Security researchers have uncovered a new malware campaign called GhostPoster that hides malicious JavaScript code inside the image logos of Firefox browser extensions.

These extensions have been downloaded more than 50,000 times and are being used to secretly monitor browser activity and install a backdoor inside users’ browsers.

The campaign was discovered by researchers at Koi Security, who found that the malicious code is hidden inside PNG logo images using a technique called steganography. When the extension runs, it reads the raw data of the image file, extracts the hidden JavaScript, and executes it without the user knowing.

Once active, the malware gives attackers persistent, privileged access to the browser, which they use to hijack affiliate links, inject tracking scripts, and carry out click fraud and ad fraud. The malware does not steal passwords or redirect users to phishing sites directly, but it still poses a serious privacy and security risk.

The hidden JavaScript works as a loader that connects to a remote server to download the main malicious payload. To avoid detection, the loader only attempts the download on roughly one run in ten, and it waits up to 48 hours before activating, so a short sandbox run or a single observation of the extension will usually show no network activity at all. If the main server is unavailable, it switches to a backup domain.

Koi Security identified 17 compromised Firefox extensions linked to this campaign. These extensions come from popular categories such as VPN services, weather tools, translators, mouse gesture utilities, ad blockers, and media downloaders. Even though the extensions use slightly different methods to load the payload, they all communicate with the same attacker-controlled infrastructure and show similar behavior.

The investigation began with the FreeVPN Forever extension after Koi Security’s AI-based system flagged it for suspicious activity. Researchers noticed the extension was reading its own logo image file and scanning its binary data to locate the hidden JavaScript code.

The downloaded payload is heavily disguised using multiple obfuscation techniques, including case changes, base64 encoding, and encryption. After decoding, it unlocks a set of capabilities that allow it to interfere with browsing sessions across all websites.

According to the researchers, the malware can redirect affiliate links on major shopping websites so commissions go to the attackers. It injects Google Analytics tracking into every webpage a user visits, removes important security headers from web traffic, bypasses CAPTCHA protections using multiple techniques, and loads invisible iframes that perform ad fraud and click fraud before deleting themselves.

Although the current payload focuses on monetization and tracking, researchers warn that the stealthy design of the loader means attackers could easily push more dangerous malware in the future without users noticing.