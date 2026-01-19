GhostPoster Malware Campaign Targets Chrome, Firefox, And Edge Users With Malicious Extensions
This stealthy malware uses advanced steganography to embed malicious payloads within PNG icon files that are bundled with browser extensions.
Published : January 19, 2026 at 9:19 PM IST
Hyderabad: A long-running and sophisticated malware campaign, GhostPoster, has infected Google Chrome, Mozilla Firefox, and Microsoft Edge web browser users. According to GBHacker’s report, this malware campaign deploys 17 malicious extensions that use advanced steganography techniques to evade detection.
The GhostPoster malware campaign is one of the most technically mature and long-lasting web browser extension threats to be documented to date, which has collectively been downloaded more than 840,000 times.
How does GhostPoster malware function?
The most dangerous part of the GhostPoster malware is its usage of Portable Network Graphics (PNG) icon files. With the help of advanced steganography, the malware embeds malicious payloads within PNG icon files that are bundled with browser extensions.
For those who don’t know advanced steganography, it refers to the modern and sophisticated techniques for hiding information within digital carriers such as images, videos, audio, and network protocols. This method focuses on maximising embedded capacity, while maintaining a high-level of stealth. So, it goes beyond simple data hiding, such as the Least Significant Bit (LSB) method.
Once installed, GhostPoster does not rush to infect the system. It is designed to wait quietly for at least 48 hours, and in several advanced versions, the malware waits for five days. During this time, the infected web browsers behave normally, as it avoids those system that watch for suspicious activities right after installation. Once the waiting period is over, the malware connects with remote servers and downloads additional malicious code to corrupt files and systems.
What did this malware actually do?
The GhostPoster malware could:
- Weaken website security protections
- Redirect affiliate links to steal commissions
- Inject malicious scripts for click fraud
- Track users across browsing sessions
- Bypass CAPTCHA systems, which were meant to stop automated abuse.
When did the GhostPoster malware campaign start?
Cybersecurity experts believe that the campaign may have started in 2020 on the Edge browser, before spreading to Firefox and Chrome browsers. This indicates that the GhostPoster malware campaign managed to escape suspicion for almost five years, raising a serious concern about how to review web browser extensions.
Recently, Google discovered several vulnerabilities in its Chrome browser and released new critical security patches for them. Usually, people wait and watch the latest updates, as they often come with bugs, affecting user experience. Once they are sure there are no issues, they update the app or the phone.
So, this time, Google decided not to reveal key vulnerabilities in Chrome. This prevented cyber criminals from exploiting these vulnerabilities to attack users. Once the tech giant knew that the vast majority of registered Chrome accounts had been updated to the latest version, only then did Google reveal the full details of the vulnerabilities.
How to protect yourself from GhostPoster malware?
Chrome users are advised to update their browser version to the following latest versions:
- Chrome v144.0.7559.59 (for Linux)
- Chrome v144.0.7559.59 (for Windows)
- Chrome v144.0.7559.60 (for Mac)
To update Chrome, Firefox, or Edge web browsers, users just have to follow the steps below:
Step 1: Open your favourite web browser.
Step 2: Go to the three-dot menu in the top-right corner of your web browser.
Step 3: Now, click Help.
Step 4: Tap on “About Chrome”, “About Firefox”, or “About Microsoft Edge”.
After this, the update will automatically get downloaded.