GhostPoster Browser Malware Hid for 5 Years With 840,000 Installs
hackread.com
Researchers uncover a 5-year malware campaign using browser extensions on Chrome, Firefox and Edge, relying on hidden payloads and shared infrastructure.
What started as a single suspicious browser add-on has grown into a much larger cybersecurity concern that many users never saw coming. Last month, Koi Security published an analysis of a Firefox extension it named GhostPoster, describing a method of abuse that avoided the usual warning signs reviewers look for when scanning browser extensions.
GhostPoster’s modus operandi included hiding the payload inside a harmless-looking PNG image file. That image was later decoded and executed, allowing the extension to bypass static analysis tools and manual reviews without raising suspicion.
LayerX After Koi Security
After Koi shared its findings, LayerX began tracing the infrastructure behind the extension. Their investigation revealed 17 more add-ons using the same backend systems and operating playbook. Combined, those extensions were installed more than 840 ...
Copyright of this story solely belongs to hackread.com.

