As we learn more about all the nasty stuff floating in the air, it becomes more compelling to monitor the air for pollution levels. [Aleksei Tertychnyi] does just that with pollutagNode2, a solar-powered pollution sensor.

The device uses a Seeed Studio Wia-E5 module for its built-in LoRa low power long-range communication capabilities. Pair that with a cheap 2 watt solar panel and a Li-ion battery, and you have a monitoring device that can stay up indefinitely — or until harsh weather gets the better of it. Even if the solar panel were to be omitted, a full charge would last you about two weeks!

It comes on an open-hardware PCB; no need for giant wire messes, just solder the solar panel, battery, sensor, and anything else you want onto the convenient pads on the side. It also integrates into the existing sensor community nicely via existing LoRa infrastructure. All this combined makes it easy for anyone to deploy one.

hackaday.com/2026/04/24/2026-g…

When Elliot Williams and Al Williams compare their notes on the week in Hackaday, you know you’ll get at least one or two bad puns. How bad? Tune in and find out.

This week, Tom Nardi visits several in-person events, and Elliot and Al talk about smart buttons, Itanium, ejecting things from a rocket, and the infinite pickle. Will Elliot build the coin flipper? Will Al use plasma at his next cookout? Hard to say.

For the can’t miss articles, this week, Al swept the category with a post on splices and another on what human junk is still sitting on the moon.

What do you think? Leave us a comment or record something and send it to our mailbag.

html5-player.libsyn.com/embed/…

Download a copy of the podcast with an MP3 from our continuous audio pipeline.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

News:

• VCF East And Maker Faire Make For A Busy Weekend
• Get Your Green Power On!

Mailbag

• Got something to share for the Mailbag? Drop us a line. Already sent something in? Maybe send it again as we were… ahem… experiencing technical difficulties.

What’s that Sound?

• For a change, neither Elliot nor Al knew what the sound was in advance. Think you know that sound? Fill out the form for a chance to win!

Interesting Hacks of the Week:

• DIY Smart Button Gets Surprisingly Complicated
• Itanium: The Great X86 Replacement That Never Was
• Photographing Rocket Chute Deployment At 10 Km
  
  • Ejector Seats: The Rocket Chairs That Save Lives

  
  

• DIY Weather Stations Report In From Chernobyl
  
  • This Reactor Is On Fire! Literally…

  
  

• Hacking Fermentation For Infinite Pickles From Pass-thru Bioreactor
  
  • Pickle Diodes, Asymmetric Jacobs Ladders, And Other AC Surprises
  • Pickle

  
  

• Using Capacitance For Extremely Sensitive Proximity Sensing

Quick Hacks:

• Elliot’s Picks:
  
  • Analog Circuitry Lets You Blow This LED Out
  • ESP32 Hosts A Public Website
  • Autonomous Coin Flipper Flips Expensive Coin

  
  

• Al’s Picks:
  
  • Modded Server PSU Provides Plenty Of Current
  • DIY Nuclear Battery With PV Cells And Tritium
  • Electric Wind-Up Plane Uses Supercapacitors For Free Flight Fun
  • Cooking With Plasma (Not Fire)

  
  

Can’t-Miss Articles:

• The Splice Must Flow
  
  • The Aluminum Wiring Fiasco

  
  

• What Have We Dumped On The Moon?
  
  • Salvage 1 – Wikipedia

  
  

hackaday.com/2026/04/24/hackad…

If you have a desktop 3D printer, you probably want something to hang filament spools on. [LVTRC] has a spool roller that fits the bill. It also incorporates a scale and a round touch screen. (Google Translate)

We’ve seen those round screens before, and now we wonder why we didn’t think of this. The GC9A01 display shows a progress ring and lets you save settings or calibrations to EEPROM. An Arduino Nano provides the brain, and the load cell connects to an HX711. The project is made to fit a specific printer, but it should be little trouble to adapt it to a different printer or to mount it in an external mount.

One of the calibration steps, of course, is to program the weight of an empty spool to subtract from the total weight. The device can store up to five specific profiles.

Not the biggest spool holder we’ve seen. We keep thinking that we don’t know why we want a circular screen, and then someone always drops in to show us another thing we didn’t think about.

hackaday.com/2026/04/24/spool-…

The author of the BlueHammer exploit, which was released earlier this month and addressed in the last Patch Tuesday, continues to be annoyed with the responses from the Microsoft security research and vulnerability response team, and has released another Windows zero-day attack against Windows Defender.

The RedSun exploit targets a logic and timing error in Windows Defender, convincing it to install the target file in the system, instead of quarantining the file and protecting the system. Not, generally, what you would hope would happen.

Since the RedSun attack requires local access in the first place, it seems unlikely Microsoft will release an out-of-sequence patch for it, however with public code available, we can probably expect to see malware leveraging it to establish higher permissions on an infected system.

Releasing exploits out of spite feels like a return to the late 1990s, and I almost don’t hate it.

University Domains Hijacked

Reported in Bleeping Computer, a group tracked as “Hazy Hawk” has been hijacking unmaintained DNS records of universities and government institutions to serve ad click spam.

The attack seems simple and doesn’t even require compromising the actual institution, using dangling DNS “CNAME” records. A “CNAME” entry in DNS acts essentially as an alias, pointing one domain name at another, which can be used to provide content from an official domain that is hosted on a cloud service where the IP address of the service might change.

A DNS “A” (or “AAAA” if you speak IPv6) record points a hostname – like “foo.example.com” – to an IP address – like “1.1.1.1”. A “CNAME” record points a hostname to another hostname, like “foo.some_cloud_host.com”. Scanning “high value” domains (like Ivy League universities) for “CNAME” records which point to expired domains (or domains on cloud hosted providers which no longer exist) lets anyone able to register that domain (or create an account with the proper naming scheme on the cloud host) to post any content they wish, and still appear to be the original name.

At least 30 educational institutions have been impacted, along with several government agencies including the CDC.

Linux Drops Old Network Drivers

A recent patch set to the Linux kernel schedules 18 legacy network drivers for removal, citing an increased maintenance burden due to bugs found by AI and fuzzing tools. This seems to be in line with other recent Linux kernel efforts to deprecate particularly old devices, migrating single-core systems to the multi-core scheduler and flagging i486 support for removal.

All of the devices slated to go are from 2002 or earlier, and are all ISA or PCMCIA Ethernet devices. Ultimately, it probably makes sense to remove problematic drivers for devices which have been out of production for 25 years or more, but it’s personally a bit painful to see the 3COM 3c59x driver going away, which was the first Ethernet card I had in a Linux system.

Bitwarden CLI Client Compromised

Following the theme the past month of supply chain hacks, the latest high-profile casualty is the Bitwarden command line client. There are indications this is the same group responsible for several of the previous weeks of supply chain attacks on NPM, GitHub, and VS Code extensions.

Bitwarden is a password manager, with the option of self-hosting, similar to LastPass or OnePassword. The trojan version of the Bitwarden CLI contains malicious code to spread the supply-chain botnet, by stealing authentication tokens , SSH keys, and AI service tokens. Whenever GitHub tokens are found, the script will also attempt to modify the GitHub Actions –automatic scripts run for code validation or package building — to embed itself in any packaged repository it has write access to.

In many ways, what could have been an astoundingly serious incident – the compromise of the password manager vault – turned into a case of the dog catching the car. (If a dog chasing cars caught one, would he even know what to do with it?) A surprising turn of events from code designed to steal credentials.

Mythos “Hacked”

Anthropic has admitted that there has been “unauthorized access” to the new Mythos model. The company has made copious announcements about the danger their new model brings for security and exploit development, humble-bragging that it is too dangerous for public use. Meanwhile it appears that enthusiasts on an AI-focused Discord were able to social engineer access from a third-party Anthropic contractor.

It is difficult to ascertain what risk Mythos will actually represent once it becomes generally available. Like any new bug discovery tool, the challenge is not only in finding a possible bug, but in validating that it can be triggered. When the concept of fuzzing — spamming programs with invalid or nearly-valid input — was popularized, thousands of bugs were found rapidly. OSS-Fuzz found almost 30,000 bugs in 360 projects, per this paper. That’s truly an intimidating quantity of issues to fix, but hardly heralded as apocalyptic.

The impact of new AI on bug finding will have to be assessed in retrospect, but it’s not exactly comforting that the same company making claims of world-changing danger in their models were still themselves victims to a social engineering campaign that exposed the model for weeks.

Nextcloud Ends Bug Bounty

Another week, another project ending their bug bounty program. This week it’s Nextcloud, a self-hostable file hosting platform – basically an open source Dropbox analogue.

Like other projects, Dropbox puts the blame on a flood of low-quality but time consuming AI generated bug reports. As of April 22, 2026, Nextcloud will no longer offer rewards for bug reports, regardless of the severity of the bug.

iOS Patches Notifications

Apple has released iOS 26.4.2 which fixes a notification issue used recently to expose Signal messages.

A recent court case demonstrated that it was possible to extract the content of Signal messages on an iPhone, even if the app and notifications had been deleted. This is not a flaw in Signal itself, or even limited to iOS devices: when Signal is configured to show the content of a message in a notification, it’s no longer under the control of the Signal app itself. For devices which have the option to show notifications on the lock screen, the content of messages is also no longer protected by user authentication!

Investigators were able to extract the notifications database from the phone, and from there, extract previous Signal notifications containing message content thought to have been deleted.

$2.5 M Stolen from Sri Lanka

Wrapping up, Newswire reports that Sri Lankan officials have confirmed that $2.5 million in funds were stolen from their Ministry of Finance by redirecting a foreign debt repayment. Few details are available, but such attacks typically take advantage of a compromised email account, using existing email threads to continue a conversation and change payment details.

Similar attacks happen on a smaller scale, often targeting real estate agencies and small banks – institutions likely to have little to no information security processes but who handle large lump sums of money. Having it occur on a national level is certainly a little unusual.

hackaday.com/2026/04/24/this-w…

404 Media

2026-04-09 13:27:50

FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database

The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database, multiple people present for FBI testimony in a recent trial told 404 Media. The case involved a group of people setting off fireworks and vandalizing property at the ICE Prairieland Detention Facility in Alvarado, Texas in July, and one shooting a police officer in the neck.

The news shows how forensic extraction—when someone has physical access to a device and is able to run specialized software on it—can yield sensitive data derived from secure messaging apps in unexpected places. Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on.

This post is for subscribers only

Become a member to get access to all content
Subscribe now

FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database

The case was the first time authorities charged people for alleged “Antifa” activities after President Trump designated the umbrella term a terrorist organization.

^{Joseph Cox (404 Media)}

As part of the effort to push Large Language Model (LLM) ‘AI’ into more and more places, Anthropic’s Model Context Protocol (MCP) has been adopted as the standard to connect LLMs with various external tools and systems in a client-server model. A light oversight with the architecture of this protocol is that remote command execution (RCE) of arbitrary commands is effectively an essential part of its design, as covered in a recent article by [OX Security].

The details of this flaw are found in a detailed breakdown article, which applies to all implementations regardless of the programming language. Essentially the StdioServerParameters that are passed to the remote server to create a new local instance on said server can contain any command and arguments, which are executed in a server-side shell.

Essentially the issue is a lack of input sanitization, which is only the most common source of exploited CVEs. Across multiple real-world exploitation attempts on the software of LettaAI, LangFlow, Flowise and Windsurf it was possible to perform RCEs or perform local RCE in the case of the Windsurf IDE. Although Flowise had implemented some input sanitization by limiting allowed commands and the stripping of special characters, this was bypassed by using standard flags of the npx command.

After contacting Anthropic to inform them of these issues with MCP, the researchers were told that there was no design flaw and essentially had a ‘no-fix, works as designed’ hurled at them. According to Anthropic it’s the responsibility of the developer to perform input sanitization, which is interesting since they provide a range of implementations.

hackaday.com/2026/04/24/how-an…

Intro

Windows Interprocess Communication (IPC) is one of the most complex technologies within the Windows operating system. At the core of this ecosystem is the Remote Procedure Call (RPC) mechanism, which can function as a standalone communication channel or as the underlying transport layer for more advanced interprocess communication technologies. Because of its complexity and widespread use, RPC has historically been a rich source of security issues. Over the years, researchers have identified numerous vulnerabilities in services that rely on RPC, ranging from local privilege escalation to full remote code execution.

In this research, I present a new vulnerability in the RPC architecture that enables a novel local privilege escalation technique in all Windows versions. This technique enables processes with impersonation privileges to elevate their permissions to SYSTEM level. Although this vulnerability differs fundamentally from the “Potato” exploit family, Microsoft has not issued a patch despite proper disclosure.

I will demonstrate five different exploitation paths that show how privileges can be escalated from various local or network service contexts to SYSTEM or high-privileged users. Some techniques rely on coercion, some require user interaction and some take advantage of background services. As this issue stems from an architectural weakness, the number of potential attack vectors is effectively unlimited; any new process or service that depends on RPC could introduce another possible escalation path. For this reason, I also outline a methodology for identifying such opportunities.

Finally, I examine possible detection strategies, as well as defensive approaches that can help mitigate such attacks.

MSRPC

Microsoft RPC (Remote Procedure Call) is a Windows technology that enables communication between two processes. It enables one process to invoke functions that are implemented in another process, even though they are running in different execution contexts.

The figure below illustrates this mechanism.

Let us assume that Host A is running two processes: Process A and Process B. Process B needs to execute a function that resides inside Process A. To enable this type of interaction, Windows provides the Remote Procedure Call (RPC) architecture, which follows a client–server model. In this model, Process A acts as the RPC server, exposing its functionality through an interface, in our example, Interface A. Each RPC interface is uniquely identified by a Universally Unique Identifier (UUID), which is represented as a 128-bit value. This identifier enables the operating system to distinguish one interface from another.

The interface defines a set of functions that can be invoked remotely by the RPC client implemented in Process B. In our example, the interface exposes two functions: Fun1 and Fun2.

To communicate with the server, the RPC client must establish a connection through a communication endpoint. An endpoint represents the access point that enables transport between the client and the server. Because RPC supports multiple transport mechanisms, different endpoint types may exist, depending on the underlying transport.

For example:

• When TCP is used as the transport layer, the endpoint is a TCP port.
• When SMB is used, communication occurs through a named pipe.
• When ALPC is used, the endpoint is an ALPC port.

Each transport mechanism is associated with a specific RPC protocol sequence. For instance:

• ncacn_ip_tcp is used for RPC over TCP.
• ncacn_np is used for RPC over named pipes.
• ncalrpc is used for RPC over ALPC.

In this research, I focus specifically on Advanced Local Procedure Call (ALPC) as the RPC transport mechanism. ALPC is a Windows interprocess communication mechanism that predates MSRPC. Today, RPC can leverage ALPC as an efficient transport layer for communication between processes located on the same machine.

For simplicity, an ALPC port can be thought of as a communication channel similar to a file, where processes can send messages by writing to it, and receive messages by reading from it.

When the client wants to invoke a remote function, for example, Fun1, it must construct an RPC request. This request includes several important pieces of information, such as the interface UUID, the protocol sequence, the endpoint, and the function identifier. In RPC, functions are not referenced by name, but by a numerical identifier called the operation number (OPNUM). Depending on the requirements of the call, the request may also contain additional structures, such as security-related information.

Impersonation in Windows

In Windows, impersonation enables a service to temporarily operate using another user’s security context. For example, a service may need to open a file that belongs to a user while performing a specific operation. By impersonating the calling user, the system allows the service to access that file, even if the service itself would not normally have permission to do so. You can read more about impersonation in James Forshaw’s book Windows Security Internals.

This research focuses specifically on RPC impersonation. Instead of describing the interaction as a service and a user, I refer to the participants as a client and a server. In this model, the RPC server may temporarily adopt the identity of the client that initiated the request.

To perform this operation, the RPC server can call the RpcImpersonateClient API, which causes the server thread to execute under the client’s security context.

However, in some situations, a client may not want the server to be able to impersonate its identity. To control this behavior, Windows introduces the concept of an impersonation level. This defines how much authority the client grants the server to act on its behalf.

These settings are defined as part of the Security Quality of Service (SQOS) parameters, specified using the SECURITY_QUALITY_OF_SERVICE structure.

As you can see, this structure contains the impersonation level field, which determines the extent to which the server can assume the client’s identity.

Impersonation levels range from Anonymous, where the server cannot impersonate the client at all, to Impersonate and Delegate, which allow the server to act fully on behalf of the client.

At the same time, not every server process is allowed to impersonate a client. If any process could perform impersonation freely, it would pose a serious security risk. To prevent this, Windows requires the server process to possess a specific privilege called SeImpersonatePrivilege. Only processes with this privilege can successfully impersonate a client.

This privilege is granted by default to certain service accounts, such as Local Service and Network Service.

Interaction between Group Policy service and TermService

The Group Policy Client service (gpsvc) is a core Windows service responsible for applying and enforcing group policy settings on a system. It runs under the SYSTEM account inside svchost.exe.

When a group policy update is triggered, Windows uses an executable called gpupdate.exe. This tool can be executed with the /force flag to force an immediate refresh of all group policy settings. Internally, this executable communicates with the Group Policy service, which coordinates the update process.

At a certain stage during this operation, the Group Policy service attempts to communicate with TermService (Terminal Service, the Remote Desktop Services service) using RPC.

TermService is responsible for providing remote desktop functionality. This service is not running by default and can be enabled manually by the administrator via activation of Remote Desktop access. When this happens, the service exposes an RPC server with multiple interfaces and endpoints. TermService runs under the NT AUTHORITY\Network Service account.

When the command gpupdate /force is executed, the Group Policy service performs an RPC call to the TermService using the following parameters:

• UUID: bde95fdf-eee0-45de-9e12-e5a61cd0d4fe.
• Endpoint: ncalrpc:[TermSrvApi].
• Function: void Proc8(int).

However, because TermService is disabled by default, the RPC call fails and an exception occurs in rpcrt4.dll (the RPC runtime). The returned error is:

• 0x800706BA (RPC_S_SERVER_UNAVAILABLE, 1722).

This error indicates that the RPC client could not reach the target server.

Tracing the failure path further reveals that the root cause originates from a call to NtAlpcConnectPort, which is used by RPC to establish an ALPC connection between processes.

The NtAlpcConnectPort function is responsible for connecting to a specific ALPC port and returning a handle that the client can use for further communication. This function accepts multiple parameters.

The first two parameters include:

• A pointer to the returned port handle.
• The ALPC port name, represented as an ASCII string.

Another important argument is PortAttributes, which is an ALPC_PORT_ATTRIBUTES structure. Inside this structure is the SECURITY_QUALITY_OF_SERVICE structure, which, as mentioned above, defines the impersonation level used for the connection.

The final parameter of interest is RequiredServerSid, which specifies the expected identity of the target server process. This identity is represented using a Security Identifier (SID) structure.

Inspecting this call reveals that the Group Policy service attempts to connect to the RPC server using an impersonation level of Impersonate, expecting the remote server to run under the Network Service account. This behavior makes sense because TermService normally runs under Network Service.

Based on all the information above, the following scheme can be created to illustrate the interaction between TermService and gpsvc.

Up to this point, nothing unusual has occurred. An RPC client attempts to connect to an RPC server that is unavailable, resulting in an exception handled by the RPC runtime.

However, an interesting question arises: What if an attacker compromises a service that runs under the Network Service identity and mimics the exact RPC server exposed by TermService?

Could the attacker deploy a fake RPC server with the same endpoint?

If so, would the RPC runtime allow the client to connect to this illegitimate server?

And if the connection is successful, how could an attacker leverage this behavior?

Coercing the Group Policy service

To better understand the implications of the previously described behavior, let us consider the following attack scenario.

Imagine an attacker has compromised a service running on the system under the Network Service account, for example, an IIS server operating under the Network Service account. With this level of access, the attacker can deploy a malicious RPC server.

The attacker’s RPC server is designed to mimic the RPC interface exposed by the Remote Desktop service (TermService). Specifically, it implements the same RPC interface UUID and exposes the same endpoint name: TermSrvApi. Once deployed, the malicious server listens for RPC requests that would normally be directed to the legitimate RDP service.

Next, the attacker coerces the Group Policy service by triggering a policy update using gpupdate.exe /force. This causes the Group Policy Client service, which runs under the SYSTEM account, to perform the previously described RPC call. As observed earlier, this RPC call uses a high impersonation level (Impersonate).

When the attacker’s fake RPC server receives the request, it calls RpcImpersonateClient. This enables the server thread to impersonate the security context of the calling client, which, in this case, is SYSTEM.

As a result, the attacker can elevate privileges from Network Service to SYSTEM. In our proof-of-concept implementation, the exploit demonstrates privilege escalation by spawning a SYSTEM-level command prompt.

When this attack scenario was first discussed, it was purely theoretical. However, after implementing the malicious RPC server, the experiment confirmed that Windows allowed the server to be deployed and started successfully, and that the RPC runtime permitted the client to connect to the malicious endpoint. This made it possible to reliably escalate privileges from Network Service to SYSTEM using this technique. For this attack to succeed, though, at least one group policy must be applied on the system.

RPC architecture flow

Further investigation revealed that many Windows services attempt to communicate with TermService using RPC. These RPC calls often originate from winsta.dll, which acts as the RPC client component.

Windows processes invoke APIs exposed by winsta.dll; these APIs rely internally on RPC communication with TermService. This pattern is common in Windows; many system DLLs use RPC behind the scenes when their exported APIs are called.

However, it appears that the RPC runtime (rpcrt4.dll) does not provide a mechanism to verify the legitimacy of RPC servers. Moreover, Windows allows another process to deploy an RPC server that exposes the same endpoint as a legitimate service.

As a result, this architectural design introduces a large attack surface because RPC is heavily used across numerous system DLLs. Applications that invoke seemingly benign APIs may unintentionally trigger privileged RPC interactions. Under certain conditions, these interactions could be abused to achieve local privilege escalation without the user’s knowledge.

Identifying RPC calls to unavailable servers

As the issue appears to stem from an architectural weakness, a systematic approach is needed to identify RPC clients attempting to communicate with servers that are unavailable. First, I need a platform capable of monitoring RPC activity and extracting relevant information from each RPC request.

Specifically, I need to capture key RPC metadata, including:

• Interface UUID, endpoint, and OPNUM.
• Impersonation level and RPC status code.
• Client process privilege level, process name, and module path.

This information is critical because it enables me to reconstruct the RPC interaction, mimic the expected RPC server, and determine how the call is triggered.

The platform that provides this capability is Event Tracing for Windows (ETW). ETW is a built-in Windows logging framework that captures both kernel-mode and user-mode events in real time.

Windows provides a tool called logman to collect ETW data. It enables us to create trace sessions, select event providers, and configure the verbosity level of the tracing process. The collected tracing data is stored in an .etl file, which can later be analyzed using tools such as Event Viewer or other ETW analysis utilities.

ETW provides deep visibility into RPC activity without requiring modifications to applications. Through ETW, it is possible to capture detailed RPC information, such as:

• RPC bindings
• Endpoints
• Interface UUIDs
• Authentication details
• Call flow and timing
• RPC status codes

However, I’m not interested in every RPC event. My focus is on RPC call failures, specifically those that return the status RPC_S_SERVER_UNAVAILABLE.

For an event to be relevant to this research, the exception must meet two conditions:

• It must originate from a high-privileged process because impersonating such a process may allow an attacker to escalate privileges to a more powerful security context.
• The RPC call must use a high impersonation level, enabling the server to fully impersonate the client once the connection is established.

I cannot rely solely on the raw ETW output to implement this framework because it contains thousands of events, making manual filtering with standard tools inefficient. Therefore, I need to automate this process. The workflow shown below enables me to efficiently filter and extract only those events that are relevant to this analysis.

After generating the logs as an .etl file, I convert them to JSON format using tools such as etw2json. JSON is a much easier format to process programmatically. In this case, I use a Python script to filter and extract the relevant information.

The filtering process begins with a search for Event ID 1, which corresponds to an RPC stop event. This event indicates that the RPC client has completed the call and the result is available. From this event, I can extract useful information, such as:

• Status code
• Client process name
• Client process ID
• Endpoint

After extracting the status code, I filter for the specific value RPC_S_SERVER_UNAVAILABLE, which indicates that the target server was unreachable during an RPC call. These events represent the scenarios that are of interest.

However, Event ID 1 does not contain all of the required RPC metadata. To obtain the missing information, it is correlated with Event ID 5, which represents the RPC start event. This event is generated when the client initiates the RPC call.

By matching the metadata between Event ID 1 and Event ID 5, I can recover the missing details, including:

• Interface UUID
• OPNUM
• Impersonation level

After correlating and filtering these events, a JSON entry is obtained that is almost ready for analysis. At this stage, the data can be enriched further by adding context that will be helpful when reversing or analyzing the RPC server implementation. For example, the following can be identified:

• The DLL where the RPC interface is implemented
• The location of that DLL
• The number of procedures exposed by the interface

To retrieve this information, I match the UUID with an external RPC interface database. In this case, I used the RPC database, which contains a comprehensive list of RPC interfaces and their corresponding DLL implementations.

At the end of this process, a complete JSON dataset is obtained that can be used for further analysis.

One important observation is that the RPC calls I am looking for may only occur when specific system actions are triggered. Additionally, the resulting exceptions may vary from one system to another depending on which services are enabled or disabled. Therefore, I need a reliable way to generate these RPC exceptions.

In this research, I used several approaches to trigger such events:

1. Monitoring RPC activity during system startup
   I observed RPC activity while the system booted. During startup, many services initialize and perform various RPC calls, which increases the chances of capturing calls to unavailable servers.
2. Triggering administrative operations
   I developed PowerShell scripts that perform common administrative tasks, such as updating Group Policy, changing network settings, or creating new users. These operations often trigger RPC communication and may generate exceptions.
3. Disabling services intentionally
   After observing that Remote Desktop was disabled by default, I extended this idea by disabling additional services one by one and repeating the previous steps. This approach can reveal RPC clients that attempt to connect to services that are no longer available.

Additional privilege escalation paths

After running the logging and monitoring framework described earlier, I identified four additional scenarios that can lead to privilege escalation. The following sections introduce each case and explain how escalation can be achieved.

User interaction: From Edge to RDP

Microsoft Edge (msedge.exe) comes preinstalled on Windows systems. During startup, Edge triggers an RPC call to TermService. This RPC call is performed with a high impersonation level.

As previously discussed, Terminal Service is disabled by default. Because of this, the expected RPC server is unavailable, creating an opportunity for the attack scenario illustrated below.

The attack follows the same initial assumption as before: the attacker has already compromised a process running under the Network Service account. From there, they deploy the same malicious RPC server that mimics the legitimate TermService RPC interface.

However, unlike the previous scenario where the attacker coerced the Group Policy service, no coercion is required this time. Instead, the attacker simply waits for a high-privileged user, such as an administrator, to launch msedge.exe.

When Edge starts, it triggers the RPC client to attempt communication with the expected TermService RPC interface. Because the legitimate server is not running, the request is received by the attacker’s fake RPC server. Since the RPC call is made with a high impersonation level, the malicious server can call RpcImpersonateClient to impersonate the client process.

As a result, the attacker is able to impersonate the administrator-level client and escalate privileges from Network Service to Administrator.

Background services: From WDI to RDP

Some background Windows services periodically attempt to make RPC calls to the RDP service without user interaction. One such service is the WdiSystemHost service. The Diagnostic System Host Service (WDI) is a built-in Windows service that runs system diagnostics and performs troubleshooting tasks. This service runs under the SYSTEM account.

During normal operation, WDI periodically performs background RPC calls to the Remote Desktop service (TermService) using a high impersonation level. These RPC interactions occur automatically every 5–15 minutes and do not require any user input.

This behavior can be abused in a similar manner to the previous attack scenarios, as illustrated in the figure below.

In this case, however, no user interaction or coercion is required. After deploying a malicious RPC server that mimics the expected TermService RPC interface, the attacker only needs to wait for the WDI service to perform its periodic RPC call. Because the request is made with a high impersonation level, the malicious server can invoke RpcImpersonateClient and impersonate the calling process. This enables the attacker to escalate privileges to SYSTEM.

Abusing the Local Service account: From ipconfig to DHCP

Another scenario involves the DHCP Client service, which manages DHCP client operations on Windows systems. This service runs under the Local Service account and is enabled by default.

The DHCP Client service exposes an RPC server with multiple interfaces and endpoints. These interfaces are frequently invoked by various system DLLs, often using a high impersonation level.

In this scenario, instead of compromising a process running under Network Service, it is assumed the attacker has compromised a process running under the Local Service account. I also assume that the DHCP Client service is disabled, meaning the legitimate RPC server is unavailable.

As the figure below illustrates, the attacker can leverage this situation to escalate privileges.

After gaining control of a Local Service process, the attacker deploys a malicious RPC server that mimics the legitimate RPC server normally exposed by the DHCP Client service. Once the malicious server is running, the attacker waits for a high-privileged user, such as an administrator, to execute ipconfig.exe.

When ipconfig is run, it internally triggers an RPC request to the DHCP Client service. Since the legitimate RPC server is not running, the request is received by the attacker’s fake RPC server. Because the RPC call is performed with a high impersonation level, the malicious server can call RpcImpersonateClient to impersonate the client.

As a result, the attacker can escalate privileges from the Local Service account to the Administrator account.

Abusing Time

The Windows Time service (W32Time) is responsible for maintaining date and time synchronization across systems in a Windows environment. This service is enabled by default and runs under the Local Service account.

The service exposes an RPC server with two endpoints:

• \PIPE\W32TIME_ALT
• \RPC Control\W32TIME_ALT

The executable C:\Windows\System32\w32tm.exe interacts with the Windows Time service through RPC. However, before connecting to the valid RPC endpoints exposed by the service, the executable first attempts to access the nonexistent named pipe: \PIPE\W32TIME. This named pipe is not exposed by the legitimate W32Time service. However, if this endpoint were available, w32tm.exe would attempt to connect to it.

An attacker can abuse this behavior by deploying a malicious RPC server that mimics the legitimate RPC interface of the Windows Time service. Rather than exposing the legitimate endpoints, the attacker’s server exposes the nonexistent endpoint \PIPE\W32TIME, as shown in the figure below.

As in the previous scenarios, it is assumed the attacker has already compromised a process running under the Local Service account. The attacker then deploys a fake RPC server that implements the same RPC interface as the Windows Time service, but which exposes the alternative endpoint used by w32tm.exe.

Once the malicious server is running, the attacker simply waits for a high-privileged user, such as an administrator, to execute w32tm.exe. When the executable runs, it attempts to connect to the endpoint \PIPE\W32TIME. Because the attacker’s fake server exposes this endpoint, the RPC request is directed to the malicious server.

Since the RPC call is performed with a high impersonation level, the malicious server can impersonate the calling client. As a result, the attacker can escalate privileges from the Local Service account to the Administrator account.

In this scenario, it is important to note that the legitimate Windows Time service does not need to be disabled. Because the executable attempts to connect to a nonexistent endpoint, it is sufficient for the attacker to expose that endpoint through the malicious RPC server.

Vulnerability disclosure

After discovering the vulnerability, Kaspersky Security Services prepared a 10-page technical report describing the issue and the various aforementioned exploitation scenarios. The report was submitted to the Microsoft Security Response Center (MSRC) to report the vulnerability and request a fix.

Twenty days later, Microsoft responded, indicating that they did not classify the vulnerability as high severity. According to their assessment, the issue was classified as moderate severity and would therefore not be patched immediately. No CVE would be assigned, and the case would be closed without further tracking.

Microsoft explained that the moderate severity classification was due to the requirement that the originating process had to already possess the SeImpersonatePrivilege privilege. Since this privilege was typically required for the attack to succeed, Microsoft determined that the issue did not require immediate remediation.

Kaspersky Security Services respect Microsoft’s assessment and only published the research after the embargo period ends. In line with the coordinated vulnerability disclosure policy, Kaspersky Security Services will refrain from publishing detailed instructions that could enable or accelerate mass exploitation.

The disclosure timeline is shown below:

• 2025-09-19: Vulnerability reported to Microsoft Security Response Center (Case 101749).
• 2025-10-10: MSRC response – the case was assessed as moderate severity, not eligible for a bounty, no CVE was issued, and the case was closed without further tracking.
• 2026-04-24: expected whitepaper publication date.

Detection and defense

As discussed above, this vulnerability is related to an architectural design behavior. Fully preventing it would require Microsoft to release a patch that addresses the underlying issue.

Nevertheless, organizations can still take steps to detect and mitigate potential abuse. ETW-based monitoring within the framework described above enables defenders to identify RPC exceptions in their environment, especially when RPC clients attempt to connect to unavailable servers.

I have provide the tools used in the previously described framework so that organizations can check their environment for such behavior. You can find all of them in the research repository.

By monitoring these events, administrators can identify situations where legitimate RPC servers are expected but not running. In some cases, the attack surface may be reduced by enabling the corresponding services, ensuring that the legitimate RPC server is available. This can hinder attackers from deploying malicious RPC servers that imitate legitimate endpoints.

It is also good practice to reduce the use of the SeImpersonatePrivilege privilege in processes where it is not required. Some system processes need this privilege for normal operations. However, granting it to custom processes is generally not considered good security practice.

Conclusion

All the exploits described in this research were tested on Windows Server 2022 and Windows Server 2025 with the latest available updates prior to the submission date. The proof-of-concept implementations can be found in the research repository. However, it is highly likely that this issue may also be exploitable on other Windows versions.

Because the vulnerability stems from an architectural design issue, there may be additional attack scenarios beyond those presented in this research. The exact exploitation paths may vary from one system to another depending on factors such as installed software, the DLLs involved in RPC communication, and the availability of corresponding RPC servers.

securelist.com/phantomrpc-rpc-…

There’s retrogaming, and then there’s retro gaming. This next project falls into the second category, as [Callan] of 74XX Arcade Repair digs into the original Wild Gunman, first released by Nintendo way, way back in 1974 — on 16 mm film. Yes, it was a film-based arcade machine, but how else were you going to get realistic graphics just two years after PONG?

The game had two 16 mm projectors, with four different sets of film reels available, each depicting five gunmen. Unfortunately for [Callan], the film is all he has, so he’s not so much repairing as re-creating the historic game. Luckily, he had the manuals, so at least he knew how it was supposed to come together.

One projector did most of the work, showing the gunmen and a hidden timing signal for the game to know when the user could shoot; the other only activated if the user pulled the trigger at the correct time. Interestingly the ‘gun’ has an IR illuminator that bounced infrared light off the screen to a detector in the cabinet — much like later TV remotes. That makes for a rather large circular hitbox around the enemy gunslinger, which is perhaps not a bad thing for a game likely to be found in a bar.

His recreation is all-digital as he didn’t want to risk completely wearing out the vintage film. Instead there’s a PC, a digital projector, and a pico-based light-gun running the OpenFire firmware. [Callan] did go to some lengths to match the original appearance, with a combination of 3D printing, woodworking and fabric arts. Plus his recreation is authentic to the behavior of the original, so what more could you ask for?

As far as we know, this is the only playable version of the 1970s game in existence. [Callan] will have it available to play at the Ontario Pinfest 2026, in Stayner, Ontario on May 30-31, 2026. Happily enough, that’s 50 years since the game first arrived in North America in 1976. Worth a trip? Well, that depends on your location.

This reminds us of the time someone 3D printed a Computer Space cabinet, which only predates Wild Gunman by a few years. Speaking of 3D printing, you can also print your own 16 mm film camera, if you want to make an indie version this now-vanished style of arcade game.

youtube.com/embed/TOfqnomGPkM?…

hackaday.com/2026/04/24/revivi…

Considering that Windows has the concept of so-called ‘subsystems’ whereby you can run different systems side-by-side, starting with the POSIX subsystem and later the Windows Subsystem for Linux (WSL), it was probably only a matter of time before someone figured that the inverse was also completely reasonable. Rather than mucking about with Wine or such, we now got [Hailey Somerville]’s Linux Subsystem for Windows which is disappointingly called WSL9x rather than LSW.

To make running Windows 9x inside Linux work, it was necessary to heavily patch a Linux kernel, as normally there are no provisions for such a subsystems unlike the NT kernel. Correspondingly, the Linux kernel is based on user-mode Linux and hacked to call Windows 9x kernel APIs instead of the POSIX ones.

In order to use WSL9x you thus need to build said modified Linux kernel – currently at version 6.19 – along with a disk image containing an installed copy of Windows 9x. From there WSL9x can be loaded with the wsl command and you’re then free to cooperatively run the Win9x and Linux kernel side-by-side. This is reminiscent of Cooperative Linux (coLinux), which did pretty much the same except with Windows NT and Linux kernels running side-by-side. Maybe one day coLinux will be revived so that we can run 64-bit Windows alongside modern Linux?

Thanks to [adistuder] for the tip.

hackaday.com/2026/04/23/wsl9x-…

VPNs, Virtual Private Networks, aren’t just a good idea to keep your data secure: for millions of people living under restrictive regimes they’re the only way to ensure full access to the internet. What do you do when your government orders ISPs to ban VPNs, like Russia has done recently? [LaserHelix] shows us one way Gopniks cope, which is to use a ShadowSocks proxy.

If you’re not deep into network traffic, you might be wondering: how can an ISP block VPN traffic? Isn’t that stuff encrypted? Yes, but while the traffic going over the VPN is encrypted, you still need to connect to your VPN’s servers– and those handshake packets are easy enough to detect. You can do it at home with Wireshark, a tool that shows up fairly often on these pages. Of course if they can ID those packets, they can block them.

So, you just need a way to obfuscate what exactly the encrypted traffic you’re sending is. Luckily that’s a solved problem: Chinese hackers came up with something called Shadowsocks back in 2012 to help get around the Great Firewall, and have been in an arms-race with their authorities ever since.

Shadowsocks is not, in fact, a sibling of Gandalf’s horse as the name might suggest, but a tool to obfuscate the traffic going to your VPN. To invert a meme, you’re telling the authorities: we heard you don’t like encrypted traffic, so we put encryption in your encrypted traffic so you have to decrypt the packets before you recognize the encrypted packets.

What about the VPN? Well, some run their own shadowsocks service, while others will need to be accessed via a shadowsocks bridge: in effect, a proxy that then connects to the VPN for you. That means of course you’re bouncing through two servers you need to trust not to glow in the dark, but if you have to trust someone– otherwise it’s off to a shack in the woods, which never ends well.

Don’t forget that while VPNs can get you around government censorship, they do not provide anonymity on their own. If, like tipster [Keith Olson] –thanks for the tip, [Keith]!– you’re looking side-eyed at your government’s “think of the children!” rhetoric but don’t know where to start, we had a discussion about which VPNs to use last year.

hackaday.com/2026/04/23/encryp…

Some people learning the noble art of electronics find the jump from simpler tools like Fritzing to more complex ones, such as KiCAD, a little daunting, especially since they need to learn at least two tools. Fritzing is great for visualising your breadboard layout, but what if you want to start from a proper schematic, make a prototype on a breadboard and then design a custom PCB? Well, with the Kicad-breadboard plugin for (you guessed it!) KiCAD, you can now do all of this in the same tool.
A simple dual-rail oscillator schematic corresponding to the featured image above
Originally designed to support EE students at the University of Antwerp, the tool presents you with a virtual breadboard with configurable size and style, along with a list of components and tools that can be placed. A few clicks and parts can be placed on the virtual breadboard with ease. Adding wires is the next logical step to make those connections that operate in the horizontal dimension. Finally, assigning power supplies and probe connections completes the process. It’s a simple enough tool to draw stuff, but drawing a layout is no use if you can’t verify it’s correctness. This is where this plugin shines: it can perform an ERC (check) between the schematic and the breadboard and flag up what you missed. Add to this that you can also perform an ERC at the schematic level, before even thinking about layout, and it’s pretty hard to make an error. Now, you can transfer this directly to a real breadboard, or even a veroboard, for more permanence once you have confidence in correctness. This will definitely save time correcting errors and help keep the magic smoke safely contained within those mysterious black rectangles.

As it stands, the tools are limited to a few select ICs, which, much to this scribe’s disappointment, did not include the venerable 555 timer; however, it would be possible to work around that with some imagination at the schematic level. The ability to drop in and document power supply, function generator, and oscilloscope probing points is nice, enabling one to close the loop on documenting a layout to make it truly transferable to physical reality.

We cover electronics prototyping with breadboards a lot because they’re accessible. Here’s a super simple computer on a breadboard. We also like seeing them integrated as tools, like here. Finally, why stick with the tired old common breadboard shapes when you could make your own?

hackaday.com/2026/04/23/this-k…

With MCUs becoming increasingly more powerful it was only a matter of time before they would enable some more serious audio-processing tasks. [Danilo Gabriel]’s ESP32Synth library is a good example here, which provides an ESP-IDF based 80+ voice mixing and synthesis engine. If you ever wanted to create a pretty impressive audio synthesizer, then all you really need to get started is an ESP32, ESP32-S3 or similar dual-core Espressif MCU that has the requisite processing power.

Audio output goes via I2S, requiring only a cheap I2S DAC like the UDA1334A or PCM5102 to be connected, unless you really want to use the internal DAC. With this wired up you get 80 voices by default, with up to 350 voices demonstrated before the hardware cannot keep up any more. You can stream multiple WAV files from an SD card for samples along with the typical oscillators like sinewave, triangle, sawtooth and pulse, as well as noise, wavetables and more.

In order to make this work in real-time a number of optimizations had to be performed, such as the removal of slow floating-point and division operations in the audio path. The audio rendering task is naturally pinned to a single core, leaving a single core for application code to use for remaining tasks. While the code is provided as an Arduino project, it uses ESP-IDF so it can likely be used for a regular ESP-IDF project as well without too much fuss.

hackaday.com/2026/04/23/esp32s…

One of the problems facing any solar power installation comes in storing enough power for high-intensity operations such as cooking. The high-tech and expensive way involves battery banks and inverters, but [Solar Genius] is taking a more direct route by skipping the energy storage entirely.

A pair of parabolic antennas are pressed into service as mirrors, catching and focusing the sun’s energy onto a cooking pot. Of course, solar cookers like this are nothing new, so what makes this one different is the in-depth analysis of its performance. This thing can cook!

One antenna is covered in square mirrors while the other is covered in sticky chrome-effect mirror sheeting. They’re described as sun tracking, but since we don’t see any mechanism we’re guessing the tracking is done by hand. The experiment takes place in Pakistan, so there’s a plentiful supply of sunlight that those of us in more northern climes can only dream of.

This hack is part of our 2026 Green Powered Challenge. You’ve just got time to get your own entry in, so get a move on!

hackaday.com/2026/04/23/2026-g…