Advanced Persistent Teenagers #apt
NSA, FBI, CISA, and Japanese Partners Release Advisory on PRC-Linked Cyber Actors: BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations.
"🎯 #EvilBamboo Unleashed: A Multi-Year Assault on Mobile Devices 📱"
In a recent expose, Volexity delves into the menacing operations of EvilBamboo, a nefarious entity targeting mobile devices in a multi-year campaign. The meticulous analysis sheds light on their modus operandi, unveiling a grim reality for mobile security. 🛡️
Volexity has spotted ongoing malicious campaigns by a group they call EvilBamboo, targeting folks from Tibet, Uyghur, and Taiwan. These groups are on China's naughty list, known as the Five Poisonous Groups. EvilBamboo has been on the radar for over five years, pulling off new stunts now and then. They've made nasty software for Android and iOS, tricking people into downloading malware through fake websites and social media. They even sneaked malicious apps into Apple's App Store. Volexity is pretty sure that EvilBamboo is playing dirty games for the Chinese government, sharing their findings in a recent conference and reports.
Source: Volexity Blog
"🕵️ Chinese APT Flax Typhoon: Master of Stealth in Cyber Espionage 🕵️"
Microsoft unveils a meticulous investigation into the Chinese government-backed APT group, Flax Typhoon, known for its stealthy cyber espionage campaigns against Taiwanese organizations since mid-2021. Unlike other APT groups, Flax Typhoon shuns heavy reliance on malware, instead, it exploits legitimate OS tools and benign software to maintain persistence on targeted networks. This strategy not only aids in cyber espionage but also ensures long-term access to a plethora of organizations across diverse industries. 🕵️💻🔍
The group, also dubbed Ethereal Panda, orchestrates its operations with a finesse that could easily mislead organizations, employing commonplace techniques often overlooked. Its focus on persistence, credential access, and lateral movement makes detection and mitigation a challenging task. The group's previous campaigns have also targeted entities in Southeast Asia, Africa, and North America, hinting at its extensive cyber espionage activities. 🌏🎯
Microsoft's Threat Intelligence Team has shared an in-depth analysis, shedding light on Flax Typhoon's modus operandi, which includes the use of China Chopper web shell, Bad Potato and Juicy Potato privilege escalation tools, Metasploit, Mimikatz, and more. The group's knack for exploiting known vulnerabilities in publicly accessible servers underscores the need for robust cybersecurity measures. 🛡️🔐
Source: HackRead Article by Deeba Ahmed
The initial compromise of Gelsemium’s targets was achieved by installing web shells, likely exploiting vulnerabilities in servers accessible via the internet.
Counterfeit Aptos Token Deposited on Upbit Leads to APT Withdrawals Being Temporarily Suspended - Exchange has resumed operations, but many are left wondering how such an issue will be pr... - https://www.coindesk.com/markets/2023/09/25/counterfeit-aptos-token-deposited-on-upbit-leads-to-apt-withdrawals-being-temporarily-suspended/?utm_medium=referral&utm_source=rss&utm_campaign=headlines #markets #aptos #upbit #news #apt
Crypto exchange Upbit stems fake APT token flood, resumes services - The newly created fake APT token called “ClaimAPTGift.com” made i... - https://cointelegraph.com/news/crypto-exchange-upbit-fix-fake-aptos-token-issue #systemmaintenance #claimaptgift.com #withdrawals #faketoken #deposits #refund #upbit #apt
ESET Research reported on a new Deadglyph backdoor used by the UAE-based Stealth Falcon group. They described the infection chain with a multi-stage shellcode downloader, as well as backdoor features. IOC included.
Volexity reports that Chinese APT EvilBamboo aka Poison Carp (Citizen Lab), Evil Eye, Earth Empusa (Trend Micro), Red Dev 16 (PWC), targets mobile devices of Tibetan, Uyghur, and Taiwanese individuals and organizations. IOC included.
The command-and-control communication of LuaDream is established by connecting to a domain named “mode.encagil[.]com” using the WebSocket protocol.
Unit 42 is on the war path, publishing 4 articles involving Chinese APTs targeting a Southeast Asian Government on a Friday morning: https://unit42.paloaltonetworks.com/analysis-of-three-attack-clusters-in-se-asia/ https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/ https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/ https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/
Sandman APT targets telcos with LuaDream backdoor – Source: securityaffairs.com https://ciso2ciso.com/sandman-apt-targets-telcos-with-luadream-backdoor-source-securityaffairs-com/ #rssfeedpostgeneratorecho #informationsecuritynews #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #Cyberespionage #BreakingNews #Intelligence #SecurityNews #hackingnews #SandmanAPT #hacking #Malware #telco #APT
"🔍 Unveiling Sandman APT: The Silent Menace Targeting Global Telcos 🎯"
SentinelLabs has unearthed a new threat actor dubbed Sandman APT, primarily targeting telecommunication providers across the Middle East, Western Europe, and South Asia. This enigmatic group employs a novel modular backdoor named LuaDream, utilizing the LuaJIT platform, a rarity in the threat landscape. The meticulous movements and minimal engagements hint at a strategic approach to minimize detection risks. The LuaDream malware, a well-orchestrated and actively developed project, is designed for system and user info exfiltration, paving the way for precision attacks. The intriguing part? The attribution remains elusive, hinting at a private contractor or a mercenary group akin to Metador. The activities observed are espionage-driven, with a pronounced focus on telcos due to the sensitive data they harbor. The meticulous design of LuaDream showcases the continuous innovation in the cyber espionage realm, urging for a collaborative effort within the threat intelligence community to navigate the shadows of the threat landscape.
Source: SentinelOne Labs
Indicators of Compromise (IoCs):
- Domains: mode.encagil[.]com, ssl.explorecell[.]com
- File Paths: %ProgramData%\FaxConfig, %ProgramData%\FaxLib
- fax.dat: 1cd0a3dd6354a3d4a29226f5580f8a51ec3837d4
- fax.Application: 27894955aaf082a606337ebe29d263263be52154
- ualapi.dll: 5302c39764922f17e4bc14f589fa45408f8a5089
- fax.cache: 77e00e3067f23df10196412f231e80cec41c5253
- UpdateCheck.dll: b9ea189e2420a29978e4dc73d8d2fd801f6a0db2
- updater.ver: fb1c6a23e8e0693194a365619b388b09155c2183
- fax.module: ff2802cdbc40d2ef3585357b7e6947d42b875884
Author: Aleksandar Milenkoski, a seasoned threat researcher at SentinelLabs, has meticulously dissected the activities of Sandman APT, shedding light on the LuaDream backdoor. His expertise in reverse engineering and malware research is evident in the detailed analysis provided.
Happy Friday everyone!
The SentinelOne Labs research team has discovered a new #APT they named #Sandman. This group targets telecommunication providers and uses a modular backdoor known as #LuaDream. They used techniques that included pass-the-hash and DLL hijacking to meet their objectives! Enjoy and Happy Hunting!
Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit
entry02.bat will use the bitsadmin tool to download the pmny04.crt and qmny04.crt files from the specified URL address and save them to the specified path C:\Users\Public\Documents\ on the local computer.
Sentinel Labs reported on a new APT they dubbed Sandman. Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent.They identified a novel backdoor dubbed LuaDream. IOCs provided.
Recorded Future: Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities (IOC included)
"🚨 Earth Lusca's New Linux Backdoor: SprySOCKS Unveiled! 🐙"
Earth Lusca, a China-linked threat actor, has been spotted employing a novel Linux backdoor, dubbed "SprySOCKS". This malware seems to have evolved from the open-source Windows backdoor Trochilus. The backdoor showcases swift behavior and a SOCKS implementation, hence the name. 🐍💼
SprySOCKS's structure is reminiscent of the RedLeaves backdoor, a RAT known to infect Windows machines. This backdoor is still under development, with different versions observed. Its interactive shell seems to draw inspiration from the Linux variant of the Derusbi malware. 🕵️♂️🔍
Recent activities of Earth Lusca indicate a focus on Southeast Asia, Central Asia, and the Balkans. Their primary targets? Government departments in foreign affairs, technology, and telecommunications. They've been exploiting server-based N-day vulnerabilities, including CVE-2022-40684, CVE-2022-39952, and more. Once inside, they deploy Cobalt Strike for lateral movement, aiming to exfiltrate sensitive data and conduct long-term espionage. 🌍🎯
Source: Trend Micro Research
"🚨 Juniper Firewalls Under Siege: Over 12,000 Vulnerable Devices Exposed! 🔥"
New research reveals nearly 12,000 internet-facing Juniper firewall devices are susceptible to a recently disclosed remote code execution flaw. The vulnerability, identified as CVE-2023-36845, allows an unauthenticated remote attacker to execute arbitrary code without creating a file on the system. This medium-severity flaw in the J-Web component of Junos OS can be weaponized by adversaries to control certain environment variables. Juniper Networks patched this alongside other vulnerabilities last month. A proof-of-concept (PoC) exploit by watchTowr combined CVE-2023-36846 and CVE-2023-36845 to upload malicious PHP files and achieve code execution. Jacob Baines points out, "Firewalls are interesting targets to APT as they help bridge into the protected network and can serve as useful hosts for C2 infrastructure." Juniper has acknowledged the vulnerability but is unaware of any successful exploits against its customers. However, they've detected exploitation attempts in the wild, urging users to apply necessary patches. 🛡️
Source: The Hacker News
"🔥 CapraTube Alert! Transparent Tribe's Sneaky Move 📺📲"
Transparent Tribe, a suspected Pakistani actor, has unveiled CapraTube, a deceptive Android application that mimics YouTube. SentinelLabs discovered three Android application packages (APKs) linked to Transparent Tribe's CapraRAT mobile remote access trojan (RAT). These apps give the illusion of being YouTube but are far less feature-rich than the genuine Android YouTube app.
CapraRAT is a potent tool, granting attackers control over vast amounts of data on infected Android devices. This RAT has been used for surveillance against targets related to the disputed Kashmir region and human rights activists focusing on Pakistan. The group distributes these Android apps outside the Google Play Store, using self-hosted websites and social engineering to lure users into installing weaponized applications.
In 2023, the group spread CapraRAT Android apps disguised as a dating service that carried out spyware activities. One of the newly identified APKs connects to a YouTube channel owned by Piya Sharma, suggesting the actor continues to employ romance-based social engineering tactics.
Key features of CapraRAT include:
- Recording via microphone, front & rear cameras 🎥
- Collecting SMS, multimedia message contents, call logs 📞
- Sending SMS messages, blocking incoming SMS 📩
- Initiating phone calls 📲
- Taking screen captures 🖼️
- Overriding system settings like GPS & Network 🛰️
- Modifying files on the phone's filesystem 📁
For those in the India and Pakistan regions linked to diplomatic, military, or activist matters, it's crucial to be cautious of this actor and threat. Always be wary of apps outside the Google Play store and evaluate the permissions they request.
Source: SentinelOne Labs
Author: Alex Delamotte.
SentinelLabs identified three Android application packages (APK) linked to Pakistan-based APT Transparent Tribe’s CapraRAT mobile remote access trojan (RAT). These apps mimic the appearance of YouTube, though they are less fully featured than the legitimate native Android YouTube application. CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects. IOCs provided.
Happy Friday everyone, I hope everyone survived this week!
The Microsoft Threat Intel team has been tracking an Iranian #APT known as #PeachSandstorm. They start with a password spray attack and if they are successful they then utilize both publicly available and custom tools. They cover the attacks in much more detail and provide us with some mitigations and detections! Enjoy and Happy Hunting!
Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets
Wow, did I miss this or did I forget? Microsoft switched their naming from elements to... something-weather..
checks the Risky Business Podcast archive Oh yes... They talked about this in April (#702 around ~34m) so I did hear about it I just forgot...
Either way, I'm not the only one who has missed this (or simply stopped caring), Wikipedia's page on Lazarus still says Microsoft calls them ZINC, malpedia hasn't updated...
So PSA or reminder to everyone.
I guess they ran out of elements, and decided to throw it all out and start anew. As if it was not confusing enough that everyone has their own names for the threat groups, now Microsoft has two.
#Redfly #cyberespionage group continuously targets Asia's critical infrastructure sector with #ShadowPad #malware. Detect associated malicious activity with a set of #SigmaRules in the SOC Prime Platform.
Crypto Traders Grow Bearish as Aptos Plans $103M APT Token Unlock in November - The collective 20 million APT to be unlocked then equates to 112% of the average daily tr... - https://www.coindesk.com/markets/2023/09/14/crypto-traders-grow-bearish-on-apt-token-as-aptos-plans-20m-unlock-in-november/?utm_medium=referral&utm_source=rss&utm_campaign=headlines #unlocked #markets #supply #aptos #news #apt
I’ve just published a new Ansible module called perlmod_install_info whose purpose is to help you install Perl modules on systems in the most portable way possible.
Specifically, this module knows how to search for Perl modules in dnf, yum, and apt repositories as well as in cpanm. It prefers the OS repositories over CPAN because generally speaking you’re better off going with the OS-packaged versions of modules when they’re available, both because that’s more robust and because the OS packages install much faster than CPAN. CPAN is needed as a backstop because the OS distributions don’t include all Perl modules.
What’s especially clever about this module is that when it does need to resort to CPAN to find a module that isn’t available in the OS repository, it recursively determines all of the dependencies of that module and checks for them in the OS repository. It then returns lists of modules you can install from the OS and modules you need to install from CPAN, so you can minimize the number of modules that end up coming from CPAN.
If this sounds useful to you, you can check it out on GitHub.
Zscaler provides a threat actor profile on Pakistani APT36 (aka Transparent Tribe). They described a new Remote Access Trojan, Linux malware and attack vectors, MITRE ATT&CK mapped TTPs, and provided IOC.
"🎯 Ballistic Bobcat APT Targets Government & Healthcare! 🎯"
The Iran-aligned APT group, Ballistic Bobcat, has initiated a new campaign, Sponsor Malware, targeting government and healthcare organizations. Stay alert and informed! 🌍🔍
Source: GBHackers On Security
Dia 67 #ElternzeitTour2023
Hem arribat a destinació: el Llac de #SainteCroix, on la previsió és d'una setmana de Sol i vora 30°C. Ha estat tirada llarga travessant el Parc Natural de #Luberon, fent parada a la vila d' #Apt que avui dissabte el poble era tot un mercadillo, ideal per passejar-hi.
Ara ja plantats, la idea és gaudir del bon temps, del llac i de l'última estada abans d'enfilar cap a la freda Alemanya.
Two openings for APT researchers in my team just went live today:
Elevator pitch: full remote USA/Canada, the job is to team up with the other team members to hunt for state-aligned activity in the richest email-centric telemetry I know of in the whole security vendor space. You will triage, cluster, analyze and attribute suspected state-aligned activity to generate top-of-the-line threat intelligence and have a real day-to-day impact in keeping Proofpoint customers safe.
Of course there is much more to tell about these positions, have a look at the full postings for the full details. Feel free to DM with any questions!
#hiring #jobs #cti #threatintelligence #apt #threatresearch
Microsoft reported on a Chinese APT dubbed Flax Typhoon conducting cyberespionage against Taiwanese organizations. Flax Typhoon is known for living off the land techniques as well as China Chopper web shell, Metasploit, Juicy Potato PrivEsc tool, Mimikatz, and SoftEthernet VPN client. Microsoft described TTPs and provided IOCs.
Never bothered to get into #snapper for #Linux, but now I am just amazed how easy the #snapshots for #BTRFS are automatically managed. In this case for #Debian, there is even hooks for #apt that are installed with snapper.
A remaining question is, if the pre and post snapshots are also cleaned automatically?
These apt warnings were annoying me but I found a tool to automatically fix 'em https://www.omgubuntu.co.uk/2023/08/fix-target-configured-multiple-times-ubuntu #apt #aptlavistababy
Im Visier: #Exchange.
E-Mails mit #XLSM-Anhängen; enthaltene Makros führen einen #PowerShell-Befehl aus und erstellen eine geplante Aufgabe, die sich als Firefox-Browser-Updater ausgibt. Geladen wird Malware, die den Server auf und zu einem #C2Server für die #Hacker macht.
#CyberSecurity experts are sounding the alarm over a so-called "Microsoft Logging Tax" where incident response teams can only see the full picture of an attack against their #Microsoft365 tenant if their organization subscribed to the E5 license (or "Security and Compliance add-on license with E3).
In the case of the recent #email #hack by #Chinese #APT group #Storm_0558, an affected human rights organization was unable to find any evidence of compromise in their logs because they didn't have the upgraded subscription. They only learned that they were compromised after Microsoft reached out to them to tell them they were breached.
#infosec #cybersecurity #Microsoft #Azure #AzureAD #IncidentResponse
@thelinuxcast I've always had my share of issues with #apt, and that is the top reason I'm not a #debian user in the past. After a conversation with a group of friends where we were discussing #redhat going closed source, they promised me all past issues with apt are gone and that it is very safe now. I'm giving it a run on a VM for sometime and might use one server for it as a trial, bit I'm also thinking of #opensuse at this point as it a distro I keep visiting between times, and also RPM.
finally ran an update on my computer that doesn't do automatic updates through Gnome. don't remember if I used this computer since June 10th, but that's when #Debian released the next version. While reading through the release notes, I noticed how we can use #apt through #Tor. I have been contemplating this for a while. Required putting tor+ before http: and/or https: in /etc/apt/sources.list and installing apt-transport-tor.
@ablackcatstail @SpaceLifeForm@infosec.exchange I don't know if `nvm` is available for `bookworm` or not -- I mean, it's a POSIX-compliant shell script but I don't know for sure if it'll work -- but that's typically what I use for managing multiple versions of `node` on my machine. This project needs X, that package needs Y, etc etc.
>nvm is a version manager for node.js, designed to be installed per-user, and invoked per-shell. nvm works on any POSIX-compliant shell (sh, dash, ksh, zsh, bash), in particular on these platforms: unix, macOS, and windows WSL.
If your use-case involves working within the shell -- or at least has the ability to toss a pre-flight `nvm` command to get the environment properly set first -- then I imagine it'll work.
@SpaceLifeForm Hey! Hope you're doing well and that you don't mind me asking question about #debian #apt. I added a repo for nodesource so I could install an older version of #nodejs. How do I then tell apt to use that repo instead of the one for #bookworm ? Thank you in advance. Google wasn't netting me the answer and quite possibly because of my using the wrong keywords. Ugh.
The #APT known as #Kimsuky strikes again, this time targeting think tanks, academia, and media organizations with a social engineering. The goal? Stealing Google and subscription credentials of a news and analysis service that focuses on North Korea. Enjoy and Happy Hunting!
Link in the comments!
***This one is a little different. In this article, SentinelLabs mentioned ReconShark being used. Can you provide me with any TTPs that are associated with that #malware?***
TA0001 - Initial Access
T1566.002 - Phishing: Spearphishing Link
T1566.001 - Phishing: Spearphishing File
TA0002 - Execution
T1204.001 - User Execution: Malicious Link
T1204.002 - User Execution: Malicious File
TA0006 - Credential Access
T1056.003 - Input Capture: Web Portal Capture
Here is your chance to shine! Let me know what TTPs are associated with this malware!
"This attack has been attributed to Aurora Panda aka APT17 aka Deputy Dog aka Hidden Lynx aka Tailgater Team aka Group 8 aka Burning Umbrella."
FFS. Why. Just why.
Mastodon Linux users, I need your help!!
- Built on #Debian Linux latest
- Supports more #apt providers
- Does not use #systemd, #pulseaudio & #x11
- Does use #PipeWire and #Wayland
- Has a big userbase and is maintained by a group of people, not an individual
I'd go for MX, but it breaks #3
I'm ok with X11 but I'd like it toggleable
@c0nac @thelinuxexperiment So you are kind of making my point - there is no obvious (and therefore, no easy) way to save a package for later use. And also, if that package has dependencies, then saving the package may not be enough, you might also need to save some or all of its dependencies. AND if you don't realize you have a problem with a new version, finding a source for the older package may prove a challenge.
Back in my Windows days, every time I downloaded an .exe file I saved it until a newer version of the program came along and I was satisfied that the new version hadn't broken anything important. Today I do the same thing with MacOS programs, except for the handful I get from the app store. But with #Linux, because it all comes from a repository, I am never given the opportunity to save the file. Even with #snaps and #flatpaks I do not believe you are given the opportunity to set them aside for later use. I run #Ubuntu so I don't know about flatpaks, but snaps seem to give you even less control than #apt, they upgrade automatically in the background and you never even know when something is being upgraded (until maybe you notice something is broken).
Interesting findings this time around:
- Starting from this version of the EU-specific payload, the PlugX no longer uses the launcher as its primary process image; instead, it now injects into a newly spawned mshta.exe as specified in the config block.
- The config block is no longer presented in the decoded payload blob. No idea where it went - but it is certainly not located at the beginning of the data section anymore.
- An awful lots of unrelated files present in the parent archive - noise?
- No persistence...? There's no path configured in the config block either. Weird.
- They finally removed the computer name ("desktop-n2v1smh") from the LNK - only took them almost a year.
Long shot, does anyone know where Debian keeps a change log for NMU (non-maintainer-uploads, as per https://www.debian.org/doc/debian-policy/ch-controlfields.html#special-version-conventions)?
I want to do know the differences is in all +b0-6.
Source page & changelog are silent on this: https://packages.debian.org/stable/source/misc/gosu / https://metadata.ftp-master.debian.org/changelogs//main/g/gosu/gosu_1.12-1_changelog
My latest #APT research on #IronTiger (#APT27/#EmissaryPanda/#LuckyMouse) is out ! It includes analysis of a new version of SysUpdate ported to Linux, a new communication protocol through DNS TXT requests, a VMProtect certificate compromise, and probable infection vector https://trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
Ali would not have approved ...
B&W portrait photo of Muhammad Ali encoded to audio using APT, re-encoded to 8 kHz MP3 by the very fast lo-fi shineenc encoder, then decoded to a picture again.
APT is the audio format used by weather satellite transmissions. I am (mis)using it here for art purposes
Currently having a tinker with Google Cloud's native container image scanning...
I'm hoping I can wrap this in with a more concrete version on my base container image and not running `apt update` to make builds more repeatable but without losing too much in the way of security assurance.
Will report back in due course...
#googlecloud #containers #security #debian #apt
«UK cyber experts warn of targeted phishing attacks from actors based in Russia and Iran» Rather than using surprise #phishing, these campaigns seek to develop rapport with their targets. #NCSC #Malware #APT #CyberSecurity https://www.ncsc.gov.uk/news/uk-cyber-experts-warn-of-targeted-phishing-attacks-from-actors-based-in-russia-and-iran
@ppatel I'm shure #Apple will copy & paste their approach from #macOS to #iOS, defaulting to "certified developers" but allowing users with admin privilegues to click through safety permissions and explicity say "yes, let me install untrusted apps I know what I'm doing!"
“As part of ongoing hunting and continuous monitoring efforts … intelligence team recently came across an interesting RAR file”
You could just tell us you found it on VirusTotal like everyone else. #APT
CISA and FBI reported that Iranian government-sponsored APT actors compromised Federal Civilian Executive Branch (FCEB) network.
The attackers deployed crypto miner and credential harvester.
Detailed reports and IOCs listed below.
CISA report Alert (AA22-320A): https://www.cisa.gov/uscert/ncas/alerts/aa22-320a
Malware Analysis Report (AR22-320A)10387061-1.v1 XMRig Cryptocurrency Mining Software:
I haven't gotten around to it yet, but here goes: #introduction
#anarchist working as a #malware researcher in Montreal.
Will post mostly stuff related to #privacy #infosec #DigitalRights #surveillance #unions #APT #threatintel #Workersrights #ReverseEngineering
Show me your Adversarial interoperability (aka Competitive compatibility) projects, I love that stuff!