GhostPoster is a multi-extension campaign that hides a JavaScript loader inside extension logo PNGs using steganography. The loader extracts and decodes staged payloads fetched from C2 domains, XOR-encrypts them for storage, and uses them to fully compromise the browser. The malware performs affiliate link hijacking, tracking injection (UA-60144933-8), security-header stripping, CAPTCHA bypasses, and hidden iframe injections across 17 Firefox extensions with over 50,000 installs. #GhostPoster #FreeVPNForever
Keypoints
- Researchers flagged anomalous behavior in the Firefox extension Free VPN Forever that reads its logo PNG and extracts hidden JavaScript embedded after the marker “===”.
- The hidden JavaScript acts as a loader that contacts the primary C2 www.liveupdt[.]com and the backup www.dealctr[.]com; check-ins are spaced 48 hours apart and the payload is fetched only probabilistically, so network activity is rare and harder to spot.
- The delivered payload is custom-encoded (case swap, 8/9 swap, Base64) then XOR-encrypted with a key derived from the extension runtime ID and stored in browser storage for persistence.
- Final-stage capabilities include affiliate link hijacking on e-commerce sites, injecting Google Analytics (UA-60144933-8), creating hidden tracking divs, injecting invisible iframes for ad/click fraud, and stripping security headers like Content-Security-Policy and X-Frame-Options.
- CAPTCHA bypass mechanisms include simulated interaction overlays, loading an external solver (refeuficn.github.io), and leveraging logged-in Baidu account status.
- The campaign spans 17 Firefox extensions (50,000+ installs) using the same backend infrastructure; techniques vary between PNG steganography, direct script download, and hidden eval() calls with encoded C2 domains.
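As an added example (not from the Koi writeup and not the malware's own code), a defender-side scan of an extension's logo.png: it walks the PNG chunk list, reports any bytes appended after IEND, and flags the "===" marker when it is followed by printable text rather than image data. The 1x1 PNG and the placeholder script embedded after the marker are constructed here as sample input.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # delimiter described in the writeup (0x3D 0x3D 0x3D)

def iend_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND (end of real image data)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length + type + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk")

def looks_like_text(blob: bytes, threshold: float = 0.95) -> bool:
    """True when nearly every byte is printable ASCII, which compressed image data never is."""
    if not blob:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return printable / len(blob) >= threshold

def scan_png(data: bytes) -> dict:
    """Flag a logo PNG that carries the '===' marker followed by text, and count bytes after IEND."""
    end = iend_offset(data)
    idx = data.find(MARKER)
    hidden = data[idx + len(MARKER):] if idx != -1 else b""
    text = looks_like_text(hidden)
    return {"trailing_bytes": len(data) - end, "marker_offset": idx,
            "hidden_text": hidden if text else b"", "suspicious": idx != -1 and text}

def make_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input; not a real extension logo."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

CLEAN_PNG = make_png()
STEGO_PNG = CLEAN_PNG + MARKER + b"(function(){console.log('placeholder');})();"  # constructed
```

A clean logo yields zero trailing bytes and no marker; the constructed sample reports the marker at the end of the image and returns the appended script as hidden_text.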
MITRE Techniques
- [T1027] Obfuscated Files or Information – steganography hiding JavaScript in PNG bytes: ["It was searching through the image data, looking for a marker: three equals signs (===). Everything after that marker isn't image data. It's JavaScript, hidden in plain sight."]
- [T1105] Ingress Tool Transfer – loader fetching payload from attacker servers: ["The loader reaches out to www.liveupdt[.]com. If that fails, it tries the backup: www.dealctr[.]com."]
- [T1059.007] Command and Scripting Interpreter: JavaScript – executing extracted JavaScript payload in the browser context: ["Every time the extension loads, it extracts that hidden code and runs it."]
- [T1112] Modify Registry or Browser Storage (persistence via local storage) – decoded payload XOR-encrypted with a key from the extension runtime ID and stored in browser storage: ["The decoded payload gets XOR encrypted using a key derived from the extension's unique runtime ID, then stored in browser storage. Persistence achieved."]
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over HTTP(S) to control servers and fetch payloads: ["Primary: www.liveupdt[.]com/ext/rd.php?f= Backup: www.dealctr[.]com/ext/load.php?f=svr.png"]
- [T1562] Impair Defenses – removal of security headers from HTTP responses to weaken browser protections: ["The malware actively removes security headers from HTTP responses: Content-Security-Policy – gone; X-Frame-Options – gone"]
- [T1055] Process Injection / Web-based Injection (script and iframe injection) – injecting tracking divs, hidden iframes, and manipulating referrer policy for fraud and tracking: ["Hidden div elements get injected into pages with IDs like extwaigglbit and extwaiokist… The referrer policy gets manipulated… The iframes disappear after 15 seconds."]
- [T1497] Defeat Defenses by Evasion (delays, probabilistic fetches, custom encoding) – staged loading, randomized delays, and custom encoding to evade detection: ["The loader doesn't phone home every time. It waits 48 hours between check-ins. And even then, it only actually fetches the payload 10% of the time."]
Indicators of Compromise
- [Domain] C2 and infrastructure – www.liveupdt[.]com (primary C2), www.dealctr[.]com (backup C2)
- [Domain] Additional infrastructure/tools – mitarchive[.]info, refeuficn.github.io (CAPTCHA solver)
- [File Name / Marker] steganography marker in extension logo.png – logo.png contains "===" (0x3D 0x3D 0x3D)
- [Extension Names] malicious extensions observed – Free VPN Forever, free-vpn-forever, screenshot-saved-easyweather-best-forecast (and 14 other extension names)
- [Storage Keys] browser storage keys used for persistence – dipLstCd667, dipLstSig667, dipLstLd667
- [Tracking ID] injected analytics identifier – UA-60144933-8
Read more: https://www.koi.ai/blog/inside-ghostposter-how-a-png-icon-infected-50-000-firefox-browser-users