GhostPoster malicious browser extension campaign across Chrome, Firefox, and Edge
Campaign
Summary
Hide ▲
Show ▼
The GhostPoster campaign resurfaced with 17 malicious extensions in Chrome, Firefox, and Edge, putting users at risk of browser monitoring, affiliate-link hijacking, and ad/click fraud. The cluster accumulated 840,000 installations, and some extensions may still remain installed on affected browsers.
Related Happenings
Silent Swap browser-extension clipboard clipper
Malware Activity
H score36
First: 30.06.2026 18:40
Last: 30.06.2026 18:40
Sources 1
About this happening:
The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Silent Swap browser-extension clipboard clipper
Malware ActivityAbout this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical Analysis
H score23
First: 25.06.2026 17:12
Last: 25.06.2026 17:12
Sources 1
About this happening:
A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical AnalysisAbout this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Timeline
-
17.01.2026 17:23 3 articles · 5mo ago
GhostPoster browser extension disclosure and takedown
Initial DisclosureGhostPoster malicious browser extensions were identified across Chrome, Firefox, and Edge stores, totaling 840,000 installations, and the cluster remained active despite exposure. The extensions hid JavaScript in logo or bundled image files, used a background script to extract hidden data marked by the delimiter >>>>, Base64-decode it, and execute staged payloads that tracked browsing activity, hijacked affiliate links, and injected invisible iframes for ad fraud and click fraud. Google, Microsoft, and Mozilla removed the newly identified listings, but users who had already installed them could still be exposed; LayerX also identified a more advanced Instagram Downloader variant that moved staging logic into the background script.
Show sources
- Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- Malicious GhostPoster browser extensions found with 840,000 installs — www.bleepingcomputer.com — 17.01.2026 17:23
- GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads — thehackernews.com — 17.12.2025 10:14