The plethora of smart home devices available today deliver all manner of opportunities, but it’s fair to say that interfacing with them is more often done in the browser or an app than in the terminal. WattWise from [Naveen Kulandaivelu] is a tool which changes all that, it’s a command-line interface (CLI) for power monitoring smart plugs.

Written in Python, the tool can talk either directly to TP-Link branded smart plugs, or via Home Assistant. It tracks the power consumption with a simple graph, but the exciting part lies in how it can be used to throttle the CPU of a computer in order to use power at the points in the day when it is cheapest. You can find the code in a GitHub repository.

We like the idea of using smart plugs as instruments, even if they may not be the most accurate of measurement tools. It takes them even further beyond the simple functionality and walled-garden interfaces provided by their manufacturers, which in our view can only be a good thing.

Meanwhile, for further reading we’ve looked at smart plugs in detail in the past.

hackaday.com/2025/04/02/monito…

Somewhere in the universe, there’s a place that lists every x86 operating system from scratch. Not just some bootloaders, or just a kernel stub, but documentation to build a fully functional, interrupt-handling, multitasking-capable OS. [Erik Helin and Adam Renberg] did just that by documenting every step in The Little Book About OS Development.

This is not your typical dry academic textbook. It’s a hands-on, step-by-step guide aimed at hackers, tinkerers, and developers who want to demystify kernel programming. The book walks you through setting up your environment, bootstrapping your OS, handling interrupts, implementing virtual memory, and even tackling system calls and multitasking. It provides just enough detail to get you started but leaves room for exploration – because, let’s be honest, half the fun is in figuring things out yourself.

Completeness and structure are two things that make this book stand out. Other OS dev guides may give you snippets and leave you to assemble the puzzle yourself. This book documents the entire process, including common pitfalls. If you’ve ever been lost in the weeds of segmentation, paging, or serial I/O, this is the map you need. You can read it online or fetch it as a single 75-page long PDF.

Mockup photo source: Matthieu Dixte

hackaday.com/2025/04/02/one-bo…

Nel luglio 2024, i ricercatori di ESET hanno rilevato una nuova ondata di attività attribuita al gruppo APT FamousSparrow, noto per aver condotto campagne di cyberespionaggio contro obiettivi governativi e istituzionali di alto profilo. Dopo un apparente periodo di inattività durato dal 2022 al 2024, il gruppo è tornato alla ribalta con nuove varianti del backdoor SparrowDoor, miglioramenti tecnici significativi e un arsenale che ora include anche ShadowPad, impiegato per la prima volta.

Target strategici: USA e Messico nel mirino

L’analisi ESET ha rivelato che FamousSparrow ha compromesso una organizzazione del settore finanziario statunitense e un istituto di ricerca messicano. La scelta dei target non è casuale: entrambi rivestono ruoli strategici, rispettivamente nella geopolitica e nello sviluppo tecnologico della regione. Gli attacchi sono avvenuti tra il 11 e il 25 luglio 2024, sfruttando server vulnerabili e sistemi obsoleti, presumibilmente con versioni di Microsoft Exchange Server e Windows Server non aggiornate.

Evoluzione dello strumento: SparrowDoor 2.0

Due nuove versioni del malware SparrowDoor sono state scoperte durante l’analisi forense. La prima è una versione migliorata del backdoor classico, mentre la seconda è modulare e presenta caratteristiche di parallelizzazione dei comandi, una novità assoluta per il gruppo. Entrambe mostrano un salto di qualità a livello architetturale, riducendo l’uso di codice ridondante e migliorando la capacità di evasione.

Una delle due versioni mostra forti analogie con CrowDoor, un backdoor usato da Earth Estries, altro gruppo APT allineato alla Cina. Questo ha portato i ricercatori a ipotizzare una collaborazione o un framework condiviso all’interno di una più ampia infrastruttura offensiva cinese.

ShadowPad: il malware modulare che si evolve

Per la prima volta nella storia operativa del gruppo, FamousSparrow ha fatto uso di ShadowPad, backdoor modulare inizialmente scoperta nel 2017. ShadowPad è stato già collegato a diversi gruppi sponsorizzati dalla Cina ed è noto per le sue capacità di post-exploitation, grazie a un’architettura plugin-based.

Il suo utilizzo da parte di FamousSparrow rappresenta un cambio di passo e una professionalizzazione degli strumenti adottati, coerente con le recenti tendenze di convergenza tra gruppi APT cinesi.

Persistenza e invisibilità

Uno degli aspetti più interessanti di questa campagna è l’evidenza che FamousSparrow non era inattivo, ma semplicemente sotto il radar. Dal 2022 al 2024, infatti, il gruppo ha continuato a sviluppare e perfezionare i propri tool, segno di una pianificazione strategica a lungo termine e di un’elevata OPSEC (Operational Security). L’attacco mostra inoltre un uso bilanciato di:

• Strumenti custom proprietari (SparrowDoor, HemiGate)
• Malware condivisi (ShadowPad)
• Strumenti open source
• Shell web distribuite su server IIS

Analisi Threat Intelligence

Questi aspetti sono ben rappresentati nella mappa relazionale elaborata dai ricercatori, dove FamousSparrow è posto al centro di un ecosistema che collega paesi colpiti (tra cui Stati Uniti, Messico e Honduras), settori strategici (governo e finanza), e una triade di strumenti offensivi: SparrowDoor, HemiGate e ShadowPad. Quest’ultimo è stato utilizzato dal gruppo per la prima volta, segnando un’evoluzione nella loro dotazione tecnica. ShadowPad, noto per essere un backdoor modulare ad alto potenziale, è già stato impiegato da altri gruppi APT cinesi come APT41, Winnti e Earth Lusca. Il suo impiego da parte di FamousSparrow rafforza l’ipotesi di convergenza tattica e tecnica tra più gruppi APT allineati alla Cina, e viene evidenziato nel grafo attraverso l’interconnessione di numerosi indicatori di compromissione condivisi, IP malevoli e tecniche MITRE ATT&CK.

L’immagine è eloquente anche nel mostrare le evidenze digitali che sostengono l’attribuzione: indirizzi IP, hash di file, e payloads tracciati nella rete. Da notare la presenza di tecniche come T1055 (Injection di codice), T1190 (exploit di servizi esposti), e T1543.003 (persistenza tramite servizi di sistema), tutti usati in combinazione per garantire accesso continuo e capacità di comando e controllo.rna difesa cibernetica.

Conclusioni

La rinnovata attività di FamousSparrow dimostra che i gruppi APT di alto profilo continuano a evolversi, raffinando le proprie tecniche in silenzio e colpendo con precisione chirurgica quando si presentano le condizioni favorevoli. L’integrazione di backdoor avanzati come ShadowPad, lo sviluppo modulare e l’uso di tecniche avanzate come la parallelizzazione dei comandi dimostrano un salto qualitativo nelle capacità offensive.

Per le aziende e le istituzioni, è un chiaro segnale: l’apparente silenzio di un attore APT non va mai scambiato per inattività. La minaccia spesso si cela sotto il livello di rilevamento e agisce con sofisticazione, attendendo il momento giusto per colpire.

L'articolo ShadowPad e SparrowDoor 2.0: la nuova minaccia APT che spia governi e istituzioni proviene da il blog della sicurezza informatica.

Macro pads are handy for opening up your favorite programs or executing commonly used keyboard shortcuts. But why stop there?

That’s what [Jeroen Brinkman] must have been thinking while creating the Programmer’s Macro Pad. Based on the Arduino Pro Micro, this hand-wired pad is unique in that a single press of any of its 16 keys can virtually “type” out multiple lines of text. In this case, it’s a capability that’s being used to prevent the user from having to manually enter in commonly used functions, declarations, and conditional statements.

For example, in the current firmware, pressing the “func” key will type out a boilerplate C function:
int () { //
;
return 0;
}; // f
It will also enter in the appropriate commands to put the cursor where it needs to be so you can actually enter in the function name. The other keys such as “array” and “if” work the same way, saving the user from having to enter (and potentially, even remember) the correct syntax.

The firmware is kept as simple as possible, meaning that the functionality of each key is currently hardcoded. Some kind of tool that would let you add or change macros without having to manually edit the source code and flash it back to the Arduino would be nice…but hey, it is a Programmers Macro Pad, after all.

Looking to speed up your own day-to-day computer usage? We’ve covered a lot of macro pads over the years, we’re confident at least a few of them should catch your eye.

hackaday.com/2025/04/02/progra…

This week, Jonathan Bennett chats with Bashonly about yt-dlp, the audio/video downloader that carries the torch from youtube-dl! Why is this a hard problem, and what does the future hold for this swiss-army knife of video downloading? Watch to find out!

• github.com/bashonly
• github.com/yt-dlp/yt-dlp
• discord.gg/H5MNcFW63r

youtube.com/embed/ed93yLiUqxM?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:

• Spotify
• RSS

Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

hackaday.com/2025/04/02/floss-…

Tattoos. Body paint. Henna. All these are popular kinds of body art with varying histories and cultural connotations, many going back centuries or even longer. They all have something in common, though—they all change how the body reflects light back to the viewer. What if, instead, body art could shine a light of its very own?

This is the precise topic which [Katherine Connell] came to discuss at the 2024 Hackaday Supercon. Her talk concerns rethinking body art with the use of light emitting diodes—and is both thoroughly modern and aesthetically compelling. Beyond that, it’s an engineering development story with liquid metal and cutting-edge batteries that you simply don’t want to miss!

youtube.com/embed/nitjlnkYz0Q?…

[Katherine] wearing her stick-on LED body art, known as Sprite Lights. Credit: SpriteLights.comIn her quest to create self-glowing body art, [Katherine] invented Sprite Lights. In her own words, “these body safe light up temporary tattoos combine art, flex PCBs, screen printed batteries, and a body-safe adhesive tape.” Basically, you can place them on your skin, and they’ll shine and catch eyes for as long as there’s juice left in the sticker.

The inspiration behind this project was simple. [Katherine] grew up in the 80s, and being exposed to that neon-soaked era gave her a desire to glow-in-the-dark. However, she didn’t want to get into any hardcore body modification—hence, she pursued a non-invasive stick-on solution.

As you might imagine, creating these wasn’t trivial. They need to stick to the skin for long periods of time without causing irritation, while also being lightweight and slim enough to be practical to wear. Indeed, to that end, Sprite Lights are less than 1.5 mm thick—an impressive engineering feat.

Her first attempts involved creating a synthetic skin-like material using latex, with LEDs stuck underneath. However, this wasn’t a particularly desirable solution. Latex allergies are relatively common, and producing the designs took a lot of careful hand-soldering and manual work. It was also difficult to attach the latex to the skin, and to color match it with the wearer to make it look right.
Early experiments with latex had a few flaws.
From there, [Katherine] experimented with 3D-printing thin films with transparent PLA, with LEDs underneath. This was a much quicker way to work, but still didn’t attach well to the skin and had some aesthetic flaws. Another 3D-printing attempt saw [Katherine] create molds to produce transparent silicone films with LEDs embedded underneath, but this again proved very labor intensive and it’s difficult to get silicone to stick to anything, including humans. [Katherine] even tried experimenting with Galinstan, a very off-beat metallic alloy, to make circuits inside flexible silicone. She created viable stretchable circuits but they were not very robust, particularly since the Galinstan tends to melt at body temperature.

Undeterred from early hurdles, [Katherine] persevered with new techniques, using 3D-printing, silicone molds, and even strange gallium alloys to create real glowing body art.Later experiments with copper tape enabled [Katherine] to make flexible circuits a bit more easily. She used a Cricut to cut out traces in copper tape, and then stuck them on clear heat-resistant plastic. From there, she used a Walmart griddle to heat the assembly until solder paste liquified and her components were soldered in place. It required careful attention and speed to avoid melting everything, but it worked.

Having developed decent flexible circuits that could light up, power was next on the agenda. Desiring to create stick-on devices with an ultra-thin form factor, there was no room to include a traditional battery, so [Katherine] had to figure out how to power Sprite Lights effectively. She found flexible batteries from a company called Zinergy that could deliver 3V and 20 mAh. She was able to specify a custom flat round design, with the company able to make them just 0.7mm thick and 55 mm round. They use a compound similar to regular AA batteries, which is screen printed onto one layer of plastic and sealed with another layer on top. The batteries have the benefit of being safe to place on skin, with no risk of explosion or chemical exposure, even if they happen to be punctured or cut while worn. Perhaps the only drawback is that they’re non-rechargeable—they’re safe, but single-use.
Custom ultra-thin non-rechargeable batteries made Sprite Lights possible.
Armed with her new batteries, [Katherine] developed her concept further. She stepped up to using commercially-available flex PCBs produced by JLCPCB, in place of her homebrewed concepts used previously. She combined these with the flexible Zinergy batteries underneath, and custom-made die-cut stickers from MakeStickers on top. This gave her an art layer, an LED circuit layer, and a battery layer underneath, with a hypoallergenic medical tape used as the final layer to stick the assembly to the skin. An intermediate fabric tape layer is included to connect the battery’s contacts to the flex PCB, which is populated with LEDs. By leaving a paper layer on the fabric tape between the contacts, this allows the Sprite Light to remain off until it’s ready to be used. The combination comes in under 1.5 mm thick.

ED NOTE: Grabbed some pictures from the SpriteLights website.

[Katherine] has developed Sprite Lights into a super-clean final product. Credit: SpriteLights.com[Katherine] went through a great deal of iteration and development to get Sprite Lights to where they are today. She notes that you can learn anything online if you put in the work and connect to the right communities—it was through self-directed research that she taught herself the skills to get the project over the line. Beyond that, it’s also worth noting that technology might not be quite up to what you need right now—her project relies heavily on brand-new custom Zinergy batteries to be as thin as possible. Her next challenge is mass production—something she has pursued via a crowd-funding campaign.

Ultimately, Sprite Lights are a super-cool piece of body art. But beyond that, [Katherine] told us the great engineering story behind these astounding self-glowing stickers. As her fine example demonstrates, you can do really cool things if you just keep working at it and teach yourself the right skills along the way!

hackaday.com/2025/04/02/superc…

If you want to dip your toes into the deep, deep water of synth DIY but don’t know where to start, [Atarity] has just the resource for you. He’s compiled a list of 70 wonderful DIY synth and noise-making projects and put them all in one place. And as connoisseurs of the bleepy-bloopy ourselves, we can vouch for his choices here.

The collection runs that gamut from [Ray Wilson]’s “Music From Outer Space” analog oddities, through faithful recreations like Adafruit’s XOXBOX, and on to more modern synths powered by simple microcontrollers or even entire embedded Linux devices. Alongside the links to the original projects, there is also an estimate of the difficulty level, and a handy demo video for every example we tried out.

Our only self-serving complaint is that it’s a little bit light on the Logic Noise / CMOS-abuse side of synth hacking, but there are tons of other non-traditional noisemakers, sound manglers, and a good dose of musically useful devices here. Pick one, and get to work!

hackaday.com/2025/04/02/70-diy…

The list of countries to achieve their own successful orbital space launch is a short one, almost as small as the exclusive club of states that possess nuclear weapons. The Soviet Union was first off the rank in 1957, with the United States close behind in 1958, and a gaggle of other aerospace-adept states followed in the 1960s, 1970s, and 1980s. Italy, Iran, North Korea and South Korea have all joined the list since the dawn of the new millennium.

Absent from the list stands Australia. The proud island nation has never stood out as a player in the field of space exploration, despite offering ground station assistance to many missions from other nations over the years. However, the country has continued to inch its way to the top of the atmosphere, establishing its own space agency in 2018. Since then, development has continued apace, and the country’s first orbital launch appears to be just around the corner.

Space, Down Under

The Australian Space Agency has played an important role in supporting domestic space projects, like the ELO2 lunar rover (also known as “Roo-ver”). Credit: ASA
The establishment of the Australian Space Agency (ASA) took place relatively recently. The matter was seen to be long overdue from an OECD member country; by 2008, Australia was the only one left without a national space agency since previous state authorities had been disbanded in 1996. This was despite many facilities across the country contributing to international missions, providing critical radio downlink services and even welcoming JAXA’s Hayabusa2 spacecraft back to Earth.

Eventually, a groundswell grew, pressuring the government to put Australia on the right footing to seize growing opportunities in the space arena. Things came to a head in 2018, when the government established ASA to “support the growth and transformation of Australia’s space industry.”

ASA would serve a somewhat different role compared to organizations like NASA (USA) and ESA (EU). Many space agencies in other nations focus on developing launch vehicles and missions in-house, collaborating with international partners and aerospace companies in turn to do so. However, for ASA, the agency is more focused on supporting and developing the local space industry rather than doing the engineering work of getting to space itself.

Orbital Upstarts

Just because the government isn’t building its own rockets, doesn’t mean that Australia isn’t trying to get to orbit. That goal is the diehard mission of Gilmour Space Technologies. The space startup was founded in 2013, and established its rocketry program in 2015, and has been marching towards orbit ever since. As is often the way, the journey has been challenging, but the payoff of genuine space flight is growing ever closer.

Gilmour Space moved fast, launching its first hybrid rocket back in 2016. The successful suborbital launch proved to be a useful demonstration of the company’s efforts to produce a rocket that used 3D-printed fuel. This early milestone aided the company to secure investment that would support its push to grander launches at greater scale. The company’s next major launch was planned for 2019, but frustration struck—when the larger One Vision rocket suffered a failure just 7 seconds prior to liftoff. Undeterred, the company continued development of a larger rocket, taking on further investment and signing contracts to launch payloads to orbit in the ensuing years.

youtube.com/embed/5vyhef00ebY?…

Gilmour Space has worked hard to develop its hybrid rocket engines in-house.

With orbital launches and commercial payload deliveries the ultimate goal, it wasn’t enough to just develop a rocket. Working with the Australian government, Gilmour Space established the Bowen Orbital Spaceport in early 2024—a launchpad suitable for the scale of its intended space missions. Located on Queensland’s Gold Coast, it’s just 20 degrees south of the equator—closer than Cape Canaveral, and useful for accessing low- to mid-inclination equatorial orbits. The hope was to gain approval to launch later that year, but thus far, no test flights have taken place. Licensing issues around the launch have meant the company has had to hold back on shooting for orbit.

The rocket with which Gilmour Space intends to get there is called Eris. In Block 1 configuration, it stands 25 meters tall, and is intended to launch payloads up to 300 kg into low-Earth orbits. It’s a three-stage design. It uses four of Gilmour’s Sirius hybrid rocket motors in the first stage, and just one in the second stage. The third stage has a smaller liquid rocket engine of Gilmour’s design, named Phoenix. The rocket was first staged vertically on the launch pad in early 2024, and a later “dress rehearsal” for launch was performed in September, with the rocket fully fueled. However, flight did not take place, as launch permits were still pending from Australia’s Civil Aviation Safety Authority (CASA).

youtube.com/embed/-h8g1CfXopo?…

The Eris rocket was first vertically erected on the launchpad in 2024, but progress towards launch has been slow since then.

After a number of regulatory issues, the company’s first launch of Eris was slated for March 15, 2025. However, that day came and passed, even with CASA approval, as the required approvals were still not available from the Australian Space Agency. Delays have hurt the company’s finances, hampering its ability to raise further funds. As for the rocket itself, hopes for Eris’s performance at this stage remain limited, even if you ask those at Gilmour Space. Earlier this month, founder Adam Gilmour spoke to the Sydney Morning Heraldon his expectations for the initial launch. Realistic about the proposition of hitting orbit on the company first attempt, he expects it to take several launches to achieve, with some teething problems to come. “It’s very hard to test an orbital rocket without just flying it,” he told the Herald. “We don’t have high expectations we’ll get to orbit… I’d personally be happy to get off the pad.”

Despite the trepidation, Eris stands as Australia’s closest shot at hitting the bigtime outside the atmosphere. Government approvals and technical hurdles will still need to be overcome, with the Australian Space Agency noting that the company still has licence conditions to meet before a full launch is approved. Still, before the year is out, Australia might join that vaunted list of nations that have leapt beyond the ground to circle the Earth from above. It will be a proud day when that comes to pass.

hackaday.com/2025/04/02/austra…

Gli analisti di Sucuri hanno scoperto che gli hacker utilizzano la directory MU-plugins (Must-Use Plugins) di WordPress per nascondere codice dannoso ed eseguirlo senza essere rilevati. La tecnica è stata individuata per la prima volta nel febbraio 2025, ma la sua adozione è in crescita: gli aggressori stanno attualmente sfruttando i plugin MU per lanciare tre diversi tipi di codice dannoso.

Questo genere di plugin sono un tipo speciale di plugin di WordPress che vengono eseguiti a ogni caricamento di pagina e non richiedono l’attivazione nel pannello di amministrazione. Si tratta di file PHP memorizzati nella directory wp-content/mu-plugins/ che vengono eseguiti automaticamente quando la pagina viene caricata e non vengono visualizzati nel pannello di amministrazione nella pagina Plugin, a meno che non venga selezionato il filtro Must-Use.

Tali plugin vengono utilizzati, ad esempio, per applicare regole di sicurezza personalizzate su scala dell’intero sito, migliorare le prestazioni, modificare dinamicamente le variabili e così via. Poiché i plugin MU vengono eseguiti a ogni caricamento di pagina e non compaiono nell’elenco dei plugin standard, possono essere utilizzati per eseguire segretamente un’ampia gamma di attività dannose, tra cui il furto di credenziali, l’iniezione di codice dannoso o la modifica dell’output HTML.

Gli specialisti di Sucuri hanno scoperto tre payload che gli aggressori inseriscono nella directory MU-plugins:

• redirect.php : reindirizza i visitatori (esclusi i bot e gli amministratori registrati) a un sito dannoso (updatesnow[.]net) che visualizza una falsa richiesta di aggiornamento del browser per indurre la vittima a scaricare malware;
• index.php : una web shell che funge da backdoor, recuperando ed eseguendo codice PHP da un repository GitHub;
• custom-js-loader.php : carica JavaScript che sostituisce tutte le immagini sul sito con contenuti espliciti e intercetta tutti i link esterni, aprendo invece pop-up fraudolenti.

I ricercatori ritengono che la web shell sia il più pericoloso tra questi esempi, poiché consente agli aggressori di eseguire comandi da remoto sul server, rubare dati e condurre successivi attacchi agli utenti e ai visitatori della risorsa.

Gli altri due tipi di malware hanno maggiori probabilità di danneggiare la reputazione e la SEO di un sito attraverso reindirizzamenti sospetti e tentativi di installare malware sui computer dei visitatori.

Finora i ricercatori di Sucuri non sono riusciti a determinare il metodo esatto con cui sono stati infettati i siti web interessati. Si ritiene che gli aggressori sfruttino vulnerabilità note nei plugin e nei temi di WordPress oppure credenziali di amministratore deboli.

L'articolo Attacco invisibile su WordPress: gli hacker stanno sfruttando i MU-Plugins per colpire i siti web proviene da il blog della sicurezza informatica.