
Bulletproof Hosting Hunt

ID: cfa62f92-df2d-54f9-b07e-8c04e67eea44

STIX ID: report--cfa62f92-df2d-54f9-b07e-8c04e67eea44

Feed Name: IntelInsights (Substack)

Threat Score: 72/100

Date Published: 2025-07-27

Date Updated: 2026-04-19

Author: Vasilis Orlof

...
...

The report details a hunt that starts from recent Lumma samples and pivots into AS213702 (QWINS LTD), identifying clusters of IPs and domains used for payload hosting, phishing (e.g., Brex and DBeaver impersonation), and C2 across subnets such as 93.123.39.0/24 and 141.98.6.0/24. Using VirusTotal (VT) and Censys, it links multiple services, shared self-signed certificates, and open ports (e.g., 5554, 3389) to ongoing infostealer and botnet activity (Lumma, Vidar, Amadey, Mirai, DarkGate), suggesting the ASN may function as bulletproof hosting. The author summarizes the observed distribution-to-C2 flows and provides an external list of IoCs for further investigation.
