Cybercriminals have distributed 17 malicious browser extensions across Chrome, Firefox, and Edge platforms, collectively downloading over 840,000 times and compromising user security for years. <\/p>\n
The GhostPoster campaign, which emerged as early as 2020, used deceptive extension names like \u201cGoogle Translate in Right Click,\u201d \u201cYoutube Download,\u201d and \u201cAds Block Ultimate\u201d to appear legitimate while quietly stealing sensitive user information. <\/p>\n
These extensions successfully bypassed security reviews<\/a> from major browser stores, remaining active for up to five years before being discovered. <\/p>\n The sheer scale of installations demonstrates the effectiveness of this attack and the difficulty users face distinguishing trustworthy extensions from dangerous imposters.<\/p>\n The attack exploits a fundamental weakness in browser security<\/a>: users trust extensions that appear in official stores. <\/p>\n The malicious extensions used steganography to hide malicious code inside PNG image files, a technique that conceals data in plain sight. <\/p>\n Once installed, the extensions extract the hidden payload and establish communication with attacker-controlled servers to download additional malicious scripts. <\/p>\n The malware then performs several harmful actions including hijacking affiliate links for financial gain, injecting scripts to track user behavior, manipulating HTTP headers to disable security protections, and stealing credentials and personal data. <\/p>\n The sophistication of these tactics shows this is not opportunistic malware but rather a well-planned operation targeting financial gain and sustained access to user devices.<\/p>\n LayerX Security analysts identified<\/a> the full scope of the campaign after Koi Security initially discovered one malicious Firefox extension. <\/p>\n Their investigation uncovered the interconnected infrastructure linking all 17 extensions, revealing that these were not isolated incidents but part of a coordinated effort. <\/p>\n The research exposed how the threat actor systematically expanded from Microsoft Edge to Firefox and then to Chrome, adapting their techniques to fit each platform\u2019s security requirements.<\/p>\n The malware\u2019s sophisticated infection mechanism<\/a> relies on delayed execution to evade detection. <\/p>\n When installed, the extension waits 48 hours or longer before activating, allowing it to slip past security scanning during initial review. <\/p>\n More advanced variants wait up to five days before connecting to remote servers, creating a window where the malware operates while detection tools<\/a> remain inactive. <\/p>\n The malicious code remains embedded inside the extension\u2019s background script and uses encrypted payloads that are decoded only at runtime, making static analysis nearly impossible and ensuring the threat remains hidden until fully activated on victim machines.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post 17 New Malicious Chrome GhostPoster Extensions with 840,000+ Installs Steals User Data<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"GhostPoster](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi4R09ga7eonRbKkto8L8mIiE-ig5A7GyfhMCaf5G_wXFvQSAq-TcopU18ToGGpbtOlrnPqM7l7o3OEseCw5w1YplYhXq2HV8uUJEHXI-jFEbvWK7gFwwo8EQsl2_c1vMCahJBTz4I0TLwub3wW-quFgugkdaimx7BZxeDo-Sn0d3NJgJAgKun6iwV1EMY\/s16000\/GhostPoster%2520Upload%2520to%2520Browser%2520Extension%2520Stores%2520%28Source%2520-%2520LayerX%2520Security%29.webp?ssl=1\")
![\"Firefox](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj7CC9qYYdUgwTUw-y5J64OGxNEYHvVZo7h39vhI_Wlcjtmjc9HVNC8osCypm2zjzsz5yi-9z00DH3ALxdUYxArHccONwbe5jvhrJzDkCS0diKcoYRZuloDKFUu7UKZQppBXV6UBwTJ9_LUF1geZJhByecByWwL9ywHk4l_JExv5ZFOpdKUt7eZJpevzBs\/s16000\/Firefox%2520Extension%2520Available%2520for%2520Download%2520in%2520Store%2520%28Source%2520-%2520LayerX%2520Security%29.webp?ssl=1\")
Techniques used<\/strong><\/h2>\n
![\"Decoded](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiQ1-3TT1qHF84V-0hR5eNwY0Gm414KqL7AQHcFdai9WlrpmYFGtSEzLJs2YUDZr2zBp5uOzPgHVKJyqkMCzfnKvc6rOwuxDm6Vu3s4exCRZGeXKmuNnygCzLA7Tw7txdKUUd-flbRY_ZyWgFsnv2yfZdsWyuQ2bJCuE73xI3kevkxYgHek4YlxUZxCeHY\/s16000\/Decoded%2520.png%2520Payload%2520%28Source%2520-%2520LayerX%2520Security%29.webp?ssl=1\")