
China's Great Firewall Blocks Internet Traffic for 74 Minutes


Researchers on the Great Firewall Report team noticed that on the night of 20 August China's Great Firewall either suffered a technical problem or was undergoing some kind of test. All traffic on TCP port 443 was blocked for 74 minutes, cutting China off from almost the entire global Internet.

“From approximately 00:34 to 01:48 (Beijing time, UTC+8) on 20 August 2025, the Great Firewall of China exhibited anomalous behaviour, unconditionally injecting forged TCP RST+ACK packets to terminate all connections on TCP port 443 (both to and from China),” the researchers wrote.

This prevented Chinese users from reaching most websites hosted abroad. The incident also knocked out services that rely on port 443, the standard port for HTTPS connections. Apple and Tesla, for example, use this port to connect to the foreign servers that provide some of their core services.

At the same time, analysts note that the fingerprint of the device that implemented this block did not match any known node or component of the Great Firewall of China.

The researchers believe the incident was caused either by a new device attached to the Great Firewall or by an existing device “operating in a new or misconfigured state”.

The leading theories among experts are therefore that China may have been testing its ability to block connections on port 443, or that someone simply made a mistake that was quickly corrected. Investigating what happened is difficult, however, because the incident was so brief.
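One way a defender can spot the on-path RST+ACK injection described above is to compare the TTL of a reset with the TTL already seen from the same sender in that flow: a middlebox sits far fewer hops away than the real server. The following is an added example, not code from the Great Firewall Report; the packet records are constructed by hand (a real check would read them from a pcap).

```python
"""Added example, not code from the Great Firewall Report: a TTL-based check
for injected TCP resets of the kind described above, run over constructed
packet records. A real deployment would feed it decoded pcap packets."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport flags ttl")

# Constructed flow: client 192.0.2.10 <-> server 203.0.113.5:443.
# Genuine server replies arrive with TTL 52; the injected RST+ACK comes from a
# middlebox much closer to the client (TTL 61) and fires right after the
# ClientHello, before the real server could have answered.
SAMPLE_PACKETS = [
    Pkt(0.000, "192.0.2.10", 51000, "203.0.113.5", 443, "S", 64),
    Pkt(0.090, "203.0.113.5", 443, "192.0.2.10", 51000, "SA", 52),
    Pkt(0.091, "192.0.2.10", 51000, "203.0.113.5", 443, "A", 64),
    Pkt(0.092, "192.0.2.10", 51000, "203.0.113.5", 443, "PA", 64),  # ClientHello
    Pkt(0.101, "203.0.113.5", 443, "192.0.2.10", 51000, "RA", 61),  # injected
    Pkt(0.180, "203.0.113.5", 443, "192.0.2.10", 51000, "RA", 52),  # real server, later
    # Control flow to another host that closes normally.
    Pkt(1.000, "192.0.2.10", 51001, "198.51.100.7", 443, "S", 64),
    Pkt(1.050, "198.51.100.7", 443, "192.0.2.10", 51001, "SA", 57),
    Pkt(1.300, "198.51.100.7", 443, "192.0.2.10", 51001, "FA", 57),
]

TTL_TOLERANCE = 2  # a genuine host's TTL drifts by at most a hop or two


def flow_key(p):
    """Direction-agnostic 4-tuple so both halves of a connection match."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def find_injected_resets(packets, port=443):
    """Return (packet, learned_ttl) for RST segments whose TTL does not match
    the TTL already learned for that sender within the same flow."""
    learned = {}   # (flow, sender ip) -> TTL seen on the sender's first non-RST packet
    suspects = []
    for p in sorted(packets, key=lambda x: x.ts):
        if port not in (p.sport, p.dport):
            continue
        key = (flow_key(p), p.src)
        if "R" in p.flags:
            base = learned.get(key)
            if base is not None and abs(base - p.ttl) > TTL_TOLERANCE:
                suspects.append((p, base))
        else:
            learned.setdefault(key, p.ttl)
    return suspects


if __name__ == "__main__":
    for pkt, base in find_injected_resets(SAMPLE_PACKETS):
        print("suspect reset at t=%.3f from %s: ttl %d, flow baseline %d"
              % (pkt.ts, pkt.src, pkt.ttl, base))
```

The heuristic only flags resets whose sender was already seen in the flow, so a reset arriving before any genuine packet from that side is not judged; the Great Firewall Report's own fingerprinting also looks at IP ID and timing.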

The article China's Great Firewall Blocks Internet Traffic for 74 Minutes comes from il blog della sicurezza informatica.


A Criminal Hacker Sells Access to Roche's Servers on Underground Forums


A recent post on an underground forum has caught the attention of cybersecurity experts. A user claimed to have sold administrative access to Roche, the pharmaceutical giant with more than 100,000 employees and revenue of about 69.7 billion dollars.

The message, accompanied by the company's logo and links to public information sites, was presented as a kind of “trophy” shared within the criminal community. The intent was probably to gain credibility with other users and to attract potential buyers interested in high-value access.

Disclaimer: This report includes screenshots and/or text taken from publicly accessible sources. The information provided is solely for threat-intelligence purposes and to raise awareness of cybersecurity risks. Red Hot Cyber condemns any unauthorised access, improper dissemination or unlawful use of such data. At present the authenticity of the information reported cannot be independently verified, as the organisation involved has not yet issued an official statement on its website. Consequently, this article should be considered for informational and intelligence purposes only.

Underground forums have for years been a hub of the digital black market. In these spaces, hidden on the dark web and protected by anonymity systems, stolen credentials, malware, phishing services and access to corporate networks change hands.

The publication of a listing like the one linked to Roche fits a well-known pattern: flaunting a “conquest” to strengthen one's personal reputation.

It is likely, however, that not all of these listings correspond to an actual intrusion. In the world of underground forums the line between reality and propaganda is often blurred. Sometimes criminals post partial or even false information to attract buyers. In other cases the same access is sold several times to different parties, creating further risks for the victims and feeding a vicious circle that mixes truth and lies. This makes it extremely difficult to verify the substance of such claims without in-depth investigation.

In recent years several similar platforms have been shut down by coordinated operations of international authorities. RaidForums, BreachForums and Darkode were dismantled, and many users ended up under investigation precisely because of their own posts. Overly showy claims like the one concerning Roche may therefore attract the unwanted attention of investigators and cyber-intelligence analysts, turning into a dangerous own goal for those seeking criminal notoriety.

The underlying fact remains clear, however: the underground-forum phenomenon keeps growing. According to recent estimates, 2024 saw a significant increase in the data shared in these spaces, with billions of compromised credentials put up for sale. In such a scenario, posts like the one that appeared in Roche's name are probably not isolated cases but part of a criminal marketing strategy that feeds on hype, prestige and fear.



Now that Commodore is Back, Could Amiga Be Next?


Now that Commodore has arisen from the depths of obscurity like Cthulhu awoken from R’lyeh, the question on every shoggoth’s squamose lips is this: “Will there be a new Commodore Amiga?” The New Commodore is reportedly interested, but as [The Retro Shack] reports in the video embedded below, it might be some time before the stars align.

He follows the tortured history of the Amiga brand from its origins with Hi-Toro, the Commodore acquisition and subsequent Atari lawsuit, and the post-Commodore afterlife of the Amiga trademark. Yes, Amiga had a life after Commodore, and that’s the tl;dr here: Commodore might be back, but it does not own the Amiga IP.

If you’re wondering who does, you’re not the only one. Cloanto now claims the name and most of Amiga’s IP, though it remains at loggerheads with Hyperion, the distributors of AmigaOS 4. If you haven’t heard of them, Cloanto is not an elder god, but in fact the group behind Amiga Forever. They have been great stewards of the Amiga heritage over the decades. Any “new” Amiga is going to need the people at Cloanto on board, one way or another. That doesn’t mean it’s impossible– the new Commodore might be able to seduce Cloanto into a merger, or even just a licensing agreement to use the name on reproduction or new hardware.

While a replica C=64 was a no-brainer for the revived Commodore brand, it’s not quite so clear what they should do with the Amiga name. An FPGA reproduction of the popular A500 or A1200? Would anyone want newly-made 68000-based machines, or to follow Hyperion and MorphOS to now-outdated generations of PowerPC? All of these have been proposed and argued over for years.

We’d love to see something fully new that captures the spirit of the bouncing ball, but it’s hard to imagine bottling magic like that in the twenty-first century. For now, Amiga lies dreaming– but that is not dead which can eternally lie, and we hold out hope this Great Old One can return when the stars are right.

youtube.com/embed/XwXpjrgllOY?…


hackaday.com/2025/08/21/now-th…


Replicating the World’s Oldest Stringed Instrument


Posts on Hackaday sometimes trend a little bit retro, but rarely do we cover hacks that reach back into the Bronze Age. Still, when musician [Peter Pringle] put out a video detailing how he replicated an ancient Sumerian instrument, we couldn’t wait to dig in.

The instrument in question is the “Golden Lyre of Ur”, and it was buried at the Royal Cemetery of Ur with a passel of other grave goods (including a Silver Lyre) somewhere around 4400 to 4500 years ago. For those not in the know, Ur was an early Sumerian city in the part of Mesopotamia that became modern-day Iraq. A lyre is a type of plucked stringed instrument, similar to a harp.

That anything of the instrument remains after literal millennia buried under the Mesopotamian sand is thanks to the extensive ornamentation on the original lyre– the gut strings and wooden body might have rotted away, but the precious stones and metals adorning the lyre preserved the outline of the instrument until it was excavated in 1922. Reconstruction was also greatly aided by contemporary mosaics and pottery showing similar lyres.

This representation was unearthed in the same dig as the remains of the Golden Lyre and its silver sister.

Of particular interest are the tuning pegs, which required that artistic inspiration to recreate– the original archeological dig did not find any evidence of the tuning mechanism. [Peter] spends some time justifying his reconstruction, using both practical engineering concerns (the need for tension to get good sound) and the pictographic evidence. The wide “buzzing” bridge matches the pictographic evidence as well, and gives the lyre a distinct, almost otherworldly sound to Western ears. [Peter]’s reconstruction sounds good, though we have no way of knowing if it matches what you’d have heard in the royal halls of Ur all those dusty centuries ago. (Skip to 17:38 in the video below if you just want to hear it in action.)

The closest thing to this ancient, man-sized lyre we’ve seen on Hackaday before might be one of the various laser harp projects we’ve featured over the years. If you squint a little, you can see the distant echo of the Golden Lyre of Ur in at least some of them. We also can’t help but note that the buzzing bridge gives the Sumerian lyre a certain droning quality not entirely unlike a hurdy-gurdy, because we apparently can’t have a musical post without mentioning the hurdy-gurdy.

youtube.com/embed/zjTqKPaiip0?…


hackaday.com/2025/08/21/replic…


This Pocket Multitool Weighs less than a Penny


Close up of a DIY minimalist EDC multitool, a penny, and a paperclip

A multitool that weighs less than a penny? Yes, it exists. This video by [ToolTechGeek] shows his titanium flat-cut design tipping the scales at only 1.9 grams—lighter than the 2.5-gram copper penny jingling in your pocket. His reasoning: where most everyday carry (EDC) tools are bulky, overpriced, or simply too much, this hack flips the equation: reduce it to the absolute minimum, yet keep it useful.

You might have seen this before. This second attempt is done by laser-cutting titanium instead of stainless steel. Thinner, tougher, and rust-proof, titanium slashes the weight dramatically, while still keeping edges functional without sharpening. Despite the size, this tool manages to pack in a Phillips and flathead screwdriver, a makeshift saw, a paint-lid opener, a wire bender (yes, tested on a paperclip), and even a 1/4″ wrench doubling as a bit driver. High-torque screwdriving by using the long edges is a clever exploit, and yes—it scrapes wood, snaps zip ties, and even forces a bottle cap open, albeit a bit roughly.

It’s not about replacing your Leatherman; it’s about carrying something instead of nothing. Ultra-minimalist, featherlight, pocket-slip friendly—bet you can’t find a reason not to just have it in your pocket.

youtube.com/embed/dniAyMoiKn4?…


hackaday.com/2025/08/21/this-p…


Using the 74HC595 Shift Register to Drive 7-Segment Displays


Pinout of 74HC595

In a recent video our hacker [Electronic Wizard] introduces the 74HC595 shift register and explains how to use it to drive 7-segment displays.

[Electronic Wizard] explains that understanding how to apply the 74HC595 can increase the quality of your projects and also help keep the demands on the number of pins from your microcontroller to manageable levels. If you’re interested in the gory details you can find a PDF datasheet for the 74HC595 such as this one from Texas Instruments.

[Electronic Wizard] explains further that a shift register is like a small one-byte memory whose data is directly available on its eight output pins, with no address input required. When you pulse the clock pin (CLK), each bit in the eight-bit memory shifts right one place, making room for a new bit on the left. The bits that fall off the right-hand side can daisy chain into another 74HC595, going out on pin 9 and coming in on pin 14.

[Electronic Wizard] goes on to extol the virtues of pin 13, the active-low Output Enable, which can be used to make sure junk doesn’t appear on your 7-segment displays during initialization. The 74HC595 can also source the output current itself, which lessens the power demands on your micro.

[Electronic Wizard] covers how to use multiplexing to drive multiple 7-segment displays, but notes the drawbacks of this method, including large pin counts and high-frequency flashing which, while invisible to the human eye, can become visible on some cameras and recording equipment, making the 74HC595 a superior solution to multiplexing.

The bottom line is that using only three pins from the microcontroller you can drive one or more 7-segment displays. To learn more, including how to use the other pins and features of the 74HC595, be sure to click through to watch the video. If you’re interested in the 74HC595 you might like to read about how the Bus Pirate 5 used two of them to get an extra 16 pins on the board.
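To make the shift, latch and output-enable behaviour concrete, here is a small software model of the 74HC595 that steps through the three-pin sequence described above, with two chips daisy-chained QH' to SER to drive a two-digit display. This is an added example, not code from the video; the pin numbers follow the datasheet, the segment wiring (QA..QG to a..g, QH to the decimal point, common cathode) is an assumption.

```python
"""Added example, not code from the video: a software model of the 74HC595
(shift register, storage register, active-low OE) plus a chain of two driving
two 7-segment digits. Wiring QA..QG -> a..g, QH -> dp, common cathode, is assumed."""

# Common-cathode patterns for digits 0-9: bit 0 = segment a ... bit 6 = g, bit 7 = dp.
SEGMENTS = [0x3F, 0x06, 0x5B, 0x4F, 0x66, 0x6D, 0x7D, 0x07, 0x7F, 0x6F]


class HC595:
    """One 74HC595: 8-bit shift register clocked by SRCLK (pin 11), 8-bit
    storage register loaded by RCLK (pin 12), active-low OE (pin 13).
    Bit 0 is QA (pin 15) ... bit 7 is QH (pin 7). QH' (pin 9) is bit 7 of the
    shift register and feeds SER (pin 14) of the next chip in a chain."""

    def __init__(self):
        # Power-up contents are undefined; seed with junk to show why OE matters.
        self.shift = 0xAA
        self.storage = 0x55
        self.oe_n = 1  # 1 = outputs tri-stated, 0 = outputs driven

    @property
    def qh_prime(self):
        return (self.shift >> 7) & 1

    def clock(self, ser):
        """SRCLK rising edge: every bit moves one place toward QH, SER enters at QA."""
        self.shift = ((self.shift << 1) | (ser & 1)) & 0xFF

    def latch(self):
        """RCLK rising edge: copy the shift register into the storage register."""
        self.storage = self.shift

    def outputs(self):
        """What the display sees: None while OE is high (outputs high-impedance)."""
        return None if self.oe_n else self.storage


class Chain:
    """n chips sharing SRCLK, RCLK and OE; QH' of chip i feeds SER of chip i+1."""

    def __init__(self, n):
        self.chips = [HC595() for _ in range(n)]

    def clock(self, ser):
        # Each chip samples its SER input at the edge, i.e. the neighbour's QH'
        # *before* that neighbour shifts, so walk the chain from the far end.
        for i in range(len(self.chips) - 1, -1, -1):
            bit = ser if i == 0 else self.chips[i - 1].qh_prime
            self.chips[i].clock(bit)

    def shift_out(self, byte):
        """Send MSB first so that after 8 clocks bit 0 of the byte sits on QA."""
        for k in range(7, -1, -1):
            self.clock((byte >> k) & 1)

    def latch(self):
        for c in self.chips:
            c.latch()

    def enable_outputs(self, on=True):
        for c in self.chips:
            c.oe_n = 0 if on else 1

    def outputs(self):
        return [c.outputs() for c in self.chips]


def show_number(chain, value):
    """Drive a two-digit display: the byte sent first ends up on the far chip.
    Returns the pattern each chip presents, chip 0 first."""
    tens, ones = divmod(value % 100, 10)
    chain.shift_out(SEGMENTS[tens])  # pushed through chip 0 into chip 1
    chain.shift_out(SEGMENTS[ones])  # stays in chip 0
    chain.latch()                    # both digits change at the same instant
    chain.enable_outputs(True)
    return chain.outputs()


if __name__ == "__main__":
    chain = Chain(2)
    chain.shift_out(SEGMENTS[4])
    chain.shift_out(SEGMENTS[2])
    print("before latch/OE:", chain.outputs())  # [None, None]: junk never reaches the display
    print("showing 42:", [hex(v) for v in show_number(chain, 42)])
```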

youtube.com/embed/bXzk33EeLWE?…


hackaday.com/2025/08/21/using-…


How Intel’s 386 Protects Itself From ESD, Latch-up and Metastability


To connect the miniature world of integrated circuits like a CPU with the outside world, a number of physical connections have to be made. Although this may seem straightforward, these I/O pads form a major risk to the chip’s functioning and integrity, in the form of electrostatic discharge (ESD), a type of short-circuit called a latch-up, and metastability through factors like noise. Shielding the delicate ASIC from the cruel outside world is the task of the I/O circuitry, with [Ken Shirriff] recently taking an in-depth look at this circuitry in Intel’s 386 CPU.
The 386 die, zooming in on some of the bond pad circuits. (Credit: Ken Shirriff)
The 386 has a total of 141 of these I/O pads, each connected to a pin on the packaging with a delicate golden bond wire. ESD is at the top of the list of potential risks, as a surge of high voltage can literally blow a hole in the circuitry. The protective circuit for this can be seen in the above die shot, with its clamping diodes, current-limiting resistor and a third diode.

Latch-up is the second major issue, caused by the inadvertent creation of parasitic structures underneath the P- and NMOS transistors. These parasitic transistors are normally inactive, but if activated they can cause latch-up, which in the best case causes a momentary failure and in the worst case melts part of the chip due to high currents.

To prevent I/O pads from triggering latch-up, the 386 implements ‘guard rings’ that should block unwanted current flow. Finally there is metastability, which as the name suggests isn’t necessarily harmful, but can seriously mess with the operation of the chip which expects clean binary signals. On the 386 two flip-flops per I/O pad are used to mostly resolve this.

Although the 386’s 1985-era circuitry was very chonky by today’s standards, it was still no match for these external influences, making it clear just how important these protective measures are for today’s ASICs with much smaller feature sizes.


hackaday.com/2025/08/21/how-in…


Linux Fu: Windows Virtualization the Hard(ware) Way


As much as I love Linux, there are always one or two apps that I simply have to run under Windows for whatever reason. Sure, you can use wine, Crossover Office, or run Windows in a virtual machine, but it’s clunky, and I’m always fiddling with it to get it working right. But I recently came across something that — when used improperly — makes life pretty easy. Instead of virtualizing Windows or emulating it, I threw hardware at it, and it works surprisingly well.

Once Upon a Time


First, a story. Someone gave me a Surface Laptop 2 that was apparently dead. It wouldn’t charge, and you can’t remove the keyboard without power. Actually, you can with a paper clip, and I suggested pulling it to see if the screen would charge by itself. They said they had already bought a new computer, so they didn’t care.

Unsurprisingly, once I popped the keyboard off, the computer charged and was fine. You just have to replace the keyboard or use another one. Or use it as a tablet, which it is set up for anyway. But I have plenty of laptops and computers of every description. What was I going to do with this nice but keyboardless computer?

Coincidence


About this same time, I’d been moving my VirtualBox Windows installs over to KVM. That’s a pain if you’ve ever done it, but it performs well and works well. Then I found WinApps. This is a simple script setup that runs Windows in your choice of virtual machine and can pull a single application into an RDP client on your desktop. The effect is that you can have, for example, Microsoft Word just sitting on your desktop like any other program. It also wires up the application so you can, say, open a PowerPoint directly using a real copy of PowerPoint running in the virtual machine.

It works great, except for one thing. When Windows is running, your disk thrashes like crazy. That’s probably not very surprising since the Windows VM image is in a file, so everything goes through the Windows file system and then the Linux file system. Between my SSD cache and my RAID array, there’s a lot going on there. The performance wasn’t bad, but the disk going wild was annoying, and it would freeze up here and there while the drive was overwhelmed.

Virtually Reality, for Real


But what about WinApps? It points to a virtual machine in KVM or Docker. Why not let it point to a real piece of hardware on the network? I could put the Surface out of the way and then run my choice of Windows software right on my desktop with hardware speeds only limited by the network.

Rather than keep you in suspense, it worked. The program allows you to set your virtualization type and one of them is “manual.” Presumably, you’d usually start a VM yourself, but in this case, just the IP address of the remote Windows box is all you need.

Is it that Easy?


Well, almost. There were two small issues. For one thing, you need to run an install script on the Windows box. You can do that before you set up, while you enable Remote Desktop. Here’s what the directions say:

Next, you will need to make some registry changes to enable RDP Applications to run on the system. Start by downloading the RDPApps.reg file, right-clicking on the Raw button, and clicking on Save target as. Repeat the same thing for the install.bat and the NetProfileCleanup.ps1. Do not download the Container.reg.


The other issue is that I have two monitors that are separated, with one at the bottom left and one at the top right of a large rectangle, and lots of blank wall between them. The xfreerdp program hates that. I had to fiddle with the settings quite a bit, and you may have different results.

One thing I did to be safe was to go get the latest version of xfreerdp and install it. You can point to it in the WinApps configuration file. Sometimes, the programs in your distro’s repositories can be pretty old. I wanted to make sure I had the latest RDP client.

For normal operations, these options worked:

RDP_FLAGS="/cert:tofu /sound /microphone +home-drive /span /multimon:force /mouse-relative /dynamic-resolution"
I also had to edit ~/.local/bin/winapps to change the options for the “windows” run (which starts a full-screen Windows session) to:

# Open Windows RDP session.
dprint "WINDOWS"
$FREERDP_COMMAND \
    /d:"$RDP_DOMAIN" \
    /u:"$RDP_USER" \
    /p:"$RDP_PASS" \
    /scale:"$RDP_SCALE" \
    +auto-reconnect \
    /monitors:0 \
    /wm-class:"Microsoft Windows" \
    /t:"Windows RDP Session [$RDP_IP]" \
    /v:"$RDP_IP" &>/dev/null &
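Two of the settings above deserve a second look before pointing WinApps at a real machine on the LAN: /cert:tofu trusts whatever certificate the host presents on first connect, and RDP_PASS sits in the config file in cleartext. The following is an added example, not WinApps' or the article's code: it parses a winapps.conf-style file, reports those settings, and shows a hardened equivalent beside the weak one. The sample configs are constructed, the fingerprint is a placeholder, and the /cert:fingerprint and /drive forms are FreeRDP's (assumed current for the xfreerdp in use).

```python
"""Added example (not WinApps' or the article's code): audit a winapps.conf-style
file for the settings shown above that deserve a second look, and show the
hardened form next to the weak one. Sample configs are constructed."""
import re

# Constructed sample in the shape of the article's configuration (weak form).
WEAK_CONF = '''
RDP_USER="alice"
RDP_PASS="hunter2"
RDP_IP="192.0.2.10"
RDP_FLAGS="/cert:tofu /sound /microphone +home-drive /span /multimon:force /mouse-relative /dynamic-resolution"
'''

# Hardened form: pin the host certificate with FreeRDP's /cert:fingerprint form
# (the hex is a placeholder, not a real fingerprint), share one folder via
# /drive instead of the whole home directory, and leave RDP_PASS empty so
# xfreerdp prompts for the password instead of reading it from disk.
HARDENED_CONF = '''
RDP_USER="alice"
RDP_PASS=""
RDP_IP="192.0.2.10"
RDP_FLAGS="/cert:fingerprint:sha256:<PLACEHOLDER-SHA256> /sound /microphone /drive:winshare,$HOME/winshare /span /multimon:force /mouse-relative /dynamic-resolution"
'''

_ASSIGN = re.compile(r'^\s*([A-Z_]+)="(.*)"\s*$')


def parse_conf(text):
    """KEY="value" lines to a dict. WinApps sources this file with bash, so only
    the simple double-quoted form used in the article is handled here."""
    conf = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def audit_conf(conf):
    """Return a list of (key, finding) tuples; an empty list means nothing to fix."""
    findings = []
    flags = conf.get("RDP_FLAGS", "").split()
    if "/cert:tofu" in flags:
        findings.append(("RDP_FLAGS",
                         "/cert:tofu accepts whatever certificate is presented on the first "
                         "connect; pin the host with /cert:fingerprint or /cert:name"))
    if "+home-drive" in flags:
        findings.append(("RDP_FLAGS",
                         "+home-drive exposes the whole home directory to the Windows host; "
                         "share a single folder with /drive:name,path"))
    if conf.get("RDP_PASS"):
        findings.append(("RDP_PASS",
                         "Windows password stored in cleartext; leave it empty so xfreerdp "
                         "prompts, or at least chmod 600 the file"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":")
        for key, finding in audit_conf(parse_conf(text)) or [("-", "no findings")]:
            print("  %s: %s" % (key, finding))
```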

Bugs!


While I was in there, I also fixed a bug. The script (and the installation script) can’t figure out that my user is in the right group to run virtual machines, so if you plan on using real virtualization, you might have to fix it or, do what I did, and comment that test out of the main program and the installer. However, if you are using manual mode, that shouldn’t be a problem. The installer also tells me that ~/.local/bin isn’t on my path, but it is. That’s safe to ignore.

There seem to be some other issues. For example, while the installer sets up the ~/.local/bin directory, it didn’t add any links to my start menu. I think it was supposed to. Of course, it is trivial to just add your own menu items, which you’ll need to do for non-standard programs anyway.

Proof in the Pudding

Word on Linux the hard way!
Does it work? Well, there’s Microsoft Word running on my KDE desktop. You might have to rearrange or resize a window when you first launch it. If that bothers you, write a rule to fix the window position. Most of the time, it works well enough. You can also go full screen and back (Control+Alt+Enter). Anything you can normally do in an RDP session, you can do here.

Is it perfect? Nope. You can, in theory, redirect USB devices, but it will be kludgy and probably slow. I still use KVM for things that have to talk to a USB device. Of course, you can also hang the USB device off the Windows machine. The default setup maps your home directory to Windows, but you can fix it to map other places, too (and make sure the config file knows where your removable media mounts, too). The system autodetects many apps, but there is a manual mode that can, in theory, run anything. Or, you can pull up Windows Explorer and run any application you want.

This would be a perfect use for an old computer sitting around, or for a junk-store small form factor PC that you can pick up for nearly nothing. You won’t be gaming on it or anything, but it is perfectly usable for that strange Word document or EPROM programmer software.

Honestly, it’s gotten to the point where having WSL on Windows means I barely notice which OS I’m on 99% of the time. Most of the apps I use will run on either system, but I still prefer the control I have on Linux and find it easier to fix issues there. At least dual booting is mostly a thing of the past.


hackaday.com/2025/08/21/linux-…


Bad To The Bluetooth: You Shouldn’t Use This Jammer


Back in the day, an FM bug was a handy way to make someone’s annoying radio go away, particularly if it could be induced to feedback. But these days you’re far more likely to hear somebody’s Bluetooth device blasting than you are an unruly FM radio.

To combat this aural menace, [Tixlegeek] is here with a jammer for the 2.4 GHz spectrum to make annoying Bluetooth devices go silent. While it’s not entirely effective, it’s still of interest for its unashamed jankiness. Besides, you really shouldn’t be using one of these anyway, so it doesn’t really matter how well it works.

Raiding the AliExpress 2.4 GHz parts bin, there’s a set of NRF24L01+ modules that jump around all over the band, a couple of extremely sketchy-looking power amplifiers, and a pair of Yagi antennas. It’s not even remotely legal, and we particularly like the sentence “After running the numbers, I realized it would be cheaper and far more effective to just throw a rock at [the Bluetooth speaker]”. If there’s a lesson here, perhaps it is that effective jamming comes in disrupting the information flow rather than drowning it out.

This project may be illegal, but unlike some others we think it (probably) won’t kill you.


hackaday.com/2025/08/21/bad-to…


Ask Hackaday: Where Are All the Fuel Cells?


Given all the incredible technology developed or improved during the Apollo program, it’s impossible to pick out just one piece of hardware that made humanity’s first crewed landing on another celestial body possible. But if you had to make a list of the top ten most important pieces of gear stacked on top of the Saturn V back in 1969, the fuel cell would have to place pretty high up there.
Apollo fuel cell. Credit: James Humphreys
Smaller and lighter than batteries of the era, each of the three alkaline fuel cells (AFCs) used in the Apollo Service Module could produce up to 2,300 watts of power when fed liquid hydrogen and liquid oxygen, the latter of which the spacecraft needed to bring along anyway for its life support system. The best part was, as a byproduct of the reaction, the fuel cells produced drinkable water.

The AFC was about as perfectly suited to human spaceflight as you could get, so when NASA was designing the Space Shuttle a few years later, it’s no surprise that they decided to make them the vehicle’s primary electrical power source. While each Orbiter did have backup batteries for emergency purposes, the fuel cells were responsible for powering the vehicle from a few minutes before launch all the way to landing. There was no Plan B. If an issue came up with the fuel cells, the mission would be cut short and the crew would head back home — an event that actually did happen a few times during the Shuttle’s 30-year career.

This might seem like an incredible amount of faith for NASA to put into such a new technology, but in reality, fuel cells weren’t really all that new even then. The space agency first tested their suitability for crewed spacecraft during the later Gemini missions in 1965, and Francis Thomas Bacon developed the core technology all the way back in 1932.

So one has to ask: if fuel cell technology is nearly 100 years old, and was reliable and capable enough to send astronauts to the Moon back in the 1960s, why don’t we see it used more today?

Fuel Cell 101


Before continuing to bemoan their absence from our everyday lives, perhaps it would be helpful to take a moment and explain what a fuel cell is.

In the most basic configuration, the layout of a fuel cell is not entirely unlike a traditional battery. You’ve got an anode that serves as the negative terminal, a cathode for the positive, and an electrolyte in between them. There’s actually a number of different electrolytes that can be used, which in turn dictate both the pressure the cell operates at and the fuel it consumes. But we don’t really need to get into the specifics — it’s enough to understand that the electrolyte allows positively charged ions to move through it, while negatively charged electrons are blocked.

The electrons are eager to get to the party on the other side of the electrolyte, so once the fuel cell is connected to a circuit, they’ll rush through to get over to the cathode. Each cell usually doesn’t produce much electricity, but gang a bunch of them up in series and you can get your total output into a useful range.

One other element to consider is the catalyst. Again, the specifics can change depending on the type of fuel cell and what it’s consuming, but in general, the catalyst is there to break the fuel down. For example, plating the anode with a thin layer of platinum will cause hydrogen molecules to split as they pass through.

Earthly Vehicle Applications


So we know they were used extensively by NASA up until the retirement of the Shuttle back in 2011, but spacecraft aren’t the only vehicles that have used fuel cells for power.
The fuel cell powered Toyota Mirai, on the market since 2015.
There’s been quite a number of cars that used fuel cells, ranging from prototypes to production models. In fact, Toyota, Honda, and Hyundai actually have fuel cell cars available for sale currently. They’re not terribly widespread however, with availability largely limited to Japan and California as those are nearly the only places you’ll find hydrogen filling stations.

Of course, not all vehicles need to be filled up at a public pump. There have been buses and trains powered by fuel cells, but again, none have ever enjoyed much widespread success. In the early 2000s there were some experimental fuel cell aircraft, but those efforts were hampered by the fact that electric aircraft in general are still in their infancy.

Interestingly, outside of their space applications, fuel cells seem to have enjoyed the most success on the water. While still a minority in the grand scheme of things, there have been a number of fuel cell passenger ferries over the years, with a few still in operation to this day. There’s also been a bit of interest from the world’s navies, with the German and Italian governments collaborating on the development of the Type 212A submarine. Each of the nine fuel cells on the sub can produce up to 50 kW, and together they allow the submarine to remain submerged for weeks — a trick that’s generally only possible with nuclear-fueled vessels.

Personal Power Plants


While fuel cell vehicles have only seen limited success, there are plenty of other applications for the technology, some of which are arguably more interesting than a hydrogen-breathing train anyway.

At least for a time, it seemed fuel cells would have a future powering our personal devices like phones and laptops. Modern designs don’t require the liquid oxygen of the Apollo-era hardware, and can instead suck in atmospheric air. You still need the hydrogen, but that can be provided in small replaceable cylinders like many other commercially-available gases.

The peak example of this concept has to be the Horizon MiniPak. This handheld fuel cell was designed to power all of your USB gadgets with its blistering 2 watt output, and used hydrogen cylinders which could either be tossed when they were empty or refilled with a home electrolysis system. Each cylinder reportedly contained enough hydrogen to generate 12 watt-hours, which would put each one about on par with a modern 18650 cell.

The device made its debut at the 2010 Consumer Electronics Show (CES), but despite contemporary media coverage talking about an imminent commercial release, it’s not clear that it was ever actually sold in significant numbers.

Looking at what’s on the market currently, a company called EFOY offers a few small fuel cells that seem to be designed for RVs and boats. They certainly aren’t handheld, with the most diminutive model roughly the size of a small microwave, but at least it puts out 40 watts. Unfortunately, the real problem is the fuel — rather than breathing hydrogen and spitting out pure water, the EFOY units consume methanol and output as a byproduct the creeping existential nightmare of being burned alive by invisible fire.

DIY To the Rescue?


If the free market isn’t offering up affordable portable fuel cells, then perhaps the solution can be found in the hacker and maker communities. After all, this is Hackaday — we cover home-spun alternatives for consumer devices on a daily basis.

Except, not in this case. While there are indeed very promising projects like the Open Fuel Cell, we actually haven’t seen much activity in this space. A search through the back catalog while writing this article shows the term “fuel cell” has appeared fewer than 80 times on these pages, and of those occurrences, almost all of them were discussing some new commercial development. There were two different fuel cell projects entered into the 2015 Hackaday Prize, but unfortunately both of those appear to have been dead ends.

So Dear Reader, the question is simple: what’s the holdup with mainstream fuel cells? The tech is not terribly complex, and a search online shows plenty of companies selling the parts and even turn-key systems. There’s literally a site called Fuel Cell Store, so why don’t we see more of them in the wild? Got a fuel cell project in the back of your mind? Let us know in the comments.


hackaday.com/2025/08/21/ask-ha…


A Fake Digital-Signature Patch Is Spreading Malware! Beware of the Scam


Today, CERT-AGID warns, reports have come in from public administrations about a targeted malicious campaign being spread in these hours.

Malicious email

The fraudulent email, using a supposedly urgent update to a digital signature software package as a pretext, induces users to click the link in the message body in order to download a ZIP file containing a malicious VBS script.

Malicious VBS file

The VBS file uses no obfuscation techniques and its code is commented in Italian, suggesting either the use of AI tools by an Italian threat actor or, alternatively, an attempt to mislead attribution.

The goal is the installation of Action1, a legitimate tool normally used by IT administrators for remote patch management and remediation of vulnerabilities on their systems, but which in this context is abused by malicious actors to obtain unauthorized access to the compromised devices.

Analysis of the MSI file

For CERT-AGID this is the first evidence in Italy of this tool being abused by malicious actors, although internationally it is already known to have been exploited in malware distribution campaigns, including by the Conti ransomware group.

As already happened with other legitimate remote management products, such as ScreenConnect, cybercriminals exploit signed, legitimate software to reduce the likelihood of detection by security solutions.

At the moment the malware or final payload that might be delivered has not been identified; it is plausible that the malicious actors are waiting for the most opportune moment to release it.

Actions taken and recommendations


CERT-AGID has started the appropriate countermeasures against the campaign, distributing the related IoCs and contacting the affected signature provider (Gestore di Firma). It also invites public administrations and, more generally, all users who have received this email to:

  • not click the link contained in the message;
  • use the Indicators of Compromise (IoC) made available by CERT-AGID to carry out the appropriate checks;
  • use the hashr tool to search for malicious files within their own systems;
  • in case of compromise, immediately isolate the device and report the incident to CSIRT Italia.
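As an added illustration of the hash-based check the list above recommends (this is not the hashr tool and not CERT-AGID's code), the following Python script walks a directory, hashes files with the extensions seen in this campaign (ZIP, VBS, MSI) and reports any whose SHA-256 is on an IoC list. The IoC set and the files it scans are constructed in a temporary directory for the demo; with the real list, CONSTRUCTED_IOC_SHA256 would be replaced by the digests from the CERT-AGID download.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample: the bytes of a hypothetical dropper, used only so the
# IoC set below has a known digest. NOT the real campaign's indicator.
CONSTRUCTED_VBS = (
    b"' fake signing-software update\r\n"
    b"Set sh = CreateObject(\"WScript.Shell\")\r\n"
)
# IoC list as a set of lowercase SHA-256 hex digests (constructed for the demo).
CONSTRUCTED_IOC_SHA256 = {hashlib.sha256(CONSTRUCTED_VBS).hexdigest()}

# File types involved in this campaign: ZIP attachment, VBS dropper, MSI installer.
SUSPECT_EXTENSIONS = {".vbs", ".zip", ".msi"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, ioc_hashes, extensions=SUSPECT_EXTENSIONS):
    """Walk root and return (path, sha256) for every file whose digest is an IoC."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in extensions:
                continue
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the scan
            if digest in ioc_hashes:
                hits.append((str(p), digest))
    return hits


def build_demo_tree(root):
    """Create a constructed tree: one IoC match, one benign VBS-like MSI, one text file."""
    root = Path(root)
    downloads = root / "Downloads"
    downloads.mkdir(parents=True, exist_ok=True)
    (downloads / "aggiornamento_firma.vbs").write_bytes(CONSTRUCTED_VBS)
    (downloads / "installer.msi").write_bytes(b"not an IoC match\n")
    (downloads / "notes.txt").write_bytes(b"benign text file\n")
    return root


def demo():
    """Scan the constructed tree; returns the file names that matched the IoC set."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return [Path(p).name for p, _ in scan_directory(tmp, CONSTRUCTED_IOC_SHA256)]


def demo_without_iocs():
    """Same tree scanned against an empty IoC set: must report nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_directory(tmp, set())


if __name__ == "__main__":
    print(demo())  # -> ['aggiornamento_firma.vbs']
```

The extension filter keeps the scan cheap on a workstation; drop it (pass `extensions` as a set of every suffix you care about, or hash everything) when the indicator list includes renamed or extension-less files.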


Indicators of Compromise


The IoCs for this campaign have already been shared with the organizations accredited to CERT-AGID's IoC feed.

Link: Download IoC

The article "A fake patch for digital signature software spreads malware! Beware of the scam" comes from il blog della sicurezza informatica.


CAL 3D Printing Spins Resin Right Round, Baby


Computed Axial Lithography (CAL) is a lightning-fast form of volumetric 3D printing that holds incredible promise for the future, and [The Action Lab] filmed it in action at a Berkeley team’s booth at the “Open Sauce” convention.

The basic principle works like this: an extra-viscous photopolymer resin sits inside a rotating, transparent cylinder. As the cylinder rotates, UV light is projected into the resin in patterns carefully calculated to reproduce the object being printed. There are no layers, no FEP, and no stop-and-start; it’s just one long exposure from what is effectively an object-generating video, and it does not take long at all. You can probably guess that the photo above shows a Benchy being created, though unfortunately, we’re not told how long it took to produce.

Don’t expect to grab a bottle of SLA resin to get started: not only do you need higher viscosity, but also higher UV transmission than you get from an SLA resin to make this trick work. Like regular resin prints, the resolution can be astounding, and this technique even allows you to embed objects into the print.
This handle was printed directly onto the shaft of the screwdriver.
It’s not a new idea. Not only have we covered CAL before, we even covered it being tested in zero-G. Floating in viscous resin means the part couldn’t care less about the local gravity field. What’s interesting here is that this hardware is at tabletop scale, and looks very much like something an enterprising hacker might put together.

Indeed, the team at Berkeley have announced their intention to open-source this machine, and are seeking to collaborate with the community on their Discord server. Hopefully we’ll see something more formally “open” in the future, as it’s something we’d love to dig deeper into — and maybe even build for ourselves.

Thanks to [Beowulf Shaeffer] for the tip. If you are doing something interesting with photopolymer ooze (or anything else) don’t hesitate to let us know!

youtube.com/embed/L7QnADt04ZU?…


hackaday.com/2025/08/21/cal-3d…


Playing DOOM on the Anker Prime Charging Station


At this point the question is no longer whether a new device runs DOOM, but rather how well. In the case of Anker’s Prime Charging Station it turns out that it’s actually not too terrible at controlling the game, as [Aaron Christophel] demonstrates. Unlike the similar Anker power bank product with BLE and a big display that we previously covered, this device has quite the capable hardware inside.
Playing a quick game of DOOM while waiting for charging to finish. (Credit: Aaron Christophel, YouTube)
According to [Aaron], inside this charging station you’ll not only find an ESP32-C3 for Bluetooth Low Energy (BLE) duty, but also a 150 MHz Synwit SWM341RET7 (Chinese datasheet) ARM-based MCU along with 16 MB of external flash and 8 MB of external RAM. Both of these are directly mapped into the MCU’s memory space. The front display has a 200×480 pixel resolution.

This Synwit MCU is a bit of a curiosity: it uses ARM China’s Star-MC1 core, and most of the information on it is in Chinese, though it’s clear that it implements the ARMv8-M profile. It can also be programmed the typical way, which is what [Aaron] did to get DOOM on it, with the clicky encoder on the side of the charging station being the sole control input.

As can be seen in the video it makes for a somewhat awkward playing experience, but far more usable than one might expect, even if running full-screen proved to be a bit too much for the hardware.

youtube.com/embed/MdOU8SqCqeY?…


hackaday.com/2025/08/21/playin…


LastPass, 1Password and Keeper under fire! Widespread 0-day bugs found and millions of users at risk


A cybersecurity expert has identified zero-day flaws affecting eleven well-known password managers, potentially putting tens of millions of users at risk of credential theft with a single malicious click.

A novel attack strategy, known as “DOM-based Extension Clickjacking”, marks a substantial advance over traditional web clickjacking methods.

The research, conducted by security expert Marek Tóth, reveals that attackers can exploit these vulnerabilities to steal credit card data, personal information, login credentials and even two-factor authentication codes from unsuspecting users.

DOM-based extension attack chain

Unlike traditional approaches, which target web applications through invisible iframes, this strategy alters the user interface elements that password manager extensions inject into the DOM of web pages, making them invisible but still clickable.

When users encounter apparently legitimate elements, such as cookie consent banners or CAPTCHA prompts on compromised websites, a single click can trigger the autofill of hidden forms with the stored sensitive data.

The attack works by crafting malicious scripts that hide the extension’s UI elements through JavaScript manipulation, in particular by adjusting opacity and using DOM overlay techniques. Tóth’s in-depth research tested eleven well-known password managers, including industry leaders such as 1Password, Bitwarden, LastPass, Dashlane, Keeper and others.

The results were alarming: all of the password managers tested were initially vulnerable to at least one variant of the DOM-based Extension Clickjacking technique. The vulnerabilities affect roughly 40 million active installations across the Chrome Web Store, Firefox Add-ons and Edge Add-ons platforms.

Six of the nine password managers tested were vulnerable to credit card data extraction, while eight out of ten could be exploited to exfiltrate stored personal information.

Perhaps most worrying, ten out of eleven password managers were subject to credential theft, including the TOTP (Time-based One-Time Password) codes used for two-factor authentication.

The article "LastPass, 1Password and Keeper under fire! Widespread 0-day bugs found and millions of users at risk" comes from il blog della sicurezza informatica.


Windows 0-day RCE exploit for sale at $125,000: how to protect yourself


Browsing the dark web can reveal disturbing and alarming listings for anyone working in cybersecurity. Recently, we noticed a post offering a 0-day exploit for sale, an extremely dangerous kind of tool. The listing, from a user with the nickname “admc21”, advertises a Remote Code Execution (RCE) attack affecting the latest versions of Windows, including Windows 10, Windows 11 and Windows Server 2022. The asking price is $125,000, a figure that underlines the value of these tools on the black market.

But what makes these exploits so lethal?

What exactly is a 0-day exploit?


The term “0-day” (or zero-day) refers to a software vulnerability that is unknown to the product’s developer. This means there is not yet a patch or security update to fix it. An attacker who discovers or buys a 0-day exploit has an enormous advantage: they can exploit the flaw to attack systems without the victims being able to defend themselves. Once the vulnerability is made public or discovered, the developers have zero days to prepare a countermeasure.

The post refers to an RCE, a type of attack that lets a cybercriminal run malicious code on the victim’s computer remotely, without the victim noticing. In this specific case, the exploit provides “SYSTEM” privileges, the highest level of control on a Windows system.

It is like handing the attacker the keys to your house: they can steal data, install malware or take full control of the device.

Technical countermeasures and the economics of cybercrime


The listing specifies that the exploit can bypass modern Windows defenses such as ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention) and CFG (Control Flow Guard). These security measures were created precisely to make exploiting vulnerabilities harder, but a well-designed 0-day exploit can manage to evade them.

The price of $125,000 in cryptocurrency gives us a glimpse of the underground economy of cybercrime. The request for a “single-use sale” indicates that the buyer will have exclusive use of this tool, at least for a certain period, which increases its value and secrecy.

This type of transaction feeds an ecosystem in which the vulnerabilities of our systems are turned into digital weapons.

Protecting yourself from unknown threats


So how can we protect ourselves from a threat we do not know? The answer is complex, but it rests on a few fundamental cybersecurity principles:

  1. Keep systems updated: even though a 0-day is by its nature unknown, software vendors constantly release patches for vulnerabilities that have already been discovered. Keeping systems updated reduces the risk from known attacks.
  2. Use advanced security software: modern EDR (Endpoint Detection and Response) software does not rely only on malware signatures, but uses artificial intelligence to detect anomalous behavior that could indicate a 0-day attack.
  3. Adopt a “zero trust” policy: trust no one, inside or outside the network, and implement strict security controls on every device and user.

The sale of 0-day exploits reminds us that the world of cybersecurity is a continuous battle.

Only by staying informed and vigilant, and by adopting the right countermeasures, can we hope to stay one step ahead of the threats.

The article "Windows 0-day RCE exploit for sale at $125,000: how to protect yourself" comes from il blog della sicurezza informatica.


Let’s Brief You on Recent Developments for Electrostatic Motors


A photo of a motor and a meter on a bench.

Over on his YouTube channel [Ryan Inis] has a video about how electrostatic motors are breaking all the rules.

He explains that these days most motors are electromagnetic but suggests that may be changing as the age-old principles of electrostatics are being explored again, particularly due to the limited supply of rare-earth magnets and other materials (such as copper and steel) which are used in many electromagnetic motors.

[Ryan] says that new electrostatic motors could be the answer for highly efficient and economical motors. Conventional electromagnetic motors pass current through copper windings which create magnetic fields which are forces which can turn a rotor. The rotor generally has permanent magnets attached which are moved by the changing magnetic forces. These electromagnetic motors typically use low voltage and high current.

Electrostatic alternatives are actually an older design, dating back to the 1740s with the work of Benjamin Franklin and Andrew Gordon. These electrostatic motors generate motion through the attraction and repulsion of high voltage electric charges and demand lower current than electromagnetic motors. The high voltages involved create practical problems for engineers who need to harness this energy safely without leading to shocks or sparks or such.

[Ryan] goes on to discuss particular electrostatic motor designs and how they can deliver higher torque with lower energy losses due to friction and heat making them desirable for various applications, particularly industrial applications which demand low speed and high torque. He explains the function of the rotor and stator and says that these types of motors use 90% less copper than their electromagnetic alternatives, also no electrical steel and no permanent magnets.

For more coverage on electrostatic motors check out Electrostatic Motors Are Making A Comeback.

youtube.com/embed/44WM5J6AcHo?…


hackaday.com/2025/08/20/lets-b…


One-Motor Drone Mimics Maple Seeds For Stability


We’ve seen aircraft based on “helicopter” seeds (technically samara seeds, which include those of maples and elms) before, but this recent design from researchers at the Singapore University of Technology and Design (SUTD) shows how a single small motor can power a spinning monocopter capable of active directed flight, including hovering.

The monocopter is essentially an optimized wing shape with a single motor and propeller at one end. Hardware-wise it might be simple, but the tradeoff is higher complexity in other areas. Physical layout and balance are critical to performance, and software-wise controlling what is basically a wing spinning itself at high speed is a complex task. The payoff is highly-efficient flight in a package that self-stabilizes; it weighs only 32 grams and has a flight time of 26 minutes, which is very impressive for a self-contained micro aircraft.

We saw what looks like an earlier version of this concept from SUTD that was capable of directed flight by modifying the airfoil surface, but like the seeds it was modeled after, it’s more of a glider. This unit has the same spinning-seed design, but is actively powered. A significant improvement, for sure.

For those who prefer their DIY micro aircraft a little more traditional-looking, be sure to check out the design details of a handmade and fully operational 1:96 scale P-51 Mustang that weighs only 2.9 grams. It even has retractable landing gear! When one can manage to keep mass to a bare minimum, a little power goes a long way.


hackaday.com/2025/08/20/one-mo…


Carry your Grayscale Memories with this Tiny Gameboy Photo Frame


While we cannot be certain this is the world’s smallest digital photo frame, [Raphaël Boichot]’s Pico Slide Show is probably in the running. Since the 0.85″ TFT display would be wasted on multi-megapixel images, [Raphaël] has dedicated this project to images from the Game Boy Camera.

It’s a good fit: the tiny square display has a resolution of 128 pixels per side, while the Game Boy Camera produces files measuring 128 x 112. That allows for pixel-perfect rendering of the grainy images from everyone’s favourite early digicam with just a little letter boxing.
While perfect for all your on-the-go Game Boy slideshow needs, an enclosure might be a good idea for hauling around that battery.
The brains of the operation are an RP2040, provided via the RP2040-zero breakout from Waveshare. Since everything is through-hole or on breakouts, this wouldn’t be a bad project for a beginner solderer.

Since it would make no sense not to have this tiny unit to be portable, power is provided with a 503035 LiPo pouch on the back. It’s only 500 mAh, sure, but this device isn’t going to be chugging power, so we’d expect a reasonable runtime.

Alas, no link cable functionality is currently included, and files must be transferred via PC. Images are saved to the Pico’s flash memory, and [Raphaël] says any format from any Game Boy Printer emulator will work, provided it has a four-colour palette. The flash memory on the chip has room for 540 images, which seems like more than enough. Regardless of the novelty of the tiny screen and retro format, nobody wants to see that many holiday snaps in one go.

The code and PCB files are all available open-source on [Raphaël]’s GitHub.

The Game Boy Camera has been popular with hackers literally for decades now, and we’ve seen it everywhere from wedding photo booths to the heart of a custom DSLR, and even on Zoom calls.

Thanks to [Raphaël] for the tip. If you’re feeling jealous and want four colours of greyscale gratitude for yourself, submit your projects here.


hackaday.com/2025/08/20/carry-…



Hide Capacitive Touch Buttons In Your Next 3D Print


Capacitive touch sensors are entirely in the domain of DIY, requiring little more than a carefully-chosen conductive surface and a microcontroller. This led [John Phillips] to ask why not embed such touch buttons directly into a 3D print?
Button locations and labels can be made as part of the 3D print, which is handy.
The process is not much different from that of embedding hardware like magnets or fasteners into 3D prints: one pauses the print at convenient spot, drops in the necessary hardware, then resumes printing. It’s more or less the same for embedding a touch-sensitive button, but [John] has a few tips to make things easier.

[John] suggests using a strip of copper tape, one per touch pad, and embedding it into the print near the surface. His preference is three layers in, putting the copper tape behind 0.6 mm of plastic when using standard 0.20 mm layer heights.

Copper tape makes a good capacitive touch sensor, and the adhesive on the tape helps ensure it stays in place as the 3D printer seals it in on subsequent passes.

Copper tape is also easy to solder to, so [John] leaves a small hole over the copper — enough to stick in a wire and tack it down with the tip of a soldering iron and a blob of solder after the print is complete. It might not be ideal soldering conditions, but if things get a little melty on the back side it’s not the end of the world.

On the software side, capacitive touch sensors can be as simple as using an Arduino library for the purpose, but [John] rolled his own code, so give it a peek.

This reminds us a bit of another way to get a capacitive touch sensor right up against some plastic: a simple spring can do the trick.


hackaday.com/2025/08/20/hide-c…


FLOSS Weekly Episode 843: Money Usually Helps


This week Jonathan and Dan chat with Farid Abdelnour about Kdenlive! It’s top quality video editing software, and happens to be what we use to edit the show! What’s next for the project, and how can you help? Watch to find out!


youtube.com/embed/C6oojQz66Ss?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License


hackaday.com/2025/08/20/floss-…


Nike under fire! Access to its IT infrastructure for sale from an Initial Access Broker


An Initial Access Broker puts access to Nike USA’s servers up for sale on a well-known underground forum.

A post that recently appeared on a dark web forum has raised new concerns about the security of large international companies. An Initial Access Broker (IAB), that is, an actor specializing in compromising corporate networks and reselling access to them, claimed to have valid credentials or entry points for the systems of Nike USA or of one of its third-party suppliers.

Disclaimer: This report includes screenshots and/or text taken from publicly accessible sources. The information provided is exclusively for threat intelligence purposes and to raise awareness of cybersecurity risks. Red Hot Cyber condemns any unauthorized access, improper dissemination or illicit use of such data. At the moment, it is not possible to independently verify the authenticity of the reported information, as the organization involved has not yet released an official statement on its website. Consequently, this article must be considered exclusively for informational and intelligence purposes.

Who are the Initial Access Brokers (IAB)


Initial Access Brokers are a central figure in the cybercrime ecosystem. Their activity consists of compromising companies’ IT infrastructures, through phishing, exploitation of vulnerabilities, stolen credentials or brute-force attacks, and then reselling this access on the dark web.
The buyers can be ransomware groups, criminals interested in stealing sensitive data, or actors who use these entry points to move laterally within networks and launch targeted attacks.

In effect, IABs lower the barrier to entry for cybercrime: anyone with the financial resources to buy initial access can skip the most complex phase of an attack, accelerating the compromise of the target.

The forum post


The message was posted by a user with the nickname NetworkBrokers, who enjoys high-level status (“GOD”) on the forum and has a positive reputation.
In the post, dated 25 August 2025 at 03:55 AM, the user writes:

> “Hi,
> We are selling Initial Access to Nike USA.”

The very brief text is accompanied by the official logo of the US multinational. No technical details about the access for sale are given (for example its type, privilege level, access method or asking price). However, the mere announcement is enough to attract the attention of malicious actors looking for new attack opportunities.

A risk that could extend to the supply chain


It is not clear whether the access on offer concerns Nike USA’s systems directly or is linked to a third-party supplier working with the company. In both cases the potential impact is significant: in the first scenario the attack would hit the organization directly; in the second it could trigger the domino effect typical of supply chain attacks, which exploit ties with less protected external partners to penetrate high-profile infrastructures.

Final considerations


The appearance of such a listing confirms once again how the big global brands are constantly in the crosshairs of cybercrime, and how the chain of suppliers and partners can be a weak link in the defense.

If confirmed, the access put up for sale could be exploited by cyber gangs for future ransomware or data exfiltration campaigns.

The article "Nike under fire! Access to its IT infrastructure for sale from an Initial Access Broker" comes from il blog della sicurezza informatica.


Instant Macropad: Just Add QMK


I recently picked up one of those cheap macropads (and wrote about it, of course). It is surprisingly handy and quite inexpensive. But I felt bad about buying it. Something like that should be easy to build yourself. People build keyboards all the time now, and with a small number of keys, you don’t even have to scan a matrix. Just use an I/O pin per switch.

The macropad had some wacky software on it that, luckily, people have replaced with open-source alternatives. But if I were going to roll my own, it would be smart to use something like QMK, just like a big keyboard. But that made me wonder, how much trouble it would be to set up QMK for a simple project. Spoiler: It was pretty easy.

The Hardware

Simple badge or prototype macropad? Why not both?
Since I just wanted to experiment, I was tempted to jam some switches in a breadboard along with a Raspberry Pi Pico. But then I remembered the “simple badge” project I had up on a nearby shelf. It is simplicity itself: an RP2040-Plus (you could just use a regular Pi Pico) and a small add-on board with a switch “joystick,” four buttons, and a small display. You don’t really need the Plus for this project since, unlike the badge, it doesn’t need a battery. The USB cable will power the device and carry keyboard (or even mouse) commands back to the computer.

Practical? No. But it would be easy enough to wire up any kind of switches you like. I didn’t use the display, so there would be no reason to wire one up if you were trying to make a useful copy of this project.

The Software


There are several keyboard firmware choices out there, but QMK is probably the most common. It supports the Pico, and it’s well supported. It is also modular, offering a wide range of features.

The first thing I did was clone the Git repository and start my own branch to work in. There are a number of source files, but you won’t need to do very much with most of them.

There is a directory called keyboards. Inside that are directories for different types of keyboards (generally, brands of keyboards). However, there’s also a directory called handwired for custom keyboards with a number of directories inside.

There is one particular directory of interest: onekey. This is sort of a “Hello World” for QMK firmware. Inside, there are directories for different CPUs, including the RP2040 I planned to use. There are many other choices, though, if you prefer something else.

Surprise!

Quick guide to the files of interest.
So, that directory probably has a mess of files in it, right? Not really. There are five files, including a readme, and that’s it. Of those, there are only two I was going to change: config.h and keyboard.json. In addition, there are a few files that may be important in the parent directory: config.h, onekey.c, and info.json.

I didn’t want to interfere with the stock options, so I created a directory at ~/qmk_firmware/keyboards/handwired/hackaday. I copied the files from onekey to this directory, along with the rp2040 and keymap directories (that one is important). I renamed onekey.c to hackaday.c.

It seems confusing at first, but maybe the diagram will help. This document will help, too. The good news is that most of these files you won’t even need to change. Essentially, info.json is for any processor, keyboard.json is for a specific processor, and keymap.json goes with a particular keymap.

Changes


The root directory config.h didn’t need any changes, although you can disable certain features here if you care. The hackaday.c file had some debugging options set to true, but since I wanted to keep it simple, I set them all to false.

The info.json file was the most interesting. You can do things like set the keyboard name and USB IDs there. I didn’t change the rest, even though the diode_direction key in this file won’t be used for this project. For that matter, the locking section is only needed if you have physical keys that actually lock, but I left it in since it doesn’t hurt anything.

In the rp2040 directory, there are more changes. The config.h file allows you to set pin numbers for various things, and I also put some mouse parameters there (more on that later). I didn’t actually use any of these things (SPI and the display), so I could have deleted most of this.

But the big change is in the keyboard.json file. Here you set the processor type. But the big thing is you set up keys and some feature flags. Usually, you describe how your keyboard rows and columns are configured, but this simple device just has direct connections. You still set up fake rows and columns. In this case, I elected to make two rows of five columns. The first row is the four buttons (and a dead position). The second row is the joystick buttons. You can see that in the matrix_pins section of the file.

The layouts section is very simple and gives a name to each key. I also set up some options to allow for fake mouse keys and media keys (mousekey and extrakey set to true). Here’s the file:

    {
        "keyboard_name": "RP2040_Plus_Pad",
        "processor": "RP2040",
        "bootloader": "rp2040",
        "matrix_pins": {
            "direct": [
                ["GP15", "GP17", "GP19", "GP21", "NO_PIN"],
                ["GP2", "GP18", "GP16", "GP20", "GP3"]
            ]
        },
        "features": {
            "mousekey": true,
            "extrakey": true,
            "nkro": false,
            "bootmagic": false
        },
        "layouts": {
            "LAYOUT": {
                "layout": [
                    { "label": "K00", "matrix": [0, 0], "x": 0, "y": 0 },
                    { "label": "K01", "matrix": [0, 1], "x": 1, "y": 0 },
                    { "label": "K02", "matrix": [0, 2], "x": 2, "y": 0 },
                    { "label": "K03", "matrix": [0, 3], "x": 3, "y": 0 },
                    { "label": "K10", "matrix": [1, 0], "x": 0, "y": 1 },
                    { "label": "K11", "matrix": [1, 1], "x": 1, "y": 1 },
                    { "label": "K12", "matrix": [1, 2], "x": 2, "y": 1 },
                    { "label": "K13", "matrix": [1, 3], "x": 3, "y": 1 },
                    { "label": "K14", "matrix": [1, 4], "x": 4, "y": 1 }
                ]
            }
        }
    }

The Keymap


It still seems like something is missing: the keycodes that each key produces. That's in the ../hackaday/keymaps/default directory. There's a JSON file you don't need to change and a C file:

    #include QMK_KEYBOARD_H

    const uint16_t PROGMEM keymaps[][MATRIX_ROWS][MATRIX_COLS] = {
        [0] = LAYOUT(
            // 4 buttons
            KC_KB_VOLUME_UP, KC_KB_MUTE, KC_KB_VOLUME_DOWN, KC_MEDIA_PLAY_PAUSE,
            // Mouse
            QK_MOUSE_CURSOR_UP, QK_MOUSE_CURSOR_DOWN,
            QK_MOUSE_CURSOR_LEFT, QK_MOUSE_CURSOR_RIGHT,
            QK_MOUSE_BUTTON_1
        ),
    };
    . . .
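Because LAYOUT is positional, the keyboard.json layout and the keymap.c keycode list above have to agree exactly, and a key that points at the NO_PIN slot or a GPIO used twice only shows up as a dead key after flashing. The following checker is an added example (not from the article or from QMK) that reads both files; the embedded copies of keyboard.json and keymap.c are constructed from the article's listings, and the LAYOUT(...) extraction assumes plain keycodes rather than nested macros.

```python
"""Consistency check between the article's keyboard.json (direct-pin matrix) and keymap.c.
Added example, not code from the article or from QMK. It catches what shows up as a
dead or shifted key after flashing: a layout entry outside the direct matrix or on
NO_PIN, one GPIO wired to two positions, and a LAYOUT(...) keycode count that differs
from the layout's key count (LAYOUT is positional, so a miss shifts every later key).
"""
import json
import re

# Constructed copy of the article's keyboard.json, reduced to the parts checked.
KEYBOARD_JSON = """
{
  "matrix_pins": {
    "direct": [
      ["GP15", "GP17", "GP19", "GP21", "NO_PIN"],
      ["GP2", "GP18", "GP16", "GP20", "GP3"]
    ]
  },
  "layouts": {
    "LAYOUT": {
      "layout": [
        { "label": "K00", "matrix": [0, 0] },
        { "label": "K01", "matrix": [0, 1] },
        { "label": "K02", "matrix": [0, 2] },
        { "label": "K03", "matrix": [0, 3] },
        { "label": "K10", "matrix": [1, 0] },
        { "label": "K11", "matrix": [1, 1] },
        { "label": "K12", "matrix": [1, 2] },
        { "label": "K13", "matrix": [1, 3] },
        { "label": "K14", "matrix": [1, 4] }
      ]
    }
  }
}
"""

# Constructed copy of the article's keymap.c, layer 0 only.
KEYMAP_C = """
const uint16_t PROGMEM keymaps[][MATRIX_ROWS][MATRIX_COLS] = {
    [0] = LAYOUT(
        // 4 buttons
        KC_KB_VOLUME_UP, KC_KB_MUTE, KC_KB_VOLUME_DOWN, KC_MEDIA_PLAY_PAUSE,
        // Mouse
        QK_MOUSE_CURSOR_UP, QK_MOUSE_CURSOR_DOWN,
        QK_MOUSE_CURSOR_LEFT, QK_MOUSE_CURSOR_RIGHT,
        QK_MOUSE_BUTTON_1
    ),
};
"""

# Argument list of each "LAYOUT( ... )," call; plain keycodes only, nested macros need a real parser.
LAYOUT_CALL = re.compile(r"LAYOUT\s*\((.*?)\)\s*,", re.S)


def keymap_keycodes(c_source, layer=0):
    """Return the keycodes passed to the LAYOUT(...) call of the given layer."""
    no_comments = re.sub(r"//[^\n]*", "", c_source)
    calls = LAYOUT_CALL.findall(no_comments)
    if layer >= len(calls):
        raise ValueError(f"no LAYOUT call for layer {layer}")
    return [tok.strip() for tok in calls[layer].split(",") if tok.strip()]


def check_keyboard(kb, keycodes):
    """Return a list of problem strings; an empty list means the files agree."""
    problems = []
    direct = kb["matrix_pins"]["direct"]

    # A GPIO may drive only one matrix position.
    first_use = {}
    for r, row in enumerate(direct):
        for c, pin in enumerate(row):
            if pin == "NO_PIN":
                continue
            if pin in first_use:
                problems.append(f"pin {pin} used at {first_use[pin]} and {(r, c)}")
            else:
                first_use[pin] = (r, c)

    # Every layout key must sit on a real pin of the direct matrix.
    layout = kb["layouts"]["LAYOUT"]["layout"]
    for key in layout:
        label = key.get("label", "?")
        r, c = key["matrix"]
        if r >= len(direct) or c >= len(direct[r]):
            problems.append(f"{label}: matrix [{r}, {c}] is outside the direct matrix")
        elif direct[r][c] == "NO_PIN":
            problems.append(f"{label}: matrix [{r}, {c}] is wired to NO_PIN")

    # LAYOUT is positional: keycode count must equal layout key count.
    if len(keycodes) != len(layout):
        problems.append(f"keymap has {len(keycodes)} keycodes but LAYOUT has {len(layout)} keys")
    return problems


def check_files(keyboard_json_text, keymap_c_text):
    return check_keyboard(json.loads(keyboard_json_text), keymap_keycodes(keymap_c_text))
```

Run check_files on your own keyboard.json and keymap.c before flashing; an empty list means the two files agree.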

Mousing Around


I didn’t add the mouse commands until later. When I did, they didn’t seem to work. Of course, I had to enable the mouse commands, but it still wasn’t working. What bit me several times was that the QMK flash script (see below) doesn’t wait for the Pi Pico to finish downloading. So you sometimes think it’s done, but it isn’t. There are a few ways of solving that, as you’ll see.

Miscellaneous and Building


Installing QMK is simple, but varies depending on your computer type. The documentation is your friend. Meanwhile, I’ve left my fork of the official firmware for you. Be sure to switch to the rp2040 branch, or you won’t see any differences from the official repo.

There are some build options you can add to rules.mk files in the different directories. There are plenty of APIs built into QMK if you want to play with, say, the display. You can also add code to your keymap.c (among other places) to run code on startup, for example. You can find out more about what’s possible in the documentation. For example, if you wanted to try an OLED display, there are drivers ready to go.

The first time you flash, you'll want to put your Pico in bootloader mode and then try this:

    qmk flash -kb handwired/hackaday/rp2040 -km default

If you aren't ready to flash, try the compile command. You can also use clean to wipe out all the binaries. The binaries wind up in qmk_firmware/.build.

Once the bootloader is installed the first time (assuming you didn’t change the setup), you can get back in bootloader mode by double-tapping the reset button. The onboard LED will light so you know it is in bootloader mode.

It is important to wait for the Pi to disconnect, or it may not finish programming. Adding a sync command to the end of your flash command isn’t a bad idea. Or just be patient and wait for the Pi to disconnect itself.
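One way to take the guesswork out of "has the Pico finished yet" is to run the flash command and then block until the bootloader's mass-storage volume disappears, which is what happens when the RP2040 reboots into the new firmware. This wrapper is an added example, not part of the article or of QMK; it assumes the bootloader volume (labelled RPI-RP2 by the RP2040 bootloader) is mounted at MOUNT_POINT, a typical Linux desktop path, and the sleep/clock parameters exist only so the wait loop can be tested without a board.

```python
"""Flash the article's board and block until the Pico has actually rebooted.

Added example, not from the article or QMK. The article notes that qmk flash
returns before the Pico has finished, so this watches for the bootloader
volume to vanish. Assumption: it is mounted at MOUNT_POINT (the RP2040
bootloader's volume label is RPI-RP2; /media/<user> is a typical Linux path).
"""
import os
import subprocess
import time
from pathlib import Path

MOUNT_POINT = Path("/media") / os.environ.get("USER", "pi") / "RPI-RP2"  # assumption


def wait_for_unmount(is_present, timeout_s=30.0, poll_s=0.5,
                     sleep=time.sleep, clock=time.monotonic):
    """Poll is_present() until it is False and return the seconds waited.

    Raises TimeoutError if the volume is still there after timeout_s, which is
    the "looks done but isn't" case the article describes.
    """
    start = clock()
    while is_present():
        if clock() - start > timeout_s:
            raise TimeoutError("RPI-RP2 still mounted; the UF2 may not be fully written")
        sleep(poll_s)
    return clock() - start


def flash_and_wait(keyboard="handwired/hackaday/rp2040", keymap="default",
                   mount=MOUNT_POINT):
    """Run the article's qmk flash command, flush, then wait for the reboot."""
    subprocess.run(["qmk", "flash", "-kb", keyboard, "-km", keymap], check=True)
    os.sync()  # same idea as appending `sync` to the flash command
    return wait_for_unmount(mount.exists)
```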

Usually, the device will reset and become a keyboard automatically. If not, reset it yourself or unplug it and plug it back in. Then you’ll be able to use the four buttons to adjust the volume and mute your audio. The joystick fakes being a mouse. Don’t like that? Change it in keymap.c.

There’s a lot more, of course, but this will get you started. Keeping it all straight can be a bit confusing at first, but once you’ve done it once, you’ll see there’s not much you have to change. If you browse the documentation, you’ll see there’s plenty of support for different kinds of hardware.

What about debugging? Running some user code? I’ll save that for next time.

Now you can build your dream macropad or keyboard, or even use this to make fake keyboard devices that feed data from something other than user input. Just remember to drop us a note with your creations.


hackaday.com/2025/08/20/instan…


Building a Robotic Arm Without Breaking the Bank


There are probably at least as many ways to construct a robotic arm as there are uses for them. In the case of [Thomas Sanladerer] his primary requirement for the robotic arm was to support a digital camera, which apparently has to be capable of looking vaguely menacing in a completely casual manner. Meet Caroline, whose styling and color scheme is completely coincidental and does not promise yummy moist cake for anyone who is still alive after all experiments have been run.

Unlike typical robotic arms where each joint in the arm is directly driven by a stepper motor or similar, [Thomas] opted to use a linear rail that pushes or pulls the next section of the arm in a manner that’s reminiscent of the action by the opposing muscles in our mammalian appendages. This 3D printer-inspired design is pretty sturdy, but the steppers like to skip steps, so he is considering replacing them with brushless motors.

Beyond this, the rest of the robotic arm uses hollow aluminium stock, a lot of 3D-printed sections and, for the head, a bunch of Waveshare ST3215 servos with an internal magnetic encoder for angle control. One of these ~€35 ST3215s did cook itself during testing, which is somewhat worrying. Overall, the total cost was a few hundred Euro, which for a nine-degree-of-freedom robotic arm like this isn't too terrible.

youtube.com/embed/rKyJm80RxE0?…


hackaday.com/2025/08/20/buildi…


Death of the Cheque: Australia Moves On


Checks (or cheques) have long been a standard way of moving money from one bank account to another. They're essentially little more than a codified document that puts the necessary information in a standard format to ease processing by all parties involved in a given transaction.

The check was once a routine, if tedious, way for the average person to pay for things like bills, rent, or even groceries. As their relevance continues to wane in the face of newer technology, though, the Australian government is making a plan to phase them out for good.

Put Some Respect On My Check

Check use has been in heavy decline in recent decades. Credit: Treasury.gov.au
The pending demise of the checks was first floated in June 2023, with the release of the government’s Strategic Plan for Australia’s Payments System. With the rise of credit and debit cards, digital payments via smartphones, and Osko instant bank transfers, checks had diminished to a lower level of importance than ever.

Government statistics indicated that checks were used for less than 0.1% of retail payments within Australia. In 2004, over 10,000,000 personal checks were used every month. Fast forward to 2024, and that number had dwindled to somewhere below 300,000. As volumes have fallen, the price of processing individual checks has effectively increased. In an era where digital payments happen instantly for near-zero cost, a check can take 3 to 7 days to clear, with government statistics stating processing costs for a single check now exceed $5.

Ultimately, the check is now seen as a slow and unwieldy way to make payments, and one no longer worthy of being maintained into the future. Companies have even been questioned openly in the media for the rationale of still using checks to issue refunds in this day and age. The rationale is that winding down the check system for good will lead users to prioritize cheaper, faster methods of transferring money. The aim is to reduce transaction costs, improve productivity in the financial system, and just generally grease the wheels of commerce across the country.
The Australian Payments Network issued design specifications for Australian checks, last updated in 2017, but these will soon be defunct. Credit: Australian Payments Network
The current transition plan has two major milestones. By 30 June 2028, Australian banks will cease issuing personal, commercial, government, and bank checks. Any check written after this date will not be accepted and will effectively be deemed invalid, with no payment made. By 30 September 2029, financial institutions will cease accepting personal, commercial, government and bank checks entirely. Any remaining checks, whenever created, will effectively be void.

These dates were chosen specifically because personal, commercial, and government checks go “stale” 15 months after they are first drawn. Thus, checks of these types that are written on the very last valid day will still be able to be cashed in the usual period of validity before the system is shut down for good. The intention is that there will be no checks that would otherwise still be valid to cash past 30 September 2029 had the system not been closed. Bank checks do not technically go “stale,” so there is still an open question as to whether there will be a need to honor unpresented bank checks after this date.

There are still a few years left until the big shut down. This gives the government and financial institutions time to ensure they have alternative payment methods in place for the handful of remaining check use cases. There are some concerns that various banks may attempt to leave the checking system prior to the government shut down date, burdening other financial institutions with the costs of keeping the system afloat until the end. The government has stated its expectations that banks will work together to ensure a smooth transition.

To that end, there are exit conditions that banks shutting down checking are expected to adhere to. Tier 1 banks are expected to maintain operations until the end date to support smaller institutions that rely on them for check clearing services. Additionally, banks which cease checking operations must still remain members of the Australian Paper Clearing System and fund the system. Banks will also need to give customers 6-month warnings ahead of any decision to shut down their checking operations.

While the domestic Australian checking system will shut down, this will not impact foreign checks coming into the country. Since these checks are processed outside the existing Australian checking system, this will not be an issue—financial institutions that process foreign checks will continue to do so.


hackaday.com/2025/08/20/death-…


Thermal Batteries for Lower Carbon Industrial Processes


A photo of a large warehouse with many skylights and windows near the roof. In the middle of the image extending out into the distance are hundreds of grey refractory bricks stacked on top of a smaller set of brown bricks stacked on top of pallets. There appear to be rails on the floor of the warehouse and small dollies underneath the pallets.

Heating things up is one of the biggest sources of cost and emissions for many industrial processes we take for granted. Most of these factories are running around the clock so they don’t have to waste energy cooling off and heating things back up, so how can you match this 24/7 cycle to the intermittent energy provided by renewables? This MIT spin-off thinks one solution is thermal storage refractory bricks.

Electrified Thermal Solutions takes the relatively simple technology of refractory brick to the next level. For the uninitiated, refractory bricks are typically ceramics with a huge amount of porosity to give them a combination of high thermal tolerance and very good insulating properties. A number of materials processes use them to maximize the use of the available heat energy.

While the exact composition is likely proprietary, the founder's Ph.D. thesis tells us the bricks are likely a doped chromia (chrome oxide) composition that creates heat in the brick when electrical energy is applied. Stacked bricks can conduct enough current for the whole stack to heat up without the need for additional connections. Since these bricks are thermally insulating, they can time-shift the energy from solar or wind and even out the load. This will reduce emissions and cost as well. If factories need to draw additional grid power, it would happen at off-peak hours instead of relying on the fluctuating and increasing costs associated with fossil fuels.

If you want to implement thermal storage on a smaller scale, we’ve seen sand batteries and storing heat from wind with water or other fluids.


hackaday.com/2025/08/20/therma…


Algoritmo Criminale. Come Mafia, cyber e AI riscrivono le regole del gioco


The essay Algoritmo Criminale. Come Mafia, cyber e AI riscrivono le regole del gioco, published in October 2024 by Il Sole 24 Ore and written by Pierguido Iezzi and Ranieri Razzante, opens with the events that led to the arrest of Ross Ulbricht, the manager of Silk Road. Its central thesis is that the illicit activity of the large criminal organizations can no longer be distinguished from cybercrime.

From the Italian police operation against the Bonavota clan to the pig butchering of the Asian mafias, from the romance scams of the Nigerian Black Axe clan to the Russian ransomware gangs, the narrative follows several threads in an attempt to prove this thesis.

Not all the references are recent, and some examples would deserve an explicit bibliography, given that the two authors themselves discuss the difficulty of attributing crimes to actors in cyberspace; still, the overall argument is convincing, as in the part describing the kinds of AI now available on the market that enable a new series of scams, frauds and cybercrimes.

Written simply and clearly is the contribution describing the individual cybercrimes and what can be found on the dark web: heroin, cocaine, barbiturates, stolen credit cards. Dealing in drugs and information is the business of the dark web's black markets, which according to the authors are the true meeting point between organized crime and cybercrime (even though no mention is made of its positive uses by investigative journalists, political dissidents and believers of outlawed religions).

Interesting are the examples of how the Nigerian and Albanian mafias and Russian cybercrime use technology to exploit human and technical vulnerabilities and conduct their business: extortion and money laundering above all, as Nicola Gratteri and Antonio Nicaso explained well in the book Il Grifone. Very apt is the reflection on the Russian criminal landscape, toward which Putin's regime turns a blind eye whenever its actors are useful to state purposes, always governed by the Russian Federation's intelligence agencies.

A useful chapter is the one on brain hacking, another field of interest not only for the mafias but above all for the military. The two authors argue that with the advent of brain chips and implants (such as Musk's Neuralink) and of brain-computer interfaces, already in use in Chinese schools to monitor students' attention, a new era opens for the direct manipulation of human perception, thought and behavior.

Finally, interesting, albeit legal in nature, is the part concerning the illicit use of AI. Yes, the very AIs to which we entrust our most secret and intimate information. The development of this sector too is closely monitored by criminals, who are always looking for new ways to circumvent the law and escape governments' repressive measures.
Book cover: Algoritmo Criminale. Come Mafia, cyber e AI riscrivono le regole del gioco


dicorinto.it/articoli/recensio…


Reviving a Piece of Yesterday’s Tomorrow


Front and back of the replacement OLED module by Sir68k

To anyone who remembers Y2K, Sony's MiniDisc format will probably always feel futuristic. That goes double for Sony's MZ-RH1, the last MiniDisc recorder ever released, back in 2006. It's barely larger than the diminutive discs, and its styling is impeccable. There's a reason they've become highly collectible and sell for insane sums on eBay.

Unfortunately, they come with a ticking time-bomb of an Achilles heel: the first-generation OLED screens. Failure is not a question of if, but when, and many units have already succumbed. Fortunately, enterprising hacker [Sir68k] has come up with a replacement screen to keep these two-decade-old bits of the future alive.
Replacement screens glowing brightly, and the custom firmware showing track info, something you’d never see on a stock RH1.
Previous revisions required some light surgery to get the twin OLED replacement screens to fit, but as of the latest incarnation (revision F+), it’s now a 100% drop-in replacement for the original Sony part. While it is a drop-in, don’t expect it to be easy. The internals are very densely packed, and fairly delicate — both in the name of miniaturization. You’ll need to break out the micro-screwdrivers for this one, and maybe some magnifiers if your eyes are as old as ours. At least Sony wasn’t gluing cases together back in 2006, and [Sir68k] does provide a very comprehensive repair guide.

He's even working on new firmware, to make what many considered the best MD recorder better than ever. It's not ready yet, but when it is, [Sir68k] promises to open-source the upgrade. The replacement screens are sadly not open source hardware, but they're a fine hack nonetheless.

We may see more MiniDisc hacks as the format’s apparent revival continues. Things like adding Bluetooth to the famously-cramped internals, or allowing full data transfer — something Sony was unwilling to allow until the RH1, which is one of the reasons these units are so desirable.


hackaday.com/2025/08/20/revivi…


The Cyberpandino crosses the finish line! What matters is the journey, not the destination


The Cyberpandino has achieved the unthinkable: crossing continents, deserts and mountain ranges to reach the finish line of the Mongol Rally. A crazy, visionary undertaking, born from the idea of pushing beyond the limits of technology and human endurance, aboard a small vehicle that proved to have a heart as big as its mission. Completing this adventure was not just a sporting achievement, but a symbol of the ability to turn an impossible challenge into a living legend, and we at Red Hot Cyber immediately embraced Matteo and Roberto's idea.

The journey was a succession of obstacles and wonders: broken roads, complicated borders, cold nights under the stars and endless days in which the destination seemed impossibly far away. Every kilometer covered was a conquest, every mechanical problem a lesson in resilience, every encounter with people along the road an indelible memory.

The Cyberpandino did not simply travel: it wove together stories, cultures and emotions along its entire route.

Reaching the finish line was like living a dream with open eyes. The final stage was not just a geographical point, but a symbol of the willpower and passion that fueled this undertaking. There were no shortcuts, there was no set route, only the destination and the determination to prove that even a crazy idea can become reality when pursued with courage and creativity.

Now, though, a new challenge begins: the journey back. Because if the outward leg was an adventure into the unknown, the return is the test of true strength. It is not just a matter of retracing the same roads, but of facing the kilometers once more with the awareness that the main mission has been completed. It is time to look at the journey no longer as a challenge, but as a story already etched in collective memory.

The Mongol Rally tested people and machines, but above all it revealed how great the human spirit can be when it meets the unpredictability of the road. The Cyberpandino showed that greatness lies not in engine power or technological perfection, but in the ability to never give up, to keep smiling even when everything seems to be working against you.

And so the mission ends, with a full heart and the road still ahead.

The Cyberpandino has written an epic page, an ode to the positive madness that turns a journey into legend.

It does not matter how long the return will be: what counts is that the flag has been planted and the finish line conquered. This was not just an adventure, but a declaration to the whole world: that even the most absurd dreams, if driven by passion, can become history and reality.

Below is the letter handed to participants at the finish line.
You hit the mark, and the Rally has truly begun. That's already two wonderful things.

It was enormously fun watching you and your little beasts navigate to the end of the planet. And seeing that the spirit of the Adventurist still flows strongly in the veins of this madness, after all these years, is wonderful. It doesn't surprise me. Once again.

The Mongol Rally is a truly bloody undertaking, and without sounding like one of those sappy guys who work in a meditation room surrounded by candles, it is a journey you will talk about with nostalgia for the rest of your days. With a bit of luck, boring to death anyone who listens to you.

I hope you enjoyed every moment. And sooner or later even the shitty moments – when you broke a driveshaft in the middle of nowhere, or when you punctured all four tires in a single day, or when you got stuck between two border posts unable to go forward or back, or when you lost your passport – will become the best moments. Certainly better than "Hey, we sat on a highway and crossed the whole way without absolutely anything happening." Not much of an anecdote to tell at the pub.

Normal life can feel like a real letdown after completing something so enormous. So the question you must ask yourself now is: what's next?

I'll leave you to ponder that while you enjoy the glory of being a Mongol Rally veteran. Thank you for being part of it. We are proud to have you with us. Here is your official event patch. Besides making anything it's attached to infinitely cooler (especially you), it is guaranteed to keep you alive forever. Maybe. It must be worn on every occasion from now on.

Cheers,
Signed, Tom

Tom
Founder of the Adventurists and head of unusually inspiring letters
The article The Cyberpandino crosses the finish line! What matters is the journey, not the destination comes from il blog della sicurezza informatica.


McDonald's hacked by BobDaHacker! Better him than real cybercriminals


Researcher BobDaHacker discovered that reward-point validation in the McDonald's app was handled only on the client side, allowing users to claim free items such as nuggets even without enough points. BobDaHacker reported the problem, but a software engineer dismissed it as "too much work", although the bug was fixed days later, probably after the engineer himself had looked at it.

The researcher then dug deeper into McDonald's systems and found vulnerabilities in the Design Hub, a platform used for brand assets by teams in 120 countries. This platform relied on a client-side password for protection.

After the problem was reported, the company undertook a three-month overhaul to implement proper logins for employees and partners. However, a significant flaw remained: simply replacing "login" with "register" in the URL gave access to an open endpoint.

The API also told users which fields were missing, making account creation incredibly easy. Even more worrying, passwords were sent by email in plain text, an extremely risky practice in 2025.

Subsequent tests confirmed that the endpoint was still reachable, allowing unauthorized access to confidential materials intended exclusively for internal use, BobDaHacker said.

JavaScript files in the Design Hub revealed further details: exposed Magicbell API keys and secrets made it possible to list users and send phishing notifications through McDonald's infrastructure. These were rotated after the report. Algolia search indexes were also listable, exposing personal data such as names, email addresses and access requests.

Employee portals proved just as vulnerable. Basic McDonald's team-member accounts could access TRT, an internal corporate tool, to search global employee data, including executives' email addresses, and even use an "impersonation" feature.

The Global Restaurant Standards (GRS) panel had no authentication on its admin functions, allowing anyone to inject HTML via the API. To demonstrate this, the researcher briefly changed the homepage to "You've been Shreked" before restoring it.

Further problems included a misconfigured login, internal documents exposed to low-level staff, and exploits in the experimental CosMc's restaurant app, such as unlimited coupon use and arbitrary injection of order data.

Recall that last month a serious security vulnerability in McDonald's AI-based hiring system exposed the personal data of 64 million applicants because of weak security based on the password "123456".

The article McDonald's hacked by BobDaHacker! Better him than real cybercriminals comes from il blog della sicurezza informatica.


Using Ultra-Wideband for 3D Location and Tracking


A diagram with one Tag and two Base Stations.

Interested in playing with ultra-wideband (UWB)? [Jaryd] recently put together a fairly comprehensive getting-started guide featuring the AI Thinker BU03 that looks like a great place to start. These modules can be used to determine the distance between two of them to an accuracy on the order of 10 centimeters, and they can do so in any orientation and with obstacles in the line of sight. It is possible to create a network of these UWB modules to get multiple distance measurements at once and enable real-time 3D tracking for your project.

[Jaryd] gathers up nine UWB modules and uses a Raspberry Pi Pico for command and control purposes. He explains how to nominate the “tag” (the device being tracked) and the “base stations” (which help in locating the tag). He reports having success at distances of up to about 10 meters and in favorable circumstances all the way up to as much as 30 meters.

If you don't know anything about UWB and would like a primer on the technology, be sure to check out What Is Ultra Wideband?

youtube.com/embed/fpTaFBbadyE?…


hackaday.com/2025/08/19/using-…


Lisp in 99 Lines of C With TinyLisp


As one of the oldest programming languages still in common use today, and essential for the first wave of Artificial Intelligence research during the 1950s and 60s, Lisp is often the focus of interpreters that can run on very low-powered systems. Such is the case with [Robert van Engelen]’s TinyLisp, which only takes 99 lines of C code and happily runs on the Z80-based Sharp PC-G850V(S) pocket computer with its 2.3 kB of internal RAM and native C support.

The full details on how TinyLisp was implemented and how to write it yourself can be found in the detailed article that’s part of the GitHub project. It supports static scoping, double-precision floating point and features 21 Lisp primitives along with a garbage collector. Two versions for the Sharp PC-G850 (using BCD (i.e. NaN) boxing) are provided, along with a number of generic implementations, using either double or single precision floating point types. A heavily commented version is probably the version to keep alongside the article while reading.

TinyLisp is – as the name implies – very tiny, and thus more full-featured Lisp implementations are widely available. This includes two versions – linked at the bottom of the Readme – also by [Robert] that use a gargantuan 1,000 lines of C, providing a more advanced garbage collector and dozens more Lisp primitives to handle things like exceptions, file loading, strings and debug features.


hackaday.com/2025/08/19/lisp-i…


A Solderless, Soluble Circuit Board


A brown plastic circuit board is visible in the middle of the picture, containing an integrated circuit, a resistor, a diode, two capacitors, and some jumper wires going away to the sides.

Anyone who's spent significant amounts of time salvaging old electronics has probably wished there were a way to take apart a circuit board without desoldering it. [Zeyu Yan] et al. seem to have had the same thought, and so designed circuit boards that can be dissolved and recycled when they become obsolete.

The researchers printed the circuit boards out of water-soluble PVA, with hollow channels in place of interconnects. After printing the boards, they injected a eutectic gallium-indium liquid metal alloy into these channels, populated the boards with components, making sure that their leads were in contact with the liquid alloy, and finally closed off the channels with PVA glue, which also held the components in place. When the board is ready to recycle, they simply dissolve the board and glue in water. The electric components tend to separate easily from the liquid alloy, and both can be recovered and reused. Even the PVA can be reused: the researchers evaporated the solution left after dissolving a board, broke up the remaining PVA, and extruded it as new filament.

The researchers designed a FreeCAD plugin to turn single or multi-layer KiCad circuit layouts into printable files. They had to design a few special sockets to hold components in place, since no solder will be fastening them, but it does support both SMD and through-hole components. The traces have a bit more cross-sectional area than normal copper traces, which has the advantage of compensating for the liquid alloy’s higher resistance; their standard traces had no trouble dissipating heat when carrying 5 amps of current. As a proof of concept, they were able to make a Bluetooth speaker, an electronic fidget toy, and a flexible gripper arm.

This isn’t the first time these researchers have worked on reducing circuit board e-waste; they’ve made solderless and reusable circuit boards before. If you’re interested in more PVA printing, we’ve seen some unusual applications for it.

youtube.com/embed/mByUTr7ITZE?…


hackaday.com/2025/08/19/a-sold…


Roll Your Own SSB Receiver


[Paul Maine] was experimenting with GNU Radio and an RTL-SDR dongle. He created an SSB receiver and, lucky for us, he documented it all in a video you can see below. He walks through how to generate SSB, too. If videos aren’t your thing, you can go back to the blog post from [Gary Schafer] that inspired him to make the video, which is also a wealth of information.

There is a little math — you almost can’t avoid it when talking about this topic. But [Paul] does a good job of explaining it all as painlessly as possible. The intuitive part is simple: An AM signal has most of its power in the carrier and half of what’s left in a redundant sideband. So if you can strip all those parts out and amplify just one sideband, you get better performance.

We love to play with GNU Radio. Sure, the GNU Radio Companion is just a fancy shell over some Python code, but we like how it maps software to blocks like you might use to design a traditional receiver.

If you want to try any of this out and don’t have a sufficient HF antenna or even an HF-capable SDR, no worries. [Paul] thoughtfully recorded some IQ samples off the air into a file. You can play back through your design to test how it works.

If you have never used GNU Radio, starting with audio isn’t a bad way to get your feet wet. That’s how we started our tutorial a decade ago. Still worth working through it if you are trying to get started.



hackaday.com/2025/08/19/roll-y…


2025 One Hertz Challenge: Atomic Decay Clock is Accurate But Not Precise


At this point, atomic clocks are old news. They’ve been quietly keeping our world on schedule for decades now, and have been through several iterations with each generation gaining more accuracy. They generally all work under the same physical principle though — a radio signal stimulates a gas at a specific frequency, and the response of the gas is used to tune the frequency. This yields high accuracy and high precision — the spacing between each “tick” of an atomic clock doesn’t vary by much, and the ticks cumulatively track the time with very little drift.

All of this had [alnwlsn] thinking about whether he could make an “atomic” clock that measures actual radioactive decay, rather than relying on the hyperfine transition states of atoms. Frustratingly, most of the radioactive materials that are readily available have pretty long half-lives — on the order of decades or centuries. Trying to quantify small changes in the energy output of such a sample over the course of seconds or minutes would be impossible, so he decided to focus on the byproduct of decay — the particles being emitted.

He used a microcontroller to count clicks from a Geiger-Müller tube, and used the count to calculate elapsed time by multiplying by a calibration factor (the expected number of clicks per second). While this is wildly inaccurate in the short term (he’s actually used the same system to generate random numbers), over time it smooths out and can provide a meaningful reading. After one year of continuous operation, the counter was only off by about 26 minutes, or 4.4 seconds per day. That’s better than most mechanical wristwatches (though a traditional Rubidium atomic clock would be less than six milliseconds off, and NIST’s Strontium clock would be within 6.67×10^-11 seconds).

The end result is a probabilistic radiometric timepiece that has style (he even built a clock face with hands, rather than just displaying the time on an LCD). Better yet, it’s got a status page where you can check on how it’s running. We’ve seen quite a few atomic clocks over the years, but this one is unique and a great entry into the 2025 One Hertz Challenge.

2025 Hackaday One Hertz Challenge


hackaday.com/2025/08/19/2025-o…


Food Irradiation Is Not As Bad As It Sounds


Radiation is a bad thing that we don’t want to be exposed to, or so the conventional wisdom goes. We’re most familiar with it in the context of industrial risks and the stories of nuclear disasters that threaten entire cities and contaminate local food chains. It’s certainly not something you’d want anywhere near your dinner, right?

You might then be surprised to find that a great deal of research has been conducted into the process of food irradiation. It’s actually intended to ensure food is safer for human consumption, and has become widely used around the world.

Drop It Like It’s Hot


Food irradiation might sound like a process from an old science fiction movie, but it has a very real and very useful purpose. It’s a reliable way to eliminate pathogens and extend shelf life, with only a few specific drawbacks. Despite being approved by health organizations worldwide and used commercially since the 1950s, it remains one of the most misunderstood technologies in our food system.
The basic concept is simple—radiation can kill pathogens while leaving the food unharmed. Credit: IAEA
The fundamental concept behind food irradiation is simple. Food is exposed to ionizing radiation in controlled doses in order to disrupt the DNA of harmful microorganisms, parasites, and insects. The method is useful both in single-serving contexts, such as individual meal rations, and in bulk contexts, such as shipping large quantities of wheat. Irradiation can outright kill bacteria in food that’s intended for human consumption, or leave pests unable to reproduce, ensuring a shipment of grain doesn’t carry harmful insects across national borders.

It’s important to note that food irradiation doesn’t make the food itself radioactive. This process doesn’t make food radioactive any more than a chest X-ray makes your body radioactive, since the energy levels involved simply aren’t high enough. The radiation passes through the food, breaking the chemical bonds that make up the genetic material of unwanted organisms. It effectively sterilizes or kills them, ideally without significantly changing the food itself. It also can be used to reduce sprouting of some species like potatoes or onions, and also delay ripening of fruits post-harvest, thanks to its effect on microbes and enzymes that influence these processes.

The concept of food irradiation dates back a long way, far beyond what we would typically call the nuclear age. At the dawn of the 20th century, there was some interest in using then-novel X-rays to deal with pests in food and aid with preservation. A handful of patents were issued, though these had little impact outside the academic realm.

It was only in the years after World War II that things really kicked off in earnest, with the US Army in particular investing a great deal of money to investigate the potential benefits of food irradiation (also known as radurization). With the aid of modern, potent sources of radiation, studies were undertaken at laboratories at the Quartermaster Food and Container Institute, and later at the Natick R&D Command. Much early research focused on meats—specifically beef, poultry, and pork products. A technique was developed which involved cooking food, portioning it, and sealing it in vacuum packs. It would then be frozen and irradiated at a set minimum dose. This process was developed to the point that refrigeration became unnecessary in some cases, and avoided the need to use potentially harmful chemical preservatives in food. These were all highly desirable attributes which promised to improve military logistics.


Food irradiation eventually spread beyond research and into the mainstream.

The technology would eventually spread beyond military research. By the late 1950s, a German effort was irradiating spices at a commercial level. By 1985, the US Food and Drug Administration had approved irradiation of pork, which became a key target for radurization in order to deal with trichinosis parasites. In time, commercialized methods would be approved in a number of countries to control insects in fruits, vegetables, and bulk foods like legumes and grain, and to prevent sprouting during transport. NASA even began using irradiated foods for space missions in the 1970s, recognizing that traditional food preservation methods aren’t always practical when you’re orbiting Earth. This space-age application highlights one of irradiation’s key advantages—it works without chemicals and eliminates the need for ongoing refrigeration to avoid spoilage. That’s a huge benefit for space missions which can save a great deal of weight by not taking a fridge with them. It also helps astronauts avoid foodborne illnesses, which are incredibly impractical in the confines of a spaceship. Irradiated food has also been used in hospitals to protect immune-compromised patients from another potential source of infection.

How It’s Done

A truck-mounted food irradiator, used in a demonstration tour around the United States in the late 1960s. Credit: US Department of Energy
Three main types of radiation are used commercially to treat food. Gamma rays from cobalt-60 or cesium-137 sources penetrate deeply into food, and it’s possible to use these isotopes to produce uniform and controlled doses of radiation. Cobalt-60 is more commonly used, as it is easier to obtain and carries fewer risks. Isotope sources can’t be switched “off,” so they are stored in water pools when not in use to absorb their radiation output. Electron beams, generated by linear accelerators, offer precise control of dosage, but have limited penetration depth into food, limiting their use cases to specific foods. X-rays, produced when high-energy electrons strike a metal target, combine the benefits of both gamma rays and electron beams. They have excellent penetration and can be easily controlled by switching the X-ray source on and off. The choice depends on the specific application, with factors like food density, package size, and required dose uniformity all playing roles. Whatever method is used, there’s generally no real risk of the food becoming radioactive. That’s because the X-rays, electron beams, and gamma rays used for irradiation are all below the energy levels that would be required to actually affect the nucleus of the atoms in the food. Instead, they’re only strong enough to break chemical bonds. It is thus important to ensure the irradiation process does not cause harmful changes in whatever material the food is stored in; much research has gone into finding safe materials that are compatible with the irradiation process.
A chamber used for gamma ray food irradiation with cobalt-60. Credit: Swimmaaj
The dosage levels used in food irradiation are carefully calibrated and measured in grays (Gy) or, more typically, kilograys (kGy). Low doses of 0.1 to 1 kGy can inhibit sprouting in potatoes and onions or delay ripening in fruits. Medium doses of 1 to 10 kGy eliminate insects and reduce pathogenic bacteria. High doses above 10 kGy can sterilize foods for long-term storage or for space- or hospital-based use, though these doses are not as widely used for commercial food products.

By and large, irradiation does not have a major effect on a food’s taste, appearance, or texture. Studies have shown that irradiation can cause some minor changes to food’s nutritional content, as noted by the World Health Organization. However, while irradiation can highly degrade vitamins in a pure solution, in food items, losses are typically on the order of a few percent at most. The losses are often comparable to or less than those from traditional processing methods like canning or freezing. Changes to carbohydrates, proteins, and lipids are usually very limited. The US FDA, World Health Organization, and similar authorities in many countries have approved food irradiation in many contexts, with studies bearing out its overall safety.
The Radura logo is used to mark foods that have been treated with irradiation. Credit: US FDA
In some extreme cases, though, irradiation can cause problems. In 2008, Orijen cat foods were recalled in Australia after the irradiated product was found to be causing illness in cats. This was not a result of any radioactive byproduct. Instead, the issue was that the high dose (>50 kGy) of radiation used had depleted vitamin A content in the food. Since pets are often fed a very limited diet, this led to nutrient deficiencies and the unfortunate deaths of a number of animals prior to being recalled.

The regulatory landscape varies significantly worldwide, both in dose levels and in labelling. While the United States allows irradiation of various foods including spices, fruits, vegetables, grains, and meats, rules mandate that irradiated products are clearly identified. The distinctive radura symbol—a stylized flower in a circle—must appear alongside text stating “treated with radiation” or “treated by irradiation.” Some countries have embraced the technology more fully; others less so. EU countries primarily allow radiation treatments for herbs and spices only, while in Brazil, just about any food may be irradiated to whatever dose deemed necessary, though doses above 10 kGy should have a legitimate technological purpose.

Overall, food irradiation is a scary-sounding technology that actually makes food a lot safer. It’s not something we think about on the regular, but it has become an important part of the international food supply nonetheless. Where there are pests to prevent and pathogens to quash, irradiation can prove a useful tool to preserve the quality of food and protect those that eat it.


hackaday.com/2025/08/19/food-i…


The VLF Transformation


People have long been interested in very low frequency (VLF) radio signals. But it used to be you pretty much had to build your own receiver which, luckily, wasn’t as hard as building your own VHF or UHF gear. But there is a problem. These low frequencies have a very long wavelength and, thus, need very large antennas to get any reception. [Electronics Unmessed] says he has an answer.

These days, if you want to explore any part of the radio spectrum, you can probably do it easily with a software-defined radio (SDR). But the antenna is the key part that you are probably lacking. A small antenna will not work well at all. The video covers a fairly common idea, the loop antenna, but his approach to loops is a bit different in that it uses a matching transformer, and he backs his thoughts up with modeling and practical results.

Of course, transformers also introduce loss, but — as always — everything is a trade-off. Running hundreds of feet of wire in your yard or even in a loop is not always a possibility. This antenna looks like it provides good performance and it would be simple to duplicate.

Early radio was VLF. Turns out, VLF may provide an unexpected public service in space.



hackaday.com/2025/08/19/the-vl…


How to Sink a Ship: Preparing the SS United States For its Final Journey


When we last brought you word of the SS United States, the future of the storied vessel was unclear. Since 1996, the 990 foot (302 meter) ship — the largest ocean liner ever to be constructed in the United States — had been wasting away at Pier 82 in Philadelphia. While the SS United States Conservancy was formed in 2009 to support the ship financially and attempt to redevelop it into a tourist attraction, their limited funding meant little could be done to restore or even maintain it. In January of 2024, frustrated by the lack of progress, the owners of the pier took the Conservancy to court and began the process of evicting the once-great liner.
SS United States docked at Pier 82 in Philadelphia
It was hoped that a last-minute investor might appear, allowing the Conservancy to move the ship to a new home. But unfortunately, the only offer that came in wasn’t quite what fans of the vessel had in mind: Florida’s Okaloosa County offered $1 million to purchase the ship so they could sink it and turn it into the world’s largest artificial reef.

The Conservancy originally considered it a contingency offer, stating that they would only accept it if no other options to save the ship presented themselves. But by October of 2024, with time running out, they accepted Okaloosa’s offer as a preferable fate for the United States compared to being scrapped.

It at least means the ship will remain intact — acting not only as an important refuge for aquatic life, but as a destination for recreational divers for decades to come. The Conservancy has also announced plans to open a museum in Okaloosa, where artifacts from the ship will be on display.

Laying a Behemoth to Rest


Sinking a ship is easy enough, it happens accidentally all the time. But intentionally sinking a ship, technically referred to as scuttling, in such a way that it sits upright on the bottom is another matter entirely. Especially for a ship the size of the SS United States, which will officially become both the largest intact ocean liner on the seafloor (beating out HMHS Britannic and her sister RMS Titanic) and the largest artificial reef in the world (taking the title from the USS Oriskany) when it eventually goes down.

The SS United States is currently in Mobile, Alabama, where it is being prepared for scuttling by Modern American Recycling Services and Coleen Marine. After a complete survey of the ship’s structural state, holes will be strategically cut throughout the hull. These will let the ship take on water in a more predictable way during the sinking, and also allow access to the inside of the hull for both sea life and divers. Internally, hatches and bulkheads will be removed for the same reason, though areas deemed too dangerous for recreational divers may be sealed off for safety.

At the same time, the ship must be thoroughly cleaned before it makes its final plunge into the waters off of Florida’s coast. Any remaining fuel or lubricants must be removed, as must any loose paint. Plastics that could break down, and anything that might contain traces of toxins such as lead or mercury, will also be stripped from the ship. In the end, the goal is to have very little left beyond the hull itself and machinery that’s too large to remove.
The forward funnel of the SS United States is removed and loaded onto a barge.
Finally, there’s the issue of depth. While the final resting place of the SS United States has yet to be determined, the depth is limited by the fact that Okaloosa wants to encourage recreational divers to visit. The upper decks of the ship must be located at a depth that’s reasonable for amateur divers to reach safely, but at the same time, the wreck can’t present a hazard to navigation for ships on the surface.

Once on the bottom, the goal is to have the upper decks of the ship at a depth of approximately 55 feet (17 m), making it accessible to even beginner divers. Unfortunately, the ship’s iconic swept-back funnels stand 65 feet (20 m) off the deck. While the tips of the funnels breaking through the surface of the water might make for a striking visual, it would of course be completely impractical.


As such, the funnels and mast of the United States have just recently been removed. But thankfully, they aren’t being sent off to the scrapper. Instead, they will become key components of what the Conservancy is calling the “SS United States Museum and Visitor Experience.”

Honoring America’s Flagship


While the SS United States will welcome visitors willing to get their feet wet, not everyone who wants to explore the legacy of the ship will have to strap on a scuba tank. As part of the deal to purchase the ship, Okaloosa County has been working with the Conservancy to develop a museum dedicated to the ship and the cultural milieu in which she was developed and built.

Naturally, the museum will house many artifacts from the ship’s career. The Conservancy is already in the process of recalling many of the items in their collection which were loaned out while the ship was docked in Philadelphia. But uniquely, the building will also incorporate parts of the ship itself, including the funnels, mast, anchor, and at least one of the propellers.
Concept art for the SS United States Museum and Visitor Experience by Thinc Design.
Combined with some clever architecture by Thinc Design, the idea is for the museum’s structure to invoke the look of the ship itself. The Conservancy has released a number of concept images that depict various approaches being considered, the most striking of which essentially recreates the profile of the great liner with its bow extended out over the Florida waters.

A Bittersweet Farewell


To be sure, this is not the fate that the SS United States Conservancy had in mind when they purchased the ship. Over the years, they put forth a number of proposals that would have seen the ship either turned into a static attraction like the Queen Mary or returned to passenger service. But the funding always fell through, and with each year that passed the ship’s condition only got worse, making its potential restoration even more expensive.
Image Credit: SS United States Conservancy
It’s an unfortunate reality that many great ships have ended up being sold for scrap. Consider the RMS Olympic; despite being the last surviving ship of her class after the sinking of her sisters Titanic and Britannic, and having a long and storied career that included service as a troop ship during the First World War, she ended up having her fittings auctioned off before ultimately being torn to pieces in the late 1930s. It was an ending so unceremonious that the exact date of her final demolition has been lost to time. Meanwhile her sunken sisters, safe from the scrapper’s reach on the sea floor, continue to be studied and explored to this day.

In an ideal world, the SS United States would be afforded the same treatment as the USS New Jersey — it would be lovingly restored and live on as a museum ship for future generations to appreciate. But failing that, it would seem that spending the next century or so playing host to schools of fish and awestruck scuba divers is a more fitting end to America’s flagship than being turned into so many paperclips.


hackaday.com/2025/08/19/how-to…


Volkswagen Joins the Car-As-A-Service Movement With Its ID.3 BEV


More and more car manufacturers these days are becoming interested in the recurring revenue model, with Volkswagen’s ID.3 BEV being the latest to have an optional ‘motor power upgrade’ that you can pay for either monthly or with a ‘lifetime’ payment.

As the BBC reports, this option is now available in the UK, with customers offered the option to pay £16.50 per month or £165 annually, or opt to shell out £649 for what is reportedly a ‘car lifetime’ subscription.

It appears that this subscription service has been in the works for a while already, having first been offered last year in countries like Denmark, and it has since been rolled out in other countries too. The software unlock changes the maximum motor output from 150 kW to 170 kW, which some users report as being noticeable.

Regardless of whether you find this to be a good deal, the concept of Car-As-A-Service (CAAS) has become increasingly prevalent, with the BBC article referencing BMW’s heated seats subscription and Mercedes’ acceleration subscription. Considering that all the hardware is already in the car that you purportedly purchased, this is sure to rub people the wrong way, not to mention that from a car tuning perspective this seems to suggest that third-party tuners need not apply.

Thanks to [Robert Piston] for the tip.


hackaday.com/2025/08/19/volksw…


GodRAT – New RAT targeting financial institutions



Summary


In September 2024, we detected malicious activity targeting financial (trading and brokerage) firms through the distribution of malicious .scr (screen saver) files disguised as financial documents via Skype messenger. The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase. To evade detection, the attackers used steganography to embed shellcode within image files. This shellcode downloads GodRAT from a Command-and-Control (C2) server.

GodRAT supports additional plugins. Once installed, attackers utilized the FileManager plugin to explore the victim’s systems and deployed browser password stealers to extract credentials. In addition to GodRAT, they also used AsyncRAT as a secondary implant to maintain extended access.

GodRAT is very similar to AwesomePuppet, another Gh0st RAT-based backdoor, which we reported in 2023, both in its code and distribution method. This suggests that it is probably an evolution of AwesomePuppet, which is in turn likely connected to the Winnti APT.

As of this blog’s publication, the attack remains active, with the most recent detection observed on August 12, 2025. Below is a timeline of attacks based on detections of GodRAT shellcode injector executables. In addition to malicious .scr (screen saver) files, attackers also used .pif (Program Information File) files masquerading as financial documents.

GodRAT shellcode injector executable MD5 | File name | Detection date | Country/territory | Distribution
cf7100bbb5ceb587f04a1f42939e24ab | 2023-2024ClientList&.scr | 2024.09.09 | Hong Kong | via Skype
e723258b75fee6fbd8095f0a2ae7e53c | 2024-11-15_23.45.45 .scr | 2024.11.28 | Hong Kong | via Skype
d09fd377d8566b9d7a5880649a0192b4 | 2024-08-01_2024-12-31Data.scr | 2025.01.09 | United Arab Emirates | via Skype
a6352b2c4a3e00de9e84295c8d505dad | 2025TopDataTransaction&.scr | 2025.02.28 | United Arab Emirates | NA
6c12ec3795b082ec8d5e294e6a5d6d01 | 2024-2025Top&Data.scr | 2025-03-17 | United Arab Emirates | via Skype
bb23d0e061a8535f4cb8c6d724839883 | Corporate customer transaction &volume.pif; corporate customer transaction &volume.zip; company self-media account application qualifications&.zip | 2025-05-26 | United Arab Emirates; Lebanon; Malaysia | NA
160a80a754fd14679e5a7b5fc4aed672 | 个人信息资料&.pdf.pif; informasi pribadi &pelanggan global.pdf.pif; global customers preferential deposit steps&.pif | 2025-07-17 | Hong Kong | NA
2750d4d40902d123a80d24f0d0acc454 | 2025TopClineData&1.scr | 2025-08-12 | United Arab Emirates | NA
441b35ee7c366d4644dca741f51eb729 | 2025TopClineData&.scr | 2025-08-12 | Jordan | NA

Technical details

Malware implants
Shellcode loaders


We identified the use of two types of shellcode loaders, both of which execute the shellcode by injecting it into their own process. The first embeds the shellcode bytes directly into the loader binary, and the second reads the shellcode from an image file.

A GodRAT shellcode injector file named “2024-08-01_2024-12-31Data.scr” (MD5 d09fd377d8566b9d7a5880649a0192b4) is an executable that XOR-decodes embedded shellcode using the following hardcoded key: “OSEDBIU#IUSBDGKJS@SIHUDVNSO*SKJBKSDS#SFDBNXFCB”. A new section is then created in the memory of an executable process, where the decoded shellcode is copied. Then the new section is mapped into the process memory and a thread is spawned to execute the shellcode.

Another file, “2024-11-15_23.45.45 .scr” (MD5 e723258b75fee6fbd8095f0a2ae7e53c), serves as a self-extracting executable containing several embedded files as shown in the image below.

Content of self-extracting executable

Among these is “SDL2.dll” (MD5 512778f0de31fcce281d87f00affa4a8), which is a loader. The loader “SDL2.dll” is loaded by the legitimate executable Valve.exe (MD5 d6d6ddf71c2a46b4735c20ec16270ab6). Both the loader and Valve.exe are signed with an expired digital certificate. The certificate details are as follows:

  • Serial Number: 084caf4df499141d404b7199aa2c2131
  • Issuer Common Name: DigiCert SHA2 Assured ID Code Signing CA
  • Validity: Not Before: Friday, September 25, 2015 at 5:30:00 AM; Not After: Wednesday, October 3, 2018 at 5:30:00 PM
  • Subject: Valve

The loader “SDL2.dll” extracts shellcode bytes hidden within an image file “2024-11-15_23.45.45.jpg”. The image file represents some sort of financial details as shown below.

The loader allocates memory, copies the extracted shellcode bytes, and spawns a thread to execute it. We’ve also identified similar loaders that extracted shellcode from an image file named “2024-12-10_05.59.18.18.jpg”. One such loader (MD5 58f54b88f2009864db7e7a5d1610d27d) creates a registry load point entry at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyStartupApp” that points to the legitimate executable Valve.exe.

Shellcode functionality


The shellcode begins by searching for the string “godinfo,” which is immediately followed by configuration data that is decoded using the single-byte XOR key 0x63. The decoded configuration contains the following details: C2 IP address, port, and module command line string. The shellcode connects to the C2 server and transmits the string “GETGOD.” The C2 server responds with data representing the next (second) stage of the shellcode. This second-stage shellcode includes bootstrap code, a UPX-packed GodRAT DLL and configuration data. However, after downloading the second-stage shellcode, the first stage shellcode overwrites the configuration data in the second stage with its own configuration data. A new thread is then created to execute the second-stage shellcode. The bootstrap code injects the GodRAT DLL into memory and subsequently invokes the DLL’s entry point and its exported function “run.” The entire next-stage shellcode is passed as an argument to the “run” function.

GodRAT


The GodRAT DLL has the internal name ONLINE.dll and exports only one method: “run”. It checks the command line parameters and performs the following operations:

  1. If the number of command line arguments is one, it copies the command line from the configuration data, which was “C:\Windows\System32\curl.exe” in the analyzed sample. Then it appends the argument “-Puppet” to the command line and creates a new process with the command line “C:\Windows\System32\curl.exe -Puppet”. The parameter “-Puppet” was used in AwesomePuppet RAT in a similar way. If this fails, GodRAT tries to create a process with the hardcoded command “%systemroot%\system2\cmd.exe -Puppet”. If successful, it suspends the process, allocates memory, and writes the shellcode buffer (passed as a parameter to the exported function “run”) to the allocated memory. A thread is then created to execute the shellcode, and the current process exits. This is done to execute GodRAT inside the curl.exe or cmd.exe process.
  2. If the number of command line arguments is greater than one, it checks if the second argument is “-Puppet.” If true, it proceeds with the RAT’s functionality; otherwise, it acts as if the number of command line arguments is one, as described in the previous case.

The RAT establishes a TCP connection to the C2 server on the port from the configuration blob. It collects the following victim information: OS information, local hostname, malware process name and process ID, user account name associated with malware process, installed antivirus software and whether a capture driver is present. A capture driver is probably needed for capturing pictures, but we haven’t observed such behavior in the analyzed sample.

The collected data is zlib (deflate) compressed and then prefixed with a 15-byte header. Afterward, it is XOR-encoded three times per byte. The final data sent to the C2 server includes a 15-byte header followed by the compressed data blob. The header consists of the following fields: magic bytes (\x74\x78\x20), total size (compressed data size + header size), decompressed data size, and a fixed DWORD (1 for incoming data and 2 for outgoing data). The data received from the C2 is only XOR-decoded, again three times per byte. This received data includes a 15-byte header followed by the command data. The RAT can perform the following operations based on the received command data:

  • Inject a received plugin DLL into memory and call its exported method “PluginMe”, passing the C2 hostname and port as arguments. It supports different plugins, but we only saw deployment of the FileManager plugin
  • Close the socket and terminate the RAT process
  • Download a file from a provided URL and launch it using the CreateProcessA API, using the default desktop (WinSta0\Default)
  • Open a given URL using the shell command for opening Internet Explorer (e.g. “C:\Program Files\Internet Explorer\iexplore.exe” %1)
  • Same as above but specify the default desktop (WinSta0\Default)
  • Create the file “%AppData%\config.ini”, create a section named “config” inside this file, and create in that section a key called “NoteName” with the string provided from the C2 as its value
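The C2 framing described above (15-byte header, zlib body, triple XOR) lends itself to a consistency check that an analyst can run over captured traffic. The following parser is an added example written for this post, not code from the report or from the malware; it assumes little-endian field order and uses placeholder single-byte XOR keys, since the report gives neither the byte order nor the key values.

```python
import struct
import zlib

# Header layout from the report: 3 magic bytes, total size, decompressed size,
# and a fixed direction DWORD. Little-endian is an assumption (x86 Windows).
MAGIC = b"\x74\x78\x20"
HEADER_FMT = "<3sIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 3 + 4 + 4 + 4 == 15
DIRECTION_INCOMING = 1                     # C2 -> implant
DIRECTION_OUTGOING = 2                     # implant -> C2

# Placeholder keys for the three XOR passes. The real key bytes are not in
# the report; these are constructed so the example runs end to end.
PLACEHOLDER_XOR_KEYS = (0x5A, 0x3C, 0x7E)


def xor_layers(data: bytes, keys=PLACEHOLDER_XOR_KEYS) -> bytes:
    """Apply one single-byte XOR pass per key. XOR is its own inverse, so the
    same call strips the obfuscation from a captured frame."""
    out = bytearray(data)
    for key in keys:
        for i, b in enumerate(out):
            out[i] = b ^ key
    return bytes(out)


def parse_frame(buf: bytes):
    """Unpack one de-obfuscated frame and run every consistency check.

    Returns (direction, payload). Outgoing frames carry a zlib body whose
    inflated length must match the decompressed-size field. The report says
    data received from the C2 is only XOR-decoded, so incoming command data
    is returned as-is without inflating it.
    """
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than the 15-byte header")
    magic, total_size, decompressed_size, direction = struct.unpack(
        HEADER_FMT, buf[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("magic bytes do not match")
    if total_size != len(buf):
        raise ValueError(f"header total size {total_size} != buffer length {len(buf)}")
    body = buf[HEADER_LEN:]
    if direction == DIRECTION_OUTGOING:
        try:
            payload = zlib.decompress(body)
        except zlib.error as exc:
            raise ValueError(f"body is not valid zlib data: {exc}") from exc
        if len(payload) != decompressed_size:
            raise ValueError(f"inflated {len(payload)} bytes, header says {decompressed_size}")
        return direction, payload
    if direction == DIRECTION_INCOMING:
        return direction, body
    raise ValueError(f"unexpected direction value {direction}")


def is_godrat_frame(obfuscated: bytes, keys=PLACEHOLDER_XOR_KEYS) -> bool:
    """Detection helper: strip the XOR layers, then accept only buffers that
    pass the magic, size and zlib checks."""
    try:
        parse_frame(xor_layers(obfuscated, keys))
        return True
    except ValueError:
        return False


def build_frame(payload: bytes, direction: int, keys=PLACEHOLDER_XOR_KEYS) -> bytes:
    """Construct a sample frame for exercising the parser (constructed test
    data, not captured traffic)."""
    if direction == DIRECTION_OUTGOING:
        body = zlib.compress(payload)
    elif direction == DIRECTION_INCOMING:
        body = payload
    else:
        raise ValueError("direction must be 1 (incoming) or 2 (outgoing)")
    header = struct.pack(HEADER_FMT, MAGIC, HEADER_LEN + len(body), len(payload), direction)
    return xor_layers(header + body, keys)


if __name__ == "__main__":
    sample = build_frame(b"constructed victim info blob", DIRECTION_OUTGOING)
    print(is_godrat_frame(sample), parse_frame(xor_layers(sample)))
```

A real capture would need the actual XOR key bytes recovered from the sample; with those substituted for the placeholders, the size and zlib checks give a low-false-positive signature for this framing.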


GodRAT FileManager plugin


The FileManager plugin DLL has the internal name FILE.dll and exports a single method called PluginMe. This plugin gathers the following victim information: details about logical drives (including drive letter, drive type, total bytes, available free bytes, file system name, and volume name), the desktop path of the currently logged-on user, and whether the user is operating under the SYSTEM account. The plugin can perform the following operations based on the commands it receives:

  • List files and folders at a specified location, collecting details like type (file or folder), name, size, and last write time
  • Write data to an existing file at a specified offset
  • Read data from a file at a specified offset
  • Delete a file at a specified path
  • Recursively delete files at a specified path
  • Check for the existence of a specified file. If the file exists, send its size; otherwise, create a file for writing.
  • Create a directory at a specified path
  • Move an existing file or directory, including its children
  • Open a specified application with its window visible using the ShellExecuteA API
  • Open a specified application with its window hidden using the ShellExecuteA API
  • Execute a specified command line with a hidden window using cmd.exe
  • Search for files at a specified location, collecting absolute file paths, sizes, and last write times
  • Stop a file search operation
  • Execute 7zip by writing hard-coded 7zip executable bytes to “%AppData%\7z.exe” (MD5 eb8d53f9276d67afafb393a5b16e7c61) and “%AppData%\7z.dll” (MD5 e055aa2b77890647bdf5878b534fba2c), then running “%AppData%\7z.exe” with parameters provided by the C2. The utility is used to unpack dropped files.


Second-stage payload


The attackers deployed the following second-stage implants using GodRAT’s FileManager plugin:

Chrome password stealer


The stealer is placed at “%ALLUSERSPROFILE%\google\chrome.exe” (MD5 31385291c01bb25d635d098f91708905). It looks for Chrome database files with login data for accessed websites, including URLs and usernames used for authentication, as well as user passwords. The collected data is saved in the file “google.txt” within the module’s directory. The stealer searches for the following files:

  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data – an SQLite database with “logins” and “stats” tables. This can be used to extract URLs and usernames used for authentication. Passwords are stored encrypted and are not readable directly.
  • %LOCALAPPDATA%\Google\Chrome\User Data\Local State – a file that contains the encryption key needed to decrypt stored passwords.


MSEdge password stealer


The stealer is placed at “%ALLUSERSPROFILE%\google\msedge.exe” (MD5 cdd5c08b43238c47087a5d914d61c943). The collected data is stored in the file “edge.txt” in the module’s directory. The module attempts to extract passwords using the following database and file:

  • %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data – the “Login Data” SQLite database stores Edge logins in the “logins” table.
  • %LOCALAPPDATA%\Microsoft\Edge\User Data\Local State – this file contains the encryption key used to decrypt saved passwords.


AsyncRAT


The DLL file (MD5 605f25606bb925d61ccc47f0150db674) is an injector and is placed at “%LOCALAPPDATA%\bugreport\LoggerCollector.dll” or “%ALLUSERSPROFILE%\bugreport\LoggerCollector.dll”. It verifies that the module name matches “bugreport_.exe”. The loader then XOR-decodes embedded shellcode using the key “EG9RUOFIBVODSLFJBXLSVWKJENQWBIVUKDSZADVXBWEADSXZCXBVADZXVZXZXCBWES”. After decoding, it subtracts the second key “IUDSY86BVUIQNOEWSUFHGV87QCI3WEVBRSFUKIHVJQW7E8RBUYCBQO3WEIQWEXCSSA” from each shellcode byte.

A new memory section is created, the decoded shellcode is copied into it, and the section is then mapped into the current process. A thread is started to execute the code in this section. The shellcode reflectively loads the C# AsyncRAT binary. Before injection, it patches the AMSI scanning functions (AmsiScanBuffer, AmsiScanString) and EtwEventWrite so that the in-memory .NET payload is neither scanned by AMSI nor reported through ETW.
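The two-step decoding of the embedded shellcode, as an added example written for this page (not the loader's own code). It uses the two key strings quoted above exactly as given; what the report does not state is how the keys are indexed, so cycling each key per byte (byte i pairs with key[i % len(key)]) is an assumption, as is the constructed sample “shellcode”, which is a harmless NOP sled ending in INT3.

```python
# Key strings as quoted in the analysis of LoggerCollector.dll.
XOR_KEY = b"EG9RUOFIBVODSLFJBXLSVWKJENQWBIVUKDSZADVXBWEADSXZCXBVADZXVZXZXCBWES"
SUB_KEY = b"IUDSY86BVUIQNOEWSUFHGV87QCI3WEVBRSFUKIHVJQW7E8RBUYCBQO3WEIQWEXCSSA"

# Constructed stand-in for the real shellcode: eight NOPs and an INT3.
SAMPLE_SHELLCODE = b"\x90" * 8 + b"\xCC"


def decode_shellcode(blob: bytes) -> bytes:
    """Loader order as described: XOR with the first key, then subtract the second
    key from each byte (modulo 256).
    ASSUMPTION: both keys repeat per byte; the report gives the operations, not the indexing."""
    out = bytearray(len(blob))
    for i, b in enumerate(blob):
        x = b ^ XOR_KEY[i % len(XOR_KEY)]
        out[i] = (x - SUB_KEY[i % len(SUB_KEY)]) & 0xFF
    return bytes(out)


def encode_shellcode(shellcode: bytes) -> bytes:
    """Inverse transform, i.e. what a builder must do: add the second key, then XOR
    with the first. Used here to produce a test blob and to show the two steps
    do not commute (add-then-XOR is not XOR-then-add)."""
    out = bytearray(len(shellcode))
    for i, b in enumerate(shellcode):
        x = (b + SUB_KEY[i % len(SUB_KEY)]) & 0xFF
        out[i] = x ^ XOR_KEY[i % len(XOR_KEY)]
    return bytes(out)


def find_key_strings(sample: bytes) -> dict:
    """Static triage: both keys are plain ASCII in the DLL, so a file carrying them
    is a strong hunt hit before any decoding is attempted."""
    return {"xor_key": XOR_KEY in sample, "sub_key": SUB_KEY in sample}


if __name__ == "__main__":
    encoded = encode_shellcode(SAMPLE_SHELLCODE)
    print(encoded.hex())
    print(decode_shellcode(encoded) == SAMPLE_SHELLCODE)
```

Because the subtraction step is not an involution, running the XOR stage alone on a carved blob yields garbage that still looks random; an analyst who only recovers the first key will not see a valid PE or shellcode prologue until the second key is applied in the right order.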
AsyncRAT includes an embedded certificate with the following properties:

  • Serial Number: df:2d:51:bf:e8:ec:0c:dc:d9:9a:3e:e8:57:1b:d9
  • Issuer: CN = marke
  • Validity: Not Before: Sep 4 18:59:09 2024 GMT; Not After: Dec 31 23:59:59 9999 GMT
  • Subject: CN = marke


GodRAT client source and builder


We discovered the source code for the GodRAT client on a popular online malware scanner. It had been uploaded in July 2024. The file is named “GodRAT V3.5_______dll.rar” (MD5 04bf56c6491c5a455efea7dbf94145f1). This archive also includes the GodRAT builder (MD5 5f7087039cb42090003cc9dbb493215e), which allows users to generate either an executable file or a DLL. If an executable is chosen, users can pick a legitimate executable name from a list (svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe and QQScLauncher.exe) to inject the code into. When saving the final payload, the user can choose the file type (.exe, .com, .bat, .scr and .pif). The source code is based on Gh0st RAT, as indicated by the fact that the auto-generated UID in “GodRAT.h” file matches that of “gh0st.h”, which suggests that GodRAT was originally just a renamed version of Gh0st RAT.

Figure: GodRAT.h

Figure: gh0st.h

Conclusions


The rare command line parameter “puppet”, together with code similarities to Gh0st RAT and shared artifacts such as the fingerprint header, indicates that GodRAT shares a common origin with AwesomePuppet RAT, which we described in a private report in 2023. That RAT is also based on the Gh0st RAT source code and is likely connected with Winnti APT activity. Based on these findings, we are highly confident that GodRAT is an evolution of AwesomePuppet. There are some differences, however: for example, the GodRAT C2 packet uses the “direction” header field, which AwesomePuppet did not.

Old implant codebases such as Gh0st RAT, now nearly two decades old, remain in use today, customized and rebuilt to target a wide range of victims. Such implants have been used by many threat actors over the years, and the GodRAT discovery shows that a legacy codebase like Gh0st RAT can still have a long lifespan in the threat landscape.

Indicators of Compromise

File hashes


cf7100bbb5ceb587f04a1f42939e24ab
d09fd377d8566b9d7a5880649a0192b4 GodRAT Shellcode Injector
e723258b75fee6fbd8095f0a2ae7e53c GodRAT Self Extracting Executable
a6352b2c4a3e00de9e84295c8d505dad
6c12ec3795b082ec8d5e294e6a5d6d01
bb23d0e061a8535f4cb8c6d724839883
160a80a754fd14679e5a7b5fc4aed672
2750d4d40902d123a80d24f0d0acc454
441b35ee7c366d4644dca741f51eb729
318f5bf9894ac424fd4faf4ba857155e GodRAT Shellcode Injector
512778f0de31fcce281d87f00affa4a8 GodRAT Shellcode Injector
6cad01ca86e8cd5339ff1e8fff4c8558 GodRAT Shellcode Injector
58f54b88f2009864db7e7a5d1610d27d GodRAT Shellcode Injector
64dfcdd8f511f4c71d19f5a58139f2c0 GodRAT FileManager Plugin(n)
8008375eec7550d6d8e0eaf24389cf81 GodRAT
04bf56c6491c5a455efea7dbf94145f1 GodRAT source code
5f7087039cb42090003cc9dbb493215e GodRAT Builder
31385291c01bb25d635d098f91708905 Chrome Password Stealer
cdd5c08b43238c47087a5d914d61c943 MSEdge Password Stealer
605f25606bb925d61ccc47f0150db674 Async RAT Injector (n)
961188d6903866496c954f03ecff2a72 Async RAT Injector
4ecd2cf02bdf19cdbc5507e85a32c657 Async RAT
17e71cd415272a6469386f95366d3b64 Async RAT

File paths


C:\users\[username]\downloads\2023-2024clientlist&.scr
C:\users\[username]\downloads\2024-11-15_23.45.45 .scr
C:\Users\[username]\Downloads\2024-08-01_2024-12-31Data.scr
C:\Users\[username]\\Downloads\2025TopDataTransaction&.scr
C:\Users\[username]\Downloads\2024-2025Top&Data.scr
C:\Users\[username]\Downloads\2025TopClineData&1.scr
C:\Users\[username]\Downloads\Corporate customer transaction &volume.pif
C:\telegram desktop\Company self-media account application qualifications&.zip
C:\Users\[username]\Downloads\个人信息资料&.pdf.pif
%ALLUSERSPROFILE%\bugreport\360Safe2.exe
%ALLUSERSPROFILE%\google\chrome.exe
%ALLUSERSPROFILE%\google\msedge.exe
%LOCALAPPDATA%\valve\valve\SDL2.dll
%LOCALAPPDATA%\bugreport\LoggerCollector.dll
%ALLUSERSPROFILE%\bugreport\LoggerCollector.dll
%LOCALAPPDATA%\bugreport\bugreport_.exe

Domains and IPs


103[.]237[.]92[.]191 GodRAT C2
118[.]99[.]3[.]33 GodRAT C2
118[.]107[.]46[.]174 GodRAT C2
154[.]91[.]183[.]174 GodRAT C2
wuwu6[.]cfd AsyncRAT C2
156[.]241[.]134[.]49 AsyncRAT C2
https://holoohg.oss-cn-hongkong.aliyuncs[.]com/HG.txt AsyncRAT URL
47[.]238[.]124[.]68 AsyncRAT C2


securelist.com/godrat/117119/