Looking for an educational microcontroller board to get you or a loved one into electronics? Consider the tinyCore – a small and nifty hexagon-shaped ESP32 board by [MR. INDUSTRIES], simplified for learning yet featureful enough to offer plenty of growth, and fully open.

The tinyCore board’s hexagonal shape makes it more flexible for building wearables than the vaguely rectangular boards we’re used to, and it’s got a good few onboard gadgets. Apart from already expected WiFi, BLE, and GPIOs, you get battery management, a 6DoF IMU (LSM6DSOX) in the center of the board, a micro SD card slot for all your data needs, and two QWIIC connectors. As such, you could easily turn it into, say, a smartwatch, a motion-sensitive tracker, or a controller for a small robot – there’s even a few sample projects for you to try.

You can buy one, or assemble a few yourself thanks to the open-source-ness – and, to us, the biggest factor is the [MR.INDUSTRIES] community, with documentation, examples, and people learning with this board and sharing what they make. Want a device with a big display that similarly wields a library of examples and a community? Perhaps check out the Cheap Yellow Display hacks!

youtube.com/embed/3Nd6zynJclk?…

We thank [Keith Olson] for sharing this with us!

hackaday.com/2025/12/11/tinyco…

In Inghilterra, i treni sono stati sospesi per diverse ore a causa del presunto crollo di un ponte ferroviario causato da un’immagine falsa generata da una rete neurale. In seguito al terremoto avvenuto durante la notte, avvertito dagli abitanti del Lancashire e del Lake District meridionale, sui social media sono circolate immagini che mostravano il Carlisle Bridge a Lancaster gravemente danneggiato.

Network Rail, la società statale che gestisce l’infrastruttura ferroviaria britannica, ha riferito di aver appreso dell’immagine intorno alle 00:30 GMT e, per precauzione, di aver sospeso il traffico ferroviario sul ponte fino a quando i tecnici non avessero potuto verificarne le condizioni.

Intorno alle 02:00 GMT, il binario è stato completamente riaperto, non sono stati riscontrati danni e un giornalista della BBC che ha visitato il sito ha confermato che la struttura del ponte era intatta.
Una foto scattata da un reporter della BBC North West Tonight ha mostrato che il ponte è intatto
Un giornalista della BBC ha sottoposto l’immagine a un chatbot con intelligenza artificiale, che ha evidenziato diversi segnali rivelatori di un possibile falso. Tuttavia, Network Rail sottolinea che qualsiasi avviso di sicurezza deve essere trattato come se l’immagine fosse autentica, poiché sono in gioco vite umane.

L’azienda ha riferito che 32 treni, sia passeggeri che merci, hanno subito ritardi a causa dell’incidente. Alcuni treni hanno dovuto essere fermati o rallentati in avvicinamento al ponte, mentre altri hanno subito ritardi perché il loro percorso era bloccato da servizi precedentemente in ritardo. Data la lunghezza della West Coast Main Line, le conseguenze hanno raggiunto anche i treni diretti a nord, verso la Scozia.

Network Rail ha esortato gli utenti a considerare le potenziali conseguenze di tali immagini false. Secondo un portavoce dell’azienda, la creazione e la distribuzione di tali immagini comporta ritardi del tutto inutili, comporta costi per i contribuenti e aumenta il carico di lavoro dei dipendenti, già impegnati al massimo per garantire il regolare e sicuro funzionamento della ferrovia.

L’azienda ha sottolineato che la sicurezza dei passeggeri e del personale rimane una priorità assoluta e che pertanto qualsiasi potenziale minaccia all’infrastruttura viene presa estremamente sul serio.

La polizia dei trasporti britannica ha confermato di essere stata informata della situazione, ma al momento non è in corso alcuna indagine specifica sull’incidente.

L'articolo Terremoto? No, AI-Fake! Un’immagine generata dall’IA paralizza i treni britannici proviene da Red Hot Cyber.

After you have written the code for some awesome application, you of course want other people to be able to use it. Although simply directing them to the source code on GitHub or similar is an option, not every project lends itself to the traditional configure && make && make install, with often dependencies being the sticking point.

Asking the user to install dependencies and set up any filesystem links is an option, but having an installer of some type tackle all this is of course significantly easier. Typically this would contain the precompiled binaries, along with any other required files which the installer can then copy to their final location before tackling any remaining tasks, like updating configuration files, tweaking a registry, setting up filesystem links and so on.

As simple as this sounds, it comes with a lot of gotchas, with Linux distributions in particular being a tough nut. Whereas on MacOS, Windows, Haiku and many other OSes you can provide a single installer file for the respective platform, for Linux things get interesting.

Windows As Easy Mode

For all the flak directed at Windows, it is hard to deny that it is a stupidly easy platform to target with a binary installer, with equally flexible options available on the side of the end-user. Although Microsoft has nailed down some options over the years, such as enforcing the user’s home folder for application data, it’s still among the easiest to install an application on.

While working on the NymphCast project, I found myself looking at a pleasant installer to wrap the binaries into, initially opting to use the NSIS (Nullsoft Scriptable Install System) installer as I had seen it around a lot. While this works decently enough, you do notice that it’s a bit crusty and especially the more advanced features can be rather cumbersome.

This is where a friend who was helping out with the project suggested using the more modern Inno Setup instead, which is rather like the well-known InstallShield utility, except OSS and thus significantly more accessible. Thus the pipeline on Windows became the following:

1. Install dependencies using vcpkg.
2. Compile project using NMake and the MSVC toolchain.
3. Run the Inno Setup script to build the .exe based installer.

Installing applications on Windows is helped massively both by having a lot of freedom where to install the application, including on a partition or disk of choice, and by having the start menu structure be just a series of folders with shortcuts in them.

The Qt-based NymphCast Player application’s .iss file covers essentially such a basic installation process, while the one for NymphCast Server also adds the option to download a pack of wallpaper images, and asks for the type of server configuration to use.

Uninstalling such an application basically reverses the process, with the uninstaller installed alongside the application and registered in the Windows registry together with the application’s details.

MacOS As Proprietary Mode

Things get a bit weird with MacOS, with many application installers coming inside a DMG image or PKG file. The former is just a disk image that can be used for distributing applications, and the user is generally provided with a way to drag the application into the Applications folder. The PKG file is more of a typical installer as on Windows.

Of course, the problem with anything MacOS is that Apple really doesn’t want you to do anything with MacOS if you’re not running MacOS already. This can be worked around, but just getting to the point of compiling for MacOS without running XCode on MacOS on real Apple hardware is a bit of a fool’s errand. Not to mention Apple’s insistence on signing these packages, if you don’t want the end-user to have to jump through hoops.

Although I have built both iOS and OS X/MacOS applications in the past – mostly for commercial projects – I decided to not bother with compiling or testing my projects like NymphCast for Apple platforms without easy access to an Apple system. Of course, something like Homebrew can be a viable alternative to the One True Apple Way if you merely want to get OSS o MacOS. I did add basic support for Homebrew in NymphCast, but without a MacOS system to test it on, who knows whether it works.

Anything But Linux

The world of desktop systems is larger than just Windows, MacOS and Linux, of course. Even mobile OSes like iOS and Android can be considered to be ‘desktop OSes’ with the way that they’re being used these days, also since many smartphones and tablets can be hooked up to to a larger display, keyboard and mouse.

How to bootstrap Android development, and how to develop native Android applications has been covered before, including putting APK files together. These are the typical Android installation files, akin to other package manager packages. Of course, if you wish to publish to something like the Google Play Store, you’ll be forced into using app bundles, as well as various ways to signing the resulting package.

The idea of using a package for a built-in package manager instead of an executable installer is a common one on many platforms, with iOS and kin being similar. On FreeBSD, which also got a NymphCast port, you’d create a bundle for the pkg package manager, although you can also whip up an installer. In the case of NymphCast there is a ‘universal installer’ built into the Makefile after compilation via the fully automated setup.sh shell script, using the fact that OSes like Linux, FreeBSD and even Haiku are quite similar on a folder level.

That said, the Haiku port of NymphCast is still as much of a Beta as Haiku itself, as detailed in the write-up which I did on the topic. Once Haiku is advanced enough I’ll be creating packages for its pkgman package manager as well.

The Linux Chaos Vortex

There is a simple, universal way to distribute software across Linux distributions, and it’s called the ‘tar.gz method’, referring to the time-honored method of distributing source as a tarball, for local compilation. If this is not what you want, then there is the universal RPM installation format which died along with the Linux Standard Base. Fortunately many people in the Linux ecosystem have worked tirelessly to create new standards which will definitely, absolutely, totally resolve the annoying issue of having to package your applications into RPMs, DEBs, Snaps, Flatpaks, ZSTs, TBZ2s, DNFs, YUMs, and other easily remembered standards.

It is this complete and utter chaos with Linux distros which has made me not even try to create packages for these, and instead offer only the universal .tar.gz installation method. After un-tar-ing the server code, simply run [url=https://github.com/MayaPosch/NymphCast/blob/master/setup.sh]setup.sh[/url] and lean back while it compiles the thing. After that, run install_linux.sh and presto, the whole shebang is installed without further ado. I also provided an uninstall_linux.sh script to complete the experience.

That said, at least one Linux distro has picked up NymphCast and its dependencies like Libnymphcast and NymphRPC into their repository: Alpine Linux. Incidentally FreeBSD also has an up to date package of NymphCast in its repository. I’m much obliged to these maintainers for providing this service.

Perhaps the lesson here is that if you want to get your neatly compiled and packaged application on all Linux distributions, you just need to make it popular enough that people want to use it, so that it ends up getting picked up by package repository contributors?

Wrapping Up

With so many details to cover, there’s also the easily forgotten topic that was so prevalent in the Windows installer section: integration with the desktop environment. On Windows, the Start menu is populated via simple shortcut files, while one sort-of standard on Linux (and FreeBSD as corollary) are Freedesktop’s XDC Desktop Entry files. Or .desktop files for short, which purportedly should give you a similar effect.

Only that’s not how anything works with the Linux ecosystem, as every single desktop environment has its own ideas on how these files should be interpreted, where they should be located, or whether to ignore them completely. My own experiences there are that relying on them for more advanced features, such as auto-starting a graphical application on boot (which cannot be done with Systemd, natch) without something throwing an XDG error or not finding a display is basically a fool’s errand. Perhaps that things are better here if you use KDE Plasma as DE, but this was an installer thing that I failed to solve after months of trial and error.

Long story short, OSes like Windows are pretty darn easy to install applications on, MacOS is okay as long as you have bought into the Apple ecosystem and don’t mind hanging out there, while FreeBSD is pretty simple until it touches the Linux chaos via X11 and graphical desktops. Meanwhile I’d strongly advise to only distribute software on Linux as a tarball, for your sanity’s sake.

hackaday.com/2025/12/11/creati…

Post-exploitation frameworks

Threat actors frequently employ post-exploitation frameworks in cyberattacks to maintain control over compromised hosts and move laterally within the organization’s network. While they once favored closed-source frameworks, such as Cobalt Strike and Brute Ratel C4, open-source projects like Mythic, Sliver, and Havoc have surged in popularity in recent years. Malicious actors are also quick to adopt relatively new frameworks, such as Adaptix C2.

Analysis of popular frameworks revealed that their development focuses heavily on evading detection by antivirus and EDR solutions, often at the expense of stealth against systems that analyze network traffic. While obfuscating an agent’s network activity is inherently challenging, agents must inevitably communicate with their command-and-control servers. Consequently, an agent’s presence in the system and its malicious actions can be detected with the help of various network-based intrusion detection systems (IDS) and, of course, Network Detection and Response (NDR) solutions.

This article examines methods for detecting the Mythic framework within an infrastructure by analyzing network traffic. This framework has gained significant traction among various threat actors, including Mythic Likho (Arcane Wolf) и GOFFEE (Paper Werewolf), and continues to be used in APT and other attacks.

The Mythic framework

Mythic C2 is a multi-user command and control (C&C, or C2) platform designed for managing malicious agents during complex cyberattacks. Mythic is built on a Docker container architecture, with its core components – the server, agents, and transport modules – written in Python. This architecture allows operators to add new agents, communication channels, and custom modifications on the fly.

Since Mythic is a versatile tool for the attacker, from the defender’s perspective, its use can align with multiple stages of the Unified Kill Chain, as well as a large number of tactics, techniques, and procedures in the MITRE ATT&CK® framework.

• Pivoting is a tactic where the attacker uses an already compromised system as a pivot point to gain access to other systems within the network. In this way, they gradually expand their presence within the organization’s infrastructure, bypassing firewalls, network segmentation, and other security controls.
• Collection (TA0009) is a tactic focused on gathering and aggregating information of value to the attacker: files, credentials, screenshots, and system logs. In the context of network operations, collection is often performed locally on compromised hosts, with data then packaged for transfer. Tools like Mythic automate the discovery and selection of data sought by the adversary.
• Exfiltration (TA0010) is the process of moving collected information out of the secured network via legitimate or covert channels, such as HTTP(s), DNS, or SMB, etc. Attackers may use resident agents or intermediate relays (pivot hosts) to conceal the exfiltration source and route.
• Command and Control (TA0011) encompasses the mechanisms for establishing and maintaining a communication channel between the operator and compromised hosts to transmit commands and receive status updates. This includes direct connections, relaying through pivot hosts, and the use of covert protocols. Frameworks like Mythic provide advanced C2 capabilities, such as scheduled command execution, tunneling, and multi-channel communication, which complicate the detection and blocking of their activity.

This article focuses exclusively on the Command and Control (TA0011) tactic, whose techniques can be effectively detected within the network traffic of Mythic agents.

Detecting Mythic agent activity in network traffic

At the time of writing, Mythic supports data transfer over HTTP/S, WebSocket, TCP, SMB, DNS, and MQTT. The platform also boasts over a dozen different agents, written in Go, Python, and C#, designed for Windows, macOS, and Linux.

Mythic employs two primary architectures for its command network:

• In this model, agents communicate with adjacent agents forming a chain of connections which eventually leads to a node communicating directly with the Mythic C2 server. For this purpose, agents utilize TCP and SMB.
• In this model, agents communicate directly with the C2 server via HTTP/S, WebSocket, MQTT, or DNS.

P2P communication

Mythic provides pivoting capabilities via named SMB pipes and TCP sockets. To detect Mythic agent activity in P2P mode, we will examine their network traffic and create corresponding Suricata detection rules (signatures).

P2P communication via SMB

When managing agents via the SMB protocol, a named pipe is used by default for communication, with its name matching the agent’s UUID.

Although this parameter can be changed, it serves as a reliable indicator and can be easily described with a regular expression. Example:
[a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12}

For SMB communication, agents encode and encrypt data according to the pattern: base64(UUID+AES256(JSON)). This data is then split into blocks and transmitted over the network. The screenshot below illustrates what a network session for establishing a connection between agents looks like in Wireshark.

Commands and their responses are packaged within the MythicMessage data structure. This structure contains three header fields, as well as the commands themselves or the corresponding responses:

• Total size (4 bytes)
• Number of data blocks (4 bytes)
• Current block number (4 bytes)
• Base64-encoded data

The screenshot below shows an example of SMB communication between agents.

The agent (10.63.101.164) sends a command to another agent in the MythicMessage format. The first three Write Requests transmit the total message size, total number of blocks, and current block number. The fourth request transmits the Base64-encoded data. This is followed by a sequence of Read Requests, which are also transmitted in the MythicMessage format.

Below are the data transmitted in the fourth field of the MythicMessage structure.

The content is encoded in Base64. Upon decoding, the structure of the transmitted information becomes visible: it begins with the UUID of the infected host, followed by a data block encrypted using AES-256.

The fact that the data starts with a UUID string can be leveraged to create a signature-based detection rule that searches network packets for the identifier pattern.

To search for packets containing a UUID, the following signature can be applied. It uses specific request types and protocol flags as filters (Command: Ioctl (11), Function: FSCTL_PIPE_WAIT (0x00110018)), followed by a check to see if the pipe name matches the UUID pattern.
alert tcp any any -> any [139, 445] (msg: "Trojan.Mythic.SMB.C&C"; flow: to_server, established; content: "|fe|SMB"; offset: 4; depth: 4; content: "|0b 00|"; distance: 8; within: 2; content: "|18 00 11 00|"; distance: 48; within: 12; pcre: "/\x48\x00\x00\x00[\x00-\xFF]{2}([a-z0-9]\x00){8}\-\x00([a-z0-9]\x00){4}\-\x00([a-z0-9]\x00){4}\-\x00([a-z0-9]\x00){4}\-\x00([a-z0-9]\x00){12}$/R"; threshold: type both, track by_src, count 1, seconds 60; reference: url, github.com/MythicC2Profiles/sm… classtype: ndr1; sid: 9000101; rev: 1;)
Agent activity can also be detected by analyzing data transmitted in SMB WriteRequest packets with the protocol flag Command: Write (9) and a distinct packet structure where the BlobOffset and BlobLen fields are set to zero. If the Data field is Base64-encoded and, after decoding, begins with a UUID-formatted string, this indicates a command-and-control channel.
alert tcp any any -> any [139, 445] (msg: "Trojan.Mythic.SMB.C&C"; flow: to_server, established; dsize: > 360; content: "|fe|SMB"; offset: 4; depth: 4; content: "|09 00|"; distance: 8; within: 2; content: "|00 00 00 00 00 00 00 00 00 00 00 00|"; distance: 86; within: 12; base64_decode: bytes 64, offset 0, relative; base64_data; pcre: "/^[a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12}/"; threshold: type both, track by_src, count 1, seconds 60; reference: url, github.com/MythicC2Profiles/sm… classtype: ndr1; sid: 9000102; rev: 1;)
Below is the KATA NDR user interface displaying an alert about detecting a Mythic agent operating in P2P mode over SMB. In this instance, the first rule – which checks the request type, protocol flags, and the UUID pattern – was triggered.

It should be noted that these signatures have a limitation. If the SMBv3 protocol with encryption enabled is used, Mythic agent activity cannot be detected with signature-based methods. A possible alternative is behavioral analysis. However, in this context, it suffers from low accuracy and a high false-positive rate. The SMB protocol is widely used by organizations for various legitimate purposes, making it difficult to isolate behavioral patterns that definitively indicate malicious activity.

P2P communication via TCP

Mythic also supports P2P communications via TCP. The connection initialization process appears in network traffic as follows:

As with SMB, the MythicMessage structure is used for transmitting and receiving data. First, the data length (4 bytes) is sent as a big-endian DWORD in a separate packet. Subsequent packets transmit the number of data blocks, the current block number, and the data itself. However, unlike SMB packets, the value of the current block number field is always 0x00000000, due to TCP’s built-in packet fragmentation support.

The data encoding scheme is also analogous to what we observed with SMB and appears as follows: base64(UUID+AES256(JSON)). Below is an example of a network packet containing Mythic data.

The decoded data appears as follows:

Similar to communication via SMB, signature-based detection rules can be created for TCP traffic to identify Mythic agent activity by searching for packets containing UUID-formatted strings. Below are two Suricata detection rules. The first rule is a utility rule. It does not generate security alerts but instead tags the TCP session with an internal flag, which is then checked by another rule. The second rule verifies the flag and applies filters to confirm that the current packet is being analyzed at the beginning of a network session. It then decodes the Base64 data and searches the resulting content for a UUID-formatted string.
alert tcp any any -> any any (msg: "Trojan.Mythic.TCP.C&C"; flow: from_server, established; dsize: 4; stream_size: server, <, 6; stream_size: client, <, 3; content: "|00 00|"; depth: 2; pcre: "/^\x00\x00[\x00-\x5C]{1}[\x00-\xFF]{1}$/"; flowbits: set, mythic_tcp_p2p_msg_len; flowbits: noalert; threshold: type both, track by_src, count 1, seconds 60; reference: url, github.com/MythicC2Profiles/tc… classtype: ndr1; sid: 9000103; rev: 1;)

alert tcp any any -> any any (msg: "Trojan.Mythic.TCP.C&C"; flow: from_server, established; dsize: > 300; stream_size: server, <, 6000; stream_size: client, <, 6000; flowbits: isset, mythic_tcp_p2p_msg_len; content: "|00 00 00|"; depth: 3; content: "|00 00 00 00|"; distance: 1; within: 4; base64_decode: bytes 64, offset 0, relative; base64_data; pcre: "/^[a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12}/"; threshold: type both, track by_src, count 1, seconds 60; reference: url, github.com/MythicC2Profiles/tc… classtype: ndr1; sid: 9000104; rev: 1;)
Below is the NDR interface displaying an example of the two rules detecting a Mythic agent operating in P2P mode over TCP.

Egress transport modules

Covert Egress communication

For stealthy operations, Mythic allows agents to be managed through popular services. This makes its activity less conspicuous within network traffic. Mythic includes transport modules based on the following services:

• Discord
• GitHub
• Slack

Of these, only the first two remain relevant at the time of writing. Communication via Slack (the Slack C2 Profile transport module) is no longer supported by the developers and is considered deprecated, so we will not examine it further.

The Discord C2 Profile transport module

The use of the Discord service as a mediator for C2 communication within the Mythic framework has been gaining popularity recently. In this scenario, agent traffic is indistinguishable from normal Discord activity, with commands and their execution results masquerading as messages and file attachments. Communication with the server occurs over HTTPS and is encrypted with TLS. Therefore, detecting Mythic traffic requires decrypting this.

Analyzing decrypted TLS traffic

Let’s assume we are using an NDR platform in conjunction with a network traffic decryption (TLS inspection) system to detect suspicious network activity. In this case, we operate under the assumption that we can decrypt all TLS traffic. Let’s examine possible detection rules for that scenario.

Agent and server communication occurs via Discord API calls to send messages to a specific channel. Communication between the agent and Mythic uses the MythicMessageWrapper structure, which contains the following fields:

• message: the transmitted data
• sender_id: a GUID generated by the agent, included in every message
• to_server: a direction flag – a message intended for the server or the agent
• id: not used
• final: not used

Of particular interest to us is the message field, which contains the transmitted data encoded in Base64. The MythicMessageWrapper message is transmitted in plaintext, making it accessible to anyone with read permissions for messages on the Discord server.

Below is an example of data transmission via messages in a Discord channel.

To establish a connection, the agent authenticates to the Discord server via the API call /api/v10/gateway/bot. We observe the following data in the network traffic:

After successful initialization, the agent gains the ability to receive and respond to commands. To create a message in the channel, the agent makes a POST request to the API endpoint /channels/<channel.id>/messages. The network traffic for this call is shown in the screenshot below.

After decoding the Base64, the content of the message field appears as follows:

A structure characteristic of a UUID is visible at the beginning of the packet.

After processing the message, the agent deletes it from the channel via a DELETE request to the API endpoint /channels/{channel.id}/messages/{message.id}.

Below is a Suricata rule that detects the agent’s Discord-based communication activity. It checks the API activity for creating HTTP messages for the presence of Base64-encoded data containing the agent’s UUID.
alert tcp any any -> any any (msg: "Trojan.Mythic.HTTP.C&C"; flow: to_server, established; content: "POST"; http_method; content: "/api/"; http_uri; content: "/channels/"; distance: 0; http_uri; pcre: "/\/messages$/U"; content: "|7b 22|content|22|"; depth: 20; http_client_body; content: "|22|sender_id"; depth: 1500; http_client_body; pcre: "/\x22sender_id\x5c\x22\x3a\x5c\x22[a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12}/"; threshold: type both, track by_src, count 1, seconds 60; reference: url, github.com/MythicC2Profiles/di… classtype: ndr1; sid: 9000105; rev: 1;)
Below is the NDR user interface displaying an example of detecting the activity of the Discord C2 Profile transport module for a Mythic agent within decrypted HTTP traffic.

Analyzing encrypted TLS traffic

If Discord usage is permitted on the network and there is no capability to decrypt traffic, it becomes nearly impossible to detect agent activity. In this scenario, behavioral analysis of requests to the Discord server may prove useful. Below is network traffic showing frequent TLS connections to the Discord server, which could indicate commands being sent to an agent.

In this case, we can use a Suricata rule to detect the frequent TLS sessions with Discord servers:
alert tcp any any -> any any (msg: "NetTool.PossibleMythicDiscordEgress.TLS.C&C"; flow: to_server, established; tls_sni; content: "discord.com"; nocase; threshold: type both, track by_src, count 4, seconds 420; reference: url, github.com/MythicC2Profiles/di… classtype: ndr3; sid: 9000106; rev: 1;)
Another method for detecting these communications involves tracking multiple DNS queries to the discord.com domain.

The following rule can be applied to detect these:
alert udp any any -> any 53 (msg: "NetTool.PossibleMythicDiscordEgress.DNS.C&C"; content: "|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content: "|07|discord|03|com|00|"; nocase; distance: 0; threshold: type both, track by_src, count 4, seconds 60; reference: url, github.com/MythicC2Profiles/di… classtype: ndr3; sid: 9000107; rev: 1;)
Below is the NDR user interface showing an example of a custom rule in operation, detecting the activity of the Discord C2 Profile transport module for a Mythic agent within encrypted traffic based on characteristic DNS queries.

The proposed rule options have low accuracy and can generate a high number of false positives. Therefore, they must be adapted to the specific characteristics of the infrastructure in which they will run. Threshold and count parameters, which control the triggering frequency and time window, require tuning.

GitHub C2 Profile transport module

GitHub’s popularity has made it an attractive choice as a mediator for managing Mythic agents. The core concept is the same as in other covert Egress communication transport modules. Communication with GitHub utilizes HTTPS. Successful operation requires an account on the target platform and the ability to communicate via API calls. The transport module utilizes the GitHub API to send comments to pre-created Issues and to commit files to a branch within a repository controlled by the attackers. In this model, the agent interacts only with GitHub: it creates and reads comments, uploads files, and manages branches. It does not communicate with any other servers. The communication algorithm via GitHub is as follows:

1. The agent posts a comment (check-in) to a designated Issue on GitHub, intended for agents to report their results.
2. The Mythic server validates the comment, deletes it, and posts a reply in an issue designated for server use.
3. The agent creates a branch with a name matching its UUID and writes a get_tasking file to it (performs a push request).
4. The Mythic server reads the file and writes a response file to the same branch.
5. The agent reads the response file, deletes the branch, pauses, and repeats the cycle.

Analyzing decrypted TLS traffic

Let’s consider an approach to detecting agent activity when traffic decryption is possible.

Agent communication with the server utilizes API calls to GitHub. The payload is encoded in Base64 and published in plaintext; therefore, anyone who can view the repository or analyze the traffic contents can decode it.

Analysis of agent communication revealed that the most useful traffic for creating detection rules is associated with publishing check-in comments, creating a branch, and publishing a file.

During the check-in phase, the agent posts a comment to register a new agent and establish communication.

The transmitted data is encoded in Base64 and contains the agent’s UUID and the portion of the message encrypted using AES-256.

This allows for a signature that detects UUID-formatted substrings within GitHub comment creation requests.
alert tcp any any -> any any (msg: "Trojan.Mythic.HTTP.C&C"; flow: to_server, established; content: "POST"; http_method; content: "api.github.com"; http_host; content: "/repos/"; depth: 8; http_uri; pcre: "/\/comments$/U"; content: "|22|body|22|"; depth: 8; http_client_body; base64_decode: bytes 300, offset 2, relative; base64_data; pcre: "/^[a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12}/"; threshold: type both, track by_src, count 1, seconds 60; reference: url, github.com/MythicC2Profiles/gi… classtype: ndr1; sid: 9000108; rev: 1;)
Another stage suitable for detection is when the agent creates a separate branch with its UUID as the name. All subsequent relevant communication with the server will occur within this branch. Here is an example of a branch creation request:

Therefore, we can create a detection rule to identify UUID-formatted strings within branch creation requests.
alert tcp any any -> any any (msg: "Trojan.Mythic.HTTP.C&C"; flow: to_server, established; content: "POST"; http_method; content: "api.github.com"; http_host; content: "/repos/"; depth: 100; http_uri; content: "/git/refs"; distance: 0; http_uri; content: "|22|ref|22 3a|"; depth: 10; http_client_body; content: "refs/heads/"; distance: 0; within: 50; http_client_body; pcre: "/refs\/heads\/[a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12}\x22/"; threshold: type both, track by_src, count 1, seconds 60; reference: url, github.com/MythicC2Profiles/gi… classtype: ndr1; sid: 9000109; rev: 1;)
After creating the branch, the agent writes a file to it (sends a push request), which contains Base64-encoded data.

Therefore, we can create a rule to trigger on file publication requests to a branch whose name matches the UUID pattern.
alert tcp any any -> any any (msg: "Trojan.Mythic.HTTP.C&C"; flow: to_server, established; content: "PUT"; http_method; content: "api.github.com"; http_host; content: "/repos/"; depth:8; http_uri; content: "/contents/"; distance: 0; http_uri; content: "|22|content|22|"; depth: 100; http_client_body; pcre: "/\x22message\x22\x3a\x22[a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12}\x22/"; threshold: type both, track by_src, count 1, seconds 60; reference: url, github.com/MythicC2Profiles/gi… classtype: ndr1; sid: 9000110; rev: 1;)
The screenshot below shows how the NDR solution logs all suspicious communications using the GitHub API and subsequently identifies the Mythic agent’s activity. The result is an alert with the verdict Trojan.Mythic.HTTP.C&C.

Analyzing encrypted TLS traffic

Communication with GitHub occurs over HTTPS; therefore, in the absence of traffic decryption capability, signature-based methods for detecting agent activity cannot be applied. Let’s consider a behavioral agent activity detection approach.

For instance, it is possible to detect connections to GitHub servers that are atypical in frequency and purpose, originating from network segments where this activity is not expected. The screenshot below shows an example of an agent’s multiple TLS sessions. The traffic reflects the execution of several commands, as well as idle time, manifested as constant polling of the server while awaiting new tasks.

Multiple TLS sessions with the GitHub service from uncharacteristic network segments can be detected using the rule presented below:
alert tcp any any -> any any (msg:"NetTool.PossibleMythicGitHubEgress.TLS.C&C"; flow: to_server, established; tls_sni; content: "api.github.com"; nocase; threshold: type both, track by_src, count 4, seconds 60; reference: url, github.com/MythicC2Profiles/gi… classtype: ndr3; sid: 9000111; rev: 1;)

Additionally, multiple DNS queries to the service can be logged in the traffic.

This activity is detected with the help of the following rule:
alert udp any any -> any 53 (msg: "NetTool.PossibleMythicGitHubEgress.DNS.C&C"; content: "|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content: "|03|api|06|github|03|com|00|"; nocase; distance: 0; threshold: type both, track by_src, count 12, seconds 180; reference: url, github.com/MythicC2Profiles/gi… classtype: ndr3; sid: 9000112; rev: 1;)
The screenshot below shows the NDR interface with an example of the first rule in action, detecting traces of the GitHub profile activity for a Mythic agent within encrypted TLS traffic.

The suggested rule options can produce false positives, so to improve their effectiveness, they must be adapted to the specific characteristics of the infrastructure in which they will run. The parameters of the threshold keyword – specifically the count and seconds values, which control the number of events required to generate an alert and the time window for their occurrence in NDR – must be configured.

Direct Egress communication

The Egress communication model allows agents to interact directly with the C2 server via the following protocols:

• HTTP(S)
• WebSocket
• MQTT
• DNS

The first two protocols are the most prevalent. The DNS-based transport module is still under development, and the module based on MQTT sees little use among operators. We will not examine them within the scope of this article.

Communication via HTTP

HTTP is the most common protocol for building a Mythic agent control network. The HTTP transport container acts as a proxy between the agents and the Mythic server. It allows data to be transmitted in both plaintext and encrypted form. Crucially, the metadata is not encrypted, which enables the creation of signature-based detection rules.

Below is an example of unencrypted Mythic network traffic over HTTP. During a GET request, data encoded in Base64 is passed in the value of the query parameter.

After decoding, the agent’s UUID – generated according to a specific pattern – becomes visible. This identifier is followed by a JSON object containing the key parameters of the host, collected by the agent.

If data encryption is applied, the network traffic for agent communication appears as shown in the screenshot below.

After decrypting the traffic and decoding from Base64, the communication data reveals the familiar structure: UUID+AES256(JSON).

Therefore, to create a detection signature for this case, we can also rely on the presence of a UUID within the Base64-encoded data in POST requests.
alert tcp any any -> any any (msg: "Trojan.Mythic.HTTP.C&C"; flow: to_server, established; content: "POST"; http_method; content: "|0D 0A 0D 0A|"; base64_decode: bytes 80, offset 0, relative; base64_data; content: "-"; offset: 8; depth: 1; content: "-"; distance: 4; within: 1; content: "-"; distance: 4; within: 1; content: "-"; distance: 4; within: 1; pcre: "/[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}/"; threshold: type both, track by_src, count 1, seconds 180; reference: md5, 6ef89ccee639b4df42eaf273af8b5ffd; classtype: trojan1; sid: 9000113; rev: 2;)
The screenshot below shows how the NDR platform detects agent communication with the server over HTTP, generating an alert with the name Trojan.Mythic.HTTP.C&C.

Communication via HTTPS

Mythic agents can communicate with the server via HTTPS using the corresponding transport module. In this case, data is encrypted with TLS and is not amenable to signature-based analysis. However, the activity of Mythic agents can be detected if they use the default SSL certificate. Below is an example of network traffic from a Mythic agent with such a certificate.

For this purpose, the following signature is applied:
alert tcp any any -> any any (msg: "Trojan.Mythic.HTTPS.C&C"; flow: established, from_server, no_stream; content: "|16 03|"; content: "|0B|"; distance: 3; within: 1; content: "Mythic C2"; distance: 0; reference: url, github.com/its-a-feature/Mythi… classtype: ndr1; sid: 9000114; rev: 1;)

WebSocket

The WebSocket protocol enables full-duplex communication between a client and a remote host. Mythic can utilize it for agent management.

The process of agent communication with the server via WebSocket is as follows:

1. The agent sends a request to the WebSocket container to change the protocol for the HTTP(S) connection.
2. The agent and the WebSocket container switch to WebSocket to send and receive messages.
3. The agent sends a message to the WebSocket container requesting tasks from the Mythic container.
4. The WebSocket container forwards the request to the Mythic container.
5. The Mythic container returns the tasks to the WebSocket container.
6. The WebSocket container forwards these tasks to the agent.

It is worth mentioning that in this communication model, both the WebSocket container and the Mythic container reside on the Mythic server. Below is a screenshot of the initial agent connection to the server.

An analysis of the TCP session shows that the actual data is transmitted in the data field in Base64 encoding.

Decoding reveals the familiar data structure: UUID+AES256(JSON).

Therefore, we can use an approach similar to those discussed above to detect agent activity. The signature should rely on the UUID string at the beginning of the data field. The rule first verifies that the session data matches the data:base64 format, then decodes the data field and searches for a string matching the UUID pattern.
alert tcp any any -> any any (msg: "Trojan.Mythic.WebSocket.C&C"; flow: established, from_server; content: "|7B 22|data|22 3a 22|"; depth: 14; pcre: "/^[0-9a-zA-Z\/\+]+[=]{0,2}\x22\x7D\x0A$/R"; content: "|7B 22|data|22 3a 22|"; depth: 14; base64_decode: bytes 48, offset 0, relative; base64_data; pcre: "/^[a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12}/i"; threshold: type both, track by_src, count 1, seconds 30; reference: url, github.com/MythicAgents/; classtype: ndr1; sid: 9000115; rev: 2;)
Below is the Trojan.Mythic.WebSocket.C&C signature triggering on Mythic agent communication over WebSocket.

Takeaways

The Mythic post-exploitation framework continues to gain popularity and evolve rapidly. New agents are emerging, designed for covert persistence within target infrastructures. Despite this evolution, the various implementations of network communication in Mythic share many common characteristics that remain largely consistent over time. This consistency enables IDS/NDR solutions to effectively detect the framework’s agent activity through network traffic analysis.

Mythic supports a wide array of agent management options utilizing several network protocols. Our analysis of agent communications across these protocols revealed that agent activity can be detected by searching for specific data patterns within network traffic. The primary detection criterion involves tracking UUID strings in specific positions within Base64-encoded transmitted data. However, while the general approach to detecting agent activity is similar across protocols, each requires protocol-specific filters. Consequently, creating a single, universal signature for detecting Mythic agents in network traffic is challenging; individual detection rules must be crafted for each protocol. This article has provided signatures that are included in Kaspersky NDR.

Kaspersky NDR is designed to identify current threats within network infrastructures. It enables the detection of all popular post-exploitation frameworks based on their characteristic traffic patterns. Since the network components of these frameworks change infrequently, employing an NDR solution ensures high effectiveness in agent discovery.

Kaspersky verdicts in Kaspersky solutions (Kaspersky Anti-Targeted Attack with NDR module and Kaspersky NGFW)

Trojan.Mythic.SMB.C&C
Trojan.Mythic.TCP.C&C
Trojan.Mythic.HTTP.C&C
Trojan.Mythic.TLS.C&C
Trojan.Mythic.WebSocket.C&C

securelist.com/detecting-mythi…

It’s happened to all of us: you find the perfect model for your needs — a bracket, a box, a cable clip, but it only comes in STL, and doesn’t quite fit. That problem will never happen if you’re using Iteration3D to get your models, because every single thing on the site is fully-parametric, thanks to an open-source toolchain leveraging 123Dbuilds and Blender.

Blender gives you preview renderings, including colors where the models are set up for multi-material printing. Build123D is the CAD behind the curtain — if you haven’t heard of it, think OpenSCAD but in Python, but with chamfers and fillets. It actually leverages the same OpenCascade that’s behind everyone’s other favorite open-source CAD suite, FreeCAD. Anything you can do in FreeCAD, you can do in Build123D, but with code. Except you don’t need to learn the code if the model is on Iteration3D; you just set the parameters and push a button to get an STL of your exact specifications.

The downside is that, as of now, you are limited to the hard-coded templates provided by Iteration3D. You can modify their parameters to get the configuration and dimensions you need, but not the pythonic Build123D script that generates them. Nor can you currently upload your own models to be shared and parametrically altered, like Thingiverse had with their OpenSCAD-based customizer. That said, we were told that user-uploads are in the pipeline, which is great news and may well turn Iteration3D into our new favorite.

Right now, if you’re looking for a box or a pipe hanger or a bracket, plugging your numbers into Iteration3D’s model generator is going to be a lot faster than rolling your own, weather that rolling be done in OpenSCAD, FreeCAD, or one of those bits of software people insist on paying for. There’s a good variety of templates — 18 so far — so it’s worth checking out. Iteration3D is still new, having started in early 2025, so we will watch their career with great interest.

Going back to the problem in the introduction, if Iteration3D doesn’t have what you need and you still have an STL you need to change the dimensions of, we can help you with that.

Thanks to [Sylvain] for the tip!

hackaday.com/2025/12/11/iterat…

Cisco Talos ha identificato una nuova campagna ransomware chiamata DeadLock: gli aggressori sfruttano un driver antivirus Baidu vulnerabile (CVE-2024-51324) per disabilitare i sistemi EDR tramite la tecnica Bring Your Own Vulnerable Driver (BYOVD). Il gruppo non gestisce un sito di fuga di dati ma comunica con le vittime tramite Session Messenger.

Secondo Talos gli attacchi vengono eseguiti da un operatore motivato finanziariamente che ottiene l’accesso all’infrastruttura della vittima almeno cinque giorni prima della crittografia e prepara gradualmente il sistema per l’implementazione di DeadLock.

Uno degli elementi chiave della catena è BYOVD : gli aggressori stessi introducono nel sistema un driver Baidu Antivirus legittimo ma vulnerabile, BdApiUtil.sys, camuffato da DriverGay.sys, e il proprio loader, EDRGay.exe. Il loader inizializza il driver in modalità utente, stabilisce una connessione ad esso tramite CreateFile() e inizia a enumerare i processi alla ricerca di soluzioni antivirus ed EDR.

Successivamente, viene sfruttata la vulnerabilità CVE-2024-51324, un errore di gestione dei privilegi nel driver. Il loader invia uno speciale comando DeviceIOControl() al driver con codice IOCTL 0x800024b4 e il PID del processo di destinazione.

Dal lato kernel, il driver interpreta questo come una richiesta di terminazione del processo, ma a causa della vulnerabilità, non verifica i privilegi del programma chiamante. Eseguendo con privilegi kernel, il driver richiama semplicemente ZwTerminateProcess() e “termina” immediatamente il servizio di sicurezza, aprendo la strada ad ulteriori aggressori.

Prima di lanciare il ransomware, l’operatore esegue uno script PowerShell preparatorio sul computer della vittima. Innanzitutto, verifica i privilegi dell’utente corrente e, se necessario, si riavvia con privilegi amministrativi tramite RunAs, bypassando l’UAC e attenuando le restrizioni standard di PowerShell.

Dopo aver ottenuto i privilegi di amministratore, lo script disabilita Windows Defender e altri strumenti di sicurezza, arresta e disabilita i servizi di backup, i database e altri software che potrebbero interferire con la crittografia. Elimina inoltre tutti gli snapshot delle copie shadow del volume, privando la vittima degli strumenti di ripristino standard, e infine si autodistrugge, complicando l’analisi forense.

Lo script include anche un elenco dettagliato di eccezioni per i servizi critici per il sistema. Tra queste rientrano i servizi di rete (WinRM, DNS, DHCP), i meccanismi di autenticazione (KDC, Netlogon, LSM) e i componenti di base di Windows (RPCSS, Plug and Play, registro eventi di sistema).

Ciò consente agli aggressori di disabilitare il maggior numero possibile di componenti di sicurezza e applicativi senza causare l’arresto anomalo dell’intero sistema, consentendo alla vittima di leggere la nota, contattare il ransomware e pagare.

Talos ha notato che alcune sezioni dello script relative all’eliminazione delle condivisioni di rete e ai metodi alternativi per l’arresto dei processi erano commentate, a indicare che gli autori le intendevano come “opzioni” per scopi specifici. Lo script carica dinamicamente alcune eccezioni da un file run[.]txt esterno.

La telemetria indica che gli aggressori stanno accedendo alla rete della vittima tramite account legittimi compromessi. Dopo l’accesso iniziale, configurano l’accesso remoto persistente: utilizzando il comando reg add, modificano il valore di registro fDenyTSConnections per abilitare RDP. Quindi, utilizzando netsh advfirewall, creano una regola che apre la porta 3389, impostano il servizio RemoteRegistry in modalità on-demand e lo avviano, consentendo la gestione remota del registro.

Il giorno prima della crittografia, l’operatore installa una nuova istanza di AnyDesk su una delle macchine , nonostante altre installazioni del software siano già presenti nell’infrastruttura, rendendo questa distribuzione sospetta.

AnyDesk viene distribuito in modo silenzioso, con l’avvio di Windows abilitato, una password configurata per l’accesso silenzioso e gli aggiornamenti disabilitati che potrebbero interrompere le sessioni degli aggressori. Successivamente, inizia la ricognizione attiva e lo spostamento della rete: nltest viene utilizzato per trovare i controller di dominio e la struttura del dominio, net localgroup/domain per enumerare i gruppi privilegiati, ping e quser per verificare la disponibilità e gli utenti attivi, e infine mstsc e mmc compmgmt.msc per connettersi ad altri host tramite RDP o tramite lo snap-in Gestione Desktop remoto.

Il potenziale accesso alle risorse web interne viene rilevato dall’avvio di iexplore.exe con indirizzi IP interni.

L'articolo L’EDR è inutile! Gli hacker di DeadLock hanno trovato un “kill switch” universale proviene da Red Hot Cyber.

The age of cheap and powerful devices is upon us. How about a 20 EUR handheld game console intended for retro game emulation, that runs Linux under the hood? [Luiz Ferreira] kicks the tires of a R36S, a very popular and often cloned device running a quad-core RK3326 with an Ubuntu-based OS, and shows us how to write and cross-compile a simple app for it using Rust – even if you daily drive Windows.

Since a fair bit of the underlying Linux OS is exposed, you can quickly build even text applications and have them run on the console. For instance, [Luiz]’s app uses ratatui to scan then print button and joystick states to the screen. Perhaps the most important thing about this app is that it’s a detailed tutorial on cross-compiling Rust apps for a Linux target, and it runs wonders using WSL, too.

Installing your app is simple, too: SSH into it, username ark and password ark. Looking for a Linux-powered device with a bright screen, WiFi, a fair few rugged buttons, and an OS open for exploration? This one is quite reassuring in the age of usual portables like smartphones getting more and more closed-off to tinkering. And, if the store-bought hackable Linux consoles still aren’t enough, you can always step it up and build your own, reusing Joycons for your input needs while at it.

hackaday.com/2025/12/11/buildi…

Negli angoli più nascosti di internet, il traffico di dati rubati e accessi non autorizzati continua a prosperare. Un recente post apparso su un forum underground chiuso, mostra la vendita di 896 credenziali VPN FortiSSL, complete di indirizzo IP e credenziali in chiaro, a un prezzo complessivo di 3.000 dollari.

Il post nelle underground e la minaccia latente

L’annuncio, pubblicato da un utente elenca gli accessi disponibili per diverse nazioni, tra cui Stati Uniti, Germania, Austria, Singapore, Giappone, Corea del Sud, Italia, Emirati Arabi Uniti, Brasile, Svizzera e Francia. I dati sono offerti nel tradizionale formato ip:port user:password, facilmente utilizzabile da chiunque abbia conoscenze base di rete.

Disclaimer: Questo rapporto include screenshot e/o testo tratti da fonti pubblicamente accessibili. Le informazioni fornite hanno esclusivamente finalità di intelligence sulle minacce e di sensibilizzazione sui rischi di cybersecurity. Red Hot Cyber condanna qualsiasi accesso non autorizzato, diffusione impropria o utilizzo illecito di tali dati. Al momento, non è possibile verificare in modo indipendente l’autenticità delle informazioni riportate, poiché l’organizzazione coinvolta non ha ancora rilasciato un comunicato ufficiale sul proprio sito web. Di conseguenza, questo articolo deve essere considerato esclusivamente a scopo informativo e di intelligence.

La vendita di credenziali VPN rappresenta una minaccia crescente per aziende e privati. Le VPN, strumenti pensati per garantire privacy e sicurezza online, diventano così una porta d’ingresso per attacchi informatici mirati, furti di dati sensibili e attività di spionaggio digitale.

Il fatto che questi accessi siano commercializzati con una “garanzia dell’utente” evidenzia la professionalizzazione del mercato criminale, dove l’affidabilità del venditore è diventata un fattore di marketing tra i cybercriminali.

Secondo gli esperti di cybersecurity, forum di questo tipo stanno diventando sempre più sofisticati, offrendo non solo credenziali, ma veri e propri servizi di accesso a reti aziendali, server FTP e database. La presenza di accessi provenienti da diverse nazioni evidenzia inoltre l’internazionalità del fenomeno, che può avere ripercussioni globali se le credenziali vengono utilizzate per attacchi mirati.

Le autorità e le aziende sono quindi chiamate a rafforzare le difese dei sistemi VPN e ad adottare misure di sicurezza avanzate, come l’autenticazione a più fattori e il monitoraggio continuo degli accessi, per contrastare la proliferazione di credenziali rubate nel dark web.

Cosa devono fare le aziende italiane dopo aver letto questo articolo

L’allarme lanciato da questo post sottolinea quanto sia delicato il confine tra strumenti di protezione e vulnerabilità sfruttabili dai criminali: nel mondo digitale, anche una VPN, se compromessa, può trasformarsi in un rischio significativo per la sicurezza informatica.

Le aziende non possono permettersi di affidarsi alla speranza: la protezione dei sistemi VPN deve diventare una priorità strategica. È fondamentale implementare l’autenticazione a più fattori (MFA) per tutti gli accessi remoti, aggiornare regolarmente le configurazioni dei dispositivi e dei server VPN, e adottare soluzioni di monitoraggio continuo degli accessi e dei log di rete.

Anche la formazione del personale gioca un ruolo cruciale: sensibilizzare dipendenti e collaboratori sulle minacce legate a credenziali compromesse riduce significativamente il rischio di incidenti.

Inoltre, le aziende devono considerare la gestione proattiva delle credenziali, inclusa la rotazione periodica delle password e l’utilizzo di strumenti sicuri per la loro memorizzazione.

Controlli regolari sulle vulnerabilità, audit di sicurezza e simulazioni di attacco consentono di identificare e correggere punti deboli prima che possano essere sfruttati. Solo adottando un approccio integrato e costantemente aggiornato è possibile ridurre il rischio derivante dalla vendita e dall’utilizzo illecito di credenziali VPN nel dark web.

L'articolo 896 accessi a FortiSSL in vendita a 3.000$ tra i quali anche di aziende italiane proviene da Red Hot Cyber.

On December 4, 2025, researchers published details on the critical vulnerability CVE-2025-55182, which received a CVSS score of 10.0. It has been unofficially dubbed React4Shell, as it affects React Server Components (RSC) functionality used in web applications built with the React library. RSC speeds up UI rendering by distributing tasks between the client and the server. The flaw is categorized as CWE-502 (Deserialization of Untrusted Data). It allows an attacker to execute commands, as well as read and write files in directories accessible to the web application, with the server process privileges.

Almost immediately after the exploit was published, our honeypots began registering attempts to leverage CVE-2025-55182. This post analyzes the attack patterns, the malware that threat actors are attempting to deliver to vulnerable devices, and shares recommendations for risk mitigation.

A brief technical analysis of the vulnerability

React applications are built on a component-based model. This means each part of the application or framework should operate independently and offer other components clear, simple methods for interaction. While this approach allows for flexible development and feature addition, it can require users to download large amounts of data, leading to inconsistent performance across devices. This is the challenge React Server Components were designed to address.

The vulnerability was found within the Server Actions component of RSC. To reach the vulnerable function, the attacker just needs to send a POST request to the server containing a serialized data payload for execution. Part of the functionality of the handler that allows for unsafe deserialization is illustrated below:

A comparison of the vulnerable (left) and patched (right) functions

CVE-2025-55182 on Kaspersky honeypots

As the vulnerability is rather simple to exploit, the attackers quickly added it to their arsenal. The initial exploitation attempts were registered by Kaspersky honeypots on December 5. By Monday, December 8, the number of attempts had increased significantly and continues to rise.

The number of CVE-2025-55182 attacks targeting Kaspersky honeypots, by day (download)

Attackers first probe their target to ensure it is not a honeypot: they run whoami, perform multiplication in bash, or compute MD5 or Base64 hashes of random strings to verify their code can execute on the targeted machine.

In most cases, they then attempt to download malicious files using command-line web clients like wget or curl. Additionally, some attackers deliver a PowerShell-based Windows payload that installs XMRig, a popular Monero crypto miner.

CVE-2025-55182 was quickly weaponized by numerous malware campaigns, ranging from classic Mirai/Gafgyt variants to crypto miners and the RondoDox botnet. Upon infecting a system, RondoDox wastes no time, its loader script immediately moving to eliminate competitors:

Beyond checking hardcoded paths, RondoDox also neutralizes AppArmor and SELinux security modules and employs more sophisticated methods to find and terminate processes with ELF files removed for disguise.

Only after completing these steps does the script download and execute the main payload by sequentially trying three different loaders: wget, curl, and wget from BusyBox. It also iterates through 18 different malware builds for various CPU architectures, enabling it to infect both IoT devices and standard x86_64 Linux servers.

In some attacks, instead of deploying malware, the adversary attempted to steal credentials for Git and cloud environments. A successful breach could lead to cloud infrastructure compromise, software supply chain attacks, and other severe consequences.

Risk mitigation measures

We strongly recommend updating the relevant packages by applying patches released by the developers of the corresponding modules and bundles.
Vulnerable versions of React Server Components:

• react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, 19.2.0)
• react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, 19.2.0)
• react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, 19.2.0)

Bundles and modules confirmed as using React Server Components:

• next
• react-router
• waku
• @parcel/rsc
• @vitejs/plugin-rsc
• rwsdk

To prevent exploitation while patches are being deployed, consider blocking all POST requests containing the following keywords in parameters or the request body:

• #constructor
• # proto
• #prototype
• vm#runInThisContext
• vm#runInNewContext
• child_process#execSync
• child_process#execFileSync
• child_process#spawnSync
• module#_load
• module#createRequire
• fs#readFileSync
• fs#writeFileSync
• s#appendFileSync

Conclusion

Due to the ease of exploitation and the public availability of a working PoC, threat actors have rapidly adopted CVE-2025-55182. It is highly likely that attacks will continue to grow in the near term.

We recommend immediately updating React to the latest patched version, scanning vulnerable hosts for signs of malware, and changing any credentials stored on them.

Indicators of compromise

Malware URLs
hxxp://172.237.55.180/b
hxxp://172.237.55.180/c
hxxp://176.117.107.154/bot
hxxp://193.34.213.150/nuts/bolts
hxxp://193.34.213.150/nuts/x86
hxxp://23.132.164.54/bot
hxxp://31.56.27.76/n2/x86
hxxp://31.56.27.97/scripts/4thepool_miner[.]sh
hxxp://41.231.37.153/rondo[.]aqu[.]sh
hxxp://41.231.37.153/rondo[.]arc700
hxxp://41.231.37.153/rondo[.]armeb
hxxp://41.231.37.153/rondo[.]armebhf
hxxp://41.231.37.153/rondo[.]armv4l
hxxp://41.231.37.153/rondo[.]armv5l
hxxp://41.231.37.153/rondo[.]armv6l
hxxp://41.231.37.153/rondo[.]armv7l
hxxp://41.231.37.153/rondo[.]i486
hxxp://41.231.37.153/rondo[.]i586
hxxp://41.231.37.153/rondo[.]i686
hxxp://41.231.37.153/rondo[.]m68k
hxxp://41.231.37.153/rondo[.]mips
hxxp://41.231.37.153/rondo[.]mipsel
hxxp://41.231.37.153/rondo[.]powerpc
hxxp://41.231.37.153/rondo[.]powerpc-440fp
hxxp://41.231.37.153/rondo[.]sh4
hxxp://41.231.37.153/rondo[.]sparc
hxxp://41.231.37.153/rondo[.]x86_64
hxxp://51.81.104.115/nuts/bolts
hxxp://51.81.104.115/nuts/x86
hxxp://51.91.77.94:13339/termite/51.91.77.94:13337
hxxp://59.7.217.245:7070/app2
hxxp://59.7.217.245:7070/c[.]sh
hxxp://68.142.129.4:8277/download/c[.]sh
hxxp://89.144.31.18/nuts/bolts
hxxp://89.144.31.18/nuts/x86
hxxp://gfxnick.emerald.usbx[.]me/bot
hxxp://meomeoli.mooo[.]com:8820/CLoadPXP/lix.exe?pass=PXPa9682775lckbitXPRopGIXPIL
hxxps://api.hellknight[.]xyz/js
hxxps://gist.githubusercontent[.]com/demonic-agents/39e943f4de855e2aef12f34324cbf150/raw/e767e1cef1c35738689ba4df9c6f7f29a6afba1a/setup_c3pool_miner[.]sh

MD5 hashes
0450fe19cfb91660e9874c0ce7a121e0
3ba4d5e0cf0557f03ee5a97a2de56511
622f904bb82c8118da2966a957526a2b
791f123b3aaff1b92873bd4b7a969387
c6381ebf8f0349b8d47c5e623bbcef6b
e82057e481a2d07b177d9d94463a7441

securelist.com/cve-2025-55182-…

Appena due giorni dopo la scoperta della vulnerabilità critica di React2Shell, i ricercatori di Sysdig hanno scoperto un nuovo malware, EtherRAT, in un’applicazione Next.js compromessa. Il malware utilizza gli smart contract di Ethereum per la comunicazione e ottiene persistenza sui sistemi Linux in cinque modi.

Gli esperti ritengono che il malware sia correlato agli strumenti utilizzati dal gruppo nordcoreano Lazarus. Tuttavia, EtherRAT differisce dai campioni noti per diversi aspetti chiave.

React2Shell (CVE-2025-55182) è una vulnerabilità critica nella popolare libreria JavaScript React di Meta.Il problema, che ha ricevuto un punteggio CVSS di 10 su 10, è correlato alla deserializzazione non sicura dei dati nei componenti di React Server e consente l’esecuzione di codice remoto sul server utilizzando una normale richiesta HTTP (senza autenticazione o privilegi).

Il bug riguarda le ultime versioni 19.0, 19.1.0, 19.1.1 e 19.2.0 nelle configurazioni predefinite, nonché il famoso framework Next.js. Le correzioni sono state rilasciate nelle versioni 19.0.1, 19.1.2 e 19.2.1 di React, nonché per le versioni di Next.js interessate.

Gli esperti avvertono che potrebbero verificarsi problemi simili in altre librerie con implementazioni di React Server, tra cui: plugin Vite RSC, plugin Parcel RSC, anteprima di React Router RSC, RedwoodSDK e Waku.

La vulnerabilità è già stata sfruttata dai gruppi di hacker cinesi Earth Lamia e Jackpot Panda e almeno 30 organizzazioni sono state colpite dagli attacchi.

Gli attacchi iniziano sfruttando la vulnerabilità React2Shell. Una volta sfruttata, un comando shell codificato in base64 viene eseguito sul sistema di destinazione. Questo comando viene utilizzato per scaricare uno script s.sh dannoso tramite curl, wget o python3. Il comando viene ripetuto ogni 300 secondi fino al completamento del download. Lo script risultante viene verificato, gli vengono concessi i permessi di esecuzione e viene avviato.

Lo script crea quindi una directory nascosta in $HOME/.local/share/, dove scarica la versione 20.10.0 del runtime Node.js legittimo direttamente dal sito web ufficiale nodejs.org. Quindi scrive un payload crittografato e un dropper JavaScript offuscato, che viene eseguito tramite il binario Node scaricato. Lo script si elimina quindi da solo.

Il dropper legge il blob crittografato, lo decrittografa utilizzando una chiave AES-256-CBC codificata e scrive il risultato come un altro file JavaScript nascosto. Il payload decrittografato è EtherRAT, distribuito utilizzando Node.js precedentemente installato.

Secondo gli esperti, EtherRAT utilizza gli smart contract di Ethereum per il controllo, rendendo gli aggressori resistenti al blocco. Il malware interroga simultaneamente nove provider RPC pubblici di Ethereum e seleziona il risultato in base al voto a maggioranza, proteggendo dall’avvelenamento di un singolo nodo o di un sinkhole.

Ogni 500 millisecondi, il malware invia URL casuali, simili agli indirizzi CDN, al suo server di comando e controllo ed esegue il codice JavaScript restituito tramite AsyncFunction. Questo fornisce agli aggressori una shell Node.js interattiva a tutti gli effetti.

Secondo gli analisti, gli hacker nordcoreani hanno già utilizzato contratti intelligenti per distribuire malware. Questa tecnica, chiamata EtherHiding, è stata descritta in report di Google e GuardioLabs . Sysdig osserva inoltre che il pattern di download crittografato in EtherRAT corrisponde a quello del malware BeaverTail, utilizzato nella campagna Contagious Interview collegata alla Corea del Nord.

Il rapporto sottolinea inoltre l’estrema aggressività di EtherRAT nei sistemi Linux. Il malware utilizza cinque meccanismi per insediarsi nel sistema infetto:

• cron;
• iniezione in bashrc;
• Avvio automatico XDG;
• servizio utente systemd;
• iniezione nel profilo.

Un’altra caratteristica unica di EtherRAT è la sua capacità di auto-aggiornamento. Il malware carica il suo codice sorgente su un endpoint API e riceve codice sostituito con le stesse funzionalità ma con un offuscamento diverso. Il malware si sovrascrive quindi e avvia un nuovo processo con il payload aggiornato. Secondo i ricercatori, questo aiuta a eludere i meccanismi di rilevamento statici, può ostacolare l’analisi o aggiungere funzionalità specifiche.

Nel suo rapporto, Sysdig fornisce un breve elenco di indicatori di compromissione relativi all’infrastruttura di distribuzione EtherRAT e ai contratti Ethereum. I ricercatori raccomandano di verificare la presenza dei meccanismi di persistenza elencati, di monitorare il traffico RPC di Ethereum, di monitorare i log delle applicazioni e di ruotare regolarmente le credenziali.

L'articolo React2Shell sfruttata da Lazarus? Nasce EtherRAT, il malware che vive sulla blockchain proviene da Red Hot Cyber.

Aircraft parts generally have to meet very specific standards, because if certain parts fail, the aircraft falls out of the sky. This usually ends poorly, and is best avoided by using the proper equipment during repair and maintenance tasks. A great example of this comes to us from the UK, where a light aircraft crashed after an aftermarket 3D printed component failed. (via BBC)
It’s not supposed to look like that. Credit: AAIB
The report from the Air Accidents Investigation Branch tells the story. The owner of a Cozy MK IV light aircraft had fitted it with a 3D-printed air intake elbow, which fed the engine. During the landing phase of a recent flight, the air intake collapsed, starving the engine of air and leading to a loss of power. With precious little altitude and speed, the pilot was unable to reach the runway, landing short and crashing into part of the airfield’s instrument landing system (ILS). Thankfully, the pilot only suffered minor injuries.

Post-crash analysis revealed that the aircraft owner had installed the 3D-printed component, purchased from an air show in the United States. The part was believed to be printed in a CF-ABS filament, with a supposed glass transition temperature of 105 C. Noting this was above the glass transition temperature of the standard fiberglass epoxy resin part used in these aircraft, the owner believed the part to be fit for purpose. However, post-crash testing revealed the 3D printed part had a glass transition temperature of under 55 C, and also lacked the aluminium tube reinforcement of the standard intake. Thus, when it was used in the hot engine bay of the small aircraft, it eventually grew hot enough to fail, causing the loss of power that led to the crash.

The basic lesson here is easy to understand. Don’t rely on an untested 3D printed part when life and limb are on the line. You wouldn’t 3D print a seatbelt, now, would you? Stick to stuff that won’t hurt you if it fails, and be safe out there.

[Thanks to George Graves for the tip!]

hackaday.com/2025/12/10/3d-pri…

The Dutch word for sundial, zonnewijzer, can be literally translated into “Sun Pointer” according to [illusionmanager] — and he took that literal translation literally, building a reverse sundial so he would always know the precise location of our local star, even when it is occluded by clouds or the rest of the planet.

The electronics aren’t hugely complicated: an ESP32 dev board, an RTC board, and a couple of steppers. But the craftsmanship is, as usual for [illusionmanager], impeccable. You might guess that one motor controls the altitude and the other the azimuth of the LED-filament pointer (a neat find from AliExpress), but you’d be wrong.

This is more like an equatorial mount, in that the shaft the arrow spins upon is bent at a 23.5 degree angle. Through that hollow shaft a spring-steel wire connects the arrow to one stepper, to drive it through the day. The second stepper turns the shaft to keep the axis pointed correctly as Earth orbits the sun.

Either way you can get an arrow that always points at the sun, but this is lot more elegant than an alt-az mount would have been, at the expense of a fiddlier build. Given the existence of the orrery clock we featured from him previously, it’s safe to say that [illusionmanager] is not afraid of a fiddly build. Doing it this way also lets you read the ticks on the base just as you would a real sundial, which takes this from discussion piece to (semi) usable clock.

hackaday.com/2025/12/10/revers…

For as long as there have been supercomputers, people like us have seen the announcements and said, “Boy! I’d love to get some time on that computer.” But now that most of us have computers and phones that greatly outpace a Cray 2, what are we doing with them? Of course, a supercomputer today is still bigger than your PC by a long shot, and if you actually have a use case for one, [Stephen Wolfram] shows you how you can easily scale up your processing by borrowing resources from the Wolfram Compute Services. It isn’t free, but you pay with Wolfram service credits, which are not terribly expensive, especially compared to buying a supercomputer.

[Stephen] says he has about 200 cores of local processing at his house, and he still sometimes has programs that run overnight. If your program already uses a Wolfram language and uses parallelism — something easy to do with that toolbox — you can simply submit a remote batch job.

What constitutes a supercomputer? You get to pick. You can just offload your local machine using a single-core 8GB virtual machine — still a supercomputer by 1980s standards. Or you get machines with up to 1.5TB of RAM and 192 cores. Not enough for your mad science? No worries, you can map a computation across more than one machine, too.

As an example, [Stephen] shows a simple program that tiles pentagons:

When the number of pentagons gets large, a single line of code sends it off to the cloud:

RemoteBatchSubmit[PentagonTiling[500]]

The basic machine class did the work in six minutes and 30 seconds for a cost of 5.39 credits. He also shows a meatier problem running on a 192-core 384GB machine. That job took less than two hours and cost a little under 11,000 credits (credit cost from just over $4/1000 to $6/1000, depending on how many you buy, so this job cost about $55 to run). If two hours is too much, you can map the same job across many small machines, get the answer in a few minutes, and spend fewer credits in the process.

Supercomputers today are both very different from old supercomputers and yet still somewhat the same. If you really want that time on the Cray you always wanted, you might think about simulation.

hackaday.com/2025/12/10/your-s…

There’s a type of dust-collector that’s been popular since the 1990s, where a cube of acrylic or glass is laser-etched in a three-dimensional pattern. Some people call them bubblegrams. While it could be argued that bubblegrams are a sort of 3D display, they’re more like a photograph than a TV. [Ancient] had the brainwave that since these objects work by scattering light, he could use them as a proper 3D video display by controlling the light scattered from an appropriately-designed bubblegram.

Appropriately designed, in this case, means a point cloud, which is not exactly exciting to look at on its own. It’s when [Ancient] adds the colour laser scanning projector that things get exciting. Well, after some very careful alignment. We imagine if this was to go on to become more than a demonstrator some sort of machine-vision auto-aligning would be desirable, but [Ancient] is able to conquer three-dimensional keystoning manually for this demonstration. Considering he is, in effect, projection-mapping onto the tiny bubbles in the crystal, that’s impressive work. Check out the video embedded below.

With only around 38,000 points, the resolution isn’t exactly high-def, but it is enough for a very impressive proof-of-concept. It’s also not nearly as creepy as the Selectric-inspired mouth-ball that was the last [Ancient] project we featured. It’s also a lot less likely to take your fingers off than the POV-based volumetric display [Ancient] was playing DOOM on a while back.

For the record, this one runs the same DOOM port, too– it’s using the same basic code as [Ancient]’s other displays, which you can find on GitHub under an MIT license.

Thanks to [Hari Wiguna] for the tip.

youtube.com/embed/wrfBjRp61iY?…

hackaday.com/2025/12/10/volume…

Ever think about all the moving parts involving a big KiCad project going into production? You need to provide manufacturer documentation, assembly instructions and renders for them to reference, every output file they could want, and all of it has to always stay up to date. [Vincent Nguyen] has a software pipeline to create all the files and documentation you could ever want upon release – with an extensive installation and usage guide, helping you turn your KiCad projects truly production-grade.

This KiBot-based project template has no shortage of features. It generates assembly documents with custom processing for a number of production scenarios like DNPs, stackup and drill tables, fab notes, it adds features like table of contents and 3D renders into KiCad-produced documents as compared to KiCad’s spartan defaults, and it autogenerates all the outputs you could want – from Gerbers, .step and BOM files, to ERC/DRC reports and visual diffs.

This pipeline is Github-tailored, but it can also be run locally, and it works wonderfully for those moments when you need to release a PCB into the wild, while making sure that the least amount of things possible can go wrong during production. With all the features, it might take a bit to get used to. Don’t need fully-featured, just some GitHub page images? Use this simple plugin to auto-add render images in your KiCad repositories, then.

youtube.com/embed/63R6Wnx44uY?…

We thank [Jaac] for sharing this with us!

hackaday.com/2025/12/10/produc…

This week Jonathan chats with K. S. Bhaskar about YottaDB. This very high performance database has some unique tricks! How does YottaDB run across multiple processes without a daemon? Why is it licensed AGPL, and how does that work with commercial deployments? Watch to find out!

• yottadb.com/feed/
• github.com/YottaDB/YDB

youtube.com/embed/aUhdny-zHdw?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or have the guest contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:

• Spotify
• RSS

Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

hackaday.com/2025/12/10/floss-…

Il mondo della tecnologia quantistica ha compiuto un balzo in avanti impressionante:

QuantWare ha presentato il primo processore al mondo da 10.000 qubit, 100 volte più di qualsiasi dispositivo esistente. Inoltre, il nuovo chip occupa ancora meno spazio rispetto ai sistemi attuali, rendendo questa svolta particolarmente degna di nota in un contesto di anni di stagnazione nella scalabilità dei processori quantistici.

Per quasi un decennio, il settore non è riuscito a superare la soglia dei 100 qubit. Google è riuscita a passare da 53 a 105 qubit solo in sei anni, mentre IBM ha introdotto un processore da 1.121 qubit nel 2023 e non prevede una crescita significativa almeno fino al 2028. Di fronte alle limitazioni hardware, le aziende sono state costrette a combinare più chip di piccole dimensioni anziché aumentare la potenza di uno solo. Ciò ha complicato l’architettura, aumentato i costi e ostacolato il progresso reale.

QuantWare sostiene che la sua nuova architettura rimuove questa barriera.

Si basa sulla scalabilità 3D e su un design modulare a livello di chiplet, supportando 40.000 linee di I/O e interconnessioni interchip ad alta precisione. Questo approccio consente la costruzione di unità di elaborazione quantistica (QPU) monolitiche di grandi dimensioni senza sacrificare affidabilità o prestazioni.

L’azienda sostiene che il nuovo sistema offre una potenza di calcolo significativamente maggiore per dollaro e per watt rispetto alle soluzioni multi-chip, e l’architettura stessa potrebbe diventare uno standard di scalabilità a livello di settore. Qualsiasi organizzazione che lavori con qubit superconduttori potrà utilizzarlo per creare dispositivi quantistici più potenti.

QuantWare sta sviluppando contemporaneamente l’ecosistema Quantum Open Architecture, che ora includeNVIDIA NVQLink. Combinata con l’architettura proprietaria di QuantWare, questa tecnologia combina il calcolo quantistico iperscalabile con il calcolo classico ad alte prestazioni, accessibile tramite NVIDIA CUDA-Q. L’azienda è convinta che la combinazione di VIO e NVQLink offra la scalabilità di cui il settore ha disperatamente bisogno oggi.

Insieme all’annuncio, l’azienda ha anche annunciato l’intenzione di costruire un impianto Kilofab su larga scala. L’impianto, la cui apertura è prevista per il 2026 a Delft, nei Paesi Bassi, diventerà la prima fabbrica al mondo dedicata ai dispositivi Quantum Open Architecture e uno dei più grandi impianti di produzione quantistica mai progettati. QuantWare spedisce già più processori quantistici di qualsiasi altro produttore commerciale in termini di volume, e Kilofab aumenterà questa capacità di 20 volte.

Matt Rijlaarsdam, CEO di QuantWare, ha definito questo un punto di svolta atteso da tempo.

Ha osservato che per anni gli specialisti si erano limitati a teorizzare le capacità dei sistemi quantistici, poiché il settore era limitato a 100 qubit e non poteva raggiungere una potenza di calcolo economicamente significativa. Il nuovo processore, ha affermato, rimuove finalmente questa barriera e apre la strada a computer quantistici realmente utili . “Con il VIO-40K, stiamo offrendo all’intero ecosistema l’accesso all’architettura di processore quantistico più potente e scalabile mai realizzata”, ha sottolineato.

I preordini sono già aperti e le prime unità saranno consegnate ai clienti nel 2028.

Ricordiamo che nel 2019 Craig Gidney e Martin Ekerå stimarono, nel loro lavoro intitolato “How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits”, che un dispositivo quantistico con circa 20 milioni di qubit fisici “rumorosi” — connessi in una griglia piana e corretti con codice superficie (surface code) — sarebbe teoricamente in grado di fattorizzare una chiave RSA a 2048 bit in circa 8 ore.

Tuttavia, in un aggiornamento del 2025 lo stesso Gidney propone ottimizzazioni sostanziali: grazie a tecniche come l’approximate residue arithmetic e una gestione più efficiente dei qubit logici dormienti, secondo l’articolo “How to factor 2048 bit RSA integers with less than a million noisy qubits” oggi sarebbe sufficiente un quantum computer con meno di un milione di qubit fisici rumorosi per scomporre una chiave RSA-2048, in un tempo “meno di una settimana.

L'articolo Il QDay è vicino? QuantWare presenta il processore quantistico da 10.000 qubit proviene da Red Hot Cyber.

The basic concept of human intelligence entails self-awareness alongside the ability to reason and apply logic to one’s actions and daily life. Despite the very fuzzy definition of ‘human intelligence‘, and despite many aspects of said human intelligence (HI) also being observed among other animals, like crows and orcas, humans over the ages have always known that their brains are more special than those of other animals.

Currently the Cattell-Horn-Carroll (CHC) theory of intelligence is the most widely accepted model, defining distinct types of abilities that range from memory and processing speed to reasoning ability. While admittedly not perfect, it gives us a baseline to work with when we think of the term ‘intelligence’, whether biological or artificial.

This raises the question of how in the context of artificial intelligence (AI) the CHC model translate to the technologies which we see in use today. When can we expect to subject an artificial intelligence entity to an IQ test and have it handily outperform a human on all metrics?

Types Of Intelligence

While the basic CHC model contains ten items, the full model is even more expansive, as can be seen in the graphic below. Most important are the overarching categories and the reasoning for the individual items in them, as detailed in the 2014 paper by Flanagan and McGrew. Of these, reasoning (Gf, for fluid intelligence), acquired knowledge and memory (long and short term) are arguably the most relevant when it comes to ‘general intelligence’.
Current and expanded CHC theory of cognitive abilities. Source: Flanagan & McGrew (1997).
Fluid intelligence (Gf), or reasoning, entails the ability to discover the nature of the problem or construction, to use a provided context to fill in the subsequent steps, and to handle abstract concepts like mathematics. Crystallized intelligence (Gc) can be condensed to ‘basic skills’ and general knowledge, including the ability to communicate with others using a natural language.

The basic memory abilities pertain to short-term (Gsm) and long-term recall (Glr) abilities, in particular attention span, working memory and the ability to recall long-term memories and associations within these memories.

Beyond these basic types of intelligence and abilities we can see that many more are defined, but these mostly expand on these basic four, such as visual memory (Gv), various visual tasks, speed of memory operations, reaction time, reading and writing skills and various domain specific knowledge abilities. Thus it makes sense to initially limit evaluating both HI and AI within this constrained framework.

Are Humans Intelligent?

North American Common Raven (Corvus corax principalis) in flight at Muir Beach in Northern California (Credit: Copetersen)
It’s generally considered a foregone conclusion that because humans as a species possesses intelligence, ergo facto every human being possesses HI. However, within the CHC model there is a lot of wriggle room to tone down this simplification. A big part of IQ tests is to test these these specific forms of intelligence and skills, after all, creating a mosaic that’s then boringly reduced to a much less meaningful number.

The main discovery over the past decades is that the human brain is far less exceptional than we had assumed. For example crows and their fellow corvids easily keep up with humans in a range of skills and abilities. As far as fluid intelligence is concerned, they clearly display inductive and sequential reasoning, as they can solve puzzles and create tools on the spot. Similarly, corvids regularly display the ability to count and estimate volumes, demonstrating quantitative reasoning. They have regularly demonstrated understanding water volume, density of objects and the relation between these.

In Japanese parks, crows have been spotted manipulating the public faucets for drinking and bathing, adjusting the flow to either a trickle or a strong flow depending on what they want. Corvids score high on the Gf part of the CHC model, though it should be said that the Japanese crow in the article did not turn the faucet back off again, which might just be because they do not care if it keeps running.

When it comes to crystallized intelligence (Gc) and the memory-related Gsm and Glr abilities, corvids score pretty high as well. They have been reported to remember human faces, to learn from other crows by observing them, and are excellent at mimicking the sounds that other birds make. There is evidence that corvids and other avian dinosaur species (‘birds’) are capable of learning to understand human language, and even communicating with humans using these learned words.

The key here is whether the animal understands the meaning of the vocalization and what vocalizing it is meant to achieve when interacting with a human. Both parrots and crows show signs of being able to learn significant vocabularies of hundreds of words and conceivably a basic understanding of their meaning, or at least what they achieve when uttered, especially when it comes to food.

Whether non-human animals are capable of complex human speech remains a highly controversial topic, of course, though we are breathlessly awaiting the day that the first crow looks up at a human and tells the hairless monkey what they really think of them and their species as a whole.

The Bears

The bear-proof garbage bins at Yosemite National Park. (Credit: detourtravelblog)
Meanwhile there’s a veritable war of intellects going on in US National Parks between humans and bears, involving keeping the latter out of food lockers and trash bins while the humans begin to struggle the moment the bear-proof mechanism requires more than two hand motions. This sometimes escalates to the point where bears are culled when they defeat mechanisms using brute force.

Over the decades bears have learned that human food is easier to obtain and fills much better than all-natural food sources, yet humans are no longer willing to share. The result is an arms race where bears are more than happy to use any means necessary to obtain tasty food. Ergo we can put the Gf, Gc and memory-related scores for bears also at a level that suggests highly capable intellects, with a clear ability to learn, remember, and defeat obstacles through intellect. Sadly, the bear body doesn’t lend itself well to creating and using tools like a corvid can.

Despite the flaws of the CHC model and the weaknesses inherent in the associated IQ test scores, it does provide some rough idea of how these assessed capabilities are distributed across a population, leading to a distinct Bell curve for IQ scores among humans and conceivably for other species if we could test them. Effectively this means that there is likely significant overlap between the less intelligent humans and smarter non-human animals.

Although H. sapiens is undeniably an intelligent species, the reality is that it wasn’t some gods-gifted power, but rather an evolutionary quirk that it shares with many other lifeforms. This does however make it infinitely more likely that we can replicate it with a machine and/or computer system.

Making Machines Intelligent

Artificial Intelligence Projects for the Commodore 64, by Timothy J. O’Malley
The conclusion we have thus reached after assessing HI is that if we want to make machines intelligent, they need to acquire at least the Gf, Gc, Gsm and Glr capabilities, and at a level that puts them above that of a human toddler, or a raven if you wish.

Exactly how to do this has been the subject of much research and study the past millennia, with automatons (‘robots’) being one way to pour human intellect into a form that alleviates manual labor. Of course, this is effectively merely on par with creating tools, not an independent form of intelligence. For that we need to make machines capable of learning.

So far this has proved very difficult. What we are capable of so far is to condense existing knowledge that has been annotated by humans into a statistical model, with large language models (LLMs) as the pinnacle of the current AI hype bubble. These are effectively massively scaled up language models following the same basic architecture as those that hobbyists were playing with back in the 1980s on their home computers.

With that knowledge in mind, it’s not so surprising that LLMs do not even really register on the CHC model. In terms of Gf there’s not even a blip of reasoning, especially not inductively, but then you would not expect this from a statistical model.

As far as Gc is concerned, here the fundamental flaw of a statistical model is what it does not know. It cannot know what it doesn’t know, nor does it understand anything about what is stored in the weights of the statistical model. This is because it’s a statistical model that’s just as fixed in its functioning as an industrial robot. Chalk up another hard fail here.

Finally, although the context window of LLMs can be considered to be some kind of short-term memory, it is very limited in its functionality. Immediate recall of a series of elements may work depending on the front-end, but cognitive operations invariably fail, even very basic ones such as adding two numbers. This makes Gsm iffy at best, and more realistically a complete fail.

Finally, Glr should be a lot easier, as LLMs are statistical models that can compress immense amounts of data for easy recall. But this associative memory is an artefact of human annotation of training data, and is fixed at the time of training the model. After that, it does not remember outside of its context window, and its ability to associate text is limited to the previous statistical analysis of which words are most likely to occur in a sequence. This fact alone makes the entire Glr ability set a complete fail as well.

Piecemeal Abilities

Although an LLM is not intelligent by any measure and has no capacity to ever achieve intelligence, as a tool it’s still exceedingly useful. Technologies such as artificial neurons and large language models have enabled feats such as machine vision that can identify objects in a scene with an accuracy depending on the training data, and by training an LLM on very specific data sets the resulting model can be a helpful statistical tool, as it’s a statistical model.

These are all small fragments of what an intelligent creature is capable of, condensed into tool form. Much like hand tools, computers and robots, these are all tools that we humans have crafted to make certain tasks easier or possible. Like a corvid bending some wire into shape to open a lock or timing the dropping of nuts with a traffic light to safely scoop up fresh car-crushed nuts, the only intelligence so far is still found in our biological brains.

All of which may change as soon as we figure out a way to replicate abstract aspects such as reasoning and understanding, but that’s still a whole kettle of theoretical fish at this point in time, and the subject of future articles.

hackaday.com/2025/12/10/why-ll…

For less than $30 USD, you can get a 10×10 centimeter hotplate with 350 Watts of power. Sounds mighty fine to us, so surely there must be a catch? Maybe not, as [Stefan Nikolaj]’s review of this AliExpress hotplate details, it seems to be just fine enough.

At this price, you’d expect some shoddy electronics inside, or maybe outright fiery design decisions, in the vein of other reviews for similar cheap heat-producing tech that we’ve seen over the years. Nope – the control circuitry seems to be more than well-built for our standards, with isolation and separation where it matters, the input being fused away, and the chassis firmly earthed. [Stefan] highlights just two possible problem areas: a wire nut that could potentially be dodgy, and lack of a thermal fuse. Both can be remedied easily enough after you get one of these, and for the price, it’s a no-brainer. Apart from the review, there’s also general usage recommendations from [Stefan] in the end of the blog post.

While we’re happy to see folks designing their own PCB hotplates or modifying old waffle irons, the availability of cheap turn-key options like this means there’s less of a reason to go the DIY route. Now, if you’re in the market for even more build volume, you can get one of the classic reflow ovens, and maybe do a controller upgrade while you’re at it.

hackaday.com/2025/12/10/cheap-…

The “Long Dark” is upon us, at least for those who live north of the equator, and while it’s all pre-holiday bustle, pretty lights, and the magical first snow of the season now, soon the harsh reality of slushy feet, filthy cars, and not seeing the sun for weeks on end will set in. And when it does, it pays to have something to occupy idle mind and hands alike, a project that’s complicated enough to make completing even part of it feel like an accomplishment.

But this time of year, when daylight lasts barely as long as a good night’s sleep, you’ve got to pick your projects carefully, lest your winter project remain incomplete when the weather finally warms and thoughts turn to other matters. For me, at least, that means being realistic about inevitabilities such as competition from the day job, family stuff, and the dreaded “scope creep.”

It’s that last one that I’m particularly concerned with this year, because it has the greatest potential to delay this project into spring or even — forbid it! — summer. And that means I need to be on the ball about what the project actually is, and to avoid the temptation to fall into any rabbit holes that, while potentially interesting and perhaps even profitable, will only make it harder to get things done.

Pushing My Buttons

For my winter project this year, I chose something I’ve been itching to try for a while: an auto-starter for my generator. Currently, my solar PV system automatically charges its battery bank when the state of charge (SOC) drops below 50%, which it does with alarming frequency during these short, dark days. But rather than relying on shore power, I want my generator to kick on to top off the batteries, then turn itself off when the charge is complete.
Primer assembly for the generator auto-start. The silver part is the regulator; the solenoid pushes the primer button when it fires. All the parts needed to be custom-made.
In concept, it’s a simple project, since the inverter panel I chose has dry contacts that can trigger based on SOC. It seems like a pretty easy job, just a microcontroller to sense when the inverter is calling for a charge and some relays to kick the generator on. It’s a little — OK, a lot — more complicated than that when you think about it, since you have to make sure the generator actually cranks over, you’ve got to include fail-safes so the generator doesn’t just keep cranking endlessly if it doesn’t catch, and you have to make everything work robustly in an electrically and mechanically noisy environment.

However, in my case, the most challenging aspect is dealing with the mechatronics of the project. My generator is fueled by propane, which means there’s a low-pressure regulator that needs to be primed before cranking the starter. When cranking the generator manually, you just push the primer button a few times to get enough propane into the fuel intake and turn the key. Automating this process, though, is another matter, one that will surely require custom parts, and the easiest path to that would be 3D printing.

But, up until a couple of weeks ago, I didn’t own a 3D printer. I know, it’s hard to believe someone who writes for Hackaday for a living wouldn’t own one of the essential bits of hacker kit, but there it is. To be fair to myself, I did dip my toe into additive manufacturing about six or seven years ago, but that printer was pretty awful and never really turned out great prints. It seemed like this project, with its potential need for many custom parts, was the perfect excuse to finally get a “big boy” printer.

Pick Your Project

And that’s where I came upon the first potential rabbit hole: should I buy an out-of-the-box solution, or should I take on a side-quest project? I was sorely tempted to take the latter course by getting one of those used Enders returned to Amazon, having heard that they’re about half the price of new and often need very little work to get them going. But then again, sometimes these printers have gone through a lot in the short time they were in a customer’s hands, to the point where they need quite a bit of work to get them back in good order.

While I like the idea of a cheap printer, and I wouldn’t mind tinkering with one to get it going again, I decided against the return route. I really didn’t like my odds, given that our Editor in Chief, Elliot Williams, says that of the two returned printers he’s purchased, one worked basically out of the box, while the other needed more work to get in shape. I wanted to unbox the printer and start making parts right away, to get this project going. So, I took the plunge and bought a Bambu P1S on a pre-Black Friday sale that was much less than list price, but much more than what I would have paid for a returned Ender.

Now, I’m not going to turn this into a printer review — that’s not really the point of this article. What I want to get across is that I decided to buy a solution rather than take on a new hobby. I got the Bambu up and running in about an hour and was cranking out prototype parts for my project later that afternoon. Yes, I might have had the same experience with a returned printer at about half the price of the Bambu, but I felt like the perceived value of a new printer was worth the premium price, at least in this case.

I think this is a pretty common choice that hackers face up and down the equipment spectrum. Take machine tools, for instance. Those of us who dream of one day owning a shop full of metalworking tools often trawl through Facebook Marketplace in search of a nice old South Bend lathe or a beautiful Bridgeport milling machine, available for a song compared to what such a machine would cost new. But with the difficulty and expense of getting it home and the potential for serious mechanical problems like worn ways or broken gears that need to be sorted before putting the machine to use, the value proposition could start to shift back toward buying a brand new machine. Expensive, yes, but at least you stand a chance of making parts sooner.

Your Turn

Don’t get me wrong; I’d love to find a nice old lathe to lovingly restore, and I just may do that someday. It’s like buying a rusty old classic car; you’re not doing it to end up with a daily driver, but rather for the joy of restoring a fine piece of engineering to its former glory. In projects like that, the journey is the point, not the destination. But if I need to make parts right away, a new lathe — or mill, or CNC router, or 3D printer — seems like the smarter choice.

I’ll turn things over to you at this point. Have you come up against this kind of decision before? If so, which path did you choose? Has anyone had a satisfying out-of-the-box experience with returned printers? Was I unnecessarily pessimistic about my chances in that market? What about your experience with large machine tools, like lathes and mills? Is it possible to buy used and not have the machine itself become the project? Sound off in the comments below.

hackaday.com/2025/12/10/ask-ha…

Sono state scoperte due estensioni dannose che infettano i computer degli sviluppatori con programmi stealer sul marketplace di Visual Studio Code di Microsoft. Il malware può acquisire screenshot, rubare password e wallet di criptovalute e persino dirottare le sessioni del browser.

I ricercatori di Koi Security hanno scoperto le estensioni dannose Bitcoin Black e Codo AI, che si mascherano da tema e assistente AI.

Entrambi i malware sono stati pubblicati con il nome dello sviluppatore BigBlack. Al momento della pubblicazione del rapporto dei ricercatori, Codo AI era ancora disponibile nello store, sebbene avesse meno di 30 download. Bitcoin Black aveva una sola installazione.

Secondo gli esperti, Bitcoin Black utilizza l’evento di attivazione “*”, che viene attivato da ogni azione in VSCode. Il plugin può anche eseguire codice PowerShell.

Nelle versioni precedenti, l’estensione utilizzava uno script di PowerShell per scaricare un archivio protetto da password contenente il payload. Tuttavia, ciò causava la visualizzazione di una finestra di PowerShell, che poteva allertare l’utente. Nelle versioni più recenti del malware, il processo è stato spostato in uno script batch (bat.sh), che richiama curl per scaricare un file DLL e un file eseguibile .exe, il tutto in modalità stealth.

Per quanto riguarda Codo AI, l’estensione può effettivamente aiutare l’utente con il codice utilizzando ChatGPT o DeepSeek, ma contiene anche un componente dannoso simile.

Entrambe le estensioni contengono un file eseguibile Lightshot legittimo e una DLL dannosa, che viene caricata tramite dirottamento della DLL e distribuisce un infostealer denominato runtime.exe sul sistema della vittima. Solo 29 dei 72 programmi antivirus su VirusTotal rilevano la DLL dannosa.

Sul computer infetto, il malware crea una directory in %APPDATA%Local e una cartella Evelyn per archiviare i dati rubati, tra cui informazioni sui processi in esecuzione, contenuti degli appunti, credenziali Wi-Fi, dati di sistema, screenshot, un elenco dei programmi installati e processi attivi.

Per rubare i cookie e dirottare le sessioni degli utenti, il malware avvia Chrome ed Edge in modalità headless, da dove recupera i cookie memorizzati e dirotta le sessioni.

Inoltre, lo stealer, nascondendosi nelle estensioni, ruba dati da portafogli di criptovalute come Phantom, Metamask ed Exodus e cerca anche password e altre credenziali.

I rappresentanti di Microsoft segnalano che entrambe le estensioni dannose sono state rimosse dal marketplace VSCode.

L'articolo Malware in Visual Studio Code: due estensioni dannose rubano dati sensibili proviene da Red Hot Cyber.

Back in March, a small aircraft in the UK lost engine power while coming in for a landing and crashed. The aircraft was a total loss, but thankfully, the pilot suffered only minor injuries. According to the recently released report by the Air Accidents Investigation Branch, we now know a failed 3D printed part is to blame.

The part in question is a plastic air induction elbow — a curved duct that forms part of the engine’s air intake system. The collapsed part you see in the image above had an air filter attached to its front (towards the left in the image), which had detached and fallen off. Heat from the engine caused the part to soften and collapse, which in turn greatly reduced intake airflow, and therefore available power.
Serious injury was avoided, but the aircraft was destroyed.
While the cause of the incident is evident enough, there are still some unknowns regarding the part itself. The fact that it was 3D printed isn’t an issue. Additive manufacturing is used effectively in the aviation industry all the time, and it seems the owner of the aircraft purchased the part at an airshow in the USA with no reason to believe anything was awry. So what happened?

The part in question is normally made from laminated fiberglass and epoxy, with a glass transition of 84° C. Glass transition is the temperature at which a material begins to soften, and is usually far below the material’s actual melting point.

When a part is heated at or beyond its glass transition, it doesn’t melt but is no longer “solid” in the normal sense, and may not even be able to support its own weight. It’s the reason some folks pack parts in powdered salt to support them before annealing.

The printed part the owner purchased and installed was understood to be made from CF-ABS, or ABS with carbon fiber. ABS has a glass transition of around 100° C, which should have been plenty for this application. However, the investigation tested two samples taken from the failed part and measured the glass temperature at 52.8°C and 54.0°C, respectively. That’s a far cry from what was expected, and led to part failure from the heat of the engine.

The actual composition of the part in question has not been confirmed, but it sure seems likely that whatever it was made from, it wasn’t ABS. The Light Aircraft Association (LAA) plans to circulate an alert to inspectors regarding 3D printed parts, and the possibility they aren’t made from what they claim to be.

hackaday.com/2025/12/10/failed…

Regular Christmas trees don’t emit light, nor do they react to music. If you want both things in a holiday decoration, consider this build from [dbmaking].

An ESP32-D1 mini runs the show here. It’s hooked up to a strip of WS2812B addressable LEDs. The LED strip is placed on a wooden frame resembling the shape of a traditional Christmas tree. Ping-pong balls are then stacked inside the wooden frame such that they act as a light diffuser for the LEDs behind. The microcontroller is also hooked up to an INMP441 omnidirectional MEMS microphone module. This allows the ESP32 to detect sound and flash the LEDs in time, creating a colorful display that reacts to music. This is achieved by using the WLED web installer to set the display up in a sound reactive mode.

It’s a fun build, and we’d love to tinker around with coding more advanced visualizer effects for a build like this. We’ve seen builds that go the other way, too, by toning down excessive blinkiness in Christmas decorations.

youtube.com/embed/bDVR_IPmDBA?…

hackaday.com/2025/12/10/a-musi…

Multare X per 120 milioni è sufficiente?

spreaker.com/episode/dk-10x14-…

Asus ha annunciato che uno dei suoi fornitori è stato hackerato. Nel frattempo, il gruppo ransomware Everest ha affermato di aver rubato un terabyte di dati da tre aziende: Asus, Qualcomm e ArcSoft.

Secondo gli hacker criminali, la fuga di dati non ha coinvolto solo documenti, ma anche il codice sorgente del software della fotocamera dello smartphone, dei modelli di intelligenza artificiale e del software interno. I rappresentanti di Asus affermano che il problema ha interessato solo uno dei fornitori dell’azienda: gli aggressori sono riusciti ad accedere a parte del codice sorgente del software della fotocamera del telefono.

Tuttavia, l’azienda insiste sul fatto che non sono stati causati danni ai propri sistemi, prodotti o dati dei clienti.

Disclaimer: Questo rapporto include screenshot e/o testo tratti da fonti pubblicamente accessibili. Le informazioni fornite hanno esclusivamente finalità di intelligence sulle minacce e di sensibilizzazione sui rischi di cybersecurity. Red Hot Cyber condanna qualsiasi accesso non autorizzato, diffusione impropria o utilizzo illecito di tali dati. Al momento, non è possibile verificare in modo indipendente l’autenticità delle informazioni riportate, poiché l’organizzazione coinvolta non ha ancora rilasciato un comunicato ufficiale sul proprio sito web. Di conseguenza, questo articolo deve essere considerato esclusivamente a scopo informativo e di intelligence.

L’azienda ha aggiunto di star già rafforzando la sicurezza della supply chain. Tuttavia, la dichiarazione non ha rivelato il nome del fornitore compromesso né i dettagli dei dati rubati dagli hacker.

Nel frattempo, il gruppo ransomware Everest ha pubblicato sul suo sito web darknet degli screenshot di file presumibilmente rubati. Gli aggressori affermano di aver rubato un terabyte di dati da Asus, ArcSoft e Qualcomm. Gli hacker affermano di aver rubato:

• moduli di segmentazione binaria;
• sorgenti e patch;
• Dump della RAM e registri della memoria;
• Modelli e pesi dell’IA;
• Strumenti e firmware interni OEM;
• video di prova e dati di calibrazione della doppia telecamera;
• set di immagini;
• registri degli arresti anomali e report di debug;
• informazioni su HDR e post-elaborazione;
• testare APK e app sperimentali;
• script e soluzioni di automazione;
• file di calibrazione binaria.

I rappresentanti di Asus non hanno ancora commentato le affermazioni del gruppo. Non è noto inoltre se l’attacco abbia effettivamente colpito Qualcomm e ArcSoft.

L’azienda non ha risposto alle richieste dei media circa l’appartenenza dei materiali rubati ad Asus stessa o ad altre aziende.

L'articolo Attacco alla Supply Chain di Asus. Everest sostiene di aver compromesso anche Qualcomm e ArcSoft proviene da Red Hot Cyber.

Una vulnerabilità critica, monitorata con il codice CVE-2025-59719, riguarda le linee di prodotti FortiOS, FortiWeb, FortiProxy e FortiSwitchManager è stata segnalata da Fortinet tramite un avviso di sicurezza urgente. Tale avviso è stato emesso in relazione a falle di sicurezza che interessano tali prodotti.

Un aggressore potrebbe ottenere l’accesso amministrativo non autorizzato al dispositivo creando un messaggio SAML specifico, se la vulnerabilità viene sfruttata. Tale vulnerabilità è causata dall’incapacità del dispositivo di verificare in modo corretto le firme dei messaggi SAML.
Pannello CVE Details di Red Hot Cyber
Fortinet raccomanda ai propri clienti di procedere con l’aggiornamento alle versioni più recenti che seguono. Per quelle organizzazioni che non sono in grado di applicare le patch immediatamente, è stata messa a disposizione una soluzione provvisoria. Disabilitanto la funzionalità di accesso a FortiCloud, gli amministratori sono in grado di ridurre il rischio.

La falla di sicurezza, identificata come Verifica impropria della firma crittografica (CWE-347), potrebbe consentire a un aggressore non autenticato di aggirare l’autenticazione di accesso Single Sign-On (SSO) di FortiCloud.

Quando un amministratore registra un dispositivo su FortiCare tramite l’interfaccia utente grafica (GUI), l’opzione “Consenti accesso amministrativo tramite FortiCloud SSO” è abilitata per impostazione predefinita. A meno che l’amministratore non disattivi esplicitamente questa opzione durante la registrazione, il dispositivo diventa immediatamente vulnerabile a questo bypass.

La scoperta del problema è stata fatta internamente da Theo Leleu e Yonghui Han del team di sicurezza dei prodotti Fortinet, e l’informazione è stata resa pubblica il 9 dicembre 2025. La funzionalità SSO di FortiCloud, costituisce un rischio considerevole soprattutto negli ambienti di rete distribuiti.

L'articolo Vulnerabilità critica in FortiOS e altri prodotti Fortinet: aggiornamenti urgenti proviene da Red Hot Cyber.

Raspberry Pi boards are no longer constrained – these days, you can get a quad-core board with 8 or 16GB of RAM to go around, equip it with a heatsink, and get a decently comfortable shop/desk/kitchen computer with GPIOs, cameras, speedy networking, maybe even NVMe, and all the wireless you’d expect.

Raspberry OS, however, remains lightweight with its pre-installed LXDE environment – and, in many cases, it feels quite constrained. In case you ever idly wondered about giving your speedy Pi a better UI, [Luc]/[lucstechblog] wants to remind you that setting up KDE on your Raspberry OS install is dead simple and requires only about a dozen commandline steps.

[Luc] walks you through these dozen steps, from installation to switching the default DE, and the few hangups you might expect after the switch; if you want to free up some disk space afterwards, [Luc] shows how to get rid of the original LXDE packages. Got the latest Trixie-based Pi OS? There’s an update post detailing the few necessary changes, as well as talking about others’ experiences with the switch.

All in all, [Luc] demonstrates that KDE will have a fair bit of graphical and UX advantages, while operating only a little slower, and if you weren’t really using your powerful Pi to the fullest, it’s a worthwhile visual and usability upgrade. For the regular desktop users, KDE has recently released their own distro, and our own [Jenny] has taken a look at it.

hackaday.com/2025/12/09/puttin…

Recently the MagQuest competition on improving the measuring of the Earth’s magnetic field announced that the contestants in the final phase have now moved on to launching their satellites within the near future. The goal here is to create a much improved World Magnetic Model (WMM), which is used by the World Geodetic System (WGS). The WGS is an integral part of cartography, geodesy and satellite-based navigation, which includes every sat nav, smartphone and similar with built-in GNSS capabilities.

Although in this age of sat navs and similar it can seem quaint to see anyone bother with using the Earth’s magnetic field with a compass, there is a very good reason why e.g. your Android smartphone has an API for estimating the Earth’s magnetic field at the current location. After your sat nav or smartphone uses its magnetometer, the measurements are then corrected so that ‘north’ really is ‘north’. Since this uses the WMM, it’s pertinent that this model is kept as up to date as possible, with serious shifts in 2019 necessitating an early update outside of the usual five-year cycle.

Goal of the MagQuest competition is thus to find a method that enables much faster, even real-time updates. The three candidate satellites feature three different types of magnetometers: a scalar-vector magnetometer (COSMO), a nitrogen-vacancy (NV) quantum sensor, and the Io-1 satellite containing both a vector fluxgate and atomic scalar magnetometer.

The NV quantum magnetometer is quite possibly the most interesting one, featuring a new, quantum-level approach for magnetic sensing. This effectively uses a flaw in a diamond’s carbon matrix to create a quantum spin state that interacts with magnetic fields and can subsequently be read out. The advantage of this method is its extreme sensitivity, which makes it an interesting sensor for many other applications where measuring the Earth’s magnetic field is essential.

hackaday.com/2025/12/09/magque…

[NullPxl]’s Ban-Rays concept is a wearable that detects when one is in the presence of camera-bearing smartglasses, such as Meta’s line of Ray-Bans. A project in progress, it’s currently focused on how to reliably perform detection without resorting to using a camera itself. Right now, it plays a well-known audio cue whenever it gets a hit.
Once software is nailed down, the device aims to be small enough to fit into glasses.
Currently, [NullPxl] is exploring two main methods of detection. The first takes advantage of the fact that image sensors in cameras act as tiny reflectors for IR. That means camera-toting smartglasses have an identifying feature, which can be sensed and measured. You can see a sample such reflection in the header image, up above.

As mentioned, Ban-Rays eschews the idea of using a camera to perform this. [NullPxl] understandably feels that putting a camera on glasses in order to detect glasses with cameras doesn’t hold much water, conceptually.

The alternate approach is to project IR in a variety of wavelengths while sensing reflections with a photodiode. Initial tests show that scanning a pair of Meta smartglasses in this way does indeed look different from regular eyeglasses, but probably not enough to be conclusive on its own at the moment. That brings us to the second method being used: wireless activity.

Characterizing a device by its wireless activity turned out to be trickier than expected. At first, [NullPxl] aimed to simply watch for BLE (Bluetooth Low-Energy) advertisements coming from smartglasses, but these only seem to happen during pairing and power-up, and sometimes when the glasses are removed from the storage case. Clearly a bit more is going to be needed, but since these devices rely heavily on wireless communications there might yet be some way to actively query or otherwise characterize their activity.

This kind of project is something that is getting some interest. Here’s another smartglasses detector that seems to depend entirely on sniffing OUIs (Organizationally Unique Identifiers); an approach [NullPxl] suspects isn’t scalable due to address randomization in BLE. Clearly, a reliable approach is still in the works.

The increasing numbers of smartglasses raises questions about the impact of normalizing tech companies turning people into always-on recording devices. Of course, the average person is already being subtly recorded by a staggering number of hidden cameras. But at least it’s fairly obvious when an individual is recording you with a personal device like their phone. That may not be the case for much longer.

hackaday.com/2025/12/09/making…

The G4 iMac is one of the more popular computers in the restomodding scene given its charm and unparalleled ergonomics. Most modern machines that people squeeze in don’t have a disc drive anymore though, so [EasternBloc Engineering] has fitted a retractable MagSafe charger into the drive bay of the machine.

In this example, the iMac has become simply a monitor, instead of an entire all-in-one computer, and the original 15″ display has been replaced with a lightweight 22″ monitor on a 3D printed VESA mount. The narrow confines of the iMac neck meant [EasternBloc Engineering] had to sever the connectors from the HDMI and power cable before reconnecting them once they were fed through.

The really novel part of this restomod is the engineering of the retractable MagSafe charger mount that pops out of the drive bay. [EasternBloc Engineering] started by looking at repurposing an original disc drive, but quickly turned to a bespoke 3D printed solution. Using a LEGO motor and gears for the drive, the system can stick its tongue out at you in a more modern way. A straight in-and-out mechanism like on an original disc drive would’ve been easier to implement, but we appreciate the extra time for angling the phone that respects the ergonomics of the machine. We hope the files will become available soon for this part of the mod since electromechanical components are more interesting than the VESA mount.

We’ve taken a look at how to implement MagSafe (or Qi2) into your own projects and also a few different G4 iMac restomods whether you prefer Apple Silicon or a PC-based approach.

youtube.com/embed/CVLD5OtLygU?…

hackaday.com/2025/12/09/g4-ima…

Compromise is key to keeping a team humming along. Say one person wants an inrunner electric motor, and the other prefers outrunner. What to do? Well, if you work at [Deep Drive], the compromise position is a dual-rotor setup that they claim can be up to 20% more efficient than standard designs. In a recent video, [Ziroth] provides a deep dive into Deep Drive’s Twin-Rotor Motor.

This is specifically a radial flux permanent magnet motor, like most used in electric vehicles today — and don’t let talk of inrunners and outrunners fool you, that’s the size of motor we’re talking about here. This has been done before with axial flux motors, but it’s a new concept for team radial. As the names imply, the difference is the direction the magnetic field is orientated: axial flux motors have all the magnetism oriented along the axis, which leads to the short wide profile that inspired the nickname “pancake motors”. For various reasons, you’re more likely to see those on a PCB than in an electric car.

In a radial flux motor, the flux goes out the radius, so the coils and magnets are aligned around the shaft of the motor. Usually, the coils are held by an iron armature that directs their magnetic flux inwards (or outwards) at the permanent magnets in the rotor, but not here. By deleting the metal armature from their design and putting magnets on both sides of the stator coil, Deep Drive claims to have built a motor that is lighter and provides more torque, while also being more energy-efficient.

Of course you can’t use magnet wire if your coil is self-supporting, so instead they’re using hefty chunks of copper that could moonlight as busbars. In spite of needing magnets on both inner and outer rotors, the company says they require no more rare-earths than their competitors. We’re not sure if that is true for the copper content, though. To make the torque, those windings are beefy.

Still, its inspiring to see engineers continue to innovate in a space that many would have written off as fully-optimized. We look forward to seeing these motors in upcoming electric cars, but more than that, hope they sell a smaller unit for an air compressor so after going on a Deep Drive deep dive we can inflate our rubber raft with their twin rotor motor boater bloater. If it works as well as advertised, we might have to become twin-rotor motor boater bloater gloaters!

youtube.com/embed/Ir_JKMdWaUg?…

Thanks to [Keith Olson] for the tip.

hackaday.com/2025/12/09/a-deep…

[Jean] wrote into the tips line (the system works!) to let all of us know about his hacked and hand-wired C64 keyboard, a thing of beauty in its chocolate-brown and 9u space bar-havin’ glory.

Image by [Jean] via GitHubThis Arduino Pro Micro-based brain transplant began as a sketch, and [Jean] reports it now has proper code in QMK. But how is a person supposed to use it in 2025, almost 2026, especially as a programmer or just plain serious computer user?

The big news here is that [Jean] added support for missing characters using the left and right Shift keys, and even added mouse controls and Function keys that are accessed on a layer via the Shift Lock key. You can see the key maps over on GitHub.

I’ll admit, [Jean]’s project has got me eyeing that C64 I picked up for $12 at a thrift store which I doubt still works as intended. But don’t worry, I will test it first.

Fortunately, it looks like [Jean] has thought of everything when it comes to reproducing this hack, including the requisite C64-to-Arduino pinout. So, what are you waiting for?

ArcBoard MK20 Proves That Nothing Is Ever Finished

I find it so satisfying that [crazymittens-r] is never quite satisfied with his ArcBoard, which is now in its 20th revision.

Image by [crazymittens-r] via redditWhen asked ‘WTF am I looking at?’, [crazymittens-r] responded thusly: ‘my interpretation of how you might use a keyboard and trackball without moving your hands.’ Well, there you have it.

This is one of those times where the longer you look, the crazier it gets. Notice the thumb trackball, d-pad thingy, and the green glowy bit, all of which move. Then there are those wheels up by the YHN column.

A bit of background: [crazymittens-r] needed something to help him keep on working, and you know I can relate to that 100%. There’s even a pair of pedals that go with it, and you’ll see those in the gallery.

You may remember previous ArcBoards, and if not, know this: it’s actually gotten a lot smaller since mk. 19 which I featured here in May 2024. It still looks pretty bonkers in the best possible way, though, and I’m here for it.

Via reddit

The Centerfold: KaSe

Image by [harrael] via redditSo I have become fond of finding fuller-figured centerfolds for you such as KaSe by [harrael]. As the top commenter put it, KaSe gives off nice Esrille NISSE vibes. Boy howdy. And I think that’s probably just enough thumb keys for me.

[harrael] had noble goals for this project, namely learning more about ESP32-S3s, USB/BLE HID, and firmware design, but the most admirable of all is sharing it with the rest of us. (So, if you can’t afford a NISSE…)

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: Typewriter Tom’s Typewriter Throng

I’m going to take a brief detour from the normal parade of old typewriters to feature Typewriter Tom, who has so many machines lying around that Hollywood regularly comes knocking to borrow his clacking stock.
Image via The Atlanta-Journal Constitution
And how many is that? Around 1,000 — or six storage units full. Tom received a call once. The caller needed six working IBM Selectrics ASAP. Of course, Tom could deliver, though he admits he’s probably the one person in all of Georgia who could.

Another thing Tom delivers is creativity in the form of machines he sells to artists and students. He also co-founded the Atlanta Typewriter Club, who have been known to hold typewriter petting zoo events where people can come and — you guessed it — put their hands on a typewriter or two.

Go for the story and stay for the lovely pictures, or do things the other way around if you prefer. But Typewriter Tom deserves a visit from you, even if he already got one from Tom Hanks once.

Finally, PropType AR Can Turn Anything Into a Keyboard

Yes, literally anything with enough real estate can now become a keyboard, or at least it would seem from TechExplore and the short video embedded below. Watch as various drinking vessels and other things become (split!) keyboards, provided you have your AR goggles handy to make the magic happen.

Image by [PropType] via YouTubeWhile this setup would be immensely helpful to have around given the right circumstances, the chances that you’re going to have your AR goggles on you while running or running around the mall seem somewhat slim.

But the point here is that for augmented reality users, typing is notoriously difficult and causes something known as ‘gorilla arm’ from extended use. So in all seriousness, this is pretty cool from a problem-solving standpoint.

So how does it work? Basically you set the keyboard up first using the PropType editing tool to customize layouts and apply various effects, like the one you’ll see in the video. Be sure to stick around for the demo of the editing tool, which is cool in and of itself. I particularly like the layout on the soda can, although it might be difficult to actually use without spilling.

youtube.com/embed/7ZcFbvHClcU?…

Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

hackaday.com/2025/12/09/keebin…

We’re all used to Bluetooth chips coming in QFN and BGA formats, at a minimum of 30-40 pins, sometimes even a hundred. What about ten pins, with 1.27 mm pitch? [deqing] from Hackaday.io shows us a chip from WCH, CH571K, in what’s essentially a SO-10 package (ESSOP10). This chip has a RISC-V core, requires only three components to run, and can work Bluetooth through a simple wire antenna.

This chip is a RISC-V MCU with a Bluetooth peripheral built in, and comes from the CH57x family of WCH chips that resemble the nRF series we’re all used to. You get a fair few peripherals: UART, SPI, and ADC, and of course, Bluetooth 4 with Low Energy support to communicate with a smart device of your choice. For extra hacker cred, [deqing] deadbugs it, gluing all components and a 2.54 mm header for FTDI comms onto the chip, and shows us a demo using webBluetooth to toggle an LED through a button in the browser.

You need not be afraid of SDKs with this one. There’s Arduino IDE support (currently done through a fork of arduino_core_ch32) and a fair few external tools, including at least two programming tools, one official and one third-party. The chip is under a dollar on LCSC, even less if you buy multiple, so it’s worth throwing a few into your shopping cart. What could you do with it once received? Well, you could retrofit your smoke alarms with Bluetooth, create your own tire pressure monitors, or just build a smartphone-connected business card!

hackaday.com/2025/12/09/super-…

A year ago, I’ve design reviewed an MCU module for CAN hacking, called TinySparrow. Modules are plenty cool, and even more so when they’re intended for remaking car ECUs. For a while now, every car has heavily depended on a computer to control the operation of everything inside it – the engine and its infrastructure, the lights, and Sadly, ECUs are quite non-hackable, so building your own ECUs only makes sense – which is why it’s heartwarming to see modules intended to make this easier on the budding ECU designer!

Last time we saw this module, it was quite a bit simpler. We talked about fixing a number of things – the linear regulator, the unprotected CAN transceiver, and the pinout; we also made the board cheaper to produce by reducing the layer count and instead pushing the clearance/track width limits. This time, we’re seeing TinySparrow v2 , redesigned accounting for the feedback and upgraded with a new MCU – it’s quite a bit more powerful!

For a start, it’s got ESD diodes, a switching-linear regulator chain for clean but efficient power supply, and most importantly, an upgraded MCU, now with USB and one more CAN channel for a total of two! There’s a lot more GPIOs to go around, too, so the PCB now uses all four of its sides for breakout out power, programming, and GPIO pads. Only a tiny bit bigger than its v1, this module packs a fair bit of punch.

Let’s revisit the design, and try to find anything still left to improve – there’s a few noteworthy things I found.

Protection Almost Perfect

It took me a bit to try and find the ESD diodes mentioned in the README – I didn’t notice that they’re basically the only thing on the bottom layer. This is fine – protection elements like ESD diodes can be on a different layer, and as they’re SOT-23, they’re easy to solder on post-factum. This is quite a nice placement choice, in my opinion – you can basically solder this board with cheaper single-side assembly, use ESD-less boards for your bench testing, and then simply solder the few bottom side components onto “production” versions!

There is but one hiccup with the way they’re placed. ESD diode appnotes will tell you – there’s some extra considerations you can try and put into ESD diode layout. This design pulls connector tracks directly to the CAN ICs on top layer, and directly to diodes on the bottom one. Instead, you should try and route the signal “through” the ESD diodes – letting track inductance play in your favour, and not impeding the ESD diode’s impact.

Fortunately, by lightly rerouting 3.3V CAN transceiver power inputs and a few surrounding signals, we can put CAN+ and CAN- signals through vias under the package, so that the signal flows “in series” with ESD diode pads. Similarly, the ESD diodes get vias to ground, shared with transceiver ground vias, but oh well. It’s not perfect, but to my eye, it’s better than before, as far as ESD protection is concerned.

About the only problem I can see with the reroute, is having to reshuffle USB signals, putting them closer together. However, as long as they’re intra-pair length-matched, they’ll do just fine.

Vias Fit Inside Pads, But Maybe Don’t?

This is not the only change to consider as far as signal routing goes, but it’s the most major one. The next issue I see, is vias – specifically, vias inside component pads.

I’ve had a few run-ins with via-in-pad related problems. Previously, I’ve failed to assemble some boards specifically because of via-in-pad related problems, with solder paste wicking through the board and onto the opposite side. For 0402 components I used, this made a number of boards essentially non-solderable depending on how lucky I got reflowing them, and I had to run a new board revision to get the yield up.

This board’s files have a fair few hints about getting assembled by JLCPCB, and JLC can definitely do plugged vias, preventing any sorts of solder flowing through the board. If the designer or someone else takes the board elsewhere, however, that might no longer apply, which would be disappointing. Also, you might have to pay extra for plugging holes – just like with the previous review, let’s see if we can avoid it. Most problematic areas are around the transceivers, still – especially given the board files now have a custom rule for 0.5mm via-to-via distances. This is not a constraint I’ve seen actually stressed by JLCPCB, but I don’t mind – with just a little bit more signal shuffling, every newly moved via landed within the 0.5mm target area.

Pinout Considerations, Again

The VDC pin now has GND pins to match, and in general, there’s a lot more GND pins to go around – which is great! It’s pretty surprising to me that the VDC pin is duplicated and its trace goes across the board on an inner layer. This is supposed to be an at least somewhat unfiltered and unprotected car power rail, after all, and I don’t think that’d help things like noise integrity. Maybe this helps with testing because all the core signals are brought to the same corner, but to my eye, it has bad vibes.

The module could perhaps use a key pin – there’s zero omissions in the outer dual-row, which leaves for a possibility of inserting this module rotated 180 degrees by accident, likely obliterating at least something on the module. If these modules are ever meant to be swapped during testing, i.e. using machined headers, I’d try and remove one of the pins from the equation – there’s a NC pin in one of the corners already, thankfully.

There’s a pair of 3.3 V signals and GND signals on the opposite sides of each other. This is geometrically satisfying pinout-wise, and, it would short-circuit the module’s onboard regulator if the module’s ever rotated inserted 180 degrees. This is generally harmless with modern modules, but it could very well make the switching or the linear regulator heat up to finger-burning temperatures – last thing you need when trying to remove a module inserted incorrectly!

Thankfully, at the top, there’s a few unconnected pads, so perhaps GND and NC could swap places, making sure that 3.3 V lands on NC once rotated 180 degrees. The VDC pads could perhaps use the same consideration, but I’m comfortable leaving those as homework.

Moving Forward

It’s a joy to see how much the TinySparrow module has grown in its v2. From vastly improved layout to higher consideration given to design rules, nicer silkscreen, and a way more powerful MCU while at it, it’s that much more of a viable heart for a somewhat modern car, and it’d be quite nice to see some boards utilizing it in the future. I hope this review can help!

As usual, if you would like a design review for your board, submit a tip to us with [design review] in the title, linking to your board files. KiCad design files strongly preferred, both repository-stored files (GitHub/GitLab/etc) and shady Google Drive/Dropbox/etc .zip links are accepted.

It sometimes seems as though we are in a constant tussle over privacy between governments and the governed, with each year bringing fresh attempts to extend surveillance, and consequent battles. For Brits the big news at the moment comes in a new digital ID scheme, something that will be required for anyone wishing to work in the country, as well as for certain government services. It’s something that has attracted a lot of opposition, and now the EFF have produced an analysis of why they think it won’t work.

From the perspective of a British writer it would be easy to write screeds about the flaws in the scheme, the way it over-reaches, and about the historical distrust of Brits for their government’s bureaucracy. With the parliamentary petition opposing it approaching three million signatures, there’s no shortage of people who don’t support it. Perhaps the most obvious thing for most of us is how unnecessary it is for its stated aim of preventing illegal immigrants from seeking employment, it neglects that we already have to show proof of right to work before being hired, and that if crooked employers ignore that they will surely also ignore the digital ID.

If you’re reading this elsewhere in the world from where this is being written then it’s still of relevance, because governments like to point to other countries to justify these measures. Follow the EFF on this matter, and take note.

Art: British Passport SVG by Swapnil1101, Public Domain

hackaday.com/2025/12/09/the-ef…

Corso di Formazione per giornalisti in Sapienza

Programma
Il corso formativo concernerà il fenomeno dell’information disorder e delle fakenews, con particolare attenzione al quadro giuridico nazionale, europeo e internazionale e ai possibili rimedi.

Il corso si propone di approfondire i profili giuridici legati alla libertà di espressione, alla regolamentazione dell’informazione e alle responsabilità degli attori digitali.

Verranno esaminati strumenti normativi e casi concreti, nazionali e internazionali, per aiutare i giornalisti a orientarsi in un panorama sempre più complesso e sfidante. L’argomento è di rilevante importanza giornalistica per l’impatto che ha sulla credibilità dell’informazione e sul ruolo democratico della stampa.

Verrà analizzato l’articolo 21 della Costituzione italiana, che tutela della libertà di espressione e di stampa, in cui ognuno ha il diritto di manifestare liberamente il proprio pensiero con qualsiasi mezzo di diffusione, ponendo le basi per una tutela ampia della libertà di espressione e informazione.

Si osserverà come si può facilmente influenzare sentimenti, pensieri e azioni di un pubblico specifico, al fine di ottenere vantaggi strategici in ambito politico, militare o sociale. Verranno illustrati diversi esempi di diffusione di fake news, alterazione di contenuti, uso strategico dei social per destabilizzare o polarizzare l’opinione pubblica.

Si prenderà in esame l’articolo 19 del nuovo Codice Deontologico delle Giornaliste e dei Giornalisti che introduce una regola specifica sull’uso dell’intelligenza artificiale.

Relatori:
Alberto Marinelli, prorettore alle tecnologie innovative per la comunicazione, Sapienza, Università di Roma;
guido d’ubaldo, presidente dell’Ordine dei Giornalisti del Lazio; ⁠
Arturo Di Corinto, IA cybersecurity Advisor nell’Agenzia per la cybersicurezza nazionale (ACN);
Federica Fabrizzi, professoressa ordinaria di Diritto dell’informazione presso il Dipartimento di Scienze Politiche dell’Università La Sapienza di Roma;
Laura Camilloni, caporedattrice dell’Agenparl;
Massimiliano Pierro, direttore generale di Intent Group;
Mirko Lapi, professore aggregato in Open Source Intelligence, Dipartimento di Giurisprudenza dell’Università di Foggia;
marco giampaolo, direttore commerciale e operativo Negg group;
Luigi Camilloni, direttore responsabile dell’Agenparl.

WHAT: Corso gratuito formazione giornalisti, in Presenza
WHEN: 18 dicembre 2025 09:30-13:30
WHERE: Università La Sapienza Facoltà di Scienze Politica – Dipartimento di Comunicazione e Ricerca Sociale (CoRiS), Via Salaria,113 – 00198, Roma
WHO: Organizzato da: Ordine dei Giornalisti del Lazio ODG Lazio
WHY: 6 Crediti Deontologici

Chiusura iscrizioni
16/12/2025

dicorinto.it/associazionismo/n…

Telegram has won over users worldwide, and cybercriminals are no exception. While the average user chooses a messaging app based on convenience, user experience and stability (and perhaps, cool stickers), cybercriminals evaluate platforms through a different lens.

When it comes to anonymity, privacy and application independence – essential criteria for a shadow messaging app – Telegram is not as strong as its direct competitors.

• It lacks default end-to-end (E2E) encryption for chats.
• It has a centralized infrastructure: users cannot set up their own servers for communication.
• Its server-side code is closed: users cannot verify what it does.

This architecture requires a high degree of trust in the platform, but experienced cybercriminals prefer not to rely on third parties when it comes to protecting their operations and, more importantly, their personal safety.

That said, Telegram today is widely viewed and used not only as a communication tool (messaging service), but also as a full-fledged dark-market business platform – thanks to several features that underground communities actively exploit.

Is this research, we examine Telegram through the eyes of cybercriminals, evaluate its technical capabilities for running underground operations, and analyze the lifecycle of a Telegram channel from creation to digital death. For this purpose, we analyzed more than 800 blocked Telegram channels, which existed between 2021 and 2024.

Key findings

• The median lifespan of a shadow Telegram channel increased from five months in 2021–2022 to nine months in 2023–2024.
• The frequency of blocking cybercrime channels has been growing since October 2024.
• Cybercriminals have been migrating to other messaging services due to frequent blocks by Telegram.

You can find the full report on the Kaspersky Digital Footprint Intelligence website.

securelist.com/goodbye-dark-te…

An hourglass tells you what it is in the name — a glass that you use to measure an hour of time passing by. [EDISON SCIENCE CORNER] has built a digital project that mimics such a thing, with little beads of light emulating falling sand in the timekeepers of old.

The build is designed around the Arduino platform, and can be constructed with an Arduino Uno, Nano, or Pro Mini if so desired. The microcontroller board is hooked up with an ADXL335 three-axis accelerometer, which is used for tracking the orientation and movement of the digital hourglass. These movements are used to influence the movement of emulated grains of sand, displayed on a pair of 8×8 LED matrixes driven by a MAX7219 driver IC. Power is courtesy of a 3.7 V lithium-ion cell, with a charge/boost module included for good measure. Everything is wrapped up in a vaguely hourglass-shaped 3D printed enclosure.

The operation is simple. When the hourglass is turned, the simulated grains of sand move as if responding to gravity. The movement is a little janky — no surprise given the limited resolution of the 8×8 displays. You also probably wouldn’t use such a device as a timer when more elegant solutions exist. However, that’s not to say builds like this don’t have a purpose. They’re actually a great way to get to grips with a microcontroller platform, as well as to learn about interfacing external hardware and working with LED matrixes. You can pick up a great deal of basic skills building something like this.

Would you believe this isn’t the first digital hourglass we’ve featured on the site?

youtube.com/embed/23EBLhm-rG8?…

hackaday.com/2025/12/09/led-ho…

Il Centro Congressi Frentani ospiterà il 12 dicembre la conferenza “Cybercrime, Artificial Intelligence & Digital Forensics”, l’evento annuale organizzato da IISFA – Associazione Italiana Digital Forensics e da Gerardo Costabile, che riunirà i massimi esperti italiani di sicurezza informatica, forze dell’ordine, accademici e professionisti del settore.

Per chi vorrà partecipare, l’ingresso sarà gratuito, ma sarà necessaria la registrazione su Eventbrite.

Sarà una giornata intensa, caratterizzata da analisi tecniche, prospettive investigative e un confronto pubblico sempre più necessario in un’epoca dominata dall’intelligenza artificiale.

Apertura dei lavori: il quadro aggiornato delle minacce cyber

La conferenza si aprirà con i saluti di Gerardo Costabile, presidente IISFA, seguiti dall’intervento di Nunzia Ciardi, Vicedirettrice dell’Agenzia per la Cybersicurezza Nazionale, che evidenzierà l’urgenza di costruire un ecosistema di difesa più solido e reattivo.

L’Ammiraglio Gianluca Galasso dell’ACN – CSIRT Italia offrirà un aggiornamento sul trend nazionale degli attacchi cyber, sottolineando un livello di minaccia mai così elevato, soprattutto verso infrastrutture critiche e servizi essenziali.

Successivamente, Ivano Gabrielli, direttore della Polizia Postale, analizzerà i nuovi trend del cybercrime, sempre più automatizzati, distribuiti e alimentati dall’intelligenza artificiale.

Follow the money e anatomia degli attacchi ransomware

Molto atteso sarà l’intervento del Generale Antonio Maccazzo della Guardia di Finanza, dedicato alle nuove frontiere del follow the money, tra criptovalute anonime e schemi di riciclaggio avanzati.
Stefano Mele, avvocato specializzato in Space & Cyber Law, presenterà un approfondimento sull’anatomia di un attacco ransomware, mostrando come psicologia del ricatto, tecniche di pressione e comunicazione criminale siano ormai componenti strategiche dell’attacco.

Intelligenza artificiale, etica e informatica forense

La prima tavola rotonda vedrà la partecipazione di Eugenio Albamonte della Direzione Nazionale Antimafia, Giuseppe Corasaniti dell’UniMercatorum, Paolo Galdieri, Mattia Epifani, Marco Calonzi e Gianluca Boccacci, che discuteranno del rapporto tra intelligenza artificiale, etica e informatica forense.

Cybercrime, social media e comunicazione giornalistica tra forma e sostanza

La seconda tavola rotonda sarà dedicata al ruolo dei media, del giornalismo e dei social network nella rappresentazione e comprensione delle minacce cyber. Interverranno Domenico Colotta di Assocomunicazione, Arturo Di Corinto, Luigi Garofalo e Roland Kapidani di Red Hot Cyber. Kapidani evidenzierà come la comunicazione sia ormai centrale quanto la difesa tecnica, sottolineando l’importanza di diffondere consapevolezza e prevenzione. “Non si tratta solo di informare: dobbiamo aiutare le persone a capire come il cybercrime si muove, perché lo fa e quali strumenti abbiamo per difenderci.”

Paolo Galdieri: tra diritto, criminologia e cultura cyber

Interverrà nei panel anche Paolo Galdieri, avvocato penalista e professore universitario, figura molto stimata all’interno della community di Red Hot Cyber, dove contribuisce da anni con competenza e sensibilità ai temi che collegano diritto, tecnologia e società.

Galdieri, noto per la sua capacità di tradurre concetti giuridici complessi in un linguaggio chiaro e comprensibile, ha portato nella discussione un punto di vista fondamentale: la necessità di aggiornare costantemente il quadro normativo per stare al passo con l’evoluzione delle minacce digitali.

Il pomeriggio: mobile forensics, OSINT e post-quantum security

Nel pomeriggio, il focus si sposterà su scenari tecnici avanzati. Paolo Dal Checco presenterà uno studio sullo spy hunting nei dispositivi mobili. Michela Carloni Gammon e Veronica Vacchi illustreranno nuove forme di media investigation e OSINT applicate alla sicurezza aziendale. Stefano Aterno discuterà dei reati informatici legati all’AI generativa, mentre il Prof. Aniello Castiglione analizzerà le frontiere della post-quantum security, con attenzione alle implicazioni investigative.

Cyber Forensics Game: il pubblico diventa analista

La giornata si concluderà con una simulazione di analisi forense guidata da Cosimo de Pinto e Salvatore Filograno, che coinvolgerà il pubblico in un caso reale di investigazione digitale.

Conclusioni: l’Italia cerca una risposta unitaria al cybercrime

Il summit IISFA 2025 si confermerà uno degli appuntamenti chiave per comprendere lo stato dell’arte della sicurezza informatica in Italia. La giornata metterà in evidenza un punto cruciale: senza divulgazione, community attive e un ecosistema informativo affidabile, la lotta al cybercrime non potrà essere vinta. La cybersecurity diventerà così un bene collettivo, che richiederà partecipazione e consapevolezza a ogni livello della società.

L'articolo Il 12 Dicembre a Roma, il summit IISFA: Cybercrime e Intelligenza Artificiale proviene da Red Hot Cyber.

Un nuovo post pubblicato poche ore fa sul forum underground Exploit rivela l’ennesima offerta criminale legata alla vendita di accessi a siti compromessi. L’inserzionista, un utente storico del forum noto per la sua attività da seller, ha messo in vendita un negozio online italiano basato su WordPress, completo di accesso amministratore e con plugin attivi e funzionanti.

Secondo quanto riportato, il sito compromesso non sarebbe un semplice shop qualunque: l’annuncio include infatti dettagli operativi sul volume delle transazioni, suddivise per metodo di pagamento e mese di attività. Numeri che fanno pensare a un e-commerce pienamente funzionante, utilizzato dagli attaccanti come leva per rendere l’offerta più appetibile sul mercato criminale.

Disclaimer: Questo rapporto include screenshot e/o testo tratti da fonti pubblicamente accessibili. Le informazioni fornite hanno esclusivamente finalità di intelligence sulle minacce e di sensibilizzazione sui rischi di cybersecurity. Red Hot Cyber condanna qualsiasi accesso non autorizzato, diffusione impropria o utilizzo illecito di tali dati. Al momento, non è possibile verificare in modo indipendente l’autenticità delle informazioni riportate, poiché l’organizzazione coinvolta non ha ancora rilasciato un comunicato ufficiale sul proprio sito web. Di conseguenza, questo articolo deve essere considerato esclusivamente a scopo informativo e di intelligence.
Print Screen dal forum exploit.in fornita da Paragon Sec

Chi sono gli Initial Access broker (IaB)

Gli Initial Access Broker (IAB) sono attori criminali specializzati nel guadagnare e rivendere l’accesso iniziale a sistemi, reti o infrastrutture compromesse. A differenza dei gruppi ransomware o dei threat actor più complessi, gli IAB non eseguono direttamente l’attacco finale: il loro ruolo è quello di infiltrarsi in un target sfruttando vulnerabilità dei sistemi, credenziali rubate, configurazioni errate o tecniche di social engineering. Una volta ottenuto l’accesso – che può essere un account VPN, un pannello RDP, un’installazione WordPress compromessa, un accesso cloud o un’intera infrastruttura – lo mettono in vendita nei forum underground, rendendolo disponibile ad altri criminali più specializzati. Il modello di business è chiaro: monetizzare l’ingresso, non l’attacco.

Per questo motivo gli Initial Access Broker rappresentano oggi uno degli anelli più importanti dell’ecosistema cybercriminale. I gruppi ransomware-as-a-service, i data broker, gli operatori di botnet e gli specialisti di frodi acquistano da loro il punto di accesso già pronto per l’uso, accelerando enormemente i tempi di intrusione e abbassando la barriera tecnica per chi vuole lanciare attacchi distruttivi.

Questa divisione del lavoro rende gli attacchi più rapidi, più organizzati e più difficili da rilevare. Gli IAB operano spesso su piattaforme come Exploit, XSS o BreachForums, dove pubblicano annunci con metriche dettagliate (privilegi, geolocalizzazione, volume di traffico, tipo di accesso), contribuendo a creare un vero e proprio mercato nero dell’accesso iniziale.

Dettagli dell’offerta

L’accesso in vendita riguarda un WordPress Shop italiano, con pieno accesso all’area amministrativa (WP-admin). L’annuncio specifica che il sito utilizza vari metodi di pagamento, inclusi:

• Stripe
• PayPal
• Contrassegno (COD)
• Bonifico bancario

Statistiche condivise dal venditore

L’inserzionista mostra le vendite recenti del negozio per dimostrare la sua “legittimità” e attrattività nel mercato nero:

• Novembre: oltre 370 ordini
  
  • 123 tramite Stripe
  • 148 tramite PayPal
  • 81 in contrassegno
  • Il resto tramite bonifico

  
  

• Dicembre: 58 ordini
  
  • 15 tramite Stripe
  • 22 tramite PayPal
  • 12 in contrassegno
  • 7 tramite bonifico

  
  

Il venditore sottolinea inoltre che gli ordini sono “100% unici”, frase tipicamente usata negli ambienti criminali per rassicurare i compratori sul fatto che non si tratti di dati riciclati o già venduti ad altri.

Prezzi richiesti

L’offerta segue la tipica struttura di pricing del mercato cybercriminale:

• Start: 400
• Step: 100 (incrementi di rilancio)
• Blitz: 800 (acquisto immediato)
• PPS: 16

La modalità “asta” è comune, soprattutto per asset che possono generare profitti immediati, come store online compromessi utilizzati per campagne di frodi finanziarie, triangolazioni o attività di drop-shipping illegale.

Un’offerta collocata in un contesto criminale più ampio

L’inserzionista promuove anche altri servizi e exploit nel footer del post, tra cui:

• Vulnerabilità RCE con bypass Cloudflare
• Database premium (shopping, forex, seekers/job)
• Lead spam
• E altri servizi di attacco

Questo rafforza la sua credibilità nel forum e mostra come la vendita di accessi a shop WordPress si inserisca in un portafoglio più ampio di attività criminali.

Perché questo post è rilevante nel panorama della cybercriminalità

La vendita di siti WordPress compromessi – soprattutto e-commerce – è diventata una pratica diffusa per diversi scopi:

1. Frodi finanziarie

Gli attaccanti possono sfruttare i metodi di pagamento integrati per:

• Processare transazioni fraudolente
• Vendere beni virtuali/non spediti
• Utilizzare il sito come ponte per outgoing fraudolenti

2. Distribuzione di malware

I plugin o l’area admin possono essere usati per:

• Inserire script malevoli
• Reindirizzare utenti verso phishing o exploit kit
• Compromettere checkout e form di pagamento (skimming)

3. Raccolta dati dei clienti

Email, numeri di telefono, indirizzi e dati di pagamento possono essere rivenduti o utilizzati in altre campagne criminali.

4. Triangolazioni e logistica clandestina

Gli store ancora operativi possono essere sfruttati come “negozi fantasma” per truffe con merce reale, un modus operandi noto nelle frodi da e-commerce.

Conclusioni

L’annuncio apparso su Exploit rappresenta un chiaro esempio di come gli e-commerce WordPress vulnerabili vengano monetizzati nel mercato underground. La presenza di statistiche dettagliate e la segmentazione dei metodi di pagamento indica un livello di professionalità ormai consolidato tra i venditori di accessi compromessi.

Per le aziende italiane che gestiscono shop online, episodi come questo sottolineano l’urgenza di:

• mantenere aggiornati plugin e CMS
• implementare misure di hardening
• monitorare regolarmente accessi e attività sospette
• eseguire vulnerability assessment periodici

In un contesto dove la vendita di asset compromessi è così strutturata e dinamica, la sicurezza diventa più che mai un requisito critico.

L'articolo Quale e-commerce italiano presto sarà compromesso? La vendita degli accessi nel Dark Web proviene da Red Hot Cyber.