Security researchers have identified a sophisticated malware campaign, which Koi has named GhostPoster, affecting 17 Firefox browser extensions with a combined installation base exceeding 50,000 users. The investigation, conducted by the Koi research team, uncovered a multi-stage attack that embeds malicious JavaScript inside PNG image files, specifically the extensions' own logo graphics, to evade automated security scanners and manual code review. The flagship extension in the campaign, Free VPN Forever, has been available on the Firefox Add-ons marketplace since September 2025 and had over 16,000 installations as of publication.

The threat was detected when Koi's risk engine, Wings, flagged anomalous file-reading behaviour in Free VPN Forever: rather than simply displaying its logo, the extension was reading the raw bytes of the PNG and running an extraction routine over them. That discovery led to a coordinated infrastructure spanning multiple extensions that promise VPN services, translation tools, weather forecasts and ad blocking while delivering comprehensive browser surveillance and control.

Technical Findings: Analyzing the Four-Stage Infection Chain

The Koi research team documented a sophisticated four-stage infection process that demonstrates operational maturity and deliberate evasion design:

  1. Steganographic Payload Embedding: On initialization, the malware loads its own logo.png through standard browser APIs, then scans the raw byte stream for a three-equals-sign marker (===). Everything after that delimiter is JavaScript appended beyond the end of the valid PNG data. Because PNG decoders stop reading at the IEND chunk, the trailing bytes do not change how the logo renders, and the code slips past static analysis tools that examine JavaScript files but not image assets. (Strictly this is an appended trailer rather than pixel-level steganography, but the evasion effect is the same.)
  2. Delayed Loader Execution: The extracted code is a minimal loader whose only job is to fetch the primary payload from remote command-and-control infrastructure. It waits 48 hours between network requests and, at each check, proceeds only 10% of the time. This sparse, randomized pattern is designed to defeat researchers who observe the extension's network traffic for a limited period.
  3. Custom Encoding and Encryption: The payload served by the primary server www.liveupdt[.]com (or the backup www.dealctr[.]com) is obfuscated and must be decoded in three steps: invert the case of every letter, swap every 8 with a 9 and vice versa, then Base64-decode. The resulting JavaScript is XOR-encrypted with a key derived from the extension's runtime identifier and written to browser storage, so the payload persists across restarts without another network fetch.
  4. Six-Day Activation Delay: The malware stays dormant for at least six days after installation before enabling its full surveillance and monetization capabilities. That dormancy outlasts typical marketplace review and user trial periods, so the extension looks benign exactly when it is most likely to be inspected.

Key Data Points and Indicators

The investigation identified several specific technical artifacts and operational signatures:

  • Command-and-Control Infrastructure: Primary domain www.liveupdt[.]com/ext/rd.php with signature parameter tracking, backup domain www.dealctr[.]com/ext/load.php
  • Tracking Implementation: Google Analytics ID UA-60144933-8 injected into all visited pages
  • Steganographic Marker: Three consecutive equals signs (===) used as delimiter in PNG files
  • DOM Injection Identifiers: Hidden div elements with IDs extwaigglbit and extwaiokist containing installation metadata
  • External CAPTCHA Solver: Resource loaded from refeuficn.github.io for bot detection bypass
  • Activation Probability: 10% payload fetch rate combined with 48-hour interval checks
  • Dormancy Period: Minimum six-day delay before full functionality activation

Contextual Implications: Browser Security Model Circumvention

According to the research, the campaign's effectiveness stems from systematically removing browser-native security protections. The malware strips the Content-Security-Policy and X-Frame-Options headers from every HTTP response on every domain the user visits. CSP restricts where a page may load scripts from and is a site's primary defence against cross-site scripting; X-Frame-Options (and the frame-ancestors directive carried in CSP) controls whether the page may be embedded in a frame, the basis of clickjacking defence. Removing them at the response stage, before the browser processes the page, serves the malware's own needs: its injected scripts run where the site's policy would otherwise block them, and its invisible iframes can embed pages that forbid framing. In the process the extensions silently eliminate protections that web developers and security teams rely on.

The research highlights that this header stripping occurs silently across the entire browsing session, affecting banking sites, email platforms, and any other domains the user visits. The malware maintains persistent access to inject arbitrary code into every page, enabling affiliate link manipulation on e-commerce platforms (specifically Taobao and JD.com according to the investigation), invisible iframe creation for ad fraud operations, and comprehensive tracking of user behavior across domains.

The CAPTCHA bypass mechanisms documented in the research serve a specific operational purpose: the malware's iframe injection and automated link manipulation trigger bot detection systems on target platforms. The extension implements multiple bypass techniques, including invisible overlay simulation, external solver integration, and Baidu authentication status verification, to maintain its fraudulent operations without triggering security alerts.

Recommendations and Future Outlook

The Koi research team's findings indicate several immediate actions for stakeholders based on the documented attack vectors:

  • Extension Marketplace Operators: Subject extensions that request broad permissions to a behavioural-analysis period longer than six days, with network traffic monitoring throughout. Supplement static code analysis with inspection of every bundled asset, images included, for data beyond what the file format specifies (for a PNG, anything after the IEND chunk).
  • Browser Vendors: Introduce restrictions on extensions modifying security-critical HTTP response headers, particularly Content-Security-Policy and X-Frame-Options. Extensions lacking legitimate use cases for header manipulation should be denied this capability through permission model updates.
  • Security Research Teams: Monitor extension network activity over extended windows and detect probabilistic activation rather than fixed beacons. If the loader rolls an independent 10% chance at each 48-hour check, the probability of seeing no fetch after n checks is 0.9^n, so a 95% chance of catching at least one fetch needs about 29 checks, roughly eight weeks of observation, on top of the six-day dormancy.
  • Enterprise Security Organizations: Audit installed browser extensions for network communications with the documented C&C domains (liveupdt[.]com and dealctr[.]com). Review extension permissions for header modification capabilities and DOM injection access across all domains.
  • End Users: Exercise heightened scrutiny toward free VPN extensions and any browser add-ons offering services that typically require infrastructure costs. The Koi team notes this marks the third significant malicious VPN extension campaign documented in recent months, establishing a clear pattern of abuse in this extension category.
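As an added example for the enterprise audit step above (not Koi's tooling), the following triage helper takes an extension's manifest.json and script sources and reports three things: whether the permission set even allows rewriting response headers on arbitrary sites (webRequest plus webRequestBlocking plus an all-hosts match), whether an onHeadersReceived handler appears to drop Content-Security-Policy or X-Frame-Options, and whether any of the indicators published in the report appear. The manifest and scripts are constructed for the demo; the indicator strings are the report's. The header check is a string heuristic, not a JavaScript parser.

```javascript
// Added example (not Koi's tooling). Sample manifest and scripts are
// constructed; IOC strings are taken from the published report.

const REPORT_IOCS = [
  'liveupdt.com',          // primary C2 domain
  'dealctr.com',           // backup C2 domain
  'UA-60144933-8',         // Google Analytics ID injected into pages
  'extwaigglbit',          // hidden div IDs carrying install metadata
  'extwaiokist',
  'refeuficn.github.io',   // external CAPTCHA-solver resource
];

const SECURITY_HEADERS = ['content-security-policy', 'x-frame-options'];

// True when the manifest grants everything needed to rewrite response
// headers on arbitrary sites (MV2 or MV3 host_permissions style).
function canStripHeaders(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const allHosts = perms.some((p) => p === '<all_urls>' || /^\*:\/\/\*\//.test(p));
  return perms.includes('webRequest') && perms.includes('webRequestBlocking') && allHosts;
}

// Heuristic: an onHeadersReceived listener that names a security header and
// filters/deletes from the header array. Returns the headers mentioned.
function findsHeaderStripping(source) {
  if (!/onHeadersReceived/.test(source)) return [];
  if (!/\.filter\(|delete |splice\(/.test(source)) return [];
  const lower = source.toLowerCase();
  return SECURITY_HEADERS.filter((h) => lower.includes(h));
}

function matchIocs(source) {
  return REPORT_IOCS.filter((ioc) => source.includes(ioc));
}

// Combine the checks into one verdict. Known IOCs dominate; an observed
// header-stripping handler comes next; a merely risky permission set is a
// review item, not a verdict.
function triageExtension(manifest, sources) {
  const joined = sources.join('\n');
  const findings = {
    canStripHeaders: canStripHeaders(manifest),
    strippedHeaders: findsHeaderStripping(joined),
    iocs: matchIocs(joined),
  };
  if (findings.iocs.length) findings.risk = 'known-campaign';
  else if (findings.strippedHeaders.length) findings.risk = 'header-stripping';
  else if (findings.canStripHeaders) findings.risk = 'review-permissions';
  else findings.risk = 'none';
  return findings;
}

// --- constructed samples -------------------------------------------------
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Sample VPN (constructed)',
  permissions: ['webRequest', 'webRequestBlocking', '<all_urls>', 'storage'],
};
// Shaped like the behaviour the report describes; the URL uses the report's
// published C2 domain so the IOC match fires.
const SAMPLE_BACKGROUND = `
browser.webRequest.onHeadersReceived.addListener(
  (d) => ({ responseHeaders: d.responseHeaders.filter(
    (h) => !['content-security-policy', 'x-frame-options'].includes(h.name.toLowerCase())) }),
  { urls: ['<all_urls>'] }, ['blocking', 'responseHeaders']);
const beacon = 'https://www.liveupdt.com/ext/rd.php';
`;
const CLEAN_MANIFEST = { manifest_version: 2, name: 'Weather (constructed)', permissions: ['storage'] };
const CLEAN_BACKGROUND = "browser.storage.local.set({ city: 'Oslo' });";

console.log(triageExtension(SAMPLE_MANIFEST, [SAMPLE_BACKGROUND]));
console.log(triageExtension(CLEAN_MANIFEST, [CLEAN_BACKGROUND]));
```

Point it at an unpacked extension directory by reading manifest.json and every .js file into the `sources` array; a `review-permissions` result is common for legitimate ad blockers and privacy tools, so it is a prompt to read the handler, whereas `header-stripping` or `known-campaign` warrants removal.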

Methodology and Attribution

This investigation was conducted by the Koi research team, whose risk engine, Wings, detected the initial anomalous file-reading behaviour in the Free VPN Forever extension. The research involved reverse-engineering the multi-stage infection chain, documenting the encoding and concealment techniques, analyzing network communications with the command-and-control infrastructure, and identifying 16 additional extensions that share the same backend servers. The team continues to monitor the campaign's infrastructure for additional extensions and payload updates while the malware remains active on the Firefox Add-ons marketplace.

Conclusion

The GhostPoster campaign represents a maturation of browser extension-based threats through the integration of steganographic concealment, staged payload delivery, and systematic security control circumvention. The research demonstrates that the primary risk extends beyond the initial infection vector—the ability to update payloads remotely, strip security headers across all browsing activity, and maintain persistent code injection capabilities provides attackers with comprehensive browser control that can be weaponized for purposes beyond the currently observed affiliate fraud and tracking operations. With affected extensions remaining available for installation and the infrastructure actively serving payloads to existing victims, the documented techniques establish a blueprint for future campaigns targeting browser extension ecosystems.

Access Koi's complete technical analysis and indicators of compromise in the full report below.
