
Genetic Algorithm Runs on Atari 800 XL


For the last few years, the story in artificial intelligence that was accepted without question was that all of the big names in the field needed more compute, more resources, more energy, and more money to build better models. But simply throwing money and GPUs at these companies without question led to them getting complacent, and ripe to be upset by an underdog with a fraction of the computing resources and funding. Perhaps that should have been more obvious from the start, since people have been building various machine learning algorithms on extremely limited computing platforms, like this one built on the Atari 800 XL.

Unlike other models that use memory-intensive applications like gradient descent to train their neural networks, [Jean Michel Sellier] is using a genetic algorithm to work within the confines of the platform. Genetic algorithms evaluate potential solutions by evolving them over many generations and keeping the ones which work best each time. The changes made to the surviving generations before they are put through the next evolution can be made in many ways, but for a limited system like this a quick approach is to make small random changes. [Jean]’s program, written in BASIC, performs 32 generations of evolution to predict the points that will lie on a simple mathematical function.
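The selection-and-mutation loop described above, as an added example written for this page in C rather than [Jean Michel Sellier]'s BASIC program: a population of candidate lines y = a*x + b is scored against sample points of a target function, the best half survives each generation, and the rest are refilled with randomly perturbed copies of the best survivors. The target function, population size, mutation step sizes and the PRNG are all assumptions made for this example.

```c
#include <stdio.h>

/* Added example, not the Atari BASIC program: a mutation-only genetic
 * algorithm that evolves the two coefficients of a line y = a*x + b
 * until it reproduces sample points of a target function. Everything
 * below (target, population, step sizes, PRNG) is an assumption. */

#define POP   16     /* individuals per generation */
#define NPTS  8      /* sample points the model must predict */

typedef struct { double a, b; } Genome;

/* target the GA must learn: y = 2x + 1 (constructed for the example) */
static double target(double x) { return 2.0 * x + 1.0; }

/* portable PRNG (xorshift32) so one seed gives the same run on every libc */
static unsigned rng_state = 1;
static unsigned xorshift(void) {
    unsigned x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}
/* uniform random double in [-range, range] */
static double rnd(double range) {
    return ((double)xorshift() / 4294967295.0 * 2.0 - 1.0) * range;
}
static double absd(double v) { return v < 0 ? -v : v; }

/* fitness: sum of squared prediction errors over the sample points (lower is better) */
double cost(const Genome *g) {
    double s = 0.0;
    for (int i = 0; i < NPTS; i++) {
        double x = (double)i;
        double d = (g->a * x + g->b) - target(x);
        s += d * d;
    }
    return s;
}

/* Evolve for `gens` generations: sort by cost, keep the best half, and
 * refill the worst half with mutated copies of the four best survivors
 * (one coarse and one fine mutation each). Survivors are never altered,
 * so the best cost can only decrease. Returns the best genome found. */
Genome evolve(unsigned seed, int gens) {
    Genome pop[POP];
    rng_state = seed ? seed : 1;
    for (int i = 0; i < POP; i++) { pop[i].a = rnd(5.0); pop[i].b = rnd(5.0); }

    for (int g = 0; g < gens; g++) {
        /* selection: insertion sort, ascending by cost */
        for (int i = 1; i < POP; i++) {
            Genome t = pop[i]; int j = i - 1;
            while (j >= 0 && cost(&pop[j]) > cost(&t)) { pop[j + 1] = pop[j]; j--; }
            pop[j + 1] = t;
        }
        /* reproduction: slots POP/2..POP-1 are refilled from parents 0..3 */
        for (int i = POP / 2; i < POP; i++) {
            int parent = (i - POP / 2) / 2;
            double step = (i % 2 == 0) ? 1.0 : 0.1;   /* coarse or fine random change */
            pop[i] = pop[parent];
            pop[i].a += rnd(step);
            pop[i].b += rnd(step);
        }
    }
    /* the champion is the lowest-cost individual left in the population */
    int best = 0;
    for (int i = 1; i < POP; i++) if (cost(&pop[i]) < cost(&pop[best])) best = i;
    return pop[best];
}

int main(void) {
    Genome g = evolve(12345u, 32);   /* 32 generations, as in the article */
    printf("a=%.3f b=%.3f cost=%.4f\n", g.a, g.b, cost(&g));
    return 0;
}
```

Because survivors are copied unchanged, the run is monotone: a generation can never end with a worse champion than it started with, which is what makes the "keep the ones which work best" rule safe even when every mutation in a generation is a step backwards.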

While it is true that the BASIC program relies on stochastic methods to train, it does work and proves that it’s effective to create certain machine learning models using limited hardware, in this case an 8-bit Atari running BASIC. In previous projects he’s also been able to show how similar computers can be used for other complex mathematical tasks as well. Of course it’s true that an 8-bit machine like this won’t challenge OpenAI or Anthropic anytime soon, but looking for more efficient ways of running complex computation operations is always a more challenging and rewarding problem to solve than buying more computing resources.



hackaday.com/2025/02/21/geneti…


Hacking Flux Paths: The Surprising Magnetic Bypass


Schematic of a circuit

If you think shorting a transformer’s winding means big sparks and fried wires: think again. In this educational video, titled The Magnetic Bypass, [Sam Ben-Yaakov] flips this assumption. By cleverly tweaking a reluctance-based magnetic circuit, this hack channels flux in a way that breaks the usual rules. Using a simple free leg and a switched winding, the setup ensures that shorting the output doesn’t spike the current. For anyone who is obsessed with magnetic circuits or who just loves unexpected engineering quirks, this one is worth a closer look.

So, what’s going on under the hood? The trick lies in flux redistribution. In a typical transformer, shorting an auxiliary winding invites a surge of current. Here, most of the flux detours through a lower-reluctance path: the magnetic bypass. This reduces flux in the auxiliary leg, leaving voltage and current surprisingly low. [Sam]’s simulations in LTspice back it up: 10 V in yields a modest 6 mV out when shorted. It’s like telling flux where to go, but without complex electronics. It is a potential stepping stone for safer high-voltage applications, thanks to its inherent current-limiting nature.

The original video walks through the theory, circuit equivalences, and LTspice tests. Enjoy!



hackaday.com/2025/02/21/hackin…


Reviewing a Very Dodgy BSK-602 Adjustable Power Supply


There’s no shortage of cheap & cheerful power supplies which you can obtain from a range of online retailers, but with no listed certification worth anything on them, calling them ‘dodgy’ is more of a compliment. On the [DiodeGoneWild] YouTube channel, an adjustable power supply by the model name BSK-602 is tested and torn down to see exactly what less than $5 on sites like Alibaba will get you.

Perhaps unsurprisingly, voltage regulation is very unstable with massive drifting when left to heat up for a few hours, even though it does hit the 3 V to 24 V DC and 3 A output that it’s optimistically rated for. After popping open the adapter, a very basic switching mode power supply is revealed with an abysmal component selection and zero regard for safety or primary and secondary side isolation. With the case open, the thermal camera reveals that the secondary side heats up to well over 150 °C, explaining why the case was deforming and the sticker peeling off after a few hours of testing.

The circuit itself is based around a (possibly legit) UC3843RN 500 kHz current mode PWM controller, with the full schematic explained in the video. Highlights include the lack of inrush protection, no EMI filtering, a terrible & temperature-dependent voltage reference, not to mention poor component selection and implementation. Basically it’s an excellent SMPS if you want to blast EMI, fry connected electronics and conceivably burn down your home.

UC3843-based BSK-602 circuit schematic in all its dodgy glory. (Credit: Diode Gone Wild, YouTube)


hackaday.com/2025/02/21/review…


Pocket Device Tracks Planets And The ISS


Ever been at a party and landed in a heated argument about exactly where the International Space Station (ISS) is passing over at that very instant? Me neither, but it’s probably happened to someone. Assuming you were in that situation, and lacked access to your smartphone or any other form of internet connected device, you might like the pocket-sized Screen Tracker from [mars91].

The concept is simple. It’s a keychain-sized item that combines an ESP32, a Neopixel LED, and a small LCD screen on a compact PCB with a couple of buttons. It’s programmed to communicate over the ESP32’s WiFi connection to query a small custom website running on AWS. That website processes orbit data for the ISS and the positions of the planets, so they can be displayed on the LCD screen above a map of the Earth. We’re not sure what font it uses, but it looks pretty cool—like something out of a 90s sci-fi movie.

It’s a great little curio, and these sorts of projects can have great educational value to boot. Creating something like this will teach you about basic orbits, as well as how to work with screens and APIs and how to get embedded devices online. It may sound trivial when you’ve done it before, but you can learn all kinds of skills pursuing builds like these.



hackaday.com/2025/02/21/pocket…


Hackaday Podcast Episode 309: Seeing WiFi, A World Without USB, Linux in NES in Animal Crossing


This week Hackaday Editors Elliot Williams and Tom Nardi start things off with updates on the rapidly approaching Hackaday Europe and the saga of everyone’s favorite 3D printed boat.

From there they’ll cover an impressive method of seeing the world via WiFi, Amazon’s latest changes to the Kindle ecosystem, and an alternate reality in which USB didn’t take over the peripheral world. You’ll also hear about a multi-level hack that brings the joys of Linux into the world of Animal Crossing, 3D printed circuit components, and the imminent release of KiCAD 9.

Stick around until the end to learn about a unique hardened glass from East Germany and the disappointing reality of modern voice control systems.


hackaday.com/2025/02/21/hackad…


Building a One Wheel With Tracks


One-wheels use motion-tracking hardware and fine motor control to let you balance on a single wheel. That’s neat and all, but [Michael Rechtin] had another idea in mind—what if a one-wheel used a track instead?

The idea behind the track was to make the one-wheel more capable on surfaces where wheels simply can’t compete. The tracked drivetrain was largely 3D printed, including some massive gears that are supplemented by a big old 150 mm ball bearing which sits around the drive motor itself. If you love planetary gear trains with a 4:1 reduction, this project is for you. Carbon-fiber reinforced filament was used for many of the parts to give them some additional strength. Control is a little different than a traditional one-wheel, since the flat-bottomed track means lean controls won’t work. Instead, a wireless hand throttle was constructed to enable the rider to command the direction of travel.

It’s not easy to ride, but the one-track does actually work. It’s capable of crawling its way around on grass and snow quite well. There were some issues with the printed tracks and rollers, particularly when turning, but tweaks to round out the track profile helped solve that issue to a degree. There’s a reason we often use wheels instead of tracks, but somehow tracks are still just cool.



hackaday.com/2025/02/21/buildi…


Starmer orders Apple to open the door to encrypted accounts: the US says no


Last week, the UK authorities asked Apple to create a “back door” so they could access content uploaded to the cloud by users around the world. The source? An investigation by the Washington Post, citing people familiar with the matter. According to the American newspaper, the British Home Secretary, Yvette Cooper, served Apple with a Technical Capability Notice under the Investigatory Powers Act of 2016.

This law obliges technology companies, such as communication service providers or device manufacturers (Apple, for example), to give law enforcement or intelligence agencies access to data or systems, often overriding technical protections such as encryption. Nicknamed the Snoopers’ Charter by its critics, the law even makes it a crime to reveal the existence of such a government request. The request, which dates back almost a year, is said to have met with fierce internal resistance at Apple, but the case is now taking on an unprecedented political dimension because of the firm opposition of the US Congress.

The United States rejects the Starmer government’s request


As the Twitter Files journalist Matt Taibbi notes on Racket News, figures from both parties have asked the government to oppose the British authorities’ request. Democratic Senator Ron Wyden of Oregon and Republican Representative Andy Biggs of Arizona have joined forces to ask the new Director of National Intelligence, Tulsi Gabbard, to oppose the request from His Majesty’s Government.

Wyden, in particular, asked Gabbard to confirm her opposition to government “exploitation” of encrypted data. Why does this matter? Until now, for almost nine years, there had never been any serious opposition to foreign requests for access to data, encrypted or otherwise. Europe, the FBI and the American security apparatus have generally maintained a united front. With Donald Trump taking office, however, the political climate has changed and a space for “resistance” has opened up: Apple, which until now has tried to fight the British request quietly, may find an ally in Tulsi Gabbard and in the two lawmakers who have spoken out on the matter.

Access to encrypted data


In the past, the authorities have repeatedly forced the tech giants to hand over encrypted data. On December 2, 2015, Taibbi recalls, two attackers opened fire at the Inland Center in San Bernardino, California, killing 14 people and wounding 22. Two months later, the FBI tried to force Apple to unlock the iPhone of one of the attackers, Syed Rizwan Farook, asking it to disable the cryptographic protections.

The legal battle, led by FBI General Counsel Jim Baker (who later moved to Twitter), saw the federal agents obtain an order to compel Apple to create software to crack the passcode. The FBI subsequently resolved the case by hiring the Australian company Azimuth, which hacked the phone in 2016. Azimuth’s name was revealed by the Washington Post in 2021, citing anonymous sources.

The article Starmer orders Apple to open the door to encrypted accounts: the US says no originally appeared on InsideOver.


This Week in Security: OpenSSH, JumbledPath, and RANsacked


OpenSSH has a newly fixed pair of vulnerabilities, and while neither of them is lighting the Internet on fire, each is fairly important.

The central observation made by the Qualys Threat Research Unit (TRU) was that OpenSSH contains a code paradigm that could easily harbor a logic bug. It’s similar to Apple’s infamous goto fail; SSL vulnerability. The setup is this: an integer, r, is initialized to a negative value, indicating a generic error code. Multiple functions are called, with r often, but not always, set to the return value of each function. On success, that may set r to 0 to indicate no error. And when one of those functions does fail, it often runs a goto statement that short-circuits the rest of the checks. At the end of this string of checks is a return r; statement, using the last value of r as the result of the whole function.
1387 int
1388 sshkey_to_base64(const struct sshkey *key, char **b64p)
1389 {
1390         int r = SSH_ERR_INTERNAL_ERROR;
....
1398         if ((r = sshkey_putb(key, b)) != 0)
1399                 goto out;
1400         if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) {
1401                 r = SSH_ERR_ALLOC_FAIL;
1402                 goto out;
1403         }
....
1409         r = 0;
1410  out:
....
1413         return r;
1414 }

The potential bug? What if line 1401 were missing? That would mean setting r to the success return code of one function (1398), then using a different variable in the next check (1400), without re-initializing r to a generic error value (1401). If that second check fails at line 1400, execution jumps to the return statement at the end, but instead of returning an error code, the success code from the intermediary check is returned. The TRU researchers arrived at this theoretical scenario just through the code smell of this particular goto use, and used the CodeQL code analysis tool to look for any instances of this flaw in the OpenSSH codebase.

The tool found 50 results, 37 of which turned out to be false positives, and the other 13 were minor issues that were not vulnerabilities. Seems like a dead end, but while manually auditing how well their CodeQL rules did at finding the potentially problematic code, the TRU team found a very similar case, in the VerifyHostKeyDNS handling, that could present a problem. The burning question on my mind when reaching this point of the write-up was what exactly VerifyHostKeyDNS was.

SSH uses public key cryptography to prevent Man in the Middle (MitM) attacks. Without this, it would be rather trivial to intercept an outgoing SSH connection, and pretend to be the target server. This is why SSH will warn you The authenticity of host 'xyz' can't be established. upon first connecting to a new SSH server. And why it so strongly warns that IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! when a connection to a known machine doesn’t verify properly. VerifyHostKeyDNS is an alternative to trusting a server’s key on first connection, instead getting the cryptographic fingerprint in a DNS lookup.

So back to the vulnerability. TRU found one of these goto out; cases in the VerifyHostKeyDNS handling that returned the error code from a function on failure, but the code a layer up only checked for a -1 value. On one layer of code, only a 0 was considered a success, and on the other layer, only a -1 was considered a failure. Manage to find a way to return an error other than -1, and host key verification automatically succeeds. That seems very simple, but it turns out the only other practical error that can be returned is an out-of-memory error. This leads to the second vulnerability that was discovered.
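Both patterns from the write-up, the "missing line 1401" goto out; case and the layer above that only treats -1 as failure, modelled in one added example. This is not OpenSSH code: the error codes, the "record" format, the simulated out-of-memory switch and the function names are all constructed for illustration, and each buggy variant sits next to the form that checks the return value properly.

```c
#include <stdlib.h>
#include <string.h>

/* Added example modelling the two patterns described above; it is not
 * OpenSSH code. Error codes, record format and names are constructed. */
#define ERR_INTERNAL   (-1)   /* generic error, like SSH_ERR_INTERNAL_ERROR */
#define ERR_BAD_RECORD (-2)   /* the "DNS record" did not parse */
#define ERR_ALLOC_FAIL (-3)   /* out of memory, like SSH_ERR_ALLOC_FAIL */

/* stand-in for the first check: a record is valid if it starts with 'v' */
static int parse_record(const char *rec) {
    return (rec != NULL && rec[0] == 'v') ? 0 : ERR_BAD_RECORD;
}

/* stand-in for the second check: an allocation that can be made to fail */
static char *copy_fingerprint(const char *rec, int simulate_oom) {
    if (simulate_oom) return NULL;
    char *fp = malloc(strlen(rec) + 1);
    if (fp) strcpy(fp, rec);
    return fp;
}

/* The "missing line 1401" variant: once the first check succeeds, r is 0,
 * and the second failure path jumps to out: without resetting it, so an
 * allocation failure is reported to the caller as success. */
int fingerprint_lookup_buggy(const char *rec, int simulate_oom, char **out) {
    int r = ERR_INTERNAL;
    char *fp;
    if ((r = parse_record(rec)) != 0)
        goto out;
    if ((fp = copy_fingerprint(rec, simulate_oom)) == NULL)
        goto out;                 /* BUG: r is still 0 here */
    *out = fp;
    r = 0;
out:
    return r;
}

/* Correct form: every failure path assigns r before jumping to out: */
int fingerprint_lookup_fixed(const char *rec, int simulate_oom, char **out) {
    int r = ERR_INTERNAL;
    char *fp;
    if ((r = parse_record(rec)) != 0)
        goto out;
    if ((fp = copy_fingerprint(rec, simulate_oom)) == NULL) {
        r = ERR_ALLOC_FAIL;
        goto out;
    }
    *out = fp;
    r = 0;
out:
    return r;
}

/* The layer above. The lenient caller mirrors the mismatch in the write-up:
 * it treats only -1 as failure, so ERR_ALLOC_FAIL (-3) from the callee
 * counts as a verified host key. The strict caller accepts only 0, the
 * callee's sole success value, which is the convention both layers must share. */
int host_key_verified_lenient(int rc) { return rc != -1; }
int host_key_verified_strict(int rc)  { return rc == 0; }
```

The defensive takeaway is that a callee returning "0 or a negative error" and a caller testing "is it -1?" are two different contracts; a CodeQL-style query that flags a goto to the shared exit label without an assignment to r on that path catches the first bug, and a review of every `== -1` against the callee's actual error set catches the second.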

OpenSSH has its own PING mechanism to determine whether a server is reachable, and what the latency is. When it receives a PING, it sends a PONG message back. During normal operation, that’s perfectly fine. The messages are sent and the memory used is freed. But during key exchange, those PONG packets are simply queued. There are no control mechanisms on how many messages to queue, and a malicious server can keep a client in the key exchange process indefinitely. In itself it’s a denial of service vulnerability for both the client and server side, as it can eat up ridiculous amounts of memory. But when combined with the VerifyHostKeyDNS flaw explained above, it’s a way to trigger the out-of-memory error, and bypass server verification.

The vulnerabilities were fixed in the 9.9p2 release of OpenSSH. The client attack (the more serious of the two) is only exploitable if your client has the VerifyHostKeyDNS option set to “yes” or “ask”. Many systems default this value to “no”, and are thus unaffected.

JumbledPath


We now have a bit more insight into how Salt Typhoon recently breached multiple US telecom providers, and deployed the JumbledPath malware. Hopefully you weren’t expecting some sophisticated chain of zero-day vulnerabilities, because so far the answer seems to be simple credential stealing.

Cisco Talos has released their report on the attacks, and the interesting parts are what the attackers did after they managed to access target infrastructure. The JumbledPath malware is a Go binary, running on x86-64 Linux machines. Lateral movement was pulled off using some clever tricks, like changing the loopback address to an allowed IP, to bypass Access Control Lists (ACLs). Multiple protocols were abused for data gathering and further attacks, like SNMP, RADIUS, FTP, and SSH. There’s certainly more to this story, like where the captured credentials actually came from, and whose conversations were actually targeted, but so far those answers are not available.

Ivanti Warp-Speed Audit


The preferred method of rediscovering vulnerabilities is patch diffing. Vendors will often announce vulnerabilities, and even release updates to correct them, and never really dive into the details of what went wrong with the old code. Patch diffing is looking at the difference between the vulnerable release and the fixed one, figuring out what changed, and trying to track that back to the root cause. Researchers at Horizon3.ai knew there were vulnerabilities in Ivanti’s Endpoint Manager, but didn’t have patches to reverse engineer. Seems like a bummer, but it was actually serendipity, as the high-speed code audit looking for the known vulnerability actually resulted in four new ones being found!

They are all the same problem, spread across four API endpoints, and all reachable by an unauthenticated user. The code is designed to look at files on the local filesystem, and generate hashes for the files that are found. The problem is that the attacker can supply a file name that actually resolves to an external Universal Naming Convention (UNC) path. The appliance will happily reach out and attempt to authenticate with a remote server, and this exposes the system to credential relay attacks.
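The mitigation for the class of bug described above is to refuse any caller-supplied name that is not a bare file name inside the directory the hashing routine is meant to serve. The following is an added example in C, not Ivanti's code: the allowed directory, the function names and the sample inputs are assumptions, and the checks reject every form a UNC path can take (backslash or forward-slash separators, the \\?\ prefix, drive letters) along with traversal components.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Ivanti code. Only a bare file name is accepted; it is
 * joined to a fixed local directory, so a value like \\host\share\x can
 * never be handed to the file API. ALLOWED_DIR is an assumption. */
#define ALLOWED_DIR "C:\\ProgramData\\hashes\\"   /* constructed */

/* Returns 1 if `name` is a plain file name with no path semantics, else 0. */
int is_safe_file_name(const char *name) {
    size_t n;
    if (name == NULL || (n = strlen(name)) == 0 || n > 255) return 0;
    /* any separator means the caller is trying to leave the directory; this
       covers \\server\share, //server/share, \\?\ and C:\ forms alike */
    if (strchr(name, '\\') || strchr(name, '/')) return 0;
    if (strchr(name, ':')) return 0;                 /* drive letters, "C:file" */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p == 0x7f) return 0;       /* control characters */
    return 1;
}

/* Builds the full local path for the hashing routine, or returns -1 and
 * leaves `out` empty when the name is rejected or would not fit. */
int build_hash_target(const char *name, char *out, size_t outlen) {
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (!is_safe_file_name(name)) return -1;
    int w = snprintf(out, outlen, "%s%s", ALLOWED_DIR, name);
    if (w < 0 || (size_t)w >= outlen) { out[0] = '\0'; return -1; }
    return 0;
}

int main(void) {
    char path[512];
    const char *inputs[] = { "report.txt", "\\\\example-host\\share\\f.txt", "..\\secret.ini" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-32s -> %s\n", inputs[i],
               build_hash_target(inputs[i], path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```

An allow-list on the name is deliberately stricter than trying to detect UNC syntax: rejecting every separator removes the need to enumerate the many spellings Windows accepts for a remote path. Unauthenticated endpoints that touch the filesystem are also the ones where a detection rule for outbound SMB from the appliance to unexpected hosts pays off.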

RANsacked


The Florida Institute for Cybersecurity Research has published a post and paper (PDF) about RANsacked, their research into various LTE and 5G systems. This is a challenging area to research, as most of us don’t have any spare LTE routing hardware lying around to research on. The obvious solution was to build their own, using open source software like Open5GS, OpenAirInterface, etc. The approach was to harness a fuzzer to find interesting vulnerabilities in these open implementations, and then apply that approach to closed solutions. Serious vulnerabilities were found in every target the fuzzing system was run against.

Their findings break down into three primary categories of vulnerabilities. The first is untrusted Non-Access Stratum (NAS) control messages getting handled by the “core”, the authentication, routing, and processing part of the cellular system. These messages aren’t properly sanitized before processing, leading to the expected crashes and exploits we see in every other insufficiently hardened system that processes untrusted data. The second category is the uncertainty in the protocol specifications and the mismatch between what those specifications seem to indicate and the reality of cellular traffic. And finally, the deserialization of ASN.1 data is itself subject to deserialization attacks. This group of researchers found a staggering 119 vulnerabilities in total.

Bits and Bytes


[RyotaK] at GMO Flatt Security found an interesting vulnerability in Chatwork, a popular messaging application in Japan. The desktop version of this tool is just an Electron app, and it makes use of webviewTag, an obsolete Electron feature. This quirk can be combined with a dangerous method in the preload context, allowing for arbitrary remote code execution when a user clicks a malicious link in the application.

Once upon a time, Microsoft published Virtual Machines for developers to use for testing websites inside Edge and IE. Those VM images had the puppet admin engine installed, but no configuration set. And that’s not great, because in this state puppet will look for a machine using the puppet hostname on the local network, and attempt to download a configuration from there. And because puppet is explicitly designed to administer machines, this automatically results in arbitrary code execution. The VMs are no longer offered, so we’re past the expiration date on this particular trick, but what an interesting quirk of these once-official images.

[Anurag] has an analysis of the Arechclient2 Remote Access Trojan (RAT). It’s a bit of .NET malware, aggressively obfuscated, that collects and exfiltrates data and credentials. There’s a browser element, in the form of a Chrome extension that reports itself as Google Docs. This is more data collection, looking for passwords and other form fills.

Signal users are getting hacked by good old fashioned social engineering. The trick is to generate a QR code from Signal that will permit the account scanning the code to log in on another device. It’s advice some of us have learned the hard way, but QR codes are just physical manifestations of URLs, and we really shouldn’t trust them lightly. Don’t click that link, and don’t scan that QR code.


hackaday.com/2025/02/21/this-w…


A New 8-bit CPU for C


It is easy to port C compilers to architectures that look like old minicomputers or bigger CPUs. However, as the authors of the Small Device C Compiler (SDCC) found, pushing C into a typical 8-bit CPU is challenging. Lessons learned from SDCC inspired a new 8-bit architecture, F8. This isn’t just a theoretical architecture. You can find an example Verilog implementation in the SDCC project and on GitHub. The name choice may turn out to be unfortunate, as there was an F8 CPU from Fairchild back in the 1970s that apparently few people remember.

In the video from FOSDEM 2025, [Phillip Krause] provides a nice overview of the how and why of F8. While it might seem odd to create a new 8-bit CPU when you can get bigger CPUs for pennies, you have to consider that 8-bit machines are more than enough for many jobs, and if you can squeeze one into an FPGA, it might be a good choice as opposed to having to get a bigger FPGA to hold your design and a 32-bit CPU.

Many 8-bit computers struggle with efficient C code mainly because the data size is smaller than the width of a pointer. Doing things like adding two numbers takes more code, even in common situations. For example, suppose you have a pointer to an array, and each element of the array is four bytes wide. To find the address of the n’th element, you need to compute: element_n = base_address + (n * 4). An 8086, say, with 16-bit pointers and many 16-bit instructions and addressing modes, can do the calculation very succinctly.
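To make the cost concrete, here is an added example (not from the SDCC or F8 projects) that computes base_address + (n * 4) twice: once as the single 16-bit operation a wider CPU uses, and once as the sequence of byte-wide shifts, adds and carry propagation an 8-bit register file forces on the compiler, counting the steps. The operation count per line is an approximation of one instruction each and is this example's assumption, not a measurement of any real core.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not SDCC/F8 code: the same pointer arithmetic on a
 * 16-bit machine and spelled out in 8-bit operations. */
typedef struct { uint8_t lo, hi; } ptr16;   /* a 16-bit pointer as two bytes */

/* reference: one scaled-index addition on a machine with 16-bit registers */
uint16_t element_addr16(uint16_t base, uint8_t n) {
    return (uint16_t)(base + (uint16_t)n * 4);
}

/* 8-bit machine: each statement is roughly one byte-wide instruction;
 * *ops receives how many were needed (an assumed cost model). */
uint16_t element_addr8(uint16_t base, uint8_t n, int *ops) {
    ptr16 p = { (uint8_t)base, (uint8_t)(base >> 8) };
    uint8_t off_lo = n, off_hi = 0;       /* the offset n*4 starts as n */
    uint8_t carry;
    *ops = 0;
    /* n*4 is two 16-bit left shifts; each needs a shift of the low byte
       and a rotate-through-carry of the high byte */
    for (int i = 0; i < 2; i++) {
        carry = off_lo >> 7; off_lo = (uint8_t)(off_lo << 1);   (*ops)++;
        off_hi = (uint8_t)((off_hi << 1) | carry);              (*ops)++;
    }
    /* the 16-bit add becomes add-low then add-high-with-carry */
    uint16_t sum = (uint16_t)p.lo + off_lo;
    carry = sum > 0xFF; p.lo = (uint8_t)sum;                     (*ops)++;
    p.hi = (uint8_t)(p.hi + off_hi + carry);                     (*ops)++;
    return (uint16_t)(p.lo | ((uint16_t)p.hi << 8));
}

int main(void) {
    int ops;
    uint16_t a = element_addr8(0x10F0, 5, &ops);
    printf("element 5 at 0x%04X (16-bit: 0x%04X), %d byte ops\n",
           a, element_addr16(0x10F0, 5), ops);
    return 0;
}
```

The byte version needs six operations where the 16-bit version needs one, and that is before the stack-relative or indexed addressing the article's wish list mentions, which is exactly the gap F8's stack-relative addressing and hardware multiply are meant to close.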

Other problems you frequently run into with compiling code for small CPUs include segmented address spaces, dedicated registers for memory indexing, and difficulties putting wider items on a stack (or, for some very small CPUs, even having a stack, at all).

The wish list was to include stack-relative addressing, hardware 8-bit multiplication, and BCD support to help support an efficient printf implementation.

Keep in mind, it isn’t that you can’t compile C for strange 8-bit architectures. SDCC is proof that you can. The question is how efficient the generated code is. F8 provides features that facilitate efficient binaries for C programs.

We’ve seen other modern 8-bit CPUs use SDCC. Writing C code for the notorious PIC (with its banked memory, lack of stack, and other hardships) was truly a surreal experience.


hackaday.com/2025/02/21/a-new-…


Angry Likho: Old beasts in a new forest


Angry Likho (referred to as Sticky Werewolf by some vendors) is an APT group we’ve been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we’ve analyzed before, so we classified it within the Likho malicious activity cluster. However, Angry Likho’s attacks tend to be targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors. Given that the bait files are written in fluent Russian, we infer that the attackers are likely native Russian speakers.

We’ve identified hundreds of victims of this attack in Russia, several in Belarus, and additional incidents in other countries. We believe that the attackers are primarily targeting organizations in Russia and Belarus, while the other victims were incidental—perhaps researchers using sandbox environments or exit nodes of Tor and VPN networks.

At the beginning of 2024, several cybersecurity vendors published reports on Angry Likho. However, in June, we detected new attacks from this group, and in January 2025, we identified malicious payloads confirming their continued activity at the moment of our research.

Technical details

Initial attack vector


The initial attack vector used by Angry Likho consists of standardized spear-phishing emails with various attachments. Below is an example of such an email containing a malicious RAR archive.

Contents of spear-phishing email inviting the victim to join a videoconference

The archive includes two malicious LNK files and a legitimate bait file.

Bait document from spear-phishing email inviting the victim to join a videoconference

The content of this document is almost identical to the body of the phishing email.

This example illustrates how the attackers gain access to victims’ systems. All these emails (and others like them in our collection) date back to April 2024. We observed no further activity from this group until we discovered an unusual implant, described below. Based on our telemetry, the attackers operate periodically, pausing their activities for a while before resuming with slightly modified techniques.

Previously unknown Angry Likho implant


In June 2024, we discovered a very interesting implant associated with this APT. The implant was distributed under the name FrameworkSurvivor.exe from the following URL:

hxxps://testdomain123123[.]shop/FrameworkSurvivor.exe

This implant was created using the legitimate open-source installer, Nullsoft Scriptable Install System, and functions as a self-extracting archive (SFX). We’ve previously observed this technique in multiple Awaken Likho campaigns.

Below are the contents of the archive, opened using the 7-Zip archiver.

Contents of the malicious SFX archive

The archive contains a single folder, $INTERNET_CACHE, filled with many files without extensions.

Installation script of the self-extracting archive


To understand how the SFX archive infects a system when launched, we had to find and analyze its installation script. The latest versions of 7-Zip do not allow extraction of this script, but it can be retrieved using older versions. We used 7-Zip version 15.05 (the last version supporting extraction of the installation script):

Contents of the malicious SFX archive opened in 7-Zip version 15.05

The installation script was named [NSIS].nsi, and was partially obfuscated.

Obfuscated contents of the installation script

After deobfuscation, we were able to determine its primary purpose:

Deobfuscated installation script from the malicious SFX implant

The script searches for the folder on the victim’s system using the $INTERNET_CACHE macro, extracts all the files from the archive into it, renames the file “Helping” to “Helping.cmd”, and executes it.

Helping.cmd command file


Below are the contents of the Helping.cmd file:

Contents of the Helping.cmd file

This file is heavily obfuscated, with several meaningless junk lines inserted between each actual script command. Once deobfuscated, the script’s logic becomes clear. Below is the code, with some lines modified for readability:

Deobfuscated Helping.cmd

The Helping.cmd script launches a legitimate AutoIt interpreter (Child.pif) with the file i.a3x as a parameter. The i.a3x file contains a compiled AU3 script. With that in mind, we can assume that this script implements the core logic of the malicious implant.

AU3 script


To recover the original AU3 file used when creating the i.a3x file, we created a dummy executable with a basic AutoIt script, swapped its content with i.a3x, and used a specialized tool to extract the original AU3 script. We ended up with the original AU3 file:

Restored AU3 script

The script is heavily obfuscated, with all strings encrypted. After deobfuscating and decrypting the code, we analyzed it. The script begins with a few verification procedures:

The AU3 script checks the environment

The script checks for artifacts associated with emulators and research environments of security vendors. If a match is found, it either terminates or executes with a 10,000 ms delay to evade detection.

Interestingly, we’ve seen similar checks in the Awaken Likho implants. This suggests that the attackers behind these two campaigns share the same technology or are the same group using different tools for different targets and tasks.

The script next sets an error-handling mode by calling SetErrorMode() from kernel32.dll with the flags SEM_NOALIGNMENTFAULTEXCEPT, SEM_NOGPFAULTERRORBOX, and SEM_NOOPENFILEERRORBOX, thus hiding system error messages and reports. If this call fails, the script terminates.

Afterward, the script deletes itself from disk by calling FileDelete("i") and generates a large text block, as shown below.

Code for generating "shellcode"

This block is presumably shellcode that will be loaded into memory and executed. However, it is also packed and encrypted. Once unpacked and decrypted, the AU3 script attempts to inject the malicious payload into the legitimate AutoIt process.

Final activity of the AU3 script

Main payload


To obtain the shellcode, we saved a dump of the decrypted and unpacked payload once the AU3 malicious script had fully processed it. After removing unnecessary bytes from the dump, we recovered the original payload of the attack. It turned out to be not shellcode but a full-fledged MZ PE executable file.

The decrypted and unpacked payload—an MZ PE file

Our products detect this payload with the following verdicts:

  • HEUR:Trojan.MSIL.Agent.pef
  • HEUR:Trojan.Win32.Generic

We examined this payload and concluded that it is the Lumma Trojan stealer (Trojan-PSW.Win32.Lumma).

The Lumma stealer gathers system and installed-software information from compromised devices, as well as sensitive data such as cookies, usernames, passwords, bank card numbers, and connection logs. It steals data from 11 browsers: Chrome, Chromium, Edge, Kometa, Vivaldi, Brave, Opera Stable, Opera GX Stable, Opera Neon, Mozilla Firefox and Waterfox, and from cryptocurrency wallets such as Binance and Ethereum. It also exfiltrates data from cryptowallet browser extensions (MetaMask) and authenticator extensions (Authenticator), along with information from applications such as the remote access software AnyDesk and the password manager KeePass.

Command servers


This sample contains encoded and encrypted addresses of command servers. Using a simple decryption procedure in the executable file code, we restored the original domain names used as command servers.

  • averageorganicfallfaw[.]shop
  • distincttangyflippan[.]shop
  • macabrecondfucews[.]shop
  • greentastellesqwm[.]shop
  • stickyyummyskiwffe[.]shop
  • sturdyregularrmsnhw[.]shop
  • lamentablegapingkwaq[.]shop
  • innerverdanytiresw[.]shop
  • standingcomperewhitwo[.]shop

Pivoting on these command server names, we identified other related samples, over 60 malicious implants in all. Some of them carry the same payload, and from them we recovered additional attacker-controlled command servers; the addresses below appeared in those samples alongside the original ones:

  • uniedpureevenywjk[.]shop
  • spotlessimminentys[.]shop
  • specialadventurousw[.]shop
  • stronggemateraislw[.]shop
  • willingyhollowsk[.]shop
  • handsomelydicrwop[.]shop
  • softcallousdmykw[.]shop

We’re convinced that the main objectives of this APT group are to steal sensitive data using stealers and establish full control over infected machines via malicious remote administration utilities.

New activity


We’ve been tracking the attacks of this campaign since June 2024. However, in January 2025, the attackers showed a new surge in activity, as reported by our colleagues from F6 (previously known as F.A.C.C.T.). We analyzed the indicators of compromise they published and identified signs of a potential new wave of attacks, likely in preparation since at least January 16, 2025:

Files found in Angry Likho's payload repositories

We managed to download malicious files hosted in repositories seen in the January Angry Likho attack while they were still accessible. Analysis of the files test.jpg and test2.jpg revealed that they contained the same .NET-based payload, encoded using Base64. Last year, we documented Angry Likho attacks that used image files containing malicious code. Moreover, the filenames match those of the samples we recently discovered.
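Two findings above suggest a simple triage check: a payload that was handled as "shellcode" but turned out to carry an MZ/PE header, and .NET executables stored Base64-encoded in files named test.jpg and test2.jpg. The following is an added example, not Kaspersky's tooling or any code from the campaign: it scans a file for raw or Base64-encoded PE headers and, for each hit, reads the optional header to see whether data directory 14 (the CLR runtime header) is populated, which marks a .NET assembly. The JPEG-like carrier and the minimal PE header it builds are constructed test data, and the Base64 run-length threshold is an assumption.

```python
"""Triage check: is there a PE executable hidden in this file?

Two checks, both motivated by the analysis above: (1) the bytes themselves
start with an MZ/PE header (the "shellcode" that was really an executable),
and (2) a long run of Base64 text decodes to one (the .NET payload stored
in test.jpg / test2.jpg). For every hit the PE optional header is read to
see whether data directory 14 (the CLR runtime header) is populated, which
marks a .NET assembly.
"""
import base64
import re
import struct

# Assumption: a Base64 run shorter than this is unlikely to hold an
# executable, so shorter tokens (auth headers, IDs) are skipped.
MIN_B64_RUN = 256
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_RUN)


def parse_pe(data: bytes):
    """Validate the DOS/PE/optional headers of `data`.

    Returns {'machine': int, 'is_dotnet': bool} or None if it is not a PE.
    Only headers are checked; sections are not mapped.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info = {"machine": machine, "is_dotnet": False}
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(data):
        return info                     # PE with a truncated optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                  # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:                # PE32+
        count_off, dirs_off = 108, 112
    else:
        return info
    if count_off + 4 > opt_size:
        return info
    (dir_count,) = struct.unpack_from("<I", data, opt + count_off)
    clr_off = dirs_off + 14 * 8         # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if dir_count >= 15 and clr_off + 8 <= opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + clr_off)
        info["is_dotnet"] = clr_rva != 0 and clr_size != 0
    return info


def find_hidden_pe(blob: bytes):
    """Return [(offset, 'raw' | 'base64', info), ...] for every PE found."""
    hits = []
    info = parse_pe(blob)
    if info:
        hits.append((0, "raw", info))
    for m in _B64_RUN.finditer(blob):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]      # drop a ragged tail
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:                        # binascii.Error is a ValueError
            continue
        info = parse_pe(decoded)
        if info:
            hits.append((m.start(), "base64", info))
    return hits


def build_test_pe(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header image for testing; not a real sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt_size = 224                                                # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)   # CLR header RVA, size
    return dos + b"PE\0\0" + coff + bytes(opt)


def build_fake_image(payload: bytes) -> bytes:
    """Constructed 'test.jpg'-style carrier: JPEG magic, then Base64 text."""
    return b"\xff\xd8\xff\xe0" + b"JFIF padding..." + base64.b64encode(payload) + b"\xff\xd9"


if __name__ == "__main__":
    for name, blob in [("test.jpg (constructed)", build_fake_image(build_test_pe(True))),
                       ("dump.bin (constructed)", build_test_pe(False))]:
        for offset, enc, info in find_hidden_pe(blob):
            print(f"{name}: PE at offset {offset} ({enc}), machine=0x{info['machine']:x}, "
                  f".NET={info['is_dotnet']}")
```

A real carrier may wrap the Base64 in lines or sprinkle it with whitespace; stripping `\r\n` and spaces before the regex scan handles that, at the cost of offsets no longer mapping to the original file.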

This further confirms that the Angry Likho group, responsible for these attacks, remains an active threat. We are continuing to monitor this threat and providing up-to-date cyber intelligence data about it and the TTPs used by the group.

Victims


At the time of our investigation, our telemetry data showed hundreds of victims in Russia and several in Belarus. Most of the SFX archives had filenames and bait documents in Russian, thematically linked to government institutions in Russia. These institutions and their contractors are the primary targets of this campaign.

Attribution


We attribute this campaign to the APT group Angry Likho with a high degree of confidence. It shares certain similarities with findings from our colleagues at BI.ZONE and F6, as well as previous attacks by the group:

  1. The same initial implant structure (an archive with similar contents, sent in an email).
  2. Similar bait documents with the same naming patterns and themes, mostly written in Russian.
  3. Command files and AutoIt scripts used to install the implant are obfuscated similarly. Newer versions contain more sophisticated installation scripts, with extra layers of obfuscation to complicate analysis.
  4. The implant described in this report contains a known payload—the Lumma stealer (Trojan-PSW.Win32.Lumma). We have not previously seen this tool used in Angry Likho campaigns, but earlier attacks showed similar data exfiltration tactics, suggesting the group is still targeting cryptowallet files and user credentials.


Conclusion


We are continuing to monitor the activity of the Angry Likho APT, which targets Russian organizations. The group’s latest attacks use the Lumma stealer, which collects a vast amount of data from infected devices, including browser-stored banking details and cryptowallet files. As before, the complex infection chain was contained in a self-extracting archive distributed via email. We believe that the attackers crafted spear-phishing emails tailored to specific users, attaching bait files designed to attract their interest. Additionally, we identified more malicious samples linked to this campaign based on common command servers and repositories.
Let’s sum up by highlighting the notable features of this campaign and other similar ones:

  1. The attack techniques remain relatively consistent over time, with only minor modifications. Despite this, the attackers are successfully achieving their objectives.
  2. The attackers occasionally pause their activity, only to return with a new wave of attacks after a certain period.
  3. The group relies on readily available malicious utilities obtained from darknet forums, rather than developing its own tools. The only work they do themselves is writing mechanisms of malware delivery to the victim’s device and crafting targeted phishing emails.

To protect against such attacks, organizations need a comprehensive security solution that provides proactive threat hunting, 24/7 monitoring, and incident detection. Our product line for businesses helps identify and prevent attacks of any complexity at an early stage. The campaigns in this article rely on phishing emails as the initial attack vector, highlighting the importance of regular employee training and awareness programs for corporate security.

Indicators of compromise

File hashes
Implants


f8df6cf748cc3cf7c05ab18e798b3e91
ef8c77dc451f6c783d2c4ddb726de111
de26f488328ea0436199c5f728ecd82a
d4b75a8318befdb1474328a92f0fc79d
ba40c097e9d06130f366b86deb4a8124
b0844bb9a6b026569f9baf26a40c36f3
89052678dc147a01f3db76febf8441e4
842f8064a81eb5fc8828580a08d9b044
7c527c6607cc1bfa55ac0203bf395939
75fd9018433f5cbd2a4422d1f09b224e
729c24cc6a49fb635601eb88824aa276
69f6dcdb3d87392f300e9052de99d7ce
5e17d1a077f86f7ae4895a312176eba6
373ebf513d0838e1b8c3ce2028c3e673
351260c2873645e314a889170c7a7750
23ce22596f1c7d6db171753c1d2612fe
0c03efd969f6d9e6517c300f8fd92921
277acb857f1587221fc752f19be27187

Payload


faa47ecbcc846bf182e4ecf3f190a9f4
d8c6199b414bdf298b6a774e60515ba5
9d3337f0e95ece531909e4c8d9f1cc55
6bd84dfb987f9c40098d12e3959994bc
6396908315d9147de3dff98ab1ee4cbe
1e210fcc47eda459998c9a74c30f394e
fe0438938eef75e090a38d8b17687357

Bait files


e0f8d7ec2be638fbf3ddf8077e775b2d
cdd4cfac3ffe891eac5fb913076c4c40
b57b13e9883bbee7712e52616883d437
a3f4e422aecd0547692d172000e4b9b9
9871272af8b06b484f0529c10350a910
97b19d9709ed3b849d7628e2c31cdfc4
8e960334c786280e962db6475e0473ab
76e7cbab1955faa81ba0dda824ebb31d
7140dbd0ca6ef09c74188a41389b0799
5c3394e37c3d1208e499abe56e4ec7eb
47765d12f259325af8acda48b1cbad48
3e6cf927c0115f76ccf507d2f5913e02
32da6c4a44973a5847c4a969950fa4c4

Malicious domains


testdomain123123[.]shop
averageorganicfallfaw[.]shop
distincttangyflippan[.]shop
macabrecondfucews[.]shop
greentastellesqwm[.]shop
stickyyummyskiwffe[.]shop
sturdyregularrmsnhw[.]shop
lamentablegapingkwaq[.]shop
innerverdanytiresw[.]shop
standingcomperewhitwo[.]shop
uniedpureevenywjk[.]shop
spotlessimminentys[.]shop
specialadventurousw[.]shop
stronggemateraislw[.]shop
willingyhollowsk[.]shop
handsomelydicrwop[.]shop
softcallousdmykw[.]shop


securelist.com/angry-likho-apt…


Acoustic Engine Harnesses the Power of Sound


If you think sonic booms from supersonic aircraft are a nuisance, wait until the sky is full of planes propelled by up-scaled versions of this interesting but deafening audio resonance engine.

Granted, there’s a lot of work to do before this “Sonic Ramjet” can fly even something as small as an RC plane. Creator [invalid_credentials] came up with the idea for a sound-powered engine after listening to the subwoofers on a car’s audio system shaking the paint off the body. The current design uses a pair of speaker drivers firing into 3D printed chambers, which are designed based on Fibonacci ratios to optimize resonance. When the speakers are driven with a low-frequency sine wave, the chambers focus the acoustic energy into powerful jets, producing enough thrust to propel a small wheeled test rig across a table.

It’s fair to ask the obvious question: is the engine producing thrust, or is the test model moving thanks to the vibrations caused by the sound? [invalid_credentials] appears to have thought of that, with a video showing a test driver generating a powerful jet of air. Downloads to STL files for both the large and small versions of the resonating chamber are provided, if you want to give it a try yourself. Just be careful not to annoy the neighbors too much.

Thanks to [cabbage] for the tip via [r/3Dprinting].


hackaday.com/2025/02/21/acoust…


NoName057(16) launches its fourth day of DDoS attacks. Some sites down, Leonardo unaffected


The NoName057(16) hackers are continuing their Distributed Denial-of-Service (DDoS) attacks against Italian targets. Many of their Telegram channels were removed in recent days, a sign that the moderation of Durov's social network is starting to deliver the improvements that were touted.

Today the targets claimed in a post on the new Telegram channel are as follows:
❌Parmalat SpA online store
check-host.net/check-report/234a0982kba8

❌Marcegaglia, an industrial group producing carbon and stainless steel
check-host.net/check-report/234a0b66ka64

❌TechnoAlpin, which specialises in manual and fully automatic snowmaking systems
check-host.net/check-report/234a0cbek311

❌Leonardo, one of the largest engineering companies in Italy (dead on ping)
check-host.net/check-report/234a0ce3k64a

❌Alpi Aviation, an Italian manufacturer of ultralight aircraft
check-host.net/check-report/234a0de4k9a7
While the other sites are suffering from the anomalous connections, Leonardo's site is perfectly reachable, a sign that the company has the appropriate mitigations in place to respond to attacks like those launched by the DDoSia project.

As always, remember that DDoS attacks do not damage systems: for a limited period they prevent proper access to the web pages of the affected companies, and once the attack ends everything becomes available again.


What a Distributed Denial of Service attack is


A DDoS (Distributed Denial of Service) attack is a type of cyberattack in which a large volume of requests is sent to a server or website from many different machines at the same time, in order to overload the server's resources and make it inaccessible to its legitimate users.

These requests can be sent by a large number of malware-infected devices controlled by a criminal organisation, by a network of compromised computers called a botnet, or by other sources of illegitimate traffic. The aim of a DDoS attack is often to disrupt an organisation's or company's online activities, or to force it to pay a ransom to restore access to its online services.

DDoS attacks can cause significant damage to an organisation's online operations, including prolonged downtime, lost transactions and reputational damage. To protect themselves, organisations can adopt measures such as limiting network traffic from suspicious sources, using DDoS protection services, or designing systems that are resilient to DDoS attacks.

It should be noted that although DDoS attacks cause a temporary disruption of service, they have no impact on the confidentiality or integrity of data, only on its availability; once the attack is over, the site goes back to working exactly as before.

What cyber hacktivism is


Cyber hacktivism is a movement that uses hacking techniques to promote a political or social message. Hacktivists use their computer skills to carry out online actions such as unauthorised access to websites or networks, the release of confidential information, or the blocking of an organisation's online services.

The aim of cyber hacktivism is to raise public awareness of important issues such as freedom of expression, privacy, freedom of access to information or the fight against online censorship. Hacktivists may belong to organised groups or act individually, but in both cases they use their technical skills to create a social and political impact.

It is important to stress that cyber hacktivism should not be confused with cybercrime, that is, the use of hacking techniques for illicit purposes such as the theft of personal or financial data. While cybercrime is illegal, cyber hacktivism is sometimes regarded as legitimate when it aims to bring important issues to public attention and foster democratic debate. Nevertheless, hacktivists' actions can have legal consequences and hacktivists can be prosecuted for them.

Who the NoName057(16) hacktivists are


NoName057(16) is a hacker group that declared itself in March 2022 in support of the Russian Federation. It has claimed responsibility for cyberattacks on countries such as Ukraine, the United States and various other European countries. These attacks are generally carried out against government agencies, media outlets and the websites of private companies.

Information about the attacks carried out by NoName057(16) is published on the Telegram channel of the same name. According to Ukrainian media, the group is also involved in sending threatening letters to Ukrainian journalists. The hackers gained notoriety during a series of massive DDoS attacks on Lithuanian websites.

The DDoS techniques used by the group are mixed, with a preference for the "slow HTTP attack".

The "slow HTTP attack" technique


The "slow HTTP attack" (full article at this link) is a type of cyberattack that exploits the way web servers handle connections. The attacker sends many incomplete HTTP requests to the target server in order to keep server connections occupied for a prolonged period and deny access to the site's legitimate users.

Specifically, a slow HTTP attack abuses the structure of an HTTP request, which consists of a request line, headers and an optional body, together with the fact that the server must hold the connection open until the request is complete. The attacker opens many connections and sends the headers (or the body, in the slow POST variant) extremely slowly or never completes them, so each connection stays occupied and the server cannot free the resources needed to serve other requests.

This type of attack is particularly difficult to detect and mitigate, since the requests look legitimate and simply take an excessively long time to be processed by the server. Slow HTTP attacks can cause very slow response times or server downtime, making the online services hosted on that system inaccessible.

To protect against these attacks, organisations can implement measures such as web application firewalls (WAF), limits on the number of connections per client and on the time allowed to complete a request, and DDoS detection and mitigation systems.
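The concrete defence against the slow-header variant described above is a deadline on reading the request headers that grows only as fast as bytes actually arrive, which is what Apache's mod_reqtimeout (`RequestReadTimeout header=20-40,MinRate=500`) and equivalent settings in other servers enforce. The block below is an added illustration, not code from the article or from any web server: it models that policy and replays two constructed connection traces through it, a normal browser request and a Slowloris-style client that sends one bogus header line every ten seconds. Timings, traces and thresholds are constructed.

```python
"""Read deadline with a minimum data rate for request headers.

Models the server-side defence against slow-header (Slowloris-style) HTTP
attacks: a connection gets an initial budget to finish its request headers,
every byte received buys a little more time at `min_rate`, and a hard cap
bounds the total. A client that trickles one header line every few seconds
never earns enough time and is dropped; a real browser finishes in
milliseconds. The same shape of policy is what Apache's mod_reqtimeout
(`RequestReadTimeout header=20-40,MinRate=500`) enforces.
"""
from dataclasses import dataclass, field


@dataclass
class ReadTimeoutPolicy:
    initial: float = 20.0    # seconds allowed before any byte arrives
    maximum: float = 40.0    # hard cap on the header deadline
    min_rate: float = 500.0  # bytes/second needed to keep extending the deadline


@dataclass
class Connection:
    policy: ReadTimeoutPolicy
    opened_at: float
    buf: bytearray = field(default_factory=bytearray)
    deadline: float = field(init=False, default=0.0)
    state: str = "reading"   # reading | complete | dropped

    def __post_init__(self):
        self.deadline = self.opened_at + self.policy.initial

    def feed(self, now: float, data: bytes) -> str:
        """Account for `data` arriving at time `now`; return the new state."""
        if self.state != "reading":
            return self.state
        if now > self.deadline:
            self.state = "dropped"
            return self.state
        self.buf += data
        # Each byte extends the deadline by 1/min_rate seconds, never past the cap.
        self.deadline = min(self.deadline + len(data) / self.policy.min_rate,
                            self.opened_at + self.policy.maximum)
        if b"\r\n\r\n" in self.buf:          # blank line: request headers complete
            self.state = "complete"
        return self.state

    def tick(self, now: float) -> str:
        """Idle-timer check when no data has arrived."""
        if self.state == "reading" and now > self.deadline:
            self.state = "dropped"
        return self.state


def replay(policy: ReadTimeoutPolicy, trace):
    """Replay a constructed (time, bytes) trace; b"" marks an idle timer tick.

    Returns (final_state, time_at_which_it_was_reached)."""
    conn = Connection(policy, opened_at=trace[0][0])
    for t, chunk in trace:
        state = conn.feed(t, chunk) if chunk else conn.tick(t)
        if state != "reading":
            return state, t
    return conn.state, trace[-1][0]


# Constructed traces, not captured traffic.
LEGIT_TRACE = [
    (0.00, b"GET /index.html HTTP/1.1\r\n"),
    (0.02, b"Host: example.invalid\r\n"),
    (0.05, b"User-Agent: browser\r\n\r\n"),
]
# Slowloris-style: a partial request, then one bogus header line every
# ten seconds, never the blank line that would end the headers.
SLOW_TRACE = [(0.0, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n")] + [
    (10.0 * i, b"X-a: b\r\n") for i in range(1, 12)
]

if __name__ == "__main__":
    policy = ReadTimeoutPolicy()
    print("legit:", replay(policy, LEGIT_TRACE))   # ('complete', 0.05)
    print("slow: ", replay(policy, SLOW_TRACE))    # ('dropped', 30.0)
```

The slow client is cut off at 30 seconds having held the connection for only a few bytes, while the real request completes in 50 ms. A slowly sent body needs the same policy applied to the body phase (mod_reqtimeout's `body=` clause), and a per-IP connection limit complements both, since an attacker with many source addresses can still fill the connection table inside the deadline.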

The article "NoName057(16) launches its fourth day of DDoS attacks. Some sites down, Leonardo unaffected" originally appeared on il blog della sicurezza informatica.


$220 to get into the Italian State Police: EDRVendor's disturbing offer


On BreachForum, a user going by the pseudonym EDRVendor sold, within a few hours of announcing it, access to a mailbox of the Italian State Police.

Along with the mailbox, access is also offered to the law-enforcement portals of the main social networks: Meta (Facebook, WhatsApp and Instagram), TikTok and X.

The asking price is 220 dollars, and for 60 dollars more it was possible to get a "search warrant and an arrest warrant" bundled in.

EDRVendor's reputation on BreachForum is very high, and to vouch for the transaction the user points to their 5-star feedback on Escrow.

We looked into EDRVendor's profile, and they appear to specialise in selling government access.

Ready-to-use instructions straight from the IAB


What can be done by buying this kind of access? The answer is obvious, but in case there were any doubt, EDRVendor also offers a few suggestions.

Access to a police force's mailbox confers enough "credibility" to commit all sorts of offences. In the seller's own words, more or less:

  • Submit emergency data requests / search requests, including: call records / law-enforcement compliance requests (together with a subpoena/court order, or as an EDR);
  • Exploit the OSINT industry: (sign up with the government email and request free credits, subject to approval);
  • Extortion / scamming / spooking / vanity: the power to influence whoever you want, whenever you want;
  • Spread ransomware through government ranks or to individuals: what better catalyst for spreading ransomware?
  • Phish governments or individuals: people are more likely to fall for your phishing if it comes from a government email;
  • Request access to social media / law-enforcement panels and encryption services: pose as a government official and request access anywhere. Write and send letters of recommendation: why not;
  • Social engineering against other government officials to escalate privileges inside government infrastructure: pivot, pivot, pivot!

The post then notes that access to the law-enforcement portals provided by the social networks makes it possible to request information of any kind about user profiles, justifying the request as part of an ongoing investigation.

Furthermore, according to the Initial Access Broker, it is possible to submit an EDR (Emergency Data Request), after which information such as access logs, IP addresses, phone numbers and so on is handed over. An EDR may also require documents proving that the investigation is real, which is why the bundle on sale also included an "arrest warrant and a search warrant".

In the sales post, EDRVendor also includes screenshots demonstrating the actual ability to carry out an EDR against the various social media platforms.

Being able to retrieve information on any social media user this "easily" opens the door to very advanced CSINT (Closed Source Intelligence) scenarios.

In a post dated 23 January 2025, EDRVendor also gives away a very advanced guide to OSINT/doxxing tools and techniques, titled "Best and Most Comprehensive Guide To Doxing/OSINT You Will Find. [FREE!]".

In conclusion, it is important to understand the role that IABs (Initial Access Brokers) play in the underground landscape, opening the door to hacker groups that then exploit this access to carry out larger and potentially devastating attacks.

Before writing this article we informed the Polizia Postale, who told us they are already investigating the matter.

The article "$220 to get into the Italian State Police: EDRVendor's disturbing offer" originally appeared on il blog della sicurezza informatica.


3D Print Yourself A Split Flap Display


Split flap displays! They’re mechanical, clickety-clackity, and largely commercially irrelevant in our screen-obsessed age. That doesn’t mean you can’t have a ball making one of your own, though! [Morgan Manly] did just that, with tidy results.

An ESP32 C3 SuperMini serves as the boss of the operation, running the whole display. The display is designed to be modular, so you can daisy-chain multiple characters together to spell longer words. Each module has 37 characters, so it can display the alphabet, the numerals 0 to 9, and a blank. Each module contains a 28BYJ-48 stepper motor for controlling the flaps, a ULN2003 driver board to run it, and a PCF8575 IO expander to handle communication. An A3144 Hall effect sensor is also used for positional feedback to ensure the display always shows the right character. The flap mechanism itself is relatively straightforward: a drum carrying all 37 flaps is rotated until the correct character is reached, with the blank flap hosting a magnet to trigger the aforementioned Hall effect sensor. The flaps themselves are 3D-printed, with filament changes used to color the characters against the background.

If you’ve ever dreamed of building a flap-display clock or ticker, you needn’t dream of finding the perfect vintage example. You can just build your own! The added bonus is that you can make it as big or as small as you like. We’ve seen some interesting variations on the split flap concept recently, too. If you’re cooking up your own kooky electromechanical displays, don’t hesitate to let us know!


hackaday.com/2025/02/20/3d-pri…


Microsoft (Again) Claims Topological Quantum Computing With Majorana Zero Mode Anyons


Qubit instability is the fundamental flaw of today's quantum computers, so improving qubit stability remains the focus of much research in the field. One such attempt involves so-called topological quantum computing using anyons, which are two-dimensional quasiparticles. Such an approach has been claimed by Microsoft in a recent paper in Nature. This comes a few years after an earlier claim by Microsoft for much the same feat, which was found to be based on faulty science and hence retracted.

The claimed creation of anyons here involves Majorana fermions, which differ from the much more typical Dirac fermions. These Majorana fermions are bound with other such fermions as a Majorana zero mode (MZM), forming anyons that are intertwined (braided) to form what are in effect logic gates. In the Nature paper the Microsoft researchers demonstrate a superconductor-semiconductor hybrid device built around an indium-arsenide (InAs) nanowire, featuring a read-out circuit (a quantum dot interferometer) in which the capacitance of one of the quantum dots is said to vary in a way that suggests the nanowire device under test hosts MZMs at either end of the wire.

Microsoft has a dedicated website for its quantum computing efforts, though it remains essential to stress that this is not a confirmation until the research is replicated by independent researchers. If confirmed, MZMs could provide a way to build more reliable quantum computing circuitry that does not have to lean so heavily on error correction to get any usable output. Other, competing efforts here include hybrid mechanical qubits and antimony-based qubits that should be more stable owing to their eight spin configurations.


hackaday.com/2025/02/20/micros…


Open-Source Random Numbers


Whether it’s a game of D&D or encrypting top-secret information, a wide array of methods are available for generating the needed random numbers with high enough entropy for their use case. For a tabletop game this might be a single die but for more sensitive applications a more robust method of generating random numbers is needed. Programmers might reach for a rand() function of some sort, but these pseudorandom numbers don’t cut the mustard for encryption. For that you’ll need a true random number generator (RNG), and this open-source hardware RNG uses one of the better methods we’ve seen.

The device, called RAVA, is based on a property found in many electronic devices called avalanche breakdown. Avalanche breakdown occurs when a high voltage (in this case approximately 25 V) is applied in the reverse-bias direction, with this device using a pair of Zener diodes. When this voltage is applied, an "avalanche" of carriers occurs which allows the diodes to conduct in the direction opposite to their forward-biased one. This isn't a constant current flow, though; there are slight variations over time which can be amplified and used as the random number generator. The noise is amplified over a series of op amps and then fed to an ATmega32U4 microcontroller which can provide the user with 136.0 kbit/s of random data.

Unlike other random number generators, this device is based on a method generally accepted to be truly random. Not only that, but since it's based on discrete hardware it can be accessed directly for monitoring and replacement in case of faults, unlike other methods which are more "black boxes", more opaque in their processes and thus harder to audit. We also appreciate its open-source nature, and for more information be sure to check out the paper on it in IEEE. If you're looking for something to generate random numbers that will also bring some extra flair to the next game night, take a look at this radioactive dice replacement.
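The paragraph above notes that a discrete noise source can be monitored for faults. The standard way to do that at runtime is the pair of continuous health tests from NIST SP 800-90B: a repetition count test, which catches a source stuck on one value (for example a Zener diode that has stopped avalanching or an op amp pinned to a rail), and an adaptive proportion test, which catches a source that has become strongly biased. The block below is an added example, not RAVA's firmware or the code from the IEEE paper; it runs both tests over constructed byte streams that stand in for the raw, unconditioned output of the generator. The entropy claim of 8 bits per byte and the 2^-20 false-alarm rate are assumptions used only to derive the cutoffs.

```python
"""Continuous health tests for a raw noise source (NIST SP 800-90B, 4.4).

Repetition Count Test (RCT): fails when the same sample value repeats
`cutoff` times in a row, which is what a Zener diode that has stopped
avalanching (or an op amp stuck at a rail) looks like.
Adaptive Proportion Test (APT): fails when the first sample of a window
recurs too often within that window, i.e. the source has become biased.
Both run on the raw bytes before any whitening, so faults are not masked.
"""
import math

ALPHA_LOG2 = 20           # false-alarm probability 2^-20 (assumption)
ENTROPY_PER_SAMPLE = 8.0  # claimed min-entropy per 8-bit sample (assumption)
APT_WINDOW = 512          # SP 800-90B window for non-binary sources
APT_CUTOFF = 13           # CRITBINOM(512, 2^-8, 1 - 2^-20) for the values above


def rct_cutoff(h: float = ENTROPY_PER_SAMPLE) -> int:
    """SP 800-90B: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(ALPHA_LOG2 / h)


def repetition_count_test(samples: bytes, cutoff: int = None):
    """Index at which `cutoff` identical consecutive samples were seen, else None."""
    if cutoff is None:
        cutoff = rct_cutoff()
    run, prev = 0, None
    for i, s in enumerate(samples):
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return i
    return None


def adaptive_proportion_test(samples: bytes, window: int = APT_WINDOW,
                             cutoff: int = APT_CUTOFF):
    """Start index of the first non-overlapping window that failed, else None.

    The window's first sample is the reference; the count includes it."""
    for start in range(0, len(samples) - window + 1, window):
        win = samples[start:start + window]
        if win.count(win[0]) >= cutoff:
            return start
    return None


def health_check(samples: bytes) -> dict:
    """Run both tests; a failure should stop output until the source is re-tested."""
    rct = repetition_count_test(samples)
    apt = adaptive_proportion_test(samples)
    return {"rct_failed_at": rct, "apt_failed_at": apt,
            "healthy": rct is None and apt is None}


# Constructed streams standing in for raw generator output; not device data.
GOOD = bytes(range(256)) * 4                        # 1024 samples, no runs, no bias
STUCK = GOOD[:100] + b"\x41" * 10 + GOOD[110:]       # source flat for 10 samples
BIASED = bytes(0x41 if i % 30 == 0 else (i * 37) % 256 for i in range(1024))

if __name__ == "__main__":
    for name, stream in [("good", GOOD), ("stuck", STUCK), ("biased", BIASED)]:
        print(name, health_check(stream))
```

In a real device these tests run on the microcontroller over every sample before conditioning, and a failure should latch the output off rather than just log it; a raw source that passes them is still not proof of full entropy, which is what the offline estimators in SP 800-90B are for.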


hackaday.com/2025/02/20/open-s…


DIY Yagi Antenna Sends LoRa Signals Farther


LoRa gear can be great for doing radio communications in a light-weight and low-power way. However, it can also work over great distances if you have the right hardware—and the right antennas in particular. [taste_the_code] has been experimenting in this regard, and whipped up a simple yagi antenna that can work at distances of up to 40 kilometers.

The basic mathematics behind the yagi antenna are well understood. To that end, [taste_the_code] used a simple online calculator to determine the correct dimensions to build a yagi out of 2 mm diameter wire, tuned for the relevant frequency of 868 MHz. The build uses a 3D-printed boom with a handle and holes for inserting each individual wire element in the right spot, with little measuring required once the wires are cut, since the print is dimensionally accurate. It was then just a matter of wiring it up to the right connector to suit the gear.

The antenna was tested with a Reyax RYLR998 module acting as a base station, with the DIY yagi hooked up to a RYLR993 module in the field. In testing, [taste_the_code] was able to communicate reliably from 40 kilometers away.

We’ve featured some other unique LoRa antenna builds before, too. Video after the break.

youtube.com/embed/gA5SCXw_E1Q?…


hackaday.com/2025/02/20/diy-ya…


UNIX Archaeology Turns Up 1972 “V2 Beta”


In 1997 a set of DEC tapes were provided by Dennis Ritchie, as historical artifacts for those interested in the gestation of the UNIX operating system. The resulting archive files have recently been analysed by [Yfeng Gao], who has succeeded in recovering a working UNIX version from 1972. What makes it particularly interesting is that this is not a released version, instead it’s a work in progress sitting somewhere between versions 1 and 2. He’s therefore taken the liberty of naming it “V2 Beta”.

If you happen to have a PDP-11/20 you should be able to run this operating system for yourself, and for those of us without he’s provided information on which emulator will work. The interesting information for us comes in the README accompanying the tapes themselves, and in those accompanying the analysis. Aside from file fragments left over from previous users of the same tape, we learn about the state of UNIX time in 1972. This dates from the period when increments were in sixtieths of a second due to the ease of using the mains power frequency in a PDP, so with a 32-bit counter they were facing imminent roll-over. The 1970-01-01 epoch and one second increments would be adopted later in the year, but meanwhile this is an unusual curio.

If you manage to run this OS, and especially if you find anything further in the files, we’d love to hear. Meanwhile, this is not the oldest UNIX out there.


PDP-11/20 image: Don DeBold, CC BY 2.0.


hackaday.com/2025/02/20/unix-a…


Digital forensics and digital investigations: a Made in Italy sweep tool against spyware and man-in-the-middle attacks


The role of digital forensics in preventing and solving cybercrime continues to evolve alongside technological innovation, making a proactive approach to fighting cybercrime ever more vital.

Digital forensic science, whose main task is the recovery, analysis and examination of digital evidence in legal or criminal proceedings, is also becoming increasingly vital to cybersecurity and information security. For this reason forensic investigators refine their strategies every day, concentrating on investigations into cybercrimes such as fraud and unauthorised access, intellectual property theft, data breaches, malware analysis and, finally, unauthorised traffic and network traffic during a web attack. In this regard, new tools are emerging for sweeping devices against particularly dangerous Trojan spyware and man-in-the-middle attacks, one of the most insidious threats online, since most of the time the victim may not realise they have been targeted.

Lately mobile phones are increasingly the target: this allows criminals to access sensitive data, intercept traffic, conversations or an individual's location, or even manipulate the devices.

We interviewed forensic analysis expert Gabriele Gardella of G&G Computers Forense, who explained to us how M2Bridge NEW works, a Made in Italy project in the anti-spy field, as well as the various threats and some preliminary checks to carry out on a device to test whether it has been targeted by malicious software.

M2Bridge NEW: monitoring and analysing traffic to detect Trojan spyware and protect against the most sophisticated digital threats


M2Bridge NEW by G&G Computers Forense is a device that uses passive sniffing ("man in the middle") technology, allowing the data traffic of any phone or tablet to be monitored and analysed in order to detect the possible presence of Trojan spyware on the device. This often becomes necessary to secure the device, at the convergence of cybersecurity and physical security.
Image: M2Bridge NEW by G&G Computers Forense

Spyware: the attack types and vulnerabilities to keep under control


To understand how widespread spyware and online dangers are, it is enough to read one of the Amnesty International reports highlighting the discovery, with forensic evidence, of how Serbian authorities used certain products (including Cellebrite or NoviSpy) to put the mobile phones of activists and journalists under surveillance. This software exploited a zero-day vulnerability in Android devices, thereby bypassing security settings. The vulnerability in fact affected millions of devices worldwide that used popular Qualcomm chipsets. We could then also mention the Paragon case, whose Graphite spyware was used to target at least 90 people in two dozen countries. Here too, investigative journalists and activists were targeted, in an affair that sparked a heated political debate in Italy. But Trojan Spy software is not used only for surveillance: mobile devices are an entry point for cybercriminals to obtain passwords and critical information and then infiltrate corporate networks. Above all, it is important to consider that some of this spyware ends up on the Dark Web black market: this happened when access to the Pegasus software was put up for sale for the exorbitant sum of $1,500,000, advertised by "a Telegram channel of supposed Russian origin, known as a meeting point for digital wrongdoers".

Trojan-Spy programs are insidious software that obtain system privileges and can spy on how a device is used, taking control of it and even knocking it out, as well as monitoring and manipulating data, capturing screenshots or obtaining a list of running applications. The espionage and wiretapping capabilities of this spyware are surprisingly invasive: a device under control can become a fully fledged GPS tracker. We asked Gabriele Gardella what dangers malware of this kind poses in light of the growth in cybercrime, and what the risk is for a user infected by a Trojan-Spy, beyond privacy issues.

Gabriele Gardella: The rise in cybercrime makes Trojan Spy software particularly dangerous. This malicious software, insidious and hard to detect, can seriously compromise your security and privacy. The main dangers include:

  1. Theft of sensitive data such as personal information, company data and private conversations. As for personal information, trojans can steal passwords, banking details, credit card numbers, identity documents, addresses, phone numbers and other personal information, which can be used for identity theft, financial fraud or blackmail. As for company data, if your infected device is used for work, cybercriminals can access confidential company information such as projects, contracts, financial data or trade secrets, causing serious economic and reputational damage. Finally, regarding private conversations, malware can intercept calls, messages, emails and other communications, violating your privacy and obtaining information that can be used against you.
  2. Espionage and remote control: trojans can carry out constant surveillance: they can activate your device's webcam and microphone without your knowledge, allowing cybercriminals to watch and listen to you at any time. In some cases, criminals can take complete control of the device, allowing them to steal data, install other malware, send emails or messages in your name (with economic and reputational risks) or perform other harmful actions that can damage the device.

But how can we protect ourselves?

Gabriele Gardella of G&G Computers Forense told us about the various types of attack to which each of us may be vulnerable.

Beyond the well-known phishing, which pushes us to download malicious attachments or malware, also through social engineering, there are unfortunately "unsecured public Wi-Fi networks, which can expose the phone to the risk of data interception", Gabriele pointed out. In addition to the vulnerabilities of our devices, their operating system or the applications we download, which can compromise our security, there are "spam SMS messages and calls, which can be used to send malicious links or attachments, or to scam the victim", he added. Then there are "SIM swapping" attacks, in which the victim's phone number is transferred to a new SIM card controlled by the criminal, who uses it to access the victim's messages, calls, emails and other data. Last but not least are "Man-in-the-Middle (MitM) attacks, which consist of intercepting communications between the phone and a server to steal data or alter the information exchanged".

RHC: What preliminary checks can be performed on a device to notice that it has been targeted?

Gabriele Gardella: There are mainly a few factors that can alert the user, such as:

  • A general slowdown of the device: it has become slower than usual, apps open with difficulty or crash often.
  • Abnormal overheating: the phone heats up even when it is not being used intensively.
  • Excessive battery drain: the battery runs down much faster than usual, even in standby.


M2 Bridge New: where the Made in Italy project comes from and what its main features are


Trojan-Spy programs are often distributed through websites and fake apps and are a serious problem: removing them immediately is a high priority. This is where M2 Bridge New by MgExtreme comes in. We asked Gabriele Gardella to tell us where the project originated and how it has evolved over time to address new cybersecurity risks.

Gabriele Gardella: The project came to life at the beginning of 2021 from an idea by Marco Muratori (www.mgextreme.com). At that time there was no hardware appliance yet and everything was handled by a PC. In May of the same year the first prototype, named M2 Bridge, was born, and in August an evolution of it, namely the final product. July 2024 was a truly important date: thanks to expert collaborators whom I coordinate and supervise, and to careful engineering research, M2 Bridge New as we know it today came to life.

It is important to point out that the M2 Bridge New device carries regular CE certification, attesting its conformity to European safety standards and its full suitability for use and sale. This conformity also extends to the validity of the reports generated.
Image: M2Bridge New, sniffing (passive Man in the Middle).
RHC: Investigative tools have come a long way in digital forensics and continue to play an important role in criminal and civil cases. How are the analysis and clean-up of a device performed with M2 Bridge New? Does the traffic interception respect the user's privacy?

Gabriele Gardella: It is essential that the owner of the phone is in the same room as M2 Bridge New; it is enough for the phone to connect to the local Wi-Fi network that M2 Bridge New generates and for the owner to follow the operator's instructions. We therefore guarantee maximum confidentiality and respect for privacy; in fact the phone or tablet being analyzed is not even "touched by the operator".

A report (PDF in Italian) is generated automatically, producing certified documentation that is admissible and usable in legal proceedings, plus a capture.pcap file for use and analysis by a specialist in digital forensics. Any device with any operating system can be analyzed, and the analysis is extremely fast and automated.
Image: M2 Bridge New, example of an automatically generated capture.pcap file

RHC: Detecting spyware on a device secures a whole network of people: in your opinion, how does M2 Bridge New contribute to cybersecurity, and how can it be useful for immediate incident response and for understanding ongoing attacks?

Gabriele Gardella: M2 Bridge New, an innovation in information security, represents a qualitative leap in the field of cybersecurity, offering a cutting-edge solution for protection against the most sophisticated digital threats. This intelligent system is the result of an in-depth analysis of the tactics used by cybercriminals in their campaigns against government institutions, businesses, civil society organizations and private citizens.

The article Digital forensics and digital investigations: a Made in Italy clean-up tool against spyware and Man-in-the-Middle attacks originally appeared on il blog della sicurezza informatica.


Pico Gets a Speed Bump


The release notes for the 2.1.1 Raspberry Pi Pico SDK have a late holiday present: The RP2040 chip is now certified to run at 200 MHz if you use at least 1.15V as the supply voltage.

Previously, the certified speed was 125 MHz, although it was well-known you could overclock the device. By default, the 125 MHz figure is still what you’ll get, though. If you want a higher frequency, you need to set SYS_CLK_MHZ to 200 or even 250 before doing a build.

They hint that more speed increases may happen in the future. If you want to go as fast as they'll allow, you can set PICO_USE_FASTEST_SUPPORTED_CLOCK=1 instead. This will always pick the highest supported frequency, which is currently 250 MHz.

There are other updates, too, of course. We noted several bug fixes and a new version of TinyUSB. There are also some new examples, including a few that they forgot to mention in version 2.1.0. We were particularly interested in the mqtt examples, a PIO/DMA UART example, and the multi CDC USB example, something we’ve struggled to work around before on other projects.

So what will you do with a faster Pico? We doubt we are going to see a practical 1 GHz overclock. The emphasis is on the word practical. But we have seen 312 MHz.


hackaday.com/2025/02/20/pico-g…


Linkc Ransomware: The New Cyber Gang Targeting Artificial Intelligence


During the DarkLab group's underground analysis activities, we came across an onion site that appears to be the Data Leak Site (DLS) of a new ransomware cyber gang.

This new actor, called Linkc, is behind a recent hit against H2O.ai. Its Data Leak Site, a minimalist page with no further information, shows only the essentials: a leak of sensitive data and source code belonging to a company specializing in Artificial Intelligence.

New Group, Old Patterns?


Although Linkc presents itself as a brand-new group, the operation follows the now well-established double-extortion model:

  1. Compromise and encryption of the victim company's systems.
  2. Exfiltration and gradual publication of sensitive data on a Data Leak Site.

What is new in this case is the extreme bareness of the leak portal, which features:

  • A logo and a short post.
  • Details of the H2O.ai compromise.
  • No additional sections (FAQ, contacts, "about us").

This choice may serve operational security (less traceability) and greater media impact: showing the prey and the stolen data right away.

The First Alleged Victim: H2O.ai


The Linkc group chose as its first target a company specializing in the development of Machine Learning platforms and AI services. According to what has been reported:

  • Non-anonymized customer datasets, intended for training AI models, were stolen.
  • The complete source code of Git projects was exfiltrated, including autonomous-driving software and GPT models.

At the moment, we cannot confirm the veracity of the news, since the organization has not yet released any official press statement about the incident on its website. This article should therefore be considered an 'intelligence source'.

Why H2O.ai?


  • High visibility: hitting a company that works with AI makes more media "noise".
  • Value of the data: proprietary datasets and AI source code are assets of great interest for unfair competition, industrial espionage and cybercrime.
  • Image pressure: tech companies are often judged (and sometimes penalized) for any security flaws.


Conclusions


Linkc has made its debut on the cybercrime scene with an intimidating approach and a minimalist portal. The choice to target H2O.ai immediately highlighted its inclination to hit organizations linked to Artificial Intelligence, potentially to monetize high-value data and technology. For those working in cybersecurity, it is essential to:

  • Keep a high level of vigilance over AI platforms and sensitive assets.
  • Study the Indicators of Compromise (IoCs) and TTPs of new groups such as Linkc.
  • Share threat intelligence in real time, joining forces and expertise to contain the ransomware phenomenon.

The cybercrime world is constantly evolving, and Linkc is yet another confirmation of this. It remains to be seen whether this group will continue with other high-profile offensives or limit itself to selected cases. In the meantime, security experts will have to further refine their monitoring and defense tools, preparing for new digital extortion tactics.

As is our custom, we always leave room for a statement from the company should it wish to give us updates on the matter. We will be happy to publish such information in a dedicated article, giving the issue due prominence.

RHC will monitor the evolution of the story in order to publish further news on the blog should there be substantial developments. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower's encrypted email.

The article Linkc Ransomware: The New Cyber Gang Targeting Artificial Intelligence originally appeared on il blog della sicurezza informatica.


Microwave Motion Detector Notifies Your Smart Phone


Your garden variety motion detector uses IR, but these days, there are fancier technologies for achieving similar goals. If so desired, you can source yourself a microwave-based presence sensor instead. Indeed, like [N-08 Labs], you might like to whip one up into a basic intrusion detection system.

The idea is simple enough—take an RCWL-0516 microwave presence sensor, and set it up to detect motion and warn you when it happens. It’s a simple part to use—it simply drives a 3.3 volt logic output high if it detects someone or something. It basically just emits a microwave signal and detects a change in phase when someone or something—usually something fleshy—is in front of it. [N-08 Labs] simply hooked one up to an IO pin on an ESP8266, with the microcontroller board set up to communicate wirelessly with a Blynk IoT app, which then in turn fires off a smartphone notification that the sensor picked something up. The whole thing is built inside the shell of an AC adapter that provides power and lets it easily hide in plain sight.

A project like this doesn’t just have to be for security purposes. You might even just use it to determine when your pet (or a raccoon) is using the cat door, or similar. Indeed, we’ve seen great solutions to that particular problem, too. Video after the break.

youtube.com/embed/LwFUjJAT_88?…


hackaday.com/2025/02/20/microw…


You’ve Got All Year To Print This Marble Machine Ornament For Your Christmas Tree


Most Christmas ornaments just hang there and look pretty. [Sean Hodgins] decided to whip up something altogether fancier and more mechanical. It’s a real working marble machine that hangs from the tree!

The build is simple enough, beginning with a translucent Christmas ornament shell readily available from most craft stores. Inside, a small motor spins a pinion, which turns a larger gear inside the body. As the larger gear spins, magnets embedded inside pick up steel balls from the base of the ornament and lift them up to the top. As they reach their zenith, they’re plucked off by a scoop, and then they roll down a spiral inside. As for power, [Sean] simply handled that with a couple of wires feeding the motor from a USB power bank. Just about any small battery pack would do fine.

The build is beautiful to watch and to listen to, with a gentle clacking as the balls circulate around. Files are on MakerWorld for the curious. We’ve featured some great Christmas decorations before, too. Video after the break.

youtube.com/embed/PUvCP1_2Gww?…


hackaday.com/2025/02/20/youve-…


NoName057(16) claims another day of DDoS attacks on Italian infrastructure


The NoName057(16) hackers continue to hit Italian targets with Distributed Denial-of-Service (DDoS) attacks. This comes while another "war" is being waged by Telegram against the hacktivists, who have been forced to recreate their channels after deletions by the messenger's moderators.

Specifically, today, after yet another deletion of the Russian-language Telegram group, they launched further bursts of DDoS against Italian targets, some of which we have seen collapse in similar episodes. This time, in the DDoSia project group, the hacktivists report:
Bursts of DDoS sent to Italian sites

Port of Olbia and Golfo Arancia
check-host.net/check-report/2342e893k8db

❌ Management of the port system of the central-northern Adriatic Sea (dead on ping)
check-host.net/check-report/2342eb89kf38

❌ North Adriatic Port Authority
check-host.net/check-report/2342e9ebkc6c

❌ GENOA PORTS have 4 port basins: Genoa, Pra, Savona and Vado Ligure, which together form the most important port system in Italy and the third cruise port in Europe, as well as the fifth container transport platform in Europe.
check-host.net/check-report/2342ec89k5be

❌ Port System Authority of the Central-Northern Tyrrhenian Sea, Ports of Civitavecchia - Fiumicino - Gaeta
check-host.net/check-report/2342edf4ka1

❌ Public transport in Bergamo
check-host.net/check-report/2342eec7kb18

❌ Public transport in Cagliari (closed for geo reasons)
check-host.net/check-report/2342efe5kb85

❌ Italian standardization body
check-host.net/check-report/2342f0fdkbbe
NoName057(16) is a hacker group that declared itself in March 2022 in support of the Russian Federation. They have claimed responsibility for cyberattacks on countries such as Ukraine, the United States and various other European countries. These attacks are typically carried out against government agencies, media and private company websites.

What is a Distributed Denial of Service attack


A DDoS (Distributed Denial of Service) attack is a type of cyberattack in which a large number of requests are sent to a server or website from many different machines at the same time, in order to overload the server's resources and make it inaccessible to its legitimate users.

These requests can be sent from a large number of devices infected with malware and controlled by a criminal organization, from a network of compromised computers called a botnet, or from other illegitimate traffic sources. The goal of a DDoS attack is often to disrupt the online activities of an organization or company, or to force it to pay a ransom to restore access to its online services.

DDoS attacks can cause significant damage to an organization's online activities, including prolonged downtime, data loss and reputational damage. To protect themselves from these attacks, organizations can adopt security measures such as limiting network traffic from suspicious sources, using DDoS protection services, or designing systems that are resilient to DDoS attacks.

It should be noted that DDoS attacks, while causing a temporary outage of systems, have no impact on the confidentiality and integrity of data, but only on their availability. Therefore, once the DDoS attack is over, the site resumes operating exactly as before.

What is cyber hacktivism


Cyber hacktivism is a movement that uses hacking techniques to promote a political or social message. Hacktivists use their computer skills to carry out online actions such as unauthorized access to websites or computer networks, the disclosure of confidential information, or the blocking of a given organization's online services.

The goal of cyber hacktivism is to raise public awareness of important issues such as freedom of expression, privacy, freedom of access to information or the fight against online censorship. Hacktivists may belong to organized groups or act individually, but in both cases they use their computer skills to create a social and political impact.

It is important to stress that cyber hacktivism should not be confused with cybercrime, namely the practice of using hacking techniques for illicit purposes such as the theft of personal or financial data. While cybercrime is illegal, cyber hacktivism may be considered legitimate if it aims to bring important issues to public attention and to foster democratic debate. However, hacktivists' actions can have legal consequences, and hacktivists can be prosecuted for them.

Who are the NoName057(16) hacktivists


NoName057(16) is a hacker group that declared itself in March 2022 in support of the Russian Federation. They have claimed responsibility for cyberattacks on countries such as Ukraine, the United States and various other European countries. These attacks are typically carried out against government agencies, media and private company websites.

Information on the attacks carried out by NoName057(16) is published on the Telegram messaging channel of the same name. According to Ukrainian media, the group is also involved in sending threatening letters to Ukrainian journalists. The hackers gained their notoriety during a series of massive DDoS attacks on Lithuanian websites.

The DDoS techniques used by the group are mixed, with a preference for the "Slow HTTP attack".

The "Slow HTTP Attack" technique


The "Slow HTTP Attack" (full article at this link) is a type of cyberattack that exploits a weakness of web servers. In this type of attack, the attacker sends many incomplete HTTP requests to the target server, with the aim of keeping the server's connections busy for a prolonged period and preventing legitimate users from accessing the site.

Specifically, the Slow HTTP attack exploits the way the HTTP protocol works, which provides that an HTTP request is made up of three parts: the request, the response and the message body. The attacker sends many incomplete HTTP requests, in which the message body is sent very slowly or incompletely, tying up the connection and preventing the server from freeing the resources needed to serve other requests.

This type of attack is particularly difficult to detect and mitigate, since the requests appear legitimate but take an excessive amount of time for the server to process. Slow HTTP attacks can cause very slow response times or server downtime, making it impossible to access the online services hosted on that system.

To protect themselves from these attacks, organizations can implement security solutions such as web application firewalls (WAF), limiting the number of connections to the server, and using DDoS detection and mitigation systems.

The article NoName057(16) claims another day of DDoS attacks on Italian infrastructure originally appeared on il blog della sicurezza informatica.


Reconstructing 3D Objects With a Tiny Distance Sensor


There are a whole bunch of different ways to create 3D scans of objects these days. Researchers at the [UW Graphics Lab] have demonstrated how to use a small, cheap time-of-flight sensor to generate scans effectively.
Not yet perfect, but the technique does work…
The key is in how time-of-flight sensors work. They shoot out a distinct pulse of light, and then determine how long that pulse takes to bounce back. This allows them to perform a simple ranging calculation to determine how far they are from a surface or object.

However, in truth, these sensors aren’t measuring distance to a single point. They’re measuring the intensity of the received return pulse over time, called the “transient histogram”, and then processing it. If you use the full mathematical information in the histogram, rather than just the range figures, it’s possible to recreate 3D geometry as seen by the sensor, through the use of some neat mathematics and a neural network. It’s all explained in great detail in the research paper.

The technique isn’t perfect; there are some inconsistencies between what it captures and the true geometry of the objects it’s looking at. Still, the technique is young, and more work could refine its outputs further.

If you don’t mind getting messy, there are other neat scanning techniques out there—like using a camera and some milk.

youtube.com/embed/4m9GzPTr8y4?…


hackaday.com/2025/02/20/recons…


Goodbye GPS: MIT's new drone flies with millimeter waves!


MIT researchers have presented the MiFly system, which allows drones to navigate indoor spaces without GPS. This new technology could greatly simplify navigation in warehouses, tunnels and other places with limited lighting.

Unlike existing technologies that require multiple sensors and cameras, MiFly uses a single compact RF tag. This tag works as a passive reflector: it captures and returns the millimeter waves emitted by the drone. These waves can pass through plastic and cardboard and work even in complete darkness.

MiFly's key feature is its ability to separate signals from the environment. Since the surrounding surfaces reflect waves at one frequency and the tag at another, the drone can extract only the data it needs. This improves navigation accuracy by reducing the influence of extraneous interference.

During tests in MIT laboratories, underground tunnels and other restricted areas, the system achieved a localization accuracy within 7 centimeters. This makes it suitable for commercial use.

One of the main problems when working with millimeter waves is suppressing unwanted reflections from walls and floors. The developers used a modulation method in which the tag changes the frequency of the reflected signals, which helps the drone filter out noise better.

MiFly opens up new possibilities for warehouse automation. Drones will be able to move loads independently, without the need for complex infrastructure or constant human supervision. The technology could also find application in situations where traditional navigation methods do not work, such as search and rescue operations.

The developers intend to improve MiFly by extending its range and its resistance to interference, which will make the system suitable for widespread commercial use.

The article Goodbye GPS: MIT's new drone flies with millimeter waves! originally appeared on il blog della sicurezza informatica.


Water Jets Will Carve Your Pumpkin


Carving pumpkins by hand is hot, sweaty, messy work, and a great way to slice your way into a critical artery. Why not let a water jet do it for you? It’ll be cleaner and more precise to boot, and [Jo_Journey] is here to show us how.
So sharp!
Obviously, you’ll need a water jet machine; there’s no getting around that. You’ll also still have to do the basic preparation of the pumpkin yourself—cutting a porthole into the top and mucking it out is your job. With that done, you must then mount the pumpkin on two metal rods, which will be used to hold it in the water jet machine’s working area.

You can then create a vector file of your design, and use your chosen software to generate the G-code to run the water jet. [Jo_Journey] uses Scribe, and recommends cutting at a speed of around 200 in/min at low pressure. Remember, it’s pumpkin you’re cutting, not high-strength steel.

There is some inaccuracy, of course—your pumpkin’s surface is not a flat plane, after all—but the results are good enough for most Halloween-related purposes. Even despite the geometrical issues, though, [Jo_Journey] shows us that you can get pleasantly sharp edges on your design. That’s very hard to achieve by hand!

We do love a good holiday hack around these parts, even if it’s out of season. If you’ve been cooking up your own pumpkinous plans, don’t hesitate to let us know! Earlier is sometimes better—after all, who has time to hack together a project if you’ve just read about it on October 29?


hackaday.com/2025/02/20/water-…


Managed detection and response in 2024


Kaspersky Managed Detection and Response service (MDR) provides round-the-clock monitoring and threat detection, based on Kaspersky technologies and expertise. The annual MDR analyst report presents insights based on the analysis of incidents detected by Kaspersky’s SOC team. It sheds light on the most prevalent attacker tactics, techniques, and tools, as well as the characteristics of identified incidents and their distribution across regions and industry sectors among MDR customers.
This report answers key questions, including:

  • Who are the potential attackers?
  • What methods are they using today?
  • How can their activities be effectively detected?


Security incident statistics for 2024


In 2024, the MDR infrastructure received and processed on average 15,000 telemetry events per host every day, generating security alerts as a result. Around 26% of these alerts were processed by machine learning algorithms and the rest were analyzed by the SOC team. On average, more than two high-severity incidents were detected daily. MDR customers were informed about all identified incidents via the MDR portal.

Geography of MDR customers


Kaspersky MDR customers span the globe, giving us a comprehensive and objective view of regional attack behaviors and tactics. The largest concentration of customers is in Europe, the CIS, and the META regions.

Kaspersky MDR customers by region

Distribution of incidents by industry


In 2024, the MDR team observed the highest number of incidents in the industrial (25.7%), financial (14.1%), and government (11.7%) sectors. However, if we consider only high-severity incidents, the distribution is somewhat different: 22.8% in IT, 18.3% in government, 17.8% in industrial, and 11.9% in the financial sector.

The most attacked industries

General observations and recommendations


In 2024, we observed the following trends in the incidents detected by our SOC team:

  • High-severity incidents decreased, but complexity increased. The number of high-severity incidents decreased by 34% compared to 2023. However, the mean time to investigate and report these incidents increased by 48%, indicating a rise in the average complexity of attacks. This is supported by the fact that the vast majority of triggered detection rules and IoAs were from specialized XDR tools. This marks a shift from previous years, where OS log-based detection played a significant role. Given this trend, specialized tools like XDR are essential for effectively detecting and investigating modern threats.
  • Human-driven targeted attacks are increasing. Human-driven targeted attacks accounted for 43% of high-severity incidents – 74% more than in 2023 and 43% more than in 2022. Despite advances in automated detection tools, motivated attackers continue to find ways to bypass them. To counter such threats, human-driven solutions like Managed Detection and Response are critical. For organizations with in-house security operations teams, internal processes and technologies must be equipped to handle the modern threat landscape. Comprehensive SOC consulting services can help achieve this.
  • Attackers often return after a successful breach. The statistics consistently show that attackers often return after a successful attack. This is especially evident in the government sector, where attackers aim to persist in the system long-term for espionage purposes. In such cases, combining an XDR-equipped in-house SOC or outsourced MDR with regular Compromise Assessments is an effective way to detect and investigate incidents that may be missed by existing security measures.
  • Living off the Land techniques remain prevalent. Attackers often use Living off the Land (LotL) methods in infrastructures lacking proper system configuration controls. A significant number of incidents are linked to unauthorized changes, such as adding accounts to privileged groups or weakening secure configurations. To minimize false positives in these scenarios, effective configuration management and formal procedures for implementing changes and managing access are crucial.
  • User Execution and Phishing remain top threats. User Execution and Phishing techniques ranked again in the top three threats, with nearly 5% of high-severity incidents involving successful social engineering. Users are still the weakest link, making Security Awareness training an important focus for corporate information security planning.

To explore these and other trends in detail, download the full report (PDF).
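The configuration-control point made in the Living off the Land bullet above can be turned into a concrete review step: correlate every addition to a privileged group with the change register, and only surface the additions that no approved change covers. The script below is an added illustration written for this page, not Kaspersky's MDR tooling. It uses the standard Windows Security audit IDs for "member added to security-enabled group" (4728 global, 4732 local, 4756 universal); the events, group names, hosts, accounts and ticket numbers are constructed for the example.

```python
"""Flag privileged-group membership changes that lack an approved change record.

Added example, not Kaspersky code. Events and change register are constructed;
event IDs 4728/4732/4756 are the standard Windows "member added" audit IDs.
"""
from dataclasses import dataclass
from datetime import datetime

# Groups where any membership change must map to an approved change (constructed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Windows Security event IDs for a member being added to a security-enabled group.
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}

# Constructed events: the fields a SIEM would normalise out of the raw audit records.
SAMPLE_EVENTS = [
    {"event_id": 4728, "time": "2024-03-04T09:12:00", "subject": "CORP\\svc-provision",
     "member": "CORP\\jdoe", "group": "Domain Admins", "host": "DC01"},
    {"event_id": 4732, "time": "2024-03-04T22:41:00", "subject": "CORP\\helpdesk3",
     "member": "CORP\\tmp-admin", "group": "Administrators", "host": "FS02"},
    {"event_id": 4728, "time": "2024-03-05T10:00:00", "subject": "CORP\\svc-provision",
     "member": "CORP\\asmith", "group": "Sales", "host": "DC01"},
    {"event_id": 4756, "time": "2024-03-06T03:15:00", "subject": "CORP\\jdoe",
     "member": "CORP\\backup-ops", "group": "Enterprise Admins", "host": "DC01"},
    {"event_id": 4624, "time": "2024-03-06T03:14:00", "subject": "CORP\\jdoe",
     "member": "", "group": "", "host": "DC01"},  # logon event, not a membership change
]

# Constructed change register: who may be added to which group, and within what window.
APPROVED_CHANGES = [
    {"ticket": "CHG-1041", "member": "CORP\\jdoe", "group": "Domain Admins",
     "start": "2024-03-04T08:00:00", "end": "2024-03-04T12:00:00"},
]


@dataclass(frozen=True)
class Finding:
    time: str
    host: str
    subject: str
    member: str
    group: str
    reason: str


def covering_ticket(event, changes):
    """Return the ticket that approves this addition, or None if nothing covers it."""
    t = datetime.fromisoformat(event["time"])
    for c in changes:
        same_target = (c["member"].lower() == event["member"].lower()
                       and c["group"].lower() == event["group"].lower())
        in_window = datetime.fromisoformat(c["start"]) <= t <= datetime.fromisoformat(c["end"])
        if same_target and in_window:
            return c["ticket"]
    return None


def review_group_changes(events, changes, privileged=PRIVILEGED_GROUPS):
    """Return a Finding for every privileged-group addition without an approved change.

    Non-membership events and additions to non-privileged groups are skipped, so
    the output stays short enough for an analyst to read in full.
    """
    findings = []
    for ev in events:
        if ev["event_id"] not in MEMBER_ADDED_EVENTS or ev["group"] not in privileged:
            continue
        if covering_ticket(ev, changes) is None:
            findings.append(Finding(ev["time"], ev["host"], ev["subject"],
                                    ev["member"], ev["group"],
                                    "privileged group change with no approved change record"))
    return findings


if __name__ == "__main__":
    for f in review_group_changes(SAMPLE_EVENTS, APPROVED_CHANGES):
        print(f"{f.time} {f.host}: {f.subject} added {f.member} to {f.group} ({f.reason})")
```

On the constructed data the script reports two additions: the local Administrators change made by a helpdesk account late in the evening, and the Enterprise Admins change made at 03:15 with no ticket. The approved Domain Admins addition inside its change window is silent, which is the point: the register, not the analyst's memory, decides what is expected.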


securelist.com/kaspersky-manag…


Google Chrome now uses AI to protect you: goodbye to dangerous sites?


The Google Chrome browser has updated its Enhanced Protection feature. The company says that from now on it will use artificial intelligence to protect users in real time from dangerous sites, downloads and extensions.

AI-powered Enhanced Protection was first spotted in November of last year, when the feature's description in Chrome Canary changed from "proactive protection" to "AI-powered protection".

Now, after several months of testing, the update has reached the browser's stable release on all platforms. However, it is still not entirely clear how the updated feature differs from the old version without artificial intelligence.

Last week, Google stated that Enhanced Protection may use artificial intelligence to identify certain patterns in real time and warn users about potentially dangerous sites that Google had not previously detected. In addition, according to the developers, the AI protection performs a deep scan to detect suspicious downloads.

According to Google, as of February 2025 more than a billion Chrome users have chosen Enhanced Protection over the standard Safe Browsing mode and are now "twice as protected against phishing and other types of fraud".

The article Google Chrome now uses AI to protect you: goodbye to dangerous sites? originally appeared on il blog della sicurezza informatica.


Spy Italia: Spyrtacus, the Italian-made spyware that spies on WhatsApp and Signal


Journalists at TechCrunch and cybersecurity experts have discovered that a company in Italy produces a commercial spyware called Spyrtacus for government customers. The company is behind a series of malicious Android apps that masquerade as WhatsApp and other applications.

The story began at the end of last year, when an anonymous TechCrunch reader provided the publication with three Android apps, claiming they were government spyware used against unknown victims in Italy. TechCrunch turned to Google and the mobile security company Lookout for help analyzing the apps.

Both companies confirmed that the apps contained spyware.

The Spyrtacus spyware


Lookout concluded that the spyware was called Spyrtacus after finding the word in the code of an older malware sample. According to the researchers, Spyrtacus has all the hallmarks of government spyware. The Lookout analysts' conclusions were also independently confirmed by specialists at another cybersecurity company who preferred to remain anonymous.

Experts say Spyrtacus is capable of stealing text messages and conversations from Facebook Messenger, Signal and WhatsApp, transmitting information about the victim's contacts to its operators, intercepting and recording phone calls and ambient sound through the device's microphone, as well as capturing images from the device's camera, and can carry out other espionage activities.

According to the experts, Spyrtacus and many other previously studied malware samples were created by the Italian company SIO. The company develops and distributes malicious Android products that impersonate popular apps, including WhatsApp and the customer-support tools of mobile operators.

Lookout analysts who studied the malware reported that they had already discovered a total of 13 different Spyrtacus samples, the oldest dating to 2019 and the most recent to October 17, 2024. Other samples were found between 2020 and 2022, some of which impersonated apps of Italian mobile operators (TIM, Vodafone and WINDTRE).

Spyware for targeted campaigns


Since the apps themselves, as well as the websites used to distribute them, use the Italian language, the researchers suggest the spyware was used by Italian law enforcement. However, it is currently unknown against which targets Spyrtacus was used.

Google stated that no apps containing the malware have currently been found in the Google Play Store. According to Google, the app samples obtained by the publication were used as part of a "targeted campaign". When journalists asked whether earlier versions of Spyrtacus had previously made it into Google Play, the company replied that it had no information on the matter.

Interestingly, a 2024 Kaspersky Lab report mentioned that in 2018 Spyrtacus was distributed via Google Play, but in 2019 the malware authors began hosting the apps on malicious websites disguised as those of major Italian ISPs.

At the same time, Kaspersky Lab researchers also discovered a Windows version of Spyrtacus and found clues pointing to the existence of iOS and macOS versions of this spyware.

Several signs immediately point to SIO as being behind the creation of Spyrtacus. In particular, Lookout analysts discovered that some of the command-and-control servers used to remotely control the spyware were registered in the name of the company ASIGINT. According to a public 2024 document, ASIGINT is a subsidiary of SIO and develops software and services related to computer interception.

In addition, the independent Italian organization The Lawful Intercept Academy, which issues compliance certificates to spyware manufacturers operating in the country, lists SIO as the holder of a certificate for a spyware product named SIOAGENT and also states that the product's owner is ASIGINT.

Was the code written by developers from Naples?


A line was also found in the source code of one of the Spyrtacus samples indicating that the developers may be from Naples: the source code contains the words "Scetáteve guagliune 'e malavita", a verse from the lyrics of the traditional Neapolitan song "Guapparia".

Representatives of the Italian government and the Ministry of Justice did not respond to TechCrunch's request for comment. SIO also ignored numerous requests from journalists. TechCrunch notes that it tried to contact SIO's president and CEO and several executives, including the company's CFO and CTO, but received no reply.

The publication recalls that SIO is far from the first commercial spyware manufacturer in Italy. For example, Hacking Team, founded in 2003, was one of the first companies to demonstrate that the international market wanted easy-to-use, ready-made spyware systems for law enforcement and intelligence agencies.

The article Spy Italia: Spyrtacus, the Italian-made spyware that spies on WhatsApp and Signal originally appeared on il blog della sicurezza informatica.


Add a Little WOPR to Your Server Rack


Like so many of us, [aforsberg] found themselves fascinated with the WOPR computer from WarGames — something about all those blinking LEDs must speak to nerds on some subconscious level. But rather than admire the light show from afar, they decided to recreate it at a scale suitable for a 1U server rack.

So what goes into this WOPR display? In this case, the recipe simply calls for three MAX7219 dot matrix LED modules and a Raspberry Pi Pico, although you could swap that out for your favorite microcontroller if you wish. You should probably stick with something that at least runs MicroPython though, or else you won’t be able to use the included Python code to mimic the light patterns seen in the film.

What we like most about this project is how simple and inexpensive it is to recreate. There’s no custom PCB, and all the parts are mass produced enough that the economies of scale have made them comically cheap. Even at Amazon prices, you’re looking at around $50 USD in parts, and quite a bit less if you’ve got the patience to order everything through AliExpress.

Critics will note that, in its current state, this display just shows gibberish (admittedly stylish gibberish, but still). But as we’ve seen with similar projects, that’s simply a matter of software.


hackaday.com/2025/02/19/add-a-…


Pulsed Deposition Points a Different Path to DIY Semiconductors


While not impossible, replicating the machines and processes of a modern semiconductor fab is a pretty steep climb for the home gamer. Sure, we’ve seen it done, but nanoscale photolithography is a demanding process that discourages the DIYer at every turn. So if you want to make semiconductors at home, it might be best to change the rules a little and give something like this pulsed laser deposition prototyping apparatus a try.

Rather than building up a semiconductor by depositing layers of material onto a silicon substrate and selectively etching features into them with photolithography, [Sebastián Elgueta]’s chips will be made by adding materials in their final shape, with no etching required. The heart of the process is a multi-material pulsed laser deposition chamber, which uses an Nd:YAG laser to ablate one of six materials held on a rotating turret, creating a plasma that can be deposited onto a silicon substrate. Layers can either be a single material or, with the turret rapidly switched between different targets, a mix of multiple materials. The chamber is also equipped with valves for admitting different gases, such as oxygen when insulating layers of metal oxides need to be deposited. To create features, a pattern etched into a continuous web of aluminum foil by a second laser is used as a mask. When a new mask is needed, a fresh area of the foil is rolled into position over the substrate; this keeps the patterns in perfect alignment.

We’ve noticed regular updates on this project, so it’s under active development. [Sebastián]’s most recent improvements to the setup have involved adding electronics inside the chamber, including a resistive heater to warm the substrate before deposition and a quartz crystal microbalance to measure the amount of material being deposited. We’re eager to see what else he comes up with, especially when those first chips roll off the line. Until then, we’ll just have to look back at some of [Sam Zeloof]’s DIY semiconductors.


hackaday.com/2025/02/19/pulsed…


The US Military’s Unsecured UFO Satellites and Their Use By Russia


Something that you generally don’t expect as a North-America-based enthusiast is to listen in on Russian military communications during their war in Ukraine via WebSDR, or that these communications would be passing through US military satellites that are happy to just broadcast anything. Yet that’s the situation that the Saveitforparts YouTube channel recently described. As it turns out, there is a gaggle of UFOs up there, as the US DoD lovingly calls them.

Between 1979 and 1989 eight FLTSATCOM launches took place, with FLTSATCOM 7 and 8 still operating today. They were later joined by their successor UHF Follow-On (UFO) with 11 launches between 1993 and 2003. All of these operate in the UHF spectrum, with some UFO satellites also covering other bands. Their goal is to provide communication for the military’s forces, with these satellites for the most part acting as simple repeaters. Over time non-military parties learned to use these satellites too, even if it’s technically illegal in many jurisdictions.

As described in the video, if you listen in on WebSDR streams from Ukraine, you can find not only encrypted military comms, but also unencrypted Russian radio traffic. It seems that in lieu of being provided with proper (encrypted) radio systems, Russian forces are using these US military satellites for communication much like US (and NATO) forces would have. This is reminiscent of how Russian troops were caught using Discord via Starlink for communication, before Russian command shut down Discord.

youtube.com/embed/EUuQwPAPR-E?…

Thanks to [Stephen Walters] for the tip.


hackaday.com/2025/02/19/the-us…


Homebrew CPU Gets a Beautiful Rotating Cube Demo


[James Sharman] designed and built his own 8-bit computer from scratch using TTL logic chips, including a VGA adapter, and you can watch it run a glorious rotating cube demo in the video below.

The rotating cube is the product of roughly 3,500 lines of custom assembly code and looks fantastic, running at 30 frames per second with shading effects from multiple light sources. Great results considering the computing power of his system is roughly on par with vintage 8-bit home computers, and the graphics capabilities are limited. [James]’s computer uses a tile map instead of a frame buffer, so getting 3D content rendered was a challenge.

The video is about 20 seconds of demo followed by a detailed technical discussion on how exactly one implements everything required for a 3D cube, from basic math to optimization. If a deep dive into that sort of thing is up your alley, give it a watch!

We’ve featured [James]’ fascinating work on his homebrew computer before. Here’s more detail on his custom VGA adapter, and his best shot at making it (kinda) run DOOM.

youtube.com/embed/kYb4Io7TQp4?…


hackaday.com/2025/02/19/homebr…


FLOSS Weekly Episode 821: Rocky Linux


This week, Jonathan Bennett talks Rocky Linux with Gregory Kurtzer and Krista Burdine! Where did the project come from, and what’s the connection with CIQ and RESF? Listen to find out!


youtube.com/embed/3PoDpHK5I2Y?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License


hackaday.com/2025/02/19/floss-…


Retrotechtacular: Yamming CRT Yokes


Those of us who worked in TV repair shops, back when there was such a thing, will likely remember the cardinal rule of TV repair: Never touch the yoke if you can help it. The complex arrangement of copper wire coils and ferrite beads wrapped around a plastic cone attached to the neck of the CRT was critical to picture quality, and it took very little effort to completely screw things up. Fixing it would be a time-consuming and frustrating battle with the cams, screws, and spacers that kept the coils in the right orientation, both between themselves and relative to the picture tube. It was best to leave it the way the factory set it and to look elsewhere for solutions to picture problems.

But how exactly did the factory set up a deflection yoke? We had no idea at the time, only learning just recently about the wonders of automated deflection yoke yamming. The video below was made by Thomson Consumer Electronics, once a major supplier of CRTs to the television and computer monitor industry, and appears directed to its customers as a way of showing off their automated processes. They never really define yamming, but from the context of the video, it seems to be an industry term for the initial alignment of a deflection yoke during manufacturing. The manual process would require a skilled technician to manipulate the yoke while watching a series of test patterns on the CRT, slowly tweaking the coils to bring everything into perfect alignment.

Automating this process would have been a huge competitive advantage for a company like Thomson. Being able to provide correctly aligned CRT assemblies to a manufacturer would have been a productivity booster, especially since Thomson claimed to be able to adjust the process to the customer’s assembly line needs. They also say that the automated yamming process took just 30 seconds per tube thanks to a series of sensors and cameras watching the screen. The human element wasn’t completely eliminated, though; at the 3:50 mark, some unlucky QA tech is shown watching an endless carousel of tubes flashing a few test patterns to confirm the process. And you think your job sucks.

It’s not exactly clear when this video was made. The title suggests it was 1995, and that seems about right from the technology in the video, which includes a computer running a version of Windows from around that timeframe. Ironically, the LCD monitor on that touchscreen display was a harbinger of things to come for Thomson, which was out of the CRT business in the US less than a decade later.

youtube.com/embed/R3tS6T48_2Y?…


hackaday.com/2025/02/19/retrot…


CISA alert: critical vulnerabilities in PAN-OS and SonicOS under attack!


The US Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws affecting Palo Alto Networks PAN-OS and SonicWall SonicOS SSLVPN to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

Threat intelligence company GreyNoise said that as many as 25 malicious IP addresses are actively exploiting CVE-2025-0108, with attacker activity volume up 10-fold since it was first detected almost a week ago. The top three sources of attack traffic are the United States, Germany and the Netherlands.

The flaws are listed below:

  • CVE-2025-0108 (CVSS score: 7.8) – An authentication bypass vulnerability in the Palo Alto Networks PAN-OS management web interface that allows an unauthenticated attacker with network access to the web interface to bypass the authentication normally required and invoke certain PHP scripts
  • CVE-2024-53704 (CVSS score: 8.2) – A broken authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication

“Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unsecured and unpatched PAN-OS web management interfaces,” reads an updated advisory.

As for CVE-2024-53704, cybersecurity company Arctic Wolf revealed that threat actors began weaponizing the flaw shortly after Bishop Fox made a proof-of-concept (PoC) available.

The article CISA alert: critical vulnerabilities in PAN-OS and SonicOS under attack! originally appeared on il blog della sicurezza informatica.


Be Careful What You Ask For: Voice Control


We get it. We also watched Star Trek and thought how cool it would be to talk to our computer. From Kirk setting a self-destruct sequence, to Scotty talking into a mouse, or Picard ordering Earl Grey, we intuitively know that talking to a computer is better than typing, right? Well, computers talking back and forth to us is no longer science fiction, and maybe we aren’t as happy about it as we thought we’d be.

We weren’t able to pinpoint the first talking computer in fiction. Asimov and van Vogt had talking computers in the 1940s. “I, Robot” by Eando Binder, and not the more famous Asimov story, had a fully speaking robot in 1939. You could argue that “The Machine” in E. M. Forster’s “The Machine Stops” was probably speaking — the text is a little vague — and that was in 1909. The robot from Metropolis (1927) spoke after transforming, but you could argue that doesn’t count.

Meanwhile, In Real Life


In real life, computers weren’t as quick to speak. Before the middle of the twentieth century, machine-generated speech was an oddity. In 1779, a mechanical contrivance by Wolfgang von Kempelen, famous for the mechanical Turk chess-playing automaton, could form simple words. By 1939, Bell Labs could do even better speech synthesis electronically but with a human operator. It didn’t sound very good, as you can see in the video below, but it was certainly expressive.

youtube.com/embed/0rAyrmm7vv0?…

Speech recognition would wait until 1952, when Bell Labs showed a system that required training to understand someone speaking numbers. IBM could recognize 16 different utterances in 1961 with “Shoebox,” and, of course, that same year, they made an IBM 704 sing “Daisy Bell,” which would later inspire HAL 9000 to do the same.

youtube.com/embed/gQqCCzrS5_I?…

Recent advances in neural network systems and other AI techniques mean that now computers can generate and understand speech at a level even most fiction didn’t anticipate. These days, it is trivially easy to interact with your phone or your PC by using your voice. Of course, we sometimes question if every device needs AI smarts and a voice. We can maybe do without a smart toaster, for instance.

So What’s the Problem?


Patrick Blower’s famous cartoon about Amazon buying Whole Foods is both funny and tragically possible. In it, Jeff Bezos says, “Alexa, buy me something from Whole Foods.” To which Alexa replies, “Sure, Jeff. Buying Whole Foods.” Misunderstandings are one of the problems with voice input.

Every night, I say exactly the same phrase right before I go to sleep: “Hey, Google. Play my playlist sleep list.” About seven times out of ten, I get my playlist going. Two times out of ten, I get children’s lullabies or something even stranger. Occasionally, for variety, I get “Something went wrong. Try again later.” You can, of course, make excuses for this. The technology is new. Maybe my bedroom is noisy or has lousy acoustics. But still.

That’s not the only problem. Science fiction often predicts the future and, generally, newer science fiction is closer than older science fiction. But Star Trek sometimes turns that on its head. Picard had an office. Kirk worked out of his quarters at a time when working from home was almost unheard of. Offices are a forgotten luxury for many people, and if you are working from home, that’s fine. But if you are in a call center, a bullpen, or the bridge of the Enterprise, all this yakking back and forth with your computer will drive everyone crazy. Even if you train the computer to only recognize the user’s voice, it will still annoy you to have to hear everyone else’s notifications, messages, and alerts.

Today, humans are still better at understanding people than computers are. We all have a friend who consistently mispronounces “Arduino,” but we still know what he means. Or the colleague with a very thick accent, like Chekov trying to enter authorization code “wictor wictor two” in the recent movie. You knew what he meant, too.

youtube.com/embed/yMOp-1r2ras?…

Some of the problems are social. I can’t tell you the number of times I’m in the middle of dictating an e-mail, and someone just comes up and starts talking to me, which then shows up in the middle of my sentence. Granted, that’s not a computer issue. But it is another example of why voice input systems are not always as delightful as you’d think.

Solutions?

Probably got great battery life.
Sure, maybe you could build a cone of silence over each station, but that has its own problems. Then again, Spock and Uhura sometimes wore the biggest Bluetooth earbud ever, so maybe that’s half of the answer. The other half could be subvocalization, but that’s mostly science fiction, although not entirely.

What do you think? Even telepathy probably has some downsides. You’d have to be careful what you think, right? What is the ideal human-computer interface? Or will future Star Fleet officers be typing on molecular keyboards? Or will it wind up all in our brains? Tell us what you think in the comments.


hackaday.com/2025/02/19/be-car…


In a World Without USB…


It is easy to forget that many technology juggernauts weren’t always the only game in town. Ethernet seems ubiquitous today, but it had to fight past several competing standards. VHS and Blu-ray beat out their respective competitors. But what about USB? Sure, it was off to a rocky start in the beginning, but what was the real competition at that time? SCSI? Firewire? While those had pluses and minuses, neither was really in a position to fill the gap that USB would inhabit. But [Ernie Smith] remembers ACCESS.bus (or, sometimes, A.b) — what you might be using today if USB hadn’t taken over the world.

Back in the mid-1980s, there were several competing serial bus systems including Apple Desktop Bus and some other brand-specific things from companies like Commodore (the IEC bus) and Atari (SIO). The problem is that all of these things belong to one company. If you wanted to make, say, keyboards, this was terrible. Your Apple keyboard didn’t fit your Atari or your IBM computer. But there was a very robust serial protocol already in use — one you’ve probably used yourself. IIC or I2C (depending on who you ask).

I2C is robust, simple, and cheap to implement with reasonable licensing from Philips. It just needed a little tweaking to make it suitable for peripheral use, and that was the idea behind ACCESS.bus. [Ernie] tracked down a 1991 article that covered the technology and explained a good bit of the how and why. You can also find a comparison of A.b, I2C, and SMBus in this old datasheet. You can even find the 3.0 version of the spec online. While DEC was instrumental in the standard, some of their equipment used SERIAL.bus, which was identical except for using 12 V power and having a slightly different pinout.

The DEC Station 5000 was an early adopter of ACCESS.bus. From the user’s guide:

In theory, one ACCESS.bus port could handle 125 devices. It didn’t have a hub architecture like USB, but instead, you plugged one device into another. So your mouse plugs into your keyboard, which plugs into your printer, and finally connects to your PC.

The speed wasn’t that great — about 100 kilobits per second. So if ACCESS.bus had won, it would have needed to speed up when flash drives and the like became popular. However, ACCESS.bus does sort of live on even today. Computer monitors that support DDC — that is, all of them in modern times — use a form of ACCESS.bus, so the screen you are reading this on is using it right now to let the monitor and PC communicate things like refresh rates.

We love to read (and write) these deep dives into obscure tech. The Avatar Shark comes to mind. Or drives that used photographic film.


hackaday.com/2025/02/19/in-a-w…


Spam and phishing in 2024



The year in figures


  • 27% of all emails sent worldwide and 48.57% of all emails sent in the Russian web segment were spam
  • 18% of all spam emails were sent from Russia
  • Kaspersky Mail Anti-Virus blocked 125,521,794 malicious email attachments
  • Our Anti-Phishing system thwarted 893,216,170 attempts to follow phishing links
  • Chat Protection in Kaspersky mobile solutions prevented more than 60,000 redirects via phishing links from Telegram


Phishing and scams in 2024

Phishing for travelers


In 2024, cybercriminals targeted travel enthusiasts using fake hotel and airline booking websites. In one simple scheme, a fraudulent site asked users to enter their login credentials to complete their booking — these credentials ended up in criminal hands. Sometimes, the fake login form appeared under multiple brand names at once (for example, both Booking and Airbnb).

Another scheme involved a more sophisticated fake site, where users could even select the purpose of their trip (business or leisure). To complete the booking, the scammers requested bank card details, claiming that a certain sum would be temporarily blocked on the account to verify the card’s authenticity. Legitimate booking services regularly request payment details, so the victim may not suspect anything in this case. To rush users into entering their data carelessly, the scammers displayed warnings on the phishing page about dwindling accommodation availability and an imminent payment deadline for the booking. If the victim entered their data, the funds were not frozen but went straight into the criminals’ pockets.

Cyberthreats in the travel sector affected not only tourists but also employees of travel agencies. By gaining access to a corporate account, criminals could conduct financial transactions on behalf of employees and gain access to large customer databases.

Fake accommodation sites often sent messages to property owners, telling them to log in to “manage their property.” This scheme targeted people renting out their homes through online booking platforms.

Other scam pages featured surveys, offering respondents gifts or prize draws for participating. In this case, victims risked both their credentials and their money. Such fake giveaways are a classic scam tactic. They are often timed to coincide with a significant date for the travel industry or a specific company. For example, the screenshot below shows an offer to take part in a giveaway of airline tickets to celebrate Ryanair’s birthday.

After completing the survey, users may be asked to share the offer with a certain number of contacts, and then pay a small fee to receive the expensive gift. Of course, these prizes are non-existent.


Trapped in social networks


To steal credentials for social media and messenger accounts, scammers used another classic technique: asking users to verify themselves. In one scheme, the victim was redirected to a website that completely replicated WhatsApp’s design. The user entered their phone number and login code, handing their credentials straight over to the cybercriminals.

Beyond verification scams, fraudsters also lured victims with attractive offers. For example, in the screenshot below, the victim is promised free Instagram followers.

Some cybercriminals also used the promise of adult content to lure victims into entering their credentials in a fake authorization form.

Other scammers took advantage of Facebook and Instagram being owned by the same company. On a fraudulent page, they claimed to offer a service that allowed users to find Instagram profiles by entering their Facebook login and password.

Some scams offered users a surprise “gift” — a free Telegram Premium subscription. To enable the messenger’s premium features, the victim only had to enter their phone number and a one-time code on a fraudulent website.

Some fake social media and messenger pages were designed not to steal login credentials but to install malware on victims’ devices. Taking advantage of the popularity of Facebook Lite for Android, scammers offered users a “more advanced official version”, claiming it had extra features missing in the original app. However, instead of an upgraded app, users downloaded malware onto their devices.

Similarly, installing a supposedly free Telegram client with an activated Premium subscription often led to downloading malware.

Social media business services were increasingly used as a pretext for credential theft, as they play a key role in developing and promoting businesses and are directly linked to financial operations. Cybercriminals tricked Telegram channel owners into logging in to a phishing platform imitating the official Telegram Ads tool, thereby stealing their Telegram credentials. To make the scam more convincing, the attackers detailed how Telegram advertising works and promised millions of ad views per month.

TikTok users have also been targeted. TikTok Shop allows sellers to list curated products—items featured in videos—for potential buyers to find and purchase. Scammers created fake TikTok Shop pages to steal seller credentials, potentially leading to both reputational and financial damage.

In another case, fraudsters informed Facebook fan page owners of unusual activity in their accounts. Potential victims were prompted to check their profile by entering their login credentials into a phishing form.


Cryptocurrency: don’t mistake scams for real deals


One of last year’s most sensational stories was the cryptocurrency game Hamster Kombat. This clicker game, simulating the creation of a crypto exchange in a gamified format, quickly attracted a massive audience. Players eagerly awaited the moment when the in-game coins could be exchanged for real virtual currency. But while the official listing was delayed, the fraudulent schemes wasted no time.

Fraudsters claimed to offer cash-out services for in-game coins by converting them into rubles. To withdraw money, criminals claimed, users just had to log in through a fake Telegram page.

The growing anticipation for the new cryptocurrency’s market launch was frequently exploited by cybercriminals to steal seed phrases from crypto wallets. Scammers announced an early token sale, requiring users to log in through a fake page to participate. Of course, there was no mention of such promotions on official resources.

The popularity of Hamster Kombat was also abused in scam schemes. For example, users were offered access to a crypto wallet supposedly containing a significant sum in virtual coins. To claim it, the unsuspecting victims had to share information about the “opportunity” with a certain number of contacts in messaging apps. Having made their potential victim an accomplice in spreading false information, the scammers demanded a small commission for the withdrawal and disappeared with the stolen money.

A more elaborate scam also aimed to trick users into paying a “commission”, but with a slightly different approach. First, visitors to the page were asked to register to learn about some new activity related to Hamster Kombat.

Once registered, they were suddenly informed of having won a large amount of the HMSTR cryptocurrency supposedly as part of an experiment conducted on the platform. Exploiting uncertainty around the token’s listing, scammers urged victims to bypass the official trading launch and exchange their in-game currency for Bitcoin immediately.

To make it more convincing, the page displayed an exchange rate at which the “prize” would be converted.

However, after clicking the “Exchange coins” button, users were prompted to pay a commission for the service.

Everyone who paid this fee lost their money and received no Bitcoin.

Phishing attacks also targeted TON wallet users. In this case, scammers lured victims with promises of bonuses, requiring them to link their crypto wallets on fraudulent websites.

TON cryptocurrency was also used as bait in scam schemes. In a classic scenario, users were promised a quick way to earn digital currency. Fraudsters advertised a cloud mining service that allegedly generated high profits without any effort. After registering, unsuspecting users could monitor their “earnings” but had to pay a commission in cryptocurrency to withdraw funds.

Another “profitable” crypto scam resembled a Ponzi scheme: victims were required to recruit at least five new participants into the program—without receiving any money, of course. The scam site mimicked an online earning platform.

Visitors were instructed to install Telegram and use an unofficial bot to activate a crypto wallet where profits would supposedly be deposited.

According to the instructions, users then had to buy Toncoin and register in the program through a referral link from another participant. The scam worked by enticing people to make a small investment in the hopes of making big profits—the victims used their own funds to purchase the cryptocurrency for registration. But as with any pyramid scheme, only those at the top profited, while everyone else was left with nothing but empty dreams.

All or nothing: multipurpose phishing


Victims of phishing frequently included bank clients and users of government service portals. In such schemes, users first received a notification that they needed to update their account credentials. Cybercriminals used various communication channels to contact their victims: email, text messages, and chats in messaging apps. The victims were then led to fake sites where they were asked to provide their personal data. First, they entered their personal login credentials on the organization’s website.

Next, they were prompted to provide their email account credentials. The scammers also attempted to collect identity document details and other data, including the bank card PIN code.

Additionally, these phishing forms requested answers to security questions commonly used for additional verification in banking transactions.

This way, the cybercriminals gained full access to the victim’s account. Even the PIN code could be useful for the scammers in gaining access to the account. Security questions served as an extra safeguard for fraudsters in case the bank’s security service detected suspicious activity.

False idols


Phishing schemes also exploited the images of real people. For example, users browsing YouTube could stumble upon ad videos of celebrities announcing giveaways for their fans. Clicking the link in such a video led users to a page containing a post supposedly from the celebrity’s social media account, explaining how to claim the prize. However, when attempting to collect the “winnings”, visitors were asked to pay a small commission—insignificant compared to the value of the “gift.” Needless to say, those who paid the fee lost their money. The prize never existed, and the video was nothing more than a deepfake.


Spam in 2024

Scams
Token giveaway scam


Throughout the year, we frequently encountered emails announcing fake cryptocurrency airdrops, allegedly from teams of well-known crypto projects. The recipients, referred to as the platform’s “most valuable users,” were invited to participate in an “exclusive” event as a thank you for their loyalty and exceptional engagement.

New users unfamiliar with cryptocurrency were lured in with a unique opportunity to take part in the token giveaway and win a large sum—all they had to do was register on the platform, which was, of course, fake.

Scammers in 2024 closely monitored cryptocurrency market news. For example, in the spring, ahead of Notcoin’s upcoming listing, scam messages appeared featuring countdown timers, urging potential victims to participate in an airdrop allegedly arranged just for them.

Scam emails also targeted users of the cryptocurrency game Hamster Kombat, popular among Russian-speakers. Players eagerly awaited the HMSTR token listing, which was repeatedly postponed—a delay that scammers were quick to exploit. In the fall of 2024, they began sending emails pretending to be from the Hamster Kombat team, promising generous cash prizes if victims clicked a link to a fake game site.

Similar offers were distributed via a fraudulent website mimicking a major cryptocurrency exchange. In both cases, to claim the coveted tokens, victims had to link their cryptocurrency wallets.


“Nigerian” scam


In 2024, the Nigerian scam remained popular among spammers. Furthermore, fraudsters used both time-tested and trending themes to deceive victims. Cybercriminals employed various tricks and manipulations to engage with email recipients, with the ultimate goal of extracting money.

Most often, users were lured into classic schemes: fraudsters posed as terminally ill wealthy individuals seeking a worthy heir, lottery winners eager to share their prize, or investors offering opportunities in a promising business. Sometimes, to evade suspicion, scammers “rescued” their victims from other fraudsters and offered to compensate them for any financial losses. For example, in the summer of 2024, we came across an interesting case where an alleged victim of crypto fraud suggested that fellow sufferers contact a group of noble hackers for help recovering lost cryptocurrency.

Some scam offers were quite unexpected, as they didn’t promise vast riches, and, therefore, might not attract such a wide audience. In mid-to-late 2024, we saw scam emails claiming to be looking for new owners for pianos due to relocation or the previous owner’s passing.

We also encountered even more creative scam narratives. For example, one email, allegedly sent by a secret society of Illuminati, promised to share their wealth, power and fame if the recipients agreed to join their grand brotherhood.

Other “Nigerian” scam emails capitalized on current news events. Thus, the most talked-about event of 2024, the US presidential election, significantly influenced the types of scams we saw. For example, one scam email claimed that the recipients were incredibly lucky to be eligible to receive millions of dollars from Donald Trump’s foundation.

Scam in the Russian segment


Last year, the Russian segment of the internet was not spared from mass scam mailings. We frequently encountered schemes mimicking investment projects of major banks, promising users easy earnings and bonuses. Fraudsters also sent out emails with promotional offers from home appliance and electronics stores. Customers were informed of huge discounts on sales that were supposedly about to end.

The links in such emails led to fraudulent websites that looked identical to legitimate online stores but stood out with extremely low prices. After paying for their desired items, customers lost their money, as orders were never actually placed.

Beyond electronics, scammers also offered other discounted products. In one such campaign, users received an email advertising a sneaker store selling popular models at affordable prices.

Judging by the technical headers of the emails, both the sneaker store and electronics store promotions were sent by the same fraudsters.

Additionally, we came across emails inviting recipients to apply for debit or credit cards under favorable conditions. Unlike the electronics and shoe sale scams, these messages were legitimate referral programs from major banks, which enterprising spammers tried to monetize. Technically, such emails are not scams, as their links lead to real banking websites, and recipients do not face any risks. However, senders profit from registrations via the referral program. Nevertheless, we do not recommend clicking links from unknown senders, as seemingly harmless emails from a referral platform could be phishing or scam messages.

Emails with malicious links and attachments
Password-protected archives


In 2024, there was an increase in emails distributing password-protected archives containing malicious content. Sometimes, these files were included not as attachments but via download links, which also required a password. Presumably, this was the attackers’ attempt to bypass email security filters. Typically, the archive password was mentioned in the email text, and sometimes in the attachment’s filename. Notably, fraudsters often disguised malicious archives or links as files with other extensions, such as PDF, XLS, or DOC.

Since April 2024, we have been recording similar distributions of files with the double extension .PDF.RAR, targeting employees of Russian companies in the government, financial, manufacturing, and energy sectors.

We assume that these messages were sent from compromised email accounts of the recipients’ business partners. Some emails contained real correspondence, to which attackers replied with an email containing the malware. All the emails we examined in this campaign were unique. The attackers likely crafted messages to closely mimic the style of the compromised business partner.

Similar messages containing malicious files were also found in other languages. However, unlike campaigns targeting Russian-speaking users, these had more general themes—attachments were disguised as invoices, commercial offers, supply orders, tender schedules, court notices, and other documents.
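The three signals the report describes (an archive attachment or download link, a password quoted in the message text or filename, and a document extension placed in front of the real archive extension such as .PDF.RAR) can be checked mechanically at the mail gateway. The following triage script is an added example written for this report, not code from Kaspersky; the extension lists and password keywords are assumptions to tune, and the sample messages are constructed.

```python
"""Triage an email for the password-protected-archive lure described above.

Added example written for this report, not code from Kaspersky. Extension lists
and the password keywords are assumptions to tune; the messages are constructed.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage

ARCHIVE_EXT = {".rar", ".zip", ".7z", ".arj", ".ace", ".cab", ".gz", ".tar"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
PASSWORD_RE = re.compile(r"password|passcode|пароль", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyze_filename(name: str) -> list:
    """Findings for one attachment or linked-file name."""
    base, ext = os.path.splitext(name.lower())
    _, inner = os.path.splitext(base)
    findings = []
    if ext in ARCHIVE_EXT:
        findings.append("archive")
        if inner in DOCUMENT_EXT:          # e.g. claim.pdf.rar
            findings.append("double_extension_disguise")
    if PASSWORD_RE.search(name):           # password handed over in the filename
        findings.append("password_in_filename")
    return findings


def triage_message(raw: str) -> list:
    """Return a list of findings for a raw RFC 5322 message; empty means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    body, names = [], []
    for part in msg.walk():
        if part.is_attachment():
            names.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            body.append(part.get_content())
    text = "\n".join(body)
    # Linked archives count too: the report saw download links instead of attachments.
    for url in URL_RE.findall(text):
        path = url.rstrip(".,;)").rsplit("/", 1)[-1]
        if os.path.splitext(path)[1] in ARCHIVE_EXT:
            names.append(path)
    findings = []
    for n in names:
        findings.extend(f"{f}:{n}" for f in analyze_filename(n))
    if PASSWORD_RE.search(text) and any("archive" in analyze_filename(n) for n in names):
        findings.append("password_in_body_for_archive")
    return findings


def build_sample(subject: str, body: str, attachment_name: str = None) -> str:
    """Construct a sample message (addresses use the reserved .example TLD)."""
    msg = EmailMessage()
    msg["From"] = "partner@supplier.example"
    msg["To"] = "accounting@victim.example"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed samples: a lure in the reported style, a benign invoice, and a linked archive.
LURE = build_sample("Re: reconciliation report",
                    "Good afternoon, the signed claim is attached. Password for the archive: 2024",
                    "Claim_2024.pdf.rar")
BENIGN = build_sample("Invoice", "Please find the invoice attached.", "Invoice_118.pdf")
LINKED = build_sample("Documents",
                      "The documents are at https://files.example/dl/Contract.pdf.rar (password 1111).")

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN), ("linked", LINKED)):
        print(label, triage_message(sample))
```

The three findings together (archive, disguised extension, password in the body) are a much stronger signal than any one alone, since legitimate partners do send encrypted archives; a gateway rule would normally quarantine on the combination and only log the single hits.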


Pre-trial claims and lawsuits


Last year, attackers frequently threatened legal action to convince victims to click dangerous links or open malicious attachments. These messages primarily targeted Russian companies but were also observed in other languages. Typically, fraudsters posed as business partners, demanding debt repayment; otherwise, they “would be forced to take the matter to arbitration court.” In one such campaign, the attached “pre-trial claims” were .DOC files containing VBA scripts. These scripts established connections with command servers and downloaded, saved, and executed malicious files on the victim’s device. Kaspersky’s products detect this payload with the verdict HEUR:Trojan-Downloader.MSOffice.Sload.gen.

In some cases, cybercriminals gave no reason for their legal threats but instead attempted to shock victims with an already “filed” lawsuit to pressure them into opening the attachment. Of course, it contained malware.


Emails with malicious SVG files


According to our observations, the past year saw a rise in the distribution of malicious SVG files. Disguised as harmless images, these files contained scripts that downloaded and installed additional malware on the victim’s device. (Our solutions detect these scripts as Trojan.Script.Agent.sy and Trojan.Script.Agent.qe.) The emails we encountered were written in Spanish and posed as fake legal case notifications and court summons. The text included a password for opening the attached file.
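An SVG is XML, so the difference between an image and a dropper of the kind described above is visible statically: a `<script>` element, an `on*` event handler, or a `javascript:` link have no place in a picture. The checker below is an added example written for this report, not Kaspersky’s detection logic; the sample SVGs are constructed and carry no payload.

```python
"""Static check for active content in an SVG attachment.

Added example written for this report, not code from Kaspersky; the sample SVGs
are constructed and contain no real payload. Uses the stdlib parser; a production
pipeline should parse untrusted XML with defusedxml.
"""
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# data: is deliberately not listed: inline data: images are common in legitimate SVGs.
ACTIVE_SCHEMES = ("javascript:", "vbscript:")


def svg_active_content(data: bytes) -> list:
    """Return a list of findings; an empty list means no active content was found."""
    root = ET.fromstring(data)
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()      # drop the namespace prefix
        if tag in ACTIVE_TAGS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()   # xlink:href -> href
            if name.startswith("on"):                # onload, onclick, ...
                findings.append(f"event_handler:{name}")
            v = value.strip().lower()
            if name == "href" and v.startswith(ACTIVE_SCHEMES):
                findings.append(f"uri_scheme:{v.split(':', 1)[0]}")
            elif name == "href" and v.startswith(("http://", "https://")):
                findings.append(f"external_ref:{tag}")  # image that phones out
    return findings


def is_plain_image(data: bytes) -> bool:
    return not svg_active_content(data)


# Constructed samples.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="navy"/>
</svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="start()">
  <script>/* constructed placeholder, no payload */</script>
  <a href="javascript:void(0)"><text x="1" y="9">Open case file</text></a>
  <image xlink:href="https://cdn.example/x.png" xmlns:xlink="http://www.w3.org/1999/xlink"/>
</svg>"""

if __name__ == "__main__":
    print("benign:", svg_active_content(BENIGN_SVG))
    print("suspicious:", svg_active_content(SUSPICIOUS_SVG))
```

Because the malicious files in this campaign arrived password-protected, the check has to run after the archive has been opened in the sandbox or on the endpoint, not at the gateway; the findings list is meant to feed a verdict or an alert rather than to replace signature detection.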


Threats to businesses
Fake deals


A special category of emails that users complained about in 2024 was requests for quotation from suspicious senders. These emails were sent either from free email addresses or recently created domains. Attackers signed the emails with the names of large companies, included links to their websites, and sometimes even used official company logos. These emails followed a uniform template: the “buyers” briefly introduced themselves, expressed interest in the recipient’s products, and requested a catalog or price list. Interestingly, the fraudsters did not seem to care about the type of goods involved.

If the recipient responded, events could unfold in two ways. In some cases, after receiving a reply to the initial seemingly legitimate request, the fraudsters sent malicious attachments or links in the next email.

In another scenario, the “buyers” engaged in further correspondence with their “potential partner”—the victim—discussing details and insisting on their conditions, including post-payment and requiring the seller to cover customs duties. This meant that the supplier bore all the risks of delivery and could lose their goods without receiving any payment.

Facebook


In the spring of 2024, we discovered an interesting phishing email scheme that leveraged legitimate Facebook notifications. The service sent entirely legitimate emails to users mentioned in threatening posts. The attackers used compromised Facebook accounts, renamed to “24 Hours Left To Request Review. See Why,” and changed the profile picture to an icon featuring an orange exclamation mark.

Then, the fraudsters created posts on these pages tagging the business accounts of potential victims. The tagged users received notifications from the alarmingly-named pages.

These posts contained more details than the emails: victims were warned about an impending account ban due to a complaint from another user. To dispute the ban for violating service terms, the recipient of the “notification” was required to follow a phishing link from the post—leading to a fake site with Meta logos that requested Facebook login credentials.

We also found phishing emails containing legitimate Facebook links in October 2024, but this time without using the platform’s infrastructure. These emails contained notifications of lawsuits for copyright infringement and the removal of unlawful posts from the recipient’s profile. The target was warned that their personal and business pages would be blocked within 24 hours, pressuring them to take hasty and careless action.

However, they were immediately offered the chance to appeal by contacting the “Appeal Support Center.” The link in the email led to a phishing site disguised as Meta’s support service, where the victim was also asked to enter their profile password. To make the phishing link more convincing, a legitimate mechanism for redirecting users to external Facebook resources was used.

At the end of 2024, we noticed an email campaign targeting companies promoting their business pages on Facebook. These emails mimicked official Meta for Business notifications and threatened to block the user’s account and business page for violating the platform’s rules and community policies.

To dispute these accusations, the fraudsters urged the profile owners to click a link to contact “Facebook support” in a legitimate messenger. However, in reality, the victim was communicating with the owner of a fan page called “Content Moderation Center,” imitating an official support service employee. The scam could have been identified by the “Fan Page” label in the chat, though it was easy to miss.


News agenda


In 2024, scammers continued to exploit the news agenda in spam campaigns.

During the UEFA Euro 2024 football championship in Germany, emails began to appear offering merchandise with UEFA EURO 2024 logos.

After Pavel Durov’s arrest in Paris, we noticed English-language messages calling for donations to supposedly fund his legal defense.

In the fall of last year, a scam campaign began circulating, offering not-yet-released MacBook Pro M4 devices at low prices or even for free. The links in these emails led to fake websites imitating major marketplaces.

Before Black Friday, we recorded a surge in spam offering exclusive discounts. The links in these messages lured victims to sites disguised as marketplaces, electronics stores, and financial institutions.

B2B spam campaigns
Online promotion services


One of the most common categories of spam email in 2024, complained of frequently by our corporate clients, was commercial offers for online promotion. Users were offered services such as creating or redesigning websites, setting up SEO tools, and purchasing databases with potential client contacts and other information. Other advertised services included guest post placement with backlinks to the client’s site, writing positive reviews, removing negative reviews, and creating personalized email campaigns. While these messages are not malicious or fraudulent, they are mass-distributed and unsolicited, causing inconvenience to users. The popularity of this type of spam is likely driven by the development of digital marketing tools and the search for new clients for small- and medium-sized businesses amid growing online competition.


Buying likes and followers on social media


We also frequently encountered business offers for the online promotion of company accounts on social media. Spammers sell fake likes and followers. They often pose as employees of real social media marketing firms, claiming to be industry leaders. At the end of their emails, the spammers included a link to a marketing platform and payment options for their services. One such campaign, which we observed throughout the past year and is still active, stood out due to the variety of languages used in the emails and the diversity of domain names. With these tactics, the spammers aimed to reach a global audience.


AI in B2B emails


The growing popularity of neural networks has led companies to actively integrate AI into their business processes. We assume that clients of such organizations, in turn, are drawn to service offers that incorporate neural networks. As a natural consequence of this trend, AI-driven solutions began appearing in spam campaigns advertising online marketing services.

Spammers emphasized using AI, particularly ChatGPT, to perform various business tasks. We identified the following themes in these emails:

  • Attracting website traffic
  • Creating advanced lead generation strategies
  • Developing unique approaches tailored to a brand’s identity
  • Producing and publishing content
  • Launching personalized multi-channel marketing campaigns
  • Creating custom videos for YouTube channels

Other topics also appeared in spam emails, but they all shared the same goal—enhancing business processes and attracting potential clients.

Another particularly popular category of spam related to neural networks was advertising online events. Last year, we encountered numerous examples of emails promoting webinars about the promising capabilities and practical applications of AI in business operations.


Targeted phishing in 2024


In 2024, two main trends were observed in targeted phishing:

  1. Notifications on behalf of a company’s HR department. Employees were asked to fill out or sign a document, such as a vacation schedule, accessible via a link in an email. Sometimes, instead of routine requests, attackers resorted to more extravagant tactics—such as inviting employees to check if they were on a list of staff to be dismissed.

Phishing email from HR

In all these cases, the common factor was that clicking the link led the employee to a phishing login page instead of the actual corporate portal. Most often, attackers targeted Microsoft accounts, though some phishing forms mimicked internal corporate resources.

Fake login form


  2. Emails from a seller to a buyer, or vice versa. One common scheme involved a buyer or seller asking the victim to review an offer or respond to questions about product delivery and required specifications. These emails contained attached documents that actually concealed phishing links.

Example of a phishing email from a seller

When attempting to open the attachment, the user was redirected to a phishing page. As in the previous case, these fake forms harvested Microsoft credentials and corporate account logins.

Fake password entry form
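Both targeted-phishing variants above, and the Facebook “Appeal Support Center” case earlier, end the same way: a link that claims a brand but lands on a host the brand does not own, sometimes hidden behind a legitimate redirector. The audit below is an added example written for this report, not code from Kaspersky. It assumes the Facebook outbound-link wrapper passes the destination as the `u` query parameter of `l.facebook.com/l.php` (the report only says a legitimate redirect mechanism was used), and the brand allowlists and sample messages are constructed (`.example` is a reserved TLD).

```python
"""Audit the links in an email body: unwrap a known redirector, then check whether
each link really lands on the brand the email claims to come from.

Added example written for this report, not code from Kaspersky. The redirector
format (l.facebook.com/l.php?u=<destination>) and the host lists are assumptions
to adapt; the sample messages and domains are constructed (.example is reserved).
"""
import re
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Assumption: the outbound-link wrapper carries the destination in the ``u`` parameter.
REDIRECTORS = {"l.facebook.com", "lm.facebook.com"}

# Brand -> domains a genuine login/appeal page for that brand may live on (assumed allowlist).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
    "meta": {"facebook.com", "meta.com", "instagram.com"},
}
BRAND_KEYWORDS = {"microsoft": ("microsoft", "office365"), "meta": ("meta", "facebook")}


def unwrap_redirect(url: str) -> str:
    """Return the final destination if ``url`` is a known redirector, else ``url``."""
    parts = urlparse(url)
    if (parts.hostname or "").lower() in REDIRECTORS:
        target = parse_qs(parts.query).get("u")   # parse_qs percent-decodes the value
        if target:
            return target[0]
    return url


def host_in(host: str, domains) -> bool:
    """True if ``host`` is one of ``domains`` or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_links(body: str, claimed_brand: str) -> list:
    """Flag every link that does not land on the claimed brand's own domains."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")
        final = unwrap_redirect(url)
        host = (urlparse(final).hostname or "").lower()
        if final != url:
            findings.append(("redirector_unwrapped", host))
        if host_in(host, BRAND_DOMAINS[claimed_brand]):
            continue
        kind = "off_brand_host"
        if any(k in host for k in BRAND_KEYWORDS[claimed_brand]):
            kind = "brand_lookalike_host"  # brand name inside a domain the brand does not own
        findings.append((kind, host))
    return findings


# Constructed samples.
HR_PHISH = """Dear employee,
Please sign the 2025 vacation schedule here:
https://login-microsoft-verify.example/vacation-schedule
"""
HR_LEGIT = "Sign in at https://login.microsoftonline.com/ to view the portal."
FB_APPEAL = ("Your page will be disabled in 24 hours. Appeal here: "
             "https://l.facebook.com/l.php?u=https%3A%2F%2Fappeal-support-center.example%2Fmeta")

if __name__ == "__main__":
    print(audit_links(HR_PHISH, "microsoft"))
    print(audit_links(HR_LEGIT, "microsoft"))
    print(audit_links(FB_APPEAL, "meta"))
```

The redirector step matters for the Facebook case: a filter that only looks at the visible host sees `l.facebook.com` and passes the message, which is exactly why the attackers used it. The lookalike rule catches the HR variant, where the phishing host borrows the brand name but sits outside the brand’s domains.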

Statistics: phishing


The number of phishing attacks in 2024 increased compared to the previous year. Kaspersky solutions blocked 893,216,170 attempts to follow phishing links—26% more than in 2023.

Number of Anti-Phishing triggerings, 2024

Map of phishing attacks


Users from Peru (19.06%) encountered phishing most often. Greece (18.21%) ranked second, followed by Vietnam (17.53%) and Madagascar (17.17%). They are closely followed by Ecuador (16.90%), Lesotho (16.87%) and Somalia (16.70%). The final places in the TOP 10 are occupied by Brunei (16.55%), Tunisia (16.51%) and Kenya (16.38%).

Country/territory    Share of attacked users*
Peru                 19.06
Greece               18.21
Vietnam              17.53
Madagascar           17.17
Ecuador              16.90
Lesotho              16.87
Somalia              16.70
Brunei               16.55
Tunisia              16.51
Kenya                16.38

* Share of users who encountered phishing out of the total number of Kaspersky users in the country/territory, 2024

Top-level domains


The most common domain zone hosting phishing sites remains the COM zone (29.78%)—its popularity has increased one and a half times compared to 2023. In second place is the XYZ domain (7.10%), which ranked fifth last year, followed by TOP (6.97%), which retained its position in the top ten. Next, with a slight margin from each other, are the ONLINE (4.25%) and SITE (3.87%) domain zones, where phishing sites were less actively hosted last year. The Russian RU domain (2.23%) and the global NET domain (2.02%) are in sixth and seventh place, respectively. Following them are CLICK (1.41%) and INFO (1.35%)—the year before, these zones were not frequently used. Closing the top ten is another national domain: UK, with a share of 1.33%.

Most frequent top-level domains for phishing pages, 2024

Organizations targeted by phishing attacks


The rating of organizations targeted by phishers is based on the detections of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database.

In 2024, the highest number of attempts to access phishing links blocked by Kaspersky solutions was associated with pages imitating various web services (15.75%), surpassing global internet portals (13.88%), which held the top position in 2023. The third and fourth positions in last year’s top ten also swapped places: banks moved ahead (12.86%), overtaking online stores at 11.52%. Attackers were also interested in social media (8.35%) and messengers (7.98%): attacks targeting them strengthened their positions in the ranking. For websites imitating delivery services, we observed a decline in phishing activity (6.55%), while the share of payment systems remained unchanged at 5.82%. Also included in the list of the most frequently targeted organizations were online games (5.31%) and blogs (3.75%).

Distribution of organizations targeted by phishers, by category, 2024

Statistics: spam

Share of spam in email traffic


In 2024, spam emails accounted for 47.27% of the total global email traffic, an increase of 1.27 p.p. compared to the previous year. The lowest spam levels were recorded in October and November, with average shares dropping to 45.33% and 45.20%, respectively. In December, we observed a slight upward trend in junk emails, but the fourth quarter was still the calmest of the year. Spam activity peaked in the summer, with the highest number of emails recorded in June (49.52%) and July (49.27%).

Share of spam in global email traffic, 2024

In the Russian internet segment, the average spam share exceeded the global figure, reaching 48.57%, which is 1.98 p.p. higher than in 2023. As in the rest of the world, spammers were least active at the end of the year: in the fourth quarter, 45.14% of emails were spam. However, unlike global trends, in Runet, we recorded four months during which the spam share exceeded half of all traffic: March (51.01%), June (51.53%), July (51.02%), and September (51.25%). These figures made the third quarter the most active, with a share of 50.46%. December was the calmest month, and interestingly, although spam levels in Russia were generally at or above the global level, the December spam share in Russia was lower than the global figure: 44.56%.

Share of spam in Runet email traffic, 2024

Countries and territories where spam originated


We continue to observe an increase in the share of spam sent from Russia—from 31.45% to 36.18%. The United States and mainland China, which held second and third place last year, swapped positions, with China’s share increasing by 6 p.p. (17.11%) and the US share decreasing by 3 p.p. (8.40%). Kazakhstan, which entered the top twenty for the first time last year, rose from eighth to fourth place (3.82%), pushing Japan (2.93%) down, and causing Germany, previously in fifth place, to drop one position with a share of 2.10%. India’s share slightly decreased, but the country moved up two positions from last year to seventh place. Conversely, the amount of spam sent from Hong Kong more than doubled (1.75%), allowing this territory to take eighth place in the top twenty. Next come Brazil (1.44%) and the Netherlands (1.25%), whose shares continued to decline.

TOP 20 countries and territories where spam originated in 2024

Malicious email attachments


In 2024, Kaspersky solutions detected 125,521,794 attempts to open malicious email attachments, ten million fewer than the previous year. Interestingly, one of the peaks in email antivirus detections occurred in April—in contrast to 2023, when this month had the lowest malicious activity. In January and December, we observed a relative decrease in detections, while increases were noted in spring and autumn.

Number of email antivirus detections, 2024

The most common malicious email attachments were Agensla stealers (6.51%), which ranked second last year. Next were Badun Trojans (4.51%), which spread in archives disguised as electronic documents. The Makoob family moved from eighth to third place (3.96%), displacing the Noon spyware (3.62%), which collects browser passwords and keystrokes. The malicious Badur PDFs, the most common attachments in 2023, dropped to fifth place with a 3.48% share, followed by phishing HTML forms from the Hoax.HTML.Phish family (2.93%). Next in line were Strab spyware Trojans (2.85%), capable of tracking keystrokes, taking screenshots, and performing other typical spyware actions. Rounding out the top ten were SAgent VBS scripts (2.75%), which were not as actively used last year, the Taskun family (2.75%), which maintained its previous share, and PDF documents containing phishing links, Hoax.PDF.Phish (2.11%).

TOP 10 malware families distributed as email attachments, 2024

The list of the most widespread malware reflects trends similar to the distribution of families, with a few exceptions: the Hoax.HTML.Phish variant of malicious HTML forms dropped two positions (2.20%), and instead of a specific Strab Trojan sample, the top ten included the ISO image Trojan.Win32.ISO.gen, distributed via email (1.39%).

TOP 10 malicious programs distributed as email attachments, 2024

Countries and territories targeted by malicious mailings


In 2024, users in Russia continued to face malicious email attachments more frequently than other countries, although the share of email antivirus detections in this country decreased compared to last year, to 11.37%. China ranked second (10.96%), re-entering the top twenty after several years. Next came Spain (8.32%), Mexico (5.73%), and Turkey (5.05%), which dropped one position each with a slight decline in malicious attachments. Switzerland (4.82%) took sixth place, appearing in the ranking for the first time. Following them were Vietnam (3.68%), whose share declined, and the UAE (3.24%), which strengthened its position in the ranking. Also among frequent targets of malicious spam were users from Malaysia (2.99%) and Italy (2.54%).

TOP 20 countries and territories targeted by malicious mailings, 2024

Conclusion


Political and economic crises will continue to provide new pretexts for fraudulent schemes. In some cases presented in the 2024 report, we can observe the “greed” of cybercriminals: the use of two different company brands on the same page; a credible fake of a resource aimed not at stealing credentials but at stealing money; comprehensive questionnaires that can lead not only to loss of access to funds but also to identity theft. Such multi-layered threats may become a new trend in phishing and scam attacks.

We continue to observe major news events being exploited in spam campaigns that promise easy earnings and discounted goods or services. The growing user interest in artificial intelligence tools is actively being leveraged by spammers to attract an audience, and this trend will undoubtedly continue.
