Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.
This week’s cyber roundup highlights a broad range of threats impacting both public and private sectors, from actively exploited enterprise vulnerabilities to sophisticated nation-state campaigns and widespread user-facing breaches. The stories below cover urgent patching guidance from Microsoft, China-linked malware operations targeting governments, stealthy browser-based threats, and high-impact attacks disrupting critical infrastructure and major online platforms—underscoring the continued need for vigilance across the threat landscape.
- Microsoft Asks IT Admins to Reach Out for Windows IIS Failures Fix
Microsoft has warned enterprises about a known issue affecting Message Queuing (MSMQ) after recent December 2025 Patch Tuesday updates, which can cause enterprise applications and IIS websites to fail. MSMQ, an optional Windows component widely used in enterprise environments for application-to-application communication, is impacted on systems running Windows 10 22H2, Windows Server 2016, and Windows Server 2019 with specific December security updates installed.
According to Microsoft, the issue is linked to recent changes in the MSMQ security model that alter NTFS permissions on a critical system folder. As a result, MSMQ services may be unable to write to message queues, triggering errors such as inactive queues, application failures, and IIS sites reporting “insufficient resources,” even when system resources are available. Clustered MSMQ environments may be particularly affected under load.
While consumer devices are unlikely to encounter this problem, Microsoft advises enterprise customers to contact business support for guidance on temporary mitigations. A permanent fix is still under investigation. Until one ships, organizations may need to apply the supported workaround or uninstall the affected update; because uninstalling a cumulative security update also removes every fix it carried, treat rollback as a last resort and limit it to the MSMQ hosts that are actually failing.
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware
The threat group known as Jewelbug has intensified its focus on European government organizations since July 2025, while continuing operations across Southeast Asia and South America. Tracked by Check Point Research as Ink Dragon, also known as CL-STA-0049, Earth Alux, and REF7707, the China-aligned group has been active since at least early 2023.
Researchers describe Ink Dragon’s campaigns as highly disciplined, blending strong engineering practices with the strategic reuse of legitimate, platform-native tools to evade detection. According to Check Point, the ongoing activity has impacted dozens of victims, including government and telecom entities across Europe, Asia, and Africa.
Ink Dragon first drew attention in early 2025 following reports from Elastic Security Labs and Palo Alto Networks Unit 42 detailing its use of the FINALDRAFT backdoor, which targets both Windows and Linux systems. More recently, the group was linked to a prolonged intrusion against a Russian IT services provider.
The group commonly exploits vulnerable, internet-facing web applications to deploy web shells, which are then used to deliver additional malware such as VARGEIT and Cobalt Strike for command-and-control, lateral movement, and data exfiltration. Other tools in its arsenal include NANOREMOTE, which leverages the Google Drive API for C2 operations, though Check Point did not observe it in recent investigations.
A key tactic involves abusing ASP.NET machine keys that are misconfigured or already known to the attacker (for example, static keys copied from published samples or leaked with a web.config). With a valid validationKey, an attacker can sign an arbitrary serialized object graph as __VIEWSTATE; the IIS or SharePoint server then deserializes it on the next POST and executes attacker-controlled code. Ink Dragon uses that foothold to install a custom ShadowPad IIS listener, effectively turning compromised servers into resilient C2 relays capable of proxying attacker traffic across victim networks.
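To make the machine-key point concrete, here is an added example (written for this roundup, not code from Check Point, Microsoft, or the Ink Dragon reports) that audits a web.config for the settings that make ViewState forgery possible: a static validationKey or decryptionKey committed to the file, a weak MAC algorithm, and a disabled ViewState MAC. The two configs are constructed samples; `audit_machine_key`, `generate_machine_key` and the optional `known_public_keys` parameter are this example's own names, and the rules encode the editor's checklist rather than any Microsoft scanner.

```python
from __future__ import annotations

import secrets
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from any real server).
RISKY_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

SAFE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# MAC/validation algorithms that should not protect ViewState any more.
WEAK_MAC_ALGOS = {"MD5", "SHA1", "3DES"}


def audit_machine_key(config_xml: str,
                      known_public_keys: frozenset[str] = frozenset()) -> list[str]:
    """Return a list of findings; an empty list means nothing risky was seen.

    known_public_keys is an optional, caller-supplied set of key values already
    known to be public (hypothetical input for this example; no real list is embedded).
    """
    findings: list[str] = []
    root = ET.fromstring(config_xml)
    public = {k.upper() for k in known_public_keys}
    mk = next(root.iter("machineKey"), None)
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")  # ASP.NET default when omitted
            if not value.startswith("AutoGenerate"):
                findings.append(f"static {attr}: anyone holding this file can forge ViewState")
            if value.upper() in public:
                findings.append(f"{attr} matches a publicly known key: rotate immediately")
        algo = mk.get("validation", "HMACSHA256")  # .NET 4.5+ default
        if algo.upper() in WEAK_MAC_ALGOS:
            findings.append(f"weak ViewState MAC algorithm: validation={algo}")
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is deserialized without any MAC check")
    return findings


def generate_machine_key() -> dict[str, str]:
    """Fresh per-application keys: 64 bytes for HMACSHA256, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, audit_machine_key(cfg) or ["OK"])
    print(generate_machine_key())
```

Run it against every web.config (and applicationHost.config) on an IIS or SharePoint farm; a static key is only acceptable when every node in a web farm must share it, and even then it should be rotated on any suspicion that the file left the server.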
The group has also been observed exploiting the ToolShell SharePoint vulnerability chain, harvesting credentials by dumping LSASS memory, escalating privileges, modifying firewall rules, and hijacking idle RDP sessions to gain domain-wide control. Rather than relying on a single backdoor, Ink Dragon deploys multiple loaders and utilities to maintain long-term persistence.
Check Point notes that this relay-centric architecture blurs the line between victim and infrastructure, creating a distributed attacker-controlled network built from compromised systems themselves. As a result, defenders must treat each intrusion as part of a broader ecosystem, where isolating a single host may be insufficient without dismantling the entire relay chain.
- GhostPoster Firefox Extensions Hide Malware in Icons
Koi Security has uncovered a malicious campaign targeting Firefox users through trojanized browser extensions that conceal malware using steganography embedded in extension icons. Disguised as VPNs, ad blockers, translators, and weather tools, the extensions deliver a multi-stage payload capable of tracking user activity, weakening browser defenses, and enabling remote code execution.
Dubbed GhostPoster, the campaign involves at least 17 malicious extensions published on Firefox’s add-ons marketplace, collectively installed around 50,000 times. One extension, Free VPN Forever, launched in September 2025, alone reached more than 16,000 installs.
Koi found that the extensions extract hidden code from image files, which acts as a loader connecting to attacker-controlled command-and-control servers to retrieve encrypted payloads. To avoid detection, C&C communication is delayed and payloads are delivered infrequently, with full activation occurring more than six days after installation.
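Koi's write-up is summarized above without the exact encoding GhostPoster uses, so as an added example (not Koi's code and not GhostPoster's loader) here is a scanner for one common way to hide a payload inside an icon that still renders: bytes appended after the PNG IEND chunk, or stuffed into an oversized ancillary chunk such as tEXt. `build_png`, `scan_png`, `is_suspicious` and the appended pseudo-payload are constructed for this example, and the 4 KiB ancillary-chunk threshold is an assumed tuning value.

```python
from __future__ import annotations

import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed tuning value: an ancillary chunk bigger than this in an icon is worth a look.
MAX_ANCILLARY_BYTES = 4096


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(extra_chunks: tuple[tuple[bytes, bytes], ...] = ()) -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input (not a real extension icon)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    return PNG_SIG + body + _chunk(b"IEND", b"")


def scan_png(blob: bytes) -> dict:
    """Walk the chunk list and report where a payload could be hiding."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    report = {"chunks": [], "bad_crc": [], "oversized_ancillary": [],
              "truncated": False, "iend_seen": False, "trailing": b""}
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            report["truncated"] = True  # chunk claims more bytes than the file has
            break
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[pos + 8 + length:end])[0]
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != stored_crc:
            report["bad_crc"].append(name)  # edited by hand, or not really a chunk
        if name[0].islower() and length > MAX_ANCILLARY_BYTES:
            report["oversized_ancillary"].append(name)  # tEXt/zTXt/iTXt can carry anything
        pos = end
        if ctype == b"IEND":
            report["iend_seen"] = True
            break
    if report["iend_seen"]:
        report["trailing"] = blob[pos:]  # decoders stop at IEND, so this never shows on screen
    return report


def is_suspicious(report: dict) -> bool:
    """True when there is somewhere a loader could be tucked away, or the file is malformed."""
    return bool(report["trailing"] or report["oversized_ancillary"]
                or report["bad_crc"] or not report["iend_seen"])


if __name__ == "__main__":
    clean = build_png()
    # Constructed stand-in for an appended loader; not GhostPoster's actual payload.
    stowaway = clean + b"(function(){/* stage-1 loader */})();"
    for label, img in (("clean", clean), ("appended", stowaway)):
        r = scan_png(img)
        print(label, r["chunks"], len(r["trailing"]), is_suspicious(r))
```

Point it at the unpacked `.xpi` of each installed extension (icons live next to `manifest.json`) and treat any trailing bytes, oversized text chunks or CRC mismatches as a reason to read the extension's JavaScript for code that opens its own icon files.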
Once active, the malware persists in browser storage and performs extensive tracking and monetization abuse. It hijacks affiliate links on ecommerce sites, injects analytics tracking across all pages, inventories installed extensions, and profiles user behavior without consent. Security protections are deliberately weakened, exposing users to clickjacking and cross-site scripting attacks.
Koi reports that all identified extensions connect to the same two C&C servers, indicating a single threat actor. As the payload can be updated at any time, infected browsers remain under continuous attacker control.
- A Cyber Attack Hit Petróleos de Venezuela (PDVSA) Disrupting Export Operations
Venezuela’s state-owned oil company, Petróleos de Venezuela (PDVSA), reported a cyber incident over the weekend that disrupted parts of its export workflow. According to the company, the attack was contained to administrative systems and did not affect oil production or core operational infrastructure.
PDVSA stated that internal security protocols and staff response prevented wider disruption. Employees were instructed to shut down computers, disconnect external devices, and disable WiFi and Starlink connections while physical security at facilities was increased. The company described the incident as a neutralized “sabotage attempt.”
Sources cited by Reuters indicated the activity resembled a ransomware attack, noting that remediation efforts temporarily took administrative systems offline. The incident comes amid heightened geopolitical tensions, with PDVSA attributing the attack to foreign interference and framing it as an attempt to undermine Venezuela’s energy sovereignty.
- SoundCloud Hit by Cyber Attack, Breach Affects 20% of its Users
SoundCloud has confirmed it recently experienced a security breach that exposed a limited set of user data. The disclosure follows a wave of service disruptions that prevented some users, particularly those accessing the platform via VPNs, from connecting.
The company stated that the unauthorized access occurred through an internal service dashboard, a supporting system not directly tied to core user infrastructure. Access was quickly shut down, and a third-party cybersecurity firm was engaged to investigate and assist with incident response.
Reports estimate that up to 20% of SoundCloud’s user base may have been affected, potentially impacting millions of accounts. The data involved was limited to email addresses and information already visible on public profiles. SoundCloud confirmed that no passwords, financial data, or payment details were compromised and that all unauthorized access has since been contained.
While SoundCloud has not officially identified the attackers, multiple media outlets report that the cyber extortion group ShinyHunters may be responsible and is allegedly attempting to pressure the company into payment to prevent a data leak.
Following containment, SoundCloud experienced several denial-of-service (DoS) attacks, two of which briefly disrupted web access. The platform remains operational, and the earlier connectivity issues were attributed to emergency security configuration changes.
SoundCloud is advising users to stay alert for phishing attempts and recommends updating passwords and enabling multi-factor authentication as a precaution.
- U.S. CISA Adds a Flaw in Multiple Fortinet Products to its Known Exploited Vulnerabilities Catalog
CISA has added a critical Fortinet vulnerability, CVE-2025-59718 (CVSS 9.1), to its Known Exploited Vulnerabilities (KEV) catalog after confirmation of active exploitation. Alongside CVE-2025-59719, the flaw affects multiple Fortinet products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, when FortiCloud SSO is enabled.
Both issues stem from improper cryptographic signature verification and allow unauthenticated attackers to bypass authentication using crafted SAML messages. While FortiCloud SSO is disabled by default, it may be automatically enabled during FortiCare registration unless explicitly turned off, so administrators should verify the setting on each device rather than rely on the default.
Fortinet released patches for 18 vulnerabilities last week, addressing the affected versions across its product line. As a temporary mitigation, Fortinet recommends disabling FortiCloud SSO admin login until systems are upgraded.
Arctic Wolf reports that attackers began exploiting these flaws just three days after patches were released, primarily targeting FortiGate admin accounts. Observed activity includes malicious SSO logins followed by the exfiltration of device configuration files containing hashed credentials, increasing the risk of follow-on compromise.
Organizations are strongly advised to apply patches immediately, review logs for signs of compromise, reset credentials where necessary, and restrict administrative access. Under BOD 22-01, U.S. federal agencies must remediate these vulnerabilities by December 23, 2025, while private organizations are urged to do the same.