Microsoft Pulls 119 Edge Extensions That Hid Malware in Images
Microsoft removed 119 Edge extensions that smuggled malware inside image and font files, then waited days to wake up and steal logins. The add-ons looked like ordinary ad blockers and VPNs and reached up to 2.6 million installs over two years. Check your browser against Microsoft's list before you trust it again.
By SecureBusinessHub Editorial, International cybersecurity desk
Microsoft has pulled 119 extensions from the Edge add-ons store that hid malware inside ordinary-looking image and font files. It calls the campaign StegoAd, and ties all 119 to a single operator that has been running since at least 2021. The extensions reached up to 2.6 million installs.
How it worked
The trick was steganography: stashing code inside files that look like normal assets. Payloads were tucked into PNG images, WebP files, and WOFF2 fonts. The images rendered fine, the fonts displayed fine, and the hidden code was pulled out and run at the right moment. Store review and static scanners concentrate on the JavaScript in the package; an image or font that decodes cleanly reads as data, so the visible code only had to read the bytes back out of the asset and execute them.
Timing did the rest of the work. The malware stayed quiet for three to five days after install, then fired in only about one session in ten. If a developer opened the browser's DevTools, it shut itself off. All of that was built to slide past store reviewers and frustrate researchers trying to catch it in the act.
What it stole
Once active, the extensions grabbed Google sign-in details, including the two-factor codes, and harvested WordPress admin logins. They rewrote affiliate links to skim commissions, injected their own adverts into pages, and carried a backdoor for running further code on demand. Credential theft and ad fraud in one package.
The affiliate skim spanned Amazon stores in more than 20 countries plus eBay, AliExpress, Taobao, and JD.com, and the injected adverts were capped at six per page so nothing looked obviously broken. That restraint is part of how it ran for two years without being caught.
The disguises were the everyday kind: ad blockers, VPNs, translators, video downloaders, all with working features and decent reviews. The 2.6 million figure is a ceiling rather than a victim count, since the delays and gates meant the payload never fired for many installs. It is still a large blast radius.
Signs to watch for
Even without the official list, a few symptoms give these extensions away: adverts turning up on sites that do not normally carry them, search results routing through unfamiliar domains, and the browser feeling sluggish or spiking the processor while idle. On company machines, the cleanest fix is an allow-list so staff can only install extensions you have vetted. Edge takes this from managed policy: set ExtensionInstallBlocklist to * to block everything by default, then list the vetted extension IDs in ExtensionInstallAllowlist.
Check your browser
- Open edge://extensions and compare what you have installed against Microsoft's published list of the 119 extension IDs.
- If you find a match, treat the browser as compromised. Removing the extension is not enough on its own: the backdoor may already have been used, so assume every account you signed into from that browser is exposed.
- Reset your Google password, sign out of all other sessions from the account's security settings, and review recent sign-in activity for sessions you do not recognise.
- Check any WordPress and Amazon accounts you use in that browser for changes you did not make.
- Move off SMS and app codes to a passkey or hardware security key. The malware harvested typed passwords and one-time codes; a passkey never gives it anything typed to capture. It does nothing for a session already stolen, which is why the sign-in review matters too.
Browser extensions run with deep access to everything you do on the web, and a popular one can turn hostile long after you installed it. Keep the list short, and remove anything you are not actively using.