Bulletproof Hosting Provider Powering Global Malware Campaigns

In a recent analysis that grew out of routine follow-up on Lumma infostealer infections, security researchers may have identified a resilient hosting company, run by Qwins Ltd., that supports a broad range of international malware operations.

Lumma, consistently ranking among the top five malware families according to platforms like abuse.ch and ANY.RUN, provided an abundant source of samples for analysis.

By querying the abuse.ch API for samples from July 15-22, researchers retrieved 100 recent hashes, which were then scrutinized using VirusTotal’s API to extract 292 communicating IP addresses.

Uncovering Malicious Infrastructure

To focus on actionable leads, IPs hidden behind content delivery networks such as Cloudflare and Akamai were filtered out, leaving 10 unique IPs across distinct autonomous system numbers (ASNs).

Among these, IP 141.98.6.34 within AS213702, owned by Qwins Ltd, emerged as a focal point due to its associations with infostealers, trojans, and impersonation sites.

Qwins Ltd, a Russian-operated entity offering low-cost VPS and dedicated servers starting at $2 per month, deploys infrastructure in locations including Russia, Germany, Finland, the Netherlands, and Estonia, with services accessible via a Telegram bot.

Incorporated in the UK on November 11, 2024, and initially directed by Kristina Konstantinova until April 2025, the company later changed its name to Quality IT Network Solutions Limited.

According to the researchers, its domain registration predates incorporation by a year, raising suspicions of premeditated operations.

Analysis of 141.98.6.34 revealed it hosted a phishing site impersonating Brex financial services in late June, alongside numerous malicious files including executables, ZIPs, and RARs linked to infostealers and trojans, suggesting use by multiple threat actors or a coordinated group.

Clustering and Malware Activity in AS213702

Hypothesizing AS213702 as a hub for threat actors, researchers leveraged Censys to identify approximately 2,300 hosts within the ASN.

Narrowing the set to hosts sharing attributes with the initial IP (open ports 5554 and 3389, and the same self-signed certificate) yielded a cluster of three IPs: 141.98.6.190, 141.98.6.130, and 141.98.6.34.
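The triage pipeline described above (drop CDN-fronted communicating IPs, count survivors per ASN, then pivot on shared ports and certificate) as an added example; this is not the researchers' code, and the sample records, CDN ASN list, and certificate fingerprints are constructed placeholders, with only the 141.98.6.x addresses, ports and ASN taken from the article:

```python
from collections import Counter

# ASNs of large CDNs (assumed list for this example): Cloudflare 13335,
# Akamai 20940, Fastly 54113. IPs behind them are not actionable leads.
CDN_ASNS = {13335, 20940, 54113}

# Constructed sample of "communicating IP" records, one per (hash, ip) pair,
# in the shape a VirusTotal + Censys enrichment step might produce. Ports and
# ASN for the 141.98.6.x hosts follow the article; certificate fingerprints
# and the other addresses are placeholders, not real observations.
SAMPLE = [
    {"ip": "198.51.100.7", "asn": 13335,  "ports": {80, 443},        "cert": "cdn-placeholder"},
    {"ip": "141.98.6.34",  "asn": 213702, "ports": {3389, 5554},     "cert": "placeholder-A"},
    {"ip": "141.98.6.34",  "asn": 213702, "ports": {3389, 5554},     "cert": "placeholder-A"},
    {"ip": "141.98.6.190", "asn": 213702, "ports": {3389, 5554, 80}, "cert": "placeholder-A"},
    {"ip": "141.98.6.130", "asn": 213702, "ports": {3389, 5554},     "cert": "placeholder-A"},
    {"ip": "141.98.6.81",  "asn": 213702, "ports": {80, 443},        "cert": "placeholder-B"},
    {"ip": "203.0.113.9",  "asn": 64500,  "ports": {22},             "cert": None},
]

def filter_cdn(records):
    """Drop CDN-fronted IPs and deduplicate; returns {ip: record}."""
    hosts = {}
    for r in records:
        if r["asn"] not in CDN_ASNS:
            hosts.setdefault(r["ip"], r)
    return hosts

def asn_breakdown(hosts):
    """Number of surviving IPs per ASN (the 'distinct ASNs' view)."""
    return Counter(h["asn"] for h in hosts.values())

def cluster_like(hosts, seed_ip):
    """IPs in the seed's ASN that expose every port the seed exposes and
    present the same certificate fingerprint (the pivot used in the article)."""
    seed = hosts[seed_ip]
    return sorted(ip for ip, h in hosts.items()
                  if h["asn"] == seed["asn"]
                  and seed["ports"] <= h["ports"]
                  and h["cert"] == seed["cert"])

if __name__ == "__main__":
    hosts = filter_cdn(SAMPLE)
    print(asn_breakdown(hosts))
    print(cluster_like(hosts, "141.98.6.34"))
```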

These were tied to malware like Makop, GuLoader, and AgentTesla, active concurrently and exhibiting loader and infostealer behaviors.

Pivoting to hosted domains, sites impersonating the DBeaver SQL tool (dbeaver.it.com and dbeaver-pro.site) led to another IP, 141.98.6.81, associated with botnets including Mirai, Quackbot, and Condi.

Global Malware Campaigns

A deeper 30-day analysis of AS213702’s networks uncovered pervasive malicious activity across subnets like 93.123.39.0/24 (dominated by DDoS and botnet C2 on port 666), 141.98.6.0/24 (infostealers like Amadey, Lumma, and Vidar), 95.164.53.0/24 (malware distribution via droppers), and 77.105.164.0/24 (C2 and data exfiltration).

Over 120 payloads spanned botnets (Mirai, Amadey), trojans (Zapchast), and cross-platform threats targeting Windows, Linux, ARM, and MIPS architectures, including cryptominers and remote access trojans like DarkGate.

Infection chains often initiated from document droppers on 95.164 networks, escalating to payloads on 93.123, with exfiltration to 77.105, indicating structured abuse.

While definitive classification as bulletproof hosting remains under investigation, the concentration of unmitigated malicious operations (phishing, social engineering, and diverse malware) signals a resilient provider tolerant of abuse.

Researchers plan further probes into interconnected threats, urging collaboration from those with prior insights to enhance global threat intelligence.
