PQ.Hosting (STARK INDUSTRIES SOLUTIONS LTD, formerly MoreneHost) sanctioned by EU

edited May 20 in General

Looks like the EU has sanctioned STARK INDUSTRIES SOLUTIONS LTD, that is PQ.hosting and Ivan Neculiti, its founder.
STARK was primarily used as a shell company for their ASN, to not attract attention to their main brand, PQ. They started selling servers under STARK brand too.

Among those listed are also Stark Industries, a web hosting service, its CEO Iurie Neculiti and owner Ivan Neculiti. They have been acting as enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities including, information manipulation interference and cyber-attacks against the Union and third countries.

Those designated today will be subject to an asset freeze and EU citizens and companies will be forbidden from making funds available to them. In addition, natural persons will also be subject to a travel ban, which will prevent them from entering or transiting through EU territories.

https://www.consilium.europa.eu/en/press/press-releases/2025/05/20/russian-hybrid-threats-eu-lists-further-21-individuals-and-6-entities-and-introduces-sectoral-measures-in-response-to-destabilising-activities-against-the-eu-its-member-states-and-international-partners/ (archive)

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202500966 (archive)

They knew about it ahead of time, and have moved their ASN from STARK to their Moldovan company.

Status of the network as of now

Thanked by (2)Nyr someTom

Comments

  • ZizzyDizzyMC Hosting Provider

    Seen this ASN pop up doing some nasty things in the Fortigate / Sonicwall CVE space recently, not surprised at all.

  • edited May 21

    @ZizzyDizzyMC said:
    Seen this ASN pop up doing some nasty things in the Fortigate / Sonicwall CVE space recently, not surprised at all.

    It's a gamble whether they will suspend you for malicious activity.
    I have been suspended over a fake "botnet c2" report from some Chinese "researcher" before.

    They also have (or used to) an interesting policy, where only the server gets terminated for abuse, but not the entire account. So you could just keep buying VPS over and over when suspended.

    But there are also IPs that don't get suspended ever, makes you wonder who are their customers and why do they ignore reports for one group, but not another.
    Connections to Russia get journo scum excited, but in this case I do think FSB is involved. There are many things I've heard over the years, that line up.

  • ZizzyDizzyMC Hosting Provider

    @treesmokah said:

    @ZizzyDizzyMC said:
    Seen this ASN pop up doing some nasty things in the Fortigate / Sonicwall CVE space recently, not surprised at all.

    It's a gamble whether they will suspend you for malicious activity.
    I have been suspended over a fake "botnet c2" report from some Chinese "researcher" before.

    They also have (or used to) an interesting policy, where only the server gets terminated for abuse, but not the entire account. So you could just keep buying VPS over and over when suspended.

    But there are also IPs that don't get suspended ever, makes you wonder who are their customers and why do they ignore reports for one group, but not another.
    Connections to Russia get journo scum excited, but in this case I do think FSB is involved. There are many things I've heard over the years, that line up.

    Without any sensitive info being given out - it is well known among cybersec that this group as well as a few others I won't name are state sponsored actors, acting as if they were not. They sell legitimate goods on the side to make it seem legit, but they mess up in strange ways, like only certain blocks are used for X activities.

    You can tell the difference from say, Frantech / BuyVM - where you see one of these IPs in a log and it can be pretty bad - but then you check and it's like "oh, tor block, ez ban" Where these state sponsored / used hosts just don't have that obviousness to them. It's like they're trying to keep it low key while door knocking ~200,000 firewalls trying to exploit a CVE where a proof of concept was not yet released. They'll change ip block hands between each other etc. It's like they think we're stupid or something. Not like ARIN RIPE etc don't keep logs of that shit dawg. FR FR ong, no cap.

    Thanked by (1)someTom
  • edited May 24

    PQ sent this to their customers

    Dear Client,
    We would like to inform you that on May 20, 2025, Stark Industries Solutions and its management were added to the European Union’s sanction lists.
    At present, we are carefully reviewing the situation together with our legal team and making every effort to resolve it. We are confident that a constructive solution will be found soon.
    PQ.Hosting’s top priority has always been the security of our clients’ data and the stability of the services we provide. However, due to the current circumstances and potential regulatory restrictions, we cannot guarantee uninterrupted service operation in some European countries with 100% certainty.
    As a preventive measure, we offer our clients whose servers are hosted in Europe an additional server free of charge to facilitate potential data transfer and minimize risks.
    We also strongly recommend that you promptly create backups of your data to ensure its safety in any scenario.
    We will continue to keep you informed about the developments. An official statement with more detailed information will be prepared shortly.
    Thank you for your understanding and trust. We are doing everything possible to maintain the stability and reliability of our services under any circumstances.
    Sincerely, The PQ.Hosting Team

    Network status as of now, looks like it's crumbling. 33 /24s down since the initial post was made.

    Country list (archive)

    Thanked by (1)10thHouse
  • @ZizzyDizzyMC said:

    @treesmokah said:

    @ZizzyDizzyMC said:
    Seen this ASN pop up doing some nasty things in the Fortigate / Sonicwall CVE space recently, not surprised at all.

    It's a gamble whether they will suspend you for malicious activity.
    I have been suspended over a fake "botnet c2" report from some Chinese "researcher" before.

    They also have (or used to) an interesting policy, where only the server gets terminated for abuse, but not the entire account. So you could just keep buying VPS over and over when suspended.

    But there are also IPs that don't get suspended ever, makes you wonder who are their customers and why do they ignore reports for one group, but not another.
    Connections to Russia get journo scum excited, but in this case I do think FSB is involved. There are many things I've heard over the years, that line up.

    Without any sensitive info being given out - it is well known among cybersec that this group as well as a few others I won't name are state sponsored actors, acting as if they were not. They sell legitimate goods on the side to make it seem legit, but they mess up in strange ways, like only certain blocks are used for X activities.

    You can tell the difference from say, Frantech / BuyVM - where you see one of these IPs in a log and it can be pretty bad - but then you check and it's like "oh, tor block, ez ban" Where these state sponsored / used hosts just don't have that obviousness to them. It's like they're trying to keep it low key while door knocking ~200,000 firewalls trying to exploit a CVE where a proof of concept was not yet released. They'll change ip block hands between each other etc. It's like they think we're stupid or something. Not like ARIN RIPE etc don't keep logs of that shit dawg. FR FR ong, no cap.

    Unsurprisingly, many are Russian.

  • edited May 29

    As a part of damage control, PQ.hosting has renamed to THE.hosting. I do not believe it's "new ownership and management", just a new shell.

    PQ.Hosting: THE.Hosting: Important News About the Company’s Transformation
    On May 29, 2025, the PQ.Hosting brand will officially cease to exist.

    This decision marks the completion of a full-scale transformation, through which all assets, infrastructure, and customer services are transferred under the management of a new company — THE.Hosting.

    The PQ.Hosting project no longer exists — neither as a legal entity nor as an operational structure. From the moment of transition, full control over all operational and technical activities has passed to new owners with no connection to the previous management or beneficiaries.

    Services will continue to operate without interruption. All current VPS, other services, locations, pricing plans, and billing cycles will be automatically extended — no action is required from clients. Access to services will be automatically redirected to the new website and billing platform of THE.Hosting. The entire infrastructure — including the network, control panels, and automation — will continue functioning, but now under new management.

    THE.Hosting remains committed to its core mission: delivering reliable, high-quality hosting worldwide.

    We are confident that our future will only grow stronger and more resilient. With each passing day, we become better equipped to serve, and our commitment to delivering the best possible service remains the foundation of our approach. Our team is available 24/7 and ready to answer any questions.

    THE.Hosting is the evolution of trusted hosting with a renewed approach.

    Everything you valued remains. Everything that can be improved — will be.

    We are proud to enter this new chapter and to serve you with even greater strength and confidence.

    https://the.hosting/en/news/pqhosting-thehosting-important-news-about-the-companys-transformation (archive)

    Their ASN is still called "PQ HOSTING PLUS S.R.L.", however most subnets have been renamed to "WorkTitans B.V.".
    What does a recruitment company have to do with hosting? Probably nothing, PQ either bought them to use as a shell, or they knew each other prior to that.

    Thanked by (3)skhron 10thHouse Alyx
  • ZizzyDizzyMC Hosting Provider

    @treesmokah said:
    As a part of damage control, PQ.hosting has renamed to THE.hosting. I do not believe it's "new ownership and management", just a new shell.

    PQ.Hosting: THE.Hosting: Important News About the Company’s Transformation
    On May 29, 2025, the PQ.Hosting brand will officially cease to exist.

    This decision marks the completion of a full-scale transformation, through which all assets, infrastructure, and customer services are transferred under the management of a new company — THE.Hosting.

    The PQ.Hosting project no longer exists — neither as a legal entity nor as an operational structure. From the moment of transition, full control over all operational and technical activities has passed to new owners with no connection to the previous management or beneficiaries.

    Services will continue to operate without interruption. All current VPS, other services, locations, pricing plans, and billing cycles will be automatically extended — no action is required from clients. Access to services will be automatically redirected to the new website and billing platform of THE.Hosting. The entire infrastructure — including the network, control panels, and automation — will continue functioning, but now under new management.

    THE.Hosting remains committed to its core mission: delivering reliable, high-quality hosting worldwide.

    We are confident that our future will only grow stronger and more resilient. With each passing day, we become better equipped to serve, and our commitment to delivering the best possible service remains the foundation of our approach. Our team is available 24/7 and ready to answer any questions.

    THE.Hosting is the evolution of trusted hosting with a renewed approach.

    Everything you valued remains. Everything that can be improved — will be.

    We are proud to enter this new chapter and to serve you with even greater strength and confidence.

    https://the.hosting/en/news/pqhosting-thehosting-important-news-about-the-companys-transformation (archive)

    Their ASN is still called "PQ HOSTING PLUS S.R.L.", however most subnets have been renamed to "WorkTitans B.V.".
    What does a recruitment company have to do with hosting? Probably nothing, PQ either bought them to use as a shell, or they knew each other prior to that.

    Yep, just another ASN to add to the filter. This happens every 2-3 weeks btw, it just so happens that you are paying attention to this one.

  • edited May 30

    Upon taking a closer look at "the.hosting" ORG on RIPE, I have found someone's personal email attached as a contact on MNT.
    https://apps.db.ripe.net/db-web-ui/lookup?source=ripe&key=THE-HOSTING-MNT&type=mntner (archive)

    It's also shown on "ufo.hosting" (which is where PQ hosting RU customers were redirected before) MNT
    https://apps.db.ripe.net/db-web-ui/lookup?source=ripe&key=UFO42-MNT&type=mntner (archive)

    "[email protected]" appears to be Dmitrii Aleksandrovich Miasnikov (Мясников Дмитрий Александрович) aka "jimboframe", according to information gathered from leaked databases.

    And sure enough, 91.207.183.0/24 coming from his personal ripe org, ru.ripe7 is announced on UFO Hosting ASN.

    I still stand by that WorkTitans B.V. is just a front, PQ/THE appears to be still operated by Russians.

    Thanked by (2)skhron 10thHouse