
In a revealing investigation, French cybersecurity firm Intrinsec exposes the sprawling infrastructure of BtHoster, a bulletproof hosting provider fueling widespread scanning, brute-force attacks, and malware campaigns through a series of shell companies and autonomous systems.
Between February and March 2025, Intrinsec’s honeypots detected an alarming spike in traffic originating from obscure autonomous systems in the United Kingdom. “By analysing the networks that most hit our honeypots, we found two autonomous systems named Skynet Network Ltd (AS214295) and Inside Network LTD (AS215476), that we assess with a high level of confidence to be operated by the bulletproof hosting provider BtHoster,” the report states.
These networks were far from isolated. Intrinsec traced their upstream traffic to UAB Host Baltic (AS209605), a Lithuanian ISP “used by those smaller bulletproof networks for its upstream capacities.” Intrinsec observed over 62,000 attacks from this AS alone within a single month—most tied to masscan scans and botnet activity.
BtHoster and its affiliates openly market their infrastructure for illegal purposes. In underground forums, the group boasts of servers where “scan / brute / cracking” operations are not only tolerated but encouraged. Customers are even offered pre-configured masscan servers with up to 1300 kpps (kilo packets per second) throughput—ideal for large-scale internet scanning and enumeration campaigns.
When a provider like BtHoster gets blacklisted, it simply changes its skin. “Some of them were only rebrands of a known bulletproof hosting provider named BtHoster that created those new entities to evade bad reputation and blocklists,” the report notes.
For example, Inside Network LTD’s prefix (77.90.185.0/24) was previously announced by BtHoster LTD itself. The same Telegram contact—@bthosterltd—appears on the websites of both entities.
Other shell companies include Limited Network LTD, SS-Net, 4Vendeta, and 4Media Ltd, often located in the UK or Bulgaria, and all sharing infrastructure or contact points with BtHoster. Many of these entities are on Spamhaus blocklists, but some, alarmingly, are not.
The report also highlights the use of BGP hijacking techniques to misattribute attacks to other regions—particularly Iran. “The description and geolocation of the previous Iranian autonomous system prefixes were kept on the new ones, making it look like the attacks came from Iran.”
One such example involves CIPHER OPERATIONS DOO BEOGRAD (AS215930), which reannounced Iranian prefixes and launched aggressive scanning traffic, alongside Amwaj Alkhyr and Skynet Network. A March 5th tweet by security researcher Jo Provost flagged this as “a classic BGP hijacking case” intended for misdirection and anonymity.
The infrastructure extends even deeper into the Russian cybercriminal ecosystem. BtHoster-linked prefixes are tied to proxy services like Proxyline, Farmproxy.ru, and Spaceproxy, all fed IP ranges by Stark Industries Solutions—a known provider used in Russian disinformation and cyber operations.
“GLOBAL INTERNET SOLUTIONS LLC – AS207713 and GLOBAL CONNECTIVITY SOLUTIONS LLP (AS215540) […] are often used by Russian state sponsored intrusion sets such as Gamaredon (UAC-0010), Doppelgänger, and NoName057(16),” Intrinsec reveals.
To combat these threats, Intrinsec advises organizations to:
- Block traffic from all identified ASNs tied to BtHoster and its network cluster.
- Track IP prefix reassignments, especially those that retain misleading geolocation data.
- Add indicators of compromise (IOCs) from this report to threat intelligence platforms.
As the report concludes: “Tracking their network infrastructure and relations to other entities represents a key element to anticipate future threats and intrusion sets.”
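The first two recommendations above can be automated by comparing routing snapshots. The sketch below is an added example, not code from Intrinsec or from this article: the ASNs are the ones named in the text, while the prefixes, the origin ASNs 64500/64501, the country labels and the snapshot format are constructed for illustration.

```python
import ipaddress

# ASNs the article names as tied to BtHoster or its wider cluster.
WATCHLIST = {214295: "Skynet Network Ltd", 215476: "Inside Network LTD",
             209605: "UAB Host Baltic", 215930: "CIPHER OPERATIONS DOO BEOGRAD",
             207713: "GLOBAL INTERNET SOLUTIONS LLC",
             215540: "GLOBAL CONNECTIVITY SOLUTIONS LLP"}

# Constructed snapshots: prefix -> (origin ASN, country in geolocation data).
# Prefixes and AS64500/AS64501 are documentation-reserved, not from the report.
OLD = {"192.0.2.0/24": (64500, "IR"),
       "198.51.100.0/24": (64501, "BG"),
       "203.0.113.0/24": (64501, "NL")}
NEW = {"192.0.2.0/24": (215930, "IR"),     # new origin, old geolocation kept
       "198.51.100.0/24": (215476, "GB"),  # new origin, geolocation updated
       "203.0.113.0/24": (64501, "NL")}    # unchanged

def reassignments(old, new, watchlist=WATCHLIST):
    """List prefixes whose origin ASN changed between two snapshots."""
    findings = []
    for prefix in sorted(old.keys() & new.keys()):
        (old_asn, old_cc), (new_asn, new_cc) = old[prefix], new[prefix]
        if old_asn == new_asn:
            continue
        findings.append({
            "prefix": prefix, "old_asn": old_asn, "new_asn": new_asn,
            "watchlisted": new_asn in watchlist,
            # Heuristic: same country label under a new origin may be stale.
            "geo_retained": old_cc == new_cc,
        })
    return findings

def origin_for(ip, table):
    """Longest-prefix match of an address against a snapshot, or None."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, (asn, _cc) in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def should_block(ip, table=NEW, watchlist=WATCHLIST):
    """True when the address's current origin ASN is on the watchlist."""
    return origin_for(ip, table) in watchlist

if __name__ == "__main__":
    for finding in reassignments(OLD, NEW):
        print(finding)
    print(should_block("192.0.2.77"), should_block("203.0.113.5"))
```

A finding with both `watchlisted` and `geo_retained` set is the pattern the report describes for the reannounced Iranian prefixes, so source-country fields in alerts for that prefix should not be trusted until the origin is verified.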