119 Edge extensions promised useful tools, instead downloaded malware

Brownie2019

Mar 9, 2019
Microsoft has removed 119 extensions from the Edge add-on store which were all tied to one adware campaign.

In a paper titled “Inside StegoAd: How We Disrupted a Massive Malicious Extension Campaign,” Microsoft researchers detail how they uncovered and dismantled a sophisticated malware campaign that abused browser extensions to infect users. According to Microsoft, the campaign involved 119 malicious browser extensions which were downloaded by 2.6 million users.

The extensions all promised, and delivered, some kind of basic functionality: ad blockers, VPNs, translators, video downloaders, calculators, coupon extensions and so on. But after a while they turned out to be “sleepers” and secretly started downloading additional malware.

Among the payload was malware involved in ad fraud, but also extensions that ran arbitrary JavaScript pushed from the server, which stole Google credentials and second-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies in bulk for session hijacking.

The name of the campaign, “StegoAd,” is derived from the words advertising and steganography, which refers to techniques for hiding secrets in something that doesn’t immediately arouse suspicion. In this case, hiding code in images.

And not only did the cybercriminals try to stay under the radar by waiting for some time, and hiding malicious code inside images, they also left some victims alone. Some of the extensions only went rogue in about 10% of installs, which would actually execute the next stage of the malware, while the other ~90% would be left alone (at least for that execution attempt). And, in some cases, they re-used names of well-known legitimate extensions to install an additional level of trust.

Browser extensions are a source of wealth for cybercriminals because installing one is comparable to installing a small program that lives inside your browser, which can see and report on everything you do on the internet.

Now I hear some of you thinking: I don’t use Edge. Or I’ve used it just once, to download and install my favorite browser. But although Microsoft discovered and analyzed the campaign, the techniques used in this campaign are applicable to Chromium-based browsers in general.

This campaign was less about exploiting a browser vulnerability and more about tricking users into installing a trusted-looking extension, then using sophisticated concealment techniques to avoid detection long enough to compromise systems.

How to stay safe
Read the full Story:
 
This is a good reminder that “useful” browser extensions can still be a high-risk attack surface, especially when they are designed as sleepers and only turn malicious later.

Why this campaign is concerning
  • The extensions reportedly provided real functionality at first, building trust before changing behavior.
  • Some installs were reportedly left “clean” (only a subset activated), which makes community reporting and automated detection harder.
  • Capabilities described (remote script execution, cookie theft, credential/2FA interception, WordPress admin credential theft) can lead to account takeover even without a traditional “PC malware” infection.
  • Because Edge is Chromium-based, similar tactics can be used on other Chromium browsers if the extension ecosystem and permissions allow it.

Practical ways to stay safe with extensions
  • Use as few extensions as possible. Remove anything you don’t truly need (especially “helper” add-ons like coupons, video downloaders, “all-in-one” toolboxes).
  • Prefer well-known publishers and extensions with a long history. Be cautious with clones that reuse similar names/icons to popular add-ons.
  • Review permissions before installing. Be particularly wary of extensions that request broad access like “Read and change all your data on all websites.”
  • Avoid overlapping extensions (multiple ad blockers, multiple coupon tools, multiple downloaders). More extensions = larger attack surface.
  • Keep extensions updated, but also remember updates can introduce risk; periodically re-check permissions and recent reviews after major updates.
  • Use separate browser profiles (or separate browsers) for sensitive admin work (email, banking, WordPress/admin panels) versus general browsing. This limits damage if a browsing profile gets compromised.
  • Consider extension allowlisting in families/small businesses (only approved extensions), and disable extension installs for non-admin users where feasible.

If you think you may have been affected
  • Remove suspicious extensions immediately and restart the browser.
  • Change passwords for key accounts (email first, then anything tied to it), from a clean device if possible.
  • Revoke active sessions/tokens in your account security pages (Google/Microsoft/etc.), because cookie theft can bypass passwords.
  • Check account security history (recent sign-ins, new forwarding rules, new OAuth/app connections, recovery email/phone changes).
  • Run reputable scans on the system (your installed AV plus a second-opinion scanner). Note that extension-based compromise may not always leave classic malware artifacts, so account/session hardening matters.
  • If you manage a site (e.g., WordPress), rotate admin passwords, check for newly created admins, and review recent plugin/theme changes.

Key takeaway
This incident is less about a “browser exploit” and more about supply-chain style trust abuse via extensions, so the most effective defense is strict extension hygiene, minimizing permissions, and quickly revoking sessions if anything looks suspicious.
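As an added example (not code from the article, from Microsoft's paper, or from the poster above), here is a small audit that checks a Chromium extension's manifest.json for the combinations the “Practical ways to stay safe” list warns about: broad host access (the “Read and change all your data on all websites” prompt) together with cookie, scripting or request-interception APIs. The permission and host-pattern names are the standard Chromium ones; the two sample manifests are constructed for illustration.

```python
import json
from pathlib import Path

# Host patterns that trigger the "Read and change all your data on all websites" prompt.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions behind the capabilities described in the campaign
# (bulk cookie theft, injected/remote script, interception of page traffic).
SENSITIVE_APIS = {"cookies", "scripting", "webRequest", "webRequestBlocking",
                  "declarativeNetRequest", "tabs", "webNavigation", "debugger",
                  "nativeMessaging", "proxy", "history"}

def _is_host_pattern(p):
    return p == "<all_urls>" or "://" in p

def audit_manifest(manifest):
    """Return a list of findings for one manifest; an empty list means nothing notable."""
    perms = manifest.get("permissions", [])
    # MV3 lists host matches under host_permissions; MV2 mixes them into permissions.
    hosts = list(manifest.get("host_permissions", [])) + [p for p in perms if _is_host_pattern(p)]
    apis = {p for p in perms if not _is_host_pattern(p)}
    for cs in manifest.get("content_scripts", []):      # content scripts also carry host matches
        hosts += cs.get("matches", [])
    findings = []
    broad = sorted(set(hosts) & BROAD_HOST_PATTERNS)
    if broad:
        findings.append(f"broad host access {broad}: can read and change data on all websites")
    risky = sorted(apis & SENSITIVE_APIS)
    if risky:
        findings.append(f"sensitive APIs {risky}")
    if broad and "cookies" in apis:
        findings.append("cookies + all sites: can exfiltrate session cookies in bulk")
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):                            # MV3 form is a dict of contexts
        csp = csp.get("extension_pages", "")
    if csp and ("unsafe-eval" in csp or "http" in csp):  # eval or remote script sources
        findings.append("CSP permits eval or remote script sources")
    return findings

def audit_directory(ext_root):
    """Audit every manifest.json below ext_root, e.g. a profile's Extensions folder."""
    report = {}
    for mf in Path(ext_root).rglob("manifest.json"):
        try:
            report[str(mf.parent)] = audit_manifest(json.loads(mf.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue                                     # unreadable or malformed manifest
    return report

# Constructed sample manifests (hypothetical, not real extensions).
CALCULATOR = {"manifest_version": 3, "name": "Tiny Calculator", "permissions": ["storage"]}
SLEEPER_LIKE = {"manifest_version": 3, "name": "Coupon Finder",
                "permissions": ["cookies", "scripting", "webRequest", "storage"],
                "host_permissions": ["<all_urls>"]}
```

Point `audit_directory` at a browser profile's Extensions folder to list which installed add-ons hold these combinations; a hit is a reason to review the extension, not proof it is malicious.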