A new wave of the GhostPoster campaign has been discovered, involving 17 malicious extensions across Chrome, Firefox, and Microsoft Edge that collectively amassed 840,000 installations. These extensions, which include tools for translation, ad-blocking, and downloading, hide malicious JavaScript code within their logo images or bundled files to evade detection. Once installed, the extensions fetch an obfuscated payload that monitors browsing activity, hijacks affiliate links, and performs ad fraud using invisible iframes.
The campaign, first exposed in December, has evolved with more sophisticated techniques. A variant found in the "Instagram Downloader" extension moves its malicious logic into the background script and uses an image file as a covert payload container. The script scans the image for a specific delimiter, extracts hidden data, and executes it as JavaScript, demonstrating increased modularity and resilience against detection. Some of these extensions have been present in official stores since 2020, indicating a long-running operation.
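The loader described above (an image file that is really a container, with hidden data placed after a delimiter) leaves a structural trace a defender can check for without ever running anything: a well-formed PNG or JPEG ends at its IEND chunk or EOI marker, so any bytes after that point do not belong to the picture. The scanner below is an added example, not code from the article or from any browser vendor; it assumes the appended-after-end-marker layout and only reports what it finds, and the sample images it checks are constructed inline.

```python
"""Flag browser-extension image assets that carry data after the image's end marker.

Added example (not from the article). Assumes hidden data sits after the PNG IEND
chunk or the JPEG EOI marker; it reports the tail and never executes it.
"""
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def _png_end_offset(data):
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4          # length + type + body + CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def _jpeg_end_offset(data):
    """Walk JPEG segments; return the offset just past the real EOI marker.

    Scan data after SOS is skipped byte by byte, treating 0xFF00 stuffing and
    RSTn as data, so an EOI inside an embedded EXIF thumbnail is not mistaken
    for the end of the image.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte
            pos += 1
            continue
        if marker == 0xD9:                  # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):             # truncated segment header
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                  # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def trailing_bytes(data):
    """Bytes after the end marker: b'' when clean, None when not a parsable PNG/JPEG."""
    if data.startswith(PNG_SIG):
        end = _png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        end = _jpeg_end_offset(data)
    else:
        end = None
    return None if end is None else data[end:]


def scan_asset(name, data):
    """Classify one image asset; returns a dict ready for logging or alerting."""
    tail = trailing_bytes(data)
    if tail is None:
        return {"file": name, "verdict": "unparsable", "trailing": 0}
    if not tail:
        return {"file": name, "verdict": "clean", "trailing": 0}
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in tail)
    return {"file": name, "verdict": "suspicious", "trailing": len(tail),
            "textual": printable / len(tail) >= 0.9,   # script-like tail vs. binary padding
            "preview": tail[:32].hex()}


def scan_extension_dir(root):
    """Scan every PNG/JPEG under an unpacked extension directory (path is the caller's)."""
    files = [p for p in Path(root).rglob("*") if p.suffix.lower() in (".png", ".jpg", ".jpeg")]
    return [scan_asset(str(p), p.read_bytes()) for p in files]


# --- constructed samples, not real extension assets --------------------------
def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png():
    """A valid 1x1 greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")        # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_jpeg():
    """Structurally valid (not decodable) JPEG: SOI, APP0, SOS with stuffing and RST0, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + app0 + sos + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"


SAMPLES = {
    "icons/clean.png": make_png(),
    "icons/clean.jpg": make_jpeg(),
    "icons/logo128.png": make_png() + b"\x00--constructed-delimiter--\x00placeholder text standing in for hidden data",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(scan_asset(name, blob))
```

Run it against an unpacked extension directory with `scan_extension_dir(path)`; a `suspicious` verdict with `textual` set is the pattern worth escalating, while binary tails of a few bytes are more often editor or converter padding and deserve a look rather than an alert. The JPEG walker deliberately parses segments instead of searching for the first `FF D9`, because EXIF thumbnails contain their own complete JPEG and would otherwise produce false positives on ordinary icons.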
While Mozilla and Microsoft have removed the identified extensions from their stores, and Google has confirmed their removal from the Chrome Web Store, users who previously installed them may still be at risk. The campaign highlights the persistent threat posed by malicious browser add-ons that abuse trust and employ advanced obfuscation to maintain a foothold on victims' systems.
