Categories: Cyber Security News

GhostPoster Malware Campaign Targets Chrome Users via 17 Malicious Extensions

A sophisticated malware campaign dubbed “GhostPoster” has infiltrated major browser extension stores, compromising over 840,000 users across Chrome, Firefox, and Edge through 17 malicious extensions that evaded detection for more than four years.
Figure: Firefox extension available for download in the store (source: layerxsecurity)

Security researchers uncovered the operation after identifying a complex multi-stage infection chain that employs steganography, delayed execution, and modular payload delivery to maintain persistence while generating revenue through affiliate fraud and click manipulation.

The GhostPoster malware demonstrates advanced operational security through its initial payload delivery mechanism.

Rather than using conventional script injection, the threat actor embeds malicious code within the binary data of extension icon files, typically PNG images.

When users install what appears to be legitimate browser utilities, such as ad blockers, screenshot tools, or language translators, the extension extracts hidden bytecode from the image file during runtime.

This extraction process searches for specific byte delimiters represented as the ASCII string ‘>>>>’ and decodes all subsequent data as executable JavaScript.

The technique effectively bypasses static analysis tools that scan only traditional code paths, as the malicious payload exists as what appears to be innocent image metadata.
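The extraction described above has a defender-side mirror: an image decoder stops at the IEND chunk, so a scanner can walk the PNG chunk list and flag anything appended after it, and can search the whole file for the '>>>>' delimiter. This is an added example, not code from the report or the extension; `scan_png`, `make_png` and the constructed 1x1 PNG are assumptions, and the trailing bytes are a constructed stand-in, not the real loader.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b">>>>"  # delimiter the loader searches for, per the report

def scan_png(data: bytes) -> dict:
    """Walk the PNG chunk list and flag two things GhostPoster relies on:
    bytes appended after IEND (ignored by image decoders) and the '>>>>'
    delimiter that precedes the embedded JavaScript."""
    result = {"valid_png": data.startswith(PNG_SIG), "trailing_bytes": 0,
              "marker_offset": -1, "payload_len": 0, "suspicious": False}
    if not result["valid_png"]:
        return result
    pos, iend_end = len(PNG_SIG), None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length  # 4 len + 4 type + data + 4 crc
        if chunk_end > len(data):
            break  # truncated chunk; stop walking
        if ctype == b"IEND":
            iend_end = chunk_end
            break
        pos = chunk_end
    if iend_end is not None:
        result["trailing_bytes"] = len(data) - iend_end
    idx = data.find(MARKER)
    if idx != -1:
        result["marker_offset"] = idx
        result["payload_len"] = len(data) - idx - len(MARKER)
    # Either signal alone is worth a look; a marker inside IDAT can be a
    # chance collision in compressed data, so treat it as lower confidence.
    result["suspicious"] = result["trailing_bytes"] > 0 or idx != -1
    return result

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png() -> bytes:
    """Constructed 1x1 RGB PNG used as a clean baseline (not a real icon)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

if __name__ == "__main__":
    tainted = make_png() + MARKER + b"/* constructed stand-in for loader JS */"
    print(scan_png(make_png()), scan_png(tainted), sep="\n")
```

Run it over every PNG shipped in an unpacked extension (icons included); a marker inside a text chunk before IEND is reported too, since that is where "innocent metadata" would hide it.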

Delayed execution represents another critical evasion strategy. The malware implements mandatory waiting periods ranging from 48 hours to five days before initiating command-and-control communication.

This dormancy counters behavioral-detection systems that flag immediate network activity after installation.

Upon activation, the extracted loader contacts remote servers to retrieve additional JavaScript modules that enable the malware’s core functionality.

These capabilities include stripping security headers like Content Security Policy and HTTP Strict Transport Security, hijacking affiliate marketing traffic for financial gain, injecting fraudulent iframes for click fraud, programmatically solving CAPTCHA challenges, and tracking user browsing patterns for extended surveillance.

The campaign’s infrastructure reveals systematic cross-platform distribution. Researchers at Koi Security traced the malicious network to 17 confirmed extensions, with the threat actor initially targeting Microsoft Edge users in 2020 before expanding to Firefox and Chrome.

The extensions collectively amassed 840,000 installations, with the most prolific variant, “Google Translate in Right Click,” infecting 522,398 Chrome users alone.

Other high-impact extensions included “Translate Selected Text with Google” (159,645 installs), “Floating Player – PiP Mode” (40,824 installs), and “Ads Block Ultimate” (48,078 installs), demonstrating the attackers’ preference for utilities with broad appeal.

A more advanced variant discovered during the LayerX Security investigation exhibited enhanced modularity.

This version embedded its payload within the extension’s background script rather than its content scripts, using the same PNG steganography technique and storing the decoded payloads in the browser’s local storage under obfuscated keys.

Figure: Decoding and saving in local storage (source: layerxsecurity)

The five-day activation delay and ability to fetch updated payloads from remote servers indicate a mature operational framework designed for long-term resilience against both automated scanning and manual takedown efforts.

Figure: Decoded PNG payload (source: layerxsecurity)

Mozilla’s and Microsoft’s store removal actions are only partially effective because of the malware’s persistence mechanism.

Extensions already installed on user systems remain active unless manually uninstalled, creating an ongoing security gap.

This limitation underscores fundamental challenges in browser extension security, where reactive takedowns cannot retroactively neutralize threats that have already been deployed.

Indicators of Compromise

| Extension ID | Name | Installs |
| --- | --- | --- |
| maiackahflfnegibhinjhpbgeoldeklb | Page Screenshot Clipper | 86 |
| kjkhljbbodkfgbfnhjfdchkjacdhmeaf | Full Page Screenshot | 2,000 |
| ielbkcjohpgmjhoiadncabphkglejgih | Convert Everything | 17,171 |
| obocpangfamkffjllmcfnieeoacoheda | Translate Selected Text with Google | 159,645 |
| dhnibdhcanplpdkcljgmfhbipehkgdkk | Youtube Download | 11,458 |
| gmciomcaholgmklbfangdjkneihfkddd | RSS Feed | 2,781 |
| fbobegkkdmmcnmoplkgdmfhdlkjfelnb | Ads Block Ultimate | 48,078 |
| onlofoccaenllpjmalbnilfacjmcfhfk | AdBlocker | 10,155 |
| bmmchpeggdipgcobjbkcjiifgjdaodng | Color Enhancer | 712 |
| knoibjinlbaolannjalfdjiloaadnknj | Floating Player – PiP Mode | 40,824 |
| jihipmfmicjjpbpmoceapfjmigmemfam | One Key Translate | 10,785 |
| ajbkmeegjnmaggkhmibgckapjkohajim | Cool Cursor | 2,254 |
| fcoongackakfdmiincikmjgkedcgjkdp | Google Translate in Right Click | 522,398 |
| fmchencccolmmgjmaahfhpglemdcjfll | Translate Selected Text with Right Click | 283 |
| amazon-price-history | Amazon Price History | 1,197 |
| save-image-to-pinterest | Save Image to Pinterest on Right Click | 6,517 |
| instagram-downloading | Instagram Downloader | 3,807 |

Security teams should audit installed extensions across managed environments, particularly those outside organizational policy controls.

Behavior-based monitoring solutions capable of detecting unauthorized network activity and suspicious DOM manipulation represent essential defensive layers against similar threats.
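Because a store takedown does not uninstall what is already on disk, the audit above has to look at the endpoint itself. The following is an added example, not tooling from the report: it walks Chrome's on-disk layout (`Extensions/<id>/<version>_0/manifest.json` under the profile directory), matches the 32-character Chrome IDs from the indicators table, and also reports installs missing from a policy allowlist. The three Firefox add-on slugs in the table use a different layout and are left out; `audit_extensions`, `build_fixture` and the benign ID are assumptions, and the fixture is a constructed profile.

```python
import json
import tempfile
from pathlib import Path

# Chrome Web Store IDs from the indicators table on this page
GHOSTPOSTER_IDS = {
    "maiackahflfnegibhinjhpbgeoldeklb", "kjkhljbbodkfgbfnhjfdchkjacdhmeaf",
    "ielbkcjohpgmjhoiadncabphkglejgih", "obocpangfamkffjllmcfnieeoacoheda",
    "dhnibdhcanplpdkcljgmfhbipehkgdkk", "gmciomcaholgmklbfangdjkneihfkddd",
    "fbobegkkdmmcnmoplkgdmfhdlkjfelnb", "onlofoccaenllpjmalbnilfacjmcfhfk",
    "bmmchpeggdipgcobjbkcjiifgjdaodng", "knoibjinlbaolannjalfdjiloaadnknj",
    "jihipmfmicjjpbpmoceapfjmigmemfam", "ajbkmeegjnmaggkhmibgckapjkohajim",
    "fcoongackakfdmiincikmjgkedcgjkdp", "fmchencccolmmgjmaahfhpglemdcjfll",
}

def audit_extensions(ext_root, allowlist=frozenset(), ioc_ids=GHOSTPOSTER_IDS):
    """Walk <profile>/Extensions/<id>/<version>_0/manifest.json, Chrome's on-disk
    layout, and return IoC matches plus installs missing from the policy allowlist."""
    report = {"ioc_hits": [], "unapproved": []}
    for id_dir in sorted(p for p in Path(ext_root).iterdir() if p.is_dir()):
        for manifest in sorted(id_dir.glob("*/manifest.json")):
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                meta = {}  # unreadable manifest: still report the install
            entry = {"id": id_dir.name, "name": meta.get("name", "?"),
                     "version": meta.get("version", "?"), "path": str(manifest.parent)}
            if id_dir.name in ioc_ids:
                report["ioc_hits"].append(entry)
            elif id_dir.name not in allowlist:
                report["unapproved"].append(entry)
    return report

def build_fixture():
    """Constructed sample profile: one ID from the IoC table and one made-up benign ID."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    for ext_id, name in (("fcoongackakfdmiincikmjgkedcgjkdp", "Google Translate in Right Click"),
                         ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Approved Corp Tool")):
        version_dir = root / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps({"name": name, "version": "1.0.0"}))
    return root

if __name__ == "__main__":
    print(json.dumps(audit_extensions(build_fixture(), {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}), indent=2))
```

Point `audit_extensions` at each user profile's `Extensions` directory on a managed host; a hit means the extension is still installed regardless of whether the store listing has been removed.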

| Tactic | Technique |
| --- | --- |
| Defense Evasion | Masquerading as legitimate utilities (T1036) |
| Defense Evasion | Code obfuscation via steganography (T1140) |
| Defense Evasion | Delayed execution to evade detection (T1678) |
| Defense Evasion | Evading server-side store checks |
| Discovery | Browser information gathering (T1217) |

The GhostPoster campaign serves as a critical reminder that browser extension ecosystems remain viable attack vectors for sophisticated threat actors prioritizing stealth and persistence over rapid proliferation.

The post GhostPoster Malware Campaign Targets Chrome Users via 17 Malicious Extensions appeared first on Cyber Security News.