
The new campaign, dubbed GhostPoster, used the logo files of 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking codes, and commit click and ad fraud.
In total, the extensions were downloaded more than 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available.
These extensions were promoted as VPNs, screenshot utilities, ad blockers, and unofficial versions of Google Translate. The oldest add-on, Dark Mode, was launched on October 25, 2024, and provided the ability to enable a dark theme on all websites. The complete list of browser add-ons is below –
- Free VPN
- Screenshot
- Weather (weather-best-forecast)
- Mouse Gestures (crxMouse)
- Caching – Fast Site Loader
- Free MP3 Downloader
- Google Translate (google-translate-right-clicks)
- Google Global VPN
- Translate – Free Forever
- Dark Reader
- Dark Mode
- Translation – Google Bing Baidu DeepL
- Weather (i-like-weather)
- Google Translate (google-translate-pro-extension)
- 谷歌译 (libretv-watch-free-videos)
- Ad Stop – Best Ad Blocker
- Google Translate (Right click to Google Translate)

“What they actually deliver is a multi-stage malware payload that monitors everything you view, strips away the browser’s security protections, and opens a backdoor for remote code execution,” said security researchers Lotan Selly and Noga Gouldman.
The attack chain begins when one of the above extensions is loaded and fetches its logo file. The malicious code parses the file for markers containing the “===” sequence and extracts the JavaScript embedded between them: a loader that contacts an external server (“www.liveupdt[.]com” or “www.dealctr[.]com”) to retrieve the main payload, waiting 48 hours between each attempt.
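The steganographic trick described above is easy to check for offline: a legitimate image ends at a well-defined point, and anything appended after it, especially text delimited by “===” and containing JavaScript tokens, is worth pulling out for review. The following scanner is an added example for analysts, not Koi Security's tooling or the extension code itself; the PNG-trailer parsing, the script-token heuristic, the `scan_extension_dir` walker and the constructed sample logos are all this example's own assumptions.

```python
"""Scan an unpacked browser extension for image assets that carry data appended
after the real image, as the GhostPoster logo files did.  Added example; the
PNG-trailer logic and the script heuristics are this example's assumptions."""
import os
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="          # delimiter the article says the loader looks for
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp", ".ico"}
# Tokens that rarely occur in image data but are common in JavaScript (assumption).
SCRIPT_HINTS = (b"function", b"fetch(", b"XMLHttpRequest", b"eval(", b"=>", b"setTimeout")


def png_end_offset(data):
    """Offset just past the IEND chunk, or None if the data is not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # chunk header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None


def extract_segments(blob):
    """Split on the marker and return the non-empty pieces between markers."""
    return [seg for seg in blob.split(MARKER) if seg.strip()]


def scan_bytes(name, data):
    """Return a finding dict for a suspicious image, or None if it looks clean."""
    end = png_end_offset(data)
    # For a PNG only bytes after IEND are suspicious; for other formats scan everything.
    region = data[end:] if end is not None else data
    if MARKER not in region:
        return None
    segments = extract_segments(region)
    scripty = [s for s in segments if any(h in s for h in SCRIPT_HINTS)]
    if not scripty:
        return None
    return {
        "file": name,
        "trailer_bytes": len(region),
        "segments": len(segments),
        "script_like_segments": len(scripty),
        "preview": scripty[0][:80].decode("latin-1"),
    }


def scan_extension_dir(root):
    """Walk an unpacked extension directory and scan every image asset."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() in IMAGE_EXT:
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    hit = scan_bytes(path, fh.read())
                if hit:
                    findings.append(hit)
    return findings


# --- constructed sample data (not real GhostPoster artefacts) -------------
def png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(extra=()):
    """Build a minimal valid 1x1 greyscale PNG, optionally with extra chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")       # filter byte + one grey pixel
    body = png_chunk(b"IHDR", ihdr)
    for ctype, payload in extra:
        body += png_chunk(ctype, payload)
    return PNG_SIG + body + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


CLEAN_LOGO = make_png()
PLACEHOLDER_JS = b"(function(){ setTimeout(function(){}, 0); })();"   # inert stand-in
TAINTED_LOGO = make_png() + MARKER + PLACEHOLDER_JS + MARKER

if __name__ == "__main__":
    print(scan_bytes("clean.png", CLEAN_LOGO))
    print(scan_bytes("tainted.png", TAINTED_LOGO))
```

Because the PNG branch only looks past IEND, a “===” that legitimately occurs inside a text chunk does not trigger a finding; for formats the scanner does not parse it falls back to searching the whole file, which is noisier but still catches an appended trailer.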

To further avoid detection, the loader is configured to fetch the payload only 10% of the time. This randomness is a deliberate choice intended to frustrate network traffic monitoring. The retrieved payload is a comprehensive custom-encoded toolkit that can monetize browser activity in four different ways without the victim’s knowledge.
- Affiliate link hijacking. It intercepts affiliate links to e-commerce sites such as Taobao and JD.com and steals commissions from legitimate affiliates.
- Tracking injection. Silent profiling by inserting Google Analytics tracking code into every web page visited by the victim.
- Security header stripping. Removes security headers such as Content-Security-Policy and X-Frame-Options from HTTP responses, exposing users to clickjacking and cross-site scripting attacks.
- Hidden iframe injection. Injects a hidden iframe into a page to load a URL from an attacker-controlled server, enabling advertising and click fraud.
- CAPTCHA bypass. It uses various methods to bypass CAPTCHA challenges and circumvent bot detection safeguards.
“Why would malware need to bypass CAPTCHA? Because some malware operations, such as hidden iframe injections, trigger bot detection,” the researchers explain. “In order for malware to continue working, it must prove that it is ‘human’.”
In addition to the probability check, the add-on also incorporates a time-based delay that prevents the malware from activating until at least 6 days after installation. These layered evasion techniques make it difficult to detect what is happening behind the scenes.
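The timing tricks above cut both ways for a defender: a loader that sleeps 48 hours between attempts and only sometimes completes a fetch leaves a sparse but very regular trail in DNS or proxy logs, with gaps that are integer multiples of 48 hours. The hunt below is an added example, not Koi Security's tooling. It flags the two domains named in the article and, generalizing beyond them, any client/domain pair whose contact gaps fit that multiple-of-48-hours pattern; the log format, the tolerance, and the sample log lines (including the hypothetical `upd.example-loader.invalid` host) are constructed for this example.

```python
"""Hunt DNS/proxy logs for GhostPoster-style beacons.  Added example, not
Koi Security's tooling.  The log format and the cadence heuristic are this
example's assumptions; the two domains are the ones named in the article."""
from collections import defaultdict
from datetime import datetime

# Indicators from the article, kept defanged and refanged only for matching.
IOC_DOMAINS = {"www.liveupdt[.]com", "www.dealctr[.]com"}
PERIOD_S = 48 * 3600     # the loader's stated retry interval


def refang(domain):
    return domain.replace("[.]", ".")


def parse_line(line):
    """Parse 'ISO8601-timestamp client domain' (constructed log format)."""
    ts, client, domain = line.split()
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return stamp, client, domain.lower().rstrip(".")


def is_multiple_of_period(gaps, period=PERIOD_S, tol=0.05):
    """True if every gap is within tol of a positive integer multiple of period.
    A loader that sleeps 48 h and only sometimes completes a fetch produces
    exactly that shape.  Requires at least three contacts (two gaps)."""
    if len(gaps) < 2:
        return False
    for gap in gaps:
        k = round(gap / period)
        if k < 1 or abs(gap - k * period) > tol * period:
            return False
    return True


def hunt(lines):
    """Return known-IOC hits and client/domain pairs with a 48 h-multiple cadence."""
    iocs = {refang(d) for d in IOC_DOMAINS}
    seen = defaultdict(list)
    ioc_hits = []
    for line in lines:
        if not line.strip():
            continue
        stamp, client, domain = parse_line(line)
        if domain in iocs:
            ioc_hits.append((client, domain, stamp.isoformat()))
        seen[(client, domain)].append(stamp)
    cadence_hits = []
    for (client, domain), stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if is_multiple_of_period(gaps):
            cadence_hits.append((client, domain, len(stamps)))
    return {"ioc_hits": ioc_hits, "cadence_hits": cadence_hits}


# Constructed sample log: one IOC hit, one sparse periodic host, ordinary noise.
SAMPLE_LOG = """
2025-12-01T09:00:00Z 10.0.0.5 www.example.com
2025-12-01T09:00:03Z 10.0.0.5 cdn.example.net
2025-12-01T09:00:10Z 10.0.0.5 upd.example-loader.invalid
2025-12-02T14:11:00Z 10.0.0.5 www.example.com
2025-12-03T09:00:12Z 10.0.0.5 upd.example-loader.invalid
2025-12-04T08:30:00Z 10.0.0.5 www.example.com
2025-12-05T11:59:59Z 10.0.0.7 www.dealctr.com
2025-12-07T09:00:05Z 10.0.0.5 upd.example-loader.invalid
2025-12-09T09:00:20Z 10.0.0.5 upd.example-loader.invalid
""".strip().splitlines()

if __name__ == "__main__":
    for key, hits in hunt(SAMPLE_LOG).items():
        print(key, hits)
```

The cadence rule deliberately tolerates skipped beacons (the 96-hour gap in the sample is accepted as 2 × 48 h), which is what the 10% fetch probability would produce in practice; tune `tol` to the clock drift you see in your own logs, and treat a cadence hit as a lead to pivot on, not a verdict by itself.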

We would like to emphasize here that while not all of the extensions listed above use the same steganographic attack chain, the fact that they all exhibit the same behavior and communicate with the same command-and-control (C2) infrastructure indicates that this is the work of a single attacker or group that has experimented with different lures and techniques.
This development comes just days after it was discovered that popular VPN extensions for Google Chrome and Microsoft Edge were secretly collecting AI conversations from ChatGPT, Claude, and Gemini and leaking them to data brokers. In August 2025, another Chrome extension named FreeVPN.One was observed collecting screenshots, system information, and user location information.
“Free VPNs promise privacy, but nothing in life comes for free,” says Koi Security. “Time and time again, they provide oversight instead.”
