Description: North Korea's profitable fixation on cryptocurrency. Amazon uncovers a cryptomining sneaking into customer clouds. Insecure Docker API servers are also hosting cryptominers. A new and truly massive Smart TV-based botnet discovery. DNS Benchmark's fourth release. Who, besides Let's Encrypt, offers free automated certs? Some interesting listener feedback. And how a PNG icon was used to infect 50,000 Firefox users.
High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-1057.mp3
SHOW TEASE: It's time for Security Now!. Steve Gibson's here with our last episode of the year. We're going to talk about North Korea, the billions of dollars they've made hacking us. We'll talk about insecure Docker servers, maybe why you want to think a little bit harder before putting that Docker container up on the Internet. We'll also talk about Let's Encrypt free automated certs, the future of that; and then how a PNG icon was used to infect 50,000 Firefox users. Security Now! is next.
Leo Laporte: This is Security Now! with Steve Gibson, Episode 1057, recorded Tuesday, December 23rd, 2025: GhostPoster. It's time for Security Now!, the last show of 2025. Hello, everybody. I'm Leo Laporte. Joining me now, the man in charge - the man, the myth, the legend. Wait a minute. Steve Gibson, you've got a Santa baseball cap on.
Steve Gibson: Yes, I do.
Leo: Oh, I thought we were celebrating St. Patrick's Day. I clearly have the wrong hat.
Steve: Yeah, well, you've got the green. You need some green. And you have a nice tree...
Leo: There we go. Here we go.
Steve: ...shirt.
Leo: This will work.
Steve: Yeah, you look like a jungle now. That's good.
Leo: This is the last show of the year, two days before Christmas, a week before New Year's Eve. We will next week, on December 30th, air a very special Security Now!. It'll be the Vitamin D episode we recorded way back 16 years ago, in 2009. Hard to believe.
Steve: Way back before anyone had heard of Vitamin D. Vitamin what?
Leo: What?
Steve: That's right.
Leo: But, you know, in the intervening years you've been proven spot-on. So I think that it is kind of timely. We also, because it was back when we did audio only, Anthony Nielsen has created a marvelous geek Yule Log for the show. So you will want the video version of the show. The content is all audio, but while you're listening you can relax by the digital fire. And it's got some Easter eggs. It's very, very cool. He did a really neat job with that. So, and I think he said it's got a periodicity of I think 30 minutes or more. I mean, it goes on for quite a while.
Steve: Oh.
Leo: Yeah. You might want to put it on your big screen and just, you know, have it running all Christmas.
Steve: Just geek out. That's right.
Leo: So Steve, is there any security news this week?
Steve: Yeah. Oh, I mean, that's the advantage of this podcast, Leo. When you suggested it to me 21 years ago...
Leo: There's no lack.
Steve: ...I thought, what? I go, okay, we'll talk for a couple weeks and run out of stuff. But...
Leo: It's probably worse this time of year, actually; right?
Steve: I don't really see much seasonality to it. The bad guys do seem to take some time off, too. So there is that. But today's topic is something called GhostPoster, which was the name given to a malicious extension for Firefox. What's interesting is that the malicious code is stored using steganography in a PNG icon, the extension's PNG icon.
Leo: Wow.
Steve: And I forgot to follow up on this. But several times they mention that this is one of 16 or 17 extensions which are in the same family of bad. And they kept saying, "And they're still available." It's like, what's wrong with you people? Get Mozilla to take it down. Anyway, it's infected 50,000 Firefox users, and it's not good. So that'll be our main topic for this Episode 1057, this final episode on December 23rd of 2025. But bizarrely enough, some things aligned, I don't know why, but about cryptocurrency. North Korea's profitable fixation we're going to talk about on cryptocurrency. Amazon uncovering a cryptomining agent sneaking into their customers' clouds. Insecure Docker API servers, which turn out to be a thing, are also found to be hosting cryptominers. In addition we have a new and truly massive Smart TV-based botnet discovery. I'm going to briefly mention that the DNS Benchmark is now in its fourth release. And I'm actually working on a fifth that's going to add some additional features. And I'll talk a little bit about that. Then also some listener feedback drew me into a sort of a revisiting Let's Encrypt and automated certificates and that whole world. And then we've got some additional listener feedback, and we're going to talk about how this GhostPoster infected PNG icons. So I think another great podcast for everybody as we wrap up 2025. I don't know what happened to the year, but it seems to be gone. And of course a great picture.
Leo: Picture of the Week.
Steve: Yup.
Leo: Yup. Sometime you have to publish a book of all the Pictures of the Week or something like that. I think it'd be very popular.
Steve: That would be fun, yeah.
Leo: Like a coffee table book.
Steve: I mean, I'm getting more people saying "I don't like clicking. Can you please wrap up these podcasts into annual archive sort of things?"
Leo: Oh.
Steve: So, you know, there are...
Leo: Yeah, we could do that.
Steve: There's that.
Leo: I'll talk to our editors, if you want.
Steve: It would be a big hit. People are saying, you know, I want all this stuff, but I've just got to go click, and then download...
Leo: Actually, the easiest thing to do would probably just be make a YouTube playlist. We could certainly do that of everything in the last, say, seven or eight years. Going back 20 years, I think that's going to take a shovel, a pick, and a miner's lamp, I think. But we might be able to do that. We'll have to figure that one out. I was, you know, it's funny, you forget, but, I mean, I was surprised when I saw that our Vitamin D episode was audio only. It's like, oh. Yeah, I guess we didn't have video all the whole time. Now the whole world says podcasts are video, which we didn't think that was the case for a while. Lot of people, by the way, in our YouTube chat and elsewhere, are saying Vitamin D saved my life. I haven't been sick in four years. Things like that. So that will be an episode to listen to next week, if you're at all interested.
Steve: The reason, I mean, there are many supplements that I take. And as I was mentioning before, before I turned 50, I had just finished SpinRite 5, I think it was, or maybe it was 6. And I didn't have anything to do. So I just started reading. I went Vitamin A, Vitamin B, Vitamin C, Vitamin D, and so on. And of all the things that I encountered and that I myself take, it is the biggest bang for the buck. It's inexpensive. It costs nothing, $15 for like a year's supply. And, I mean, there is some other stuff that's very expensive which I also believe in. But it's not - it doesn't make sense for everybody. It doesn't have the same return on investment, so to speak. So that's why Vitamin D got singled out for that podcast is I couldn't think of anything else that was easier to do. Also there are a lot of people who don't like swallowing big pills. There was something I recommended to my mom once. And she said, she called me up, she said, "Honey, this is an SUV." So she went, "I can't swallow this."
Leo: I have calcium pills that really are like horse pills. I don't know what they...
Steve: Yeah, because they're bulk. Yeah. Anyway, so Vitamin D, I mean, in fact Lorrie said to me, my wife, we were FaceTiming this morning because I left the house to come here to get an early start. And she went, while we were FaceTiming, she said, oh, she said, "I see the Vitamin D twinkling on the floor in the kitchen." Because she had dropped one, and it just disappeared because it's a little tiny droplet. So anyway, I call them "little drops of sunshine," as you will hear in the podcast. And anyway, I couldn't - I think it's just a - it's a complete win. Now you need to combine D-3 with K-2.
Leo: Right. Oh, my. We've lost you, Steve. Hold on.
Steve: Saw that.
Leo: You just disappeared.
Steve: I hear you. Oh, there I am. Weird.
Leo: I am ready for a Picture of the Week, sir.
Steve: So our title for this picture is "Rather than discarding the heat from a power-sucking Bitcoin mining rig, why not use it to heat your home?"
Leo: It looks like a furnace.
Steve: It is. It is literally, it is a Bitcoin mining furnace. So what we see, just having reverse-engineered this from the photo, AC power is coming in at the right, that big silver spiral cable going in to deliver power to it. Down below we see two silver hoses. So this is a fluid-cooled Bitcoin mining rig. And then you can see that mounted down below, that dark red in the center, is a circulating pump which then runs out off to the upper left where you see a series of hoses. So what this thing is doing is it is a radiant heating system where all those hoses are going off carrying hot water to radiators scattered around the house that have air being pushed across them. They pick up the heat from the fluid, push it into the air, returning cold fluid back to the mining rig, which then it of course reheats, and the cycle repeats. So it is a power-efficient heater.
Leo: A money-making heater.
Steve: For people who live in cold climes.
Leo: Wow.
Steve: Yes, and of course above that is a laptop sitting there hooked up to the Ethernet. You see the yellow Ethernet cable plugging in on the right. And it's connected to the mining rig monitoring the money that this thing is making while it heats your house.
Leo: Wow. Wow.
Steve: So anyway, I just - and it turns out this is a commercial enterprise. There are companies selling commercial heaters which make money at the same time.
Leo: What a world.
Steve: Very cool, yeah. And speaking, as I said, this is like - oh, there's like a weird conjunction of cryptomining all happened today, or this week. The blockchain analytics company we've talked about before, "Chainalysis," posted an interesting end-of-the-year piece just last Thursday which they titled "North Korea Drives Record $2 Billion Crypto Theft Year, Pushing All-Time Total to" - get this - "$6.75 Billion."
Leo: Oh, my gosh.
Steve: Yeah. I mean, there is, as they say, money to be made in them thar hills. So $2 million North Korea stole from just generally crypto, and we'll take a look at the breakdown here in a second, but that is - but their all-time total is $6.75 billion that North Korean hackers have made by basically figuring out how to get a hold of other people's money, thanks to, unfortunately, it's digital currency. And as we know, digital security is the reason we spend a couple hours every week here for the last 20-plus years, trying to see how we can get it right. So the article was lengthy. I'm not going to share it all. But it provides, as I said, a really interesting breakdown into today's digital assets industry. The article starts by laying out five points about North Korea. They said, first, North Korean hackers stole $2.02 billion in cryptocurrency in 2025. And this is interesting. A 51% year-over-year increase from 2024, which as I said pushed their all-time total to $6.75 billion. Now, this is interesting, too, also despite there being fewer attacks. Which means they're netting more per attack this year than they were last year. Second, the DPRK is achieving larger thefts - oh, they're making the point I did - with fewer incidents, often by - oh, here's a frightening tidbit - by embedding IT workers inside crypto services or using sophisticated impersonation tactics targeting executives. So, I mean, they're, like, sitting around, what can we do to get those fat Westerners' cash? Third, the DPRK shows clear preferences for Chinese-language money laundering services, bridge services, and mixing protocols, with a 45-day laundering cycle following major thefts. So we've talked about that before, too. In fact, it was these guys, North Korea, that was behind that massive theft, I think it was in February, I have it in the notes, where a huge amount of money was lost and then immediately, like, it dissolved into, like, across blockchains.
The idea was you don't leave it all in one place; right? You break it up into small pieces, and you start moving it around, swapping it in and out of blockchains. You want to make it difficult to find. You know, in other words, modern-day crypto laundering is now a well-established sub-industry. They said individual wallet compromises, like individual people's wallets, surged to 158,000 incidents. 158,000 individual wallets were somehow penetrated, affecting 80,000 unique victims during this year, 2025, though the total value stolen, which was $713 million, so .713 billion, 713 million, decreased from what was stolen from individuals in 2024, last year. And despite increased Total Value Locked in DeFi, hack losses remained suppressed in 2024-2025, suggesting some improved security practices are making a meaningful difference. Okay. So then, to get a little bit more flesh on this, they explain: "The cryptocurrency ecosystem faced another challenging year" - yeah, you could say that, 2.2 what billion? - "in 2025, with stolen funds continuing their upward trajectory." 51% gain, right, this year over last. "Our analysis reveals a shift in crypto theft patterns, characterized by four key developments: the persistence of the Democratic People's Republic of Korea (DPRK) as a primary threat actor in this theft industry, the growing severity of individual attacks on centralized services, a surge in personal wallet compromises, and an unexpected divergence in decentralized finance hacking trends. "These patterns emerge clearly from the data and reveal significant changes in how crypto theft is occurring across different platform types and victim categories. As digital asset adoption expands and valuations reach new heights, understanding these evolving security threats has become increasingly critical." It's worth noting, too, that, I mean, there's just a lot more of it this year than there was last year; right? 
So there's just more potential for loss with more crypto sloshing around in all of these blockchains. They said: "The cryptocurrency industry witnessed over $3.4 billion in theft from January through early December 2025." So North Korea was a huge piece of it. But 3.4 billion so far this year. Oh, and here's the one we were talking about, with the February compromise of Bybit alone accounting for $1.5 billion. Remember that they just - they really got taken to the cleaners and said, you know, please, we'll give you some if you'll give us most back. And that just never happened because, again, North Korea. So anyway, it was in March, it was toward the end of February that that Bybit hack happened which we then immediately picked up on and covered early in March of this year. And so remember that they - they meaning Bybit - used a third-party multisig wallet provider. They had outsourced their multiple signature wallet security to an outfit called, unfortunately, "Safe{Wallet}." The extremely clever North Korean hackers injected malicious code into the Safe{Wallet} domain which selectively targeted Bybit's smart contracts and their multi-signature process, which allowed them to compromise Bybit and extract all that money. But aside from all that, just during 2025, this year, the concerted efforts of North Korean hackers sitting in North Korea netted the DPRK $3.4 billion U.S. dollars in digital cryptocurrency. So you can imagine they're probably - that group of elite hackers are probably being treated quite well by the North Korean government. Chainalysis continues, explaining: "Beyond the headline figure, the data reveal important shifts in the composition of these thefts. Personal wallet compromises have grown substantially, increasing from just 7.3% of total stolen value back in 2022 - so 7.3 in 2022 to 44% two years later through 2024. And in 2025, the share would have been 37% if it weren't for the outsized impact of that single Bybit attack. 
"Meanwhile," they said, "centralized services are experiencing increasingly large losses due to private key compromises." And, you know, I've stopped talking about it because there was so much of that going on that it was like, oh, these people lost billions here and billions there. And it's like, how can there be all this money? They said: "Despite their institutional resources and professional security teams, these platforms remain vulnerable because of this fundamental security challenge. While such compromises are infrequent, their scale still drives enormous shares of stolen volume when they do occur, accounting for 88% of all losses in the first quarter of 2025. The persistence of high-theft volume indicates that while some areas of crypto security may be improving, attackers continue to find success across multiple vectors." Then I'm going to talk a little bit about that as soon as I wrap up with this. They said: "Stolen fund activity has always been outlier-driven, with most hacks relatively small, and some immense. But 2025 reveals a striking escalation," they said. "The ratio between the largest hack and median of all incidents has crossed the 1,000x threshold for the first time." Meaning the big ones have gotten far bigger, and the median attack size has shrunk such that the ratio between the largest and the median is now 1,000x. They said: "Funds stolen in the largest attacks are now 1,000 times larger than those stolen in the typical incident, surpassing even the 2021 bull market peak," they termed it. They said: "These calculations are based on the USD values of funds stolen at the time of their theft. "This growing discrepancy has concentrated losses dramatically. The top three hacks in 2025" - so the top three in 2025 - "account for 69% of all service losses, creating a landscape where individual incidents have an outsized impact on yearly totals. 
While the number of incidents may fluctuate and median losses grow with asset prices, right, because Bitcoin is like way more valuable now than it was a couple years ago, the potential for catastrophic individual breaches is escalating faster still. "The Democratic People's Republic of Korea (DPRK) continues to pose the most significant nation-state threat to cryptocurrency security, achieving a record-breaking year for stolen funds despite an assessed dramatic reduction in attack frequency. In 2025, North Korean hackers stole at least $2 billion in cryptocurrency ($681 million more than in 2024), representing a 51% increase year-over-year. This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises. So overall, 2025's numbers bring the lower-bound cumulative estimate for cryptocurrency funds stolen by the DPRK." So 2025 brings the lower-bound cumulative to $6.75 billion. In other words, they're not going to stop. I'm sure those hackers are considered elite, and they're being treated quite well. "North Korean threat actors," they said, "are increasingly achieving these outsized results often by embedding IT workers - one of DPRK's principal attack vectors - inside crypto services to gain privileged access and enable high-impact compromises. Part of this record year likely reflects an expanded reliance on IT worker infiltration at exchanges, custodians, and Web3 firms, which can accelerate initial access and lateral movement ahead of large-scale theft. "More recently, however, DPRK-linked operators have flipped this IT worker model on its head. 
Instead of merely applying for roles and embedding themselves as employees, they are increasingly impersonating recruiters for prominent Web3 and AI firms, orchestrating fake hiring processes that culminate in 'technical screens,'" as they called them, "designed to harvest credentials, source code, and VPN or single-sign-on access to the victim's current employer." Right? So they're pretending to be recruiting people from these firms, getting inside information in the process and then using that against them because they have no intention of hiring anybody. "At the executive level," they said, "a similar social-engineering playbook appears in the form of bogus outreach from purported strategic investors or acquirers, who use pitch meetings and pseudo-due diligence to probe for sensitive systems information and potential access paths into high-value infrastructure - an evolution that builds directly on the DPRK's IT worker fraud operations and their focus on strategically important AI and blockchain companies." So just think about that for a minute. I mean, basically we have a hyper-aggressive state-backed hacking community that is, I'm sure, where speaking English with as little accent as possible is highly valued, that are doing everything they can think of, every clever social engineering approach to take people's money. They said: "As we have seen in years past, the DPRK continues to undertake significantly higher-value attacks than other threat actors. As shown in the chart, from 2022 to 2025, DPRK-attributed hacks occupy the highest value ranges, while non-DPRK hacks show more normal distributions across all theft sizes. This pattern reinforces that, when North Korean hackers strike, they target large services and aim for maximum impact. This year's record haul came from significantly fewer known attacks. This shift - fewer incidents yielding far greater returns - reflects the impact of the massive Bybit hack in February.
So that thing, that separate $1.5 billion that did tend to skew a lot of these percentages and charts because, you know, that's a one-off."
Leo: You realize that North Korea's GDP is only $18 billion. So this is a significant source of hard currency.
Steve: Yes. Yes, it's a third, a third of their cash.
Leo: Yeah. This is significant. You see why they do it.
Steve: Yes, exactly. It's why they do it. And, I mean, it also ought to raise the anxiety level on the people in charge of security at, you know, all of these major exchanges, just to know that - because, you know, motivation, as we know, motivation and pushing and wanting and being as clever as you can is not something you want an attacker to have toward your organization. They will find a way in. The human factor is the weak link. I would think it would keep people, you know, executives and people in charge of security up at night wondering can they trust their own employees. Are they all really loyal and faithful? Where did they come from? I mean, they must be doing deep background checks on anybody that they hire.
Leo: Yeah.
Steve: So another way to look at this is that they are leveraging, North Korea is leveraging trust at every level. You know, they might observe and determine who provides janitorial services for an intended target, then obtain employment there and arrange to obtain access to their target's physical plant facilities. Or they masquerade as recruiters who are attempting to hire employees away from their target and use the departing employee's access and their desire to, you know, impress their would-be next employer or recruiting firm, you know, they're trying to get a higher paid job, so maybe they leak a little bit of useful insider information. Unfortunately, while we're all hard at work generating income, they're spending their time over in North Korea coming up with new and clever ways to separate us from that income we've generated. And they've got a lot of motivation.
Leo: Yeah.
Steve: Chainalysis then spends a little bit of time talking about the money laundering employed by the DPRK. But their discussion of the escalating threat from the number, if not the size, of personal wallet compromises I thought was interesting because anybody who's holding cryptocurrency. They wrote: "Through analysis of on-chain patterns, in addition to the reporting from victims and industry partners, we can gain an understanding of the magnitude of personal wallet compromises, although the true number of compromises is likely far greater. "Based on our lower bound estimates, personal wallet compromises now account for 20% of all value" - so think about that, one out of five, 20%, one fifth of all value stolen this year - "in 2025, down from 44% of the total in 2024, so it's better this year, was 44% of the total. On the other hand, remember that there was that one Bybit, 1.5 billion, which tended to skew things, representing an evolution in both scale and pattern." They said: "The total number of theft incidents surged to 158,000 in 2025, nearly triple the 54,000 back in 2022." So not just last year, but in 2022. So since three years ago, which was 54,000, it's tripled to 158,000 in this past 2025 year. They said: "These dramatic increases are likely due to greater crypto adoption. For example, Solana, one of the blockchains with the greatest number of active personal wallets, had by far the largest number of incidents, around 26,500 victims. "Yet despite," they wrote, "more incidents and victims, the total U.S. dollar value stolen from individual victims actually declined from 2024's peak of $1.5 billion" - okay, so just take that. Last year individual victims collectively, and this is lower bound estimates, the numbers that they're sure of, 2024's lost $1.5 billion. That's down about half. This year it was only - only - $713 million from individual victims.
They said: "This suggests that attackers are targeting more users, but are managing to steal smaller amounts per victim. "Network-specific victimization data provides additional insight into which domains present the greatest risk to crypto users." They said: "When measuring crime rates per 100K wallets in 2025, this past year, Ethereum and Tron show the highest rates of theft. Ethereum's large size indicates both high rates of theft and high victim count, while Tron's position shows elevated rate of theft despite a smaller active wallet base. In contrast, Base and Solana show lower victimization rates despite significant user bases. "These measurable differences highlight that personal wallet security risks are not uniform across the crypto ecosystem. The variation in victimization rates across chains with similar technical architectures suggests that factors beyond technology - such as user demographics, popular applications, and criminal infrastructure - play important roles in determining theft rates." So a bunch of information I thought was really interesting about where this whole cryptocurrency industry stands on the dark side, you know. A lot of money is leaking from people's wallets, and a lot of it is leaking over to the DPRK. And what all this says, I think, ultimately, for the end user is that anyone who is technically capable of transferring any cryptocurrency they do not need to have online into an offline wallet has nothing to lose and everything to gain. Right? It's not like you have to have it online to have its value keep increasing. No. You know, you pull your cryptocurrency offline if you can. If I today owned any appreciable amount of cryptocurrency, I would not be inclined to leave it sitting in an online account of any kind. The beauty of this technology is that another wallet can be created with a private key that has never been seen online, and the currency can be then safely transferred into that wallet under that key.
And it's true that at that point you are then utterly responsible for its safekeeping, which, yes, is a lesson that Leo and I both painfully learned the hard way back before our crypto had become, you know, before it had any value at all.
Leo: You know, there has been talk at the federal level of outlawing personal custody of wallets.
Steve: No.
Leo: Yes. Because of course then you're out of the...
Steve: Tracking.
Leo: You can't be tracked.
Steve: You're out of the system.
Leo: You're out of the system. And so they don't want you to have your own wallet. They want you to have a custodial wallet.
Steve: Wow.
Leo: This is [mumbling]. Well, and honestly I wish I had had a custodial wallet because I'd probably be rich right now.
Steve: Right.
Leo: But nevertheless.
Steve: Right.
Leo: I'm glad I didn't, and I didn't on purpose because I wanted my own wallet. Right?
Steve: Well, Leo, we didn't - there were no exchanges.
Leo: There was no money.
Steve: There was nothing. There was - Bitcoin was free. There was a bitcoin faucet that was dripping bitcoin, and you could just go get yourself some.
Leo: This is why we need time machines. All right.
Steve: Yes, that was the most expensive installation of Windows I have ever, ever made.
Leo: Don't think about it. You're watching Security Now!. That's Steve Gibson in the cute hat. I'm Leo Laporte. I've doffed my cap, but I doff it to Steve as our last episode of the year. Steve did appear on Sunday on our holiday episode of Security Now!. It was really fun. Thank you for being here with Paris Martineau and Micah Sargent. We covered all the big stories of the year.
Steve: [Crosstalk]
Leo: Three-hour marathon. Yeah, but it was a lot of fun, so I appreciate [crosstalk].
Steve: And not surprising, a lot of time was spent on AI because, after we stepped into that puddle, it wasn't easy to step out.
Leo: To get out of it. It's like a quicksand quagmire. We did a little security talk, too, though. We talked a little bit about that. On we go. Let's go. Security Now! continues on. Steve?
Steve: Okay. So last week, Amazon's AWS Security Blog shared the news of their discovery of an advanced cryptomining operation targeting AWS users whose credentials had leaked. So not Amazon's fault; right? These people had a bad password or whatever. The brief start of their blog posting reads like a sales and marketing piece, but I need to share it just as a means of establishing the context. So, you know, hold your nose. They wrote: "Amazon GuardDuty and our automated security monitoring systems identified an ongoing cryptocurrency (crypto)" - thank you for the abbreviation - "mining campaign beginning on November 2nd, 2025. The operation uses compromised AWS Identity and Access Management (IAM) credentials to target Amazon Elastic Container Service (ECS) and Amazon Elastic Compute Cloud (EC2). GuardDuty Extended Threat Detection was able to correlate signals across these data sources to raise a critical severity attack sequence finding." Whoa. "Using the massive, advanced threat intelligence capability and existing detection mechanisms of Amazon Web Services (AWS), GuardDuty proactively identified this ongoing campaign and quickly alerted customers to the threat. AWS is sharing relevant findings and mitigation guidance to help customers take appropriate action on this ongoing campaign. "It's important to note that these actions don't take advantage of a vulnerability within an AWS service. Rather they require valid credentials that an unauthorized user uses in an unintended way." Nice way to put it. "Although these actions occur in the customer domain of the shared responsibility model, AWS recommends steps that customers can use to detect, prevent, and reduce the impact of such activity." Okay. So, essentially, they're saying our GuardDog sniffed out some suspicious activity (oh, by the way, using our massive threat intelligence), and we found that bad guys were abusing our customers' accounts after having somehow obtained their IAM account credentials.
Then we begin to get to the interesting details, which are, they write: "The recently detected crypto mining campaign employed a novel persistence technique designed to disrupt incident response and extend mining operations. The ongoing campaign was originally identified when GuardDuty security engineers discovered similar attack techniques being used across multiple AWS customer accounts, indicating a coordinated campaign targeting customers using compromised IAM credentials. Operating from an external hosting provider, the threat actor quickly enumerated Amazon EC2 service quotas and IAM permissions before deploying crypto mining resources across Amazon EC2 and Amazon ECS. Within 10 minutes of the threat actor gaining initial access, crypto miners were operational. "A key technique observed in this attack was the use of 'ModifyInstanceAttribute'" - which is an API call - with 'Disable API Termination' set to TRUE. So Disable API Termination. And they wrote: "...forcing victims to re-enable API termination before being able to delete the impacted resources. Disabling instance termination protection adds an additional consideration for incident responders and can disrupt automated remediation controls. The threat actor's" - basically it's like the bad guys figured out how to turn on a firewall to prevent us from turning off their cryptominer. Right. So they said: "The threat actor's scripted use of multiple compute services, in combination with emerging persistence techniques, represents an advancement in crypto mining persistent methodologies that security teams should be aware of." Okay. So that's that. So this use of "Disable API Termination" (also known as termination protection) is a setting on an Amazon EC2 instance that prevents that instance from being terminated using AWS-provided APIs, the AWS command-line interface, or the AWS Management Console, or the API. None of them work. 
I mean, so this is obviously there, you know, the intent is to give EC2 users a means of preventing the accidental termination of some service or process that absolutely positively always needs to be present and running. So who would be surprised that bad guys who know their way around the operation of AWS EC2 compute services would enable blocking their cryptominer's termination. It's like, duh. That seems like a good thing to do. We then learn that a malicious Docker Hub image was created a few days prior to the first observed instance of this intrusion, Docker Hub being sort of like reminiscent of GitHub; right? It is a source of Docker images. So on October 29th, something with over 100,000 pulls had been created. That Docker Hub image was used to deploy crypto miners to containerized environments. Now, inside that image they found something known as SRBMiner-MULTI, the SRBMiner-MULTI binary, I'll be talking about that in a minute, for crypto mining. This specific image, having been identified as malicious - that is, the entire Docker image - has since been taken down from Docker Hub, but we know that threat actors will probably deploy similar images under different names. You know, like why wouldn't they? We know they do. The AWS security guys also discovered that the attackers employed the AWS SDK for Python, known as boto3, the user agent to deploy Python-based automation scripts throughout the entire attack chain. The crypto mining domains were asia[.]rplant[.]xyz, eu[.]rplant[.]xyz, and na[.]rplant[.]xyz, used for the miners. Now, Amazon's mention of the SRBMiner reminded me of something I had seen earlier. So I tracked down a different recent piece in The Hacker News titled "Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks." The Hacker News wrote: "Bad actors have been observed targeting Docker remote API servers to deploy the SRBMiner crypto miner on compromised instances, according to new findings from Trend Micro." 
The Trend Micro researcher said: "In this attack, the threat actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host. The attacker first checks the availability and version of the Docker API, then proceeds with requests for gRPC/h2c upgrades and gRPC methods to manipulate Docker functionalities. "The adversary," writes The Hacker News, "the adversary checks for gRPC methods that are designed to carry out various tasks pertaining to managing and operating Docker environments remotely, including those relating to health checks, file synchronization, authentication, secrets management, and SSH forwarding." Okay. So there's a bunch of Docker-specific jargon flying back and forth here. What's happening is that the Internet, it turns out, now contains of course a population of publicly accessible Docker remote API servers which should not be publicly exposed, almost certainly. And of course, when not properly secured, can be remotely exploited to accept, host, and run attacker-provided cryptominers. The Docker Docs talk about this. There's a page on Docker Docs titled "Configure remote access for Docker daemon" which says: "By default, the Docker daemon listens for connections on Unix sockets to accept requests from local clients." Local being the key word. "By default, the Docker daemon listens for connections on a Unix socket to accept requests from local clients." They said: "You can configure Docker to accept requests from remote clients by configuring it to listen on an IP address and port as well as the Unix socket," Unix sockets being a local intramachine technology. But then they have a big, impossible-to-miss warning box in a different background color. You can't miss it. And it says: "WARNING!! Configuring Docker to accept connections from remote clients can leave you vulnerable to unauthorized access to the host and other attacks. 
It's critically important," they wrote, "that you understand the security implications of opening Docker to the network." And they're not necessarily even talking about the Internet; right? Just your own whatever it is - your LAN, your enterprise, however big. Putting Docker on a network puts that machine's resources on the network. They said: "If steps are not taken to secure the connection, it's possible for remote non-root users to gain root access on the host. Remote access without TLS is not recommended, and will require explicit opt-in in a future release." Whoops. But not yet, apparently. "For more information on how to use TLS certificates to secure this connection, see [a link] Protect the Docker daemon socket." |
| Leo: This is kind of ironic because one of the things people use Docker for is to run home servers. |
| Steve: Right. |
| Leo: It's a very popular way to install self-hosted software. |
| Steve: Yup. |
| Leo: Almost always, I mean, very frequently you're going to put it online. Wow. |
| Steve: Right. Well, and so are you using it to host a server on your own machine or, you know, in a closet somewhere? |
| Leo: Yeah, on a machine right here that is open to the Internet. |
| Steve: Right. |
| Leo: Of course, the smart way to do it is with Tailscale, you know, and hide it behind a VPN and a firewall so that you have to log into the VPN, and then you have access to it on the LAN. |
| Steve: That is exactly the right way to do it. |
| Leo: It's very tempting to just say, well, I have this fine, you know, server. I'd like to put it on the Internet. |
| Steve: Right. |
| Leo: And that's how people do it with Docker very frequently. |
| Steve: So we learn that Docker themselves - this is not Docker's fault; right? |
| Leo: No. |
| Steve: Docker themselves did everything right. The default is secure, local machine-only access by clients running on the local machine, connecting to Docker through the local Unix socket interface. So it appears that there are those who wanted to have their Docker interfaces available across the network. And Leo, who knows about authentication; right? I mean, and this is the problem, you know, is that, well, I get to it. So, you know, did they intend it only for the LAN and not the WAN? Was this a misconfiguration of an important option? Or did they deliberately make their Docker instances available across the entire global Internet? Certainly they didn't intend to expose Docker itself; right? It's one thing to run a server on Docker and have that server's services exposed through the Docker container. It's different, though, to expose the Docker API itself, which then gives anybody who has access to it access to your underlying machine. So I should spend some time distilling a short list of fundamental laws of security at some point, Leo. Maybe we'll get around to that. Isaac Asimov created his three laws of robotics. This podcast could have a similar short set of laws. |
| Leo: That's a great idea. |
| Steve: If we did have such, right up there near the top would be "Never rely upon the strength of remote authentication." Period. That's it. Never rely upon the strength of remote authentication. We see instance after instance, time and time again. It doesn't work. Microsoft always thought RDP had authentication; right? I mean, you have to authenticate. You have to log in. Didn't stop pretty much anybody from logging in, you know, in its original incantations. So never rely upon the strength of remote authentication would have been one of the golden rules. So, you know, we just keep seeing that mistake being made over and over and over. But for whatever reason, Docker's API, not the services it's hosting, but its API, is being published - maybe just people don't understand, like, what they're doing. So it's like, oh, this is easy with Docker. |
| Leo: I think that's the case, yeah. |
| Steve: Yeah. |
| Leo: Because it's really easy to get up and running. |
| Steve: Too easy. |
| Leo: That's the whole beauty of it. |
| Steve: Right, yeah. So for whatever reason the Docker API is being published on the Internet, and bad guys are now scouting around looking for them. So this is a variant on the AWS EC2 case that we first talked about. In this second instance, bad guys have figured out a way to bypass several layers of intended security. Trend Micro and The Hacker News both concluded their coverage with the advice to better secure all publicly exposed instances of Docker API servers. Duh. Yeah. Okay, now, I also should clarify that this SRBMiner that was implicated in both of these instances is not in any way itself malicious. It is a beautiful piece of work, in fact. It's a CPU plus GPU miner which mines using a system's processor plus, if you've got them, I hope you do, an AMD, NVIDIA, or Intel GPU, depending upon the build of the miner. It's able to mine using up to four different algorithms at the same time, which is to say four different cryptocurrencies it's able to mine simultaneously, which is why they called it SRBMiner-Multi, because it's multi-algorithm. It's available to run on 64-bit instances of either Windows or Linux, and it can be found at SRBMiner.com. Poking around over there we see a list of interesting features: Mine up to four algorithms simultaneously. Guided setup mode. Run in background without a window. Hashrate watchdog that restarts miner on a GPU error. Monitoring of GPU temperature, and auto turnoff if temperature is too high. System shutdown on too high GPU temperature. Miner auto restarts on too many rejected shares. API to obtain miner statistics. Web-based GUI interface for miner statistics. Multiple pools with failover support. Difficulty monitor, reconnects to pool if difficulty is too high. Job timeout monitor reconnects to pool if no job received for a long time. And a bunch of other useful features. So it is distributed there on that site and also through their GitHub repo. 
The reason I wanted to share these two recent examples of surreptitious mining is that they dovetail so nicely with the Chainalysis report about North Korea. All of these instances have a single common thread. That thread is money. It's about money. It's all about money, and it's only about money. That's also, of course, the entire motivating factor behind all of the breaches and the ransomware and the extortion that we're now looking at and seeing and reporting on and which are growing. The bad guys want to obtain an advantage. And they want to leverage that advantage to get themselves as much of someone else's money as they can. They could not care less, frankly, about some random company's client list or random people's social security numbers or anything else that might be stored in an exfiltrated database. That's not money. But if they can figure out a way to turn that data - which they themselves have no interest in whatsoever - into some cold hard cash, then unfortunately for the original owners of that data, they will be highly motivated to find a way to do just that. It's all about money. They want ours. And, sadly, today's network and other security practices are proving not to be strong enough to keep them from finding ways to get our money. 153,000 wallets, what was it, 80,000 individual users, they lost some of their money because the bad guys want it. And today's security, while it seems to be improving, still isn't enough to patch the leaks of that cache. Really interesting. Yeah. Now would be another good time to take a break because I'm about to get into a really interesting question of why have our Smart TVs become so sluggish. |
| Leo: Sounds like a personal problem. But we'll get to that in a moment. You're watching Security Now! with Steve Gibson, year-end episode. So glad you're here. Let's get back to Steve and Security Now!. |
| Steve: So I ran across an interesting description of a new, quite large and distressingly capable Android-based DDoS botnet that preferentially inhabits Smart TVs. This botnet appears to be capable of generating around 30 terabits, 30 trillion bits of DDoS flood per second, and it has so many other features that would concern anyone who knew that it had taken up residence in their family's Smart TV. The security company that received a sample of this bot and reverse-engineered its operation posted their complete analysis under the title "Kimwolf" - that's their name for it, K-I-M-W-O-L-F, for reasons we'll see in a second - "Kimwolf Exposed: The Massive Android botnet with 1.8 Million Infected Devices." Remember, Leo, those quaint days when a couple thousand commandeered routers, like thousands, oh, my god, oh. 1.8 million now. |
| Leo: That's amazing. |
| Steve: They wrote: "On October 24th, 2025" - so a couple months back - "a trusted partner in the security community provided us with a brand-new botnet sample. The most distinctive feature of this sample was its command-and-control domain, it's 14emeliaterracewestroxburyma02132, that's a street address of somebody, dot su is the command-and-control domain." And get this. They wrote: "Which at the time ranked" - so that wacky domain name - "at the time ranked second in the Cloudflare Domain Rankings. A week later, it even surpassed Google.com to claim the number one spot in Cloudflare's global domain popularity rankings." They said: "There is no doubt that this is a hyper-scale botnet. Based on the information output during runtime and its use of the wolfSSL library, we have named it Kimwolf." Okay, now, just to clarify here, what they intend by citing Cloudflare's Domain Rankings is that Cloudflare tracks, ranks, and reports the popularity of the domains being used across the Internet from their view. There are so many instances of this newly discovered botnet that it was briefly taking the number one slot globally in Cloudflare's global rankings, pushing even Google down from its normally secure first slot ranking down into second place. So that is a lot of activity. Okay. So get a load of what they discovered about this massive newcomer. They wrote: "Kimwolf is a botnet compiled using the NDK (Android's Native Developer Kit). In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management functions." Okay. So it's a proxy, meaning that other traffic can be routed through your Smart TV, and stuff appears to be coming from you. A reverse shell, meaning they're able to log into your Android instance running in your Smart TV, and file management. You know, load, save, get files and so forth. 
They said: "From an overall architectural perspective, its functional design is not complex, but there are some highlights worth noting. For example, the sample that they received uses a simple yet effective Stack XOR operation to encrypt sensitive data. Meanwhile, it utilizes the DNS over TLS (DoT) protocol" - which actually is built into Android, so that would make sense - "to encapsulate DNS requests to evade traditional security detection. "Furthermore, its command-and-control identity authentication employs a digital signature protection mechanism based on elliptic curves." So the command-and-control system is now using elliptic curve digital signatures to prevent anybody else from commandeering control of the botnet. Different world than we used to be in. They said: "Where the bot side will only accept communication instructions after the signature verification passes. Recently, it's introduced EtherHiding technology" - as in Ether Ethereum - "EtherHiding technology to counter takedowns using blockchain domains. These features are relatively rare in similar malware." So this is a sophisticated little bot. "Based on our analysis results, it primarily targets Android platform TV boxes. The 'Welcome to Android Support Center' message displayed on the command-and-control backend also corroborates this. "The Kimwolf samples use a naming rule to identify version numbers. The sample previously provided by our community partner was version 4. After completing the reverse engineering analysis, we imported the sample's intelligence into the XLab's" - and these are security researchers from XLab - "into the XLab's Cyber Threat Insight and Analysis System, successively capturing multiple related samples including they've got their own copies of v4 and also the next one, v5, thus achieving automated continuous tracking of this family." Meaning that now that they're in, they will automatically be updated when the botnet system updates. 
They said: "On November 30th, we captured another new sample of this botnet family and successfully took over one of the C2" - one of the command-and-control domains - "thereby obtaining the opportunity to directly observe the true operating scale of this botnet for the first time. Based on statistics from source IP data that established connections with our registered C2 address and whose communication behavior matched Kimwolf command-and-control protocol characteristics, we observed a cumulative total of approximately 2.7 million distinct source IP addresses over the three days from December 3rd through December 5th, 2.7 million." They said: "Among them, we observed approximately 1.36 million active IPs on December 3rd, 1.83 million on December 4th, and 1.5 million on December 5th." They said: "There's an IP overlap between different dates. Analysis indicates that Kimwolf's primary infection targets are TV boxes deployed in residential network environments. Since residential networks usually adopt dynamic IP allocation mechanisms" - you know, DHCP - "the public IPs of devices change over time, so the true scale of infected devices cannot be accurately measured solely by the quantity of IPs. In other words, the cumulative observation of 2.7 million IP addresses does not equate to 2.7 million infected devices. Despite this, we still have sufficient reason to believe that the actual number of devices infected by Kimwolf exceeds 1.8 million. This judgment is based on observations in the following areas: First, Kimwolf uses multiple command-and-control infrastructures. We took over only a portion of the command-and-controls so we could only observe the activity of some bots, unable to cover the full picture of the botnet. Also, on December 4th, the number of bot IPs we observed reached approximately 1.83 million, a historical peak. 
On that day, parts of the command-and-control normally used by Kimwolf were taken down by relevant organizations, causing a large number of bots to fail to connect to the original command-and-controls and in turn to try connecting to the C2 we preemptively registered. So that means that there's an algorithm, right, we talked about this in years past, an algorithm by which the bots generate the domains which they'll be using, and it's possible to look into the future and register a domain before the bad guys get to it and then wait there for the bots to generate that domain name and then start, you know, send out DNS queries for it and then start connecting to it by IP. So they said this anomalous event caused more bots to be centrally exposed in a short period, so the data for that day may be closer to the lower limit of the true infection scale, that being 1.83 million devices. They said: "Infected devices are distributed across multiple global time zones, affected by time zone differences and usage habits - for example, turning off devices at night, not using TV boxes during holidays, et cetera. These devices are not online simultaneously, further increasing the difficulty of comprehensive observation through a single time window. And finally, Kimwolf exists in multiple different versions, and the command-and-controls used by different versions are not completely identical, which is also one of the important reasons why we cannot obtain a complete perspective. "Combining the above factors, we conservatively estimate that the actual number of devices infected by Kimwolf has exceeded 1.8 million. A botnet of such scale possesses the capability to launch massive cyberattacks, and its potential destructive power cannot be ignored. "While working hard to track new versions, we were also full of curiosity about the old versions. 
Through source tracing analysis, although we failed to capture old versions like v1 or v2, we surprisingly found that Kimwolf is actually associated with the Aisuru botnet. Kimwolf relies on the APK file to load and start it during runtime. A DEX file uploaded to Virus Total (VT) from India on October 7th showed obvious homologous characteristics with Kimwolf's APK. Subsequently, on October 18th, the parent APK of that DEX was uploaded to Virus Total from Algeria. The resource files of this APK contained Aisuru samples for three CPU architectures: x86, x64, and ARM. "We speculate that in the early stages of this campaign, the attackers directly reused Aisuru's code; subsequently, likely because Aisuru samples had high detection rates in security products - Android platforms have more mature security protection systems compared to IoT ecosystems - the group decided to redesign and develop the Kimwolf botnet to enhance stealth and evade detection." So this is an evolution, an outgrowth, of what was previously the largest, most powerful botnet known. They said: "From the monitoring data of the XLab command tracking system, statistics show that the main functions of the Kimwolf botnet are usually concentrated on traffic proxying, with a small amount of DDoS attacks. However, between November 19th and 22nd, it went suddenly 'crazy.' In just three days, it issued 1.7 billion DDoS attack commands, with the attack range covering massive amounts of IP addresses globally. This high-profile spree follows on the heels of the command-and-control domain's unprecedented rise to number one spot in global popularity. Theoretically, such a large number of attack commands and targets may not be able to produce substantial attack effects on the targets." Right? Because they're too short-lived. "This behavior may have been purely to demonstrate its own presence." "Currently, the security community's understanding of Kimwolf presents a polarized situation. 
Information in the public intelligence field is scarce, its propagation path is not yet clear, and the detection rate of related samples and their command-and-control domains on VirusTotal is extremely low. At the same time, due to the adoption of covert technologies like DoT, the association between its command-and-control and samples has not been effectively discovered. However, at the non-public threat confrontation level, the situation is entirely different. We observed that Kimwolf's command-and-control domains have been successfully taken down by unknown parties at least three times, forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability. "Given that Kimwolf has formed a massive attack scale, and its recent activity frequency and attack behaviors show a significant upward trend, we believe it's necessary to break the intelligence silence. We hereby release this technical analysis report to make relevant research results fully public, aiming to promote threat intelligence sharing, gather community strength to jointly respond to such threats, and effectively maintain cyberspace security." Okay. Now everyone has a good sense now for what's going on with this apparent descendent of the previously massive and famous Aisuru botnet. So one question is, where are these infected TV boxes? Who has them? Since these researchers were briefly in the position to be receiving incoming bot traffic to their command-and-control IP to the tune of 1.83 billion IPs - no, sorry, 1.83 million IPs - they were able to obtain the bot's demographics. Infected devices are distributed across, well, pretty much everywhere, 222 countries? How many countries are there? So the top 15 countries are, in order of most to last, the top 15: Brazil is the highest percentage of infections in consumer TV boxes of Kimwolf at nearly 15% of this 1.83 million devices are in Brazil, 14.63%. 
India's number two at 12.71%. And we, proudly, the USA at 9.58%. So we're in third place. So we are one, just shy of one-tenth of the total Kimwolf botnet infestation percentage. Argentina at 7.19%; South Africa, 3.85%; the Philippines, 3.58%; Mexico at 3; China also at 3; Thailand 2.46%; Saudi Arabia 2.37%; Indonesia 1.87%; Morocco 1.85%; Turkey 1.60%; Iraq 1.53%; and Pakistan 1.39%. So with all of the last bunch of those, Indonesia, Morocco, Turkey, Iraq, Pakistan at a little over 1%, and this being the top 15 out of a total of 222 countries, obviously there's a huge, I mean, there's a massive spread. But all the other countries... |
| Leo: It's a long tail. |
| Steve: ...are just minuscule populations. But Brazil number one, India number two, U.S.A. number three, and we've got just shy of 10%. So I'm going to share one more piece from their extensive research. They wrote: "Readers familiar with DDoS might be curious." And they have a quote: "For such a huge botnet, what level has its attack capability actually reached?" Okay. So they said: "Although we cannot directly measure it, through observations of two large-scale DDoS events and a horizontal comparison with Aisuru, we believe Kimwolf's attack capability is close to 30Tbps. First" - and they have three factoids. They said: "First, a well-known cloud service provider observed a 2.3 billion packets per second" - and remember each packet is made out of many more bits. So 2.3 billion packets per second attack at 22:09 Zulu on November 23rd, with 450,000 participating IPs. They said: "We confirmed Kimwolf's participation. "Second, a well-known cloud service provider observed an attack nearing 30 Tbps and 2.9 Gpps at 09:35 Zulu on December 9th. After data comparison, both parties confirmed Kimwolf's participation." And finally, "Cloudflare pointed out in its third quarter 2025 DDoS threat report that Aisuru was one of the strongest known botnets currently, with a control scale of millions of IoT/network devices, capable of sustaining Tbps-level attacks, and even peak attacks approaching 30 Tbps and more than 10 Bpps." So they said: "In fact, we believe that behind many attacks observed by Cloudflare attributed to Aisuru, it may not just be the Aisuru botnet acting alone. Kimwolf may also be participating, or even led by Kimwolf. These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices. They actually belong to the same hacker group." Okay, now. 
"If 9.58% of Kimwolf infections have been seen in the U.S., and if there are conservatively more than 1.8 million operating instances of Kimwolf, that's more than 172,000" - 172,000 - "Android-based Smart TVs currently infected with Kimwolf just in the U.S." These guys conclude their very thorough analysis. And I've got a link to the original posting because they did a complete reverse engineering of this bot. But they wrote: "This is the majority of the intelligence we currently possess on the Kimwolf botnet. Giant botnets originated with Mirai in 2016, with infection targets mainly concentrated on IoT devices like home broadband routers and cameras. However, in recent years, information on multiple million-level giant botnets like Badbox, Bigpanzi, Vo1d, and Kimwolf has been disclosed, indicating that some attackers have started to turn their attention to various smart TVs and TV boxes. These devices generally suffer from problems like firmware vulnerabilities, pre-installed malicious components" - yikes - "weak passwords, and lack of security update mechanisms, making them extremely easy for attackers to control long-term and use for large-scale cyberattacks. "One of our motives for disclosing the Kimwolf botnet this time is to call on the security community to give due attention to smart TV-related devices. After attackers gain root privileges on smart TVs, the resulting attacks are not limited to traditional cyberspace. Attackers can use controlled terminals to insert tampered, biased, or extreme videos. In the legal systems of many countries, inserting content without written permission violates the contract between the viewer and the TV program provider and is illegal. This is our second motive for disclosing the Kimwolf botnet this time, calling on law enforcement agencies to consider scrutinizing such suspected illegal activities related to smart TVs. 
"Against the backdrop of overlapping threats, whether ordinary TV boxes, sales channels, operators, or regulatory departments and manufacturers, all must attach great importance to the security of TV boxes. Among them, TV box users should especially ensure devices come from reliable sources, use firmware that can be updated in time, avoid setting weak passwords, and refuse to install APKs of unknown origin to reduce the risk of being infected and controlled by botnets." And remember, social techniques for penetrating trust are going to be high up on the list of what attackers do. They said: "We sincerely welcome CERTs from all countries to contact us, share intelligence and vision, join hands to combat cybercrime, and jointly maintain global cybersecurity. If you are interested in our research, or have inside information, feel free to contact us via the X platform." So as I said, I've placed a link to their entire analysis, most of which I skipped over because it's way more than what's needed here. But they provide everything anyone knows to understand and identify Kimwolf. So for anybody who wants to get a very clear look into the guts of the operation of a massively successful state-of-the-art global botnet, these guys have published that. And I would heed their advice. I can't think of anything more useful and significant than, you know, you do not want this operating inside your Smart TV. I have the feeling, Leo, that there's a huge population of non-mainstream top-drawer TV boxes, you know, available through Apple... |
| Leo: Oh, I don't think these are Apple TVs. |
| Steve: Right. AliExpress and who knows where. You know, or also-ran things on Amazon where it's just, oh, look, I can get a smart TV with Android for, you know... |
| Leo: Yes, exactly. |
| Steve: ...$25. It's like, woohoo. Yeah. And you also end up with, you know, Kimwolf preinstalled. |
| Leo: Although I doubt most TVs or TV set top boxes have much security. I mean... |
| Steve: You're right. You know, I would agree with you. |
| Leo: Yeah. Wow. |
| Steve: And I would think that typically you have to create a password with some horrible onscreen keyboard. |
| Leo: Yeah, so you're not going to do it. |
| Steve: So people are probably going xxxx. |
| Leo: Yeah, exactly. |
| Steve: In order to just make it easy for themselves. |
| Leo: Yeah, exactly. |
| Steve: So I would imagine that the passwords on these things are atrocious also. I did want to take a mention, as I said at the top of the show, to just sort of tell everybody something I really don't think I've said is that I am very pleased with the way this commercial launch of the second version of the GRC DNS Benchmark, after a year of work on it, has rolled out. It's still in the process of settling down, which is what I expected. We're now at release 4. It acquired a couple of new features. I fixed two bugs that had escaped notice until now. Windows 11, it turns out, its new Smart App Control, which I mentioned last week, did block another person's use of the product. But now we know to ask them just to try again. When they did, they had no trouble. So, you know, so far no one's been permanently blocked. But that's going to be probably an annoyance for a while. So we have a new solid commercial offering. I received a piece of email from someone who said that he'd been listening to the podcast since he was much younger, obviously, 20 years younger. And that it was underpriced at $9.95. |
| Leo: Aw. |
| Steve: So I appreciated the sentiment. |
| Leo: Nice. |
| Steve: So thank you. So anyway, I'm really happy with the way it's going. And I've got a couple more ideas for similar sort of inexpensive commercial goodies before I settle down and get to work on SpinRite 7. So that is the game plan. Let's see. Is it time for a break? |
| Leo: Yeah, it's time. It's a good time for a break. It's about 1.5 hours in. |
| Steve: Okay. Let's do that, and then we're going to do some listener feedback. And I've got one long piece that is going to be a lot of fun. |
| Leo: Okay, good. It's not much of a break here because it's the end of the year, so we're just going to say thank you. Happy holidays. We appreciate your support and your viewership, and we hope you keep listening to Security Now! in 2026. Goodness knows, things aren't going to get any more secure. |
| Steve: No sign of that, no. |
| Leo: Unh-unh, no. On we go with Security Now!. Steve? |
| Steve: Okay. So Jamie said: "Hello, Steve. Huge fan and very long-time listener. Just wanted to give you some quick information that might be helpful to your listeners. A very quick and painless way" - oh. Okay. This is about running the DNS Benchmark. It's a cool tip, though, which has much wider application. "A very quick and painless way to run the DNS Benchmark" - and I would argue and any Windows app - "on any Linux system is to install Steam, add a non-Steam executable to your library and use Proton..." |
| Leo: I didn't know you could do that. |
| Steve: Huh? Yeah. |
| Leo: I didn't know you could do that. I thought it was just the games in the Steam store. |
| Steve: Right. And he says: "...and then use Proton as the compatibility layer." |
| Leo: It's very good, yeah. |
| Steve: He says: "It takes about 15 seconds, and the Benchmark runs perfectly." He said: "And a couple of episodes you mentioned wanting some more insights into traffic entering and exiting your network. Take a look at the Netdata plugin for pfSense. If I have any bead on your interests, you might want to set aside an afternoon to dive into it. It gives you an incredibly deep and insightful look into your traffic." Then he finished: "Thanks for everything you do. Much love to you and Leo. Thanks, Jamie in Las Vegas." I took a look at the Netdata plugin, and it looks very interesting. There is a free non-subscription, you know, it lacks a bunch of features that enterprises don't need. It looks like it does everything that I would want. And so I will definitely set aside some time to take a look at it. And of course putting it in your pfSense border router is where it needs to be in order to have visibility into your entire network. There are versions for Windows and Linux. But then it would only be seeing what your own local machine is doing. So anyway, thank you, Jamie, for the tip. And as for Steam and Proton, I did a little bit of digging. And I agree with you, Leo. It turns out to be a terrific suggestion. |
| Leo: I had no idea. |
| Steve: So the path is install Steam on Linux, which is easily done. |
| Leo: Most people have already, yeah. |
| Steve: Right. Launch Steam, and then go to Add a Game. And then under Add a Game you'll find Add a Non-Steam Game. |
| Leo: Okay. It doesn't have to be a game, it could be any exe. |
| Steve: Right. Then select the Windows DNS benchmark exe. Right-click the entry Properties. And he says, and then enable "Force the use of a specific compatibility tool." |
| Leo: Okay. |
| Steve: And Select Proton. And then he said Click Play, and that's it. And it runs. So thank you, Jamie. I've been looking for a simple way to solve the "Running GRC's Windows Apps on Linux and Mac" because there's been a surprisingly strong interest in that. And I'm not done with Windows apps. So having a solution that works very easily, that's, you know, super useful. |
| Leo: Almost certainly will not work on a Mac. It would work on Linux and Windows because they're both Intel. It's the same problem with games. You can't run - you can run many Windows games on Linux, but you can't on Mac unless they're specifically ported to the Mac. |
| Steve: Okay. I do know that we've got the DNS Benchmark running on ARM Macs. |
| Leo: Yeah, but not running Steam. Using some other... |
| Steve: Oh, okay. Okay. Gotcha. Gotcha. Rick Andrews said: "Steve, in this episode you noted" - and I guess that was last week - "that the hundreds of millions of certificates" - oh, yeah, we talked about that - "issued by Let's Encrypt represented a huge risk," saying that, and he quotes me, "A billion websites are all now dependent upon a single service for their certificates." He said: "But many other public CAs, including DigiCert, offer ACME-based service to automatically obtain a certificate that chains up to one of their roots. In other words, you can use ACME with someone other than Let's Encrypt; and if more people did that, it would reduce and spread out the risk. I just wanted to clarify that. Signed, Rick Andrews." So Rick is absolutely correct. To the best of my knowledge there are only two providers of Domain Validation (DV) web certificates who offer them at no charge. Okay, now, I actually learned something after these show notes arrived yesterday early afternoon, in the mailbox of someone who has a site devoted to ACME protocol development. It turns out Google has a service that I will have more to say about next week. I just learned about it after everything was assembled. But so it's Let's Encrypt and Google's is no charge also. The one that I knew about was one called ZeroSSL. Unfortunately, ZeroSSL wants to sell you stuff. They show that their free certs are limited to three per customer. What? Okay. They also require you to create an account, verify your email, and all that rigmarole which we're all too familiar with. So in my opinion, there is only Let's Encrypt, and now I know about Google, who has the fundamentally correct ethics around truly free certificates. 
But looking at the point that Rick has made another way, it's utterly obvious that with the shortening lifecycle of TLS web certificates eventually marching down to 47 days, ANY certificate authority that wishes to remain in business must already have, or rapidly be working to, bring ACME certificate issuance automation online. You're not going to be in business unless you can, like, offer your customers ACME. And thinking about this caused me to wonder who exactly IS paying the bills for Let's Encrypt, because users aren't. A service that, as we know, is wonderful to have, but it's also quite easy to take for granted. You know, you set it up. You forget it. The problem is solved. But a number of times we've looked at the scaling, we've talked about this, you know, in the not-too-distant past, that Let's Encrypt needs to do, especially as certificate lifetimes continue to shorten because that means that they're going to be like way busier than they were before. So again, is Let's Encrypt really and truly a free lunch? After a little bit of digging, here's what I found. First of all, as I noted last week, Let's Encrypt is operated by and is a service of the nonprofit Internet Security Research Group (ISRG). And the ISRG is funded entirely through charitable contributions, through sponsorships and grants and donations from individuals and corporations that are supporting it. And 100% of its funding comes from these contributed sources rather than from any user fees. So who? Google, the Mozilla Foundation, Cisco, OVHcloud, Facebook/Meta, AWS, Shopify, Nginx, the Internet Society, SiteGround, Automattic, Hostpoint, Discourse, Infomaniak, and PlanetHoster are the officially recognized supporters for ISRG. And the EFF and the Ford Foundation are also backers, as well as the Open Technology Fund. So I had never really stopped to think about the question of who pays for all this because, you know, they're taking on a seriously big responsibility; right? 
They're talking about crossing into a billion sites being supplied with certificates, and a huge volume of certificate reissuance on an ongoing rolling basis, crossing significant thresholds last year. So I'm not yet using Let's Encrypt certs. I'm still happily with DigiCert because I last purchased certs at a time when they still had a long life. But the decisions that the CA/Browser Forum has made regarding web certificate lifetimes mean that I'll be moving to Let's Encrypt, and I also plan to be voluntarily supporting Let's Encrypt, much the way I do Wikipedia, because having access to Let's Encrypt is a privilege I think that should never be taken for granted. They are doing a lot of work for us and maintaining a massive network. And I hope they never go offline. But this brought me to wonder about the stance of a major - actually THE major - certificate authority with whom I have proudly hung my hat since I left VeriSign. As a DigiCert customer I've received their email announcing their support for ACME certificate issuance automation years ago. You know, they're completely up to speed and raring and going forward. And I like DigiCert, so I wanted to be certain that I would not be able to remain with them. Like maybe they offer the same thing Let's Encrypt does. So I went over to DigiCert and used their site-search to search for "Free SSL/TLS Certificates." The first link that came up was titled "The Fraud Problem with Free SSL Certificates." And I thought, oh? This ought to be interesting. What does the company that's never been in the business of issuing free certificates have to say about those who do? So here's DigiCert's take on why they do not offer free web certificates. They start off: "SSL Certificates are the de facto standard for online trust today. SSLs are so important to online security that Google gives a ranking boost to sites that secure their content with HTTPS." And I thought, wait, what? You cannot have a site today that's not HTTPS. 
I mean, Google probably won't even list a site that's not HTTPS. So I was already curious like, what was going on due to their use of the abbreviation SSL, right, rather than TLS, which has completely supplanted it. So I went looking for a date on this posting, and I found it. That was written April 6th, 2015. So this is 10.5 years ago that they had, you know, the fraud problem with free SSL certificates. I still wanted to know what they thought, especially since their policy hasn't appeared to change. And I wanted to see whether there might be anything there to learn. So they wrote: "Savvy Internet users have come to recognize and expect that any website asking for sensitive or personal information to display the universal symbol, the padlock, before typing in any sensitive information. In a Tech-Ed survey, users reported that without knowing the identity of the organization conducting business, over 35% would reconsider entering a credit card number from a site using a plain SSL Certificate." So they say: "Are SSLs less trustworthy than we think? To answer this question, we have to consider the fact that not all SSL Certificates are created equal." So then they diss on DV, on Domain Validated certificates, saying "No identity verification is done. The Certificate Authority (CA) sends an automated challenge email, and the site owner clicks on a link to approve the certificate. Information is encrypted, but no assurance is made that the organization should be trusted. Because of the lack of trust and the frequent use for fraudulent purposes, DigiCert does not issue cheap domain validated certificates." Now, they didn't say "free." Right? They said "cheap." So they then talk about Organization Validation, Extended Validation, and saying that the problem with free certificates is that you know nothing about the person behind them. So, okay. We understand that. Right? 
And I had also forgotten, when talking about organizations that offer free SSL, I'd forgotten about Cloudflare. While Cloudflare is not an ACME user, right, because they've got their whole other own infrastructure, anyone using Cloudflare's hosting, including their free tier, gets HTTPS connections at no cost. So a website with an SSL certificate or TLS certificate, you know, gets that benefit just by using Cloudflare. Anyway, they go on, basically, to talk about upselling EV. Unfortunately, we know that EV no longer matters at all because years ago, when the presence of EV certs was apparent in the browser chrome, I took the time to do it, all the browsers backed off of that, stopped showing you anything special because, you know, the contention was that users were being confused by this, you know, the extra green or whatever it was that the browsers were showing. They were supposed to be trusting that, but bad guys could get bad EV just as they could get, you know, bad OV or DV. So we know that all of that's changed. No more benefit for extended validation. No more special treatment for code signing of extended validation. Microsoft also backed off of any special treatment there. So, you know, I was looking for some contemporary benefit to justify an investment in something beyond a domain validation, and I don't find it. I get it that they've got a strong enterprise, they, DigiCert, a strong enterprise certificate presence. But, you know, they're just not going to be competing in the free certificate business, and we know that Let's Encrypt is now about two-thirds of all the certificates on the web. And that's going to be going up as people migrate to look for an automated solution. And they're getting what they need; right? They're getting domain validation. They're getting authentication of their domain, and they're getting secure encryption for their visitors, and that's all you need. 
I also ought to mention that the BIMI certificates require extended validation assurance, which surprised me when I had to do it. And it just surprised me again. I needed to get re-EV certified in order to renew my BIMI, remember BIMI allows me to have a logo in my email. And I went through all of that back when I was bringing GRC's email system up to speed. Sue, my office manager, first needed to make an appointment in order to be present at our official corporate phone number, which is published in some directory. There are several that they use. Dun & Bradstreet is one, for example, so that you are a known business entity. It turns out that appointments were booking four days out at that point, so we had to wait for that. Once that was done, I needed to engage in another video conference similar to the previous one. Remember that I first had to send DigiCert a high-resolution photo of my driver's license, then in front of a camera I followed instructions to look into the camera, then hold the same driver's license up next to my face, move it around, pass my other hand between my face and the driver's license. The very nice and patient young woman who was on the other end of the Zoom call, who this time had her camera on, she explained that the hand waving was to prevent any sort of green screen from being used in order to spoof this validation. So, and finally, after a lot of jumping through hoops, my organization was requalified for Extended Validation. So it is a huge annoyance which I am glad I will probably no longer do again. There's no point for having EV certificates. There's no point for having EV code signing. All of that has sort of drained out of the system. And I'm hoping that when this next, in a year from now, when this BIMI certificate expires, or whenever my EV qualification expires with DigiCert, that I'm just going to go without it. 
By then I hope that GRC will have established itself as a well-known enough email provider that I can just go BIMI-free. And, I mean, I understand the motivation behind it. I get it that the industry wants the use of BIMI to actually mean something. But having it on every single piece of GRC's email from the start, which I did, did not apparently earn GRC any, you know, useful get-out-of-jail free card. I still needed to battle the spam gods and establish GRC separately. So anyway, returning to Rick's original point, where he wrote: "But many other public CAs, including DigiCert, offer ACME-based service to automatically obtain a certificate that chains up to one of their roots," again, absolutely right. As I said, you are not in business as a certificate authority moving forward if you don't support certificate automation because it's coming down to three weeks eventually of certificate life. But it appears to me that Let's Encrypt, and now I understand Google, are in the unique position of having a business model, in the case of Let's Encrypt always free, in the case of Google they're able to give anything they want to away for free because they're Google, and they have the network that they have, those two entities have business models that allow them to offer hassle-free, automatically issued and re-issued TLS web certificates. And frankly, I don't see any reason, given what the CA/Browser Forum has done, for anyone paying for encryption and domain-level authentication on the Internet. We've solved this problem. We just need now to keep it online and available and free. So as I said, once I start using Let's Encrypt certs, I plan to be sending them some money, as I do Wikipedia, because I think it's really a service that is worth something. |
| Leo: Good, yeah. |
| Steve: So thank you, Rick, for a really terrific discussion point. Jason Townsend reminds us of an old saying that's, sadly, less and less true today. He said: "Back in the '90s in a UK computer magazine there was a picture of a dog using a computer. I have it in the show notes, actually. The caption was 'The best thing about the Internet is that no one knows that you are really a dog.'" And he said: "Sadly, it's getting more and more difficult to be a dog or a kangaroo on the Internet, and the days of anonymity are fading fast." And so Jason of course is referring to the famous New Yorker magazine cartoon that was published on July 5th, 1993. And it shows a dog sitting in front of a computer talking to another one who's standing on the floor looking up at him. And it says, "On the Internet, nobody knows you're a dog." So I got a kick out of that because, as Jason says... |
| Leo: That was an innocent time, wasn't it, 1993. |
| Steve: It was, 1993, yup. Jeff Root said: "Steve, Australia has done us a service, in that we now have great discussions about an important topic. Your piece was great, and got even better when Leo weighed in. But I think your insistence that age verification be 'privacy protecting' is wrong-headed. Assume Apple and Google solve this problem perfectly. Now you go to a website, maybe an online liquor store, and they use the age verification system which reveals nothing other than you are above a certain age. Now what? "Now you are let into a website which is chock full of Google Analytics, Cloudflare Analytics, probably fronted by Cloudflare, and containing JavaScript code from 30-50 other random sites. Security Now! has long reported on how easily ISPs and data brokers can de-anonymize users. So where's the privacy? And how has that effort to produce a 100% private age verification system made it harder for sites and data brokers to identify you?" His point is, it hasn't. He said: "I would suggest that Leo was right. The answer is not an Apple App, the answer is regulation and enforcement. Data brokers should be tightly regulated. Sites should be required to collect only such information as is necessary to render their pages, or transact their business. What we need is a fully private and anonymous Internet, not yet another app which gives the illusion of privacy. Just my opinion. Keep up the good work. Jeff Root in San Diego, California." |
| Leo: Yeah. You mentioned this on Sunday on TWiT. I remember, yeah. |
| Steve: Yup. I think Jeff makes a very valid and an ironic point about the idea of preserving privacy absolutely while gaining entry to a website where forces that are often far beyond any visitor's control are all about tracking and profiling and doing everything possible to dissolve whatever privacy its users may imagine they have. And as for websites not collecting any information beyond that which is required to render their pages, the only way I can see that happening would be if the EU were to make that a requirement, much as they did with the cookie disclosure and permission pop-ups that they have made the entire world endure. They really did manage to change website behavior. It happened to be for the worse. But I doubt we'll see the EU enforcing website privacy since remember it was the European advertising and tracking companies that are profiling just as much as companies everywhere else. And they were the ones who caused the EU to kill Google's hopes for the Privacy Sandbox initiative that would have allowed interest profiling without cookies or tracking. So I have a feeling we're pretty much stuck with the current business model that we have today. |
| Leo: Yeah, I think you're right. |
| Steve: And Leo, our last break, and then we're going to look at a naughty little PNG icon. |
| Leo: This is a wild story. You're watching Security Now!. All the stories are wild on Security Now!. Every Tuesday, hope you'll join us. We're going to take a break next week, as I mentioned. It's our Best Of episode, a 2009 episode about Vitamin D. After that we come back to work on January 6th, and every Tuesday thereafter, right after MacBreak Weekly. So that's about 1:30 Pacific, 4:30 Eastern, 2130 UTC. You can watch us do the show live if you're in the club, in the Club TWiT Discord. Everybody can, if they want to, watch the live version on YouTube, Twitch, X.com, Facebook, LinkedIn, and Kick. You can chat with us, too. I'm watching the chats from all of the above. This show, I think more than any other show we do, I think it's the largest live audience. I might be wrong, but I feel like this is the biggest live audience of the week. So welcome to you all. You don't have to watch live, of course. We have on-demand versions of this show at our website, TWiT.tv/sn. Steve's got it at his website. Actually, Steve has some unique versions: a 16 kbps audio version; a 64 kbps audio version. He has the show notes, which we refer to often, which you can download there. And he also has a transcript written by an actual human being, Elaine Farris, she does a great job. So all that's at GRC.com. While you're there you can sign up for Steve's email whitelist so that you can send him email, GRC.com/email. |
| Steve: Get lots of feedback from our listeners. |
| Leo: Oh, good, I bet, yeah. It's a great way to get feedback, I think. He also has forums that are very active, so you can go there. There's really a lot of ways to interact with the show. Hope you will, and I hope you will listen on a regular basis. If you can't listen live, download a copy. You can also just do it in your favorite podcast client. Subscribe. Steve. |
| Steve: And we do have archives available for everything else. |
| Leo: All the shows. |
| Steve: So if you end up, you know, thinking, yeah, well, what am I going to listen to today? Then... |
| Leo: That's a good idea. Kind of get - I know there are people who get extended education credits and so forth by listening to Security Now!. It's a really educational show. It's a good use of your time. |
| Steve: Yeah, it does qualify for the ongoing security credits. And somewhere we have a semi-truck driver who is... |
| Leo: That's right. |
| Steve: ...consuming 70 hours a week of this podcast and catching up rather quickly. |
| Leo: We're kind of watching along with amazement as he listens to the show. Steve. Let's go. On with the show. |
| Steve: Okay. |
| Leo: I want to know about this PNG thing. |
| Steve: KOI is the name of the company, K-O-I, who fashion themselves an endpoint security company. Last Tuesday, they published a nice descriptive piece that I just - it was well written. I liked it. I wanted to share it, about their recent discovery which, as I said, it immediately caught my eye and imagination, as I imagine it might catch our listeners'. Under their headline "Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users," they explained: "Every extension" - meaning browser extension, Firefox extension in this case - "every extension has a logo, a tiny image sitting in your toolbar, a visual shorthand for trust. You glance at it, you recognize it, and you move on. You probably never think about what's actually inside that file. The authors of GhostPoster are counting on that. Our risk engine, Wings, flagged anomalous behavior in a Firefox extension called Free VPN Forever." And I'll just interrupt to say it should come as no surprise that malicious FreeVPN offerings are beginning to crawl out of the woodwork as the UK, the EU, Australia, and various U.S. states such as Texas and Mississippi begin limiting who can access their services based on their location. So beware of, you know, the FreeVPN. Koi continues, writing: "The Firefox extension was reading its own logo file, standard behavior, but then doing something unusual with the raw bytes. When we dug into the code, we found a hidden extraction routine. The extension wasn't just displaying the logo. It was searching through the logo's image data, looking for a marker that shouldn't be there." It was actually three equal signs. They said: "Inside that friendly little planet icon, past where the image data ends, we found malware embedded in the bytes of the PNG image file itself, waiting to be extracted and executed. Free VPN Forever has been on the Firefox Add-ons marketplace since September of 2025, with over 16,000 downloads and installations. It's still live as of this writing. 
And it's not alone. The campaign spans 17 Firefox extensions with over 50,000 combined downloads and installations. Extensions promising free VPNs, translation tools, weather forecasts, ad blocking, the usual lures. What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away your browser's security protections, and opens a backdoor for remote code execution." Okay. So clearly, since PNG images are defined to contain non-executable image data, the authors of this malware must have assumed, apparently correctly, that the files of type PNG would not be closely scrutinized by anti-malware scanners and would be allowed to pass. And you're not expected to understand what's in an image, especially a PNG because they are encrypted bitmaps. Which makes them very efficient. They don't blur the way JPEG does. So you wouldn't expect to understand what's there. Koi continues, writing: "When Free VPN Forever loads, it fetches its own logo file, logo.png. Standard behavior for any extension. But then something unusual happens. The code starts searching through the raw bytes of the image, looking for a marker: three equal signs. Nothing after that marker is image data. It's malicious JavaScript, hidden in plain sight. The technique is called steganography, hiding information inside something that looks completely innocent. Security scanners examining the extension's JavaScript files won't find the payload. Code reviewers won't see it. The logo displays normally in your toolbar. Nothing looks wrong. But every time the extension loads, it extracts the hidden code and runs it. "The code pulled from the logo isn't actual malware. It's a loader, a small program whose only job is to fetch the real payload from a remote server. The loader reaches out to www.liveupdt[.]com. If that fails, it tries the backup: www.dealctr[.]com. The request includes a signature parameter, so the attackers can track which infected extensions are checking in. 
"But the loader doesn't phone home every time. It waits 48 hours between check-ins. And even then, it only actually fetches the payload 10% of the time randomly. The other 90% it just doesn't. Random chance. This is deliberate. Security researchers monitoring network traffic might watch an infected extension for hours and see nothing that looks suspicious. The malware is patient. It knows that inconsistent behavior is much harder to catch than consistent behavior.
"When the payload does arrive from the command-and-control server, it's not readable JavaScript. It's been transformed using a custom encoding scheme. The decoding algorithm is almost playful in its simplicity: Swap all lowercase letters to uppercase, and vice versa. Swap all eights with nines and vice versa. Base64 decode the result. The decoded payload gets XOR encrypted using a key derived from the extension's unique runtime ID, then stored in local browser storage. Persistence achieved. And now it gets interesting.
"The final payload pulled from the command-and-control server, decoded, and executed, is a comprehensive toolkit for monetizing your browser without your knowledge using affiliate link hijacking. The malware watches for visits to major e-commerce platforms. When you click an affiliate link on Taobao or JD.com, the extension intercepts it. The original affiliate, whoever was supposed to earn a commission from your purchase, gets nothing. The malware operators get paid instead. It's invisible to the user. You still end up on the product page. You still make your purchase. The only difference is who gets the commission.
"And then there's the Tracking Injection: The malware injects Google Analytics tracking into every page you visit. Tracking ID is UA-60144933-8. It collects your extension installation date, how many days you've been infected, which merchant networks you visit, and a unique identifier tied to your browser. Hidden HTML <div> elements get injected into pages with IDs like extwaigglbit and extwaiokist. These elements contain tracking attributes, installation days, signatures, merchant network data, that can be read by scripts on the page or by the extension itself. You're being profiled, and you'd never know it.
"Then there's the Security Header Stripping: The malware actively removes security headers from HTTP responses. Content-Security-Policy - gone. X-Frame-Options - gone. These headers exist to protect you from clickjacking and cross-site scripting attacks. The extension strips them from every response, on every site you visit. Your browser's security model is quietly dismantled.
"And then there's the CAPTCHA Bypass: The malware includes multiple methods for bypassing CAPTCHA challenges. One method creates an invisible overlay that simulates user interaction. Another loads an external CAPTCHA solver from refeuficn.github.io. A third checks if you're logged into Baidu and uses your account status as verification. Why would malware need to bypass CAPTCHAs? Because some of its operations, like the hidden iframe injections, trigger bot detection. The malware needs to be able to prove it's human to keep operating.
"What was that about Hidden Iframe Injection? The extension injects invisible iframes into pages, loading URLs from attacker-controlled servers. These iframes enable ad fraud, click fraud, and additional tracking. They're created, used, and deleted, leaving no visible trace. Referrer policy gets manipulated to hide the traffic's source. The iframes disappear after 15 seconds. Forensic analysis would need to catch them in the act.
"What makes GhostPoster effective isn't any single technique, it's how they're layered together. Steganography hides the initial payload where scanners won't look. Staged uploading means the actual malware never exists in a file, it's fetched at runtime. Custom per-browser encoding defeats pattern matching. Random delays and probability checks make behavior inconsistent and harder to observe. Time delays prevent the malware from activating until six-plus days after its installation, long after most security researchers and reviews would have concluded. XOR encryption protects stored data from casual inspection. Each layer isn't particularly sophisticated on its own. Combined, they create something genuinely difficult to detect.
"Free VPN Forever is not alone. We found 16 other Firefox extensions communicating with the same command-and-control infrastructure - liveupdt.com and dealctr.com. Different extensions, different lures, same backend. Some use the PNG steganography technique. Others download JavaScript directly and inject it into every page you visit. Others use hidden eval() calls with the command-and-control domains encoded using custom ciphers. Same attacker. Same servers. Different delivery mechanisms. This looks like experimentation, testing which approach evades detection the longest, which gets the most installs, which generates the most revenue. Collectively, these extensions have been installed over 50,000 times.
"And GhostPoster isn't the first time we've seen free VPN extensions turning malicious. It's becoming a pattern. Earlier this week, we exposed Urban VPN Proxy - a Google-featured extension with eight million users that was secretly harvesting AI conversations from ChatGPT, Claude, and Gemini, and selling them to data brokers. Before that, FreeVPN.One - another featured, verified extension with 100,000-plus installs - was silently capturing screenshots of everything users browsed, including bank accounts, private photos, and sensitive documents. Free VPNs promise privacy, but nothing in life comes free. Again and again, they deliver surveillance instead. What makes GhostPoster dangerous isn't any single technique. It's the access. These extensions strip your browser's security headers on every site you visit. They inject code into every page you view. They maintain a persistent connection to attacker-controlled servers, waiting for instructions. The payload can be updated at any time. What runs in your browser tomorrow is entirely up to them.
"The steganography is clever. The layered evasion techniques show operational maturity. But the real threat is simpler: 50,000 users installed extensions that gave attackers full control over their browsers, and those extensions are still live on the Firefox Add-ons marketplace."
So to give everyone an idea of the sort of extensions, they list the names of the actual ones they found. We've got free-vpn-forever, screenshot-saved-easy, weather-best-forecast, crxmouse-gesture, cache-fast-site-loader, freemp3downloader, google-translate-right-clicks, google-traductor-esp, world-wide-VPN, dark-reader-for-ff, translator-gbbd, i-like-weather, google-translate-pro-extension, libretv-watch-free-videos, ad-stop, and right-click-google-translate. Needless to say, when you know what this stuff is doing, nobody wants this sort of crap lurking inside their browser and tremendously reducing its native security guarantees by removing all incoming website security measures which prevent all manner of other hijinks. We've seen that movie. It doesn't end well. There's not really anything anyone can do. You know, these things snuck past the observers trying to keep the store clean. Google has featured VPNs with eight-plus million downloads that are malicious. The original admonishment that we gave is still operative and still applies: Don't just rummage around adding every random browser add-on that presents itself and looks like it might be fun. Do everything you can to limit your usage to those only that you really need. Remove any that you downloaded thinking you would use it and then haven't. Get rid of it. Just, you know, practice, you know, safe hygiene of Internet use with your browser.
As we have said, the browser is the window to the Internet. You know, keeping it secure is really important. These things destroy that. |
| Leo: It's just a natural attack vector, too. |
| Steve: Yes. |
| Leo: I mean, that's the place you want to be if you're going to attack somebody's machine. |
| Steve: So much sense that they would, yup. |
| Leo: Yeah. Yeah. That's just - it's really interesting to see how clever and determined these guys are, and all the little ins and outs, the funny names they give their functions and... |
| Steve: Yeah, we're just not equipped to deal with, due to the nature of security and the human factor on our end, the amount of effort that North Koreans are willing to expend to penetrate... |
| Leo: There's nothing else to do. |
| Steve: Yes, exactly. |
| Leo: It's amazing. It really is. Yeah, they're much more devoted attacking us than we are defending ourselves. |
| Steve: Yeah. I mean, and a lesson we learn about, you know, humanity is somebody who really wants something really bad who just keeps pushing for it often gets it. |
| Leo: Often get it, yeah. |
| Steve: Other people are like, well, yeah, okay, fine. |
| Leo: Okay, fine. |
| Steve: If that's what you want. |
| Leo: I don't have the energy. |
| Steve: You know? |
| Leo: Well, and I know you have the energy. You're like the Energizer Bunny. All year long you've been cranking them out. We thought, you thought you'd be done last year at 999. But no, a whole year has come and gone, and you've delivered us some wonderful shows. Thank you, Steve Gibson. |
| Steve: That's my pleasure. I like doing it. I like having listeners. I like the feedback. I like writing code. And I appreciate the support of people buying my stuff. It keeps it going. |
| Leo: You're living in heaven right now. |
| Steve: Couldn't be any better. |
| Leo: GRC.com's the place. That's where you get a copy of SpinRite, the world's best mass storage maintenance and recovery utility. His brand new tool, the DNS Benchmark Pro, only $10. $9.95, pardon me. Save a nickel. Both of those are available there right now. He puts a lot of thought into everything he writes. It's always good stuff. Just browse around at GRC.com. You'll find lots of goodies. |
|
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2026 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy. |
| Last Edit: Dec 29, 2025 at 10:49 |