Introduction

Our colleagues from the AI expertise center recently developed a machine-learning model that detects DLL-hijacking attacks. We then integrated this model into the Kaspersky Unified Monitoring and Analysis Platform SIEM system. In a separate article, our colleagues shared how the model had been created and what success they had achieved in lab environments. Here, we focus on how it operates within Kaspersky SIEM, the preparation steps taken before its release, and some real-world incidents it has already helped us uncover.

How the model works in Kaspersky SIEM

The model’s operation generally boils down to a step-by-step check of all DLL libraries loaded by processes in the system, followed by validation in the Kaspersky Security Network (KSN) cloud. This approach allows local attributes (path, process name, and file hashes) to be combined with a global knowledge base and behavioral indicators, which significantly improves detection quality and reduces the probability of false positives.

The model can run in one of two modes: on a correlator or on a collector. A correlator is a SIEM component that performs event analysis and correlation based on predefined rules or algorithms. If detection is configured on a correlator, the model checks events that have already triggered a rule. This reduces the volume of KSN queries and the model’s response time.

This is how it looks:

A collector is a software or hardware component of a SIEM platform that collects and normalizes events from various sources, and then delivers these events to the platform’s core. If detection is configured on a collector, the model processes all events associated with various processes loading libraries, provided these events meet the following conditions:

• The path to the process file is known.
• The path to the library is known.
• The hashes of the file and the library are available.

This method consumes more resources, and the model’s response takes longer than it does on a correlator. However, it can be useful for retrospective threat hunting because it allows you to check all events logged by Kaspersky SIEM. The model’s workflow on a collector looks like this:

It is important to note that the model is not limited to a binary “malicious/non-malicious” assessment; it ranks its responses by confidence level. This allows it to be used as a flexible tool in SOC practice. Examples of possible verdicts:

• 0: data is being processed.
• 1: maliciousness not confirmed. This means the model currently does not consider the library malicious.
• 2: suspicious library.
• 3: maliciousness confirmed.

A Kaspersky SIEM rule for detecting DLL hijacking would look like this:
N.KL_AI_DLLHijackingCheckResult > 1
Embedding the model into the Kaspersky SIEM correlator automates the process of finding DLL-hijacking attacks, making it possible to detect them at scale without having to manually analyze hundreds or thousands of loaded libraries. Furthermore, when combined with correlation rules and telemetry sources, the model can be used not just as a standalone module but as part of a comprehensive defense against infrastructure attacks.

Incidents detected during the pilot testing of the model in the MDR service

Before being released, the model (as part of the Kaspersky SIEM platform) was tested in the MDR service, where it was trained to identify attacks on large datasets supplied by our telemetry. This step was necessary to ensure that detection works not only in lab settings but also in real client infrastructures.

During the pilot testing, we verified the model’s resilience to false positives and its ability to correctly classify behavior even in non-typical DLL-loading scenarios. As a result, several real-world incidents were successfully detected where attackers used one type of DLL hijacking — the DLL Sideloading technique — to gain persistence and execute their code in the system.

Let us take a closer look at the three most interesting of these.

Incident 1. ToddyCat trying to launch Cobalt Strike disguised as a system library

In one incident, the attackers successfully leveraged the vulnerability CVE-2021-27076 to exploit a SharePoint service that used IIS as a web server. They ran the following command:
c:\windows\system32\inetsrv\w3wp.exe -ap "SharePoint - 80" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipmd32ded38-e45b-423f-804d-34471928538b -h "C:\inetpub\temp\apppools\SharePoint - 80\SharePoint - 80.config" -w "" -m 0
After the exploitation, the IIS process created files that were later used to run malicious code via the DLL sideloading technique (T1574.001 Hijack Execution Flow: DLL):
C:\ProgramData\SystemSettings.exe
C:\ProgramData\SystemSettings.dll
SystemSettings.dll is the name of a library associated with the Windows Settings application (SystemSettings.exe). The original library contains code and data that the Settings application uses to manage and configure various system parameters. However, the library created by the attackers has malicious functionality and is only pretending to be a system library.

Later, to establish persistence in the system and launch a DLL sideloading attack, a scheduled task was created, disguised as a Microsoft Edge browser update. It launches a SystemSettings.exe file, which is located in the same directory as the malicious library:
Schtasks /create /ru "SYSTEM" /tn "\Microsoft\Windows\Edge\Edgeupdates" /sc DAILY /tr "C:\ProgramData\SystemSettings.exe" /F
The task is set to run daily.

When the SystemSettings.exe process is launched, it loads the malicious DLL. As this happened, the process and library data were sent to our model for analysis and detection of a potential attack.

Example of a SystemSettings.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM

The resulting data helped our analysts highlight a suspicious DLL and analyze it in detail. The library was found to be a Cobalt Strike implant. After loading it, the SystemSettings.exe process attempted to connect to the attackers’ command-and-control server.
DNS query: connect-microsoft[.]com
DNS query type: AAAA
DNS response: ::ffff:8.219.1[.]155;
8.219.1[.]155:8443
After establishing a connection, the attackers began host reconnaissance to gather various data to develop their attack.
C:\ProgramData\SystemSettings.exe
whoami /priv
hostname
reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid
powershell -c $psversiontable
dotnet --version
systeminfo
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Drivers"
cmdkey /list
REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
netsh wlan show profiles
netsh wlan show interfaces
set
net localgroup administrators
net user
net user administrator
ipconfig /all
net config workstation
net view
arp -a
route print
netstat -ano
tasklist
schtasks /query /fo LIST /v
net start
net share
net use
netsh firewall show config
netsh firewall show state
net view /domain
net time /domain
net group "domain admins" /domain
net localgroup administrators /domain
net group "domain controllers" /domain
net accounts /domain
nltest / domain_trusts
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Based on the attackers’ TTPs, such as loading Cobalt Strike as a DLL, using the DLL sideloading technique (1, 2), and exploiting SharePoint, we can say with a high degree of confidence that the ToddyCat APT group was behind the attack. Thanks to the prompt response of our model, we were able to respond in time and block this activity, preventing the attackers from causing damage to the organization.

Incident 2. Infostealer masquerading as a policy manager

Another example was discovered by the model after a client was connected to MDR monitoring: a legitimate system file located in an application folder attempted to load a suspicious library that was stored next to it.
C:\Program Files\Chiniks\SettingSyncHost.exe
C:\Program Files\Chiniks\policymanager.dll E83F331BD1EC115524EBFF7043795BBE
The SettingSyncHost.exe file is a system host process for synchronizing settings between one user’s different devices. Its 32-bit and 64-bit versions are usually located in C:\Windows\System32\ and C:\Windows\SysWOW64\, respectively. In this incident, the file location differed from the normal one.

Example of a policymanager.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM

Analysis of the library file loaded by this process showed that it was malware designed to steal information from browsers.

Graph of policymanager.dll activity in a sandbox

The file directly accesses browser files that contain user data.
C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Local State
The library file is on the list of files used for DLL hijacking, as published in the HijackLibs project. The project contains a list of common processes and libraries employed in DLL-hijacking attacks, which can be used to detect these attacks.

Incident 3. Malicious loader posing as a security solution

Another incident discovered by our model occurred when a user connected a removable USB drive:

Example of a Kaspersky SIEM event where a wsc.dll library was loaded from a USB drive, with a DLL Hijacking module verdict

The connected drive’s directory contained hidden folders with an identically named shortcut for each of them. The shortcuts had icons typically used for folders. Since file extensions were not shown by default on the drive, the user might have mistaken the shortcut for a folder and launched it. In turn, the shortcut opened the corresponding hidden folder and ran an executable file using the following command:
"%comspec%" /q /c "RECYCLER.BIN\1\CEFHelper.exe [$DIGITS] [$DIGITS]"
CEFHelper.exe is a legitimate Avast Antivirus executable that, through DLL sideloading, loaded the wsc.dll library, which is a malicious loader.

Code snippet from the malicious file

The loader opens a file named AvastAuth.dat, which contains an encrypted backdoor. The library reads the data from the file into memory, decrypts it, and executes it. After this, the backdoor attempts to connect to a remote command-and-control server.

The library file, which contains the malicious loader, is on the list of known libraries used for DLL sideloading, as presented on the HijackLibs project website.

Conclusion

Integrating the model into the product provided the means of early and accurate detection of DLL-hijacking attempts which previously might have gone unnoticed. Even during the pilot testing, the model proved its effectiveness by identifying several incidents using this technique. Going forward, its accuracy will only increase as data accumulates and algorithms are updated in KSN, making this mechanism a reliable element of proactive protection for corporate systems.

IoC

Legitimate files used for DLL hijacking
E0E092D4EFC15F25FD9C0923C52C33D6 loads SystemSettings.dll
09CD396C8F4B4989A83ED7A1F33F5503 loads policymanager.dll
A72036F635CECF0DCB1E9C6F49A8FA5B loads wsc.dll

Malicious files
EA2882B05F8C11A285426F90859F23C6 SystemSettings.dll
E83F331BD1EC115524EBFF7043795BBE policymanager.dll
831252E7FA9BD6FA174715647EBCE516 wsc.dll

Paths
C:\ProgramData\SystemSettings.exe
C:\ProgramData\SystemSettings.dll
C:\Program Files\Chiniks\SettingSyncHost.exe
C:\Program Files\Chiniks\policymanager.dll
D:\RECYCLER.BIN\1\CEFHelper.exe
D:\RECYCLER.BIN\1\wsc.dll

securelist.com/detecting-dll-h…

Airbags are an incredibly important piece of automotive safety gear. They’re also terrifying—given that they’re effectively small pyrotechnic devices that are aimed directly at your face and chest. Myths have pervaded that they “kill more people than they save,” in part due a hilarious episode of The Simpsons. Despite this, they’re credited with saving tens of thousands of lives over the years by cushioning fleshy human bodies from heavy impacts and harsh decelerations.

While an airbag is generally there to help you, it can also hurt you in regular operation. The immense sound pressure generated when an airbag fires is not exactly friendly to your ears. However, engineers at Mercedes-Benz have found a neat workaround to protect your hearing from the explosive report of these safety devices. It’s a nifty hack that takes advantage of an existing feature of the human body. Let’s explore how air bags work, why they’re so darn loud, and how that can be mitigated in the event of a crash.

A Lot Of Hot Air

The first patent for an airbag safety device was filed over 100 years ago, intended for use in aircraft. Credit: US Patent Office
Once an obscure feature only found in luxury vehicles, airbags became common safety equipment in many cars and trucks by the mid-1990s. Indeed, a particular turning point was when they became mandatory in vehicles sold in the US market from late 1998 onwards, which made them near-universal equipment in many other markets worldwide. Despite their relatively recent mainstream acceptance, the concept of the airbag actually dates back a lot farther.

The basic invention of the airbag is typically credited to two English dentists—Harold Round and Arthur Parrott—who submitted a patent for the concept all the way back in 1919. The patent regarded the concept of creating an air cushion to protect occupants in aircraft during serious impacts. Specific attention was given to the fact that the air cushion should “yield readily without developing the power to rebound,” which could cause further injury. This was achieved by giving the device air outlet passages that would vent as a person impacted the device, which would allow the cushion to absorb the hit gently while reducing the chance of injury.

The concept only later became applicable to automobiles when Walter Linderer filed for a German patent in 1951, and John W. Hetrick filed for a US patent in 1952. Both engineers devised airbags that were based on the release of compressed air, triggered either by human intervention or automated mechanical means. These concepts proved ultimately infeasible, as compressed air could not be feasibly be released to inflate an airbag quickly enough to be protective in an automobile crash.

It would only be later in the 1960s that workable versions using explosive or pyrotechnic inflation came to the fore. The concept was simple—use a chemical reaction to generate a great deal of gas near-instantaneously, inflating the airbag fractions of a second before vehicle occupants come into contact with the device. The airbags are fitted with vents that only allow the gas to escape slowly. This means that as a person hits the airbag, they are gently decelerated as their impact pushes the gas out of the restrictive vents. This helps reduce injuries that would typically be incurred if the occupants instead hit interior parts of the car without any protection at all.
In a crash, it’s much nicer to faceplant into an air-filled pillow than a hard, unforgiving dashboard. Credit: DaimlerChrysler AG, CC BY SA 3.0

The Big Bang

The use of pyrotechnic gas generators to inflate airbags was the leap forward that made airbags practical and effective for use in automobiles. However, as you might imagine, releasing a massive burst of gas in under 50 milliseconds does create a rather large pressure wave—which we experience as an incredibly loud sound. If you ever seen airbags detonated outside of a vehicle, you’ve probably noticed they sound rather akin to fireworks or a gun going off. Indeed, the sound of an airbag can exceed 160 decibels (dB)—more than enough to cause instant damage to the ear. Noise generated in a vehicle impact is often incredibly loud, too, or course. Ultimately, this isn’t great for the occupants of the vehicle, particularly their hearing. Ultimately, an airbag deployment is a carefully considered trade-off—the general consensus is that impact protection in a serious crash is preferable, even if your ears are worse for wear afterwards.

However, there is atechnique that can mitigate this problem. In particular, Mercedes-Benz developed a system to protect the hearing of vehicle occupants in the event that the airbags are fired. The trick is in using the body’s own reactions to sound to reduce damage to the ear from excessive sound pressure levels.
In humans, the stapedius muscle can be triggered reflexively to protect the ear from excess sound levels, though the mechanism is slow enough that it can’t respond well to sudden loud impulses. However, pre-emptively triggering it before a loud event can be very useful. Credit: Mercedes Benz
The stapedius reflex (also known as the acoustic reflex) is one of the body’s involuntary, instantaneous movements in response to an external stimulus—in this case, certain sound levels. When a given sound stimulus occurs to either ear, muscles inside both ears contract, most specifically the stapedius muscle in humans. When the muscle contracts, it has a stiffening effect on the ossicular chain—the three tiny bones that connect the ear drum to the cochlea in the inner ear. Under this condition, less vibrational energy is transferred, reducing damage to the cochlea from excessive sound levels.

The threshold at which the reflex is triggered is usually 10 to 20 dB lower than the point at which the individual feels discomfort; typical levels are from around 70 to 100 dB. When triggered by particularly loud sounds of 20 dB above the trigger threshold, the muscle contraction is enough to reduce the sound level at the cochlea by a full 15 dB. Notably, the reflex is also triggered by vocalization—reducing transmission through to the inner ear when one begins to speak.

Mercedes-Benz engineers realized that the stapedius reflex could be pre-emptively triggered ahead of firing the airbags, in order to provide a protective effect for the ears. To this end, the company developed the PRE-SAFE Sound system. When the vehicle’s airbag control unit detects a collision, it triggers the vehicle’s sound system to play a short-duration pink noise signal at a level of 80 dB. This is intended to be loud enough to trigger the stapedius reflex without in itself doing damage to the ears. Typically, it takes higher sound levels closer to 100 dB to reliably trigger the reflex in a wide range of people, but Mercedes-Benz engineers realized that the wide-spread frequency content of pink noise enable the reflex to be switched on at a much lower, and safer, sound level. With the reflex turned on, when the airbags do fire a fraction of a second later, less energy from the intense pressure spike will be transferred to the inner ear, protecting the delicate structures that provide the sense of hearing.

youtube.com/embed/vTmLYY-Z2rc?…

Mercedes-Benz first released the technology in production models almost a decade ago.

The stapedius reflex does have some limitations. It can be triggered with a latency of just 10 milliseconds, however, it can take up to 100 milliseconds for the muscle in the ear to reach full tension, conferring the full protective effect. This limits the ability of the reflex to protect against short, intense noises. However, given the Mercedes-Benz system triggers the sound before airbag inflation where possible, this helps the muscles engage prior to the peak sound level being reached. The protective effect of the stapedius reflex also only lasts for a few seconds, with the muscle contraction unable to be maintained beyond this point. However, in a vehicle impact scenario, the airbags typically all fire very quickly, usually well within a second, negating this issue.

Mercedes-Benz was working on the technology from at least the early 2010s, having run human trials to trigger the stapedius reflex with pink noise in 2011. It deployed the technology on its production vehicles almost a decade ago, first offering PRE-SAFE Sound on E-Class models for the 2017 model year. Despite the simple nature of the technology, few to no other automakers have publicly reported implementing the technique.

Car crashes are, thankfully, rather rare. Few of us are actually in an automobile accident in any given year, even less in ones serious enough to cause an airbag deployment. However, if you are unlucky enough to be in a severe collision, and you’re riding in a modern Mercedes-Benz, your ears will likely thank you for the added protection, just as your body will be grateful for the cushioning of the airbags themselves.

hackaday.com/2025/10/06/how-me…

We’ve covered plenty of interesting human input devices over the years, but how about an instrument? No, not as a MIDI controller, but to interact with what’s going on-on screen. That’s the job of GuitarPie, a guitar-driven pie menu produced by a group at the University of Stuttgart.

The idea is pretty simple: the computer is listening for one specific note, which cues the pie menu on screen. Options on the pie menu can be selected by playing notes on adjacent strings and frets. (Check it out in action in the video embedded below). This is obviously best for guitar players, and has been built into a tablature program they’re calling TabCTRL. For those not in the loop, tablature, also known as tabs, is an instrument-specific notation system for stringed instruments that’s quite popular with guitar players. So TabCTRL is a music-learning program, that shows how to play a given song.

With this pairing, you can rock out to the tablature, the guitarist need never take their hands off the frets. You might be wondering “how isn’t the menu triggered during regular play”? Well, the boffins at Stuttgart thought of that– in TabCTRL, the menu is locked out while play mode is active. (It keeps track of tempo for you, too, highlighting the current musical phrase.) A moment’s silence (say, after you made a mistake and want to restart the song) stops play mode and you can then activate the menu. It’s well a well-thought-out UI. It’s also open source, with all the code going up on GitHub by the end of October.

The neat thing is that this is pure software; it will work with any unmodified guitar and computer. You only need a microphone in front of the amp to pick up the notes. One could, of course, use voice control– we’ve seen no shortage of hacks with that–but that’s decidedly less fun. Purists can comfort themselves that at least this time the computer interface is a real guitar, and not a guitar-shaped MIDI controller.

youtube.com/embed/ItJGNO-IQDw?…

hackaday.com/2025/10/06/guitar…

S/PDIF has been around for a long time; it’s still a really great way to send streams of digital audio from device A to device B. [Nathan Ladwig] has got the ESP32 decoding SPDIF quite effectively, using an onboard peripheral outside its traditional remit.

On the ESP32, the Remote Control Transceiver (RMT) peripheral was intended for use with infrared transceivers—think TV remotes and the like. However, this peripheral is actually quite flexible, and can be used for sending and receiving a range of different signals. [Nathan] was able to get it to work with S/PDIF quite effectively. Notably, it has no defined bitrate, which allows it to work with signals of different sample rates quite easily. Instead, it uses biphase mark code to send data. With one or two transitions for each transmitted bit, it’s possible to capture the timing and determine the correct clock from the signal itself.

[Nathan] achieved this feat as part of his work to create an ESP32-based RTP streaming device. The project allows an ESP32 to work as a USB audio device or take an S/PDIF signal as input, and then transmitting that audio stream over RTP to a receiver which delivers the audio at the other end via USB audio or as an SPDIF output. It’s a nifty project that has applications for anyone that regularly finds themselves needing to get digital audio from once place to another. It can also run a simple visualizer, too, with some attached LEDs.

It’s not the first time we’ve seen S/PDIF decoded on a microcontroller; it’s quite achievable if you know what you’re doing. Meanwhile, if you’re cooking up your own digital audio hacks, we’d love to hear about it. Digitally, of course, because we don’t accept analog phone calls here at Hackaday. Video after the break.

youtube.com/embed/k_nE87P4N88?…

hackaday.com/2025/10/06/esp32-…

Un gruppo che si autodefinisce Scattered LAPSUS$ Hunters è ricomparso dopo mesi di silenzio e l’arresto dei suoi membri. Su un nuovo sito di fuga di notizie, gli aggressori hanno pubblicato un elenco di circa 40 ambienti aziendali Salesforce e hanno chiesto un pagamento di quasi un miliardo di dollari – 989,45 milioni di dollari – in cambio della non divulgazione dei dati, che, secondo gli estorsori, includono circa un miliardo di record di clienti. Hanno fissato un ultimatum per il 10 ottobre: se Salesforce non riuscirà a negoziare, i criminali minacciano di pubblicare tutto ciò che hanno rubato.

Un rappresentante di Salesforce ha dichiarato a The Register che l’azienda era a conoscenza dei tentativi di estorsione e aveva condotto un’indagine in collaborazione con esperti esterni e forze dell’ordine. La nota ufficiale affermava che gli incidenti erano correlati a casi precedentemente noti o non confermati e che non erano stati riscontrati segni di compromissione dell’infrastruttura di Salesforce. L’azienda ha sottolineato che l’attacco non era correlato ad alcuna vulnerabilità nella sua tecnologia e che i clienti interessati stanno ricevendo supporto.

Tuttavia, la situazione affonda le sue radici in eventi accaduti ad agosto. Si è scoperto che gli aggressori avevano utilizzato token OAuth tramite l’integrazione Drift di Salesloft , consentendo loro di accedere a più istanze di Salesforce.

Cloudflare ha segnalato che “centinaia di organizzazioni” sono state colpite, con il furto di informazioni sui clienti in alcuni casi. Il team di Mandiant, incaricato da Salesloft, è stato incaricato di indagare su questi incidenti e il Google Threat Intelligence Group ha successivamente confermato l’entità della violazione. Prima di lanciare l’attuale sito di fuga di notizie, Google e Salesforce hanno inviato avvisi alle aziende potenzialmente interessate.

Nel suo rapporto di agosto sulle intrusioni in Salesforce, Google ha evidenziato il coinvolgimento del gruppo ShinyHuntersnegli incidenti e ha previsto la comparsa di un sito di fuga di notizie. All’epoca, gli analisti dell’azienda hanno anche osservato che la nuova ondata di pubblicazioni mirava probabilmente ad aumentare la pressione sulle vittime associate ai recenti attacchi UNC6040. Lo stesso giorno, è apparso un canale Telegram chiamato Scattered LAPSUS$ Hunters, con Scattered Spider, ShinyHunters e Lapsus$ che dichiaravano la loro collaborazione. Tuttavia, il canale è durato solo pochi giorni ed è stato chiuso all’inizio della settimana successiva.

A metà settembre, i rappresentanti di Scattered Spider e Lapsus$ hanno annunciato pubblicamente il loro ritiro dalle attività, con l’intenzione di “godersi i milioni accumulati”.

Ma poco dopo, due adolescenti del Regno Unito sono stati accusati di attacchi alle infrastrutture di Transport for London e gli investigatori americani e britannici li hanno collegati al gruppo Scattered Spider. Un altro adolescente si è consegnato alla polizia di Las Vegas il 17 settembre: è sospettato di aver partecipato a una serie di attacchi ai casinò nel 2023, attribuiti anch’essi allo stesso gruppo .

In risposta alle richieste dei giornalisti, i rappresentanti del nuovo gruppo SLH/SLSH Press Newsroom hanno rifiutato di fornire dettagli, confermando solo che la decisione di riprendere l’attività era “collegata ai recenti arresti”. Non hanno commentato la struttura del gruppo né l’origine dei dati trapelati.

L'articolo Ritorna il gruppo Scattered LAPSUS$ Hunters e minaccia di divulgare i dati di Salesforce proviene da il blog della sicurezza informatica.

The Czech Pirate Party won 18 seats in the October 2025 election for Parliament!

Unfortunately, the main winner of the election was the populist billionaire and former prime minister Andrej Babiš and his ANO movement. He has expressed skepticism toward support for Ukraine and has drawn closer to authoritarian leaders such as Viktor Orbán in Hungary. The Czech Pirates run on a diametrically opposed platform. The overall result of 8.7% of the vote makes them the 3rd largest party in the country. While the success is not quite as monumental as when they won 22 seats in 2017. It does represent a vast improvement from just 4 seats that the the Pirates won in 2021. In that year they ran in the Pirates and Mayors (STAN) alliance. That alliance won 37 seats in total. The Pirates ran independently this year after separating from STAN.

The Czech Pirate Party is a member of Pirate Parties International. We appreciate the strong support they provide internationally, and we wish them good luck with their upcoming term!

pp-international.net/2025/10/c…

The GOP wants to shutdown the federal government.

It is true that Congress failed to pass a 2026 appropriation bill. The GOP controlled House passed an extension spending bill, but it did not pass in the Senate. It failed in the Senate because it did not have the 60 votes needed to close debate (i.e. cloture) and the Democrats were not willing to provide those votes without changes such as rolling back the GOP’s increase in health insurance premiums for Affordable Care Act recipients or blocking Trump’s unconstitutional efforts to not spend money Congress has already appropriated.

Requiring 60 votes to close debate is a Senate rule that can be changed by a simple majority vote in the Senate. There is nothing in the constitution that requires it. The GOP majority in the Senate could change the rule to close debate with a majority and pass their appropriations extension.

They choose not to. It allows GOP office holders to blame anyone, except themselves. The corporate media parrot their lies.

The GOP wants the federal government shutdown.

I am not talking about the changes in the bill. It is awful, of course, and would continue to let Trump use ICE to illegally round up people in apartment buildings, whether citizens, or immigrants documented or not. Trump could still force national guard members to illegally act like police in cities in other states. Trump has already laid off 12% of federal all workers and the bill would continue to let him illegally hold back billions of dollars Congress appropriated. Billions that should be given to clean energy projects, state transportation projects, VA benefits and needed medical research.

The GOP wants the federal government shutdown.

They want millions of federal workers to suffer from being furloughed unable to provide needed government services. They want us to face uncertainty and loss because those services are not available or require us to waste even more of our time to access them.

Since Trump was inaugurated the GOP has sought a federal government shutdown. Through the DOGEbros, they started their government shutdown as they held back funding and pushed illegal layoffs. The cost has been high to the rest of us. The economy and hiring has flatlined. Prices increased.

They don’t care.

The GOP wants the federal government shutdown and they will use any tool they have to make it happen.

Vote Pirate!

masspirates.org/blog/2025/10/0…

Steve, Joe and James discuss HorizonMass/BINJ effort to use public records requests to determine if the drones over the Boston Dominican Parade and Caribbean Carnival were owned by the Boston Police Department. We also discussed the Trump administration’s recent efforts to censor free speech and an ex-Florida sheriff’s deputy attempt to spread disinformation from Russia.

youtube.com/embed/rHy8jXfhQVw?…

Sign up to our newsletter to get notified of new events or volunteer. Join us on:

• Mastodon;
• Facebook;
• Blue Sky;
• Twitter.

Some links we mentioned:

• Our Administrative Coup Memory Bank;
• Our Things to Do when Fascists are Taking Over;
• Did The BPD Fly A Surveillance Drone Over The Dominican Parade? They Won’t Tell Us.
• Disney Plus Subscribers Quit in Droves Over Jimmy Kimmel Axe;
• 2025 shootings of Minnesota legislators;
• Russian fake-news network, led by an ex-Florida sheriff’s deputy, storms back into action with 200+ new sites.

Image Credit: CC-By-2.0 image via Wikipedia Commons by Maurizio Pesce.

uspirates.org/mass-pirate-news…