A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud.
The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available.
These browser programs were advertised as VPNs, screenshot utilities, ad blockers, and unofficial versions of Google Translate. The oldest add-on, Dark Mode, was published on October 25, 2024, offering the ability to enable a dark theme for all websites. The full list of the browser add-ons is below –
- Free VPN
- Screenshot
- Weather (weather-best-forecast)
- Mouse Gesture (crxMouse)
- Cache – Fast site loader
- Free MP3 Downloader
- Google Translate (google-translate-right-clicks)
- Traductor de Google
- Global VPN – Free Forever
- Dark Reader Dark Mode
- Translator – Google Bing Baidu DeepL
- Weather (i-like-weather)
- Google Translate (google-translate-pro-extension)
- 谷歌翻译
- libretv-watch-free-videos
- Ad Stop – Best Ad Blocker
- Google Translate (right-click-google-translate)
“What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away your browser’s security protections, and opens a backdoor for remote code execution,” security researchers Lotan Sery and Noga Gouldman said.
The attack chain begins when the logo file is fetched when one of the above-mentioned extensions is loaded. The malicious code parses the file to look for a marker containing the “===” sign in order to extract JavaScript code, a loader that reaches out to an external server (“www.liveupdt[.]com” or “www.dealctr[.]com”) to retrieve the main payload, waiting 48 hours in between every attempt.
To further evade detection, the loader is configured to fetch the payload only 10% of the time. This randomness is a deliberate choice that’s introduced to sidestep efforts to monitor network traffic. The retrieved payload is a custom-encoded comprehensive toolkit capable of monetizing browser activities without the victims’ knowledge through four different ways –
- Affiliate link hijacking, which intercepts affiliate links to e-commerce sites like Taobao or JD.com, depriving legitimate affiliates of their commission
- Tracking injection, which inserts the Google Analytics tracking code into every web page visited by the victim, to silently profile them
- Security header stripping, which removes security headers like Content-Security-Policy and X-Frame-Options from HTTP responses, exposing users to clickjacking and cross-site scripting attacks
- Hidden iframe injection, which injects invisible iframes into pages to load URLs from attacker-controlled servers and enable ad and click fraud
- CAPTCHA bypass, which employs various methods to bypass CAPTCHA challenges and evade bot detection safeguards
“Why would malware need to bypass CAPTCHAs? Because some of its operations, like the hidden iframe injections, trigger bot detection,” the researchers explained. “The malware needs to prove it’s ‘human’ to keep operating.”
Besides probability checks, the add-ons also incorporate time-based delays that prevent the malware from activating until more than six days after installation. These layered evasion techniques make it harder to detect what’s going on behind the scenes.
It’s worth emphasizing here that not all the extensions above use the same steganographic attack chain, but all of them exhibit the same behavior and communicate with the same command-and-control (C2) infrastructure, indicating it’s the work of a single threat actor or group that has experimented with different lures and methods.
The development comes merely days after a popular VPN extension for Google Chrome and Microsoft Edge was caught secretly harvesting AI conversations from ChatGPT, Claude, and Gemini and exfiltrating them to data brokers. In August 2025, another Chrome extension named FreeVPN.One was observed collecting screenshots, system information, and users’ locations.
“Free VPNs promise privacy, but nothing in life comes free,” Koi Security said. “Again and again, they deliver surveillance instead.”
