Lawrence S.'s Avatar

Lawrence S.

@lawrencesec

πŸ‡¬πŸ‡§ Threat Research @ Recorded Future. I Like Tracking ASNs and ISPs for some reason...

100
Followers 195
Following 56
Posts 10.03.2025
Joined
Posts Following

Latest posts by Lawrence S. @lawrencesec

Post image

-Even more research on Twitter/X algorithm manipulation
-Russia turns on Telegram
-Texas sues TP-Link
-West Virginia sues Apple
-US does dumb things, part 332737232
-Spain arrests hotel hacker
-Nigerian hacker sentenced to 8 years
-651 cybercrime arrests in Africa
-GrayCharlie profile

20.02.2026 10:41 πŸ‘ 5 πŸ” 3 πŸ’¬ 2 πŸ“Œ 0
Preview
GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack GrayCharlie turns compromised WordPress sites into malware delivery machines. Discover how this threat actor chains fake browser updates and ClickFix lures to deploy NetSupport RAT, Stealc, and Sectop...

1/ Today, Insikt Group is publishing on GrayCharlie, a threat actor active since mid-2023 that overlaps with SmartApeSG. GrayCharlie compromises WordPress sites and turns them into malware delivery hubs: www.recordedfuture.com/research/gra...

18.02.2026 17:13 πŸ‘ 5 πŸ” 8 πŸ’¬ 1 πŸ“Œ 0
Preview
BlueDelta’s Persistent Campaign Against UKR.NET Discover how Russia’s BlueDelta targets UKR.NET users with advanced credential-harvesting campaigns, evolving tradecraft, and multi-stage phishing techniques.

Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET. The activity is attributed to the Russian state-sponsored threat group | www.recordedfuture.com/research/blu...

18.12.2025 12:09 πŸ‘ 7 πŸ” 4 πŸ’¬ 0 πŸ“Œ 0

CastleLoader in the wild! Four distinct activity clusters, sector-specific targeting of logistics, and high-end tooling like Matanbuchus and CastleRAT.

09.12.2025 15:43 πŸ‘ 3 πŸ” 2 πŸ’¬ 0 πŸ“Œ 0
Post image

Recorded Future’s Insikt Group uncovered four GrayBravo activity clusters. TAG-160 impersonates logistics firms, while TAG-161 impersonates Booking.com, employing ClickFix to deliver CastleLoader and Matanbuchus. www.recordedfuture.com/research/gra...

09.12.2025 11:25 πŸ‘ 6 πŸ” 5 πŸ’¬ 0 πŸ“Œ 0
Post image

2/ Our latest analysis uncovered four distinct activity clusters within GrayBravo’s ecosystem, all leveraging the group’s #CastleLoader malware. Each cluster uses different tactics, techniques, and targets, reinforcing the assessment that GrayBravo runs a #MaaS model.

09.12.2025 08:24 πŸ‘ 3 πŸ” 1 πŸ’¬ 1 πŸ“Œ 0
Preview
GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries

1/ @whoisnt.bsky.social, Marius, and I just published a report on #GrayBravo (formerly TAG-150), a highly adaptive, sophisticated threat actor that we first identified in Sept 2025. It uses a multi-layered infrastructure and responds quickly to exposure: www.recordedfuture.com/research/gra...

09.12.2025 08:24 πŸ‘ 10 πŸ” 6 πŸ’¬ 1 πŸ“Œ 1

A good piece highlighting the EU's continued inaction following recent sanctions, essentially allowing these enablers to continue their operations.

05.12.2025 19:35 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
Predator spyware uses new infection vector for zero-click attacks The Predator spyware from surveillance company Intellexa has been using a zero-click infection mechanism dubbed "Aladdin" that compromised specific targets when simply viewing a malicious advertisement.

The Predator spyware from surveillance company Intellexa has been using a zero-click infection mechanism dubbed "Aladdin" that compromised specific targets when simply viewing a malicious advertisement.

04.12.2025 15:48 πŸ‘ 7 πŸ” 4 πŸ’¬ 0 πŸ“Œ 0
Post image

🚨 - New report by Haaretz, Inside Story, Inside-IT and Amnesty International release the Intellexa Leaks. Which exposes Intellexa support staff had access through Teamviewer to customer deployments and confirms found IOC's in the past by civil society. πŸ§΅πŸ‘‡

04.12.2025 11:37 πŸ‘ 9 πŸ” 16 πŸ’¬ 1 πŸ“Œ 3
Preview
Intellexa’s Global Corporate Web

1/ Today we release a new report exposing previously undisclosed entities connected to the wider #Intellexa ecosystem as well as newly identified activity clusters in Iraq and indications of activity in Pakistan: www.recordedfuture.com/research/int...

04.12.2025 04:17 πŸ‘ 26 πŸ” 18 πŸ’¬ 2 πŸ“Œ 4

3/ As long as the same LIRs and the same bad actors are able to maintain control of their RIPE resources, the problem will never stop.

26.11.2025 14:12 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Post image

2/ The case of fraud relating to metaspinner GmbH really does spell out the severity of the problem...

26.11.2025 14:11 πŸ‘ 0 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
β€˜Neutral’ internet governance enables sanctions evasion Internet service providers and hosting companies enable cybercrime and cyber operations. Why don’t sanctions stop them?

1/ It's nice to see the topic of bulletproof hosters and Threat Activity Enablers gaining more mainstream attention; however, a bigger problem than endless shell companies exists, and that is RIPE RIR policy. bindinghook.com/neutral-inte...

26.11.2025 14:11 πŸ‘ 2 πŸ” 1 πŸ’¬ 1 πŸ“Œ 1

NSA Joins CISA and Others to Release Guidance on Mitigating Malicious Activity from Bulletproof Hosting Provider Infrastructure
November 19, 2025, NSA/CSS
www.nsa.gov/Press-Room/P...

20.11.2025 12:03 πŸ‘ 4 πŸ” 3 πŸ’¬ 1 πŸ“Œ 0
Preview
Completed draft of cyber strategy emphasizes imposing costs, industry partnership The forthcoming Trump administration cyber strategy will introduce six key pillars, emphasizing deterrence of cyber threats and enhanced industry partnerships, with action items and deliverables for U...

The national cyber director and a top FBI official shared more details about the forthcoming Trump administration document Tuesday. via @timstarks.bsky.social cyberscoop.com/trump-cyber-...

19.11.2025 14:57 πŸ‘ 2 πŸ” 2 πŸ’¬ 0 πŸ“Œ 0
Post image Post image

3/

19.11.2025 17:19 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
Malicious Infrastructure Finds Stability with aurologic GmbH This investigative report reveals how German hosting provider aurologic GmbH has become a central enabler of malicious internet infrastructure, linking numerous threat activity networks while operatin...

2/ Sanctions include Aeza's entities used to evade recent OFAC and UK sanctions, including Hypercore LTD and SMART DIGITAL IDEAS DOO. Myself and @whoisnt.bsky.social
break down these entities in our recent report: www.recordedfuture.com/research/mal...

19.11.2025 17:19 πŸ‘ 2 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

1/ United States, Australia, and United Kingdom sanction Russian threat activity enabler Media Land (Yalishanda) and follow up on recent designations targeting Aeza. ofac.treasury.gov/recent-actio...

19.11.2025 17:17 πŸ‘ 3 πŸ” 3 πŸ’¬ 1 πŸ“Œ 0

This is highly likely CrazyRDP :)

16.11.2025 19:58 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
Duizenden servers in beslaggenomen in omvangrijk cybercrime onderzoek In een onderzoek naar een malafide hostingbedrijf zijn door het team cybercrime Oost-Nederland duizenden servers in beslaggenomen. Het hostingbedrijf wordt volgens de politie enkel en alleen gebruikt ...

www.politie.nl/nieuws/2025/...

15.11.2025 12:10 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
Operation Endgame 3.0 took down 1025 servers including CrazyRDP Europol and Shadowserver have announced today they have completed "third phase" of Endgame operation targeting infostealer Rhadamanthys, Remote Access Trojan VenomRAT, and the botnet Elysium...

2/ ASNs believed to be utilised by CrazyRDP were reportedly downstream of aurologic….. lowendspirit.com/discussion/c...

15.11.2025 12:08 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
Dutch police seize thousands of servers used for ransomware, child sex abuse footage The Dutch police seized thousands of servers in The Hague and Zoetermeer, used solely for hosting criminal activities. According to the police, the hosting company rented space to criminals to carry o...

1/ Reports indicating that CrazyRDP is the bulletproof hoster behind this seizure in the Netherlands. nltimes.nl/2025/11/14/d...

15.11.2025 12:07 πŸ‘ 3 πŸ” 1 πŸ’¬ 1 πŸ“Œ 0

3/ metaspinner net GmbH (Hamburg, Germany) has no affiliation with #AS209800, Virtualine Technologies, or any related malicious activity associated with that network.

12.11.2025 21:52 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

2/ A falsified RIPE end-user agreement provided to Insikt Group highlights how a basic verification check against publicly accessible company registration documents could have prevented the fraudulent registration.

12.11.2025 21:52 πŸ‘ 0 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

1/ [UPDATE] As of November 10, 2025, metaspinner net GmbH has provided substantial evidence confirming Insikt Group’s original assessment that their identity was unlawfully and fraudulently used in the registration of #AS209800.

12.11.2025 21:51 πŸ‘ 2 πŸ” 1 πŸ’¬ 1 πŸ“Œ 0
Preview
German ISP aurologic GmbH Identified as Key Hub for Malicious Hosting Infrastructure German hosting provider aurologic GmbH has emerged as a critical hub within the global malicious infrastructure ecosystem, according to recent intelligence reporting.

German ISP aurologic GmbH Identified as Key Hub for Malicious Hosting Infrastructure gbhackers.com/german-isp-a...

09.11.2025 15:24 πŸ‘ 1 πŸ” 1 πŸ’¬ 0 πŸ“Œ 0
Malicious Infrastructure Finds Stability with aurologic GmbH

Malicious Infrastructure Finds Stability with aurologic GmbH

07.11.2025 11:24 πŸ‘ 1 πŸ” 1 πŸ’¬ 0 πŸ“Œ 0
Preview
German ISP Aurologic GmbH has Become a Central Nexus for Hosting Malicious Infrastructure

German ISP Aurologic GmbH has Become a Central Nexus for Hosting Malicious Infrastructure

08.11.2025 00:41 πŸ‘ 2 πŸ” 3 πŸ’¬ 0 πŸ“Œ 0