GhostPoster: The Browser Extension That Haunts Firefox from the Inside
- Javier Conejo del Cerro
- 17 Dec 2025
- 4 min read

Ghosts rarely force their way in. They inhabit familiar spaces, blending into the background until their presence becomes impossible to ignore.
GhostPoster follows that exact pattern.
What appeared to be harmless Firefox add-ons — VPNs, translators, ad blockers, weather tools, and dark mode utilities — were in fact vessels for a stealthy malware campaign. By hiding malicious JavaScript inside something as mundane as a logo image, GhostPoster turned trusted browser extensions into long-lived surveillance and fraud engines, quietly haunting users’ browsers long after installation.
Discovered by Koi Security, the campaign affected 17 Firefox add-ons with more than 50,000 combined downloads, all tied to the same backend infrastructure and a single, methodical threat actor.
Phase 1: The Invitation — Familiar Tools, Familiar Trust
The campaign did not rely on exploits or social panic. Instead, it relied on utility and convenience.
GhostPoster add-ons were advertised as:
- Free VPNs
- Screenshot and productivity tools
- Ad blockers
- Weather extensions
- Dark mode utilities
- Unofficial Google Translate variants
These are categories users routinely install without hesitation. Some, like Dark Mode, had been available since October 2024, building credibility over time.
The ghost did not arrive suddenly. It moved in slowly.
Full malicious extension list:
- Free VPN
- Screenshot
- Weather (weather-best-forecast)
- Mouse Gesture (crxMouse)
- Cache - Fast site loader
- Free MP3 Downloader
- Google Translate (google-translate-right-clicks)
- Traductor de Google
- Global VPN - Free Forever
- Dark Reader Dark Mode
- Translator - Google Bing Baidu DeepL
- Weather (i-like-weather)
- Google Translate (google-translate-pro-extension)
- 谷歌翻译
- libretv-watch-free-videos
- Ad Stop - Best Ad Blocker
- Google Translate (right-click-google-translate)
Phase 2: The Hidden Sigil — Malware Inside an Image
The true innovation of GhostPoster lies in its steganographic delivery mechanism.
When an affected extension loads, it fetches what appears to be a benign logo image. Embedded inside this image is hidden JavaScript code, marked by a specific delimiter (“===”). The extension parses the image, extracts the concealed code, and executes it as a loader.
This loader then attempts to contact attacker-controlled servers:
- www.liveupdt[.]com
- www.dealctr[.]com
Crucially, it does not do this immediately or consistently.
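One way to hunt for this delivery pattern from the defender's side, as an added example that is not Koi Security's or the campaign's code: a scanner that flags a logo file carrying bytes after the PNG IEND chunk, or a "===" delimiter followed by script-like text. The page does not say which image format was used, so PNG is assumed here, and the sample image is constructed in the script.

```python
"""Flag image files that carry trailing data or a '===' delimiter followed by
script-like text. Added example, not GhostPoster's or Koi Security's code; PNG
is an assumption and the sample image below is constructed, not a real asset."""
import re
import struct
import zlib
from typing import Optional

# Tokens that rarely appear in pixel data but almost always in a JS loader
SCRIPT_HINTS = re.compile(rb"\b(function|eval|fetch|XMLHttpRequest|setTimeout|document)\b")

def png_payload_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the IEND chunk, or None if not a PNG."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    return None

def scan_image(data: bytes) -> dict:
    """Report trailing bytes past IEND and any '===' delimiter followed by script."""
    findings = {"trailing_bytes": 0, "delimiter": False, "script_like": False}
    end = png_payload_offset(data)
    if end is not None and end < len(data):
        findings["trailing_bytes"] = len(data) - end
    marker = data.find(b"===")
    if marker != -1:
        findings["delimiter"] = True
        findings["script_like"] = bool(SCRIPT_HINTS.search(data[marker + 3:]))
    findings["suspicious"] = findings["trailing_bytes"] > 0 or findings["script_like"]
    return findings

def make_png(extra: bytes = b"") -> bytes:
    """Build a minimal 1x1 PNG (constructed sample) with optional appended bytes."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    return b"\x89PNG\r\n\x1a\n" + ihdr + idat + chunk(b"IEND", b"") + extra

if __name__ == "__main__":
    print(scan_image(make_png()))
    print(scan_image(make_png(b"===function x(){setTimeout(fetch,1)}")))
```

Run it over every image bundled in an extension's .xpi; a logo that reports trailing bytes or a script-like tail deserves a manual look before the add-on is trusted.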
Phase 3: The Waiting Ghost — Delays and Probability
To evade detection, GhostPoster layers multiple evasion techniques:
- Time-based delays: the malware remains dormant for more than six days after installation
- Probability checks: payload retrieval occurs only 10% of the time
- Retry intervals: the loader waits 48 hours between attempts
This design dramatically reduces the chances that security tools, researchers, or sandbox environments will observe malicious behavior.
For days, sometimes weeks, the extension appears completely normal.
The ghost waits.
Phase 4: The Manifestation — Monetization Toolkit
When the conditions are met, the loader retrieves a custom-encoded payload that transforms the browser into a monetization engine operating entirely without the user’s knowledge.
The payload enables multiple abuse techniques simultaneously:
- Affiliate link hijacking, intercepting links to e-commerce platforms like Taobao and JD.com
- Tracking injection, adding Google Analytics code to every page visited to silently profile users
- Security header stripping, removing protections such as Content-Security-Policy and X-Frame-Options
- Hidden iframe injection, loading attacker-controlled URLs to perform ad and click fraud
- CAPTCHA bypass, allowing the malware to evade bot detection triggered by its own activity
By stripping browser protections and injecting invisible content, GhostPoster not only commits fraud but actively weakens the user’s security posture.
Phase 5: The Reason for the Mask — Why CAPTCHA Bypass Matters
One of the more revealing capabilities is CAPTCHA bypass.
Hidden iframe injections and automated browsing behaviors often trigger bot detection systems. To continue operating undetected, GhostPoster must convincingly present itself as a human user.
In other words, the malware is aware it is being watched — and it adapts accordingly.
This is not opportunistic adware. It is a deliberate, resilient operation.
Phase 6: One Ghost, Many Faces
Not all 17 extensions used the exact same steganographic chain. However, all of them:
- Exhibited identical malicious behavior
- Communicated with the same command-and-control infrastructure
This strongly indicates a single threat actor or group experimenting with different lures, languages, and extension types to maximize reach while minimizing detection.
The add-ons have since been removed, but the methodology remains viable.
Phase 7: A Pattern, Not an Accident
GhostPoster is not an isolated case. It arrives shortly after:
- A Chrome and Edge VPN extension was caught harvesting AI conversations at scale
- Other “free VPN” tools were exposed collecting screenshots, system data, and geolocation
As Koi Security bluntly put it:
“Free VPNs promise privacy, but nothing in life comes free. Again and again, they deliver surveillance instead.”
GhostPoster fits squarely into this pattern.
Defensive Measures: Breaking the Haunting
Defending against campaigns like GhostPoster requires acknowledging that the browser itself has become an attack surface.
Effective defenses include:
- Auditing installed browser extensions and removing unnecessary ones
- Treating free VPNs and generic utilities as high-risk by default
- Monitoring delayed and probabilistic network connections
- Enforcing browser security headers and detecting their removal
- Blocking extensions that fetch or execute remote code outside their declared purpose
Security cannot rely on initial reviews alone. Persistence is the attacker’s advantage.
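The first of those measures, auditing installed extensions, can be scripted against a Firefox profile's extensions.json; the following is an added example, not Koi Security's tooling. It assumes the record layout of that file (addons[].id, defaultLocale.name, userPermissions.permissions and origins, installDate in milliseconds) and flags add-ons whose name is on the published GhostPoster list or that combine broad host access with the request-interception permissions header stripping and page injection depend on. The profile data below is constructed.

```python
"""Audit Firefox extensions.json for add-ons named in the GhostPoster list or
holding permissions that allow header stripping and page injection. Added
example; the extensions.json layout is assumed and the SAMPLE profile is constructed."""
import json
from datetime import datetime, timezone

# Names taken from the published GhostPoster list (lowercased for matching)
KNOWN_BAD_NAMES = {
    "free vpn", "global vpn - free forever", "dark reader dark mode",
    "ad stop - best ad blocker", "traductor de google", "谷歌翻译",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension rewrite responses or script every tab
RISKY_PERMS = {"webRequest", "webRequestBlocking", "scripting", "tabs", "cookies"}

def audit_extensions(profile_json: str) -> list:
    """Return one finding per active add-on that deserves a second look."""
    findings = []
    for addon in json.loads(profile_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active", True):
            continue
        name = addon.get("defaultLocale", {}).get("name", "")
        user_perms = addon.get("userPermissions", {})
        perms = set(user_perms.get("permissions", []))
        origins = set(user_perms.get("origins", []))
        reasons = []
        if name.strip().lower() in KNOWN_BAD_NAMES:
            reasons.append("name matches GhostPoster list")
        if origins & BROAD_HOSTS and perms & RISKY_PERMS:
            reasons.append("broad host access plus " + ", ".join(sorted(perms & RISKY_PERMS)))
        if reasons:
            installed = datetime.fromtimestamp(addon.get("installDate", 0) / 1000, tz=timezone.utc)
            findings.append({"id": addon.get("id"), "name": name,
                             "installed": installed.date().isoformat(), "reasons": reasons})
    return findings

SAMPLE = json.dumps({"addons": [  # constructed profile, not real data
    {"id": "blocker@example.test", "type": "extension", "active": True,
     "defaultLocale": {"name": "Known Good Blocker"},
     "userPermissions": {"permissions": ["storage"], "origins": []}, "installDate": 1704067200000},
    {"id": "darkmode@example.test", "type": "extension", "active": True,
     "defaultLocale": {"name": "Dark Reader Dark Mode"},
     "userPermissions": {"permissions": ["webRequest", "webRequestBlocking", "tabs"],
                         "origins": ["<all_urls>"]}, "installDate": 1727740800000},
]})

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE):
        print(finding)
```

A permission match alone is not proof of compromise (ad blockers legitimately need webRequestBlocking on all sites), so treat the output as a triage list, with the install date as a hint of how long the add-on has had that access.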
GhostPoster demonstrates how modern malware no longer needs to exploit vulnerabilities or trigger alarms. It only needs to move in quietly and wait.
By hiding inside trusted extensions, disguising code as images, and activating only when conditions are perfect, the malware turns the browser — the most personal interface users have — into a haunted house.
And once the ghost is inside, it does not need to break anything.
It simply watches, redirects, and profits.
The lesson is clear:
If an extension promises convenience or privacy for free, it may already be listening.
Source: The Hacker News
