Microsoft Disrupts 'StegoAd' Campaign: Malicious Edge Extensions Hid Payloads in Images, Stole Credentials
Microsoft has successfully dismantled a sophisticated, long-running malicious browser extension operation dubbed 'StegoAd' on the **Edge Add-ons** store. This campaign, active since at least 2021, involved 119 extensions that cleverly concealed their malicious payloads within ordinary image and font files, lying dormant for days before activating to steal credentials and conduct ad fraud.
Microsoft has taken action against a persistent threat actor, shutting down 119 malicious extensions on the **Edge Add-ons** store. The operation, which **Microsoft** has named **StegoAd** (a portmanteau of steganography and adware), has been active since at least 2021.
These seemingly innocuous extensions, ranging from ad blockers and VPNs to translators and video downloaders, performed their stated functions while harboring malicious code. That code stayed dormant behind a series of evasion checks, which kept it from tripping store review and let the extensions remain listed for years.
While the 119 extensions collectively amassed up to 2.6 million installs, **Microsoft** clarifies that this represents a potential ceiling rather than a definitive victim count. A multi-day delay, server-side validation, and a 10% execution gate on some variants meant that the payload never activated for many users.
## Code Hidden in Pictures and Fonts
The campaign's namesake, steganography, was central to its evasion tactics. Early variants appended JavaScript after the `IEND` chunk of **PNG** icons. A PNG decoder stops reading at `IEND`, so the image renders normally while the trailing bytes carry a hidden payload that static scanners failed to flag.
As detection methods improved, the threat actor adapted, shifting to **WebP** images and then **WOFF2** font files. They concealed code within glyph ranges that appeared as Asian text or font metadata. **Microsoft** notes that steganography at this scale is rare within the browser extension ecosystem.
Some advanced variants did not ship the payload in the package at all. Instead, they fetched a normal-looking image from a command-and-control (**C2**) server. The extension then peeled off several layers of obfuscation (case swaps, digit swaps, **Base64**, and **XOR**), checked the result against a signature, and executed it.
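The trailing-data trick is easy to check for mechanically. The following Python script is an added example, not Microsoft's tooling or the actor's code: it walks a PNG's chunk list (verifying each chunk's CRC) and reports any bytes after `IEND`, and applies the equivalent check to a **WebP** file's RIFF container, whose header size field declares where the image should end. The sample images are constructed in memory, and the appended comment text is a placeholder standing in for a payload.

```python
"""Find bytes appended after a PNG's IEND chunk or past a WebP's RIFF size.

Added example (not Microsoft's or the actor's code).  Sample images are
constructed in memory; the appended text stands in for a payload."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> bytes:
    """Walk the chunk list and return whatever follows IEND (b"" if clean).

    Raises ValueError on a malformed file so a scanner can report
    "unparseable icon" as its own finding instead of silently passing."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError(f"truncated {ctype.decode('latin-1')} chunk")
        # CRC covers type + data; a decoder would reject a mismatch.
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        if struct.unpack(">I", crc_field)[0] != expected:
            raise ValueError(f"bad CRC on {ctype.decode('latin-1')} chunk")
        pos += 12 + length
        if ctype == b"IEND":
            # A decoder stops reading here; anything after is foreign.
            return data[pos:]
    raise ValueError("no IEND chunk found")


def webp_trailing_data(data: bytes) -> bytes:
    """RIFF header is 'RIFF' <u32 LE size> 'WEBP'; size counts every byte
    after offset 8, so the file should end exactly at 8 + size."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP container")
    riff_size = struct.unpack("<I", data[4:8])[0]
    end = 8 + riff_size
    if end > len(data):
        raise ValueError("RIFF size exceeds file length")
    return data[end:]


def scan_image(data: bytes) -> dict:
    """Dispatch on magic bytes; never raises, so it can run over a whole tree."""
    try:
        if data.startswith(PNG_SIG):
            fmt, trailing = "png", png_trailing_data(data)
        elif data[:4] == b"RIFF":
            fmt, trailing = "webp", webp_trailing_data(data)
        else:
            return {"error": "unsupported format"}
    except ValueError as exc:
        return {"error": str(exc)}
    return {"format": fmt, "trailing_bytes": len(trailing),
            "suspicious": len(trailing) > 0, "preview": trailing[:40]}


# --- constructed samples (not real extension assets) -----------------------
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(trailer: bytes = b"") -> bytes:
    """Valid 1x1 8-bit grayscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one black pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b"") + trailer)


def build_webp_container(payload: bytes = b"", trailer: bytes = b"") -> bytes:
    """RIFF/WEBP framing with a dummy 'VP8 ' chunk (valid container, not a
    decodable image); RIFF chunks are padded to even length."""
    pad = b"\x00" if len(payload) % 2 else b""
    chunk = b"VP8 " + struct.pack("<I", len(payload)) + payload + pad
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk + trailer


if __name__ == "__main__":
    samples = {
        "clean.png": build_png(),
        "stego.png": build_png(b"/* constructed stand-in for appended JS */"),
        "clean.webp": build_webp_container(b"\x00" * 5),
        "stego.webp": build_webp_container(b"\x00" * 5, b"/* appended */"),
        "truncated.png": build_png()[:-4],
    }
    for name, blob in samples.items():
        print(f"{name:<14} {scan_image(blob)}")
```

Run `scan_image` over every `.png` and `.webp` in an unpacked extension directory; a non-zero `trailing_bytes` on an icon is a strong signal, and a parse error on an icon that Edge renders fine deserves a look too. The check does not cover the later **WOFF2** variants, which hide code inside legitimate font tables rather than after the end of the file, so a font-aware scanner is needed for those.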

Crucially, the **C2** server would only deliver the actual malicious file to requests that passed specific fingerprint and **User-Agent** checks. Researchers attempting to probe the server directly would receive an empty decoy response. Additionally, the extensions were designed to detect open **DevTools**, extending their dormancy if an analyst was observed.
## Ad Fraud on Top, Credential Theft Underneath
The visible impact of **StegoAd** was primarily ad fraud: injected ads, hijacked affiliate commissions on platforms like **Amazon**, **eBay**, and **AliExpress**, and redirected searches. This generated illicit revenue while degrading the user's browsing experience.
However, **Microsoft's** analysis of the retrieved payloads uncovered a more severe underlying threat. The payloads included a remote code execution backdoor capable of running arbitrary JavaScript pushed from the server. They also actively stole **Google** credentials and second-factor codes during sign-in, harvested **WordPress** admin logins, and exfiltrated cookies in bulk for session hijacking.

Campaign telemetry appears to have run through seven **Google Analytics** tracking IDs, giving the operator near real-time dashboards on **Google's** own infrastructure.
The operational infrastructure demonstrated significant sophistication, featuring over ten **C2** domains with automatic failover. The actor proxied traffic through **Cloudflare Workers** and leveraged **GitHub Pages** to host beacons. A polymorphic framework was employed across approximately 66 extensions under more than 15 naming variants, and the operation seamlessly migrated from **Manifest V2** to **V3** as platform changes necessitated.
## What to Do
**Microsoft** has confirmed the removal of all 119 malicious extensions and the suspension of over 90 associated developer accounts. A comprehensive list of the compromised extension IDs is available in **Microsoft's** technical report.
Users should open `edge://extensions` and cross-reference their installed add-ons against this list. If any match, or if **Edge** has already removed an extension automatically, treat the browser as compromised. Change passwords for sensitive accounts, including **Google**, **WordPress**, and banking services, and, because cookies were exfiltrated in bulk, also sign out of or revoke every active session on those accounts: a stolen session cookie can outlive a password change on services that do not invalidate existing sessions on reset.
Review recent sign-in activity for anomalies and enable strong two-factor authentication (**2FA**). Since the payload captured second-factor codes at sign-in, **SMS** and authenticator-app codes offer limited protection against this actor; hardware security keys (**FIDO2**) hold up better because the signed response is bound to the site origin and a one-time challenge, leaving a code-stealing script nothing reusable. **Microsoft** has also published indicators of compromise (**IOCs**) applicable across **Chrome**, **Firefox**, and other **Chromium**-based browsers.
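Checking the `edge://extensions` page by hand works for one machine; for an incident-response sweep across several profiles or hosts, the same cross-reference can be done against the profile directories on disk. The following Python script is an added example, not Microsoft's tooling: it walks each Edge profile's `Extensions` folder (the on-disk backing of what `edge://extensions` shows), reads every `manifest.json`, resolves localized `__MSG_…__` names, and flags any ID found in a blocklist file such as the list from Microsoft's report. The User Data paths for Windows, macOS and Linux are Edge's standard locations; the blocklist ID and throwaway profile in `demo()` are constructed placeholders, not real StegoAd identifiers, and the script name in the usage note is assumed.

```python
"""Inventory installed Edge extensions from on-disk profiles and flag IDs that
appear in a blocklist (e.g. the IDs from Microsoft's report, one per line).

Added example, not Microsoft's tooling.  The demo profile and the blocklist
entry in demo() are constructed placeholders, not real StegoAd IDs."""
import json
import os
import platform
import re
import tempfile
from pathlib import Path

# Chromium extension IDs are 32 characters drawn from a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")


def edge_user_data_dirs() -> list[Path]:
    """Edge 'User Data' roots per OS; profiles (Default, Profile 1, ...) sit below."""
    home = Path.home()
    system = platform.system()
    if system == "Windows":
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [local / "Microsoft" / "Edge" / "User Data"]
    if system == "Darwin":
        return [home / "Library" / "Application Support" / "Microsoft Edge"]
    return [home / ".config" / "microsoft-edge"]


def _display_name(ext_dir: Path, manifest: dict) -> str:
    """Resolve __MSG_key__ names via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return json.loads(msgs.read_text("utf-8-sig"))[m.group(1)]["message"]
    except (OSError, KeyError, ValueError, TypeError):
        return name


def inventory(user_data: Path) -> list[dict]:
    """One record per installed extension version under every profile."""
    records = []
    if not user_data.is_dir():
        return records
    for profile in sorted(user_data.iterdir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_dir in sorted(ext_root.iterdir()):
            if not EXT_ID.match(ext_dir.name):
                continue
            for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
                mf = ver_dir / "manifest.json"
                if not mf.is_file():
                    continue
                try:
                    manifest = json.loads(mf.read_text("utf-8-sig"))
                except ValueError:
                    manifest = {}  # unreadable manifest: still report the ID
                records.append({
                    "profile": profile.name, "id": ext_dir.name,
                    "version": manifest.get("version", ver_dir.name),
                    "manifest_version": manifest.get("manifest_version"),
                    "name": _display_name(ver_dir, manifest),
                })
    return records


def flag_blocklisted(records: list[dict], blocklist) -> list[dict]:
    """Case-insensitive match of record IDs against a list of blocklisted IDs."""
    bad = {b.strip().lower() for b in blocklist if b.strip()}
    return [r for r in records if r["id"] in bad]


def make_demo_profile(user_data: Path, ext_id: str, name: str, version: str) -> None:
    """Constructed fixture: <User Data>/Default/Extensions/<id>/<version>_0/."""
    ver_dir = user_data / "Default" / "Extensions" / ext_id / f"{version}_0"
    (ver_dir / "_locales" / "en").mkdir(parents=True)
    (ver_dir / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "__MSG_appName__",
        "default_locale": "en", "version": version}), "utf-8")
    (ver_dir / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": name}}), "utf-8")


def demo() -> list[dict]:
    """Build a throwaway profile with two extensions and flag the blocklisted one."""
    placeholder_bad_id = "a" * 32  # constructed placeholder, not a real StegoAd ID
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_demo_profile(root, placeholder_bad_id, "Demo Ad Blocker", "2.1.0")
        make_demo_profile(root, "b" * 32, "Demo Notes", "1.0.0")
        return flag_blocklisted(inventory(root), [placeholder_bad_id])


if __name__ == "__main__":
    import sys
    blocklist = Path(sys.argv[1]).read_text("utf-8").split() if len(sys.argv) > 1 else []
    for root in edge_user_data_dirs():
        recs = inventory(root)
        hits = {r["id"] for r in flag_blocklisted(recs, blocklist)}
        for r in recs:
            mark = "  <-- BLOCKLISTED" if r["id"] in hits else ""
            print(f"{r['profile']:<10} {r['id']} {r['version']:<10} "
                  f"MV{r['manifest_version']} {r['name']}{mark}")
    print("demo hits:", demo())
```

Invoked as `python edge_ext_inventory.py stegoad_ids.txt` (assumed file names) it prints every installed extension with its profile, version and manifest version, marking blocklist hits. An extension that Edge has already removed is no longer on disk and will not appear, so this complements the in-browser check rather than replacing it; the same directory walk is also the natural place to feed each extension's icon files into an image scanner.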
**StegoAd** appears to be a new manifestation of an existing threat rather than an entirely new campaign. Its credential payload exfiltrates to `mitarchive.info`, a domain that **Koi Security** has previously linked to **DarkSpectre**, a Chinese operation tied to the **ShadyPanda** and **GhostPoster** extension campaigns. The connection extends beyond the domain, with **StegoAd** mirroring **GhostPoster's** method of hiding code within an extension's own icon and even sharing extension names like "Ads Block Ultimate."
While **Microsoft** has not officially named the actor, the overlaps are clear, and the operator remains active.