Microsoft Removes 119 Malicious Edge Extensions
Microsoft removed 119 malicious extensions from the Edge Add-ons store this week. The extensions belonged to a campaign that had been active since at least 2021 and used steganography to hide their malicious payloads inside seemingly ordinary image and font files. Once installed, the malware stayed dormant for several days before activating to steal user credentials and commit ad fraud.
Microsoft has dubbed the operation StegoAd, a name that reflects its combination of steganography with adware functionality. All 119 extensions are believed to be the work of a single threat actor. Microsoft's security team found the malicious code hidden inside the legitimate-looking asset files; the code ran only after a delay, a tactic intended to evade both security software and the add-ons store's review process.
StegoAd's primary objectives were credential theft and ad fraud: by compromising user accounts and injecting fraudulent advertisements, the threat actor sought to generate illicit revenue. The discovery and removal of these extensions highlight the ongoing difficulty of securing browser extension marketplaces against malware that hides its payload in non-script assets and delays execution past the review window. Microsoft has not disclosed which types of credentials were targeted or the estimated financial impact of the ad fraud.
Original source: read the full reporting on The Hacker News.