Inside Eastern Europe's C2 Sprawl: 3,900+ Servers, 302 Providers, One Host Doing Half the Work

Eastern Europe has long served as a reliable foundation for both commodity cybercrime and state-linked threat operations, a region where bulletproof hosting providers, major telecoms, and cloud infrastructure coexist within the same ASN pools. Over a three-month window from March 12 to June 12, 2026, we mapped malicious infrastructure across 10 countries in the region, covering Belarus, Bulgaria, the Czech Republic, Hungary, Poland, Moldova, Romania, Russia, Slovakia, and Ukraine.

Across 302 distinct hosting providers, we identified more than 3,900 active C2 servers. The distribution was anything but even. A single Bulgarian provider accounted for more than half of all detected C2 infrastructure, a level of concentration that doesn't surface when you're tracking individual IPs or domains. It only becomes visible when you look at the hosting layer itself, which is exactly what this analysis does.

Background and Methodology

Every prior region we've mapped has reinforced the same lesson: IPs rotate, domains get burned, but the hosting layer underneath stays remarkably stable. Mapping Chinese hosting environments uncovered 18,000+ C2 servers where commodity and state-linked tooling shared the same provider networks, Russian providers showed high-tolerance hosts absorbing disproportionate malicious activity, and across the Middle East, a single carrier accounted for nearly three-quarters of all regional C2 infrastructure. Host Radar exists precisely to surface that kind of provider-level signal automatically, instead of requiring analysts to reconstruct it indicator by indicator.

Using Host Radar, we analyzed telemetry across all 10 countries in scope. The results reveal the scale of active C2 infrastructure, the dominance of specific malware families, and how frequently major telecoms and hosting providers appear in infrastructure tied to both commodity cybercrime and advanced threat operations.

Here are the key findings.

Key Takeaways

• More than 3900 C2 servers were identified across 302 Eastern European infrastructure providers within the past 3 months.

• Friendhosting LTD (Bulgaria) hosts 2,100 C2 servers over 90 days, representing approximately 53.5% of all detected C2 infrastructure in the region.

• C2 infrastructure dominates malicious activity across the region (~90.6%), with malicious open directories (~3.4%), IOC Hunter posts (~2.6%), phishing sites (~2.4%), and publicly reported IOCs (~1.4%) accounting for the remainder of observed artifacts.

• Keitaro leads Eastern European malware family distribution with 1,277 unique C2 IPs, followed by Tactical RMM (232) and Acunetix (173).

• Cloud Atlas APT infrastructure was observed across multiple Eastern European providers, confirming the group's continued reliance on Eastern European hosting.

• Proton66 OOO was linked to active exploitation of CVE-2026-35273, a critical Oracle PeopleSoft zero-day attributed to the ShinyHunters group, with C2 infrastructure directly traceable to this Russian provider.

• Russia dominates provider volume, with over 150 distinct Russian ASNs appearing in the dataset, though individual Russian providers show lower C2 concentrations compared to the Bulgarian and Moldovan outliers.

• Moldovan providers such as AlexHost and PQ Hosting together account for 299 C2 servers and carry high bulletproof ratings.

That's where we start.

Malicious Infrastructure Across Eastern Europe

After applying Eastern European country filters (BY, BG, CZ, HU, PL, MD, RO, RU, SK, UA), the Host Radar summary view reveals 302 distinct infrastructure providers operating within Eastern European ISPs, hosting providers, and cloud ecosystems that were associated with malicious activity.

Across the full set of 302 Eastern European infrastructure providers, Host Radar recorded 4,331 total malicious detections during the three-month observation period. Of these, 3,923 were C2 servers, while IOC Hunter posts accounted for 146, malicious open directories for 111, phishing sites for 90, and publicly reported IOC IPs for 61.

The data reveals that C2 infrastructure overwhelmingly dominates observed malicious activity, accounting for approximately 90.6% of all detected malicious activity. In comparison, IOCs Hunter represents about 3.4%, malicious open directories account for 2.6%, phishing infrastructure is recorded for roughly 2.1%, while publicly reported IOCs contribute approximately 1.4% of the dataset.

This distribution suggests that Eastern Europe's hosting environments are primarily used for C2 operations, with fewer exposed assets or publicly documented indicators than in other infrastructure ecosystems.

Beyond infrastructure counts alone, Host Radar provides visibility into the threat activity operating behind these assets. Let's explore the real threats across these ISPs.

Threat Actors and Campaigns Active Across Eastern European ISPs

The following examples illustrate how the infrastructure patterns identified above translate into active malware campaigns, state-sponsored espionage operations, and targeted intrusion activity within Eastern European hosting environments.

Over the same period, Hunt.io tracking surfaced several malicious command-and-control (C2) endpoints hosted across Eastern European infrastructure providers, beginning with activity linked to 146.70.53[.]171 hosted on M247 Europe SRL (AS9009), which is associated with Cloud Atlas APT campaigns targeting government and diplomatic entities in Russia and Belarus. Kaspersky reporting documents renewed Cloud Atlas activity in H2 2025--early 2026, leveraging phishing ZIPs with LNK shortcuts launching PowerShell, alongside malicious Office documents exploiting CVE-2018-0802.

Similar campaign IPs 195.58.49[.]99, 185.22.154[.]73, 194.87.196[.]163, 195.58.49[.]9, 46.17.44[.]125, and 46.17.44[.]212 were also found on Baxet (LLC Baxet, AS51659) during the analysis window.

Another IP 146.70.129[.]114 (Czech Republic, AS9009) flagged as a probable Mullvad VPN node associated with an active FreePBX toll-fraud campaign attributed to INJ3CTOR3 that deploys a multi-stage Bash dropper to install the previously undocumented JOMANGY PHP webshell alongside ZenharR.

Similarly, the IP 89.36.224[.]5 (Romania, AS9009) was identified as a staging server for a malicious npm package (@velora-dex/sdk version 9.4.1) that deployed a Go-based remote access trojan (minirat) targeting macOS developers in the DeFi/Web3 space, attributed to JINX-0164 threat actor.

The IP 176.120.22[.]24 hosted on Proton66 OOO (AS198953) is directly linked to active exploitation of CVE-2026-35273, a critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools (versions 8.61 and 8.62). Horizon3.ai attributes this exploitation campaign to ShinyHunters, with observed activity between May 27 and June 9, 2026, targeting approximately 300 PeopleSoft instances across more than 100 organizations, including universities.

The IP 141.98.83[.]86 hosted on FlyServers S.A. (AS209588) was directly associated with a documented Nemesys ransomware intrusion analyzed in threat research. The attacker authenticated using valid credentials originating from this IP, then deployed an Automim credential-harvesting toolkit including Mimikatz, LaZagne, and multiple NirSoft tools. Persistence was established via HKCU Run key reexecution.

On Rostelecom (PJSC Rostelecom, AS12389), the IP 78.85.31[.]182 (Izhevsk, AS12389) was found associated with the Ollama Honeypot campaign series (Bleeding Llama, CVE-2026-7482), where attackers exploited exposed Ollama API services to execute coinminer scripts, perform GGUF blob upload attempts, and conduct LLMjacking-style abuse.

Another IP 87.225.105[.]217 (Vladivostok, AS12389) is linked to WantToCry ransomware operations, as stated in Cybersecurity News.

On VDSina (Hosting technology LTD, AS48282), the IP 195.2.67[.]129 associated with Fluffy Wolf phishing campaigns targeting Russian organizations between March and May 2026 was found. Another IP 109.172.88[.]38 (Moscow, AS48282) was linked to a Black Basta affiliate campaign using Microsoft Teams vishing and registration-bombing spam to pressure victims into installing AnyDesk.

On MTW (JSC Mediasoft ekspert, AS48347), the IP 194.87.92[.]109 was directly identified by Unit 42 as an exfiltration server for the evolved Gremlin Stealer variant. The stealer hides its payload and configuration in a .NET resource section using XOR encoding, only decrypting at runtime.

On DDoS-Guard (DDOS-GUARD LTD, AS57724), the IP 185.178.208[.]153 (Global Anycast, AS57724) is associated with the Pink extortion group, a Microsoft 365-focused data theft and extortion operation with tradecraft similarities to ShinyHunters and Blackfile. Pink impersonates internal IT over phone calls to capture credentials and MFA sessions, then exfiltrates SharePoint and OneDrive data via Microsoft Graph APIs.

Additional threat intelligence findings identified several IPs with links to active cybercriminal and state-aligned operations. IP 130.204.1[.]83 (A1 Bulgaria) was associated with the Silent Ransom Group (SRG) DNS fast-flux infrastructure, while 185.203.116[.]18 (Belcloud) was linked to DevilNFC Android malware activity. IP 92.39.211[.]142 (MTS) generated an active XenoRAT signal connected to Gentlemen Ransomware operations.

Meanwhile, 83.168.110[.]191 (SkyPass Solutions Sp. z.o.o.) was identified as infrastructure referenced in Iranian-linked activity involving exploitation staging for CVE-2026-0257 (Palo Alto Networks GlobalProtect authentication bypass), with Pioneer Kitten assessed as a likely actor to weaponize the vulnerability following the June 2026 escalation period. Additionally, 195.62.53[.]253 (IPServer) was associated with ProxyCB botnet command-and-control infrastructure and showed historical links to the TeamSpy cyber-espionage campaign.

These examples demonstrate how Eastern European hosting providers support a diverse threat landscape, ranging from phishing-driven infostealer campaigns to advanced intrusion operations and malware distribution infrastructure.

Inside the Top Eastern European Infrastructure Providers

The table below summarizes the top five Eastern European infrastructure providers by detected C2 volume over the last three months, before we unpack what's notable about each one.

With the top Eastern European infrastructure hosting providers in mind, let's now focus on analyzing the C2 infrastructure across different ISPs and regions.

Concentration of C2 Infrastructure Across Eastern European Providers

Friendhosting LTD (Bulgaria) emerges as the dominant contributor with 2,100 detected C2 servers, representing approximately 53.5% of all detected C2 infrastructure across the Eastern European dataset.

This is followed by JSC TIMEWEB (277 C2 detections), PQ HOSTING PLUS S.R.L. (175), Neterra (137), and AlexHost (120), demonstrating how both large telecommunications providers and specialized hosting companies contribute to regional malicious infrastructure.

Other providers with notable C2 volumes include WebHost1 (Russia, 118), ZetServers (Romania, 101), Webinvest Plus (Ukraine, 88), VDSina (Russia, 77), and M247 (Romania, 66).

The presence of telecommunications giants alongside cryptocurrency-accepting bulletproof VPS providers within the top rankings illustrates how diverse infrastructure types contribute to the Eastern European C2 landscape.

Malware Family Distribution Within Eastern European Networks

Using HuntSQL, we analyzed the distribution of command-and-control (C2) infrastructure across malware families hosted within Eastern European networks over three months.

Example Query:

SELECT
  malware.name,
  uniq(ip) AS COUNTS
FROM
  malware
WHERE
  asn.country_code IN (
    'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  malware.name
ORDER BY
  COUNTS DESC

                
Copy

Output Example:

The results reveal that Keitaro leads the dataset with 1,277 unique C2 IPs, reflecting widespread abuse of this traffic distribution system (TDS) for malvertising, redirect chains, phishing, and exploit kit campaigns.

Tactical RMM (232 C2s) represents the second largest concentration of C2 infrastructure observed in Eastern Europe hosting environments, reflecting widespread abuse of this legitimate remote management tool for post-exploitation operations.

Acunetix (173 C2s) and Gophish (122 C2s) indicate a scanning and vulnerability-discovery infrastructure, reflecting active reconnaissance operations targeting external assets.

IoT botnets such as Hajime (106), Mozi (82), and Mirai (27) continue to exploit embedded devices and consumer routers across the region, consistent with Eastern Europe's large installed base of internet-exposed IoT devices.

Cobalt Strike (35 verified + 44 unverified) and Sliver (35) represent the adversary simulation and post-exploitation framework layer, indicating both criminal and state-adjacent operations operating from Eastern European infrastructure.

This concentration lets defenders focus on shared infrastructure rather than individual malware variants rather than chasing individual malware variants.

Infrastructure Providers Hosting the Widest Malware Diversity

A HuntSQL query was designed to surface organizations hosting the widest variety of malware activity with respect to unique IP counts within Eastern European networks over the last three months.

Example Query:

SELECT
  org.name,
  uniq(ip) AS Unique_C2,
  uniq(malware.name) AS Unique_Malware
FROM
  malware
WHERE
  org.name != ""
  AND (
    asn.country_code IN (
      'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
    )
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  org.name
ORDER BY
  Unique_Malware DESC

                
Copy

Output Example:

The results reveal that malware activity is concentrated within a relatively small set of hosting and cloud providers, many of which support large-scale virtual server and hosting environments.

ICI Bucuresti leads in malware diversity with 12 distinct families across just 15 C2 endpoints, the highest diversity-to-volume ratio in the dataset.

Yandex.Cloud (37 C2s, 11 malware families) and OVH Poland (32 C2s, 10 families) represent large cloud providers whose scale naturally attracts diverse malicious deployments. Both providers' presence reflects the ongoing challenge for major cloud operators in enforcing abuse policies at scale.

PROSPERO OOO (24 C2s, 9 families) and JSC TIMEWEB (84 C2s, 9 families) show that dedicated Russian VPS and hosting providers serve multiple simultaneous threat actor campaigns, consistent with their high bulletproof ratings observed in the Host Radar data.

Country-Level Concentration of Malware Infrastructure

The provider-level view raises an obvious follow-up question: which countries are actually absorbing the bulk of this activity, independent of any single standout provider? We ran a HuntSQL query grouping the same three-month dataset by ASN country to find out.

Example Query:

SELECT
  asn.country_name,
  uniq(ip) AS total
FROM
  malware
WHERE
  org.name != ""
  AND (
    asn.country_code IN (
      'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
    )
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  asn.country_name
ORDER BY
  total DESC

                
Copy

Output Example:

Russia leads by a wide margin with 929 unique C2 IPs (45.7% of the top-5 country total), consistent with the sheer number of distinct Russian ASNs already observed in the provider-level data.

What's more interesting is the second-place position of Poland, with 438 IPs (21.5%), a country that barely registered in the top-provider rankings above. This indicates that Poland's malware footprint is distributed across many smaller and mid-sized providers rather than concentrated in one or two standout hosts, the inverse of the pattern seen in Bulgaria.

Bulgaria (298, 14.7%) and Romania (199, 9.8%) round out the top five, both reflecting the influence of their respective standout providers.

Ukraine (170, 8.4%) shows a comparatively even spread across telecommunications carriers (Ukrtelecom, Webinvest Plus) rather than a single dominant host.

Subsystem-Level Breakdown: What These Servers Are Actually Doing

Malware family names describe the tool; they don't always describe the function. To understand what role this infrastructure plays operationally, we queried the dataset by malware.subsystem, the functional classification Hunt.io assigns to each detected service.

Example Query:

SELECT
  malware.subsystem,
  uniq(ip) AS Unique_C2
FROM
  malware
WHERE
  org.name != ""
  AND (
    asn.country_code IN (
      'BY', 'BG', 'CZ', 'HU', 'PL', 'MD', 'RO', 'RU', 'SK', 'UA'
    )
  )
  AND timestamp > NOW - 3 MONTH
GROUP BY
  malware.subsystem
ORDER BY
  Unique_C2 DESC

                
Copy

Output Example:

This breakdown is one of the more revealing cuts of the dataset. Management infrastructure leads by a wide margin at 1,496 unique IPs (65.2% of the subsystem total), far ahead of infrastructure explicitly tagged C2 (428, 18.7%).

Red Team Tools (234, 10.2%) reflects legitimate adversary-simulation frameworks being run from the same provider pool. Phishing infrastructure (124, 5.4%) is comparatively small as a subsystem category, and Team Server infrastructure (12, 0.5%) is the smallest category, representing dedicated C2 framework backends rather than the broader tooling ecosystem around them.

How Host Radar Surfaces Provider-Level Threat Signals

The analysis presented in this report did not require manual correlation of IP reputation data, review of raw PCAP captures, or the consolidation of multiple threat intelligence sources. Host Radar centralizes these datasets by aggregating C2 infrastructure, malicious open directories, phishing activity, and publicly reported IOCs at the provider level.

As a result, questions such as which ASNs host the highest concentration of C2 infrastructure, which providers exhibit the greatest malware diversity, or which countries show elevated exposure across multiple providers can be answered through targeted queries rather than extensive manual research.

For defenders, this visibility supports several practical use cases. Security Operations teams investigating alerts originating from Eastern European infrastructure can quickly determine whether a source ASN has a history of hosting malicious activity, carries an elevated bulletproof-hosting profile, or has been associated with specific malware families. This additional context helps analysts assess risk and prioritize response efforts more efficiently.

Threat Hunters can leverage HuntSQL to perform the same provider, country, and infrastructure analysis demonstrated throughout this report, enabling detection strategies that focus on persistent infrastructure patterns rather than short-lived indicators.

For Cyber Threat Intelligence teams, provider-level visibility offers a scalable way to assess regional exposure, support vendor risk assessments, monitor geopolitical developments, and track changes in infrastructure risk over time.

The broader lesson remains consistent across every region examined: infrastructure typically changes more slowly than the indicators associated with it. While domains, IP addresses, and malware samples may rotate frequently, the underlying hosting relationships often persist.

Infrastructure Observables

This research is based on a very large set of infrastructure-level signals, including IP addresses, domains, and C2 endpoints that Hunt.io has identified and labeled as malicious infrastructure, active malware command-and-control, phishing infrastructure, or related abuse across Eastern European ISPs and hosting providers.

Given the scale of the dataset, with more than 3900 active C2 endpoints observed over three months, publishing a static list here would provide limited operational value.

→ Teams interested in accessing this data with proper context, attribution, and historical tracking can reach out to discuss research collaboration or operational access to the full dataset.

Conclusion

The findings highlight Eastern Europe as a persistent hub for cybercriminal and advanced threat infrastructure, with a small number of high-tolerance hosting providers disproportionately supporting malicious operations while major regional telecommunications networks frequently serve as unwitting hosts for compromised systems.

The dominance of Keitaro (1,277 C2s) across the malware family distribution reflects the region's established role in traffic distribution and redirect infrastructure, a foundational layer for malvertising, phishing, and exploit kit operations. The simultaneous presence of Cobalt Strike, Sliver, and Tactical RMM indicates that Eastern European hosting serves both commodity criminal operations and more sophisticated post-exploitation campaigns sharing the same infrastructure layer.

The prevalence of established C2 frameworks, traffic distribution systems, and ransomware-related infrastructure underscores the region's continued importance to both commodity cybercrime and sophisticated threat actors.

For defenders, focusing on high-risk ASNs, hosting providers, and recurring infrastructure patterns offers a more resilient detection strategy than relying solely on rapidly changing IP-based indicators.

If you want to explore this host-centric view of malicious infrastructure firsthand, you can see how Host Radar works in practice by booking a demo today.