A new campaign named GhostPoster has leveraged logo files tied to 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code that hijacks affiliate links, injects tracking code, and carries out click and ad fraud.
Collectively, users downloaded the extensions more than 50,000 times, according to Koi Security, which uncovered the campaign. Following the disclosure, Mozilla removed the add-ons from the Firefox marketplace.
Malicious Add-Ons Masquerade as Legitimate Tools
Attackers marketed these browser programs as VPNs, screenshot tools, ad blockers, and unofficial versions of Google Translate. Notably, the oldest add-on, Dark Mode, appeared on October 25, 2024, and promised to enable a dark theme across all websites. The full list of the affected browser add-ons appears below –
- Free VPN
- Screenshot
- Weather (weather-best-forecast)
- Mouse Gesture (crxMouse)
- Cache – Fast site loader
- Free MP3 Downloader
- Google Translate (google-translate-right-clicks)
- Traductor de Google
- Global VPN – Free Forever
- Dark Reader Dark Mode
- Translator – Google Bing Baidu DeepL
- Weather (i-like-weather)
- Google Translate (google-translate-pro-extension)
- 谷歌翻译
- libretv-watch-free-videos
- Ad Stop – Best Ad Blocker
- Google Translate (right-click-google-translate)
Researchers Detail a Multi-Stage Malware Payload
“What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away your browser’s security protections, and opens a backdoor for remote code execution,” security researchers Lotan Sery and Noga Gouldman said.
The attack chain begins when the extension loads and fetches its logo file. Next, malicious code parses the image and searches for a marker containing the “===” sign to extract hidden JavaScript. That script then deploys a loader, which contacts an external server (“www.liveupdt[.]com” or “www.dealctr[.]com”) to retrieve the main payload, waiting 48 hours between each attempt.
To further evade detection, the loader retrieves the payload only 10% of the time. The randomness is deliberate: it helps the malware sidestep network traffic monitoring. Once delivered, the payload reveals a custom-encoded toolkit that monetizes browser activity without the victim’s knowledge in four distinct ways –
- Affiliate link hijacking, which intercepts affiliate links to e-commerce platforms like Taobao or JD.com and diverts commissions away from legitimate affiliates
- Tracking injection, which inserts Google Analytics tracking code into every visited web page to silently profile victims
- Security header stripping, which removes protections such as Content-Security-Policy and X-Frame-Options from HTTP responses, exposing users to clickjacking and cross-site scripting attacks
- Hidden iframe injection, which embeds invisible iframes into web pages to load attacker-controlled URLs and enable ad and click fraud
- CAPTCHA bypass, which uses multiple techniques to defeat CAPTCHA challenges and evade bot detection mechanisms
“Why would malware need to bypass CAPTCHAs? Because some of its operations, like the hidden iframe injections, trigger bot detection,” the researchers explained. “The malware needs to prove it’s ‘human’ to keep operating.”
Beyond probability checks, the add-ons also rely on time-based delays that prevent the malware from activating until more than six days after installation. Together, these layered evasion techniques significantly complicate detection efforts.
It’s worth emphasizing that not all the extensions above rely on the same steganographic attack chain. However, all of them exhibit identical behavior and communicate with the same command-and-control (C2) infrastructure. As a result, researchers attribute the campaign to a single threat actor or group experimenting with multiple lures and techniques.
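A defender reviewing add-on packages can check for the pattern described above: image data that continues past the format's own end marker and contains a “===” marker followed by script-like text. The following scanner is an added example, not code from Koi Security or the campaign; it assumes the logos are PNG files and uses a hypothetical token heuristic (`JS_TOKENS`) to decide whether the trailer looks like JavaScript, and the sample images are constructed inline.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Hypothetical heuristic: text after the "===" marker that resembles JavaScript.
JS_TOKENS = re.compile(r"\b(function|eval|fetch|document|window|atob|browser)\b|=>")

def png_logical_end(data: bytes):
    """Walk the PNG chunk list and return the offset just past IEND's CRC,
    or None if the bytes are not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                 # chunk header + payload + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def trailing_bytes(data: bytes) -> bytes:
    """Bytes appended after the image's own end; an image renderer ignores them."""
    end = png_logical_end(data)
    return data[end:] if end is not None else b""

def extract_hidden_script(data: bytes):
    """Return script-like text following a '===' marker in the trailer, else None."""
    trailer = trailing_bytes(data)
    if b"===" not in trailer:
        return None
    text = trailer.split(b"===", 1)[1].decode("utf-8", errors="replace")
    return text if JS_TOKENS.search(text) else None

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk (length, type, data, CRC) for the constructed samples."""
    crc = struct.pack(">I", zlib.crc32(ctype + payload))
    return struct.pack(">I", len(payload)) + ctype + payload + crc

# Constructed samples: a header-only 1x1 PNG, clean and with an appended script.
CLEAN_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) + _chunk(b"IEND", b"")
TAMPERED_PNG = CLEAN_PNG + b'pad===(function(){fetch("https://example.invalid/")})();'

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        print(name, "->", extract_hidden_script(blob))
```

Run the same two functions over every image inside an unpacked .xpi; any non-empty trailer is worth a look even when the script heuristic does not fire.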
Part of a Broader Trend in Malicious Browser Extensions
This development surfaced just days after researchers caught a popular VPN extension for Google Chrome and Microsoft Edge secretly harvesting AI conversations from ChatGPT, Claude, and Gemini and exfiltrating them to data brokers. Earlier, in August 2025, investigators observed another Chrome extension, FreeVPN.One, collecting screenshots, system information, and users’ locations.
“Free VPNs promise privacy, but nothing in life comes free,” Koi Security said. “Again and again, they deliver surveillance instead.”
Source: TheHackerNews