Microsoft purged 119 Edge extensions that concealed StegoAd malware inside PNG, WebP, and WOFF2 font files, reaching a combined install base of up to 2.6 million users. The campaign, active since at least 2021, evaded store reviews through steganography, multi-day dormancy, and a 10% execution gate.

Microsoft has removed 119 extensions from the Microsoft Edge Add-ons store, exposing a campaign that bypassed the platform's vetting. The group, active since at least 2021, distributed malware dubbed StegoAd by hiding JavaScript payloads in seemingly innocuous files: PNG and WebP images and WOFF2 fonts. The operation amassed a combined install base of up to 2.6 million users, Microsoft told The Hacker News. Technical details come from The Hacker News reporting; Microsoft has not published a directly accessible official advisory.

Key Takeaways
  • Microsoft removed 119 extensions and suspended more than 90 developer accounts in the Microsoft Edge Add-ons store.
  • StegoAd malware hid JavaScript payloads in PNG post-IEND data, WebP metadata, and WOFF2 glyph ranges, evading standard static scanners.
  • Code remained dormant for days after installation and activated the payload in only 10% of sessions to avoid detection.
  • Command-and-control infrastructure used 10+ domains with automatic failover, hosted on Cloudflare Workers and GitHub Pages.

The Browser Steganography Trick

The concealment techniques documented by The Hacker News represent a level of sophistication Microsoft considers rare in the browser extension ecosystem. Early variants appended JavaScript after the IEND marker of PNG files, a position static analysis tools tend to ignore. The operator later migrated to WebP and WOFF2 fonts, exploiting metadata and glyph ranges to hide executable instructions.
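As an added illustration (not code from the article, Microsoft, or the campaign), the following Python walks a PNG's chunk list, verifies each chunk CRC, and returns whatever follows the IEND chunk, which is where the text says early variants appended JavaScript. The baseline image and the appended string are constructed here for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_png(data: bytes):
    """Walk the chunk list of a PNG file.

    Returns (chunks, trailing): chunks is a list of (type, length) tuples and
    trailing is whatever follows IEND. A well-formed PNG ends at IEND, so any
    trailing bytes are exactly what an image decoder ignores and a
    signature-only scanner may never inspect.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    chunks = []
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[chunk_end - 4:chunk_end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch on chunk %r" % ctype)
        chunks.append((ctype, length))
        if ctype == b"IEND":
            return chunks, data[chunk_end:]
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def png_trailing_data(data: bytes) -> bytes:
    """Bytes after IEND; b"" for a clean file."""
    return parse_png(data)[1]


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

This only catches data appended after IEND; payloads placed inside metadata chunks (or inside WebP or WOFF2 containers, as later variants did) need inspection of chunk contents rather than of the file tail.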

This evolution is not accidental. The migration from Manifest V2 to V3, the latest Chromium extension format, shows continuous adaptation to platform changes. The operator demonstrated an understanding not only of technical vulnerabilities but also of Edge's development cadence.

The Evasion Mechanisms That Fooled the Store

Persistence in the official marketplace requires more than a good hiding place. StegoAd implemented a multi-day dormancy system: malicious code did not activate immediately after installation but waited a variable period that rendered short-lived dynamic analysis sandboxes ineffective. Additionally, a 10% execution gate limited payload execution to a minority of sessions, reducing the chance of generating anomalous patterns detectable by telemetry.

DevTools detection completed the picture. If the extension detected the browser's developer tools opening, it halted suspicious behavior, making manual analysis difficult. This combination of delay, sampling, and environmental fingerprinting constitutes an operational maturity profile unusual for browser extension campaigns.

C2 Infrastructure and Operation Profits

Documented damage includes ad fraud and credential theft. The extensions, disguised as ad blockers, VPNs, translators, and video downloaders, injected ads, hijacked affiliate commissions, and redirected searches. Seven Google Analytics tracking IDs served as covert telemetry, letting the operator monitor distribution effectiveness without exposing their own servers.

Command-and-control infrastructure relied on more than 10 domains with automatic failover, distributed across Cloudflare Workers and GitHub Pages. Some variants did not even include the payload locally; they fetched it remotely after fingerprinting the system. A polymorphic framework covered roughly 66 extensions across more than 15 name variants, complicating manual correlation.

"Combined, the 119 extensions had an install base of up to 2.6 million users. Microsoft is clear that this is a ceiling, not a victim count." — The Hacker News

Microsoft has not publicly named the responsible actor but confirmed the operator remains active. The Hacker News reports that Koi Security linked the domain mitarchive.info — used for credential exfiltration — to the group known as DarkSpectre or GhostPoster. Overlap includes shared icon methods and overlapping extension names such as "Ads Block Ultimate."

This attribution remains external to Microsoft. The source does not specify whether Microsoft shared or validated Koi Security's analysis. The absence of an official Microsoft advisory with IoC lists and extension identifiers limits independent verification: The Hacker News cites a "technical report" that is not directly accessible.

What to Do Now

  • Immediately remove from Edge any unrecognized or no-longer-needed extensions, particularly ad blockers, VPNs, translators, and video downloaders installed during the campaign's active period.
  • Monitor enterprise extension stores on a regular cadence, given that official stores do not guarantee immunity from long-term compromise.
  • Report suspicious extensions through official Microsoft channels, contributing to improved platform vetting.

The "Safe Marketplace" Paradox

StegoAd exposes a structural contradiction in the extension ecosystem. Users are conditioned to treat official stores as trust boundaries, but manual or automated review of hundreds of thousands of extensions does not scale against attacker sophistication. Steganography at this level, as Microsoft notes, is rare in the browser context — but its rarity does not lessen the impact when it penetrates controls.

The campaign is not technically a supply-chain attack in the classic sense: the extensions do not compromise legitimate software but masquerade as it. The result, however, is equivalent: malicious code distributed through an official channel with the platform's unwitting complicity. The difference lies in persistence: years of activity since at least 2021, with continuous technical evolution, suggest that the curated-store trust model requires integration with post-install behavioral analysis, not just pre-publication review.

Information is based on sources available at time of publication. Technical details derive from The Hacker News reporting; Microsoft has not released a directly accessible official advisory.

Sources and references
  1. thomasharris6.wordpress.com
  2. thehackernews.com
  3. therecord.media
  4. isc.sans.edu