
StegoAd malicious Edge extension operation

Malware Activity
H score 19
1 unique source, 1 article

Summary


The StegoAd operation was removed from the Edge Add-ons store after hiding payloads in images and fonts, stealing credentials, and driving ad fraud across installs that reached up to 2.6 million users. The extensions stayed dormant for days, evaded analysis checks, and expanded into session hijacking and covert telemetry.

Related Happenings

Edgecution malicious Microsoft Edge extension backdoor activity

Malware Activity
H score 23 · First: 24.06.2026 23:58 · Last: 24.06.2026 23:58 · Sources: 1

About this happening: The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...

SHub Reaper macOS infostealer variant

Malware Activity
H score 23 · First: 19.05.2026 00:42 · Last: 19.05.2026 00:42 · Sources: 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

GlassWorm OpenVSX sleeper extension campaign

Campaign
H score 45 · First: 28.04.2026 00:41 · Last: 28.04.2026 00:41 · Sources: 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
H score 30 · First: 27.04.2026 14:23 · Last: 27.04.2026 14:23 · Sources: 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
H score 38 · First: 14.04.2026 23:33 · Last: 14.04.2026 23:33 · Sources: 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

Timeline

  1. 29.06.2026 11:32 2 articles · 3h ago

    Microsoft removes 119 malicious Edge extensions

    Mitigation Patch Update

    Microsoft shut down 119 Edge Add-ons extensions linked to StegoAd and suspended the 90-plus developer accounts behind them after the extensions hid payloads in image and font files, stayed dormant through evasion checks, and later stole credentials and ran ad fraud. Microsoft also told users to compare installed add-ons against the removal list, change passwords for sensitive accounts, review recent sign-in activity, and enable strong two-factor authentication.

  2. 29.06.2026 11:32 1 article · 3h ago

    Microsoft details StegoAd credential theft and ad fraud tactics

    Technical Analysis Update

    Microsoft described StegoAd as a long-running malicious extension operation active since at least 2021, with 119 extensions that hid code in PNG, WebP, and WOFF2 files, used delayed activation and server-side validation, and in some variants fetched payloads from command-and-control servers. The retrieved payloads stole Google credentials and second-factor codes, harvested WordPress admin logins, exfiltrated cookies for session hijacking, and drove ad fraud through injected ads, affiliate hijacking, and redirected searches.
