Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Warning Over “Industrialized” Cyber-Attacks by Ransomware Gang

July 3, 2026

Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts

July 3, 2026

AI is Already Powering Cyber-Attacks. Can it Power Cyber Defense?

July 3, 2026
Facebook X (Twitter) Instagram
Friday, July 3
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts
News

Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts

Team-CWDBy Team-CWDJuly 3, 2026No Comments4 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Microsoft has shut down a long-running malicious extension operation on the Edge Add-ons store that hid its payloads inside ordinary image and font files, then woke up days after install to steal credentials and run ad fraud.

The company calls it StegoAd, a mash-up of steganography and adware, and ties 119 extensions to a single threat actor it says has been active since at least 2021.

The extensions were the kind people install without a second thought: ad blockers, VPNs, translators, video downloaders. Each one did its job and earned reviews. The malicious code stayed dormant until the extension cleared a stack of evasion checks, which is how it sat in the store for years.

Combined, the 119 extensions had an install base of up to 2.6 million users. Microsoft is clear that this is a ceiling, not a victim count.

A multi-day delay, server-side validation, and a 10% execution gate on some variants meant the payload never fired for many installs. How many people were actually compromised is not known.

Code hidden in pictures and fonts

The trick that names the campaign is steganography: tucking executable code inside files that look completely normal. The earliest variants appended JavaScript after the IEND marker of a PNG icon, so the image rendered fine everywhere while carrying a payload that static scanners never flagged.

As detection caught up, the actor moved to WebP images, then to WOFF2 font files, hiding code in glyph ranges that read as Asian text or font metadata. Microsoft calls steganography at this scale rare in the browser extension ecosystem.

Some high-impact variants did not even ship the payload locally. They fetched a normal-looking image from a command-and-control server. The extension decoded it through layers of case swaps, digit swaps, Base64, and XOR, then checked it against a signature before running it.

The C2 server only served the real file to requests that passed a fingerprint and a User-Agent check; anyone probing it directly, researchers included, got an empty decoy response.

Extensions also watched for open DevTools and extended their dormancy if they spotted an analyst looking.

Ad fraud on top, credential theft underneath

The visible damage was ad fraud: injected ads, hijacked affiliate commissions on Amazon, eBay, and AliExpress, and redirected searches, all skimming money while degrading browsing.

Microsoft’s analysis of retrieved payloads found a lot more underneath. The payloads included a remote code execution backdoor that ran arbitrary JavaScript pushed from the server. They also stole Google credentials and second-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies in bulk for session hijacking.

Microsoft says seven Google Analytics tracking IDs appear to have served as covert telemetry, giving the operator near real-time dashboards on the campaign through Google’s own infrastructure.

The plumbing matched the ambition. Microsoft counts more than ten C2 domains with automatic failover. The actor proxied traffic through Cloudflare Workers and abused GitHub Pages to host beacons.

A polymorphic framework ran across roughly 66 extensions under 15-plus naming variants, and the operation migrated from Manifest V2 to V3 as the actor adapted to platform changes.

What to do

Microsoft says it has removed all 119 extensions and suspended the 90-plus developer accounts behind them. The full list of extension IDs is in the company’s technical report.

Open edge://extensions and compare your installed add-ons against that list. If anything matches, or if Edge removed one automatically, treat the browser as exposed. Change passwords for Google, WordPress, banking, and other sensitive accounts.

Review recent sign-in activity, and turn on strong two-factor authentication. Hardware security keys hold up against this kind of credential theft in a way that SMS codes do not. Microsoft published indicators of compromise for use across Chrome, Firefox, and other Chromium browsers.

StegoAd looks less like a new campaign than a new face on a known one. Its credential payload exfiltrates to mitarchive.info, a domain Koi Security ties to DarkSpectre, the Chinese operation it linked in December to the ShadyPanda and GhostPoster extension campaigns.

The connection goes beyond the domain. StegoAd hides code inside an extension’s own icon, the same method GhostPoster used months earlier. The two even share extension names, such as Ads Block Ultimate.

Microsoft has not named the actor, but the overlap is clear. The operator is still active, Microsoft says.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleAI is Already Powering Cyber-Attacks. Can it Power Cyber Defense?
Next Article Warning Over “Industrialized” Cyber-Attacks by Ransomware Gang
Team-CWD
  • Website

Related Posts

News

Warning Over “Industrialized” Cyber-Attacks by Ransomware Gang

July 3, 2026
News

Qilin Dominates Ransomware Market – Infosecurity Magazine

July 3, 2026
News

Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

July 3, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Why children’s data is a long-term identity risk

June 3, 2026

How it preys on personal data – and how to stay safe

October 23, 2025

The quest for greater tech independence

May 19, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.