A Friendly Reminder That Your Unpowered SSDs Are Probably Losing Data
Save a bunch of files on a good ol’ magnetic hard drive, leave it in a box, and they’ll probably still be there a couple of decades later. The lubricants might have all solidified and the heads jammed in place, but if you can get things moving, you’ll still have your data. As explained over at [XDA Developers], though, SSDs can’t really offer the same longevity.
It all comes down to power. SSDs are considered non-volatile storage—in that they hold on to data even when power is removed. However, they can only do so for a rather limited amount of time. This is because of the way NAND flash storage works. It involves trapping a charge in a floating gate transistor to store a single bit of data. You can power down an SSD, and the trapped charge in all the NAND flash transistors will happily stay put. But over longer periods of time, from months to years, that charge can leak out. When this happens, data is lost.
Depending on your particular SSD, and the variety of NAND flash it uses (TLC, QLC, etc), the safe storage time may be anywhere from a few months to a few years. The process takes place faster at higher temperatures, too, so if you store your drives in a warm area, you could see surprisingly rapid loss.
Ultimately, it’s worth checking your drive specs and planning accordingly. Going on a two-week holiday? Your PC will probably be just fine switched off. Going to prison for three to five years with only a slim chance of parole? Maybe back up to a hard drive first, or have your cousin switch your machine on now and then for safety’s sake.
On a vaguely related note, we’ve even seen SSDs that can self-destruct on purpose. If you’ve got the low down on other neat solid-state stories, don’t hesitate to notify the tipsline.
Benchmarking Chinese CPUs
When it comes to PCs, Westerners are most most familiar with x86/x64 processors from Intel and AMD, with Apple Silicon taking up a significant market share, too. However, in China, a relatively new CPU architecture is on the rise. A fabless semiconductor company called Loongson has been producing chips with its LoongArch architecture since 2021. These chips remain rare outside China, but some in the West have been benchmarking them.
[Daniel Lemire] has recently blogged about the performance of the Loongson 3A6000, which debuted in late 2023. The chip was put through a range of simple benchmarking tests, involving float processing and string transcoding operations. [Daniel] compared it to the Intel Xeon Gold 6338 from 2021, noting the Intel chip pretty much performed better across the board. No surprise given its extra clock rate. Meanwhile, the gang over at [Chips and Cheese] ran even more exhaustive tests on the same chip last year. The Loongson was put through typical tasks like compressing archives and encoding video. The outlet came to the conclusion that the chip was a little weaker than older CPUs like AMD’s Zen 2 line and Intel’s 10th generation Core chips. It’s also limited as a four-core chip compared to modern Intel and AMD lines that often start at 6 cores as a minimum.
If you find yourself interested in Loongson’s product, don’t get too excited. They’re not exactly easy to lay your hands on outside of China, and even the company’s own website is difficult to access from beyond those shores. You might try reaching out to Loongson-oriented online communities if you seek such hardware.
Different CPU architectures have perhaps never been more relevant, particularly as we see the x86 stalwarts doing battle with the rise of desktop and laptop ARM processors. If you’ve found something interesting regarding another obscure kind of CPU, don’t hesitate to let the tipsline know!
“It was like playing the lottery,” said astronomer Tomonori Totani, adding that he hopes other scientists will verify the possible detection of a new dark matter signature.#TheAbstract
A Lone Astronomer Has Reported a Dark Matter ‘Annihilation’ Breakthrough
🌘
Subscribe to 404 Media to get The Abstract, our newsletter about the most exciting and mind-boggling science news and studies of the week.An astronomer has reported a possible new signature of dark matter, a mysterious substance that makes up most of the universe, according to a study published on Tuesday in the Journal of Cosmology and Astroparticle Physics.
Dark matter accounts for 85 percent of all matter in the universe, but its existence has so far been inferred only from its indirect effects on the familiar “baryonic” matter that makes up stars, planets, and life.
Tomonori Totani, a professor of astronomy at the University of Tokyo and the author of the study, believes he has spotted novel indirect traces of dark matter particles in the “halo” surrounding the center of our galaxy using new observations from NASA’s Fermi Gamma-ray Space Telescope. When these speculative particles collide—a process called dark matter annihilation—the crash is predicted to emit bright gamma rays, which is the light that Totani thinks he has identified.
“The discovery was made possible by focusing on the halo region (excluding the galactic center), which had received little attention, and by utilizing data accumulated over 15 years from the Fermi satellite,” Totani told 404 Media in an email. “After carefully removing all components other than dark matter, a signal resembling dark matter appeared.”
“It was like playing the lottery, and at first I was skeptical,” he added. “But after checking meticulously and thinking it seemed correct, I got goosebumps!”
If the detection is corroborated by follow-up studies, it could confirm a leading hypothesis that dark matter is made of a hypothetical class of weakly interacting massive particles, or “WIMPs”—potentially exposing the identity of this mysterious substance for the first time. But that potential breakthrough is still a ways off, according to other researchers in the field.
“Any new structure in the gamma-ray sky is interesting, but the dark matter interpretation here strikes me as quite preliminary,” said Danielle Norcini, an experimental particle physicist and
assistant professor at Johns Hopkins University, in an email to 404 Media.
Gamma-ray intensity map excluding components other than the halo, spanning approximately 100 degrees in the direction of the Galactic center. The horizontal gray bar in the central region corresponds to the Galactic plane area, which was excluded from the analysis to avoid strong astrophysical radiation. Image: Tomonori Totani, The University of Tokyo
Dark matter has flummoxed scientists for almost a century. In the 1930s, astronomer Fritz Zwicky observed that the motions of galaxies hinted that they are much more massive than expected based solely on visible baryonic matter. Since then, astronomers have confirmed that dark matter, which accumulates into dense halos at the centers of galaxies, acts like a gravitational glue that holds structures together. Dark matter is also the basis of a vast cosmic web of gaseous threads that links galaxy clusters across billions of light years.But while dark matter is ubiquitous, it does not interact with the electromagnetic force, which means it does not absorb, reflect, or emit light. This property makes it difficult to spot with traditional astronomy, a challenge that has inspired the development of novel instruments designed to directly detect dark matter such as the subterranean LUX-ZEPLIN in South Dakota and the forthcoming DAMIC-M in France.
For years, scientists have been probing possible emission from dark matter annihilation at the center of the Milky Way, which is surrounded by a halo of densely-clustered dark matter. Those previous studies focus on an excess emission pattern of about 2 gigaelectronvolts (GeV). Tontani’s study spotlights a new and different pattern with extremely energetic gamma rays at 20 GeV.
“A part of the Fermi data showed a peculiar excess that our model couldn't explain, leading me to suspect it might be due to radiation originating from dark matter,” he said. “The most difficult part is removing gamma-ray emissions of origins other than dark matter, such as those from cosmic rays and celestial objects.”
This tentative report may finally fill in a major missing piece of our understanding of the universe by exposing the true nature of dark matter and confirming the existence of WIMPs. But given that similar claims have been made in the past, more research is needed to assess the significance of the results.
“For any potential indirect signal, the key next steps are independent checks: analyses using different background models, different assumptions about the Milky Way halo, and ideally complementary data sets,” Norcini said.
“Gamma-ray structures in the halo can have many astrophysical origins, so ruling those out requires careful modeling and cross-comparison,” she continued. “At this point the result seems too new for that scrutiny to have played out, and it will take multiple groups looking at the same data before a dark matter interpretation could be considered robust.”
Though Totani is confident in his interpretation of his discovery, he also looks forward to the input of other dark matter researchers around the world.
“First, I would like other researchers to independently verify my analysis,” he said. “Next, for everyone to be convinced that this is truly dark matter, the decisive factor will be the detection of gamma rays with the same spectrum from other regions, such as dwarf galaxies. The accumulation of further data from the Fermi satellite and large ground-based gamma-ray telescopes, such as the Cherenkov Telescope Array Observatory (CTAO) will be crucial.”
🌘
Subscribe to 404 Media to get The Abstract, our newsletter about the most exciting and mind-boggling science news and studies of the week.
Artist Tega Brain is fighting the internet’s enshittification by turning back the clock to before ChatGPT existed.#AISlop #GoogleSearch #searchengines
'Slop Evader' Lets You Surf the Web Like It’s 2022
It’s hard to believe it’s only been a few years since generative AI tools started flooding the internet with low quality content-slop. Just over a year ago, you’d have to peruse certain corners of Facebook or spend time wading through the cultural cesspool of Elon Musk’s X to find people posting bizarre and repulsive synthetic media. Now, AI slop feels inescapable — whether you’re watching TV, reading the news, or trying to find a new apartment.That is, unless you’re using Slop Evader, a new browser tool that filters your web searches to only include results from before November 30, 2022 — the day that ChatGPT was released to the public.
The tool is available for Firefox and Chrome, and has one simple function: Showing you the web as it was before the deluge of AI-generated garbage. It uses Google search functions to index popular websites and filter results based on publication date, a scorched earth approach that virtually guarantees your searches will be slop-free.
Slop Evader was created by artist and researcher Tega Brain, who says she was motivated by the growing dismay over the tech industry’s unrelenting, aggressive rollout of so-called “generative AI”—despite widespread criticism and the wider public’s distaste for it.
Slop Evader in action. Via Tega Brain
“This sowing of mistrust in our relationship with media is a huge thing, a huge effect of this synthetic media moment we’re in,” Brain told 404 Media, describing how tools like Sora 2 have short-circuited our ability to determine reality within a sea of artificial online junk. “I’ve been thinking about ways to refuse it, and the simplest, dumbest way to do that is to only search before 2022.”
One under-discussed impact of AI slop and synthetic media, says Brain, is how it increases our “cognitive load” when viewing anything online. When we can no longer immediately assume any of the media we encounter was made by a human, the act of using social media or browsing the web is transformed into a never-ending procession of existential double-takes.
This cognitive dissonance extends to everyday tasks that require us to use the internet—which is practically everything nowadays. Looking for a house or apartment? Companies are using genAI tools to generate pictures of houses and rental properties, as well as the ads themselves. Trying to sell your old junk on Facebook Marketplace? Meta’s embrace of generative AI means you may have to compete with bots, fake photos, and AI-generated listings. And when we shop for beauty products or view ads, synthetic media tools are taking our filtered and impossibly-idealized beauty standards to absurd and disturbing new places.
In all of these cases, generative AI tools further thumb the scales of power—saving companies money while placing a higher cognitive burden on regular people to determine what’s real and what’s not.
“I open up Pinterest and suddenly notice that half of my feed are these incredibly idealized faces of women that are clearly not real people,” said Brain. “It’s shoved into your face and into your feed, whether you searched for it or not.”
Currently, Slop Evader can be used to search pre-GPT archives of seven different sites where slop has become commonplace, including YouTube, Reddit, Stack Exchange, and the parenting site MumsNet. The obvious downside to this, from a user perspective, is that you won’t be able to find anything time-sensitive or current—including this very website, which did not exist in 2022. The experience is simultaneously refreshing and harrowing, allowing you to browse freely without having to constantly question reality, but always knowing that this freedom will be forever locked in time—nostalgia for a human-centric world wide web that no longer exists.
Of course, the tool’s limitations are part of its provocation. Brain says she has plans to add support for more sites, and release a new version that uses DuckDuckGo’s search indexing instead of Google’s. But the real goal, she says, is prompting people to question how they can collectively refuse the dystopian, inhuman version of the internet that Silicon Valley’s AI-pushers have forced on us.
“I don’t think browser add-ons are gonna save us,” said Brain. “For me, the purpose of doing this work is mostly to act as a provocation and give people examples of how you can refuse this stuff, to furnish one’s imaginary for what a politics of refusal could look like.”
With enough cultural pushback, Brain suggests, we could start to see alternative search engines like DuckDuckGo adding options to filter out search results suspected of having synthetic content (DuckDuckGo added the ability to filter out AI images in search earlier this year). There’s also been a growing movementpushing back against the new AI data centers threatening to pollute communities andraise residents’ electricity bills. But no matter what form AI slop-refusal takes, it will need to be a group effort.
“It’s like with the climate debate, we’re not going to get out of this shitshow with individual actions alone,” she added. “I think that’s the million dollar question, is what is the relationship between this kind of individual empowerment work and collective pushback.”
Data centers are concentrated in these states. Here's what's happening to electricity prices
Residential utility bills rose 6% on average nationwide in August compared with the same period last year, according to the Energy Information Administration.Spencer Kimball (CNBC)
Building a Low-Cost Satellite Tracker
Looking up at the sky just after sunset or just before sunrise will reveal a fairly staggering amount of satellites orbiting overhead, from tiny cubesats to the International Space Station. Of course these satellites are always around, and even though you’ll need specific conditions to view them with the naked eye, with the right radio antenna and only a few dollars in electronics you can see exactly which ones are flying by at any time.
[Josh] aka [Ham Radio Crash Course] is demonstrating this build on his channel and showing every step needed to get something like this working. The first part is finding the correct LoRa module, which will be the bulk of the cost of this project. Unlike those used for most Meshtastic nodes, this one needs to be built for the 433 MHz band. The software running on this module is from TinyGS, which we have featured here before, and which allows a quick and easy setup to listen in to these types of satellites. This build goes much further into detail on building the antenna, though, and also covers some other ancillary tasks like mounting it somewhere outdoors.
With all of that out of the way, though, the setup is able to track hundreds of satellites on very little hardware, as well as display information about each of them. We’d always favor a build that lets us gather data like this directly over using something like a satellite tracking app, although those do have their place. And of course, with slightly more compute and a more directed antenna there is all kinds of other data beaming down that we can listen in on as well, although that’s not always the intent.
youtube.com/embed/V6RJG9q7R8M?…
FLOSS Weekly Episode 856: QT: Fix It Please, My Mom is Calling
This week Jonathan chats with Maurice Kalinowski about QT! That’s the framework that runs just about anywhere, making it easy to write cross-platform applications. What’s the connection with KDE? And how has this turned into a successful company? Watch to find out!
youtube.com/embed/pMSStjolrRA?…
Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or have the guest contact us! Take a look at the schedule here.
play.libsyn.com/embed/episode/…
Direct Download in DRM-free MP3.
If you’d rather read along, here’s the transcript for this week’s episode.
Places to follow the FLOSS Weekly Podcast:
Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
hackaday.com/2025/11/26/floss-…
Elli Furedy Brings Cyberpunk Games to Life
When you’re designing a bounty hunter game for a five-day cyberpunk live-action-role-play out in the middle of the Mojave desert, you’ve got to bring something extra cool. But [Elli]’s Hackaday Supercon talk isn’t just about the hardware; it’s as much about the design philosophy behind the game – how you bring something immersive and exciting to hundreds of players.
Sandbox Systems
The game itself is fairly simple: bounty hunters try to find the bounty, and when they do, they have a quick-draw to see who wins. Everyone is issued a color-coded Portable Data Node device, and when a hunter jacks into a bounty’s Node, a countdown begins, and the first to press the button after the display say “Go” wins.
But the simplicity of the game is by design, and [Elli] talks about the philosophy that she and her team followed to make it a success. If you’re designing a conference badge or an immersive game for a large group of people, take note.
The first principle is to focus on the people first before the tech. Here, that essentially means making the experience as simple as possible in order to leave room for the players to put their own spin on it – it’s a role-play event after all.
Next is providing opportunities over demands. In this game, for instance, if you’re playing the bounty hunter role, you have to deliver a “Declaration of Intent to Seize” when you encounter a bounty player, but what deciding on your personal catchphrase for this is left up to you.
Selling the story of the game with the tech is also important. For instance, there is a part of the Node that [Elli] calls “the doodad” which is just pure LED and greebles. It doesn’t do anything, but it looks cool.
Finally, [Elli] mentions that her team puts an effort into making the game as accessible for everyone as possible. The onboarding video has cyberpunk-styled closed captioning, for instance. While originally designed for folks who don’t hear well, it ended up providing an aesthetic that everyone can enjoy – an example of the curb-cut effect at work.
The end result? 374 players played 3,838 matches over five days, but that’s just the stats. As [Elli] points out, the real point of the game is as an ice-breaker, to allow people room to explore whatever character they’re playing, and to connect people in real-space. It sounds like it was a complete success on all fronts.
The Sandbox
This is a talk on design principles, but it’s also a talk at Supercon, and [Elli] gets pulled into the hardware side of things many times throughout the talk. The Nodes have OLEDs and haptic motors for feedback, they use and ESP32 with WiFi for the score reporting, and there’s even discussion of the serial protocol that they speak to each other when they get connected up via an audio jack.
[Elli] gets some great questions about ways to expand the game, and you’re just going to have to watch the video to appreciate them all. Or join in: after all, it’s an open-source project and it’s intended to be a sandbox!
There seems to be a lot of room to play along, and [Elli]’s talk is definitely food for thought if you’re designing hardware with the end goal of creating and encouraging human interaction through building up an engaging story.
youtube.com/embed/ndodsA254HA?…
Ministero dell'Istruzione
Da oggi e fino al #29novembre il #MIM parteciperà alla 34ª edizione di JOB&Orienta con un ampio programma di eventi, laboratori, seminari, per un totale di circa 70 appuntamenti dedicati a scuole, studenti e famiglie e cinque dedicati a temi di maggi…Telegram
The Busch Electronic Digital-Technik 2075 Digital Lab from the 1970s
In a recent video, [Jason Jacques] demos the Busch Electronic Digital-Technik 2075 which was released in West Germany in the 1970s.
The Digital-Technik 2075 comes with a few components including a battery holder and 9 V battery, a push button, two 1 K resistors, a red LED, a 100 nF ceramic capacitor, a 100 µF electrolytic capacitor, a quad NAND gate IC, and a counter module which includes an IC and a 7-segment display. The kit also comes with wires, plugs, a breadboard, and a tool for extracting modules.
The Digital-Technik 2075 doesn’t use the spring terminals we see in other project labs of the time, such as the Science Fair kits from Radio Shack, and it doesn’t use modular Denshi blocks, such as we saw from the Gakken EX-150, but rather uses wire in conjunction with yellow plastic plugs. This seems to work well enough.
In the video, after showing us how to do switch debouncing, [Jason] runs us through making a counter with the digital components and then getting the counter to reset after it counts to five. This is done using NAND gates. Before he gets stuck into doing a project he takes a close look at the manual (which is in German) including some of the advertisements for other project labs from Busch which were available at the time. As he doesn’t speak German [Jason] prints out an English translation of the manual before working through it.
We’ve heard from [Jason] at Hackaday in recent history when we saw his Microtronic Phoenix Computer System which referenced the 2090 Microtronic Computer System which was also made by Busch.
youtube.com/embed/AhI8z8OgQyY?…
Chinese Regulators May Kill Retractable Car Door Handles That Never Should Have Existed
Headlights. Indicators. Trunk releases. Seatbelts. Airbags. Just about any part of a car you can think of is governed by a long and complicated government regulation. It’s all about safety, ensuring that the car-buying public can trust that their vehicles won’t unduly injure or maim them in regular operation, or in the event of accident.
However, one part of the modern automobile has largely escaped regulation—namely, the humble door handle. Automakers have been free to innovate with new and wacky designs, with Tesla in particular making waves with its electronic door handles. However, after a series of deadly incidents where doors wouldn’t open, regulators are now examining if these door handles are suitable for road-going automobiles. As always, regulations are written in blood, but it raises the question—was not the danger of these complicated electronic door handles easy to foresee?
Trapped
A number of automakers have developed fancy retractable door handles in recent years. They are most notably seen on electric vehicles, where they are stated to have a small but measurable aerodynamic benefit. They are often paired with buttons or other similar electronic controls to open the doors from the inside. Compared to mechanical door handles, however, these door handles come with a trade-off in complexity. They require electricity, motors, and a functioning control system to work. When all is well, this isn’t a problem. However, when things go wrong, a retractable electronic door handle often proves inaccessible and useless.
It’s not hard to find case reports of fatal incidents involving vehicles with electronic door handles—both inside and out. Multiple cases have involved occupants burning alive inside Tesla vehicles, in which electronic door handles failed after a crash. Passengers inside the vehicles have failed to escape due to not finding emergency release door pulls hidden in the door panels, while bystanders have similarly been unable to use the retracted outside door handles to free those trapped inside.
In response, some Tesla owners have gone so far as to release brightly-colored emergency escape ripcords to replace the difficult-to-spot emergency release pulls that are nearly impossible to find without prior knowledge. In the case of some older models, though, there’s less hope of escape. For example, in the Tesla Model 3 built from 2017 to 2023, only front doors have an emergency mechanical release. Rear passengers are out of luck, and must find another route of escape if their electronic door handles fail to operate. No Tesla vehicles feature an easily-accessible mechanical release that can be used from outside the vehicle.
It’s worth noting that in the US market, federal regulations have mandated glow-in-the-dark trunk releases be fitted to all sedans from the 2002 model year onwards. You could theoretically escape from the trunk of certain Teslas more easily than a Cybertruck or Model 3 with a failed electrical system.
Tesla isn’t the only company out there building cars with retractable door handles. It does, however, remain the most prominent user of this technology, and its vehicles have been involved in numerous incidents that have made headlines. Other automakers, such as Audi and Fiat, have experimented with electronic door handles, both for ingress and egress, with varying degrees of mechanical backup available. In some cases, automakers have used smart two-stage latches. A small pull activates the electronic door release, while a stronger pull will engage a mechanical linkage that unlatches the door. It’s smart engineering—the door interface responds to the exact action a passenger would execute if trying to escape the vehicle in a panic. There are obviously less concerns around electronic door releases that have easily-accessed mechanical backups; it’s just that Tesla is particularly notable for not always providing them.
Over the years, national automotive bodies have thrown up their arms about all sorts of emerging automotive technologies. In the United States specifically, NHTSA has famously slow-walked the approval of things like camera-based rear-view mirror systems and replaceable-bulb headlamps, fearing the worst could occur if these technologies were freely allowed on the market.
Meanwhile, despite the obvious risks, electronic door handles have faced no major regulatory challenges. There were no obvious written rules standing in the way of Tesla making the choice to eliminate regular old door handles. Nor were there strict regulations on emergency door releases for passengers inside the vehicle. Tesla spent years building several models with no mechanical door release for the rear passengers. If your door button failed, you’d have to attempt escape by climbing out through the front doors, assuming you could figure out how to open them. Even today, the models with mechanical door releases still often hide them behind interior trim pieces or carpets, where few passengers would ever think to look in an emergency.
Obvious Mistakes
Things are beginning to change, however. Chinese regulators have led the charge, with reports stating that electronic retractable door handles could be banned as soon as 2027. While some semi-retractable styles will potentially avoid an outright ban, it’s believed new regulations will require a mechanically redundant release system as standard.
As for the US, the sleeping giant of NHTSA has finally awoken in the wake of Bloomberg‘s reporting on the matter. As reported by CNBC, Tesla has been given a deadline of December 10 to deliver records to the federal regulator, regarding design, failures, and customer issues around its electronic door release systems. The Office of Defects Investigations within NHTSA has already recorded 16 reports of failed exterior door releases in the a single model year of the Tesla Model Y. It’s likely a drop in the ocean compared to the full population of Tesla vehicles currently on roads. Meanwhile, the US automaker also faces multiple lawsuits over the matter from those who have lost family members in fatal crashes and fires involving the company’s vehicles.
In due time, it’s likely that automotive regulators in most markets will come out against electronic door handles from a safety perspective alone. No matter how well designed the electrical system in a modern vehicle, it’s hard to beat a lever flipping a latch for simplicity and robustness. The benefits of these electronic door handles are spurious in the first place—a fraction of a percent reduction in drag, and perhaps a little more luxury appeal. If the trade-off is trapping passengers in the event of a fire, it’s hard to say they’re worthwhile.
The electronic door handle, then, is perhaps the ultimate triumph of form over function. They’re often slower and harder to use than a regular door handle, and particularly susceptible to becoming useless when iced over on a frosty morning. For a taste of the future, lives were put at risk. Anyone could see that, so it’s both strange and sad that automakers and regulators alike seemed not to notice until it was far too late. Any new regulations will, once again, be written in blood.
Datenspende: „Digitaler Omnibus“ könnte Forschung zu Big-Tech erschweren
netzpolitik.org/2025/datenspen…
Digital Omnibus – A Single Rulebook or a License to Trespass Fundamental Rights?
What is Digital Omnibus?
Digital policy lobbies across the European Union are buzzing with one word: Digital Omnibus, a proposal aimed at consolidating and simplifying the existing EU digital framework. The idea, according to the proposal’s advocates, is to reduce overlap in obligations and the compliance burden on businesses.
The Digital Omnibus is presented as a measure to simplify Europe’s complex digital rulebook. The aim is to streamline a wide array of Digital rules into a coherent, updated framework. It touches several key areas, including the GDPR, the AI Act, the Data Act, and cybersecurity reporting frameworks.
The Commission proposed the Digital Omnibus on 19 November 2025. The core idea behind pushing for the digital Omnibus is to eliminate red tape and boost EU competitiveness. Thirteen EU Member States have argued that tech companies in the EU face a higher degree of regulation and greater hassles than their counterparts across the Atlantic.
A Quick Look at What the Proposal Includes
- Clarifying GDPR concepts such as pseudonymised vs non-personal data
- Allowing limited use of sensitive data for detecting AI bias
- Adjusting some obligations under the AI Act and delaying certain requirements
- Creating a European Business Wallet for corporate digital identities
- Merging various data laws into a more unified Data Act
- Introducing a single entry point for cybersecurity incident reporting
These are framed as efficiency measures, cost-reduction initiatives, and efforts to make Europe more attractive to digital innovation.
Critics Warn: What Does Streamlining Actually Mean for OurRights?
For policymakers looking at the issue from strictly a business perspective, the digital Omnibus is a proposal long overdue. But as with any sweeping reform, the details matter, and this is where the debate becomes intense.
This is where concerns sharpen, especially among civil society groups, privacy advocates, and parties committed to defending digital freedoms such as the European Pirates.
European Digital Rights (EDRI) and other Digital rights advocates warn that simplifying the rulebook will come with a quiet erosion of our rights that were hard-won over the past decade.
Key Concerns Raised Against the Digital Omnibus
1. Roll-Back of Digital Protection Laws
The Omnibus is seen as reopening and weakening major protections, including the GDPR, ePrivacy, and the AI Act. This is viewed as a blow to the decades of work on digital rights.
2. Weakening of ePrivacy Rules
According to EDRi, the proposal would shift some “device access” rules from ePrivacy into GDPR, reducing mandatory consent in some cases. It is feared that this could permit tracking on devices without users’ explicit approval.
3. Narrowing the Definition of “Personal Data”
A redefinition of personal data could give companies more leeway to process information. Critics argue that this redefinition could reduce transparency and control for individuals.
4. Undermining AI Accountability
According to TechPolicy.Press article, amendments that give AI providers too much discretion, including a loophole that allows them to opt out of certain “high-risk” obligations without publicly declaring it. Rights groups argue this removes a key transparency check, weakening the AI Act’s purpose of managing risk.
5. Privileging Business Over People
Supporters of digital rights strongly believe that these reforms will shift power toward companies, thereby reducing individuals’ leverage under data protection laws. Precisely, these reforms have corporate interests as their focal point rather than citizens’ rights.
6. Weak Democratic Process
The way Omnibus is being fast-tracked with limited consultation and impact assessment, EDRi and others argue that such sweeping changes deserve more thorough democratic scrutiny.
7. Risk to Minoritised and Vulnerable Groups
EDRi highlights that under the proposed changes, marginalised communities could face a higher risk of profiling or automated discrimination. Reduced oversight and transparency could make it harder to challenge unfair or biased automated decisions.
So, Where Does This Leave Us?
For the European Pirates, the question is not whether Europe should innovate, but how. Efficiency cannot come at the cost of loosening the protections that set the EU apart in the global digital landscape.
The Digital Omnibus, on the surface, may appear to be an effort to overcome the hurdles that impede the EU’s innovation and growth. However, the implications of this proposal have far-reaching consequences from a social perspective.
The debate around the Digital Omnibus is only beginning. What is at stake is the balance between modernising Europe’s digital framework and guarding the rights of the people who live within it.
Fair Play for Life 2025: l’emozione e la bellezza autentica dell’etica
@Giornalismo e disordine informativo
articolo21.org/2025/11/fair-pl…
Un’iniziativa emozionante ha caratterizzato la quarta edizione del Fair Play for Life 2025, svoltasi il 25 novembre presso il Salone d’Onore del CONI. L’evento ha visto
Giornalismo e disordine informativo reshared this.
“La bugia dell’orchidea” di Donato Carrisi – (ovvero: La Labia sericea, di Victoria Anthon)
@Giornalismo e disordine informativo
articolo21.org/2025/11/la-bugi…
“Quel massacro che sembrava la fine di tutto era soltanto l’inizio”. Una storia sulla scrittura e sul potere della
Giornalismo e disordine informativo reshared this.
Crudele staccare una “famiglia” dal bosco e portarla nelle istituzioni
@Giornalismo e disordine informativo
articolo21.org/2025/11/crudele…
Io difendo la famiglia nel bosco. È vero, La Russa ha le sopracciglia troppo folte e il volto coperto da una barba irsuta; Nordio continua a ruminare radici di
Giornalismo e disordine informativo reshared this.
#Cina e #Giappone, guerra per #Taiwan
Cina e Giappone, guerra per Taiwan
Sono bastate poco più di due settimane alla neo-premier giapponese, Sanae Takaichi, per precipitare le relazioni del suo paese con la Cina al punto più basso almeno degli ultimi dieci anni.www.altrenotizie.org
Il nuovo video di Pasta Grannies: youtube.com/shorts/FKLS4FtK--o
@Cucina e ricette
(HASHTAG)
Cucina e ricette reshared this.
Il caso Bose e l'appello alla UE
Lampi di Cassandra/ Abituarsi alla morte nell'IoT, reloaded. La morte degli oggetti informatici è diventato un fatto comune e ricorrente. (ZEUS News)ZEUS News
Digital Omnibus – A Single Rulebook or a License to Trespass Fundamental Rights?
@politics
european-pirateparty.eu/digita…
Digital Omnibus – A Single Rulebook or a License to Trespass Fundamental Rights? What is Digital Omnibus? Digital policy lobbies across
Come leggere la trasformazione dell’accordo tra Fincantieri e Us Navy per le Fregate Constellation
@Notizie dall'Italia e dal mondo
La decisione dell’amministrazione Trump e della US Navy di rivedere radicalmente il programma delle fregate classe Constellation non rappresenta la rottura di un rapporto industriale, ma l’esito di una più ampia trasformazione
Notizie dall'Italia e dal mondo reshared this.
Un nuovo carro tedesco per il fianco orientale della Nato. Ecco il Leopard 2A8
@Notizie dall'Italia e dal mondo
La Germania compie un nuovo passo nel rafforzamento della propria postura di difesa e di quella della Nato con la presentazione ufficiale della nuova versione del carro armato Leopard, denominata “2A8”. Il mezzo, sviluppato dal consorzio europeo (a trazione tedesca) Knds e svelato
Notizie dall'Italia e dal mondo reshared this.
Dagli Stati Uniti all’Europa, l’industria della Difesa al bivio tra passato e futuro
@Notizie dall'Italia e dal mondo
C’è un filo che negli ultimi anni sta attraversando l’industria della Difesa in Occidente, un filo che con il tempo si è trasformato in una crepa e che oggi assomiglia a una vera e propria faglia. Non è una frattura improvvisa né il risultato di un
Notizie dall'Italia e dal mondo reshared this.
L’UE lancia l’industria bellica continentale con la benedizione dei socialisti
@Notizie dall'Italia e dal mondo
Con un voto trasversale, il parlamento europeo approva l'Edip, un programma di finanziamento dell'industria militare europea diretto a diminuire la dipendenza di Bruxelles dagli Stati Uniti e a potenziare la produzione di armi
L'articolo L’UE lancia
Notizie dall'Italia e dal mondo reshared this.
HashJack: quando un cancelletto nell’URL inganna l’IA nel browser
@Informatica (Italy e non Italy 😁)
C’è una nuova, sottile minaccia che sfrutta uno dei simboli più innocui del web – il cancelletto (hashtag) “#” – per aggirare le difese di sicurezza e manipolare gli assistenti IA integrati nei browser. Si chiama HashJack, ed è stata identificata dai ricercatori di Cato Networks come
Informatica (Italy e non Italy 😁) reshared this.
A che serve cambiare ora la legge elettorale? Meloni e i suoi all’assalto di Costituzione e Mattarella
@Giornalismo e disordine informativo
articolo21.org/2025/11/a-che-s…
Se la destra ha vinto le Regionali, come dicono loro, perché mai la
Nicola Pizzamiglio likes this.
reshared this
Incontro sulla violenza di genere, bilancio
Dunque, sono partito con l'organizzazione questa primavera.
Ho contattato diverse associazioni che si occupano di violenza di genere, una mi ha risposto e ha messo a disposizione una psicologa delle loro (che arrivava da fuori Firenze). Ho contattato un sindacato della scuola perché facessero arrivare la notizia a qualche insegnante/dirigente scolastico nel tentativo di coinvolgere gli studenti (scelta sbagliatissima perché non hanno fatto assolutamente nulla, la prossima volta contatterò direttamente i rappresentanti degli studenti). Ho prenotato la sala alla casa del popolo. Come RSU abbiamo convocato un'assemblea dei lavoratori di 4 ore in modo che la gente potesse partecipare senza prendere permessi o ferie. Ho fatto la locandina. Stamattina mi sono alzato alle 6:30 per andare lì a preparare la sala (sistemazione PC per fare un video, impianto amplificazione, sistemazione sedie, ecc.).
Risultato: 10 persone (su più di 150 dipendenti della mia azienda).
E niente...
Poliversity - Università ricerca e giornalismo reshared this.
La Gran Bretagna si propone come garante armato della pace in Ucraina
@Notizie dall'Italia e dal mondo
“Waddle, Gobble & Volodymyr” è la battuta che circola a Washington. I primi due sono i tacchini che, come è ormai tradizione alla vigilia della festa del Ringraziamento, hanno ricevuto la grazia del presidente americano.Metaforicamente, il terzo graziato dal tycoon è il presidente
Notizie dall'Italia e dal mondo reshared this.
La nuova difesa Ue? Passa dai distretti italiani. Parla Donazzan
@Notizie dall'Italia e dal mondo
Un jolly chiamato distretti. L’Italia lo offre come modello di sviluppo al macro tema della difesa europea, dopo che nel marzo 2024 la Commissione ha pubblicato una proposta di regolamento sul programma per l’industria europea della difesa e sul quadro di misure per garantire la
Notizie dall'Italia e dal mondo reshared this.
A breach shows people are making AI porn of ordinary people at scale; X exposes the location of its biggest MAGA grifters; and how we contributed to the shut down of a warrantless surveillance program.#Podcast
Podcast: A Massive Breach Reveals the Truth Behind 'Secret Desires AI'
We start this week with Sam's piece about a massive leak of an AI chatbot, and how it showed that people were taking ordinary women’s yearbook photos and using them to make AI porn. After the break, Jason explains how a recent change on X exposed a bunch of grifters all around the world. In the subscribers-only section, we talk about how our reporting contributed to the shut down of a warrantless surveillance program.
playlist.megaphone.fm?e=TBIEA9…
Listen to the weekly podcast on Apple Podcasts,Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.
youtube.com/embed/UgOtR_bDft4?…
1:23 - Intro - Please, please do our reader survey
3:57 - Story 1 - Massive Leak Shows Erotic Chatbot Users Turned Women’s Yearbook Pictures Into AI Porn
30:05 - Story 2 - America’s Polarization Has Become the World's Side Hustle
49:39 - Story 3 - Airlines Will Shut Down Program That Sold Your Flights Records to GovernmentThe 404 Media Podcast
Tech News Podcast · Updated Weekly · Welcome to the podcast from 404 Media where Joseph, Sam, Emanuel, and Jason catch you up on the stories we published this week. 404 Media is a journalist-owned digital media company exploring the way …Apple Podcasts
Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025
Just like the 2000s
Flip phones grew popular, Windows XP debuted on personal computers, Apple introduced the iPod, peer-to-peer file sharing via torrents was taking off, and MSN Messenger dominated online chat. That was the tech scene in 2001, the same year when Sir Dystic of Cult of the Dead Cow published SMBRelay, a proof-of-concept that brought NTLM relay attacks out of theory and into practice, demonstrating a powerful new class of authentication relay exploits.
Ever since that distant 2001, the weaknesses of the NTLM authentication protocol have been clearly exposed. In the years that followed, new vulnerabilities and increasingly sophisticated attack methods continued to shape the security landscape. Microsoft took up the challenge, introducing mitigations and gradually developing NTLM’s successor, Kerberos. Yet more than two decades later, NTLM remains embedded in modern operating systems, lingering across enterprise networks, legacy applications, and internal infrastructures that still rely on its outdated mechanisms for authentication.
Although Microsoft has announced its intention to retire NTLM, the protocol remains present, leaving an open door for attackers who keep exploiting both long-standing and newly discovered flaws.
In this blog post, we take a closer look at the growing number of NTLM-related vulnerabilities uncovered over the past year, as well as the cybercriminal campaigns that have actively weaponized them across different regions of the world.
How NTLM authentication works
NTLM (New Technology LAN Manager) is a suite of security protocols offered by Microsoft and intended to provide authentication, integrity, and confidentiality to users.
In terms of authentication, NTLM is a challenge-response-based protocol used in Windows environments to authenticate clients and servers. Such protocols depend on a shared secret, typically the client’s password, to verify identity. NTLM is integrated into several application protocols, including HTTP, MSSQL, SMB, and SMTP, where user authentication is required. It employs a three-way handshake between the client and server to complete the authentication process. In some instances, a fourth message is added to ensure data integrity.
The full authentication process appears as follows:
- The client sends a NEGOTIATE_MESSAGE to advertise its capabilities.
- The server responds with a CHALLENGE_MESSAGE to verify the client’s identity.
- The client encrypts the challenge using its secret and responds with an AUTHENTICATE_MESSAGE that includes the encrypted challenge, the username, the hostname, and the domain name.
- The server verifies the encrypted challenge using the client’s password hash and confirms its identity. The client is then authenticated and establishes a valid session with the server. Depending on the application layer protocol, an authentication confirmation (or failure) message may be sent by the server.
Importantly, the client’s secret never travels across the network during this process.
NTLM is dead — long live NTLM
Despite being a legacy protocol with well-documented weaknesses, NTLM continues to be used in Windows systems and hence actively exploited in modern threat campaigns. Microsoft has announced plans to phase out NTLM authentication entirely, with its deprecation slated to begin with Windows 11 24H2 and Windows Server 2025 (1, 2, 3), where NTLMv1 is removed completely, and NTLMv2 disabled by default in certain scenarios. Despite at least three major public notices since 2022 and increased documentation and migration guidance, the protocol persists, often due to compatibility requirements, legacy applications, or misconfigurations in hybrid infrastructures.
As recent disclosures show, attackers continue to find creative ways to leverage NTLM in relay and spoofing attacks, including new vulnerabilities. Moreover, they introduce alternative attack vectors inherent to the protocol, which will be further explored in the post, specifically in the context of automatic downloads and malware execution via WebDAV following NTLM authentication attempts.
Persistent threats in NTLM-based authentication
NTLM presents a broad threat landscape, with multiple attack vectors stemming from its inherent design limitations. These include credential forwarding, coercion-based attacks, hash interception, and various man-in-the-middle techniques, all of them exploiting the protocol’s lack of modern safeguards such as channel binding and mutual authentication. Prior to examining the current exploitation campaigns, it is essential to review the primary attack techniques involved.
Hash leakage
Hash leakage refers to the unintended exposure of NTLM authentication hashes, typically caused by crafted files, malicious network paths, or phishing techniques. This is a passive technique that doesn’t require any attacker actions on the target system. A common scenario involving this attack vector starts with a phishing attempt that includes (or links to) a file designed to exploit native Windows behaviors. These behaviors automatically initiate NTLM authentication toward resources controlled by the attacker. Leakage often occurs through minimal user interaction, such as previewing a file, clicking on a remote link, or accessing a shared network resource. Once attackers have the hashes, they can reuse them in a credential forwarding attack.
Coercion-based attacks
In coercion-based attacks, the attacker actively forces the target system to authenticate to an attacker-controlled service. No user interaction is needed for this type of attack. For example, tools like PetitPotam or PrinterBug are commonly used to trigger authentication attempts over protocols such as MS-EFSRPC or MS-RPRN. Once the victim system begins the NTLM handshake, the attacker can intercept the authentication hash or relay it to a separate target, effectively impersonating the victim on another system. The latter case is especially impactful, allowing immediate access to file shares, remote management interfaces, or even Active Directory Certificate Services, where attackers can request valid authentication certificates.
Credential forwarding
Credential forwarding refers to the unauthorized reuse of previously captured NTLM authentication tokens, typically hashes, to impersonate a user on a different system or service. In environments where NTLM authentication is still enabled, attackers can leverage previously obtained credentials (via hash leakage or coercion-based attacks) without cracking passwords. This is commonly executed through Pass-the-Hash (PtH) or token impersonation techniques. In networks where NTLM is still in use, especially in conjunction with misconfigured single sign-on (SSO) or inter-domain trust relationships, credential forwarding may provide extensive access across multiple systems.
This technique is often used to facilitate lateral movement and privilege escalation, particularly when high-privilege credentials are exposed. Tools like Mimikatz allow extraction and injection of NTLM hashes directly into memory, while Impacket’s wmiexec.py, PsExec.py, and secretsdump.py can be used to perform remote execution or credential extraction using forwarded hashes.
Man-in-the-Middle (MitM) attacks
An attacker positioned between a client and a server can intercept, relay, or manipulate authentication traffic to capture NTLM hashes or inject malicious payloads during the session negotiation. In environments where safeguards such as digital signing or channel binding tokens are missing, these attacks are not only possible but frequently easy to execute.
Among MitM attacks, NTLM relay remains the most enduring and impactful method, so much so that it has remained relevant for over two decades. Originally demonstrated in 2001 through the SMBRelay tool by Sir Dystic (member of Cult of the Dead Cow), NTLM relay continues to be actively used to compromise Active Directory environments in real-world scenarios. Commonly used tools include Responder, Impacket’s NTLMRelayX, and Inveigh. When NTLM relay occurs within the same machine from which the hash was obtained, it is also referred to as NTLM reflexion attack.
NTLM exploitation in 2025
Over the past year, multiple vulnerabilities have been identified in Windows environments where NTLM remains enabled implicitly. This section highlights the most relevant CVEs reported throughout the year, along with key attack vectors observed in real-world campaigns.
CVE-2024‑43451
CVE-2024‑43451 is a vulnerability in Microsoft Windows that enables the leakage of NTLMv2 password hashes with minimal or no user interaction, potentially resulting in credential compromise.
The vulnerability exists thanks to the continued presence of the MSHTML engine, a legacy component originally developed for Internet Explorer. Although Internet Explorer has been officially deprecated, MSHTML remains embedded in modern Windows systems for backward compatibility, particularly with applications and interfaces that still rely on its rendering or link-handling capabilities. This dependency allows .url files to silently invoke NTLM authentication processes through crafted links without necessarily being open. While directly opening the malicious .url file reliably triggers the exploit, the vulnerability may also be activated through alternative user actions such as right clicking, deleting, single-clicking, or just moving the file to a different folder.
Attackers can exploit this flaw by initiating NTLM authentication over SMB to a remote server they control (specifying a URL in UNC path format), thereby capturing the user’s hash. By obtaining the NTLMv2 hash, an attacker can execute a pass-the-hash attack (e.g. by using tools like WMIExec or PSExec) to gain network access by impersonating a valid user, without the need to know the user’s actual credentials.
A particular case of this vulnerability occurs when attackers use WebDAV servers, a set of extensions to the HTTP protocol, which enables collaboration on files hosted on web servers. In this case, a minimal interaction with the malicious file, such as a single click or a right click, triggers automatic connection to the server, file download, and execution. The attackers use this flaw to deliver malware or other payloads to the target system. They also may combine this with hash leaking, for example, by installing a malicious tool on the victim system and using the captured hashes to perform lateral movement through that tool.
The vulnerability was addressed by Microsoft in its November 2024 security updates. In patched environments, motion, deletion, right-clicking the crafted .url file, etc. won’t trigger a connection to a malicious server. However, when the user opens the exploit, it will still work.
After the disclosure, the number of attacks exploiting the vulnerability grew exponentially. By July this year, we had detected around 600 suspicious .url files that contain the necessary characteristics for the exploitation of the vulnerability and could represent a potential threat.
BlindEagle campaign delivering Remcos RAT via CVE-2024-43451
BlindEagle is an APT threat actor targeting Latin American entities, which is known for their versatile campaigns that mix espionage and financial attacks. In late November 2024, the group started a new attack targeting Colombian entities, using the Windows vulnerability CVE-2024-43451 to distribute Remcos RAT. BlindEagle created .url files as a novel initial dropper. These files were delivered through phishing emails impersonating Colombian government and judicial entities and using alleged legal issues as a lure. Once the recipients were convinced to download the malicious file, simply interacting with it would trigger a request to a WebDAV server controlled by the attackers, from which a modified version of Remcos RAT was downloaded and executed. This version contained a module dedicated to stealing cryptocurrency wallet credentials.
The attackers executed the malware automatically by specifying port 80 in the UNC path. This allowed the connection to be made directly using the WebDAV protocol over HTTP, thereby bypassing an SMB connection. This type of connection also leaks NTLM hashes. However, we haven’t seen any subsequent usage of these hashes.
Following this campaign and throughout 2025, the group persisted in launching multiple attacks using the same initial attack vector (.url files) and continued to distribute Remcos RAT.
We detected more than 60 .url files used as initial droppers in BlindEagle campaigns. These were sent in emails impersonating Colombian judicial authorities. All of them communicated via WebDAV with servers controlled by the group and initiated the attack chain that used ShadowLadder or Smoke Loader to finally load Remcos RAT in memory.
Head Mare campaigns against Russian targets abusing CVE-2024-43451
Another attack detected after the Microsoft disclosure involves the hacktivist group Head Mare. This group is known for perpetrating attacks against Russian and Belarusian targets.
In past campaigns, Head Mare exploited various vulnerabilities as part of its techniques to gain initial access to its victims’ infrastructure. This time, they used CVE 2024-43451. The group distributed a ZIP file via phishing emails under the name “Договор на предоставление услуг №2024-34291” (“Service Agreement No. 2024-34291”). This had a .url file named “Сопроводительное письмо.docx” (translated as “Cover letter.docx”).
The .url file connected to a remote SMB server controlled by the group under the domain:
document-file[.]ru/files/documents/zakupki/MicrosoftWord.exe
The domain resolved to the IP address 45.87.246.40 belonging to the ASN 212165, used by the group in the campaigns previously reported by our team.
According to our telemetry data, the ZIP file was distributed to 121 users, 50% of whom belong to the manufacturing sector, 35% to education and science, and 5% to government entities, among other sectors. Of all the targets, 22 users interacted with the .url file.
To achieve their goals at the targeted companies, Head Mare used a number of publicly available tools, including open-source software, to perform lateral movement and privilege escalation, forwarding the leaked hashes. Among these tools detected in previous attacks are Mimikatz, Secretsdump, WMIExec, and SMBExec, with the last three being part of the Impacket suite tool.
In this campaign, we detected attempts to exploit the vulnerability CVE-2023-38831 in WinRAR, used as an initial access in a campaign that we had reported previously, and in two others, we found attempts to use tools related to Impacket and SMBMap.
The attack, in addition to collecting NTLM hashes, involved the distribution of the PhantomCore malware, part of the group’s arsenal.
CVE-2025-24054/CVE-2025-24071
CVE-2025-24071 and CVE-2025-24054, initially registered as two different vulnerabilities, but later consolidated under the second CVE, is an NTLM hash leak vulnerability affecting multiple Windows versions, including Windows 11 and Windows Server. The vulnerability is primarily exploited through specially crafted files, such as .library-ms files, which cause the system to initiate NTLM authentication requests to attacker-controlled servers.
This exploitation is similar to CVE-2024-43451 and requires little to no user interaction (such as previewing a file), enabling attackers to capture NTLMv2 hashes and gain unauthorized access or escalate privileges within the network. The most common and widespread exploitation of this vulnerability occurs with .library-ms files inside ZIP/RAR archives, as it is easy to trick users into opening or previewing them. In most incidents we observed, the attackers used ZIP archives as the distribution vector.
Trojan distribution in Russia via CVE-2025-24054
In Russia, we identified a campaign distributing malicious ZIP archives with the subject line “акт_выполненных_работ_апрель” (certificate of work completed April). These files inside the archives masqueraded as .xls spreadsheets but were in fact .library-ms files that automatically initiated a connection to servers controlled by the attackers. The malicious files contained the same embedded server IP address 185.227.82.72.
When the vulnerability was exploited, the file automatically connected to that server, which also hosted versions of the AveMaria Trojan (also known as Warzone) for distribution. AveMaria is a remote access Trojan (RAT) that gives attackers remote control to execute commands, exfiltrate files, perform keylogging, and maintain persistence.
CVE-2025-33073
CVE-2025-33073 is a high-severity NTLM reflection vulnerability in the Windows SMB client’s access control. An authenticated attacker within the network can manipulate SMB authentication, particularly via local relay, to coerce a victim’s system into authenticating back to itself as SYSTEM. This allows the attacker to escalate privileges and execute code at the highest level.
The vulnerability relies on a flaw in how Windows determines whether a connection is local or remote. By crafting a specific DNS hostname that partially overlaps with the machine’s own name, an attacker can trick the system into believing the authentication request originates from the same host. When this happens, Windows switches into a “local authentication” mode, which bypasses the normal NTLM challenge-response exchange and directly injects the user’s token into the host’s security subsystem. If the attacker has coerced the victim into connecting to the crafted hostname, the token provided is essentially the machine’s own, granting the attacker privileged access on the host itself.
This behavior emerges because the NTLM protocol sets a special flag and context ID whenever it assumes the client and server are the same entity. The attacker’s manipulation causes the operating system to treat an external request as internal, so the injected token is handled as if it were trusted. This self-reflection opens the door for the adversary to act with SYSTEM-level privileges on the target machine.
Suspicious activity in Uzbekistan involving CVE-2025-33073
We have detected suspicious activity exploiting the vulnerability on a target belonging to the financial sector in Uzbekistan.
We have obtained a traffic dump related to this activity, and identified multiple strings within this dump that correspond to fragments related to NTLM authentication over SMB. The dump contains authentication negotiations showing SMB dialects, NTLMSSP messages, hostnames, and domains. In particular, the indicators:
- The hostname localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA, a manipulated hostname used to trick Windows into treating the authentication as local
- The presence of the IPC$ resource share, common in NTLM relay/reflection attacks, because it allows an attacker to initiate authentication and then perform actions reusing that authenticated session
The incident began with exploitation of the NTLM reflection vulnerability. The attacker used a crafted DNS record to coerce the host into authenticating against itself and obtain a SYSTEM token. After that, the attacker checked whether they had sufficient privileges to execute code using batch files that ran simple commands such as whoami:
%COMSPEC% /Q /c echo whoami ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
Persistence was then established by creating a suspicious service entry in the registry under:
reg:\\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\YlHXQbXO
With SYSTEM privileges, the attacker attempted several methods to dump LSASS (Local Security Authority Subsystem Service) memory:
- Using rundll32.exe:
C:\Windows\system32\cmd.exe /Q /c CMD.exe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, #+0000^24 ^%B \Windows\Temp\vdpk2Y.sav fullThe command locates the lsass.exe process, which holds credentials in memory, extracts its PID, and invokes an internal function of comsvcs.dll to dump LSASS memory and save it. This technique is commonly used in post-exploitation (e.g., Mimikatz or other “living off the land” tools). - Loading a temporary DLL (BDjnNmiX.dll):
C:\Windows\system32\cmd.exe /Q /c cMd.exE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tAsKLISt /fi "Imagename eq lSAss.ex*" | find "lsass""') do rundll32.exe C:\Windows\Temp\BDjnNmiX.dll #+0000^24 ^%B \Windows\Temp\sFp3bL291.tar.log fullThe command tries to dump the LSASS memory again, but this time using a custom DLL. - Running a PowerShell script (Base64-encoded):
The script leverages MiniDumpWriteDump via reflection. It uses the Out-Minidump function that writes a process dump with all process memory to disk, similar to running procdump.exe.
Several minutes later, the attacker attempted lateral movement by writing to the administrative share of another host, but the attempt failed. We didn’t see any evidence of further activity.
Protection and recommendations
Disable/Limit NTLM
As long as NTLM remains enabled, attackers can exploit vulnerabilities in legacy authentication methods. Disabling NTLM, or at the very least limiting its use to specific, critical systems, significantly reduces the attack surface. This change should be paired with strict auditing to identify any systems or applications still dependent on NTLM, helping ensure a secure and seamless transition.
Implement message signing
NTLM works as an authentication layer over application protocols such as SMB, LDAP, and HTTP. Many of these protocols offer the ability to add signing to their communications. One of the most effective ways to mitigate NTLM relay attacks is by enabling SMB and LDAP signing. These security features ensure that all messages between the client and server are digitally signed, preventing attackers from tampering with or relaying authentication traffic. Without signing, NTLM credentials can be intercepted and reused by attackers to gain unauthorized access to network resources.
Enable Extended Protection for Authentication (EPA)
EPA ties NTLM authentication to the underlying TLS or SSL session, ensuring that captured credentials cannot be reused in unauthorized contexts. This added validation can be applied to services such as web servers and LDAP, significantly complicating the execution of NTLM relay attacks.
Monitor and audit NTLM traffic and authentication logs
Regularly reviewing NTLM authentication logs can help identify abnormal patterns, such as unusual source IP addresses or an excessive number of authentication failures, which may indicate potential attacks. Using SIEM tools and network monitoring to track suspicious NTLM traffic enhances early threat detection and enables a faster response.
Conclusions
In 2025, NTLM remains deeply entrenched in Windows environments, continuing to offer cybercriminals opportunities to exploit its long-known weaknesses. While Microsoft has announced plans to phase it out, the protocol’s pervasive presence across legacy systems and enterprise networks keeps it relevant and vulnerable. Threat actors are actively leveraging newly disclosed flaws to refine credential relay attacks, escalate privileges, and move laterally within networks, underscoring that NTLM still represents a major security liability.
The surge of NTLM-focused incidents observed throughout 2025 illustrates the growing risks of depending on outdated authentication mechanisms. To mitigate these threats, organizations must accelerate deprecation efforts, enforce regular patching, and adopt more robust identity protection frameworks. Otherwise, NTLM will remain a convenient and recurring entry point for attackers.
cyrboost reshared this.