GhostPoster Malware Hides Malicious Code in Logos of 17 Firefox Extensions

533/68 Thursday, December 18, 2025

Cybersecurity researchers have uncovered a new malware campaign dubbed “GhostPoster”, which was distributed through 17 Firefox browser extensions with a combined total of more than 50,000 downloads. The malware uses steganography to conceal malicious JavaScript code inside the image files used as extension logos, allowing it to evade browser security detection mechanisms.

GhostPoster’s operation is designed to be difficult to detect. After installation, it remains dormant for approximately 48 hours before activating, and it connects to the attackers’ servers in only about 10% of its execution attempts to retrieve the main command payload. Once active, the malware manipulates browser behavior, including affiliate link hijacking to steal commissions, disabling certain web security features, and bypassing bot protection mechanisms such as CAPTCHA.

The malicious extensions often impersonate popular tools, using names such as Free VPN Forever, Dark Reader for FF, Google Translate Pro, and YouTube Downloader. Experts advise users to review the list of installed extensions on their systems and immediately remove any suspicious entries. Users are also encouraged to change account passwords as a precaution, since the backdoors created by the malware could later be abused to conduct further attacks or steal sensitive information.

Source: https://www.bleepingcomputer.com/news/security/ghostposter-attacks-hide-malicious-javascript-in-firefox-addon-logos/