Microsoft pulls 119 Edge extensions that hid malware inside images and fonts

Microsoft has removed 119 malicious Microsoft Edge extensions, tied to a single actor active since at least 2021, that hid their payloads inside ordinary image and font files using steganography. The extensions posed as ad blockers, VPNs, translators, and similar tools, worked as advertised, and stayed dormant for days while running evasion checks, which let them survive in the store for years and reach up to 2.6 million installs. Beyond ad fraud and affiliate hijacking, the more dangerous variants stole Google credentials and two-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies for session hijacking, with extra aggression against corporate and banking targets. Microsoft has published indicators of compromise.

Check
Open your browser's extensions page and check installed add-ons against Microsoft's published list of StegoAd extension IDs, and review endpoints for the campaign's indicators of compromise across Chromium browsers.
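The check above scales poorly by hand once you have more than a couple of machines or profiles. Below is an added example (not code from Microsoft or from the advisory) that enumerates extensions unpacked under each Chromium profile's Extensions directory, reads the manifest name, and matches the extension IDs against an ID-per-line IoC list. The IDs in PLACEHOLDER_IOC_TEXT are constructed placeholders; substitute the IDs Microsoft published. The per-platform profile paths are the well-known Edge and Chrome defaults; when none exist on the machine, the script builds a throwaway profile in a temp directory so it can be run and read as a demonstration.

```python
"""Added example: match installed Chromium-browser extension IDs against an IoC list.

Extension IDs in PLACEHOLDER_IOC_TEXT are CONSTRUCTED PLACEHOLDERS; replace them with
the IDs Microsoft published for the StegoAd campaign."""
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Chromium extension IDs are 32 characters drawn from a-p (a hash digest mapped onto a-p).
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed placeholder list in the shape of a published IoC file: one ID per line,
# optional "# comment" lines. Replace with the real list from Microsoft's write-up.
PLACEHOLDER_IOC_TEXT = """\
# StegoAd extension IDs (PLACEHOLDERS - constructed for this example)
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""

def parse_ioc_list(text):
    """Parse an ID-per-line IoC list, ignoring comments and blank lines and rejecting
    anything that is not a well-formed extension ID (catches copy-paste damage)."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if not EXTENSION_ID_RE.match(line):
            raise ValueError(f"malformed extension ID in IoC list: {line!r}")
        ids.add(line)
    return ids

def default_profile_dirs():
    """Well-known per-platform locations of Edge and Chrome profile directories."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        roots = [local / "Microsoft" / "Edge" / "User Data",
                 local / "Google" / "Chrome" / "User Data"]
    elif sys.platform == "darwin":
        roots = [home / "Library" / "Application Support" / "Microsoft Edge",
                 home / "Library" / "Application Support" / "Google" / "Chrome"]
    else:
        roots = [home / ".config" / "microsoft-edge", home / ".config" / "google-chrome"]
    profiles = []
    for root in roots:
        if root.is_dir():
            profiles += [p for p in root.iterdir() if p.is_dir()
                         and (p.name == "Default" or p.name.startswith("Profile "))]
    return profiles

def enumerate_extensions(profile_dir):
    """List extensions unpacked under <profile>/Extensions/<id>/<version>/manifest.json."""
    found = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return found
    for ext_dir in ext_root.iterdir():
        ext_id = ext_dir.name.lower()
        if not ext_dir.is_dir() or not EXTENSION_ID_RE.match(ext_id):
            continue  # e.g. a "Temp" directory, not an extension
        for version_dir in sorted(ext_dir.iterdir()):
            manifest = version_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "?")
            except (OSError, ValueError):
                name = "?"  # unreadable manifest; the ID match still counts
            found.append({"id": ext_id, "version": version_dir.name,
                          "name": name, "profile": str(profile_dir)})
    return found

def find_matches(installed, iocs):
    """Return the installed extensions whose ID appears in the IoC set."""
    return [e for e in installed if e["id"] in iocs]

def scan(profile_dirs, ioc_text):
    """Enumerate every given profile and report extensions on the IoC list."""
    iocs = parse_ioc_list(ioc_text)
    installed = []
    for profile in profile_dirs:
        installed += enumerate_extensions(profile)
    return find_matches(installed, iocs)

def build_sample_profile():
    """Construct a throwaway profile on disk so the example runs without a real browser:
    one benign extension and one whose ID is on the placeholder IoC list."""
    profile = Path(tempfile.mkdtemp()) / "Default"
    for ext_id, name in [("cccccccccccccccccccccccccccccccc", "Harmless Notes"),
                         ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Super Ad Blocker")]:
        d = profile / "Extensions" / ext_id / "1.0.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": "1.0.0"}))
    return profile

if __name__ == "__main__":
    targets = default_profile_dirs() or [build_sample_profile()]
    for hit in scan(targets, PLACEHOLDER_IOC_TEXT):
        print(f"MATCH {hit['id']} v{hit['version']} ({hit['name']}) in {hit['profile']}")
```

The scanner matches on the directory ID rather than the manifest name because the campaign's extensions used benign-looking names; the name is only reported for the analyst. A clean result from this script does not clear the host, since the advisory's broader indicators (network and file IoCs) still need to be checked on the endpoint.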
Affected
Users who installed any of the 119 extensions, which posed as ad blockers, VPNs, and similar tools; stolen cookies and two-factor codes let attackers hijack sessions and accounts without passwords.
Fix
Remove any matching extension and treat the browser as compromised: reset Google and WordPress passwords, review sign-in activity, and prefer hardware security keys over SMS codes. Govern extensions with allowlists.