Cybersecurity · June 29, 2026 · via The Hacker News

Microsoft cracks down on hidden malware in Edge browser extensions

Microsoft has removed 119 browser extensions from its Edge Add-ons store after uncovering a sophisticated malware campaign that hid malicious code within everyday image and font files. The operation, dubbed StegoAd by Microsoft researchers, used steganography—a technique for concealing data inside other files—to evade detection while allowing the extensions to steal credentials and commit ad fraud days after installation.

The extensions, which appeared legitimate at first glance, would remain dormant for several days before activating and downloading additional payloads. These payloads were embedded in what seemed like normal image and font files, making the malware difficult to detect through routine scans. Microsoft linked the campaign to a single threat actor active since at least 2021, indicating a long-term effort to exploit unsuspecting users.

How the malware operated

Once installed, the extensions would stay inactive to avoid immediate suspicion. After a set period, they would retrieve hidden instructions from seemingly harmless files, triggering the theft of stored browser credentials and the manipulation of online advertisements to generate fraudulent revenue. The use of steganography allowed the malware to bypass traditional security measures, which often focus on executable files rather than embedded data.

The response from Microsoft

Microsoft has revoked the certificates of the affected extensions and is notifying users who may have installed them. The company advises users to review their installed extensions and remove any unfamiliar ones. This incident highlights the growing sophistication of malware campaigns that leverage everyday file formats to avoid detection, underscoring the need for continuous vigilance and updated security practices.


Source: The Hacker News. AI-assisted editorial synthesis — TechnoExpress.