Russian-aligned cyber threat groups, UAC-0050 and UAC-0006, have significantly escalated their operations in 2025, targeting entities worldwide with a focus on Ukraine.
These groups employ bulletproof hosting services to mask their network infrastructure, enabling sophisticated campaigns involving financial theft, espionage, and psychological operations.
UAC-0050, linked to Russian law enforcement agencies, has transitioned to deploying NetSupport Manager malware this year, while UAC-0006 continues using SmokeLoader malware for phishing attacks.
.png
)
Infrastructure Manipulation via Bulletproof Hosting
Both groups rely heavily on bulletproof hosting providers to evade detection and legal accountability. Autonomous systems such as Global Connectivity Solutions LLP (AS215540) and Railnet LLC (AS214943) are central to their operations.
These networks are often fronted by shell companies registered in offshore jurisdictions like Seychelles and managed by entities with ties to cybercrime ecosystems.
For instance, Zservers a sanctioned Russian hosting provider has shifted its network prefixes to newly established autonomous systems in Russia and Seychelles to obscure its activities.
Global Connectivity Solutions LLP, a UK-based network, facilitates traffic for ransomware groups such as Black Basta and Cactus by routing through Stark Industries (AS44477), a known proxy for Russian cyberattacks.
Similarly, Railnet LLC operates under Virtualine Technologies, a Russia-based bulletproof hosting provider advertised on underground forums for illegal activities like phishing and spam campaigns.
Psychological Operations and Espionage
In addition to malware campaigns, UAC-0050 has conducted psychological operations targeting Ukrainian entities with bomb threats under the guise of the “Fire Cells Group.”
These emails aim to destabilize critical infrastructure and spread fear among allies of Ukraine.
Investigations reveal the use of IPs from Aeza International Ltd (AS210644) and other networks linked to bulletproof hosting providers.
Meanwhile, UAC-0006 focuses on financial theft through phishing emails targeting accountants in Ukraine’s banking sector.
Leveraging compromised Ukrainian proxies managed via SystemBC panels, the group has repeatedly shifted its infrastructure across networks like PSB Hosting Ltd (AS214927) and other offshore providers.
The use of shell companies such as LS Trading Partners Inc and Lupine Logistics Ltd highlights the intricate legal frameworks employed by these hosting providers.
These entities obscure ownership details while facilitating malicious activities. Zservers’ administrators have avoided arrest despite sanctions from the U.S., UK, and Australia, showcasing the difficulty in dismantling these networks.
The evolving tactics of UAC-0050 and UAC-0006 underscore the growing sophistication of cybercriminals leveraging bulletproof hosting solutions.
Their ability to adapt infrastructure across global networks poses significant challenges for cybersecurity efforts aimed at mitigating state-sponsored cyber threats.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
