Category: Uncategorized

  • Judge Blocks Trump Immigration Restrictions, Orders Restart of Asylum Processing


    A federal judge in Rhode Island on Friday struck down a series of President Donald Trump’s policies that he ruled were rooted in “anti-immigrant sentiments” and ordered the administration to resume processing of asylum grants and immigration benefit applications of people from 39 targeted countries.

    Last November, US Citizenship and Immigration Services indefinitely suspended asylum adjudications and froze immigration applications for people affected by a travel ban implemented after a man from Afghanistan allegedly shot two National Guard troops in Washington, DC.

    Trump vowed to “permanently pause migration from all Third World countries” and expedite the removal of people his administration doesn’t consider “a net asset” to the United States. The administration’s move halted the ability of people from affected nations to obtain green cards, US citizenship, and other benefits.

    US District Judge John J. McConnell Jr., an appointee of former President Barack Obama, said in his ruling that the administration’s policies are rooted in “anti-immigrant sentiments that it is forbidden from letting influence its decision-making” and have placed immigrants living in the United States in “indeterminate legal limbo.”

    “The challenged policies placed the lives of countless individuals on hold — solely by virtue of their countries of birth,” McConnell wrote. “Over six months later, many of those individuals remain without work, without legal status, and without any meaningful ability to plan for their futures.”

    “The government effectively invites the court to shut its eyes and ignore the strong evidence of anti-immigrant animus before it,” the judge added. “Doing so would require profound naiveté on the court’s part. Unfortunately for the government, that is an invitation that this court will have to decline.”

    US Department of Homeland Security (DHS) General Counsel James Percival slammed McConnell’s ruling in a social media post accusing “the Left” of “running the same gambit with so-called ‘animus’ claims since 2017.”

    “It is sabotage dressed in legal clothing,” Percival added. “It goes like this: (1) the admin is racist, (2) therefore a policy I don’t like is motivated by race, (3) therefore it is invalid. They have used it on virtually every Trump-era DHS policy.”

    Plaintiffs and others involved in the case welcomed McConnell’s decision.

    “This ruling reaffirms a basic principle: The federal government cannot shut down lawful immigration pathways or discriminate against people based on where they come from,” Democracy Forward president and CEO Skye Perryman said in a statement.

    “These unlawful policies caused enormous harm to families, workers, asylum seekers, and communities across the country who were left in limbo, unable to work, access protections, or move forward with their lives,” Perryman added. “We are pleased that the court recognized the devastating human consequences of these policies. Our communities deserve a fair process governed by law, not political targeting rooted in fear-mongering and discrimination.”

    Milagro Sique, CEO at the Dorcas International Institute of Rhode Island, said: “Today is a good day. On behalf of the thousands of immigrants we serve, we are grateful to Judge McConnell for his ruling.”

    “These policies were wrong, plain and simple, and caused profound fear and uncertainty for so many of our friends, neighbors, and coworkers,” Sique added. “Having the judicial process work as intended — by upholding the rule of law — gives us some reassurance that all is not lost and allows those who have been impacted to move forward with their lives in a meaningful way.”

    Abbey Koenning-Rutherford, staff attorney at Muslim Advocates, said that “today’s decision is an unsparing rejection of the government’s discriminatory and unlawful actions to gut access to immigration benefits under the false pretext of national security.”

    “These policies unjustly revived the discriminatory logic of the first Muslim and African bans and expanded them widely to millions of community members already inside the United States,” she continued, referring to policies enacted during Trump’s first term.

    “In vacating these unlawful policies, the court makes it unmistakably clear that the Trump administration cannot hold the lives of immigrants in legal limbo based on their countries of birth, and must continue processing their applications for status and benefits as required by law,” Koenning-Rutherford added.

    Congresswoman Pramila Jayapal (D-Wash.) — an immigrant from India — was among the Democratic lawmakers who applauded Friday’s ruling, writing on social media that “this is a BIG win.”

    “A judge has now reaffirmed that Trump’s freeze on processing immigration applications for 39 countries is illegal and that processing must restart immediately,” she added. “Today’s ruling is not the end of the fight, but it is a major step in the right direction.”


  • The Evil MSI Background is Back!



    A few months ago, I wrote a diary about a payload embedded in a JPEG picture, an MSI-branded background[1]. Yesterday, I spotted another one! It seems that the technique is getting more and more popular. This time, it started with an email containing a WeTransfer link.

    The WeTransfer brand is often abused in phishing emails. Here, it was a genuine link:

    
    hxxps://we[.]tl/t-R4Wv1JkvFfC4Awus

    The threat actor shared the initial file via this platform. The file is a piece of JavaScript called “Remittance Advice.js” (SHA256:8a83de81fbac4eb0961f3d58982f299664a5fa4c874c7469e69f85f3fc5bd33f).

    The file contains a lot of junk code that does nothing: every for-loop just moves on to the next line. In the middle of the file (>2MB), we find the interesting code, which performs the following tasks:

    It first decodes the next-stage payload and stores it in an environment variable:

    
    [Environment]::SetEnvironmentVariable("INTERNAL_DB_CACHE", )

    The obfuscation technique used is ROT13, old but still effective against naive string matching:

    
    cbjrefuryy.rkr -RkrphgvbaCbyvpl Olcnff -AbCebsvyr -JvaqbjFglyr Uvqqra -Pbzznaq

    Decoded, it becomes:

    
    powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command

    PowerShell is executed through WMI:

    • winmgmts:root\cimv2: connect to WMI
    • Win32_ProcessStartup: configure process startup (hidden window)
    • Win32_Process.Create(): spawn the process

    The full command is:

    
    powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command [ScriptBlock]::Create(${env:INTERNAL_DB_CACHE})

    This code fetches an MSI background JPEG from this location:

    
    hxxp://icy-lab-0431[.]guilherme-telecomunicacoes2024[.]workers[.]dev/mCSlB

    Note that the threat actor likes to use well-known services to host payloads. workers.dev is the free default subdomain Cloudflare provides for deploying serverless Workers applications[2].

    The technique used to hide the next payload is the same as in my previous diary. The Base64-encoded payload is delimited by “IN-” and “-in1”. To defeat simple Base64 detection, every “A” character has been replaced by “#”. Once decoded, the payload is a .NET DLL (SHA256:184a3008adff54cb345a599b4f3ca0c7bde29d8ac8379783ff40cd4e7ecc931b). It is a modified version of Microsoft.Win32.TaskScheduler, an open-source .NET library for managing the Windows Task Scheduler[3].
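    As an added example (not the diary's own code, and not the actor's tooling), here is a small Python extractor that reverses the two tricks described above: the ROT13 launcher string and the “#”-for-“A” substituted Base64 sitting between the “IN-” and “-in1” markers. The ROT13 string, the markers and the substitution come from the diary; the carrier bytes and the “DLL” payload are constructed stand-ins, not the real JPEG or the real TaskScheduler DLL.

```python
"""Added analysis helpers for the ROT13 launcher and the marker-delimited,
'#'-substituted Base64 payload. Carrier and payload bytes are constructed."""
import base64
import codecs
import re

# ROT13-obfuscated launcher quoted in the diary.
OBFUSCATED_CMD = ("cbjrefuryy.rkr -RkrphgvbaCbyvpl Olcnff -AbCebsvyr "
                  "-JvaqbjFglyr Uvqqra -Pbzznaq")

# Delimiters and substitution described in the diary.
START_MARKER = b"IN-"
END_MARKER = b"-in1"
SUBSTITUTION = (b"#", b"A")   # every 'A' in the Base64 text was replaced by '#'


def rot13(text: str) -> str:
    """ROT13 is an involution: the same transform encodes and decodes."""
    return codecs.decode(text, "rot13")


def carve_payload(carrier: bytes,
                  start: bytes = START_MARKER,
                  end: bytes = END_MARKER,
                  subst=SUBSTITUTION) -> bytes:
    """Return the decoded blob hidden between the markers.

    Raises ValueError if a marker is missing, or if the text between them is
    not valid Base64 once the substitution is reversed (binascii.Error is a
    ValueError subclass), so a wrong substitution table fails loudly.
    """
    s = carrier.find(start)
    if s < 0:
        raise ValueError("start marker not found")
    s += len(start)
    e = carrier.find(end, s)
    if e < 0:
        raise ValueError("end marker not found")
    body = carrier[s:e].replace(subst[0], subst[1])
    body = re.sub(rb"\s+", b"", body)          # tolerate line wrapping
    return base64.b64decode(body, validate=True)


def looks_like_pe(blob: bytes) -> bool:
    """The diary's payload is a .NET DLL, i.e. a PE file starting with 'MZ'."""
    return blob[:2] == b"MZ"


def build_carrier(payload: bytes) -> bytes:
    """Constructed stand-in for the downloaded JPEG: JPEG SOI/EOI markers around
    filler bytes, with the payload hidden the way the diary describes."""
    hidden = base64.b64encode(payload).replace(SUBSTITUTION[1], SUBSTITUTION[0])
    return (b"\xff\xd8\xff\xe0" + b"\x00JFIF\x00" + b"\x00" * 24
            + START_MARKER + hidden + END_MARKER
            + b"\x00" * 16 + b"\xff\xd9")


# Constructed payload: a PE-looking header plus filler, not a real DLL.
FAKE_DLL = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
            + b"stand-in for the modified TaskScheduler DLL")


if __name__ == "__main__":
    print(rot13(OBFUSCATED_CMD))
    carrier = build_carrier(FAKE_DLL)
    recovered = carve_payload(carrier)
    print("recovered", len(recovered), "bytes; PE header:", looks_like_pe(recovered))
```

    To use it on a real sample, read the downloaded image as bytes and pass it to carve_payload; because the decoder validates the alphabet, a carrier that uses a different substitution character shows up as a ValueError rather than as silently corrupted output. Note also that the substituted text still contains recognisable fragments (“TVqQ” for the “MZ” header survives, since it has no “A”), which is worth a YARA string when hunting for similar carriers.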

    The PowerShell payload also fetches another file, which is passed to the loaded malicious DLL:

    
    hxxps://pub-a06eb79f0ebe4a6999bcc71a2227d8e3[.]r2[.]dev/snake.png

    Here again, a legitimate online service is used. r2.dev is the default domain Cloudflare R2 uses to serve files from public buckets; R2 is a globally distributed, S3-compatible object storage service for large amounts of unstructured data[4].

    The file looks like another background image and probably contains a further payload protected by steganography (very common with .NET loaders).

    I’m now reversing the .Net loader. Stay tuned for more details soon!

    [1] https://isc.sans.edu/diary/Malicious+Script+Delivering+More+Maliciousness/32682

    [2] https://developers.cloudflare.com/workers/

    [3] https://github.com/dahall/taskscheduler

    [4] https://developers.cloudflare.com/r2/buckets/public-buckets/

    Xavier Mertens (@xme)

    Xameco

    Senior ISC Handler – Freelance Cyber Security Consultant

    PGP Key




  • Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI



    A researcher has reverse-engineered the iOS SDK that Bright Data embeds in consumer apps and documented how it turns devices, including always-on smart TVs, into exit nodes that relay web-scraping traffic for a data business Bright Data markets heavily to the AI industry.

    The company, the successor to Luminati, operates what it calls the largest residential proxy network in the world, advertised at more than 400 million residential IPs. Part of that supply comes from this SDK, shipped inside free apps behind an opt-in screen and described as a consent-sourced pool of 150 million-plus IPs.

    The findings, published June 5 by Include Security and independent researcher Buchodi, matter because the scraping comes from the user’s home IP, not the customer’s. The immediate risk is not a hacked account or stolen data; it is that a home connection and its bandwidth get used as someone else’s scraping infrastructure.

    A connected TV is close to ideal for that: usually plugged in, on a fast connection, effectively unmetered, and unwatched.


    The deepest technical evidence is from the iOS SDK; the smart-TV reach rests on Bright Data’s platform support, its public partner list, and earlier reporting. The research found the peer channel that carries scraping jobs has no real authentication, and on iOS, its traffic bypasses a configured VPN.

    Inside the peer tunnel

    When the app opens, the SDK contacts one of Bright Data’s servers, which hands over its instructions without really checking who is asking. From then on, the server can tell the device to go and fetch pages from other websites, using the user’s home internet connection to do it.

    The researcher found the channel that carries those jobs has none of the usual security checks, and described it as weaker than the controls built into most malware.

    On iPhones, the researcher found that this traffic bypasses a configured VPN, and that much of the SDK's activity does not show up in the tools security teams normally use to monitor apps. The device can also keep relaying in the background while someone is watching the screen or on a call, as long as the battery is not low.

    The consent gap

    The opt-in screen does not match what the SDK actually allows. In one Roku app, Petflix, the screen said it would use the device and its connection “occasionally.”

    The settings the SDK loads allow up to 200 GB of traffic a month. In a few countries, including Uzbekistan and Oman, the limits are set far higher, and the device is cleared to keep working almost until the battery runs flat. The SDK can also tie together a person’s phone and computers that run the same company’s apps, treating them as one user.

    Bright Data publishes its list of app partners on a page anyone can open, and it includes makers of smart-TV apps such as PlayWorks Digital, CloudTV, and Longvision. The researcher is careful to note that being on the list only shows a company worked with Bright Data at some point, not that its app includes the SDK today. Each one would need to be checked on its own.

    An old model, pulled by AI demand

    None of this is new in shape, only in scale. Bright Data is the successor to Luminati, the paid proxy service that grew out of Hola VPN. In 2015 Hola was caught selling its free users’ bandwidth as exit nodes through Luminati, at $20 a gigabyte. The same model now runs on the always-on box in the living room.

    What changed is the buyer. Anti-bot defenses from Cloudflare, DataDome, and others block scrapers coming from datacenter IPs, so AI scrapers route through residential connections instead.


    Krebs reported in October 2025 that proxies from botnets like Aisuru are fueling large-scale AI data harvesting, and Google dismantled the criminal IPIDEA proxy network in January. Those operations hijack consumer devices; Bright Data says its exit nodes opt in through a consent screen. That consent is the line between the two, and whether it is meaningful is the open question.

    Lowpass, syndicated by The Verge, first surfaced the smart-TV angle in February, and this is the technical teardown. Google, Amazon, and Roku have since restricted background proxy SDKs, and Bright Data dropped those platforms, though it still lists Samsung’s Tizen and LG’s webOS.

    What to do

    The traffic is easy to spot and block. On a home network, the simplest step is to block, at the DNS level, the hostnames the SDK contacts, using a resolver-side tool such as Pi-hole or NextDNS.

    The main ones are proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, and clientsdk.brdtnet.com. According to the research, blocking these stops the device from acting as a relay without affecting Bright Data’s paid service, which runs on separate addresses.

    Companies that manage staff phones can also scan for apps that carry the SDK. One catch: on a mobile connection the traffic never touches the office Wi-Fi, so a network block alone will not always catch it. Bright Data could also change how the SDK connects in the future, which would mean any blocklist needs updating.
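    The detection and blocklist side of this, as an added example that is not part of the article or the research: a short Python script that scans resolver logs for lookups of the five hostnames above, reports which client on the LAN made them, and emits a hosts-format sinkhole list. The hostnames are the ones the article lists; the log lines are constructed, and their layout is assumed to be the query-log format dnsmasq writes for Pi-hole (adjust QUERY_RE for another resolver).

```python
"""Added example: find LAN clients resolving the Bright Data SDK control hosts
in a dnsmasq/Pi-hole style query log, and generate a hosts-format blocklist.
Log lines below are constructed; the hostnames come from the article."""
import re
from collections import Counter, defaultdict

# Endpoints the article names as the SDK's control hosts.
SDK_HOSTS = frozenset({
    "proxyjs.brdtnet.com",
    "proxyjs.luminatinet.com",
    "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com",
    "clientsdk.brdtnet.com",
})

# Assumed dnsmasq query line: "... query[A] host.example from 192.168.1.42"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so FQDN forms compare equal."""
    return name.rstrip(".").lower()


def is_sdk_host(name: str, hosts=SDK_HOSTS) -> bool:
    """Exact match or a subdomain of a listed host. The suffix test is anchored
    on the dot, so 'notproxyjs.brdtnet.com' does not match, and the bare
    'brdtnet.com' zone is deliberately not blocked wholesale."""
    n = normalize(name)
    return any(n == h or n.endswith("." + h) for h in hosts)


def find_relay_clients(log_lines):
    """Map client IP -> {sdk hostname: query count} for every SDK lookup seen."""
    hits = defaultdict(Counter)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue                  # forwarded / reply / cached lines
        name = normalize(m.group("name"))
        if is_sdk_host(name):
            hits[m.group("client")][name] += 1
    return {client: dict(counts) for client, counts in hits.items()}


def hosts_blocklist(hosts=SDK_HOSTS) -> str:
    """Hosts-file style sinkhole entries (the format Pi-hole adlists accept)."""
    return "".join(f"0.0.0.0 {h}\n" for h in sorted(hosts))


# Constructed sample: a TV at .42 phoning home, a laptop at .10 doing normal lookups.
SAMPLE_LOG = [
    "Jun  5 21:02:11 dnsmasq[517]: query[A] proxyjs.brdtnet.com from 192.168.1.42",
    "Jun  5 21:02:11 dnsmasq[517]: forwarded proxyjs.brdtnet.com to 1.1.1.1",
    "Jun  5 21:02:12 dnsmasq[517]: query[AAAA] proxyjs.brdtnet.com from 192.168.1.42",
    "Jun  5 21:02:13 dnsmasq[517]: query[A] clientsdk.brdtnet.com from 192.168.1.42",
    "Jun  5 21:02:15 dnsmasq[517]: query[A] www.example.com from 192.168.1.10",
    "Jun  5 21:02:16 dnsmasq[517]: query[A] notproxyjs.brdtnet.com from 192.168.1.10",
]


if __name__ == "__main__":
    for client, counts in find_relay_clients(SAMPLE_LOG).items():
        print(client, counts)
    print(hosts_blocklist(), end="")
```

    Two caveats a practitioner should keep in mind: a device that ignores the router's resolver (hard-coded public DNS, or DNS over HTTPS) never appears in this log, so its lookups have to be intercepted at the firewall instead; and, as the article notes, the hostnames can change, so the list should be re-checked against the SDK's current endpoints rather than treated as permanent.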


