Wednesday, April 22, 2026

Global Malware Thrives on Qwins Ltd’s Bulletproof Hosting Services

Cybersecurity researchers have uncovered what appears to be a bulletproof hosting operation centered around UK-incorporated Qwins Ltd, revealing a sophisticated criminal infrastructure supporting multiple malware families, including Lumma, Vidar, DarkGate, and various botnets.

The investigation, which began with routine analysis of Lumma infostealer samples, exposed a hosting provider potentially facilitating widespread cybercriminal activities across its network infrastructure.

Russian-Operated Hosting Provider Under Scrutiny

Qwins Ltd, operating under Autonomous System Number (ASN) 213702, offers virtual private servers and dedicated hosting services starting at approximately $2 per month.

The company, incorporated in the UK on November 11, 2024, with “Kristina Konstantinova” as acting director until April 2025, was subsequently renamed to “Quality IT Network Solutions Limited.”

Despite its UK registration, the service operates primarily through Russian channels, including a Telegram bot for customer transactions, with servers deployed across Russia, Germany, Finland, the Netherlands, and Estonia.

Research analysis revealed concerning patterns across the provider’s approximately 2,300 hosted systems.

Initial investigation of IP address 141.98.6.34 uncovered hosting of phishing sites impersonating Brex financial services and numerous malicious executables associated with infostealers and trojans.

Further analysis identified three clustered IP addresses (141.98.6.34, 141.98.6.190, and 141.98.6.130) sharing identical self-signed certificates and hosting similar malicious infrastructure.
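The pivot used here (treating hosts that present the same self-signed certificate as co-managed) is easy to automate. The following is an added example, not code from the original report or from the researchers: it groups TLS scan records by leaf-certificate fingerprint and checks whether each cluster sits in one /24. Only the three clustered IP addresses come from the report; the fingerprints, the extra hosts and the self-signed flag are constructed placeholders.

```python
"""Cluster hosts by shared self-signed TLS certificate fingerprint.

Added example (not from the original report). Fingerprints below are
constructed placeholders, not the certificates actually observed.
"""
from collections import defaultdict
import ipaddress

# Constructed scan records: ip, SHA-256 of the served leaf certificate,
# and whether the certificate is self-signed (issuer == subject).
SCAN_RECORDS = [
    {"ip": "141.98.6.34",  "fp": "aa" * 32, "self_signed": True},
    {"ip": "141.98.6.190", "fp": "aa" * 32, "self_signed": True},
    {"ip": "141.98.6.130", "fp": "aa" * 32, "self_signed": True},
    {"ip": "141.98.6.77",  "fp": "bb" * 32, "self_signed": False},  # CA-issued, unrelated (constructed)
    {"ip": "203.0.113.9",  "fp": "cc" * 32, "self_signed": True},   # TEST-NET lone host (constructed)
]


def cluster_by_fingerprint(records, min_size=2):
    """Group hosts serving the same self-signed certificate.

    CA-issued certificates are ignored: one Let's Encrypt cert shared across
    CDN nodes is normal, whereas the same self-signed cert on several distinct
    IPs usually means one operator cloned a server image or config.
    """
    groups = defaultdict(set)
    for rec in records:
        if rec["self_signed"]:
            groups[rec["fp"]].add(rec["ip"])
    return {
        fp: sorted(ips, key=ipaddress.ip_address)
        for fp, ips in groups.items()
        if len(ips) >= min_size
    }


def shared_prefix(ips, prefixlen=24):
    """Return the /prefixlen network containing every IP, or None if they differ."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return str(next(iter(nets))) if len(nets) == 1 else None


def summarize(records):
    """One dict per cluster: fingerprint, member hosts, and their common /24 (if any)."""
    return [
        {"fingerprint": fp, "hosts": ips, "subnet": shared_prefix(ips)}
        for fp, ips in cluster_by_fingerprint(records).items()
    ]


if __name__ == "__main__":
    for cluster in summarize(SCAN_RECORDS):
        print(cluster)
```

Treat a cluster as a lead, not a verdict: default certificates shipped with some hosting panels are also identical across unrelated customers, so the fingerprint should be checked against known default-certificate lists before the hosts are blocked together.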

Segmented Criminal Infrastructure Across Network Subnets

Technical analysis of ASN 213702 revealed a sophisticated segmentation strategy across different network ranges, each serving distinct criminal purposes.

The 93.123.39.0/24 subnet hosts approximately 39 malicious IP addresses distributing over 120 payloads primarily associated with DDoS infrastructure and botnet command-and-control servers, typically operating on port 666.

The 141.98.6.0/24 range contains approximately 15 flagged IP addresses hosting over 45 malware samples, predominantly infostealers including Amadey, Lumma, and Vidar variants.

Meanwhile, the 95.164.53.0/24 network appears dedicated to initial payload distribution, hosting document droppers and first-stage loaders that initiate infection chains.

The 77.105.164.0/24 range serves as command-and-control infrastructure for data exfiltration and configuration management.

Malware family analysis identified significant concentrations of Amadey Botnet, Mirai Botnet, Zapchast Trojan, Lumma, Vidar, and DarkGate variants targeting multiple architectures, including Windows, Linux x86/x86_64, ARM, and MIPS systems.

The operational flow demonstrates sophisticated coordination, with droppers hosted on distribution networks leading to payloads on botnet infrastructure, while infostealer communications flow to dedicated command-and-control ranges.
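The subnet roles above translate directly into enrichment and sequencing logic for outbound connection logs. This added example is not code from the original report: it labels each destination with the role the report assigns to its /24, raises severity for port 666 on the botnet range, and flags a source host that reaches a later stage (payload, then C2) after an earlier one. The ranges, roles and port come from the report; the log lines, the log format and the stage ordering heuristic are this example's own assumptions.

```python
"""Enrich connection records with the subnet roles from the report and flag
sources whose contacts follow the distribution -> payload -> C2 sequence.

Added example, not code from the original report. Log lines are constructed;
the stage heuristic is this example's own.
"""
import ipaddress
from collections import defaultdict

# Roles per /24 as described in the report.
ROLE_BY_NET = {
    ipaddress.ip_network("95.164.53.0/24"):  "payload-distribution",
    ipaddress.ip_network("93.123.39.0/24"):  "botnet-c2",
    ipaddress.ip_network("141.98.6.0/24"):   "infostealer-hosting",
    ipaddress.ip_network("77.105.164.0/24"): "exfil-c2",
}

# Assumed kill-chain position of each role (1 = first contact, 3 = last).
STAGE = {"payload-distribution": 1, "botnet-c2": 2, "infostealer-hosting": 2, "exfil-c2": 3}

# Constructed log lines in an assumed "ts src dst dport" format.
LOG_LINES = """\
1700000000 10.0.0.5 95.164.53.40 443
1700000090 10.0.0.5 93.123.39.17 666
1700000300 10.0.0.5 77.105.164.8 443
1700000020 10.0.0.9 203.0.113.50 443
1700000400 10.0.0.9 141.98.6.34 443
""".strip().splitlines()


def parse_line(line):
    ts, src, dst, dport = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport)}


def classify(dst_ip):
    """Return the report's role for the destination's /24, or None if not listed."""
    addr = ipaddress.ip_address(dst_ip)
    for net, role in ROLE_BY_NET.items():
        if addr in net:
            return role
    return None


def enrich(lines):
    """Keep only connections to the listed ranges, tagged with role and severity."""
    events = []
    for line in lines:
        ev = parse_line(line)
        role = classify(ev["dst"])
        if role is None:
            continue
        ev["role"] = role
        # Port 666 is the port the report associates with the botnet C2 range.
        ev["severity"] = "high" if role == "botnet-c2" and ev["dport"] == 666 else "medium"
        events.append(ev)
    return events


def find_chains(events):
    """Sources that contact an earlier-stage range and later a later-stage range."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev["role"])
    chains = {}
    for src, roles in by_src.items():
        stages = [STAGE[r] for r in roles]
        if any(stages[i] < stages[j] for i in range(len(stages)) for j in range(i + 1, len(stages))):
            chains[src] = roles
    return chains


if __name__ == "__main__":
    enriched = enrich(LOG_LINES)
    for ev in enriched:
        print(ev)
    print("probable infection chains:", find_chains(enriched))
```

A single contact with one of these ranges is a medium-confidence indicator (hosting providers also carry benign tenants); the sequence check is what turns separate low-value hits into a host worth isolating and imaging.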

This discovery highlights the evolving landscape of bulletproof hosting services, where legitimate business registrations mask sophisticated criminal infrastructure supporting multiple threat actor operations simultaneously.
