Lawrence S.
@lawrencesec.bsky.social
🇬🇧 Threat Research @ Recorded Future.
I Like Tracking ASNs and ISPs for some reason...
2/ The case of fraud relating to metaspinner GmbH really does spell out the severity of the problem...
November 26, 2025 at 2:11 PM
3/
November 19, 2025 at 5:19 PM
9/ Aeza Group continues to rely on aurologic for a large share of its connectivity, announcing roughly half of its IP space, despite recent sanctions by the US and the UK.
November 6, 2025 at 11:33 AM
8/ Femo IT Solutions was allocated a /24 prefix from a /17 network registered to the Iranian Research Organization for Science and Technology (IROST), the same origin seen in allocations to other TAEs such as Global Connectivity Solutions and Aeza Group.
November 6, 2025 at 11:33 AM
7/ Femo IT Solutions Ltd #AS214351 is a UK-registered network with close operational ties to self-proclaimed bulletproof hoster “Defhost”, who offer “Germany-only” abuse-resilient services on underground forums.
November 6, 2025 at 11:32 AM
6/ Virtualine Technologies is a Russia-linked TAE with operational ties to multiple organizations used to register and control IP space, masking ownership and maintaining operational control through networks like Railnet.
November 6, 2025 at 11:32 AM
5/ Railnet’s elevated abuse levels followed the transfer of Metaspinner Net IP space to Lanedonet, networks assessed with high probability to have impersonated legitimate companies, under the control of actors tied to Virtualine Technologies.
November 6, 2025 at 11:31 AM
4/ Railnet LLC #AS214943 is one of the largest sources of malicious infrastructure observed by Insikt Group, with over 80 validated C2 servers currently active on the network.
November 6, 2025 at 11:31 AM
1/ New report from myself and @whoisnt.bsky.social: “Malicious Infrastructure Finds Stability with aurologic GmbH.”

We uncover how German ISP aurologic GmbH has become a central nexus for high-risk hosting networks, sustaining large concentrations of malicious infrastructure.
November 6, 2025 at 11:30 AM
Another ASN spun up by #StarkIndustries to monitor #AS213999, only announcing a single prefix so far! 77[.]221[.]150[.]0/24
September 4, 2025 at 3:06 PM
Already seeing some updates in RIPE in response to our report.... 👀 #StarkIndustries #AS44477 #ThreatActivityEnabler
August 28, 2025 at 11:51 AM
6/ Just nine days after sanctions, PQ Hosting rebranded as The[.]Hosting, shifting assets under Dutch company WorkTitans B.V. Weeks later, the network consolidated further with the creation of a new ASN, #AS209847 - THE, and further transfer of #StarkIndustries resources.
August 27, 2025 at 2:25 PM
5/ On May 8, Moldovan media, citing a leaked EU document, reported that #StarkIndustries and its operators, Ivan & Iurie Neculiti, would face sanctions. Days later, control of #AS44477 was shifted to a new entity named after its parent company, PQ.Hosting
August 27, 2025 at 2:24 PM
4/ Anticipating sanctions, #StarkIndustries migrated its Russian infrastructure to UFO Hosting LLC (#AS33993 - UFO-AS) in April 2025.
August 27, 2025 at 2:23 PM
3/ The timeline says it all. From infrastructure shifts to leaked sanctions and an eventual rebrand, every step shows how the company stayed “one step ahead”.
August 27, 2025 at 2:22 PM
1/ Today, we published “One Step Ahead: Stark Industries Solutions Preempts EU Sanctions,” revealing how hosting provider #StarkIndustries executed a multi-phase restructuring of its operations, beginning up to a month before #EU sanctions.
August 27, 2025 at 2:21 PM
Read about all of our unique findings in our full report:
assets.recordedfuture.com/insikt-repor...
August 20, 2025 at 8:04 PM
Recorded Future's 2024 Malicious Infrastructure report highlighted Aeza Group (AS216246) and Aeza International Ltd (AS210644) as top sources of malicious traffic, based on our validated infrastructure holdings.
July 2, 2025 at 1:39 PM