Researchers uncover 17 new malicious browser extensions linked to the GhostPoster campaign that accumulated 840,000 installations across Chrome, Firefox, and Edge stores.
Security researchers have identified 17 new browser extensions associated with the ongoing GhostPoster campaign, which collectively gathered over 840,000 installations across Chrome, Firefox, and Microsoft Edge stores. This discovery comes just weeks after Koi Security's initial December report about the campaign.
The extensions conceal malicious JavaScript code within their logo image files. When activated, this code establishes communication with attacker-controlled servers to retrieve a heavily obfuscated payload. The payload performs three primary malicious activities:
- Monitors browsing behavior to harvest sensitive data
- Hijacks e-commerce affiliate links to divert commissions
- Injects invisible iframes to generate fraudulent ad clicks
Below are the identified extensions with their installation counts:
| Extension Name | Installations |
|---|---|
| Google Translate in Right Click | 522,398 |
| Translate Selected Text with Google | 159,645 |
| Ads Block Ultimate | 48,078 |
| Floating Player – PiP Mode | 40,824 |
| Convert Everything | 17,171 |
| Youtube Download | 11,458 |
| One Key Translate | 10,785 |
| AdBlocker | 10,155 |
| Save Image to Pinterest on Right Click | 6,517 |
| Instagram Downloader | 3,807 |
| RSS Feed | 2,781 |
| Cool Cursor | 2,254 |
| Full Page Screenshot | 2,000 |
| Amazon Price History | 1,197 |
| Color Enhancer | 712 |
| Translate Selected Text with Right Click | 283 |
| Page Screenshot Clipper | 86 |
According to browser security firm LayerX, the campaign originated on Microsoft Edge around 2020 before expanding to Firefox and Chrome. Their analysis reveals significant technical evolution in the latest variants, particularly in the 'Instagram Downloader' extension:
- Malicious staging logic moved to background scripts
- Bundled image files used as covert payload containers
- Payload extraction triggered by scanning for delimiter (>>>>)
- Base64-decoded JavaScript executed after storage
"This demonstrates clear evolution toward longer dormancy and modularity," LayerX researchers noted. "The techniques increase resilience against both static and behavioral detection systems."
All identified extensions have been removed from official stores. However, users who previously installed them remain at risk. Security professionals recommend:
- Immediately remove any listed extensions using browser management tools (Chrome, Firefox, Edge)
- Conduct system scans using updated security software
- Monitor financial accounts for suspicious activity
- Reset credentials saved in browsers during the extension's active period
This incident highlights the persistent threat of malicious browser extensions, particularly those leveraging legitimate functionalities like translation tools and ad blockers to gain trust. Organizations should maintain strict extension approval policies, and users should regularly audit installed browser add-ons.
Comments
Please log in or register to join the discussion