Introduction

On December 31, cybercriminals launched a mass infection campaign, aiming to exploit reduced vigilance and increased torrent traffic during the holiday season. Our telemetry detected the attack, which lasted for a month and affected individuals and businesses by distributing the XMRig cryptominer. This previously unidentified actor is targeting users worldwide—including in Russia, Brazil, Germany, Belarus and Kazakhstan—by spreading trojanized versions of popular games via torrent sites.

In this report, we analyze how the attacker evades detection and launches a sophisticated execution chain, employing a wide range of defense evasion techniques.

Kaspersky’s products detect this threat as
Trojan.Win64.StaryDobry.*, Trojan-Dropper.Win64.StaryDobry.*, HEUR:Trojan.Win64.StaryDobry.gen.

Initial infection

On December 31, while reviewing our telemetry, we first detected this massive infection. Further investigation revealed that the campaign was initially distributed via popular torrent trackers. Trojanized versions of popular games—such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy—were designed to launch a sophisticated infection chain, ultimately deploying a miner implant. These malicious releases were created in advance and uploaded around September 2024.

Infection timeline

Although the malicious releases were published by different authors, they were all cracked the same way.

Malicious torrent available for download

Among the compromised installers are popular simulator and sandbox games that require minimal disk space. Below is the distribution of affected users by game as of January 2025:

Infected users per game (download)

These releases, often referred to as “repacks”, were usually distributed in an archive. Let’s now take a closer look at one of the samples. Upon unpacking the archive, we found a trojanized installer.

Technical details

Trojanized installer

After launching the installer (a Windows 32-bit GUI executable), we were welcomed with a GUI screen showing three options: install the game, choose the language, or quit.

Installer screen

This installer was created with Inno Setup. After decompiling the installer, we examined its code and found an interesting functionality.

Decompiled installer code

This code is responsible for extracting the malicious files used in this attack. First, it decrypts unrar.dll using the DECR function, which is a proxy for the RARExtract function within the rar.dll library. RARExtract decrypts unrar.dll using AES encryption with a hard-coded key,
cls-precompx.dll. Next, additional files from the archive are dropped into the temporary directory, and execution proceeds to the RARGetDllVersion function within unrar.dll.

Unrar.dll dropper

First of all, the sample runs a series of methods to check if it’s being launched in a debugging environment. These methods search for debugger and sandbox modules injected into processes, and also check the registry and filesystem for certain popular software. If such software is detected, execution immediately terminates.

Anti-debug checks example

If the checks are passed, the malware executes cmd.exe to register unrar.dll as a command handler with regsvr32.exe. The sample attempts to query the following list of sites to determine the user’s IP address.
api.myip [.]com
ip-api [.]com
ipapi [.]co
freeipapi [.]com
ipwho [.]is
api.miip [.]my
This is done to identify the infected user’s location, specifically their country. If the malware fails to detect the IP address, it defaults the country code to
CNOrBY (meaning “China or Belarus”). Next, the sample sends a request to hxxps://pinokino[.]fun/donate_button/game_id=%s&donate_text=%s with the following substitutions:

• game_id = appended with DST_xxxx, where x represents digits. This value is passed as an argument from the installer; in this campaign, we discovered the variant DST_1448;
• donate_text = appended with the country code.

After this generic country check, the sample collects a fingerprint of the infected machine. This fingerprint consists of various parameters, forming a unique identifier as follows:
mac|machineId|username|country|windows|meminGB|numprocessors|video|game_id

This fingerprint is then encoded using URL-safe Base64 to be sent successfully over the network. Next, the malware retrieves MachineGUID from HKLM\Software\Microsoft\Cryptography and calculates its SHA256 checksum. It then collects 10 characters starting from the 20^th position (
SHA256(MachineGUID)[20:30]). This hexadecimal sequence is used as the filename for two newly created files: %SystemRoot%\%hash%.dat and %SystemRoot%\%hash%.efi. The first file contains the encoded fingerprint, while the second is an empty decoy. The creation time of the .dat file is spoofed with a random date between 01/01/2015 and 12/25/2021. This file stores the Base64-encoded fingerprint.
After this step, unrar.dll starts preparing to drop the decrypted MTX64.exe to the disk. First, it generates a new filename for the decrypted payload. The malware searches for files in %SystemRoot% or %SystemRoot%\Sysnative. If these directories are empty, the decrypted MTX64.exe is written to the disk as Windows.Graphics.ThumbnailHandler.dll. Otherwise, unrar.dll creates a new file and names it by choosing a random file from the specified directories, taking its name, trimming its extension and appending a random suffix from a predefined list. Besides suffixes, this list contains junk data, most likely added to evade signature-based detection.

Suffix list and junk data

For example, if the malware finds a file named msvc140.dll in %SystemRoot%, it removes the extension and appends the resulting
msvc140 with handler.dll (a random suffix from the list), resulting in msvc140handler.dll. The malware then writes the decrypted payload to the newly generated file in the %SystemRoot% folder.
After that, the sample opens the encrypted MTX64.exe and decrypts it using AES-128 with a hard-coded key,
cls-precompx.dll.
The loader also carries out resource spoofing. First of all, it scans the _res.rc file for DLL property names and values—such as CompanyName, FileVersion and so on—and creates a dictionary of (key, value) pairs. Then it takes a random DLL from the %SystemRoot% folder (exiting if nothing is found), extracts its property values using the VerQueryValueW WinAPI, and replaces the corresponding dictionary values. The resulting resources are embedded into the decrypted MTX64.exe DLL. This file is then saved under the name generated in the previous step. Finally, unrar.dll changes the creation time of the resulting DLL using the same spoofing method as for the fingerprint file.

Spoofed resources

The dropped DLL is installed using the following command:
cmd.exe /C "cd $system32 && regsvr32.exe /s %dropped_name%.dll"

MTX64

This DLL is based on a public project called EpubShellExtThumbnailHandler, a Windows Shell Extension Thumbnail Handler. This stage completely mimics the legitimate behavior up until the actual thumbnail handling. It gets registered as a .lnk (shortcut) file handler, so whenever a .lnk file is opened, the DLL tries to process its thumbnail. However, here the sample implements its own version of the GetThumbnail interface function, and creates a separate thread to perform its malicious activities.

First, this thread writes the current date and month in
dd-mm format to the %TEMP%\time_windows_com.ini file. This stage then retrieves MachineGUID from HKLM\SOFTWARE\Microsoft\Cryptography, calculates SHA256(MachineGUID)[20 : 30], just like unrar.dll did. After that, it checks %SystemRoot% for the .dat file with this name. The presence of this file confirms that the infection is uninterrupted, prompting the DLL to extract the fingerprint and make a query to the hard-coded threat actors’ domain in the following format, where the UID is the fingerprint’s SHA256 hash.hxxps://promouno[.]shop/check/uid=%s
The server sends back a JSON that looks like
{'code':'reg'}. After this, the DLL makes another query to the server with an additional field, data, which is the Base64-encoded fingerprint (uid remains the same):hxxps://promouno[.]shop/check/uid=%s&data=%s
Upon receiving this request, the server also sends a JSON. The malware checks its
code field, which must be equal to either 322 or 200. If it is, the sample proceeds to extract the MD5 checksum from the flmd field in the same JSON and download the next-stage payload from the following link:hxxps://promouno[.]shop/dloadm/uid=%s
Next, the sample calculates the MD5 checksum of the received payload (a kickstarter PE file), and checks this hash against the MD5 checksum from the JSON. If they match, the malware parses the PE structure to locate the Export Address Table, retrieves the
kickstarter function address, and executes it.

Kickstarter running

Kickstarter

The kickstarter PE has an encrypted blob in its resources. This stage reads the blob and stores it in a C++ vector of bytes.

Resource reading

After that, it chooses a random name for the payload using the same method as for MTX64.exe during the execution of unrar.dll. However, there is a difference: if nothing is found in %SystemRoot% or %SystemRoot%\Sysnative, it chooses Unix.Directory.IconHandler.dll as a default file name. The payload is saved to %appdata\Roaming\Microsoft\Credentials\%InstallDate%\. To locate the InstallDate directory, the DLL retrieves the system installation date from the registry subkey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate.

Then the blob is decrypted using the CryptoPP AES-128 implementation. The key consists of the sequence of bytes from
\x00 to \x10. The decrypted contents are written onto the disk. This executable also spoofs its resources using the same method as for MTX64.exe, after which it executes the following command:schtasks /create / tn %s /tr "regsvr32.exe /s %s" / st 00:00 /du 9999:59 / sc once / ri 1 /f
The first argument is the system installation date, while the second one is the path to the dropped DLL. A scheduled task to register a server with regsvr32.exe is created, using the first argument as its name, with a suppressed warning, set to trigger at 00:00. The loader sends a GET request to the hard-coded address
45.200.149[.]58/conf.txt, implicitly setting the request header to User-Agent: StupidSandwichAgent\r\n.
The loader then waits for a response from the server. If the response begins with act, the sample stops execution after creating the scheduled task. If the response is noactive, meaning the targeted device has not been registered previously, the sample tries to delete itself with the following command, which clears everything in the %temp% directory:

Cleanup

Unix.Directory.IconHandler.dll

Subsequently, Unix.Directory.IconHandler.dll creates a mutex named com_curruser_mttx. If this mutex has already been created, execution stops immediately. Then the DLL searches for the %TEMP%\_cache.binary file. If the sample can’t find it, it downloads the binary directly from
45.200.149[.]58 using a GET 44912.f request, with the same StupidSandwichAgent User-Agent header. This file is written to the temporary directory and then decrypted using AES-128 with the same key consisting of the \x00–\x10 byte sequence.
The sample proceeds to open the current process, look for SeDebugPrivilege in the process token, and adjust it if applicable. We believe this is done to inject code into a newly created cmd.exe process. The author chose the easiest way possible, copying the entire open source injector, including its debug strings:

Injector

After injecting the code into the command interpreter, the sample enters an endless loop, continuously checking for taskmgr.exe and procmon.exe in the list of running processes. If either process is detected, the sample is shut down.

Miner implant

This implant is a slightly modified XMRig miner executable. Instead of parsing command-line arguments, it constructs a predefined command line.
xmrig – url =45.200.149[.]58:1448 –algo= rx /0 –user=new-www –donate-level=1 –keepalive – nicehash –background –no-title –pass=x – cpu -max-threads-hint=%d
The last parameter is calculated from the CPU topology: the implant calls the GetSystemInfo API to check the number of processor cores. If there are fewer than 8, the miner does not start. Moreover, the attacker chose to host a mining pool server in their own infrastructure instead of using a public one.

XMRig parses the constructed command line using its built-in functionality. The miner also creates a separate thread to check for process monitors running in the system, using the same method as in the previous stage:

Anti-tracing

Victims

This campaign primarily targets regular users by distributing malicious repacks. Some organizations were also affected, but these seem to be compromised computers inside corporate infrastructures, rather than direct targets.

Most of the infections have been observed in Russia, with additional cases in Belarus, Kazakhstan, Germany, and Brazil.

Attribution

There are no clear links between this campaign and any previously known crimeware actors, making attribution difficult. However, the use of Russian language in the PDB suggests the campaign may have been developed by a Russian-speaking actor.

Conclusions

StaryDobry tends to be a one-shot campaign. To deliver the miner implant, the actors implemented a sophisticated execution chain that exploited users seeking free games. This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity. Additionally, the attacker’s use of DoH helped conceal communication with their infrastructure, making it harder to detect and trace the campaign.

Indicators of compromise

File hashes

15c0396687d4ff36657e0aa680d8ba42
461a0e74321706f5c99b0e92548a1986
821d29d3140dfd67fc9d1858f685e2ac
3c4d0a4dfd53e278b3683679e0656276
04b881d0a17b3a0b34cbdbf00ac19aa2
5cac1df1b9477e40992f4ee3cc2b06ed

Domains and IPs

45.200.149[.]58
45.200.149[.]146
45.200.149[.]148
hxxps://promouno[.]shop
hxxps://pinokino[.]fun

securelist.com/starydobry-camp…

Microsoft ha annunciato la rimozione della funzione Location History da Windows 10 e 11, eliminando di fatto la possibilità per le applicazioni di accedere alla cronologia delle posizioni del dispositivo. Una decisione che solleva interrogativi nel mondo della cybersecurity: una mossa per rafforzare la privacy o un cambiamento che potrebbe influenzare la sicurezza e la forensic analysis?

Cosa cambia con la rimozione della cronologia delle posizioni?

La funzione Location History consentiva ad applicazioni come Cortana di accedere alla posizione del dispositivo registrata nelle ultime 24 ore. Con la sua rimozione, questi dati non verranno più salvati localmente e l’opzione sparirà dalle impostazioni di Windows (Privacy & Security > Location).

Microsoft ha dichiarato: “Stiamo deprecando e rimuovendo la funzione Location History, un’API che permetteva a Cortana di accedere alle ultime 24 ore di cronologia delle posizioni del dispositivo quando la localizzazione era abilitata.”

L’API Geolocator.GetGeopositionHistoryAsync, che permetteva l’accesso ai dati memorizzati localmente, verrà dismessa. Ciò significa che le app non potranno più recuperare automaticamente le posizioni passate del dispositivo, eliminando un potenziale vettore di attacco ma anche uno strumento di monitoraggio.

Impatto sulla sicurezza e sulla forensic analysis

Questa decisione si inserisce in un trend più ampio di maggiore attenzione alla privacy, seguendo normative come GDPR e CCPA, che impongono restrizioni più severe sulla raccolta e conservazione dei dati personali. Tuttavia, la rimozione di questa funzione potrebbe avere effetti collaterali imprevisti:

• Limitazione delle indagini forensi: gli analisti di sicurezza spesso usano dati di localizzazione per individuare attività sospette o analizzare movimenti legati a minacce informatiche.
• Meno strumenti per le aziende: alcune organizzazioni utilizzano la cronologia delle posizioni per verificare accessi anomali o per migliorare la protezione dei dispositivi aziendali.
• Riduzione del rischio di esfiltrazione: la rimozione della cronologia delle posizioni potrebbe diminuire la superficie di attacco per i cybercriminali che sfruttano questi dati per tracciare utenti o pianificare attacchi mirati.

Microsoft consiglia agli sviluppatori di rivedere le proprie applicazioni e migrare verso nuove soluzioni che non dipendano dalla funzione obsoleta. Per gli utenti, invece, il consiglio è:

1. Disattivare i servizi di localizzazione nelle impostazioni di Windows se non necessari.
2. Cliccare su “Clear” per cancellare eventuali dati di posizione registrati nelle ultime 24 ore.

Privacy o limitazione della sicurezza?

Se da una parte Microsoft si allinea alla crescente richiesta di maggiore privacy e controllo sui dati, dall’altra questa rimozione potrebbe creare disagi a chi sfruttava la cronologia delle posizioni per funzioni avanzate, costringendo sviluppatori e aziende a ripensare le proprie strategie. Sarà interessante vedere quali soluzioni alternative emergeranno per colmare questo vuoto.

In un mondo digitale sempre più complesso e minaccioso, la vera sfida sarà trovare il giusto equilibrio tra tutela della privacy e capacità di difesa dalle minacce informatiche, senza compromettere né la sicurezza né l’innovazione.

L'articolo Microsoft elimina la cronologia delle posizioni su Windows. Scelta di privacy o rischio sicurezza? proviene da il blog della sicurezza informatica.

Logically we understand that the other planets in the solar system, as well as humanity’s contributions to the cosmos such as the Hubble Space Telescope and the International Space Station, are zipping around us somewhere — but it can be difficult to conceptualize. Is Jupiter directly above your desk? Is the ISS currently underneath you?

If you’ve ever found yourself wondering such things, you might want to look into making something like Space Monitor. Designed by [Kevin Assen], this little gadget is able to literally point out the locations of objects in space. Currently it’s limited to the ISS and Mars, but adding new objects to track is just a matter of loading in the appropriate orbital data.

In addition to slewing around its 3D printed indicator, the Space Monitor also features a round LCD that displays the object currently being tracked, as well as the weather. Reading through the list of features and capabilities of the ESP32-powered device, we get the impression that [Kevin] is using it as a sort of development platform for various concepts. Features like remote firmware updates and the ability to point smartphones to the device’s configuration page via on-screen QR aren’t necessarily needed on a personal-use device, but its great practice for when you do eventually send one of your creations out into the scary world beyond your workbench.

If you’re interested in something a bit more elaborate, check out this impressive multi-level satellite tracker we covered back in 2018.

youtube.com/embed/6-wM_a_eX-g?…

hackaday.com/2025/02/18/space-…

Meta ha annunciato il più grande progetto di cavo sottomarino mai realizzato, il Progetto Waterworth , che attraverserà cinque continenti.

Il progetto multimiliardario, che richiederà diversi anni, è stato annunciato sul blog dell’azienda. Meta afferma che rafforzerà la portata e l’affidabilità dell’infrastruttura digitale globale aprendo tre nuovi corridoi oceanici con l’elevata capacità, necessaria per promuovere le tecnologie di intelligenza artificiale.

Secondo l’azienda, l’intelligenza artificiale sta cambiando radicalmente vari ambiti della vita e Meta si impegna a essere all’avanguardia in questo processo tecnologico. Il progetto Waterworth fornirà l’accesso a tecnologie avanzate a milioni di persone in tutto il mondo.

Secondo le dichiarazioni del vicepresidente dell’ingegneria di rete di Meta, Ghai Nagarajan, e il responsabile degli investimenti di rete globali, Alex-Handra Aime, il progetto sarà il più grande progetto di cavo sottomarino nella storia dell’azienda. La sua lunghezza sarà di oltre 50.000 km, ovvero superiore alla circonferenza della Terra.

La rete sottomarina collegherà gli Stati Uniti, l’India, il Brasile, il Sudafrica e altre regioni chiave, promuovendo la cooperazione economica, l’inclusione digitale e lo sviluppo tecnologico. In particolare, il blog sottolinea che il Progetto Waterworth accelererà l’implementazione della strategia digitale dell’India.

Negli ultimi dieci anni Meta ha preso parte allo sviluppo di oltre 20 cavi sottomarini, implementando sistemi con 24 coppie di fibre invece delle standard 8-16. Il nuovo progetto proseguirà questa tendenza, creando la più lunga rete sottomarina ad alta capacità.

L’azienda inoltre prevede di utilizzare Tecniche innovative di posa dei cavi a profondità fino a 7 km e tecniche migliorate di interramento costiero per ridurre al minimo il rischio di danni causati dalle ancore delle navi e da altri pericoli.

Oltre al Progetto Waterworth , Meta sta formando una nuova divisione all’interno di Reality Labs che si concentrerà sullo sviluppo di robot umanoidi alimentati dall’intelligenza artificiale. Andrew Bosworth, CTO di Meta, ha dichiarato in una nota che il nuovo gruppo lavorerà alla creazione di robot per i consumatori utilizzando le capacità del modello Llama.

Inoltre, Meta prevede di espandere la propria presenza al dettaglio aprendo negozi propri, simili al Meta Lab Store , inaugurato a Los Angeles a novembre.

L'articolo Meta rivoluziona il web: Waterworth, il cavo sottomarino da 50.000 km! proviene da il blog della sicurezza informatica.

GameLook riporta che dopo quasi un anno di attesa, secondo le ultime notizie provenienti dai media stranieri, Apple ha presentato una domanda per collaborare con Alibaba allo sviluppo di un grande modello di intelligenza artificiale e attende l’approvazione del governo nazionale. In altre parole, in futuro Apple Intelligence in Cina fornirà agli utenti servizi di intelligenza artificiale pertinenti basati sul modello Tongyi Qianwen di Alibaba.

Sebbene negli ultimi anni la quota di mercato di Apple in Cina sia stata erosa dai marchi nazionali, secondo gli ultimi dati di IDC la quota di mercato di Apple in Cina sarà del 15,6% nel 2024, in calo di due punti percentuali rispetto al 2023.

Ma essendo una delle aziende con il più grande “spazio fantasy” e il più alto valore per l’utente al mondo, chiunque riesca a collaborare con Apple nell’ambito dell’intelligenza artificiale sarà senza dubbio in grado di cogliere l’iniziativa nell’era dell’intelligenza artificiale nell’ecosistema mobile.

Attualmente nei principali mercati esteri, il partner di Apple per questo servizio è ChatGPT di OpenAI.

Mentre i servizi intelligenti di Apple in Cina cominciano a prendere forma, GameLook, in quanto media, si sta anche chiedendo se il tutto sia utile per i comuni utenti cinesi e cosa significhi. Innanzitutto, per quanto riguarda la notizia della cooperazione di Alibaba con Apple, la prima domanda di molte persone debba essere: perché Alibaba e Tongyi Qianwen?

Dovresti sapere che la presenza di Alibaba non è la più forte nel mercato 2C e nel percorso AI. Dopotutto, c’è Doubao di ByteDance (DAU raggiunge i 17 milioni) davanti, e DeepSeek, che è stato recentemente al centro dell’attenzione e ha superato i 40 milioni di utenti attivi al giorno. Infatti, secondo quanto riportato dai media stranieri, Apple avrebbe scelto Alibaba dopo aver valutato i modelli sviluppati da Tencent, ByteDance, Alibaba e DeepSeek.

Secondo GameLook, Alibaba, in quanto fornitore di servizi cloud e azienda leader nel settore Internet nazionale, può fornire servizi più stabili e completi quando si confronta con clienti di grandissime dimensioni come Apple, in particolare nell’ambito della conformità governativa, ambito in cui Alibaba vanta anch’esso una notevole esperienza.

In questo senso, i nuovi arrivati ​​come DeepSeek sono ovviamente inferiori. È impossibile che quando gli utenti Apple domestici chiamano Siri, la risposta che ottengono sia “Il server è occupato, riprova più tardi”. In secondo luogo, Tongyi Qianwen di Alibaba è sempre stato uno dei modelli di intelligenza artificiale su larga scala più capaci in Cina. Oltre al modello di punta, Tongyi Qianwen di Alibaba, come DeepSeek, è sempre rimasto open source per la comunità e pertanto gode di una forte influenza nella comunità open source globale.

Secondo gli ultimi dati pubblicati ufficialmente da Alibaba, il suo ultimo modello Qwen2.5-Max ha ottenuto risultati paragonabili o addirittura superiori a quelli di DeepSeek, Llama, GPT-4o e altri modelli negli attuali test di benchmark sui modelli di grandi dimensioni più diffusi.

L'articolo Apple in Cina Sceglie l’AI Tongyi Qianwen Di Alibaba per Alimentare Siri proviene da il blog della sicurezza informatica.

Gli hacker filorussi del gruppo DXPLOIT hanno rivendicato un attacco DDoS ai danni del sito Research Italy, portale ufficiale del Ministero dell’Università e della Ricerca italiano (researchitaly.mur.gov.it/). L’azione è stata annunciata tramite il loro canale di comunicazione, dove hanno pubblicato anche prove dell’attacco attraverso un check host, dimostrando che il sito risulta irraggiungibile.

Secondo quanto riportato da DXPLOIT, il sito governativo italiano è stato messo offline tramite un attacco Distributed Denial of Service (DDoS), una tecnica che sovraccarica i server con un’enorme quantità di richieste fino a renderli inutilizzabili. Nel messaggio pubblicato dal gruppo, sono state fornite evidenze con un check-hostche conferma l’indisponibilità del sito. Inoltre, hanno condiviso un IP address (130.186.10.36) legato all’attacco.

Screenshot condivisi dagli hacker mostrano che il sito restituisce un errore 502 Bad Gateway, segnale tipico di un server sovraccarico o di una configurazione errata causata da un’elevata quantità di traffico malevolo.

Questo articolo è stato redatto attraverso l’utilizzo della piattaforma di Recorded Future, partner strategico di Red Hot Cyber e Leader Mondiale nell’intelligence sulle minacce informatiche, che fornisce analisi avanzate per identificare e contrastare le attività malevole nel cyberspazio.

Attacchi DDoS: una minaccia crescente

Gli attacchi DDoS sono uno dei metodi più utilizzati dagli hacktivisti per colpire siti web istituzionali e governativi, soprattutto in periodi di tensione geopolitica. Negli ultimi anni, diversi gruppi filorussi hanno preso di mira paesi europei e NATO con campagne di attacco coordinate.

DXPLOIT non è il primo gruppo a colpire obiettivi italiani. Prima del loro attacco, altri hacker come NoName057(16) hanno ripetutamente preso di mira infrastrutture digitali dell’Italia, tra cui ministeri, aeroporti e aziende critiche.

Questi attacchi rientrano in una più ampia strategia di cyberwarfare, dove gruppi di hacktivisti e cybercriminali cercano di destabilizzare governi, aziende e istituzioni attraverso il sabotaggio digitale.

Italia sempre più bersaglio del cybercrime

Negli ultimi mesi, l’Italia è stata al centro di numerosi attacchi informatici provenienti da gruppi legati alla Russia, con obiettivi che spaziano dalla pubblica amministrazione alle infrastrutture critiche. Le istituzioni stanno lavorando per rafforzare le difese, ma la minaccia resta elevata, con la possibilità di nuovi attacchi in futuro.

L’attacco di DXPLOIT è solo l’ultimo di una lunga serie. Resta da vedere come le autorità italiane risponderanno e se verranno adottate misure di contrasto più efficaci per proteggere i sistemi informatici nazionali.

L'articolo Hacker filorussi di DXPLOIT colpiscono il sito Research Italy con un attacco DDoS proviene da il blog della sicurezza informatica.

Rev up your browsers, package managers, or whatever other tool you use to avail yourself of new software releases, because the KiCAD team have announced that barring any major bugs being found in the next few hours, tomorrow should see the release of version 9 of the open source EDA suite. Who knows, depending on where you are in the world that could have already happened when you read this.

Skimming through the long list of enhancements brought into this version there’s one thing that strikes us; how this is now a list of upgrades and tweaks to a stable piece of software rather than essential features bringing a rough and ready package towards usability. There was a time when using KiCAD was a frustrating experience of many quirks and interface annoyances, but successive versions have improved it beyond measure. We would pass comment that we wished all open source software was as polished, but the fact is that much of the commercial software in this arena is not as good as this.

So head on over and kick the tires on this new KiCAD release, assuming that it passes those final checks. We look forward tot he community’s verdict on it.

hackaday.com/2025/02/17/get-re…

We’ve all got our health-related crosses to bear, and even if you’re currently healthy, it’s only a matter of time before entropy catches up to you. For [Markus Bindhammer], it caught up to him in a big way: liver disease, specifically cirrhosis. The disease has a lot of consequences, none of which are pleasant, like abnormally high ammonia concentration in the blood. So naturally, [Markus] built an ammonia analyzer to monitor his blood.

Measuring the amount of ammonia in blood isn’t as straightforward as you think. Yes, there are a few cheap MEMS-based sensors, but they tend to be good only for qualitative measurements, and other solid-state sensors that are more quantitative tend to be pretty expensive since they’re mostly intended for industrial applications. [Marb]’s approach is based on the so-called Berthelot method, which uses a two-part reagent. In the presence of ammonia (or more precisely, ammonium ions), the reagent generates a dark blue-green species that absorbs light strongly at 660 nm. Measuring the absorbance at that wavelength gives an approximation of the ammonia concentration.

[Marb]’s implementation of this process uses a two-stage reactor. The first stage heats and stirs the sample in a glass tube using a simple cartridge heater from a 3D printer head and a stirrer made from a stepper motor with a magnetic arm. Heating the sample volatilizes any ammonia in it, which mixes with room air pumped into the chamber by a small compressor. The ammonia-laden air moves to the second chamber containing the Berthelot reagent, stirred by another stepper-powered stir plate. A glass frit diffuses the gas into the reagent, and a 660-nm laser and photodiode detect any color change. The video below shows the design and construction of the micro lab along with some test runs.

We wish [Markus] well in his journey, of course, especially since he’s been an active part of our community for years. His chemistry-related projects run the gamut from a homebrew gas chromatograph to chemical flip flops, with a lot more to boot.

youtube.com/embed/AdfZKD2SkI0?…

hackaday.com/2025/02/17/integr…

[Michael Wessel] found some of his old DOS 3D graphics software and tried to run it on an 8088 PC. The tale of adding an 8087 co-processor to speed up the rendering was anything but straightforward, resulting in a useful little project.

There was a point around the end of the 1980s when the world of PCs had moved on to the 386, but the humble 8086 and 8088 hung around at the consumer end of the market. For Europeans that meant a variety of non-standard machines with brand names such as Amstrad and Schneider, and even surprisingly, later on Sinclair and Commodore too.

Of these the Schneider Euro PC was an all-in-one design reminiscent of an Amiga or Atari ST, packing a serviceable 8088 PC with a single 3.5″ floppy drive. A cheap machine like this was never thought to need an 8087, and lacked the usual socket on the motherboard, so he made a small PCB daughter board for the 8088 socket with space for both chips.

It’s a surprisingly simple circuit, as obviously the two chips were meant to exist together. It certainly had the desired effect on his frame rate, though we’re not sure how many other Euro PC users will need it. It does make us curious though, as to how quickly a modern microcontroller could emulate an 8087 for an even faster render time. Meanwhile if you’re curious about the 8087, of course [Ken Shirriff] has taken a look at it.

hackaday.com/2025/02/17/a-forg…

The world of computer enthusiasts has over time generated many subcultures and fandoms, each of which has in turn spawned its own media. [Intric8] has shared the tale of his falling down a rabbit hole as he traced one of them, a particularly esoteric disk magazine for the Commodore 64. The disks are bright yellow, and come with intricate home-made jackets and labels. Sticking them into a 1541 drive does nothing, because these aren’t standard fare, instead they require GEOS and a particularly upgraded machine. They appear at times in Commodore swap meets, and since they formed a periodical there are several years’ worth to collect that extend into the 2000s, long after the heyday of the 64.

Picking up nuggets of information over time, he traces them to Oregon, and the Astoria Commodore User Group, and to [Lord Ronin], otherwise known as David Mohr. Sadly the magazine ended with his death in 2009, but until then he produced an esoteric selection of stories, adventure games, and other software for surely one of the most exclusive computer clubs in existence. It’s a fascinating look into computer culture from before the Internet, even though by 2009 the Internet had well and truly eclipsed it, when disks like these were treasured for the information they contained. So if you find any of these yellow Penny Farthing disks, make sure that they or at least their contents are preserved.

Surprisingly, this isn’t the only odd format disk magazine we’ve seen.

hackaday.com/2025/02/17/probab…

Although the Earth’s magnetic field is reliable enough for navigation and is also essential for blocking harmful solar emissions and for improving radio communications, it’s not a uniform strength everywhere on the planet. Much like how inconsistencies in the density of the materials of the planet can impact the local gravitational force ever so slightly, so to can slight changes impact the strength of the magnetic field from place to place. And it doesn’t take too much to measure this impact on your own, as [efeyenice983] demonstrates here.

To measure this local field strength, the first item needed is a working compass. With the compass aligned to north, a magnet is placed with its poles aligned at a right angle to the compass. The deflection angle of the needle is noted for varying distances of the magnet, and with some quick math the local field strength of the Earth’s magnetic field can be calculated based on the strength of the magnet and the amount of change of the compass needle when under its influence.

Using this method, [efeyenice983] found that the Earth’s magnetic field strength at their location was about 0.49 Gauss, which is well within 0.25 to 0.65 Gauss that is typically found on the planet’s surface. Not only does the magnetic field strength vary with location, it’s been generally decreasing in strength on average over the past century or so as well, and the poles themselves aren’t stationary either. Check out this article which shows just how much the poles have shifted over the last few decades.

hackaday.com/2025/02/17/measur…

Doesn’t this look fantastic? Hard to believe it, but the base of this keyboard began life as a cutting board, and there’s a gallery to prove it. This is actually [androidbrick]’s second foray into this type of upcycling.

This time, [androidbrick] used a FiiO KB3 and replaced the bottom half of the plastic shell with a hand-routed kitchen cutting board. The battery has been disabled and it works only in wired mode, which is fine with me, because then you get to use a curly cord if you want.

Image by [androidbrick] via redditThe switches are mostly Gateron EF Currys, though [androidbrick] left some of the original Gateron G Pro 3.0 on the stabilized keys just for comparison. As you might imagine, the overall sound is much deeper with a wooden bottom. You can check out the sound test on YouTube if you’d like, though it’s pretty quiet, so turn it up.

Those keycaps look even nicer from top-down, which you’ll see in the sound test video linked above. Just search ‘JCM MOA GMK’ on Ali and you’ll find them in a bunch of colorways for around $20. Apparently, [androidbrick] was saving them for months, just waiting for this build.

Via reddit

Why You Should Always Re-flash New Keyboards

About a month ago, [Artistic-Art-3985] bought the cheapest Corne available on Ali and posted a breakdown of the security and electronics.

Image by [Artistic-Art-3985] via redditThe firmware turned out to be different from the current release in the original repo, which of course is a concern. When asked about it, the seller went silent. So did some other sellers when asked these types of questions.

In a follow-up post, [Artistic] does a great job outlining why you should always re-flash your new keyboards, especially the cheap ones. Although it may seem like a long shot, the threat is real, and he points to a couple examples of shenanigans, like keyloggers.

In a comment to his original post, [Artistic] explains that this particular Ali Corne comes with QMK Vial, which allows you to change the layout on a whim and have it update instantly. This means you don’t have to flash it, but you should, and it’s easy to do and either stick with Vial, or move to straight QMK. He also outlines how it’s done.

The Centerfold: the Hackaday Every Day Carry

Image by [devpew] via redditDid I do it? Did I find the ideal Hackaday centerfold? I’ll totally forgive the lack of desk mat, or just pretend that it’s really big and resembles the surface of the moon.

So what we’ve got here is a Skeletyl keyboard along with some friends, like a Flipper Zero and a Pwnagotchi. Who knows why the knife, but then again knives are useful I suppose. I really dig the cute little trackball, though it seems like it would be fiddly to actually use. This series of posts by [devpew] kicked off a whole everyday carry thing on reddit, which was enjoyable.

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: My Own Personal Holy Grail

So your girl did some wheeling and dealing this weekend and traded four machines plus some cash for her holy grail typewriter, a blue correcting IBM Selectric II. She also got a typewriter table and a dust cover in the deal. It was quite a weekend, really. Got a surprise band saw for late-Christmas, too.

Here’s the best part. When I bought Selectric Blue (it was between that and calling her “Bertha the Bluegirl”), she was in a tan case. A grail for sure, but not the holy grail. I was happy enough to get a working II, mind you. But on a whim, I asked the guy if he ever saw any green ones come across his bench. I don’t know why I didn’t ask about blue; it’s my favorite color after all. But then he tells me he has blue and black cases available right then, though they probably wouldn’t fit the machine I bought. But then we figured out that they did, and I met up with him the following day to turn her blue. Now she’s all I ever wanted. I even got the type ball of my dreams — Adjutant.

(Note: I still love my IBM Wheelwriter 5, which is basically the 80s version of the Selectric. I just love them differently, is all, like having a pair of cats. The Wheelwriter is plastic, for one thing, and the Selectric is almost solid steel. But the Wheelwriter is so snappy and types so crisply, so…)

So, you probably want to know things about the Selectric II. It is the sequel to the Selectric I, which was only called the I after the II came out. The original Selectric wowed the world with its spinning golf ball type element, which replaced the swinging type bars of most typewriters and hearkened back to. My machine is in a way the Selectric II.5, as the first IIs introduced in 1971 didn’t have correction built in — that came along in 1973.

So much has been written about Selectrics. But did you know they were part of Cold War-era espionage?

ICYMI: Casio Calculator Gets New Keyboard

Image by [Poking Technology] via YouTubeDo you recall the 1985 Casio FX-451 calculator? It was a pocket-sized foldout scientific wonder, with both hard keys and a set of membrane keys built into the case.

[Poking Technology] had one with a broken membrane keyboard and decided to upgrade it to a mechanical keyboard. Of course, it’s no longer pocket-sized, but who’s counting?

If you like build detail, you’re in for a treat, because there are two videos covering the entire process. It was a challenge to disassemble the thing, and soldering wires to the keyboard was no picnic, either — some lines are on the back of PCB and go under the main IC on their way to the top. Excellent work, [Poking]!

Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

hackaday.com/2025/02/17/keebin…

There are a few vehicles on the road that are targeted often by car thieves, whether that’s because they have valuable parts, the OEM security is easily bypassed, or even because it’s an antique vehicle that needs little more than a screwdriver to get started. For those driving one of these vehicles an additional immobilization feature is often added, like a hidden switch to deactivate the fuel pump. But, in the continual arms race between thieves and car owners, this strategy is easily bypassed. [Drive Science] hopefully took one step ahead though and added a decoy killswitch instead which triggers the alarm.

The decoy switch is placed near the steering column, where it would easily be noticed by a thief. Presumably, they would think that this was the reason the car wouldn’t start and attempt to flip the switch and then start the ignition. But secretly, the switch activates a hidden relay connected to the alarm system, so after a few seconds of the decoy switch activating, the alarm will go off regardless of the position of this switch. This build requires a lot of hiding spots to be effective, so a hidden method to deactivate the alarm is also included which resets the relay, and another killswitch which actually disables the fuel pump is also added to another secret location in the car.

As far as “security through obscurity” goes, a build like this goes a long way to demonstrate how this is an effective method in certain situations. All that’s generally needed for effective car theft prevention is to make your car slightly more annoying to steal than any other car on the road, and we think that [Drive Science] has accomplished that goal quite well. Security through obscurity is generally easily broken on things deployed on a much larger scale. A major European radio system was found to have several vulnerabilities recently thanks in part to the designers hoping no one would look to closely at them.

youtube.com/embed/lA-nVzeukkg?…

hackaday.com/2025/02/17/decoy-…

OpenAI ha modificato la politica di restrizione dei contenuti per ChatGPT, consentendo la generazione di contenuti erotici e violenti in contesti “appropriati”. Nella nuova versione del documento «Specifiche del modello “, pubblicato mercoledì, si afferma che l’intelligenza artificiale può creare tali materiali senza preavviso se vengono utilizzati in contesti scientifici, storici, giornalistici o altri scenari legittimi.

L’aggiornamento si basa sul lavoro iniziato a maggio 2024, quando OpenAI annunciò per la prima volta la sua intenzione di esplorare la possibilità di fornire agli utenti impostazioni più flessibili per la generazione di contenuti di categoria.
Parte della nuova policy di Chat-GPT su contenuti erotici o violenti
In base alle nuove norme, restano vietate solo alcune forme di contenuto, come le descrizioni di attività illegali e non consensuali. Tuttavia, a determinate condizioni, sono consentiti elementi di erotismo e violenza in formato testo, audio o anche immagine.

Gli utenti di Reddit hanno già notato l’attenuazione dei filtri. Alcuni sono riusciti a creare scenari espliciti o violenti senza alcun preavviso, cosa che prima era impossibile. OpenAI sottolinea che la sua politica di utilizzo rimane in vigore: la creazione di contenuti sessuali destinati ai minori è severamente vietata.

In passato, ChatGPT si rifiutava spesso di generare materiali basati sul principio di “attenzione all’utente”, il che creava difficoltà agli specialisti che lavoravano con referti forensi, documenti legali o testi medici. Ora OpenAI ha riconosciuto la necessità di creare una versione meno censurata di ChatGPT, che consenta agli utenti di ottenere le informazioni di cui hanno bisogno senza restrizioni artificiali.

L’azienda afferma che la decisione è stata presa dopo le numerose risposte della comunità a sostegno dell’idea di una “modalità per adulti”. Sebbene questa modalità non sia un’opzione separata, la politica aggiornata di OpenAI offre agli utenti maggiore flessibilità.

Il CEO di OpenAI, Sam Altman, ha già espresso in passato la necessità di un simile passo. L’azienda ha ora ufficialmente implementato restrizioni più flessibili, sebbene sul mercato esistano da tempo modelli di intelligenza artificiale alternativi che offrono completa libertà, tra cui LLM lanciati localmente.

Le regole aggiornate di OpenAI suddividono i contenuti sensibili in tre categorie. I contenuti proibiti riguardano solo materiale relativo ai minori, sebbene sia consentita la discussione di tali argomenti in contesti educativi e medici. I contenuti riservati includono informazioni pericolose, come istruzioni su come costruire armi, nonché informazioni personali. Ora è possibile generare contenuti sensibili se hanno una giustificazione educativa, storica o artistica.

Nonostante permangano alcune restrizioni, OpenAI sta compiendo un chiaro passo avanti verso una maggiore libertà nell’uso dell’intelligenza artificiale.

L'articolo OpenAI sblocca ChatGPT: ora può generare contenuti erotici e violenti proviene da il blog della sicurezza informatica.

We like drinking out of glass. In many ways, it’s an ideal material for the job. It’s hard-wearing, and inert in most respects. It doesn’t interact with the beverages you put in it, and it’s easy to clean. The only problem is that it’s rather easy to break. Despite its major weakness, glass still reigns supreme over plastic and metal alternatives.

But what if you could make glassware that didn’t break? Surely, that would be a supreme product that would quickly take over the entire market. As it turns out, an East German glassworks developed just that. Only, the product didn’t survive, and we lumber on with easily-shattered glasses to this day. This is the story of Superfest.

Harder, Better, Glasser, Stronger

It all started in the German Democratic Republic in the 1970s; you might know it better as East Germany. The government’s Council of Ministers deemed it important to develop higher-strength glass. Techniques for the chemical strengthening of glass were already known by the 1960s, and work on developing the technology further began in earnest.
The patent goes into great detail on design of the production line, indicating how perforated plates create a “rain” of molten potassium salt upon the glassware. Credit: patent
These efforts came to fruition in the form of a patent filed on the 8th of August, 1977. It was entitled Verfahren und Vorrichtung Zur Verfestigung Von Glaserzeugnissen Durch Ioenenaustausch—or, translated to English—Process and Apparatus for Strengthening Glassware By Ion Exchange. The patent regarded an industry-ready process, which was intended for use in the production of hollow glass vessels—specifically, drinking glassware.

The researchers understood that glasses typically broke in part due to microscopic cracks in the material, which are introduced in the production process. These microcracks could be mitigated by replacing the sodium ions in the surface of the glass with larger potassium ions. The larger ions thus cause a state of compression in the surface layer. Glass is far more capable of resisting compression rather than tension. The high compressive stresses baked into the material help resist tension forces that occur during impact events, thus making the material far more resistant to breakage.

The process of exchanging sodium ions in the glass with potassium ions was simple enough. The patent outlined a process for raining down a molten potassium salt solution onto the glassware, which would harden the outside surface significantly. This process was chosen for multiple reasons. It was desired to avoid immersing glassware into a huge bath of molten potassium salt, as the large bath of hot material would present safety hazards. There were also concerns that excessive time spent at high temperatures following immersion would lead to a relaxation of the crucial compressive stresses that built up in the glass from the ion exchange. Interior surfaces of the glassware could also be hardened by rotating the glasses on a horizontal axis under the “salt rain” so they were also exposed to the potassium salt to enable the ion exchange.
While the design of apparatus to strengthen drinking glassware is novel, the fundamental chemical process is not dissimilar to that used in the production of Gorilla Glass. Credit: patent
Recognizing the value of this patent, the Council of Ministers fast-tracked the technology into commerical production at the Sachsenglas Schwepnitz factory. The glassware was originally named CEVERIT, which was a portmanteau of the German words chemisch verfestigt—meaning “chemically solidified.” It also wore the name CV-Glas for the same reason. Production began in earnest in 1980, primarily centered around making beer glasses for hospitality businesses in East German—bars, restaurants, and the like. The glass instantly lived up to its promise, proving far more durable in commercial use. While not completely indestructible, the glasses were lasting ten to fifteen times longer than traditional commercial glassware.
A Superfest glass marked for 250 mL. Today, the only real way to source Superfest glassware is to buy used. Much remains in commercial use. Credit: Kaethe17, CC BY-SA 4.0
Despite the political environment of the time, there were hopes to expand sales to the West. On the urging of sales representative Eberhard Pook, the glasses were referred to by the name Superfest. The aim was to avoid negative connotations of “chemicals” in the name when it came to drinking glasses. Despite efforts made at multiple trade fairs, however, international interest in the tough glassware was minimal. Speaking to ZEITMagazin in 2020, Pook noted the flat response from potential customers. “We built a wall where we stacked the glasses… Look at it, it’s unbreakable!” says Pook, translated from the original German. “No reaction.” He was told that the material’s strength was also a great weakness from a sales perspective. “At Coca Cola, for example, they said, why should we use a glass that doesn’t break, we make money with our glasses,” he explained. “The dealers understandably said, who would cut off the branch they’re sitting on?”

Production nevertheless continued apace, with 120 million glasses made for the domestic market. Hardened glassware was manufactured in all shapes and sizes, covering everything from vases to tea cups and every size of beer glass. Stock eventually began piling up at the factory, as restaurants and bars simply weren’t ordering more glassware. Their chemically-strengthened glasses were doing exactly what they were supposed to do, and replacements weren’t often necessary.
Superfest glass was also used in the production of vases and other hollow glass items. Credit: Mernst1806/TeKaBe, CC BY-SA 4.0
Regardless, the future was unkind to Superfest. Urban legend says that the reunification of Germany was the beginning of the end, but it’s not entirely true. As covered by ZEITMagazin, the production of Superfest glassware was ended in July 1990 because it simply wasn’t profitable for the company. Production of other glassware continued, but the chemically-hardened line was no more. The patent for the process was allowed to lapse in 1992, and pursued no more.

The question remains why we don’t have chemically-hardened glassware today. The techniques behind Superfest are scarcely different to those used in Gorilla Glass or other chemically-strengthened glasses. The manufacturing process is well-documented, and the world is full of factories that ignore any concept of intellectual property if there was even an issue to begin with. Indeed, a German crowdfunding effort even attempted to replicate the material—only to fall into insolvency this year.

It seems that either nobody can make stronger drinking glasses, or nobody wants to—perhaps because, as Superfest seemed to indicate—there simply isn’t any money in it in the long term. It’s a shame, because the world demands nice things—and that includes beer glasses that last seemingly forever.

Featured image: “Superfest glasses in five sizes” by Michael Ernst

hackaday.com/2025/02/17/the-un…

In Corea del Sud ha sospeso la possibilità di scaricare l’app DeepSeek a causa di violazioni della privacy. Il divieto è entrato in vigore il 15 febbraio e rimarrà in vigore fino a quando tutte le violazioni non saranno eliminate.

Secondo l’autorità di regolamentazione PIPC, la società cinese ha parzialmente omesso di tenere conto dei requisiti della legislazione sudcoreana sulla protezione dei dati personali. DeepSeek ha già nominato rappresentanti legali nel Paese e ha riconosciuto le discrepanze. Tuttavia, la versione web del servizio rimane a disposizione degli utenti.

A gennaio, misure simili sono state applicate anche in Italia, dove il Garante per la Privacy ha chiesto il blocco del chatbot DeepSeek a causa di carenze nella politica sulla privacy, anche se tale blocco ad oggi non è attivo. Nonostante l’attenzione internazionale sulle possibili violazioni, i rappresentanti della startup cinese non hanno ancora commentato la situazione.

In questo contesto, il Ministero degli Esteri cinese ha sottolineato che il governo cinese prende sul serio le questioni relative alla protezione dei dati. Un portavoce dell’agenzia ha affermato che Pechino non chiede mai ad aziende o individui di raccogliere e conservare informazioni violando la legge. Ovviamente le loro leggi, come le leggi degli Stati Uniti D’America e ci stiamo riferendo al FISA.

In precedenza, l’intelligence sudcoreana ha incolpato l’app DeepSeek di una raccolta “eccessiva” di dati personali e nell’utilizzo di tutti i dati inseriti dall’utente per addestrare il modello. L’agenzia ha anche messo in dubbio l’obiettività delle risposte dell’IA alle domande relative all’identità nazionale.

Alcuni ministeri sudcoreani hanno già bloccato l’accesso all’app, unendosi ad Australia e Taiwan, che hanno già espresso preoccupazione e sono state introdotte delle restrizioni riguardo DeepSeek. La possibilità di divieto è in fase di valutazione anche negli Stati Uniti D’America.

Inoltre, il procuratore generale del Texas Ken Paxton ha annunciato l’avvio di un’indagine contro la società cinese DeepSeek, sospettata di aver violato le leggi statali sulla privacy dei dati. Nell’ambito delle indagini, la procura ha anche inviato delle richieste a Google e Apple, chiedendo loro di fornire un’analisi dell’app DeepSeek e la documentazione necessaria per posizionare il programma negli app store.

L'articolo I Muri Digitali Crescono! Anche La Corea Blocca l’utilizzo di DeepSeek proviene da il blog della sicurezza informatica.