Qwins Ltd: The Bulletproof Hosting Provider Fueling Global Cybercrime

Qwins Ltd, a UK-registered company operating under Autonomous System Number (ASN) 213702, has recently come under scrutiny for its involvement in global malware campaigns. It has been identified as a significant enabler of cybercriminal operations, providing the infrastructure on which a range of malicious activity depends.

The Role of Bulletproof Hosting in Cybercrime

Bulletproof hosting services are specialized web hosting providers that offer clients the assurance of anonymity and resilience against takedown attempts. These services are particularly attractive to cybercriminals as they allow the hosting of illicit content, including malware distribution, phishing sites, and command-and-control servers, without the risk of immediate shutdown by authorities. By turning a blind eye to the nature of the hosted content, bulletproof hosts like Qwins Ltd become indispensable to the cybercrime ecosystem.

Qwins Ltd’s Infrastructure and Operations

Qwins Ltd offers virtual private servers and dedicated hosting solutions at exceptionally low prices, starting around $2 per month. This affordability makes it an appealing option for cybercriminals seeking cost-effective infrastructure. The company’s servers are strategically located across multiple countries, including Russia, Germany, Finland, the Netherlands, and Estonia, providing a distributed network that enhances the resilience and reach of the hosted malicious activities.

Association with Notorious Malware Families

Recent analyses have uncovered that Qwins Ltd’s infrastructure supports several high-profile malware families, including Lumma Stealer, Amadey Botnet, and variants of the Mirai botnet. Over a week-long investigation from July 15 to July 22, 2025, researchers identified 292 IP addresses associated with malicious activities linked to Qwins Ltd. These IP addresses functioned as command-and-control centers and payload distribution hubs, orchestrating coordinated attacks across multiple vectors.

Corporate Structure and Red Flags

Qwins Ltd was incorporated on November 11, 2024, in the United Kingdom, with Kristina Konstantinova listed as the director. Notably, Konstantinova served as acting director for exactly six months before the company underwent a strategic rebranding in April 2025, changing its name to “Quality IT Network Solutions Limited.” This rebranding coincided with a surge in malicious activity across the provider’s network infrastructure, raising further concerns about the company’s operations and intentions.

Network Segmentation and Specialized Functions

An in-depth analysis of Qwins Ltd’s network infrastructure reveals a sophisticated segmentation designed to maximize the effectiveness of cyber attacks while minimizing detection. The primary malicious activities are concentrated across four distinct network segments, each serving specialized functions:

1. 93.123.39.0/24 Segment: This segment functions as the primary command center for Distributed Denial-of-Service (DDoS) attacks and botnet operations. It hosts 39 malicious IP addresses distributing over 120 different malware payloads. Communication primarily occurs through port 666, facilitating large-scale DDoS attacks and maintaining persistent access to compromised systems.

2. 141.98.6.0/24 Segment: Serving as the hub for information-stealing malware, this segment hosts 15 flagged IP addresses associated with approximately 45 malware samples. It specializes in deploying infostealers like Amadey, Lumma, and Vidar, targeting sensitive user credentials and financial information. Notably, IP address 141.98.6.34 has been particularly active, hosting phishing sites and serving as a communication endpoint for multiple malware families.

3. 95.164.53.0/24 Segment: This network functions as the initial infection vector, distributing document-based droppers, including malicious PDF, DOC, and ZIP files. These payloads serve as entry points for infection chains, subsequently directing victims to download additional malware components from other network segments.

4. 77.105.164.0/24 Segment: Completing the infrastructure, this segment provides command-and-control services, configuration hosting, and data exfiltration capabilities. It ensures persistent communication between infected systems and the threat actor’s infrastructure.
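
For defenders, the segmentation above maps directly onto a triage rule for egress logs. The following is an added example, not code from the original report: it labels outbound flows by the segment role the article describes and raises severity for port 666 traffic to the botnet segment. The log format, the severity labels, and the sample records are constructed for illustration.

```python
import ipaddress

# Segment roles as described in the article (CIDRs are from the page).
SEGMENTS = {
    "93.123.39.0/24": "DDoS / botnet command",
    "141.98.6.0/24": "infostealer hub",
    "95.164.53.0/24": "document dropper distribution",
    "77.105.164.0/24": "C2 / config hosting / exfiltration",
}
NETS = [(ipaddress.ip_network(c), role) for c, role in SEGMENTS.items()]
BOTNET_NET = ipaddress.ip_network("93.123.39.0/24")
BOTNET_PORT = 666  # port the article reports for this segment

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2025-07-16T08:01:12Z 10.0.4.21 95.164.53.10 443
2025-07-16T08:01:40Z 10.0.4.21 141.98.6.34 80
2025-07-16T08:02:05Z 10.0.7.9 93.123.39.77 666
2025-07-16T08:02:30Z 10.0.7.9 198.51.100.20 443
malformed line here
2025-07-16T08:03:00Z 10.0.4.21 77.105.164.5 8080
"""

def classify(dst_ip, dst_port):
    """Return (role, severity) for a destination, or None if unlisted."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return None
    for net, role in NETS:
        if addr in net:
            # Severity labels are an assumption of this example.
            high = net == BOTNET_NET and dst_port == BOTNET_PORT
            return role, "high" if high else "medium"
    return None

def scan(text):
    """Group hits by internal host so multi-segment chains stand out."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        ts, src, dst, port = parts
        verdict = classify(dst, int(port))
        if verdict:
            hits.setdefault(src, []).append((ts, dst, int(port), *verdict))
    return hits

if __name__ == "__main__":
    for src, events in scan(SAMPLE_FLOWS).items():
        print(src, len(events), events)
```

A single internal host touching the dropper, infostealer, and C2 segments in sequence, as 10.0.4.21 does in the sample, matches the infection chain described for these networks and deserves priority over an isolated hit.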

The Broader Implications of Bulletproof Hosting

The case of Qwins Ltd underscores the critical role that bulletproof hosting providers play in the cybercrime ecosystem. By offering resilient and anonymous hosting services, these providers enable cybercriminals to conduct operations with impunity. The distributed nature of their infrastructure, spanning multiple jurisdictions, complicates efforts by law enforcement agencies to dismantle their operations.

Law Enforcement Actions Against Bulletproof Hosts

Recognizing the threat posed by bulletproof hosting providers, law enforcement agencies worldwide have intensified efforts to disrupt their operations. For instance, in February 2025, Dutch police dismantled a bulletproof hosting provider named ZServers/XHost, seizing 127 servers used to facilitate cybercriminal activities. Similarly, in August 2023, European and U.S. authorities dismantled Lolek Hosted, arresting five administrators and seizing hundreds of servers containing terabytes of data. These actions highlight the ongoing global efforts to combat the infrastructure supporting cybercrime.

The Need for Vigilance and Proactive Measures

The emergence of entities like Qwins Ltd highlights the necessity for continuous vigilance and proactive measures in the fight against cybercrime. Organizations must implement robust cybersecurity protocols, including regular network monitoring, threat intelligence sharing, and collaboration with law enforcement agencies. By identifying and mitigating threats associated with bulletproof hosting providers, the cybersecurity community can disrupt the infrastructure that underpins many cybercriminal operations.

Conclusion

Qwins Ltd exemplifies the challenges posed by bulletproof hosting providers in the modern cyber threat landscape. By offering services that prioritize anonymity and resilience against takedown attempts, these providers become linchpins in the execution of global malware campaigns. Addressing this issue requires a concerted effort from cybersecurity professionals, law enforcement agencies, and policymakers to dismantle the infrastructure that enables cybercriminals to operate with relative impunity.