U.S., International Partners Target Bulletproof Hosting Services
<p>Threat researchers at Resecurity in a <a href="https://www.resecurity.com/blog/article/qilin-ransomware-and-the-ghost-bulletproof-hosting-conglomerate" target="_blank" rel="noopener">report last month</a> detailed the reliance the notorious and prolific Qilin ransomware group has on bulletproof hosting (BPH) providers to run their malicious campaigns.</p><p>The Russian-speaking ransomware-as-a-service (RaaS) group this year has continued adding to its growing list of victims from around the world on its data leak site – including Volkswagen Group France, Charles River Properties real estate brokerage in Massachusetts, the Spanish Tax Administration Agency, and Turnkey Africa, an IT provider in Africa.</p><p>According to Resecurity, key to Qilin’s success is its use of BPH providers, with a “close affiliation” with such operations in Russia and Hong Kong, including Bearhost Servers – also known as Voodoo Servers and Underground – and Cat Technologies.</p><p>“Qilin’s use of prominent BPH providers highlights the latter’s role as critical infrastructure for cybercriminal operators,” the researchers wrote. “Rogue BPH services enable their clients to host content with minimal or no oversight. Frequently incorporated in pro-secrecy jurisdictions and structured across complex webs of anonymous and geographically distributed shell companies, BPH services are designed to be resilient to abuse complaints and even law enforcement intervention.”</p><p>The BPH model “thrives on zero KYC (Know Your Customer) and a total absence of due-diligence checks, effectively creating safe havens for cyber-offenders who wish to remain anonymous,” they added. 
“These malign infrastructures, and the pro-corporate secrecy regimes that shield them, enable destructive ransomware campaigns and other malicious cybercriminal operations to persist undisturbed for prolonged durations.”</p><h3>Targeting Bulletproof Hosting Firms</h3><p>Law enforcement agencies in the United States and elsewhere this month have put a target on some of these operations. Dutch police announced the takedown of an unnamed BPH service that had been active since 2022, seizing about 250 servers found in data centers in The Hague and Zoetermeer. The service – which reportedly was CrazyRDP – had been mentioned in more than 80 law enforcement investigations, the police said.</p><p>Days later, the U.S. Treasury Department, along with counterparts in Australia and the UK, announced <a href="https://home.treasury.gov/news/press-releases/sb0319" target="_blank" rel="noopener">sanctions against Media Land</a>, which they described as a BPH provider in St. Petersburg, Russia, that had been used by <a href="https://securityboulevard.com/2025/10/surprised-not-surprised-ransomware-attacks-have-ticked-up/" target="_blank" rel="noopener">ransomware</a> groups like <a href="https://securityboulevard.com/2025/02/ransom-payments-fell-35-in-2024-after-lockbit-blackcat-takedowns/" target="_blank" rel="noopener">LockBit</a>, BlackSuit, and Play as well as other cybercriminal operations. 
It also was used in multiple <a href="https://securityboulevard.com/2025/11/microsoft-fends-off-massive-ddos-attack-by-aisuru-botnet-operators/" target="_blank" rel="noopener">distributed denial-of-service</a> (DDoS) attacks against companies and critical infrastructure in the United States.</p><p>Treasury’s Office of Foreign Assets Control (OFAC) and the FBI also designated three members of the Media Land leadership and three sister companies – ML Cloud, Media Land Technology, and Data Center Kirishi.</p><h3>Keeping Aeza Group in Check</h3><p>In addition, OFAC and the UK designated Hypercore Ltd., a front company of Aeza Group – which the Treasury Department <a href="https://securityboulevard.com/2025/07/aeza-group-latest-bph-service-provider-sanctioned-by-u-s-treasury/" target="_blank" rel="noopener">targeted earlier this year</a> – as well as two people and two entities that have led, supported, or acted for Aeza Group.</p><p>During the same week, authorities with the Five Eyes intelligence alliance and the Netherlands <a href="https://www.cisa.gov/sites/default/files/2025-11/Bulletproof_Defense_Mitigating_Risks_from_Bulletproof_Hosting_Providers_508c.pdf" target="_blank" rel="noopener">published a guide</a> aimed at ISPs and network defenders for mitigating the threat of BPH services.</p><p>“Mitigating cybercriminal activity enabled by BPH providers requires a nuanced approach because BPH infrastructure is integrated into legitimate internet infrastructure systems, and actions from ISPs or network defenders may impact legitimate activity,” they wrote.</p><p>Mark Odom, senior solutions engineer at security company Black Duck, echoed the sentiment, noting that “bulletproof hosting can be deeply involved with more normal [and] legitimate infrastructure. 
Broad ASN [autonomous system number] blocking sounds easy but also carries the risk of collateral damage for smaller networks.”</p><p>Odom said that for ISPs, cloud providers, and content delivery networks (CDNs), the guidance is less something new and more about standardizing practices that already exist.</p><p>“What feels ‘new’ is the focus on tracking bulletproof hosters as more of an ecosystem and building playbooks around them, rather than treating each domain in isolation,” he said.</p><h3>More Companies, Individuals Sanctioned</h3><p>Along with Media Land and its sister companies, U.S. and other authorities also designated Aleksandr Volosovik, Media Land’s general director, who has advertised the Media Land business on cybercriminal forums under the alias “Yalishanda,” provided servers, and conducted troubleshooting for ransomware and DDoS actors.</p><p>The other two designated are Kirill Zatolokin, a Media Land employee responsible for collecting payment from customers and coordinating with other cyber actors, and Yulia Pankova, who’s helped Zatolokin with legal issues and managed his finances.</p><p>Regarding the Aeza Group and Hypercore, the United States also designated two companies, Smart Digital Ideas DOO and Datavice MCHJ, which are Serbian and Uzbek companies used by Aeza to evade sanctions by setting up infrastructure that is not associated with Aeza.</p><p>Maksim Vladimirovich Makarov is Aeza’s new director and crucial in making decisions about the organization’s efforts to evade sanctions. 
Ilya Vladislavovich Zakirov was designated for helping to establish new companies and payment methods to obfuscate Aeza’s ongoing activity.</p>