GhostPoster Malware Campaign Resurfaces With 17 New Browser Extensions and 840,000 Installs

Listen to this Post

Featured Image

Introduction: A Silent Threat Inside Trusted Browsers

Browser extensions are often marketed as harmless productivity boosters—tools for translation, ad blocking, screenshots, or media downloads. But the GhostPoster campaign proves how dangerous this trust can be. Even after being publicly exposed, the malware operation has quietly returned with a new wave of malicious extensions, spreading across Chrome, Firefox, and Microsoft Edge. With hundreds of thousands of installations and increasingly advanced concealment techniques, GhostPoster has evolved into a long-term, stealthy browser-based threat that continues to put everyday users at risk.

Overview: GhostPoster Refuses to Disappear

Security researchers have uncovered another batch of 17 malicious browser extensions linked to the GhostPoster malware campaign. These extensions collectively amassed more than 840,000 installs before being taken down. Despite earlier disclosures in late 2024, the campaign remains active, adapting its techniques to evade detection and extend its lifespan across multiple browser ecosystems.

Background: First Exposure by Koi Security

The GhostPoster operation was initially reported by Koi Security researchers in December. At that time, investigators identified 17 extensions hiding malicious JavaScript code within image files used as extension logos. This code was designed to silently monitor user activity and establish a backdoor inside the browser, turning legitimate-looking tools into surveillance and fraud instruments.

Hidden Payloads Inside Images

Rather than storing malicious code in obvious script files, GhostPoster embedded JavaScript inside image assets. These images appeared harmless but contained concealed payloads that could be extracted and executed at runtime. This method allowed the malware to bypass static security checks commonly used by browser extension stores.

Core Capabilities: What the Malware Actually Does

Once activated, the malicious code fetched an external, heavily obfuscated payload. This payload enabled multiple forms of abuse, including tracking browsing behavior, hijacking affiliate links on popular e-commerce platforms, and injecting invisible iframes. These actions powered large-scale ad fraud and click fraud operations without the user noticing any visible changes.

Ongoing Campaign Confirmed by LayerX

A new report from browser security platform LayerX confirms that GhostPoster never truly stopped. Despite public exposure and earlier takedowns, the campaign persisted, quietly distributing new extensions across official browser marketplaces. This persistence highlights both the attackers’ patience and the difficulty of policing extension ecosystems.

The Full List of Newly Identified Extensions

LayerX identified the following 17 extensions as part of the ongoing GhostPoster operation, many of which impersonated useful or popular tools:

Translation Tools as a Trojan Horse

Extensions like Google Translate in Right Click, Translate Selected Text with Google, One Key Translate, and Translate Selected Text with Right Click accounted for the majority of installations. Translation utilities are especially attractive to attackers because they require broad access to webpage content.

Ad Blockers and Media Tools Exploited

Extensions such as Ads Block Ultimate, AdBlocker, Floating Player – PiP Mode, and Youtube Download capitalized on users’ desire for ad-free and enhanced media experiences. Ironically, these tools were used to inject ads and generate fraudulent clicks.

Screenshot and Utility Extensions Abused

Seemingly harmless utilities like Full Page Screenshot, Page Screenshot Clipper, Convert Everything, and RSS Feed also carried malicious logic. Their wide permissions made them ideal for surveillance and data manipulation.

Smaller Niche Extensions Still Dangerous

Even lower-install extensions like Color Enhancer, Cool Cursor, and Amazon Price History played a role. Although their install counts were smaller, they contributed to the campaign’s overall reach and longevity.

Origin: Microsoft Edge as the Launch Point

Researchers believe the GhostPoster campaign originally began on Microsoft Edge. From there, it gradually expanded to Firefox and Chrome, adapting its packaging to meet each store’s submission requirements while retaining the same malicious core.

A Long-Term Operation Dating Back to 2020

LayerX discovered that some of the identified extensions had been present in browser add-on stores since 2020. This indicates a highly successful long-term campaign that survived multiple platform reviews, policy updates, and public disclosures.

Technical Evolution: Beyond the Original Design

While many of the evasion and post-activation techniques remained consistent with earlier findings, LayerX identified a more advanced variant embedded in the Instagram Downloader extension. This version demonstrated a clear step forward in stealth and resilience.

Background Scripts Take Center Stage

Instead of relying solely on icons or static resources, the newer variant moved its malicious staging logic into the extension’s background script. This allowed the malware to operate continuously, independent of user interaction.

Image Files as Covert Containers

The updated version used bundled image files—not just icons—as payload containers. These images stored hidden data that could be dynamically extracted, reducing the likelihood of detection during manual or automated reviews.

Runtime Extraction and Execution

At runtime, the background script scanned the raw bytes of the image file for a specific delimiter sequence. Once found, the hidden data was extracted, saved to local extension storage, Base64-decoded, and executed as JavaScript. This multi-stage process made detection significantly harder.

Expert Assessment From LayerX

LayerX described this staged execution flow as a deliberate move toward longer dormancy, modular design, and stronger resistance against both static and behavioral detection mechanisms. The evolution suggests a well-funded and technically skilled threat actor.

Store Removals Are Not the End

Mozilla and Microsoft have confirmed that the identified extensions are no longer available in their add-on stores. Google also confirmed that all affected extensions have been removed from the Chrome Web Store. However, removal from stores does not automatically protect users who already installed them.

Lingering Risk for Existing Users

Users who installed these extensions before removal may still be exposed to ongoing tracking and fraud. Unless the extensions are manually removed, the malicious code can continue operating silently in the background.

What Undercode Say:

Browser Extensions Are the New Malware Frontier

GhostPoster highlights a dangerous shift in cybercrime strategy. Instead of exploiting operating systems directly, attackers are targeting browsers—the most frequently used interface in modern computing. Extensions offer persistent access, broad permissions, and direct visibility into user behavior.

Trust Is the Weakest Link

The success of this campaign demonstrates how much users trust official extension stores. When malware hides behind familiar names and polished branding, even security-conscious users can be fooled into granting excessive permissions.

Image-Based Payloads Signal a New Era

Embedding executable logic inside image files is not just clever—it’s strategic. This technique exploits blind spots in automated scanning tools and shows how attackers are adapting faster than platform defenses.

Long Dormancy Equals Long Profit

The fact that some extensions survived for years suggests GhostPoster prioritized patience over speed. By remaining dormant or minimally active, the malware avoided raising red flags while quietly generating revenue through affiliate abuse and ad fraud.

Affiliate Hijacking Is Underrated but Powerful

Unlike ransomware or credential theft, affiliate hijacking often goes unnoticed. Yet at scale, it can generate massive profits by siphoning commissions from legitimate businesses without disrupting user workflows.

Store Vetting Still Falls Short

Even with improved review processes, extension stores struggle to detect multi-stage, obfuscated malware. GhostPoster proves that attackers can meet policy requirements while hiding malicious behavior deep inside runtime logic.

Cross-Browser Distribution Multiplies Impact

By targeting Edge, Firefox, and Chrome simultaneously, GhostPoster maximized reach while minimizing dependency on a single platform. This diversification mirrors tactics seen in advanced persistent threat operations.

Users Rarely Audit Extensions

Most users install extensions and forget about them. This lack of ongoing scrutiny allows malicious add-ons to operate indefinitely, especially when they don’t visibly disrupt browsing.

Security Tools Lag Behind Creativity

Traditional detection focuses on known signatures and suspicious network activity. GhostPoster’s modular execution and delayed activation undermine these models, forcing defenders to rethink how browser threats are identified.

Education Matters as Much as Technology

Ultimately, preventing campaigns like GhostPoster requires more than automated scanning. Users must understand the risks of over-privileged extensions and regularly review what has access to their browsers.

Fact Checker Results

Verification of Campaign Continuation ✅

Independent reports from Koi Security and LayerX confirm that the GhostPoster campaign remains active despite earlier exposure.

Accuracy of Technical Details ✅

The described techniques—image-based payloads, background script execution, and Base64 decoding—align with documented findings.

Store Removal Claims Confirmed ✅

Google, Mozilla, and Microsoft have all confirmed the removal of the identified extensions from their respective stores.

Prediction

Browser-Based Malware Will Increase 📈

As operating systems harden, attackers will increasingly target browsers and extensions as softer entry points.

Extension Store Reviews Will Become Stricter 🔍

Platforms are likely to introduce deeper runtime analysis and stricter permission controls in response to campaigns like GhostPoster.

Users Will Face More “Invisible” Threats ⚠️

Future malware will prioritize stealth, monetization, and persistence over disruption, making detection harder for both users and security tools.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.github.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon