
Posts by Lawrence S.


🧵 ICYMI: We just dropped our 2025 Malicious Infrastructure Review! Some of the highlights below👇 #Infosec #CyberThreats 1/6

www.recordedfuture.com/research/202...

4 weeks ago 3 2 1 0

-Iran internet outage not caused by strikes
-Russia expands internet blackout to Sankt Petersburg
-Oracle out-of-band security update
-Himmelblau vulnerability gives root
-Claudy Day vulnerabilities
-Leak in German uni campuses platform
-Langflow attacks started within a day

4 weeks ago 12 7 1 1

Microsoft Defender is also flagging #TheVoidStealer as #WallStealer. Here’s the threat actor nikoniko (aka “TheVoidStl”) discussing the removal of multiple detections, including WallStealer.

1 month ago 0 0 0 0

Recorded Future's annual malicious infrastructure report has finally dropped, and this year, we took a different approach to how we analyze malicious infrastructure👇

1 month ago 6 3 0 0
Preview
2025 Year in Review: Malicious Infrastructure Explore Insikt Group’s 2025 Malicious Infrastructure Report. Gain insights into Cobalt Strike, Vidar infostealers, and AI-driven threats to secure your 2026 strategy.

1/ Today we’re publishing our annual malicious infrastructure report, providing a broad view of global threat infrastructure. This year, we significantly expanded coverage across malware families, threat categories, and deeper infrastructure insights: www.recordedfuture.com/research/202...

1 month ago 9 11 1 1

Noticed Microsoft Defender tagging #TheVoidStealer as #WallStealer thanks to some recent abuse_ch uploads. Here’s the threat actor nikoniko (aka “TheVoidStl”) discussing the removal of multiple detections, including WallStealer.

1 month ago 2 2 0 0

-Even more research on Twitter/X algorithm manipulation
-Russia turns on Telegram
-Texas sues TP-Link
-West Virginia sues Apple
-US does dumb things, part 332737232
-Spain arrests hotel hacker
-Nigerian hacker sentenced to 8 years
-651 cybercrime arrests in Africa
-GrayCharlie profile

2 months ago 5 3 2 0
Preview
GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack GrayCharlie turns compromised WordPress sites into malware delivery machines. Discover how this threat actor chains fake browser updates and ClickFix lures to deploy NetSupport RAT, Stealc, and Sectop...

1/ Today, Insikt Group is publishing on GrayCharlie, a threat actor active since mid-2023 that overlaps with SmartApeSG. GrayCharlie compromises WordPress sites and turns them into malware delivery hubs: www.recordedfuture.com/research/gra...

2 months ago 5 8 1 0
Preview
BlueDelta’s Persistent Campaign Against UKR.NET Discover how Russia’s BlueDelta targets UKR.NET users with advanced credential-harvesting campaigns, evolving tradecraft, and multi-stage phishing techniques.

Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET. The activity is attributed to the Russian state-sponsored threat group | www.recordedfuture.com/research/blu...

4 months ago 7 4 0 0

CastleLoader in the wild! Four distinct activity clusters, sector-specific targeting of logistics, and high-end tooling like Matanbuchus and CastleRAT.

4 months ago 3 2 0 0

Recorded Future’s Insikt Group uncovered four GrayBravo activity clusters. TAG-160 impersonates logistics firms, while TAG-161 impersonates Booking.com, employing ClickFix to deliver CastleLoader and Matanbuchus. www.recordedfuture.com/research/gra...

4 months ago 6 5 0 0

2/ Our latest analysis uncovered four distinct activity clusters within GrayBravo’s ecosystem, all leveraging the group’s #CastleLoader malware. Each cluster uses different tactics, techniques, and targets, reinforcing the assessment that GrayBravo runs a #MaaS model.

4 months ago 3 1 1 0
Preview
GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries

1/ @whoisnt.bsky.social, Marius, and I just published a report on #GrayBravo (formerly TAG-150), a highly adaptive, sophisticated threat actor that we first identified in Sept 2025. It uses a multi-layered infrastructure and responds quickly to exposure: www.recordedfuture.com/research/gra...

4 months ago 10 6 1 1

A good piece highlighting the EU's continued inaction following recent sanctions, essentially allowing these enablers to continue their operations.

4 months ago 1 0 0 0
Preview
Predator spyware uses new infection vector for zero-click attacks The Predator spyware from surveillance company Intellexa has been using a zero-click infection mechanism dubbed "Aladdin" that compromised specific targets when simply viewing a malicious advertisement.

The Predator spyware from surveillance company Intellexa has been using a zero-click infection mechanism dubbed "Aladdin" that compromised specific targets when simply viewing a malicious advertisement.

4 months ago 7 4 0 0

🚨 - New report by Haaretz, Inside Story, Inside-IT and Amnesty International releases the Intellexa Leaks, which expose that Intellexa support staff had access through TeamViewer to customer deployments and confirm IOCs found in the past by civil society. 🧵👇

4 months ago 9 16 1 3
Preview
Intellexa’s Global Corporate Web

1/ Today we release a new report exposing previously undisclosed entities connected to the wider #Intellexa ecosystem as well as newly identified activity clusters in Iraq and indications of activity in Pakistan: www.recordedfuture.com/research/int...

4 months ago 26 18 2 4

3/ As long as the same LIRs and the same bad actors are able to maintain control of their RIPE resources, the problem will never stop.

4 months ago 0 0 0 0

2/ The case of fraud relating to metaspinner GmbH really does spell out the severity of the problem...

4 months ago 0 0 1 0
Preview
‘Neutral’ internet governance enables sanctions evasion Internet service providers and hosting companies enable cybercrime and cyber operations. Why don’t sanctions stop them?

1/ It's nice to see the topic of bulletproof hosters and Threat Activity Enablers gaining more mainstream attention; however, a bigger problem than endless shell companies exists, and that is RIPE RIR policy. bindinghook.com/neutral-inte...

4 months ago 2 1 1 1

NSA Joins CISA and Others to Release Guidance on Mitigating Malicious Activity from Bulletproof Hosting Provider Infrastructure
November 19, 2025, NSA/CSS
www.nsa.gov/Press-Room/P...

5 months ago 4 3 1 0
Preview
Completed draft of cyber strategy emphasizes imposing costs, industry partnership The forthcoming Trump administration cyber strategy will introduce six key pillars, emphasizing deterrence of cyber threats and enhanced industry partnerships, with action items and deliverables for U...

The national cyber director and a top FBI official shared more details about the forthcoming Trump administration document Tuesday. via @timstarks.bsky.social cyberscoop.com/trump-cyber-...

5 months ago 2 2 0 0

3/

5 months ago 2 0 0 0
Preview
Malicious Infrastructure Finds Stability with aurologic GmbH This investigative report reveals how German hosting provider aurologic GmbH has become a central enabler of malicious internet infrastructure, linking numerous threat activity networks while operatin...

2/ Sanctions include Aeza's entities used to evade recent OFAC and UK sanctions, including Hypercore LTD and SMART DIGITAL IDEAS DOO. Myself and @whoisnt.bsky.social break down these entities in our recent report: www.recordedfuture.com/research/mal...

5 months ago 2 0 1 0

1/ United States, Australia, and United Kingdom sanction Russian threat activity enabler Media Land (Yalishanda) and follow up on recent designations targeting Aeza. ofac.treasury.gov/recent-actio...

5 months ago 3 3 1 0

This is highly likely CrazyRDP :)

5 months ago 2 0 0 0
Preview
Thousands of servers seized in large-scale cybercrime investigation In an investigation into a rogue hosting company, the East Netherlands cybercrime team seized thousands of servers. According to the police, the hosting company is used solely ...

www.politie.nl/nieuws/2025/...

5 months ago 1 0 0 0
Preview
Operation Endgame 3.0 took down 1025 servers including CrazyRDP Europol and Shadowserver have announced today they have completed "third phase" of Endgame operation targeting infostealer Rhadamanthys, Remote Access Trojan VenomRAT, and the botnet Elysium...

2/ ASNs believed to be utilised by CrazyRDP were reportedly downstream of aurologic… lowendspirit.com/discussion/c...

5 months ago 0 0 0 0
Preview
Dutch police seize thousands of servers used for ransomware, child sex abuse footage The Dutch police seized thousands of servers in The Hague and Zoetermeer, used solely for hosting criminal activities. According to the police, the hosting company rented space to criminals to carry o...

1/ Reports indicating that CrazyRDP is the bulletproof hoster behind this seizure in the Netherlands. nltimes.nl/2025/11/14/d...

5 months ago 3 1 1 0

3/ metaspinner net GmbH (Hamburg, Germany) has no affiliation with #AS209800, Virtualine Technologies, or any related malicious activity associated with that network.

5 months ago 0 0 0 0