Operation GhostPoster did not die, experts say
- LayerX found 17 malicious browser extensions with 840,000+ downloads
- Extensions hijacked affiliate links, injected tracking, and enabled ad fraud
- All extensions removed, but users must uninstall them manually
Security researchers LayerX have discovered 17 extensions for Chrome, Firefox, and Edge browsers which monitored people’s internet activity and installed backdoors for persistent access. In total, the extensions were downloaded more than 840,000 times.
This is not a new campaign. In fact, LayerX claims this is the continuation of GhostPoster, a campaign first discovered by Koi Security in mid-December 2025.
Back then, the investigators found a different set of 17 extensions, cumulatively downloaded 50,000 times, which were doing the same thing - monitoring behavior and installing backdoors.
GhostPoster
Here is the full list of all discovered extensions:
Google Translate in Right Click
Translate Selected Text with GoogleAds Block Ultimate
Floating Player – PiP Mode
Convert Everything
Youtube Download
One Key Translate
AdBlocker
Save Image to Pinterest on Right Click
Instagram Downloader
RSS Feed
Cool Cursor
Full Page Screenshot
Amazon Price History
Color Enhancer
Translate Selected Text with Right Click
Page Screenshot Clipper
Among this new batch are some extensions that were first uploaded in 2020, meaning people have been exposed to malware on official browser repositories for years. Edge’s store seems to be the place where most of these extensions first appeared, later expanding to Chrome and Firefox, too.
Some of the extensions store malicious JavaScript code in the PNG logo. The code serves as instructions on how to download the main payload from a remote server. To make detection and attribution more difficult, the attackers made the extensions download the main payload on 10% of the time.
The main payload can do all sorts of things. First and foremost, it hijacks affiliate links on major ecommerce sites - stealing money directly from content creators.
Then, it injects Google Analytics tracking into every page the user visits, and strips security headers from all HTTP responses.
Finally, it can bypass CAPTCHA using three separate mechanisms, and can inject invisible iframes, mostly used for ad fraud, click fraud, and tracking. These iframes self-destruct after roughly 15 seconds.
In the meantime, all extensions were removed from their respective repositories, but users are still advised to remove them from their browsers.
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.