Russian Hackers Using Russia-Based Bulletproof Network to Switch Network Infrastructure

Russian-aligned hacking groups UAC-0050 and UAC-0006 have been observed switching their network infrastructure through bulletproof hosting providers, enabling persistent campaigns against Ukrainian entities and their international allies.

These threat actors conducted financially-motivated and espionage operations throughout late 2024 and early 2025, primarily targeting organizations in Ukraine’s energy sector, governmental institutions, and critical infrastructure.

The malicious campaigns employ sophisticated social engineering techniques, delivering payloads through phishing emails with weaponized attachments.

In one notable campaign in January 2025, attackers deployed NetSupport Manager remote access tools through JavaScript downloaders hosted on compromised infrastructure.

The attacks typically begin with emails containing PDF documents that redirect victims to malicious JavaScript files hosted on services like 4sync.

Intrinsec researchers noted a significant tactical shift in early 2025, when UAC-0050 transitioned from using Remcos and sLoad to predominantly leveraging NetSupport Manager for their operations.

This shift coincided with migration to new network infrastructure hosted on bulletproof providers that specialize in evading detection and legal consequences.

Network Infrastructure

The infrastructure supporting these operations reveals a complex web of bulletproof hosting providers operating through offshore shell companies.

The primary provider, Global Connectivity Solutions LLP (AS215540), is a UK-based autonomous system routing traffic through Stark Industries (AS44477), a network that cybersecurity researchers have linked to Russian intelligence operations.

Analysis of network infrastructure reveals a deliberate strategy to obscure attribution and evade sanctions.

IPv4 prefixes previously announced by sanctioned bulletproof hosting provider Zservers were systematically transferred to newly created autonomous systems including AS213194, AS61336, and AS213010.

These networks are registered to seemingly unrelated entities but share peering agreements and technical characteristics with known malicious infrastructure.

The network traffic patterns reveal communications between infected systems and command and control servers hosted on IP addresses like 185.157.213[.]71 and 147.45.44[.]255, which resolve to domains owned by shell companies registered in offshore jurisdictions like Seychelles.
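The defanged addresses and autonomous system numbers quoted above are the kind of indicators a SOC would load into a watchlist. The script below is an added example, not code from the article or from Intrinsec: it refangs the published indicators, parses a simple key=value firewall log format (an assumption for this example), and flags outbound connections whose destination is a listed C2 address or whose destination ASN (assumed here to come from a GeoIP/ASN enrichment field named dst_asn) is one of the networks named in the report. The log lines are constructed and use documentation IP and ASN ranges for the benign entries.

```python
import ipaddress
import re

# Indicators exactly as published in the article (defanged). Listing an ASN here
# mirrors the report only; it does not mean every address in it is malicious.
DEFANGED_C2_IPS = ["185.157.213[.]71", "147.45.44[.]255"]
WATCHED_ASNS = {"AS215540", "AS44477", "AS213194", "AS61336", "AS213010"}


def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_C2_IPS}

# Assumed log format: space-separated key=value pairs, values optionally quoted.
LOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict (unknown formats parse to {})."""
    return {k: v.strip('"') for k, v in LOG_RE.findall(line)}


def match_line(line: str) -> list:
    """Return the reasons a line matches the watchlist (empty list if none)."""
    fields = parse_line(line)
    reasons = []
    dst = fields.get("dst")
    if dst:
        try:
            if ipaddress.ip_address(dst) in C2_IPS:
                reasons.append(f"dst {dst} is a published C2 address")
        except ValueError:
            pass  # malformed or non-IP destination: not a watchlist hit
    asn = fields.get("dst_asn", "").upper()
    if asn in WATCHED_ASNS:
        reasons.append(f"dst_asn {asn} is on the bulletproof-hosting watchlist")
    return reasons


def scan(lines) -> list:
    """Return (source IP, reasons) for every line that matches."""
    return [(parse_line(l).get("src"), r) for l in lines if (r := match_line(l))]


# Constructed sample log lines (hypothetical internal hosts, RFC 5737 / RFC 5398
# documentation ranges for the benign destinations).
SAMPLE_LOGS = [
    'ts=2025-01-14T09:12:03Z src=10.0.5.23 dst=185.157.213.71 dport=443 proto=tcp dst_asn=AS215540 action=allow',
    'ts=2025-01-14T09:12:10Z src=10.0.5.23 dst=203.0.113.10 dport=443 proto=tcp dst_asn=AS64496 action=allow',
    'ts=2025-01-14T09:13:41Z src=10.0.7.4 dst=147.45.44.255 dport=80 proto=tcp dst_asn=AS44477 action=deny',
    'ts=2025-01-14T09:14:02Z src=10.0.7.9 dst=198.51.100.7 dport=8443 proto=tcp dst_asn=AS213194 action=allow',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOGS):
        print(f"{src}: " + "; ".join(reasons))
```

A `deny` line still matters: the first two lines show the same internal host talking to a published C2 address and then to an unrelated destination, so the analyst pivots on the source host, not just on the blocked flow.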

The complex hosting arrangements provide these threat actors with resilient infrastructure that complicates attribution and frustrates takedown efforts, allowing them to maintain persistent access to compromised systems even as individual infrastructure components are identified and blocked.