Calwarez
@calwarez.bsky.social
Director for Malicious Infrastructure Discovery @ Recorded Future | Views my own
7/ Their attack methods have a strong preference for TCP-based floods (SYN, ACK) & HTTP GET floods. Also use "nginx_loris" (slow-loris variant) to exhaust server connections. #DDoSTactics #CyberDefense
July 22, 2025 at 2:12 PM
6/ Pattern-of-life analysis strongly indicates NoName057(16) operates from within a Russian time zone. New targets consistently added in two daily waves: peaking 05:00-07:00 UTC & around 11:00 UTC on weekdays.
July 22, 2025 at 2:12 PM
5/ Sectoral focus: Government & Public Sector bore the brunt of attacks (41.09%), followed by Transportation & Logistics (12.44%) & Tech/Media/Comms (10.19%). Intent to erode civic trust & disrupt critical functions. #CriticalInfrastructure #CyberAttack
July 22, 2025 at 2:12 PM
4/ NoName057(16) uses a multi-tiered infrastructure with rapidly rotated Tier 1 C2 servers & ACL-protected Tier 2 servers. #ThreatIntelligence #C2
July 22, 2025 at 2:12 PM
2/ Geographic focus: Ukraine was the top target, followed by France, Italy, and Sweden. Their targeting reflects a strategic effort to disrupt countries supporting Ukraine. #Geopolitics #CyberWarfare
July 22, 2025 at 2:12 PM
1/ Our analysis reveals NoName057(16) targeted over 3,700 unique hosts from July 2024 - July 2025, primarily government and public-sector entities in European nations. High operational tempo, averaging 50 unique targets daily! #Hacktivism
July 22, 2025 at 2:12 PM
🚨 Our latest Insikt Group report, “Anatomy of DDoSia: NoName057(16)'s DDoS Infrastructure and Targeting”, is now live, providing an in-depth analysis of the pro-Russian hacktivist group’s DDoS campaigns. Get the full details here: www.recordedfuture.com/research/ana... #DDoS #DDoSia #NoName05716 🧵
July 22, 2025 at 2:12 PM
📣 See all the data-driven insights and protective measures in the full report. Download now at www.recordedfuture.com/research/202... (10/10)
February 28, 2025 at 3:03 PM
🏗️ Malicious infrastructure clusters around key hosting providers; the Top 10 ASNs cover 43% of our detections. (9/10)
February 28, 2025 at 3:03 PM
🚦 Droppers & loaders, like Latrodectus and PrivateLoader, drive many early-stage infections, cycling rapidly to evade takedowns. (8/10)
February 28, 2025 at 3:03 PM
📍 RAT infections span the globe based on network traffic data, with AsyncRAT especially widespread, affecting 200+ countries. (7/10)
February 28, 2025 at 3:03 PM
🐀 Among RATs, AsyncRAT claims the highest share of C2 servers, reflecting broad attacker preference, likely driven by its open source nature. (6/10)
February 28, 2025 at 3:03 PM
🔍 LummaC2 rose to the top of the 2024 infostealer landscape in terms of C2 detections after targeted LE disrupted rival families such as RedLine. (5/10)
February 28, 2025 at 3:03 PM
🌍 Meanwhile, cs2modrewrite was observed targeting 118 victim countries, reflecting a massive global victim base. (4/10)
February 28, 2025 at 3:03 PM
👀 jQuery soared past all other Cobalt Strike malleable profiles in 2024, claiming the #1 spot by a wide margin. (3/10)
February 28, 2025 at 3:03 PM
🚀 Cobalt Strike dominates the 2024 OST leaderboard. (2/10)
February 28, 2025 at 3:03 PM
🪡 Our 2024 Malicious Infrastructure Report showcases the results of our detections across hundreds of malware families and threat actors, revealing victims in 200+ countries and highlighting the global scale of cyber threats.
Blog: www.recordedfuture.com/research/202... (1/10)
February 28, 2025 at 3:03 PM
November 19, 2024 at 11:14 AM