Understanding the Structures That Enable Persistent Cyber Operations


🔴 The Blacklist

A curated record of entities, systems, and patterns that enable modern criminal operations. Not focused on individuals alone, but on the environments that allow them to operate, adapt, and persist.

There is a tendency to look for the person behind the activity. A name, an alias, a group. That approach assumes the individual matters most. In many cases, it does not. What matters is what allows them to continue. And that’s where this blog will focus.

This entry is part of the ThirdEye Intelligence Blacklist series, focused on analysing systems and patterns that may enable operational persistence. All assessments are based on open-source and closed-source information and are presented with appropriate confidence levels.


Case Snapshot

  • Case ID: BL-001
  • Subject: Global Connectivity Solutions LLP
  • Type: Enablement
  • Entity Type: UK Limited Liability Partnership (LLP)
  • Associated ASN: AS215540
  • Operational Context: Hosting environment referenced in malicious infrastructure reporting
  • Observed Activity Link: Infrastructure supporting command and control frameworks
  • Jurisdictional Presence: UK with extensions into offshore entities (e.g., Seychelles)

At a surface level, this is a registered company. It exists within a legal framework, with identifiable control and documentation. There is nothing inherently unusual about that. What becomes relevant is how it is positioned, and what appears to operate around it.



Assessment Note

This analysis is based on publicly available information, including open-source reporting, infrastructure listings, and corporate registry data. The observations presented reflect patterns and associations identified during research and should be interpreted as analytical assessment, not definitive attribution.

There is no direct evidence within this analysis to conclude deliberate involvement of the entity or associated individuals in criminal activity. References to external reporting and historical associations are included to provide context on the environment in which the infrastructure operates.

All conclusions are made with moderate to low confidence, where applicable, and are intended to support understanding of potential risk patterns rather than assert intent.



Case Introduction

This did not begin with the company. It began with infrastructure. An exposed service led to an ASN. The ASN led to an entity. The entity, when examined in isolation, appeared unremarkable. A registered LLP, minimal public footprint, limited engagement surface.

That is often where most reviews stop, but structures like this are rarely built for visibility. They are built for function. So instead of asking what this entity is, the better question becomes: what does it allow?



Entity Profile

Global Connectivity Solutions LLP presents with characteristics that are not uncommon in isolation, but become more relevant when considered together:

  • Limited public-facing information.
  • Contact mechanisms primarily via email.
  • Association with infrastructure environments referenced in abuse-related listings.

There is no direct indication, based solely on registration, that the entity is engaged in malicious activity. However, entities that support infrastructure environments tend to reflect the nature of what they enable. That is where further context becomes important.



Correlated Intelligence

Infrastructure associated with AS215540 has appeared in multiple publicly available listings related to suspicious or potentially malicious activity, including environments referenced for malware hosting. External investigative reporting has also referenced entities such as Global Internet Solutions LLC (GIR) in connection with similar infrastructure patterns. In addition, individuals operating under aliases, including “dimetr50”, have been historically linked to credential-based criminal activity and infrastructure provisioning.

It is important to note that these associations do not confirm direct involvement of this specific entity in those activities.

Further OSINT-based infrastructure mapping, including analysis using Maltego, identifies additional and recently observed IP addresses within AS215540. Some of these IPs appear to be associated with services consistent with malware C2s, VPN portals, remote access mechanisms, and web-based login interfaces.

While such services are not inherently malicious, their presence within this environment provides additional context on the types of externally accessible infrastructure being hosted. Taken together, the overlap between infrastructure patterns, entity relationships, and historical reporting suggests alignment with environments that may tolerate or support such operations.

This assessment remains moderate confidence, based on publicly available information at the time of analysis.



Corporate & Structural Observations

Further examination of corporate records indicates a layered structure.

  • The LLP structure provides flexibility in ownership and operational control.
  • Associated individuals appear across multiple entities.
  • Additional organisations linked through appointments extend into offshore jurisdictions, including Seychelles.

Examples of associated entities include:

  • LS Trading Partners.
  • Lupine Logistics.

These entities show characteristics consistent with:

  • distributed ownership.
  • jurisdictional separation.
  • repeatable entity formation.

Connections to individuals previously involved in company formation services suggest that the establishment of such structures may follow a known pattern designed to reduce traceability and increase operational flexibility.

Again, these observations do not independently confirm intent. They do, however, indicate a structure that is capable of supporting sustained activity with limited disruption.



Observed Infrastructure

Infrastructure identified within this environment includes:

  • IP: 147.45.60.103
  • Port: 3000
  • Access Path: /login.html
  • Framework: Sliver C2

The interface presented as a Sliver console login page, accessible directly over IP without domain abstraction.

This suggests:

  • direct access model.
  • minimal exposure control at the interface level.
  • reliance on environment rather than interface hardening.

This instance should be considered an example of infrastructure operating within the broader ecosystem, rather than the defining characteristic of it.



Intelligence Insight

What becomes evident in this case is a separation between visibility and importance. The infrastructure is visible. It can be identified, analysed, and eventually replaced. The entity, and the structure around it, is less visible. It does not need to change frequently. It does not need to move. It only needs to remain available.

This creates an asymmetry:

  • Defensive efforts often focus on what is easiest to see.
  • Operational resilience is built on what is least likely to be examined.

The effectiveness of such a model does not depend on sophistication. It depends on continuity.



TTMM Mapping

  • Surface: Infrastructure instances (e.g., exposed C2 panel) observable through direct access.
  • Infrastructure: Hosting within AS215540, associated with repeated high-risk activity references.
  • Enablement: LLP structure with offshore extensions contributing to ownership opacity.
  • Operation: Support of command and control frameworks and related infrastructure.
  • Persistence: Sustained through jurisdictional layering and reusable entity models.


Operational Takeaway

This case highlights the need to expand focus beyond individual infrastructure components.

Consideration should be given to:

  • monitoring infrastructure linked to high-risk ASNs.
  • identifying patterns across entities associated with those environments.
  • incorporating corporate and jurisdictional context into investigations.
  • recognising that removal of individual nodes may have limited impact without addressing the enabling structure.

At a strategic level, this reflects a shift from reacting to activity towards understanding how that activity is sustained.
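The ASN-context enrichment described in the takeaways above, as an added example that is not part of the original post. The prefix table, ASN watchlist and log lines are constructed stand-ins for a real BGP/RIR feed and a real proxy log, and the /24 is a placeholder rather than AS215540's actual announced prefix. It flags events by hosting ASN and by the direct-IP login pattern noted in the Observed Infrastructure section, then summarises distinct hosts per watchlisted ASN so the environment, not a single node, becomes the unit of review.

```python
import ipaddress
from collections import defaultdict

# Constructed watchlist of hosting ASNs an analyst has chosen to monitor.
# AS215540 is the ASN discussed on the page; the note text is illustrative.
ASN_WATCHLIST = {
    215540: "hosting environment referenced in abuse listings (moderate confidence)",
}

# Constructed prefix-to-ASN table standing in for a real BGP/RIR feed.
# The /24 below is a placeholder, not the ASN's actual announced prefix.
PREFIX_TABLE = [
    (ipaddress.ip_network("147.45.60.0/24"), 215540),
    (ipaddress.ip_network("203.0.113.0/24"), 64496),  # RFC 5737 documentation range
]

# Constructed proxy log lines: "<timestamp> <src> <dst> <port> <sni_or_host> <path>"
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 10.0.0.5 147.45.60.103 3000 - /login.html
2024-05-01T10:00:07Z 10.0.0.9 203.0.113.7 443 example.com /
2024-05-01T10:01:15Z 10.0.0.5 147.45.60.103 3000 - /login.html
2024-05-01T10:02:30Z 10.0.0.12 147.45.60.200 443 - /api
"""

def lookup_asn(ip):
    """Longest-prefix match of an IP against PREFIX_TABLE; None if not covered."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def enrich(log_text):
    """Attach ASN context to each event and flag those worth analyst attention."""
    findings = []
    hosts_per_asn = defaultdict(set)
    for line in log_text.splitlines():
        ts, src, dst, port, host, path = line.split()
        asn = lookup_asn(dst)
        reasons = []
        if asn in ASN_WATCHLIST:
            reasons.append(f"AS{asn}: {ASN_WATCHLIST[asn]}")
            hosts_per_asn[asn].add(dst)
        # Direct-access pattern from the page: bare IP, no hostname, login path on a non-standard port.
        if host == "-" and path.endswith("login.html") and port not in ("80", "443"):
            reasons.append("direct-IP login interface on non-standard port")
        if reasons:
            findings.append({"ts": ts, "src": src, "dst": dst, "asn": asn, "reasons": reasons})
    # Distinct destinations per watchlisted ASN: the hosting environment is the unit of interest.
    summary = {asn: sorted(hosts) for asn, hosts in hosts_per_asn.items()}
    return findings, summary
```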



Closing

This case does not point to a single technique or a uniquely sophisticated implementation. What it highlights is a structure that appears capable of supporting repeated operations with limited disruption, even when individual infrastructure components are exposed or replaced.

From a detection and response perspective, this reinforces the need to expand beyond indicator-led approaches. Organisations should consider placing greater emphasis on:

  • identifying infrastructure patterns across high-risk hosting environments
  • incorporating ASN and provider-level context into investigation workflows
  • recognising corporate and jurisdictional structures as part of the threat landscape, not separate from it
  • correlating infrastructure, ownership, and access patterns during incident analysis

This is where threat intelligence can provide additional value. By moving beyond indicator collection towards environment and ecosystem mapping, threat intelligence functions can help connect isolated findings into a broader operational picture, enabling more informed prioritisation and response.

This does not replace traditional detection. It strengthens it by adding context. Infrastructure will continue to change and access points will rotate; however, the environments that enable them are more likely to persist.

Understanding that distinction is where defensive advantage begins.


