Discovering kyuhn.host Bulletproof Hosting Behind a C2 Server

Our security team continuously analyzes IP addresses flagged as potential Command and Control infrastructure. Command and Control servers, commonly called C2 servers, are systems used by attackers to remotely operate malware-infected computers, steal information, or launch ransomware.

During one of these scheduled reviews, our team found a newly flagged IP address and decided to investigate it further. This analysis led us to uncover a malicious hosting network operated by a provider called kyuhn.host. This provider is what is known as a bulletproof hosting service.

The outcome of this investigation helped prevent potential attacks targeting government employees, financial users, and unsuspecting individuals, while also improving global threat intelligence.

What Triggered the Investigation

During a routine C2 validation, we noticed a new IP address that appeared only one day earlier on Hunt.io listings:

IP address: 66.78.40.166

Rather than assuming the listing was correct, we performed a full investigation to confirm whether it was truly malicious or a false positive. This included verifying ownership details, network origin, hosted domains, and the service provider behind the infrastructure.

What Is a Command and Control Server

A Command and Control server is a system controlled by attackers to manage devices that are infected with malware. These servers are critical in cyberattacks because they allow hackers to:

  • Send commands to infected systems
  • Steal credentials and data
  • Deploy additional malware or ransomware
  • Control large botnets

If a C2 server is detected early, before it is actively used, an attack can be stopped before it even begins.

Investigation Process

Ownership and Network History (WHOIS)

We used WHOIS tools to analyze the history and ownership of IP address 66.78.40.166. Here’s what we found:

  • Previously allocated to a legitimate US hosting company, Colocation America
  • Currently announced by an ASN registered to Aokigahara SRL, an organisation created in 2024
  • The IP was leased through IPXO, an IP address leasing marketplace

Frequent changes of holder and announcing ASN are a warning sign rather than proof: leasing marketplaces serve legitimate customers too, but attackers favour short-term leases because a freshly leased address carries no prior reputation and is not yet on blocklists.

What Is an ASN

An ASN (Autonomous System Number) is a unique number assigned to a network operator (an Autonomous System) that announces one or more blocks of IP addresses to the rest of the internet through BGP routing.

Established operators usually keep the same ASN for years. Malicious actors, by contrast, register new ASNs under freshly created companies, or rent them, so that the announcing network has no history to be judged on and can be abandoned once it attracts attention.
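As an added example (not code from the post or from BlueGrid.io), the following Python script automates the two checks made above: how old the announcing ASN is, and how many different holders an IP has had recently. It parses an RDAP "autnum" object in the JSON shape defined by RFC 9083, which is what the RIRs' RDAP servers (or the https://rdap.org/autnum/<ASN> redirector) return. The sample object and the ownership timeline are constructed to match the post's findings: the post gives neither the AS number nor exact dates, so a private-use placeholder AS number and assumed dates are used.

```python
import json
from datetime import date, datetime, timedelta

# Constructed RDAP "autnum" object in the shape RFC 9083 defines.
# The AS number is a private-use placeholder (RFC 6996) because the post does
# not give the real one; the registration date is an assumed 2024 value.
SAMPLE_AUTNUM_RDAP = json.dumps({
    "objectClassName": "autnum",
    "startAutnum": 64512,
    "endAutnum": 64512,
    "name": "AOKIGAHARA",
    "events": [
        {"eventAction": "registration", "eventDate": "2024-06-01T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2025-01-15T00:00:00Z"},
    ],
    "entities": [{
        "objectClassName": "entity",
        "roles": ["registrant"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Aokigahara SRL"]]],
    }],
})

# Constructed ownership timeline for the IP, following the three stages the
# post reports (original hoster, lease via IPXO, new announcing ASN).
# The dates are assumed; a WHOIS-history service would supply real ones.
SAMPLE_IP_HISTORY = [
    ("2019-03-01", "Colocation America"),
    ("2025-02-01", "IPXO lease"),
    ("2025-03-10", "Aokigahara SRL"),
]


def _event_date(rdap_obj, action):
    """Return the date of the first RDAP event with the given eventAction, or None."""
    for ev in rdap_obj.get("events", []):
        if ev.get("eventAction") == action:
            stamp = ev["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp).date()
    return None


def registrant_name(rdap_obj):
    """Pull the 'fn' (formatted name) of the registrant entity from its jCard."""
    for ent in rdap_obj.get("entities", []):
        if "registrant" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None


def asn_age_days(rdap_json, today):
    """Days since the ASN was registered, as seen on the ISO date `today`."""
    obj = json.loads(rdap_json)
    reg = _event_date(obj, "registration")
    return None if reg is None else (date.fromisoformat(today) - reg).days


def ownership_churn(history, today, window_days=365):
    """Number of distinct holders seen for the IP in the window ending on `today`."""
    end = date.fromisoformat(today)
    start = end - timedelta(days=window_days)
    return len({org for d, org in history if start <= date.fromisoformat(d) <= end})


def triage_origin(rdap_json, history, today, young_asn_days=365, churn_limit=1):
    """Combine both checks into a list of readable flags (empty = nothing unusual).
    The thresholds are assumptions chosen for this example."""
    obj = json.loads(rdap_json)
    flags = []
    age = asn_age_days(rdap_json, today)
    if age is not None and age < young_asn_days:
        flags.append(f"AS{obj['startAutnum']} ({registrant_name(obj)}) "
                     f"registered only {age} days ago")
    churn = ownership_churn(history, today)
    if churn > churn_limit:
        flags.append(f"{churn} different holders for this IP in the last 365 days")
    return flags


if __name__ == "__main__":
    for flag in triage_origin(SAMPLE_AUTNUM_RDAP, SAMPLE_IP_HISTORY, "2025-03-15"):
        print("FLAG:", flag)
```

In a live pipeline the constructed JSON is replaced by the body of an RDAP query for the announcing ASN and the timeline by the output of a WHOIS-history service; the one-year and one-holder thresholds are assumptions. Treat the flags as triage input that justifies the manual verification described above, not as a verdict.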

Domain Intelligence (NetworksDB Findings)

Next, we examined what domains were hosted on this IP and across the ASN.
We discovered several concerning patterns:

1. Suspicious top-level domain extensions
Domains under .cfd, .icu, .fun, .lol, and .sbs turn up disproportionately in scam and phishing campaigns: registrations are cheap, and these registries attract far less scrutiny than established TLDs.

2. Fake cryptocurrency domains
Domains that resemble well-known companies such as Coinbase or Gemini but differ by a misspelling, an extra character, or an added word. This is typosquatting, and its usual purpose is credential theft.

3. Phishing-style subdomains
We found names with subdomains such as login.<domain>, auth.<domain>, and whitelist.<domain>. These mimic a real site's login or authentication portal so that the address looks legitimate to the victim.

4. Government impersonation
Domains such as cityofwilmington.org and police.cityofwilmington.org appeared on the same infrastructure. The .gov TLD is restricted to verified U.S. government bodies, and a city's official site is normally found there (or under .us); a lookalike under .org, hosted on leased infrastructure alongside phishing domains, points to preparation of phishing attacks against government employees in Wilmington, Delaware. Some small municipalities do still use .org, so it is the hosting context, not the TLD alone, that makes these names suspicious.
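The four patterns above can be turned into a first-pass triage of the domain list returned by a hosting or passive-DNS lookup. The following Python script is an added example, not code from the post or from BlueGrid.io: it encodes the TLDs, brands and subdomain labels the post names, adds an assumed set of "government-style" name fragments, and uses edit distance to catch one- or two-character typosquats. Only the two cityofwilmington.org names in the sample list come from the post; the other entries are made-up lookalikes of the described patterns plus two benign controls.

```python
import re

# Signals named in the post.
SUSPICIOUS_TLDS = {"cfd", "icu", "fun", "lol", "sbs"}
BRANDS = {"coinbase", "gemini"}
AUTH_LABELS = {"login", "auth", "whitelist"}
# Assumed heuristics (not from the post): fragments that read as a local-government
# name, and the TLDs where such a site would legitimately live.
GOV_HINTS = ("cityof", "countyof", "police")
GOV_TLDS = {"gov", "mil", "us"}
MAX_TYPO_DISTANCE = 2


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic DP, two rows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(fqdn):
    """Naive split into (subdomain labels, second-level label, tld).
    Assumes single-label TLDs; production code should use the Public Suffix List
    (e.g. tldextract) so that names like example.co.uk are split correctly."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(re.fullmatch(r"[a-z0-9-]+", l) for l in labels):
        raise ValueError(f"not a usable domain name: {fqdn!r}")
    return labels[:-2], labels[-2], labels[-1]


def triage_domain(fqdn):
    """Return a list of (kind, detail) flags for one hostname; empty means no signal."""
    subs, sld, tld = split_domain(fqdn)
    flags = []
    if tld in SUSPICIOUS_TLDS:
        flags.append(("tld", f".{tld} is cheap and abuse-prone"))
    core = sld.replace("-", "")          # 'coinbase-wallet' -> 'coinbasewallet'
    for brand in sorted(BRANDS):
        if core == brand:
            continue                     # the brand's own name; ownership is checked elsewhere
        if brand in core:
            flags.append(("brand", f"'{brand}' embedded in '{sld}'"))
        else:
            d = edit_distance(core, brand)
            if d <= MAX_TYPO_DISTANCE:
                flags.append(("typosquat", f"'{sld}' is {d} edit(s) from '{brand}'"))
    if subs and subs[0] in AUTH_LABELS:
        flags.append(("auth-subdomain", f"leftmost label '{subs[0]}' mimics a login portal"))
    gov_like = any(h in sld for h in GOV_HINTS) or any(h in s for s in subs for h in GOV_HINTS)
    if gov_like and tld not in GOV_TLDS:
        flags.append(("gov-impersonation", f"government-style name under .{tld}"))
    return flags


# Constructed sample of names "hosted" on the infrastructure. Only the two
# cityofwilmington.org entries come from the post; the rest are made up.
SAMPLE_HOSTED = [
    "coinbase-wallet.cfd",
    "gemlni.icu",
    "login.example.sbs",
    "whitelist.example.fun",
    "police.cityofwilmington.org",
    "cityofwilmington.org",
    "cityofexample.gov",   # benign control: government-style name on .gov
    "example.com",         # benign control
]


def triage_hosted(domains):
    """Return {domain: [(kind, detail), ...]} for every name that raised a flag."""
    report = {}
    for d in domains:
        flags = triage_domain(d)
        if flags:
            report[d] = flags
    return report


if __name__ == "__main__":
    for domain, flags in triage_hosted(SAMPLE_HOSTED).items():
        print(domain)
        for kind, detail in flags:
            print(f"  [{kind}] {detail}")
```

Two caveats a practitioner would add: a distance of 2 is generous for six-letter brands like "gemini" (unrelated real names can sit that close), so short brands need a tighter threshold or an allowlist; and every flag here is a triage hint for the manual verification described in this post, not a block decision on its own.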

Identification of Hosting Provider

Using additional tools such as IPinfo, we found that the ASN announcing this IP is associated with a provider called kyuhn.host.

When researching kyuhn.host, we confirmed the following:

  • It publicly offers hosting with no verification requirements
  • It accepts cryptocurrency payments only
  • It ignores abuse reports
  • It is advertised as bulletproof hosting

What Is Bulletproof Hosting

Bulletproof hosting providers allow cybercriminals to rent servers to host malicious content such as phishing sites, malware, C2 servers, or scams.

They ignore or stall abuse complaints and requests from legal authorities, move infrastructure frequently, and offer anonymity to attackers.

What We Learned

Through this investigation, we confirmed several important findings:

  • Not all IPs labeled as C2 are accurate – manual verification is essential.
  • Attackers use IP leasing platforms such as IPXO to temporarily gain control of clean IP addresses with no prior malicious history.
  • Registering a new ASN under a freshly created entity such as Aokigahara SRL (2024) gives attackers address space with no reputation history, so reputation-based blocking has nothing to match on yet.
  • The presence of .org government impersonation domains indicates that attackers intended to target real officials in Wilmington, Delaware.
  • Bulletproof hosting providers are routinely used for malicious purposes.

Actions Taken and Final Result

Once malicious activity was confirmed, we took the following actions:

  • Reported government impersonation domains to officials in the City of Wilmington.
  • Our threat intelligence partner Hunt.io in the United States coordinated further communication with law enforcement.
  • All domains and IP addresses discovered were added to threat intelligence platforms to help other cybersecurity teams detect and block them.
  • Protection was applied to client environments through updated firewall rules, DNS blocks, and SOC monitoring.
  • This infrastructure was exposed before phishing campaigns or cyberattacks could fully begin.

Final Outcome

The investigation stopped a potential phishing and malware campaign targeting government employees and cryptocurrency users. It also revealed an active bulletproof hosting provider that can now be monitored globally.

The most important conclusion is that proactive security works. While most providers wait until an attack happens, we detect and stop the infrastructure before it’s used to cause harm.

Conclusion

This case illustrates that cyberattacks begin with preparation. Attackers first register domains, acquire hosting, set up IP addresses, and only then begin sending phishing emails or deploying malware. If this phase is detected early, an attack can be prevented entirely.

Our team detected and reported malicious infrastructure before it caused damage. The result was improved protection for government institutions, businesses, and online users.

Being proactive is not an advantage – it’s a requirement.

Mile Stojaković

Navigating the intersections of cutting-edge technology domains at BlueGrid.io. In charge of operations in the BlueGrid.io organisation with focus on cybersecurity compliance.

Running marathons and trail races. Enjoying good coffee and trusting no one to make one but myself!