GhostPoster
GhostPoster is a malicious browser-extension campaign initially identified in Firefox and later linked to Chrome, Microsoft Edge, and Opera extensions. It was first reported by Koi Security and later expanded by LayerX, which linked at least 17 related extensions through shared infrastructure and tactics. Reported install counts range from roughly 50,000 Firefox users in the initial cluster to more than 840,000 downloads across the broader cross-browser campaign, with some extensions active as early as 2020 and remaining undetected for up to five years.
Its defining tradecraft is steganographic payload delivery: the extensions hide JavaScript inside bundled PNG icon files such as logo.png. The extension reads the raw PNG bytes, searches for a marker sequence (reported as 0x3D 0x3D 0x3D / "==="), extracts the concealed JavaScript, and launches a multi-stage infection chain. Additional evasion includes delayed activation ranging from 48 hours to several days, random delays, infrequent payload retrieval, runtime-only decoding, and keeping the final decrypted code only in browser memory. Reported decoding steps include case swapping, swapping digits 8 and 9, Base64 decoding, and XOR decryption derived from the extension runtime ID.
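The marker-based hiding described above suggests a simple triage check for unpacked extension bundles. The following scanner is an added example, not code from the GhostPoster reporting or from any of the cited researchers: it walks a PNG's chunk list, reports any bytes appended after the IEND chunk (an assumed heuristic for appended payloads; the reporting does not state where in the icon the script is stored), verifies chunk CRCs, and looks for the reported "===" marker anywhere in the file. The 1x1 PNG it builds is a constructed sample used only to exercise the scanner.

```python
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # 0x3D 0x3D 0x3D, the marker sequence reported for GhostPoster

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png_1x1() -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG used only to exercise the scanner."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def parse_png(data: bytes) -> dict:
    """Walk the chunk list; report where IEND ends and whether every CRC verifies."""
    if not data.startswith(PNG_SIG):
        return {"is_png": False, "iend_end": None, "crc_ok": False}
    pos, crc_ok = len(PNG_SIG), True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        stored = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(stored) < 4:
            break  # truncated chunk: stop walking
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != struct.unpack(">I", stored)[0]:
            crc_ok = False  # tampered or hand-built chunk
        pos += 12 + length
        if ctype == b"IEND":
            return {"is_png": True, "iend_end": pos, "crc_ok": crc_ok}
    return {"is_png": True, "iend_end": None, "crc_ok": crc_ok}

def scan_png(data: bytes) -> dict:
    """Flag the "===" marker anywhere in the file and any bytes appended after IEND."""
    info = parse_png(data)
    trailing = len(data) - info["iend_end"] if info["iend_end"] is not None else 0
    marker_at = data.find(MARKER)  # a hit alone is weak: "===" can occur by chance in IDAT
    preview = data[marker_at + len(MARKER):marker_at + len(MARKER) + 32] if marker_at != -1 else b""
    suspicious = (not info["is_png"]) or trailing > 0 or marker_at != -1 or not info["crc_ok"]
    return {"is_png": info["is_png"], "trailing_bytes": trailing, "marker_offset": marker_at,
            "after_marker": preview, "crc_ok": info["crc_ok"], "suspicious": suspicious}

def scan_extension_dir(root) -> dict:
    """Scan every PNG under an unpacked extension directory (icons included)."""
    return {str(p.relative_to(Path(root))): scan_png(p.read_bytes()) for p in Path(root).rglob("*.png")}
```

A marker or trailing-data hit is a reason to pull the file for manual review, not a verdict on its own; pair it with the extension's manifest permissions and any delayed network activity when triaging.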
Observed capabilities include remote command execution in the browser context, affiliate-link hijacking, forced redirects to e-commerce sites for affiliate fraud, click/ad fraud, injection of tracking or Google Analytics scripts, browser activity monitoring, weakening or stripping HTTP security headers including Content-Security-Policy, bypassing CAPTCHA protections, and injecting hidden iframes/backdoors. Reporting also states the malware can steal credentials and personal data, though one source specifically noted no password harvesting or phishing-page redirection in the analyzed Firefox sample. Named infrastructure includes liveupdt.com, with additional domains such as dealctr.com, mitarchive.info, and gmzdaily.com reported in related extensions.
The campaign has been linked in reporting to a broader Chinese-linked operation tracked as DarkSpectre, which researchers describe as a long-running, well-funded browser-extension threat actor. GhostPoster has targeted users through official extension marketplaces using legitimate-looking extension themes such as VPN, translation, ad-blocking, weather, and download tools; cited examples include Free VPN Forever, Google Translate in Right Click, Youtube Download, Ads Block Ultimate, and an Opera add-on named Google™ Translate. Mozilla and Microsoft reportedly removed identified extensions from their stores, but already-installed extensions require manual removal.
Groups observed using it
1 distinct threat actor attributed by public researchers.
“LayerX said it found a new cluster of 17 extensions related to GhostPoster impacting Google Chrome and Microsoft Edge.”
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence: 1 technique
Stealth: 1 technique
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Malicious Firefox extension campaign using steganography in a PNG icon to deliver payloads and evade review/static analysis; associated extensions reached ~840k downloads and persisted up to 5 years.
Malicious browser-extension cluster used to hijack affiliate links, inject tracking code, and conduct click/ad fraud across major browsers.
A malicious browser-extension campaign distributing trojanized extensions via official browser stores. Uses steganography to hide payloads in PNG files, delays execution to evade review/scanning, contacts attacker-controlled servers to fetch additional scripts, and performs credential/personal-data theft, affiliate-link hijacking, tracking-script injection, and HTTP header manipulation to weaken security protections.
A malicious browser extension campaign that concealed malicious code inside seemingly benign PNG image files to evade detection, leveraging shared backend infrastructure across multiple add-ons and focusing on stealth/persistence across Edge, then Chrome and Firefox.