Russian-aligned hacking groups UAC-0050 and UAC-0006 have been observed cycling their network infrastructure through bulletproof hosting providers, enabling persistent campaigns against Ukrainian entities and their international allies. These complex hosting arrangements give the threat actors resilient infrastructure that complicates attribution and frustrates takedown efforts, allowing them to retain access to compromised systems even as individual infrastructure components are identified and blocked. The infrastructure supporting these operations reveals a complex web of bulletproof hosting providers operating through offshore shell companies.

These threat actors conducted financially motivated and espionage operations throughout late 2024 and early 2025, primarily targeting organizations in Ukraine’s energy sector, governmental institutions, and critical infrastructure. In one notable campaign in January 2025, attackers deployed NetSupport Manager remote access tools through JavaScript downloaders hosted on compromised infrastructure. This shift coincided with a migration to new network infrastructure hosted on bulletproof providers that specialize in evading detection and legal consequences.

Network traffic patterns reveal communications between infected systems and command-and-control servers hosted on IP addresses such as 185.157.213[.]71 and 147.45.44[.]255, which resolve to domains owned by shell companies registered in offshore jurisdictions such as the Seychelles. The primary provider, Global Connectivity Solutions LLP (AS215540), is a UK-based autonomous system that routes traffic through Stark Industries (AS44477), a network that cybersecurity researchers have linked to Russian intelligence operations. IPv4 prefixes previously announced by the sanctioned bulletproof hosting provider Zservers were systematically transferred to newly created autonomous systems, including AS213194, AS61336, and AS213010.
Intrinsec researchers noted a significant tactical shift in early 2025, when UAC-0050 transitioned from using Remcos and sLoad to predominantly leveraging NetSupport Manager for their operations. Analysis of network infrastructure reveals a deliberate strategy to obscure attribution and evade sanctions. These networks are registered to seemingly unrelated entities but share peering agreements and technical characteristics with known malicious infrastructure.
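A practical follow-up for defenders is to sweep outbound connection logs for the two command-and-control addresses the report names. The script below is an added example written for this page, not code from Intrinsec or the article: it refangs the published indicators (only the two IPs above are used; no other addresses are assumed), parses a constructed firewall log format, and returns every internal host that contacted one of them so that host can be triaged. The log format and the sample lines are invented for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Indicators exactly as the article publishes them (defanged with "[.]").
DEFANGED_C2_IPS = ["185.157.213[.]71", "147.45.44[.]255"]


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('1.2.3[.]4', 'hxxps://x[.]y') into a usable one."""
    out = indicator.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    # Restore the scheme on defanged URLs (hxxp -> http, hxxps -> https).
    out = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), out)
    return out


def load_c2_set(defanged: Iterable[str]) -> Set[ipaddress.IPv4Address]:
    """Parse the defanged list into IPv4Address objects; bad entries raise early."""
    return {ipaddress.IPv4Address(refang(i)) for i in defanged}


# Hypothetical firewall log line (constructed for this example, not from the article):
#   "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<action>\w+)$"
)


def find_c2_contacts(log_lines: Iterable[str],
                     c2: Set[ipaddress.IPv4Address]) -> List[Dict[str, object]]:
    """Return one record per log line whose destination is a known C2 address."""
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # lines in an unexpected format are skipped, not treated as matches
        dst = ipaddress.IPv4Address(m["dst"])
        if dst in c2:
            hits.append({
                "ts": m["ts"],
                "src": m["src"],
                "dst": str(dst),
                "port": int(m["port"]),
                "action": m["action"],
            })
    return hits


def hosts_to_triage(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Collapse hits into {internal_host: number_of_c2_contacts} for the IR queue."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[str(h["src"])] = counts.get(str(h["src"]), 0) + 1
    return counts


# Constructed sample log lines; 192.0.2.10 is a documentation address used as benign traffic.
SAMPLE_LOGS = [
    "2025-01-14T09:12:03Z 10.20.30.41 -> 185.157.213.71:443 ALLOW",
    "2025-01-14T09:12:05Z 10.20.30.41 -> 192.0.2.10:443 ALLOW",
    "2025-01-14T09:15:40Z 10.20.30.57 -> 147.45.44.255:8080 ALLOW",
    "2025-01-14T09:16:02Z 10.20.30.41 -> 147.45.44.255:443 DENY",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    c2_set = load_c2_set(DEFANGED_C2_IPS)
    contacts = find_c2_contacts(SAMPLE_LOGS, c2_set)
    for c in contacts:
        print(f"{c['ts']} {c['src']} -> {c['dst']}:{c['port']} ({c['action']})")
    print("hosts to triage:", hosts_to_triage(contacts))
```

A DENY line still counts as a hit: a blocked connection attempt to a C2 address is evidence that the source host is already running the implant, so the host is queued for triage regardless of the firewall's verdict.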
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 31 Mar 2025 08:25:14 +0000