A newly discovered campaign, which researchers call Zoom Stealer, is affecting 2.2 million Chrome, Firefox, and Microsoft Edge users through 18 extensions that collect online meeting-related data like URLs, IDs, topics, descriptions, and embedded passwords.

Zoom Stealer is one of three browser extension campaigns that reached more than 7.8 million users over seven years and are attributed to a single threat actor tracked as DarkSpectre.

Based on the used infrastructure, DarkSpectre is believed to be the same China-linked threat actor behind the previously documented GhostPoster, which targeted Firefox users, and ShadyPanda, which delivered spyware payloads to Chrome and Edge users.