No-BS security research

Malware Injection Via Steganography

The Shift Towards Browser-Based Exploitation

In 2025, Casmer Labs has observed a marked increase in “trust-based” attacks, where threat actors exploit the inherent trust users place in official browser marketplaces.

The GhostPoster campaign, recently identified by researchers at Koi Security, exemplifies this trend. Rather than exploiting a software vulnerability, the attackers utilized functional lures—VPNs, ad blockers, and translation tools—to embed a persistent surveillance and monetization toolkit directly into the user’s browsing environment.

How It Works

Unlike many “noisy” browser threats, GhostPoster was designed to remain dormant and undetected for extended periods.

  1. Steganographic Delivery via PNG Icons: The malware hides its initial loader inside the extension’s logo file (a standard .png). When the extension loads, it does not just display the icon; it scans the image file for a specific marker. Because the loader is hidden with steganography, the extension’s source code appears benign to automated scanners and manual reviewers at Mozilla’s marketplace.
  2. Probabilistic and Time-Based Evasion: To bypass network monitoring and sandbox analysis, GhostPoster employs two primary throttling techniques:
    • Activation delay: the malware remains inactive for at least 6 days after installation
    • Probabilistic check-ins: even after the delay, the loader contacts the command-and-control servers www.liveupdt.com or www.dealctr.com only 10% of the time, so within a standard 24h observation window security teams find it difficult to reproduce the malicious behavior
  3. Payload Delivery: Once the payload has been received and decrypted using a custom scheme involving XOR and Base64, it performs the following actions:
    • Intercepts clicks on major e-commerce platforms such as Taobao, replacing legitimate affiliate IDs with the attackers’ own
    • Removes Content-Security-Policy and X-Frame-Options from HTTP responses. Stripping these headers dismantles the browser’s built-in protections against cross-site scripting (XSS) and clickjacking
    • Injects Google Analytics code into every page visited, profiling the user

Why It Matters

The GhostPoster campaign’s incentive is clearly financial, but the removal of security headers and the ability to remotely execute code present a sizable risk for enterprises. A secondary attack, unrelated to GhostPoster, can take advantage of the missing protections, weakening the security posture of internal SaaS applications, cloud consoles, and more.

Protection Methods

  • Use Group Policy (GPO) or MDM solutions to restrict browser extensions to a pre-approved whitelist. Free utilities, especially VPNs and ad blockers from unknown developers, should be treated as high risk.
  • Implement EDR tooling configured to monitor browser process behavior, specifically unauthorized modifications to HTTP headers and unusual outbound connections to known command-and-control servers.
  • Consider browser isolation technologies that execute web sessions in a disposable container, preventing extensions from interacting with the local system or stripping security features.
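One way to act on the monitoring advice above against the sparse, delayed check-ins described under How It Works, as an added example that is not code from Casmer Labs or Koi Security: it aggregates web-proxy log lines per client and destination over the whole retention window, flagging any contact with the C2 hosts named in this write-up and, without indicators, hosts that few clients touch rarely over many days. The log format, the sample lines and the `cdn-updates.example` host are constructed for the example.

```python
"""Hunt for GhostPoster-style sparse C2 check-ins in web-proxy logs (added example).
A loader that sleeps ~6 days and then beacons on ~10% of opportunities rarely
fires a per-event rule inside a 24h window, so this aggregates per (client, host)
across the whole retention window. Log format is constructed (an assumption):
  <ISO-8601 timestamp> <client_ip> <destination_host>"""
from datetime import datetime

C2_HOSTS = {"www.liveupdt.com", "www.dealctr.com"}  # C2 hosts named in the write-up

# Constructed sample: 10.0.4.17 beacons sparsely over ~9 days; 10.0.4.22 looks normal.
SAMPLE_LOG = """\
2025-11-01T08:02:11Z 10.0.4.17 www.mozilla.org
2025-11-07T09:14:05Z 10.0.4.17 www.liveupdt.com
2025-11-07T09:14:06Z 10.0.4.22 www.taobao.com
2025-11-09T21:40:52Z 10.0.4.17 cdn-updates.example
2025-11-16T23:55:19Z 10.0.4.17 cdn-updates.example
"""

def aggregate(log_text):
    """Map (client, host) -> {"count", "first", "last"} over the full log."""
    agg = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rec = agg.setdefault((client, host.lower()), {"count": 0, "first": when, "last": when})
        rec["count"] += 1
        rec["first"], rec["last"] = min(rec["first"], when), max(rec["last"], when)
    return agg

def known_c2_contacts(agg):
    """Clients that reached a listed C2 host at all, however rarely."""
    return sorted({client for (client, host) in agg if host in C2_HOSTS})

def sparse_long_lived(agg, min_days=5, max_count=5, max_clients=2):
    """Indicator-free hunt: hosts that few clients touch, rarely, over many days.
    A 10% beacon has exactly this shape; treat the output as a triage list."""
    clients_per_host = {}
    for client, host in agg:
        clients_per_host.setdefault(host, set()).add(client)
    out = []
    for (client, host), rec in agg.items():
        days = (rec["last"] - rec["first"]).days
        if days >= min_days and rec["count"] <= max_count and len(clients_per_host[host]) <= max_clients:
            out.append((client, host, rec["count"], days))
    return sorted(out)
```

Run it against the full proxy retention window rather than a daily slice; the indicator-free list is a starting point for triage, since legitimate low-volume destinations will also appear.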
