Independent Threat Intelligence

FDC Threat Intelligence

We investigate the infrastructure behind cybercrime and state-sponsored operations: bulletproof hosting supply chains, phishing campaigns, malware delivery networks. All findings are based on publicly available data and original research.

288
ASN Analyzed
4
Honeypot Regions
3,600+
Malware Samples
19
Published Reports

Active Projects

Bulletproof Hosting Ecosystem
Mapping the full supply chain of abuse-tolerant hosting: from IP allocation through BGP transit to ransomware C2, state-sponsored APTs, and disinformation. 21 operator profiles, 10 interactive network graphs, 7 jurisdictions.
active invite-only 288 ASN · 21 operators · since Jan 2026
PROSPERO AS200593 Investigation
Deep dive into a single BPH autonomous system: 262 IPs across 3 prefixes, Metasploit C2, dropper distribution, RDP farms, and connections to sanctioned infrastructure. Interactive graphs and full host analysis.
active public 262 IPs · 3 prefixes · since Mar 2026
Honeypot Network
Multi-region sensor network (DE, US, RU, PL) capturing SSH brute-force, Docker API exploitation, SMB attacks, fake Ollama/Kubelet services. Automated malware collection via S3, sandbox analysis, and Loki-based monitoring.
active 4 regions · automated S3 collection · 3,600+ samples
Incident Response & Reporting
TLP:CLEAR reports on phishing campaigns targeting civil society, human rights organizations, and diaspora communities. Bilingual (EN/RU) PDF reports with IOCs and MITRE ATT&CK mapping.
reports tlp:clear

Capabilities

Infrastructure Analysis
RIPE DB, BGP routing, corporate registries, Shodan, Censys, passive DNS
Malware Analysis
Isolated sandbox, ClamAV, YARA rules, MalwareBazaar, automated S3 pipeline
Phishing Detection
Header analysis, URL extraction, domain intelligence, certificate monitoring
Honeypot Operations
Cowrie, Dionaea, PyRDP, Docker/Kubelet/Ollama traps, multi-region deployment
Threat Reporting
Bilingual reports (EN/RU), MITRE ATT&CK, IOC tables, TLP classification
Monitoring
Grafana + Loki + VictoriaMetrics, real-time alerts, Censys/crt.sh tracking

Honeypot Telemetry — June 2026

Aggregate activity across the multi-region honeypot network. Figures are anonymised totals from the monthly TLP:CLEAR report — no individual sensor identifiers, addresses, or locations are disclosed.

497,929
SSH sessions
118,909
Docker-API worm requests
70
Malware samples
16,729
AI-API abuse requests
Attack volume by category
SSH brute-force
497,929
Multi-protocol scanning
224,985
Docker-API worm
118,909
Ollama / AI-API abuse
16,729
Top source networks (attack-correlated hits)
DigitalOcean
6,468
OVH
1,707
VPSVAULT.HOST
1,487

Notable: a self-propagating Docker-API worm escaping to the host via chroot (Docker traffic up ~28× month-over-month), a captured-malware shift from WannaCry PE binaries to ELF SSH-worms (Panchan / Go SSH-worm / Discord-C2 / Mirai), and internet-wide IEC-104 (ICS/OT) reconnaissance with no attacker-issued control commands. Full analysis — June 2026 Monthly Report.

Public Reports

TLP:CLEAR incident reports and threat analysis, available in English and Russian.

Contact

For collaboration, responsible disclosure, abuse reporting, or access to restricted research materials:

infra.observer@proton.me

Aleksei Fokin — Threat Intelligence Analyst