Trend Micro ha rilevato un attacco mirato ai settori governativo e aeronautico in Medio Oriente, utilizzando un nuovo ransomware chiamato Charon. Gli aggressori hanno utilizzato una complessa catena di infezione con funzionalità di sideload di DLL, iniezione di processi e bypass EDR, tipiche delle operazioni APT avanzate che dei normali ransomware.

Il vettore di attacco inizia con l’avvio di un file Edge.exe legittimo (in precedenza cookie_exporter.exe), che viene utilizzato per caricare una libreria msedge.dll dannosa, denominata SWORDLDR. Quest’ultima decifra lo shellcode crittografato dal file DumpStack.log e inietta il payload, ovvero Charon stesso, nel processo svchost.exe, mascherando l’attività come un servizio di sistema Windows.

Dopo aver decifrato tutti i livelli di mascheramento, gli esperti hanno confermato che l’eseguibile finale crittografa i dati e lascia un segno distintivo di infezione – “hCharon è entrato nel mondo reale!” – alla fine di ogni file crittografato. Tutti i file crittografati ricevono l’estensione .Charon e nelle directory compare una richiesta di riscatto – How To Restore Your Files.txt – che menziona una vittima specifica, confermando la natura mirata dell’attacco.

Charon supporta una varietà di opzioni da riga di comando, dalla specifica dei percorsi di crittografia alla definizione delle priorità delle risorse di rete. All’avvio, crea un mutex chiamato OopsCharonHere, termina i processi di protezione, disabilita i servizi di sicurezza, elimina le copie shadow e svuota il Cestino. Quindi procede alla crittografia in un thread multi-thread, evitando i file di sistema (.exe, .dll), così come i propri componenti e la richiesta di riscatto.

Per la crittografia viene utilizzato uno schema ibrido: Curve25519 per lo scambio di chiavi e ChaCha20 per la crittografia dei dati. Ogni file viene fornito con un footer di 72 byte contenente la chiave pubblica e i metadati della vittima, che consente la decrittografia dei dati se la chiave privata è disponibile.

Inoltre, Charon ha capacità di movimento laterale: esegue la scansione della rete utilizzando NetShareEnum e WNetEnumResource, crittografa le condivisioni accessibili e funziona anche con percorsi UNC, bypassando solo ADMIN$ per ridurre le possibilità di essere rilevato.

Il binario contiene anche, sebbene inattivo, un componente basato sul driver del progetto open source Dark-Kill, progettato per disabilitare le soluzioni EDR . Dovrebbe essere installato come servizio WWC, ma non è utilizzato nella versione attuale: probabilmente la funzione non è ancora abilitata ed è in fase di preparazione per future iterazioni.

Sebbene l’uso di strumenti simili a quelli del gruppo cinese Earth Baxia sia sospetto, non ci sono prove conclusive del loro coinvolgimento: forse stanno prendendo in prestito tattiche o sviluppando in modo indipendente gli stessi concetti.

L’emergere di Charon è un’ulteriore prova del fatto che il ransomware sta adottando attivamente sofisticati metodi APT. La combinazione di tecniche di evasione avanzate con danni aziendali diretti sotto forma di perdita di dati e tempi di inattività aumenta i rischi e richiede alle organizzazioni di rivedere la propria strategia di difesa.

L'articolo Arriva Charon Ransomware. Supera EDR, è Stealh e strizza l’occhio ai migliori APT proviene da il blog della sicurezza informatica.

It’s hard to overstate the impact desktop 3D printing has had on the making and hacking scene. It drastically lowered the barrier for many to create their own projects, and much of the prototyping and distribution of parts and tools that we see today simply wouldn’t be possible via traditional means.

What might not be obvious to those new to the game is that much of what we take for granted today in the 3D printing world has its origins in open source hardware (OSHW). Unfortunately, [Josef Prusa] has reason to believe that this aspect of desktop 3D printing is dead.

If you’ve been following 3D printing for awhile, you’ll know how quickly the industry and the hobby have evolved. Just a few years ago, the choice was between spending the better part of $1,000 USD on a printer with all the bells and whistles, or taking your chances with a stripped-down clone for half the price. But today, you can get a machine capable of self calibration and multi-color prints for what used to be entry-level prices. According to [Josef] however, there’s a hidden cost to consider.

(Data from Espacenet International Database by European Patent Organization, March 2025) – Major Point made by Prusa on the number of patents from certain large-name companies
From major development comes major incentives. In 3D printing’s case, we can see the Chinese market dominance. Printers can be sold for a loss, and patents are filed when you can rely on government reimbursements, all help create the market majority we see today. Despite continuing to improve their printers, these advantages have made it difficult for companies such as Prusa Research to remain competitive.

That [Josef] has become disillusioned with open source hardware is unfortunately not news to us. Prusa’s CORE One, as impressive as it is, marked a clear turning point in how the company released their designs. Still, [Prusa]’s claims are not unfounded. Many similar issues have arisen in 3D printing before. One major innovation was even falsely patented twice, slowing adoption of “brick layering” 3D prints.

Nevertheless, no amount of patent trolling or market dominance is going to stop hackers from hacking. So while the companies that are selling 3D printers might not be able to offer them as OSHW, we feel confident the community will continue to embrace the open source principles that helped 3D printing become as big as it is today.

Thanks to [JohnU] for the tip.

hackaday.com/2025/08/13/josef-…

Mark Solotroff, figura cardine della scena noise-industrial e power electronics americana (fondatore di Intrinsic Action, Anatomy Of Habit, BLOODYMINDED), torna quest'anno con In Search of Total Placelessness
#musica

iyezine.com/mark-solotroff-in-…

@Musica Agorà

Mark Solotroff - In Search of Total Placelessness - In Your Eyes ezine

Mark Solotroff, figura cardine della scena noise-industrial e power electronics americana (fondatore di Intrinsic Action, Anatomy Of Habit, BLOODYMINDED), torna quest'anno con In Search of Total Placelessness

^{NoiseGang (In Your Eyes ezine)}

The Unknowns "Looking from the outside": un'esperienza punk che scuote e incendia! Scopri il terzo album della band australiana che spacca!

iyezine.com/the-unknowns-looki…

#musica @Musica Agorà

The Unknowns - Looking from the outside - In Your Eyes ezine

The Unknowns "Looking from the outside": un'esperienza punk che scuote e incendia! Scopri il terzo album della band australiana che spacca!

^{Reverend Shit-Man (In Your Eyes ezine)}

Introduction

Phishing and scams are dynamic types of online fraud that primarily target individuals, with cybercriminals constantly adapting their tactics to deceive people. Scammers invent new methods and improve old ones, adjusting them to fit current news, trends, and major world events: anything to lure in their next victim.

Since our last publication on phishing tactics, there has been a significant leap in the evolution of these threats. While many of the tools we previously described are still relevant, new techniques have emerged, and the goals and methods of these attacks have shifted.

In this article, we will explore:

• The impact of AI on phishing and scams
• How the tools used by cybercriminals have changed
• The role of messaging apps in spreading threats
• Types of data that are now a priority for scammers

AI tools leveraged to create scam content

Text

Traditional phishing emails, instant messages, and fake websites often contain grammatical and factual errors, incorrect names and addresses, and formatting issues. Now, however, cybercriminals are increasingly turning to neural networks for help.

They use these tools to create highly convincing messages that closely resemble legitimate ones. Victims are more likely to trust these messages, and therefore, more inclined to click a phishing link, open a malicious attachment, or download an infected file.

Example of a phishing email created with DeepSeek

The same is true for personal messages. Social networks are full of AI bots that can maintain conversations just like real people. While these bots can be created for legitimate purposes, they are often used by scammers who impersonate human users. In particular, phishing and scam bots are common in the online dating world. Scammers can run many conversations at once, maintaining the illusion of sincere interest and emotional connection. Their primary goal is to extract money from victims by persuading them to pursue “viable investment opportunities” that often involve cryptocurrency. This scam is known as pig butchering. AI bots are not limited to text communication, either; to be more convincing, they also generate plausible audio messages and visual imagery during video calls.

Deepfakes and AI-generated voices

As mentioned above, attackers are actively using AI capabilities like voice cloning and realistic video generation to create convincing audiovisual content that can deceive victims.

Beyond targeted attacks that mimic the voices and images of friends or colleagues, deepfake technology is now being used in more classic, large-scale scams, such as fake giveaways from celebrities. For example, YouTube users have encountered Shorts where famous actors, influencers, or public figures seemingly promise expensive prizes like MacBooks, iPhones, or large sums of money.

Deepfake YouTube Short

The advancement of AI technology for creating deepfakes is blurring the lines between reality and deception. Voice and visual forgeries can be nearly indistinguishable from authentic messages, as traditional cues used to spot fraud disappear.

Recently, automated calls have become widespread. Scammers use AI-generated voices and number spoofing to impersonate bank security services. During these calls, they claim there has been an unauthorized attempt to access the victim’s bank account. Under the guise of “protecting funds”, they demand a one-time SMS code. This is actually a 2FA code for logging into the victim’s account or authorizing a fraudulent transaction.
media.kasperskycontenthub.com/…Example of an OTP (one-time password) bot call

Data harvesting and analysis

Large language models like ChatGPT are well-known for their ability to not only write grammatically correct text in various languages but also to quickly analyze open-source data from media outlets, corporate websites, and social media. Threat actors are actively using specialized AI-powered OSINT tools to collect and process this information.

The data so harvested enables them to launch phishing attacks that are highly tailored to a specific victim or a group of victims – for example, members of a particular social media community. Common scenarios include:

• Personalized emails or instant messages from what appear to be HR staff or company leadership. These communications contain specific details about internal organizational processes.
• Spoofed calls, including video chats, from close contacts. The calls leverage personal information that the victim would assume could not be known to an outsider.

This level of personalization dramatically increases the effectiveness of social engineering, making it difficult for even tech-savvy users to spot these targeted scams.

Phishing websites

Phishers are now using AI to generate fake websites too. Cybercriminals have weaponized AI-powered website builders that can automatically copy the design of legitimate websites, generate responsive interfaces, and create sign-in forms.

Some of these sites are well-made clones nearly indistinguishable from the real ones. Others are generic templates used in large-scale campaigns, without much effort to mimic the original.

Phishing pages mimicking travel and tourism websites

Often, these generic sites collect any data a user enters and are not even checked by a human before being used in an attack. The following are examples of sites with sign-in forms that do not match the original interfaces at all. These are not even “clones” in the traditional sense, as some of the brands being targeted do not offer sign-in pages.

These types of attacks lower the barrier to entry for cybercriminals and make large-scale phishing campaigns even more widespread.

Login forms on fraudulent websites

Telegram scams

With its massive popularity, open API, and support for crypto payments, Telegram has become a go-to platform for cybercriminals. This messaging app is now both a breeding ground for spreading threats and a target in itself. Once they get their hands on a Telegram account, scammers can either leverage it to launch attacks on other users or sell it on the dark web.

Malicious bots

Scammers are increasingly using Telegram bots, not just for creating phishing websites but also as an alternative or complement to these. For example, a website might be used to redirect a victim to a bot, which then collects the data the scammers need. Here are some common schemes that use bots:

• Crypto investment scams: fake token airdrops that require a mandatory deposit for KYC verification

Telegram bot seemingly giving away SHIBARMY tokens

• Phishing and data collection: scammers impersonate official postal service to get a user’s details under the pretense of arranging delivery for a business package.

Phishing site redirects the user to an “official” bot.

• Easy money scams: users are offered money to watch short videos.

Phishing site promises easy earnings through a Telegram bot.

Unlike a phishing website that the user can simply close and forget about when faced with a request for too much data or a commission payment, a malicious bot can be much more persistent. If the victim has interacted with a bot and has not blocked it, the bot can continue to send various messages. These might include suspicious links leading to fraudulent or advertising pages, or requests to be granted admin access to groups or channels. The latter is often framed as being necessary to “activate advanced features”. If the user gives the bot these permissions, it can then spam all the members of these groups or channels.

Account theft

When it comes to stealing Telegram user accounts, social engineering is the most common tactic. Attackers use various tricks and ploys, often tailored to the current season, events, trends, or the age of their target demographic. The goal is always the same: to trick victims into clicking a link and entering the verification code.

Links to phishing pages can be sent in private messages or posted to group chats or compromised channels. Given the scale of these attacks and users’ growing awareness of scams within the messaging app, attackers now often disguise these phishing links using Telegram’s message-editing tools.

This link in this phishing message does not lead to the URL shown

New ways to evade detection

Integrating with legitimate services

Scammers are actively abusing trusted platforms to keep their phishing resources under the radar for as long as possible.

• Telegraph is a Telegram-operated service that lets anyone publish long-form content without prior registration. Cybercriminals take advantage of this feature to redirect users to phishing pages.

Phishing page on the telegra.ph domain

• Google Translate is a machine translation tool from Google that can translate entire web pages and generate links like https://site-to-translate-com.translate.goog/… Attackers exploit it to hide their assets from security vendors. They create phishing pages, translate them, and then send out the links to the localized pages. This allows them to both avoid blocking and use a subdomain at the beginning of the link that mimics a legitimate organization’s domain name, which can trick users.

Localized phishing page

• CAPTCHA protects websites from bots. Lately, attackers have been increasingly adding CAPTCHAs to their fraudulent sites to avoid being flagged by anti-phishing solutions and evade blocking. Since many legitimate websites also use various types of CAPTCHAs, phishing sites cannot be identified by their use of CAPTCHA technology alone.

CAPTCHA on a phishing site

Blob URL

Blob URLs (blob:example.com/…) are temporary links generated by browsers to access binary data, such as images and HTML code, locally. They are limited to the current session. While this technology was originally created for legitimate purposes, such as previewing files a user is uploading to a site, cybercriminals are actively using it to hide phishing attacks.

Blob URLs are created with JavaScript. The links start with “blob:” and contain the domain of the website that hosts the script. The data is stored locally in the victim’s browser, not on the attacker’s server.

Blob URL generation script inside a phishing kit

Hunting for new data

Cybercriminals are shifting their focus from stealing usernames and passwords to obtaining irrevocable or immutable identity data, such as biometrics, digital signatures, handwritten signatures, and voiceprints.

For example, a phishing site that asks for camera access supposedly to verify an account on an online classifieds service allows scammers to collect your biometric data.

Phishing for biometrics

For corporate targets, e-signatures are a major focus for attackers. Losing control of these can cause significant reputational and financial damage to a company. This is why services like DocuSign have become a prime target for spear-phishing attacks.

Phishers targeting DocuSign accounts

Even old-school handwritten signatures are still a hot commodity for modern cybercriminals, as they remain critical for legal and financial transactions.

Phishing for handwritten signatures

These types of attacks often go hand-in-hand with attempts to gain access to e-government, banking and corporate accounts that use this data for authentication.

These accounts are typically protected by two-factor authentication, with a one-time password (OTP) sent in a text message or a push notification. The most common way to get an OTP is by tricking users into entering it on a fake sign-in page or by asking for it over the phone.

Attackers know users are now more aware of phishing threats, so they have started to offer “protection” or “help for victims” as a new social engineering technique. For example, a scammer might send a victim a fake text message with a meaningless code. Then, using a believable pretext – like a delivery person dropping off flowers or a package – they trick the victim into sharing that code. Since the message sender indeed looks like a delivery service or a florist, the story may sound convincing. Then a second attacker, posing as a government official, calls the victim with an urgent message, telling them they have just been targeted by a tricky phishing attack. They use threats and intimidation to coerce the victim into revealing a real, legitimate OTP from the service the cybercriminals are actually after.

Fake delivery codes

Takeaways

Phishing and scams are evolving at a rapid pace, fueled by AI and other new technology. As users grow increasingly aware of traditional scams, cybercriminals change their tactics and develop more sophisticated schemes. Whereas they once relied on fake emails and websites, today, scammers use deepfakes, voice cloning and multi-stage tactics to steal biometric data and personal information.
Here are the key trends we are seeing:

• Personalized attacks: AI analyzes social media and corporate data to stage highly convincing phishing attempts.
• Usage of legitimate services: scammers are misusing trusted platforms like Google Translate and Telegraph to bypass security filters.
• Theft of immutable data: biometrics, signatures, and voiceprints are becoming highly sought-after targets.
• More sophisticated methods of circumventing 2FA: cybercriminals are using complex, multi-stage social engineering attacks.

How do you protect yourself?

• Critically evaluate any unexpected calls, emails, or messages. Avoid clicking links in these communications, even if they appear legitimate. If you do plan to open a link, verify its destination by hovering over it on a desktop or long-pressing on a mobile device.
• Verify sources of data requests. Never share OTPs with anyone, regardless of who they claim to be, even if they say they are a bank employee.
• Analyze content for fakery. To spot deepfakes, look for unnatural lip movements or shadows in videos. You should also be suspicious of any videos featuring celebrities who are offering overly generous giveaways.
• Limit your digital footprint. Do not post photos of documents or sensitive work-related information, such as department names or your boss’s name, on social media.

securelist.com/new-phishing-an…

If your guitar needs more distortion, lower audio fidelity, or another musical effect, you can always shell out some money to get a dedicated piece of hardware. For a less conventional route, though, you could follow [Brek Martin]’s example and reprogram a handheld game console as a digital effects processor.

[Brek] started with a Sony PSP 3000 handheld, with which he had some prior programming experience, having previously written a GPS maps program and an audio recorder for it. The PSP has a microphone input as part of the connector for a headset and remote, though [Brek] found that a Sony remote’s PCB had to be plugged in before the PSP would recognize the microphone. To make things a bit easier to work with, he made a circuit board that connected the remote’s hardware to a microphone jack and an output plug.

[Brek] implemented three effects: a flanger, bitcrusher, and crossover distortion. Crossover distortion distorts the signal as it crosses zero, the bitcrusher reduces sample rate to make the signal choppier, and the flanger mixes the current signal with its variably-delayed copy. [Brek] would have liked to implement more effects, but the program’s lag would have made it impractical. He notes that the program could run more quickly if there were a way to reduce the sample chunk size from 1024 samples, but if there is a way to do so, he has yet to find it.

If you’d like a more dedicated digital audio processor, you can also build one, perhaps using some techniques to reduce lag.

youtube.com/embed/MlPtfeSyyak?…

hackaday.com/2025/08/13/runnin…

Uso spesso podcast e video di persone di madrelingua inglese per migliorare la conoscenza della lingua.

Mi piacerebbe restituire il favore.

Ho pensato che magari da qualche parte sul pianeta c'è qualcuno che studia italiano a cui potrebbe fare altrettanto comodo avere uno sparring partner, quindi non podcast e video ma vere conversazioni on-line (gratuite).

Non so da che parte partire per far arrivare la notizia a chi potrebbe essere interessato, voi come fareste?

Si tratta di un latitante 44enne, ricercato dalle autorità italiane per i reati di associazione a delinquere finalizzata al traffico internazionale di sostanze stupefacenti con le aggravanti connesse a due distinti tentativi di importazione di ingenti quantitativi di cocaina dal Sudamerica.

E' ritenuto legato alla 'Ndrangheta. E' stato catturato in un appartamento nel quartiere residenziale di Cali.

A carico di Starnone è stata già emessa una sentenza di condanna a 5 anni e mezzo per reati di droga. L'uomo è stato catturato dalla polizia colombiana mentre si trovava in un appartamento nel quartiere residenziale nel capoluogo del dipartimento Valle del Cauca.

Essenziale l'apporto del progetto INTERPOL Cooperation Against ‘Ndrangheta (I-CAN).

Si tratta di un'iniziativa lanciata dall'Italia e dall'INTERPOL nel gennaio 2020 per contrastare la minaccia globale rappresentata dalla ‘Ndrangheta, come noto un'organizzazione criminale transnazionale altamente organizzata e potente.

Finanziato dal Dipartimento della Pubblica Sicurezza italiano, il progetto mira a rafforzare la cooperazione internazionale tra forze di polizia sfruttando le capacità dell'INTERPOL di condividere intelligence, competenze e best practice, trasformando così le informazioni in arresti e smantellando le reti criminali.

Avviato a Reggio Calabria l'obiettivo principale del progetto è stato - da subito - quello di istituire un sistema globale di allerta precoce contro questo "nemico invisibile". I-CAN opera attraverso una rete di paesi pilota, che inizialmente includevano Australia, Argentina, Brasile, Canada, Colombia, Francia, Germania, Italia, Svizzera, Stati Uniti e Uruguay, che si è espanso a 13, tra cui Austria, Belgio e Spagna.

Il progetto facilita operazioni coordinate transfrontaliere, come dimostrato dall'operazione globale del 2020 che ha portato all'arresto di sei latitanti legati alla 'Ndrangheta in Albania, Argentina e Costa Rica, con conseguente sequestro di 400 kg di cocaina e smantellamento del clan Bellocco. Le operazioni successive hanno continuato a dare risultati, tra cui l'arresto nel 2023 di un latitante di 16 anni, Edgardo Greco, in Francia, con il supporto di I-CAN.

Il progetto si è evoluto oltre la sua fase iniziale, con iniziative in corso tra cui la Conferenza I-CAN del 2022 a Roma, che ha riunito le forze dell'ordine di 14 paesi per definire una strategia unitaria contro la 'Ndrangheta, oggi considerata un'entità criminale "silenziosa e pervasiva" che si infiltra nelle economie legittime attraverso la corruzione e il riciclaggio di denaro.

Il successo del progetto si basa su una combinazione di condivisione di intelligence, coordinamento internazionale e utilizzo di strumenti analitici avanzati per esplorare dati provenienti da diverse fonti, consentendo indagini transnazionali. Il suo quadro continua a sostenere gli sforzi in corso, tra cui il progetto I-FORCE, incentrato sulla cooperazione regionale nell'Europa orientale e sudorientale.

#ndrangheta #ican #interpol #iforce

@Attualità e Geopolitica - Gruppo di discussione