Microsoft Removes 119 Malicious Extensions from Edge Add-ons Store

Last updated: June 30, 2026 9:23 pm
By TechGeer Desk - Senior Editorial Team
  • Microsoft shut down 119 malicious extensions from its Edge Add-ons store.
  • The extensions hid dangerous code inside images and fonts to steal your data.
  • The malware went beyond ad fraud to steal Google credentials, 2FA codes, and WordPress admin logins for complete account takeover.

Microsoft just exposed one of the most clever malicious extension campaigns ever seen on the Edge Add-ons store. Named StegoAd, a combination of “steganography” and “adware”, it has been active since at least 2021.

The campaign consisted of 119 extensions that masqueraded as helpful programs such as ad blockers, virtual private networks (VPNs), translation software, and video downloaders.

These extensions worked as advertised and got good ratings, but underneath the surface they hid a nasty secret. Combined, they had a potential install base of up to 2.6 million users.

How the Extensions Stayed Hidden for Years

Steganography, the practice of hiding secret information within regular files, played a vital role in this attack. The criminals used images and fonts as carriers of malicious code.

The earliest variants of the malware placed their JavaScript payloads after the IEND chunk that marks the end of a PNG icon file. This did not alter the way the image looked. It appeared perfectly fine.

As malware detection techniques became more sophisticated, the attackers changed their strategy and began hiding their code within WebP files and, later, even WOFF2 font files. They used glyph ranges that resembled Asian text, and even font metadata, to evade detection.

The extensions did not start working immediately after installation. They remained dormant for days to avoid detection.

Some variants of the malware executed the payload in only 10 percent of browser sessions, which means that even if you have one of these extensions installed, there is a chance that it may never run.

If the malware detected that the developer tools were being used, it slept for a long time. To make things worse, the command-and-control server delivered the payload only after successful fingerprint and User-Agent checks.

Ad Fraud and Credential Theft Combined

The most serious damage was due to ad fraud. The extensions injected ads, took over affiliate commissions on eBay, Amazon, and AliExpress, and redirected searches. But Microsoft’s analysis found a much darker purpose underneath: credential theft.

The stolen data wasn’t just for selling. The payloads included a backdoor that let attackers push and run arbitrary JavaScript on victims’ browsers. They specifically targeted Google sign-in pages to steal passwords and second-factor authentication codes. They also harvested WordPress admin logins and bulk-exfiltrated browser cookies for session hijacking.

The scale of account takeover attempts has been growing; Microsoft users have been receiving unsolicited one-time passcodes, suggesting a large-scale campaign to probe and compromise accounts.

The infrastructure was professional and ambitious. The attackers used more than ten command-and-control domains with automatic failover. They even used seven Google Analytics tracking IDs as covert telemetry, giving them real-time dashboards on the campaign’s success.

What You Should Do Now

Microsoft has removed all 119 extensions and suspended over 90 developer accounts. The firm has also provided a complete list of the malicious extension IDs in its technical report.

Open your Edge browser and go to edge://extensions to see if you have any of these installed. If you do, or if Edge has already automatically uninstalled one, treat your system as compromised and reset your passwords for Google, banking sites, WordPress, and any other important accounts.
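For several profiles or machines, the same check can be scripted. This Python is an added example, not from Microsoft's report: it lists store-installed extension IDs under an Edge user-data directory and intersects them with a blocklist file. The function names are hypothetical, the directory layout is the usual Chromium default (an assumption), and the blocklist must be filled from Microsoft's published ID list, which this article does not reproduce.

```python
import re
import sys
from pathlib import Path

# Chromium-style extension IDs are 32 characters from the range a-p.
EXT_ID = re.compile(r"[a-p]{32}")

def installed_extension_ids(user_data_dir) -> dict:
    """Map each installed extension ID to the profiles that contain it."""
    found = {}
    # Layout: <User Data>/<profile>/Extensions/<extension id>/<version>/
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        if ext_dir.is_dir() and EXT_ID.fullmatch(ext_dir.name):
            found.setdefault(ext_dir.name, []).append(ext_dir.parent.parent.name)
    return {ext_id: sorted(profiles) for ext_id, profiles in found.items()}

def load_blocklist(text: str) -> set:
    """Parse one ID per line; '#' starts a comment; other lines are ignored."""
    ids = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().lower()
        if EXT_ID.fullmatch(token):
            ids.add(token)
    return ids

def flagged_extensions(user_data_dir, blocklist_text: str) -> dict:
    """Return {extension id: [profiles]} for installed IDs on the blocklist."""
    installed = installed_extension_ids(user_data_dir)
    blocked = load_blocklist(blocklist_text)
    return {i: installed[i] for i in sorted(installed.keys() & blocked)}

if __name__ == "__main__":
    # Usage: python check_edge_ext.py "<User Data dir>" blocklist.txt
    # Usual default locations (assumption, adjust for your install):
    #   Windows: %LOCALAPPDATA%\Microsoft\Edge\User Data
    #   macOS:   ~/Library/Application Support/Microsoft Edge
    #   Linux:   ~/.config/microsoft-edge
    hits = flagged_extensions(sys.argv[1], Path(sys.argv[2]).read_text())
    for ext_id, profiles in hits.items():
        print(ext_id, "found in", ", ".join(profiles))
    sys.exit(1 if hits else 0)
```

An empty result does not clear a machine: an extension that Edge has already uninstalled leaves no directory behind, and the advice above applies in that case too.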

The operators behind StegoAd are still active. The campaign shares connections with a larger, known threat actor called DarkSpectre. This serves as a clear warning that you can never be too careful, even with extensions from official stores.
