Independent Threat Intelligence

FDC Threat Intelligence

We investigate the infrastructure behind cybercrime and state-sponsored operations: bulletproof hosting supply chains, phishing campaigns, malware delivery networks. All findings are based on publicly available data and original research.

288 ASNs analyzed
3 honeypot regions
3,000+ malware samples
6 published reports

Active Projects

Bulletproof Hosting Ecosystem
Mapping the full supply chain of abuse-tolerant hosting: from IP allocation through BGP transit to ransomware C2, state-sponsored APTs, and disinformation. 21 operator profiles, 10 interactive network graphs, 7 jurisdictions.
Status: active, invite-only. 288 ASNs · 21 operators · since Jan 2026
PROSPERO AS200593 Investigation
Deep dive into a single BPH autonomous system: 262 IPs across 3 prefixes, Metasploit C2, dropper distribution, RDP farms, and connections to sanctioned infrastructure. Interactive graphs and full host analysis.
Status: active, public. 262 IPs · 3 prefixes · since Mar 2026
Honeypot Network
Multi-region sensor network (DE, US, RU) capturing SSH brute-force, Docker API exploitation, SMB attacks, fake Ollama/Kubelet services. Automated malware collection via S3, sandbox analysis, and Loki-based monitoring.
Status: active. 3 regions · 9 containers · 29 ports · 3,000+ samples
Incident Response & Reporting
TLP:CLEAR reports on phishing campaigns targeting civil society, human rights organizations, and diaspora communities. Bilingual (EN/RU) PDF reports with IOCs and MITRE ATT&CK mapping.
Status: reports published, TLP:CLEAR

Capabilities

Infrastructure Analysis
RIPE DB, BGP routing, corporate registries, Shodan, Censys, passive DNS
Malware Analysis
Isolated sandbox, ClamAV, YARA rules, MalwareBazaar, automated S3 pipeline
Phishing Detection
Header analysis, URL extraction, domain intelligence, certificate monitoring
Honeypot Operations
Cowrie, Dionaea, PyRDP, Docker/Kubelet/Ollama traps, multi-region deployment
Threat Reporting
Bilingual reports (EN/RU), MITRE ATT&CK, IOC tables, TLP classification
Monitoring
Grafana + Loki + VictoriaMetrics, real-time alerts, Censys/crt.sh tracking

Public Reports

TLP:CLEAR incident reports and threat analysis, available in English and Russian.

Contact

For collaboration, responsible disclosure, abuse reporting, or access to restricted research materials:

infra.observer@proton.me

Aleksei Fokin — Threat Intelligence Analyst