
A sophisticated malware campaign known as GhostPoster has expanded significantly, with security researchers uncovering 17 additional malicious browser extensions across Chrome, Edge, and Firefox stores. These extensions, which have amassed more than 840,000 installs in total, masquerade as legitimate productivity tools (HR dashboards, ERP integrations, VPNs) but quietly steal sensitive data from users’ browsing sessions.
Discovered initially by Koi Security in late December 2025, the campaign uses steganography (hidden code embedded in PNG images) to deliver multi-stage payloads. LayerX Security traced the same infrastructure and TTPs to the new extensions, revealing a long-running operation that has evaded detection for up to five years in some cases.
The malicious extensions request broad permissions under the guise of “anonymous, non-identifiable analytics data.” Once installed, they monitor tabs, scrape chat interfaces (ChatGPT, DeepSeek, Claude), local storage, browsing history, and URLs, encode everything in Base64, and exfiltrate it in batches every 30 minutes to attacker-controlled domains such as deepaichats[.]com and chatsaigpt[.]com. This “prompt poaching” tactic is becoming a growing concern in early 2026 as AI workflows become more valuable targets.
The GhostPoster extensions impersonate popular AI sidebar tools and productivity helpers. LayerX identified the following new extensions tied to the same C2 infrastructure:
Attackers use modular payloads for persistence, reconnaissance, credential theft, affiliate hijacking, click fraud, and session hijacking. The campaign originated on Microsoft Edge, then spread to Firefox and Chrome. Many extensions remained dormant for years before activating malicious updates, making detection extremely difficult.
Browser extensions remain one of the most under-monitored parts of the modern attack surface. They are granted excessive permissions that enable stealthy, persistent data exfiltration — especially when tied to high-value AI workflows.
Stolen data includes proprietary prompts, strategic business information, PII embedded in chats, browsing logs for phishing profiling, and session tokens for account takeover. This aligns with the rising prompt poaching trend, where attackers target AI interaction history to harvest intellectual property, competitive intelligence, or personal data.
Small and medium-sized businesses are particularly vulnerable. Employees often install these tools without IT vetting, bypassing corporate security controls. The extensions evade traditional antivirus by mimicking legitimate behavior and using encrypted exfiltration. This expands the attack surface far beyond email or SaaS — a single compromised extension can expose trade secrets, client data, or compliance violations (GDPR, CCPA, PIPEDA). Organizations relying on “Featured” badges in extension stores are at higher risk, as the badge is not a security guarantee.
The GhostPoster campaign relies on several detectable artifacts and behaviors. Key indicators include the presence of the delimiter [62,62,62,62] (ASCII ‘>>>>’) embedded within the PNG icon files of infected extensions, used to extract hidden payloads via steganography. Malicious scripts are stored in chrome.storage.local under the key instlogo, with delayed execution (48+ hours) before contacting remote configuration servers. Retrieved payloads are decoded through a chain of Base64, custom character case swapping, digit alteration (8/9), and XOR keyed to the extension’s runtime ID. Network traffic shows periodic outbound requests (every ~30 minutes) to attacker-controlled domains for config updates and exfiltration of scraped chat content, browsing history, and session tokens. Behavioral signs include broad permission requests (“tabs”, “storage”, “webNavigation”), unusual DOM scraping on AI chat sites (chat.openai.com, claude.ai, deepseek.com), and injection of tracking scripts or affiliate redirects. These IOCs should be integrated into SIEM rules, browser policy monitoring, and extension audits for early detection.
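As an added example (not code from LayerX, Koi Security, or the campaign itself), the following triage script turns two of the indicators above into a check a defender can run over an unpacked extension directory: it walks each PNG icon's chunks to see whether the ‘>>>>’ delimiter or any bytes sit after the IEND chunk, and it flags the broad permissions listed in the article in manifest.json. The directory layout (manifest.json at the root, .png icons anywhere below it) and the 1x1 sample PNG builder are assumptions for the example; a hit means "review this extension by hand", not proof of compromise.

```python
import json
import os
import struct
import zlib

STEGO_DELIMITER = bytes([62, 62, 62, 62])  # the reported [62,62,62,62] marker, ASCII ">>>>"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
SUSPICIOUS_PERMISSIONS = {"tabs", "storage", "webNavigation"}  # broad permissions the article cites

def png_trailing_payload(data):
    """Delimiter offset (-1 if absent) and byte count after IEND, a region viewers ignore; None if not a PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos, end_of_image = len(PNG_SIGNATURE), None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length field, type, body, CRC
        if ctype == b"IEND":
            end_of_image = pos
            break
    end_of_image = end_of_image or len(data)  # truncated or malformed PNG: treat the whole file as image data
    return {"delimiter_offset": data.find(STEGO_DELIMITER), "trailing_bytes": max(0, len(data) - end_of_image)}

def manifest_broad_permissions(manifest):
    """Broad permissions (from the article's list) declared in a manifest.json, required or optional."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    return declared & SUSPICIOUS_PERMISSIONS

def triage_extension(root):
    """Scan an unpacked extension directory (assumed layout); returns findings that merit a human review."""
    with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
        perms = manifest_broad_permissions(json.load(fh))
    suspicious = []
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(".png")):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                info = png_trailing_payload(fh.read())
            if info and (info["delimiter_offset"] >= 0 or info["trailing_bytes"] > 0):
                suspicious.append((os.path.relpath(path, root), info))
    return {"broad_permissions": perms, "suspicious_pngs": suspicious}

def _png_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def make_sample_png(trailer=b""):
    """Constructed 1x1 grayscale PNG (not a real icon) with optional bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, gray, compression, filter, interlace
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + _png_chunk(b"IEND", b"") + trailer)
```

Point triage_extension at an extension unpacked from the store (or a user's profile directory) and feed any suspicious_pngs entry to a manual review of what follows the delimiter.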
The campaign was first exposed in late December 2025. Since LayerX’s report, some extensions have been restricted or removed, but many remain active. Vigilance in AI-driven workflows remains essential.
“Browser extensions remain one of the most under-monitored parts of the modern attack surface, often granted excessive permissions that enable stealthy, persistent data exfiltration — especially when tied to high-value AI workflows.” LayerX Security research team, January 2026 analysis
Source and full details:
