GhostPoster Malware Campaign Exploits Firefox Add-Ons to Hijack Browsers

A new malware campaign called GhostPoster has been discovered exploiting 17 Mozilla Firefox browser extensions to deliver malicious JavaScript code capable of hijacking affiliate links, injecting tracking scripts, and performing click and ad fraud. According to security researchers at Koi Security, the affected add-ons were collectively downloaded over 50,000 times before they were removed from distribution. The extensions were marketed as VPNs, ad blockers, screenshot tools, and unofficial Google Translate utilities.

The oldest of the malicious add-ons, Dark Mode, was published on October 25, 2024, and allowed users to enable a dark theme for all websites. Other extensions included Free VPN, Screenshot, Cache-Fast Site Loader, Traductor de Google, Global VPN-Free Forever, and several Google Translate variants. Researchers highlighted that while not all extensions followed the same attack chain, all shared the same command-and-control infrastructure, indicating coordination by a single threat actor or group.

The malware operates by embedding JavaScript within logo files associated with the extensions. When an affected add-on is loaded, the code searches for a marker containing “===” to extract a loader script. The loader reaches out to external servers such as www.liveupdt[.]com and www.dealctr[.]com to fetch the main payload, waiting 48 hours between attempts and executing the payload only 10% of the time to evade detection. This comprehensive toolkit performs multiple operations, including hijacking affiliate links to e-commerce platforms like Taobao and JD.com, injecting Google Analytics tracking code on every visited page, stripping security headers such as Content-Security-Policy and X-Frame-Options, and injecting hidden iframes to facilitate ad and click fraud.

Additional techniques include CAPTCHA bypass mechanisms to ensure automated operations remain undetected and time-based delays preventing activation until six days after installation. The layered evasion techniques make the campaign difficult to identify using traditional monitoring methods. Researchers Lotan Sery and Noga Gouldman explained that these operations monitor browser activity, disable security protections, and open backdoors for remote code execution, exposing users to a wide range of cyber threats.

This development follows a series of incidents targeting browser extension users. In August 2025, a Chrome extension called FreeVPN.One was reported harvesting screenshots, system information, and user location data. More recently, a popular VPN extension for Chrome and Edge was found exfiltrating AI conversations from ChatGPT, Claude, and Gemini to data brokers. Koi Security emphasized that while VPNs promise privacy, malicious extensions can deliver surveillance and monetization mechanisms under the guise of legitimate features.

The GhostPoster campaign highlights the ongoing risks associated with third-party browser extensions and emphasizes the need for vigilance among users and continuous monitoring by security teams. Users are encouraged to review installed add-ons, remove suspicious extensions, and adopt updated cybersecurity practices to mitigate the potential impact of these multi-stage malware threats.
