A stealthy malware operation, codenamed GhostPoster, has compromised the browsers of more than 840,000 individuals by exploiting a deceptive tactic embedded in legitimate-looking extensions. Unlike traditional malware that resides within the extension code itself, this campaign conceals its payload deep within the image data of extension logos—an approach that allowed it to evade detection for years.

The attack, uncovered by security researchers at Koi Security late last year, targets users across Chrome, Firefox, and Edge. The malicious extensions, which have been available in Mozilla’s and Microsoft’s official stores since 2020, operate under the guise of utility tools such as ad blockers, price trackers, and translation aids. Once installed, they begin monitoring user activity before deploying a secondary script—triggered by a backdoor hidden in the logo’s image data—to manipulate affiliate links and redirect victims to fraudulent websites. The attackers then escalate their access, installing additional malware on compromised devices.

What makes this campaign particularly insidious is its persistence: these extensions bypassed vetting processes for over five years, infecting hundreds of thousands of systems without raising alarms. While Mozilla and Microsoft have since removed the malicious extensions from their stores, users who installed them before the takedown remain at risk unless they manually uninstall the software.

Hidden Threat: Malicious Browser Extensions Exploit Official Stores

The list of compromised extensions includes familiar names like ‘AdBlock,’ ‘Amazon Price History,’ and ‘Google Translate in Right Click,’ among others. Security experts warn that the threat extends beyond financial fraud, as the malware can unlock extended control rights on affected systems, leaving them vulnerable to further exploitation. The campaign underscores a growing trend where attackers exploit the trust users place in official app stores to deliver sophisticated, long-term threats.

For users concerned about potential exposure, the immediate priority is to review installed extensions and remove any from the list of known malicious tools. While the removal process should neutralize the primary threat, security researchers caution that residual scripts or secondary infections may still pose risks, urging affected users to conduct a full system scan with reputable antivirus software.

This incident serves as a stark reminder of the evolving tactics employed by cybercriminals and the importance of vigilance in an era where even seemingly benign browser add-ons can harbor hidden dangers. As the digital ecosystem grows more complex, so too do the methods used to exploit it—demanding both user awareness and robust security measures to stay ahead.