A stealthy malware operation has been discovered by cybersecurity researchers, which remained undetected for a period of up to five years and accumulated more than 840,000 downloads on various platforms. The research began with a study by Koi Security of a Firefox browser extension called GhostPoster, which embedded its malicious code in a seemingly innocuous PNG image file. Such a trick allowed the malware to evade static analysis and manual reviews by browser markets.
Based on the findings of Koi Security, the LayerX researchers decided to dig deeper into the infrastructure and discovered 17 more extensions that used the same backend infrastructure and had the same tactics, techniques, and procedures (TTPs). In total, these extensions had more than 840,000 downloads, with some of them remaining undetected on the users' devices for almost five years. LayerX researchers also discovered a more complex variant of the malware that used other evasion techniques and had 3,822 downloads on its own.
The operation emanates from Microsoft Edge and then methodically moves to chrome and Firefox, which looks like the work of a patient, evolving threat actor that is focused on stealth and trust-building. The extensions used to mimic legitimate functionality at first, avoiding suspicion, while the infrastructure was in place after many years. This stress test mentality highlights how cybercriminals abuse browser extensions as a low-friction vector to compromise user security without raising alarms in the short term.
Following the revelations, Mozilla and Microsoft immediately removed the offending extensions from their official stores, preventing further downloads. However, this removal does nothing to those copies already installed on users browsers, meaning millions might be left vulnerable to potential attacks unless they take action. LayerX’s blog stressed that users need to take an active role in mitigating ongoing risk by reviewing for and deleting the extensions.
Browser extensions have become a lucrative target for cybercriminals as hackers exploit the deep access these extensions have to browsing data and permissions, raising the stakes for vigilance in the evolving threat landscape. Users are advised to regularly review the installed add-ons' permissions, disable the ones they don't use or need, and remove the ones they don't trust. This is a warning that even extensions or add-ons that have been trusted for a long time can potentially contain malicious code, and it effectively calls for those using any major browser to adopt a more proactive approach to security.