Microsoft has pulled 119 extensions from the Edge add-on store after tying them all to a single, long-running malware operation that reached roughly 2.6 million users. In a report titled "Inside StegoAd," Microsoft's threat researchers describe how everyday-looking add-ons quietly turned malicious weeks or months after they were installed, and how the company dismantled the campaign; the takedown itself is laid out in that published write-up.
The extensions did exactly what their listings promised, at first. They worked as ad blockers, VPNs, translators, video downloaders, calculators and coupon finders. That genuine functionality is what built trust and kept them live in the store. After a dormant period, the add-ons behaved as "sleepers" and began pulling extra code from an attacker-controlled server.
What the malware did once it woke up
The later-stage payloads went well beyond nuisance adware. Microsoft says some extensions ran arbitrary JavaScript pushed from the server that stole Google credentials and second-factor codes at sign-in, harvested WordPress admin logins, and bulk-exfiltrated browser cookies for session hijacking, the kind of token theft that can let attackers slip past multi-factor authentication entirely. Other variants simply committed ad fraud in the background.
The campaign's name, StegoAd, blends "advertising" and "steganography," the practice of hiding data inside something innocuous. Here the operators concealed malicious code inside images so it would not draw attention. They layered on more evasion: some extensions only triggered the next stage in about 10% of installs and left the other 90% alone, and several reused the names of well-known legitimate add-ons to borrow their credibility.
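As an added, defender-side illustration (this is not code from Microsoft's report, and the excerpt above does not say how StegoAd's images carried the code): a small Python check that flags two cheap-to-detect ways a PNG shipped as an extension asset can hold more than pixels, bytes appended after the IEND chunk and oversized text chunks. The sample images and the 4 KiB threshold are constructed for the example.

```python
"""Flag PNG assets that carry more than an image needs.

Added example for this briefing, not code from Microsoft's report (the report
excerpt says only that code was hidden in images, not how). Two cheap checks
that catch common smuggling forms: bytes appended after the IEND chunk, and
oversized text chunks. The threshold and sample images are constructed.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
SUSPICIOUS_TEXT_BYTES = 4096  # constructed threshold; real metadata is rarely this large


def parse_png(data):
    """Return (chunks, end_offset).

    chunks is a list of (type, payload) up to and including IEND;
    end_offset is the byte at which a well-formed PNG ends."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks = []
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        chunks.append((ctype, payload))
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("PNG has no IEND chunk")


def audit_png(data):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    chunks, end = parse_png(data)
    findings = []
    trailing = len(data) - end
    if trailing > 0:
        findings.append(f"{trailing} bytes appended after IEND")
    for ctype, payload in chunks:
        if ctype in TEXT_CHUNKS and len(payload) >= SUSPICIOUS_TEXT_BYTES:
            findings.append(f"oversized {ctype.decode()} chunk ({len(payload)} bytes)")
    return findings


def _chunk(ctype, payload):
    """Build one PNG chunk with a correct CRC (used only to construct the samples)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed 1x1 grayscale PNG; not an asset from any real extension.
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
_IDAT = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
CLEAN_PNG = PNG_SIGNATURE + _chunk(b"IHDR", _IHDR) + _chunk(b"IDAT", _IDAT) + _chunk(b"IEND", b"")

# Same image with a labelled placeholder blob glued on after IEND.
APPENDED_PNG = CLEAN_PNG + b"PLACEHOLDER_PAYLOAD_BYTES" * 4

# Same image with a 5 KB text chunk that no viewer will ever display.
PADDED_TEXT_PNG = (PNG_SIGNATURE + _chunk(b"IHDR", _IHDR) + _chunk(b"IDAT", _IDAT)
                   + _chunk(b"tEXt", b"Comment\x00" + b"A" * 5000) + _chunk(b"IEND", b""))

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("padded", PADDED_TEXT_PNG)):
        print(f"{label}: {audit_png(blob) or ['no findings']}")
```

Run it over the images in an unpacked extension directory and treat any finding as a reason to look closer, not as proof: legitimate files occasionally carry metadata, but an icon with kilobytes appended past IEND has no honest reason to exist.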
Why browser extensions are such a prize
An installed extension is effectively a small program living inside your browser that can see and act on everything you do online, which is why criminals keep targeting them. Although Microsoft found this campaign in Edge, it notes the techniques apply to Chromium-based browsers generally, including Chrome. This was not a browser bug being exploited; it was users being persuaded to install trusted-looking software that flipped malicious later, an approach we saw recently when a ransomware affiliate hid a malicious Edge extension to hijack Windows PCs.
What you should do
Audit the extensions in every Chromium browser you use and remove anything you do not recognize or no longer need. Microsoft published the full list of 119 names and IDs in its report, and warns that several share names, so match on the extension ID rather than the label alone. Treat add-on permissions as seriously as app permissions, trust the developer rather than the star rating, and keep a real-time security tool running to flag extensions that suddenly start reaching out to known-bad domains.
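The audit described above, as an added example rather than a tool from Microsoft's report: a Python script that walks a Chromium profile's Extensions folder, reads each manifest, and matches on the 32-character extension ID (the directory name) against a blocklist. The report's 119 IDs are not reproduced on this page, so BLOCKLIST holds obviously fake placeholders to be replaced with the published values; a name-only match is reported separately for review, since the report warns that names are reused. The default profile paths and the sample profile built by demo() are the example's own assumptions.

```python
"""Audit installed Chromium extensions against a blocklist of extension IDs.

Added example for this briefing, not a tool from Microsoft's report. The real
StegoAd IDs are in the report and are not copied here; BLOCKLIST holds
placeholders. Matching is on the extension ID (the directory name under the
profile's Extensions folder); a name collision alone is only flagged for review.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Placeholder IDs (real ones are 32 characters from a..p); paste the report's list here.
BLOCKLIST = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "placeholder-blocked-adblocker",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "placeholder-blocked-vpn",
}
BLOCKED_NAMES = {name.lower() for name in BLOCKLIST.values()}

# Default first-profile locations for Edge and Chrome (assumed; adjust for other profiles).
CANDIDATE_PROFILE_DIRS = [
    Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft/Edge/User Data/Default",
    Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default",
    Path.home() / ".config/microsoft-edge/Default",
    Path.home() / ".config/google-chrome/Default",
    Path.home() / "Library/Application Support/Microsoft Edge/Default",
    Path.home() / "Library/Application Support/Google/Chrome/Default",
]


def resolve_name(ext_dir, manifest):
    """Return the display name, resolving __MSG_key__ via the default locale."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2]
        locale = manifest.get("default_locale", "en")
        msg_file = ext_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(msg_file.read_text(encoding="utf-8"))
            entry = messages.get(key) or messages.get(key.lower()) or {}
            name = entry.get("message", name)
        except (OSError, ValueError):
            pass  # keep the raw placeholder name if the locale file is unusable
    return name


def audit_profile(profile_dir):
    """Return findings for one profile as (extension_id, name, verdict) tuples.

    verdict is 'blocked-id' when the ID is on the blocklist, or 'name-collision'
    when only the name matches a blocked entry (review by hand, do not auto-remove)."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for id_dir in sorted(ext_root.iterdir()):
        ext_id = id_dir.name
        manifests = sorted(id_dir.glob("*/manifest.json"))  # one subdir per installed version
        if not manifests:
            continue
        manifest = json.loads(manifests[-1].read_text(encoding="utf-8"))
        name = resolve_name(manifests[-1].parent, manifest)
        if ext_id in BLOCKLIST:
            findings.append((ext_id, name, "blocked-id"))
        elif name.lower() in BLOCKED_NAMES:
            findings.append((ext_id, name, "name-collision"))
    return findings


def build_sample_profile(root):
    """Create a constructed profile with three extensions (demo data only)."""
    root = Path(root)

    def install(ext_id, version, manifest, messages=None):
        vdir = root / "Extensions" / ext_id / version
        vdir.mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages is not None:
            ldir = vdir / "_locales" / manifest.get("default_locale", "en")
            ldir.mkdir(parents=True)
            (ldir / "messages.json").write_text(json.dumps(messages), encoding="utf-8")

    # 1. ID on the blocklist, with a localized name that must be resolved.
    install("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.2.0_0",
            {"name": "__MSG_appName__", "default_locale": "en", "manifest_version": 3},
            {"appName": {"message": "Placeholder Blocked Adblocker"}})
    # 2. Different ID reusing a blocked entry's name: flagged for review only.
    install("cccccccccccccccccccccccccccccccc", "4.0.1_0",
            {"name": "placeholder-blocked-vpn", "manifest_version": 3})
    # 3. Unrelated extension: no finding expected.
    install("dddddddddddddddddddddddddddddddd", "0.9_0",
            {"name": "Constructed Calculator", "manifest_version": 3})
    return root


def demo():
    """Run the audit against the constructed profile and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_sample_profile(tmp))


if __name__ == "__main__":
    if sys.argv[1:] == ["--demo"]:
        results = demo()
    else:
        targets = [Path(a) for a in sys.argv[1:]] or [p for p in CANDIDATE_PROFILE_DIRS if p.is_dir()]
        results = [f for t in targets for f in audit_profile(t)]
    for ext_id, name, verdict in results or []:
        print(f"{verdict:15} {ext_id}  {name}")
    if not results:
        print("no blocklisted extension IDs found")
```

Invoke with `--demo` to see the constructed case, or with one or more profile directories to audit real installs; with no arguments it tries the default Edge and Chrome profile paths. The two verdicts are kept apart on purpose: a blocked ID is grounds for removal, while a name collision is exactly the situation the report warns about and deserves a look at the developer and store listing before acting.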
The lesson is uncomfortable but simple: a useful, legitimate extension today can be one server-side update away from spying on you tomorrow.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.