Microsoft Removes 119 Extensions That Hide Malware in Images and Fonts

Microsoft has shut down a long-running malicious extension campaign in the Edge Add-ons store that hides its payloads inside ordinary image and font files, then wakes up days after installation to steal credentials and commit ad fraud.
The company calls it StegoAd, a blend of steganography and adware, and links 119 extensions to a single threat actor that it says has been active since at least 2021.
The extensions were the kind people install without a second thought: ad blockers, VPNs, translators, video downloaders. Each one did its job and earned good reviews. The malicious code stayed dormant until the extension had cleared most checks, which is how it sat in the store for years.
Combined, the 119 extensions have an installed base of up to 2.6 million users. Microsoft is clear that this is a ceiling, not a victim count.
Multi-day delays, server-side verification, and a 10% activation gate on some extensions meant that the payload never fired on many installs. It is not known how many people were actually harmed.
The code is hidden in the images and fonts
The trick behind the campaign is steganography: placing executable code inside perfectly normal-looking files. Early variants appended JavaScript after the IEND chunk of the PNG icon, so the image rendered fine everywhere while carrying a payload that static scans never flagged.
As detection caught up, the actor moved to WebP images, then to WOFF2 font files, hiding the code in glyph ranges that read like Asian script or font metadata. Microsoft calls steganography on this scale rare in the browser extension ecosystem.
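The PNG variant described above is the easiest one to check for, because a valid PNG ends exactly at its IEND chunk and any bytes after that are ignored by image decoders. The following is an added example, not code from Microsoft's report: it walks the chunk list of an extension icon, returns whatever trails IEND, and runs a cheap token check on it. The sample icons are constructed inline; only the PNG trick is handled, not the WebP or WOFF2 carriers.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def trailing_bytes_after_iend(data: bytes) -> bytes:
    """Walk the PNG chunk list and return every byte after the IEND chunk.

    Each chunk is: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC.
    A well-formed file ends right after IEND; anything beyond it is a red flag.
    Raises ValueError for data that is not a parseable PNG.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + payload + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    raise ValueError("no IEND chunk found")

def looks_like_script(tail: bytes) -> bool:
    """Cheap triage: does the trailing blob contain JavaScript-looking tokens?"""
    markers = (b"function", b"eval(", b"fetch(", b"chrome.", b"=>", b"document.")
    return any(m in tail for m in markers)

def build_png(width: int = 1, height: int = 1) -> bytes:
    """Construct a minimal valid RGB PNG so the example runs offline."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height  # filter byte + RGB per row
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

CLEAN_ICON = build_png()
# Constructed sample: the same icon with a harmless script appended after IEND.
STEGO_ICON = CLEAN_ICON + b"function boot(){console.log('hi')}"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICON), ("stego", STEGO_ICON)):
        tail = trailing_bytes_after_iend(blob)
        print(name, len(tail), "trailing bytes,", "SUSPICIOUS" if looks_like_script(tail) else "ok")
```

Run it over the `icons/` directory of an unpacked extension to flag any image that carries trailing data; a non-empty tail is worth a manual look even when the token check is quiet.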
Some later variants didn't ship a payload at all. They downloaded an innocuous-looking image from the command and control server; the extension then decoded it through case-shifting, digit-shifting, Base64, and XOR, and verified a signature before running it.
The C2 server only served the real file to requests that passed fingerprint and user-agent checks; anyone who requests it directly, the researchers report, gets a blank decoy response.

The extensions also watch for DevTools being opened and extend their sleep if they detect someone looking.
Ad fraud on the surface, credential theft underneath
The visible damage was ad fraud: injected ads, stolen affiliate commissions from Amazon, eBay, and AliExpress, and redirected searches, all skimming money while degrading browsing.
Microsoft’s analysis of retrieved payloads found much more below. Payloads include remote code execution via arbitrary JavaScript pushed from the server. They also stole Google credentials and second-factor login codes, compromised WordPress admin logins, and exfiltrated cookies for mass session hijacking.

Microsoft says the seven Google Analytics tracking IDs appear to have worked as covert telemetry, giving operators near real-time dashboards on the campaign through Google’s infrastructure.
The infrastructure matches the ambition. Microsoft lists more than a dozen C2 domains with automatic failover. The actor proxied traffic through Cloudflare Workers and abused GitHub Pages to host beacons.
The polymorphic framework has appeared in nearly 66 extensions under 15-plus name variations, and its functionality has moved from Manifest V2 to V3 as the actor adapts to platform changes.
What to do
Microsoft says it has removed all 119 extensions and suspended the 90-plus developer accounts behind them. A full list of extension IDs is in the company’s technical report.
Open edge://extensions and compare your installed extensions to that list. If something matches, or if Edge has automatically removed one, treat the browser as exposed. Change passwords for Google, WordPress, banking, and other sensitive accounts.
Review recent sign-in activity, and turn on strong two-factor authentication. Hardware security keys resist this type of credential theft in a way that SMS codes do not. Microsoft has published hunting guidance that applies to Chrome, Firefox, and other Chromium-based browsers as well.
StegoAd looks less like a new campaign than a new face for a known operation. Its verification traffic goes to mitarchive.info, a site Koi Security has linked to DarkSpectre, a Chinese operation it tied in December to the ShadyPanda and GhostPoster extension campaigns.
The connection goes beyond the domain. StegoAd hides code inside the extension icon, the same method GhostPoster used months earlier. The two even share extension names, such as Ads Block Ultimate.
Microsoft didn’t name the actor, but the overlap is clear. The operator is still active, Microsoft said.