Gli esperti di Check Point avvertono che lo sfruttamento di una nuova vulnerabilità NTLM di Windows ha avuto inizio circa una settimana dopo il rilascio delle patch il mese scorso.

La vulnerabilità in questione è il CVE-2025-24054 (punteggio CVSS 6,5), che è stata risolta come parte del Patch Tuesday di marzo 2025. Questo problema determina la divulgazione dell’hash NTLM, consentendo agli aggressori di eseguire attacchi di spoofing.

Secondo Microsoft, per sfruttare con successo questo bug è necessaria un’interazione minima da parte dell’utente. Pertanto, la vulnerabilità può essere attivata semplicemente selezionando un file dannoso o cliccandoci sopra con il tasto destro.

Come hanno ora segnalato gli analisti di Check Point, appena una settimana dopo il rilascio delle patch per CVE-2025-24054, gli aggressori hanno iniziato a sfruttare la vulnerabilità per attaccare agenzie governative e organizzazioni private in Polonia e Romania.

“La vulnerabilità viene esposta quando un utente decomprime un archivio ZIP contenente un file .library-ms dannoso. Questo evento fa sì che Esplora risorse di Windows avvii una richiesta di autenticazione SMB al server remoto e, di conseguenza, porta alla perdita dell’hash NTLM dell’utente senza la sua partecipazione”, scrivono gli esperti.

Una volta esposto l’hash NTLM, gli aggressori possono eseguire un attacco brute-force per ottenere la password dell’utente o organizzare un attacco relay.

A seconda dei privilegi dell’account compromesso, gli hacker hanno la possibilità di muoversi nella rete, aumentare i propri privilegi e potenzialmente compromettere l’intero dominio.

Sebbene Microsoft non abbia ancora annunciato che la vulnerabilità CVE-2025-24054 sia stata sfruttata dagli hacker, i ricercatori affermano di aver scoperto più di una dozzina di campagne dannose che prendevano di mira la vulnerabilità tra il 19 e il 25 marzo. Gli hash NTLM sono stati estratti su server SMB in Australia, Bulgaria, Paesi Bassi, Russia e Turchia.

“Una campagna sembra aver avuto luogo intorno al 20-21 marzo 2025. I suoi obiettivi principali erano i governi polacco e rumeno e organizzazioni private. Alle vittime sono stati inviati via email link di phishing contenenti un file di archivio scaricato da Dropbox“, spiega Check Point.

Uno dei file nell’archivio era collegato a un’altra vulnerabilità simile, il CVE-2024-43451, utilizzata anch’essa per esporre l’hash NTLM. Un altro file faceva riferimento a un server SMB associato al gruppo APT Fancy Bear (noto anche come APT28, Forest Blizzard e Sofacy). Tuttavia, va notato che non ci sono ancora dati sufficienti per attribuire con certezza gli attacchi.

Check Point avverte inoltre che almeno una campagna del 25 marzo 2025 ha distribuito il file dannoso .library-ms in formato non compresso.

L'articolo Un Clic e sei fregato! La nuova vulnerabilità Windows viene già sfruttata proviene da il blog della sicurezza informatica.

Upgrading RAM on most computers is often quite a straightforward task: look up the supported modules, purchase them, push a couple of levers, remove the old, and install the new. However, this project submitted by [Mads Chr. Olesen] is anything but a simple.

In this project, he sets out to double the RAM on a Olimex A20-OLinuXino-LIME2 single-board computer. The Lime2 came with 1 GB of RAM soldered to the board, but he knew the A20 processor could support more and wondered if simply swapping RAM chips could double the capacity. He documents the process of selecting the candidate RAM chip for the swap and walks us through how U-Boot determines the amount of memory present in the system.

While your desktop likely has RAM on removable sticks, the RAM here is soldered to the board. Swapping the chip required learning a new skill: BGA soldering, a non-trivial technique to master. Initially, the soldering didn’t go as planned, requiring extra steps to resolve issues. After reworking the soldering, he successfully installed both new chips. The moment of truth arrived—he booted up the LIME2, and it worked! He now owns the only LIME2 with 2 GB of RAM.

Be sure to check out some other BGA soldering projects we’ve featured over the years.

hackaday.com/2025/04/22/making…

Spesso si pensa che, per evitare i pericoli online, basti non effettuare pagamenti o non inserire credenziali durante la navigazione. Questo approccio, seppur apparentemente prudente, è profondamente sbagliato per diverse ragioni — soprattutto quando si utilizzano reti aperte, come i WiFi pubblici.

Uno: I dati possono essere intercettati comunque

Anche senza compiere azioni “sensibili”, come l’accesso ad account o l’inserimento di carte di credito, i nostri dispositivi e le nostre connessioni trasmettono continuamente dati. Su reti non protette, come quelle WiFi aperte, questi dati possono essere intercettati con estrema facilità. Tra le informazioni più esposte ci sono:

• Cookie di sessione:
  Piccoli file utilizzati per mantenere l’accesso ai servizi online. Queste informazioni di autenticazione se intercettate, possono permettere a un hacker di accedere ai nostri account senza bisogno di password.
• Dati di navigazione: Cronologie, preferenze e siti visitati possono essere raccolti e utilizzati per pianificare attacchi futuri o creare profili dettagliati su di noi.

Due: La sicurezza non dipende dal “tipo di traffico”

Come RHC riteniamo un errore grave. affidarsi al presunto basso valore delle proprie attività online:

“non ho fatto nulla di importante”

Gli attaccanti sfruttano ogni opportunità per accedere alle nostre informazioni e ai nostri dispositivi. Una volta che riescono a infiltrarsi, possono rimanere nascosti per lunghi periodi, raccogliendo dati preziosi e pianificando attacchi più mirati.

Il vero rischio non è solo la perdita di una password, ma il furto della nostra identità digitale.
Questo può tradursi in:

• Accessi non autorizzati a social, email o piattaforme di lavoro.
• Frodi a nostro nome (apertura conti, stipula contratti, persino crimini informatici o nella vita reale).
• Attacchi di tipo spear phishing contro di noi o i nostri contatti personali e aziendali. Sfruttando i dati raccolti per costruire messaggi altamente personalizzati e convincenti.

Noi di RHC lo abbiamo sempre sostenuto..

Come abbiamo sottolineato in diversi articoli pubblicati su Red Hot Cyber, tra cui questi due del 2023:

• Che cos’è la Sicurezza Informatica. Tra minacce, cybercrime, protezione e lavoro
• Cosa si intende per ICT Risk Management. Un processo a supporto della sicurezza informatica

la cybersecurity non è un singolo strumento o un semplice antivirus, ma un insieme di tecnologie, processi e pratiche progettati per proteggere le reti, i dispositivi e i dati da attacchi informatici, frodi e altre minacce digitali.

A rafforzare questa protezione viene in aiuto l’ICT Risk Management.

Un po’ di prevenzione si chiama… gestione del rischio

Nella vita reale, facciamo ogni giorno scelte per ridurre i rischi: chiudiamo la porta di casa, allacciamo le cinture in auto, evitiamo zone pericolose.

Online dovrebbe funzionare allo stesso modo. Ed è qui che entra in gioco un concetto fondamentale anche per chi non è “del mestiere”:
la gestione del rischio digitale, o come viene chiamata in gergo: ICT Risk Management.

Tradotto in parole semplici, significa:

• Essere consapevoli dei pericoli quando si è online.
• Capire cosa potrebbe succedere se qualcosa va storto.
• Adottare piccoli accorgimenti per evitarlo (come evitare reti aperte e non protette).
• Controllare ogni tanto se tutto è a posto, aggiornando app, cambiando password o informandosi su nuove truffe in circolazione.

Non dobbiamo essere per forza degli esperti. Spesso e volentieri basta un po’ di buon senso, curiosità e voglia di proteggersi.

Evidenza attraverso il DNS Spoofing

In questo video realizzato da Matteo Brandi, vogliamo dare un’evidenza concreta di quanto sia facile cadere in una trappola digitale quando si naviga senza protezione.

youtube.com/embed/cgwOgS9tj6o?…

Attraverso una dimostrazione semplice e diretta, il video mostra:

• Cos’è il DNS Spoofing e come funziona realmente.
• Come un attaccante può intercettare la tua navigazione e reindirizzarti su un sito falso, anche se pensi di essere al sicuro.
• Perché anche una semplice connessione a una rete WiFi pubblica può diventare un varco d’ingresso per i cybercriminali.

⚠️ Questo video è realizzato a scopo educativo e di sensibilizzazione sulla sicurezza informatica. NON usare queste informazioni per scopi illeciti!

Autore del video: Matteo Brandi: Esperto di sicurezza informatica con focus sulla defensive cybersecurity, ha conquistato le certificazioni TCM PNPT e CompTIA Security+. Con la sua attività aiuta le PMI a blindare i loro sistemi. Membro del Team HackerHood di RHC, Hacker etico per passione, difensore digitale per missione.

Conclusione

Il rischio digitale non si limita al furto di dati bancari e deve essere sempre valutato in tutte le sue parti. Anche attività che ci sembrano “innocue”, possono esporci a pericoli seri, se fatte su reti non sicure.

Il modo in cui navighiamo, le reti che usiamo, le app che apriamo: tutto conta.

Proteggere la propria identità online oggi è importante quanto proteggere la propria casa.
E il primo passo è una connessione sicura, che è essenziale per proteggere la propria presenza digitale in ogni momento.

In questa serie di articoli vogliamo aumentare la consapevolezza sui reali pericoli delle reti WiFi. Nei prossimi tratteremo altri falsi miti che spesso, invece di proteggerci, ci espongono a pericoli non calcolati.

Essere consapevoli, informati e vigili è il primo e più importante passo verso una reale sicurezza digitale.

L'articolo Falsi Miti: Se non faccio pagamenti o login online, sono davvero al sicuro? proviene da il blog della sicurezza informatica.

Il collettivo di ricerca in sicurezza informatica HackerHood, parte dell’universo della community di Red Hot Cyber, ha recentemente scoperto due nuove vulnerabilità nei dispositivi Zyxel, dimostrando ancora una volta l’importanza della ricerca proattiva nel contrasto alle minacce cibernetiche non documentate (cd. zeroday).

Entrambi i bug monitorati come CVE-2025-1731 e CVE-2025-1732 sono stati firmati dal ricercatore di Bug Alessandro Sgreccia mentre per il bug CVE-2025-1732 c’è anche la firma di un altro ricercatore di bug: Marco Ivaldi. Le vulnerabilità sono state isolate e prontamente inviate allo PSIRT di Zyxel.

CVE-2025-1731: Remote Code Execution on Zyxel USG FLEX H Series

• Prodotto: Zyxel USG FLEX H Series
• Ricercatore: Alessandro Sgreccia
• Link NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-1731
• CVSSv3: 7,8

Durante le attività di ricerca di vulnerabilità non documentate sugli apparaty di Zyxel, è stato identificato un problema di sicurezza legato a un’applicazione di terze parti (PostgreSQL). Sebbene non siano state riscontrate vulnerabilità nella versione stessa di PostgreSQL, una configurazione errata consente a un utente malintenzionato di stabilire un tunnel SSH con port forwarding, esponendo il servizio di database (porta 5432) all’accesso esterno.

Normalmente, l’istanza di PostgreSQL è accessibile solo tramite localhost, limitando così la sua esposizione. Tuttavia, sfruttando il tunneling SSH, un utente malintenzionato può creare un canale di comunicazione diretto con il database da un sistema remoto. Il rischio è ulteriormente aggravato dall’assenza di requisiti di autenticazione per l’accesso al database, che consente a un aggressore di eseguire query arbitrarie e di ottenere l’esecuzione di codice remoto (RCE) creando una shell inversa come utente Postgres.

Zyxel USG FLEX H Series è una serie di firewall ad alte prestazioni progettata per soddisfare le esigenze di reti esigenti e ad alta velocità. Offre tempi di avvio più rapidi e migliori prestazioni delle CPU, che la rendono superiore alla serie USG FLEX standard.

CVE-2025-1732: Privilege Escalation

• Prodotto: Zyxel USG FLEX H Series
• Ricercatore: Alessandro Sgreccia e Marco Ivaldi
• Link NIST: nvd.nist.gov/vuln/detail/CVE-2…
• CVSSv3: 6,7

Questa vulnerabilità riguarda l’escalation dei privilegi attraverso l’uso improprio del bit SetUID su un binario personalizzato. Un utente non privilegiato può ottenere l’accesso root eseguendo una shell compilata staticamente con SetUID abilitato, che è stata precedentemente impacchettata in un archivio ZIP, trasferita tramite la funzione di recovery RMA di uOS ed estratta come root su un sistema vulnerabile.

In particolare, l’eseguibile della shell imposta esplicitamente UID e GID a 0 per aumentare i privilegi ed è compilato staticamente per evitare problemi di dipendenza che potrebbero impedire l’esecuzione. Impatto della vulnerabilità:

• Escalation dei privilegi → L’attaccante può ottenere una shell di root.
• Persistenza → L’attaccante può creare una backdoor per accessi futuri.
• Compromissione completa del sistema → L’attaccante può modificare i file critici del sistema.

Il ruolo di HackerHood nella scoperta

HackerHood, con 19 CVE emesse in due anni di attività, è il collettivo di ethical hacker di Red Hot Cyber che si impegna nella ricerca di vulnerabilità non documentate per garantire una sicurezza informatica più robusta. Il gruppo si basa su un manifesto che promuove la condivisione della conoscenza e il miglioramento della sicurezza collettiva, identificando e segnalando vulnerabilità critiche per proteggere utenti e aziende.

Secondo quanto riportato nel manifesto di HackerHood, il collettivo valorizza l’etica nella sicurezza informatica e incentiva la collaborazione tra i professionisti del settore. Questo caso dimostra l’importanza della loro missione: mettere al servizio della comunità globale le competenze di hacker etici per individuare minacce ancora sconosciute.

Unisciti a HackerHood

Se sei un bug hunter o un ricercatore di sicurezza e vuoi contribuire a iniziative di questo tipo, HackerHood è sempre aperto a nuovi talenti. Il collettivo accoglie esperti motivati a lavorare su progetti concreti per migliorare la sicurezza informatica globale. Invia un’email con le tue esperienze e competenze a info@hackerhood.it per unirti a questa squadra di professionisti.

La scoperta di CVE-2024-12398 è un ulteriore esempio del contributo significativo di HackerHood al panorama della sicurezza informatica. È essenziale che aziende e utenti finali prestino attenzione a tali scoperte, adottando le misure necessarie per prevenire eventuali exploit. La collaborazione tra ethical hacker, aziende e comunità resta una pietra miliare nella lotta contro le minacce cibernetiche.

Disclosure Timeline

• 2025-02-11: ZYXEL was notified via security@zyxel.com.tw.
• 2025-02-12: ZYXEL acknowledged receipt of my vulnerability report.
• 2025-02-20: ZYXEL’s Product team was unable to use the stolen ‘authtok’ to create an admin account
• and could not reproduce the issue. I provided them with a code modification to improve the exploit.
• 2025-02-25: ZYXEL’s Product team was still unable to reproduce the issue, so I requested access to the
• device for further investigation.
• 2025-02-25: ZYXEL PSIRT informed me that the RD Team Leader would contact me to grant access to
• their device.
• 2025-02-26: ZYXEL’s RD Team notified me that they were finally able to reproduce the issue.
• 2025-03-06: ZYXEL assigned CVE-2025-1731 and CVE-2025-1732 to the reported issues and
• informed me of their intention to publish their security advisory on 2025-04-15.
• 2025-04-08: ZYXEL requested to postpone the public disclosure date to April 22, 2025, as the firmware
• patch is scheduled for release on April 14, 2025, allowing users adequate time to apply the update and
• secure their systems before the vulnerability is disclosed.
• 2025-04-22: ZYXEL published their security advisory, following my coordinated disclosure timeline.

L'articolo HackerHood di RHC Rivela due nuovi 0day sui prodotti Zyxel proviene da il blog della sicurezza informatica.

Gli scienziati avvertono che la tecnologia di sequenziamento del DNA potrebbe diventare un nuovo bersaglio per gli hacker. Stiamo parlando del cosiddetto sequenziamento di nuova generazione (NGS), uno strumento fondamentale nella medicina e nella biotecnologia moderne.

Questa tecnologia è alla base della medicina personalizzata, della diagnosi del cancro, del monitoraggio delle infezioni, dell’agrobiotecnologia e della medicina legale. Ma oltre alla sua ampia gamma di possibilità, porta con sé anche minacce inaspettate, se non ci si prende cura della sua protezione in tempo.

Una nuova ricarica pubblicata su IEEE Access, è stata la prima analisi completa delle minacce informatiche che ha coperto l’intero ciclo NGS, dalla preparazione dei campioni biologici all’analisi dei dati genetici. Il progetto è stato guidato dalla Dott.ssa Nasreen Anjum dell’Università di Portsmouth, in collaborazione con ricercatori di diverse università del Regno Unito e del Pakistan.

Il nocciolo del problema è che ogni fase della complessa catena di elaborazione del DNA coinvolge non solo attrezzature di laboratorio, ma anche software specializzati, sistemi connessi ed enormi quantità di dati. Tutti questi componenti possono essere vulnerabili, soprattutto considerando che alcuni dati genetici sono spesso resi pubblici. E questo crea spazio per abusi: dalla sorveglianza e discriminazione alla creazione di armi biologiche basate sulle informazioni ottenute.

Il Dott. Anjum avverte: “Vogliamo chiarire che la protezione dei dati genomici non è solo una questione di crittografia. Dobbiamo essere in grado di anticipare attacchi che non esistono ancora. Abbiamo bisogno di un nuovo approccio alla sicurezza nella medicina di precisione“. La sicurezza informatica e la biosicurezza restano un settore fortemente sottovalutato, nonostante la loro importanza critica, ha affermato.

Tra i possibili vettori di attacco, i ricercatori citano l’introduzione di codice maligno nel DNA sintetico, l’uso dell’intelligenza artificiale per falsificare o modificare informazioni genetiche, nonché metodi per reidentificare le persone utilizzando dati resi anonimi. Secondo la Dott.ssa Mahreen-Ul-Hassan, microbiologa e coautrice della Shaheed Benazir Bhutto University, se le informazioni genomiche dovessero trapelare, le conseguenze sarebbero ben più gravi di un semplice attacco informatico: “Si tratta di una delle forme di dati più personali. La compromissione può avere conseguenze di vasta portata sia per l’individuo che per la società“.

Gli autori del lavoro sottolineano che senza una cooperazione interdisciplinare (tra specialisti IT, biotecnologi ed esperti di sicurezza) è impossibile garantire la protezione dell’NGS. Nel frattempo, le misure di protezione restano frammentate e l’interazione tra i principali settori scientifici è insufficiente.

In conclusione, i ricercatori hanno proposto misure specifiche per rafforzare la sicurezza, dai protocolli di sequenziamento sicuro alla crittografia dei dati e all’uso di sistemi di intelligenza artificiale per rilevare anomalie. Ma la cosa più importante è che hanno stilato un elenco unico di tutte le potenziali minacce associate all’uso della tecnologia NGS. Questo dovrebbe essere il punto di partenza per sviluppare una strategia completa di biosicurezza informatica prima che la tecnologia cada nelle mani sbagliate.

L'articolo Arriva la Biosicurezza! Il sequenziamento del DNA è nel mirino degli hacker proviene da il blog della sicurezza informatica.

This Short from [ProShorts 101] shows us how to make an incandescent light bulb from a jar, a pencil lead, two bolts, and a candle.

Prepare the lid of the jar by melting in two holes to contain the bolts, you can do this with your soldering iron, but make sure your workspace is well ventilated and don’t breathe the fumes. Install the two bolts into the lid. Take a pencil lead and secure it between the two bolts. Chop off the tip of a candle and glue it inside the lid. Light the candle and while it’s burning cover it with the jar and screw on the lid. Apply power and your light bulb will glow.

The incandescent light bulb was invented by Thomas Edison and patented in patent US223898 in 1879. It’s important to remove the oxygen from the bulb so that the filament doesn’t burn up when it gets hot. That’s what the candle is for, to burn out all the oxygen in the jar before it’s sealed.

Of course if you want something that is energy efficient you’re going to want an LED light bulb.

youtube.com/embed/_ItOFyOTb8M?…

hackaday.com/2025/04/21/making…

Recently a team at Fudan University claimed to have developed a picosecond-level Flash memory device (called ‘PoX’) that has an access time of a mere 400 picoseconds. This is significantly faster than the millisecond level access times of NAND Flash memory, and more in the ballpark of DRAM, while still being non-volatile. Details on the device technology were published in Nature.

In the paper by [Yutong Xing] et al. they describe the memory device as using a two-dimensional Dirac graphene-channel Flash memory structure, with hot carrier injection for both electron and hole injection, meaning that it is capable of both writing and erasing. Dirac graphene refers to the unusual electron transport properties of typical monolayer graphene sheets.

Demonstrated was a write speed of 400 picoseconds, non-volatile storage and a 5.5 × 10⁶ cycle endurance with a programming voltage of 5 V. It are the unique properties of a Dirac material like graphene that allow these writes to occur significantly faster than in a typical silicon transistor device.

What is still unknown is how well this technology scales, its power usage, durability and manufacturability.

hackaday.com/2025/04/21/pox-su…

RepRap was the origin of pushing hobby 3D printing boundaries, and here we see a RepRap scaled down to the smallest detail. [Vik Olliver] over at the RepRap blog has been working on getting a printer working printing down to the level of micron accuracy.

The printer is constructed using 3D printed flexures similar to the OpenFlecture microscope. Two flexures create the XYZ movement required for the tiny movements needed for micron level printing. While still in the stages of printing simple objects, the microscopic scale of printing is incredible. [Vik] managed to print a triangular pattern in resin at a total size of 300 µm. For comparison SLA 3D printers struggle at many times that scale. Other interesting possibilities from this technology could be printing small scale circuits from conductive resins, though this might require some customization in the resin department.

In addition to printing with resin, µRepRap can be seen making designs in marker ink such as our own Jolly Wrencher! At only 1.5 mm the detail is impressive especially when considering the nature of scratching away ink.

If you want to make your own µRepRap head over to [Vik Olliver]’s GitHub. The µRepRap project has been a long going project. From the time it started the design has changed quite a bit. Check out an older version of the µRepRap project based around OpenFlexture!

hackaday.com/2025/04/21/jolly-…

Perhaps the most famous adage of journalism — get the truth and print it — continues to face attacks in our courts, and judges often fail to stop them.

A recent case comes from Victoria County, Texas, where last month a judge entered a temporary order preventing the publication of a book about alleged sexual harassment by former Phi Theta Kappa Honor Society director Rod Risley.

The court lifted the order on April 8, but only after the honor society had stopped the book from being published on the first day of its national convention, when it would have had the greatest impact.

Phi Theta Kappa, which sought the restraining order against author Toni Marek, hadn’t claimed that the information in her book is false. By its own admission, Marek received the information legally, either through public records requests or by speaking to former employees. But the honor society argued that the book shouldn’t be published because information in it is “confidential.” A judge initially agreed.

This isn’t the only order barring publication, known as a prior restraint, that Phi Theta Kappa has sought in recent times and won.

In a separate lawsuit, Phi Theta Kappa obtained an order prohibiting the competing HonorSociety.org from speaking about it online. Among other things, the order forbade HonorSociety.org from editing Phi Theta Kappa’s Wikipedia page or publishing independent reporting on Risley, regardless of whether those edits or publications were true.

A federal court of appeals recently struck down the order as overly broad.

The initial decisions granting the ban on Marek’s book and the gag on HonorSociety.org both suffer from the same glaring problem: the First Amendment.

The First Amendment prohibits prior restraints in all but the most extreme circumstances. In 1971, the Supreme Court even rebuffed the government’s attempt to stop the press from publishing the Pentagon Papers, documents the government claimed contained state secrets that could harm national security.

Censorship orders harm our freedom of speech no matter how long they last.

The Court has also repeatedly affirmed the First Amendment right to publish lawfully obtained, truthful information on matters of public concern.

But even though these censorship orders are supposed to be extremely rare and are almost always unconstitutional, prior restraints seem to be persisting.

One reason may be that judges are failing to recognize the First Amendment interests at stake when someone asks for a prior restraint on an "emergency" basis, as Phi Theta Kappa did in the case of Marek’s book. Because the honor society sought a temporary restraining order, Marek didn’t have a chance to appear in court and argue her side before the judge entered the initial order banning publication.

This isn’t a problem isolated to Texas. In February, a Mississippi court ordered The Clarksdale Press Register to remove an editorial criticizing Democratic Mayor Chuck Espy’s office for failing to properly notify the public of a special meeting, as required by state law. The city government claimed the editorial was defamatory, even though the city clerk admitted in an affidavit that she had failed to follow the notification law.

First Amendment experts immediately condemned the order. But as in Marek’s case, the city sought a temporary restraining order and the court granted it without giving the Press Register a chance to respond to the allegations or raise First Amendment arguments. Only after a national outcry did the city drop its suit and the court lift its censorship order.

Even though courts eventually ended the prior restraints on Marek, HonorSociety.org, and The Clarksdale Press Register, the fact that they entered them at all is a huge problem. Censorship orders harm our freedom of speech no matter how long they last.

It’s also a problem that nobody involved stopped to think about the First Amendment, at least at first. Both lawyers and judges need to do more to protect the constitutional rights of the public and the press.

Every lawyer in America is taught constitutional law, and even the most cursory legal research would turn up Supreme Court precedent on prior restraints. Lawyers seeking prior restraints have an ethical obligation to disclose law that cuts against their case to the court. But far too many emergency requests to censor speech fail to mention even the most well-known First Amendment decisions.

Judges, too, should hear First Amendment alarm bells ringing when they’re asked to restrain speech. When someone seeks an emergency order prohibiting speech, judges shouldn’t simply accept their arguments. They must independently research the law to be sure that their orders don’t violate the Constitution. They also can and should sanction lawyers who fail to mention any of the many cases prohibiting prior restraints.

Giving the proper attention and weight to freedom of speech isn’t too much to ask of our legal system. When lawyers and judges neglect their professional responsibility and neglect the Constitution, we all become vulnerable to censorship.

freedom.press/issues/free-spee…

A recent project over on Hackaday.io from [Michael Gardi] is Trekulator – Where No Maker Has Gone Before.

This is a fun build and [Michael] has done a very good job of emulating the original device. [Michael] used the Hackaday.io logging feature to log his progress. Starting in September 2024 he modeled the case, got his original hardware working, got the 7-segment display working, added support for sound, got the keypad working and mounted it, added the TFT display and mounted it, wired up the breadboard implementation, designed and implemented the PCBs, added some finishing touches, installed improved keys, and added a power socket back in March.

It is perhaps funny that where the original device used four red LEDs, [Michael] has used an entire TFT display. This would have been pure decadence by the standards of 1977. The software for the ESP32 microcontroller was fairly involved. It had to support audio, graphics, animations, keyboard input, the 7-segment display, and the actual calculations.

The calculations are done using double-precision floating-point values and eight positions on the display so this code will do weird things in some edge cases. For instance if you ask it to sum two eight digit numbers as 90,000,000 and 80,000,000, which would ordinarily sum to the nine digit value 170,000,000, the display will show you a different value instead, such as maybe 17,000,000 or 70,000,000. Why don’t you put one together and let us know what it actually does! Also, can you find any floating-point precision bugs?

This was a really fun project, thanks to [Michael] for writing it up and letting us know via the tips line!

youtube.com/embed/DtQb22XuGGM?…

youtube.com/embed/IBBv7u4kOjA?…

hackaday.com/2025/04/21/trekul…

Long before the Java Virtual Machine (JVM) was said to take the world by storm, the p-System (pseudo-system, or virtual machine) developed at the University of California, San Diego (UCSD) provided a cross-platform environment for the UCSD’s Pascal dialect. Later on, additional languages would also be made available for the UCSD p-System, such as Fortran (by Apple Computer) and Ada (by TeleSoft), not unlike the various languages targeting the JVM today in addition to Java. The p-System could be run on an existing OS or as its own OS directly on the hardware. This was extremely attractive in the fragmented home computer market of the 1980s.

After the final release of version IV of UCSD p-System (IV.2.2 R1.1) in 1987, the software died a slow death, but this doesn’t mean it is forgotten. People like [Hans Otten] have documented the history and technical details of the UCSD p-System, and the UCSD Pascal dialect went on to inspire Borland Pascal.

Recently [Mark Bessey] also reminisced about using the p-System in High School with computer programming classes back in 1986. This inspired him to look at re-experiencing Apple Pascal as well as UCSD Pascal on the UCSD p-System, possibly writing a p-System machine. Even if it’s just for nostalgia’s sake, it’s pretty cool to tinker with what is effectively the Java Virtual Machine or Common Language Runtime of the 1970s, decades before either of those were a twinkle in a software developer’s eyes.

Another common virtual runtime of the era was CHIP-8. It is also gone, but not quite forgotten.

hackaday.com/2025/04/21/rememb…

If you do a lot of 3D computer work, I hear a Spacemouse is indispensable. So why not build a keyboard around it and make it a mouse-cropad?

Image by [DethKlawMiniatures] via redditThat’s exactly what [DethKlawMiniatures] did with theirs. This baby is built with mild steel for the frame, along with some 3D-printed spacers and a pocket for the Spacemouse itself to live in.

Those switches are Kailh speed coppers, and they’re all wired up to a Seeed Xiao RP2040. [DethKlawMiniatures] says that making that lovely PCB by hand was a huge hassle, but impatience took over.

After a bit of use, [DethKlawMiniatures] says that the radial curve of the macro pad is nice, and the learning curve was okay. I think this baby looks fantastic, and I hope [DethKlawMiniatures] gets a lot of productivity out of it.

Kinesis Rides Again After 15 Years

Fifteen years ago, [mrmarbury] did a lot of ergo keyboard research and longed for a DataHand II. Once the sticker shock wore off, he settled on a Kinesis Advantage with MX browns just like your girl is typing on right now.

Image by [mrmarbury] via redditNot only did [mrmarbury] love the Kinesis to death, he learned Dvorak on it and can do 140 WPM today. And, much like my own experience, the Kinesis basically saved his career.

Anyway, things were going gangbusters for over a decade until [mrmarbury] spilled coffee on the thing. The main board shorted out, as did a thumb cluster trace. He did the Stapelberg mod to replace the main board, but that only lasted a little while until one of the key-wells’ flex boards came up defective. Yadda yadda yadda, he moved on and eventually got a Svalboard, which is pretty darn close to having a DataHand II.

But then a couple of months ago, the Kinesis fell on [mrmarbury]’s head while cleaning out a closet and he knew he had to fix it once and for all. He ripped out the flex boards and hand-wired it up to work with the Stapelberg mod. While the thumb clusters still have their browns and boards intact, the rest were replaced with Akko V3 Creme Blue Pros, which sound like they’re probably pretty amazing to type on. So far, so good, and it has quickly become [mrmarbury]’s favorite keyboard again. I can’t say I’m too surprised!

The Centerfold: Swingin’ Bachelor Pad

Image by [weetek] via redditIsn’t this whole thing just nice? Yeah it is. I really like the lighting and the monster monstera. The register is cool, and I like the way it the panels on the left wall mimic its lines. And apparently that is a good Herman Miller chair, and I dig all the weird plastic on the back, but I can’t help but think this setup would look even cleaner with an Aeron there instead. (Worth every penny!)

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the IBM Selectric Composer

And what do we have here? This beauty is not a typewriter, exactly. It’s a typesetter. What this means is that, if used as directed, this machine can churn out text that looks like it was typeset on a printing press. You know, with the right margin justified.

Image by [saxifrageous] via redditYou may be wondering how this is achieved at all. It has to do with messing with the kerning of the type — that’s the space between each letter. The dial on the left sets the language of the type element, while the one one the right changes the spacing. There’s a lever around back that lets you change the pitch, or size of the type. The best part? It’s completely mechanical.

To actually use the thing, you had to type your text twice. The first time, the machine measured the length of the line automatically and then report a color and number combination (like red-5) which was to be noted in the right margin.

The IBM Selectric Composer came out in 1966 and was a particularly expensive machine. Like, $35,000 in 2025 money expensive. IBM typically rented them out to companies and then trashed them when they came back, which, if you’re younger than a certain vintage, is why you’ve probably never seen one before.

If you just want to hear one clack, check out the short video below of a 1972 Selectric Composer where you can get a closer look at the dials. In 1975, the first Electronic Selectric Composer came out. I can’t even imagine how much those must have cost.

youtube.com/embed/Ba92fcE0bkI?…

Finally, a Keyboard Part Picker

Can’t decide what kind of keyboard to build? Not even sure what all there is to consider? Then you can’t go wrong with Curatle, a keyboard part picker built by [Careless-Pay9337] to help separate you from your hard-earned money in itemized fashion.

The start screen for Curatle made by [Careless-Pay9337].So this is basically PCPartPicker, but for keyboards, and those are [Careless-Pay9337]’s words. Essentially, [Careless-Pay9337] scraped a boatload of keyboard products from various vendors, so there is a lot to choose from already. But if that’s not enough, you can also import products from any store.

The only trouble is that currently, there’s no compatibility checking built in. It’ll be a long road, but it’s something that [Careless-Pay9337] does plan to implement in the future.

What else would you like to see? Be sure to let [Careless-Pay9337] know over in the reddit thread.

Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

hackaday.com/2025/04/21/keebin…

Although the video game crash of the mid-80s caused a major decline in arcades from their peak popularity, the industry didn’t completely die off. In fact, there was a revival that lasted until the 90s with plenty of companies like Capcom, Midway, SEGA, and Konami all competing to get quarters, francs, loonies, yen, and other coins from around the world. During this time, Namco — another game company — built a colossal 28-player prototype shooter game. Eventually, they cut it down to a (still titanic) six-player game that was actually released to the world. [PhilWIP] and his associates are currently restoring one of the few remaining room-sized games that are still surviving.

The game is called Galaxian 3, with this particular one having been upgraded to a version called “Attack of the Zolgear”. Even though it’s “only” a six-person shooter, it’s still enormous in scale. The six players sit side-by-side in an enclosed room, each with their own controller. Two projectors handle the display, which is large even by modern standards, and a gauntlet of early-90s technology, including LaserDisc players, is responsible for all of the gameplay. When [PhilWIP] first arrived, the game actually powered on, but there were several problems to solve before it was playable. They also wanted to preserve the game, which meant imaging the LaserDiscs to copy their data onto modern storage. Some of the player input PCBs needed repairs, and there were several issues with the projectors. Eventually the team got the system working well enough to play.

[PhilWIP] and the others haven’t gotten all the issues ironed out yet. The hope is that subsequent trips will restore this 90s novelty to working order shortly. It turns out there were all kinds of unique hardware from this wild-west era that’s in need of restoring, as we saw a few years ago with this early 3D cabinet from the same era.

hackaday.com/2025/04/21/restor…

Internet non è più quello di una volta. Uno Studio pubblicato da Imperva, ha dimostrato che più della metà dell’intero traffico Internet non proviene da persone, ma da bot. È la prima volta nella storia che i programmi automatizzati cominciano a dominare lo spazio digitale.

Il motivo di questa impennata è il rapido sviluppo dell’intelligenza artificiale generativa. Sono queste le tecnologie alla base dei moderni bot in grado di imitare il comportamento umano, condurre conversazioni, scrivere lettere ed eseguire azioni automatiche sui siti web. Non tutti sono innocui: una parte significativa viene utilizzata per scopi dannosi.

Secondo Imperva, dal 2016 i bot “cattivi”, ovvero quelli progettati per attaccare, rubare dati o bypassare i sistemi, hanno iniziato a superare in numero quelli “buoni”. Nel 2024, i bot dannosi rappresentavano il 37% di tutto il traffico, mentre quelli benigni solo il 14%. Allo stesso tempo, un anno fa la quota di bot dannosi era del 32%, il che indica una crescita costante della minaccia.

Uno dei compiti principali di questi bot era intercettare gli account degli utenti. Lo scenario di attacco è semplice: il bot prova password e accessi rubati su diversi siti, sperando che qualcuno utilizzi la stessa password in più posti. Nel corso di un anno, il numero di tali attacchi è quasi raddoppiato, passando da 190 mila a dicembre 2023 a 330 mila a dicembre 2024. L’aumento potrebbe essere stato innescato da un’ondata di fughe di dati che ha aumentato il numero di coppie di dati utente disponibili.

Altre azioni dei bot dannosi includono il download in massa (web scraping) di informazioni da siti web, che minaccia sia i segreti commerciali sia i dati personali. Sono frequenti i casi in cui i bot sono coinvolti in frodi sui pagamenti sfruttando le vulnerabilità dei sistemi. Sono diventati particolarmente diffusi i cosiddetti scalping bot: acquistano biglietti o beni di successo per poi rivenderli a prezzi gonfiati, lasciando a bocca asciutta i veri acquirenti.

Il rapporto presta particolare attenzione ai settori che soffrono maggiormente dell’attività dei bot. Nel 2024, il settore turistico è diventato leader, rappresentando il 27% del traffico dannoso. Si tratta di una cifra superiore a quella del 2023, quando la quota era del 21%. I bot in questo segmento spesso simulano la prenotazione dei biglietti senza completare il processo. Di conseguenza, la determinazione dei prezzi viene alterata e il sistema di contabilità della domanda veniva fuorviato. Al secondo posto si è classificato il commercio al dettaglio con il 15%, mentre al terzo posto si è classificato l’istruzione con l’11%.

I bot stanno diventando più sofisticati. Mentre prima falsificavano solo l’aspetto del browser, ora utilizzano gli indirizzi IP degli utenti abituali e le VPN per nascondere la fonte del traffico. Alcuni di loro hanno imparato a eludere il CAPTCHA e ad adattarsi a un ambiente specifico, cambiando tattica se incontrano protezione.

Inoltre, sempre più bot non utilizzano una normale interfaccia web, ma interagiscono direttamente con la parte server dei siti tramite API: ciò semplifica la raccolta dei dati e rende le azioni invisibili ai sistemi di monitoraggio. Anche se gli utenti normali possono migliorare un po’ la propria sicurezza, la responsabilità principale della lotta ai bot ricade sui proprietari dei servizi online. Tuttavia, alcuni semplici accorgimenti possono aiutare a ridurre i rischi.

Pertanto, non dovresti mai usare la stessa password per account diversi, perché questo facilita la vita agli aggressori. Un gestore di password affidabile ti aiuterà a salvare combinazioni complesse. È anche importante installare antivirus e monitorare lo stato del computer in modo che non diventi parte di una botnet.

Infine, non fidarti dei servizi VPN dubbi: alcuni di essi potrebbero vendere il tuo indirizzo IP a terzi. Si consiglia inoltre di controllare il router di casa e di aggiornarne il firmware: i modelli più vecchi potrebbero essere vulnerabili ai tentativi di hackeraggio.

L'articolo Internet è invaso dai bot: ora il traffico umano è sotto il 50% e sono quasi tutte AI proviene da il blog della sicurezza informatica.

Over on his YouTube channel [Aaron Danner] explains biasing transistors with current sources in the 29th video of his Transistors Series. In this video, he shows how to replace a bias resistor (and consequently an additional capacitor) with a current source for both common-emitter and common-collector amplifiers.

A current source provides electrical energy with a constant current. The implication is that if the resistance of the load changes the current source will vary the voltage to compensate. In reality, this is exactly what you want. The usual resistor biasing arrangement just simulates this over a narrow voltage range, which is generally good enough, but not as good as a true current source.

As [Aaron] explains there are various advantages to biasing transistors with current sources instead of resistors, chief among them is that it allows you to get rid of a capacitor (capacitors are expensive to make in integrated circuits and often among the lowest-quality components in a design). You can also avoid losing some of your gain through the bias resistor.

The current source that [Aaron] uses in this video is known as a current mirror.

youtube.com/embed/kpd0uMzng8o?…

hackaday.com/2025/04/21/biasin…

La Cina introdurrà corsi di intelligenza artificiale per gli studenti delle scuole primarie e secondarie questo autunno. L’iniziativa prevede che i bambini a partire dai sei anni imparino a conoscere i chatbot, la tecnologia dell’intelligenza artificiale e l’etica, nell’ambito di un’iniziativa volta a rafforzare la propria posizione nel campo dell’intelligenza artificiale.

L’iniziativa fa parte di un piano più ampio per sviluppare un curriculum pluriennale di intelligenza artificiale, istituire un sistema di formazione e promuovere l’istruzione in materia di intelligenza artificiale a livello nazionale. L’espansione della formazione in intelligenza artificiale in Cina segue la rapida ascesa di DeepSeek, un’azienda nazionale di intelligenza artificiale che ha attirato l’attenzione globale.

Il Ministero dell’Istruzione ha designato 184 scuole come istituti pilota per programmi di intelligenza artificiale, gettando le basi per un’implementazione a livello nazionale. Il Ministro dell’Istruzione Huai Jinpeng ha definito l’intelligenza artificiale la “chiave d’oro” per il futuro dell’istruzione del Paese.

La Cina non è l’unica a integrare l’intelligenza artificiale nell’istruzione. Secondo e-Estonia, l’Estonia ha annunciato di recente che il programma AI Leap 2025 verrà lanciato il 1° settembre per offrire a 20.000 studenti delle classi 10-11 e a 3.000 insegnanti l’accesso gratuito alle principali applicazioni e alla formazione in materia di intelligenza artificiale.

“Stiamo iniziando un nuovo capitolo nello sviluppo del nostro sistema educativo e della società digitale”, ha affermato il presidente estone Alar Karis riporta Fortune. “L’intelligenza artificiale ha cambiato il mondo in modo permanente e, come tutti i settori, il sistema educativo deve adattarsi a questi cambiamenti”.

Il Canada e la Corea del Sud hanno introdotto libri di testo digitali basati sull’intelligenza artificiale e programmi di supporto agli insegnanti, mentre una scuola privata nel Regno Unito ha inaugurato un’aula “senza insegnante” in cui gli studenti utilizzano visori per la realtà virtuale e piattaforme di intelligenza artificiale al posto dell’insegnamento tradizionale.

Nonostante il potenziale rivoluzionario dell’intelligenza artificiale nell’apprendimento, molte aziende e ministeri dell’istruzione restano prudenti nell’affidarsi completamente a questi strumenti. L’IA può diventare un tutor personale gratuito, disponibile ovunque e in qualsiasi momento, ma porta con sé anche sfide etiche e di sicurezza.

Le Nazioni Unite hanno messo in guardia su questi rischi, chiedendo un uso inclusivo e responsabile dell’IA, con linee guida che mettano al centro l’umanità e la tutela dei minori. Anche i principali leader del settore educativo concordano su questa visione.

Ora però tocca all’Italia: è il momento di dare un segnale concreto e lungimirante, non tra dieci anni quando sarà troppo tardi, ma oggi, cogliendo questa occasione per guidare l’innovazione educativa con coraggio e responsabilità.

L'articolo A lezione di IA a 6 anni: la Cina prepara i suoi bambini alla rivoluzione dell’intelligenza artificiale proviene da il blog della sicurezza informatica.

Introduction

The evolution of Malware-as-a-Service (MaaS) has significantly lowered the barriers to entry for cybercriminals, with information stealers becoming one of the most commercially successful categories in this underground economy. Among these threats, Lumma Stealer has emerged as a particularly sophisticated player since its introduction in 2022 by the threat actor known as Lumma. Initially marketed as LummaC2, this information stealer quickly gained traction in underground forums, with prices starting at $250. As of March 2025, its presence on dark web marketplaces and Telegram channels continues to grow, with over a thousand active subscribers.

LummaC2 seller’s official website

Lumma delivery usually involves human interaction, such as clicking a link, running malicious commands, etc. Recently, while investigating an incident as part of our incident response services, our Global Emergency Response Team (GERT) encountered Lumma on a customer’s system. The analysis revealed that the incident was triggered by human interaction, namely the user was tricked into executing a malicious command by a fake CAPTCHA page. In this article, we will review in detail how the fake CAPTCHA campaign works and share a list of IoCs that we discovered during our analysis and investigation of the campaign. Although we already described this distribution method in an earlier article, more details about this campaign have been discovered since then.

Lumma Stealer’s distribution vectors

Lumma Stealer’s distribution methods are diverse, using common techniques typically seen in information-stealing malware campaigns. Primary infection vectors include phishing emails with malicious attachments or links, as well as trojanized legitimate applications. These deceptive tactics trick users into executing the malware, which runs silently in the background harvesting valuable data. Lumma has also been observed using exploit kits, social engineering, and compromised websites to extend its reach and evade detection by security solutions. In this article, we’ll focus mainly on the fake CAPTCHA distribution vector.

This vector involves fake verification pages that resemble legitimate services, often hosted on platforms that use Content Delivery Networks (CDNs). These pages typically masquerade as frequently used CAPTCHAs, such as Google reCAPTCHA or Cloudflare CAPTCHA, to trick users into believing they are interacting with a trusted service.

Fake CAPTCHA distribution vectors

Fake CAPTCHA distribution scheme

There are two types of resources used to promote fake CAPTCHA pages:

• Pirated media, adult content, and cracked software sites. The attackers clone these websites and inject malicious advertisements into the cloned page that redirect users to a malicious CAPTCHA.
• Fake Telegram channels for pirated content and cryptocurrencies. The attackers create Telegram channels with names containing keywords related to cryptocurrencies or pirated content, such as software, movies, etc. When a user searches for such content, the fraudulent channels appear at the top of the search. The attackers also use social media posts to lure victims to these channels. When a user joins such a channel, they are prompted to complete an identity verification via a fraudulent “Safeguard Captcha” bot.
  
  Safeguard Captcha bot

  Once the user clicks the Verify button, the bot opens a pop-up page with a fake CAPTCHA.

Fake CAPTCHA page

Users are presented with a pop-up page that looks like a standard CAPTCHA verification, prompting them to click I’m not a robot/Verify/Copy or some similar button. However, this is where the deception begins.

Fake CAPTCHA page examples

Fake page malicious content

When the I’m not a robot/Verify/Copy button is clicked, the user is instructed to perform an unusual sequence:

• Open the Run dialog(Win+R)
• Press Ctrl+V
• Hit Enter

Without the user’s knowledge, clicking the button automatically copies a PowerShell command to the clipboard. Once the user pastes the command into the Run dialog and presses Enter, the system executes the command.

Examples of scripts copied to the clipboard and executed via the Run dialog

The command may vary slightly from site to site and changes every few days, but it is typically used to download Lumma Stealer from a remote server, which is usually a known CDN with a free trial period or a legitimate code hosting and collaboration platform such as GitHub, and begin the malware installation process. Let’s take a closer look at this infection chain using the following command that was executed in our customer’s incident as an example:

Command triggering Lumma’s infection chain

The command is rather simple. It decodes and runs the contents from the remote win15.txt file hosted at https[:]//win15.b-cdn[.]net/win15.txt. The win15.txt file contains a Base64-encoded PowerShell script that then downloads and runs the Lumma Stealer. When decoded, the malicious PowerShell script looks like this:

Contents of win15.txt

The script performs the following actions:

1. Downloads the malware. It downloads the win15.zip file from https[:]//win15.b-cdn[.]net/win15.zip to [User Profile]\AppData\Roaming\bFylC6zX.zip.
2. Extracts the malware. The downloaded ZIP file is extracted to C:\Users\[User]\AppData\Roaming\7oCDTWYu, a hidden folder under the user’s AppData directory.
3. Executes the malware. The script runs the Set-up.exe file from the unpacked archive, which is now located at C:\Users\[User]\AppData\Roaming\7oCDTWYu\Set-up.exe.
4. Establishes persistence mechanism. The script creates an entry in the Windows Registry for persistency, ensuring that the malware runs every time the system starts. The registry key is added under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The key name is 5TQjtTuo, with the value pointing to Set-up.exe.

However, in some cases, the malware delivery mechanism can be more complex. In the following example, the delivery script is a JavaScript code hidden in what looks like an .mp3 file (other file formats such as .mp4 and .png have also been used). In fact, in addition to the JavaScript, the file may contain a corrupt .mp3/.mp4 file, legitimate software code, or just random data.

The script is executed using the Microsoft HTML Application engine mshta.exe by prompting the user to paste the following command into the Run dialog box:

Command triggering JS-based infection chain

The mshta command parses the file as an HTA file (Microsoft HTML Application) and executes any JavaScript code within the <script> tag, triggering the following infection chain:

Layer (1)

The JS script inside the .mp3 file is executed by mshta.

JS script within the never.mp3 file

Layer (2)

After calculating the Kwb value, the following script is obtained, which is then executed by the eval function.

Layer (2) JS script

Layer (3)

After calculating the values for kXN and zzI, the final ActiveX command is built and executed. It contains an encoded PowerShell script in the $PBwR variable.

Deobfuscated Layer (2) JS script

Layer (4)

After decoding the PowerShell script, we found that its main purpose is to download and execute another PowerShell file from the C2 path hXXps://connect[.]klipfuzj[.]shop/firefire[.]png.

Decrypted Layer (3) PowerShell script

Analysis for firefire.png

The file firefire.png is a huge PowerShell file (~31MB) with several layers of obfuscation and anti-debugging. After deobfuscating and removing unnecessary code, we could see that the main purpose of the file is to generate and execute an encrypted PowerShell script as follows:

firefire.png

The decryption key is the output of the Invoke-Metasploit command, which is blocked if the AMSI is enabled. As a result, an error message is generated by the AMSI: AMSI_RESULT_NOT_DETECTED, which is used as the key. If the AMSI is disabled, the malware will fail to decrypt the script.

The decrypted PowerShell script is approximately 1.5MB in size and its main purpose is to create and run a malicious executable file.

Decrypted PowerShell script

Infection methods and techniques

Lumma Stealer has been observed in the wild using a variety of infection methods, with two primary techniques standing out in its distribution campaigns: DLL sideloading and injection of a malicious payload into the overlay section of legitimate free software. These techniques are particularly effective at evading detection because they exploit the trust that users place in widely used applications and system processes.

• DLL sideloading
  DLL sideloading is a well-known technique where malicious dynamic link libraries (DLLs) are loaded by a legitimate application. This technique exploits vulnerabilities or misconfigurations in software that inadvertently load DLL files from untrusted directories. Attackers can drop the Lumma Stealer DLL in the same directory as a trusted application, causing it to load when the application is executed. Because the malicious DLL is loaded in the context of a trusted process, it is much harder for traditional security measures to detect the intrusion.
• Injection of malicious payload into the overlay section of software
  Another method commonly used by Lumma Stealer is to inject a malicious payload into the overlay section of free software. The overlay section is typically used for legitimate software functionality, such as displaying graphical interfaces or handling certain input events. By modifying this section of the software, the adversary can inject the malicious payload without disrupting the normal operation of the application. This method is particularly insidious because the software continues to appear legitimate while the malicious code silently executes in the background. It also helps the malware evade detection by security tools that focus on system-level monitoring.

Both of these methods rely on exploiting trusted applications, which significantly increases the chances of successful infection. These techniques can be used in combination with others, such as phishing or trojanized software bundles, to maximize the spread of Lumma Stealer to multiple targets.

Sample analysis

To demonstrate how the Lumma Stealer installers work and the impact on systems and data security, we’ll analyze the stealer sample we found in the incident at our customer. This sample utilizes the overlay injection technique. Below is a detailed breakdown of the infection chain and the various techniques used to deploy and execute Lumma Stealer.

Initial execution and self-extracting RAR (SFX)

The initial payload in this sample is delivered as ProjectorNebraska.exe, which consists of a corrupt legitimate file and the malware in the overlay section. It is executed by the victim. Upon execution, the file extracts and runs a self-extracting RAR (SFX) archive. This archive contains the next stage of the infection: a Nullsoft Scriptable Install System (NSIS) installer. NSIS is a widely used tool for creating Windows installers.

NSIS installer components

The NSIS installer drops several components that are critical to the malware’s execution:

NSIS installer components

These include AutoIt components and an obfuscated batch script loader named Hose.cmd. The following AutoIt components are dropped:

• Fragments of a legitimate AutoIt executable: These are pieces of a genuine AutoIt executable that are dropped to the victim’s system, and then reassembled during the infection process.
• Compiled AutoIt script: The compiled script carries the core functionality of Lumma Stealer, including operations such as credential theft and data exfiltration.

These components are later reassembled into the final executable payload using the batch script loader that concatenates and executes the various fragments.

Hose.cmd orchestrates the final steps of the malware’s execution. Below is a breakdown of its key components (after deobfuscation):

Deobfuscated batch script code

Process tree after executing the batch script

The batch script performs the following actions:

• Security product evasion
  
  • The script scans for the presence of security software (SecureAnywhere and Quick Heal AntiVirus) using the tasklist If either of them is detected, it delays execution via the ping -n 198 command, which pings localhost 198 times. This trick is used to avoid sandbox detection, as the sandbox typically exits before the script completes the ping task.
  • The script checks for the presence of any of the following: Avast, AVG, McAfee, Bitdefender, Sophos, using the tasklist If one of them is detected, it keeps the executable name for AutoIt as AutoIt3.exe; otherwise, it renames it to Suggests.pif.

  
  

• Environment setup and payload preparation. It sets environment variables for the AutoIt executable and the final payload. It also creates a working directory named 195402 in the Temp directory to store malicious components.
• Obfuscation and extraction. The script filters and cleans a file named Sitting from the NSIS installer by removing the string OptimumSlipProfessionalsPerspective, and storing the result as Suggests.pif. It then uses the copy /b command to merge Suggests.pif with an additional component from the NSIS installer named Oclc into the AutoIt executable, saving it again as Suggests.pif.
• Payload assembly. It concatenates multiple files from the NSIS installer: Italy, Holmes, True, etc. to generate the final executable with the name h.a3x, which is an AutoIt script.
• Execution of Lumma Stealer. Finally, the script runs Suggests.pif, which in turn executes h.a3x, triggering the AutoIt-based execution of Lumma Stealer.

AutoIt script analysis

During the analysis, the AutoIt Extractor utility was used to decompile and extract the script from the h.a3x file. The script was heavily obfuscated and required additional deobfuscation to get a clean and analyzable .au3 script. Below is the analysis of the AutoIt loader’s behavior.

AutoIt script extraction

Anti-analysis checks

The script begins by validating the environment to detect analysis tools or sandbox environments. It checks for specific computer names and usernames often associated with testing environments.

Environment validation

It then checks for processes from popular antivirus tools such as Avast (avastui.exe), Bitdefender (bdagent.exe), and Kaspersky (avp.exe).

Anti-AV checks

If any of these conditions are met, the script halts execution to evade detection.

Executing loader shellcode

If the anti-analysis checks are passed, the script dynamically selects 32-bit or 64-bit shellcode based on the system architecture, which is located in the $vinylcigaretteau variable inside the script. To do this, it allocates executable memory and injects the shellcode into it. The shellcode then initializes the execution environment and prepares for the second-stage payload.

Part of the AutoIt loader responsible for the shellcode execution

Processing the $dayjoy payload

After executing the loader shellcode, the script processes the second-stage payload located in the $dayjoy variable. The payload is decrypted using RC4 with a hardcoded key 1246403907690944.

The encrypted payload

To decrypt the payload independently, we wrote a custom Python script that you can see in the screenshot below.

Python script for payload decryption

The decrypted payload is decompressed using the LZNT1 algorithm.

Payload decompression

Final payload execution

After decryption and decompression, the $dayjoy payload is executed in memory. The script uses DllCallAddress to invoke the payload directly in the allocated memory. This ensures the payload is executed stealthily without being written to disk.

Final payload execution

This final payload is the stealer itself. The malware’s comprehensive data theft capabilities target a wide range of sensitive information, including:

• Cryptocurrency wallet credentials (e.g., Binance, Ethereum) and associated browser extensions (e.g., MetaMask)
• Two-factor authentication (2FA) data and authenticator extensions
• Browser-stored credentials and cookies
• Stored credentials from remote access tools such as AnyDesk
• Stored credentials from password managers such as KeePass
• System and application data
• Financial information such as credit card numbers

C2 communication

Once Lumma Stealer is executed, it establishes communication with its command and control (C2) servers to exfiltrate the stolen data. The malware sends the collected information back to the attacker’s infrastructure for further exploitation. This communication is typically performed over HTTP or HTTPS, often disguised as legitimate traffic to avoid detection by network security monitoring tools.

C2 servers identified

The following C2 domains used by Lumma Stealer to communicate with the attackers were identified in the analyzed sample:

• reinforcenh[.]shop
• stogeneratmns[.]shop
• fragnantbui[.]shop
• drawzhotdog[.]shop
• vozmeatillu[.]shop
• offensivedzvju[.]shop
• ghostreedmnu[.]shop
• gutterydhowi[.]shop

These domains are used to receive stolen data from infected systems. Communication with these servers is typically via encrypted HTTP POST requests.

Conclusions

As a mass-distributed malicious program, Lumma Stealer employs a complex infection chain that includes a number of anti-analysis and detection evasion techniques, to stealthily infiltrate the victim’s device. Although the initial infection via dubious pirated software and cryptocurrency-related websites and Telegram channels suggests that individuals are the primary targets of these attacks, we saw Lumma in an incident at one of our customers, which illustrates that organizations can also fall victim to this threat. The information stolen by such malware may end up in the hands of more prominent cybercriminals, such as ransomware operators. That’s why it’s important to prevent stealer infections at the early stages. By understanding the infection techniques, security professionals can better defend against this growing threat and develop more effective detection and prevention strategies.

IoCs

The following list contains the URLs detected during our research. Note that the attackers change the malicious URLs and Telegram channels almost daily, and the IoCs provided in this section were already inactive at the time of writing. However, they may be useful for retrospective threat detection.

Malicious fake CAPTCHA pages

• seenga[.]com/page/confirm.html
• serviceverifcaptcho[.]com
• downloadsbeta[.]com
• intelligenceadx[.]com
• downloadstep[.]com
• nannyirrationalacquainted[.]com
• suspectplainrevulsion[.]com
• streamingsplays[.]com
• bot-detection-v1.b-cdn[.]net
• bot-check-v5.b-cdn[.]net
• spam-verification.b-cdn[.]net
• human-test.b-cdn[.]net
• b-cdn[.]net
• b-cdn[.]net

Telegram channels distributing Lumma

• t[.]me/hitbase
• t[.]me/sharmamod

securelist.com/lumma-fake-capt…

ANOTHER MONDAY, ANOTHER DIGITAL POLITICS. I'm Mark Scott, and you find me enjoying the four-day Easter weekend here in the United Kingdom. In honor of that, I give you my new favorite podcast.

In my day job, I'll be interviewing Brad Smith, Microsoft's president, in Brussels on April 30 at 10am CET. You can watch along here. For those of you who would like to attend in person, drop me a line here.

— Policymakers worldwide are now seriously considering a future where digital policymaking excludes the United States. Let's unpick what that means.

— It's official: Google is most definitely a monopoly, on both sides of the Atlantic. That will have far-reaching consequences — but it will take time.

— Digital rights civil society groups have been severely impacted by cuts in US government support. Here are the charts that explain the impact.

Let's get started:

digitalpolitics.co/newsletter0…