An active malware campaign dubbed GhostPoster is abusing an unusual technique to infect Firefox browsers by embedding malicious JavaScript directly inside extension logo images. Researchers report that over 50,000 users have already installed compromised add-ons without realizing they were infected.

Research by cybersecurity firm Koi Security revealed that at least 17 Firefox extensions were modified to execute hidden malicious code. The attack relies on steganography, embedding a malicious loader into the raw bytes of a PNG logo file that Firefox automatically fetches when an extension loads.
Once installed, the code remains dormant for up to 48 hours and only retrieves its payload in roughly 10% of sessions. This delayed and probabilistic execution makes the campaign extremely difficult to detect using traditional security tools.
The compromised extensions grant attackers full browser control, allowing them to hijack affiliate links, inject tracking code, strip security headers, and maintain persistent command-and-control access.
Free VPN extensions for Firefox appear to be the primary infection vector, but researchers also identified compromised add-ons for translation, weather, and ad-blocking services. At the time of discovery, all affected extensions were still available on the official Firefox Add-ons marketplace.
Security experts note that GhostPoster represents a shift toward stealth-first malware campaigns, prioritizing long-term persistence and invisibility over rapid mass infection.
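
A defender auditing extension icons can check each PNG for bytes an image decoder never reads. The following is an added example, not code from Koi Security or from the article; it assumes the hidden data sits after the final `IEND` chunk or in a chunk with a broken CRC (the article does not say which embedding method GhostPoster uses), and `scan_png`, `sample_png` and the sample bytes are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def scan_png(data: bytes) -> dict:
    """Walk the chunk list and report bytes an image decoder would ignore."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    offset, chunks, bad_crc = len(PNG_SIGNATURE), [], []
    while offset + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[offset:offset + 8])
        end = offset + 12 + length          # length + type + body + CRC
        if end > len(data):
            break                           # declared length overruns the file
        body = data[offset + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        name = ctype.decode("latin-1")
        if zlib.crc32(ctype + body) != crc:
            bad_crc.append(name)
        chunks.append(name)
        offset = end
        if ctype == b"IEND":                # decoders stop reading here
            break
    trailing = data[offset:]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in trailing)
    return {
        "chunks": chunks,
        "bad_crc": bad_crc,
        "trailing_bytes": len(trailing),
        "trailing_text_ratio": printable / len(trailing) if trailing else 0.0,
        "suspicious": bool(trailing or bad_crc) or chunks[-1:] != ["IEND"],
    }

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")       # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))

if __name__ == "__main__":
    tampered = sample_png() + b"// constructed trailer, not a real payload\n"
    for label, blob in (("clean", sample_png()), ("tampered", tampered)):
        print(label, scan_png(blob))
```

A clean result here does not rule out data hidden in pixel values or in well-formed ancillary chunks, so treat it as one signal alongside a review of what the extension's scripts do with the image bytes.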

GhostPoster demonstrates how trusted browser extension ecosystems can be abused to silently monetize users and compromise their security. The campaign highlights the importance of limiting installed extensions and continuously reviewing browser add-ons, even those that appear legitimate.