Active Exploitation Alert: Microsoft Edge Hit by StegoAd Malware via 119 Malicious Extensions Affecting Over 2.6 Million Users

Executive Summary

Microsoft has recently removed 119 malicious extensions from the Edge Add-ons store after uncovering a sophisticated malware campaign dubbed StegoAd. These extensions, which appeared as legitimate utilities such as ad blockers, VPNs, translators, and video downloaders, leveraged advanced steganography to conceal malware payloads within image and font files. The campaign, attributed to a single threat actor active since at least 2021, resulted in up to 2.6 million installs. The malicious extensions facilitated ad fraud, credential theft, and remote code execution, and are linked to previous campaigns such as ShadyPanda and GhostPoster, with possible ties to the DarkSpectre group.

Technical Information

The StegoAd campaign represents a significant evolution in browser extension threats, combining social engineering, advanced evasion, and steganographic payload delivery.

The infection vector began with the distribution of malicious extensions via the official Microsoft Edge Add-ons store. These extensions masqueraded as popular utilities, complete with legitimate functionality and positive user reviews to evade suspicion. The malicious code within these extensions was engineered to remain dormant for several days, activating only after passing a series of evasion checks. These checks included verifying the absence of open developer tools, server-side validation, and random execution gating to avoid detection by automated analysis systems.

The steganography techniques employed were highly advanced. Initial payloads were hidden as JavaScript code appended after the IEND marker in PNG icon files. As detection improved, the threat actors migrated to using WebP images and eventually WOFF2 font files, embedding code within glyph ranges or font metadata. Some variants fetched images from remote command-and-control (C2) servers, decoding payloads using a combination of case swaps, digit swaps, Base64 encoding, and XOR operations. Execution was further gated by signature checks to ensure only targeted victims received the malicious code.
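The following is an added defender-side example, not code from this report, from Microsoft, or from the campaign itself. It implements the check a triage analyst wants for the "script appended after the PNG IEND marker" trick described above: walk the PNG chunk table to IEND and report anything past it, and apply the equivalent check to the RIFF size field of a WebP file. The sample images are constructed inline, and the appended text is a harmless stand-in for a hidden loader.

```python
"""Detect data appended after the end of a PNG or WebP container.

Added example (not from the report or from Microsoft): a defender-side check
for the "script appended after the PNG IEND marker" technique, generalised to
the RIFF size field of WebP. Sample images are constructed inline; nothing
here comes from a real extension.
"""
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> Optional[bytes]:
    """Return whatever follows the IEND chunk, or None if data is not a PNG.

    Each chunk is: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC.
    A decoder stops at IEND, so bytes after it are never rendered but are
    still readable by a script that fetches the file. Raises ValueError on
    a chunk table that runs past the end of the file.
    """
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated PNG: chunk header missing")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + payload + CRC
        if chunk_end > len(data):
            raise ValueError("truncated PNG: chunk %r exceeds file" % ctype)
        pos = chunk_end
        if ctype == b"IEND":
            return data[pos:]


def webp_trailing_bytes(data: bytes) -> Optional[bytes]:
    """Return bytes beyond the RIFF-declared size, or None if data is not WebP.

    A WebP starts with 'RIFF', a little-endian size covering everything after
    the size field, then 'WEBP'; the file should therefore end at 8 + size.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_size = struct.unpack("<I", data[4:8])[0]
    declared_end = 8 + riff_size
    if declared_end > len(data):
        raise ValueError("truncated WebP: RIFF size exceeds file")
    return data[declared_end:]


def looks_like_text(blob: bytes) -> bool:
    """True when at least 90% of the bytes are printable ASCII or whitespace."""
    if not blob:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return printable / len(blob) >= 0.9


def find_overlay(data: bytes) -> Optional[dict]:
    """Classify the file and describe any overlay; None for unknown formats."""
    for fmt, probe in (("png", png_trailing_bytes), ("webp", webp_trailing_bytes)):
        tail = probe(data)
        if tail is not None:
            return {"format": fmt, "overlay_len": len(tail),
                    "overlay_is_text": looks_like_text(tail)}
    return None


# --- constructed fixtures -------------------------------------------------

def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG built from scratch for the demo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_minimal_webp() -> bytes:
    """A constructed RIFF/WEBP header with a stub chunk; not a decodable image."""
    body = b"VP8 " + struct.pack("<I", 4) + b"\x00" * 4
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


if __name__ == "__main__":
    clean = make_minimal_png()
    planted = clean + b"(function(){/* constructed stand-in for a hidden loader */})();"
    for label, blob in (("clean png", clean), ("png+overlay", planted),
                        ("webp+overlay", make_minimal_webp() + b"\x00\x01")):
        print(label, find_overlay(blob))
```

Run it over every image in an unpacked extension directory and treat a non-zero overlay on an icon as a finding worth a closer look; a text-like overlay is the strongest signal, but an encoded payload will show as binary, so the length alone is the trigger. The check covers only the "data after end of container" variant; code hidden inside WOFF2 glyph ranges or fetched from a C2 server needs a different approach.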

The C2 infrastructure was robust and resilient, utilizing over ten domains with automatic failover, traffic proxying via Cloudflare Workers, and GitHub Pages for beacon hosting. The C2 servers were configured to serve real payloads only to requests with correct fingerprints and User-Agent headers, returning decoy responses to thwart researchers and automated scanners.

Malicious activities included ad fraud through ad injection and affiliate commission hijacking (targeting platforms such as Amazon, eBay, and AliExpress), credential theft (including Google credentials, 2FA codes, and WordPress admin logins), and session hijacking via cookie exfiltration. The extensions also featured a backdoor for arbitrary JavaScript execution, enabling remote code execution on compromised browsers. Telemetry and campaign monitoring were conducted using seven unique Google Analytics tracking IDs.

The campaign demonstrated significant polymorphism, with a codebase spanning over 66 extensions and at least 15 naming variants. The threat actors adapted to browser extension standard changes, migrating from Manifest V2 to V3 as required.

Exploitation in the Wild

The StegoAd campaign has been observed in active exploitation, with up to 2.6 million installs reported. The actual number of victims is likely higher, given the campaign's execution gating and dormancy mechanisms. Impacted users experienced credential theft, ad fraud, session hijacking, and exposure to remote code execution. The extensions' delayed activation and polymorphic payloads enabled them to evade detection for extended periods, complicating incident response and forensic analysis.

APT Groups using this vulnerability

Attribution for the StegoAd campaign has not been officially confirmed by Microsoft, but there is strong overlap with the DarkSpectre group, which has previously been linked to the ShadyPanda and GhostPoster campaigns. The tactics, techniques, and procedures (TTPs) observed align with those documented in the MITRE ATT&CK framework, including JavaScript execution (T1059.007), obfuscated files or information via steganography (T1027), C2 over web protocols (T1071.001), automated collection (T1119), modification of authentication processes (T1556), and phishing (T1566).

Affected Product Versions

The affected products are Microsoft Edge browsers with any of the 119 malicious extensions installed. These extensions were distributed via the official Edge Add-ons store and included popular names such as Ads Block Ultimate, Adblock for Youtube, AI Search GPT for Edge, Free Online Video Downloader, Turbo Download Manager, TikTok APP for Edge, Google Translate in Right Click, Adblocker FX, Image Downloader Pro, Trusted VPN for Edge – Free VeePN, Adblock (µBlock clone), VPN, and Similar Sites – Discover Related Websites. The full list of affected extension names and IDs is available in the Microsoft technical report.

Workaround and Mitigation

Immediate actions recommended include opening edge://extensions and comparing installed add-ons against the list in the Microsoft technical report. If a match is found or if Edge has automatically removed an extension, the browser should be treated as compromised. Users should change passwords for Google, WordPress, banking, and other sensitive accounts, review recent sign-in activity for suspicious logins, and enable strong two-factor authentication, preferably using hardware security keys.

Detection efforts should focus on using IOCs such as domains, extension IDs, and Google Analytics IDs to scan browser extension inventories and network logs. Monitoring for connections to known C2 domains and suspicious GitHub Pages activity is also advised.
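The sweep described in the two paragraphs above, as an added example that is not part of this report and is not Microsoft's or Rescana's tooling. It inventories the extensions installed in an Edge profile, compares their IDs against a block list, and scans proxy log lines for the published C2 domain and any subdomain of it. Assumptions: Edge keeps unpacked extensions at <profile>/Extensions/<id>/<version>/manifest.json (the Chromium layout); the extension IDs in the block list are placeholders to be replaced with the IDs from Microsoft's technical report; the only real indicator is mitarchive[.]info from the IOC table below; the log lines and the fixture profile are constructed.

```python
"""Sweep an Edge profile's extension inventory and proxy log lines against IOCs.

Added example, not from the report or from Microsoft. Assumptions: Edge keeps
unpacked extensions at <profile>/Extensions/<id>/<version>/manifest.json
(the Chromium layout); the extension IDs below are placeholders to be replaced
with the IDs from Microsoft's technical report. The one real indicator is the
domain mitarchive[.]info from the IOC table in this report; the log lines and
the fixture profile are constructed.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Published domain IOC, stored defanged and refanged only for matching.
KNOWN_BAD_DOMAINS = {"mitarchive[.]info"}
# PLACEHOLDER values: replace with the extension IDs listed by Microsoft.
KNOWN_BAD_EXTENSION_IDS = {"PLACEHOLDER_EXTENSION_ID_FROM_MS_REPORT"}

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def default_edge_profile() -> Path:
    """Default Edge profile location on Windows (assumed; adjust for other OSes)."""
    return Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft" / "Edge" / "User Data" / "Default"


def inventory_extensions(profile_dir: Path) -> list:
    """One record per installed extension version, read from its manifest.json."""
    records = []
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return records
    for id_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for manifest in sorted(id_dir.glob("*/manifest.json")):
            try:
                m = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                m = {}  # unreadable manifest is still worth listing
            records.append({
                "id": id_dir.name,
                "version": manifest.parent.name,
                "name": m.get("name", "?"),
                "manifest_version": m.get("manifest_version"),
                "permissions": list(m.get("permissions", [])) + list(m.get("host_permissions", [])),
            })
    return records


def flag_extensions(records, bad_ids=KNOWN_BAD_EXTENSION_IDS) -> list:
    """Return the inventory records whose ID is on the block list."""
    return [r for r in records if r["id"] in bad_ids]


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


def flag_log_lines(lines, bad_domains=KNOWN_BAD_DOMAINS) -> list:
    """Return (line_no, host, line) for lines that contact a bad domain or a subdomain of it."""
    bad = {refang(d) for d in bad_domains}
    hits = []
    for n, line in enumerate(lines, 1):
        for m in DOMAIN_RE.finditer(line):
            host = m.group(0).lower()
            if host in bad or any(host.endswith("." + d) for d in bad):
                hits.append((n, host, line.strip()))
                break
    return hits


# Constructed sample log lines; timestamps and paths are made up, only the IOC domain is real.
SAMPLE_LOG = [
    "2026-06-30T10:00:00Z proxy CONNECT www.microsoft.com:443 allow",
    "2026-06-30T10:00:05Z proxy GET https://mitarchive.info/assets/icon.png allow",
    "2026-06-30T10:00:07Z proxy GET https://example.org/ allow",
]


def build_sample_profile(root: Path) -> Path:
    """Constructed fixture: a profile with one benign and one block-listed extension."""
    fixtures = {
        "CONSTRUCTED_BENIGN_ID": {"name": "Sample Notes", "manifest_version": 3,
                                  "permissions": ["storage"]},
        "PLACEHOLDER_EXTENSION_ID_FROM_MS_REPORT": {"name": "Sample Ad Blocker", "manifest_version": 3,
                                                   "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in fixtures.items():
        ver = root / "Extensions" / ext_id / "1.0.0"
        ver.mkdir(parents=True)
        (ver / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def run_demo() -> dict:
    """Build the fixture in a temp dir, sweep it and the sample log, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        records = inventory_extensions(build_sample_profile(Path(tmp)))
        flagged = flag_extensions(records)
    return {
        "installed": len(records),
        "flagged_ids": [r["id"] for r in flagged],
        "log_hits": flag_log_lines(SAMPLE_LOG),
    }


if __name__ == "__main__":
    print(run_demo())
    # Against a live profile: inventory_extensions(default_edge_profile())
```

The inventory keeps name, manifest version and permissions alongside the ID so that an extension absent from the block list but carrying <all_urls> host permissions under a generic utility name can still be pulled for review; the ID match alone only catches what Microsoft has already published.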

Indicators of Compromise

The following table presents real, published indicators of compromise associated with the StegoAd campaign. Please note that these indicators are point-in-time and should be validated against your environment before enforcement.

Type      Indicator            Reported (date)   Source
Domain    mitarchive[.]info    2026-06-29        The Hacker News

No additional public indicators of compromise were available at the time of writing. For a comprehensive list, refer to the official Microsoft technical report.

References

The Hacker News: Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts
Gridinsoft Blog: StegoAd Edge Extensions Malware
Microsoft Technical Report (linked from The Hacker News)

Rescana is here for you

Rescana provides a comprehensive Third-Party Risk Management (TPRM) platform that empowers organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our platform delivers actionable intelligence, automated workflows, and deep visibility into vendor security posture, helping you stay ahead of emerging threats. For any questions or to request a custom threat assessment, we are happy to assist at info@rescana.com.