GhostPoster is a stealthy malware campaign that abuses trusted Firefox extensions to compromise users at scale, hiding malicious JavaScript inside PNG logo files using steganography techniques. Active since September 2025, the GhostPoster operation spread through 17 malicious Firefox extensions published on Mozilla’s official Add-ons marketplace and has already affected more than 50,000 users worldwide by posing as legitimate tools such as free VPNs, translators, weather apps, and ad blockers. The GhostPoster attack unfolds in multiple stages, with hidden code extracted from the Firefox extension’s logo acting as a loader that quietly contacts attacker-controlled servers using delayed and randomized check-ins to evade detection. Once active, the GhostPoster final payload manipulates browser behavior for profit by hijacking affiliate links, injecting tracking scripts, stripping security headers from websites, bypassing CAPTCHA protections, and embedding hidden iframes for ad fraud, effectively turning the victim’s Firefox browser into a monetization platform without their knowledge. The GhostPoster malware campaign leverages steganography to conceal malicious JavaScript payloads within PNG icon files, making detection difficult for both users and security tools. GhostPoster extensions masquerade as useful Firefox utilities while delivering a multi-stage malware framework that weakens browser security, monitors user activity, and enables potential remote code execution on compromised systems.
Browser extensions often rely on familiar logos to signal legitimacy and build user trust. GhostPoster is a sophisticated malware campaign leveraging steganographic techniques to conceal malicious JavaScript payloads within PNG icon files of Firefox browser extensions. First observed in September 2025, the GhostPoster campaign distributed 17 malicious extensions through Mozilla’s official Firefox Add-ons marketplace, collectively infecting over 50,000 users. The GhostPoster extensions masqueraded as legitimate utilities including VPNs, translation tools, weather forecasts, and ad blockers.
Free VPN Forever, one of the prominent GhostPoster extensions, has been available on the Firefox Add-ons marketplace since September 2025 and has already been installed by more than 16,000 users. It is not an isolated case in the GhostPoster campaign. These malicious add-ons present themselves as useful tools offering free VPN access, translation, weather updates, or ad blocking. In reality, GhostPoster extensions deliver a multi-stage malware framework that weakens browser security, monitors user activity, and can ultimately enable remote code execution on compromised Firefox systems.
The GhostPoster attack unfolds in carefully designed stages. First, the Firefox extension loads its logo image and extracts hidden JavaScript code embedded inside the PNG using steganography. This hidden script acts as a loader, reaching out to attacker-controlled servers, primarily liveupdt[.]com with dealctr[.]com as a fallback, to request the real GhostPoster payload. To avoid detection, the GhostPoster loader checks in only once every 48 hours and downloads the payload just 10 percent of the time, making its behavior appear inconsistent and harder to trace. When the GhostPoster payload is finally retrieved, it is decoded and encrypted using a custom method tied to the extension’s unique runtime ID, allowing it to persist quietly within the Firefox browser.
Once active, the final GhostPoster payload focuses on monetizing and exploiting the user’s browsing activity without consent. It hijacks affiliate links to divert commissions, injects stealthy tracking using analytics frameworks, removes security headers from websites, bypasses CAPTCHA protections, and plants hidden iframes to support ad and click fraud. These GhostPoster actions erode browser defenses across every site the user visits, all while remaining largely invisible. The real danger of GhostPoster lies not in one flashy trick, but in the extension’s broad and persistent access to the Firefox browser environment.
This campaign reflects a familiar and troubling pattern, particularly among free VPN extensions that promise privacy but deliver surveillance instead. GhostPoster stands out for its layered evasion techniques and its scale, with tens of thousands of active users unknowingly granting attackers deep browser access through malicious Firefox extensions. The extensions were still available on the Firefox marketplace at the time of discovery, underscoring the need for stronger detection of steganography-based malware. The campaign has directly impacted over 50,000 Firefox users globally. Because the malware strips critical browser security headers from all websites visited, each affected user is more exposed to secondary attacks. Steganography is no longer a niche tactic and is appearing in many recent malware campaigns, making awareness of hidden threats in seemingly benign files like PNG logos increasingly important for Firefox users and security teams.
Be Selective with Browser Extensions: Users should think carefully before installing browser extensions, especially those offering free VPNs, ad blocking, or other services that seem too good to be free. Always review the extension’s publisher, update history, and user feedback before installation. If a Firefox add-on requests broad access to all websites or browser data without a clear explanation, it should be considered a red flag for potential GhostPoster-style malware.
Limit Extensions in Work Environments: Organizations should avoid allowing unrestricted installation of browser extensions on corporate systems to prevent GhostPoster-style threats. Using allow-lists and approving only trusted, business-necessary Firefox add-ons can significantly reduce risk. Periodic reviews of installed extensions help ensure that outdated or unnecessary tools are removed before they become a security liability like the GhostPoster malicious extensions.
Rethink Visual Trust Signals: Logos, high download numbers, and featured listings can create a false sense of safety. The GhostPoster campaign shows that even familiar-looking Firefox extensions can hide serious threats using steganography and other evasion techniques. Treat the browser as a critical attack surface and keep extension usage minimal to reduce exposure to GhostPoster-style malware and protect privacy.
Regularly Review and Remove Unused Add-ons: Users should periodically audit their installed Firefox extensions and remove those they no longer use to reduce the risk of GhostPoster-style infections. Sudden changes in browsing behavior, such as excessive ads, redirects, or slower performance, can be warning signs of malicious activity from compromised extensions and should be investigated promptly.
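The allow-list and periodic-review recommendations above can be automated. This added example (not from the original advisory) audits the add-on inventory in a Firefox profile's `extensions.json` and reports active, user-installed extensions that are not on an approved list, noting any that hold all-site access. The field names (`addons`, `userPermissions.origins`, `location`) are assumed to match the profile format in use, and the inventory and add-on IDs shown are constructed.

```python
import json

# Host patterns that grant access to every site the user visits.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(extensions_json, allow_list):
    """Return (addon_id, name, reasons) for each active add-on needing review."""
    report = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue                              # themes, dictionaries, disabled add-ons
        if addon.get("location") != "app-profile":
            continue                              # skip built-in and system add-ons
        if addon["id"] in allow_list:
            continue                              # already approved by the organization
        reasons = ["not on allow-list"]
        origins = set((addon.get("userPermissions") or {}).get("origins", []))
        broad = sorted(origins & BROAD_ORIGINS)
        if broad:
            reasons.append("all-site access: " + ", ".join(broad))
        name = (addon.get("defaultLocale") or {}).get("name", "?")
        report.append((addon["id"], name, reasons))
    return report

# Constructed inventory; the IDs and names are placeholders, not real add-ons.
SAMPLE = json.dumps({"addons": [
    {"id": "approved-tool@example.invalid", "type": "extension", "active": True,
     "location": "app-profile", "defaultLocale": {"name": "Approved Tool (constructed)"},
     "userPermissions": {"permissions": ["storage"],
                         "origins": ["https://intranet.example.invalid/*"]}},
    {"id": "sample-vpn@example.invalid", "type": "extension", "active": True,
     "location": "app-profile", "defaultLocale": {"name": "Sample VPN (constructed)"},
     "userPermissions": {"permissions": ["webRequest", "tabs"],
                         "origins": ["<all_urls>"]}},
    {"id": "old-weather@example.invalid", "type": "extension", "active": False,
     "location": "app-profile", "defaultLocale": {"name": "Old Weather (constructed)"},
     "userPermissions": {"permissions": [], "origins": ["<all_urls>"]}},
]})

if __name__ == "__main__":
    for addon_id, name, reasons in audit_extensions(SAMPLE, {"approved-tool@example.invalid"}):
        print(f"{addon_id} ({name}): {'; '.join(reasons)}")
```

Passing an empty allow-list turns the function into the personal audit described above: every active user-installed extension is listed, with all-site access called out.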
Malicious Firefox Extensions Associated with GhostPoster:
GhostPoster Command and Control Domains:
Initial Access:
Execution:
Persistence:
Defense Evasion:
Collection:
Command and Control: