GhostPoster Malware Discovered in 17 Firefox Add-ons with Over 50,000 Downloads

A newly identified malware campaign named GhostPoster has been uncovered abusing logo image files embedded within browser extensions to deliver malicious JavaScript code. The operation targeted users of Mozilla Firefox through at least 17 compromised add-ons that collectively recorded more than 50,000 downloads before being removed.

The findings were disclosed by Koi Security, which identified the extensions masquerading as legitimate tools such as VPN services, screenshot utilities, ad blockers, weather widgets, and unofficial translation tools. Despite their advertised functionality, the extensions were engineered to covertly monetize user activity.

Among the earliest samples was an add-on named Dark Mode, published on October 25, 2024, which claimed to enable a universal dark theme across websites. Other extensions used names associated with Google Translate, VPN software, and browser enhancement tools, increasing their appeal and credibility among users.

Security researchers Lotan Sery and Noga Gouldman explained that the extensions deploy a multi-stage malware framework capable of monitoring browsing behavior, disabling built-in browser protections, and establishing a backdoor that enables remote code execution.

The infection process begins when a logo image file is retrieved as part of the extension loading process. Hidden within the image is obfuscated JavaScript code marked by a specific delimiter. Once extracted, a loader script contacts attacker-controlled servers such as www.liveupdt[.]com or www.dealctr[.]com to fetch the primary payload, with a built-in delay of 48 hours between retrieval attempts.


To avoid detection, the loader only attempts to download the payload in roughly 10 percent of execution cases. This probabilistic behavior, combined with delayed activation, is intended to evade security monitoring and traffic analysis systems. In many cases, the malware remains dormant for more than six days after installation.
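The image-borne delivery described above can be triaged by looking for data that an image parser would ignore. The following Python script is an added example, not code from the Koi Security report or from the add-ons: it walks a PNG's chunks, reports any bytes appended after the IEND chunk, and applies a cheap heuristic for whether that tail reads like JavaScript. The report does not name the image format or the delimiter used, so the PNG-trailer check, the marker tokens and the constructed sample image are assumptions of this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Assumed tokens: rarely present in image data, common in a JavaScript loader stub.
JS_MARKERS = (b"function", b"eval(", b"fetch(", b"XMLHttpRequest", b"setTimeout", b"document.")


def png_trailing_data(blob: bytes) -> bytes:
    """Return the bytes that follow the PNG IEND chunk (b'' if none).

    A well-formed PNG ends at IEND; image viewers ignore anything after it,
    which makes the trailer a convenient place to hide a payload.
    """
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return blob[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def looks_like_javascript(data: bytes) -> bool:
    """Heuristic: mostly printable text and at least one JS token."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)
    return printable > 0.9 and any(m in data for m in JS_MARKERS)


def scan_extension_image(blob: bytes) -> dict:
    """Summarise the trailing region as a small triage record."""
    tail = png_trailing_data(blob)
    return {"trailing_bytes": len(tail), "javascript_suspected": looks_like_javascript(tail)}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def make_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG used as test input; not a real add-on asset."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # one filter byte + one RGB pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    # Constructed benign stand-in for a delimited loader stub; not the campaign's payload.
    tainted = make_sample_png(b"--MARK--\nfunction init(){ setTimeout(init, 1000); }")
    print(scan_extension_image(make_sample_png()))
    print(scan_extension_image(tainted))
```

Run the scan over every image shipped in an unpacked extension directory and escalate any file whose trailer is non-empty, whether or not the heuristic fires.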

Once activated, the payload enables a comprehensive monetization toolkit that exploits browser activity through multiple techniques. These include hijacking affiliate links on e-commerce platforms, injecting Google Analytics tracking identifiers into visited pages, stripping security headers such as Content Security Policy, and injecting hidden iframes that load content from attacker-controlled servers to facilitate ad and click fraud.

The malware is also capable of bypassing CAPTCHA challenges using several techniques. Researchers noted that this capability is essential because some malicious actions, including hidden iframe loading, often trigger automated bot detection mechanisms.

Although not all of the identified add-ons rely on the same steganographic delivery technique, they all share identical behavioral patterns and communicate with the same command-and-control infrastructure. This consistency strongly suggests the involvement of a single threat actor experimenting with multiple lures and delivery variations.

The discovery follows recent incidents involving malicious browser extensions on Google Chrome and Microsoft Edge that were found harvesting conversations from ChatGPT, Claude, and Gemini. Earlier campaigns also demonstrated how so-called free VPN extensions collected screenshots, system metadata, and location information.

Koi Security warned that free VPN offerings often come with hidden costs, noting that many ultimately deliver surveillance and monetization rather than privacy.
