Full Report
Before facing EU sanctions in May 2025, Stark Industries Solutions executed a strategic infrastructure overhaul to maintain operations. This report reveals how rebranding, RIPE resource manipulation, and cross-border obfuscation enabled the sanctioned web host to remain resilient — highlighting the persistent challenge of threat activity enablers.
Analysis Summary
# Threat Actor: Stark Industries Solutions Ltd (Threat Activity Enabler - TAE)
## Attribution & Identity
* **Primary Entity:** Stark Industries Solutions Ltd (UK-registered web-hosting provider).
* **Associated Individuals:** Dmitrii Miasnikov (Russian network operator, linked via RIPE maintainer objects).
* **Associated Groups/Networks:** Facilitator for Russian state-sponsored cyber operations.
* **Successor/Rebranded Entities:** PQ Hosting Plus S.R.L. (New RIPE entity), UFO Hosting LLC, THE.Hosting, WorkTitans B.V. (Dutch entity controlling rebranded operations).
## Activity Summary
Stark Industries Solutions Ltd engaged in strategic organizational and infrastructure maneuvering to preemptively evade sanctions imposed by the European Union on May 20, 2025. This included:
1. Registration of a new RIPE entity, PQ Hosting Plus S.R.L.
2. Migration of Russian infrastructure to UFO Hosting LLC as early as April 10, 2025.
3. Rebranding of operations, following the sanctions, to “THE.Hosting” under the control of the Dutch entity “WorkTitans B.V.” on May 29, 2025.
4. Creation of a new autonomous system, AS209847 (THE), on June 24, 2025.
The overall goal was to sustain operational continuity and maintain service availability despite official sanctions, highlighting the structural resilience of this modern Threat Activity Enabler (TAE).
## Tactics, Techniques & Procedures
* **Infrastructure Relocation/Obfuscation:** Rapid migration of infrastructure between legal entities and service providers just prior to and immediately following sanctions enforcement.
* **Corporate Masking:** Utilizing new legal structures (PQ Hosting Plus S.R.L., WorkTitans B.V.) and rebranding to maintain hosting services.
* **RIPE Resource Control:** Maintaining control over critical RIPE resources (LIRs, ASNs, IP prefixes), which allows streamlined reallocation and rebranding.
* **Shared Maintainer Objects:** Using consistently linked RIPE maintainer objects (linked to `jama**[@]gmail[.]com`) across multiple transitional entities (PQ Hosting Plus S.R.L., UFO Hosting LLC, WorkTitans B.V.) for unified control.
* **No specific MITRE ATT&CK IDs were provided in the text.**
## Targeting
* **Sectors:** The entity itself was sanctioned for enabling Russian state-sponsored cyber operations, information manipulation, and destabilizing hybrid threats, implying targets linked to these activities. The TAE itself targets legal/regulatory frameworks.
* **Geography:** Operations span Russia (initial infrastructure base), UK (original registration), EU/Moldova (sanctioning bodies/media focus), and infrastructure distributed across Latvia, Portugal, and Bosnia and Herzegovina under the new structure.
* **Victims:** Agencies and entities targeted by the Russian state-sponsored cyber operations enabled by Stark Industries.
## Tools & Infrastructure
* **Malware Families Used:** None explicitly mentioned; the focus is on infrastructure provisioning.
* **Infrastructure:**
    * **ASNs:** AS33993 (UFO-AS, associated with UFO Hosting LLC), AS209847 (THE, associated with WorkTitans B.V.).
    * **IP Prefixes (Associated with UFO Hosting LLC/Russia):** 2[.]56[.]178[.]0/24, 45[.]12[.]114[.]0/24, 45[.]12[.]115[.]0/24, 45[.]67[.]230[.]0/24, 45[.]84[.]1[.]0/24, 45[.]128[.]49[.]0/24, 45[.]128[.]53[.]0/24, 45[.]138[.]157[.]0/24, 45[.]144[.]30[.]0/24, 45[.]144[.]31[.]0/24, 45[.]150[.]64[.]0/24, 45[.]153[.]231[.]0/24, 91[.]207[.]183[.]0/24, 94[.]131[.]113[.]0/24, 94[.]131[.]121[.]0/24, 103[.]113[.]68[.]0/24, 171[.]22[.]119[.]0/24, 185[.]234[.]59[.]0/24, 185[.]235[.]242[.]0/24, 185[.]250[.]149[.]0/24, 193[.]201[.]126[.]0/24.
    * **IP Prefixes (Associated with WorkTitans B.V./THE.Hosting):** 2[.]56[.]119[.]0/24, 5[.]182[.]39[.]0/24, 45[.]12[.]131[.]0/24, 45[.]15[.]178[.]0/24, 45[.]15[.]179[.]0/24, 45[.]15[.]184[.]0/24, 45[.]83[.]142[.]0/24, 45[.]133[.]216[.]0/24, 45[.]142[.]213[.]0/24, 45[.]142[.]215[.]0/24, 45[.]159[.]251[.]0/24, 94[.]131[.]10[.]0/24, 94[.]131[.]104[.]0/24, 95[.]164[.]32[.]0/24, 103[.]231[.]73[.]0/24, 171[.]22[.]129[.]0/24, 176[.]120[.]67[.]0/24, 193[.]43[.]146[.]0/24, IPv6 ranges 2a09:7c43::/32 and 2a0b:/32.
## Implications
Stark Industries exemplifies a highly resilient Threat Activity Enabler (TAE) that can successfully maintain operational continuity and service delivery despite targeted international sanctions. This suggests that current enforcement mechanisms relying solely on regional designations are insufficient to disrupt entities controlling critical RIPE resources (LIRs, ASNs). These actors are structurally positioned to pivot quickly, rendering initial disruption attempts ineffective.
## Mitigations
* **Multilateral Approach:** Comprehensive, cross-border collaboration among policymakers and law enforcement is needed, beyond regional sanctions.
* **RIPE Intervention:** Meaningful intervention regarding TAEs maintaining significant control over RIPE resources (LIRs, ASNs, IP prefixes) is required to prevent rapid rebranding and resource reallocation.
* **Sustained Monitoring:** Network defenders must implement sustained monitoring of associated infrastructure, legal entities, and RIPE resource updates post-designation to track obfuscation efforts.
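
One way to put the sustained-monitoring point into practice, and to surface the shared-maintainer pattern described under Tactics, Techniques & Procedures (an added example, not part of the original report): diff two snapshots of RIPE Database objects for watched prefixes and pivot on `mnt-by`. The prefixes are documentation ranges, and the organisation and maintainer names are constructed placeholders, not values from the report.

```python
from collections import defaultdict
# Constructed RPSL snapshots: documentation prefixes and placeholder names.
BEFORE = """\
inetnum: 192.0.2.0 - 192.0.2.255
org:     ORG-EXAMPLE1-RIPE
mnt-by:  EXAMPLE-MNT

inetnum: 198.51.100.0 - 198.51.100.255
org:     ORG-EXAMPLE1-RIPE
mnt-by:  EXAMPLE-MNT
"""
AFTER = """\
inetnum: 192.0.2.0 - 192.0.2.255
org:     ORG-EXAMPLE2-RIPE
mnt-by:  EXAMPLE-MNT

inetnum: 198.51.100.0 - 198.51.100.255
org:     ORG-EXAMPLE3-RIPE
mnt-by:  EXAMPLE-MNT
mnt-by:  OTHER-MNT
"""

def parse_rpsl(text):
    """Return {primary key: {attribute: [values]}} for blank-line separated objects."""
    objects = {}
    for block in text.strip().split("\n\n"):
        attrs, key = defaultdict(list), None
        for line in block.splitlines():
            if not line or line[0] in "%# \t+" or ":" not in line:
                continue  # skip comments, continuation lines and malformed lines
            name, _, value = line.partition(":")
            attrs[name.strip()].append(value.strip())
            key = key or value.strip()  # first attribute's value is the primary key
        if key:
            objects[key] = dict(attrs)
    return objects

def changed_attributes(before, after, watch=("org", "mnt-by")):
    """List (key, attribute, old, new) for watched attributes that differ."""
    return [(k, a, before[k].get(a, []), after[k].get(a, []))
            for k in sorted(before.keys() & after.keys()) for a in watch
            if before[k].get(a, []) != after[k].get(a, [])]

def shared_maintainers(objects):
    """Maintainers whose objects span more than one org, with those orgs."""
    orgs = defaultdict(set)
    for attrs in objects.values():
        for mnt in attrs.get("mnt-by", []):
            orgs[mnt].update(attrs.get("org", []))
    return {m: sorted(o) for m, o in orgs.items() if len(o) > 1}
```

A prefix whose `org` changes while its `mnt-by` stays the same is the signal to escalate: the registered holder is new, but the party able to edit the object is not.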