This systematic approach to network utilization demonstrates the sophisticated nature of modern bulletproof hosting operations and their critical role in enabling large-scale cybercriminal campaigns across multiple malware families and attack vectors. The 93.123.39.0/24 network segment functions as the primary DDoS and botnet command center, hosting 39 malicious IP addresses that distribute over 120 different malware payloads. The investigation revealed that the hosting provider’s approximately 2,300 hosts are being utilized for various malicious purposes, from hosting phishing websites impersonating legitimate financial services like Brex to distributing sophisticated malware payloads targeting both Windows and Linux architectures. The company, operating under Autonomous System Number (ASN) 213702, has been identified as the infrastructure backbone supporting multiple high-profile malware families including Lumma Stealer, Amadey Botnet, and Mirai variants. A sophisticated bulletproof hosting operation has emerged as a critical enabler of global malware campaigns, with cybersecurity researchers uncovering extensive evidence linking UK-registered company Qwins Ltd to widespread cybercriminal activities. Notably, Konstantinova served as acting director for exactly six months before the company underwent a strategic rebranding in April 2025, becoming “Quality IT Network Solutions Limited.” This timeline coincides with increased malicious activity across the provider’s network infrastructure. Cyber Intelligence Insights researchers identified a disturbing pattern of abuse across Qwins Ltd’s network segments, with evidence pointing to systematic exploitation by multiple threat actor groups. Recent analysis of over 100 Lumma Stealer samples revealed that threat actors are leveraging Qwins Ltd’s hosting services to orchestrate coordinated attacks across multiple vectors. The most significant revelation from the analysis involves the systematic segmentation of malicious activities across Qwins Ltd’s network infrastructure. The 77.105.164.0/24 segment completes the infrastructure by providing command-and-control services, configuration hosting, and data exfiltration capabilities, ensuring persistent communication between infected systems and threat actor infrastructure. The investigation, spanning July 15-22, 2025, identified 292 communicating IP addresses associated with malicious activities, with the company’s infrastructure serving as both command-and-control centers and payload distribution hubs. Operating from server locations across Russia, Germany, Finland, Netherlands, and Estonia, Qwins Ltd offers virtual private servers and dedicated hosting at remarkably low prices starting around $2 per month, making it an attractive option for cybercriminals seeking cost-effective infrastructure. Supporting the attack chain, the 95.164.53.0/24 network functions as the initial infection vector, distributing document-based droppers including malicious PDF, DOC, and ZIP files. The primary malicious activities are concentrated across four distinct network segments, each serving specialized functions in the broader cybercriminal ecosystem. This network primarily operates botnet infrastructure communicating through port 666, facilitating large-scale distributed denial-of-service attacks and maintaining persistent access to compromised systems. Key IP address 141.98.6.34 has been particularly active, hosting phishing sites and serving as a communication endpoint for multiple malware families. Analysis of the network’s malicious infrastructure reveals a sophisticated operational structure designed to maximize attack effectiveness while minimizing detection. These payloads serve as entry points for infection chains, subsequently directing victims to download additional malware components from other network segments. The 141.98.6.0/24 segment serves as the information stealer hub, with 15 flagged IP addresses hosting approximately 45 malware samples.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 31 Jul 2025 02:25:28 +0000