banner
LightNews
calwarez.bsky.social
Calwarez
@calwarez.bsky.social
430 followers 200 following 39 posts
Leads Malicious Infrastructure Discovery @ Recorded Future | Views my own
Posts Media Videos Starter Packs
Reposted by Calwarez
virtualroutes.bsky.social
Virtual Routes @virtualroutes.bsky.social · 8d
👋 Don't miss the first Colloquium session tomorrow!

📌 Mythical Beasts and Where to Find Them: Diving into the Depths of the Global Spyware Market
💡 Jen Roberts (@cyberstatecraft.bsky.social) & @julianferdinand.bsky.social (Recorded Future)
🗓️ October 2, 2025
🕓 16:00 – 17:00 CET
1 3 3
Reposted by Calwarez
virusbtn.bsky.social
Virus Bulletin @virusbtn.bsky.social · 21d
Recorded Future's Insikt Group reports CopyCop, also tracked as Storm 1516, expanding in 2025, adding at least 200 new fictional media websites targeting the United States, France and Canada and using self-hosted LLMs. www.recordedfuture.com/research/cop...
2 2
Reposted by Calwarez
julianferdinand.bsky.social
Julian-Ferdinand Vögele @julianferdinand.bsky.social · 17d
I'm excited to speak at #VB2025 later this week! I'll be diving into TAG-124, a group whose services are leveraged by a wide range of actors, from cybercriminals to state-sponsored groups. Hit me up if you are in town!

www.virusbulletin.com/conference/v...
9 18
Reposted by Calwarez
lawrencesec.bsky.social
Lawrence S. @lawrencesec.bsky.social · 17d
The UK has sanctioned Aeza International, citing its involvement in destabilising Ukraine by providing internet services to Russian disinformation campaigns. This follows OFAC sanctions in July. www.gov.uk/government/n...
UK sanctions Georgia-linked supporters of Putin’s illegal war in Ukraine
The UK has announced new sanctions targeting Georgia-linked supporters of Putin’s illegal war in Ukraine.
www.gov.uk
1 1
Reposted by Calwarez
julianferdinand.bsky.social
Julian-Ferdinand Vögele @julianferdinand.bsky.social · 23d
Really excited to present at #LABScon25 on ChamelGang‘s most recent campaign targeting the Taliban, a collaborative research project with @milenkowski.bsky.social (SentinelLABS) and @azaka.fun (TeamT5)! www.labscon.io/speakers/jul...
3 5
Reposted by Calwarez
lawrencesec.bsky.social
Lawrence S. @lawrencesec.bsky.social · 28d
Great blog post from @briankrebs.infosec.exchange.ap.brid.gy on #StarkIndustries. Makes a great point by highlighting it's links to MIRHosting. Where there are Dutch prefixes under these providers, there is usually always MIRHosting upstream.
briankrebs.infosec.exchange.ap.brid.gy
BrianKrebs @briankrebs.infosec.exchange.ap.brid.gy · 28d
New, from me:

In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of […]

[Original post on infosec.exchange]
An organization chart published by the news publication correctiv.org shows photos of the Neculiti brothers and their connections to MIRhosting in the Netherlands.
1 3 3
Reposted by Calwarez
virusbtn.bsky.social
Virus Bulletin @virusbtn.bsky.social · Sep 8
Insikt Group identifies a new threat actor, TAG-150, active since at least March 2025. Its multi-layered infrastructure is used to deploy likely self-developed malware families, including CastleLoader, CastleBot, and the newly documented CastleRAT. www.recordedfuture.com/research/fro...
3 4
Reposted by Calwarez
campuscodi.risky.biz
Catalin Cimpanu @campuscodi.risky.biz · Sep 7
Recorded Future has spotted two influence operations around the recent India-Pakistan military conflict from May.

The networks are tracked as networks as Hidden Charkha (pro-India) and Khyber Defender (pro-Pakistan).

www.recordedfuture.com/research/inf...
4 5
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Sep 5
Should be all fixed now :-)
Reposted by Calwarez
lawrencesec.bsky.social
Lawrence S. @lawrencesec.bsky.social · Sep 4
A significant amount of #CastleLoader C2 infrastructure identified by @julianferdinand.bsky.social was tied to #ThreatActivityEnabler 🇬🇧 FEMO IT SOLUTIONS #AS214351 utilising 🇩🇪 aurologic GmbH #AS30823 as their sole upstream provider. One to watch out for!
julianferdinand.bsky.social
Julian-Ferdinand Vögele @julianferdinand.bsky.social · Sep 4
2/ TAG-150 is Insikt Group’s designation for the actor likely behind the malware families #CastleLoader, #CastleBot, and most recently #CastleRAT, a RAT documented here for the first time.
1 2 3
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Sep 4
Another great report from the team on TAG-150, a sophisticated and rapidly evolving threat actor. 🕵️ Our report documents #CastleRAT for the first time, a new Remote Access Trojan, alongside the previously observed #CastleLoader.
julianferdinand.bsky.social
Julian-Ferdinand Vögele @julianferdinand.bsky.social · Sep 4
1/ Today @whoisnt.bsky.social, Marius, and I release a report on a new threat actor, #TAG-150, active since at least March 2025, which stands out for its rapid development, sophistication, responsiveness to reporting, and a large, evolving infrastructure: www.recordedfuture.com/research/fro...
From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure
Insikt Group reveals TAG-150’s multi-tiered infrastructure and CastleRAT malware—an advanced threat actor evolving rapidly with stealth and scale.
www.recordedfuture.com
1 2
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Sep 4
Thanks for the tip! will get someone to look into it ASAP!
2
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Aug 28
1
Reposted by Calwarez
780thmibdecyber.bsky.social
780th Military Intelligence Brigade (Cyber) @780thmibdecyber.bsky.social · Aug 28
Recorded Future: Stark Industries, along with its CEO and owner, was formally sanctioned by the Council of the European Union on May 20, 2025, for enabling Russian state-sponsored cyber operations | www.recordedfuture.com/research/one...
One Step Ahead: Stark Industries Solutions Preempts EU Sanctions
Before facing EU sanctions in May 2025, Stark Industries Solutions executed a strategic infrastructure overhaul to maintain operations. This report reveals how rebranding, RIPE resource manipulation, ...
www.recordedfuture.com
3 4
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Aug 27
This report on Stark Industries is a fantastic case study in the cat-and-mouse game between hosting providers and law enforcement. The new "Threat Activity Enabler" (TAE) terminology is spot-on and highlights the critical role these providers play in the cybercrime ecosystem.
lawrencesec.bsky.social
Lawrence S. @lawrencesec.bsky.social · Aug 27
1/ Today, we published “One Step Ahead: Stark Industries Solutions Preempts EU Sanctions,” revealing how hosting provider #StarkIndustries executed a multi-phase restructuring of its operations, beginning up to a month before #EU sanctions.
4 3
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Aug 26
Highly recommend this report on TAG-144. It breaks down the group's operations into five distinct clusters and reveals some serious tradecraft! From using compromised government emails to hiding payloads in JPGs. A deep dive into a very sophisticated threat.
julianferdinand.bsky.social
Julian-Ferdinand Vögele @julianferdinand.bsky.social · Aug 26
1/ We just released a new report on TAG-144 (also known as Blind Eagle), where we identified five distinct activity clusters that have been active throughout 2024 and 2025, primarily targeting the Colombian government at multiple levels. Link to the report: www.recordedfuture.com/research/tag...
TAG-144’s Persistent Grip on South American Organizations
Persistent cyber operations by TAG-144 (Blind Eagle) continue to target South American, primarily Colombian, government entities through advanced spearphishing and RAT-based malware campaigns. Explore...
www.recordedfuture.com
3 3
Reposted by Calwarez
julianferdinand.bsky.social
Julian-Ferdinand Vögele @julianferdinand.bsky.social · Aug 20
1/ Today, we release a first-of-its-kind analysis of a set of Lumma affiliates within a vast info-stealing ecosystem, showing their interconnectedness and resilience even after a major law enforcement takedown attempts earlier this year: www.recordedfuture.com/research/beh...
Behind the Curtain: How Lumma Affiliates Operate
Explore a groundbreaking investigation into Lumma affiliates: uncover their tools, tactics, scams, and integration in the cybercriminal ecosystem. Essential reading for defenders.
www.recordedfuture.com
2 14 20
Reposted by Calwarez
virusbtn.bsky.social
Virus Bulletin @virusbtn.bsky.social · Aug 11
Recorded Future's Insikt Group has identified new infrastructure associated with Candiru, which includes components likely used in the deployment & C2 of Candiru’s DevilsTongue spyware, as well as higher-tier infrastructure used by the spyware operators. www.recordedfuture.com/research/tra...
3 6
Reposted by Calwarez
suzannesmalley.bsky.social
Suzanne Smalley @suzannesmalley.bsky.social · Aug 5
New active infrastructure for Candiru spyware linked to Hungary and Saudi Arabia identified

therecord.media/candiru-spyw...
Active infrastructure for Candiru spyware linked to Hungary, Saudi Arabia
Windows spyware tracked as DevilsTongue — a product of the company Candiru — is likely still active, with clusters appearing in Hungary and Saudi Arabia, researchers said.
therecord.media
17 18
Reposted by Calwarez
julianferdinand.bsky.social
Julian-Ferdinand Vögele @julianferdinand.bsky.social · Aug 5
1/ We've just released a new report uncovering new infrastructure tied to multiple activity clusters linked to the Israeli spyware vendor #Candiru across several countries. Full report: www.recordedfuture.com/research/tra...
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries
Recorded Future's Insikt Group uncovers active infrastructure linked to Candiru’s DevilsTongue spyware across multiple countries. Discover how this stealthy spyware targets high-value individuals and ...
www.recordedfuture.com
1 12 12
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Jul 23
NoName057(16) is back online and launching new #DDoSia attacks just 6 days after #OperationEastwood. Their new targets? Primarily German and Italian government and municipal websites. Their rapid resurgence highlights their persistence. #Cybersecurity #NoName057
3 3
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Jul 22
10/ Ready to dive deeper into NoName057(16)'s operations? Download the full "Anatomy of DDoSia" report now for data-driven insights, technical analysis, and defensive recommendations! 🔗 www.recordedfuture.com/research/ana... #CybersecurityReport #ThreatAnalysis
www.recordedfuture.com
1
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Jul 22
9/ Hacktivist DDoS attacks are a constant in today's hybrid warfare, operating below conventional conflict. Organizations must adapt to this long-term reality in evolving geopolitical landscapes. #HybridWarfare #CyberConflict #Geopolitics
1 1
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Jul 22
8/ Operation Eastwood (July 14-17, 2025) saw international law enforcement target NoName057(16)'s network. Their infrastructure disappeared, but new Tier 1 C2s emerged days later, yet without targeting! Learn more: www.europol.europa.eu/media-press/... #LawEnforcement #CyberDisruption
www.europol.europa.eu
1 1
calwarez.bsky.social
Calwarez @calwarez.bsky.social · Jul 22
7/ Their attack methods have a strong preference for TCP-based floods (SYN, ACK) & HTTP GET floods. Also use "nginx_loris" (slow-loris variant) to exhaust server connections. #DDoSTactics #CyberDefense
1 1