Map-style illustration showing a Bulgarian server hub radiating command-and-control network traffic across Eastern Europe.

UPDATE: Researchers Say One Company Hosts Half of Eastern Europe’s 3,900 Criminal Servers. The Host Says Prove It!

A three-month Hunt.io analysis claims that one Bulgarian host accounted for 2,100 of 3,900 detected C2 servers tied to Eastern European malware operations.

Just one hosting company is responsible for housing half of the command-and-control activity flowing out of Eastern Europe, a region that researchers say punches well above its weight in global cybercrime.

Command-and-control servers are the backbone of modern cybercrime. They support the remote infrastructure that lets attackers direct malware, coordinate ransomware deployments, and siphon stolen data from compromised systems worldwide. Hosting companies are the physical infrastructure where websites, applications, and, in this case, criminal operations exist online.

A three-month sweep of Eastern Europe’s malware infrastructure, published Wednesday by security vendor Hunt.io, turned up a hornet’s nest of criminal activity. The report deliberately does not focus on individual rogue IPs, but rather on who is hosting them.

“A single Bulgarian provider accounted for more than half of all detected C2 infrastructure, a level of concentration that doesn’t surface when you’re tracking individual IPs or domains,” the Hunt.io team explained.

“It only becomes visible when you look at the hosting layer itself.”

That host, Friendhosting LTD, was found to be housing 2,100 of the 3,900 catalogued C2 servers that were traced back to operators in Belarus, Bulgaria, the Czech Republic, Hungary, Poland, Moldova, Romania, Russia, Slovakia, and Ukraine. That amounts to roughly 53% of all C2 activity running through a single hosting provider.

Friendhosting disputes research

UPDATE 6/26: Initially, Security Point Break reached out to Friendhosting, but didn’t receive a response to a request for comment. On June 26, Friendhosting did reply stating only: “This is the first time we have become aware of the Hunt.io report. We are currently reviewing the publication and its methodology in order to provide you with an accurate and considered response.” Security Point Break will update this report with any additional Friendhosting comments.

UPDATE 6/26: Friendhosting LTD responded to a request for comment from Security Point Break after this story was first published. The company said it was unaware of the Hunt.io report until contacted by this publication, and disputed the methodology behind the findings.

“We have not been provided with the IP addresses, observation timestamps, technical indicators, or any other data that would allow us to verify the conclusion that Friendhosting LTD’s infrastructure included approximately 2,100 servers classified by the authors as C2 infrastructure,” a company representative said.

Friendhosting also questioned how Keitaro deployments were classified as C2 infrastructure in the report, noting that Keitaro is a traffic distribution system rather than a command-and-control framework — a distinction Security Point Break raised in its own coverage.

The company added that the 2,100 figure “appears unusually high,” citing the relatively low volume of abuse reports and law enforcement requests it receives. Friendhosting said it has since contacted Hunt.io directly to request the underlying data, and stated that any servers confirmed to be involved in malicious activity will be suspended immediately.
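As an added illustration (not Hunt.io’s code or data) of the hosting-layer view described in the researchers’ quotes above, and of why the Keitaro classification that Friendhosting disputes matters to the result, the following Python aggregates constructed, placeholder C2 observations by hosting provider and recomputes each provider’s share with traffic-distribution deployments excluded; the provider names and IP addresses are made up.

```python
"""Aggregate IP-level observations to the hosting layer.

Added example, not Hunt.io's code or data: the detections below are
constructed to mimic the report's shape (IP, provider, tool) and use
placeholder provider names and RFC 5737 documentation addresses.
"""
from collections import defaultdict

# Tools the report names. Keitaro is tagged as a traffic distribution
# system (TDS) because its classification as "C2" is disputed.
TOOL_ROLE = {
    "Cobalt Strike": "c2",
    "Sliver": "c2",
    "Tactical RMM": "c2",
    "Keitaro": "tds",
}

# Constructed sample observations: (ip, hosting_provider, tool).
OBSERVATIONS = [
    ("192.0.2.10", "Host-A", "Keitaro"),
    ("192.0.2.11", "Host-A", "Keitaro"),
    ("192.0.2.12", "Host-A", "Keitaro"),
    ("192.0.2.13", "Host-A", "Cobalt Strike"),
    ("192.0.2.14", "Host-A", "Sliver"),
    ("198.51.100.5", "Host-B", "Cobalt Strike"),
    ("198.51.100.6", "Host-B", "Tactical RMM"),
    ("203.0.113.7", "Host-C", "Keitaro"),
    ("203.0.113.8", "Host-C", "Sliver"),
]

def provider_share(observations, roles=("c2", "tds")):
    """Return {provider: fraction of unique IPs} for tools whose role is in `roles`.

    Counting unique IPs rather than rows avoids double-counting a server
    observed with several tools; shares are fractions of the filtered total.
    """
    ips_by_provider = defaultdict(set)
    for ip, provider, tool in observations:
        if TOOL_ROLE.get(tool) in roles:
            ips_by_provider[provider].add(ip)
    total = sum(len(s) for s in ips_by_provider.values())
    return {p: len(s) / total for p, s in ips_by_provider.items()} if total else {}

def concentration_flags(shares, threshold=0.5):
    """Providers holding more than `threshold` of the filtered servers."""
    return sorted(p for p, s in shares.items() if s > threshold)

if __name__ == "__main__":
    for label, roles in (("all tools", ("c2", "tds")), ("c2 only", ("c2",))):
        shares = provider_share(OBSERVATIONS, roles)
        print(label, {p: f"{s:.0%}" for p, s in shares.items()}, concentration_flags(shares))
```

With the constructed data, Host-A exceeds the 50% line only when TDS deployments are counted as C2, which is exactly the methodological question the dispute turns on.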

Hunt.io did not indicate in its report that it contacted the company prior to publication.

Timeline continued

Just weeks ago, Europol’s 2026 Internet Organised Crime Threat Assessment warned that cybercriminals are deploying increasingly complex hosting arrangements to evade detection. Also just a month ago, Dutch authorities dismantled a bulletproof hosting network linked to cyberattacks, disinformation campaigns, and Russian sanctions evasion.

While Hunt.io focused on a single portion of Eastern Europe, its findings have a global significance due to the region’s outsized role in the cybercrime landscape. A cocktail of lax law enforcement, unscrupulous hosting providers, and murky extradition policies has made the region a haven for malware, ransomware, and botnet operators.

The region is less a storefront than a back office — roughly 90% of the observed activity was C2 traffic running between attackers and infected machines, while the phishing pages and exploit sites that victims actually encounter were hosted elsewhere.

Among the most popular names to be connected to the identified C2 servers was Keitaro, a commercial traffic distribution system that threat actors have long abused to route victims toward phishing pages, malware downloads, and exploit kits.

A joint study by Infoblox and Confiant published in March identified roughly 15,500 domains tied to malicious Keitaro deployments over a four-month period, underscoring the platform’s entrenched role in cybercrime distribution infrastructure.

Additionally, the Hunt.io team found that several popular offensive frameworks including Cobalt Strike and Tactical RMM were making heavy use of hosting and management services in the region.

Hunt.io also identified C2 infrastructure linked to Cloud Atlas, the long-running espionage group, operating across multiple Eastern European providers. Kaspersky researchers confirmed in May that Cloud Atlas remained active into early 2026, targeting government and diplomatic entities in Russia and Belarus.

“The dominance of Keitaro across the malware family distribution reflects the region’s established role in traffic distribution and redirect infrastructure, a foundational layer for malvertising, phishing, and exploit kit operations,” the researchers said.

“The simultaneous presence of Cobalt Strike, Sliver, and Tactical RMM indicates that Eastern European hosting serves both commodity criminal operations and more sophisticated post-exploitation campaigns sharing the same infrastructure layer.”

Editor’s note: Security Point Break contacted Friendhosting LTD prior to publication of this report. The company did not respond before the original publication deadline. Friendhosting subsequently replied with a detailed statement disputing several findings in the Hunt.io research, which has been incorporated into this article. Hunt.io did not indicate in its published report that it contacted Friendhosting before publication, and had not responded to Security Point Break’s request for comment at the time this update was added. Security Point Break will continue to update this report as additional responses are received.

The headline of this article has been updated to reflect standard attribution practice for third-party research findings. Friendhosting LTD, named in the Hunt.io report, has disputed elements of the methodology underlying the original findings. Hunt.io had not responded to a request for comment at the time of this update. Security Point Break will continue to update this report as additional responses are received.

Author

  • Shaun Nichols

    Shaun Nichols, Senior Editor at Security Point Break, is a veteran cybersecurity journalist who has spent nearly two decades covering the enterprise tech market—from the era of hard-drive iPods to the rise of Agentic AI. Formerly of The Register and TechTarget, Shaun is known for his sharp wit and deep technical dives into malware, ransomware, and the intersection of government policy and security. Follow him on X: @shaundnichols
