Hunt Intelligence for IP 176.120.22.24 (AS198953, Russia) shows active nginx and OpenSSH services
At a glance
| Field | Detail |
|---|---|
| Actors | Many groups sharing the same networks: commodity crime plus APTs (Cloud Atlas, ShinyHunters, INJ3CTOR3, Black Basta, Pink) |
| Activity | C2 hosting, malware, phishing, ransomware staging, mapped at the provider level |
| Targets | Global victims of campaigns run from the region: government, diplomatic, crypto, and enterprise |
| Scale | 3,900+ C2 servers, 302 providers, 10 countries, 90 days; one host ~53.5% |
| Status | Threat-intelligence mapping; no law enforcement action reported |
| Source | Hunt.io (Host Radar) |
TL;DR
A new Hunt.io report maps the hosting layer behind Eastern Europe’s cybercrime. Over three months, it found more than 3,900 Eastern European C2 servers across 302 providers. One Bulgarian host alone ran more than half.
What the report found
Hunt.io tracked malicious infrastructure across ten countries from March 12 to June 12, 2026. The list covers Belarus, Bulgaria, the Czech Republic, Hungary, Poland, Moldova, Romania, Russia, Slovakia, and Ukraine. The team used its Host Radar tool, which maps abuse at the provider level instead of chasing single indicators. C2 servers dominated the activity, at about 90.6% of all detections. Phishing, open directories, and public IOCs made up the rest.
One finding stands out. Friendhosting LTD in Bulgaria hosted roughly 2,100 C2 servers, about 53.5% of the regional total. Hunt.io frames this as a hosting-layer signal. As the report puts it, “IPs rotate, domains get burned, but the hosting layer underneath stays remarkably stable.” This mirrors Hunt.io’s earlier regional maps. In the Middle East, one carrier carried most regional C2. In China, a single ISP hosted nearly half of 18,000-plus servers.
Who is behind it
No single group owns this infrastructure. Instead, many actors share it. Hunt.io links some servers to Cloud Atlas, an APT that targets government and diplomatic bodies in Russia and Belarus. It ties other IPs to ShinyHunters, allegedly exploiting an Oracle PeopleSoft zero-day (CVE-2026-35273). Researchers also connect hosts to INJ3CTOR3 toll-fraud, Black Basta affiliates, and the Pink extortion group. These attributions come from Hunt.io and partner research, not from any court. Treat them as suspected links rather than proven facts.
Named campaigns
Hunt.io documents several live operations on these networks. One Romanian host served a malicious npm package that dropped a macOS trojan aimed at DeFi developers. A Russian host tied to Proton66 was linked to active PeopleSoft exploitation. Another supported a FreePBX toll-fraud scheme and a fresh PHP webshell. The same provider pools also carried ransomware tradecraft, including a Nemesys intrusion that dumped credentials and moved quickly to encryption.
Impact and scale
The numbers are large. Hunt.io counted more than 3,900 active C2 servers in 90 days. By country, Russia led with 929 unique C2 IPs, close to half the top-five total. Poland ranked a surprising second at 438 IPs. Bulgaria followed with 298, Romania with 199, and Ukraine with 170. Russia also led by provider volume, with over 150 distinct ASNs.
Keitaro, a traffic distribution system, topped the malware families at 1,277 unique C2 IPs. Tactical RMM and the Acunetix scanner followed. Cobalt Strike and Sliver also appeared, showing both criminal and state-adjacent use. Most servers, though, ran broader management tooling rather than pure C2. That split suggests heavy reuse of shared frameworks across many operators.
What comes next
The report’s core lesson is simple. Hosting relationships outlast individual indicators. Therefore, defenders should track providers and ASNs, not just IP addresses. Scrutinize traffic to high-risk ASNs with repeat abuse. Watch for the named campaigns and tools above. Above all, treat reputation at the hosting layer as a durable detection signal.
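To make provider-level tracking concrete, here is an added Python example (not code from the Hunt.io report or its Host Radar tool). It scores each ASN by how many past C2 hosts it carried, then flags outbound connections whose destination falls in a high-abuse ASN even when that exact IP was never seen before. The prefixes, AS numbers, provider names, indicator list and log lines are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-ASN table using documentation ranges and private ASNs.
# A real deployment would populate this from a BGP/WHOIS export.
PREFIX_TO_ASN = {
    "192.0.2.0/24": ("AS64496", "example-host-a"),
    "198.51.100.0/24": ("AS64497", "example-host-b"),
    "203.0.113.0/24": ("AS64498", "example-host-c"),
}
NETS = [(ipaddress.ip_network(p), asn, name) for p, (asn, name) in PREFIX_TO_ASN.items()]

def lookup_asn(ip):
    """Return (asn, provider) for an IP, or (None, None) if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name in NETS:
        if addr in net:
            return asn, name
    return None, None

# Constructed indicator feed: C2 IPs observed over the past 90 days.
PAST_C2_IPS = ["192.0.2.10", "192.0.2.22", "192.0.2.57", "198.51.100.9"]

def asn_abuse_counts(indicators):
    """Distinct past-C2 IPs per ASN: the hosting-layer reputation score."""
    counts = Counter()
    for ip in set(indicators):
        asn, _ = lookup_asn(ip)
        if asn:
            counts[asn] += 1
    return counts

def flag_connections(log_lines, known_c2, abuse, threshold=3):
    """Flag a connection if the destination is a known C2 IP, or if its ASN
    hosted at least `threshold` past C2 servers (catches rotated IPs)."""
    hits = []
    for line in log_lines:
        ts, _src, dst = line.split()[:3]
        asn, name = lookup_asn(dst)
        reasons = []
        if dst in known_c2:
            reasons.append("known C2 IP")
        if asn and abuse[asn] >= threshold:
            reasons.append(f"{abuse[asn]} prior C2 hosts on {asn} ({name})")
        if reasons:
            hits.append({"ts": ts, "dst": dst, "asn": asn, "reasons": reasons})
    return hits

# Constructed outbound connection log: timestamp, source, destination.
LOG = [
    "2026-06-01T10:00:00Z 10.0.0.5 192.0.2.99",    # never-seen IP, high-abuse ASN
    "2026-06-01T10:01:00Z 10.0.0.6 198.51.100.9",  # known C2 IP, low-abuse ASN
    "2026-06-01T10:02:00Z 10.0.0.7 203.0.113.4",   # clean ASN
]
```

Running `flag_connections(LOG, set(PAST_C2_IPS), asn_abuse_counts(PAST_C2_IPS))` flags the first two lines and leaves the third alone; only the ASN score catches the first, which an IP-only blocklist would miss.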