A new report from Resecurity’s HUNTER unit has exposed the global web of bulletproof hosting (BPH) providers underpinning the operations of the Qilin ransomware-as-a-service (RaaS) group — the same outfit responsible for the devastating September 2025 ransomware attack on Japan’s Asahi Group Holdings, which crippled the company’s manufacturing systems for nearly two weeks.
Resecurity’s investigation reveals that Qilin’s resilience and global reach rely heavily on a sprawling underground hosting ecosystem, spanning Russia, Hong Kong, Cyprus, and the UAE, and tied to sanctioned infrastructure providers that facilitate large-scale cybercrime while evading law enforcement oversight.
“Qilin’s use of prominent BPH providers highlights the latter’s role as critical infrastructure for cybercriminal operators,” the report states. “Rogue BPH services enable their clients to host content with minimal or no oversight, frequently incorporated in pro-secrecy jurisdictions and designed to be resilient to abuse complaints and law enforcement intervention.”
The Qilin ransomware group, which emerged in mid-2022 under the name Agenda, has evolved into one of the most prolific RaaS syndicates targeting global enterprises. Written in Golang and Rust, Qilin ransomware is distributed by a network of affiliates who receive up to 85% of ransom proceeds, while the operators take the rest.
“Qilin is also known to practice double extortion, demanding ransom payments from victims to prevent data from being leaked,” noted Resecurity, referencing the group’s Data Leak Site (DLS) on Tor used to publish stolen information.
The gang has targeted healthcare providers, critical infrastructure, and government entities across the world, using spear-phishing, RMM software abuse, and access broker partnerships to breach networks. Microsoft previously reported that North Korean threat actors had joined Qilin’s affiliate program — a move that underscores the increasing convergence between state-sponsored and financially motivated cybercrime.
Qilin claimed responsibility for the September 29, 2025 attack on Asahi Group Holdings, Japan’s largest beer manufacturer, disrupting digital logistics and brewing operations across 30 factories.
“The attack disrupted operations across the conglomerate’s brewing facilities, temporarily halting production and shipping at most of its 30 factories,” Resecurity wrote, citing BBC and Bloomberg reports.
Asahi confirmed that the attackers stole 27 GB of sensitive data and forced the company to revert to manual order processing via phone and fax, leading to nationwide beer shortages and postponed product launches.
Resecurity’s investigators later engaged directly with Qilin operators, discovering that the group attempted to sell Asahi’s stolen data for $10 million USD in early October.
“These demands were received on October 11… likely one of Qilin’s tactics to exclude middlemen and accelerate pressure on the victim,” the report noted.
Just days after the Asahi incident, Qilin added new high-profile victims, including:
- The Spanish Tax Administration Agency (Agencia Tributaria)
- Centurion Family Office Services (U.S.)
- Rasi Laboratories (U.S.)
- Richmond Behavioral Health Authority (U.S.)
- Ville-Elne Municipality (France)
- Turnkey Africa, and others
“The Spanish Tax Administration Agency is especially notable among the new victims,” Resecurity wrote. “This agency employs more than 26,000 staff and operates with a budget of $1.5 billion, processing vast amounts of data from both private and public sectors.”
The report further confirms that Qilin is expanding aggressively in the U.S. and Europe, with more than 50 new victims across 15 countries published in October 2025 alone — including municipalities, energy cooperatives, and automotive firms like Volkswagen France.
Resecurity’s most alarming discovery centers on Qilin’s deep integration with bulletproof hosting (BPH) conglomerates, which provide untraceable infrastructure for ransomware and data extortion operations.
“One of the most interesting and less widely detailed sides of Qilin is its strong connection to an underground bulletproof hosting conglomerate with origins in Russian-speaking underground and Hong Kong,” the researchers stated.
The investigation mapped this ecosystem to Cat Technologies Co. Limited, Chang Way Technologies, and Starcrecium Limited, entities registered in Hong Kong and Cyprus but linked via IPs, domains, and personnel to Russian hosting firm Hostway.ru.
These companies were allegedly managed by Lenar Davletshin, identified as a director across multiple shell firms used to operate Qilin’s infrastructure.
“Cat Technologies, Starcrecium, and Chang Way were named as the official representatives of Hostway.ru, a Russia-based provider long associated with cybercriminal activity,” the report confirmed.
Resecurity also highlighted BearHost Servers (also known as Underground and Voodoo Servers) as a core BPH provider supporting Qilin’s infrastructure, advertising directly on the group’s WikiLeaksV2 leak site.
“The service has been operating since at least 2019 and has registered accounts on multiple underground forums including XSS and Exploit,” the researchers wrote, noting prices ranging from $95 to $500 per server, often offering 10 Gbps bandwidth for mass scanning and exploitation.
The investigation also connects Qilin’s infrastructure to Aeza Group, a Russian ISP sanctioned by the U.S. Treasury Department in July 2025 for providing BPH services to ransomware groups like BianLian and hosting illicit drug markets such as BlackSprut.
“In July 2025, the U.S. Treasury Department sanctioned this entity for providing BPH services to cybercriminals. The company is accused of aiding ransomware groups and hosting illicit markets,” Resecurity reported.
By mid-2025, BearHost operators abruptly announced their “exit”, claiming closure for “political reasons.” However, Resecurity suggests this was a smokescreen for an exit scam, as the same infrastructure continues to function under new aliases like Prospero, Proton66, and Next Limited, a Hong Kong-based front company.
“They have not terminated any service, but have gone into private mode, servicing trusted and vetted underground actors,” Resecurity explained. “This concept is typical for underground vendors who have already built a significant customer base and are no longer interested in random visitors who could be law enforcement.”
The report warns that bulletproof hosting remains a critical enabler of modern cybercrime, shielding ransomware groups, disinformation campaigns, and dark web markets from law enforcement.