Microsoft Removes Over 100 StegoAd Edge Extensions Hiding Malware via Steganography
- Extensions Removed: Microsoft pulled 100+ malicious Edge browser extensions tied to the StegoAd campaign.
- Hidden Payloads: The extensions concealed malware inside image and font files to evade detection.
- Dual Objective: The operators relied on malicious code to steal credentials and run ad fraud operations.
Microsoft has removed 119 Edge browser extensions, part of a campaign tracked as StegoAd, that used steganography to conceal malware payloads inside image and font files. The operators also relied on polymorphism, remote code execution (RCE) backdoors, and time-delayed activation.
According to the company’s report, the extensions pursued two distinct malicious goals. First, they were built to steal credentials, exposing affected users to account compromise. Second, they carried out ad fraud, generating illicit revenue for the operators behind the campaign.
StegoAd Hid Malware in Images and Fonts
By hiding code inside these seemingly benign asset types, the StegoAd operators were able to slip past conventional review and detection mechanisms. The technique allowed the malicious functionality to remain concealed within files that appear ordinary to both users and automated scanners, according to Microsoft (PDF).
The report notes that the campaign’s use of image- and font-based steganography to deliver executable payloads is a technique rarely seen at this scale in the browser extension ecosystem. At its core, StegoAd is a monetization and credential theft platform whose concealment layers protect a multi-layered revenue and data theft engine:
- Search Affiliate Hijacking (~75 extensions): Extensions intercept user navigations to major shopping and search sites, redirecting through affiliate tracking URLs to earn commission revenue.
- Ad Injection and Replacement (~12 extensions): A DOM scanner identifies existing ads on web pages and replaces them with the actor's own ads to generate AdSense revenue.
- Remote Code Execution (RCE) Backdoor: The C2 server delivers arbitrary JavaScript executed in real time, effectively acting as a full Remote Access Trojan (RAT) in the browser, serving as the delivery mechanism for all other attack modules.
- Google Account Credential Theft + 2FA Bypass: Content scripts steal passwords and second-factor codes on Google sign-in pages.
- WordPress/CMS Admin Credential Theft: Captures credentials and triages stolen sites by traffic value via SimilarWeb lookups.
- Shopping Commission Fraud: Affiliate tag injection across Amazon (20+ locales), eBay, AliExpress, Taobao, and JD.com with behavioral targeting.
- Cookie and Browsing Data Exfiltration: Exfiltrates page cookies and visited URLs for victim tracking and data brokerage.
The combination of data theft and fraudulent ad activity reflects a financially motivated operation leveraging the trust users place in browser add-ons.
Microsoft Removes the Edge Extensions
Microsoft removed all the malicious extensions from its Edge platform after the StegoAd activity was identified. The takedown underscores the persistent risk posed by extensions that request access to browsing activity and can deliver hidden code at scale.
The incident reinforces the need to scrutinize extension behavior beyond its stated functionality, particularly where image and font files can serve as carriers of concealed payloads. Steganography was also used in a global Caminho Loader campaign seen in October, which deployed Remcos RAT, XWorm, and Katz Stealer.
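One cheap triage check that follows from this is to ask whether an extension's bundled image and font assets end where their own format says they should. The script below is an added example, not code from Microsoft's report or the article: it parses the PNG chunk chain and the sfnt (TTF/OTF) table directory, reports how many bytes sit past the structural end of the file, and runs on constructed samples embedded inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SFNT_TAGS = (b"\x00\x01\x00\x00", b"true", b"OTTO")

def png_payload_end(data: bytes) -> int:
    """Offset just past the IEND chunk, or -1 if the PNG chunk chain is malformed."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if chunk_end > len(data):
            return -1
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return -1

def sfnt_payload_end(data: bytes) -> int:
    """Offset just past the last table the sfnt directory references, or -1 if malformed."""
    if len(data) < 12 or data[:4] not in SFNT_TAGS:
        return -1
    num_tables = struct.unpack(">H", data[4:6])[0]
    end = 12 + 16 * num_tables  # header plus table records
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(data):
            return -1
        _tag, _csum, offset, length = struct.unpack(">4sIII", data[rec:rec + 16])
        end = max(end, offset + length)
    return end if end <= len(data) else -1

def trailing_bytes(data: bytes) -> int:
    """Bytes beyond the structural end of a PNG or sfnt font; -1 if unrecognised or malformed."""
    for parser in (png_payload_end, sfnt_payload_end):
        end = parser(data)
        if end >= 0:
            return len(data) - end
    return -1

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a 1x1 PNG and a one-table sfnt, each clean and with appended bytes.
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
CLEAN_TTF = SFNT_TAGS[0] + struct.pack(">HHHH", 1, 16, 0, 0) + struct.pack(">4sIII", b"head", 0, 28, 4) + b"\x00" * 4
APPENDED = b"PLACEHOLDER_APPENDED_DATA"  # constructed stand-in, not a real payload
SUSPECT_PNG, SUSPECT_TTF = CLEAN_PNG + APPENDED, CLEAN_TTF + APPENDED
```

A non-zero result is a signal for manual review rather than proof of compromise, since some build tools append metadata; it also only catches the appended-data carrier pattern, not payloads woven into pixel or glyph data, so pair it with review of which scripts read those assets at runtime.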
In other recent news, browser security company Island found last week that the Adblock for YouTube Chrome extension hides dormant JavaScript injection. A LayerX report in February found that malicious Chrome extensions exploit the popularity of AI.