GhostPoster Browser Extensions Hit 840,000 Installs Across Chrome, Firefox, and Edge

Security researchers have uncovered a large malware campaign that abused popular browser extensions to infect more than 840,000 users across Chrome, Firefox, and Microsoft Edge. The campaign, known as GhostPoster, hides malicious code inside image files to evade store reviews and traditional security checks.

GhostPoster Malicious Browser Extensions Infect 840,000 Users

Researchers at Koi Security first exposed the threat after analyzing a Firefox extension that secretly embedded executable code inside a PNG icon using steganography. The extension extracted the hidden payload after installation and quietly contacted a remote command-and-control server to download more malicious scripts. This technique allowed the extension to pass automated reviews and remain undetected for long periods.

Malware Hides Inside Image Files

GhostPoster relies on a multi-stage infection chain designed to avoid detection. The extension stores its initial loader inside a PNG image. After installation, the extension reads the image file, extracts the hidden data, and delays execution for at least 48 hours before activating network communication.


Once active, the malware downloads additional JavaScript payloads from remote servers and executes them locally. This delayed behavior reduces the chance that automated scanners flag the extension during early inspection.

What the Malware Can Do

After activation, GhostPoster gains deep control over the browser environment. The malware can:

  • Strip or modify HTTP security headers such as CSP and HSTS
  • Hijack affiliate traffic for monetization
  • Inject invisible iframes and scripts for click fraud and tracking
  • Automate CAPTCHA solving
  • Load additional malicious scripts for long-term control

These capabilities show a financially motivated operation with mature evasion techniques and strong persistence mechanisms.

17 Extensions Tied to the Same Infrastructure

Investigators linked 17 different browser extensions to the same infrastructure and behavior patterns. Collectively, these extensions exceeded 840,000 installs across Chrome, Firefox, and Edge. Some of them remained available in official stores for nearly five years, dating back to 2020.

Popular names included translation tools, screenshot utilities, ad blockers, and media downloaders. Attackers used trusted utility categories to increase installs and user trust.

Extension Name                              | Installs
--------------------------------------------|---------
Google Translate in Right Click             | 522,398
Translate Selected Text with Google         | 159,645
Ads Block Ultimate                          |  48,078
Floating Player – PiP Mode                  |  40,824
Convert Everything                          |  17,171
Youtube Download                            |  11,458
One Key Translate                           |  10,785
AdBlocker                                   |  10,155
Save Image to Pinterest on Right Click      |   6,517
Instagram Downloader                        |   3,807
RSS Feed                                    |   2,781
Cool Cursor                                 |   2,254
Full Page Screenshot                        |   2,000
Amazon Price History                        |   1,197
Color Enhancer                              |     712
Translate Selected Text with Right Click    |     283
Page Screenshot Clipper                     |      86

The analysis also confirmed that the campaign started on Microsoft Edge and later expanded to Firefox and Chrome using the same backend servers and obfuscation logic.

Advanced Variant Increases Stealth

LayerX researchers later identified a more advanced variant within the campaign. This version moved the malicious staging logic into the extension’s background script and used a bundled image file as a covert payload container rather than only an icon.

At runtime, the background script scanned the image’s raw bytes for a special delimiter (>>>>), extracted the hidden data, stored it locally, Base64-decoded it, and executed it as JavaScript. The secondary payload delayed network activity for several days before contacting remote servers for updates.

This staged execution model improves dormancy and modularity and makes the extension more resistant to behavioral detection systems.
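As an added defensive example (not code from Koi Security, LayerX, or this article), the following Python scanner checks an extension-bundled PNG for the two signs described above: bytes appended after the image's IEND chunk, and the ">>>>" delimiter followed by a Base64 blob that decodes to script-like text. The sample icons, the delimiter sitting after IEND, and the JavaScript keyword list are constructed assumptions; the article does not document the exact payload layout.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
DELIM = b">>>>"  # delimiter the article attributes to the LayerX-described variant
SCRIPT_HINT = re.compile(r"\b(function|eval|fetch|XMLHttpRequest|chrome\.|browser\.)")

def png_payload_end(data: bytes) -> int:
    """Walk PNG chunks; return the offset just past IEND, or -1 if not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return -1

def scan_image(data: bytes) -> dict:
    """Report trailing bytes after IEND and any '>>>>'-delimited Base64 blob that looks like script."""
    end = png_payload_end(data)
    result = {"is_png": end != -1, "trailing_bytes": 0, "delimiter_found": False, "decoded_script": None}
    if end == -1:
        return result
    result["trailing_bytes"] = len(data) - end  # a clean PNG ends exactly at IEND
    idx = data.find(DELIM)
    if idx != -1:
        result["delimiter_found"] = True
        try:
            decoded = base64.b64decode(data[idx + len(DELIM):].strip(), validate=True).decode("utf-8", "replace")
        except Exception:
            decoded = None
        if decoded and SCRIPT_HINT.search(decoded):
            result["decoded_script"] = decoded
    return result

def is_suspicious(result: dict) -> bool:
    return result["is_png"] and (result["trailing_bytes"] > 0 or result["delimiter_found"])

def _min_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as the clean baseline icon."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")

CLEAN_ICON = _min_png()
SAMPLE_SCRIPT = b"function loader(){ /* constructed inert marker */ }"  # constructed, does nothing
TAINTED_ICON = CLEAN_ICON + DELIM + base64.b64encode(SAMPLE_SCRIPT)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_ICON), ("tainted", TAINTED_ICON)):
        print(name, "suspicious" if is_suspicious(scan_image(img)) else "clean", scan_image(img))
```

Run it over every image in an unpacked extension directory; a valid icon should end at IEND, so any trailer is worth a look even when no delimiter or decodable script is found.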

Store Removals Do Not Fully Protect Users

Mozilla and Microsoft have removed the known malicious extensions from their stores. Google also confirmed that Chrome Web Store listings were taken down after disclosure. However, extensions already installed on user devices remain active unless users manually remove them.


Users who installed these extensions earlier may still face tracking, ad fraud, or traffic hijacking risks even after store removal.

What Users and Enterprises Should Do

Security teams and individual users should act quickly to reduce exposure:

  • Review installed browser extensions and remove unfamiliar or unnecessary tools
  • Monitor browser network activity for unusual outbound connections
  • Avoid installing extensions outside official policy controls in enterprise environments
  • Keep browsers updated and limit extension permissions where possible

GhostPoster shows how attackers increasingly weaponize trusted ecosystems like browser add-on stores. Strong visibility into extension behavior now plays a critical role in modern endpoint security.
