Researchers Expose Long-Running ‘Ghost Poster’ Malware Operation In Chrome, Firefox, Edge Stores
For years, they looked like harmless tools—translation helpers, ad blockers, download buttons. Buried deep inside their code, however, was a quieter operation that researchers now say evolved to survive scrutiny, persist across browser ecosystems, and quietly monetize millions of users’ activity.
A Campaign Hidden in Plain Sight
A new report from the browser security firm LayerX details an ongoing malicious campaign, known as GhostPoster, that relied on seemingly legitimate browser extensions distributed through official add-on stores. The extensions, many of them utilities with generic names and everyday functions, were available on Google Chrome, Mozilla Firefox, and Microsoft Edge. Some had been present in these marketplaces since at least 2020.
The scope of the campaign became clearer only after researchers pieced together how the extensions behaved once installed. While outwardly performing their advertised functions, the extensions also monitored browsing activity, injected invisible iframes, and hijacked affiliate links on major e-commerce platforms. These actions enabled ad fraud and click fraud, generating revenue while remaining largely unnoticed by users.
LayerX estimates that one set of 17 extensions alone accumulated more than 840,000 installations across the three browser ecosystems. Another group of 17 extensions, previously identified, added hundreds of thousands more.
An Unusual Method of Concealment
Central to the GhostPoster campaign was an unconventional method for hiding malicious code. Earlier research by Koi Security, which first reported the operation in December, found that extensions concealed JavaScript payloads inside their own logo images. These images contained hidden data that, once extracted, allowed the extensions to fetch and execute additional code from external servers.
LayerX’s latest findings suggest that the campaign has since evolved. In newer variants, the malicious staging logic was moved into the extension’s background script. Instead of relying solely on icon images, attackers bundled full image files as covert payload containers. At runtime, the background script scanned the raw bytes of these images for a specific delimiter, extracted the embedded data, stored it locally, and later Base64-decoded and executed it as JavaScript.
Researchers described this staged execution flow as more resilient against both static code analysis and behavioral detection, allowing the extensions to remain dormant for longer periods before activating.
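As an added example (not LayerX's or Koi Security's code, and not the campaign's real delimiter, which the report does not disclose), the scanner below shows one way a defender can triage an unpacked extension for the staging pattern described above: it walks each PNG's chunks to the IEND marker, flags any bytes that follow it, and checks whether those bytes are plaintext JavaScript or a Base64 run that decodes to JavaScript-looking text. The sample PNG, the `--SAMPLE-DELIM--` delimiter and the embedded snippet are constructed here for testing; treating "data after IEND" as the hiding spot is an assumption, not a detail from the report.

```python
import base64
import re
import zlib
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JS_MARKERS = (b"function", b"=>", b"chrome.", b"browser.", b"fetch(", b"eval(")  # heuristic only
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")

def png_trailer(data: bytes):
    """Walk PNG chunks to IEND and return the bytes after it (b"" if none); None if not a PNG."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length                  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return data[pos:]
    return None                             # truncated or malformed: IEND never reached

def inspect_trailer(trailer: bytes) -> dict:
    """Flag a trailer that is plaintext JS, or that holds a Base64 run decoding to JS."""
    decoded_js = False
    for run in B64_RUN.findall(trailer):
        try:
            decoded_js |= any(m in base64.b64decode(run, validate=True) for m in JS_MARKERS)
        except ValueError:                  # bad padding / not really Base64
            continue
    return {"trailer_len": len(trailer), "plain_js": any(m in trailer for m in JS_MARKERS),
            "decoded_js": decoded_js}

def scan_extension_dir(root) -> list:
    """Report every PNG in an unpacked extension directory that carries bytes after IEND."""
    hits = []
    for png in sorted(Path(root).rglob("*.png")):
        trailer = png_trailer(png.read_bytes())
        if trailer:
            hits.append({"file": png.name, **inspect_trailer(trailer)})
    return hits

# Constructed sample data for exercising the scanner; not taken from the real campaign.
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return len(body).to_bytes(4, "big") + ctype + body + zlib.crc32(ctype + body).to_bytes(4, "big")

def make_png_1x1() -> bytes:
    """Smallest valid PNG: 1x1, 8-bit RGB, one filtered scanline."""
    ihdr = (1).to_bytes(4, "big") * 2 + bytes([8, 2, 0, 0, 0])
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\0\0\0\0")) + _chunk(b"IEND", b"")

# Hypothetical delimiter plus a harmless Base64-encoded JS snippet appended after IEND.
SAMPLE_STUFFED_PNG = make_png_1x1() + b"--SAMPLE-DELIM--" + base64.b64encode(
    b"chrome.runtime.onInstalled.addListener(function () { /* staged loader */ });")
```

Run `scan_extension_dir("/path/to/unpacked-extension")` on an extension pulled from a user's profile; a clean icon yields an empty trailer and is not reported.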
Familiar Names, Broad Reach
The extensions flagged by LayerX bore names that closely resembled legitimate tools, including “Google Translate in Right Click,” “Translate Selected Text with Google,” and “Ads Block Ultimate.” Some had installation counts exceeding half a million before being removed. Others, such as “Instagram Downloader,” “YouTube Download,” and “Amazon Price History,” appeared tailored to common user needs, further reducing suspicion.
According to LayerX, the campaign appears to have originated on Microsoft Edge before expanding to Firefox and Chrome. While Google confirmed that all identified extensions have since been removed from the Chrome Web Store, the researchers noted that users who installed them earlier may still be exposed unless the extensions are manually removed.
Mozilla and Microsoft have also removed the affected add-ons from their stores, but the report emphasizes that marketplace takedowns do not automatically neutralize already-installed extensions.
An Operation That Endured
One of the most striking aspects of the GhostPoster campaign is its longevity. LayerX found evidence that some extensions associated with the operation remained available for years, suggesting a sustained effort rather than a short-lived burst of activity. Throughout that time, the core capabilities—tracking browsing behavior, injecting ads, and manipulating affiliate links—remained largely consistent, even as the delivery mechanisms grew more sophisticated.
Despite being publicly exposed, researchers say the campaign is not fully dismantled. The continued identification of new variants points to an operation that adapts incrementally, prioritizing stealth and persistence over rapid expansion.
