A malicious browser extension campaign dubbed GhostPoster is showing just how quietly trusted add-ons can turn into long-running malware implants — hiding payloads inside image files and staying dormant long enough to evade store reviews.
LayerX expanded on Koi Security’s original findings, linking the activity to additional extensions and identifying hundreds of thousands of installs across major browsers.
“Typically, when a bad actor develops a malicious extension, it won’t be just a one-time effort. Rather, once they have the code base for one malicious extension, they will duplicate it and create additional malicious extensions based on the source code base,” said Michelle Levy, Head of Security Research at LayerX Security, in an email to eSecurityPlanet.
She added, “This will lead to families of related malicious extensions that share the underlying infrastructure, code, functionality, communications, and more, making remediation a game of whack-a-mole.”
Levy also said, “This campaign underscores the reality that browsers no longer sit on corporate endpoints — they are the endpoint. Enterprises need to adapt their defenses accordingly.”
Inside the GhostPoster Browser Extension Campaign
GhostPoster isn’t just one bad extension — it’s a broader campaign built to blend into normal browser behavior for long stretches of time.
LayerX researchers linked the same infrastructure and tactics that Koi had discovered to 17 additional extensions, which together saw more than 840,000 downloads and, in some cases, remained active for up to five years.
This suggests the operation wasn’t a short-lived experiment, but a long-running effort that repeatedly slipped past store screening.
At the core of the campaign is a multi-stage execution chain designed for stealth.
In the original GhostPoster sample, Koi Security found the initial loader was hidden inside the binary data of the extension’s PNG icon file using steganography.
After installation, the extension parses the icon at runtime, extracts the concealed code, and then delays activation — often 48 hours or longer — before contacting command-and-control (C2) infrastructure.
That dormancy window helps the extension avoid short behavioral sandboxes and early “new install” scrutiny.
Once active, it can pull down additional JavaScript payloads and perform actions such as injecting scripts into browsing sessions, hijacking affiliate traffic, and weakening web security protections by tampering with policies like Content Security Policy (CSP) or HTTP Strict Transport Security (HSTS). Both are delivered by the site as HTTP response headers, so an extension holding the right request-modification permissions can strip or rewrite them before the browser ever enforces them.
LayerX also identified a more evasive variant that pushes the concept even further.
Instead of relying only on the icon, the malicious logic lives inside the extension’s background script and stages the payload inside another bundled image file.
The code searches the raw image bytes for a delimiter pattern, the ASCII string ">>>>", decodes everything after it, stores it in local extension storage, and executes it later.
In that version, the malware can “sleep” for around five days before initiating network activity, signaling a deliberate move toward longer dormancy, modular updates, and greater resistance to both static analysis and short-lived runtime detection.
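The staging trick described above, an image file that doubles as a payload container, is easy to check for statically once you know the two tells: bytes that sit past the end of a well-formed PNG, and a delimiter followed by an encoded blob. The following Node.js checker is an added example written for this article; it is not code from the article, from Koi Security, or from LayerX. It assumes the blob after the delimiter is base64 (the article only says "decodes"), walks the PNG chunk list to find the true end of the image, and reports what it finds without executing anything. The sample PNG and the stand-in payload are constructed inline for the demo.

```javascript
// Added example (not code from the article, Koi Security or LayerX): a Node.js
// checker for the staging trick described above, an image file that carries a
// hidden blob. It uses two independent signals: bytes that follow the PNG IEND
// chunk (a well-formed PNG ends there), and the ASCII delimiter ">>>>" followed
// by a base64 blob (encoding assumed; the article only says "decodes").
// It only reports what it finds; nothing is executed.
// The sample PNG and the stand-in payload below are constructed for the demo.

const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const DELIMITER = Buffer.from('>>>>', 'ascii');

// Walk the chunk list and return the offset just past IEND, or -1 when the
// buffer is not a PNG or ends before IEND. CRCs are not checked; an attacker
// controls them anyway, so they carry no signal here.
function pngEndOffset(buf) {
  if (buf.length < PNG_SIG.length || !buf.subarray(0, 8).equals(PNG_SIG)) return -1;
  let off = 8;
  while (off + 12 <= buf.length) {          // length(4) + type(4) + crc(4)
    const len = buf.readUInt32BE(off);
    const type = buf.toString('ascii', off + 4, off + 8);
    off += 12 + len;                         // skip header, data and CRC
    if (type === 'IEND') return off <= buf.length ? off : -1;
  }
  return -1;
}

// A decoded blob that is almost entirely printable ASCII is text, not pixels.
function looksLikeScript(bytes) {
  if (bytes.length === 0) return false;
  let printable = 0;
  for (const b of bytes) {
    if ((b >= 0x20 && b < 0x7f) || b === 0x0a || b === 0x0d || b === 0x09) printable++;
  }
  return printable / bytes.length > 0.95;
}

// Inspect one image file. Works on non-PNG files too: the delimiter signal
// does not depend on the container format.
function inspectImage(buf) {
  const end = pngEndOffset(buf);
  const trailingBytes = end >= 0 ? buf.length - end : 0;
  const at = buf.indexOf(DELIMITER);
  let hidden = null;
  if (at >= 0) {
    // Keep only base64 alphabet characters so binary noise after a chance
    // delimiter hit does not break the decode.
    const b64 = buf.toString('latin1', at + DELIMITER.length).replace(/[^A-Za-z0-9+/=]/g, '');
    const decoded = Buffer.from(b64, 'base64');
    hidden = {
      offset: at,
      bytes: decoded.length,
      script: looksLikeScript(decoded),
      preview: decoded.toString('utf8', 0, 40),
    };
  }
  return {
    validPng: end >= 0,
    trailingBytes,
    hidden,
    suspicious: trailingBytes > 0 || (hidden !== null && hidden.script),
  };
}

// --- constructed sample input -------------------------------------------
function pngChunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length, 0);
  return Buffer.concat([len, Buffer.from(type, 'ascii'), data, Buffer.alloc(4)]); // CRC left zero
}
// 1x1 RGBA IHDR followed directly by IEND: the smallest skeleton this checker needs.
const IHDR = Buffer.from([0, 0, 0, 1, 0, 0, 0, 1, 8, 6, 0, 0, 0]);
const CLEAN_PNG = Buffer.concat([PNG_SIG, pngChunk('IHDR', IHDR), pngChunk('IEND', Buffer.alloc(0))]);

// Harmless stand-in for a loader stage (constructed; not a real sample).
const FAKE_LOADER = "// stage-2 placeholder\nconsole.log('loader');";
const STASHED_PNG = Buffer.concat([
  CLEAN_PNG,
  DELIMITER,
  Buffer.from(Buffer.from(FAKE_LOADER, 'utf8').toString('base64'), 'ascii'),
]);

function demo() {
  return { clean: inspectImage(CLEAN_PNG), stashed: inspectImage(STASHED_PNG) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it over every image in an unpacked extension directory (the `_metadata` folder included) and treat either signal as a reason to open the background script. The two checks are deliberately independent: a loader that hides its blob inside a legitimate chunk would defeat the trailing-bytes test but not the delimiter scan, and a variant that changes the delimiter would defeat the scan but still leave bytes past IEND. A ">>>>" that happens to occur inside compressed pixel data decodes to noise and fails the printable-text test, so that path stays quiet.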
How to Reduce Browser Extension Risk
Browser extensions can be a hidden security blind spot, especially when malicious add-ons blend into normal user behavior and quietly run for weeks or months.
With attackers using stealthy techniques like delayed execution and session manipulation, organizations need controls that go beyond store takedowns and basic user training.
- Audit and inventory browser extensions across managed devices, paying special attention to anything installed outside policy controls.
- Enforce extension allowlisting, block sideloading/developer mode, and restrict installs to approved sources only.
- Limit high-risk permissions and apply stricter browser baselines for privileged roles like IT admins, finance, and executives.
- Monitor for suspicious extension behavior such as delayed outbound traffic, unusual chrome.storage usage, and dynamic script execution patterns.
- Detect web-session and security policy tampering by hunting for header manipulation that weakens protections like Content Security Policy (CSP) or HTTP Strict Transport Security (HSTS).
- Reduce token theft impact by tightening conditional access, shortening session lifetimes, and enforcing strong authentication.
- Test incident response plans regularly so teams can quickly disable malicious extensions, revoke sessions, and contain affected endpoints.
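The audit, permission-limiting and header-tampering items above can be turned into one static check that an inventory job runs over every unpacked extension on managed devices. The Node.js script below is an added example written for this article, not code from the article, Koi Security or LayerX. It reads an extension's manifest.json and any enabled declarativeNetRequest ruleset, flags permissions from a list that is this example's own choice, and reports modifyHeaders rules that remove or rewrite CSP, HSTS and a few related response headers. The suspect and benign manifests and the ruleset are constructed inline; the rule and manifest field names are the real MV3 formats.

```javascript
// Added example (not code from the article, Koi Security or LayerX): a static
// audit of an unpacked extension's manifest.json and its declarativeNetRequest
// ruleset, the kind of check an inventory job can run over every extension on
// managed devices. It flags high-risk permissions and, for the CSP/HSTS point
// above, rules that strip or rewrite security response headers. Both inputs
// are constructed for the demo; the flagged names are this example's own list.

const SECURITY_HEADERS = new Set([
  'content-security-policy',
  'content-security-policy-report-only',
  'strict-transport-security',
  'x-frame-options',
  'cross-origin-opener-policy',
]);

const HIGH_RISK = new Map([
  ['webRequest', 'observes every request'],
  ['webRequestBlocking', 'rewrites requests and headers (MV2)'],
  ['declarativeNetRequestWithHostAccess', 'rewrites requests and headers on granted hosts'],
  ['scripting', 'injects script into pages'],
  ['cookies', 'reads session cookies'],
  ['<all_urls>', 'host access to every site'],
]);

function auditPermissions(manifest) {
  const findings = [];
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of declared) {
    if (HIGH_RISK.has(p)) {
      findings.push({ severity: 'medium', kind: 'permission', detail: `${p}: ${HIGH_RISK.get(p)}` });
    }
  }
  // A content script on every site at document_start runs before the page's own code.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).includes('<all_urls>')) {
      findings.push({ severity: 'medium', kind: 'content_script',
        detail: `${(cs.js || []).join(',')} injected into <all_urls> at ${cs.run_at || 'document_idle'}` });
    }
  }
  return findings;
}

// Flag modifyHeaders rules whose response-header edits touch a security header.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (!rule.action || rule.action.type !== 'modifyHeaders') continue;
    for (const h of rule.action.responseHeaders || []) {
      const name = String(h.header).toLowerCase();
      if (!SECURITY_HEADERS.has(name)) continue;
      const scope = (rule.condition && rule.condition.urlFilter) || '*';
      findings.push({ severity: 'high', kind: 'header_tamper',
        detail: `rule ${rule.id} ${h.operation}s ${name} on ${scope}` });
    }
  }
  return findings;
}

// rulesByPath maps the rule_resources paths named in the manifest to parsed JSON.
function auditExtension(manifest, rulesByPath) {
  const findings = auditPermissions(manifest);
  const resources = (manifest.declarative_net_request || {}).rule_resources || [];
  for (const res of resources) {
    if (res.enabled && rulesByPath[res.path]) findings.push(...auditRules(rulesByPath[res.path]));
  }
  return findings;
}

// --- constructed sample input -------------------------------------------
const SUSPECT_MANIFEST = {
  manifest_version: 3,
  name: 'Reader Mode Plus (constructed sample)',
  permissions: ['storage', 'scripting', 'declarativeNetRequestWithHostAccess'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'], run_at: 'document_start' }],
  declarative_net_request: { rule_resources: [{ id: 'ruleset_1', enabled: true, path: 'rules.json' }] },
};
const SUSPECT_RULES = {
  'rules.json': [{
    id: 1, priority: 1,
    action: { type: 'modifyHeaders', responseHeaders: [
      { header: 'Content-Security-Policy', operation: 'remove' },
      { header: 'Strict-Transport-Security', operation: 'remove' },
    ] },
    condition: { urlFilter: '*', resourceTypes: ['main_frame', 'sub_frame'] },
  }],
};
const BENIGN_MANIFEST = { manifest_version: 3, name: 'Notes (constructed sample)', permissions: ['storage'] };

function demoSuspect() { return auditExtension(SUSPECT_MANIFEST, SUSPECT_RULES); }
function demoBenign() { return auditExtension(BENIGN_MANIFEST, {}); }

for (const f of demoSuspect()) console.log(`[${f.severity}] ${f.kind}: ${f.detail}`);
```

Two caveats a practitioner should keep in mind. First, this check only sees rules that ship in static rule files; an extension can also add session or dynamic rules at runtime, and a loader that sleeps for days will not have done so yet when the package is reviewed, so the static audit is a floor, not a ceiling. Second, the permission list is a policy choice: start from the entries above, then extend it with whatever your own baseline for privileged roles treats as disallowed.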
These controls help limit how far an attacker can go — even if an extension is compromised.
Browser Extensions Are a Supply Chain Risk
GhostPoster is a reminder that extension stores aren’t a security boundary and that trusted browser add-ons can quietly become long-lived footholds for session theft and web-layer manipulation.
As attackers refine stealth tactics like steganography, delayed activation, and modular payload updates, enterprises need to treat extensions like any other software supply chain risk.
That means enforcing strong policies, monitoring extension behavior, and backing controls with rehearsed response playbooks.
To further limit what compromised extensions can access, organizations are adopting zero-trust solutions that verify every request and minimize implicit trust.
