Cybersecurity researchers have uncovered a large and organized network of malicious infrastructure quietly running inside Russia\u2019s commercial hosting ecosystem. <\/p>\n
Over a three-month window from January 1 to April 1, 2026, more than 1,250 active command-and-control (C2) servers were detected across 165 Russian infrastructure providers, spanning shared hosting platforms, virtual server environments, and telecommunications networks.<\/a><\/p>\n A command-and-control server is the backbone of most cyberattacks \u2014 the system attackers use to send instructions to infected machines and retrieve stolen data. <\/p>\n Finding over 1,250 of these servers active at once, all housed within Russian hosting providers, shows how deeply malicious infrastructure has embedded itself into legitimate commercial networks. <\/p>\n The servers are not concentrated in one or two obscure corners of the internet; they are distributed across 165 separate providers, making them harder to block and easier to maintain without drawing attention.<\/a><\/p>\n Hunt.io analysts and researchers identified these patterns<\/a> using Host Radar, a core intelligence module built to correlate C2 servers, phishing infrastructure, open malicious directories, and public indicators of compromise back to the hosting providers that sustain them. <\/p>\n Their analysis surfaced repeatable patterns in how malicious infrastructure is distributed and reused across Russian hosting environments, providing provider-level visibility that separates actionable intelligence from a stream of disposable IP addresses.<\/a><\/p>\n Across the full dataset, Host Radar recorded approximately 1,290 malicious artifacts during the observation period. C2 infrastructure dominates, accounting for roughly 88.6% of all detected activity with 1,252 servers confirmed. <\/p>\n Malicious open directories make up about 5.3%, phishing sites<\/a> roughly 4.9%, and publicly reported indicators of compromise around 1.2%. <\/p>\n TimeWeb leads with 311 detected C2 servers over 90 days, followed by WebHost1 with 140, REG.RU with 138, VDSina with 86, and PROSPERO OOO with 80.<\/a><\/p>\n Using HuntSQL, analysts queried telemetry across Russian networks to identify which malware families were hosting the most C2 infrastructure. <\/p>\n Keitaro, a traffic distribution system frequently abused to redirect victims toward malware, leads the dataset with 587 unique C2 IP addresses \u2014 the largest concentration observed. <\/p>\n Hajime, an IoT-focused botnet, follows with 191 C2 servers, while Mozi and Mirai reflect ongoing abuse of compromised routers and embedded devices. <\/p>\n Offensive security frameworks including Tactical RMM (87 endpoints), Cobalt Strike variants (55 combined), Sliver, and Ligolo-ng were also found, all repurposed for malicious use. <\/p>\n Scanning and phishing tools like Acunetix, Interactsh, and Gophish were detected as well, confirming this infrastructure supports reconnaissance and credential theft alongside direct intrusions.\u00a0<\/p>\n Active campaigns tied to this infrastructure reinforce the gravity of these findings. One campaign on JSC TIMEWEB used a fake CAPTCHA<\/a> technique called ClickFix to trick users into executing a PowerShell command that downloaded Latrodectus v2.3 malware communicating with attacker-controlled domains.\u00a0<\/p>\n REG.RU-hosted infrastructure was linked to a Lumma Stealer<\/a> operation abusing Google Groups redirectors to push malicious archives across Windows and Linux systems. <\/p>\n On Hosting Technology LTD infrastructure, the SmartApeSG campaign delivered Remcos RAT<\/a> through fake CAPTCHA prompts on compromised sites, establishing persistence via DLL sideloading. <\/p>\n Beget LLC infrastructure hosted activity tied to the UAC-0252 campaign, which impersonated Ukrainian government institutions and deployed SHADOWSNIFF and SALATSTEALER infostealers through a WinRAR vulnerability tracked as CVE-2025-8088.<\/p>\n Proton66 OOO infrastructure was separately connected to a BoryptGrab infostealer operation abusing over 100 public GitHub repositories through SEO manipulation.<\/a><\/p>\n Security teams should treat provider-level monitoring as a core defensive priority. Applying controls against the highest-volume providers \u2014 especially TimeWeb, REG.RU, WebHost1, VDSina, and PROSPERO OOO \u2014 can meaningfully reduce exposure. <\/p>\n Organizations should monitor outbound connections to Russian ASNs with elevated C2 activity, apply threat intelligence covering infrastructure-level indicators beyond file hashes, restrict curl-to-PowerShell chains vulnerable to ClickFix-style lures, and maintain visibility into IoT and edge devices given the continued activity of Hajime, Mozi, and Mirai botnets.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post 1,250+ C2 Servers Mapped Across Russian Hosting Across 165 Providers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nMalware Families and Active Campaigns<\/strong><\/h2>\n
![\"Top](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiOxzzlkH3iEwEJe7R-k7XNtyh6S864G2GcCyK8yKaoYLZ7hYwfUluuO5AMZVanih8VyJZpYg2Q39Ozl-4O5VT2SzLmA5C11XEQBtfrlyve6DIgYv-HGOIMoKqAI32v-pocB_5zRtX-Iwv03zQAn_lIB1X3nj05Hko4srFMvXrcyQtZUQNG9aD7Xtl46Gs\/s16000\/Top%252010%2520Malware%2520Command-and-Control%2520%28C2%29%2520Families%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")
![\"Top](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiHA6Tgt83VUlAS_ngDTWP_jorBaQfQ3ydypsTXD-APP4lEGacFqQu0KCvZmWOVFk_T3_BTGAl89Uayupce4VWugx5ygnym0Id7TjZLDE8syytnqX0xDJANByjiHtFq8bTOhWzweKk2QxxP4JY9VNp22bhyphenhyphen8oQ56LhXjJl6NK-BeWaltYNBmovDEdSH7b4\/s16000\/Top%2520ISPs%2520hosting%2520malware%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")