Bulletproof Hosting Provider Qwins Ltd Fueling Global Malware Campaigns
A sophisticated bulletproof hosting operation has emerged as a critical enabler of global malware campaigns, with cybersecurity researchers uncovering extensive evidence linking UK-registered company Qwins Ltd to widespread cybercriminal activities.
The company, operating under Autonomous System Number (ASN) 213702, has been identified as the infrastructure backbone supporting multiple high-profile malware families including Lumma Stealer, Amadey Botnet, and Mirai variants.
Recent analysis of over 100 Lumma Stealer samples revealed that threat actors are leveraging Qwins Ltd’s hosting services to orchestrate coordinated attacks across multiple vectors.
The investigation, spanning July 15-22, 2025, identified 292 communicating IP addresses associated with malicious activities, with the company’s infrastructure serving as both command-and-control centers and payload distribution hubs.
Operating from server locations across Russia, Germany, Finland, Netherlands, and Estonia, Qwins Ltd offers virtual private servers and dedicated hosting at remarkably low prices starting around $2 per month, making it an attractive option for cybercriminals seeking cost-effective infrastructure.
The company’s corporate structure raises additional red flags, having been incorporated on November 11, 2024, in the United Kingdom under the directorship of Kristina Konstantinova.
Notably, Konstantinova served as acting director for exactly six months before the company underwent a strategic rebranding in April 2025, becoming “Quality IT Network Solutions Limited.” This timeline coincides with increased malicious activity across the provider’s network infrastructure.
Cyber Intelligence Insights researchers identified a disturbing pattern of abuse across Qwins Ltd’s network segments, with evidence pointing to systematic exploitation by multiple threat actor groups.
The investigation revealed that the hosting provider’s approximately 2,300 hosts are being utilized for various malicious purposes, from hosting phishing websites impersonating legitimate financial services like Brex to distributing sophisticated malware payloads targeting both Windows and Linux architectures.
Analysis of the network’s malicious infrastructure reveals a sophisticated operational structure designed to maximize attack effectiveness while minimizing detection.
The primary malicious activities are concentrated across four distinct network segments, each serving specialized functions in the broader cybercriminal ecosystem.
Network Segmentation and Attack Infrastructure
The most significant revelation from the analysis involves the systematic segmentation of malicious activities across Qwins Ltd’s network infrastructure.
The 93.123.39.0/24 network segment functions as the primary DDoS and botnet command center, hosting 39 malicious IP addresses that distribute over 120 different malware payloads.
This network primarily operates botnet infrastructure communicating through port 666, facilitating large-scale distributed denial-of-service attacks and maintaining persistent access to compromised systems.
The 141.98.6.0/24 segment serves as the information stealer hub, with 15 flagged IP addresses hosting approximately 45 malware samples.
This network specializes in deploying infostealers like Amadey, Lumma, and Vidar, targeting sensitive user credentials and financial information.
Key IP address 141.98.6.34 has been particularly active, hosting phishing sites and serving as a communication endpoint for multiple malware families.
Supporting the attack chain, the 95.164.53.0/24 network functions as the initial infection vector, distributing document-based droppers including malicious PDF, DOC, and ZIP files.
These payloads serve as entry points for infection chains, subsequently directing victims to download additional malware components from other network segments.
The 77.105.164.0/24 segment completes the infrastructure by providing command-and-control services, configuration hosting, and data exfiltration capabilities, ensuring persistent communication between infected systems and threat actor infrastructure.
This systematic approach to network utilization demonstrates the sophisticated nature of modern bulletproof hosting operations and their critical role in enabling large-scale cybercriminal campaigns across multiple malware families and attack vectors.
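As an added defender-side example (not part of the original report), the following script turns the four segments and roles described above into a simple connection-log check: it matches destination addresses against the reported /24 ranges, and escalates hits that carry the report's strongest signals (port 666 on the botnet segment, or the named host 141.98.6.34). The log format and sample records are constructed for illustration.

```python
import ipaddress

# Network segments and roles as reported for Qwins Ltd (ASN 213702).
SEGMENTS = {
    ipaddress.ip_network("93.123.39.0/24"): "DDoS/botnet command center",
    ipaddress.ip_network("141.98.6.0/24"): "infostealer hub (Amadey, Lumma, Vidar)",
    ipaddress.ip_network("95.164.53.0/24"): "initial dropper distribution (PDF/DOC/ZIP)",
    ipaddress.ip_network("77.105.164.0/24"): "C2, config hosting, exfiltration",
}
BOTNET_SEGMENT = ipaddress.ip_network("93.123.39.0/24")
BOTNET_PORT = 666                                  # port the report ties to botnet C2
KNOWN_HOST = ipaddress.ip_address("141.98.6.34")   # host the report calls out by name

def classify(dst_ip: str, dport: int):
    """Return (role, severity) if dst_ip is in a reported segment, else None. 'high' marks
    the report's strongest signals (port 666 on the botnet segment, or the named host)."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return None  # not an IP literal; nothing to match
    for net, role in SEGMENTS.items():
        if addr in net:
            strong = (net == BOTNET_SEGMENT and dport == BOTNET_PORT) or addr == KNOWN_HOST
            return role, "high" if strong else "medium"
    return None

def scan_log(lines):
    """Parse 'src_ip dst_ip dst_port' records (constructed format) into alert dicts."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed records instead of aborting the scan
        hit = classify(parts[1], int(parts[2]))
        if hit:
            alerts.append({"src": parts[0], "dst": parts[1], "dport": int(parts[2]),
                           "role": hit[0], "severity": hit[1]})
    return alerts

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "10.0.0.12 93.123.39.77 666",
    "10.0.0.15 141.98.6.34 443",
    "10.0.0.20 95.164.53.9 80",
    "10.0.0.21 8.8.8.8 53",
    "10.0.0.22 77.105.164.200 8080",
]
if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity'].upper()}] {a['src']} -> {a['dst']}:{a['dport']}  {a['role']}")
```

Range-based matches are only a starting point for triage; hosting ranges change hands, so a medium hit warrants confirmation against current intelligence before blocking.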