Have you ever dreamed of making a bash script that assembles Intel 8080 machine code? [Chris Smith] did exactly that when he created xa.sh, a cross-assembler written entirely in Bourne shell script.
Assembly language (like the above) goes in, a binary comes out.
The script exists in part as a celebration of the power inherent in a standard Unix shell with quite ordinary POSIX-compliant command line tools like awk, sed, and printf. But [Chris] admits that mostly he found the whole project amusing.

It’s designed in a way that adding support for 6502 and 6809 machine code would be easy, assuming 8080 support isn’t already funny enough on its own.

It’s not particularly efficient and it’s got some quirks, most of which involve syntax handling (hexadecimal notation should stick to 0 or 0x prefixes instead of $ to avoid shell misinterpretations) but it works.

Want to give it a try? It’s a shell script, so pull a copy and and just make it executable. As long as the usual command-line tools exist (meaning your system is from sometime in the last thirty-odd years), it should run just fine as-is.

An ambitious bash script like this one recalls how our own Al Williams shared ways to make better bash scripts by treating it just a bit more like the full-blown programming language it qualifies as.

hackaday.com/2026/02/06/full-b…

The Commodore Amiga was famous for its characteristic Say voice, with its robotic enunciation being somewhat emblematic of the 16-bit era. The Commodore VIC-20 had no such capability out of the box, but [Mike] was able to get one talking with a little bit of work.

The project centers around the Adventureland cartridge, created by Scott Adams (but not the one you’re thinking of). It was a simple game that was able to deliver speech with the aid of the Votrax Type and Talk speech synthesizer box. Those aren’t exactly easy to come by, so [Mike] set about creating a modern equivalent. The concept was simple enough. An Arduino would be used to act as a go between the VIC-20’s slow serial port operating at 300 bps and the Speakjet and TTS256 chips which both preferred to talk at 9600 bps. The audio output of the Speakjet is then passed to an LM386 op-amp, set up as an amplifier to drive a small speaker. The lashed-together TTS system basically just reads out the text from the Adventureland game in an incredibly robotic voice. It’s relatively hard to understand and has poor cadence, but it does work – in much the same way as the original Type and Talk setup would have back in the day!

Text to speech tools have come a long way since the 1980s, particularly when it comes to sounding more natural. Video after the break.

youtube.com/embed/rORB7LeL5KE?…

[Thanks to Stephen Walters for the tip!]

hackaday.com/2026/02/05/gettin…

[Prof MAD] runs us through The Hidden Power of Inductors — Why Coils Resist Change.

The less often used of the passive components, the humble and mysterious inductor is the subject of this video. The essence of inductance is a conductor’s tendency to resist changes in current. When the current is steady it is invisible, but when current changes an inductor pushes back. The good old waterwheel analogy is given to explain what an inductor’s effect is like.

There are three things to notice about the effect of an inductor: increases in current are delayed, decreases in current are delayed, and when there is no change in current there is no noticeable effect. The inductor doesn’t resist current flow, but it does resist changes in current flow. This resistive effect only occurs when current is changing, and it is known as “inductive reactance”.

After explaining an inductor’s behavior the video digs into how a typical inductor coil actually achieves this. The basic idea is that the inductor stores energy in a magnetic field, and it takes some time to charge up or discharge this field, accounting for the delay in current that is seen.

There’s a warning about high voltages which can be seen when power to an inductor is suddenly cut off. Typically a circuit will include snubber circuits or flyback diodes to help manage such effects which can otherwise damage components or lead to electric shock.

[Prof MAD] spends the rest of the video with some math that explains how voltage across an inductor is proportional to the rate of change of current over time (the first derivative of current against time). The inductance can then be defined as a constant of proportionality (L). This is the voltage that appears across a coil when current changes by 1 ampere per second, opposing the change. The unit is the volt-second-per-ampere (VsA^-1) which is known as the Henry, named in honor of the American physicist Joseph Henry.

Inductance can sometimes be put to good use in circuits, but just as often it is unwanted parasitic induction whose effects need to be mitigated, for more info see: Inductance In PCB Layout: The Good, The Bad, And The Fugly.

youtube.com/embed/S--0-hkSARU?…

hackaday.com/2026/02/05/a-deep…

[GizmoThrill] shows off a design for an absolutely gorgeous, high-fidelity replica of the main character’s helmet from the video game Satisfactory. But the best part is the technique used to create the visor: just design around a cheap set of full-face “sunglasses” to completely avoid having to mold your own custom faceplate.

One of the most challenging parts of any custom helmet build is how to make a high-quality visor or faceplate. Most folks heat up a sheet of plastic and form it carefully around a mold, but [GizmoThrill] approached the problem from the other direction. After spotting a full-face sun visor online, they decided to design the helmet around the readily-accessible visor instead of the other way around.

The first thing to do with the visor is cover it with painter’s tape and 3D scan it. Once that’s done, the 3D model of the visor allows the rest of the helmet to be designed around it. In the case of the Satisfactory helmet, the design of the visor is a perfect match for the game’s helmet, but one could easily be designing their own custom headgear with this technique.
The hexagon grid pattern? It’s actually a clear vinyl sticker and doesn’t obstruct vision at all. Another clever touch.
With the helmet 3D printed, [GizmoThrill] heads to the bandsaw to cut away any excess from the visor, and secure it in place. That’s all there is to it! Sure, you don’t have full control over the visor’s actual shape, but it sure beats the tons and tons of sanding involved otherwise.

There’s a video tour of the whole process that shows off a number of other design features we really like. For example, metal mesh in the cheek areas and in front of the mouth means a fan can circulate air easily, so the one doesn’t fog up the inside of the visor with one’s very first breath. The mesh itself is concealed with some greebles mounted on top. You can see all those details up close in the video, embedded just below.

The helmet design is thanks to [Punished Props] and we’ve seen their work before. This trick for turning affordable and somewhat gimmicky sunglasses into something truly time-saving is definitely worth keeping in mind.

youtube.com/embed/9zncjfnF110?…

hackaday.com/2026/02/05/gimmic…

WELCOM BACK TO THE FREE MONTHLY EDITION of Digital Politics.I'm Mark Scott, and will be in Amsterdam and Brussels during the week of Feb 16, and then back in Brussels the week of Feb 23. If you're around for coffee, drop me a line here.

Also, apologies to those of you who are struggling to access the web version of this newsletter. There are ongoing technical difficulties linked with Ghost's back-end infrastructure. I'm working to resolve this asap.

— What defines digital policymaking is fundamentally shifting from a focus on online issues to those that directly affect the offline world.

— American lawmakers are again debating if Europe's online safety rules threaten the First Amendment. What is actually going on here?

— The world's semiconductor market remains highly concentrated within East Asia.

Let's get started:

THE END OF TECH POLICY AS WE KNOW IT

FOR YEARS, YOU COULD DIVIDE DIGITAL POLICYMAKING into three main camps. There was antitrust, privacy and platform governance. Some would argue that artificial intelligence deserves its own bucket. But, for me, AI fitted neatly into one of the three existing dogmas that underpinned decades of governance efforts linked to the online world.

That era is now over.

It's not that antitrust, privacy and platform governance, as topics, are either "solved" or relegated to the trash heap of history. If anything, these policymaking topics are now more pressing, in 2026, than at any other time in history. Yet it is time for those of us enmeshed in this world to acknowledge what has been on a slow burn for at least the last decade. Now, tech policy is as much an industrial policy issue — with all the political ramifications that come with that — as it is something that merely affects (and I say this with a pinch of salt) people and their interactions with some of the largest companies on earth.

By industrial policy issue, I mean the offline-online nexus of topics that encompass everything from the climate change problems and employment issues connected to data centres to the high politics of semiconductor subsidies and global tariffs imposed on electric vehicles. These topics significantly expand from the "antitrust, privacy and platform governance" cocoon that many of us, including myself, have lived in as the world has woken up to the fact that what happens online inevitably has consequences for the offline world.

There are many reasons for this shift.

In part, policymakers are fickle beasts, and the rise of semiconductors, large language models and "digital sovereignty" has allowed many to expand their interests from often wonky digital policy topics to those that have a more direct effect on the world around them.

Thanks for reading the free monthly version of Digital Politics. Paid subscribers receive at least one newsletter a week. If that sounds like your jam, please sign up here.

Here's what paid subscribers read in January:
— Why the decline of US tech leadership, the rise of China as an internet governor, the growth of AI slop around elections, and the implications of child online safety rules will define 2026. More here.
— Europe wants to revamp its digital rules. Its citizens aren't so sure; Washington's departure from more than 60 international organizations shows how US officials are tactically engaging with global digital issues; Who dominates the world of data centers. More here.
— The transatlantic digital relationship has gone from bad to worse; Everything you need to know about India's AI Impact Summit; How many teenagers' social media accounts have been removed in Australia. More here.
— After Greenland-Gate, Europe is taking the gloves off when it comes to digital sovereignty; ByteDance's sale of its US TikTok unit doesn't solve any of the underlying problems; Teenagers are more open to smartphone bans than you might think. More here.

It's also true that many of the global efforts to update antitrust, privacy and platform governance rules — from the United States and European Union to Brazil and South Africa — have only had middling success. Some of that is down to policymaking being, well, hard. But the increasing geopolitical consequences (see the next section on the EU-US platform spat) of these decisions have often made actual legislating hard. Even those who have passed laws (looking at you, Brussels) must live with the reality that not all of their revamped digital rulebook has been the success that many had first hoped for.

National leaders have similarly embraced this "industrialization" of tech policy with open arms.

Being seen to open a new semiconductor foundry or data center is just better retail politics, in the short term, compared to the hard yakka required to pass child safety rules or unpick the oligopoly of a small number of Silicon Valley giants. It's not that some (but not all) lawmakers want to do those things. But it's an easier lift to return to political form via tax incentives and other subsidies to entice foreign firms to set up locally than to build complex coalitions to update national data protection regulation that few people actually understand.

I don't mean to denigrate this shift. The world is seeking economic growth — often powered by artificial intelligence. Politicians and policymakers face hard trade-offs between updating national economies to meet these new demands and supporting the more traditional digital wonkery which has defined the last 12 years of my career.

It's also true you can have both tech-driven industrial policy and digital policy that focuses on antitrust, privacy and platform governance. But what is becoming clear in 2026 is that many policymakers are shifting toward the former and away from the latter. That will require a recalibration for many (again, including myself) who feel more comfortable discussing the inner workings of ex ante digital competition reforms than how best to construct a federated system of data centres with the least energy footprint possible.

It's a mind-shift from almost exclusively focusing on the online world — often with offline consequences — to acknowledging that tech-focused industrial policy includes a greater number of traditional "analogue" policy areas than many of us have been used to dealing with.

That includes a heavy dose of trade policy as the world hurtles toward a zero-sum, mercantilist viewpoint where re-shoring, export controls and subsidies tied to foreign direct investment are as important as whether social media companies are held accountable for what is posted within their global networks.

It also includes a mishmash of policymaking specialisms that combines digital policy with labor policy with climate change policy with public health policy with a myriad of other policy areas which all intersect in this expanded form of tech-related industrial policy. Such coalitions are hard to create. Everyone believes their subject area is the most important and, routinely, experts speak past each other in jargon that no one outside of these communities understands.

None of this should take focus away from the ongoing problems associated with antitrust, privacy and platform governance. If Digital Politics can be read as anything, it's an indictment that within those three areas, there is still a lot of work to do.

But we should not remain siloed into what is comfortable and overlook what is happening around us. National leaders — mostly spurred on by the AI hype — are wedded to this blending of tech and industrial policy in the name of economic growth. That will have knock-on consequences beyond the digital realm, especially as the global labor force tries to navigate the complexities of the current techno-enabled geopolitical uncertainty.

Just like in last week's newsletteron the more muscular approach to digital sovereignty, within Europe, after the Greenland crisis, I do not yet have solutions to much of the complexity outlined above. It's going to be hard. But pretending that tech policy has not morphed into something more offline, more industrial and more multi-disciplinary would be a mistake.

It's time for many of us to evolve to meet this new challenge.

Chart of the Week

NOT ALL SEMICONDUCTORS ARE CREATED equally. But in terms of total production, three regions — East Asia, the US and the EU — represented more than 90 percent of the collective global annual production, based on figures from 2024, the last full-year available.

Even that geographical breakdown doesn't tell the full story.

East Asia, as a region, produces roughly three-fourths of the world's microchips. Within that, Taiwan manufactures 60 percent of total global semiconductor production — a figure that rises to 90 percent for the most advanced chips.
Source: Technology in Global Affairs

THE US TO EUROPE'S ONLINE SAFETY RULES: I JUST CAN'T QUIT YOU

YOU HAVE TO HAND IT TO CONGRESS. They may not be able to pass any digital rules (with maybe the exception of ByteDance's TikTok US offloading), but they sure like a hearing about how Europe is censoring Americans online. On Feb 4, the House of Representatives' Judiciary Committee will hold its second hearing entitled "Europe's Threat to American Speech and Innovation: Part II." Watch along here at 10am ET / 4pm CET / 3pm UK. You can read a report Republican lawmakers published to outline their arguments here.

The hearing follows a similar meeting, in September, which included British politician Nigel Farage comparing the United Kingdom to North Korea — because of the country's online safety regime, known as the Online Safety Act (editor's note: the UK is not like North Korea.) David Kaye, a University of California professor who gave evidence at the invitation of the Democrats, suggested it was the US, not Europe, that was undermining free speech.

Some US politicians and influencers' aversion to European online safety rules are well known. Accusations include subverting Americans' free speech rights; forcing platforms to crack down on legal speech online; and working with outside researchers to demote most right-wing social media users due to an alleged woke agenda. For more on what this looks like on the ground, check out my dispatch from 2023.

First things first: Europe's online safety rules are not about quelling free speech rights. Both the EU's Digital Services Act and UK's Online Safety Act enshrine protections for free speech into each separate legislation. (Disclaimer: I sit on an independent committee at Ofcom, the British regulator which oversees the country's rules, and anything I say here is in a personal capacity.) At their roots, these online safety regimes are exercises in transparency which are aimed at holding social media companies to their word on how they implement internal terms of service.

If these companies don't follow mostly internal procedures — or, in the case of X, flagrantly disregard basic transparency requirements — then they will be held responsible for those actions. Such regulatory oversight is standard in sectors from financial services to pharmaceuticals. X is appealing its fine under the EU's Digital Services Act.

Many European officials believe they can win over American critics by explaining the basics of how these regimes operate. If only we can make them understand the inner workings of mandatory risk assessment and audit requirements, goes the theory, then they will realize that no one wants to harm free speech.

That framing misses the point.

If this was about the specifics of these online safety rules, then it would be obvious — based on the actual reading of the documents (here and here) — that censorship is not at the heart of this legislation. Or, if you don't want to scroll through those pages, read this from the European rules:

"Providers of intermediary services shallact in a diligent, objective and proportionate manner in applying and enforcing the restrictions referred to in paragraph 1, with due regard to the rights and legitimate interests of all parties involved, including the fundamental rights of the recipients of the service, such as the freedom of expression, freedom and pluralism of the media, and other fundamental rights and freedoms as enshrined in the Charter." (Emphasis in bold is my own)

But if you read these American criticisms as part of a decades-old attempt to hobble Europe from regulating US tech firms — in everything from antitrust, privacy and platform governance (see above section) — then these latest attacks on the Old World's online safety rules start to make sense.

Sign up for Digital Politics

Thanks for getting this far. Enjoyed what you've read? Why not receive weekly updates on how the worlds of technology and politics are colliding like never before. The first two weeks of any paid subscription are free.

Subscribe
Email sent! Check your inbox to complete your signup.

No spam. Unsubscribe anytime.

It's not specifically about which article within the UK's Online Safety Act is alleged to silence Americans within the US (note: there are none.) Instead, it's part of an ongoing effort — albeit one on steroids — that includes many US politicians and policymakers pushing back against European concerns that American tech giants may not be playing fairly when operating on the other side of the Atlantic.

That goes for everything from Silicon Valley's alleged weaponization of EU privacy rules to cement their dominance to ongoing claims that American social media companies are not transparent about what often polarising posts show up in Europeans' feeds.

It's notable that in the Feb 4 hearing in Washington, another topic under discussion is how the EU's Digital Markets Act and other corporate transparency rules "target American companies and hurt innovation." It's hard to square how criticism aimed at Europe's online safety rules should go hand in hand with complaints about the Continent's digital competition rules. Unless, that is, you view these discussions as part of the wider — and decades-old — pushback from Washington against Brussels' (and, to a lesser degree London's) attempt to hold some of the US' largest firms to account.

None of that excuses the ongoing attacks aimed at destroying the EU and UK's online safety rules — all in the name of protecting American free speech. Such rhetoric from some in the US has arguably made the European online information space more dangerous and harmful, in part due to companies' willingness to pull back on their online safety protocols to align with such American criticism.

What I'm reading

— A tech entrepreneur set up a Reddit-style social media that only AI agents could post to. Humans are relegated to just watching along. Check it out here.

— The European Commission open two proceedings into Google's obligations under the Digital MarketS Act. More here.

— The Netherlands is moving toward ditching US tech services for those created either domestically or within the EU. More here.

— Maldita, the Spanish fact-checker, found more than 500 TikTok accounts that produced AI-generated videos of alleged political protests in violation of its commitments under the EU's online safety regime. More here.

— The Irish regulator in charge of the EU's Digital Services Act published guidance on how independent researchers could apply for access to private data held within social media companies. More here.

digitalpolitics.co/newsletter0…

IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and will be in Amsterdam and Brussels during the week of Feb 16, and then back in Brussels the week of Feb 23. If you're around for coffee, drop me a line here.

Also, apologies to those of you who struggled to open/read last week's dispatch. It was caused by an issue with Ghost's back-end infrastructure. Hopefully, it's all working this week.

— What defines digital policymaking is fundamentally shifting from a focus on online issues to those that directly affect the offline world.

— American lawmakers are again debating if Europe's online safety rules threaten the First Amendment. What is actually going on here?

— The world's semiconductor market remains highly concentrated within East Asia.

Let's get started:

digitalpolitics.co/newsletter0…

Introduction

Stan Ghouls (also known as Bloody Wolf) is an cybercriminal group that has been launching targeted attacks against organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan since at least 2023. These attackers primarily have their sights set on the manufacturing, finance, and IT sectors. Their campaigns are meticulously prepared and tailored to specific victims, featuring a signature toolkit of custom Java-based malware loaders and a sprawling infrastructure with resources dedicated to specific campaigns.

We continuously track Stan Ghouls’ activity, providing our clients with intel on their tactics, techniques, procedures, and latest campaigns. In this post, we share the results of our most recent deep dive into a campaign targeting Uzbekistan, where we identified roughly 50 victims. About 10 devices in Russia were also hit, with a handful of others scattered across Kazakhstan, Turkey, Serbia, and Belarus (though those last three were likely just collateral damage).

During our investigation, we spotted shifts in the attackers’ infrastructure – specifically, a batch of new domains. We also uncovered evidence suggesting that Stan Ghouls may have added IoT-focused malware to their arsenal.

Technical details

Threat evolution

Stan Ghouls relies on phishing emails packed with malicious PDF attachments as their initial entry point. Historically, the group’s weapon of choice was the remote access Trojan (RAT) STRRAT, also known as Strigoi Master. Last year, however, they switched strategies, opting to misuse legitimate software, NetSupport, to maintain control over infected machines.

Given Stan Ghouls’ targeting of financial institutions, we believe their primary motive is financial gain. That said, their heavy use of RATs may also hint at cyberespionage.

Like any other organized cybercrime groups, Stan Ghouls frequently refreshes its infrastructure. To track their campaigns effectively, you have to continuously analyze their activity.

Initial infection vector

As we’ve mentioned, Stan Ghouls’ primary – and currently only – delivery method is spear phishing. Specifically, they favor emails loaded with malicious PDF attachments. This has been backed up by research from several of our industry peers (1, 2, 3). Interestingly, the attackers prefer to use local languages rather than opting for international mainstays like Russian or English. Below is an example of an email spotted in a previous campaign targeting users in Kyrgyzstan.

Example of a phishing email from a previous Stan Ghouls campaign

The email is written in Kyrgyz and translates to: “The service has contacted you. Materials for review are attached. Sincerely”.

The attachment was a malicious PDF file titled “Постановление_Районный_суд_Кчрм_3566_28-01-25_OL4_scan.pdf” (the title, written in Russian, posed it as an order of district court).

During the most recent campaign, which primarily targeted victims in Uzbekistan, the attackers deployed spear-phishing emails written in Uzbek:

Example of a spear-phishing email from the latest campaign

The email text can be translated as follows:
[redacted] AKMALZHON IBROHIMOVICH

You will receive a court notice. Application for retrial. The case is under review by the district court. Judicial Service.

Mustaqillik Street, 147 Uraboshi Village, Quva District.
The attachment, named E-SUD_705306256_ljro_varaqasi.pdf (MD5: 7556e2f5a8f7d7531f28508f718cb83d), is a standard one-page decoy PDF:

The embedded decoy document

Notice that the attackers claim that the “case materials” (which are actually the malicious loader) can only be opened using the Java Runtime Environment.

They even helpfully provide a link for the victim to download and install it from the official website.

The malicious loader

The decoy document contains identical text in both Russian and Uzbek, featuring two links that point to the malicious loader:

• Uzbek link (“- Ish materiallari 09.12.2025 y”): hxxps://mysoliq-uz[.]com/api/v2/documents/financial/Q4-2025/audited/consolidated/with-notes/financials/reports/annual/2025/tashkent/statistical-statements/
• Russian link (“- Материалы дела 09.12.2025 г.”): hxxps://my-xb[.]com/api/v2/documents/financial/Q4-2025/audited/consolidated/with-notes/financials/reports/annual/2025/tashkent/statistical-statements/

Both links lead to the exact same JAR file (MD5: 95db93454ec1d581311c832122d21b20).

It’s worth noting that these attackers are constantly updating their infrastructure, registering new domains for every new campaign. In the relatively short history of this threat, we’ve already mapped out over 35 domains tied to Stan Ghouls.

The malicious loader handles three main tasks:

1. Displaying a fake error message to trick the user into thinking the application can’t run. The message in the screenshot translates to: “This application cannot be run in your OS. Please use another device.”
   
   Fake error message
2. Checking that the number of previous RAT installation attempts is less than three. If the limit is reached, the loader terminates and throws the following error: “Urinishlar chegarasidan oshildi. Boshqa kompyuterni tekshiring.” This translates to: “Attempt limit reached. Try another computer.”
   
   The limitCheck procedure for verifying the number of RAT download attempts
3. Downloading a remote management utility from a malicious domain and saving it to the victim’s machine. Stan Ghouls loaders typically contain a list of several domains and will iterate through them until they find one that’s live.
   
   The performanceResourceUpdate procedure for downloading the remote management utility

The loader fetches the following files, which make up the components of the NetSupport RAT: PCICHEK.DLL, client32.exe, advpack.dll, msvcr100.dll, remcmdstub.exe, ir50_qcx.dll, client32.ini, AudioCapture.dll, kbdlk41a.dll, KBDSF.DLL, tcctl32.dll, HTCTL32.DLL, kbdibm02.DLL, kbd101c.DLL, kbd106n.dll, ir50_32.dll, nskbfltr.inf, NSM.lic, pcicapi.dll, PCICL32.dll, qwave.dll. This list is hardcoded in the malicious loader’s body. To ensure the download was successful, it checks for the presence of the client32.exe executable. If the file is found, the loader generates a NetSupport launch script (run.bat), drops it into the folder with the other files, and executes it:

The createBatAndRun procedure for creating and executing the run.bat file, which then launches the NetSupport RAT

The loader also ensures NetSupport persistence by adding it to startup using the following three methods:

1. It creates an autorun script named SoliqUZ_Run.bat and drops it into the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup):
   
   The generateAutorunScript procedure for creating the batch file and placing it in the Startup folder
2. It adds the run.bat file to the registry’s autorun key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\malicious_key_name).
   
   The registryStartupAdd procedure for adding the RAT launch script to the registry autorun key
3. It creates a scheduled task to trigger run.bat using the following command:
   schtasks Create /TN "[malicious_task_name]" /TR "[path_to_run.bat]" /SC ONLOGON /RL LIMITED /F /RU "[%USERNAME%]"
   
   The installStartupTask procedure for creating a scheduled task to launch the NetSupport RAT (via run.bat)

Once the NetSupport RAT is downloaded, installed, and executed, the attackers gain total control over the victim’s machine. While we don’t have enough telemetry to say with 100% certainty what they do once they’re in, the heavy focus on finance-related organizations suggests that the group is primarily after its victims’ money. That said, we can’t rule out cyberespionage either.

Malicious utilities for targeting IoT infrastructure

Previous Stan Ghouls attacks targeting organizations in Kyrgyzstan, as documented by Group-IB researchers, featured a NetSupport RAT configuration file client32.ini with the MD5 hash cb9c28a4c6657ae5ea810020cb214ff0. While reports mention the Kyrgyzstan campaign kicked off in June 2025, Kaspersky solutions first flagged this exact config file on May 16, 2025. At that time, it contained the following NetSupport RAT command-and-control server info:
...

[HTTP]CMPI=60
GatewayAddress=hgame33[.]com:443
GSK=FN:L?ADAFI:F?BCPGD;N>IAO9J>J@N
Port=443
SecondaryGateway=ravinads[.]com:443
SecondaryPort=443
At the time of our January 2026 investigation, our telemetry showed that the domain specified in that config, hgame33[.]com, was also hosting the following files:

• hxxp://www.hgame33[.]com/00101010101001/morte.spc
• hxxp://hgame33[.]com/00101010101001/debug
• hxxp://www.hgame33[.]com/00101010101001/morte.x86
• hxxp://www.hgame33[.]com/00101010101001/morte.mpsl
• hxxp://www.hgame33[.]com/00101010101001/morte.arm7
• hxxp://www.hgame33[.]com/00101010101001/morte.sh4
• hxxp://hgame33[.]com/00101010101001/morte.arm
• hxxp://hgame33[.]com/00101010101001/morte.i686
• hxxp://hgame33[.]com/00101010101001/morte.arc
• hxxp://hgame33[.]com/00101010101001/morte.arm5
• hxxp://hgame33[.]com/00101010101001/morte.arm6
• hxxp://www.hgame33[.]com/00101010101001/morte.m68k
• hxxp://www.hgame33[.]com/00101010101001/morte.ppc
• hxxp://www.hgame33[.]com/00101010101001/morte.x86_64
• hxxp://hgame33[.]com/00101010101001/morte.mips

All of these files belong to the infamous IoT malware named Mirai. Since they are sitting on a server tied to the Stan Ghouls’ campaign targeting Kyrgyzstan, we can hypothesize – with a low degree of confidence – that the group has expanded its toolkit to include IoT-based threats. However, it’s also possible it simply shared its infrastructure with other threat actors who were the ones actually wielding Mirai. This theory is backed up by the fact that the domain’s registration info was last updated on July 4, 2025, at 11:46:11 – well after Stan Ghouls’ activity in May and June.

Attribution

We attribute this campaign to the Stan Ghouls (Bloody Wolf) group with a high degree of confidence, based on the following similarities to the attackers’ previous campaigns:

1. Substantial code overlaps were found within the malicious loaders. For example:
   
   Code snippet from sample 1acd4592a4eb0c66642cc7b07213e9c9584c6140210779fbc9ebb76a90738d5e, the loader from the Group-IB report

   
   Code snippet from sample 95db93454ec1d581311c832122d21b20, the NetSupport loader described here

2. Decoy documents in both campaigns look identical.
   
   Decoy document 5d840b741d1061d51d9786f8009c37038c395c129bee608616740141f3b202bb from the campaign reported by Group-IB

   
   Decoy document 106911ba54f7e5e609c702504e69c89a used in the campaign described here

3. In both current and past campaigns, the attackers utilized loaders written in Java. Given that Java has fallen out of fashion with malicious loader authors in recent years, it serves as a distinct fingerprint for Stan Ghouls.

Victims

We identified approximately 50 victims of this campaign in Uzbekistan, alongside 10 in Russia and a handful of others in Kazakhstan, Turkey, Serbia, and Belarus (we suspect the infections in these last three countries were accidental). Nearly all phishing emails and decoy files in this campaign were written in Uzbek, which aligns with the group’s track record of leveraging the native languages of their target countries.

Most of the victims are tied to industrial manufacturing, finance, and IT. Furthermore, we observed infection attempts on devices within government organizations, logistics companies, medical facilities, and educational institutions.

It is worth noting that over 60 victims is quite a high headcount for a sophisticated campaign. This suggests the attackers have enough resources to maintain manual remote control over dozens of infected devices simultaneously.

Takeaways

In this post, we’ve broken down the recent campaign by the Stan Ghouls group. The attackers set their sights on organizations in industrial manufacturing, IT, and finance, primarily located in Uzbekistan. However, the ripple effect also reached Russia, Kazakhstan, and a few, likely accidental, victims elsewhere.

With over 60 targets hit, this is a remarkably high volume for a sophisticated targeted campaign. It points to the significant resources these actors are willing to pour into their operations. Interestingly, despite this, the group sticks to a familiar toolkit including the legitimate NetSupport remote management utility and their signature custom Java-based loader. The only thing they seem to keep updating is their infrastructure. For this specific campaign, they employed two new domains to house their malicious loader and one new domain dedicated to hosting NetSupport RAT files.

One curious discovery was the presence of Mirai files on a domain linked to the group’s previous campaigns. This might suggest Stan Ghouls are branching out into IoT malware, though it’s still too early to call it with total certainty.

We’re keeping a close watch on Stan Ghouls and will continue to keep our customers in the loop regarding the group’s latest moves. Kaspersky products provide robust protection against this threat at every stage of the attack lifecycle.

Indicators of compromise

* Additional IoCs and a YARA rule for detecting Stan Ghouls activity are available to customers of our Threat Intelligence Reporting service. For more details, contact us at crimewareintel@kaspersky.com.

PDF decoys

B4FF4AA3EBA9409F9F1A5210C95DC5C3
AF9321DDB4BEF0C3CD1FF3C7C786F0E2
056B75FE0D230E6FF53AC508E0F93CCB
DB84FEBFD85F1469C28B4ED70AC6A638
649C7CACDD545E30D015EDB9FCAB3A0C
BE0C87A83267F1CE13B3F75C78EAC295
78CB3ABD00A1975BEBEDA852B2450873
51703911DC437D4E3910CE7F866C970E
FA53B0FCEF08F8FF3FFDDFEE7F1F4F1A
79D0EEAFB30AA2BD4C261A51104F6ACC
8DA8F0339D17E2466B3D73236D18B835
299A7E3D6118AD91A9B6D37F94AC685B
62AFACC37B71D564D75A58FC161900C3
047A600E3AFBF4286175BADD4D88F131
ED0CCADA1FE1E13EF78553A48260D932
C363CD87178FD660C25CDD8D978685F6
61FF22BA4C3DF7AE4A936FCFDEB020EA
B51D9EDC1DC8B6200F260589A4300009
923557554730247D37E782DB3BEA365D
60C34AD7E1F183A973FB8EE29DC454E8
0CC80A24841401529EC9C6A845609775
0CE06C962E07E63D780E5C2777A661FC

Malicious loaders

1b740b17e53c4daeed45148bfbee4f14
3f99fed688c51977b122789a094fec2e
8b0bbe7dc960f7185c330baa3d9b214c
95db93454ec1d581311c832122d21b20
646a680856f837254e6e361857458e17
8064f7ac9a5aa845ded6a1100a1d5752
d0cf8946acd3d12df1e8ae4bb34f1a6e
db796d87acb7d980264fdcf5e94757f0
e3cb4dafa1fb596e1e34e4b139be1b05
e0023eb058b0c82585a7340b6ed4cc06
0bf01810201004dcc484b3396607a483
4C4FA06BD840405FBEC34FE49D759E8D
A539A07891A339479C596BABE3060EA6
b13f7ccbedfb71b0211c14afe0815b36
f14275f8f420afd0f9a62f3992860d68
3f41091afd6256701dd70ac20c1c79fe
5c4a57e2e40049f8e8a6a74aa8085c80
7e8feb501885eff246d4cb43c468b411
8aa104e64b00b049264dc1b01412e6d9
8c63818261735ddff2fe98b3ae23bf7d

Malicious domains

mysoliq-uz[.]com
my-xb[.]com
xarid-uz[.]com
ach-uz[.]com
soliq-uz[.]com
minjust-kg[.]com
esf-kg[.]com
taxnotice-kg[.]com
notice-kg[.]com
proauditkg[.]com
kgauditcheck[.]com
servicedoc-kg[.]com
auditnotice-kg[.]com
tax-kg[.]com
rouming-uz[.]com
audit-kg[.]com
kyrgyzstanreview[.]com
salyk-notofocations[.]com

securelist.com/stan-ghouls-in-…

Macropads can be as simple as a few buttons hooked up to a microcontroller to do the USB HID dance and talk to a PC. However, you can go a lot further, too. [CNCDan] demonstrates this well with his sleek macropad build, which throws haptic feedback into the mix.

The build features six programmable macro buttons, which are situated either on side of a 128×64 OLED display. This setup allows the OLED screen to show icons that explain the functionality of each button. There’s also a nice large rotary knob, surrounded by 20 addressable WS2811 LEDs for visual feedback. Underneath the knob lives an an encoder, as well as a brushless motor typically used in gimbal builds, which is driven by a TMC6300 motor driver board. Everything is laced up to a Waveshare RP2040 Plus devboard which runs the show. It’s responsible for controlling the motors, reading the knob and switches, and speaking USB to the PC that it’s plugged into.

It’s a compact device that nonetheless should prove to be a good productivity booster on the bench. We’ve featured [CNCDan’s] work before, too, such as this nifty DIY VR headset.

youtube.com/embed/bNUKRJQjuvQ?…

hackaday.com/2026/02/05/diy-ma…

Over the past couple of years with the Jenny’s Daily Drivers series, we’ve looked at a number of unusual or noteworthy operating systems. Among them has been ReactOS, an open source clone of a millennium-era Windows OS, which we tried back in November. It’s one of those slow-burn projects we know has been around for a long time, but still it’s a surprise to find we’ve reached the 30th anniversary of the first ReactOS code commit.

The post is a run through the project’s history, and having followed it for a long time we recognize some of the milestones from the various ISOs we downloaded and tried back in the day. At the end it looks into the future with plans to support more up-to-date hardware as well as UEFI, which we hope will keep it relevant.

When we tried it, we found an OS which could indeed be a Daily Driver on which a Hackaday article could be written — even if it wasn’t the slickest experience on the block. It doesn’t matter that it’s taken a while, if you’re used to Windows XP this has become a usable replacement. We came to the conclusion that like FreeDOS it could find a niche in places where people need a modern version of the old OS to run older software, but perhaps as it now moves towards its mature phase it will move beyond that. We salute the ReactOS developers for bringing it this far, and for not giving up.

You can read our Daily Drivers review of a recent ReactOS build here.

hackaday.com/2026/02/05/three-…

The heat pump has become a common fixture in many parts of modern life. We now have reverse-cycle air conditioning, heat pump hot water systems, and even heat pump dryers. These home appliances have all been marketed as upgrades over simpler technologies from the past, and offer improved efficiency and performance for a somewhat-higher purchase price.

Heat pumps aren’t just for the home, though. They’re becoming an increasingly important part of major public works projects, as utility providers try to do ever more with ever less energy in an attempt to save the planet. These days, heat pumps are getting bigger, and will be doing ever grander things in years to come.

Magical Efficiency

The heat pump is a particularly attractive tool because it has a near-mystical property that virtually no other machine does. It is capable of delivering more heat energy than the amount of electricity fed into it, appearing to effectively have an efficiency greater than unity. We’re told that thermodynamic laws mean that we can never get more energy out than we put in. If you put 1 kW of electrical energy into a resistive heating element, which is near 100% efficient, you should get almost 1 kW of heat out of it, but never a hair more than that. But with a heat pump, you could get 1.5 kW, or even 2 kW for your humble 1 kW input. The trick is that the heat pump is not actually a magical device that can multiply energy out of nothing. Instead, the heat pump’s trick is that it’s not turning your 1 kW input into heat energy. It’s using 1 kW of energy to move heat from one place to another. If you’re running a heat pump-based HVAC system to cool your home, for example, it might use 2 kW of electricity to pump 3 to 4 kW of heat from your lounge room and dissipate it outdoors. Since the outdoors doesn’t change much in temperature when you pump out the heat from your home, you can keep doing this pretty much all day. You can even reverse the flow if your heat pump system allows it, instead pumping heat from the outdoors into your home. This works well until temperatures get so low that there isn’t enough heat left in the outdoors to appreciably warm your house up.
A diagram of a heat pump system. Heat is pumped from the outdoors (B) to the indoors (A), with insulation (I) in between. Note the condensor coils (1), the expansion valve (2), the evaporator coils (3), and the compressor (4). Credit: Ilmari Karonen, GFDL
The heat pump achieves the feat of making heat go where we want it to go via the use of refrigerant. Specifically, refrigerant enters the compressor as a low pressure and low temperature vapor. It exits as a gas at high temperature and high pressure, and is then passed through a series of condenser coils. As it passes through, it releases heat to the surrounding environment and reduces in temperature, condensing into a liquid. From there, the liquid, still under high pressure, passes through an expansion valve, which rapidly lowers the pressure and drops the temperature further. The liquid is now cold, and passes through an evaporator coil where it picks up heat from the surroundings and turns back into a low-pressure, low-temperature vapor to start the cycle again as it heads back to the compressor. This system runs your fridge, your car’s air conditioner, and is used in so many other applications where it’s desirable to make something colder or hotter as efficiently as possible. You just choose which direction you want to pump the heat and design the system accordingly. Air conditioners and fridges pump heat out of a confined space, heaters and dryers pump it in, and so on. It’s heat pumps all the way down!

Bigger Applications

Thus far, you’ve probably used many a heat pump in your daily life, whether it be for heating, cooling, or drying clothes. However, there is a new push to build ever-larger heat pumps to work on the municipal scale, rather than simply serving individual households. The hope is to make utilities more energy efficient, and thus cheaper and greener in turn, by taking advantage of the efficiency gains offered by the magic of the heat pump.
An earlier project saw Siemens Energy team up with MVV to install a heat pump system to supply 3,500 households with 20 megawatts of heat in Mannheim. The new installation will be almost an order of magnitude larger. Credit: SiemensAt 82.5 megawatts each, the new installation features what are perhaps the largest heat pumps in the world. Credit: MVV
One such project is taking place just off the River Rhine in Germany. A pair of massive heat pump units are being constructed by MVV Energie, each with a capacity of 82.5 megawatts. They will deliver heat to a total of 40,000 homes via a district heating system, and will be constructed on the site of a former coal power plant. Each pump will effectively draw energy out of the massive watery heat battery that is the River Rhine, and use it to warm homes in the local area. Thankfully, the river’s capacity is large enough that drawing all that heat out of the river should only affect temperatures of the water by around 0.1 C.

The Rhine project builds upon a previous effort to install a large heat-pump heating system in Mannheim, in partnership with Siemens Energy. That installation draws 7 megawatts of electricity to supply 20 megawatts of heating to the local district heating grid. Installed in 2023, it supplies the heating needs of 3,500 local households.
The Danish installation will use slightly smaller heat pumps, but more of them, for a combined output of 177 megawatts. Credit: MAN Technology
A similar project is underway in Denmark, which will supply 177 megawatts of heat to homes in Aalborg. The installation of four 44 megawatt MAN Technology heat pumps will be hooked up to the existing district heating system, which is also supported by other sources including waste heat from a local cement factory. The benefit of using smaller individual units is that it allows some of the pumps to be shut down when heating demand is lower, as winter passes through autumn into summer.

What makes these projects special is their sheer scale. Rather than being measured in the kilowatt scale like home appliances, they’re measured in the many tens of megawatts, delivering heating to entire neighborhoods instead of single homes. As it turns out, heat pumps work just fine at large scales—you just need to build them out of bigger components. Bigger compressors, bigger expansion valves, and bigger condensors and evaporators—all of these combine to let you pump enormous amounts of heat from one place to another. As utilities around the world seek ever greater efficiency in new projects, heat pumps will likely grow larger and be deployed ever more widely, seeking to take advantage of the free heat on offer in the earth, water, and air around us. After all, there’s no point dumping energy into making heat when you can just move some that’s already there!

hackaday.com/2026/02/05/big-he…

It was January 25th of 1979, at an unassuming Michigan Ford Motor Company factory. Productivity over the past years had been skyrocketing due to increased automation, courtesy of Litton Industry’s industrial robots that among other things helped to pick parts from shelves. Unfortunately, on that day there was an issue with the automated inventory system, so Robert Williams was asked to retrieve parts manually.

As he climbed into the third level of the storage rack, he was crushed from behind by the arm of one of the still active one-ton transfer vehicles, killing him instantly. It would take half an hour before his body was discovered, and many years before the manufacturer would be forced to pay damages to his estate in a settlement. He only lived to be twenty-five years old.

Since Robert’s gruesome death, industrial robots have become much safer, with keep-out zones, sensors, and other safety measures. However this didn’t happen overnight; it’s worth going over some of the robot tragedies to see how we got here.

Just Following Orders

Perhaps the the most terrifying aspect about most industrial robots is that they are fairly simple machines, often just an arm containing a series of stepper motors and the electronics that strictly execute the tasks programmed into it when the manufacturing line was designed and assembled. This means a large metal arm, possibly weighing more than an adult human, that can swing and move around rapidly, with no regard for what might be in between its starting and end position unless designed with safeties in place.
Artist’s depiction of the accident involving a 34-year old US worker and an industrial robot. (Credit: US NIOSH)
This is what led to the death in 1981 of another factory worker, Kenji Urada, a maintenance worker, who was trying to fix a robotic arm. Although a safety fence had been installed at this Japanese plant that would disconnect the power supply of the robot when this fence was unhooked, for some reason Kenji decided to bypass this safety feature and hop over the fence. Moments later he would be dead, crushed by the robotic arm as it accidentally was activated by Kenji while in manual mode.

During the following investigation it was found that Kenji’s colleagues were unfamiliar with the robot’s controls and did not know how to turn it off by simply opening the fence. Subsequently they were unable to render him any aid and were forced to look on in horror until someone was able to power down the robot.

A similar accident occurred in the US in 1984, when a 34-year old operator of an automated die-cast system decided to cross the safety rail around the robot’s operating envelope to clean up some scrap metal on the floor, bypassing the interlocked access in the safety rail. In this case it wasn’t the arm that crushed the worker, but the back end, which the worker apparently had deemed to be ‘safe’. He had received a one-week training course in robotics three weeks prior.

Protecting Squishy Humans

ISO 7010 style warning sign for industrial robots. (Credit: Clemenspool, Wikimedia)
When it comes to industrial robot safety rules, we have to consider a number of factors beyond the straightforward fact that getting crushed by one is a scenario that a reasonable person would want to avoid. The first is that industrial robots are quite expensive, which makes adding major fencing and other safety measures not much of a financial issue in comparison.

The second factor is that while humans are really quite versatile, they tend to have the annoying habit of bypassing safeties despite endless briefings and drills that are designed for their own protection. Let’s call this factor “human nature”. Kenji Urada’s gruesome death is an example of this, but other industries are rife with examples too, giving agencies like the US Chemical Safety Board a seemingly endless collection of safety rule violations to investigate and condense into popular YouTube videos of disaster sequences.

The final, third factor that ties all of this together is that we no longer live in the early decades of the Industrial Revolution, where having a human worker getting caught with an arm between some gears, or crushed by a mechanism would only lead to some clerk rolling their eyes, crossing out a name and sending out an errand boy to post a fresh ‘help wanted’ note.

Ergo, we needed to find ways to human-proof industrial robots against humans and protect us against ourselves.

ISO 10218

Although some nations have their own standards, the overarching international standard is found in ISO 10218, currently in its 2025 update. This standard comes in two parts, ISO 10218-1, which concerns itself with the robot’s individual parts and targets robot manufacturers, as well as ISO 10218-2, which looks at complete systems and the integration of robots.
Germany bakery robots for palletizing food products. Note the plentiful safety fencing. (Credit: KUKA Roboter GmbH, Bachmann)
There are a number of distinct types of hazards when it comes to working around industrial robots, the most obvious of which is the crushing hazard. To prevent this and similar hazards, we can install plentiful of safety fencing to ensure that the squishy human cannot get within the range of the unsuspecting robot.

In the case of an especially persistent human, or potentially a legitimate human maintainer or operator, it’s crucial to ensure that the robot is powered down or rendered harmless in some other way. For example, the safety fence that should have prevented Kenji Urada from losing his life was designed for this, but unfortunately could be bypassed.

Similarly, in the case of Robert Williams there was a tag in/tag out system in place for the robotics, but Robert had not been instructed in this and apparently unaware of the dangers. Being able to bypass such safeties gets us firmly sliding down the rabbit hole of the hierarchy of controls.

The most effective hazard elimination is basically that, but since the robots are rather needed, and we got no replacement for them other than forcing the humans to do all the work again, this step is no real option here.

Next we can try to make robots safer, by adding intrusion detection sensors to the robot’s hazard zone, or as Amazon trialed in 2019 by making the squishy humans in its warehouses wear a device that alerts the robots around them on the warehouse floor of their presence without relying on either machine vision or obstacle recognition.

The placing of physical barriers is next, as part of engineering controls. This effectively tries to prevent humans from wandering into the danger zone like a particularly big fly around a brightly lit up bug zapper. Theoretically by putting a sufficiently daunting barrier between the hazard and the worker will said worker not end up facing their doom.

In an ideal world this would be all that it’d take to guarantee a completely safe work floor, even in the case of some distracted wandering. Of course, this doesn’t help much if said robots are sharing a warehouse floor with humans. To patch up the remaining gaps we got safety training courses as part of the administrative controls, but if these were very effective then the USCSB would already be mostly out of a job.,

The final item in the hierarchy of PPE can easily be skipped in the case of industrial robots, other than perhaps steel-tipped boots, a hard-hat and safety glasses in case of dropped items and flying debris. If an industrial robot’s arm is headed your way, there’s no PPE that will save your skin.

The Future

At this point in time industrial robots are fairly safe from humans, though in the US alone between 1992 and 2015 at least 61 people died due to sharing the same physical space with such a robot or a similar unfortunate event. As the number of robots increases in industry, but also in construction and health care, the topic of safety becomes ever more important.

In the case of a stationary industrial robot it’s fairly easy to just put a big, tall fence around it, lock the only gate and force anyone who absolutely needs access to beg an audience with the maintenance chief. In the case of the thousands of robots rolling around in warehouses like Amazon’s, situational awareness on the part of the robots can help them detect and avoid obstacles.

As long as humans are more fragile and weaker than the robots that they find themselves working around, it’s probably reasonable to expect said humans to pay a modicum of respect to the Death Machine, as the engineers who built them can only add so many technological solutions to what ultimately ends up being a game of idiot-proofing. Because absolutely nobody would ever do these exact things to willingly endanger themselves and/or others.

hackaday.com/2026/02/05/how-in…