[IMSAI Guy] grabbed an obsolete XOR gate and tried a classic circuit to turn it into a frequency doubler. Of course, being an old part, it won’t work at very high frequencies, but the circuit is super simple, just using the gate and an RC network. You can see a video of his exploration below.
The simple circuit seems like it should work, but in practice, it needed an extra component. In theory, the RC circuit acts as an edge detector. So, each edge of the input signal causes a pulse on the output as the second input lags the first.
That sounds good, but it looked terrible on the scope until a 1K resistor tied to the capacitor shifted the bias point of the gate. In all fairness, the original schematic used a Schmitt trigger gate, which may have made a difference had one been available. There were slight differences, though, depending on the type of device. An LS part, for example, didn’t need the extra resistor.
Of course, an RC network is just one way to delay the input, and the delay determines the width of the output pulse and constrains the input frequency and duty cycle. However, you could use other gates, including the other XOR gates in the package to realize a fast delay.
Frequency doublers are very common at microwave frequencies, but they don’t work in the same way. There are several ways to do it, but a common method is to use a nonlinear element to generate plenty of harmonics and then filter off everything but the second one. Or the third one, if you wanted a tripler instead.
Older versions of Android contained various vulnerabilities that allowed gaining root access to the device. Many malicious programs exploited these to elevate their system privileges and gain persistence. The notorious Triada Trojan also used this attack vector. With time, the vulnerabilities were patched, and restrictions were added to the firmware. Specifically, system partitions in recent Android versions cannot be edited, even with superuser privileges. Ironically, this has inadvertently benefited malicious actors. While external malware now faces greater permission restrictions, pre-installed malware within system partitions has become impossible to remove. Attackers are leveraging this by embedding malicious software into Android device firmware. This is how one of our earlier findings, the Dwphon loader, functioned. It was built into system apps for over-the-air (OTA) updates. In March 2025, our research highlighted the Triada Trojan’s evolved tactics to overcome Android’s enhanced privilege restrictions. Attackers are now embedding a sophisticated multi-stage loader directly into device firmware. This allows the Trojan to infect the Zygote process, thereby compromising every application running on the system.
Key takeaways:
We discovered new versions of the Triada Trojan on devices whose firmware was infected even before they were available for sale. These were imitations of popular smartphone brands, and they remained available from various online marketplaces at the time of our research.
A copy of the Trojan infiltrates every application launched on an infected device. The modular architecture of the malware gives attackers virtually unlimited control over the system, enabling them to tailor functionality to specific applications.
In the current version of Triada, the payloads we have analyzed exhibit several malicious behaviors depending on the host application. Specifically, they can modify cryptocurrency wallet addresses during transfer attempts, replace links in browsers, send arbitrary text messages and intercept replies, and steal login credentials for messaging and social media apps.
The complete infection chain looks like this:
Triada Trojan infection chain
Kaspersky products detect the new version of Triada as Backdoor.AndroidOS.Triada.z..
System framework with a malicious dependency
Our initial investigation focused on native libraries included in the firmware of several devices, located in:
/system/framework/arm/binder.so
/system/framework/arm64/binder.so
The file is not present in a reference Android version. We discovered that the suspicious library was loaded into Zygote, the parent process for every Android application, by an infected AOT-compiled Android system framework ( boot-framework.oat) located in the same directory.
Malicious dependency in boot-framework.oat
The binder.so library registers a native method, println_native, for the android.util.Log class, used by applications installed on the device to write messages to Logcat. The implementation of this method calls a suspicious function, _config_log_println.
Call to the suspicious function
The _config_log_println function then calls two other functions that deploy three modules, contained in the rodata section of the malicious library, into every process launched on the device. One of the functions runs every time, while the other one only runs if the Android OS on the device is Version 9 or earlier.
Execution of the two malicious functions
Let us take a closer look at the modules that these launch.
1. Auxiliary module
This module from the rodata section of the malicious library is written to the application’s internal data directory under the name systemlibarm64\_%N%.jar, where N is a random number.
Loading the auxiliary module
The auxiliary module registers a receiver that can load arbitrary code files, although we did not see this happen in the cases described below. We would later call this module auxiliary because other payloads relied on it to perform their malicious functions. For example, for the com.android.core.info.config.JvmCore class from this module, binder.so registers native methods that can intercept calls to arbitrary methods within the process where the malware is running.
2. The mms-core.jar backdoor
This module undergoes a double XOR decryption process with different keys pulled from the rodata section of the malicious library. After decryption, it is saved to disk as /data/data/%PACKAGE%/mms-core.jar and then loaded using DexClassLoader. Once the loading is complete, the payload file is deleted.
Loading the backdoor
This mms-core.jar is a new iteration of a backdoor we mentioned in our earlier reports. In contrast to past versions, which exploited and modified system files to load itself into Zygote, the malware now achieves reliable Zygote access by leveraging a compromised system framework. Similar to previous versions, the backdoor downloads and executes other payloads.
3. Crypto stealer or dropper?
Immediately upon starting, the binder.so library reads the file /proc/%PID%/cmdline, with %PID% representing the system process ID. This is how the Trojan determines the package name of a running app.
Package name check
Based on the package name, binder.so loads either a crypto stealer loader (if the application is cryptocurrency-related) or a dropper from the rodata section. Neither payload is encrypted.
Triada crypto stealer
In previous Triada versions we analyzed, cryptocurrency applications were immediately infected with a crypto stealer. However, in these latest samples, the malicious module is a loader specifically targeting apps with the following package names: com.binance.dev com.wrx.wazirx com.coinex.trade.play com.okinc.okex.gp pro.huobi com.kubi.kucoin The entry point for this malicious loader is the onCreate method within the com.hwsen.abc.SDK class. In latest versions this module requests a configuration from a GitHub repository. Using a pseudo-random number generator, the sample selects a number (0, 1, or 2), each corresponding to a specific repository address.
Loading the configuration
All field values within the configuration are encrypted using AES-128 in ECB mode and then encoded with Base64. An example of a decrypted configuration is shown below: { addr: { durl: app-file.b-cdn[.]net/poctest/p… durl2: app-file.b-cdn[.]net/poctest/p… durl3: app-file.b-cdn[.]net/poctest/p… ver: 17, vname: pc2215202501061400.zip, online: true, rom: true, update: true, pkg: com.android.system.watchdog.x.Main, method: onCreate, param: t } } If online equals true, the loader downloads a payload from the URL specified in the durl field. If errors occur, it uses durl2 and durl3 as backup links. The downloaded payload is decrypted using XOR with a hardcoded key and saved to the application’s internal data directory under the name specified in the vname parameter. The pkg and method fields represent the class name and method, respectively, that will be called after the crypto stealer is loaded via DexClassLoader.
The downloaded payload attempts to steal the victim’s cryptocurrency using various methods. For example, it monitors running activities at preset intervals. This allows the Trojan to intercept attempts at withdrawing cryptocurrency and replace the victim’s crypto wallet addresses in the relevant text fields with addresses belonging to the attackers. To achieve this, the malware runs a depth-first search for all graphical sub-elements within the current frame, identifying the blockchain to which the funds are being sent. The Trojan then swaps the crypto wallet address with a hardcoded one and replaces the click handlers of all buttons in the application with a proxy handler that swaps the crypto wallet address again, ensuring the attackers can steal the funds. Interestingly, the crypto stealer also replaces image elements with generated QR codes containing attacker-controlled wallet addresses.
Text and image replacement
The Trojan also monitors the clipboard contents and, if it finds a crypto wallet address, it gets replaced with an address belonging to the attackers.
Clipboard hijacking
Dropper
If the binder.so library happens to run in an app unrelated to cryptocurrency, it downloads a different payload. This is a dropper that calls the onCreate method within the com.system.framework.api.vp2130.services class. Depending on the version, it can extract up to three Base64-encoded additional modules from its own contents.
The dropper loads a com.android.packageinstaller.apiv21.ApiV21 class from the first module inside the system APK installer app. This class registers a receiver that allows other modules to install arbitrary APKs on the device and also uninstall any apps.
Malicious receiver
Beginning with Android 13, apps from untrusted sources are restricted from accessing sensitive permissions, such as those for accessibility services. To bypass these restrictions for sideloaded apps, the receiver installs them through an installation session in newer Android versions.
The com.system.framework.audio.Audio class is loaded from the second module to block network connections. Depending on the system architecture, it decodes and loads a native helper library. This library uses the xhook library to intercept calls to the getaddrinfo and android_getaddrinfofornet functions. These functions handle communication with the dnsproxyd service in Android, which performs DNS requests using a client-server model. If the attackers have sent a command to block a specific domain, its name is replaced by a hook redirecting to 127.0.0.1, making access to the original domain impossible.
Intercepting the dnsproxyd communications functions
Thus, the malware can block requests to anti-fraud services unless they use a custom DNS implementation.
The com.system.framework.api.init.services class is also loaded from the third module to download arbitrary payloads. For this purpose, the malware periodically transmits a wealth of device information (MAC address, model, CPU, manufacturer, IMEI, IMSI, etc.), along with the host application name and version, to its command-and-control server. Before being sent, the data is encrypted using AES-128 in CBC mode and then encoded with Base64. The C2 responds with a JSON file containing information about the payload, also encrypted with AES-128 in CBC mode. The infected device receives the key and initialization vector (IV) RSA-encrypted from the C2 within the same JSON.
Decoding, loading, and running the payload
For convenience, we will refer to this module as the Triada backdoor going forward. It is this module that holds the greatest interest for our research, as it provides the malware with a wide range of capabilities. A closer look at the Triada threat actor’s objectives yielded a somewhat surprising result. Whereas previous malicious samples mainly displayed ads and signed users up for paid subscriptions, the attackers’ priorities have now drastically changed.
What Triada downloads
To understand exactly how the attackers’ priorities have shifted, we decided to try downloading the payloads for various popular apps. We observed that the binder.so malicious library passes a flag to the dropper upon starting if the application’s name is on a list within its code. This list included both system apps and popular apps from official stores.
Some apps from binder.so
This list served as the starting point for our investigation. For all the listed applications, we sent requests to the malware C2, and some of them returned links to download payloads. As an example, this is the response we received from the Trojan after requesting a payload for Telegram: { a: 0, b: 40E315FB00M8EP2G49008INIK7000002, c: 1373225559, d: [{ a: 72, b: ompe2.7u6h8[.]xyz/tgzip/44a08d… c: com.tgenter.tmain.Engine, d: start, e: 32, f: 44a08dc22b45b9418ed427fd24c192c6, g: mp2y3.sm20j[.]xyz/tgzip/44a08d… }, { a: 127, b: ompe2.7u6h8[.]xyz/tgzip/tgnetu… c: com.androidx.tlttl.tg.CkUtils, d: init, e: 7, f: 37fd87f46e95f431b1977d8c5741d2d5, g: mp2y3.sm20j[.]xyz/tgzip/tgnetu… } ], e: 245, g: [com.instagram.android], h: org.telegram.messenger.web,org.telegram.messenger,com.whatsapp.w4b,com.fmwhatsapp,com.gbwhatsapp,com.yowhatsapp,com.facebook.lite,com.facebook.orca,com.facebook.mlite,com.skype.raider,com.zhiliaoapp.musically,com.obwhatsapp,com.ob3whatsapp,com.ob2whatsapp,com.jtwhatsapp,com.linkedin.android,com.zhiliaoapp.musically.go,com.opera.browser.afin,com.heytap.browser,com.sec.android.app.sbrowser,org.mozilla.firefox,com.microsoft.emmx,com.microsoft.emmx.canary,com.opera.browser } The payload information from the C2 server was received as an array of objects, with each containing two download URLs (primary and backup), the MD5 hash of the file to download, the module’s entry point details, and its ID. After downloading, the modules were decrypted twice using XOR with different keys.
Triada decrypting the payload
In addition to this, the response from the C2 contained other package names. By using these, we were able to obtain various further payloads.
It should be noted that according to the Android security model, unprivileged users do not normally have access to certain application data. However, as mentioned earlier, the malware is loaded by the Zygote process, which allows it to bypass OS restrictions because each payload runs within the process of the app it targets. This means the modules can obtain any application data, and the attackers actively exploit this in subsequent stages of infection. Furthermore, each additional malware payload can use all the permissions available to the app.
During module analysis, we also noted the significant skill of the Triada creators: each payload is tailored to the target app’s characteristics. Let us see which modules the Trojan loaded into some popular Android apps.
Telegram modules
For the Telegram messaging app, the Triada backdoor downloaded two modules at the time of this research. The first module (b8a745bdc0e083ffc88a524c7f465140) launches a malicious task within the messaging app’s context once every 24 hours. We believe that the attackers thoroughly examined Telegram’s internal workings before coding this task.
Malicious task code
Initially, the malicious task tries to obtain the victim’s account details. To do this, the module reads a string associated with the user key from the key-value pairs saved using SharedPreferences in the app settings XML file named userconfig. The string contains Base64-encoded serialized data about the Telegram user, which the messaging client code deserializes to communicate with the API. The malware takes advantage of this: Triada tries several reflection-based methods to read the user data.
Deserializing victim account details
The malware sends the following user information to the C2 server if it has not done so previously:
A serialized string containing the victim’s account details.
The victim’s phone number.
The contents of the tgnet.dat file from the application’s data directory. This file stores Telegram authentication data including the user’s token, which allows the attackers to gain complete control over the victim’s account.
The string with id=1 from the params table in the cache4.db database.
This payload also contains unused code for displaying ads.
The second module (fce117a9d7c8c73e5f56bda7437bdb28) uses Base64 to decode and then execute another payload (8f0e5f86046faed1d06bca7d3e48c0b8). This payload registers its own observer for new Telegram messages, which checks their content. If the message text matches regular expressions received by the Trojan from the C2 server, the message is deleted from the client. This module also attempts to delete Telegram notifications about new sessions.
Filtering messages based on content
Additionally, the malware tries to initiate a conversation with a bot that was no longer there at the time of our research.
Initiating communication with an unknown bot
Instagram module
This module (3f887477091e67c6aaca15bce622f485) starts by requesting the device’s advertising ID from Google Play services, which it then uses as the victim ID. After that, a malicious task runs once every 24 hours, sequentially scanning all XML files used by SharedPreferences until it finds the first file whose name begins with UserCookiePrefsFile_. This file contains the cookies for active Instagram sessions, and intercepting these sessions allows the attackers to take over the victim’s account. The task also collects all files ending in batch from the analytics directory inside data.
The malware reading the internal files
These files, along with information about the infected device, are encoded in Base64 and sent to the C2 server.
Browser module
This module (98ece45e75f93c5089411972f9655b97) is loaded into the browsers with the following package names:
com.android.chrome
org.mozilla.firefox
com.microsoft.emmx
com.microsoft.emmx.canary
com.heytap.browser
com.opera.browser
com.sec.android.app.sbrowser
com.chrome.beta
First, it establishes a connection with the C2 server over TCP sockets. Then, using the RSA algorithm, it encrypts an IV and key concatenation for AES-128 in CBC mode. The Trojan uses AES to encrypt the information about the infected device and then combines it with the key and IV into a single large buffer, which it sends to the TCP socket.
Code snippet for C2 communication
The C2 server responds with a buffer encrypted with the same parameters as the request it received from the infected device. The response contains a task to periodically substitute links opened in the browser. An example of this task is shown below. { a: 0, b: 1, c: 65, d: { a: 17, b: stas.a691[.]com/, c: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23], d: 2880 } } The link replacement works as follows. The module first checks the version and name of the browser that it is running in to register hooks for the methods that the browser uses for opening links.
Launching browser-specific functionality
We noted earlier that in the initial stages, the Trojan downloaded an auxiliary module that implements its functionality to intercept arbitrary methods. The browser module utilizes this to interfere with the process of opening pages in various browsers.
Using the auxiliary module
In addition, the malware uses reflection to replace the Instrumentation class instance for the app. The execStartActivity method, which launches app activities, is replaced in the proxy class.
Malicious call in the Instrumentation proxy class
In Android, application activities are launched by broadcasting an intent with a specific action. If the application has an activity with an intent filter that declares the ability to handle the action, Android will launch it. When an application opens a link in a browser, it creates and sends an Intent instance with the action android.intent.action.VIEW, including the URI to be opened. Triada substitutes the URI in the received Intent instance.
Replacing the link in the Intent instance
In the samples we analyzed, the C2 server sent links to advertising resources. However, we believe that the malware creators could also use this functionality for, say, phishing.
WhatsApp modules
For WhatsApp, the Trojan’s C2 server would provide two modules. One of these (d5bc1298e436424086cb52508fb104b1) runs a malicious task within the WhatsApp client’s context every five minutes. This task reads various keys essential for the client’s operation, as well as data about the active session.
The Trojan reading WhatsApp login credentials
This data, along with information about the victim’s device, is forwarded to the C2 server, giving the attackers complete access to the victim’s WhatsApp account.
The other module (dc731e55a552caed84d04627e96906d5) starts by intercepting WhatsApp client functions that send and receive messages. The threat actor employed an interesting technique to work around class name obfuscation in WhatsApp code. The module’s code contains the names of the class and method being intercepted, specific to different WhatsApp versions. This likely required the attackers to manually analyze how each version worked. It is worth noting too that if the module’s code lacks the class names for the specific client version, the malware can request an interception configuration from the attackers’ C2 server.
If the interception is successful, the module continues its operation by sending data about the infected device to the C2 server and receiving a TCP socket IP address in response. Commands are then transmitted through this socket, allowing the malware to perform the following actions:
Send arbitrary WhatsApp messages.
Delete sent messages on the device to cover its tracks.
Close the connection.
Snippet of the command handler
LINE module
This module (1d582e2517905b853ec9ebfe77759d15) runs inside the LINE messaging app. First, the malware gathers information about the infected device and sends it to the C2 server. Subsequently, every 30 seconds, it collects internal app data, specifically the PROFILE_AUTH_KEY and PROFILE_MID values from the settings table in the naver_line database. The malicious module also obtains the User-Agent string and additional information to mimic HTTP requests as if they were coming from the messaging client itself. Additionally, the malware decrypts the user’s phone number and region from the naver_line database and uses reflection to obtain the application’s access token, which allows it to take over the victim’s account.
Obtaining an access token
The module sends the data it collects to the C2 server.
Collecting and sending data
Skype module
This module (b87706f7fcb21f3a4dfdd2865b2fa733) runs a malicious task every two minutes that attempts to send information about the infected device to the C2. Once the C2 accepts the request, the task stops, and the Trojan begins reading internal Skype files every hour. Initially, the module tries to extract a token that allows access to the Skype account from the React Native framework keychain.
Triada extracting a token from the keychain
Failing to obtain the token through this method, the malware then tries to locate it within WebView cookies.
Extracting a token from the cookies
This token is then sent to the Trojan’s C2 server, thus compromising the victim’s account.
The versions of Triada we have seen contain no payloads for Microsoft Teams or Skype for Business. However, we believe that after Microsoft sunsets Skype, the attackers might add new malicious modules for these apps.
TikTok module
This module (993eb2f8bf8b5c01b30e3044c3bc10a3) sends information about the infected device to the attackers’ server once a day. Additionally, the malware collects a variety of data about the victim’s account. For example, it reads cached TikTok cookies from an internal directory, which might have been used by WebView within the app. The attackers are interested in the msToken in these cookies, as it is necessary for interacting with the TikTok API. The module also extracts other information from the TikTok client, such as the user ID ( secUID), the User-Agent for API requests, and more. We believe that the attackers need this data to bypass TikTok API restrictions and simulate a real device when making API requests. Every five minutes, the malicious module attempts to send all data it collects to the attackers’ server.
Stealing TikTok account data
Facebook modules
One of such modules (b187551675a234c3584db4aab2cc83a9) runs a malicious task every minute that compares the parent app package name against the following list:
com.facebook.lite
com.facebook.mlite
com.facebook.orca
If the name matches one of the above, the malware steals the Facebook authentication cookies.
Stealing Facebook credentials
Another module (554f0de0bddf30589482315fe336ea72) sends data about the infected device to the C2. The server responds with a link to be opened in WebView, as well as JavaScript code to execute on the page. The malware can upload certain elements from this page to the C2 server, which potentially could be used by attackers to steal the victim’s account data.
SMS modules
These malicious components are injected into SMS apps. One of them (195e0f334beb34c471352179d422c42f) starts by registering its own proxy receiver for incoming SMS and MMS messages, as well as its own message observer. Following this, the malware retrieves rules from the C2 server, storing these in a separate database. The content of each received message is filtered on the basis of these rules.
Checking message content
The flexibility of these rules enables the malware to respond to specific SMS messages by extracting codes using regular expressions. We believe the Trojan creators primarily use this capability to sign victims up for paid subscriptions. Additionally, the module can send arbitrary SMS messages when instructed by the C2 server.
Interestingly, the module contains unused code snippets that are valuable for analysis — they also function as message filtering rules. Each rule includes a string value that defines its type: an MD5 hash of certain data. The module code contains methods named matchWhatsapp and matchRegister that use the same rule type. Analysis of matchWhatsapp revealed that this malicious component previously could cover other modules’ tracks and delete SMS messages containing verification codes for logging in to the victim’s WhatsApp account. The use of the same rule type suggests that matchRegister is also employed by the malicious module to conceal its activity, possibly to secretly register accounts. This method is likely obsolete because the malware now supports receiving rules from the C2 server.
Rule for intercepting WhatsApp verification SMS messages
The second module (2ac5414f627f8df2e902fc34a73faf44) is likely an auxiliary component for the first one. The thing is, Android performs a check on the addressee when an SMS is being sent. If the message is being sent to a short code (premium SMS), the user will be prompted to confirm their intention to send. This measure aims to prevent financial losses for device owners encountering SMS Trojans. The SMSDispatcher class in the Android framework checks if the app has permission to send premium SMS messages. To do this, it calls the getPremiumSmsPermission method within the SmsUsageMonitor class, which stores premium SMS sending policies for each application using the SharedPreferences mechanism with the key premium-sms-policy. The policies are integers that can take the following values:
1: User confirmation is required before sending a premium SMS.
2: The app is prohibited from sending premium SMS messages.
3: Sending premium SMS messages is allowed, and user confirmation is not required.
The malicious module sets the policy value for SMS messaging apps to 3, thereby clearing obstacles for the previous module. Notably, this is an undocumented Android feature, which further highlights the malware authors’ advanced skill level.
Method for overriding premium SMS sending policies
Reverse proxy
As far as we know, this module (3dc21967e6fab9518275960933c90d04), integrates into the Google Play Services app. Immediately upon starting, it transmits information about the infected device to the C2 server. The server responds with an IP address and port, which the malware uses to listen for commands via a modified version of the EasySocket library. The commands are integers that can take three values:
1: Establish a connection with an arbitrary TCP endpoint, assigning to it the ID transmitted in the command.
2: Terminate the TCP connection with the specified ID.
4: Send data over the TCP connection with the specified ID.
Processing received data
Thus, the main purpose of this module is to turn the infected device into a reverse proxy, essentially giving the attackers network access through the victim’s device.
Call interception
This module (a4f16015204db28f5654bb64775d75ad) is injected into the device’s phone app. It registers a malicious receiver that, upon receiving intents, can execute arbitrary JavaScript code using WebView.
Executing arbitrary code via the malicious receiver
The malware provides the JavaScript code with an interface to call certain Java functions. One of these functions takes the victim’s phone number and sends an intent that includes it.
An intent with a phone number
The command number is transmitted in the type field of the intent. However, the module lacks a handler for this number. We assume that it is implemented in a different payload that we were unable to obtain during our investigation.
We also believe that this module is still under development. For example, similar to the browser module, it replaces the Instrumentation class to substitute the number opened using the android.intent.action.VIEW intent. However, the module lacks number substitution code.
Instrumentation proxy class
We strongly believe the number substitution functionality exists in another version of this module or will be added in the near future.
Clipper
Our data indicates that this module (04e485833e53aceb259198d1fcba7eaf) integrates into the Google Play app. Upon starting, it requests a comma-separated list of attackers’ cryptocurrency wallet addresses from the C2 server. If it cannot get the addresses, the Trojan uses hardcoded ones. After that, the module checks the clipboard every two seconds. If it finds a cryptocurrency wallet address, it replaces it with one controlled by the attackers. Additionally, the malware registers an event handler for clipboard changes, where it also checks and swaps the content.
Clipboard hijacking
Additional module
In our previous report, we described the malicious modules downloaded by the initial Triada backdoor. We decided to check if the list of payloads had changed. Unfortunately, at the time of our research, the backdoor C2 server was not sending links to download additional modules. However, we noticed that the module entry points used a consistent special naming format – we will discuss this in more detail later. This allowed us to find another Triada malware sample in our telemetry. The module is named BrsCookie_1004 (952cc6accc50b75a08bb429fb838bff7), and is designed for stealing Instagram cookies from web browsers.
Stealing cookies
Campaign features
Our analysis of this Trojan revealed several interesting details. For example, it shows similarities to earlier versions of Triada (308e35fb48d98d9e466e4dfd1ba6ee73): these implement the same logic for loading additional modules as the mms-core.jar backdoor deployed by the infected framework.
Loading modules in older Triada versions
Loading modules in mms-core.jar
Furthermore, lines starting with PPP appear regularly in the module code.
Creating log entries in an older Triada version
Loading a module in binder.so in a newer Triada version
Functions from the binder.so malicious library set system properties similar to those in previous Triada versions. These and other similarities lead us to believe that the sample we analyzed is a new version of Triada.
While analyzing the modules, we encountered comments in Chinese, suggesting that the developers are Chinese native speakers. Additionally, one of the C2 servers used by the Triada modules, g.sxim[.]me, caught our attention. This domain was also used as a C2 server for a module of the Vo1d backdoor, suggesting a potential link to Triada.
Distribution vector
In all known infection cases, the device firmware had a build fingerprint whose last letter differed from officially published firmware fingerprints. Searching for similar fingerprints led us to discussion boards where users complained about counterfeit devices purchased from online stores. It is likely that a stage in the supply chain was compromised, with the vendors in online stores possibly being unaware that they were distributing fake devices infected with Triada.
User complaining about a counterfeit device
Translation: “The journey of a counterfeit device bought in [redacted]. <…> Please keep this discussion in case it helps some poor fellow like me to restore the phone on their own. <…> Previous version: 8Gb / 256Gb / 14.0.6.0 (TGPMIXN). Current version: 4Gb / 128Gb / 14.0.6.0 (TGPMIXM)”
Victims
According to KSN telemetry, our security solutions have detected over 4500 infected devices worldwide. The highest numbers of affected users were detected in Russia, the United Kingdom, the Netherlands, Germany, and Brazil. However, the actual number of infected devices could be much higher, given the unusual distribution method described in this article. The diagram below shows the TOP 10 countries with the highest numbers of users attacked between March 13 and April 15, 2025.
TOP 10 countries with the highest numbers of users attacked by Triada, March 13 – April 15, 2025 (download)
Separately, we decided to calculate the amount of cryptocurrency the Triada creators have stolen. To do this, we queried the Trojan’s C2 servers, receiving replacement wallet addresses in response. Findings from open-source research indicated that since June 13, 2024, the attackers had amassed more than $264,000 in various cryptocurrencies in wallets under their control. Below is a diagram showing the balance of several attacker-controlled wallets.
A profitability chart for the threat actor’s TRON wallets (download)
Conclusion
The new version of the Triada Trojan is a multi-stage backdoor giving attackers unlimited control over a victim’s device. The modular architecture provides its authors with a range of malicious capabilities, including targeted delivery of new modules and mass infection of specific applications. If your phone has been infected with Triada, we recommend following these rules to minimize the consequences of malicious activity:
Install a clean firmware on your device.
Avoid using messaging apps, crypto wallets, or social media clients currently on your device before installing new firmware.
[Tazer] built a small desktop-sized robotic arm, and it was more or less functional. However, he wanted to improve its ability to pick things up, and attaching a pneumatic gripper seemed like the perfect way to achieve that. Thus began the build!
The concept of [Tazer]’s pneumatic gripper is simple enough. When the pliable silicone gripper is filled with air, the back half is free to expand, while the inner section is limited in its expansion thanks to fabric included in the structure. This causes the gripper to deform in such a way that it folds around as it fills with air, which lets it pick up objects. [Tazer] designed the gripper so that that could be cast in silicone using 3D printed molds. It’s paired with a 3D printed manifold which delivers air to open and close the gripper as needed. Mounted on the end of [Tazer]’s robotic arm, it’s capable of lifting small objects quite well.
This week Elliot Williams was joined by fellow Europe-based Hackaday staffer Jenny List, to record the Hackaday Podcast as the dusk settled on a damp spring evening.
On the agenda first was robotic sport, as a set of bipedal robots competed in a Chinese half-marathon. Our new Robot overlords may have to wait a while before they are fast enough chase us meatbags away, but it demonstrated for us how such competitions can be used to advance the state of the art.
The week’s stand-out hacks included work on non-planar slicing to improve strength of 3D prints. It’s safe to say that the Cartesian 3D printer has matured as a device, but this work proves there’s plenty more in the world of 3D printing to be developed. Then there was a beautiful record cutting lathe project, far more than a toy and capable of producing good quality stereo recordings.
Meanwhile it’s always good to see the price of parts come down, and this time it’s the turn of LIDAR sensors. There’s a Raspberry Pi project capable of astounding resolution, for a price that wouldn’t have been imaginable only recently. Finally we retrned to 3D printing, with an entirely printable machine, including the motors and the hot end. It’s a triumph of printed engineering, and though it’s fair to say that you won’t be using it to print anything for yourself, we expect some of the very clever techniques in use to feature in many other projects.
The week’s cant-miss articles came from Maya Posch with a reality check for lovers of physical media, and Dan Maloney with a history of x-ray detection. Listen to it all below, and you’ll find all the links at the bottom of the page.
When it comes to open source signal analysis software for logic analyzers and many other sensors, Sigrok is pretty much the only game in town. Unfortunately after an issue with the server hosting, the website, wiki, and other documentation is down until a new hosting provider is found and the site migrated. This leaves just the downloads active, as well as the IRC channel (#sigrok) over at Libera.chat.
This is not the first time that the Sigrok site has gone down, but this time it seems that it’s more final. Although it seems a new server will be set up over the coming days, this will do little to assuage those who have been ringing the alarm bells about the Sigrok project. Currently access to documentation is unavailable, except via the WaybackMachine’s archive.
A tragic reality of FOSS projects is that they are not immortal, with them requiring constant time, money and effort to keep servers running and software maintained. This might be a good point for those who have a stake in Sigrok to consider what the project means to them, and what it might mean if it were to shutdown.
In the 2000s, the DVD industry was concerned about piracy, in particular the threat to their business model presented by counterfeit DVDs and downloadable movies. Their response was a campaign which could be found embedded into the intro sequences of many DVDs of the era, in which an edgy font on a black background began with “You wouldn’t steal a car.. “. It was enough of a part of the background noise of popular culture that it has become a meme in the 2020s, reaching many people with no idea of its origins. Now in a delicious twist of fate, it has been found that the font used in the campaign was itself pirated. Someone should report them.
The font in question is FF Confidential, designed by [Just van Rossum], whose brother [Guido] you may incidentally know as the originator of the Python programming language. The font in the campaign isn’t FF Confidential though, as it turns out it’s XBAND Rough, a pirated copy of the original. What a shame nobody noticed this two decades ago.
It’s a bit of fun to delight in an anti-piracy campaign being caught using a dodgy font, but if this story serves to tell us anything it’s that the web of modern intellectual property is so labyrinthine as to be almost impossible to navigate without coming a cropper somewhere. Sadly the people caught out in this case would be the last to call for reform of the intellectual property environment, but as any sane heads would surely agree, such reform is overdue.
Today Melissa Lewis over on BlueSky pointed out that the font used nin the infamous "You wouldn't steal a car" anti-piracy campaign was actually designed by Just van Rossum, whose brother, Guido, created the Python programming language (bsky.app/profile/melissa.news/post/3ln7hx5rhcj2v)
She also pointed out that the font had been cloned and released illegally for free under the name "XBAND Rough". Naturally, it would be hilarious if the anti-piracy campaign actually turned out to have used this pirated font, so I went sleuthing and quickly found a PDF from the campaign site with the font embedded (web.archive.org/web/20051223202935/http://www.piracyisacrime.com:80/press/pdfs/150605_8PP_brochure.pdf).
So I chucked it into FontForge and yep, turns out the campaign used a pirated font the entire time!
Researchers at Aikido run the Aikido Intel system, an LLM security monitor that ingests the feeds from public package repositories, and looks for anything unusual. In this case, the unusual activity was five rapid-fire releases of the xrpl package on NPM. That package is the XRP Ledger SDK from Ripple, used to manage keys and build crypto wallets. While quick point releases happen to the best of developers, these were odd, in that there were no matching releases in the source GitHub repository. What changed in the first of those fresh releases?
The most obvious change is the checkValidityOfSeed() function added to index.ts. That function takes a string, and sends a request to a rather odd URL, using the supplied string as the ad-referral header for the HTML request. The name of the function is intended to blend in, but knowing that the string parameter is sent to a remote web server is terrifying. The seed is usually the root of trust for an individual’s cryptocurrency wallet. Looking at the actual usage of the function confirms, that this code is stealing credentials and keys.
The releases were made by a Ripple developer’s account. It’s not clear exactly how the attack happened, though credential compromise of some sort is the most likely explanation. Each of those five releases added another bit of malicious code, demonstrating that there was someone with hands on keyboard, watching what data was coming in.
The good news is that the malicious releases only managed a total of 452 downloads for the few hours they were available. A legitimate update to the library, version 4.2.5, has been released. If you’re one of the unfortunate 452 downloads, it’s time to do an audit, and rotate the possibly affected keys.
Zyxel FLEX
More specifically, we’re talking about Zyxel’s USG FLEX H series of firewall/routers. This is Zyxel’s new Arm64 platform, running a Linux system they call Zyxel uOS. This series is for even higher data throughput, and given that it’s a new platform, there are some interesting security bugs to find, as discovered by [Marco Ivaldi] of hn Security and [Alessandro Sgreccia] at 0xdeadc0de. Together they discovered an exploit chain that allows an authenticated user with VPN access only to perform a complete device takeover, with root shell access.
The first bug is a wild one, and is definitely something for us Linux sysadmins to be aware of. How do you handle a user on a Linux system, that you don’t want to have SSH access to the system shell? I’ve faced this problem when a customer needed SFTP access to a web site, but definitely didn’t need to run bash commands on the server. The solution is to set the user’s shell to nologin, so when SSH connects and runs the shell, it prints a message, and ends the shell, terminating the SSH connection. Based on the code snippet, the FLEX is doing something similar, perhaps with -false set as the shell instead:
$ ssh user@192.168.169.1
(user@192.168.169.1) Password:
-false: unknown program '-false'
Try '-false --help' for more information.
Connection to 192.168.169.1 closed.
It’s slightly janky, but seems set up correctly, right? There’s one more step to do this completely: Add a Match entry to sshd_config, and disable some of the other SSH features you may not have thought about, like X11 forwarding, and TCP forwarding. This is the part that Zyxel forgot about. VPN-only users can successfully connect over SSH, and the connection terminates right away with the invalid shell, but in that brief moment, TCP traffic forwarding is enabled. This is an unintended security domain transverse, as it allows the SSH user to redirect traffic into internal-only ports.
Next question to ask, is there any service running inside the appliance that provides a pivot point? How about PostgreSQL? This service is set up to allow local connections on port 5432 — without a password. And PostgreSQL has a wonderful feature, allowing a COPY FROM command to specify a function to run using the system shell. It’s essentially arbitrary shell execution as a feature, but limited to the PostgreSQL user. It’s easy enough to launch a reverse shell to have ongoing shell access, but still limited to the PostgreSQL user account.
There are a couple directions exploitation can go from there. The /tmp/webcgi.log file is accessible, which allows for grabbing an access token from a logged-in admin. But there’s an even better approach, in that the unprivileged user can use the system’s Recovery Manager to download system settings, repack the resulting zip with a custom binary, re-upload the zip using Recovery Manager, and then interact with the uploaded files. A clever trick is to compile a custom binary that uses the setuid(0) system call, and because Recovery Manager writes it out as root, with the setuid bit set, it allows any user to execute it and jump straight to root. Impressive.
Power Glitching an STM32
Micro-controllers have a bit of a weird set of conflicting requirements. They need to be easily flashed, and easily debugged for development work. But once deployed, those same chips often need to be hardened against reading flash and memory contents. Chips like the STM32 series from ST Microelectronics have multiple settings to keep chip contents secure. And Anvil Secure has some research on how some of those protections could be defeated. Power Glitching.
The basic explanation is that these chips are only guaranteed to work when run inside their specified operating conditions. If the supply voltage is too low, be prepared for unforeseen consequences. Anvil tried this, and memory reads were indeed garbled. This is promising, as the memory protection settings are read from system memory during the boot process. In fact, one of the hardest challenges to this hack was determining the exact timing needed to glitch the right memory read. Once that was nailed down, it took about 6 hours of attempts and troubleshooting to actually put the embedded system into a state where firmware could be extracted.
MCP Line Jumping
Trail of Bits is starting a series on MCP security. This has echoes of the latest FLOSS Weekly episode, talking about agentic AI and how Model Context Protocol (MCP) is giving LLMs access to tools to interact with the outside world. The security issue covered in this first entry is Line Jumping, also known as tool poisoning.
It all boils down to the fact that MCPs advertise the tools that they make available. When an LLM client connects to that MCP, it ingests that description, to know how to use the tool. That description is an opportunity for prompt injection, one of the outstanding problems with LLMs.
Bits and Bytes
Korean SK Telecom has been hacked, though not much information is available yet. One of the notable statements is that SK Telecom is offering customers a free SIM swapping protection service, which implies that a customer database was captured, that could be used for SIM swapping attacks.
WatchTowr is back with a simple pre-auth RCE in Commvault using a malicious zip upload. It’s a familiar story, where an unauthenticated endpoint can trigger a file download from a remote server, and file traversal bugs allow unzipping it in an arbitrary location. Easy win.
SSD Disclosure has discovered a pair of Use After Free bugs in Google Chrome, and Chrome’s Miracleptr prevents them from becoming actual exploits. That technology is a object reference count, and “quarantining” deleted objects that still show active references. And for these particular bugs, it worked to prevent exploitation.
Alvin Lucier was an American experimental composer whose compositions were arguably as much science experiments as they were music. The piece he is best known for, I Am Sitting in a Room, explored the acoustics of a room and what happens when you amplify the characteristics that are imparted on sound in that space by repeatedly recording and playing back the sound from one tape machine to another. Other works have employed galvanic skin response sensors, electromagnetically activated piano strings and other components that are not conventionally used in music composition.
While he was still alive, Lucier entered into a collaboration with a team of artists and biologists to create an exhibit that would push art, science and our notions of what it means to live beyond one’s death into new ground.
The resulting exhibit, titled Revivication, is a room filled with gong-like cymbals being played via actuators by Lucier’s brain…sort of. It is a brain organoid, a bundle of neurons derived from a sample of his blood which had been induced into pluripotent stem cells. The organoid sits on a mesh of electrodes, providing an interface for triggering the cymbals. A brain organoid derived from Alvin Lucier’s blood cells sits on a mesh of electrodes. “But the organoid isn’t aware of what’s happening, it’s not performing” we hear you say. While it is true that the bundle of neurons isn’t likely to have intuited hundreds of years of music theory or its subversion by experimental methodology, it is part of a feedback loop that potentially allows it to “perceive” in some way the result of its “actions”.
Microphones mounted at each cymbal feed electrical stimulus back to the organoid, presumably providing it with something to respond to. Whether it does so in any meaningful way is hard to say.
The exhibit asks us to think about where creativity comes from. Is it innate? Is it “in our blood” so to speak? Do we have agency or are we being conducted? Can we live on beyond our own deaths through some creative act? What, if anything, do brain organoids experience?
Lo sviluppo di supercomputer per l’intelligenza artificiale sta entrando in una nuova orbita: in termini di scala, costi e consumi energetici e infrastrutture e megaprogetti. Uno studio condotto dagli analisti di Georgetown, Epoch AI e RAND fornisce un’idea di cosa potrebbe raggiungere il settore entro il 2030.
Dal 2019 al 2025, i costi hardware ed energetici dei centri di intelligenza artificiale avanzata sono raddoppiati ogni anno. Se questo ritmo continua, entro la fine del decennio un singolo supercomputer dotato di intelligenza artificiale potrebbe contenere due milioni di chip specializzati, costare 200 miliardi di dollari e consumare 9 gigawatt di elettricità, ovvero la stessa quantità di nove reattori nucleari. Ciò equivale al consumo energetico di 7-9 milioni di famiglie.
La crescita dell’efficienza non ha tenuto il passo con la crescita su scala. Le prestazioni per watt sono migliorate del 34% all’anno, ma il consumo energetico è migliorato del 100%. I ricercatori sottolineano che, nonostante l’ottimizzazione della tecnologia, il carico complessivo sui sistemi energetici continua a crescere.
Il supercomputer di intelligenza artificiale più potente oggi disponibile è Colossus di xAI. È stato costruito in 214 giorni, è costato 7 miliardi di dollari e funziona con 200.000 chip di intelligenza artificiale, consumando 300 megawatt, l’equivalente di 250.000 case.
Il settore del supercalcolo basato sull’intelligenza artificiale si sta rapidamente commercializzando. Nel 2019, il settore privato possedeva solo il 40% di tali capacità e nel 2025 sarà già all’80%. Nell’arco di sei anni, i sistemi di intelligenza artificiale commerciali sono cresciuti 2,7 volte più velocemente all’anno rispetto ai sistemi governativi (1,9 volte). Ciò riflette un cambiamento di paradigma: i supercomputer si sono evoluti da strumenti di ricerca a macchine industriali generatrici di profitto.
Grandi progetti confermano questo movimento: OpenAI sta implementando l’iniziativa Stargate da 500 miliardi di dollari e NVIDIA ha un piano simile su larga scala. In totale, negli ultimi sei anni il database Epoch AI ha registrato più di 500 dei più grandi centri di intelligenza artificiale.
Gli Stati Uniti restano il paese leader in termini di potenza: controllano circa il 75% di tutti i supercomputer dotati di intelligenza artificiale. La Cina è al secondo posto (15%), mentre i leader tradizionali come Giappone e Germania sono già in minoranza. Tuttavia, la posizione fisica dei data center non è sempre correlata al luogo di utilizzo: molti di essi sono accessibili tramite il cloud .
Tuttavia, il progresso tecnologico ha anche i suoi costi. Secondo Good Jobs First, almeno 10 stati degli Stati Uniti perdono più di 100 milioni di dollari in tasse ogni anno a causa degli incentivi per i data center. Inoltre, tali complessi consumano grandi volumi d’acqua e occupano vaste aree, esercitando pressione sugli ecosistemi.
All’inizio del 2025, gli analisti di Cowen hanno registrato segnali di un “raffreddamento” del mercato. I principali fornitori di cloud, tra cui AWS e Microsoft, hanno iniziato a ridimensionare o sospendere alcuni progetti.
Non è chiaro se si tratti di una pausa strategica o dell’inizio di un rallentamento del settore, ma è chiaro che l’era dell’intelligenza artificiale significa anche l’era delle macchine ad alto consumo energetico.
I ricercatori di ANY.RUN hanno identificato una fuga di dati su larga scala innescata da un falso positivo in Microsoft Defender XDR. La piattaforma di sicurezza ha erroneamente contrassegnato file innocui come dannosi, determinandone l’invio automatico alla sandbox pubblica ANY.RUN per l’analisi. Di conseguenza, oltre 1.700 documenti sensibili sono stati caricati e indicizzati pubblicamente.
La fuga di dati, che ha coinvolto dati aziendali di centinaia di aziende, ha fatto scattare l’allarme sui rischi di una classificazione errata nei sistemi di rilevamento delle minacce e sulle conseguenze indesiderate del comportamento degli utenti in risposta a tali errori.
“Oggi abbiamo notato un’impennata insolita nei caricamenti contenenti link ad Adobe Acrobat Cloud. Il nostro team ha ricondotto il problema a un falso positivo di Microsoft Defender XDR, che ha erroneamente contrassegnato come dannoso il seguente URL legittimo: acrobat[.]adobe[.]com/id/urn:aaid:sc:” hanno riportato i ricercatori di sicurezza.
L’incidente ha avuto inizio quando Microsoft Defender XDR, una piattaforma di protezione avanzata dalle minacce ampiamente utilizzata, ha erroneamente segnalato come dannosi i link legittimi di Adobe Acrobat Cloud, in particolare gli URL che iniziano con acrobat[.]adobe[.]com/id/urn:aaid:sc:.
Secondo il rapporto di ANYRUN, questo errore ha innescato un improvviso afflusso di link Adobe Acrobat Cloud caricati nel loro sandbox per l’analisi.
Molti di questi caricamenti sono stati avviati dagli utenti del piano gratuito di ANYRUN, che di default è impostato sulla modalità di condivisione pubblica, esponendo inavvertitamente documenti aziendali sensibili sulla rete Internet.
🚨 Important: False positive from MS Defender XDR has led to 1,700+ sensitive docs being shared publicly via #ANYRUN alone.
A couple of hours ago we saw a sudden inflow of Adobe Acrobat Cloud links being uploaded to ANYRUN's sandbox.
L’indagine di ANYRUN ha rivelato che il falso positivo ha indotto gli utenti del piano gratuito a caricare più di 1.700 file Adobe contenenti dati riservati, colpendo centinaia di organizzazioni.
In risposta, ANYRUN si è prontamente attivata per mitigare il danno convertendo tutte le analisi correlate in modalità privata, impedendo così un’ulteriore esposizione pubblica. Tuttavia, l’azienda ha notato che alcuni utenti continuavano a caricare documenti riservati pubblicamente, aggravando il problema.
“Abbiamo notato un improvviso afflusso di link di Adobe Acrobat Cloud caricati sulla sandbox di ANYRUN un paio d’ore fa.” “Per bloccare le fughe di notizie, stiamo rendendo private tutte queste analisi, ma gli utenti continuano a condividere pubblicamente documenti riservati. Utilizzate sempre una licenza commerciale per le attività lavorative, per garantire privacy e conformità.”
I documenti esposti contenevano un’ampia gamma di informazioni sensibili, sollevando preoccupazioni circa potenziali violazioni dei dati e l’uso improprio di informazioni aziendali proprietarie.
Purtroppo il titolo è vero. L’intelligenza artificiale sta semplificando di molto l’accesso ai sistemi di hacking e di truffe online e la Piattaforma PhaaS Dracula, sta apportando miglioramenti che consentono a chiunque di entrare nel mondo della criminalità informatica con pochi click.
La piattaforma Darcula, utilizzata dai criminali informatici per inviare messaggi di phishing di massa, è stata aggiornata con il supporto dell’intelligenza artificiale generativa (GenAI). Ora creare pagine fraudolente è diventato ancora più semplice: anche gli utenti senza competenze tecniche possono generare moduli personalizzati e falsi siti web aziendali in pochi minuti.
Darcula è apparso sui radar dei ricercatori nel marzo 2024 come un servizio di phishing che utilizzava iMessage e RCS per inviare false notifiche da presunti servizi di posta elettronica. Anche in quel caso, l’insieme di strumenti consentiva ai truffatori di ingannare gli utenti reindirizzandoli a link falsi. Ma con l’introduzione di GenAI, la situazione ha raggiunto un nuovo livello: ora gli aggressori possono non solo copiare siti di marchi esterni, ma anche adattare i moduli alla lingua e alla regione desiderate, senza ricorrere alla programmazione.
Il rapporto di Netcraft evidenzia che le nuove funzionalità stanno aprendo le porte al mondo del phishing anche a coloro che prima non avevano le conoscenze necessarie. La generazione di moduli multilingue e la loro personalizzazione automatica per una specifica vittima consentono attacchi più rapidi e precisi. Tutto ciò rende Darcula particolarmente pericoloso nelle mani di distributori di phishing di massa come il gruppo Smishing Triad, attivo a livello mondiale.
Uno studio recente di PRODAFT indica che Darcula è stato creato da un aggressore con lo pseudonimo LARVA-246 e che la piattaforma stessa è promossa tramite un canale Telegram. Allo stesso tempo, la funzionalità di Darcula si sovrappone ad altri noti costruttori di phishing: Lucid e Lighthouse. Sono tutti considerati parte di un grande cluster di criminalità informatica cinese, uniti da un obiettivo comune: semplificare e ampliare il phishing.
Oltre a creare e clonare siti web, il sistema consente di personalizzare facilmente i campi dei moduli, tradurli nella lingua desiderata e distribuire rapidamente una campagna di phishing. Questa accessibilità rende Darcula uno strumento ideale per gli aggressori alle prime armi, aumentando notevolmente il numero di potenziali attacchi.
Da marzo 2024, gli analisti hanno già rimosso oltre 25.000 pagine create utilizzando Darcula, bloccato circa 31.000 indirizzi IP e scoperto oltre 90.000 domini associati alla sua attività. Nonostante i massicci sforzi di contromisura, Darcula continua a evolversi e a diventare più accessibile.
L’ultimo aggiornamento è stato rilasciato ufficialmente il 23 aprile 2025 e ha immediatamente suscitato preoccupazione tra gli esperti. La possibilità di lanciare pagine di phishing complete in pochi minuti è ormai alla portata di chiunque: tutto ciò che bisogna fare è selezionare la destinazione e cliccare sul pulsante Genera.
Nel primo trimestre del 2025 sono stati registrati attacchi nel cyberspazio che hanno sfruttato 159 vulnerabilità univoche con identificatori CVE assegnati. Si tratta di un numero leggermente superiore rispetto alla fine dell’anno scorso, quando si registravano 151 vulnerabilità di questo tipo. Quasi un terzo di tutte queste vulnerabilità (il 28,3%) ha iniziato a essere utilizzato attivamente entro 24 ore dalla loro divulgazione ufficiale, il che indica la rapida trasformazione delle informazioni tecniche in uno strumento di attacco.
Sono state sfruttate 45 vulnerabilità in attacchi entro il primo giorno dalla pubblicazione. Altri 14 furono messi in funzione nel giro di un mese e altri 45 nel giro di un anno. I sistemi di gestione dei contenuti (CMS) sono stati gli obiettivi più frequenti, poiché erano quelli in cui venivano individuate le vulnerabilità più facilmente sfruttabili. Seguono i dispositivi di rete, i sistemi operativi, i componenti open source e il software server.
Tra le aziende i cui prodotti sono stati attaccati, Microsoft è in testa: il suo sistema operativo Windows è presente in 15 casi. Nella lista ci sono anche Broadcom VMware (6 vulnerabilità), Cyber PowerPanel (5), Litespeed Technologies (4) e i router TOTOLINK (4).
Secondo VulnCheck, in media ogni settimana si verificano più di 11 vulnerabilità critiche con sfruttamento noto, e il loro numero raggiunge le 53 al mese. Contemporaneamente, nel corso del trimestre il database delle vulnerabilità note sfruttate del CISA è stato arricchito con 80 vulnerabilità, ma solo 12 di queste non presentavano precedenti conferme di sfruttamento. Ciò evidenzia la rapidità con cui le informazioni pubbliche sulle vulnerabilità possono raggiungere gli aggressori.
Circa il 26% di tutte le vulnerabilità è ancora in fase di analisi nel NIST National Vulnerability Database e al 3% è già stato assegnato lo stato di “differito”, una nuova categoria introdotta nel 2025.
Un nuovo rapporto sugli incidenti di violazione dei dati di Verizon mostra che l’uso delle vulnerabilità come punto di ingresso per gli attacchi è aumentato del 34% e ora rappresenta un quinto di tutti gli incidenti. Ciò è sottolineato dai dati di Mandiant: per il quinto anno consecutivo, gli exploit restano il metodo più comune di infiltrazione iniziale nei sistemi. Al secondo posto si è piazzato ilphishing, soppiantato dal furto di credenziali.
Secondo la stessa Mandiant, un terzo di tutti gli attacchi nel 2025 è iniziato con lo sfruttamento di vulnerabilità. Si tratta di una percentuale leggermente inferiore rispetto al 2023, quando i casi erano pari al 38%, ma vicina al livello del 2022, pari al 32%. Nonostante l’attività degli aggressori, i meccanismi di difesa stanno diventando più efficaci: il tempo mediano di presenza di un aggressore nel sistema prima di essere rilevato è aumentato solo di un giorno, attestandosi a 11 giorni.
La situazione evidenzia la necessità non solo di aggiornamenti tempestivi, ma anche di un monitoraggio costante delle vulnerabilità, soprattutto nei servizi accessibili al pubblico e nei dispositivi di rete. Con il passare del trimestre, la finestra temporale tra la pubblicazione e il lancio si riduce, rendendo anche un piccolo ritardo nell’aggiornamento un rischio serio.
Con noi pellegrino di speranza, guida e compagno di cammino verso la grande meta alla quale siamo chiamati, il Cielo, il 21 aprile dell’Anno Santo 2025, alle ore 7,35 del mattino, mentre la luce della Pasqua illuminava il secondo giorno dell’Ottava, …
Un velo di seta bianca adagiato sul volto. È uno dei momenti più commoventi e significativi del rito di chiusura della bara del Pontefice defunto, consuetudine antica che hanno conosciuto tutti i predecessori di Francesco.
“Alla diffusione della pandemia da Covid-19, la sera del 27 marzo 2020 volle pregare da solo in piazza San Pietro, il cui colonnato simbolicamente abbracciava Roma e il mondo, per l’umanità impaurita e piagata dal morbo sconosciuto”.
“Ha esercitato il ministero petrino con instancabile dedizione a favore del dialogo con i musulmani e con i rappresentanti delle altre religioni, convocandoli talvolta in incontri di preghiera e firmando dichiarazioni congiunte a favore della concord…
“Fu un pastore semplice e molto amato nella sua arcidiocesi, che girava in lungo e in largo, anche in metropolitana e con gli autobus. Abitava in un appartamento e si preparava la cena da solo, perché si sentiva uno della gente”.
Chissà come si sentivano rincuorati gli “ultimi” nel sapere che il loro salvatore viaggiava in metropolitana solo per raccontarlo nei rogiti e preparava la cena da solo come fosse un’impresa eroica. Gli “scartati” ringraziano sentitamente per l’ispirazione da monolocale.
“Con noi pellegrino di speranza, guida e compagno di cammino verso la grande meta alla quale siamo chiamati, il Cielo, il 21 aprile dell’Anno Santo 2025, alle ore 7.
Papa Francesco: 250mila persone in basilica per l’omaggio alla salma
Dalla mattina di mercoledì 23 aprile alle 11 fino a questa sera alle 19 si sono recate nella basilica di San Pietro per rendere un saluto a Papa Francesco circa 250mila persone. Lo rende noto la Sala Stampa della Santa Sede.
Sono salite a 160 le delegazioni che hanno confermato, finora, la loro presenza ai funerali di Papa Francesco, che verranno presieduti domani alle ore 10 sul sagrato della basilica di San Pietro.
Here’s what we’re focused on this week, as officials across America continue their attacks on the free press.
Administration must release memos on abduction of op-ed writer
Secretary of State Marco Rubio claims the authority to unilaterally declare students who protest the Israel-Gaza war antisemites and terrorism supporters in order to kick them out of the country.
So when even Rubio’s State Department doubts the government has grounds to deport a student — especially an anti-war student from the Middle East — the administration’s position must be exceptionally weak. In the case of Tufts University student Rümeysa Öztürk, it is. According to The Washington Post, internal government memos admit that the only “evidence” against her was her co-authoring an op-ed criticizing the war and that, to state the obvious, this evidence is legally insufficient to justify deportation.
The administration needs to make these memos public. Read more here.
Journalist targeted by Trump 1.0 discusses Trump 2.0
When The Associated Press didn’t bow to President Donald Trump’s demand to refer to the Gulf of Mexico as the “Gulf of America,” he barred the news service from events in the Oval Office and on Air Force One. And when a judge deemed that decision unconstitutional, he spiked the permanent press pool slot for wire services entirely.
This (un)constitutional experiment started in his first term, when he revoked the credentials of individual journalists he disliked, including Brian Karem, a former White House correspondent who covered Trump for Playboy.
Karem spoke about that experience and today’s press restrictions in a webinar hosted by Freedom of the Press Foundation (FPF) last week. He was joined by Caitlin Vogus, senior adviser at FPF, and Stephanie Sugars, who regularly reports on issues of press access to the White House as senior reporter for the U.S. Press Freedom Tracker, a project of FPF. You can watch and read about the conversation here.
Investigating Medicaid fraud through public records
Our series on local journalists who use public-records-based reporting to make a difference continues with a profile of Hannah Bassett, who helped expose a deadly Medicaid fraud scheme targeting Native American communities in Arizona.
“In Arizona, the public records statute allows for the state agencies to claim an exemption if a record is in the state’s interest to withhold,” Bassett explained. “It’s understandable that some information coming out might not be in an agency’s interest, but that doesn’t mean it’s not in the public’s interest.”
“Indirectly, that ability to keep the trial going and his case getting kicked led to the whole uncovering of the Watergate scandal, which led to the downfall of Nixon, which led to him not dropping nuclear weapons on Vietnam,” documentarian Paul Jay told the Hollywood Reporter after Ellsberg died in 2023.
She kept Ellsberg out of jail for leaking the Pentagon Papers; now we’re continuing his fight to defend whistleblowers.
What we’re reading
Keep Texas free speech strong. Leave anti-SLAPP laws alone (Houston Chronicle). Two bills before the Texas Legislature would undermine critical protections against frivolous lawsuits by the powerful to censor their critics. Lawmakers need to listen to the bipartisan backlash and reject the bills.
Police officers who joined Jan. 6 rally ask Supreme Court for anonymity (The Washington Post). It sounds like the requester could just copy the officers’ brief on why their identities shouldn’t be disclosed and recaption it as a brief on why their identities should be disclosed. The First Amendment does not protect public officials from being embarrassed by their unpopular opinions.
Fairphone 3 Top Module 8MP. Vendo causa aggiornamento a versione superiore. Usato da Febbraio 2021 a Ottobre 2022 sul mio cellulare (di cui era equipaggiamento originale).
Price: 15 € :: Questo è un articolo disponibile su FediMercatino.it
Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.
Fairphone 3 Top Module 8MP. Vendo causa aggiornamento a versione superiore. Usato da Febbraio 2021 a Ottobre 2022 sul mio cellulare (di cui era equipaggiamento originale).
Luogo: Torino
Price: 15 € :: Questo è un articolo disponibile su FediMercatino.it
Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.
Televisore 15" senza decoder digitale aggiornato integrato (necessita di decoder TV esterno non incluso). Può essere utilizzato come monitor. Ingressi video SCART, RGB e HDMI. Ingresso USB. Telecomando e cavo alimentazione inclusi.
Price: 20 € :: Questo è un articolo disponibile su FediMercatino.it
Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.
Televisore 15" senza decoder digitale aggiornato integrato (necessita di decoder TV esterno non incluso). Può essere utilizzato come monitor. Ingressi video SCART, RGB e HDMI. Ingresso USB. Telecomando e cavo alimentazione inclusi.
Luogo: Torino
Price: 20 € :: Questo è un articolo disponibile su FediMercatino.it
Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.
Idoneo per l'installazione in PC fissi o per uso esterno attraverso adattatori. Ultimo controllo, funzionante: 08/05/2024 (15 settori danneggiati, come da foto). Formatterò/partizionerò prima della consegna. Posso consegnarlo senza formattazione o con File System a scelta (es. NTFS).
Vendita a Torino, no spedizioni. Prezzo trattabile,
Price: 25 € :: Questo è un articolo disponibile su FediMercatino.it
Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.
Idoneo per l'installazione in PC fissi o per uso esterno attraverso adattatori. Ultimo controllo, funzionante: 08/05/2024 (15 settori danneggiati, come da foto). Formatterò/partizionerò prima della consegna. Posso consegnarlo senza formattazione o con File System a scelta (es. NTFS).
Vendita a Torino, no spedizioni. Prezzo trattabile,
Price: 25 € :: Questo è un articolo disponibile su FediMercatino.it
Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.
Idoneo per l'installazione in PC fissi o per uso esterno attraverso adattatori. Ultimo controllo, funzionante: 08/05/2024. Formatterò/partizionerò prima della consegna. Posso consegnarlo senza formattazione o con File System a scelta (es. NTFS).
Vendita a Torino, no spedizioni. Prezzo trattabile.
Price: 25 € :: Questo è un articolo disponibile su FediMercatino.it
Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.
Idoneo per l'installazione in PC fissi o per uso esterno attraverso adattatori. Ultimo controllo, funzionante: 08/05/2024. Formatterò/partizionerò prima della consegna. Posso consegnarlo senza formattazione o con File System a scelta (es. NTFS).
Vendita a Torino, no spedizioni. Prezzo trattabile.
Price: 25 € :: Questo è un articolo disponibile su FediMercatino.it
Si prega di rispondere con un messaggio diretto/privato al promotore dell'annuncio.
Dire "liberazione" oggi presuppone capire da chi e da che cosa ci dobbiamo liberare. Dire "fascismo" oggi presuppone riconoscerlo, e non è banale. Ciò che ci tiene legati oggi, che blocca la nostra liberazione, sono le abitudini, le comodità a cui ci hanno colpevolmente abituati. Il fascismo di oggi passa attraverso quelle. Creare una moda, che diventa un'abitudine collettiva, significa creare un bisogno che non c'era (che non aveva ragione d'essere), rendendolo un aspetto irrinunciabile della vita di tutti. E allora cercare di liberarsene diventa un'impresa. Ho sentito poco fa in televisione una ragazza ventenne affermare che essere antifascista oggi è una fatica, che comporta molta più vigilanza che in passato perché le nostre libertà, le nostre conquiste sono sempre più minacciate. Mi è piaciuta, ovviamente, tantissimo. Poi ho pensato che, con ogni probabilità, anche lei stasera aprirà Instagram e scorrerà qualche video, o seguirà i suoi personaggi di riferimento su X. Quando si inizia un percorso di terapia, il primo scoglio è vedere, riconoscere. Acquisire consapevolezza del problema. Me lo ricordo bene, mi ci sono voluti diversi anni. Io stasera sento tante persone di buona volontà che dicono cose meravigliose sulla lotta, sul fatto che in tempi come questi bisogna essere pronti a muoversi dal divano, a rinunciare all'inerzia, a mettersi in una posizione scomoda. Verissimo. Seguite la nostra trasmissione dove parliamo della necessità della lotta e della scomodità! Condividete su Facebook e Instagram! Seguiteci su X! Mandateci messaggi su Whatsapp che li leggiamo in diretta! Oggi ho letto un commento (stavolta era nel Fediverso) di un utente che aveva provato un'app alternativa alle solite mainstream per fare qualcosa e che lamentava che l'app era scadente e non ancora pronta a un uso quotidiano: a caricarsi ci aveva messo ben 5 secondi! Eh sì, è proprio una fatica. #25aprile
lucatambe
in reply to Francesca Martini • • •Francesca Martini
in reply to lucatambe • •