ctipilot.ch

StegoAd — 119 Edge extensions hide payloads via steganography (DarkSpectre)

campaign · item:stegoad-darkspectre-119-edge-extensions-steganography

Coverage timeline: 1 (first 2026-06-30 → last 2026-06-30)
Briefs: 1 (1 distinct)
Sources cited: 3 (3 hosts)
Sections touched: 1 (research)
Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-06-30 · CTI Daily Brief — 2026-06-30
     research · First coverage. Microsoft disruption; payloads after PNG IEND / WebP / WOFF2; 2.6M installs; China-linked DarkSpectre overlap.

Where this entity is cited

  • research: 1

Source distribution

  • microsoftedge.github.io: 1 (33%)
  • news.risky.biz: 1 (33%)
  • thehackernews.com: 1 (33%)

Related entities

Items in briefs about StegoAd — 119 Edge extensions hide payloads via steganography (DarkSpectre) (1)

Microsoft disrupts StegoAd — 119 Edge extensions hid payloads in image and font files via steganography

From CTI Daily Brief — 2026-06-30 · published 2026-06-30

Microsoft's Edge security team detailed and disrupted StegoAd, 119 malicious extensions across 90+ developer accounts with a combined ~2.6M installs, masquerading as ad blockers, VPNs, translators, and downloaders (Microsoft Edge Security, 2026-06-16 · Risky Biz News, 2026-06-29). The core trick hides executable payloads after the IEND marker of PNG icon files (later WebP images and WOFF2 fonts), passing standard scanner analysis; extensions stay dormant 3–5 days, detect DevTools, and validate requests server-side to dodge sandboxes. Payloads ranged from Google/WordPress credential theft and cookie collection to affiliate-commission hijack, ad fraud, and an RCE backdoor, with failover C2 across 10+ domains fronted by Cloudflare Workers and Google Analytics properties used as a covert channel. The Hacker News reports overlap with the China-linked DarkSpectre operation (prior ShadyPanda / GhostPoster extension campaigns) (The Hacker News, 2026-06-29); the Microsoft Edge write-up itself does not name DarkSpectre. Hunt: extensions with multi-day activation delays; data after IEND in PNGs or at unusual WOFF2 offsets; browser-process requests to Cloudflare Workers domains not matching the installed manifest origin.
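One way to operationalize the first two hunt points above (bytes after a PNG's IEND chunk, and bytes beyond a WOFF2 file's declared length) is the asset checker below. It is an added example written for this page, not Microsoft's tooling or code from any of the cited sources. The 1x1 PNG, the 48-byte WOFF2 header and the appended marker string are constructed inline; the WOFF2 check assumes the standard header layout in which the big-endian `length` field at offset 8 gives the total file size.

```python
"""Flag trailing data appended after a PNG's IEND chunk or past a WOFF2
file's declared length. Added example for triaging extension assets;
all sample inputs below are constructed, not real campaign artifacts."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND's CRC.

    Raises ValueError for a non-PNG, a truncated chunk, or a missing IEND,
    so malformed files surface as errors rather than silent 'clean' results.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # 8-byte header + data + 4-byte CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        pos = chunk_end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def png_trailing_data(data: bytes) -> bytes:
    """Bytes after IEND. Decoders ignore them, so a clean icon returns b''."""
    return data[png_end_offset(data):]


def woff2_trailing_data(data: bytes) -> bytes:
    """Bytes past the WOFF2 header's 'length' field (offset 8, big-endian u32).

    Assumes the standard 48-byte WOFF2 header; 'length' is the whole file
    size, so anything beyond it is not part of the font.
    """
    if len(data) < 48 or data[:4] != b"wOF2":
        raise ValueError("not a WOFF2 file")
    declared = struct.unpack(">I", data[8:12])[0]
    if declared > len(data):
        raise ValueError("declared length exceeds file size (truncated)")
    return data[declared:]


def scan_asset(name: str, data: bytes) -> dict:
    """Classify by magic bytes and report trailing byte count for one asset."""
    if data.startswith(PNG_SIGNATURE):
        kind, trailer = "png", png_trailing_data(data)
    elif data.startswith(b"wOF2"):
        kind, trailer = "woff2", woff2_trailing_data(data)
    else:
        return {"name": name, "kind": "other", "trailing": 0, "suspicious": False}
    return {"name": name, "kind": kind, "trailing": len(trailer),
            "suspicious": len(trailer) > 0}


# --- constructed samples -------------------------------------------------

def build_minimal_png() -> bytes:
    """Constructed, valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one gray pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def build_minimal_woff2_header() -> bytes:
    """Constructed 48-byte WOFF2 header, zero tables, length=48.

    Not a usable font; just enough structure to exercise the length check.
    """
    return (b"wOF2" + b"\x00\x01\x00\x00"  # flavor: TrueType 0x00010000
            + struct.pack(">IHHIIHHIIIII", 48, 0, 0, 48, 0, 1, 0, 0, 0, 0, 0, 0))


# Constructed stand-in for an appended blob; content is irrelevant to the check.
CONSTRUCTED_PAYLOAD = b"// constructed marker standing in for appended data\n"


if __name__ == "__main__":
    samples = {
        "icon_clean.png": build_minimal_png(),
        "icon_trailing.png": build_minimal_png() + CONSTRUCTED_PAYLOAD,
        "font_clean.woff2": build_minimal_woff2_header(),
        "font_trailing.woff2": build_minimal_woff2_header() + CONSTRUCTED_PAYLOAD,
    }
    for name, blob in samples.items():
        print(scan_asset(name, blob))
```

Run it over an unpacked extension's asset directory by feeding each file's bytes to `scan_asset`. A nonzero `trailing` count on an icon or font is a triage signal rather than proof, since some image tools append harmless metadata after IEND; correlate hits with the multi-day activation delay and the Cloudflare Workers / Google Analytics network behaviour described in the brief before escalating.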