GhostPoster
GhostPoster is a malicious browser extension campaign referenced in reporting on the StegoAd operation. The available content links GhostPoster to a Chinese operation through Koi Security’s assessment that the credential exfiltration domain mitarchive.info was previously associated with DarkSpectre and with the ShadyPanda and GhostPoster extension campaigns. GhostPoster is also described as sharing a steganographic concealment method with StegoAd, specifically hiding code inside an extension’s icon, and StegoAd reportedly reused some extension names previously seen in GhostPoster, including “Ads Block Ultimate.” Known associated names mentioned in the content are GhostPoster, ShadyPanda, and DarkSpectre. No additional high-confidence details on GhostPoster’s targets, full intrusion set, or broader TTPs are directly provided in the supplied content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a prior campaign sharing icon steganography methods and reused extension names with StegoAd.
A related malicious browser extension campaign that used the same technique of hiding code inside an extension icon.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.