
Microsoft Disrupts StegoAd Malware Operation in Edge Extensions


Up to 2.6 million installs across 119 Edge extensions — that is the ceiling Microsoft gives for a long-running operation it calls StegoAd, a campaign that hid executable code inside ordinary image and font files and woke days later to steal credentials and run ad fraud.

StegoAd’s steganography: code tucked into PNG, WebP, and WOFF2

Microsoft says the operation relied on steganography at scale inside browser-extension assets. Early variants appended JavaScript after the IEND marker of PNG icons so images rendered normally while carrying payloads that static scanners missed. As detection improved, the actor shifted to WebP images and then to WOFF2 font files, placing code in glyph ranges that appeared as Asian text or inside font metadata. Some variants did not store payloads locally at all; instead they fetched seemingly normal images from a command-and-control (C2) server and decoded them through layers of case swaps, digit swaps, Base64 decoding, and XOR before running the result.
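A static check a defender can run over an extension package's image assets, written here as an added example (not code from Microsoft's report or from any of the extensions): PNG and WebP containers both declare where the image ends, so any bytes past that point are foreign to the image, which is exactly the trick the early StegoAd variants used. The sample files are constructed in-line so the script runs offline; the JS-token heuristic is only a hint, since XOR- or Base64-layered payloads will not look like script.

```python
"""Static check for extension image assets carrying data past the image's end.

Added example, not code from Microsoft's report or from any extension: the
StegoAd variants described above appended JavaScript after a PNG's IEND chunk,
and later moved to WebP. Both containers declare their own end, so bytes beyond
it are foreign to the image. The sample files are constructed in-line.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> bytes:
    """Walk PNG chunks and return everything that follows the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # length + type + payload + CRC
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk")


def webp_trailing_bytes(data: bytes) -> bytes:
    """WebP is a RIFF file: compare the declared RIFF size with the real length."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP")
    riff_size = struct.unpack("<I", data[4:8])[0]
    declared_end = 8 + riff_size + (riff_size & 1)   # RIFF pads odd sizes
    return data[declared_end:]


def looks_like_script(blob: bytes) -> bool:
    """Hint only: trailing data that is mostly printable and contains JS tokens.
    Obfuscated payloads (XOR, Base64 layers) will not match; the presence of any
    trailing bytes at all is the primary signal."""
    if not blob:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return printable / len(blob) > 0.9 and any(
        tok in blob for tok in (b"function", b"eval(", b"=>", b"fetch("))


def scan_asset(name: str, data: bytes) -> dict:
    """One finding record per asset; unknown formats are reported as unchecked."""
    if data.startswith(PNG_SIG):
        trailing = png_trailing_bytes(data)
    elif data[:4] == b"RIFF":
        trailing = webp_trailing_bytes(data)
    else:
        return {"file": name, "checked": False, "trailing": 0, "script_like": False}
    return {"file": name, "checked": True, "trailing": len(trailing),
            "script_like": looks_like_script(trailing)}


# --- constructed samples -------------------------------------------------

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png_1x1() -> bytes:
    """A valid 1x1 greyscale PNG, built here as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x80")                    # filter byte + pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_webp_container() -> bytes:
    """A RIFF/WEBP container with a placeholder VP8L chunk (enough for the
    container check; not a decodable image)."""
    body = b"VP8L" + struct.pack("<I", 4) + b"\x2f\x00\x00\x00"
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


if __name__ == "__main__":
    marker = b"(function(){var tag='constructed sample';})();"
    for name, blob in (("clean.png", build_png_1x1()),
                       ("icon.png", build_png_1x1() + marker),
                       ("logo.webp", build_webp_container() + marker)):
        print(scan_asset(name, blob))
```

Running the check over every `.png` and `.webp` in an unpacked extension directory (or a store package) gives a cheap first pass; WOFF2 payloads hidden in glyph data or font metadata, as the later variants did, need a font parser rather than a container-length check, and the C2-fetched variants leave nothing on disk at all, which is why the behavioral monitoring discussed further down still matters.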

Evasion, gating, and delivery: how the campaign stayed under the radar

Microsoft’s analysis highlights multiple operational steps that reduced detection and limited visible execution. Extensions sat dormant for a multi-day delay, then performed server-side validation and a 10% execution gate on some variants, meaning the payload only ran in a minority of installs. The C2 server served the real payload only to requests that passed fingerprint and User-Agent checks; other probes, including researcher queries, returned an empty decoy. Extensions also checked for open DevTools and extended dormancy if they detected analyst activity. The operator migrated the framework from Manifest V2 to V3 and ran a polymorphic codebase spanning roughly 66 extensions under 15-plus naming variants.

Impact: ad fraud on the surface, credential theft underneath

The visible activity Microsoft recovered included injected ads, hijacked affiliate commissions on Amazon, eBay, and AliExpress, and redirected searches. Behind that ad fraud, payloads included a remote-code-execution backdoor that ran arbitrary JavaScript pushed from the server, stole Google credentials and second-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies en masse for session hijacking. Microsoft found seven Google Analytics tracking IDs used as covert telemetry to give the operator near real-time dashboards through Google’s infrastructure. Plumbing for resilience included more than ten C2 domains with automatic failover, Cloudflare Workers proxying, and abuse of GitHub Pages to host beacons.

Microsoft’s takedown and user guidance

Microsoft removed all 119 extensions and suspended the more than 90 developer accounts behind them; the full list of extension IDs is in the company’s technical report. The company says the 2.6 million-install figure is a ceiling, not a confirmed victim count, because gating and server-side checks meant many installs never executed the payload. Microsoft published indicators of compromise for use across Chrome, Firefox, and other Chromium-based browsers and urges users to open edge://extensions and compare installed add-ons against its list. If an extension matches or Edge removed one automatically, Microsoft says to treat the browser as exposed: change passwords for Google, WordPress, banking, and other sensitive accounts; review recent sign-in activity; and turn on strong two-factor authentication. Microsoft notes that hardware security keys hold up against this kind of credential theft in a way that SMS codes do not.
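For fleets where opening edge://extensions on every machine is impractical, the same comparison can be done against the profile directory. The script below is an added example, not Microsoft's tooling; it assumes the Chromium-style layout Edge uses (`Extensions/<id>/<version>/manifest.json` under the profile, which on Windows defaults to `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default`) and uses a placeholder ID set in place of the IDs from Microsoft's report. It also resolves localized `__MSG_…__` names so the report shows what the user saw, and builds a constructed sample profile in a temporary directory so it runs offline.

```python
"""Inventory Edge extensions on disk and match IDs against a published list.

Added example, not Microsoft's tooling. Assumptions: the Chromium-style profile
layout Edge uses (<profile>/Extensions/<id>/<version>/manifest.json; on Windows
the default profile lives under %LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default),
and a placeholder IoC set standing in for the IDs in Microsoft's report. A sample
profile is constructed in a temporary directory so the script runs offline.
"""
import json
import os
import tempfile

# Placeholder: replace with the extension IDs from Microsoft's published list.
IOC_EXTENSION_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def resolve_name(ext_dir: str, manifest: dict) -> str:
    """Extensions often localize their name as "__MSG_key__"; look the key up in
    _locales/<default_locale>/messages.json so reports show a readable name."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2]
    locale = manifest.get("default_locale", "en")
    path = os.path.join(ext_dir, "_locales", locale, "messages.json")
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh).get(key, {}).get("message", name)
    except (OSError, ValueError):
        return name


def inventory(profile_dir: str) -> list:
    """Return one record per installed extension version found under the profile."""
    found = []
    root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(root):
        return found
    for ext_id in sorted(os.listdir(root)):
        id_dir = os.path.join(root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ver_dir = os.path.join(id_dir, version)
            mpath = os.path.join(ver_dir, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            with open(mpath, encoding="utf-8") as fh:
                manifest = json.load(fh)
            found.append({
                "id": ext_id,
                "version": version,
                "name": resolve_name(ver_dir, manifest),
                "manifest_version": manifest.get("manifest_version"),
            })
    return found


def match_iocs(items: list, ioc_ids=IOC_EXTENSION_IDS) -> list:
    """Installed extensions whose ID appears in the published list."""
    return [item for item in items if item["id"] in ioc_ids]


def build_sample_profile(profile_dir: str) -> None:
    """Constructed profile: one benign extension and one whose ID is in the list."""
    def write(ext_id, version, manifest, messages=None):
        ver_dir = os.path.join(profile_dir, "Extensions", ext_id, version)
        os.makedirs(ver_dir)
        with open(os.path.join(ver_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        if messages is not None:
            loc = os.path.join(ver_dir, "_locales", manifest["default_locale"])
            os.makedirs(loc)
            with open(os.path.join(loc, "messages.json"), "w", encoding="utf-8") as fh:
                json.dump(messages, fh)

    write("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.1.0_0",
          {"name": "Benign Sample", "version": "2.1.0", "manifest_version": 3})
    write("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.4.2_0",
          {"name": "__MSG_appName__", "default_locale": "en",
           "version": "1.4.2", "manifest_version": 3},
          messages={"appName": {"message": "Constructed Blocker"}})


def demo() -> tuple:
    """Build the constructed profile, inventory it and return (all, matches)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        items = inventory(tmp)
        return items, match_iocs(items)


if __name__ == "__main__":
    items, hits = demo()
    for item in items:
        flag = "MATCH" if item in hits else "ok"
        print(f"{flag:5} {item['id']} {item['version']:10} "
              f"MV{item['manifest_version']} {item['name']}")
```

Point `inventory()` at each user profile on a machine (and at non-default profiles such as `Profile 1`) and feed the matches into the remediation steps Microsoft lists: a hit means passwords, sign-in history and second-factor settings for that user need attention, not just removal of the extension.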

What this means for technologists, enterprises, and end users

  • Technologists and security teams: Expect adversaries to combine benign extension functionality with delayed, server-validated payloads. The use of steganography in extension assets and fast migration between Manifest V2 and V3 means detection must include behavioral monitoring and server-activity correlation, not only static scanning of packaged code.
  • Enterprises and procurement leaders: Extensions with popular consumer-facing names — ad blockers, VPNs, translators, video downloaders — can be a supply-chain risk. Microsoft found shared extension names across campaigns (for example, Ads Block Ultimate) and a polymorphic framework across dozens of extensions; cataloging and vetting browser add-ons should be part of procurement and endpoint hygiene.
  • End users: If you used Edge during the period Microsoft describes, check your installed extensions against Microsoft’s list and assume compromise if a match appears. Change high-value passwords, review sign-ins, and prefer hardware-based 2FA where feasible.

StegoAd looks less like an isolated experiment than a new face on an established operation: Microsoft links credential exfiltration to mitarchive.info, a domain Koi Security has tied to DarkSpectre, which it connected in December to the ShadyPanda and GhostPoster extension campaigns. The overlap in hiding code inside an extension’s icon and sharing extension names adds to the resemblance. Microsoft has not publicly named the actor; it does say the operator has been active since at least 2021 and remains active now.

The practical takeaways are concrete: a long shelf-life in an official store, sophisticated staged delivery, and credential theft that bypasses common protections mean defenders must treat browser extensions as high-risk software. Microsoft’s list of IDs and published indicators are the immediate next steps for remediation — and the unanswered operational question remaining in the public record is how many of the up-to-2.6-million installs actually executed the payloads and suffered data loss. Microsoft’s finding that the operator is still active is the clearest reason to act now.
