Back to Intelligence

StegoAd Malware: Microsoft Edge Extension Takedown and Detection Guide

SA
Security Arsenal Team
June 29, 2026
6 min read

Introduction

In a significant disruption of a long-running supply-chain attack, Microsoft has removed 119 malicious extensions from the Edge Add-ons store. This campaign, tracked by Microsoft as StegoAd (a portmanteau of steganography and adware), represents a sophisticated evolution in browser-based threats. Active since at least 2021, the threat actor behind these extensions utilized novel evasion techniques—specifically hiding malicious payloads within benign-looking image and font files—to bypass traditional code review and static analysis mechanisms.

For defenders, this is a critical wake-up call. The compromise is not merely about ad fraud; these extensions possessed the capability to steal credentials and exfiltrate sensitive data days after installation. While Microsoft has purged the store listings, any endpoint that installed these extensions prior to the takedown remains compromised. Immediate detection, forensic review, and remediation are required.

Technical Analysis

Affected Platform: Microsoft Edge (Chromium-based) Threat Actor: StegoAd Operator (Active since ~2021) Attack Vector: Malicious Browser Extensions (Trojanized Add-ons)

The StegoAd Attack Chain:

  1. Initial Infection: Users install seemingly legitimate extensions from the official Edge Add-ons store. These extensions often masqueraded as productivity tools, VPNs, or utilities.
  2. Evasion via Steganography: The primary differentiator of this campaign was the use of steganography. Malicious JavaScript code was not stored in plain text within the extension's .js files. Instead, it was concealed within the binary data of image files (e.g., PNG backgrounds) or font files (WOFF/WOFF2).
  3. Dwell Time and Activation: To avoid immediate detection during sandbox testing or initial user review, the extensions included a "sleeper" mechanism. The malicious code would not activate until several days after installation.
  4. Payload Execution: Upon activation, the browser decodes the hidden script from the media files and executes it.
  5. Objectives:
    • Ad Fraud: Injection of unauthorized advertisements into the user's browsing session.
    • Credential Theft: Harvesting of session cookies, saved passwords, and autofill data from the browser's storage.

Why This Matters: Standard extension review processes often scan for dangerous patterns in JavaScript and HTML. By embedding the payload in non-executable media files, the attackers rendered the malicious code invisible to automated scanners and cursory human review.

Detection & Response

Detecting StegoAd requires a shift from simply looking for known bad hashes to hunting for behavioral anomalies and file system artifacts consistent with steganographic loading.

SIGMA Rules

The following rules target the persistence mechanism of Edge extensions and suspicious process spawning associated with credential theft.

YAML
---
title: StegoAd - Suspicious Edge Extension Installation via Registry
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the installation of new Microsoft Edge extensions via registry modifications, useful for tracking newly added add-ons that may be malicious like StegoAd.
references:
  - https://thehackernews.com/2026/06/microsoft-removes-119-edge-extensions.html
author: Security Arsenal
date: 2026/06/23
tags:
  - attack.persistence
  - attack.t1546.015
logsource:
  category: registry_add
  product: windows
detection:
  selection:
    TargetObject|contains: '\\Software\\Microsoft\\Edge\\Extensions\\'
    Details|contains: 'update_url'
  condition: selection
falsepositives:
  - Legitimate administrative software deployment
level: low
---
title: StegoAd - Edge Browser Spawning Shell for Credential Theft
id: 9b3c2d1e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects Microsoft Edge spawning child processes like PowerShell or CMD, a common behavior for extensions attempting to steal credentials or escape the sandbox.
references:
  - https://thehackernews.com/2026/06/microsoft-removes-119-edge-extensions.html
author: Security Arsenal
date: 2026/06/23
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\\msedge.exe'
    Image|endswith:
      - '\\powershell.exe'
      - '\\\cmd.exe'
      - '\\\wscript.exe'
  filter_generic:
    CommandLine|contains: 'Print' # Filtering out standard 'Print to PDF' or similar legitimate triggers if applicable
  condition: selection and not filter_generic
falsepositives:
  - Users manually launching shell from Edge downloads (rare)
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for Edge extension folders created or modified recently, which may indicate the presence of the StegoAd variants or other unauthorized add-ons.

KQL — Microsoft Sentinel / Defender
// Hunt for Edge Extension file modifications
DeviceFileEvents
| where FolderPath startswith @"C:\Users\" and FolderPath contains "\AppData\Local\Microsoft\Edge\User Data\Default\Extensions"
| where Timestamp > ago(7d)
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, ActionType
| summarize count() by DeviceName, InitiatingProcessAccountName, FolderPath
| order by count_ desc

Velociraptor VQL

This artifact hunts for the presence of image and font files within Edge extension directories. Since StegoAd hides payloads in these file types, an extension with an unusually high ratio of images/fonts to code, or simply the existence of specific large media files, warrants investigation.

VQL — Velociraptor
-- Hunt for Edge Extension directories and analyze file types
LET ExtensionDirs = glob(globs="/*/*/AppData/Local/Microsoft/Edge/User Data/*/Extensions/*")

SELECT 
  ExtensionDir,
  count(path=FullFiles.Path) AS TotalFiles,
  filter(list=FullFiles.Path, regex="\\.(png|jpg|jpeg|gif|woff|woff2|ttf)$", re=FullFiles.Name) AS MediaFiles
FROM foreach(row=ExtensionDirs, query={
    SELECT 
      ExtensionDir AS ExtensionDir,
      glob(globs=ExtensionDir + "/**") AS FullFiles
    FROM scope()
})
WHERE len(list=MediaFiles) > 0
GROUP BY ExtensionDir

Remediation Script (PowerShell)

Use this script to enumerate all installed Edge extensions on a local machine to facilitate manual review against the list of known bad actors.

PowerShell
# Enumerate Edge Extensions for Audit
$EdgeBasePath = "$env:LOCALAPPDATA\Microsoft\Edge\User Data"

# Get all user profiles
$Profiles = Get-ChildItem -Path $EdgeBasePath -Directory -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'Default|Profile' }

foreach ($Profile in $Profiles) {
    $ExtPath = Join-Path -Path $Profile.FullName -ChildPath "Extensions"
    if (Test-Path $ExtPath) {
        Write-Host "Checking Extensions for Profile: $($Profile.Name)" -ForegroundColor Cyan
        # Get Extension IDs (Folder names)
        $Extensions = Get-ChildItem -Path $ExtPath -Directory -ErrorAction SilentlyContinue
        
        foreach ($Ext in $Extensions) {
            # Usually the version is a subfolder, look for manifest.
            $Manifest = Get-ChildItem -Path $Ext.FullName -Recurse -Filter "manifest." -ErrorAction SilentlyContinue | Select-Object -First 1
            if ($Manifest) {
                try {
                    $JsonData = Get-Content $Manifest.FullName -Raw | ConvertFrom-Json
                    [PSCustomObject]@{
                        Profile = $Profile.Name
                        ExtensionID = $Ext.Name
                        Name = $JsonData.name
                        Version = $JsonData.version
                        Path = $Ext.FullName
                    }
                }
                catch {
                    Write-Warning "Failed to parse manifest for $($Ext.Name)"
                }
            }
        }
    }
}

Remediation

  1. Audit and Uninstall: Access the Edge browser menu, go to Extensions > Manage Extensions. Review all installed extensions. If any extension is recognized as part of the "StegoAd" campaign (check against Microsoft's official advisory for the specific names of the 119 removed extensions), click Remove.
  2. Force Reset: If an extension cannot be removed or if the infection is deep-seated, perform a factory reset of Edge via Settings > Reset settings > Restore settings to their default values.
  3. Credential Hygiene: Assume credentials were compromised. Force a password reset for all accounts accessed through the browser during the infection window.
  4. System Re-imaging: In high-security environments or if credential theft is confirmed, re-imaging the endpoint is the only guaranteed way to remove all remnants of the malware.
  5. Policy Enforcement: Deploy Group Policy or MDM configurations to blacklist the installation of new Edge extensions from the web store, requiring IT approval for all add-ons.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemmicrosoft-edgestegoadsteganography

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action