Lightnews — Scholar-powered news

Reposted by Lawrence S.

Virtual Routes @virtualroutes.bsky.social · 9d

👋 Don't miss the first Colloquium session tomorrow!

📌 Mythical Beasts and Where to Find Them: Diving into the Depths of the Global Spyware Market
💡 Jen Roberts (@cyberstatecraft.bsky.social) & @julianferdinand.bsky.social (Recorded Future)
🗓️ October 2, 2025
🕓 16:00 – 17:00 CET

1 3 3

Reposted by Lawrence S.

The Banshee Queen 👑 @cyberoverdrive.bsky.social · 16d

First public report at Recorded Future by yours truly is out! RedNovember (formerly TAG-100, a.k.a. Storm-2077) is a Chinese state-sponsored threat group focused on intelligence collection, especially on flashpoint issues of strategic interest to China. www.recordedfuture.com/research/red...

RedNovember Targets Government, Defense, and Technology Organizations

RedNovember, a likely Chinese state-sponsored cyber-espionage group, has targeted global government, defense, and tech sectors using advanced tools like Pantegana and Cobalt Strike. Discover the lates...

www.recordedfuture.com

2 14 22

Reposted by Lawrence S.

TProphet @tprophet.org · 17d

1/ Hi, I'm TProphet. I write the Telecom Informer for @2600.com. A lot of people have been asking me about www.nbcnews.com/politics/nat... given that I'm somewhat knowledgeable in the area.

Here's my take: I'm kind of astonished that this is public, and it isn't normal that it would ever be.

Secret Service agents dismantle network that could shut down New York cellphone system

Agents discovered electronic devices in five locations in and around the city that could be used to disable cellphone towers. The system could also be used for criminal activities.

www.nbcnews.com

10 180 370

Reposted by Lawrence S.

Catalin Cimpanu @campuscodi.risky.biz · 16d

-US raids SIM farm in New York
-EU airport disruptions caused by ransomware
-Thieves steal gold from French museum after cyberattack
-SonicWall firmware update removes rootkit
-Jaguar ransomware incident extends to October

Podcast: risky.biz/RBNEWS482/
Newsletter: news.risky.biz/risky-bullet...

2 18 58

Lawrence S. @lawrencesec.bsky.social · 18d

The UK has sanctioned Aeza International, citing its involvement in destabilising Ukraine by providing internet services to Russian disinformation campaigns. This follows OFAC sanctions in July. www.gov.uk/government/n...

UK sanctions Georgia-linked supporters of Putin’s illegal war in Ukraine

The UK has announced new sanctions targeting Georgia-linked supporters of Putin’s illegal war in Ukraine.

www.gov.uk

1 1

Reposted by Lawrence S.

Julian-Ferdinand Vögele @julianferdinand.bsky.social · 18d

I'm excited to speak at #VB2025 later this week! I'll be diving into TAG-124, a group whose services are leveraged by a wide range of actors, from cybercriminals to state-sponsored groups. Hit me up if you are in town!

www.virusbulletin.com/conference/v...

9 18

Reposted by Lawrence S.

Virus Bulletin @virusbtn.bsky.social · 22d

Recorded Future's Insikt Group reports CopyCop, also tracked as Storm 1516, expanding in 2025, adding at least 200 new fictional media websites targeting the United States, France and Canada and using self-hosted LLMs. www.recordedfuture.com/research/cop...

2 2

Reposted by Lawrence S.

Julian-Ferdinand Vögele @julianferdinand.bsky.social · 24d

Really excited to present at #LABScon25 on ChamelGang‘s most recent campaign targeting the Taliban, a collaborative research project with @milenkowski.bsky.social (SentinelLABS) and @azaka.fun (TeamT5)! www.labscon.io/speakers/jul...

3 5

Lawrence S. @lawrencesec.bsky.social · 29d

Read our referenced material here:
www.recordedfuture.com/research/one...

One Step Ahead: Stark Industries Solutions Preempts EU Sanctions

Before facing EU sanctions in May 2025, Stark Industries Solutions executed a strategic infrastructure overhaul to maintain operations. This report reveals how rebranding, RIPE resource manipulation, ...

www.recordedfuture.com

Lawrence S. @lawrencesec.bsky.social · 29d

Great blog post from @briankrebs.infosec.exchange.ap.brid.gy on #StarkIndustries. Makes a great point by highlighting it's links to MIRHosting. Where there are Dutch prefixes under these providers, there is usually always MIRHosting upstream.

BrianKrebs @briankrebs.infosec.exchange.ap.brid.gy · 29d

New, from me:

In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of […]

[Original post on infosec.exchange]

An organization chart published by the news publication correctiv.org shows photos of the Neculiti brothers and their connections to MIRhosting in the Netherlands.

1 3 3

Reposted by Lawrence S.

Julian-Ferdinand Vögele @julianferdinand.bsky.social · Sep 4

1/ Today @whoisnt.bsky.social, Marius, and I release a report on a new threat actor, #TAG-150, active since at least March 2025, which stands out for its rapid development, sophistication, responsiveness to reporting, and a large, evolving infrastructure: www.recordedfuture.com/research/fro...

From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure

Insikt Group reveals TAG-150’s multi-tiered infrastructure and CastleRAT malware—an advanced threat actor evolving rapidly with stealth and scale.

www.recordedfuture.com

1 6 9

Lawrence S. @lawrencesec.bsky.social · Sep 4

Read the full report here: www.recordedfuture.com/research/fro...

From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure

Insikt Group reveals TAG-150’s multi-tiered infrastructure and CastleRAT malware—an advanced threat actor evolving rapidly with stealth and scale.

www.recordedfuture.com

Lawrence S. @lawrencesec.bsky.social · Sep 4

A significant amount of #CastleLoader C2 infrastructure identified by @julianferdinand.bsky.social was tied to #ThreatActivityEnabler 🇬🇧 FEMO IT SOLUTIONS #AS214351 utilising 🇩🇪 aurologic GmbH #AS30823 as their sole upstream provider. One to watch out for!

Julian-Ferdinand Vögele @julianferdinand.bsky.social · Sep 4

2/ TAG-150 is Insikt Group’s designation for the actor likely behind the malware families #CastleLoader, #CastleBot, and most recently #CastleRAT, a RAT documented here for the first time.

1 2 3

Lawrence S. @lawrencesec.bsky.social · Sep 4

Another ASN spun up by #StarkIndustries to monitor #AS213999 , only announcing a single prefix so far! 77[.]221[.]150[.]0/24

1

Reposted by Lawrence S.

Brian Liston @brianjliston.bsky.social · Sep 3

New report published today from our team at Recorded Future: “Russian Influence Assets Converge on Moldovan Elections”

www.recordedfuture.com/research/rus...

Russian Influence Assets Converge on Moldovan Elections

Ahead of Moldova’s 2025 elections, Russia-linked influence operations seek to undermine EU integration, discredit President Sandu, and destabilize democratic processes through coordinated disinformati...

www.recordedfuture.com

5 6

Reposted by Lawrence S.

780th Military Intelligence Brigade (Cyber) @780thmibdecyber.bsky.social · Aug 29

H1 2025 Malware and Vulnerability Trends report | RecordedFuture www.recordedfuture.com/research/h1-...
Geographically, the majority of state-sponsored campaigns were conducted by Chinese state-sponsored actors or suspected China-linked actors.

H1 2025 Malware and Vulnerability Trends

Explore Recorded Future’s H1 2025 malware & vulnerability trends: key exploited CVEs, most-targeted vendors (Microsoft, edge devices), ransomware & mobile malware shifts — practical guidance to priori...

www.recordedfuture.com

1 1 1

Reposted by Lawrence S.

780th Military Intelligence Brigade (Cyber) @780thmibdecyber.bsky.social · Aug 29

Infosecurity Magazine: The majority (53%) of attributed vulnerability exploits in the first half 2025 were conducted by state-sponsored actors for strategic, geopolitical purposes, according to a new report by Recorded Future’s Insikt Group. www.infosecurity-magazine.com/news/state-h...

State-Sponsored Hackers Behind Majority of Vulnerability Exploits

Recorded Future highlighted the vast capabilities of state actors to rapidly weaponize newly disclosed vulnerabilities for geopolitical purposes

www.infosecurity-magazine.com

1 1 2

Reposted by Lawrence S.

Catalin Cimpanu @campuscodi.risky.biz · Aug 29

-Instacart fraud ring charged
-VerifTools seized
-US sanctions DPRK remote IT worker network
-Purgatory group behind US swattings
-Storm-0501 steals/extorts cloud data
-Stark Industries rebrands
-ShadowSilk APT has Russian and Chinese operators
-Backdoored text editor targets Chinese dissidents

1 1 5

Lawrence S. @lawrencesec.bsky.social · Aug 29

Another really good piece on stark industries.

Max Bernhard @mxbernhard.bsky.social · May 16

Recherche wie immer mit @alexejhock.bsky.social @timetodiscover.bsky.social

Unsere Recherche letztes Jahr zu Stark Industries und den Neculitis correctiv.org/faktencheck/...

Hacks und Propaganda: Zwei Brüder aus Moldau tragen Russlands digitalen Krieg nach Europa

Russland verbreitet parallel zum Ukraine-Krieg Falschnachrichten und führt Cyberattacken durch. Zwei Brüder aus Moldau liefern die Technik. CORRECTIV zeigt, wie ihr Firmenkonstrukt Spuren verwischt un...

correctiv.org

2

Lawrence S. @lawrencesec.bsky.social · Aug 29

www.recordedfuture.com/research/one...

One Step Ahead: Stark Industries Solutions Preempts EU Sanctions

Before facing EU sanctions in May 2025, Stark Industries Solutions executed a strategic infrastructure overhaul to maintain operations. This report reveals how rebranding, RIPE resource manipulation, ...

www.recordedfuture.com

Reposted by Lawrence S.

Alexander Martin @alexmartin.bsky.social · Aug 28

🇳🇱🇨🇳💻🕵️

New: The Netherlands announced on Thursday that it had been targeted by a Chinese cyber-espionage campaign tracked as Salt Typhoon and RedMike that has been compromising critical infrastructure globally.

Dutch intelligence agencies report country was targeted by Chinese cyber spies

The Netherlands announced on Thursday that it was targeted by a Chinese cyber-espionage campaign tracked as Salt Typhoon and RedMike that has been compromising critical infrastructure globally.

therecord.media

21 26

Reposted by Lawrence S.

Bellingcat @bellingcat.com · Aug 26

Academic or student in the USA? Our research techniques can be useful in assessing fake news. We're helping students to investigate and better understand the anti-democratic online ideologies that threaten their communities with two free webinars on digital investigation skills this September 🧵

3 110 220

Reposted by Lawrence S.

Zack Whittaker @zackwhittaker.com · Aug 28

NEW: Credit reporting giant TransUnion has confirmed a data breach involving more than 4.4 million customers' personal information. TransUnion claims "no credit information was accessed" in the late-July breach, which it said involves its U.S. consumer support operations.

TransUnion says hackers stole 4.4 million customers' personal information | TechCrunch

The credit reporting giant confirmed unauthorized access to a third-party application storing the personal information of its customers.

techcrunch.com

12 96 180

Reposted by Lawrence S.

780th Military Intelligence Brigade (Cyber) @780thmibdecyber.bsky.social · Aug 28

Recorded Future: Stark Industries, along with its CEO and owner, was formally sanctioned by the Council of the European Union on May 20, 2025, for enabling Russian state-sponsored cyber operations | www.recordedfuture.com/research/one...

One Step Ahead: Stark Industries Solutions Preempts EU Sanctions

Before facing EU sanctions in May 2025, Stark Industries Solutions executed a strategic infrastructure overhaul to maintain operations. This report reveals how rebranding, RIPE resource manipulation, ...

www.recordedfuture.com

3 4

Lawrence S. @lawrencesec.bsky.social · Aug 28

Already seeing some updates in RIPE in response to our report.... 👀 #StarkIndustries #AS44477 #ThreatActivityEnabler

1 2