A sophisticated new malware campaign dubbed \u201cGhostPoster\u201d has been uncovered, leveraging a clever steganography technique to compromise approximately 50,000 Firefox users.<\/p>\n
The attack vector primarily involves seemingly innocent browser extensions, such as \u201cFree VPN Forever,\u201d which conceal malicious payloads within their own interface icons.<\/p>\n
Unlike traditional malware that relies on external downloads or obvious script injections, GhostPoster embeds its initial execution logic directly in the raw bytes of a PNG file, thereby bypassing standard security scanners<\/a> and marketplace reviews that typically treat image files as benign assets.<\/p>\n The infection process begins when the compromised extension<\/a> loads its logo.png file during regular operation.<\/p>\n Instead of simply displaying the image, the extension\u2019s code reads the file\u2019s binary data and searches for a specific hidden marker, identified as the sequence 0x3D 0x3D 0x3D (== =).<\/p>\n Once triggered, this mechanism extracts concealed JavaScript code that initiates a multi-stage infection chain.<\/p>\n This stealthy approach allows the malware to persist on the victim\u2019s browser, enabling operators to execute remote commands, strip security headers, and hijack user traffic for affiliate fraud without raising alarms.<\/p>\n Koi analysts noted<\/a> that the campaign spans at least 17 extensions, all communicating with the same command-and-control infrastructure, including liveupdt.com.<\/p>\n These researchers found that the malware not only compromised user privacy by injecting tracking scripts but also disabled critical browser protections, such as Content-Security-Policy headers.<\/p>\n By removing these safeguards, the attackers exposed users to additional risks, including cross-site scripting and clickjacking, while silently generating illicit revenue through forced redirects to e-commerce sites.<\/p>\n The extensions often remained dormant for days, utilizing time-based triggers to avoid immediate detection during the initial installation phase.<\/p>\n The most technically intriguing aspect of GhostPoster is its custom decoding routine that unpacks the payload retrieved from its command-and-control servers.<\/p>\n After the initial loader retrieves the encrypted data, it applies a unique three-step transformation algorithm to reconstruct the JavaScript<\/a> executable.<\/p>\n The process involves swapping all lowercase letters to uppercase and vice versa, exchanging the numbers \u20188\u2019 and \u20189\u2019, and finally performing a Base64 decode.<\/p>\n This obfuscation<\/a> is computationally simple yet effective at evading static signature detection. Following this decoding step, the payload is further processed using XOR encryption derived from the extension\u2019s unique runtime ID.<\/p>\n This ensures the decrypted code exists only in the browser\u2019s memory, leaving no static file footprint for forensic tools to analyze.<\/p>\n The malware intentionally introduces random delays and only fetches the payload occasionally, making dynamic analysis challenging for security teams<\/a> attempting to replicate the infection in a controlled environment.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New GhostPoster Attack Leverages PNG Icon to Infect 50,000 Firefox Users<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"This](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjViJ64ekmVjs5EQNoFE-XkmAu_qlQKUxZ3_9Lvmyq3x3z5Ja7dT82B4H72uZKmM55HR90E_lRDMIYLoHl_mGZRglHa0nXmlfB0J2x8ZJqbfIHetWrcfLV3PEQ7JUTJCDdv_KqX4ix6s7niT74-OaI-HyZLeVf1rQB75YCz9ojetjKeqx6PhDpRWKPOHzQ\/s16000\/This%2520seemingly%2520harmless%2520logo%2520hides%2520a%2520very%2520dark%2520secret%2520%28Source%2520-%2520Koi%29.webp?ssl=1\")
The Decryption Mechanism<\/strong><\/h2>\n
![\"Decoding](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhubOB9yFttC7vDkPAZ7Vg32SatblDSCtV-FZDBhbDzJWQ_KFYeySboqZhhC6N6hodmuIKy8DQAZQ7YH8o-k1LSEuc4hH_renqvHXo9LYqJcyPmRJ75PboCRs6ob-61zS_JApjP1099yoy7d78HzLHR8vab267VAVyXMuYpkTQMDi2e-EeRl6j22C-gkwU\/s16000\/Decoding%2520the%2520malicious%2520payload%2520%28Source%2520-%2520Koi%29.webp?ssl=1\")
![\"Free](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjKrOpzh1UA7nw-e0-RdZ5G6FPi4Zl4B7CuQsdnnEaebr7FuFq8yhrV2uZDnLSRPOBsmTAYBy9vszPhwMcwcBhzZFF2fdShvncIjzxLB3bJinIkYY15P-bUhvY9snkw5-PSSMDoktUuFzxBq7Lhg-sU5kSrrXTOVrg2ass0Tcg5n9crG_DoruFdLPU3ZyY\/s16000\/Free%2520VPN%27s%2520page%2520on%2520Firefox%27s%2520marketplace%2520%28Source%2520-%2520Koi%29.webp?ssl=1\")