Cybersecurity researchers have flagged a Ukrainian IP community for partaking in large brute-force and password spraying campaigns concentrating on SSL VPN and RDP units between June and July 2025.
The exercise originated from a Ukraine-based autonomous system FDN3 (AS211736), per French cybersecurity firm Intrinsec.
“We consider with a excessive stage of confidence that FDN3 is a part of a wider abusive infrastructure composed of two different Ukrainian networks, VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), and a Seychelles-based autonomous system named TK-NET (AS210848),” in line with a report printed final week.
“These have been all allotted in August 2021 and infrequently trade IPv4 prefixes with each other to evade blocklisting and proceed internet hosting abusive actions.”
AS61432 at present broadcasts a single prefix 185.156.72[.]0/24, whereas AS210950 has introduced two prefixes 45.143.201[.]0/24 and
185.193.89[.]0/24. The 2 autonomous methods have been allotted in Might and August 2021, respectively. A serious chunk of their prefixes has been introduced on AS210848, one other autonomous system additionally allotted in August 2021.
“This community shares all its peering agreements with IP Quantity Inc. – AS202425, an organization based mostly in Seychelles and created by Ecatel’s homeowners, notorious for operating an extensively abusive bulletproof internet hosting service within the Netherlands since 2005,” Intrinsec famous.
The whole lot of prefixes that have been moved from AS61432 and AS210950 at the moment are introduced by bulletproof and abusive networks fronted by shell firms like International Web Options LLC (gir.community), International Connectivity Options LLP, Verasel, IP Quantity Inc., and Telkom Web LTD.
The findings construct upon prior disclosures about how a number of networks allotted in August 2021 and based mostly in Ukraine and Seychelles – AS61432, AS210848, and AS210950 – have been used for spam distribution, community assaults, and malware command-and-control internet hosting. In June 2025, a few of the IPv4 prefixes introduced by these networks have been moved to FDN3, which was created in August 2021.
That is not all. Three of the prefixes introduced by AS210848, and one by AS61432, have been beforehand introduced by one other Russian community, SibirInvest OOO (AS44446). Of the 4 IPv4 prefixes introduced by FDN3, considered one of them (88.210.63[.]0/24) is assessed to have been beforehand introduced by a U.S.-based bulletproof internet hosting answer named Virtualine (AS214940 and AS214943).
It is this IPv4 prefix vary that has been attributed to large-scale brute-force and password spraying makes an attempt, with the exercise scaling to a document excessive between July 6 and eight, 2025.
The brute-force and password spraying efforts aimed toward SSL VPN and RDP belongings might last as long as three days, per Intrinsec. It is value noting that these strategies have been adopted by numerous ransomware-as-a-service (RaaS) teams like Black Basta, GLOBAL GROUP, and RansomHub as an preliminary entry vector to breach company networks.
The 2 different prefixes that FDN3 introduced in June, 92.63.197[.]0/24 and 185.156.73[.]0/24, have been beforehand introduced by AS210848, indicating a excessive diploma of operational overlap. 92.63.197[.]0/24, for its half, has ties to Bulgarian spam networks like ROZA-AS (AS212283).
“All these sturdy similarities, together with their configuration, the content material they host, and their creation date, led us to evaluate with a excessive stage of confidence the beforehand talked about autonomous methods to be operated by a standard bulletproof internet hosting administrator,” Intrinsec defined.
Additional evaluation of FDN3 has uncovered ties to a Russian firm referred to as Alex Host LLC that, previously, has been linked to bulletproof internet hosting suppliers like TNSECURITY, which have been used to host Doppelganger infrastructure.
“This investigation as soon as once more highlights a standard phenomenon of offshore ISPs akin to IP Quantity Inc. enabling smaller bulletproof networks by means of peering agreements and prefix internet hosting general,” the corporate mentioned. “Because of their offshore location, akin to Seychelles, which offers anonymity to the homeowners of these firms, the malicious actions perpetrated by means of these networks can’t be instantly imputed to them.”
The event comes as Censys uncovered a connect-back proxy administration system related to the PolarEdge botnet that is at present operating on over 2,400 hosts. The system is an RPX server that operates as a reverse-connect proxy gateway able to managing proxy nodes and exposing proxy providers.
“This technique seems to be a well-designed server which may be one of many many instruments used for managing the PolarEdge botnet,” senior security researcher Mark Ellzey mentioned. “It’s also doable that this particular service is totally unrelated to PolarEdge and is as a substitute a service that the botnet makes use of to leap between completely different relays.”
