Qilin Ransomware Exploits Ghost Bulletproof Hosting to Launch Global Attacks

The Qilin ransomware group has rapidly ascended as a formidable threat in the cybersecurity realm, leveraging advanced bulletproof hosting infrastructures to execute widespread attacks across various sectors. Operating under a Ransomware-as-a-Service (RaaS) model, Qilin first emerged in mid-2022 under the alias Agenda before rebranding later that year. The group has since gained notoriety for targeting healthcare organizations, government entities, critical infrastructure operators, and asset management firms worldwide.

A notable incident attributed to Qilin occurred in September 2025, when the group claimed responsibility for a ransomware attack on Asahi Group Holdings, Japan’s largest beverage manufacturer. This assault led to production halts at most of Asahi’s 30 factories for nearly two weeks, underscoring the group’s capacity to disrupt major industrial operations.

Qilin’s technical versatility is evident in its development of ransomware variants written in both Golang and Rust programming languages, enabling cross-platform attacks that can compromise diverse systems. According to the Health Sector Cybersecurity Coordination Center (HC3), Qilin typically gains initial access through spear-phishing campaigns. Once inside a network, the group employs Remote Monitoring and Management (RMM) tools alongside other common penetration utilities to establish persistence within compromised environments.

The group’s operational model includes double extortion tactics, where victim data is encrypted and simultaneously exfiltrated. This strategy increases pressure on organizations to comply with ransom demands, as the threat of public data release looms. Qilin’s RaaS platform offers affiliates user-friendly panels to configure attacks, manage victims, and negotiate ransoms. Additionally, the group maintains a Data Leak Site on the Tor network to publish stolen data, further coercing victims into payment.

Analysts from Resecurity have highlighted Qilin’s deep connections with an underground bulletproof hosting conglomerate rooted in Russian-speaking cybercriminal forums and Hong Kong. These affiliations provide Qilin with robust infrastructure that operates with minimal oversight, enhancing resilience against law enforcement interventions. Bulletproof hosting services utilized by Qilin are often incorporated in jurisdictions with strong privacy laws and are structured through complex networks of anonymous shell companies, creating safe havens for cybercriminal activities.

A significant component of Qilin’s infrastructure is Cat Technologies Co. Limited, a Hong Kong-based entity sharing business addresses with related companies such as Starcrecium Limited in Cyprus and Chang Way Technologies Co. Limited. Resecurity researchers have identified these entities as official representatives for Russia-based hosting provider Hostway.ru, operating under the legal entity OOO Information Technologies. Network analyses have revealed that Qilin’s operations frequently utilize IP addresses associated with these providers, with regular changes to complicate tracking efforts.

In April 2024, researchers observed Qilin’s Data Leak Site referencing IP addresses 176[.]113[.]115[.]97 and 176[.]113[.]115[.]209, both linked to Cat Technologies Co. Limited. The business model of these bulletproof hosting providers thrives on the absence of Know Your Customer (KYC) protocols and due diligence checks. Services are offered at prices ranging from $95 to $500 and beyond, depending on server configurations, with specialized offerings for mass scanning capabilities featuring network bandwidth up to 10 Gbps.

One prominent provider, BEARHOST Servers—also known as Underground and Voodoo Servers—has been advertising directly on Qilin’s WikiLeaksV2 platform. Historical passive DNS records show this operation was hosted at IP 31[.]41[.]244[.]100, associated with Red Bytes LLC in Saint Petersburg, Russia. The service has maintained active accounts on multiple underground forums, including XSS and Exploit, since at least 2019.

Bulletproof Hosting Infrastructure and Operational Resilience

The bulletproof hosting infrastructure supporting Qilin’s operations demonstrates remarkable resilience through sophisticated corporate structures designed to evade detection and law enforcement action. Multiple legal entities share common directors and addresses, creating a complex web that shields the true operators from accountability.

Corporate records reveal that Mr. Lenar Davletshin serves as director of numerous entities, including Chang Way Technologies Co. Limited, Starcrecium Limited, OOO Red Byte, OOO Information Technologies, OOO Hostway, OOO Hostway Rus, OOO Triostars, and OOO F1—all registered in Russia, Cyprus, and Hong Kong. These hosting networks are frequently implicated in command-and-control server operations for various malware families, including Amadey, StealC, and CobaltStrike.

The IP address 85.209.11.79, associated with this infrastructure, has been reported over 11,346 times to AbuseIPDB for malicious activity, including exploit probing and network scanning. The interconnected nature of these providers was further confirmed when U.S. Treasury Department sanctions in July 2025 targeted the Aeza Group for providing bulletproof hosting services to cybercriminals, specifically aiding ransomware groups like BianLian and hosting illicit drug markets such as BlackSprut.
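The IP addresses above are published in defanged form (176[.]113[.]115[.]97 and so on), which is safe to paste into a report but useless for matching until it is refanged. The script below is an added example, not code from the article or from Resecurity: it refangs the four addresses the article names (the two Cat Technologies addresses tied to the Qilin leak site, the historical BEARHOST address, and the heavily reported 85.209.11.79), builds a watchlist, and sweeps a handful of constructed egress-firewall log lines for outbound connections to, or inbound connections from, any of them. The log format (`action=... src=... dst=... dport=...`) and the sample lines are assumptions for illustration; a real deployment would feed it the organization's own firewall or proxy export.

```python
import ipaddress
import re

# Indicators exactly as the article prints them (defanged); comments give the
# article's attribution for each. Nothing here is added beyond the page's IoCs.
DEFANGED_IOCS = [
    "176[.]113[.]115[.]97",   # Qilin Data Leak Site, Cat Technologies Co. Limited (Apr 2024)
    "176[.]113[.]115[.]209",  # Qilin Data Leak Site, Cat Technologies Co. Limited (Apr 2024)
    "31[.]41[.]244[.]100",    # historical BEARHOST hosting, Red Bytes LLC, Saint Petersburg
    "85.209.11.79",           # reported to AbuseIPDB for exploit probing and scanning
]

# Constructed sample log lines (not real traffic); key=value egress-firewall style.
SAMPLE_LOG = [
    "2025-10-03T14:22:01Z action=allow src=10.1.4.23 dst=176.113.115.97 dport=443 proto=tcp",
    "2025-10-03T14:22:05Z action=allow src=10.1.4.23 dst=142.250.74.46 dport=443 proto=tcp",
    "2025-10-03T14:23:11Z action=allow src=10.1.7.9 dst=31.41.244.100 dport=80 proto=tcp",
    "2025-10-03T14:25:40Z action=deny src=85.209.11.79 dst=10.1.0.5 dport=22 proto=tcp",
    "this line is malformed and must be skipped, not crash the sweep",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def refang(indicator: str) -> str:
    """Convert a defanged indicator back to its real form for matching.

    Handles the common [.] / (.) / {.} bracket styles and hxxp:// schemes.
    """
    s = indicator.strip()
    s = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", s)
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.I)
    return s


def build_watchlist(indicators) -> set:
    """Return the set of valid IP addresses among the refanged indicators.

    Non-IP indicators (domains, URLs) are skipped here; they would belong on a
    separate DNS/proxy watchlist.
    """
    watch = set()
    for ind in indicators:
        candidate = refang(ind)
        try:
            watch.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue
    return watch


def scan_firewall_log(lines, watchlist) -> list:
    """Return (timestamp, direction, matched_ip, dport) for every line touching the watchlist.

    'outbound' = an internal host reached a listed address (possible leak-site or
    C2 contact); 'inbound' = a listed address connected to us (typical of the
    scanning the article describes). Lines that do not parse are ignored.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["dst"] in watchlist:
            hits.append((m["ts"], "outbound", m["dst"], int(m["dport"])))
        if m["src"] in watchlist:
            hits.append((m["ts"], "inbound", m["src"], int(m["dport"])))
    return hits


if __name__ == "__main__":
    watch = build_watchlist(DEFANGED_IOCS)
    for ts, direction, ip, dport in scan_firewall_log(SAMPLE_LOG, watch):
        print(f"{ts} {direction:8} {ip:16} dport={dport}")
```

An outbound hit to a leak-site address deserves a different response from an inbound deny from a scanner: the first suggests data may already be staged or leaving, the second is background noise worth blocking at the edge. Because the article notes Qilin rotates addresses regularly, a list like this ages quickly and should be refreshed from the provider's ranges (or an ASN-level feed) rather than maintained by hand.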

Following increased scrutiny and multiple abuse complaints, BEARHOST announced in late December 2024 that its service would transition to private mode, accepting new customers only after vetting and on invitation from existing clients. This operational security adjustment is a common pattern among established underground vendors that have built a significant customer base and want to minimize exposure to law enforcement and security researchers.

In May 2025, BEARHOST rebranded as voodoo_servers before ultimately announcing the termination of services due to political reasons, executing what appears to be an exit scam that left customers without server access or fund returns while the underlying legal entities continued operations.