{
	"id": "c8f5336a-55e9-43d0-a328-521297393d4b",
	"created_at": "2026-04-06T00:21:49.849063Z",
	"updated_at": "2026-04-10T13:12:40.665083Z",
	"deleted_at": null,
	"sha1_hash": "5f95ace76755b99a8642bc1be82cd69a0a79ffe1",
	"title": "DarkSpectre: Unmasking the Threat Actor Behind 8.8 Million Infected Browsers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3292163,
	"plain_text": "DarkSpectre: Unmasking the Threat Actor Behind 8.8 Million\r\nInfected Browsers\r\nBy Tuval Admoni, Gal Hachamov\r\nArchived: 2026-04-02 10:58:41 UTC\r\nOver the past year, we've encountered hundreds, if not thousands, of malicious items across numerous\r\nmarketplaces. But this is the first time we've found a well-funded criminal organization responsible for several of\r\nthe largest and most sophisticated campaigns we've ever uncovered.\r\nWe're calling them DarkSpectre - a Chinese threat actor behind at least three major malware campaigns infecting\r\nover 8.8 million users in over 7 years of operation. And today, we are telling their story, along with uncovering\r\nanother DarkSpectre campaign affecting 2.2M users, and a new Opera browser extension with nearly 1 million\r\ninstalls tied to GhostPoster.\r\nThis isn't three separate threat actors running similar operations. This is one highly organized operation - and\r\nwhile tracking their infrastructure, we stumbled onto something new: a 2.2-million-user campaign stealing\r\ncorporate meeting intelligence that we're disclosing for the first time.\r\nWe're publishing this because organizations need to understand: the extension threat landscape isn't scattered\r\nopportunistic criminals. It's professional operations like DarkSpectre - patient, sophisticated, and operating at\r\nnation-state scale.\r\nThe Discovery Chain: How We Connected Three Campaigns to One Actor\r\nStarting Point: ShadyPanda\r\nAfter publishing our initial ShadyPanda investigation, we went back to expand our IOC research. We expected to\r\nfind a few more connected extensions. We found over 100.\r\nOur pivot points were two domains from the original investigation: infinitynewtab.com and infinitytab.com.\r\nHere's the clever part: these weren't C2 or exfiltration domains. They were legitimate sites powering the legitimate\r\nfunctionality of the extensions - new tab features, weather widgets, the stuff users actually wanted. 
But\r\nDarkSpectre reused these same \"clean\" domains across other extensions that connected to completely different\r\nmalicious C2 and exfiltration infrastructure. The legitimate side of their operation became the thread that tied\r\neverything together.\r\nFirst Expansion: New Clusters Emerge\r\nFrom these domains, we identified extensions communicating with this infrastructure. Digging into their code\r\nrevealed additional hardcoded domains, API endpoints, and redirect chains. Two new clusters emerged:\r\nhttps://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers\r\nPage 1 of 17\n\nThe jt2x.com cluster - Extensions using api.jt2x.com for C2 operations, configuration downloads, data\r\nexfiltration, and affiliate fraud schemes.\r\nThe zhuayuya.com / muo.cc cluster - A separate group using different domains but identical operational patterns.\r\nOne domain led to extensions. Those extensions revealed new domains. Those domains connected to more\r\nextensions. Some extensions led us to publishers with dozens of other extensions using entirely different\r\ninfrastructure. The network kept expanding: 100+ extensions across Chrome, Edge, and Firefox.\r\nThe GhostPoster Connection\r\nAmong the newly discovered extensions was \"New Tab - Customized Dashboard\" - a sophisticated time-bomb\r\nextension that waits 3 days before activating. Its C2 infrastructure caught our attention:\r\nWe went to flag these domains in our system. A popup alert appeared: \"These domains are already flagged as\r\nGhostPoster.\" liveupdt.com and dealctr.com - the exact same C2 domains we documented in our GhostPoster\r\ninvestigation, which infected 50,000 Firefox users through malicious PNG icons.\r\nSame infrastructure. Same payload delivery technique (code disguised as PNG files). Different marketplace. One\r\noperator.\r\nBut the GhostPoster connection didn't end there. 
A SOC team reached out to us after finding one of our IOCs in\r\ntheir environment. Their discovery led us to a new extension in the Opera browser marketplace: \"Google™\r\nTranslate\" by charliesmithbons - with almost 1 million installs.\r\nWe investigated and found the same malicious behavior as GhostPoster: the extension disguises itself as a\r\ntranslation tool but strips security protections from all websites, installs a hidden iframe backdoor for remote code\r\nexecution, and disables anti-fraud protections on Chinese e-commerce affiliate links. It communicates with\r\nmitarchive.info - a domain from the original GhostPoster campaign - and a new domain: gmzdaily.com.\r\nGoogle™ Translate in Opera addons marketplace\r\nThe Zoom Stealer Connection\r\nBut we weren't done. One extension appeared in our ShadyPanda expansion that didn't fit the pattern:\r\nTwitter X Video Downloader\r\nThis extension communicated with infinitynewtab.com - core ShadyPanda infrastructure. But when we analyzed\r\nits behavior, we found something unexpected: it wasn't just running data exfiltration and user surveillance. It was\r\nharvesting meeting intelligence from 28+ video conferencing platforms.\r\nFollowing this thread led us to 17 more extensions doing the same thing - a completely separate campaign we've\r\nnamed The Zoom Stealer. Its objective is building a searchable database of corporate meeting intelligence.\r\nDarkSpectre's Arsenal: Multiple Playbooks, One Actor\r\nWhat makes DarkSpectre dangerous isn't just their scale - it's their versatility. 
Three distinct playbooks for three\r\ndifferent objectives:\r\nPlaybook A: The Long Game (ShadyPanda)\r\nObjective: Mass surveillance + affiliate fraud at scale\r\nUpload legitimate extensions, maintain them for 3-5+ years, earn \"Featured\" and \"Verified\" badges, then\r\nweaponize the entire install base with a single update. Time-delayed activation, remote code injection,\r\nconfiguration-based C2. Some extensions ran clean for 5+ years before flipping.\r\nScale: 5.6M users across 100+ extensions on Chrome, Edge, and Firefox\r\nPlaybook B: The Trojan Image (GhostPoster)\r\nObjective: Stealthy payload delivery to Firefox users\r\nMalicious code hidden inside PNG icon files using steganography. The extension loads its own logo, extracts\r\nhidden JavaScript, executes it. Multi-stage loading with 48-hour delays and 10% activation probability. Same C2\r\ninfrastructure as ShadyPanda.\r\nScale: 1.05M users across 18 extensions in Firefox and Opera\r\nPlaybook C: Corporate Intelligence (The Zoom Stealer)\r\nObjective: Building a database of corporate meeting intelligence\r\nExtensions disguised as meeting productivity tools, requesting permissions for 28+ video conferencing platforms.\r\nReal-time WebSocket exfiltration of meeting links, credentials, participant lists, and speaker dossiers. This isn't\r\nconsumer fraud - this is corporate espionage infrastructure.\r\nScale: 2.2M users across 18 extensions on Chrome, Edge, and Firefox\r\nWhat Three Playbooks Tell Us\r\nOpportunistic criminals don't maintain this level of operational diversity. 
They find one thing that works and\r\nrepeat it until it stops working.\r\nDarkSpectre operates differently:\r\nParallel campaigns across all major browser platforms\r\nDistinct techniques adapted to each platform and objective\r\nLong-term infrastructure investment (7+ years of activity)\r\nEvolving objectives (from fraud to surveillance to corporate espionage)\r\nThis is organized. This is funded. This is strategic.\r\nCampaign Deep-Dive: The Zoom Stealer\r\nThe meeting intelligence operation - 2.2 million victims\r\nA Different Objective\r\nShadyPanda and GhostPoster focused on surveillance, affiliate fraud, and RCE backdoors - monetizing user data\r\nwhile maintaining persistent access. The Zoom Stealer represents something more targeted: systematic collection\r\nof corporate meeting intelligence.\r\nThe Discovery\r\nOne extension bridged the gap: Twitter X Video Downloader.\r\nThis extension communicated with infinitynewtab.com - core ShadyPanda infrastructure. But it was also\r\naccessing video conferencing platforms and harvesting meeting data. From this extension, we found another\r\nexfiltration domain used by all 18 extensions in this cluster.\r\nThe Extensions\r\nThese weren't obvious malware. They were functional tools that delivered real value:\r\nVideo downloaders (that worked)\r\nMeeting timers (that worked)\r\nAuto-admit helpers (that worked)\r\nRecording assistants (that worked)\r\nUsers got what was advertised. The extensions earned trust and positive reviews. 
Meanwhile, surveillance ran\r\nsilently in the background.\r\nOne extension stands out: Chrome Audio Capture with 800,000+ installations alone.\r\nChrome Audio Capture live in the marketplace\r\nThe Permission Tell\r\nRegardless of stated function, every Zoom Stealer extension requested access to 28+ video conferencing\r\nplatforms: Zoom, Microsoft Teams, Google Meet, Cisco WebEx, GoToWebinar, ON24, Demio, and 21+ more.\r\nA Twitter video downloader has no reason to access Zoom. A Google Meet timer has no reason to access WebEx.\r\nBut every extension in this campaign requested access to all of them.\r\nThe Data Collection Engine\r\nWhen you visit a webinar registration page with one of these extensions installed, the extension's content script\r\nsprings into action, scraping the page for every piece of valuable information - meeting URLs with embedded\r\npasswords, meeting IDs, topics, descriptions, scheduled times, and registration status:\r\nBut it doesn't stop at meeting details. The extensions systematically scrape professional information from\r\nwebinar speakers and hosts - names, titles, bios, profile photos, and company affiliations:\r\nFor every webinar you registered for, the extensions built a professional dossier of the speakers. Beyond the\r\npeople, they collected company logos, promotional graphics, and session timing - tracking whether registrations\r\nsucceeded or failed.\r\nReal-Time Exfiltration\r\nThe most alarming aspect wasn't just what data was collected - it was how it was transmitted. WebSocket\r\nConnection for Live Streaming.\r\nThese aren't extensions that check in periodically. They establish a persistent WebSocket connection that streams\r\nyour meeting activity in real-time. 
The moment you join a meeting, open a registration page, or navigate to a\r\nvideo conferencing platform, that data flows immediately to the attacker's server.\r\nWhat Do You Do With Meeting Intelligence?\r\nDarkSpectre now has 2.2 million users' worth of meeting data. What's it worth?\r\nCorporate Espionage: Competitors could purchase access to strategy meetings, product roadmap discussions,\r\nM\u0026A negotiations. The database has the actual join links.\r\nSales Intelligence: Knowing which companies attend which webinars reveals their interests, pain points, and\r\npurchasing timelines.\r\nSocial Engineering: Armed with speaker names, titles, bios, and photos, attackers craft highly convincing\r\nphishing campaigns. \"Hi, this is Sarah from the product roadmap webinar you attended...\"\r\nDirect Access: Selling meeting links to the highest bidder. Want to listen in on a competitor's earnings preview?\r\nThe Bigger Threat\r\nImpersonation attacks and corporate espionage have surged in recent years. This campaign appears to be building\r\nthe infrastructure to enable exactly these attacks at scale.\r\nBy systematically collecting meeting links, participant lists, and corporate intelligence across 2.2 million users,\r\nDarkSpectre has created a database that could power large-scale impersonation operations - providing attackers\r\nwith credentials to join confidential calls, participant lists to know who to impersonate, and context to make those\r\nimpersonations convincing.\r\nYour meeting links are valuable to competitors, threat actors, and nation-states. 
Yet the security model for\r\nprotecting them - trusting browser extensions with broad permissions - remains laughably weak.\r\nCampaign Deep-Dive: ShadyPanda\r\nThe flagship operation - 5.6 million victims\r\nThe Original Discovery\r\nOur initial ShadyPanda investigation uncovered a 7-year campaign infecting 4.3 million users. Extensions\r\npresented themselves as productivity tools - new tab pages, translators, tab managers - while operating as\r\ncomprehensive spyware.\r\nThe Expansion: 100+ Extensions\r\nGoing back to expand our IOC research, we discovered an additional 100+ extensions connected to the same\r\ninfrastructure, adding 1.3 million more victims.\r\nCurrent Threat Breakdown:\r\n9 actively malicious - stealing data, hijacking searches, running affiliate fraud right now\r\n85+ dormant sleepers - legitimate today, waiting for their weaponization update\r\nThe jt2x.com Cluster (4 Active Extensions)\r\nFour extensions currently communicating with api.jt2x.com for C2 operations. Two masquerade as translation\r\ntools, while the others present themselves as tab management utilities. 
Beneath these helpful facades lies a\r\nsophisticated affiliate fraud and data exfiltration operation.\r\nHow It Works:\r\nWhen you install one of these extensions, it immediately reaches out to download its malicious configuration:\r\nThe C2 server responds with a JSON payload that tells the extension exactly what to do:\r\nThis configuration-based approach means the operators can change the extension's behavior without pushing an\r\nupdate - they just modify what the server returns.\r\nWhat They're Doing:\r\nRemote Code Injection: Downloads and executes JavaScript from bcaicai.com on every website visited.\r\nOperators can change this code anytime - steal passwords, log keystrokes, inject fake payment forms - no\r\nextension update needed.\r\nPersistent Tracking: Generates device/user identifiers to track across sessions and build behavioral\r\nprofiles.\r\nSearch Hijacking: Monitors 9+ search engines, modifies result links to route through affiliate tracking.\r\nE-Commerce Fraud: Targets JD.com and Taobao with URL pattern matching, replacing legitimate links\r\nwith affiliate versions.\r\nThe Time Bomb: \"New Tab - Customized Dashboard\"\r\nThis extension demonstrates DarkSpectre's sophistication with time-delayed activation:\r\nWhen you submit an extension to Chrome or Edge, reviewers test it for malicious behavior. But they don't wait 3\r\ndays. This extension looks completely legitimate during the review period, passes all checks, gets approved, and\r\nonly then activates its malicious payload. Even better - it only activates on ~10% of page loads, making it even\r\nharder to catch in testing.\r\nThe code is also heavily obfuscated to evade static analysis. 
The extension hides eval() calls using string\r\nconcatenation and object property access:\r\nAfter the 3-day waiting period, the extension contacts its C2 infrastructure to download the actual malicious\r\npayload:\r\nThe server responds with ~67KB of encoded JavaScript disguised as a PNG image - the same technique and the\r\nsame domains used in GhostPoster. The extension decodes and executes this payload on every website you visit.\r\nNo extension update needed, no review process to bypass. The operators control what runs in your browser by\r\nupdating what their servers return.\r\nSo what's actually in that downloaded payload? Here's what the operators are currently running (though\r\nremember, they can change this at any time):\r\nPersistent Tracking: Every page you visit, every search you make, every link you click. A persistent user\r\nID stored in both local and sync storage survives even browser reinstalls.\r\nAffiliate Fraud: Targets Taobao and JD.com affiliate links, hijacking commissions through hidden\r\nredirects.\r\nThe entire payload is wrapped in multiple layers of obfuscation - custom encoding, XOR encryption, and packed\r\nJavaScript. Every part of this extension is designed to evade detection.\r\nWeTab: The Flagship Spyware\r\nWeTab remains the most comprehensive spyware in the ShadyPanda arsenal - full browsing history collection,\r\nsearch query logging, mouse click tracking with pixel-level precision, and personal data exfiltration to 17 different\r\ndomains (8 Baidu servers in China, 7 WeTab servers in China, and Google Analytics). It maintains twin presences\r\nin the Chrome marketplace with 300,000+ combined installations. Still active. 
Still collecting.\r\nThe 85+ Sleeper Extensions\r\nThese extensions have completed their trust-building phase:\r\nHundreds of thousands of combined installs\r\nYears of positive reviews\r\n\"Featured\" and \"Verified\" badges\r\nClean code (for now)\r\nActive user bases with complete trust\r\nBased on the established DarkSpectre playbook, any of these could flip malicious with the next update. The\r\noperators have demonstrated they'll wait 5+ years. They'll weaponize when it serves their strategic goals.\r\nAttribution: The Chinese Connection\r\nEverything we've uncovered points in one direction - a well-resourced Chinese operation:\r\nInfrastructure\r\nC2 servers consistently hosted on Alibaba Cloud infrastructure in China\r\nICP (Internet Content Provider) registrations linked to Chinese provinces, particularly Hubei\r\nCode Artifacts\r\nChinese language strings throughout the codebase\r\nChinese comments and variable names\r\nDevelopment patterns consistent with Chinese timezone activity\r\nTargeting\r\nAffiliate fraud schemes specifically designed for Chinese e-commerce platforms (JD.com, Taobao)\r\nURL pattern matching tuned to Chinese marketplace structures\r\nOperational Characteristics\r\nExtreme patience: Maintaining legitimate extensions for 5+ years before weaponization\r\nMulti-platform capability: Simultaneous operations across Chrome, Edge, and Firefox\r\nDiverse objectives: Consumer fraud, surveillance, and corporate espionage\r\nScale: 8.8M+ victims requires significant infrastructure investment\r\nWhat This Suggests\r\nThe combination of patience, scale, technical sophistication, and operational diversity points to an adversary with\r\nsubstantial resources and long-term strategic goals.\r\nWhether DarkSpectre 
is state-sponsored, state-adjacent, or a well-funded criminal organization with state\r\ntolerance, they operate at a level that most threat actors cannot sustain. The discipline to maintain dozens of\r\nlegitimate extensions for years - just waiting for the right moment to weaponize - requires funding, organization,\r\nand strategic vision.\r\nFinal Thoughts\r\nWe identified DarkSpectre because we had the infrastructure IOCs to pivot from. We could follow the\r\nbreadcrumbs from ShadyPanda to GhostPoster to The Zoom Stealer because they shared infrastructure.\r\nDarkSpectre likely has more infrastructure in place right now - extensions that look completely legitimate because\r\nthey are legitimate, for now. They're still in the trust-building phase, accumulating users, earning badges, waiting.\r\nOnly time will tell what else they've been preparing while we were uncovering these three operations.\r\nAnd DarkSpectre is just one group. How many other threat actors - Chinese, Russian, North Korean, or otherwise\r\n- are running similar long-term operations? In total, this group has almost 300+ extensions that we found across\r\nmultiple campaigns. The total number of sleeper extensions across all threat actors is unknowable.\r\nThe marketplace model checks extensions once at upload. DarkSpectre updates whenever they want. That's why\r\nKoi built Wings - our risk engine that analyzes every version of every extension using static analysis, dynamic\r\nanalysis, and agentic AI. That's how you catch sleeper threats that wait years to activate.\r\nBook a demo to see how Koi's continuous monitoring catches what marketplaces miss.\r\nIOCs\r\nUpdate (February 12, 2026):\r\nAfter publication, we conducted additional validation regarding the domain meetingtv[.]us, which was originally\r\nincluded in the IOC list. 
While the domain appeared in code analyzed during our investigation, we have\r\ndetermined that there is no evidence that this domain is connected or related in any way to the malicious\r\ninfrastructure or the threat actor group described in this report.\r\nNew Domains - Shady Panda\r\nNew Domains - GhostPoster\r\ngmzdaily[.]com\r\nChrome - The Zoom Stealer\r\nEdge - The Zoom Stealer\r\nmhjdjckeljinofckdibjiojbdpapoecj\r\nFirefox - The Zoom Stealer\r\n{7536027f-96fb-4762-9e02-fdfaedd3bfb5}\r\nxtwitterdownloader@benimaddonum.com\r\nChrome - Shady Panda\r\nEdge - Shady Panda\r\nFirefox - Shady Panda\r\nOpera - GhostPoster\r\nGoogle™ Translate by charliesmithbons\r\nSource: https://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers"
	],
	"report_names": [
		"darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2fc0f25d-a92d-4f36-bb88-aeccd320dbbf",
			"created_at": "2026-01-18T02:00:03.06809Z",
			"updated_at": "2026-04-10T02:00:03.90724Z",
			"deleted_at": null,
			"main_name": "ShadyPanda",
			"aliases": [],
			"source_name": "MISPGALAXY:ShadyPanda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a05a66b-e78a-41c0-b869-5123a4d86727",
			"created_at": "2026-01-23T02:00:03.298518Z",
			"updated_at": "2026-04-10T02:00:03.936552Z",
			"deleted_at": null,
			"main_name": "DarkSpectre",
			"aliases": [],
			"source_name": "MISPGALAXY:DarkSpectre",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f95ace76755b99a8642bc1be82cd69a0a79ffe1.pdf",
		"text": "https://archive.orkl.eu/5f95ace76755b99a8642bc1be82cd69a0a79ffe1.txt",
		"img": "https://archive.orkl.eu/5f95ace76755b99a8642bc1be82cd69a0a79ffe1.jpg"
	}
}