VYPR
Advisory · Published Jun 29, 2026 · 1 source

Microsoft Removes 119 Malicious Edge Extensions Hiding Malware via Steganography

Microsoft has removed 119 malicious Edge extensions from its add-ons store, a campaign dubbed StegoAd, which used steganography to conceal malware within image and font files, stealing credentials and engaging in ad fraud.

Microsoft has successfully dismantled a sophisticated and long-running operation involving 119 malicious extensions within its Edge Add-ons store. This campaign, named StegoAd by Microsoft, employed steganography to hide its malicious payloads within seemingly innocuous image and font files, a technique rarely seen at this scale in the browser extension ecosystem. The extensions, which included popular tools like ad blockers, VPNs, translators, and video downloaders, had amassed a combined install base of up to 2.6 million users since at least 2021.

The threat actor behind StegoAd implemented a multi-layered evasion strategy. Malicious code was first hidden within PNG files after the IEND marker, and the technique later evolved to use WebP images and WOFF2 font files, concealing code within glyph ranges or font metadata. This allowed the extensions to function normally and even garner positive reviews while the malicious code remained dormant. A multi-day delay after installation, server-side validation, and a 10% execution gate on some variants ensured that the payload would not trigger immediately, further complicating detection efforts.
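A defender-side check for the first-generation technique described above: a PNG is a signature followed by length-prefixed chunks, and a well-formed file ends at the IEND chunk, so any bytes after it are not image data. The following is an added example written for this page, not code from Microsoft's report; the sample image and the appended payload are constructed inline, and the appended bytes are a harmless placeholder rather than anything from the campaign.

```python
import os
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Walk the chunk list and return how many bytes follow IEND.

    A clean PNG returns 0. Malformed input (bad signature, truncated
    chunk, CRC mismatch, missing IEND) raises ValueError so it can be
    triaged separately instead of silently passing.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # length + type + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        if zlib.crc32(ctype + body) != crc:
            raise ValueError("CRC mismatch on chunk %r" % ctype)
        pos = chunk_end
        if ctype == b"IEND":
            return len(data) - pos                # anything here is appended data
    raise ValueError("no IEND chunk found")


def scan_png_files(root: str) -> dict:
    """Map every .png under an unpacked extension directory to its trailing-byte count."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".png"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings[path] = png_trailing_bytes(fh.read())
    return findings


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed 1x1 grayscale PNG: IHDR, one IDAT (filter byte + one pixel), IEND.
CLEAN_PNG = (PNG_SIGNATURE
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
TRAILING_PAYLOAD = b"// constructed placeholder for data appended after IEND\n"
SUSPICIOUS_PNG = CLEAN_PNG + TRAILING_PAYLOAD
```

Point `scan_png_files` at an unpacked extension and treat any non-zero count as worth a manual look; the same chunk-walk idea applies to WebP (RIFF chunks), though that format is not handled here.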

Some advanced variants of the malware did not even contain the payload locally. Instead, they fetched a normal-looking image from a command-and-control (C2) server. The extension would then decode this image through multiple layers of obfuscation, including case swaps, digit swaps, Base64 encoding, and XOR operations, before checking it against a signature prior to execution. The C2 server was designed to only serve the actual malicious file to requests that passed specific fingerprint and User-Agent checks, returning an empty decoy response to any probing researchers or security tools.

Further complicating analysis, the extensions were programmed to detect and avoid analysis by monitoring for open Developer Tools. If DevTools was detected, the extension would extend its dormancy period, making it even harder to capture and examine the malicious code in action. This sophisticated approach allowed the campaign to persist for years undetected within the official Microsoft Edge Add-ons store.

The visible impact of StegoAd included widespread ad fraud, such as injected advertisements, hijacked affiliate commissions from major e-commerce platforms like Amazon, eBay, and AliExpress, and redirected searches. However, the underlying threat was far more severe. Microsoft's analysis of retrieved payloads revealed a remote code execution backdoor capable of running arbitrary JavaScript pushed from the server. The malware also actively stole Google credentials and second-factor authentication codes during sign-in processes, harvested WordPress admin logins, and exfiltrated cookies for session hijacking.

The infrastructure supporting StegoAd was as ambitious as its attack methods. Microsoft identified over ten C2 domains with automatic failover capabilities. The threat actor leveraged Cloudflare Workers for proxying traffic and abused GitHub Pages to host beacons. A polymorphic framework was employed across approximately 66 extensions, distributed under more than 15 naming variants, demonstrating a high degree of adaptability. The operation also showed a commitment to staying current by migrating from Manifest V2 to V3 as platform changes were introduced.

Microsoft has taken decisive action by removing all 119 identified extensions and suspending the associated 90-plus developer accounts. The company has published a technical report detailing the extension IDs and indicators of compromise (IOCs) for use across various Chromium-based browsers. Users are advised to check their installed Edge extensions against the provided list and, if any match or have been automatically removed, to treat their browser as compromised. This includes changing passwords for sensitive accounts such as Google, WordPress, and banking, and enabling strong two-factor authentication, preferably hardware security keys.

Analysis suggests StegoAd is not an entirely new campaign but rather a new iteration of previously identified operations. The credential exfiltration domain, mitarchive.info, has been linked by Koi Security to the DarkSpectre operation, which was previously associated with the ShadyPanda and GhostPoster extension campaigns. The shared technique of hiding code within an extension's icon, identical to GhostPoster's method, and the use of similar extension names such as 'Ads Block Ultimate' strongly indicate a connection to the same persistent threat actor, whom Microsoft confirms remains active.

Synthesized by Vypr AI