Security Now #1057: "GhostPoster"
Date: December 24, 2025
Host: Leo Laporte
Guest: Steve Gibson
Episode Overview
In the final episode of 2025, Steve Gibson and Leo Laporte dive into a wide spectrum of today's pressing security threats:
- An in-depth look at "GhostPoster"—a malicious Firefox extension family that uses PNG logo steganography to infect more than 50,000 users.
- The massive scale of North Korean cryptocurrency theft, including advanced social engineering and laundering tactics.
- Alarming dangers from insecure Docker servers and compromised AWS credentials, leading to persistent and hard-to-remove crypto-mining operations.
- The emergence of “Kim Wolf,” a hugely capable DDoS botnet infecting over 1.8 million Android-based smart TVs worldwide.
- Listener feedback on certificate authorities, cross-platform app compatibility, and the privacy challenges of age verification.
The episode is full of practical advice, insightful analysis, and the show’s trademark relaxed, geeky banter.
Key Discussion Points & Segment Timestamps
1. End-of-Year Reflections; Show Housekeeping
- [00:00–02:36]
- Announcements about next week’s "Vitamin D" best-of episode.
- Steve jokes about his history in supplement research and upcoming holiday specials.
- Leo: “A lot of people... are saying, vitamin D saved my life. I haven’t been sick in four years.” (06:00)
2. Main Security News Headlines
Crypto-Centric Crime: North Korean Hacking
- [14:18–38:15]
- Chainalysis report: North Korea stole $2.02 billion in cryptocurrency in 2025—a 51% increase over the previous year, bringing their all-time haul to $6.75 billion.
- Attacks are fewer but more lucrative; often involve embedding IT workers or social engineering at crypto services for privileged access.
- Sophisticated laundering: After major thefts, money is rapidly distributed across blockchains and mixed to evade detection.
- Quote (Steve Gibson, 14:58):
“There is, as they say, money to be made in them thar hills. ... Their all-time total is $6.75 billion that North Korean hackers have made by basically figuring out how to get a hold of other people's money.”
- North Korean hackers also impersonate recruiters or investors to phish for credentials and strategic data.
- User wallet compromises rose to 158,000 incidents in 2025, with 80,000 unique victims.
Crypto Thefts & Security Recommendations
- [31:43–38:15]
- Users are strongly advised to move crypto assets off exchanges into offline wallets.
- Quote (Steve Gibson, 36:15):
“Anyone who is technically capable of transferring any cryptocurrency they do not need to have online into an offline wallet has nothing to lose and everything to gain.”
- Brief policy discussion: U.S. governmental discussion about banning non-custodial wallets.
3. AWS & Docker: Persistent Crypto-Mining Breaches
AWS Cloud Attack Campaign
- [40:11–52:07]
- Advanced mining operation compromised AWS customers via leaked credentials (not AWS’s fault).
- Attackers set EC2 termination protection, making miners hard to remove.
- Malicious Docker images (bundling SRBMiner) distributed via Docker Hub with over 100,000 pulls.
Insecure Docker Daemons
- [52:07–56:00]
- Many Docker servers are misconfigured to accept remote API calls over the Internet, giving attackers root access.
- Docker warns: “Configuring Docker to accept connections from remote clients can leave you vulnerable to unauthorized access to the host and other attacks.”
- Lesson: Never rely solely on remote authentication for security.
- Quote (Steve Gibson, 54:31):
“Never rely upon the strength of remote authentication. We see instance after instance, time and time again, it doesn’t work.”
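As an added illustration (not part of the episode or the show notes): the exposure described above comes down to how the daemon's listeners are configured. The checker below, written for this summary, takes a `daemon.json` and flags any `tcp://` listener that lacks `tlsverify` (the daemon then accepts commands from anyone who can reach the port, which is root-equivalent on the host) and any listener bound to all interfaces. The two sample configurations, including the certificate paths, are constructed for the example; the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are Docker's own.

```python
import json
from typing import List
from urllib.parse import urlparse

# Constructed daemon.json samples (not taken from the episode): the exposed
# configuration that the segment warns about, and a hardened counterpart.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Bind addresses that mean "every interface", IPv4 and IPv6.
WILDCARD_BINDS = {"0.0.0.0", "::", ""}


def audit_docker_daemon(daemon_json: str) -> List[str]:
    """Return findings for the listener configuration in a daemon.json string.

    Each finding is a plain sentence; an empty list means no TCP exposure
    problem was found. unix:// and fd:// listeners are local-only and skipped."""
    cfg = json.loads(daemon_json)
    findings: List[str] = []
    # "tls": true alone only encrypts; "tlsverify": true is what makes the
    # daemon demand a client certificate signed by tlscacert.
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        u = urlparse(host)
        if u.scheme != "tcp":
            continue
        if not tls_verify:
            findings.append(
                f"{host}: TCP listener without tlsverify; anyone who can reach "
                f"the port controls the daemon (root-equivalent on the host)")
        if (u.hostname or "") in WILDCARD_BINDS:
            findings.append(
                f"{host}: bound on all interfaces; bind to a management address "
                f"and filter the port at the network edge as well")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_daemon(text) or ["no findings"])
```

The second check fires even when client certificates are required, which is the point Steve makes in the segment: remote authentication is a layer, not the perimeter. One practical caveat on systemd-managed hosts: the stock unit file already passes `-H fd://` to `dockerd`, and a `hosts` entry in `daemon.json` conflicts with it, so the listener list is often set in a unit override instead; audit whichever place actually defines it.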
The SRBminer
- [56:00–60:00]
- Not malicious itself: SRBMiner is a flexible, feature-rich multi-platform miner. Attackers simply like using it for illicit gain.
4. The “Kim Wolf” Android Smart TV Botnet
- [63:47–89:47]
- Discovery: “Kim Wolf,” a DDoS/proxy botnet infecting >1.8 million devices, primarily Android-powered smart TVs.
- At its peak, the botnet surpassed even Google.com in Cloudflare’s global domain rankings.
- Capabilities: DDoS at up to 30 Tbps, proxying, reverse shell, encrypted C2 using elliptic curve signatures, Ether blockchain-based resilience.
- Key infection hotspots: Brazil (15%), India (13%), USA (10%).
- Quote (Steve Gibson, 65:07):
“There is no doubt that this is a hyperscale botnet ... it even surpassed google.com to claim the number one spot in Cloudflare's global domain popularity rankings.”
- Advice: Stick to reputable TV boxes, keep firmware updated, use strong passwords, avoid installing APKs of unknown origin.
5. Listener Feedback and Security Q&A
- [92:55–113:50]
- Running Windows tools on Linux: Use Steam and Proton as a compatibility layer.
- TLS Certificates & Let’s Encrypt: Most sites now rely on Let’s Encrypt (free, automated certificates). Other CAs like Google now offer free ACME-based certs, but commercial CAs are moving away from “cheap” or free certs.
- Let’s Encrypt is entirely sponsored by corporate/charitable donations (e.g., Google, Mozilla, AWS).
- Steve notes that EV (Extended Validation) certificates no longer have practical browser benefit.
Policy & Privacy:
- User Age Verification: Privacy problems persist if analytics and tracking are ever-present behind site gates.
- Quote (Listener Jeff Root, 114:55):
“What we need is a fully private and anonymous Internet, not yet another app which gives the illusion of privacy.”
Featured Topic: GhostPoster – Malicious Firefox Extensions via Steganography
- [121:08–137:36]
Attack Summary
- "GhostPoster" is a family of at least 17 malicious Firefox extensions, with >50,000 installations, including VPNs, translation tools, ad blockers, and weather apps.
- Main trick:
- Malicious code is hidden (steganography) inside their official PNG logo images.
- On load, the extension extracts hidden JavaScript from the logo and runs it.
- Initial code acts as a loader, contacting C2 servers (liveupdt.com, dealctr.com) at randomized intervals to fetch an encoded, per-browser payload.
- Layered obfuscation: code is transformed (case and number swaps, base64, XOR’d with a per-browser key) and stored in browser storage for persistence.
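As an added example (written for this summary, not code from the episode or from Koi Security's analysis): a PNG decoder reads chunks up to IEND and stops, so anything stored past that point is invisible in an image viewer but still sits in the file. The scanner below parses the chunk sequence, verifies each CRC, and reports how many bytes follow IEND, which is the check a defender would run over an extension's icon files. The 1x1 sample image and the placeholder text appended to it are constructed inline; nothing here reproduces the extensions' own payload or decoding logic.

```python
import struct
import zlib
from typing import Dict, List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_png_chunks(data: bytes) -> Tuple[List[Tuple[str, int]], int]:
    """Walk the chunk sequence; return ([(type, length), ...], end_offset).

    end_offset is the byte offset just past IEND, i.e. where a conforming
    decoder stops reading. CRCs are checked so a corrupt or non-PNG file
    raises instead of being silently reported as clean."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks: List[Tuple[str, int]] = []
    while pos + 12 <= len(data):  # 12 = length(4) + type(4) + crc(4)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if struct.unpack(">I", crc_field)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError("bad CRC on chunk %r" % ctype)
        chunks.append((ctype.decode("latin-1"), length))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk found")


def scan_png(data: bytes) -> Dict[str, object]:
    """Report what, if anything, sits past IEND. A clean icon has zero bytes there."""
    chunks, end = parse_png_chunks(data)
    trailing = data[end:]
    return {
        "chunks": chunks,
        "trailing_len": len(trailing),
        "trailing_preview": trailing[:32],
        "suspicious": len(trailing) > 0,
    }


def build_tiny_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit RGB PNG holding one red pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")  # filter byte + pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


# Constructed inputs: a clean logo, and the same logo with bytes appended
# after IEND (placeholder text standing in for a hidden blob).
CLEAN_PNG = build_tiny_png()
TAMPERED_PNG = CLEAN_PNG + b"<placeholder: appended data after IEND>"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        r = scan_png(blob)
        print(name, "chunks:", [c for c, _ in r["chunks"]],
              "trailing bytes:", r["trailing_len"], "suspicious:", r["suspicious"])
```

Run it over every `.png` in an unpacked extension directory and treat any non-zero `trailing_len` as worth a look; the preview is there so an analyst can tell appended metadata from something that needs escalation.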
Payload Capabilities
- Browse & Data Monetization:
- Hijacks affiliate links.
- Injects Google Analytics tracking on every page.
- Tracks infection age, merchant networks visited, and browser identity.
- Defense Evasion:
- Only phones home 10% of the time, waits days before activating, and uses randomized timing.
- Security Header Sabotage:
- Strips HTTP security headers (like Content Security Policy, X-Frame-Options), degrading browser defenses against XSS, clickjacking, etc.
- More Tricks:
- Invisible iframes for ad/click fraud.
- CAPTCHA solvers to bypass bot detection.
- Persistence:
- Logic stored per-browser, updated live via C2.
- Quote (Koi Security, 121:54):
“Past where the image data ends, we found malware embedded in the bytes of the PNG image file itself, waiting to be extracted and executed.”
Implications & Advice
- Google and Mozilla’s extension stores are repeatedly caught out by evolving techniques like steganography, staged payloads, and defense layering.
- Widespread abuse of “free VPN” and utilitarian-sounding extensions for mass browser compromise.
- Steve’s advice: Remove unneeded extensions, install only vetted add-ons, and beware of freebies (especially “free VPNs” and similar utilities).
Notable Quotes
On North Korean crypto theft motivation:
- Leo Laporte, 30:30:
“North Korea’s GDP is only $18 billion. So this is a significant source of hard [currency].”
- Steve Gibson, 30:37:
“Yes, it's a third, a third of their cash. You see why they do it.”
On insecure Docker exposure:
- Steve Gibson, 55:31:
“Never rely upon the strength of remote authentication. Period. That's it.”
On browser security:
- Steve Gibson, 137:12:
“As we have said, the browser is the window to the Internet. ... Keeping it secure is really important. These things destroy that.”
Key Takeaways
- Crypto attacks are growing more sophisticated, lucrative, and nation-state-sponsored (notably in North Korea).
- Cloud misconfigurations (especially Docker and leaked AWS credentials) remain a major attack surface for persistent crypto hijacking.
- “Smart” devices—like Android TV boxes—are now prime targets for botnet armies, enabling record-breaking DDoS power with little user awareness or defense.
- Browser extensions are a critical attack vector. Even "trustworthy"-looking add-ons may contain advanced, deeply-hidden malware.
- User vigilance is vital: Limit browser extensions, keep IoT devices updated, don’t expose server APIs unnecessarily, and use offline wallets for cryptocurrency.
- On the infrastructure side, Let’s Encrypt remains foundational for free/automated web security, but its reliance on donations should not be taken for granted.
- Policy debates around privacy (age verification, certificate lifecycles, data analytics) are ongoing but offer no easy, technical fix.
For More Info
- Read Koi Security's full GhostPoster extension analysis: Link
- SpinRite, DNS Benchmark, transcripts, and more: grc.com
- Join Club Twit for ad-free content and community: club.twit.tv
- Follow Steve Gibson for weekly updates and security tools.
Wishing all listeners safe, secure holidays and a happy new year!