
GhostPoster Malware Exploits 17 Rogue Extensions to Target Browser Users

gbhackers.com
January 19, 2026
GhostPoster Malware Targets Chrome Users via 17 Rogue Extensions

AI-Generated Summary

A sophisticated malware operation, GhostPoster, has compromised millions of users across Chrome, Firefox, and Edge via 17 rogue extensions. These extensions use steganography to hide malicious payloads in image files, evading detection. After a delayed activation period, they hijack traffic for financial fraud and inject scripts. While some extensions have been removed, those already installed remain active.

A sophisticated malware campaign has compromised users of Chrome, Firefox, and Edge by deploying 17 malicious extensions that employ advanced steganography techniques to evade detection. Collectively downloaded more than 840,000 times, the GhostPoster operation represents one of the most technically mature and persistent browser extension threats documented to date.

The GhostPoster campaign leverages an uncommon attack vector: embedding malicious payloads within PNG icon files bundled with browser extensions. This steganographic approach allows threat actors to bypass traditional static analysis and security review processes employed by browser extension marketplaces.

The malware operates through a multi-stage infection chain designed for maximum stealth. During installation, the extension parses its own icon file to extract hidden binary data containing the initial loader. Rather than executing immediately, the malware implements a strategic delay of 48 hours or longer before initiating command-and-control communication, allowing it to evade behavioral detection systems that monitor for suspicious post-installation activity.

Once activated, the extracted loader contacts remote C2 infrastructure to download additional JavaScript payloads. This modular architecture enables threat actors to update malicious functionality without modifying the extension itself, providing operational flexibility and resilience against takedown efforts.

Traffic Hijacking and Fraud

Post-activation analysis reveals GhostPoster possesses sophisticated capabilities indicating financial motivation and technical maturity. The malware strips and injects HTTP headers to weaken web security policies, including Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS), creating vulnerabilities that enable further exploitation.

The campaign's primary monetization mechanism involves affiliate traffic hijacking, redirecting legitimate referral commissions to attacker-controlled accounts. Additional fraud capabilities include iframe and script injection for click fraud operations, user tracking across browsing sessions, and programmatic CAPTCHA solving to bypass security mechanisms protecting high-value targets.

Following Koi Security's December 2025 publication detailing a malicious Firefox extension, subsequent investigation revealed the campaign's true scope. Infrastructure analysis identified 17 extensions sharing identical obfuscation patterns, C2 behavior, and delayed execution strategies across Firefox, Chrome, and Microsoft Edge platforms. Forensic evidence indicates the operation originated on Microsoft Edge as early as 2020, subsequently expanding to Firefox and Chrome. The five-year operational timeline demonstrates the campaign successfully bypassed security reviews across all major browser extension stores, highlighting significant gaps in current vetting processes.

Dormancy Period

Advanced variants discovered during the investigation demonstrate continued evolution of the threat actor's techniques. One particularly sophisticated iteration embeds malicious logic within the extension's background script, which retrieves a bundled image file and scans its raw byte sequence for a delimiter, the ASCII string ">>>>". All data following this marker is decoded and stored in chrome.storage.local under the key "instlogo." This secondary payload implements an extended dormancy period of approximately five days before establishing network connectivity. Upon activation, it fetches content from remote servers, extracts Base64-encoded data, and dynamically executes the decoded JavaScript.
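The icon-parsing trick described above can be checked for from the defender's side. The following scanner is an added example (not code from the article or from Koi Security): it walks a PNG's chunk list, flags any bytes appended after the IEND chunk, and reports whether the ">>>>" delimiter is present; the directory layout, the 1x1 sample PNG and the appended text are constructed assumptions.

```python
"""Scan extension icon PNGs for appended payloads (added example, not the
article's or Koi Security's code). It checks the two things the article
describes: bytes after the PNG IEND chunk, and the ASCII ">>>>" delimiter.
The sample PNG and payload below are constructed."""
import struct
import zlib
from pathlib import Path
from typing import Dict, List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b">>>>"  # delimiter the article says the variant scans for

def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk list; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    return None

def inspect_icon(data: bytes) -> Dict[str, object]:
    """Findings for one icon: bytes past IEND or a ">>>>" marker are suspicious."""
    end = png_end_offset(data)
    trailing = len(data) - end if end is not None else 0
    marker_at = data.find(MARKER)
    payload = len(data) - marker_at - len(MARKER) if marker_at != -1 else 0
    return {"valid_png": end is not None, "trailing_bytes": trailing,
            "marker_found": marker_at != -1, "payload_after_marker": payload,
            "suspicious": trailing > 0 or marker_at != -1}

def scan_extension_dir(root: Path) -> List[Tuple[str, Dict[str, object]]]:
    """Inspect every .png under an unpacked extension directory (assumed layout)."""
    return [(str(p), inspect_icon(p.read_bytes())) for p in root.rglob("*.png")]

def minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = struct.pack(">I", zlib.crc32(ctype + body))
        return struct.pack(">I", len(body)) + ctype + body + crc
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, colour type 0
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

CLEAN_ICON = minimal_png()
STEGO_ICON = CLEAN_ICON + MARKER + b"ZnVuY3Rpb24oKXt9"  # constructed: base64 of "function(){}"
```

A clean icon yields no trailing bytes and no marker; any non-zero trailing count on a store-distributed extension's icon is worth a manual look even when the ">>>>" string is absent, since the delimiter is trivially changed between variants.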
This staged execution flow provides significant advantages: longer dormancy periods reduce detection likelihood, modular architecture enables payload updates, and persistence mechanisms ensure continued operation despite partial takedowns.

While Mozilla and Microsoft have removed confirmed malicious extensions from their official marketplaces, extensions already installed on user systems remain fully operational unless explicitly removed by users. This persistence limitation underscores the inadequacy of store-level takedowns as a complete containment strategy, particularly for malware employing delayed activation and modular payload delivery mechanisms.

Users should immediately audit installed browser extensions, removing any unfamiliar or unused items, and security teams should implement browser extension management policies incorporating allowlisting and continuous monitoring to detect anomalous extension behavior.

IOCs
