{
	"id": "be85afe6-96fc-45d4-962c-5e6f22c0a21f",
	"created_at": "2026-04-06T00:15:59.433074Z",
	"updated_at": "2026-04-10T03:24:30.201763Z",
	"deleted_at": null,
	"sha1_hash": "29fb56536ab6e1fd5ce0e729b04730b4cb4332eb",
	"title": "Bulletproof Hosting Hunt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6038551,
	"plain_text": "Bulletproof Hosting Hunt\r\nBy Vasilis Orlof\r\nPublished: 2025-04-04 · Archived: 2026-04-05 17:45:23 UTC\r\nIt all started with a simple follow up on another Lumma infection. I wanted to find and automate a quick way to\r\nget hunting leads for infra that is not hidden behind CDNs but I think I might have found a Bulletproof hosting\r\nprovider.\r\nLumma continues to be in the top 5 malware families [1] [2] , which means high sample availability on malware\r\nreporting platforms and a great starting point for a hunt! Starting from the latest Lumma samples, we can expand\r\nto additional malicious infrastructure, including phishing, impersonation mininng and various malware.\r\nUsing abuse.ch API to retrieve samples from the last week (of this writing), returns 100 results between 15-22/7.\r\nWith the latest hashes in hand we can start our analysis.\r\nhttps://intelinsights.substack.com/p/bulletproof-hosting-hunt\r\nPage 1 of 11\n\nFirst, let’s grab any communicating IPs. Using VT API we can see that the malicious files are communicating with\r\n292 IPs. Now that we have our IPs, we’ll group them and try to filter out dead end pivots. 
What I mean by that is, since most of the domains associated with Lumma are usually hidden behind CDNs like Cloudflare, Akamai, etc., we’ll filter those out as it’s nearly impossible to pivot.\r\nAfter filtering the IPs and ASNs, we are left with 10 unique IPs spread across 10 unique ASNs, so there is no immediate pattern in the grouping.\r\n141.98.6.34 - AS213702, Qwins LTD\r\n185.215.113.51 - AS51381, (ELITETEAM-PEERING-AZ1 1337TEAM PEERING AZ1)\r\n144.172.115.212 - AS14956, ROUTERHOSTING\r\n167.160.161.12 - AS214943, Railnet LLC\r\n104.251.123.89 - AS14315, 1GSERVERS, LLC\r\n146.70.100.103 - AS9009, M247 Europe SRL\r\n176.46.152.39 - AS214351, FEMO IT SOLUTIONS LIMITED\r\n198.54.117.242 - AS22612, Namecheap, Inc.\r\n45.134.26.137 - AS198953, Proton66 OOO\r\n92.38.145.145 - AS199524, G-Core Labs S.A.\r\nStarting with 141.98.6.34, part of AS213702 owned by QWINS LTD, we find a very interesting Russian-operated hosting provider offering VPS and dedicated servers at very low prices (starting around $2 per month), while also offering services directly through their Telegram bot.\r\nServers can be deployed in Russia, Germany, Finland, Netherlands and Estonia.\r\nThe company was incorporated on 11 November 2024 in the UK and had “Kristina Konstantinova” as acting director from the date of incorporation until April 2025 (6 months exactly). The company domain was registered one year earlier, in Nov 2023.\r\nThe company was renamed in April 2025 to “QUALITY IT NETWORK SOLUTIONS LIMITED”.\r\nReviewing the aforementioned IP, we can see that around the end of June a site impersonating “Brex” financial services was hosted on it.\r\nIn addition, we see many malicious files (exe, zip, rar, etc.), associated mainly with infostealers and trojans, recently communicating with the same IP, meaning it is used by either multiple threat actors or a single actor involved in many attacks.\r\nThis hosting provider seems promising, so let’s spend some more time investigating the ASN before pivoting to other networks.\r\nOur hypothesis is that AS213702 is being used by threat actors, and by now we can say with high confidence that the IP 141.98.6.34 is hosting malicious payloads and is used as C2 infrastructure.\r\nMoving over to Censys, we see that there are about 2.3K hosts in that ASN.\r\nWe can narrow it down by filtering for hosts that match the attributes of our IP, which leaves us with just 3 hosts, which also seem to share the same self-signed cert.\r\nautonomous_system.asn: 213702 and services.port=5554 and services.port=3389\r\n141.98.6.190\r\n141.98.6.130\r\n141.98.6.34\r\nThe above IPs have been linked with malware, specifically trojans, loaders and infostealers (makoob, guloader, agenttesla), and have been active around the same time. In combination with the services and self-signed certificates, I would say it’s safe to cluster those 3 IPs together.\r\nOur next pivot comes from domains hosted on our newly found cluster that try to impersonate the database tool DBeaver.\r\n“dbeaver.it[.]com” \u0026 “dbeaver-pro[.]site” are hosted on that cluster and claim to perform SQL performance optimization.\r\ndbeaver-pro[.]site\r\ndbeaver.it[.]com\r\ndbeaver-pro[.]site leads us to our next IP target, 141.98.6.81; this IP is associated mainly with botnets (mirai, quackbot, qbot, condi and more).\r\nIt’s clear now that many malicious activities take place in this ASN. Since it’s a relatively small network hosting around 3K IPs, let’s try to group the malicious activity per network and map out in more detail what kind of activities originate from these networks.\r\nTo keep the IoCs as fresh as possible, I only focused on the last 30 days. I grabbed all the hashes, IPs and URLs that were flagged as malicious on these networks and analyzed the results.\r\nMost of the activity is originating from networks 93.123.39.0/24 and 141.98.6.0/24.\r\nBased on the hashes found communicating with and/or hosted on the networks, most of the malware is categorized as droppers, but as you can see there is a huge variety of malware (botnets, RATs, cryptominers, infostealers) targeting multiple architectures (Windows/Linux x86/x86_64, ARM, MIPS). Specifically, I found a big concentration of the following malware:\r\nAmadey Botnet\r\nMirai Botnet\r\nZapchast Trojan\r\nLumma\r\nVidar\r\nDarkGate\r\nWe previously found that phishing websites and social engineering originated from the networks too, which is consistent with initial access via document droppers (pdf, doc, zip).\r\nFurther reviewing the findings leads to additional clustering based on the malware communication.\r\nIn this network, we find 39 malicious IPs spreading more than 120 payloads, mainly associated with botnets, DDoS infra and C2, usually on port 666.\r\nWe can find around 15 flagged IPs hosting over 45 samples, mainly infostealers like Amadey, Lumma and Vidar, and probably C2 infra.\r\nI found many files that look like initial payload distribution and malware hosting. It could be serving as the entry point for infection chains, hosting document droppers and first-stage loaders.\r\nThe above findings can be somewhat verified if we follow the flow of the malicious files/hashes. We can see that many droppers on the 95.164 network lead to payloads on the 93.123 network, and many stealers from the 141.98 network communicate with the 77.105 network, which I interpreted as C2 communication and data exfiltration.\r\nTo summarize, I think we found a very interesting hosting provider that requires further investigation. I can’t say with certainty whether this is or isn’t a BPH, but I can definitely say that there are some troubling signs.\r\nIn any case, this is all I have for now. I will follow up on some of the leads and see what other connections might appear.\r\nIf anyone has previously worked on that, please reach out.\r\nAs always, I hope you are all safe and healthy. Thanks and take care!\r\nFull IoC list\r\nSource: https://intelinsights.substack.com/p/bulletproof-hosting-hunt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intelinsights.substack.com/p/bulletproof-hosting-hunt"
	],
	"report_names": [
		"bulletproof-hosting-hunt"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29fb56536ab6e1fd5ce0e729b04730b4cb4332eb.pdf",
		"text": "https://archive.orkl.eu/29fb56536ab6e1fd5ce0e729b04730b4cb4332eb.txt",
		"img": "https://archive.orkl.eu/29fb56536ab6e1fd5ce0e729b04730b4cb4332eb.jpg"
	}
}