1,250+ C2 Servers Mapped Across Russian Hosting Across 165 Providers

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Cybersecurity researchers have uncovered a large and organized network of malicious infrastructure quietly running inside Russia’s commercial hosting ecosystem.

Over a three-month window from January 1 to April 1, 2026, more than 1,250 active command-and-control (C2) servers were detected across 165 Russian infrastructure providers, spanning shared hosting platforms, virtual server environments, and telecommunications networks.

A command-and-control server is the backbone of most cyberattacks — the system attackers use to send instructions to infected machines and retrieve stolen data.

Finding over 1,250 of these servers active at once, all housed within Russian hosting providers, shows how deeply malicious infrastructure has embedded itself into legitimate commercial networks.

The servers are not concentrated in one or two obscure corners of the internet; they are distributed across 165 separate providers, making them harder to block and easier to maintain without drawing attention.

Hunt.io analysts and researchers identified these patterns using Host Radar, a core intelligence module built to correlate C2 servers, phishing infrastructure, open malicious directories, and public indicators of compromise back to the hosting providers that sustain them.

Their analysis surfaced repeatable patterns in how malicious infrastructure is distributed and reused across Russian hosting environments, providing provider-level visibility that separates actionable intelligence from a stream of disposable IP addresses.

Across the full dataset, Host Radar recorded approximately 1,290 malicious artifacts during the observation period. C2 infrastructure dominates, accounting for roughly 88.6% of all detected activity with 1,252 servers confirmed.

Malicious open directories make up about 5.3%, phishing sites roughly 4.9%, and publicly reported indicators of compromise around 1.2%.

TimeWeb leads with 311 detected C2 servers over 90 days, followed by WebHost1 with 140, REG.RU with 138, VDSina with 86, and PROSPERO OOO with 80.

Malware Families and Active Campaigns

Using HuntSQL, analysts queried telemetry across Russian networks to identify which malware families were hosting the most C2 infrastructure.

Keitaro, a traffic distribution system frequently abused to redirect victims toward malware, leads the dataset with 587 unique C2 IP addresses — the largest concentration observed.

Hajime, an IoT-focused botnet, follows with 191 C2 servers, while Mozi and Mirai reflect ongoing abuse of compromised routers and embedded devices.

Offensive security frameworks including Tactical RMM (87 endpoints), Cobalt Strike variants (55 combined), Sliver, and Ligolo-ng were also found, all repurposed for malicious use.

Scanning and phishing tools like Acunetix, Interactsh, and Gophish were detected as well, confirming this infrastructure supports reconnaissance and credential theft alongside direct intrusions.

Top 10 Malware Command-and-Control (C2) Families (Source – Hunt.io)

Active campaigns tied to this infrastructure reinforce the gravity of these findings. One campaign on JSC TIMEWEB used a fake CAPTCHA technique called ClickFix to trick users into executing a PowerShell command that downloaded Latrodectus v2.3 malware communicating with attacker-controlled domains.

REG.RU-hosted infrastructure was linked to a Lumma Stealer operation abusing Google Groups redirectors to push malicious archives across Windows and Linux systems.

On Hosting Technology LTD infrastructure, the SmartApeSG campaign delivered Remcos RAT through fake CAPTCHA prompts on compromised sites, establishing persistence via DLL sideloading.

Beget LLC infrastructure hosted activity tied to the UAC-0252 campaign, which impersonated Ukrainian government institutions and deployed SHADOWSNIFF and SALATSTEALER infostealers through a WinRAR vulnerability tracked as CVE-2025-8088.

Top ISPs hosting malware (Source – Hunt.io)

Proton66 OOO infrastructure was separately connected to a BoryptGrab infostealer operation abusing over 100 public GitHub repositories through SEO manipulation.

Security teams should treat provider-level monitoring as a core defensive priority. Applying controls against the highest-volume providers — especially TimeWeb, REG.RU, WebHost1, VDSina, and PROSPERO OOO — can meaningfully reduce exposure.

Organizations should monitor outbound connections to Russian ASNs with elevated C2 activity, apply threat intelligence that covers infrastructure-level indicators (hosting providers, IP ranges, domains) rather than file hashes alone, restrict the curl-to-PowerShell execution chains that ClickFix-style lures depend on, and maintain visibility into IoT and edge devices given the continued activity of the Hajime, Mozi, and Mirai botnets.
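One way to put the provider-level monitoring recommended above into practice, as an added example that is not Hunt.io's or the article's own code: it tallies allowed outbound connections from a firewall log against a watchlist of the providers named in this report and attributes them to internal hosts. The prefix-to-provider map and the log lines are constructed placeholders; real address ranges must come from your own ASN enrichment.

```python
"""Provider-level outbound C2 exposure check (added example, not Hunt.io code)."""
from collections import Counter, defaultdict
import ipaddress
import re

# Placeholder mapping of destination prefixes to the hosting providers named in
# the article. These documentation prefixes are constructed for this example and
# are NOT the providers' real address space; populate from your ASN enrichment.
WATCHED_PROVIDERS = {
    "203.0.113.0/24": "TimeWeb",
    "198.51.100.0/25": "REG.RU",
    "198.51.100.128/25": "WebHost1",
    "192.0.2.0/26": "VDSina",
    "192.0.2.64/26": "PROSPERO OOO",
}
_NETS = [(ipaddress.ip_network(p), name) for p, name in WATCHED_PROVIDERS.items()]

# Constructed firewall log lines: timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2026-03-02T10:01:07Z 10.0.5.21 203.0.113.45 443 ALLOW
2026-03-02T10:01:09Z 10.0.5.21 203.0.113.45 443 ALLOW
2026-03-02T10:02:11Z 10.0.7.14 198.51.100.200 80 ALLOW
2026-03-02T10:03:30Z 10.0.5.21 93.184.216.34 443 ALLOW
2026-03-02T10:04:02Z 10.0.9.3 192.0.2.70 8443 ALLOW
2026-03-02T10:04:05Z 10.0.9.3 198.51.100.9 443 DENY
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")

def provider_for(ip):
    """Return the watched provider owning ip, or None if it is not on the list."""
    addr = ipaddress.ip_address(ip)
    for net, name in _NETS:
        if addr in net:
            return name
    return None

def analyze(log_text):
    """Count allowed outbound connections per watched provider and per internal host."""
    by_provider = Counter()
    by_host = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, src, dst, _port, action = m.groups()
        prov = provider_for(dst)
        if prov is None or action != "ALLOW":
            continue  # only successful connections to watched providers count
        by_provider[prov] += 1
        by_host[src][prov] += 1
    return by_provider, {host: dict(c) for host, c in by_host.items()}
```

Denied attempts are skipped here; counting them separately is useful for spotting beaconing that a block rule is already catching.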
