Microsoft has dismantled a long-running malware campaign on the Edge Add-ons store, removing 119 extensions that concealed malicious code inside ordinary image and font files. Dubbed StegoAd by the company, the operation combined steganography with adware to evade detection.
The threat actor behind StegoAd has been active since at least 2021, according to Microsoft. The extensions would appear benign upon installation, only to activate days later—a delayed-execution tactic designed to bypass initial automated security scans.
Once triggered, the extensions initiated credential theft and ad fraud. By embedding payloads in image and font files, the attackers circumvented traditional signature-based detection methods that do not inspect media assets for hidden code.
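As an added defender-side check, not code from Microsoft's report or from the campaign itself: the scanner below walks an extension package and flags image and font assets that carry bytes beyond the format's logical end, which is one common way to hide a payload in a media file that still renders normally. It assumes that concealment method; the article does not say which embedding technique StegoAd used, so a payload woven into pixel data (LSB-style) or into a font table would need a different check. The `sample_png` and `sample_font` helpers build constructed test inputs, not files from the campaign.

```python
import struct, zlib
from pathlib import Path
PNG_SIG = b"\x89PNG\r\n\x1a\n"
SFNT_VERSIONS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}  # TrueType / CFF OpenType / Apple

def png_end_offset(data):
    """Offset just past the IEND chunk; None if not a PNG or IEND is missing."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None

def font_end_offset(data):
    """Offset just past the last table in an sfnt directory, 4-byte aligned; None if not a font."""
    if len(data) < 12 or data[:4] not in SFNT_VERSIONS:
        return None
    num_tables = struct.unpack(">H", data[4:6])[0]
    end = 12 + 16 * num_tables  # the table directory itself
    for rec in range(12, end, 16):
        _tag, _csum, offset, length = struct.unpack(">4sIII", data[rec:rec + 16])
        end = max(end, offset + length)
    return (end + 3) & ~3

def trailing_bytes(data):
    end = png_end_offset(data) if data.startswith(PNG_SIG) else font_end_offset(data)
    return None if end is None else len(data) - end  # None = format not recognised

def scan_assets(root):
    """Map each .png/.ttf/.otf under root that has trailing data to its trailing byte count."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".png", ".ttf", ".otf"}:
            extra = trailing_bytes(path.read_bytes())
            if extra:
                hits[str(path)] = extra
    return hits

def sample_png():  # constructed 1x1 RGB PNG for testing, not taken from the campaign
    chunk = lambda t, p: struct.pack(">I", len(p)) + t + p + struct.pack(">I", zlib.crc32(t + p))
    ihdr, idat = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0), zlib.compress(b"\x00" * 4)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def sample_font():  # constructed sfnt header with one 8-byte table at offset 28
    return struct.pack(">IHHHH4sIII", 0x00010000, 1, 16, 0, 0, b"head", 0, 28, 8) + b"\x00" * 8
```

Run `scan_assets("/path/to/unpacked_extension")` against an unpacked CRX; a non-zero count is a lead to inspect, not proof of malice, since some build tools also append harmless metadata.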
The takedown has cleaned the Edge Add-ons store of these malicious extensions. Microsoft has not disclosed whether users of the affected extensions have been notified or what specific credentials were targeted.
Attribution for the campaign remains unclear beyond Microsoft's link to a single, persistent actor. The technique underscores a growing trend of using steganography to bypass modern browser security measures.