From Stark to Dutch Hosts: Tracking Infrastructure Hops in 2026
Just caught the latest update on the Dutch authorities seizing 800 servers and arresting two co-owners tied to the 'Stark Industries Solutions' legacy. It’s fascinating how quickly threat actors pivot sanctioned infrastructure into new, seemingly benign hosting entities.
Since these servers were actively used for C2 and disinformation, it’s likely some of you are seeing residual traffic or connection attempts in your logs. The shift from Stark to these Dutch providers highlights a flaw in static IP blocking—if we aren't tracking ASNs and infrastructure reputation dynamically, we're blind to these hops.
I've started hunting for connections to the relevant NL-based ranges in my environment, specifically looking for short-lived connections on non-standard ports.
Here is a basic KQL query I'm using to spot potential outbound beacons to these regions (adjust for your specific geo-tags):
DeviceNetworkEvents
| where RemoteIPType == "Public"
| where RemoteCountry == "Netherlands"
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "python.exe")
| summarize count(), dcount(RemoteIP) by DeviceName, RemotePort
| where count_ > 50
| sort by count_ desc
Has anyone else started correlating this takedown with specific TTPs in their environment? I’m curious if anyone is seeing specific User-Agent strings or JA3 fingerprints associated with this infrastructure before the sinkhole.
Solid query. We actually saw a drop in 'generic' traffic noise yesterday morning which correlated with this. We use a slightly different approach focusing on JA3 fingerprints since these groups often reuse specific TLS configurations. If you aren't hashing the SSL Client Hello, you're missing half the picture with these infrastructure hops.
I'm less worried about the C2 traffic and more about the disinformation angle. We caught a massive spike in bot-like traffic hitting our registration endpoints from Dutch ranges last week. It looked like a sloppy preparatory phase for an influence op. We ended up rate-limiting the whole /24 subnet temporarily. Definitely recommend checking your web server logs for 400 errors originating from NL data centers.
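An added example (editor-supplied, not the poster's tooling) of the log check suggested above: it parses combined-format web server lines, counts 400 responses on registration paths per client /24 together with the number of distinct hosts in each, and picks the subnets where failures come from several sources rather than one misbehaving client. The log lines are constructed using RFC 5737 documentation ranges; the optional `watch` list stands in for whichever prefixes you attribute to NL data centres, since no geo lookup is available offline.

```python
import ipaddress
import re
from collections import defaultdict

# Apache/nginx "combined" format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines; the addresses are documentation ranges, not observed clients.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:09:12:01 +0000] "POST /register HTTP/1.1" 400 512 "-" "python-requests/2.31"
203.0.113.11 - - [10/Mar/2026:09:12:01 +0000] "POST /register HTTP/1.1" 400 512 "-" "python-requests/2.31"
203.0.113.12 - - [10/Mar/2026:09:12:02 +0000] "POST /register HTTP/1.1" 400 512 "-" "python-requests/2.31"
203.0.113.13 - - [10/Mar/2026:09:12:02 +0000] "POST /register HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:09:13:00 +0000] "POST /register HTTP/1.1" 400 512 "-" "curl/8.5.0"
192.0.2.5 - - [10/Mar/2026:09:13:05 +0000] "GET /login HTTP/1.1" 400 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def failed_registrations_by_subnet(lines, paths=("/register",), status=400, watch=None):
    """Map client subnet (/24 for IPv4, /64 for IPv6) to (request count, distinct client count)
    for `status` responses on `paths`. `watch` optionally restricts to a list of prefixes."""
    watch_nets = [ipaddress.ip_network(p) for p in watch] if watch else None
    totals = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["status"] != status:
            continue
        if not any(rec["path"].startswith(p) for p in paths):
            continue
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue                      # malformed client field; skip rather than crash
        if watch_nets and not any(ip in n for n in watch_nets):
            continue
        prefix = 24 if ip.version == 4 else 64
        subnet = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        totals[subnet] += 1
        clients[subnet].add(str(ip))
    return {s: (totals[s], len(clients[s])) for s in totals}


def subnets_to_throttle(stats, min_requests=3, min_clients=2):
    """Subnets worth a temporary rate limit: enough failures, spread over several hosts."""
    return sorted(s for s, (n, c) in stats.items() if n >= min_requests and c >= min_clients)


if __name__ == "__main__":
    stats = failed_registrations_by_subnet(SAMPLE_LOG.splitlines())
    for subnet, (n, c) in sorted(stats.items()):
        print(f"{subnet}: {n} x 400 from {c} distinct clients")
    print("throttle:", subnets_to_throttle(stats))
```

The distinct-client count is the part worth keeping: a single broken integration retrying against `/register` produces the same 400 volume as a bot farm, but only the latter spreads across a /24.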
We automate this with a Python script that pulls the latest abuse.ch feeds and updates our firewall groups every hour. Static blocklists are dead when these bulletproof hosters can spin up 800 servers overnight.
import requests

# Feed URL as posted; point it at the specific abuse.ch list you consume
feed = requests.get('https://feeds.abuse.ch/feed/', timeout=30)
feed.raise_for_status()  # a failed fetch must not be parsed as an empty blocklist
# Logic to parse and update firewall API
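An added example (editor-supplied, not the poster's script) of the parse-and-update half that the snippet above leaves as a comment. It reads an abuse.ch-style plaintext list (comment header, one address or prefix per line), rejects anything that is not a valid network so a malformed feed line never reaches the firewall, diffs the result against the current group, and refuses to apply an update that would flush most of the group in one run. The feed text is a constructed sample, and `push` is a hypothetical callback standing in for whatever firewall API you drive.

```python
import ipaddress

# Constructed sample in the style of an abuse.ch plaintext blocklist; not a real snapshot.
SAMPLE_FEED = """\
################################################################
# Constructed sample blocklist
# Last updated: 2026-03-10 09:00:00 UTC
################################################################
203.0.113.7
203.0.113.8        # trailing comments are tolerated
198.51.100.0/24
not-an-address
"""


def parse_feed(text: str):
    """Return (set of ip_network objects, list of rejected lines)."""
    entries, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            entries.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)       # report, never push, anything that is not an address
    return entries, rejected


def plan_update(desired: set, current: set):
    """Diff feed contents against the current firewall group: (to_add, to_remove)."""
    return desired - current, current - desired


def sync_group(feed_text: str, current: set, push, max_churn: float = 0.5):
    """Parse the feed, sanity-check the delta, then hand add/remove sets to `push`.

    `push(to_add, to_remove)` is a hypothetical hook for the firewall API. A feed that
    parses to nothing, or that would remove more than `max_churn` of the group, is
    treated as a broken fetch and left unapplied so the group is not silently emptied."""
    desired, rejected = parse_feed(feed_text)
    if not desired:
        raise RuntimeError("feed parsed to zero entries; keeping current group")
    to_add, to_remove = plan_update(desired, current)
    if current and len(to_remove) / len(current) > max_churn:
        raise RuntimeError(
            f"refusing to remove {len(to_remove)} of {len(current)} entries in one run")
    push(to_add, to_remove)
    return (current - to_remove) | to_add, rejected


if __name__ == "__main__":
    # Pretend the firewall group currently holds one feed entry and one stale address.
    current_group, _ = parse_feed("203.0.113.7\n192.0.2.1\n")

    def print_push(to_add, to_remove):
        print("add:   ", sorted(map(str, to_add)))
        print("remove:", sorted(map(str, to_remove)))

    new_group, bad_lines = sync_group(SAMPLE_FEED, current_group, print_push)
    print("group now:", sorted(map(str, new_group)))
    print("rejected feed lines:", bad_lines)
```

Fetch the text with the `requests.get` call from the post above and pass `feed.text` in as `feed_text`; the churn guard is what turns "the feed server returned a stub page" from an outage into a logged error instead of an open firewall.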