@lawrencesec.bsky.social
π¬π§ Threat Research @ Recorded Future. I Like Tracking ASNs and ISPs for some reason...
Recorded Futureβs Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET. The activity is attributed to the Russian state-sponsored threat group | www.recordedfuture.com/research/blu...
18.12.2025 12:09 β π 7 π 4 π¬ 0 π 0CastleLoader in the wild! Four distinct activity clusters, sector-specific targeting of logistics, and high-end tooling like Matanbuchus and CastleRAT.
09.12.2025 15:43 β π 3 π 2 π¬ 0 π 0
Recorded Futureβs Insikt Group uncovered four GrayBravo activity clusters. TAG-160 impersonates logistics firms, while TAG-161 impersonates Booking.com, employing ClickFix to deliver CastleLoader and Matanbuchus. www.recordedfuture.com/research/gra...
09.12.2025 11:25 β π 6 π 5 π¬ 0 π 0
2/ Our latest analysis uncovered four distinct activity clusters within GrayBravoβs ecosystem, all leveraging the groupβs #CastleLoader malware. Each cluster uses different tactics, techniques, and targets, reinforcing the assessment that GrayBravo runs a #MaaS model.
09.12.2025 08:24 β π 3 π 1 π¬ 1 π 0
1/ @whoisnt.bsky.social, Marius, and I just published a report on #GrayBravo (formerly TAG-150), a highly adaptive, sophisticated threat actor that we first identified in Sept 2025. It uses a multi-layered infrastructure and responds quickly to exposure: www.recordedfuture.com/research/gra...
09.12.2025 08:24 β π 10 π 6 π¬ 1 π 1A good piece highlighting the EU's continued inaction following recent sanctions, essentially allowing these enablers to continue their operations.
05.12.2025 19:35 β π 1 π 0 π¬ 0 π 0
The Predator spyware from surveillance company Intellexa has been using a zero-click infection mechanism dubbed "Aladdin" that compromised specific targets when simply viewing a malicious advertisement.
04.12.2025 15:48 β π 8 π 5 π¬ 0 π 0
π¨ - New report by Haaretz, Inside Story, Inside-IT and Amnesty International release the Intellexa Leaks. Which exposes Intellexa support staff had access through Teamviewer to customer deployments and confirms found IOC's in the past by civil society. π§΅π
04.12.2025 11:37 β π 9 π 16 π¬ 1 π 3
1/ Today we release a new report exposing previously undisclosed entities connected to the wider #Intellexa ecosystem as well as newly identified activity clusters in Iraq and indications of activity in Pakistan: www.recordedfuture.com/research/int...
04.12.2025 04:17 β π 26 π 18 π¬ 2 π 43/ As long as the same LIRs and the same bad actors are able to maintain control of their RIPE resources, the problem will never stop.
26.11.2025 14:12 β π 0 π 0 π¬ 0 π 0
2/ The case of fraud relating to metaspinner GmbH really does spell out the severity of the problem...
26.11.2025 14:11 β π 0 π 0 π¬ 1 π 0
1/ It's nice to see the topic of bulletproof hosters and Threat Activity Enablers gaining more mainstream attention; however, a bigger problem than endless shell companies exists, and that is RIPE RIR policy. bindinghook.com/neutral-inte...
26.11.2025 14:11 β π 2 π 1 π¬ 1 π 1NSA Joins CISA and Others to Release Guidance on Mitigating Malicious Activity from Bulletproof Hosting Provider Infrastructure
November 19, 2025, NSA/CSS
www.nsa.gov/Press-Room/P...
The national cyber director and a top FBI official shared more details about the forthcoming Trump administration document Tuesday. via @timstarks.bsky.social cyberscoop.com/trump-cyber-...
19.11.2025 14:57 β π 2 π 2 π¬ 0 π 0
3/
19.11.2025 17:19 β π 2 π 0 π¬ 0 π 0
2/ Sanctions include Aeza's entities used to evade recent OFAC and UK sanctions, including Hypercore LTD and SMART DIGITAL IDEAS DOO. Myself and @whoisnt.bsky.social
break down these entities in our recent report: www.recordedfuture.com/research/mal...
1/ United States, Australia, and United Kingdom sanction Russian threat activity enabler Media Land (Yalishanda) and follow up on recent designations targeting Aeza. ofac.treasury.gov/recent-actio...
19.11.2025 17:17 β π 3 π 3 π¬ 1 π 0This is highly likely CrazyRDP :)
16.11.2025 19:58 β π 2 π 0 π¬ 0 π 0
2/ ASNs believed to be utilised by CrazyRDP were reportedly downstream of aurologicβ¦.. lowendspirit.com/discussion/c...
15.11.2025 12:08 β π 0 π 0 π¬ 0 π 0
1/ Reports indicating that CrazyRDP is the bulletproof hoster behind this seizure in the Netherlands. nltimes.nl/2025/11/14/d...
15.11.2025 12:07 β π 3 π 1 π¬ 1 π 03/ metaspinner net GmbH (Hamburg, Germany) has no affiliation with #AS209800, Virtualine Technologies, or any related malicious activity associated with that network.
12.11.2025 21:52 β π 0 π 0 π¬ 0 π 02/ A falsified RIPE end-user agreement provided to Insikt Group highlights how a basic verification check against publicly accessible company registration documents could have prevented the fraudulent registration.
12.11.2025 21:52 β π 0 π 0 π¬ 1 π 01/ [UPDATE] As of November 10, 2025, metaspinner net GmbH has provided substantial evidence confirming Insikt Groupβs original assessment that their identity was unlawfully and fraudulently used in the registration of #AS209800.
12.11.2025 21:51 β π 2 π 1 π¬ 1 π 0
German ISP aurologic GmbH Identified as Key Hub for Malicious Hosting Infrastructure gbhackers.com/german-isp-a...
09.11.2025 15:24 β π 1 π 1 π¬ 0 π 0Malicious Infrastructure Finds Stability with aurologic GmbH
07.11.2025 11:24 β π 1 π 1 π¬ 0 π 0
German ISP Aurologic GmbH has Become a Central Nexus for Hosting Malicious Infrastructure
08.11.2025 00:41 β π 2 π 3 π¬ 0 π 0
/10 Dive into the full report βMalicious Infrastructure Finds Stability with Aurologic GmbHβ for the data, analysis, and context behind this ecosystem: www.recordedfuture.com/research/mal...
06.11.2025 11:34 β π 3 π 0 π¬ 0 π 0
9/Aeza Group continues to rely on aurologic for a large share of its connectivity, announcing roughly half of its IP space, despite recent sanctions by the US and the UK.
06.11.2025 11:33 β π 4 π 0 π¬ 1 π 0
