How Malicious Browser Extensions Turn Everyday Meetings into Corporate Goldmines
Imagine joining a routine Zoom call, only to have every detail—meeting links, participant lists, even speaker bios—secretly siphoned off and sold to the highest bidder. This isn’t a plot from a cyber-thriller, but the reality uncovered by recent investigations into the so-called Zoom Stealer browser extensions. These malicious add-ons, often disguised as harmless productivity tools, have quietly harvested intelligence from millions of corporate meetings across platforms like Zoom, Microsoft Teams, and Google Meet (BleepingComputer).
Security researchers at Koi Security have revealed that these extensions don’t just snatch meeting links—they build comprehensive profiles, capturing everything from session topics to speaker biographies and company branding. With over 2.2 million users compromised in a single campaign and more than 7.8 million affected over several years, the scale is staggering. The data is exfiltrated in real time, fueling databases that map out business relationships, project timelines, and even internal hierarchies (BleepingComputer).
What’s more, the intelligence harvested is a goldmine for corporate espionage, enabling everything from targeted phishing to competitive sabotage. The threat is amplified by weaknesses in browser extension marketplaces, where lax oversight allows these sleeper extensions to operate undetected for months. As organizations increasingly rely on virtual meetings, understanding the mechanics and risks of these attacks is crucial for safeguarding corporate secrets.
The Mechanics of Data Harvesting in Video Conferencing Extensions
Malicious browser extensions, such as those identified in the Zoom Stealer campaign, exploit the trust users place in seemingly benign tools to systematically extract sensitive meeting-related data. These extensions, often masquerading as productivity enhancers or video downloaders, request broad permissions that grant them access to a wide array of conferencing platforms, including Zoom, Microsoft Teams, Google Meet, and Cisco WebEx (BleepingComputer). Once installed, they monitor user activity and trigger data collection routines whenever users interact with meeting registration pages, join virtual sessions, or navigate through conferencing dashboards.
The harvested information extends far beyond simple meeting links. According to Koi Security researchers, the data siphoned includes:
- Meeting URLs and unique IDs, often with embedded passwords
- Registration status, session topics, and scheduled times
- Names, titles, biographies, and profile photos of speakers and hosts
- Company logos, graphics, and session metadata
This information is exfiltrated in real time via WebSocket connections, allowing threat actors to build detailed intelligence profiles on organizations and their personnel. The scale of this operation is significant: the Zoom Stealer campaign alone has compromised the data of approximately 2.2 million users through 18 extensions, while the broader set of campaigns attributed to the DarkSpectre threat actor has impacted more than 7.8 million users over seven years.
Building a Database for Corporate Espionage
The systematic aggregation of meeting intelligence enables attackers to construct a rich, searchable database of corporate activities and personnel. By correlating meeting topics, participant lists, and organizational affiliations, malicious actors can map out business relationships, project timelines, and strategic initiatives. This database becomes a powerful tool for corporate espionage, as it reveals not only what companies are discussing but also who is involved and when critical decisions are being made.
For example, the collection of participant lists and speaker biographies allows attackers to identify key decision-makers and subject matter experts within target organizations. Meeting topics and descriptions provide insight into ongoing projects, product launches, or partnership negotiations. When combined with session metadata and company branding elements, this intelligence can be used to profile an organization’s internal structure and external collaborations.
The real-time nature of data exfiltration further enhances the value of this intelligence. Attackers can monitor the scheduling and occurrence of high-stakes meetings, enabling them to act swiftly—whether by selling access to competitors, timing cyberattacks to coincide with critical events, or launching targeted social engineering campaigns.
Enabling Large-Scale Impersonation and Social Engineering
One of the most dangerous outcomes of this intelligence harvesting is the facilitation of sophisticated impersonation attacks. With access to meeting links, embedded passwords, and participant rosters, threat actors can join confidential calls under false pretenses or craft convincing phishing emails that reference specific meetings and personnel (Koi Security report).
The detailed context gathered—such as meeting agendas, speaker roles, and company affiliations—enables attackers to mimic legitimate participants with alarming accuracy. This can lead to:
- Unauthorized access to sensitive discussions, intellectual property, or strategic planning sessions
- The spread of malware or ransomware via malicious links shared during meetings
- The manipulation of business negotiations or the interception of confidential communications
The threat is amplified by the fact that many of these extensions operate undetected for extended periods, quietly building up a wealth of actionable intelligence before turning overtly malicious. This sleeper strategy allows attackers to maximize their reach and impact before defensive measures are triggered.
Monetization Strategies: From Data Brokerage to Competitive Sabotage
The intelligence gathered by malicious extensions is not merely used for direct attacks; it also represents a lucrative commodity in underground markets. Threat actors can monetize their data troves in several ways:
- Selling Meeting Access: Links and credentials for confidential meetings can be auctioned to competitors, cybercriminal groups, or state-sponsored actors seeking insider information.
- Corporate Intelligence Brokerage: Detailed profiles of organizational structures, project timelines, and personnel can be sold as business intelligence to interested third parties.
- Facilitating Targeted Attacks: The data can be packaged and sold to other threat actors who specialize in spear-phishing, business email compromise (BEC), or ransomware campaigns.
- Sales Intelligence for Social Engineering: By understanding the hierarchy and ongoing projects within a company, attackers can craft highly targeted pitches or scams that are more likely to succeed.
The involvement of China-linked threat actors, as evidenced by infrastructure hosted on Alibaba Cloud and code artifacts containing Chinese-language strings, suggests that some of this intelligence may also be leveraged for nation-state objectives, including economic espionage and competitive sabotage (BleepingComputer).
The Role of Extension Ecosystem Weaknesses in Facilitating Abuse
A critical enabler of these campaigns is the lax oversight and review processes within browser extension marketplaces. Despite being reported by security researchers, many of the offending extensions remain available on official stores such as the Chrome Web Store, with some—like Chrome Audio Capture and Twitter X Video Downloader—amassing hundreds of thousands of installations (BleepingComputer).
Several factors contribute to the persistence and success of malicious extensions:
- Overly Broad Permissions: Extensions often request access to all web activity, including sensitive data from conferencing platforms, under the guise of legitimate functionality.
- Delayed Malicious Activation: Some extensions, known as “sleepers,” remain benign for long periods to build user trust and evade detection before activating their malicious payloads via updates.
- Insufficient Vetting: Automated review processes may fail to detect hidden data exfiltration routines, especially when extensions perform as advertised on the surface.
- User Complacency: Many users do not scrutinize the permissions requested by extensions or regularly audit their installed add-ons, providing attackers with a persistent foothold.
The combination of these weaknesses creates an environment in which malicious actors can operate at scale, harvesting corporate intelligence from millions of unsuspecting users with minimal risk of exposure or takedown.
Note: All facts, figures, and analysis in this report are drawn from information available as of December 30, 2025, and are supported by BleepingComputer’s coverage and Koi Security’s research.
Final Thoughts
The Zoom Stealer campaign is a wake-up call for organizations and individuals alike: browser extensions, often overlooked, can be powerful tools for corporate espionage. The ability of these malicious add-ons to quietly harvest sensitive meeting intelligence—then monetize it through data brokerage, targeted attacks, or even nation-state operations—underscores the urgent need for vigilance (BleepingComputer).
To counter these threats, companies must adopt a proactive approach: regularly audit installed extensions, scrutinize permissions, and educate users about the risks. Meanwhile, browser marketplaces need to strengthen their vetting processes to prevent sleeper extensions from slipping through the cracks. As virtual collaboration becomes the norm, the line between convenience and compromise grows thinner—making cybersecurity awareness more vital than ever.
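One way to carry out the extension audit recommended above, and to surface the overly broad permissions described in the mechanics and ecosystem-weakness sections: an added Python example (not code from Koi Security or BleepingComputer) that scores a Chrome manifest by whether its host patterns reach the conferencing platforms named in this article and whether it also holds traffic-inspection APIs. The conferencing host list, the risk thresholds, and the sample manifest are constructed assumptions.

```python
"""Audit Chrome extension manifests for broad reach into conferencing sites (added example)."""
import json
from pathlib import Path

# Platforms named in the Zoom Stealer reporting; this host list is the script's own assumption.
CONFERENCING_HOSTS = ("zoom.us", "teams.microsoft.com", "meet.google.com", "webex.com")
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # every site
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "tabs", "scripting", "cookies"}


def host_pattern_matches(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern such as '*://*.zoom.us/*' covers host."""
    if pattern in BROAD_PATTERNS:
        return True
    pattern_host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if pattern_host.startswith("*."):
        return host == pattern_host[2:] or host.endswith(pattern_host[1:])
    return pattern_host == host


def audit_manifest(manifest: dict) -> dict:
    """Summarise which sites and APIs a manifest can reach, with a coarse risk label."""
    perms = list(manifest.get("permissions", []))
    # MV3 lists hosts under host_permissions; MV2 mixes them into permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])  # content scripts run on these pages
    broad = sorted(p for p in hosts if p in BROAD_PATTERNS)
    conferencing = [h for h in CONFERENCING_HOSTS if any(host_pattern_matches(p, h) for p in hosts)]
    apis = sorted(set(perms) & SENSITIVE_APIS)
    reach = bool(broad or conferencing)  # can the extension see meeting pages at all?
    risk = "high" if reach and apis else "medium" if reach else "low"
    return {"name": manifest.get("name"), "broad_patterns": broad,
            "conferencing_hosts": sorted(conferencing), "sensitive_apis": apis, "risk": risk}


def audit_profile(extensions_dir: Path) -> list:
    """Walk Chrome's Extensions/<id>/<version>/manifest.json tree and audit each one."""
    results = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with path.open(encoding="utf-8") as fh:
            results.append({"id": path.parts[-3], **audit_manifest(json.load(fh))})
    return results


# Constructed manifest modelled on a "video downloader" that asks for everything.
SAMPLE_MANIFEST = {
    "name": "Example Video Downloader (constructed)", "manifest_version": 3,
    "permissions": ["webRequest", "tabs", "storage"], "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*.zoom.us/*", "https://meet.google.com/*"], "js": ["c.js"]}],
}
```

Point audit_profile at a Chrome profile's Extensions directory to score every installed add-on; a "high" result means the extension can both load on meeting pages and inspect or script their traffic, which is the combination worth reviewing first.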
References
- BleepingComputer. (2025, December 30). Zoom Stealer browser extensions harvest corporate meeting intelligence. https://www.bleepingcomputer.com/news/security/zoom-stealer-browser-extensions-harvest-corporate-meeting-intelligence/