Inside Eastern Europe's C2 Sprawl: 3,900+ Servers and 302 Providers Mapped (Updated)

Inside Eastern Europe's C2 Sprawl: 3,900+ Servers and 302 Providers Mapped (Updated)

Published on

Inside Eastern Europe's C2 Sprawl: 3,900+ Servers, 302 Providers, One Host Doing Half the Work

Blog Post Updated: July 10, 2026

Friendhosting LTD reviewed the data we shared with them and came back to us.

Their review turned up a set of accounts worth investigating, and they told us it prompted them to tighten their internal abuse detection. It also found that the cases raising credible concern involved traffic distribution infrastructure, not infrastructure they could identify as hosting command-and-control servers.

That is the distinction we did not draw clearly enough when this post first went out. Keitaro is a commercial traffic distribution system. Its presence on a network tells you the software is there. It does not tell you the network is running C2.

Our counts have not changed. How we describe them has.


Blog Post Updated: June 27. 2026

A note from our Co-Founder and Head of Research:

After this report was published, a hosting provider named in it raised a fair question: When a server is flagged for running software that is utilized in threat activity, what separates the mere presence of that software from evidence or risk of malicious use?

Our goal is to inform, educate, and help organizations block attacks.

Every tool we track can have legitimate, unwanted, and malicious use cases. The balance between those categories varies depending on the tool, the environment, and the specific context in which it appears.

Upon review, the blog post we published did not adequately capture that nuance. In places, it conflated the presence of certain software with malicious impact.

That was a failure in our editorial review process. We want to apologize to our readers and to the entities referenced for not describing that distinction more clearly.

We are working with some of the entities involved to add the appropriate nuance to both our product and our blog content, so users can more accurately assess risk. We have also heard people in the industry use the term “Threat Activity Enablers”, which we think is a more productive framing and a conversation we intend to take part in.

Certain software may be out of compliance for a specific end user, making it a risk within that environment. But the decision about how to handle that risk belongs to the end user. The phrasing and ranking in the original article made the issue sound more definitive and more hyperbolic than it should have.

We did not do a good enough job explaining the difference between legitimate, unwanted, and malicious use. We would also like to thank Pavlo from Friendhosting LTD and Tom Spring from Security Point Break for asking the questions that prompted us to review this more carefully.

Chris + Esteban


Originally Published on June 24, 2026 - Changes Include: 1) the note above 2) the word "C2" changed to "threat activity enabling" and the word "malicious" to be "potentially malicious"

Eastern Europe has long served as a reliable foundation for both commodity cybercrime and state-linked threat operations, a region where bulletproof hosting providers, major telecoms, and cloud infrastructure coexist within the same ASN pools. Over a three-month window from March 12 to June 12, 2026, we mapped potentially malicious infrastructure across 10 countries in the region, covering Belarus, Bulgaria, the Czech Republic, Hungary, Poland, Moldova, Romania, Russia, Slovakia, and Ukraine.

Across 302 distinct hosting providers, we identified more than 3,900 active threat activity enabling servers. The distribution was anything but even. A small number of providers accounted for a disproportionate share of detections, a level of concentration that doesn't surface when you're tracking individual IPs or domains. It only becomes visible when you look at the hosting layer itself, which is exactly what this analysis does.

Background and Methodology

Every prior region we've mapped has reinforced the same lesson: IPs rotate, domains get burned, but the hosting layer underneath stays remarkably stable. Mapping Chinese hosting environments uncovered 18,000+ threat activity enabling servers where commodity and state-linked tooling shared the same provider networks, Russian providers showed high-tolerance hosts absorbing disproportionate potentially malicious activity, and across the Middle East, a single carrier accounted for nearly three-quarters of all regional threat activity enabling infrastructure. Host Radar exists precisely to surface that kind of provider-level signal automatically, instead of requiring analysts to reconstruct it indicator by indicator.

Using Host Radar, we analyzed telemetry across all 10 countries in scope. The results reveal the scale of active threat activity enabling infrastructure, the dominance of specific malware families, and how frequently major telecoms and hosting providers appear in infrastructure tied to both commodity cybercrime and advanced threat operations.

Here are the key findings.

Key Takeaways

  • More than 3,900 threat activity enabling servers were identified across 302 Eastern European infrastructure providers within the past 3 months.

  • Threat activity enabling infrastructure dominates potentially malicious activity across the region (~90.6%), IOC Hunter posts (~3.4%), potentially malicious open directories (~2.6%) posts (~2.6%), phishing sites (~2.1%), and publicly reported IOCs (~1.4%) accounting for the remainder of observed artifacts.

  • Keitaro leads Eastern European threat activity enablement with 1,277 unique threat activity enabling IPs, followed by Tactical RMM (232) and Acunetix (173).

  • Cloud Atlas APT infrastructure was observed across multiple Eastern European providers, confirming the group's continued reliance on Eastern European hosting.

  • Proton66 OOO was linked to active exploitation of CVE-2026-35273, a critical Oracle PeopleSoft zero-day attributed to the ShinyHunters group, with threat activity enabling infrastructure directly traceable to this Russian provider.

  • [Update June 27] Friendhosting LTD (Bulgaria) hosts many Keitaro instances which can be abused. They are working with data to analyze potential abuse.

  • Russia dominates provider volume, with over 150 distinct Russian ASNs appearing in the dataset, though individual Russian providers show lower threat activity enabling concentrations compared to the Bulgarian and Moldovan outliers.

  • Moldovan providers such as AlexHost and PQ Hosting together account for 299 threat activity enabling servers and carry high bulletproof ratings.

That's where we start.

Potential Malicious Infrastructure Across Eastern Europe

After applying Eastern European country filters (BY, BG, CZ, HU, PL, MD, RO, RU, SK, UA), the Host Radar summary view reveals 302 distinct infrastructure providers operating within Eastern European ISPs, hosting providers, and cloud ecosystems that were associated with potentially malicious activity.

Across the full set of 302 Eastern European infrastructure providers, Host Radar recorded 4,331 total potentially malicious detections during the three-month observation period. Of these, 3,923 were threat activity enabling servers, while IOC Hunter posts accounted for 146, potentially malicious open directories for 111, phishing sites for 90, and publicly reported IOC IPs for 61.

The data reveals that threat activity enabling infrastructure overwhelmingly dominates observed potentially malicious activity, accounting for approximately 90.6% of all detected malicious activity. In comparison, IOC Hunter represents about 3.4%, potentially malicious open directories account for 2.6%, phishing infrastructure is recorded for roughly 2.1%, while publicly reported IOCs contribute approximately 1.4% of the dataset.

Figure 1Figure 1. Aggregate breakdown of threat activity enabling servers (3,923), IOC Hunter posts (146), potentially malicious open directories (111), phishing sites (90), and public IOCs (61) detected within Eastern Europe hosting environments.

This distribution suggests that Eastern Europe's hosting environments are primarily used for threat activity enabling operations, with fewer exposed assets or publicly documented indicators than in other infrastructure ecosystems.

Beyond infrastructure counts alone, Host Radar provides visibility into the threat activity operating behind these assets. Let's explore the real threats across these ISPs.

Threat Actors and Campaigns Active Across Eastern European ISPs

The following examples illustrate how the infrastructure patterns identified above translate into active malware campaigns, state-sponsored espionage operations, and targeted intrusion activity within Eastern European hosting environments.

Over the same period, Hunt.io tracking surfaced several potentially malicious command-and-control (threat activity enabling) endpoints hosted across Eastern European infrastructure providers, beginning with activity linked to 146.70.53[.]171 hosted on M247 Europe SRL (AS9009), which is associated with Cloud Atlas APT campaigns targeting government and diplomatic entities in Russia and Belarus. Kaspersky reporting documents renewed Cloud Atlas activity in H2 2025--early 2026, leveraging phishing ZIPs with LNK shortcuts launching PowerShell, alongside potentially malicious Office documents exploiting CVE-2018-0802.

Figure 2Figure 2. Hunt Intelligence for 146.70.53[.]171 (AS9009, Bulgaria) shows active HTTP/SSH services, multiple associations, and historical Cloud Atlas APT intelligence hits.

Similar campaign IPs 195.58.49[.]99, 185.22.154[.]73, 194.87.196[.]163, 195.58.49[.]9, 46.17.44[.]125, and 46.17.44[.]212 were also found on Baxet (LLC Baxet, AS51659) during the analysis window.

Another IP 146.70.129[.]114 (Czech Republic, AS9009) flagged as a probable Mullvad VPN node associated with an active FreePBX toll-fraud campaign attributed to INJ3CTOR3 that deploys a multi-stage Bash dropper to install the previously undocumented JOMANGY PHP webshell alongside ZenharR.

Figure 3Figure 3. Hunt intelligence for 146.70.129[.]114 (AS9009, Czech Republic) shows Mullvad VPN node with historical IOC references tied to FreePBX persistence and toll-fraud campaigns associated with INJ3CTOR3.

Similarly, the IP 89.36.224[.]5 (Romania, AS9009) was identified as a staging server for a potentially malicious npm package (@velora-dex/sdk version 9.4.1) that deployed a Go-based remote access trojan (minirat) targeting macOS developers in the DeFi/Web3 space, attributed to JINX-0164 threat actor.

Figure 4Figure 4. Hunt Intelligence for 89.36.224[.]5 (AS9009, Romania) shows an active nginx web infrastructure with historical threat intelligence links to JINX-0164 campaigns targeting crypto organizations via social engineering.

The IP 176.120.22[.]24 hosted on Proton66 OOO (AS198953) is directly linked to active exploitation of CVE-2026-35273, a critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools (versions 8.61 and 8.62). Horizon3.ai attributes this exploitation campaign to ShinyHunters, with observed activity between May 27 and June 9, 2026, targeting approximately 300 PeopleSoft instances across more than 100 organizations, including universities.

Figure 5Figure 5. Hunt Intelligence for IP 176.120.22.24 (AS198953, Russia) shows active nginx and OpenSSH services, a potentially exposed directory, and numerous threat intelligence references tied to ShinyHunters' Oracle PeopleSoft exploitation campaigns.

The IP 141.98.83[.]86 hosted on FlyServers S.A. (AS209588) was directly associated with a documented Nemesys ransomware intrusion analyzed in threat research. The attacker authenticated using valid credentials originating from this IP, then deployed an Automim credential-harvesting toolkit including Mimikatz, LaZagne, and multiple NirSoft tools. Persistence was established via HKCU Run key reexecution.

Figure 6Figure 6. Hunt Intelligence shows IP 141.98.83[.]86 linked to a Nemesys ransomware attack leveraging credential dumping, persistence, and rapid encryption.

On Rostelecom (PJSC Rostelecom, AS12389), the IP 78.85.31[.]182 (Izhevsk, AS12389) was found associated with the Ollama Honeypot campaign series (Bleeding Llama, CVE-2026-7482), where attackers exploited exposed Ollama API services to execute coinminer scripts, perform GGUF blob upload attempts, and conduct LLMjacking-style abuse.

Figure 7Figure 7. Hunt Intelligence shows IP 78.85.31.182 associated with activity referenced in "Tales of an Ollama Honeypot (Part 3): More Traffic, More Findings".

Another IP 87.225.105[.]217 (Vladivostok, AS12389) is linked to WantToCry ransomware operations, as stated in Cybersecurity News.

On VDSina (Hosting technology LTD, AS48282), the IP 195.2.67[.]129 associated with Fluffy Wolf phishing campaigns targeting Russian organizations between March and May 2026 was found. Another IP 109.172.88[.]38 (Moscow, AS48282) was linked to a Black Basta affiliate campaign using Microsoft Teams vishing and registration-bombing spam to pressure victims into installing AnyDesk.

Figure 8Figure 8. Hunt Intelligence shows IP 109.172.88[.]38 linked to activity associated with the Black Basta threat group.

On MTW (JSC Mediasoft ekspert, AS48347), the IP 194.87.92[.]109 was directly identified by Unit 42 as an exfiltration server for the evolved Gremlin Stealer variant. The stealer hides its payload and configuration in a .NET resource section using XOR encoding, only decrypting at runtime.

Figure 9Figure 9. Hunt Intelligence shows IP 194.87.92[.]109 operating as a Gremlin Stealer exfiltration server used to receive stolen victim data.

On DDoS-Guard (DDOS-GUARD LTD, AS57724), the IP 185.178.208[.]153 (Global Anycast, AS57724) is associated with the Pink extortion group, a Microsoft 365-focused data theft and extortion operation with tradecraft similarities to ShinyHunters and Blackfile. Pink impersonates internal IT over phone calls to capture credentials and MFA sessions, then exfiltrates SharePoint and OneDrive data via Microsoft Graph APIs.

Figure 10Figure 10. Hunt Intelligence shows IP 185.178.208[.]153 referenced in reporting on the Pink Extortion Group targeting Microsoft 365 and cloud storage credentials.

Additional threat intelligence findings identified several IPs with links to active cybercriminal and state-aligned operations. IP 130.204.1[.]83 (A1 Bulgaria) was associated with the Silent Ransom Group (SRG) DNS fast-flux infrastructure, while 185.203.116[.]18 (Belcloud) was linked to DevilNFC Android malware activity. IP 92.39.211[.]142 (MTS) generated an active XenoRAT signal connected to Gentlemen Ransomware operations.

Meanwhile, 83.168.110[.]191 (SkyPass Solutions Sp. z.o.o.) was identified as infrastructure referenced in Iranian-linked activity involving exploitation staging for CVE-2026-0257 (Palo Alto Networks GlobalProtect authentication bypass), with Pioneer Kitten assessed as a likely actor to weaponize the vulnerability following the June 2026 escalation period. Additionally, 195.62.53[.]253 (IPServer) was associated with ProxyCB botnet command-and-control infrastructure and showed historical links to the TeamSpy cyber-espionage campaign.

These examples demonstrate how Eastern European hosting providers support a diverse threat landscape, ranging from phishing-driven infostealer campaigns to advanced intrusion operations and malware distribution infrastructure.

With the top Eastern European infrastructure hosting providers in mind, let's now focus on analyzing the threat activity enabling infrastructure across different ISPs and regions.

Threat activity enablement Within Eastern European Networks

Using HuntSQL, we analyzed the distribution of command-and-control (threat activity enabling) infrastructure across malware families hosted within Eastern European networks over three months.

Example Query:

SELECT
  malware.name,
  uniq(ip) AS COUNTS
FROM
  malware
WHERE
  asn.country_code IN (
    'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  malware.name
ORDER BY
  COUNTS DESC


                
Copy

Output Example:

Figure 11Figure 11. HuntSQL query output showing the dominant malware families hosting threat activity enabling infrastructure within Eastern European networks over three months.

The results reveal that Keitaro leads the dataset with 1,277 unique threat activity enabling IPs, reflecting widespread abuse of this traffic distribution system (TDS) for malvertising, redirect chains, phishing, and exploit kit campaigns.

Tactical RMM (232 threat activity enabling) represents the second largest concentration of threat activity enabling infrastructure observed in Eastern Europe hosting environments, reflecting widespread abuse of this legitimate remote management tool for post-exploitation operations.

Acunetix (173 threat activity enabling) and Gophish (122 threat activity enabling) indicate a scanning and vulnerability-discovery infrastructure, reflecting active reconnaissance operations targeting external assets.

IoT botnets such as Hajime (106), Mozi (82), and Mirai (27) continue to exploit embedded devices and consumer routers across the region, consistent with Eastern Europe's large installed base of internet-exposed IoT devices.

Cobalt Strike (35 verified + 44 unverified) and Sliver (35) represent the adversary simulation and post-exploitation framework layer, indicating both criminal and state-adjacent operations operating from Eastern European infrastructure.

This concentration lets defenders focus on shared infrastructure rather than individual malware variants rather than chasing individual malware variants.

Figure 12Figure 12. Bar graph illustrating the distribution of the Top 10 Often Abused software observed in Eastern Europe over the last three months.

Infrastructure Providers Hosting the Widest Malware Diversity

A HuntSQL query was designed to surface organizations hosting the widest variety of malware activity with respect to unique IP counts within Eastern European networks over the last three months.

Example Query:

SELECT
  org.name,
  uniq(ip) AS Unique_C2,
  uniq(malware.name) AS Unique_Malware
FROM
  malware
WHERE
  org.name != ""
  AND (
    asn.country_code IN (
      'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
    )
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  org.name
ORDER BY
  Unique_Malware DESC


                
Copy

Output Example:

Figure 13Figure 13. A HuntSQL query aggregating malware telemetry by Eastern European organizations, identifying providers hosting the widest variety of malware families.

The results reveal that malware activity is concentrated within a relatively small set of hosting and cloud providers, many of which support large-scale virtual server and hosting environments.

ICI Bucuresti leads in malware diversity with 12 distinct families across just 15 threat activity enabling endpoints, the highest diversity-to-volume ratio in the dataset.

Yandex.Cloud (37 threat activity enabling, 11 malware families) and OVH Poland (32 threat activity enabling, 10 families) represent large cloud providers whose scale naturally attracts diverse potentially malicious deployments. Both providers' presence reflects the ongoing challenge for major cloud operators in enforcing abuse policies at scale.

PROSPERO OOO (24 threat activity enabling, 9 families) and JSC TIMEWEB (84 threat activity enabling, 9 families) show that dedicated Russian VPS and hosting providers serve multiple simultaneous threat actor campaigns, consistent with their high bulletproof ratings observed in the Host Radar data.

Figure 14Figure 14. Malware Diversity vs. threat activity enabling Volume across Eastern European ISPs - ICI Bucuresti leads in malware family diversity per threat activity enabling, while Yandex.Cloud and TIMEWEB show high-volume, high-diversity profiles.

Country-Level Concentration of Malware Infrastructure

The provider-level view raises an obvious follow-up question: which countries are actually absorbing the bulk of this activity, independent of any single standout provider? We ran a HuntSQL query grouping the same three-month dataset by ASN country to find out.

Example Query:

SELECT
  asn.country_name,
  uniq(ip) AS total
FROM
  malware
WHERE
  org.name != ""
  AND (
    asn.country_code IN (
      'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
    )
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  asn.country_name
ORDER BY
  total DESC


                
Copy

Output Example:

Figure 15Figure 15. HuntSQL query output ranking Eastern European countries by unique malware-associated threat activity enabling IPs over a three-month window.

Russia leads by a wide margin with 929 unique threat activity enabling IPs (45.7% of the top-5 country total), consistent with the sheer number of distinct Russian ASNs already observed in the provider-level data.

What's more interesting is the second-place position of Poland, with 438 IPs (21.5%), a country that barely registered in the top-provider rankings above. This indicates that Poland's malware footprint is distributed across many smaller and mid-sized providers rather than concentrated in one or two standout hosts, the inverse of the pattern seen in Bulgaria.

Bulgaria (298, 14.7%) and Romania (199, 9.8%) round out the top five, both reflecting the influence of their respective standout providers.

Ukraine (170, 8.4%) shows a comparatively even spread across telecommunications carriers (Ukrtelecom, Webinvest Plus) rather than a single dominant host.

Figure 16Figure 16. Country-level distribution of malware-associated threat activity enabling infrastructure across Eastern Europe, highlighting Russia's dominant share and Poland's unexpectedly high concentration relative to its provider-level footprint.

Subsystem-Level Breakdown: What These Servers Are Actually Doing

Malware family names describe the tool; they don't always describe the function. To understand what role this infrastructure plays operationally, we queried the dataset by malware.subsystem, the functional classification Hunt.io assigns to each detected service.

Example Query:

SELECT
  malware.subsystem,
  uniq(ip) AS Unique_C2
FROM
  malware
WHERE
  org.name != ""
  AND (
    asn.country_code IN (
      'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
    )
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  malware.subsystem
ORDER BY
  Unique_C2 DESC


                
Copy

Output Example:

Figure 17Figure 17. HuntSQL query output breaking down Eastern European malware infrastructure by functional subsystem classification.

This breakdown is one of the more revealing cuts of the dataset. Management infrastructure leads by a wide margin at 1,496 unique IPs (65.2% of the subsystem total), far ahead of infrastructure explicitly tagged threat activity enabling (428, 18.7%).

Red Team Tools (234, 10.2%) reflects legitimate adversary-simulation frameworks being run from the same provider pool. Phishing infrastructure (124, 5.4%) is comparatively small as a subsystem category, and Team Server infrastructure (12, 0.5%) is the smallest category, representing dedicated threat activity enabling framework backends rather than the broader tooling ecosystem around them.

Figure 18Figure 18. Functional breakdown of Eastern European malware infrastructure by subsystem, showing that "Management" tooling accounts for the largest share of the threat surface.

How Host Radar Surfaces Provider-Level Threat Signals

The analysis presented in this report did not require manual correlation of IP reputation data, review of raw PCAP captures, or the consolidation of multiple threat intelligence sources. Host Radar centralizes these datasets by aggregating threat activity enabling infrastructure, potentially malicious open directories, phishing activity, and publicly reported IOCs at the provider level.

As a result, questions such as which ASNs host the highest concentration of threat activity enabling infrastructure, which providers exhibit the greatest malware diversity, or which countries show elevated exposure across multiple providers can be answered through targeted queries rather than extensive manual research.

Figure 19Figure 19. Overview of the HostRadar feature inside the Hunt.io Platform

For defenders, this visibility supports several practical use cases. Security Operations teams investigating alerts originating from Eastern European infrastructure can quickly determine whether a source ASN has a history of hosting potentially malicious activity, carries an elevated bulletproof-hosting profile, or has been associated with specific malware families. This additional context helps analysts assess risk and prioritize response efforts more efficiently.

Threat Hunters can leverage HuntSQL to perform the same provider, country, and infrastructure analysis demonstrated throughout this report, enabling detection strategies that focus on persistent infrastructure patterns rather than short-lived indicators.

For Cyber Threat Intelligence teams, provider-level visibility offers a scalable way to assess regional exposure, support vendor risk assessments, monitor geopolitical developments, and track changes in infrastructure risk over time.

The broader lesson remains consistent across every region examined: infrastructure typically changes more slowly than the indicators associated with it. While domains, IP addresses, and malware samples may rotate frequently, the underlying hosting relationships often persist.

Infrastructure Observables

This research is based on a very large set of infrastructure-level signals, including IP addresses, domains, and threat activity enabling endpoints that Hunt.io has identified and labeled as potentially malicious infrastructure, active malware command-and-control, phishing infrastructure, or related abuse across Eastern European ISPs and hosting providers.

Given the scale of the dataset, with more than 3900 active threat activity enabling endpoints observed over three months, publishing a static list here would provide limited operational value.

→ Teams interested in accessing this data with proper context, attribution, and historical tracking can reach out to discuss research collaboration or operational access to the full dataset.

Conclusion

The findings highlight Eastern Europe as a persistent hub for cybercriminal and advanced threat infrastructure, with a small number of high-tolerance hosting providers disproportionately supporting potentially malicious operations while major regional telecommunications networks frequently serve as unwitting hosts for compromised systems.

The dominance of Keitaro (1,277 threat activity enabling) across the Threat activity enablement reflects the region's established role in traffic distribution and redirect infrastructure, a foundational layer for malvertising, phishing, and exploit kit operations. The simultaneous presence of Cobalt Strike, Sliver, and Tactical RMM indicates that Eastern European hosting serves both commodity criminal operations and more sophisticated post-exploitation campaigns sharing the same infrastructure layer.

The prevalence of established threat activity enabling frameworks, traffic distribution systems, and ransomware-related infrastructure underscores the region's continued importance to both commodity cybercrime and sophisticated threat actors.

For defenders, focusing on high-risk ASNs, hosting providers, and recurring infrastructure patterns offers a more resilient detection strategy than relying solely on rapidly changing IP-based indicators.

If you want to explore this host-centric view of potentially malicious infrastructure firsthand, you can see how Host Radar works in practice by booking a demo today.

Blog Post Updated: July 10, 2026

Friendhosting LTD reviewed the data we shared with them and came back to us.

Their review turned up a set of accounts worth investigating, and they told us it prompted them to tighten their internal abuse detection. It also found that the cases raising credible concern involved traffic distribution infrastructure, not infrastructure they could identify as hosting command-and-control servers.

That is the distinction we did not draw clearly enough when this post first went out. Keitaro is a commercial traffic distribution system. Its presence on a network tells you the software is there. It does not tell you the network is running C2.

Our counts have not changed. How we describe them has.


Blog Post Updated: June 27. 2026

A note from our Co-Founder and Head of Research:

After this report was published, a hosting provider named in it raised a fair question: When a server is flagged for running software that is utilized in threat activity, what separates the mere presence of that software from evidence or risk of malicious use?

Our goal is to inform, educate, and help organizations block attacks.

Every tool we track can have legitimate, unwanted, and malicious use cases. The balance between those categories varies depending on the tool, the environment, and the specific context in which it appears.

Upon review, the blog post we published did not adequately capture that nuance. In places, it conflated the presence of certain software with malicious impact.

That was a failure in our editorial review process. We want to apologize to our readers and to the entities referenced for not describing that distinction more clearly.

We are working with some of the entities involved to add the appropriate nuance to both our product and our blog content, so users can more accurately assess risk. We have also heard people in the industry use the term “Threat Activity Enablers”, which we think is a more productive framing and a conversation we intend to take part in.

Certain software may be out of compliance for a specific end user, making it a risk within that environment. But the decision about how to handle that risk belongs to the end user. The phrasing and ranking in the original article made the issue sound more definitive and more hyperbolic than it should have.

We did not do a good enough job explaining the difference between legitimate, unwanted, and malicious use. We would also like to thank Pavlo from Friendhosting LTD and Tom Spring from Security Point Break for asking the questions that prompted us to review this more carefully.

Chris + Esteban


Originally Published on June 24, 2026 - Changes Include: 1) the note above 2) the word "C2" changed to "threat activity enabling" and the word "malicious" to be "potentially malicious"

Eastern Europe has long served as a reliable foundation for both commodity cybercrime and state-linked threat operations, a region where bulletproof hosting providers, major telecoms, and cloud infrastructure coexist within the same ASN pools. Over a three-month window from March 12 to June 12, 2026, we mapped potentially malicious infrastructure across 10 countries in the region, covering Belarus, Bulgaria, the Czech Republic, Hungary, Poland, Moldova, Romania, Russia, Slovakia, and Ukraine.

Across 302 distinct hosting providers, we identified more than 3,900 active threat activity enabling servers. The distribution was anything but even. A small number of providers accounted for a disproportionate share of detections, a level of concentration that doesn't surface when you're tracking individual IPs or domains. It only becomes visible when you look at the hosting layer itself, which is exactly what this analysis does.

Background and Methodology

Every prior region we've mapped has reinforced the same lesson: IPs rotate, domains get burned, but the hosting layer underneath stays remarkably stable. Mapping Chinese hosting environments uncovered 18,000+ threat activity enabling servers where commodity and state-linked tooling shared the same provider networks, Russian providers showed high-tolerance hosts absorbing disproportionate potentially malicious activity, and across the Middle East, a single carrier accounted for nearly three-quarters of all regional threat activity enabling infrastructure. Host Radar exists precisely to surface that kind of provider-level signal automatically, instead of requiring analysts to reconstruct it indicator by indicator.

Using Host Radar, we analyzed telemetry across all 10 countries in scope. The results reveal the scale of active threat activity enabling infrastructure, the dominance of specific malware families, and how frequently major telecoms and hosting providers appear in infrastructure tied to both commodity cybercrime and advanced threat operations.

Here are the key findings.

Key Takeaways

  • More than 3,900 threat activity enabling servers were identified across 302 Eastern European infrastructure providers within the past 3 months.

  • Threat activity enabling infrastructure dominates potentially malicious activity across the region (~90.6%), IOC Hunter posts (~3.4%), potentially malicious open directories (~2.6%) posts (~2.6%), phishing sites (~2.1%), and publicly reported IOCs (~1.4%) accounting for the remainder of observed artifacts.

  • Keitaro leads Eastern European threat activity enablement with 1,277 unique threat activity enabling IPs, followed by Tactical RMM (232) and Acunetix (173).

  • Cloud Atlas APT infrastructure was observed across multiple Eastern European providers, confirming the group's continued reliance on Eastern European hosting.

  • Proton66 OOO was linked to active exploitation of CVE-2026-35273, a critical Oracle PeopleSoft zero-day attributed to the ShinyHunters group, with threat activity enabling infrastructure directly traceable to this Russian provider.

  • [Update June 27] Friendhosting LTD (Bulgaria) hosts many Keitaro instances which can be abused. They are working with data to analyze potential abuse.

  • Russia dominates provider volume, with over 150 distinct Russian ASNs appearing in the dataset, though individual Russian providers show lower threat activity enabling concentrations compared to the Bulgarian and Moldovan outliers.

  • Moldovan providers such as AlexHost and PQ Hosting together account for 299 threat activity enabling servers and carry high bulletproof ratings.

That's where we start.

Potential Malicious Infrastructure Across Eastern Europe

After applying Eastern European country filters (BY, BG, CZ, HU, PL, MD, RO, RU, SK, UA), the Host Radar summary view reveals 302 distinct infrastructure providers operating within Eastern European ISPs, hosting providers, and cloud ecosystems that were associated with potentially malicious activity.

Across the full set of 302 Eastern European infrastructure providers, Host Radar recorded 4,331 total potentially malicious detections during the three-month observation period. Of these, 3,923 were threat activity enabling servers, while IOC Hunter posts accounted for 146, potentially malicious open directories for 111, phishing sites for 90, and publicly reported IOC IPs for 61.

The data reveals that threat activity enabling infrastructure overwhelmingly dominates observed potentially malicious activity, accounting for approximately 90.6% of all detected malicious activity. In comparison, IOC Hunter represents about 3.4%, potentially malicious open directories account for 2.6%, phishing infrastructure is recorded for roughly 2.1%, while publicly reported IOCs contribute approximately 1.4% of the dataset.

Figure 1Figure 1. Aggregate breakdown of threat activity enabling servers (3,923), IOC Hunter posts (146), potentially malicious open directories (111), phishing sites (90), and public IOCs (61) detected within Eastern Europe hosting environments.

This distribution suggests that Eastern Europe's hosting environments are primarily used for threat activity enabling operations, with fewer exposed assets or publicly documented indicators than in other infrastructure ecosystems.

Beyond infrastructure counts alone, Host Radar provides visibility into the threat activity operating behind these assets. Let's explore the real threats across these ISPs.

Threat Actors and Campaigns Active Across Eastern European ISPs

The following examples illustrate how the infrastructure patterns identified above translate into active malware campaigns, state-sponsored espionage operations, and targeted intrusion activity within Eastern European hosting environments.

Over the same period, Hunt.io tracking surfaced several potentially malicious command-and-control (threat activity enabling) endpoints hosted across Eastern European infrastructure providers, beginning with activity linked to 146.70.53[.]171 hosted on M247 Europe SRL (AS9009), which is associated with Cloud Atlas APT campaigns targeting government and diplomatic entities in Russia and Belarus. Kaspersky reporting documents renewed Cloud Atlas activity in H2 2025--early 2026, leveraging phishing ZIPs with LNK shortcuts launching PowerShell, alongside potentially malicious Office documents exploiting CVE-2018-0802.

Figure 2Figure 2. Hunt Intelligence for 146.70.53[.]171 (AS9009, Bulgaria) shows active HTTP/SSH services, multiple associations, and historical Cloud Atlas APT intelligence hits.

Similar campaign IPs 195.58.49[.]99, 185.22.154[.]73, 194.87.196[.]163, 195.58.49[.]9, 46.17.44[.]125, and 46.17.44[.]212 were also found on Baxet (LLC Baxet, AS51659) during the analysis window.

Another IP 146.70.129[.]114 (Czech Republic, AS9009) flagged as a probable Mullvad VPN node associated with an active FreePBX toll-fraud campaign attributed to INJ3CTOR3 that deploys a multi-stage Bash dropper to install the previously undocumented JOMANGY PHP webshell alongside ZenharR.

Figure 3Figure 3. Hunt intelligence for 146.70.129[.]114 (AS9009, Czech Republic) shows Mullvad VPN node with historical IOC references tied to FreePBX persistence and toll-fraud campaigns associated with INJ3CTOR3.

Similarly, the IP 89.36.224[.]5 (Romania, AS9009) was identified as a staging server for a potentially malicious npm package (@velora-dex/sdk version 9.4.1) that deployed a Go-based remote access trojan (minirat) targeting macOS developers in the DeFi/Web3 space, attributed to JINX-0164 threat actor.

Figure 4Figure 4. Hunt Intelligence for 89.36.224[.]5 (AS9009, Romania) shows an active nginx web infrastructure with historical threat intelligence links to JINX-0164 campaigns targeting crypto organizations via social engineering.

The IP 176.120.22[.]24 hosted on Proton66 OOO (AS198953) is directly linked to active exploitation of CVE-2026-35273, a critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools (versions 8.61 and 8.62). Horizon3.ai attributes this exploitation campaign to ShinyHunters, with observed activity between May 27 and June 9, 2026, targeting approximately 300 PeopleSoft instances across more than 100 organizations, including universities.

Figure 5Figure 5. Hunt Intelligence for IP 176.120.22.24 (AS198953, Russia) shows active nginx and OpenSSH services, a potentially exposed directory, and numerous threat intelligence references tied to ShinyHunters' Oracle PeopleSoft exploitation campaigns.

The IP 141.98.83[.]86 hosted on FlyServers S.A. (AS209588) was directly associated with a documented Nemesys ransomware intrusion analyzed in threat research. The attacker authenticated using valid credentials originating from this IP, then deployed an Automim credential-harvesting toolkit including Mimikatz, LaZagne, and multiple NirSoft tools. Persistence was established via HKCU Run key reexecution.

Figure 6Figure 6. Hunt Intelligence shows IP 141.98.83[.]86 linked to a Nemesys ransomware attack leveraging credential dumping, persistence, and rapid encryption.

On Rostelecom (PJSC Rostelecom, AS12389), the IP 78.85.31[.]182 (Izhevsk, AS12389) was found associated with the Ollama Honeypot campaign series (Bleeding Llama, CVE-2026-7482), where attackers exploited exposed Ollama API services to execute coinminer scripts, perform GGUF blob upload attempts, and conduct LLMjacking-style abuse.

Figure 7Figure 7. Hunt Intelligence shows IP 78.85.31.182 associated with activity referenced in "Tales of an Ollama Honeypot (Part 3): More Traffic, More Findings".

Another IP 87.225.105[.]217 (Vladivostok, AS12389) is linked to WantToCry ransomware operations, as stated in Cybersecurity News.

On VDSina (Hosting technology LTD, AS48282), the IP 195.2.67[.]129 associated with Fluffy Wolf phishing campaigns targeting Russian organizations between March and May 2026 was found. Another IP 109.172.88[.]38 (Moscow, AS48282) was linked to a Black Basta affiliate campaign using Microsoft Teams vishing and registration-bombing spam to pressure victims into installing AnyDesk.

Figure 8Figure 8. Hunt Intelligence shows IP 109.172.88[.]38 linked to activity associated with the Black Basta threat group.

On MTW (JSC Mediasoft ekspert, AS48347), the IP 194.87.92[.]109 was directly identified by Unit 42 as an exfiltration server for the evolved Gremlin Stealer variant. The stealer hides its payload and configuration in a .NET resource section using XOR encoding, only decrypting at runtime.

Figure 9Figure 9. Hunt Intelligence shows IP 194.87.92[.]109 operating as a Gremlin Stealer exfiltration server used to receive stolen victim data.

On DDoS-Guard (DDOS-GUARD LTD, AS57724), the IP 185.178.208[.]153 (Global Anycast, AS57724) is associated with the Pink extortion group, a Microsoft 365-focused data theft and extortion operation with tradecraft similarities to ShinyHunters and Blackfile. Pink impersonates internal IT over phone calls to capture credentials and MFA sessions, then exfiltrates SharePoint and OneDrive data via Microsoft Graph APIs.

Figure 10Figure 10. Hunt Intelligence shows IP 185.178.208[.]153 referenced in reporting on the Pink Extortion Group targeting Microsoft 365 and cloud storage credentials.

Additional threat intelligence findings identified several IPs with links to active cybercriminal and state-aligned operations. IP 130.204.1[.]83 (A1 Bulgaria) was associated with the Silent Ransom Group (SRG) DNS fast-flux infrastructure, while 185.203.116[.]18 (Belcloud) was linked to DevilNFC Android malware activity. IP 92.39.211[.]142 (MTS) generated an active XenoRAT signal connected to Gentlemen Ransomware operations.

Meanwhile, 83.168.110[.]191 (SkyPass Solutions Sp. z.o.o.) was identified as infrastructure referenced in Iranian-linked activity involving exploitation staging for CVE-2026-0257 (Palo Alto Networks GlobalProtect authentication bypass), with Pioneer Kitten assessed as a likely actor to weaponize the vulnerability following the June 2026 escalation period. Additionally, 195.62.53[.]253 (IPServer) was associated with ProxyCB botnet command-and-control infrastructure and showed historical links to the TeamSpy cyber-espionage campaign.

These examples demonstrate how Eastern European hosting providers support a diverse threat landscape, ranging from phishing-driven infostealer campaigns to advanced intrusion operations and malware distribution infrastructure.

With the top Eastern European infrastructure hosting providers in mind, let's now focus on analyzing the threat activity enabling infrastructure across different ISPs and regions.

Threat activity enablement Within Eastern European Networks

Using HuntSQL, we analyzed the distribution of command-and-control (threat activity enabling) infrastructure across malware families hosted within Eastern European networks over three months.

Example Query:

SELECT
  malware.name,
  uniq(ip) AS COUNTS
FROM
  malware
WHERE
  asn.country_code IN (
    'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  malware.name
ORDER BY
  COUNTS DESC


                
Copy

Output Example:

Figure 11Figure 11. HuntSQL query output showing the dominant malware families hosting threat activity enabling infrastructure within Eastern European networks over three months.

The results reveal that Keitaro leads the dataset with 1,277 unique threat activity enabling IPs, reflecting widespread abuse of this traffic distribution system (TDS) for malvertising, redirect chains, phishing, and exploit kit campaigns.

Tactical RMM (232 threat activity enabling) represents the second largest concentration of threat activity enabling infrastructure observed in Eastern Europe hosting environments, reflecting widespread abuse of this legitimate remote management tool for post-exploitation operations.

Acunetix (173 threat activity enabling) and Gophish (122 threat activity enabling) indicate a scanning and vulnerability-discovery infrastructure, reflecting active reconnaissance operations targeting external assets.

IoT botnets such as Hajime (106), Mozi (82), and Mirai (27) continue to exploit embedded devices and consumer routers across the region, consistent with Eastern Europe's large installed base of internet-exposed IoT devices.

Cobalt Strike (35 verified + 44 unverified) and Sliver (35) represent the adversary simulation and post-exploitation framework layer, indicating both criminal and state-adjacent operations operating from Eastern European infrastructure.

This concentration lets defenders focus on shared infrastructure rather than individual malware variants rather than chasing individual malware variants.

Figure 12Figure 12. Bar graph illustrating the distribution of the Top 10 Often Abused software observed in Eastern Europe over the last three months.

Infrastructure Providers Hosting the Widest Malware Diversity

A HuntSQL query was designed to surface organizations hosting the widest variety of malware activity with respect to unique IP counts within Eastern European networks over the last three months.

Example Query:

SELECT
  org.name,
  uniq(ip) AS Unique_C2,
  uniq(malware.name) AS Unique_Malware
FROM
  malware
WHERE
  org.name != ""
  AND (
    asn.country_code IN (
      'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
    )
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  org.name
ORDER BY
  Unique_Malware DESC


                
Copy

Output Example:

Figure 13Figure 13. A HuntSQL query aggregating malware telemetry by Eastern European organizations, identifying providers hosting the widest variety of malware families.

The results reveal that malware activity is concentrated within a relatively small set of hosting and cloud providers, many of which support large-scale virtual server and hosting environments.

ICI Bucuresti leads in malware diversity with 12 distinct families across just 15 threat activity enabling endpoints, the highest diversity-to-volume ratio in the dataset.

Yandex.Cloud (37 threat activity enabling, 11 malware families) and OVH Poland (32 threat activity enabling, 10 families) represent large cloud providers whose scale naturally attracts diverse potentially malicious deployments. Both providers' presence reflects the ongoing challenge for major cloud operators in enforcing abuse policies at scale.

PROSPERO OOO (24 threat activity enabling, 9 families) and JSC TIMEWEB (84 threat activity enabling, 9 families) show that dedicated Russian VPS and hosting providers serve multiple simultaneous threat actor campaigns, consistent with their high bulletproof ratings observed in the Host Radar data.

Figure 14Figure 14. Malware Diversity vs. threat activity enabling Volume across Eastern European ISPs - ICI Bucuresti leads in malware family diversity per threat activity enabling, while Yandex.Cloud and TIMEWEB show high-volume, high-diversity profiles.

Country-Level Concentration of Malware Infrastructure

The provider-level view raises an obvious follow-up question: which countries are actually absorbing the bulk of this activity, independent of any single standout provider? We ran a HuntSQL query grouping the same three-month dataset by ASN country to find out.

Example Query:

SELECT
  asn.country_name,
  uniq(ip) AS total
FROM
  malware
WHERE
  org.name != ""
  AND (
    asn.country_code IN (
      'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
    )
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  asn.country_name
ORDER BY
  total DESC


                
Copy

Output Example:

Figure 15Figure 15. HuntSQL query output ranking Eastern European countries by unique malware-associated threat activity enabling IPs over a three-month window.

Russia leads by a wide margin with 929 unique threat activity enabling IPs (45.7% of the top-5 country total), consistent with the sheer number of distinct Russian ASNs already observed in the provider-level data.

What's more interesting is the second-place position of Poland, with 438 IPs (21.5%), a country that barely registered in the top-provider rankings above. This indicates that Poland's malware footprint is distributed across many smaller and mid-sized providers rather than concentrated in one or two standout hosts, the inverse of the pattern seen in Bulgaria.

Bulgaria (298, 14.7%) and Romania (199, 9.8%) round out the top five, both reflecting the influence of their respective standout providers.

Ukraine (170, 8.4%) shows a comparatively even spread across telecommunications carriers (Ukrtelecom, Webinvest Plus) rather than a single dominant host.

Figure 16Figure 16. Country-level distribution of malware-associated threat activity enabling infrastructure across Eastern Europe, highlighting Russia's dominant share and Poland's unexpectedly high concentration relative to its provider-level footprint.

Subsystem-Level Breakdown: What These Servers Are Actually Doing

Malware family names describe the tool; they don't always describe the function. To understand what role this infrastructure plays operationally, we queried the dataset by malware.subsystem, the functional classification Hunt.io assigns to each detected service.

Example Query:

SELECT
  malware.subsystem,
  uniq(ip) AS Unique_C2
FROM
  malware
WHERE
  org.name != ""
  AND (
    asn.country_code IN (
      'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
    )
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  malware.subsystem
ORDER BY
  Unique_C2 DESC


                
Copy

Output Example:

Figure 17Figure 17. HuntSQL query output breaking down Eastern European malware infrastructure by functional subsystem classification.

This breakdown is one of the more revealing cuts of the dataset. Management infrastructure leads by a wide margin at 1,496 unique IPs (65.2% of the subsystem total), far ahead of infrastructure explicitly tagged threat activity enabling (428, 18.7%).

Red Team Tools (234, 10.2%) reflects legitimate adversary-simulation frameworks being run from the same provider pool. Phishing infrastructure (124, 5.4%) is comparatively small as a subsystem category, and Team Server infrastructure (12, 0.5%) is the smallest category, representing dedicated threat activity enabling framework backends rather than the broader tooling ecosystem around them.

Figure 18Figure 18. Functional breakdown of Eastern European malware infrastructure by subsystem, showing that "Management" tooling accounts for the largest share of the threat surface.

How Host Radar Surfaces Provider-Level Threat Signals

The analysis presented in this report did not require manual correlation of IP reputation data, review of raw PCAP captures, or the consolidation of multiple threat intelligence sources. Host Radar centralizes these datasets by aggregating threat activity enabling infrastructure, potentially malicious open directories, phishing activity, and publicly reported IOCs at the provider level.

As a result, questions such as which ASNs host the highest concentration of threat activity enabling infrastructure, which providers exhibit the greatest malware diversity, or which countries show elevated exposure across multiple providers can be answered through targeted queries rather than extensive manual research.

Figure 19Figure 19. Overview of the HostRadar feature inside the Hunt.io Platform

For defenders, this visibility supports several practical use cases. Security Operations teams investigating alerts originating from Eastern European infrastructure can quickly determine whether a source ASN has a history of hosting potentially malicious activity, carries an elevated bulletproof-hosting profile, or has been associated with specific malware families. This additional context helps analysts assess risk and prioritize response efforts more efficiently.

Threat Hunters can leverage HuntSQL to perform the same provider, country, and infrastructure analysis demonstrated throughout this report, enabling detection strategies that focus on persistent infrastructure patterns rather than short-lived indicators.

For Cyber Threat Intelligence teams, provider-level visibility offers a scalable way to assess regional exposure, support vendor risk assessments, monitor geopolitical developments, and track changes in infrastructure risk over time.

The broader lesson remains consistent across every region examined: infrastructure typically changes more slowly than the indicators associated with it. While domains, IP addresses, and malware samples may rotate frequently, the underlying hosting relationships often persist.

Infrastructure Observables

This research is based on a very large set of infrastructure-level signals, including IP addresses, domains, and threat activity enabling endpoints that Hunt.io has identified and labeled as potentially malicious infrastructure, active malware command-and-control, phishing infrastructure, or related abuse across Eastern European ISPs and hosting providers.

Given the scale of the dataset, with more than 3900 active threat activity enabling endpoints observed over three months, publishing a static list here would provide limited operational value.

→ Teams interested in accessing this data with proper context, attribution, and historical tracking can reach out to discuss research collaboration or operational access to the full dataset.

Conclusion

The findings highlight Eastern Europe as a persistent hub for cybercriminal and advanced threat infrastructure, with a small number of high-tolerance hosting providers disproportionately supporting potentially malicious operations while major regional telecommunications networks frequently serve as unwitting hosts for compromised systems.

The dominance of Keitaro (1,277 threat activity enabling) across the Threat activity enablement reflects the region's established role in traffic distribution and redirect infrastructure, a foundational layer for malvertising, phishing, and exploit kit operations. The simultaneous presence of Cobalt Strike, Sliver, and Tactical RMM indicates that Eastern European hosting serves both commodity criminal operations and more sophisticated post-exploitation campaigns sharing the same infrastructure layer.

The prevalence of established threat activity enabling frameworks, traffic distribution systems, and ransomware-related infrastructure underscores the region's continued importance to both commodity cybercrime and sophisticated threat actors.

For defenders, focusing on high-risk ASNs, hosting providers, and recurring infrastructure patterns offers a more resilient detection strategy than relying solely on rapidly changing IP-based indicators.

If you want to explore this host-centric view of potentially malicious infrastructure firsthand, you can see how Host Radar works in practice by booking a demo today.