StegoAd: How 119 Fake Browser Extensions Stole Credentials and Ran Ad Fraud for Two Years

Pierluigi Paganini
June 29, 2026

Microsoft shut down the StegoAd campaign, which used 119 malicious Edge extensions, hit 2.6M installs, and ran undetected for two years.

Microsoft just shut down one of the more technically clever malicious extension campaigns it’s ever documented. The operation, named StegoAd, ran 119 extensions on the Edge Add-ons store, racked up roughly 2.6 million installs, and stayed alive for at least two years. The threat actor behind it has been active since 2021.

“Over the past several years, the Microsoft Edge Extensions Security team has tracked a persistent threat actor operating one of the most technically sophisticated malicious browser extension campaigns we have encountered,” reads the report published by Microsoft. “We call it StegoAd, a name combining steganography and ad injection, the two pillars of the campaign’s methodology.”

The extensions looked completely normal. Ad blockers, VPNs, translators, video downloaders: they all worked, and they earned positive reviews. The malicious payload didn’t activate until days after installation, which is exactly how the campaign survived multiple detection sweeps.

The name comes from steganography, the practice of hiding data inside ordinary files. This actor hid executable JavaScript inside PNG icon files, then WebP images, then WOFF2 font files. Static scanners saw valid images. What actually ran was a multi-stage attack suite.

“This encoding technique stores JavaScript payload characters as high Unicode codepoints, values in the CJK Unified Ideograph and Private Use Area ranges that overlap with character ranges defined in WOFF2 font files,” continues the report. “To a scanner, it looks like Asian text or font metadata. To the decoder, it’s an executable JavaScript.”

The earliest technique appended JavaScript code after the IEND marker at the end of a PNG file. The image rendered perfectly in any viewer. The extension’s own background script read the icon as raw text, found a custom marker string, pulled out everything after it, and executed it. No suspicious domain calls. No obvious obfuscation in the JavaScript source. Standard scanners found nothing.

When PNG detection improved, the actor moved to WebP containers. Same idea, different format, less scrutiny from security tools at the time. After that came WOFF2 font files, where payload characters were stored as high Unicode codepoints in glyph ranges that look like Asian text or font metadata to any scanner that doesn’t decode them.

The most recent variant, spotted in March 2026, disguised a PNG file as a configuration file called setting.conf. The extension fetched it, searched for the marker_vpn_settings, and decoded a Base64 payload split into segments by a ///// delimiter. Calling it a settings file was a nice touch.
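Two of the carriers described above can be flagged without decoding any payload at all: a PNG that keeps going after its IEND chunk, and a file whose name (setting.conf) does not match its magic bytes. The following triage script is an added example written for this article, not code from Microsoft’s report or from the campaign; the sample files, the `@@MARKER@@` string and the file names are constructed here. It walks the PNG chunk structure rather than searching for the IEND bytes, so a payload that happens to contain those four letters is still measured correctly.

```python
"""Triage checks for browser-extension resource files (added example).

Flags (1) PNG files with bytes after the IEND chunk and (2) files whose
name does not match their magic bytes, e.g. a PNG called setting.conf.
All sample files are constructed below; none are campaign artefacts.
"""
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def sniff(data: bytes) -> str:
    """Return a coarse format label from magic bytes, or 'unknown'."""
    if data.startswith(PNG_SIG):
        return "png"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    if data[:4] == b"wOF2":
        return "woff2"
    if data[:4] == b"wOFF":
        return "woff"
    return "unknown"


def png_trailing_bytes(data: bytes) -> int:
    """Walk PNG chunks; return the count of bytes after IEND (0 if none or not a PNG)."""
    if not data.startswith(PNG_SIG):
        return 0
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return max(0, len(data) - end)
        pos = end
    return 0  # truncated or malformed: no IEND reached


# File suffixes that promise a particular container format.
EXPECTED = {".png": "png", ".webp": "webp", ".woff2": "woff2", ".woff": "woff"}


def triage_file(name: str, data: bytes) -> list[str]:
    """Return a list of human-readable findings for one file (empty if clean)."""
    findings = []
    fmt = sniff(data)
    expected = EXPECTED.get(Path(name).suffix.lower())
    if expected and fmt != expected:
        findings.append(f"{name}: suffix promises {expected} but magic bytes say {fmt}")
    if not expected and fmt != "unknown":
        findings.append(f"{name}: non-image name but {fmt} magic bytes (disguised carrier?)")
    trailing = png_trailing_bytes(data)
    if trailing:
        findings.append(f"{name}: {trailing} bytes after PNG IEND chunk")
    return findings


def triage_all(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Run triage_file over a name -> bytes mapping, keeping only files with findings."""
    return {name: f for name, data in files.items() if (f := triage_file(name, data))}


def scan_dir(root: str) -> dict[str, list[str]]:
    """Same checks over an unpacked extension directory on disk."""
    files = {str(p.relative_to(root)): p.read_bytes()
             for p in Path(root).rglob("*") if p.is_file()}
    return triage_all(files)


# --- constructed samples -------------------------------------------------
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 grayscale PNG, built in memory."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


SAMPLES = {
    "icon_clean.png": minimal_png(),
    # constructed marker + a fragment of script appended after IEND
    "icon_stego.png": minimal_png() + b"@@MARKER@@chrome.runtime.id;",
    "setting.conf": minimal_png() + b"//////",  # a PNG posing as a config file
    "rules.json": b'{"rules": []}',
}

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        for line in findings:
            print(line)
```

Point `scan_dir()` at an unpacked extension directory to run the same checks over real files; the image still renders in every viewer, so visual inspection of icons tells you nothing, whereas the chunk walk catches the appended data in a few microseconds per file.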

The extension stayed dormant for three to five and a half days after installation. Some variants only activated in 10% of sessions on top of that. If you opened DevTools to inspect the extension, a flag called dipFlgDev was set and the dormancy period extended indefinitely. The payload would never fire while an analyst was watching.

The command-and-control server added another layer. It only served real payloads to requests that passed a fingerprint check built from the extension’s own runtime ID, plus the correct User-Agent. Researchers probing the C2 directly got an empty decoy response. The full payloads Microsoft analyzed were intercepted from controlled infected instances, not retrieved by querying the server.

The polymorphic framework, called orderArray, ran across 66 extensions with over 15 naming variants. Every instance had the same four-component structure: an encoded payload object, a seed generator using the extension’s runtime ID, a regex decoder, and a double-Base64 extractor. Variable and function names changed completely across each variant, which defeated fixed-pattern detection rules.

Ad fraud was the visible layer. The extensions injected ads, replaced existing Google AdSense and Amazon ad slots with the actor’s own (capped at six replacements per page to avoid suspicion), and hijacked affiliate commissions on Amazon across more than 20 country-specific stores, plus eBay, AliExpress, Taobao, and JD.com.

Underneath that was a full remote code execution backdoor. The C2 server could push arbitrary JavaScript to any victim’s browser and have it execute within 10 milliseconds. Every extension in the campaign received the same payload modules, meaning all 2.6 million users were exposed to the complete attack surface, not just the ad fraud piece.

The credential theft module targeted Google sign-in pages. It captured the password, waited for the 2FA prompt, captured that code too, and sent both to mitarchive.info via double-Base64 encoding. A separate module hit WordPress admin login pages and attached a SimilarWeb link to each stolen credential so the operator could sort stolen sites by traffic value before deciding what to do with them.
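When a request like the one described above is captured from a controlled infected browser, the first analyst task is simply to count the encoding layers and see what sits inside. The helper below is an added example written for this article, not Microsoft’s tooling or anything from the campaign: it peels Base64 repeatedly from each form field while the result still looks like Base64, then classifies the innermost bytes. The request body, its field names `d` and `v`, and the placeholder credential values are all constructed here.

```python
"""Peel nested Base64 from a captured HTTP form body (added DFIR example).

Reports, per field, how many Base64 layers were removed and whether the
innermost bytes are JSON, printable text or binary.  The sample body is
constructed below with placeholder values; it is not campaign traffic.
"""
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, urlencode

# A standard or URL-safe Base64 token of useful length.  JSON and other
# structured text contain characters outside this alphabet, so the peeling
# loop stops as soon as it reaches real content.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def peel_base64(value: str, max_layers: int = 4) -> tuple[int, bytes]:
    """Decode Base64 repeatedly while the result still looks like Base64.

    Returns (layers_removed, innermost_bytes).  A value that is not Base64
    comes back unchanged with layers_removed == 0.
    """
    data = value.encode("utf-8", errors="surrogateescape")
    layers = 0
    while layers < max_layers:
        text = data.decode("ascii", errors="ignore").strip()
        if not B64_TOKEN.match(text):
            break
        text = text.replace("-", "+").replace("_", "/")  # normalise URL-safe alphabet
        text += "=" * (-len(text) % 4)                    # restore stripped padding
        try:
            data = base64.b64decode(text, validate=True)
        except (ValueError, binascii.Error):
            break
        layers += 1
    return layers, data


def describe(data: bytes) -> str:
    """Classify innermost bytes as 'json', 'text' or 'binary'."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    try:
        json.loads(text)
        return "json"
    except ValueError:
        pass
    printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
    return "text" if text and printable / len(text) > 0.95 else "binary"


def triage_body(body: str) -> dict[str, dict]:
    """Peel every field of an application/x-www-form-urlencoded body."""
    report = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        layers, inner = peel_base64(values[0])
        report[key] = {
            "layers": layers,
            "kind": describe(inner),
            "decoded": inner.decode("utf-8", errors="replace"),
        }
    return report


def double_encode(raw: bytes) -> str:
    """Two Base64 layers; used only to build the constructed sample below."""
    return base64.b64encode(base64.b64encode(raw)).decode("ascii")


# Constructed sample: the shape of a credential-exfil POST body with placeholder values.
INNER = json.dumps({"login": "victim@example.test", "pw": "<placeholder>", "otp": "000000"}).encode()
SAMPLE_BODY = urlencode({"d": double_encode(INNER), "v": "1.0.3"})

if __name__ == "__main__":
    for field, info in triage_body(SAMPLE_BODY).items():
        print(f"{field}: {info['layers']} layer(s), {info['kind']}: {info['decoded'][:70]}")
```

The regex gate is what keeps the loop honest: a genuine JSON or HTML payload fails the alphabet test and is returned as-is, while a second Base64 layer passes and gets peeled. The same function works on JSON bodies or query strings once you hand it the individual field values.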

Seven Google Analytics tracking IDs served as the campaign’s telemetry infrastructure. The operator tracked active installs, geographic distribution, merchant click counts, per-ad-replacement performance, and extension version numbers, all through Google’s own dashboard. Hosting telemetry on Google infrastructure meant those beacons blended in completely with normal web traffic.

Two GA4 beacons were served through GitHub Pages. The operator was running what amounts to a professional analytics setup for a criminal campaign, on free hosting, using Google’s tools.

The campaign migrated from Manifest V2 to Manifest V3 as browser platforms tightened restrictions. Where MV2 allowed real-time JavaScript interception of HTTP responses, MV3 requires static declarative rules. The actor solved this by fetching those rules dynamically from the C2 server and installing them into the browser’s declarativeNetRequest API every 15 days. The result was the same header-stripping capability through a more constrained interface.

Each time a wave of extensions was removed, the actor responded within weeks. The C2 domains shifted, encryption schemes changed, and new steganographic formats appeared. Microsoft’s analysis describes a clear detect-and-adapt pattern across eight major milestones from March 2024 through April 2026.

Microsoft has not named the threat actor. Koi Security has linked the credential exfiltration domain mitarchive.info to DarkSpectre, a Chinese operation previously connected to the ShadyPanda and GhostPoster campaigns. StegoAd shares the icon steganography method with GhostPoster and even reuses some extension names, including “Ads Block Ultimate.”

The full list of 119 extension IDs is in Microsoft’s technical report. Open edge://extensions and check your installed add-ons against it. If anything matches, treat the browser as compromised: change your Google password, review recent sign-in activity at myaccount.google.com/security, and check WordPress and Amazon accounts for anything you didn’t do.

“Hardware security keys hold up against this kind of 2FA interception in a way that SMS codes and authenticator apps do not. If you’re still using SMS for 2FA on accounts that matter, this campaign is a reasonable argument for upgrading,” reads the report. “The StegoAd campaign demonstrates clear technical evolution over 2+ years, with the actor consistently adapting to detection pressure,” concludes the report. “The progression also reveals strategic priorities: the actor invests heavily in payload concealment (steganography variants evolved four times) while keeping the monetization logic largely stable. This asymmetry suggests the actor views detection evasion, not feature development, as the primary operational constraint.”


Pierluigi Paganini

(SecurityAffairs – hacking, StegoAd)