Another attack vector is browser extensions. The article below mentions the browser-based malware GhostPoster, which uses an innocent looking PNG icon file to store the payload.
When running, the extension parses the icon's binary data which contains hidden code. Then it waits 48 hours to start execution of that code, which downloads other code that:
- injects headers to evade web security policies
- hijacks traffic
- injects scripts for click fraud
- other malicious scripts for extended control
LayerX Security has identified many malicious extensions disguised as screenshot clippers, text translators, image/video downloaders, ad blockers, Amazon price checkers - these were installed by thousands of users unknowingly.