RICORSO STRAORDINARIO CONTRO LA MADRE DI TUTTE LE ORDINANZE

Per l'impatto dell'ordinanza commissariale n. 24/2025, le realtà dell'Unione dei Comitati contro l'inceneritore insieme a Zero Waste e VAS, hanno fatto ricorso straordinario al Presidente della Repubblica.

Ieri abbiamo pertanto impugnato "la madre di tutte le ordinanze" perché con essa il 9 maggio Gualtieri ha dichiarato la pubblica utilità del mega impianto. Con questa ordinanza, ha approvato l'aggiudicazione fatta da Roma Capitale, disposto la presa d'atto della concessione e del diritto di superficie in favore di Renew Rome (la cordata guidata da Acea) prevedendo le famigerate operazioni di cantierizzazione che hanno portato alla devastazione di tutta la vegetazione ripariale del fosso della Cancelliera.

L'ordinanza è una lunghissima sequela di vizi di legittimità puntualmente indicati nel ricorso per il quale ci siamo affidati ancora una volta alla straordinaria professionalità di Giuseppe Libutti che, per questo giudizio, lavorerà con il collega Benedetto Cimino. Presto o tardi avremo giustizia. Santa Palomba non si piega.

#Ambiente #StopInceneritore #NoInceneritore #NoInceneritori #ZeroWaste #Rifiuti #Riciclo #EconomiaCircolare #NoAlCarbone #EnergiaPulita

Il Gruppo di Azione Finanziaria Internazionale (#GAFI), il Gruppo #Egmont, l' #INTERPOL e l'Ufficio delle Nazioni Unite contro la Droga e il Crimine (#UNODC) chiedono una maggiore collaborazione globale tra analisti, investigatori, pubblici ministeri e altri soggetti, con il lancio di un pratico Manuale sulla Cooperazione Internazionale contro il Riciclaggio di Denaro, che fornisce strumenti essenziali per aiutare i Paesi ad accelerare le indagini e assicurare alla giustizia un maggior numero di criminali.
Il riciclaggio di denaro attraversa quasi sempre i confini nazionali e i criminali sfruttano le lacune tra i sistemi giuridici nazionali per nascondere le proprie attività ed evitare le sanzioni. Tuttavia, le valutazioni del GAFI mostrano costantemente che indagare, perseguire e sanzionare il riciclaggio di denaro rimane uno degli ambiti più deboli a livello mondiale. Senza una cooperazione più efficace, i Paesi non possono fermare sul nascere la criminalità finanziaria.
"Una minaccia internazionale richiede una risposta internazionale. Una vittima può spesso trovarsi dall'altra parte del mondo rispetto ai criminali che stanno distruggendo le loro vite o i loro mezzi di sussistenza, quindi dobbiamo vedere i paesi collaborare in modo più efficace e moltiplicare le nostre difese per garantire la sicurezza delle persone, assicurare più criminali alla giustizia e recuperare i profitti illeciti" è stata la dichiarazione di Elisa de Anda Madrazo, Presidente del GAFI

Globalizzazione dei sistemi finanziari e rapidi progressi tecnologici

Il manuale risponde alla globalizzazione dei sistemi finanziari e ai rapidi progressi tecnologici, che richiedono intelligence e azioni più rapide per tenere il passo con i criminali.
La risposta è promuove quindi la cooperazione informale, come canali di comunicazione sicuri, meccanismi di risposta rapida e analisi congiunte, che possono consentire indagini più rapide, flessibili e mirate, integrando i processi formali, solitamente legali, che sono spesso più lenti e proceduralmente complessi.

Collaborazione efficace

Il manuale evidenzia casi concreti che dimostrano l'impatto della cooperazione internazionale: le Unità di Intelligence Finanziaria in Italia, Spagna e Paesi Bassi hanno scoperto un sistema di riciclaggio transfrontaliero da 95 milioni di euro attraverso analisi congiunte e condivisione di informazioni. L'operazione AVARUS-X in Australia, supportata dalla Sicurezza Nazionale degli Stati Uniti, ha smantellato una rete di riciclaggio che sfruttava le società di servizi finanziari per trasferire miliardi di dollari australiani all'anno. Le autorità statunitensi e indiane si sono coordinate in tempo reale per sequestrare asset in criptovaluta per un valore di 150 milioni di dollari, collegati al traffico di droga. Un'indagine multinazionale supportata dall'INTERPOL sul traffico di corni di rinoceronte ha ottenuto condanne a Singapore, supportate da prove provenienti dal Sudafrica.
Le organizzazioni avvertono che i criminali continueranno a sfruttare le scappatoie legali a meno che le unità di informazione finanziaria, le forze dell'ordine e i pubblici ministeri non cooperino in modo più efficace.
Quali le sfide

Le giurisdizioni devono affrontare diverse sfide nella gestione dei casi di riciclaggio di denaro, tra cui: accesso e poteri diseguali: le autorità competenti hanno livelli diversi di accesso alle informazioni, limitando la loro capacità di indagare efficacemente; volume crescente di dati e casi: l'aumento dei casi e delle richieste internazionali richiede risorse e capacità adeguate per gestirli; differenze nelle priorità: le giurisdizioni possono avere priorità diverse riguardo ai casi, complicando la cooperazione internazionale e l'efficacia delle indagini.
L'approccio delle autorità competenti nella cooperazione internazionale contro il riciclaggio di denaro è evoluto verso una strategia più mirata, in risposta all'aumento della complessità e del volume dei casi. Le autorità ora identificano specificamente quando e quali informazioni richiedere, cercando di massimizzare l'efficacia degli scambi di cooperazione. Inoltre, si è assistito a un passaggio da un approccio reattivo a uno più proattivo, anticipando nuove minacce e sfide nel panorama del crimine finanziario.

Cooperazione informale

Le autorità competenti possono utilizzare quattro principali tipi di cooperazione informale per assistenza: la cooperazione multilaterale: scambi di informazioni tra più giurisdizioni su piattaforme stabilite; quella bilaterale: scambi diretti tra due giurisdizioni; la così detta diagonale: collaborazione tra giurisdizioni diverse che non sono necessariamente collegate.
Inoltre possono approdare ad analisi e indagini congiunte: lavoro collaborativo su casi specifici per approfondire l'analisi e le indagini.
Le autorità competenti possono migliorare l'efficacia delle richieste internazionali di informazioni attraverso: la formazione e consapevolezza: garantire che il personale sia formato sui canali di assistenza disponibili e su come utilizzarli efficacemente; l' utilizzo di formati standardizzati: adottare modelli di richiesta standardizzati per facilitare la condivisione e la comparazione dei dati, riducendo il rischio di malintesi; la comunicazione continua: mantenere una comunicazione costante con le autorità richiedenti e riceventi per garantire che le esigenze siano soddisfatte e per fornire feedback tempestivi.
Esistono diversi strumenti e reti di cooperazione per facilitare lo scambio di informazioni tra le autorità competenti, tra cui:
- Piattaforme di comunicazione sicure: come il sistema Secure Web dell'Egmont Group (ESW), I-24/7 di INTERPOL e SIENA di Europol, che garantiscono comunicazioni criptate.
- Reti multilaterali: come il gruppo Egmont delle FIUs e INTERPOL, che offrono quadri per analisi congiunte e indagini collaborative.
- Protocolli standardizzati: linee guida e pratiche comuni che facilitano uno scambio di informazioni più coerente e affidabile.

Per saperne di più fatf-gafi.org/content/dam/fatf…

Chemical warfare detection was never supposed to be a hobbyist project. Yet here we are: Air Quality Guardian by [debdoot], the self-proclaimed world’s first open source chemical threat detection system, packs lab-grade sensing into an ESP32-based build for less than $100. Compare that with $10,000+ black-box hardware and you see why this is worth trying at home.

It’s nothing like your air monitor from IKEA. Unlike those, or the usual indoor monitors, this device goes full counter-surveillance. It sniffs for organophosphates, carbamates, even stealth low-VOC agents designed to trick consumer sensors. It flags when incense or frying oil is used to mask something nastier. It does so by analysing raw gas sensor resistance – ohm-level data most devices throw away – combined with temporal spikes, humidity correlations, and a database of 35+ signatures.

This technology – once only available in expensive military labs – can be useful in many situations: journalists or whistleblowers can record signs of chemical harassment, safehouses can notice when their air changes in suspicious ways, and researchers can test strange environmental events. Of course, you must take care with calibration, and sometimes the system may give a false alarm. Still, just having such a detector visible already makes attacks less likely.

Featured Image by Arjun Lama on Unsplash

hackaday.com/2025/09/16/seriou…

Background

RevengeHotels, also known as TA558, is a threat group that has been active since 2015, stealing credit card data from hotel guests and travelers. RevengeHotels’ modus operandi involves sending emails with phishing links which redirect victims to websites mimicking document storage. These sites, in turn, download script files to ultimately infect the targeted machines. The final payloads consist of various remote access Trojan (RAT) implants, which enable the threat actor to issue commands for controlling compromised systems, stealing sensitive data, and maintaining persistence, among other malicious activities.

In previous campaigns, the group was observed using malicious emails with Word, Excel, or PDF documents attached. Some of them exploited the CVE-2017-0199 vulnerability, loading Visual Basic Scripting (VBS), or PowerShell scripts to install customized versions of different RAT families, such as RevengeRAT, NanoCoreRAT, NjRAT, 888 RAT, and custom malware named ProCC. These campaigns affected hotels in multiple countries across Latin America, including Brazil, Argentina, Chile, and Mexico, but also hotel front-desks globally, particularly in Russia, Belarus, Turkey, and so on.

Later, this threat group expanded its arsenal by adding XWorm, a RAT with commands for control, data theft, and persistence, amongst other things. While investigating the campaign that distributed XWorm, we identified high-confidence indicators that RevengeHotels also used the RAT tool named DesckVBRAT in their operations.

In the summer of 2025, we observed new campaigns targeting the same sector and featuring increasingly sophisticated implants and tools. The threat actors continue to employ phishing emails with invoice themes to deliver VenomRAT implants via JavaScript loaders and PowerShell downloaders. A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents. This suggests that the threat actor is now leveraging AI to evolve its capabilities, a trend also reported among other cybercriminal groups.

The primary targets of these campaigns are Brazilian hotels, although we have also observed attacks directed at Spanish-speaking markets. Through a comprehensive analysis of the attack patterns and the threat actor’s modus operandi, we have established with high confidence that the responsible actor is indeed RevengeHotels. The consistency of the tactics, techniques, and procedures (TTPs) employed in these attacks aligns with the known behavior of RevengeHotels. The infrastructure used for payload delivery relies on legitimate hosting services, often utilizing Portuguese-themed domain names.

Initial infection

The primary attack vector employed by RevengeHotels is phishing emails with invoicing themes, which urge the recipient to settle overdue payments. These emails are specifically targeted at email addresses associated with hotel reservations. While Portuguese is a common language used in these phishing emails, we have also discovered instances of Spanish-language phishing emails, indicating that the threat actor’s scope extends beyond Brazilian hospitality establishments and may include targets in Spanish-speaking countries or regions.

Example of a phishing email about a booking confirmation

In recent instances of these attacks, the themes have shifted from hotel reservations to fake job applications, where attackers sent résumés in an attempt to exploit potential job opportunities at the targeted hotels.

Malicious implant

The malicious websites, which change with each email, download a WScript JS file upon being visited, triggering the infection process. The filename of the JS file changes with every request. In the case at hand, we analyzed Fat146571.js (fbadfff7b61d820e3632a2f464079e8c), which follows the format Fat\{NUMBER\}.js, where “Fat” is the beginning of the Portuguese word “fatura”, meaning “invoice”.

The script appears to be generated by a large language model (LLM), as evidenced by its heavily commented code and a format similar to those produced by this type of technology. The primary function of the script is to load subsequent scripts that facilitate the infection.

A significant portion of the new generation of initial infectors created by RevengeHotels contains code that seems to have been generated by AI. These LLM-generated code segments can be distinguished from the original malicious code by several characteristics, including:

• The cleanliness and organization of the code
• Placeholders, which allow the threat actor to insert their own variables or content
• Detailed comments that accompany almost every action within the code
• A notable lack of obfuscation, which sets these LLM-generated sections apart from the rest of the code

AI generated code in a malicious implant as compared to custom code

Second loading step

Upon execution, the loader script, Fat\{NUMBER\}.js, decodes an obfuscated and encoded buffer, which serves as the next step in loading the remaining malicious implants. This buffer is then saved to a PowerShell (PS1) file named SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1 (d5f241dee73cffe51897c15f36b713cc), where “\{TIMESTAMP\}” is a generated number based on the current execution date and time. This ensures that the filename changes with each infection and is not persistent. Once the script is saved, it is executed three times, after which the loader script exits.

The script SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1 runs a PowerShell command with Base64-encoded code. This code retrieves the cargajecerrr.txt (b1a5dc66f40a38d807ec8350ae89d1e4) file from a remote malicious server and invokes it as PowerShell.

This downloader, which is lightly obfuscated, is responsible for fetching the remaining files from the malicious server and loading them. Both downloaded files are Base64-encoded and have descriptive names: venumentrada.txt (607f64b56bb3b94ee0009471f1fe9a3c), which can be interpreted as “VenomRAT entry point”, and runpe.txt (dbf5afa377e3e761622e5f21af1f09e6), which is named after a malicious tool for in-memory execution. The first file, venumentrada.txt, is a heavily obfuscated loader (MD5 of the decoded file: 91454a68ca3a6ce7cb30c9264a88c0dc) that ensures the second file, a VenomRAT implant (3ac65326f598ee9930031c17ce158d3d), is correctly executed in memory.

The malicious code also exhibits characteristics consistent with generation by an AI interface, including a coherent code structure, detailed commenting, and explicit variable naming. Moreover, it differs significantly from previous samples, which had a structurally different, more obfuscated nature and lacked comments.

Exploring VenomRAT

VenomRAT, an evolution of the open-source QuasarRAT, was first discovered in mid-2020 and is offered on the dark web, with a lifetime license costing up to $650. Although the source code of VenomRAT was leaked, it is still being sold and used by threat actors.

VenomRAT packages on the dark web

According to the vendor’s website, VenomRAT offers a range of capabilities that build upon and expand those of QuasarRAT, including HVNC hidden desktop, file grabber and stealer, reverse proxy, and UAC exploit, amongst others.

As with other RATs, VenomRAT clients are generated with custom configurations. The configuration data within the implant (similar to QuasarRAT) is encrypted using AES and PKCS #5 v2.0, with two keys employed: one for decrypting the data and another for verifying its authenticity using HMAC-SHA256. Throughout the malware code, different sets of keys and initialization vectors are used sporadically, but they consistently implement the same AES algorithm.

Anti-kill

It is notable that VenomRAT features an anti-kill protection mechanism, which can be enabled by the threat actor upon execution. Initially, the RAT calls a function named EnableProtection, which retrieves the security descriptor of the malicious process and modifies the Discretionary Access Control List (DACL) to remove any permissions that could hinder the RAT’s proper functioning or shorten its lifespan on the system.

The second component of this anti-kill measure involves a thread that runs a continuous loop, checking the list of running processes every 50 milliseconds. The loop specifically targets those processes commonly used by security analysts and system administrators to monitor host activity or analyze .NET binaries, among other tasks. If the RAT detects any of these processes, it will terminate them without prompting the user.

List of processes that the malware looks for to terminate

The anti-kill measure also involves persistence, which is achieved through two mechanisms written into a VBS file generated and executed by VenomRAT. These mechanisms ensure the malware’s continued presence on the system:

1. Windows Registry: The script creates a new key under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, pointing to the executable path. This allows the malware to persist across user sessions.
2. Process: The script runs a loop that checks for the presence of the malware process in the process list. If it is not found, the script executes the malware again.

If the user who executed the malware has administrator privileges, the malware takes additional steps to ensure its persistence. It sets the SeDebugPrivilege token, enabling it to use the RtlSetProcessIsCritical function to mark itself as a critical system process. This makes the process “essential” to the system, allowing it to persist even when termination is attempted. However, when the administrator logs off or the computer is about to shut down, VenomRAT removes its critical mark to permit the system to proceed with these actions.

As a final measure to maintain persistence, the RAT calls the SetThreadExecutionState function with a set of flags that forces the display to remain on and the system to stay in a working state. This prevents the system from entering sleep mode.

Separately from the anti-kill methods, the malware also includes a protection mechanism against Windows Defender. In this case, the RAT actively searches for MSASCui.exe in the process list and terminates it. The malware then modifies the task scheduler and registry to disable Windows Defender globally, along with its various features.

Networking

VenomRAT employs a custom packet building and serialization mechanism for its networking connection to the C2 server. Each packet is tailored to a specific action taken by the RAT, with a dedicated packet handler for each action. The packets transmitted to the C2 server undergo a multi-step process:

1. The packet is first serialized to prepare it for transmission.
2. The serialized packet is then compressed using LZMA compression to reduce its size.
3. The compressed packet is encrypted using AES-128 encryption, utilizing the same key and authentication key mentioned earlier.

Upon receiving packets from the C2 server, VenomRAT reverses this process to decrypt and extract the contents.

Additionally, VenomRAT implements tunneling by installing ngrok on the infected computer. The C2 server specifies the token, protocol, and port for the tunnel, which are sent in the serialized packet. This allows remote control services like RDP and VNC to operate through the tunnel and to be exposed to the internet.

USB spreading

VenomRAT also possesses the capability to spread via USB drives. To achieve this, it scans drive letters from C to M and checks if each drive is removable. If a removable drive is detected, the RAT copies itself to all available drives under the name My Pictures.exe.

Extra stealth steps

In addition to copying itself to another directory and changing its executable name, VenomRAT employs several stealth techniques that distinguish it from QuasarRAT. Two notable examples include:

• Deletion of Zone.Identifier streams: VenomRAT deletes the Mark of the Web streams, which contain metadata about the URL from which the executable was downloaded. By removing this information, the RAT can evade detection by security tools like Windows Defender and avoid being quarantined, while also eliminating its digital footprint.
• Clearing Windows event logs: The malware clears all Windows event logs on the compromised system, effectively creating a “clean slate” for its operations. This action ensures that any events generated during the RAT’s execution are erased, making it more challenging for security analysts to detect and track its activities.

Victimology

The primary targets of RevengeHotels attacks continue to be hotels and front desks, with a focus on establishments located in Brazil. However, the threat actors have been adapting their tactics, and phishing emails are now being sent in languages other than Portuguese. Specifically, we’ve observed that emails in Spanish are being used to target hotels and tourism companies in Spanish-speaking countries, indicating a potential expansion of the threat actor’s scope. Note that among earlier victims of this threat are such Spanish-speaking countries as Argentina, Bolivia, Chile, Costa Rica, Mexico, and Spain.

It is important to point out that previously reported campaigns have mentioned the threat actor targeting hotel front desks globally, particularly in Russia, Belarus, and Turkey, although no such activity has yet been detected during the latest RevengeHotels campaign.

Conclusions

RevengeHotels has significantly enhanced its capabilities, developing new tactics to target the hospitality and tourism sectors. With the assistance of LLM agents, the group has been able to generate and modify their phishing lures, expanding their attacks to new regions. The websites used for these attacks are constantly rotating, and the initial payloads are continually changing, but the ultimate objective remains the same: to deploy a remote access Trojan (RAT). In this case, the RAT in question is VenomRAT, a privately developed variant of the open-source QuasarRAT.

Kaspersky products detect these threats as HEUR:Trojan-Downloader.Script.Agent.gen, HEUR:Trojan.Win32.Generic, HEUR:Trojan.MSIL.Agent.gen, Trojan-Downloader.PowerShell.Agent.ady, Trojan.PowerShell.Agent.aqx.

Indicators of compromise

fbadfff7b61d820e3632a2f464079e8c Fat146571.js
d5f241dee73cffe51897c15f36b713cc SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1
1077ea936033ee9e9bf444dafb55867c cargajecerrr.txt
b1a5dc66f40a38d807ec8350ae89d1e4 cargajecerrr.txt
dbf5afa377e3e761622e5f21af1f09e6 runpe.txt
607f64b56bb3b94ee0009471f1fe9a3c venumentrada.txt
3ac65326f598ee9930031c17ce158d3d deobfuscated runpe.txt
91454a68ca3a6ce7cb30c9264a88c0dc deobfuscated venumentrada.txt

securelist.com/revengehotels-a…

🔴 BASTA POTERI SPECIALI
Oltre 10mila le firme raccolte, talmente tante da dover organizzare la trasferta con destinazione Montecitorio per la prossima settimana.
Le faremo valere tutte!!

#Ambiente #StopInceneritore #NoInceneritore #NoInceneritori #ZeroWaste #Rifiuti #Riciclo #EconomiaCircolare #NoAlCarbone #EnergiaPulita