top of page

StegoAd: Microsoft Dismantles a Massive Edge Extension Campaign Hiding Malware in Images and Fonts


Microsoft has dismantled StegoAd, a long-running malicious campaign involving 119 Microsoft Edge extensions that collectively reached up to 2.6 million installations. Disguised as legitimate ad blockers, VPNs, translators, and video downloaders, the extensions hid malicious payloads inside seemingly harmless PNG, WebP, and WOFF2 font files using steganography, allowing them to evade detection for years while performing credential theft, ad fraud, and remote code execution.


Phase 1. Legitimate Appearance and Distribution


The attackers published browser extensions that provided the functionality users expected, allowing them to accumulate positive reviews and trust over time.

The malicious extensions appeared to be completely legitimate while remaining available in the Microsoft Edge Add-ons Store for several years.


Phase 2. Stealth and Payload Activation


Instead of embedding obvious malicious code, the operators concealed JavaScript payloads inside image and font files using steganographic techniques.

After installation, the extensions remained dormant for several days while performing multiple anti-analysis checks, including:

  • Multi-day execution delays.

  • Server-side validation.

  • Device fingerprinting.

  • User-Agent verification.

  • Developer Tools detection.

  • Limited execution on only a percentage of installations.

Only after these checks succeeded did the extensions retrieve and execute their hidden payload.


Phase 3. Credential Theft and Ad Fraud


Once activated, the malware executed multiple malicious activities simultaneously.

The campaign injected advertisements, hijacked affiliate commissions from Amazon, eBay and AliExpress, redirected web searches, and generated fraudulent advertising revenue.

At the same time, it stole:

  • Google credentials.

  • WordPress administrator accounts.

  • Authentication cookies.

  • Two-factor authentication (2FA) codes.

Some variants also included a remote JavaScript execution backdoor, allowing attackers to deploy additional payloads dynamically.


Phase 4. Resilient Infrastructure


The operation relied on a sophisticated infrastructure designed for resilience and stealth.

Researchers identified:

  • More than ten command-and-control (C2) domains.

  • Automatic failover mechanisms.

  • Cloudflare Workers used as proxy infrastructure.

  • GitHub Pages hosting communication beacons.

  • Google Analytics identifiers used as covert telemetry channels.

Microsoft also observed significant overlaps with previous browser extension campaigns linked to GhostPoster, ShadyPanda, and DarkSpectre, suggesting the same threat actor or closely related operators remain active.


Defense Measures


  • Review all installed browser extensions and remove unknown or unnecessary add-ons.

  • Compare installed extensions with Microsoft’s published Indicators of Compromise (IoCs).

  • Immediately change passwords for Google, WordPress, banking, and other sensitive accounts if a malicious extension was installed.

  • Enable phishing-resistant multi-factor authentication using hardware security keys whenever possible.

  • Monitor authentication logs for suspicious sign-in attempts.

  • Restrict browser extensions through enterprise security policies.

  • Continuously monitor browser telemetry for anomalous extension behavior.


Conclusions


StegoAd demonstrates how browser extensions continue to represent a powerful attack vector when combined with advanced evasion techniques such as steganography. By hiding malicious payloads inside ordinary images and font files, delaying execution, and validating victims before activation, the attackers successfully operated for years while avoiding detection.

The campaign also highlights a broader trend: modern browser-based threats are evolving beyond simple adware into fully featured credential theft and remote access platforms. Organizations should treat browser extensions with the same level of scrutiny as any other software component and continuously monitor them as part of their endpoint security strategy.



 
 
 

Comentarios


bottom of page