
17 Firefox Extensions Compromise Thousands of Users by Hiding Malware in Icons

At least 17 Firefox extensions have been found to contain hidden malware in an unusual location: their icons. Thousands of users have been infected, and the malicious add-ons remain available on the Firefox platform.

Koi Security researchers discovered the 17 Firefox extensions, which appeared harmless and contained no visible malicious scripts. They offered features like "free VPN," screenshot tools, weather forecasts, file downloads, ad blocking, and dark mode. However, inspecting the extensions' icons revealed the developers' true intent.

The report on infected PNG icons explained that while extensions typically just display the icon file, these specific extensions instead read through the raw bytes of the image file. The icons contained embedded, hidden malware loaders. Researchers found a "hidden extraction routine," noting that the extension was looking for a marker within the image data that should not have been there.

The attackers edited the PNG icon files by inserting malicious code after the image data ends, separated by a marker of three equal signs ("==="). To the user, the icon appears normal. This technique, known as steganography, helps attackers bypass security scanners that examine the extension's code. Everything after that marker is JavaScript hidden in plain sight.
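A defender can check for exactly this pattern, because a well-formed PNG ends at its IEND chunk and nothing should follow it. The script below is an added example, not code from Koi Security or from the article: it walks the PNG chunk structure, reports any bytes after IEND, and looks for the "===" separator the article describes. The sample icon and the placeholder "loader" string are constructed here for the demonstration and are not the campaign's real icons or payload.

```python
import struct
import zlib
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # separator the article reports the attackers placed after the image data


def png_chunks(data):
    """Yield (chunk_type, end_offset) for each chunk, stopping at IEND.

    Raises ValueError for a bad signature, a truncated chunk, or a missing IEND.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # length field + type + payload + CRC
        if end > len(data):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        yield ctype, end
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def trailing_bytes(data):
    """Return everything after the IEND chunk; empty for a clean PNG."""
    end_of_image = None
    for _ctype, end in png_chunks(data):
        end_of_image = end
    return data[end_of_image:]


def inspect_icon(data):
    """Classify one PNG by what follows its image data."""
    tail = trailing_bytes(data)
    has_marker = MARKER in tail
    payload = tail.split(MARKER, 1)[1] if has_marker else b""
    return {
        "trailing_bytes": len(tail),   # any non-zero value deserves a look
        "has_marker": has_marker,      # the specific separator from the report
        "payload": payload,            # bytes after the marker, for analysis
        "suspicious": len(tail) > 0,
    }


def scan_extension_dir(root):
    """Inspect every .png under an unpacked extension directory (hypothetical usage)."""
    findings = {}
    for png in Path(root).rglob("*.png"):
        try:
            findings[str(png)] = inspect_icon(png.read_bytes())
        except ValueError as exc:
            findings[str(png)] = {"error": str(exc), "suspicious": True}
    return findings


def _chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_minimal_png():
    """Constructed 1x1 RGBA PNG used as the clean sample; not one of the campaign's icons."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    raw = b"\x00" + b"\x00\x00\x00\xff"  # filter byte + one opaque black pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


CLEAN_ICON = make_minimal_png()
# Constructed stand-in for the hidden loader; a harmless placeholder, not the real payload
PLACEHOLDER_PAYLOAD = b"console.log('placeholder loader');"
TAMPERED_ICON = CLEAN_ICON + MARKER + PLACEHOLDER_PAYLOAD

if __name__ == "__main__":
    for name, icon in (("clean", CLEAN_ICON), ("tampered", TAMPERED_ICON)):
        result = inspect_icon(icon)
        print(name, result["trailing_bytes"], result["has_marker"], result["payload"][:40])
```

Run `scan_extension_dir` over an unpacked .xpi to triage every icon at once. The check treats any trailing bytes as suspicious even without the "===" marker, since a different campaign could simply change the separator; a payload tucked inside an ancillary chunk rather than after IEND would need chunk-level content inspection, which this script does not attempt.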

Hackers Steal Purchase Commissions, Thousands Compromised

The campaign, spanning at least 17 extensions, has accumulated over 50,000 downloads and is still active. An extension called "Free VPN Forever" had the most installations at 16,000. Once a malicious add-on is installed, a multi-stage infection chain begins. The icon only holds a loader for the actual malware, which the extension extracts upon loading.

To avoid detection, the loader uses inconsistent behavior. It deliberately waits 48 hours between check-ins with attacker-controlled servers and randomly infects only 10% of users. The attackers encode their payloads using custom ciphers, which combine letter and number swapping with Base64 encoding.

Ultimately, users are infected with a comprehensive toolkit for monetizing their behavior without their knowledge. The Koi researchers stated that the delivered payload monitors everything users browse, removes browser security protections, and opens a backdoor for remote code execution.

The analyzed malware intercepted affiliate links and redirected commissions for purchases on major platforms, such as Taobao or JD.com, to the malware operators. It also used hidden iframe injections to load content from attacker-controlled servers, likely for ad fraud, click fraud, and tracking. Furthermore, the malicious extensions profiled users with secret trackers, compromised browser security by removing security headers from HTTP responses, and included methods to bypass CAPTCHA checks. All detected extensions used the same command and control infrastructure but utilized different injection mechanisms, suggesting attackers were testing various techniques.

The threat actor can alter the payloads at any time, meaning the malicious activity is not limited to what was observed. The extensions maintain a persistent connection to the attacker-controlled servers, awaiting new instructions.

Koi urged users to be wary, especially since most of the malicious extensions were still live on the Firefox Add-ons marketplace. The list of affected extensions includes:

  • free-vpn-forever
  • screenshot-saved-easy
  • weather-best-forecast
  • crxmouse-gesture
  • cache-fast-site-loader
  • freemp3downloader
  • google-translate-right-clicks
  • google-traductor-esp
  • world-wide-vpn
  • dark-reader-for-ff
  • translator-gbbd
  • i-like-weather
  • google-translate-pro-extension
  • 谷歌-翻译
  • libretv-watch-free-videos
  • ad-stop
  • right-click-google-translate
