- 119 malicious Edge extensions went undetected
- They installed harmful code days after installing the extension
- It's proof that static code review is no longer enough
Microsoft says it has removed 119 malicious extensions from the Edge Add-ons store after “proactive threat hunting” revealed a campaign called StegoAd.
As part of the program, the company also had to suspend more than 90 developer accounts associated with the questionable activity.
They are believed to have been active since at least 2021 and the malicious browser extensions were downloaded a total of 2.6 million times.
Microsoft removes 119 malicious 'StegoAd' extensions
The campaign was so broad that the extensions didn't just occupy one category: ad blockers, VPNs, video downloaders, translators, and utility tools like PDF exporters were all tactics for malicious extensions.
This particular campaign owes its name to the type of tactic used: steganography is the name given to hiding malicious code inside seemingly harmless files. The PNG images, SVG graphics, and font files had hidden JavaScript embedded inside them to bypass traditional antivirus tools and web filtering.
Once installed, Microsoft says they remained dormant for three to five days to avoid detection before stealing browser credentials, redirecting users to malicious websites, manipulating affiliate links for financial gain, downloading additional malicious code, and even contacting C2 servers for updated instructions.
“The StegoAd campaign demonstrates that browser extensions remain a powerful and evolving attack surface,” Microsoft wrote, admitting that even its own safeguards had missed these unreliable extensions.
The report also concludes that static code review alone is no longer sufficient, because extensions and other installations can download malicious code long after they are installed.
For developers themselves, Microsoft recommends being as clear as possible by not obscuring the code, requesting only the permissions necessary to build trust, and reporting any suspected impersonation.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
