StegoAd: 119 Malicious Edge Extensions Removed

Malicious Edge extensions from the StegoAd campaign using steganography to hide credential-stealing and ad-fraud code

Researchers have uncovered a network of malicious extensions inside the official Microsoft Edge store. These add-ons masqueraded as useful tools and operated for years alongside legitimate extensions. Disguised as ad blockers, weather widgets, video downloaders, PDF utilities, color pickers, and AI services, they actually stole credentials, planted browser backdoors, and ran advertising and affiliate fraud in search. Microsoft’s security team removed 119 extensions and detailed the operation, named StegoAd, in a dedicated report.

An Unusual Scale

The campaign’s scale proved unusual even for the browser add-on market. The malicious extensions appeared through more than 90 developer accounts. However, they shared common infrastructure and overlapping code fragments. Steganography became the main disguise. Specifically, the attackers hid commands and malicious code inside ordinary-looking files, so defensive systems would not immediately see the dangerous part.

StegoAd Reached Beyond Edge

StegoAd did not stop at Edge. According to Microsoft, the operators also released extensions for Chrome and Firefox. Moreover, the group’s activity traces back to at least 2021. The attackers even moved their work from the older Manifest V2 standard to the newer Manifest V3. Notably, Manifest V3 was designed in part to strengthen the security of browser add-ons.

Delayed Activation Raised the Risk

Deferred activation of the malicious code raised the danger further. After installation, an extension first behaved like a normal tool and performed its advertised function. The malicious components launched only three to five days later. Therefore, review systems might miss the second stage of the attack, while the user grew accustomed to the add-on.

A Skilled, Persistent Operator

Microsoft describes the StegoAd operators as technically advanced and highly capable attackers. The group regularly refined its evasion methods, changed its approach to managing extensions, and worked to stay invisible to the security teams of major browser makers. By the company’s estimate, more than 2.6 million users downloaded the malicious add-ons. However, the report does not clarify whether that figure covers Edge alone or every browser ecosystem. Given StegoAd’s presence in Chrome and Firefox, the real audience could be larger.

What Users Should Do

Users should review their installed extensions and remove anything unnecessary. Pay special attention to old video downloaders, ad blockers, internet “accelerators”, PDF tools, and small utility add-ons without a clear developer. If any match the list in Microsoft’s report, it is wise to change passwords, end active sessions in important services, and enable two-factor protection.
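To make that review concrete, here is an added audit script (not from the page or Microsoft's report) that walks an Edge profile's `Extensions` directory, lists each add-on's name, manifest version and high-risk permissions, and flags PNG assets that carry bytes after the `IEND` chunk, one simple form of the "ordinary-looking file" hiding place described above. The watch-list of permissions, the trailing-bytes heuristic and the sample profile it builds are assumptions; on Windows the real directory is normally `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions`.

```python
import glob
import json
import os
import tempfile

PNG_IEND = b"IEND\xae\x42\x60\x82"  # final chunk of a well-formed PNG
# Assumed watch-list: permissions that let an add-on read sessions or rewrite traffic.
HIGH_RISK = {"cookies", "webRequest", "scripting", "tabs", "history", "<all_urls>"}

def png_trailing_bytes(path):
    """Bytes appended after the PNG IEND chunk (0 for a clean file or a non-PNG)."""
    with open(path, "rb") as f:
        data = f.read()
    if not data.startswith(b"\x89PNG"):
        return 0
    idx = data.rfind(PNG_IEND)
    return 0 if idx < 0 else len(data) - (idx + len(PNG_IEND))

def audit_extensions(root):
    """Summarise every <root>/<id>/<version>/manifest.json under an Edge profile's Extensions dir."""
    findings = []
    for mpath in sorted(glob.glob(os.path.join(root, "*", "*", "manifest.json"))):
        vdir = os.path.dirname(mpath)
        version, ext_id = os.path.basename(vdir), os.path.basename(os.path.dirname(vdir))
        with open(mpath, encoding="utf-8-sig") as f:  # store files may carry a BOM
            manifest = json.load(f)
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        padded = []  # (relative path, extra bytes) for images carrying data after IEND
        for dirpath, _, files in os.walk(vdir):
            for fn in files:
                if fn.lower().endswith(".png") and (extra := png_trailing_bytes(os.path.join(dirpath, fn))):
                    padded.append((os.path.relpath(os.path.join(dirpath, fn), vdir), extra))
        findings.append({"id": ext_id, "version": version, "name": manifest.get("name", "?"),
                         "manifest_version": manifest.get("manifest_version"),
                         "risky_permissions": sorted(perms & HIGH_RISK), "png_with_trailing_data": padded})
    return findings

def build_sample_root():
    """Constructed sample profile: a benign widget plus a downloader whose icon has a padded tail."""
    root = tempfile.mkdtemp()
    for ext_id, name, perms, tail in (("aaaa", "Weather Widget", ["storage"], b""),
                                      ("bbbb", "Video Downloader", ["cookies", "webRequest"], b"HIDDEN-PAYLOAD")):
        vdir = os.path.join(root, ext_id, "1.0.0")
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w") as f:
            json.dump({"name": name, "manifest_version": 3, "permissions": perms}, f)
        with open(os.path.join(vdir, "icon.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + PNG_IEND + tail)
    return root
```

Run `audit_extensions()` against the real profile path instead of `build_sample_root()` to get the same summary for installed add-ons; a flagged image is a reason to look closer, not proof of compromise.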
