Microsoft removed 119 malicious Edge extensions from its add-ons store that belonged to a single threat actor operating since at least 2021. The extensions, collectively called StegoAd by Microsoft, used steganography to hide malware payloads inside seemingly innocent image and font files.

The attack worked in stages. Users installed what appeared to be legitimate browser extensions. Days after installation, the malware activated and extracted obfuscated payloads from the embedded images and fonts. Once activated, the extensions stole user credentials and executed ad fraud schemes, injecting unwanted advertisements into web pages and manipulating ad networks for profit.

Steganography enabled the threat actor to evade detection. Rather than storing malicious code directly in the extension package, the actor hid the payloads inside image metadata and font files, so the extensions appeared benign during initial review. The delay between installation and activation also circumvented the automated security scanning that typically runs immediately after an extension is submitted.

The scope of this operation reflects a persistent problem with browser extension ecosystems. Microsoft's add-ons store lacks the rigorous vetting applied to major app stores. Individual threat actors can submit multiple extensions under different identities, and reviewing teams struggle to correlate malicious submissions across batches. The 119 extensions attributed to this single actor demonstrate how one group can maintain presence across numerous seemingly separate tools.

The credential theft component posed direct risks to individual users. Stolen login information enables account takeover across multiple services. The ad fraud generated revenue for the attacker while degrading user experience and inflating metrics for legitimate advertisers.

Organizations with Windows endpoints should audit employee browser extensions. Even extensions installed from official stores carry risk. Administrators should enforce extension policies that limit user installation capabilities and maintain blocklists of known malicious extensions. Users should review their installed extensions and remove any unfamiliar tools.
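As an added example (not code from the article or from Microsoft), the following PowerShell script performs the two controls described above on a Windows endpoint: it inventories every Edge extension installed in any user profile, flags IDs found on a blocklist, and can apply the Edge `ExtensionInstallBlocklist`/`ExtensionInstallAllowlist` policy so that only approved extensions can be installed. The extension IDs in the script are placeholders, since the article does not list the StegoAd IDs; the policy function assumes an elevated shell.

```powershell
# Added example, not from the article: inventory Edge extensions on a Windows
# endpoint, flag IDs that appear on a blocklist, and optionally apply the Edge
# policy that denies every extension except an explicit allowlist.
# Blocklist/allowlist IDs below are placeholders; substitute your own intel.

$Blocklist = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder ID, not a real extension
)

# Chromium-based Edge stores each unpacked extension under
# <profile>\Extensions\<32-letter id>\<version>\manifest.json
$ManifestGlob = 'C:\Users\*\AppData\Local\Microsoft\Edge\User Data\*\Extensions\*\*\manifest.json'

function Get-EdgeExtensionInventory {
    Get-ChildItem -Path $ManifestGlob -ErrorAction SilentlyContinue | ForEach-Object {
        $manifest = Get-Content -Raw -Path $_.FullName | ConvertFrom-Json
        if ($_.FullName -match '\\Users\\([^\\]+)\\.*\\User Data\\([^\\]+)\\Extensions\\([a-p]{32})\\') {
            [pscustomobject]@{
                User        = $Matches[1]
                Profile     = $Matches[2]
                ExtensionId = $Matches[3]
                Version     = $manifest.version
                Name        = $manifest.name        # may be a __MSG_*__ locale key
                Permissions = ($manifest.permissions -join ', ')
                Blocked     = $Blocklist -contains $Matches[3]
            }
        }
    }
}

# Allowlist mode: "*" in ExtensionInstallBlocklist denies everything, and
# ExtensionInstallAllowlist re-enables only the IDs you approve. Requires an
# elevated shell; Edge applies the policy on its next restart or policy refresh.
function Set-EdgeExtensionAllowlistPolicy {
    param([string[]]$AllowedIds)
    $base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $block = Join-Path $base 'ExtensionInstallBlocklist'
    $allow = Join-Path $base 'ExtensionInstallAllowlist'
    New-Item -Path $block, $allow -Force | Out-Null
    New-ItemProperty -Path $block -Name '1' -Value '*' -PropertyType String -Force | Out-Null
    $i = 1
    foreach ($id in $AllowedIds) {
        New-ItemProperty -Path $allow -Name "$i" -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
}

# Report every installed extension, blocked ones first.
Get-EdgeExtensionInventory | Sort-Object -Property Blocked -Descending |
    Format-Table User, Profile, ExtensionId, Version, Name, Blocked -AutoSize
```

Run the inventory first across a sample of endpoints to build the allowlist of extensions the organization actually needs, then call `Set-EdgeExtensionAllowlistPolicy` with those IDs; the same registry values can be delivered centrally through Group Policy or Intune.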

Microsoft has not disclosed whether the extensions had significant user bases.