Microsoft Disables 119 Edge Extensions With Hidden Malware Payloads

The Bottom Line: Microsoft removed a steganography-based adware network (StegoAd) consisting of 119 extensions that had been active since at least 2021 and concealed malware payloads in images and fonts.

Microsoft has removed 119 malicious extensions from the Edge Add-ons Store. The extensions hid their code in image and font files using steganography, waited several days after installation before activating, then stole credentials and conducted ad fraud.

Microsoft has halted a long-running campaign of malicious browser extensions on the Edge Add-ons Store. The attackers concealed their malicious code payloads in ordinary image and font files, making detection through static analysis significantly more difficult.

Microsoft designates the operation as StegoAd – a portmanteau of steganography and adware – and attributes 119 extensions to a single threat actor. According to the analysis, this actor has been active since at least 2021. The operational pattern shows deliberate delay: the malware activates only several days after installation to evade detection mechanisms and automated sandboxes.

Once active, the extensions exfiltrated credentials and conducted ad fraud – a classic monetization strategy for large extension networks. For CISOs, this campaign is an indicator of the persistent risks posed by seemingly harmless browser extensions. The steganography technique further demonstrates that threat actors are increasingly employing obfuscation methods to circumvent security products.

Regular review of installed extensions and a restrictive approval policy for their use in the enterprise are recommended. Security teams should also check their environment against the known identifiers of these 119 extensions.
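The review and identifier check recommended above can be scripted. The following is an added example, not code from Microsoft or the source article: it walks an Edge user-data directory, assuming the standard Chromium layout `<profile>/Extensions/<id>/<version>/manifest.json`, and flags extensions that match a known-bad list or fall outside an approved list. All extension IDs and names in it are constructed placeholders, since this page lists no identifiers.

```python
import json
import re
import tempfile
from pathlib import Path

EXT_ID = re.compile(r"[a-p]{32}")  # Chromium-style extension ID format

def inventory(user_data_dir):
    """Yield one record per <profile>/Extensions/<id>/<version>/manifest.json."""
    for manifest in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        ext_id = manifest.parents[1].name
        if not EXT_ID.fullmatch(ext_id):
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest: still report the ID
        yield {"profile": manifest.parents[3].name, "id": ext_id,
               "version": manifest.parent.name, "name": data.get("name", "?")}

def audit(user_data_dir, known_bad, approved):
    """Return (verdict, profile, id, name) for every extension needing review."""
    findings = []
    for ext in inventory(user_data_dir):
        if ext["id"] in known_bad:
            verdict = "known-bad"      # matches a published identifier
        elif ext["id"] not in approved:
            verdict = "unapproved"     # outside the approval policy
        else:
            continue
        findings.append((verdict, ext["profile"], ext["id"], ext["name"]))
    return findings

def build_sample(root):
    """Create a constructed profile tree; IDs and names are placeholders."""
    sample = {("Default", "a" * 32): "Constructed Password Manager",
              ("Default", "b" * 32): "Constructed Wallpaper Pack",
              ("Profile 1", "c" * 32): "Constructed Coupon Finder"}
    for (profile, ext_id), name in sample.items():
        d = Path(root, profile, "Extensions", ext_id, "1.0.0_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "manifest_version": 3}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit(tmp, known_bad={"b" * 32}, approved={"a" * 32}):
            print(*finding, sep="\t")
```

On Windows the directory to pass is typically `%LOCALAPPDATA%\Microsoft\Edge\User Data`; populate `known_bad` from the published identifiers and `approved` from the organization's own approval list.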


Source: thehackernews.com · Published June 29, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.