A long-running and highly sophisticated malware campaign has been quietly targeting users of Google Chrome, Mozilla Firefox and Microsoft Edge, and chances are many people never noticed a thing. According to a report by GBhackers, at least 17 malicious browser extensions were involved in what security researchers have named the GhostPoster operation. Together, these extensions were downloaded more than 840,000 times, making this one of the most persistent and technically mature extension-based threats seen so far.
What makes GhostPoster especially worrying is how normal everything looked on the surface. The infected extensions were simple, everyday tools like screenshot grabbers, ad blockers, translation helpers, cursor customisers, and media downloaders. These are exactly the kind of add-ons people install without thinking twice. Behind the scenes, however, these extensions were hiding malware in a very clever way.
Instead of placing malicious code where scanners would usually look, the attackers hid it inside PNG image files, specifically the extension’s icon. This technique, known as steganography, allowed the malware to slip past security checks used by browser extension stores. To a human reviewer or an automated system, the icon looked like a regular image. But to the extension itself, it was a container full of hidden data.
Even after installation, GhostPoster didn’t rush into action. The malware was designed to wait quietly for at least 48 hours, and in some advanced versions, nearly five days. During this time, the extension behaved normally, helping it avoid systems that watch for suspicious activity right after installation. Once the waiting period ended, the malware contacted remote servers and downloaded additional malicious code.
This setup gave attackers a lot of flexibility. They could change what the malware did without updating the extension itself, making it harder for security teams to shut the operation down completely. By the time anything suspicious showed up, the extension had already earned the browser’s trust.
So what was GhostPoster actually doing? Most signs point to money. The malware could weaken website security protections, redirect affiliate links to steal commissions, inject scripts for click fraud, and track users across browsing sessions. It even had the ability to bypass CAPTCHA systems, which are meant to stop automated abuse.
Researchers believe the campaign may have started on Edge as early as 2020, before spreading to Firefox and Chrome. That means it managed to evade detection across major browser stores for almost five years, raising serious questions about how extensions are reviewed.
While Mozilla and Microsoft have removed confirmed malicious extensions from their stores, there’s a catch. If the extension is already installed on your system, it will keep working unless you remove it yourself.
The takeaway is simple: take a few minutes to check your browser extensions. If you don’t recognise one or no longer use it, uninstall it. GhostPoster is a reminder that even the smallest tools in your browser can become a serious security risk if left unchecked.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
