Calwarez
calwarez.bsky.social
@calwarez.bsky.social
Director for Malicious Infrastructure Discovery @ Recorded Future | Views my own
Reposted by Calwarez
"There is a lack of consensus regarding the current state of AI malware maturity."

So we put together #AIM3 to help #malware researchers describe the maturity level of an #AI_Malware Threat.
www.recordedfuture.com/blog/ai-malw...
December 6, 2025 at 3:23 AM
Reposted by Calwarez
⚠️ New victims of Predator #spyware identified, with malicious TikTok links revealing new targets, and evidence showing 🇪🇬Egypt & 🇸🇦Saudi clients still active.

➡️ Ad-based infections confirmed.

➡️ Leaked files & investigation expose post-sanctions Intellexa operations.

www.haaretz.com/israel-news/...
December 4, 2025 at 6:03 AM
Reposted by Calwarez
And check out the companion blog post by @amnestyuk.bsky.social tech with a detailed peek into Intellexa's setup based on leaked materials 👀

Giveaway: Intellexa can observe all of what their gov clients are doing with their hacking tech and more securitylab.amnesty.org/latest/2025/...
To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware - Amnesty International Security Lab
Drawing on leaked internal company documents, sales and marketing material, as well as training videos, the “Intellexa Leaks” investigation gives a never-before-seen glimpse of the internal operations...
securitylab.amnesty.org
December 4, 2025 at 5:03 AM
Reposted by Calwarez
1/ Today we release a new report exposing previously undisclosed entities connected to the wider #Intellexa ecosystem as well as newly identified activity clusters in Iraq and indications of activity in Pakistan: www.recordedfuture.com/research/int...
Intellexa’s Global Corporate Web
www.recordedfuture.com
December 4, 2025 at 4:18 AM
Reposted by Calwarez
Cyber Monday Deal
Get 6 months of Modat Magnify Pro for just €5 total (save €355).
Use code: MODAT2025CYBERMONDAY

Try the platform. Run advanced queries. Find what others miss. 

magnify.modat.io
#CyberMonday #Cybersecurity #OSINT
December 1, 2025 at 10:51 AM
Reposted by Calwarez
1/ United States, Australia, and United Kingdom sanction Russian threat activity enabler Media Land (Yalishanda) and follow up on recent designations targeting Aeza. ofac.treasury.gov/recent-actio...
ofac.treasury.gov
November 19, 2025 at 5:17 PM
1/ New report from myself and @whoisnt.bsky.social: “Malicious Infrastructure Finds Stability with aurologic GmbH.”

We uncover how German ISP aurologic GmbH has become a central nexus for high-risk hosting networks, sustaining large concentrations of malicious infrastructure.
November 6, 2025 at 11:53 AM
Reposted by Calwarez
Recorded Future just published Dark Covenant 3.0, revealing how global crackdowns and shifting Russian enforcement are reshaping the cybercriminal underground, exposing ties to state actors and turning cybercrime into a geopolitical tool: www.recordedfuture.com/research/dar...
Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals
Explore how Russia’s cybercriminal ecosystem evolved under Operation Endgame—where state control, selective enforcement, and criminal alliances collide.
www.recordedfuture.com
October 22, 2025 at 2:26 PM
Great work by my colleague, @lawrencesec.bsky.social ! He dives deep into the systemic flaw where "neutral" internet governance lets sanctioned ISPs evade restrictions and continue supporting #cyberattacks and #disinformation. A must-read on the infrastructure gap. 👇
October 21, 2025 at 8:45 AM
Reposted by Calwarez
Recorded Future just published a report diving into the Beijing Institute of Electronics Technology and Application (BIETA), which is almost certainly a front for China’s MSS, developing technologies to support intelligence and military missions. Full report: www.recordedfuture.com/research/bie...
BIETA: A Technology Enablement Front for China's MSS
Discover how China's Ministry of State Security (MSS) almost certainly operates BIETA and its subsidiary CIII as public fronts for cyber-espionage, covert communications, and technology acquisition. C...
www.recordedfuture.com
October 7, 2025 at 8:04 PM
Reposted by Calwarez
👋 Don't miss the first Colloquium session tomorrow!

📌 Mythical Beasts and Where to Find Them: Diving into the Depths of the Global Spyware Market
💡 Jen Roberts (@cyberstatecraft.bsky.social) & @julianferdinand.bsky.social (Recorded Future)
🗓️ October 2, 2025
🕓 16:00 – 17:00 CET
October 1, 2025 at 1:03 PM
Reposted by Calwarez
Recorded Future's Insikt Group reports CopyCop, also tracked as Storm 1516, expanding in 2025, adding at least 200 new fictional media websites targeting the United States, France and Canada and using self-hosted LLMs. www.recordedfuture.com/research/cop...
September 18, 2025 at 9:10 AM
Reposted by Calwarez
I'm excited to speak at #VB2025 later this week! I'll be diving into TAG-124, a group whose services are leveraged by a wide range of actors, from cybercriminals to state-sponsored groups. Hit me up if you are in town!

www.virusbulletin.com/conference/v...
September 22, 2025 at 8:23 AM
Reposted by Calwarez
The UK has sanctioned Aeza International, citing its involvement in destabilising Ukraine by providing internet services to Russian disinformation campaigns. This follows OFAC sanctions in July. www.gov.uk/government/n...
UK sanctions Georgia-linked supporters of Putin’s illegal war in Ukraine
The UK has announced new sanctions targeting Georgia-linked supporters of Putin’s illegal war in Ukraine.
www.gov.uk
September 22, 2025 at 3:48 PM
Reposted by Calwarez
Really excited to present at #LABScon25 on ChamelGang's most recent campaign targeting the Taliban, a collaborative research project with @milenkowski.bsky.social (SentinelLABS) and @azaka.fun (TeamT5)! www.labscon.io/speakers/jul...
September 16, 2025 at 1:50 PM
Reposted by Calwarez
Great blog post from @briankrebs.infosec.exchange.ap.brid.gy on #StarkIndustries. Makes a great point by highlighting its links to MIRHosting. Where there are Dutch prefixes under these providers, there is usually always MIRHosting upstream.
New, from me:

In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of […]

[Original post on infosec.exchange]
September 11, 2025 at 6:32 PM
Reposted by Calwarez
Insikt Group identifies a new threat actor, TAG-150, active since at least March 2025. Its multi-layered infrastructure is used to deploy likely self-developed malware families, including CastleLoader, CastleBot, and the newly documented CastleRAT. www.recordedfuture.com/research/fro...
September 8, 2025 at 8:33 AM
Reposted by Calwarez
Recorded Future has spotted two influence operations around the recent India-Pakistan military conflict from May.

The networks are tracked as Hidden Charkha (pro-India) and Khyber Defender (pro-Pakistan).

www.recordedfuture.com/research/inf...
September 7, 2025 at 11:24 AM
Reposted by Calwarez
A significant amount of #CastleLoader C2 infrastructure identified by @julianferdinand.bsky.social was tied to #ThreatActivityEnabler 🇬🇧 FEMO IT SOLUTIONS #AS214351 utilising 🇩🇪 aurologic GmbH #AS30823 as their sole upstream provider. One to watch out for!
2/ TAG-150 is Insikt Group’s designation for the actor likely behind the malware families #CastleLoader, #CastleBot, and most recently #CastleRAT, a RAT documented here for the first time.
September 4, 2025 at 3:17 PM
Another great report from the team on TAG-150, a sophisticated and rapidly evolving threat actor. 🕵️ Our report documents #CastleRAT for the first time, a new Remote Access Trojan, alongside the previously observed #CastleLoader.
September 4, 2025 at 3:19 PM
Reposted by Calwarez
Recorded Future: Stark Industries, along with its CEO and owner, was formally sanctioned by the Council of the European Union on May 20, 2025, for enabling Russian state-sponsored cyber operations | www.recordedfuture.com/research/one...
One Step Ahead: Stark Industries Solutions Preempts EU Sanctions
Before facing EU sanctions in May 2025, Stark Industries Solutions executed a strategic infrastructure overhaul to maintain operations. This report reveals how rebranding, RIPE resource manipulation, ...
www.recordedfuture.com
August 28, 2025 at 12:26 PM
This report on Stark Industries is a fantastic case study in the cat-and-mouse game between hosting providers and law enforcement. The new "Threat Activity Enabler" (TAE) terminology is spot-on and highlights the critical role these providers play in the cybercrime ecosystem.
1/ Today, we published “One Step Ahead: Stark Industries Solutions Preempts EU Sanctions,” revealing how hosting provider #StarkIndustries executed a multi-phase restructuring of its operations, beginning up to a month before #EU sanctions.
August 27, 2025 at 2:57 PM
Highly recommend this report on TAG-144. It breaks down the group's operations into five distinct clusters and reveals some serious tradecraft! From using compromised government emails to hiding payloads in JPGs. A deep dive into a very sophisticated threat.
1/ We just released a new report on TAG-144 (also known as Blind Eagle), where we identified five distinct activity clusters that have been active throughout 2024 and 2025, primarily targeting the Colombian government at multiple levels. Link to the report: www.recordedfuture.com/research/tag...
TAG-144’s Persistent Grip on South American Organizations
Persistent cyber operations by TAG-144 (Blind Eagle) continue to target South American, primarily Colombian, government entities through advanced spearphishing and RAT-based malware campaigns. Explore...
www.recordedfuture.com
August 26, 2025 at 6:58 PM
Reposted by Calwarez
1/ Today, we release a first-of-its-kind analysis of a set of Lumma affiliates within a vast info-stealing ecosystem, showing their interconnectedness and resilience even after major law enforcement takedown attempts earlier this year: www.recordedfuture.com/research/beh...
Behind the Curtain: How Lumma Affiliates Operate
Explore a groundbreaking investigation into Lumma affiliates: uncover their tools, tactics, scams, and integration in the cybercriminal ecosystem. Essential reading for defenders.
www.recordedfuture.com
August 20, 2025 at 2:08 PM