You installed an ad blocker. Or a VPN. Maybe a video downloader or a translation tool. It worked perfectly. It had good reviews. You never gave it another thought.
And the whole time, it may have been quietly stealing your passwords.
Microsoft just announced the removal of 119 malicious extensions from its Edge browser store — all tied to a single criminal operation that researchers are calling StegoAd. This campaign had been running since at least 2021. The extensions had been installed by up to 2.6 million users. They looked completely legitimate. Many of them actually worked as advertised. And hidden underneath, they were doing something most users would never suspect.
The Trick That Made This So Hard to Catch
What made StegoAd so effective — and so dangerous — was where the malware hid.
It wasn't buried in suspicious code that security scanners would flag. It was tucked inside the extension's own image files and font files — the ordinary visual elements that make up the extension's appearance. To every security tool that examined these extensions, everything looked completely normal. The images displayed correctly. The fonts rendered fine. But hidden inside those files, invisible to the naked eye, was executable code waiting to be triggered.
This technique is called steganography — concealing information inside innocent-looking files. It is rarely used at this scale in browser extensions. That's precisely why it went undetected for years.
Designed to Stay Hidden
The extensions didn't just hide their malware cleverly — they were engineered to avoid detection at every step.
After installation, many waited several days before doing anything at all. Some only activated on a fraction of devices to avoid triggering alarms. If the extension detected that a security researcher was examining it — through open developer tools, for example — it would go dormant immediately. The attackers even configured their server so that anyone probing it directly would receive a blank, harmless response instead of the real malicious payload.
This wasn't a crude, quickly-built scam. This was a professionally operated, long-running criminal enterprise — complete with automatic failover servers, traffic routed through legitimate platforms, and a system that updated itself as the attackers adapted to Microsoft's defenses over several years.
What the Extensions Were Actually Doing
On the surface, the visible damage was ad fraud — injecting fake advertisements into web pages, hijacking shopping affiliate commissions on Amazon, eBay, and AliExpress, and redirecting searches to generate illegal revenue for the attackers.
But Microsoft's deeper investigation found something far more serious underneath.
These extensions were stealing Google account passwords and two-factor authentication codes at the exact moment users typed them in. They were harvesting WordPress admin login credentials. They were collecting browser cookies in bulk — the small files that keep you logged into websites — which can be used to hijack accounts without ever needing a password. And they included a backdoor that allowed the attackers to push and run any code they wanted on infected devices, remotely, at any time.
The ad fraud was what funded the operation. The credential theft was the real weapon.
Why This Is a Business Problem — Not Just a Personal One
Every employee who uses a browser for work is a potential target. Work email accounts, cloud platforms, remote access portals, financial systems — these are exactly the categories of credentials StegoAd was designed to capture.
And because these extensions appeared in an official store, had real user reviews, and functioned normally for everyday tasks, there was no obvious reason for any employee — or their IT team — to be suspicious. The extensions did their jobs. That was the cover.
For small businesses especially, a single compromised employee account can cascade quickly. A stolen email login becomes access to files. A captured VPN credential becomes access to internal systems. A hijacked admin account becomes a full network compromise.
Where Businesses Are Most Exposed
- Extensions installed and forgotten — Most people install a browser extension once and never review it again. StegoAd counted on exactly that. Extensions that sat quietly for months were the ones that ultimately caused the most damage.
- Official stores are not a guarantee — All 119 extensions passed Microsoft's initial review and were available in the official Edge Add-ons store. An official listing is a starting point for trust, not a final answer.
- Work browsers with personal extensions — Many employees use the same browser profile for work and personal activity, meaning personal extensions they've installed are running alongside work logins, email accounts, and company platforms.
- Two-factor authentication via SMS — StegoAd specifically targeted and stole two-factor authentication codes sent by text message. SMS-based two-factor authentication is better than nothing, but it is not sufficient against this type of attack.
What Your Team Should Do Right Now
- Open your Edge browser extensions page by typing edge://extensions into the address bar. Review everything that's installed. If anything looks unfamiliar, remove it immediately. Microsoft has published the full list of affected extension IDs in their technical report — cross-reference anything you don't recognize.
- If Edge has already automatically removed an extension from your browser, treat that browser as potentially compromised. Change your passwords for Google, email, banking, and any other sensitive accounts accessed from that device.
- Review recent login activity on your important accounts — Google, Microsoft, and any cloud platforms your business uses. Look for any sign-ins from unfamiliar locations or devices.
- Upgrade your two-factor authentication. SMS text codes are vulnerable to exactly this kind of attack. Switch to an authenticator app like Microsoft Authenticator or Google Authenticator. For your most sensitive business accounts, consider hardware security keys — they are specifically designed to resist credential theft of this type.
- Audit browser extensions across your team. Establish a policy that employees only install extensions that have been reviewed and approved, and that extensions are periodically reviewed and removed when no longer needed.
- Apply the same rule to Chrome, Firefox, and other browsers, whether Chromium-based or not — Microsoft has confirmed that indicators from this campaign apply across multiple browser platforms, not just Edge.
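As an added example (not code from Microsoft's report or from Edge itself), the Python triage script below covers the audit steps above and the "code hidden in image files" point: it lists every unpacked extension under the Edge profile directory, cross-references the IDs against a block list, and flags PNG assets that carry bytes after their IEND chunk. Assumed, not stated by the article: the Chromium layout User Data/<profile>/Extensions/<id>/<version>/manifest.json, a BLOCKLIST placeholder to be filled from the technical report, and that trailing data after IEND is only one of several ways a payload can be padded into an image, so a clean result here is not proof of a clean extension.

```python
"""Triage helper: list Edge extensions, check IDs, flag PNGs with data after IEND."""
import json
import os
import struct
import sys
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Placeholder: fill from the extension IDs in Microsoft's technical report.
BLOCKLIST = {"PLACEHOLDER_EXTENSION_ID_FROM_MS_REPORT"}


def png_trailing_bytes(data: bytes) -> int:
    """Bytes after the IEND chunk; -1 if the file is not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                  # header + data + CRC
        if ctype == b"IEND":
            return len(data) - pos if pos <= len(data) else -1
    return -1                                  # truncated, or no IEND at all


def audit_extension(ext_dir: Path) -> dict:
    """Summarise one unpacked <id>/<version> directory (assumed Chromium layout)."""
    manifest = json.loads((ext_dir / "manifest.json").read_text("utf-8", errors="replace"))
    odd = [(p.relative_to(ext_dir).as_posix(), png_trailing_bytes(p.read_bytes()))
           for p in ext_dir.rglob("*.png")]
    odd = [entry for entry in odd if entry[1] != 0]   # unparseable or trailing data
    ext_id = ext_dir.parent.name
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "blocklisted": ext_id in BLOCKLIST, "odd_pngs": odd}


def audit_profiles(user_data: Path):
    """Yield one record per installed extension version across all profiles."""
    for manifest in user_data.glob("*/Extensions/*/*/manifest.json"):
        yield audit_extension(manifest.parent)


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))

# Constructed samples: a structurally minimal PNG, and the same bytes with data appended.
CLEAN_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + _chunk(b"IEND", b"")
TAMPERED_PNG = CLEAN_PNG + b"constructed trailing data"

if __name__ == "__main__":
    base = Path(sys.argv[1]) if len(sys.argv) > 1 else \
        Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft" / "Edge" / "User Data"
    for rec in audit_profiles(base):
        flag = "BLOCKLISTED" if rec["blocklisted"] else ("CHECK" if rec["odd_pngs"] else "ok")
        print(f"{flag:12} {rec['id']} {rec['name']} {rec['version']} {rec['odd_pngs']}")
```

Run it with the path to a browser's User Data directory (the Edge default is used when no argument is given); any extension marked BLOCKLISTED or CHECK is a candidate for removal and for the password and sign-in review described above.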
The Bottom Line
Browser extensions are small, easy to install, and easy to forget about. That's exactly what makes them such an attractive target. StegoAd spent years hiding malware inside ordinary image and font files, stealing passwords and two-factor codes from millions of devices, all while the extensions worked normally and maintained positive reviews.
Official stores are not a guarantee of safety. The malware was invisible to security scanners. The only real defense is knowing what's installed, keeping it to a minimum, and reviewing it regularly.
