Key Takeaways
- A new campaign named GhostPoster has been discovered, which leverages malicious JavaScript code embedded in logo files associated with 17 Mozilla Firefox browser add-ons.
- The add-ons, which have been collectively downloaded over 50,000 times, have been used to hijack affiliate links, inject tracking code, and commit click and ad fraud.
- The malware uses various evasion techniques, including probability checks and time-based delays, to avoid detection.
- The campaign is believed to be the work of a single threat actor or group, which has experimented with different lures and methods.
- The discovery highlights the risks associated with using free VPNs and other browser extensions, which often promise privacy but deliver surveillance instead.
Introduction to the GhostPoster Campaign
The GhostPoster campaign is a new and sophisticated threat that has been discovered by Koi Security, a leading cybersecurity firm. The campaign involves the use of malicious JavaScript code embedded in logo files associated with 17 Mozilla Firefox browser add-ons. These add-ons, which have been collectively downloaded over 50,000 times, were advertised as VPNs, screenshot utilities, ad blockers, and unofficial versions of Google Translate. However, instead of providing the promised functionality, they deliver a multi-stage malware payload that monitors everything the user browses, strips away the browser’s security protections, and opens a backdoor for remote code execution.
The Attack Chain
The attack chain begins when one of the compromised extensions is loaded and fetches its logo file. The malicious code parses the file for a marker containing the "===" sign and extracts the JavaScript that follows it. This code is a loader that reaches out to an external server to retrieve the main payload, waiting 48 hours between attempts. To further evade detection, the loader is configured to fetch the payload only 10% of the time, introducing randomness to sidestep efforts to monitor network traffic. The retrieved payload is a custom-encoded, comprehensive toolkit capable of monetizing browser activity without the victim’s knowledge through affiliate link hijacking, tracking injection, security header stripping, and hidden iframe injection.
Evasion Techniques
The malware uses various evasion techniques to avoid detection, including probability checks and time-based delays. The add-ons incorporate time-based delays that prevent the malware from activating until more than six days after installation. This makes it harder to detect what’s going on behind the scenes. Additionally, the malware employs CAPTCHA bypass techniques to evade bot detection safeguards. The researchers explain that the malware needs to bypass CAPTCHAs because some of its operations, such as hidden iframe injections, trigger bot detection. By employing these evasion techniques, the malware is able to operate undetected and continue to commit ad and click fraud.
The Impact of the Campaign
The GhostPoster campaign highlights the risks associated with using free VPNs and other browser extensions, which often promise privacy but deliver surveillance instead. The discovery comes only days after a popular VPN extension for Google Chrome and Microsoft Edge was caught secretly harvesting AI conversations from ChatGPT, Claude, and Gemini and exfiltrating them to data brokers. In August 2025, another Chrome extension named FreeVPN.One was observed collecting screenshots, system information, and users’ locations. As Koi Security notes, "Free VPNs promise privacy, but nothing in life comes free. Again and again, they deliver surveillance instead." The GhostPoster campaign is a reminder of the importance of being cautious when installing browser extensions and using free VPNs.
Conclusion
The GhostPoster campaign is a sophisticated threat that highlights the risks associated with using free VPNs and other browser extensions. Its use of evasion techniques, including probability checks and time-based delays, makes it difficult to detect and underlines the need for vigilance when installing browser extensions. As the cybersecurity landscape continues to evolve, it is essential to be aware of the potential risks of free VPNs and other browser extensions. By being cautious and taking steps to protect ourselves, we can reduce the risk of falling victim to campaigns like GhostPoster and other malicious threats.