Qilin Ransomware Using Ghost Bulletproof Hosting to Attack Organizations Worldwide


The Qilin ransomware group has emerged as one of the most prolific and dangerous threat actors in the cybersecurity landscape, exploiting sophisticated bulletproof hosting infrastructure to conduct devastating attacks on organizations across multiple sectors.

Operating under a Ransomware-as-a-Service (RaaS) model, Qilin first surfaced in mid-2022 under the name “Agenda” before rebranding later that year.

The group has gained widespread notoriety for targeting healthcare organizations, government entities, critical infrastructure operators, and asset management firms worldwide.

Most notably, the gang recently claimed responsibility for the September 2025 ransomware attack that crippled operations at Asahi Group Holdings, Japan’s largest beverage manufacturer, forcing production shutdowns at most of its 30 factories for nearly two weeks.

The ransomware operation maintains variants written in both Go (Golang) and Rust, a technical versatility that lets affiliates target multiple platforms with the same toolset.

According to the Health Sector Cybersecurity Coordination Center, Qilin gains initial access through spear phishing campaigns and leverages Remote Monitoring and Management (RMM) tools alongside other common penetration tools to establish persistence within compromised networks.

Qilin blog (Source – Resecurity)

The group practices double extortion tactics, encrypting victim data while simultaneously exfiltrating sensitive information to pressure organizations into paying ransoms.

Their RaaS platform provides affiliates with user-friendly panels to configure attacks, manage victims, and negotiate ransoms, while maintaining a Data Leak Site on the Tor network for publishing stolen data.

Resecurity analysts noted that Qilin’s operations are deeply intertwined with an underground bulletproof hosting conglomerate that has origins in Russian-speaking cybercriminal forums and Hong Kong.

The threat actors have established strong connections to rogue hosting providers that enable them to operate with minimal oversight and maximum resilience against law enforcement intervention.

These bulletproof hosting services are incorporated in pro-secrecy jurisdictions and structured across complex webs of anonymous shell companies distributed geographically, creating safe havens for cybercriminals who wish to remain anonymous.

The group’s infrastructure relies heavily on providers such as Cat Technologies Co. Limited, a Hong Kong-based entity that shares business addresses with related companies including Starcrecium Limited in Cyprus and Chang Way Technologies Co. Limited.

Resecurity researchers identified that these entities serve as official representatives for Russia-based hosting provider Hostway.ru, which operates under the legal entity OOO “Information Technologies”.

Network analysis revealed that Qilin ransomware operations utilize IP addresses associated with these providers, with frequent changes to complicate tracking efforts.

In April 2024, researchers observed the group’s Data Leak Site mentioning IP addresses 176[.]113[.]115[.]97 and 176[.]113[.]115[.]209, both associated with Cat Technologies Co. Limited.

The business model of these bulletproof hosting providers thrives on zero Know Your Customer (KYC) protocols and complete absence of due-diligence checks.

They offer services ranging from $95 to $500 and beyond, depending on server configuration, with specialized mass-scanning offerings that provide network bandwidth of up to 10 Gbps.

One prominent provider, BEARHOST Servers—also known as Underground and Voodoo Servers—has been advertising directly on Qilin’s “WikiLeaksV2” platform.

Historical passive DNS records show this operation was hosted at IP 31[.]41[.]244[.]100 associated with Red Bytes LLC in Saint Petersburg, Russia.

The service has maintained active accounts on multiple underground forums including XSS and Exploit since at least 2019.

Bulletproof Hosting Infrastructure and Operational Resilience

The bulletproof hosting infrastructure supporting Qilin ransomware operations demonstrates remarkable resilience through sophisticated corporate structures designed to evade detection and law enforcement action.

Multiple legal entities share common directors and addresses, creating a complex web that shields the true operators from accountability.

Corporate records reveal that Mr. Lenar Davletshin serves as director of numerous entities including Chang Way Technologies Co. Limited, Starcrecium Limited, OOO “Red Byte,” OOO “Information Technologies,” OOO “Hostway,” OOO “Hostway Rus,” OOO “Triostars,” and OOO “F1”—all registered in Russia, Cyprus, and Hong Kong.

These hosting networks are frequently implicated in command-and-control server operations for various malware families including Amadey, StealC, and CobaltStrike.

The IP address 85.209.11.79, associated with this infrastructure, has been reported over 11,346 times to AbuseIPDB for malicious activity including exploit probing and network scanning.
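The report defangs its indicators (176[.]113[.]115[.]97, 31[.]41[.]244[.]100 and so on), so a defender who wants to check outbound proxy or firewall logs against them first has to normalize that notation. The following is an added example written for this article, not Resecurity's or Qilin's code: it refangs the IP addresses quoted above, validates them, and scans a set of constructed sample log lines (the log format, the internal 10.x and 203.0.113.x addresses and the timestamps are all made up for the example) for any traffic to or from the listed infrastructure.

```python
import ipaddress
import re

# Indicators exactly as the reporting quoted above writes them (defanged),
# mapped to the provider or context the article associates them with.
DEFANGED_INDICATORS = {
    "176[.]113[.]115[.]97": "Cat Technologies Co. Limited (seen on Qilin DLS, April 2024)",
    "176[.]113[.]115[.]209": "Cat Technologies Co. Limited (seen on Qilin DLS, April 2024)",
    "31[.]41[.]244[.]100": "Red Bytes LLC, Saint Petersburg (BEARHOST, historical passive DNS)",
    "85[.]209[.]11[.]79": "bulletproof hosting infrastructure (heavily reported to AbuseIPDB)",
}

# Constructed sample log lines (hypothetical proxy/firewall/DNS format, not real traffic).
SAMPLE_LOG_LINES = [
    "2025-10-02T10:14:03Z proxy src=10.20.30.41 dst=176.113.115.97 dport=443 action=allow",
    "2025-10-02T10:14:09Z proxy src=10.20.30.41 dst=203.0.113.10 dport=443 action=allow",
    "2025-10-02T10:15:44Z fw src=85.209.11.79 dst=10.0.0.5 dport=445 action=deny",
    "2025-10-02T10:16:01Z dns client=10.20.30.77 query=update.example.internal answer=31.41.244.100",
    "2025-10-02T10:16:30Z fw src=10.0.0.9 dst=1176.113.115.97 dport=80 action=allow",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Convert a defanged IPv4 indicator such as 1[.]2[.]3[.]4 (also 1(.)2 or 1{.}2)
    into a normal dotted-quad string. Raises ValueError if the result is not a valid IP,
    so a typo in a watchlist never silently becomes a never-matching string."""
    cleaned = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator.strip())
    return str(ipaddress.ip_address(cleaned))


def build_watchlist(defanged: dict) -> dict:
    """Refang every key; values (provider/context labels) are kept for the analyst."""
    return {refang(ioc): label for ioc, label in defanged.items()}


def scan_log_lines(lines, watchlist: dict) -> list:
    """Return (line_number, ip, label) for every IPv4 address in a line that is on the
    watchlist. Every address in the line is checked, so both src= and dst= fields match."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in watchlist:
                hits.append((lineno, ip, watchlist[ip]))
    return hits


if __name__ == "__main__":
    watch = build_watchlist(DEFANGED_INDICATORS)
    for lineno, ip, label in scan_log_lines(SAMPLE_LOG_LINES, watch):
        print(f"line {lineno}: {ip} -> {label}")
```

Two design points worth noting: refanging goes through `ipaddress.ip_address` so an invalid octet raises immediately rather than producing a watchlist entry that can never match, and the regex uses word boundaries, which is why the malformed `1176.113.115.97` on the last sample line is not counted as a hit. Exact-IP matching is deliberately narrow; the article notes that Qilin rotates addresses frequently, so in practice an analyst would pivot from a hit to the provider's wider address space rather than rely on these four values alone.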

The interconnected nature of these providers was further confirmed when U.S. Treasury Department sanctions in July 2025 targeted the Aeza Group for providing bulletproof hosting services to cybercriminals, specifically aiding ransomware groups like BianLian and hosting illicit drug markets such as BlackSprut.

Following increased scrutiny and multiple abuse complaints, BEARHOST announced in late December 2024 that their service would transition to private mode, accepting new customers only through vetting and invitations from existing clients.

This operational security adjustment represents a common pattern among established underground vendors who have built significant customer bases and seek to minimize exposure to law enforcement and cybersecurity researchers.

In May 2025, BEARHOST rebranded as “voodoo_servers” before ultimately announcing termination of services due to “political reasons,” executing what appears to be an exit scam that left customers without server access or fund returns while the underlying legal entities continued operations.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.