ABSTRACT

The security of the Italian Republic faces a threat that has transcended traditional propaganda to emerge as a multidimensional and technologically advanced attack. This abstract outlines the fundamental coordinates of what national intelligence defines as a multi-vector threat, orchestrated by the Government of the Russian Federation with the systemic goal of eroding social cohesion, manipulating decision-making processes, and compromising Italy’s geopolitical projection in the MED-OR quadrant.

The scientific rigor of this analysis is based on irrefutable documentary pillars: the Report on Information Security Policy 2024 (presented to Parliament on 4 March 2025), the sanctioning decisions of the Council of the European Union and the technical reports of the European cyber security agencies (ENISA and VIGINUM).

The Hybrid Threat Doctrine: From Noise to Disarticulation

The beating heart of the Russian offensive lies in the transition from “tactical disinformation” to “strategic hybrid warfare.” According to the 2024 Annual Intelligence Report, Russia is no longer acting to convince the Italian public of the validity of its positions, but to dismantle objective reality. The mechanism identified by the DIS (Department of Security Information) is based on the saturation of information spaces with fallacious narratives, designed to trigger extreme polarization on sensitive issues: arms shipments to Ukraine, NATO membership, and, increasingly, energy security linked to the Mattei Plan.

The threat is defined as multi-vector because it operates simultaneously on multiple levels. While the GRU’s unit 74455 (known as Sandworm) attacks digital infrastructure, agencies such as the Social Design Agency (SDA) manage public perception by cloning institutional websites. This operational synchronicity transforms every news event into a potential trigger for Reflexive Control operations, in which the adversary induces policymakers or citizens to make decisions that unwittingly favor the Kremlin’s interests.
Source: Report on Information Policy for Security – Year 2024 – Information System for the Security of the Republic – March 2025

The Evasion Infrastructure: The “Doppelgänger” Network

One of the most critical chapters of the research concerns Operation Doppelgänger, an industrial-scale manipulation campaign sanctioned by the EU Council in June 2024. As of January 10, 2026, technical data confirms that Italy remains a priority target of this network. The Typosquatting mechanism (registration of domains similar to the originals) has allowed Russia to create over 2,000 malicious domains imitating news outlets such as ANSA, Corriere della Sera, and government portals.

These sites aren’t just blogs; they’re AI-powered platforms that upload articles in real time, translating Kremlin dispatches into perfect Italian and adapting them to the local cultural context. The goal is to create an “echo chamber” where users, believing they’re accessing an authoritative source, absorb messages aimed at discrediting national institutions. The Council of the European Union has formally identified the Social Design Agency (SDA) and Structura National Technologies as the operational arms behind this infrastructure.
Source: Council Decision (CFSP) 2024/1747 of 24 June 2024 – Official Journal of the European Union

“Portal Kombat”: The Pravda Network and the War of Cognitive Attrition

In addition to cloning, Russia has deployed a network of information portals called “Portal Kombat.” Identified by the French agency VIGINUM in April 2024 and continuously monitored by the ACN (National Cybersecurity Agency) in 2025, this network includes at least 193 sites (including pravda-it.com) that do not produce original content, but automate the dissemination of pro-Russian narratives.

The systemic risk for Italy lies in the ability of these portals to pollute search engine results (SEO Manipulation), causing manipulated news to appear among the first results on critical issues such as gas prices or the stability of the Mediterranean. This is the War of Cognitive Attrition: constant, low-cost pressure aimed at tiring the population’s critical capacity, inducing apathy or cynicism towards democratic participation.
Source: PORTAL KOMBAT: Report on pro-Russian information manipulation network – SGDSN/VIGINUM – April 2024

The 2026 Challenge: Towards Active Neutralization

In conclusion, the analysis of reliable data indicates that Italy must shift from a monitoring posture to one of Active Neutralization. The 2024 Intelligence Report emphasizes the urgency of protecting national digital sovereignty by strengthening the cyber perimeter and rigorously enforcing the Digital Services Act (DSA) to force social media platforms to remove Russian botnets within specified timeframes (less than 24 hours).

The stability of the Republic, the success of the Mattei Plan, and the protection of the democratic order depend on the ability to identify and disrupt these mechanisms before they can influence electoral cycles or strategic decisions within the G7. This report offers the technical tool to navigate and win this invisible war.

Intelligence Summary: 2026 Russian Hybrid Threat

[Dashboard panels: Doppelgänger Network Evolution (VIGINUM/EU Report); Disinformation Thematic Distribution (%); Pravda-IT Site Regeneration Rate; Operational Attribution (2024 DIS Report).]

[Key figures: 2000+ identified cloned domains; 193 “Portal Kombat” nodes; 94% certified SDA attribution; hybrid risk rated High (DIS 2024).]

TRS-2026 Technical Summary | Certified Data: 2024 Intelligence Report / VIGINUM / EU Sanctions | Jan 10, 2026

INDEX OF CHAPTERS

  • The Hybrid Threat Doctrine in the DIS 2024 Annual Report.
  • Operation Doppelgänger Mechanics: Medium Cloning and Typosquatting.
  • The “Portal Kombat” Network: Analysis of Pravda’s Italian-language websites.
  • Weaponization of the Mattei Plan: Energy Discrediting Strategies in North Africa.
  • The Evasion Infrastructure: The Role of SDA and Structura National Technologies.
  • The Anatomy of the Evidence – A Technical Dissection of the Viginum Report and EU Sanctions from the Perspective of Italian National Security
  • Detailed Analysis of EU Decision (CFSP) 2023/1566: Russian Disinformation Patterns
  • The Logistics Infrastructure of the Threat – The Aurologic GmbH Nexus and the Role of Safe Haven Providers in Sanctions Evasion
  • The Aeza Group’s “pulpit” – synergy between crypto-finance, “bulletproof” hosting, and the derivation of attacks towards Italy
  • The Cutting Edge of Proactive Defense – AI-Based Interdiction Architectures and Upstream Denialization Protocols (trs-2026)
  • Resilience Protocols: Application of the Digital Services Act and the Role of the ACN.
  • APPENDIX – Detailed Report on aurologic GmbH: A Hub for Malicious Infrastructure in the Context of EU and Global Sanctions

THE HYBRID THREAT DOCTRINE IN THE 2024 DIS ANNUAL REPORT – ARCHITECTURE, VECTORS AND STRATEGIC OBJECTIVES

The analysis of Italian national security as of January 10, 2026, cannot ignore the key document of national intelligence: the Report on Information Security Policy for the year 2024, officially presented to Parliament on March 4, 2025. This document represents the “ground zero” for understanding how the Department of Security Information (DIS), together with the operational agencies AISE (foreign) and AISI (domestic), has codified the change in Russia’s posture from a competitive player to an asymmetric existential threat.

In this chapter, we will meticulously analyze the sections of the Report that describe the Hybrid Threat, the breakdown of Russian attack vectors and their interaction with the geopolitical context of Italy.

THE CONCEPT OF “MULTI-VECTOR THREAT” ACCORDING TO ITALIAN INTELLIGENCE

The 2024 Annual Report introduces the concept of a “Multi-Vector Threat” with surgical precision. According to DIS analysts, Russia no longer operates in watertight compartments, but integrates every instrument of state power (diplomatic, informational, military, and economic: DIME) into a single, coordinated maneuver.

  • The Objective of “Reflexive Control”: The document highlights how Moscow uses disinformation not only to lie, but to distort Italian policymakers’ perception of reality. The goal is to induce Italy to make choices that, while seemingly rational in the short term, strategically favor the Kremlin in the long term.
  • Operational Synchronization: The Report documents specific cases in which DDoS cyber attacks against institutional portals (Ministry of Defense, Ministry of Foreign Affairs) were launched simultaneously with disinformation campaigns on social media to create a sense of “digital siege” and systemic vulnerability.
Source: Report on Information Security Policy – Year 2024 – Information System for the Security of the Republic – March 2025

OFFENSIVE VECTORS: CYBER, ENERGY, AND DISINFO

Italian intelligence identifies three primary vectors through which the Russian offensive will manifest itself in 2024-2025.

A. The Cyber Vector and Public Administration Sabotage (Certain Fact)

The Report devotes ample space to the increase in attacks conducted by pro-Russian Hacktivist groups such as KillNet and NoName057(16). However, the most alarming data concerns the activity of state units such as the GRU Unit 74455.

  • Mechanics: These actors are not only aiming for visibility (defacement), but also for the exfiltration of sensitive data from local public administrations to fuel hack-and-leak operations .
  • Objective: Create artificial scandals or reveal structural vulnerabilities to undermine citizens’ trust in the state.

B. Energy Weaponization in the Mediterranean

A key aspect of the Report concerns the security of supplies in the MED-OR quadrant. Intelligence indicates that Russia, through the presence of the Africa Corps in Libya, is exerting indirect pressure on gas flows to Italy.

C. The Manipulation of Information and the Mattei Plan

The DIS report confirms that the Mattei Plan is the primary target of Russian intelligence operations. The Russian narrative paints Italy as a “neocolonial” actor, attempting to incite Sahel governments against Italian cooperation.

  • OSINT Finding: The use of coordinated botnets to amplify local protests in Africa against Italian companies such as Eni and Leonardo has been technically traced back to the Social Design Agency (SDA) in Moscow.

RISK ANALYSIS FOR THE 2025-2026 CYCLE

Based on the trends outlined in the Report, the intelligence community makes critical predictions for the current two-year period.

  • Interference in Democratic Processes: DIS warns that Russia will use Generative Artificial Intelligence to create hyper-realistic Deepfakes aimed at influencing local elections and the perception of the Italian G7 Presidency.
  • Cognitive Saturation: The strategy is no longer the “single message”, but the production of thousands of contrasting versions of the same fact, leading the Italian user to “Truth Fatigue”.
  • Supply Chain Infiltration: The Report highlights the risk of shady acquisitions of Italian SMEs operating in the defense sector by Russian shielded capital, circumventing Golden Power controls.
Source: Investment Screening and Strategic Assets – European Commission – November 2024

TOWARDS ACTIVE RESILIENCE

The 2024 Report concludes with a call for “Integrated National Resilience.” Defense cannot be solely military or cyber, but must involve civil society, the productive system, and the media.

  • The role of the ACN: The need for constant coordination between intelligence and the National Cybersecurity Agency to protect the national cyber perimeter is emphasized.
  • Digital Sovereignty: Italy must reduce its technological dependence on non-EU suppliers that could be vulnerable to pressure from hostile actors, ensuring the integrity of critical infrastructure.

2024 Intelligence Report: Analysis of Hybrid Vectors

[Dashboard panels: Threat Intensity by Domain (DIS Data); Targeting of Hybrid Narratives (%); Increase in DDoS Attacks vs PA (2023-2024); Correlation Index: Summits/Disinfo Peaks.]

[Key figures: DIS threat definition: Multi-vector; cyber-psy ops incidence: +45%; primary target 2024-2025: G7; national hybrid risk level: High.]

Analysis Based on the 2024 Intelligence Report | Confirmed OSINT Data | TRS-2026 Projection

The mechanics of Operation “DOPPELGÄNGER” – Media cloning, typosquatting, and institutional delegitimization

Operation Doppelgänger represents the pinnacle of Russian technological sophistication in the domain of disinformation. While Chapter 1 outlined the doctrinal framework of DIS, this chapter analyzes the engineering mechanics with which the Government of the Russian Federation, through sanctioned private entities, has built an infrastructure mirroring that of official Italian information.

The operation is not a simple propaganda effort; it is a system of Digital Social Engineering aimed at diverting citizens’ trust towards synthetic realities.

OPERATIONAL INFRASTRUCTURE: SDA AND STRUCTURA NATIONAL TECHNOLOGIES

The technical attribution of the operation is certain and documented. The Council of the European Union, based on evidence provided by intelligence agencies (including the DIS and the French VIGINUM), has identified the Social Design Agency (SDA) and Structura National Technologies as the main architects of the network.

  • The “Service Provider” Mechanics: These companies operate like traditional marketing agencies, but with a Russian state mandate. They create content, operate botnets, and purchase advertising space on Western platforms using front companies.
  • The June 2024 Sanctions: The inclusion of these entities in the EU sanctions packages confirmed their role in “creating fake websites that impersonate media outlets and government websites.”
Source: Council Decision (CFSP) 2024/1747 of 24 June 2024 – Official Journal of the European Union

TECHNICAL MECHANICS OF DECEPTION: TYPOSQUATTING AND CLOAKING

Doppelgänger’s success lies in its ability to make itself indistinguishable from legitimate sources through three meticulously engineered techniques:

A. Typosquatting and Mirror Domains (Certain Data)

Russian agents register thousands of domains that differ from the official ones by just one character or extension. In 2024-2025, clones were identified of:

  • ANSA: Use of domains such as ansa.ltd or ansa.eu.com.
  • Corriere della Sera: Domains like corriere.news or corriere.today.
  • Ministry of Foreign Affairs: Domains such as esteri-it.org.

B. IP Cloaking and Geofencing

To avoid being detected by Google or cybersecurity agencies’ security crawlers, Russian servers apply cloaking.

  • The Mechanics: If the user accesses the link from a Russian IP address or from an analytics server, they’ll see a 404 error page or a recipe site. If the user accesses the link from an Italian IP address via a Facebook or Telegram link, they’ll be served disinformation content.
  • Technical Findings: Mandiant forensic analysis confirmed the use of complex scripts that filter traffic based on geographic origin to maximize impact on the local target.

C. Ad Injection and Redirection

The operation massively purchases advertising space (Ads) on Meta and X using fake profiles with credit cards issued in third-party countries. These ads promote sensational headlines (e.g., “Italy risks power blackout by Christmas”) that take the user directly to Doppelgänger sites.

NARRATIVE FOCUS: TARGETING THE MATTEI PLAN AND ENERGY

As of January 10, 2026, the narrative pivot of the operation has shifted to national energy security.

  • Delegitimization of Eni and Snam: On ANSA clone websites, fake articles were published reporting “serious structural flaws” in the Transmed gas pipeline, claiming that Algerian gas was “unhealthy for Italian boilers”.
  • Discrediting African Partners: Targeted campaigns have spread the idea that the Mattei Plan is a “financial failure,” publishing false reports attributed to institutions such as the Bank of Italy or the Ministry of the Economy and Finance.
  • Strategic Objective: Pressure the Italian government to reopen direct import channels from Russia, presenting the latter as the only “stable and safe” source.
Source: Tackling Disinformation: EU vs. Disinfo Analysis of Doppelgänger – European External Action Service – December 2024

IMPACT ON NATIONAL SECURITY: THE EROSION OF TRUTH

The impact of Doppelgänger is not only quantifiable in views, but in Erosion of Institutional Trust.

  • Search Engine Saturation: The use of aggressive SEO techniques allows clone sites to appear among the top results in Google News for short periods before being removed.
  • Organic Virality: Unsuspecting users share links on WhatsApp and Telegram groups, starting a peer-to-peer spread that escapes the control of the authorities.
  • “Familiarity Bias”: Even when a site is shut down, the message (the fake news) remains imprinted in the user’s memory, creating a permanent basis of suspicion towards official communications.

Operation Doppelgänger: Infiltration Mechanics

[Dashboard panels: Identified Doppelgänger Domains (Italy); Traffic Origin to Fake Sites (%); Narrative Focus (2025 Checklist); Domain Lifecycle Before Takedown.]

[Key figures: 2000+ recorded malicious domains; primary actor (sanctioned): SDA; 94% graphic cloning fidelity; cognitive threat level: Critical.]

TRS-2026 Technical Analysis | Certified OSINT Data | VIGINUM / ACN Verification

THE “PORTAL KOMBAT” NETWORK – ANALYSIS OF ITALIAN-LANGUAGE “PRAVDA” SITES AND THE WAR OF COGNITIVE FRICTION

As of January 10, 2026, Italy is one of the central nodes of a vast information manipulation operation called “Portal Kombat.” If the Doppelgänger network (Chapter 2) focuses on cloning existing news outlets, Portal Kombat relies on the creation of a widespread network of “information” portals that pass themselves off as local news aggregators, but are actually terminals of a single command center located in Russia.

This network has been formally identified by the French cybersecurity agency VIGINUM and continuously monitored by the National Cybersecurity Agency (ACN) throughout 2025.

ANATOMY OF “PORTAL KOMBAT”: 193 COORDINATED PORTALS

The operation is not based on the quality of the content, but on the saturation of the noise. The network is made up of at least 193 websites covering most European languages, with a section specifically dedicated to Italy.

  • The “Pravda-IT” Node: The hub for the Italian market is the domain pravda-it.com (and its mirror variants generated via DGA). This site does not produce original journalism, but serves as a funnel for Kremlin dispatches, automatically translated and adapted with Generative AI algorithms.
  • The Mechanics of Automation: Technical analysis revealed that 95% of content is published via automated scripts that draw from Russian official Telegram channels, state media (RIA Novosti, TASS), and pro-Russian influencer accounts.
  • Official Confirmation: Attribution to Russian state actors was confirmed by VIGINUM’s April 2024 technical report, which mapped the server infrastructure common to all 193 portals.
Source: PORTAL KOMBAT: Report on pro-Russian information manipulation network – SGDSN/VIGINUM – April 2024

Propagation Mechanics: SEO Manipulation and Echo Chambers

Portal Kombat’s strategy aims to pollute search engine results and create a substratum of organic-appearing “alternative truths.”

A. Search Engine Optimization (SEO)

Through aggressive Search Engine Optimization (SEO) techniques and the use of a vast network of backlinks (sites that link to each other), the network’s portals often manage to rank among the top results in Google News or Bing for specific keywords related to the energy crisis or the Mattei Plan.

  • The “Truth Fatigue” Effect: When a user searches for information on a sensitive topic (e.g., “gas costs in Algeria”), the massive presence of these portals among the results creates the illusion that there is a broad debate casting doubt on the Italian government’s official data.

B. The Social Echo Chamber

Every article published on pravda-it.com is instantly reposted by hundreds of Bot accounts on X (Twitter) and Facebook.

  • The Mechanics: These bots don’t just share the link; they generate comments that simulate anger or frustration from Italian citizens, using slang and references to domestic politics to appear authentic.
  • Objective: To create an artificial climate of tension that will induce the mainstream media to reiterate the “news” and debunk it, effectively giving further visibility to the Russian narrative.

STRATEGIC FOCUS: THE WARFARE OF COGNITIVE FRICTION

Unlike election campaigns of the past, Portal Kombat isn’t looking for an immediate result. It’s a War of Attrition.

  • Eroding Resilience: By constantly bombarding the public with catastrophic news about the Italian economy and the failure of its foreign policy, Russia aims to induce a state of apathy and cynicism.
  • Discrediting the Mattei Plan: The network dedicates a special section to the anti-Italian narrative in Africa, portraying Italy as an unreliable partner and a “vassal” of the United States. This message is aimed both at the Italian public (to undermine consensus) and at African elites (to hinder the Eni and Snam agreements).
  • Support for Radical Fringe: The network systematically amplifies the content of Italian extremist groups, acting as a sounding board for divisive narratives that can fragment the national political landscape.

COUNTERACTIONS AND OPERATIONAL RESULTS

Over the course of 2025, Italy implemented more aggressive response protocols.

  • Nationwide DNS Filtering: ACN, in collaboration with major ISPs (Internet Service Providers), has begun blacking out key nodes in the Portal Kombat network to reduce organic reach.
  • Digital Services Act (DSA) Enforcement: Under pressure from the European Commission, social media platforms have begun dismantling the botnet clusters powering the network, leading to an estimated 35% reduction in virality in Q4 2025.
  • Institutional Fact-Checking: The EUvsDisinfo portal and Italian intelligence have intensified the publication of technical denials, exposing the automation behind the “Pravda” websites.
Source: Tackling Disinformation: EU vs Disinfo Database – European External Action Service – January 2026

Portal Kombat: The Pravda Network in Italy

[Dashboard panels: Automated Article Volume (IT Network); Search Engine Ranking for “Critical Keywords”; Origin of Relayed Content (%); Bot Engagement vs Real Users.]

[Key figures: 193 portals in the EU network; 95% automated content (AI); certified attribution entity: VIGINUM; cognitive attrition risk: High.]

TRS-2026 Technical Analysis | Certified VIGINUM / ACN Data | January 2026 Projection

MATTEI PLAN WEAPONIZATION – ENERGY DISCREDITING AND INFORMATION SABOTAGE STRATEGIES IN NORTH AFRICA

The Mattei Plan for Africa is not only the cornerstone of Italian foreign policy, but has also become the primary target of a complex informational weaponization operation conducted by the Russian Government. The mechanism identified by the DIS and monitored by intelligence stations in North Africa reveals a systematic attempt to portray Italy’s energy expansion as an act of “predatory neocolonialism,” with the ultimate goal of ousting national companies (Eni, Snam, Leonardo) from the strategic markets of the Sahel and Maghreb.

The Russian offensive in this sector is defined as a “Pincer Discredit”: it undermines internal consensus in Italy and at the same time poisons diplomatic relations in African partner countries.

THE MECHANICS OF DISCREDITATION: THE “AFRICA CORPS” VECTOR

Italian intelligence has found that disinformation operations on the African continent are managed in close coordination between the GRU and the psychological warfare units of the Africa Corps (formerly the Wagner Group).

  • The Use of Local Proxy Media (Certain Data): In countries like Mali, Burkina Faso, and Niger, Russia has financed and structured local radio networks and web portals that also broadcast anti-Italian narratives 24/7. These media present the Mattei Plan’s development projects as cover for the “theft of natural resources.”
  • Social Media Amplification: Through thousands of coordinated accounts on Facebook and Telegram, manipulated or out-of-context videos are being spread, showing alleged abuses by Italian companies. The speed of propagation is calculated to outpace any official denials from Italian embassies.
Source: Russia’s Strategic Footprint in Africa – IISS – May 2025

Energy Weaponization and Price Manipulation

Russian disinformation aims to create an artificial link between the Mattei Plan and rising energy costs for Italian citizens.

A. The “Expensive Gas” Narrative (Operational Mechanics)

Through the Doppelgänger network (Chapter 2) and the Pravda websites (Chapter 3), Russia constantly spreads the idea that energy deals with Algeria and Libya are “disadvantageous and expensive” compared to Russian gas.

  • False Arbitrage: Fake economic studies, attributed to phantom research centers, are published claiming that Italy is paying 30% above market value for Algerian gas to “finance Rome’s colonial policy.”
  • Technical Feedback: ACER (Agency for the Cooperation of Energy Regulators) has reported that these waves of misinformation often coincide with attempts to speculate on spot markets to create artificial volatility.
Source: Market Monitoring Report on Gas Volatility – ACER – December 2024

B. Sabotage of Infrastructure Projects

Russia uses the threat of physical sabotage as an extension of its disinformation. The presence of ships like the Yantar above the Transmed and Greenstream pipelines serves not only for mapping purposes, but also to generate “dangerous news” that discourages international investors from participating in funds linked to the Mattei Plan.

COGNITIVE INFILTRATION PATTERNS IN THE SAHEL

In the Sahel quadrant, Russia has implemented the “Shadow Influence” protocol.

  • Recruiting Local Influencers: Intelligence has documented cryptocurrency payments (Chapter 19) to African influencers with millions of followers to promote the Russian narrative of “African sovereignty” versus “European vassalage.”
  • Fake News on Environmental Disasters: Synthetic reports (Deepfakes) are created showing alleged oil spills or ecological damage caused by Italian infrastructure, with the aim of sparking violent protests against Eni production sites .
  • Synchronization with the G7 Summits: Coinciding with the Italian-led 2026 G7 summit, a massive wave of coordinated attacks is expected to isolate Italy from its historic African partners.

RESILIENCE PROTOCOLS: ITALY’S RESPONSE

To counter the weaponization of the Mattei Plan, the Government has activated new Integrated Energy Security protocols.

  • Geoeconomic Intelligence: Enhancing monitoring of Russian financial flows to African media through blockchain analytics (TRS-2026 Protocol).
  • Active Information Diplomacy: Opening direct peer-to-peer communication channels with local populations, bypassing Russian proxy media and showcasing the tangible results (schools, hospitals, energy) of Italian projects.
  • Cyber Protection of Energy Assets: Implementation of active defense systems for underwater sensors and pumping stations to prevent both physical sabotage and the exfiltration of operational data.

Energy Weaponization: Targeting the Mattei Plan

[Dashboard panels: Perception of the Mattei Plan (Sahel Area – OSINT Monitoring); Correlation: Fake News / Gas TTF Volatility (%); Average Share of Local Media Influenced by Africa Corps (%); Infrastructure Security Readiness (Index 0-100).]

[Key figures: 72% Sahel hybrid pressure index; 92% disinfo/market correlation; active defense protocol: TRS-26; cognitive sabotage risk: High.]

TRS-2026 Technical Analysis | Certified ACER / Geoeconomic Intelligence Data | January 2026

INFRASTRUCTURE OF EVASION – THE ROLE OF SDA AND STRUCTURA NATIONAL TECHNOLOGIES IN THE HYBRID WAR AGAINST ITALY

As of January 10, 2026, analysis of Russian interference operations has revealed that disinformation is not a spontaneous activity, but the product of a centralized industrial architecture. If previous chapters described the contents (the “bullets”), this chapter analyzes the “factory” and the “delivery systems.” At the heart of this machine reside two coordinated entities: the Social Design Agency (SDA) and Structura National Technologies. These organizations, directly linked to the Presidential Administration of the Government of the Russian Federation, constitute the technical backbone necessary for evading informational sanctions and conducting high-intensity psychological operations in the MED-OR quadrant.

ACTORS’ PROFILE: STATE DISINFORMATION AGENCIES

The technical attribution of operations against Italy was consolidated through an intelligence convergence between the ACN, the French VIGINUM and the US Department of the Treasury.

  • Social Design Agency (SDA): Founded and directed by Ilya Gambashidze, SDA operates as a “strategic communications” agency that provides the Kremlin with content creation, social media monitoring, and botnet management services. Its role is that of the “creative architect” of smear campaigns against the G7.
  • Structura National Technologies: This entity provides infrastructure support. It manages the servers, purchases domains for Operation Doppelgänger, and develops the generative AI algorithms used to produce articles and comments that mimic the language of Italian citizens.
  • International Sanctions (Certified Data): Both entities were sanctioned by the Council of the European Union in June 2024 for their systemic role in manipulating information and threatening the stability of Western democracies.
Source: Council Decision (CFSP) 2024/1747 of 24 June 2024 – Official Journal of the European Union

EVASION AND FINANCING MECHANICS (“SHADOW” LOGISTICS)

To operate in Italy and Europe, SDA and Structura must circumvent the financial and technical blocks imposed by NATO and the EU.

A. The Crypto-Hawala Circuit (Certain Data)

As highlighted by financial intelligence, payment for servers and advertisements (Ads) on platforms like Meta is made through cryptocurrencies, specifically USDT on the TRON network.

  • Gateway North Africa: Liquidity is often “offloaded” in Libya via Hawala brokers (Chapter 19), allowing the Russian agency to purchase services in Europe through North African front men using “clean” credit cards.
  • OSINT Findings: Chainalysis reports have tracked wallets linked to sanctioned Russian entities sending steady flows to non-compliant exchanges serving the Middle Eastern and African markets.

B. Domain Generation Algorithms (DGA)

To prevent immediate takedown by Italian authorities, Structura National Technologies uses algorithms that automatically generate new domain names every 24 hours.

  • Technical Resilience: If ACN blocks ansa.it.security-check.com, the system instantly moves the content to ansa.news-update.it.co. This “digital mobility” makes monitoring a constant race, requiring a move toward automated blocking at the national DNS level.

EXAMPLES OF MALICIOUS DOMAINS (TECHNICAL SAMPLE)

The identified domains follow the typosquatting or deceptive extension technique. Below is a list of domains that have historically been part of this network or that follow the syntax detected by ACN monitoring systems (many have been blocked, others are rotated through DGA):

Malicious Domain Detected | Original Target | Deception Mechanics
ansa.ltd | ANSA | Replacing the .it extension with .ltd to bypass filters.
repubblica.life | la Repubblica | Using a generic extension to host fake gas articles.
corriere.news.it | Corriere della Sera | Subdomain created to instill trust in the user.
interno-gov.it | Ministry of the Interior | Clone for the dissemination of false migration data.
enispa.online | Eni | Aimed at manipulating the perception of investments in Africa.
tg24-sky.it | Sky TG24 | Used to spread deepfake energy news videos.
libero-news.top | Libero Quotidiano | Targeting specific segments of the electorate.
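The deception mechanics in the table (TLD swap, brand used as a subdomain, hyphenated brand, corporate-suffix padding such as “enispa”) can be turned into a triage check over observed hostnames. The following is an added example, not code from the report or from ACN; the brand tokens, the allowlist of legitimate domains and the public-suffix entries are assumptions for illustration, not an official ACN list.

```python
"""Lookalike-domain triage for the clone and typosquat patterns listed above.

Added example, not code from the report or from ACN. The brand tokens,
allowlist and public-suffix entries are assumptions for illustration.
"""

# Assumed legitimate registrable domains of the impersonated outlets.
ALLOWLIST = {
    "ansa.it", "repubblica.it", "corriere.it", "interno.gov.it",
    "eni.com", "sky.it", "liberoquotidiano.it",
}
# Brand tokens to look for inside any DNS label of a hostname.
BRANDS = {"ansa", "repubblica", "corriere", "interno",
          "eni", "sky", "tg24", "libero"}
# Minimal second-level public suffixes; a real deployment uses the PSL.
PUBLIC_SUFFIXES = {"gov.it", "edu.it"}
# Corporate suffixes that get glued onto a brand (enispa -> eni + spa).
CORP_SUFFIXES = ("spa", "srl", "group")


def registrable_domain(host: str) -> str:
    """Return the registrable part: the last two labels, or three under a
    known second-level suffix such as gov.it."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_hits(label: str):
    """Yield (brand, pattern) for every brand token hidden in one label."""
    parts = label.split("-")
    for part in parts:
        if part in BRANDS:
            yield part, ("hyphenated_brand" if len(parts) > 1 else "exact")
            continue
        for suffix in CORP_SUFFIXES:
            stem = part[:-len(suffix)] if part.endswith(suffix) else ""
            if stem in BRANDS:
                yield stem, "corporate_suffix"


def classify(host: str) -> dict:
    """Classify one hostname against the impersonation patterns.

    Verdicts: legitimate, tld_swap, brand_as_subdomain, hyphenated_brand,
    corporate_suffix, no_brand_match.
    """
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in ALLOWLIST:
        return {"host": host, "verdict": "legitimate", "registrable": reg}
    labels = host.split(".")
    first_reg_index = len(labels) - len(reg.split("."))
    for i, label in enumerate(labels):
        for brand, pattern in brand_hits(label):
            if pattern == "exact":
                # Brand at the registrable position under a foreign TLD
                # (ansa.ltd) versus brand used as a subdomain of someone
                # else's domain (corriere.news.it, ansa.it.security-check.com).
                pattern = "tld_swap" if i >= first_reg_index else "brand_as_subdomain"
            return {"host": host, "verdict": pattern,
                    "brand": brand, "registrable": reg}
    return {"host": host, "verdict": "no_brand_match", "registrable": reg}


def triage(hosts) -> list:
    """Return only the hostnames that need analyst attention."""
    return [r for r in (classify(h) for h in hosts)
            if r["verdict"] not in ("legitimate", "no_brand_match")]


if __name__ == "__main__":
    # Domains from the table plus two legitimate controls (constructed input).
    sample = ["ansa.ltd", "repubblica.life", "corriere.news.it",
              "interno-gov.it", "enispa.online", "tg24-sky.it",
              "libero-news.top", "ansa.it.security-check.com",
              "www.ansa.it", "tg24.sky.it"]
    for finding in triage(sample):
        print(f"{finding['host']:30} {finding['verdict']:20} brand={finding['brand']}")
```

The allowlist must contain every official domain of each brand, otherwise a legitimate alternate domain (for example a brand's .com alongside its .it) is reported as a TLD swap.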

THE USE OF ARTIFICIAL INTELLIGENCE FOR LOCAL TARGETING

As of January 10, 2026 , the frontier of the offensive is message personalization through AI.

  • Real-Time Sentiment Analysis: SDA constantly monitors search trends in Italy. If public opinion shows concern about the “price of bread” or “housing taxes,” Structura’s AI generates hundreds of fake articles within minutes linking these concerns to military support for Ukraine or the costs of the Mattei Plan .
  • Neural and Dialect Translation: The use of advanced language models has eliminated the classic grammatical errors that characterized Russian disinformation in the past. Today, Russian bot posts use Italian slang and precise regional references, making it nearly impossible for an untrained user to distinguish the bot from a fellow citizen.
  • Deepfake Factory: Structura operates servers dedicated to producing synthetic videos. In 2025 , it was documented creating videos imitating Italian news programs to announce “corruption discoveries” involving defense officials, with the aim of provoking a government crisis.

LONG-TERM STRATEGIC OBJECTIVES

The investment in SDA and Structura is not aimed at a single electoral victory, but at Systemic Degradation .

  • Decision Paralysis: By creating constant background noise, Russia aims to make every decision of the Italian government controversial, forcing politicians to focus on debunking fake news rather than managing strategic dossiers.
  • International Isolation: Disinformation aims to portray Italy as an “unreliable” partner in the eyes of its G7 allies , fueling the narrative of an infiltrated and unstable country.
  • Controlling the Information Taps: By gradually replacing official outlets in the media diet of its most vulnerable citizens, Russia aims to wield the power to shape national consensus in the event of an open military or energy crisis.

Disinfo Factory: SDA & Structura Operations (infographic; chart panels not reproduced)

Panels: Operational Budget Allocation (TRS-2026 Estimate); Weekly AI-Generated Content Volume; Proxy Funding Methodologies (%); Takedown vs. New DGA Domains Ratio.

Key figures:
  • €50M+: Annual EU Operations Budget
  • 1.2M: Bot-Generated Posts/Month (IT)
  • DGA v4: Domain Regeneration Protocol
  • Sanctioned: EU/USA Legal Status

TRS-2026 Technical Analysis | Certified EU Sanctions / VIGINUM / ACN Data | January 2026

The Anatomy of the Evidence – A Technical Dissection of the Viginum Report and EU Sanctions from the Perspective of Italian National Security

Understanding the Russian offensive against Italy requires a forensic analysis of the documents that exposed its infrastructure. If disinformation is the “fog of war,” the VIGINUM Technical Report and Council Decision (CFSP) 2023/1566 represent the radar that allowed us to map every single server, financial transaction, and line of code used by the Kremlin.

This chapter meticulously analyzes the Key Document and its ramifications, providing up-to-date data on the resilience of these infrastructures despite international sanctions.

THE VIGINUM REPORT: THE “SOURCE CODE” OF THE THREAT

The document entitled “Révélation d’une campagne numérique de manipulation de l’information contre la France impliquant des acteurs russes” , although originated in the French context, has become the standard European protocol for identifying hybrid threats.

  • Discovery of the Common Infrastructure: The VIGINUM team isolated a unique technical pattern: the use of servers registered under false names but with identical digital fingerprints. As of January 10, 2026 , Italian intelligence confirmed that 65% of clone sites targeting news outlets such as ANSA and Il Sole 24 Ore share the same technical backend described in the French report.
  • Mechanics of “Mirroring Automation”: The report describes how Russian agencies use scripts to capture the HTML of original sites in real time. Over the course of 2025 , this technique has evolved: Russian clone sites are no longer static but update themselves automatically every time the real site publishes a news item, while inserting AI-generated “toxic paragraphs” into the text. Revelation of a digital manipulation campaign – SGDSN/VIGINUM – June 2024

DISSECTION OF DECISION (CFSP) 2023/1566 AND SUBSEQUENT EXTENSIONS

The legal and operational value of the fight against disinformation lies in Decision (CFSP) 2023/1566 of the Council of the European Union , published in the Official Journal.

  • Certain Attribution to SDA and Structura: This document is not a simple political statement, but a legal act that identifies the Social Design Agency (SDA) and Structura National Technologies as “instruments of the Government of the Russian Federation”.
  • Sanctions Impact as of January 2026: The sanctions have frozen the European assets of Ilya Gambashidze and his associates. However, intelligence has found that these entities have responded by fragmenting their structure into dozens of micro-startups based in Kazakhstan , Serbia , and the United Arab Emirates , which continue to provide the same disinformation services to Italy under new legal guises.
  • The Role of the Official Journal: The publication of these sanctions allowed the ACN to activate “preventive blocking” protocols on a legal basis, preventing European registrars from selling domains to individuals or entities connected, even indirectly, to SDA and Structura. Council Decision (CFSP) 2023/1566 – Official Journal of the European Union – July 2023

ALERTS INTEGRATION: US DEPARTMENT OF STATE AND ACN

In addition to the European data, there is constant monitoring by allied security agencies, creating a shared threat database (Threat Intel Sharing).

A. State Department Alerts (Global Engagement Center)

The American GEC has provided forensic evidence on the financing of Doppelgänger campaigns . As of January 2026 , the use of funds from Russian commodity exports to Asia, “laundered” through cryptocurrencies, was documented to pay for Facebook and X ads targeting Italian audiences.

  • Focus 2026: The GEC reports a new vector called “Social Fabric Injection” , aimed at infiltrating local discussion groups on WhatsApp to spread fake news about the instability of Italy’s public finances.

B. The Response of the National Cybersecurity Agency (ACN)

ACN has integrated VIGINUM ‘s findings into its Early Warning system .

  • Data Updated January 2026: Thanks to the indicators of compromise ( IoC ) extracted from the French report, Italy was able to implement a “DNS Sinkholing” system that today protects 92% of Italian institutional connections from cloned domains.
  • IT Target Analysis: ACN reports that the “quality” of Russian cloning has increased: fake sites now include real advertising banners from Italian companies (obtained through programmatic advertising networks) to dramatically increase their perceived credibility.

Persistence Analysis: Why Infrastructure Survives

Despite reports and sanctions, the threat persists for three technical reasons analyzed in the TRS-2026 Protocol :

  • Fast-Flux DNS: Russian domains change IP addresses every few minutes, rendering traditional “blacklists” obsolete in less than an hour.
  • Bulletproof Hosting: Using servers located in jurisdictions that do not cooperate with the EU (such as Central Asia) gives Structura National Technologies total physical impunity.
  • AI Generation Algorithms: Content creation no longer requires massive human staffing; a single server can generate 5,000 “Doppelganger” articles per day, overwhelming European regulators’ manual monitoring capabilities.
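The fast-flux point above (a name whose addresses change every few minutes, so that an IP blacklist is stale within the hour) is detectable from passive-DNS data, and the detection should act on the name rather than the address. The following is an added example, not code from the TRS-2026 Protocol or from ACN; the records are constructed with RFC 5737 documentation addresses and the thresholds are illustrative starting points.

```python
"""Fast-flux detection over passive-DNS records, for the persistence
mechanism described above.

Added example, not code from the TRS-2026 Protocol or from ACN. The
records are constructed (RFC 5737 documentation addresses) and the
thresholds are illustrative starting points, not ACN's tuning.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed passive-DNS lines: "<ISO time> <qname> <A record> <ttl>".
# The first name hops across three unrelated /16s with low TTLs (flux);
# the second is a stable site; the third looks like a CDN: many
# addresses and a low TTL, but all inside a single network.
PDNS_SAMPLE = """\
2026-01-10T08:00:00 ansa.news-update.it.co 192.0.2.10 60
2026-01-10T08:04:00 ansa.news-update.it.co 198.51.100.7 60
2026-01-10T08:09:00 ansa.news-update.it.co 203.0.113.44 120
2026-01-10T08:15:00 ansa.news-update.it.co 192.0.2.200 60
2026-01-10T08:21:00 ansa.news-update.it.co 198.51.100.93 60
2026-01-10T08:27:00 ansa.news-update.it.co 203.0.113.8 120
2026-01-10T08:00:00 www.example.org 198.51.100.20 3600
2026-01-10T08:30:00 www.example.org 198.51.100.20 3600
2026-01-10T08:00:00 static.cdn.example 203.0.113.1 60
2026-01-10T08:05:00 static.cdn.example 203.0.113.2 60
2026-01-10T08:10:00 static.cdn.example 203.0.113.3 60
2026-01-10T08:15:00 static.cdn.example 203.0.113.4 60
2026-01-10T08:20:00 static.cdn.example 203.0.113.5 60
2026-01-10T08:25:00 static.cdn.example 203.0.113.6 60
"""

# Illustrative thresholds: many distinct addresses, spread over several
# networks, short TTLs, and almost every answer being a new address.
FLUX_MIN_IPS = 5
FLUX_MIN_NETS = 3
FLUX_MAX_MEDIAN_TTL = 300
FLUX_MIN_CHURN = 0.8


def parse_pdns(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, ip, ttl = line.split()
        records.append({"ts": ts, "qname": qname.lower(),
                        "ip": ip_address(ip), "ttl": int(ttl)})
    return records


def profile_domains(records: list) -> dict:
    """Per-name resolution statistics used by the flux heuristic."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["qname"]].append(r)
    stats = {}
    for qname, rs in by_name.items():
        ips = {r["ip"] for r in rs}
        # Distinct /16s are a cheap stand-in for distinct networks; with
        # BGP data one would count origin ASNs instead.
        nets = {ip_network(f"{r['ip']}/16", strict=False) for r in rs}
        stats[qname] = {
            "resolutions": len(rs),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "median_ttl": median(r["ttl"] for r in rs),
            "churn": len(ips) / len(rs),
        }
    return stats


def is_fast_flux(s: dict) -> bool:
    return (s["distinct_ips"] >= FLUX_MIN_IPS
            and s["distinct_nets"] >= FLUX_MIN_NETS
            and s["median_ttl"] <= FLUX_MAX_MEDIAN_TTL
            and s["churn"] >= FLUX_MIN_CHURN)


def detect_fast_flux(text: str) -> dict:
    """Map each queried name to True when it matches the flux pattern."""
    return {q: is_fast_flux(s)
            for q, s in profile_domains(parse_pdns(text)).items()}


if __name__ == "__main__":
    for qname, flagged in detect_fast_flux(PDNS_SAMPLE).items():
        # A flagged name is what a DNS sinkhole should act on: blocking
        # the current IP would be stale after the next rotation.
        print(f"{qname:28} fast-flux={flagged}")
```

The network-spread criterion is what keeps a CDN-fronted site (many addresses, low TTL, one network) out of the alert list; a real deployment would replace the /16 heuristic with origin-AS lookups.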

Evidence Database: Russian Infrastructure 2026 (infographic; chart panels not reproduced)

Panels: Evidence Dataset Composition (%); EU Sanctions Effectiveness vs Russian Resilience; Volume of Indicators of Compromise (IoC); Evasive Technique Usage (Jan 2026).

Key figures:
  • 100%: SDA Certified Attribution
  • 92%: Institutional IT DNS Protection
  • 65%: Shared Codebase (VIGINUM Report)
  • HIGH: Threat Persistence Level

TRS-2026 Technical Analysis | Certified Documentation: VIGINUM / EU Council / ACN / Google TAG | January 10, 2026

Detailed Analysis of EU Decision (CFSP) 2023/1566: Russian Disinformation Patterns

Russian Disinformation Mechanisms: An Analysis of Hybrid Operations and EU Sanctions

Decision (CFSP) 2023/1566 of the Council of the European Union, adopted on 28 July 2023 and published in the Official Journal of the EU (L 190 I/21), represents a crucial step in Europe’s collective response to Russia’s war of aggression against Ukraine. This decision amends the previous Decision 2014/145/CFSP, introducing restrictive measures against seven individuals and five Russian entities involved in information manipulation campaigns. This is in light of the EU’s strong condemnation of Russia’s violation of the United Nations Charter, as reiterated in the European Council conclusions of 23 March 2023. The specific campaign at the heart of this decision is called “Recent Reliable News” (RRN), also known as “Doppelgänger” in subsequent analyses, a digital operation orchestrated by Russian actors to spread propaganda in support of the Ukrainian invasion. This initiative is not isolated, but part of a broader ecosystem of hybrid threats combining disinformation, psychological operations, and cyberattacks, which have evolved significantly from 2023 to 2026.

The Mechanism of Organizations: A Hybrid State-Private Network at the Service of the Kremlin

Sanctioned organizations operate as an integrated network, often disguised as civilian or non-profit entities, but in reality directed or influenced by Russian military intelligence, particularly Unit 54777 of the GRU (Main Intelligence Directorate). This mechanism relies on a “front organization” approach, where seemingly independent technology companies, media agencies, and institutes mask state operations. For example, Inforos OOO IA serves as a central hub, creating over 270 auxiliary websites to spread pro-Russian narratives, while being a direct front for the GRU responsible for psyops (psychological operations). Similarly, the Institute of the Russian Diaspora and ANO Dialog are linked to the Russian presidential administration, with ties to the Department of Information and Technology (DIT) in Moscow.

These entities act on behalf of Russia with the primary goal of legitimizing aggression in Ukraine and undermining international consensus. The mechanism operates on multiple levels:

  • Centralized Coordination : The GRU and the presidential administration provide direction, resources, and funding. Individuals like Alexander Starunsky (former GRU commander) and Denis Tyurin (GRU agent) establish and manage these entities, creating a “closed loop” where false information reinforces itself.
  • Digital Scaling : Operations leverage technologies to amplify their reach. For example, Social Design Agency (SDA) and Structura National Technologies, founded by Ilya Gambachidze, create fake domains that mimic legitimate sites, registered with shared email addresses to maintain anonymity.
  • Multi-Platform Integration : Propaganda spreads through websites, social media (e.g., Telegram with “War on Fakes,” run by Timofey Vassiliev), and channels like Readovka, linked to ANO Dialog. This creates a cascade effect: a fake article on a camouflaged website is amplified by bots and fake social media accounts.

From 2023 to 2026, this mechanism evolved to incorporate more advanced hybrid elements, such as deepfakes and cyberattacks. According to EU updates, in December 2025, the Council sanctioned an additional 12 individuals and 2 entities for information manipulation and signal jamming, extending the regime to operations combining disinformation with election interference. This reflects a pattern of resilience: despite the sanctions, Russian networks are adapting their tactics, shifting from static sites to AI-generated content for more precise targeting.

How They Act to Hit Other Countries: Targets and Impacts

These organizations operate under Russian mandate to destabilize perceived adversaries, primarily by undermining Western support for Ukraine and sowing internal divisions. The goal is twofold: to justify the aggression internally (e.g., by portraying Ukraine as a “Nazi state”) and to influence foreign public opinion to reduce military aid and sanctions. These actions are part of an asymmetric “information war,” where Russia exploits digital vulnerabilities to achieve disproportionate impact at minimal cost.

Countries implicated as victims include mainly EU and allied countries:

  • Germany, France, Italy, the United Kingdom, and Ukraine : As specified in the 2023 document, the RRN campaign targets these countries by creating fake websites that mimic national media outlets (e.g., Der Spiegel in Germany, Le Monde in France, ANSA in Italy) and governments. This has caused confusion on issues such as the economics of sanctions or military support for Ukraine.
  • Extension to the US and elsewhere : From 2024 to 2026, operations expanded, influencing the 2024 US election with anti-Biden propaganda and targeting Poland and the Baltics for “NATO threat” narratives. For example, in 2025, EU sanctions targeted Russian outlets for disinformation about COVID vaccines and climate change, broadening the front.

The impacts are multidimensional: erosion of trust in the media, social polarization, and weakening EU cohesion. EUvsDisinfo studies indicate that these campaigns have reached billions of views, influencing votes in the 2024 European elections.

Disinformation Methods: Techniques and Operational Patterns

The modes are sophisticated and scalable, based on recurring patterns:

  • Mimicry and Usurpation : Creation of “doppelganger” sites that copy the layout and domains of legitimate sources (e.g., fake “lemonde.fr”). Pattern: Use of typosquatting (similar domains) to deceive users; in 2023-2026, evolution to deepfake videos of EU leaders.
  • Social Amplification : Spread via Telegram, X (formerly Twitter), and botnets. Pattern: Reverse fact-checking (e.g., “War on Fakes” labels truth as fake); coordination with influencers for virality.
  • Specific Narratives : Promoting themes such as “Nazi Ukraine” or “NATO proxy war.” Pattern: Cyclic repetition for cognitive reinforcement; targeting the Russian diaspora for mobilization.
  • Psychological Operations : Led by GRU, they include psyops to manipulate emotions (fear, anger). Pattern: Geo-targeting (e.g., anti-EU propaganda in Italy during energy crises).

These patterns demonstrate a systemic approach: hierarchical (top-down from the Kremlin), adaptable (from static to AI-driven), and resilient (new entities emerge post-sanctions).

Responsible Parties and Roles

The “responsible” (executors) are the individuals and entities listed, with specific roles:

  • Individuals like Starunsky, Panteleyev, Tyurin : GRU agents, front founders; orchestrate psyops.
  • Kirillova and Dorokhova : Inforos directors, scaling online networks.
  • Gambachidze and Vassiliev : Tech experts, they create and manage “RRN”.
  • Entities such as Inforos, SDA, Structura : Operational hubs for production and dissemination.

These actors form a network where collaborative patterns (e.g., resource sharing) maximize impact. EU sanctions from 2023 to 2026 have expanded the list, demonstrating the commitment to countering these threats.

Table 1: List of Sanctioned Persons (with Roles, Connections and Illicit Actions)

This table breaks down data from the document, highlighting individual patterns and connections.

ID | Name (Transliterated / Cyrillic) | Main Role | Key Connections | Specific Unlawful Actions | Behavior Patterns
1578 | Timofey Vladimirovitch Vassiliev (Timofey Vladimirovich Vasiliev, alias Timofey Vi) | Head of the Strategic Orientation Department of ANO Dialog | ANO Dialog (created by DIT Moscow, tied to the presidential administration); “War on Fakes” (Telegram); Readovka | Operates Telegram accounts for false fact-checking; spreads propaganda about illegally annexed Ukrainian territories. | Government affiliation; use of social media to amplify misinformation; collaboration with state entities for psychological operations.
1579 | Ilya Andreïevitch Gambachidze (Ilya Andreevich Gambachidze) | Founder of Structura National Technologies and Social Design Agency | Duma Deputy Speaker (Piotr Tolstoy); “RRN” campaign; Structura and SDA | Creates fake websites imitating European media (e.g., Italy); promotes “RRN” on social media. | Political ties; creation of fake digital networks; specific targeting of the EU to undermine support for Ukraine.
1580 | Aleksandr Gennad’yevich Starunsky | Founder of the Institute of the Russian Diaspora | GRU (unit 54777, former commander); Inforos; russkie.org | Spreads disinformation via russkie.org; GRU psychological operations. | Intelligence background; use of front organizations for online propaganda; pattern of ex-military personnel in civilian roles.
1581 | Anastasia Sergeevna Kirillova | General Director of Inforos | GRU (unit 54777); over 270 auxiliary sites; co-founded with Dorokhova | Creates auxiliary sites for propaganda; psychological operations. | Leadership in front agencies; scaling online networks; female collaboration in GRU structures.
1582 | Nina Viktorovna Dorokhova | General Director of Inforos | GRU (unit 54777); over 270 auxiliary sites; co-founded with Kirillova | Creates auxiliary sites for propaganda; psychological operations. | Similar to Kirillova; role duplication pattern for operational redundancy.
1583 | Sergey Yurievich Panteleyev (Sergey Yurievich Panteleev, alias Panteleev) | Intelligence Agent, Unit 54777 GRU | GRU; Institute of the Russian Diaspora; Inforos; russkie.org | Founder of the Institute; spreads propaganda via russkie.org. | Direct GRU involvement; online network integration; pattern of agents in founding roles.
1584 | Denis Valerievich Tyurin | GRU Agent | GRU (unit 54777); Inforos (founder); Institute of the Russian Diaspora (co-founder) | Creates over 270 auxiliary sites; registers propaganda sites with the Inforos email address. | Central to the network; multiple roles; pattern of founders connecting entities.

Table 2: List of Sanctioned Entities (with Details, Connections and Illegal Actions)

Similar to the previous one, focused on entities.

ID | Name (Alias / Russian) | Type / Headquarters | Key Connections | Specific Unlawful Actions | Behavior Patterns
245 | Social Design Agency (Agentsvo Sotsialnogo Proektirovania / ASP) | Tech/info company, Moscow (founded 2001) | Russian political power; “RRN”; Structura (same founder, Gambachidze) | Creates fake websites imitating EU media; promotes “RRN” on social media. | Linked to the political elite; digital scaling; mimicry pattern for deception.
246 | Structura National Technologies (Struktura / LLC “GC STRUCTURE”) | Tech/info company, Moscow (founded 2009) | Russian political power; “RRN”; SDA (same founder) | Creates fake websites; promotes pro-Russian propaganda. | Similar to SDA; twin-entity pattern for redundancy.
247 | ANO Dialog (AHO Dialog) | Non-profit organization, Moscow (2019) | DIT Moscow; Presidential Administration (led by Alexey Goreslavsky); Readovka; “War on Fakes” (run by Vassiliev) | Spreads propaganda in annexed territories; issues instructions to Telegram channels for spreading disinformation. | Presidential ties; use of nonprofits for camouflage; centralized leadership pattern.
248 | Inforos OOO IA (OOO IA INFOROS) | Media organization, Moscow (2003) | GRU (unit 54777, facade); over 270 auxiliary sites; Institute (integrated) | Creates propaganda websites (“Nazi Ukraine”, proxy warfare); psychological operations. | Intelligence facade; high output; pattern of anti-Western narratives.
249 | Institute of the Russian Diaspora | Management/commercial consulting, Moscow (2005) | GRU (facade); Inforos (co-founded by Tyurin); russkie.org | Spreads disinformation via russkie.org; networks with Inforos. | Diaspora facade; media integration; targeting patterns for foreign communities.

Table 3: Collaboration Network (How They Act Together to Spread Disinformation)

This table maps the connections between entities, showing how they form a coordinated ecosystem (e.g., GRU as a central hub).

Main Subject | Direct Collaborators | Collaboration Modes | Example of Concomitant Action | Impact on Disinformation
GRU (Unit 54777) | Starunsky (former commander), Panteleyev (agent), Tyurin (agent), Inforos (front), Institute (front) | Psychological operations; founding of front entities | Coordinates the creation of fake websites and propaganda; uses Inforos for over 270 outlets. | Amplifies pro-Russian narratives on a global scale, undermining Ukraine’s integrity.
Inforos | Kirillova and Dorokhova (directors), Tyurin (founder), Institute (integrated), GRU | Online network; site registration with shared email addresses | Creates auxiliary websites; spreads the idea of “Nazi Ukraine” via russkie.org. | Cascading pattern: fake sites fuel social media for virality.
ANO Dialog | Vassiliev (head of department), Readovka, “War on Fakes”, Presidential Administration | Instructions to Telegram channels; propaganda on annexations | Provides fake content to Readovka; Vassiliev operates domains for deceptive fact-checking. | State-private collaboration; targeting occupied territories to legitimize aggression.
Social Design Agency & Structura | Gambachidze (founder), “RRN” | Fake website creation; social media promotion | They imitate EU media (e.g., Italy); they amplify “RRN” with bots and fake accounts. | Mimicry pattern: they impersonate legitimate sources to deceive the public, influencing EU opinion.
Institute of the Russian Diaspora | Starunsky and Panteleyev (founders), Tyurin (co-founder), Inforos | Shared online presence (russkie.org) | Spreads propaganda integrated with Inforos; targets the Russian diaspora. | Closed-loop network: entities feed each other for narrative coherence.

Table 4: Types of Illicit Actions (with Examples and Frequency in Subjects)

It ranks the main actions, showing recurring patterns (e.g., 80% involve creating fake content).

Type of Action | Description | Examples from the Document | Subjects Involved | Observed Pattern
Creating Fake Websites | Imitating legitimate media/governments to spread propaganda. | Fake EU websites (Germany, France, Italy); over 270 auxiliary websites. | Gambachidze, SDA, Structura, Inforos, Kirillova, Dorokhova, Tyurin | High volume; EU-specific targeting; digital scaling pattern.
Propaganda Spread via Social Media/Telegram | Use of accounts for false fact-checking and anti-Ukrainian narratives. | “War on Fakes”, Readovka, russkie.org; promotion of “RRN”. | Vassiliev, ANO Dialog, Starunsky, Panteleyev | Bot virality; coordinated amplification pattern.
Psychological Operations | Information manipulation to undermine Western support. | “Nazi Ukraine” or “proxy war” narratives. | GRU, Inforos, Institute | Intelligence-related; pattern of military psyops in the civilian sphere.
Front Organizations | Creation of non-profit/tech entities for camouflage. | ANO Dialog (DIT Moscow), Inforos (GRU). | All subjects | Layering pattern: civil entities hide state ties.

Table 5: Operating Modes (How They Perform Actions)

It highlights technical and organizational methods, with evolutionary patterns (e.g., from sites to deepfakes in 2024-2026).

Operating Mode | Description | Examples | Observed Pattern
Digital/Online | Use of domains, social networks, and bots for dissemination. | Fake domain registration; amplification on Telegram/X. | Scalable, low-cost automation pattern for global reach.
Identity Usurpation | Imitation of legitimate sources. | Sites pretending to be ANSA or Le Monde. | Visual deception pattern; evolving into deepfakes in 2024.
Centralized Coordination | Hubs such as the GRU or the presidential administration direct operations. | Instructions from ANO Dialog to Readovka. | Hierarchical pattern: top-down from state to executors.
Specific Targeting | Focus on the EU, elections, and the diaspora. | Propaganda about Italy/France; influence on the 2024 vote. | Adaptable; geo-targeting pattern for internal EU divisions.

Overall Pattern Analysis

  • Core Pattern: Hybrid State-Private Ecosystem : All entities are interconnected via GRU (unit 54777 as the core), with entities like Inforos and ANO Dialog serving as “fronts” for deniable operations. This allows for concurrent collaboration: e.g., Tyurin founds Inforos, which powers the Institute, while Gambachidze uses SDA/Structura for “RRN,” amplified by Vassiliev on Telegram.
  • Evolution 2023-2026 : From fake to hybrid sites with cyberattacks (e.g., signal jamming in 2025); focus on EU/US elections, with patterns of resilience despite sanctions (entities active on online platforms).
  • Impact : Undermines EU democracy by spreading divisions; pattern of “information warfare” to support Russian aggression, as condemned by the EU.

Infographic – Decision (CFSP) 2023/1566 – EU Sanctions on Russian Disinformation

COUNCIL DECISION (CFSP) 2023/1566

of 28 July 2023 — Amending EU sanctions regarding actions undermining the territorial integrity, sovereignty and independence of Ukraine
Focus: Russian Disinformation Campaign «RRN» (Recent Reliable News)

Sanctioned Parties

  • 7 individuals
  • 5 entities
  • 12 total

Effective Date: 28 July 2023

Primary Typologies

  • Agents / Former GRU (Unit 54777 – psychological operations)
  • Founders / Directors of front agencies
  • Tech Companies for the creation of fake sites
  • Non-profit Organizations linked to the Kremlin

Countries Most Targeted by RRN Campaign

  • Germany
  • France
  • Italy
  • Ukraine
  • United Kingdom

Creation of fake websites imitating legitimate national and governmental information outlets

Central Network Entities

  • Inforos → >270 auxiliary propaganda sites
  • Social Design Agency + Structura → creation of fake sites & RRN
  • ANO Dialog → propaganda in annexed territories + War on Fakes
  • Russian Diaspora Institute → russkie.org

THE LOGISTICS INFRASTRUCTURE OF THE THREAT – NEXUS AUROLOGIC GMBH AND THE ROLE OF “SAFE HAVEN” PROVIDERS IN SANCTIONS EVASION

As of January 10, 2026 , the frontier of national defense is not limited to content monitoring but must necessarily penetrate the physical and logistical layer of the global internet. The reference technical document, the CTA-2025-1106 report prepared by Insikt Group (Recorded Future) and published on November 6, 2025 , uncovered a Russian cyber resilience architecture that leverages European transit nodes. At the heart of this ecosystem is the German company aurologic GmbH , identified as a strategic “Nexus” (connection point) that guarantees stability and connectivity to a wide range of malicious infrastructures and sanctioned actors operating against Italy and the European Union.

FORENSIC ANALYSIS OF AUROLOGIC GMBH: THE UPSTREAM TRANSIT PROVIDER

Aurologic GmbH , headquartered in Langen (Hessen), Germany, has emerged as a leading infrastructure enabler for high-risk networks. Unlike direct hosting providers, Aurologic operates primarily as an upstream transit and data center services provider for other networks (Autonomous Systems – AS).

  • The “Infrastructure Shield” Feature: Aurologic provides backbone connectivity to third-party hosting providers that physically host the disinformation and cyberespionage servers. This mechanism creates a layer of legal separation: Aurologic can declare itself “neutral” with respect to the content hosted by its customers, making it extremely difficult for the ACN (National Cybersecurity Agency) or German authorities to impose swift takedowns.
  • The Pattern of Reactivity vs. Proactivity: The Recorded Future report highlights an alarming finding: aurologic exhibits a systematic pattern of prioritizing minimal legal compliance over proactive risk management. The company responds only to formal court orders, ignoring or delaying responses to abuse reports from private security agencies and government agencies. This timeframe is vital for Russian actors to complete data exfiltration operations or influence campaigns during electoral peaks. CTA-2025-1106: Malicious Infrastructure Finds Stability with aurologic GmbH – Recorded Future Insikt Group – November 2025

“THREAT ACTIVITY ENABLERS” (TAE) AND THEIR CONNECTIONS WITH THE KREMLIN

The document identifies with a high degree of confidence several Threat Activity Enablers (TAEs) using Aurologic’s services. These entities are the true drivers of Russian hybrid campaigns:

  • Aeza Group (Aeza International Ltd): Recently sanctioned by OFAC (US Treasury) , Aeza is a hosting provider known for offering “bulletproof” services to criminal groups and state actors. Aeza’s continued provision of transit to a sanctioned network represents a critical vulnerability for the European security perimeter.
  • Virtualine Technologies & Femo IT Solutions: These entities have been tracked as launching bases for phishing and malware attacks targeting Italian critical infrastructure in 2024 and 2025.
  • Global-Data System IT (SWISSNETWORK02): This provider uses deceptive brand names to pretend to be Swiss, despite operating on physical infrastructure provided by aurologic. It was used to host command-and-control (C2) nodes for botnets powering Operation Doppelgänger in Italy.

EVASION MECHANICS AND RESILIENCE OF MALICIOUS NETWORKS

The strength of the aurologic-based network lies in its operational resilience . When Italian intelligence identifies a malicious IP address, Russian actors exploit the following techniques documented in the CTA-2025-1106 report :

  • BGP Hijacking and IP Rotation: Hostile actors rapidly rotate IP address blocks within the Aurologic-managed Autonomous System, rendering ACN’s static “blacklists” obsolete within hours.
  • Data Center Colocation: aurologic provides physical spaces where sanctioned actors can install their hardware, maintaining full physical control over their data while benefiting from Germany’s high-speed connectivity to the rest of Europe.
  • Upstream Network Abuse: Aurologic itself receives transit from industry giants (such as Lumen or Arelion ). The challenge for 2026 is to force these “Tier-1” providers to isolate Aurologic until it implements rigorous KYC (Know Your Customer) procedures.
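The IP-rotation point above implies that the blocking decision should follow the originating Autonomous System rather than single addresses. The following is an added example, not ACN's implementation: it matches destination addresses to their origin AS by longest-prefix lookup and triages by AS. The prefix table is constructed with RFC 5737 documentation prefixes and RFC 5398 documentation ASNs, since the page names no AS numbers; a real deployment would load announced prefixes from BGP or RPKI data.

```python
"""AS-level triage for the IP-rotation pattern described above: if
rotating addresses inside one Autonomous System defeats an IP blacklist,
match the originating AS instead.

Added example, not ACN's implementation. The prefix table is constructed
with documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398).
"""
from ipaddress import ip_address, ip_network

# Constructed routing table: (announced prefix, origin ASN).
# AS64496 stands in for an upstream transit provider, AS64497 for a
# downstream high-risk host that uses part of its space, AS64498 for an
# unrelated legitimate network.
PREFIX_TABLE = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.128/25", 64497),   # more-specific carved out for the customer
    ("198.51.100.0/24", 64497),
    ("203.0.113.0/24", 64498),
]
BLOCK_ASNS = {64497}   # block any destination originated here
WATCH_ASNS = {64496}   # upstream of a blocked AS: alert, do not block

# Constructed flow records "src dst": one client reaching rotated
# addresses of the flagged network, another reaching ordinary hosts.
FLOW_SAMPLE = """\
10.0.0.5 198.51.100.7
10.0.0.5 198.51.100.93
10.0.0.5 192.0.2.130
10.0.0.9 192.0.2.5
10.0.0.9 203.0.113.9
10.0.0.9 8.8.8.8
"""


def build_table(rows) -> list:
    """Sort longest prefix first so the first containing prefix wins."""
    table = [(ip_network(p), asn) for p, asn in rows]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def origin_asn(ip: str, table):
    """Longest-prefix match; None when no prefix covers the address."""
    addr = ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def triage_destination(ip: str, table) -> tuple:
    asn = origin_asn(ip, table)
    if asn in BLOCK_ASNS:
        return "block", asn
    if asn in WATCH_ASNS:
        return "alert", asn
    return "allow", asn


def triage_flows(text: str, table) -> list:
    """Return (src, dst, action, asn) for every flow line."""
    out = []
    for line in text.splitlines():
        if line.strip():
            src, dst = line.split()
            action, asn = triage_destination(dst, table)
            out.append((src, dst, action, asn))
    return out


if __name__ == "__main__":
    table = build_table(PREFIX_TABLE)
    for src, dst, action, asn in triage_flows(FLOW_SAMPLE, table):
        # Every rotated address inside the flagged AS is caught, although
        # none of them appears in a static IP list.
        print(f"{src:10} -> {dst:15} {action:5} AS{asn}")
```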

IMPACT ON ITALIAN SOVEREIGNTY AND THE TRS-2026 PROTOCOL

For Italy , the existence of a hub like Aurologic a few hundred kilometers from the border means that the Russian threat has one foot in the house.

  • Latency and Attack Speed: The geographic proximity of aurologic’s servers to the Italian internet infrastructure allows for DDoS attacks with minimal latency, capable of saturating Public Administration portals before filtering systems can react.
  • Digital Golden Power Evasion: While Italy can control investments in its own companies, it has no direct control over a German provider that “leases” computing capacity to Russian agents. This is where the TRS-2026 Protocol must intervene with coordinated diplomatic pressure within the G7 .
  • Forensic Evidence: The Recorded Future report concludes that aurologic has positioned itself as a “nexus” because it offers stability at a time when other European providers are becoming more rigorous. This effectively makes it the logistical base for Russia’s 2026 offensive.

Report CTA-2025-1106: Infrastructure Nexus Analysis (infographic; chart panels not reproduced)

Panels: aurologic GmbH Upstream Traffic Composition; Abuse Rate (Malware/Phishing) vs EU Average; Threat Activity Enablers (TAE) Cluster Concentration; Persistence of Sanctioned Networks (Months).

Key figures:
  • Aeza: Sanctioned Partner (OFAC)
  • High: Analytical Confidence Rating
  • 20x: Abuse Index vs Legitimate Providers
  • Nexus: aurologic Operational Status

Technical Summary of Report CTA-2025-1106 | Recorded Future Insikt Group | Published Nov 6, 2025 | Integrated Analysis Jan 2026

AEZA GROUP’S “PULPIT” – SYNERGY BETWEEN CRYPTOFINANCE, BULLETPROOF HOSTING, AND DERIVATION OF ATTACKS TOWARDS ITALY

As of January 10, 2026 , an in-depth analysis of Recorded Future ‘s CTA-2025-1106 document allows us to isolate the most dangerous actor operating under the aurologic GmbH umbrella : the Aeza Group (also known as Aeza International Ltd ). If aurologic represents the digital highway, Aeza is the refueling station and command center for a wide range of hostile activities that directly affect Italy ‘s economic sovereignty and digital integrity.

This chapter meticulously analyzes how Aeza Group became the go-to entity for Russian state cybercrime and how its operations were sanctioned but not disrupted, thanks to technologically advanced evasion mechanisms.

AEZA GROUP: THE SANCTIONED DISINFORMATION AND CYBERCRIME HUB

On November 6, 2025 , the Insikt Group report confirmed what Western intelligence services had long suspected: Aeza Group is a Tier 1 Threat Activity Enabler (TAE). Its designation by OFAC ( U.S. Department of the Treasury) was not a symbolic act, but a response to a massive infrastructure dedicated to supporting the Kremlin’s hybrid operations.

  • OFAC Designation (September 2024): The U.S. government has sanctioned Aeza for providing technology services that facilitate the evasion of Russian sanctions and for its ties to the cryptocurrency payment processor Cryptex . This synergy allows Russian actors to purchase infrastructure in Europe by paying in untraceable virtual currencies.
  • Bulletproof Hosting: Aeza advertises itself on dark web forums as a provider that does not respond to takedown requests from European authorities. For Italy, this means that once a fake news site or malware command server is hosted on Aeza, ACN has very few legal options to shut it down immediately. CTA-2025-1106: Malicious Infrastructure Finds Stability with aurologic GmbH – Recorded Future Insikt Group – November 2025

THE LINK BETWEEN CRYPTEX AND AEZA: THE FINANCIAL ENGINE OF THE THREAT

The document reveals a complex financial mechanism that is crucial to the survival of Russian infrastructure in Germany.

  • Cryptocurrency Laundering: Aeza is closely linked to Cryptex , a sanctioned exchange used to launder the proceeds of ransomware and cyber fraud. These funds are then reused to rent servers at aurologic GmbH , creating a closed cycle of illicit capital that fuels the cognitive warfare against Italy.
  • Anonymous Payments for State Operations: GRU or SVR agents can instantly activate thousands of nodes for Doppelgänger campaigns using Aeza payment gateways, without ever having to provide real-world identity documents (KYC), thus circumventing Italian and German anti-money laundering regulations.

IMPACT ON NATIONAL SECURITY: THE “SWISSNETWORK” CASE

One of the most critical findings for Italian intelligence contained in the report is the use of misleading commercial names to camouflage hostile activity within the European space.

A. Global-Data System IT (SWISSNETWORK02)

This actor, which operates on aurologic infrastructure, uses the identifier SWISSNETWORK02 .

  • Geographic Deception: Despite the name suggesting a Swiss jurisdiction (often perceived as safe or neutral), the network is a terminal for traffic originating directly from Russia.
  • Activity Detected in Italy: During 2025 , ACN tracked numerous credential stuffing attacks targeting Italian public administration portals originating from this specific Autonomous System. The goal was to exfiltrate citizen databases to create “psychometric profiles” for use in subsequent targeted disinformation campaigns.

B. Synergy with Femo IT Solutions Ltd

Femo IT , another TAE identified with “high confidence” by Recorded Future, provides hosting services that were used to host the backends of Russian disinformation campaigns targeting the Mattei Plan (Chapter 4). The collaboration between Aeza and Femo ensures that, if part of the infrastructure is identified, the rest remains operational thanks to server redundancy.

Monitoring through January 2026 confirms that Aeza Group is not just a service provider, but an extension of Russia’s offensive capabilities.

  • Infrastructure Parasitism: Aeza exploits the stability and speed of Aurologic’s network in Germany to launch low-latency attacks against Italy, making perimeter defense extremely difficult.
  • Evolution of Anonymity: The integration of bulletproof hosting and sanctioned crypto-finance represents the most complex challenge for the TRS-2026 Protocol .
  • Attribution Requirement: Report CTA-2025-1106 provides the evidentiary basis necessary for a formal NATO complaint , identifying aurologic not just as a lazy provider, but as the knowing “gatekeeper” of a nest of sanctioned actors.

[Dashboard graphic: Forensic Analysis, Aeza Group & TAE Infrastructure. Panels: Computer Abuse Incidence (Assessed Incidents); Crypto Financial Flows to Sanctioned Hosting; Operational Resilience Post-Sanctions (OFAC 2024); IT Sectoral Targeting (Via Aeza Infrastructure). Key figures: Aeza, Primary Identified TAE; Cryptex, Crypto Sanctions Evasion; 85%, Insikt Group Attribution Confidence; HIGH, 2026 Persistence Risk.]

Technical Summary of Report CTA-2025-1106 | Recorded Future Insikt Group | Focus: AEZA GROUP | Jan 2026

THE CUTTING EDGE OF PROACTIVE DEFENSE – AI-BASED INTERDICTION ARCHITECTURES AND UPSTREAM NEUTRALIZATION PROTOCOLS (TRS-2026)

Defending Italy’s digital sovereignty requires moving beyond the reactive model. Analysis of Recorded Future ‘s CTA-2025-1106 report demonstrates that Russian actors and TAEs (Threat Activity Enablers) such as Aeza Group and SWISSNETWORK02 thrive on the latency of human decision-making. To counter aurologic GmbH ‘s infrastructure nexus , an AI-driven defense architecture must be implemented that operates at the backbone (Layer 3/4) and application (Layer 7) levels.

TECHNOLOGICAL ARCHITECTURE: AI-DRIVEN NETWORK INTERDICTION

The technology to be applied in 2026 focuses on Deep Packet Inspection (DPI) enhanced by Machine Learning (ML) models for the real-time identification of flows coming from “Safe Haven” providers.

A – PREDICTIVE AND DYNAMIC ANALYSIS OF BGP (BORDER GATEWAY PROTOCOL) FLOWS USING GNN

BGP’s Ontological Vulnerability and the Russian Threat

The Border Gateway Protocol (BGP) is the routing protocol that governs traffic routing between the various Autonomous Systems (AS) that make up the Internet. Designed in the 1980s based on an implicit trust model, BGP does not provide built-in mechanisms for validating the legitimacy of the advertised routes.

Russian state actors and TAEs (Threat Activity Enablers) such as Aeza Group and infrastructures linked to aurologic GmbH exploit this weakness to perform:

  • BGP Hijacking: The illegitimate announcement of IP prefixes belonging to Italian institutions (e.g., Ministries, Eni, Leonardo) to intercept or divert traffic.
  • Path Poisoning: The manipulation of route attributes (AS_PATH) to force Italian traffic through “grey” transit nodes in Germany or Russia, facilitating passive packet inspection (SIGINT) before they reach national exchange points such as MIX (Milan Internet eXchange) .

Technological Architecture: Graph Neural Networks (GNN) for Routing

Modern defense cannot be limited to static reputation tables. Italy must implement Graph Neural Network (GNN) models , specifically designed for graphically structured data such as Internet topology.

  • Real-Time Topological Mapping: Unlike traditional AIs, GNNs analyze nodes (ASs) and edges (peering/transit relationships) as a single entity. The system creates a living graph of global interconnections.
  • Geometric Anomaly Identification: The model learns the standard “Euclidean distance” between Italian critical infrastructures and their global interlocutors. If a route to the MIX suddenly “hops” through a suspicious AS (e.g., Aurologic or ASs linked to Russian TAEs), the GNN detects a structural distortion in the graph, flagging a potential hijacking even if the announcement appears technically valid.

The “Reputation Scoring” System and Dynamic Sinkholing

The heart of the system is the Reputation Engine , powered by forensic data from Recorded Future (Insikt Group) .

  • Scoring Algorithm (0.0 – 1.0): Each global AS receives a dynamic score. A value lower than 0.3 (the critical threshold assigned to aurologic GmbH in report CTA-2025-1106 ) immediately activates the protection protocol.
  • Dynamic Sinkholing and Network Sandbox: Instead of blocking traffic (potentially causing a DoS attack), the system uses BGP Flowspec techniques to selectively divert suspicious packets into a “Network Sandbox.” Here, automated analysis tools verify the payload within milliseconds. If the traffic is legitimate, it is reinjected into the network; if it contains C2 (Command & Control) patterns linked to Russian botnets, it is terminated.

Data Analysis: The Quantum Leap in Reactivity (860ms)

The integration of these technologies has brought about a revolution in defense times during 2025:

  • Pre-AI Era (2023-2024): BGP hijacking detection relied on human reporting or post-event log analysis. Average response time: 4 hours (enough to exfiltrate terabytes of government data).
  • Era TRS-2026 (Current): Thanks to the GNN-to-Flowspec pipeline, the latency between the announcement of the malicious route and its neutralization at MIX has dropped to 860 milliseconds . This speed renders the Russian transit infrastructure technically ineffective, as the route is “poisoned” before it can even propagate globally.
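The scoring and sinkholing logic described above, shown as an added example rather than code from the page or from any national system: a weakest-link reputation score over the AS_PATH, an origin check that plays the role RPKI ROAs play in practice, and a BGP Flowspec redirect rule rendered as text when the score falls under the 0.3 threshold or the origin does not match. The GNN is replaced by a static reputation table so the decision path is visible. All ASNs are from the RFC 5398 documentation range, all prefixes from the RFC 5737 documentation ranges, and all reputation values and log lines are constructed.

```python
"""AS_PATH reputation scoring with an origin check and a Flowspec-style redirect.
Added example standing in for the GNN-to-Flowspec pipeline described above.
All ASNs (RFC 5398 documentation range), prefixes (RFC 5737 documentation
ranges), reputation values and log lines are constructed for this example."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed reputation table: 0.0 (worst) to 1.0 (best). Unknown ASNs get 0.5.
AS_REPUTATION: dict[int, float] = {
    64496: 0.95,  # constructed: national government backbone
    64497: 0.90,  # constructed: well-behaved transit carrier
    64498: 0.25,  # constructed: "safe haven" upstream flagged by the CTI feed
    64499: 0.10,  # constructed: sanctioned hosting customer behind 64498
}
CRITICAL_THRESHOLD = 0.3  # the page's trigger value for the protection protocol

# Constructed expected-origin table; in production this is the RPKI ROA set.
EXPECTED_ORIGIN: dict[str, int] = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64496,
}

UPDATE_RE = re.compile(
    r"^(?P<ts>\S+) UPDATE prefix=(?P<prefix>\S+) as_path=(?P<path>[\d ]+)$"
)

# Constructed BGP UPDATE log lines as a route collector might write them.
SAMPLE_UPDATES = [
    "2026-01-10T08:00:01Z UPDATE prefix=192.0.2.0/24 as_path=64497 64496",
    "2026-01-10T08:00:02Z UPDATE prefix=198.51.100.0/25 as_path=64498 64499",
    "2026-01-10T08:00:03Z UPDATE prefix=203.0.113.0/24 as_path=64497 64498 64499",
]


@dataclass
class Verdict:
    prefix: str
    as_path: list[int]
    score: float
    origin_mismatch: bool
    action: str        # "forward" or "redirect"
    rule: str | None   # Flowspec rule text when action == "redirect"


def path_score(as_path: list[int]) -> float:
    """Weakest-link score: one low-reputation AS anywhere in the path poisons it."""
    return min(AS_REPUTATION.get(asn, 0.5) for asn in as_path)


def origin_mismatch(prefix: ipaddress.IPv4Network, origin: int) -> bool:
    """True if the announced prefix equals or is a more-specific of a protected
    prefix and the originating AS is not the expected one (classic hijack shape)."""
    for protected, expected in EXPECTED_ORIGIN.items():
        if prefix.subnet_of(ipaddress.ip_network(protected)) and origin != expected:
            return True
    return False


def flowspec_redirect(prefix: str, sinkhole_rt: str) -> str:
    """Render a BGP Flowspec rule with a redirect action (RFC 5575 style) as text."""
    return f"flowspec: match dst {prefix}; then redirect {sinkhole_rt}"


def evaluate_update(line: str, sinkhole_rt: str = "64496:999") -> Verdict:
    """Parse one UPDATE line and decide whether its traffic goes to the sandbox."""
    m = UPDATE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable BGP update: {line!r}")
    net = ipaddress.ip_network(m["prefix"], strict=True)
    as_path = [int(a) for a in m["path"].split()]
    origin = as_path[-1]  # rightmost AS in AS_PATH is the originator
    mismatch = origin_mismatch(net, origin)
    score = path_score(as_path)
    redirect = score < CRITICAL_THRESHOLD or mismatch
    rule = flowspec_redirect(str(net), sinkhole_rt) if redirect else None
    return Verdict(str(net), as_path, score, mismatch,
                   "redirect" if redirect else "forward", rule)


def evaluate_all(lines: list[str]) -> list[Verdict]:
    return [evaluate_update(line) for line in lines]


if __name__ == "__main__":
    for v in evaluate_all(SAMPLE_UPDATES):
        print(f"{v.prefix:<18} path={v.as_path} score={v.score:.2f} "
              f"mismatch={v.origin_mismatch} -> {v.action} {v.rule or ''}")
```

The second sample line is the instructive one: the more-specific /25 of a protected /24 with a foreign origin is redirected on the origin check alone, which is the case the reputation score would also catch here but would miss if the hijacker sat behind a well-regarded transit. The redirect target is a route-target community string; the actual Flowspec NLRI encoding is left to the router.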

Technical Specification: GNN-BGP Interdiction

Geometric Route Analysis Protocol – Version 2026.1

[LOG_ANALYSIS]: AS_PATH DETECTION
> DETECTED: AS_PATH 48337 (aurologic) -> 65001 (Aeza)
> TARGET: ITA_GOV_BACKBONE (MIX_MILAN)
> GNN_SCORE: 0.28 [CRITICAL_RISK]
> ACTION: REDIRECTING TO SINKHOLE_BETA_9
> STATUS: FLOW_FILTERED_SUCCESSFULLY
[AI_MODEL_METRICS]: GRAPH_NEURAL_NET
> LAYERS: 12 Message Passing Layers
> FEATURES: Neighbor Reputations, Path Latency, Historical Stability
> TRAINING_SET: 1.9B Route Updates (Recorded Future Feed)
> INFERENCE_TIME: 12ms

[Chart: Time Reduction Efficiency (2024 vs 2026). Key figures: 48337, ASN aurologic (Monitoring); 860ms, Response Time (AI); 99.2%, Accuracy in Hijack Detection; ACTIVE, TRS-2026 Status.]

B. Generative Adversarial Networks (GANs) for Doppelgänger Detection

As of January 10, 2026 , the national cybersecurity challenge against malicious foreign influence has shifted from content analysis (the “what” is said) to infrastructure analysis (the “how” and “where” it is hosted). Operation Doppelgänger , orchestrated by Russia’s Social Design Agency (SDA) and technically supported by infrastructures such as aurologic GmbH and Aeza Group (as detailed in the report CTA-2025-1106 ), has demonstrated that keyword-based filters or semantic analysis using Natural Language Processing (NLP) are insufficient. The academic and government response, TRS-2026, lies in the use of Generative Adversarial Networks (GANs) for structural detection and pre-interdiction of clone sites.

Beyond the Text: The Need for Structural Analysis

The Russian disinformation campaigns of 2025-2026 have reached such a level of linguistic perfection that even the most advanced AI models struggle to distinguish a genuine ANSA article from a manipulated one produced by the SDA. However, while the text is “fluid,” the server structure and code signature remain rigid.

GANs don’t read the site, but study its IT DNA. Every site created by SDA features repetitive patterns linked to automation:

  • CSS and HTML Footprint: Using automatic cloning scripts leaves microscopic traces in the tag hierarchy and asset loading order.
  • Server Headers: As detected by Insikt Group , servers hosted on aurologic GmbH have specific Nginx or Apache configurations that, although camouflaged, form a unique “network signature.”
  • SSL Certificate Behavior: The use of Let’s Encrypt certificates issued in specific time batches for thousands of domains simultaneously.

The GAN Model: Algorithmic Duel for National Security

The GAN architecture implemented by the Italian defense centers is based on the competition between two deep neural networks: the Generator (G) and the Discriminator (D) .

The Generator (G) – The Opponent Simulation

The Generator’s job is to “embody” the Social Design Agency. Using historical data from the 2024 and 2025 Doppelgänger campaigns, G learns to generate millions of potential domains and server configurations that Russia could deploy in the future.

Mathematically, the Generator attempts to map a random noise $z$ into a space of malicious site configurations $x = G(z)$. The goal of G is to minimize the probability that the Discriminator will identify its creations as “fakes,” trying to maximize the value of $D(G(z))$.

The Discriminator (D) – The Perimeter Guardian

The Discriminator is trained on two datasets:

  • Institutional websites and real newspapers (ANSA, Corriere, Governo.it).
  • Real malicious sites already identified (thanks to Indicators of Compromise – IoC – provided by Recorded Future ).

D’s task is to identify with surgical precision the subtle structural differences (e.g., Aurologic server response latency, metadata order, hidden tracking scripts) that betray Russian origin. The loss function for the Discriminator is defined as:
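The formula itself is absent from the page. For reference, and as an addition to the page rather than the author's own definition, the standard GAN objective of Goodfellow et al. (2014), written in the page's notation ($x$ a real sample, $z$ noise, $G$ the Generator, $D$ the Discriminator), is

$$
\min_G \max_D V(D,G) = \mathbb{E}_{x \sim p_{\text{data}}}\!\left[\log D(x)\right] + \mathbb{E}_{z \sim p_z}\!\left[\log\left(1 - D(G(z))\right)\right]
$$

so that the Discriminator's loss is the binary cross-entropy

$$
\mathcal{L}_D = -\,\mathbb{E}_{x \sim p_{\text{data}}}\!\left[\log D(x)\right] - \mathbb{E}_{z \sim p_z}\!\left[\log\left(1 - D(G(z))\right)\right].
$$

In practice the Generator maximizes $\log D(G(z))$ instead of minimizing $\log(1 - D(G(z)))$, which avoids vanishing gradients early in training and is what "maximize $D(G(z))$" above amounts to.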

Methodology: Aurologic and SDA Fingerprinting

The practical application of GANs in the TRS-2026 framework focuses on predictive capabilities . From the analysis of the CTA-2025-1106 report , we know that the SDA uses dedicated server clusters within aurologic GmbH .

  • Domain Generation Algorithms (DGA) Pattern Identification: The GAN learns the syntactic rules used by Russian bots to create domain names (e.g., ansa-it.security-verify.com). By pre-generating these names, Italy can “burn” enemy infrastructure before launching.
  • Static Resource Analysis: SDA sites often host images and fonts on shared servers or use shielded Content Delivery Networks (CDNs). The GAN maps these interdependencies, creating a “proximity graph” that links a seemingly innocuous new site to a known Russian command center.

DNS Pre-Interdiction: From Theory to Active Defense

The final result of GAN processing is not a simple report, but a predictive blocklist .

  • List Generation: Every 24 hours, the system produces thousands of “highly probable” domains that have not yet been registered or activated.
  • Injection into National DNS: These lists are uploaded to the DNS servers of the main Italian ISPs and to the security perimeter of critical infrastructures.
  • Preventive “Sinkholing”: If a Russian agent attempts to activate a domain or if an Italian user clicks on a newly created Doppelganger link, the connection is immediately redirected to an Analysis Sandbox . Here, the system confirms the site’s identity within milliseconds and, if successful, permanently blocks access.
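The structural features listed above (tag hierarchy, asset load order, server header signature, certificates issued in batches, brand lookalike names) are the inputs any such classifier works from. The following is an added example, not code from the page or from any national lab, of that feature layer: it hashes the DOM skeleton so that two clones with different text produce the same fingerprint, hashes header order plus Server / X-Powered-By values, clusters certificate issue times, and flags hostnames that carry a protected brand outside its own registered domain. All sample pages, headers, timestamps, brands and domains are constructed (the ".example" TLD is reserved for documentation).

```python
"""Structural fingerprinting of suspected clone sites: the feature layer a
detector such as the Discriminator described above consumes. Added example,
not code from the page or from any national system. All sample pages,
headers, timestamps, brands and domains are constructed."""
from __future__ import annotations

import hashlib
from datetime import datetime, timedelta, timezone
from html.parser import HTMLParser

VOID_TAGS = {"img", "link", "meta", "br", "hr", "input", "source"}
PROTECTED = {"ansa": "ansa.it", "governo": "governo.it"}  # constructed brand -> legit domain


class _Skeleton(HTMLParser):
    """Records depth-tagged element names and asset URLs, ignoring all text."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.assets: list[str] = []
        self._depth = 0

    def handle_starttag(self, tag, attrs):
        self.tags.append(f"{self._depth}:{tag}")
        a = dict(attrs)
        if tag in ("script", "img") and a.get("src"):
            self.assets.append(f"{tag}:{a['src']}")
        elif tag == "link" and a.get("href"):
            self.assets.append(f"link:{a['href']}")
        if tag not in VOID_TAGS:  # void elements have no end tag, so no depth change
            self._depth += 1

    def handle_startendtag(self, tag, attrs):  # self-closing "<div />"
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self._depth -= 1

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS:
            self._depth = max(0, self._depth - 1)


def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()[:16]


def structural_fingerprint(html: str) -> dict[str, str]:
    """Two hashes: DOM skeleton and asset load order. Text changes do not move them."""
    p = _Skeleton()
    p.feed(html)
    return {"dom": _h("|".join(p.tags)), "assets": _h("|".join(p.assets))}


def header_signature(headers: list[tuple[str, str]]) -> str:
    """Header-name order plus Server / X-Powered-By values; a cloning script
    tends to leave this identical across every site it deploys."""
    names = ",".join(k.lower() for k, _ in headers)
    values = ";".join(v for k, v in headers if k.lower() in ("server", "x-powered-by"))
    return _h(f"{names}#{values}")


def certificate_batches(not_before: dict[str, datetime], window: timedelta,
                        min_size: int) -> list[list[str]]:
    """Group domains whose certificates were issued within `window` of the first
    domain in the group; only groups of at least `min_size` are returned."""
    ordered = sorted(not_before, key=not_before.get)
    batches: list[list[str]] = []
    current: list[str] = []
    for domain in ordered:
        if current and not_before[domain] - not_before[current[0]] > window:
            if len(current) >= min_size:
                batches.append(current)
            current = []
        current.append(domain)
    if len(current) >= min_size:
        batches.append(current)
    return batches


def lookalike_brand(hostname: str) -> str | None:
    """Return the impersonated brand when a protected name appears as a label
    of a hostname that is not under the brand's own registered domain."""
    host = hostname.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in PROTECTED.values()):
        return None
    labels = host.replace("-", ".").split(".")
    for brand in PROTECTED:
        if brand in labels:
            return brand
    return None


# Constructed samples: two clones sharing a skeleton, one unrelated page.
CLONE_A = ("<html><head><link href='/t.css'><script src='/cl.js'></script></head>"
           "<body><div><h1>Title one</h1><p>text</p></div></body></html>")
CLONE_B = ("<html><head><link href='/t.css'><script src='/cl.js'></script></head>"
           "<body><div><h1>Another</h1><p>other text</p></div></body></html>")
GENUINE = ("<html><head><meta charset='utf-8'><link href='/site.css'></head>"
           "<body><header></header><main><article><p>x</p></article></main></body></html>")
CLONE_HEADERS = [("Server", "nginx/1.24.0"), ("Date", "Sat, 10 Jan 2026 08:00:00 GMT"),
                 ("Content-Type", "text/html")]
CERT_NOT_BEFORE = {  # constructed notBefore timestamps
    "ansa-it.security-verify.example": datetime(2026, 1, 9, 3, 0, tzinfo=timezone.utc),
    "governo-it.news-update.example": datetime(2026, 1, 9, 3, 2, tzinfo=timezone.utc),
    "notizie-oggi.example": datetime(2026, 1, 9, 3, 4, tzinfo=timezone.utc),
    "cronaca-italia.example": datetime(2026, 1, 9, 3, 7, tzinfo=timezone.utc),
    "unrelated-shop.example": datetime(2026, 1, 10, 11, 0, tzinfo=timezone.utc),
}
```

The point of truncating the hashes to 16 hex characters is only readability in reports; a production pipeline would keep the full digest and store the raw skeleton as well, so that near-duplicates (a clone with one extra tracking script) can be compared by edit distance rather than exact match.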

Operating Results and Strategic Impact (January 2026)

The integration of these technologies has radically changed the balance of power in the cyber domain. During 2025, Italy recorded:

  • Reduction in online time for new Doppelgänger sites by 94% .
  • Neutralized 88% of disinformation campaigns about the Mattei Plan before they could generate more than 500 organic views.
  • Identifying dormant TAEs (Threat Activity Enablers) within aurologic, allowing intelligence to monitor associated crypto financial flows (Chapter 9) before hostile activities begin.

Academic Perspectives: Towards Autonomous Defense

Future research is moving toward Federated GANs , where multiple G7 nations share training models without sharing sensitive raw data. This will create a collective shield against SDA, where a pattern identified in France (via VIGINUM ) is instantly learned and neutralized by Italian systems, rendering the Russian infrastructure globally obsolete in real time.

[Dashboard graphic: [SYSTEM_ANALYSIS]: GAN-DOPPELGÄNGER_PREDICTION. Panels: Predictive Detection Accuracy (Structural); MTTR (Mean Time To Remove), 2024-26 Evolution; TAE (Threat Activity Enablers) Identification; Preventive Blocking Rate (Pre-Activation). Key figures: 99.4%, IoC Prediction (SDA); -92%, IT Exposure Rate; 12ms, Inference Latency; ALPHA, System Readiness Level.]

Intellectual Property: National Cyber Defense Lab | Data Source: Recorded Future CTA-2025-1106 | January 10, 2026

AI USE PROSPECTS: FROM DEFENSE TO ACTIVE COUNTERMEASURES

The use of AI in 2026 extends to Automated Cyber-Diplomacy .

  • Attribution-as-a-Service: Forensic AI systems cross-reference Recorded Future data with Italian transit node logs to create real-time attribution reports. As of January 2026, Italy was able to correlate a DDoS attack from Aeza Group with crypto transactions on Cryptex in less than 10 minutes, providing immediate forensic evidence for EU sanctions.
  • Autonomous Response Orchestration (SOAR 2.0): Once a TAE (Threat Activity Enabler) is identified within aurologic, the Italian SOAR system autonomously initiates Rate Limiting protocols against that vendor, making the bounce attack technically impossible or too costly for the attacker to sustain.

SPECIFIC DATA AND IMPLICATIONS FOR ITALY (TARGETING 2026)

The combination of National Network Telemetry (ACN) and malicious infrastructure intelligence documented in Recorded Future ‘s CTA-2025-1106 report outlines an unprecedented hybrid threat landscape. The use of aurologic GmbH as a German infrastructure shield allows sanctioned actors and Threat Activity Enablers (TAEs) to launch targeted attacks against the pillars of Italian resilience.

Energy Vector: The Siege of the Mattei Plan and the “Low and Slow” Technique

The energy sector has become the primary target of Russian operations coordinated through the Aurologic Nexus. Technical data reveal surgical precision in targeting energy security infrastructure in the Mediterranean.

  • 62% Correlation: Backbone traffic analysis confirmed that the absolute majority of intrusion attempts into the SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control Systems) systems of Italian companies involved in the Mattei Plan are routed through Autonomous Systems (AS) controlled or transited by aurologic.
  • The “Low and Slow” Methodology: Unlike traditional volumetric attacks, this technique operates below the detection threshold of static firewalls.
    • Mechanism: Attackers emit reconnaissance packets and authentication attempts at extremely long intervals (often hours or days between attempts), simulating the behavior of natural network latency.
    • Objective: Prevent the activation of Intrusion Prevention protocols based on frequency thresholds.
    • AI Solution: Italy has implemented Continuous Behavioral Analysis (CBA), which uses Long Short-Term Memory (LSTM) models to correlate weak signals distributed over time. The AI identifies the network signature of the Social Design Agency (SDA) even when it is diluted across months of seemingly legitimate traffic.

Public Administration Sector: The Femo IT Case and Healthcare Exfiltration

Report CTA-2025-1106 identifies Femo IT Solutions Ltd as a high-confidence TAE operating on aurologic infrastructure. The implications for Italy were devastating in the second half of 2025.

  • The Stolen Data Hub: Femo IT has been mapped as the main storage and staging point for databases exfiltrated from 12 Italian Local Health Authorities (ASL). This data, which includes medical records and biometric data of millions of citizens, is not being sold on the Dark Web, but is being used to fuel Russian AI models dedicated to the psychometric manipulation of the Italian population.
  • Forensic Analysis: Network logs show massive data flows leaving healthcare perimeters to Femo IT IPs between 2:00 AM and 4:00 AM CET, using encrypted protocols that mimic standard cloud backup traffic.
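The two detection problems described in this section, "low and slow" authentication attempts that stay under per-minute thresholds and night-time exfiltration dressed up as backup traffic, both come down to correlating over a longer window than a signature rule uses. The following is an added example, not code from the page or from ACN; it replaces the LSTM named above with explicit sliding windows so the logic is inspectable. It shows a per-minute rate rule missing the slow source while a seven-day per-source rule catches it, and sums outbound bytes per destination in the night window, exempting only the known backup target. All log lines, addresses, users and thresholds are constructed (RFC 5737 documentation addresses).

```python
"""Long-window behavioural correlation, an added example standing in for the
LSTM-based Continuous Behavioral Analysis described above. All log lines,
addresses, accounts and thresholds are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_RE = re.compile(r"^(?P<ts>\S+) auth_fail src=(?P<src>\S+) user=(?P<user>\S+)$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) flow_out dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _auth_events(lines):
    """Group (timestamp, user) failures per source, sorted by time."""
    by_src = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            by_src[m["src"]].append((_ts(m["ts"]), m["user"]))
    for evs in by_src.values():
        evs.sort()
    return by_src


def rate_threshold_alerts(lines, max_per_minute: int = 5) -> list[str]:
    """Classic IPS rule: more than `max_per_minute` failures from one source in 60 s."""
    hits = []
    for src, evs in _auth_events(lines).items():
        for i, (t0, _) in enumerate(evs):
            n = sum(1 for t, _ in evs[i:] if t - t0 <= timedelta(seconds=60))
            if n > max_per_minute:
                hits.append(src)
                break
    return sorted(hits)


def slow_attack_alerts(lines, window: timedelta = timedelta(days=7),
                       min_failures: int = 6, min_users: int = 3) -> list[str]:
    """Low-and-slow rule: within a multi-day window one source accumulates many
    failures spread over many distinct accounts, however sparse in time."""
    hits = []
    for src, evs in _auth_events(lines).items():
        for i, (t0, _) in enumerate(evs):
            in_win = [(t, u) for t, u in evs[i:] if t - t0 <= window]
            if len(in_win) >= min_failures and len({u for _, u in in_win}) >= min_users:
                hits.append(src)
                break
    return sorted(hits)


def off_hours_exfil_alerts(lines, known_backup: frozenset[str], start_hour: int = 2,
                           end_hour: int = 4, threshold_bytes: int = 500_000_000) -> list[str]:
    """Sum outbound bytes per destination between start_hour and end_hour (log
    timezone); flag destinations outside the backup allow-list above the threshold."""
    total = defaultdict(int)
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        t = _ts(m["ts"])
        if start_hour <= t.hour < end_hour and m["dst"] not in known_backup:
            total[m["dst"]] += int(m["bytes"])
    return sorted(d for d, b in total.items() if b > threshold_bytes)


SAMPLE_AUTH = (
    # constructed: one failure about every eight hours over three days, each against a different account
    [f"2026-01-{8 + (i * 8) // 24:02d}T{(1 + i * 8) % 24:02d}:00:00Z "
     f"auth_fail src=203.0.113.7 user=user{i:02d}" for i in range(9)]
    # constructed: a noisy burst, eight failures in 35 seconds against one account
    + [f"2026-01-09T12:00:{5 * i:02d}Z auth_fail src=198.51.100.9 user=admin" for i in range(8)]
    # constructed: an ordinary user mistyping a password twice
    + ["2026-01-09T10:15:00Z auth_fail src=192.0.2.10 user=mario",
       "2026-01-09T10:15:20Z auth_fail src=192.0.2.10 user=mario"]
)
SAMPLE_FLOWS = [  # constructed outbound flow records
    "2026-01-10T02:15:00Z flow_out dst=203.0.113.50 bytes=300000000",
    "2026-01-10T02:45:00Z flow_out dst=203.0.113.50 bytes=300000000",
    "2026-01-10T03:30:00Z flow_out dst=203.0.113.50 bytes=300000000",
    "2026-01-10T02:30:00Z flow_out dst=backup.example bytes=900000000",  # known backup target
    "2026-01-10T14:00:00Z flow_out dst=203.0.113.60 bytes=900000000",   # daytime, outside window
]
KNOWN_BACKUP = frozenset({"backup.example"})
```

The two authentication rules are complementary rather than redundant: the burst source trips the rate rule but not the slow rule (one account only), and the slow source trips only the slow rule. A real deployment would also join the exfiltration hits against the destination's ASN so that a burst to a network behind a flagged upstream ranks above one to an unknown CDN.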

2026 Outlook: Private Set Intersection (PSI) and Privacy Protection

To counter the use of “Safe Haven” providers as repositories of stolen data, the Italian TRS-2026 strategy introduces the use of Private Set Intersection (PSI) , a secure multiparty computation (MPC) technique.

  • Scanning Without Violation: The PSI protocol allows Italian authorities to scan the metadata of files stored on TAE networks (such as those of Aeza or Femo IT ) to verify whether they match the hashes of data stolen in Italy, without having to physically access the contents of the files hosted on German servers.
  • International Legitimacy: This technology resolves the legal impasse between data recovery requirements and compliance with foreign jurisdictions, allowing Italy to present irrefutable evidence of “possession of stolen data” to force legal takedowns with German authorities or Europol.
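The exchange the PSI approach above relies on, as an added example that is not code from the page or from any agency: a two-party Diffie-Hellman PSI in which the authority holds hashes of records stolen in Italy, the host holds hashes of the files it stores, and only the authority learns which hashes appear on both sides. Each party sees the other's items only in blinded form (raised to a secret exponent), which is what lets the check run without access to file contents. The modulus is the Mersenne prime 2^521 - 1, an assumption chosen because it can be written in one expression rather than for security (its group order has small factors); a deployment would use a standard group such as RFC 3526 group 14 or an elliptic curve, and would shuffle messages to hide positions. All record contents are constructed.

```python
"""Two-party Diffie-Hellman private set intersection (DH-PSI). Added example,
not code from the page or from any agency. Toy modulus: the Mersenne prime
2^521 - 1, chosen for brevity, not security. Record contents are constructed."""
import hashlib
import math
import secrets

P = (1 << 521) - 1  # Mersenne prime M521; toy modulus, see comment above


def record_hash(record: bytes) -> str:
    """What the parties actually compare: a SHA-256 of the record, never the record."""
    return hashlib.sha256(record).hexdigest()


def _hash_to_group(item: str) -> int:
    """Map an item to an element of Z_p^* (random-oracle style) via SHA-512."""
    h = int.from_bytes(hashlib.sha512(item.encode()).digest(), "big")
    return h % (P - 2) + 2  # in [2, P-1], never 0 or 1


def _random_exponent() -> int:
    """Exponent coprime to p-1, so x -> x^k mod p is a bijection (no collisions)."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k


class Party:
    def __init__(self, items):
        self.items = list(items)
        self._k = _random_exponent()  # never leaves the party

    def blinded(self) -> list:
        """Round 1 message: H(x)^k mod p for each own item."""
        return [pow(_hash_to_group(x), self._k, P) for x in self.items]

    def double_blind(self, peer_message: list) -> list:
        """Round 2: raise the peer's blinded values to own k, giving H(y)^(k_peer * k_self)."""
        return [pow(v, self._k, P) for v in peer_message]

    def intersection(self, own_double_blinded: list, peer_double_blinded: list) -> list:
        """own_double_blinded: this party's round-1 list after the peer raised it
        (same order as self.items); peer_double_blinded: the peer's round-1 list
        raised by this party. Equal exponent products mean equal items."""
        peer_set = set(peer_double_blinded)
        return sorted(x for x, v in zip(self.items, own_double_blinded) if v in peer_set)


def run_psi(authority_items, host_items) -> list:
    """Drive the exchange; only the authority computes the intersection."""
    authority, host = Party(authority_items), Party(host_items)
    a1 = authority.blinded()         # authority -> host
    h1 = host.blinded()              # host -> authority
    a2 = host.double_blind(a1)       # host -> authority
    h2 = authority.double_blind(h1)  # computed by the authority locally
    return authority.intersection(a2, h2)


# Constructed records: three "stolen in Italy", three "stored on the host", two shared.
STOLEN = [record_hash(r) for r in (b"patient:0001;dob:1970-01-01",
                                   b"patient:0002;dob:1981-05-05",
                                   b"patient:0003;dob:1992-09-09")]
HOSTED = [record_hash(r) for r in (b"patient:0002;dob:1981-05-05",
                                   b"patient:0003;dob:1992-09-09",
                                   b"invoice:9999")]

if __name__ == "__main__":
    print("shared record hashes:", run_psi(STOLEN, HOSTED))
```

Two properties worth noting for the legal argument the section makes: the host never sends its file hashes in the clear, only blinded values, and the authority learns nothing about hosted files outside the intersection, because without the host's exponent it cannot recognise any of the non-matching values. The secrecy of the exponents is what carries that argument; hashing alone, without the blinding step, would let either party dictionary-test the other's list.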

Economic and Financial Impact: The Sanctioned Crypto Nexus

The targeting is not limited to data, but extends to the ability to circumvent Italian economic sanctions.

  • Cryptex & Aeza: As documented by Recorded Future , the integration between the sanctioned payment processor Cryptex and the Aeza Group hosting via aurologic allows for the covert financing of hacktivist cells active on Italian soil.
  • Counter-Financing of Terrorism (CFT): The national AI now tracks the “fingerprints” of blockchain transactions that pay for aurologic’s upstream bandwidth, identifying Russian wallets financing attacks on Italy’s critical infrastructure.

[Dashboard graphic: Technical Report IT-2026, Infrastructure Targeting. Panels: Origin of Energy System Attacks (2025-26); Exfiltrated PA Data Storage (TAE Clusters); AI Efficiency: Behavioral vs Signature Analysis; Nexus Provider Reputation: aurologic GmbH. Key figures: 62%, Threats via aurologic; 12 LHA, Identified Targets (Femo IT); PSI-26, Active Scanning Protocol; High, Risk Level: Critical Infrastructure.]

Forensic Analysis Based on Recorded Future Report CTA-2025-1106 and ACN Telemetry | Updated: January 10, 2026

TOWARDS A NEW MODEL OF RESPONSIBILITY

The Insikt Group report confirms the failure of the “Provider Neutrality” model. The academic and strategic outlook for 2026 requires that:

  • Infrastructure is Politics: The choice of a German provider to host sanctioned entities like Aeza is not a technical issue, but a national security vulnerability for Italy.
  • Digital Sovereignty via AI: Only defense automation can match Russia’s automated attack. The creation of an AI-centric National Security Operations Center (SOC) is the top priority for the 2026-2029 period.

[Dashboard graphic: Strategic Analysis TRS-2026, AI Defense Paradigm. Panels: Threat Detection Effectiveness (Latency reduction); Sectoral IT Vulnerability (Via aurologic Nexus); Interdiction Technology Maturity (2024-2026); Analytical Attribution Confidence (Insikt Group Data). Key figures: 860ms, AI Reaction Time (Tier-1); 62%, Mattei Plan Attacks via TAE; High, Analytical Confidence (CTI); Active, National Interdiction Protocol.]

Official TRS-2026 Documentation | Primary Source: Recorded Future CTA-2025-1106 | Processing: National Cyber Security Lab | January 2026

Resilience Protocols – Enforcing the Digital Services Act (DSA) and the ACN’s Role in Protecting Cognitive Sovereignty

As of January 10, 2026 , Italy’s defense against Russia’s hybrid offensive entered a phase of Systemic Interdiction . While previous chapters analyzed the attack mechanisms, from SDA botnets to Doppelgänger networks , this final chapter of the report examines the architecture of the national and European response. Protecting cognitive sovereignty no longer relies solely on debunking, but on the rigorous application of advanced legislative and technical protocols, with the Digital Services Act (DSA) and the National Cybersecurity Agency (ACN) serving as operational linchpins.

Italy’s 2026 strategy is based on the principle of “Proactive Resilience ,” which aims to make the cost of disinformation operations greater than the benefits expected by the Kremlin.

THE DIGITAL SERVICES ACT (DSA) AS AN ACTIVE DEFENSE WEAPON

The fully operational Digital Services Act has transformed the way social media platforms (Meta, X, TikTok, Google) must respond to state manipulation.

  • Responsibility of VLOPs (Very Large Online Platforms): Platforms are now legally required to identify and mitigate “systemic risks” to democratic debate. On January 10, 2026 , the Italian Government, through AGCOM ( as Digital Services Coordinator), imposed rapid response protocols that oblige social media to remove clusters of coordinated accounts (botnets grouped under the aegis of SDA or Unit 54777 ) within 12 hours of an intelligence report.
  • Algorithmic Audits: The DSA allows Italian authorities to access platforms’ datasets to verify whether recommendation algorithms are unintentionally favoring the spread of Doppelgänger content .
  • Deterrent Fines: Fines of up to 6% of global revenue have forced Big Tech to invest heavily in Italian-language moderation teams, drastically reducing the online time of “Pravda-IT” sites. Tackling Disinformation: Digital Services Act Compliance – European Commission – December 2024

ACN’s Role: Perimeter Defense and Technical Intelligence

The National Cybersecurity Agency (ACN) serves as the technical command center for the neutralization of Russian evasion infrastructure.

A. National DNS Shield and Automated Blacklisting

To counter Structura National Technologies ‘ domain generation algorithms ( DGA ) , ACN has implemented a Threat Intelligence system shared with Italian ISPs (Internet Service Providers) .

  • Mechanics: When a new domain cloning ANSA or the Italian Government is detected, the information is instantly propagated to all national DNS nodes, making the site inaccessible from Italian territory before it can even go viral.
  • Technical Feedback: In Q4 2025 alone, this system neutralized over 850 malicious domains before they reached 1000 views.
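The resolver-side form such a DNS shield entry typically takes is a Response Policy Zone (RPZ) record, which makes a name unresolvable for every client of a participating resolver. The following is an added example, not ACN's actual mechanism or code from the page: it builds an RPZ fragment from a list of detected clone domains, validating hostname syntax, refusing to block protected legitimate domains and their subdomains (the failure mode that would turn the shield into a self-inflicted outage), de-duplicating, and emitting an exact-name record plus a wildcard so subdomains are caught too. The zone origin, allow-list and domains are constructed.

```python
"""DNS Response Policy Zone (RPZ) fragment from detected clone domains. Added
example, not ACN's mechanism. Zone origin, allow-list and domains are constructed."""
import re

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
ALLOWLIST = ("ansa.it", "governo.it")  # constructed: never block these or their subdomains


def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def valid_hostname(name: str) -> bool:
    """RFC 1123 hostname shape: 2+ labels, each 1-63 chars, no leading/trailing hyphen."""
    labels = name.split(".")
    return 0 < len(name) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)


def is_protected(name: str) -> bool:
    return any(name == a or name.endswith("." + a) for a in ALLOWLIST)


def rpz_records(domains, action: str = "CNAME ."):
    """Return (records, rejected). 'CNAME .' is the RPZ action meaning NXDOMAIN;
    each accepted name gets an exact record and a wildcard for its subdomains."""
    records, rejected, seen = [], [], set()
    for raw in domains:
        name = normalize(raw)
        if name in seen:
            continue
        seen.add(name)
        if not valid_hostname(name):
            rejected.append((raw, "invalid hostname"))
        elif is_protected(name):
            rejected.append((raw, "protected domain"))
        else:
            records.append(f"{name} {action}")
            records.append(f"*.{name} {action}")
    return records, rejected


def render_zone(domains, serial: int, origin: str = "rpz.shield.example.") -> str:
    """Assemble a minimal BIND-style RPZ zone with a 60 s TTL so updates propagate fast."""
    records, _ = rpz_records(domains)
    head = [
        f"$ORIGIN {origin}",
        "$TTL 60",
        f"@ SOA localhost. hostmaster.{origin} {serial} 3600 600 604800 60",
        "@ NS localhost.",
    ]
    return "\n".join(head + records) + "\n"


SAMPLE_DETECTED = [  # constructed detector output
    "ansa-it.security-verify.example",   # clone domain
    "ANSA-IT.security-verify.example.",  # same name, different case and trailing dot
    "governo-it.news-update.example",
    "www.ansa.it",                        # legitimate, must never be blocked
    "bad_domain",                         # invalid: underscore, single label
]

if __name__ == "__main__":
    print(render_zone(SAMPLE_DETECTED, serial=2026011001))
```

The rejected list is as important as the records: a predictive blocklist generated every 24 hours will occasionally contain a legitimate name, and logging why an entry was refused is what makes the allow-list auditable.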

B. Cognitive Supply Chain Protection

ACN works closely with national news organizations to implement the Content Provenance and Authenticity ( C2PA ) protocol.

  • Certification of Truth: Every image and video produced by official Italian news agencies receives a “cryptographic watermark” certifying its origin. This allows citizens to instantly distinguish a real video from a Russian deepfake using browser plugins or social media verifiers.

THE “MATTEI PLAN” FOR CYBER SECURITY

Italian resilience extends beyond national borders, hitting Russian projection hubs in Africa (Chapter 4).

  • Capacity Building in North Africa: Italy is providing cyber equipment and training to partners in Algeria , Tunisia , and Libya (Tripoli) . The goal is to create a “digital wall” in the Mediterranean to prevent the Africa Corps from using African infrastructure as bases for cyber-psy attacks against Italy.
  • Crypto Flow Monitoring: In coordination with the Guardia di Finanza and the OAM , the ACN has strengthened the tracking of USDT wallets used to finance disinformation in the Maghreb, targeting the economic logistics of Ilya Gambashidze and his proxies.

CONCLUSIONS AND STRATEGIC POSTURE 2026

At the end of this detailed analysis, it emerges that the victory against the Russian hybrid threat is not definitive, but dynamic.

  • The End of Naivety: Italy has understood that information is a war-torn domain. The creation of a “Digital Civil Defense ,” which includes media education for citizens and the technological robustness of public administrations, is now a national security priority.
  • G7 Integration: Under the Italian Presidency, the G7 adopted the “Collective Attribution” protocol , whereby any Russian disinformation attack against a member is responded to with coordinated economic and diplomatic sanctions by all partners, depriving Moscow of the ability to strike individual states in isolation. Report on Information Security Policy – ​​Year 2024 – Security Information System of the Republic – March 2025

[Dashboard graphic: Resilience Protocols, The IT Defense Architecture. Panels: Average Botnet Removal Time (DSA Compliance); Doppelgänger Domain Takedowns via ACN; Content Certification Adoption (National Media); Critical Infrastructure Resilience Index (0-100). Key figures: < 12h, Hostile Content Removal Target; 85%, National DNS Shield Effectiveness; G7-26, Collective Attribution Protocol; Active, Cognitive Sovereignty Defense Status.]

Final TRS-2026 Report Analysis | Certified Data: AGCOM / ACN / EU Commission | January 2026

APPENDIX – Detailed Report on aurologic GmbH: A Hub for Malicious Infrastructure in the Context of EU and Global Sanctions

Recorded Future’s ” Malicious Infrastructure Finds Stability with aurologic GmbH,” published on November 6, 2025, analyzes aurologic GmbH as a German hosting provider that serves as a central hub for high-risk infrastructure associated with cybercrime, disinformation, and other malicious activities. The report highlights how aurologic, while primarily serving legitimate clients, provides upstream connectivity to numerous “Threat Activity Enablers” (TAEs), entities that facilitate illicit activity. The paper also discusses the debate between legal neutrality and operational negligence in the hosting industry.

As of January 10, 2026, Aurologic remains operational, as confirmed by its status website (all systems are “Operational” with 100% uptime for the past 30 days). There is no evidence of new specific sanctions against Aurologic in 2026, but related entities (e.g., Aeza) continue to be sanctioned, and recent reports (e.g., on Netshield) mention German upstream providers in similar situations. General sanctions in 2026 affected 70 legal entities and 95 individuals for various reasons, but without direct links to Aurologic.

Explanation of Appendix A: Active Networks Linked to aurologic

Appendix A (page 36 of the PDF) is a table listing the active networks connected to aurologic GmbH. This appendix provides a snapshot of the Autonomous System Numbers (ASNs) receiving upstream connectivity from aurologic, many of which are identified as TAEs or high-risk entities. Their meaning is as follows:

  • Purpose of the Appendix : Documents “active” networks (as of 2025) that rely on aurologic for routing and internet connectivity. These are not necessarily malicious per se, but the report classifies them as “high-risk” based on patterns of abuse (e.g., malware hosting, botnets, or disinformation campaigns). It serves to illustrate how aurologic is a common “nexus” for these networks, facilitating their resilience despite sanctions or reports of abuse.
  • Table Structure :
    • ASN : Unique network identifier (e.g. AS210644).
    • Organization : Name of the entity operating the ASN (e.g. Aeza International Ltd).
    • Country : Country of registration or primary operation (e.g. GB for United Kingdom).
  • Data Analysis :
    • The table includes 22 entries, with a varied geographical distribution (GB: 11, DE: 3, US: 3, RU: 1, UA: 1, HK: 1, IT: 1).
    • Many organizations are UK-based but with Russian or offshore ties, a common pattern to avoid regulation.
    • Key examples:
      • AS210644 (Aeza International Ltd, UK) : Sanctioned by the US and UK for supporting ransomware and disinformation. Aurologic continues to provide upstream services despite the sanctions.
      • AS214943 (Railnet LLC, US): Hosting for malware (e.g. DarkComet, Lumma) and bulletproof services such as Virtualine.
      • AS42624 (Global-Data System IT Corporation, CH): High volume of malware (e.g. Cobalt Strike, QuasarRAT).
      • AS214351 (Femo IT Solutions Limited, GB): Linked to Defhost, with C2 for Cobalt Strike and stealers.
    • Observed Patterns : Many ASNs are downstream of aurologic, meaning they use its infrastructure for global routing. This makes aurologic a critical point: interrupting upstream service could disable these networks. Many entities use virtual addresses (e.g., 71-75 Covent Garden, London) to obscure operations.
  • Implications : The appendix highlights how aurologic enables TAEs through legal neutrality, but with operational negligence. As of 2026, these networks appear to still be active, with no significant changes based on web searches.

Summary

aurologic GmbH, formed in 2023 from the transition of Combahton GmbH, is a German provider with a multi-terabit backbone in Europe. It operates primarily from Tornado Datacenter in Langen, Germany, offering hosting, colocation, IP transit, and DDoS protection. Despite its legitimate focus, it has become a hub for TAEs, providing upstream services to high-risk networks such as Aeza, Femo, Global-Data, and Railnet. The report highlights factors such as self-declared neutrality, continuity of sanctioned entities, and perceived low regulatory risk in Europe. This exemplifies the gap between legal neutrality and operational accountability, allowing abuse to persist.

As of 2026, Aurologic is operational, with no new direct sanctions, but related entities remain under scrutiny.

Key Facts

  • aurologic is a central nexus of the high-risk hosting ecosystem and a common upstream for TAEs.
  • It continues to serve sanctioned and abuse-heavy networks, prioritizing legal compliance over risk avoidance.
  • Its reactive approach to abuse handling highlights the systemic gap between neutrality and accountability.

Background

aurologic GmbH (AS30823) emerged in October 2023 from Combahton’s fastpipe.io. CEO Joseph Hofmann also leads Tornado Datacenter. Market: European high-capacity carrier. Cited in reports (e.g., Qurium on Doppelgänger) for supporting Russia-linked infrastructure. Defends relationships (e.g., with Aeza) by emphasizing low abuse and German compliance. Routing confirms continued upstream to Aeza International (AS210644).

Threat Analysis

Infrastructure and routing

Aurologic has a footprint in Germany, Finland, and the Netherlands, anchored in hubs like Langen and Amsterdam. It attracts high-risk providers due to its stable connectivity and perceived permissiveness.

Threat Activity Enablers (TAEs)

  • Aeza Group (AS210644, UK): Founded 2021, fined in the US/UK for ransomware (BianLian) and stealers. Co-founders arrested in 2025 for BlackSprut. Continues operations by reallocating assets (e.g., Smart Digital Ideas, Hypercore). ~50% routed via Aurologic.
  • Femo IT Solutions Limited (AS214351, GB): High malicious density; hosts C2 for Cobalt Strike and stealers. Linked to Defhost. Routed exclusively via aurologic.
  • Global-Data System IT Corporation (AS42624, CH): Emerged in 2024; among the most malicious. Hosts malware (Sliver, Dark Crystal). Linked to PrivateAlps. Fully routed via aurologic.
  • Metaspinner net GmbH (AS209800, DE): Impersonation; hosts loaders and stealers. Reallocated to Lanedo (linked to Railnet). Routed via aurologic.
  • VSVK Onderhoud BV (AS213511, NL): Impersonation; related to Railnet. No longer active.
  • Proxio: Proxy service linked to Virtualine; advertised on the dark web.
  • Anti-Red Hosting: Bulletproof hosting; linked to Virtualine.
  • Lanedo GmbH: Impersonation; hosts C2 after metaspinner. Routed via Railnet/aurologic.
  • Railnet LLC (AS214943, US): High abuse; hosts more than 30 malware families. Enables Virtualine, DripHosting, RetryHost. 95% routed via aurologic.

The thin line between neutrality and negligence

Aurologic advocates neutrality, intervening only on legal notice. Anecdotal evidence (forum) shows no response to abuse. Legal frameworks (DSA, DDG) allow for inaction without actual knowledge. This enables TAEs; negligence vs. complicity is blurred.

Mitigations

  • Use Recorded Future to blocklist malicious IPs/ASNs.
  • Block traffic from the ASNs in the report unless there is a documented business need.
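The two mitigation bullets above, as an added example that is not part of the original report or of any vendor tool: a small Python triage routine that blocks flows to ASNs taken from Appendix A of this page unless the ASN carries a reviewed business-need exception. The per-flow ASN attribution (assumed to come from an upstream flow collector) and the sample flows are assumptions constructed here.

```python
from collections import Counter
from dataclasses import dataclass

# ASN -> organisation, copied from Appendix A of the report summary (subset).
HIGH_RISK_ASNS = {
    210644: "Aeza International Ltd",
    214943: "Railnet LLC",
    42624: "Global-Data System IT Corporation",
    214351: "Femo IT Solutions Limited",
    49418: "Netshield Ltd",
}

@dataclass(frozen=True)
class Flow:
    """One enriched flow record; dst_asn is assumed to be attached by an upstream
    collector that maps destination prefixes to origin ASNs (assumption)."""
    src_ip: str
    dst_ip: str
    dst_asn: int
    dst_port: int

def verdict(flow, allowlist=frozenset()):
    """Return ("allow", None), ("allow-exception", org) or ("block", org).
    allowlist holds listed ASNs with a documented business need."""
    org = HIGH_RISK_ASNS.get(flow.dst_asn)
    if org is None:
        return ("allow", None)
    if flow.dst_asn in allowlist:
        return ("allow-exception", org)
    return ("block", org)

def triage(flows, allowlist=frozenset()):
    """Apply verdict() to each flow; return per-verdict counts and block alerts.
    Exceptions are counted separately so they stay visible for review."""
    counts, alerts = Counter(), []
    for f in flows:
        action, org = verdict(f, allowlist)
        counts[action] += 1
        if action == "block":
            alerts.append(f"{f.src_ip} -> {f.dst_ip}:{f.dst_port} AS{f.dst_asn} ({org})")
    return dict(counts), alerts

# Constructed sample flows: documentation IP ranges, and the reserved
# documentation ASN 64496 stands in for an ordinary, unlisted destination.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 210644, 443),    # Aeza: block
    Flow("10.0.0.7", "198.51.100.20", 64496, 443),  # unlisted: allow
    Flow("10.0.0.9", "192.0.2.30", 214943, 8080),   # Railnet: block unless excepted
    Flow("10.0.0.5", "192.0.2.40", 49418, 443),     # Netshield: block
]
```

Feeding `triage(SAMPLE_FLOWS, allowlist=frozenset({214943}))` yields two block alerts, one ordinary allow and one counted exception; the exception count is what a reviewer would periodically re-justify.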

Appendix A: Active Networks Linked to aurologic

| ASN | Organization | Country |
|---|---|---|
| AS210644 | Aeza International Ltd | GB |
| AS214943 | Railnet LLC | US |
| AS42624 | Global-Data System IT Corporation (SWISSNET 02) | CH |
| AS214351 | Femo IT Solutions Limited | GB |
| AS213887 | WAIcore Ltd | GB |
| AS215730 | H2NEXUS Ltd | GB |
| AS214196 | Vladyslav Naumets (PrivateNetwork.ltd) | DO |
| AS51396 | Pfcloud UG | OF |
| AS210369 | MXCLOUD Ltd (downstream of WAIcore) | GB |
| AS198134 | OOO Getwifi | RU |
| AS56971 | CGI Global Limited | HK |
| AS48314 | IP-Projects GmbH & Co. KG. | OF |
| AS14956 | Routerhosting LLC (Cloudzy) | US |
| AS211138 | Private-Hosting di Cipriano oscar (used by Hydra Hosting and Private Hosting) | IT |
| AS49418 | Netshield Ltd | GB |
| AS215826 | Partner Hosting LTD (downstream of WAIcore) | GB |
| AS215590 | DpkgSoft International Limited | GB |
| AS215540 | Global Connectivity Solutions LLP | GB |
| AS213441 | Slayer Group Limited | GB |
| AS215703 | Alexandru Vlad trading as Freakhosting | GB |
| AS206996 | ZAP-Hosting Gmbh & Co. KG. | OF |
| AS401120 | cheapy.host LLC (downstream of SOVYCLOUD) | US |

Appendix B: Top Fifteen ASes Observed Announcing DDoSia Tier 1 IP Address Space

| ASN | Name | Percentage |
|---|---|---|
| AS399629 | BL Networks | 8% |
| AS210644 | Aeza International Ltd | 7.5% |
| AS215540 | Global Connectivity Solutions LLP | 6% |
| AS56971 | CGI Global Limited | 5% |
| AS400992 | ZhouyiSat Comms | 5% |
| AS199058 | Serva One Ltd | 4% |
| AS39798 | MivoCloud SRL | 4% |
| AS42624 | Global-Data System IT Corporation | 4% |
| AS215311 | Regxa Company for Information Technology Ltd | 3% |
| AS62005 | Blue VPS OU | 3% |
| AS9009 | M247 Europe SRL | 3% |
| AS50053 | Individual Entrepreneur Anton Levin | 2.5% |
| AS51395 | Datasource AG | 2.5% |
| AS198983 | Joseph Hofmann trading as ‘Tornado Datacenter GmbH & Co. KG’ | 2% |
| AS199785 | Cloud Hosting Solutions Limited | 2% |

Appendix C: Organizations that List Turkish LIR MGN Teknoloji Anonim Sirketi as Maintainer

| ASN | Organization | Website | Country | Creation Date |
|---|---|---|---|---|
| AS216045 | HASAN YAVUZ | evozcdn[.]com | TU | 2025-08-27 |
| AS209800 | metaspinner net GmbH | metaspinner[.]net | OF | 2025-04-25 |
| AS207625 | Netta Web Solutions Ltd | nettacompany[.]com | GB | 2025-06-02 |
| AS207267 | Ibrahim Poyrazoglu | birsunucum[.]com | TU | 2025-06-06 |
| AS209317 | Samet Girginer | serverhere[.]com | TU | 2025-09-18 |
| N/A | Lanedo GmbH | lanedo[.]net | OF | 2025-10-13 |
| N/A | Lanedo Datacenter | lanedo[.]net | NL | 2025-10-16 |

Updates to 2026

No major changes; monitor for developments in EU regulations on hosting abuse.

Aurologic is still active and not directly sanctioned. Its status website indicates 100% operational systems.

Recent articles (e.g., DecodeCyberCrime, 3 days ago) mention similar entities (Netshield) tied to sanctioned Russian networks with German upstream, suggesting persistent patterns.

General sanctions in 2026 (e.g. January 3) affected 70 entities, but without mention of Aurologic.


Copyright of debuglies.com