
GhostPoster Malware Campaign: 17 Malicious Browser Extensions Hit Chrome, Edge, and Firefox With 840,000+ Installs
LayerX linked 17 browser extensions across Chrome, Edge, and Firefox to the GhostPoster campaign. The add-ons hide a loader inside PNG icon files, delay activation for days, then fetch remote JavaScript to hijack affiliate traffic, inject tracking, weaken web security headers, and run ad and click fraud at scale.
TL;DR
GhostPoster is a long-running malicious browser extension campaign that used seemingly harmless productivity add-ons to quietly monetize and surveil users. Researchers tied 17 extensions across Chrome, Edge, and Firefox to the same infrastructure and tactics, with more than 840,000 cumulative installs. The standout technique is stealthy payload delivery: a loader hidden inside a PNG icon file, activation delayed for days, then remote JavaScript retrieval that enables affiliate hijacking, tracking injection, weakened web security headers, and ad and click fraud.
What happened
GhostPoster was initially documented in late 2025 after researchers found malicious JavaScript embedded inside extension logo files. New analysis expanded the scope: multiple extension stores and a much larger install base. The campaign appears to have originated in the Microsoft Edge add-ons ecosystem and later spread to Chrome and Firefox, with some listings dating back years.
This is a practical reminder that official extension stores reduce friction, not risk. Store takedowns help, but they do not remove already installed extensions. If the add-on remains installed, it can stay active even after delisting.
Why GhostPoster matters
Browser extensions sit inside a privileged trust boundary:
- They can observe and manipulate webpages
- They can inject scripts and iframes
- They can persist and update silently
- They often blend into normal browsing with no obvious symptoms
GhostPoster uses that position for monetization and control. Even if the campaign is financially motivated, the same delivery path can be repurposed to stage credential theft or initial access tooling later.
How the malware hides: PNG steganography and staged execution
GhostPoster uses a multi-stage chain designed to evade both store review and static scanners:
- A loader is embedded inside the binary data of an extension PNG icon
- After install, the extension reads the icon and extracts the hidden bytes
- Execution is delayed for 48 hours or longer, and C2 contact only occurs under specific conditions
- The loader then retrieves additional JavaScript payloads from remote infrastructure
LayerX also described variants that extend dormancy and modularity even further by decoding PNG embedded content into local storage, then later base64 decoding and dynamically executing the next stage. The net effect is a campaign that can survive quick inspections and behave like a sleeper.
What the payload does: monetization plus browser level control
Across reported samples, GhostPoster capabilities include:
- Affiliate hijacking on major ecommerce flows
- Tracking injection, including analytics style tracking added into browsing sessions
- Weakening web security by stripping or manipulating HTTP security headers such as CSP and HSTS; removing a site's CSP is what lets the extension's injected iframes and scripts run on pages that would otherwise block them
- Injecting hidden iframes and scripts used for ad fraud, click fraud, and tracking
- CAPTCHA bypass via multiple mechanisms, enabling automated flows and abuse
This mix of actions signals a mature operator: the goal is long lived revenue and low visibility, not noisy disruption.
Affected extensions and installs
Below is the list of the 17 extensions tied to the GhostPoster cluster and the install counts reported in the writeups.
| Extension name | Reported installs |
|---|---|
| Google Translate in Right Click | 522,398 |
| Translate Selected Text with Google | 159,645 |
| Ads Block Ultimate | 48,078 |
| Floating Player - PiP Mode | 40,824 |
| Convert Everything | 17,171 |
| Youtube Download | 11,458 |
| One Key Translate | 10,785 |
| AdBlocker | 10,155 |
| Save Image to Pinterest on Right Click | 6,517 |
| Instagram Downloader | 3,807 |
| RSS Feed | 2,781 |
| Cool Cursor | 2,254 |
| Full Page Screenshot | 2,000 |
| Amazon Price History | 1,197 |
| Color Enhancer | 712 |
| Translate Selected Text with Right Click | 283 |
| Page Screenshot Clipper | 86 |
Detection: what to hunt in enterprise telemetry
If you run managed browsers, prioritize these signals:
- Extension installs outside policy controls, especially "productivity" tools with vague publishers
- Extension bundles whose code fetches its own icon or another image asset as raw bytes and parses them, rather than just displaying them
- Long dormancy followed by a sudden burst of network activity to unknown domains
- DOM manipulation at scale, especially hidden iframe injection and link rewriting
- Response header tampering patterns (CSP, HSTS changes) seen in browser security telemetry
- Unexpected access to storage keys that later become executable script content
If you do not centrally log browser events, consider this incident a forcing function. Endpoint telemetry alone often misses the root cause when the actor lives inside the browser.
Mitigation checklist
- Enforce extension allowlisting for Chrome, Edge, and Firefox in managed environments
- Block installs from unmanaged sources and restrict "developer mode" where applicable
- Review extension inventories for the names above and remove suspicious add-ons immediately
- Add detections for extension initiated outbound requests and dynamic script execution patterns
- Limit ecommerce and affiliate exposure for corporate browsing, especially on shared endpoints
- Train users: treat "free productivity extensions" as software, not preferences
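The first item on the checklist is the one that actually closes the gap a store takedown leaves open. Below is an added example of a deny-by-default extension policy, not configuration from the page or from any vendor advisory; it uses the ExtensionSettings policy, which Chrome, Edge and Firefox all support, written in the JSON shape Chrome reads from its managed-policy directory. The extension ID is a placeholder, not an ID from the page.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Extensions must be approved by IT before installation."
    },
    "<approved-extension-id>": {
      "installation_mode": "force_installed",
      "update_url": "https://clients2.google.com/service/update2/crx"
    }
  }
}
```

On Linux this lives under `/etc/opt/chrome/policies/managed/`; on Windows and macOS the same object is delivered through Group Policy, Intune or a configuration profile, and Edge takes the identical policy name. Firefox reads the same `ExtensionSettings` object nested under `"policies"` in `policies.json`, with add-on IDs instead of Chrome IDs. Blocking `*` disables an already-installed extension that is not on the allowlist, which is exactly the control a store delisting does not give you.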
Frequently Asked Questions
Known samples were removed from major stores, but installed extensions remain active unless users or admins uninstall them.
Because store review and basic scanners often treat icons as inert media. Hiding executable data inside an image lets the loader bypass simple checks, then extract and run at runtime.
The documented behavior focuses on monetization and tracking, but the same remote JavaScript staging can be repurposed to deliver credential theft, session hijacking, or enterprise initial access tooling.
Deny by default for extensions and allowlist only approved add-ons. Then audit existing endpoints for the extension names and IDs and remove any matches.
Confirm through centralized browser management telemetry that the extension ID is absent, and check that no related outbound domains or dynamic script staging events continue.

