In recent developments, Russian-affiliated cybercriminal groups, notably UAC-0050 and UAC-0006, have been observed utilizing bulletproof hosting services to maintain and obscure their malicious activities. This strategic shift has enabled these groups to persistently target Ukrainian organizations and their international partners, focusing on sectors such as energy, government institutions, and critical infrastructure.
Tactics and Techniques
Throughout late 2024 and early 2025, these threat actors have engaged in both financially motivated and espionage-driven campaigns. Their methods often involve sophisticated social engineering tactics, primarily through phishing emails that deliver malicious payloads. A notable instance in January 2025 involved the deployment of NetSupport Manager remote access tools via JavaScript downloaders hosted on compromised platforms.
The attack sequence typically begins with emails containing PDF documents that redirect recipients to malicious JavaScript files hosted on services like 4sync. This approach underscores the attackers’ adaptability and their ability to exploit commonly used platforms to disseminate malware.
Evolution of Attack Infrastructure
Intrinsec researchers have highlighted a significant tactical evolution in early 2025, where UAC-0050 transitioned from using tools like Remcos and sLoad to predominantly leveraging NetSupport Manager. This shift coincided with a migration to new network infrastructure hosted on bulletproof providers, which specialize in evading detection and legal repercussions.
Understanding Bulletproof Hosting
Bulletproof hosting services offer cybercriminals a resilient platform to host malicious content, often ignoring or circumventing law enforcement requests. These services are typically operated through offshore shell companies, complicating efforts to trace and dismantle them.
The primary provider identified in these operations is Global Connectivity Solutions LLP (AS215540), a UK-based autonomous system that routes traffic through Stark Industries (AS44477). Cybersecurity researchers have linked this network to Russian intelligence operations, indicating a deliberate strategy to obscure attribution and evade sanctions.
Infrastructure Analysis
Analysis of the network infrastructure reveals a complex web of bulletproof hosting providers operating through offshore entities. IPv4 prefixes previously associated with sanctioned bulletproof hosting provider Zservers were systematically transferred to newly created autonomous systems, including AS213194, AS61336, and AS213010. These networks, registered to seemingly unrelated entities, share peering agreements and technical characteristics with known malicious infrastructure.
Network traffic patterns indicate communications between infected systems and command-and-control servers hosted on IP addresses like 185.157.213[.]71 and 147.45.44[.]255. These addresses resolve to domains owned by shell companies registered in offshore jurisdictions such as Seychelles, further complicating attribution efforts.
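As an added example (not part of the original report), the following Python snippet refangs the two C2 addresses quoted above and scans constructed firewall log lines for outbound connections to them; the log format and the internal hosts are assumptions.

```python
import ipaddress
import re

# C2 addresses named in the report, kept in their defanged form.
DEFANGED_C2 = ["185.157.213[.]71", "147.45.44[.]255"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into a usable string."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxp", "http"))

C2_ADDRESSES = {ipaddress.ip_address(refang(i)) for i in DEFANGED_C2}

# Constructed sample firewall log lines (not taken from the report).
SAMPLE_LOGS = """\
2025-01-14T09:12:03Z src=10.0.5.23 dst=185.157.213.71 dport=443 action=allow
2025-01-14T09:12:09Z src=10.0.5.23 dst=142.250.74.46 dport=443 action=allow
2025-01-14T09:13:41Z src=10.0.7.8 dst=147.45.44.255 dport=8080 action=allow
2025-01-14T09:14:02Z src=10.0.7.8 dst=10.0.0.1 dport=53 action=allow
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def find_c2_contacts(log_text: str):
    """Return (internal_host, c2_address, port) for each outbound hit on a known C2 address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            # Skip malformed or non-IP destinations rather than crashing the scan.
            continue
        if dst in C2_ADDRESSES:
            hits.append((m["src"], str(dst), int(m["dport"])))
    return hits

if __name__ == "__main__":
    for src, dst, port in find_c2_contacts(SAMPLE_LOGS):
        print(f"ALERT internal host {src} contacted C2 {dst}:{port}")
```

Matching on exact addresses is a starting point only; the report notes that prefixes move between autonomous systems, so ASN-level blocking of the networks it names is the more durable control.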
Implications and Challenges
The use of bulletproof hosting services by Russian-affiliated hacking groups presents significant challenges for cybersecurity professionals and law enforcement agencies. These services provide a resilient infrastructure that complicates attribution and frustrates takedown efforts, allowing threat actors to maintain persistent access to compromised systems even as individual components are identified and blocked.
This development underscores the need for enhanced international cooperation and more robust cybersecurity measures to detect and mitigate such sophisticated threats. Organizations, particularly those in critical sectors, must remain vigilant and adopt comprehensive security strategies to protect against these evolving cyber threats.