Ukrainian network FDN3 organized large-scale brute-force attacks on SSL VPN and RDP

02.09.2025 2 minutes Author: Newsman

Cybersecurity researchers have recorded large-scale brute-force and password-spraying attacks originating from the Ukrainian autonomous system FDN3 (AS211736). Between June and July 2025 this infrastructure actively targeted SSL VPN and RDP endpoints, using techniques commonly seen from ransomware-as-a-service affiliates seeking initial access.


According to the French company Intrinsec, FDN3 is part of a larger cluster of malicious infrastructure that includes the Ukrainian systems VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), as well as the Seychelles-registered provider TK-NET (AS210848). All of these autonomous systems were created in 2021 and have repeatedly moved IPv4 prefixes among themselves to evade blocklisting.

In June, FDN3 began announcing new prefixes, some of which had previously belonged to the Russian network SibirInvest OOO (AS44446) or to the US-based bulletproof hoster Virtualine. The range 88.210.63[.]0/24 in particular was tied to the heaviest waves of brute-force attacks, which peaked on July 6-8, 2025.

The attackers' goal is to harvest valid credentials for corporate services, creating entry points for follow-on intrusion and the deployment of ransomware such as Black Basta, GLOBAL GROUP, or RansomHub.

Such infrastructure is often based on bulletproof hosting that masquerades as legitimate companies. Intrinsec found that FDN3 has ties to Alex Host LLC, which has already been implicated in cases of supporting malicious services. Seychelles and other offshore providers provide anonymity to the owners of such networks, making it difficult to directly hold them accountable.

The study also showed significant operational similarities between FDN3 and other autonomous systems used for spam, botnets, and command and control servers. All this indicates the existence of a centralized administrator who controls an entire ecosystem of malicious networks.

FDN3 and the networks associated with it confirm once again that bulletproof hosting infrastructure remains a critical problem for cybersecurity. Large-scale brute-force attacks on VPN and RDP are only one link in a larger chain that includes spam, malware distribution, and financial fraud. To counter such threats, companies should implement layered protection: multi-factor authentication on every externally reachable VPN and RDP login, rate limiting and lockout policies that also catch low-and-slow spraying across many accounts, blocking of known-bad prefixes such as those named above, and monitoring that detects suspicious authentication patterns rather than just individual failures.
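The following is an added example, not code from the original article or from Intrinsec, showing the kind of detection logic the recommendation above implies: it distinguishes password spraying (one source, many accounts, few attempts each) from classic brute force (one source, one account, many attempts) and flags any traffic from a watchlisted prefix. The log format, the threshold values, and the sample log lines are all constructed for illustration; only the 88.210.63.0/24 prefix comes from the article, and the other addresses are from RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watchlist: the /24 named in the article. In practice this
# list would be fed from your own threat-intel sources.
WATCHLIST = [ipaddress.ip_network("88.210.63.0/24")]

# Constructed sample log (not real data). Fields: timestamp src_ip user result service
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-07-06T10:00:01 88.210.63.17 alice FAIL sslvpn
2025-07-06T10:00:03 88.210.63.17 bob FAIL sslvpn
2025-07-06T10:00:05 88.210.63.17 carol FAIL sslvpn
2025-07-06T10:00:07 88.210.63.17 dave FAIL sslvpn
2025-07-06T10:00:09 88.210.63.17 erin FAIL sslvpn
2025-07-06T10:00:11 88.210.63.17 frank FAIL sslvpn
2025-07-06T10:05:00 203.0.113.9 admin FAIL rdp
2025-07-06T10:05:10 203.0.113.9 admin FAIL rdp
2025-07-06T10:05:20 203.0.113.9 admin FAIL rdp
2025-07-06T10:05:30 203.0.113.9 admin FAIL rdp
2025-07-06T10:05:40 203.0.113.9 admin FAIL rdp
2025-07-06T10:05:50 203.0.113.9 admin FAIL rdp
2025-07-06T10:06:00 203.0.113.9 admin FAIL rdp
2025-07-06T10:06:10 203.0.113.9 admin FAIL rdp
2025-07-06T10:30:00 198.51.100.4 alice FAIL sslvpn
2025-07-06T10:30:20 198.51.100.4 alice OK sslvpn
"""


def parse_log(text):
    """Parse the hypothetical space-separated format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing on them
        ts, src, user, result, service = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "user": user,
            "ok": result == "OK",
            "service": service,
        })
    return sorted(events, key=lambda e: e["ts"])


def on_watchlist(ip):
    """True if the address falls inside any watchlisted prefix."""
    return any(ip in net for net in WATCHLIST)


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_attempts=8):
    """Return a list of alerts. Thresholds are illustrative; tune them per environment.

    spray:     one source fails against >= spray_users distinct accounts inside window
    brute:     one source fails >= brute_attempts times against one account inside window
    watchlist: any authentication attempt, successful or not, from a watchlisted prefix
    """
    alerts = []
    fails_by_src = defaultdict(list)  # src -> recent failure events, oldest first
    flagged = set()                   # suppress duplicate alerts for the same key
    for e in events:
        src = e["src"]
        if on_watchlist(src) and ("watchlist", src) not in flagged:
            flagged.add(("watchlist", src))
            alerts.append({"type": "watchlist", "src": str(src), "service": e["service"]})
        if e["ok"]:
            continue  # only failures feed the spraying / brute-force counters
        recent = fails_by_src[src]
        recent.append(e)
        cutoff = e["ts"] - window
        while recent and recent[0]["ts"] < cutoff:
            recent.pop(0)  # slide the window forward
        users = {f["user"] for f in recent}
        if len(users) >= spray_users and ("spray", src) not in flagged:
            flagged.add(("spray", src))
            alerts.append({"type": "spray", "src": str(src), "users": len(users)})
        per_user = sum(1 for f in recent if f["user"] == e["user"])
        if per_user >= brute_attempts and ("brute", src, e["user"]) not in flagged:
            flagged.add(("brute", src, e["user"]))
            alerts.append({"type": "brute", "src": str(src),
                           "user": e["user"], "attempts": per_user})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log this yields three alerts: a watchlist hit for 88.210.63.17 on its first attempt, a spray alert once that source has failed against five distinct accounts, and a brute-force alert for 203.0.113.9 on its eighth failure against `admin`. The single failure followed by a success from 198.51.100.4 produces nothing, which is the point of counting distinct accounts per source instead of raw failures: per-account lockout alone would never fire on the spraying source, because it touches each account only once.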
