Most people love window shades, but many dislike the tedium of having to open and close them over the course of each day. While there are automation options here, if you’re in a rental place like [Rooster Robotics], then you’d prefer something less intrusive, as well as less cloud-bound. This is basically why he opted to build his own solution from scratch to open and close roller shades via Home Assistant.

The comments to the video helpfully point out that technically his point about there not being commercial options with a forced remote account ‘feature’ is false, as the Aqara Roller Shade Driver E1 for example is just a regular Zigbee device which can be used with a wide range of home automation ecosystems. That said, it’s always nice to have your own device that you fully control.

Of course, these devices are deceptively simple, as you still have to somehow know how far open the curtain is, which is also useful if you just want to open the curtain a certain amount. The other issue is the need to have the motor parallel with the wall unless you enjoy having a big wart sticking out from the wall.

Solving the first issue was attempted with a Hall effect sensor, and the second with angled gearing. With some refinements this led to a functioning design, allowing the development of a custom PCB with an ESP32-S3 module for WiFi control. In the final design the Hall effect sensor and magnets were replaced with an AS5600 magnetic rotatory position sensor that requires just one magnet and offers a much higher resolution.

Currently the design files are not available, but [Rooster Robotics] has indicated that they are looking at open sourcing the files in the future.

youtube.com/embed/KTIXB88X1M8?…

hackaday.com/2026/05/14/automa…

If you own a modern smartphone, there’s an excellent chance that its battery has run dangerously low on you at least a few times. Murphy’s Law dictates that this will naturally occur at the worst possible moment, say when you need to make an important phone call or when you’re lost and need to navigate home.

With this in mind, it’s not hard to see how a product like the ChargeTab would have a certain appeal. A small $10 USD device that you can keep in the car or pack in a bag that’s always available to charge your phone in an emergency.

Because it’s not meant to be used regularly — indeed it may never get used at all — it’s not completely unreasonable that such a device would only be good for one or two charges before its spent and must be replaced. It’s a bit like keeping a road flare in the car; it’s unlikely you’ll ever use the thing, but if you do, it only needs to work once.

But then what? According to ChargeTab, once the gadget has depleted its internal ~3,000 mAh battery it cannot be recharged and is no longer usable. Now to be fair, they specifically tell you to not throw it in the trash. They’ll send you a free return label to ship it back to them, at which point it will be refurbished and put back into circulation. The company argues that this recycling program, combined with the fact that the batteries inside the ChargeTabs were supposedly diverted from landfills in the first place, makes their entire operation eco-friendly.

Yet here we have a pair of ChargeTabs that were thrown in the regular garbage and would have taken a one-way trip to the local landfill if it wasn’t for the fact that I habitually dig through garbage cans like a raccoon. So let’s take a look at what’s inside one of these emergency phone chargers and if the idea is as green as the company claims.

Paper, Not Plastic

If nothing else, the enclosure of the ChargeTab is pretty unique. As part of the whole eco-friendly shtick they have going on, the device is encased in a biodegradable paper shell. Usually I wouldn’t approve of a device that’s sealed up rather than put together with fastners, but it’s hard to complain when you can cut the thing open with a pair of scissors. Of course reassembly would be tricky, but clearly that’s not something they were concerned with.

As for the internals, there’s really not much going on. Just a chunky LiPo pouch battery and a thin PCB with an SOIC8 IC, an inductor, a couple of capacitors, and a single LED.

The battery is marked YL 104058, has a capacity of 2,900 mAh, and a date code of 2017. Somewhat surprisingly a close inspection of the IC shows that its markings are intact, identifying it as a HotChip HT4928S.

Chips Ahoy

Being able to positively identify a chip when taking a consumer gadget apart is great, but actually being able to look it up and find a proper datasheet is a real treat. Turns out that the HT4928S is a very popular IC commonly used in USB power banks. It’s a highly integrated solution that offers battery management as well as 5 V boost with only a few support components.

At first, I found this somewhat surprising. Given the unusual single-use nature of the ChargeTab, I had expected a more bespoke solution. But of course it makes perfect sense to use one of these power bank ICs. They can be had for pennies, and functionally, the device is pretty much a USB power bank anyway, it just doesn’t recharge.

Truth be told, the HT4928S seems like a pretty slick part to have around. It’s unusually hacker-friendly: the SOIC8 package is easy to work with, and compared to the venerable TP4056 you get integrated battery protection, not to mention 5 V boost. All for about $1 USD a piece in quantities of ~10. I plan on ordering a few to go into the parts bin for sure.

But wait…if this chip has a charge controller, why is the ChargeTab single-use? What about the design prevents the user from simply charging it up like any other USB power bank that uses the HT4928S?

A look at the application diagram from the datasheet shows that the HT4928S uses the same pin for both power input and output. That is, the same pin that puts out the boosted 5 V from the battery will also charge said battery if you apply power to it. In the old days, the input would have been a female USB-A port, but in the era of USB-C you could simply have a female port that does double duty.

But the ChargeTab only has a male USB-C connector. Technically you could plug that into something that’s providing power, but the HT4928S doesn’t talk USB Power Delivery and the PCB doesn’t have the necessary resistors to enable legacy mode.

Security Through Obscurity

The only differences between the application circuit and the PCB in the ChargeTab is the missing LED and USB port. So unless they are using some custom modified version of the HT4928S, it stands to reason that injecting 5 V into the male USB-C connector should flip the chip over to charging mode.

As mentioned previously, it won’t work with proper USB-C devices and cables. But through the magic of Amazon Prime, you can have all manner of shady adapters delivered to your door in just a few hours. So if we combine a USB-A to USB-C cable with a female-female USB-C coupler, we can stick 5 V where the ChargeTab least expects it. According to the HT4928S datasheet, a blinking LED will indicate the charging process has started.

Well, so much for that whole single-use thing.

Charging as a Service

So in the end, the only thing that’s keeping you from reusing the ChargeTab is a cheap USB-C coupler and an old cable. No return label, no sending it off to the mothership to get “refurbished.” It’s quite simply a USB power bank in a paper enclosure and with intentionally obtuse connectivity.

A devil’s advocate might argue that the recycling program makes it more likely the batteries inside the ChargeTabs will actually stay out of the waste stream compared to normal power banks. Rather than dropping them off in some random battery recycling box and having them go who knows where, the returned ChargeTabs are guaranteed to be put back into use properly. (On the other hand, I fished these out of the trash.)

But let’s be clear, this isn’t some benevolent initiative — the company ends up selling the recycled ChargeTabs again at full price. So if you really think about it, they are essentially just renting them out to the consumer. Is that a service worth $10? Regardless of how we might feel about it personally, the fact that these things are being sold would seem to indicate a not insignificant number of people feel it is.

All I know is that if you end up seeing one of these in the trash, you should definitely take it home and charge it up yourself.

Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout multiple phases of the group’s latest campaigns.

Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021. Our monitoring indicates various strategic updates to the group’s arsenal, including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language. This expanding set of tools underscores the group’s ongoing adaptation and evolution.

Specifically, Kimsuky leveraged legitimate VSCode tunneling mechanisms to establish persistence and distributed the open-source DWAgent remote monitoring and management tool for post-exploitation activities. These activities affected various sectors in South Korea, impacting both public and private entities.

This article covers both previously undocumented attacks and a deeper technical analysis of incidents within this campaign that have been reported before — offering new insight beyond what has already been published.

Executive summary

• Kimsuky obtains initial access to target systems by delivering spear-phishing emails containing malicious attachments disguised as documents. They also contact targets via messengers in some cases.
• Kimsuky uses a variety of droppers in different formats, such as JSE, PIF, SCR, EXE, etc.
• The droppers deliver malware mainly belonging to two big clusters: PebbleDash and AppleSeed. These clusters are considered the most technically advanced in the group’s toolset. The report covers the following PebbleDash malware: HelloDoor, httpMalice, MemLoad, httpTroy. It also covers AppleSeed and HappyDoor from AppleSeed cluster.
• For post-exploitation activities Kimsuky uses legitimate tools Visual Studio Code (VSCode) and DWAgent. For VSCode, the attacker uses GitHub authentication method.
• For hosting C2 infrastructure the group mainly uses domains registered at a free South Korean hosting provider. It also occasionally relies on hacked South Korean websites and tunneling tools, such as Ngrok or VSCode.
• Kimsuky mainly targets South Korean entities. However, PebbleDash attacks were also seen in Brazil and Germany. This malware cluster focuses on defense sector, while AppleSeed most often targets government organizations.

Background

First identified by Kaspersky in 2013, Kimsuky has been active for over 10 years and is considered less technically proficient compared to other Korean-speaking APT groups. The group has targeted a wide range of entities and demonstrated capability in creating tailored spear-phishing emails. The group’s arsenal includes proprietary malware such as PebbleDash, BabyShark, AppleSeed, and RandomQuery, as well as open-source RATs like xRAT, XenoRAT, and TutRAT. This blog post examines the evolving PebbleDash-based malware (referred to as the PebbleDash cluster) and its connections to the AppleSeed-based malware (referred to as the AppleSeed cluster).

The PebbleDash and AppleSeed clusters are considered the most technically advanced in Kimsuky’s toolset. Since at least 2019, these clusters have masqueraded as legitimate documents and application installers, manifesting as JSE droppers or executables with .EXE, .SCR and .PIF extensions. Both are particularly adept at establishing backdoors and stealing information, and ongoing development of their variants has been observed. They even occasionally utilize stolen legitimate certificates from South Korean organizations to avoid detection.

Timeline of the AppleSeed and PebbleDash malware families

AppleSeed and PebbleDash have primarily targeted the public and private sectors in South Korea. The PebbleDash cluster has shown a particular interest in the medical, military and defense industries worldwide. The PebbleDash cluster compromised Brazilian and South Korean defense organizations throughout the past several years, as well as a German defense firm. In 2024, the South Korean government released a security advisory regarding the AppleSeed cluster, detailing how the malware was distributed by replacing a security software installer required to access a construction entity’s website.

Initial access

Kimsuky meticulously crafts and delivers spear-phishing emails to its targets in an attempt to entice them into opening attachments. According to recent research, the group also occasionally approaches targets by contacting them via messengers. In all cases, the initial contact leads to the delivery of a malicious attachment disguised as a document. These attachments often consist of compressed files containing droppers in formats such as .JSE, .EXE, .PIF, or .SCR. The filenames are consistent with the message content and are meant to convince the recipient to open the attachment. The malicious files are often disguised as product quotations, job offers, information guides, surveys, government documents, and personal photos.

Here are some recently discovered examples:

JSE droppers contain a minimum of two Base64-encoded blobs: one serving as a benign lure file and one or more containing malicious code. Additional blobs may exist within the dropper, but they are unused. The two blobs are decoded using JScript and stored in an arbitrary location on disk, such as C:\ProgramData, with the malicious filenames randomly generated according to the scheme [random]{7}.[random]{4}. The lure file is opened immediately. The malicious payload leverages powershell.exe -windowstyle hidden certutil -decode [src path] [dst path] for the second Base64 decoding before execution. Ultimately, the malicious payload is executed via command-line instructions such as regsvr32.exe /s [file path] or rundll32.exe [file path] [export function].

Reger Dropper (.SCR) and Pidoc Dropper (.PIF) also contain benign lure files and malicious payloads that, in both cases, are encrypted using XOR operations. Specifically, Reger Dropper employs a hard-coded key #RsfsetraW#@EsfesgsgAJOPj4eml;, while Pidoc Dropper utilizes single-byte XOR with 0xFF to decrypt the internal data for execution. Pidoc Dropper is fully obfuscated using dummy data and encrypted strings. Both droppers deploy files in specific directories such as %temp% or C:\ProgramData before executing the malware using regsvr32.exe.

In addition to these droppers, Kimsuky employed a variety of executable droppers, including those crafted in Go or packaged with Inno Setup.

Deployed malware

In this section, we describe several malware families recently dropped by the droppers discussed above.

HelloDoor: first Rust-based PebbleDash variant

Written in Rust, a programming language rarely used by Kimsuky, HelloDoor is a DLL-based backdoor first identified in August 2025. It is deployed via a malicious JSE dropper. Since it has limited capabilities and a simplistic communication mechanism, the backdoor is most probably in the early stages of development. Nevertheless, it is noteworthy that HelloDoor employs a C2 server hosted through TryCloudflare, a temporary tunneling service provided by Cloudflare. This service allows users to expose a local web service to the internet with no setup or account, making the infrastructure behind it difficult to trace.

HelloDoor establishes persistence upon execution by registering itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key with the value name tdll and the command regsvr32.exe /s [current file path].

The implant communicates with the C2 server (hxxp://female-disorder-beta-metropolitan.trycloudflare[.]com/index.php) over the HTTP protocol. Depending on whether the process is executing with an elevated token, it binds to a specific local port: 5555 if the token is elevated, or 5554 if not. Before initiating communication, it generates a unique identifier by collecting device information, such as the MAC address, computer name, and the string “windows”, then computes a hash value from this information.

The malware then constructs a query string in the format aaaaaaaaaa=2&bbbbbbbbbb=[the unique identifier]&cccccccccc=1, which is a traditional format used across the PebbleDash cluster. Subsequent server responses are Base64-decoded and then decrypted using RC4 with the key fwr3errsettwererfs. The decrypted content contains command strings. Possible commands are:

Though interesting, it is no longer surprising that we found comments in the code that appear to have been generated by an LLM service rather than a human developer. This is based on traces that include emojis used for logging debugging messages.
✅ Port is now listening (no accepting)
❌ Port is already in use
🔍 regsvr32.exe detected as parent. Attempting to terminate...
This is a common trait of LLM services that provides users with better visibility. We previously observed similar comments in the PowerShell-based stealer suite used by BlueNoroff. HelloDoor’s simple structure and the fact that no other Rust-based malware from the group has been discovered yet support our claim.

Even though the code is believed to have been developed using an LLM service, we still found some typos and grammatical errors, such as:

• result send fail (grammatically incorrect text)
• server request fail (grammatically incorrect text)
• command execute failed (grammatically incorrect text)
• decrytion failed (typos)
• autorum failed (typos)

It is likely that the flawed comments were added manually before or after AI was used.

httpMalice: latest backdoor variant of PebbleDash

The latest PebbleDash-based backdoor, httpMalice, emerged no later than December 2025 and is deployed by the JSE Dropper. Although we found limited direct connections to both the AppleSeed and PebbleDash clusters, the malware is closer to PebbleDash. The following shared characteristics have been identified:

• (PebbleDash cluster) Ability to run commands received from the C2 server with the S-1-12-12288 SID, indicating a high integrity level – a feature also observed in PebbleDash and httpTroy.
• (PebbleDash cluster) Unique identifier generated by combining the volume serial number of the root directory with the elevation status of the current token, mirroring a technique used since the appearance of NikiDoor.
• (PebbleDash cluster) Communication with its C2 server utilizing three HTTP parameters, consistent with other PebbleDash-based families.
• (PebbleDash cluster) Core command set more closely aligned with PebbleDash than with AppleSeed-based malware.
• (AppleSeed cluster) Use of the m= parameter in C2 communication.
• (AppleSeed cluster) Gathering system details using PowerShell and Windows commands similar to those found in AppleSeed and Troll Stealer.

Our analysis revealed two distinct versions of httpMalice based on their C2 communications: version 1.9 communicates over HTTP and version 1.8 uses Dropbox. The latter, the older variant, leverages the Dropbox API by utilizing pre-defined application credentials. Unlike its predecessor, the HTTP variant employs HTTP/HTTPS protocols to interact with its C2 server and maintains persistent access to the victim device through a Windows service named CacheDB. This mirrors tactics observed in similar threats, such as httpSpy.

The more recent variant gathers critical information from the compromised system, such as the current directory path, volume serial numbers, user privileges, username, local IP address, and the name and size of the currently executed httpMalice DLL file. It then combines the root drive’s volume serial number with the user’s access token privilege level to create a unique identifier for each infected system, formatted as [volume serial]{8}_[elevation status].

Depending on the token privilege, the backdoor then establishes persistence by either creating a service or registering itself to autostart at user logon. If the token is elevated, a service named CacheDB is created that executes the command cmd.exe /c “rundll32.exe [current DLL path], load”. The service’s display name is set to Administrator, and its description is defined as CacheDB Service. If the token is not elevated, the backdoor registers the same command under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name Everything 1.9a-[filesize]. The older version used Everything 1.8a-[filesize] as a value name.

The latest version can execute a combination of Windows commands by default to perform host profiling, while the older version fetches the command set from Dropbox. In httpMalice, commands are mostly executed using the format cmd.exe /c chcp 949 [command] > [temporary filename], which redirects the output to separate files, with the consistent prefix 2Ato6478s added to their names. The chcp 949 command changes the code page to 949, indicating that the malware targets users of the Korean language (EUC-KR charset).

Windows commands used to gather system details

httpMalice transmits the result of host profiling to its C2 server as a URL parameter, using the POST method over the HTTP/HTTPS protocol, with the header x-www-form-urlencoded. The URL includes two or three parameters: operation mode, unique identifier (referred to as UID), and data. The operation mode, or parameter m, supports the following values:

As shown in the table above, the mode is set to 13 at the host profiling stage. The UID is formatted as [volume serial]{8}_[elevation status], and the data contains the ChaCha20-encrypted and Base64-encoded output of the command set stored in the temporary file. The resulting URL format is: m=13&u=[volume serial]{8}_[elevation status]&d=[Chacha20 encrypted + Base64-encoded data to be sent].

The key and nonce used for ChaCha20 encryption are derived from the pointer address of the buffer, resulting in nearly randomized keys. To ensure proper decryption on the attacker side, the nonce and key values are appended after the encrypted data, and the combined blob is then Base64-encoded. The counter is initialized to 0. The following figure illustrates how the encrypted data is structured after performing Base64 decoding.

Structure of the ChaCha20-encrypted data blob

After sending the host profiling data, the backdoor continuously transmits a screen capture with mode 12 and a ping message with mode 11. Finally, it sends a session identifier, which is a combination of the current username and local IP address separated by an ‘@’ symbol. In this case, the mode is set to 1 and the a parameter (current state) is set to 0, indicating that the C2 operation has been activated. The following table provides other possible values of the a parameter:

The whole process from sending the host profile to the backdoor activation repeats every two minutes until the C2 server returns a “success!” message.

C2 communication sequence of httpMalice

When the backdoor receives the message from the C2 server, it creates two threads dedicated to processing commands and sending the current state, including the session identifier. The first thread receives a command from the C2 server. It requests a command by sending mode 2 and, if successful, immediately sends mode 10 along with the string “.cmd” in the d parameter.

The commands supported by httpMalice are as follows:

MemLoad downloads httpTroy

Since early 2025, we have observed several versions of MemLoad; specifically, MemLoad V2 emerged in March, and V3 appeared by September. The payload that began being deployed through the Reger Dropper this year has been identified as an updated variant of MemLoad, slightly modified from the V3 version (referred to internally as MemLoader.dll).

Kimsuky leverages MemLoad to evade detection of its final backdoor and to carefully assess the value of targeted systems through anti-VM checks and reconnaissance. Upon installation, it requests an additional payload from the C2 server, executing it reflectively in memory if deemed suitable. Notably, all versions of MemLoad V2 and later use the same RC4 key.

Below are the key operations of MemLoad:

1. Creates a flag file. Creates a file containing a random eight-character string from the set 0123456789abcdefABCDEF with another random eight-character string as the name and “.dat.cfg” extension at the current file path.
2. Generates an ID. Generates an ID value by adding either ‘A-‘ or ‘U-‘ to the beginning of the random bytes. The choice of symbol is determined by attempting to create a random file in the C:\Windows\system32 directory. If successful, the ID starts with ‘A-‘ (indicating administrative privileges); otherwise, it starts with ‘U-‘.
3. Persistence via a scheduled task. Checks for the existence of the .dat.cfg file, and if confirmed, a scheduled task is set up for persistence. The task name is determined by whether the process is running with elevated privileges. If elevated, the task is named ChromeCheck, and the command schtasks/create/tn<task name>/tr"regsvr32 /s <current file path>"/sc minute/mo1/rl highest/f is executed. Otherwise, the task is named EdgeCheck, and the command schtasks/create/tn<task name>/tr"regsvr32 /s <current file path>"/sc minute/mo1/f is executed.
4. C2 communication and payload download. Requests an additional payload from its C2 server, with the header Authorization: Bearer {ID} or X-Browser-Validation: {ID} for authentication. The ID is set to the previously generated ID value.
5. Payload decryption and execution. Once the download is successful, the payload is decrypted using the RC4 algorithm with the key #RsfsetraW#@EsfesgsgAJOPj4eml;. The decrypted payload is then reflectively loaded into memory, and its hello export function is invoked.

The payload downloaded and executed by MemLoad is identified as the httpTroy backdoor. This backdoor serves as the primary role for long-term access and data exfiltration. Similar to MemLoad, it employs stealth techniques by creating a flag file and writing eight random bytes to it. However, in this case the file is created at [current file path]:HUI in the ADS (Alternative Data Stream) area. The backdoor then checks its privileges to determine if it is elevated and assigns an ID value in the format A-[random-8-chars] or U-[random-8-chars].

Since Gen Digital covers httpTroy’s features and functionality in detail elsewhere, we will not provide a thorough explanation here to avoid redundancy. Instead, we will simply note that it communicates with the C2 server at hxxps://file.bigcloud.n-e[.]kr/index.php.

AppleSeed

AppleSeed first appeared in 2019 and reached version 3.0. However, we now only see version 2.1. It originally consisted of two components: a dropper and the main AppleSeed. Since 2022, the updated AppleSeed chain has involved two droppers, an additional component referred to as the installer, and the main payload. It is mostly delivered through JSE Dropper.

Updated AppleSeed infection chain

There are two versions of the main AppleSeed: Dropper and Spy. The Dropper variant is responsible for downloading additional malware and executing commands received from its C2 server, while the Spy version gathers sensitive information such as documents, screenshots, keystrokes, and lists of USB drives. A notable change in version 2.1 is the inclusion, since 2022, of collecting the C:\GPKI directory – functionality that is also implemented in Troll Stealer. This directory contains a digital certificate used by the South Korean government to securely authenticate public officials and government systems.

HappyDoor

HappyDoor, an AppleSeed-based backdoor malware disclosed by AhnLab in 2024, is less visible than AppleSeed. HappyDoor shares several features with AppleSeed, including the same string obfuscation algorithm, the data types it collects, and the use of RSA encryption. Given these similarities, we assess with medium confidence that HappyDoor is an advanced variant evolved from AppleSeed.

Post-exploitation

We observed interesting post-exploitation activities involving VSCode and DWAgent. All of the observed VSCode droppers used the same lure files as the PebbleDash malware cluster. While we are unsure of the exact reason for this strategy, we suspect that the actor prepared both PebbleDash and VSCode droppers in anticipation of the PebbleDash infection chain being detected by security products because of its backdoor capabilities. In contrast, the use of VSCode is designed to have fewer detection points.

VSCode (launched by the JSE dropper)

Since last year, Kimsuky has been leveraging the legitimate Visual Studio Code Remote Tunneling feature to establish covert remote access to the victim’s device, bypassing detection designed for traditional malware-based C2 channels (first described by Darktrace researchers). In these attacks, instead of dropping malware, the JSE dropper downloads a legitimate Visual Studio Code (VSCode) CLI onto the infected device. The script establishes persistence by creating a tunnel via the application, with the tunnel name “bizeugene”, using the command below.

The Remote Tunneling feature in VSCode supports establishing a tunnel using either a Microsoft or GitHub account. When the code tunnel command is executed, the CLI initiates an authentication flow and returns a login URL along with a device code. The user must then navigate to the URL, enter the device code, and authenticate with their account. Once authentication is successful, the tunnel is created and the CLI outputs a URL for tunneling that enables browser-based access to the remote host.

The GitHub authentication method is selected in this instance because GitHub is configured as the default provider in non-interactive execution contexts. By using echo |, the script injects a \r\n (Carriage Return and Line Feed) into the standard input stream, effectively confirming the default prompt selection without manual interaction. As a result, the CLI automatically initiates the GitHub authentication flow. Next, all CLI output that includes a login URL and a device code is saved to out.txt.

Out.txt content

The JScript code in the JSE dropper monitors the out.txt file for a URL that begins with hxxps://vscode[.]dev/tunnel. This URL contains the full address of the established tunnel. Once detected, the file content containing the URL and the device code is sent to a compromised legitimate South Korean website (hxxps://www.yespp.co[.]kr/common/include/code/out[.]php) using the HTTP POST method. The request contains the file contents in the application/x-www-form-urlencoded header data formatted as out=URLencoded{result of the command}&token=URLencoded{"bizeugene"}. After authentication is complete, the attacker can access the compromised host externally through a web browser by authenticating with their own GitHub account.

VSCode (launched by VSCode installer)

While searching our telemetry for artifacts related to a different infection, we identified a new VSCode tunnel installer written in Go. A previous version of this installer was implemented using JScript and was limited to secure channels because of its reliance on a specific tunnel name. The new variant, named vscode_payload by the developer based on the embedded Go path, is fully operational and supports every tunnel on each targeted device. It includes features that are nearly identical to those of the previous version, such as downloading, unarchiving, and executing the VSCode CLI.

After the VSCode CLI file has been successfully downloaded, it is unzipped into the C:\Users\Public directory, and the extracted code.exe is executed with the tunnel command.

This is how the installer works:

1. Executes code.exe tunnel.
2. Searches for the “Microsoft Account” string in the stdout.
3. Sends the 0x1B 0x5B 0x42 (Down Arrow) and 0x0A (Enter) escape sequence to the pseudo-terminal, which enables tunnel creation via a GitHub account.
4. Searches for the “use code” string in the stdout.
5. Sends the printed code for authentication, prepended with the “hxxps://github[.]com/login/device” => prefix. The attacker authorizes Visual Studio Code with the logged-in GitHub account using the printed code.
6. Searches for the “What would you like to call this machine?” string in the stdout.
7. Sends the 0x0A escape sequence to the pseudo-terminal to use the current machine name as the identifier.
8. Searches for the “vscode.dev/tunnel/” string in the stdout.
9. Sends the printed URL for tunneling to the Slack WebHook.

The following figure illustrates the sequence for creating a tunnel using the VSCode CLI. Red boxes highlight the strings that the installer searches for. Yellow boxes indicate standard input operations sent from the installer using escape sequences. Sky blue boxes represent the values that are necessary to create the tunnel on the attacker’s side. (The “Microsoft Account” string in the second step is not shown in this figure because the second “GitHub Account” was already selected during the process.)

Creating a tunnel using VSCode CLI

Once the process is complete, the attacker can access the targeted host through the tunnel on their remote machine using their GitHub account via a browser or VSCode. The targeted device then begins communicating with Microsoft-owned servers without the user realizing that the communication is from an attacker.

An interesting feature of this variant is that it sends debugging messages and necessary values to a Slack channel via a WebHook. Upon execution, it sends "[strong]+++ I am started +++"[/strong], as well as a heartbeat message "[strong]~~~ I am alive ~~~"[/strong] approximately every second during tunneling authentication.

DWAgent

DWAgent is a remote administration tool that is frequently exploited by threat actors, including ransomware and APT groups, to easily access compromised endpoints with minimal risk of detection. Kimsuky is one of the threat actors that uses this tool in its operations.

We observed that the group delivered DWAgent in at least two ways. The first involved delivering a compressed file containing DWAgent, along with separate commands, to a host infected with httpMalice for installation. The second method involved creating a separate installer.

This installer is very similar to the Reger Dropper. It uses the same RC4 key and has a similar code structure. It includes an archived binary and a legitimate unrar.exe binary, both encrypted with RC4. When executed, the installer decrypts the archived binary and saves it as 1.zip in the C:\ProgramData directory. It also creates an unrar.exe file in the same location using the decrypted unrar.exe binary. The dropper then uses the command C:\programdata\unrar.exe x C:\programdata\1.zip C:\programdata\ to extract the contents of the ZIP file. Finally, it executes the commands necessary to install DWService as a service on the target host:

• c:\programdata\dwagent\native\dwagsvc.exe installService
• c:\programdata\dwagent\native\dwagsvc.exe startService

The compressed file contains a pre-packaged, ready-to-use DWAgent, as well as a predefined config file. The actor deployed the agent with a config.json file linked to their own account to covertly control the device. As a result, the remote session is immediately activated by the above command, granting the attacker control.

The predefined config file is as follows. Note that the servers are legitimate DWAgent relay servers.
{
"enabled": true,
"key": "kDRNGmWGTMpjQmREgQzU",
"listen_port": 7950,
"nodes": [
{
"id": "ND896147",
"port": "443",
"server": "node896147.dwservice[.]net"
},
{
"id": "ND828765",
"port": "443",
"server": "node828765.dwservice[.]net"
},
{
"id": "ND484265",
"port": "443",
"server": "node484265.dwservice[.]net"
}
],
"password": "eJwrynEqD0r294twTXLKCHWqDPLPCql0Kg/JDqpIdk4HAKYMCso=",
"url_primary": "hxxps://www.dwservice[.]net/"
}

Infrastructure

For years, Kimsuky has relied heavily on the South Korea-based free domain hosting service 내도메인[.]한국 (pronounced as “naedomain[.]hankook) to mimic legitimate sites with domains like .p-e.kr, .o-r.kr, .n-e.kr, .r-e.kr, and .kro.kr. This service has been utilized to create C2 servers for PebbleDash and AppleSeed clusters, and the background infrastructures have been mostly resolved to the virtual private servers belonging to InterServer. It has also been noted that many other malicious actors have exploited this free domain hosting service, so it alone cannot be considered proof of a connection to Kimsuky.

The actor also occasionally exploits South Korean websites as C2 servers to evade network-IoC-based detection and increase the success rate of attacks. Furthermore, they actively leverage tunneling services such as Cloudflare Quick Tunnels, VSCode Tunneling, and Ngrok to hide their infrastructure. These traits are mostly observed across the PebbleDash cluster.

Victims

We identified multiple infection logs uploaded to the Dropbox storage used for httpMalice’s C2 server. They were analyzed as having been stolen from infected systems across various organizations or individuals in South Korea. Notably, each victim’s folder contained a user.txt file with detailed information such as target details, the presence of something named “http” (possibly a backdoor, such as httpTroy or httpMalice), DWAgent existence, and relationships between infected devices and targets. While we could not verify the exact creation process of these files, they were likely created manually by attackers to manage victims using Korean words.

Below you can see an example of this type of file content. In this context, “장악” means “take over” and “있음” means “exists”.
[Target's name] [Description] [Infection date] 장악, http 있음, DWService 있음.
While both clusters have mainly focused on targeting the private and public sectors in South Korea, the AppleSeed malware cluster shows more interest in government entities. The PebbleDash cluster has also shown particular interest in the defense sector worldwide.

Attribution

Over the past few years, we have observed two clusters using overlapping distribution methods – JSE, EXE, SCR, and PIF droppers. The targets are also increasingly aligning. Furthermore, we noted that several samples from both malware clusters were signed with the same stolen certificate and used identical mutex patterns. These findings suggest that a single actor is likely controlling both clusters and has the capability to modify code as needed. This concept was also described in another research paper at the Virus Bulletin conference.

Since its emergence, AppleSeed has been linked to Kimsuky operations, with each variant showing ties to the group. Since 2021, PebbleDash has been found exclusively in Kimsuky attacks. Based on our analysis of targets, infrastructure, and malware characteristics, we assess with medium-high confidence that attacks associated with these malware families are conducted by Kimsuky-affiliated clusters.

These two clusters share technical links to the threat actor known as Ruby Sleet, one of the names Microsoft uses for Kimsuky activity. In previous reports, Mandiant also referred to these clusters as Cerium, but now they appear to consider them part of the broader APT43 designation – another name for Kimsuky.

Conclusion

Our analysis shows that the actor retains access to the original source code of the malware clusters and the ability to modify it. Over time, malware undergoes updates and modifications, sometimes being repurposed or reused by other actors. Although analyzing malware may seem repetitive and time-consuming, understanding how these tools evolve helps us grasp the threat actor’s changing tactics.

Two clusters have overlapping target sectors that span the defense, military, government, medical, machinery, and energy industries. The AppleSeed cluster is shifting its focus to data exfiltration, and GPKI certificate extraction has become a signature capability. Meanwhile, the PebbleDash cluster demonstrates advanced remote control capabilities and an expanding set of targets.

Although AI may offer full automation for some attacks, many groups stick with the tools and strategies they have used for years. Structuring a fully automated attack is not trivial. Despite ongoing changes, we will continue to track advanced threat actors by comprehensively considering malware, initial vectors, targets, post-exploitation activities, and ultimate goals.

Indicators of compromise

File hashes

JSE Dropper
995a0a49ae4b244928b3f67e2bfd7a6e [별지 제8호서식] 개인정보(열람 정정삭제 처리정지) 요구서(개인정보 보호법 시행규칙).hwp.jse
52f1ff082e981cbdfd1f045c6021c63f 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류.hwpx.jse
9fe43e08c8f446554340f972dac8a68c 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse
8e15c4d4f71bdd9dbc48cd2cabc87806 노현정님.pdf.jse

Reger Dropper
65fc9f06de5603e2c1af9b4f288bb22c security_20260126.scr
c19aeaedbbfc4e029f7e9bdface495b9 secu.scr

Pidoc Dropper
8983ffa6da23e0b99ccc58c17b9788c7 대국민서비스관리운영체계_현장점검_증적(초안).pif

AppleSeed (Dropper)
a7f0a18ac87e982d6f32f7a715e12532
f4465403f9693939fe9c439f0ab33610
5c373c2116ab4a615e622f577e22e9be

HappyDoor
d1ec20144c83bba921243e72c517da5e

MemLoad
58ac2f65e335922be3f60e57099dc8a3
f73ba062116ea9f37d072aa41c7f5108 jhsakqvv.dat

httpTroy
7e0825019d0de0c1c4a1673f94043ddb c:\programdata\config.db

httpMalice
08160acf08fccecde7b34090db18b321
94faed9af49c98a89c8acc55e97276c9

HelloDoor
c42ae004badddd3017adadbdd1421e00

VSCode Tunnel installer
9ca5f93a732f404bbb2cee848f5bbda0 xipbkmaw.exe

DWAgent installer
678fb1a87af525c33ba2492552d5c0e2

Domains and IPs

opedromos1.r-e[.]kr C2 of AppleSeed
morames.r-e[.]kr C2 of AppleSeed
load.ssangyongcne.o-r[.]kr C2 of MemLoad
load.yju.o-r[.]kr C2 of MemLoad
attach.docucloud.o-r[.]kr C2 of MemLoad
load.supershop.o-r[.]kr C2 of MemLoad
load.erasecloud.n-e[.]kr C2 of MemLoad

cms.spaceyou.o-r[.]kr C2 of HappyDoor
erp.spaceme.p-e[.]kr C2 of HappyDoor

file.bigcloud.n-e[.]kr C2 of httpTroy
load.auraria[.]org C2 of httpTroy

female-disorder-beta-metropolitan.trycloudflare[.]com C2 of HelloDoor
hxxps://www.pyrotech.co[.]kr/common/include/tech/default.php C2 of httpMalice
hxxp://newjo-imd[.]com/common/include/library/default.php C2 of httpMalice
hxxps://www.yespp.co[.]kr/common/include/code/out.php VSCode Tunneling using JScript

securelist.com/kimsuky-applese…

The world of open source — and in particular open source licenses — is something we cover regularly here at Hackaday with respect to hardware and software, but it’s not so often we find open source data stories. Today’s case of the open British address data then is a bit of an outlier, but it may have implications for open source data further than British counties.

UK government data is released under the Open Government Licence, which is why we Brits can peer into all sorts of datasets our taxes paid for. This includes data from local government, so English counties release data sets of local addresses as part of their auditing of council taxes under the licence.
This is a picture of Barbra Streisand, the patron saint of unintended consequences.
[Owen Boswarva] has been collating these databases in order to produce a national open source address database, but has found himself at the receiving end of a legal threat from the Ordnance Survey, the UK mapping agency. They claim the data is theirs, not open.

British address data is in a sense open to all, in that there’s nothing to stop anyone walking down Acacia Avenue and noting the position of Number 1, Number 2, Number 3, and so on. This is what happened with OpenStreetMap worldwide, as people with GPS devices contributed their data and mapped the UK and everywhere else. The Ordnance Survey used to have a nice little earner charging top dollar for UK geospatial data which has been slashed by the arrival of OpenStreetMap, and we’re guessing that the prospect of losing another income stream to an open source equivalent has them worried.

The question of whether the councils should have released the data is one which will no doubt be settled at some point by the courts, and [Owen] goes into some detail on the subject in his analysis. There’s a good case to be made that the mapping agency are pushing it a little, but whatever the outcome it could set a dangerous precedent for open source data. We’ll keep you posted if there’s more on this story.

British street: Bill Harrison, CC BY-SA 2.0

Barbra Streisand: Unknown author, Public domain

hackaday.com/2026/05/14/britis…

[Mellow_Labs] picked up a few LiDAR matrix sensors and found them very exciting. While a normal time-of-flight sensor can accurately determine a range, the matrix sensor is like an array of 64 sensors that can build a 2D map of distances from 2 cm to 3.5 m. [Mellow] wanted to add the sensor to his robot to help it see what was in front of it. You can see how it worked out in the video below.

The robot in question is Zippy, a 3D printed tank-like robot with an ESP32. By default, the robot requires control inputs, but using the sensor will enable autonomous operation. For good or ill, the sensor mounted to Zippy was seeing the floor with about half of the rows. That means about 50% of the data went to waste. However, we think having a robot be able to see the floor in front of it might be a good thing.

[Mellow] used an LLM to write most of the code, so there were a number of iterations required to get things working. This required decimating even more of the data from the sensor. Still, pretty impressive.

Want to learn more about ToF sensors? Or if you want to focus on the practical, there’s code you can borrow.

youtube.com/embed/FyJQ0Z0wMtk?…

hackaday.com/2026/05/14/lidar-…

Fire arrow versus the recreated fire dart. (Credit: Tod’s Workshop, YouTube)
The Mary Rose was a carrack in the English Tudor Navy of King Henry VIII that fought in multiple battles during the 16th century before it was sunk in 1545. After its wreck was located in 1971 and raised in 1982 the ship and all the items contained within the partially preserved hull became the focus of intense study. Among these items are the weaponry found, including the canons, but also massive darts that seemed to have been designed for an incendiary payload. Recently [Tod’s Workshop] collaborated with others to test these presumed incendiary darts.

Although fire arrows have been around for a while, seeing what appears to be super-sized versions of these is somewhat unusual, but could make sense in taking out enemy ships of the time. The main questions are how you would even fire them, and how effective they would be. Were the darts thrown by hand from e.g. the crow’s nest, or fired from a canon?

The reproduction darts used are based on the recovered remnants of the original darts, with an incendiary mixture inside a pitch-covered cloth covering. This mixture would be ignited by wooden fuses after a set amount of time, at which point the resulting fire would be basically impossible to put out. Obviously, this also means that if you were to throw one of these darts, it can absolutely not fall onto your own ship.

First tested was throwing the dart by hand, which seems like it would clear the ship. Of course, the three recovered darts were found near a rather special canon that appeared to be both a miscast and angled upwards. Whether that canon was used for launching apparently somewhat experimental darts is hard to say, but it can be tested. Sadly, lacking a full-sized black powder canon a scale model dart was fired using compressed air.

From that scale test it’s clear that at full charge the dart would disintegrate due to the rapid acceleration, but a ‘soft’, or reduced, charge could work against nearby targets. Once the dart lodges itself into the enemy ship’s structure, it would definitely cause severe damage as further tests in the video demonstrate. Having a salvo of these fire darts fired at you from a nearby ship would definitely make for a pretty bad day.

youtube.com/embed/_c6LyEH8RD8?…

hackaday.com/2026/05/13/testin…

If you’ve watched a Saturn V launch, you’ve probably seen how a large rocket will often jettison a stage on the way up. There are several reasons for this — there is no reason to haul an empty fuel container, for example. However, you can probably imagine how the separation works. You release something — probably explosive bolts — and gravity pulls the old stage away from you as you climb on the next stage’s engines. But what about on the way back? The command module drops the service module before reentry. [Apollo11Space] has a video explaining just how complicated that was to pull off. You can watch it below.

The main problem? The service module has almost everything you need: oxygen, a big engine, fuel, and electrical generation capability. If you’ve ever seen a real command module, they are tiny. Somehow, you need to get the command module prepared to be on its own for the amount of time it takes to land, and get the service module safely away.

In orbit, gravity isn’t a big help in pulling the two pieces apart. For that reason, the mission design called for a very specific orientation for the separation. There are a number of other details you might not have known about.

Landing Apollo 11 successfully depended on some spy tech. We imagine the separation of the LEM had some similar issues, although even the moon’s weak gravity would have helped.

youtube.com/embed/jcC0ddrI2zQ?…

hackaday.com/2026/05/13/how-di…

If you’ve been interested in FreeCAD but haven’t known where to start, here’s a wonderful video tutorial for FreeCAD 1.1 by [Deltahedra] aimed squarely at how to model a 3D part from scratch while also following best engineering practices for part design. It focuses on a concise and meaningful workflow that respects your time and doesn’t make assumptions about skill level. It even starts by taking a few moments to explain how to navigate the interface, a courtesy many will appreciate.

FreeCAD can do quite a lot, so a tutorial that focuses on a specific yet broadly-applicable task with a clear context is a great way to narrow the scope into something manageable, and be comprehensive without getting bogged down in minutiae. [Deltahedra] does this by exclusively using the part design workbench, demonstrating what to do to make a part step-by-step, and showing common mistakes that can happen and how to fix them if they occur. Beyond that, it’s left up to the curious hacker to delve for themselves into what else FreeCAD has to offer.

Since 1.1 is (at this writing) the latest stable release, one can also be confident that the tutorial will match the user interface and features one sees on their own screen. After all, it can be frustrating to attempt to follow a tutorial only to find out things are a few versions behind and nothing is where one expects it to be.

Best practices aren’t just fussy rules about how to do things, and [Deltahedra] demonstrates this by showing how certain procedures just plain make more sense when designing shapes. Our own Arya Voronova has also shared best practices for FreeCAD, so check that out for some added perspective. You’ll be wielding FreeCAD in confidence and comfort in no time.

Thanks for the tip, [Vik Olliver]!

youtube.com/embed/KmtqNaGPiiQ?…

hackaday.com/2026/05/13/freeca…

As time marches on, the retro gaming community gets more and more access to older systems. This is partially a product of modern computing having much more power to emulate more demanding systems, but also because many in the community have spent more time with their favorite systems. Such is the case for [tschicki] who has spent considerable time and effort reverse engineering the Playstation 2 to come up with this custom mainboard for a handheld version that still uses some of the original chips from the console.

This Playstation 2 handheld console is designed almost completely from the ground up, not just including the impressive main board but also its modernized features, including USB power delivery handled by an RP2040, digital video output, support for modern storage media like SD cards, a customized boot ROM, and upgraded audio. The DualShock 2 controller is also implemented within the handheld, and the case itself is designed to be 3D printed. It’s an impressive effort which preserves the original feel of the console without relying too much on ancient hardware for everything.

Before jumping in to building one yourself, though, [tschicki] cautions that this project is not for the faint of heart, as it requires some specilized tools and a high degree of skill, but for those still wishing to attempt this build all of the instructions are available on the project site. For such a popular console it’s no surprise we’ve seen plenty of other handheld PS2s before, from this one which uses an original PS2 mainboard to this one we featured way back in 2010.

Thanks to [raz] for the tip!

hackaday.com/2026/05/13/custom…

Along with Velcro, zippers have become an integral part of every day life, being a quick and easy way to usually temporarily join fabric together. Which isn’t to say that you cannot do more with the basic zipper concept, including using them to turn floppy 2D shapes into rigid 3D ones, such as with the Y-zipper concept proposed and demonstrated by [Jiaji Li] et al.

Although not a fully new idea, the Y-zipper is compared with a range of similar mechanisms that do not feature the same abilities, including the standard zipper ease of zipping up, the possibility of having curved geometry and automatic actuation.

Plus there is that the Y-zipper is designed from the start to be 3Dprinted, while still following the same basic pattern of interlocking teeth that the slider mechanism alternately pushes together or pulls apart.

By modifying the basic straight design of the flat strips, the resulting zipped-up form can take on a distinct bend, as well as turn into a coil or a screw. With a demonstrated joint design it is then possible to join multiple Y-zipper rods together, which could make for an interesting alternative to traditional pop-up tent supports, for example.

Also demonstrated is the use of TPU to create compliant bridges, as well as the direct integration of fabric, to show the versatility of the technology. With the used materials (PLA, TPU) the researchers estimate a maximum viable length of about 3 meters before the printed structures begin to disintegrate.

hackaday.com/2026/05/13/y-zipp…

You’ve probably seen a Foucault pendulum in a museum. This Victorian-era science demonstration is named after physicist Léon Foucault and shows how the Earth rotates compared to a pendulum moving in a fixed plane. [RyanCreates] shows you how you can make your own, and it is surprisingly simple.

All you need is a heavy weight like a small mushroom anchor, fishing line, and a swivel — all things you can pick up at any sporting goods store. You’ll need a way to suspend it all, such as an eye hook in the ceiling.

In addition to the mechanical parts, the build calls for a camera to record the results and a lighter or other source of flame. The reason? To release the pendulum, you burn a thread that prevents it from swinging. This allows for a clean release with no sideways force.

The amount of your rotation depends on your latitude. At 33 degrees north, for example, you can expect 360*sin(33)/24 or 8.17 degrees per hour of rotation. [Ryan] measured a somewhat larger number, which was probably due to an error source, especially since he is measuring the angle using captured camera frames in Photoshop. That has to introduce some error, and small pendulums like this are incredibly sensitive to errors.

If you try it and find the source of the error, we’re sure [Ryan] would love to hear from you. Museum pieces are typically much larger, have ultra-low-friction pivots, and use electromagnets to keep the pendulum moving since, after all, even a Foucault pendulum can’t run forever.

hackaday.com/2026/05/13/measur…

Originally envisioned as a simple DIY laptop project, [kati]’s PinkPad V1 ended up being considerably more involved than expected. But the end result is a perfectly usable, stunningly pink, and remarkably sturdy portable laptop that looks nothing like a hack job.
Originally a VTech toy, the PinkPad is a perfectly functional DIY laptop.
The PinkPad V1 started as a toy laptop for toddlers, repurposed into a DIY laptop running Linux while keeping the original clamshell design and cute aesthetic. As [kati] herself points out, while it may not seem particularly difficult to yank out a toy’s insides and stuff it with a Raspberry Pi, most of the real challenges were related to actually getting all the necessary parts and connectors and wiring to actually fit in a useful way. As anyone with experience in building something knows, working around existing enclosures or hardware almost always brings unexpected challenges.

The original toy laptop? Produced by none other than VTech, whose products have been hacked to create things like a punch card-reading cyberdeck and Z80 hacking station. Our own [Tom Nardi] has also shared his fondness for these devices in several teardowns over the years.

In the end, [kati]’s PinkPad ended up sporting a mini keyboard (whose black keys were turned pink with a little nail polish) and a 5 inch touchscreen LCD. Combined with a rechargeable power supply, it provides all the comforts of an Arch Linux ARM mini laptop.

Thanks [alex] for the tip!

hackaday.com/2026/05/13/vtech-…

It’s possible that among Hackaday readers are the largest community of people who have designed their own CPU in the world. We have featured many here, but it’s possible that not so many of them have gone on to power an everyday project. Step forward [Baltazar Studios] then, with a scientific calculator sporting a self-designed CPU on an FPGA.

The calculator itself is nice enough, with a smart 3D printed case, an OLED display which almost evokes a VFD, and very well made buttons. But it’s the CPU which is of most interest, because while it follows a conventional Harvard architecture with a 12-bit instruction set, it works with 4-bit nibbles. This choice follows one used by HP in their calculator designs, seemingly because it can be optimised for the binary coded decimal which the calculator uses.

With calculators being yet another app on our spartphones or comnputers, there seems to be less use of calculators outside of education in 2026. But if you are a calculator user there’s nothing like a calculator you made yourself, and with a CPU of your own design it has few equals. We like this project almost as much as we like the Flapulator!

hackaday.com/2026/05/13/build-…

The Hindenburg disaster recently marked its 89th anniversary, and [The History Guy] marked the event with a video that dispels many of the myths surrounding the airship. Example: the disaster did not actually occur on the airship’s maiden voyage. That isn’t true. The ship was on its 63rd voyage. However, it was the first flight of the 1937 season.

The giant ship burned because of the hydrogen gas inside, but the cause of the fire remains debatable and was likely not solely due to hydrogen. In fact, from a technical standpoint, the ship didn’t explode. It only burned.

Some of the myths are just from sloppy reporting or the tendency of people to misunderstand things. Others are a blurring in the common consciousness of the Hindenburg and the Titanic.

It is easy to think of the necessity for safe engineering when you are building, say, a bomb or a spacecraft. But anything capable of wreaking havoc requires careful design and testing. However, ships like the Hindenburg had made many trips without incident. Sure, the Hindenburg was a spectacle, but even the fatality rate was fairly low. Many of those who died jumped to the ground — they might have survived if they had waited a minute.

There are many myths around [Herb Morrison]’s famous “Oh the humanity!” report. We’ve noted before that it was played back at the wrong speed for decades. Airships have a stranger history than you might imagine.

youtube.com/embed/2KxbATAhBiU?…

hackaday.com/2026/05/12/the-tr…

Arbitrary command execution with the Wi-Fi password. (Credit: Benn Jordan)
Continuing on his quest to expose the dark underbelly of modern technology, [Benn Jordan] recently did a deep-dive into the rise of so-called robot dogs. Although their most striking resemblance with biological dogs is that they also have four legs and generally follow commands, [Benn] found many issues with them that range from safety issues due to limited sensory capabilities, to basic security vulnerabilities, all the way to suspicious network traffic from Unitree’s robot dog firmware.

Although not the only seller of this type of quadruped robot, Unitree Robotics has made a name for itself by offering very capable and yet very cheap products. Their basic quadruped robot costs only a few thousand clams and features Lidar and heaps of processing power, all of which should make it a pretty useful device.

Despite this, [Benn] found that the original task that he’d envisioned for the robot, as in protecting his chickens from uninvited visitors, wouldn’t quite work as the robot is rather blind. The reason for this is the placement of the Lidar below the head, which obscures most of what’s behind and around the robot. Rather than risk trampled chickens and chicks, this plan was thus abandoned.

When digging further into the robot, he found an easy to exploit arbitrary command execution flaw via the Wi-Fi password entry field, a year-old CVE-2025-2894 exploit, as well as highly suspicious traffic to Chinese servers whenever the robot’s software figured that it was not being watched.

Although much of this can be circumvented with hacks, issues like the sensory limitations and general distrust of firmware updates makes using these robots a rather daunting and often ill-advised proposition.

youtube.com/embed/lA8WuXDXfcI?…

hackaday.com/2026/05/12/the-da…

In the search for more exciting broken electronics to repair, [Hugh Jeffreys] bought a GoPro Hero 10 for US$100 with an apparently rather common issue of no camera input, along with a cracked display. This particular camera issue is rather obvious, with just darkness where the camera’s input should appear on the display. Since [Hugh] already needed a spare display, he figured that he might as well get an even more broken GoPro Hero 10 for parts.

Another US$40 later, [Hugh] found himself the proud owner of a second GoPro, this one being water damaged and no longer turning on. Getting to the internals requires removing the glued-in display, which is even trickier than with a smartphone. By inserting a thin blade, adding solvents and not prying, you can slowly work it loose.

With two disassembled GoPros it was now possible to swap modules. After a factory reset and firmware update had failed to fix the first GoPro, the camera module from the donor unit was inserted, but this made no difference. Amusingly, after cleaning the water-damaged unit’s PCBs, it was found to be in good working condition, so ultimately the second GoPro was repaired, leaving the ‘no camera input’ issue undiagnosed.

It’s possible that a board-level repair on the first unit can address the original issue, but without schematics this would likely entail a lot of blindly poking around, in the hope of finding a damaged MLCC or other obvious fault. There is also the possibility that this is a firmware issue, with some reporting luck mashing the report button, but others disagree.

Since [Hugh] did do the firmware reset and updating steps, and even inserted a whole new working camera module, it would seem to narrow the problem down to a board-level issue. Whatever the case may be, it’s a frustrating issue with a rather expensive device.

youtube.com/embed/R1fHld9Nwww?…

hackaday.com/2026/05/12/trying…

Aside from nostalgia, people claim to like CRTs because they’re apprehendable– the technology just makes more sense than the arcane wibbly-wobbly solid-state madness going on inside the driver chip of your new OLED. CRTs weren’t the first technology used to display moving images though, and their mechanical forebears were even easier to understand. For that reason we suppose it was only a matter of time before one of The Youths– in this case a British YouTuber by the name of [smill]–tried gaming on a mechanical television display.

The game in question was Minecraft— because of course it was, that’s the new generation’s DOOM–and the mechanical TV in question is not a priceless 1920s antique but a commercial kit that reproduces [John Logie Baird]s 1925 televisor. If you’re not familiar, it uses a flat disk– called a Nipkow disk after its inventor– with a series of holes in a spiral to demodulate a single lamp’s brightness variations into monochrome image made of scan-lines. As you might imagine, the resolution depends both on the size of the disk and its speed, so with a tabletop example you’re not going to get much– in this case, 32 holes for 32 lines. At least they’re not interlaced this time.

Getting a video signal from the computer to the LED in the televisor kit was the hard part of the hack. Aside from actually playing on the diminutive monochrome display, that is. There is a “video2NBTV” tool that can do the job, as the Narrow Band TV signal used by amateur radio enthusiasts still has the compatible timing values and modulation as what the televisor kit uses. We suspect that’s because the Televisor people used the modern NBTV standard as a starting point for their electronics, since [Baird]’s device reportedly ran 30 lines at only 5 frames per second, compared to the 32 lines at 15 FPS here.

Some of you may turn your nose up at this as a mere YouTube stunt, which is fair enough. At the same time, we cannot wait for the eventual arms race. Imagine when someone decides to go for 4K cred? Staring through a supersonic Nipkow disk makes pointing a particle accelerator at your face downright mundane. The kit [smill] used was monochrome, but if you want to repeat his antics in glorious colour, you can 3D print your own TV.

youtube.com/embed/9-0OKkkqMc0?…

hackaday.com/2026/05/12/crts-a…

In the time Hackaday has been in existence we must have brought you plenty of projects housed in Altoids tins, as well as a sizeable number of cyberdecks. But until today with [Exercising Ingenuity]’s build, we’ve never brought you a project that combines the two. It’s a fully functional computer that runs Linux, and with its Altoids tin enclosure, looks for all the world like a miniature clamshell laptop.

Hardware wise it’s a Pi Zero with a UPS PHAT and an SPI display, but perhaps it’s arguably the home-made keyboard that really sets it apart. There’s a full-size USB port as well, and a selection of GPIOs are broken out to a header. It wasn’t all plain sailing though, the Altoids hinges needed modifying to make it close, and he driver for the SPI screen required an older version of Raspberry Pi OS. We will forgive it those foibles.

It’s fair to say we’ve not seen anything quite like this, in that there have been plenty of tiny laptops but never one as integrated as this. There’s a demo video with details of the build, that we’ve placed below.

youtube.com/embed/j262kCYZxZI?…

hackaday.com/2026/05/12/a-cybe…

With Hackaday Europe no more than two days away, we want to help you wrap up all of the last loose ends. And that means last-minute changes in the workshop schedule, details on the Thursday night pre-party, and more! Some tickets for the event itself, the workshops, and the pre-party (reservations required) are still available right here.

Pre-Party, Thurs May 15th

Kick off the weekend with us at the official Hackaday Europe pre-party at Soqquadro Restaurant, Piazza Era 7, 23900 Lecco, Italy. Enjoy the Italian aperitivi on the gorgeous Lago di Lecco waterfront. Your ticket includes two drinks and an array of delicious snacks. It’s the Italian way to pregame the weekend ahead. Bring a hack, or just relax and hang out. Your choice. Either way, make sure you pre-register. (On the preregistration page, scroll all the way down past the workshops.)

Workshops

Unfortunately, the Let’s Mesh workshop has been canceled, but the good news, thanks to our incredible sponsors, we’ve added two great new workshops to the lineup. On Saturday, May 16th, we’ll have Tiny Tapeout, When Code Needs a Body, and Fault Injection 101. Sunday features EchoGlow: Arduino UNO Q Workshop with the brand-new Arduino Q devices, from 11:00 AM – 2:00 PM.

Tickets and full descriptions are available at registration.

Lightning Talks

On Sunday afternoon, we’ll dedicate some time to Lightning Talks. These are short, seven-minute talks, with or without slides, on whatever interests you at the moment. If you’ve got hacks or deep thoughts to share with us, you’ll never find a more receptive audience. Register now! Talk slots are FIFO.

Thanks, and See You Soon!

If you’ve never attended a Hackaday event before, we’re excited to see you. Half the fun is the crowd that convenes. If you want to bring along a hack to informally show-and-tell, it’s a great icebreaker. You won’t have to bring food or drinks – we’ve got that covered all weekend.

If you’re an old Hackaday hand, we’re stoked to see you again! A first at Hackaday Europe is going to be whatever large fraction of our SAO collection fits into carry-on luggage, and a sweet-looking SAO wall made by Hackaday Superfriend [Thomas Flummer]. If you have an SAO that you’d like to add to our pile, bring it along! It’s about time for us to do a photo gallery and write-up of everything we’ve got.

And we can’t leave without thanking our broad array of sponsors who make Hackaday Europe possible:

• element14
• Makera
• Espressif
• Arduino
• iFixit
• Edge Impulse
• FibreSeek
• Tiny Tapeout
• And as always, Supplyframe!

hackaday.com/2026/05/12/2026-h…

If you bought computer audio hardware a few decades ago, you may remember coming across products from Altec Lansing. That you probably haven’t thought of that name in some time doesn’t surprise us, the company has not fared well in recent years and has changed hands multiple times. [The Last Shift] tells the company’s history in a video you can watch below.

James Lansing started Lansing Manufacturing, offering high-end speakers for the fledgling “talkie” movie industry. It had some success, but the depression put them on shaky footing. Meanwhile, a company named All Technical Service Company, or Altec, was a large organization that serviced Western Electric movie theater equipment. Flush with cash, they merged with Lansing Manufacturing to form Altec Lansing. With a large infrastructure and Lansing’s engineering, they became a significant supplier to the military during World War II.

After the war, the company produced a landmark theater speaker system that became the gold standard in theater audio. However, Lansing didn’t like the big company environment and left to found a company that bore his full name, James B. Lansing, which you may know as JBL.

Altec Lansing continued to grow. However, a series of mergers and sales starting in 1969 caused the Altec Lansing company to decline. By the 1990s, Altec Lansing was making cheap PC speakers. A far cry from the gold-standard massive speakers made by the company during its heyday.

We love the history of technology and the people that drove them. Bing Crosby, for example. Or the lesser-known heroes like Edwin Armstrong.

youtube.com/embed/l1URAymcu6Y?…

hackaday.com/2026/05/12/the-hi…

The quest for true randomness has roots in cryptography and is a rabbit hole that gets surprisingly deep with alarmingly rapidity. Still, the generation of random-enough numbers is a popular hacker project. Part of the appeal is the way these devices strive to incorporate physical phenomena, and in [Joshua Coleman]’s case, his Neon Entropy (Pseudo) Random Number Generator uses a trio of vintage neon lamps.
Neon lamps discharge at rates that vary unpredictably. They’re also pretty to look at.
[Joshua] chose neon lamps in part because the discharge rate of an energized lamp is a variable, physical process that makes a good source of entropy. They also have an attractive visual appeal that fits the concept [Joshua] had in mind. Unlike random number generators that kick off by measuring radiation or some other imperceptible thing, it’s possible — at least in a sense — to see this one working.

The small variations in the three neon lamps are measured optically by three TEPT4400 ambient light sensors (isolated from the neon lamps themselves) and turned into analog signals. A Raspberry Pi Pico W reads these signals, then uses them in a process that culminates in SHA-256 64-bit values that can be used as random seeds.

There’s also a web dashboard that shows everything live, furthering the “watch it work” concept [Joshua] is aiming for. The video below shows the project in action if you want to see how the sausage gets made.

Earlier we mentioned how random number generators are popular projects among hackers, and here are a few selected ones. Don’t miss the stylish glow and slick enclosure of this Nixie tube RNG, or the lava lamp RNG which is in fact not a gimmick. And while it is commonly understood that meaningful randomness must come from outside a digital chip, uninitialized internal volatile RAM — if accessed correctly — can be a remarkably good source of entropy.

youtube.com/embed/FoSpGV7inyA?…

hackaday.com/2026/05/12/this-p…

As the foremost boffins of Europe toil deep underneath the border between Switzerland and France in their never-ending quest to truly understand the fabric of the Universe, they rely on a vast amount of electronics. The PCB layout team at the particle accelerator thus work with a huge array of parts, for which of course they create KiCad libraries. Now the folks at CERN have made those libraries available as open source, so you can benefit from their work.

The libraries themselves can be found in a GitLab repository, and at the moment are offered only for KiCad version 9.x. We tried installing it in our KiCad 10.0 installation and it refused complaining of a missing JSON file, but we’re assuming that with more time and effort we could have made it happen. We’re told official 10.x compatibility is on the way.

Browsing the repository shows what a multiplicity of parts are included, so we can see this becoming a standard install for many people and the CERN footprints turning up in many projects featured here.

Thanks [Daniel] for the tip!

hackaday.com/2026/05/12/anothe…

Manifesti, e "costituzioni" sono fanfaronate di chi essendosi arricchito vuole anche sentirsi importante. E come sempre non c'è carenza di cantori che diano a questi ignoranti una dignità culturale.
Da oggi, lo script dell'episodio su dk.dataknightmare.eu!

dk.dataknightmare.eu/dk-10x30-…

dataKnightmare Archive

2026-05-11 09:00:00

DK 10x30 - Fanfaroni e cantori

Ascolta l'episodio su Spreaker.com

Prima di tutto una notiziola di servizio. Dopo anni mi sono deciso a mettere online gli script di DataKnightmare. C'è voluto un po', per trovare un software e un provider che dipendessero il minimo possibile dagli Stati Uniti. Soprattutto se siete come me e, se non siete incazzati, l'inutilità di tutto vi fa perdere d'animo. Non esattamente l'atteggiamento per un marketing vincente.

Per fortuna c'è Elena Rossini, che si è posta lo stesso problema e ha condiviso con me la sua soluzione. Quindi, da oggi, se DataKnightmare ha finalmente una casa testuale su dk.dataknightmare.eu, lo dobbiamo anche a Elena. Per ora ho caricato due stagioni in inglese e l'ultima in italiano. Ci vorrà un po', ma non altri dieci anni.

Veniamo a noi. Nel rumore infernale delle novità inutili che escono ogni quarto d'ora, mi è sembrato di cogliere qualcosa di interessante.

Avrete letto e straletto del cosiddetto "manifesto di Palantir", quella ventina di punti su Twitter che riassumono il libro di Alex Karp, CEO di Palantir. E avrete letto e straletto della cosiddetta "intervista a Claude" fatta nientemeno che da Walter Veltroni sul Corriere.

Prima che smettiate di ascoltare vi dico subito che non ho nessuna intenzione di entrare nel dettaglio dell'una né dell'altra. I tweet di Palantir li ho letti di sfuggita, e l'intervista di Veltroni, qualsiasi cosa contenga, non la valuto il tempo che mi ci vorrebbe per leggerla.

E quindi?

E quindi voglio parlare non dell'una o dell'altra cosa, perché sono chiaramente due stupidate, ma di quello che rappresentano, che invece secondo me è interessante.

Partiamo da lontano.

La mia generazione ha portato l'informatica in azienda. Siccome non ho combattuto a Waterloo, l'automazione in azienda c'era già, ma è la mia generazione che ha visto sparire macchine per scrivere e fax e arrivare prima Wordstar, Word e poi tutto il cucuzzaro.

Sono stati decenni tumultuosi durante i quali è stato digitalizzato tutto il digitalizzabile, alcune volte bene, altre così così, altre ancora, citando René Ferretti, a cazzo di cane.

È stato un periodo in cui ognuno ha sognato una propria versione della mitologica "organizzazione piatta" su cui le varie business school scrivevano interi scaffali di trattati.

Ma il punto è che un'organizzazione non è una struttura tecnologica. È una struttura socio-tecnica complessa, in cui la tecnologia gioca una parte. Il risultato è che il semplice arrivo di una tecnologia non determina cambiamenti automatici nei processi e nella struttura sociale dell'organizzazione, per via delle interazioni e delle retroazioni fra tutte le componenti del sistema.

Detto in termini più diretti: qualsiasi cosa ne pensino i tecnologi, non ci sono soluzioni esclusivamente tecnologiche ai problemi di un sistema socio-tecnico.

Una delle dimostrazioni più lampanti può essere per esempio "il superamento della carta", tema sul quale personalmente ho speso molti anni e molto sangue. Credo che possiamo essere tutti d'accordo sul fatto che non c'è mai stata tanta carta negli uffici da quando i documenti sono diventati digitali.

E siccome i documenti sono diventati digitali, ne esistono innumerevoli versioni, tutte sottilmente incompatibili tra loro, che continuano la loro vita indipendente in diverse parti dell'organizzazione.

Per fare un esempio semplice, una volta esisteva la carta intestata (spoiler alert, esiste ancora, ma solo per i contratti firmati dai megadirettori); oggi ogni singola sede locale, e ogni ufficio dentro quella, ha la propria versione "ufficiale" della carta intestata, con una specifica versione del logo, diversa da tutte le altre.

Se invece vi sentite troppo tecnologici per la carta intestata, possiamo parlare di processi, software, API e della relativa documentazione, di cui esistono tante versioni quanti sono i gruppi di developer.

Ogni incompatibilità che emerge durante un progetto viene risolta ad hoc, e a volte documentata, dai diversi gruppi che devono collaborare, con il solo risultato che alla fine esisterà un'altra versione in più del codice, e a volte anche della documentazione. E non venitemi a raccontare che il vostro Confluence o il vostro github sono in ordine.

Quello che è successo con i documenti è successo con tutto, ovviamente. Processi, mansioni, gerarchie.

La questione della gerarchia è interessante. Dicevamo prima che tutti hanno sognato una propria versione della mitologica "organizzazione piatta" che le business school ci assicuravano essere il futuro.

Per me e per quelli come me, organizzazione piatta significava un vertice che avrebbe dettato le linee strategiche, e subito sotto una linea di operativi ad altissima competenza con completa autonomia, eliminando ogni intromissione del top management nelle decisioni tecniche e liberandosi dell'inutile terzo del middle management.

Per il middle management, "organizazione piatta" significava automatizzare o esternalizzare, ma comunque eliminare l'inutile terzo degli operativi, con la loro fissazione di avere obiezioni tecniche alle direttive strategiche del vertice e alle loro interpretazioni da parte del middle management.

Per i vertici, "organizzazione piatta" significava eliminare l'inutile terzo degli operativi e interfacciarsi esclusivamente con il middle management, così da superare finalmente il bisogno di considerare i cosiddetti "dettagli tecnici".

Se vi guardate attorno oggi, non è difficile capire chi ha vinto. I vertici sono ancora tutti lì, e il middle management ha ranghi più pieni che mai. L'appiattimento delle organizzazioni, se c'è stato, ha significato estromettere ed esternalizzare perlopiù le competenze tecniche.

Allo stesso tempo, c'è stata una evoluzione notevole nei ruoli apicali. Con l'avvento del venture capital dagli anni 2000 in poi, le figure apicali sono passate dall'essere figure gestionali ad essere figure sempre più performative. In nessun ruolo questo è più evidente che nel ruolo del CEO. Oggi, il CEO è sopratuttto qualcuno in grado di intessere una narrazione convincente della propria visione del futuro, per poter raccogliere, sul mercato o da investitori privati, i finanziamenti necessari a costruirlo.

Che quel futuro abbia tecnicamente o economicamente senso, che sia perfino possibile, o che abbia una qualche relazione col futuro raccontato nell'ultimo esercizio, non ha alcuna importanza.

Quello che conta è che la figura del CEO, e la narrazione che propone per questo semestre, continui a ispirare la fiducia degli investitori. Null'altro conta.

Il CEO oggi non deve essere capace di "fare", e nemmeno più di dirigere. Deve solo saper convincere. Incessamente, cambiando storia ogni volta che serve senza battere ciglio. Le sue qualità distintive sono la testardaggine e un'inflazionato senso del proprio valore, che purtroppo sono caratteristiche distintive anche del narcisista patologico.

Pensate a Zuckerberg, partito con l'idea geniale di fare un social dove i suoi compagni di corso potevano votare la scopabilità delle studentesse, fortuna che poi è arrivata Sheryl Sandberg a fargli fare davvero i soldi; poi ha cercato di reinventare il denaro (ricordate Libra?), poi ha venduto il metaverso, e adesso è in coda al carrozzone dell'AI dopo il disastroso esordio con chiusura in 72 ore di Galactica.

Pensate a Musk, che ha l'immaginario di un adolescente mediocre nel 1975, e alle puttanatein serie su macchine a guida autonoma, colonizzazione di Marte, e megacostellazioni di satelliti.

Pensate al migliore di tutti, Sam Altman, un altro che scrive un blog e sembra che Giovanni Evangelista abbia dato alle stampe una versione aggiornata. Altman ha imbonito l'intero mondo del venture capital con l'unica promessa di bruciare tutti i soldi degli investitori per poi raccoglierne ancora di più.

Da una fanfaronata alla successiva, tutti loro pensano che il proprio successo non sia frutto di fortuna, conoscenze, contratti pubblici e monopolio, ma del loro essere speciali e visionari. Quando Taleb ci insegna che mentre un buon successo si spiega con capacità e impegno, un successo travolgente si spiega con la varianza.

Non divaghiamo. Oggi un CEO del digitale deve poter sentenziare:

“Guidiamo l’evoluzione sinergica del nostro ecosistema valoriale attraverso un approccio olistico e data-driven, abilitando paradigmi scalabili di innovazione sostenibile orientata alla centralità del cambiamento.”

e farlo con un'aria di profonda convinzione. È ovviamente solo aria fritta, ma chi si mette a ridere o pensa che la frase non abbia alcun senso, non sarà mai un C-level, e non otterrà mai un'intervista.

Di pari passo con la virata performativa di CEO e founder, anche il sistema mediatico si è adattato. Con fallimenti, ristrutturazioni, acquisizioni, oggi i media sono, con poche eccezioni, marketing esternalizzato in mano agli stessi industriali che i media dovrebbero tenere sotto indagine. Intendiamoci, ogni potente ha sempre avuto sicofanti e agiografi in ogni testata, ma oggi ai media viene richiesto di limitarsi a dare risonanza alla narrazione aziendale.

A questo ha contribuito, e non poco, anche una certa lettura mitica, molto statunitense, del settore digitale e dei suoi attori. Dai "cowboy della tastiera" di William Gibson, agli "eroi della frontiera digitale" di Steven Levy, si è fatto ogni sforzo per riproporre il mito fondativo della frontiera, con tutto il suo bagaglio tossico, in salsa digitale.

Il risultato è che oggi sono gli stessi protagonisti a vedere se stessi in termini mitici. E d'altronde non potrebbe essere altrimenti, nessuno vuole pensare di essere soltanto un fortunato raccontatore di favolette semestrali, per quanto bravo.

No, sono invece tutti "visionari", "costruttori del futuro" quando non addirittura "rivoluzionari", ovviamente nel senso capitalistico del termine, ovvero distruttori di industrie e comunità a esclusivo vantaggio proprio e dei propri investitori.

Questo ci porta finalmente a Palantir e a Karp. Che non si accontenta di aver fondato un'azienda che si ingrassa di commesse militari, perché ai capitalisti lo Stato piace ridotto ai minimi termini tranne che come cliente, ma propone la propria immagine mitica di difensore di un occidente convenientemente assediato soltanto da quei problemi che i suoi prodotti dichiarano di affrontare.

E non, per dire, da una disparità economica e sociale senza precedenti, da mutamenti sociali e climatici globali e da una casta di miliardari esentasse in fregola oligarchica. Di nuovo, assistiamo alle fanfaronate di qualcuno che non ha un'idea originale in testa e per questo ha fatto fortuna.

Che Karp, come tutti gli altri miliardari amichetti suoi, ritenga di avere una "visione" da comunicare al pubblico, al di là della trimestrale di cassa, non stupisce. E non stupisce nemmeno che ribadisca i temi del libro in una serie di tweet, forse per compensare vendite meno che travolgenti: tutti, alla fine, vogliono essere visti.

Ma se si gratta appena la superficie delle narrazioni dei CEO, ci si accorge che la Silicon Valley produce soltanto variazioni sul tema di chi l'ha creata e finanziata da sempre: il Pentagono della Guerra Fredda.

Leggete fin che volete Amodei, Altman, Karp, Zuckerberg, Thiel. Ci troverete sempre supremazia statunitense attraverso la tecnologia, esportazione dei valori del capitalismo a stelle e strisce, controllo sociale, contenimento dello sviluppo di qualsiasi potenza concorrente sulla placca euroasiatica.

Roba che non è cambiata di una virgola dal 1946, scritta e sistematizzata da fior di cervelli come Bush (Vannevar, consigliere scientifico di Roosevelt e Truman, omonimo ma non parente dei successivi presidenti George Bush e George Bush il Minore), Kissinger, Brzezinski, Cheney, gente che ha guidato la politica statunitense per decenni mentre i presidenti di turno facevano i fighi in TV recitando le parole chiave di stagione.

Questo non significa che i deliri oligarchici di Karp e compagnia siano innocui, tutt'altro. Ma non sono geni del male. Sono solo attori che, fuori dal teatro, credono ancora di essere Giulio Cesare.

Questi finti campioni della libera iniziativa con i soldi pubblici questo autonominati "inventori del futuro", stanno solo scimmiottando le parole chiave di chi li ha fatti nascere e li mantiene.

Ora, il potere attira servi e sicofanti, l'ho già detto. Ma non si accontenta di quelli, che in fondo disprezza. Ogni potente, e a maggior ragione ogni fanfarone arricchito, ha bisogno di sentirsi validato da qualcuno di cui segretamente invidia la statura, sociale o culturale.

Ed ecco arrivare il cantore. Quello che nel XX secolo si chiamava "intellettuale organico", il cui compito è di usare la propria cultura per dare un po' di densità e di smalto alle narrazioni del potente di turno. Il cantore è più astuto del sicofante, e si può perfino permettere un atteggiamento superficialmente critico, perché il suo ruolo non è confermare punto per punto la narrazione del potente, quello lo fanno già servi e sicofanti, ma validarla dandola completamente per scontata, e distrarre l'attenzione dai problemi con una discussione molto colta su qualche dettaglio insignificante.

Così, mentre gli AI bro imboniscono gli investitori con favole di macchine senzienti e di eliminazione dei lavoratori, pardon, superamento del lavoro, il cantore non si abbassa a entrare nel merito, ma intervista l'intelligenza artificiale. Da Veltroni mi sarei aspettato, se non più dignità, almeno più tempismo. L'intervista con l'Intelligenza Artificiale fa tanto autunno-inverno 2023.

Il cantore è più subdolo del sicofante, perché non si spende pro o contro. Si limita a includere la narrazione del potente nel dibattito "colto".

Se il potente di turno parla di nucleare di nuova generazione, il servo griderà ai quattro venti che il solare e l'eolico sono superati, il sicofante farà notare che l'area verde attorno alla centrale è l'ideale per un picnic con la famiglia.

Il cantore, invece, si mette a discorrere di come le torri di raffreddamento possano rappresentare l'evoluzione dei cipressi del Carducci che "van da San Vito in duplice filar".

Il cantore del digitale, con tutta la sua cultura, non ha niente da dire di specifico, ma lo dice con parole ricercate e citazioni altisonanti. Il suo compito non è discutere o confutare la narrazione del potente, ma tagliare le gambe a ogni dibattito serio dandola per scontata e costruendo una apparente discussione dotta su dettagli completamente marginali.

E in questo, Veltroni ha fatto il suo lavoro. Il fatto stesso di "intervistare" (si sentono le virgolette?) un generatore automatico di testo, e scegliere di farlo su questioni che sarebbero profonde se l'interlocutore fosse un essere umano e non uno specchio retorico, è quanto di più devastante si possa mettere in campo a supporto dei deliri millenaristici dei fanfaroni del digitale.

Se ha ancora un senso l'intellettuale pubblico, il pezzo di Veltroni è il completo tradimento di quel ruolo, l'asservimento della cultura alle ragioni di chi cultura non ne ha nessuna, ma ha soldi a valanghe.

Mentre da sempre chi ha competenza sul tema fa notare quanto sia dannoso, e quali interessi sostenga, antropomorfizzare una tecnologia come la cosiddetta Intelligenza Artificiale, Veltroni arriva bel bello e l'Intelligenza Artificiale te la intervista sul senso dell'esistenza. Non importa che non abbia nulla da dire al riguardo, perché non ce l'ha. Importa solo che un generatore di testo improvvisamente passa per qualcosa con cui si può addirittura "parlare" del senso della vita.

Veltroni avrebbe potuto fare davvero l'intellettuale, e parlare di che senso abbia un'Europa che vuole rincorrere gli Stati Uniti in una bolla speculativa. Avrebbe potuto parlare dei problemi dell'uso dell'Intelligenza Artificiale nelle professioni, nei media, nell'istruzione.

Avrebbe perfino potuto fare l'intellettuale di sinistra e parlare di oligopoli e rendite di posizione, di tecnofeudalesimo, del ruolo politico dell'Intelligenza Artificiale nella demolizione del potere contrattuale del lavoro.

Avrebbe potuto parlare di tutto questo e di molto altro.

Invece ha scelto di fare il cantore dei fanfaroni arricchiti e, facendolo, credo abbia stabilito quale sia il suo posto nella gerarchia in cui Sciascia annoverava uomini, mezz'uomini, ominicchi, pigliainculo e quaqquaraqquà.

Io un'idea ce l'ho.

DK 10x30 - Fanfaroni e cantori

^{Runtime Radio (Spreaker)}

With International Anti-Ransomware Day taking place on May 12, Kaspersky presents its annual report on the evolving global and regional ransomware cyberthreat landscape.

Ransomware remains one of the most persistent and adaptive cyberthreats. In 2026:

• New families continue to emerge, adopting post-quantum cryptography ciphers.
• As ransom payments drop, some groups implement encryptionless extortion attacks.
• In a constantly changing ecosystem of threat actors, initial access brokers maintain a relevant role in this market, showing increased focus on access to RDWeb as the preferred method of remote access.

Ransomware attacks decline but remain a major threat

According to Kaspersky Security Network, the share of organizations affected by ransomware decreased in 2025 across all regions compared to 2024.

Percentage of organizations affected by ransomware attacks by region, 2025 (download)

Despite the formal decrease, organizations across all sectors continue to face a high likelihood of attack, as ransomware operators refine their tactics and scale their operations with increasing efficiency. Kaspersky and VDC Research have found that in the manufacturing sector alone, ransomware attacks may have caused over $18 billion in losses in the first three quarters of the year.

The continued rise of EDR killers and defense evasion tooling

In 2026, ransomware operators increasingly prioritize neutralizing endpoint defenses before executing their payloads. Tools commonly referred to as “EDR killers” have become a standard component of attack playbooks. This reflects a continuing trend toward more deliberate and methodical intrusions.

Attackers attempt to terminate security processes and disable monitoring agents, often by exploiting trusted components such as signed drivers. This technique is called Bring Your Own Vulnerable Driver (BYOVD) and allows adversaries to blend into legitimate system activity while gradually degrading defensive visibility.

Thus, evasion is no longer an opportunistic step but a planned and repeatable phase of the attack lifecycle. As a result, organizations are increasingly challenged not just to detect ransomware but also to maintain control in environments where security controls themselves are actively targeted.

The appearance of new families adopting post-quantum cryptography

We predicted that quantum-resistant ransomware would appear in 2025. Looking back at the previous year, we see that advanced ransomware groups indeed started using post-quantum cryptography as quantum computing evolved. The encryption techniques used by this quantum-proof ransomware could be used to resist decryption attempts from both classical and quantum computers, making it nearly impossible for victims to decrypt their data without having to pay a ransom.

One example is the appearance of the PE32 ransomware family (link in Russian); it leverages the cutting-edge ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) standard to secure its AES keys. This specific cryptographic framework was recently selected by NIST as the primary standard for post-quantum defense.

Within the PE32 ransomware architecture, this is realized through the Kyber1024 algorithm, a robust mechanism providing Level 5 security, roughly equivalent in strength to AES-256. Its primary function is the secure generation and transmission of shared secrets between parties, specifically engineered to withstand future quantum computing attacks. This shift toward post-quantum readiness is part of a broader industry trend; for instance, TLS 1.3 and QUIC protocols have already adopted the X25519Kyber768 hybrid model, which fuses classical encryption with quantum-resistant security.

The shift to encryptionless extortion

In 2025, the share of ransoms paid dropped to 28%. As a response to this, one of the developments in the 2026 landscape is the growing prevalence of extortion incidents in which no file encryption takes place at all. Instead, attackers leave out the “ware” in “ransomware” and focus on extracting sensitive data and leveraging the threat of public disclosure as their primary means of extortion. ShinyHunters is an excellent example of such a group, using a data leak site to publicize its victims.

By avoiding encryption, attackers may aim at reducing the likelihood of immediate detection, shortening the duration of the attack, and eliminating dependencies on stable encryption routines. Often, this model is used alongside traditional tactics in so-called double extortion schemes, but an increasing number of campaigns rely exclusively on data theft.

For victims, this shift fundamentally changes the nature of the risk. While backups remain effective against encryption-based disruption, they provide no protection against data exposure, regulatory consequences, and reputational damage. Ransomware is therefore evolving from a business continuity issue into a broader data security and compliance challenge.

Industrialization of initial access (Access-as-a-Service)

The ransomware ecosystem continues to evolve toward a highly industrialized and specialized model, with initial access remaining as one of its most critical components. In 2026, many ransomware operators keep relying on IABs (initial access brokers), a network of intermediaries who supply pre-compromised access to corporate environments, aiming to no longer perform full intrusions themselves.

This “access-as-a-service” model is fueled by credential theft operations, and the widespread availability of compromised accounts harvested through infostealers and phishing campaigns.

The primary access vectors offered for sale have not changed: RDP, VPN, and RDWeb are still the top access vectors. Consequently, remote access infrastructure remains the primary attack surface for initial access sales. In response to the measures against public exposure of RDP access points to the internet, attackers are now targeting RDWeb portals, which are frequently vulnerable and occasionally inadequately safeguarded.

The result is a threat landscape where unauthorized access is increasingly commoditized, and the barrier to launching ransomware attacks declines. This means that preventing initial compromise is only part of the challenge; equal emphasis must be placed on detecting misuse of legitimate credentials and limiting lateral movement within already-breached environments.

Ransomware developments on the dark web

Telegram channels and underground forums increasingly function as platforms for the distribution and sale of compromised datasets and access credentials including those that were obtained as a result of ransomware attacks.

Advertisements posted on these resources typically include the nature of the access, a description of the exfiltrated or compromised data, price terms, and contact information for prospective buyers. In addition, some malicious actors mention their collaboration with other ransomware groups. Lesser-known gangs can use this name-dropping to promote themselves

Multiple threat actors not related to ransomware groups distribute datasets downloaded from ransomware blogs on underground forums and Telegram. By re-publishing download links and files, they spread compromised data as well as information on the ransomware attack within the community.

The ransomware itself is also sold or offered for subscription on the dark web platforms. The sellers underscore the uniqueness of their malware, as well as its encryption and defense evasion features.

Law enforcement actions

Law enforcement agencies are actively shutting down dark web platforms and ransomware data leak sites. A major underground forum, RAMP, which also functioned as a platform for threat actors to advertise their ransomware services and publish service‑related updates, was seized by authorities in January 2026. Another underground forum, LeakBase, where malicious actors distributed exfiltrated and compromised data, was seized in March 2026. In 2025, law enforcement agencies seized well-known forums like Nulled, Cracked, and XSS. Also in 2025, the DLSs of BlackSuit and 8Base ransomware groups were seized. These takedowns cause inconvenience to ransomware coordination, specifically for initial access brokers and affiliates, though similar forums are expected to fill the void over time.

Top ransomware groups in 2025

RansomHub’s sudden dormancy in 2025 marked a shift, and Qilin became the dominant player from Q2 onward. According to Kaspersky research, Qilin was the most active group executing targeted attacks in 2025.

Each group’s share of victims according to its data leak site (DLS) as a percentage of all reported victims of all groups during the period under review (download)

Qilin stands out as one of the fastest-growig and dominant RaaS platforms. Its combination of high-volume operations and structured affiliate model positions it as a central player in the current ecosystem.

Clop, the second most active group in 2025, is distinguished through its large-scale, supply-chain-style attacks, exploiting widely used file transfer and enterprise software to compromise hundreds of victims simultaneously. This one-to-many approach sets it apart from more traditional, single-target campaigns.

Third place is occupied by Akira, which remains notable for its consistency and operational stability, maintaining a steady stream of victims without major disruption. Its ability to sustain activity over time makes it one of the most reliable indicators of baseline ransomware threat levels.

Although no longer active, RansomHub stands out for its rapid rise and equally rapid disappearance in 2025, highlighting the volatility of the RaaS market. Its shutdown created a vacuum that significantly reshaped affiliate distribution across other groups.

DragonForce is also notable – not just for its own operations, but for its broader influence within the ransomware ecosystem, including reported involvement in infrastructure conflicts and possible links to the disruption of competing groups. Thus, the group claims that RansomHub “has moved to their infrastructure.” This positions it as more than just an operator and potentially an ecosystem-level actor.

New actors in 2026

While emerging actors generally operate on a smaller scale, they provide insight into the continuous churn and low barrier to entry within the ransomware ecosystem.

The Gentlemen group caught our attention in early 2026, as they managed to attack a significant number of victims over a short time. This actor is also notable for reflecting a broader shift toward professionalization and controlled operations within the ransomware ecosystem. Unlike many emerging groups that rely on opportunistic attacks and inconsistent leak activity, The Gentlemen demonstrate a more deliberate approach: structured intrusion workflows, selective targeting, and measured communication with victims. This signals a move away from chaotic, high-noise campaigns toward predictable, business-like execution models that are easier to scale and harder to disrupt. Their TTPs include the massive exploitation of hardware very common on big corporations, such as FortiOS/FortiProxy, SonicWall VPN, and Cisco ASA appliances. The group might be comprised of professional cybercriminals who left other prominent groups.

The group is also notable for its emphasis on data-centric extortion strategies, often prioritizing exfiltration and leverage over purely disruptive encryption. This aligns with one of the defining trends of 2026: ransomware evolving into a form of data breach monetization rather than just system denial. By focusing on controlled pressure and reputational risk instead of immediate operational damage, The Gentlemen exemplify how attackers are adapting to lower ransom payment rates and improved backup practices among victims.
Some other groups to take note of in 2026:

• Devman appears to be an emerging actor with limited but growing activity, likely leveraging existing tooling rather than developing custom capabilities.
• MintEye hasn’t been very active yet, with just five known victims, suggesting opportunistic campaigns without a consistent operational tempo.
• DireWolf is associated with small-scale, targeted attacks, though its overall footprint remains relatively limited compared to larger RaaS groups.
• NightSpire demonstrates characteristics of an amateur group, such as mistakes during its operations, uncommon communication channels with the victims, and sometimes giving them insufficient time to pay up. Although they both encrypt and leak data, they prioritize publication rather than encryption.
• Vect shows low-volume activity. It is yet unclear whether they use a completely new codebase or are rather a rebrand of an existing group.
• Tengu is a less prominent actor, with limited public reporting and no clear distinguishing tactics beyond standard extortion models.
• Kazu appears to be created by ransomware operators previously engaged with multiple other groups. As of now, they don’t stand out for scale or technique.

Although there is little to say about these groups at the time of writing this report, each of them may be equally likely to disappear from the threat landscape or grow into a prominent threat. That’s why it’s important to track them from their early days. Moreover, collectively, these groups illustrate how dynamic the ransomware landscape is, with new entrants constantly replenishing it.

Conclusion and protection recommendations

Despite the growing effort by law enforcement agencies across the globe to seize and disrupt dark web platforms and threat actor infrastructures, ransomware operations remain stable, with new groups quickly taking the place of those who went silent. In 2026, we see a shift towards encryptionless extortion, with data leaks increasingly becoming the main threat to target organizations. At the same time, data encryption is also upgrading to the next level with the emergence of post-quantum ransomware.

To resist the evolving threat, Kaspersky recommends organizations:

Prioritize proactive prevention through patching and vulnerability management. Many ransomware attacks exploit unpatched systems, so organizations should implement automated patch management tools to ensure timely updates for operating systems, software, and drivers. For Windows environments, enabling Microsoft’s Vulnerable Driver Blocklist is critical to thwarting BYOVD attacks. Regularly scan for vulnerabilities and prioritize high-severity flaws, especially in widely used software.

Strengthen remote access: RDP and RDWeb connections should never be directly exposed to the internet, only through VPN or ZTNA (Zero Trust Network Access). It’s highly recommended to adopt multi-factor authentication on everything; the architecture may require continuous authentication for access, as one valid credential captured is enough to cause a breach. Monitoring the underground for stolen employee credentials is essential. Audit open ports across the entire attack surface. The adoption of the “Principle of Least Privilege” (PoLP), where users, systems, or processes are granted only the minimum access rights, such as read, write, or execute permissions, necessary to perform their specific job functions, is highly recommended.

Strengthen endpoint and network security with advanced detection and segmentation. Deploy robust endpoint detection and response solutions such as Kaspersky NEXT EDR to monitor for suspicious activity like driver loading or process termination. Network segmentation is equally important. Limit lateral movement by isolating critical systems and using firewalls to restrict traffic. Complete and immediate offboarding for employees is necessary as well as periodic permission reviews, with automatic revocation of unused access. Sessions with complete logging for privileged accounts are more than necessary. Monitoring the traffic divergence to new sites or even to legitimate endpoints can help the defenders to spot a new insider threat.

Invest in backups, training, and incident response planning. Maintain offline or immutable backups that are tested regularly to ensure rapid recovery without paying a ransom. Backups should cover critical data and systems and be stored in air-gapped environments to resist encryption or deletion. User education is essential to combatting phishing, which remains one of the top attack vectors. Conduct simulated phishing exercises and train employees to recognize AI-crafted emails. Kaspersky Global Emergency Response Team (GERT) can help develop and test an incident response plan to minimize potential downtime and costs.

The recommendation to avoid paying a ransom remains robust, especially given the risk of unavailable keys due to dismantled infrastructure, affiliate chaos, or malicious intent. By investing in backups, incident response, and preventive measures like patching and training, organizations can avoid funding criminals and mitigate the impact.

Kaspersky also offers free decryptors for certain ransomware families. If you get hit by ransomware, check to see if there’s a decryptor available for the ransomware family used against you.

securelist.com/state-of-ransom…

Between 2000 and 2002 the Fisher Price Pixter was sold to children as an educational handheld toy with a touch screen that enabled drawing and listening to music in addition to cartridge-based games and more. It was followed up by multiple new iterations of the system, but as an ecosystem didn’t last beyond 2007. This has left much of the system in obscurity, with people like [Dmitry] doing their best to reverse-engineer, dump and document what they can, such as recently for the entire range of Pixter devices and most of the games.

One of the reasons why [Dmitri] got interested in the second-generation Pixter Color originally was as a potential PalmOS porting target, which gives somewhat of an idea of how these devices were meant to be used.

With absolutely no remaining known official documentation on how to develop software for the hardware reverse-engineering posed somewhat of a challenge. Fortunately this was made somewhat easier by the Pixter Color using the ARM-based LH7541, but worse by just how much of a minimal ARM7 implementation the SoC is. This was meant to go into a cheap-ish kid’s toy after all.

Where things got wild was that the firmware implements a 16-bit stack-based virtual machine, possibly due to initially having selected a completely different SoC. From here things get even crazier with how audio output is implemented, with [Dmitry] descending into a long-winded rant on this and all the weird things encountered during reverse-engineering.

After the Color Pixter its Multimedia sibling with slightly better SoC was also reverse-engineered, as well as the Classic device that started it all. This particular device uses an 8-bit VM, but a black-blob 6502 processor, which is rather astounding for a 2000-era device, but then again it was meant to be a toy.

In addition to getting a lot of reverse-engineering woes off his chest, [Dmitri] also details how he reverse-engineered and dumped the cartridges, as well as writing emulators to ensure that the Pixter legacy will endure, for better or worse.

Top image: Pixter with opened case. (Credit: Raimond Spekking, Wikimedia)

hackaday.com/2026/05/11/revers…

You normally think of fiber optic as something used in network cables. However, scientists employ dedicated fibers to detect earthquakes. In simple terms, they fire a laser down the fiber and watch reflections caused by imperfections. When vibrations hit the cable, it changes the defects, which show up in the return pattern. However, with the right techniques, those vibrations could just as easily be from people speaking near the cable.

If you are alarmed, there’s good news and bad news. The good news is that the technique seems to be limited to coils of fiber that are not buried, and you have to be within about 5 meters of the fiber. The bad news is that there is plenty of dark cable all over the place. Besides, if researchers can do this successfully, you would imagine three-letter agencies around the world could do it even better.

There have been several recent papers about the same topic. Of course, you can also read laser bounces from windows. Noisy keyboards can also give you away.

Title image from [Compare Fibre] via Unsplash.

hackaday.com/2026/05/11/the-wa…

If you ride a motorcycle, you know it is a bit of an art to manage the transmission on a typical bike. Electric motorcycles lose some of that. You usually just have a throttle and a brake. No transmission and, crucially, no clutch. Honda just patented a simulated clutch for those who want the old-school experience, according to [Ben Purvis], writing for Australian Motorcycle News.

This isn’t just a do-nothing lever on the handlebar. There’s haptic feedback to feel when the clutch engages. The motor responds to your actions on the lever. If you pull the clutch in part of the way, the motor loses power up to the point where there is no engine power with the clutch fully in.

Most interestingly, the software understands that when you raise the throttle with the clutch in and then release the clutch, you expect a sudden burst of torque, and it will accommodate the request.

If you are a casual driver, this may seem like a gimmick. However, according to the post, motocross racers rely on precise power control like this.

If you do your own conversion, you could probably do something similar. Or, we suppose, a new build, if you prefer.

hackaday.com/2026/05/11/honda-…

Guess what time it is– that’s right, clock time! It’s always clock time, and when it’s clock time at Hackaday the weirder the better. So, how about a water clock that’s not actually a water clock? The water here has nothing to do with timekeeping, but is what’s driving the display. Fair to say that [Strange Inventions] is living up to the name of his YouTube channel.

You can get the idea from the header image: each digit is formed by a fifteen-segment display made up of glass bottles. A stepper-driven peristaltic pump and some membrane-pump boosters fills the bottles as needed with dyed water, while emptying is accomplished simply by having a servo dump the water into a trough. It’s an interesting, albeit messy, way to generate a display.

It wasn’t the original idea– well, the bottles were the original concept, but flipping them was not. Dumping the bottles has the advantage of not needing oodles of pumps or taking five minutes to sequentially fill and drain the bottles at each digit. The linkage to get the servo to flip all nine bottles in one go took some troubleshooting– we can relate, since the physical half of such projects usually is the hard part– but after many modifications the 3D printed mechanism worked, and we think the results are worth it.

If you’re looking for the other kind of water clock, we featured one of those before, too. This one is also of ancient style, but makes use of modern electronics. It occurs to us that if one was really, really ambitious, they could expand this [Strange] project into a very damp flip-dot style display.

youtube.com/embed/YKB5-sgexI0?…

hackaday.com/2026/05/11/its-a-…

A computer the size of a credit card is nothing new. There have been many single-board computers following the familiar dimensions. [Krauseler]’s credit card computer is different, though. It packs an ESP32-C3, e-paper display, NFC reader, and, incredibly, a Li-Po battery into a credit card form factor in three dimensions rather than two. That’s right, this computer is only 1mm thick.

To ensure perfect compliance with the form factor, the enclosure, if that’s what it can be called, is a real NFC card with the middle cut out to take the electronics. The PCB is flexible, and the battery is the thinnest available. The e-paper display is an ultra-thin, flexible variant. A display connector would have been too thick, so a very fine wire-and-solder job was required.

On its own, an ESP32-C3-based computer with an NFC reader and an e-paper display would be a pretty cool project, depending on what software was on it. This one, however, redefines the term “credit card-sized.”

It’s not the first piece of electronics we’ve seen that tries for the full credit card format, but it’s certainly the only one so far to slim down to 1 millimetre.

Thanks [Joey] for the tip!

hackaday.com/2026/05/11/this-c…

Humanoid robots are a thing now, and here’s an interesting research project that explores using one as a form of haptic media. Specifically, using a humanoid robot to move a chair while one plays a VR driving simulator.

Here’s how it works: a Unitree G1 robot sits behind a player’s chair and grasps it with its hands. Spherical markers on the chair help the robot’s depth camera know the chair’s position, and real-time G-force signals fed from the simulator (Assetto Corsa, running on PC) tell the robot how much and in what direction to shift the chair to match in-simulator events.

While a humanoid robot (especially one equipped with articulated, human-like hands) makes for an awfully expensive force feedback chair, this approach is interesting because it specifically explores using an already-existing humanoid robot as a general-purpose device. It sits in a chair, looks with its camera, grasps with its hands, and moves the player’s chair in response to game events; no hardware modifications required.

So how well does it work? Pretty well, apparently! Participants found the synchronized motion feedback accurate and highly enjoyable, although it does seem like there were some rough edges. Some testers reported that the sustained motion and constant vibration were tiring, and in some cases seemed to worsen VR sickness.

Still, using a robot in this way seems to be a conceptual success and showcases the potential of humanoid robots as flexible, general-purpose devices. We’ve seen a robot used to provide interactive force feedback in VR before, but a driving simulator makes for a pretty fun demonstration.

The video is embedded below, and for more information, check out the team’s research paper.

youtube.com/embed/ggsCDhQv6Hg?…

hackaday.com/2026/05/11/want-d…

Seminario di studi presso l’Isituto comprensivo di Anguillara Sabazia

dicorinto.it/formazione/progag…

When most people think about vacuum tubes, they picture big glass bottles glowing inside antique radios or early computers. History often treats tubes as a dead-end technology that was suddenly swept away by the transistor in the 1950s. But the reality is much more interesting. Vacuum tube technology did not simply stop evolving when the transistor appeared. In fact, some of the most sophisticated and technically impressive tube designs emerged after the transistor had already been invented.

During the final decades of mainstream tube development, manufacturers pushed the technology in remarkable directions. Tubes became smaller, faster, quieter, more rugged, and more specialized. Designers experimented with exotic geometries, ceramic construction, metal envelopes, ultra-high-frequency operation, and even hybrid tube-semiconductor systems. Devices such as acorn tubes, lighthouse tubes, compactrons, and nuvistors represented a last gasp of thermionic electronics.

Ironically, many of these innovations arrived just as solid-state electronics were becoming commercially practical. Vacuum tubes were improving rapidly right up until the market abandoned them.

The Pressure to Improve

By the 1930s and 1940s, vacuum tubes dominated electronics. Radios, radar systems, military communications, industrial controls, and the first digital computers all depended on them. But everyone was painfully aware of their problems.

Traditional tubes were fragile, generated heat, consumed significant power, and suffered from limitations at high frequencies. Internal lead lengths created parasitic inductance and capacitance. At radio frequencies and especially microwave frequencies, those unwanted effects made design difficult.

Military requirements during World War II accelerated development dramatically. Radar systems needed tubes capable of operating at VHF, UHF, and microwave frequencies. Vehicle equipment required devices that could withstand punishment. Computers with tubes suffered from frequent failures, took up entire rooms, and needed special cooling equipment, often bigger than the computer. These pressures drove tube designers into an intense period of innovation.

Acorn Tubes: Tiny Tubes for High Frequencies

One of the earliest major departures from conventional tube geometry was the acorn tube. Developed in the 1930s by RCA, the acorn tube got its name from its distinctive shape, which resembled an acorn with wire leads protruding from the base and sides. Unlike ordinary tubes, where the internal elements had relatively long leads, the acorn design minimized lead length to reduce parasitic capacitance and inductance. At high frequencies, this reduction was crucial.

One famous example was the 955 acorn triode. These tubes found use in experimental television receivers, military radios, and laboratory equipment. Acorn tubes also reflected an important trend in late tube development: engineers were increasingly treating tubes not merely as amplifying devices, but as microwave structures requiring careful electromagnetic design.

youtube.com/embed/POeim3qf5Sw?…

The Lighthouse Tube

If acorn tubes were specialized, lighthouse tubes were positively futuristic. Lighthouse tubes abandoned the classic cylindrical glass form almost entirely. Instead, they used stacked disk-like electrodes arranged in a compact coaxial structure. The resulting geometry minimized transit times and parasitic reactances, allowing operation into microwave frequencies.

The tubes vaguely resembled a lighthouse tower. These tubes became essential in radar systems during World War II and the early Cold War period. Some lighthouse designs could operate in the gigahertz range, something impossible for conventional receiving tubes.

Their construction also introduced new manufacturing techniques. Many used ceramic and metal rather than large glass envelopes. This improved heat resistance and mechanical stability while reducing losses at high frequencies.
In many ways, lighthouse tubes represented the transition from classic vacuum tubes and true microwave devices like klystrons and traveling-wave tubes.

youtube.com/embed/S1lFS_N0kaY?…

Metal Tubes and Ruggedization

Another path of tube evolution focused on durability and compactness. Early tubes used fragile glass envelopes that were easily broken and susceptible to microphonics and vibration. During the 1930s, manufacturers introduced all-metal tube designs. These tubes replaced the glass envelope with a metal shell, improving shielding and mechanical ruggedness.

Metal tubes were particularly attractive for military and automotive applications. Shielding reduced interference, while the smaller physical size allowed more compact equipment layouts.

Hybrid glass-metal constructions also became common. Engineers experimented constantly with new materials and packaging approaches to reduce noise, improve reliability, and extend tube lifespan.

Subminiature Tubes

One of the most impressive developments was the subminiature tube. These tiny devices often looked more like oversized resistors than conventional tubes. Some were less than an inch long and designed to be soldered directly into circuits rather than plugged into sockets.

Subminiature tubes emerged largely from military demands during and after World War II. Proximity fuzes for artillery shells required electronics small enough to survive being fired from a cannon. Traditional tubes would simply shatter under the acceleration.

The resulting ruggedized miniature tubes were shock-resistant and compact enough for portable military electronics. After the war, subminiature tubes appeared in hearing aids, portable radios, test instruments, and early miniaturized computers.

youtube.com/embed/jegSJ0039-A?…

The Nuvistor: The Ultimate Receiving Tube

One of the most interesting late-stage vacuum tube was the RCA Nuvistor. Introduced by RCA in 1959, the nuvistor represented an attempt to create a truly modern vacuum tube for the transistor age.

Unlike classic glass tubes, nuvistors used a compact metal-and-ceramic construction. They were extremely small, highly reliable, vibration-resistant, and capable of excellent high-frequency performance. They also exhibited very low noise characteristics. At first glance, a nuvistor hardly resembles a traditional tube at all. You could easily mistake these for some other component in a metal can.

Technically, nuvistors were excellent devices. They offered superior performance in many RF applications compared to early transistors, particularly in television tuners, instrumentation, and aerospace electronics.

High-end studio microphones also adopted nuvistors because of their low noise and desirable electrical behavior. Some audiophiles still use nuvistor-based equipment today.

But despite their capabilities, nuvistors arrived too late. Semiconductor technology was improving rapidly. Silicon transistors were becoming cheaper, more reliable, and easier to manufacture in large quantities. Integrated circuits loomed on the horizon. The nuvistor may have been the best small receiving tube ever made, but it was competing against a technology whose economics would soon become overwhelming.

youtube.com/embed/5NJbeDd6sJ4?…

Compactrons

As semiconductor electronics advanced, tube manufacturers attempted another strategy: integration. The Compactron, introduced by General Electric in the early 1960s, combined multiple tube functions into a single envelope. A compactron might contain several triodes, pentodes, or diode sections in one package. This reduced component count, simplified wiring, and lowered manufacturing costs for television sets and other consumer electronics. Of course, tubes with multiple electrodes weren’t new. They dated back to at least 1926. However, GE’s aggressive marketing of the brand was an attempt to prevent designers from defecting to the solid-state camp.

In some sense, compactrons were the vacuum tube answer to integrated circuits. Engineers were trying to achieve greater functional density while keeping tube-based designs economically competitive. GE’s Porta-Color, the first portable color television, used 13 tubes, including 10 Compactrons. They usually have 12-pin bases and an evacuation tip at the bottom of the tube rather than at the top.

Compactrons saw widespread use in televisions, stereos, and industrial electronics during the 1960s and early 1970s. But again, semiconductor integration advanced even faster. The battle was becoming impossible to win.

Specialized Tubes Survived

Even after transistors took over consumer electronics, vacuum tubes remained important in specialized fields. Microwave tubes such as klystrons, magnetrons, and traveling-wave tubes continued to dominate high-power RF applications. Radar systems, satellite communications, particle accelerators, and broadcast transmitters all relied on advanced vacuum devices. In some areas, they still do.

A modern microwave transmitter aboard a communications satellite may still use a traveling-wave tube amplifier because tubes can handle very high frequencies and power levels efficiently.

No Instant Win

One misconception about electronics history is that the transistor immediately rendered tubes obsolete after its invention at Bell Labs in 1947. That is not what happened.

Early transistors had many limitations. They were noisy, temperature-sensitive, low-power, and expensive. Tubes often outperformed them in RF circuits, audio applications, and high-power systems well into the 1960s.

For a significant period, designers genuinely did not know which technology would dominate certain markets. Tube designers were still making substantial advances. Nuvistors and Compactrons were not desperate relics; they were serious engineering efforts intended to compete in a changing world.

Ultimately, however, semiconductors possessed overwhelming long-term advantages. Transistors required less power, generated less heat, occupied less space, and could be manufactured using scalable photolithographic processes. Once integrated circuits became practical, the economics shifted decisively. Vacuum tubes could evolve, but they could not shrink into millions of devices on a silicon chip.

The final years of vacuum tube development are often overlooked because history tends to focus on winners. Yet this period produced some of the most elegant and specialized electronic devices ever created. By the late tube era, vacuum tube manufacturing had become quite refined. Engineers could produce tubes with tightly controlled characteristics and surprisingly long operating lives.

youtube.com/embed/Ycr8EJUpKw0?…

Some early transistorized devices still retained subminiature tubes in certain high-frequency or low-noise stages because transistors had not yet surpassed tube performance in every application. This overlap period is often forgotten today. Electronics did not instantly switch from tubes to semiconductors. For years, many systems used both. For many years, a typical ham radio transmitter, for example, would be all solid-state except for the power amplifier finals, which were often a pair of 6146 tubes.

You can, of course, make your own tubes. If you’ve had enough of making your own tubes, maybe try reproducing some of these advanced models.

hackaday.com/2026/05/11/the-va…

IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and will be in Brussels all next week for this conference (where I'll be moderating a panel on May 20 at 11:50 CET.) If you're around and want to grab coffee, ping me here.

— Countries want to build sovereign AI infrastructure. I crunched the numbers to see how much that would actually cost.

— Digital antitrust cases were supposed to rein in the power of dominant players. But when it comes to online advertising, market power is on the rise.

— Spending on government-focused AI systems will rise 35 percent this year to over $80 billion.

Let's get started:

digitalpolitics.co/newsletter0…

Although the term ‘dry ice’ is generally used for solid CO₂, it’s much more accurate to call this ‘dry snow’, as, rather than being actual solid blocks, they are effectively snow that’s been compressed really tightly. While not really necessary for most applications of dry ice, it is possible to make blocks of actual CO₂ ice, and thus [Hyperspace Pirate], as someone with a healthy obsession with cold things had to make some of his own.

As a first step, you, of course, have to chill down CO₂ in a container, for which Mr. [Pirate] used a Joule-Thomson cryocooler, with a 15% butane, 35% propane, and 50% ethylene gas mixture. Of course, as ethylene is only easy to get if you have a lot of money to spend, you will want to make it yourself from ethanol. This involves boiling and 400°C aluminum oxide to capture the produced ethylene.

With the CO₂ pressure chamber cooled in its refrigerated bath, the process didn’t take long. After opening the pressure chamber, the results were interesting to say the least. Although there was definite ice formation along the sides that contacted the metal chamber the closest, the closer to the center, the more the CO₂ resembled the usual fluffy, compressed dry ice.

This is encouraging as it shows that it’s definitely possible to make nice ice pucks or cubes, but the method needs further refinement to get more ice and less snow.

youtube.com/embed/uxmJ5qT2Gaw?…

hackaday.com/2026/05/11/making…

We feature a lot of DIY portable computers — rehash the “is that a cyberdeck” in the comments to your heart’s content — but how many of them are explicitly girly? Certainly, none of the ones that come to mind oozed the distilled femme energy of [cc] AKA [bossbratox]’s project, playfully titled “Mermaid in the Shell”.

The build started with a frame clutch purse, which, given that it comes with nice hinges and latches, is really a brilliant starting point for a project case. The fact that you can find them shaped like pink seashells really seals the deal for this particular project. A ZitaoTech BB Q10 keyboard — in white, naturally — pairs with a 3.5″ touchscreen as the interface for a Raspberry Pi 3A+. You might be thinking, “great, another toy with an old Pi inside. What can you really do with a Pi3 in 2026?” Well, admittedly, for full-fat desktop Linux, the 3A+ is looking a bit long in the tooth and short in the RAM.

If you are willing to work within its constraints and not run a full Linux desktop, though, 512 MB is plenty of RAM to work with. [cc] has set up a custom terminal user interface (TUI) to give her everything she needs — wifi, bluetooth, a full terminal, a remote serial monitor, a local LLM chatbot, a PDF reader, a text editor, and, of course, a mermaid digital pet. That last one is user-skinnable, though, so if you want a terminal tamagotchi of your own, you can grab the code off GitHub and swap the spites for whatever you want.

Thanks to [cc] for the tip. Whether your next build is dripping the femme-ergy and kawaii as heck, or just utilitarian tacticool, please let us know in the tips line.

Remember, too, that an aesthetic doesn’t need to be skin-deep. We have some tips for good-looking PCBs here that are relevant because they now come in pink — as we saw with this wearable circuit sculpture.

hackaday.com/2026/05/11/mermai…

We notice there are a lot of hacks on YouTube lately, but we don’t share enough hacks about YouTube. That’s why [PortalRunner]’s latest oeuvre is interesting: it’s a video that gives you a different picture depending on the selected bitrate.

Watch it at 1080p, you get one thing; at 360p, the image is completely different. The hack relies on understanding precisely how YouTube cuts down videos — because if you haven’t uploaded a video there before, you might not know the creator doesn’t have to encode all of those options; they’re invited to upload in the highest possible definition, and YouTube reencodes the rest.

1080p and 720p films are shown at 60FPS, while 360p and below are 30FPS– so that’s one way to hide the difference. Since YouTube drops every second frame when encoding the lower-quality video, images you want in the HD version can be kept only in even-numbered frames that YouTube will remove. That seems easy enough, but how does [PortalRunner] avoid the low-quality image flickering in at 30 FPS when watching in higher definition?

Well, that relies on understanding exactly how downsampling works: going from 1080p to 360p means tossing out every third pixel in both the horizontal and vertical directions. If you’re careful, it turns out you can craft an image that vanishes when the 3×3 grid of pixels it’s made of at 1080p is averaged to a single background-colored pixel at 360p. [Portal Runner] is using vertical stripes here, but that’s not the only way to do it. Just to be sure the message came through loud and clear at 1080p, though, the original image, not the stripy one, is used on the odd-numbered, discarded frames.

Hiding the 1080p video is only half the battle: he needs to get those frames not to average specifically to the background color, but to make his new images. That’s a bit tricky, which is why the demonstration uses “1080p” and “lower” as its easter eggs: they fit well inside one another, with the characters lining up one-to-one. That’s without even getting into the hack he’s using with extra i-frames to create thumbnails on the timeline to tell you to ‘subscribe’. Look, it is YouTube, what else can you expect? We’re just glad to see a totally benign hack of the platform that’s holding so many hacks these days.

Of course, real hackers live on the command line, and you can play YouTube there, too.

youtube.com/embed/UCBAqaT4SQc?…

hackaday.com/2026/05/10/hacked…

For as many speakers as someone can cram into a surround sound system, humans still (generally) only have two ears to listen to those sounds with. This means that, for recording purposes, it’s possible to create incredibly vivid three-dimensional sounds with just two microphones, provided that there’s an actual physical replica of a human ear attached to each microphone. This helps ensure that all the qualities of the sounds are preserved in a way a real human would experience them, and as [David Green] demonstrates, these systems don’t need to be very expensive.

This build doesn’t just use models of human ears for recording sounds through. The silicone ears are mounted on a styrofoam mannequin head as well, which provides some sound isolation between the two microphones, much like a real human head. The ears are mounted in appropriate locations with the microphones installed inside, and the entire microphone apparatus is positioned on a PVC rig with a camera so that binaural audio will be recorded for anything [David] points it at.

Although he had some issues interfacing two microphones using 19th-century technology instead of soldering everything together, the build still eventually came together, and only for around $70 USD. However, this build is a bit dated now, so prices may have changed by now. It’s still a great way to produce realistic stereo sound without breaking the bank, but it’s not the only way of getting this job done.

youtube.com/embed/Xg5TmoPUEAk?…

hackaday.com/2026/05/10/binaur…

While Artemis II was primarily a demonstration flight of the architecture NASA plans to use for future lunar missions, it was also an excellent excuse for the crew to snap some photos of the Moon and Earth with the benefit of modern camera technology. If you’ve been looking forward to seeing more of the crew’s images, you’re in luck, as thousands of new images have recently been released.

Now we don’t mean to beat up on the folks at NASA, but browsing through these images, we couldn’t help but be reminded of an article we saw on PetaPixel that discussed the space agency’s haphazard approach to sharing images online.

It’s really more like an unsorted file dump than anything, made worse by the fact that you have to access it through a government website that looks and performs like it was designed in the early 2000s. There’s even a prominent button that attempts to load a gallery feature that relies on the long-deprecated Adobe Flash. It would be nice to see the situation improved by the time astronauts actually touch down on the lunar surface, but we wouldn’t count on it.

Speaking of old tech, we’ve been following the resurgence of keyboard-equipped smartphones with great interest, as we imagine many of you have been. A recent CNBC article addresses the trend, although it didn’t quite take the nerd contingent into account. We want physical keys so we can work in the terminal and write code without fighting an on-screen keyboard, but of course, that’s not exactly what your average consumer is looking for.

It’s quite the opposite, in fact. A 20-something user referenced in the article explained how the younger generations see the physical keyboard as a way to be less connected to their phones, describing it as “an extra barrier of inconvenience that adds more steps into the thinking process.” If you need us, we’ll be collecting dust in the corner.

As regular readers may know, we’ve also taken an interest in plug-in solar panels recently. So-called “solar balconies” have become quite popular in Europe, but regulatory friction in the United States has prevented them from achieving similar success here. An article in the MIT Technology Review talks about the process of bringing solar balconies to the US, and we’re not overly thrilled with some of the developments it highlights.

As the key hurdle appears to be safety, UL Solutions recommends that balcony solar panels be plugged into a specialized outlet. If putting a regular AC plug on the end of a solar panel can lead to potentially dangerous situations, they believe the solution is to require a different plug that no one could mistake for anything else, with built-in safety features to reduce the risk of electric shock.

That might not seem unreasonable at first, but it actually represents a pretty serious hurdle for many users. Consider that the whole advantage of these panels is the convenience: you can simply open the box, plug them in, and start collecting energy. But if you need to install a special outlet, potentially requiring an electrician, the whole concept falls apart. Expect to hear more from us on this particular subject as it develops.

Finally, Spirit Airline customers weren’t the only ones running into issues this week — a Southwest flight in California was delayed due to complications with a robotic passenger. The bot actually had a ticket, but the flight crew said it still violated the airline’s rules for large carry-on luggage and had to be moved to a different seat. Then somebody realized the robot’s relatively large lithium-ion battery was also in violation of carry-on limits, and it had to be removed and confiscated by authorities. Important details to keep in mind if you happen to be a robot planning your summer vacation.

See something interesting that you think would be a good fit for our weekly Links column? Drop us a line, we’d love to hear about it.

hackaday.com/2026/05/10/hackad…

The idea of using cardboard for a sloppy PC case isn’t new; it’s a time-honored tradition dating back to at least the 1990s. That said, with today’s CNC cutters and other advanced tooling available to hobbyists, you might be curious to see how far you can push the concept. As demonstrated in a recent video by [mryeester], the answer appears to be that good planning and a solid understanding of cardboard’s limitations are as essential as ever.

After having the PC case drawn up in CAD and cut on a professional CNC cutter by a buddy who makes commercial cardboard displays, the installation procedure for the PC components showed where a bit of foresight could have saved a lot of time and effort.

The first problem was that the GPU couldn’t be installed due to wrong measurements on where the IO bracket normally is screwed into the case. Some cardboard cutting later, the GPU slid into place, but of course, there’s no way to screw it down, putting the full weight on the PCIe slot of the mainboard. Fortunately, the mainboard was quite literally bolted into place, and the case consists of multiple layers of corrugated cardboard to add some rigidity.

Next was more carving as the PSU cut-out was designed for an SFX PSU, not an ATX one. After that ordeal, one could say that perhaps a nice thing about a cardboard case is that you get to pick where buttons are located, though this comes with its own logistical issues.

Finally, mounting side panels turned into another chore, with perhaps some engineering possible to make it work better. For example, we recently looked at making cardboard hinges that would look pretty good on a cardboard PC case. You can also waterproof cardboard and make it much stronger, turning a throwaway, temporary cardboard solution into something that will last for years, even with occasional exposure to moisture and a water-cooling leak.

youtube.com/embed/udnBfP4_Mg4?…

hackaday.com/2026/05/10/why-us…

For the last few years, the must-have feature that companies are competing to show off on their filament deposition 3D printers is multi-material printing. Be it tool swapping or a material-changing system, everyone wants to show they can give you the capability to make multicoloured plastic tchotchkes. So far, that hasn’t really been the case in the world of at-home resin printing — until now. A company called Polysynth, headed by a fellow named [Eric], hopes you’ll pay a premium for the ability to make multimaterial resin prints, and they show some interesting use cases in the video below.

The technique is simple: instead of one resin tank underneath the dipping build plate, [Eric]’s Polysynth printer has a carousel of up to eight small circular tanks. To avoid cross-contamination from uncured resin, the print needs to be cleansed between alternating dips in the different resin vats. Rather than add a wash vat and slow the process down that way, [Eric] and his team decided to use centrifugal force: they just spin the print really, really fast to fling all the uncured resin to the sides of the vat. Yes, really.

The hard part isn’t the resin-removing spin cycle — the hard part is stopping the spin at the precise orientation the part started at, to within a few microns. For that, he’s using a sort of kinematic linkage to lock the spinning portion back into place using a servo. It seems to work, based on the demonstration in the video embedded below. Even better, [Eric] shows off a resin conductive enough to use for fully printed, multilayer PCBs. We doubt SLS will ever compete with traditional fabs on volume, but for fast turnaround without waiting on parts from China, the conductive resins could open up some killer apps for this kind of printer. That and dental: printing gums and teeth of dentures in one solid go is likely to appeal to users in that space.

What do you think? Tipster [Aaron Tagliaboschi] was interested enough to send in the video, and we’re grateful that he did. It’s early days yet, and you cannot buy one of these machines just yet. Since it’s a commercial product, you’ll be starting from scratch if you want to build your own.

It wasn’t that long ago that the only way to get a home resin printer was to build it yourself, and it’s still an option that might save some coin. If you go that route, why not try spinning? We hear that’s a good trick, so let us know if you try it.

youtube.com/embed/g7RS8YON2_s?…

hackaday.com/2026/05/10/multim…