Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices

News Room
Last updated: 2025/09/04 at 5:12 PM
News Room Published 4 September 2025

Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025.

The activity originated from a Ukraine-based autonomous system FDN3 (AS211736), per French cybersecurity company Intrinsec.

“We believe with a high level of confidence that FDN3 is part of a wider abusive infrastructure composed of two other Ukrainian networks, VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), and a Seychelles-based autonomous system named TK-NET (AS210848),” according to a report published last week.

“Those were all allocated in August 2021 and often exchange IPv4 prefixes with one another to evade blocklisting and continue hosting abusive activities.”

AS61432 currently announces a single prefix, 185.156.72[.]0/24, while AS210950 has announced two prefixes, 45.143.201[.]0/24 and 185.193.89[.]0/24. The two autonomous systems were allocated in May and August 2021, respectively. A major chunk of their prefixes has been announced on AS210848, another autonomous system also allocated in August 2021.

“This network shares all its peering agreements with IP Volume Inc. – AS202425, a company based in Seychelles and created by Ecatel’s owners, infamous for running an extensively abusive bulletproof hosting service in the Netherlands since 2005,” Intrinsec noted.

All of the prefixes that were moved from AS61432 and AS210950 are now announced by bulletproof and abusive networks fronted by shell companies like Global Internet Solutions LLC (gir.network), Global Connectivity Solutions LLP, Verasel, IP Volume Inc., and Telkom Internet LTD.

The findings build upon prior disclosures about how multiple networks allocated in August 2021 and based in Ukraine and Seychelles – AS61432, AS210848, and AS210950 – were used for spam distribution, network attacks, and malware command-and-control hosting. In June 2025, some of the IPv4 prefixes announced by these networks were moved to FDN3, which was created in August 2021.

That’s not all. Three of the prefixes announced by AS210848, and one by AS61432, were previously announced by another Russian network, SibirInvest OOO (AS44446). Of the four IPv4 prefixes announced by FDN3, one of them (88.210.63[.]0/24) is assessed to have been previously announced by a U.S.-based bulletproof hosting solution named Virtualine (AS214940 and AS214943).

It’s this IPv4 prefix range that has been attributed to large-scale brute-force and password spraying attempts, with the activity scaling to a record high between July 6 and 8, 2025.

The brute-force and password spraying efforts aimed at SSL VPN and RDP assets could last up to three days, per Intrinsec. It’s worth noting that these techniques have been adopted by various ransomware-as-a-service (RaaS) groups like Black Basta, GLOBAL GROUP, and RansomHub as an initial access vector to breach corporate networks.

The two other prefixes that FDN3 announced in June, 92.63.197[.]0/24 and 185.156.73[.]0/24, were previously announced by AS210848, indicating a high degree of operational overlap. 92.63.197[.]0/24, for its part, has ties to Bulgarian spam networks like ROZA-AS (AS212283).
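
An added example, not taken from Intrinsec's report or the original article: a Python check that refangs the three FDN3 prefixes named above and groups VPN/RDP authentication events by prefix, so attempts rotated across addresses inside one /24 are counted together. The event tuple format, the sample addresses and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# FDN3 (AS211736) prefixes as published in the article, kept defanged.
FDN3_PREFIXES_DEFANGED = ["88.210.63[.]0/24", "92.63.197[.]0/24", "185.156.73[.]0/24"]
FDN3_NETWORKS = [ipaddress.ip_network(p.replace("[.]", ".")) for p in FDN3_PREFIXES_DEFANGED]

# Constructed sample events: (source IP, username, outcome). Not real log data.
SAMPLE_EVENTS = (
    [("88.210.63.17", u, "fail") for u in ("alice", "bob")]
    + [("88.210.63.44", u, "fail") for u in ("carol", "dave", "erin")]
    + [("185.156.73.9", "admin", "fail")] * 5
    + [("185.156.73.9", "admin", "ok"), ("203.0.113.5", "alice", "fail")]
)

def matching_prefix(ip):
    """Return the listed prefix containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for net in FDN3_NETWORKS:
        if addr in net:
            return str(net)
    return None

def classify(events, min_users=4, min_failures=4):
    """Summarise logins per listed prefix; thresholds are illustrative assumptions."""
    stats = defaultdict(lambda: {"users": set(), "failures": 0, "ok": set()})
    for ip, user, outcome in events:
        prefix = matching_prefix(ip)
        if prefix is None:
            continue  # source is not in a listed prefix
        if outcome == "fail":
            stats[prefix]["users"].add(user)
            stats[prefix]["failures"] += 1
        else:
            stats[prefix]["ok"].add(user)  # success from a listed prefix: review first
    findings = {}
    for prefix, s in stats.items():
        if len(s["users"]) >= min_users:
            pattern = "password-spraying"  # many accounts, few tries each
        elif s["failures"] >= min_failures:
            pattern = "brute-force"        # few accounts, many tries
        else:
            pattern = "low-volume"
        findings[prefix] = {"pattern": pattern, "failures": s["failures"],
                            "successful_users": sorted(s["ok"])}
    return findings

if __name__ == "__main__":
    for prefix, result in classify(SAMPLE_EVENTS).items():
        print(prefix, result)
```

Any entry with a non-empty `successful_users` list is the one to triage first, since it means a login succeeded from a listed prefix.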

“All those strong similarities, including their configuration, the content they host, and their creation date, led us to assess with a high level of confidence the previously mentioned autonomous systems to be operated by a common bulletproof hosting administrator,” Intrinsec explained.

Further analysis of FDN3 has uncovered ties to a Russian company called Alex Host LLC that, in the past, has been linked to bulletproof hosting providers like TNSECURITY, which have been used to host Doppelganger infrastructure.

“This investigation once again highlights a common phenomenon of offshore ISPs such as IP Volume Inc. enabling smaller bulletproof networks through peering agreements and prefix hosting overall,” the company said. “Thanks to their offshore location, such as Seychelles, which provides anonymity to the owners of those companies, the malicious activities perpetrated through those networks cannot be directly imputed to them.”

The findings follow similar disclosures from Recorded Future about the rebranding of Stark Industries to THE.Hosting, alongside the creation of a new autonomous system (AS209847) in the wake of sanctions imposed against the bulletproof hosting provider by the European Union back in May 2025.

“This outcome highlights how threat activity enablers (TAEs) — entities that enable malicious cyber activity by providing infrastructure or services leveraged by threat actors — that retain such significant control over RIPE resources, such as Local Internet Registries (LIRs), Autonomous Systems (ASes), and IP prefixes, are particularly well-positioned to rebrand, reallocate infrastructure, and maintain operational continuity in the absence of meaningful intervention by RIPE NCC,” the company said.

The development comes as Censys uncovered a connect-back proxy management system associated with the PolarEdge botnet that’s currently running on over 2,400 hosts. The system is an RPX server that operates as a reverse-connect proxy gateway capable of managing proxy nodes and exposing proxy services.

“This system appears to be a well-designed server that may be one of the many tools used for managing the PolarEdge botnet,” senior security researcher Mark Ellzey said. “It is also possible that this specific service is completely unrelated to PolarEdge and is instead a service that the botnet utilizes to jump between different relays.”
