Svoboda Cybersecurity Brief December 17, 2025
Cellik Android Malware-as-a-Service Targets Google Play Apps
A new Android malware-as-a-service (MaaS) named Cellik is being sold on underground forums for $150/month or $900 lifetime. It can trojanize any Google Play app, keeping the app's original functionality while adding malicious capabilities such as screen streaming, credential theft, and file exfiltration. Its sellers claim it bypasses Google Play Protect by embedding itself in trusted apps.
Impact: Mass distribution of trojanized apps, credential theft, and persistent device access.
Mitigation: Avoid sideloading APKs, enable Play Protect, monitor app permissions, and check for unusual activity.
Source: BleepingComputer
GRU Hackers Shift to Misconfigured Edge Devices in Critical Infrastructure Attacks
Russian GRU-linked hackers (Sandworm/APT44) have shifted from exploiting vulnerabilities like CVE-2022-26318 (WatchGuard) and CVE-2023-27532 (Veeam) to targeting misconfigured edge devices (routers, VPNs) for initial access. Amazon Threat Intelligence observed credential harvesting and lateral movement in energy sector attacks since 2021.
Impact: Persistent access to critical infrastructure, credential theft, and potential operational disruption.
Mitigation: Audit edge devices, restrict management interfaces, monitor for credential replay, and enable AWS GuardDuty/VPC Flow Logs.
Source: BleepingComputer
Fortinet SAML Auth Bypass Exploited in Active Attacks
Attackers are exploiting CVE-2025-59718 and CVE-2025-59719 (CVSS 9.8) in FortiOS, FortiProxy, and FortiWeb to bypass authentication via malicious SAML assertions. Arctic Wolf observed attacks exporting device configs from admin accounts starting December 12.
Impact: Unauthorized admin access, config theft, and potential lateral movement.
Mitigation: Disable FortiCloud SSO, patch to FortiOS 7.6.4+/FortiWeb 8.0.1+, and restrict firewall management access.
Source: BleepingComputer
GhostPoster Campaign Hides Malware in Firefox Add-On Logos
A campaign dubbed GhostPoster embeds JavaScript in Firefox add-on logos (e.g., FreeVPN Forever, Dark Reader) to deploy backdoors. The malware hijacks affiliate links, injects tracking code, and evades detection by fetching payloads only 10% of the time.
Impact: Browser hijacking, ad fraud, and potential escalation to more harmful payloads.
Mitigation: Remove listed extensions, reset passwords, and monitor for unusual browser activity.
Source: BleepingComputer
AWS Cryptomining Campaign Uses Compromised IAM Credentials
Attackers abuse compromised IAM credentials to deploy cryptominers on AWS EC2/ECS within 10 minutes of access. Techniques include DryRun API calls, disabling instance termination, and creating Lambda roles for persistence.
Impact: Resource hijacking, unexpected cloud spend, and potential phishing via SES abuse.
Mitigation: Enforce MFA, use temporary credentials, restrict IAM permissions, and enable GuardDuty/CloudTrail.
Source: TheHackerNews
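As an added illustration of the detection side of this item (not code from the brief or its source), the following script flags the three behaviours described above in CloudTrail-style records: DryRun permission probing, enabling EC2 termination protection, and creating a role that Lambda can assume. The sample events are constructed, and the field names (eventName, requestParameters, errorCode) follow CloudTrail conventions; the assumption that a successful DryRun is logged with errorCode "Client.DryRunOperation" is marked in the code.

```python
import json

# Constructed CloudTrail-style events (not real logs). One IAM user performs
# the three actions the brief describes; a fourth event is benign noise.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.DryRunOperation",  # assumed DryRun success code
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}},
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "requestParameters": {"roleName": "svc-lambda-helper",
                           "assumeRolePolicyDocument": json.dumps({"Statement": [
                               {"Effect": "Allow", "Action": "sts:AssumeRole",
                                "Principal": {"Service": "lambda.amazonaws.com"}}]})},
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "userName": "ops"}},
]

def classify(event):
    """Return a finding label for one CloudTrail event, or None if benign."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if event.get("errorCode") == "Client.DryRunOperation":
        return "dryrun-probe"  # caller tested permissions without acting
    if name == "ModifyInstanceAttribute" and \
            (params.get("disableApiTermination") or {}).get("value") is True:
        return "termination-protection-enabled"  # hinders clean-up of miners
    if name == "CreateRole":
        doc = json.loads(params.get("assumeRolePolicyDocument", "{}"))
        for stmt in doc.get("Statement", []):
            svc = stmt.get("Principal", {}).get("Service", "")
            svcs = svc if isinstance(svc, list) else [svc]
            if "lambda.amazonaws.com" in svcs:
                return "lambda-role-created"  # persistence via Lambda
    return None

def findings_by_principal(events):
    """Group findings per principal; several distinct findings from one
    identity in a short window is the pattern worth an immediate look."""
    out = {}
    for ev in events:
        label = classify(ev)
        if label:
            who = ev.get("userIdentity", {}).get("userName", "unknown")
            out.setdefault(who, set()).add(label)
    return out
```

In practice the events would be read from CloudTrail Lake or S3-delivered log files rather than the inline list, and the per-principal grouping would be bounded to the ten-minute window the brief mentions.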
Rogue NuGet Package Steals Cryptocurrency Wallet Data
A malicious NuGet package (Tracer.Fody.NLog) impersonates the legitimate Tracer.Fody library to steal Stratis wallet files and exfiltrate data to 176.113.82[.]163. The package has been downloaded 2,000+ times since 2020.
Impact: Cryptocurrency theft and persistent data exfiltration.
Mitigation: Audit NuGet dependencies, block suspicious IPs, and monitor wallet file access.
Source: TheHackerNews
SoundCloud Confirms Breach Exposing 20% of User Emails
SoundCloud confirmed a breach compromising 28M user emails and public profile data after unauthorized access to an ancillary dashboard. VPN disruptions occurred due to incident response measures, followed by DDoS attacks.
Impact: Phishing risks and service disruptions.
Mitigation: Watch for phishing emails, update credentials, and monitor VPN access changes.
Source: BleepingComputer