GhostPoster Campaign: Malicious JavaScript Hidden in Firefox Add‑On Logos

Researchers have uncovered a stealthy malware campaign called GhostPoster, which embeds JavaScript code inside the PNG logos of Firefox extensions. With over 50,000 downloads, these malicious add‑ons granted attackers persistent, high‑privilege access to browsers.

How GhostPoster Works

  • Steganography technique: JavaScript hidden in extension logos.
  • Loader behavior:
    • Fetches payload from a remote server.
    • Payload retrieved only once in 10 attempts to evade detection.
    • Activates 48 hours after installation.
  • Obfuscation: Payload encoded via case swapping, base64, and XOR encryption using the extension’s runtime ID.

Malicious Extensions Identified

Koi Security flagged 17 compromised extensions, including:

  • free-vpn-forever
  • screenshot-saved-easy
  • weather-best-forecast
  • crxmouse-gesture
  • cache-fast-site-loader
  • freemp3downloader
  • google-translate-right-clicks
  • dark-reader-for-ff
  • world-wide-vpn
  • translator-gbbd
  • ad-stop
  • right-click-google-translate
  …and more.

Capabilities of the Final Payload

  • Hijacks affiliate links on e‑commerce sites.
  • Injects Google Analytics tracking into every page.
  • Strips security headers from HTTP responses.
  • Bypasses CAPTCHA protections using three mechanisms.
  • Injects invisible iframes for ad fraud and click fraud (self‑delete after 15 seconds).

While GhostPoster does not steal passwords or redirect to phishing sites, it poses a serious privacy risk and could escalate if more harmful payloads are deployed.

Defensive Actions

  • Remove listed extensions immediately.
  • Reset passwords for critical accounts.
  • Monitor browser activity for suspicious redirects or injected analytics.

Mozilla’s Response

Mozilla confirmed removal of the malicious extensions from AMO (Add‑Ons Marketplace) and updated automated systems to detect and block similar attacks in the future:

“User safety is something we’ve always prioritized… We continue to improve our systems as new attacks appear.”

Takeaway

GhostPoster highlights how trusted browser ecosystems can be abused through creative techniques like logo steganography. Even popular extensions can become vectors for ad fraud, tracking, and backdoors.
