Microsoft takes down over 100 malicious Edge extensions hiding malware in images and fonts

119 malicious Edge extensions flew under the radar
They installed harmful code days after extension installation
It’s proof that static code review is no longer sufficient

Microsoft says it has taken down 119 malicious extensions from the Edge Add-ons store after “proactive threat hunting” revealed a campaign that’s been dubbed StegoAd.

As part of the program, the company also had to suspend more than 90 developer accounts associated with the dodgy activity.

Believed to have been active since at least 2021, it’s believed that the malicious browser extensions had been downloaded a total of 2.6 million times.

Microsoft removes 119 ‘StegoAd’ malicious extensions

The campaign was so broad that the extensions didn’t just occupy one category: ad blockers, VPNs, video downloaders, translators and utility tools like PDF exporters were all ploys for the malicious extensions.

This particular campaign got its name from the type of tactic used – steganography is the name given to hiding malicious code inside seemingly harmless files. PNG images, SVG graphics and font files had hidden JavaScript embedded inside to bypass traditional antivirus tools and web filtering.

Once installed, Microsoft says they remained dormant for three to five days to avoid detection before going on to steal browser credentials, redirect users to malicious websites, manipulate affiliate links for financial gain, download additional malicious code and even communicate with C2 servers for updated instructions.

“The StegoAd campaign demonstrates that browser extensions remain a potent and evolving attack surface,” Microsoft wrote, admitting that even its own safeguards had missed these dodgy extensions.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The report also concludes that static code review alone is no longer sufficient, because extensions and other installations can download malicious code long after they were first installed.

For developers themselves, Microsoft recommends being as clear as possible by not obscuring code, requesting only the necessary permissions to build trust, and report any suspected impersonation.

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Microsoft removes 119 ‘StegoAd’ malicious extensions

Leave a Reply Cancel reply

Related Posts

Apple’s first M5 products could launch this week – here are the 3 biggest rumors, from iPads to a MacBook Pro surprise

Another gloomy Nvidia RTX 5000 rumor suggests next-gen GPUs will be price hiked over the MSRP in many cases, and I’m getting worried now

Lighter. Better. Faster. Stronger. The legendary laptops that created today’s killer kit