Microsoft has removed 119 Edge extensions from its Add-ons store that concealed malware within images and fonts, compromising user credentials and facilitating ad fraud. The extensions, installed by up to 2.6 million users, utilized steganography to hide malicious code, operating undetected for years.
Microsoft has terminated a campaign involving 119 malicious extensions in its Edge Add-ons store. These extensions masqueraded as benign tools—such as ad blockers and video downloaders—but contained hidden payloads that were activated post-installation. The campaign, dubbed StegoAd, has been linked to a single threat actor active since at least 2021.
The malicious code was concealed using steganography: executable scripts were embedded within ordinary image and font files. Initially the scripts were appended after the IEND marker of PNG files, a position image decoders ignore, so the files still parsed as valid images and appeared harmless to security scanners. As detection methods improved, the actor adapted by moving to more sophisticated carriers such as WebP images and WOFF2 font files.
The extensions potentially impacted an extensive user base, with Microsoft estimating that up to 2.6 million installations occurred. The exact number of compromised users is unclear, as many installations did not execute the malicious payload due to various checks put in place by the attackers. However, the visible effects included ad fraud, hijacking affiliate commissions on platforms such as Amazon and eBay, and redirecting search queries.
In addition to ad fraud, the payloads retrieved by Microsoft encompassed capabilities for remote code execution, indicating the extensive threat posed by these extensions. The operational sophistication included mechanisms to evade detection by monitoring for security tools and analysts, allowing the malicious activities to remain under the radar for an extended period.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.