A cybercriminal campaign dubbed GhostPoster has exploited Mozilla Firefox add-ons to embed malicious JavaScript code that hijacks affiliate links, injects tracking, and conducts ad fraud. Security researchers warn that these extensions, though now removed, delivered a complex malware payload capable of monitoring browsing activity, stripping browser security, and opening backdoors for remote code execution. #GhostPoster #MozillaExtensions #AffiliateHijacking #MalwarePayload #C2Infrastructure
Keypoints
- The GhostPoster campaign used 17 compromised Mozilla Firefox add-ons with over 50,000 downloads.
- The malicious code in the extensions hijacks affiliate links and injects tracking and ad fraud mechanisms.
- The malware employs multi-stage delivery, including fetching logo files that contain embedded JavaScript and connecting to external servers for payloads.
- Techniques such as CAPTCHA bypass and time delays help the malware evade detection and analysis.
- This campaign highlights the risks of fake extensions promising VPNs, translators, or utilities, which can lead to surveillance and malicious activity.
Read More: https://thehackernews.com/2025/12/ghostposter-malware-found-in-17-firefox.html