Cybersecurity researchers have uncovered a substantial network of malicious infrastructure operating within Russia’s commercial hosting environments. Over a three-month period from January 1 to April 1, 2026, more than 1,250 active command-and-control (C2) servers were identified across 165 distinct Russian infrastructure providers. This discovery highlights the sophisticated embedding of cyberattack mechanisms within legitimate commercial networks, significantly complicating efforts to disrupt malicious activities.
These C2 servers, instrumental in directing malware and exfiltrating data, were found distributed across various hosting types, including shared platforms, virtual private servers, and telecommunications networks. The widespread distribution across a large number of providers, rather than being concentrated in a few, suggests a deliberate strategy to enhance resiliency and evade detection.
Malware Families and Active Campaigns Driving Russian Hosting Abuse
Analysts from Hunt.io, utilizing their Host Radar intelligence module, meticulously mapped these C2 servers and other malicious artifacts back to their sustaining hosting providers. The analysis revealed approximately 1,290 malicious artifacts in total, with C2 infrastructure accounting for a dominant 88.6%, or 1,252 servers. Other detected threats included malicious open directories (5.3%), phishing sites (4.9%), and publicly reported indicators of compromise (1.2%). These findings provide granular, provider-level visibility into the threat landscape.
Key Russian hosting providers were identified as hosting significant numbers of these C2 servers. TimeWeb led this list with 311 detected servers, followed by WebHost1 with 140, REG.RU with 138, VDSina with 86, and PROSPERO OOO with 80. This concentration suggests that disruption efforts focused on these providers could have a notable impact on mitigating the associated threats.
Digging deeper into the nature of the malicious infrastructure, Hunt.io researchers employed HuntSQL to identify specific malware families. Keitaro, a traffic distribution system frequently employed for malware redirection, was found to be the most prevalent, contributing to 587 unique C2 IP addresses. Other significant threats included the IoT-focused Hajime botnet with 191 C2 servers, alongside ongoing abuse of routers and embedded devices by Mozi and Mirai.
Furthermore, the analysis identified the repurposing of offensive security frameworks for malicious ends. Tactical RMM was linked to 87 endpoints, while Cobalt Strike variants and other tools like Sliver and Ligolo-ng were also detected. The presence of scanning and phishing tools such as Acunetix, Interactsh, and Gophish indicates that this infrastructure supports not only direct intrusions but also crucial phases like reconnaissance and credential theft.
Specific Campaigns and Their Modus Operandi
Several active campaigns underscore the severity of these findings, illustrating how threat actors leverage this infrastructure. For instance, a campaign on JSC TIMEWEB utilized a fake CAPTCHA technique known as ClickFix to trick users into executing a PowerShell command. This command would download the Latrodectus v2.3 malware, which then communicated with attacker-controlled domains.
Infrastructure hosted by REG.RU was implicated in a Lumma Stealer operation that employed Google Groups redirectors to distribute malicious archives targeting both Windows and Linux systems. On Hosting Technology LTD infrastructure, the SmartApeSG campaign deployed the Remcos RAT through deceptive CAPTCHA prompts on compromised websites, establishing persistence via DLL sideloading.
Beget LLC’s hosting environment was found to support the UAC-0252 campaign, which impersonated Ukrainian government institutions. This campaign utilized a vulnerability in WinRAR (CVE-2025-8088) to deploy SHADOWSNIFF and SALATSTEALER infostealers. Separately, Proton66 OOO infrastructure was linked to a BoryptGrab infostealer operation that exploited over 100 public GitHub repositories through sophisticated SEO manipulation techniques.
The widespread presence of these malicious C2 servers within Russian commercial hosting presents a significant challenge for global cybersecurity efforts. The distribution across numerous providers makes broad blocking difficult, and the use of legitimate infrastructure provides a degree of camouflage. Security teams are advised to prioritize provider-level monitoring and consider controls against the most active hosting providers, such as TimeWeb and REG.RU. Additionally, monitoring outbound connections to Russian ASNs exhibiting elevated C2 activity, implementing threat intelligence that goes beyond file hashes, and hardening endpoints against curl-to-PowerShell execution chains and exposed IoT devices are crucial steps in mitigating exposure to these evolving threats.
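The provider-level monitoring recommended above can be implemented as a simple enrichment step over outbound firewall logs: map each destination to a hosting provider by prefix, count connections per provider and per internal host, and escalate hosts that touched a known C2 indicator. The following is an added example written for this article, not code from Hunt.io or its Host Radar module. The provider names, prefixes (RFC 5737 documentation ranges), indicator IPs, family tags and log lines are all constructed placeholders; a real deployment would load prefixes, ASNs and indicators from the team's own threat-intelligence feed.

```python
# Added example: provider-level matching of outbound connection logs against a
# prefix-keyed watchlist of hosting providers plus per-IP C2 indicators.
# All names, prefixes and log lines below are constructed placeholders.
import ipaddress
import re
from collections import Counter

# Constructed provider table. Prefixes are RFC 5737 documentation ranges used
# as stand-ins for a provider's real announced prefixes / ASN.
PROVIDER_PREFIXES = {
    "PROVIDER-A (placeholder)": ["203.0.113.0/24"],
    "PROVIDER-B (placeholder)": ["198.51.100.0/25"],
}

# Constructed per-IP indicators: destination IP -> family / tooling tag.
C2_INDICATORS = {
    "203.0.113.10": "Keitaro TDS (placeholder)",
    "203.0.113.77": "Latrodectus (placeholder)",
    "198.51.100.5": "Lumma Stealer (placeholder)",
}

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2026-03-02T10:01:05Z action=allow src=10.0.0.15 dst=203.0.113.10 dport=443 proto=tcp
2026-03-02T10:01:09Z action=allow src=10.0.0.15 dst=203.0.113.10 dport=443 proto=tcp
2026-03-02T10:02:11Z action=allow src=10.0.0.22 dst=198.51.100.5 dport=80 proto=tcp
2026-03-02T10:03:40Z action=allow src=10.0.0.31 dst=192.0.2.9 dport=443 proto=tcp
2026-03-02T10:04:02Z action=allow src=10.0.0.50 dst=203.0.113.200 dport=8080 proto=tcp
2026-03-02T10:04:30Z action=allow src=10.0.0.50 dst=203.0.113.201 dport=8080 proto=tcp
2026-03-02T10:05:00Z action=deny src=10.0.0.40 dst=203.0.113.77 dport=443 proto=tcp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)

# Pre-parse the prefix table once so lookups are cheap.
_NETWORKS = [
    (ipaddress.ip_network(prefix), provider)
    for provider, prefixes in PROVIDER_PREFIXES.items()
    for prefix in prefixes
]


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def lookup_provider(ip):
    """Map a destination IP to a watched provider by longest-matching prefix."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, provider in _NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, provider)
    return best[1] if best else None


def analyze(log_text, threshold=2):
    """Enrich each outbound record with its provider and build a triage list.

    Blocked attempts are counted as well: a deny still shows the host tried
    to reach the destination, which is what matters for triage.
    """
    by_provider = Counter()        # provider -> total outbound records
    per_host_provider = Counter()  # (src, provider) -> records
    known_hits = []                # (src, dst, tag) for direct indicator matches

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        provider = lookup_provider(rec["dst"])
        if provider is None:
            continue  # destination is not in any watched provider range
        by_provider[provider] += 1
        per_host_provider[(rec["src"], provider)] += 1
        tag = C2_INDICATORS.get(rec["dst"])
        if tag:
            known_hits.append((rec["src"], rec["dst"], tag))

    # Severity: a direct indicator hit is "high"; repeated traffic into a
    # watched provider without a known indicator is "medium" (needs review).
    triage = {}
    for src, _, _ in known_hits:
        triage[src] = "high"
    for (src, _), count in per_host_provider.items():
        if count >= threshold:
            triage.setdefault(src, "medium")

    return {
        "by_provider": dict(by_provider),
        "known_c2_hits": known_hits,
        "hosts_to_triage": sorted(triage.items()),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for provider, count in report["by_provider"].items():
        print(f"{provider}: {count} outbound records")
    for src, severity in report["hosts_to_triage"]:
        print(f"triage {src}: {severity}")
```

The "medium" bucket is the provider-level signal the article argues for: it surfaces hosts talking repeatedly to a high-abuse provider even when the specific destination IP is not yet on any indicator list, which is exactly the gap that hash- and IP-only matching leaves open.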