Full Report
From Seychelles to Netherlands, a bulletproof hosting journey
Analysis Summary
# Threat Actor: Stark Industries (and successors)
## Attribution & Identity
Associated with:
* Stark Industries Solutions (Controversial hosting provider, linked to Russian state-sponsored actors and financially motivated actors).
* PQ Hosting SRL (Successor entity).
* Morenehost (Another linked bullet-proof hosting provider).
* WorkTitans B.V. (Current Dutch entity hosting the infrastructure).
* Key individuals: The Neculiti brothers (CEO & Owner of Stark Industries, tied to PQ Hosting and Morenehost).
## Activity Summary
The primary focus of the investigation is the persistent operation of a bulletproof hosting service used by various malicious actors, including Russian state-sponsored and financially motivated groups.
* **Historical Operations:** Stark Industries was established around the time of the Russian invasion of Ukraine, potentially to facilitate influence and malicious operations.
* **Evasion Tactic:** Following sanctions imposed by the EU Council on May 20, 2025, against the Neculiti brothers and 6 entities (including Stark Industries), the operators quickly shifted infrastructure from Stark Industries to PQ Hosting SRL.
* **Recent Infrastructure Shift:** The infrastructure has recently moved again, with networks now being registered under the Dutch company "WorkTitans B.V."
## Tactics, Techniques & Procedures
The TTPs described relate primarily to obfuscation, infrastructure management, and evasion rather than specific offensive cyber techniques:
* Using bulletproof hosting services to shield malicious operations.
* Shifting hosting infrastructure between jurisdictions to evade sanctions and law enforcement action (e.g., moving from initial locations to PQ Hosting, and subsequently to the Netherlands via WorkTitans B.V.).
* Operational Security (OpSec) mistakes, specifically the reuse of the same phone number on an ASN registration (ASN44477) when moving from Stark Industries to PQ Hosting, confirming the continuity of the infrastructure.
## Targeting
* Sectors: The article implies that the hosting was used by actors involved in **Russian hybrid threats** and **financially motivated threats**, but does not specify which sectors the hosting service's customers targeted.
* Geography: Initial operations were tied to locations that avoided immediate EU compliance. The final infrastructure move positions operations under a **Dutch** entity (WorkTitans B.V.).
* Victims: The victims of the malicious traffic are not explicitly detailed, but the activities are described as "destabilising activities against the EU, its member states and international partners."
## Tools & Infrastructure
* **Malware families used:** Not specified.
* **Infrastructure:**
  * Stark Industries Solutions (Original provider).
  * PQ Hosting SRL (First successor).
  * Morenehost (Associated provider).
  * WorkTitans B.V. (Current Dutch registration).
  * ASN44477 ("The-Hosting," previously Stark, linked to PQ Hosting).
## Implications
The actor/operators demonstrate high resourcefulness and persistence, successfully evading EU sanctions imposed in May 2025 by rapidly restructuring their hosting business. Their move to the Netherlands, an EU member state, suggests confidence in exploiting potential regulatory gaps or jurisdictional weaknesses there. The continuity of the underlying infrastructure (via ASN reuse) confirms that the same actors are maintaining control over the malicious hosting environment.
## Mitigations
* Continuous monitoring of infrastructure changes, particularly ASN registrations and changes in jurisdiction, especially when linked to previously sanctioned entities.
* Analysts should scrutinize new Dutch-registered entities ("WorkTitans B.V.") for operational continuity with known sanctioned hosting providers.
* Investigate potential regulatory gaps in the Netherlands that may be attracting bulletproof hosting operations previously located in less compliant jurisdictions.
* Track traffic flowing to/from networks associated with ASN44477.
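
The registration monitoring described above can be automated by comparing successive registry snapshots of an ASN and flagging cases where the organisation name changed but a contact identifier, such as the reused phone number, stayed the same. The following is an added example, not code from the report; the snapshot format is a simplified RPSL-style record, and all dates, phone numbers and the AS64500 records (a documentation-reserved ASN) are constructed placeholders.

```python
import re

# Constructed, simplified RPSL-style snapshots: dates, phone numbers and the
# AS64500 records are invented for this example, not real registry data.
SNAPSHOTS = [
    ("2025-05-01", "aut-num: AS44477\norg-name: Stark Industries Solutions\nphone: +000 555 0100\n"),
    ("2025-06-01", "aut-num: AS44477\norg-name: PQ Hosting SRL\nphone: +000-5550100\n"),
    ("2025-05-01", "aut-num: AS64500\norg-name: Example Net A\nphone: +000 555 0111\n"),
    ("2025-06-01", "aut-num: AS64500\norg-name: Example Net B\nphone: +000 555 0122\n"),
]

def parse_rpsl(text):
    """Parse 'key: value' lines into {key: [values]}, skipping comments."""
    obj = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            obj.setdefault(key.strip().lower(), []).append(value.strip())
    return obj

def contacts(obj):
    """Normalised contact identifiers, so formatting changes do not hide reuse."""
    phones = {("phone", re.sub(r"\D", "", p)) for p in obj.get("phone", [])}
    mails = {("e-mail", m.lower()) for m in obj.get("e-mail", [])}
    return phones | mails

def continuity_findings(snapshots):
    """Flag ASNs whose org-name changed while a contact identifier persisted."""
    by_asn = {}
    for date, text in sorted(snapshots):  # ISO dates sort chronologically
        obj = parse_rpsl(text)
        by_asn.setdefault(obj["aut-num"][0].upper(), []).append((date, obj))
    findings = []
    for asn, history in by_asn.items():
        for (_, old), (date, new) in zip(history, history[1:]):
            old_org, new_org = old["org-name"][0], new["org-name"][0]
            shared = sorted(contacts(old) & contacts(new))
            if old_org != new_org and shared:
                findings.append((asn, date, old_org, new_org, shared))
    return findings

if __name__ == "__main__":
    for finding in continuity_findings(SNAPSHOTS):
        print(finding)
```

An ASN whose organisation and contacts both change, like the constructed AS64500 pair, produces no finding, so the check isolates rebrands that keep the same operator details.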