Hidden malware found in 119 Microsoft Edge extensions with millions of installs


Microsoft has removed 119 malicious extensions from the Edge Add-ons store after uncovering a long-running campaign that used hidden code to steal user data and carry out ad fraud.

The campaign, called ‘StegoAd,’ had been active since at least 2021. The extensions were disguised as popular tools such as ad blockers, VPNs, translators, and video downloaders.

Microsoft said the extensions were installed up to 2.6 million times, although that number does not represent confirmed victims. Many of the extensions never activated because they included delays and security checks before running the hidden payloads.

The attackers hid malicious code inside image and font files, allowing it to avoid detection. Some versions downloaded additional code from remote servers only after confirming the target met specific conditions.
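The hiding technique described above leaves a trace a defender can look for: an image or font file in an extension package that carries bytes beyond its format's logical end, or that contains script-like text. The following is an added example (not Microsoft's detection logic and not code from the campaign) that scans an unpacked extension directory, reports PNG files with data after the IEND chunk, and greps binary assets for a handful of JavaScript tokens. The file names, the token list and the sample package it builds for its own demo are all constructed.

```python
"""Flag asset files in an unpacked browser-extension directory that look like
carriers for smuggled code: PNGs with trailing bytes after IEND, or image/font
files containing script-like tokens.  Heuristic, constructed example."""
import struct
import tempfile
import zlib
from dataclasses import dataclass, field
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Asset types an extension commonly ships and a payload could hide in.
ASSET_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".woff", ".woff2", ".ttf", ".otf"}
# Tokens that have no business appearing inside a picture or a font (constructed list).
SUSPECT_TOKENS = (b"eval(", b"Function(", b"chrome.runtime", b"fetch(", b"document.cookie")


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list; return the byte count after IEND, or -1 if not a PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # length + type + payload + CRC
        if ctype == b"IEND":
            return len(data) - end          # 0 for a well-formed file
        pos = end
    return -1                               # truncated or malformed chunk list


def find_script_tokens(data: bytes) -> list:
    """Return the suspect tokens present anywhere in the file body."""
    return [t.decode() for t in SUSPECT_TOKENS if t in data]


def scan_package(root: Path) -> list:
    """Return a Finding for each asset file under root that trips a heuristic."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in ASSET_SUFFIXES:
            continue
        data = path.read_bytes()
        reasons = []
        trailing = png_trailing_bytes(data)
        if trailing > 0:
            reasons.append(f"{trailing} bytes after PNG IEND")
        tokens = find_script_tokens(data)
        if tokens:
            reasons.append("script-like tokens: " + ", ".join(tokens))
        if reasons:
            findings.append(Finding(path.relative_to(root).as_posix(), reasons))
    return findings


def make_png() -> bytes:
    """Build a valid 1x1 RGB PNG so the demo has a clean baseline (constructed)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def demo() -> dict:
    """Write a throwaway package with clean and tampered assets, scan it, return results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "icons").mkdir()
        (root / "fonts").mkdir()
        (root / "icons" / "clean.png").write_bytes(make_png())
        # Constructed: script appended after a valid image.
        (root / "icons" / "logo.png").write_bytes(make_png() + b"/*x*/eval(atob('...'))")
        # Constructed: fake font header with an extension API call embedded.
        (root / "fonts" / "ui.woff").write_bytes(b"wOFF" + b"\x00" * 40 + b"chrome.runtime.sendMessage")
        return {f.path: f.reasons for f in scan_package(root)}


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Run it against a real unpacked extension with `scan_package(Path("/path/to/extension"))`. Both checks are heuristics: some image tools legitimately append metadata after IEND, and a token such as `fetch(` can occur by chance in compressed data, so a hit means "open this file in a hex editor", not "confirmed malicious". The check also says nothing about code fetched from a remote server only after environment checks pass, which the article describes as a second stage; catching that needs runtime or network monitoring rather than static inspection of the package.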

The malware was capable of stealing Google login credentials, two-factor authentication codes, WordPress administrator accounts, and browser cookies. It also included a backdoor that allowed attackers to run remote JavaScript on infected systems.

Microsoft said steganography at this scale is uncommon in browser-extension attacks; it has removed all identified extensions from the Edge Add-ons store.
