840,000+ users hit by malicious browser extensions. Uninstall these ASAP!

How the GhostPoster attack works

The first analysis of GhostPoster comes from security experts at Koi Security. They uncovered the campaign at the end of last year and realized that the malicious code wasn’t contained in the extension itself, but was instead hidden in the image data of the respective logo.

Instead of acting directly, the extension is designed to spy on user behavior after installation. Afterwards, another script hidden behind three “=” signs is loaded via a backdoor in the logo’s code.

Once executed, this script manipulates affiliate links and redirects users to fraudulent websites and offers, among other things. The attackers are also able to infect affected devices with malware by unlocking extended control rights and abusing them for their own purposes.

What’s especially problematic is the fact that these browser extensions have been offered in the official Mozilla and Microsoft stores since 2020. They’ve remained largely undetected for over 5 years and were likely able to infect over 840,000 systems during this time.

What you need to do now

Mozilla and Microsoft reacted quickly and removed the malicious extensions from their stores. However, users who had already installed them must remove the extensions manually, or else they’ll remain active and continue to cause damage.

These malicious extensions have been identified so far:

• AdBlock
• Ads Block Ultimate
• Amazon Price History
• Color Enhancer
• Convert Everything
• Cool Cursor
• Floating Player – PiP Mode
• Free MP3 Downloader
• Free VPN Forever
• Full Page Screenshot
• Google Translate in Right Click
• I Like Weather
• Instagram Downloader
• One Key Translate
• Page Screenshot Clipper
• RSS Feed
• Save Image to Pinterest on Right Click
• Translate Selected Text with Google
• Translate Selected Text with Right Click
• Weather Best Forecast
• World Wide VPN
• YouTube Download