Malware, used by 1 actor

The Zoom Stealer

The Zoom Stealer is a malicious browser-extension campaign, also described as part of DarkSpectre activity, that targeted Chrome, Microsoft Edge, and Mozilla Firefox users through 18 extensions and reportedly impacted about 2.2 million users. The extensions impersonated or mimicked enterprise videoconferencing and related tools, including Zoom, Google Meet, and GoTo Webinar, and requested access to more than 28 videoconferencing platforms such as Cisco WebEx, Microsoft Teams, ON24, and Demio.

Its core capability was real-time collection and exfiltration of corporate meeting intelligence: meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, registration status, participant lists, and webinar speaker or host details such as names, titles, bios, profile photos, company affiliations, logos, promotional graphics, and session metadata. Researchers reported exfiltration over persistent WebSocket connections, with infrastructure including webinarstvus.cloudfunctions.net, a Firebase Realtime Database at zoocorder.firebaseio.com, and Zoomcorder.com as a public-facing front.

Extensions explicitly identified in the campaign include:

- Chrome Audio Capture (kfokdmfpdnokpmpbjhjbcabgligoelgp)
- ZED: Zoom Easy Downloader (pdadlkbckhinonakkfkdaadceojbekep)
- Zoom.us Always Show "Join From Web" (aedgpiecagcpmehhelbibfbgpfiafdkm)
- Edge Audio Capture (mhjdjckeljinofckdibjiojbdpapoecj)
- Firefox add-on Twiter X Video Downloader ({7536027f-96fb-4762-9e02-fdfaedd3bfb5})
- Firefox add-on x-video-downloader (xtwitterdownloader@benimaddonum.com)

Some of the Firefox samples were published by the account invaliddejavu.
Koi Security attributed the campaign to the same threat actor behind the ShadyPanda and GhostPoster extension operations and assessed it as linked to a Chinese threat actor based on Alibaba Cloud-hosted C2 infrastructure, ICP registrations tied to Chinese provinces including Hubei, Chinese-language code artifacts, and fraud activity targeting Chinese e-commerce platforms such as JD.com and Taobao. Researchers characterized the operation as corporate-espionage infrastructure and systematic collection of corporate meeting intelligence that could support espionage, data resale, social engineering, and impersonation operations.
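The indicators above (extension IDs and exfiltration domains) are the practical hunting surface for a defender. The script below is an added example, not code from Mallory, Koi Security or The Hacker News. It takes an extension inventory (one record per host, browser and extension ID) and proxy or WebSocket egress log lines, flags anything matching the named indicators, and applies the broad videoconferencing-permission footprint the writeup describes as a triage filter for unknown extensions. The inventory records, log line format and manifest are constructed sample data, and the mapping from platform names to domains (for example GoTo Webinar to gotowebinar.com) is an assumption made here.

```python
"""Hunt for The Zoom Stealer indicators in an extension inventory and egress logs."""
import re

# Extension IDs named in the writeup above (Chrome/Edge store IDs and Firefox add-on IDs).
EXTENSION_IOCS = {
    "kfokdmfpdnokpmpbjhjbcabgligoelgp": "Chrome Audio Capture",
    "pdadlkbckhinonakkfkdaadceojbekep": "ZED: Zoom Easy Downloader",
    "aedgpiecagcpmehhelbibfbgpfiafdkm": 'Zoom.us Always Show "Join From Web"',
    "mhjdjckeljinofckdibjiojbdpapoecj": "Edge Audio Capture",
    "{7536027f-96fb-4762-9e02-fdfaedd3bfb5}": "Twiter X Video Downloader",
    "xtwitterdownloader@benimaddonum.com": "x-video-downloader",
}

# Exfiltration and front-end infrastructure named in the writeup.
DOMAIN_IOCS = {
    "webinarstvus.cloudfunctions.net",
    "zoocorder.firebaseio.com",
    "zoomcorder.com",
}

# Assumed domain names for the conferencing platforms the writeup lists. Used only
# for the broad-permission heuristic below, not as indicators of compromise.
CONFERENCING_HOSTS = (
    "zoom.us", "meet.google.com", "gotowebinar.com", "webex.com",
    "teams.microsoft.com", "on24.com", "demio.com",
)


def match_installed_extensions(inventory):
    """Return inventory records whose extension ID is a known indicator.

    Each record is a dict with 'host', 'browser' and 'id'. IDs are compared
    case-insensitively because Firefox GUIDs are sometimes reported upper-cased.
    """
    hits = []
    for rec in inventory:
        name = EXTENSION_IOCS.get(rec["id"].strip().lower())
        if name is not None:
            hits.append({**rec, "name": name})
    return hits


def host_matches_ioc(host):
    """True if host equals an IOC domain or is a subdomain of one (never a mere suffix)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAIN_IOCS)


# Pull hostnames out of proxy fields like host=..., and out of ws(s):// or http(s):// URLs.
HOST_RE = re.compile(r"(?:host=|wss?://|https?://)([A-Za-z0-9.-]+)")


def scan_egress_log(lines):
    """Return (line_number, host) for every log line that contacts IOC infrastructure."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            if host_matches_ioc(m.group(1)):
                hits.append((n, m.group(1).lower()))
                break
    return hits


def conferencing_platforms_requested(manifest):
    """Conferencing platforms an extension manifest asks for host access to.

    A large set is not proof of compromise, but it is the permission footprint
    the writeup describes and a useful triage filter for unknown extensions.
    """
    perms = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    matched = {h for p in perms for h in CONFERENCING_HOSTS if h in p.lower()}
    return sorted(matched)


# Constructed sample data (not real telemetry).
SAMPLE_INVENTORY = [
    {"host": "wks-017", "browser": "chrome", "id": "pdadlkbckhinonakkfkdaadceojbekep"},
    {"host": "wks-017", "browser": "chrome", "id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {"host": "wks-042", "browser": "firefox", "id": "{7536027F-96FB-4762-9E02-FDFAEDD3BFB5}"},
]
SAMPLE_LOG = [
    "2025-06-01T09:12:03Z src=10.20.3.17 method=CONNECT host=zoocorder.firebaseio.com:443 status=200",
    "2025-06-01T09:12:05Z src=10.20.3.17 method=GET url=wss://webinarstvus.cloudfunctions.net/ws status=101",
    "2025-06-01T09:13:00Z src=10.20.3.18 method=GET url=https://zoom.us/j/123 status=200",
    "2025-06-01T09:14:00Z src=10.20.3.19 method=GET url=https://notzoomcorder.com/ status=200",
]
SAMPLE_MANIFEST = {
    "name": "Example Meeting Helper",
    "host_permissions": ["*://*.zoom.us/*", "*://meet.google.com/*", "*://*.webex.com/*", "*://*.on24.com/*"],
}

if __name__ == "__main__":
    for hit in match_installed_extensions(SAMPLE_INVENTORY):
        print(f"[extension] {hit['host']} {hit['browser']} {hit['id']} -> {hit['name']}")
    for n, host in scan_egress_log(SAMPLE_LOG):
        print(f"[egress] line {n}: {host}")
    print("[manifest]", conferencing_platforms_requested(SAMPLE_MANIFEST))
```

The domain check deliberately requires an exact match or a dotted subdomain, so a look-alike such as notzoomcorder.com is not flagged; extension IDs are lowercased before lookup so upper-cased Firefox GUIDs from some inventory tools still match.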


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

DarkSpectre

"The most recent discovery, The Zoom Stealer, is the third such campaign from DarkSpectre, employing a set of 18 extensions across Chrome, Edge, and Firefox for facilitating corporate intelligence by collecting online meeting-related data like meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration status."

via The Hacker News (thehackernews.com)