A newly uncovered campaign dubbed GhostPoster has weaponized logo files in 17 Mozilla Firefox add-ons to deliver malicious JavaScript, according to researchers at Koi Security. The extensions, collectively downloaded more than 50,000 times, have since been removed from the platform.

Marketed as VPNs, ad blockers, screenshot tools, and translation utilities, the add-ons secretly deployed a multi-stage malware payload. Researchers Lotan Sery and Noga Gouldman warned that the malware stripped browser security protections, monitored user activity, and opened a backdoor for remote code execution.

The attack chain began when an extension loaded its logo file, which contained hidden code. This triggered a loader that contacted external servers to fetch the main payload, often delayed by 48 hours and activated only 10% of the time to evade detection.

Once installed, the toolkit enabled affiliate link hijacking, tracking injection, removal of security headers, hidden iframe injections for ad fraud, and CAPTCHA bypass techniques. The malware also incorporated time-based delays, activating only after six days to further avoid scrutiny.

Koi Security noted that while not all extensions used identical methods, they shared the same command-and-control infrastructure, pointing to a single threat actor experimenting with different lures. The discovery follows recent revelations of malicious Chrome and Edge VPN extensions harvesting sensitive user data, underscoring ongoing risks in free browser add-ons.
