
GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads

Published:

17 December 2025 at 08:14:00

Alert date:

17 December 2025 at 10:01:11

Source:

thehackernews.com


Web Technologies, Ransomware & Malware, Supply Chain & Dependencies

A malicious campaign called GhostPoster compromised 17 Mozilla Firefox browser extensions with over 50,000 collective downloads. The malware embedded JavaScript code in logo files to hijack affiliate links, inject tracking code, and commit click and ad fraud. The malicious extensions have since been removed from availability. This represents a significant supply chain attack targeting Firefox users through compromised browser extensions.

Technical details

The GhostPoster campaign embeds malicious JavaScript in the PNG logo files shipped with the affected Firefox add-ons. The attack chain begins when the logo file is fetched while the extension loads. Malicious code in the extension parses the file for a '===' marker to extract a JavaScript loader, which contacts external servers (www.liveupdt.com or www.dealctr.com) for the main payload, waiting 48 hours between attempts. To evade analysis, the loader fetches the payload only 10% of the time. The payload performs affiliate-link hijacking, injects tracking code via Google Analytics, strips security headers (Content-Security-Policy, X-Frame-Options), injects hidden iframes for ad fraud, and bypasses CAPTCHAs. It also incorporates time-based delays so that it does not activate until 6 or more days after installation.
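Added example (not from the advisory or from Perceptive): a Python check that walks a PNG's chunk list and flags logo files that carry data after the IEND chunk, lack an IEND chunk, or contain the '===' marker described above. It assumes the loader is appended after the image data, which the advisory does not state; the sample image and loader stub are constructed here.

```python
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # delimiter the advisory reports in the tampered logo files

def inspect_png(data: bytes) -> dict:
    # Walk the chunk list to find where the image really ends, then report anything appended.
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, image_end = len(PNG_SIG), None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
        if ctype == b"IEND":
            image_end = pos if pos <= len(data) else None  # truncated IEND counts as malformed
            break
    trailing_bytes = len(data) - image_end if image_end is not None else 0
    marker_at = data.find(MARKER)  # may hit by chance inside compressed IDAT data: a lead, not proof
    return {
        "trailing_bytes": trailing_bytes,
        "marker_offset": marker_at,
        "suspicious": image_end is None or trailing_bytes > 0 or marker_at != -1,
    }

def scan_logo_files(root: str) -> list:
    # Return (path, findings) for every PNG under an unpacked extension directory that looks tampered.
    hits = []
    for path in Path(root).rglob("*.png"):
        try:
            findings = inspect_png(path.read_bytes())
        except ValueError as exc:
            findings = {"suspicious": True, "error": str(exc)}  # a .png that is not a PNG is worth a look
        if findings["suspicious"]:
            hits.append((str(path), findings))
    return hits

def build_png(width: int = 1, height: int = 1) -> bytes:
    # Constructed 8-bit RGB test image (all black) so the example runs offline.
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

CLEAN_LOGO = build_png()
LOADER_STUB = b"(function(){/* constructed stand-in for the appended loader */})();"
TAMPERED_LOGO = CLEAN_LOGO + MARKER + LOADER_STUB  # constructed sample, not a real GhostPoster file
```

Run `scan_logo_files` against an unpacked extension directory (for example an extracted .xpi) and review each hit by hand, since a chance '===' inside compressed pixel data is possible.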

Mitigation steps:

Remove affected Firefox extensions if installed. Monitor network traffic for communications to identified C2 domains. Implement security policies to prevent installation of untrusted browser extensions. Be cautious of free VPN and utility extensions as they often contain malware instead of providing advertised functionality.

Affected products:

Mozilla Firefox browser extensions:

Free VPN
Screenshot
Weather (weather-best-forecast)
Mouse Gesture (crxMouse)
Cache - Fast site loader
Free MP3 Downloader
Google Translate (google-translate-right-clicks)
Traductor de Google
Global VPN - Free Forever
Dark Reader Dark Mode
Translator - Google Bing Baidu DeepL
Weather (i-like-weather)
Google Translate (google-translate-pro-extension)
谷歌翻译
libretv-watch-free-videos
Ad Stop - Best Ad Blocker
Google Translate (right-click-google-translate)

Related links:

Related CVEs:

Related threat actors:

IOCs:

www.liveupdt[.]com
www.dealctr[.]com
Marker '===' in PNG logo files
48-hour delay between payload retrieval attempts
6+ day activation delay after installation
10% probability payload fetch rate

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
