Malware Activity
Hidden Malware Campaigns and Data-Stealing Tools
Recent reports describe two tools built to spy on and steal from users. The first, a campaign called GhostPoster, hides malicious JavaScript inside the logo images of 17 Firefox extensions, such as VPNs and ad blockers, many with over 50,000 downloads. Because the code is concealed in an image file (steganography) rather than shipped as a visible script, it survives a casual review of the extension's files; once the extension extracts and runs it, the script can monitor browsing, hijack affiliate links, and inject tracking code without the user noticing. GhostPoster does not steal passwords directly, but it still compromises privacy, and an extension that can pull hidden code out of its own assets and run it can be turned into something more dangerous later. Separately, a newly marketed malware tool called SantaStealer targets passwords, cookies, chat logs and cryptocurrency wallet data from browsers and messaging apps. It is built to run covertly and is most likely to arrive through phishing or malicious downloads. Both incidents show why browser add-ons deserve the same scrutiny as any other software installed on an endpoint: remove extensions that are not needed, review the ones that remain, and treat unexpected links and downloads with suspicion.
- BleepingComputer: GhostPoster Attacks Hide Malicious JavaScript in Firefox Addon Logos
- TheHackerNews: GhostPoster Malware Found In 17 Firefox Add-ons With 50,000+ Downloads
- BleepingComputer: New SantaStealer Malware Steals Data from Browsers, Crypto Wallets
Threat Actor Activity
Venezuela’s Oil Giant, PDVSA, Suffers Cyberattack Amid Rising US Tensions
Venezuela’s state-owned oil company, Petroleos de Venezuela (PDVSA), recently suffered a cyberattack that disrupted its export operations, although the company says the impact was limited to administrative systems. The attack comes amid heightened tensions between Venezuela and the U.S., following the seizure of a Venezuelan oil tanker by U.S. authorities. PDVSA and the Venezuelan government have accused the U.S. and domestic conspirators of orchestrating the attack to undermine national stability and seize control of Venezuelan oil resources. Despite PDVSA’s assertion that operational areas were unaffected, internal sources indicate that the systems managing the country’s main crude terminal remain offline, halting oil cargo deliveries. The company instructed staff to disconnect from the network and shut down their computers as a precaution. Sources report that oil output, refining, and domestic distribution were not affected, but exports have been severely disrupted, with more than eleven (11) million barrels of oil stuck on vessels in Venezuelan waters. The attack is believed to be a ransomware incident in which malicious software encrypted files and may also have stolen data. PDVSA has reportedly recovered, but the effects continue: loading instructions remain suspended and tankers are turning back.
Vulnerabilities
Active Exploitation of Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities
Threat actors are actively exploiting two critical Fortinet authentication bypass flaws to gain administrative access to affected devices and exfiltrate system configuration files, with exploitation observed less than a week after public disclosure. The vulnerabilities, tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS 9.8), stem from improper cryptographic signature validation of SAML messages and affect multiple Fortinet products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, when FortiCloud single sign-on (SSO) is enabled. The feature is disabled by default but is often activated automatically during FortiCare device registration unless explicitly turned off, so organizations that never chose to use FortiCloud SSO may still be exposed. Because the flaw lies in how SAML messages are validated rather than in password handling, a strong administrator password does not mitigate it. Arctic Wolf observed malicious SSO logins beginning December 12, 2025, originating from infrastructure linked to The Constant Company, BL Networks, and Kaopu Cloud HK; the attackers targeted the administrator account, accessed the web management interface, and exported device configuration files. Those files can expose network topology, firewall policies, routing information, internet-facing services, and hashed credentials that are susceptible to offline cracking. The activity appears opportunistic and at an early stage, but the deliberate exfiltration of configuration data suggests intent beyond vulnerability scanning and may enable follow-on attacks. In response to confirmed exploitation in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog with a remediation deadline of December 23, 2025. Fortinet has released patches across the affected product lines, and CTIX analysts advise organizations to follow Fortinet's guidance and upgrade immediately, disable FortiCloud SSO until remediation is complete, restrict management interface access to trusted networks, review logs for SSO administrator logins and configuration exports since the disclosure date, and rotate credentials (including any secrets stored in an exported configuration) if indicators of compromise are found.
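A log-triage script for the activity pattern described above, added here as an example and not code from Arctic Wolf, Fortinet or CISA: it reads device event logs, flags every successful administrator login made through SSO (rated higher when the source is outside the trusted management networks), and escalates to critical when a configuration export follows an SSO login from the same user and source within a short window, since that is the sequence reported for this campaign. The log lines are constructed for the example and use field names chosen for illustration (`logdesc`, `method`, `action`, `srcip`), not a verified FortiOS log schema; the trusted-network list is likewise an assumption. Map the keys in `parse` and the networks in `TRUSTED_MGMT` to your environment before running it over exported logs.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample events in a key=value style loosely modelled on firewall event logs.
# Field names are illustrative, not a verified FortiOS schema. 203.0.113.0/24 is a documentation range.
SAMPLE_LOGS = [
    'date=2025-12-12 time=03:14:07 logdesc="Admin login successful" user="admin" method="sso" srcip=203.0.113.45 action="login" status="success"',
    'date=2025-12-12 time=03:15:22 logdesc="Configuration backup" user="admin" srcip=203.0.113.45 action="backup" status="success"',
    'date=2025-12-12 time=09:02:11 logdesc="Admin login successful" user="netops" method="https" srcip=10.20.0.8 action="login" status="success"',
    'date=2025-12-12 time=09:40:00 logdesc="Configuration backup" user="netops" srcip=10.20.0.8 action="backup" status="success"',
    'date=2025-12-13 time=01:00:05 logdesc="Admin login successful" user="admin" method="sso" srcip=10.20.0.9 action="login" status="success"',
]

# Networks from which administrators are expected to reach the management interface (assumption).
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/24")]

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line: str) -> dict:
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def triage(lines, trusted=TRUSTED_MGMT, window_s: int = 900) -> list[tuple[str, str]]:
    """Return (severity, message) findings for SSO admin logins and config exports that follow them."""
    findings = []
    last_sso = {}  # (user, source ip) -> time of the most recent successful SSO login
    for ev in map(parse, lines):
        if ev.get("status") != "success":
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        src = ipaddress.ip_address(ev["srcip"])
        user = ev.get("user", "?")
        outside = not any(src in net for net in trusted)
        if ev.get("action") == "login" and ev.get("method") == "sso":
            last_sso[(user, src)] = ts
            where = " (outside trusted management networks)" if outside else ""
            findings.append(("high" if outside else "medium", f"SSO login as {user} from {src}{where}"))
        elif ev.get("action") == "backup":
            t0 = last_sso.get((user, src))
            if t0 is not None and 0 <= (ts - t0).total_seconds() <= window_s:
                delta = int((ts - t0).total_seconds())
                findings.append(("critical",
                                 f"config export by {user} from {src} {delta}s after SSO login: "
                                 "treat the configuration as disclosed and rotate credentials"))
    return findings


def severities(lines) -> list[str]:
    """Severity column only; convenient for dashboards and for testing."""
    return [sev for sev, _ in triage(lines)]


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOGS):
        print(f"[{sev}] {msg}")
```

If your organization never deliberately enabled FortiCloud SSO, every SSO administrator login in the window since disclosure is worth treating as suspect, not only those from unexpected networks. For the interim mitigation, the setting I recall is `set admin-forticloud-sso-login disable` under `config system global` in the FortiOS CLI; that command name is stated from memory and should be verified against Fortinet's advisory for your version before use.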
Stay informed and secure. Subscribe to Ankura’s Cyber Flash Update, a bi-weekly briefing curated by our top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure.

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
