Microsoft has recently taken action against a significant security threat by removing 119 malicious extensions from the Edge Add-ons store. These extensions, collectively known as ‘StegoAd,’ utilized steganography to conceal harmful code within seemingly innocuous image and font files. This sophisticated method allowed the malware to remain undetected for extended periods, activating only days after installation to execute credential theft and ad fraud.
The affected extensions appeared as legitimate tools, including ad blockers, VPNs, translators, and video downloaders. They functioned as advertised, accumulating user reviews and trust. The malicious code remained dormant until the extensions passed various evasion checks, enabling them to persist in the store for years without detection.
Combined, these 119 extensions had an install base of up to 2.6 million users. However, Microsoft emphasizes that this figure represents the upper limit of potential exposure, not the exact number of compromised users. The malware’s activation was delayed by several days and included server-side validation, with some variants executing the payload in only 10% of installations. Consequently, the precise number of affected users remains unknown.
Steganography: Concealing Code in Media Files
The StegoAd campaign employed steganography to embed executable code within files that appeared normal. Early versions appended JavaScript code after the IEND marker of PNG images, allowing the images to render correctly while carrying hidden payloads that static scanners overlooked. As detection methods improved, the attackers adapted by using WebP images and WOFF2 font files, embedding code in glyph ranges resembling Asian text or font metadata. Microsoft notes that such large-scale use of steganography is rare in the browser extension ecosystem.
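The PNG trick described above (code appended after the IEND chunk) is easy to check for on the defensive side, because a well-formed PNG ends exactly where its IEND chunk ends. The following Python is an added example written for this article, not Microsoft's tooling or code from the campaign: it walks the chunk table, reports any trailing bytes after IEND, and applies a simple printable-text heuristic to flag a trailer that looks like script. The `build_minimal_png` helper constructs a 1x1 sample image inline so the scan runs offline; the C2 URL in the usage line is a constructed placeholder.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Tokens that commonly appear in extension-side JavaScript; purely a heuristic.
SCRIPT_TOKENS = (b"function", b"eval(", b"chrome.", b"fetch(", b"document.", b"<script")


def find_png_trailing_data(data: bytes) -> bytes:
    """Return the bytes that follow the IEND chunk, or b"" for a clean file.

    Each PNG chunk is: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC.
    Renderers stop at IEND, so anything after it is invisible to the viewer but
    still present on disk, which is exactly where appended code hides.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + payload + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk at offset %d" % pos)
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def looks_like_script(trailer: bytes) -> bool:
    """Heuristic: mostly printable ASCII and contains a script-like token."""
    if not trailer:
        return False
    printable = sum(1 for b in trailer if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(trailer) < 0.9:
        return False
    return any(tok in trailer for tok in SCRIPT_TOKENS)


def scan_png(data: bytes) -> dict:
    """Summarise a PNG for triage: trailer size and whether it resembles code."""
    trailer = find_png_trailing_data(data)
    return {"trailer_bytes": len(trailer), "script_like": looks_like_script(trailer)}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    # CRC covers chunk type plus payload, per the PNG specification.
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample input: a valid 1x1 8-bit RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type...
    raw = b"\x00" + b"\x00\x00\x00"  # filter byte followed by one black RGB pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed tampered sample: script appended after IEND, placeholder URL.
    tampered = clean + b"(function(){fetch('https://c2.example.invalid/beacon');})();"
    print("clean:   ", scan_png(clean))
    print("tampered:", scan_png(tampered))
```

Run it over every image in an unpacked extension directory to find files that render fine but carry a payload; a non-empty trailer on an asset that is supposed to be a plain icon is worth a closer look even when the heuristic does not fire, since the same slot can hold encoded rather than plain-text data.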
Some advanced variants did not include the payload locally. Instead, they fetched seemingly normal images from command-and-control (C2) servers. The extensions decoded these images through multiple layers of obfuscation, including case swaps, digit swaps, Base64 encoding, and XOR operations, before verifying a signature and executing the code. The C2 servers delivered the actual payload only to requests that met specific fingerprints and User-Agent checks; direct probes by researchers received empty decoy responses. Additionally, the extensions monitored for open developer tools and extended their dormancy if they detected analysis attempts.
Ad Fraud and Credential Theft
The primary visible impact of the StegoAd campaign was ad fraud. The malicious extensions injected unauthorized ads, hijacked affiliate commissions on platforms like Amazon, eBay, and AliExpress, and redirected search queries, thereby generating illicit revenue while degrading the user experience.
Further analysis of the payloads revealed more severe threats. The malware included a remote code execution backdoor capable of running arbitrary JavaScript pushed from the C2 server. It also stole Google credentials and two-factor authentication codes during sign-in, harvested WordPress administrator logins, and exfiltrated cookies in bulk for session hijacking. Microsoft identified seven Google Analytics tracking IDs used as covert telemetry, providing the attackers with near real-time dashboards of their campaign through Google’s infrastructure.
The operation’s infrastructure was notably robust. Microsoft identified over ten C2 domains with automatic failover mechanisms. The attackers utilized Cloudflare Workers to proxy traffic and abused GitHub Pages to host beacons. A polymorphic framework operated across approximately 66 extensions under more than 15 different names, and the operation transitioned from Manifest V2 to V3 as the attackers adapted to platform changes.
Recommended Actions for Users
In response to this threat, Microsoft has removed all 119 malicious extensions and suspended over 90 developer accounts associated with them. Users are advised to open edge://extensions in their browser and compare their installed add-ons against the list provided in Microsoft’s technical report. If any matches are found, or if Edge has automatically removed an extension, users should consider their browser compromised. It is recommended to change passwords for sensitive accounts, including Google, WordPress, and banking services. Additionally, users should review recent sign-in activity and enable strong two-factor authentication methods, such as hardware security keys, which offer better protection against credential theft compared to SMS codes.
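Comparing the extensions page against a published list by eye is error-prone on a fleet of machines, so here is an added Python example (not Microsoft's tooling) that does the same comparison from disk. It reads the Chromium-style `Extensions\<id>\<version>\manifest.json` layout that Edge uses under `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions` and reports any installed extension ID found in an indicator list. The IDs in `SAMPLE_IOC_IDS` are constructed placeholders, not real indicators; replace them with the IDs from Microsoft's technical report. `build_sample_profile` creates a throwaway profile directory so the check runs offline.

```python
import json
import os
import tempfile
from pathlib import Path

# Placeholder IDs (constructed, 32 chars a-p like real Chromium IDs).
# Replace with the IDs published in Microsoft's report.
SAMPLE_IOC_IDS = {"abcdefghijklmnopabcdefghijklmnop"}


def default_edge_extensions_dir() -> Path:
    """Default Edge extension store for the current Windows user's Default profile."""
    return Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft" / "Edge" / "User Data" / "Default" / "Extensions"


def inventory_extensions(extensions_dir) -> list:
    """Return [{'id', 'name', 'version'}] for every unpacked extension version found."""
    root = Path(extensions_dir)
    found = []
    if not root.is_dir():
        return found
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            with manifest.open(encoding="utf-8") as fh:
                m = json.load(fh)
            # Localised names appear as "__MSG_key__"; the ID is the reliable key anyway.
            found.append({"id": ext_dir.name, "name": m.get("name", "?"),
                          "version": m.get("version", ver_dir.name)})
    return found


def find_matches(inventory: list, ioc_ids) -> list:
    """Installed extensions whose ID appears in the indicator set."""
    wanted = {i.lower() for i in ioc_ids}
    return [e for e in inventory if e["id"].lower() in wanted]


def build_sample_profile() -> Path:
    """Constructed sample: two extensions, one of which matches the placeholder IOC list."""
    base = Path(tempfile.mkdtemp(prefix="edge-ext-sample-"))
    samples = {
        "abcdefghijklmnopabcdefghijklmnop": {"name": "Constructed Ad Blocker", "version": "3.1.4"},
        "ponmlkjihgfedcbaponmlkjihgfedcba": {"name": "Constructed Translator", "version": "1.0.0"},
    }
    for ext_id, manifest in samples.items():
        ver_dir = base / ext_id / (manifest["version"] + "_0")
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(
            json.dumps({"manifest_version": 3, **manifest}), encoding="utf-8")
    return base


if __name__ == "__main__":
    target = default_edge_extensions_dir()
    if not target.is_dir():
        target = build_sample_profile()  # fall back to the constructed sample
    for hit in find_matches(inventory_extensions(target), SAMPLE_IOC_IDS):
        print("MATCH:", hit["id"], hit["name"], hit["version"])
```

A match here is the "consider the browser compromised" case from the guidance above: rotate the passwords for Google, WordPress and banking accounts, review recent sign-in activity, and move the affected accounts to hardware-key second factors. Pass a different profile path (for example `Profile 1` instead of `Default`) to cover every profile on the machine.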
Microsoft has also published indicators of compromise applicable to Chrome, Firefox, and other Chromium-based browsers, emphasizing the widespread nature of this threat.
The StegoAd campaign appears to be a new iteration of known malicious activities. The credential theft payloads exfiltrated data to mitarchive.info, a domain previously linked to the DarkSpectre operation, which has connections to the ShadyPanda and GhostPoster extension campaigns. Both StegoAd and GhostPoster employed similar techniques, such as hiding code within an extension’s icon and sharing extension names like ‘Ads Block Ultimate.’ While Microsoft has not officially named the threat actor, the overlaps suggest a clear connection, and the operator remains active.
This incident underscores the evolving sophistication of cyber threats targeting browser extensions. Users should exercise caution when installing extensions, even those that appear legitimate, and regularly review and manage their browser add-ons to maintain security.