Microsoft's StegoAd: The Hidden Threat in Edge Extensions
Microsoft has shut down a long-running malicious extension operation on the Edge Add-ons store that hid its payloads inside ordinary image and font files, then woke up days after install to steal credentials and run ad fraud.
The company calls it StegoAd, a mash-up of steganography and adware, and ties 119 extensions to a single threat actor it says has been active since at least 2021.
The extensions were the kind people install without a second thought: ad blockers, VPNs, translators, video downloaders. Each one did its job and earned reviews. The malicious code stayed dormant until the extension cleared a stack of evasion checks, which is how it sat in the store for years.
Combined, the 119 extensions had an install base of up to 2.6 million users. Microsoft is clear that this is a ceiling, not a victim count.
A multi-day delay, server-side validation, and a 10% execution gate on some variants meant the payload never fired for many installs. How many people were actually compromised is not known.
Code hidden in pictures and fonts
The trick that names the campaign is steganography: tucking executable code inside files that look completely normal. The earliest variants appended JavaScript after the IEND marker of a PNG icon, so the image rendered fine everywhere while carrying a payload that static scanners never flagged.
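The PNG variant above is detectable with a straightforward structural check: a decoder stops at the IEND chunk, so any bytes after it are never needed for rendering and have no business in an extension icon. The Python below is an added example, not code from Microsoft's report or from the extensions themselves; it parses the PNG chunk list, returns whatever trails IEND, and walks an unpacked extension directory to flag icons that carry such trailing data. The sample icon it builds, the appended marker string, and the `icons/` file names are constructed for the demo.

```python
import struct
import tempfile
import zlib
from pathlib import Path
from typing import Dict, Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def png_trailing_data(blob: bytes) -> Optional[bytes]:
    """Walk the chunk list and return the bytes that follow IEND (b"" if none).

    Returns None when the blob is not a well-formed PNG (bad signature,
    truncated chunk, or no IEND), so callers can treat that separately.
    """
    if not blob.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(blob):
            return None  # chunk claims more bytes than exist
        if ctype == b"IEND":
            return blob[end:]  # everything after IEND is ignored by decoders
        pos = end
    return None


def scan_extension_dir(root) -> Dict[str, int]:
    """Map each PNG under an unpacked extension to the size of its post-IEND tail."""
    root = Path(root)
    findings: Dict[str, int] = {}
    for path in root.rglob("*.png"):
        trailing = png_trailing_data(path.read_bytes())
        if trailing:  # non-empty tail: flag it with its byte count
            findings[path.relative_to(root).as_posix()] = len(trailing)
    return findings


def build_sample_png(trailing: bytes = b"") -> bytes:
    """Constructed 1x1 8-bit grayscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailing)


def demo() -> Dict[str, int]:
    """Write a clean icon and a tainted icon into a temp 'extension' and scan it."""
    payload = b"(function(){})();"  # constructed stand-in for appended script text
    with tempfile.TemporaryDirectory() as tmp:
        icons = Path(tmp) / "icons"
        icons.mkdir()
        (icons / "icon16.png").write_bytes(build_sample_png())
        (icons / "icon128.png").write_bytes(build_sample_png(payload))
        return scan_extension_dir(tmp)


if __name__ == "__main__":
    for name, size in demo().items():
        print(f"{name}: {size} bytes after IEND")
```

Run it against an unpacked extension directory (`scan_extension_dir("/path/to/unpacked/extension")`); a hit is not proof of malice, since some image tools leave harmless trailing bytes, but for a store-shipped icon it is worth a manual look. Because the parser follows chunk lengths rather than searching for the literal string IEND, a payload that happens to contain those four letters does not confuse it.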
As detection caught up, the actor moved to WebP images, then to WOFF2 font files, hiding code in glyph ranges that read as Asian text or font metadata. Microsoft calls steganography at this scale rare in the browser extension ecosystem.
Some high-impact variants did not even ship the payload locally. They fetched a normal-looking image from a command-and-control server. The extension decoded it through layers of case swaps, digit swaps, Base64, and XOR, then checked it against a signature before running it.
The C2 server only served the real file to requests that passed a fingerprint and a User-Agent check; anyone probing it directly, researchers included, got an empty decoy response.
Extensions also watched for open DevTools and extended their dormancy if they spotted an analyst looking.
Ad fraud on top, credential theft underneath
The visible damage was ad fraud: injected ads, hijacked affiliate commissions on Amazon, eBay, and AliExpress, and redirected searches, all skimming money while degrading browsing.
Microsoft's analysis of retrieved payloads found a lot more underneath. The payloads included a remote code execution backdoor that ran arbitrary JavaScript pushed from the server. They also stole Google credentials and second-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies in bulk for session hijacking.
Microsoft says seven Google Analytics tracking IDs appear to have served as covert telemetry, giving the operator near real-time dashboards on the campaign through Google's own infrastructure.
The plumbing matched the ambition. Microsoft counts more than ten C2 domains with automatic failover. The actor proxied traffic through Cloudflare Workers and abused GitHub Pages to host beacons.
A polymorphic framework ran across roughly 66 extensions under 15-plus naming variants, and the operation migrated from Manifest V2 to V3 as the actor adapted to platform changes.
What to do
Microsoft says it has removed all 119 extensions and suspended the 90-plus developer accounts behind them. The full list of extension IDs is in the company's technical report.
Open edge://extensions and compare your installed add-ons against that list. If anything matches, or if Edge removed one automatically, treat the browser as exposed. Change passwords for Google, WordPress, banking, and other sensitive accounts.
Review recent sign-in activity, and turn on strong two-factor authentication. Hardware security keys hold up against this kind of credential theft in a way that SMS codes do not. Microsoft published indicators of compromise for use across Chrome, Firefox, and other Chromium browsers.
StegoAd looks less like a new campaign than a new face on a known one. Its credential payload exfiltrates to mitarchive.info, a domain Koi Security ties to DarkSpectre, the Chinese operation it linked in December to the ShadyPanda and GhostPoster extension campaigns.
The connection goes beyond the domain. StegoAd hides code inside an extension's own icon, the same method GhostPoster used months earlier. The two even share extension names, such as Ads Block Ultimate.
Microsoft has not named the actor, but the overlap is clear. The operator is still active, Microsoft says.
