Exposed: Over 1,250 Command and Control Servers Active in Russian Hosting Providers

New research reveals a startling reality within Russian networks: over 1,250 active command-and-control (C2) servers have been operating across 165 domestic infrastructure providers between January and April 2026. This comprehensive mapping of malicious infrastructure exposes a widespread ecosystem that extends beyond isolated incidents to systemic abuse across shared hosting, VPS platforms, and telecom networks.

Infrastructure-Centric Intelligence Reveals Hidden Threat Networks

Using advanced analytics tools like Host Radar and HuntSQL, security researchers correlated diverse threat artifacts to identify providers hosting coordinated cyber campaigns. Unlike traditional indicator-based approaches, this method tracks infrastructure patterns across:

  • 1,252 active C2 servers
  • 75 malicious open directories
  • 69 phishing sites
  • 17 public IOCs

As shown below, C2 infrastructure dominates the landscape, constituting 88.6% of observed artifacts:

Aggregate breakdown of C2 servers (1,252), phishing sites (69), malicious open directories (75), and public IOCs (17) detected in Russian environments
Threat artifact distribution across Russian providers (Source: Hunt.io)

Key Hosting Providers Enabling Global Threat Operations

A concentrated group of providers hosts malicious infrastructure at scale:

  • TimeWeb: 311 C2 servers (15.7% of total)
  • WebHost1: 140 C2 servers
  • REG.RU: 138 C2 servers
  • VDSina: 86 C2 servers
  • PROSPERO OOO: 80 C2 servers

Telecom providers like Rostelecom and Er-Telecom also appear among the top offenders, confirming that both commercial and backbone networks enable abuse. Visual analysis below shows the concentration pattern:

Top 10 Russian providers by C2 activity
Top ten Russian providers by C2 server volume (3-month period) (Source: Hunt.io)

Malware Families Dominating Russian Networks

Keitaro leads observed malware families with 587 unique C2 IPs, followed by:

  • IoT botnets: Hajime, Mozi, and Mirai compromise routers and embedded devices
  • Post-exploitation frameworks: Cobalt Strike, Tactical RMM, Sliver, and Ligolo-ng
  • Phishing infrastructure: Includes sophisticated techniques like “ClickFix” (fake CAPTCHA attacks)

Notably, IP 85.239.54[.]130 associated with CERT Polska’s ClickFix analysis demonstrated how TimeWeb infrastructure enables sophisticated social engineering attacks:

TimeWeb infrastructure with ClickFix indicators
Hunt.io’s IP intelligence showing TimeWeb’s AS9123 linked to fake CAPTCHA attacks (Source: Hunt.io)

Strategic Implications for Defenders

This infrastructure-centric approach enables security teams to:

  • Identify high-risk networks for prioritized monitoring and blocking
  • Track shared infrastructure across unrelated campaigns
  • Pressure providers through sanctions and enforcement actions
  • Focus resources on high-impact tooling (Keitaro, IoT botnets) rather than payload variants

As evidenced by sanctions against “bulletproof” providers, effective targeting at the hosting layer can disrupt entire threat ecosystems. For more details on methodology and provider-specific intelligence, visit Hunt.io’s full analysis.

Related Articles

Back to top button