Cybercriminals have distributed 17 malicious browser extensions across Chrome, Firefox, and Edge platforms, collectively downloading over 840,000 times and compromising user security for years.
The GhostPoster campaign, which emerged as early as 2020, used deceptive extension names like “Google Translate in Right Click,” “Youtube Download,” and “Ads Block Ultimate” to appear legitimate while quietly stealing sensitive user information.
These extensions successfully bypassed security reviews from major browser stores, remaining active for up to five years before being discovered.
The sheer scale of installations demonstrates the effectiveness of this attack and the difficulty users face distinguishing trustworthy extensions from dangerous imposters.
.webp "17 New Malicious Chrome GhostPoster Extensions with 840,000+ Installs Steals User Data 2")
The attack exploits a fundamental weakness in browser security: users trust extensions that appear in official stores.
The malicious extensions used steganography to hide malicious code inside PNG image files, a technique that conceals data in plain sight.
Once installed, the extensions extract the hidden payload and establish communication with attacker-controlled servers to download additional malicious scripts.
The malware then performs several harmful actions including hijacking affiliate links for financial gain, injecting scripts to track user behavior, manipulating HTTP headers to disable security protections, and stealing credentials and personal data.
.webp "17 New Malicious Chrome GhostPoster Extensions with 840,000+ Installs Steals User Data 4")
The sophistication of these tactics shows this is not opportunistic malware but rather a well-planned operation targeting financial gain and sustained access to user devices.
LayerX Security analysts identified the full scope of the campaign after Koi Security initially discovered one malicious Firefox extension.
Their investigation uncovered the interconnected infrastructure linking all 17 extensions, revealing that these were not isolated incidents but part of a coordinated effort.
Techniques used
The research exposed how the threat actor systematically expanded from Microsoft Edge to Firefox and then to Chrome, adapting their techniques to fit each platform’s security requirements.
The malware’s sophisticated infection mechanism relies on delayed execution to evade detection.
.webp "17 New Malicious Chrome GhostPoster Extensions with 840,000+ Installs Steals User Data 5")
When installed, the extension waits 48 hours or longer before activating, allowing it to slip past security scanning during initial review.
More advanced variants wait up to five days before connecting to remote servers, creating a window where the malware operates while detection tools remain inactive.
The malicious code remains embedded inside the extension’s background script and uses encrypted payloads that are decoded only at runtime, making static analysis nearly impossible and ensuring the threat remains hidden until fully activated on victim machines.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
