
Exposing Russian Malicious Infrastructure: 1,250+ C2 Servers Mapped Across 165 Providers

ID: ef9eeae2-d21a-5232-9bad-d247707f266a

STIX ID: report--ef9eeae2-d21a-5232-9bad-d247707f266a

Feed Name: Hunt.io Blog

Threat Score: 75/100

Date Published: 2026-04-16

Date Updated: 2026-04-28

...
...

This report uses Host Radar and HuntSQL telemetry to map malicious infrastructure inside Russian hosting and ISP ecosystems over a three-month window, identifying ~1,252 C2 servers across 165 providers. It highlights a small set of providers (TimeWeb, REG.RU, WebHost1, VDSina, PROSPERO OOO) that host a disproportionate share of these C2s, enumerates the dominant malware families (Keitaro, Hajime, Tactical RMM, Cobalt Strike, Sliver, Ligolo-ng, etc.), and provides campaign-level examples linking specific IPs to infostealers, RAT deployments, botnets, and targeted intrusion activity. It concludes that a host-centric mitigation focus, concentrated on the few providers carrying most of the volume, can disrupt attacker operations at scale.
