Threat Profile: DarkSpectre (The “Zoom Stealer” Campaign)
DarkSpectre is a sophisticated, China-linked threat actor that has been quietly operating a massive corporate espionage campaign now estimated to have compromised over 2.2 million users. While researchers initially dubbed the campaign “Zoom Stealer,” new analysis reveals a far broader scope: the group is harvesting sensitive intelligence from all major video conferencing platforms, including Microsoft Teams, Google Meet, and Cisco WebEx.
Researchers link DarkSpectre to previously documented operations known as GhostPoster and ShadyPanda. However, this campaign marks a strategic shift from simple fraud to long-term corporate espionage, utilizing “sleeper” browser extensions to build detailed dossiers on internal corporate activities.
Victimology & Affected Platforms
The campaign does not exploit software vulnerabilities in the meeting platforms themselves; rather, it abuses the user’s browser to scrape data from the web interfaces of these services.
- Affected Platforms:
  - Zoom
  - Microsoft Teams
  - Google Meet
  - Cisco WebEx
  - ON24
- Scale: 2.2 million compromised users across Chrome, Firefox, and Microsoft Edge.
- Stolen Intelligence:
  - Meeting URLs & IDs: Including “Join” links with embedded authentication tokens.
  - Participant Data: Full names, email addresses, and speaker bios scraped from sidebars.
  - Operational Intel: Meeting topics, schedules, and internal corporate branding.
  - Embedded Passwords: Passcodes visible in invite links or meeting descriptions.
Tactics, Techniques, and Procedures (TTPs)
1. Initial Access: The “Sleeper” Extension Flotilla
DarkSpectre operates a network of at least 18 malicious extensions. To maintain a low profile, these extensions are fully functional and often receive “Verified” badges. They masquerade as productivity tools, audio recorders, or social media utilities.
- Key Vectors:
  - “Chrome Audio Capture” (The most prolific vector with ~800k installs).
  - “Twitter X Video Downloader” (A primary entry point).
  - “Simple Meeting Timer” & “Auto-Admit” tools.
- Permissions: These tools request broad permissions (e.g., “Read and change all your data on websites you visit”), which users grant because it seems necessary for the extension’s advertised function.
2. Execution: DOM Scraping & Injection
Once a user navigates to a target domain (e.g., teams.microsoft.com or zoom.us), the extension injects a malicious content script.
- DOM Parsing: The script silently monitors the Document Object Model (DOM). It waits for specific elements to load—such as the “Invite Participants” modal or the “Meeting Details” pane—and scrapes the text fields.
- Stealth: The harvesting occurs in the background, often milliseconds after the page renders, making it invisible to the user.
3. Exfiltration: Real-Time WebSockets
The group eschews noisy HTTP POST requests in favor of a stealthier exfiltration method.
- Protocol: Captured data is streamed via WebSockets (`wss://`). This persistent connection allows for real-time exfiltration of meeting data as it appears on screen.
- Infrastructure:
  - Destination: Data is pushed to Firebase Realtime Database instances (`*.firebaseio.com`).
  - Relay Domains: Traffic is often proxied through legitimate-looking domains like `zoomcorder.com` to evade DNS filtering.
  - Attribution: Backend infrastructure is hosted on Alibaba Cloud (Hubei Province, China), and source code contains comments in Simplified Chinese.
Indicators of Compromise (IOCs)
Malicious Extension IDs (Partial List)
- Note: Check your browser inventory for these names immediately.
- Chrome Audio Capture
- Twitter X Video Downloader
- Zoom Auto-Joiner
- Simple Meeting Timer
Network Indicators
- C2 Domain: `zoomcorder.com`
- Traffic Pattern: High-volume WebSocket (`wss://`) connections originating from browser extension processes (not main tabs) to Firebase subdomains.
- Timing: Exfiltration spikes correlate with Chinese Standard Time (CST) business hours.
Behavioral Indicators
- Permissions Mismatch: A “Twitter Downloader” extension requesting host permissions for `*.zoom.us` or `*.webex.com`.
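As an added defender-side check (not code from the original profile or from any of the extensions it names), the Python script below audits extension manifests for the permissions mismatch described above: host patterns covering the meeting platforms in this profile, or patterns that grant access to every site. The sample manifests are constructed, and meet.google.com is an assumed host not named on the page.

```python
import json
from pathlib import Path

# Meeting-platform hosts named in the profile; meet.google.com is an added assumption.
MEETING_HOSTS = ("zoom.us", "teams.microsoft.com", "webex.com", "meet.google.com")
# Match patterns that amount to "Read and change all your data on websites you visit".
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def _requested_patterns(manifest: dict) -> set[str]:
    """Every match pattern requested: MV2 'permissions', MV3 'host_permissions', content scripts."""
    pats = set()
    for key in ("permissions", "host_permissions"):
        pats.update(p for p in manifest.get(key, []) if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        pats.update(cs.get("matches", []))
    return pats

def audit_manifest(manifest: dict) -> list[str]:
    """Return the host patterns worth a second look; an empty list means nothing to flag."""
    flagged = []
    for pat in sorted(_requested_patterns(manifest)):
        # '*://*.zoom.us/*' -> '*.zoom.us' -> 'zoom.us'; '*://*/*' -> '*' -> ''
        bare = pat.split("://", 1)[-1].split("/", 1)[0].lstrip("*.")
        if pat in BROAD_PATTERNS or bare == "":
            flagged.append(f"{pat} (access to all sites)")
        elif any(h == bare or h.endswith("." + bare) for h in MEETING_HOSTS):
            flagged.append(f"{pat} (meeting platform)")
    return flagged

def audit_directory(ext_root: str) -> dict[str, list[str]]:
    """Audit <profile>/Extensions/<id>/<version>/manifest.json under a Chromium profile, keyed by id."""
    results = {}
    for mf in Path(ext_root).glob("*/*/manifest.json"):
        findings = audit_manifest(json.loads(mf.read_text(encoding="utf-8")))
        if findings:
            results[mf.parent.parent.name] = findings
    return results

# Constructed sample manifests (not real extensions' files) mirroring the mismatch described above.
SAMPLE_MANIFESTS = {
    "Twitter X Video Downloader": {"manifest_version": 3,
        "host_permissions": ["*://*.twitter.com/*", "*://*.zoom.us/*", "*://*.webex.com/*"],
        "content_scripts": [{"matches": ["*://teams.microsoft.com/*"], "js": ["cs.js"]}]},
    "Simple Meeting Timer": {"manifest_version": 3, "host_permissions": ["<all_urls>"]},
    "Tab Color Picker": {"manifest_version": 3, "permissions": ["storage"]},
}

def audit_samples() -> dict[str, list[str]]:
    """Run the audit over the constructed samples; only the two mismatched extensions come back."""
    return {n: f for n, m in SAMPLE_MANIFESTS.items() if (f := audit_manifest(m))}
```

Point `audit_directory` at a profile's Extensions folder to run the same check against installed extensions; a hit is a lead for the inventory review the IOC section asks for, not proof of compromise on its own.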