Trojan Horse Extensions: How "Zoom Stealer" Spied on Millions of Corporate Meetings

Martin Parenti

Dec 29, 2025

The "Zoom Stealer" Campaign

A sophisticated espionage operation has been silently targeting the corporate world’s most popular communication tools. Security researchers at Koi Security have uncovered a campaign dubbed "Zoom Stealer," which leveraged trusted browser extensions to infiltrate millions of meetings across Zoom, Microsoft Teams, and Google Meet.

Hidden in Plain Sight

Unlike typical malware that breaks things or acts suspiciously, these 18 extensions—installed on over 2.2 million browsers—were incredibly effective at their advertised jobs. Whether designed to record audio tab-by-tab or help manage schedules, they worked perfectly. This functionality was the perfect cover, allowing them to gain positive reviews and remain installed on user devices for years while quietly requesting broad permissions to access videoconferencing platforms.

Systematic Data Harvesting

Once granted access, these extensions injected malicious scripts directly into meeting dashboards and registration pages. They didn't just passively listen; they actively scraped critical data, including:

  • Meeting links with embedded passwords.
  • Schedules, agendas, and session descriptions.
  • Detailed attendee profiles (names, job titles, biographies, and photos).
  • Corporate logos and visual assets.

This data was stealthily exfiltrated to external servers the moment a user interacted with a meeting page, blending the theft into normal web traffic to avoid detection.

The Danger: A Blueprint for Attacks

While a single meeting link might seem harmless, the aggregate data allows attackers to build a comprehensive map of an organization's habits. This intelligence is a goldmine for "DarkSpectre," the group to which the attack is attributed. They can use this information to launch highly targeted phishing campaigns, impersonate executives during live calls, or simply listen in on sensitive internal strategy sessions.

The Takeaway

The incident highlights a recurring danger: functional, well-rated extensions can turn malicious overnight. Security experts advise organizations to strictly limit browser extensions and treat them with the same scrutiny as any other installed software.
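One way to apply that scrutiny is to audit each extension's manifest for host access that reaches meeting platforms. The sketch below is an added example, not code from Koi Security or from this article; the three hostnames and the sample manifest are assumptions constructed for illustration.

```python
import json

# Assumed hostnames for the three platforms the article names.
MEETING_HOSTS = ("zoom.us", "teams.microsoft.com", "meet.google.com")

def pattern_covers(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern reaches `host` or one of its subdomains."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False  # plain API permission (e.g. "tabs") or a non-web scheme
    pat_host = rest.split("/", 1)[0].lower()
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base) or base.endswith("." + host)
    return pat_host == host or pat_host.endswith("." + host)

def audit_manifest(manifest: dict) -> list:
    """List every declared pattern that reaches a meeting platform, and where it sits."""
    sources = {
        "host_permissions": manifest.get("host_permissions", []),
        "optional_host_permissions": manifest.get("optional_host_permissions", []),
        "permissions": manifest.get("permissions", []),  # Manifest V2 keeps hosts here
    }
    for i, script in enumerate(manifest.get("content_scripts", [])):
        sources[f"content_scripts[{i}].matches"] = script.get("matches", [])
    findings = []
    for where, patterns in sources.items():
        for pattern in patterns:
            hosts = [h for h in MEETING_HOSTS if pattern_covers(pattern, h)]
            if hosts:
                findings.append({
                    "where": where, "pattern": pattern, "hosts": hosts,
                    "broad": len(hosts) == len(MEETING_HOSTS),    # wildcard-style grant
                    "injects": where.startswith("content_scripts"),  # script runs in page
                })
    return findings

# Constructed sample manifest, not taken from any real extension.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Constructed Tab Audio Recorder",
  "permissions": ["tabCapture", "storage"],
  "host_permissions": ["https://*.zoom.us/*", "https://example.org/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]},
                      {"matches": ["https://meet.google.com/*"], "js": ["meet.js"]}]
}""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

A finding is a prompt for review, not proof of abuse: compare the access an extension declares with what its advertised function actually needs.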