Security researchers at Koi Security have described a campaign, dubbed GhostPoster, that conceals JavaScript inside the PNG logo images of malicious Firefox extensions to monitor activity and deploy a backdoor.
The hidden script acts as a loader and is embedded in the icon image; it remains mostly dormant, activating about 48 hours after installation to fetch a main payload from a hardcoded domain with a backup domain available if the first fails. The loader intentionally retrieves the payload only one time in ten attempts, a behavior researchers say is likely intended to reduce detection by traffic monitoring tools.
Koi Security reported that the downloaded payload is heavily obfuscated, including case swapping and base64 encoding, then decoded and XOR-encrypted with a key derived from the extension’s runtime ID. The final payload can hijack affiliate links on major e-commerce sites, inject Google Analytics tracking into pages, strip security headers from HTTP responses, bypass CAPTCHAs via multiple mechanisms, and inject invisible iframes used for ad and click fraud that self-delete after 15 seconds.
The researchers identified 17 compromised extensions across popular categories, and said not all used the same loading chain but all communicated with the same infrastructure. Koi Security initially analyzed the FreeVPN Forever extension after an automated tool flagged code that parsed the raw bytes of its logo to extract a hidden JavaScript snippet.
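The report does not say where inside the icon the script was placed, only that the extension parsed the raw bytes of its logo to recover it. The scanner below is an added example (not Koi Security's tooling or the extensions' code) that checks the places a PNG can carry non-image data while still rendering normally: bytes appended after the IEND chunk, text chunks (tEXt/zTXt), and chunk types an icon has no reason to contain. It also verifies chunk CRCs, since a crafted file is often patched without recomputing them. The icons it scans are constructed inline; the "hidden script" is a harmless placeholder string.

```python
import os
import re
import struct
import zlib

# Added example: heuristics for spotting script-like data hidden in a PNG icon.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a typical icon legitimately carries; anything else is worth a look.
EXPECTED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
                   b"iCCP", b"pHYs", b"bKGD", b"tIME", b"tEXt", b"zTXt", b"iTXt"}
# Crude hint that a byte blob is JavaScript rather than image metadata (assumed patterns).
JS_HINT = re.compile(rb"(function\s*\(|=>|eval\s*\(|new Function|\bbrowser\.|\bchrome\.|document\.)")


def _chunk(ctype, payload):
    """Encode one PNG chunk: length, type, payload, CRC over type+payload."""
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


def make_png(extra_chunks=(), trailer=b""):
    """Build a valid 1x1 RGB PNG, optionally with extra chunks before IDAT and bytes after IEND.
    Used only to construct sample icons for this example."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, bit depth 8, colour type RGB
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")        # filter byte + one black pixel
    body = b"".join(_chunk(t, p) for t, p in extra_chunks)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + body + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


def parse_png(data):
    """Walk the chunk list up to IEND. Returns (chunks, trailing_bytes)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):                  # a chunk needs at least length+type+CRC
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        chunks.append((ctype, pos, payload, crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def scan_png(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    chunks, trailing = parse_png(data)
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
        if JS_HINT.search(trailing):
            findings.append("appended bytes look like JavaScript")
    for ctype, offset, payload, crc in chunks:
        name = ctype.decode("latin-1")
        if crc != struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF):
            findings.append(f"bad CRC on {name} chunk at offset {offset}")
        if ctype not in EXPECTED_CHUNKS:
            findings.append(f"unexpected chunk type {name} at offset {offset}")
        text = payload
        if ctype == b"zTXt" and b"\x00" in payload:
            sep = payload.index(b"\x00")
            try:
                text = zlib.decompress(payload[sep + 2:])   # skip null separator and method byte
            except zlib.error:
                findings.append(f"undecodable zTXt chunk at offset {offset}")
        if ctype != b"IDAT" and JS_HINT.search(text):
            findings.append(f"JavaScript-like text inside {name} chunk at offset {offset}")
    return findings


def scan_extension_dir(root):
    """Scan every PNG under an unpacked extension directory (an .xpi is a zip archive)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".png"):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    try:
                        findings = scan_png(fh.read())
                    except ValueError as exc:
                        findings = [str(exc)]
                if findings:
                    report[path] = findings
    return report


# Constructed sample icons. The "script" is an inert placeholder, not the campaign's loader.
LOADER_SNIPPET = b"(function(){ /* placeholder */ })();"
CLEAN_ICON = make_png(extra_chunks=[(b"tEXt", b"Software\x00example editor")])
TRAILER_ICON = make_png(trailer=LOADER_SNIPPET)
TEXT_CHUNK_ICON = make_png(extra_chunks=[(b"tEXt", b"Comment\x00" + LOADER_SNIPPET)])
ZTXT_ICON = make_png(extra_chunks=[(b"zTXt", b"Comment\x00\x00" + zlib.compress(LOADER_SNIPPET))])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, found in scan_extension_dir(sys.argv[1]).items():
            print(path, found)
    else:
        for label, icon in [("clean", CLEAN_ICON), ("trailer", TRAILER_ICON),
                            ("tEXt", TEXT_CHUNK_ICON), ("zTXt", ZTXT_ICON)]:
            print(label, scan_png(icon))
```

Run it with the path of an unpacked extension to list flagged icons, or with no arguments to see the constructed samples: the clean icon produces no findings, while the three tampered ones are flagged for trailing data or script-like text in a text chunk. The pattern list is deliberately loose; in a review pipeline the useful signal is any non-image data at all in an icon, not the exact regex.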
Although the malware did not appear to harvest passwords or redirect users to phishing pages, researchers warned it poses a privacy risk and could become more dangerous if operators deploy a different payload. Users of the listed extensions were advised to remove them and consider resetting passwords for critical accounts; many of the extensions were still available on Firefox’s add-ons site when the issue was reported.
A Mozilla spokesperson said the company investigated the report, removed the extensions from its add-ons site and updated automated systems to detect and block similar attacks.