Lawrence_Sec

New from @RecordedFuture! @_whoisnt and I break down Threat Activity Enablers (TAEs), the often overlooked backbone of modern cyber operations. 🔗recordedfuture.com/blog/threat-ac…

Crimenetwork returns after takedown, dismantled again by German authorities securityaffairs.com/191969/cyber-c… #securityaffairs #hacking

In their latest for Binding Hook, Joyce Hakmeh & Harriet Moynihan investigate what it actually takes to close the #CyberProxy accountability gap & laid out strategies for holding users of cyber proxies accountable. Read the full article: bindinghook.com/strategic-cohe…

Great deep dive on Media Land aka Yalishanda infrastructure here! disclosing.observer/2026/04/29/han…

#spankrat added extractor sample: tria.ge/260501-j1hh1sc… more: tria.ge/s/family:spank…

Another day, another 🇬🇧 UK-based shell corporation utilized for nefarious purposes: UFO TECHNOLOGIES LIMITED, registered to the pictured address in Ipswich (which houses a co-working space) in February. Its director, 🇷🇺 Russian national Lenar I. Davletshin, is no stranger to cybercrime investigators; related internet infrastructure and corporate entities have repeatedly been linked to bulletproof hosting. Particularly noteworthy is "Bearhost", a related, long-standing service offering, which shut down on May 9, 2025. ⤵️

We didn't know how an actor was using EV Certificates issued to Lenovo and others. We now do. From DigiCert's incident report: "the threat actor used a compromised analyst endpoint to access DigiCert's internal support portal. The threat actor used a limited function within the customer-support portal which allows authenticated DigiCert support analysts to access customer accounts from the customer's perspective to facilitate support tasks. The threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for EV Code Signing certificate orders across a finite set of customer accounts." "Possession of the initialization code, combined with an approved order, is functionally sufficient to generate and retrieve the corresponding certificate." The full report can be found here and explains the incident in great detail: bugzilla.mozilla.org/show_bug.cgi?i… The report mentions "Where we got lucky: A community member involved in security research reported the evolving pattern of misused certificates and engaged in dialogue with our support team. Without that report, the undetected compromise of ENDPOINT2 and the associated mis-issuance might have remained undiscovered for a longer period." Special thanks goes to the regular contributors to the Cert Graveyard; @g0njxa , @malwrhunterteam , and others. Also special thanks to DigiCert: this report has a high level of transparency, which is warranted, and also well executed.

Typically, "Daniel" has LIR status in @ripencc, allowing continuous cycles of abuse.

Both the sponsoring organization and the maintainers reference Daniel Mishayev, the individual known for setting up numerous PFCloud fronts, including RAILNET LLC, which was linked to the prolific threat activity enabler Virtualine Technologies.

@RecordedFuture are also seeing high levels of abuse from this AS. AS214472 updated in March to STORMSHIELD, a supposed “infrastructure holding company” with hosting services at stormcloud[.]pw

Critical Minerals and Cyber Operations In 2025, Insikt Group identified several Chinese state-sponsored threat actors targeting an organization focused on monitoring and regulating seabed mining. Recorded Future recordedfuture.com/research/criti… @RecordedFuture

Earlier this week @orange announced new routes taking precedence over its hijacked path, forcing the bad actors to withdraw the route: 90.98.0.0/15 AS41128 AS22541 AS29802 Bad actors (WITHDRAWN) 90.98.0.0/16 AS3215 AS5511 Orange 🇫🇷 90.99.0.0/16 AS3215 AS5511 Orange 🇫🇷 (see post from @DougMadory x.com/DougMadory/sta…) Meanwhile, the @VerizonBusiness hijacks out of AS29802 remain active. And, we’ve observed an additional suspicious route ⤵️⤵️

OMEGATECH (AS202412) is the latest installment of Threat Activity Enabler Virtualine Technologies, following their transition away from Railnet LLC.

New: We looked into the large-scale phishing campaign that's targeting Signal users and found digital evidence pointing to Russian involvement – and a connection to previous attacks in Ukraine and Moldova.

🧵 ICYMI: We just dropped our 2025 Malicious Infrastructure Review! Some of the highlights below👇 #Infosec #CyberThreats 1/6

#TheVoidStealer adopts a novel debugger-based Application-Bound Encryption (ABE) bypass technique gendigital.com/blog/insights/…

8/ Read @RecordedFuture's full 2025 Year in Review of Malicious Infrastructure here: recordedfuture.com/research/2025-…

7/ Bottom line: focusing on TAE networks whose sole purpose is hosting malicious infrastructure gives clear, actionable insights, allowing defenders to more effectively mitigate cyber threats.

1/ @RecordedFuture 's annual malicious infrastructure report has finally dropped! This year, we took a different approach to how we analyze malicious infrastructure👇

6/ Approximately 70% of the highest-risk TAEs observed by Insikt Group relied on German ISP #aurologic GmbH for upstream transit, most notably of which was the internationally sanctioned #Aeza

5/ Virtualine enabled a plethora of threats throughout 2025, most notably malware families such as #Latrodectus #AsyncRAT #DcRAT and many, many more!