zoom Stealer presents the most dangerous threat due to its focus on corporate intelligence. It consists of 18 extensions, including Chrome Audio Capture, which has over 800,000 installations. This cluster scrapes the browser Document Object Model (DOM) in real time during active calls on platforms like Zoom, Microsoft Teams, and Webex to exfiltrate meeting IDs, passwords, participant bios, and company affiliations.
Strategic Evasion and Detection
A hallmark of this campaign is the use of 72-hour logic bombs (MITRE ATT&CK T1497.003) to ensure malicious code only runs after initial store review windows close. Researchers also observe DarkSpectre shifting toward supply chain interdiction (MITRE ATT&CK T1195.002), targeting software development environments to compromise systems at the source.
The threat actor maintains access through the weaponization of legitimate, high-install-base extensions that bypass standard perimeter defenses. Identifying these threats requires deep protocol analysis to differentiate legitimate network use from attacker misuse. The network provides a critical vantage point because exfiltration often occurs within the browser session where standard firewall alerts may miss the signal.
Network Detection and Response: Defense Against DarkSpectre
Traditional security tools such as firewalls, endpoint detection and response (EDR), and SIEMs often struggle to counter the stealth and persistence of sophisticated actors like DarkSpectre. These tools frequently rely on logs or agents that adversaries can bypass or disable by leveraging the trusted nature of browser extension processes. The ExtraHop RevealX network detection and response (NDR) platform addresses these challenges by providing a real-time view of activity across the entire attack surface.
- Continuous Network Visibility: RevealX passively monitors all network traffic and provides a real-time record of activity without requiring agents on every device. This approach identifies DarkSpectre activities such as malicious browser extensions (MITRE ATT&CK T1176.001) on unmanaged devices or unmonitored browser sessions where EDR cannot be installed.
- Identifying Anomalous Behaviors: Detection requires identifying subtle deviations from baseline behavior because DarkSpectre utilizes sleeper extensions that function legitimately for years. RevealX utilizes machine learning to detect unusual protocol usage even when connections appear legitimate, surfacing indicators of supply chain compromise.
- Detecting Persistence and Command and Control: The platform identifies services running on non-standard ports and detects suspicious outbound connections. This includes identifying DarkSpectre-attributed covert communication channels that use persistent WebSockets to maintain heartbeats with Alibaba Cloud C2 infrastructure. When DarkSpectre attempts to stream stolen intelligence or exfiltrate meeting credentials, the resulting data exfiltration activity (MITRE ATT&CK T1041) provides a clear signal.
- Forensics and Response Integration: Continuous network recording allows security teams to trace the entire path of an attacker and determine the full scope of a compromise. RevealX integrates with other platforms to enrich alerts with network context, enabling teams to respond to exfiltration over C2 (MITRE ATT&CK T1041) with precision.
DarkSpectre TTPs and ExtraHop Detections
The following table maps the behaviors shared across the DarkSpectre pillars to the MITRE ATT&CK framework and corresponding network detections.
Remediation and Defense
Defending against DarkSpectre requires a layered security strategy that addresses both network activity and endpoint hygiene. Security teams can disrupt command and control (MITRE ATT&CK T1071.001) and Exfiltration Over C2 (MITRE ATT&CK T1041) by monitoring for outbound WebSocket traffic directed toward Alibaba Cloud (AS45102). Implementing active TLS inspection on video conferencing join pages allows network detection tools to identify the exfiltration of sensitive metadata collected from the local system (MITRE ATT&CK T1005).
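As an added illustration of the heartbeat signal described above (this is not code from the post or from any ExtraHop product), the following Python script scores constructed WebSocket frame records by timing regularity and destination ASN. The sample addresses, the thresholds, and the assumption that one record per frame is available are all made up for the example.

```python
"""Flag long-lived WebSocket sessions that beacon at a regular cadence to
Alibaba Cloud (AS45102), the C2 heartbeat pattern attributed to DarkSpectre."""
from collections import defaultdict
from statistics import mean, pstdev

ALIBABA_ASN = 45102

# Constructed sample records, one per WebSocket frame seen on the wire.
# Fields: epoch seconds, client, server, destination ASN. Values are made up.
SAMPLE_FRAMES = """\
1000 10.0.0.5 203.0.113.10 45102
1060 10.0.0.5 203.0.113.10 45102
1120 10.0.0.5 203.0.113.10 45102
1180 10.0.0.5 203.0.113.10 45102
1240 10.0.0.5 203.0.113.10 45102
1000 10.0.0.7 198.51.100.20 15169
1003 10.0.0.7 198.51.100.20 15169
1090 10.0.0.7 198.51.100.20 15169
1091 10.0.0.7 198.51.100.20 15169
1400 10.0.0.7 198.51.100.20 15169
"""


def parse_frames(text):
    """Parse the whitespace-separated sample format into tuples."""
    frames = []
    for line in text.splitlines():
        ts, client, server, asn = line.split()
        frames.append((int(ts), client, server, int(asn)))
    return frames


def find_heartbeats(frames, min_frames=4, max_cv=0.2, watch_asn=ALIBABA_ASN):
    """Return sessions to `watch_asn` whose frame timing looks like a heartbeat.

    A session qualifies when it has at least `min_frames` frames and the
    coefficient of variation (stdev / mean) of the inter-frame gaps is at most
    `max_cv`. Interactive browsing is bursty and produces a high CV; a timer
    driven beacon produces a CV near zero.
    """
    by_session = defaultdict(list)
    for ts, client, server, asn in frames:
        by_session[(client, server, asn)].append(ts)
    hits = []
    for (client, server, asn), stamps in by_session.items():
        if asn != watch_asn or len(stamps) < min_frames:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append({"client": client, "server": server,
                         "period_s": round(avg, 1), "frames": len(stamps)})
    return hits
```

Tune `max_cv` and `min_frames` against a baseline of known-good WebSocket traffic before alerting on production flows.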
On the endpoint, defenders should sweep for established indicators of compromise (IOCs) such as the developer ID charliesmithbons. Identified by Koi Security, this ID is linked to a malicious Google Translate extension in the Opera browser marketplace that, despite having nearly one million installations, has been weaponized as a "sleeper agent" for the campaign's GhostPoster pillar. To evade initial behavioral analysis and automated sandboxes, this extension utilizes a 72-hour logic bomb (MITRE ATT&CK T1497.003) that remains dormant for three days post-installation. Organizations should immediately identify and remove the “New Tab - Customized Dashboard” extension to mitigate this threat.
To prevent the silent weaponization of future sleeper agents, high-value units should transition to an allow-list-only model (MITRE ATT&CK T1176) for browser add-ons. Administrators can enforce these controls via Microsoft Intune or Group Policy to block unauthorized installations, while conducting regular audits of extension permissions and ownership to ensure benign tools have not been repurposed via server-side updates.
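An added example, not part of the post or of any vendor tool, of the permission audit recommended here: it reads Chromium-style extension manifests from a profile directory, compares the installed ids against an allow-list, and flags permissions that grant page-wide read or rewrite access. The extension ids and names are constructed, and the set of permissions treated as broad is an assumption.

```python
"""Audit installed Chrome/Edge extension manifests against an allow-list and
flag broad permissions, for the periodic audits the post recommends."""
import json
from pathlib import Path

# Permissions that let an extension read or rewrite arbitrary pages, the
# capability the link-hijacking and DOM-scraping pillars depend on (assumed set).
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                     "scripting", "tabs", "declarativeNetRequest"}


def load_manifests(profile_dir):
    """Map extension id -> manifest dict for a Chromium profile directory.

    Chromium stores unpacked extensions as Extensions/<id>/<version>/manifest.json.
    """
    manifests = {}
    for manifest_path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = manifest_path.parents[1].name
        manifests[ext_id] = json.loads(manifest_path.read_text(encoding="utf-8"))
    return manifests


def audit(manifests, allowlist):
    """Return findings as (ext_id, name, reason) tuples.

    An extension is reported when its id is not on `allowlist` and, separately,
    when it holds any permission in BROAD_PERMISSIONS, so an allow-listed tool
    that gained broad access through a server-side update still surfaces.
    """
    findings = []
    for ext_id, manifest in manifests.items():
        name = manifest.get("name", "?")
        if ext_id not in allowlist:
            findings.append((ext_id, name, "not on allow-list"))
        granted = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        broad = sorted(granted & BROAD_PERMISSIONS)
        if broad:
            findings.append((ext_id, name, "broad permissions: " + ", ".join(broad)))
    return findings


# Constructed sample manifests; ids and names are made up for illustration.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Approved Password Manager",
        "permissions": ["storage"], "host_permissions": ["https://vault.example/*"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Unvetted Tab Utility",
        "permissions": ["tabs", "scripting", "storage"], "host_permissions": ["<all_urls>"]},
}
SAMPLE_ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
```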
Because DarkSpectre employs evasion techniques specifically designed to bypass endpoint-based logging and perimeter controls, maintaining a sustainable security posture requires a network-centric approach. Integrating NDR into the security stack provides the necessary visibility into east-west traffic and lateral movement that other tools frequently obscure. This methodology allows for the objective identification of post-compromise activity through high-fidelity protocol analysis and machine learning.
By leveraging deep fluency in more than 90 protocols to accurately decode traffic, the platform identifies threats hiding in encrypted flows at speeds up to 100 Gbps. The system further strengthens defenses by identifying and hashing small executable files under 10 MB across HTTP, FTP, and SMB, offering a definitive record of network behavior that remains independent of potentially compromised host agents.
ExtraHop Can Help - Learn More
The network provides a strong vantage point for stopping modern sleeper threats. ExtraHop NDR provides the comprehensive security intelligence that legacy tools miss, offering the clarity required to surface threats hidden in east-west traffic. Organizations can gain a critical advantage by seeing how ExtraHop NDR protects their security teams.
Ready to see how ExtraHop NDR gives your security team the critical advantage?
- Request a Personalized Demo: This demonstration shows how ExtraHop detects the specific TTPs that actors like DarkSpectre use.
- Run a Security Assessment: An NDR assessment challenges the visibility of a current security stack.
Visit our request page to schedule your personalized demo and security assessment.