NEWS Immediately remove these extensions from Chrome and Edge if you don't want to lose access to your bank accounts.

ExcalibuR

Check your browser for "sleeping" DarkSpectre agents.

A hacker group operating under the name DarkSpectre has been systematically infecting computers of Chrome, Edge, and Firefox users for seven years. According to Koi Security, their victims include over 8.8 million unique devices. The large-scale operation involved three separate campaigns and was characterized by a high level of coordination and resource availability.

The investigation revealed that behind the ShadyPanda, Zoom Stealer, and GhostPoster campaigns, despite their different focuses—from stealing user data to corporate espionage—lies the same criminal organization. In total, over a hundred extensions were used, distributed through official browser stores. The attackers skillfully combined legitimate features, such as displaying weather or creating new tabs, with malicious activity that went unnoticed by most inspection systems.

Experts focused on the ShadyPanda infrastructure and discovered that two domains used for the real functions of the extensions—infinitynewtab.com and infinitytab.com—simultaneously communicated with servers controlling malicious activity. These domains became the key to linking the seemingly disparate campaigns into a single chain.

Particularly alarming is how long the attackers maintained "sleeping" extensions in browsers without any malicious payload. In some cases, the malicious code activated a week after installation. Furthermore, the malicious activity was triggered only in some instances—approximately one in ten site visits—which significantly reduced the likelihood of detection.
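A defender-side check for the two domains named above, as an added example that is not part of the original post or of Koi Security's tooling. It assumes the Chrome/Edge on-disk layout `<Extensions dir>/<extension id>/<version>/manifest.json` and that an affected extension's files contain these domain strings; the function names are hypothetical.

```python
import json
import re
import sys
from pathlib import Path

# Domains the post names as ShadyPanda infrastructure.
INDICATOR_DOMAINS = ("infinitynewtab.com", "infinitytab.com")
PATTERN = re.compile("|".join(map(re.escape, INDICATOR_DOMAINS)), re.IGNORECASE)
TEXT_SUFFIXES = {".js", ".json", ".html", ".htm"}

def scan_extension(version_dir):
    """Scan one unpacked extension version; return a finding dict or None."""
    version_dir = Path(version_dir)
    try:
        manifest = json.loads((version_dir / "manifest.json").read_text("utf-8-sig"))
    except (OSError, ValueError):
        return None  # unreadable or malformed manifest: nothing to attribute hits to
    if not isinstance(manifest, dict):
        return None
    hits = {}
    for path in sorted(version_dir.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text("utf-8", errors="replace")
        except OSError:
            continue
        found = sorted({m.lower() for m in PATTERN.findall(text)})
        if found:
            hits[path.relative_to(version_dir).as_posix()] = found
    if not hits:
        return None
    return {"name": manifest.get("name"), "version": manifest.get("version"),
            "permissions": manifest.get("permissions", []), "hits": hits}

def scan_extensions_root(root):
    """Assumed layout: <root>/<extension id>/<version>/manifest.json."""
    findings = []
    for manifest_path in sorted(Path(root).glob("*/*/manifest.json")):
        finding = scan_extension(manifest_path.parent)
        if finding:
            finding["id"] = manifest_path.parent.parent.name
            findings.append(finding)
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: scan.py <path to a profile's Extensions directory>")
    for f in scan_extensions_root(sys.argv[1]):
        print(f"{f['id']}  {f['name']} {f['version']}  {f['hits']}")
```

A match flags an extension for manual review and removal. An empty result only means these two domains were not found, since the post describes over a hundred extensions and names just two domains.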
 