Malware | December 17, 2025 | 4 min read

GhostPoster Malware Hides in Firefox Extension Logos, Infects 50,000 Users

Security researchers uncover sophisticated steganography attack concealing malicious JavaScript within PNG logo files of 17 Firefox browser extensions.

James Rivera

Security researchers at Koi have uncovered a sophisticated malware campaign that compromised 17 Firefox browser extensions, affecting more than 50,000 users through a novel technique that hides malicious code within the PNG logo files of seemingly legitimate add-ons.

The operation, dubbed "GhostPoster," demonstrates how threat actors continue to find creative ways to evade detection systems while maintaining persistent access to victim browsers.

A Creative Concealment Technique

The attack leverages steganography—the practice of hiding information within other data—to embed malicious JavaScript directly inside the PNG image files used as extension logos. When the compromised extensions load, the malware parses these image files searching for specific markers containing "===" to extract and execute the hidden JavaScript payload.

This technique is particularly clever because security scanning tools typically focus on JavaScript files and manifest configurations when reviewing browser extensions. Image files are often overlooked or only scanned for known malware signatures, not for embedded code hidden within pixel data.
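As an added example (not code from the article or from Koi's research), the following defender-side scanner parses the chunk structure of an extension's PNG logo and flags code-like text in the places an image decoder never renders: bytes appended after the IEND chunk and the tEXt/zTXt/iTXt metadata chunks. The "===" marker comes from the article; the extra JavaScript tokens in the pattern, and the assumption that the payload sits outside the pixel stream, are the example's own heuristics, since the page does not state the exact embedding layout.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# The "===" marker the article describes, plus JS tokens added here as assumed heuristics.
SUSPICIOUS = re.compile(rb"===|function\s*\(|eval\s*\(|new Function|browser\.runtime")

def png_chunks(data):
    """Split a PNG into (type, payload) chunks plus whatever follows IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype, data[pos + 8:pos + 8 + length]))
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC
        if ctype == b"IEND":
            break
    return chunks, data[pos:]

def scan_png(data):
    """Return (location, marker) findings for code-like text hidden in a PNG."""
    chunks, trailer = png_chunks(data)
    findings = []
    if trailer:  # bytes after IEND: ignored by decoders, readable by a loader
        m = SUSPICIOUS.search(trailer)
        findings.append(("after-IEND", m.group().decode() if m else None))
    for ctype, payload in chunks:
        if ctype not in (b"tEXt", b"zTXt", b"iTXt"):
            continue
        if ctype == b"zTXt":  # layout: keyword\0 method-byte zlib-data
            try:
                payload = zlib.decompress(payload.split(b"\x00", 1)[1][1:])
            except (IndexError, zlib.error):
                pass
        m = SUSPICIOUS.search(payload)
        if m:
            findings.append((ctype.decode(), m.group().decode()))
    return findings

def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def build_sample(trailer=b"", text_chunk=None):
    """Constructed 1x1 RGB PNG with optional tEXt chunk and bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one pixel
    body = _chunk(b"IHDR", ihdr) + (_chunk(b"tEXt", text_chunk) if text_chunk else b"")
    return PNG_SIG + body + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer
```

Run `scan_png` over every image in an unpacked extension directory; any non-empty result, including plain trailing bytes with no recognised marker, warrants a manual look before the add-on is trusted.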

Multi-Stage Infection Chain

The GhostPoster malware employs a sophisticated multi-stage infection process designed to evade detection:

Stage 1: Delayed Activation

After installation, the malware remains dormant for 48 hours before attempting to contact command-and-control servers. This delay helps evade automated analysis systems that typically monitor extensions for only short periods after installation.

Stage 2: Probability-Based Payload Delivery

The loader contacts external servers at domains including "www.liveupdt[.]com" and "www.dealctr[.]com" to retrieve additional payloads. However, payloads are only delivered approximately 10% of the time, further complicating analysis efforts.

Stage 3: Encryption and Obfuscation

Retrieved payloads use multiple layers of protection including base64 encoding, case-swapping obfuscation, and XOR encryption derived from the extension's unique runtime ID.

Affected Extensions

The compromised add-ons impersonated legitimate productivity and utility tools that users would reasonably trust:

  • VPN applications (Free VPN, Global VPN - Free Forever)
  • Screenshot and productivity utilities
  • Translation tools (multiple Google Translate variants)
  • Media services (Free MP3 Downloader, LibreTV)
  • Privacy tools (Dark Reader Dark Mode, Ad Stop - Best Ad Blocker)

The irony of an ad blocker extension being used to conduct ad fraud operations underscores how attackers target the very users most concerned about their online privacy and security.

Monetization Through Multiple Channels

Once fully activated, the GhostPoster toolkit enables four primary monetization methods:

Affiliate Hijacking: The malware intercepts e-commerce links, particularly targeting major Asian platforms like Taobao and JD.com, redirecting affiliate commissions to attacker-controlled accounts.

Tracking Injection: Every website visited by infected users has Google Analytics tracking codes injected, allowing attackers to build detailed profiles of browsing behavior for sale or targeted advertising.

Security Header Stripping: The malware removes protective HTTP headers including Content Security Policy (CSP) and X-Frame-Options, making infected users vulnerable to cross-site scripting and clickjacking attacks.

Ad Fraud Operations: Through invisible, self-deleting iframes, the malware loads attacker-controlled URLs to generate fraudulent ad impressions and clicks.

CAPTCHA Bypass Capabilities

Perhaps most concerning, the toolkit includes three distinct CAPTCHA circumvention techniques, allowing automated operations to continue even when protective measures attempt to block suspicious activity. This capability suggests the attackers have invested significant resources in maintaining persistent access to victim browsers.

Mozilla's Response

Mozilla has removed all identified malicious extensions from the Firefox Add-ons repository and updated automated detection systems to identify similar attack patterns. However, users who installed the extensions before removal may still be infected.

Protecting Yourself

For potentially affected users:

  • Review installed extensions at about:addons and remove any matching the affected list
  • Clear browser data including cookies and cached content
  • Review recent account activity for suspicious logins or transactions
  • Consider resetting browser to default settings

General extension hygiene:

  • Only install extensions from verified publishers with established track records
  • Regularly audit installed extensions and remove those no longer needed
  • Be skeptical of extensions that request broad permissions
  • Check extension reviews and user counts, though note that popularity alone does not guarantee safety

The GhostPoster campaign demonstrates that browser extensions remain an attractive attack vector for threat actors. As browsers continue to serve as the gateway to cloud applications and sensitive data, maintaining vigilance over installed extensions has become as important as traditional endpoint security.
