The notorious Qilin ransomware-as-a-service (RaaS) group has intensified its global campaign using a network of shadowy bulletproof hosting (BPH) providers to conceal its operations.
According to recent intelligence from Resecurity, Qilin’s infrastructure spans multiple jurisdictions, leveraging rogue hosting companies in Russia, Hong Kong, Cyprus, and the UAE to evade law enforcement and sustain long-term activity.
The group has become one of 2025’s most prolific ransomware actors, recently crippling Asahi Group Holdings, Japan’s largest beverage manufacturer, in a significant attack that halted production across 30 factories.
Qilin, formerly known as Agenda, emerged in mid-2022 and operates an advanced RaaS model supporting affiliates with ransomware payloads written in Rust and Golang. Its affiliates, who are responsible for executing attacks, retain 80–85% of the ransom, while operators keep the rest.
The group employs BPH providers to host stolen data, negotiation portals, and command-and-control (C2) servers anonymously. These BPH services disregard customer identification (zero KYC), operate through shell companies, and exploit pro-secrecy jurisdictions to remain unchecked.

Resecurity linked several entities to Qilin’s infrastructure, including Hong Kong-based Cat Technologies Co. Limited and its Cyprus-linked affiliate Starcrecium Limited. Both share ties to Chang Way Technologies Co. Limited, whose director, Lenar Davletshin, is reportedly connected to other Russian firms like Hostway.ru and Red Bytes LLC.
These providers collectively form an underground network enabling Qilin’s affiliates to host C2 servers for malware such as Amadey, StealC, and Cobalt Strike.
Notably, the U.S. Treasury Department sanctioned Aeza Group in mid-2025 for providing BPH services to ransomware gangs and dark web marketplaces, including BianLian and BlackSprut.
Some Qilin infrastructure overlaps with Aeza-linked networks, with IPs like 194[.]58[.]112[.]174 suggesting shared backend support.
Similarly, BEARHOST Servers, another long-standing BPH provider, advertised its services on Qilin’s leak site “WikiLeaksV2” before rebranding as “Voodoo Servers” in 2025, later vanishing through an exit scam.
Researchers believe former BEARHOST clients, including Qilin operators, migrated to successor entities such as Next Limited and Proton66, both registered at the same Hong Kong address used by Chang Way.

Resecurity analysts confirmed that Qilin’s BPH-linked IPs frequently rotate to obscure ownership, with some registered under IPX-FZCO in Dubai. Historical IP records (AS57523) reveal shared administrative contacts with Chang Way, reinforcing evidence of cross-entity collaboration.
As of mid-October, Qilin has claimed over 50 new victims, including Spain’s Tax Administration Agency, U.S. electric cooperatives, and pharmaceutical manufacturers.
The operation’s reliance on ghost BPH networks demonstrates how anonymized, resilient hosting infrastructure continues to empower ransomware groups to thrive beyond the reach of international law enforcement.
