Sunday, May 25, 2025

Russian Hackers Leverage Bulletproof Hosting to Shift Network Infrastructure


Russian-aligned cyber threat groups, UAC-0050 and UAC-0006, have significantly escalated their operations in 2025, targeting entities worldwide with a focus on Ukraine.

These groups employ bulletproof hosting services to mask their network infrastructure, enabling sophisticated campaigns involving financial theft, espionage, and psychological operations.

UAC-0050, linked to Russian law enforcement agencies, has transitioned to deploying NetSupport Manager malware this year, while UAC-0006 continues using SmokeLoader malware for phishing attacks.


Infrastructure Manipulation via Bulletproof Hosting

Both groups rely heavily on bulletproof hosting providers to evade detection and legal accountability. Autonomous systems such as Global Connectivity Solutions LLP (AS215540) and Railnet LLC (AS214943) are central to their operations.

These networks are often fronted by shell companies registered in offshore jurisdictions like Seychelles and managed by entities with ties to cybercrime ecosystems.

For instance, Zservers, a sanctioned Russian hosting provider, has shifted its network prefixes to newly established autonomous systems in Russia and Seychelles to obscure its activities.

Global Connectivity Solutions LLP, a UK-based network, facilitates traffic for ransomware groups such as Black Basta and Cactus by routing through Stark Industries (AS44477), a known proxy for Russian cyberattacks.

Similarly, Railnet LLC operates under Virtualine Technologies, a Russia-based bulletproof hosting provider advertised on underground forums for illegal activities like phishing and spam campaigns.
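Because prefixes can be moved to a newly established autonomous system, a blocklist keyed only on ASN stops matching once the origin changes. The following is an added example, not part of the original article: it compares two prefix-to-origin snapshots, carries the flag forward for prefixes that left a watchlisted ASN, and matches connection logs by longest prefix. The watchlist uses the ASNs named in the article; the prefixes, their ASN assignments, the other ASNs and the log lines are constructed placeholders, not real announcements.

```python
import ipaddress

# ASNs named in the article.
WATCHLIST = {215540, 214943, 44477, 210644, 214927}

# Constructed snapshots (prefix -> origin ASN). Documentation prefixes
# (RFC 5737) and reserved ASNs 64500/64512 stand in for real routing data.
SNAPSHOT_OLD = {"192.0.2.0/24": 214943, "198.51.100.0/24": 64500}
SNAPSHOT_NEW = {"192.0.2.0/24": 64512, "198.51.100.0/24": 64500,
                "203.0.113.0/25": 215540}

# Constructed connection log: (timestamp, internal host, destination IP).
LOG = [("2025-05-20T10:01:02Z", "ws-017", "192.0.2.44"),
       ("2025-05-20T10:03:40Z", "ws-022", "198.51.100.9"),
       ("2025-05-20T10:07:11Z", "ws-017", "203.0.113.5")]

def moved_prefixes(old, new, watchlist):
    """Prefixes a watchlisted ASN originated before that now have a new origin."""
    return {p: (old[p], new[p]) for p in old
            if old[p] in watchlist and p in new and new[p] != old[p]}

def build_table(new, moved, watchlist):
    """Map every announced network to a flag reason, or None if not flagged."""
    table = {}
    for prefix, asn in new.items():
        reason = None
        if prefix in moved:
            reason = f"moved from AS{moved[prefix][0]} to AS{asn}"
        elif asn in watchlist:
            reason = f"origin AS{asn} on watchlist"
        table[ipaddress.ip_network(prefix)] = reason
    return table

def flag(log, table):
    """Longest-prefix match each destination, keep entries with a reason."""
    hits = []
    for ts, host, dst in log:
        ip = ipaddress.ip_address(dst)
        matches = [n for n in table if ip in n]
        if not matches:
            continue
        best = max(matches, key=lambda n: n.prefixlen)
        if table[best]:
            hits.append((ts, host, dst, table[best]))
    return hits

MOVED = moved_prefixes(SNAPSHOT_OLD, SNAPSHOT_NEW, WATCHLIST)
HITS = flag(LOG, build_table(SNAPSHOT_NEW, MOVED, WATCHLIST))
```

In practice the two snapshots would come from periodic exports of routing or IP-to-ASN data, and the moved-prefix set would be persisted so the flag survives later origin changes.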

Psychological Operations and Espionage

In addition to malware campaigns, UAC-0050 has conducted psychological operations targeting Ukrainian entities with bomb threats under the guise of the “Fire Cells Group.”

Content of the phishing email sent in October

These emails aim to destabilize critical infrastructure and spread fear among allies of Ukraine.

Investigations reveal the use of IPs from Aeza International Ltd (AS210644) and other networks linked to bulletproof hosting providers.

Content of the phishing email sent in November

Meanwhile, UAC-0006 focuses on financial theft through phishing emails targeting accountants in Ukraine’s banking sector.

Leveraging compromised Ukrainian proxies managed via SystemBC panels, the group has repeatedly shifted its infrastructure across networks like PSB Hosting Ltd (AS214927) and other offshore providers.

The use of shell companies such as LS Trading Partners Inc and Lupine Logistics Ltd highlights the intricate legal frameworks employed by these hosting providers.

These entities obscure ownership details while facilitating malicious activities. Zservers’ administrators have avoided arrest despite sanctions from the U.S., UK, and Australia, showcasing the difficulty in dismantling these networks.

The evolving tactics of UAC-0050 and UAC-0006 underscore the growing sophistication of cybercriminals leveraging bulletproof hosting solutions.

Their ability to adapt infrastructure across global networks poses significant challenges for cybersecurity efforts aimed at mitigating state-sponsored cyber threats.


Aman Mishra
