A recent report from Hunt.io has mapped over 3,900 command-and-control (C2) servers primarily located in Eastern Europe, revealing a complex infrastructure used for various cybercrimes such as malware distribution and phishing. The analysis, conducted over three months, highlights Bulgaria's significant share: the country hosts about 53.5% of these servers, particularly at Friendhosting LTD.
Multiple threat groups are associated with this infrastructure, including the APT group Cloud Atlas and criminal organizations like ShinyHunters and Black Basta. The report emphasizes the importance of tracking hosting relationships rather than just individual IP addresses, because these stable hosting layers can persist despite changes in tactics and server usage.
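To illustrate why provider-level tracking outlasts IP-level tracking, the following added example (not from the Hunt.io report) groups C2 sightings by hosting provider and compares how long each IP stays active with how long the provider keeps hosting C2. The sightings, provider names, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample sightings: (first_seen, last_seen, ip, hosting provider).
# IPs come from documentation ranges; provider names are placeholders.
SIGHTINGS = [
    (date(2025, 1, 3), date(2025, 1, 9), "192.0.2.10", "PROVIDER-A"),
    (date(2025, 1, 12), date(2025, 1, 20), "192.0.2.44", "PROVIDER-A"),
    (date(2025, 2, 1), date(2025, 2, 6), "192.0.2.91", "PROVIDER-A"),
    (date(2025, 3, 2), date(2025, 3, 10), "192.0.2.130", "PROVIDER-A"),
    (date(2025, 1, 5), date(2025, 1, 8), "198.51.100.7", "PROVIDER-B"),
    (date(2025, 2, 14), date(2025, 2, 15), "203.0.113.5", "PROVIDER-C"),
]

def provider_profiles(sightings):
    """Summarise C2 activity per hosting provider instead of per IP."""
    by_provider = defaultdict(list)
    for first, last, ip, provider in sightings:
        by_provider[provider].append((first, last, ip))
    total_ips = len({ip for _, _, ip, _ in sightings})
    profiles = {}
    for provider, rows in by_provider.items():
        ips = {ip for _, _, ip in rows}
        lifetimes = [(last - first).days for first, last, _ in rows]
        # Span of the provider's C2 activity across all of its IPs.
        span = (max(l for _, l, _ in rows) - min(f for f, _, _ in rows)).days
        profiles[provider] = {
            "ips": len(ips),
            "share_pct": round(100 * len(ips) / total_ips, 1),
            "mean_ip_days": sum(lifetimes) / len(lifetimes),
            "provider_span_days": span,
        }
    return profiles

def persistent_providers(profiles, min_ips=3, min_ratio=5.0):
    """Flag providers whose C2 activity far outlives any single IP.

    min_ips and min_ratio are illustrative thresholds (assumptions).
    """
    flagged = []
    for provider, p in profiles.items():
        ratio = p["provider_span_days"] / max(p["mean_ip_days"], 1)
        if p["ips"] >= min_ips and ratio >= min_ratio:
            flagged.append(provider)
    return sorted(flagged)

if __name__ == "__main__":
    profiles = provider_profiles(SIGHTINGS)
    print(profiles, persistent_providers(profiles))
```

In this constructed data each PROVIDER-A address is live for about a week, while the provider itself hosts C2 across 66 days, so an IP blocklist goes stale long before the hosting relationship does.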