GhostPoster Malware: Hidden Threat in Firefox Add-ons Compromises 50,000 Users


GhostPoster Malware Discovered in Firefox Add-ons Affecting 50,000+ Users

Security researchers have uncovered a malicious campaign dubbed "GhostPoster" that infected 17 Mozilla Firefox browser extensions with hidden code designed to hijack affiliate links, inject tracking scripts, and commit click fraud. These compromised add-ons, downloaded over 50,000 times, have since been removed from the platform.

The extensions, which masqueraded as VPNs, screenshot utilities, ad blockers, and translation tools, were found to contain sophisticated malware that monitors browsing activity, disables security protections, and creates backdoors for remote code execution. Koi Security researchers Lotan Sery and Noga Gouldman identified the campaign in December 2025.

How the malware operates

The GhostPoster attack employs an elaborate multi-stage infection chain that begins with seemingly innocent logo files within the browser extensions. These logo files contain hidden JavaScript code through a steganographic technique—concealing malicious content within seemingly benign image files.

"What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away your browser's security protections, and opens a backdoor for remote code execution," explained the Koi Security researchers.

The infection process follows several calculated steps:

  1. When the extension loads, it fetches its logo file that contains hidden JavaScript code
  2. The code looks for a marker containing "===" to extract the malicious payload
  3. This loader then contacts external command servers at "www.liveupdt[.]com" or "www.dealctr[.]com"
  4. The loader includes evasion techniques, only fetching payloads 10% of the time and waiting 48 hours between attempts
  5. After a six-day dormancy period, the full malware activates
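The loader in step 2 reads whatever follows a "===" marker inside the logo file, which means the image carries bytes past its legitimate end-of-image marker. One way for a defender to check an unpacked add-on for that pattern, as an added example that is neither Koi Security's nor Mozilla's code: walk the PNG chunk structure, report anything that sits after the IEND chunk, and note whether that trailer contains the "===" marker or looks like script. The scanner assumes PNG logos (an .xpi is a zip archive, so unpack it first); the sample images and the harmless placeholder trailer are constructed here for illustration.

```python
"""Scan PNG files in an unpacked extension for data appended after the image ends.

Added example, not code from the article or the researchers. PNG only; the
"===" marker is the one the article attributes to the GhostPoster loader.
"""
import re
import struct
import zlib
from pathlib import Path
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Heuristic: bytes that look like JavaScript in whatever follows the real image.
SCRIPT_HINTS = re.compile(rb"function\s*\(|=>|\beval\(|\bfetch\(|XMLHttpRequest|document\.")


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (length, type, data, CRC); used only to construct samples."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def png_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the IEND chunk, or None if this is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def scan_image(data: bytes) -> dict:
    """Describe any trailer that follows the image: size, '===' marker, script-like content."""
    end = png_end_offset(data)
    if end is None:
        return {"format": "unknown", "trailing_bytes": 0, "marker": False, "script_like": False}
    trailer = data[end:]
    return {
        "format": "png",
        "trailing_bytes": len(trailer),
        "marker": b"===" in trailer,
        "script_like": bool(SCRIPT_HINTS.search(trailer)),
    }


def scan_extension_dir(root) -> list:
    """Walk an unpacked extension directory and list PNGs that carry trailing data."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.png")):
        result = scan_image(path.read_bytes())
        if result["trailing_bytes"]:
            findings.append((str(path.relative_to(root)), result))
    return findings


def minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte + one white pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


CLEAN_LOGO = minimal_png()
# Constructed: a valid image followed by a marker and an inert placeholder, not a real payload.
TAMPERED_LOGO = minimal_png() + b"===" + b"(function(){ /* constructed placeholder */ })();"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_LOGO), ("tampered", TAMPERED_LOGO)):
        print(name, scan_image(blob))
```

Any non-zero `trailing_bytes` on a logo is worth a look on its own; the marker and script flags just prioritise the finding. A legitimate PNG can still carry a few stray bytes from a sloppy encoder, so treat the output as triage, not proof.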

These sophisticated evasion tactics make detection extremely difficult, as they prevent standard security monitoring from correlating the extension installation with malicious behavior. Understanding different types of malware and their infection methods is crucial for protecting your digital assets against such threats.

Monetization and attack capabilities

Once activated, the GhostPoster malware exhibits multiple monetization techniques:

  1. Affiliate link hijacking: The malware intercepts legitimate affiliate links to e-commerce sites like Taobao and JD.com, redirecting commissions away from legitimate affiliates to the attackers.

  2. Tracking code injection: Every website visited by victims receives injected Google Analytics tracking code, enabling silent user profiling.

  3. Security protection removal: The malware strips critical security headers like Content-Security-Policy and X-Frame-Options from web pages, exposing users to additional attacks like clickjacking and cross-site scripting.

  4. Hidden iframe injection: Invisible frames are injected into browsing sessions to silently load attacker-controlled content, facilitating ad fraud and click fraud.

  5. CAPTCHA bypass capabilities: The malware includes sophisticated techniques to overcome CAPTCHA challenges, allowing it to continue operating when security systems detect suspicious activity.
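Two of the behaviours above, stripped security headers and hidden iframes, leave traces in what the browser actually receives and renders. As an added example (not code from the article or from the researchers), the Python below does two checks: it compares the security headers a site is known to send against the header set observed in the browser, and it parses page HTML for iframes that are both hidden and pointed at a different origin. The HTML, the header sets and the ads.attacker.invalid host are constructed for illustration.

```python
"""Spot stripped security headers and hidden off-origin iframes in captured page data.

Added example, not the researchers' tooling. Inputs are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Headers the article names as removed by the malware.
SECURITY_HEADERS = ("content-security-policy", "x-frame-options")


def stripped_headers(origin_headers: dict, browser_headers: dict) -> list:
    """Security headers present in the origin's response but absent in the browser's copy."""
    origin = {k.lower() for k in origin_headers}
    seen = {k.lower() for k in browser_headers}
    return sorted(h for h in SECURITY_HEADERS if h in origin and h not in seen)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def parse_style(style: str) -> dict:
    """Turn 'a: b; c: d' into {'a': 'b', 'c': 'd'} (lower-cased)."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def is_hidden(attrs: dict) -> bool:
    """True if the frame is invisible by attribute, CSS, or zero/one-pixel size."""
    if "hidden" in attrs:
        return True
    style = parse_style(attrs.get("style") or "")
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        return True
    if style.get("opacity") in ("0", "0.0"):
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or style.get(dim) or "").strip().rstrip("px").strip()
        if value in ("0", "1"):
            return True
    return False


def hidden_offsite_iframes(html: str, page_host: str) -> list:
    """Return src values of iframes that are hidden and load from another host."""
    collector = IframeCollector()
    collector.feed(html)
    flagged = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlsplit(src).hostname
        offsite = bool(host) and host.lower() != page_host.lower()
        if offsite and is_hidden(attrs):
            flagged.append(src)
    return flagged


# Constructed inputs: what the origin sends versus what the browser ended up with.
ORIGIN_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}
BROWSER_HEADERS = {"Content-Type": "text/html"}

SAMPLE_HTML = """<html><body>
<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>
<iframe src="https://ads.attacker.invalid/click" style="display:none;width:0;height:0"></iframe>
<iframe src="/local-widget" hidden></iframe>
</body></html>"""

if __name__ == "__main__":
    print("stripped:", stripped_headers(ORIGIN_HEADERS, BROWSER_HEADERS))
    print("hidden off-origin iframes:", hidden_offsite_iframes(SAMPLE_HTML, "www.example.com"))
```

The same-origin hidden widget is deliberately not flagged: plenty of legitimate pages hide their own frames, so the signal worth alerting on is the combination of hidden and off-origin. For the header comparison, the "origin" side can come from a fetch made outside the browser on a clean host.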

"The malware needs to prove it's 'human' to keep operating," noted the researchers, explaining why CAPTCHA bypass functionality was crucial to maintaining the fraud operation.

Advanced evasion techniques

What makes GhostPoster particularly concerning is its sophisticated evasion capabilities. The malware employs timing-based evasion, only activating after several days of dormancy to avoid detection during initial security scans. Additionally, it includes code obfuscation techniques and anti-debugging features that make analysis by security researchers more challenging.

This level of sophistication suggests the attackers behind GhostPoster have significant experience developing malicious software and understand browser extension security models in detail. According to Mozilla's Security Blog, such targeted attacks against browser extensions have been increasing in frequency and complexity.

The compromised extensions

The 17 affected add-ons covered a range of popular utility categories, with the oldest dating back to October 2024. The complete list includes:

  • Free VPN
  • Screenshot
  • Weather (weather-best-forecast)
  • Mouse Gesture (crxMouse)
  • Cache – Fast site loader
  • Free MP3 Downloader
  • Google Translate (google-translate-right-clicks)
  • Traductor de Google
  • Global VPN – Free Forever
  • Dark Reader
  • Dark Mode
  • Translator – Google Bing Baidu DeepL
  • Weather (i-like-weather)
  • Google Translate (google-translate-pro-extension)
  • 谷歌翻译
  • libretv-watch-free-videos
  • Ad Stop – Best Ad Blocker
  • Google Translate (right-click-google-translate)

While not all extensions used identical attack techniques, security researchers confirmed they all communicated with the same command-and-control infrastructure, indicating a single threat actor or group experimenting with various delivery methods.

It's notable that the attackers specifically targeted extensions that provide convenience features many users consider essential. Translation tools, weather apps, and VPNs represent some of the most downloaded extension categories, giving attackers access to a large potential victim pool. The attackers also focused on utilities that would reasonably require network access permissions, allowing the malicious code to operate without triggering suspicion.

Implementing reliable anti-malware software across your devices can provide an additional layer of protection against such threats, potentially detecting suspicious behaviors even when they're hidden within legitimate-seeming applications.

Part of a growing trend

This discovery comes amid rising concerns about malicious browser extensions across popular platforms. Only days before the GhostPoster revelation, a widely-used VPN extension for Google Chrome and Microsoft Edge was caught secretly harvesting AI conversations from platforms like ChatGPT, Claude, and Gemini and selling this data to brokers.

In August 2025, another Chrome extension named FreeVPN.One was discovered collecting screenshots, system information, and location data from users.

"Free VPNs promise privacy, but nothing in life comes free," warned Koi Security. "Again and again, they deliver surveillance instead."

How to protect yourself

This incident highlights several important security practices for browser users:

  1. Verify extension legitimacy: Before installing any browser add-on, research the developer and check reviews carefully.

  2. Limit extensions to necessities: Only install extensions you genuinely need, as each one increases your potential attack surface.

  3. Regular security audits: Periodically review installed extensions and remove those you no longer use.

  4. Be wary of "free" security tools: Free VPNs and security tools often monetize through data collection or worse—malicious activity.

  5. Monitor for unusual behavior: Watch for unexpected browser slowdowns, strange redirections, or changes to website appearance that might indicate compromised extensions.

  6. Use specialized removal tools: If you suspect infection, consider using specialized free malware removal tools designed to detect and eliminate browser threats that traditional antivirus might miss.

The GhostPoster campaign demonstrates that even seemingly simple browser tools can harbor sophisticated threats that operate silently for extended periods before detection. As browser extensions become increasingly integrated into daily workflows, they continue to represent an attractive target for cybercriminals seeking to monetize user data and browser activity.

Technical indicators of compromise

For system administrators and security professionals, monitoring for the following indicators can help identify potential GhostPoster infections:

  • Connections to domains including liveupdt[.]com and dealctr[.]com
  • Unexpected Google Analytics tracking IDs appearing in network traffic
  • Modified security headers on internally accessed websites
  • Presence of hidden iframes in rendered web pages
  • Unusual patterns of affiliate link traffic, particularly to Asian e-commerce platforms
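For the network-side indicators above (and the tracking-code injection described under Monetization), here is an added Python example, not Koi Security tooling, that runs over constructed proxy log lines: it refangs the two published domains and matches them as hostname suffixes, and it pulls the `tid` parameter from Google Analytics collection requests and flags any property ID outside an assumed organisational allowlist. The log format, client addresses and allowlisted IDs are placeholders constructed for this example.

```python
"""Match proxy log lines against the GhostPoster network indicators.

Added example, not the researchers' code. The log format and sample lines are
constructed; the tracking-ID allowlist is an assumed organisational baseline.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The two command-and-control domains named in the article, defanged as published.
C2_DOMAINS_DEFANGED = ("liveupdt[.]com", "dealctr[.]com")


def refang(domain: str) -> str:
    """Turn the published 'example[.]com' form into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Assumed baseline: the Google Analytics property IDs the organisation actually uses.
KNOWN_TRACKING_IDS = {"UA-000000-1", "G-PLACEHOLDER0"}
GA_HOSTS = {"www.google-analytics.com", "google-analytics.com"}


def matches_c2(host: str) -> bool:
    """True for the C2 domains themselves and any subdomain of them."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def unexpected_tracking_id(url: str) -> Optional[str]:
    """Return the GA property ID in a collection request if it is not on the allowlist."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in GA_HOSTS:
        return None
    tid = parse_qs(parts.query).get("tid", [""])[0]
    return tid if tid and tid not in KNOWN_TRACKING_IDS else None


# Constructed log format: "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def analyse_log(lines) -> list:
    """Yield (client, indicator, detail) tuples for every matching line."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        url = m["url"]
        host = urlsplit(url).hostname or ""
        if matches_c2(host):
            alerts.append((m["client"], "c2-domain", host))
        tid = unexpected_tracking_id(url)
        if tid:
            alerts.append((m["client"], "unexpected-ga-tid", tid))
    return alerts


# Constructed sample: one client talking to the C2 hosts and sending an unknown GA ID,
# one client behaving normally.
SAMPLE_LOG = [
    "2025-12-01T10:00:01Z 10.0.0.12 GET https://www.liveupdt.com/update?v=3",
    "2025-12-01T10:00:02Z 10.0.0.12 GET https://www.dealctr.com/cfg",
    "2025-12-01T10:00:03Z 10.0.0.12 GET https://www.google-analytics.com/collect?v=1&tid=UA-123456-7&cid=1",
    "2025-12-01T10:00:04Z 10.0.0.20 GET https://www.google-analytics.com/collect?v=1&tid=UA-000000-1&cid=2",
    "2025-12-01T10:00:05Z 10.0.0.20 GET https://intranet.example.com/",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for alert in analyse_log(SAMPLE_LOG):
        print(alert)
```

Matching on suffix rather than exact hostname catches `www.` and any other subdomain the loader might use, and the tracking-ID check turns the vague "unexpected Google Analytics IDs" indicator into something a gateway can actually evaluate once the organisation's own property IDs are known.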

Early detection and rapid response are critical to minimizing damage from this sophisticated malware campaign.
