- 119 malicious Edge extensions went unnoticed
- The extensions activated their harmful code a few days after being installed
- This is proof that static code review is no longer enough
Microsoft says it has removed 119 malicious extensions from the Edge Add-ons store after “proactive threat hunting” revealed a campaign called StegoAd.
As part of this effort, the company also had to suspend more than 90 developer accounts associated with this questionable activity.
The malicious browser extensions are estimated to have been active since at least 2021 and are believed to have been downloaded a total of 2.6 million times.
Microsoft removes 119 malicious ‘StegoAd’ extensions
The campaign was so broad that the extensions didn’t occupy just one category: ad blockers, VPNs, video downloaders, translators, and utility tools like PDF exporters all served as fronts for the malicious extensions.
This particular campaign owes its name to the tactic used: steganography, the practice of hiding malicious code in seemingly harmless files. PNG images, SVG graphics, and font files contained hidden embedded JavaScript to bypass traditional antivirus tools and web filtering.
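The article does not say how the JavaScript was embedded in the image files. As an added example (not Microsoft's tooling and not code from the report), this Python check triages PNG files from an unpacked extension, assuming two common carriers: private chunks and bytes appended after the IEND chunk. The JS_HINT pattern and both sample files are constructed for illustration; SVG and font files are not covered.

```python
import re
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is private data.
KNOWN = set(b"IHDR PLTE IDAT IEND tRNS gAMA cHRM sRGB iCCP pHYs bKGD tIME "
            b"sBIT hIST sPLT tEXt zTXt iTXt eXIf".split())
# Heuristic script markers (an assumption; tune for your own review pipeline).
JS_HINT = re.compile(rb"eval\s*\(|new\s+Function|atob\s*\(|fromCharCode|<script", re.I)

def chunk(ctype, body=b""):
    """Serialize one PNG chunk: length, type, body, CRC-32 over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def audit_png(data):
    """Return a list of findings for one PNG file's bytes (empty list = nothing odd)."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG (bad signature)"]
    findings, pos, ended = [], len(PNG_SIG), False
    while pos + 12 <= len(data) and not ended:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            findings.append("truncated chunk at offset %d" % pos)
            break
        body = data[pos + 8:end - 4]
        name = ctype.decode("latin-1")
        if struct.unpack(">I", data[end - 4:end])[0] != zlib.crc32(ctype + body):
            findings.append("bad CRC in %s" % name)
        if ctype not in KNOWN:
            findings.append("private chunk %s (%d bytes)" % (name, length))
        if ctype != b"IDAT" and JS_HINT.search(body):
            findings.append("script-like text in %s" % name)
        ended, pos = ctype == b"IEND", end
    if not ended:
        findings.append("no IEND chunk")
    elif pos < len(data):
        kind = "script-like" if JS_HINT.search(data[pos:]) else "opaque"
        findings.append("%d %s bytes after IEND" % (len(data) - pos, kind))
    return findings

# Constructed samples: a valid 1x1 grayscale PNG, then a tampered copy.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
CLEAN = PNG_SIG + IHDR + IDAT + chunk(b"IEND")
TAMPERED = (PNG_SIG + IHDR + chunk(b"stEg", b"opaque-blob") + IDAT
            + chunk(b"IEND") + b"eval(atob('CONSTRUCTED'))")
for label, png in (("clean", CLEAN), ("tampered", TAMPERED)):
    print(label, audit_png(png))
```

A clean result does not clear a file: payloads encoded in the pixel data itself pass this structural check, which is one reason static review alone falls short.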
Microsoft says that, once installed, the extensions remained inactive for three to five days to avoid detection before stealing browser credentials, redirecting users to malicious websites, manipulating affiliate links for financial gain, uploading additional malicious code, and even communicating with C2 servers for updated instructions.
“The StegoAd campaign demonstrates that browser extensions remain a powerful and scalable attack surface,” Microsoft wrote, admitting that even its own protection measures had missed these questionable extensions.
The report also concludes that static code review alone is no longer enough, because extensions and other installations can download malicious code long after they are first installed.
For developers themselves, Microsoft recommends being as clear as possible: not obfuscating code, requesting only necessary permissions to establish trust, and reporting any suspected impersonation.




