

Security researchers uncovered the operation after identifying a complex multi-stage infection chain that employs steganography, delayed execution, and modular payload delivery to maintain persistence while generating revenue through affiliate fraud and click manipulation.
The GhostPoster malware demonstrates advanced operational security through its initial payload delivery mechanism.
Rather than using conventional script injection, the threat actor embeds malicious code within the binary data of extension icon files, typically PNG images.
When users install what appears to be legitimate browser utilities, such as ad blockers, screenshot tools, or language translators, the extension extracts hidden bytecode from the image file during runtime.
The extraction routine scans the image bytes for the ASCII delimiter ‘>>>>’ and treats everything after it as JavaScript to be decoded and executed.
The technique sidesteps static analysis tools that only inspect script files and declared code paths: inside the icon, the payload is just extra bytes that look like harmless image data.
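The following triage script is an added example, not code from the article or from the GhostPoster loader. It applies the two checks the paragraph above implies a defender should run against an extension's icon files: a well-formed PNG ends with its IEND chunk, so any bytes appended after it are suspicious, and the ASCII delimiter ‘>>>>’ that the article describes marks where the loader starts decoding JavaScript. The sample icons, the file name and the stand-in payload string are constructed for the demonstration.

```javascript
// Added triage example: detect PNG-based payload smuggling of the kind the
// article describes. Walks the chunk list to the end of IEND, reports bytes
// appended after it, and extracts the text following the '>>>>' delimiter.
// Usage: node scan_icons.js [icon.png ...]  (no args: scans built-in samples)
'use strict';

const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const MARKER = Buffer.from('>>>>', 'ascii');

// Offset just past the IEND chunk, or -1 if the buffer is not a parseable PNG.
// Chunk CRCs are skipped, not validated; a bad CRC is not what we are hunting.
function pngEndOffset(buf) {
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIG)) return -1;
  let off = 8;
  while (off + 12 <= buf.length) {
    const len = buf.readUInt32BE(off);
    const type = buf.toString('ascii', off + 4, off + 8);
    const next = off + 12 + len;      // 4 length + 4 type + data + 4 crc
    if (next > buf.length) return -1; // truncated chunk
    if (type === 'IEND') return next;
    off = next;
  }
  return -1;
}

// Returns null for a clean icon, otherwise a description of what was found.
function scanIcon(buf) {
  const end = pngEndOffset(buf);
  const trailingBytes = end === -1 ? 0 : buf.length - end;
  const markerAt = buf.indexOf(MARKER);
  if (trailingBytes === 0 && markerAt === -1) return null;
  return {
    validPng: end !== -1,
    trailingBytes,          // data after IEND is the strong signal
    markerAt,               // -1 if '>>>>' does not occur at all
    // '>>>>' can occur by chance inside compressed IDAT data, so the text is
    // only treated as a payload when the delimiter sits after IEND.
    payload: end !== -1 && markerAt >= end
      ? buf.toString('utf8', markerAt + MARKER.length)
      : null,
  };
}

// Constructed samples. chunk() leaves the CRC field zero (not validated above).
function chunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length);
  return Buffer.concat([len, Buffer.from(type, 'ascii'), data, Buffer.alloc(4)]);
}
const IHDR = Buffer.from([0, 0, 0, 1, 0, 0, 0, 1, 8, 6, 0, 0, 0]); // 1x1 RGBA
const CLEAN_ICON = Buffer.concat([
  PNG_SIG,
  chunk('IHDR', IHDR),
  chunk('IDAT', Buffer.from([0x78, 0x9c, 0x63, 0x00, 0x01, 0x00, 0x00, 0x05, 0x00, 0x01])),
  chunk('IEND', Buffer.alloc(0)),
]);
// Harmless stand-in for the smuggled stage-2 script (constructed, not real).
const SAMPLE_PAYLOAD = "console.log('stage-2 loader would run here');";
const TAINTED_ICON = Buffer.concat([CLEAN_ICON, MARKER, Buffer.from(SAMPLE_PAYLOAD, 'utf8')]);

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const files = process.argv.slice(2);
  const targets = files.length
    ? files.map((f) => [f, fs.readFileSync(f)])
    : [['sample-clean.png', CLEAN_ICON], ['sample-tainted.png', TAINTED_ICON]];
  for (const [name, buf] of targets) {
    const hit = scanIcon(buf);
    console.log(name, hit ? JSON.stringify(hit) : 'clean');
  }
}
```

Point it at the `icons/` directory of an unpacked extension (Chrome keeps installed copies under the profile's `Extensions/<id>/<version>/` folder). A hit with `trailingBytes > 0` deserves a look regardless of whether the delimiter is present, since a copycat only has to change the marker string.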
Delayed execution represents another critical evasion strategy. The malware implements mandatory waiting periods ranging from 48 hours to five days before initiating command-and-control communication.
The dormancy is a countermeasure against behavioral-detection systems, which flag network activity that begins immediately after installation.
Upon activation, the extracted loader contacts remote servers to retrieve additional JavaScript modules that enable the malware’s core functionality.
These capabilities include stripping response security headers such as Content-Security-Policy and Strict-Transport-Security, hijacking affiliate marketing traffic for financial gain, injecting fraudulent iframes for click fraud, programmatically solving CAPTCHA challenges, and tracking user browsing patterns for extended surveillance.
The campaign’s infrastructure reveals systematic cross-platform distribution. Researchers at Koi Security traced the malicious network to 17 confirmed extensions, with the threat actor initially targeting Microsoft Edge users in 2020 before expanding to Firefox and Chrome.
The extensions collectively amassed 840,000 installations, with the most prolific variant, “Google Translate in Right Click,” infecting 522,398 Chrome users alone.
Other high-impact extensions included “Translate Selected Text with Google” (159,645 installs), “Floating Player PiP Mode” (40,824 installs), and “Ads Block Ultimate” (48,078 installs), demonstrating the attackers’ preference for utilities with broad appeal.
A more advanced variant discovered during the LayerX Security investigation exhibited enhanced modularity.
This version embedded its payload within the extension’s background script rather than its content scripts, using the same PNG steganography technique and storing the decoded payloads in the browser’s local storage under obfuscated keys.

The five-day activation delay and ability to fetch updated payloads from remote servers indicate a mature operational framework designed for long-term resilience against both automated scanning and manual takedown efforts.

Mozilla’s and Microsoft’s store removal actions are only partially effective because of the malware’s persistence on already-compromised systems.
Extensions already installed on user systems remain active unless manually uninstalled, creating an ongoing security gap.
This limitation underscores fundamental challenges in browser extension security, where reactive takedowns cannot retroactively neutralize threats that have already been deployed.
Indicators of Compromise
| Extension ID | Name | Installs |
|---|---|---|
| maiackahflfnegibhinjhpbgeoldeklb | Page Screenshot Clipper | 86 |
| kjkhljbbodkfgbfnhjfdchkjacdhmeaf | Full Page Screenshot | 2,000 |
| ielbkcjohpgmjhoiadncabphkglejgih | Convert Everything | 17,171 |
| obocpangfamkffjllmcfnieeoacoheda | Translate Selected Text with Google | 159,645 |
| dhnibdhcanplpdkcljgmfhbipehkgdkk | Youtube Download | 11,458 |
| gmciomcaholgmklbfangdjkneihfkddd | RSS Feed | 2,781 |
| fbobegkkdmmcnmoplkgdmfhdlkjfelnb | Ads Block Ultimate | 48,078 |
| onlofoccaenllpjmalbnilfacjmcfhfk | AdBlocker | 10,155 |
| bmmchpeggdipgcobjbkcjiifgjdaodng | Color Enhancer | 712 |
| knoibjinlbaolannjalfdjiloaadnknj | Floating Player – PiP Mode | 40,824 |
| jihipmfmicjjpbpmoceapfjmigmemfam | One Key Translate | 10,785 |
| ajbkmeegjnmaggkhmibgckapjkohajim | Cool Cursor | 2,254 |
| fcoongackakfdmiincikmjgkedcgjkdp | Google Translate in Right Click | 522,398 |
| fmchencccolmmgjmaahfhpglemdcjfll | Translate Selected Text with Right Click | 283 |
| amazon-price-history | Amazon Price History | 1,197 |
| save-image-to-pinterest | Save Image to Pinterest on Right Click | 6,517 |
| instagram-downloading | Instagram Downloader | 3,807 |
Security teams should audit installed extensions across managed environments, particularly those outside organizational policy controls.
Behavior-based monitoring solutions capable of detecting unauthorized network activity and suspicious DOM manipulation represent essential defensive layers against similar threats.
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Defense Evasion | Masquerading as legitimate utilities (T1036) |
| Defense Evasion | Code obfuscation via steganography (T1140) |
| Defense Evasion | Delayed execution to evade detection (T1678) |
| Defense Evasion | Evading server-side store checks |
| Discovery | Browser information gathering (T1217) |
The GhostPoster campaign serves as a critical reminder that browser extension ecosystems remain viable attack vectors for sophisticated threat actors prioritizing stealth and persistence over rapid proliferation.
The post GhostPoster Malware Campaign Targets Chrome Users via 17 Malicious Extensions appeared first on Cyber Security News.
