Security researchers have uncovered a new malware campaign dubbed “GhostPoster,” which hides malicious JavaScript code inside the image logos of Firefox browser extensions.
The campaign involves at least 17 compromised Firefox extensions that use steganography to conceal a JavaScript loader within PNG logo files. In one case, the FreeVPN Forever extension was flagged after the researchers observed it parsing the raw bytes of its own logo image to extract and execute hidden code.
Once activated (typically 48 hours after installation), the loader attempts to retrieve a second-stage payload from a hardcoded remote domain, falling back to a backup domain if the first is unreachable. To evade detection, it makes the request on only about 10% of its attempts, so a network monitor or a short dynamic-analysis run may never see the fetch at all, which makes traffic-based monitoring far less effective.
The downloaded payload is heavily obfuscated and encrypted; the loader decrypts it with a key derived from the extension's runtime ID, tying the blob to the installed extension. Once deployed, it grants attackers persistent, high-privilege access to the browser, allowing them to hijack affiliate links, inject Google Analytics tracking into every visited page, strip security headers, bypass CAPTCHA protections, and inject self-deleting invisible iframes for ad and click fraud.
Despite variations in loading techniques, all identified extensions exhibit similar behavior and communicate with the same attacker-controlled infrastructure.
A list of affected extensions and the indicators of compromise (IoCs) for the GhostPoster campaign is available in Koi Security's report.