{
  "name": "Malicious Infrastructure Finds Stability with aurologic GmbH",
  "slug": "malicious-infrastructure-finds-stability-with-aurologic-gmbh",
  "description": "German hosting provider aurologic GmbH has become a central hub for high-risk hosting networks, providing upstream transit to multiple threat activity enablers. These include sanctioned entities such as Aeza Group, as well as other providers associated with cybercrime and disinformation campaigns. aurologic's continued service to these networks, despite public scrutiny and sanctions, raises questions about the line between neutrality and negligence in internet infrastructure. The company's reactive abuse handling, and its reliance on legal compliance rather than proactive risk management, have allowed malicious actors to maintain operational stability. This case highlights broader challenges in accountability within the hosting ecosystem and the need for upstream providers to take greater responsibility in preventing infrastructure abuse.",
  "published": "2025-11-06T17:51:59+00:00",
  "created_at": "2025-11-06T17:51:59+00:00",
  "modified_at": "2025-11-06T19:34:12+00:00",
  "created_at_opencti": "2025-11-06T17:51:59+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-11-06",
    "abuse",
    "amadey",
    "asyncrat",
    "aurologic",
    "aurotun",
    "bianlian",
    "castleloader",
    "castlerat",
    "cobalt strike",
    "cybercrime",
    "dark crystal rat",
    "darkcomet",
    "dcrat",
    "destiny stealer",
    "disinformation",
    "hosting",
    "infrastructure",
    "latrodectus",
    "lumma",
    "meduza stealer",
    "moobot",
    "neutrality",
    "phorpiex",
    "quasarrat",
    "redline stealer",
    "remcos rat",
    "rhadamanthys stealer",
    "risepro stealer",
    "sanctions",
    "sliver",
    "stealc",
    "svcstealer",
    "systembc",
    "thc hydra",
    "tinyloader",
    "transit",
    "upstream",
    "vidar"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "aurologic.com"
      },
      {
        "id": "",
        "name": "vonie.net"
      },
      {
        "id": "",
        "name": "virtualine.net"
      },
      {
        "id": "",
        "name": "sunucumburada.com"
      },
      {
        "id": "",
        "name": "proxio.cc"
      },
      {
        "id": "",
        "name": "proxio.net"
      },
      {
        "id": "",
        "name": "pricepirates.com"
      },
      {
        "id": "",
        "name": "preispiraten.de"
      },
      {
        "id": "",
        "name": "ntired.net"
      },
      {
        "id": "",
        "name": "nettacompany.com"
      },
      {
        "id": "",
        "name": "metaspinner.net"
      },
      {
        "id": "",
        "name": "metaspinner.de"
      },
      {
        "id": "",
        "name": "meta-spinner.net"
      },
      {
        "id": "",
        "name": "lanedo.net"
      },
      {
        "id": "",
        "name": "lanedo.com"
      },
      {
        "id": "",
        "name": "fastpipe.io"
      },
      {
        "id": "",
        "name": "evozcdn.com"
      },
      {
        "id": "",
        "name": "driphost.net"
      },
      {
        "id": "",
        "name": "dior.host"
      },
      {
        "id": "",
        "name": "cheapy.host"
      },
      {
        "id": "",
        "name": "birsunucum.com"
      },
      {
        "id": "",
        "name": "antired.net"
      },
      {
        "id": "",
        "name": "antired.host"
      }
    ],
    "attack_patterns": [
      {
        "id": "75702b35-b790-4504-a1e0-7829e76f22e9",
        "name": "T1585"
      },
      {
        "id": "7616ff60-a18f-4663-9824-b889aa01c8ce",
        "name": "T1588"
      },
      {
        "id": "5e3b3612-8bf8-46e1-943e-b4c1524bef11",
        "name": "T1587"
      },
      {
        "id": "9c5a20d1-0df9-4e99-bcc5-0b731a78b5d1",
        "name": "T1608"
      },
      {
        "id": "1e043fe4-2413-4b8e-887c-0fe45d095a24",
        "name": "T1583"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "74d5f31c-5e2d-4aed-b8b9-4fabdde76dfa",
        "name": "T1598"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf",
        "name": "T1584"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Serbia"
      },
      {
        "id": "",
        "name": "Iran, Islamic Republic of"
      },
      {
        "id": "",
        "name": "Germany"
      },
      {
        "id": "",
        "name": "United Kingdom of Great Britain and Northern Ireland"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Telecommunications"
      }
    ]
  },
  "external_refs": [
    "https://www.recordedfuture.com/research/media_1bfe9de2bfeea34dcb206c1c308f99a7b25b68b32.gif?width=1200&format=pjpg&optimize=medium",
    "https://www.recordedfuture.com/research/malicious-infrastructure-finds-stability-with-aurologic-gmbh",
    "https://otx.alienvault.com/pulse/690cee4f0a00b80c63983535"
  ]
}