Calwarez
@calwarez.bsky.social
Director for Malicious Infrastructure Discovery @ Recorded Future | Views my own
1/ New report from myself and @whoisnt.bsky.social: “Malicious Infrastructure Finds Stability with aurologic GmbH.”

We uncover how German ISP aurologic GmbH has become a central nexus for high-risk hosting networks, sustaining large concentrations of malicious infrastructure.
November 6, 2025 at 11:53 AM
Reposted by Calwarez
Recorded Future just published Dark Covenant 3.0, revealing how global crackdowns and shifting Russian enforcement are reshaping the cybercriminal underground, exposing ties to state actors and turning cybercrime into a geopolitical tool: www.recordedfuture.com/research/dar...
Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals
Explore how Russia’s cybercriminal ecosystem evolved under Operation Endgame—where state control, selective enforcement, and criminal alliances collide.
www.recordedfuture.com
October 22, 2025 at 2:26 PM
Great work by my colleague, @lawrencesec.bsky.social! He dives deep into the systemic flaw where "neutral" internet governance lets sanctioned ISPs evade restrictions and continue supporting #cyberattacks and #disinformation. A must-read on the infrastructure gap. 👇
October 21, 2025 at 8:45 AM
Reposted by Calwarez
Recorded Future just published a report diving into the Beijing Institute of Electronics Technology and Application (BIETA), which is almost certainly a front for China’s MSS, developing technologies to support intelligence and military missions. Full report: www.recordedfuture.com/research/bie...
BIETA: A Technology Enablement Front for China's MSS
Discover how China's Ministry of State Security (MSS) almost certainly operates BIETA and its subsidiary CIII as public fronts for cyber-espionage, covert communications, and technology acquisition. C...
www.recordedfuture.com
October 7, 2025 at 8:04 PM
Reposted by Calwarez
👋 Don't miss the first Colloquium session tomorrow!

📌 Mythical Beasts and Where to Find Them: Diving into the Depths of the Global Spyware Market
💡 Jen Roberts (@cyberstatecraft.bsky.social) & @julianferdinand.bsky.social (Recorded Future)
🗓️ October 2, 2025
🕓 16:00 – 17:00 CET
October 1, 2025 at 1:03 PM
Reposted by Calwarez
Recorded Future's Insikt Group reports CopyCop, also tracked as Storm 1516, expanding in 2025, adding at least 200 new fictional media websites targeting the United States, France and Canada and using self-hosted LLMs. www.recordedfuture.com/research/cop...
September 18, 2025 at 9:10 AM
Reposted by Calwarez
I'm excited to speak at #VB2025 later this week! I'll be diving into TAG-124, a group whose services are leveraged by a wide range of actors, from cybercriminals to state-sponsored groups. Hit me up if you are in town!

www.virusbulletin.com/conference/v...
September 22, 2025 at 8:23 AM
Reposted by Calwarez
The UK has sanctioned Aeza International, citing its involvement in destabilising Ukraine by providing internet services to Russian disinformation campaigns. This follows OFAC sanctions in July. www.gov.uk/government/n...
UK sanctions Georgia-linked supporters of Putin’s illegal war in Ukraine
The UK has announced new sanctions targeting Georgia-linked supporters of Putin’s illegal war in Ukraine.
www.gov.uk
September 22, 2025 at 3:48 PM
Reposted by Calwarez
Really excited to present at #LABScon25 on ChamelGang’s most recent campaign targeting the Taliban, a collaborative research project with @milenkowski.bsky.social (SentinelLABS) and @azaka.fun (TeamT5)! www.labscon.io/speakers/jul...
September 16, 2025 at 1:50 PM
Reposted by Calwarez
Great blog post from @briankrebs.infosec.exchange.ap.brid.gy on #StarkIndustries. Makes a great point by highlighting its links to MIRHosting. Where there are Dutch prefixes under these providers, there is usually always MIRHosting upstream.
New, from me:

In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of […]

[Original post on infosec.exchange]
September 11, 2025 at 6:32 PM
Reposted by Calwarez
Insikt Group identifies a new threat actor, TAG-150, active since at least March 2025. Its multi-layered infrastructure is used to deploy likely self-developed malware families, including CastleLoader, CastleBot, and the newly documented CastleRAT. www.recordedfuture.com/research/fro...
September 8, 2025 at 8:33 AM
Reposted by Calwarez
Recorded Future has spotted two influence operations around the recent India-Pakistan military conflict from May.

The networks are tracked as Hidden Charkha (pro-India) and Khyber Defender (pro-Pakistan).

www.recordedfuture.com/research/inf...
September 7, 2025 at 11:24 AM
Reposted by Calwarez
A significant amount of #CastleLoader C2 infrastructure identified by @julianferdinand.bsky.social was tied to #ThreatActivityEnabler 🇬🇧 FEMO IT SOLUTIONS #AS214351 utilising 🇩🇪 aurologic GmbH #AS30823 as their sole upstream provider. One to watch out for!
2/ TAG-150 is Insikt Group’s designation for the actor likely behind the malware families #CastleLoader, #CastleBot, and most recently #CastleRAT, a RAT documented here for the first time.
September 4, 2025 at 3:17 PM
Another great report from the team on TAG-150, a sophisticated and rapidly evolving threat actor. 🕵️ Our report documents #CastleRAT for the first time, a new Remote Access Trojan, alongside the previously observed #CastleLoader.
September 4, 2025 at 3:19 PM
August 28, 2025 at 4:02 PM
Reposted by Calwarez
Recorded Future: Stark Industries, along with its CEO and owner, was formally sanctioned by the Council of the European Union on May 20, 2025, for enabling Russian state-sponsored cyber operations | www.recordedfuture.com/research/one...
One Step Ahead: Stark Industries Solutions Preempts EU Sanctions
Before facing EU sanctions in May 2025, Stark Industries Solutions executed a strategic infrastructure overhaul to maintain operations. This report reveals how rebranding, RIPE resource manipulation, ...
www.recordedfuture.com
August 28, 2025 at 12:26 PM
This report on Stark Industries is a fantastic case study in the cat-and-mouse game between hosting providers and law enforcement. The new "Threat Activity Enabler" (TAE) terminology is spot-on and highlights the critical role these providers play in the cybercrime ecosystem.
1/ Today, we published “One Step Ahead: Stark Industries Solutions Preempts EU Sanctions,” revealing how hosting provider #StarkIndustries executed a multi-phase restructuring of its operations, beginning up to a month before #EU sanctions.
August 27, 2025 at 2:57 PM
Highly recommend this report on TAG-144. It breaks down the group's operations into five distinct clusters and reveals some serious tradecraft! From using compromised government emails to hiding payloads in JPGs. A deep dive into a very sophisticated threat.
1/ We just released a new report on TAG-144 (also known as Blind Eagle), where we identified five distinct activity clusters that have been active throughout 2024 and 2025, primarily targeting the Colombian government at multiple levels. Link to the report: www.recordedfuture.com/research/tag...
TAG-144’s Persistent Grip on South American Organizations
Persistent cyber operations by TAG-144 (Blind Eagle) continue to target South American, primarily Colombian, government entities through advanced spearphishing and RAT-based malware campaigns. Explore...
www.recordedfuture.com
August 26, 2025 at 6:58 PM
Reposted by Calwarez
1/ Today, we release a first-of-its-kind analysis of a set of Lumma affiliates within a vast info-stealing ecosystem, showing their interconnectedness and resilience even after a major law enforcement takedown attempt earlier this year: www.recordedfuture.com/research/beh...
Behind the Curtain: How Lumma Affiliates Operate
Explore a groundbreaking investigation into Lumma affiliates: uncover their tools, tactics, scams, and integration in the cybercriminal ecosystem. Essential reading for defenders.
www.recordedfuture.com
August 20, 2025 at 2:08 PM
Reposted by Calwarez
Recorded Future's Insikt Group has identified new infrastructure associated with Candiru, which includes components likely used in the deployment & C2 of Candiru’s DevilsTongue spyware, as well as higher-tier infrastructure used by the spyware operators. www.recordedfuture.com/research/tra...
August 11, 2025 at 9:38 AM
Reposted by Calwarez
New active infrastructure for Candiru spyware linked to Hungary and Saudi Arabia identified

therecord.media/candiru-spyw...
Active infrastructure for Candiru spyware linked to Hungary, Saudi Arabia
Windows spyware tracked as DevilsTongue — a product of the company Candiru — is likely still active, with clusters appearing in Hungary and Saudi Arabia, researchers said.
therecord.media
August 5, 2025 at 8:16 PM
Reposted by Calwarez
1/ We've just released a new report uncovering new infrastructure tied to multiple activity clusters linked to the Israeli spyware vendor #Candiru across several countries. Full report: www.recordedfuture.com/research/tra...
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
Recorded Future's Insikt Group uncovers active infrastructure linked to Candiru’s DevilsTongue spyware across multiple countries. Discover how this stealthy spyware targets high-value individuals and ...
www.recordedfuture.com
August 5, 2025 at 2:18 PM
NoName057(16) is back online and launching new #DDoSia attacks just 6 days after #OperationEastwood. Their new targets? Primarily German and Italian government and municipal websites. Their rapid resurgence highlights their persistence. #Cybersecurity #NoName057
July 23, 2025 at 7:55 AM
🚨 Our latest Insikt Group report, “Anatomy of DDoSia: NoName057(16)'s DDoS Infrastructure and Targeting”, is now live, providing an in-depth analysis of the pro-Russian hacktivist group’s DDoS campaigns. Get the full details here: www.recordedfuture.com/research/ana... #DDoS #DDoSia #NoName05716 🧵
July 22, 2025 at 2:12 PM
🚨 More hiring at Recorded Future’s Insikt Group

New role: Senior Threat Intelligence Analyst – Russia APT Focus

📍 Arlington VA, Boston MA, UK, or Remote
🎯 Track Russian state activity
🧠 Lead investigations and guide intel coverage

Apply: grnh.se/cpizn7d62us
Senior Threat Intelligence Analyst (Russia APT Focus)
Arlington, VA
grnh.se
June 27, 2025 at 9:27 AM