Threat Weather Report Apr 28: 243 Tor Relays Staged, .top Cluster Forming
- Patrick Duggan
- 2 minutes ago
- 5 min read
# Threat Weather Report, April 28, 2026: Storm Staging Off Thirteen Coasts
It's a CRITICAL day on the PreCog board. Five of eleven precursor signals are elevated. The dominant pattern is staging — anonymization layer being assembled, criminal infrastructure being burned and replaced, attack-side domains clustering in deliberate TLDs, and high-volume intelligence collectors going silent. This is the picture the radar shows when something is being set up, not when it's already executing.
We deployed two new precursor signals to the dashboard today. One of them fired against live data within the same hour. Here is the weather.
## Conditions
PreCog V2 is currently tracking eleven independent precursor signals. Each one looks at a different surface — Tor relay deployment patterns, IOC ingestion velocity, MITRE technique escalation, supply chain staging, cross-index threat convergence, exotic-TLD campaign assembly, and so on. The composite threat level is computed from the maximum signal score and the count of elevated signals.
Right now: composite threat level CRITICAL, score 0.90. Driver: the Tor signal alone hit 0.90, with four other signals also elevated.
## The Front
The dominant feature is a Tor relay mass-deployment event. Two hundred forty-three new relays staged across thirteen autonomous systems in the last forty-eight hours. The infrastructure is distributed across Germany, the Netherlands, the United States, Sweden, Austria, Switzerland, Finland, Spain, France, the UK, Canada, Italy, Poland, and Luxembourg.
The cluster is not random. Multiple ASNs in the deployment carry names that telegraph their function: 1st Amendment Encrypted Openness LLC, Church of Cyberology, Foundation for Applied Privacy, Foreningen for Digitala Fri- och Rättigheter, Stiftung Erneuerbare Freiheit. These are operators who position themselves as anonymity-friendly hosting. The single largest contribution by relay count is OVH SAS at thirty-eight; the single largest by bandwidth is Church of Cyberology at one point one gigabits per second.
Total bandwidth across the staged set: roughly six and a half gigabits per second. That is not organic relay growth. That is a coordinated capacity bring-up. One caveat on the figure: a relay the bandwidth authorities have not yet measured advertises its own bandwidth in its descriptor, so the capacity of a forty-eight-hour-old cluster is the operators' claim until measurements land.
Our PreCog V2 detector treats this signature — five or more new relays from the same ASN within forty-eight hours, minimum bandwidth threshold met — as a mass deployment indicator. The lead-time band on this signal is twelve to seventy-two hours before downstream campaign activity. Translated: anonymization layer being assembled, expect campaign-side traffic in days, not weeks.
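The rule described above, written out as an added example (this is not PreCog code). Record shape follows the Onionoo "details" document (`fingerprint`, `as`, `as_name`, `first_seen`, `advertised_bandwidth`); the relay records are constructed, the 50 MB/s bandwidth floor and the `tor_signal_score` formula are assumptions, and AS16276 is OVH's real ASN while the AS645xx numbers come from the documentation range.

```python
"""Tor relay mass-deployment detector.

Added example, not PreCog code. Record shape follows the Onionoo
"details" document (fingerprint, as, as_name, first_seen,
advertised_bandwidth); the relay records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Rule quoted in the text: five or more new relays from one ASN inside
# 48 hours, with a minimum bandwidth threshold met. The bandwidth floor
# (50 MB/s summed across the ASN's new relays) is an assumed value.
MIN_RELAYS_PER_ASN = 5
WINDOW = timedelta(hours=48)
MIN_ASN_BANDWIDTH = 50_000_000  # bytes/s, the unit Onionoo reports


def parse_ts(s):
    """Onionoo timestamps are 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def mass_deployment_clusters(relays, now, min_relays=MIN_RELAYS_PER_ASN,
                             window=WINDOW, min_bw=MIN_ASN_BANDWIDTH):
    """Return ASNs whose relays first seen inside `window` meet both the
    count floor and the bandwidth floor, largest cluster first.

    Caveat: advertised_bandwidth is self-reported in the relay descriptor
    until the bandwidth authorities measure the relay, so a fresh cluster's
    capacity figure is a claim, not a measurement.
    """
    cutoff = now - window
    by_asn = defaultdict(list)
    for r in relays:
        if parse_ts(r["first_seen"]) >= cutoff:
            by_asn[r["as"]].append(r)
    clusters = []
    for asn, rs in by_asn.items():
        bw = sum(r["advertised_bandwidth"] for r in rs)
        if len(rs) >= min_relays and bw >= min_bw:
            clusters.append({"as": asn, "as_name": rs[0]["as_name"],
                             "relays": len(rs), "bandwidth_bps": bw})
    return sorted(clusters, key=lambda c: (-c["relays"], c["as"]))


def tor_signal_score(clusters):
    """Assumed scoring, not PreCog's formula: 0.6 for the first qualifying
    ASN, +0.1 per additional ASN, capped at 1.0; 0.0 when nothing fires."""
    if not clusters:
        return 0.0
    return round(min(1.0, 0.6 + 0.1 * (len(clusters) - 1)), 2)


def sample_relays():
    """Constructed relay records (AS16276 is OVH's real ASN; the AS645xx
    numbers are from the documentation range and map to no real network)."""
    rows = []

    def add(count, asn, name, first_seen, bw):
        for i in range(count):
            rows.append({"fingerprint": f"{asn}-{i:02d}", "as": asn,
                         "as_name": name, "first_seen": first_seen,
                         "advertised_bandwidth": bw})

    add(6, "AS16276", "OVH SAS", "2026-04-27 09:00:00", 20_000_000)              # fires
    add(5, "AS64501", "Example Privacy Host", "2026-04-27 21:00:00", 1_000_000)  # count met, bandwidth floor not
    add(3, "AS64502", "Example Hosting", "2026-04-27 18:00:00", 40_000_000)      # too few relays
    add(5, "AS64503", "Example Cloud", "2026-04-20 10:00:00", 40_000_000)        # outside the 48h window
    return rows


NOW = parse_ts("2026-04-28 12:00:00")

if __name__ == "__main__":
    hits = mass_deployment_clusters(sample_relays(), NOW)
    for c in hits:
        print(f'{c["as"]} {c["as_name"]}: {c["relays"]} relays, '
              f'{c["bandwidth_bps"] * 8 / 1e9:.2f} Gbit/s')
    print("tor signal score:", tor_signal_score(hits))
```

Fed the live Onionoo `details` document instead of `sample_relays()`, the same function reproduces the per-ASN breakdown the report quotes; the two floors are the knobs that separate a coordinated bring-up from one operator adding a few relays.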
## The Cells
A second pattern fired today on a signal we deployed this morning. We added a Cross-TLD Campaign Stack Assembly detector after publishing analysis of the February 2026 Russian operation that staged Signal phishing infrastructure and residential proxy infrastructure under the same .coupons TLD within seventy-two hours of each other. The pattern is: one operator stands up multiple attack functions in the same low-density exotic TLD inside a short window, because they are building a complete campaign stack before launch.
That detector is now live. Today it caught a fourteen-domain cluster on the .top TLD, with at least two distinct attack functions present:
The C2-style entry: rapidforge.top. That naming pattern matches the convention used by command-and-control infrastructure operators across multiple campaigns we have indexed.
The relay-style entry: quantumsignaturecertificationgatewayhub.top. The deliberately long brand-imitating name is exactly the construction used to slip past automated brand-impersonation detectors that look for short company names rather than long enterprise-sounding strings. The "gateway hub" suffix is consistent with proxy-relay infrastructure naming.
Twelve more domains in the cluster have not yet been classified by function but were registered inside the same window. The window opened April 26 and is still active.
The Cross-TLD signal scored 0.75 against this cluster. Lead time band: twenty-four to seventy-two hours before campaign launch.
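The assembly pattern above, as an added example (not PreCog's detector): group fresh registrations by a configured set of low-density TLDs, take the densest seventy-two-hour window in each, classify each domain's function from its name, and flag a TLD when one window holds several domains covering at least two functions. The registration records are constructed, the two classified domains are the ones named in the text and the twelve `staging-sample` names stand in for the unclassified remainder; the TLD set, the naming heuristics, the cluster floor and the `stack_signal_score` formula are all assumptions.

```python
"""Cross-TLD campaign-stack assembly detector.

Added example, not PreCog code. Registration records are constructed;
the two classified domains are the ones named in the text, the twelve
'staging-sample' names stand in for the unclassified remainder.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=72)   # "inside seventy-two hours", from the text
MIN_DOMAINS = 3                # assumed cluster floor
MIN_FUNCTIONS = 2              # at least two distinct attack functions

# Assumed: a configured set of low-density TLDs. In production derive
# this from a per-TLD registration baseline rather than a hand list.
EXOTIC_TLDS = {"top", "coupons"}

# Assumed naming heuristics, one rule per attack function.
C2_TOKENS = ("forge", "panel", "node", "sync", "beacon")
RELAY_TOKENS = ("gateway", "hub", "proxy", "relay", "edge")
PHISH_TOKENS = ("login", "secure", "verify", "account", "signin")


def classify(domain):
    """Map a domain to an attack function by name shape (assumed rules)."""
    label = domain.rsplit(".", 1)[0]
    if any(t in label for t in PHISH_TOKENS):
        return "phish"
    if len(label) >= 25 or any(t in label for t in RELAY_TOKENS):
        return "relay"          # long enterprise-sounding or gateway/hub names
    if len(label) <= 12 and any(t in label for t in C2_TOKENS):
        return "c2"             # short, forge/panel-style names
    return "unclassified"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def densest_window(events, window):
    """events: (created, domain) tuples sorted by time. Return the largest
    run whose creation times fit inside `window` (two-pointer sweep)."""
    best, lo = [], 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        if hi - lo + 1 > len(best):
            best = events[lo:hi + 1]
    return best


def stack_assembly_clusters(registrations, window=WINDOW,
                            min_domains=MIN_DOMAINS, min_functions=MIN_FUNCTIONS):
    """registrations: iterable of (domain, created_iso). Flag each exotic
    TLD whose densest window holds enough domains spanning two functions."""
    by_tld = defaultdict(list)
    for domain, created in registrations:
        tld = domain.rsplit(".", 1)[1]
        if tld in EXOTIC_TLDS:
            by_tld[tld].append((parse_ts(created), domain))
    clusters = []
    for tld, events in by_tld.items():
        events.sort()
        burst = densest_window(events, window)
        functions = {classify(d) for _, d in burst} - {"unclassified"}
        if len(burst) >= min_domains and len(functions) >= min_functions:
            clusters.append({"tld": tld,
                             "domains": [d for _, d in burst],
                             "functions": sorted(functions),
                             "window_start": burst[0][0],
                             "window_end": burst[-1][0]})
    return clusters


def stack_signal_score(cluster):
    """Assumed scoring, not PreCog's formula: 0.25 per distinct attack
    function plus 0.02 per domain in the window, capped at 1.0."""
    raw = 0.25 * len(cluster["functions"]) + 0.02 * len(cluster["domains"])
    return round(min(1.0, raw), 2)


def sample_registrations():
    """Constructed registration records."""
    rows = [
        ("rapidforge.top", "2026-04-26T08:12:00Z"),
        ("quantumsignaturecertificationgatewayhub.top", "2026-04-27T19:40:00Z"),
        ("rapidforge-old.top", "2026-04-01T10:00:00Z"),   # old registration, outside the window
        ("example-shop.com", "2026-04-26T09:00:00Z"),      # not an exotic TLD, ignored
    ]
    for i in range(12):                                     # the unclassified remainder
        rows.append((f"staging-sample-{i:02d}.top", f"2026-04-27T{i:02d}:05:00Z"))
    return rows


if __name__ == "__main__":
    for c in stack_assembly_clusters(sample_registrations()):
        print(f'.{c["tld"]}: {len(c["domains"])} domains, functions={c["functions"]}, '
              f'score={stack_signal_score(c)}')
```

The two-pointer sweep matters more than the scoring: an operator's old registrations in the same TLD must not pad the cluster, and a window that slides rather than one pinned to the first registration is what keeps a months-old domain from being counted.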
## The Pressure Drop
Spamhaus DROP, the "Don't Route Or Peer" list of confirmed criminal netblocks, ingested 403 new entries in the last twenty-four hours. The seven-day daily average is 57.6. That is a sevenfold spike.
A surge of this size in DROP entries is itself a downstream signal — Spamhaus is publishing because operators independent of us are detecting and reporting these networks. But for our purposes the spike means a wave of new criminal infrastructure has just been publicly identified. That implies an upstream wave of new criminal infrastructure was just stood up, and the defender side is catching up. The IOC Velocity Spike signal scored 0.50 on this.
## The Silence
Two intelligence-collection patterns went quiet today. Both are IPv6, both made high-volume requests against our STIX feed and search endpoints over a short window, and both have not returned for at least twenty-four hours. One ran 879 requests over a single day before going dark. The other ran 265 requests in approximately five minutes before going dark.
The pattern that the precursor framework treats as significant is not the volume itself, it is the abrupt transition from heavy use to silence. Routine consumers continue at a steady rate. Operators who are collecting before staging show a pattern of intensive harvest followed by a period of absence while they process and stage. The lead-time band on this signal is twenty-four to seventy-two hours.
We deployed a fix today to the Consumer Collection signal: the previous version was occasionally flagging Googlebot, which exhibits the same crawl-then-pause rhythm by design. The detector now excludes known good-faith crawlers including Google, Bing, Twitter, Facebook, and a handful of others. The two IPv6 candidates surfaced today are not in any of those exclusion ranges.
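The harvest-then-silence logic and the crawler exclusion from the two paragraphs above, as an added example (not the PreCog Consumer Collection signal). The access-log lines are constructed in a minimal `timestamp ip path` shape, the burst floor is assumed, and every IPv6 prefix comes from the `2001:db8::/32` documentation range: `2001:db8:1::/48` stands in for a published crawler range and maps to no real crawler. Exclusion is keyed on network, not on the User-Agent header, because the header is free to spoof.

```python
"""Harvest-then-silence detector for feed consumers.

Added example, not PreCog code. Log lines are constructed in a minimal
'timestamp ip path' shape; the IPv6 prefixes are all documentation
addresses (2001:db8::/32) and map to no real host or crawler. Crawler
exclusion is by verified network, not User-Agent, because a User-Agent
string is free to spoof.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MIN_BURST = 200                  # assumed: requests inside any 24h window
BURST_WINDOW = timedelta(hours=24)
SILENCE = timedelta(hours=24)    # "at least twenty-four hours", from the text

# Assumed placeholder for the published ranges of good-faith crawlers
# (Google, Bing and others publish theirs); never key this on User-Agent.
KNOWN_CRAWLERS = [ipaddress.ip_network("2001:db8:1::/48")]


def parse_line(line):
    ts, ip, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), ip, path


def is_known_crawler(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_CRAWLERS)


def peak_window_count(times, window):
    """Largest number of requests inside any `window`-long span."""
    times = sorted(times)
    best, lo = 0, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def harvest_then_silence(lines, now, min_burst=MIN_BURST,
                         burst_window=BURST_WINDOW, silence=SILENCE):
    """Clients that burst past `min_burst` and then sent nothing for `silence`.
    Steady consumers never satisfy the silence test; crawlers are excluded
    by network before the volume test is applied."""
    seen = defaultdict(list)
    for line in lines:
        ts, ip, _ = parse_line(line)
        seen[ip].append(ts)
    hits = []
    for ip, times in seen.items():
        if is_known_crawler(ip):
            continue
        last = max(times)
        peak = peak_window_count(times, burst_window)
        if peak >= min_burst and now - last >= silence:
            hits.append({"ip": ip, "peak_24h": peak, "last_seen": last,
                         "silent_hours": int((now - last).total_seconds() // 3600)})
    return sorted(hits, key=lambda h: h["ip"])


def sample_log():
    """Constructed access-log lines."""
    lines = []

    def burst(ip, start, count, step, path):
        t = start
        for _ in range(count):
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {ip} {path}")
            t += step

    base = datetime(2026, 4, 26, 14, 0, tzinfo=timezone.utc)
    # 265 requests in under five minutes, then nothing: the shape in the text
    burst("2001:db8:2::10", base, 265, timedelta(seconds=1), "/api/v1/stix-feed")
    # the same burst shape from the crawler range: excluded, never scored
    burst("2001:db8:1::5", base, 300, timedelta(seconds=1), "/api/v1/search")
    # steady consumer, ten requests an hour right up to the present: not flagged
    burst("2001:db8:3::7", base - timedelta(hours=24), 700, timedelta(minutes=6), "/api/v1/stix-feed")
    # low-volume client that went quiet: below the burst floor
    burst("2001:db8:4::1", base, 20, timedelta(minutes=1), "/api/v1/search")
    return lines


NOW = datetime(2026, 4, 28, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for h in harvest_then_silence(sample_log(), NOW):
        print(f'{h["ip"]}: peak {h["peak_24h"]} req/24h, silent {h["silent_hours"]}h')
```

The steady client here peaks at 240 requests per day, above the burst floor, and is still not flagged: the transition to silence is the test, exactly as the text says, and the volume floor only gates which silences are worth looking at.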
## The Lightning Sighting
A new GitHub IOC: github.com/NerdForData, tagged to the Emmenhtal loader family. Emmenhtal is initial-access malware that we have indexed across multiple campaigns this year. A new account associated with that family becoming visible is low-score on its own — 0.12 — but is the kind of indicator that converges with other elevated signals into a higher-confidence picture if it persists.
## The Forecast
Read the signals together rather than individually. Tor relay capacity is being assembled at scale. Spamhaus is publishing a wave of newly-identified criminal infrastructure. A cross-TLD cluster is staging at least C2 and relay functions inside the .top namespace. Two IPv6 collectors are silent after harvest. A new loader-family account is visible.
The composite reads as preparation, not active campaign. The lead-time bands across the elevated signals point toward downstream activity in the twelve-hour to seven-day window. None of these signals individually predicts a specific target or time. Together they describe a posture: the offense is staging.
The defensive response to a forecast of this kind is not panic, it is patching schedule discipline. Make sure your perimeter patches are current. Make sure your linked devices on Signal, WhatsApp, and Telegram are audited (we wrote about that this morning). Make sure your DNS filter is pulling a current threat feed. Make sure your incident response runbook has been read by the people on call this week, not last quarter.
## The Receipts
We deployed two new precursor signals to the dashboard this morning. The Cross-TLD Campaign Stack Assembly signal fired on a real cluster the same hour. The infrastructure was already live before we deployed the detector — meaning it was visible in our IOC index for hours before any defender pulled it. That is the gap our system exists to close.
The signal-eleven build was prompted directly by yesterday's coverage of the Russia Signal-phishing campaign and the residential-proxy abuse infrastructure. The pattern observed in February — one operator using one exotic TLD for two attack functions inside seventy-two hours — has now been formalized into a continuously-running detector. Today the detector caught its first new cluster, two months after the original observation, on a different TLD, run by a different operator.
The framework generalizes. The pattern recurs.
## Our Feed
PreCog V2 dashboard: analytics.dugganusa.com (auth required, threat-level summary on the precursor tab)
STIX 2.1 feed (free): analytics.dugganusa.com/api/v1/stix-feed
Search the index: analytics.dugganusa.com/api/v1/search
Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo.
