Security researchers have uncovered a new malware campaign called GhostPoster that targeted Firefox users through browser add-ons. The malware was found hidden inside 17 different Firefox extensions, which together had more than 50,000 downloads. These add-ons looked completely normal, making the attack hard to notice. Many users installed them without realizing the risk.

The investigation was carried out by cybersecurity experts after they noticed suspicious behavior in a Firefox extension. A closer look revealed that the malware was not placed in regular code files. Instead, it was secretly embedded inside the PNG icon images used by the extensions. This unusual method allowed the malware to stay hidden for a long time.

The attackers used a technique known as steganography: hiding data, in this case malicious code, inside harmless-looking files such as images. Since image files are usually not checked deeply during reviews, the hidden code went unnoticed. When the extension was installed, the image was decoded to extract and run the malicious script. This made detection even more difficult.

Once activated, the malware did not act immediately in many cases. Researchers observed that it often waited for hours or even days before doing anything suspicious. Sometimes it only contacted attacker-controlled servers randomly, which helped it avoid detection. This slow and silent behavior allowed it to operate under the radar.

The malicious activity mainly focused on tracking user browsing behavior and hijacking affiliate links. In simple terms, attackers could earn money by secretly redirecting users’ clicks. In some cases, the malware could also inject tracking scripts or act as a backdoor. This posed serious privacy and security risks for users.

The infected extensions appeared legitimate and offered common features such as VPN services, ad blocking, translation tools, and utilities. Because these are popular types of add-ons, users were more likely to trust and install them. This shows how attackers are increasingly using trusted platforms to spread malware.

After the campaign was exposed, the affected extensions were taken down from the Firefox add-on store. Mozilla was informed about the issue, and steps were taken to protect users. However, anyone who had already installed these add-ons could still be at risk if they did not remove them manually.

This incident highlights a growing threat in browser security. It shows that even non-code files like images can be used to hide malware. Users are advised to regularly review installed extensions, remove unnecessary ones, and stay alert for unusual browser behavior. Browser extension security checks may also need to become stricter in the future.

Stay alert, and keep your security measures updated!
