A Trusted Add-on with a Hidden Agenda: The GhostPoster Case

Overview

GhostPoster is a browser-based malware campaign that abused trust in Firefox extensions rather than exploiting software bugs. Instead of attacking the operating system or browser directly, it quietly entered systems through seemingly legitimate add-ons hosted on the official Firefox marketplace.

What makes GhostPoster stand out is not just what it does, but how patiently and quietly it does it. It hides malicious code inside image files, waits days before activating, and only runs on a small percentage of installations at any given time. This allowed it to operate for months without drawing attention.

The campaign primarily focused on monetization and tracking, but it also weakened browser security in ways that could expose users to further attacks.

How the Malware Gets Installed

GhostPoster does not rely on phishing emails, cracked software, or exploit kits.

It spreads through normal browser extension installs.

A typical infection looks like this:

A user searches for a common utility like a VPN, translator, weather widget, dark mode, or ad blocker.
The extension looks normal, has a clean interface, and requests permissions that seem reasonable for its function.
The extension passes automated store review because no malicious JavaScript is visible.
The user installs it, and nothing suspicious happens immediately.

From the user’s perspective, the extension works exactly as advertised.

Firefox Add-ons Confirmed as Part of the Campaign

The following extensions were confirmed to be malicious and removed:

free-vpn-forever
world-wide-vpn
screenshot-saved-easy
weather-best-forecast
i-like-weather
dark-reader-for-ff
crxmouse-gesture
cache-fast-site-loader
freemp3downloader
libretv-watch-free-videos
ad-stop
google-translate-right-clicks
right-click-google-translate
google-translate-pro-extension
translator-gbbd
google-traductor-esp
谷歌-翻译

They were intentionally designed to blend in with popular utility categories that users rarely question.

The Core Trick: Hiding Code Inside an Image

Instead of placing malicious logic in JavaScript files, GhostPoster hides it inside the extension’s logo image (logo.png).

At the very end of the PNG file, attackers appended extra data. This data begins after a simple marker:

===

Everything after that marker is encoded JavaScript.

When the extension runs, it:

Opens its own logo image
Reads the raw binary data
Searches for the marker
Extracts and executes the hidden script

Because security tools generally treat images as static assets, this technique bypasses most extension scanners.

Delayed and Selective Execution

GhostPoster does not activate immediately.

After installation:

It waits at least 48 hours before attempting any network communication
In many cases it stays inactive for six days or more
Even when conditions are met, it only activates on about 10% of runs

This behavior is intentional.
It avoids sandbox environments, automated reviews, and behavior-based monitoring that only watches the first few hours after install.

Command and Control Communication

Once activated, the hidden loader contacts attacker-controlled infrastructure to retrieve the real payload.

Known domains used by the campaign include:

www.liveupdt[.]com
www.dealctr[.]com
mitarchive[.]info
refeuficn.github[.]io (used for CAPTCHA-related components)

The payload is often disguised as an image or benign resource but contains encrypted JavaScript.

Payload Decoding Process

Before execution, the downloaded payload goes through several transformation layers:

Uppercase and lowercase letters are swapped
Digits 8 and 9 are swapped
Base64 decoding is applied
XOR decryption is performed using a key derived from the extension’s runtime ID

This means:

Each installation decrypts the payload slightly differently
Reusing the payload across extensions is difficult
Static signatures are unreliable

What the Malware Does After Activation

GhostPoster focuses on control, tracking, and revenue generation, not destruction.

1. Affiliate Link Manipulation

Intercepts shopping and referral links
Rewrites affiliate identifiers
Redirects commission earnings to the attackers
User sees no visible change

2. Persistent Tracking Injection

Injects analytics scripts into every visited page
Creates hidden HTML elements used for tracking
Collects browsing behavior, timestamps, and identifiers
Uses a fixed analytics tracking ID: UA-60144933-8

3. Browser Security Weakening

The malware removes important security headers from web responses, including:

Content-Security-Policy (CSP)
X-Frame-Options

This makes websites more vulnerable to:

Clickjacking
Cross-site scripting
Malicious iframe abuse

4. CAPTCHA and Bot Detection Bypass

GhostPoster includes multiple methods to defeat bot protections:

Invisible overlays simulating user clicks
External CAPTCHA-solving scripts
Account validation checks

This allows automated ad fraud and scripted actions to appear human.

5. Invisible Iframe Injection

Loads hidden iframes pointing to attacker-controlled URLs
Used for ad impressions, click fraud, and traffic laundering
Iframes self-delete after roughly 15 seconds to limit forensic traces

Indicators of Compromise (IOCs)

Network Indicators

Connections to:
- liveupdt[.]com
- dealctr[.]com
- mitarchive[.]info
- refeuficn.github[.]io

File and Code Indicators

PNG files containing the ASCII marker ===
Image files larger than expected for simple icons
Extensions reading raw binary data from their own images
Suspicious local storage keys:
- dipLstCd667
- dipLstSig667
- dipLstLd667

Behavioral Indicators

Long inactivity after installation followed by sudden outbound traffic
Probabilistic execution patterns
Removal of CSP or X-Frame-Options headers
Creation of hidden DOM elements with unusual IDs
Short-lived invisible iframes

Detection Guidance

On Endpoints

Monitor extensions that access raw image bytes
Flag unexpected manipulation of HTTP security headers
Watch for injected analytics scripts where none should exist

On the Network

Block known command-and-control domains
Look for low-frequency, delayed outbound connections
Monitor for traffic patterns consistent with ad fraud

Extension Audits

Review installed add-ons against known compromised names
Inspect extension image files for appended data
Pay attention to extensions with overly broad permissions

Prevention and Mitigation

For Individual Users

Remove affected extensions immediately
Reset passwords for sensitive accounts
Avoid “free VPN” and privacy-themed extensions with unclear ownership
Keep extension count as low as possible

For Organizations

Enforce browser extension allow-lists
Monitor browser behavior at the endpoint level
Block known malicious domains
Educate users about extension-based supply chain risks

Sample YARA Rule (Hunting Image-Based Payloads)

This rule is intended as a starting point, not a silver bullet:

rule GhostPoster_PNG_Embedded_Data
{
    meta:
        description = "Detects PNG images with appended data using === marker"
        author = "internal security team"
        date = "2025-12-18"

    strings:
        $png = { 89 50 4E 47 0D 0A 1A 0A }
        $marker = "===" ascii

    condition:
        $png at 0 and $marker in (filesize - 4096 .. filesize)
}

Use this alongside behavioral detection for best results.

Final Takeaway

GhostPoster shows how dangerous browser extensions can be when trust is abused.
There was no exploit, no warning, and no visible sign of compromise. Everything worked “normally” while the malware quietly tracked users, weakened browser protections, and generated revenue for the attackers.

This campaign reinforces a critical lesson:
convenience tools are now a primary attack surface, and browser extensions deserve the same level of scrutiny as any other software installed on a system.