Malware GhostPoster In 17 Firefox Add-ons with 50,000+ Downloads

Леонидас

Administrator
Staff member
Mar 26, 2022
California


A new campaign tracked as GhostPoster has hidden malicious JavaScript inside the logo files bundled with seventeen Mozilla Firefox add-ons. The code is designed to hijack affiliate links, inject tracking code, and commit click and ad fraud.

According to Koi Security, which uncovered the campaign, the extensions have been downloaded more than 50,000 times in total. The add-ons are no longer available.

The extensions were marketed as virtual private networks (VPNs), screenshot utilities, ad blockers, and unofficial Google Translate clones. The oldest of them, Dark Mode, was released on October 25, 2024 and let users apply a dark theme to all websites. The full list of add-ons is given below:

Weather (weather-best-forecast) Screenshot of a Free Virtual Private Network
Expression of the Mouse (crxMouse)
"Cache" is a quick website loader.
A Free Downloader for MP3s
To use Google Translate, right-click on the Google Translate icon.
Dark Reader Dark Mode is a free download of the Google Global VPN, which is available forever.
Using Google Bing as a translator (Baidu) I-like-weather, also known as DeepL Weather
(google-translate-pro-extension) Google Translate Google Translate
Free videos that may be viewed on Libertv.
Best Ad Blocker, Ad Stop (Ad Stop)
Right-clicking on Google Translate displays the translation tool.
According to security researchers Lotan Sery and Noga Gouldman, "What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away the security protections contained within your browser, and opens a backdoor for remote code execution."

The attack chain begins when one of the listed extensions is loaded and fetches its logo file. The malicious code scans that file for a marker containing the "===" sign and extracts the JavaScript that follows it: a loader that contacts an external server (such as "www.liveupdt[.]com" or "www.dealctr[.]com") to retrieve the main payload. The loader waits forty-eight hours between attempts.

To evade detection further, the loader is configured to fetch the payload only ten percent of the time. This randomness is a deliberate choice meant to frustrate network-traffic monitoring. The payload that comes back is a comprehensive, custom-encoded toolkit capable of monetizing browser activity without the victims' knowledge through four different methods:

Affiliate link hijacking: steals affiliate links to e-commerce sites such as Taobao or JD.com, robbing legitimate affiliates of their commissions.
Tracking injection: inserts Google Analytics tracking code into every web page the victim visits in order to profile them covertly.
Security header stripping: removes security headers such as Content-Security-Policy and X-Frame-Options from HTTP responses, leaving users exposed to clickjacking and cross-site scripting.
Hidden iframe injection: inserts invisible iframes into web pages to load URLs from attacker-controlled servers, enabling click and ad fraud.
CAPTCHA bypass: uses a variety of techniques to circumvent CAPTCHA challenges and avoid bot-detection protections.
"Why would malicious software desire to circumvent CAPTCHAs?" the researchers asked. The answer is that certain actions, such as the hidden iframe injections, trigger bot detection. "The malware needs to prove it's 'human' to keep operating."

On top of the probability checks, the add-ons also use time-based delays that keep the malware dormant until more than six days after installation. These layered evasion strategies make it harder to discover what is happening behind the scenes.

Not all of the extensions above use the same steganographic attack chain. All of them, however, exhibit the same behavior and communicate with the same command-and-control (C2) infrastructure, which indicates a single threat actor or group that has experimented with a variety of lures and methods.

The disclosure comes just days after a popular VPN extension for Google Chrome and Microsoft Edge was found to be secretly capturing AI conversations from ChatGPT, Claude, and Gemini and exfiltrating them to data brokers. Another Chrome add-on, FreeVPN.One, released in August 2025, was observed collecting screenshots, system information, and user locations.

"Free virtual private networks (VPNs) promise privacy, but nothing in life comes for free," Koi Security warned. "Again and again, they deliver surveillance instead."