GhostPoster Malware Campaign: 17 Malicious Chrome Extensions Infect Over 840,000 Users
Cyber Press
January 19, 2026
The "GhostPoster" malware campaign infected over 840,000 users via 17 malicious browser extensions across Chrome, Firefox, and Edge. Evolving for four years, it used steganography in image files and delayed execution to evade detection. The malware generated revenue through affiliate fraud and click manipulation, with extensions like "Google Translate in Right Click" being highly prevalent.
A sophisticated malware campaign dubbed “GhostPoster” has infiltrated major browser extension stores, compromising over 840,000 users across Chrome, Firefox, and Edge through 17 malicious extensions that evaded detection for more than four years.
Security researchers uncovered the operation after identifying a complex multi-stage infection chain that employs steganography, delayed execution, and modular payload delivery to maintain persistence while generating revenue through affiliate fraud and click manipulation.
The GhostPoster malware demonstrates advanced operational security through its initial payload delivery mechanism.
Rather than using conventional script injection, the threat actor embeds malicious code within the binary data of extension icon files, typically PNG images.
When users install what appears to be legitimate browser utilities, such as ad blockers, screenshot tools, or language translators, the extension extracts hidden bytecode from the image file during runtime.
This extraction process searches for specific byte delimiters represented as the ASCII string ‘>>>>’ and decodes all subsequent data as executable JavaScript.
The technique effectively bypasses static analysis tools that scan only traditional code paths, as the malicious payload exists as what appears to be innocent image metadata.
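The delimiter-based extraction described above is also what a defender can look for. The following scanner, an added example and not code from the campaign or from the researchers, parses a PNG's chunk list, reports any bytes after the IEND chunk and any occurrence of the `>>>>` marker, and walks an unpacked extension directory; the sample PNG and the fake appended payload are constructed inline.

```python
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
DELIM = b">>>>"  # delimiter the article says the loader searches for

def png_end_offset(data: bytes):
    """Walk the chunk list; return the offset just past IEND, or None."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length + type + body + CRC
        if ctype == b"IEND":
            return pos
    return None

def scan_png(data: bytes) -> dict:
    """Flag trailing bytes after IEND and any '>>>>' marker; report sizes
    only, so the scanner never evaluates or echoes the hidden blob."""
    end = png_end_offset(data)
    marker = data.find(DELIM)
    return {
        "valid_png": end is not None,
        "trailing_bytes": len(data) - end if end is not None else 0,
        "has_delimiter": marker != -1,
        "hidden_blob_len": len(data) - marker - len(DELIM) if marker != -1 else 0,
    }

def scan_extension_dir(root: Path) -> list:
    """Scan every PNG under an unpacked extension directory; return hits."""
    hits = []
    for path in root.rglob("*.png"):
        r = scan_png(path.read_bytes())
        if r["trailing_bytes"] or r["has_delimiter"]:
            hits.append((str(path), r))
    return hits

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample: a 1x1 PNG, then the same file with a harmless fake
# payload appended after IEND the way the article describes.
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
TAINTED_PNG = CLEAN_PNG + DELIM + b"console.log('hidden loader');"
```

Point `scan_extension_dir` at a browser profile's unpacked extension folder to triage installed extensions; a clean icon ends exactly at IEND and contains no delimiter.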
Delayed execution represents another critical evasion strategy. The malware implements mandatory waiting periods ranging from 48 hours to five days before initiating command-and-control communication.
This dormancy is a countermeasure against behavioral-detection systems that flag immediate network activity after installation.
Upon activation, the extracted loader contacts remote servers to retrieve additional JavaScript modules that enable the malware’s core functionality.
These capabilities include stripping security headers like Content Security Policy and HTTP Strict Transport Security, hijacking affiliate marketing traffic for financial gain, injecting fraudulent iframes for click fraud, programmatically solving CAPTCHA challenges, and tracking user browsing patterns for extended surveillance.
The campaign’s infrastructure reveals systematic cross-platform distribution. Researchers at Koi Security traced the malicious network to 17 confirmed extensions, with the threat actor initially targeting Microsoft Edge users in 2020 before expanding to Firefox and Chrome.
The extensions collectively amassed 840,000 installations, with the most prolific variant, “Google Translate in Right Click,” infecting 522,398 Chrome users alone.
Other high-impact extensions included “Translate Selected Text with Google” (159,645 installs), “Floating Player PiP Mode” (40,824 installs), and “Ads Block Ultimate” (48,078 installs), demonstrating the attackers’ preference for utilities with broad appeal.
A more advanced variant discovered during the LayerX Security investigation exhibited enhanced modularity.
This version embedded its payload within the extension’s background script rather than its content scripts, using the same PNG steganography technique and storing the decoded payloads in the browser’s local storage under obfuscated keys.
The five-day activation delay and ability to fetch updated payloads from remote servers indicate a mature operational framework designed for long-term resilience against both automated scanning and manual takedown efforts.
Mozilla’s and Microsoft’s store removal actions are only partially effective because of the malware’s persistence mechanism.
Extensions already installed on user systems remain active unless manually uninstalled, creating an ongoing security gap.
This limitation underscores fundamental challenges in browser extension security, where reactive takedowns cannot retroactively neutralize threats that have already been deployed.
Indicators of Compromise
Security teams should audit installed extensions across managed environments, particularly those outside organizational policy controls.
Behavior-based monitoring solutions capable of detecting unauthorized network activity and suspicious DOM manipulation represent essential defensive layers against similar threats.
The GhostPoster campaign serves as a critical reminder that browser extension ecosystems remain viable attack vectors for sophisticated threat actors prioritizing stealth and persistence over rapid proliferation.