Inside StegoAd: How We Disrupted a Massive Malicious Extension Campaign | Microsoft Browser Vulnerability Research
119 extensions, up to 2.6 million installs, delayed execution, and payloads hidden inside image and font files. Here’s what we found, how we disrupted it, and how we’re protecting you.

Browser extensions make everyday browsing better — blocking ads, translating pages, and downloading videos. Millions of people trust them. But what happens when that trust is exploited?

Through proactive threat hunting, our team identified and disrupted one of the most sophisticated malicious extension campaigns we’ve encountered. We call it StegoAd — named for its signature technique of hiding malicious code inside innocent-looking image files (steganography) combined with ad fraud (adware).

The threat actor operated 119 malicious extensions with a combined install base of up to 2.6 million users. Not every installation led to payload execution — the actor’s own evasion logic (time-gates, probabilistic execution, server-side validation) meant payloads did not fire for every user. Our data indicates this actor has been active since at least 2021, continuously evolving techniques to evade detection. All identified extensions have been removed, and associated developer accounts suspended.

Threat Campaign Overview

Imagine downloading an ad blocker from a trusted store. It works perfectly — your ads disappear; you leave a positive review. But three days later, without any visible change, that extension quietly fetches an innocent-looking PNG image from either a package or a remote server. Hidden inside that image — invisible to any viewer or scanner — is executable code. Your browser decodes and runs it. Now the attacker has a backdoor.

That’s StegoAd. The actor impersonated trusted categories — ad blockers, VPNs, translators, and video downloaders — across 90+ disposable developer accounts. Every extension delivers genuine functionality to earn reviews. The malicious payload activated only after passing multiple gates: days of dormancy, probabilistic execution, and server-side validation.

Why we attribute this to a single threat actor

Attributing 119 extensions across 90+ developer accounts to a single threat actor required multiple converging signals:

- Shared infrastructure — All extensions connect to the same set of C2 domains using identical URL path patterns
- Code fingerprints — Identical hashing algorithms and unique debug strings persist across all variants, regardless of obfuscation technique
- Operational behavior — Rapid account recreation after suspensions, and multiple extensions all mapping to the same backend infrastructure
- Same monetization IDs — One AdSense publisher ID and the same Google Analytics properties appear across extensions from seemingly unrelated developers
- Developer metadata — Multiple accounts share similar registration patterns and reuse the same developer details across extensions

How the attack works

StegoAd used a five-stage attack chain designed to reduce visibility during analysis and delay malicious execution until post-installation conditions were met.

Figure 1: StegoAd 5-stage attack chain — from store impersonation to credential theft and monetization, mapped to MITRE ATT&CK

1. Store impersonation — The actor publishes extensions mimicking popular tools. Each provides real functionality to earn reviews and avoid suspicion.
2. Dormancy & evasion — A 3–5 day time-gate ensures the extension stays silent during sandbox analysis. It even detects if DevTools is open and hides indefinitely.
3. Hidden payload retrieval — The extension fetches a normal-looking PNG image from a static package or C2 server. The server validates the request — researchers probing directly get empty responses.
4. Multi-layer decoding — The hidden payload is decoded through case-swaps, digit-swaps, Base64, and XOR transformations — then validated against a signature before execution.
5. Monetization & theft — The full attack suite activates: credential theft, RCE backdoor, affiliate hijacking, ad replacement, and covert telemetry.

Why this campaign matters beyond ad fraud

The campaign directly impacted users by injecting unauthorized ads on web pages, hijacking affiliate commissions on shopping sites like Amazon, eBay, and AliExpress, and redirecting search results — generating revenue at the user’s expense while degrading their browsing experience. Beyond this ad fraud, our dynamic analysis of retrieved payloads revealed far more serious capabilities: credential theft targeting Google and WordPress accounts, cookie collection, and a remote code execution backdoor that could deliver additional malicious functionality after installation. The underlying infrastructure and multi-layered concealment methods allowed the campaign to persist and adapt over...
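As an added illustration of the converging-signals attribution rule described above (example code, not from the original post or from Microsoft's tooling), the Python below clusters extension records only when a pair shares at least two independent signal types, so one coincidental overlap such as a single shared Google Analytics property does not link them. The extension IDs, C2 domains, AdSense and GA values are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample records: (extension id, observed signals). All values are placeholders.
SAMPLE = [
    ("ext-a", {"c2": "c2-one.example", "adsense": "pub-PLACEHOLDER-1", "ga": "G-PLACEHOLDER-1"}),
    ("ext-b", {"c2": "c2-one.example", "adsense": "pub-PLACEHOLDER-1", "ga": "G-PLACEHOLDER-2"}),
    ("ext-c", {"c2": "c2-two.example", "adsense": "pub-PLACEHOLDER-1", "ga": "G-PLACEHOLDER-3"}),
    ("ext-d", {"c2": "c2-three.example", "adsense": "pub-PLACEHOLDER-9", "ga": "G-PLACEHOLDER-1"}),
]


def shared_signals(records):
    """Map each unordered pair of extension ids to the set of signal types they share."""
    owners = defaultdict(list)          # (signal type, value) -> extension ids carrying that value
    for ext_id, signals in records:
        for stype, value in signals.items():
            owners[(stype, value)].append(ext_id)
    pairs = defaultdict(set)
    for (stype, _), ids in owners.items():
        for i, a in enumerate(ids):
            for b in ids[i + 1:]:
                pairs[tuple(sorted((a, b)))].add(stype)
    return pairs


def cluster(records, min_signals=2):
    """Union-find over pairs linked by at least min_signals independent signal types."""
    parent = {ext_id: ext_id for ext_id, _ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps the forest shallow
            x = parent[x]
        return x

    for (a, b), stypes in shared_signals(records).items():
        if len(stypes) >= min_signals:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for ext_id in parent:
        groups[find(ext_id)].add(ext_id)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print(cluster(SAMPLE))                  # strict: only ext-a/ext-b share two signal types
    print(cluster(SAMPLE, min_signals=1))   # lax: a single shared value chains all four together
```

Lowering `min_signals` to 1 shows why a single indicator is weak evidence: a shared analytics property alone would pull an unrelated extension into the cluster.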