GhostPoster hides in 17 Firefox add-ons, 50k installs

December 17, 2025 at 12:00 AM

A stealthy campaign dubbed GhostPoster hid malicious JavaScript inside the logo image files shipped with 17 Mozilla Firefox extensions. Once decoded and run, the code enabled ad fraud, affiliate hijacking, tracking injection, and the removal of web security headers. Koi Security says the extensions amassed 50,000+ installs before being removed from the Mozilla Add-ons store.

Marketed as VPNs, ad blockers, translators, and utilities, the add-ons all exhibited the same core malicious behavior. The oldest, Dark Mode, was published on October 25, 2024.

How the attack works

  • The extension reads one of its own bundled logo images and searches it for a marker string ("===") after which hidden JavaScript is stored.
  • A loader built from that hidden code then contacts attacker infrastructure ("www.liveupdt[.]com" or "www.dealctr[.]com") to fetch the main payload.
  • To evade detection, the loader checks in only once every 48 hours and, even then, fetches the payload in only about 10% of those attempts.
  • Additional time-based delays keep the malware dormant for more than six days after installation, so a short analysis run sees nothing.
  • Researchers note that, once active, the payload monitors browsing, strips page protections, and establishes a backdoor for remote code execution.

What the payload does

  • Affiliate link hijacking: intercepts links to e-commerce sites such as Taobao and JD.com and routes them through the attacker's affiliate tags, stealing commissions.
  • Tracking injection: silently inserts Google Analytics code into every page to profile victims' browsing.
  • Security header stripping: removes the Content-Security-Policy and X-Frame-Options response headers, leaving pages exposed to XSS and clickjacking.
  • Hidden iframe injection: loads attacker-controlled URLs in invisible frames for click and ad fraud.
  • CAPTCHA bypass: automates challenge solving so the fraudulent traffic keeps flowing undetected.

Affected Firefox add-ons (now removed)

  • Free VPN
  • Screenshot
  • Weather (weather-best-forecast)
  • Mouse Gesture (crxMouse)
  • Cache - Fast site loader
  • Free MP3 Downloader
  • Google Translate (google-translate-right-clicks)
  • Traductor de Google
  • Global VPN - Free Forever
  • Dark Reader Dark Mode
  • Translator - Google Bing Baidu DeepL
  • Weather (i-like-weather)
  • Google Translate (google-translate-pro-extension)
  • 谷歌翻译
  • libretv-watch-free-videos
  • Ad Stop - Best Ad Blocker
  • Google Translate (right-click-google-translate)

Not every extension used the exact same steganographic chain, but their behavior and shared command-and-control infrastructure point to a single threat actor experimenting with different lures.

Why it matters

  • The discovery follows reports of a popular VPN extension for Chrome and Edge harvesting AI chats from ChatGPT, Claude, and Gemini, and an August 2025 case where FreeVPN.One collected screenshots, system info, and location data. As Koi Security warns: "Free VPNs promise privacy, but nothing in life comes free. Again and again, they deliver surveillance instead."

What to do now

  • If you installed any of the listed add-ons, uninstall them immediately.
  • Update Firefox and consider resetting browser settings.
  • Clear cookies and site data; review saved passwords and enable 2FA where possible.
  • Run a reputable security scan and monitor accounts for unusual activity.

Source: The Hacker News
