Cybersecurity & cyberwarfare reshared this.

Addio Carola

guerredirete.it/addio-carola/

@eticadigitale

in reply to informapirata ⁂

a simple but useful article to get to know her story a little better...
lastampa.it/cronaca/2026/06/03…

Cybersecurity & cyberwarfare reshared this.

Bye Carola ♥️

guerredirete.it/addio-carola

Cybersecurity & cyberwarfare reshared this.

NPR laid off about 4 percent of its content division, including 10 journalists and some veteran reporters.

"People love science," NPR Science Correspondent Nell Greenfieldboyce, who was laid off Wednesday, said in an interview for this story. "It's such a break from the political and economic and often grim news to have something more inspiring and curiosity driven. I thought it was a great blessing to have the opportunity to give that to people."

npr.org/2026/05/27/nx-s1-58366…

#media #layoffs #journalism


Cybersecurity & cyberwarfare reshared this.

#privacy and #sicurezza on the train don't depend only on the infrastructure.

Trains of the past had closed compartments; people chatted and no passer-by could pick up the conversations, unless they eavesdropped through the glass door or drilled a hole in the partition panel between compartments.

Today the formula is "+ passengers = + seats, + seating space, - privacy"; certainly useful for the companies, which make sure to provide connectivity (via email registration, OTP by SMS or #QRCode) so that everyone, at every moment of the journey, can tell their business to the person on the other end and to all the passengers nearby.

The convenience of the little tables (on which I've rested my computer to write this post) is a double-edged sword. Because while the Asian gentleman beside me is doomscrolling Instagram, his wife is playing sudoku, the German woman is checking in to her BnB in Venice, others are looking at Facebook, IG, looking for news, watching films and series, well, the person in front of me is using chatGPT and sending messages on TG to the whole world.

A student, completing parts of a study with #AI, taking screenshots and copy-pasting pieces into a WhatsApp group (on a Mac), while writing other messages on his phone.

I see every message he sends, I see the numbers of the people he's writing to (not his contacts), I see the prompts (not good... you could do better), and I could easily get into his AirDrop.

The objections ("eh, but then nothing can be done without you criticizing it!") I file away neatly, as always (behold the vastness), and hang up the sign: if you're not careful with your privacy, it's not my fault that I read what you leave on full display.

What to do?
If you really can't do without it, use a privacy screen on your phone and computer, lower the brightness, take a quick look at who's sitting next to you, behind you and to the side. Lower the window shade to avoid reflections.

It's rather unlikely that the work of the person in front of me is military-grade, so no problems stand out.
But when you work with sensitive documents and information, be very careful.

Because it takes nothing for a bad guy, or some bitch sitting behind you, to see and use the data you leave unguarded.

I repeat: nothing happens if you're working on your thesis, not even if you book a car paying in advance with your credit card, but be aware that you're exposing little pieces of your life.

Being able to reconstruct these pieces, line them up and use them, is a resource for someone.
And there are other someones willing to pay for these resources.

Be careful.
Always.


Addio Carola


@Informatica (Italy e non Italy)
Today, 3 June 2026, Carola Frediani passed away, surrounded by the affection of her family and friends.
Carola was the soul and lifeblood of Guerre di Rete and leaves an unfillable void in all those who have known her over these years.
We will miss you 🖤
The article Addio Carola comes from Guerre di Rete.

The article comes from #GuerreDiRete at guerredirete.it/addio-carola/

Cybersecurity & cyberwarfare reshared this.

#Google Patches Actively Exploited #Android Flaw Affecting Millions of Devices
securityaffairs.com/193057/bre…
#securityaffairs #hacking

Argamal: Malware hidden in hentai games


In April 2026, we discovered a new malware campaign targeting players of “hentai” games. Once launched, the infected games install a previously unknown malicious implant on the user’s machine. After a few days, the implant downloads and executes a Trojan, resulting in full system compromise and broad remote control capabilities for the attackers. We dubbed this malware family “Argamal”.

The malware uses COM hijacking to persist on the victim's machine, replacing the InprocServer32 entry for the Windows Color System Calibration Loader DLL. The scheduled task that loads this COM object is triggered when the user logs in, so the malware effectively runs at every startup.

Kaspersky solutions detect this threat as Trojan.Win32.Termixia.*, Trojan.Win32.Agent.*, HEUR:Trojan.Win32.Argamal.gen and HEUR:Trojan-Downloader.Win32.Argamal.gen.

Technical details

Background


In April, as part of our ongoing monitoring of telemetry data, we found some suspicious DLLs. Further analysis revealed that various versions of these DLLs have existed since at least 2024.

The DLLs were spawned by different games written using various game engines and programming languages, including RenPy (Python) and RPG Maker MV (JavaScript), among others. However, they all had one thing in common: they were all hentai games. We searched for the distribution sources and found a number of websites hosting game screenshots and download links. These links redirected users to PixelDrain, a free file transfer service.

Adult games catalogue

In addition to these websites, the trojanized games have also been distributed via different torrent trackers, including AniRena.

Malicious game torrent in AniRena

Delivery


Both the dedicated websites and torrents delivered an archive containing the infected game.

Contents of the game archive

This archive contained fully functional, legitimate game files, as well as a modified FFmpeg DLL (SHA1: 42add9475e67a1ccc6a6af94b5475d3defc01b85) which imported the DllGetClassObject function from a file named natives2_blob.bin. Since the game needs ffmpeg.dll to run properly, the library loads as soon as the user starts the game.

Script executor


The natives2_blob.bin (SHA1: edce72f59e4c1d136cd1946af70d334c19df858d) file is a DLL that executes a Base64-encoded PowerShell script when loaded.

The natives2_blob.bin file code

This PowerShell script, which we’ll call Stage1, performs basic checks for controlled environments. For example, it checks for the Sandboxie folder in Program Files and Procmon64 in the process list. If all the checks indicate that the process is not running in a controlled environment, it proceeds to establish persistence.

Stage1 sets the MI_V environment variable (and also MI_V2 in the new versions of malware) for the current user to another Base64-encoded PowerShell script, which we’ll call Stage2. After that, it sets the InprocServer32 registry key at HKCU\SOFTWARE\Classes\CLSID\{722D0F89-B69C-4700-AE8C-4A44350E4876} to a random DLL file name in a random subdirectory of %USER%\AppData\Local, as well as the ShellFolder subkey to another random DLL file name in the same location. Stage1 also creates a scheduled task that will execute three days later. This task executes Stage2 and runs once.

Stage2 is a payload downloader script. It takes previously generated DLL filenames from the registry and downloads an encrypted payload called zaesdl.dat from GitHub using bitsadmin.exe. The downloaded payload is saved in the settings.dat file in the randomly chosen subdirectory of %USER%\AppData\Local. Stage2 decrypts it using AES-CBC with the key zbcd1j9234r670eh and an IV equal to the key. The decrypted payload is then saved in the DLL file specified in the ShellFolder registry subkey.

The decrypted payload is set as InprocServer32 at HKCU\SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}, which is a COM object used by the \Microsoft\Windows\WindowsColorSystem\Calibration Loader scheduled task. This task runs every time a user logs in, allowing the malware to run during every user session.

Before quitting, Stage2 also removes the changes made under the HKCU\SOFTWARE\Classes\CLSID\{722D0F89-B69C-4700-AE8C-4A44350E4876} registry key, unsets the MI_V environment variable (and MI_V2 in newer versions), and removes the scheduled task that launched Stage2.
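A defender's check for the persistence just described, added here and not part of the Kaspersky write-up: it reviews per-user InprocServer32 registrations, flags the two CLSIDs named above and any server DLL placed under %LOCALAPPDATA% (where Stage1 creates its random subdirectory). The sample registry values are constructed for the demonstration; on Windows, scan_live_hkcu() reads the real HKCU hive through the standard winreg module, and elsewhere it returns nothing.

```python
import sys

# CLSIDs named in the Argamal write-up. The first is the COM object loaded by the
# \Microsoft\Windows\WindowsColorSystem\Calibration Loader task (final persistence);
# the second is the staging entry Stage1 creates and Stage2 removes.
ARGAMAL_CLSIDS = {
    "{B210D694-C8DF-490D-9576-9E20CDBC20BD}": "Calibration Loader COM object hijacked for persistence",
    "{722D0F89-B69C-4700-AE8C-4A44350E4876}": "staging CLSID used between Stage1 and Stage2",
}


def _win_norm(path: str) -> str:
    """Case-fold and normalise separators so Windows paths compare on any OS."""
    return path.strip().strip('"').replace("/", "\\").rstrip("\\").lower()


def assess_inprocserver32(clsid: str, server_path: str, local_appdata: str) -> dict:
    """Score one HKCU\\SOFTWARE\\Classes\\CLSID\\<clsid>\\InprocServer32 value.

    Per-user CLSID registrations take precedence over HKLM, which is what makes
    COM hijacking work, so a per-user entry is always worth a look. It becomes
    high-severity when the CLSID is one Argamal uses or the DLL sits in a
    user-writable directory such as %LOCALAPPDATA%.
    """
    findings = ["per-user InprocServer32 registration; compare against the HKLM entry for this CLSID"]
    clsid_u = clsid.strip().upper()
    if clsid_u in ARGAMAL_CLSIDS:
        findings.append("CLSID known from Argamal: " + ARGAMAL_CLSIDS[clsid_u])
    if _win_norm(server_path).startswith(_win_norm(local_appdata) + "\\"):
        findings.append("server DLL is under %LOCALAPPDATA%, a user-writable location")
    severity = "high" if len(findings) > 1 else "review"
    return {"clsid": clsid_u, "server": server_path, "severity": severity, "findings": findings}


def scan_entries(entries, local_appdata):
    """Assess a list of (clsid, InprocServer32 default value) pairs, worst first."""
    results = [assess_inprocserver32(c, p, local_appdata) for c, p in entries]
    return sorted(results, key=lambda r: (r["severity"] != "high", r["clsid"]))


def scan_live_hkcu():
    """On Windows, collect every per-user InprocServer32 value; elsewhere return []."""
    if sys.platform != "win32":
        return []
    import os
    import winreg  # standard library on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"SOFTWARE\Classes\CLSID") as root:
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                # QueryValue returns the unnamed (default) value of the subkey
                entries.append((clsid, winreg.QueryValue(root, clsid + r"\InprocServer32")))
            except OSError:
                pass  # CLSID without an in-process server
    return scan_entries(entries, os.environ.get("LOCALAPPDATA", ""))


# Constructed sample values (not observed data) shaped like what Stage1/Stage2 write:
# a random DLL name in a random subdirectory of %LOCALAPPDATA%, plus a benign-looking
# per-user registration with a made-up CLSID for contrast.
SAMPLE_LOCALAPPDATA = r"C:\Users\alice\AppData\Local"
SAMPLE_ENTRIES = [
    ("{b210d694-c8df-490d-9576-9e20cdbc20bd}", r"C:\Users\alice\AppData\Local\Qx7kd\mRt3.dll"),
    ("{11111111-2222-3333-4444-555555555555}", r"C:\Program Files\ExampleVendor\helper.dll"),
]

if __name__ == "__main__":
    for r in scan_live_hkcu() or scan_entries(SAMPLE_ENTRIES, SAMPLE_LOCALAPPDATA):
        print(r["severity"].upper(), r["clsid"], r["server"])
        for f in r["findings"]:
            print("   -", f)
```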

Malicious agent


Early payload versions decrypted themselves using the 0xB0C1D4E9 rolling XOR key, where the decryption key for the i + 1 block is the encrypted content of the i block (each encrypted block being four bytes long). The most recent agent versions don’t do that.
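The rolling XOR described above, as an added decoder that is not part of the Kaspersky write-up: the first four-byte block is XORed with 0xB0C1D4E9 and each later block with the ciphertext of the block before it. Byte order inside a block is not stated on the page, so little-endian is an assumption here; the sample buffer is constructed for the demonstration, not taken from a real payload.

```python
import struct

INITIAL_KEY = 0xB0C1D4E9   # rolling XOR seed named in the write-up
BLOCK = 4                  # each encrypted block is four bytes


def _words(data: bytes):
    """Split a buffer into 32-bit words (little-endian is an assumption, the page does not say)."""
    if len(data) % BLOCK:
        raise ValueError("buffer length must be a multiple of 4 bytes")
    return struct.unpack("<%dI" % (len(data) // BLOCK), data)


def rolling_xor_decrypt(data: bytes, initial_key: int = INITIAL_KEY) -> bytes:
    """Undo the rolling XOR: block i+1 is keyed with the *encrypted* block i.

    Because the key chain is built from ciphertext, decryption needs no feedback
    from the plaintext; the previous encrypted word is all the state required.
    """
    out, key = [], initial_key
    for enc in _words(data):
        out.append(enc ^ key)
        key = enc  # the ciphertext of this block keys the next one
    return struct.pack("<%dI" % len(out), *out)


def rolling_xor_encrypt(data: bytes, initial_key: int = INITIAL_KEY) -> bytes:
    """Inverse transform, included only to build constructed test input."""
    out, key = [], initial_key
    for plain in _words(data):
        enc = plain ^ key
        out.append(enc)
        key = enc
    return struct.pack("<%dI" % len(out), *out)


# Constructed sample: the start of a PE-style "MZ" header, run through the chain above.
SAMPLE_PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00"
SAMPLE_CIPHERTEXT = bytes.fromhex("a48e51b0a78e51b0")

if __name__ == "__main__":
    print(rolling_xor_decrypt(SAMPLE_CIPHERTEXT))
```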

The samples we found had string encryption; they use a simple substitution with a key that corresponds position-by-position to the following alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@#$./:<>*&~. The decryption process involves finding the position of each symbol of the encrypted strings in the key, and replacing it with the symbol that occupies the same position in the alphabet.

During our investigation, we found the following keys were used:

  • 17htUno/I3L&fK2H#yapE@b5NqZ$Q4xmeF.s96uB>jkdWCPvAgD*XwO:iR~TMrV0YGl8z<JSc
  • 71htUno/I3L&fK2H#aypE@b5NqZ$Q4xmeF.s96uB>jdkWCPvAgD*XwO:iR~TMrV0YGl8z<JSc
  • E1hUtno/IL3&fK2H#ypa7@b5NqZ$Q4xmeF.s69uB>jkdWCvPAgD*XwO:iR~TrMV0YGl8z<JcS

All symbols not used in the key remain unchanged.

String decryption

The payload checks for the presence of the following security solutions using the output of the tasklist command:

  • Kaspersky
  • Avast
  • McAfee
  • BitDefender
  • MalwareBytes
  • +36 other solutions

Security solution detection logic

The payload itself is a RAT with broad functionality. The default C2 server is asper1[.]freeddns[.]org for earlier versions and Winst0[.]kozow[.]com for the latest versions of the payload. Both domains point to 186[.]158.223.35. We also saw another IP address for the first C2 in pDNS records, though we haven’t actually seen it in use. The C2 address can change based on a C2 reply or when certain conditions are met. For example, if the user’s default locale is set to “zh-CN”, the RAT sets its C2 address to country1[.]ignorelist[.]com. During most of our investigation, this domain pointed to 127[.]0.0.1, but starting April 26, it has been pointing to 186[.]158.223.35 as well.

The payload sends UDP heartbeats to port 57441 of the C2 server. These heartbeats contain information about detected security solutions, system startup time, time since last input activity, architecture info, machine IP address and username.

The C2 may respond to the heartbeat. Based on this response, the payload can perform different actions. Below is the full list of available commands.

Response first byte / Description

  • 0x31: Run DLL on the system
  • 0x57: Send UDP request to the specified address
  • 0x55: Open file or link from the response
  • 0x50: Collect information about the infected system (e.g. process list and architecture)
  • 0x53: Execute command from the response using ShellExecuteW
  • 0x52: Run the file specified in the response using WinExec
  • 0x42: Delete the file specified in the response
  • 0x41: Update C2 domain
  • 0x59: Get new payload: connect to C2 port 63559/UDP, get new DLL and update COM path in the registry

The C2 can also set a flag in the response that will turn on the extended RAT mode. In this mode, the payload communicates with the C2 server using the 3747/tcp port.

TCP communications are encrypted using a simple substitution cipher. Each character is replaced using a fixed mapping defined by the key:
koP]Y4Os-_t?cB',aK.Wm>QM2[U!^C`*@Ff:X\6Dp8H%ATydE<e(#G&LhwRZ5znjJqgNrl)I7V$3=910"+Svxi/;ub
This key corresponds position-by-position to the standard ASCII character sequence:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}
In other words, each character in the ASCII set is replaced by the corresponding character in the key string.
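Both substitution schemes on this page, the string-encryption keys listed earlier and the TCP channel key just above, reduce to the same position lookup. This added example, not from the write-up, implements that lookup as an analyst's decoder; the ciphertext samples are constructed with the inverse mapping, not captured traffic. As printed, the TCP key has fewer symbols than the '!'..'}' range, so the characters beyond its length have no pairing and pass through unchanged.

```python
# Alphabet and keys for the in-binary string encryption, as listed in the write-up.
STRING_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "abcdefghijklmnopqrstuvwxyz"
                   "0123456789@#$./:<>*&~")
STRING_KEYS = [
    "17htUno/I3L&fK2H#yapE@b5NqZ$Q4xmeF.s96uB>jkdWCPvAgD*XwO:iR~TMrV0YGl8z<JSc",
    "71htUno/I3L&fK2H#aypE@b5NqZ$Q4xmeF.s96uB>jdkWCPvAgD*XwO:iR~TMrV0YGl8z<JSc",
    "E1hUtno/IL3&fK2H#ypa7@b5NqZ$Q4xmeF.s69uB>jkdWCvPAgD*XwO:iR~TrMV0YGl8z<JcS",
]

# TCP channel: the key corresponds position-by-position to ASCII '!' .. '}'.
TCP_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7E))
TCP_KEY = r'''koP]Y4Os-_t?cB',aK.Wm>QM2[U!^C`*@Ff:X\6Dp8H%ATydE<e(#G&LhwRZ5znjJqgNrl)I7V$3=910"+Svxi/;ub'''


def decode(text: str, key: str, alphabet: str) -> str:
    """Replace each symbol with the alphabet symbol at the position it occupies in the key.

    zip() pairs only as many positions as both strings provide, so alphabet entries
    past the end of the key, and any symbol absent from the key, are left unchanged
    (the write-up states that unused symbols stay as they are).
    """
    table = {k: a for k, a in zip(key, alphabet)}
    return "".join(table.get(ch, ch) for ch in text)


def encode(text: str, key: str, alphabet: str) -> str:
    """Inverse mapping (alphabet -> key); used here only to build constructed samples."""
    table = {a: k for k, a in zip(key, alphabet)}
    return "".join(table.get(ch, ch) for ch in text)


def decode_strings(text: str) -> dict:
    """Try every known string key; returns {key_index: candidate plaintext} for triage."""
    return {i: decode(text, k, STRING_ALPHABET) for i, k in enumerate(STRING_KEYS)}


def decode_tcp(text: str) -> str:
    """Decode one TCP request or response as sent in the extended RAT mode."""
    return decode(text, TCP_KEY, TCP_ALPHABET)


# Constructed samples: "Kaspersky" under string key 1 and a NOOP command on the TCP channel.
SAMPLE_ENCRYPTED_STRING = "LZWjxdW9D"
SAMPLE_TCP_LINE = "Tyyd a"

if __name__ == "__main__":
    print(decode_strings(SAMPLE_ENCRYPTED_STRING))
    print(decode_tcp(SAMPLE_TCP_LINE))
```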

C2 requests and responses are divided into two parts by the first space character. The first part is a command and the second part is usually an argument.
After connecting and before receiving information from the C2, the malware sends metadata about the infected machine using the NOOP command. This metadata includes a run cycle counter, mounted drive metadata, time since the last input activity and data about the display settings.

Based on the C2 command, the malware can execute commands on the infected machine, perform reboot and shutdown actions, control the cursor, take screenshots, compress files into archives, and send files to other specified servers. In short, it can fully control the machine. The full list of commands is as follows:

System control

  • KILL REBOOT: Reboots the infected system
  • KILL POWER: Shuts down the infected system
  • KILL SELF: Same as the QUIT command (described below)
  • KILL ME: Exits process running the malware

Surveillance

  • SCREEN / SCREEN9: makes a screenshot, saves it to the ~wra1269.tmp file and sends it to the C2

File operations

  • DELETE <filename>: deletes specified file
  • DELDIR <dirname>: deletes specified directory
  • REN <file path 1>#<file path 2>: moves specified file
  • MAKDIR <path>: creates directory
  • ZIPFILE <file or folder name> / ZIPFOLDER <file or folder name>: compresses specified file/folder into a .zip archive
  • TAR <file or folder name> / TAR2 <file or folder name>: compresses specified file/folder into a .tar archive
  • GETFILEDATE <filename>: sends file’s last modification date
  • SETFILEDATE <filename>: sets file’s last modification date
  • GETFILEACC <filename>: sends file’s last access date
  • DWLOAD <filename>: sends file to the C2
  • UPLOAD <filename>#<C2 address>: uploads file to the specified C2 server

Reconnaissance

  • USER: sends username
  • KALIVE: sends run cycle counter
  • IDLE: sends number of seconds passed since last input activity
  • DRIVES: sends information about mounted drives
  • FOLDEX <folder type>: sends full path to a directory of the specified type:
      – type = 0x63: temporary directory
      – type = 0x64: \Google\Chrome\User Data\Default\ in AppData\Local folder
      – type = 0x65: \Downloads\ in user home directory
      – type = 0x66: \Microsoft\Excel\XLSTART\ in AppData folder
      – type = 0x67: AppData folder
  • LFILES <folder path>: lists and sends paths to all files in the directory
  • OSVER: sends information about user, hostname, OS architecture and version
  • COMPILERDATE: sends constant hardcoded in the RAT, e.g., 25.10.2025

Generic control

  • DSOCKE: recreates TCP keep-alive socket
  • QUIT: notifies the C2 about quitting, closes the socket and stops the process
  • RUNHID <command> / RUN <command>: runs specified command inside ShellExecuteW
  • RUNDOS <command>: runs specified command inside CreateProcessW
  • RUNTASK <command>: creates, runs and deletes task that executes specified command
  • SKEY <key code>: presses specified key
  • MOUSE FREEZE: freezes mouse movement
  • MOUSE <command>: clicks the specified mouse button or sets the cursor position to the specified coordinates


Other delivery methods


During our research, we also observed other delivery methods for the RAT. Instead of patching FFmpeg and downloading the payload from GitHub, the attackers included the main payload as libpython64.dat or another file with a similar name in the lib\py3-windows-x86_64 directory of the game. This .dat file was loaded by one of the libraries used in the game, which was patched for this purpose.

In another case, the threat actor posted their malicious DLL file (payload downloader) on a gaming forum, disguising it as a cheat.

Infrastructure


Our research revealed the following infrastructure was used in this attack.

Domain                      | IP               | First seen         | ASN
asper1[.]freeddns[.]org     | 181[.]116.218.56 | September 16, 2024 | 11664
asper1[.]freeddns[.]org     | 186[.]158.223.35 | July 01, 2025      | 11664
country1[.]ignorelist[.]com | 186[.]158.223.35 | September 10, 2025 | 11664
country1[.]ignorelist[.]com | 127[.]0.0.1      | November 11, 2025  | -
Winst0.kozow[.]com          | 186[.]158.223.35 | April 26, 2026     | 11664

Victims


According to our telemetry, hundreds of individuals were infected with this malware. The majority of the victims were located in Russia, Brazil, Germany and Vietnam.

Distribution of victims

Attribution


Based on the language of the comments in the code, infrastructure data and other facts, we assess with medium confidence that the developer of the downloader chain speaks Spanish.

The actor behind this attack uses Spanish in variable names and comments. For example, the Base64-decoded delivery script contains the following lines:

Part of the PowerShell script used in the payload delivery

In addition, the JavaScript code from the website distributing infected games contains variable names, function names and comments in Spanish:

JavaScript code from the malicious site

Notably, the malware payloads used in this attack had previously chosen 127.0.0.1 as their C2 server when the victim’s default locale is set to “zh-CN”, thus not targeting Chinese users. This may indicate that the attacker is associated with a Chinese-speaking threat actor or uses payloads developed by a Chinese-speaking threat actor. However, we still believe it’s unlikely that the developer of these delivery chains is Chinese-speaking.

Conclusions


The Argamal Trojan is a new RAT targeting individuals who seek adult games. During our analysis, we observed a steady stream of updates to the payload, including the addition of new features and fixes for various bugs, as well as changes to the infrastructure. This leads us to believe that the threat actor behind this malware will continue to develop and enhance it. The campaign’s goal is likely data and credential theft; however, the RAT enables the attacker to take full control of the device and execute any malicious activity they want.

Creating malware in today’s development landscape has become significantly easier thanks to the wide availability of detailed guides, tooling, and automation resources. As a result, it is crucial not only to detect known malware but also to identify new and evolving threats as they emerge. Kaspersky solutions prevented the malicious activity in the earliest stages of the attack. The solutions help ensure device security by identifying not only known threats but also the behavior of the software and its actions, providing comprehensive protection against malware.

Indicators of Compromise


File hashes
RAT payloads:

Trojan downloaders:
9803604ec45f31f9ef75bcca1e1310d8ac1fc3a6
edce72f59e4c1d136cd1946af70d334c19df858d
02819d200d1424882af81cb504b3e8614b32397a

Domains and IPs
asper1[.]freeddns[.]org
Winst0[.]kozow[.]com
Country1[.]ignorelist[.]com
186[.]158.223.35

GitHub repositories used in the campaign
hxxps://github[.]com/gmz159/u
hxxps://github[.]com/DnyP/files
hxxps://github[.]com/mgzv/p


securelist.com/argamal-rat-dis…

When Artificial Intelligence chooses whether, when and how to attack


@Informatica (Italy e non Italy)
The evolution of AI has introduced new and complex challenges in cyber security. Let's find out what they are and how the AI agents that autonomously carried out many espionage operations act
The article Quando l’Intelligenza artificiale sceglie se, quando e come

Cybersecurity & cyberwarfare reshared this.

IKEA in cyber emergency: 180 GB of data at risk, the Lapsus$ group strikes again!

📌 Link to the article: redhotcyber.com/post/ikea-in-e…

By Luigi Zullo

#redhotcyber #news #cybersecurity #hacking #malware #ransomware #ikea #ingka #daticompany

Cybersecurity & cyberwarfare reshared this.

FSB Claims Foreign Spyware Found on Russian Officials’ Phones in Targeted Espionage Campaign
#CyberSecurity
securebulletin.com/fsb-claims-…

Cybersecurity & cyberwarfare reshared this.

WordPress Sites Turned Into Spy Networks: Malware Hides C2 Commands in Steam Profile Comments Using Unicode Steganography
#CyberSecurity
securebulletin.com/wordpress-s…

A Diffraction Grating Makes This Clock Readable



We’ve seen just about every possible way to make a clock here at Hackaday over the years. So it’s rare to have a first, but here we are with [Twisted & Tinned], who’s made a novel clock with a diffraction grating.

The display of the clock looks for all the world like a jumble of LEDs, that is, until you place the grating in front of it. Those LEDs are addressable multi-color parts, and each digit is generated at a different color all on top of each other. The grating splits out these colors, resulting in a magical set of floating LED figures.

Behind those LEDs is a Pi Pico, but that’s just one of many microcontrollers that could have powered this project. It’s the use of the diffraction grating in a novel way with those LEDs that makes the difference, and we rather like it. He’s also managed to get the grating pattern in the 3D printed surround for a shimmering look, by printing directly onto a diffraction grating sheet. That in particular is a technique we’ve looked at before in detail.

youtube.com/embed/1DD9vaVy1H8?…


hackaday.com/2026/06/03/a-diff…

Cybersecurity & cyberwarfare reshared this.

1-Click GitHub Token Theft: VSCode Webview Flaw Exposes OAuth Tokens for All Private Repositories
#CyberSecurity
securebulletin.com/1-click-git…

Cybersecurity & cyberwarfare reshared this.

CISA Adds Oracle WebLogic CVE-2024-21182 to KEV Catalog as Active Exploitation Confirmed — Patch by June 4
#CyberSecurity
securebulletin.com/cisa-adds-o…

Cybersecurity & cyberwarfare reshared this.

Technical documentation: an underestimated obligation but a pillar of security

📌 Link to the article: redhotcyber.com/post/documenta…

By Stefano Toffano

#redhotcyber #news #gestioneinfrastrutture #manutenzione #rete #pmi #informatica #tecnologia

Cybersecurity & cyberwarfare reshared this.

📺 Risky Business Weekly (840): Microsoft walks back researcher threats

risky.biz/video/risky-business…


Cybersecurity & cyberwarfare reshared this.

329 - The reason why Chinese products get banned camisanicalzolari.it/329-la-ra…

Cybersecurity & cyberwarfare reshared this.

💥🚨 FLASH SALE: -10% UNTIL 7 JUNE FOR THE EIGHTH "DARKWEB & CYBER THREAT INTELLIGENCE" LIVE CLASS STARTING IN JULY

FOUR LESSONS TO UNDERSTAND THE DARKWEB AND BECOME A PROTAGONIST IN CYBER THREAT INTELLIGENCE.
For info and registration: 📱 💬 379 163 8765 ✉️ formazione@redhotcyber.com

✅ Course page: redhotcyber.com/linksSk2L/acad…
✅ Course presentation by Prof. Pietro Melillo: youtube.com/watch?v=9VaQUnTz4J…
✅ Introductory webinar presenting the course: youtube.com/watch?v=ExZhKqjuwf…
✅ DarkLab workshop at the RHC Conference 2026: youtube.com/watch?v=yE1Li3TS5B…

#redhotcyber #formazione #formazioneonline #ethicalhacking #cti #cyberthreatintelligence #cybersecurity #cybercrime #cybersecuritytraining #cybersecuritynews #privacy #cti #cyberthreat #intelligence #infosec #corsi #corsiprartici #liveclass

Cybersecurity & cyberwarfare reshared this.

ACN Annual Report 2025: attacks on the rise, but more effective defences

📌 Link to the article: redhotcyber.com/post/relazione…

By Paolo Galdieri

#redhotcyber #news #cybersecurity #hacking #malware #ransomware #sicurezzainformatica

Cybersecurity & cyberwarfare reshared this.

RHC Conference 2026 Workshop - Block Me If You Can: Defending LLMs from Prompt Injection

Watch the video: youtube.com/watch?v=XeZF6kuohH…

#redhotcyber #rhcconference #conferenza #informationsecurity #ethicalhacking #dataprotection

Cybersecurity & cyberwarfare reshared this.

Big Brother enters the office: the Garante halts the AI that assesses employees' stress

📌 Link to the article: redhotcyber.com/post/il-grande…

By Carolina Vivianti

#redhotcyber #news #protezionedatidipersonali #privacylavoro #intelligenzaartificiale

Turning an Old 3D Printer Into a Vinyl Cutter for Cheap



Replacing a 3D printer’s extruder with a cutting blade seems like an easy way to do things like vinyl cutting, but you cannot just put on any blade and expect good results. The right type of blade is called a drag knife and it’s designed so that it follows the direction in which you’re cutting. You can get these in dedicated vinyl cutting machines, as well as in the form of attachments for the likes of CNC machines. How to use them with an old Anycubic Mega S FDM printer is demonstrated by [Cocoanix 3D Printing] in a recent video.

For a bit more background information you can peruse for example this write-up by [Kronos Robotics], who goes through the steps of selecting the right blade, cutting mat and such for use with a CNC machine.

For the 3D printer in the video a Roland vinyl cutter style holder and blades were bought off AliExpress, for which then a custom 3D printed mount was designed, though you can often get a ready-made one off your usual 3D model sources. Following this you get into the hardest part, being the software and making sure you don’t cut too deep into the vinyl through its backing paper.

Fortunately most of the hard work here is done already by the Polycut project, which is precisely designed to help you turn a 3D printer or similar into a vinyl cutter or plotter. This takes in an SVG file and generates the appropriate g-code, after which you better have gotten your Z-offset calibration right if you want that perfect result. With all that in place it’s then actually quite easy to cut your very own vinyl without shelling out big bucks for a dedicated machine.

Of course, it'll likely never be as fast as those machines, it requires more calibration and has a more limited cutting space, but it's not a permanent modification and is probably less crazy than putting a laser engraver module on a commercial FDM printer like the Bambu Lab H2D.

youtube.com/embed/KcpcjyyMpYQ?…


hackaday.com/2026/06/02/turnin…

Cybersecurity & cyberwarfare reshared this.

Why an #HP Poly #VoIP Phones Bug Could Become an Enterprise Foothold
securityaffairs.com/193045/sec…
#securityaffairs #hacking

Cybersecurity & cyberwarfare reshared this.

Internet connectivity in Iran: why its interruption is a serious problem

📌 Link to the article: redhotcyber.com/post/la-connes…

By Silvia Felici

#redhotcyber #news #iran #internet #cloudcomputing #ecommerce #istruzioneonline #censura

Cybersecurity & cyberwarfare reshared this.

327 - What our children do with AI while we sleep camisanicalzolari.it/327-cosa-…

A High-Vacuum Controller for an Eventual Electron Microscope



A black plastic box is shown, with a green circuit board inside. The circuit board is wired to an RS-232 connector and an RJ-45 connector.

[Chris Doble] has high ambitions: he’s making his own scanning-electron microscope, and as the first step he’s built a high-vacuum system. This required its own controller to manage the various electronics involved in the system, which he’s documented and open-sourced.

The vacuum system itself starts with a rotary-vane roughing pump, which can bring a chamber down from atmospheric pressure to about 10^-3 millibar. This is still too high a pressure, so the second stage is a turbomolecular high-vacuum pump, which can operate from 18 millibar down to 10^-7 millibar. To protect the turbomolecular pump in case the roughing pump suddenly stops, it includes an anti-suckback valve. Connected to these pumps is a pressure gauge which uses a pair of sensors to sense the entire pressure range. All this setup worked well, but the turbomolecular pump and the pressure sensor each used their own interfaces, while [Chris] wanted a single interface for the eventual microscope.

[Chris] therefore designed his own controller based on the Raspberry Pi Pico 2, with firmware written in Rust. The pressure gauge uses an RS-232 interface, which he connected to the Pico's UART pins using an RS-232 level shifter, with a null modem to swap over the transmitting and receiving pins. The turbomolecular pump used an RS-485 interface, which required a converter circuit and some level-shifting resistors. A custom PCB and 3D-printed case hold the final circuit, which provides a host computer with a single USB interface. When [Chris] tested the controller, the vacuum chamber reached a pressure of 10^-6 millibar, and was still slowly falling when he ended the test.

This isn’t the first vacuum chamber controller we’ve seen. Of course, this assumes that the pressure gauge already has a controller; if not, we’ve also covered one of those. To see the inspiration for [Chris]’s project, check out [Ben Krasnow]’s scanning-electron microscope.

youtube.com/embed/Ku04_mVZx_E?…


hackaday.com/2026/06/02/a-high…

Cybersecurity & cyberwarfare reshared this.

Folks, please for the love of god, stop sending Operation Zero your AI slop bug reports.

Y’all know that what they really like are government-grade stolen 0days.

Does Your Terminal Speak Morse? This One Does



There are a lot of single board computers on the market these days, so you can be forgiven if you missed the LuckFox Lyra. Its main claim to fame seems to be that it shares the Pi Pico’s 51 mm x 21 mm footprint while being powerful enough to run a full Linux system– or at least, it was. Now its claim to fame is as a device you can interact with using no peripherals, accessing the terminal via Morse code. That’s thanks to [Gabriel Broussard Korr] and his Morstdin project, which should run on just about anything POSIX-compliant, by dint of being a clever sh script at heart.

Of course, with most POSIX-compliant systems, you’ll need to alter the script to account for some kind of peripheral to do the Morse I/O– not so on the LuckFox Lyra, which has a built-in LED and a single usable button. It actually has two buttons, but one of them is RESET and you can’t use that for anything but its intended purpose. The BOOT button, on the other hand, becomes user input after the system has started. One button, one LED? It’s almost like LuckFox designed this SBC for Morse! Admittedly we’d prefer an audible output, but adding a buzzer would detract from the purity of this implementation.

He’s had to extend the code, of course, since Samuel Morse did not expect all of the special characters you’re likely to encounter on the terminal. The resultant Programmer’s Morse, or PMorse, is a straightforward extension, but [Gabriel] didn’t stop there: he’s also added a set of commands he describes as “vim-like” that make using this headless device easier by doing things like deleting whole words or flashing the line you’re working on so you can make sure you haven’t made any errors.

If that wasn’t enough, he’s also put an LLM on it. Because in the Year of Our Lord 2026, you apparently cannot escape the frakkin’ toasters by jumping your rag-tag fleet into the 128 MB of RAM on this tiny SBC. Still, his inclusion of llama.cpp does add one thing to the project: it can now claim to be the world’s smallest stand-alone chatbot. It’s also the only one that speaks Morse. That’s got to be worth some bragging rights.

[Gabriel] may have a thing for physically tiny Linux devices– his last project, which we featured, was about using Linux on old smartphones with Termux.

Thanks to [Gabriel] for the tip!

Header image credit Luckfox.


hackaday.com/2026/06/02/does-y…


Activists detained this morning in Rome have been released
pressenza.com/it/2026/06/rilas…
After more than 7 hours, the six people picked up by law enforcement near the Altare della Patria were released by the Tor Sapienza Immigration Office. The people involved announced it themselves once they had left the building, since communications…
Extinction Rebellion



On the Italian government’s proposal to rename the unit of measurement “volt” to “volta”: www.terminologiaetc.it/2026/06/01/o... They evidently have nothing better to do!

Government proposal: from volt ...

From Scrappy Pallet Wood to Fancy Tea Tray



Pallets are a wonderful way to package goods and move them around, but especially the wooden ones have a very finite lifespan. This means that many of them are discarded every day, even though there is still good wood on them. Even if it’s not the highest quality wood, you can still use it for some nice wooden items, like the tea tray that [GR Woodworking] recently put together.

The reclaimed wood is the typical fast-growing, soft type, with the suspicion of it being paulownia here. Of course, wooden pallets use a wide variety of wood varieties, so not all reclaimed wood is equally suitable for applications like this, and identifying the type can be a challenge in itself.

In the video it’s shown how the wood is planed to make it smooth and straight, before the joints are created and it is married to the poplar or aspen base plate. Of note is that absolutely no power tools or bulky things like router tables are used here, just basic hand tools that should make this kind of woodworking accessible to people even without that kitted-out woodworking shop.

After assembly it’s finished with Vararhana oil-based stain to give it a darker look and really bring out the grain. Naturally, since it’s a tea tray it has to be commissioned with a proper tea ceremony, which it passes with flying colors.

youtube.com/embed/tnNvp0LoJiw?…


hackaday.com/2026/06/02/from-s…


Trump signs an executive order calling for oversight of artificial intelligence models

The order, which signalled a shift from the hands-off approach the White House had previously taken toward artificial intelligence, followed debates over how to gain control of AI models without compromising innovation

theguardian.com/us-news/2026/j…

@aitech


The 2026 EMF Badge Arrives, With An Add-On. As Expected, It’s Familiar



Four years ago the EMF hacker camp in the UK released a new kind of event badge. The Tildagon was designed to be a recurring event badge, useful for the next EMF rather than destined to be e-waste. With the 2026 event coming up there’s a new Tildagon called the Spaceagon, and as you might expect it’s very familiar indeed.

Tildagon owners can update their badge with the Spaceagon front panel, while those without one can buy the new badge. It has a few minor updates from its predecessor, including better buttons, LEDs, and display mounting, and there’s a compass, a joystick, and touch sensitive areas.

The Tildagon introduced its own add-on format, the Hexpansion. This year there’s the first official Hexpansion, a keyboard, using the same rubber moulding we see on quite a few maker projects. We like the Hexpansion idea because it uses an edge connector rather than a set of pins on the device, but at the cost of more expensive badge parts.

If you’re going to EMF you should be able to order yourself a Spaceagon, or an upgrade kit if you already own a Tildagon. Meanwhile we covered the 2024 version back when it arrived, and surprisingly this isn’t the first keyboard add-on for it either.


hackaday.com/2026/06/02/the-20…


Miasma hits Red Hat: 33 poisoned npm packages stealing cloud credentials and CI/CD secrets


@Informatica (Italy e non Italy)
Thirty-three npm packages in the @redhat-cloud-services namespace were compromised by the Miasma campaign, an evolved variant of the Shai-Hulud worm. The malware uses preinstall hooks, AES-GCM encryption and disguised traffic


Miasma hits Red Hat: 33 poisoned npm packages stealing cloud credentials and CI/CD secrets


Thirty-three npm packages belonging to Red Hat’s official @redhat-cloud-services namespace were compromised in what researchers have dubbed the Miasma campaign, an evolved variant of the Shai-Hulud worm already seen hitting the npm ecosystem. The attack has already contaminated 309 GitHub repositories and has proven capable of stealing developer credentials, CI/CD secrets, SSH keys and cloud tokens silently and automatically.

Background: the Shai-Hulud worm and the Miasma family


Shai-Hulud emerged as one of the most sophisticated worms targeting the npm ecosystem: it combines automatic execution at install time, multi-target credential theft and encrypted exfiltration. The Miasma campaign inherits that modus operandi entirely, with a few technical innovations, in particular the abuse of GitHub infrastructure and of Anthropic services for staging and exfiltration fallback.

According to researchers at Socket, who identified the campaign, the actor is believed to have compromised the GitHub account of a Red Hat employee in order to publish poisoned versions of legitimate packages already widely used in Red Hat Cloud Services’ internal toolchain. Red Hat confirmed the removal of the packages, stating that the impact was limited to internal development tools, but the contamination of 309 GitHub repositories suggests a far wider spread.

Infection chain: from npm install to silent theft


The trigger mechanism is elegant in its simplicity: the package.json of the compromised packages contains a "preinstall": "node index.js" hook, which means the malicious payload runs automatically before the package installation completes, before the developer can even realise what is happening.

The first-stage loader uses a series of obfuscation techniques: char-code arrays, ROT-style transformations and AES-128-GCM encrypted blobs. Once deobfuscated, the code decrypts and drops the main payload into /tmp/p*.js and runs it through Bun (a high-performance JavaScript runtime), silently downloading Bun from GitHub if it is not present on the system.

The malware then performs a systematic harvest of sensitive credentials, including:

  • GitHub Actions secrets and npm tokens (~/.npmrc)
  • AWS cloud credentials (~/.aws/credentials), GCP, Azure
  • Kubernetes and HashiCorp Vault material
  • Private SSH keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519)
  • Git credentials (~/.git-credentials, ~/.netrc)
  • GitHub CLI tokens via gh auth token

The stolen data is Base64-encoded, encrypted and sent via HTTPS POST to an exfiltration endpoint. If that fails, the malware uses a fallback mechanism based on GitHub commits, writing results–.json files to an attacker-controlled repository, a dead-drop technique that exploits GitHub’s legitimate infrastructure to evade network traffic filtering.

Distinctive technical details


Among the most characteristic elements of the attack:

  • Anti-analysis for Russian systems: the malware checks the system locale and changes its behaviour on Russian-language machines, suggesting a non-Russian actor, or at least one careful to avoid diplomatic incidents.
  • Exfiltration toward api.anthropic.com: the exfiltration traffic is disguised as a call to the Anthropic API on port 443, making it practically indistinguishable from legitimate traffic in environments that use LLMs.
  • Unique commit marker: the code includes the string IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner and the commit message Miasma: The Spreading Blight, probably a taunt aimed at analysts.
  • Attempted escalation on CI runners: the malware attempts privileged execution via sudo on CI runners, expanding its access to build environments.


Indicators of compromise (IoC)

# Compromised npm packages
@redhat-cloud-services/chrome (v2.3.1 and other versions)
@redhat-cloud-services/* (over 30 packages in the namespace)

# Filesystem artefacts
/tmp/p*.js                        # main payload
/tmp/tmp.0987654321.lock          # daemon lock file
b.zip, bun, bun.exe               # downloaded runtime

# Fallback exfiltration files
results–.json
results/results–.json

# Network endpoints
api.anthropic[.]com:443/v1/api    # disguised exfiltration
api.github[.]com/graphql          # dead-drop fallback
github[.]com/oven-sh/bun/releases/download/bun-v1.3.13/  # Bun staging

# SHA-256 hashes
88896d478986d453f5da79b311de39d9b4b1bea95c21af1d8ef181b0f4e52fe9
21b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4

Attribution and link to TeamPCP


Attribution remains uncertain. The public availability of the Shai-Hulud tooling has lowered the entry barrier for multiple actors, making unambiguous attribution difficult. Researchers nevertheless note tactical overlaps with the TeamPCP group, already linked to activity on BreachForums, and with the Mini Shai-Hulud campaign documented separately in the same period. The choice of Red Hat as a target, an open-source vendor with a large developer ecosystem and often highly privileged cloud credentials, suggests a specific interest in access to enterprise DevOps pipelines.

What defenders need to do


For security teams managing environments with npm dependencies, the priority actions are:

  • Immediately audit all @redhat-cloud-services/* packages installed in the last month, checking their hashes against the restored official versions.
  • Preventively rotate all credentials reachable from build environments: npm tokens, SSH keys, AWS/GCP/Azure credentials, GitHub Actions secrets.
  • Block npm lifecycle hooks in CI/CD environments with the ignore-scripts=true setting in .npmrc; this measure alone would have prevented the automatic execution of the payload.
  • Monitor for anomalous traffic to api.anthropic.com and api.github.com from unexpected node/bun processes.
  • Review the preinstall hooks in all third-party npm packages in the corporate private registry.

The Miasma campaign represents a qualitative leap in the engineering of npm supply chain attacks: it does not merely inject simple payloads but builds an entire infrastructure of persistence, redundant exfiltration and anti-analysis that makes both detection and complete remediation difficult.



Can you see how to use a test vector that provides (seed, public key, message, µ, signature) to test a deterministic signing API that does (seed, message) → (signature) or a key generation API that does (seed) → (public key)?

Noted cryptographer D. J. Bernstein can't, certainly in good faith.

*sigh*

I jest, but refuting this FUD takes real resources we could spend so, so, so much better. It'd be sad if it wasn't so harmful.

mailarchive.ietf.org/arch/msg/…

Miasma hits Red Hat: 33 poisoned npm packages stealing cloud credentials and CI/CD secrets
#CyberSecurity
insicurezzadigitale.com/miasma…



Linux Fu: Taming Strace



While many operating systems seem to try to prevent you from peeking under the hood, Unix and Linux positively encourage it. One great tool that we’ve looked at before is strace. Using this tool, you can see details about every system call a program makes. As you might imagine, for any significant program, the output from strace can be huge.

While I’m not always a fan of GUIs, this is one of those cases where making the data easier to browse is a great idea. Enter strace-tui, a text-based GUI for strace from [Rodrigodd]. The program can parse output from strace or manage the strace execution itself, and either way, display the data in a useful way.

I started out looking at [janestreet’s] strace_ui, but the OCaml setup was throwing errors for me, so I just gave up. The strace-tui installs like many Rust programs, using cargo, and it went smoothly.

An Example

The strace-tui interface.

The only issue I had running the tool was that I don’t normally keep ~/.cargo/bin on my path. You can add it to your path, link the executable into your path, or solve that in any number of other ways.

As an example, I traced a symbolic link command (ln -sf nature.txt test.link). It is easy to pick out some essential information on the top line. The command took 112 system calls, 14 of them failed (which isn’t unexpected), there were no unfinished calls, no signals, and only a single PID.

The bottom shows things you can do. Arrows or j and k, along with the usual cursor control keys like Home and Page Down, scroll through the list. The right and left arrows will expand or collapse items. That will show details about the call in question, including the arguments and return values. You can consult the help for all the details.

Useful Tools


The real power, though, lies in filtering out the noise and searching for specific things. If you are looking at something you don’t want to see, you can press a lowercase h to hide it, but note that it hides everything similar, not just an individual line. An uppercase H will bring up a filter dialog where you can include or exclude groups of data.

Searching is also a great way to find what you want. A slash key starts a search. The n key moves between matches, with lowercase n moving forward and uppercase N moving backward.

For example, if I only wanted to look at openat commands, I could open the dialog. Not only does it show filters, but it also shows how many things match (there are 30 instances of openat). Pressing a will toggle all entries off and then selecting openat greatly reduces the amount of output. I also selected symlinkat, read, and fstat so I would only look at the file-related items.

Peeking at the system call that does the actual linking.
Many of the file operations are related to loading shared libraries and locales. To find the actual line that makes the link, it was easy to press the slash key and some text from the file like test.link.

That will highlight the symlinkat line, which is no surprise, but this is a simple example. If you press Enter or the right arrow, you can see more detail, including arguments, the return value, the amount of time executing, and a backtrace that shows how your program made it to the call.

This is a simple example, but the program can also visualize multi-threaded or multi-process traces using graphs. That can be helpful for analyzing real programs.

Even this simple program has a lot of output. Sure, if you are trying to debug a locale-related problem, all of the lines about loading locale files that don’t exist might be gold. But most of the time, you don’t really care about all the standard loading scaffolding and a tool like this can help cut through the chatter.

Missing Links


According to the project page, there are some missing features, and we presume this is a roadmap for future development.

In particular, the program can’t filter traces for specific processes or threads. There’s also no way to copy details to the clipboard or export filtered traces out to a file. Of course, it is open source, so you can always volunteer to add some of this or your favorite feature.

If you give strace-tui a shot, or have other strace tips and tricks you’d like to share, let us know in the comments.


hackaday.com/2026/06/02/linux-…



Another 150 companies join the Glasswing project! Energy, water utilities, healthcare, hardware

📌 Link to the article: redhotcyber.com/post/altre-150…

By the RHC editorial staff

#redhotcyber #news #intelligenzaartificiale #sicurezzainformatica #partnership #cybersecurity


#Instagram Account Hijacks Expose the Security Risks of #AI-Powered Support
securityaffairs.com/193034/hac…
#securityaffairs #hacking


in reply to securityaffairs

Greetings!

Checked your product earlier and honestly it feels like something Reddit users would naturally talk about because the underlying problem already gets discussed there often.
But right now there’s almost no visibility around your brand itself yet.
Just wondering, are you mainly relying on SEO and ads currently?
I think people on Reddit would actually discuss this