
Malware Spreads Across Chrome, Firefox, and Edge with Over 800,000 Downloads

Security researchers from Koi Security and LayerX have issued a global warning after uncovering a large-scale malware campaign known as GhostPoster, which has been spreading through malicious browser extensions on popular web browsers. The attack affects Google Chrome, Microsoft Edge, and Mozilla Firefox, with some infected extensions reportedly operating unnoticed since as early as 2020.

What makes GhostPoster especially dangerous is its stealthy design. Instead of embedding malicious code directly, the malware hides its payload inside PNG image files, typically used as extension logos. These images act as a delivery channel to download the main malware from attacker-controlled servers, allowing it to bypass traditional security scans.

17 Dangerous Browser Extensions Identified

Researchers identified 17 malicious extensions that should be removed immediately. Many of them appear to be useful tools and have extremely high download counts. The most notable example is Google Translate in Right Click, which alone accumulated over 522,398 installs. Other infected extensions include Translate Selected Text with Google, Ads Block Ultimate, YouTube Download, Instagram Downloader, Cool Cursor, and Full Page Screenshot.

Users are urged to carefully check extension names, as these tools closely mimic legitimate software and can be difficult to distinguish at a glance.

How GhostPoster Operates

GhostPoster is designed to evade detection by delaying its activity. After installation, the malware remains dormant for up to 48 hours before activating. It only connects to command servers under specific conditions, making its behavior harder to analyze.

Once active, GhostPoster can hijack affiliate commissions from online shopping, inject tracking scripts to monitor browsing behavior, bypass CAPTCHA systems, and use infected machines to perform fraudulent ad clicks. All of this generates revenue for attackers without the user’s knowledge.

Privacy and Performance Risks

Although researchers confirm that GhostPoster does not primarily target passwords or direct financial phishing, its impact on user privacy and browser security is severe. The malware lowers browser security protections, making it easier for additional malicious systems to access the device.

Users may notice slower system performance, frequent browser freezes, or unexpected behavior such as page redirects or abnormal CPU usage. These symptoms can serve as early warning signs of infection.

Immediate Action Required

All identified malicious extensions have already been removed from the Chrome Web Store, Microsoft Edge Add-ons, and Firefox Add-ons. However, extensions previously installed will not be removed automatically. Infected extensions will remain active until users manually delete them through the browser’s Manage Extensions menu.

Researchers strongly advise users to check their installed extensions immediately and remove anything suspicious.

Long-Term Protection Tips

To stay protected, users should install browser extensions only when absolutely necessary and choose developers with a proven reputation. If a browser starts displaying unexpected ads, redirects to unknown websites, or behaves abnormally, users should assume a possible extension infection and investigate immediately.

Regular extension audits and removing unused add-ons remain the most effective way to maintain browser security and protect personal data online.


Source: Lifehacker
