Weekly Summary Cyberattacks December 11-17
Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users
Cybersecurity researchers disclosed details of a malicious Firefox extension campaign, dubbed GhostPoster, in which attackers embedded executable JavaScript malware inside PNG logo files used by browser extensions, ultimately infecting more than 50,000 users. The activity was uncovered after a risk engine detected anomalous behavior in the Firefox extension Free VPN Forever, which was observed reading its own logo file and parsing the raw image bytes to locate a hidden payload. Analysis revealed that malicious JavaScript code had been appended beyond the legitimate image data of the PNG file, marked by a delimiter string, allowing the extension to extract and execute the code at runtime while the logo continued to display normally.
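The technique described above, a script appended after the end of an otherwise valid PNG, is easy to check for: a well-formed PNG ends with its IEND chunk, so any bytes after that chunk are not image data. The following is an added example, not code from the GhostPoster report or from any of the extensions named on the page. It walks the PNG chunk structure, returns whatever trails the IEND chunk, and flags script-like tokens in that trailer. The sample logo, the `<<PAYLOAD>>` delimiter and the appended snippet are constructed placeholders (the report's actual delimiter string is not given on the page).

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Tokens a defender would expect in JavaScript but never in image data.
SCRIPT_MARKERS = (b"function", b"eval(", b"=>", b"document.", b"fetch(", b"browser.", b"chrome.")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit RGB PNG. Constructed sample standing in for an extension logo."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One filter byte (0 = None) per scanline, then three zero bytes per pixel.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_trailing_data(blob: bytes) -> bytes:
    """Return every byte after the IEND chunk (empty for a clean file).

    Only the chunk layout is walked; CRCs are not verified, since the question here
    is whether data exists beyond the image, not whether the image is intact.
    Raises ValueError for anything that is not a well-formed PNG.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header, no IEND found")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(blob):
            raise ValueError("truncated chunk data")
        if ctype == b"IEND":
            return blob[end:]
        pos = end


def scan_png(blob: bytes) -> dict:
    """Summarize a PNG for trailing data. Any trailer at all is a finding for an extension asset."""
    trailer = png_trailing_data(blob)
    markers = [m.decode() for m in SCRIPT_MARKERS if m in trailer]
    return {
        "trailing_bytes": len(trailer),
        "script_markers": markers,
        "suspicious": len(trailer) > 0,
    }


# Constructed samples: a clean logo, and the same logo with a delimiter and a
# stand-in script appended, mimicking the layout the report describes.
CLEAN_LOGO = build_png()
TAMPERED_LOGO = CLEAN_LOGO + b"<<PAYLOAD>>" + b"(function(){ /* constructed stand-in */ })();"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_LOGO), ("tampered", TAMPERED_LOGO)):
        print(name, scan_png(blob))
```

Run over an unpacked extension directory, the check is cheap enough to apply to every `.png` shipped with an extension; a non-zero trailer on a logo file is worth a manual look regardless of whether script markers are present, since a loader could encode or compress the appended payload.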
8 Million Users' AI Conversations Sold for Profit by "Privacy" Extensions
Security researchers revealed that more than eight million users had their AI chatbot conversations silently collected and sold for profit by widely trusted browser extensions marketed as privacy and security tools. The investigation uncovered that Urban VPN Proxy, a Chrome extension with over six million users and a Google "Featured" badge, contained functionality specifically designed to intercept and exfiltrate conversations from major AI platforms, including ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI.
PyStoreRAT: A New AI-Driven Supply Chain Malware Campaign Targeting IT & OSINT Professionals
Cybersecurity researchers at Morphisec disclosed a new supply chain malware campaign that abuses GitHub-hosted Python repositories to distribute a previously undocumented, JavaScript-based remote access trojan (RAT) dubbed PyStoreRAT, primarily targeting IT professionals, developers, and OSINT practitioners. The campaign relies on GitHub repositories masquerading as development utilities, OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities, many of which contain only minimal loader code that silently downloads and executes a remote HTML Application (HTA) file using mshta.exe. Once executed, the HTA payload delivers PyStoreRAT, a modular, multi-stage implant capable of executing EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules, and deploying the Rhadamanthys information stealer as a secondary payload.
GOLD SALEM Tradecraft for Deploying Warlock Ransomware
Cybersecurity researchers reported that the financially motivated cybercrime group GOLD SALEM conducted 11 intrusions between April and September 2025 that were assessed with high confidence to be Warlock ransomware operations or ransomware precursor activity. CTU identified six incidents involving attempted ransomware deployment and five additional compromises exhibiting preparatory behavior consistent with Warlock tradecraft. The activity affected organizations across multiple sectors, including agriculture, government, energy, industrial services, and technology-related industries.
New Spiderman Phishing Service Targets Dozens of European Banks
A newly identified phishing-as-a-service framework known as Spiderman has emerged as a major multi-country threat targeting customers of dozens of European banks and financial platforms. The professionally structured kit enables even low-skill threat actors to rapidly deploy pixel-perfect phishing pages, automate credential theft, and manage victim sessions through a highly polished control panel. Unlike traditional single-bank phishing kits, Spiderman consolidates login page replicas for numerous institutions.