Introduction
A long-running and highly covert malware operation known as GhostPoster has been uncovered targeting users of popular web browsers through malicious extensions. The campaign successfully infiltrated official extension stores for Google Chrome, Mozilla Firefox, and Microsoft Edge, silently compromising more than 840,000 users over a period exceeding four years.
Background and Context
GhostPoster represents a shift toward stealth-focused supply chain abuse within browser ecosystems. Instead of exploiting browser vulnerabilities directly, the threat actor weaponized trust in extension marketplaces by distributing seemingly legitimate utilities such as ad blockers, translation tools, screenshot utilities, and media helpers.
The campaign was jointly investigated by researchers from Koi Security and LayerX Security, who identified a sophisticated, multi-stage infection chain designed to evade both automated store vetting and endpoint-based detection.
Technical Details
Steganographic Payload Delivery
At the core of GhostPoster’s evasion strategy is its unconventional payload delivery mechanism. Rather than embedding malicious logic directly within JavaScript files, the extensions concealed executable code inside PNG image files used as extension icons.
At runtime the extension read the raw bytes of those images, searched for the ASCII delimiter string >>>>, then decoded everything after the marker and executed it as JavaScript. If the payload is appended after the image body, a PNG decoder stops at the IEND chunk and the icon still renders normally, so store scanners and static analysis tools that examine only script files saw nothing but a valid image.
Delayed Execution for Detection Evasion
To further avoid behavioral detection, GhostPoster enforced a dormancy window of 48 hours to five days after installation before the loader ran. Automated review sandboxes and endpoint monitors that watch for network activity in the minutes or hours after an install therefore saw a benign extension.
Once activated, the loader initiated command-and-control communication to fetch additional modular JavaScript payloads from remote servers.
Malicious Capabilities
After full activation, GhostPoster-enabled extensions demonstrated a wide range of malicious behaviors, including:
- Removal of security headers such as Content-Security-Policy and Strict-Transport-Security from server responses, which lets injected content load on pages that would otherwise block it and stops the browser from enforcing HTTPS for those sites
- Hijacking affiliate marketing traffic for financial gain
- Injection of hidden iframes to generate fraudulent ad clicks
- Automated CAPTCHA solving
- Persistent tracking of user browsing activity
These capabilities enabled both monetization and long-term surveillance while maintaining a low operational profile.
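The header removal listed above is what a blocking webRequest listener can do once an extension holds broad host access. As an added example, not code from the campaign or from the researchers, the block below shows the filtering such a listener would return (so the effect is concrete) and, beside it, an audit that flags a manifest holding the permission combinations that make it possible. The two manifests are constructed for the example and do not correspond to any named extension.

```javascript
// Added example, not code from the campaign or from the researchers. Part (a)
// is the filtering a blocking webRequest listener would return to drop CSP and
// HSTS from every response. Part (b) is an audit that flags a manifest holding
// the permissions that make (a) possible. The manifests at the bottom are made up.

const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "strict-transport-security",
]);

// (a) The object returned from an onHeadersReceived listener replaces the
// response headers. Dropping CSP lets injected iframes and scripts load on
// pages that would otherwise refuse them; dropping HSTS removes the browser's
// HTTPS-only enforcement for the site.
function stripSecurityHeaders(responseHeaders) {
  return {
    responseHeaders: responseHeaders.filter(
      (h) => !SECURITY_HEADERS.has(h.name.toLowerCase())
    ),
  };
}
// A malicious MV2 extension would register it roughly as:
//   browser.webRequest.onHeadersReceived.addListener(
//     (d) => stripSecurityHeaders(d.responseHeaders),
//     { urls: ["<all_urls>"] }, ["blocking", "responseHeaders"]);

// (b) Host patterns that cover every site.
function isBroadHost(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// Flags permission sets that allow rewriting responses on arbitrary origins:
// MV2 webRequest + webRequestBlocking, or MV3 declarativeNetRequest (which can
// remove headers through modifyHeaders rules), each with a broad host pattern.
function auditManifest(manifest) {
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  const has = (p) => perms.includes(p);
  const broad = perms.some(isBroadHost);
  const findings = [];
  if (broad && has("webRequest") && has("webRequestBlocking"))
    findings.push("blocking webRequest on all sites: can strip response headers");
  if (broad && (has("declarativeNetRequest") || has("declarativeNetRequestWithHostAccess")))
    findings.push("declarativeNetRequest on all sites: can rewrite headers via modifyHeaders rules");
  if (broad && has("scripting"))
    findings.push("scripting on all sites: can inject arbitrary code into pages");
  return findings;
}

// Constructed manifests: one that presents as a translation helper but holds
// blocking webRequest on all sites, and one scoped to the single host it needs.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 2,
  name: "Translate Helper",
  permissions: ["contextMenus", "storage", "webRequest", "webRequestBlocking", "<all_urls>"],
};
const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: "Translate Helper",
  permissions: ["contextMenus", "storage"],
  host_permissions: ["https://translate.google.com/*"],
};

console.log(auditManifest(SUSPICIOUS_MANIFEST)); // one finding
console.log(auditManifest(SCOPED_MANIFEST));     // []
```

The audit is a capability check, not a verdict: legitimate ad blockers hold the same permissions. Its value is in surfacing a translation or screenshot utility whose manifest asks for far more than its stated job needs.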
Timeline of the Campaign
- 2020: Initial deployment targeting Microsoft Edge users
- 2021–2022: Expansion to Mozilla Firefox and Google Chrome
- 2023–2024: Continued operation with periodic payload updates and modular enhancements
- 2025: Campaign publicly disclosed following coordinated research efforts
The prolonged lifespan of the operation highlights systemic weaknesses in extension review and post-installation monitoring.
Affected Extensions and Scale
Researchers identified 17 confirmed malicious extensions distributed across major browsers. Collectively, these extensions accumulated approximately 840,000 installations.
Notable high-impact examples include:
- Google Translate in Right Click with over 522,000 Chrome users affected
- Translate Selected Text with Google exceeding 159,000 installations
- Ads Block Ultimate and Floating Player PiP Mode together accounting for nearly 90,000 installs
The attackers deliberately favored utility-style extensions with broad appeal to maximize reach.
Persistence and Platform Limitations
While Mozilla and Microsoft removed the malicious extensions from their stores following disclosure, the remediation effort remains incomplete. A store takedown only stops new installs; copies already installed on user systems keep running until the user removes them or the vendor pushes a blocklist entry that disables them remotely.
This limitation exposes a gap in browser security models: reactive store takedowns alone cannot retroactively disable malicious extensions already deployed at scale, and defenders should not assume a removed extension is also an inactive one.
Indicators of Compromise Overview
The campaign involved multiple extension identifiers and names spanning screenshot tools, translation utilities, ad blockers, media downloaders, and shopping helpers. Security teams are advised to review installed extensions against known indicators and remove any unapproved or suspicious entries.
MITRE ATT&CK Mapping
- Defense Evasion: Masquerading as legitimate utilities (T1036)
- Defense Evasion: Obfuscated Files or Information: Steganography (T1027.003) for the payload hidden in icon images, and Deobfuscate/Decode Files or Information (T1140) for decoding it at runtime
- Defense Evasion: Delayed execution to evade detection (T1678)
- Discovery: Browser information gathering (T1217)
Response and Mitigation Guidance
Organizations and individual users should take the following actions:
- Audit installed browser extensions and remove non-essential or untrusted entries
- Enforce strict extension allowlists in managed environments
- Deploy behavior-based monitoring capable of detecting suspicious network activity and DOM manipulation
- Educate users on the risks associated with installing extensions from unknown publishers
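A deny-by-default allowlist is the control that would have stopped the extensions above from being installed in a managed fleet in the first place. As an added example, not any vendor's code, the block below expresses such a policy in the ExtensionSettings shape that Chrome and Edge accept through managed policy and Firefox accepts in policies.json (a "*" default plus per-ID overrides), and evaluates an inventory of installed extensions against it. It assumes a per-ID entry replaces the "*" entry wholesale and that blocked_permissions is honoured (a Chrome and Edge key; Firefox's schema differs in its details); the extension IDs and the inventory are made up.

```javascript
// Added example, not vendor code. Evaluates installed extensions against an
// ExtensionSettings policy of the shape Chrome/Edge take via managed policy and
// Firefox takes in policies.json: a "*" default plus per-ID overrides.
// Assumptions: a per-ID entry replaces the "*" entry wholesale, and
// blocked_permissions is honoured (Chrome/Edge key; Firefox's schema differs
// in details). Extension IDs below are made up.

// Deny by default and name what is allowed. update_url is the Chrome Web Store
// update endpoint used for force-installed extensions.
const POLICY = {
  "*": {
    installation_mode: "blocked",
    blocked_install_message: "Extensions must be requested through IT.",
    blocked_permissions: ["webRequestBlocking", "debugger", "proxy"],
  },
  abcdefghijklmnopabcdefghijklmnop: {
    installation_mode: "force_installed",
    update_url: "https://clients2.google.com/service/update2/crx",
  },
  ponmlkjihgfedcbaponmlkjihgfedcba: { installation_mode: "allowed" },
};

// Returns { mode, permitted, reason } for one extension. manifestPermissions
// is the permissions list from its manifest, checked against blocked_permissions.
function evaluate(policy, extId, manifestPermissions = []) {
  const entry = policy[extId] || policy["*"] || {};
  const mode = entry.installation_mode || "allowed";
  if (mode === "blocked" || mode === "removed") {
    return { mode, permitted: false, reason: entry.blocked_install_message || "blocked by policy" };
  }
  const blocked = (entry.blocked_permissions || []).filter((p) => manifestPermissions.includes(p));
  if (blocked.length) {
    return { mode, permitted: false, reason: "uses blocked permission(s): " + blocked.join(", ") };
  }
  return { mode, permitted: true, reason: "" };
}

// Given what is actually installed (ID -> manifest permissions), return the
// IDs the policy does not permit; these are the ones to remove.
function findViolations(policy, installed) {
  return Object.entries(installed)
    .filter(([id, perms]) => !evaluate(policy, id, perms).permitted)
    .map(([id]) => id);
}

// Constructed inventory, as might be gathered from each profile's Extensions
// directory: two sanctioned extensions and one unknown ID with broad permissions.
const INSTALLED = {
  abcdefghijklmnopabcdefghijklmnop: ["storage"],
  ponmlkjihgfedcbaponmlkjihgfedcba: ["contextMenus", "storage"],
  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: ["webRequest", "webRequestBlocking", "<all_urls>"],
};

console.log(findViolations(POLICY, INSTALLED)); // the unknown ID only
```

The inventory step is the part most teams lack: the policy prevents future installs, but extensions added before the policy was applied, or on unmanaged profiles, only surface when someone enumerates what is actually on disk and compares it to the allowlist.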
Expert Commentary and Outlook
The GhostPoster campaign underscores how browser extensions remain an attractive and under-monitored attack surface. By prioritizing stealth, modularity, and long-term persistence, the threat actor demonstrated how mature operations can thrive within trusted ecosystems for years.
As browser vendors continue to rely heavily on pre-publication checks, defenders must assume that malicious extensions can and will bypass store controls. Proactive monitoring, least-privilege extension policies, and continuous reassessment of installed add-ons will be critical in mitigating similar threats moving forward.