
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Malicious Firefox Extensions Use Steganography to Deliver Hidden Malware

Researchers at Koi Security have uncovered a malicious campaign, dubbed GhostPoster, that abuses the Firefox add-ons ecosystem to distribute browser-based malware. The operation relies on steganography—hiding malicious code inside seemingly harmless extension icons—to evade detection. At least 17 extensions masquerading as VPNs, ad blockers, translators, and weather tools have been identified, with a combined install base of roughly 50,000 users. Once active, the malware enables tracking, monetization abuse, and potential remote code execution.
Context
Browser extensions are widely trusted to enhance functionality and privacy. However, their deep integration into browser internals also makes them an attractive attack surface. Over the past several years, security teams have repeatedly documented malicious extensions abusing update mechanisms, permissions, and marketplace trust signals to persist undetected. GhostPoster represents an escalation in sophistication, using image-based steganography and delayed execution to bypass both automated review systems and user suspicion.
What Happened
Koi Security identified a cluster of Firefox extensions that appeared legitimate but were quietly performing malicious actions. One extension, Free VPN Forever, alone accumulated more than 16,000 installations after being published in September 2025.
Rather than downloading obvious malicious files, the extensions extracted hidden code embedded within their own icon images. After installation, the malware waited several days before activating, significantly reducing the likelihood of detection during initial review or casual use.
Technical Breakdown
The attack chain begins when the extension loads its icon image and scans the raw bytes for a predefined marker. Data hidden after this marker contains a loader, concealed using steganography.
Once triggered, the loader contacts an attacker-controlled command-and-control (C2) server, though only in a small fraction of attempts to avoid traffic-based detection. The retrieved payload is encrypted, decrypted locally, and then re-encrypted for storage within browser data, ensuring persistence.
The malware includes capabilities to:
Strip HTTP security headers from all visited sites
Inject tracking scripts and hidden iframes
Replace affiliate links on e-commerce platforms
Profile installed extensions and browsing behavior
Maintain a persistent C2 connection for future payload updates
Delayed execution—sometimes exceeding six days—further complicates detection and forensic analysis.
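One defensive check the breakdown above points to: inspect an extension's icon file for bytes appended past the image's end-of-image marker, since a loader hidden after a marker in the raw bytes has to live somewhere the image decoder ignores. This is an added example, not Koi Security's or the campaign's code; it assumes the icons are PNGs (the article does not name the format) and builds a constructed sample PNG in memory so it runs offline.

```python
# Added example (not Koi Security's code): detect data appended after a PNG
# icon's IEND chunk. Assumes icons are PNGs; the sample PNG is constructed.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    # Length, type, data and CRC-32 over type+data, as the PNG spec requires.
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def trailing_bytes(data: bytes) -> bytes:
    """Walk the chunk list and return everything after IEND (b"" if clean)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk found")


def scan_icon(data: bytes, min_suspicious: int = 16) -> dict:
    """Flag icons whose trailer is big enough to carry code rather than padding."""
    tail = trailing_bytes(data)
    return {"trailing_len": len(tail),
            "suspicious": len(tail) >= min_suspicious,
            "preview": tail[:32]}


def build_png(payload: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, type
    idat = zlib.compress(b"\x00\x80")  # filter byte + one grey pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + payload


if __name__ == "__main__":
    # Constructed marker and stub text stand in for the hidden loader; nothing runs.
    print(scan_icon(build_png()))
    print(scan_icon(build_png(b"@@MARKER@@" + b"/* constructed stub, not code */")))
```

Run it over the `.png` files unpacked from an installed extension's `.xpi` archive; a non-empty trailer is a lead for manual review, not proof of compromise, since some image tools also leave benign trailing bytes.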
Impact Analysis
While the campaign does not initially deploy destructive malware, its implications are serious. Affected users face:
Loss of privacy through continuous behavioral monitoring
Increased exposure to clickjacking and cross-site scripting attacks
Financial manipulation via hijacked affiliate traffic
Elevated risk of future compromise through remotely delivered updates
Because browser extensions operate within trusted contexts, their compromise can undermine otherwise secure browsing environments.
Why It Matters
GhostPoster highlights how trust in extension marketplaces can be exploited at scale. The use of steganography demonstrates that traditional signature-based detection and manual reviews are no longer sufficient. As browsers become central to work, commerce, and identity, malicious extensions represent a persistent and underappreciated risk vector.
Expert Commentary
“These extensions strip your browser’s security headers on every site you visit. They inject code into every page. They maintain a persistent connection to attacker-controlled servers, waiting for instructions,” Koi Security warned. “What runs in your browser tomorrow is entirely up to them.”
Key Takeaways
Steganography is now actively used in browser malware delivery
Malicious extensions can evade detection for days or weeks
Even non-destructive campaigns can enable serious follow-on attacks
Extension permissions remain a high-risk trust boundary
Users should routinely audit installed extensions and remove unused tools