
GhostPoster Firefox Extensions Hide Malware in Icons

The malware hijacks purchase commissions, tracks users, removes security headers, injects hidden iframes, and bypasses CAPTCHA.


Koi Security has identified a malicious campaign targeting Firefox users via a series of extensions that rely on steganography to hide malware in their icons.

The extensions pose as free VPN services, ad blockers, translation tools, and weather forecast apps, but instead deploy a multi-stage payload that monitors users’ activities, disables security protections, and enables remote code execution (RCE).

According to Koi, which named the campaign GhostPoster, at least 17 such extensions have been published to the browser’s add-ons marketplace, and they have been installed approximately 50,000 times.

One of the extensions, named Free VPN Forever, was published in September 2025 and has been installed over 16,000 times.

Koi observed that the extension would load its logo file and then search through the raw bytes of the image for a specific marker.

The extension’s developer used steganography to hide, after that marker, a loader that reaches out to a remote command-and-control (C&C) server to retrieve an encrypted payload.
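The technique described above works because an image decoder stops reading at the end of the image structure, so anything stored past that point in the raw file is invisible to a viewer yet trivially readable by the extension's own code. The following is an added example for defenders, not code from Koi Security, SecurityWeek or the extensions themselves: it walks a PNG icon chunk by chunk and flags bytes that trail the IEND chunk, chunk types a plain icon would not contain, and CRC mismatches. It generalizes beyond the marker-based layout in the article, since it reports any appended or unexpected data rather than looking for one marker. The 1x1 icon and the text appended to it are constructed for the demo, and the marker string is a placeholder, not one from the campaign.

```python
"""Scan PNG icon files for data hidden outside the image structure (added example)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a plain icon normally contains; anything else is worth a look.
EXPECTED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"sRGB", b"gAMA",
                   b"pHYs", b"iCCP", b"bKGD", b"tEXt", b"iTXt", b"zTXt"}


def scan_png(data: bytes) -> dict:
    """Return trailing byte count after IEND, odd chunk findings and whether IEND was seen."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    odd_chunks = []
    trailing = 0
    iend_seen = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length field + type + payload + CRC
        name = ctype.decode("latin-1")
        if chunk_end > len(data):
            odd_chunks.append((name, "truncated chunk"))
            break
        stored_crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        if zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF != stored_crc:
            odd_chunks.append((name, "CRC mismatch"))
        if ctype not in EXPECTED_CHUNKS:
            odd_chunks.append((name, f"unexpected chunk type, {length} bytes"))
        pos = chunk_end
        if ctype == b"IEND":
            iend_seen = True
            trailing = len(data) - pos  # a decoder never reads past this point
            break
    return {"trailing_bytes": trailing, "odd_chunks": odd_chunks, "iend_seen": iend_seen}


def is_suspicious(data: bytes) -> bool:
    """True when the file carries anything a plain icon would not need."""
    r = scan_png(data)
    return r["trailing_bytes"] > 0 or bool(r["odd_chunks"]) or not r["iend_seen"]


def scan_png_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_png(fh.read())


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A 1x1 8-bit greyscale PNG built by hand (constructed for the demo)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    scanline = b"\x00\x80"  # filter byte 0 followed by one grey pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


CLEAN_ICON = build_minimal_png()
# Constructed sample: the same icon with harmless text appended after IEND.
TAMPERED_ICON = CLEAN_ICON + b"PLACEHOLDER_MARKER" + b"// constructed stand-in for hidden data\n"

if __name__ == "__main__":
    for label, icon in (("clean", CLEAN_ICON), ("tampered", TAMPERED_ICON)):
        print(label, scan_png(icon), "SUSPICIOUS" if is_suspicious(icon) else "ok")
```

Run it over the icon files of an unpacked extension (they are referenced from the manifest's `icons` entry) before or after install; a legitimate icon has nothing after IEND and only the chunk types above.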

To evade detection, the GhostPoster Firefox extensions do not contact the C&C immediately, and they fetch a payload in only 10% of successful C&C connections.


The loader decrypts the payload, a comprehensive toolkit for user tracking and browser monetization, then re-encrypts it and stores it in browser storage for persistence.

For evasion purposes, additional time delays ensure that the malware is activated only once more than 6 days have passed since the extension was installed.

The malware, Koi discovered, monitors users’ visits to ecommerce websites to intercept clicks on affiliate links and replace them, so that the malware authors get a commission from the purchase, instead of the original affiliate.

Additionally, the malware injects Google Analytics tracking into every visited page, harvests data on all installed extensions, collects information on visited merchant networks, and injects elements into specific sites to profile users without their knowledge.

Users of the GhostPoster Firefox extensions are also exposed to clickjacking and cross-site scripting attacks, as the malware removes security headers from HTTP responses.

According to Koi, the malware can also inject hidden iframes into web pages, and includes multiple CAPTCHA bypass methods, to ensure its nefarious activities are not blocked.
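Every capability listed above (rewriting response headers on every site, injecting into every page, enumerating installed extensions) has to be declared in the extension's manifest before Firefox will grant it, which makes the manifest a cheap first triage point. The following is an added example, not code from Koi Security, SecurityWeek or the extensions: it reads a WebExtension manifest and reports the capability set such a payload would need. The manifest keys (`permissions`, `host_permissions`, `content_scripts`, `matches`) and the permission names (`webRequest`, `webRequestBlocking`, `declarativeNetRequest`, `management`, `<all_urls>`) are real WebExtension vocabulary; the two sample manifests are constructed for the demo and do not reproduce any GhostPoster extension.

```python
"""Triage a WebExtension manifest for header-rewrite and page-injection capability (added example)."""
import json

# Host patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension modify request or response headers.
HEADER_EDIT_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                     "declarativeNetRequestWithHostAccess"}


def _host_patterns(manifest: dict) -> set:
    # MV2 lists host patterns under `permissions`; MV3 moves them to `host_permissions`.
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def triage_manifest(manifest: dict) -> dict:
    """Report which of the article's capabilities this manifest could support."""
    perms = set(manifest.get("permissions", []))
    broad = bool(_host_patterns(manifest) & BROAD_HOSTS)
    can_edit_headers = bool(perms & HEADER_EDIT_PERMS)
    content_script_everywhere = any(
        set(cs.get("matches", [])) & BROAD_HOSTS
        for cs in manifest.get("content_scripts", []))
    findings = []
    if broad and can_edit_headers:
        findings.append("can rewrite headers on every site (broad host access + webRequest family)")
    if broad:
        findings.append("broad host access permits script injection into any page")
    if content_script_everywhere:
        findings.append("content script declared for every page")
    if "management" in perms:
        findings.append("can enumerate installed extensions")
    return {"broad_hosts": broad, "header_modification": can_edit_headers,
            "findings": findings}


def triage_manifest_json(text: str) -> dict:
    return triage_manifest(json.loads(text))


# Constructed sample: a broad-permission "VPN" style manifest (not a real extension).
SAMPLE_BROAD_MANIFEST = {
    "manifest_version": 2,
    "name": "constructed-vpn-sample",
    "permissions": ["webRequest", "webRequestBlocking", "storage", "management", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

# Constructed sample: a narrow manifest that only talks to one API host.
SAMPLE_NARROW_MANIFEST = {
    "manifest_version": 3,
    "name": "constructed-weather-sample",
    "permissions": ["storage"],
    "host_permissions": ["https://api.example.invalid/*"],
}

if __name__ == "__main__":
    for m in (SAMPLE_BROAD_MANIFEST, SAMPLE_NARROW_MANIFEST):
        print(m["name"], json.dumps(triage_manifest(m), indent=2))
```

A genuine VPN or ad-blocking extension also needs broad host access and the webRequest family, so the output ranks what an extension could do rather than proving intent; it is a reason to look harder (icons, delayed network activity, stored encrypted blobs), not a verdict on its own.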

Koi says it identified 17 extensions that connect to the same two C&C servers to fetch a malicious payload, some using different delivery mechanisms, but all apparently linked to the same threat actor.

“These extensions strip your browser’s security headers on every site you visit. They inject code into every page. They maintain a persistent connection to attacker-controlled servers, waiting for instructions. The payload can be updated at any time. What runs in your browser tomorrow is entirely up to them,” Koi notes.

Related: Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

Related: New Firefox Extensions Required to Disclose Data Collection Practices

Related: Supply Chain Attack Targets VS Code Extensions With ‘GlassWorm’ Malware

Related: Browser Extensions Pose Serious Threat to Gen-AI Tools Handling Sensitive Data

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
