
Attacker Friendly Hosting Firm Leveraged by Pawn Storm Hackers

A Small VPS Provider Registered in the United Arab Emirates Has Been Providing Services to Pawn Storm Attackers and Other Cybercriminal Operations

The servers of a small web hosting provider have been used in a series of targeted attacks by advanced persistent threat (APT) groups since early 2015, Trend Micro researchers have discovered.

The small Virtual Private Server (VPS) hosting company is formally registered in Dubai, United Arab Emirates (UAE), but it has servers in the Netherlands and Romania. Over the past 12 months, the company’s servers were used in more than 100 “serious” cyber-attacks, says Feike Hacquebord, Senior Threat Researcher at Trend Micro.

According to the security firm, the Pawn Storm group has abused the small hosting provider’s servers for at least 80 high-profile attacks against the governments of countries including Bulgaria, Greece, Malaysia, Montenegro, Poland, Qatar, Romania, Saudi Arabia, Turkey, Ukraine, the United States, and the UAE. The Pawn Storm group was also observed using the VPS hosting provider for C&C servers, exploit sites, spear-phishing campaigns, domestic espionage in Russia, and free webmail phishing sites targeting high-profile users.

Bullet Proof Hosting Provider

What’s more, the VPS provider is also used by threat actors like DustySky (also known as the Gaza hackers, targeting Israel, other Middle Eastern countries, and companies that do business in Israel and Egypt) to host their command-and-control (C&C) servers and to send spear-phishing e-mails. The provider has been engaged in other cybercrime as well, including hosting a C&C server of the infamous Carbanak banking malware in 2014.

Furthermore, last year the provider “invited” spammers to its services by publicly stating on a shady web forum that “sending campaigns of email marketing” is allowed. What’s more, researchers say that it also had the notorious bulletproof hosting provider Maxided as a customer and that, for the past several months, Border Gateway Protocol (BGP) routing tricks were employed to hide that Maxided was routing IP addresses via its servers.

Other malicious activities associated with the provider include announcing small IP ranges (CIDRs) assigned to Russia or Chile for short periods of time, with researchers observing bursts of e-crime such as phishing sites and C&C servers hosted during these intervals. This happened more than once, and the IP ranges were removed from the routing table as soon as complaints started appearing or when the attack campaigns were finished.
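As an added example (not code from the article or from Trend Micro's research), the following Python flags the pattern just described from a defender's side: prefixes that were announced only briefly and whose RIR-registered country differs from the announcing network's own country. The BGP update records, the AS number and the whois lookup tables are all constructed stand-ins.

```python
# Added example: detect short-lived announcements of prefixes registered to a
# different country than the origin AS, the pattern described in the article.
# All records, AS numbers and lookup tables below are constructed (hypothetical).
from datetime import datetime, timedelta

# Constructed BGP update records: (timestamp, "A"=announce / "W"=withdraw, prefix, origin AS)
UPDATES = [
    ("2015-03-01T08:00:00", "A", "203.0.113.0/24", 64500),
    ("2015-03-01T08:00:00", "A", "198.51.100.0/24", 64500),
    ("2015-03-04T17:30:00", "W", "203.0.113.0/24", 64500),
    ("2015-06-10T09:00:00", "A", "192.0.2.0/24", 64500),
    ("2015-06-11T12:00:00", "W", "192.0.2.0/24", 64500),
]

# Constructed stand-ins for RIR whois data (prefix country, AS country).
PREFIX_COUNTRY = {"203.0.113.0/24": "RU", "198.51.100.0/24": "NL", "192.0.2.0/24": "CL"}
AS_COUNTRY = {64500: "NL"}

def announcement_windows(updates):
    """Pair each announcement with its withdrawal; prefixes still announced get end=None."""
    windows = {}
    open_at = {}
    # Sorting tuples orders by timestamp, then "A" before "W" for equal timestamps.
    for ts, kind, prefix, asn in sorted(updates):
        t = datetime.fromisoformat(ts)
        key = (prefix, asn)
        if kind == "A":
            open_at.setdefault(key, t)
        elif kind == "W" and key in open_at:
            windows.setdefault(key, []).append((open_at.pop(key), t))
    for key, t in open_at.items():
        windows.setdefault(key, []).append((t, None))
    return windows

def suspicious_announcements(updates, max_days=7):
    """Return (prefix, asn, hours_announced) for announcements that were withdrawn
    within max_days and whose prefix country differs from the origin AS country."""
    hits = []
    for (prefix, asn), spans in announcement_windows(updates).items():
        for start, end in spans:
            if end is None:
                continue  # still in the routing table: not a short-lived burst
            duration = end - start
            mismatch = PREFIX_COUNTRY.get(prefix) != AS_COUNTRY.get(asn)
            if duration <= timedelta(days=max_days) and mismatch:
                hits.append((prefix, asn, round(duration.total_seconds() / 3600, 1)))
    return hits
```

Flagged prefixes are candidates for correlating with phishing or C&C reports observed during the same window, not verdicts on their own.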

What’s also interesting about the web hosting provider is that it serves a mix of customers, including a number of legitimate ones. This year the cybercrime spam problem has diminished, but the company’s servers are still associated with a high number of APT attacks.

The identity of the owner of the VPS company is still unclear, although a name appears in the public RIPE whois database. The LinkedIn page of the company’s director has only two connections and shows no work history. However, researchers tracked other people working for the company to the Philippines, Egypt, and Palestine, which suggests that the VPS provider might be using a virtual team of employees who work remotely.

One of the main reasons the small VPS provider in Amsterdam appears to be preferred by cybercriminals and APT actors is the good Internet connectivity in the Netherlands. Moreover, researchers suggest that the Dutch web hosting industry might be vulnerable to offshore constructions that offer enhanced anonymity to cybercrime and cyber espionage.
