Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts
Key Points:
- Microsoft has shut down StegoAd, a malicious operation involving 119 Edge browser extensions that hid harmful code inside image and font files to steal credentials and run ad fraud, affecting up to 2.6 million installs since 2021.
- The extensions appeared legitimate, including ad blockers and VPNs, and used steganography to hide payloads inside PNG and WebP images and WOFF2 font files, evading detection by activating only after multiple evasion checks and delays.
- The campaign conducted ad fraud through injected ads and affiliate hijacking, while also stealing Google credentials, two-factor codes, WordPress logins, and session cookies, with sophisticated command-and-control infrastructure employing Cloudflare Workers and GitHub Pages.
- Microsoft removed all 119 extensions, suspended over 90 developer accounts, and urged users to check their installed extensions against the provided list, change passwords, enable strong two-factor authentication, and consider hardware security keys for better protection.
- The operation is linked to the Chinese threat actor DarkSpectre and shares tactics and extension names with previous campaigns like GhostPoster, indicating the actor remains active despite Microsoft's takedown efforts.
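A defender-side triage check, added here as an example and not taken from Microsoft's report or the StegoAd extensions: it parses the declared end of a PNG (the IEND chunk), a WebP (RIFF size field) and a WOFF2 (header length field) and reports how many bytes trail past it. This only catches the simplest way of smuggling a payload into an asset (appending it after the real file); data encoded inside valid chunks or pixels needs other checks. The sample files are constructed inline.

```python
import struct
import zlib

def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def png_trailing(data: bytes) -> int:
    """Bytes after the IEND chunk; the PNG spec requires IEND to be last."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length(4) + type(4) + data + crc(4)
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated PNG: no IEND chunk")

def webp_trailing(data: bytes) -> int:
    """RIFF stores (file size - 8), little-endian, at offset 4."""
    if data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP")
    return len(data) - (struct.unpack("<I", data[4:8])[0] + 8)

def woff2_trailing(data: bytes) -> int:
    """WOFF2 stores the total file length, big-endian, at offset 8."""
    if data[:4] != b"wOF2":
        raise ValueError("not a WOFF2")
    return len(data) - struct.unpack(">I", data[8:12])[0]

def check_asset(data: bytes) -> int:
    """Bytes beyond the declared end of the file; 0 means clean by this heuristic."""
    if data.startswith(b"\x89PNG"):
        return png_trailing(data)
    if data.startswith(b"RIFF"):
        return webp_trailing(data)
    if data.startswith(b"wOF2"):
        return woff2_trailing(data)
    raise ValueError("unsupported format")

# Constructed minimal samples (not real extension assets): 1x1 PNG, a WebP
# RIFF header declaring a 12-byte file, and a 48-byte WOFF2 header.
PNG_MIN = (b"\x89PNG\r\n\x1a\n"
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
           + _png_chunk(b"IEND", b""))
WEBP_MIN = b"RIFF" + struct.pack("<I", 4) + b"WEBP"
WOFF2_MIN = b"wOF2" + b"\x00\x01\x00\x00" + struct.pack(">I", 48) + b"\x00" * 36
PAYLOAD = b"/* constructed stand-in for an appended payload */"

if __name__ == "__main__":
    for name, blob in [("png", PNG_MIN + PAYLOAD), ("webp", WEBP_MIN), ("woff2", WOFF2_MIN + PAYLOAD)]:
        print(name, "trailing bytes:", check_asset(blob))
```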