GhostPoster Campaign Uses Steganography in Firefox Addon Logos
Summary
The GhostPoster campaign, which hides malicious JavaScript in the PNG logos of Firefox extensions, has been linked to 17 additional extensions across the Chrome, Firefox, and Edge stores, for a combined total of 840,000 installations. The campaign, first reported by Koi Security researchers in December 2025, involves extensions that monitor browser activity and plant a backdoor. The hidden script acts as a loader that fetches the main payload from a remote server, doing so on only about 10% of attempts to evade detection. The payload can hijack affiliate links, inject tracking code, and commit click and ad fraud. The campaign originated on Microsoft Edge and later expanded to Firefox and Chrome; some of the extensions have been present in browser add-on stores since 2020. A more advanced variant of the payload was identified in the 'Instagram Downloader' extension, which uses a bundled image file as a covert payload container instead of a remote fetch for its first stage. The newly identified extensions have been removed from Mozilla's and Microsoft's add-on stores, and Google has confirmed the removal of all identified extensions from the Chrome Web Store, but removal from a store does not necessarily remove an extension from browsers that already installed it, so affected users should uninstall it themselves.
Timeline
- 17.01.2026 17:23 · 1 article
  GhostPoster Campaign Expands to Chrome and Edge with 840,000 Installs
  Another set of 17 malicious extensions linked to the GhostPoster campaign has been discovered in the Chrome, Firefox, and Edge stores, accumulating a total of 840,000 installations. The campaign originated on Microsoft Edge and then expanded to Firefox and Chrome. Some of the extensions have been present in browser add-on stores since 2020. A more advanced variant of the payload was identified in the 'Instagram Downloader' extension, which moves the malicious staging logic into the extension's background script and uses a bundled image file as a covert payload container. The background script scans the image's raw bytes for a specific delimiter (>>>>), extracts the data that follows it and stores it in local extension storage, then later Base64-decodes that data and executes it as JavaScript. Because the container image ships inside the extension package, this staging step involves no download, unlike the original loader's remote fetch, so network-based detection sees nothing until the decoded script itself acts. The newly identified extensions are no longer present in Mozilla's and Microsoft's add-on stores, but users who installed them may still be at risk and should remove them. Google has confirmed the removal of all identified extensions from the Chrome Web Store.
  Sources:
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- 17.12.2025 00:17 · 3 articles
  GhostPoster Campaign Discovered Using Steganography in Firefox Addon Logos
  Koi Security researchers discovered the GhostPoster campaign, which hides malicious JavaScript code in the PNG logos of Firefox extensions. The hidden script acts as a loader that fetches the main payload from a remote server, doing so on only about 10% of attempts to evade detection, and waits 48 hours between attempts. The payload also incorporates time-based delays that prevent activation until more than six days after installation, which defeats short-lived sandbox or review runs. The campaign involves 17 compromised extensions, primarily from popular categories such as VPNs, weather, and translation tools; the oldest, Dark Mode, was published on October 25, 2024, and the extensions have been collectively downloaded over 50,000 times. Once active, the payload can hijack affiliate links, inject tracking code, and commit click and ad fraud. It strips security headers such as Content-Security-Policy and X-Frame-Options from HTTP responses, headers that would otherwise restrict injected script and framing, and injects invisible iframes into pages to load URLs from attacker-controlled servers.
  Sources:
  - GhostPoster attacks hide malicious JavaScript in Firefox addon logos — www.bleepingcomputer.com — 17.12.2025 00:17
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
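The staging technique described for the 'Instagram Downloader' variant (a bundled image whose raw bytes contain a ">>>>" delimiter followed by Base64-encoded script) is easy to hunt for in an unpacked extension. The scanner below is an added example written for this page, not code from Koi Security, BleepingComputer, or any affected extension. Only the ">>>>" delimiter is taken from the reports; the check for bytes appended after the PNG IEND chunk is a general appended-payload test added here, and the sample image and the STAGED_SCRIPT string are constructed inputs, not recovered samples. It runs under Node.js with no dependencies beyond the global Buffer.

```javascript
// Added example: triage scanner for image assets shipped inside a browser extension.
// Reports (a) data after the PNG IEND chunk and (b) a ">>>>" delimiter followed by
// Base64 text, and decodes that text so an analyst can see what would be executed.
'use strict';

const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const DELIMITER = Buffer.from('>>>>', 'latin1'); // delimiter named in the GhostPoster report

// Walk the PNG chunk list and return the offset just past IEND, i.e. where a
// well-formed PNG should end. Returns -1 if the buffer is not a PNG or a chunk is
// truncated. Chunk CRCs are deliberately not validated: a tampered file can carry
// valid CRCs, and only the end offset matters here.
function pngEndOffset(buf) {
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIGNATURE)) return -1;
  let off = 8;
  while (off + 8 <= buf.length) {
    const length = buf.readUInt32BE(off);                 // big-endian data length
    const type = buf.toString('latin1', off + 4, off + 8); // 4-byte chunk type
    const next = off + 12 + length;                        // length + type + data + CRC
    if (next > buf.length) return -1;                      // truncated chunk
    if (type === 'IEND') return next;
    off = next;
  }
  return -1;
}

// Decode the bytes after the delimiter as Base64 only if they look like Base64, so a
// chance ">>>>" inside compressed pixel data is flagged but not mis-decoded.
function decodeAfterDelimiter(buf, delimiterOffset) {
  const tail = buf.toString('latin1', delimiterOffset + DELIMITER.length).trim();
  if (tail.length === 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(tail)) return null;
  return Buffer.from(tail, 'base64').toString('utf8');
}

function scanImage(buf) {
  const end = pngEndOffset(buf);
  const delimiterOffset = buf.indexOf(DELIMITER);
  let confidence = 'none';
  if (delimiterOffset >= 0) {
    // Nothing legitimate lives after IEND, so a delimiter there is a strong signal.
    confidence = end >= 0 && delimiterOffset >= end ? 'high' : 'low';
  }
  const trailingBytes = end >= 0 ? buf.length - end : 0;
  return {
    isPng: end >= 0,
    trailingBytes,
    delimiterOffset,
    confidence,
    payload: delimiterOffset >= 0 ? decodeAfterDelimiter(buf, delimiterOffset) : null,
    suspicious: trailingBytes > 0 || delimiterOffset >= 0,
  };
}

// ---- Constructed sample input (not a real extension asset) ----
// Minimal 1x1 PNG: signature, IHDR, IEND. The IHDR CRC is a zero placeholder (not
// checked above); the IEND CRC is the real constant for an empty IEND chunk.
function buildMinimalPng() {
  const ihdrData = Buffer.from([0, 0, 0, 1, 0, 0, 0, 1, 8, 6, 0, 0, 0]);
  const ihdr = Buffer.concat([Buffer.from([0, 0, 0, 13]), Buffer.from('IHDR', 'latin1'), ihdrData, Buffer.alloc(4)]);
  const iend = Buffer.concat([Buffer.from([0, 0, 0, 0]), Buffer.from('IEND', 'latin1'), Buffer.from([0xae, 0x42, 0x60, 0x82])]);
  return Buffer.concat([PNG_SIGNATURE, ihdr, iend]);
}

const CLEAN_PNG = buildMinimalPng();
// Hypothetical staged script standing in for the obfuscated loader a real sample carries.
const STAGED_SCRIPT = 'chrome.storage.local.get("s", r => eval(r.s));';
const STAGED_PNG = Buffer.concat([
  CLEAN_PNG,
  DELIMITER,
  Buffer.from(Buffer.from(STAGED_SCRIPT, 'utf8').toString('base64'), 'latin1'),
]);

console.log('clean :', scanImage(CLEAN_PNG));
console.log('staged:', scanImage(STAGED_PNG));
```

To use it on a real package, unzip the .xpi or .crx, read every image under the extension directory with fs.readFileSync, and pass each buffer to scanImage; anything with trailingBytes above zero or a 'high' confidence hit deserves a manual look at the background script that reads that file. Non-PNG images still get the delimiter check but no end-of-file check.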
Information Snippets
- GhostPoster hides JavaScript code in the PNG logos of Firefox extensions.
  First reported: 17.12.2025 00:17 · 2 sources, 3 articles
  - GhostPoster attacks hide malicious JavaScript in Firefox addon logos — www.bleepingcomputer.com — 17.12.2025 00:17
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- The malicious code grants operators persistent high-privilege access to the browser.
  First reported: 17.12.2025 00:17 · 2 sources, 3 articles
  - GhostPoster attacks hide malicious JavaScript in Firefox addon logos — www.bleepingcomputer.com — 17.12.2025 00:17
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- The loader fetches the payload on only about 10% of attempts to evade detection.
  First reported: 17.12.2025 00:17 · 2 sources, 3 articles
  - GhostPoster attacks hide malicious JavaScript in Firefox addon logos — www.bleepingcomputer.com — 17.12.2025 00:17
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- 17 compromised Firefox extensions were identified, spanning popular categories such as VPNs, weather, and translation tools.
  First reported: 17.12.2025 00:17 · 2 sources, 3 articles
  - GhostPoster attacks hide malicious JavaScript in Firefox addon logos — www.bleepingcomputer.com — 17.12.2025 00:17
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- The payload can hijack affiliate links, inject tracking code, and commit click and ad fraud.
  First reported: 17.12.2025 00:17 · 2 sources, 3 articles
  - GhostPoster attacks hide malicious JavaScript in Firefox addon logos — www.bleepingcomputer.com — 17.12.2025 00:17
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- The payload is heavily obfuscated via case swapping and Base64 encoding.
  First reported: 17.12.2025 00:17 · 2 sources, 3 articles
  - GhostPoster attacks hide malicious JavaScript in Firefox addon logos — www.bleepingcomputer.com — 17.12.2025 00:17
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- The final payload bypasses CAPTCHA via three distinct mechanisms.
  First reported: 17.12.2025 00:17 · 2 sources, 3 articles
  - GhostPoster attacks hide malicious JavaScript in Firefox addon logos — www.bleepingcomputer.com — 17.12.2025 00:17
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- Many of the malicious extensions were still available on Firefox's Add-ons page at the time of the December report.
  First reported: 17.12.2025 00:17 · 1 source, 1 article
  - GhostPoster attacks hide malicious JavaScript in Firefox addon logos — www.bleepingcomputer.com — 17.12.2025 00:17
- The extensions have been collectively downloaded over 50,000 times.
  First reported: 17.12.2025 10:14 · 1 source, 1 article
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
- The oldest add-on, Dark Mode, was published on October 25, 2024.
  First reported: 17.12.2025 10:14 · 1 source, 1 article
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
- The loader waits 48 hours between each attempt to fetch the payload.
  First reported: 17.12.2025 10:14 · 1 source, 1 article
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
- The payload incorporates time-based delays that prevent activation until more than six days after installation.
  First reported: 17.12.2025 10:14 · 1 source, 1 article
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
- The payload strips security headers such as Content-Security-Policy and X-Frame-Options from HTTP responses.
  First reported: 17.12.2025 10:14 · 2 sources, 2 articles
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- The payload injects invisible iframes into pages to load URLs from attacker-controlled servers.
  First reported: 17.12.2025 10:14 · 2 sources, 2 articles
  - GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- The GhostPoster campaign has been found in the Chrome, Firefox, and Edge stores with a total of 840,000 installations.
  First reported: 17.01.2026 17:23 · 1 source, 1 article
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- The campaign originated on Microsoft Edge and then expanded to Firefox and Chrome.
  First reported: 17.01.2026 17:23 · 1 source, 1 article
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- Some of the extensions have been present in browser add-on stores since 2020.
  First reported: 17.01.2026 17:23 · 1 source, 1 article
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- A more advanced variant of the GhostPoster payload was identified in the 'Instagram Downloader' extension.
  First reported: 17.01.2026 17:23 · 1 source, 1 article
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- The advanced variant moves the malicious staging logic into the extension's background script and uses a bundled image file as a covert payload container.
  First reported: 17.01.2026 17:23 · 1 source, 1 article
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- The background script scans the image's raw bytes for a specific delimiter (>>>>), extracts the data that follows it and stores it in local extension storage, then later Base64-decodes that data and executes it as JavaScript.
  First reported: 17.01.2026 17:23 · 1 source, 1 article
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- The newly identified extensions are no longer present in Mozilla's and Microsoft's add-on stores, but users who installed them may still be at risk and should remove them.
  First reported: 17.01.2026 17:23 · 1 source, 1 article
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- Google has confirmed the removal of all identified extensions from the Chrome Web Store.
  First reported: 17.01.2026 17:23 · 1 source, 1 article
  - Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
Similar Happenings
DarkSpectre Campaigns Target 8.8 Million Users with Malicious Browser Extensions
A Chinese threat actor, DarkSpectre, has been linked to three malicious browser extension campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—which have collectively impacted 8.8 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox over seven years. The campaigns facilitate data theft, search query hijacking, affiliate fraud, and corporate espionage by exfiltrating meeting-related data from video conferencing platforms. Additionally, five new malicious Chrome extensions impersonating HR and ERP platforms have been discovered, targeting Workday, NetSuite, and SAP SuccessFactors to hijack accounts. These extensions steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking. The extensions, some of which were recently taken down, used delayed activation and benign updates to evade detection and build trust before deploying malicious functionality.
Phantom Shuttle Chrome Extensions Steal User Credentials
Two malicious Chrome extensions named 'Phantom Shuttle' have been discovered in the Chrome Web Store, targeting users in China, particularly foreign trade workers. These extensions, active since at least 2017, hijack user traffic and steal sensitive data by routing it through attacker-controlled proxies. The extensions are promoted as proxy and network speed testing tools but contain covert data-theft functionality. They intercept HTTP authentication challenges, capture form data, steal session cookies, and extract API tokens. The extensions have been found to route traffic from over 170 targeted domains through the C2 infrastructure, capturing a wide range of sensitive information. The operation is likely China-based, and the extensions remain available in the Chrome Web Store as of the time of reporting.
ShadyPanda Browser Extensions Campaign Exploits 4.3M Installs
The ShadyPanda campaign has amassed over 4.3 million installations of malicious Chrome and Edge browser extensions, evolving from legitimate tools into spyware over multiple phases. The extensions, discovered by Koi Security, engaged in affiliate fraud, search hijacking, and remote code execution. The campaign remains active on the Microsoft Edge Add-ons platform, with one extension having 3 million installs. The extensions collect browsing history, search queries, keystrokes, mouse clicks, and other sensitive data, exfiltrating it to domains in China. Users are advised to remove these extensions and reset their account passwords. The ShadyPanda campaign used a supply-chain attack tactic by publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. The compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser, capable of downloading and running arbitrary JavaScript with full access to the browser's data and capabilities. The extensions could steal session cookies and tokens, allowing them to impersonate entire SaaS accounts such as Microsoft 365 or Google Workspace. The risk of malicious browser extensions extends beyond individual users, as they can access cookies, local storage, cloud auth sessions, active web content, and file downloads, blurring the line between endpoint security and cloud security. Organizations should enforce extension allow lists, treat extension access like OAuth access, audit extension permissions regularly, and monitor for suspicious extension behavior to reduce the risk of malicious extensions. Modern SaaS security platforms, such as Reco's Dynamic SaaS Security platform, can help organizations monitor and detect suspicious activity related to browser extensions in real time.
Malicious Chrome Extension 'Safery' Steals Ethereum Seed Phrases via Sui Blockchain
A fake Chrome extension named 'Safery: Ethereum Wallet' steals users' Ethereum wallet seed phrases by encoding them into Sui addresses and broadcasting microtransactions from a threat actor-controlled Sui wallet. The extension was uploaded to the Chrome Web Store on September 29, 2025, and remains available as of November 13, 2025. The malware avoids traditional command-and-control (C2) servers by embedding seed phrases in blockchain transactions, allowing the attacker to decode and reconstruct the original seed phrases to drain victims' funds. The extension was updated as recently as November 12, 2025, and is still available for download. Users are advised to stick to trusted wallet extensions and scan for mnemonic encoders, synthetic address generators, and hard-coded seed phrases.
ClayRat Spyware Campaign Targets Android Users in Russia
A rapidly evolving Android spyware campaign known as ClayRat continues to target Russian users through Telegram channels and phishing websites. The spyware disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick users into downloading malicious software. Over the past three months, researchers identified more than 700 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools. Once installed, the spyware can exfiltrate call logs, SMS messages, and notifications, take photos using the front camera, and send messages or place calls directly from the victim's phone. The spyware's operators employ a multifaceted strategy combining impersonation, deception, and automation. Distribution occurs mainly through phishing sites, Telegram channels, step-by-step installation guides, and session-based installers posing as Play Store updates. ClayRat's most concerning feature is its abuse of Android's default SMS handler role, allowing it to read, store, and send text messages without alerting users. This access is exploited to spread itself further, sending messages to every saved contact. The latest version of ClayRat introduces far broader capabilities by combining default SMS privileges with extensive abuse of Accessibility Services. Key functions include a keylogger that captures PINs, passwords, and patterns, full screen recording through the MediaProjection API, overlays that disguise malicious activity, and automated taps designed to block users from shutting down the device or deleting the app. These enhancements make the malware more persistent than earlier versions.
A new Android remote access trojan (RAT) called Fantasy Hub has been disclosed, sold as a Malware-as-a-Service (MaaS) product on Russian-speaking Telegram channels. Fantasy Hub enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos. The malware abuses the default SMS privileges to obtain access to SMS messages, contacts, camera, and files, and uses fake overlays to obtain banking credentials associated with Russian financial institutions. Fantasy Hub is available for $200 per week, $500 per month, or $4,500 per year, and its C2 panel provides details about compromised devices and subscription status. Zimperium's systems detected ClayRat variants as soon as they appeared, before public disclosures. The company shared its findings with Google, helping ensure protection through Google Play Protect. Security experts recommend a layered mobile security posture to reduce installation paths, detect compromise, and limit the blast radius. Users should only install applications from authorized Play/App stores.