StegoAd · malicious browser extensions using steganography
StegoAd campaign: the group, active since at least 2021, distributed 119 malicious extensions reaching approximately 2.6 million users, mainly on Microsoft Edge and other Chromium-based browsers. From 2024, over a 25-month period, the operators concealed the attack code inside images and fonts using steganography, evading traditional controls. On affected systems the extension enables remote command execution, theft of Google credentials and session tokens (account access even where multi-factor authentication is enabled, since the theft occurs after legitimate authentication), acquisition of WordPress administrator credentials and exfiltration of session cookies, with outbound traffic masked through Google Analytics. Fortgale has begun verification across the entire monitored infrastructure.