StegoAd Edge Extensions Malware: 119 Add-ons Removed

Brendan Smith
Cracked browser extension exposing hidden image payloads and session tokens in the StegoAd Edge campaign.
StegoAd used normal-looking Edge extensions and hidden payload delivery to put browser sessions and accounts at risk.

Microsoft says it removed 119 malicious extensions from the Microsoft Edge Add-ons store after uncovering a campaign it calls StegoAd. The extensions looked like normal ad blockers, VPN helpers, translators, and video tools, but Microsoft says they could hide payloads inside image and font files, steal credentials and session cookies, and deliver additional browser code after installation.

The important point for users is not only that the extensions were removed. Some people may still have one installed, synced, or restored from an old browser profile. If you installed a free Edge extension from an unfamiliar developer, especially an ad blocker or downloader, check it now and treat any password or session activity from that browser as potentially exposed.

Who should check Edge now

Open edge://extensions and review every installed extension, including disabled ones. The StegoAd campaign used normal-looking categories, so do not rely only on the extension name or whether it appeared useful.

  • Installed a free ad blocker, VPN, translator, or video downloader: remove anything you do not recognize, then review account sessions and saved passwords.
  • Edge says the extension came from a removed store listing: delete it instead of waiting for it to update or repair itself.
  • You run a WordPress site from the same browser: change administrator passwords and review recent users, plugins, and login history.
  • Security tools flag browser data, cookies, or extension files: keep the detection quarantined, remove the extension source, and scan again after reboot.

Examples from Microsoft’s StegoAd extension list

Microsoft’s technical report includes a full IOC table of malicious extension IDs. The examples below are not a complete list and should not be treated as a popularity ranking; they are recognizable names from the report that users are likely to notice in Edge’s extension screen.

  • Adblock for Youtube
    afakckepbbffmnoghgpfnnebijeahjcb
  • AI Search GPT for Edge
    beemogkfhphmjghmkghdaggidgohohee
  • Free Online Video Downloader
    bpdanoaacmebjgfjdmekfcfgmnaoekim
  • Turbo Download Manager
    bpjnmlookdfciblphehedlcbpmignahe
  • TikTok APP for Edge
    celdediiemogjpfcjocdbildilkccepl
  • Google Translate in Right Click
    fcoongackakfdmiincikmjgkedcgjkdp
  • Adblocker FX
    fkkoeecbjckjpnmenebojblcljjgbpoj
  • Image Downloader Pro
    gnbnbmnldhfoplgjojhepikgjanaplle
  • Trusted VPN for Edge – Free VeePN
    klmfgbnlbfgpdenpdddpdfigmnkmchil
  • Adblock (µBlock clone)
    kmiahfbflcnmlobepelpgkmolhodmiek
  • VPN
    pdnjhppcgkdbjolbeplcabkcfmpnbjmh
  • Similar Sites – Discover Related Websites
    fifeankddgioinbcchlokclbcgjlopjj

To check a match, open edge://extensions, enable developer details if needed, copy the extension ID, and compare it with the Microsoft report. If an ID matches, remove the extension, pause sync while cleaning, and secure accounts used in that browser.
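The ID comparison above can be scripted. The following is an added example, not tooling from Microsoft or this article: it walks a Chromium-style Edge profile, reads each extension's manifest.json, and flags folders whose name (the extension ID) matches the StegoAd IDs listed above or whose host permissions cover every site. The Windows default profile path is an assumption, and the sample profile it builds for demonstration is constructed.

```python
"""Compare installed Edge extension IDs against the StegoAd IDs listed above (added example)."""
import json, os, sys, tempfile
from pathlib import Path
# Extension IDs quoted in the article from Microsoft's StegoAd report.
STEGOAD_IDS = set("""
afakckepbbffmnoghgpfnnebijeahjcb beemogkfhphmjghmkghdaggidgohohee bpdanoaacmebjgfjdmekfcfgmnaoekim
bpjnmlookdfciblphehedlcbpmignahe celdediiemogjpfcjocdbildilkccepl fcoongackakfdmiincikmjgkedcgjkdp
fkkoeecbjckjpnmenebojblcljjgbpoj gnbnbmnldhfoplgjojhepikgjanaplle klmfgbnlbfgpdenpdddpdfigmnkmchil
kmiahfbflcnmlobepelpgkmolhodmiek pdnjhppcgkdbjolbeplcabkcfmpnbjmh fifeankddgioinbcchlokclbcgjlopjj
""".split())
# Host patterns that give an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def default_profile_dir():
    """Default Edge profile on Windows (assumption; macOS and Linux paths differ)."""
    return Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft/Edge/User Data/Default"

def audit_extensions(profile_dir):
    """One record per installed extension version. Chromium browsers keep each extension at
    <profile>/Extensions/<extension_id>/<version>/manifest.json; the folder name is the ID."""
    ext_root = Path(profile_dir) / "Extensions"
    records = []
    if not ext_root.is_dir():
        return records  # wrong path or no extensions installed
    for manifest_path in sorted(ext_root.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        ext_id = manifest_path.parent.parent.name
        # MV2 lists host patterns under "permissions", MV3 under "host_permissions".
        hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        records.append({"id": ext_id, "version": manifest_path.parent.name,
                        "name": manifest.get("name", "?"),  # may be a __MSG_...__ locale placeholder
                        "stegoad_match": ext_id in STEGOAD_IDS,
                        "broad_host_access": bool(hosts & BROAD_HOSTS)})
    return records

def build_sample_profile():
    """Constructed sample: one StegoAd ID (Adblocker FX) plus one made-up benign extension."""
    root = Path(tempfile.mkdtemp())
    samples = {("fkkoeecbjckjpnmenebojblcljjgbpoj", "2.1.0"): {"name": "Adblocker FX", "host_permissions": ["<all_urls>"]},
               ("abcdefghijklmnopabcdefghijklmnop", "1.0"): {"name": "Constructed benign tool", "permissions": ["storage"]}}
    for (ext_id, version), manifest in samples.items():
        ext_dir = root / "Extensions" / ext_id / version
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":  # usage: python audit.py [profile_dir]
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_profile_dir()
    for r in audit_extensions(target):
        flag = "STEGOAD MATCH" if r["stegoad_match"] else "broad host access" if r["broad_host_access"] else "ok"
        print(f'{r["id"]}  {r["version"]:<10} {str(r["name"]):<40} {flag}')
```

Run it against each Edge profile folder you use (not only Default), since synced profiles can carry their own copies; a match is a reason to remove the extension and rotate the accounts used in that browser, not proof that the payload ran.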

What StegoAd did

Microsoft describes StegoAd as a long-running extension campaign active since at least 2021. The actor used more than 90 disposable developer identities and designed the extensions to provide a real visible feature first, which made the add-ons look legitimate to users and reviewers.

The risky part came after installation. Microsoft says the payload path used delayed execution, server-side validation, and hidden code inside image or font resources. Not every installation led to payload execution, but the retrieved modules included credential and session theft, affiliate hijacking, additional code delivery, WordPress administrator credential harvesting, and covert telemetry.

That mix matters because browser extensions sit close to logins, cookies, page content, and form fields. A malicious extension does not need to install a normal Windows program to create account risk. It can abuse browser permissions, read page data, and in some cases keep working until the extension is removed and synced copies are cleaned up.

What to do now

  1. Open Edge’s extensions page and remove unfamiliar ad blockers, VPN helpers, translators, downloaders, coupon tools, and anything whose store page no longer exists.
  2. Check the extension details screen before deleting it. Record the name, extension ID, developer, permissions, and install date if you need to investigate later.
  3. Pause browser sync while cleaning. Otherwise a bad extension or setting can return from another signed-in device.
  4. Restart Edge, then recheck edge://extensions and edge://policy. If an extension returns or appears managed, follow the deeper cleanup path in our returning browser extension guide.
  5. Change passwords for Google, Microsoft, email, banking, crypto, hosting, and WordPress accounts used in that browser. Sign out other sessions where the service allows it.
  6. Review recent account activity and WordPress admin logs if you manage a website from Edge.
  7. Run a full malware scan if the extension downloaded files, browser alerts keep returning, or you see unknown startup items, scheduled tasks, proxy changes, or new browser policies.

If an extension may have stolen cookies or credentials, removing it is only the first step. A local scan helps check for bundled payloads, persistence, suspicious browser changes, and other components that may not disappear when the extension is deleted.

How this differs from normal extension risk

Many risky extensions over-collect browsing data or inject ads. StegoAd is more serious because Microsoft says the campaign used hidden payload delivery and modules for credential theft, session theft, and WordPress credential harvesting. That moves the response from a privacy cleanup into account-security triage.

For future installs, prefer well-known developers, avoid extensions that request access to all sites without a clear reason, and remove tools you installed for a one-time task. Our browser extension safety checklist explains which permissions deserve extra caution before you install another add-on.

FAQ

Was every StegoAd extension installation infected?

No. Microsoft says not every installation led to payload execution because the campaign used time gates, probability checks, and server-side validation. You should still remove suspicious extensions and secure accounts if you used one.

Can removing the extension fix the whole problem?

It removes the browser add-on, but it does not rotate stolen passwords or invalidate stolen sessions. Change passwords from a clean session and sign out other devices for important accounts.

Should Chrome or other Chromium users care?

The disclosed removals were from Microsoft Edge Add-ons, but the defensive lesson applies to Chromium-based browsers in general: extension permissions, developer identity, sync, and hidden payload delivery all matter.

References

  1. Microsoft Edge Extensions Security Team. “Inside StegoAd: How We Disrupted a Massive Malicious Extension Campaign.” Microsoft Browser Vulnerability Research, published June 16, 2026, accessed June 29, 2026. https://microsoftedge.github.io/edgevr/posts/Inside-StegoAd-How-We-Disrupted-a-Massive-Malicious-Extension-Campaign/
  2. Microsoft Edge Extensions Security Team. “Microsoft Edge Security Blog: StegoAd Campaign Analysis.” Microsoft technical report, published June 2026, accessed June 29, 2026. https://microsoftedge.github.io/edgevr/assets/files/stego_ad/Microsoft_Edge_Security_StegoAd.pdf