For more than seven years in a row, a large-scale cybercrime operation has managed to infiltrate the main browsers on the market, including Google Chrome and Microsoft Edge, through seemingly harmless extensions. The scope of the attack is so vast that at least 8.8 million users around the world are estimated to have been affected, many of them in Europe and Spain.
The investigation, led by cybersecurity specialists such as the firm Koi.ai, has uncovered a highly organized criminal network, dubbed DarkSpectre, which allegedly exploited trust in official extension stores to distribute malware. The most worrying aspect is that most of those affected had no suspicion that their bank details, credentials, or corporate information were being captured in the background.
A silent attack that exploited Chrome and Edge extensions
According to data revealed by researchers, DarkSpectre built a complex infrastructure to publish and maintain nearly 300 malicious extensions in the official Chrome, Edge, Firefox, and Opera stores. Many of these extensions were presented as ordinary everyday utilities: tab managers, translators, ad blockers, or productivity tools.
The trick was to offer legitimate features initially, gaining downloads and a good reputation backed by artificially generated positive reviews and ratings. Once the extensions reached a significant number of users, the attackers pushed covert updates that added the malicious code without the user noticing any obvious change in behavior.
In Chromium-based browsers such as Google Chrome and Microsoft Edge, a network of Trojan-horse extensions disguised as customization tools or ad blockers was detected. In at least one phase of the attack, 30 especially popular extensions were identified that could steal banking credentials, social media passwords, and autofill form data, sending all of it in real time to servers controlled by the cybercriminals.
In addition to data theft, several of these extensions included advertising injection and search redirection features. These allowed intrusive advertisements to be displayed and users to be redirected to phishing sites, multiplying the opportunities for fraud, including the impersonation of bank pages or payment services widely used in Spain and the rest of Europe.
More than 8.8 million victims and three major coordinated campaigns
The magnitude of the attack is reflected in the figures handled by intelligence services and cybersecurity companies: an estimated 8.8 million users worldwide have been impacted by the various campaigns associated with DarkSpectre. To achieve this, the group allegedly maintained three distinct lines of attack, known as ShadyPanda, GhostPoster and Zoom Stealer.
The ShadyPanda campaign was the most aggressive in terms of volume. Through more than 100 malicious extensions, primarily aimed at manipulating e-commerce traffic, it is believed to have compromised the data of approximately 5.6 million users. Once the hidden functions were activated, these extensions could modify links on shopping portals, redirect payments to fraudulent pages, or inject additional code to keep tracking user activity.
Experts point out that these maneuvers affected online stores and widely used payment services in the European Union, opening the door to cross-border financial fraud and potential regulatory compliance issues for platforms that did not detect traffic manipulation in time.
The second major offensive, called GhostPoster, had as its main targets the Firefox and Opera browsers, which had somewhat less stringent security controls than Chrome and Edge. Here the differentiating factor was the use of steganography: the attackers hid malicious JavaScript code inside PNG image files, allowing them to execute remote instructions and download new malware modules without raising suspicion.
One of the most striking examples was a clone of a Google Translate extension for Opera, which appeared to be a legitimate tool at first glance. Behind the scenes, however, it installed a backdoor using a hidden iframe, disabled the browser's anti-fraud protections, and established a connection with servers previously linked to other DarkSpectre operations, creating a permanent access channel to the victim's system.
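A defender-side check for the steganography technique described above, added here as an example (not code from the original article or from Koi.ai): it walks a PNG's chunk list and flags the places where foreign data typically hides, namely bytes appended after IEND, script-like text in text chunks, non-standard chunk types and CRC mismatches. The marker list and the constructed 1x1 sample image are assumptions for illustration.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a normal encoder emits; anything else deserves a closer look.
KNOWN = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "gAMA", "cHRM", "sRGB", "iCCP",
         "tEXt", "zTXt", "iTXt", "bKGD", "pHYs", "tIME", "sBIT", "hIST", "sPLT"}
# Byte sequences rare in pixel data but common in JavaScript (our own heuristic list).
SCRIPT_MARKERS = (b"function", b"eval(", b"document.", b"fetch(", b"chrome.", b"=>")


def chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only to construct samples)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(trailer: bytes = b"", text: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG, optionally with a tEXt chunk and bytes after IEND."""
    body = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))  # 1x1, 8-bit gray
    if text:
        body += chunk(b"tEXt", b"Comment\x00" + text)
    body += chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
    return PNG_SIG + body + trailer


def inspect_png(data: bytes) -> list:
    """Walk the chunk list and return human-readable findings (empty list = nothing odd)."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG signature"]
    findings, pos, saw_iend = [], len(PNG_SIG), False
    while pos + 12 <= len(data) and not saw_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            break
        payload = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        name = ctype.decode("latin-1")
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != stored_crc:
            findings.append(f"CRC mismatch in {name} at offset {pos}")  # bytes edited after encoding
        if name not in KNOWN:
            findings.append(f"non-standard chunk {name!r} at offset {pos}")
        if name in ("tEXt", "zTXt", "iTXt") and any(m in payload for m in SCRIPT_MARKERS):
            findings.append(f"script-like text in {name} chunk ({length} bytes)")
        pos += 12 + length
        saw_iend = name == "IEND"
    if saw_iend and pos < len(data):  # nothing past IEND is ever rendered, so why is it there?
        kind = "script-like" if any(m in data[pos:] for m in SCRIPT_MARKERS) else "opaque"
        findings.append(f"{len(data) - pos} {kind} bytes appended after IEND")
    return findings
```

Run it over the image assets shipped inside an extension package; a clean encoder output returns an empty list, and each finding names the offset so the bytes can be carved out for further analysis.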
Zoom Stealer: The leap into espionage in corporate video calls
The third phase of the attack, identified as Zoom Stealer, took a qualitative leap by focusing entirely on the business environment. By the end of 2025, researchers had detected at least 18 extensions specifically targeting videoconferencing platforms such as Zoom, Microsoft Teams and Google Meet, with an estimated impact on 2.2 million users.
These extensions were promoted as ideal companions for teleworking and remote meetings: they promised to summarize videos, save links of interest, generate participant lists, or produce an automatic summary of each session. A very attractive profile for Spanish and European companies that have consolidated hybrid and remote work in recent years.
After their installation, the tools began to intercept critical information from video calls: access links, meeting IDs, guest passwords and, in some cases, shared content or metadata related to presentations and documents discussed during the sessions.
With this data, the attackers were able to access private meetings, many of them high-level, and create repositories of professional and commercial intelligence with enormous strategic value. According to the sources consulted, internal communications regarding business plans, investment agreements, market strategies, and other matters highly sensitive to the competitiveness of the companies involved were compromised.
In parallel, Zoom Stealer took advantage of the broad permissions granted to extensions to carry out real-time credential exfiltration. This included corporate login credentials, access keys to cloud tools, and professional profiles that could then be reused in targeted attacks, such as highly customized phishing campaigns against employees of European organizations.
Impact on users and companies in Europe and Spain
The DarkSpectre case has highlighted the extent to which the chain of trust in extension stores can become a vulnerability for citizens and organizations. Although the attack had a global reach, European authorities and incident response teams in several countries, including Spain, are closely monitoring the impact on local users.
For individual users, the consequences translate into covert surveillance of their online activity, possible identity theft, unauthorized charges on online purchases, and leaks of personal data that could end up on clandestine forums. Many victims won't even realize they've been targeted, since most of the extensions appeared to function normally.
In the corporate sphere, the blow is even more serious. European companies that base a large part of their operations on cloud tools and videoconferencing face risks of industrial espionage, leaks of strategic agreements, and exposure of confidential information about clients, suppliers, and partners. Furthermore, companies may be required to report security incidents under regulations such as the General Data Protection Regulation (GDPR), taking on reputational costs and possible sanctions.
Preliminary reports suggest that the criminal network may have built genuine corporate data warehouses from information obtained through private conversations, documents shared in meetings, and unauthorized access to intranets or internal services. Such information is extremely valuable for sale on black markets, as well as for blackmail campaigns or unfair competition.
European authorities are collaborating with technology providers to improve detection systems in extension stores and to strengthen controls over the use of personal data. However, experts point out that no automated system is infallible and that the last line of defense remains the user and their security habits.
How to protect yourself after the massive cyberattack on Chrome and Edge
Faced with such a prolonged and sophisticated scenario, cybersecurity experts recommend a series of immediate measures to reduce the impact of the attack and prevent further infections, especially among Chrome and Edge users in Spain and the rest of Europe.
The first step is to carry out a full audit of the extensions installed in every browser. It is advisable to review them one by one and uninstall any add-on that isn't recognized, isn't used regularly, or doesn't come from a trusted developer. If in doubt, it is best to remove it and reinstall only from the official provider's source if absolutely necessary.
It is also essential to check that the browser is updated to the latest available version. Both Google and Microsoft have been incorporating patches to block some of the techniques used by DarkSpectre, so the most recent versions include specific improvements in the detection of suspicious behavior and in the management of extension permissions.
Regarding online accounts, it is recommended to change the passwords for critical services (email, online banking, social media, corporate tools) if there is any suspicion of having used a compromised extension. It's advisable to take this opportunity to use unique and strong passwords for each service, ideally with the help of a password manager.
Furthermore, specialists insist on activating two-factor authentication (2FA) whenever possible. This mechanism adds an extra layer of protection, so that even if an attacker obtains a password, it will be much more difficult for them to access the account without the temporary code or the second verification element.
Finally, for organizations that rely heavily on platforms like Zoom, Teams, or Google Meet, it is recommended to carry out periodic inspections of the extensions installed in corporate browsers, enforce security policies that limit the installation of unauthorized add-ons, and train employees to detect potential scams, both in extensions and in the emails or links that may accompany similar campaigns.
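As an added example of the extension audit and periodic inspection recommended above (not a tool from the article or from any browser vendor), the following Python walks a Chromium profile's Extensions folder, reads each manifest.json and scores it by the permissions and traits that let an extension read credentials, rewrite traffic or update itself from outside the store. The risk list and the profile paths in the comments are assumptions.

```python
import json
import os
from urllib.parse import urlparse

# Chromium profiles keep each installed extension under Extensions/<id>/<version>/manifest.json.
# Typical roots (assumed defaults): %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
# and %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions on Windows.
# Permissions that let an extension read or rewrite traffic on any site (our own triage list).
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies", "tabs", "scripting",
             "webNavigation", "declarativeNetRequest", "proxy", "debugger", "nativeMessaging"}
# Store-managed update hosts; any other host means the developer controls future code pushes.
OFFICIAL_UPDATE_HOSTS = ("clients2.google.com", "edge.microsoft.com")
ALL_PAGES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Summarise one manifest.json: which permissions and traits merit a closer look."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(manifest.get(key, []))
    risky = sorted(p for p in perms if p in HIGH_RISK or p in ALL_PAGES)
    notes = []
    update_url = manifest.get("update_url", "")
    if update_url and (urlparse(update_url).hostname or "") not in OFFICIAL_UPDATE_HOSTS:
        notes.append(f"updates fetched from non-store host: {update_url}")
    if any(set(cs.get("matches", [])) & ALL_PAGES for cs in manifest.get("content_scripts", [])):
        notes.append("content script injected into every page")
    if manifest.get("background") and {"webRequest", "cookies"} <= perms:
        notes.append("background code can read cookies and intercept requests")
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "risky_permissions": risky, "notes": notes, "score": len(risky) + 2 * len(notes)}


def scan_profile(root: str) -> list:
    """Audit every manifest.json under an Extensions directory, highest score first."""
    results = []
    for dirpath, _, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                report = audit_manifest(json.load(fh))
        except (OSError, ValueError) as exc:  # an unreadable manifest is itself a finding
            report = {"name": "?", "version": "?", "risky_permissions": [],
                      "notes": [f"unreadable manifest: {exc}"], "score": 99}
        report["path"] = dirpath
        results.append(report)
    return sorted(results, key=lambda r: r["score"], reverse=True)
```

A high score does not prove an extension is malicious, since ad blockers legitimately need broad permissions; it orders the list so the entries a reviewer should verify against the store listing come first.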
Everything discovered about DarkSpectre and its ShadyPanda, GhostPoster, and Zoom Stealer campaigns shows the extent to which browser extensions have become a priority target for cybercriminals. The combination of trust in official stores, useful features, and manipulated reviews has allowed them to sustain a silent attack for years with a huge impact on individual users and companies. This forces us to rethink how we install and manage these add-ons in our daily digital lives.