Koi Security has identified a malicious campaign targeting Firefox users through a series of extensions that rely on steganography to hide malware inside their icon images.
The extensions pose as free VPN services, ad blockers, translation tools, and weather forecast apps, but instead deploy a multi-stage payload that monitors users' activity, disables security protections, and allows remote code execution (RCE).
According to Koi, which named the campaign GhostPoster, at least 17 such extensions were published to the browser's add-ons marketplace, and they have been installed roughly 50,000 times in total.
One of the extensions, named Free VPN Forever, was published in September 2025 and has been installed over 16,000 times.
Koi observed that the extension would load its own logo file and then search through the raw bytes of the image for a specific marker.
The extension's developer used steganography to hide, after that marker, a loader that reaches out to a remote command-and-control (C&C) server to retrieve an encrypted payload.
To evade detection, the GhostPoster Firefox extensions do not call the C&C directly, and they fetch a payload on only 10% of successful C&C connections.
The loader decrypts the payload, a complete toolkit for user monitoring and browser monetization, then re-encrypts it and places it in browser storage for persistence.
For further evasion, additional time delays ensure that the malware is not activated until more than 6 days after the extension was installed, which is well beyond the window of a typical review or sandbox run.
The malware, Koi discovered, monitors users' visits to ecommerce websites in order to intercept clicks on affiliate links and replace them, so that the malware authors collect the commission on the purchase instead of the original affiliate.
Additionally, the malware injects Google Analytics tracking into every visited page, harvests data on all installed extensions, collects information on the merchant networks visited, and injects elements into specific sites to profile users without their knowledge.
Users of the GhostPoster Firefox extensions are also exposed to clickjacking and cross-site scripting attacks, because the malware strips security headers from HTTP responses.
According to Koi, the malware can also inject hidden iframes into web pages, and includes several CAPTCHA bypass techniques to ensure its activities are not blocked.
Koi says it identified 17 extensions that connect to the same two C&C servers to fetch a malicious payload, some using different delivery mechanisms, but all apparently linked to the same threat actor.
"These extensions strip your browser's security headers on every site you visit. They inject code into every page. They maintain a persistent connection to attacker-controlled servers, waiting for instructions. The payload can be updated at any time. What runs in your browser tomorrow is entirely up to them," Koi notes.
Related: Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors
Related: New Firefox Extensions Required to Disclose Data Collection Practices
Related: Supply Chain Attack Targets VS Code Extensions With 'GlassWorm' Malware
Related: Browser Extensions Pose Serious Threat to Gen-AI Tools Handling Sensitive Data
