GhostPoster Browser Extensions Reached 840,000 Installs Before Removal From Stores

Security researchers have uncovered a large-scale malicious browser extension campaign known as GhostPoster that accumulated approximately 840,000 installs across Google Chrome, Microsoft Edge, and Mozilla Firefox before the affected extensions were removed from official add-on stores.

The GhostPoster campaign relied on browser extensions that appeared legitimate but concealed malicious JavaScript code inside image files. This technique allowed the extensions to activate tracking and monetization abuse after installation while evading static scanners and marketplace review processes, which inspect script files rather than image assets.

How the GhostPoster Campaign Was Discovered

The GhostPoster campaign was first documented in December after researchers from Koi Security identified suspicious behavior in several browser extensions that were reading and parsing their own image files in unexpected ways.

While browser extensions commonly load icon files for display purposes, investigators observed extensions scanning the raw byte data of these images and extracting content that was not part of the visible image itself. Further analysis revealed that malicious JavaScript code was embedded directly inside PNG files and executed at runtime.

Subsequent research by browser security platform LayerX confirmed that the GhostPoster operation remained active even after initial disclosures. According to the researchers, multiple extensions linked to the campaign continued to operate across browser ecosystems for months, despite earlier reports.

At least 17 browser extensions were ultimately attributed to the GhostPoster campaign. These extensions were distributed through official extension marketplaces and presented themselves as common utilities, including translation tools, ad blockers, screenshot utilities, downloaders, and free VPN services.

How GhostPoster Extensions Operated After Installation

Once installed, GhostPoster extensions activated a staged execution process designed to avoid detection during initial review. The malicious code was not stored directly in JavaScript source files where scanners would normally inspect it. Instead, execution was deferred until runtime.

The extensions retrieved obfuscated payloads from attacker-controlled servers only after installation. This behavior reduced the likelihood that static analysis or brief behavioral checks would detect the malicious activity during marketplace review.

Researchers observed that GhostPoster primarily engaged in browser-level monetization abuse. The malware monitored browsing activity, intercepted affiliate links on major e-commerce platforms, injected invisible iframes into web pages, and generated fraudulent ad impressions and clicks.

While the documented behavior focused on advertising fraud and tracking, browser extensions inherently operate with elevated permissions. Once granted access, malicious extensions can read page content, modify network requests, inject scripts, and interfere with browser security mechanisms.

Steganography and Multi-Stage Payload Delivery

One of the defining characteristics of the GhostPoster malware was its use of steganography. Instead of storing malicious code in plain JavaScript files, the campaign embedded executable payloads inside PNG image files associated with the extensions.

The technique involved appending JavaScript code after the legitimate image data within the file. The image displayed normally in the browser toolbar, raising no visual suspicion. However, at runtime, the extension scanned the raw image bytes for a specific marker and extracted everything beyond that point.

This extracted data acted as a loader rather than the final payload. Its sole purpose was to contact command-and-control servers and fetch additional code when conditions were met.

The staged design provided several advantages to the attackers. Security scanners examining extension source files would find no obvious malicious scripts. Code reviewers would see normal-looking assets. The actual malware existed only briefly in memory and could be updated remotely.

Advanced GhostPoster Variants and Execution Delays

Most GhostPoster extensions followed a similar execution pattern, but researchers identified more advanced variants associated with certain extensions, including an add-on labeled Instagram Downloader.

In these cases, the malicious staging logic was moved into the extension’s background script rather than being triggered from a visible component. A bundled image file served as a covert payload container separate from the extension icon.

At runtime, the background script scanned the image’s raw byte sequence for a delimiter, extracted the concealed payload, decoded it, and executed it as JavaScript.
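The two passages above describe the same trick from the defender's side: a PNG renders normally because decoders stop at the IEND chunk, so anything appended after it is invisible to the toolbar yet available to a script that reads the raw bytes. The following Python script is an added detection example, not code from the article or from the researchers cited in it. It walks a PNG's chunk list, measures what lies past IEND, and flags trailers that look like text or contain script tokens; the sample icon, the appended marker and the JavaScript-looking text are all constructed here for the demonstration, and the heuristic token list is an assumption rather than an indicator from the report.

```python
import struct
import zlib
from pathlib import Path
from typing import Dict, Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Tokens common in JavaScript and unlikely in image data.
# Constructed heuristic list, not indicators from the GhostPoster report.
JS_HINTS = (b"function", b"eval(", b"fetch(", b"atob(", b"chrome.", b"browser.",
            b"document.", b"XMLHttpRequest", b"=>")


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 RGBA PNG used as sample input; any PNG decoder renders it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit depth, RGBA
    scanline = b"\x00" + b"\x00\x00\x00\xff"             # filter byte + one opaque pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline)) + png_chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk list and return the offset just past the IEND chunk.
    Returns None if the data is not a structurally valid PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):           # length(4) + type(4) + crc(4)
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        chunk_end = pos + 12 + length
        if chunk_end > len(data):
            return None                    # truncated chunk
        if ctype == b"IEND":
            return chunk_end               # decoders stop here; later bytes are ignored
        pos = chunk_end
    return None                            # no IEND found


def analyze_png(data: bytes) -> Dict[str, object]:
    """Report whether a PNG carries data past IEND and whether it looks like script."""
    end = png_end_offset(data)
    if end is None:
        return {"valid_png": False, "trailer_len": 0, "printable_ratio": 0.0,
                "js_hints": [], "suspicious": True}
    trailer = data[end:]
    printable = sum(1 for b in trailer if 32 <= b < 127 or b in (9, 10, 13))
    ratio = printable / len(trailer) if trailer else 0.0
    hints = [h.decode() for h in JS_HINTS if h in trailer]
    # A mostly-text trailer, or one carrying script tokens, is the pattern to flag.
    suspicious = len(trailer) > 0 and (bool(hints) or (len(trailer) >= 64 and ratio > 0.9))
    return {"valid_png": True, "trailer_len": len(trailer),
            "printable_ratio": round(ratio, 3), "js_hints": hints, "suspicious": suspicious}


def scan_extension_dir(root: str) -> Dict[str, Dict[str, object]]:
    """Analyze every .png under an unpacked extension directory (hypothetical path)."""
    return {str(p): analyze_png(p.read_bytes()) for p in Path(root).rglob("*.png")}


# Constructed samples: a clean icon, and the same icon with a marker and
# JavaScript-looking text appended after IEND (inert; points at example.invalid).
CLEAN_ICON = build_minimal_png()
TAMPERED_ICON = (CLEAN_ICON + b"\n//--marker--\n"
                 + b"function stage(){return fetch('https://example.invalid/');}")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICON), ("tampered", TAMPERED_ICON)):
        print(name, analyze_png(blob))
```

Running `scan_extension_dir` against an unpacked extension (for Chrome, the profile's Extensions folder; the path is yours to supply) gives a per-file report. Any nonzero trailer deserves a look, since legitimate icons end at IEND; the text-ratio and token checks only rank which files to open first, and an encoded or encrypted trailer will still show up by length alone.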

Execution was intentionally delayed. Some GhostPoster variants waited several days after installation before contacting remote servers. Others used probabilistic execution, fetching the payload only a small percentage of the time. These delays made behavioral analysis unreliable and significantly reduced the chance of detection.

Researchers noted that this evolution reflected an effort to maintain long-term persistence within browser ecosystems rather than rapid exploitation.

Browser Extensions Linked to the GhostPoster Campaign

LayerX identified the following extensions as part of the GhostPoster operation, along with reported installation counts at the time of analysis:

  • Google Translate in Right Click with 522,398 installs
  • Translate Selected Text with Google with 159,645 installs
  • Ads Block Ultimate with 48,078 installs
  • Floating Player PiP Mode with 40,824 installs
  • Convert Everything with 17,171 installs
  • Youtube Download with 11,458 installs
  • One Key Translate with 10,785 installs
  • AdBlocker with 10,155 installs
  • Save Image to Pinterest on Right Click with 6,517 installs
  • Instagram Downloader with 3,807 installs
  • RSS Feed with 2,781 installs
  • Cool Cursor with 2,254 installs
  • Full Page Screenshot with 2,000 installs
  • Amazon Price History with 1,197 installs
  • Color Enhancer with 712 installs
  • Translate Selected Text with Right Click with 283 installs
  • Page Screenshot Clipper with 86 installs

Researchers reported indicators suggesting that the GhostPoster campaign first appeared within the Microsoft Edge add-on ecosystem before expanding to Firefox and Chrome.

Long-Term Marketplace Exposure and Oversight Gaps

One of the most concerning aspects of the GhostPoster campaign was its longevity. Some of the identified extensions had been present in official browser stores since at least 2020.

This prolonged exposure highlights ongoing challenges faced by browser extension marketplaces. Even when extensions undergo initial review, malicious behavior can be concealed through obfuscation, delayed execution, and staged activation.

In several cases, updates introduced new functionality long after approval, allowing malicious behavior to appear well after the review window had closed.

Why GhostPoster Posed a Serious Security Risk

The danger of GhostPoster was not limited to advertising abuse. The malware operated at the browser level, granting attackers visibility into nearly all web activity performed by the affected user.

Researchers documented capabilities that included traffic interception, security header stripping, CAPTCHA bypass techniques, and persistent background communication with attacker-controlled infrastructure.

By removing protections such as Content Security Policy and frame restrictions, GhostPoster weakened browser defenses designed to prevent clickjacking and script injection attacks.

Because extensions update automatically, attackers retained the ability to modify payload behavior at any time. This meant that users who initially experienced only tracking abuse could later be exposed to credential theft, phishing, or additional malware delivery.

Current Status of the GhostPoster Extensions

Mozilla and Microsoft confirmed that extensions associated with the GhostPoster campaign were removed from their respective add-on stores. Google also confirmed the removal of the identified extensions from the Chrome Web Store.

However, removal from extension marketplaces does not automatically uninstall add-ons from user devices. Users who installed the extensions prior to removal may remain exposed until they manually remove the affected add-ons.

If you recognize any of the extension names listed above, removal should be treated as a priority. Begin by uninstalling the extension directly from your browser before scanning your system for related threats.

Scan Your Computer With Malwarebytes

The most reliable way to detect and remove components associated with GhostPoster is to run a full system scan using a dedicated anti-malware solution. We recommend Malwarebytes for Windows and macOS because it specializes in detecting malicious browser extensions, adware, and hidden persistence mechanisms.

  1. Download Malwarebytes from the official site and install it on your system.
  2. Allow the program to update its threat definitions.
  3. Run a full system scan to detect malicious extensions and related files.
  4. Quarantine all detected items and restart your system if prompted.

Scan Mobile Devices if Applicable

Although GhostPoster primarily targeted desktop browsers, users who installed companion apps or experienced suspicious behavior on mobile devices should also scan their phones.

Install Malwarebytes for Android or iOS and perform a device scan to identify adware, unsafe apps, and configuration changes.

Post-Removal Security Steps

  • Review all installed browser extensions and remove any that are unnecessary or unfamiliar.
  • Reset your browser homepage and default search provider.
  • Clear cookies and site data for sensitive accounts.
  • Change passwords for accounts accessed while the extension was installed.
  • Enable multi-factor authentication where available.

How to Avoid Malicious Browser Extensions

GhostPoster demonstrates how malicious actors exploit trust in official marketplaces. To reduce future risk, install extensions only when necessary and verify developer reputation carefully.

Avoid free VPN and utility extensions that promise broad functionality without transparency. Keep browsers updated, audit installed extensions regularly, and use layered security tools to detect threats that evade traditional antivirus solutions.

For continued coverage of emerging threats and browser-based malware, follow our latest malware research and security reports.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.