originally published by PC World, January 2026
Security researchers are now warning of a targeted malware campaign that involves malicious software hiding in certain browser extensions. The wave of attacks, dubbed “GhostPoster”, targets Chrome, Firefox, and Edge users.
There have been over 840,000 attacks since December, and the extensions went undiscovered in the Google App Store since 2020.
How the GhostPoster attack works:
Experts uncovered the campaign at the end of last year and realized that the malicious code wasn’t contained in the extension itself, but was instead hidden in the image data of the respective logo.
Instead of acting directly, the extension is designed to spy on user behavior after installation. Afterwards, another script hidden behind three “=” signs is loaded via a backdoor in the logo’s code.
Once executed, this script manipulates affiliate links and redirects users to fraudulent websites and offers, among other things. The attackers are also able to infect affected devices with malware by unlocking extended control rights and abusing them for their own purposes.
What’s especially problematic is the fact that these browser extensions have been offered in the official Mozilla and Microsoft stores since 2020. They’ve remained largely undetected for over 5 years and were likely able to infect over 840,000 systems during this time.
How To Protect Your Devices Now:
Mozilla and Microsoft reacted quickly and removed the malicious extensions from their stores. However, users who had already installed them must remove the extensions manually, or else they’ll remain active and continue to cause damage.
These malicious extensions have been identified so far:
- Ads Block Ultimate
- Amazon Price History
- Color Enhancer
- Convert Everything
- Cool Cursor
- Floating Player – PiP Mode
- Free MP3 Downloader
- Free VPN Forever
- Full Page Screenshot
- Google Translate in Right Click
- I Like Weather
- Instagram Downloader
- One Key Translate
- Page Screenshot Clipper
- RSS Feed
- Save Image to Pinterest on Right Click
- Translate Selected Text with Google
- Translate Selected Text with Right Click
- Weather Best Forecast
- World Wide VPN
- YouTube Download
Important Note: The original list included the extension “AdBlock,” which is not the legitimate extension from AdBlock Inc. We have therefore removed it from the list to avoid confusion.
Please note that there may be several extensions with very similar names, but these are not all harmful and therefore do not need to be removed. The easiest way to check this is to see whether the extension is still available in the store or has already been removed.
Engler IT is here to help!
You can get help TODAY securing your phone, email and all devices: connect with Engler IT.