Microsoft Disrupts StegoAd Extension Campaign Affecting Up to 2.6 Million Users
Microsoft has disrupted a large malicious browser extension campaign that used hidden payloads, delayed execution and disposable developer accounts to evade detection while targeting users with ad fraud, credential theft and remote code execution capabilities.
The campaign, which Microsoft calls StegoAd, involved 119 malicious extensions across more than 90 developer accounts, with a combined install base of up to 2.6 million users, according to a June 16 post from the Microsoft Edge Extensions Security Team. The company said all identified extensions have been removed from the Microsoft Edge Add-ons store and the associated developer accounts have been suspended.
"Through proactive threat hunting, our team identified and disrupted one of the most sophisticated malicious extension campaigns we've encountered," Microsoft said.
The campaign's name comes from its use of steganography, a technique for hiding data inside files that appear harmless. In this case, Microsoft said the extensions could fetch what appeared to be normal image or font files, including PNG, WebP and WOFF2 files, that actually contained concealed executable code.
"Imagine downloading an ad blocker from a trusted store," Microsoft wrote. "It works perfectly -- your ads disappear; you leave a positive review. But three days later, without any visible change, that extension quietly fetches an innocent-looking PNG image from either a package or a remote server."
According to Microsoft, the extensions were crafted to look like ordinary browser tools, such as ad blockers, VPNs, translators and video downloaders. They also worked as advertised, which helped them earn user trust and collect positive reviews. But after sitting quietly for three to five days, the extensions began checking for signs that they were being analyzed, validating instructions with remote servers and selectively activating their malicious features.
The campaign wasn't limited to ad fraud, either. Microsoft said the extensions could hijack affiliate revenue, swap out ads, redirect search results, collect cookies, steal WordPress administrator credentials, capture Google credentials and two-factor codes, and use a remote backdoor to deliver additional malicious code.
"Beyond this ad fraud, our dynamic analysis of retrieved payloads revealed far more serious capabilities: credential theft targeting Google and WordPress accounts, cookie collection, and a remote code execution backdoor that could deliver additional malicious functionality after installation," Microsoft said.
Microsoft said the group behind the campaign has been operating since at least 2021 and kept adjusting its tradecraft as detection improved: rotating infrastructure, changing its encryption methods and migrating its extensions from Manifest V2 to Manifest V3. The campaign also relied on more than 10 command-and-control domains, fallback systems to keep it running if one domain was blocked, proxying through Cloudflare Workers, abuse of GitHub Pages and affiliate fraud schemes tailored to specific countries.
Microsoft said it has added new detection tooling to catch similar threats, including systems that analyze command-and-control responses and scan for hidden payloads embedded in files. The company also published indicators of compromise so security teams can look for related activity in Chrome and other Chromium-based browsers as well as in Firefox.
The Edge disclosure comes as Microsoft is also adding safeguards to Teams. In a separate update Monday, the company announced smarter bot protection for Teams meetings, including “a new admin policy for managing external bots.” Microsoft said the goal is to give organizations more confidence that “the right people and tools are participating” in meetings.
The two updates point to a broader Microsoft push to lock down areas where users interact with outside software, services and AI tools. For Edge, that means identifying malicious extensions that can hide behind useful browser features. For Teams, it means giving administrators more control over bots and AI assistants as they become a bigger part of workplace meetings.
"Every campaign we investigate directly strengthens protections for the entire ecosystem," Microsoft said.