US Patent Changes Promise Severe Consequences
When someone creates a US patent, they go through a review process to stop the most blatant copies from previous patents or pre-existing work. After this, you may still have bad patents get through, which can be removed through litigation or publicly accessible methods such as Inter Partes Review (IPR). The latter of which is planned to be changed as we know it in the near future.
IPR is a method where an individual can claim that an existing patent is invalid due to pre-existing work, such as something the individual should have creative ownership over. While there is always the litigation method of removing blatantly fraudulent patents, a small business or the average person is unlikely to have the funds.
New regulations are changing how IPRs can be filed in some substantial ways. Now, if someone files an IPR, they give up the right to future litigation on their rights over a patent. This is obviously not ideal for someone who may have their own products on the line if an IPR is to fail. Additionally, IPRs will no longer be able to be even tried if there are existing cases against the patent, even under poor previous cases. While this change is meant to increase the efficiency of the patent office, there are some serious consequences that must be looked into either way. The patent office also cites IPRs being beneficial to larger organizations rather than the smaller businesses, though you can make your own conclusions based on the U.S. Patent and Trademark Office’s arguments here.
Hackaday certainly can not give any legal advice on how this change will affect you, but there are cases given by both sides that may persuade you to write to your legal representatives if you live in the States. Even still, we here at Hackaday have seen our fair share of patent trolls causing issues. If you want a case of blatant patent shenanigans check out these 3D printing layers that promise improved strength!
Thanks [patentTrollsAreTheWorst] for the tip!
Designing PLA to Hold Over a Metric Ton
There’s never been such a thing as being “too competitive” when it comes to competition. This is something that [Tom Stanton] from Tim Stanton (wait, what now), [Tom]’s 2nd channel, took to heart for Polymaker’s 3D design challenge. The goal was simple: a single 3D printed part to hold as much weight as possible.
While seemingly simple, when considering the requirements, including a single print in addition to being able to open up for the mounts, the challenge gets exponentially more complicated. While the simplest and strongest joint would be a simple oval for uniform stress, this isn’t possible when considering the opening requirements. This creates a need for slightly more creativity.
[Tom] starts out with two flat C-shaped geometries to test his design. The design includes teeth specially placed to allow the forces to increase their own strength as force is applied. Flat features have the unfortunate quality of being able to slide across each other rather easily, which was the case during testing; however, the actual structures held up rather well. Moving onto the final design, including a hollow cavity and a much thicker depth, showed good promise early on in the competition, leading up to the finals. In fact, the design won out over anything else, getting over double the max strength of the runner up. Over an entire metric ton, the piece of plastic proved its abilities far past anything us here at Hackaday would expect from a small piece of PLA.
Design can be an absolute rabbit hole when it comes to even the simplest of things, as shown with this competition. [Tom] clearly showed some personal passion for this project; however, if you haven’t had the chance to dive this deep into CADing, keep sure to try out something like TinkerCAD to get your feet wet. TinkerCAD started out simple as can be but has exploded into quite the formidable suite!
youtube.com/embed/GEHNijssAKc?…
Hydrofoil Bikes Are Harder To Build Than You Think
Hydrofoils are perhaps best known for their application on boring ferries and scary boats that go too fast. However, as [RCLifeOn] demonstrates, you can also use them to build fun and quirky personal watercraft. Like a hydrofoil bike! Only, there are some challenges involved.
Hydrofoils work much like airfoils in air. The shape of the foil creates lift, raising the attached vehicle out of the water. This allows the creation of a craft that can travel more quickly because the majority of its body is not subject drag from the water. The key is to design the craft such that the hydrofoils remain at the right angle and depth to keep the craft lifted out of the water while remaining stable.
The hydrofoil bike is created out of a combination of plywood, foam, and 3D printed components. It uses a powerful brushless motor for propulsion, and that’s about it. Sadly, despite the simplicity, it wasn’t an instant success. As you might expect, balancing on the bike is quite difficult, particularly when trying to get it started—as the foils need some speed to actually start generating meaningful lift.
After further research into commercial hydrofoil bikes, [RCLifeOn] realized that the buoyancy of the bike made it too hard to straddle when starting out. Some of the 3D printed foils also proved more than a little fragile. It’s back to the drawing board for now—the power system is likely up to snuff, but the dynamics of the platform need work. It’s perhaps no surprise; we’ve covered the challenges of hydrofoil stability before. If you want to go fast on water, you could go the easier route and just build an electric surfboard. Video after the break.
youtube.com/embed/zP1nS3sIu2U?…
One-Way Data Extraction For Logging On Airgapped Systems
If you want to protect a system from being hacked, a great way to do that is with an airgap. This term specifically refers to keeping a system off any sort of network or external connection — there is literally air in between it and other systems. Of course, this can be limiting if you want to monitor or export logs from such systems. [Nelop Systems] decided to whip up a simple workaround for this issue, creating a bespoke one-way data extraction method.
The concept is demonstrated with a pair of Raspberry Pi computers. One is hooked up to critical industrial control systems, and is airgapped to protect it against outside intruders. It’s fitted with an optocoupler, with a UART hooked up to the LED side of the device. The other side of the optocoupler is hooked up to another Raspberry Pi, which is itself on a network and handles monitoring and logging duties.
This method creates a reliable one-way transmission method from the airgapped machine to the outside world, without allowing data to flow in the other direction. Indeed, there is no direct electrical connection at all, since the data is passing through the optocoupler, which provides isolation between the two computers. Security aficionados will argue that the machine is no longer really airgapped because there is some connection between it and the outside world. Regardless, it would be hard to gain any sort of access through the one-way optocoupler connection. If you can conceive of a way that would work, drop it down in the comments.
Optocouplers are very useful things; we’ve seen them used and abused for all sorts of different applications. If you’ve found some nifty use for these simple parts, be sure to drop us a line!
La Truffa del CEO! l’inganno che sta travolgendo le aziende italiane
Questa mattina Paragon Sec è stata contattata da un’azienda italiana vittima di un nuovo tentativo di frode conosciuto come Truffa del CEO. L’ufficio contabilità ha ricevuto un’e-mail urgente, apparentemente inviata dal loro Amministratore Delegato, contenente la richiesta di effettuare con immediatezza il pagamento di una fattura da 4.000 euro.
Il messaggio, accompagnato da una fattura apparentemente autentica, indicava la necessità di un bonifico immediato. Il dipendente incaricato dei pagamenti, convinto di eseguire un ordine diretto del proprio dirigente, ha effettuato il trasferimento senza ulteriori verifiche.
Solo successivamente la banca ha rilevato che l’IBAN indicato era associato a un soggetto fraudolento e ha bloccato l’operazione in tempo, impedendo la perdita economica. Si tratta di un caso che conferma come queste campagne stiano diventando sempre più frequenti, raffinate e mirate alle aziende italiane.
Che cos’è la Truffa del CEO
La Truffa del CEO, conosciuta a livello internazionale come Business Email Compromise, è una tecnica di ingegneria sociale in cui i criminali si spacciano per un alto dirigente dell’azienda, tipicamente l’Amministratore Delegato o il Direttore Finanziario.
Utilizzando e-mail costruite in modo credibile, i truffatori inducono un dipendente fidato – spesso chi gestisce i pagamenti – a eseguire trasferimenti di denaro urgenti e apparentemente legittimi.
Il punto di forza di questo attacco non è la tecnologia, ma la manipolazione psicologica: urgenza, autorevolezza e riservatezza vengono sfruttate per spingere la vittima ad agire senza riflettere.
Come difendersi
Per contrastare la Truffa del CEO, è fondamentale adottare procedure interne chiare e formare i dipendenti a riconoscere segnali sospetti.
Tra le misure più efficaci rientrano:
- Verificare sempre con attenzione l’indirizzo e-mail del mittente.
- Prestare attenzione a cambi di stile comunicativo, errori o richieste insolite.
- Diffidare di messaggi che richiedono segretezza, urgenza o scavalcano le procedure standard.
- Contattare direttamente il dirigente coinvolto tramite un canale alternativo per confermare la richiesta.
Cosa ci insegna questo episodio
Questo caso dimostra come gli attacchi non colpiscano solo la tecnologia, ma soprattutto i comportamenti umani. La vulnerabilità principale risiede nella fiducia, nella pressione psicologica e nella mancanza di una verifica incrociata.
La prevenzione passa attraverso la formazione continua, la consapevolezza e l’adozione di processi aziendali che permettano ai dipendenti di fermarsi, dubitare e verificare prima di eseguire qualunque operazione finanziaria fuori dall’ordinario.
La Truffa del CEO, ancora una volta, si conferma una delle minacce più insidiose per le aziende italiane.
Come si svolge la Truffa del CEO
La Truffa del CEO inizia con una fase di raccolta di informazioni, che i criminali svolgono attraverso tecniche OSINT e web scraping di piattaforme come LinkedIn. Qui ricostruiscono l’organigramma aziendale, identificano il CEO, il CFO e le figure chiave del reparto amministrativo, osservano abitudini, ruoli e relazioni interne. Parallelamente analizzano anche dati provenienti da vecchie collection del dark web, che contengono indirizzi e-mail, conversazioni compromesse e modelli di naming utili a imitare fedelmente la comunicazione interna dell’azienda.
Una volta ottenute queste informazioni, gli attaccanti isolano le due figure centrali del loro schema: il dirigente da impersonare e il dipendente più esposto, solitamente chi si occupa di bonifici o pagamenti. Attraverso social network, archivi pubblici e dati trapelati da precedenti violazioni, ricostruiscono procedure, orari, responsabilità e dettagli personali. Questo consente loro di capire quando il dirigente potrebbe non essere raggiungibile e in quali condizioni il dipendente sarebbe più incline a eseguire un ordine urgente senza verifiche.
Nella fase finale gli attaccanti costruiscono e inviano l’e-mail fraudolenta, sfruttando il linguaggio, la firma e lo stile del dirigente reale. La comunicazione contiene una richiesta urgente di pagamento, spesso accompagnata da termini come “riservato”, “non discutere con altri” o “deve essere fatto subito”.
A quel punto il successo della truffa non dipende più dalla tecnologia, ma dalla pressione psicologica esercitata sulla vittima, che crede di eseguire un ordine legittimo proveniente dall’alto.
L'articolo La Truffa del CEO! l’inganno che sta travolgendo le aziende italiane proviene da Red Hot Cyber.
Stack n’ Rack Your Hardware With the HomeRacker Project
Things are cooler when rack-mounted, and [KellerLab] aims to make that all far more accessible with the HomeRacker, a modular and 3D-printable rack building system designed to let you rack-mount to your heart’s content. While it can handle big things, it seems especially applicable to tasks like mounting one’s home network equipment and Raspberry Pi machines.
The basic system (or core) consists of three different parts: supports, connectors, and lock pins. The supports are the main structural bars, the connectors mostly go at the corners, and the lock pins ensure everything stays put. The nominal sizing is a 15 mm x 15 mm profile for the supports, with lengths being a multiple of 15 mm.
All is designed with 3D printing in mind, and requires no tools to assemble or disassemble. There are design elements we really appreciate, like how parts are printed at an angle, which improves strength while eliminating the need for supports. The lock pins (and the slots into which they go) are designed so that they are effective and will neither rattle nor fall out.
But the core system is just the foundation. There’s plenty of modularity and expansions to handle whatever one may need, from Gridfinity shelves and drawers to various faceplates and other modules. There are some example applications available from [KellerLab]’s HomeRacker models page, like CD shelf, under-desk drawer, or filament rack.
[KellerLab] welcomes any collaboration, so check out the GitHub repository for CAD references and design files.
One last point to make about the value of printing objects like this at an angle: not can the resulting layer lines provide better strength and reduce or eliminate the need for supports, but printing at an angle can help hide layer lines.
youtube.com/embed/g8k6X_axYug?…
Italia: allarme intelligenza artificiale, cliniche e referti falsi circolano online
i ricercatori di Check Point Software, hanno recentemente pubblicato un’indagine sull’aumento delle truffe farmaceutiche basate sull’intelligenza artificiale. È stato rilevato come i criminali utilizzano l’intelligenza artificiale generativa per produrre interi ecosistemi contraffatti: medici fittizi, referti di laboratorio, confezioni, trasformazioni fisiche, recensioni e approvazioni.
L’interesse globale per i farmaci GLP-1 come Ozempic, Wegovy e Mounjaro ha creato qualcosa di molto più pericoloso di una semplice tendenza culturale, ovvero l’occasione perfetta per i criminali informatici di far leva sulla disperazione, la scarsità e la disinformazione. Mentre le cliniche lottano con la carenza di farmaci e i produttori avvertono che i limiti di fornitura si protrarranno fino al 2026, la domanda di alternative “più facili”, più veloci o più economiche è esplosa. In questo vuoto, i gruppi criminali si sono mossi con straordinaria rapidità.
In Italia, Regno Unito, Spagna, Francia, e Germania, sono stati individuati diversi esempi di usurpazione dell’identità di istituzioni sanitarie nazionali. I criminali non si limitano a vendere prodotti GLP-1 contraffatti, stanno anche clonando l’identità delle organizzazioni su cui milioni di persone fanno affidamento per la sicurezza medica e la fiducia pubblica. Lo fanno con precisione, attenzione linguistica, stimoli emotivi specifici tarati sulle differenze culturali, utilizzando sistemi di IA generativa in grado di produrre varianti illimitate della stessa menzogna.
Non si tratta più solo di medicinali contraffatti, ma di medicinali contraffatti forti del benestare di un’autorità contraffatta.
Esempio in Italia: l’imitazione dell’AIFA e soluzioni “cliniche” a base di erbe
In Italia, i criminali adottano un approccio ibrido, in parte clinico e in parte naturale. Le campagne imitano lo stile visivo dell’AIFA, l’agenzia italiana per il farmaco, promuovendo al contempo formule a base di erbe, “delicate” o “non invasive”.
Il messaggio fa leva sull’affinità culturale con la fitoterapia e la medicina naturale, ma lo maschera sotto al cappello della supervisione farmaceutica ufficiale.
Ciò che rende questo fenomeno particolarmente allarmante è la sua sofisticatezza riportano i ricercatori di sicurezza. I criminali non si limitano a tradurre gli annunci, ma li ricostruiscono da zero per adattarli al contesto culturale, linguistico e normativo di ciascun Paese:
- Il Servizio Sanitario Nazionale è un punto di riferimento particolarmente potente nel Regno Unito.
- La Germania associa la sicurezza agli standard di produzione
- L’Italia risponde a una combinazione di medicina naturale e linguaggio clinico
- Il marchio AEMPS spagnolo è ampiamente riconosciuto
- La dipendenza della Francia dai farmacisti li rende figure autorevoli ideali
L’IA generativa rende questo livello di localizzazione estremamente semplice. Una singola campagna può essere reinventata in pochi minuti per un altro Paese: nuovi nomi, nuove uniformi, nuovi distintivi, nuove testimonianze sintetiche.
“Stiamo assistendo alla fase successiva del crimine informatico basato sull’intelligenza artificiale“, afferma Cristiano Voschion, Country Manager per l’Italia di Check Point Software Technologies. “I gruppi criminali sono ora in grado di generare interi ecosistemi fraudolenti, siti web, recensioni, marchi e approvazioni normative, su una scala che solo un anno fa era impossibile immaginare. Le organizzazioni e le istituzioni pubbliche hanno bisogno di una sicurezza basata sulla prevenzione che sia in grado di identificare i contenuti sintetici, rilevare le usurpazioni di marchio e bloccare i domini malevoli prima che raggiungano i cittadini”.
L’industrializzazione delle realtà mediche false
Il punto di partenza di quasi tutte le truffe è visuale. I criminali hanno compreso, inoltre, che le immagini di confronto, come le foto che mostrano il “prima” e il “dopo”, sono tra i formati più persuasivi nella categoria della perdita di peso. E l’intelligenza artificiale ha reso tutto questo facilmente riproducibile.
Queste immagini non provengono da pazienti reali. Sono state create combinando fotografie d’archivio, rimodellamento sintetico del corpo e manipolazione assistita dall’intelligenza artificiale. La pelle, l’illuminazione, le proporzioni del corpo, tutto è stato generato per imitare un “percorso” plausibile, spesso mostrando una donna tra i 40 e i 50 anni, la fascia demografica che attualmente sta guidando l’interesse per il GLP-1 in Europa. L’effetto è esattamente quello che vogliono i criminali: creare identificazione, aspirazione e urgenza.
Le immagini non sono comunque l’unica esca. Una volta che un utente clicca, viene attirato in un mondo che sembra completamente medico, completamente approvato e completamente plausibile, perché l’intelligenza artificiale rende semplicissimo creare:
- Medici
- Farmacisti
- Storie di successo dei pazienti
- Diagrammi scientifici
- Timbri dei medici di base
- Certificati “rilasciati” dalle autorità di regolamentazione europee
- Interi blog medici che si fingono giornalismo sanitario
- Pagine di checkout che imitano gli standard dell’e-commerce
I criminali non stanno più falsificando un prodotto. Stanno falsificando un intero ecosistema di legittimità.
La nuova fase: copiare le istituzioni sanitarie europee
Una delle scoperte più inquietanti è l’uso deliberato e improprio delle identità sanitarie pubbliche nazionali. La fiducia che gli europei ripongono nei loro sistemi sanitari, viene ora utilizzata contro di loro.
In tutti i Paesi esaminati, i criminali hanno riprodotto:
- Loghi
- Sigilli normativi
- Tavolozze di colori
- Tipografia istituzionale
- Divise
- Ambienti medici
- Bandiere nazionali
- Immagini cliniche
Un altro esempio di queste truffe si basa sull’uso malevolo di personaggi pubblici reali. In un video sponsorizzato destinato al Regno Unito, i truffatori sembrano imitare l’aspetto e lo stile di comunicazione di un noto esperto di nutrizione britannico, una persona con una presenza mediatica di lunga data e una forte credibilità pubblica. Sebbene l’identità dell’individuo sia qui sfocata, il formato dell’annuncio è deliberatamente studiato per assomigliare al contenuto originale: un ambiente cucina, un discorso diretto alla telecamera e un tono calmo e autorevole. L’obiettivo è chiaro: far credere agli spettatori che un professionista rispettato stia promuovendo il falso prodotto GLP-1. Non c’è alcun legame tra l’esperto e la pubblicità; l’imitazione è completamente inventata. Questa tattica è particolarmente pericolosa perché unisce un video sintetico alla familiarità di un personaggio affidabile e riconoscibile, aumentando notevolmente la probabilità che i consumatori vengano fuorviati.
Conclusione: un nuovo tipo di truffa online a cui l’Europa deve prestare attenzione
L’aumento dei prodotti GLP-1 contraffatti mostra come stiano cambiando le truffe online nel 2025. I criminali non si limitano più a rubare password o dati bancari, ma copiano interi prodotti sanitari, completi di confezioni, “recensioni” di medici, farmacie false e persino loghi sanitari nazionali contraffatti. L’intelligenza artificiale ha reso incredibilmente facile per i truffatori rendere questi siti realistici in poco tempo.
Le persone che cercano di perdere peso o migliorare la propria salute stanno diventando bersaglio di pubblicità altamente convincenti sui social media. Il logo del Servizio Sanitario Nazionale o quello del Ministero della Salute possono essere aggiunti a un sito web contraffatto in pochi secondi. Per molti consumatori diventa quasi impossibile distinguere il vero dal falso.
Come proteggersi
La migliore protezione è la consapevolezza. Alcune semplici abitudini possono fare la differenza:
- Acquistare esclusivamente da farmacie ufficiali, verificando che il sito sia autorizzato.
- Meglio essere scettici nei confronti delle pubblicità sui social media, in particolare quelle che promettono risultati rapidi senza sforzo.
- Controllare attentamente le approvazioni mediche. Spesso i truffatori inventano nomi di medici, di cliniche o del personale del Servizio Sanitario Nazionale.
- Fare attenzione ai segnali di allarme, come per esempio gli sconti elevati, timer per l’acquisto e avvisi del tipo “ne rimangono solo pochi”. Sono trucchi utilizzati per spingere ad acquisti rapidi.
Questo problema non riguarda solo i consumatori. Le agenzie sanitarie, le piattaforme online, i fornitori di servizi di pagamento e gli esperti di sicurezza informatica devono collaborare per identificare e rimuovere questi prodotti contraffatti prima che raggiungano il pubblico.
L’intelligenza artificiale ha reso più facile che mai per i truffatori creare imitazioni convincenti, ma con la giusta consapevolezza e collaborazione è ancora possibile restare un passo avanti a loro.
L'articolo Italia: allarme intelligenza artificiale, cliniche e referti falsi circolano online proviene da Red Hot Cyber.
Google is Building a New OS
Windows, macOS, and Linux are the three major desktop OSs in today’s world. However, there could soon be a new contender, with Google stepping up to the plate (via The Verge).
You’ve probably used Google’s operating systems before. Android holds a dominant market share in the smartphone space, and ChromeOS is readily available on a large range of notebooks intended for lightweight tasks. Going forward, it appears Google aims to leverage its experience with these products and merge them into something new under the working title of “Aluminium OS.”
The news comes to us via a job listing, which sought a Senior Product Manager to work on a “new Aluminium, Android-based, operating system.” The hint is in the name—with speculation that the -ium part of Aluminium indicates its relationship to Chromium, the open-source version of Chrome. The listing also indicated that the new OS would have “Artificial Intelligence (AI) at the core.” At this stage, it appears Google will target everything from cheaper entry level hardware to mid-market and premium machines.
It’s early days yet, and there’s no word as to when Google might speak more officiously on the topic of its new operating system. It’s a big move from one of the largest tech companies out there. Even still, it will be a tall order for Google to knock off the stalwart offerings from Microsoft and Apple in any meaningful way. Meanwhile, if you’ve got secret knowledge of the project and they forget to make you sign an NDA, don’t hesitate to reach out!
This Bedtime Bot Enforces Better Sleep Hygiene
[Will Dana] is engineering his way to better sleep hygiene. Not satisfied with a simple bedtime reminder notification — such things are easily dismissed, after all — [Will] is offloading self-control onto a robot which will take his phone away at bedtime.
Scrolling in bed is allowed up to a prescribed time. At that time, a rack and pinion-mounted arm rises up from behind his mattress, presenting an open hand, ready to accept the object of his addiction. At this point, a countdown begins. If he does not hand over the device in a matter of seconds, the robot escalates by flashing obnoxiously bright lights in his face.
The nocturnal technology detox is not absolute, however. A button allows [Will] to temporarily retrieve his phone after it has been confiscated. This safety override accounts for the Inevitable situation where he will need to send a last-minute text before nodding off. The flashing light disincentive countdown is restarted upon retrieval, ensuring that [Will] does not cheat his own system for additional scroll time.
As a brief sidebar, [Will] does a nice job explaining how pulse-width modulation works for the purpose of controlling the speed of the rack and pinion mechanism.
For more of [Will’s] projects see this iPad suspension system a Lamp that tracks the location of the ISS and a drum that uses the piezoelectric effect to charge mobile devices.
youtube.com/embed/8yEsae6zbFg?…
Arriva HashJack: basta un “#” e i browser AI iniziano a vaneggiare
I ricercatori di Cato Networks hanno scoperto un nuovo tipo di attacco ai browser basati su intelligenza artificiale chiamato HashJack. I ricercatori hanno utilizzato il simbolo “#” negli URL per iniettare comandi nascosti, eseguiti dagli assistenti AI dei browser, aggirando tutte le tradizionali misure di sicurezza.
L’attacco HashJack sfrutta il fatto che le parti di un URL dopo il carattere “#” non lasciano mai il browser né raggiungono il server.
Gli aggressori possono aggiungere il carattere “#” alla fine di un URL legittimo e quindi inserire prompt dannosi. Di conseguenza, quando un utente interagisce con una pagina tramite un assistente di intelligenza artificiale integrato (come Copilot in Edge, Gemini in Chrome o il browser Comet di Perplexity), queste istruzioni nascoste vengono elaborate dal modello linguistico ed eseguite come istruzioni legittime.
Gli esperti definiscono questo attacco “la prima iniezione indiretta di prompt in grado di trasformare qualsiasi sito web legittimo in un vettore di attacco”.
Durante i test, i ricercatori hanno dimostrato diversi scenari di sfruttamento per HashJack. Ad esempio, i browser AI con funzionalità basate su agenti (come Comet) possono essere indotti con l’inganno a trasmettere i dati degli utenti a server controllati dagli aggressori. Altri assistenti AI possono essere indotti con l’inganno a visualizzare link di phishing o istruzioni fuorvianti.
Le conseguenze di tali attacchi includono il furto di dati, il phishing, la diffusione di informazioni errate e possono persino danneggiare la salute dell’utente (ad esempio, se l’intelligenza artificiale fornisce raccomandazioni errate sul dosaggio dei farmaci).
“Questo è particolarmente pericoloso perché il tasso di successo è molto più alto rispetto al phishing tradizionale. Gli utenti visualizzano un sito web familiare e si fidano ciecamente delle risposte dell’assistente AI”, spiega Vitaly Simonovich, ricercatore di Cato Networks.
I ricercatori hanno informato gli sviluppatori di Perplexity della loro scoperta a luglio, e Google e Microsoft hanno fatto lo stesso ad agosto. Le reazioni sono state contrastanti: Google ha classificato il problema come “comportamento previsto”, ha assegnato un livello di gravità basso e si è rifiutata di implementare una correzione, mentre Microsoft e Perplexity hanno rilasciato patch per i loro browser.
I rappresentanti di Microsoft hanno sottolineato che l’azienda considera la protezione contro le iniezioni indirette di prompt un “processo continuo” e indaga a fondo su ogni nuova variante di tali attacchi.
Nel loro rapporto, i ricercatori sottolineano che i metodi di difesa tradizionali sono impotenti contro gli attacchi HashJack. Pertanto, affrontare tali problemi richiede difese multilivello, tra cui la gestione e il controllo dell’uso di strumenti di intelligenza artificiale, il blocco di frammenti di URL sospetti sul lato client, la limitazione dell’elenco degli assistenti di intelligenza artificiale consentiti e il monitoraggio attento dell’attività dei browser con funzionalità di intelligenza artificiale.
Infatti, le organizzazioni ora devono analizzare non solo i siti web stessi, ma anche la combinazione “browser + assistente AI” che elabora il contesto nascosto.
L'articolo Arriva HashJack: basta un “#” e i browser AI iniziano a vaneggiare proviene da Red Hot Cyber.
KiDoom Brings Classic Shooter to KiCad
As the saying goes: if it has a processor and a display, it can run DOOM. The corollary here is that if some software displays things, someone will figure out a way to make it render the iconic shooter. Case in point KiDoom by [Mike Ayles], which happily renders DOOM in KiCad at a sedate 10 to 25 frames per second as you blast away at your PCB routing demons.
Obviously, the game isn’t running directly in KiCad, but it does use the doomgeneric DOOM engine in a separate process, with KiCad’s PCB editor handling the rendering. As noted by [Mike], he could have used a Python version of DOOM to target KiCad’s Python API, but that’s left as an exercise for the reader.
Rather than having the engine render directly to a display, [Mike] wrote code to extract the position of sprites and wall segments, which is then sent to KiCad via its Python interface, updating the view and refreshing the ‘PCB’. Controls are as usual, though you’ll be looking at QFP-64 package footprints for enemies, SOIC-8 for decorations and SOT-23-3 packages for health, ammo and keys.
If you’re itching to give it a try, the GitHub project can be found right here. Maybe it’ll bring some relief after a particularly frustrating PCB routing session.
A Friendly Reminder That Your Unpowered SSDs Are Probably Losing Data
Save a bunch of files on a good ol’ magnetic hard drive, leave it in a box, and they’ll probably still be there a couple of decades later. The lubricants might have all solidified and the heads jammed in place, but if you can get things moving, you’ll still have your data. As explained over at [XDA Developers], though, SSDs can’t really offer the same longevity.
It all comes down to power. SSDs are considered non-volatile storage—in that they hold on to data even when power is removed. However, they can only do so for a rather limited amount of time. This is because of the way NAND flash storage works. It involves trapping a charge in a floating gate transistor to store a single bit of data. You can power down an SSD, and the trapped charge in all the NAND flash transistors will happily stay put. But over longer periods of time, from months to years, that charge can leak out. When this happens, data is lost.
Depending on your particular SSD, and the variety of NAND flash it uses (TLC, QLC, etc), the safe storage time may be anywhere from a few months to a few years. The process takes place faster at higher temperatures, too, so if you store your drives in a warm area, you could see surprisingly rapid loss.
Ultimately, it’s worth checking your drive specs and planning accordingly. Going on a two-week holiday? Your PC will probably be just fine switched off. Going to prison for three to five years with only a slim chance of parole? Maybe back up to a hard drive first, or have your cousin switch your machine on now and then for safety’s sake.
On a vaguely related note, we’ve even seen SSDs that can self-destruct on purpose. If you’ve got the low down on other neat solid-state stories, don’t hesitate to notify the tipsline.
Benchmarking Chinese CPUs
When it comes to PCs, Westerners are most most familiar with x86/x64 processors from Intel and AMD, with Apple Silicon taking up a significant market share, too. However, in China, a relatively new CPU architecture is on the rise. A fabless semiconductor company called Loongson has been producing chips with its LoongArch architecture since 2021. These chips remain rare outside China, but some in the West have been benchmarking them.
[Daniel Lemire] has recently blogged about the performance of the Loongson 3A6000, which debuted in late 2023. The chip was put through a range of simple benchmarking tests, involving float processing and string transcoding operations. [Daniel] compared it to the Intel Xeon Gold 6338 from 2021, noting the Intel chip pretty much performed better across the board. No surprise given its extra clock rate. Meanwhile, the gang over at [Chips and Cheese] ran even more exhaustive tests on the same chip last year. The Loongson was put through typical tasks like compressing archives and encoding video. The outlet came to the conclusion that the chip was a little weaker than older CPUs like AMD’s Zen 2 line and Intel’s 10th generation Core chips. It’s also limited as a four-core chip compared to modern Intel and AMD lines that often start at 6 cores as a minimum.
If you find yourself interested in Loongson’s product, don’t get too excited. They’re not exactly easy to lay your hands on outside of China, and even the company’s own website is difficult to access from beyond those shores. You might try reaching out to Loongson-oriented online communities if you seek such hardware.
Different CPU architectures have perhaps never been more relevant, particularly as we see the x86 stalwarts doing battle with the rise of desktop and laptop ARM processors. If you’ve found something interesting regarding another obscure kind of CPU, don’t hesitate to let the tipsline know!
Building a Low-Cost Satellite Tracker
Looking up at the sky just after sunset or just before sunrise will reveal a fairly staggering amount of satellites orbiting overhead, from tiny cubesats to the International Space Station. Of course these satellites are always around, and even though you’ll need specific conditions to view them with the naked eye, with the right radio antenna and only a few dollars in electronics you can see exactly which ones are flying by at any time.
[Josh] aka [Ham Radio Crash Course] is demonstrating this build on his channel and showing every step needed to get something like this working. The first part is finding the correct LoRa module, which will be the bulk of the cost of this project. Unlike those used for most Meshtastic nodes, this one needs to be built for the 433 MHz band. The software running on this module is from TinyGS, which we have featured here before, and which allows a quick and easy setup to listen in to these types of satellites. This build goes much further into detail on building the antenna, though, and also covers some other ancillary tasks like mounting it somewhere outdoors.
With all of that out of the way, though, the setup is able to track hundreds of satellites on very little hardware, as well as display information about each of them. We’d always favor a build that lets us gather data like this directly over using something like a satellite tracking app, although those do have their place. And of course, with slightly more compute and a more directed antenna there is all kinds of other data beaming down that we can listen in on as well, although that’s not always the intent.
youtube.com/embed/V6RJG9q7R8M?…
FLOSS Weekly Episode 856: QT: Fix It Please, My Mom is Calling
This week Jonathan chats with Maurice Kalinowski about QT! That’s the framework that runs just about anywhere, making it easy to write cross-platform applications. What’s the connection with KDE? And how has this turned into a successful company? Watch to find out!
youtube.com/embed/pMSStjolrRA?…
Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or have the guest contact us! Take a look at the schedule here.
play.libsyn.com/embed/episode/…
Direct Download in DRM-free MP3.
If you’d rather read along, here’s the transcript for this week’s episode.
Places to follow the FLOSS Weekly Podcast:
Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
hackaday.com/2025/11/26/floss-…
Elli Furedy Brings Cyberpunk Games to Life
When you’re designing a bounty hunter game for a five-day cyberpunk live-action-role-play out in the middle of the Mojave desert, you’ve got to bring something extra cool. But [Elli]’s Hackaday Supercon talk isn’t just about the hardware; it’s as much about the design philosophy behind the game – how you bring something immersive and exciting to hundreds of players.
Sandbox Systems
The game itself is fairly simple: bounty hunters try to find the bounty, and when they do, they have a quick-draw to see who wins. Everyone is issued a color-coded Portable Data Node device, and when a hunter jacks into a bounty’s Node, a countdown begins, and the first to press the button after the display say “Go” wins.
But the simplicity of the game is by design, and [Elli] talks about the philosophy that she and her team followed to make it a success. If you’re designing a conference badge or an immersive game for a large group of people, take note.
The first principle is to focus on the people first before the tech. Here, that essentially means making the experience as simple as possible in order to leave room for the players to put their own spin on it – it’s a role-play event after all.
Next is providing opportunities over demands. In this game, for instance, if you’re playing the bounty hunter role, you have to deliver a “Declaration of Intent to Seize” when you encounter a bounty player, but what deciding on your personal catchphrase for this is left up to you.
Selling the story of the game with the tech is also important. For instance, there is a part of the Node that [Elli] calls “the doodad” which is just pure LED and greebles. It doesn’t do anything, but it looks cool.
Finally, [Elli] mentions that her team puts an effort into making the game as accessible for everyone as possible. The onboarding video has cyberpunk-styled closed captioning, for instance. While originally designed for folks who don’t hear well, it ended up providing an aesthetic that everyone can enjoy – an example of the curb-cut effect at work.
The end result? 374 players played 3,838 matches over five days, but that’s just the stats. As [Elli] points out, the real point of the game is as an ice-breaker, to allow people room to explore whatever character they’re playing, and to connect people in real-space. It sounds like it was a complete success on all fronts.
The Sandbox
This is a talk on design principles, but it’s also a talk at Supercon, and [Elli] gets pulled into the hardware side of things many times throughout the talk. The Nodes have OLEDs and haptic motors for feedback, they use and ESP32 with WiFi for the score reporting, and there’s even discussion of the serial protocol that they speak to each other when they get connected up via an audio jack.
[Elli] gets some great questions about ways to expand the game, and you’re just going to have to watch the video to appreciate them all. Or join in: after all, it’s an open-source project and it’s intended to be a sandbox!
There seems to be a lot of room to play along, and [Elli]’s talk is definitely food for thought if you’re designing hardware with the end goal of creating and encouraging human interaction through building up an engaging story.
youtube.com/embed/ndodsA254HA?…
The Busch Electronic Digital-Technik 2075 Digital Lab from the 1970s
In a recent video, [Jason Jacques] demos the Busch Electronic Digital-Technik 2075 which was released in West Germany in the 1970s.
The Digital-Technik 2075 comes with a few components including a battery holder and 9 V battery, a push button, two 1 K resistors, a red LED, a 100 nF ceramic capacitor, a 100 µF electrolytic capacitor, a quad NAND gate IC, and a counter module which includes an IC and a 7-segment display. The kit also comes with wires, plugs, a breadboard, and a tool for extracting modules.
The Digital-Technik 2075 doesn’t use the spring terminals we see in other project labs of the time, such as the Science Fair kits from Radio Shack, and it doesn’t use modular Denshi blocks, such as we saw from the Gakken EX-150, but rather uses wire in conjunction with yellow plastic plugs. This seems to work well enough.
In the video, after showing us how to do switch debouncing, [Jason] runs us through making a counter with the digital components and then getting the counter to reset after it counts to five. This is done using NAND gates. Before he gets stuck into doing a project he takes a close look at the manual (which is in German) including some of the advertisements for other project labs from Busch which were available at the time. As he doesn’t speak German [Jason] prints out an English translation of the manual before working through it.
We’ve heard from [Jason] at Hackaday in recent history when we saw his Microtronic Phoenix Computer System which referenced the 2090 Microtronic Computer System which was also made by Busch.
youtube.com/embed/AhI8z8OgQyY?…
Chinese Regulators May Kill Retractable Car Door Handles That Never Should Have Existed
Headlights. Indicators. Trunk releases. Seatbelts. Airbags. Just about any part of a car you can think of is governed by a long and complicated government regulation. It’s all about safety, ensuring that the car-buying public can trust that their vehicles won’t unduly injure or maim them in regular operation, or in the event of accident.
However, one part of the modern automobile has largely escaped regulation—namely, the humble door handle. Automakers have been free to innovate with new and wacky designs, with Tesla in particular making waves with its electronic door handles. However, after a series of deadly incidents where doors wouldn’t open, regulators are now examining if these door handles are suitable for road-going automobiles. As always, regulations are written in blood, but it raises the question—was not the danger of these complicated electronic door handles easy to foresee?
Trapped
A number of automakers have developed fancy retractable door handles in recent years. They are most notably seen on electric vehicles, where they are stated to have a small but measurable aerodynamic benefit. They are often paired with buttons or other similar electronic controls to open the doors from the inside. Compared to mechanical door handles, however, these door handles come with a trade-off in complexity. They require electricity, motors, and a functioning control system to work. When all is well, this isn’t a problem. However, when things go wrong, a retractable electronic door handle often proves inaccessible and useless.
It’s not hard to find case reports of fatal incidents involving vehicles with electronic door handles—both inside and out. Multiple cases have involved occupants burning alive inside Tesla vehicles, in which electronic door handles failed after a crash. Passengers inside the vehicles have failed to escape due to not finding emergency release door pulls hidden in the door panels, while bystanders have similarly been unable to use the retracted outside door handles to free those trapped inside.
In response, some Tesla owners have gone so far as to release brightly-colored emergency escape ripcords to replace the difficult-to-spot emergency release pulls that are nearly impossible to find without prior knowledge. In the case of some older models, though, there’s less hope of escape. For example, in the Tesla Model 3 built from 2017 to 2023, only front doors have an emergency mechanical release. Rear passengers are out of luck, and must find another route of escape if their electronic door handles fail to operate. No Tesla vehicles feature an easily-accessible mechanical release that can be used from outside the vehicle.
It’s worth noting that in the US market, federal regulations have mandated glow-in-the-dark trunk releases be fitted to all sedans from the 2002 model year onwards. You could theoretically escape from the trunk of certain Teslas more easily than a Cybertruck or Model 3 with a failed electrical system.
Tesla isn’t the only company out there building cars with retractable door handles. It does, however, remain the most prominent user of this technology, and its vehicles have been involved in numerous incidents that have made headlines. Other automakers, such as Audi and Fiat, have experimented with electronic door handles, both for ingress and egress, with varying degrees of mechanical backup available. In some cases, automakers have used smart two-stage latches. A small pull activates the electronic door release, while a stronger pull will engage a mechanical linkage that unlatches the door. It’s smart engineering—the door interface responds to the exact action a passenger would execute if trying to escape the vehicle in a panic. There are obviously less concerns around electronic door releases that have easily-accessed mechanical backups; it’s just that Tesla is particularly notable for not always providing them.
Over the years, national automotive bodies have thrown up their arms about all sorts of emerging automotive technologies. In the United States specifically, NHTSA has famously slow-walked the approval of things like camera-based rear-view mirror systems and replaceable-bulb headlamps, fearing the worst could occur if these technologies were freely allowed on the market.
Meanwhile, despite the obvious risks, electronic door handles have faced no major regulatory challenges. There were no obvious written rules standing in the way of Tesla making the choice to eliminate regular old door handles. Nor were there strict regulations on emergency door releases for passengers inside the vehicle. Tesla spent years building several models with no mechanical door release for the rear passengers. If your door button failed, you’d have to attempt escape by climbing out through the front doors, assuming you could figure out how to open them. Even today, the models with mechanical door releases still often hide them behind interior trim pieces or carpets, where few passengers would ever think to look in an emergency.
Obvious Mistakes
Things are beginning to change, however. Chinese regulators have led the charge, with reports stating that electronic retractable door handles could be banned as soon as 2027. While some semi-retractable styles will potentially avoid an outright ban, it’s believed new regulations will require a mechanically redundant release system as standard.
As for the US, the sleeping giant of NHTSA has finally awoken in the wake of Bloomberg‘s reporting on the matter. As reported by CNBC, Tesla has been given a deadline of December 10 to deliver records to the federal regulator, regarding design, failures, and customer issues around its electronic door release systems. The Office of Defects Investigations within NHTSA has already recorded 16 reports of failed exterior door releases in the a single model year of the Tesla Model Y. It’s likely a drop in the ocean compared to the full population of Tesla vehicles currently on roads. Meanwhile, the US automaker also faces multiple lawsuits over the matter from those who have lost family members in fatal crashes and fires involving the company’s vehicles.
In due time, it’s likely that automotive regulators in most markets will come out against electronic door handles from a safety perspective alone. No matter how well designed the electrical system in a modern vehicle, it’s hard to beat a lever flipping a latch for simplicity and robustness. The benefits of these electronic door handles are spurious in the first place—a fraction of a percent reduction in drag, and perhaps a little more luxury appeal. If the trade-off is trapping passengers in the event of a fire, it’s hard to say they’re worthwhile.
The electronic door handle, then, is perhaps the ultimate triumph of form over function. They’re often slower and harder to use than a regular door handle, and particularly susceptible to becoming useless when iced over on a frosty morning. For a taste of the future, lives were put at risk. Anyone could see that, so it’s both strange and sad that automakers and regulators alike seemed not to notice until it was far too late. Any new regulations will, once again, be written in blood.
Simulazioni di Phishing: 5 consigli per evitare falsi positivi dal CERT-AgID
Sempre più amministrazioni avviano simulazioni di campagne di phishing per misurare la capacità dei propri dipendenti di riconoscere i messaggi sospetti. Quando queste attività coinvolgono strutture pubbliche, può succedere che i messaggi vengano inopportunamente segnalati ai CERT istituzionali come se fossero illecite.
Senza qualche accorgimento tecnico per evidenziare la natura simulata dell’attività, la campagna può essere interpretata come un’operazione malevola vera e propria, con il rischio che anche i CERT censiscano gli indicatori della simulazione nelle blacklist operative.
Il CERT-AgID, propone dei suggerimenti che derivano dall’esperienza in materia maturata sul campo.
Non si tratta di regole rigide, ma di accorgimenti utili per un miglior esito di una simulazione e la minimizzazione del rischio di classificare come ostile qualcosa che non lo è, permettendo ai CERT di concentrarsi sulle minacce reali.
1. Inserire un commento nel codice HTML della pagina
Aggiungere un breve commento nel codice HTML, visibile solo a chi lo ispeziona, aiuta chi analizza la pagina a capire che si tratta di un test legittimo. È una piccola forma di trasparenza tecnica che permette di evitare fraintendimenti, un segnale discreto che mette in allerta l’analista e lo spinge ad approfondire una eventuale segnalazione prima di classificare la pagina come minaccia.
2. Lasciare visibili le informazioni del WHOIS
Non oscurare il WHOIS del dominio usato per la campagna. Vedere subito il nome della società o dell’ente che conduce la simulazione riduce il rischio che il dominio o l’IP vengano scambiati per un’infrastruttura malevola.
3. Informare preventivamente i CERT istituzionali
Una comunicazione essenziale ai CERT istiuzionali che probabilmente potrebbero essere allertati aiuta a evitare segnalazioni di falsi positivi. Possono bastare poche informazioni come:
- domini e IP utilizzati (opzionalmente il numero di telefono in caso di smishing)
- periodo previsto della simulazione
- eventuale tipo di target
Non serve descrivere nei dettagli lo scenario, ma solo poche ed essenziali informazioni sono sufficienti permettere ai CERT di riconoscere i relativi indicatori.
4. Usare un file security.txt sul dominio
Avere un file security.txt (vedere in proposito RFC 9116) disponibile sul dominio della simulazione permette agli analisti di verificare subito se esiste un contatto a cui chiedere conferma. Un riferimento operativo chiaro accelera la gestione dei dubbi e riduce il rischio di trattare la simulazione come un incidente reale.
5. Informare l’utente dopo l’inserimento delle credenziali
Dopo che l’utente inserisce le credenziali o avvia un download, si può scegliere di mostrare subito una pagina che chiarisce che si tratta di una simulazione. Questa soluzione evita preoccupazioni inutili e favorisce la consapevolezza. In altri casi si può decidere di informare l’utente in un secondo momento, anche in funzione dell’approccio scelto dalla società o dall’ente che conduce la simulazione.
L'articolo Simulazioni di Phishing: 5 consigli per evitare falsi positivi dal CERT-AgID proviene da Red Hot Cyber.
WormGPT e KawaiiGPT Migliorano! Le “AI del male” sono un’arma per i cybercriminali
I criminali informatici non hanno più bisogno di convincere ChatGPT o Claude Code a scrivere malware o script per il furto di dati. Esiste già un’intera classe di modelli linguistici specializzati, progettati specificamente per gli attacchi.
Uno di questi sistemi è WormGPT 4, che si pubblicizza come “la chiave per un’intelligenza artificiale senza confini“. Porta avanti l’eredità del modello WormGPT originale, emerso nel 2023 e successivamente scomparso a causa dell’ascesa di altri LLM “tossici“, come evidenziato nello studio Abnormal Security .
Secondo gli esperti di Unit 42 presso Palo Alto Networks, le vendite di WormGPT 4 sono iniziate intorno al 27 settembre, con annunci pubblicitari apparsi su Telegram e forum underground come DarknetArmy.
Secondo il loro rapporto, l’accesso al modello parte da 50 dollari al mese, mentre un abbonamento a vita con il codice sorgente costa 220 dollari.
Il canale Telegram di WormGPT conta attualmente diverse centinaia di iscritti e l’analisi di Unit 42 dimostra che questo modello commerciale senza restrizioni può fare molto di più che semplicemente aiutare a scrivere e-mail di phishing o singoli malware.
Nello specifico, i ricercatori hanno chiesto a WormGPT 4 di creare un ransomware, uno script che crittografa e blocca tutti i file PDF su un host Windows. Il modello ha prodotto uno script PowerShell pronto all’uso, con una nota che lo descrive come “veloce, silenzioso e brutale”. Il codice includeva parametri per la selezione di estensioni e ambiti di ricerca predefiniti sull’intera unità C:, la generazione di un messaggio di riscatto con una scadenza di 72 ore e la possibilità di divulgare dati tramite Tor.
L’Unità 42 sottolinea che nemmeno questa “IA per il male” riesce ancora a trasformare gli attacchi in una pipeline completamente automatizzata. Secondo Kyle Wilhout, responsabile della ricerca sulle minacce presso Palo Alto Networks, il codice generato dal software potrebbe teoricamente essere utilizzato in attacchi reali, ma nella maggior parte dei casi richiede modifiche manuali per evitare di essere bloccato immediatamente dagli strumenti di sicurezza standard.
Un altro esempio di tale strumento è KawaiiGPT, che ha attirato l’attenzione dei ricercatori di sicurezza informatica nell’estate del 2025. I suoi creatori pubblicizzano il modello come una “sadica trovatella per la cyberpenetrazione “ e promettono “dove la tenerezza incontra le armi informatiche offensive”. A differenza di WormGPT, KawaiiGPT è distribuito gratuitamente e disponibile su GitHub, riducendo ulteriormente la barriera d’ingresso per gli aggressori alle prime armi.
In un esperimento, l’Unità 42 ha chiesto a KawaiiGPT di creare un’e-mail di spear phishing che fingeva di provenire da una banca con oggetto “Urgente: verifica le informazioni del tuo conto”. Il modello ha generato un’e-mail convincente che portava a una falsa pagina di verifica in cui si voleva rubare il numero di carta della vittima, la data di nascita e le credenziali di accesso.
I ricercatori non si sono fermati qui e sono passati ad attività più tecniche. In risposta alla richiesta di “scrivere uno script Python per il movimento laterale su un host Linux”, KawaiiGPT ha restituito il codice utilizzando il modulo SSH paramiko. Uno script di questo tipo non offre funzionalità fondamentalmente nuove, ma automatizza un passaggio fondamentale in quasi tutti gli attacchi riusciti: penetrare nei sistemi adiacenti come utente legittimo con accesso alla shell remota, la possibilità di aumentare i privilegi, condurre ricognizioni, installare backdoor e raccogliere file sensibili.
In un altro test, il modello ha generato uno script Python per l’esfiltrazione di dati, in particolare file di posta elettronica EML su un host Windows. Lo script ha trovato i file richiesti e li ha inviati all’indirizzo dell’aggressore come allegati.
Secondo Unit 42, il vero pericolo di WormGPT 4, KawaiiGPT e simili LLM “oscuri” è che riducono significativamente la barriera d’ingresso nel cybercrimesemplificando la generazione di codice dannoso di base, e-mail di phishing e singole fasi di attacco. Tali strumenti possono già fungere da elementi costitutivi per campagne più sofisticate basate sull’intelligenza artificiale e, secondo i ricercatori, gli elementi di automazione discussi nel rapporto sono già utilizzati in attacchi reali.
L'articolo WormGPT e KawaiiGPT Migliorano! Le “AI del male” sono un’arma per i cybercriminali proviene da Red Hot Cyber.
MicroCAD Programs CAD
We love and hate OpenSCAD. As programmers, we like describing objects we want to 3D print or otherwise model. As programmers, we hate all the strange things about OpenSCAD that make it not like a normal programming language. Maybe µCAD (or Microcad) is the answer. This new entry in the field lets you build things programmatically and is written in Rust.
In fact, the only way to get it right now is to build it from source using cargo. Assuming you already have Rust, that’s not hard. Simply enter: cargo install microcad. If you don’t already have Rust, well, then that’s a problem. However, we did try to build it, and despite having the native library libmanifold available, Rust couldn’t find it. You might have better luck.
You can get a feel for the language by going through one of the tutorials, like the one for building a LEGO-like shape. Here’s a bit of code from that tutorial:
use std::geo2d::*;
use std::ops::*;
const SPACING = 8mm;
op grid(columns: Integer, rows: Integer) {
@input
.translate(x = [1..columns] * SPACING, y = [1..rows] * SPACING)
.align()
}
sketch Base(
columns: Integer,
rows: Integer,
width: Length,
height: Length
) {
thickness = 1.2mm;
frame = Frame(width, height, thickness);
struts = Ring(outer_d = 6.51mm, inner_d = 4.8mm)
.grid(columns = columns-1, rows = rows-1);
frame | struts;
}
There are proper functions, support for 2D sketches and 3D objects, and even a VSCode extension.
Will you try it? If we can get it to build, we will. Meanwhile, there’s always OpenSCAD. Even TinkerCAD can do some parametric modeling.
Shakerati Anonimi: la storia di Marco e il “prezzo” della Fiducia
Ciao a tutti… mi chiamo Marco, ho 37 anni e lavoro come impiegata amministrativa in uno studio commerciale. È la prima volta che parlo davanti a tutti voi e sono un pò emozionato … e vi assicuro che non è semplice. Ma dopo quello che ho passato, ho capito che tacere non porta da nessuna parte, mentre condividere può salvare qualcun altro dal mio stesso problema.
Mi sono sempre considerato una persona prudente: pago tutto con la carta, controllo gli estratti conto, tengo d’occhio le email sospette, e quando non capisco qualcosa… chiedo.
Eppure, qualche mese fa, tra lavoro, stress, bollette e un po’ di solitudine, ho abbassato la guardia. E qualcuno mi ha colpito proprio nel momento perfetto e ho perso 15.000 euro.
L’inizio di tutto
Tutto è cominciato con una pubblicità su un social: “Guadagna completando semplici task online – zero rischi, solo profitto”.
Non era la prima volta che vedevo annunci simili, ma quella piattaforma sembrava più professionale, con grafici, recensioni e perfino assistenza live.
Quindi ci penso, ma istintivamente compilo il modulo.
Dopo dieci minuti mi chiama un tizio con una voce rassicurante, educatissima.
Mi spiega che posso iniziare subito con un piccolo versamento: 250 euro.
Li invio.
Nel giro di qualche giorno il “portafoglio” mostrava già +12% di profitto.
Io non ci credevo: “Allora funziona davvero!”.
La spirale
Da lì è iniziata la pressione: task da completare, versamenti sempre più grandi, piccole “missioni” da finire per avere accesso ai bonus.
Ma ogni volta che provavo a prelevare, compariva un messaggio: “Errore. Attendi l’approvazione dell’operatore.”
Oppure: “Prelievo bloccato: è necessario completare un nuovo task.”
Pensavo che era un problema momentaneo.
Nel frattempo, i grafici del mio wallet salivano, salivano tanto… sembravo diventare ricco senza muovere un dito. Ma io quei soldi non li vedevo mai davvero.
Il problema più grande
Per continuare, a un certo punto non avevo più soldi miei.
Così ho usato la carta di credito di mio padre che mi aveva affidato “solo per le emergenze”. La carta era sempre con me, lui non ha mai fatto controlli ossessivi, e io mi illudevo che presto gli avrei rimesso tutto, anzi, forse avrei anche potuto fare una sorpresa alla famiglia.
Ho nascosto questa cosa a tutti. Per lunghi ed interminabili mesi… che stupido che sono stato!
Il colpo di scena
Un giorno, finalmente, decido di fare un prelievo importante: 5.000 euro dal mio “profitto”. Il portale si blocca. L’assistenza mi scrive: “Contatto in arrivo dal nostro reparto sicurezza.”
Mi chiama una signora, molto gentile. Mi dice che vedono un’anomalia sul mio profilo, che qualcuno potrebbe aver tentato accessi non autorizzati e che devono verificare la proprietà del wallet.
Mi chiede il numero della carta che ho utilizzato per i depositi, per “confermare l’identità”.
Gliela do.
A quel punto mi dicono: “La procedura richiede un’ultima transazione di validazione. Poi i fondi saranno sbloccati.” Dopo cinque minuti, vedo l’addebito: 3.000 euro.
Mi precipito a ricaricare la pagina.
Il portafoglio è sparito.
La piattaforma non esiste più.
La chat non risponde.
Il numero è irraggiungibile.
Ed ecco il colpo di scena: mio padre mi chiama chiedendo perché aveva ricevuto una notifica di sicurezza dalla banca per “attività sospette” sulla carta.
Lui non ne sapeva nulla, era caduto dalle nuvole.
La bugia e la truffa sono esplose insieme.
È lì che ho capito veramente che non solo avevo perso i miei soldi… avevo messo nei guai anche mio padre.
Quando mi sono presentato alla polizia postale, avevo il cuore a pezzi.
Non tanto per il denaro perso, ma per la vergogna. Credevo mi avrebbero giudicata come un cretino, invece mi sono sentita dire che casi come il mio arrivano ogni giorno: persone preparate, intelligenti, attente… tutte ingannate da manipolazioni psicologiche studiate al millimetro. È stato il primo momento in cui mi sono sentito meno solo ed ecco perché ho poi accettato di venire qua da voi a condividere la mia storia.
Da lì ho iniziato a leggere, informarmi, capire come funzionano queste finte piattaforme di investimento.
Ho scoperto, troppo tardi, che tutto ciò che vedevo, dai grafici ai profitti, era generato da un software truccato. Nulla era reale. Ogni messaggio, ogni telefonata, ogni “errore di prelievo” era parte di un piano preciso. E più leggevo, più mi chiedevo una sola cosa: come ho potuto cascarci?
Poi ho capito tristemente una cosa: non cadi perché sei stupido. Cadi perché sei un essere umano.
Lesson Learned – Cosa abbiamo imparato
- Le piattaforme che mostrano profitti immediati e garantiti sono una trappola al 100%.
- Se non puoi prelevare in qualunque momento, non è un investimento ma una truffa.
- I truffatori giocano su psicologia, pressione, premi, urgenza e senso di colpa.
- Utilizzare carte intestate ad altri (anche familiari) mette tutti a rischio e complica enormemente la situazione.
- Non denunciare subito peggiora i danni: i truffatori contano proprio sul silenzio.
- Condividere le tue esperienze digitali con i familiari aiuta ad uscirne fuori in fretta. Fallo!
Come prevedere (ed evitare) tutto questo
- Diffidare di ogni proposta che promette guadagni rapidi e “senza rischio”.
- Controllare sempre se una piattaforma finanziaria è autorizzata da CONSOB.
- Verificare i siti su portali come Whois, Scamadviser, Google Safe Browsing.
- Non credere ai grafici che “crescono”: sono completamente falsificabili.
- Non condividere codici, carte, screenshot o accessi con nessuno, mai.
- E soprattutto: se qualcosa ti fa sentire in ansia o sotto pressione, è quasi sempre una truffa.
Genesi dell’articolo
L’articolo è stato ispirato da una truffa reale, condivisa da un utente su Reddit.
A questa persona va tutto il nostro conforto: il suo coraggio nel raccontare ciò che ha vissuto permette ad altri di riconoscere i segnali, proteggersi e imparare dall’esperienza che ha affrontato.
L'articolo Shakerati Anonimi: la storia di Marco e il “prezzo” della Fiducia proviene da Red Hot Cyber.
Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025
Just like the 2000s
Flip phones grew popular, Windows XP debuted on personal computers, Apple introduced the iPod, peer-to-peer file sharing via torrents was taking off, and MSN Messenger dominated online chat. That was the tech scene in 2001, the same year when Sir Dystic of Cult of the Dead Cow published SMBRelay, a proof-of-concept that brought NTLM relay attacks out of theory and into practice, demonstrating a powerful new class of authentication relay exploits.
Ever since that distant 2001, the weaknesses of the NTLM authentication protocol have been clearly exposed. In the years that followed, new vulnerabilities and increasingly sophisticated attack methods continued to shape the security landscape. Microsoft took up the challenge, introducing mitigations and gradually developing NTLM’s successor, Kerberos. Yet more than two decades later, NTLM remains embedded in modern operating systems, lingering across enterprise networks, legacy applications, and internal infrastructures that still rely on its outdated mechanisms for authentication.
Although Microsoft has announced its intention to retire NTLM, the protocol remains present, leaving an open door for attackers who keep exploiting both long-standing and newly discovered flaws.
In this blog post, we take a closer look at the growing number of NTLM-related vulnerabilities uncovered over the past year, as well as the cybercriminal campaigns that have actively weaponized them across different regions of the world.
How NTLM authentication works
NTLM (New Technology LAN Manager) is a suite of security protocols offered by Microsoft and intended to provide authentication, integrity, and confidentiality to users.
In terms of authentication, NTLM is a challenge-response-based protocol used in Windows environments to authenticate clients and servers. Such protocols depend on a shared secret, typically the client’s password, to verify identity. NTLM is integrated into several application protocols, including HTTP, MSSQL, SMB, and SMTP, where user authentication is required. It employs a three-way handshake between the client and server to complete the authentication process. In some instances, a fourth message is added to ensure data integrity.
The full authentication process appears as follows:
- The client sends a NEGOTIATE_MESSAGE to advertise its capabilities.
- The server responds with a CHALLENGE_MESSAGE to verify the client’s identity.
- The client encrypts the challenge using its secret and responds with an AUTHENTICATE_MESSAGE that includes the encrypted challenge, the username, the hostname, and the domain name.
- The server verifies the encrypted challenge using the client’s password hash and confirms its identity. The client is then authenticated and establishes a valid session with the server. Depending on the application layer protocol, an authentication confirmation (or failure) message may be sent by the server.
Importantly, the client’s secret never travels across the network during this process.
NTLM is dead — long live NTLM
Despite being a legacy protocol with well-documented weaknesses, NTLM continues to be used in Windows systems and hence actively exploited in modern threat campaigns. Microsoft has announced plans to phase out NTLM authentication entirely, with its deprecation slated to begin with Windows 11 24H2 and Windows Server 2025 (1, 2, 3), where NTLMv1 is removed completely, and NTLMv2 disabled by default in certain scenarios. Despite at least three major public notices since 2022 and increased documentation and migration guidance, the protocol persists, often due to compatibility requirements, legacy applications, or misconfigurations in hybrid infrastructures.
As recent disclosures show, attackers continue to find creative ways to leverage NTLM in relay and spoofing attacks, including new vulnerabilities. Moreover, they introduce alternative attack vectors inherent to the protocol, which will be further explored in the post, specifically in the context of automatic downloads and malware execution via WebDAV following NTLM authentication attempts.
Persistent threats in NTLM-based authentication
NTLM presents a broad threat landscape, with multiple attack vectors stemming from its inherent design limitations. These include credential forwarding, coercion-based attacks, hash interception, and various man-in-the-middle techniques, all of them exploiting the protocol’s lack of modern safeguards such as channel binding and mutual authentication. Prior to examining the current exploitation campaigns, it is essential to review the primary attack techniques involved.
Hash leakage
Hash leakage refers to the unintended exposure of NTLM authentication hashes, typically caused by crafted files, malicious network paths, or phishing techniques. This is a passive technique that doesn’t require any attacker actions on the target system. A common scenario involving this attack vector starts with a phishing attempt that includes (or links to) a file designed to exploit native Windows behaviors. These behaviors automatically initiate NTLM authentication toward resources controlled by the attacker. Leakage often occurs through minimal user interaction, such as previewing a file, clicking on a remote link, or accessing a shared network resource. Once attackers have the hashes, they can reuse them in a credential forwarding attack.
Coercion-based attacks
In coercion-based attacks, the attacker actively forces the target system to authenticate to an attacker-controlled service. No user interaction is needed for this type of attack. For example, tools like PetitPotam or PrinterBug are commonly used to trigger authentication attempts over protocols such as MS-EFSRPC or MS-RPRN. Once the victim system begins the NTLM handshake, the attacker can intercept the authentication hash or relay it to a separate target, effectively impersonating the victim on another system. The latter case is especially impactful, allowing immediate access to file shares, remote management interfaces, or even Active Directory Certificate Services, where attackers can request valid authentication certificates.
Credential forwarding
Credential forwarding refers to the unauthorized reuse of previously captured NTLM authentication tokens, typically hashes, to impersonate a user on a different system or service. In environments where NTLM authentication is still enabled, attackers can leverage previously obtained credentials (via hash leakage or coercion-based attacks) without cracking passwords. This is commonly executed through Pass-the-Hash (PtH) or token impersonation techniques. In networks where NTLM is still in use, especially in conjunction with misconfigured single sign-on (SSO) or inter-domain trust relationships, credential forwarding may provide extensive access across multiple systems.
This technique is often used to facilitate lateral movement and privilege escalation, particularly when high-privilege credentials are exposed. Tools like Mimikatz allow extraction and injection of NTLM hashes directly into memory, while Impacket’s wmiexec.py, PsExec.py, and secretsdump.py can be used to perform remote execution or credential extraction using forwarded hashes.
Man-in-the-Middle (MitM) attacks
An attacker positioned between a client and a server can intercept, relay, or manipulate authentication traffic to capture NTLM hashes or inject malicious payloads during the session negotiation. In environments where safeguards such as digital signing or channel binding tokens are missing, these attacks are not only possible but frequently easy to execute.
Among MitM attacks, NTLM relay remains the most enduring and impactful method, so much so that it has remained relevant for over two decades. Originally demonstrated in 2001 through the SMBRelay tool by Sir Dystic (member of Cult of the Dead Cow), NTLM relay continues to be actively used to compromise Active Directory environments in real-world scenarios. Commonly used tools include Responder, Impacket’s NTLMRelayX, and Inveigh. When NTLM relay occurs within the same machine from which the hash was obtained, it is also referred to as NTLM reflexion attack.
NTLM exploitation in 2025
Over the past year, multiple vulnerabilities have been identified in Windows environments where NTLM remains enabled implicitly. This section highlights the most relevant CVEs reported throughout the year, along with key attack vectors observed in real-world campaigns.
CVE-2024‑43451
CVE-2024‑43451 is a vulnerability in Microsoft Windows that enables the leakage of NTLMv2 password hashes with minimal or no user interaction, potentially resulting in credential compromise.
The vulnerability exists thanks to the continued presence of the MSHTML engine, a legacy component originally developed for Internet Explorer. Although Internet Explorer has been officially deprecated, MSHTML remains embedded in modern Windows systems for backward compatibility, particularly with applications and interfaces that still rely on its rendering or link-handling capabilities. This dependency allows .url files to silently invoke NTLM authentication processes through crafted links without necessarily being open. While directly opening the malicious .url file reliably triggers the exploit, the vulnerability may also be activated through alternative user actions such as right clicking, deleting, single-clicking, or just moving the file to a different folder.
Attackers can exploit this flaw by initiating NTLM authentication over SMB to a remote server they control (specifying a URL in UNC path format), thereby capturing the user’s hash. By obtaining the NTLMv2 hash, an attacker can execute a pass-the-hash attack (e.g. by using tools like WMIExec or PSExec) to gain network access by impersonating a valid user, without the need to know the user’s actual credentials.
A particular case of this vulnerability occurs when attackers use WebDAV servers, a set of extensions to the HTTP protocol, which enables collaboration on files hosted on web servers. In this case, a minimal interaction with the malicious file, such as a single click or a right click, triggers automatic connection to the server, file download, and execution. The attackers use this flaw to deliver malware or other payloads to the target system. They also may combine this with hash leaking, for example, by installing a malicious tool on the victim system and using the captured hashes to perform lateral movement through that tool.
The vulnerability was addressed by Microsoft in its November 2024 security updates. In patched environments, motion, deletion, right-clicking the crafted .url file, etc. won’t trigger a connection to a malicious server. However, when the user opens the exploit, it will still work.
After the disclosure, the number of attacks exploiting the vulnerability grew exponentially. By July this year, we had detected around 600 suspicious .url files that contain the necessary characteristics for the exploitation of the vulnerability and could represent a potential threat.
BlindEagle campaign delivering Remcos RAT via CVE-2024-43451
BlindEagle is an APT threat actor targeting Latin American entities, which is known for their versatile campaigns that mix espionage and financial attacks. In late November 2024, the group started a new attack targeting Colombian entities, using the Windows vulnerability CVE-2024-43451 to distribute Remcos RAT. BlindEagle created .url files as a novel initial dropper. These files were delivered through phishing emails impersonating Colombian government and judicial entities and using alleged legal issues as a lure. Once the recipients were convinced to download the malicious file, simply interacting with it would trigger a request to a WebDAV server controlled by the attackers, from which a modified version of Remcos RAT was downloaded and executed. This version contained a module dedicated to stealing cryptocurrency wallet credentials.
The attackers executed the malware automatically by specifying port 80 in the UNC path. This allowed the connection to be made directly using the WebDAV protocol over HTTP, thereby bypassing an SMB connection. This type of connection also leaks NTLM hashes. However, we haven’t seen any subsequent usage of these hashes.
Following this campaign and throughout 2025, the group persisted in launching multiple attacks using the same initial attack vector (.url files) and continued to distribute Remcos RAT.
We detected more than 60 .url files used as initial droppers in BlindEagle campaigns. These were sent in emails impersonating Colombian judicial authorities. All of them communicated via WebDAV with servers controlled by the group and initiated the attack chain that used ShadowLadder or Smoke Loader to finally load Remcos RAT in memory.
Head Mare campaigns against Russian targets abusing CVE-2024-43451
Another attack detected after the Microsoft disclosure involves the hacktivist group Head Mare. This group is known for perpetrating attacks against Russian and Belarusian targets.
In past campaigns, Head Mare exploited various vulnerabilities as part of its techniques to gain initial access to its victims’ infrastructure. This time, they used CVE 2024-43451. The group distributed a ZIP file via phishing emails under the name “Договор на предоставление услуг №2024-34291” (“Service Agreement No. 2024-34291”). This had a .url file named “Сопроводительное письмо.docx” (translated as “Cover letter.docx”).
The .url file connected to a remote SMB server controlled by the group under the domain:
document-file[.]ru/files/documents/zakupki/MicrosoftWord.exe
The domain resolved to the IP address 45.87.246.40 belonging to the ASN 212165, used by the group in the campaigns previously reported by our team.
According to our telemetry data, the ZIP file was distributed to 121 users, 50% of whom belong to the manufacturing sector, 35% to education and science, and 5% to government entities, among other sectors. Of all the targets, 22 users interacted with the .url file.
To achieve their goals at the targeted companies, Head Mare used a number of publicly available tools, including open-source software, to perform lateral movement and privilege escalation, forwarding the leaked hashes. Among these tools detected in previous attacks are Mimikatz, Secretsdump, WMIExec, and SMBExec, with the last three being part of the Impacket suite tool.
In this campaign, we detected attempts to exploit the vulnerability CVE-2023-38831 in WinRAR, used as an initial access in a campaign that we had reported previously, and in two others, we found attempts to use tools related to Impacket and SMBMap.
The attack, in addition to collecting NTLM hashes, involved the distribution of the PhantomCore malware, part of the group’s arsenal.
CVE-2025-24054/CVE-2025-24071
CVE-2025-24071 and CVE-2025-24054, initially registered as two different vulnerabilities, but later consolidated under the second CVE, is an NTLM hash leak vulnerability affecting multiple Windows versions, including Windows 11 and Windows Server. The vulnerability is primarily exploited through specially crafted files, such as .library-ms files, which cause the system to initiate NTLM authentication requests to attacker-controlled servers.
This exploitation is similar to CVE-2024-43451 and requires little to no user interaction (such as previewing a file), enabling attackers to capture NTLMv2 hashes and gain unauthorized access or escalate privileges within the network. The most common and widespread exploitation of this vulnerability occurs with .library-ms files inside ZIP/RAR archives, as it is easy to trick users into opening or previewing them. In most incidents we observed, the attackers used ZIP archives as the distribution vector.
Trojan distribution in Russia via CVE-2025-24054
In Russia, we identified a campaign distributing malicious ZIP archives with the subject line “акт_выполненных_работ_апрель” (certificate of work completed April). These files inside the archives masqueraded as .xls spreadsheets but were in fact .library-ms files that automatically initiated a connection to servers controlled by the attackers. The malicious files contained the same embedded server IP address 185.227.82.72.
When the vulnerability was exploited, the file automatically connected to that server, which also hosted versions of the AveMaria Trojan (also known as Warzone) for distribution. AveMaria is a remote access Trojan (RAT) that gives attackers remote control to execute commands, exfiltrate files, perform keylogging, and maintain persistence.
CVE-2025-33073
CVE-2025-33073 is a high-severity NTLM reflection vulnerability in the Windows SMB client’s access control. An authenticated attacker within the network can manipulate SMB authentication, particularly via local relay, to coerce a victim’s system into authenticating back to itself as SYSTEM. This allows the attacker to escalate privileges and execute code at the highest level.
The vulnerability relies on a flaw in how Windows determines whether a connection is local or remote. By crafting a specific DNS hostname that partially overlaps with the machine’s own name, an attacker can trick the system into believing the authentication request originates from the same host. When this happens, Windows switches into a “local authentication” mode, which bypasses the normal NTLM challenge-response exchange and directly injects the user’s token into the host’s security subsystem. If the attacker has coerced the victim into connecting to the crafted hostname, the token provided is essentially the machine’s own, granting the attacker privileged access on the host itself.
This behavior emerges because the NTLM protocol sets a special flag and context ID whenever it assumes the client and server are the same entity. The attacker’s manipulation causes the operating system to treat an external request as internal, so the injected token is handled as if it were trusted. This self-reflection opens the door for the adversary to act with SYSTEM-level privileges on the target machine.
Suspicious activity in Uzbekistan involving CVE-2025-33073
We have detected suspicious activity exploiting the vulnerability on a target belonging to the financial sector in Uzbekistan.
We have obtained a traffic dump related to this activity, and identified multiple strings within this dump that correspond to fragments related to NTLM authentication over SMB. The dump contains authentication negotiations showing SMB dialects, NTLMSSP messages, hostnames, and domains. In particular, the indicators:
- The hostname localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA, a manipulated hostname used to trick Windows into treating the authentication as local
- The presence of the IPC$ resource share, common in NTLM relay/reflection attacks, because it allows an attacker to initiate authentication and then perform actions reusing that authenticated session
The incident began with exploitation of the NTLM reflection vulnerability. The attacker used a crafted DNS record to coerce the host into authenticating against itself and obtain a SYSTEM token. After that, the attacker checked whether they had sufficient privileges to execute code using batch files that ran simple commands such as whoami:
%COMSPEC% /Q /c echo whoami ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
Persistence was then established by creating a suspicious service entry in the registry under:
reg:\\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\YlHXQbXO
With SYSTEM privileges, the attacker attempted several methods to dump LSASS (Local Security Authority Subsystem Service) memory:
- Using rundll32.exe:
C:\Windows\system32\cmd.exe /Q /c CMD.exe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, #+0000^24 ^%B \Windows\Temp\vdpk2Y.sav fullThe command locates the lsass.exe process, which holds credentials in memory, extracts its PID, and invokes an internal function of comsvcs.dll to dump LSASS memory and save it. This technique is commonly used in post-exploitation (e.g., Mimikatz or other “living off the land” tools). - Loading a temporary DLL (BDjnNmiX.dll):
C:\Windows\system32\cmd.exe /Q /c cMd.exE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tAsKLISt /fi "Imagename eq lSAss.ex*" | find "lsass""') do rundll32.exe C:\Windows\Temp\BDjnNmiX.dll #+0000^24 ^%B \Windows\Temp\sFp3bL291.tar.log fullThe command tries to dump the LSASS memory again, but this time using a custom DLL. - Running a PowerShell script (Base64-encoded):
The script leverages MiniDumpWriteDump via reflection. It uses the Out-Minidump function that writes a process dump with all process memory to disk, similar to running procdump.exe.
Several minutes later, the attacker attempted lateral movement by writing to the administrative share of another host, but the attempt failed. We didn’t see any evidence of further activity.
Protection and recommendations
Disable/Limit NTLM
As long as NTLM remains enabled, attackers can exploit vulnerabilities in legacy authentication methods. Disabling NTLM, or at the very least limiting its use to specific, critical systems, significantly reduces the attack surface. This change should be paired with strict auditing to identify any systems or applications still dependent on NTLM, helping ensure a secure and seamless transition.
Implement message signing
NTLM works as an authentication layer over application protocols such as SMB, LDAP, and HTTP. Many of these protocols offer the ability to add signing to their communications. One of the most effective ways to mitigate NTLM relay attacks is by enabling SMB and LDAP signing. These security features ensure that all messages between the client and server are digitally signed, preventing attackers from tampering with or relaying authentication traffic. Without signing, NTLM credentials can be intercepted and reused by attackers to gain unauthorized access to network resources.
Enable Extended Protection for Authentication (EPA)
EPA ties NTLM authentication to the underlying TLS or SSL session, ensuring that captured credentials cannot be reused in unauthorized contexts. This added validation can be applied to services such as web servers and LDAP, significantly complicating the execution of NTLM relay attacks.
Monitor and audit NTLM traffic and authentication logs
Regularly reviewing NTLM authentication logs can help identify abnormal patterns, such as unusual source IP addresses or an excessive number of authentication failures, which may indicate potential attacks. Using SIEM tools and network monitoring to track suspicious NTLM traffic enhances early threat detection and enables a faster response.
Conclusions
In 2025, NTLM remains deeply entrenched in Windows environments, continuing to offer cybercriminals opportunities to exploit its long-known weaknesses. While Microsoft has announced plans to phase it out, the protocol’s pervasive presence across legacy systems and enterprise networks keeps it relevant and vulnerable. Threat actors are actively leveraging newly disclosed flaws to refine credential relay attacks, escalate privileges, and move laterally within networks, underscoring that NTLM still represents a major security liability.
The surge of NTLM-focused incidents observed throughout 2025 illustrates the growing risks of depending on outdated authentication mechanisms. To mitigate these threats, organizations must accelerate deprecation efforts, enforce regular patching, and adopt more robust identity protection frameworks. Otherwise, NTLM will remain a convenient and recurring entry point for attackers.
There’s Nothing Backwards About This Laser Cut Retrograde Clock
It’s clock time again on Hackaday, this time with a lovely laser-cut biretrograde clock by [PaulH175] over on Instructables. If you’ve never heard of a ‘biretrograde clock,’ well, we hadn’t either. This is clearly a form of retrograde clock, which unlike the name implies doesn’t spin backwards but oscillates in its motion– the hands ‘go retrograde’ the same way the planets do.
The oscillating movement is achieved via a pair of cams mounted on the hour and minute shafts of a common clock mechanism. As the shafts (and thus cams) turn, the minute and hour arms are raised and drop. While that could itself be enough to tell the time, [Paul] goes one further and has the actual hands on pivots driven by a gear mechanism on the cam-controlled arms. You might think that that extra reversal is what makes this a ‘biretrograde clock’ but in the clockmaker’s world that’s just saying it’s a retrograde clock with two indicators: in this case, minute and second.
It’s a fairly rare way to make a clock, but we’ve seen one before. That older project was 3D printed, which might be more your speed; if you prefer laser-cutting, though, [Paul]’s Instructable includes SVG files. Alternatively, you could take a different approach and use voltmeters to get the same effect.
Cyber Risk in Medio Oriente: tra investimenti record e attacchi sempre più sofisticati
L’attenzione globale verso la sicurezza informatica continua a crescere in un contesto dominato dalla trasformazione digitale e dalla rapida diffusione delle tecnologie basate sull’intelligenza artificiale, fattori che rendono più semplice individuare vulnerabilità e condurre attacchi complessi. In questo scenario, la capacità di un Paese di garantire protezione, coordinamento, formazione e cooperazione internazionale è diventata un indicatore essenziale della stabilità nazionale.
Nel Global Cybersecurity Index 2024, l’Egitto e il Qatar hanno ottenuto un punteggio massimo di 100, entrando tra i 12 Paesi con le performance più elevate a livello mondiale. Il risultato è stato raggiunto grazie alla conformità ai cinque pilastri che compongono l’indice: quadro legislativo, protezione tecnica, struttura organizzativa, programmi di sviluppo delle competenze e collaborazione internazionale.
La piena aderenza a questi criteri colloca entrambi gli Stati tra i modelli di riferimento globali, all’interno del gruppo dei 46 Paesi considerati all’avanguardia in materia di cybersecurity.
Parallelamente, l’Arabia Saudita ha consolidato la propria posizione come leader regionale per investimenti nel settore.
Nel 2024, la spesa saudita per la sicurezza informatica ha raggiunto circa 4,8 miliardi di dollari (pari a 15,2 miliardi di riyal), con un incremento del 14% rispetto all’anno precedente. Secondo i dati dell’Autorità nazionale per la sicurezza informatica, questo andamento riflette un processo continuo di rafforzamento delle infrastrutture digitali e delle misure di difesa del cyberspazio nazionale.
Il report GCI 2024 evidenzia tuttavia una marcata eterogeneità tra i Paesi arabi. Oltre ai Paesi con i punteggi più elevati – tra cui Emirati Arabi Uniti, Oman, Bahrein, Giordania e Marocco, con valori compresi tra 95 e 100 – emergono realtà ancora in fase di consolidamento. Algeria, Libia, Tunisia e Kuwait si collocano in un livello intermedio, con punteggi tra 55 e 85, indicativi di sistemi in evoluzione che richiedono ulteriori investimenti in capacità tecniche e cooperazione internazionale.
Iraq, Libano, Mauritania, Sudan, Siria e Palestina rientrano in una fase iniziale di costruzione dei quadri regolatori, con punteggi compresi tra 20 e 55. Lo Yemen chiude la classifica regionale, con risultati inferiori a 20 punti, riflettendo un ecosistema di sicurezza informatica ancora allo stadio embrionale.
Il quadro è reso più critico dal forte aumento delle minacce nel Medio Oriente. Il phishing rimane una delle tecniche più utilizzate, sostenuto da metodi avanzati di ingegneria sociale. Gli attacchi DDoS hanno registrato un incremento particolarmente rilevante, con un +236% nel secondo trimestre del 2025. In parallelo, sono cresciuti anche gli attacchi contro applicazioni Microsoft Office, il furto di credenziali, lo spyware, le intrusioni contro le API e le attività di ricognizione.
Le operazioni di ransomware e di estorsione rappresentano circa la metà degli attacchi con movente identificabile. Crescono inoltre le offensive che sfruttano l’intelligenza artificiale, in particolare per automatizzare la ricerca di falle nei sistemi e rendere più efficaci le campagne di phishing. Secondo le stime, un singolo incidente informatico nella regione comporta un costo medio di circa 8 milioni di dollari, valore quasi doppio rispetto alla media globale. I settori più colpiti sono comunicazioni, energia, trasporti, sanità e finanza, confermando l’urgenza di investimenti strutturali e politiche coordinate per proteggere attività economiche e servizi essenziali.
L'articolo Cyber Risk in Medio Oriente: tra investimenti record e attacchi sempre più sofisticati proviene da Red Hot Cyber.
Logitech subisce un attacco informatico e una violazione dei dati
I rappresentanti di Logitech hanno notificato alle autorità un attacco informatico e una grave violazione dei dati. Il famigerato gruppo ransomware Clop, che da diversi mesi prende di mira le aziende sfruttando una vulnerabilità in Oracle E-Business Suite, ha rivendicato la responsabilità dell’attacco.
L’azienda ha presentato una notifica ufficiale alla Securities and Exchange Commission degli Stati Uniti, riconoscendo il furto di dati. I rappresentanti di Logitech riferiscono che l’incidente non ha avuto ripercussioni sulla produzione o sui prodotti dell’azienda, né sui suoi processi aziendali. Subito dopo aver scoperto la violazione, l’azienda ha incaricato esperti di sicurezza informatica terzi di fornire assistenza nelle indagini.
Logitech sostiene che i dati compromessi includono informazioni limitate su dipendenti e utenti, nonché dettagli su clienti e fornitori. Tuttavia, l’azienda sostiene che gli hacker non hanno avuto accesso a carte d’identità, dati di carte bancarie o altre informazioni sensibili, poiché queste informazioni non erano archiviate nei sistemi compromessi.
La scorsa settimana, il gruppo di hacker Clop ha aggiunto Logitech al suo sito di dump di dati, pubblicando quasi 1,8 TB di informazioni presumibilmente rubate all’azienda. Secondo Logitech, l’attacco è stato causato da una vulnerabilità zero-day scoperta in un fornitore terzo e corretta subito dopo il suo rilascio.
Gli operatori di Clop hanno sfruttato attivamente questa vulnerabilità già a luglio 2025 per lanciare attacchi di massa ai clienti aziendali Oracle. A ottobre, gli specialisti di Mandiant e Google hanno rilevato una campagna ransomware su larga scala: decine di aziende hanno ricevuto messaggi ransomware dagli operatori di Clop. Gli aggressori minacciavano di divulgare i dati rubati da Oracle E-Business Suite se le vittime non avessero pagato il riscatto. Gli sviluppatori di Oracle hanno quindi confermato la vulnerabilità e rilasciato una patch di emergenza.
Le dichiarazioni di Logitech suggeriscono che l’azienda ha installato l’aggiornamento di emergenza subito dopo il suo rilascio, ma era troppo tardi e i dati erano già stati rubati.
L'articolo Logitech subisce un attacco informatico e una violazione dei dati proviene da Red Hot Cyber.
A Bird Watching Assistant
When AI is being touted as the latest tool to replace writers, filmmakers, and other creative talent it can be a bit depressing staring down the barrel of a future dystopia — especially since most LLMs just parrot their training data and aren’t actually creative. But AI can have some legitimate strengths when it’s taken under wing as an assistant rather than an outright replacement.
For example [Aarav] is happy as a lark when birdwatching, but the birds aren’t always around and it can sometimes be a bit of a wild goose chase waiting hours for them to show up. To help him with that he built this machine learning tool to help alert him to the presence of birds.
The small device is based on a Raspberry Pi 5 with an AI hat nested on top, and uses a wide-angle camera to keep an eagle-eyed lookout of a space like a garden or forest. It runs a few scripts in Python leveraging the OpenCV library, which is a widely available machine learning tool that allows users to easily interact with image recognition. When perched to view an outdoor area, it sends out an email notification to the user’s phone when it detects bird activity so that they can join the action swiftly if they happen to be doing other things at the time. The system also logs hourly bird-counts and creates a daily graph, helping users identify peak bird-watching times.
Right now the system can only detect the presence of birds in general, but he hopes to build future versions that can identify birds with more specificity, perhaps down to the species. Identifying birds by vision is certainly one viable way of going about this process, but one of our other favorite bird-watching tools was demonstrated by [Benn Jordan] which uses similar hardware but listens for bird calls rather than looking for the birds with a vision-based system.
youtube.com/embed/KmH63ENa5fA?…
Boosting Antihydrogen Production using Beryllium Ions
Antihydrogen forms an ideal study subject for deciphering the secrets of fundamental physics due to it being the most simple anti-matter atom. However, keeping it from casually annihilating itself along with some matter hasn’t gotten much easier since it was first produced in 1995. Recently ALPHA researchers at CERN’s Antimatter Factory announced that they managed to produce and trap no fewer than 15,000 antihydrogen atoms in less than seven hours using a new beryllium-enhanced trap. This is an eight-fold increase compared to previous methods.
To produce an antihydrogen atom from a positron and an antiproton, the components and resulting atoms can not simply be trapped in an electromagnetic field, but requires that they are cooled to the point where they’re effectively stationary. This also makes adding more than one of such atom to a trap into a tedious process since the first successful capture in 2017.
In the open access paper in Nature Communications by [R. Akbari] et al. the process is described, starting with the merging of anti-protons from the CERN Antiproton Decelerator with positrons sourced from the radioactive decay of sodium-22 (β+ decay). The typical Penning-Malmberg trap is used, but laser-cooled beryllium ions (Be+) are added to provide sympathetic cooling during the synthesis step.
Together with an increased availability of positrons, the eight-fold increase in antihydrogen production was thus achieved. The researchers speculate that the sympathetic cooling is more efficient at keeping a constant temperature than alternative cooling methods, which allows for the increased rate of production.
DIY Test Gear from 1981
We can’t get enough of [Bettina Neumryn’s] videos. If you haven’t seen her, she takes old electronics magazines, finds interesting projects, and builds them. If you remember these old projects, it is nostalgic, and if you don’t remember them, you can learn a lot about basic electronics and construction techniques. This installment (see below) is an Elektor digital voltmeter and frequency counter from late 1981.
As was common in those days, you could find the PCB layouts in the magazine. In this case, there were two boards. The schematic shows that a counter and display driver chip — a 74C928 — does most of the heavy lifting for the display and the counter.
It is easy to understand how the frequency counter works. You clip the input with a pair of diodes, amplify it a bit, square it with a Schmitt trigger, and then, possibly, prescale it using a divider. The voltmeter is a little trickier: it uses a voltage divider, an op amp, and a 555 to convert the voltage to a frequency.
Of course, finding the parts for an old project can be a challenge. A well-stocked junk drawer doesn’t hurt. A PCB etching setup helps, too.
We’ve looked at her magazine rebuilds before. If you ever get the urge to tackle a project like this, you can find all the grand old magazines online.
youtube.com/embed/glEPG5nC8J0?…
La compravendita degli accessi ai firewall FortiGate italiani nel Dark Web
Negli ultimi giorni, su un forum underground noto per ospitare attività illegali, è apparso un annuncio che merita molta attenzione.
Un utente appena registrato, con il nickname “Sarcoma”, ha pubblicato un messaggio in cui si dice disposto ad acquistare accessi ai pannelli di amministrazione dei firewall FortiGate.
L’annuncio è piuttosto esplicito: offre un compenso a partire da 20 dollari ad accesso e specifica che gli interessano accessi provenienti da Stati Uniti, Canada, Italia e Germania. Per rendere il tutto più credibile ha allegato anche uno screenshot che richiama l’interfaccia di gestione dei sistemi Fortinet.
La Compravendita sul DarkWeb
Il valore di un pannello amministrativo FortiGate nelle mani sbagliate è enorme. Chi riesce ad entrarci può alterare completamente il comportamento del firewall: aprire porte, creare backdoor, disattivare i log e preparare il terreno per intrusioni più profonde. Non è un caso che questi accessi siano molto ricercati nel cybercrime.
Questi forum non sono semplici bacheche: sono veri e propri mercati neri in cui si incontrano due figure chiave. Da una parte ci sono gli Initial Access Broker (IaB), professionisti del crimine informatico che si specializzano nell’individuare vulnerabilità, configurazioni sbagliate o credenziali esposte. Il loro compito è ottenere un primo punto di ingresso nelle reti aziendali. Dall’altra parte ci sono gruppi criminali più strutturati, spesso legati ad attività di ransomware o furto di dati, che acquistano questi accessi pronti all’uso per muoversi più velocemente e ridurre i costi delle intrusioni. È un ecosistema perfettamente organizzato, in cui ognuno trae profitto da una parte specifica della “filiera”.
Cosa occorre fare
La presenza di un annuncio rivolto anche alla geografia italiana è un segnale chiaro: le aziende del nostro Paese restano un bersaglio appetibile, soprattutto quando i loro firewall non vengono aggiornati o vengono lasciati esposti su Internet senza le dovute precauzioni. Per difendersi è fondamentale applicare con regolarità tutte le patch di sicurezza rilasciate da Fortinet, molte delle quali riguardano vulnerabilità critiche che in passato sono state sfruttate proprio per ottenere accesso non autorizzato ai sistemi.
Un altro aspetto troppo spesso sottovalutato riguarda la visibilità dei servizi di amministrazione. I pannelli di gestione e gli strumenti utilizzati per configurare i firewall non dovrebbero essere mai raggiungibili direttamente dalla rete pubblica.
È necessario isolarli, limitarne drasticamente l’accesso e renderli disponibili solo attraverso reti interne, VPN sicure e metodi di autenticazione più robusti. Lasciarli esposti equivale a offrire un bersaglio perfetto, pronto per essere scambiato nei forum underground proprio come l’annuncio che ha dato il via a questa riflessione.
In un contesto in cui gli accessi si comprano e vendono come una qualsiasi merce digitale, la sicurezza delle reti aziendali non può più permettersi leggerezze. Ogni sistema esposto è una potenziale porta d’ingresso, e qualcuno là fuori è pronto a pagarla – anche pochi dollari – pur di aprirla.
Questo articolo si basa su informazioni, integralmente o parzialmente tratte dalla piattaforma di intelligence di Recorded Future, partner strategico di Red Hot Cyber e punto di riferimento globale nell’intelligence sulle minacce informatiche. La piattaforma fornisce analisi avanzate utili a individuare e contrastare attività malevole nel cyberspazio.
L'articolo La compravendita degli accessi ai firewall FortiGate italiani nel Dark Web proviene da Red Hot Cyber.
Build A High Voltage Supply For Vacuum Tube Work
If you work on simple digital projects, just about any bench supply will offer the voltage and current you’re looking for. However, if you’re working with valves, you’ll often find yourself needing much higher voltages that can be tricky to source. [Chappy Happy] has shared a design for a simple HV power supply that should prove useful to vacuum tube enthusiasts.
The build is fairly basic in nature, lacing together some commonly available parts to generate the necessary voltages for working with common vacuum tubes from a 12 volt DC input. Inside the supply is a UC3843A DC boost converter, set up to output high voltage up to around 300 volts DC, with a ripple filter added for good measure. The output can be adjusted with a knob, with a voltmeter on the front panel. There’s also a 12-volt output, and a LM2596 step down converter to produce 6.3 volts for the filament supply. The whole project is built in an old Heathkit project box, and he demonstrates the supply with a simple single-tube amplifier.
If you find yourself regularly whipping up tube circuits, you might like to have something like this on your workbench. Or, you might even consider cooking up your own tubes from scratch if you’re more adventurous like that. Video after the break.
youtube.com/embed/WDhYEJN2J-A?…
[Thanks to Stephen Walters for the tip!]
The Zen Must Flow From Arrakis Sand Table
In Dune, the Fremen people of Arrakis practice an odd future hybrid religion called “zensunni.” This adds an extra layer of meaning to the title of [Mark Rehorst]’s Arrakis 3.0 sand table, given that the inspiration for the robotic sand table seems to be Zen gardens from Japan.
The dunes on the tabletop version of Arrakis owe nothing to sand worms, but are instead created a rolling metal ball. With all workings happening below, it looks quite magical to the uninitiated, but of course it’s not magic: it’s magnets. Just beneath the tabletop and its sands, the steel ball is being dragged along by the magnetic field of a powerful neodynium magnet.
This build was designed for ease of construction and movement: sized at 2’x4′ (about 61 cm x 122 cm), it fits through doors and fits an off-the-shelf slab of coffee table glass, something that [Mark] wishes he’d considered when building version two. That’s the nice thing about jumping in on a project someone’s been iterating for a while: you’ve got the benefit of learning from their mistakes. You can see the roots of this design, and what has changed, from the one he showed us in 2020.
Naturally you’re not limited to CoreXY for a sand table, though it is increasingly popular — we’ve seen examples with polar mechanisms and even a SCARA arm.
youtube.com/embed/reeg5gIOmBw?…
Citizen Science by the Skin of Your Teeth
If you are a schoolkid of the right age, you can’t wait to lose a baby tooth. In many cultures, there is a ritual surrounding it, like the tooth fairy, a mouse who trades your tooth for a gift, or burying the tooth somewhere significant. But in 1958, a husband and wife team of physicians wanted children’s teeth for a far different purpose: quantifying the effects of nuclear weapons testing on the human body.
Louise and Eric Reiss, along with some other scientists, worked with Saint Louis University and the Washington School of Dental Medicine to collect and study children’s discarded teeth. They were looking for strontium-90, a nasty byproduct of above-ground nuclear testing. Strontium is similar enough to calcium that consuming it in water and dairy products will leave the material in your bones, including your teeth.
The study took place in the St. Louis area, and the results helped convince John F. Kennedy to sign the Partial Nuclear Test Ban Treaty.
They hoped to gather 50,000 teeth in a year. By 1970, 12 years later, they had picked up over 320,000 donated teeth. While a few kids might have been driven by scientific altruism, it didn’t hurt that the program used colorful posters and promised each child a button to mark their participation.
Children’s teeth were particularly advantageous to use because they are growing and are known to readily absorb radioactive material, which can cause bone tumors.
Scale
You might wonder just how much nuclear material is floating around due to bombs. Obviously, there were two bombs set off during the war, as well as the test bombs required to get to that point. Between 1945 and 1980, there were five countries conducting atmospheric tests at thirteen sites. The US, accounting for about 65% of the tests, the USSR, the UK, France, and China detonated 504 nuclear devices equivalent to about 440 megatons of TNT.
Well over 500 bombs with incredible force have put a lot of radioactive material into the atmosphere. That doesn’t count, too, the underground tests that were not always completely contained. For example, there were two detonations in Mississippi where the radiation was contained until they drilled holes for instruments, leaving contaminated soil on the surface. Today, sites like this have “monuments” explaining that you shouldn’t dig in the area.
Of course, above-ground tests are worse, with fallout affecting “downwinders” or people who live downwind of the test site. There have been more than one case of people, unaware of the test, thinking the fallout particles were “hot snow” and playing in it. Test explosions have sent radioactive material into the stratosphere. This isn’t just a problem for people living near the test sites.
Results
By 1961, the team published results showing that strontium-90 levels in the teeth increased depending on when the child was born. Children born in 1963 had levels of strontium-90 fifty times higher than those born in 1950, when there was very little nuclear testing.
The results were part of the reason that President Kennedy agreed to an international partial test ban, as you can see in the Lincoln Presidential Foundation video below. You may find it amazing that people would plan trips to watch tests, and they were even televised.
youtube.com/embed/1qptcKCzUU0?…
In 2001, Washington University found 85,000 of the teeth stored away. This allowed the Radiation and Public Health Project to track 3,000 children who were, by now, adults, of course.
Sadly, 12 children who had died from cancer before age 50 had baby teeth with twice the levels of the teeth of people who were still alive at age 50. To be fair, the Nuclear Regulatory Commission has questioned these findings, saying the study is flawed and fails to account for other risk factors.
And teeth don’t just store strontium. In the 1970s, other researchers used baby teeth to track lead ingestion levels. Baby teeth have also played a role in the Flint Water scandal. In South Africa, the Tooth Fairy Project monitored heavy metal pollution in children’s teeth, too.
Teeth aren’t the only indicator of nuclear contamination. Steel is also at risk.
Featured image: “Castle Bravo Blast” by United States Department of Energy.
Windows 10 è morto? Ecco l’alternativa Linux che sta esplodendo online!
Il periodo di transizione successivo alla fine del supporto per Windows 10 è diventato particolarmente evidente, alla luce del crescente interesse per sistemi operativi alternativi.
Mentre gli utenti continuano a cercare alternative ai loro ambienti familiari, una delle distribuzioni Linux più incentrate su Windows ha inaspettatamente ricevuto notevole attenzione. Gli sviluppatori di Zorin OS hanno riferito che la nuova versione del loro sistema ha registrato una domanda straordinaria in poche settimane.
Il team di Zorin OS ha annunciato che Zorin OS 18 ha superato il milione di download in circa un mese. Secondo la telemetria, oltre tre quarti degli installer sono stati scaricati da dispositivi Windows.
Questa cifra non garantisce un’adozione realmente diffusa, ma riflette il crescente interesse per le alternative in un momento in cui l’aggiornamento a Windows 11 sta suscitando preoccupazione in molti. Secondo i creatori del sistema, la nuova versione è progettata per essere il più intuitiva possibile per coloro che non sono pronti a cambiare completamente il proprio modo di lavorare.
Zorin OS 18 presenta un’interfaccia riprogettata, che combina elementi di Windows 11 con accenti visivi di macOS, oltre ad animazioni e gestione delle finestre aggiornate. Il sistema ora offre un layout delle finestre avanzato che funziona senza moduli aggiuntivi e consente una gestione flessibile dell’area di lavoro. Gli sviluppatori sottolineano la loro attenzione nel rendere l’ambiente più veloce e reattivo, pur mantenendo un’esperienza utente familiare.
Oltre alle modifiche esterne, la distribuzione ha ampliato il supporto per le applicazioni web. Gli utenti possono installare servizi come Office 365, Teams, Google Docs o la versione web di Photoshop come programmi autonomi con le proprie icone. Le funzionalità cloud più diffuse, tra cui OneDrive, sono integrate direttamente nel file system, semplificando la transizione da Windows.
Anche la compatibilità con le applicazioni Windows classiche è stata migliorata: Wine rimane la base, ma le impostazioni sono state ottimizzate per consentire l’esecuzione di più programmi senza necessità di configurazione manuale. Con l’ascesa del gaming su Linux, grazie all’impegno di Valve, questo approccio è diventato più attuale che mai.
L’aggiornamento aggiunge anche funzionalità essenziali per il lavoro quotidiano. Il file manager ora offre una ricerca rapida in tutte le directory, risparmiando tempo durante la navigazione. Il supporto per le connessioni remote tramite RDP è integrato nel sistema ed è rivolto agli utenti che necessitano di connettersi a computer Windows. Il sottosistema audio è ora basato su PipeWire, migliorando la qualità e riducendo la latenza durante l’utilizzo dell’audio Bluetooth. Poiché questa build è stata designata come versione a lungo termine, riceverà aggiornamenti fino al 2029.
L’aumento di interesse per Zorin OS è evidente nel contesto della fine del supporto di Windows 10. I severi requisiti hardware di Windows 11, i servizi in background, i continui dibattiti sulla privacy e le controverse funzionalità basate sull’intelligenza artificiale hanno portato a un notevole affaticamento degli utenti. In questo contesto, il download di centinaia di migliaia di copie di Zorin OS dimostra un desiderio significativamente più forte di esplorare alternative.
Linux non è ancora leader nei sistemi operativi desktop, ma la tendenza generale sta cambiando. Lo sviluppo della piattaforma SteamO , il rafforzamento del segmento gaming e le distribuzioni rivolte ai principianti stanno incoraggiando sempre più utenti a sperimentare.
Mentre Microsoft conta su una transizione graduale per tutti i rimanenti utenti di Windows 10 a Windows 11, le statistiche di Zorin OS suggeriscono uno scenario diverso: un graduale passaggio di alcuni utenti ad altri.
L'articolo Windows 10 è morto? Ecco l’alternativa Linux che sta esplodendo online! proviene da Red Hot Cyber.
Heater is Either a Miracle or a Scam
[Big Clive] picked up a tiny heater for less than £8 from the usual sources. Would you be shocked to learn that its heating capacity wasn’t as advertised? No, we weren’t either. But [Clive] treats us to his usual fun teardown and analysis in the video below.
A simple test shows that the heater drew about 800 W for a moment and drops as it heats until it stabilizes at about 300 W. Despite that, these units are often touted as 800 W heaters with claims of heating up an entire house in minutes. Inside are a fan, a ceramic heater, and two PCBs.
The ceramic heaters are dwarfed by metal fins used as a heat exchanger. The display uses a clever series of touch sensors to save money on switches. The other board is what actually does the work.
[Clive] was, overall, impressed with the PCB. A triac runs the heaters and the fan. It also includes a thermistor for reading the temperature.
You can learn more about the power supply and how the heater measures up in the video. Suffice it to say, that a cheap heater acts like a cheap heater, although as cheap heaters go, this one is built well enough.
youtube.com/embed/QiDUKYc0B2Y?…
So Long Firefox, Hello Vivaldi
It’s been twenty-three years since the day Phoenix was released, the web browser that eventually became Firefox. I downloaded it on the first day and installed it on my trusty HP Omnibook 800 laptop, and until this year I’ve used it ever since. Yet after all this time, I’m ready to abandon it for another browser. In the previous article in this series I went into my concerns over the direction being taken by Mozilla with respect to their inclusion of AI features and my worries about privacy in Firefox, and I explained why a plurality of browser engines is important for the Web. Now it’s time to follow me on my search for a replacement, and you may be surprised by one aspect of my eventual choice.
Where Do I Go From Here?
Happily for my own purposes, there are a range of Firefox alternatives which fulfill my browser needs without AI cruft and while allowing me to be a little more at peace with my data security and privacy. There’s Chromium of course even if it’s still way too close to Google for my liking, and there are a host of open-source WebKit and Blink based browsers too numerous to name here.
In the Gecko world that should be an easier jump for a Firefox escapee there are also several choices, for example LibreWolf, and Waterfox. In terms of other browser engines there’s the extremely promising but still early in development Ladybird, and the more mature Servo, which though it is available as a no-frills browser, bills itself as an embedded browser engine. I have not considered some other projects that are either lightweight browser engines, or ones not under significant active development.
Over this summer and autumn then I have tried a huge number of different browsers. Every month or so I build the latest Ladybird and Servo; while I am hugely pleased to see progress they’re both still too buggy for my purposes. Servo is lightning-fast but sometimes likes to get stuck in mobile view, while Ladybird is really showing what it’s going to be but remains for now slow-as-treacle. These are ones to watch, and support.
I gave LibreWolf and Waterfox the most attention over the summer, both of which after the experience I’d describe as like Firefox but with mildly annoying bugs. The inability to video conference reliably is a show-stopper in my line of work, and since my eyesight is no longer what it once was I like my browsers to remember when I have zoomed in on a tab. Meanwhile Waterfox on Android is a great mobile browser, right up until it needs to open a link in another app, and fails. I’m used to the quirks of open-source software after 30+ years experimenting with Linux, but when it comes to productivity I can’t let my software disrupt the flow of Hackaday articles.
The Unexpected Choice
It might surprise you after all this open-source enthusiasm then, to see the browser I’ve ended up comfortable with. Vivaldi may be driven by the open-source Blink engine from Chromium and Chrome, but its proprietary front end doesn’t have an open-source licence.
It’s freeware, or free-as-in-beer, and I think the only such software I use. Why, I hear you ask? It’s an effort to produce a browser like Opera used to be in the old days, it’s European which is a significant consideration when it comes to data protection law, and it has (so far) maintained a commitment to privacy while not being evil in the Google motto sense.
It’s quick, I like its interface once the garish coloured default theme has been turned off, and above all, it Just Works. I have my browser back, and I can get on with writing. Should they turn evil I can dump them without a second thought, and hope by then Ladybird has matured enough to suit my needs.
It may not be a trend many of us particularly like, but here in 2025 there’s a sense that the browser has reduced our computers almost to the status of a terminal. It’s thus perhaps the most important piece of software on the device, and in that light I hope you can understand some of the concerns levelled in this series. If you’re reading this from Firefox HQ I’d implore you to follow my advice and go back to what made Firefox so great back in the day, but for the rest of you I’d like to canvass your views on my choice of a worthy replacement. As always, the comments are waiting.
Simple Tricks To Make Your Python Code Faster
Python has become one of the most popular programming languages out there, particularly for beginners and those new to the hacker/maker world. Unfortunately, while it’s easy to get something up and running in Python, it’s performance compared to other languages is generally lacking. Often, when starting out, we’re just happy to have our code run successfully. Eventually, though, performance always becomes a priority. When that happens for you, you might like to check out the nifty tips from [Evgenia Verbina] on how to make your Python code faster.
Many of the tricks are simple common sense. For example, it’s useful to avoid creating duplicates of large objects in memory, so altering an object instead of copying it can save a lot of processing time. Another easy win is using the Python math module instead of using the exponent (**) operator since math calls some C code that runs super fast. Others may be unfamiliar to new coders—like the benefits of using sets instead of lists for faster lookups, particularly when it comes to working with larger datasets. These sorts of efficiency gains might be merely useful, or they might be a critical part of making sure your project is actually practical and fit for purpose.
It’s worth looking over the whole list, even if you’re an intermediate coder. You might find some easy wins that drastically improve your code for minimal effort. We’ve explored similar tricks for speeding up code on embedded platforms like Arduino, too. If you’ve got your own nifty Python speed hacks, don’t hesitate to notify the tipsline!
Basta un Win+R e sei Hackerato! La Nuova campagna ClickFix con falsi aggiornamenti Windows
I falsi aggiornamenti di Windows sono entrati in un nuovo ciclo di campagne ClickFix ,come riportato da Huntress. Gli aggressori stanno sostituendo sempre più spesso i controlli bot con finestre blu a schermo intero che simulano un aggiornamento di sistema.
Microsoft sottolinea che ClickFix è diventato il metodo di penetrazione iniziale più comune e che molti gruppi con diversi livelli di competenza sono passati a questo metodo.
Gli attacchi iniziano con la visita a un sito web dannoso che imposta il browser in modalità a schermo intero e visualizza una pagina che assomiglia superficialmente all’interfaccia di Windows Update.
Alla vittima viene chiesto di eseguire manualmente l’aggiornamento critico, seguendo un tipico scenario di ClickFix: aprire la finestra di dialogo Esegui con Win+R, incollare il comando preparato ed eseguirlo. A questo punto, l’utente avvia di fatto la catena dannosa autonomamente.
La riga di comando richiama mshta.exe con un URL, in cui il secondo ottetto dell’indirizzo IP è sempre codificato in formato esadecimale. PowerShell scarica quindi un frammento di codice .NET che, dopo la decrittazione, viene caricato direttamente in memoria e passa il controllo al componente successivo. Si tratta di un modulo .NET responsabile della distribuzione occulta di malware tramite steganografia . Estrae la shell Donut crittografata dai dati pixel dei file PNG, utilizzando singoli canali di colore per ricostruire il payload. Questo approccio aiuta a eludere i meccanismi di protezione basati sulle firme.
Secondo Huntress, dal 29 settembre al 30 ottobre 2025, il team ha analizzato 76 incidenti che hanno interessato organizzazioni nelle regioni USA, EMEA e APJ. Uno degli episodi ha coinvolto il traffico verso 141.98.80[.]175. In tutti i casi, la catena utilizzava un URL con un secondo ottetto esadecimale che conduceva a un downloader steganografico. I ricercatori hanno trovato commenti in lingua russa nel codice sorgente delle pagine che falsificavano l’aggiornamento, ma non sono stati in grado di stabilire la paternità della campagna.
Nonostante le operazioni di Operation Endgame abbiano preso di mira l’infrastruttura di Rhadamanthys il 13 novembre, i siti web che ospitavano falsi aggiornamenti hanno continuato a funzionare almeno fino al 19 novembre.
Tutte le esche rilevate facevano riferimento alla stessa struttura URL con codifica esadecimale precedentemente associata alla distribuzione di Rhadamanthys, sebbene il malware stesso non fosse più ospitato su questi siti. Tuttavia, i ricercatori avvertono che l’infrastruttura potrebbe cambiare rapidamente.
Entrambi i tipi di esche, camuffati da aggiornamenti di Windows, hanno infine scaricato Rhadamanthys, che ruba le credenziali utente, sui dispositivi.
Per ridurre il rischio di tali attacchi, si consiglia di bloccare la finestra di dialogo Esegui, informare i dipendenti sulla natura degli script ClickFix e ricordare loro che nessun aggiornamento legittimo richiede l’inserimento manuale di comandi. Le soluzioni di sicurezza di livello EDR possono aiutare a monitorare i casi in cui explorer.exe avvia mshta.exe, powershell.exe o altri file eseguibili con argomenti insoliti.
Gli IoC successivi sono tratti dalla piattaforma di intelligence di Recorded Future, partner strategico di Red Hot Cyber e punto di riferimento globale nell’intelligence sulle minacce informatiche. La piattaforma fornisce analisi avanzate utili a individuare e contrastare attività malevole nel cyberspazio.
08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2,
9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae,
34d025ef57eb3f484301744e2b2488ae0ac76f2e226585e65bb45edbbb6b7f69,
471c981c11df004b941dad0175bc435f9c901bcb968ba9582f1a2181443d9ef4,
03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306,
81b179b050a13d5664e0d88143154bd3fc127f9ac3e7a6c16444caac1d3ab13c,
aba1e62ee9a460f5b7b67198dc22612b275a1e871d56c60324190ad69323ddf0
L'articolo Basta un Win+R e sei Hackerato! La Nuova campagna ClickFix con falsi aggiornamenti Windows proviene da Red Hot Cyber.
IISFA FORUM- Cybercrime, Artificial Intelligence & Digital Forensics
Unusual Circuits in the Intel 386’s Standard Cell Logic
Intel’s 386 CPU is notable for being its first x86 CPU to use so-called standard cell logic, which swapped the taping out of individual transistors with wiring up standardized functional blocks. This way you only have to define specific gate types, latches and so on, after which a description of these blocks can be parsed and assembled by a computer into elements of a functioning application-specific integrated circuit (ASIC). This is standard procedure today with register-transfer level (RTL) descriptions being placed and routed for either an FPGA or ASIC target.
That said, [Ken Shirriff] found a few surprises in the 386’s die, some of which threw him for a loop. An intrinsic part of standard cells is that they’re arranged in rows and columns, with data channels between them where signal paths can be routed. The surprise here was finding a stray PMOS transistor right in the midst of one such data channel, which [Ken] speculates is a bug fix for one of the multiplexers. Back then regenerating the layout would have been rather expensive, so a manual fix like this would have made perfect sense. Consider it a bodge wire for ASICs.
Another oddity was an inverter that wasn’t an inverter, which turned out to be just two separate NMOS and PMOS transistors that looked to be wired up as an inverter, but seemed to actually there as part of a multiplexer. As it turns out, it’s hard to determine sometimes whether transistors are connected in these die teardowns, or whether there’s a gap between them, or just an artifact of the light or the etching process.