
StegoAd Edge Extensions Hid Malware in Images and Fonts

Microsoft has removed 119 Microsoft Edge extensions tied to a campaign it calls StegoAd after researchers found that the add-ons could hide malware code inside image and font files, then wake up after installation to run ad fraud, steal credentials, and harvest browser cookies.

The case matters because the extensions looked like ordinary browser tools: ad blockers, VPNs, translators, video downloaders, calculators, coupon helpers, and PDF utilities. They delivered enough visible functionality to appear legitimate, while the malicious behavior waited behind dormancy checks and server-side instructions.

What Microsoft Found

In its StegoAd technical report, Microsoft describes a large extension operation that used steganography to conceal JavaScript inside files that looked harmless to users and many automated checks. Early versions appended code to PNG images, later versions used WebP images and WOFF2 font files, and some variants fetched a normal-looking image from command-and-control infrastructure before decoding and running the hidden payload.

Microsoft says the 119 extensions reached up to 2.6 million users before removal. That number is an install-base ceiling, not a confirmed victim count, but it is large enough that anyone who uses Edge extensions should review their add-ons instead of assuming store removal fixed every local risk.

Why This Is More Than Annoying Adware

StegoAd included classic ad-fraud behavior, but Microsoft also documented payloads that could execute arbitrary JavaScript from the server, steal Google sign-in credentials and second-factor codes, harvest WordPress administrator logins, and collect cookies for session hijacking. Malwarebytes’ June 29 report highlights the same practical risk: useful-looking extensions can stay quiet first and turn malicious later.

The campaign also resisted easy detection. Some extensions reportedly triggered the next stage on only a small share of installs per attempt, checked whether browser developer tools were open, and reused trustworthy-sounding names. This is the same broader browser-extension risk pattern seen in earlier Adware Guru coverage of SearchJack search hijacking and Chrome wallpaper extension adware.

Quick Check for Edge Users

  • Open edge://extensions and review every installed extension, including disabled ones.
  • Remove extensions you do not recognize, no longer use, or cannot tie to a trusted developer.
  • Compare suspicious extension IDs with the malicious ID list in Microsoft’s report, especially if an add-on was recently removed from the Edge Add-ons store.
  • If a match is found, remove it, restart the browser, clear site sessions, and change passwords for Google, WordPress, banking, email, and other sensitive accounts used in that browser.
  • Review recent sign-in activity and enable phishing-resistant two-factor authentication where available.
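The report's description of code appended to PNG, WebP and WOFF2 files, together with the review steps above, can be turned into a local check: every one of those container formats declares where the file ends, so bytes past that point are worth a closer look. The script below is an added example written for this article, not Microsoft's or Malwarebytes' tooling. It walks an Edge extensions folder (the default-profile path under %LOCALAPPDATA% is assumed; pass another path as the first argument), reads each extension's manifest name and id, and reports image and font files that carry trailing data. The sample PNG, WebP and WOFF2 builders exist only to construct test input; the extension id in the demo is a placeholder, and trailing bytes are a review signal rather than proof of malice.

```python
"""Flag image/font files inside Edge extension folders that carry bytes
after the point where their container format says the file ends."""
import json
import os
import struct
import sys
import tempfile
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IMAGE_FONT_EXT = {".png", ".webp", ".woff", ".woff2"}
# Assumed default-profile location on Windows; override via argv[1].
EDGE_EXTENSIONS = (Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft" / "Edge"
                   / "User Data" / "Default" / "Extensions")


def declared_end(data: bytes):
    """Offset at which the container format says the file ends, or None
    when the data is not a PNG, WebP, WOFF or WOFF2 we can parse."""
    if len(data) < 12:
        return None
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4                  # chunk header + data + CRC
            if ctype == b"IEND":
                return pos if pos <= len(data) else None
        return None                                # no IEND: truncated, not padded
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        riff_size = struct.unpack("<I", data[4:8])[0]
        return 8 + riff_size                       # RIFF size excludes its 8-byte header
    if data[:4] in (b"wOFF", b"wOF2"):
        return struct.unpack(">I", data[8:12])[0]  # 'length' field is the total file size
    return None


def trailing_bytes(data: bytes):
    """Number of bytes past the declared end (0 if clean, None if format unknown)."""
    end = declared_end(data)
    return None if end is None else max(len(data) - end, 0)


def scan_extensions(root: Path):
    """Walk <root>/<extension id>/<version>/ and list padded image/font files."""
    findings = []
    for manifest in root.glob("*/*/manifest.json"):
        ext_dir = manifest.parent
        try:
            name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "?")
        except (OSError, ValueError):
            name = "?"
        for f in ext_dir.rglob("*"):
            if not f.is_file() or f.suffix.lower() not in IMAGE_FONT_EXT:
                continue
            extra = trailing_bytes(f.read_bytes())
            if extra:
                findings.append({"id": ext_dir.parent.name, "name": name,
                                 "file": str(f.relative_to(ext_dir)), "trailing": extra})
    return findings


# --- constructed sample files (test input only, not real extension assets) ---
def make_png(trailer: bytes = b"") -> bytes:
    """Minimal 1x1 PNG with correct chunk layout and CRCs, plus optional trailer."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + chunk(b"IEND", b"") + trailer)


def make_webp(trailer: bytes = b"") -> bytes:
    body = b"WEBP" + b"VP8 " + struct.pack("<I", 0)   # empty VP8 chunk; enough for size math
    return b"RIFF" + struct.pack("<I", len(body)) + body + trailer


def make_woff2(trailer: bytes = b"") -> bytes:
    header = b"wOF2" + b"\x00\x01\x00\x00" + struct.pack(">I", 48)  # declared length 48
    return header.ljust(48, b"\x00") + trailer


def demo_scan():
    """Build a throwaway extension tree with one padded icon and one clean font, then scan it."""
    tmp = Path(tempfile.mkdtemp())
    ext = tmp / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0.0_0"   # placeholder id/version
    ext.mkdir(parents=True)
    (ext / "manifest.json").write_text(json.dumps({"name": "Sample Coupon Helper"}))
    (ext / "icon.png").write_bytes(make_png(b"/* appended bytes */"))
    (ext / "font.woff2").write_bytes(make_woff2())
    return scan_extensions(tmp)


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else EDGE_EXTENSIONS
    for hit in scan_extensions(root) if root.is_dir() else demo_scan():
        print(f"{hit['id']}  {hit['name']!r}  {hit['file']}: {hit['trailing']} trailing bytes")
```

A hit means the file should be compared against the same asset in a clean copy of the extension or reported to the store, not that the extension is confirmed malicious; the scan also deliberately treats a truncated file (no IEND, short RIFF) as unknown rather than padded, since truncation and appended payloads are different problems.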

Takeaway

StegoAd was not a browser vulnerability that infected users by itself. The dangerous step was installing a trusted-looking extension that later received or decoded hidden code. Treat extension permissions like installed software: keep the list short, avoid copycat names, check the developer history, and remove tools that promise broad browser access for a small convenience.

If extension abuse is part of a larger unwanted-ad or redirect problem, the browser notification scam removal guide and PUP cleanup guide are useful companion checks.

Daniel Zimmermann

Daniel Zimmermann has been writing about adware, browser notification abuse, unwanted programs and practical Windows cleanup for many years. He focuses on clear removal steps for everyday users and keeps Adware Guru guides grounded in observable browser symptoms.
