Summary

In September 2024, we detected malicious activity targeting financial (trading and brokerage) firms through the distribution of malicious .scr (screen saver) files disguised as financial documents via Skype messenger. The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase. To evade detection, the attackers used steganography to embed shellcode within image files. This shellcode downloads GodRAT from a Command-and-Control (C2) server.

GodRAT supports additional plugins. Once installed, attackers utilized the FileManager plugin to explore the victim’s systems and deployed browser password stealers to extract credentials. In addition to GodRAT, they also used AsyncRAT as a secondary implant to maintain extended access.

GodRAT is very similar to the AwesomePuppet, another Gh0st RAT-based backdoor, which we reported in 2023, both in its code and distribution method. This suggests that it is probably an evolution of AwesomePuppet, which is in turn likely connected to the Winnti APT.

As of this blog’s publication, the attack remains active, with the most recent detection observed on August 12, 2025. Below is a timeline of attacks based on detections of GodRAT shellcode injector executables. In addition to malicious .scr (screen saver) files, attackers also used .pif (Program Information File) files masquerading as financial documents.

Technical details

Malware implants

Shellcode loaders

We identified the use of two types of shellcode loaders, both of which execute the shellcode by injecting it into their own process. The first embeds the shellcode bytes directly into the loader binary, and the second reads the shellcode from an image file.

A GodRAT shellcode injector file named “2024-08-01_2024-12-31Data.scr” (MD5 d09fd377d8566b9d7a5880649a0192b4) is an executable that XOR-decodes embedded shellcode using the following hardcoded key: “OSEDBIU#IUSBDGKJS@SIHUDVNSO*SKJBKSDS#SFDBNXFCB”. A new section is then created in the memory of an executable process, where the decoded shellcode is copied. Then the new section is mapped into the process memory and a thread is spawned to execute the shellcode.

Another file, “2024-11-15_23.45.45 .scr” (MD5 e723258b75fee6fbd8095f0a2ae7e53c), serves as a self-extracting executable containing several embedded files as shown in the image below.

Content of self-extracting executable

Among these is “SDL2.dll” (MD5 512778f0de31fcce281d87f00affa4a8), which is a loader. The loader “SDL2.dll” is loaded by the legitimate executable Valve.exe (MD5 d6d6ddf71c2a46b4735c20ec16270ab6). Both the loader and Valve.exe are signed with an expired digital certificate. The certificate details are as follows:

• Serial Number: 084caf4df499141d404b7199aa2c2131
• Issuer Common Name: DigiCert SHA2 Assured ID Code Signing CA
• Validity: Not Before: Friday, September 25, 2015 at 5:30:00 AM; Not After: Wednesday, October 3, 2018 at 5:30:00 PM
• Subject: Valve

The loader “SDL2.dll” extracts shellcode bytes hidden within an image file “2024-11-15_23.45.45.jpg”. The image file represents some sort of financial details as shown below.

The loader allocates memory, copies the extracted shellcode bytes, and spawns a thread to execute it. We’ve also identified similar loaders that extracted shellcode from an image file named “2024-12-10_05.59.18.18.jpg”. One such loader (MD5 58f54b88f2009864db7e7a5d1610d27d) creates a registry load point entry at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyStartupApp” that points to the legitimate executable Valve.exe.

Shellcode functionality

The shellcode begins by searching for the string “godinfo,” which is immediately followed by configuration data that is decoded using the single-byte XOR key 0x63. The decoded configuration contains the following details: C2 IP address, port, and module command line string. The shellcode connects to the C2 server and transmits the string “GETGOD.” The C2 server responds with data representing the next (second) stage of the shellcode. This second-stage shellcode includes bootstrap code, a UPX-packed GodRAT DLL and configuration data. However, after downloading the second-stage shellcode, the first stage shellcode overwrites the configuration data in the second stage with its own configuration data. A new thread is then created to execute the second-stage shellcode. The bootstrap code injects the GodRAT DLL into memory and subsequently invokes the DLL’s entry point and its exported function “run.” The entire next-stage shellcode is passed as an argument to the “run” function.

GodRAT

The GodRAT DLL has the internal name ONLINE.dll and exports only one method: “run”. It checks the command line parameters and performs the following operations:

1. If the number of command line arguments is one, it copies the command line from the configuration data, which was “C:\Windows\System32\curl.exe” in the analyzed sample. Then it appends the argument “-Puppet” to the command line and creates a new process with the command line “C:\Windows\System32\curl.exe -Puppet”. The parameter “-Puppet” was used in AwesomePuppet RAT in a similar way. If this fails, GodRAT tries to create a process with the hardcoded command “%systemroot%\system2\cmd.exe -Puppet”. If successful, it suspends the process, allocates memory, and writes the shellcode buffer (passed as a parameter to the exported function “run”) to the allocated memory. A thread is then created to execute the shellcode, and the current process exits. This is done to execute GodRAT inside the curl.exe or cmd.exe process.
2. If the number of command line arguments is greater than one, it checks if the second argument is “-Puppet.” If true, it proceeds with the RAT’s functionality; otherwise, it acts as if the number of command line arguments is one, as described in the previous case.

The RAT establishes a TCP connection to the C2 server on the port from the configuration blob. It collects the following victim information: OS information, local hostname, malware process name and process ID, user account name associated with malware process, installed antivirus software and whether a capture driver is present. A capture driver is probably needed for capturing pictures, but we haven’t observed such behavior in the analyzed sample.

The collected data is zlib (deflate) compressed and then appended with a 15-byte header. Afterward, it is XOR-encoded three times per byte. The final data sent to the C2 server includes a 15-byte header followed by the compressed data blob. The header consists of the following fields: magic bytes (\x74\x78\x20) , total size (compressed data size + header size), decompressed data size, and a fixed DWORD (1 for incoming data and 2 for outgoing data). The data received from the C2 is only XOR-decoded, again three times per byte. This received data includes a 15-byte header followed by the command data. The RAT can perform the following operations based on the received command data:

• Inject a received plugin DLL into memory and call its exported method “PluginMe”, passing the C2 hostname and port as arguments. It supports different plugins, but we only saw deployment of the FileManager plugin
• Close the socket and terminate the RAT process
• Download a file from a provided URL and launch it using the CreateProcessA API, using the default desktop (WinSta0\Default)
• Open a given URL using the shell command for opening Internet Explorer (e.g. “C:\Program Files\Internet Explorer\iexplore.exe” %1)
• Same as above but specify the default desktop (WinSta0\Default)
• Create the file “%AppData%\config.ini”, create a section named “config” inside this file, and, create in that section a key called “NoteName” with the string provided from the C2 as its value

GodRAT FileManager plugin

The FileManager plugin DLL has the internal name FILE.dll and exports a single method called PluginMe. This plugin gathers the following victim information: details about logical drives (including drive letter, drive type, total bytes, available free bytes, file system name, and volume name), the desktop path of the currently logged-on user, and whether the user is operating under the SYSTEM account. The plugin can perform the following operations based on the commands it receives:

• List files and folders at a specified location, collecting details like type (file or folder), name, size, and last write time
• Write data to an existing file at a specified offset
• Read data from a file at a specified offset
• Delete a file at a specified path
• Recursively delete files at a specified path
• Check for the existence of a specified file. If the file exists, send its size; otherwise, create a file for writing.
• Create a directory at a specified path
• Move an existing file or directory, including its children
• Open a specified application with its window visible using the ShellExecuteA API
• Open a specified application with its window hidden using the ShellExecuteA API
• Execute a specified command line with a hidden window using cmd.exe
• Search for files at a specified location, collecting absolute file paths, sizes, and last write times
• Stop a file search operation
• Execute 7zip by writing hard-coded 7zip executable bytes to “%AppData%\7z.exe” (MD5 eb8d53f9276d67afafb393a5b16e7c61) and “%AppData%\7z.dll” (MD5 e055aa2b77890647bdf5878b534fba2c), and then runs “%AppData%\7z.exe” with parameters provided by the C2. The utility is used to unzip dropped files.

Second-stage payload

The attackers deployed the following second-stage implants using GodRAT’s FileManager plugin:

Chrome password stealer

The stealer is placed at “%ALLUSERSPROFILE%\google\chrome.exe” (MD5 31385291c01bb25d635d098f91708905). It looks for Chrome database files with login data for accessed websites, including URLs and usernames used for authentication, as well as user passwords. The collected data is saved in the file “google.txt” within the module’s directory. The stealer searches for the following files:

• %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data – an SQLite database with login and stats tables. This can be used to extract URLs and usernames used for authentication. Passwords are encrypted and not visible.
• %LOCALAPPDATA%\Google\Chrome\User Data\Local State – a file that contains the encryption key needed to decrypt stored passwords.

MSEdge password stealer

The stealer is placed at “%ALLUSERSPROFILE%\google\msedge.exe” (MD5 cdd5c08b43238c47087a5d914d61c943). The collected data is stored in the file “edge.txt” in the module’s directory. The module attempts to extract passwords using the following database and file:

• %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data – the “Login Data” SQLite database stores Edge logins in the “logins” table.
• %LOCALAPPDATA%\Microsoft\Edge\User Data\Local State – this file contains the encryption key used to decrypt saved passwords.

AsyncRAT

The DLL file (MD5 605f25606bb925d61ccc47f0150db674) is an injector and is placed at “%LOCALAPPDATA%\bugreport\LoggerCollector.dll” or “%ALLUSERSPROFILE%\bugreport\LoggerCollector.dll”. It verifies that the module name matches “bugreport_.exe”. The loader then XOR-decodes embedded shellcode using the key “EG9RUOFIBVODSLFJBXLSVWKJENQWBIVUKDSZADVXBWEADSXZCXBVADZXVZXZXCBWES”. After decoding, it subtracts the second key “IUDSY86BVUIQNOEWSUFHGV87QCI3WEVBRSFUKIHVJQW7E8RBUYCBQO3WEIQWEXCSSA” from each shellcode byte.

A new memory section is created, the XOR-decoded shellcode is copied into it, and then the section is mapped into the current process memory. A thread is started to execute the code in this section. The shellcode is used to reflectively inject the C# AsyncRAT binary. Before injection, it patches the AMSI scanning functions (AmsiScanBuffer, AmsiScanString) and the EtwEventWrite function to bypass security checks.
AsyncRAT includes an embedded certificate with the following properties:

• Serial Number: df:2d:51:bf:e8:ec:0c:dc:d9:9a:3e:e8:57:1b:d9
• Issuer: CN = marke
• Validity: Not Before: Sep 4 18:59:09 2024 GMT; Not After: Dec 31 23:59:59 9999 GMT
• Subject: CN = marke

GodRAT client source and builder

We discovered the source code for the GodRAT client on a popular online malware scanner. It had been uploaded in July 2024. The file is named “GodRAT V3.5_______dll.rar” (MD5 04bf56c6491c5a455efea7dbf94145f1). This archive also includes the GodRAT builder (MD5 5f7087039cb42090003cc9dbb493215e), which allows users to generate either an executable file or a DLL. If an executable is chosen, users can pick a legitimate executable name from a list (svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe and QQScLauncher.exe) to inject the code into. When saving the final payload, the user can choose the file type (.exe, .com, .bat, .scr and .pif). The source code is based on Gh0st RAT, as indicated by the fact that the auto-generated UID in “GodRAT.h” file matches that of “gh0st.h”, which suggests that GodRAT was originally just a renamed version of Gh0st RAT.

GodRAT.h

gh0st.h

Conclusions

The rare command line parameter “puppet,” along with code similarities to Gh0st RAT and shared artifacts such as the fingerprint header, indicate that GodRAT shares a common origin with AwesomePuppet RAT, which we described in a private report in 2023. This RAT is also based on the Gh0st RAT source code and is likely connected with Winnty APT activities. Based on these findings, we are highly confident that GodRAT is an evolution of AwesomePuppet. There are some differences, however. For example, the C2 packet of GodRAT uses the “direction” field, which was not utilized in AwesomePuppet.

Old implant codebases, such as Gh0st RAT, which are nearly two decades old, continue to be used today. These are often customized and rebuilt to target a wide range of victims. These old implants are known to have been used by various threat actors for a long time, and the GodRAT discovery demonstrates that legacy codebases like Gh0st RAT can still maintain a long lifespan in the cybersecurity landscape.

Indicator of Compromise

File hashes

cf7100bbb5ceb587f04a1f42939e24ab
d09fd377d8566b9d7a5880649a0192b4 GodRAT Shellcode Injector
e723258b75fee6fbd8095f0a2ae7e53c GodRAT Self Extracting Executable
a6352b2c4a3e00de9e84295c8d505dad
6c12ec3795b082ec8d5e294e6a5d6d01
bb23d0e061a8535f4cb8c6d724839883
160a80a754fd14679e5a7b5fc4aed672
2750d4d40902d123a80d24f0d0acc454
441b35ee7c366d4644dca741f51eb729
318f5bf9894ac424fd4faf4ba857155e GodRAT Shellcode Injector
512778f0de31fcce281d87f00affa4a8 GodRAT Shellcode Injector
6cad01ca86e8cd5339ff1e8fff4c8558 GodRAT Shellcode Injector
58f54b88f2009864db7e7a5d1610d27d GodRAT Shellcode Injector
64dfcdd8f511f4c71d19f5a58139f2c0 GodRAT FileManager Plugin(n)
8008375eec7550d6d8e0eaf24389cf81 GodRAT
04bf56c6491c5a455efea7dbf94145f1 GodRAT source code
5f7087039cb42090003cc9dbb493215e GodRAT Builder
31385291c01bb25d635d098f91708905 Chrome Password Stealer
cdd5c08b43238c47087a5d914d61c943 MSEdge Password Stealer
605f25606bb925d61ccc47f0150db674 Async RAT Injector (n)
961188d6903866496c954f03ecff2a72 Async RAT Injector
4ecd2cf02bdf19cdbc5507e85a32c657 Async RAT
17e71cd415272a6469386f95366d3b64 Async RAT

File paths

C:\users\[username]\downloads\2023-2024clientlist＆.scr
C:\users\[username]\downloads\2024-11-15_23.45.45 .scr
C:\Users\[username]\Downloads\2024-08-01_2024-12-31Data.scr
C:\Users\[username]\\Downloads\2025TopDataTransaction&.scr
C:\Users\[username]\Downloads\2024-2025Top&Data.scr
C:\Users\[username]\Downloads\2025TopClineData&1.scr
C:\Users\[username]\Downloads\Corporate customer transaction &volume.pif
C:\telegram desktop\Company self-media account application qualifications&.zip
C:\Users\[username]\Downloads\个人信息资料&.pdf.pif
%ALLUSERSPROFILE%\bugreport\360Safe2.exe
%ALLUSERSPROFILE%\google\chrome.exe
%ALLUSERSPROFILE%\google\msedge.exe
%LOCALAPPDATA%\valve\valve\SDL2.dll
%LOCALAPPDATA%\bugreport\LoggerCollector.dll
%ALLUSERSPROFILE%\bugreport\LoggerCollector.dll
%LOCALAPPDATA%\bugreport\bugreport_.exe

Domains and IPs

103[.]237[.]92[.]191 GodRAT C2
118[.]99[.]3[.]33 GodRAT С2
118[.]107[.]46[.]174 GodRAT C2
154[.]91[.]183[.]174 GodRAT C2
wuwu6[.]cfd AsyncRAT C2
156[.]241[.]134[.]49 AsyncRAT C2
https://holoohg.oss-cn-hongkong.aliyuncs[.]com/HG.txt AsyncRAT URL
47[.]238[.]124[.]68 AsyncRAT C2

securelist.com/godrat/117119/

More and more car manufacturers these days are becoming interested in the recurring revenue model, with Volkswagen’s ID.3 BEV being the latest to have an optional ‘motor power upgrade’ that you can pay for either monthly or with a ‘lifetime’ payment.

As the BBC reports, this option is now available in the UK, with customers offered the option to pay £16.50 per month or £165 annually, or opt to shell out £649 for what is reportedly a ‘car lifetime’ subscription.

It appears that this subscription service has been in the works for a while already, with it being offered first last year in countries like Denmark, following which it appears to be rolled out in other countries too. The software unlock changes the maximum motor output from 150 kW to 170 kW, which some users report as being noticeable.

Regardless of whether you find this to be a good deal, the concept of Car-As-A-Service (CAAS) has becoming increasingly prevalent, with the BBC article referencing BMW’s heated seats subscription and Mercedes’ acceleration subscription. Considering that all the hardware is already in the car that you purportedly purchased, this is sure to rub people the wrong way, not to mention that from a car tuning perspective this seems to suggest that third-party tuners don’t need to apply.

Thanks to [Robert Piston] for the tip.

hackaday.com/2025/08/19/volksw…

Proofpoint ha pubblicato il secondo volume del suo studio annuale “Human Factor 2025” , incentrato sul phishing e sugli attacchi basati su URL. L’analisi dei dati da maggio 2024 a maggio 2025 mostra che gli aggressori utilizzano sempre più spesso il social engineering in combinazione con i link, che sono diventati il principale vettore per attaccare gli utenti.

Secondo le statistiche, i link sono stati riscontrati quattro volte più spesso degli allegati con contenuti dannosi. Oltre il 55% degli SMS con tracce di phishing conteneva un URL e il numero di campagne con la tecnica ClickFix è aumentato di quasi il 400% in un anno. In totale, i ricercatori hanno registrato 3,7 miliardi di tentativi di furto di credenziali tramite link dannosi, contro gli 8,3 milioni di tentativi di distribuzione di malware, il che conferma che l’obiettivo principale degli aggressori oggi è compromettere gli account.

Particolarmente preoccupante è il crescente numero di attacchi che utilizzano servizi legittimi. Gli aggressori mascherano URL dannosi come documenti su OneDrive o Google Drive e creano anche pagine di autorizzazione false, indistinguibili da quelle reali. L’uso diffuso di modelli di intelligenza artificiale generativa consente loro di perfezionare all’infinito i modelli di email di phishing, aumentandone la persuasività.

Tra gli strumenti principali ci sono kit di phishing già pronti all’uso come CoGUI e Darcula. Il primo è attivamente utilizzato da gruppi di lingua cinese e si rivolge principalmente agli utenti in Giappone, il secondo viene utilizzato negli attacchi SMS , spesso spacciandosi per messaggi provenienti da agenzie governative o aziende postali. Entrambi gli strumenti possono aggirare la protezione e persino intercettare i codici MFA.

Una delle tendenze più evidenti è stata la diffusione del programma ClickFix . Alla vittima viene mostrata una falsa finestra di errore o un CAPTCHA, che la invita a eseguire manualmente i comandi. Questo installa RAT , infostealer e downloader sul dispositivo. Le campagne ClickFix sono diventate una pratica comune, utilizzata sia da gruppi motivati finanziariamente che da attori statali.

Separatamente, gli esperti notano la crescita degli attacchi ai dispositivi mobili. Secondo il rapporto, nel 2024, il numero di minacce URL negli SMS è aumentato del 2534%. Nel 2025, almeno il 55% degli SMS di phishing conteneva link e il 75% delle organizzazioni ha confermato di aver subito tali attacchi. I principali attacchi sono le frodi con “multe stradali” e false notifiche di consegna.

Anche gli attacchi di phishing tramite QR code stanno guadagnando terreno. Solo nei primi sei mesi del 2025, Proofpoint ha identificato quasi 4,2 milioni di casi di abuso di codici QR. Questo vettore è comodo per i criminali, poiché consente loro di aggirare il filtro del gateway di posta: la vittima scansiona il codice su uno smartphone e finisce su un sito falso per rubare password o dati di carte di credito.

Il rapporto conclude che gli attacchi più distruttivi oggi non sono rivolti ai sistemi, ma alle persone. Tali campagne non possono avere successo senza un clic da parte dell’utente, il che significa che la principale linea di difesa è proteggere tutti i canali di comunicazione: dalle email aziendali alla messaggistica istantanea e ai servizi SaaS. Proofpoint consiglia soluzioni di intelligenza artificiale multilivello in grado di rilevare anche i più piccoli segnali di phishing in qualsiasi flusso digitale.

L'articolo Clicchi sui link degli SMS? Ecco 4,2 milioni di motivi per non farlo proviene da il blog della sicurezza informatica.

Una complessa operazione di attacco è stata individuata recentemente, nella quale gli aggressori digitali utilizzano la struttura di protezione Cisco per eseguire manovre di inganno online. I malintenzionati prendono di mira la tecnologia Cisco Safe Links, ideata per mettere al sicuro gli utenti da indirizzi URL pericolosi, al fine di sviare i sistemi di individuazione e superare i controlli di rete, approfittando della credibilità legata al nome Cisco nel settore della sicurezza.

Secondo l’analisi di Raven AI, il vettore di attacco sfrutta Cisco Safe Links, un componente della suite Secure Email Gateway e Web Security di Cisco che riscrive gli URL sospetti nelle e-mail, indirizzando i clic attraverso l’infrastruttura di scansione di Cisco su secure-web.cisco[.]com. Gli aggressori hanno scoperto diversi metodi per generare Cisco Safe Link legittimi per scopi dannosi.

Quando gli utenti vedono URL che inizia con secure-web[.]cisco.com, istintivamente si fidano del collegamento grazie alla reputazione di Cisco nel campo della sicurezza informatica, creando quella che i ricercatori definiscono “fiducia per associazione”. Inoltre l’attacco aggira i tradizionali gateway di sicurezza della posta elettronica perché molti sistemi concentrano la loro analisi sui domini visibili negli URL.

Le tecniche principali includono sfruttano i servizi cloud che inviano e-mail tramite ambienti protetti da Cisco e riciclando i collegamenti sicuri generati in precedenza da campagne precedenti. Quando il dominio viene visualizzato come secure-web.cisco[.]com, spesso passa attraverso filtri che altrimenti segnalerebbero contenuti sospetti.

Tra gli esempi recenti rilevati da Raven AI figurano e-mail di “Richiesta di revisione documenti” dall’aspetto professionale provenienti da presunti servizi di firma elettronica, complete di branding e terminologia aziendale appropriati.

L’intelligenza artificiale contestuale di Raven AI ha identificato con successo questi attacchi analizzando simultaneamente più segnali, tra cui identità del mittente incoerenti, strutture URL sospette con parametri codificati e modelli di richiesta di documenti comunemente utilizzati nel phishing delle credenziali. La capacità del sistema di comprendere flussi di lavoro aziendali legittimi gli consente di individuare quando le comunicazioni si discostano dagli schemi previsti, anche quando sembrano redatte in modo professionale.

Questo comporta una trasformazione radicale nel panorama delle minacce informatiche, dove i malintenzionati prendono di mira i processi organizzativi e la psicologia dell’utente, andando oltre le semplici vulnerabilità tecnologiche.

L'articolo I Criminal Hacker sfruttano Cisco Safe Links per attacchi di phishing proviene da il blog della sicurezza informatica.

In what sounds like the plot from a sci-fi movie, scientists have isolated an incredibly rare immune mutation to create a universal antiviral treatment.

Only present in a few dozen people worldwide, ISG15 immunodeficiency causes people to be more susceptible to certain bacterial illnesses, but it also grants the people with this condition immunity to known viruses. Researchers think that the constant, mild inflammation these individuals experience is at the root of the immunoresponse.

Where things get really interesting is how the researchers have found a way to stimulate protein production of the most beneficial 10 proteins of the 60 created by the natural mutation using 10 mRNA sequences inside a lipid nanoparticle. Lead researcher [Vagelos Bogunovic] says “we have yet to find a virus that can break through the therapy’s defenses.” Researchers hope the treatment can be administered to first responders as a sort of biological Personal protective equipment (PPE) against the next pandemic since it would likely work against unknown viruses before new targeted vaccines could be developed.

Hamsters and mice were given this treatment via nasal drip, but how about intranasal vaccines when it comes time for human trials? If you want a short history of viruses or to learn how smartwatches could help flatten the curve for the next pandemic, we’ve got you covered.

hackaday.com/2025/08/19/antivi…

Boston Police (BPD) continue their efforts rollout more surveillance tools. This time on social media.

Tuesday, August 19th, the Boston Public Safety Committee will hold a hearing on the Boston 2024 Surveillance Technology Report including police usage of three new tools to monitor social media posts. Any tool BPD uses will feed into the Boston Regional Information Center (BRIC) and Federal agencies such as ICE, CBP and the FBI.

If you want to tell the Boston Public Safety committee to oppose this expansion of surveillance, please show up on the 19th virtually. Details are posted, but to sign up to speak, email ccc.ps@boston.gov and they will send you a video conference link. We especially encourage Boston Pirates to attend and speak against this proposal. The Docket # is 1357.

masspirates.org/blog/2025/08/1…

Dear Friend of Press Freedom,

It’s the 143rd day that Rümeysa Öztürk is facing deportation by the United States government for writing an op-ed it didn’t like, and the 62nd day that Mario Guevara has been imprisoned for covering a protest. After more than two months in detention, press freedom groups are again demanding Guevara’s immediate release. Read on for more, and click here to subscribe to our other newsletters.

LAPD lies about attack on reporters

Last Friday, officers from the Los Angeles Police Department wantonly violated a court order by assaulting, detaining, and jailing journalists covering a protest.

Then, the LAPD falsely told California station KABC-TV that two people were detained at the protest for “pretending to be media.” The two were, in fact, journalists, but you wouldn’t know it from KABC-TV’s report, which uncritically parroted the LAPD’s claims.

Journalists must be skeptical of LAPD statements about its treatment of the press. The department knows that it violates the First Amendment and California law to detain or interfere with journalists covering protests, but it does it anyway. It won’t stop until the press reports accurately on all of the LAPD’s abuses, and the public makes clear that it won’t stand for them.

Read more here.

Israel kills journalists in Gaza to silence reporting

Two weeks ago, the Committee to Protect Journalists reported on the Israeli Defense Forces’ threats to Anas al-Sharif, meant to scare him into ceasing reporting. He didn’t, and now he’s dead.

Al-Sharif was one of four Al Jazeera staff correspondents and two freelancers killed by the IDF in an Aug. 10 targeted strike. The others were Mohammed Qreiqeh, Ibrahim Zaher, Mohammed Noufal, Moamen Aliwa, and Mohammad al-Khaldi.

“Israel is killing journalists for exposing its atrocities in Gaza,” said Freedom of the Press Foundation (FPF) director of advocacy Seth Stern. “We can’t let our leaders get away with mere performative condemnations while the money and weapons Israel uses to exterminate journalists and other civilians keep flowing.”

Read the full statement here.

Two years since ‘a massive failure’ of the justice system in Kansas

This week marked two years since the shocking police raid on the Marion County Record and the death of Record co-owner Joan Meyer, who passed away the day after the raid.

FPF spoke to investigative journalist Jessica McMaster, whose award-winning coverage of the raid for KSHB-TV in Kansas City, Missouri, had us glued to her social media feed for weeks.

“This was a massive failure by several people within the justice system,” McMaster said, speaking about the raid. “I think it’s hard for a lot of us to grasp that so many people, in positions of power, failed in such spectacular fashion to do their jobs.”

Read the full interview here.

How a climate change researcher makes FOIA work

Rachel Santarsiero, director of the Climate Change Transparency Project at the National Security Archive, knows how to use the Freedom of Information Act to uncover information the government would rather keep secret. This week, FPF’s Daniel Ellsberg Chair on Government Secrecy Lauren Harper spoke to Santarsiero, who shared her expert FOIA tips.

“The key with any agency is sending targeted requests asking for specific types of documents, a date range, and the office or official who would’ve been responsible for the records,” Santarsiero explained.

Santarsiero also recommends that requesters build relationships with FOIA officers, always appeal denials, and check federal website reading rooms and other publicly available source materials. “You’ll be surprised what you can find hiding in plain sight,” she said.

Read the whole interview here.

What we’re reading

Eyewitness to Gaza’s death traps: Whistleblower Anthony Aguilar in conversation with Defending Rights & Dissent (Defending Rights & Dissent). With journalists being killed or shut out in Gaza, whistleblowers are even more important. Watch Anthony Aguilar’s firsthand account of blowing the whistle on the Gaza Humanitarian Foundation.

Trump administration outlines plan to throw out an agency’s FOIA requests en masse (404Media). This is “an underhanded attempt to close out as many FOIA requests as possible, because who in their right mind checks the federal register regularly?” FPF’s Harper said.

Appeals court upholds block on Indiana’s 25-foot police buffer law, citing vagueness (Indiana Capital Chronicle). Hopefully, Tennessee’s and Louisiana’s “buffer” laws will be next, and other states will think twice before passing these unconstitutional laws.

Sorry, scanner listeners: BPD is encrypting its transmissions starting this weekend (Boston.com). Just like in New York City, encrypting police radio transmissions and adding a delay makes it harder for journalists to report and the public to stay informed.

freedom.press/issues/lapd-lies…

404 Media

2025-08-13 21:53:37

Trump Administration Outlines Plan to Throw Out an Agency's FOIA Requests En Masse

The Department of Energy (DOE) said in a public notice scheduled to be published Thursday that it will throw out all Freedom of Information Act (FOIA) requests sent to the agency before October 1, 2024 unless the requester proactively emails the agency to tell it they are still interested in the documents they requested. This will result in the improper closure of likely thousands of FOIA requests if not more; government transparency experts told 404 Media that the move is “insane,” “ludicrous,” a “Pandora’s Box,” and “an underhanded attempt to close out as many FOIA requests as possible.”

The DOE notice says “requesters who submitted a FOIA request to DOE HQ at any time prior to October 1, 2024 (FY25), that is still open and is not under active litigation with DOE (or another Federal agency) shall email StillInterestedFOIA@hq.doe.gov to continue processing of the FOIA request […] If DOE HQ does not receive a response from requesters within the 30-day time-period with a DOE control number, no further action will be taken on the open FOIA request(s), and the file may be administratively closed.” A note at the top of the notice says it is scheduled to be formally published in the Federal Register on Thursday.

The agency will send out what are known as “still interested” letters, which federal agencies have used over the years to see if a requester wants to withdraw their request after a certain period of inactivity. These types of letters are controversial and perhaps not legal, and previous administrations have said that they should be used rarely and that requests should only be closed after an agency made multiple attempts to contact a requester over multiple methods of communication. What the DOE is doing now is sending these letters to submitters of all requests prior to October 1, 2024, which is not really that long ago; it also said it will close the requests of people who do not respond in a specific way to a specific email address.

FOIA requests—especially complicated ones—can often take months or years to process. I have outstanding FOIA requests with numerous federal agencies that I filed years ago, and am still interested in getting back, and I have gotten useful documents from federal agencies after years of waiting. The notion that large numbers of people who filed FOIA requests as recently as September 2024, which is less than a year ago, are suddenly uninterested in getting the documents they requested is absurd and should be seen as an attack on public transparency, experts told 404 Media. The DOE’s own reports show that it often does not respond to FOIA requests within a year, and, of course, a backlog exists in part because agencies are not terribly responsive to FOIA.

“If a requester proactively reaches out and says I am withdrawing my request, then no problem, they don’t have to process it,” Adam Marshall, senior staff attorney at the Reporters Committee for Freedom of the Press, told me. “The agency can’t say we’ve decided we’ve gotten a lot of requests and we don’t want to do them so we’re throwing them out.”

“I was pretty shocked when I saw this to be honest,” Marshall added. “I’ve never seen anything like this in 10 years of doing FOIA work, and it’s egregious for a few reasons. I don’t think agencies have the authority to close a FOIA request if they don’t get a response to a ‘still interested’ letter. The statute doesn’t provide for that authority, and the amount of time the agency is giving people to respond—30 days—it sounds like a long time but if you happen to miss that email or aren’t digging through your backlogs, it’s not a lot of time. The notion that FOIA requesters should keep an eye out in the Federal Register for this kind of notice is ludicrous.”

The DOE notice essentially claims that the agency believes it gets too many FOIA requests and doesn’t feel like answering them. “DOE’s incoming FOIA requests have more than tripled in the past four years, with over 4,000 requests received in FY24, and an expected 5,000 or more requests in FY25. DOE has limited resources to process the burgeoning number of FOIA requests,” the notice says. “Therefore, DOE is undertaking this endeavor as an attempt to free up government resources to better serve the American people and focus its efforts on more efficiently connecting the citizenry with the work of its government.”

Lauren Harper of the Freedom of the Press Foundation told me in an email that she also has not seen any sort of precedent for this and that “it is an underhanded attempt to close out as many FOIA requests as possible, because who in their right mind checks the federal register regularly, and it should be challenged in court. (On that note, I am filing a FOIA request about this proposal.)”

“The use of still interested letters isn't explicitly allowed in the FOIA statute at all, and, as far as I know, there is absolutely zero case law that would support the department sending a mass ‘still interested’ letter via the federal register,” she added. “That they are also sending emails is not a saving grace; these types of letters are supposed to be used sparingly—not as a flagrant attempt to reduce their backlog by any means necessary. I also worry it will open a Pandora's Box—if other agencies see this, some are sure to follow.”

Marshall said that FOIA response times have been getting worse for years across multiple administrations (which has also been my experience). The Trump administration and the Department of Government Efficiency (DOGE) have cut a large number of jobs in many agencies across the government, which may have further degraded response times. But until this, there hadn’t been major proactive attempts taken by the self-defined “most transparent administration in history” to destroy FOIA.

“This is of a different nature than what we have seen so far, this affirmative, large-scale effort to purport to cancel a large number of pending FOIA requests,” Marshall said.

Limitations on Use of “Still-Interested” Inquiries

^{www.justice.gov}

DISCLAIMER: questa non è una pubblicità per la FUTO, ho pensato di fare questa guida per le ragioni che spiego e perché mi sto trovando benissimo!

Molti pensano che la tastiera virtuale del telefono faccia parte delle componenti base e che non possa essere cambiata, invece è una semplice app.
Un'app che ha accesso direttamente a tutto quello che scriviamo, prima che venga crittografato dalle varie app di chat (anche le più sicure)...
Perciò, se la tastiera si connette a internet, può inviare ai server tutto quello che digitiamo.

Per questo, se teniamo alla nostra sovranità digitale, la tastiera è la prima app da sostituire.

Ho ottime ragioni per fidarmi di quella installata di default nel mio telefono degooglizzato, ma per chi usa un regolare sistema Android la tastiera di default è quella di Google, Gboard, che è nota per inviare ai server pacchetti dal contenuto per lo meno sospetto.

1) FUTO Keyboard
Poco tempo fa ho scoperto questo bel progetto della FUTO per rimpiazzare tutte le funzioni (anche le più avanzate) di Gboard, escludendo però ogni collegamento a internet durante l'utilizzo e utilizzando basi di dati più trasparenti (il training per il modello di digitazione a scorrimento, per esempio, viene fatto su base volontaria tra utenti che scelgono di contribuire).

Detto ciò, parliamo di una tastiera open source (più propriamente, source available) che ha integrati:
- dettatura vocale multilingue (voice input)
- immissione a scorrimento (swipe)
- dizionari per la lingua e per la ricerca delle emoji
- pannello di selezione delle emoji di sistema
- funzioni per spostarsi facilmente nel testo
- funzioni di copia e incolla avanzate, tra cui la cronologia degli appunti

È ancora in uno stadio iniziale di sviluppo, perciò ci alcune cose sono ancora in corso di implementazione e, per esempio, i dizionari e i modelli vanno installati a mano, e i menu di impostazione sono solo in inglese per il momento.
Ma ciononostante è sicuramente la più completa e promettente!

Seguite i passaggi nelle immagini per installarla e configurare le risorse italiane.
(Qui le istruzioni in un'immagine unica ad alta risoluzione)

Link PlayStore (o app alternativa)

Sito (futo.org)

---
In alternativa, è possibile installare separatamente un'app di dettatura vocale e provare una delle seguenti tastiere open source.
Per la dettatura vocale c'è l'app specifica di FUTO oppure Whisper:
- FUTO Voice Input
- Whisper per Android
---

2) AnySoftKeyboard
Il progetto open source più completo ed evoluto.
I pacchetti delle lingue e di alcuni layout aggiuntivi si installano come app separate, perciò in modo molto semplice.
Si appoggia all'app di dettatura vocale esistente. Il supporto allo swipe e le tantissime feature la rendono la migliore alternativa con licenza libera (apache).

App principale: Play Store / FDroid
Pacchetto italiano: Play Store / FDroid

Sito del progetto

3) Heliboard
Heliboard è un progetto open source già molto ricco di feature e con la possibilità di essere completato da una libreria opzionale per l'immissione a scorrimento (che però è quella proprietaria di Google, estratta da Gboard).

Purtroppo Heliboard non è presente nel Play Store, perciò dovrete installarla tramite F-Droid

4) Altre tastiere open source sono anche Florisboard e Fossify Keyboard.
Le funzionalità sono simili a quelle di Heliboard, eccetto che non supportano lo swipe.
Nessuna delle due supporta la dettatura vocale.
Per chi cerca il massimo della trasparenza, però, sono le più raccomandate (insieme a Heliboard).

Fossify Keyboard è reperibile sul Play Store o su FDroid.
Florisboard si può trovare su F-Droid

5) La tastiera minimalista: Simple Keyboard
Se tutto quello che vi serve è una tastiera, non sopportate l'autocorrettore e i suggerimenti e non vi interessa inserire le emoji, allora questa è la vostra tastiera ideale. Potrebbe rendere anche più veloce un vecchio telefono perché occupa pochissima memoria e non ha bisogno di processori moderni.

Link PlayStore (o app alternativa)

*) Purtroppo, ad oggi non sono a conoscenza di progetti simili per gli utenti Apple iOS...

#Google #degoogle #gboard #keyboard #virtualkeyboard #futokeyboard #FUTO #FUTO Tech #heliboard #florisbaord #fossify #fossifykeyboard #openboard