Just published the second-longest blog post in my 14 year career as an independent reporter.

This story is the result of a ridiculous amount of research. I hope you like it, because I learned tons reporting this, and there needs to be a broader conversation about some of the issues raised by this research. The lede:

Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.

https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/

Stark Industries Solutions: An Iron Hammer in the Cloud – Krebs on Security

BTW, if it teases the story more, the longest story I wrote was the one about the unveiling of the authors of the Mirai DDoS malware

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

Who is Anna-Senpai, the Mirai Worm Author? – Krebs on Security

Just added a very interesting wrinkle from the DNS guru Doug Madory over at Kentik, regarding the top sources and destinations for Stark Industries' traffic:

Doug Madory, director of Internet analysis at Kentik, was able to see at a high level the top sources and destinations for traffic traversing Stark's network.

"Based on our aggregate NetFlow, we see Iran as the top destination (35.1%) for traffic emanating from Stark (AS44477)," Madory said. "Specifically, the top destination is MTN Irancell, while the top source is Facebook. This data supports the theory that AS44477 houses proxy services as Facebook is blocked in Iran."
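The kind of aggregate NetFlow analysis Madory describes, reduced to its core, as an added example that is not Kentik's code or part of the original thread. It takes flow records (source ASN, destination ASN, destination country, bytes) observed at a transit network's edge, ranks destinations and sources by byte share, and computes a "blocked-service" indicator: the share of traffic whose source is a service known to be blocked in the destination country, which is the reasoning behind the proxy theory in the quote. The flow records, the non-Stark ASN labels and the blocked-service table are constructed for the example; only AS44477, Facebook as top source and Iran as top destination come from the thread.

```python
from collections import defaultdict

# Constructed sample flow records (not Kentik data). Each is an aggregated flow
# observed at the transit edge of AS44477 (the Stark ASN quoted in the thread):
# traffic from src_asn, carried across AS44477, delivered to dst_asn in dst_country.
# The ASN labels other than AS44477 are placeholders, not real AS numbers.
SAMPLE_FLOWS = [
    {"src_asn": "AS_FACEBOOK", "dst_asn": "AS_IRANCELL", "dst_country": "IR", "bytes": 300},
    {"src_asn": "AS_GOOGLE",   "dst_asn": "AS_IRANCELL", "dst_country": "IR", "bytes": 51},
    {"src_asn": "AS_FACEBOOK", "dst_asn": "AS_DE_ISP",   "dst_country": "DE", "bytes": 250},
    {"src_asn": "AS_CDN",      "dst_asn": "AS_NL_ISP",   "dst_country": "NL", "bytes": 200},
    {"src_asn": "AS_GOOGLE",   "dst_asn": "AS_UA_ISP",   "dst_country": "UA", "bytes": 199},
]

# Services known to be blocked per destination country. Constructed table for
# the example; the thread only states that Facebook is blocked in Iran.
BLOCKED_IN = {"IR": {"AS_FACEBOOK"}}


def share_by(flows, field):
    """Return {value: fraction_of_total_bytes} for `field`, largest share first."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow[field]] += flow["bytes"]
    grand = sum(totals.values())
    if grand == 0:
        return {}
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return {value: round(total / grand, 3) for value, total in ranked}


def top(flows, field):
    """(value, share) of the heaviest value for `field`; (None, 0.0) with no flows."""
    shares = share_by(flows, field)
    if not shares:
        return (None, 0.0)
    value = next(iter(shares))
    return (value, shares[value])


def blocked_service_share(flows, blocked=BLOCKED_IN):
    """Fraction of bytes whose source is a service blocked in the destination country.

    A large share of such flows is consistent with the transit ASN acting as a
    circumvention proxy: users in the blocking country reach the service through
    it. It is an indicator to corroborate with other data, not proof on its own.
    """
    grand = sum(flow["bytes"] for flow in flows)
    if grand == 0:
        return 0.0
    hit = sum(
        flow["bytes"]
        for flow in flows
        if flow["src_asn"] in blocked.get(flow["dst_country"], ())
    )
    return round(hit / grand, 3)


if __name__ == "__main__":
    print("top destination country:", top(SAMPLE_FLOWS, "dst_country"))
    print("top destination ASN:    ", top(SAMPLE_FLOWS, "dst_asn"))
    print("top source ASN:         ", top(SAMPLE_FLOWS, "src_asn"))
    print("blocked-service share:  ", blocked_service_share(SAMPLE_FLOWS))
```

On the constructed records the top destination country comes out as IR with a 0.351 share, mirroring the figure in the quote, the top source is the Facebook placeholder ASN, and 30% of bytes are Facebook-to-Iran flows, which is the pattern that makes a transit ASN look like a proxy rather than an ordinary hosting network.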

Malwarebytes has published a writeup on an extensive campaign that targets corporate users with malicious ads. Among the sites used as lures are fake Wall Street Journal and CNN websites that tell visitors they're required to install a WSJ or CNN-branded browser extension.

tl;dr: A key domain used in this campaign is hosted at Stark Industries Solutions.

https://www.threatdown.com/blog/corporate-users-targeted-via-malicious-ads-and-modals/

Corporate users targeted via malicious ads and modals - ThreatDown by Malwarebytes


It has been brought to my attention that I left two important details about Stark out of my story.

1) Stark's contact details with RIPE, which manages Internet address space for Europe, the Middle East and Central Asia, include a choice "leet" designation and possibly a dig at RIPE: "SICK1337-RIPE"

Also, I can't believe I forgot to include the bit of movie trivia (I thought it was obvious): In the Marvel storyline, the head of Stark Industries, Tony, was an international arms dealer. Funny enough, Ivan Neculiti, or his brother Yuri who also runs Stark/PQ Hosting, consistently used the email address [email protected].

@briankrebs - yeah. I was wondering why you didn't mention tony@stark as well. I assumed that was obvious to everyone reading and so there was no point mentioning it. But I can see that there may be folks who may not realize :)