A large-scale malicious browser extension campaign known as GhostPoster is continuing to spread, despite being publicly exposed late last year.
Security researchers have now identified another 17 malicious extensions across the Chrome, Firefox, and Microsoft Edge add-on stores, where they amassed a combined 840,000 installations.
The GhostPoster campaign was first reported in December by Koi Security, which uncovered extensions that concealed malicious JavaScript code inside seemingly harmless image files, such as extension logos. These extensions monitored users’ browsing activity and established a backdoor for further exploitation.
The hidden code fetches a heavily obfuscated payload from external servers, enabling attackers to track browsing behavior, hijack affiliate links on major e-commerce platforms, and inject invisible iframes used for ad fraud and click fraud.
Now, a new report from browser security firm LayerX confirms that the campaign remains active and has evolved in sophistication. LayerX identified the following 17 extensions as part of the ongoing GhostPoster operation, many of which impersonate popular utilities such as translators, ad blockers, screenshot tools, and media downloaders.
Notably, the most widely installed extension—Google Translate in Right Click—alone reached over 522,000 installs, highlighting how effective the campaign has been at blending in with legitimate browser tools.
According to LayerX, the campaign originated on Microsoft Edge before expanding to Firefox and Chrome. Some of the extensions had been listed in browser add-on stores since 2020, suggesting a highly successful long-term operation that managed to evade detection for years.
While much of the evasion and post-infection behavior matches what Koi previously documented, LayerX discovered a more advanced variant within the Instagram Downloader extension. In this version, the malicious staging logic was moved into the extension’s background script, and a bundled image file—not just the extension icon—was used as a covert container for the payload.
At runtime, the extension scans the image’s raw byte data for a specific delimiter, extracts the hidden content, stores it locally, and later Base64-decodes and executes it as JavaScript. This staged execution process allows the malware to remain dormant for longer periods and makes both static and behavioral detection significantly more difficult.
“This staged execution flow demonstrates a clear evolution toward longer dormancy, modularity, and resilience against both static and behavioral detection mechanisms,” LayerX said in its analysis.
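A defender-side check for the image-container technique described above, as an added example that is not code from LayerX, Koi Security, or the extensions themselves. It assumes the hidden content is appended after the PNG `IEND` chunk, which the reports summarized here do not specify, and flags images whose trailing bytes contain Base64 that decodes to text; the `####` marker, the sample image, and all function names are constructed for illustration.

```python
import base64, re, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")  # long Base64-looking run

def png_trailing_bytes(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")

def inspect_image(data: bytes) -> dict:
    """Flag a PNG whose trailing bytes hold Base64 that decodes to text."""
    trailing = png_trailing_bytes(data)
    result = {"trailing_len": len(trailing), "suspicious": False, "preview": None}
    for match in B64_RUN.finditer(trailing):
        raw = match.group().rstrip(b"=")
        try:
            decoded = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except ValueError:  # run length is not valid Base64
            continue
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in decoded)
        if printable / len(decoded) > 0.9:  # text-like, e.g. script source
            result.update(suspicious=True, preview=decoded[:60].decode("ascii", "replace"))
            break
    return result

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG, optionally with bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    return png + _chunk(b"IEND", b"") + appended

if __name__ == "__main__":
    # Constructed marker and harmless text; the real delimiter is not given here.
    blob = b"####" + base64.b64encode(b"console.log('constructed sample, not a real payload');")
    print(inspect_image(build_sample()))
    print(inspect_image(build_sample(blob)))
```

Run over the image files of an unpacked extension, a hit is a triage signal rather than proof, and content hidden inside image chunks or pixel data would need a different check.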
Researchers noted that the newly identified extensions have already been removed from Mozilla’s and Microsoft’s add-on stores. However, users who installed them previously may still be exposed to risk unless the extensions are manually removed.
Google confirmed to BleepingComputer that all of the identified extensions have now been removed from the Chrome Web Store as well.
The continued success of the GhostPoster campaign underscores persistent weaknesses in browser extension vetting processes and highlights how attackers are increasingly leveraging steganography and modular payloads to bypass security controls in widely trusted ecosystems.





