Exposed: Over 1,250 Command and Control Servers Active in Russian Hosting Providers
New research reveals a startling reality within Russian networks: over 1,250 active command-and-control (C2) servers have been operating across 165 domestic infrastructure providers between January and April 2026. This comprehensive mapping of malicious infrastructure exposes a widespread ecosystem that extends beyond isolated incidents to systemic abuse across shared hosting, VPS platforms, and telecom networks.
Infrastructure-Centric Intelligence Reveals Hidden Threat Networks
Using advanced analytics tools like Host Radar and HuntSQL, security researchers correlated diverse threat artifacts to identify providers hosting coordinated cyber campaigns. Unlike traditional indicator-based approaches, this method tracks infrastructure patterns across:
- 1,252 active C2 servers
- 75 malicious open directories
- 69 phishing sites
- 17 public IOCs
As shown below, C2 infrastructure dominates the landscape, constituting 88.6% of observed artifacts:

Key Hosting Providers Enabling Global Threat Operations
A concentrated group of providers hosts malicious infrastructure at scale:
- TimeWeb: 311 C2 servers (15.7% of total)
- WebHost1: 140 C2 servers
- REG.RU: 138 C2 servers
- VDSina: 86 C2 servers
- PROSPERO OOO: 80 C2 servers
Telecom providers like Rostelecom and Er-Telecom also appear among the top offenders, confirming that both commercial and backbone networks enable abuse. Visual analysis below shows the concentration pattern:

Malware Families Dominating Russian Networks
Keitaro leads observed malware families with 587 unique C2 IPs, followed by:
- IoT botnets: Hajime, Mozi, and Mirai compromise routers and embedded devices
- Post-exploitation frameworks: Cobalt Strike, Tactical RMM, Sliver, and Ligolo-ng
- Phishing infrastructure: Includes sophisticated techniques like “ClickFix” (fake CAPTCHA attacks)
Notably, IP 85.239.54[.]130 associated with CERT Polska’s ClickFix analysis demonstrated how TimeWeb infrastructure enables sophisticated social engineering attacks:

Strategic Implications for Defenders
This infrastructure-centric approach enables security teams to:
- Identify high-risk networks for prioritized monitoring and blocking
- Track shared infrastructure across unrelated campaigns
- Pressure providers through sanctions and enforcement actions
- Focus resources on high-impact tooling (Keitaro, IoT botnets) rather than payload variants
As evidenced by sanctions against “bulletproof” providers, effective targeting at the hosting layer can disrupt entire threat ecosystems. For more details on methodology and provider-specific intelligence, visit Hunt.io’s full analysis.