Eastern Europe C2 Servers: How Hunt.io Mapped 3,900 Malicious Nodes
Cyberattack infrastructure often outlives the domains and IP addresses it depends on. Indeed, a new report from Hunt.io reveals just how densely such nodes have clustered across Eastern Europe. From 12 March to 12 June 2026, its analysts studied infrastructure in ten countries. In total, they uncovered more than 3,900 active C2 servers across 302 providers.
What C2 Servers Actually Do
Command-and-control servers act as the nerve centers of malware operations. Through these nodes, operators issue commands to infected systems, collect stolen data, and keep their campaigns running. The study covered providers in Belarus, Bulgaria, Czechia, Hungary, Poland, Moldova, Romania, Russia, Slovakia, and Ukraine.
One Bulgarian Host Dominates the Map
The heaviest concentration sat with Bulgaria’s Friendhosting LTD. On its infrastructure alone, researchers found 2,100 C2 servers. That figure represents roughly 53.5% of all such nodes in the sample. Notably, this imbalance is hard to spot while tracking single domains or IPs. However, it emerges clearly once you aggregate activity at the hosting-provider level.
Beyond C2: A Wider Web of Malice
In all, Host Radar flagged 4,331 malicious objects. Alongside the 3,923 C2 servers, the sample held open directories of malicious content, phishing sites, and publicly known indicators of compromise. C2 infrastructure accounted for about 90.6% of all findings. That share shows that command-and-control hosting is by far the dominant malicious use of the regional infrastructure studied.
The report also names real campaigns tied to the discovered nodes. For instance, Cloud Atlas infrastructure surfaced at several Eastern European providers. Beyond that, analysts traced nodes linked to phishing, infostealers, botnets, and the abuse of legitimate remote-administration tools.
The Malware Families Behind the Nodes
By infrastructure family, Keitaro led the pack with 1,277 unique C2 IPs. Tactical RMM and Acunetix followed close behind. The report separately highlighted Cobalt Strike, Sliver, Gophish, Mirai, Mozi, and Hajime.
This mix tells a revealing story. The same provider platforms serve mass criminal campaigns and more sophisticated post-breach operations alike.
Why Defenders Should Watch the Hosting Layer
The authors argue that defense should not rest on fast-changing IP addresses and domains alone. Instead, they urge security teams to weigh the risk of specific ASNs and providers. Furthermore, teams should track recurring infrastructure links. Finally, they should check whether suspicious sources have surfaced in earlier campaigns.
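The hosting-level view the authors recommend amounts to three checks: how much of the C2 sample a single provider or ASN carries, whether that provider keeps reappearing across unrelated campaigns, and whether a newly seen ASN has a prior history. The following is an added example, not code from Hunt.io or its report. It runs those checks over a small, constructed set of findings (RFC 5737 documentation addresses, documentation-range ASNs, and invented provider and campaign names); the counts and shares it produces come from that constructed data, not from the report.

```python
"""Aggregate threat-intel findings by hosting provider / ASN instead of by single IP.

Added illustration; all records below are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ip: str
    asn: str
    provider: str
    country: str
    category: str   # "c2", "phishing" or "open_dir"
    family: str     # tool or malware family the node was attributed to
    campaign: str   # campaign identifier the finding was linked to


# Constructed sample: documentation IPs (RFC 5737), documentation ASNs (64496-64499),
# hypothetical providers HostA-HostD and hypothetical campaigns camp-1..camp-5.
FINDINGS = [
    Finding("203.0.113.10", "AS64496", "HostA", "BG", "c2", "Keitaro", "camp-1"),
    Finding("203.0.113.11", "AS64496", "HostA", "BG", "c2", "Cobalt Strike", "camp-2"),
    Finding("203.0.113.12", "AS64496", "HostA", "BG", "c2", "Sliver", "camp-2"),
    Finding("203.0.113.13", "AS64496", "HostA", "BG", "phishing", "Gophish", "camp-3"),
    Finding("198.51.100.20", "AS64497", "HostB", "PL", "c2", "Mirai", "camp-4"),
    Finding("198.51.100.21", "AS64497", "HostB", "PL", "open_dir", "-", "camp-4"),
    Finding("192.0.2.30", "AS64498", "HostC", "RO", "c2", "Keitaro", "camp-1"),
    Finding("192.0.2.31", "AS64499", "HostD", "CZ", "c2", "Tactical RMM", "camp-5"),
]


def c2_share_by_provider(findings):
    """Map provider -> (number of C2 nodes, percentage of all C2 nodes in the sample)."""
    c2 = [f for f in findings if f.category == "c2"]
    counts = Counter(f.provider for f in c2)
    total = len(c2)
    return {p: (n, round(100.0 * n / total, 1)) for p, n in counts.items()}


def campaigns_by_provider(findings):
    """Map provider -> sorted list of distinct campaigns observed on it (any category)."""
    seen = defaultdict(set)
    for f in findings:
        seen[f.provider].add(f.campaign)
    return {p: sorted(c) for p, c in seen.items()}


def recurring_providers(findings, min_campaigns=2):
    """Providers that show up in at least `min_campaigns` distinct campaigns."""
    return sorted(p for p, c in campaigns_by_provider(findings).items()
                  if len(c) >= min_campaigns)


def asn_history(findings, asn):
    """Campaigns previously tied to an ASN; empty list means no prior sightings."""
    return sorted({f.campaign for f in findings if f.asn == asn})


def provider_risk(findings, share_threshold=25.0, min_campaigns=2):
    """Label each provider 'high' when its C2 concentration or recurrence crosses a threshold.

    Thresholds are illustrative defaults, not values from the report.
    """
    shares = c2_share_by_provider(findings)
    campaigns = campaigns_by_provider(findings)
    result = {}
    for provider, camps in campaigns.items():
        _, share = shares.get(provider, (0, 0.0))
        reasons = []
        if share >= share_threshold:
            reasons.append("c2_concentration")
        if len(camps) >= min_campaigns:
            reasons.append("recurring")
        result[provider] = ("high" if reasons else "baseline", reasons)
    return result


if __name__ == "__main__":
    for provider, (n, share) in sorted(c2_share_by_provider(FINDINGS).items()):
        print(f"{provider}: {n} C2 nodes ({share}% of sample)")
    print("recurring providers:", recurring_providers(FINDINGS))
    print("history of AS64496:", asn_history(FINDINGS, "AS64496"))
    for provider, (level, reasons) in sorted(provider_risk(FINDINGS).items()):
        print(f"{provider}: {level} {reasons}")
```

In the constructed sample, no single IP looks remarkable, yet HostA carries half of all C2 nodes and recurs across three campaigns, which is exactly the kind of pattern the per-IP view hides. Feeding real findings into the same functions (one record per node, with the provider and ASN resolved from routing data) gives the provider-level risk view the authors describe.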