CyberHappenings


Sanctions imposed on Russian bulletproof hosting providers Media Land, ML.Cloud, and Aeza Group over ransomware support

2 unique sources, 2 articles

Summary


The U.S., U.K., and Australia have sanctioned the Russian bulletproof hosting (BPH) providers Media Land, ML.Cloud, and Aeza Group, along with their executives, for supporting ransomware gangs and cybercrime operations. Media Land's infrastructure has been used by groups such as LockBit, BlackSuit, and Play, as well as in DDoS attacks against U.S. companies and critical infrastructure. The sanctions target four executives, Aleksandr Volosovik, Kirill Zatolokin, Yulia Pankova, and Andrei Kozlov, freezing their assets and exposing anyone who transacts with them to secondary sanctions. The UK-registered Hypercore, a front for Aeza Group, was also sanctioned. The sanctions aim to disrupt the services that let cybercriminals operate with impunity, targeting both the providers and their financial backers. Five Eyes agencies released joint guidance to help mitigate cybercriminal activity that relies on BPH infrastructure, advising traffic analysis, filtering, and customer verification. The coordinated sanctions will seize property and businesses in the US, UK, and Australia, making it harder for the entities to transact with the West through legitimate banking channels.

Timeline

  1. 19.11.2025 18:43 (2 articles)

    Sanctions imposed on Russian bulletproof hosting provider Media Land

    The U.S., U.K., and Australia have sanctioned the Russian bulletproof hosting providers Media Land, ML.Cloud, and Aeza Group, along with their executives, for supporting ransomware gangs and cybercrime operations. The infrastructure has been used by groups such as LockBit, BlackSuit, and Play, as well as in DDoS attacks against U.S. companies and critical infrastructure. The sanctions freeze assets and expose transactions with the designated entities to secondary sanctions. Five Eyes agencies also released joint guidance to help mitigate cybercriminal activity that relies on BPH infrastructure. The UK-registered Hypercore, a front for Aeza Group, was also sanctioned. The coordinated sanctions will seize property and businesses in the US, UK, and Australia, making it harder for the entities to transact with the West through legitimate banking channels.


Similar Happenings

CISA Releases Guide to Mitigate Bulletproof Hosting Threats

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with U.S. and international partners, has released a guide titled 'Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers.' It gives internet service providers (ISPs) and network defenders an overview of bulletproof hosting (BPH) cybercriminal activity and key steps to safeguard their networks. The guide emphasizes the growing use of BPH infrastructure by cybercriminals to conduct ransomware attacks, data extortion, and denial of service (DoS) attacks, and it highlights how BPH providers lease or resell infrastructure to malicious actors, enabling them to obfuscate operations and avoid detection. To mitigate BPH risks it recommends traffic analysis, maintaining lists of malicious internet resources, and establishing filters. Key recommendations include curating a 'high confidence' list of malicious internet resources, conducting continuous traffic analysis, implementing automated reviews of blocklists, sharing threat intelligence, deploying filters at the network edge, and establishing feedback processes to reduce accidental blocking. CISA encourages ISPs and organizations to adopt these measures to reduce the effectiveness of BPH infrastructure and enhance network security.
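The following added example (not code from CISA or the guide) shows how the recommended pieces fit together: a curated high-confidence prefix list is applied as an edge filter over flow records, exceptions produced by a false-positive feedback process take precedence, and per-prefix hit counts feed the automated blocklist review. The prefixes, the allowlist entry and the flow lines are all constructed sample data using documentation address ranges, not real indicators.

```python
import ipaddress
from collections import Counter

# Constructed "high confidence" list of BPH-associated prefixes (documentation
# ranges, not real indicators from the guide).
BPH_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25"]
# Constructed exception from the feedback process: a host reported as a false positive.
FEEDBACK_ALLOW = ["198.51.100.10/32"]

# Constructed flow-log sample: "timestamp src_ip dst_ip dst_port bytes"
FLOWS = """\
2025-11-19T18:43:01Z 10.0.0.5 203.0.113.45 443 5120
2025-11-19T18:43:02Z 10.0.0.7 198.51.100.10 443 900
2025-11-19T18:43:03Z 10.0.0.9 198.51.100.77 22 300
2025-11-19T18:43:04Z 10.0.0.5 192.0.2.8 80 120
"""

def to_networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def classify(dst, blocklist, allowlist):
    """Feedback exceptions win over the blocklist; otherwise the first matching prefix blocks."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in allowlist):
        return "allow", None
    for net in blocklist:
        if addr in net:
            return "block", str(net)
    return "pass", None

def filter_flows(flow_text, block_cidrs=BPH_PREFIXES, allow_cidrs=FEEDBACK_ALLOW):
    """Apply the edge filter to each flow; returns (timestamp, src, dst, verdict, matched_prefix)."""
    blocklist, allowlist = to_networks(block_cidrs), to_networks(allow_cidrs)
    decisions = []
    for line in flow_text.splitlines():
        ts, src, dst, _port, _nbytes = line.split()
        verdict, hit = classify(dst, blocklist, allowlist)
        decisions.append((ts, src, dst, verdict, hit))
    return decisions

def blocklist_review(decisions, block_cidrs=BPH_PREFIXES):
    """Input for the automated review: how often each prefix fired; idle prefixes are
    candidates for re-validation so the list stays high confidence."""
    hits = Counter(hit for *_, hit in decisions if hit)
    return {c: hits.get(c, 0) for c in block_cidrs}

if __name__ == "__main__":
    results = filter_flows(FLOWS)
    for row in results:
        print(*row)
    print(blocklist_review(results))
```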

Russian Sandworm Group Targets Ukrainian Organizations with Data-Wiping Malware and LotL Tactics

Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations, including a business services firm, a local government entity, and the grain sector, using living-off-the-land (LotL) tactics and dual-use tools to maintain persistent access and exfiltrate sensitive data. The attacks, which began in June 2025, used minimal malware to reduce detection and relied on web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used PowerShell commands, scheduled tasks, and legitimate software to evade detection and perform reconnaissance, demonstrating deep knowledge of Windows native tools.

In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital part of the economy, was targeted to disrupt Ukraine's war economy. The wipers used included ZEROLOT and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign sent spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) group and has been observed conducting destructive campaigns in Ukraine, including deployment of the ZEROLOT and Sting wipers.

Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a zero-day WinRAR vulnerability (CVE-2025-8088) to deploy malicious DLLs and deliver a variety of backdoors, focusing on the financial, manufacturing, defense, and logistics sectors in the EU and Canada. The ESET report noted that other Russia-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in the intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla's backdoors, a rare instance of cooperation between Russia-aligned APT groups, and its toolset continued to evolve, incorporating new file stealers and tunneling services.

Stark Industries bulletproof hosting network rebrands to evade EU sanctions

Stark Industries Solutions Ltd., a bulletproof hosting provider linked to Kremlin cyberattacks and disinformation, rebranded to the[.]hosting under WorkTitans BV and transferred assets to PQ Hosting Plus S.R.L. to evade EU sanctions imposed in May 2025. The rebranding allowed the network to continue operating with minimal disruption. Stark Industries, established just before Russia's 2022 Ukraine invasion, became notorious for hosting DDoS attacks, Russian proxy services, malware, and fake news. The EU sanctions targeted PQ Hosting and its Moldovan owners, Yuri and Ivan Neculiti, but the network adapted by rebranding and transferring assets. The Dutch entity WorkTitans BV, associated with MIRhosting, is now managing the rebranded hosting services. MIRhosting, operated by Andrey Nesterenko, has historical ties to Russian cyber operations and has been identified as a key pillar of Stark's network.

U.S. sanctions cyber scam operations in Southeast Asia

The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The U.S. has established a new task force, the Scam Center Strike Force, to disrupt Chinese cryptocurrency scam networks. This task force, supported by the U.S. Attorney's Office, the Department of Justice, the FBI, and the Secret Service, has already seized over $401 million in cryptocurrency and filed forfeiture proceedings for an additional $80 million in stolen funds. The Treasury Department’s Office of Foreign Assets Control has imposed additional sanctions on the Democratic Karen Benevolent Army (DKBA) and related entities. The sanctions block these entities from the U.S. financial system, freeze their U.S.-based assets, and limit their access to international financial services. The move aims to disrupt the operations and impose legal and financial consequences on the perpetrators. The cybercriminal syndicates in Southeast Asia net nearly $40 billion annually in illicit profits. The U.S. actions are part of a broader effort to degrade the infrastructure supporting these scams and punish the system enabling their crimes.

Kazakhstan Energy Sector Phishing Test Mistaken for Noisy Bear Campaign

A phishing campaign targeting KazMunayGas employees was initially attributed to the Noisy Bear threat actor. The activity, codenamed Operation BarrelFire, involved phishing emails with malicious attachments designed to deliver a reverse shell. However, KazMunayGas clarified that the campaign was a planned phishing test conducted in May 2025. The campaign utilized a compromised email address from KazMunayGas's finance department to send phishing emails containing a ZIP attachment with a Windows shortcut (LNK) downloader, a decoy document, and a README.txt file. The payloads included a batch script and a PowerShell loader named DOWNSHELL, culminating in the deployment of a DLL-based implant. The infrastructure was hosted on the Russia-based bulletproof hosting service Aeza Group, which was sanctioned by the U.S. in July 2025. The campaign was initially linked to a new threat group tracked by Seqrite Labs as Noisy Bear, active since at least April 2025. Seqrite Labs disputed KazMunayGas's claim that the attack was a security exercise, citing forensic clues and infrastructure overlaps with other Central Asian attacks. The threat activity has geopolitical implications, targeting a state-owned oil and gas company in Kazakhstan, which is a significant player in Europe's energy market.