DarkSpecture’s Zoom Stealer: How a Silent Browser Extension Campaign Spied on Private Meetings

Executive Summary

A threat campaign tracked internally as DarkSpecture’s Zoom Stealer was identified after unusual outbound traffic and credential access patterns were detected on systems used for virtual meetings. The campaign abuses malicious browser extensions masquerading as productivity or meeting-enhancement tools to silently collect private Zoom meeting data, including meeting links, IDs, passcodes, participant details, and in some cases authentication tokens.

This was not a direct compromise of Zoom infrastructure. Instead, attackers exploited over-permissioned browser extensions installed by users, allowing them to siphon meeting data directly from the browser environment where Zoom sessions were accessed.

The impact is primarily data exposure, not service disruption. However, the stolen information enables meeting hijacking, corporate espionage, social engineering, and follow-on credential theft.


What Happened

Employees across multiple organizations installed what appeared to be legitimate browser extensions promising features like:

  • Zoom meeting enhancements
  • Calendar auto-join helpers
  • Meeting transcription or note-taking
  • Productivity overlays for video calls

Once installed, these extensions quietly monitored browser activity related to Zoom meetings and sent sensitive information back to attacker-controlled servers.

Users continued working normally, unaware that meeting data was being harvested in the background.


How the Attack Worked

1. Initial Access Vector

Primary entry point:
Malicious browser extensions installed via:

  • Fake listings on official extension stores
  • Look-alike websites mimicking productivity tools
  • Phishing emails promoting “Zoom utilities”
  • Direct messages on Slack/Teams encouraging installation

No exploit or software vulnerability was required. The attack relied on user trust and permission abuse.


2. Extension Capabilities Abused

The malicious extensions requested permissions such as:

  • tabs
  • webRequest
  • webRequestBlocking
  • cookies
  • storage
  • identity
  • https://*.zoom[.]us/*

Once granted, the extension could:

  • Read Zoom meeting URLs from every open tab (tabs permission)
  • Capture meeting IDs and passcodes from URLs and from DOM elements on zoom.us pages
  • Access browser cookies for Zoom sessions (cookies permission combined with the zoom.us host permission)
  • Monitor keystrokes entered into Zoom web interfaces
  • Scrape participant names and email addresses from meeting pages

Two details matter when reviewing a manifest like this. The DOM scraping and keystroke capture do not come from the API permissions listed above; they come from a content script injected into pages matching the zoom.us host permission, so a host pattern on a meeting platform deserves as much scrutiny as the cookies or tabs permission. And webRequestBlocking is a Manifest V2 permission (Manifest V3 replaced it with declarativeNetRequest), which dates the extension and is itself a review flag.
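
The permission review described above can be scored mechanically. The following is an added example, not code from the report or from the extensions it describes: a Node.js script that takes an extension's manifest.json (Manifest V2 or V3), flags the API permissions and host patterns the campaign abused, notes content scripts aimed at meeting pages, and rates the combination. The two sample manifests are constructed, and the risk thresholds and the benign contrast case are assumptions for illustration.

```javascript
// Added example (not from the original report): score a browser-extension
// manifest against the permission set the campaign abused. Handles MV2 and
// MV3 manifests. Risk thresholds are hypothetical; tune to your environment.

// API permissions the report lists, with the reason each one is sensitive.
const RISKY_PERMISSIONS = {
  tabs: "can read the URL and title of every open tab (meeting links, IDs, passcodes in the query string)",
  webRequest: "can observe request metadata for every matched host",
  webRequestBlocking: "MV2-only: can intercept and modify requests in flight",
  cookies: "can read session cookies for any host it has host permission on",
  storage: "local staging area for harvested data before exfiltration",
  identity: "can request OAuth tokens for the signed-in browser account",
};

// Host patterns that indicate interest in the meeting platform named in the report.
const MEETING_HOST_PATTERNS = [/(^|[./])zoom\.us(\/|$)/i];

// MV2 mixes host patterns into `permissions`; MV3 separates them into `host_permissions`.
function hostPermissions(manifest) {
  const all = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return all.filter((p) => p.includes("://") || p === "<all_urls>");
}

function apiPermissions(manifest) {
  return (manifest.permissions || []).filter((p) => !p.includes("://") && p !== "<all_urls>");
}

// Content scripts matching meeting pages are what make DOM and keystroke capture possible.
function meetingContentScripts(manifest) {
  return (manifest.content_scripts || []).filter((cs) =>
    (cs.matches || []).some((m) => m === "<all_urls>" || MEETING_HOST_PATTERNS.some((re) => re.test(m))));
}

function assessManifest(manifest) {
  const findings = [];
  for (const p of apiPermissions(manifest)) {
    if (RISKY_PERMISSIONS[p]) findings.push(`permission "${p}": ${RISKY_PERMISSIONS[p]}`);
  }
  const meetingHosts = hostPermissions(manifest).filter(
    (h) => h === "<all_urls>" || MEETING_HOST_PATTERNS.some((re) => re.test(h)));
  if (meetingHosts.length) findings.push(`host access to meeting platform: ${meetingHosts.join(", ")}`);
  if (meetingContentScripts(manifest).length) {
    findings.push("content script injected into meeting pages (DOM and keystroke capture possible)");
  }
  // The report's pattern: meeting-host access combined with cookies or tabs is
  // what turns a "helper" into a stealer, so that combination rates highest.
  const perms = new Set(apiPermissions(manifest));
  const canReadSessions = meetingHosts.length > 0 && (perms.has("cookies") || perms.has("tabs"));
  let risk = "low";
  if (canReadSessions) risk = "high";
  else if (findings.length >= 2) risk = "medium";
  return { risk, findings };
}

// Constructed sample resembling what the report describes (not a real extension's manifest).
const SUSPICIOUS_MANIFEST = {
  manifest_version: 2,
  name: "Zoom Meeting Booster",
  version: "1.4.2",
  permissions: ["tabs", "webRequest", "webRequestBlocking", "cookies", "storage", "identity", "https://*.zoom.us/*"],
  content_scripts: [{ matches: ["https://*.zoom.us/*"], js: ["inject.js"] }],
  background: { scripts: ["bg.js"], persistent: true },
};

// Constructed benign contrast case: storage only, no host access, no content scripts.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Quick Notes",
  version: "2.0.0",
  permissions: ["storage"],
  action: { default_popup: "popup.html" },
};

for (const m of [SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]) {
  const result = assessManifest(m);
  console.log(`${m.name}: ${result.risk}`);
  for (const f of result.findings) console.log(`  - ${f}`);
}
```

The same function works on already-installed extensions: Chrome keeps each installed extension's manifest under extensions.settings.<id>.manifest in the profile's Preferences / Secure Preferences file, so a hunt for the extension IDs in the IOC section and this permission review can run over one data source.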

3. Data Collection & Exfiltration

Collected data was staged locally and exfiltrated via:

  • HTTPS POST requests to attacker-controlled domains
  • Base64-encoded JSON payloads
  • Exfil triggered on:
    • Meeting join
    • Meeting end
    • Browser close

Typical exfiltrated fields included:

  • Meeting ID
  • Meeting password
  • Host email
  • Participant list
  • Meeting topic/title
  • Start/end timestamps
  • Browser user agent
  • Extension ID and version

4. Payloads and Malware Usage

No traditional executable malware was dropped.

Payload type:

  • JavaScript-based browser extension logic

Persistence mechanism:

  • Browser extension auto-start on browser launch

Command and Control (C2):

  • Hardcoded HTTPS endpoints
  • Backup domains embedded in obfuscated JavaScript

Vulnerabilities Exploited

  • No Zoom vulnerability was exploited
  • No browser zero-day was used

This campaign abused:

  • Excessive browser extension permissions
  • Lack of user review of permission prompts
  • Inadequate extension vetting in stores
  • Absence of extension allow-listing in enterprises

Impacted Data

Data Type                    Exposure Risk
Zoom meeting IDs             High
Meeting passcodes            High
Meeting URLs                 High
Participant names/emails     Medium
Host identity                Medium
Browser session metadata     Low

Impacted Industries & Organizations

The campaign disproportionately affected organizations with heavy Zoom usage, including:

  • Technology companies
  • Financial services
  • Consulting firms
  • Healthcare organizations
  • Legal firms
  • Education institutions
  • Government contractors

Any organization allowing unrestricted browser extension installation is at risk.


Indicators of Compromise (IOCs)

Malicious Domains

zoom-sync[.]live
api-zoomdata[.]com
meet-log[.]net
z-capture[.]io
cloudmeet-storage[.]org

Suspicious IP Addresses

185.231.125[.]77
45.142.213[.]19
91.214.124[.]88

Malicious Extension IDs (Chrome-based)

fdpohaokaefnljpjkdcmdlhhddmmlkfo
njmcbjhlkcknndgkfpjblcfkmjhjhene

File & Artifact Indicators

  • LocalStorage keys:
    • zoom_meeting_cache
    • zSyncPayload
  • Browser IndexedDB entries containing meetingMeta
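
The indicators above and the exfiltration format described in section 3 can be put to work in one triage step. The following is an added example, not code from the report: it refangs the IOC list, runs constructed proxy log lines against the domains and IP addresses (including subdomains of an IOC domain), and decodes the Base64-encoded JSON bodies of matching POST requests, redacting the passcode and checking whether the reported extension ID is one of the IOC IDs. The JSON key names are assumptions (the report lists what the fields mean, not how they are named), and the log format, timestamps and payload values are constructed.

```javascript
// Added example (not from the original report): IOC matching and exfil-body
// triage. Indicators are copied from the report in defanged form; the log
// lines and payload below are constructed for illustration.

const IOC_DOMAINS = ["zoom-sync[.]live", "api-zoomdata[.]com", "meet-log[.]net", "z-capture[.]io", "cloudmeet-storage[.]org"];
const IOC_IPS = ["185.231.125[.]77", "45.142.213[.]19", "91.214.124[.]88"];
const IOC_EXTENSION_IDS = ["fdpohaokaefnljpjkdcmdlhhddmmlkfo", "njmcbjhlkcknndgkfpjblcfkmjhjhene"];

// Turn "[.]" (and "hxxp") back into live form so indicators compare against log data.
function refang(indicator) {
  return indicator.replace(/\[\.\]/g, ".").replace(/hxxp/gi, "http");
}

const DOMAIN_SET = new Set(IOC_DOMAINS.map(refang));
const IP_SET = new Set(IOC_IPS.map(refang));

// Exact match or any subdomain of an IOC domain; returns the matched IOC or null.
function matchesIocDomain(host) {
  const h = host.toLowerCase();
  for (const d of DOMAIN_SET) {
    if (h === d || h.endsWith("." + d)) return d;
  }
  return null;
}

// Hypothetical key names for the fields the report says are exfiltrated.
const EXPECTED_FIELDS = ["meeting_id", "meeting_password", "host_email", "participants",
  "topic", "start", "end", "user_agent", "extension_id", "extension_version"];

// Decode a Base64 JSON body; redact the passcode before it lands in a ticket.
function decodeExfilBody(body) {
  if (!/^[A-Za-z0-9+/=]+$/.test(body)) return { ok: false, reason: "not base64" };
  let payload;
  try {
    payload = JSON.parse(Buffer.from(body, "base64").toString("utf8"));
  } catch {
    return { ok: false, reason: "not JSON" };
  }
  if (typeof payload !== "object" || payload === null) return { ok: false, reason: "not an object" };
  const fields = Object.keys(payload);
  const record = { ...payload };
  if ("meeting_password" in record) record.meeting_password = "[REDACTED]";
  return {
    ok: true,
    fields,
    knownFieldCount: fields.filter((f) => EXPECTED_FIELDS.includes(f)).length,
    extensionIdIsIoc: IOC_EXTENSION_IDS.includes(payload.extension_id),
    record,
  };
}

// Constructed line format: "<timestamp> <src_ip> <method> <host> <path> [<body>]"
function triageProxyLine(line) {
  const [timestamp, srcIp, method, host, path, body] = line.trim().split(/\s+/);
  const iocDomain = matchesIocDomain(host);
  const iocIp = IP_SET.has(host) ? host : null;
  if (!iocDomain && !iocIp) return null;
  const decoded = method === "POST" && body ? decodeExfilBody(body) : null;
  return { timestamp, srcIp, method, host, path, iocDomain, iocIp, decoded };
}

function triageLog(lines) {
  return lines.map(triageProxyLine).filter(Boolean);
}

// Constructed payload with the hypothetical key names above.
const SAMPLE_PAYLOAD = {
  meeting_id: "83412345678", meeting_password: "k3Yp4ss", host_email: "host@example.com",
  participants: ["a.lee@example.com", "r.singh@example.com"], topic: "Q3 budget review",
  start: "2025-03-11T14:00:00Z", end: null, user_agent: "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0",
  extension_id: "fdpohaokaefnljpjkdcmdlhhddmmlkfo", extension_version: "1.4.2",
};
const SAMPLE_BODY = Buffer.from(JSON.stringify(SAMPLE_PAYLOAD)).toString("base64");

// Constructed proxy log: one exfil POST, one legitimate zoom.us join, one
// subdomain hit with an unrelated body, one POST straight to an IOC IP.
const SAMPLE_LOG = [
  `2025-03-11T14:02:11Z 10.20.30.41 POST zoom-sync.live /sync ${SAMPLE_BODY}`,
  "2025-03-11T14:02:12Z 10.20.30.41 GET zoom.us /j/83412345678",
  "2025-03-11T14:55:40Z 10.20.30.57 POST cdn.meet-log.net /collect eyJmb28iOjF9",
  "2025-03-11T15:01:02Z 10.20.30.41 POST 45.142.213.19 /upload",
];

for (const hit of triageLog(SAMPLE_LOG)) {
  console.log(`${hit.timestamp} ${hit.srcIp} -> ${hit.host}${hit.path} (IOC: ${hit.iocDomain || hit.iocIp})`);
  if (hit.decoded && hit.decoded.ok) console.log("  decoded:", JSON.stringify(hit.decoded.record));
}
```

Matching on subdomains matters because the report notes backup domains embedded in the extension's JavaScript; a collector moved to a new host under an already-listed domain should still fire. Decoding is deliberately tolerant, so a body that is not Base64 JSON is still reported as a hit on the destination alone.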

Detection Opportunities

Log Sources to Monitor

  • Browser extension installation logs
  • Endpoint web traffic logs
  • Proxy / firewall logs
  • DNS query logs
  • EDR browser telemetry
  • Identity logs for abnormal Zoom access

Splunk Detection Rules

Suspicious Zoom Data Exfiltration

index=proxy_logs
| eval zoom_hit=if(like(url, "%zoom.us%"), 1, 0)
| eval suspect_hit=if(like(dest_domain, "%.live") OR like(dest_domain, "%.io"), 1, 0)
| stats sum(zoom_hit) as zoom_hits, sum(suspect_hit) as suspect_hits, values(eval(if(suspect_hit=1, dest_domain, null()))) as suspect_domains by src_ip
| where zoom_hits > 0 AND suspect_hits > 10

The .live/.io heuristic casts a wide net and needs tuning per environment; it is a hunt, not an alert. The higher-fidelity form matches the IOC domains directly:

index=proxy_logs dest_domain IN ("zoom-sync.live", "api-zoomdata.com", "meet-log.net", "z-capture.io", "cloudmeet-storage.org")
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen, values(url) as urls by src_ip, dest_domain

Malicious Extension Network Behavior

index=network_logs http_method=POST
| where like(uri, "%/collect%") OR like(uri, "%/sync%")
| stats count, values(uri) as uris by src_ip, dest_domain, dest_ip, user_agent

Path keywords such as /collect and /sync are common in legitimate telemetry, so expect noise; grouping by dest_domain lets the results be checked against the IOC domains and against your allow-list of known SaaS endpoints.

Microsoft Sentinel (KQL) Rules

Browser-Based Zoom Data Exfiltration

DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe")
| where RemoteUrl has_any ("zoom-sync.live", "api-zoomdata.com", "meet-log.net", "z-capture.io", "cloudmeet-storage.org")
    or RemoteIP in ("185.231.125.77", "45.142.213.19", "91.214.124.88")
    or (RemoteUrl contains "zoom" and not(RemoteUrl contains "zoom.us") and RemoteUrl has_any ("sync", "collect", "upload"))
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP

The first two clauses are the IOC match. The third catches Zoom-themed look-alike domains not yet on the list while excluding the real zoom.us, so legitimate meetings joined from the browser do not fire.

Sideloaded Extension Launches

DeviceProcessEvents
| where FileName in~ ("chrome.exe", "msedge.exe")
| where ProcessCommandLine contains "--load-extension"
| summarize Launches = count(), FirstSeen = min(Timestamp) by DeviceName, AccountName, ProcessCommandLine

The --load-extension switch is on the browser's own command line, so the filter belongs on FileName rather than InitiatingProcessFileName (the parent, typically explorer.exe). This catches extensions side-loaded from disk, which bypass store vetting entirely; the store-installed extensions in this campaign will not appear here, so pair it with an extension inventory from browser management or EDR telemetry.

Mitigation & Remediation

Immediate Actions

  • Remove all identified malicious extensions from every browser profile, then block the extension IDs by policy so they cannot be reinstalled
  • Regenerate exposed meeting links and passcodes, including Personal Meeting IDs, and enable waiting rooms on recurring meetings whose details were harvested
  • Rotate affected user credentials and revoke active Zoom and browser sessions; a password change alone does not invalidate stolen session cookies or tokens
  • Review past meetings for sensitive exposure

Preventive Controls

  • Enforce browser extension allow-listing
  • Block unknown extension IDs via policy
  • Restrict Zoom access to managed devices
  • Monitor outbound HTTPS traffic from browsers
  • Educate users on extension permissions
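
Allow-listing and ID blocking are both expressed through the browser's ExtensionSettings policy, which Chrome and Edge share. The following is an added example, not from the report or from Zoom: it builds a policy that blocks every extension by default, marks the two extension IDs from the IOC section as removed (so existing installs are uninstalled, not just blocked), allows only an explicit approved list, and resolves what the policy does for a given ID the way the browser does, with a per-ID entry overriding the "*" default. The approved IDs are placeholders in valid ID format; the blocked permission list and the user-facing message are assumptions.

```javascript
// Added example (not from the original report): build a Chrome/Edge
// ExtensionSettings policy for allow-listing and IOC-based removal, and
// resolve its effect per extension ID (a per-ID entry overrides "*").

// Extension IDs from the report's IOC section.
const MALICIOUS_EXTENSION_IDS = ["fdpohaokaefnljpjkdcmdlhhddmmlkfo", "njmcbjhlkcknndgkfpjblcfkmjhjhene"];

// Hypothetical placeholders for IDs your organisation has reviewed and approved.
const APPROVED_EXTENSION_IDS = ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "abcdefghijklmnopabcdefghijklmnop"];

// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXTENSION_ID_RE = /^[a-p]{32}$/;

function assertExtensionId(id) {
  if (!EXTENSION_ID_RE.test(id)) throw new Error(`invalid extension id: ${id}`);
  return id;
}

function buildExtensionSettingsPolicy({ approved, malicious }) {
  const policy = {
    // Default for every extension not listed explicitly.
    "*": {
      installation_mode: "blocked",
      blocked_install_message: "Extensions must be approved by IT security. Submit the store link and permission list for review.",
      // Deny the APIs the campaign abused even to approved extensions unless a
      // per-ID entry re-allows them via allowed_permissions.
      blocked_permissions: ["cookies", "identity", "webRequest", "webRequestBlocking", "tabs"],
      // Keep extension content scripts and host access off meeting pages.
      runtime_blocked_hosts: ["*://*.zoom.us"],
    },
  };
  for (const id of approved) {
    policy[assertExtensionId(id)] = { installation_mode: "allowed" };
  }
  // Applied last so an ID that is on both lists ends up removed.
  for (const id of malicious) {
    // "removed" uninstalls an existing copy; "blocked" would only prevent new installs.
    policy[assertExtensionId(id)] = { installation_mode: "removed" };
  }
  return policy;
}

// Effective installation mode: explicit per-ID entry, else "*", else the
// browser's unmanaged default of allowing installs.
function resolveInstallationMode(policy, extensionId) {
  const entry = policy[extensionId] || policy["*"] || {};
  return entry.installation_mode || "allowed";
}

function isInstallable(policy, extensionId) {
  return ["allowed", "force_installed", "normal_installed"].includes(resolveInstallationMode(policy, extensionId));
}

// Shape of a managed-policy JSON file for Chrome on Linux; on Windows the same
// object is written as a JSON string into the ExtensionSettings registry value.
function policyFileJson(policy) {
  return JSON.stringify({ ExtensionSettings: policy }, null, 2);
}

const policy = buildExtensionSettingsPolicy({ approved: APPROVED_EXTENSION_IDS, malicious: MALICIOUS_EXTENSION_IDS });
console.log(policyFileJson(policy));
for (const id of [...MALICIOUS_EXTENSION_IDS, APPROVED_EXTENSION_IDS[0], "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"]) {
  console.log(`${id}: ${resolveInstallationMode(policy, id)}`);
}
```

On Linux the output goes into a file under /etc/opt/chrome/policies/managed/ (the Edge equivalent lives under /etc/opt/edge/policies/managed/); on Windows the policy is delivered through Group Policy or the HKLM\Software\Policies\Google\Chrome and HKLM\Software\Policies\Microsoft\Edge keys. Blocking tabs and cookies globally will break some legitimate extensions, so review each approved ID's manifest and grant exceptions per ID rather than loosening the "*" default.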

Final Takeaway

This campaign highlights a growing trend where attackers bypass traditional malware defenses by living entirely inside the browser. DarkSpecture’s Zoom Stealer did not rely on exploits or malware binaries. Instead, it weaponized trust, convenience, and poor visibility into browser activity.

The breach impact is subtle but dangerous: quiet loss of sensitive meeting intelligence that can fuel espionage, phishing, and follow-on attacks.

Organizations that treat browser extensions as harmless add-ons rather than executable code remain highly exposed to this attack class.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.