[2026-02-13] Presentazione libro "La furia del codardo" + cena @ COA T28
Presentazione libro "La furia del codardo" + cena
COA T28 - Via dei Transiti 28, Milano
(venerdì, 13 febbraio 19:00)
📌VENERDÌ 13 FEBBRAIO
ORE 19:00 PRESENTAZIONE DEL LIBRO:
"La furia del codardo, Racconti da una sezione d'isolamento di un militante dell’ETA."
Con un intervento del compagno prigioniero e autore del libro Fernando García Jodra.
Un'occasione per rompere le mura del carcere!
A seguire cena popolare.
in Via Dei Transiti 28
Al Centro Occupato Autogestito T28.
[2026-02-13] Gli Spazi Liberi, Fondamenta Nuove e Juno live @Cantiere @ Centro Sociale Cantiere
Gli Spazi Liberi, Fondamenta Nuove e Juno live @Cantiere
Centro Sociale Cantiere - via Monterosa 84, Milano
(venerdì, 13 febbraio 22:00)
TORNA IL PUNK IN CANTIERE
Venerdì 13 Febbraio si torna a pogare in dancehall!
Ci vediamo insieme a Fondamenta Nuove, Juno e Gli Spazi Liberi.
Dalle 22 cominciano le danze della prima serata della stagione!
L’anno scorso sono passat3 sul nostro palco decine di artist3 portando rabbia, gioia, speranza, grida e tante corde rotte. Quest’anno ricominciamo più carich3 di prima!
Ci vediamo al Cantiere, uno spazio liberato che dal 2001 resiste al nulla che avanza e in cui costruire insieme altri mondi possibili. In cantiere pretendiamo rispetto per tutt3, indipendentemente dal colore della pelle, dalla nazionalità o dal genere scritto sui documenti, dal peso del portafoglio.
[2026-02-14] Party Popolare Hot @ Centro Sociale Cantiere
Party Popolare Hot
Centro Sociale Cantiere - via Monterosa 84, Milano
(sabato, 14 febbraio 10:00)
Amicз, compagnз, cuorз ribell3: il 14 febbraio vi aspettiamo al Party Popolare Hot della Palestra Popolare Hurricane 💥
Una serata di condivisione, musica e lotta, dove il piacere di stare insieme incontra valori chiari e non negoziabili.
🍴 Dalle 20.00 – Cena Popolare
Si parte a tavola, con una cena conviviale per sostenere la Palestra Popolare Hurricane e rafforzare la nostra comunità. Mangiare insieme è sempre un atto politico ❤️
🎶 Dalle 22.30 – DJ Set by Edohard e HackeraTea
Dopo cena, spazio alla festa con musica, vibrazioni e corpi liberi in movimento.
✊ Perché esserci?
Per sostenere una realtà antirazzista e transfemminista, per ballare senza giudizi, per costruire spazi sicuri e condivisi, per stare insieme come ci piace.
Invita chi vuoi, porta chi ami e vieni a festeggiare con noi 🖤
[2026-02-14] Presidio Free All Antifas @ Consolato ungherese @ Consolato Ungherese
Presidio Free All Antifas @ Consolato ungherese
Consolato Ungherese - Piazza Missori, Milano
(sabato, 14 febbraio 15:00)
📌SABATO 14 FEBBRAIO
PRESIDIO FREE ALL ANTIFAS!
al consolato ungherese di Milano (MM Missori)
ORE 15.00
Per Maja, per Gabri, per Anna e tutt gli antifas colpit dalla repressione. Fuori i compagni dalle galere!
[2026-02-13] Presentazione di HUB bollettino di informazione contro la militarizzazione @ Sala Montecitorio del Palazzo dei Portuali
Presentazione di HUB bollettino di informazione contro la militarizzazione
Sala Montecitorio del Palazzo dei Portuali - Via San Giovanni, 13, Livorno
(venerdì, 13 febbraio 18:00)
Nasce "HUB" un bollettino sulla militarizzazione
Venerdì 13 Febbraio a Livorno - Via San Giovanni 13
ore 18:00
Sala Montecitorio, Palazzo dei Portuali - Livorno
Presentazione del primo numero
Intervengono alcune delle realtà che partecipano al progetto:
Gruppo Autonomo Portuali, Scrivania Autogestita d'Informazione, Coordinamento Antimilitarista Livornese, Movimento No base
HUB è un bollettino di informazione, inchiesta e confronto sulla militarizzazione dei territori, nato dalla discussione tra chi si oppone alle basi militari e chi ogni giorno lavora e lotta in porti, fabbriche e ferrovie per costruire un percorso comune.
“HUB” è la proposta che raccoglie questa spinta: un bollettino digitale e cartaceo, aperiodico, che offre analisi e contributi su come funziona l’hub militare che attraversa i territori.
La militarizzazione avanza ovunque, ma possiamo costruire la conoscenza del sistema di guerra in cui siamo immersə, raccontarlo e soprattutto organizzarci per fermarlo.
Questo primo numero contiene approfondimenti su diversi territori, infrastrutture e snodi della logistica di guerra redatti da movimenti, comitati, lavoratorə portuali e ferrovieri e ha un’ampiezza che va da Livorno a La Spezia, uno dei corridoi centrali della militarizzazione in Italia
A new study indicates that vast oceans of hydrogen are locked deep inside our planet, helping to explain a strange “density deficit” and shedding light on the origin of life.#TheAbstract
A Mystery Inside Earth’s Core Has Finally Been Solved With a Mind-Boggling Discovery
🌘
Subscribe to 404 Media to get The Abstract, our newsletter about the most exciting and mind-boggling science news and studies of the week.For decades, scientists have puzzled over the “density deficit” in Earth’s core, an unexplained discrepancy between the expected density of a solid iron core and the much lower density that is actually observed through seismic measurements of our planet’s center.
Now, scientists have provided some of the best experimental evidence yet that this deficit can be explained by vast oceans of hydrogen that are locked within the core, significantly lowering its overall density, according to a study published on Tuesday in Nature Communications.
In addition to constraining this longstanding problem, the research reveals new insights about another persistent mystery: the original source of Earth’s liquid water, the key ingredient that enabled life on our planet to emerge.
“Hydrogen has long been considered a major light-element candidate to account for the observed density deficit in Earth’s core,” said researchers led by Dongyang Huang, an assistant professor of Earth and space sciences at Peking University, in the new study. “For decades, however, our knowledge of the exact content of H in planetary cores has been hindered by the inability to unambiguously quantify H in high-pressure samples.”
To solve this problem, the researchers performed a series of experiments that simulated the extreme environment in the core during Earth’s formation billions of years ago. This approach involved heating up iron metal with lasers to a fully-molten state that resembles ancient Earth’s inner magma ocean, which reached temperatures up to 8,700°F, and pressures more than a million times more intense than those we experience on Earth’s surface.
The team then searched for the presence of hydrogen in nanostructures made primarily of silicon and oxygen. The results revealed that the core’s hydrogen percentage sits between 0.07 to 0.36 percent, which works out to roughly nine-to-45 times the amount of the hydrogen in all of Earth’s oceans.
But perhaps the most tantalizing part of the study is its implications for understanding the enigmatic origins of Earth’s water, the wellspring of life on our world.
Some theories suggest that Earth’s water was primarily delivered from extraterrestrial sources, such as comets and asteroids that impacted our planet as it was forming more than four billion years ago. An alternate possibility is that Earth’s water was largely sourced from its building blocks, including vast interior reservoirs of hydrogen. This latter scenario is supported by the new study.
“Although 71 percent of the Earth’s surface is covered by ocean, mainly made of H, it has been argued that the majority of Earth’s H had been stored in the core since its formation, ~4.5 billion years ago,” the researchers said.
The estimates presented in the study “require the Earth to obtain the majority of its water from the main stages of terrestrial accretion, instead of through comets during late addition,” the team concluded.
The study certainly helps tackle the mystery of the precise contents of Earth’s core, though the authors note that their estimate has large uncertainties that will need to be further narrowed down in future work. They also suggest that hydrogen alone cannot explain the density deficit, and that other light elements or compounds, including water, might be contributing to the discrepancy.
“Compared to existing models for Earth’s core composition this is a somewhat less H-rich core, and requires its density deficit to be accounted for by a mixture of light elements, rather than a single light species, akin to that of Mars’ core,” the team said in the study.
Given that water is essential to all life on Earth, solving the riddle of its origins is the first step to understanding how our planet came to be inhabited, and whether other planets may commonly go through the same process.
Experimental quantification of hydrogen content in the Earth’s core - Nature Communications
Earth’s core is arguably the largest reservoir of hydrogen (H) on the planet. Experiments show that H sequestration is coupled with those of Si and O, enabling the core to store the equivalent of dozens of Earth’s oceans.Nature
Kylie Brewer isn't unaccustomed to harassment online. But when people started using Grok-generated nudes of her on an OnlyFans account, it reached another level.
Kylie Brewer isnx27;t unaccustomed to harassment online. But when people started using Grok-generated nudes of her on an OnlyFans account, it reached another level.#AI #grok #Deepfakes
'The Most Dejected I’ve Ever Felt:' Harassers Made Nude AI Images of Her, Then Started an OnlyFans
In the first week of January, Kylie Brewer started getting strange messages.“Someone has a only fans page set up in your name with this same profile,” one direct message from a stranger on TikTok said. “Do you have 2 accounts or is someone pretending to be you,” another said. And from a friend: “Hey girl I hate to tell you this, but I think there’s some picture of you going around. Maybe AI or deep fake but they don’t look real. Uncanny valley kind of but either way I’m sorry.”
It was the first week of January, during the frenzy of people using xAI’s chatbot and image generator Grok to create images of women and children partially or fully nude in sexually explicit scenarios. Between the last week of 2025 and the first week of 2026, Grok generated about three million sexualized images, including 23,000 that appear to depict children, according to researchers at the Center for Countering Digital Hate. The UK’s Ofcom and several attorneys general have since launched or demanded investigations into X and Grok. Earlier this month, police raided X’s offices in France as part of the government’s investigation into child sexual abuse material on the platform.
Messages from strangers and acquaintances are often the first way targets of abuse imagery learn that images of them are spreading online. Not only is the material disturbing itself — everyone, it seems, has already seen it. Someone was making sexually explicit images of Brewer, and then, according to her followers who sent her screenshots and links to the account, were uploading them to an OnlyFans and charging a subscription fee for them.
“It was the most dejected that I've ever felt,” Brewer told me in a phone call. “I was like, let's say I tracked this person down. Someone else could just go into X and use Grok and do the exact same thing with different pictures, right?”
@kylie.brewer
Please help me raise awareness and warn other women. We NEED to regulate AI… it’s getting too dangerous #leftist #humanrights #lgbtq #ai #saawareness
♬ original sound - Kylie Brewer💝Brewer is a content creator whose work focuses on feminism, history, and education about those topics. She’s no stranger to online harassment. Being an outspoken woman about these and other issues through a leftist lens means she’s faced the brunt of large-scale harassment campaigns primarily from the “manosphere,” including “red pilled” incels and right-wing influencers with podcasts for years. But when people messaged her in early January about finding an OnlyFans page in her name, featuring her likeness, it felt like an escalation.
One of the AI generated images was based on a photo of her in a swimsuit from her Instagram, she said. Someone used AI to remove her clothing in the original photo. “My eyes look weird, and my hands are covering my face so it kind of looks like my face got distorted, and they very clearly tried to give me larger breasts, where it does not look like anything realistic at all,” Brewer said. Another image showed her in a seductive pose, kneeling or crawling, but wasn’t based on anything she’s ever posted online. Unlike the “nudify” one that relied on Grok, it seemed to be a new image made with a prompt or a combination of images.
Many of the people messaging her about the fake OnlyFans account were men trying to get access to it. By the time she clicked a link one of them sent of the account, it was already gone. OnlyFans prohibits deepfakes and impersonation accounts. The platform did not respond to a request for comment. But OnlyFans isn’t the only platform where this can happen: Non-consensual deepfake makers use platforms like Patreon to monetize abusive imagery of real people.
“I think that people assume, because the pictures aren't real, that it's not as damaging,” Brewer told me. “But if anything, this was worse because it just fills you with such a sense of lack of control and fear that they could do this to anyone. Children, women, literally anyone, someone could take a picture of you at the store, going grocery shopping, and ask AI or whatever to do this.”
A lack of control is something many targets of synthetic abuse imagery say they feel — and it can be especially intense for people who’ve experienced sexual abuse in real life. In 2023, after becoming the target of deepfake abuse imagery, popular Twitch streamer QTCinderella told me seeing sexual deepfakes of herself resurfaced past trauma. “You feel so violated…I was sexually assaulted as a child, and it was the same feeling,” she said at the time. “Like, where you feel guilty, you feel dirty, you feel like, ‘what just happened?’ And it’s bizarre that it makes that resurface. I genuinely didn’t realize it would.”
Other targets of deepfake harassment also feel like this could happen anytime, anywhere, whether you’re at the grocery store or posting photos of your body online. For some, it makes it harder to get jobs or have a social life; the fear that anyone could be your harasser is constant. “It's made me incredibly wary of men, which I know isn't fair, but [my harasser] could literally be anyone,” Joanne Chew, another woman who dealt with severe deepfake harassment for months, told me last year. “And there are a lot of men out there who don't see the issue. They wonder why we aren't flattered for the attention.”
‘I Want to Make You Immortal:’ How One Woman Confronted Her Deepfakes Harasser
“After discovering this content, I’m not going to lie… there are times it made me not want to be around any more either,” she said. “I literally felt buried.”404 MediaSamantha Cole
Brewer’s income is dependent on being visible online as a content creator. Logging off isn’t an option. And even for people who aren’t dependent on TikTok or Instagram for their income, removing oneself from online life is a painful and isolating tradeoff that they shouldn’t have to make to avoid being harassed. Often, minimizing one’s presence and accomplishments doesn’t even stop the harassment.Since AI-generated face-swapping algorithms became accessible at the consumer level in late 2017, the technology has only gotten better, more realistic, and its effects on targets harder to combat. It was always used for this purpose: to shame and humiliate women online. Over the years, various laws have attempted to protect victims or hold platforms accountable for non-consensual deepfakes, but most of them have either fallen short or present new risks of censorship and marginalize legal, consensual sexual speech and content online. The TAKE IT DOWN Act, championed by Ted Cruz and Melania Trump, passed into law in April 2025 as the first federal level legislation to address deepfakes; the law imposes a strict 48-hour turnaround requirement on platforms to remove reported content. President Donald Trump said that he would use the law, because “nobody gets treated worse online” than him. And in January, the Disrupt Explicit Forged Images and Non-Consensual Edits (DEFIANCE) Act passed the Senate and is headed to the House. The act would allow targets of deepfake harassment to sue the people making the content. But taking someone to court has always been a major barrier to everyday people experiencing harassment online; It’s expensive and time consuming even if they can pinpoint their abuser. In many cases, including Brewer’s, this is impossible—it could be an army of people set to make her life miserable.
“It feels like any remote sense of privacy and protection that you could have as a woman is completely gone and that no one cares,” Brewer said. “It’s genuinely such a dehumanizing and horrible experience that I wouldn't wish on anyone... I’m hoping also, as there's more visibility that comes with this, maybe there’s more support, because it definitely is a very lonely and terrible place to be — on the internet as a woman right now.”
Senate passes DEFIANCE Act to deal with sexually explicit deepfakes
The DEFIANCE Act goes to the House amid controversy over images created by X’s Grok.Jasmine Mithani (19th News)
Ring is back with a feature for scanning your neighborhood; we bought a Super Bowl ad; and how Lockdown Mode stopped the FBI.#Podcast
Podcast: Ring Is Back and Scarier Than Ever
We start this week with exciting news: we bought a Super Bowl ad! For… $2,550. We explain how. After the break, Jason tells us about Ring’s recently launched Search Party feature, and gives us a very timely reminder of what Ring really is and how we got here. In the subscribers-only section, Joseph breaks down Lockdown Mode and how it kept the FBI out of a Washington Post reporter’s phone.
youtube.com/embed/0JK-VSrtlWw?…
Listen to the weekly podcast on Apple Podcasts,Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.
playlist.megaphone.fm?e=TBIEA5…
- 2:49 Watch 404 Media’s Super Bowl Ad
- 27:29 With Ring, American Consumers Built a Surveillance Dragnet
- Subscriber's story: FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled
The 404 Media Podcast
Tech News Podcast · Updated Weekly · Welcome to the podcast from 404 Media where Joseph, Sam, Emanuel, and Jason catch you up on the stories we published this week. 404 Media is a journalist-owned digital media company exploring the way …Apple Podcasts
Il nuovo video di Pasta Grannies: youtube.com/shorts/qKBXo5p2cgw
@Cucina e ricette
(HASHTAG)
reshared this
A Roma la presentazione de “Il prezzo della libertà” di Valentina Petrini
Venerdì 13 febbraio 2026
Ore 18:30
Libreria Feltrinelli – Via Appia Nuova 427 – Roma
A Roma la presentazione del nuovo libro della giornalista Valentina Petrini, Il prezzo della libertà (Solferino), il testo intreccia le storie vere di due donne, Sibilla Barbieri e “Anna” (nome di fantasia, scelto a tutela della privacy), che vivono malattie senza via d’uscita in condizioni sociali ed economiche profondamente diverse e solo una di loro potrà permettersi di scegliere come affrontare il proprio fine vita. Insieme all’autrice dialogano Marianna Aprile e Tosca. Modera l’incontro Eva Giovannino. L’incontro vedrà inoltre la partecipazione di Vittorio Parpaglioni Barbieri e Fabia Salvucci accompagnata al pianoforte da Pasquale Filastrò.
L'articolo A Roma la presentazione de “Il prezzo della libertà” di Valentina Petrini proviene da Associazione Luca Coscioni.
Oggi al #MIM si svolge il convegno “Libro, carta e penna. Il valore della lettura e della scrittura su carta nell’era dell’IA”. Interviene il Ministro Giuseppe Valditara.
Qui il video integrale ▶️ https://youtu.
Ministero dell'Istruzione
Oggi al #MIM si svolge il convegno “Libro, carta e penna. Il valore della lettura e della scrittura su carta nell’era dell’IA”. Interviene il Ministro Giuseppe Valditara. Qui il video integrale ▶️ https://youtu.Telegram
#Macron e l'Europa all'angolo
Macron e l’Europa all’angolo -
Questa settimana è circolata senza fare troppo rumore la notizia che il governo francese ha riattivato le comunicazioni con la Russia dopo anni di rapportiMichele Paris (altrenotizie.org)
CrossOver 26 porta Wine 11.0 su Linux con NTSync e miglioramenti per le app Windows
linuxeasy.org/crossover-26-por…
CrossOver 26 introduce Wine 11.0, supporto NTSync e numerosi miglioramenti per la compatibilità delle applicazioni Windows su Linux e macOS.
Auster likes this.
GNU/Linux Italia reshared this.
The game is over: when “free” comes at too high a price. What we know about RenEngine
We often describe cases of malware distribution under the guise of game cheats and pirated software. Sometimes such methods are used to spread complex malware that employs advanced techniques and sophisticated infection chains.
In February 2026, researchers from Howler Cell announced the discovery of a mass campaign distributing pirated games infected with a previously unknown family of malware. It turned out to be a loader called RenEngine, which was delivered to the device using a modified version of a Ren’Py engine-based game launcher. Kaspersky solutions detect the RenEngine loader as Trojan.Python.Agent.nb and HEUR:Trojan.Python.Agent.gen.
However, this threat is not new. Our solutions began detecting the first samples of the RenEngine loader in March 2025, when it was used to distribute the Lumma stealer (Trojan-PSW.Win32.Lumma.gen).
In the ongoing incidents, ACR Stealer (Trojan-PSW.Win32.ACRstealer.gen) is being distributed as the final payload. We have been monitoring this campaign for a long time and will share some details in this article.
Incident analysis
Disguise as a visual novel
Let’s look at the first incident we detected in March 2025. At that time, the attackers distributed the malware under the guise of a hacked game on a popular gaming web resource.
The website featured a game download page with two buttons: Free Download Now and Direct Download. Both buttons had the same functionality: they redirected users to the MEGA file-sharing service, where they were offered to download an archive with the “game.”
Game download page
When the “game” was launched, the download process would stop at 100%. One might think that the game froze, but that was not the case — the “real” malicious code just started working.
Placeholder with the download screen
“Game” source files analysis
The full infection chain
After analyzing the source files, we found Python scripts that initiate the initial device infection. These scripts imitate the endless loading of the game. In addition, they contain the is_sandboxed function for bypassing the sandbox and xor_decrypt_file for decrypting the malicious payload. Using the latter, the script decrypts the ZIP archive, unpacks its contents into the .temp directory, and launches the unpacked files.
Contents of the .temp directory
There are five files in the .temp directory. The DKsyVGUJ.exe executable is not malicious. Its original name is Ahnenblatt4.exe, and it is a well-known legitimate application for organizing genealogical data. The borlndmm.dll library also does not contain malicious code; it implements the memory manager required to run the executable. Another library, cc32290mt.dll, contains a code snippet patched by attackers that intercepts control when the application is launched and deploys the first stage of the payload in the process memory.
HijackLoader
The dbghelp.dll system library is used as a “container” to launch the first stage of the payload. It is overwritten in memory with decrypted shellcode obtained from the gayal.asp file using the cc32290mt.dll library. The resulting payload is HijackLoader. This is a relatively new means of delivering and deploying malicious implants. A distinctive feature of this malware family is its modularity and configuration flexibility. HijackLoader was first detected and described in the summer of 2023. More detailed information about this loader is available to customers of the Kaspersky Intelligence Reporting Service.
The final payload can be delivered in two ways, depending on the configuration parameters of the malicious sample. The main HijackLoader ti module is used to launch and prepare the process for the final payload injection. In some cases, an additional module is also used, which is injected into an intermediate process launched by the main one. The code that performs the injection is the same in both cases.
Before creating a child process, the configuration parameters are encrypted using XOR and saved to the %TEMP% directory with a random name. The file name is written to the system environment variables.
Loading configuration parameters saved by the main module
In the analyzed sample, the execution follows a longer path with an intermediate child process, cmd.exe. It is created in suspended mode by calling the auxiliary module modCreateProcess. Then, using the ZwCreateSection and ZwMapViewOfSection system API calls, the code of the same dbghelp.dll library is loaded into the address space of the process, after which it intercepts control.
Next, the ti module, launched in the child process, reads the hap.eml file, from which it decrypts the second stage of HijackLoader. The module then loads the pla.dll system library and overwrites the beginning of its code section with the received payload, after which it transfers control to this library.
Payload decryption
The decrypted payload is an EXE file, and the configuration parameters are set to inject it into the explorer.exe child process. The payload is written to the memory of the child process in several stages:
- First, the malicious payload is written to a temporary file on disk using the transaction mechanism provided by the Windows API. The payload is written in several stages and not in the order in which the data is stored in the file. The
MZsignature, with which any PE file begins, is written last with a delay.
Writing the payload to a temporary file - After that, the payload is loaded from the temporary file into the address space of the current process using the
ZwCreateSectioncall. The transaction that wrote to the file is rolled back, thus deleting the temporary file with the payload. - Next, the sample uses the
modCreateProcessmodule to launch a child processexplorer.exeand injects the payload into it by creating a shared memory region with theZwMapViewOfSectioncall.
Payload injection into the child processAnother HijackLoader module,
rshell, is used to launch the shellcode. Its contents are also injected into the child process, replacing the code located at its entry point.
The rshell module injection - The last step performed by the parent process is starting a thread in the child process by calling
ZwResumeThread. After that, the thread starts executing thershellmodule code placed at the child process entry point, and the parent process terminates.
Thershellmodule prepares the final malicious payload. Once it has finished, it transfers control to another HijackLoader module calledESAL. It replaces the contents ofrshellwith zeros using thememsetfunction and launches the final payload, which is a stealer from the Lumma family (Trojan-PSW.Win32.Lumma).
In addition to the modules described above, this HijackLoader sample contains the following modules, which were used at intermediate stages: COPYLIST, modTask, modUAC, modWriteFile.
Kaspersky solutions detect HijackLoader with the verdicts Trojan.Win32.Penguish and Trojan.Win32.DllHijacker.
Not only games
In addition to gaming sites, we found that attackers created dozens of different web resources to distribute RenEngine under the guise of pirated software. On one such site, for example, users can supposedly download an activated version of the CorelDRAW graphics editor.
Distribution of RenEngine under the guise of the CorelDRAW pirated version
When the user clicks the Descargar Ahora (“Download Now”) button, they are redirected several times to other malicious websites, after which an infected archive is downloaded to their device.
File storage imitations
Distribution
According to our data, since March 2025, RenEngine has affected users in the following countries:
Distribution of incidents involving the RenEngine loader by country (TOP 20), February 2026 (download)
The distribution pattern of this loader suggests that the attacks are not targeted. At the time of publication, we have recorded the highest number of incidents in Russia, Brazil, Turkey, Spain, and Germany.
Recommendations for protection
The format of game archives is generally not standardized and is unique for each game. This means that there is no universal algorithm for unpacking and checking the contents of game archives. If the game engine does not check the integrity and authenticity of executable resources and scripts, such an archive can become a repository for malware if modified by attackers. Despite this, Kaspersky Premium protects against such threats with its Behavior Detection component.
The distribution of malware under the guise of pirated software and hacked games is not a new tactic. It is relatively easy to avoid infection by the malware described in this article — simply install games and programs from trusted sites. In addition, it is important for gamers to remember the need to install specialized security solutions. This ongoing campaign employs the Lumma and ACR stylers, and Vidar was also found — none of these are new threats, but rather long-known malware. This means that modern antivirus technologies can detect even modified versions of the above-mentioned stealers and their alternatives, preventing further infection.
Indicators of compromise
12EC3516889887E7BCF75D7345E3207A – setup_game_8246.zip
D3CF36C37402D05F1B7AA2C444DC211A – __init.py__
1E0BF40895673FCD96A8EA3DDFAB0AE2 – cc32290mt.dll
2E70ECA2191C79AD15DA2D4C25EB66B9 – Lumma Stealer
hxxps://hentakugames[.]com/country-bumpkin/
hxxps://dodi-repacks[.]site
hxxps://artistapirata[.]fit
hxxps://artistapirata[.]vip
hxxps://awdescargas[.]pro
hxxps://fullprogramlarindir[.]me
hxxps://gamesleech[.]com
hxxps://parapcc[.]com
hxxps://saglamindir[.]vip
hxxps://zdescargas[.]pro
hxxps://filedownloads[.]store
hxxps://go[.]zovo[.]ink
Lumma C2
hxxps://steamcommunity[.]com/profiles/76561199822375128
hxxps://localfxement[.]live
hxxps://explorebieology[.]run
hxxps://agroecologyguide[.]digital
hxxps://moderzysics[.]top
hxxps://seedsxouts[.]shop
hxxps://codxefusion[.]top
hxxps://farfinable[.]top
hxxps://techspherxe[.]top
hxxps://cropcircleforum[.]today
securelist.com/renengine-campa…
Spam and phishing in 2025
The year in figures
- 99% of all emails sent worldwide and 43.27% of all emails sent in the Russian web segment were spam
- 50% of all spam emails were sent from Russia
- Kaspersky Mail Anti-Virus blocked 144,722,674 malicious email attachments
- Our Anti-Phishing system thwarted 554,002,207 attempts to follow phishing links
Phishing and scams in 2025
Entertainment-themed phishing attacks and scams
In 2025, online streaming services remained a primary theme for phishing sites within the entertainment sector, typically by offering early access to major premieres ahead of their official release dates. Alongside these, there was a notable increase in phishing pages mimicking ticket aggregation platforms for live events. Cybercriminals lured users with offers of free tickets to see popular artists on pages that mirrored the branding of major ticket distributors. To participate in these “promotions”, victims were required to pay a nominal processing or ticket-shipping fee. Naturally, after paying the fee, the users never received any tickets.
In addition to concert-themed bait, other music-related scams gained significant traction. Users were directed to phishing pages and prompted to “vote for their favorite artist”, a common activity within fan communities. To bolster credibility, the scammers leveraged the branding of major companies like Google and Spotify. This specific scheme was designed to harvest credentials for multiple platforms simultaneously, as users were required to sign in with their Facebook, Instagram, or email credentials to participate.
As a pretext for harvesting Spotify credentials, attackers offered users a way to migrate their playlists to YouTube. To complete the transfer, victims were to just enter their Spotify credentials.
Beyond standard phishing, threat actors leveraged Spotify’s popularity for scams. In Brazil, scammers promoted a scheme where users were purportedly paid to listen to and rate songs.
To “withdraw” their earnings, users were required to provide their identification number for PIX, Brazil’s instant payment system.
Users were then prompted to verify their identity. To do so, the victim was required to make a small, one-time “verification payment”, an amount significantly lower than the potential earnings.
The form for submitting this “verification payment” was designed to appear highly authentic, even requesting various pieces of personal data. It is highly probable that this data was collected for use in subsequent attacks.
In another variation, users were invited to participate in a survey in exchange for a $1000 gift card. However, in a move typical of a scam, the victim was required to pay a small processing or shipping fee to claim the prize. Once the funds were transferred, the attackers vanished, and the website was taken offline.
Even deciding to go to an art venue with a girl from a dating site could result in financial loss. In this scenario, the “date” would suggest an in-person meeting after a brief period of rapport-building. They would propose a relatively inexpensive outing, such as a movie or a play at a niche theater. The scammer would go so far as to provide a link to a specific page where the victim could supposedly purchase tickets for the event.
To enhance the site’s perceived legitimacy, it even prompted the user to select their city of residence.
However, once the “ticket payment” was completed, both the booking site and the individual from the dating platform would vanish.
A similar tactic was employed by scam sites selling tickets for escape rooms. The design of these pages closely mirrored legitimate websites to lower the target’s guard.
Phishing pages masquerading as travel portals often capitalize on a sense of urgency, betting that a customer eager to book a “last-minute deal” will overlook an illegitimate URL. For example, the fraudulent page shown below offered exclusive tours of Japan, purportedly from a major Japanese tour operator.
Sensitive data at risk: phishing via government services
To harvest users’ personal data, attackers utilized a traditional phishing framework: fraudulent forms for document processing on sites posing as government portals. The visual design and content of these phishing pages meticulously replicated legitimate websites, offering the same services found on official sites. In Brazil, for instance, attackers collected personal data from individuals under the pretext of issuing a Rural Property Registration Certificate (CCIR).
Through this method, fraudsters tried to gain access to the victim’s highly sensitive information, including their individual taxpayer registry (CPF) number. This identifier serves as a unique key for every Brazilian national to access private accounts on government portals. It is also utilized in national databases and displayed on personal identification documents, making its interception particularly dangerous. Scammer access to this data poses a severe risk of identity theft, unauthorized access to government platforms, and financial exposure.
Furthermore, users were at risk of direct financial loss: in certain instances, the attackers requested a “processing fee” to facilitate the issuance of the important document.
Fraudsters also employed other methods to obtain CPF numbers. Specifically, we discovered phishing pages mimicking the official government service portal, which requires the CPF for sign-in.
Another theme exploited by scammers involved government payouts. In 2025, Singaporean citizens received government vouchers ranging from $600 to $800 in honor of the country’s 60th anniversary. To redeem these, users were required to sign in to the official program website. Fraudsters rushed to create web pages designed to mimic this site. Interestingly, the primary targets in this campaign were Telegram accounts, despite the fact that Telegram credentials were not a requirement for signing in to the legitimate portal.
We also identified a scam targeting users in Norway who were looking to renew or replace their driver’s licenses. Upon opening a website masquerading as the official Norwegian Public Roads Administration website, visitors were prompted to enter their vehicle registration and phone numbers.
Next, the victim was prompted for sensitive data, such as the personal identification number unique to every Norwegian citizen. By doing so, the attackers not only gained access to confidential information but also reinforced the illusion that the victim was interacting with an official website.
Once the personal data was submitted, a fraudulent page would appear, requesting a “processing fee” of 1200 kroner. If the victim entered their credit card details, the funds were transferred directly to the scammers with no possibility of recovery.
In Germany, attackers used the pretext of filing tax returns to trick users into providing their email user names and passwords on phishing pages.
A call to urgent action is a classic tactic in phishing scenarios. When combined with the threat of losing property, these schemes become highly effective bait, distracting potential victims from noticing an incorrect URL or a poorly designed website. For example, a phishing warning regarding unpaid vehicle taxes was used as a tool by attackers targeting credentials for the UK government portal.
We have observed that since the spring of 2025, there has been an increase in emails mimicking automated notifications from the Russian government services portal. These messages were distributed under the guise of application status updates and contained phishing links.
We also recorded vishing attacks targeting users of government portals. Victims were prompted to “verify account security” by calling a support number provided in the email. To lower the users’ guard, the attackers included fabricated technical details in the emails, such as the IP address, device model, and timestamp of an alleged unauthorized sign-in.
Last year, attackers also disguised vishing emails as notifications from microfinance institutions or credit bureaus regarding new loan applications. The scammers banked on the likelihood that the recipient had not actually applied for a loan. They would then prompt the victim to contact a fake support service via a spoofed support number.
Know Your Customer
As an added layer of data security, many services now implement biometric verification (facial recognition, fingerprints, and retina scans), as well as identity document verification and digital signatures. To harvest this data, fraudsters create clones of popular platforms that utilize these verification protocols. We have previously detailed the mechanics of this specific type of data theft.
In 2025, we observed a surge in phishing attacks targeting users under the guise of Know Your Customer (KYC) identity verification. KYC protocols rely on a specific set of user data for identification. By spoofing the pages of payment services such as Vivid Money, fraudsters harvested the information required to pass KYC authentication.
Notably, this threat also impacted users of various other platforms that utilize KYC procedures.
A distinctive feature of attacks on the KYC process is that, in addition to the victim’s full name, email address, and phone number, phishers request photos of their passport or face, sometimes from multiple angles. If this information falls into the hands of threat actors, the consequences extend beyond the loss of account access; the victim’s credentials can be sold on dark web marketplaces, a trend we have highlighted in previous reports.
Messaging app phishing
Account hijacking on messaging platforms like WhatsApp and Telegram remains one of the primary objectives of phishing and scam operations. While traditional tactics, such as suspicious links embedded in messages, have been well-known for some time, the methods used to steal credentials are becoming increasingly sophisticated.
For instance, Telegram users were invited to participate in a prize giveaway purportedly hosted by a famous athlete. This phishing attack, which masqueraded as an NFT giveaway, was executed through a Telegram Mini App. This marks a shift in tactics, as attackers previously relied on external web pages for these types of schemes.
In 2025, new variations emerged within the familiar framework of distributing phishing links via Telegram. For example, we observed prompts inviting users to vote for the “best dentist” or “best COO” in town.
The most prevalent theme in these voting-based schemes, children’s contests, was distributed primarily through WhatsApp. These phishing pages showed little variety; attackers utilized a standardized website design and set of “bait” photos, simply localizing the language based on the target audience’s geographic location.
To participate in the vote, the victim was required to enter the phone number linked to their WhatsApp account.
They were then prompted to provide a one-time authentication code for the messaging app.
The following are several other popular methods used by fraudsters to hijack user credentials.
In China, phishing pages meticulously replicated the WhatsApp interface. Victims were notified that their accounts had purportedly been flagged for “illegal activity”, necessitating “additional verification”.
The victim was redirected to a page to enter their phone number, followed by a request for their authorization code.
In other instances, users received messages allegedly from WhatsApp support regarding account authentication via SMS. As with the other scenarios described, the attackers’ objective was to obtain the authentication code required to hijack the account.
Fraudsters enticed WhatsApp users with an offer to link an app designed to “sync communications” with business contacts.
To increase the perceived legitimacy of the phishing site, the attackers even prompted users to create custom credentials for the page.
After that, the user was required to “purchase a subscription” to activate the application. This allowed the scammers to harvest credit card data, leaving the victim without the promised service.
To lure Telegram users, phishers distributed invitations to online dating chats.
Attackers also heavily leveraged the promise of free Telegram Premium subscriptions. While these phishing pages were previously observed only in Russian and English, the linguistic scope of these campaigns expanded significantly this year. As in previous iterations, activating the subscription required the victim to sign in to their account, which could result in the loss of account access.
Exploiting the ChatGPT hype
Artificial intelligence is increasingly being leveraged by attackers as bait. For example, we have identified fraudulent websites mimicking the official payment page for ChatGPT Plus subscriptions.
Social media marketing through LLMs was also a potential focal point for user interest. Scammers offered “specialized prompt kits” designed for social media growth; however, once payment was received, they vanished, leaving victims without the prompts or their money.
The promise of easy income through neural networks has emerged as another tactic to attract potential victims. Fraudsters promoted using ChatGPT to place bets, promising that the bot would do all the work while the user collected the profits. These services were offered at a “special price” valid for only 15 minutes after the page was opened. This narrow window prevented the victim from critically evaluating the impulse purchase.
Job opportunities with a catch
To attract potential victims, scammers exploited the theme of employment by offering high-paying remote positions. Applicants responding to these advertisements did more than just disclose their personal data; in some cases, fraudsters requested a small sum under the pretext of document processing or administrative fees. To convince victims that the offer was legitimate, attackers impersonated major brands, leveraging household names to build trust. This allowed them to lower the victims’ guard, even when the employment terms sounded too good to be true.
We also observed schemes where, after obtaining a victim’s data via a phishing site, scammers would follow up with a phone call – a tactic aimed at tricking the user into disclosing additional personal data.
By analyzing current job market trends, threat actors also targeted popular career paths to steal messaging app credentials. These phishing schemes were tailored to specific regional markets. For example, in the UAE, fake “employment agency” websites were circulating.
In a more sophisticated variation, users were asked to complete a questionnaire that required the phone number linked to their Telegram account.
To complete the registration, users were prompted for a code which, in reality, was a Telegram authorization code.
Notably, the registration process did not end there; the site continued to request additional information to “set up an account” on the fraudulent platform. This served to keep victims in the dark, maintaining their trust in the malicious site’s perceived legitimacy.
After finishing the registration, the victim was told to wait 24 hours for “verification”, though the scammers’ primary objective, hijacking the Telegram account, had already been achieved.
Simpler phishing schemes were also observed, where users were redirected to a page mimicking the Telegram interface. By entering their phone number and authorization code, victims lost access to their accounts.
Job seekers were not the only ones targeted by scammers. Employers’ accounts were also in the crosshairs, specifically on a major Russian recruitment portal. On a counterfeit page, the victim was asked to “verify their account” in order to post a job listing, which required them to enter their actual sign-in credentials for the legitimate site.
Spam in 2025
Malicious attachments
Password-protected archives
Attackers began aggressively distributing messages with password-protected malicious archives in 2024. Throughout 2025, these archives remained a popular vector for spreading malware, and we observed a variety of techniques designed to bypass security solutions.
For example, threat actors sent emails impersonating law firms, threatening victims with legal action over alleged “unauthorized domain name use”. The recipient was prompted to review potential pre-trial settlement options detailed in an attached document. The attachment consisted of an unprotected archive containing a secondary password-protected archive and a file with the password. Disguised as a legal document within this inner archive was a malicious WSF file, which installed a Trojan into the system via startup. The Trojan then stealthily downloaded and installed Tor, which allowed it to regularly exfiltrate screenshots to the attacker-controlled C2 server.
In addition to archives, we also encountered password-protected PDF files containing malicious links over the past year.
E-signature service exploits
Emails using the pretext of “signing a document” to coerce users into clicking phishing links or opening malicious attachments were quite common in 2025. The most prevalent scheme involved fraudulent notifications from electronic signature services. While these were primarily used for phishing, one specific malware sample identified within this campaign is of particular interest.
The email, purportedly sent from a well-known document-sharing platform, notified the recipient that they had been granted access to a “contract” attached to the message. However, the attachment was not the expected PDF; instead, it was a nested email file named after the contract. The body of this nested message mirrored the original, but its attachment utilized a double extension: a malicious SVG file containing a Trojan was disguised as a PDF document. This multi-layered approach was likely an attempt to obfuscate the malware and bypass security filters.
“Business correspondence” impersonating industrial companies
In the summer of last year, we observed mailshots sent in the name of various existing industrial enterprises. These emails contained DOCX attachments embedded with Trojans. Attackers coerced victims into opening the malicious files under the pretext of routine business tasks, such as signing a contract or drafting a report.
The authors of this malicious campaign attempted to lower users’ guard by using legitimate industrial sector domains in the “From” address. Furthermore, the messages were routed through the mail servers of a reputable cloud provider, ensuring the technical metadata appeared authentic. Consequently, even a cautious user could mistake the email for a genuine communication, open the attachment, and compromise their device.
Attacks on hospitals
Hospitals were a popular target for threat actors this past year: they were targeted with malicious emails impersonating well-known insurance providers. Recipients were threatened with legal action regarding alleged “substandard medical services”. The attachments, described as “medical records and a written complaint from an aggrieved patient”, were actually malware. Our solutions detect this threat as Backdoor.Win64.BrockenDoor, a backdoor capable of harvesting system information and executing malicious commands on the infected device.
We also came across emails with a different narrative. In those instances, medical staff were requested to facilitate a patient transfer from another hospital for ongoing observation and treatment. These messages referenced attached medical files containing diagnostic and treatment history, which were actually archives containing malicious payloads.
To bolster the perceived legitimacy of these communications, attackers did more than just impersonate famous insurers and medical institutions; they registered look-alike domains that mimicked official organizations’ domains by appending keywords such as “-insurance” or “-med.” Furthermore, to lower the victims’ guard, scammers included a fake “Scanned by Email Security” label.
Messages containing instructions to run malicious scripts
Last year, we observed unconventional infection chains targeting end-user devices. Threat actors continued to distribute instructions for downloading and executing malicious code, rather than attaching the malware files directly. To convince the recipient to follow these steps, attackers typically utilized a lure involving a “critical software update” or a “system patch” to fix a purported vulnerability. Generally, the first step in the instructions required launching the command prompt with administrative privileges, while the second involved entering a command to download and execute the malware: either a script or an executable file.
In some instances, these instructions were contained within a PDF file. The victim was prompted to copy a command into PowerShell that was neither obfuscated nor hidden. Such schemes target non-technical users who would likely not understand the command’s true intent and would unknowingly infect their own devices.
Scams
Law enforcement impersonation scams in the Russian web segment
In 2025, extortion campaigns involving actors posing as law enforcement – a trend previously more prevalent in Europe – were adapted to target users across the Commonwealth of Independent States.
For example, we identified messages disguised as criminal subpoenas or summonses purportedly issued by Russian law enforcement agencies. However, the specific departments cited in these emails never actually existed. The content of these “summonses” would also likely raise red flags for a cautious user. This blackmail scheme relied on the victim, in their state of panic, not scrutinizing the contents of the fake summons.
To intimidate recipients, the attackers referenced legal frameworks and added forged signatures and seals to the “subpoenas”. In reality, neither the cited statutes nor the specific civil service positions exist in Russia.
We observed similar attacks – employing fabricated government agencies and fictitious legal acts – in other CIS countries, such as Belarus.
Fraudulent investment schemes
Threat actors continued to aggressively exploit investment themes in their email scams. These emails typically promise stable, remote income through “exclusive” investment opportunities. This remains one of the most high-volume and adaptable categories of email scams. Threat actors embedded fraudulent links both directly within the message body and inside various types of attachments: PDF, DOC, PPTX, and PNG files. Furthermore, they increasingly leveraged legitimate Google services, such as Google Docs, YouTube, and Google Forms, to distribute these communications. The link led to the site of the “project” where the victim was prompted to provide their phone number and email. Subsequently, users were invited to invest in a non-existent project.
We have previously documented these mailshots: they were originally targeted at Russian-speaking users and were primarily distributed under the guise of major financial institutions. However, in 2025, this investment-themed scam expanded into other CIS countries and Europe. Furthermore, the range of industries that spammers impersonated grew significantly. For instance, in their emails, attackers began soliciting investments for projects supposedly led by major industrial-sector companies in Kazakhstan and the Czech Republic.
Fraudulent “brand partner” recruitment
This specific scam operates through a multi-stage workflow. First, the target company receives a communication from an individual claiming to represent a well-known global brand, inviting them to register as a certified supplier or business partner. To bolster the perceived authenticity of the offer, the fraudsters send the victim an extensive set of forged documents. Once these documents are signed, the victim is instructed to pay a “deposit”, which the attackers claim will be fully refunded once the partnership is officially established.
These mailshots were first detected in 2025 and have rapidly become one of the most prevalent forms of email-based fraud. In December 2025 alone, we blocked over 80,000 such messages. These campaigns specifically targeted the B2B sector and were notable for their high level of variation – ranging from their technical properties to the diversity of the message content and the wide array of brands the attackers chose to impersonate.
Fraudulent overdue rent notices
Last year, we identified a new theme in email scams: recipients were notified that the payment deadline for a leased property had expired and were urged to settle the “debt” immediately. To prevent the victim from sending funds to their actual landlord, the email claimed that banking details had changed. The “debtor” was then instructed to request the new payment information – which, of course, belonged to the fraudsters. These mailshots primarily targeted French-speaking countries; however, in December 2025, we discovered a similar scam variant in German.
QR codes in scam letters
In 2025, we observed a trend where QR codes were utilized not only in phishing attempts but also in extortion emails. In a classic blackmail scam, the user is typically intimidated by claims that hackers have gained access to sensitive data. To prevent the public release of this information, the attackers demand a ransom payment to their cryptocurrency wallet.
Previously, to bypass email filters, scammers attempted to obfuscate the wallet address by using various noise contamination techniques. In last year’s campaigns, however, scammers shifted to including a QR code that contained the cryptocurrency wallet address.
News agenda
As in previous years, spammers in 2025 aggressively integrated current events into their fraudulent messaging to increase engagement.
For example, following the launch of $TRUMP memecoins surrounding Donald Trump’s inauguration, we identified scam campaigns promoting the “Trump Meme Coin” and “Trump Digital Trading Cards”. In these instances, scammers enticed victims to click a link to claim “free NFTs”.
We also observed ads offering educational credentials. Spammers posted these ads as comments on legacy, unmoderated forums; this tactic ensured that notifications were automatically pushed to all users subscribed to the thread. These notifications either displayed the fraudulent link directly in the comment preview or alerted users to a new post that redirected them to spammers’ sites.
In the summer, when the wedding of Amazon founder Jeff Bezos became a major global news story, users began receiving Nigerian-style scam messages purportedly from Bezos himself, as well as from his former wife, MacKenzie Scott. These emails promised recipients substantial sums of money, framed either as charitable donations or corporate compensation from Amazon.
During the BLACKPINK world tour, we observed a wave of spam advertising “luggage scooters”. The scammers claimed these were the exact motorized suitcases used by the band members during their performances.
Finally, in the fall of 2025, traditionally timed to coincide with the launch of new iPhones, we identified scam campaigns featuring surveys that offered participants a chance to “win” a fictitious iPhone 17 Pro.
After completing a brief survey, the user was prompted to provide their contact information and physical address, as well as pay a “delivery fee” – which was the scammers’ ultimate objective. Upon entering their credit card details into the fraudulent site, the victim risked losing not only the relatively small delivery charge but also the entire balance in their bank account.
The widespread popularity of Ozempic was also reflected in spam campaigns; users were bombarded with offers to purchase versions of the drug or questionable alternatives.
Localized news events also fall under the scrutiny of fraudsters, serving as the basis for scam narratives. For instance, last summer, coinciding with the opening of the tax season in South Africa, we began detecting phishing emails impersonating the South African Revenue Service (SARS). These messages notified taxpayers of alleged “outstanding balances” that required immediate settlement.
Methods of distributing email threats
Google services
In 2025, threat actors increasingly leveraged various Google services to distribute email-based threats. We observed the exploitation of Google Calendar: scammers would create an event containing a WhatsApp contact number in the description and send an invitation to the target. For instance, companies received emails regarding product inquiries that prompted them to move the conversation to the messaging app to discuss potential “collaboration”.
Spammers employed a similar tactic using Google Classroom. We identified samples offering SEO optimization services that likewise directed victims to a WhatsApp number for further communication.
We also detected the distribution of fraudulent links via legitimate YouTube notifications. Attackers would reply to user comments under various videos, triggering an automated email notification to the victim. This email contained a link to a video that displayed only a message urging the viewer to “check the description”, where the actual link to the scam site was located. As the victim received an email containing the full text of the fraudulent comment, they were often lured through this chain of links, eventually landing on the scam site.
Over the past two years or so, there has been a significant rise in attacks utilizing Google Forms. Fraudsters create a survey with an enticing title and place the scam messaging directly in the form’s description. They then submit the form themselves, entering the victims’ email addresses into the field for the respondent email. This triggers legitimate notifications from the Google Forms service to the targeted addresses. Because these emails originate from Google’s own mail servers, they appear authentic to most spam filters. The attackers rely on the victim focusing on the “bait” description containing the fraudulent link rather than the standard form header.
Google Groups also emerged as a popular tool for spam distribution last year. Scammers would create a group, add the victims’ email addresses as members, and broadcast spam through the service. This scheme proved highly effective: even if a security solution blocked the initial spam message, the user could receive a deluge of automated replies from other addresses on the member list.
At the end of 2025, we encountered a legitimate email in terms of technical metadata that was sent via Google and contained a fraudulent link. The message also included a verification code for the recipient’s email address. To generate this notification, scammers filled out the account registration form in a way that diverted the recipient’s attention toward a fraudulent site. For example, instead of entering a first and last name, the attackers inserted text such as “Personal Link” followed by a phishing URL, utilizing noise contamination techniques. By entering the victim’s email address into the registration field, the scammers triggered a legitimate system notification containing the fraudulent link.
OpenAI
In addition to Google services, spammers leveraged other platforms to distribute email threats, notably OpenAI, riding the wave of artificial intelligence popularity. In 2025, we observed emails sent via the OpenAI platform into which spammers had injected short messages, fraudulent links, or phone numbers.
This occurs during the account registration process on the OpenAI platform, where users are prompted to create an organization to generate an API key. Spammers placed their fraudulent content directly into the field designated for the organization’s name. They then added the victims’ email addresses as organization members, triggering automated platform invitations that delivered the fraudulent links or contact numbers directly to the targets.
Spear phishing and BEC attacks in 2025
QR codes
The use of QR codes in spear phishing has become a conventional tactic that threat actors continued to employ throughout 2025. Specifically, we observed the persistence of a major trend identified in our previous report: the distribution of phishing documents disguised as notifications from a company’s HR department.
In these campaigns, attackers impersonated HR team members, requesting that employees review critical documentation, such as a new corporate policy or code of conduct. These documents were typically attached to the email as PDF files.
Phishing notification about “new corporate policies”
To maintain the ruse, the PDF document contained a highly convincing call to action, prompting the user to scan a QR code to access the relevant file. While attackers previously embedded these codes directly into the body of the email, last year saw a significant shift toward placing them within attachments – most likely in an attempt to bypass email security filters.
Malicious PDF content
Upon scanning the QR code within the attachment, the victim was redirected to a phishing page meticulously designed to mimic a Microsoft authentication form.
Phishing page with an authentication form
In addition to fraudulent HR notifications, threat actors created scheduled meetings within the victim’s email calendar, placing DOC or PDF files containing QR codes in the event descriptions. Leveraging calendar invites to distribute malicious links is a legacy technique that was widely observed during scam campaigns in 2019. After several years of relative dormancy, we saw a resurgence of this technique last year, now integrated into more sophisticated spear phishing operations.
Fake meeting invitation
In one specific example, the attachment was presented as a “new voicemail” notification. To listen to the recording, the user was prompted to scan a QR code and sign in to their account on the resulting page.
Malicious attachment content
As in the previous scenario, scanning the code redirected the user to a phishing page, where they risked losing access to their Microsoft account or internal corporate sites.
Link protection services
Threat actors utilized more than just QR codes to hide phishing URLs and bypass security checks. In 2025, we discovered that fraudsters began weaponizing link protection services for the same purpose. The primary function of these services is to intercept and scan URLs at the moment of clicking to prevent users from reaching phishing sites or downloading malware. However, attackers are now abusing this technology by generating phishing links that security systems mistakenly categorize as “safe”.
This technique is employed in both mass and spear phishing campaigns. It is particularly dangerous in targeted attacks, which often incorporate employees’ personal data and mimic official corporate branding. When combined with these characteristics, a URL generated through a legitimate link protection service can significantly bolster the perceived authenticity of a phishing email.
“Protected” link in a phishing email
After opening a URL that seemed safe, the user was directed to a phishing site.
Phishing page
BEC and fabricated email chains
In Business Email Compromise (BEC) attacks, threat actors have also begun employing new techniques, the most notable of which is the use of fake forwarded messages.
BEC email featuring a fabricated message thread
This BEC attack unfolded as follows. An employee would receive an email containing a previous conversation between the sender and another colleague. The final message in this thread was typically an automated out-of-office reply or a request to hand off a specific task to a new assignee. In reality, however, the entire initial conversation with the colleague was completely fabricated. These messages lacked the thread-index headers, as well as other critical header values, that would typically verify the authenticity of an actual email chain.
In the example at hand, the victim was pressured to urgently pay for a license using the provided banking details. The PDF attachments included wire transfer instructions and a counterfeit cover letter from the bank.
Malicious PDF content
The bank does not actually have an office at the address provided in the documents.
Statistics: phishing
In 2025, Kaspersky solutions blocked 554,002,207 attempts to follow fraudulent links. In contrast to the trends of previous years, we did not observe any major spikes in phishing activity; instead, the volume of attacks remained relatively stable throughout the year, with the exception of a minor decline in December.
Anti-Phishing triggers, 2025 (download)
The phishing and scam landscape underwent a shift. While in 2024, we saw a high volume of mass attacks, their frequency declined in 2025. Furthermore, redirection-based schemes, which were frequently used for online fraud in 2024, became less prevalent in 2025.
Map of phishing attacks
As in the previous year, Peru remains the country with the highest percentage (17.46%) of users targeted by phishing attacks. Bangladesh (16.98%) took second place, entering the TOP 10 for the first time, while Malawi (16.65%), which was absent from the 2024 rankings, was third. Following these are Tunisia (16.19%), Colombia (15.67%), the latter also being a newcomer to the TOP 10, Brazil (15.48%), and Ecuador (15.27%). They are followed closely by Madagascar and Kenya, both with a 15.23% share of attacked users. Rounding out the list is Vietnam, which previously held the third spot, with a share of 15.05%.
| Country/territory | Share of attacked users** |
| Peru | 17.46% |
| Bangladesh | 16.98% |
| Malawi | 16.65% |
| Tunisia | 16.19% |
| Colombia | 15.67% |
| Brazil | 15.48% |
| Ecuador | 15.27% |
| Madagascar | 15.23% |
| Kenya | 15.23% |
| Vietnam | 15.05% |
** Share of users who encountered phishing out of the total number of Kaspersky users in the country/territory, 2025
Top-level domains
In 2025, breaking a trend that had persisted for several years, the majority of phishing pages were hosted within the XYZ TLD zone, accounting for 21.64% – a three-fold increase compared to 2024. The second most popular zone was TOP (15.45%), followed by BUZZ (13.58%). This high demand can be attributed to the low cost of domain registration in these zones. The COM domain, which had previously held the top spot consistently, fell to fourth place (10.52%). It is important to note that this decline is partially driven by the popularity of typosquatting attacks: threat actors frequently spoof sites within the COM domain by using alternative suffixes, such as example-com.site instead of example.com. Following COM is the BOND TLD, entering the TOP 10 for the first time with a 5.56% share. As this zone is typically associated with financial websites, the surge in malicious interest there is a logical progression for financial phishing. The sixth and seventh positions are held by ONLINE (3.39%) and SITE (2.02%), which occupied the fourth and fifth spots, respectively, in 2024. In addition, three domain zones that had not previously appeared in our statistics emerged as popular hosting environments for phishing sites. These included the CFD domain (1.97%), typically used for websites in the clothing, fashion, and design sectors; the Polish national top-level domain, PL (1.75%); and the LOL domain (1.60%).
Most frequent top-level domains for phishing pages, 2025 (download)
Organizations targeted by phishing attacks
The rankings of organizations targeted by phishers are based on detections by the Anti-Phishing deterministic component on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.
Phishing pages impersonating web services (27.42%) and global internet portals (15.89%) maintained their positions in the TOP 10, continuing to rank first and second, respectively. Online stores (11.27%), a traditional favorite among threat actors, returned to the third spot. In 2025, phishers showed increased interest in online gamers: websites mimicking gaming platforms jumped from ninth to fifth place (7.58%). These are followed by banks (6.06%), payment systems (5.93%), messengers (5.70%), and delivery services (5.06%). Phishing attacks also targeted social media (4.42%) and government services (1.77%) accounts.
Distribution of targeted organizations by category, 2025 (download)
Statistics: spam
Share of spam in email traffic
In 2025, the average share of spam in global email traffic was 44.99%, representing a decrease of 2.28 percentage points compared to the previous year. Notably, contrary to the trends of the past several years, the fourth quarter was the busiest one: an average of 49.26% of emails were categorized as spam, with peak activity occurring in November (52.87%) and December (51.80%). Throughout the rest of the year, the distribution of junk mail remained relatively stable without significant spikes, maintaining an average share of approximately 43.50%.
Share of spam in global email traffic, 2025 (download)
In the Russian web segment (Runet), we observed a more substantial decline: the average share of spam decreased by 5.3 percentage points to 43.27%. Deviating from the global trend, the fourth quarter was the quietest period in Russia, with a share of 41.28%. We recorded the lowest level of spam activity in December, when only 36.49% of emails were identified as junk. January and February were also relatively calm, with average values of 41.94% and 43.09%, respectively. Conversely, the Runet figures for March–October correlated with global figures: no major surges were observed, spam accounting for an average of 44.30% of total email traffic during these months.
Share of spam in Runet email traffic, 2025 (download)
Countries and territories where spam originated
The top three countries in the 2025 rankings for the volume of outgoing spam mirror the distribution of the previous year: Russia, China, and the United States. However, the share of spam originating from Russia decreased from 36.18% to 32.50%, while the shares of China (19.10%) and the U.S. (10.57%) each increased by approximately 2 percentage points. Germany rose to fourth place (3.46%), up from sixth last year, displacing Kazakhstan (2.89%). Hong Kong followed in sixth place (2.11%). The Netherlands and Japan shared the next spot with identical shares of 1.95%; however, we observed a year-over-year increase in outgoing spam from the Netherlands, whereas Japan saw a decline. The TOP 10 is rounded out by Brazil (1.94%) and Belarus (1.74%), the latter ranking for the first time.
TOP 20 countries and territories where spam originated in 2025 (download)
Malicious email attachments
In 2025, Kaspersky solutions blocked 144,722,674 malicious email attachments, an increase of nineteen million compared to the previous year. The beginning and end of the year were traditionally the most stable periods; however, we also observed a notable decline in activity during August and September. Peaks in email antivirus detections occurred in June, July, and November.
Email antivirus detections, 2025 (download)
The most prevalent malicious email attachment in 2025 was the Makoob Trojan family, which covertly harvests system information and user credentials. Makoob first entered the TOP 10 in 2023 in eighth place, rose to third in 2024, and secured the top spot in 2025 with a share of 4.88%. Following Makoob, as in the previous year, was the Badun Trojan family (4.13%), which typically disguises itself as electronic documents. The third spot is held by the Taskun family (3.68%), which creates malicious scheduled tasks, followed by Agensla stealers (3.16%), which were the most common malicious attachments in 2024. Next are Trojan.Win32.AutoItScript scripts (2.88%), appearing in the rankings for the first time. In sixth place is the Noon spyware for all Windows systems (2.63%), which also occupied the tenth spot with its variant specifically targeting 32-bit systems (1.10%). Rounding out the TOP 10 are Hoax.HTML.Phish (1.98%) phishing attachments, Guloader downloaders (1.90%) – a newcomer to the rankings – and Badur (1.56%) PDF documents containing suspicious links.
TOP 10 malware families distributed via email attachments, 2025 (download)
The distribution of specific malware samples traditionally mirrors the distribution of malware families almost exactly. The only differences are that a specific variant of the Agensla stealer ranked sixth instead of fourth (2.53%), and the Phish and Guloader samples swapped positions (1.58% and 1.78%, respectively). Rounding out the rankings in tenth place is the password stealer Trojan-PSW.MSIL.PureLogs.gen with a share of 1.02%.
TOP 10 malware samples distributed via email attachments, 2025 (download)
Countries and territories targeted by malicious mailings
The highest volume of malicious email attachments was blocked on devices belonging to users in China (13.74%). For the first time in two years, Russia dropped to second place with a share of 11.18%. Following closely behind are Mexico (8.18%) and Spain (7.70%), which swapped places compared to the previous year. Email antivirus triggers saw a slight increase in Türkiye (5.19%), which maintained its fifth-place position. Sixth and seventh places are held by Vietnam (4.14%) and Malaysia (3.70%); both countries climbed higher in the TOP 10 due to an increase in detection shares. These are followed by the UAE (3.12%), which held its position from the previous year. Italy (2.43%) and Colombia (2.07%) also entered the TOP 10 list of targets for malicious mailshots.
TOP 20 countries and territories targeted by malicious mailshots, 2025 (download)
Conclusion
2026 will undoubtedly be marked by novel methods of exploiting artificial intelligence capabilities. At the same time, messaging app credentials will remain a highly sought-after prize for threat actors. While new schemes are certain to emerge, they will likely supplement rather than replace time-tested tricks and tactics. This underscores the reality that, alongside the deployment of robust security software, users must remain vigilant and exercise extreme caution toward any online offers that raise even the slightest suspicion.
The intensified focus on government service credentials signals a rise in potential impact; unauthorized access to these services can lead to financial theft, data breaches, and full-scale identity theft. Furthermore, the increased abuse of legitimate tools and the rise of multi-stage attacks – which often begin with seemingly harmless files or links – demonstrate a concerted effort by fraudsters to lull users into a false sense of security while pursuing their malicious objectives.
securelist.com/spam-and-phishi…
PROFS: The Office Suite of the 1980s
Today, we take office software suites for granted. But in the 1970s, you were lucky to have a typewriter and access to a photocopier. But in the early 1980s, IBM rolled out PROFS — the Professional Office System — to try to revolutionize the office. It was an offshoot of an earlier internal system. The system would hardly qualify as an office suite today, but for the time it was very advanced.
The key component was an editor you could use to input notes and e-mail messages. PROFS also kept your calendar and could provide databases like phonebooks. There were several key features of PROFS that would make it hard to recognize as productivity software today. For one thing, IBM terminals were screen-oriented. The central computer would load a form into your terminal, which you could fill out. Then you’d press send to transmit it back to the mainframe. That makes text editing, for example, a very different proposition since you work on a screen of data at any one time. In addition, while you could coordinate calendars and send e-mail, you could only do that with certain people.
In general, PROFS connected everyone using your mainframe or, perhaps, a group of mainframes. In some cases, there might be gateways to other systems, but it wasn’t universal. However, it did have most of the major functions you’d expect from an e-mail system that was text-only, as you can see in the screenshot from a 1986 manual. PF keys, by the way, are what we would now call function keys.
The calendar was good, too. You could grant different users different access to your calendar. It was possible to just let people see when you were busy or mark events as confidential or personal.
You could actually operate PROFS using a command-line interface, and the PF keys were simply shorthand. That was a good thing, too. If you wanted to erase a file named Hackaday, for example, you had to type: ERASE Hackaday AUT$PROF.
Styles
PROFS messages were short and were essentially ephemeral chat messages. Of course, because of the block-mode terminals, you could only get messages after you sent something to the mainframe, or you were idle in a menu. A note was different. Notes were what we could call e-mail. They went into your inbox, and you could file them in “logs”, which were similar to folders.
If you wanted something with more gravitas, you could create documents. Documents could have templates and be merged with profiles to get information for a particular author. For example, a secretary might prepare a letter to print and mail using different profiles for different senders that had unique addresses, titles, and phone numbers.
Documents could be marked draft or final. You had your own personal data storage area, and there was also a shared storage. Draft documents could be automatically versioned. Documents also received unique ID numbers and were encoded with their creation date. Of course, you could also restrict certain documents to certain users or make them read-only for particular users.
More Features
PROFS could remind you of things or calendar appointments. It could also let you look up things like phone numbers or work with other databases. The calendar could help you find times when all participants were available. PROFS could tie into DisplayWrite (at least, by version 2) so it could spell check using custom or stock dictionaries. It also looked for problematic words such as effect vs. affect and wordy phrases or clichés.
The real game changer, though, was the ability to find documents without searching through a physical filing cabinet. The amount of time spent maintaining and searching files in a typical pre-automation business was staggering.
You could ask PROFS to suggest rewrites for a certain grade level or access a thesaurus. This all sounds ordinary now, but it was a big innovation in the 1980s.
Of course, in those days, documents were likely to be printed on a computer-controlled typewriter or, perhaps, an ordinary line printer. But how could you format using text? This all hinged on IBM’s DisplayWriter word processor.
youtube.com/embed/5Snvu8U1IE8?…
Markup
Today we use HTML or Markdown to give hints about rendering our text. PROFS and DisplayWriter wasn’t much different, although it had its own language. The 😛. tag started a paragraph. You could set off a quotation between :q. and :eq. Unnumbered lists would start with :ul., continue with :li., and end with :eul. Sounds almost familiar, right? Of course, programs like roff and WordStar had similar kinds of commands, and, truthfully, the markup is almost like strange HTML.
The Whole Office
IBM wanted to show people that this wasn’t just wordprocessing for the secretarial pool. Advanced users could customize templates and profiles. Administrators could tailor menus and add features. There were applications you could add to provide a spreadsheet capability, access different databases, and gateway to other systems like TWX or Telex.
It is hard to find any demonstrations of PROFs, but a few years ago, someone documented their adventure in trying to get PROFS running. Check out [HS Tech Channel’s] video below.
youtube.com/embed/FIqbesDvNL8?…
History and Future
Supposedly, the original system was built in the late 1970s in conjunction with Amoco Research. However, we’re a little suspicious of that claim. We know of at least three other companies that were very proud of “helping IBM design PROFS.” As far as we could ever tell, that was a line IBM sales fed people when they helped them design a sign-in screen with their company name on it, and that was about it.
The system would go through several releases until it morphed into OfficeVision. As PCs started to take over, OfficeVision/2 and OS/2 were the IBM answer that few wanted. Eventually, IBM would suggest using Lotus Notes or Domino and would eventually buy Lotus in 1995 to own the products.
Scandal
One place that PROFS got a lot of public attention was during the Iran-Contra affair. Oliver North and others exchanged PROFS notes about their activities and deleted them. However, deleting a note in PROFS isn’t always a true deletion. If you send a note to several people, they all have to delete it before the system may delete it. If you send a document, deleting the message only deletes the notification that the document is ready, not the document.
Investigators recovered many “deleted” e-mails from PROFS that provided key details about the case. Oddly, around the same time, IBM offered an add-on to PROFS to ensure things you wanted to delete were really gone. Maybe a coincidence. Maybe not.
On Your Own
If you want to try to build up a new PROFS system, we suggest starting with a virtual machine. If anyone suggests that wordprocessing can’t get worse than DisplayWriter, they are very wrong.
Forget Waldo. Where’s Luna 9?
Luna 9 was the first spacecraft to soft-land on the moon. In 1966, the main spacecraft ejected a 99-kg lander module that used a landing bag to survive impact. The problem is, given the technology limitations of 1966, no one is exactly sure where it is now. But it looks like that’s about to change.
We know that the lander bounced a few times and came to rest somewhere in Oceanus Procellarum, in the area of the Reiner and Marius craters. The craft deployed four stabilizing petals and sent back dramatic panoramas of the lunar surface. The Soviets were not keen to share, but Western radio astronomers noticed the pictures were in the standard Radiofax format, so the world got a glimpse of the moon, and journalists speculated that the use of a standard might have been a deliberate choice of the designers to end run against the government’s unwillingness to share data.
Several scientists have been looking for the remains of the historic mission, but with limited success. But there are a few promising theories, and the Indian Chandrayaan-2 orbiter may soon confirm which theory is correct. Interestingly, Pravda published exact landing coordinates, but given the state of the art in 1966, those coordinates are unlikely to be completely correct. The Lunar Reconnaissance Orbiter couldn’t find it at that location. The leading candidates are within 5 to 25 km of the presumed site.
The Luna series had a number of firsts, including — probably — the distinction of being the first spacecraft stolen by a foreign government. Don’t worry, though. They returned it. Since the Russians didn’t talk much about plans or failures, you can wonder what they wanted to build but didn’t. There were plenty of unbuilt dreams on the American side.
Featured Art – 1:1 model of the Luna 9, Public Domain.
Against Technosolutionism: Governing Platforms as Systems of Care
Why do our digital systems break people? Conversational AI tools like Grok or ChatGPT are promoted as a means to democratize knowledge and expand access to information. In practice, however, they have also made sexual harassment easier, reproduced harmful stereotypes, and, in some cases, encouraged people to self-harm rather than helping them. These outcomes are not rare glitches. They reveal how conversational AI and social media platforms are built, governed, and deployed at scale.
The post Against Technosolutionism: Governing Platforms as Systems of Care appeared first on European Digital Rights (EDRi).
The State of the Internet 2026 with Fieke Jansen
During the State of the Internet, Waag Futurelab takes the annual temperature of the internet. This edition focuses on AI and the limits of our planet. The lecture will be given by Fieke Jansen, co-founder of the Critical Infrastructure Lab.
The post The State of the Internet 2026 with Fieke Jansen appeared first on European Digital Rights (EDRi).
Science Cafe: Why the current internet sucks
Media scholars Lucie Chateau and Michael Stevenson, and legal scholar Catalina Goanta on how Big Tech killed the internet.
The post Science Cafe: Why the current internet sucks appeared first on European Digital Rights (EDRi).
Global Gathering 2026
The Global Gathering brings together groups from around the world working on the most urgent technology-related challenges affecting human rights, social justice, civil society, and journalism at the local, regional and global levels.
The post Global Gathering 2026 appeared first on European Digital Rights (EDRi).
Conference Digital Commons: Infrastructures, Design, and the Ethics of Autonomy
Digital Commons: Infrastructures, Design, and the Ethics of Autonomy is an international conference exploring how digital infrastructures shape contemporary life, and how communities, researchers, and technologists imagine and build alternatives.
The post Conference Digital Commons: Infrastructures, Design, and the Ethics of Autonomy appeared first on European Digital Rights (EDRi).
I dati clinici: un bene comune?
Le notizie dal Centro Nexa su Internet & Società del Politecnico di Torino su @Etica Digitale (Feddit)
12 febbraio 2026 | Con Maurizio Borghi (Co-Direttore del Centro Nexa), Maria Chiara Pievatolo (Trustee del Centro Nexa) e Daniela Tafani (Faculty Fellow del Centro Nexa)
The post I dati clinici: un bene comune? appeared firsthttps://nexa.polito.it/i-dati-clinici-un-bene-comune/
Etica Digitale (Feddit) reshared this.
Google Chrome 145 porta il supporto JPEG‑XL su Linux
linuxeasy.org/google-chrome-14…
Google Chrome 145 arriva su Linux con il ritorno del supporto JPEG‑XL, un decoder Rust più sicuro e numerose novità per web developer e utenti L'articolo Google Chrome 145 porta il supporto JPEG‑XL su Linux è su Linux Easy.
GNU/Linux Italia reshared this.
Equivoci da rimuovere sul referendum
@Giornalismo e disordine informativo
articolo21.org/2026/02/equivoc…
Sono molti gli equivoci che stanno nascendo e che più o meno maliziosamente vengono coltivati intorno alla riforma dell’ordinamento giudiziario su cui il popolo sarà chiamato a esprimere la propria opinione e il proprio voto con il referendum costituzionale del
reshared this
Nella rete di Epstein c’erano decine di intellettuali e scienziati
@Notizie dall'Italia e dal mondo
Il finanziere, a capo di una rete di spionaggio e di sfruttamento sessuale di minorenni, coltivava rapporti e finanziava decine di scienziati ed intellettuali di alto livello per legittimare le sue posizioni razziste e misogine
L'articolo Nella rete di Epstein c’erano
Notizie dall'Italia e dal mondo reshared this.
Arctic Sentry, al via la nuova operazione Nato nell’Alto Nord. Cosa implica
@Notizie dall'Italia e dal mondo
L’Alleanza Atlantica ha dato il via ad Arctic Sentry, una nuova operazione destinata a rafforzare la postura della Nato nell’Artico e nell’Alto Nord. L’annuncio arriva dopo settimane di tensioni interne all’Alleanza innescate dalle dichiarazioni di Donald Trump sulla
Notizie dall'Italia e dal mondo reshared this.
Report Acn sugli infostealer: ecco le raccomandazioni contro il vettore fantasma dei cyber attacchi
@Informatica (Italy e non Italy)
Gli infostealer non sono più 'semplice' malware da commodity. Dal rapporto dell'Acn emerge la centralità di questi strumenti nell’economia del cybercrime, dove le famiglie come LummaC2, RedLine e DcRat
Informatica (Italy e non Italy) reshared this.
Usulnet: la piattaforma self‑hosted che unifica la gestione completa dell’infrastruttura Docker
linuxeasy.org/usulnet-la-piatt…
Usulnet è una piattaforma self‑hosted moderna per gestire container, stack, sicurezza, backup, proxy e deployment
GNU/Linux Italia reshared this.
Euro contraffatti in banconote e monete arrivavano a pacchi dalla Cina
Un'operazione internazionale coordinata da Europol, condotta da Austria, Portogallo e Spagna, e che ha visto coinvolte le forze di polizia anche di Bulgaria, Croazia, Repubblica Ceca, Francia, Germania, Grecia, Irlanda, Italia, Paesi Bassi, Polonia, Romania, Serbia, Turchia, Regno Unito e Stati Uniti, ha portato al sequestro di circa 1,2 miliardi di euro in contanti falsi e monete contraffatte.
L'operazione si è svolta tra giugno e novembre 2025 e ha portato al blocco di 379 pacchi contenenti denaro falso.
Più del 90% del denaro sequestrato proveniva dalla Cina, con particolare rilevanza per i sequestri in Romania, dove sono state scoperte oltre 223.000 banconote contraffatte.
In questo contesto sono state identificate e bloccate diverse reti criminali che distribuivano denaro falso tramite servizi postali. Europol collabora con la Banca Centrale Europea e le autorità cinesi per affrontare il problema alla fonte
reshared this
Non solo droni, in Ue serve il pragmatismo di Meloni e Merz. Parla Donazzan (FdI)
@Notizie dall'Italia e dal mondo
Cedere più sovranità all’Ue o rafforzare un presidio già perfettamente operativo come la Nato? Il dibattito prende forma mentre la Commissione Europea presenta il piano d’azione per i droni, iniziativa che inevitabilmente si mescola con la complessiva strategia
Notizie dall'Italia e dal mondo reshared this.
Redox OS: i progressi di gennaio 2026 verso un sistema sempre più maturo
linuxeasy.org/redox-os-i-progr…
Redox OS avanza con miglioramenti al kernel, al filesystem TFS, al supporto hardware e agli strumenti di sviluppo. Le novità di gennaio 2026 mostrano un progetto sempre più stabile e
GNU/Linux Italia reshared this.
Un robot saldatore per Fincantieri. Ecco la partnership con Generative Bionics
@Notizie dall'Italia e dal mondo
Fincantieri ha avviato una partnership industriale con Generative Bionics, società italiana attiva nello sviluppo di robot umanoidi basati su Physical AI, per sviluppare un robot umanoide saldatore da impiegare nei propri cantieri navali. L’iniziativa rientra nella strategia di innovazione del gruppo e
Notizie dall'Italia e dal mondo reshared this.
Netanyahu alla Casa Bianca per imporre la linea di Israele sulla trattativa con l’Iran
@Notizie dall'Italia e dal mondo
Israele pretende una sorta di ultimatum americano volto ad ottenere lo stop al programma nucleare e missilistico di Teheran. Sul tavolo dell'incontro anche Gaza
L'articolo Netanyahu alla Casa Bianca per imporre la linea di Israele sulla
Notizie dall'Italia e dal mondo reshared this.
Così l’Italia può diventare regista della sicurezza nel Mediterraneo allargato. Parla Cesa
@Notizie dall'Italia e dal mondo
La guida italiana del comando Nato di Napoli segna un passaggio rilevante nel ruolo del Paese sul fianco sud dell’Alleanza. Il trasferimento della leadership viene interpretato come un segnale concreto di maggiore responsabilizzazione
Notizie dall'Italia e dal mondo reshared this.
131 gatti spariscono da un'isola e il finale sorprende tutti
Su un'isola giapponese, l'eliminazione di 131 gatti ha salvato una specie e messo in crisi le certezze della genetica.Everyeye Tech
𝟏𝟗 𝐟𝐞𝐛𝐛𝐫𝐚𝐢𝐨 – 𝐓𝐮𝐭𝐭𝐢 𝐢𝐧 𝐩𝐢𝐚𝐳𝐳𝐚
🔴𝐒𝐜𝐞𝐧𝐝𝐢𝐚𝐦𝐨 𝐢𝐧 𝐩𝐢𝐚𝐳𝐳𝐚
𝐩𝐞𝐫 𝐥𝐞 𝐛𝐚𝐦𝐛𝐢𝐧𝐞 𝐞 𝐢 𝐛𝐚𝐦𝐛𝐢𝐧𝐢
𝐜𝐡𝐞 𝐦𝐞𝐫𝐢𝐭𝐚𝐧𝐨 𝐮𝐧 𝐟𝐮𝐭𝐮𝐫𝐨
𝐬𝐞𝐧𝐳𝐚 𝐯𝐞𝐥𝐞𝐧𝐢
𝟏𝟗 𝐟𝐞𝐛𝐛𝐫𝐚𝐢𝐨 – 𝐓𝐮𝐭𝐭𝐢 𝐢𝐧 𝐩𝐢𝐚𝐳𝐳𝐚
𝐜𝐨𝐧𝐭𝐫𝐨 𝐥’𝐢𝐧𝐜𝐞𝐧𝐞𝐫𝐢𝐭𝐨𝐫𝐞 𝐝𝐢 𝐒𝐚𝐧𝐭𝐚 𝐏𝐚𝐥𝐨𝐦𝐛𝐚
📍 Segna la tua presenza, condividi, vieni con noi.
👉 Link all’evento Facebook: fb.me/e/3ZqUl64Ce
👉 Link all'evento Mobilizon: mobilizon.it/events/0f2dad94-2…
#NoInceneritore #SantaPalomba #RomaSud #DifendiamoIlTerritorio #AriaPulita
Il “no” in vantaggio nei sondaggi. La democrazia e la Costituzione possono essere salvate
@Giornalismo e disordine informativo
articolo21.org/2026/02/il-no-i…
Erano partiti sbandierando sondaggi con venti punti di vantaggio, poi dieci, poi quattro, ora Youtrend segna
Giornalismo e disordine informativo reshared this.
Fragili alleanze: il nord-est della Siria tra tribù, Sdf e Governo di transizione
@Notizie dall'Italia e dal mondo
A inizio 2026, la Siria ha rischiato di sprofondare in una nuova escalation. La mancata implementazione dell’accordo raggiunto nel marzo 2025 tra il governo di Damasco e le Forze democratiche siriane (Sdf) – e le Amministrazioni autonome del nord-est della
Notizie dall'Italia e dal mondo reshared this.
Annuario 2025 della televisione italiana: uno spettro si aggira nell’immaginario
@Giornalismo e disordine informativo
articolo21.org/2026/02/annuari…
Si è tenuta ieri alla Camera dei deputati la presentazione dell’Annuario 2025 della televisione italiana «Le sfide dello streamcasting»,
Giornalismo e disordine informativo reshared this.
Nuovi contratti, partnership e intese tra Italia e Arabia Saudita. Tutto dal Wds 2026
@Notizie dall'Italia e dal mondo
La terza edizione del World defense show (Wds) di Riyadh, in Arabia Saudita, ha confermato ancora una volta la centralità del Golfo nel panorama dell’industria internazionale della difesa. In pochi anni, il salone saudita si è affermato come uno degli
Notizie dall'Italia e dal mondo reshared this.
Ubuntu 26.04 rimuove “Software e Aggiornamenti”
linuxeasy.org/ubuntu-26-04-rim…
Ubuntu 26.04 abbandona l’app “Software e Aggiornamenti”. Le sue funzioni si spostano in altre applicazioni, mentre restano disponibili strumenti CLI e pacchetti opzionali. L'articolo Ubuntu 26.04 rimuove “Software e Aggiornamenti” è su Linux Easy.
GNU/Linux Italia reshared this.
Guatemala nel caos: la presidenza Arevalo tra violenza interna e allineamento a Trump
@Notizie dall'Italia e dal mondo
L’elezione dell’outsider progressista aveva acceso aspettative di riforme ma Arevalo non mantiene le promesse elettorali: corruzione e violenza aumentano, mentre il governo lascia via libera al controllo di Washington
L'articolo
Notizie dall'Italia e dal mondo reshared this.