Ukrainian Networks Linked to Large-Scale Brute-Force Attacks on VPN and RDP Systems

Husain Parvez
Former Writer
Published on: September 10, 2025

A wave of brute-force and password spraying attacks targeting SSL VPN and Remote Desktop Protocol systems has been traced to Ukraine-based networks, according to new research.

The activity was observed between June and July 2025 and involved hundreds of thousands of coordinated login attempts, often peaking during three-day periods. The Hacker News reported that the attacks originated from the autonomous system FDN3 (AS211736), with links to VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950).

Intrinsec researchers noted that “all those strong similarities, including their configuration, the content they host, and their creation date, led us to assess with a high level of confidence the previously mentioned autonomous systems to be operated by a common bulletproof hosting administrator.” The infrastructure is tied to Seychelles-based IP Volume Inc. (AS202425), a company previously associated with bulletproof hosting providers such as Ecatel.

Attack logs revealed that individual IP addresses generated up to 113,000 attempts each, often using password spraying rather than traditional brute-force methods to avoid account lockouts. Targets included remote access systems from Fortinet, Palo Alto, and Cisco, with the aim of establishing privileged access points inside enterprise networks.

The Hacker News highlighted that the campaign was “coordinated” and sustained, with synchronized activation patterns across multiple IP addresses. This level of organization, combined with ties to Russian firm Alex Host LLC, suggests the networks are part of a larger ecosystem of resilient, anonymized hosting infrastructure.
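The two traits the article describes, spraying (one or two passwords tried against many accounts so no single account crosses its lockout threshold) and synchronized activity across several source IPs, are both visible in authentication logs if you profile failures per source rather than per account. The following is an added example, not code from the article, Intrinsec, or The Hacker News. The log format is a constructed, generic syslog-like layout rather than any vendor's real format, the sample lines and IP addresses (documentation ranges) are constructed, and the thresholds (`LOCKOUT_THRESHOLD`, `SPRAY_MIN_USERS`, `BRUTE_MIN_FAILURES`, `COORD_WINDOW_SECONDS`) are assumed policy values to be tuned to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (generic format, not a real vendor format).
SAMPLE_LOG = "\n".join(
    # two sources each trying one password against five accounts, seconds apart
    [f"2025-06-14T02:00:{2*i+1:02d}Z vpn-login user={u} src=198.51.100.10 result=failed"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [f"2025-06-14T02:00:{2*i+2:02d}Z vpn-login user={u} src=198.51.100.11 result=failed"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    # one source hammering a single account
    + [f"2025-06-14T02:01:{i:02d}Z vpn-login user=admin src=203.0.113.7 result=failed"
       for i in range(12)]
    # ordinary noise: a single mistyped password and a successful login
    + ["2025-06-14T02:03:00Z vpn-login user=frank src=192.0.2.56 result=failed",
       "2025-06-14T02:05:00Z vpn-login user=alice src=192.0.2.55 result=success"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed detection policy (not from the article); tune to your lockout settings.
LOCKOUT_THRESHOLD = 5      # failures per account before the VPN locks it
SPRAY_MIN_USERS = 4        # distinct accounts one source must touch to count as spraying
BRUTE_MIN_FAILURES = 10    # failures against a single account from one source
COORD_WINDOW_SECONDS = 60  # sources that start within this window are compared


def parse(log_text):
    """Return (timestamp, user, src, result) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"], m["result"]))
    return events


def profile_sources(events):
    """Per source IP: failure count per targeted user and first/last failure time."""
    prof = {}
    for ts, user, src, result in events:
        if result != "failed":
            continue
        if src not in prof:
            prof[src] = {"per_user": defaultdict(int), "first": ts, "last": ts}
        p = prof[src]
        p["per_user"][user] += 1
        p["first"] = min(p["first"], ts)
        p["last"] = max(p["last"], ts)
    return prof


def classify(profile):
    """Spraying is wide and shallow (many users, each below lockout); brute force is deep."""
    per_user = profile["per_user"]
    peak = max(per_user.values())
    if peak >= BRUTE_MIN_FAILURES:
        return "brute-force"
    if len(per_user) >= SPRAY_MIN_USERS and peak < LOCKOUT_THRESHOLD:
        return "password-spray"
    return "benign"


def find_coordinated_sprayers(prof, verdicts):
    """Pairs of spraying sources that started close together and share a target list."""
    sprayers = [s for s, v in verdicts.items() if v == "password-spray"]
    pairs = []
    for i, a in enumerate(sprayers):
        for b in sprayers[i + 1:]:
            pa, pb = prof[a], prof[b]
            close_in_time = abs((pa["first"] - pb["first"]).total_seconds()) <= COORD_WINDOW_SECONDS
            ua, ub = set(pa["per_user"]), set(pb["per_user"])
            overlap = len(ua & ub) / len(ua | ub)  # Jaccard similarity of target sets
            if close_in_time and overlap >= 0.5:
                pairs.append((a, b, round(overlap, 2)))
    return pairs


def analyze(log_text):
    """Return (verdict per source IP, list of coordinated spraying pairs)."""
    prof = profile_sources(parse(log_text))
    verdicts = {src: classify(p) for src, p in prof.items()}
    return verdicts, find_coordinated_sprayers(prof, verdicts)


if __name__ == "__main__":
    verdicts, pairs = analyze(SAMPLE_LOG)
    for src, verdict in verdicts.items():
        print(f"{src:16} {verdict}")
    print("coordinated spraying pairs:", pairs)
```

The per-account view most lockout policies rely on sees nothing unusual from the spraying sources (one failure per user), which is exactly why the article's attackers prefer that pattern; the per-source view flags them, and comparing start times and target lists across sources surfaces the synchronized activation the report describes.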

The attacks were further connected to Amadey malware panels hosted within the same autonomous systems, with active command-and-control servers such as 185.156.72.96 and 185.156.72.97 managing compromised endpoints. Several C2 servers remain online, indicating that successful post-exploitation activity is ongoing.

The findings follow a separate Censys report describing related infrastructure linked to PolarEdge botnet operations, underscoring the growing use of bulletproof networks to sustain credential attacks against critical enterprise systems.

About the Author

Husain Parvez is a former tech writer at Safety Detectives with a focus on cybersecurity, privacy, and all things digital. He has a knack for breaking down complex topics into clear, engaging content, driven by a genuine curiosity about how things work under the hood. When he’s not writing, you’ll find him gaming, watching tech repair videos, or geeking out over the latest AI tools.