Platform02-Feb-26|11 min read

Analysing Malicious Browser Extensions: From Manifest to C2

How attackers weaponise trusted extensions to deliver steganographic payloads

Definition:

Malicious browser extension analysis is the process of examining Chrome (.crx) and Firefox (.xpi) extension packages to identify hidden threats, including steganographic payloads concealed in icon files, obfuscated JavaScript, dangerous permission combinations, and command-and-control infrastructure. Unlike traditional malware analysis, extension forensics requires understanding both the extension architecture and the specific techniques attackers use to abuse browser APIs.

Browser extensions operate in a privileged position. They run with elevated permissions, persist across sessions, and interact with every website a user visits. When one turns malicious, the blast radius is enormous. In December 2025, Koi Security published research on a campaign they named GhostPoster. The initial finding was troubling enough: 17 Firefox extensions hiding JavaScript payloads inside PNG logo files using steganography. But the full picture was worse. By January 2026, LayerX Security had traced the campaign across Chrome, Edge, and Firefox, documenting over 840,000 cumulative downloads.

Then came the DarkSpectre attribution. The same threat actor had been running extension-based campaigns for over seven years, accumulating 8.8 million victims across three major operations. Some of the malicious extensions had earned "Featured" badges on the Chrome Web Store and remained legitimate for years before weaponisation.

This is not a theoretical risk. It is an active, large-scale threat that has evaded detection for the better part of a decade.

Why extensions make effective delivery vehicles

Traditional malware delivery faces increasingly robust defences. Email gateways scan attachments. Browsers block known malicious downloads. EDR solutions monitor process behaviour. Attackers need delivery mechanisms that bypass these controls entirely.

Browser extensions solve this problem elegantly. They install through official stores with apparent legitimacy. They execute JavaScript in a context that security tools rarely monitor. They persist without touching the filesystem in ways that trigger alerts. And critically, they can bundle arbitrary files that never receive scrutiny.

The GhostPoster campaign exploited this last point specifically. The malicious payload was not in the JavaScript files that reviewers might examine. It was hidden inside the extension's icon file, extracted at runtime using steganography techniques that leave the image visually identical to a clean version.

Anatomy of a weaponised extension

Understanding extension forensics requires knowing what you are examining. Both Chrome and Firefox extensions share a common structure: a manifest file declaring permissions and entry points, JavaScript files implementing functionality, and resource files including images.

The manifest.json file is the declaration of intent. It specifies which permissions the extension requests, which scripts run in the background, which content scripts inject into pages, and which resources the extension bundles. A clean extension requests only the permissions it needs. A malicious extension requests permissions that enable its true purpose.

GhostPoster extensions shared a consistent permission fingerprint: alarms, declarativeNetRequest, scripting, storage, webRequest, and crucially, host permissions covering all URLs. This combination enables scheduled execution, network request manipulation, arbitrary script injection, persistent storage, and unrestricted web access. Individually, each permission has legitimate uses. Together, they form a complete attack platform.

The steganography layer

The innovation in recent extension attacks is not the abuse of permissions. Security researchers have documented that vector for years. The innovation is concealment.

GhostPoster hid its payload after the PNG IEND chunk, the marker that signals the end of valid image data. Image viewers and parsers ignore anything after this marker, but the data remains accessible to code that reads the raw file bytes. The extension's background script would fetch its own icon file, scan forward from the IEND position for a delimiter marker, extract everything after it, reverse a character swap cipher, Base64 decode the result, and XOR decrypt using the extension's runtime ID as the key. The final payload was cached in chrome.storage.local so the extraction only needed to succeed once; subsequent executions retrieved the payload directly from storage.

The delimiter patterns varied by browser. Firefox variants used the triple equals sign (three consecutive bytes of 0x3D). Chrome and Edge variants used four greater-than symbols. The character swap cipher exchanged uppercase and lowercase letters and swapped digits 8 and 9 — simple transformations, but enough to defeat signature-based detection of the Base64 layer underneath.

The XOR step using the extension's runtime ID as the key is particularly significant. It meant the same extension installed on different browsers produced different decrypted payloads in memory, complicating IOC sharing between analysts. The combination of appended-data steganography, character-swap ciphers, modified Base64, and runtime-specific XOR keys creates a multi-layer concealment that no single detection method addresses alone.

Permission risk assessment

Not every permission request indicates malice, but certain combinations warrant immediate scrutiny.

The most dangerous single permission is host access to all URLs. This grants the extension the ability to read and modify content on every website the user visits. Combined with scripting permissions, it enables credential theft, session hijacking, and arbitrary content injection. Combined with webRequest, it enables stripping security headers like Content-Security-Policy and X-Frame-Options that would otherwise block malicious behaviour.

Storage permissions appear benign but serve a critical function in steganographic attacks. GhostPoster cached its fully decoded payload in chrome.storage.local under keys like "instlogo" and "dipLstCd667". Once cached, the extension bypassed the entire extraction chain on subsequent runs — no image fetch, no delimiter scan, no decryption. The steganographic extraction was a one-time bootstrap; persistence relied entirely on the storage API.

Alarms permissions enable delayed execution, a common evasion technique. GhostPoster activated only after 48 hours post-installation, with an additional 10% probability gate on each connection attempt. Activation ramped up gradually over weeks, with only about a third of installations active by day six. This delay evades automated analysis tools that typically run extensions for minutes, not days.

The 48-hour delay combined with 10% probability gating means only ~10% of installations activate on day 3, ~19% by day 4, and ~35% by day 6. This exponential ramp-up defeats sandboxes that observe extensions for standard 24-48 hour windows.

Extension permission risk levels
<all_urls>
Risk LevelCritical
Attack EnablementUnrestricted page access, C2 communication
webRequest
Risk LevelHigh
Attack EnablementSecurity header stripping, request interception
scripting
Risk LevelHigh
Attack EnablementArbitrary code injection into pages
storage
Risk LevelMedium
Attack EnablementPayload persistence, configuration caching
alarms
Risk LevelMedium
Attack EnablementDelayed activation, scheduled C2 beaconing
activeTab
Risk LevelMedium
Attack EnablementAccess to current tab content on user action

JavaScript behaviour analysis

Even when the manifest appears reasonable, the JavaScript reveals true intent. Steganographic extensions exhibit distinctive code patterns that differ markedly from legitimate functionality.

The extraction sequence typically begins with fetching a local resource. Legitimate extensions fetch resources for display or configuration. Malicious extensions fetch image files and immediately convert them to ArrayBuffer, a binary format unsuitable for display but perfect for byte-level scanning.

javascript
// GhostPoster extraction pattern (reconstructed)
const buf = new Uint8Array(
  await fetch(chrome.runtime.getURL('logo.png'))
    .then(r => r.arrayBuffer())
);
const marker = [0x3E, 0x3E, 0x3E, 0x3E]; // '>>>>' for Chrome/Edge; '===' for Firefox
const idx = findSequence(buf, marker);
const encoded = new TextDecoder().decode(buf.slice(idx + marker.length));
const decoded = base64Decode(charSwapCipher(encoded));  // swap case, swap 8↔9
const payload = xorDecrypt(decoded, chrome.runtime.id); // runtime ID as key
chrome.storage.local.set({instlogo: payload});          // persist for reuse

The scanning logic searches for delimiter sequences. Legitimate JavaScript has no reason to scan binary data for arbitrary byte patterns. When you encounter indexOf operations on Uint8Array data looking for specific sequences, you are likely examining payload extraction code.

The execution path terminates in eval or Function constructor calls. Legitimate extensions rarely need dynamic code execution. When decoded data flows into these functions, especially data extracted from image files, the intent is clear.

Indicators from the GhostPoster campaign

The campaign left consistent forensic traces across its variants.

Command and control domains included liveupdt[.]com, dealctr[.]com, and mitarchive[.]info. The extensions used a shared Google Analytics tracking ID (UA-60144933-8) across variants, enabling campaign correlation even when other indicators changed.

Storage keys followed predictable patterns: dipLstCd667, dipLstSig667, dipLstLd667. These keys stored the decoded payload, a signature value, and a load flag respectively.

The shared Google Analytics ID (UA-60144933-8) across GhostPoster variants is a textbook OPSEC failure. When analysing suspicious extensions, always extract tracking IDs, storage key patterns, and delimiter sequences — these are often reused across campaigns and enable rapid variant discovery.

Network behaviour showed characteristic delays and probability gating. Extensions would not beacon immediately, and when they did, only a fraction of installations would activate on each cycle. This pattern optimises for longevity over speed, prioritising evasion of security monitoring over rapid exploitation.

The analysis workflow

Effective extension analysis follows a structured progression from static indicators through behavioural analysis.

  • Begin with manifest examination. Extract the extension package and parse manifest.json. Document requested permissions, background scripts, content scripts, and web-accessible resources. Flag any host permissions covering all URLs or sensitive domains. Note icon files for subsequent steganography analysis.
  • Proceed to icon file analysis. For each image file in the extension, examine the raw bytes beyond format boundaries. PNG files should end at the IEND chunk; check for appended data. JPEG files should end at the EOI marker (0xFFD9); check for trailing content. Scan for known delimiter patterns used in documented campaigns.
  • Analyse JavaScript for suspicious patterns. Search for arrayBuffer conversion of image fetches, delimiter scanning in binary data, TextDecoder usage on non-text sources, eval or Function calls with decoded input, and storage operations that cache decoded content.
  • Correlate findings across files. A benign-looking manifest combined with steganographic payloads in images and extraction code in JavaScript confirms malicious intent. Document the complete attack chain from installation through payload execution.

Why automated analysis matters

Manual analysis is thorough but does not scale. The Chrome Web Store alone hosts over 130,000 extensions. Firefox Add-ons hosts tens of thousands more. Attackers can submit variants faster than analysts can review them.

Automated analysis addresses this asymmetry. Static analysis can flag suspicious permission combinations and code patterns in seconds. Steganographic detection can scan icon files for appended data and embedded payloads without human intervention. Behavioural monitoring can track storage operations and network requests over extended periods.

The challenge is combining these capabilities into a coherent workflow. Most security tools analyse one dimension: either the manifest, or the JavaScript, or network behaviour. Extension attacks span all three, requiring integrated analysis that follows the attack chain from steganographic concealment through JavaScript extraction to C2 communication.

KlaroSkope bridges this gap. Extract the JavaScript from a suspicious extension, paste it in, and the platform handles the rest automatically: steganographic payload extraction, multi-layer deobfuscation through up to 25 encoding layers, IOC extraction with C2 URLs and encryption keys, MITRE ATT&CK technique mapping, and generated YARA and Sigma detection rules. What takes an analyst 30-60 minutes of manual tool-chaining completes in under a minute. The full pipeline is available on the free tier.

Paste suspicious extension code and get the complete analysis — deobfuscation, IOCs, MITRE mapping, YARA rules, Sigma rules, and a Markdown report — automatically. Analyse Extension Code Free →

For the specific steganography detection methods used in extension icon analysis, see Steganography Detection Techniques. For the broader context of why attackers are adopting these methods, see Steganography in Malware Delivery.

Frequently Asked Questions

Q

What makes browser extensions attractive to attackers?

Browser extensions execute with elevated privileges, persist across sessions, and install through official stores that users trust. They can bundle arbitrary files including images that contain hidden payloads, and their JavaScript runs in a context that traditional security tools rarely monitor. This combination of trust, persistence, and visibility gaps makes them effective delivery vehicles.
Q

How do attackers hide malware in extension icon files?

Attackers append data after image termination markers like PNG's IEND chunk. Image viewers ignore this data, so the icon displays normally. At runtime, the extension's JavaScript fetches the icon, scans the raw bytes for a delimiter pattern, extracts everything after it, reverses a character swap cipher, Base64 decodes the result, and XOR decrypts using the extension's runtime ID as the key. The decoded payload is cached in browser storage so extraction only runs once; subsequent executions load directly from cache.
Q

Which extension permissions should raise immediate concern?

Host permissions covering all URLs combined with scripting and webRequest permissions create a complete attack platform. This combination enables reading and modifying any webpage, stripping security headers, and injecting arbitrary code. Storage and alarms permissions, while less dangerous alone, enable payload persistence and delayed activation that helps evade detection.
Q

How long can malicious extensions remain undetected?

The DarkSpectre campaigns documented by Koi Security operated for over seven years, accumulating 8.8 million victims. Some malicious extensions earned "Featured" badges and remained legitimate for years before weaponisation. Delayed activation (waiting days before beaconing) and probability gating (only activating a fraction of installations) extend detection timelines significantly.
Q

Can traditional antivirus detect malicious browser extensions?

Traditional antivirus focuses on filesystem and process monitoring. Browser extensions operate within the browser's JavaScript context, which most security tools do not instrument. Steganographic payloads hidden in image files evade signature detection because the malicious code only exists after extraction and decoding at runtime. Effective detection requires specialised analysis that follows the full attack chain. KlaroSkope handles this end-to-end: paste suspicious extension code and it automatically deobfuscates through multiple layers, extracts IOCs, maps to MITRE ATT&CK, and generates YARA and Sigma detection rules.

Found this useful? Sharing is caring!

Ready to decode?

See KlaroSkope transform obfuscated scripts into actionable intelligence.

Try It Free