Jerri P

41 posts


@_whoisnt

Threat Research @recordedfuture

Joined July 2025
189 Following, 84 Followers
Jerri P retweeted
Spamhaus (@spamhaus):
A series of new routes has caught our attention:
198.193.12.0/24 AS2702 AS215828
198.193.32.0/20 AS2702 AS215828
198.195.144.0/24 AS2702 AS215828
198.196.199.0/24 AS2702 AS215828
Here’s why… ⤵️
Jerri P retweeted
Lawrence_Sec (@Lawrence_Sec):
@RecordedFuture are also seeing high levels of abuse from this AS. AS214472 updated in March to STORMSHIELD, a supposed “infrastructure holding company” with hosting services at stormcloud[.]pw
Fox_threatintel (@banthisguy9349):

On my phone right now but everyone should start blocking this abusive ASN. AS Number 214472 Tons of abuse reported and staying online. Thank you security researchers for sending abuse towards @abuse_ch making this visible. Oh and of course it is a downstream from pfcloud.

Jerri P retweeted
Lawrence_Sec (@Lawrence_Sec):
1/ @RecordedFuture's annual malicious infrastructure report has finally dropped! This year, we took a different approach to how we analyze malicious infrastructure👇
Jerri P retweeted
Markov (@MarkovMagnifico):
how my codebase written entirely with claude code runs
Jerri P retweeted
vx-underground (@vxunderground):
We've solved the mystery. Who's That Pokemon? It's CastleRAT a/k/a TAG-150! Okay, here is the drama and scoop, or whatever. I don't know if anyone cares, but this has been a really interesting puzzle with lots of twists and turns.

Previously @malwrhunterteam discovered an unusual malicious .MSI file called "TopWebComics". It dropped an obfuscated .JS file. @nullableVoidPtr deobfuscated the malicious .JS, I reverse engineered it and named it "Smokest Stealer". However, @Kali3ndo went off my research notes and discovered that Smokest drops an additional malicious .PS1 file when Smokest connects to the C2. The malicious .PS1 file drops a malicious .PY file, encoded with PyArmor. The Python script extracts a payload from a .JPEG.

After reviewing it, poking it with a stick, and having all sorts of fun, it turns out this payload was first noted by @YungBinary in August 2025. This payload is CastleRAT (and tracked as TAG-150 by @RecordedFuture).

CastleRAT payload found January 18th: 8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402
"Smokest Stealer" MSI: 5a1c14335d0a8b007ff2813e6ef738e8836be38257cc82fe03c02b71d71e1b01
"Smokest Stealer" JS: 29e13df9547d4e85e7ca3fc5b95eab90f56a233aabc406638bee2ded368acd3d

Thank you to my peers and colleagues for reversing this with me throughout the day and having fun with it. This was a very silly malware sample.
Jerri P (@_whoisnt):
Check out the latest Insikt report by @JulianVoeg, Marius and me! Multiple actor clusters, bespoke phishing tooling, logistics-sector targeting, and DNS-tunneling Matanbuchus variants show just how mature this operation has become. #CastleLoader #GrayBravo
Jerri P retweeted
Spamhaus (@spamhaus):
📢 In case you missed it… we recently published a detailed piece on the 'Anatomy of Bulletproof Hosts', exploring how these services are evolving and what it means for the threat landscape.

In this blog, we cover:
- The decline of monolithic bulletproof hosts
- The shift toward separation of liabilities
- The growing abuse of trusted services
- And what’s next for the threat ecosystem

👉 Read the full post here: spamhaus.org/resource-hub/b…
Jerri P retweeted
Lawrence_Sec (@Lawrence_Sec):
1/ It's nice to see the topic of bulletproof hosters and Threat Activity Enablers gaining more mainstream attention; however, a bigger problem than endless shell companies exists, and that is RIPE RIR policy. bindinghook.com/neutral-intern…
Jerri P retweeted
Spamhaus (@spamhaus):
This week, everywhere you look, bulletproof hosting (BPH) is in cyber news headlines. From the CrazyRDP takedown, to sanctions against entities adjacent to Aeza, and most recently Media Land LLC and ML[.]Cloud LLC (do these measures actually move the needle?), to new CISA guidance on mitigating BPH activities.🛡️

It’s clear the spotlight is firmly on one of cybercrime’s most persistent enablers. And for a good reason. Few infrastructures have enabled so much criminal activity, for so long, with such resilience.

Spamhaus has tracked BPH operators and their evolving tactics for decades. 🕵️ We've watched the ecosystem shift from monolithic BPHs to layered and complex business structures. So, amid the sensational headlines, we’ve compiled a grounded look at the topic, covering: the history, the current landscape, and where the threat landscape is likely to head next.

Read it in full here 👉 spamhaus.org/resource-hub/b…
Jerri P retweeted
Lawrence_Sec (@Lawrence_Sec):
1/ United States, Australia, and United Kingdom sanction Russian threat activity enabler Media Land (Yalishanda) and follow up on recent designations targeting Aeza. ofac.treasury.gov/recent-actions…
Jerri P retweeted
Spamhaus (@spamhaus):
On November 12, around 250 physical servers were seized by the Dutch police at two datacenters in the Netherlands 👉 politie.nl/nieuws/2025/no…

We assess the unnamed bulletproof hosting provider (BPH) is CrazyRDP, a major cybercrime hub previously operating front companies such as 🇺🇸 Delis LLC (AS211252), 🇺🇸 Limenet LLC (AS394711) and, most recently, 🇺🇸 Sovy Cloud Services (AS401110) and its downstreams (all incorporated in 🇺🇸 as well): AS401115 (EKABI), AS401116 (Nybula LLC), AS401109 (Zhongguancun LLC) and AS401120 (cheapy.host LLC). 🕵️ Of course, all of them are listed in DROP and ASN-DROP. 🛡️

All this time, the physical infrastructure appears to have been hosted by 🇳🇱 Serverion BV, though iterations of this BPH saw attempts to obfuscate its physical location and hamper investigation attempts. 🧐

Congratulations to all parties involved in this takedown! Looking forward to seeing more of them soon! 👏 #Cybercrime #BulletproofHosting #DROP