Full Report
Microsoft has shut down a long-running malicious extension operation on the Edge Add-ons store that hid its payloads inside ordinary image and font files, then woke up days after install to steal credentials and run ad fraud. The company calls it StegoAd, a mash-up of steganography and adware, and ties 119 extensions to a single threat actor it says has been active since at least 2021.
Analysis Summary
# Incident Report: StegoAd Malicious Extension Campaign
## Executive Summary
Microsoft disrupted a large-scale malicious operation involving 119 Edge browser extensions, dubbed "StegoAd," which used steganography to hide malware within image and font files. Active since at least 2021, the campaign affected up to 2.6 million users, facilitating ad fraud and the theft of sensitive credentials for Google, WordPress, and banking platforms. Microsoft has since removed the extensions and suspended the associated developer accounts.
## Incident Details
- **Discovery Date:** June 2026 (Reported)
- **Incident Date:** Active since at least 2021
- **Affected Organization:** Microsoft Edge Users / General Public
- **Sector:** Technology / Software (Browser Ecosystem)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since 2021
- **Vector:** Official Browser Extension Store (Edge Add-ons)
- **Details:** Users voluntarily installed functional extensions (ad blockers, VPNs, translators) which contained dormant malicious code.
### Lateral Movement
- **Mechanism:** Not applicable in a traditional network sense; however, the malware performed session hijacking by exfiltrating cookies, allowing unauthorized access to various web accounts (Google, WordPress, etc.).
### Data Exfiltration/Impact
- **Theft:** Harvesting of Google credentials, 2FA codes, WordPress admin logins, and bulk cookie exfiltration.
- **Fraud:** Ad injection, hijacked affiliate commissions on e-commerce sites (Amazon, eBay, AliExpress), and search redirection.
### Detection & Response
- **Detection:** Microsoft’s security teams identified a pattern of steganographic payloads and multi-staged evasion tactics.
- **Response:** Simultaneous removal of 119 extensions and suspension of 90+ developer accounts. Published indicators of compromise (IoCs) and technical guidance for users.
## Attack Methodology
- **Initial Access:** Supply chain attack via compromised or malicious developer accounts on the Edge Add-ons store.
- **Persistence:** Browser extensions remained installed and functional, surviving browser restarts.
- **Privilege Escalation:** Exploited browser permissions to access site data and cookies.
- **Defense Evasion:** Used steganography (hiding code in PNG, WebP, and WOFF2 files), multi-day execution delays, detection of DevTools, and server-side validation to ignore researchers.
- **Credential Access:** Keylogging/form-grabbing of sign-in credentials and redirection of 2FA codes.
- **Discovery:** Fingerprinting user agents and system environments before deploying payloads.
- **Lateral Movement:** Session hijacking through cookie extraction.
- **Collection:** Automated harvesting of login data and browsing session information.
- **Exfiltration:** Data sent to C2 domains via Layer 7 protocols (HTTPS) and Cloudflare Workers.
- **Impact:** Financial loss via affiliate fraud and compromise of personal/professional accounts.
## Impact Assessment
- **Financial:** Significant loss of affiliate revenue for retailers; potential financial theft from compromised banking logins.
- **Data Breach:** High volume of PII (credentials and session tokens) for up to 2.6 million potential installs.
- **Operational:** Degradation of browser performance and integrity.
- **Reputational:** Erosion of trust in official extension marketplaces.
## Indicators of Compromise (Defanged)
- **Network Indicators:**
  - mitarchive[.]info
  - [Redacted] GitHub Pages beacons
  - [Redacted] Cloudflare Workers proxies
- **File Indicators:**
  - Malicious PNG/WebP files with JavaScript appended after the IEND chunk.
  - WOFF2 font files with executable code in Asian glyph ranges.
- **Behavioral Indicators:**
  - Extensions that delay activity for several days after installation.
  - Browser extensions that stop activity when DevTools/Inspect Element is opened.
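The file indicators above describe a structural anomaly that can be checked without any signature: a conforming PNG ends at the CRC of its IEND chunk, and a WebP's RIFF header declares exactly how many bytes follow it, so any remainder is outside the image format. The scanner below is an added example written for this report, not Microsoft's tooling or any sample from the campaign. It walks the PNG chunk list (verifying each CRC), reads the RIFF size field, and reports how much trailing data exists and whether it looks like script. The sample images are constructed inline (a 1x1 PNG and a non-decodable WebP container); the appended "payload" is a harmless placeholder string. The `SCRIPT_TOKENS` heuristic is an assumption for illustration, not a detection rule from the advisory.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Tokens that suggest trailing bytes are script rather than padding. Heuristic only;
# a production scanner would hand the blob to a JS parser or sandbox instead.
SCRIPT_TOKENS = (b"function", b"eval(", b"=>", b"document.", b"chrome.", b"fetch(")


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input (not a file from the campaign)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour, ...
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one 8-bit pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_minimal_webp(body: bytes) -> bytes:
    """Constructed RIFF/WEBP container around an arbitrary chunk body (not a decodable image)."""
    riff_body = b"WEBP" + body
    return b"RIFF" + struct.pack("<I", len(riff_body)) + riff_body


def png_trailing_bytes(data: bytes) -> bytes:
    """Walk the chunk list and return everything after the IEND chunk.
    A conforming PNG ends exactly at IEND's CRC, so any remainder is outside the format."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        expected = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        actual = zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF
        if expected != actual:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos = chunk_end
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk found")


def webp_trailing_bytes(data: bytes) -> bytes:
    """Return bytes beyond the length the RIFF header declares (also outside the format)."""
    if data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP")
    declared = struct.unpack("<I", data[4:8])[0]
    return data[8 + declared:]


def looks_like_script(blob: bytes) -> bool:
    """Cheap heuristic: mostly printable ASCII plus at least one JavaScript-looking token."""
    if not blob:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return printable / len(blob) > 0.9 and any(t in blob for t in SCRIPT_TOKENS)


def scan_asset(data: bytes) -> dict:
    """Classify a PNG or WebP blob and report any trailing bytes after the image data."""
    if data.startswith(PNG_SIG):
        fmt, trailing = "png", png_trailing_bytes(data)
    elif data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        fmt, trailing = "webp", webp_trailing_bytes(data)
    else:
        return {"format": "unknown", "trailing_bytes": 0, "script_like": False}
    return {"format": fmt, "trailing_bytes": len(trailing), "script_like": looks_like_script(trailing)}


# Constructed samples: a clean PNG, the same PNG with a harmless placeholder appended
# after IEND (standing in for an appended payload), and a clean WebP container.
CLEAN_PNG = build_minimal_png()
PLACEHOLDER = b"(function(){ /* constructed placeholder, not a real payload */ })();"
SUSPECT_PNG = CLEAN_PNG + PLACEHOLDER
CLEAN_WEBP = build_minimal_webp(b"VP8L" + struct.pack("<I", 4) + b"\x2f\x00\x00\x00")

if __name__ == "__main__":
    for label, blob in (("clean.png", CLEAN_PNG), ("suspect.png", SUSPECT_PNG), ("clean.webp", CLEAN_WEBP)):
        print(label, scan_asset(blob))
```

Run over an extracted extension package, any asset with a non-zero `trailing_bytes` count deserves a look even when `script_like` is false: the byte count alone is the anomaly, and an encoded or compressed payload would not trip the token heuristic. The same "declared size versus actual size" idea applies to the WOFF2 indicator, though a font parser is needed to check glyph tables.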
## Response Actions
- **Containment:** Remote removal of extensions from user browsers by Microsoft.
- **Eradication:** Deletion of 119 malicious extension entries from the store and ban of 90+ developer IDs.
- **Recovery:** Public advisory issued for users to rotate passwords and enable hardware-based MFA.
## Lessons Learned
- **Evasion Maturity:** Threat actors are increasingly using steganography in web assets (fonts and icons) to bypass static analysis.
- **Marketplace Trust:** "Functional" malware (apps that actually do what they say while being malicious) is highly effective at gaining positive reviews and avoiding early detection.
- **Infrastructure Abuse:** The use of legitimate services like Google Analytics for telemetry and GitHub for C2 makes detection through traditional traffic monitoring difficult.
## Recommendations
- **To End Users:** Prefer hardware security keys over SMS-based 2FA. Regularly audit installed extensions via `edge://extensions`.
- **To Developers/Platforms:** Implement stricter runtime analysis for extensions and monitor for prolonged dormancy periods followed by high network activity.
- **To Organizations:** Implement browser extension allow-lists via Group Policy (GPO) to prevent the installation of unvetted add-ons.
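One way an administrator could script the audit behind the first and third recommendations, as an added example that is not from Microsoft's advisory: read a Chromium-style Preferences file, list every installed extension, and flag the ones that are off the organization's allow-list or that combine broad host access with the cookie and network permissions the StegoAd payloads relied on. The layout assumed here (installed extensions under `extensions.settings`, keyed by extension id, each with a `manifest` and an `install_time` given as microseconds since 1601-01-01) follows Chromium's Preferences format as I understand it and is an assumption; the input below is a constructed sample, not a real profile, and `load_prefs` is the only part that touches disk.

```python
import json
from datetime import datetime, timedelta, timezone

# Chromium-family browsers store timestamps as microseconds since 1601-01-01 (the Windows
# FILETIME epoch). Assumed layout; verify against a real Edge profile before relying on it.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Permissions that, combined with broad host access, let an extension read session cookies
# or rewrite traffic: the capabilities cookie theft and ad injection need.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def install_time_to_datetime(value) -> datetime:
    """Convert a Chromium microsecond timestamp (string or int) to an aware datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=int(value))


def audit_extensions(prefs: dict, allowlist: set) -> list:
    """Return one finding per installed extension with a (possibly empty) list of reasons."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        # Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
        hosts = set(manifest.get("host_permissions", [])) | (perms & BROAD_HOSTS)
        risky = perms & RISKY_PERMISSIONS
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allow-list")
        if hosts & BROAD_HOSTS and risky:
            reasons.append("broad host access with " + ", ".join(sorted(risky)))
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the store")
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "<unnamed>"),
            "version": manifest.get("version", "?"),
            "installed": install_time_to_datetime(entry.get("install_time", "0")).date().isoformat(),
            "reasons": reasons,
        })
    return findings


def load_prefs(path: str) -> dict:
    """Load a Preferences / Secure Preferences JSON file from an Edge profile directory."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample profile: one allow-listed, low-privilege extension and one that is
# off the list and asks for every site plus cookies and webRequest. Ids and names are made up.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "abcdefghijklmnopabcdefghijklmnop": {
                "from_webstore": True,
                "install_time": "13348540800000000",  # 2024-01-01T00:00:00Z
                "manifest": {"name": "Constructed Notes", "version": "1.0", "permissions": ["storage"]},
            },
            "ponmlkjihgfedcbaponmlkjihgfedcba": {
                "from_webstore": True,
                "install_time": "13348540800000000",
                "manifest": {
                    "name": "Constructed Ad Shield",
                    "version": "3.2.1",
                    "permissions": ["cookies", "webRequest", "storage"],
                    "host_permissions": ["<all_urls>"],
                },
            },
        }
    }
}
ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop"}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS, ALLOWLIST):
        status = "OK " if not finding["reasons"] else "FLAG"
        print(f'{status} {finding["id"]} {finding["name"]} v{finding["version"]} '
              f'installed {finding["installed"]}: {"; ".join(finding["reasons"]) or "-"}')
```

The same allow-list should be enforced, not just audited, through the ExtensionInstallAllowlist policy the third recommendation refers to; the script is useful for confirming policy took effect on a fleet and for spotting the broad-permission pattern on extensions that were allow-listed before anyone looked at their manifests.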