A group of cybercriminals called DarkSpectre is believed to be behind three campaigns spread by malicious browser extensions: ShadyPanda, GhostPoster, and Zoom Stealer.
We wrote about the ShadyPanda campaign in December 2025, warning users that extensions which had behaved normally for years suddenly went rogue. After a malicious update, these extensions were able to track browsing behavior and run malicious code inside the browser.
Also in December, researchers uncovered a new campaign, GhostPoster, and identified 17 compromised Firefox extensions. The campaign was found to hide JavaScript code inside the image logo of malicious Firefox extensions with more than 50,000 downloads, allowing attackers to to monitor browser activity and plant a backdoor.
The use of malicious code in images is a technique called steganography. Earlier GhostPoster extensions hid JavaScript loader code inside PNG icons such as logo.png for Firefox extensions like “Free VPN Forever,” using a marker (for example, three equals signs) in the raw bytes to separate image data from payload.
Newer variants moved to embedding payloads in arbitrary images inside the extension bundle, then decoding and decrypting them at runtime. This makes the malicious code much harder for researchers to detect.
Based on that research, other researchers found an additional 17 extensions associated with the same group, beyond the original Firefox set. These were downloaded more than 840,000 times in total, with some remaining active in the wild for up to five years.
GhostPoster first targeted Microsoft Edge users and later expanded to Chrome and Firefox as the attackers built out their infrastructure. The attackers published the extensions in each browser’s web store as seemingly useful tools with names like “Google Translate in Right Click,” “Ads Block Ultimate,” “Translate Selected Text with Google,” “Instagram Downloader,” and “Youtube Download.”
The extensions can see visited sites, search queries, and shopping behavior, allowing attackers to create detailed profiles of users’ habits and interests.
Combined with other malicious code, this visibility could be extended to credential theft, session hijacking, or attacks targeting online banking workflows, even if those are not the primary goal today.
How to stay safe
Although we always advise people to install extensions only from official web stores, this case proves once again that not all extensions available there are safe. That said, the risk involved in installing an extension from outside the web store is even greater.
Extensions listed in the web store undergo a review process before being approved. This process, which combines automated and manual checks, assesses the extension’s safety, policy compliance, and overall user experience. The goal is to protect users from scams, malware, and other malicious activity.
Mozilla and Microsoft have removed the identified add-ons from their stores, and Google has confirmed their removal from the Chrome Web Store. However, already installed extensions remain active until users manually uninstall them.
If you’re worried that you may have installed one of these extensions, run a Malwarebytes Deep Scan with your browsers closed.
- On the Malwarebytes Dashboard click on the three stacked dots to select the Advanced Scan option.
- On the Advanced Scan tab, select Deep Scan. Note that this scan uses more system resources than usual.
- After the scan, remove any found items, and then reopen your browser(s).
Manual check:
These are the names of the 17 additional extensions that were discovered:
- AdBlocker
- Ads Block Ultimate
- Amazon Price History
- Color Enhancer
- Convert Everything
- Cool Cursor
- Floating Player – PiP Mode
- Full Page Screenshot
- Google Translate in Right Click
- Instagram Downloader
- One Key Translate
- Page Screenshot Clipper
- RSS Feed
- Save Image to Pinterest on Right Click
- Translate Selected Text with Google
- Translate Selected Text with Right Click
- Youtube Download
Note: There may be extensions with the same names that are not malicious.
We don’t just report on threats—we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.