Trojan Horse Extensions: How "Zoom Stealer" Spied on Millions of Corporate Meetings

Trojan Horse Extensions: How "Zoom Stealer" Spied on Millions of Corporate Meetings

Trojan Horse Extensions: How "Zoom Stealer" Spied on Millions of Corporate Meetings

Trojan Horse Extensions: How "Zoom Stealer" Spied on Millions of Corporate Meetings

A new espionage campaign known as "Zoom Stealer" has compromised over 2 million browsers by using popular, functional extensions to secretly scrape sensitive data from professional meetings on Zoom, Teams, and Google Meet.

François-Henri Champagne

The "Zoom Stealer" Campaign

A sophisticated espionage operation has been silently targeting the corporate world’s most popular communication tools. Security researchers at Koi Security have uncovered a campaign dubbed "Zoom Stealer," which leveraged trusted browser extensions to infiltrate millions of meetings across Zoom, Microsoft Teams, and Google Meet.

Hidden in Plain Sight

Unlike typical malware that breaks things or acts suspiciously, these 18 extensions—installed on over 2.2 million browsers—were incredibly effective at their advertised jobs. Whether designed to record audio tab-by-tab or help manage schedules, they worked perfectly. This functionality was the perfect cover, allowing them to gain positive reviews and remain installed on user devices for years while quietly requesting broad permissions to access videoconferencing platforms.

Systematic Data Harvesting

Once granted access, these extensions injected malicious scripts directly into meeting dashboards and registration pages. They didn't just passively listen; they actively scraped critical data, including:

  • Meeting links with embedded passwords.

  • Schedules, agendas, and session descriptions.

  • Detailed attendee profiles (names, job titles, biographies, and photos).

  • Corporate logos and visual assets.

This data was stealthily exfiltrated to external servers the moment a user interacted with a meeting page, blending the theft into normal web traffic to avoid detection.

The Danger: A Blueprint for Attacks

While a single meeting link might seem harmless, the aggregate data allows attackers to build a comprehensive map of an organization's habits. This intelligence is a goldmine for "DarkSpectre," the group attributed to the attack. They can use this information to launch highly targeted phishing campaigns, impersonate executives during live calls, or simply listen in on sensitive internal strategy sessions.

The Takeaway

The incident highlights a recurring danger: functional, well-rated extensions can turn malicious overnight. Security experts advise organizations to strictly limit browser extensions and treat them with the same scrutiny as any other installed software.

Find the malwares in your browsers, and block them instantly

Most of the fleets we scan are already running a malicious extension. Ostral installs in one click, maps every extension across your company with its risk, and lets you block anything dangerous everywhere in seconds.