Although the video game crash of the mid-80s caused a major decline in arcades from their peak popularity, the industry didn’t completely die off. In fact, there was a revival that lasted until the 90s with plenty of companies like Capcom, Midway, SEGA, and Konami all competing to get quarters, francs, loonies, yen, and other coins from around the world. During this time, Namco — another game company — built a colossal 28-player prototype shooter game. Eventually, they cut it down to a (still titanic) six-player game that was actually released to the world. [PhilWIP] and his associates are currently restoring one of the few remaining room-sized games that are still surviving.

The game is called Galaxian 3, with this particular one having been upgraded to a version called “Attack of the Zolgear”. Even though it’s “only” a six-person shooter, it’s still enormous in scale. The six players sit side-by-side in an enclosed room, each with their own controller. Two projectors handle the display, which is large even by modern standards, and a gauntlet of early-90s technology, including LaserDisc players, is responsible for all of the gameplay. When [PhilWIP] first arrived, the game actually powered on, but there were several problems to solve before it was playable. They also wanted to preserve the game, which meant imaging the LaserDiscs to copy their data onto modern storage. Some of the player input PCBs needed repairs, and there were several issues with the projectors. Eventually the team got the system working well enough to play.

[PhilWIP] and the others haven’t gotten all the issues ironed out yet. The hope is that subsequent trips will restore this 90s novelty to working order shortly. It turns out there were all kinds of unique hardware from this wild-west era that’s in need of restoring, as we saw a few years ago with this early 3D cabinet from the same era.

hackaday.com/2025/04/21/restor…

Internet non è più quello di una volta. Uno Studio pubblicato da Imperva, ha dimostrato che più della metà dell’intero traffico Internet non proviene da persone, ma da bot. È la prima volta nella storia che i programmi automatizzati cominciano a dominare lo spazio digitale.

Il motivo di questa impennata è il rapido sviluppo dell’intelligenza artificiale generativa. Sono queste le tecnologie alla base dei moderni bot in grado di imitare il comportamento umano, condurre conversazioni, scrivere lettere ed eseguire azioni automatiche sui siti web. Non tutti sono innocui: una parte significativa viene utilizzata per scopi dannosi.

Secondo Imperva, dal 2016 i bot “cattivi”, ovvero quelli progettati per attaccare, rubare dati o bypassare i sistemi, hanno iniziato a superare in numero quelli “buoni”. Nel 2024, i bot dannosi rappresentavano il 37% di tutto il traffico, mentre quelli benigni solo il 14%. Allo stesso tempo, un anno fa la quota di bot dannosi era del 32%, il che indica una crescita costante della minaccia.

Uno dei compiti principali di questi bot era intercettare gli account degli utenti. Lo scenario di attacco è semplice: il bot prova password e accessi rubati su diversi siti, sperando che qualcuno utilizzi la stessa password in più posti. Nel corso di un anno, il numero di tali attacchi è quasi raddoppiato, passando da 190 mila a dicembre 2023 a 330 mila a dicembre 2024. L’aumento potrebbe essere stato innescato da un’ondata di fughe di dati che ha aumentato il numero di coppie di dati utente disponibili.

Altre azioni dei bot dannosi includono il download in massa (web scraping) di informazioni da siti web, che minaccia sia i segreti commerciali sia i dati personali. Sono frequenti i casi in cui i bot sono coinvolti in frodi sui pagamenti sfruttando le vulnerabilità dei sistemi. Sono diventati particolarmente diffusi i cosiddetti scalping bot: acquistano biglietti o beni di successo per poi rivenderli a prezzi gonfiati, lasciando a bocca asciutta i veri acquirenti.

Il rapporto presta particolare attenzione ai settori che soffrono maggiormente dell’attività dei bot. Nel 2024, il settore turistico è diventato leader, rappresentando il 27% del traffico dannoso. Si tratta di una cifra superiore a quella del 2023, quando la quota era del 21%. I bot in questo segmento spesso simulano la prenotazione dei biglietti senza completare il processo. Di conseguenza, la determinazione dei prezzi viene alterata e il sistema di contabilità della domanda veniva fuorviato. Al secondo posto si è classificato il commercio al dettaglio con il 15%, mentre al terzo posto si è classificato l’istruzione con l’11%.

I bot stanno diventando più sofisticati. Mentre prima falsificavano solo l’aspetto del browser, ora utilizzano gli indirizzi IP degli utenti abituali e le VPN per nascondere la fonte del traffico. Alcuni di loro hanno imparato a eludere il CAPTCHA e ad adattarsi a un ambiente specifico, cambiando tattica se incontrano protezione.

Inoltre, sempre più bot non utilizzano una normale interfaccia web, ma interagiscono direttamente con la parte server dei siti tramite API: ciò semplifica la raccolta dei dati e rende le azioni invisibili ai sistemi di monitoraggio. Anche se gli utenti normali possono migliorare un po’ la propria sicurezza, la responsabilità principale della lotta ai bot ricade sui proprietari dei servizi online. Tuttavia, alcuni semplici accorgimenti possono aiutare a ridurre i rischi.

Pertanto, non dovresti mai usare la stessa password per account diversi, perché questo facilita la vita agli aggressori. Un gestore di password affidabile ti aiuterà a salvare combinazioni complesse. È anche importante installare antivirus e monitorare lo stato del computer in modo che non diventi parte di una botnet.

Infine, non fidarti dei servizi VPN dubbi: alcuni di essi potrebbero vendere il tuo indirizzo IP a terzi. Si consiglia inoltre di controllare il router di casa e di aggiornarne il firmware: i modelli più vecchi potrebbero essere vulnerabili ai tentativi di hackeraggio.

L'articolo Internet è invaso dai bot: ora il traffico umano è sotto il 50% e sono quasi tutte AI proviene da il blog della sicurezza informatica.

Over on his YouTube channel [Aaron Danner] explains biasing transistors with current sources in the 29th video of his Transistors Series. In this video, he shows how to replace a bias resistor (and consequently an additional capacitor) with a current source for both common-emitter and common-collector amplifiers.

A current source provides electrical energy with a constant current. The implication is that if the resistance of the load changes the current source will vary the voltage to compensate. In reality, this is exactly what you want. The usual resistor biasing arrangement just simulates this over a narrow voltage range, which is generally good enough, but not as good as a true current source.

As [Aaron] explains there are various advantages to biasing transistors with current sources instead of resistors, chief among them is that it allows you to get rid of a capacitor (capacitors are expensive to make in integrated circuits and often among the lowest-quality components in a design). You can also avoid losing some of your gain through the bias resistor.

The current source that [Aaron] uses in this video is known as a current mirror.

youtube.com/embed/kpd0uMzng8o?…

hackaday.com/2025/04/21/biasin…

La Cina introdurrà corsi di intelligenza artificiale per gli studenti delle scuole primarie e secondarie questo autunno. L’iniziativa prevede che i bambini a partire dai sei anni imparino a conoscere i chatbot, la tecnologia dell’intelligenza artificiale e l’etica, nell’ambito di un’iniziativa volta a rafforzare la propria posizione nel campo dell’intelligenza artificiale.

L’iniziativa fa parte di un piano più ampio per sviluppare un curriculum pluriennale di intelligenza artificiale, istituire un sistema di formazione e promuovere l’istruzione in materia di intelligenza artificiale a livello nazionale. L’espansione della formazione in intelligenza artificiale in Cina segue la rapida ascesa di DeepSeek, un’azienda nazionale di intelligenza artificiale che ha attirato l’attenzione globale.

Il Ministero dell’Istruzione ha designato 184 scuole come istituti pilota per programmi di intelligenza artificiale, gettando le basi per un’implementazione a livello nazionale. Il Ministro dell’Istruzione Huai Jinpeng ha definito l’intelligenza artificiale la “chiave d’oro” per il futuro dell’istruzione del Paese.

La Cina non è l’unica a integrare l’intelligenza artificiale nell’istruzione. Secondo e-Estonia, l’Estonia ha annunciato di recente che il programma AI Leap 2025 verrà lanciato il 1° settembre per offrire a 20.000 studenti delle classi 10-11 e a 3.000 insegnanti l’accesso gratuito alle principali applicazioni e alla formazione in materia di intelligenza artificiale.

“Stiamo iniziando un nuovo capitolo nello sviluppo del nostro sistema educativo e della società digitale”, ha affermato il presidente estone Alar Karis riporta Fortune. “L’intelligenza artificiale ha cambiato il mondo in modo permanente e, come tutti i settori, il sistema educativo deve adattarsi a questi cambiamenti”.

Il Canada e la Corea del Sud hanno introdotto libri di testo digitali basati sull’intelligenza artificiale e programmi di supporto agli insegnanti, mentre una scuola privata nel Regno Unito ha inaugurato un’aula “senza insegnante” in cui gli studenti utilizzano visori per la realtà virtuale e piattaforme di intelligenza artificiale al posto dell’insegnamento tradizionale.

Nonostante il potenziale rivoluzionario dell’intelligenza artificiale nell’apprendimento, molte aziende e ministeri dell’istruzione restano prudenti nell’affidarsi completamente a questi strumenti. L’IA può diventare un tutor personale gratuito, disponibile ovunque e in qualsiasi momento, ma porta con sé anche sfide etiche e di sicurezza.

Le Nazioni Unite hanno messo in guardia su questi rischi, chiedendo un uso inclusivo e responsabile dell’IA, con linee guida che mettano al centro l’umanità e la tutela dei minori. Anche i principali leader del settore educativo concordano su questa visione.

Ora però tocca all’Italia: è il momento di dare un segnale concreto e lungimirante, non tra dieci anni quando sarà troppo tardi, ma oggi, cogliendo questa occasione per guidare l’innovazione educativa con coraggio e responsabilità.

L'articolo A lezione di IA a 6 anni: la Cina prepara i suoi bambini alla rivoluzione dell’intelligenza artificiale proviene da il blog della sicurezza informatica.

Introduction

The evolution of Malware-as-a-Service (MaaS) has significantly lowered the barriers to entry for cybercriminals, with information stealers becoming one of the most commercially successful categories in this underground economy. Among these threats, Lumma Stealer has emerged as a particularly sophisticated player since its introduction in 2022 by the threat actor known as Lumma. Initially marketed as LummaC2, this information stealer quickly gained traction in underground forums, with prices starting at $250. As of March 2025, its presence on dark web marketplaces and Telegram channels continues to grow, with over a thousand active subscribers.

LummaC2 seller’s official website

Lumma delivery usually involves human interaction, such as clicking a link, running malicious commands, etc. Recently, while investigating an incident as part of our incident response services, our Global Emergency Response Team (GERT) encountered Lumma on a customer’s system. The analysis revealed that the incident was triggered by human interaction, namely the user was tricked into executing a malicious command by a fake CAPTCHA page. In this article, we will review in detail how the fake CAPTCHA campaign works and share a list of IoCs that we discovered during our analysis and investigation of the campaign. Although we already described this distribution method in an earlier article, more details about this campaign have been discovered since then.

Lumma Stealer’s distribution vectors

Lumma Stealer’s distribution methods are diverse, using common techniques typically seen in information-stealing malware campaigns. Primary infection vectors include phishing emails with malicious attachments or links, as well as trojanized legitimate applications. These deceptive tactics trick users into executing the malware, which runs silently in the background harvesting valuable data. Lumma has also been observed using exploit kits, social engineering, and compromised websites to extend its reach and evade detection by security solutions. In this article, we’ll focus mainly on the fake CAPTCHA distribution vector.

This vector involves fake verification pages that resemble legitimate services, often hosted on platforms that use Content Delivery Networks (CDNs). These pages typically masquerade as frequently used CAPTCHAs, such as Google reCAPTCHA or Cloudflare CAPTCHA, to trick users into believing they are interacting with a trusted service.

Fake CAPTCHA distribution vectors

Fake CAPTCHA distribution scheme

There are two types of resources used to promote fake CAPTCHA pages:

• Pirated media, adult content, and cracked software sites. The attackers clone these websites and inject malicious advertisements into the cloned page that redirect users to a malicious CAPTCHA.
• Fake Telegram channels for pirated content and cryptocurrencies. The attackers create Telegram channels with names containing keywords related to cryptocurrencies or pirated content, such as software, movies, etc. When a user searches for such content, the fraudulent channels appear at the top of the search. The attackers also use social media posts to lure victims to these channels. When a user joins such a channel, they are prompted to complete an identity verification via a fraudulent “Safeguard Captcha” bot.
  
  Safeguard Captcha bot

  Once the user clicks the Verify button, the bot opens a pop-up page with a fake CAPTCHA.

Fake CAPTCHA page

Users are presented with a pop-up page that looks like a standard CAPTCHA verification, prompting them to click I’m not a robot/Verify/Copy or some similar button. However, this is where the deception begins.

Fake CAPTCHA page examples

Fake page malicious content

When the I’m not a robot/Verify/Copy button is clicked, the user is instructed to perform an unusual sequence:

• Open the Run dialog(Win+R)
• Press Ctrl+V
• Hit Enter

Without the user’s knowledge, clicking the button automatically copies a PowerShell command to the clipboard. Once the user pastes the command into the Run dialog and presses Enter, the system executes the command.

Examples of scripts copied to the clipboard and executed via the Run dialog

The command may vary slightly from site to site and changes every few days, but it is typically used to download Lumma Stealer from a remote server, which is usually a known CDN with a free trial period or a legitimate code hosting and collaboration platform such as GitHub, and begin the malware installation process. Let’s take a closer look at this infection chain using the following command that was executed in our customer’s incident as an example:

Command triggering Lumma’s infection chain

The command is rather simple. It decodes and runs the contents from the remote win15.txt file hosted at https[:]//win15.b-cdn[.]net/win15.txt. The win15.txt file contains a Base64-encoded PowerShell script that then downloads and runs the Lumma Stealer. When decoded, the malicious PowerShell script looks like this:

Contents of win15.txt

The script performs the following actions:

1. Downloads the malware. It downloads the win15.zip file from https[:]//win15.b-cdn[.]net/win15.zip to [User Profile]\AppData\Roaming\bFylC6zX.zip.
2. Extracts the malware. The downloaded ZIP file is extracted to C:\Users\[User]\AppData\Roaming\7oCDTWYu, a hidden folder under the user’s AppData directory.
3. Executes the malware. The script runs the Set-up.exe file from the unpacked archive, which is now located at C:\Users\[User]\AppData\Roaming\7oCDTWYu\Set-up.exe.
4. Establishes persistence mechanism. The script creates an entry in the Windows Registry for persistency, ensuring that the malware runs every time the system starts. The registry key is added under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The key name is 5TQjtTuo, with the value pointing to Set-up.exe.

However, in some cases, the malware delivery mechanism can be more complex. In the following example, the delivery script is a JavaScript code hidden in what looks like an .mp3 file (other file formats such as .mp4 and .png have also been used). In fact, in addition to the JavaScript, the file may contain a corrupt .mp3/.mp4 file, legitimate software code, or just random data.

The script is executed using the Microsoft HTML Application engine mshta.exe by prompting the user to paste the following command into the Run dialog box:

Command triggering JS-based infection chain

The mshta command parses the file as an HTA file (Microsoft HTML Application) and executes any JavaScript code within the <script> tag, triggering the following infection chain:

Layer (1)

The JS script inside the .mp3 file is executed by mshta.

JS script within the never.mp3 file

Layer (2)

After calculating the Kwb value, the following script is obtained, which is then executed by the eval function.

Layer (2) JS script

Layer (3)

After calculating the values for kXN and zzI, the final ActiveX command is built and executed. It contains an encoded PowerShell script in the $PBwR variable.

Deobfuscated Layer (2) JS script

Layer (4)

After decoding the PowerShell script, we found that its main purpose is to download and execute another PowerShell file from the C2 path hXXps://connect[.]klipfuzj[.]shop/firefire[.]png.

Decrypted Layer (3) PowerShell script

Analysis for firefire.png

The file firefire.png is a huge PowerShell file (~31MB) with several layers of obfuscation and anti-debugging. After deobfuscating and removing unnecessary code, we could see that the main purpose of the file is to generate and execute an encrypted PowerShell script as follows:

firefire.png

The decryption key is the output of the Invoke-Metasploit command, which is blocked if the AMSI is enabled. As a result, an error message is generated by the AMSI: AMSI_RESULT_NOT_DETECTED, which is used as the key. If the AMSI is disabled, the malware will fail to decrypt the script.

The decrypted PowerShell script is approximately 1.5MB in size and its main purpose is to create and run a malicious executable file.

Decrypted PowerShell script

Infection methods and techniques

Lumma Stealer has been observed in the wild using a variety of infection methods, with two primary techniques standing out in its distribution campaigns: DLL sideloading and injection of a malicious payload into the overlay section of legitimate free software. These techniques are particularly effective at evading detection because they exploit the trust that users place in widely used applications and system processes.

• DLL sideloading
  DLL sideloading is a well-known technique where malicious dynamic link libraries (DLLs) are loaded by a legitimate application. This technique exploits vulnerabilities or misconfigurations in software that inadvertently load DLL files from untrusted directories. Attackers can drop the Lumma Stealer DLL in the same directory as a trusted application, causing it to load when the application is executed. Because the malicious DLL is loaded in the context of a trusted process, it is much harder for traditional security measures to detect the intrusion.
• Injection of malicious payload into the overlay section of software
  Another method commonly used by Lumma Stealer is to inject a malicious payload into the overlay section of free software. The overlay section is typically used for legitimate software functionality, such as displaying graphical interfaces or handling certain input events. By modifying this section of the software, the adversary can inject the malicious payload without disrupting the normal operation of the application. This method is particularly insidious because the software continues to appear legitimate while the malicious code silently executes in the background. It also helps the malware evade detection by security tools that focus on system-level monitoring.

Both of these methods rely on exploiting trusted applications, which significantly increases the chances of successful infection. These techniques can be used in combination with others, such as phishing or trojanized software bundles, to maximize the spread of Lumma Stealer to multiple targets.

Sample analysis

To demonstrate how the Lumma Stealer installers work and the impact on systems and data security, we’ll analyze the stealer sample we found in the incident at our customer. This sample utilizes the overlay injection technique. Below is a detailed breakdown of the infection chain and the various techniques used to deploy and execute Lumma Stealer.

Initial execution and self-extracting RAR (SFX)

The initial payload in this sample is delivered as ProjectorNebraska.exe, which consists of a corrupt legitimate file and the malware in the overlay section. It is executed by the victim. Upon execution, the file extracts and runs a self-extracting RAR (SFX) archive. This archive contains the next stage of the infection: a Nullsoft Scriptable Install System (NSIS) installer. NSIS is a widely used tool for creating Windows installers.

NSIS installer components

The NSIS installer drops several components that are critical to the malware’s execution:

NSIS installer components

These include AutoIt components and an obfuscated batch script loader named Hose.cmd. The following AutoIt components are dropped:

• Fragments of a legitimate AutoIt executable: These are pieces of a genuine AutoIt executable that are dropped to the victim’s system, and then reassembled during the infection process.
• Compiled AutoIt script: The compiled script carries the core functionality of Lumma Stealer, including operations such as credential theft and data exfiltration.

These components are later reassembled into the final executable payload using the batch script loader that concatenates and executes the various fragments.

Hose.cmd orchestrates the final steps of the malware’s execution. Below is a breakdown of its key components (after deobfuscation):

Deobfuscated batch script code

Process tree after executing the batch script

The batch script performs the following actions:

• Security product evasion
  
  • The script scans for the presence of security software (SecureAnywhere and Quick Heal AntiVirus) using the tasklist If either of them is detected, it delays execution via the ping -n 198 command, which pings localhost 198 times. This trick is used to avoid sandbox detection, as the sandbox typically exits before the script completes the ping task.
  • The script checks for the presence of any of the following: Avast, AVG, McAfee, Bitdefender, Sophos, using the tasklist If one of them is detected, it keeps the executable name for AutoIt as AutoIt3.exe; otherwise, it renames it to Suggests.pif.

  
  

• Environment setup and payload preparation. It sets environment variables for the AutoIt executable and the final payload. It also creates a working directory named 195402 in the Temp directory to store malicious components.
• Obfuscation and extraction. The script filters and cleans a file named Sitting from the NSIS installer by removing the string OptimumSlipProfessionalsPerspective, and storing the result as Suggests.pif. It then uses the copy /b command to merge Suggests.pif with an additional component from the NSIS installer named Oclc into the AutoIt executable, saving it again as Suggests.pif.
• Payload assembly. It concatenates multiple files from the NSIS installer: Italy, Holmes, True, etc. to generate the final executable with the name h.a3x, which is an AutoIt script.
• Execution of Lumma Stealer. Finally, the script runs Suggests.pif, which in turn executes h.a3x, triggering the AutoIt-based execution of Lumma Stealer.

AutoIt script analysis

During the analysis, the AutoIt Extractor utility was used to decompile and extract the script from the h.a3x file. The script was heavily obfuscated and required additional deobfuscation to get a clean and analyzable .au3 script. Below is the analysis of the AutoIt loader’s behavior.

AutoIt script extraction

Anti-analysis checks

The script begins by validating the environment to detect analysis tools or sandbox environments. It checks for specific computer names and usernames often associated with testing environments.

Environment validation

It then checks for processes from popular antivirus tools such as Avast (avastui.exe), Bitdefender (bdagent.exe), and Kaspersky (avp.exe).

Anti-AV checks

If any of these conditions are met, the script halts execution to evade detection.

Executing loader shellcode

If the anti-analysis checks are passed, the script dynamically selects 32-bit or 64-bit shellcode based on the system architecture, which is located in the $vinylcigaretteau variable inside the script. To do this, it allocates executable memory and injects the shellcode into it. The shellcode then initializes the execution environment and prepares for the second-stage payload.

Part of the AutoIt loader responsible for the shellcode execution

Processing the $dayjoy payload

After executing the loader shellcode, the script processes the second-stage payload located in the $dayjoy variable. The payload is decrypted using RC4 with a hardcoded key 1246403907690944.

The encrypted payload

To decrypt the payload independently, we wrote a custom Python script that you can see in the screenshot below.

Python script for payload decryption

The decrypted payload is decompressed using the LZNT1 algorithm.

Payload decompression

Final payload execution

After decryption and decompression, the $dayjoy payload is executed in memory. The script uses DllCallAddress to invoke the payload directly in the allocated memory. This ensures the payload is executed stealthily without being written to disk.

Final payload execution

This final payload is the stealer itself. The malware’s comprehensive data theft capabilities target a wide range of sensitive information, including:

• Cryptocurrency wallet credentials (e.g., Binance, Ethereum) and associated browser extensions (e.g., MetaMask)
• Two-factor authentication (2FA) data and authenticator extensions
• Browser-stored credentials and cookies
• Stored credentials from remote access tools such as AnyDesk
• Stored credentials from password managers such as KeePass
• System and application data
• Financial information such as credit card numbers

C2 communication

Once Lumma Stealer is executed, it establishes communication with its command and control (C2) servers to exfiltrate the stolen data. The malware sends the collected information back to the attacker’s infrastructure for further exploitation. This communication is typically performed over HTTP or HTTPS, often disguised as legitimate traffic to avoid detection by network security monitoring tools.

C2 servers identified

The following C2 domains used by Lumma Stealer to communicate with the attackers were identified in the analyzed sample:

• reinforcenh[.]shop
• stogeneratmns[.]shop
• fragnantbui[.]shop
• drawzhotdog[.]shop
• vozmeatillu[.]shop
• offensivedzvju[.]shop
• ghostreedmnu[.]shop
• gutterydhowi[.]shop

These domains are used to receive stolen data from infected systems. Communication with these servers is typically via encrypted HTTP POST requests.

Conclusions

As a mass-distributed malicious program, Lumma Stealer employs a complex infection chain that includes a number of anti-analysis and detection evasion techniques, to stealthily infiltrate the victim’s device. Although the initial infection via dubious pirated software and cryptocurrency-related websites and Telegram channels suggests that individuals are the primary targets of these attacks, we saw Lumma in an incident at one of our customers, which illustrates that organizations can also fall victim to this threat. The information stolen by such malware may end up in the hands of more prominent cybercriminals, such as ransomware operators. That’s why it’s important to prevent stealer infections at the early stages. By understanding the infection techniques, security professionals can better defend against this growing threat and develop more effective detection and prevention strategies.

IoCs

The following list contains the URLs detected during our research. Note that the attackers change the malicious URLs and Telegram channels almost daily, and the IoCs provided in this section were already inactive at the time of writing. However, they may be useful for retrospective threat detection.

Malicious fake CAPTCHA pages

• seenga[.]com/page/confirm.html
• serviceverifcaptcho[.]com
• downloadsbeta[.]com
• intelligenceadx[.]com
• downloadstep[.]com
• nannyirrationalacquainted[.]com
• suspectplainrevulsion[.]com
• streamingsplays[.]com
• bot-detection-v1.b-cdn[.]net
• bot-check-v5.b-cdn[.]net
• spam-verification.b-cdn[.]net
• human-test.b-cdn[.]net
• b-cdn[.]net
• b-cdn[.]net

Telegram channels distributing Lumma

• t[.]me/hitbase
• t[.]me/sharmamod

securelist.com/lumma-fake-capt…

ANOTHER MONDAY, ANOTHER DIGITAL POLITICS. I'm Mark Scott, and you find me enjoying the four-day Easter weekend here in the United Kingdom. In honor of that, I give you my new favorite podcast.

In my day job, I'll be interviewing Brad Smith, Microsoft's president, in Brussels on April 30 at 10am CET. You can watch along here. For those of you who would like to attend in person, drop me a line here.

— Policymakers worldwide are now seriously considering a future where digital policymaking excludes the United States. Let's unpick what that means.

— It's official: Google is most definitely a monopoly, on both sides of the Atlantic. That will have far-reaching consequences — but it will take time.

— Digital rights civil society groups have been severely impacted by cuts in US government support. Here are the charts that explain the impact.

Let's get started:

digitalpolitics.co/newsletter0…

At Hackaday, it is always clock time, and clock time is a great time to check in with [shiura], whose 3D Printed Perpetual Calendar Clock is now at Version 2. A 3D printed calendar clock, well, no big deal, right? Grab a few steppers, slap in an ESP32 to connect to a time server, and you’re good. That’s where most of us would probably go, but most of us aren’t [shiura], who has some real mechanical chops.
There’s also a 24-hour dial, because why not?
This clock isn’t all mechanical. It probably could be, but at its core it uses a commercial quartz movement — you know, the cheap ones that take a single double-A battery. The only restriction is that the length of the hour axis must be twelve millimeters or more. Aside from that, a few self-tapping screws and an M8 nut, everything else is fully 3D printed.

From that simple quartz movement, [shiura]’s clock tracks not only the day of the week, the month and date — even in Febuary, and even compensating for leap years. Except for the inevitable drift (and battery changes) you should not have to adjust this clock until March 2100, assuming both you and the 3D printed mechanism live that long. Version one actually did all this, too, but somehow we missed it; version two has some improvements to aesthetics and usability. Take a tour of the mechanism in the video after the break.

We’ve featured several of [shiura]’s innovative clocks before, from a hybrid mechanical-analog display, to a splitless flip-clock, and a fully analog hollow face clock. Of course [shiura] is hardly our only clock-making contributor, because it it always clock time at Hackaday.

youtube.com/embed/H03xxuqXKgE?…

hackaday.com/2025/04/21/printe…

With each passing year, phishing attacks feature more and more elaborate techniques designed to trick users and evade security measures. Attackers employ deceptive URL redirection tactics, such as appending malicious website addresses to seemingly safe links, embed links in PDFs, and send HTML attachments that either host the entire phishing site or use JavaScript to launch it. Lately, we have noticed a new trend where attackers are distributing attachments in SVG format, the kind normally used for storing images.

SVG format

SVG (Scalable Vector Graphics) is a format for describing two-dimensional vector graphics using XML. This is how an SVG file appears when opened in image viewing software.

SVG image

But if you open it in a text editor, you can see the XML markup that describes the image. This markup allows for easy editing of image parameters, eliminating the need for resource-intensive graphics editors.

This is what an SVG file looks like when opened in a text editor

Since SVG is based on XML, it supports JavaScript and HTML, unlike JPEG or PNG. This makes it easier for designers to work with non-graphical content like text, formulas, and interactive elements. However, attackers are exploiting this by embedding scripts with links to phishing pages within the image file.

Sample SVG file with embedded HTML code. The tag introduces HTML markup

Phishing email campaigns leveraging SVG files

At the start of 2025, we observed phishing emails that resembled attacks with an HTML attachment, but instead utilized SVG files.

Phishing email with an SVG attachment

A review of the email’s source code shows that the attachment is identified as an image type.

The file as displayed in the email body

However, opening the file in a text editor reveals that it is essentially an HTML page with no mention of vector graphics.

Code of the SVG file

In a browser, this file appears as an HTML page with a link that supposedly points to an audio file.

SVG file viewed as HTML

Clicking the link redirects the user to a phishing page masquerading as Google Voice.

Phishing page mimicking Google Voice

The audio track at the top of the page is a static image. Clicking “Play Audio” redirects the user to a corporate email login page, allowing attackers to capture their credentials. This page, too, mentions Google Voice. The page also includes the target company’s logo, aiming to lower the user’s guard.

Login form

In a separate instance, mimicking a notification from an e-signature service, attackers presented an SVG attachment as a document that required review and signature.

Phishing e-signature request

Unlike the first example, where the SVG file acted as an HTML page, in this case it contains JavaScript that, when the file is opened, launches a browser window with a phishing site featuring a fake Microsoft login form.

Code of the SVG file

Phishing login form

Statistics

Our telemetry data indicates a significant increase in SVG campaigns during March 2025. We found 2,825 of these emails in just the first quarter of the year.

Emails with SVG attachments, January through March 2025 (download)

In April, the upward trend continued: in the first half of the month, we detected 1324 emails with SVG attachments – more than two-thirds of March’s figure.

Takeaways

Phishers are relentlessly exploring new techniques to circumvent detection. They vary their tactics, sometimes employing user redirection and text obfuscation, and other times, experimenting with different attachment formats. The SVG format provides the capability to embed HTML and JavaScript code within images, which is misused by attackers. Despite not being widespread at the time of this study, SVG attachment attacks are showing a clear upward trend. These attacks, while currently relatively basic – much like HTML attachment scenarios – involve SVG files containing either a phishing link page or a redirection script to a fraudulent site. However, the use of SVG as a container for malicious content can also be employed in more sophisticated targeted attacks.

securelist.com/svg-phishing/11…

Gli aggressori utilizzano sempre più spesso metodi di promozione sui motori di ricerca per attirare gli utenti verso siti dannosi. Vengono utilizzati sia il “black SEO” sia gli annunci a pagamento, il tutto per garantire che le risorse dannose appaiano il più in alto possibile nei risultati di ricerca.

Questo approccio è chiamato SEO poisoning. I criminali mascherano contenuti dannosi da siti legittimi, sfruttando la fiducia nei marchi noti. In particolare, sono state identificate campagne in cui siti web falsi imitavano pagine di download di applicazioni popolari, come Firefox, WhatsApp e Telegram, e raccoglievano informazioni riservate da utenti ignari.

I ricercatori dell’ESET hanno analizzato delle campagne in cui i truffatori promuovevano falsi annunci Google per attirare le vittime su siti web falsi. Alcuni di essi erano in grado di assumere il controllo completo dei dispositivi della vittima.

Il settore finanziario continua a rappresentare un obiettivo particolarmente interessante. Nel 2022 si sono verificati casi in America Latina in cui sono stati distribuiti annunci pubblicitari dannosi sotto le mentite spoglie di Mastercard. Un altro esempio è un attacco di phishing sotto il marchio della compagnia di autobus argentina La Veloz del Norte, che ha portato al furto di dati personali e di pagamento degli utenti che cercavano di acquistare i biglietti.

L’intelligenza artificiale apre anche nuove opportunità per gli aggressori. I truffatori utilizzano attivamente la pubblicità per promuovere falsi servizi che si suppone siano basati sull’intelligenza artificiale, come i falsi siti ChatGPT. Il loro obiettivo è ottenere i dati della carta di credito. Spesso tali siti vengono progettati con i loghi di partner noti per apparire più convincenti.

I motori di ricerca si stanno impegnando per contrastare questo fenomeno. In un rapporto di Google Ads Safety 2023, gli esperti dell’azienda hanno bloccato o rimosso oltre 5,5 miliardi di annunci. Tuttavia, alcune minacce continuano a trapelare nei risultati di ricerca.

Per ridurre al minimo i rischi, gli esperti consigliano di controllare attentamente gli indirizzi dei siti web prima di cliccare su un link, di utilizzare soluzioni antivirus, di abilitare l’autenticazione a due fattori e di controllare gli annunci pubblicitari tramite gli strumenti integrati di Google.

La manipolazione dei motori di ricerca dimostra quanto sia importante fare attenzione ogni volta che si clicca su un link. Nonostante lo sviluppo della tecnologia e dell’intelligenza artificiale, la ricerca classica è ancora popolare.

L'articolo SEO Poisoning: Quando Google Diventa il Primo Alleato dei Cybercriminali proviene da il blog della sicurezza informatica.

La semplice installazione di una scheda SIM in un router può causare perdite finanziarie imprevedibili: lo si è scoperto dopo un incidente in Estonia, dove un utente ha ricevuto una fattura di quasi mille euro per aver inviato più di 10 mila SMS in pochi giorni.

Come riportato dalla pubblicazione di Digigeenius, la causa dell’attività imprevista è stata un router mobile infetto con supporto 4G/5G. Non si sa esattamente come il dispositivo sia stato compromesso, soprattutto considerando che è stato acquistato all’estero e da una fonte sconosciuta.

I router mobili, spesso utilizzati per creare hotspot portatili, possono inviare SMS: si tratta di una funzionalità standard destinata alle notifiche o ai messaggi tecnici. Tuttavia, spesso il malware sfrutta questa opportunità per inviare spam o messaggi fraudolenti, il che comporta costi aggiuntivi. Ciò è particolarmente rilevante per gli utenti che inseriscono schede SIM con servizi voce e SMS non disattivati ​​dall’operatore.

Molti piani hotspot mobili prevedono solo il traffico dati. Tuttavia, non tutti gli operatori limitano i servizi vocali e di testo e spesso gli utenti non sono consapevoli dei potenziali rischi. Sono proprio questi casi a diventare un comodo punto di accesso per gli attacchi, quando i router si trasformano silenziosamente in strumenti nelle mani dei criminali informatici.

Esiste un intero mercato di router economici di dubbia provenienza che sono vulnerabili agli attacchi, soprattutto se il loro firmware non viene aggiornato, le password di fabbrica non vengono modificate o i pannelli amministrativi vengono lasciati aperti. Casi simili sono stati registrati in passato, anche negli Stati Uniti. Ad esempio, la botnet che utilizzava una vulnerabilità nel TP-Link MR6400, trasformando i dispositivi infetti in un servizio di invio di SMS di massa con lo scopo di ingannare gli utenti.

La sicurezza di tali router è discutibile anche perché spesso diventano parte di botnet più ampie, attraverso le quali sono possibili altre minacce informatiche, dal phishing agli attacchi ad altri dispositivi in ​​rete. I ricercatori sottolineano che gli attacchi possono iniziare con una semplice ipotesi di password, soprattutto se il dispositivo ha un pannello di controllo aperto su Internet.

È possibile proteggersi da tali minacce seguendo alcune semplici regole: utilizzare solo router di produttori noti, aggiornare regolarmente il firmware, disabilitare l’accesso web da Internet, chiudere tutte le porte inutilizzate, assicurarsi di modificare le password di fabbrica, riavviare periodicamente il dispositivo e monitorare le impostazioni della scheda SIM e del piano tariffario.

Particolare attenzione va prestata alle funzioni SMS: se non vengono utilizzate, si consiglia di disattivarle subito dopo l’installazione della scheda SIM.

Tuttavia, se il router è già infetto, diventa estremamente difficile interferire con il suo funzionamento e qualsiasi impostazione può essere ignorata dal malware. Ecco perché la prevenzione e la scelta corretta delle attrezzature rimangono fattori chiave.

L'articolo Basta una SIM nel router e un malware per svuotarti il conto proviene da il blog della sicurezza informatica.

I ricercatori hanno svelato un nuovo modulo di linguaggio AI chiamato xTrimoPGLM in grado sia di comprendere che di creare sequenze proteiche utilizzando un unico approccio di apprendimento. Questa soluzione offre un modo fondamentalmente nuovo di lavorare con i dati biologici, a livello di sequenze di amminoacidi, come se si trattasse di testo in linguaggio naturale.

I modelli precedentemente esistenti che studiavano le proteine ​​si basavano su diversi metodi di pre-addestramento: alcuni ripristinavano le regioni mancanti (autocodifica), altri prevedevano l’amminoacido successivo (autoregressivo).

Tuttavia, ognuno di loro era bravo solo in un compito: comprendere la struttura di una proteina o generarne di nuove. xTrimoPGLM combina entrambe le strategie ed è il primo a imparare da un obiettivo comune, abbracciando entrambi gli approcci contemporaneamente. Ciò ha consentito al modello di raggiungere dimensioni senza precedenti: 100 miliardi di parametri e un trilione di token di addestramento.

I risultati sono impressionanti: xTrimoPGLM ha ottenuto i risultati migliori in 18 diverse attività di analisi proteica, tra cui classificazione, proprietà e previsione delle interazioni. Inoltre, il modello consente di comprendere la struttura delle proteine ​​a livello atomico e viene utilizzato come base per un nuovo modello 3D che prevede la struttura delle proteine ​​con una precisione superiore a strumenti simili basati su modelli linguistici.

Ma non solo analisi: il modello può anche creare. È in grado di generare nuove proteine ​​seguendo i principi delle sequenze naturali. Dopo un ulteriore addestramento su set di dati specializzati, è addirittura possibile eseguire una generazione mirata con proprietà specifiche, il che apre la strada allo sviluppo di nuovi farmaci ed enzimi.

I pesi del modello e i set di dati sono già pubblicati sulla piattaforma HuggingFace e sono a disposizione dei ricercatori, rendendo xTrimoPGLM un contributo significativo allo sviluppo di modelli di base proteici e ampliando gli orizzonti dell’intelligenza artificiale nelle scienze della vita.

L'articolo Capacità generative: xTrimoPGLM crea nuove sequenze proteiche proviene da il blog della sicurezza informatica.

Water is an excellent coolant, but the flip side is that it is also an excellent solvent. This, in short, is why any water cooling loop is also a prime candidate for an interesting introduction to the galvanic metal series, resulting in severe corrosion that commences immediately. In a recent video by [der8aer], this issue is demonstrated using a GPU cold plate. The part is made out of nickel-plated copper and features many small channels to increase surface area with the coolant.
The surface analysis of the sample cold plate after a brief exposure to distilled water shows the deposited copper atoms. (Credit: der8auer, YouTube)
Theoretically, if one were to use distilled water in a coolant loop that contains a single type of metal (like copper), there would be no issue. As [der8auer] points out, fittings, radiators, and the cooling block are nearly always made of various metals and alloys like brass, for example. This thus creates the setup for galvanic corrosion, whereby one metal acts as the anode and the other as a cathode. While this is desirable in batteries, for a cooling loop, this means that the water strips metal ions off the anode and deposits them on the cathode metal.

The nickel-plated cold plate should be immune to this if the plating were perfect. However, as demonstrated in the video, even a brief exposure to distilled water at 60°C induced strong galvanic corrosion. Analysis in an SEM showed that the imperfect nickel plating allowed copper ions to be dissolved into the water before being deposited on top of the nickel (cathode). In a comparison with another sample that had a coolant with corrosion inhibitor (DP Ultra) used, no such corrosion was observed, even after much longer exposure.

This DP Ultra coolant is mostly distilled water but has glycol added. The glycol improves the pH and coats surfaces to prevent galvanic corrosion. The other element is benzotriazole, which provides similar benefits. Of course, each corrosion inhibitor targets a specific environment, and there is also the issue with organic films forming, which may require biocides to be added. As usual, water cooling has more subtlety than you’d expect.

youtube.com/embed/7pIpKetQlZs?…

hackaday.com/2025/04/20/preven…

China played host to what, presumably, was the world’s first robot and human half-marathon. You can check out the action and the Tiangong Ultra robot that won in the video below. The event took place in Beijing and spanned 21.1 km. There was, however, a barrier between lanes for humans and machines.

The human rules were the same as you’d expect, but the robots did need a few concessions, such as battery swap stops. The winning ‘bot crossed the finish line in just over 160 minutes. However, there were awards for endurance, gait design, and design innovation.

Humans still took the top spots, though. We also noted that some of the robots had issues where they lost control or had other problems. Even the winner fell down once and had three battery changes over the course.

Of the 21 robots that started, only six made the finish line. We don’t know how many of the 12,000 humans finished, but we are pretty sure it was more than six, so we don’t think runners have to worry about robot overlords yet. But they’re getting better all the time.

youtube.com/embed/BYmCxYTbg50?…

hackaday.com/2025/04/20/china-…

We appear to be edging ever closer to a solid statement of “We are not alone” in the universe with this week’s announcement of the detection of biosignatures in the atmosphere of exoplanet K2-18b. The planet, which is 124 light-years away, has been the focus of much attention since it was discovered in 2015 using the Kepler space telescope because it lies in the habitable zone around its red-dwarf star. Initial observations with Hubble indicated the presence of water vapor, and follow-up investigations using the James Webb Space Telescope detected all sorts of goodies in the atmosphere, including carbon dioxide and methane. But more recently, JWST saw signs of dimethyl sulfide (DMS) and dimethyl disulfide (DMDS), organic molecules which, on Earth, are strongly associated with biological processes in marine bacteria and phytoplankton.

The team analyzing the JWST data says that the data is currently pretty good, with a statistical significance of 99.7%. That’s a three-sigma result, and while it’s promising, it’s not quite good enough to seal the deal that life evolved more than once in the universe. If further JWST observations manage to firm that up to five sigma, it’ll be the most important scientific result of all time. To our way of thinking, it would be much more significant than finding evidence of ancient or even current life in our solar system, since cross-contamination is so easy in the relatively cozy confines of the Sun’s gravity well. K2-18b is far enough away from our system as to make that virtually impossible, and that would say a lot about the universality of biochemical evolution. It could also provide an answer to the Fermi Paradox, since it could indicate that the galaxy is actually teeming with life but under conditions that make it difficult to evolve into species capable of making detectable techno-signatures. It’s hard to build a radio or a rocket when you live on a high-g water world, after all.

Closer to home, there’s speculation that the famous Antikythera mechanism may not have worked at all in its heyday. According to researchers from Universidad Nacional de Mar del Plata in Argentina, “the world’s first analog computer” could not have worked due to the accumulated mechanical error of its gears. They blame this on the shape of the gear teeth, which appear triangular on CT scans of the mechanism, and which they seem to attribute to manufacturing defects. Given the 20-odd centuries the brass-and-iron device spent at the bottom of the Aegean Sea and the potential for artifacts in CT scans, we’re not sure it’s safe to pin the suboptimal shape of the gear teeth on the maker of the mechanism. They also seem to call into question the ability of 1st-century BCE craftsmen to construct a mechanism with sufficient precision to serve as a useful astronomical calculator, a position that Chris from Clickspring has been putting the lie to with his ongoing effort to reproduce the Antikythera mechanism using ancient tools and materials. We’re keen to hear what he has to say about this issue.

Speaking of questionable scientific papers, have you heard about “vegetative electron microscopy”? It’s all the rage, having been mentioned in at least 22 scientific papers recently, even though no such technique exists. Or rather, it didn’t exist until around 2017, when it popped up in a couple of Iranian scientific papers. How it came into being is a bit of a mystery, but it may have started with faulty scans of a paper from the 1950s, which had the terms “vegetative” and “electron microscopy” printed in different columns but directly across from each other. That somehow led to the terms getting glued together, possibly in one of those Iranian papers because the Farsi spelling of “vegetative” is very similar to “scanning,” a much more sensible prefix to “electron microscopy.” Once the nonsense term was created, it propagated into subsequent papers of dubious scientific provenance by authors who didn’t bother to check their references, or perhaps never existed in the first place. The wonders of our AI world never cease to amaze.

And finally, from the heart of Silicon Valley comes a tale of cyber hijinks as several crosswalks were hacked to taunt everyone’s favorite billionaires. Twelve Palo Alto crosswalks were targeted by persons unknown, who somehow managed to gain access to the voice announcement system in the crosswalks and replaced the normally helpful voice messages with deep-fake audio of Elon Musk and Mark Zuckerberg saying ridiculous but plausible things. Redwood City and Menlo Park crosswalks may have also been attacked, and soulless city officials responded by disabling the voice feature. We get why they had to do it, but as cyberattacks go, this one seems pretty harmless.

youtube.com/embed/Uy1oNvsUQ0o?…

hackaday.com/2025/04/20/hackad…

Forth is popular on small computers because it is simple to implement, yet quite powerful. But what happens when you really need to shrink it? Well, if your target is the 6502, there’s milliForth-6502.

This is a port of milliForth, which is a fork of sectorforth. The sectorforth project set the standard, implementing a Forth so small it could fit in a 512-byte boot sector. The milliForth project took sectorforth and made it even smaller, weighing in at only 336 bytes. However, both milliForth and sectorforth are for the x86 architecture. With milliForth-6502, [Alvaro G. S. Barcellos] wanted to see how small he could make a 6502 implementation.

So how big is the milliForth-6502 binary? Our tests indicate: 1,110 bytes. It won’t quite fit in a boot sector, but it’s pretty small!

Most of the code for milliForth-6502 is assembly code in sector-6502.s. This code is compiled using tools from the cc65 project. To run the code lib6502 is used for 6502 emulation.

Emulation is all well and good as far as it goes, especially for development and testing, but we’d love to see this code running on a real 6502. Even better would be a 6502 built from scratch! If you get this code running we’d love to hear how it went!

youtube.com/embed/6P4tEYLEhU8?…

hackaday.com/2025/04/20/millif…

Le e-mail interne inviate dai dipendenti di Snapchat, la popolare app di messaggistica fotografica e video, dimostrano che l’azienda ha deliberatamente danneggiato adolescenti e giovani adulti, ovvero il pubblico a cui si rivolge.

Lo psicologo sociale e autore del best-seller Generation Anxious Jonathan Haidt ha pubblicato la scorsa settimana un articolo su Substack in cui detto che Snap Inc. riceve ogni mese migliaia di segnalazioni di “sextortion”, ovvero estorsione sessuale.

Insieme al ricercatore Zach Rush, ha presentato decine di estratti da rapporti interni, studi, e-mail e dichiarazioni pubbliche in cui i dipendenti e i consulenti di Snap riconoscono che Snapchat danneggia i minori. Secondo gli autori, queste confessioni possono essere raggruppate in cinque aree: uso compulsivo, accesso a droghe e armi, distribuzione di materiale pedopornografico e casi di rapporti intimi forzati, cyberbullismo e consapevolezza di danni e violazioni dell’età senza azioni appropriate da parte dell’azienda.

Così come nel caso Per quanto riguarda TikTok, Haidt e Rush affermano che i dipendenti di Snap erano ben consapevoli della portata del problema, ma non stavano adottando le misure necessarie. Alcune di queste problematiche sono note da tempo, come la funzione “streak“, che conta il numero di giorni consecutivi in ​​cui gli utenti condividono foto.

Ciò crea un falso senso di impegno e attaccamento negli adolescenti, e la perdita di questo “lato positivo” può essere percepita quasi come la perdita di un’amicizia. Allo stesso tempo, l’applicazione in sé rimane un mezzo di comunicazione superficiale: non garantisce un contatto reale e non sostituisce l’interazione dal vivo.

È noto che molti ex dirigenti di colossi della tecnologia, tra cui quelli che hanno partecipato alle riprese del documentario “The Social Dilemma“, non permettono ai propri figli di utilizzare gli smartphone. Sanno fin troppo bene cosa devono affrontare gli utenti, soprattutto quelli più giovani.

E se gli inventori di questi sistemi si rifiutano di affidarli ai propri figli, perché dovrebbero farlo i genitori comuni?

Gli autori del rapporto ritengono che sia giunto il momento di avviare una riflessione seria sulla dipendenza digitale e sulla responsabilità delle aziende tecnologiche.

Forse, con l’aumento delle cause legali e il cambiamento dell’opinione pubblica, più persone inizieranno a considerare il prezzo che pagano per essere costantemente presenti nel mondo digitale.

L'articolo Snapchat sapeva tutto: come l’app ha danneggiato milioni di adolescenti proviene da il blog della sicurezza informatica.

Despite the best efforts of the RepRap community over the last twenty years, self-replicating 3D printers have remained a stubbornly elusive goal, largely due to the difficulty of printing electronics. [Brian Minnick]’s fully-printed 3D printer could eventually change that, and he’s already solved an impressive number of technical challenges in the process.

[Brian]’s first step was to make a 3D-printable motor. Instead of the more conventional stepper motors, he designed a fully 3D-printed 3-pole brushed motor. The motor coils are made from solder paste, which the printer applies using a custom syringe-based extruder. The paste is then sintered at a moderate temperature, resulting in traces with a resistivity as low as 0.001 Ω mm, low enough to make effective magnetic coils.

Brushed motors are less accurate than stepper motors, but they do have a particularly useful advantage here: their speed can be controlled simply by varying the voltage. This enables a purely electromechanical control system – no microcontroller on this printer! A 3D-printed data strip encodes instructions for the printer as holes in a plastic sheet, which open and close simple switches in the motor controller. These switches control the speed, direction, and duration of the motors’ movement, letting the data strip encode motion vectors.

Remarkably, the hotend on this printer is also 3D-printed. [Brian] took advantage of the fact that PEEK’s melting point increases by about 110 ℃ when it’s annealed, which should allow an annealed hotend to print itself. So far it’s only extruded PLA, but the idea seems sound.

The video below the break shows a single-axis proof of concept in action. We haven’t been able to find any documentation of a fully-functional 3D printer, but nevertheless, it’s an impressive demonstration. We’ve covered similar printers before, and if you make progress in this area, be sure to send us a tip.

youtube.com/embed/xiygZo0YxBw?…

hackaday.com/2025/04/20/the-mo…