Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ad-fraud (2 articles)

Microsoft pulls 119 Edge extensions that hid malware inside images and fonts

Microsoft has removed 119 malicious Microsoft Edge extensions, tied to a single actor active since at least 2021, that hid their payloads inside ordinary image and font files using steganography. The extensions posed as ad blockers, VPNs, translators, and similar tools, worked as advertised, and stayed dormant for days while passing evasion checks, which let them survive in the store for years and reach up to 2.6 million installs. Beyond ad fraud and affiliate hijacking, the more dangerous variants stole Google credentials and two-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies for session hijacking, with extra aggression against corporate and banking targets. Microsoft has published indicators of compromise.

Check
Open your browser's extensions page and check installed add-ons against Microsoft's published list of StegoAd extension IDs, and review endpoints for the campaign's indicators of compromise across Chromium browsers.
Affected
Users who installed any of the 119 extensions, which posed as ad blockers, VPNs, and similar tools; stolen cookies and two-factor codes let attackers hijack sessions and accounts without passwords.
Fix
Remove any matching extension and treat the browser as compromised: reset Google and WordPress passwords, review sign-in activity, and prefer hardware security keys over SMS codes. Govern extensions with allowlists.

Trapdoor Android ad fraud: 455 apps, 24M downloads, 659M daily bid requests, selective activation via attribution tools

HUMAN Security has detailed Trapdoor, an Android ad-fraud and malvertising operation that pushed 455 apps with more than 24 million combined Play Store downloads and drove an average of 659 million daily ad-bid requests, three-quarters of them from US devices. The operators run their own ad campaigns to recruit victims, then use legitimate install-attribution tools to switch on fraud only for users who came in through those campaigns, suppressing the bad behavior for anyone who installed organically, which kept Google's reviewers and most security researchers in the dark. Google has now removed all identified apps from the Play Store.

Check
Use MDM to inventory any Trapdoor app from HUMAN's published list on managed Android devices. Look for outbound traffic to HTML5 cashout domains in your DNS logs.
Affected
Android users who downloaded Trapdoor apps after clicking attribution-tagged ads. The campaign is invisible to users who installed the same apps organically.
Fix
MDM-uninstall the named apps and block their package IDs. Restrict Android sideloading on managed devices. Review attribution-provider settings to limit click campaigns' ability to flag malicious behavior.