Microsoft dismantles StegoAd campaign using malicious Edge extensions

Microsoft has dismantled the StegoAd campaign, a sophisticated operation that used 119 malicious Edge extensions to reach approximately 2.6 million installs over a two-year period. According to a report published by Security Affairs, the threat actor behind the campaign has been active since 2021 and employed advanced techniques to evade detection.

The StegoAd campaign employed steganography to hide malicious JavaScript within image and font files, making the extensions appear legitimate and functional. These extensions, disguised as ad blockers, VPNs, and translators, would remain dormant for days after installation and even extend dormancy if developer tools were opened. The campaign's command-and-control server used fingerprint checks to serve payloads only to verified victims. The primary monetization method was ad fraud, including injecting ads and hijacking affiliate commissions from major e-commerce platforms like Amazon, eBay, and AliExpress. However, the extensions also contained a full remote code execution backdoor capable of stealing credentials from Google and WordPress login pages.
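The simplest form of the image-file trick described above is script text appended after the image's end-of-file marker, where image viewers ignore it but a loader can read it back. The following triage helper is an added example, not code from Microsoft, Security Affairs, or the campaign itself: it walks the PNG chunk structure of each image in a (constructed, in-memory) extension package and flags any bytes past the IEND chunk, noting whether they look like JavaScript. Payloads woven into pixel data or font tables would need other checks; the file names and the "c2" URL are placeholders.

```python
"""Flag PNG assets in an extension package that carry data past the IEND chunk."""
import re
import struct
import zlib
from typing import Dict, List, Optional, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Tokens that rarely occur in image bytes but are common in script payloads.
JS_HINT = re.compile(rb"\b(function|eval|fetch|chrome\.|document\.|XMLHttpRequest)\b")


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks; return the offset just past IEND, or None if not a well-formed PNG."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None  # no IEND chunk: truncated or not a PNG at all


def scan_assets(assets: Dict[str, bytes]) -> List[Tuple[str, int, bool]]:
    """Return (name, trailing_byte_count, looks_like_script) for each PNG with data past IEND."""
    findings = []
    for name, data in assets.items():
        end = png_end_offset(data)
        if end is None or end >= len(data):
            continue  # clean image, or not a PNG we can parse
        tail = data[end:]
        findings.append((name, len(tail), bool(JS_HINT.search(tail))))
    return findings


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid RGB PNG (constructed sample input, solid red)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB
    scanline = b"\x00" + b"\xff\x00\x00" * width  # filter byte 0 + pixels
    idat = zlib.compress(scanline * height)
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed package: one clean icon, one icon with a script appended after IEND.
SAMPLE_PACKAGE = {
    "icons/logo.png": make_png(),
    "icons/banner.png": make_png() + b"(function(){fetch('https://example.invalid/c2')})();",
}

if __name__ == "__main__":
    for name, size, scripty in scan_assets(SAMPLE_PACKAGE):
        print(f"{name}: {size} bytes after IEND, script-like={scripty}")
```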

The operation leveraged Google Analytics and GitHub Pages for telemetry, demonstrating a professional approach to criminal activity. Microsoft's investigation linked the campaign to the DarkSpectre operation, noting shared techniques and reused extension names.

Source: Security Affairs
