Thousands of Firefox users compromised: 17 extensions hide malware in icons


At least 17 Firefox extensions slipped past detection by hiding malware in an unlikely place – their icons. Thousands of users have been infected, and the malicious add-ons are still available on the Firefox platform.

Koi Security researchers discovered 17 Firefox extensions that contained no visible malicious scripts and appeared harmless, offering a “free VPN,” screenshots, live transitions, weather forecasts, file downloads, ad blocking, dark mode, and other features.

However, a glance at their icons unveiled the developers’ true intentions.


“Every extension has a logo. A tiny image sitting in your toolbar, a visual shorthand for trust,” the report about infected PNG icons explains.

Usually, an extension reads the icon file, displays it to the user, and that’s it. However, Koi researchers discovered that some extensions did more with their icons, searching through the raw bytes: the icons contained embedded, hidden malware loaders.


“We found a hidden extraction routine. The extension wasn’t just displaying the logo. It was searching through the image data, looking for a marker that shouldn’t be there,” said the researchers.

The attackers edited the icon PNG files so that the malicious code begins where the image data ends, separated from it by a marker of three equal signs (“===”). To the user, the icon still appears normal, but for the attackers it helps bypass security scanners that examine an extension’s code. Hiding data inside an image file this way is known as steganography.

“Everything after that marker isn't image data. It’s JavaScript, hidden in plain sight.”
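An added, defender-side example (my code, not Koi’s or Mozilla’s): a Python scanner that walks a PNG’s chunk list, isolates anything appended after the IEND chunk, and flags the “===” marker described above, applied to every icon inside an extension package (an XPI is a zip file). The sample PNG, XPI and placeholder script are constructed inline; the trailer check generalizes beyond the marker, since no decoder renders bytes after IEND.

```python
import io
import struct
import zipfile
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # separator that the report says precedes the hidden JavaScript

def png_trailing_bytes(data):
    """Every byte after the IEND chunk (b"" for a clean PNG); None if not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length + type + chunk data + CRC
        if ctype == b"IEND":
            return data[pos:]  # decoders stop at IEND; nothing after it is image data
    return None  # truncated: no IEND chunk

def find_hidden_payload(data):
    """Bytes after the '===' marker in the post-IEND trailer, or None if absent."""
    trailer = png_trailing_bytes(data)
    idx = -1 if trailer is None else trailer.find(MARKER)
    return None if idx < 0 else trailer[idx + len(MARKER):]

def scan_xpi(xpi):
    """Map each PNG entry in an extension package (an XPI is a zip) to its hidden payload."""
    findings = {}
    with zipfile.ZipFile(xpi) as z:
        for name in (n for n in z.namelist() if n.lower().endswith(".png")):
            payload = find_hidden_payload(z.read(name))
            if payload is not None:
                findings[name] = payload
    return findings

def build_png(appended=b""):
    """Constructed fixture: a minimal valid 1x1 RGB PNG, optionally with bytes after IEND."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + appended

def demo_scan():
    fake_js = b"console.log('constructed placeholder')"  # stands in for the hidden loader
    buf = io.BytesIO()  # constructed XPI: one clean icon, one icon carrying the marker
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("icons/clean.png", build_png())
        z.writestr("icons/icon.png", build_png(MARKER + fake_js))
    return scan_xpi(io.BytesIO(buf.getvalue()))
```

Any non-empty trailer, marker or not, is worth triaging; a legitimate icon has no reason to carry bytes past IEND.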

Hackers steal purchase commissions, thousands compromised

The campaign, spanning at least 17 extensions, has already accumulated over 50,000 downloads and remains active. An extension called Free VPN Forever had the most installations at 16,000.

[Figure: free-vpn-extension. Image by Koi Security.]

Once a malicious add-on is installed, a multi-stage infection chain begins.

The icon contains only a loader for the actual malware. Once the extension loads, it extracts that hidden code from the icon.

To remain undetected, the loader behaves inconsistently: it deliberately waits 48 hours between check-ins with attacker-controlled servers and infects only a random 10% of users.

Attackers encode payloads with custom ciphers that combine letter and digit substitution with Base64 encoding.


Ultimately, users are infected with a comprehensive toolkit for monetizing user behavior without their knowledge.

“What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away your browser's security protections, and opens a backdoor for remote code execution,” the Koi researchers said.

The analyzed malware intercepted affiliate links and redirected commissions for purchases on major platforms, such as Taobao or JD.com, to the malware operators. Additionally, it utilized hidden iframe injections to load content from attacker-controlled servers, likely for ad fraud, click fraud, and tracking.

Malicious extensions also profiled users using secret trackers, compromised browser security by stripping security headers from HTTP responses, and included multiple methods to bypass CAPTCHA checks.


All detected extensions utilized the same command and control infrastructure, but differed in their injection mechanisms, with attackers likely testing various techniques.

The malicious activity is not limited to what was observed, as the threat actor can alter the payloads at any time. The extensions maintain a persistent connection to the attacker-controlled servers, waiting for instructions.

“Free VPNs promise privacy, but nothing in life comes free. Again and again, they deliver surveillance instead,” the researchers warn.

Koi urges users to beware of malicious extensions, as most of them are still live on the Firefox Add-ons marketplace:

  • free-vpn-forever
  • screenshot-saved-easy
  • weather-best-forecast
  • crxmouse-gesture
  • cache-fast-site-loader
  • freemp3downloader
  • google-translate-right-clicks
  • google-traductor-esp
  • world-wide-vpn
  • dark-reader-for-ff
  • translator-gbbd
  • i-like-weather
  • google-translate-pro-extension
  • 谷歌-翻译
  • libretv-watch-free-videos
  • ad-stop
  • right-click-google-translate
