Microsoft disrupts StegoAd — 119 Edge extensions hid payloads in image and font files via steganography
From CTI Daily Brief — 2026-06-30 · published 2026-06-30
Microsoft's Edge security team detailed and disrupted StegoAd: 119 malicious extensions across 90+ developer accounts with a combined ~2.6M installs, masquerading as ad blockers, VPNs, translators, and downloaders (Microsoft Edge Security, 2026-06-16 · Risky Biz News, 2026-06-29). The core trick hides executable payloads after the IEND marker of PNG icon files (later WebP images and WOFF2 fonts), so the files pass standard scanner analysis; the extensions stay dormant for 3–5 days, detect DevTools, and validate requests server-side to dodge sandboxes. Payloads ranged from Google/WordPress credential theft and cookie collection to affiliate-commission hijack, ad fraud, and an RCE backdoor, with failover C2 across 10+ domains fronted by Cloudflare Workers and Google Analytics properties used as a covert channel. The Hacker News reports overlap with the China-linked DarkSpectre operation (prior ShadyPanda / GhostPoster extension campaigns) (The Hacker News, 2026-06-29); the Microsoft Edge write-up itself does not name DarkSpectre.

Hunt: extensions with multi-day activation delays; data after IEND in PNGs or at unusual WOFF2 offsets; browser-process requests to Cloudflare Workers domains not matching the installed manifest origin.
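The "data after IEND" hunt above is mechanical enough to script. The following is an added example, not code from Microsoft or from any of the cited reports: it walks a PNG's chunk list (8-byte signature, then length/type/data/CRC chunks) and returns whatever follows the IEND chunk's CRC, which a well-formed PNG should never have. The sample PNG and the appended bytes are constructed inline so the script runs offline; the directory scanner takes any extension install folder you point it at. It covers only the PNG case described in the brief, not the later WebP or WOFF2 variants.

```python
import struct
import zlib
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input (not taken from the page)."""
    # width=1, height=1, bit depth=8, colour type=0 (grey), compression/filter/interlace=0
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one 8-bit pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def trailing_bytes_after_iend(data: bytes) -> bytes:
    """Return every byte that follows the IEND chunk's CRC (b"" for a clean file).

    Raises ValueError when the input is not a PNG or the chunk list ends before
    IEND, so a hunt can treat unparseable icons as their own finding instead of
    silently counting them as clean.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated: no IEND chunk found")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + payload + CRC
        if end > len(data):
            raise ValueError(f"truncated inside {ctype!r} chunk")
        if ctype == b"IEND":
            return data[end:]
        pos = end


def scan_dir_for_png_overlays(root: str) -> dict:
    """Map each .png under root to the number of trailing bytes, or to a parse error string.

    Only files with trailing data or parse failures are reported. Hypothetical
    helper for pointing at a browser's extension directory.
    """
    findings = {}
    for path in Path(root).rglob("*.png"):
        try:
            extra = trailing_bytes_after_iend(path.read_bytes())
        except ValueError as exc:
            findings[str(path)] = f"error: {exc}"
            continue
        if extra:
            findings[str(path)] = len(extra)
    return findings


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed sample of an icon with bytes appended past IEND (benign text, not a payload).
    overlay = clean + b"constructed trailing bytes"
    print("clean file trailing bytes:", len(trailing_bytes_after_iend(clean)))
    print("overlay file trailing bytes:", len(trailing_bytes_after_iend(overlay)))
```

A non-zero result is a lead, not a verdict: some image tools leave harmless trailing newlines or metadata after IEND, so triage by the size and entropy of the trailing region and by whether the extension's JavaScript ever reads that icon file as raw bytes.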