Un nuovo pericoloso Remote Access Trojan (RAT) altamente sofisticato, denominato StilachiRAT, sta circolando con l’obiettivo di sottrarre credenziali, dati sensibili e criptovalute. Questo malware utilizza tecniche avanzate di evasione per rimanere inosservato, garantire la persistenza e permettere ai cybercriminali di operare indisturbati.

Un RAT su misura per lo spionaggio e il furto

Scoperto a novembre 2024 dai ricercatori di Microsoft Incident Response, StilachiRAT si distingue per la sua capacità di infiltrarsi nei sistemi target senza destare sospetti.

Tra le sue principali funzioni troviamo:

• Furto di credenziali: estrae informazioni sensibili salvate nei browser, inclusi i dati delle criptovalute.
• Monitoraggio dell’attività utente: raccoglie dati di sistema, rileva la presenza di telecamere, analizza sessioni RDP attive e le applicazioni in esecuzione.
• Attacco alle criptovalute: scansiona la configurazione di oltre 20 wallet digitali, tra cui Coinbase Wallet, Metamask e Trust Wallet.
• Persistenza e movimento laterale: sfrutta Windows Service Control Manager per rimanere attivo e persiste anche dopo tentativi di rimozione.

Attacco silenzioso e pericoloso

StilachiRAT non si limita a raccogliere informazioni, ma implementa anche funzionalità avanzate per evitare il rilevamento:

• Cancellazione dei log di sistema: elimina tracce dell’attacco per impedire indagini forensi.
• Evasione da sandbox: utilizza chiamate API offuscate per rendere l’analisi più complessa.
• Manipolazione delle finestre di sistema: monitora l’attività dell’utente per carpire password e dati sensibili direttamente dallo schermo.

Una volta insediato, StilachiRAT permette ai criminali di controllare il dispositivo infetto tramite comandi da un server C2. Questi comandi includono:

• Esecuzione di applicazioni malevole;
• Riavvio o sospensione del sistema;
• Modifica di chiavi di registro di Windows;
• Creazione di proxy per camuffare il traffico malevolo.

Difendersi è possibile

Sebbene Microsoft non abbia ancora attribuito StilachiRAT a un gruppo specifico, la sua pericolosità è evidente. Per ridurre il rischio di infezione, è essenziale adottare alcune contromisure:

• Scaricare software esclusivamente da fonti ufficiali;
• Utilizzare soluzioni di sicurezza avanzate che blocchino domini e allegati sospetti;
• Monitorare le sessioni RDP e implementare autenticazione a più fattori;
• Effettuare controlli di sicurezza regolari per individuare attività anomale.

Conclusione

Il panorama delle minacce informatiche non mostra segni di rallentamento e StilachiRAT ne è l’ennesima dimostrazione. Questo malware rappresenta un rischio concreto per aziende e utenti, con il suo focus su credenziali, criptovalute e accessi remoti. La difesa efficace passa attraverso la consapevolezza e l’adozione di misure di sicurezza mirate. L’informazione e la prevenzione sono le armi più potenti contro queste minacce in continua evoluzione.

L'articolo StilachiRAT: il malware fantasma che ruba credenziali e criptovalute senza lasciare traccia! proviene da il blog della sicurezza informatica.

Il team di threat hunting di Trend Zero Day Initiative™ (ZDI) ha identificato casi significativi di sfruttamento di un bug di sicurezza in una serie di campagne risalenti al 2017. L’analisi ha rivelato che 11 gruppi sponsorizzati da stati provenienti da Corea del Nord, Iran, Russia e Cina hanno impiegato il bug monitorato con il codice ZDI-CAN-25373 in operazioni motivate principalmente da cyber spionaggio e furto di dati.

Trendmicro ha scoperto quasi mille campioni Shell Link (.lnk) che sfruttano ZDI-CAN-25373; tuttavia, è probabile che il numero totale di tentativi di sfruttamento sia molto più alto. Successivamente, i ricercatori hanno inviato un exploit proof-of-concept tramite il programma bug bounty di Trend ZDI a Microsoft, che ha rifiutato di risolvere questa vulnerabilità con una patch di sicurezza.
Numero di campioni da gruppi APT che sfruttano ZDI-CAN-25373 (fonte TrendMicro)
La vulnerabilità, identificata come ZDI-CAN-25373, consente agli aggressori di eseguire comandi dannosi nascosti sui computer delle vittime sfruttando file di collegamento di Windows (.lnk) appositamente creati. Questa falla di sicurezza influisce sul modo in cui Windows visualizza il contenuto dei file di collegamento tramite la sua interfaccia utente. Quando gli utenti esaminano un file .lnk compromesso, Windows non riesce a visualizzare i comandi dannosi nascosti al suo interno, nascondendo di fatto il vero pericolo del file.

Ad oggi sono stati scoperti quasi 1.000 artefatti del file .LNK che sfruttano ZDI-CAN-25373, la maggior parte dei quali è collegata a Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi) e ScarCruft (Earth Manticore).

Degli 11 attori di minacce sponsorizzati dallo stato che sono stati scoperti ad abusare della falla, quasi la metà di loro proviene dalla Corea del Nord. Oltre a sfruttare la falla in vari momenti, la scoperta serve come indicazione di collaborazione incrociata tra i diversi cluster di minacce che operano all’interno dell’apparato informatico di Pyongyang.
Paesi di origine APT che hanno sfruttato ZDI-CAN-25373 (fonte TrendMicro)
Nello specifico, il bug comporta l’aggiunta degli argomenti con i caratteri di spazio (0x20), tabulazione orizzontale (0x09), avanzamento riga (0x0A), tabulazione verticale (\x0B), avanzamento pagina (\x0C) e ritorno a capo (0x0D) per eludere il rilevamento.

I dati di telemetria indicano che governi, enti privati, organizzazioni finanziarie, think tank, fornitori di servizi di telecomunicazione e agenzie militari/difesa situate negli Stati Uniti, in Canada, Russia, Corea del Sud, Vietnam e Brasile sono diventati i principali obiettivi degli attacchi che sfruttano questa vulnerabilità.

Negli attacchi analizzati da ZDI, i file .LNK fungono da veicolo di distribuzione per famiglie di malware note come Lumma Stealer, GuLoader e Remcos RAT, tra gli altri. Tra queste campagne, degna di nota è lo sfruttamento di ZDI-CAN-25373 da parte di Evil Corp.

Vale la pena notare che .LNK è tra le estensioni di file pericolose bloccate nei prodotti microsoft come Outlook, Word, Excel, PowerPoint e OneNote. Di conseguenza, il tentativo di aprire tali file scaricati dal Web avvia automaticamente un avviso di sicurezza che consiglia agli utenti di non aprire file da fonti sconosciute.

L'articolo 8 Anni di Sfruttamento! Il Bug 0day su Microsoft Windows Che Ha Alimentato 11 Gruppi APT proviene da il blog della sicurezza informatica.

Il panorama delle minacce ransomware è in costante evoluzione, con gruppi sempre più strutturati che adottano strategie sofisticate per massimizzare il profitto. VanHelsing è un nuovo attore che si sta posizionando nel mercato del Ransomware-as-a-Service (RaaS), un modello che consente anche a cybercriminali con competenze limitate di condurre attacchi avanzati grazie a una piattaforma automatizzata.

Dopo l’annuncio del 23 febbraio 2025 sul forum underground riguardante il programma di affiliazione VanHelsing RaaS, il gruppo ransomware ha ufficialmente pubblicato la prima possbile vittima sul proprio Data Leak Site (DLS).

A meno di un mese dal lancio, la comparsa della prima organizzazione colpita conferma che il gruppo ha iniziato ad operare attivamente. Sebbene il DLS sia ancora scarno, il debutto di una vittima suggerisce che gli affiliati stiano già distribuendo il ransomware e che il numero di attacchi potrebbe aumentare rapidamente.

VanHelsing RaaS: Un Programma Strutturato per gli Affiliati

L’annuncio del 23 febbraio ha rivelato dettagli significativi sul funzionamento del programma VanHelsing RaaS, che si distingue per una strategia di reclutamento selettivo e strumenti avanzati.

Punti chiave del programma di affiliazione:

• Ingresso su invito: gli affiliati con una reputazione consolidata nel cybercrime possono aderire gratuitamente.
• Quota di ingresso per nuovi affiliati: chi non ha una reputazione pregressa deve pagare $5.000 per accedere alla piattaforma.
• Strumenti avanzati: accesso a un pannello web, un sistema di chat privato, un locker per chiavi di cifratura, strumenti di esfiltrazione dati e funzionalità di attacco ransomware automatizzate.
• Revenue sharing: gli affiliati trattengono l’80% del riscatto, mentre VanHelsing trattiene il 20%.
• Escrow su blockchain: i fondi vengono rilasciati dopo due conferme, riducendo i rischi di frode tra affiliati e sviluppatori.
• Crittografia avanzata: utilizzo di protocolli di cifratura di alto livello per rendere il ransomware resiliente alle contromisure.
• Automazione completa: il ransomware è interamente gestito tramite il pannello di controllo, eliminando errori operativi e riducendo la necessità di intervento manuale.

La Prima Possibile Vittima Pubblicata sul DLS

La prima possibile organizzazione colpita da VanHelsing RaaS opera nel settore pubblico, con funzioni amministrative Questo suggerisce che il gruppo potrebbe prendere di mira enti governativi, municipalità o servizi pubblici, categorie spesso vulnerabili a ransomware.

L’attacco sembra seguire una strategia di doppia estorsione, con un countdown di 10 giorni prima della pubblicazione dei dati esfiltrati. Questo lascia intendere che il gruppo stia negoziando un riscatto con l’ente colpito, cercando di massimizzare il profitto prima di rendere pubbliche eventuali informazioni sensibili.

Anatomia del DLS

Al momento, il DLS di VanHelsing contiene una sola possibile vittima, il che potrebbe indicare diverse possibilità:

1. Il gruppo sta testando l’infrastruttura prima di pubblicare attacchi su larga scala.
2. Ci sono altre vittime in fase di negoziazione, che non sono ancora state elencate nel DLS.
3. Gli affiliati stanno ancora adottando il ransomware, e il numero di attacchi potrebbe aumentare esponenzialmente nelle prossime settimane.

L’esperienza con altri gruppi RaaS dimostra che il numero di vittime può crescere rapidamente man mano che nuovi cybercriminali iniziano ad utilizzare il servizio.

VanHelsing Chat: La Piattaforma di Comunicazione Privata

Un altro elemento distintivo di VanHelsing è la presenza di un portale di chat privato, accessibile solo tramite un Session ID. Questa piattaforma suggerisce che il gruppo gestisce direttamente le negoziazioni con le vittime e le comunicazioni con gli affiliati, senza affidarsi a strumenti pubblici come Telegram o forum underground.

L’adozione di una chat privata offre diversi vantaggi operativi:

• Maggiore sicurezza → Riduce il rischio di infiltrazioni da parte delle forze dell’ordine o di ricercatori di cybersecurity.
• Gestione diretta delle richieste di riscatto → Le vittime possono comunicare direttamente con il team di VanHelsing o con l’affiliato responsabile dell’attacco.
• Coordinamento degli affiliati → I membri del programma RaaS possono ricevere supporto tecnico e aggiornamenti operativi in tempo reale.

Questa infrastruttura è indicativa di un gruppo ransomware che punta a una gestione centralizzata e professionale degli attacchi, un elemento distintivo rispetto a operatori meno organizzati.

Conclusioni

L’emergere di VanHelsing RaaS rappresenta un’ulteriore evoluzione del modello ransomware, con un’infrastruttura altamente scalabile e strumenti avanzati per affiliati. La loro attenzione all’automazione e alla sicurezza operativa suggerisce che potremmo assistere a un aumento degli attacchi nei prossimi mesi, con impatti significativi su aziende e infrastrutture critiche.

L'articolo VanHelsing RaaS: Un Nuovo Modello di Ransomware-as-a-Service in Espansione proviene da il blog della sicurezza informatica.

Laser microphones have been around since the Cold War. Back in those days, they were a favorite tool of the KGB – allowing spies to listen in on what was being said in a room from a safe distance. This project by [SomethingAbtScience] resurrects that concept with a DIY build that any hacker worth their soldering iron can whip up on a modest budget. And let’s face it, few things are cooler than turning a distant window into a microphone.

At its core this hack shines a laser on a window, detects the reflected light, and picks up subtle vibrations caused by conversations inside the room. [SomethingAbtScience] uses an ordinary red laser (visible, because YouTube rules) and repurposes an amplifier circuit ripped from an old mic, swapping the capsule for a photodiode. The build is elegant in its simplicity, but what really makes it shine is the attention to detail: adding a polarizing filter to cut ambient noise and 3D printing a stabilized sensor mount. The output is still a bit noisy, but with some fine tuning – and perhaps a second sensor for differential analysis – there’s potential for crystal-clear audio reconstruction. Just don’t expect it to pass MI6 quality control.

While you probably won’t be spying on diplomats anytime soon, this project is a fascinating glimpse into a bygone era of physical surveillance. It’s also a reminder of how much can be accomplished with a laser pointer, some ingenuity, and the curiosity to see how far a signal can travel.

youtube.com/embed/EiVi8AjG4OY?…

hackaday.com/2025/03/18/spy-te…

Here’s the thing about coding. When you’re working on embedded projects, it’s quite easy to run into hardware limitations, and quite suddenly, too. You find yourself desperately trying to find a way to speed things up, only… there are no clock cycles to spare. It’s at this point that you might reach for the magic of direct memory access (DMA). [Larry] is here to advocate for its use.

DMA isn’t just for the embedded world; it was once a big deal on computers, too. It’s just rarer these days due to security concerns and all that. Whichever platform you’re on, though, it’s a valuable tool to have in your arsenal. As [Larry] explains, DMA is a great way to move data from memory location to memory location, or from memory to peripherals and back, without involving the CPU. Basically, a special subsystem handles trucking data from A to B while the CPU gets on with whatever other calculations it had to do. It’s often a little more complicated in practice, but that’s what [Larry] takes pleasure in explaining.

Indeed, back before I was a Hackaday writer, I was no stranger to DMA techniques myself—and I got my project published here! I put it to good use in speeding up an LCD library for the Arduino Due. It was the perfect application for DMA—my main code could handle updating the graphics buffer as needed, while the DMA subsystem handled trucking the buffer out to the LCD quicksmart.

If you’re struggling with updating a screen or LED strings, or you need to do something fancy with sound, DMA might just be the ticket. Meanwhile, if you’ve got your own speedy DMA tricks up your sleeve, don’t hesitate to let us know!

hackaday.com/2025/03/18/speedi…

Electricity can be a pretty handy tool when it stays within the bounds of its wiring. It’s largely responsible for our modern world and its applications are endless. When it’s not running in wires or electronics though, things can get much more complicated even for things that seem simple on the surface. For example, measuring moisture in soil seems straightforward, but corrosion presents immediate problems. To combat the problems with measuring things in the natural world with electricity, [David] built this capacitive soil moisture sensor which also has the benefit of using an extremely small amount of energy to operate.

The sensor is based on an STM32 microcontroller, in this case one specifically optimized for low-power applications. The other low-power key to this build is the small seven-segment e-ink display. The segments are oriented as horizontal lines, making this a great indicator for measuring a varying gradient of any type. The microcontroller only wakes up every 15 minutes, takes a measurement, and then updates the display before going back to sleep.

To solve the problem resistive moisture sensors have where they’re directly in contact with damp conditions and rapidly corrode, [David] is using a capacitive sensor instead which measures a changing capacitance as moisture changes. This allows the contacts to be much more isolated from the environment. The sensor has been up and running for a few months now with the coin cell driving the system still going strong and the house plants still alive and properly watered. Of course if you’re looking to take your houseplant game to the next level you could always build a hydroponics system which automates not only the watering of plants but everything else as well.

hackaday.com/2025/03/18/ultra-…

It’s 2025, and you’re still probably pressing modifier keys on your keyboard like a… regular person. But it doesn’t have to be this way! You could use foot pedals instead, as [Jan Herman] demonstrates.

Now, if you’re a diehard embedded engineer, you might be contemplating your favorite USB HID interface chip and how best to whip up a custom PCB for the job. But it doesn’t have to be that complicated! Instead, [Jan] goes for an old school hack—he simply ripped the guts out of an cheap USB keyboard. From there, he wired up a few of the matrix pads to 3.5 mm jack connectors, and put the whole lot in a little metal project box. Then, he hooked up a few foot pedal switches with 3.5 mm plugs to complete the project.

[Jan] has it set up so he can plug foot pedals in to whichever keys he needs at a given moment. For example, he can plug a foot pedal in to act as SPACE, ESC, CTRL, ENTER, SHIFT, ALT, or left or right arrow. It’s a neat way to make the project quickly reconfigurable for different productivity tasks. Plus, you can see what each pedal does at a glance, just based on how it’s plugged in.

It’s not an advanced hack, but it’s a satisfying one. We’ve seen some other great builds in this space before, too. If you’re cooking up your own keyboard productivity hacks, don’t hesitate to let us know!

hackaday.com/2025/03/18/a-foot…

Somewhere between the period of 1999 and 2007 a plague swept through the world, devastating lives and businesses. Identified by a scourge of electrolytic capacitors violently exploding or splurging their liquid electrolyte guts all over the PCB, it led to a lot of finger pointing and accusations of stolen electrolyte formulas. In a recent video by [Asianometry] this story is summarized.
Blown electrolytic capacitors. (Credit: Jens Both, Wikimedia)
The bad electrolyte in the faulty capacitors lacked a suitable depolarizer, which resulted in more gas being produced, ultimately leading to build-up of pressure and the capacitor ultimately failing in a way that could be rather benign if the scored top worked as vent, or violently if not.

Other critical elements in the electrolyte are passivators, to protect the aluminium against the electrolyte’s effects. Although often blamed on a single employee stealing an (incomplete) Rubycon electrolyte formula, the video questions this narrative, as the problem was too widespread.

More likely it coincided with the introduction of low-ESR electrolytic capacitors, along with computers becoming increasingly more power-hungry, and thus stressing the capacitors in a much warmer environment than in the early 1990s. Combine this with the presence of counterfeit capacitors in the market and the truth of what happened to cause the Capacitor Plague probably involves a bit from each column, a narrative that seems to be the general consensus.

youtube.com/embed/rSpzAVpnXo4?…

hackaday.com/2025/03/18/the-ca…

Let’s just kick things off in style with the fabulously brutalist Bayleaf wireless split from [StunningBreadfruit30], shall we? Be sure to check out the wonderful build log/information site as well for the full details.

Image by [StunningBreadfruit30] via redditHere’s the gist: this sexy split grid of beautiful multi-jet fusion (MJF) keycaps sits on top of Kailh PG1316S switches. The CNC-machined aluminium enclosure hides nice!nano boards with a sweet little dip in each one that really pull the keyboard together.

For the first serious custom build, [StunningBreadfruit30] wanted a polished look and finish, and to that I say wow, yes; good job, and nod enthusiastically as I’m sure you are. Believe it or not, [StunningBreadfruit30] came into this with no CAD skills at all. But it was an amazing learning experience overall, and an even better version is in the works.

I didn’t read the things. Is it open-source? It’s not, at least not at this time. But before you get too-too excited, remember that it cost $400 to build, and that doesn’t even count shipping or the tools that this project necessitated purchasing. However, [StunningBreadfruit30] says that it may be for sale in the future, although the design will have an improved sound profile and ergonomics. There’s actually a laundry list of ideas for the next iteration.

Apiaster Aims to Be the Beginner’s Endgame

That’s right — [Saixos]’ adjustable 50-key Apiaster is designed to be endgame right from the start, whether you’re just getting into the ergo side of the hobby, or are already deep in and are just now finding out about this keyboard. Sorry about that!

Image by [Saixos] via redditSo, it’s adjustable? Yes, in more ways than one. It can utilize either a single RP2040 Zero, or else one or multiple XIAO BLEs. The thumb cluster snaps off and can be moved wherever you like.

And [Saixos] didn’t stop there. In the magnificent repo, there’s a Python-generated case that’s highly customizable, plus MX and Choc versions of the PCB. Finally, Apiaster can use either LiPo batteries or a coin cell.

The other main crux of the biscuit here is price, and the Apiaster can be built for about $37 total minus shipping/customs/tariffs and/or tooling. That’s pretty darn good, especially if this really becomes your endgame.

The Centerfold: A ’90s Kid Works Here

Image by [nismology5] via redditAfter using a Durgod Taurus K320 rectangle for a number of years, [nismology5] decided to lean into ergo and acquired a Keychron Q8 with a knob and the Alice layout after falling in love with the look of GMK Panels keycaps and the Alice herself.

Perhaps the biggest change is going from clacky blues on the Taurus to silent and slinky reds. Who knows why such a drastic change, but [nismology5] is digging the smoothness and quietude underneath those GMK Panels clones from Ali.

Now, let’s talk about that sweet trackball. It’s a Clearly Superior Technologies (CST) KidTRAC with a pool ball swapped in. They are discontinued, sadly, but at least one was available as NOS on eBay. Not to worry — they are being produced by another company out of the UK and come in that sweet UNO Draw 4 Wild drip.

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Fox was Quite Fetching

The lovely Fox was named not for its primary inventor Glenn J. Barrett, but instead for company president William R. Fox. Although this may seem unfair, the Fox is a pretty great name for a good-looking typewriter.
Image via The Classic Typewriter Page
This nineteenth-century Fox appeared in 1898, shortly after it was patented and had a number of nice features, like a notably light touch. The carriage can be removed easily for cleaning and maintenance. And the machine had a “speed escapement”, which affects the carriage advancement timing. It could be set to advance either when a typebar returns to rest, or as soon as the typebar starts off for the platen.

The first Foxes were understroke machines, which is another term for blind writer, meaning that one must lift something out of the way to see what one had written as the typebars strike the platen from underneath. In the case of the Fox, one need only turn the platen slightly.

Frontstroke or ‘visible’ typewriters were coming into vogue already, so the company introduced a frontstroke machine in 1906. It had many of the same features as the blind-writing Foxen, such as the dual-speed escapement. A one- or two-color ribbon could be used, and the machine could be set to oscillate the ribbon so as not to waste the entire bottom half as most typewriters did. I’d like to see it set to oscillate with a two-color ribbon, that’s for sure!

To capitalize on the portable craze, they built the so-called “Baby Fox” in 1917. Corona found the resemblance to their own portables quite striking and successfully sued Fox. The company went out of business in 1921, possibly because of this litigation. Ah, well.

Finally, a Keyboard for Mice

Image by [RobertLobLaw2] via redditMuch like the fuzzy-bezeled cat keyboard from a few Keebins ago, [RobertLobLaw2]’s keyboard isn’t quite as cheesy as may first appear. For one thing, most of the legends are in this Swiss cheese-inspired font that’s a little bit hard to read, so you’d better have your QWERTY straight.

Probably the best thing about these delicious-looking 3D-printed keycaps are the cheese knife Backspace, Enter, and right Shift along with the novelties like the mousy Esc. Underneath all that fromage is a Keychron V6 Max with unknown switches.

[RobertLobLaw2] explains that cheese and keyboards have more in common than you think, as both hobbies use ‘pretentious adjectives to describe the sensory experience (of the hobby)’. Boy, if that isn’t the thocking truth. Should you require such a charcuter-key board for yourself, the files are freely available.

Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

hackaday.com/2025/03/18/keebin…

There’s something that kills coding speed—iteration time. If you can smash a function key and run your code, then watch it break, tweak, and smash it again—you’re working fast. But if you have to first compile your code, then plug your hardware in, burn it to the board, and so on… you’re wasting a lot of time. It’s that problem that inspired [Larry] to create an embedded system simulator to speed development time for simple projects.

The simulator is intended for emulating Arduino builds on iPhone and Mac hardware. For example, [Larry] shows off a demo on an old iPhone, which is simulating an ESP32 playing a GIF on a small LCD display. The build isn’t intended for timing-delicate stuff, nor anything involving advanced low-level peripherals or sleep routines and the like. For that, you’re better off with real hardware. But if you’re working on something like a user interface for a small embedded display, or just making minor tweaks to some code… you can understand why the the simulator might be a much faster way to work.

For now, [Larry] has kept the project closed source, as he’s found that it wouldn’t reasonably be possible for him to customize it for everyone’s unique hardware and use cases. Still, it’s a great example of how creating your own tools can ease your life as a developer. We’ve seen [Larry]’s great work around here before, like this speedy JPEG decoder library.

youtube.com/embed/j1ryXNiYefc?…

hackaday.com/2025/03/18/simula…

An Instruction Set Architecture (ISA) defines the software interface through which for example a central processor unit (CPU) is controlled. Unlike early computer systems which didn’t define a standard ISA as such, over time the compatibility and portability benefits of having a standard ISA became obvious. But of course the best part about standards is that there are so many of them, and thus every CPU manufacturer came up with their own.

Throughout the 1980s and 1990s, the number of mainstream ISAs dropped sharply as the computer industry coalesced around a few major ones in each type of application. Intel’s x86 won out on desktop and smaller servers while ARM proclaimed victory in low-power and portable devices, and for Big Iron you always had IBM’s Power ISA. Since we last covered the ISA Wars in 2019, quite a lot of things have changed, including Apple shifting its desktop systems to ARM from x86 with Apple Silicon and finally MIPS experiencing an afterlife in the form of LoongArch.

Meanwhile, six years after the aforementioned ISA Wars article in which newcomer RISC-V was covered, this ISA seems to have not made the splash some had expected. This raises questions about what we can expect from RISC-V and other ISAs in the future, as well as how relevant having different ISAs is when it comes to aspects like CPU performance and their microarchitecture.

RISC Everywhere

Unlike in the past when CPU microarchitectures were still rather in flux, these days they all seem to coalesce around a similar set of features, including out-of-order execution, prefetching, superscalar parallelism, speculative execution, branch prediction and multi-core designs. Most of the performance these days is gained from addressing specific bottlenecks and optimization for specific usage scenarios, which has resulted in such things like simultaneous multithreading (SMT) and various pipelining and instruction decoder designs.

CPUs today are almost all what in the olden days would have been called RISC (reduced instruction set computer) architectures, with a relatively small number of heavily optimized instructions. Using approaches like register renaming, CPUs can handle many simultaneous threads of execution, which for the software side that talks to the ISA is completely invisible. For the software, there is just the one register file, and unless something breaks the illusion, like when speculative execution has a bad day, each thread of execution is only aware of its own context and nothing else.

So if CPU microarchitectures have pretty much merged at this point, what difference does the ISA make?

Instruction Set Nitpicking

Within the world of ISA flamewars, the battle lines have currently mostly coalesced around topics like the pros and cons of delay slots, as well as those of compressed instructions, and setting status flags versus checking results in a branch. It is incredibly hard to compare ISAs in an apple-vs-apples fashion, as the underlying microarchitecture of a commercially available ARMv8-based CPU will differ from a similar x86_64- or RV64I- or RV64IMAC-based CPU. Here the highly modular nature of RISC-V adds significant complications as well.

If we look at where RISC-V is being used today in a commercial setting, it is primarily as simple embedded controllers where this modularity is an advantage, and compatibility with the zillion other possible RISC-V extension combinations is of no concern. Here, using RISC-V has an obvious advantage over in-house proprietary ISAs, due to the savings from outsourcing it to an open standard project. This is however also one of the major weaknesses of this ISA, as the lack of a fixed ISA along the pattern of ARMv8 and x86_64 makes tasks like supporting a Linux kernel for it much more complicated than it should be.

This has led Google to pull initial RISC-V support from Android due to the ballooning support complexity. Since every RISC-V-based CPU is only required to support the base integer instruction set, and so many things are left optional, from integer multiplication (M), atomics (A), bit manipulation (B), and beyond, all software targeting RISC-V has to explicitly test that the required instructions and functionality is present, or use a fallback.

Tempers are also running hot when it comes to RISC-V’s lack of integer overflow traps and carry instructions. As for whether compressed instructions are a good idea, the ARMv8 camp does not see any need for them, while the RISC-V camp is happy to defend them, and meanwhile x86_64 still happily uses double the number of instruction lengths courtesy of its CISC legacy, which would make x86_64 twice as bad or twice as good as RISC-V depending on who you ask.

Meanwhile an engineer with strong experience on the ARM side of things wrote a lengthy dissertation a while back on the pros and cons of these three ISAs. Their conclusion is that RISC-V is ‘minimalist to a fault’, with overlapping instructions and no condition codes or flags, instead requiring compare-and-branch instructions. This latter point cascades into a number of compromises, which is one of the major reasons why RISC-V is seen as problematic by many.

In summary, in lieu of clear advantages of RISC-V against fields where other ISAs are already established, its strong points seem to be mostly where its extreme modularity and lack of licensing requirements are seen as convincing arguments, which should not keep anyone from enjoying a good flame war now and then.

The China Angle

The Loongson 3A6000 (LS3A6000) CPU. (Credit: Geekerwan, Wikimedia)
Although everywhere that is not China has pretty much coalesced around the three ISAs already described, there are always exceptions. Unlike Russia’s ill-fated very-large-instruction-word Elbrus architecture, China’s CPU-related efforts have borne significantly more fruit. Starting with the Loongson CPUs, China’s home-grown microprocessor architecture scene began to take on real shape.

Originally these were MIPS-compatible CPUs. But starting with the 3A5000 in 2021, Chinese CPUs began to use the new LoongArch ISA. Described as being a ‘bit like MIPS or RISC-V’ in the Linux kernel documentation on this ISA, it features three variants, ranging from a reduced 32-bit version (LA32R) and standard 32-bit (LA32S) to a 64-bit version (LA64). In the current LS3A6000 CPU there are 16 cores with SMT support. In reviews these chips are shown to be rapidly catching up to modern x86_64 CPUs, including when it comes to overclocking.

Of course, these being China-only hardware, few Western reviewers have subjected the LS3A6000, or its upcoming successor the LS3A7000, to an independent test.

In addition to LoongArch, other Chinese companies are using RISC-V for their own microprocessors, such as SpacemiT, an AI-focused company, whose products also include more generic processors. This includes the K1 octa-core CPU which saw use in the MuseBook laptop. As with all commercial RISC-V-based cores out today, this is no speed monsters, and even the SiFive Premier P550 SoC gets soundly beaten by even a Raspberry Pi 4’s already rather long-in-the-tooth ARM-based SoC.

Perhaps the most successful use of RISC-V in China are the cores in Espressif’s popular ESP32-C range of MCUs, although here too they are the lower-end designs relative to the Xtensa Lx6 and Lx7 cores that power Espressif’s higher-end MCUs.

Considering all this, it wouldn’t be surprising if China’s ISA scene outside of embedded will feature mostly LoongArch, a lot of ARM, some x86_64 and a sprinkling of RISC-V to round it all out.

It’s All About The IP

The distinction between ISAs and microarchitecture can be clearly seen by contrasting Apple Silicon with other ARMv8-based CPUs. Although these all support a version of the same ARMv8 ISA, the magic sauce is in the intellectual property (IP) blocks that are integrated into the chip. These range from memory controllers, PCIe SerDes blocks, and integrated graphics (iGPU), to encryption and security features. Unless you are an Apple or Intel with your own GPU-solution, you will be licensing the iGPU block along with other IP blocks from IP vendors.

These IP blocks offer the benefit of being able to use off-the-shelf functionality with known performance characteristics, but they are also where much of the cost of a microprocessor design ends up going. Developing such functionality from scratch can pay for itself if you reuse the same blocks over and over like Apple or Qualcomm do. For a start-up hardware company this is one of the biggest investments, which is why they tend to license a fully manufacturable design from Arm.

The actual cost of the ISA in terms of licensing is effectively a rounding error, while the benefit of being able to leverage existing software and tooling is the main driver. This is why a new ISA like LoongArch may very well pose a real challenge to established ISAs in the long run, beacause it is being given a chance to develop in a very large market with guaranteed demand.

Spoiled For Choice

Meanwhile, the Power ISA is also freely available for anyone to use without licensing costs; the only major requirement is compliance with the Power ISA. The OpenPOWER Foundation is now also part of the Linux Foundation, with a range of IBM Power cores open sourced. These include the A2O core that’s based on the A2I core which powered the XBox 360 and Playstation 3’s Cell processor, as well as the Microwatt reference design that’s based on the much newer Power ISA 3.0.

Whatever your fancy is, and regardless of whether you’re just tinkering on a hobby or commercial project, it would seem that there is plenty of diversity in the ISA space to go around. Although it’s only human to pick a favorite and favor it, there’s something to be said for each ISA. Whether it’s a better teaching tool, more suitable for highly customized embedded designs, or simply because it runs decades worth of software without fuss, they all have their place.

hackaday.com/2025/03/18/checki…

Il ricercatore Yohanes Nugroho ha rilasciato uno strumento per decifrare i dati danneggiati dalla variante Linux del ransomware Akira. Lo strumento sfrutta la potenza della GPU per ottenere chiavi di decrittazione e sbloccare i file gratuitamente.

L’esperto ha affermato di aver trovato la soluzione dopo che un amico gli ha chiesto aiuto. Ha stimato che il sistema crittografato potrebbe essere violato in circa una settimana (in base al modo in cui Akira genera le chiavi di crittografia utilizzando i timestamp).

Alla fine, il progetto ha richiesto tre settimane per essere completato e il ricercatore ha dovuto spendere circa 1.200 dollari in risorse GPU necessarie per decifrare la chiave di crittografia. Ma alla fine il metodo ha funzionato.

Lo strumento di Nugroho è diverso dai tradizionali decryptor, in cui gli utenti forniscono una chiave per sbloccare i file. Al contrario, utilizza la forza bruta per ottenere chiavi di crittografia (uniche per ogni file), sfruttando il fatto che Akira genera chiavi di crittografia in base all’ora corrente (in nanosecondi) e la utilizza come seed.

Akira genera dinamicamente chiavi di crittografia univoche per ogni file utilizzando quattro diversi timestamp con una precisione al nanosecondo e ne esegue l’hashing utilizzando 1500 cicli di SHA-256.

Queste chiavi vengono crittografate utilizzando RSA-4096 e aggiunte alla fine di ogni file crittografato, rendendone difficile la decifratura senza la chiave privata. Il livello di precisione dei timestamp crea oltre un miliardo di possibili valori al secondo, rendendo difficili gli attacchi brute-force. Inoltre, Nugroho ha scoperto che la versione Linux del malware crittografa più file contemporaneamente utilizzando il multithreading, il che rende ancora più difficile determinare la marca temporale.

Il ricercatore ha ristretto i possibili timestamp dell’attacco brute force esaminando i log condivisi dal suo amico. Ciò ha permesso di rilevare il tempo di esecuzione del ransomware e i metadati del file hanno aiutato a stimare il tempo di completamento della crittografia.

I primi tentativi di hacking furono effettuati sulla RTX 3060 e si rivelarono troppo lenti: il limite era di soli 60 milioni di test al secondo. Nemmeno l’aggiornamento alla RTX 3090 ha aiutato molto.

Alla fine Nugroho si è rivolto ai servizi GPU cloud RunPod e Vast.ai, che hanno fornito potenza sufficiente e hanno contribuito a confermare l’efficacia dello strumento da lui creato. L’esperto ha utilizzato sedici RTX 4090 e ci sono volute circa 10 ore per forzare la chiave. Tuttavia, a seconda del numero di file crittografati da recuperare, questo processo potrebbe richiedere diversi giorni.

Tuttavia, il ricercatore fa notare che gli specialisti delle GPU possono chiaramente ottimizzare il suo codice, quindi le prestazioni possono probabilmente essere migliorate.

Nugroho ha già pubblicato il suo decryptor su GitHub, dove ha anche pubblicato istruzioni dettagliate su come recuperare i file Akira crittografati.

L'articolo Ogni tanto una gioia… anzi mezza! Scoperto un modo per decifrare Akira su server Linux proviene da il blog della sicurezza informatica.

GPS is an incredible piece of modern technology. Not only does it allow for locating objects precisely anywhere on the planet, but it also enables the turn-by-turn directions we take for granted these days — all without needing anything more than a radio receiver and some software to decode the signals constantly being sent down from space. [Chris] took that last bit bit as somewhat of a challenge and set off to write a software-defined GPS receiver from the ground up.

As GPS started as a military technology, the level of precision needed for things like turn-by-turn navigation wasn’t always available to civilians. The “coarse” positioning is only capable of accuracy within a few hundred meters so this legacy capability is the first thing that [Chris] tackles here. It is pretty fast, though, with the system able to resolve a location in 24 seconds from cold start and then displaying its information in a browser window. Everything in this build is done in Python as well, meaning that it’s a great starting point for investigating how GPS works and for building other projects from there.

The other thing that makes this project accessible is that the only other hardware needed besides a computer that runs Python is an RTL-SDR dongle. These inexpensive TV dongles ushered in a software-defined radio revolution about a decade ago when it was found that they could receive a wide array of radio signals beyond just TV.

hackaday.com/2025/03/18/writin…