Stark Industries Solutions: A Threat Activity Enabler (TAE) in Focus

  • Writer: CRC
  • Sep 20

Updated: Sep 24


This blog builds on the new Insikt Group report [i] on Stark Industries Solutions to examine how hosting providers can serve as Threat Activity Enablers (TAEs) [ii] in hostile cyber and influence operations. The case of Stark Industries illustrates how infrastructure providers, often presenting themselves as legitimate businesses, become indispensable to the delivery of disinformation, cyberattacks, and other hybrid threats.

Stark Industries Solutions Ltd., incorporated in the United Kingdom in February 2022, was founded by Iurie and Ivan Neculiti. Both have a long history in the hosting sector, with Ivan previously linked to Morenehost Ltd., an offshore service exposed in the Pandora Papers database (see ICIJ Offshore Leaks database [iii]).  

Stark operated as a “white label” [iv] brand for PQ.Hosting [v], offering Virtual Private Servers (VPS), proxy, and Virtual Private Network (VPN) services while concealing the true operators. [vi]


Over time, its networks were repeatedly observed in connection with Distributed Denial-of-Service (DDoS) attacks, financially motivated actors such as FIN7 [vii], and, importantly, infrastructure supporting pro-Russian information manipulation operations, including the Doppelgänger or “Recent Reliable News” (RRN) network [viii] (more information about Doppelgänger is available in the CRC article and blog sections). In these contexts, Stark’s role was not to generate content but to provide the resilient infrastructure that made such campaigns scalable and durable.


On 20 May 2025, the Council of the European Union sanctioned Stark Industries Solutions Ltd., together with its CEO and owner, for enabling Russian state-sponsored cyber operations, explicitly citing their role in information manipulation, interference, and cyberattacks.[ix] 


The move followed media exposure: on 8 May 2025, the Moldovan service of Radio Free Europe/Radio Liberty reported on leaked sanction lists that named the Neculiti brothers, [x] and the central newsroom of RFE/RL confirmed the forthcoming designations on 9 May. [xi]


[Figure: Timeline of events observed by Insikt Group, April to June 2025 (sanctions, reports, and hosting creation; the EU sanctions date is highlighted). Courtesy of Recorded Future [xii]]

The Insikt report concludes that Stark anticipated the sanctions and deliberately restructured its operations. In April 2025, Russian infrastructure was already being migrated to UFO Hosting LLC [xiii], a Moscow-based Internet Service Provider (ISP) registered under ASN AS33993 [xiv]. Domains such as [bill-migration-db.stark-industries.solutions] and [russia.stark-industries.solutions] resolved through UFO-announced IP space before the EU’s action. [xv]


When the sanctions came on 20 May, Stark was formally listed in the EU’s Official Journal. [xvi] Nine days later, on 29 May, PQ.Hosting announced a full rebrand as THE.Hosting, presenting Dutch entity WorkTitans B.V. as the new corporate vehicle. By 24 June, a new ASN, AS209847, had been created to consolidate the rebrand. [xvii]


[Figure: Company details of WorkTitans B.V. from the “Who we are” section of its website. Courtesy of Recorded Future [xviii]]

The RIPE database [xix] showed that maintainer [xx] records across PQ Hosting Plus, UFO Hosting, and THE.Hosting all shared the same identifiers tied to Russian operator Dmitrii Miasnikov. [xxi] This demonstrated operational continuity behind the cosmetic changes. 


For analysts, this case illustrates the importance of domain and network analysis in understanding influence operations. Narratives and content can shift rapidly, but infrastructure leaves durable traces. Tracking RIPE records [xxii], ASN histories (to observe continuity despite rebrands), prefix transfers [xxiii], and maintainer overlaps [xxiv] makes it possible to follow disinformation infrastructure even when brands and jurisdictions change. The Insikt report provides concrete examples: leaked sanction lists triggered asset transfers observable in RIPE, domains resolved through UFO Hosting while behind DDoS protection, and operator fingerprints remained visible across multiple shells.
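The maintainer-overlap check described above can be sketched as follows. This is an added example, not code from the Insikt report or from CRC: it parses RPSL-style whois objects and lists operator-controlled maintainers that secure more than one resource. The sample objects are constructed, every `EXAMPLE-*` maintainer is a placeholder, and AS64500 is a documentation ASN standing in for an unrelated network.

```python
import re
from collections import defaultdict

# Registry-owned maintainers sit on thousands of objects and prove nothing.
REGISTRY_MNT = {"RIPE-NCC-END-MNT", "RIPE-NCC-HM-MNT", "RIPE-NCC-LEGACY-MNT"}
MNT_ATTRS = {"mnt-by", "mnt-lower", "mnt-ref"}
# Constructed RPSL objects, NOT real RIPE data; only the first two ASNs are from the article.
SAMPLE = """\
% constructed whois output
aut-num:        AS33993
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         EXAMPLE-SHARED-MNT

aut-num:        AS209847
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         example-shared-mnt, EXAMPLE-NEW-MNT  # list and case variants

aut-num:        AS64500
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         EXAMPLE-OTHER-MNT
"""

def parse_rpsl(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects = []
    for block in re.split(r"\n\s*\n", text):       # blank line ends an object
        attrs = []
        for raw in block.splitlines():
            line = raw.split("#", 1)[0].strip()    # drop end-of-line comments
            if line and not raw.startswith("%"):   # skip server remarks
                attr, _, val = line.partition(":")
                attrs.append((attr.strip().lower(), val.strip()))
        if attrs:
            objects.append(attrs)
    return objects

def maintainer_overlaps(objects, ignore=REGISTRY_MNT):
    """Return {maintainer: [resources]} for maintainers on 2+ resources."""
    seen = defaultdict(set)
    for obj in objects:
        key = obj[0][1].upper()                    # first attribute is the key
        for attr, val in obj:
            if attr in MNT_ATTRS:
                for mnt in set(val.upper().replace(",", " ").split()) - ignore:
                    seen[mnt].add(key)
    return {m: sorted(r) for m, r in seen.items() if len(r) > 1}

if __name__ == "__main__":
    print(maintainer_overlaps(parse_rpsl(SAMPLE)))
```

Excluding the registry's own maintainers matters: without that filter every resource in the sample appears linked, which is the false positive an analyst has to rule out before treating an overlap as an operator fingerprint.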


The full Insikt Group report is recommended reading for practitioners. It offers a detailed account of how a sanctioned TAE adapted with minimal disruption. The Stark case is a reminder that sanctioning entities involved in hostile information operations is necessary but not sufficient; without infrastructure-focused monitoring and multilateral coordination, such actors will continue to sustain malign campaigns under new names.


[Footnotes]


[i] Recorded Future, Insikt Group, 2025. One step ahead: Stark Industries Solutions preempts EU sanctions. [online] Published 27 August 2025. Available at: https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0827.pdf

[ii] A Threat Activity Enabler (TAE) is a company or service provider whose infrastructure, such as hosting, VPNs, or proxy networks, is repeatedly used to support malicious cyber or influence operations. TAEs may not conduct attacks or disinformation themselves but provide the technical backbone that allows hostile actors to operate at scale. Because they sit in a gray zone between legitimate business and illicit use, TAEs are difficult to disrupt and often adapt quickly to sanctions or law enforcement actions. Source: Recorded Future, Insikt Group, 2025. One step ahead: Stark Industries Solutions preempts EU sanctions. [online] Published 27 August 2025. Available at: https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0827.pdf

[iii] International Consortium of Investigative Journalists, n.d. Offshore Leaks database: Morenehost Ltd (Node 240120865). [online] Available at: https://offshoreleaks.icij.org/nodes/240120865; Recorded Future, Insikt Group, 2025. One step ahead: Stark Industries Solutions preempts EU sanctions. [online] p.3, Published 27 August 2025. Available at: https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0827.pdf

[iv] The term “white label” refers to a reseller brand without its own infrastructure.

[v] “PQ Hosting is a Moldova-based hosting provider founded in 2019 by Ivan Neculiti. The company offers VPS/VDS, dedicated servers, VPN, and DNS services in over 35 countries, serving more than 100,000 clients”, Source: PQ Hosting, n.d. PQ Hosting: services, global reach, and infrastructure. [online] Available at: https://pq.hosting (checked 12 September 2025).

[vi] KrebsOnSecurity, 2024. Stark Industries Solutions: An Iron Hammer in the Cloud. [online] Published 23 May 2024. Available at: https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/

[vii] FIN7 (also known as the “Carbanak Group”) is a Russian-speaking cybercrime organization active since at least 2015, targeting U.S. and international retail and restaurant chains. The group is best known for deploying malware on point-of-sale systems to steal millions of payment card records. According to the FBI, FIN7’s campaigns caused billions of dollars in losses to businesses and consumers, source: FBI, 2018. How cyber crime group FIN7 attacked and stole data from hundreds of U.S. companies. [online] Published 1 August 2018. Available at: https://www.fbi.gov/contact-us/field-offices/seattle/news/stories/how-cyber-crime-group-fin7-attacked-and-stole-data-from-hundreds-of-us-companies

[viii] KrebsOnSecurity, 2024. The Stark truth behind the resurgence of Russia’s Fin7. [online] Published 10 July 2024. Available at: https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/

[ix] European Union, 2025. Council Decision (CFSP) 2025/966 of 20 May 2025 amending Decision (CFSP) 2024/2643 concerning restrictive measures in view of Russia’s destabilising activities. ST/5953/2025/INIT. [online] Published 20 May 2025. Available at: https://eur-lex.europa.eu/eli/dec/2025/966/oj/en

[x] Europa Liberă Moldova, 2025. UE pregătește sancțiuni contra a doi frați de la Bender, acuzați că luptă în războiul hibrid al Rusiei împotriva Europei. [online] Published 8 May 2025. Available at: https://moldova.europalibera.org/a/ue-pregateste-sanctiuni-contra-a-doi-frati-de-la-bender-acuzati-ca-lupta-in-razboiul-hibrid-al-rusiei-impotriva-europei/33407343.html

[xi] RFE/RL, Rikard Jozwiak, 2025. The EU’s latest sanctions package against Russia might be its weakest yet. [online] Published 9 May 2025. Available at: https://www.rferl.org/a/eu-russia-sanctions-package-ukraine-hungary-/33409397.html

[xii] Recorded Future, Insikt Group, 2025. One step ahead: Stark Industries Solutions preempts EU sanctions. [online] Published 27 August 2025. Available at: https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0827.pdf

[xiii] IPinfo, n.d. UFO Hosting LLC (AS33993) details. [online] Available at: https://ipinfo.io/AS33993

[xiv] ASN stands for Autonomous System Number, a unique identifier for a network that participates independently in global internet routing; following ASN histories allows researchers to see when companies rebrand but continue using the same underlying infrastructure.

[xv] Recorded Future, Insikt Group, 2025. One step ahead: Stark Industries Solutions preempts EU sanctions. [online] pp. 10-11, Published 27 August 2025. Available at: https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0827.pdf

[xvi] European Union, 2025. Council Decision (CFSP) 2025/966 of 20 May 2025 amending Decision (CFSP) 2024/2643 concerning restrictive measures in view of Russia’s destabilising activities. ST/5953/2025/INIT. [online] Published 20 May 2025. Available at: https://eur-lex.europa.eu/eli/dec/2025/966/oj/en

[xvii] RIPE NCC, n.d. RIPE database record for AS209847. [online] Available at: https://apps.db.ripe.net/db-web-ui/query?bflag=false&dflag=false&rflag=true&searchtext=AS209847&source=RIPE

[xviii] Recorded Future, Insikt Group, 2025. One step ahead: Stark Industries Solutions preempts EU sanctions. [online] Published 27 August 2025. Available at: https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0827.pdf

[xix] RIPE stands for: Réseaux IP Européens, the regional internet registry for Europe that records who controls IP addresses and networks.

[xx] A maintainer in the RIPE database is the technical contact responsible for managing IP resources; if multiple companies use the same maintainer entries, it strongly suggests they are controlled by the same actors.

[xxi] Recorded Future, Insikt Group, 2025. One step ahead: Stark Industries Solutions preempts EU sanctions. [online] p.17, Published 27 August 2025. Available at: https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0827.pdf

[xxii] RIPE records are public entries showing who controls IP address blocks and networks.

[xxiii] A prefix is a block of IP addresses; a transfer is the movement of that block from one provider to another. These transfers often indicate attempts to mask continuity.

[xxiv] Maintainer overlaps are shared technical contacts that reveal common operators.
