Multiple Firefox add-ons infected with 'GhostPoster' malware — how to stay safe

Newly discovered malware named GhostPoster has infected the PNG logo files of 17 Mozilla Firefox browser add-ons. It embeds malicious JavaScript code designed to hijack affiliate links, add tracking code and take over browsers.

According to security researchers at Koi Security, who discovered the malware, the browser extensions have been downloaded more than 50,000 times.

"What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away your browser's security protections, and opens a backdoor for remote code execution," Koi Security researchers Lotan Sery and Noga Gouldman wrote. They initially discovered the malware in the “Free VPN Forever” extension.

The attack begins when the logo file for one of the affected extensions is fetched. The malicious code parses the file to extract its JavaScript code, then reaches out to an external server to retrieve the main payload, apparently waiting 48 hours between attempts.

The loader also evades detection by fetching only 10% of the program on each attempt, which makes it harder to spot through network traffic monitoring.
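
A defender-side check for the logo-file stage described above, as an added example that is not from the article or Koi Security: it walks every PNG inside an add-on's .xpi file (a ZIP archive) and reports data left after the image's closing IEND chunk. The article does not say where in the PNG the code sits; placement after IEND, the function names and the constructed sample archive are assumptions.

```python
import io, struct, zipfile, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
SAMPLE_TAIL = b"/* constructed placeholder text */"  # stands in for hidden script

def png_extra_bytes(data):
    """Return the bytes that follow a PNG's IEND chunk (b"" when the file is clean)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        crc = int.from_bytes(data[end - 4:end], "big")
        if end > len(data) or zlib.crc32(data[pos + 4:end - 4]) != crc:
            raise ValueError("truncated chunk or bad CRC")
        pos = end
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk")

def scan_xpi(xpi):
    """Return {png_name: finding} for each suspicious PNG in an .xpi archive."""
    findings = {}
    with zipfile.ZipFile(xpi) as z:
        for name in (n for n in z.namelist() if n.lower().endswith(".png")):
            try:
                extra = png_extra_bytes(z.read(name))
            except ValueError as exc:
                findings[name] = "malformed: %s" % exc
                continue
            if extra:  # a normal image ends at IEND; anything after it is unexplained
                printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in extra)
                kind = "text-like" if printable > 0.9 * len(extra) else "binary"
                findings[name] = "%d %s bytes after IEND" % (len(extra), kind)
    return findings

def png_chunk(ctype, body=b""):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def make_sample_xpi():  # constructed sample: a clean 1x1 PNG and one with text appended
    png = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("icons/clean.png", png)
        z.writestr("icons/logo.png", png + SAMPLE_TAIL)
    return buf

if __name__ == "__main__":
    print(scan_xpi(make_sample_xpi()))
```

A finding here is a reason to inspect the file, not proof of infection, and code hidden elsewhere in an image would not be caught by this check.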

Once a browser is infected, GhostPoster can monetize browsing activity without your knowledge. It can intercept affiliate links to e-commerce sites to deprive them of their commission, inject tracking code to profile you, inject hidden frames to load malicious sites from servers controlled by attackers, and bypass CAPTCHA as well as evade bot detection.

"The malware needs to prove it's 'human' to keep operating," the researchers explained.

This is a good reminder, as the researchers note, that many of the best free VPNs promise privacy but often come with surveillance or malware instead.

Infected add-ons

Here’s the full list of impacted add-ons discovered by Koi Security:

  • Free VPN
  • Screenshot
  • Weather (weather-best-forecast)
  • Mouse Gesture (crxMouse)
  • Cache - Fast site loader
  • Free MP3 Downloader
  • Google Translate (google-translate-right-clicks)
  • Traductor de Google
  • Global VPN - Free Forever
  • Dark Reader Dark Mode
  • Translator - Google Bing Baidu DeepL
  • Weather (i-like-weather)
  • Google Translate (google-translate-pro-extension)
  • 谷歌翻译
  • libretv-watch-free-videos
  • Ad Stop - Best Ad Blocker
  • Google Translate (right-click-google-translate)

How to stay safe from malicious browser extensions

Most of the browser add-ons were advertised as ad blockers, screenshot utilities, unofficial versions of Google Translate, and VPNs. The oldest, Dark Mode, was released in October 2024 and was supposed to enable dark themes for all websites.

While the add-ons are no longer available for download, if you have one of the impacted extensions installed, you’ll want to remove it immediately. Once that’s done, you should reset your account passwords, which we recommend for all of your accounts.

Yes, it’s a serious undertaking, so you may want to utilize one of the best password managers to lighten the load. Not only can they help manage your passwords and keep them safe, but a password manager can also automatically generate strong and unique passwords for each of your accounts.

As always, we recommend you have the best antivirus software installed. While antivirus software may not have caught GhostPoster yet, it can scan for malware, spyware and viruses even if you slip up and download something you shouldn’t. Antivirus programs also have browser extensions that can help you avoid visiting suspicious websites, protect your data or provide you with a VPN for extra layers of security.

Of course, when it comes to extensions, you always want to double-check the trustworthiness of the company producing them. GhostPoster is still new and may be floating around, even if the known infected add-ons have been removed. We recommend limiting the number of extensions you have installed and carefully vetting each one before you add it. Keep your data, browser and devices safe with these tips and you’ll be less likely to fall for a malware campaign like this one.

Scott Younker
West Coast Reporter

Scott Younker is the West Coast Reporter at Tom’s Guide. He covers all the latest tech news. He’s been involved in tech since 2011 at various outlets and is on an ongoing hunt to build the easiest-to-use home media system. When not writing about the latest devices, you are more than welcome to discuss board games or disc golf with him. He also handles all the Connections coverage on Tom's Guide and has been playing the addictive NYT game since it released.
