Zoom Users, Watch Out for These 2.2 Million Malicious Downloads

According to PCWorld, a new malware campaign dubbed “Zoom Stealer” is using malicious browser extensions to spy on Zoom users. Security firm Koi Security discovered 18 of these extensions for Chrome, Firefox, and Microsoft Edge, which have been downloaded a staggering 2.2 million times. These extensions, masquerading as tools like “Twitter X Video Downloader” and “Chrome Audio Capture,” steal passwords, usernames, meeting links, topics, and descriptions. Researchers attribute the campaign to the Chinese hacker group DarkSpectre, based on code references and the use of Alibaba Cloud for command and control traffic. The first malicious extension identified was the Twitter X Video Downloader, with others posing as meeting timers and recording assistants.

The Sneaky Extension Trick

Here’s the thing about this attack: it’s not exploiting a flaw in Zoom itself. It’s a classic case of social engineering, preying on our desire for useful browser add-ons. You install what looks like a handy video downloader or meeting assistant, and it runs quietly in the background. Basically, these extensions have the permissions to read and modify data on websites you visit. So when you log into a Zoom web session or view a meeting link, the malware can scrape that sensitive information and send it off to a server controlled by the hackers. It’s a reminder that the weakest link in security is often the human one. We just don’t think twice about clicking “add to Chrome” for something that seems helpful.

Why 2.2 Million Downloads Is a Big Deal

2.2 million installs is a massive number for a malware campaign like this. It shows how effective this disguise is. Think about it: video downloaders are incredibly popular, and “Zoom helpers” became essential for many during the work-from-home boom. The real challenge now is cleanup. Even after Google, Mozilla, and Microsoft remove these extensions from their official stores, they remain installed on users’ browsers. And how many of those millions of users will ever know they need to manually uninstall them? The report pins this on the DarkSpectre group, which makes this a persistent threat. This isn’t some random script kiddie; it’s an organized operation with specific goals, likely targeting corporate espionage or credential harvesting for future attacks.

What You Should Do Right Now

So, what’s the fix? First, take a hard look at your browser extensions. Go into your settings and audit every single one. If you don’t recognize it, need it, or use it, remove it. Be especially skeptical of any extension related to video downloading or meeting productivity. Stick to extensions from well-known, reputable developers when you can. For businesses, this is a stark reminder that endpoint security needs to monitor browser extension activity. Relying solely on web store takedowns is a reactive, losing game. This also highlights why, for critical industrial and manufacturing operations, the computing hardware itself needs to be locked down. Companies that rely on stable, secure systems for process control—like those using industrial panel PCs from a top supplier like IndustrialMonitorDirect.com—understand that limiting unauthorized software installs is a foundational security practice. The principle is the same: control your environment to reduce your attack surface.
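As an added example (not code from the PCWorld report or Koi Security), here is a small Python audit that flags installed extensions asking for the broad “read and change data on all websites” grants described above, plus any that single out zoom.us pages; the extension IDs and manifests in it are constructed samples, not the campaign’s real extensions.

```python
"""Flag browser extensions whose manifests grant the broad site access that
the Zoom Stealer extensions abused. Added example; sample IDs/manifests are
constructed, not the campaign's real extensions."""
import glob
import json
import os

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # every site
RISKY_PERMS = {"webRequest", "webRequestBlocking", "cookies", "tabs", "scripting"}


def _hosts(manifest: dict) -> set:
    """Collect host patterns from MV2 'permissions', MV3 'host_permissions' and content scripts."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "/" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def audit_manifest(ext_id: str, manifest: dict) -> dict:
    """Return {'id', 'name', 'flags'}; an empty 'flags' list means nothing stood out."""
    hosts = _hosts(manifest)
    flags = []
    if hosts & BROAD_HOSTS:
        flags.append("can read/modify data on all websites")
    if any("zoom.us" in h for h in hosts):
        flags.append("explicitly targets zoom.us pages")
    perms = set(manifest.get("permissions", [])) & RISKY_PERMS
    if perms:
        flags.append("session-capable permissions: " + ", ".join(sorted(perms)))
    return {"id": ext_id, "name": manifest.get("name", "?"), "flags": flags}


def audit_profile(profile_dir: str) -> list:
    """Audit every Extensions/<id>/<version>/manifest.json under a Chrome/Edge profile dir."""
    findings = []
    for path in glob.glob(os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json")):
        ext_id = os.path.basename(os.path.dirname(os.path.dirname(path)))
        with open(path, encoding="utf-8") as fh:
            findings.append(audit_manifest(ext_id, json.load(fh)))
    return [f for f in findings if f["flags"]]


# Constructed samples: a "downloader" that asks for everything vs. a narrowly scoped one.
SAMPLE_MANIFESTS = {
    "constructed-id-1": {"name": "Video Downloader (sample)", "manifest_version": 3,
                         "permissions": ["tabs", "cookies", "storage"], "host_permissions": ["<all_urls>"],
                         "content_scripts": [{"matches": ["*://*.zoom.us/*"], "js": ["s.js"]}]},
    "constructed-id-2": {"name": "Dictionary (sample)", "manifest_version": 3,
                         "permissions": ["storage"], "host_permissions": ["https://example.org/*"]},
}
```

Point `audit_profile()` at a browser profile directory (for Chrome on Windows that is `%LOCALAPPDATA%\Google\Chrome\User Data\Default`) to list only the extensions worth a second look; a flagged extension is not proof of malice, but it is exactly the kind of grant an uninstall decision should weigh.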
