Microsoft says it removed 119 malicious Microsoft Edge extensions tied to a campaign it calls StegoAd, after finding add-ons that hid executable payloads inside image and font files and then activated days after installation.[1] The extensions posed as everyday tools such as ad blockers, VPNs, translators, and video downloaders, with a combined install base of up to 2.6 million users.[1]
This is not a simple case of a fake extension that immediately looks broken. Microsoft’s Edge Extensions Security Team said the add-ons often provided the promised functionality, earned user trust, and then waited through dormancy checks before fetching or decoding malicious code.[1] That makes the campaign relevant even for cautious users who usually remove suspicious software quickly.
The first practical step is to open edge://extensions and compare installed extensions with the extension IDs in Microsoft’s technical report. If Edge has already disabled or removed one, treat that browser profile as potentially exposed instead of assuming the cleanup ended the risk. For broader cleanup steps, HowToFix also has a practical guide on how to remove browser extensions.
What StegoAd Did and What Users Should Check
According to Microsoft, StegoAd used a five-stage chain: store impersonation, dormancy and evasion, hidden payload retrieval, staged execution, and monetization or credential theft.[1] Some versions appended JavaScript to normal-looking PNG images, while later variants moved into WebP images and WOFF2 font files. Other variants pulled a payload from command-and-control servers only after server-side checks passed.[1]
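An added example for reviewers of an unpacked extension directory (not code from Microsoft's report or from HowToFix): each of PNG, WebP and WOFF2 declares where the file ends, so bytes after that point are the appended-payload pattern described above and worth a closer look. The stub files built in demo() are constructed samples, and a hit is a lead for review, since some tools also append harmless metadata.

```python
import os
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def declared_length(data: bytes):
    """Byte length the file's own header/chunks declare, or None if unknown."""
    if data.startswith(PNG_SIG):
        pos = 8
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length          # 4 length + 4 type + data + 4 CRC
            if ctype == b"IEND":        # IEND must be the last chunk
                return pos
        return None                     # truncated or malformed PNG
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return 8 + struct.unpack("<I", data[4:8])[0]   # RIFF size + 8
    if data[:4] == b"wOF2":
        return struct.unpack(">I", data[8:12])[0]      # WOFF2 total length
    return None

def trailing_bytes(data: bytes) -> int:
    """Bytes past the declared end of the file (0 = nothing to report)."""
    end = declared_length(data)
    return 0 if end is None or end >= len(data) else len(data) - end

def scan_extension_dir(root: str) -> dict:
    """Map asset path -> trailing byte count for every flagged file under root."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".png", ".webp", ".woff2")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    n = trailing_bytes(f.read())
                if n:
                    flagged[path] = n
    return flagged

def demo() -> dict:
    """Run the check on constructed stub files (not real extension assets)."""
    png = (PNG_SIG + struct.pack(">I", 13) + b"IHDR" + b"\0" * 17
           + struct.pack(">I", 0) + b"IEND" + b"\0" * 4)     # 45 bytes
    webp = b"RIFF" + struct.pack("<I", 4) + b"WEBP"            # 12 bytes
    tail = b"/* constructed trailing data */"                  # 31 bytes
    samples = {"clean.png": png, "icon.png": png + tail, "logo.webp": webp + tail}
    return {name: trailing_bytes(blob) for name, blob in samples.items()}
```

Point scan_extension_dir at an extension's version folder under the Edge profile's Extensions directory to check real assets.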
The campaign’s visible goal was ad fraud: injected ads, search redirects, affiliate abuse on shopping sites, and similar monetization. The more serious finding is what Microsoft says appeared in retrieved payloads: arbitrary JavaScript execution, Google credential and second-factor theft during sign-in, WordPress admin login theft, and bulk cookie exfiltration for session hijacking.[1] The Hacker News highlighted the same post-installation risk in its June 29 coverage, noting that the malicious behavior could wake up after the extension had already appeared trustworthy.[2]
For home users, the response is straightforward: remove matching or unknown extensions, update Edge, sign out of important web sessions, change passwords for accounts used in the affected browser profile, and revoke suspicious sessions where the service provides that option. Prioritize Google accounts, email, banking, cloud storage, marketplaces, and any WordPress admin panels opened in that profile.
For administrators, the better question is not only “which extension was installed?” but also “which accounts did that browser profile touch?” If the extension list matches Microsoft’s report, review identity-provider sign-in logs, OAuth grants, WordPress administrator activity, unusual ad or search redirects reported by users, and cookie/session reuse from new locations. Enterprise teams should also consider Edge extension allowlists or blocklists for high-risk groups, especially where employees handle finance, publishing, helpdesk, or cloud-console access.
The campaign also reinforces an older browser-extension lesson. In 2022, HowToFix covered Chrome extensions that spoofed user cookies, and the pattern has not gone away: extensions can sit close enough to browser sessions to make account recovery harder than ordinary malware cleanup. Older Chrome and Edge malicious-extension cases show why store removal is useful but not always sufficient for users who already installed the add-on.
Microsoft says all identified StegoAd extensions have been removed and the related developer accounts suspended.[1] That lowers future exposure through the Edge Add-ons store, but it does not answer whether a given user’s credentials, cookies, or WordPress sessions were already touched. Anyone who finds a match should treat it as an account-security incident, not only an extension cleanup task.
References
- Microsoft Edge Extensions Security Team. “Inside StegoAd: How We Disrupted a Massive Malicious Extension Campaign.” Microsoft Browser Vulnerability Research, June 16, 2026. https://microsoftedge.github.io/edgevr/posts/Inside-StegoAd-How-We-Disrupted-a-Massive-Malicious-Extension-Campaign/
- Swati Khandelwal. “Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts.” The Hacker News, June 29, 2026. https://thehackernews.com/2026/06/microsoft-removes-119-edge-extensions.html
- Microsoft Support. “Add, turn off, or remove extensions in Microsoft Edge.” https://support.microsoft.com/en-us/edge/add-turn-off-or-remove-extensions-in-microsoft-edge