Socialism in Latin America


altrenotizie.org/in-evidenza/1…




2025 One Hertz Challenge: Atomic Decay Clock is Accurate But Not Precise


At this point, atomic clocks are old news. They’ve been quietly keeping our world on schedule for decades now, and have been through several iterations with each generation gaining more accuracy. They generally all work under the same physical principle though — a radio signal stimulates a gas at a specific frequency, and the response of the gas is used to tune the frequency. This yields high accuracy and high precision — the spacing between each “tick” of an atomic clock doesn’t vary by much, and the ticks cumulatively track the time with very little drift.

All of this had [alnwlsn] thinking about whether he could make an “atomic” clock that measures actual radioactive decay, rather than relying on the hyperfine transition states of atoms. Frustratingly, most of the radioactive materials that are readily available have pretty long half-lives — on the order of decades or centuries. Trying to quantify small changes in the energy output of such a sample over the course of seconds or minutes would be impossible, so he decided to focus on the byproduct of decay — the particles being emitted.

He used a microcontroller to count clicks from a Geiger-Müller tube, and used the count to calculate elapsed time by multiplying by a calibration factor (the expected number of clicks per second). While this is wildly inaccurate in the short term (he’s actually used the same system to generate random numbers), over time it smooths out and can provide a meaningful reading. After one year of continuous operation, the counter was only off by about 26 minutes, or 4.4 seconds per day. That’s better than most mechanical wristwatches (though a traditional Rubidium atomic clock would be less than six milliseconds off, and NIST’s Strontium clock would be within 6.67×10⁻¹¹ seconds).

The end result is a probabilistic radiometric timepiece that has style (he even built a clock face with hands, rather than just displaying the time on an LCD). Better yet, it’s got a status page where you can check on how it’s running. We’ve seen quite a few atomic clocks over the years, but this one is unique and a great entry into the 2025 One Hertz Challenge.

2025 Hackaday One Hertz Challenge


hackaday.com/2025/08/19/2025-o…
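The counting scheme described in the atomic decay clock post above, as an added simulation (not [alnwlsn]'s code): it shows why a click-counting clock is useless over seconds yet tracks time well over a year. The 0.5 clicks-per-second rate and all function names are assumptions, since the post does not give the tube's rate; long windows use the normal approximation to the Poisson count.

```python
import math
import random

# Assumed for illustration: the post does not state the tube's count rate.
ASSUMED_RATE_CPS = 0.5                        # calibrated mean clicks per second
SECONDS_PER_CLICK = 1.0 / ASSUMED_RATE_CPS    # calibration factor applied to the count


def count_clicks(rate_cps, duration_s, rng):
    """Simulate how many clicks a constant-rate source produces in duration_s.

    Decay events form a Poisson process. Short windows are simulated event by
    event (exponential gaps between clicks). For long windows the count is
    drawn from the normal approximation to Poisson(mean), so a simulated year
    does not need millions of random draws.
    """
    mean = rate_cps * duration_s
    if mean > 10_000:
        return max(0, round(rng.gauss(mean, math.sqrt(mean))))
    clicks = 0
    t = rng.expovariate(rate_cps)
    while t <= duration_s:
        clicks += 1
        t += rng.expovariate(rate_cps)
    return clicks


def clock_reading_s(clicks, seconds_per_click=SECONDS_PER_CLICK):
    """Elapsed time shown by the clock: click count times the calibration factor."""
    return clicks * seconds_per_click


def expected_error_s(rate_cps, duration_s):
    """One-sigma timing error from counting statistics alone.

    The count has standard deviation sqrt(rate * T) clicks and each click is
    worth 1 / rate seconds, so the error is sqrt(T / rate) seconds. It grows
    with T, but the relative error 1 / sqrt(rate * T) shrinks.
    """
    return math.sqrt(duration_s / rate_cps)


def run_trials(duration_s, trials, seed, rate_cps=ASSUMED_RATE_CPS):
    """Return (rms error in seconds, rms relative error) over repeated runs."""
    rng = random.Random(seed)
    sum_sq = 0.0
    for _ in range(trials):
        clicks = count_clicks(rate_cps, duration_s, rng)
        err = clock_reading_s(clicks, 1.0 / rate_cps) - duration_s
        sum_sq += err * err
    rms = math.sqrt(sum_sq / trials)
    return rms, rms / duration_s


if __name__ == "__main__":
    windows = [("10 s", 10), ("1 hour", 3600), ("1 day", 86400), ("1 year", 365 * 86400)]
    for label, duration in windows:
        rms, rel = run_trials(duration, trials=200, seed=1)
        theory = expected_error_s(ASSUMED_RATE_CPS, duration)
        print(f"{label:>7}: rms error {rms:9.1f} s (theory {theory:9.1f} s), relative {rel:.2e}")
```

The simulation covers counting noise only; an error in the calibration factor itself would add a steady drift on top of it.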




160,000 documents stolen.


@Privacy Pride
Christian Bernieri's full post is on his blog: garantepiracy.it/blog/160000/
160,000 (and counting) full high-resolution scans of identity documents (CIE identity cards, driving licences, passports) have been stolen from about ten (and counting) hotels and, in these hours, are being actively exploited for blackmail, scams, identity theft and other criminal acts. But



How does a VPN work? And, above all, is it really needed?


Thanks to a comment by @ricci on another post I found this article by Dennis Schubert which, in my opinion, is worth the half hour it takes to read (thanks a lot to @Dennis Schubert ).

overengineer.dev/blog/2019/04/…

#VPN



trump... a man of peace who supports the Palestinian genocide... how original.
in reply to simona

bringing peace to the world with tariffs... sure. even in very poor countries in africa.


The Lega wants to silence dissent against Netanyahu


@Giornalismo e disordine informativo
articolo21.org/2025/08/la-lega…
The fight against antisemitism is not only legitimate. It is necessary. As are all battles against every racism and every form of discrimination. The bill filed by the Lega, first



Food Irradiation Is Not As Bad As It Sounds


Radiation is a bad thing that we don’t want to be exposed to, or so the conventional wisdom goes. We’re most familiar with it in the context of industrial risks and the stories of nuclear disasters that threaten entire cities and contaminate local food chains. It’s certainly not something you’d want anywhere near your dinner, right?

You might then be surprised to find that a great deal of research has been conducted into the process of food irradiation. It’s actually intended to ensure food is safer for human consumption, and has become widely used around the world.

Drop It Like It’s Hot


Food irradiation might sound like a process from an old science fiction movie, but it has a very real and very useful purpose. It’s a reliable way to eliminate pathogens and extend shelf life, with only a few specific drawbacks. Despite being approved by health organizations worldwide and used commercially since the 1950s, it remains one of the most misunderstood technologies in our food system.
The basic concept is simple—radiation can kill pathogens while leaving the food unharmed. Credit: IAEA
The fundamental concept behind food irradiation is simple. Food is exposed to ionizing radiation in controlled doses in order to disrupt the DNA of harmful microorganisms, parasites, and insects. The method is both useful in single serving contexts, such as individual meal rations, as well as in bulk contexts, such as shipping large quantities of wheat. Irradiation can outright kill bacteria in food that’s intended for human consumption, or leave pests unable to reproduce, ensuring a shipment of grain doesn’t carry harmful insects across national borders.

It’s important to note that food irradiation doesn’t make the food itself radioactive, any more than a chest X-ray makes your body radioactive, since the energy levels involved simply aren’t high enough. The radiation passes through the food, breaking the chemical bonds that make up the genetic material of unwanted organisms. It effectively sterilizes or kills them, ideally without significantly changing the food itself. It can also be used to reduce sprouting of some species like potatoes or onions, and to delay ripening of fruits post-harvest, thanks to its effect on microbes and enzymes that influence these processes.

The concept of food irradiation dates back a long way, far beyond what we would typically call the nuclear age. At the dawn of the 20th century, there was some interest in using then-novel X-rays to deal with pests in food and aid with preservation. A handful of patents were issued, though these had little impact outside the academic realm.

It was only in the years after World War II that things really kicked off in earnest, with the US Army in particular investing a great deal of money to investigate the potential benefits of food irradiation (also known as radurization). With the aid of modern, potent sources of radiation, studies were undertaken at laboratories at the Quartermaster Food and Container Institute, and later at the Natick R&D Command. Much early research focused on meats—specifically beef, poultry, and pork products. A technique was developed which involved cooking food, portioning it, and sealing it in vacuum packs. It would then be frozen and irradiated at a set minimum dose. This process was developed to the point that refrigeration became unnecessary in some cases, and avoided the need to use potentially harmful chemical preservatives in food. These were all highly desirable attributes which promised to improve military logistics.

youtube.com/embed/pe6AKh_tLys?…

Food irradiation eventually spread beyond research and into the mainstream.

The technology would eventually spread beyond military research. By the late 1950s, a German effort was irradiating spices at a commercial level. By 1985, the US Food and Drug Administration had approved irradiation of pork, which became a key target for radurization in order to deal with trichinosis parasites. In time, commercialized methods would be approved in a number of countries to control insects in fruits, vegetables, and bulk foods like legumes and grain, and to prevent sprouting during transport. NASA even began using irradiated foods for space missions in the 1970s, recognizing that traditional food preservation methods aren’t always practical when you’re orbiting Earth. This space-age application highlights one of irradiation’s key advantages—it works without chemicals and eliminates the need for ongoing refrigeration to avoid spoilage. That’s a huge benefit for space missions which can save a great deal of weight by not taking a fridge with them. It also helps astronauts avoid foodborne illnesses, which are incredibly impractical in the confines of a spaceship. Irradiated food has also been used in hospitals to protect immune-compromised patients from another potential source of infection.

How It’s Done

A truck-mounted food irradiator, used in a demonstration tour around the United States in the late 1960s. Credit: US Department of Energy
Three main types of radiation are used commercially to treat food. Gamma rays from cobalt-60 or cesium-137 sources penetrate deeply into food, and it’s possible to use these isotopes to produce uniform and controlled doses of radiation. Cobalt-60 is more commonly used, as it is easier to obtain and can be used with fewer risks. Isotope sources can’t be switched “off,” so are stored in water pools when not in use to absorb their radiation output. Electron beams, generated by linear accelerators, offer precise control of dosage, but have limited penetration depth into food, limiting their use cases to specific foods. X-rays, produced when high-energy electrons strike a metal target, combine the benefits of both gamma rays and electron beams. They have excellent penetration and can be easily controlled by switching the X-ray source on and off. The choice depends on the specific application, with factors like food density, package size, and required dose uniformity all playing roles. Whatever method is used, there’s generally no real risk of food becoming radioactive. That’s because the X-rays, electron beams, and gamma rays used for irradiation are all below the energy levels that would be required to actually impact the nucleus of the atoms in the food. Instead, they’re only strong enough to break chemical bonds. It is thus important to ensure the irradiation process does not cause harmful changes in whatever material the food is stored in; much research has gone into finding safe materials that are compatible with the irradiation process.
A chamber used for gamma ray food irradiation with cobalt-60. Credit: Swimmaaj
The dosage levels used in food irradiation are carefully calibrated and measured in grays (Gy) or, more typically, kilograys (kGy). Low doses of 0.1 to 1 kGy can inhibit sprouting in potatoes and onions or delay ripening in fruits. Medium doses of 1 to 10 kGy eliminate insects and reduce pathogenic bacteria. High doses above 10 kGy can sterilize foods for long-term storage or for space- or hospital-based use, though these doses are not as widely used for commercial food products.

By and large, irradiation does not have a major effect on a food’s taste, appearance, or texture. Studies have shown that irradiation can cause some minor changes to food’s nutritional content, as noted by the World Health Organization. However, while irradiation can highly degrade vitamins in a pure solution, in food items, losses are typically on the order of a few percent at most. The losses are often comparable to or less than those from traditional processing methods like canning or freezing. Changes to carbohydrates, proteins, and lipids are usually very limited. The US FDA, World Health Organization, and similar authorities in many countries have approved food irradiation in many contexts, with studies bearing out its overall safety.
The Radura logo is used to mark foods that have been treated with irradiation. Credit: US FDA
In some extreme cases, though, irradiation can cause problems. In 2008, Orijen cat foods were recalled in Australia after the irradiated product was found to be causing illness in cats. This was not a result of any radioactive byproduct. Instead, the issue was that the high dose (>50 kGy) of radiation used had depleted vitamin A content in the food. Since pets are often fed a very limited diet, this led to nutrient deficiencies and the unfortunate deaths of a number of animals before the product was recalled.

The regulatory landscape varies significantly worldwide, both in dose levels and in labelling. While the United States allows irradiation of various foods including spices, fruits, vegetables, grains, and meats, rules mandate that irradiated products are clearly identified. The distinctive radura symbol—a stylized flower in a circle—must appear alongside text stating “treated with radiation” or “treated by irradiation.” Some countries have embraced the technology more fully; others less so. EU countries primarily allow radiation treatments for herbs and spices only, while in Brazil, just about any food may be irradiated to whatever dose deemed necessary, though doses above 10 kGy should have a legitimate technological purpose.

Overall, food irradiation is a scary-sounding technology that actually makes food a lot safer. It’s not something we think about on the regular, but it has become an important part of the international food supply nonetheless. Where there are pests to prevent and pathogens to quash, irradiation can prove a useful tool to preserve the quality of food and protect those that eat it.


hackaday.com/2025/08/19/food-i…



The authoritarianism of the lady from Garbatella. So much for democracy! (But the autocrats are still Putin and his allies).

Meloni's off-air remarks against journalists spark controversy | ANSA.it
ansa.it/sito/notizie/politica/…



The chatbots from Meta and Character.AI are a little too ambiguous with minors

The article comes from #StartMag and is reshared on the Lemmy community @Informatica (Italy e non Italy 😁)
Texas is investigating Meta and Character.AI over the use of chatbots promoted as therapeutic tools, while the US Senate has opened an inquiry into Meta over alleged interactions



EU air defense: how disruptive technologies can make the difference

@Notizie dall'Italia e dal mondo

Recent conflicts, from Ukraine to the Middle East, have amply demonstrated the central role that air defense plays in today's strategic context. The massive arrival of drones, especially aerial ones, has added quantity and quality to an already



The VLF Transformation


People have long been interested in very low frequency (VLF) radio signals. But it used to be you pretty much had to build your own receiver which, luckily, wasn’t as hard as building your own VHF or UHF gear. But there is a problem. These low frequencies have a very long wavelength and, thus, need very large antennas to get any reception. [Electronics Unmessed] says he has an answer.

These days, if you want to explore any part of the radio spectrum, you can probably do it easily with a software-defined radio (SDR). But the antenna is the key part that you are probably lacking. A small antenna will not work well at all. While the video covers a fairly common idea, using a loop antenna, his approach to loops is a bit different in that it uses a matching transformer, and he backs his thoughts up with modeling and practical results.

Of course, transformers also introduce loss, but — as always — everything is a trade-off. Running hundreds of feet of wire in your yard or even in a loop is not always a possibility. This antenna looks like it provides good performance and it would be simple to duplicate.

Early radio was VLF. Turns out, VLF may provide an unexpected public service in space.

youtube.com/embed/1x8rcep6mRE?…


hackaday.com/2025/08/19/the-vl…



Minister Giuseppe Valditara has signed the decree allocating new financial resources for the creation of “in deroga” (exception) posts, for the 2025/2026 school year, for teaching staff and for administrative, technical and auxiliary staff…


Chrissie Hynde & Pals present Duets Special, out in October
freezonemagazine.com/news/chri…
Chrissie Hynde returns with an unexpected and warmly intimate project: Duets Special, released under the catchy name Chrissie Hynde & Pals, out on 17 October 2025 on Parlophone (and Rhino). This is Hynde's fourth solo studio album and marks a decisive turn toward a more tender and


A 404 Media investigation reveals how the man who started Tea, the ‘women dating safety’ app, tried to hire a female ‘face’ for the company and then hijack her grassroots community. #Features


How Tea’s Founder Convinced Millions of Women to Spill Their Secrets, Then Exposed Them to the World


On March 16, 2023, Paola Sanchez, the founder and administrator of Are We Dating the Same Guy?, a collection of Facebook groups where women share “red flags” about men, received a message from Christianne Burns, then fiancée of Tea CEO and founder Sean Cook.

“We have an app ready to go called ‘Tea - Women’s Dating Community’, that could be a perfect transition for the ‘Are we dating the same guy’ facebook groups since it sounds like those are on their way under… Tea has all the safety measures that Facebook lacked and more to ensure that only women are in the group,” Burns said. “We are looking for a face and founder of the app and because of your experience, we think YOU will be the perfect person! This can be your thing and we are happy to take a step back and let you lead all operations of the product.”

The Tea app, much like the Are We Dating the Same Guy Facebook groups, invites women to join and share red flags about men to help other women avoid them. In order to verify that every person who joined the Tea app was a woman, Tea asked users to upload a picture of their ID or their face. Tea was founded in 2022 but largely flew under the radar until July this year, when it reached the top of the Apple App Store chart, earned glowing coverage in the media, and claimed it had more than 1.6 million users.

Burns’ offer to make Sanchez the “face” of Tea wasn't the first time she had reached out to her, but Sanchez never replied to Burns, despite multiple attempts to recruit her. As it turned out, Tea did not have all the “safety measures” it needed to keep women safe. As 404 Media first reported, Tea users’ images, identifying information, and more than a million private conversations, including some about cheating partners and abortions, were compromised in two separate security breaches in late July. The first of these breaches was immediately abused by a community of misogynists on 4chan to humiliate women whose information was compromised.

A 404 Media investigation now reveals that after Tea failed to recruit Sanchez as the face of the app and adopt the Are We Dating the Same Guy community, Tea shifted tactics to raid those Facebook groups for users. Tea paid influencers to undermine Are We Dating the Same Guy and created competing Facebook groups with nearly identical names. 404 Media also identified a number of seemingly hijacked Facebook accounts that spammed the real Are We Dating The Same Guy groups with links to Tea app.

404 Media’s investigation also discovered a third security breach which exposed the personal data of women who were paid to promote the app.

“Since first creating these [Are We Dating The Same Guy] groups, I have avoided speaking to the media as much as possible because these groups require discretion and privacy in order to operate safely and best protect our members,” Sanchez told 404 Media. “However, recent events have led me to decide to share some concerning practices I’ve witnessed, including messages I received in the past that appear to contradict some of the information currently being presented as fact.”

Burns is no longer with Cook or involved with Tea, and she did not respond to multiple requests for comment. But messages from Burns to Sanchez show that Cook changed his story about why he created Tea after they broke up. 404 Media also talked to a former Tea employee who said she only knew Burns as “Tara,” a persona that also exists in the Tea app and on Facebook as an official representative of the Tea app. This employee said that when Burns left the company, Cook took over the persona and communicated with other Tea users as if he was Tara.

Overall, our reporting shows that while Cook said he built Tea to “protect women,” he repeatedly put them at risk and tried to replace a grassroots movement started by a woman who declined to help him. As one woman who worked for him at Tea told us: “his [Cook’s] motive is money, not actually to protect people.”

Tea did not directly answer a list of specific questions regarding 404 Media’s findings and the facts presented in this article. Instead, it sent us the following statement:

“Building and scaling an app to meet the demand we’ve seen is a complex process. Along the way, we’ve collaborated with many, learned a great deal and continue to improve Tea,” a Tea spokesperson said. “What we know, based on the fact that over 7 million women now use Tea, with over 100,000 new sign ups per day, is that a platform to help women navigate the challenges of online dating has been needed for far too long. As one of the top apps in the U.S. App Store, we are proud of what we’ve built, and know that our mission is more urgent than ever. We remain committed to evolving Tea to meet the needs of our growing community every day.”

How Tea Tried to Recruit a Female “Face” for the App


Sanchez started the first Are We Dating The Same Guy Facebook group in 2022 after her terrible experiences dating. The basic premise—a space for women to share information about men with other women—has existed in various forms before, but Are We Dating The Same Guy quickly became an online phenomenon. Today, Are We Dating The Same Guy is comprised of more than 200 different Facebook groups dedicated to different cities across the U.S. and Canada and has more than 7 million members. The groups have many volunteer moderators, but Sanchez is still the administrator for most of them.

Women in the groups, who can also post anonymously, share a wide range of experiences, from relatively benign complaints about men they didn’t like, to serious accusations of infidelity and physical assault.

The popularity of Are We Dating The Same Guy groups is evidence that its members find them useful, but that popularity has come with a cost. Sanchez has become increasingly cautious after several attempts at retaliation from disgruntled men who are organizing on Telegram to dox women in the group and at least one lawsuit. In that case, a man accused Are We Dating The Same Guy of libel after a user in the Chicago group called him “clingy” and a “psycho.” Sanchez also said she had a rock thrown through the window of her family’s home by a man who wanted to stop Are We Dating The Same Guy, that she pays for a service to wipe her personal information from the internet, and that she generally keeps a low profile. This is the first time she has talked to the press.

By the time she was first approached by Burns in October, 2022, Sanchez was suspicious of Tea’s interest in Are We Dating The Same Guy because of some of the negative attention the groups already got.

“I’m a huge fan of all the work you're doing and I think it will have an ENORMOUS and important benefit on the lives of women,” Burns said in a Facebook message to Sanchez on October 25, 2022. At the time, Burns’ Facebook profile picture was a photo of her and Cook smiling. “My fiance and I have been working on a similar project due to my own dating woes and thought you’d be the perfect person to collaborate with on it.”

This is an entirely different origin story than the one Cook tells about Tea today. On Linkedin, on Tea’s site, and in interviews, Cook says that he “launched Tea after witnessing his mother’s terrifying experience with online dating—not only being catfished but unknowingly engaging with men who had criminal records.”

Before starting Tea, Cook worked at a couple of tech companies in San Francisco, including Salesforce, where he held a “director” title and rapped and made songs about Salesforce products during presentations he shared on Linkedin.


A video Sean Cook uploaded to Linkedin

There is no mention of Burns on the Tea site, but in 2022 she persistently asked Sanchez to join Tea.

In addition to messaging her on Patreon and Facebook, on December 2, Burns sent Sanchez $25 on Venmo along with a message thanking Sanchez for her work. “Sent you a PM on Facebook re: Business collab when you get a chance! 😊” On December 7, 2022 Burns sent Sanchez $15 on buymeacoffee.com along with a message about a “business opportunity,” and “an app with a similar concept to the facebook groups you manage that I would love to collaborate with you on!”

In April 2023, after Sanchez didn’t respond to Tea’s requests, Are We Dating The Same Guy group admins started banning a set of Facebook accounts posting links to the Tea app over and over again. For example, Are We Dating The Same Guy moderators banned one Facebook user named Crystal Lee from 25 groups across the country after the account repeatedly encouraged members to use Tea and suggested that information about the men they’re asking about was available there. Lee’s account was clearly hijacked from a woman with a different name sometime around 2016. While the account name is Crystal Lee, the name in the URL for her page is Kimberly Ritchart. I found Richart’s new Facebook account, where her first post in 2016 says she lost access to her original account. 404 Media couldn’t confirm who was in control of the account, and saw no evidence that Tea was behind it, but activity from similarly hijacked accounts indicates that there was an organized effort to stealthily promote the Tea app in the Are We Dating The Same Guy groups.

Two other Facebook accounts, Norma Warner and Morgan Ward, were banned from 23 groups and five groups respectively for spamming Tea app promotions. Warner and Ward also shared identical replies two weeks apart. “If I remember correctly, I think he’s been posted to Tea. I maybe [sic] mistaking him for someone else but looks pretty familiar,” both replies said in response to different posts in different groups.

Veronica Marz told me she was hired in April 2024 to be Tea’s partnerships manager. Her job was to manage the affiliate program that would pay people $1 per user who signed up to Tea via their unique affiliate link. She also moderated a number of groups named “Are We Dating the Same Guy | Tea App” for different cities, which were started by and owned by the Tea app and could obviously confuse Facebook users. Marz also reached out to admins of the real Are We Dating The Same Guy groups to ask if they’d be willing to join the affiliate program.

While reporting this story, 404 Media discovered that Tea’s data about the affiliate program, including who signed up for it, their real name, how much they have been paid, their emails, phone numbers, Venmo accounts, and charities they wanted to donate to if they didn’t want the money, were left exposed online. All a hacker or other third party had to do to view all of this data was add “/admin” to the public Tea affiliate site’s URL. Tea turned off this site and the affiliate program entirely after 404 Media reached out for comment for this article on August 13.

On December 1, 2024, Marz noticed an account named Nicole Li who was spamming Tea app promotions in one of the Facebook groups she managed for Tea as part of her job. Li was not part of the affiliate program that Marz managed, and unbeknownst to Marz, moderators of the original Are We Dating The Same Guy groups would eventually ban the Li account later. At that point, Marz was reporting directly to Cook, and she flagged the account to him because it was suspicious and spamming several groups at the same time.

“Sean uses that account to communicate directly with users on the app, but people think they are speaking to someone actually named Tara.”


“Just wanted to check and see if this person was working with the Tea app?,” Marz said in a text to Cook along with a screenshot of the account seen by 404 Media. “I’ve noticed that they’ve joined all the groups regardless of location and they’ve been promoting the app, but they aren’t a part of the affiliate program that I saw.”

Cook replied: “Not sure what’s going on there but as long as they’re not bothering anyone, I guess let’s just let them do their thing!”

All of the Facebook accounts that spammed Tea promotions were either deactivated or did not respond to our request for comment. None of the accounts were officially part of Tea’s affiliate program, according to the exposed data.

404 Media has seen several messages from Are We Dating the Same Guy Facebook group members and moderators confused about whether the Tea app was the official Are We Dating The Same Guy app, and whether Sanchez was affiliated with it. Several people also wondered if the Tara persona, which reached out to them on Facebook, was associated with Tea or if Sanchez was behind it. One review of the Tea app on the Google Play Store from January, 2024 also seemed confused and disappointed by the app.

“A girl in a FB group referred me (I think she was actually advertising 🤷),” the review said. “She called it a free app. It’s not free [...] The fb groups should have raised MORE THAN ENOUGH to cover app costs that are referred to in other reviews [...] I find this gross. Maybe I’ll come around or be back, but for now I’ll stick with fb.”

Marz also told me that several users in the Tea-owned Facebook groups were confused, and thought that they were in the original Are We Dating The Same Guy groups owned by Sanchez.

“Maybe five to seven people in different groups asked me about Paola Sanchez, and I had to explain to them, like, ‘Hey, this is not Paola’s group. This group is owned by the Tea app,’” she told me. “I had to explain to them the difference between the two.”

Tea’s promotion strategy clearly managed to poach and confuse some members of the Are We Dating The Same Guy community and get them to join the app. Later, its strategy was to undermine Are We Dating The Same Guy directly.

Today, Tea’s website credits an influencer named Daniella Szetela as helping to widely promote Tea: “One day while scrolling, Sean discovered a viral creator, Daniella, whose content resonated with millions of women—and saw an opportunity to bring that same energy to Tea. What began as a simple idea quickly turned into a social media movement.” The site says Cook was so impressed with her voice and following, he made her “Head of Socials.” A March, 2025 archive of the same page on Tea’s site tells the same story, but at the time Szetela’s title was “Chief Female Officer.”

“Together, Sean and Daniella have transformed Tea into more than an app—it’s a movement,” Tea’s site says.

In September 2024 Tea started posting videos to its official TikTok and Instagram accounts named @TheTeaPartyGirls. Some of the videos are of Szetela showing the app and talking about how great it is. Other videos are made to look like they’re coming from other Tea users, but in reality are produced by a company called SG Social Branding, which describes itself as a “Gen Z Creator Powerhouse Delivering Short Form Videos to be used for YOUR Brand’s Paid Social Ads.” According to its site, SG Social Branding has a team of “over 35 gen Z creators” who create videos for clients. These videos are made in the style of common social media posts, like an influencer talking directly to the camera, doing man on the street interviews, or videos that look like they are clips from podcasts, but are from podcasts that don’t actually exist.

On a “case studies” page for Tea on the SG Social Branding website, the company says that Tea’s “ask” was to “Develop the narrative that Tea is the go to for Women who like to stay safe while dating.”

“We deployed creators for street interviews in locations such as NYC during daytime and the Nightlife scene on college campuses. Additionally, we made entertaining podcast clips of girl talk that is truly un-scrollable,” the case studies page says. Under “results” it says “The TEA app went #1 in the app store on July 23rd, 2025 and is now viral! Videos deployed from SGSB creators crossed over 3.4 million views with over 74k shares and rising.”

In these videos, the influencers don’t only promote Tea and talk about it as if they actually found information on it about men they know, they also repeatedly disparage Are We Dating The Same Guy Facebook groups.

“Instead of using that Facebook group Are We Dating the Same Guy, what girls are doing now because it’s so much easier is they’re downloading Tea,” a woman holding a microphone says as if she’s talking to someone off-camera. The text overlaid on the video says “Tea Party Pod.” The woman, Savannah Isabella, is an influencer who works for SG Social Branding. She goes on to talk about how one of her friends found a guy she was seeing there and all the red flags other women have posted about him. “Miss me with that. Boy bye. And it’s so much easier and faster than that Facebook group.”

In another video, Isabella is at a bar, demoing the Tea app. “Girls, forget about Are We Dating The Same Guy,” she says.

Isabella and SG Social Branding did not respond to a request for comment.

Marz told me that she was hired to Tea by a woman named Tara and that initially she only communicated with Tara. Marz did a Zoom interview with Tara before she started to work for Tea and the woman identified herself as Tara over text and email. In November 2024, Marz said that Tara left the company, at which point she started reporting directly to Cook. When I showed Marz a photograph of Christianne Burns, Cook’s then fiancée, she said that was who she knew as Tara, who first interviewed her over Zoom.

After "Tara" left, Marz said Sean took over the “Tara Tea” account which was used to communicate with Tea users in the app and on Facebook.

“Sean uses that account to communicate directly with users on the app, but people think they are speaking to someone actually named Tara,” she told me. Essentially, a man is posing as a woman to an audience of women who are trying to protect themselves from, at best, deceptive men.

How Tea Deleted Posts About Men


Tori Benitez has a private consulting business for victims of domestic violence who are in Family Court for high conflict divorces or custody battles. She told me she joined the Tea app because it promoted digital safety, talking about abusers, and protecting people by letting them share information anonymously.

“I'm in the dating scene and on dating apps, and have had my own experience, so I first joined as a user, and then I saw them post that they needed help with escalation claims,” she told me. The escalation claims were complaints both from men about what women were posting about them in the app as well as complaints from other users. She thought her experience as a paralegal would be useful, and she could use more remote work, so she sent Tea her information.

“I had a Zoom call with Sean, and he wanted to know not only a little bit about my business and how I help people, but I had to tell my own personal story.” Benitez said. “I had an ex who literally threatened to kill me and told me how he was going to kill me, even after a restraining order. My story is deep and scary, and he kind of interrupted me and started crying. And I was like, ‘Oh, are you okay?’ Looking back, shouldn't I have been the one crying? It's kind of weird.”

Benitez said she took the job because she wanted to help women. During the interview and at several points while working for Tea, Benitez said that Cook wanted to make her consulting business part of Tea. Benitez said Cook floated having a tab in the Tea app that would send women to her consulting business if they needed help, or having her run workshops for users.

Benitez started working in April of this year but said the job wasn’t what she expected because it made no use of her experience as a paralegal. She said the work was more like customer support, and mainly had her filtering through complaints, responding to them according to a strict script she was given, and keeping a record of the responses.

If a complaint contained words like “defamation” or seemed legally threatening, she would find the post in question and the user who posted it. At times she would contact the user and ask them if the post was true and if they had any evidence to prove it. Sometimes users would respond and say the accusations were true, and the post would remain. Sometimes the users also provided supporting evidence, like court documents. Sometimes the users would delete the posts themselves, or Tea would delete the posts if the users didn’t respond to Benitez’s questions after a certain amount of time.

“That's when things would get deleted and literally no longer exist on there,” she said. “Nobody could find them. They did not go into an archive. They are just poof gone.”

She would record all the complaints and responses in a spreadsheet for Tea’s internal records, but said it didn’t always make sense when Tea decided to delete a public post on the Tea app vs when it decided to leave one up. In one interview in May, 2025, Cook said the Tea app receives “three legal threats a day from men,” and that Tea has a full legal team that helps it manage those situations.

Benitez said that in one case, Cook told her he would handle a complaint from a man regarding what was said about him on the app himself because Cook knew the man personally.

“He [Cook] seemed to side with or randomly choose to delete things that just didn't make sense and felt really concerning to me,” she said. “But I felt I had no room to complain, because every time I brought up a concern his response was either ‘ignore it,’ or ‘I will handle it,’ and there's no HR, so it's not like I can go anywhere to say all this stuff's happening. I didn't have any other point of contact other than him.”

Benitez also said she raised concerns about users’ behavior on the app. She said that at some point earlier this year Tea went viral in one town in Louisiana, where Tea users started going after each other and the number of complaints exploded.

“There was a lot of fighting in the comments between users. There were a lot of threats between users. It just turned into a chat room,” she said. “They would be fighting each other. Like, ‘Where are you at? I’ll pull up on you.’ I was like, ‘holy shit.’ There would be racist posts. It just started getting bad, and I mentioned that to him [Cook] as well, and I basically got the answer of let them say whatever they want. And like this whole like, you know, ‘It's free speech.’ I thought this was about protecting people,” Benitez recalled.

In May, Benitez said Cook was late to pay her. When she asked about it, Cook said he didn’t have the money, and asked her to keep working until he did, or work for less pay. At that point, Benitez said she wouldn’t work until she got paid for the work she already did. Eventually Cook sent her the money for the hours she already worked, but Benitez never came back.

There are currently two class action lawsuits in motion against Tea accusing the company of failing to properly secure users’ private information. After these complaints were filed Tea updated its terms of service, which now require users to waive their right to participate in class actions against the company, and agree to attempt an “informal dispute resolution” before suing the company.

“I feel like his [Cook’s] motive is money, not actually to protect people,” Benitez said, “and I think that his story about his mom is a crock of shit.”

Tea’s Security Breaches Put Users at Risk


On July 25, 404 Media broke the news that Tea made an error that completely exposed a database containing at least 72,000 images from its users, and that a misogynistic 4chan community downloaded them and shared them online in various forms in order to harass and humiliate women. On July 28, 404 Media revealed an even worse security breach at Tea, which exposed more than a million private messages between Tea users that included identifying information and intimate conversations about cheating partners and abortions.

After the first hack, someone created a website modeled after “Facemash,” the site that Facebook CEO Mark Zuckerberg infamously created while he was a student at Harvard to rank the attractiveness of female students at the university. This new site, based on Tea data, took the selfies women uploaded to Tea in order to verify they are women, presented them to visitors in pairs, and allowed them to choose which they believed was more attractive. The site used the votes to create a ranking and also highlighted the list of the 50 most and least attractive women according to votes.

The second breach was far more dangerous not only because the direct messages between Tea users that were exposed included conversations they thought were private about sensitive subjects that could become dangerous in the wrong hands, but also because those conversations included details that could be used to deanonymize users. Direct messages between users often included their real phone numbers, names, and social media handles.

“I posted on the app about a man who groomed and abused me as a minor,” one Tea user whose direct messages were exposed in the second security breach told 404 Media. The user asked to be anonymous because she’s heard about “incel dudes” doxing Tea users. “I joined Tea because I appreciated the premise of a ‘whisper network’ for community safety—because a huge amount of men are, in fact, unsafe individuals, and most of the time those impacted don't find out until it's too late.”

This user added that they felt safe enough to share intimate details on Tea because it was advertised as a “safe space” for women with a strong emphasis on anonymity.

“My reaction to the breach is anger, just anger, and some disgust,” the user said.

Kasra Rahjerdi, the researcher who flagged the second security breach to 404 Media, said there were signs he wasn’t the only person who may have accessed more than a million private Tea messages. Every Tea user is assigned a unique API key which allows them to interface with the app in order to log in, read public posts, share posts, or do other actions in the app. Rahjerdi discovered that any Tea user was also able to use their own API key to access sensitive parts of the Tea app’s backend, including a database of private messages and the ability to send all Tea users a push notification.

This access also allowed users to create new databases, and Rahjerdi told 404 Media he saw someone else doing just that while he was looking at Tea’s backend. Most of these databases were empty, but one contained a link to a Discord server with a handful of users which shut down shortly after 404 Media tried to join it on July 26. This activity indicates that someone else found the same security breach as Rahjerdi and could have accessed more than a million private messages of Tea users as well.

In a podcast interview in April, 2025, Cook said he doesn’t know how to code, and that the Tea app was built by two developers in Brazil. According to Tea’s Linkedin page, both developers are contractors who are available to hire via Toptal, a platform where software developers offer their labor as remote freelancers. Those two developers did not respond to our request for comment.

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, told 404 Media that the private Tea messages could be especially dangerous to Tea users who talked about abortions or specific men.

“I would be particularly concerned about posts about abortions in say Texas, where SB 8 grants a private right of action to sue anyone who performs or facilitates an abortion that violates the law,” Galperin said. SB 8, also known as the “Texas Heartbeat Act,” bans abortion after the detection of a “fetal heartbeat,” which is usually six weeks into pregnancy. The law also allows anyone to sue anyone else who performs abortions or “aids and abets” performing or inducing an abortion in violation of the law. “I’d also be concerned about DMs containing information of sexual orientation or immigration status, or details about sexual assault that the survivor was sharing in private.”

Galperin said she would be “extremely concerned” if the messages got out, not just because of the men who are named in the messages, but because “There are people who think that anyone who has an account on this platform is fair game for harassment,” referring to some of the harassment we’ve already seen from 4chan.

Despite the risks the Tea app has already put users in, Tea has downplayed the impact of the security breaches, and has continued to grow in popularity. On July 28, Tea said in a post to Instagram that “some” direct messages were accessed as part of the initial incident, and that it had temporarily disabled the ability for users to send direct messages. The statement does not acknowledge that more than a million messages were exposed, and also misleads users that those messages were leaked as part of the initial breach. The messages were exposed in an entirely separate breach around different security issues. On July 26, after 404 Media reported about both Tea breaches, Tea said on Instagram that it received over 2.5 million requests to join the app. The replies from users on Instagram are filled with people who are on the Tea app waiting list to be approved. Again, even after it said it has hired a cybersecurity firm to address the two previously reported breaches, 404 Media found a third security issue that exposed users’ private information that Tea wasn’t aware of until we reached out for comment.

Today, Tea’s site boasts that more than 6.2 million women use the app.

Joseph Cox contributed reporting.




To end the war in Ukraine, everyone has to win. Caruso's take

@Notizie dall'Italia e dal mondo

The art of diplomacy consists not only in finding technical solutions to conflicts, but in building narratives that allow every leader to go home with something to celebrate in front of their own voters. This dynamic, often underestimated



The US Navy may select Leonardo's M-346 to train its future pilots

@Notizie dall'Italia e dal mondo

The US Navy is looking for a new training aircraft to replace its T-45 Goshawks, which have now reached the end of their operational life. In the running for this challenge is the Beechcraft M-346N, the stars-and-stripes version of the advanced trainer



How to Sink a Ship: Preparing the SS United States For its Final Journey


When we last brought you word of the SS United States, the future of the storied vessel was unclear. Since 1996, the 990 foot (302 meter) ship — the largest ocean liner ever to be constructed in the United States — had been wasting away at Pier 82 in Philadelphia. While the SS United States Conservancy was formed in 2009 to support the ship financially and attempt to redevelop it into a tourist attraction, their limited funding meant little could be done to restore or even maintain it. In January of 2024, frustrated by the lack of progress, the owners of the pier took the Conservancy to court and began the process of evicting the once-great liner.
SS United States docked at Pier 82 in Philadelphia
It was hoped that a last-minute investor might appear, allowing the Conservancy to move the ship to a new home. But unfortunately, the only offer that came in wasn’t quite what fans of the vessel had in mind: Florida’s Okaloosa County offered $1 million to purchase the ship so they could sink it and turn it into the world’s largest artificial reef.

The Conservancy originally considered it a contingency offer, stating that they would only accept it if no other options to save the ship presented themselves. But by October of 2024, with time running out, they accepted Okaloosa’s offer as a more preferable fate for the United States than being scrapped.

It at least means the ship will remain intact — acting not only as an important refuge for aquatic life, but as a destination for recreational divers for decades to come. The Conservancy has also announced plans to open a museum in Okaloosa, where artifacts from the ship will be on display.

Laying a Behemoth to Rest


Sinking a ship is easy enough, it happens accidentally all the time. But intentionally sinking a ship, technically referred to as scuttling, in such a way that it sits upright on the bottom is another matter entirely. Especially for a ship the size of the SS United States, which will officially become both the largest intact ocean liner on the seafloor (beating out HMHS Britannic and her sister RMS Titanic) and the largest artificial reef in the world (taking the title from the USS Oriskany) when it eventually goes down.

The SS United States is currently in Mobile, Alabama, where it is being prepared for scuttling by Modern American Recycling Services and Coleen Marine. After a complete survey of the ship’s structural state, holes will be strategically cut throughout the hull. These will let the ship take on water in a more predictable way during the sinking, and also allow access to the inside of the hull for both sea life and divers. Internally, hatches and bulkheads will be removed for the same reason, though areas deemed too dangerous for recreational divers may be sealed off for safety.

At the same time, the ship must be thoroughly cleaned before it makes its final plunge into the waters off of Florida’s coast. Any remaining fuel or lubricants must be removed, as will any loose paint. Plastics that could break down, and anything that might contain traces of toxins such as lead or mercury, will also be stripped from the ship. In the end, the goal is to have very little left beyond the hull itself and machinery that’s too large to remove.
The forward funnel of the SS United States is removed and loaded onto a barge.
Finally, there’s the issue of depth. While the final resting place of the SS United States has yet to be determined, the depth is limited by the fact that Okaloosa wants to encourage recreational divers to visit. The upper decks of the ship must be located at a depth that’s reasonable for amateur divers to reach safely, but at the same time, the wreck can’t present a hazard to navigation for ships on the surface.

Once on the bottom, the goal is to have the upper decks of the ship at a depth of approximately 55 feet (17 m), making it accessible to even beginner divers. Unfortunately, the ship’s iconic swept-back funnels stand 65 feet (20 m) off the deck. While the tips of the funnels breaking through the surface of the water might make for a striking visual, it would of course be completely impractical.

As such, the funnels and mast of the United States have just recently been removed. But thankfully, they aren’t being sent off to the scrapper. Instead, they will become key components of what the Conservancy is calling the “SS United States Museum and Visitor Experience.”

Honoring America’s Flagship


While the SS United States will welcome visitors willing to get their feet wet, not everyone who wants to explore the legacy of the ship will have to strap on a scuba tank. As part of the deal to purchase the ship, Okaloosa County has been working with the Conservancy to develop a museum dedicated to the ship and the cultural milieu in which she was developed and built.

Naturally, the museum will house many artifacts from the ship’s career. The Conservancy is already in the process of recalling many of the items in their collection which were loaned out while the ship was docked in Philadelphia. But uniquely, the building will also incorporate parts of the ship itself, including the funnels, mast, anchor, and at least one of the propellers.
Concept art for the SS United States Museum and Visitor Experience by Thinc Design.
Combined with some clever architecture by Thinc Design, the idea is for the museum’s structure to invoke the look of the ship itself. The Conservancy has released a number of concept images that depict various approaches being considered, the most striking of which essentially recreates the profile of the great liner with its bow extended out over the Florida waters.

A Bittersweet Farewell


To be sure, this is not the fate that the SS United States Conservancy had in mind when they purchased the ship. Over the years, they put forth a number of proposals that would have seen the ship either turned into a static attraction like the Queen Mary or returned to passenger service. But the funding always fell through, and with each year that passed the ship’s condition only got worse, making its potential restoration even more expensive.
Image Credit: SS United States Conservancy
It’s an unfortunate reality that many great ships have ended up being sold for scrap. Consider the RMS Olympic; despite being the last surviving ship of her class after the sinking of her sisters Titanic and Britannic, and having a long and storied career that included service as a troop ship during the First World War, she ended up having her fittings auctioned off before ultimately being torn to pieces in the late 1930s. It was an ending so unceremonious that the exact date of her final demolition has been lost to time. Meanwhile her sunken sisters, safe from the scrapper’s reach on the sea floor, continue to be studied and explored to this day.

In an ideal world, the SS United States would be afforded the same treatment as the USS New Jersey — it would be lovingly restored and live on as a museum ship for future generations to appreciate. But failing that, it would seem that spending the next century or so playing host to schools of fish and awestruck scuba divers is a more fitting end to America’s flagship than being turned into so many paperclips.


hackaday.com/2025/08/19/how-to…




PayPal database for sale with 15.8 million accounts: what you need to know


An advertisement has appeared on a popular data-leak forum offering for sale a database that allegedly contains 15.8 million PayPal accounts with email addresses and plaintext passwords. The author of the post claims the information is recent and was obtained in May of this year. The company itself has denied these claims, saying they relate to an incident dating back to 2022 and that no new cyberattacks have occurred.

Nevertheless, the sale announcement has drawn interest because of the stated size of the database, but its authenticity cannot yet be verified. Cybernews researchers note that the sample provided is too small for independent verification. In addition, the price of the full archive turned out to be suspiciously low for such a large set of logins and passwords, which could point to questionable quality of the material.

According to a PayPal spokesperson, the attackers are referring to a 2022 credential stuffing attack that affected 35,000 users. The company was subsequently investigated in the United States and in early 2025 agreed to pay 2 million dollars to settle allegations by New York regulators that PayPal had violated cybersecurity requirements.

The published database, according to the sellers, contains not only email addresses and passwords but also additional fields, related URLs and so-called variants, which allow the information to be used in automated attacks against the service. If some records really were recent, this could make credential stuffing campaigns against users worldwide easier. At the same time, the author of the post admits that the rows contain numerous duplicates and already-compromised passwords.

Experts do not rule out that the source of this data is not PayPal itself but customers' infected devices. In recent years, infostealers have been actively promoted on the darknet: malicious programs such as RedLine, Raccoon or Vidar that collect saved passwords, browser cookies, autofill data and even crypto wallets from infected systems. Such software builds databases in the form of a URL paired with a login and a password, which matches the format of the presented “dump” perfectly. Datasets of this kind have already caused large-scale leaks, including those related to Snowflake.

PayPal stresses that no serious breaches of the company's systems have ever been recorded and that the hackers' claims are not supported by facts.

Even so, users are advised not to neglect protection: use complex, unique passwords and enable multi-factor authentication, which remains a key barrier to intruders even when logins and passwords are stolen.

The article "PayPal database for sale with 15.8 million accounts: what you need to know" comes from il blog della sicurezza informatica.





A few days ago I installed the Aeronautica Militare app for the weather.

Comparing its forecasts with those of LaMMA, a consortium for high-detail weather for Tuscany, I see very different forecasts already at 24 hours.

For example, for tomorrow the AM gives a high of 29 degrees and LaMMA 33.

Is it possible that two such important organizations make such different forecasts, already at 24 hours?

#meteo #lamma #am #AeronauticaMilitare



Amnesty. New evidence on hunger in Gaza: “Deliberate policy”


@Notizie dall'Italia e dal mondo
The NGO's report gathers several testimonies on the deadly combination of hunger and disease, concluding that this is not a side effect of military operations but the expected result of plans and policies that Israel has devised and implemented over the last 22 months



Farewell to Giulia Simi, among the first to believe in the need for a radical association for the freedom of scientific research.

“With sorrow we learned of Giulia's death. She was my strength and guide in the battle to spread the DAT across the regions. A determined and strong spirit with no frills and no calculation, who gave me the strength to believe in freedom of choice in citizens' lives. Thank you, Giulia, life is also made of mathematics. I loved you. You always encouraged me and all of us. Thank you!
Heartfelt condolences to Marcello!”
Mina Welby

From the moment Luca Coscioni arrived in the radical world, Giulia Simi grew fond of him and immediately made herself available to help found the Association that still bears his name today.

A member until 2025, over the years Giulia held various posts, including that of deputy secretary, committing herself in particular to the Association's initiatives for promoting the legalization of euthanasia and for promoting the scientific method in politics (too).

A thought full of gratitude for Giulia, for what she did for her association and ours. She will remain in the hearts of those who knew her.

Filomena Gallo and Marco Cappato

The article "Farewell to Giulia Simi" comes from Associazione Luca Coscioni.



GodRAT – New RAT targeting financial institutions



Summary


In September 2024, we detected malicious activity targeting financial (trading and brokerage) firms through the distribution of malicious .scr (screen saver) files disguised as financial documents via Skype messenger. The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase. To evade detection, the attackers used steganography to embed shellcode within image files. This shellcode downloads GodRAT from a Command-and-Control (C2) server.

GodRAT supports additional plugins. Once installed, attackers utilized the FileManager plugin to explore the victim’s systems and deployed browser password stealers to extract credentials. In addition to GodRAT, they also used AsyncRAT as a secondary implant to maintain extended access.

GodRAT is very similar to AwesomePuppet, another Gh0st RAT-based backdoor that we reported in 2023, both in its code and in its distribution method. This suggests that it is probably an evolution of AwesomePuppet, which is in turn likely connected to the Winnti APT.

As of this blog’s publication, the attack remains active, with the most recent detection observed on August 12, 2025. Below is a timeline of attacks based on detections of GodRAT shellcode injector executables. In addition to malicious .scr (screen saver) files, attackers also used .pif (Program Information File) files masquerading as financial documents.

| GodRAT shellcode injector executable MD5 | File name | Detection date | Country/territory | Distribution |
|---|---|---|---|---|
| cf7100bbb5ceb587f04a1f42939e24ab | 2023-2024ClientList&.scr | 2024.09.09 | Hong Kong | via Skype |
| e723258b75fee6fbd8095f0a2ae7e53c | 2024-11-15_23.45.45 .scr | 2024.11.28 | Hong Kong | via Skype |
| d09fd377d8566b9d7a5880649a0192b4 | 2024-08-01_2024-12-31Data.scr | 2025.01.09 | United Arab Emirates | via Skype |
| a6352b2c4a3e00de9e84295c8d505dad | 2025TopDataTransaction&.scr | 2025.02.28 | United Arab Emirates | NA |
| 6c12ec3795b082ec8d5e294e6a5d6d01 | 2024-2025Top&Data.scr | 2025-03-17 | United Arab Emirates | via Skype |
| bb23d0e061a8535f4cb8c6d724839883 | Corporate customer transaction &volume.pif; corporate customer transaction &volume.zip; company self-media account application qualifications&.zip | 2025-05-26 | United Arab Emirates; Lebanon; Malaysia | NA |
| 160a80a754fd14679e5a7b5fc4aed672 | 个人信息资料&.pdf.pif; informasi pribadi &pelanggan global.pdf.pif; global customers preferential deposit steps&.pif | 2025-07-17 | Hong Kong | NA |
| 2750d4d40902d123a80d24f0d0acc454 | 2025TopClineData&1.scr | 2025-08-12 | United Arab Emirates | NA |
| 441b35ee7c366d4644dca741f51eb729 | 2025TopClineData&.scr | 2025-08-12 | Jordan | NA |

Technical details

Malware implants
Shellcode loaders


We identified the use of two types of shellcode loaders, both of which execute the shellcode by injecting it into their own process. The first embeds the shellcode bytes directly into the loader binary, and the second reads the shellcode from an image file.

A GodRAT shellcode injector file named “2024-08-01_2024-12-31Data.scr” (MD5 d09fd377d8566b9d7a5880649a0192b4) is an executable that XOR-decodes embedded shellcode using the following hardcoded key: “OSEDBIU#IUSBDGKJS@SIHUDVNSO*SKJBKSDS#SFDBNXFCB”. A new section is then created in the memory of an executable process, where the decoded shellcode is copied. Then the new section is mapped into the process memory and a thread is spawned to execute the shellcode.

Another file, “2024-11-15_23.45.45 .scr” (MD5 e723258b75fee6fbd8095f0a2ae7e53c), serves as a self-extracting executable containing several embedded files as shown in the image below.

Content of self-extracting executable

Among these is “SDL2.dll” (MD5 512778f0de31fcce281d87f00affa4a8), which is a loader. The loader “SDL2.dll” is loaded by the legitimate executable Valve.exe (MD5 d6d6ddf71c2a46b4735c20ec16270ab6). Both the loader and Valve.exe are signed with an expired digital certificate. The certificate details are as follows:

  • Serial Number: 084caf4df499141d404b7199aa2c2131
  • Issuer Common Name: DigiCert SHA2 Assured ID Code Signing CA
  • Validity: Not Before: Friday, September 25, 2015 at 5:30:00 AM; Not After: Wednesday, October 3, 2018 at 5:30:00 PM
  • Subject: Valve

The loader “SDL2.dll” extracts shellcode bytes hidden within an image file “2024-11-15_23.45.45.jpg”. The image file represents some sort of financial details as shown below.

The loader allocates memory, copies the extracted shellcode bytes, and spawns a thread to execute it. We’ve also identified similar loaders that extracted shellcode from an image file named “2024-12-10_05.59.18.18.jpg”. One such loader (MD5 58f54b88f2009864db7e7a5d1610d27d) creates a registry load point entry at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyStartupApp” that points to the legitimate executable Valve.exe.

Shellcode functionality


The shellcode begins by searching for the string “godinfo,” which is immediately followed by configuration data that is decoded using the single-byte XOR key 0x63. The decoded configuration contains the following details: C2 IP address, port, and module command line string. The shellcode connects to the C2 server and transmits the string “GETGOD.” The C2 server responds with data representing the next (second) stage of the shellcode. This second-stage shellcode includes bootstrap code, a UPX-packed GodRAT DLL and configuration data. However, after downloading the second-stage shellcode, the first stage shellcode overwrites the configuration data in the second stage with its own configuration data. A new thread is then created to execute the second-stage shellcode. The bootstrap code injects the GodRAT DLL into memory and subsequently invokes the DLL’s entry point and its exported function “run.” The entire next-stage shellcode is passed as an argument to the “run” function.
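An analyst can reproduce the marker search and single-byte XOR decoding described above on a captured shellcode buffer. The following Python is an added example, not code from the report or from the malware; the 256-byte decode window, the NUL-separated layout of the constructed sample and all sample values are assumptions.

```python
"""Carve GodRAT first-stage configuration out of a captured buffer."""
import re

MARKER = b"godinfo"   # marker string named in the report
XOR_KEY = 0x63        # single-byte XOR key named in the report
WINDOW = 256          # assumption: the report does not give the config length
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def xor_bytes(data, key=XOR_KEY):
    """XOR every byte with the single-byte key."""
    return bytes(b ^ key for b in data)


def carve_configs(buf, window=WINDOW):
    """Return one (offset, strings) tuple per marker found in buf.

    offset is where the encoded configuration starts; strings are the
    printable runs of four or more characters found after decoding. The
    field layout is not documented, so no structure is assumed here.
    """
    results = []
    pos = buf.find(MARKER)
    while pos != -1:
        start = pos + len(MARKER)
        decoded = xor_bytes(buf[start:start + window])
        strings = [m.group().decode("ascii") for m in PRINTABLE.finditer(decoded)]
        results.append((start, strings))
        pos = buf.find(MARKER, start)
    return results


# Constructed sample: filler bytes, the marker, then a NUL-separated
# configuration (documentation IP address, port, host command line)
# encoded with the key. The layout is an assumption for the demo.
PLAIN_CONFIG = b"192.0.2.10\x00" + b"8080\x00" + b"C:\\Windows\\System32\\curl.exe\x00"
SAMPLE = b"\x90" * 16 + MARKER + xor_bytes(PLAIN_CONFIG) + xor_bytes(b"\x00" * 8)

if __name__ == "__main__":
    for offset, strings in carve_configs(SAMPLE):
        print(f"config at offset {offset}: {strings}")
```

Because both shellcode stages carry a configuration block, the function reports every marker it finds rather than stopping at the first.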

GodRAT


The GodRAT DLL has the internal name ONLINE.dll and exports only one method: “run”. It checks the command line parameters and performs the following operations:

  1. If the number of command line arguments is one, it copies the command line from the configuration data, which was “C:\Windows\System32\curl.exe” in the analyzed sample. Then it appends the argument “-Puppet” to the command line and creates a new process with the command line “C:\Windows\System32\curl.exe -Puppet”. The parameter “-Puppet” was used in AwesomePuppet RAT in a similar way. If this fails, GodRAT tries to create a process with the hardcoded command “%systemroot%\system2\cmd.exe -Puppet”. If successful, it suspends the process, allocates memory, and writes the shellcode buffer (passed as a parameter to the exported function “run”) to the allocated memory. A thread is then created to execute the shellcode, and the current process exits. This is done to execute GodRAT inside the curl.exe or cmd.exe process.
  2. If the number of command line arguments is greater than one, it checks if the second argument is “-Puppet.” If true, it proceeds with the RAT’s functionality; otherwise, it acts as if the number of command line arguments is one, as described in the previous case.
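The “-Puppet” argument gives defenders a cheap process-creation detection. The following Python is an added example, not taken from the report: it runs over constructed events with Sysmon-style field names (an assumption), matches the flag case-insensitively (a detection choice), and raises severity when the host process is one of the names the report mentions for the sample or the builder.

```python
"""Flag process-creation events that carry GodRAT's "-Puppet" argument."""
import ntpath
import shlex

FLAG = "-puppet"   # compared case-insensitively (detection choice, not from the report)
# Host process names from the report: curl.exe and cmd.exe in the analysed
# sample, plus the other names offered by the GodRAT builder.
KNOWN_HOSTS = {"svchost.exe", "cmd.exe", "cscript.exe", "curl.exe",
               "wscript.exe", "qqmusic.exe", "qqsclauncher.exe"}


def split_args(command_line):
    """Split a Windows command line into tokens, keeping quoted paths whole."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        # Unbalanced quote: fall back to a plain whitespace split.
        tokens = command_line.split()
    return [tok.strip('"') for tok in tokens]


def classify(event):
    """Return a finding dict for one event, or None when the flag is absent."""
    args = split_args(event.get("CommandLine", ""))
    # Only arguments count; the executable path itself is skipped.
    if not any(arg.lower() == FLAG for arg in args[1:]):
        return None
    image = event.get("Image") or (args[0] if args else "")
    name = ntpath.basename(image).lower()
    severity = "high" if name in KNOWN_HOSTS else "medium"
    return {"pid": event.get("ProcessId"), "image": name, "severity": severity}


def scan(events):
    """Classify every event and keep only the findings."""
    return [hit for hit in map(classify, events) if hit is not None]


# Constructed events; field names follow Sysmon Event ID 1 (an assumption).
SAMPLE_EVENTS = [
    {"ProcessId": 4312, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"C:\Windows\System32\curl.exe -Puppet"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -s https://example.com/puppet"},
    {"ProcessId": 6001, "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\tool.exe" -PUPPET'},
    # Unbalanced quote exercises the fallback split.
    {"ProcessId": 7000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo 'it is done"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```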

The RAT establishes a TCP connection to the C2 server on the port from the configuration blob. It collects the following victim information: OS information, local hostname, malware process name and process ID, user account name associated with malware process, installed antivirus software and whether a capture driver is present. A capture driver is probably needed for capturing pictures, but we haven’t observed such behavior in the analyzed sample.

The collected data is zlib (deflate) compressed and then prefixed with a 15-byte header. Afterward, it is XOR-encoded three times per byte. The final data sent to the C2 server includes a 15-byte header followed by the compressed data blob. The header consists of the following fields: magic bytes (\x74\x78\x20), total size (compressed data size + header size), decompressed data size, and a fixed DWORD (1 for incoming data and 2 for outgoing data). The data received from the C2 is only XOR-decoded, again three times per byte. This received data includes a 15-byte header followed by the command data. The RAT can perform the following operations based on the received command data:

  • Inject a received plugin DLL into memory and call its exported method “PluginMe”, passing the C2 hostname and port as arguments. It supports different plugins, but we only saw deployment of the FileManager plugin
  • Close the socket and terminate the RAT process
  • Download a file from a provided URL and launch it using the CreateProcessA API, using the default desktop (WinSta0\Default)
  • Open a given URL using the shell command for opening Internet Explorer (e.g. “C:\Program Files\Internet Explorer\iexplore.exe” %1)
  • Same as above but specify the default desktop (WinSta0\Default)
  • Create the file “%AppData%\config.ini”, create a section named “config” inside this file, and create in that section a key called “NoteName” with the string provided from the C2 as its value
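The 15-byte header described above is enough to validate and unpack captured traffic once the XOR layer has been removed (the XOR keys are not given in the report, so that step is out of scope). The following Python is an added example, not code from the report or the malware; little-endian 32-bit fields in the listed order, the reading of direction 2 as the compressed client-to-C2 direction, the size cap and the sample contents are assumptions.

```python
"""Parse a GodRAT C2 packet after its XOR layer has been removed."""
import struct
import zlib
from dataclasses import dataclass

MAGIC = b"\x74\x78\x20"            # magic bytes given in the report
HEADER = struct.Struct("<3sIII")   # assumption: little-endian, fields in listed order
INCOMING, OUTGOING = 1, 2          # direction values given in the report
MAX_PLAIN = 16 * 1024 * 1024       # assumption: analyst-side cap on inflated size


class PacketError(ValueError):
    """Raised when a buffer does not match the documented header."""


@dataclass
class Packet:
    total_size: int
    decompressed_size: int
    direction: int
    payload: bytes


def parse_packet(raw):
    """Validate the 15-byte header and return the packet with its payload."""
    if len(raw) < HEADER.size:
        raise PacketError("shorter than the 15-byte header")
    magic, total, plain_len, direction = HEADER.unpack_from(raw)
    if magic != MAGIC:
        raise PacketError("magic bytes do not match")
    if total != len(raw):
        raise PacketError(f"total size {total} != buffer length {len(raw)}")
    if direction not in (INCOMING, OUTGOING):
        raise PacketError(f"unexpected direction value {direction}")
    body = raw[HEADER.size:]
    if direction == INCOMING:
        # Per the report, data from the C2 is XOR-encoded only, not compressed.
        return Packet(total, plain_len, direction, body)
    if plain_len > MAX_PLAIN:
        raise PacketError("declared size exceeds the analyst cap")
    inflater = zlib.decompressobj()
    try:
        # Ask for one byte more than declared so an oversized stream is caught.
        payload = inflater.decompress(body, plain_len + 1)
    except zlib.error as exc:
        raise PacketError(f"body is not valid zlib data: {exc}") from exc
    if len(payload) != plain_len or not inflater.eof:
        raise PacketError("inflated size does not match the header")
    return Packet(total, plain_len, direction, payload)


# Constructed samples with the XOR layer already removed; contents are invented.
VICTIM_INFO = b"host=WS-01;user=alice;pid=4312"
BODY = zlib.compress(VICTIM_INFO)
SAMPLE_OUTGOING = HEADER.pack(MAGIC, HEADER.size + len(BODY), len(VICTIM_INFO), OUTGOING) + BODY
SAMPLE_INCOMING = HEADER.pack(MAGIC, HEADER.size + 4, 4, INCOMING) + b"\x05\x00\x00\x00"

if __name__ == "__main__":
    for sample in (SAMPLE_OUTGOING, SAMPLE_INCOMING):
        print(parse_packet(sample))
```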


GodRAT FileManager plugin


The FileManager plugin DLL has the internal name FILE.dll and exports a single method called PluginMe. This plugin gathers the following victim information: details about logical drives (including drive letter, drive type, total bytes, available free bytes, file system name, and volume name), the desktop path of the currently logged-on user, and whether the user is operating under the SYSTEM account. The plugin can perform the following operations based on the commands it receives:

  • List files and folders at a specified location, collecting details like type (file or folder), name, size, and last write time
  • Write data to an existing file at a specified offset
  • Read data from a file at a specified offset
  • Delete a file at a specified path
  • Recursively delete files at a specified path
  • Check for the existence of a specified file. If the file exists, send its size; otherwise, create a file for writing.
  • Create a directory at a specified path
  • Move an existing file or directory, including its children
  • Open a specified application with its window visible using the ShellExecuteA API
  • Open a specified application with its window hidden using the ShellExecuteA API
  • Execute a specified command line with a hidden window using cmd.exe
  • Search for files at a specified location, collecting absolute file paths, sizes, and last write times
  • Stop a file search operation
  • Execute 7zip by writing hard-coded 7zip executable bytes to “%AppData%\7z.exe” (MD5 eb8d53f9276d67afafb393a5b16e7c61) and “%AppData%\7z.dll” (MD5 e055aa2b77890647bdf5878b534fba2c), and then running “%AppData%\7z.exe” with parameters provided by the C2. The utility is used to unzip dropped files.


Second-stage payload


The attackers deployed the following second-stage implants using GodRAT’s FileManager plugin:

Chrome password stealer


The stealer is placed at “%ALLUSERSPROFILE%\google\chrome.exe” (MD5 31385291c01bb25d635d098f91708905). It looks for Chrome database files with login data for accessed websites, including URLs and usernames used for authentication, as well as user passwords. The collected data is saved in the file “google.txt” within the module’s directory. The stealer searches for the following files:

  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data – an SQLite database with login and stats tables. This can be used to extract URLs and usernames used for authentication. Passwords are encrypted and not visible.
  • %LOCALAPPDATA%\Google\Chrome\User Data\Local State – a file that contains the encryption key needed to decrypt stored passwords.


MSEdge password stealer


The stealer is placed at “%ALLUSERSPROFILE%\google\msedge.exe” (MD5 cdd5c08b43238c47087a5d914d61c943). The collected data is stored in the file “edge.txt” in the module’s directory. The module attempts to extract passwords using the following database and file:

  • %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data – the “Login Data” SQLite database stores Edge logins in the “logins” table.
  • %LOCALAPPDATA%\Microsoft\Edge\User Data\Local State – this file contains the encryption key used to decrypt saved passwords.


AsyncRAT


The DLL file (MD5 605f25606bb925d61ccc47f0150db674) is an injector and is placed at “%LOCALAPPDATA%\bugreport\LoggerCollector.dll” or “%ALLUSERSPROFILE%\bugreport\LoggerCollector.dll”. It verifies that the module name matches “bugreport_.exe”. The loader then XOR-decodes embedded shellcode using the key “EG9RUOFIBVODSLFJBXLSVWKJENQWBIVUKDSZADVXBWEADSXZCXBVADZXVZXZXCBWES”. After decoding, it subtracts the second key “IUDSY86BVUIQNOEWSUFHGV87QCI3WEVBRSFUKIHVJQW7E8RBUYCBQO3WEIQWEXCSSA” from each shellcode byte.

A new memory section is created, the XOR-decoded shellcode is copied into it, and then the section is mapped into the current process memory. A thread is started to execute the code in this section. The shellcode is used to reflectively inject the C# AsyncRAT binary. Before injection, it patches the AMSI scanning functions (AmsiScanBuffer, AmsiScanString) and the EtwEventWrite function to bypass security checks.

AsyncRAT includes an embedded certificate with the following properties:

  • Serial Number: df:2d:51:bf:e8:ec:0c:dc:d9:9a:3e:e8:57:1b:d9
  • Issuer: CN = marke
  • Validity: Not Before: Sep 4 18:59:09 2024 GMT; Not After: Dec 31 23:59:59 9999 GMT
  • Subject: CN = marke


GodRAT client source and builder


We discovered the source code for the GodRAT client on a popular online malware scanner. It had been uploaded in July 2024. The file is named “GodRAT V3.5_______dll.rar” (MD5 04bf56c6491c5a455efea7dbf94145f1). This archive also includes the GodRAT builder (MD5 5f7087039cb42090003cc9dbb493215e), which allows users to generate either an executable file or a DLL. If an executable is chosen, users can pick a legitimate executable name from a list (svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe and QQScLauncher.exe) to inject the code into. When saving the final payload, the user can choose the file type (.exe, .com, .bat, .scr and .pif). The source code is based on Gh0st RAT, as indicated by the fact that the auto-generated UID in “GodRAT.h” file matches that of “gh0st.h”, which suggests that GodRAT was originally just a renamed version of Gh0st RAT.

GodRAT.h

gh0st.h

Conclusions


The rare command line parameter “puppet,” along with code similarities to Gh0st RAT and shared artifacts such as the fingerprint header, indicates that GodRAT shares a common origin with AwesomePuppet RAT, which we described in a private report in 2023. This RAT is also based on the Gh0st RAT source code and is likely connected with Winnti APT activities. Based on these findings, we are highly confident that GodRAT is an evolution of AwesomePuppet. There are some differences, however. For example, the C2 packet of GodRAT uses the “direction” field, which was not utilized in AwesomePuppet.

Old implant codebases, such as Gh0st RAT, which are nearly two decades old, continue to be used today. These are often customized and rebuilt to target a wide range of victims. These old implants are known to have been used by various threat actors for a long time, and the GodRAT discovery demonstrates that legacy codebases like Gh0st RAT can still maintain a long lifespan in the cybersecurity landscape.

Indicators of Compromise

File hashes



File paths


C:\users\[username]\downloads\2023-2024clientlist&.scr
C:\users\[username]\downloads\2024-11-15_23.45.45 .scr
C:\Users\[username]\Downloads\2024-08-01_2024-12-31Data.scr
C:\Users\[username]\\Downloads\2025TopDataTransaction&.scr
C:\Users\[username]\Downloads\2024-2025Top&Data.scr
C:\Users\[username]\Downloads\2025TopClineData&1.scr
C:\Users\[username]\Downloads\Corporate customer transaction &volume.pif
C:\telegram desktop\Company self-media account application qualifications&.zip
C:\Users\[username]\Downloads\个人信息资料&.pdf.pif
%ALLUSERSPROFILE%\bugreport\360Safe2.exe
%ALLUSERSPROFILE%\google\chrome.exe
%ALLUSERSPROFILE%\google\msedge.exe
%LOCALAPPDATA%\valve\valve\SDL2.dll
%LOCALAPPDATA%\bugreport\LoggerCollector.dll
%ALLUSERSPROFILE%\bugreport\LoggerCollector.dll
%LOCALAPPDATA%\bugreport\bugreport_.exe

Domains and IPs




securelist.com/godrat/117119/



Volkswagen Joins the Car-As-A-Service Movement With Its ID.3 BEV


More and more car manufacturers these days are becoming interested in the recurring revenue model, with Volkswagen’s ID.3 BEV being the latest to have an optional ‘motor power upgrade’ that you can pay for either monthly or with a ‘lifetime’ payment.

As the BBC reports, this option is now available in the UK, with customers offered the option to pay £16.50 per month or £165 annually, or opt to shell out £649 for what is reportedly a ‘car lifetime’ subscription.

It appears that this subscription service has been in the works for a while already: it was first offered last year in countries like Denmark, and it appears to have since been rolled out in other countries too. The software unlock changes the maximum motor output from 150 kW to 170 kW, which some users report as being noticeable.

Regardless of whether you find this to be a good deal, the concept of Car-As-A-Service (CAAS) has become increasingly prevalent, with the BBC article referencing BMW’s heated seats subscription and Mercedes’ acceleration subscription. Considering that all the hardware is already in the car that you purportedly purchased, this is sure to rub people the wrong way, not to mention that from a car tuning perspective this seems to suggest that third-party tuners don’t need to apply.

Thanks to [Robert Piston] for the tip.


hackaday.com/2025/08/19/volksw…

in reply to Cybersecurity & cyberwarfare

To provide "additional power by subscription," the manufacturer **in effect** controls your car remotely. So it is no longer yours, because you no longer control it. It's the same reason I shun #softwareProprietario.
in reply to Paolo Redaelli

@Paolo Redaelli I understand what you mean, but I invite you to consider that no car is truly yours. The moment you need a spare part, you have to go to authorized dealers, where you pay a price made up mostly of the passed-on cost of the licenses the manufacturer grants to the dealer, or to the so-called compatible parts, for which you still pay a price that always depends on the manufacturer's policies. Owning a car is already pure illusion.


This morning Pope Leo XIV made a private visit to the Sanctuary of the Madonna delle Grazie at Mentorella, in the hamlet of Guadagnolo in Capranica Prenestina, in the diocese of Palestrina. The Prefecture of the Papal Household announced the visit.


Giorgia Meloni rolls her eyes while German Chancellor Merz speaks | VIDEO


@Politica interna, europea e internazionale
The facial expressions Prime Minister Giorgia Meloni made during the White House summit on peace in Ukraine are doing the rounds on the web, in particular those from while German Chancellor Friedrich Merz was speaking. “We will help Kyiv, but the cease




I asked Gemini the following question:
"Is it possible that those who also see a useful effect in "global warming", because of the recent "opening" of the Arctic routes, will soon get screwed by the problems of the AMOC, which could cause a cooling of northern Europe?"

The answer:
"Yes, your observation is pertinent and touches on a crucial point in the climate change debate. Those who see an advantage in the opening of the Arctic routes, made possible by global warming, may soon find themselves dealing with the negative impacts of a potential weakening or collapse of the Atlantic Meridional Overturning Circulation (AMOC), a system of ocean currents that also includes the Gulf Stream."

In short, Putin gets screwed yet again.

in reply to simona

Well... didn't it occur to you that without the Gulf Stream, given that Naples is at the same latitude as New York, Europe would be like Canada? You may not trust an AI, but the fact remains... ask whoever you like... but not Salvini or Trump or Meloni. How I hate deniers.


Do You Click on Links in SMS Messages? Here Are 4.2 Million Reasons Not To


Proofpoint has published the second volume of its annual “Human Factor 2025” study, focused on phishing and URL-based attacks. Analysis of data from May 2024 to May 2025 shows that attackers increasingly use social engineering in combination with links, which have become the main vector for attacking users.

According to the statistics, links were encountered four times more often than attachments with malicious content. More than 55% of SMS messages with traces of phishing contained a URL, and the number of campaigns using the ClickFix technique increased by almost 400% in one year. In total, the researchers recorded 3.7 billion attempts to steal credentials via malicious links, against 8.3 million attempts to distribute malware, which confirms that attackers' main goal today is to compromise accounts.

Particularly worrying is the growing number of attacks that use legitimate services. Attackers disguise malicious URLs as documents on OneDrive or Google Drive and also create fake authorization pages that are indistinguishable from the real ones. The widespread use of generative AI models lets them endlessly refine phishing email templates, making them more persuasive.

Among the main tools are ready-made phishing kits such as CoGUI and Darcula. The first is actively used by Chinese-speaking groups and mainly targets users in Japan; the second is used in SMS attacks, often posing as messages from government agencies or postal companies. Both tools can bypass protection and even intercept MFA codes.

One of the most evident trends has been the spread of the ClickFix scheme. The victim is shown a fake error window or CAPTCHA that prompts them to run commands manually. This installs RATs, infostealers and downloaders on the device. ClickFix campaigns have become common practice, used by both financially motivated groups and state actors.

Separately, the experts note the growth of attacks on mobile devices. According to the report, in 2024 the number of URL threats in SMS messages increased by 2534%. In 2025, at least 55% of phishing SMS messages contained links, and 75% of organizations confirmed having suffered such attacks. The main attacks are “traffic fine” scams and fake delivery notifications.

Phishing attacks via QR codes are also gaining ground. In the first six months of 2025 alone, Proofpoint identified almost 4.2 million cases of QR code abuse. This vector is convenient for criminals because it lets them bypass mail gateway filtering: the victim scans the code on a smartphone and lands on a fake site built to steal passwords or credit card data.

The report concludes that the most destructive attacks today are aimed not at systems but at people. Such campaigns cannot succeed without a click by the user, which means that the main line of defense is protecting all communication channels: from corporate email to instant messaging and SaaS services. Proofpoint recommends multi-layered AI solutions capable of detecting even the smallest signs of phishing in any digital stream.

The article Do You Click on Links in SMS Messages? Here Are 4.2 Million Reasons Not To comes from il blog della sicurezza informatica.





Vogliamo i colonnelli
freezonemagazine.com/rubriche/…
It was almost inevitable, after the episode on Una vita difficile by Dino Risi, to base the next installment of Celluloide on a work by Risi's “twin” director, namely Mario Monicelli; Risi and Monicelli were, without a shadow of a doubt, not only two great directors but, by unanimous judgment, the two greatest authors of the so-called commedia all'italiana […]





very, very, very interesting


Giorgia Meloni's hot-mic moment with Donald Trump: “I never want to talk to the Italian press” | VIDEO


@Politica interna, europea e internazionale
Meloni is allergic to the Italian press: she confirms it herself in an embarrassing hot-mic moment with Donald Trump that took place during the White House summit on peace in Ukraine. It all begins when Finnish President Stubb, addressing the



The Pursuit


classic.riffusion.com/song/b4e…