In a deep-dive into the infrastructure powering some of today’s most prevalent malware campaigns, security researcher Vasilis Orlof uncovers a suspected bulletproof hosting provider operating under the guise of legitimacy—fueling the global spread of infostealers, botnets, and trojans.
“It all started with a simple follow-up on another Lumma infection,” Orlof begins. What started as routine hunting for indicators not hidden behind CDN protection quickly escalated into the exposure of QWINS LTD, a hosting provider offering services “directly through their Telegram bot” and seemingly enabling a wide range of malicious operations.
Lumma, consistently ranking among the top five malware families, served as the entry point into this sprawling ecosystem. Using the abuse.ch and VirusTotal APIs, Orlof pulled 100 recent Lumma samples and extracted 292 unique IPs contacted by those payloads. Filtering out infrastructure fronted by CDNs (a CDN edge address reveals nothing about the real host) narrowed the set to 10 IPs across 10 autonomous systems (ASNs). Among them, AS213702 (QWINS LTD) stood out.
“Starting with 141.98.6.34… we find a very interesting Russian-operated hosting provider… Servers can be deployed in Russia, Germany, Finland, Netherlands, Estonia,” Orlof notes.
The infrastructure behind QWINS LTD seemed ripe for abuse. Beyond its sketchy Telegram provisioning, the company—incorporated in the UK in November 2024—was renamed just six months later to “QUALITY IT NETWORK SOLUTIONS LIMITED,” a tactic often used to evade scrutiny.
The report links 141.98.6.34, 141.98.6.130, and 141.98.6.190 as part of a malicious cluster. These IPs shared services, self-signed certificates, and malware associations including AgentTesla, GuLoader, and Makoob.
Pivoting further, Orlof uncovered fake domains like dbeaver-pro[.]site mimicking database tools to lure developers. These domains resolved to 141.98.6.81, associated with Mirai, Quackbot, and Qbot botnets.
“It’s clear now that many malicious activities take place in this ASN,” Orlof concludes.
Zooming out, the report analyzes more than 3,000 hosts in AS213702, categorizing them into specialized roles by /24 block:
- 93.123.39.0/24 – DDoS infra and botnets (often on port 666)
- 141.98.6.0/24 – Infostealers like Lumma, Vidar, and Amadey
- 95.164.53.0/24 – Initial droppers and payload delivery
- 77.105.164.0/24 – Command & Control (C2), exfiltration, and configuration backups
This segmentation reveals a mature and modular malware infrastructure, where attackers can host phishing pages, deliver malicious documents, manage botnets, and exfiltrate data—all within a few coordinated IP blocks.
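The pivot described earlier (collect the IPs that Lumma samples contact, discard CDN-fronted ones, group the remainder by ASN) and the /24 breakdown above are the same workflow at two zoom levels. The script below is an added example, not code from Orlof's report or from any of the tools it names: it runs that workflow over constructed data. The sample-to-IP records, the CDN prefixes and the prefix-to-ASN table are all hypothetical stand-ins for what the abuse.ch, VirusTotal and whois/BGP lookups would return; only the four /24s and the AS number come from the report.

```python
"""Pivot from malware samples to the hosting ASN that serves them.

Added example, not code from the original report: it reproduces the hunting
steps described above (collect contacted IPs, drop CDN-fronted ones, group the
rest by ASN, then bucket one ASN into /24s) over constructed data.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed stand-in for what the abuse.ch / VirusTotal lookups would return:
# sample identifier -> IPs the payload contacted. Hypothetical, not real telemetry.
SAMPLES = {
    "sample-a": ["141.98.6.34", "104.16.1.1", "93.123.39.10"],
    "sample-b": ["141.98.6.130", "104.16.2.2", "141.98.6.34"],
    "sample-c": ["95.164.53.20", "172.64.0.5", "198.51.100.9"],
    "sample-d": ["77.105.164.7", "141.98.6.190", "93.123.39.11", "203.0.113.5"],
}

# CDN prefixes to discard (a CDN edge IP says nothing about the origin host).
# Two Cloudflare ranges are used as examples; load a current list in real use.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("104.16.0.0/12", "172.64.0.0/13")]

# Hypothetical prefix -> ASN table. The four /24s match the report; the two
# RFC 5737 documentation prefixes and RFC 6996 private ASNs are filler.
ASN_TABLE = {
    ipaddress.ip_network(p): asn
    for p, asn in {
        "141.98.6.0/24": 213702,
        "93.123.39.0/24": 213702,
        "95.164.53.0/24": 213702,
        "77.105.164.0/24": 213702,
        "198.51.100.0/24": 64496,
        "203.0.113.0/24": 64497,
    }.items()
}


def ip_prevalence(samples):
    """Count how many samples contacted each IP (higher = better pivot)."""
    counts = Counter()
    for ips in samples.values():
        counts.update(set(ips))  # count each sample at most once per IP
    return counts


def is_cdn(ip):
    """True if the address falls inside one of the known CDN prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def filter_cdn(ips):
    """Drop IPs fronted by a CDN; they hide the real hosting provider."""
    return {ip for ip in ips if not is_cdn(ip)}


def asn_of(ip):
    """Longest-prefix match against the table; None if the prefix is unknown."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, asn) for net, asn in ASN_TABLE.items() if addr in net]
    return max(matches)[1] if matches else None


def group_by_asn(ips):
    """Map ASN -> sorted list of member IPs."""
    groups = defaultdict(list)
    for ip in ips:
        groups[asn_of(ip)].append(ip)
    return {asn: sorted(v, key=ipaddress.ip_address) for asn, v in groups.items()}


def bucket_by_subnet(ips, prefixlen=24):
    """Count IPs per /prefixlen block, to see which blocks an ASN leans on."""
    buckets = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        buckets[str(net)] += 1
    return buckets


def hunt(samples):
    """Full pivot: unique IPs -> non-CDN -> grouped by ASN, plus the densest ASN's /24s."""
    unique = {ip for ips in samples.values() for ip in ips}
    non_cdn = filter_cdn(unique)
    by_asn = group_by_asn(non_cdn)
    densest = max(by_asn, key=lambda a: len(by_asn[a]))
    return {
        "unique": len(unique),
        "non_cdn": len(non_cdn),
        "by_asn": by_asn,
        "densest_asn": densest,
        "subnets": bucket_by_subnet(by_asn[densest]),
    }


if __name__ == "__main__":
    result = hunt(SAMPLES)
    print(f"{result['unique']} unique IPs, {result['non_cdn']} outside CDN ranges")
    for asn, ips in sorted(result["by_asn"].items(), key=lambda kv: -len(kv[1])):
        print(f"AS{asn}: {len(ips)} IPs")
    print("densest ASN", result["densest_asn"], dict(result["subnets"]))
```

The CDN filter is the step that makes the ASN grouping meaningful: without it, Cloudflare's prefixes would dominate any count and the real hosting provider would never surface. Prevalence (how many samples contact the same IP) is what separates a shared C2 from one-off infrastructure and is worth checking before pivoting on an address.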