Lawrence S.
@lawrencesec.bsky.social
🇬🇧 Threat Research @ Recorded Future.
I Like Tracking ASNs and ISPs for some reason...
Pinned
1/ New report from myself and @whoisnt.bsky.social: “Malicious Infrastructure Finds Stability with aurologic GmbH.”

We uncover how German ISP aurologic GmbH has become a central nexus for high-risk hosting networks, sustaining large concentrations of malicious infrastructure.
Reposted by Lawrence S.
Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET. The activity is attributed to the Russian state-sponsored threat group | www.recordedfuture.com/research/blu...
BlueDelta’s Persistent Campaign Against UKR.NET
Discover how Russia’s BlueDelta targets UKR.NET users with advanced credential-harvesting campaigns, evolving tradecraft, and multi-stage phishing techniques.
www.recordedfuture.com
December 18, 2025 at 12:09 PM
Reposted by Lawrence S.
CastleLoader in the wild! Four distinct activity clusters, sector-specific targeting of logistics, and high-end tooling like Matanbuchus and CastleRAT.
1/ @whoisnt.bsky.social, Marius, and I just published a report on #GrayBravo (formerly TAG-150), a highly adaptive, sophisticated threat actor that we first identified in Sept 2025. It uses a multi-layered infrastructure and responds quickly to exposure: www.recordedfuture.com/research/gra...
GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries
www.recordedfuture.com
December 9, 2025 at 3:43 PM
Reposted by Lawrence S.
Recorded Future’s Insikt Group uncovered four GrayBravo activity clusters. TAG-160 impersonates logistics firms, while TAG-161 impersonates Booking.com, employing ClickFix to deliver CastleLoader and Matanbuchus. www.recordedfuture.com/research/gra...
December 9, 2025 at 11:25 AM
Reposted by Lawrence S.
2/ Our latest analysis uncovered four distinct activity clusters within GrayBravo’s ecosystem, all leveraging the group’s #CastleLoader malware. Each cluster uses different tactics, techniques, and targets, reinforcing the assessment that GrayBravo runs a #MaaS model.
December 9, 2025 at 8:24 AM
Reposted by Lawrence S.
1/ @whoisnt.bsky.social, Marius, and I just published a report on #GrayBravo (formerly TAG-150), a highly adaptive, sophisticated threat actor that we first identified in Sept 2025. It uses a multi-layered infrastructure and responds quickly to exposure: www.recordedfuture.com/research/gra...
GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries
www.recordedfuture.com
December 9, 2025 at 8:24 AM
A good piece highlighting the EU's continued inaction following recent sanctions, essentially allowing these enablers to continue their operations.
December 5, 2025 at 7:35 PM
Reposted by Lawrence S.
The Predator spyware from surveillance company Intellexa has been using a zero-click infection mechanism dubbed "Aladdin" that compromised specific targets when simply viewing a malicious advertisement.
Predator spyware uses new infection vector for zero-click attacks
www.bleepingcomputer.com
December 4, 2025 at 8:48 PM
Reposted by Lawrence S.
🚨 - New report by Haaretz, Inside Story, Inside-IT and Amnesty International releases the Intellexa Leaks, which expose that Intellexa support staff had access through TeamViewer to customer deployments and confirm IOCs found in the past by civil society. 🧵👇
December 4, 2025 at 11:37 AM
Reposted by Lawrence S.
1/ Today we release a new report exposing previously undisclosed entities connected to the wider #Intellexa ecosystem as well as newly identified activity clusters in Iraq and indications of activity in Pakistan: www.recordedfuture.com/research/int...
Intellexa’s Global Corporate Web
www.recordedfuture.com
December 4, 2025 at 4:18 AM
1/ It's nice to see the topic of bulletproof hosters and Threat Activity Enablers gaining more mainstream attention; however, a bigger problem than endless shell companies exists, and that is RIPE RIR policy. bindinghook.com/neutral-inte...
‘Neutral’ internet governance enables sanctions evasion
Internet service providers and hosting companies enable cybercrime and cyber operations. Why don’t sanctions stop them?
bindinghook.com
November 26, 2025 at 2:11 PM
Reposted by Lawrence S.
NSA Joins CISA and Others to Release Guidance on Mitigating Malicious Activity from Bulletproof Hosting Provider Infrastructure
November 19, 2025, NSA/CSS
www.nsa.gov/Press-Room/P...
www.nsa.gov
November 20, 2025 at 12:03 PM
Reposted by Lawrence S.
The national cyber director and a top FBI official shared more details about the forthcoming Trump administration document Tuesday. via @timstarks.bsky.social cyberscoop.com/trump-cyber-...
Completed draft of cyber strategy emphasizes imposing costs, industry partnership
The forthcoming Trump administration cyber strategy will introduce six key pillars, emphasizing deterrence of cyber threats and enhanced industry partnerships, with action items and deliverables for U...
cyberscoop.com
November 19, 2025 at 2:57 PM
1/ United States, Australia, and United Kingdom sanction Russian threat activity enabler Media Land (Yalishanda) and follow up on recent designations targeting Aeza. ofac.treasury.gov/recent-actio...
ofac.treasury.gov
November 19, 2025 at 5:17 PM
1/ Reports indicating that CrazyRDP is the bulletproof hoster behind this seizure in the Netherlands. nltimes.nl/2025/11/14/d...
Dutch police seize thousands of servers used for ransomware, child sex abuse footage
The Dutch police seized thousands of servers in The Hague and Zoetermeer, used solely for hosting criminal activities. According to the police, the hosting company rented space to criminals to carry o...
nltimes.nl
November 15, 2025 at 12:07 PM
1/ [UPDATE] As of November 10, 2025, metaspinner net GmbH has provided substantial evidence confirming Insikt Group’s original assessment that their identity was unlawfully and fraudulently used in the registration of #AS209800.
1/ New report from myself and @whoisnt.bsky.social: “Malicious Infrastructure Finds Stability with aurologic GmbH.”

We uncover how German ISP aurologic GmbH has become a central nexus for high-risk hosting networks, sustaining large concentrations of malicious infrastructure.
November 12, 2025 at 9:51 PM
Reposted by Lawrence S.
German ISP aurologic GmbH Identified as Key Hub for Malicious Hosting Infrastructure gbhackers.com/german-isp-a...
German ISP aurologic GmbH Identified as Key Hub for Malicious Hosting Infrastructure
German hosting provider aurologic GmbH has emerged as a critical hub within the global malicious infrastructure ecosystem, according to recent intelligence reporting.
gbhackers.com
November 9, 2025 at 3:24 PM
Reposted by Lawrence S.
Malicious Infrastructure Finds Stability with aurologic GmbH
assets.recordedfuture.com
November 7, 2025 at 11:24 AM
Reposted by Lawrence S.
German ISP Aurologic GmbH has Become a Central Nexus for Hosting Malicious Infrastructure
cybersecuritynews.com
November 8, 2025 at 12:41 AM
1/ New report from myself and @whoisnt.bsky.social: “Malicious Infrastructure Finds Stability with aurologic GmbH.”

We uncover how German ISP aurologic GmbH has become a central nexus for high-risk hosting networks, sustaining large concentrations of malicious infrastructure.
November 6, 2025 at 11:30 AM
Reposted by Lawrence S.
Recorded Future just published Dark Covenant 3.0, revealing how global crackdowns and shifting Russian enforcement are reshaping the cybercriminal underground, exposing ties to state actors and turning cybercrime into a geopolitical tool: www.recordedfuture.com/research/dar...
Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals
Explore how Russia’s cybercriminal ecosystem evolved under Operation Endgame—where state control, selective enforcement, and criminal alliances collide.
www.recordedfuture.com
October 22, 2025 at 2:26 PM
Reposted by Lawrence S.
Great work by my colleague, @lawrencesec.bsky.social! He dives deep into the systemic flaw where "neutral" internet governance lets sanctioned ISPs evade restrictions and continue supporting #cyberattacks and #disinformation. A must-read on the infrastructure gap. 👇
October 21, 2025 at 8:45 AM
Reposted by Lawrence S.
Great opinion piece by my colleague @lawrencesec.bsky.social on an extremely timely and important topic!
🚨 My latest research for @bindinghook is out!

I explore how sanctions against #Aeza and #StarkIndustries reveal the limits of current policy, and how #ThreatActivityEnablers exploit RIR policy and company registration frameworks to maintain infrastructure and support ongoing cyber operations.
In his latest for Binding Hook, @lawrencesec.bsky.social looks at how internet service providers work within the system to evade sanctions and enable #cyberattacks and #disinformation campaigns: bindinghook.com/neutral-inte...
October 21, 2025 at 8:59 AM
🚨 My latest research for @bindinghook is out!

I explore how sanctions against #Aeza and #StarkIndustries reveal the limits of current policy, and how #ThreatActivityEnablers exploit RIR policy and company registration frameworks to maintain infrastructure and support ongoing cyber operations.
October 21, 2025 at 8:53 AM