StegoAd: What the Browser Extension Malware Campaign Means for Your Organisation

by Rebecca Sutton

A browser extension malware campaign called StegoAd infected more than 2.6 million users before Microsoft pulled 119 malicious extensions from its Edge store. The extensions impersonated tools people use daily: ad blockers, PDF editors, colour pickers, AI sidebars, video downloaders. Each one functioned as advertised for three to five days, then quietly activated a hidden payload. By that point, most users had no reason to suspect anything was wrong.

The story behind StegoAd is worth understanding. It shows a class of risk that many organisations have not addressed: the browser’s own extension model as an attack path into corporate systems.

Why Browser Extension Malware Is Different

Most endpoint security advice focuses on email attachments, drive-by downloads, and phishing links. Browser extensions rarely appear in the same conversation, but they warrant the same scrutiny. A typical extension requests permission to “read and change all data on websites you visit”. That grants access to session cookies, autofill passwords, chat histories in web tools, and anything typed into a browser. That covers most of what modern business work involves.

StegoAd used those permissions for password theft, session hijacking, and ad fraud. That is what makes browser extension malware so effective: the extension accesses data the browser handles directly, with no network exploit needed. The browser invites it in.
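The permission grant quoted above is driven by a handful of manifest fields. The script below is an added example (not code from the article or from any of the campaigns it names) that audits an extension's manifest.json for the combination that matters here: a broad host pattern such as `<all_urls>`, which is what produces the "read and change all data" style warning, alongside API permissions that reach cookies, requests, or page content. The sample manifest and the list of sensitive permissions are constructed for illustration.

```python
import json

# Constructed sample manifest: an extension of the kind the article describes, asking
# for the broad host grant plus APIs that reach cookies and page content. Not a real extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Colour Picker Pro (constructed sample)",
    "version": "0.9.0",
    "permissions": ["storage", "cookies", "scripting", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    "background": {"service_worker": "bg.js"},
})

# Host patterns that amount to "every site the user visits".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Subset of extension API permissions that reach session data or page content.
# A constructed review list, not an exhaustive one.
SENSITIVE_API_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "tabs", "scripting",
    "debugger", "clipboardRead", "nativeMessaging", "declarativeNetRequest",
}


def host_patterns(manifest: dict) -> set:
    """Collect every host pattern the manifest claims, across MV2 and MV3 layouts."""
    patterns = set(manifest.get("host_permissions", []))          # MV3 keeps hosts here
    patterns |= {p for p in manifest.get("permissions", [])       # MV2 mixed hosts into permissions
                 if p == "<all_urls>" or "://" in p}
    for script in manifest.get("content_scripts", []):           # injected scripts also imply host access
        patterns |= set(script.get("matches", []))
    return patterns


def audit_manifest(text: str) -> dict:
    """Summarise how far the extension could reach if its code turned out to be malicious."""
    manifest = json.loads(text)
    hosts = host_patterns(manifest)
    broad = sorted(h for h in hosts if h in BROAD_HOST_PATTERNS)
    sensitive = sorted(p for p in manifest.get("permissions", []) if p in SENSITIVE_API_PERMISSIONS)
    if broad and sensitive:
        risk = "high"
    elif broad or sensitive:
        risk = "medium"
    else:
        risk = "low"
    return {
        "name": manifest.get("name", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "broad_host_access": bool(broad),
        "broad_patterns": broad,
        "sensitive_permissions": sensitive,
        "risk": risk,
    }


if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against the manifest.json inside any unpacked extension directory; a "high" result is the profile the article warns about, where the extension can read every page and also has the APIs to move what it reads.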

How the Steganography Technique Works

The StegoAd campaign embedded malicious JavaScript inside the image files bundled with each extension, rather than in the extension’s code itself. Automated store review tools scan scripts for suspicious behaviour. They do not typically inspect image binaries for encoded payloads, so the extensions passed review. Microsoft described the operators as “sophisticated and technically advanced,” noting they have continuously updated their evasion and command-and-control techniques.

Security researchers at LayerX documented this in a related campaign. Malicious code was hidden inside a PNG icon. At runtime, the extension parsed marker bytes in the image binary, extracted the code, and ran it. Newer variants embedded payloads in arbitrary images within the extension bundle, making detection harder still. The DarkSpectre group behind StegoAd ran previous campaigns on the same model. GhostPoster affected 840,000 users; ShadyPanda hit 4.3 million devices in late 2025. When Google tightened extension standards, the operators ported their malware to the newer format and continued.
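Because image decoders stop reading at the IEND chunk, a PNG can carry any amount of extra data after it, or inside a private chunk, without looking broken. The following is an added detection example (not the article's code and not LayerX's tooling) that walks a PNG's chunk structure and flags the properties a stashed payload leaves behind: bytes after IEND, chunk types outside the specification, CRC mismatches, and script-like text in places an icon should not have it. The token list and the two sample icons are constructed; a production scanner would also inflate compressed chunk data before matching.

```python
import os
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification. Anything else is worth a second look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
}

# Substrings that have no business inside an icon. A constructed heuristic list.
SCRIPT_TOKENS = (b"function(", b"eval(", b"chrome.runtime", b"fetch(", b"XMLHttpRequest", b"document.")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk with a correct CRC (used only to build the samples)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(extra: bytes = b"") -> bytes:
    """A valid 1x1 RGB PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, bit depth, RGB, ...
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + extra


# Constructed samples: a clean icon and one carrying a marker plus script-like text after IEND.
CLEAN_ICON = build_sample_png()
TAMPERED_ICON = build_sample_png(b"\x00MARK\x00function(){/* constructed placeholder */}")


def scan_png(blob: bytes) -> dict:
    findings = {"trailing_bytes": 0, "bad_crc": [], "unknown_chunks": [], "script_like": [], "parse_error": None}
    if not blob.startswith(PNG_SIGNATURE):
        findings["parse_error"] = "not a PNG signature"
        return findings
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(blob):
            findings["parse_error"] = "truncated before IEND"
            return findings
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            findings["parse_error"] = "truncated chunk"
            return findings
        name = ctype.decode("latin-1")
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != struct.unpack(">I", crc_bytes)[0]:
            findings["bad_crc"].append(name)          # chunk edited after the image was written
        if ctype not in KNOWN_CHUNKS:
            findings["unknown_chunks"].append(name)   # private chunk: a classic place to stash data
        findings["script_like"] += [f"{name}:{t.decode()}" for t in SCRIPT_TOKENS if t in data]
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailing = blob[pos:]                             # decoders ignore everything after IEND
    findings["trailing_bytes"] = len(trailing)
    findings["script_like"] += [f"trailing:{t.decode()}" for t in SCRIPT_TOKENS if t in trailing]
    return findings


def is_suspicious(findings: dict) -> bool:
    return any(findings[k] for k in ("trailing_bytes", "bad_crc", "unknown_chunks", "script_like", "parse_error"))


def scan_unpacked_extension(root: str) -> dict:
    """Scan every .png under an unpacked extension directory; returns path -> findings for suspicious files."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".png"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    result = scan_png(fh.read())
                if is_suspicious(result):
                    hits[path] = result
    return hits
```

Point `scan_unpacked_extension` at an extracted .crx directory. Trailing bytes after IEND are the cheapest signal and the one most likely to survive an operator changing their marker format, since the image remains valid only if the payload sits outside the decoded chunks.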

What to Check in Your Organisation

The first step is understanding what is already installed. Enterprise tools for Chrome and Edge can list every installed extension by ID across managed devices. The known extension IDs from StegoAd and GhostPoster are in threat intelligence feeds from major security vendors. Cross-referencing your managed estate against those feeds is a good starting point and takes less time than most teams expect.

Bear in mind that store removal does not fix devices where the extension is already installed. Microsoft pulled the StegoAd extensions from its store, but anyone who installed them before the takedown still has an active copy. Remediation requires active uninstallation across affected devices.

Restrict extension installs. Most enterprise browser management tools allow IT to enforce an allowlist. If staff can only install from an approved list, 90 developer accounts cannot deliver browser extension malware to managed devices. That removes the risk category rather than chasing bad actors after the fact.

Separate personal and work browser profiles. If staff use personal browser profiles for work, the risk extends to every extension they have installed personally. Enforcing distinct work profiles with restricted permissions closes that gap.
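The three steps above (inventory, cross-reference, allowlist) fit in one short script. This is an added example, not code from the article or from any browser vendor: it takes an inventory export, a threat-intelligence ID list, and an `ExtensionSettings` policy (the real Chrome and Edge enterprise policy; its `"*"` entry sets the default for every extension not listed) and produces a per-device uninstall list, with IoC matches first and anything outside the allowlist second. The extension IDs, device names, inventory shape, and feed contents are all constructed placeholders; the real StegoAd and GhostPoster IDs come from your feed, not from this code.

```python
import json
from collections import defaultdict

# Constructed IoC feed. The 32-character IDs are placeholders in the Chrome/Edge ID
# alphabet (a-p); they are NOT the real StegoAd or GhostPoster extension IDs.
IOC_FEED = {
    "abcdefghijklmnopabcdefghijklmnop": "placeholder-campaign-1",
    "ponmlkjihgfedcbaponmlkjihgfedcba": "placeholder-campaign-2",
}

# Constructed inventory in the shape of a management-console export: one row per
# device/extension pair. Device names and extension names are made up.
INVENTORY = [
    {"device": "LAPTOP-001", "id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "name": "Corporate SSO Helper", "version": "2.1.0"},
    {"device": "LAPTOP-001", "id": "abcdefghijklmnopabcdefghijklmnop", "name": "Free PDF Editor", "version": "1.4.2"},
    {"device": "LAPTOP-002", "id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "name": "Corporate SSO Helper", "version": "2.1.0"},
    {"device": "LAPTOP-002", "id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "name": "Colour Picker Pro", "version": "0.9.0"},
]

# ExtensionSettings policy: "*" is the default for anything not listed. With the default
# blocked, only the listed IDs can be installed. The listed ID is constructed.
EXTENSION_SETTINGS = {
    "*": {"installation_mode": "blocked"},
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"installation_mode": "allowed"},
}

# installation_mode values under which an extension may be present on the device.
ALLOWING_MODES = {"allowed", "force_installed", "normal_installed"}


def match_iocs(inventory, ioc_feed):
    """Installed extensions whose ID appears in the IoC feed: the immediate removal list."""
    return [(row["device"], row["id"], ioc_feed[row["id"]]) for row in inventory if row["id"] in ioc_feed]


def default_is_blocked(policy):
    return policy.get("*", {}).get("installation_mode") == "blocked"


def effective_mode(policy, ext_id):
    # An explicit entry wins; otherwise "*" applies; with neither, the browser default is "allowed".
    return policy.get(ext_id, policy.get("*", {})).get("installation_mode", "allowed")


def not_allowlisted(inventory, policy):
    """Installed extensions the policy would not permit, i.e. what is running outside the allowlist."""
    return [(row["device"], row["id"]) for row in inventory
            if effective_mode(policy, row["id"]) not in ALLOWING_MODES]


def remediation_plan(inventory, ioc_feed, policy):
    """Per-device list of extensions to uninstall, IoC matches first, then allowlist violations."""
    plan = defaultdict(list)
    seen = set()
    for device, ext_id, campaign in match_iocs(inventory, ioc_feed):
        plan[device].append({"id": ext_id, "reason": f"ioc:{campaign}"})
        seen.add((device, ext_id))
    for device, ext_id in not_allowlisted(inventory, policy):
        if (device, ext_id) not in seen:
            plan[device].append({"id": ext_id, "reason": "not-allowlisted"})
            seen.add((device, ext_id))
    return dict(plan)


def policy_file(policy):
    """The JSON body a managed-policy file carries; the top-level key is the policy name."""
    return json.dumps({"ExtensionSettings": policy}, indent=2)


if __name__ == "__main__":
    if not default_is_blocked(EXTENSION_SETTINGS):
        print("WARNING: policy default is not 'blocked'; the allowlist is advisory only")
    for device, items in sorted(remediation_plan(INVENTORY, IOC_FEED, EXTENSION_SETTINGS).items()):
        for item in items:
            print(f"{device}\t{item['id']}\t{item['reason']}")
```

Two points the code makes explicit: an allowlist only removes the risk category if the `"*"` default is `blocked`, otherwise every unlisted extension is still permitted; and the store takedown changes nothing in `INVENTORY`, which is why the plan is built from what devices report rather than from what the store currently offers.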

Is Browser Extension Risk in Your Security Testing Scope?

This is a question worth putting to your current testing provider. Endpoint assessments typically inventory installed software and assess network-facing services. Browser extensions often fall outside the scope definition, sometimes because clients do not ask and testers do not raise it. Given that a malicious extension inside the browser reaches everything the browser can access, the gap in scope is worth closing.

If you are planning a penetration test or security review, ask specifically whether browser extension risk is included. The browser is not just an access method for corporate systems. For most staff, it is the primary working environment, and extension risk deserves explicit scope coverage rather than being assumed covered by other objectives.

The Wider Point

StegoAd is not a sophisticated nation-state operation. It is a financially motivated criminal group running browser-based fraud at scale, using techniques that are well documented, adaptive, and clearly profitable. In UK businesses, staff use browsers to reach email, finance systems, and internal tools. The question is not whether browser extension malware exists. It is whether the organisation knows what is running inside its browsers right now. StegoAd ran for at least five years before being named. The disruption makes that question harder to defer.
