On January 2, 2026, cybersecurity researchers at Koi Security published an important alert after identifying a vast malicious data collection campaign carried out through browser extensions. This operation, called Zoom Stealer, mainly affects Google Chrome, Mozilla Firefox, and Microsoft Edge, and targets users of video conferencing platforms like Zoom, Microsoft Teams, and Google Meet.
The extensions are presented as legitimate and useful (for example, audio capture or video download tools), but they require extended permissions and extract meeting information as soon as the user interacts with registration pages or video conferencing interfaces.
Malicious extensions work under the guise of real functionality but incorporate data collection code that activates in the background. In particular, they capture:
All of this data is then transmitted via WebSocket connections to an infrastructure controlled by cybercriminals, allowing for real-time or later use.
The Zoom Stealer campaign is connected to a group of cybercriminals called DarkSpectre, which is already involved in other malicious extension campaigns like ShadyPanda and GhostPoster. Together, these operations are reported to have affected approximately 8.8 million users over several years.
According to experts, the objective has evolved from the theft of consumer data to a corporate espionage infrastructure focused on business intelligence. Access to meeting information can facilitate social engineering attacks, identity theft, and intrusions into confidential calls.
The impact of this cyber threat goes beyond the simple theft of personal data or access to public meetings. For organizations, risks include:
The sophistication of this campaign demonstrates how seemingly benign vectors can be used for real cybercriminal intelligence operations.
Faced with this threat, several best practices are essential to reduce risks:
For businesses, implementing extension management policies and integrating advanced filtering solutions are priority steps.
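One way to support such an extension management policy, shown as an added example that is not taken from Koi Security's report: a Node.js audit that flags extension manifests whose host access or content scripts cover video conferencing pages. The domain list, function names, and sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag extension manifests whose host access covers meeting pages.
// MEETING_DOMAINS is an assumption (well-known hosts of the three platforms).
const MEETING_DOMAINS = ["zoom.us", "teams.microsoft.com", "meet.google.com"];

const under = (host, domain) => host === domain || host.endsWith("." + domain);

// True if a WebExtension match pattern can cover pages on `domain`.
function patternTouchesDomain(pattern, domain) {
  if (pattern === "<all_urls>") return true;
  const m = /^(?:\*|https?|wss?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false; // API permission such as "tabs", or a non-web scheme
  const host = m[1];
  if (host === "*") return true;
  const wildcard = host.startsWith("*.");
  const base = wildcard ? host.slice(2) : host;
  // Pattern names the domain or one of its subdomains, or a wildcard parent covers it.
  return under(base, domain) || (wildcard && under(domain, base));
}

function auditManifest(manifest) {
  // Manifest V3 lists hosts in host_permissions; V2 mixes them into permissions.
  const granted = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const findings = [];
  for (const domain of MEETING_DOMAINS) {
    for (const [source, patterns] of [["host access", granted], ["content script", injected]]) {
      const hits = patterns.filter((p) => patternTouchesDomain(p, domain));
      if (hits.length) findings.push({ domain, source, patterns: hits });
    }
  }
  return { name: manifest.name, flagged: findings.length > 0, findings };
}

// Constructed sample manifests, not real extensions.
const SAMPLES = [
  { name: "Sample Audio Capture", manifest_version: 3, permissions: ["storage", "tabs"],
    host_permissions: ["*://*.zoom.us/*", "https://teams.microsoft.com/*"],
    content_scripts: [{ matches: ["https://meet.google.com/*"], js: ["cs.js"] }] },
  { name: "Sample Notes", manifest_version: 3, permissions: ["storage"],
    host_permissions: ["https://notes.example/*"] },
  { name: "Sample Downloader", manifest_version: 2, permissions: ["<all_urls>", "downloads"] },
];

for (const r of SAMPLES.map(auditManifest)) {
  console.log(r.name, r.flagged ? "REVIEW" : "ok", JSON.stringify(r.findings));
}
```

A flag means the extension can read those pages and should be checked against the organization's allowlist; it does not by itself mean the extension is malicious.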
Because the data collected can facilitate internal espionage, targeted phishing attacks, and illegal access to confidential meetings.
Meeting links, IDs, built-in passwords, session metadata, speaker profiles, and corporate information.
Typical signs include unusual slowdowns, new extensions installed without your consent, or security alerts. A scan with an up-to-date antivirus or a tool for detecting malicious extensions can confirm the infection.
Yes, but the main impact is for businesses. Individuals using Zoom, Teams, or Meet may have their personal meeting data exposed if a malicious extension is installed.