Firefox Extension Malware Deep Dive: Steganography, C2 Beacons, and Affiliate Hijacking in Plain Sight
A security researcher has published a detailed analysis of a Firefox extension called "YTMP4 — Download YouTube Videos to MP4" that was found live on Mozilla's official extension store. The malware employs sophisticated techniques including steganographic payloads, 72-hour sleeper delays to evade review, C2 beacons hidden in PNG files, and affiliate commission hijacking.
The Extension
- Name: YTMP4 — Download YouTube Videos to MP4
- Status: Live on Mozilla's official extension store as of April 2026
- Verdict: CRITICAL RISK (1 CRITICAL · 22 HIGH · 17 MEDIUM · 1 INFO)
- Capabilities: Credential stealing, remote command execution, affiliate commission hijacking, full HTTP request control
Key Techniques
1. Steganographic Payload in PNG Icon
The malware hides its core payload after the IEND marker in the extension's PNG icon — a technique that simple code reviews miss. The appended 1902 bytes contain ROT13-encoded C2 server addresses and command instructions.
2. 72-Hour Sleeper with Random Sampling
The malware remains completely dormant for 72 hours after installation, using random sampling to avoid exhibiting malicious behavior during Mozilla's extension review process. Only after the delay does it activate its C2 beacon.
3. C2 Beacon in PNG File
The command-and-control server address is hidden in a second PNG file, making it invisible to DOM inspection and DevTools. This bypasses conventional browser extension security scanning.
4. Dynamic declarativeNetRequest Rule Injection
The extension disguises itself as an ad-blocker but actually gives the C2 server full control over all HTTP requests — enabling arbitrary URL redirects on any domain and CSP erasure.
The Attack Chain
- User installs seemingly legitimate extension from Mozilla's store
- Extension sleeps for 72 hours to pass review
- Decodes steganographic payload from PNG icon
- Establishes C2 communication through hidden PNG beacon
- Injects dynamic network request rules disguised as ad-blocking
- Begins credential theft, affiliate hijacking, and arbitrary URL redirection
- CSP erasure enables cross-site scripting on any visited domain
Why It Matters
The researcher notes: "I am sure that if I could find this in just 15 minutes of looking through random extensions with few users, there are many MANY more examples."
The analysis was performed using an open-source tool called browser-xpi-malware-scanner.py, available on GitHub. The tool could help identify similar threats across the Firefox extension ecosystem.
A simple mitigation exists: checking for data appended after the IEND tag in PNG files would catch this and many similar malware techniques.
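The check described above, as an added example that is not the researcher's scanner nor any code from the post: walk the PNG chunk list, validate each chunk's CRC, and report whatever follows the IEND chunk. The 1x1 sample image and the appended trailer are constructed here for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> bytes:
    """Return every byte that follows the IEND chunk of a PNG.

    A well-formed PNG ends exactly at IEND's CRC, so a non-empty result
    means something was appended to the image and deserves inspection.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        expected_crc = zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF
        (crc,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
        if crc != expected_crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 8-bit grayscale PNG, optionally with bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, type...
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)


if __name__ == "__main__":
    # Constructed trailer; a placeholder, not the payload from the analysed extension.
    suspicious = build_sample_png(b"PLACEHOLDER-TRAILER: constructed for this example")
    for name, blob in (("clean", build_sample_png()), ("suspicious", suspicious)):
        print(f"{name}: {len(png_trailing_bytes(blob))} bytes after IEND")
```

Run the same function over every PNG in an unpacked .xpi; a non-zero result on an icon is the signal this mitigation relies on.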