GhostPoster Malicious Browser Extensions Abuse Steganography in Chrome, Firefox and Edge

CyberSecureFox 🦊

A large-scale malicious browser extension campaign known as GhostPoster has been uncovered in the official extension stores for Google Chrome, Mozilla Firefox and Microsoft Edge. Security researchers report that at least 17 extensions tied to this operation were installed more than 840,000 times, highlighting how easily threat actors can abuse trust in official browser marketplaces.

GhostPoster campaign timeline: from Firefox to Chrome and Edge

The GhostPoster operation first came to light in December last year, when researchers from Koi Security analyzed a cluster of 17 malicious Firefox add-ons. These extensions used steganography—the practice of hiding data inside seemingly harmless files—to conceal malicious JavaScript code inside PNG logo images. At that time, the extensions had already accumulated more than 50,000 installations.

A subsequent investigation by LayerX shows that the campaign not only continued after the initial disclosure but also expanded across multiple browser ecosystems. According to their analysis, the operation appears to have originated in the Microsoft Edge extension ecosystem and was later ported to the official Firefox Add-ons and Chrome Web Store. Some of the identified extensions may have been present in the stores as early as 2020, operating undetected for a prolonged period.

Attack techniques: steganography, hidden payloads and evasion

The defining feature of GhostPoster is its steganography-based malware delivery. The malicious extensions retrieved heavily obfuscated JavaScript payloads from remote servers, embedded inside image files. Browser scripts within the extensions extracted, decoded and executed this hidden code locally on the victim’s machine. This approach allowed the attackers to bypass many static extension review mechanisms, which typically inspect manifest files and readable source code but may not analyze image contents in depth.

Once activated, the malicious code performed several monetization and tracking activities, including:

  • Monitoring browsing activity on visited websites to build behavioral profiles.
  • Hijacking affiliate links by replacing legitimate partner identifiers on major e-commerce and service platforms, diverting commissions to the attackers.
  • Injecting invisible iframes to generate fraudulent ad impressions and clicks, a classic form of ad fraud that inflates advertising revenue for the threat actors.

For end users, these actions can lead to slower browser performance, privacy violations and manipulation of online purchasing journeys, while advertisers and legitimate affiliates suffer direct financial losses.

Evolution of GhostPoster: advanced variant in “Instagram Downloader”

Although the general attack pattern remained consistent with the initial Koi Security findings, LayerX documented a significant technical evolution in a malicious extension tracked as Instagram Downloader. In this iteration, the logic responsible for preparing the malicious payload was moved into a background script, and the payload carrier was no longer limited to the extension’s logo. Instead, the code was concealed inside an embedded image file shipped within the extension package itself.

The background script executed a multi-stage process:

  • Scanning the image’s byte stream for a specific delimiter marker (for example, the sequence >>>>).
  • Extracting the concealed data that followed this marker and storing it inside the extension’s local storage.
  • Decoding the retrieved string from Base64 format and executing it dynamically as JavaScript in the browser context.
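The delivery chain above, and the image-based carrier described in the earlier steganography section, leave a structural trace that a reviewer can check for: a PNG file must end with its IEND chunk, so any bytes after it are foreign to the image. The scanner below is an added example written for this article; it is not code from Koi Security, LayerX or the extensions themselves. It walks the PNG chunk structure of every image in an unpacked extension directory, reports trailing data, looks for the “>>>>” delimiter the article mentions, and checks whether what follows decodes from Base64 to readable text. The delimiter, the directory layout and the two sample images are constructed assumptions for illustration.

```python
"""Find data hidden after the end of PNG images in an unpacked extension.

Added example, not code from the article, Koi Security or LayerX. A PNG must
end with its IEND chunk, so anything after it is foreign data. The delimiter,
directory layout and sample images below are constructed for illustration.
"""
import base64
import binascii
import os
import re
import tempfile
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MARKER = b">>>>"  # assumed delimiter, taken from the article's example
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/=]{32,}")


def png_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the IEND chunk, or None if not a valid PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4  # length/type header, payload and CRC
        if ctype == b"IEND":
            return pos
    return None


def inspect_png(data: bytes) -> dict:
    """Describe any data that follows IEND in a PNG byte stream."""
    result = {"valid_png": False, "trailing_bytes": 0, "marker_found": False,
              "decodes_as_text": False, "preview": ""}
    end = png_end_offset(data)
    if end is None:
        return result
    result["valid_png"] = True
    trailer = data[end:]
    result["trailing_bytes"] = len(trailer)
    idx = trailer.find(MARKER)
    result["marker_found"] = idx != -1
    candidate = trailer[idx + len(MARKER):] if idx != -1 else trailer
    m = BASE64_RUN.search(candidate)
    if m:
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            return result
        result["decodes_as_text"] = all(c.isprintable() or c.isspace() for c in text)
        result["preview"] = text[:40]
    return result


def scan_extension_dir(root: str) -> list:
    """Return (path, report) for every PNG under root that carries trailing data."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".png"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                report = inspect_png(fh.read())
            if report["trailing_bytes"]:
                hits.append((path, report))
    return hits


# --- constructed sample images: a 1x1 grayscale PNG, clean and tampered ---
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return (len(payload).to_bytes(4, "big") + ctype + payload
            + zlib.crc32(ctype + payload).to_bytes(4, "big"))


def build_clean_png() -> bytes:
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x08\x00\x00\x00\x00"
    idat = zlib.compress(b"\x00\x00")  # filter byte plus one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_tampered_png() -> bytes:
    """Clean image with a harmless Base64 string appended after the marker."""
    hidden = base64.b64encode(b'console.log("constructed sample")')
    return build_clean_png() + MARKER + hidden


def demo_scan() -> list:
    """Write both constructed images to a temp dir, scan it, return flagged names."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "logo.png"), "wb") as fh:
            fh.write(build_clean_png())
        with open(os.path.join(d, "icon.png"), "wb") as fh:
            fh.write(build_tampered_png())
        return [(os.path.basename(p), r) for p, r in scan_extension_dir(d)]


if __name__ == "__main__":
    for name, report in demo_scan():
        print(name, report)
```

Run it against an unpacked extension directory by calling scan_extension_dir on that path. The check is deliberately structural rather than signature-based: it does not need to know the delimiter to flag a file, because any bytes after IEND are already anomalous, and the marker and Base64 checks only add context to the finding.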

This modular, staged architecture increases the malware’s stealth and resilience. It extends the “dormant period” before malicious behavior manifests, complicating static analysis (code inspection prior to execution) and behavioral analysis (runtime monitoring). The approach also allows attackers to update or swap payload modules without changing the visible functionality of the extension.

Impact, scale of damage and browser vendors’ response

Researchers estimate that across Chrome, Firefox and Edge, GhostPoster-linked extensions reached approximately 840,000 installations. At this scale, even relatively low conversion rates can generate a steady and meaningful income stream for cybercriminals through affiliate link hijacking and ad fraud, while the collection of behavioral data creates additional opportunities for future targeting or resale on underground markets.

Following the publication of the investigation results, all known malicious extensions associated with GhostPoster were removed from the official stores of Mozilla, Microsoft and Google. However, previous incidents involving malicious browser extensions demonstrate that threat actors frequently return with rebranded add-ons, new developer accounts and slightly modified code to evade blacklists and automated checks.

This case underscores a broader challenge: official extension stores significantly reduce, but do not eliminate, risk. Sophisticated actors are increasingly designing their malware specifically to pass automated reviews, using techniques such as delayed activation, remote configuration and steganography-based payloads.

How users and organizations can defend against malicious browser extensions

To reduce exposure to campaigns like GhostPoster, both individual users and organizations should strengthen their browser extension security posture by adopting the following practices:

  • Install extensions only from well-known, reputable developers and publishers, ideally with a long history and transparent contact information.
  • Carefully review requested permissions (for example, access to browsing history, data on all websites or clipboard access) and avoid granting excessive rights to non-essential tools.
  • Perform regular audits of installed extensions, removing outdated, unused or suspicious add-ons from all browsers.
  • Use modern endpoint protection solutions (EDR/NGAV) capable of detecting anomalous browser behavior, such as mass iframe injection or unexpected network requests.
  • In corporate environments, enforce extension allowlists, limiting installations to a vetted set of add-ons and applying centralized policies via browser management tools.
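The permission review and audit steps above can be partly automated from the extension’s own manifest. The auditor below is an added example written for this article, not a tool from the article, Koi Security, LayerX or any browser vendor. It reads a manifest.json in either Manifest V2 or V3 shape, expands host match patterns to see how much of the web the extension can reach, flags the sensitive API permissions the article names (browsing history, data on all websites, clipboard access) along with a few that commonly accompany them, and reports a content security policy that permits 'unsafe-eval', the MV2 setting that allows code assembled from strings to run. The risk table and both sample manifests are constructed assumptions, not an official classification.

```python
"""Audit a browser-extension manifest for permissions that deserve scrutiny.

Added example, not from the article, Koi Security, LayerX or a browser vendor.
The risk table and sample manifests are constructed for illustration.
"""
import re

# Assumed risk notes for API permissions; not an official classification.
SENSITIVE_API = {
    "history": "reads browsing history",
    "tabs": "sees URLs and titles of every open tab",
    "webRequest": "observes all network traffic",
    "webRequestBlocking": "can modify or block requests",
    "cookies": "reads session cookies",
    "clipboardRead": "reads clipboard contents",
    "scripting": "injects scripts into pages",
}
MATCH_PATTERN = re.compile(r"^(\*|https?|file|ftp|wss?)://([^/]*)(/.*)?$")


def host_reach(pattern: str) -> str:
    """Classify a match pattern as 'all', 'subdomains', 'single' or 'invalid'."""
    if pattern == "<all_urls>":
        return "all"
    m = MATCH_PATTERN.match(pattern)
    if not m:
        return "invalid"
    host = m.group(2)
    if host == "*":
        return "all"
    if host.startswith("*."):
        return "subdomains"
    return "single"


def collect_hosts(manifest: dict) -> list:
    """Gather host patterns from MV2 permissions, MV3 host_permissions and
    content_scripts matches, since all three grant page access."""
    hosts = [p for p in manifest.get("permissions", [])
             if p == "<all_urls>" or "://" in p]
    hosts += manifest.get("host_permissions", [])
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    return hosts


def csp_allows_eval(manifest: dict) -> bool:
    """'unsafe-eval' in the extension CSP lets code built from strings run."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 uses an object keyed by context
        csp = csp.get("extension_pages", "")
    return "'unsafe-eval'" in csp


def audit_manifest(manifest: dict) -> dict:
    """Return a list of findings and an overall verdict for a parsed manifest."""
    findings = []
    for p in manifest.get("permissions", []):
        if p in SENSITIVE_API:
            findings.append(f"permission {p}: {SENSITIVE_API[p]}")
    reach = {host_reach(h) for h in collect_hosts(manifest)}
    if "all" in reach:
        findings.append("host access: every website")
    elif "subdomains" in reach:
        findings.append("host access: wildcard subdomains")
    if csp_allows_eval(manifest):
        findings.append("CSP permits 'unsafe-eval'")
    return {
        "manifest_version": manifest.get("manifest_version"),
        "findings": findings,
        "verdict": "review" if findings else "ok",
    }


# Constructed sample manifests (not taken from any real extension).
SUSPICIOUS_MANIFEST = {
    "manifest_version": 2,
    "name": "Sample Downloader (constructed)",
    "permissions": ["storage", "tabs", "webRequest", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*.example.com/*"], "js": ["cs.js"]}],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Note Taker (constructed)",
    "permissions": ["storage"],
    "host_permissions": ["https://www.example.com/*"],
}


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(m["name"], audit_manifest(m))
```

Load a real manifest with json.load and pass the resulting dict to audit_manifest. A “review” verdict is a prompt for a human look, not a detection on its own: legitimate tools such as ad blockers also need broad host access, so the output is most useful when compared against what the extension claims to do.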

GhostPoster illustrates how rapidly browser extension threats are evolving, combining steganography, modular payloads and sophisticated evasion to exploit users’ trust in official stores. As reliance on extensions for productivity and convenience continues to grow, these add-ons become an increasingly attractive attack surface. Treating extensions as full-fledged software—subject to careful selection, minimal permissions, continuous monitoring and layered protection—can significantly lower the risk of compromise and help maintain a safer browsing environment.
