Microsoft has disrupted a sophisticated malware operation that leveraged the official Edge Add-ons store to distribute malicious software. The campaign, tracked as StegoAd (a portmanteau of steganography and adware), resulted in the removal of 119 extensions linked to a single threat actor active since at least 2021.

The Steganography Trick

The core of the StegoAd operation was steganography: hiding data inside ordinary-looking files, so that a store reviewer or an automated scanner sees only an image or a font rather than code. The attackers embedded their malicious payloads inside image and font files shipped with the extensions, and the extension decoded and ran them at runtime. To further avoid detection, the malware remained dormant for several days after installation before triggering its malicious activities, long enough to outlast the window in which a reviewer's sandbox or a dynamic-analysis run would normally observe it.

Credential Theft and Ad Fraud

The rogue extensions posed as legitimate tools, including VPNs, ad blockers, translators, and video downloaders. Once active, the payloads focused on:
  • Credential Harvesting: Stealing Google credentials and WordPress admin logins.
  • Session Theft: Capturing session cookies to hijack user accounts.
  • Ad Fraud: Running fraudulent advertising operations in the background.
According to The Hacker News, the extensions had up to 2.6 million installs, though Microsoft clarified that this figure is an upper bound on installations rather than a confirmed victim count.
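Each capability listed above needs a specific permission grant from the manifest, so the permission surface is the fastest first check on an extension that claims to be a translator or video downloader. The following added example (not code from the original page, Microsoft, or the campaign) triages a Chromium-style extension manifest for the combinations that make these abuses possible: the `cookies` API together with all-site host access (session theft), request interception (credentials in form posts), content scripts matched on Google sign-in or WordPress login pages, and a CSP that allows `unsafe-eval` (needed to run code decoded at runtime). The two manifests are constructed for the example and do not describe any real StegoAd extension; the login-host keywords are an assumption based on the targets the article names.

```python
"""Triage a Chromium / Edge extension manifest for the permission
combinations that make credential and session-cookie theft possible."""
import json

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Login surfaces the article says were targeted (assumed keyword list for the example).
LOGIN_HOST_KEYWORDS = ("google.com", "wp-login", "wp-admin")
INTERCEPT_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}


def _host_patterns(manifest: dict) -> list:
    """Host patterns from MV2 'permissions', MV3 'host_permissions' and content scripts."""
    pats = []
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        pats += [p for p in manifest.get(key, []) if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats


def _allows_eval(manifest: dict) -> bool:
    """True if the CSP permits 'unsafe-eval' (MV2 string form or MV3 dict form)."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = " ".join(csp.values())
    return "unsafe-eval" in csp


def triage_manifest(manifest: dict) -> dict:
    """Return the indicator flags and a simple count of how many fired."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = _host_patterns(manifest)
    broad = any(h in BROAD_HOSTS for h in hosts)
    flags = {
        # cookies API plus every host: the extension can read any site's session cookies
        "cookies_for_all_sites": "cookies" in perms and broad,
        # request interception: form posts carrying credentials are visible to the extension
        "request_interception": bool(perms & INTERCEPT_PERMS),
        # content scripts injected into sign-in pages: form and keystroke capture
        "scripts_on_login_pages": any(k in h for h in hosts for k in LOGIN_HOST_KEYWORDS),
        # CSP allows eval: code decoded at runtime (e.g. from an image) can actually execute
        "dynamic_code_allowed": _allows_eval(manifest),
    }
    return {"flags": flags, "score": sum(flags.values())}


# Constructed manifests for the example; neither is taken from a real extension.
BENIGN_TRANSLATOR = {
    "manifest_version": 3,
    "name": "Page Translator",
    "permissions": ["activeTab", "storage", "contextMenus"],
}
ROGUE_TRANSLATOR = {
    "manifest_version": 2,
    "name": "Page Translator",
    "permissions": ["cookies", "webRequest", "webRequestBlocking", "storage", "<all_urls>"],
    "content_scripts": [{"matches": ["*://accounts.google.com/*", "*://*/wp-login.php*"],
                         "js": ["content.js"]}],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
}

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_TRANSLATOR), ("rogue", ROGUE_TRANSLATOR)):
        print(label, json.dumps(triage_manifest(manifest)))
```

A translator that legitimately works on the current tab needs none of the four; an extension whose stated purpose is translation but which fires all four is not proof of malice on its own, but it is exactly the profile the article describes and should be pulled for a look at its bundled assets before it is approved or deployed.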

A Growing Threat in Browser Ecosystems

The StegoAd takedown highlights a persistent trend: browser extensions are weaponized to reach massive user bases through the very stores users trust. By suspending over 90 developer accounts, Microsoft has targeted the infrastructure of a coordinated operation that stayed undetected for nearly two years, emphasizing the need for stricter vetting processes in official add-on stores. Store vetting is not the only line of defence, though: an extension that asks for cookie access, access to all sites, or request interception when its stated purpose is translation, ad blocking, or downloading videos deserves scrutiny before it is installed, and that check can be made by the user or the administrator regardless of what the store has reviewed.