- Microsoft shut down a large-scale malicious extension campaign on its Edge Add-ons store, dubbed StegoAd, which had up to 2.6 million potential installs.
- The campaign hid malicious code inside image and font files using steganography, delaying activation for days to evade detection while stealing credentials and committing ad fraud.
- Users should check their installed extensions against Microsoft’s published list and change passwords, as the threat actor remains active.
In a major security crackdown, Microsoft has dismantled a massive, long-running malicious extension operation on its Edge Add-ons store, targeting millions of users with sophisticated credential theft and ad fraud. The campaign, which Microsoft calls StegoAd, cleverly hid its payloads within ordinary image and font files to avoid detection. This operation involved 119 seemingly benign extensions, such as ad blockers and VPNs, that had collectively been installed up to 2.6 million times.
The malicious code remained dormant for days after installation, only activating if it passed a series of evasion checks. Consequently, many users may have been spared the final payload despite having the extension. The attackers employed advanced steganography, embedding executable JavaScript within PNG and WebP images or even WOFF2 font files. Some variants fetched payloads dynamically from command-and-control servers, which only responded to properly fingerprinted requests.
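The summary does not say where inside the images the JavaScript lived, so this added example (not Microsoft's detection logic and not code from the report) shows a check a defender can run over the image files shipped in an extension bundle: it walks a PNG's chunks and flags unknown chunk types, script-like text in metadata chunks, and bytes appended after the IEND chunk, which image decoders silently ignore. The sample images, the chunk whitelist and the marker strings are constructed for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a normal encoder emits; anything else deserves a look.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tRNS",
                b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"pHYs", b"bKGD", b"sBIT", b"hIST",
                b"tIME", b"sPLT", b"eXIf"}
# Heuristic substrings that look like script rather than image metadata.
JS_MARKERS = (b"function", b"eval(", b"chrome.", b"browser.", b"=>", b"fetch(")

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk (length, type, data, CRC); used to build the samples."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def scan_png(data: bytes) -> list[str]:
    """Return findings for one PNG byte string; an empty list means nothing odd."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG"]
    findings, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) < length:  # declared length runs past the end of the file
            findings.append(f"truncated {ctype!r} chunk")
            return findings
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {ctype!r} ({length} bytes)")
        if ctype in (b"tEXt", b"iTXt") and any(m in body for m in JS_MARKERS):
            findings.append(f"script-like text in {ctype.decode()} chunk")
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            break
    if pos < len(data):  # decoders stop at IEND, so trailing bytes are invisible to them
        findings.append(f"{len(data) - pos} bytes after IEND")
    return findings

# Constructed samples: a clean 1x1 grey PNG and a tampered copy of it.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT = png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
CLEAN_PNG = PNG_SIG + png_chunk(b"IHDR", IHDR) + IDAT + png_chunk(b"IEND", b"")
TAMPERED_PNG = (PNG_SIG + png_chunk(b"IHDR", IHDR)
                + png_chunk(b"tEXt", b"Comment\0(function(){fetch('//example.invalid')})()")
                + IDAT + png_chunk(b"IEND", b"") + b"// appended after IEND\n")
```

Run `scan_png` over every `.png` in an unpacked extension directory; a clean file returns an empty list, and any finding is a reason to look at the file by hand rather than proof of malice.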
Meanwhile, the extensions monitored for open developer tools, extending their dormancy if analysis was suspected. The visible impact was ad fraud, including injected ads and hijacked affiliate commissions on major e-commerce sites. However, Microsoft’s analysis revealed a more sinister layer, including a remote code execution backdoor and the theft of Google credentials, second-factor codes, and WordPress admin logins.
The operation’s infrastructure was robust, utilizing over ten command-and-control domains with automatic failover and abusing services like Cloudflare Workers and GitHub Pages. Microsoft has removed all 119 extensions and suspended the associated developer accounts. The company urges users to check their installed extensions against the list in its technical report and change passwords for sensitive accounts. Evidence suggests this campaign is linked to the known threat actor DarkSpectre, indicating the operator remains active.
