News
Alberto Franceschini has died: he was among the founders of the Red Brigades. He was 77
Alberto Franceschini, one of the founders and leading figures of the Red Brigades, has died... Redazione Web (Gazzettino)
I'd like to recommend to everyone the podcast "una mattina", produced by "il Post".
For the 80th anniversary, a history of the Resistance in 15 episodes; the first one seemed very well made to me.
I'm a subscriber, but I believe it's available to everyone, not just subscribers.
Iran: explosion in the port of Bandar Abbas causes a massacre
@Notizie dall'Italia e dal mondo
An explosion in the port of Bandar Abbas, Iran, killed 5 people and injured around 700. The causes are still unclear.
The article "Iran: esplosione nel porto di Bandar" pagineesteri.it/2025/04/26/med…
poems
I feel like writing something nice, too.
During the lockdown a project was born that, unfortunately, we later abandoned.
We had started collecting texts and poems written by refugees in Ticino, with the idea of publishing a book containing the original texts and their Italian translations.
Then everything stopped... incomplete texts, half-finished translations...
In the past few days, a young man who knew nothing about this project sent me some of his poems, written in the hardest moments of his migration journey.
Now that he knows Italian well, he translated them himself, so he could share his past with me in confidence.
They are beautiful, seriously!
And it made me want to pick the project up again 💕
here I am again
so, after 3 weeks at the new job my impressions are the same as, or maybe worse than, those from the first week.
I've socialized a bit with other colleagues and understood some things better about the actual work, but... I don't feel very well and I have bad feelings about it.
True, everything here is new, and I'm very tired because I have a lot of other difficult things to deal with (which I don't feel like sharing right now), and it may be that I'm seeing things irrationally at the moment. But the sense of unease is constant, even when I go home, on weekends, or when I'm with the people I love.
A few years ago I had a heavy burnout and it took me a long time to recover from the depression, made worse by covid and my father's unexpected illness and death.
Sure, I learned a lot from that experience: take time for myself, listen to myself, rest, set some boundaries (no, maybe I haven't learned that one properly yet 🙄), recognize the warning signs.
And yes, in fact I left my last job myself a couple of months ago, precisely because all the warning signs had gone off.
Yesterday morning, unfortunately, something unpleasant happened at the office. I would dare to call it mobbing.
And now I don't know... is it my tiredness? the last warning signs that hadn't been fully silenced yet, or is it a real alarm?
From Good Enough to Best
It was probably Montesquieu who coined the proto-hacker motto “the best is the mortal enemy of the good”. He was talking about compromises in drafting national constitutions for nascent democracies, of course, but I’ll admit that I do hear his voice when I’m in get-it-done mode and start cutting corners on a project. A working project is better than a gold-plated one.
But what should I do, Monte, when good enough turns out to also be the mortal enemy of the best? I have a DIY coffee roaster that has been limping along for years on a blower box built around a fan scavenged in anger from an old Dust Buster. Many months ago, I bought a speed-controllable and much snazzier brushless blower fan to replace it, which would solve a number of minor inconveniences with the current design, but which would also require some building and another dive into the crufty old firmware.
So far, I’ve had good enough luck that the roaster will break down from time to time, and I’ll use that as an excuse to fix that part of the system, and maybe even upgrade another as long as I have it apart. But for now, it’s running just fine. I mean, I have to turn the fan on manually, and the new one could be automatic. I have only one speed for the fan, and the new one would be variable. But the roaster roasts, and a constant source of coffee is mission critical in this house. The spice must flow!
Reflecting on this situation, it seems to me that the smart thing to do is work on smoothing the transitions from good enough to best. Like maybe I could prototype up the new fan box without taking the current one apart. Mock up some new driver code on the side while I’m at it?
Maybe Montesquieu was wrong, and the good and the best aren’t opposites after all. Maybe the good enough is just the first step on the path toward the best, and a wise man spends his energy on making the two meet in the middle, or making the transition from one to the other as painless as possible.
This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!
I don't believe in conspiracy theories, but... Microsoft is taking us for a ride.
I'm sitting here looking at my ASUS gaming laptop, bought new two and a half years ago.
It has 24 GB of RAM, a 12th-gen Core i7 and an SSD that two years ago was top of the line for performance (I don't remember the brand and model now, but it was excellent).
Windows installed from scratch, with only the programs I use for photography and a couple of browsers.
I download a Debian ISO image and meanwhile I have Vivaldi open with a WhatsApp chat.
The system crawls. Everything freezes, even the mouse stops moving. Then it unfreezes, everything works very slowly for 20 seconds, and then it starts all over again.
To me, this is not a coincidence.
This laptop, with Linux, is a beast and still runs perfectly: it never freezes and is always smooth and snappy. I'm obviously referring to the same system conditions, i.e. the same power source and performance settings: with Windows it's always a struggle, even when the programs are the same (e.g. Darktable).
My theory is that... yes, all those articles about planned obsolescence ARE TRUE.
It's not possible that with the same hardware you were playing the latest games on a few years ago, two years later you can't even chat.
And if you're thinking "I must have caught something", no, believe me, that's not it: as I said, it's freshly formatted and I take all the usual precautions.
I mean, really? 😡
You won't believe it, but... after some analysis of the system logs and a bit of searching online...
...it seems the culprit was the indexing service!!! Disabled it, problem solved (though now searches are obviously extremely slow).
Something you wouldn't expect from a big tech company like Microsoft.
So, the initial thesis was partly right; it really smells like we're being taken for a ride!
Look carefully at this photo: what looks like a simple arrangement of blue cutlery... hides a revolution! In fact, these aren't ordinary cutlery (you'll have guessed it): it's a pen turned into tableware! Here is the ingenuity that could save our planet: objects designed to be taken apart, recombined and transformed into something completely different. A pen that becomes a fork, a knife and a spoon: it's like witnessing the victory of creativity over the rigidity of convention!
The real problem is that we've grown used to thinking rigidly.
"If the only tool you have is a hammer, everything starts to look like a nail"
A cognitive bias that's easy to fall into.
Think about it.
When you have a particular tool that has already brought you results and that you know well, you tend to see every problem as if it could be solved with that particular tool, even if better or more appropriate solutions exist.
In other words, if you're used to seeing situations from a certain perspective, you'll be inclined to interpret everything through that perspective, even if it isn't the most functional one.
But what would happen if every object were like this pen-cutlery? Imagine applying this principle to everything around us. A power supply designed for your laptop could also work for your home stereo or your blender, as long as they have the same power requirements. A basic electronic board could be used in both a washing machine and an air conditioner, simply by changing the software. It's like having a gigantic LEGO kit you can build anything with!
Just as citizens are rightly required to sort their recycling or to spend thousands of euros renovating their homes for energy efficiency, we should require companies to use a public database of standardized components. Think of it as a universal library of "recipes" for building every part of every object. Anyone (companies, makers, garage inventors) should be able to access these designs and replicate them.
The real magic begins when we combine this system with 3D printing and electronic boards like Raspberry Pi and Arduino. Let me tell you a personal story: I needed to transfer liquids between two bottles without waste. Someone designed an adapter on their PC, uploaded it to the community database, and now anyone in the world can download the design and replicate it! Just as I did! It's the complete democratization of innovation!
(I'll leave the link in the comments)
When every person on the planet can become an inventor and a manufacturer, we create a global network of problem solvers. A retiree in Japan designs a tablet stand perfect for people with arthritis, a student in Brazil creates an adapter to turn plastic bottles into self-watering planters, an engineer in Germany develops a universal module for repairing household appliances. All these designs are shared for free, printed locally, improved collectively!
Today, when a small gear in an appliance breaks, we're often forced to throw the whole thing away because the manufacturer doesn't sell spare parts or charges almost as much as a new product. With a system of standardized components, the companies' monopoly on spare parts ends. They can no longer form a cartel (that is, secretly agree to keep prices high) because anyone could produce that part!
But here's the fascinating part: when we learn to think in a fluid and adaptable way, we naturally become more resistant to manipulation! It's like developing a mental immune system. Those who practice daily brainstorming and embrace lateral thinking find they have an inner compass guiding them through media noise, social pressures and the prepackaged narratives of politics and economics.
Think about how stories are told in our societies: films, books, TV series feed us the same stereotypes over and over. The result? We end up playing these roles in real life, believing they're the only possible normality. It's a vicious circle that traps us in prefabricated behavioral patterns, fueling anxieties and depressions that we then treat with drugs which, what a coincidence, are already available both as brand names... and as generics! If we do it with medicines, why not with everything else?
Nature teaches us that nothing is truly fixed or immutable. Ecosystems adapt, evolve, transform continuously. So why do we insist on building such rigid social and economic systems? It's time to learn from biology: survival lies in adaptability, not in resistance to change.
This fluidity of thought should extend to every aspect of our existence. In human relationships, for example, we should stop boxing ourselves into predefined roles and start exploring who we really are. Society has sold us the idea that there are standard paths to happiness, but the reality is that each of us is a unique ecosystem that deserves to be explored without preconceptions.
When we stop following predefined patterns and start thinking for ourselves, our true personalities emerge. We develop a kind of "mental antibodies" that protect us from excessive simplifications and prepackaged narratives. In a world where everyone thinks fluidly and creatively, no one can control collective thought anymore!
Change begins with the way we think. If we keep seeing the world through rigid patterns, we'll do nothing but repeat the same mistakes. But if we start thinking in a fluid, modular, adaptable way, then yes, we can create a different future. A future where every object, every relationship, every idea can be taken apart and put back together in infinite ways, just like that BIC pen which, in its brilliant simplicity, turns into cutlery and reminds us that change is not only possible, it's inevitable when we dare to imagine it!
Spooky Tooth – Spooky Two - This is an automatic post from FediMercatino.it
Price: 19 €
Blues in Vinile issue no. 73, complete with booklet
Shipping to be added to the price, or collection in person in Livorno
Condizione: Near Mint
Label: Island – LPS 9098
Series: Blues In Vinile – 73
Format: Vinyl, LP, Album, Reissue, Stereo, Gatefold, 180 gr.
Country: Italy
Released: Jul 24, 2018
Genre: Rock
Style: Blues Rock, Psychedelic Rock
Price: 19 € :: This is a listing available on FediMercatino.it
Please reply with a direct/private message to the poster of the listing.
For information on: Fedimercatino: About us
SAP under attack: new 0-day vulnerability with a score of 10 could hit companies and governments
SAP has released an out-of-band patch for a critical vulnerability in the NetWeaver platform, rated the maximum 10 out of 10. Experts suspect the bug has already been exploited in the wild as a zero-day, but this cannot be confirmed with certainty: SAP restricts access to the vulnerability details, making them available only to customers with a paid support subscription.
The vulnerability identifier, however, is known: CVE-2025-31324. According to the short description in the US National Vulnerability Database (NVD), the problem lies in the metadata uploader component of Visual Composer, NetWeaver's no-code application builder. NVD states that the SAP NetWeaver Visual Composer metadata uploader is not protected by proper authorization, allowing unauthenticated attackers to upload potentially malicious executable files. This can have a serious impact on the confidentiality, integrity and availability of the attacked system.
According to Onapsis, a company specializing in SAP security, the vulnerability has indeed been exploited in zero-day attacks. Attackers exploiting it can take full control of SAP business data and processes, opening the way to ransomware deployment and lateral movement across the network. Onapsis strongly advises SAP customers to install the emergency patch released today immediately and to examine vulnerable systems for signs of compromise.
Some security researchers noted similarities between the vulnerability description and a ReliaQuest publication from earlier in the week. ReliaQuest reported investigating "several incidents" in which SAP environments had been infected with JSP-based webshells. The affected systems were fully up to date, with all available patches installed.
ReliaQuest observed that the uploaded webshells allowed the attackers to transfer files and execute code on the servers. At the time of publication, the company hypothesized that the problem might be related either to an old NetWeaver vulnerability (CVE-2017-9844, score 9.8) or to a new, then-unknown bug. During incident response it was found that the attackers used Brute Ratel, a command-and-control framework popular with penetration testers, together with the Heaven's Gate technique to evade detection and execute code.
ReliaQuest also warned that successful attacks exploiting this vulnerability could compromise high-value targets. Since SAP is widely used by large companies and government bodies around the world, including the UK government, any zero-day in these systems makes them an attractive target for cybercriminals, especially if it allows ransomware to be deployed.
The article "SAP under attack: new 0-day vulnerability with a score of 10 could hit companies and governments" originally appeared on il blog della sicurezza informatica.
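What a practitioner wants after reading the ReliaQuest findings is a way to hunt for uploaded JSP webshells on their own NetWeaver hosts. The script below is an added example, not tooling from ReliaQuest, Onapsis or SAP: it walks a deployed web root and flags JSP pages that both read attacker-controllable request data and hand it to command execution, the classic webshell shape. The indicator regexes, the directory layout and the three sample pages are my own constructed assumptions, not published signatures; a real hunt would add file mtime, ownership and hash checks against a known-good deployment.

```python
import os
import re
import tempfile

# Heuristic indicators (my own choice, not a published signature): Java APIs that run
# OS commands, decode payloads or load classes reflectively, paired with data taken
# from the HTTP request. Either half alone is common in legitimate pages.
EXEC_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\s*\.exec\s*\("),
    re.compile(r"new\s+ProcessBuilder\s*\("),
    re.compile(r"Base64\.getDecoder\(\)\s*\.decode\s*\("),
    re.compile(r"Class\.forName\s*\("),
]
INPUT_PATTERNS = [
    re.compile(r"request\.getParameter\s*\("),
    re.compile(r"request\.getHeader\s*\("),
    re.compile(r"request\.getInputStream\s*\("),
]


def score_jsp(source: str) -> dict:
    """Count exec-style and request-input indicators in one JSP source."""
    exec_hits = [p.pattern for p in EXEC_PATTERNS if p.search(source)]
    input_hits = [p.pattern for p in INPUT_PATTERNS if p.search(source)]
    return {
        "exec": exec_hits,
        "input": input_hits,
        # input from the request AND command execution in the same page: webshell shape
        "suspicious": bool(exec_hits) and bool(input_hits),
    }


def scan_tree(root: str) -> list:
    """Walk a deployed web root; return (path, score) for every suspicious .jsp/.jspx."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = score_jsp(fh.read())
            if result["suspicious"]:
                findings.append((path, result))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample web root (hypothetical paths): two benign pages, one webshell."""
    root = tempfile.mkdtemp(prefix="jsp-demo-")
    samples = {
        # benign: reads a parameter but never executes anything
        "webroot/hello.jsp": '<html><body>Hello <%= request.getParameter("name") %></body></html>',
        # webshell shape: command string taken from the request, passed to Runtime.exec
        "webroot/helper.jsp": (
            '<%@ page import="java.io.*" %>\n'
            '<% String c = request.getParameter("cmd");\n'
            '   Process p = Runtime.getRuntime().exec(c);\n'
            '   out.print(new String(p.getInputStream().readAllBytes())); %>'
        ),
        # benign-looking: fixed command, no request input (e.g. a health page)
        "webroot/health.jsp": '<% Runtime.getRuntime().exec("uptime"); %>',
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, result in scan_tree(build_demo_tree()):
        print(path, "exec:", result["exec"], "input:", result["input"])
```

Run it against the real deployment directory instead of `build_demo_tree()`; anything it flags still needs a human read, since the patterns are deliberately broad and a packed or string-split shell will evade them, which is why the mtime and known-good comparison matter more than the regexes.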
Digital Squid’s Behavior Shaped by Neural Network
In the 90s, a video game craze took over the youth of the world — but unlike today’s games that rely on powerful PCs or consoles, these were simple, standalone devices with monochrome screens, each home to a digital pet. Often clipped to a keychain, they could travel everywhere with their owner, which was ideal from the pet’s perspective since, like real animals, they needed attention around the clock. [ViciousSquid] is updating this 90s idea for the 20s with a digital pet squid that uses a neural network to shape its behavior.
The neural network that controls the squid's behavior takes a large number of variables into account, including whether or not it's hungry or sleepy, or whether it sees food. The network adapts as different conditions are encountered, allowing the squid to make decisions and strengthen its own algorithms. [ViciousSquid] is using a Hebbian learning rule, which strengthens connections between neurons that frequently activate together. Additionally, the squid can form both short- and long-term memories, and the network can even grow new neurons on its own as needed.
[ViciousSquid] is still working on this project, and hopes to eventually implement a management system in the future, allowing the various behavior variables to be tracked over time and overall allow it to act in a way more familiar to the 90s digital pets it’s modeled after. It’s an interesting and fun take on those games, though, and much of the code is available on GitHub for others to experiment with as well. For those looking for the original 90s games, head over to this project where an emulator for Tamagotchis was created using modern microcontroller platforms.
The son of the CIA deputy director died in Ukraine while fighting alongside the Russians
An environmental activist who, according to his father, "wouldn't have hurt a flea". He was one of the few Americans to have fought with Moscow's forces in the war against Ukraine. Alessandro D'Amato (Open)
A pope is dead, make yourselves another one and be done with it
For days nobody has talked about anything but the dead pope; even from the stage of the April 25 celebrations in Milan, the first sentence was a tribute to the pope.
But, in practical terms, what did this pope do to deserve all these eulogies?
How nice it would be to live in a country where Catholics praise him all they want and everyone else just says "poor man, I'm sorry" and moves on, as one would for any other person.
And, above all, what does the right have to praise?
Apart from the homophobia, what other points of contact are there between this pope's values and theirs? On migrants they were opposites, on prisoners they were opposites, on support for the least fortunate they were opposites... is having said "frociaggine" enough to make him a pope worth 5 days of mourning, more than if an ayatollah died in Iran?
Not to mention the people sending around Pope Francis cartoons complete with quotes... huh?!
Amazing Oscilloscope Demo Scores The Win At Revision 2025
Classic demos from the demoscene are all about showing off one’s technical prowess, with a common side order of a slick banging soundtrack. That’s precisely what [BUS ERROR Collective] members [DJ_Level_3] and [Marv1994] delivered with their prize-winning Primer demo this week.
This demo is a grand example of so-called “oscilloscope music”—where two channels of audio are used to control an oscilloscope in X-Y mode. The sounds played determine the graphics on the screen, as we’ve explored previously.
The real magic is when you create very cool sounds that also draw very cool graphics on the oscilloscope. The Primer demo achieves this goal perfectly. Indeed, it’s intended as a “primer” on the very artform itself, starting out with some simple waveforms and quickly spiraling into a graphical wonderland of spinning shapes and morphing patterns, all to a sweet electronic soundtrack. It was created with a range of tools, including Osci-Render and apparently Ableton 11, and the recording performed on a gorgeous BK Precision Model 2120 oscilloscope in a nice shade of green.
If you think this demo is fully sick, you’re not alone. It took out first place in the Wild category at the Revision 2025 demo party, as well as the Crowd Favorite award. High praise indeed.
We love a good bit of demoscene magic around these parts.
Thanks to [STrRedWolf] for the tip!
The social media trend of filming cats and dogs while picking them up and spinning around is risky, here's why
Follow La Zampa on Facebook (click here), Instagram (click here) and X (click here) - Don't miss the best news and stories, subscribe to the weekly newsletter… Noemi Penna (HuffPost Italia)
Microsoft offers up to $30,000 to whoever finds AI bugs in Dynamics 365 and Power Platform!
Microsoft announced that it is raising the top award of its bug bounty program to $30,000 for AI vulnerabilities found in Dynamics 365 and Power Platform services and products.
Power Platform contains apps that help companies analyze data and automate processes, while Dynamics 365 is a suite of business applications for enterprise resource planning (ERP) and customer relationship management (CRM).
"We invite individuals and organizations to identify vulnerabilities in Dynamics 365 and Power Platform applications and share them with our team. Submissions may be eligible for awards ranging from $500 to $30,000," the company said in a statement.
The AI vulnerabilities in scope include output spoofing, model manipulation, and critical or severe leakage of sensitive information through queries.
To qualify for an award, a vulnerability must be classified as critical or important under Microsoft's AI vulnerability severity classification, and the issue must be reproducible in a specific product or service eligible for the program.
At the same time, the company notes that the payout may even exceed the stated amounts; everything depends on the scope and severity of the vulnerabilities found and on the quality of the submission.
Last year Microsoft expanded its bug bounty program by launching Zero Day Quest, a hacking event dedicated to cloud products and AI platforms. As emerged this week, the company ended up paying more than $1 million to researchers who discovered more than 600 vulnerabilities.
The article "Microsoft offers up to $30,000 to whoever finds AI bugs in Dynamics 365 and Power Platform!" originally appeared on il blog della sicurezza informatica.
New Linux rootkit invisible to antivirus discovered: the threat is called Curing
The problem concerns the Linux kernel's io_uring interface and lets rootkits go unnoticed, bypassing modern enterprise security tools. The gap was documented by researchers at ARMO, who built a proof-of-concept rootkit called Curing to demonstrate attacks that use io_uring.
io_uring is a Linux kernel interface for asynchronous I/O operations. It was introduced in 2019 in Linux 5.1 to address the performance and scalability problems of the traditional I/O system calls.
Instead of issuing a system call for every operation, which adds overhead and blocks the calling process, io_uring uses ring buffers shared between the program and the kernel: the program queues I/O requests in a submission ring, the kernel processes them asynchronously and reports results in a completion ring.
According to the researchers, the problem arises because most security tools monitor system calls and suspicious hooks (such as ptrace or seccomp) but ignore everything that goes through io_uring, creating a dangerous blind spot.
io_uring supports a wide range of operations, including reading and writing files, creating and accepting network connections, spawning processes, changing file permissions and listing directory contents, which makes it a powerful tool, especially for a rootkit. Google considered the risk serious enough to disable io_uring by default on Android and ChromeOS.
To test their theory, ARMO developed Curing, a rootkit that uses io_uring to receive commands from a remote server and perform arbitrary operations without issuing the corresponding system calls. Testing Curing against several well-known security solutions showed that most of them could not detect its activity.
ARMO also reports testing commercial tools and confirming that they could not detect malware operating through io_uring, though the researchers did not disclose which commercial products were tested. For anyone wanting to test their own environment's resilience against this kind of threat, ARMO has published Curing on GitHub.
The researchers believe the problem can be addressed with Kernel Runtime Security Instrumentation (KRSI), which allows eBPF programs to be attached to security-relevant kernel events (the LSM hooks). Those hooks fire on the file, network and process operations themselves, so they observe an action whether it was requested through a system call or through an io_uring ring.
The article "New Linux rootkit invisible to antivirus discovered: the threat is called Curing" originally appeared on il blog della sicurezza informatica.
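Until kernel-side instrumentation of that kind is in place, a cheap first triage question is "which processes on this host hold an io_uring instance at all?". An io_uring ring is an anonymous inode, so it appears in /proc/<pid>/fd as a symlink to anon_inode:[io_uring]. The script below is an added example, not ARMO's code and not Curing: it enumerates those links, and it builds a small fake /proc tree (constructed sample data with hypothetical process names) so it runs offline and deterministically.

```python
import os
import tempfile

# An io_uring instance shows up in /proc/<pid>/fd as a symlink to this anonymous inode name.
IO_URING_LINK = "anon_inode:[io_uring]"


def is_io_uring_fd(link_target: str) -> bool:
    return link_target == IO_URING_LINK


def read_comm(proc_root: str, pid: str) -> str:
    """Process name from /proc/<pid>/comm, or '?' if it vanished."""
    try:
        with open(os.path.join(proc_root, pid, "comm"), encoding="utf-8", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def find_io_uring_users(proc_root: str = "/proc") -> dict:
    """Return {pid: {"comm": name, "rings": n}} for every process holding io_uring fds."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip /proc/self, /proc/sys and friends
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or no permission: run as root for full coverage
        rings = 0
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # fd closed between listdir and readlink
            if is_io_uring_fd(target):
                rings += 1
        if rings:
            hits[int(entry)] = {"comm": read_comm(proc_root, entry), "rings": rings}
    return hits


def _fake_process(root: str, pid: int, comm: str, fd_targets: list) -> None:
    """Create /<root>/<pid>/{comm,fd/N} mimicking the real /proc layout."""
    pdir = os.path.join(root, str(pid))
    os.makedirs(os.path.join(pdir, "fd"))
    with open(os.path.join(pdir, "comm"), "w", encoding="utf-8") as fh:
        fh.write(comm + "\n")
    for i, target in enumerate(fd_targets):
        os.symlink(target, os.path.join(pdir, "fd", str(i)))  # dangling links are fine here


def build_demo_proc() -> str:
    """Constructed stand-in for /proc: a database, a suspect process, an idle shell."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    _fake_process(root, 101, "postgres", ["/dev/null", "socket:[12345]", IO_URING_LINK])
    _fake_process(root, 202, "suspect", ["/dev/null", IO_URING_LINK, IO_URING_LINK])
    _fake_process(root, 303, "bash", ["/dev/pts/0", "/dev/pts/0", "/dev/pts/0"])
    os.makedirs(os.path.join(root, "sys"))  # non-numeric entry, must be ignored
    return root


if __name__ == "__main__":
    for pid, info in sorted(find_io_uring_users(build_demo_proc()).items()):
        print(f"pid={pid} comm={info['comm']} io_uring_fds={info['rings']}")
```

Call `find_io_uring_users()` with no argument to scan the live host. Two caveats: legitimate software (databases, runtimes, some web servers) uses io_uring, so a hit is an inventory item, not an alert; and a rootkit that already has kernel code can lie to /proc, so this is a userland sanity check, not a substitute for LSM-level visibility.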
Microsoft mistakenly blocks Adobe emails in Exchange Online: the AI is to blame
Microsoft recently reported that it has fixed a problem in one of its machine learning models that caused Adobe emails in Exchange Online to be wrongly classified as spam.
The company explained that starting April 22 users had trouble opening URLs in Adobe notifications, while at the same time receiving alerts that a potentially malicious click on a suspicious URL had been detected. These alerts normally appear when Exchange Online users click a link in an email that is later found to be malicious.
"We discovered that our machine learning model that protects Exchange Online from dangerous emails was misidentifying legitimate emails as spam because of their similarity to emails used in spam attacks," Microsoft said in a statement. "To resolve the issue, we initiated a new Replay Time Travel (RTT) check for the affected URLs to fully mitigate the impact. The incident affected only some users served through the affected infrastructure."
Finally, the company said it has already implemented measures to reduce the number of false positives by improving the machine learning logic, so that legitimate emails are no longer misclassified as spam and delivery problems do not recur.
Microsoft gave no further details on the affected regions or the number of affected users.
Last month Microsoft fixed a similar false-positive problem in Exchange Online, in which some users' emails were mistakenly quarantined.
The article "Microsoft mistakenly blocks Adobe emails in Exchange Online: the AI is to blame" originally appeared on il blog della sicurezza informatica.
RP2040 Spins Right ‘Round inside POV Display
Sometimes, a flat display just won't cut it. If you're looking for something a little rounder, perhaps your vision could persist in looking at [lhm0]'s rotating LED sphere RP2040 POV display.
As you might have guessed from that title, this persistence-of-vision display uses an RP2040 microcontroller as its beating (or spinning, rather) heart. An optional ESP01 provides a web interface for control. Since the whole assembly is rotating at high RPM, rather than slotting in dev boards (like the Pi Pico) as is often seen, [lhm0] has made custom PCBs to hold the actual SMD chips. Power is wireless, because who wants to deal with slip rings when they do not have to?
The LED-bending jig is a neat hack-within-a-hack.
[lhm0] has also bucked the current trend for individually-addressable LEDs, opting instead to drive individual through-hole RGB LEDs via a 24-bit shift register. Through the clever use of interlacing, those 64 LEDs produce a 128-line display. [lhm0] designed and printed an LED-bending jig to aid mounting the through-hole LEDs to the board at a perfect 90 degree angle.
What really takes this project the extra mile is that [lhm0] has also produced a custom binary video/image format for the display, .rs64, to encode images and video at the 128×256 resolution the sphere shows. That's on GitHub, while a separate repository hosts the firmware and KiCad files for the display itself.
This is hardly the first POV display we’ve highlighted, though admittedly it isn’t the cheapest one. There are even other spherical displays, but none of them seem to have gone to the trouble of creating a file format.
If you want to see it in action and watch construction, the video is embedded below.
Hash Functions with the Golden Ratio
In the realm of computer science, it’s hard to go too far without encountering hashing or hash functions. The concept appears throughout security, from encryption to password storage to crypto, and more generally whenever large or complex data must be efficiently mapped to a smaller, fixed-size set. Hashing makes the process of looking for data much faster for a computer than performing a search and can be incredibly powerful when mastered. [Malte] did some investigation into hash functions and seems to have found a method called Fibonacci hashing that not only seems to have been largely forgotten but which speeds up this lookup process even further.
In a typical hashing operation, the data is transformed in some way, with part of this new value used to store it in a specific location. That second step is often done with an integer modulo function. But the problem with any hashing operation is that two different pieces of data end up with the same value after the modulo operation is performed, resulting in these two different pieces of data being placed at the same point. The Fibonacci hash, on the other hand, uses the golden ratio rather than the modulo function to map the final location of the data, resulting in many fewer instances of collisions like these while also being much faster. It also appears to do a better job of using the smaller fixed-size set more evenly as a consequence of being based around Fibonacci numbers, just as long as the input data doesn’t have a large number of Fibonacci numbers themselves.
Working through the math [Malte] lays out in his write-up shows that, at least for the slot-mapping step of a hash function, Fibonacci hashing performs much better than integer modulo. Some of the comments note that it is a specific case of a more general technique called multiplicative hashing. Either way, it may be worth a look for anyone using hash tables in their code; [Malte] admits he does not know everything about this branch of computer science, but still goes into an incredible amount of depth on this specific method. If you’re a newcomer to the topic, take a look at the story of the person who put an enormous bounty on a bitcoin wallet, which shows why inverting a hash is so hard.
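As an added illustration (not code from [Malte]’s write-up or from this article), the following Python reproduces the slot-mapping step both ways and counts how many table slots each mapping uses for a few constructed key sets, including the Fibonacci-number case mentioned above. The 64-bit constant is 2^64/φ rounded to an odd integer; the key sets are constructed for the demonstration.

```python
# Added example: Fibonacci (multiplicative) hashing versus integer modulo for
# the "hash value -> table slot" step. Not code from [Malte]'s post.

# 2**64 / golden ratio, rounded to the nearest odd integer (0x9E3779B97F4A7C15)
GOLDEN_64 = 11400714819323198485
MASK_64 = (1 << 64) - 1


def fibonacci_hash(key: int, bits: int) -> int:
    """Map a 64-bit key to a slot in a table of 2**bits entries.

    Multiply by 2**64/phi (mod 2**64) and keep the top `bits` bits of the
    product: one multiply and one shift, no integer division.
    """
    if not 0 < bits <= 64:
        raise ValueError("bits must be in 1..64")
    return ((key * GOLDEN_64) & MASK_64) >> (64 - bits)


def modulo_hash(key: int, bits: int) -> int:
    """The conventional mapping: key mod table size."""
    return key % (1 << bits)


def bucket_spread(keys, bits: int, fn) -> int:
    """Number of distinct slots hit by `keys` under mapping `fn`.

    A spread close to len(keys) means few collisions at the mapping step.
    """
    return len({fn(k, bits) for k in keys})


def fibonacci_number_keys(count: int):
    """First `count` Fibonacci numbers: the known bad input for this scheme.

    F(n)/phi is almost an integer, so the fractional part that selects the
    slot is nearly 0 or nearly 1 for every large F(n).
    """
    a, b = 0, 1
    out = []
    for _ in range(count):
        out.append(a)
        a, b = b, a + b
    return out


if __name__ == "__main__":
    BITS = 10  # 1024-slot table
    # Constructed key sets for the demo.
    aligned = [i * 1024 for i in range(1000)]   # e.g. page-aligned pointers
    sequential = list(range(1000))              # e.g. auto-increment IDs
    fibs = fibonacci_number_keys(40)            # the pathological case
    for name, keys in [("aligned", aligned), ("sequential", sequential), ("fibonacci", fibs)]:
        print(f"{name:>10}: modulo -> {bucket_spread(keys, BITS, modulo_hash):4d} slots, "
              f"fibonacci -> {bucket_spread(keys, BITS, fibonacci_hash):4d} slots")
```

Multiples of the table size all fall into slot 0 under modulo but spread out under Fibonacci hashing; conversely, a run of Fibonacci numbers collapses onto a handful of slots under Fibonacci hashing while modulo keeps them apart, which is the caveat from the text made concrete.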
School of Liberalism 2025: Sofia Ventura – War and Public Diplomacy, the Ukrainian Case
@Domestic, European and international politics
Sofia Ventura is an associate professor at the Department of Political and Social Sciences of the University of Bologna. She is also a columnist for La Stampa and L’Espresso. In 2022 she published the book Come nasce un leader. Volodymyr Zelensky:
Domestic, European and international politics reshared this.
XOR Gate as a Frequency Doubler
[IMSAI Guy] grabbed an obsolete XOR gate and tried a classic circuit to turn it into a frequency doubler. Of course, being an old part, it won’t work at very high frequencies, but the circuit is super simple, just using the gate and an RC network. You can see a video of his exploration below.
The simple circuit seems like it should work, but in practice, it needed an extra component. In theory, the RC circuit acts as an edge detector. So, each edge of the input signal causes a pulse on the output as the second input lags the first.
That sounds good, but it looked terrible on the scope until a 1K resistor tied to the capacitor shifted the bias point of the gate. In all fairness, the original schematic used a Schmitt trigger gate, which may have made a difference had one been available. There were slight differences, though, depending on the type of device. An LS part, for example, didn’t need the extra resistor.
Of course, an RC network is just one way to delay the input, and the delay determines the width of the output pulse and constrains the input frequency and duty cycle. However, you could use other gates, including the other XOR gates in the same package, to realize a fast delay.
Frequency doublers are very common at microwave frequencies, but they don’t work in the same way. There are several ways to do it, but a common method is to use a nonlinear element to generate plenty of harmonics and then filter off everything but the second one. Or the third one, if you wanted a tripler instead.
youtube.com/embed/oaiqkirNTsM?…
Triada strikes back
Introduction
Older versions of Android contained various vulnerabilities that allowed gaining root access to the device, and many malicious programs exploited them to elevate their privileges and gain persistence; the notorious Triada Trojan used this attack vector too. Over time the vulnerabilities were patched and restrictions were added to the firmware. In particular, system partitions in recent Android versions cannot be modified even with superuser privileges. Ironically, this has benefited malicious actors: while external malware now faces tighter permission restrictions, pre-installed malware inside a system partition has become impossible to remove. Attackers leverage this by embedding malicious code into Android device firmware. This is how one of our earlier findings, the Dwphon loader, worked: it was built into the system apps responsible for over-the-air (OTA) updates.
In March 2025, our research highlighted the Triada Trojan’s evolved tactics for overcoming Android’s tightened privilege restrictions. Attackers now embed a sophisticated multi-stage loader directly into the device firmware. This lets the Trojan infect the Zygote process and thereby compromise every application running on the system.
Key takeaways:
- We discovered new versions of the Triada Trojan on devices whose firmware was infected even before they were available for sale. These were imitations of popular smartphone brands, and they remained available from various online marketplaces at the time of our research.
- A copy of the Trojan infiltrates every application launched on an infected device. The modular architecture of the malware gives attackers virtually unlimited control over the system, enabling them to tailor functionality to specific applications.
- In the current version of Triada, the payloads we have analyzed exhibit several malicious behaviors depending on the host application. Specifically, they can modify cryptocurrency wallet addresses during transfer attempts, replace links in browsers, send arbitrary text messages and intercept replies, and steal login credentials for messaging and social media apps.
The complete infection chain looks like this:
Kaspersky products detect the new version of Triada as Backdoor.AndroidOS.Triada.z.
System framework with a malicious dependency
Our initial investigation focused on native libraries included in the firmware of several devices, located in:
- /system/framework/arm/binder.so
- /system/framework/arm64/binder.so
The file is not present in a reference Android build. We found that the suspicious library was loaded into Zygote, the parent process of every Android application, by an infected ahead-of-time (AOT) compiled Android system framework (boot-framework.oat) located in the same directory.
Malicious dependency in boot-framework.oat
The binder.so library registers a native method, println_native, for the android.util.Log class, used by applications installed on the device to write messages to Logcat. The implementation of this method calls a suspicious function, _config_log_println.
Call to the suspicious function
The _config_log_println function then calls two other functions that deploy three modules, contained in the rodata section of the malicious library, into every process launched on the device. One of the functions runs every time, while the other one only runs if the Android OS on the device is Version 9 or earlier.
Execution of the two malicious functions
Let us take a closer look at the modules that these launch.
1. Auxiliary module
This module, taken from the .rodata section of the malicious library, is written to the application’s internal data directory under the name systemlibarm64_%N%.jar, where N is a random number.
The auxiliary module registers a receiver that can load arbitrary code files, although we did not observe this happening in the cases described below. We call this module auxiliary because other payloads rely on it to carry out their malicious functions. For example, binder.so registers native methods for the com.android.core.info.config.JvmCore class from this module that can intercept calls to arbitrary methods within the process where the malware is running.
2. The mms-core.jar backdoor
This module undergoes a double XOR decryption process with different keys pulled from the rodata section of the malicious library. After decryption, it is saved to disk as /data/data/%PACKAGE%/mms-core.jar and then loaded using DexClassLoader. Once the loading is complete, the payload file is deleted.
This mms-core.jar is a new iteration of a backdoor we mentioned in our earlier reports. In contrast to past versions, which exploited and modified system files to load itself into Zygote, the malware now achieves reliable Zygote access by leveraging a compromised system framework. Similar to previous versions, the backdoor downloads and executes other payloads.
3. Crypto stealer or dropper?
Immediately upon starting, the binder.so library reads the file /proc/%PID%/cmdline, where %PID% is the ID of the process it has been loaded into. This is how the Trojan determines the package name of the running app.
Based on the package name, binder.so loads either a crypto stealer loader (if the application is cryptocurrency-related) or a dropper from the rodata section. Neither payload is encrypted.
Triada crypto stealer
In previous Triada versions we analyzed, cryptocurrency applications were immediately infected with a crypto stealer. However, in these latest samples, the malicious module is a loader specifically targeting apps with the following package names:
- com.binance.dev
- com.wrx.wazirx
- com.coinex.trade.play
- com.okinc.okex.gp
- pro.huobi
- com.kubi.kucoin
The entry point of this malicious loader is the onCreate method in the com.hwsen.abc.SDK class. In the latest versions, this module requests a configuration from a GitHub repository. Using a pseudo-random number generator, the sample picks a number (0, 1, or 2), each corresponding to a specific repository address.
All field values within the configuration are encrypted using AES-128 in ECB mode and then encoded with Base64. An example of a decrypted configuration is shown below:
{
    "addr": {
        "durl": "app-file.b-cdn[.]net/poctest/p…",
        "durl2": "app-file.b-cdn[.]net/poctest/p…",
        "durl3": "app-file.b-cdn[.]net/poctest/p…",
        "ver": 17,
        "vname": "pc2215202501061400.zip",
        "online": true,
        "rom": true,
        "update": true,
        "pkg": "com.android.system.watchdog.x.Main",
        "method": "onCreate",
        "param": "t"
    }
}
If online equals true, the loader downloads a payload from the URL specified in the durl field. If errors occur, it uses durl2 and durl3 as backup links. The downloaded payload is decrypted using XOR with a hardcoded key and saved to the application’s internal data directory under the name specified in the vname parameter. The pkg and method fields represent the class name and method, respectively, that will be called after the crypto stealer is loaded via DexClassLoader.
The downloaded payload attempts to steal the victim’s cryptocurrency using various methods. For example, it monitors running activities at preset intervals. This allows the Trojan to intercept attempts at withdrawing cryptocurrency and replace the victim’s crypto wallet addresses in the relevant text fields with addresses belonging to the attackers. To achieve this, the malware runs a depth-first search for all graphical sub-elements within the current frame, identifying the blockchain to which the funds are being sent. The Trojan then swaps the crypto wallet address with a hardcoded one and replaces the click handlers of all buttons in the application with a proxy handler that swaps the crypto wallet address again, ensuring the attackers can steal the funds. Interestingly, the crypto stealer also replaces image elements with generated QR codes containing attacker-controlled wallet addresses.
The Trojan also monitors the clipboard contents and, if it finds a crypto wallet address, it gets replaced with an address belonging to the attackers.
Dropper
If the binder.so library happens to run in an app unrelated to cryptocurrency, it downloads a different payload. This is a dropper that calls the onCreate method within the com.system.framework.api.vp2130.services class. Depending on the version, it can extract up to three Base64-encoded additional modules from its own contents.
- The dropper loads a com.android.packageinstaller.apiv21.ApiV21 class from the first module inside the system APK installer app. This class registers a receiver that allows other modules to install arbitrary APKs on the device and also uninstall any apps.
Beginning with Android 13, apps from untrusted sources are restricted from accessing sensitive permissions, such as those for accessibility services. To bypass these restrictions for sideloaded apps, the receiver installs them through an installation session in newer Android versions.
- The com.system.framework.audio.Audio class, loaded from the second module, is used to block network connections. Depending on the system architecture, it decodes and loads a native helper library. This library uses the xhook library to intercept calls to the getaddrinfo and android_getaddrinfofornet functions, which handle the communication with Android’s dnsproxyd service, the daemon that performs DNS resolution in a client-server model. If the attackers have sent a command to block a specific domain, the hook swaps the requested name so that the lookup resolves to 127.0.0.1, making the original domain unreachable.
Intercepting the dnsproxyd communications functions
Thus, the malware can block requests to anti-fraud services unless they use a custom DNS implementation.
- The com.system.framework.api.init.services class is also loaded from the third module to download arbitrary payloads. For this purpose, the malware periodically transmits a wealth of device information (MAC address, model, CPU, manufacturer, IMEI, IMSI, etc.), along with the host application name and version, to its command-and-control server. Before being sent, the data is encrypted using AES-128 in CBC mode and then encoded with Base64. The C2 responds with a JSON file containing information about the payload, also encrypted with AES-128 in CBC mode. The infected device receives the key and initialization vector (IV) RSA-encrypted from the C2 within the same JSON.
Decoding, loading, and running the payload
For convenience, we will refer to this module as the Triada backdoor going forward. It is this module that holds the greatest interest for our research, as it provides the malware with a wide range of capabilities. A closer look at the Triada threat actor’s objectives yielded a somewhat surprising result. Whereas previous malicious samples mainly displayed ads and signed users up for paid subscriptions, the attackers’ priorities have now drastically changed.
What Triada downloads
To understand exactly how the attackers’ priorities have shifted, we decided to try downloading the payloads for various popular apps. We observed that the binder.so malicious library passes a flag to the dropper upon starting if the application’s name is on a list within its code. This list included both system apps and popular apps from official stores.
This list served as the starting point for our investigation. For all the listed applications, we sent requests to the malware C2, and some of them returned links to download payloads. As an example, this is the response we received from the Trojan after requesting a payload for Telegram:
{
    "a": 0,
    "b": "40E315FB00M8EP2G49008INIK7000002",
    "c": 1373225559,
    "d": [{
        "a": 72,
        "b": "ompe2.7u6h8[.]xyz/tgzip/44a08d…",
        "c": "com.tgenter.tmain.Engine",
        "d": "start",
        "e": 32,
        "f": "44a08dc22b45b9418ed427fd24c192c6",
        "g": "mp2y3.sm20j[.]xyz/tgzip/44a08d…"
    }, {
        "a": 127,
        "b": "ompe2.7u6h8[.]xyz/tgzip/tgnetu…",
        "c": "com.androidx.tlttl.tg.CkUtils",
        "d": "init",
        "e": 7,
        "f": "37fd87f46e95f431b1977d8c5741d2d5",
        "g": "mp2y3.sm20j[.]xyz/tgzip/tgnetu…"
    }],
    "e": 245,
    "g": ["com.instagram.android"],
    "h": "org.telegram.messenger.web,org.telegram.messenger,com.whatsapp.w4b,com.fmwhatsapp,com.gbwhatsapp,com.yowhatsapp,com.facebook.lite,com.facebook.orca,com.facebook.mlite,com.skype.raider,com.zhiliaoapp.musically,com.obwhatsapp,com.ob3whatsapp,com.ob2whatsapp,com.jtwhatsapp,com.linkedin.android,com.zhiliaoapp.musically.go,com.opera.browser.afin,com.heytap.browser,com.sec.android.app.sbrowser,org.mozilla.firefox,com.microsoft.emmx,com.microsoft.emmx.canary,com.opera.browser"
}
The payload information from the C2 server was received as an array of objects, with each containing two download URLs (primary and backup), the MD5 hash of the file to download, the module’s entry point details, and its ID. After downloading, the modules were decrypted twice using XOR with different keys.
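As an added example, not Kaspersky’s tooling or the Trojan’s own code: the following Python shows how an analyst could consume a response shaped like the one above, mapping the single-letter fields to names as described in the text, checking a download against the advertised MD5 and stripping the two XOR layers. The field mapping (a = ID, b/g = primary/backup URL, c/d = entry class/method, f = MD5) is inferred from the sample; the meaning of e is not stated in the article and is left unmapped. The XOR keys, URLs and module bytes are constructed here; the real keys are hardcoded in the malware and not reproduced.

```python
import base64
import hashlib
import json

# Added example: unpack a module described in a Triada-style C2 response.
# Field mapping inferred from the sample response quoted in the article;
# "e" is deliberately not mapped because the article does not explain it.
FIELD_NAMES = {"a": "id", "b": "url", "c": "entry_class", "d": "entry_method",
               "f": "md5", "g": "backup_url"}

# Constructed keys for this demo only (the malware's real keys are hardcoded
# in its binaries and are not reproduced here).
KEY1 = b"constructed-key-one"
KEY2 = b"k2"


def parse_descriptors(response_json: str) -> list:
    """Turn the 'd' array of a C2 response into readable module records."""
    response = json.loads(response_json)
    records = []
    for item in response.get("d", []):
        rec = {FIELD_NAMES[k]: v for k, v in item.items() if k in FIELD_NAMES}
        # Primary URL first, backup second; drop whichever is missing.
        rec["urls"] = [u for u in (rec.pop("url", None), rec.pop("backup_url", None)) if u]
        records.append(rec)
    return records


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_module(blob: bytes, expected_md5: str, key1: bytes, key2: bytes) -> bytes:
    """Verify the download against the advertised MD5, then remove both XOR layers.

    Assumption: the MD5 in the descriptor covers the raw (still encrypted)
    download, so the check runs before decryption.
    """
    actual = hashlib.md5(blob).hexdigest()
    if actual != expected_md5.lower():
        raise ValueError(f"MD5 mismatch: got {actual}, expected {expected_md5}")
    return xor_bytes(xor_bytes(blob, key2), key1)


def build_constructed_sample():
    """Fabricate a C2 response plus matching download for offline testing.

    Returns (response_json, encrypted_blob, plaintext). Everything here is
    constructed; the URLs are placeholders, not real infrastructure.
    """
    plaintext = b"dex\n035\x00constructed module body, not a real payload"
    blob = xor_bytes(xor_bytes(plaintext, KEY1), KEY2)
    response = {
        "a": 0, "b": "SESSION-ID-CONSTRUCTED", "c": 1,
        "d": [{"a": 72, "b": "https://c2.example/tgzip/module",
               "c": "com.example.Engine", "d": "start", "e": 32,
               "f": hashlib.md5(blob).hexdigest(),
               "g": "https://backup.example/tgzip/module"}],
        "e": 245, "g": ["com.instagram.android"], "h": "org.telegram.messenger",
    }
    return json.dumps(response), blob, plaintext


if __name__ == "__main__":
    resp, blob, _ = build_constructed_sample()
    for rec in parse_descriptors(resp):
        module = unpack_module(blob, rec["md5"], KEY1, KEY2)
        print(rec["id"], rec["entry_class"], rec["entry_method"], rec["urls"])
        print(base64.b64encode(module[:16]).decode(), "...")
```

The MD5 check is what the loader itself uses to decide whether the download is intact; reproducing it lets an analyst confirm that a blob pulled from a proxy capture or a device is the one the C2 actually advertised before spending time on it.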
In addition to this, the response from the C2 contained other package names. By using these, we were able to obtain various further payloads.
It should be noted that under the Android security model, an app does not normally have access to another app’s private data. However, as mentioned earlier, the malware is loaded by the Zygote process, which lets it sidestep this restriction: each payload runs inside the process of the app it targets. The modules can therefore read any of that application’s data, and the attackers actively exploit this in later stages of the infection. Furthermore, each additional payload can use every permission granted to the host app.
During module analysis, we also noted the significant skill of the Triada creators: each payload is tailored to the target app’s characteristics. Let us see which modules the Trojan loaded into some popular Android apps.
Telegram modules
For the Telegram messaging app, the Triada backdoor downloaded two modules at the time of this research. The first module (b8a745bdc0e083ffc88a524c7f465140) launches a malicious task within the messaging app’s context once every 24 hours. We believe that the attackers thoroughly examined Telegram’s internal workings before coding this task.
Initially, the malicious task tries to obtain the victim’s account details. To do this, the module reads a string associated with the user key from the key-value pairs saved using SharedPreferences in the app settings XML file named userconfig. The string contains Base64-encoded serialized data about the Telegram user, which the messaging client code deserializes to communicate with the API. The malware takes advantage of this: Triada tries several reflection-based methods to read the user data.
Deserializing victim account details
The malware sends the following user information to the C2 server if it has not done so previously:
- A serialized string containing the victim’s account details.
- The victim’s phone number.
- The contents of the tgnet.dat file from the application’s data directory. This file stores Telegram authentication data, including the user’s token, which allows the attackers to gain complete control over the victim’s account.
- The string with id=1 from the params table in the cache4.db database.
This payload also contains unused code for displaying ads.
The second module (fce117a9d7c8c73e5f56bda7437bdb28) uses Base64 to decode and then execute another payload (8f0e5f86046faed1d06bca7d3e48c0b8). This payload registers its own observer for new Telegram messages, which checks their content. If the message text matches regular expressions received by the Trojan from the C2 server, the message is deleted from the client. This module also attempts to delete Telegram notifications about new sessions.
Filtering messages based on content
Additionally, the malware tries to initiate a conversation with a bot that no longer existed at the time of our research.
Initiating communication with an unknown bot
Instagram module
This module (3f887477091e67c6aaca15bce622f485) starts by requesting the device’s advertising ID from Google Play services, which it then uses as the victim ID. After that, a malicious task runs once every 24 hours, sequentially scanning all XML files used by SharedPreferences until it finds the first file whose name begins with UserCookiePrefsFile_. This file contains the cookies for active Instagram sessions, and intercepting these sessions allows the attackers to take over the victim’s account. The task also collects all files ending in batch from the analytics directory inside data.
The malware reading the internal files
These files, along with information about the infected device, are encoded in Base64 and sent to the C2 server.
Browser module
This module (98ece45e75f93c5089411972f9655b97) is loaded into the browsers with the following package names:
- com.android.chrome
- org.mozilla.firefox
- com.microsoft.emmx
- com.microsoft.emmx.canary
- com.heytap.browser
- com.opera.browser
- com.sec.android.app.sbrowser
- com.chrome.beta
First, it establishes a connection with the C2 server over a TCP socket. It then generates an AES-128 key and IV for CBC mode and encrypts their concatenation with RSA. The Trojan uses AES to encrypt the information about the infected device, combines the ciphertext with the RSA-encrypted key and IV into a single buffer, and sends it over the socket.
Code snippet for C2 communication
The C2 server responds with a buffer encrypted with the same parameters as the request it received from the infected device. The response contains a task to periodically substitute links opened in the browser. An example of this task is shown below.
{
    "a": 0,
    "b": 1,
    "c": 65,
    "d": {
        "a": 17,
        "b": "stas.a691[.]com/",
        "c": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23],
        "d": 2880
    }
}
The link replacement works as follows. The module first checks the version and name of the browser that it is running in to register hooks for the methods that the browser uses for opening links.
Launching browser-specific functionality
We noted earlier that in the initial stages, the Trojan downloaded an auxiliary module that implements its functionality to intercept arbitrary methods. The browser module utilizes this to interfere with the process of opening pages in various browsers.
In addition, the malware uses reflection to replace the Instrumentation class instance for the app. The execStartActivity method, which launches app activities, is replaced in the proxy class.
Malicious call in the Instrumentation proxy class
In Android, an activity is launched by sending an intent with a specific action. If an application has an activity whose intent filter declares that it handles that action, Android launches it. When an application opens a link in a browser, it creates and sends an Intent with the action android.intent.action.VIEW that carries the URI to be opened. Triada substitutes the URI in the received Intent.
Replacing the link in the Intent instance
In the samples we analyzed, the C2 server sent links to advertising resources. However, we believe that the malware creators could also use this functionality for, say, phishing.
WhatsApp modules
For WhatsApp, the Trojan’s C2 server would provide two modules. One of these (d5bc1298e436424086cb52508fb104b1) runs a malicious task within the WhatsApp client’s context every five minutes. This task reads various keys essential for the client’s operation, as well as data about the active session.
The Trojan reading WhatsApp login credentials
This data, along with information about the victim’s device, is forwarded to the C2 server, giving the attackers complete access to the victim’s WhatsApp account.
The other module (dc731e55a552caed84d04627e96906d5) starts by intercepting WhatsApp client functions that send and receive messages. The threat actor employed an interesting technique to work around class name obfuscation in WhatsApp code. The module’s code contains the names of the class and method being intercepted, specific to different WhatsApp versions. This likely required the attackers to manually analyze how each version worked. It is worth noting too that if the module’s code lacks the class names for the specific client version, the malware can request an interception configuration from the attackers’ C2 server.
If the interception is successful, the module continues its operation by sending data about the infected device to the C2 server and receiving a TCP socket IP address in response. Commands are then transmitted through this socket, allowing the malware to perform the following actions:
- Send arbitrary WhatsApp messages.
- Delete sent messages on the device to cover its tracks.
- Close the connection.
Snippet of the command handler
LINE module
This module (1d582e2517905b853ec9ebfe77759d15) runs inside the LINE messaging app. First, the malware gathers information about the infected device and sends it to the C2 server. Subsequently, every 30 seconds, it collects internal app data, specifically the PROFILE_AUTH_KEY and PROFILE_MID values from the settings table in the naver_line database. The malicious module also obtains the User-Agent string and additional information to mimic HTTP requests as if they were coming from the messaging client itself. Additionally, the malware decrypts the user’s phone number and region from the naver_line database and uses reflection to obtain the application’s access token, which allows it to take over the victim’s account.
The module sends the data it collects to the C2 server.
Skype module
This module (b87706f7fcb21f3a4dfdd2865b2fa733) runs a malicious task every two minutes that attempts to send information about the infected device to the C2. Once the C2 accepts the request, the task stops, and the Trojan begins reading internal Skype files every hour. Initially, the module tries to extract a token that allows access to the Skype account from the React Native framework keychain.
Triada extracting a token from the keychain
Failing to obtain the token through this method, the malware then tries to locate it within WebView cookies.
Extracting a token from the cookies
This token is then sent to the Trojan’s C2 server, thus compromising the victim’s account.
The versions of Triada we have seen contain no payloads for Microsoft Teams or Skype for Business. However, we believe that after Microsoft sunsets Skype, the attackers might add new malicious modules for these apps.
TikTok module
This module (993eb2f8bf8b5c01b30e3044c3bc10a3) sends information about the infected device to the attackers’ server once a day. Additionally, the malware collects a variety of data about the victim’s account. For example, it reads cached TikTok cookies from an internal directory, which might have been used by WebView within the app. The attackers are interested in the msToken in these cookies, as it is necessary for interacting with the TikTok API. The module also extracts other information from the TikTok client, such as the user ID (secUID), the User-Agent for API requests, and more. We believe that the attackers need this data to bypass TikTok API restrictions and simulate a real device when making API requests. Every five minutes, the malicious module attempts to send all the data it collects to the attackers’ server.
Facebook modules
One such module (b187551675a234c3584db4aab2cc83a9) runs a malicious task every minute that compares the parent app package name against the following list:
- com.facebook.lite
- com.facebook.mlite
- com.facebook.orca
If the name matches one of the above, the malware steals the Facebook authentication cookies.
Another module (554f0de0bddf30589482315fe336ea72) sends data about the infected device to the C2. The server responds with a link to be opened in WebView, as well as JavaScript code to execute on the page. The malware can upload certain elements from this page to the C2 server, which potentially could be used by attackers to steal the victim’s account data.
SMS modules
These malicious components are injected into SMS apps. One of them (195e0f334beb34c471352179d422c42f) starts by registering its own proxy receiver for incoming SMS and MMS messages, as well as its own message observer. Following this, the malware retrieves rules from the C2 server, storing these in a separate database. The content of each received message is filtered on the basis of these rules.
The flexibility of these rules enables the malware to respond to specific SMS messages by extracting codes using regular expressions. We believe the Trojan creators primarily use this capability to sign victims up for paid subscriptions. Additionally, the module can send arbitrary SMS messages when instructed by the C2 server.
Interestingly, the module contains unused code snippets that are valuable for analysis — they also function as message filtering rules. Each rule includes a string value that defines its type: an MD5 hash of certain data. The module code contains methods named matchWhatsapp and matchRegister that use the same rule type. Analysis of matchWhatsapp revealed that this malicious component previously could cover other modules’ tracks and delete SMS messages containing verification codes for logging in to the victim’s WhatsApp account. The use of the same rule type suggests that matchRegister is also employed by the malicious module to conceal its activity, possibly to secretly register accounts. This method is likely obsolete because the malware now supports receiving rules from the C2 server.
Rule for intercepting WhatsApp verification SMS messages
The second module (2ac5414f627f8df2e902fc34a73faf44) is likely an auxiliary component for the first one. Android checks the recipient when an SMS is sent: if the message is addressed to a short code (a premium SMS), the user is prompted to confirm that they want to send it. This measure is meant to protect device owners from the financial losses caused by SMS Trojans. The SMSDispatcher class in the Android framework checks whether the app is allowed to send premium SMS messages by calling the getPremiumSmsPermission method of the SmsUsageMonitor class, which stores a premium SMS policy per application in SharedPreferences under the name premium-sms-policy. The policies are integers with the following values:
- 1: User confirmation is required before sending a premium SMS.
- 2: The app is prohibited from sending premium SMS messages.
- 3: Sending premium SMS messages is allowed, and user confirmation is not required.
The malicious module sets the policy value for SMS messaging apps to 3, thereby clearing obstacles for the previous module. Notably, this is an undocumented Android feature, which further highlights the malware authors’ advanced skill level.
Method for overriding premium SMS sending policies
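As an added example (not from the article): a small Python audit of a dumped premium-sms-policy SharedPreferences file, flagging every package whose policy is 3, i.e. allowed to send premium SMS without confirmation. The XML is constructed in the standard SharedPreferences <map> layout; the assumption that the file can be pulled from the phone app’s shared_prefs directory on a rooted device or from a full backup is ours, not the article’s.

```python
import xml.etree.ElementTree as ET

# Added example: audit premium SMS policies from a dumped SharedPreferences
# file. Policy codes are the ones listed in the article.
ASK_USER, NEVER_ALLOW, ALWAYS_ALLOW = 1, 2, 3
POLICY_NAMES = {ASK_USER: "ask user", NEVER_ALLOW: "never allow", ALWAYS_ALLOW: "always allow"}

# Constructed dump in the standard SharedPreferences <map> layout. Package
# names are placeholders, not real apps.
CONSTRUCTED_DUMP = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="com.example.bank" value="2" />
    <int name="com.example.sms" value="3" />
    <int name="com.example.messenger" value="3" />
    <int name="com.example.game" value="1" />
</map>
"""


def parse_premium_sms_policy(xml_text) -> dict:
    """Return {package_name: policy_int} from a SharedPreferences XML dump."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences map")
    policies = {}
    for el in root.findall("int"):
        name, value = el.get("name"), el.get("value")
        if name is None or value is None:
            continue  # malformed entry; skip rather than guess
        policies[name] = int(value)
    return policies


def find_silent_premium_senders(policies: dict, expected_allowed=frozenset()) -> list:
    """Packages set to ALWAYS_ALLOW that are not on the analyst's allow list.

    A default messaging app may legitimately hold policy 3 if the user chose
    "always allow" at the prompt, hence the allow list; anything else with
    policy 3 deserves a closer look.
    """
    return sorted(pkg for pkg, pol in policies.items()
                  if pol == ALWAYS_ALLOW and pkg not in expected_allowed)


def describe_policies(policies: dict) -> list:
    """Human-readable one-line summaries, unknown codes reported as such."""
    return [f"{pkg}: {POLICY_NAMES.get(pol, f'unknown ({pol})')}"
            for pkg, pol in sorted(policies.items())]


if __name__ == "__main__":
    pols = parse_premium_sms_policy(CONSTRUCTED_DUMP)
    for line in describe_policies(pols):
        print(line)
    print("review:", find_silent_premium_senders(pols))
```

A policy of 3 on a package that never asked the user for it is exactly the footprint the second module leaves; comparing the dump against a known-good device of the same model narrows the list quickly.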
Reverse proxy
As far as we know, this module (3dc21967e6fab9518275960933c90d04) integrates into the Google Play Services app. Immediately upon starting, it transmits information about the infected device to the C2 server. The server responds with an IP address and port, which the malware uses to listen for commands via a modified version of the EasySocket library. The commands are integers that can take three values:
- 1: Establish a connection with an arbitrary TCP endpoint, assigning to it the ID transmitted in the command.
- 2: Terminate the TCP connection with the specified ID.
- 4: Send data over the TCP connection with the specified ID.
Thus, the main purpose of this module is to turn the infected device into a reverse proxy, essentially giving the attackers network access through the victim’s device.
Call interception
This module (a4f16015204db28f5654bb64775d75ad) is injected into the device’s phone app. It registers a malicious receiver that, upon receiving intents, can execute arbitrary JavaScript code using WebView.
Executing arbitrary code via the malicious receiver
The malware provides the JavaScript code with an interface to call certain Java functions. One of these functions takes the victim’s phone number and sends an intent that includes it.
The command number is transmitted in the type field of the intent. However, the module lacks a handler for this number. We assume that it is implemented in a different payload that we were unable to obtain during our investigation.
We also believe that this module is still under development. For example, similar to the browser module, it replaces the Instrumentation class to substitute the number opened using the android.intent.action.VIEW intent. However, the module lacks number substitution code.
We strongly believe the number substitution functionality exists in another version of this module or will be added in the near future.
Clipper
Our data indicates that this module (04e485833e53aceb259198d1fcba7eaf) integrates into the Google Play app. Upon starting, it requests a comma-separated list of attackers’ cryptocurrency wallet addresses from the C2 server. If it cannot get the addresses, the Trojan uses hardcoded ones. After that, the module checks the clipboard every two seconds. If it finds a cryptocurrency wallet address, it replaces it with one controlled by the attackers. Additionally, the malware registers an event handler for clipboard changes, where it also checks and swaps the content.
Additional module
In our previous report, we described the malicious modules downloaded by the initial Triada backdoor. We decided to check if the list of payloads had changed. Unfortunately, at the time of our research, the backdoor C2 server was not sending links to download additional modules. However, we noticed that the module entry points used a consistent special naming format – we will discuss this in more detail later. This allowed us to find another Triada malware sample in our telemetry. The module is named BrsCookie_1004 (952cc6accc50b75a08bb429fb838bff7), and is designed for stealing Instagram cookies from web browsers.
Campaign features
Our analysis of this Trojan revealed several interesting details. For example, it shows similarities to earlier versions of Triada (308e35fb48d98d9e466e4dfd1ba6ee73): these implement the same logic for loading additional modules as the mms-core.jar backdoor deployed by the infected framework.
Loading modules in older Triada versions
Loading modules in mms-core.jar
Furthermore, lines starting with PPP appear regularly in the module code.
Creating log entries in an older Triada version
Loading a module in binder.so in a newer Triada version
Functions from the binder.so malicious library set system properties similar to those in previous Triada versions. These and other similarities lead us to believe that the sample we analyzed is a new version of Triada.
While analyzing the modules, we encountered comments in Chinese, suggesting that the developers are Chinese native speakers. Additionally, one of the C2 servers used by the Triada modules, g.sxim[.]me, caught our attention. This domain was also used as a C2 server for a module of the Vo1d backdoor, suggesting a potential link to Triada.
Distribution vector
In all known infection cases, the device firmware had a build fingerprint whose last letter differed from officially published firmware fingerprints. Searching for similar fingerprints led us to discussion boards where users complained about counterfeit devices purchased from online stores. It is likely that a stage in the supply chain was compromised, with the vendors in online stores possibly being unaware that they were distributing fake devices infected with Triada.
User complaining about a counterfeit device
Translation:
“The journey of a counterfeit device bought in [redacted]. <…> Please keep this discussion in case it helps some poor fellow like me to restore the phone on their own. <…> Previous version: 8Gb / 256Gb / 14.0.6.0 (TGPMIXN). Current version: 4Gb / 128Gb / 14.0.6.0 (TGPMIXM)”
Victims
According to KSN telemetry, our security solutions have detected over 4500 infected devices worldwide. The highest numbers of affected users were detected in Russia, the United Kingdom, the Netherlands, Germany, and Brazil. However, the actual number of infected devices could be much higher, given the unusual distribution method described in this article. The diagram below shows the TOP 10 countries with the highest numbers of users attacked between March 13 and April 15, 2025.
TOP 10 countries with the highest numbers of users attacked by Triada, March 13 – April 15, 2025
Separately, we decided to calculate the amount of cryptocurrency the Triada creators have stolen. To do this, we queried the Trojan’s C2 servers, receiving replacement wallet addresses in response. Findings from open-source research indicated that since June 13, 2024, the attackers had amassed more than $264,000 in various cryptocurrencies in wallets under their control. Below is a diagram showing the balance of several attacker-controlled wallets.
A profitability chart for the threat actor’s TRON wallets
Conclusion
The new version of the Triada Trojan is a multi-stage backdoor giving attackers unlimited control over a victim’s device. The modular architecture provides its authors with a range of malicious capabilities, including targeted delivery of new modules and mass infection of specific applications. If your phone has been infected with Triada, we recommend following these rules to minimize the consequences of malicious activity:
- Install a clean firmware on your device.
- Avoid using messaging apps, crypto wallets, or social media clients currently on your device before installing new firmware.
- Use a reliable security solution to be promptly notified of similar threats on your device.
Indicators of compromise
Infected system frameworks
Infected native libraries
Modules
Module C2 servers
CDN servers for delivery of malicious modules
mp2y3[.]sm20j[.]xyz
ompe2[.]7u6h8[.]xyz
app-file.b-cdn[.]net
GitHub configurations
hxxps://raw.githubusercontent[.]com/adrdotocet/ott/main/api.json
hxxps://raw.githubusercontent[.]com/adrdotocet2/ott/main/api.json
hxxps://raw.githubusercontent[.]com/adrdotocet3/ott/main/api.json
Triada system properties
os.config.ppgl.ext.hws.cd
os.config.ppgl.btcore.devicekey
os.config.ppgl.version
os.config.opp.build.model
os.config.opp.build.status
os.config.ppgl.status
os.config.ppgl.status.rom
os.config.ppgl.build.vresion
os.config.hk.status
os.config.ppgl.cd
os.config.ppgl.dir
os.config.ppgl.dexok
os.config.ppgl.btcore.sericode
os.config.verify.status
os.config.alice.build.channel
os.config.alice.build.time
os.config.alice.service.status
os.android.version.alice.sure
Robot Gets a DIY Pneumatic Gripper Upgrade
[Tazer] built a small desktop-sized robotic arm, and it was more or less functional. However, he wanted to improve its ability to pick things up, and attaching a pneumatic gripper seemed like the perfect way to achieve that. Thus began the build!
The concept of [Tazer]’s pneumatic gripper is simple enough. When the pliable silicone gripper is filled with air, the back half is free to expand, while the inner section is limited in its expansion thanks to fabric included in the structure. This causes the gripper to deform in such a way that it folds around as it fills with air, which lets it pick up objects. [Tazer] designed the gripper so that it could be cast in silicone using 3D printed molds. It’s paired with a 3D printed manifold which delivers air to open and close the gripper as needed. Mounted on the end of [Tazer]’s robotic arm, it’s capable of lifting small objects quite well.
It’s a fun build, particularly for the lovely sounds of silicone parts being ripped out of their 3D printed molds. Proper ASMR grade stuff, here. We’ve also seen some other great work on pneumatic robot grippers over the years.
Hackaday Podcast Ep 318: DIY Record Lathe, 360 Degree LIDAR, and 3D Printing Innovation Lives!
This week Elliot Williams was joined by fellow Europe-based Hackaday staffer Jenny List, to record the Hackaday Podcast as the dusk settled on a damp spring evening.
On the agenda first was robotic sport, as a set of bipedal robots competed in a Chinese half-marathon. Our new robot overlords may have to wait a while before they are fast enough to chase us meatbags away, but it demonstrated for us how such competitions can be used to advance the state of the art.
The week’s stand-out hacks included work on non-planar slicing to improve strength of 3D prints. It’s safe to say that the Cartesian 3D printer has matured as a device, but this work proves there’s plenty more in the world of 3D printing to be developed. Then there was a beautiful record cutting lathe project, far more than a toy and capable of producing good quality stereo recordings.
Meanwhile it’s always good to see the price of parts come down, and this time it’s the turn of LIDAR sensors. There’s a Raspberry Pi project capable of astounding resolution, for a price that wouldn’t have been imaginable only recently. Finally we returned to 3D printing, with an entirely printable machine, including the motors and the hot end. It’s a triumph of printed engineering, and though it’s fair to say that you won’t be using it to print anything for yourself, we expect some of the very clever techniques in use to feature in many other projects.
The week’s can’t-miss articles came from Maya Posch with a reality check for lovers of physical media, and Dan Maloney with a history of x-ray detection. Listen to it all below, and you’ll find all the links at the bottom of the page.
Still mourning the death of physical media? Download an MP3 and burn it to CD like it’s 1999!
Episode 318 Show Notes:
News:
What’s that Sound:
- Congrats to [Bultza] for knowing what that sound was better than we did!
- It was thrusters firing aboard the Dragon (Instagram link)
Interesting Hacks of the Week:
- Non-planar Slicing Is For The Birds
- Unique 3D Printer Has A Print Head With A Twist
- 3D Printering: Non-Planar Layer FDM
- A Universal, Non-planar Slicer For 3D Printing Is Worth Thinking About
- Improved And Open Source: Non-Planar Infill For FDM
- DIY Record Cutting Lathe Is Really Groovy
- A Pi-Based LiDAR Scanner
- The Evertop: A Low-Power, Off-Grid Solar Gem
- Robot Picks Fruit And Changes Light Bulbs With Measuring Tape
- The Most Printable 3D Printer Yet
Quick Hacks:
- Elliot’s Picks:
- Printed Perpetual Calendar Clock Contains Clever Cams
- Haircuts In Space: How To Keep Your Astronauts Looking Fresh
- Jolly Wrencher Down To The Micron
- Jenny’s Picks:
- Low Cost Oscilloscope Gets Low Cost Upgrades
- Open Source DMR Radio
- A Scratch-Built Commodore 64, Turing Style
- Restoration Of Six-Player Arcade Game From The Early 90s
Can’t-Miss Articles:
Sigrok Website Down After Hosting Data Loss
When it comes to open source signal analysis software for logic analyzers and many other sensors, Sigrok is pretty much the only game in town. Unfortunately, after an issue with the server hosting, the website, wiki, and other documentation are down until a new hosting provider is found and the site migrated. This leaves just the downloads active, as well as the IRC channel (#sigrok) over at Libera.chat.
This is not the first time that the Sigrok site has gone down, but this time it seems more final. Although a new server will apparently be set up over the coming days, this will do little to assuage those who have been ringing the alarm bells about the Sigrok project. Currently the documentation is unavailable, except via the Wayback Machine’s archive.
A tragic reality of FOSS projects is that they are not immortal: they require constant time, money and effort to keep servers running and software maintained. This might be a good point for those who have a stake in Sigrok to consider what the project means to them, and what it might mean if it were to shut down.
Simon Perry
in reply to aimee80
@aimee80 It would be nice to turn it into a podcast ❤️
But I don’t know if that was what you had in mind.
aimee80
in reply to Simon Perry
Simon Perry likes this.
Simon Perry
in reply to aimee80
@aimee80 It’s a medium that has really taken off lately; still, it can be hard to do well.
If you’re not good at it, like me, it risks turning into "a long WhatsApp voice message" ☺️😄
aimee80
in reply to Simon Perry
Simon Perry likes this.