In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.

The group is back to sending out archives containing malicious shortcuts that launch PowerShell scripts. This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802) to download and execute malicious code. We have observed the use of third-party public utilities (Tor/SSH/RevSocks) to gain a foothold in infected systems and create additional backup control channels.

Technical details

Initial infection

As for the primary compromise, Cloud Atlas remains consistent in using phishing. In the observed campaigns, the attackers emailed a ZIP archive containing an LNK file as an attachment.

Malware execution flow

Attackers use LNK shortcuts to covertly execute PowerShell scripts hosted on external resources. The command line of the shortcut:

Example of the PowerShell script downloaded and executed by the shortcut:

Example of the PowerShell script downloaded by the shortcut

Actions performed by the downloaded PowerShell:

Step	Action	Description
1	Drops “$temp\fixed.ps1”	Pre-staging: places the main payload locally in advance to ensure an execution capability independent of subsequent network connectivity or C2 availability.
2	Creates “Run” registry key “YandexBrowser_setup” for “$temp\fixed.ps1” startup	Early persistence: guarantees execution upon the next logon or reboot. If the script is interrupted during later stages, the payload will still activate automatically.
3	Downloads and drops “$temp\rar.zip” Extracts “*.pdf” from the downloaded “$temp\rar.zip”	Payload delivery: retrieves the decoy archive from the remote server to prepare user-facing content for the distraction phase.
4	Extracts “*.pdf” from the downloaded “$temp\rar.zip”	Decoy preparation: unpacks the legitimate-looking document so it can be executed silently without requiring user interaction.
6	Opens extracted decoy document “*.pdf” with user’s default software	User distraction: opens a convincing document to maintain user engagement and creates a legitimate workflow appearance to buy additional 30–120 seconds for background operations.
6	Executes “taskkill.exe /F /Im winrar.exe”	Process concealment: terminates the archive extractor to prevent the user from seeing the archive contents or noticing unexpected file extraction activity.
7	Searches and deletes “rar.zip”, “*.pdf.zip” and “*.pdf.lnk”	Anti-forensic cleanup: removes the initial infection artifacts before activating the main payload, reducing the number of disk traces available for incident response or EDR correlation.
8	Executes “$temp\fixed.ps1”	Controlled execution: launches the main payload only after persistence is secured, the user is distracted, and access traces are cleaned up.

Fixed.ps1 (loader)

The primary purpose of the Fixed.ps1 script is to deliver and install subsequent malware onto the compromised system, specifically VBCloud and PowerShower. Fixed.ps1 establishes persistence (by adding itself to registry Run keys), creates a decoy for the user (by opening a PDF document), and executes the next stages of the attack.

Fixed.ps1::Payload (VBCloud dropper)

Example of the fixed.ps1::Payload (VBCloud dropper)

This module functions as a dropper for the VBCloud backdoor. It drops two files onto the infected machine:

• video.vbs: the loader of the backdoor,VBCloud::Launcher. This is a VBScript that decrypts the contents of video.mds (typically using RC4 with a hardcoded key) and executes it in memory.
• video.mds: the encrypted body of the backdoor, VBCloud::Backdoor. This is the main module that connects to a C2 server to receive additional scripts or execute built-in commands. This backdoor is designed to function as a stealer, specifically targeting files with extensions of interest (such as DOC, PDF, XLS) and exfiltrating them.

Fixed.ps1::Payload (PowerShower)

This module installs a second backdoor called PowerShower on the system. We don’t have the specific script that performs this installation, but we assume it’s performed by a script similar to fixed.ps1::Payload (VBCloud dropper).

Unlike VBCloud, which focuses on file theft, PowerShower is primarily used for network reconnaissance and lateral movement within the victim’s infrastructure. PowerShower can perform the following tasks:

• Collect information about running processes, administrator groups, and domain controllers.
• Download and execute PowerShell scripts from the C2 server.
• Conduct “Kerberoasting” attacks (stealing password hashes of Active Directory accounts).

PowerShower is dropped onto the system via the path ‘C:\Users\[username]\Pictures\googleearth.ps1’.

Contents of the googleearth.ps1(PowerShower)

PowerShower::Payload (credential grabber)

PowerShower downloads an additional script for stealing credentials. It performs the following actions:

• Creates a Volume Shadow Copy of the C:\ drive.
• Copies the SAM (stores local user password hashes) and SECURITY system files from this shadow copy to C:\Users\Public\Documents\, disguising them as PDF files.
• The script is launched in several stages. To execute with high privileges, the script uses a UAC bypass technique via fodhelper.exe (a built-in Windows utility). This allows PowerShell to run as an administrator without directly prompting the user, which could otherwise raise suspicion.

The full launch chain looks like this:

The full Base64-decoded script is given below.

Multi-user RDP by patching termsrv.dll

Moving laterally across the victim’s network, the attackers executed a suspicious PowerShell script named rdp_new.ps1 (MD5 1A11B26DD0261EF27A112CE8B361C247):

The script is designed to allow multiple RDP sessions in Windows 10 by patching the termsrv.dll file. Termsrv.dll is the core Windows library that enforces Remote Desktop Services rules.

By default, Windows limits the number of simultaneous RDP sessions. Removing this restriction allows attackers to operate on the machine in the background without disconnecting the legitimate user, thereby reducing the likelihood of detection.

At first, the script enables RDP on the firewall and downgrades the RDP security settings:

Before modifying termsrv.dll, the script takes ownership and assigns itself full permissions. Then the script finds the sequence of bytes 39 81 3C 06 00 00 ?? ?? ?? ?? ?? ?? and replaces it with B8 00 01 00 00 89 81 38 06 00 00 90. After these manipulations, the script restarts the RDP service.

Example of script

The patched version allows multiple concurrent logins so attackers can stay connected without disrupting the legitimate user, thereby reducing suspicion.

Reverse SSH tunneling

As mentioned above, during this wave of attacks, the adversaries widely deployed reverse SSH tunnels to many hosts of interest. The compromised machine initiates an SSH connection to an attacker-controlled server, which allows attackers to bypass standard firewall rules via establishing outbound connections.

That way, even if the primary backdoor is discovered, the attackers can maintain control through the SSH tunnel.

To install a reverse SSH tunnel on a victim’s host, the attackers run VBS scripts via PAExec or PsExec.

We’ve seen three types of scripts:

• Gen.vbs (WriteToSchedulerGenerateKey.vbs) generates key for SSH tunnel.
• Run.vbs (WriteToSchedulerRunSSH.vbs) runs reverse SSH tunnel.
• Kill.vbs (WriteToSchedulerKillSSH.vbs) stops reverse SSH tunnel via taskkill.exe.

To achieve persistence, the attackers added a new scheduled task in Windows:

In some cases, before establishing a reverse SSH tunnel, attackers set new access permissions to the folder containing the private key to prevent the legitimate user or system administrators from easily accessing or modifying it:

Patched OpenSSH

Some OpenSSH binaries used by the attackers had their imports modified. Instead of libcrypto.dll, the SSH executable imports syruntime.dll, which was placed in the same folder as the binary. This was likely done to evade detection and ensure stealth.

In addition, we found a portable version of OpenSSH, presumably compiled by the adversaries:

RevSocks

In addition to Reverse SSH tunnels, the attackers installed RevSocks using the same infrastructure. RevSocks is an alternative tool to SSH for establishing tunnels and proxy connections, written in Golang. This tool allows direct connection to workstations on the local network. It also allows attackers to gain access to other segments of the victim’s network by using the machine as a gateway. In some cases, C2 addresses were hardcoded into the binary; in other cases, the C2 was passed in command line arguments.

There were also reverse SOCKS samples with hardcoded C2 addresses:

Tor tunneling

To maintain control over the compromised host, the Tor network was used in some cases. A minimal set of a Tor executable and configuration files, necessary for launching HiddenService, was copied to the system directories of infected devices. The name of the Tor Browser executable file was modified. As a result, the infected machine was accessible via RDP from the Tor network when accessing the generated .onion domain.
Below is an example of a configuration file for routing connections from Tor to RDP ports on the local network, as well as example command lines for logging into Tor.

Example of TOR configuration file

PowerCloud

We analyzed a new Cloud Atlas tool, PowerCloud. It collects user data with administrator privileges and writes this information to Google Sheets in Base64 format.

The tool represents an obfuscated PowerShell script. In most cases, it is packaged into an executable file using the PS2EXE utility, but we have also encountered variants in the form of a separate PowerShell script.

To find administrators on the victim host, the tool executes the following command:

This information is appended with the computer name and current date, the data is encoded in base64, and then the collected data is added to an existing Google Sheet.

PowerCloud script

Browser checker

Additionally, the attackers used another PowerShell script (MD5 5329F7BFF9D0D5DB28821B86C26D628F), compiled into an executable file via PS2EXE, which checks whether browser processes (Chrome, Edge, Firefox, and other) are running. This helps detect when the user is working on the computer. This can be used to choose the optimal time for conducting attacks (for example, when the user is away but their browser is still open) or simply to gather information about the victim’s habits.

The information about running browsers is written to a log file on the local host.

Fragment of the deobfuscated script

Victims

According to our telemetry, in late 2025 and early 2026, the identified targets of the described malicious activities are located in Russia and Belarus. The targeted industries mostly include government agencies and diplomatic entities.

We attribute the activity described in this report to the Cloud Atlas APT group with a high degree of confidence. The group used techniques and tools described previously, such as the initial access vector, the Python script for information gathering, and the Tor application for forwarding ports to the Tor network. The victim profile and geography also matches the Cloud Atlas targets.

We couldn’t help but notice some parallels with recent Head Mare activity. The PhantomHeart backdoor (available in Russian only), attributed to Head Mare and used to create an SSH tunnel, was placed in directories actively used by Cloud Atlas:

• C:\Windows\ime
• C:\Windows\System32\ime
• C:\Windows\pla
• C:\Windows\inf
• C:\Windows\migration
• C:\Windows\System32\timecontrolsvc
• C:\Windows\SKB

However, TTPs are still differentiated.

Conclusion

For more than ten years, the Cloud Atlas group has continued its activities and expanded its arsenal. Over the course of last year, many targeted campaigns in general were found to employ ReverseSocks, SSH and Tor, and the use of these utilities was no exception for Cloud Atlas. Creating such backup control channels using publicly available utilities significantly complicates the complete disruption of attackers’ actions on compromised systems. We will continue to closely monitor the group’s activity and describe their new tools and techniques.

Indicators of compromise

PowerCloud

7A95360B7E0EB5B107A3D231ABBC541A C:\Windows\wininet.exe
C0D1EAA15A2CEFBAB9735787575C8D8E C:\Windows\LiveKernelReports\update.exe
D5B38B252CF212A4A32763DE36732D40 C:\Windows\ime\imejp\dicts\i39884.exe
3C75CEDB1196DF5EAB91F31411ED4B33 C:\pla\reports.exe
42AC350BFBC5B4EB0FEDBA16C81919C7 C:\ProgramData\update_[redacted].exe
493B901D1B33EB577DB64AADD948F9CE C:\Windows\migration\wtr\MicrosoftBrowser.exe
2CABB721681455DAE1B6A26709DEF453 C:\Windows\pla\reports\winlog.exe
1B39E86EB772A0E40060B672B7F574F1 C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe
1D401D6E6FC0B00AAA2C65A0AC0CFD6B C:\Windows\setup\scripts\install\software\activation\aact\dfsvc.exe
40A562B8600F843B717BC5951B2E3C29 C:\Windows\branding\scat.exe
F721A76DEB28FD0B80D27FCE6B8F5016 C:\Windows\ime\imekr\dicts\dfsvc.exe
D3C8AFD22BAA306FF659DB1FAC28574A C:\ProgramData\update_[redacted].exe
6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe
C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe
9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe
63B6BE9AE8D8024A40B200CCCB438F1D C:\Windows\notepad.exe
6AA586BCC45CA2E92A4F0EF47E086FA1 C:\Windows\splwow32.exe
EBA3BCDB19A7E256BF8E2CC5B9C1CCA9 C:\Users\[redacted]\Desktop\soc\stant.exe
B4E183627B7399006C1BC47B3711E419 C:\WINDOWS\ime\service.exe
F56B31A4B47AD3365B18A7E922FBA1A8 dfsvc.exe
F6F62456FB0FCC396FB654CBED339BC3 –
25C8ED0511375DCA57EF136AC3FA0CCA C:\branding\dwmw.exe

Browser checker

5329F7BFF9D0D5DB28821B86C26D628F C:\ProgramData\checker_[redacted].exe

ReverseSocks

2B4BA4FACF8C299749771A3A4369782E C:\Windows\PLA\System\bounce.exe
C:\Windows\pla\print_status.exe
BA9CE06641067742F2AFC9691FAFF1DC C:\ProgramData\hp\client.exe
FB0F8027ACF1B1E47E07A63D8812ED50 C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe
BBF1FA694122E07635DEEAC11AD712F8 C:\Windows\System32\HostManagement.exe
F301AA3D62B5095EEC4D8E34201A4769 C:\Windows\ime\imejp\msfu.exe
F9C3BBE108566D1A6B070F9C5FB03160 C:\Windows\ime\imetc\help\IMTCEN14.exe

Malicious MS Office documents

369B75BDCDED16469EDE7AB8BEDCFAE1
9EAAE9491F6A50D6DF0BE393734A44CB
3E6E9DF00A764B348EC611EE8504ACA0
9BD788F285E32A05E6591D1EB36EBFFC
F42085522EC2EBB16EDCF814E7C330AD
2042EB5D52F0B535A1CE6B6F954C8C2B
2AA1E9765EF6B00B94A9B6BE0041436A
36120F5E9411BCBAC7104EF3FA964ED2
5000A353399500BC78381DC95B6ED2DC
579A9952D31CAD801A3988DBE7914CE7
867B634588C0FD6B26684D502C15AB03
38FA4306FA4406BA31CF171AF4D36E34
83EDDE9F7EEEFAC0363413972F35572B
CC751619BFEC0DC4607C17112B9E3B2C
A632858F14B36F03D0F213F5F5D6BFF2
097CA205AD9E3B72018750280904718C
69121C36EB8BF77962DCA825FCFFD873
C5702EB250F855C8C872FFFB9BB656ED
ED34F5A136FBA4FDEA976570FAA33ED7
0577DB70844E88B32B954906E2F20798
28ECF8FB6719E14231B94B4D37629B0E
0857C84B62289A1A9F29E19244E9A499
0C514E137860F489E3801213460EF938
50568B1F9335A7E3BA4E5DF035A8FB86
7F776AD200287D6DE14A29158C457179
51F7F794ED43FB90D0F8EBBB5EFFE628
B8C753DD254509FBA5077FFD5067EAB0
BC3739DEC8CD8F54F3F60A85F3ED600E
EC076CD21C483A40156F4E40D08DADED
216CB7F31D383C0DD892B284DF05A495
116F59E70A9DF97F4ADAEA71EECB1E9A
7242AC065B50BCDE9308756B49DBADCB
8158552950D2E13B075001CE0C52AA97
A75DBED984963B9AB21309C5B2F8FD9B
0320DD389FDBAB25D46792BD2817675E
5339D1A666F3E40FE756505CF1D87D4B
67D7E3AEEB673BF60C59361C12A4ED81
89572F0ED20791A5AC9FC4267D67CCB0
B6AAE073E7BFEBF4D643C2BBEB5C02E1
344CA9EA07CD4AC90EF27F8890D4EC05

Domains and IPs

Reverse SSH/Socks domains

tenkoff[.]org
cloudguide[.]in
goverru[.]com
kufar[.]org
ultimatecore[.]net
spbnews[.]net
onedrivesupport[.]net

Malicious and compromised domains used in MS Office documents

amerikastaj[.]com
bigbang[.]me
paleturquoise-dragonfly-364512.hostingersite[.]com
wizzifi[.]com
totallegacy[.]org
mamurjor[.]com
landscapeuganda[.]com
lafortunaitalian.co[.]uk
kommando[.]live
internationalcommoditiesllc[.]com
humanitas[.]si
fishingflytackle[.]com
firsai.tipshub[.]net
alnakhlah.com[.]sa
allgoodsdirect.com[.]au
agenciakharis.com[.]br

Powershell payload staging

istochnik[.]org
znews[.]neti
investika-club[.]com
194.102.104[.]207
46.17.45[.]56
46.17.45[.]49
46.17.44[.]125
46.17.44[.]212
185.22.154[.]73
194.87.196[.]163
195.58.49[.]9
93.125.114[.]193
93.125.114[.]57
45.87.219[.]116
37.228.129[.]224
185.53.179[.]136
185.126.239[.]77
5.181.21[.]75
146.70.53[.]171
45.15.65[.]134
185.250.181[.]207
81.30.105[.]71

File paths

VBS scripts

WriteToSchedulerKillSSH.vbs
Create_task_day.vbs
WriteToSchedulerGenerateKey.vbs
C:\Windows\INF\Run.vbs
c:\Windows\INF\install.vbs
Update.vbs
c:\Windows\PLA\System\Gen.vbs
C:\Windows\INF\GenK.vbs
c:\Windows\PLA\System\Kill.vbs
c:\Windows\PLA\System\Run.vbs

ssh.exe

c:\Windows\ime\imejp\Asset.exe
c:\Windows\PLA\System\conhosts.exe
c:\Windows\INF\BITS\esentprf.exe
c:\Windows\INF\MSDTC\RuntimeBrokers.exe
c:\Windows\inf\diagnostic.exe

ReverseSocks

C:\Windows\PLA\System\bounce.exe
C:\ProgramData\hp\client.exe
C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe

Tor client

C:\Windows\Resources\Update\Intel.exe
C:\Windows\INF\package.exe

securelist.com/cloud-atlas-202…

If you’ve played Cyberpunk 2077, you might have seen the rad jacket that has a screen in the collar. Once upon a time, such a thing would be solely the preserve of science fiction—you certainly wouldn’t be achieving that look with cathode ray tubes, that much is for sure. However, technology has advanced to the point where [Zibartas] was able to produce just such a jacket in real life.

The key to the build is the advent of the flexible OLED screen. [Zibartas] was able to source four such panels in a smartphone-like aspect ratio, which came in at the hefty price of $300 each. Two Raspberry Pi 4s were enlisted to drive two screens each. The older model Pi was chosen as it was capable of achieving a neat hack to better play smooth video across two displays. A rudimentary sync system was whipped up using GPIO pins to keep video from both Pis playing together. From there, it was simply a matter of figuring out how to create a structure to hold the screens within the large collar of the scratch built cyberpunk-styled jacket. As it turns out they don’t actually flex much in the final install, as they’re held in a 3D printed structure to keep them safe from damage.

The final result is quite something, very accurately recreating the jacket from the game itself. While technically a simple build, actually pulling it off required some delicate work and smart design decisions to make it practical to wear. We’ve featured some other fun jackets over the years, too.

youtube.com/embed/5UXCVEk83kE?…

hackaday.com/2026/05/22/jacket…

Nearly all modern PCBs are designed with the help of EDA software, but not all of them. [ALTco] shows us the process of plotting out a board the old-fashioned way — by hand.

Back in the day, drawing out the traces on a PCB lead to beautiful, smooth lines that [ALTco] wanted to imitate. But first, he needed to figure out how the rest of the fabrication process worked. He starts by just experimenting, both with the “resist” markers and paint, and the etching compound. Things rarely work first-try, and neither did his home-made etchant. So then it was time to buy some ferric chloride, the standard copper etchant for PBCs. A few more tests sorted out which permanent marker worked best.

[ALTco] starts by thoroughly cleaning a raw copper-clad board so the marker sticks properly, then draws the circuit for a little analog fan controller. The board is then laid in a bath of the etchant for several minutes while gently rocking it to keep the reaction going. Finally the board is taken out, etchant stored for re-use, and the board washed with water and then presumably IPA to remove the remaining marker. Some assembly of the newly-printed circuit board later and you have a cute little smoke absorber for your soldering projects.

youtube.com/embed/iJwyHakxCe4?…

hackaday.com/2026/05/21/making…

Do you want to go back to an era when Windows was… simpler? Back when things worked, before the AI and the bloat took over your hard drive and RAM space in equal measure? You might like to give Classic 7 a spin (via The Register).

From the drop, we should state that Classic 7 is not Windows 7 at all. Instead, it’s a reskin of Windows 10, specifically, the IoT Enterprise LTSC version. This is a particularly attractive version of Windows 10, as Microsoft has promised long-term support in terms of security updates until 2032. It also strips out annoying consumer-focused bloat like the Xbox gaming overlay and Cortana, and it eliminates forced feature updates that have become the norm in modern Windows installs. Combine all those niceties with the clean and simple feel of the recreated Windows 7 interface, and you have a beautiful operating system that has everything you need and nothing you don’t.

There are, of course, some hurdles to jump over; you’d need to find an appropriate license for this version of Windows and all that jazz. But if you long for the days before Microsoft so cruelly eviscerated the Start Menu and started making everything worse, you might find that Classic 7 is for you.

[Thanks to Stephen Walters for the tip!]

hackaday.com/2026/05/21/get-th…

Will your next project be a success? Only time will tell, but if you build [gokux]’s tiny ESP32 fortune cookie, we predict that, at the very least, there won’t be any crumbs involved.

After briefly entertaining the idea of shoving an ESP32 in a standard fortune cookie, [gokux] thought better of it and came up with this instead. Once shaken, this small gadget displays a fortune on its e-paper screen. It can store over 3,000 fortunes and works entirely offline, so you’re never without an oracle.

Inside you’ll find a Seeed Xiao ESP32-S3 Plus and a matching e-paper display board. [gokux] is detecting the shakes with an MPU-6050 accelerometer, and powers everything with a small Li-Po pouch.

If you tire of the fortunes that shake out, the small buttons on the left side will get you into the other modes, which are a dice roller and a coin flipper. Again, you just shake the thing until you get what you want. Be sure to check it out in the video after the break.

Want to know how an MPU-6050 works, and what it looks like under the hood? Yeah, we thought so.

youtube.com/embed/Mc15yoheJ4g?…

hackaday.com/2026/05/21/e-fort…

[Jankbu] needed a new computer, but had little interest in purchasing a modern laptop off the shelf. Instead, it was time to build a cyberdeck with a neat modular design to suit his exact needs.

The heart of the build is a Raspberry Pi 5, which provides a good amount of computing power for regular tasks. It’s wrapped up in a 3D-printed enclosure with rail mounts on the back, along with a NOS 450 TKL mechanical keyboard, offering full-travel keys in a compact layout. The 10.1″ IPS touchscreen display is mounted on sliding rails to cover the keyboard when it’s not needed. A smattering of buttons live around the screen, in a manner akin to so many industrial controllers. On either side, the deck has large grab handles, with one side featuring custom horizontal and vertical scroll controls, while the other rocks a trackball. Power is via NP-F batteries, which are more commonly used to run Sony camcorders.

Unlike so many cyberdecks, [Jankbu] didn’t just build the device to look cool—it also serves a practical purpose. It’s great for running Freecad, and the rail mounts on the rear make it perfect for mounting around the workshop during a job as needed. Files are on Github for those eager to learn more.

What’s fun about this build is that it’s not just a show piece, it’s something that gets used every day. That’s a testament to [Jankbu’s] well-reasoned design, that considered what the device was for before it was put together. We’ve featured plenty of other fantastic cyberdecks in the past, too. Video after the break.

youtube.com/embed/gIWp_F9PPzI?…

hackaday.com/2026/05/21/slidin…

Circa 2015 or so, it seemed like you couldn’t move a finger without being bombarded with ads and articles about ‘smart homes’ and the ‘internet of things’ — all of which would make our lives so much easier and more automated. Fast-forward a decade and this dream has mostly evaporated along with many of the players in the space. Why this happened is the topic of a recent video by [Caya].

An interesting bit of context that the video starts off with is that home automation really kicked off back in 1975, when the X10 protocol and related devices using power lines for signaling began being sold. These fully integrated solutions generally worked reasonably well, but what all changed when the IoT and ‘smart home’ craze kicked off and brought with it an explosion of new standards.

Over the past decade we have seen the concept of a ‘smart home’ collapse into a nightmare of abandoned IoT devices, subscription services, forced ads, privacy violations, and an increasingly more congested 2.4 GHz spectrum that everything from WiFi and Zigbee to Bluetooth and others ended up competing for, with a corresponding collapse in reliability of data transmissions.

As raised in the video, a big issue is that of the financial viability of running the remote services for a smart home solution, even if this is the part that should make it as plug-and-play as a 1990s-era smart home solution. To the average user setting up their own locally hosted smart home solution isn’t really a straightforward option.

Although at the end [Caya] demonstrates using Home Assistant (HA) as a locally hosted alternative, this is still not something that a non-techie will be able to set up or maintain. Even if you shell out a cool two-hundred clams for the Home Assistant Green plug-and-play hardware solution, the average person will be lost the second any of the prescribed steps in provided documentation do not work. Woe to whoever is the person who is ‘good with computers’ in those cases.

Ultimately another problem with ‘smart homes’ is that they’re really not that smart, as you can definitely set up all kinds of rules in HA and similar solutions, but this is more painstaking manual automation with all the excitement of programming PID controllers. Having an actual intelligence behind the system that could react to what’s happening would make it a far easier sell, yet which is where all the ‘smart assistants’ like Alexa keep falling flat.

Currently [Caya] has set up his HA-based lighting configuration to be used by OpenClaw ‘agentic AI’, as a way to add some actual ‘smarts’, but it’s telling that he hasn’t integrated the smart lock of his apartment into the system yet. Nobody wants to have the OpenClaw agent tell you that it ‘cannot open the front door’ for you, after all.

youtube.com/embed/dVM3fzPavMg?…

hackaday.com/2026/05/21/why-th…