Executive Summary

German hosting provider aurologic GmbH has emerged as a central nexus within the global malicious infrastructure ecosystem. It provides upstream transit and data center services to a large concentration of high-risk hosting networks, which have consistently ranked among the top sources of validated malicious infrastructure seen within Recorded Future’s Network Intelligence. This nexus includes several hosting providers Insikt Group assesses with a high degree of confidence as threat activity enablers (TAEs), such as Virtualine Technologies, Femo IT Solutions Ltd, Global-Data System IT Corporation (SWISSNETWORK02), Railnet, and the recently sanctioned Aeza Group.

Formed in 2023 following the transition of Combahton GmbH’s fastpipe[.]io network, aurologic operates from its primary facility at Tornado Datacenter GmbH & Co. KG in Langen, Germany. The company markets itself as a high-capacity European carrier, providing dedicated and cloud server hosting as well as data center colocation, IP transit services, and distributed denial-of-service (DDoS) protection to commercial and enterprise customers. Despite its core focus on legitimate network and data center operations, aurologic has emerged as a hub for some of the most abusive and high-risk networks operating within the global hosting ecosystem.

Although it is not possible to confirm why so many of aurologic’s known downstream customers form such a large concentration of high-risk hosting networks, the fact that the company serves as a common link between multiple suspected TAEs is significant. There are likely multiple contributing factors, including aurologic’s self-proclaimed neutrality, its continued provision of upstream connectivity to sanctioned entities such as Aeza, and the perception of limited enforcement risk within the European regulatory environment. Collectively, these factors may have made aurologic an attractive option for high-risk providers seeking operational stability and resilience.

Insikt Group assesses that aurologic's case exemplifies the broader structural challenges surrounding accountability within the hosting ecosystem. Upstream providers occupy a pivotal position within the internet’s infrastructure hierarchy and are uniquely positioned to disrupt persistent abuse. Yet many continue to defer responsibility for downstream activity, intervening only when legally compelled. While neutrality remains a foundational principle of internet governance, in practice, it has become a rationale for inaction, enabling networks repeatedly associated with cybercrime, disinformation, and other forms of abuse to persist. Meaningful progress against such activity can be made by upstream providers acting not solely out of legal obligation, but from an operational and ethical responsibility to prevent the misuse of the infrastructure.

Key Findings

• aurologic has become a central nexus within the global high-risk hosting ecosystem, repeatedly appearing as a common upstream provider.
• aurologic’s continued service to sanctioned and abuse-heavy networks demonstrates a practice of legal compliance over risk avoidance.
• aurologic’s reactive-based abuse handling exemplifies the systematic gap between legal neutrality and operational responsibility within the global hosting ecosystem.

Background

aurologic GmbH emerged in October 2023 as a German hosting provider built on the infrastructure and autonomous system number (ASN) AS30823, which was previously operated by combahton GmbH under the fastpipe[.]io brand. In November 2023, combahton GmbH formally announced its full transition into aurologic GmbH, cementing the rebrand and continuity of operations. aurologic markets a multi-terabit backbone across Europe, with its primary facility located at Tornado Datacenter GmbH & Co. KG. Both companies are headed by Joseph Maximilian Hofmann, who has served as CEO of aurologic since September 2015 and of Tornado Datacenter since April 2022.

Since its inception in 2023, aurologic has been repeatedly cited in intelligence reporting and forums for its role in the broader hosting ecosystem supporting questionable or illicit activity. For example, Qurium’s report on the Doppelgänger disinformation network identified aurologic as one of the German upstream providers enabling Russia-linked infrastructure, maintaining long-standing relationships with hosting providers such as WAIcore Hosting Ltd (AS210281), Daniil Yevchenko (under the brand Altawk; AS203727), and EVILEMPIRE, aka Tnsecurity Ltd (AS216309). Community discussions have further scrutinized aurologic’s ongoing connectivity with Aeza International Ltd, an entity under US sanctions and, more recently, UK sanctions, despite Hofmann’s defense on public forums that Aeza Group LLC was not its “contractual customer.” Hoffman further defended the relationship by emphasizing low abuse volumes, proactive investigations, and compliance with German law. Nevertheless, routing evidence as of writing confirmed that aurologic remained a primary upstream to Aeza International Ltd (AS210644), reinforcing concerns around its continued upstream role.

Beyond Aeza, aurologic has also appeared as a transit provider for some of the largest concentrations of suspected threat activity enablers tracked by Insikt Group, including metaspinner net GmbH, Femo IT Solutions Limited, Railnet LLC, Global-Data System IT Corporation, and more. These relationships position the company at the center of ongoing industry debates about infrastructure abuse and due diligence.

Threat Analysis

Infrastructure and Routing

aurologic maintains an extensive European interconnection footprint spanning key data centers across Germany, Finland, and the Netherlands. Its infrastructure is anchored in major European internet hubs in both Langen and Amsterdam, where the company maintains direct connections with large colocation facilities. These datacenters serve as central exchange points where networks, content delivery providers, and hosting companies interconnect to exchange traffic efficiently. By maintaining a presence in multiple facilities, aurologic ensures fast, redundant, and high-volume data transit across Europe.

This level of connectivity makes aurologic an attractive upstream provider for a range of hosting companies, including those operating in ambiguous or opaque areas of the hosting ecosystem. Whether through technical neutrality, permissive policy, or limited oversight, aurologic’s infrastructure effectively provides a degree of protection and continuity to providers with a reputation for hosting malicious activity. As a result, aurologic sits in a complex position in the hosting landscape, where connectivity and enablement obscure the difference between infrastructure provider and facilitator. This dynamic sets the stage for understanding how aurologic’s network can serve as a foundation for persistent malicious infrastructure and why it plays such a critical role in enabling a broader ecosystem of threat activity.

Threat Activity Enablers

While aurologic’s broad connectivity footprint underpins its strength as a transit provider, it also introduces an enabling function within the threat infrastructure ecosystem. Its combination of network reach, capacity, and perceived permissiveness appears to appeal to questionable hosting providers seeking stable transit relationships that face fewer disruptions from abuse reporting or network-level mitigation efforts. Insikt Group identified more than a dozen TAEs using aurologic for upstream connectivity, ranging from sanctioned entities to self-proclaimed bulletproof hosting providers. The TAEs discussed in this section represent the most significant examples, having displayed some of the highest levels of validated malicious infrastructure within Recorded Future’s Network Intelligence relative to their announced IP space. A full list of active networks analyzed by Recorded Future and linked to aurologic can be found in Appendix A.

Aeza Group

Aeza Group is a Russian hosting provider established in 2021 that primarily operates through its UK-registered company, Aeza International Ltd (AS210644). Since its inception, Aeza has become a well-known TAE, enabling cybercriminal and state-aligned operations through resilient, abuse-tolerant infrastructure. At the time of writing, approximately 50% of Aeza International’s announced IP prefixes are routed via aurologic, highlighting its continued dependence on the German provider for upstream connectivity.

Insikt Group highlighted Aeza as one of the most prominent sources of validated malicious infrastructure in the Recorded Future 2024 Malicious Infrastructure Report, detailing its role in enabling a range of threats, including ransomware and infostealers, and citing its significant role in the Russian disinformation network Doppelgänger. After the release of Qurium’s Doppelgänger report in July 2024, Aeza revealed in August 2024 that DataCamp Limited (AS60068), a UK-based hosting provider, had terminated its contract, and that, as a result, Aeza partnered with aurologic to continue operations (Figure 1). Aeza’s continued operations have since prompted law enforcement and regulatory responses from Russia, the United States, and the United Kingdom.

Figure 1: A post from “mw” on the forum LowEndTalk quoting Aeza (Source: LowEndTalk)

Arrests

In April 2025, Russian authorities arrested Aeza Group co-founders Yurii Meruzhanovich Bozoyan and Arsenii Aleksandrovich Penzev on charges related to their alleged involvement in operating the darknet drug marketplace BlackSprut. The arrests followed an April 1 raid by the Federal Security Service (FSB) on Aeza’s Saint Petersburg headquarters, located in the former Wagner PMC Center.

Both Bozoyan and Penzev were charged under Articles 210 and 228.1 of the Russian Criminal Code for participation in an organized criminal group and large-scale drug trafficking. Russian media reports described the two as having provided the “technical base” for BlackSprut’s operations, which Aeza hosted through its UK-registered entity, Aeza International Ltd.

Sanctions

On July 1, 2025, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), in

coordination with the UK’s National Crime Agency (NCA), sanctioned Aeza Group and its affiliated companies, labeling them a “bulletproof hosting services provider.” OFAC attributed Aeza Group infrastructure to operations involving BianLian ransomware, Lumma and Meduza infostealers, and RedLine Stealer.

The list of designated companies includes:

• Aeza Group
• Aeza International Ltd (UK branch)
• Aeza Logistic LLC (Russia-based subsidiary)
• Cloud Solutions LLC (Russia-based subsidiary)

On September 19, 2025, the UK government followed the OFAC action by sanctioning the UK-registered Aeza International Ltd, citing its involvement in “destabilizing Ukraine by providing internet services to Russian disinformation campaigns.” However, at the time of writing, Aeza International remains a legally registered company in the United Kingdom and has yet to be struck off the company register.

Continuity

Despite the arrests of its co-founders and the imposition of sanctions, Aeza has demonstrated a sustained ability to reallocate its infrastructure. Rather than signaling operational decline, these actions appear to have prompted a rapid reorganization of assets aimed at preserving control over key network resources and maintaining service continuity.

Within 24 hours of OFAC’s July 2025 sanctions, Insikt Group observed Aeza begin to reallocate its US IP resources to a Serbian organization under the name Smart Digital Ideas DOO, an entity registered mere hours after OFAC announced the sanctions (see Figure 2). Insikt Group assessed with high confidence that this was intended to retain control of any assets affected by the OFAC sanctions.

Figure 2: RIPE organization record for Smart Digital Ideas (Source: RIPE DB)

On July 3, 2025, Insikt Group identified the emergence of Hypercore Ltd, a UK-registered company with infrastructure directly linked to Aeza. On July 4, 2025, Hypercore Ltd was re-assigned IP prefix 45[.]142[.]122[.]0/24 from Smart Digital Ideas DOO, an allocation which was created only one day prior (see Figure 3).

Figure 3: Aeza IP prefix 45[.]142[.]122[.]0/24 reallocation to Hypercore Ltd (Source: RIPEstat)

On July 7, 2025, Smart Digital Ideas DOO was assigned ASN AS215829 in the RIPE database (see Figure 4). Notably, the sponsoring org ORG-AIL64-RIPE was Aeza International Ltd, and the AS object also contains references tracing back to Cloud Solutions LLC.

Figure 4: RIPE objects associated with Smart Digital Ideas AS215829 (Source: RIPE)

Aeza has remained a prominent source of malicious activity throughout 2025. Based on Recorded Future® Malware Intelligence, Insikt Group identified multiple malware samples exhibiting network connections to AS210644. These samples predominantly included infostealers and remote access trojans (RATs) such as AsyncRAT, Destiny Stealer, Meduza Stealer, REMCOS RAT, Rhadamanthys Stealer, RisePro Stealer, and QuasarRAT.

Insikt Group’s recent analysis of the pro-Russian group DDoSia further highlighted Aeza’s continued role in the cybercrime landscape, with Aeza International Ltd (AS210644) accounting for 7.5% of all identified Tier 1 command-and-control (C2) servers between July 2024 and July 2025 (see Appendix B). Also of note, other ASs using aurologic’s services collectively accounted for a further 6% of observed C2 infrastructure, while approximately 13.5% of DDoSia Tier 1 C2 IP addresses were announced either directly by aurologic or by ASNs receiving upstream transit from it.

Femo IT Solutions Limited

Femo IT Solutions Limited (AS214351) is a UK-incorporated organization that, despite announcing only two /24 prefixes, has consistently displayed one of the highest concentrations of validated malicious infrastructure relative to its size, according to Recorded Future Network Intelligence. IP addresses announced by Femo IT Solutions hosted C2 infrastructure for Cobalt Strike, DcRat, Rhadamanthys Stealer, TinyLoader, and THC Hydra. Furthermore, Recorded Futures Malware Intelligence highlighted a number of malware samples exhibiting network connections to Femo IT Solutions infrastructure, such as Amadey, Aurotun, QuasarRAT, RedLine Stealer, REMCOS RAT, Stealc, SystemBC, and SvcStealer.

Insikt Group also identified a significant number of CastleLoader C2 infrastructure hosted on Femo IT Solutions in a recent report titled “From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure.”

Femo IT Solutions' IP prefixes 62[.]60[.]226[.]0/24 and 176[.]46[.]152[.]0/24 are both routed exclusively via aurologic (see Figure 5).

Figure 5: Femo IT Solutions routing (Source: bgp[.]tools)

IP prefix 62[.]60[.]226[.]0/24 is directly controlled by Femo IT Solutions. The prefix was assigned from a larger /17 block belonging to the Iranian Research Organization for Science and Technology (IROST), a government-controlled body under Iran’s Ministry of Science, Research and Technology. Sub-allocations from this space have also been leveraged by other suspected TAEs tracked by Insikt Group, including Aeza entities Aeza International (AS210644), Hypercore Ltd, and Smart Digital Ideas DOO, as well as Global Connectivity Solutions and Global Internet Solutions (see Figure 6).

Figure 6: IP allocations from IROST to TAE Networks (Source: bgp[.]tools)

The second announced prefix, 176[.]46[.]152[.]0/24, is attributed to New Way LLC, a company registered in Oman. This allocation derives from a /19 netblock controlled by Iranian internet service provider (ISP) Farahoosh Dena PLC, which offers data center and hosting services. The RIPE object for this range lists contradictory details, including a Philadelphia residential address and an Omani registration (Figure 7).

Figure 7: IP allocation from Faroosh Dena PLC to New Way LLC (Source: RIPE DB)

The network relies exclusively on Aurologic for upstream connectivity and shows clear operational ties to the bulletproof hosting provider Defhost (see Figure 8).

Figure 8: Defhost Telegram channel (Source: Recorded Future)

Defhost emphasizes “fast abusive VPD/VDS” with resilience against takedown efforts by any government, specifically Western law enforcement, and anti-abuse organizations such as “The Spamhaus Project,” while simultaneously assuring customers that its operations will remain uninterrupted. Insikt Group assesses with high confidence that Femo IT Solutions is under the control of Defhost.

Global-Data System IT Corporation

Global-Data System IT Corporation (AS42624), also recognized under the name SWISSNETWORK02, emerged in July 2024 following the transfer of ASN resources from Simple Carrier LLC (Figure 9). Within just over a year of operation, the network accumulated one of the highest concentrations of malicious activity observed in Recorded Future’s Network Intelligence, ranking within the top ten for malicious activity density as of September 2025. Its infrastructure has hosted a wide range of malware families, including Cobalt Strike, Sliver, QuasarRAT, Remcos Rat, Dark Crystal RAT, Latrodectus, Amadey, and multiple stealer families such as Rhadamanthys, RedLine Stealer, and Meduza.

Figure 9: Simple Carrier LLC transferring AS34888 and AS42624 to Global-Data System IT Corporation (Source: RIPE DB)

Insikt Group has assessed with medium confidence that Global-Data System IT Corporation is closely tied to PrivateAlps, an offshore privacy-centric hosting provider registered in Switzerland that openly advertises no Know-Your-Customer (KYC) policies, Digital Millennium Copyright Act (DMCA)-ignored hosting, and Tor-friendly infrastructure.

Beyond malware hosting, the infrastructure has supported DDoSIA, Socks5Systemz, and other commodity malware ecosystems. It has also been leveraged in targeted campaigns, such as TAG-144’s operations against Latin American governments.

All of Global-Data System IT Corporation’s active prefixes are routed solely through aurologic. Routing graphs from September 2025 confirm that all eleven IPv4 prefixes are routed through aurologic, with no diversification, making aurologic the critical enabler of Global-Data System IT Corporation’s reach and resilience.

By anchoring its connectivity to a German upstream like aurologic, Global-Data Systems IT Corporation maintains global availability despite repeated associations with malicious infrastructure. Global-Data System IT Corporation’s reliance on a single upstream provider creates a natural single point of failure that could, if interrupted, materially disrupt its operations. The persistence of this arrangement, however, highlights how aurologic’s connectivity enables the network’s reach and suggests permissive or insufficient vetting practices, consistent with patterns observed in other aurologic-linked suspected TAEs such as metaspinner net GmbH and Railnet LLC.

Metaspinner net GmbH

Metaspinner net GmbH (AS209800) was a recently registered autonomous system created on April 25, 2025, and was announced exclusively through aurologic (Figure 10). The name “metaspinner net GmbH” had long since been associated with a legitimate Hamburg-based software company. However, multiple factors indicate that the autonomous system “metaspinner” was not controlled by the same entity, but rather by threat actors likely affiliated with Virtualine Technologies.

[UPDATE] As of November 10, 2025, metaspinner net GmbH has provided substantial evidence confirming Insikt Group’s original assessment that their identity was unlawfully and fraudulently used in the registration of AS209800. A falsified RIPE end-user agreement provided to Insikt Group highlights how a basic verification check against publicly accessible company registration documents could have prevented the fraudulent registration. metaspinner net GmbH (Hamburg, Germany) has no affiliation with AS209800, Virtualine Technologies, or any related malicious activity associated with that network.

Since its inception, AS209800 has accumulated a substantial malicious footprint. Recorded Future has observed infrastructure within the ASN hosting a wide array of malware families and related tooling, including loaders like TinyLoader and SmokeLoader, information stealers such as Stealc, Amadey, and Phorpiex, and multiple remote access trojans, including AsyncRAT, njRAT, QuasarRAT, Dark Crystal RAT, and REMCOS RAT. Botnets such as Moobot, as well as post-exploitation frameworks like Cobalt Strike, have also been detected. These observations align with Spamhaus, which has recently taken notice of the high volume of suspicious activities appearing from the network within a short timeframe.

Figure 10: AS209800 appearing downstream from AS30823, aurologic GmbH, on October 3, 2025 (Source: bgp[.]tools)

As of October 3, 2025, AS209800 originated twelve IPv4 prefixes within the ranges 91[.]92[.]240[.]0/22, 158[.]94[.]208[.]0/22, and 178[.]16[.]52[.]0/22. According to RIPE, none of these IPv4 blocks are owned by metaspinner. Instead, they are sub-allocated from a Turkish local internet registry (LIR) MGN Teknoloji Anonim Sirketi, headquartered in Istanbul (Figure 11). This LIR also sponsors several other suspicious ASNs, all of which were created in 2025 (Appendix C).

Figure 11: Visualization of IPv4 prefixes being assigned to metaspinner. (Source: Recorded Future)

AS209800’s historical footprint further suggests possible repurposing. AS209800 briefly advertised an IPv6 /48 in December 2020 before going dormant, only to reemerge in 2025 with entirely new IPv4 address spaces and links to MGN Teknoloji. While no official transfer was logged in RIPE, the shift in behavior suggests the ASN was taken over or reallocated, a tactic consistent with other impersonation incidents observed in the same timeframe, such as VSVK Onderhoud B.V. (AS213511).

Irregularities are evident in domain registrations. The legitimate software company by the same name, metaspinner, used to operate the domain metaspinner[.]de and meta-spinner[.]net, which over time redirected to its current domain, preispiraten[.]de (see Figures 12 and 13). The domain metaspinner[.]net, originally lapsed in the mid-2000s, was re-registered on April 18, 2025, initially through URL Solutions, Inc., and later its record was updated to reflect its registrar as NiceNIC, a registrar known for abuse-tolerant practices.

Figure 12: The legitimate software company metaspinner net GmbH listed on the US version of preispiraten[.]de, pricepirates[.]com (Source: pricepirates[.]com)

Figure 13: Preispiraten (aka Pricepirates) listed as a service of metaspinner net GmbH on the “Imprint” page (Source: preispiraten[.]de)

At the time of analysis, metaspinner[.]net was hosted at IP address 65[.]21[.]125[.]233, which Insikt Group assesses with high confidence to be associated with Virtualine Technologies. Both RIPE and WHOIS data for the domain list a virtual office address in London’s 71-75 Covent Garden, an address previously used by organizations tied to Virtualine Technologies. Historical IP hosting records for 65[.]21[.]125[.]233 show that metaspinner[.]net operated on shared infrastructure with domains linked to Virtualine Technologies, such as virtualine[.]net and virtualine[.]org. Historical IP hosting records also show that it shared infrastructure with vonie[.]net, a domain once associated with VSVK Onderhoud B.V. (AS213511). Furthermore, 65[.]21[.]125[.]233 is also hosting four additional suspicious hosting-related domains: proxio[.]net, proxio[.]cc, antired[.]net, and lanedo[.]net. More details on the significance of these domains and their connection to Virtualine Technologies are outlined in the next subsections.

VSVK Onderhoud B.V.

The name of a legitimate Dutch construction firm, VSVK Onderhoud B.V., was used to register AS213511 on January 27, 2025. The legitimate VSVK Onderhoud operates exclusively in the Netherlands and has no IT or telecommunications business. According to historical WHOIS data, AS213511 was observed having Railnet LLC (AS214943) as its upstream provider. Railnet LLC notably has strong ties to Virtualine Technologies. This observed incident underscores an emerging pattern in AS-level impersonation campaigns, where threat actors may fabricate corporate identities and leverage legitimate-seeming infrastructure to enable phishing and IP hijacking schemes. As of writing, AS213511 is no longer observed on the global routing table.

Proxio

Proxio (proxio[.]net) appears to be a newly established proxy service with notable connections to Virtualine Technologies. Proxio has been recently advertised across dark web and underground forums, positioning itself as a high-speed residential or mixed proxy provider. Notably, a forum user operating under the alias “Secury” on BlackHatWorld Forum, with a Virtualine Technologies logo as the profile picture, was observed promoting the Proxio service (see Figure 14). This overlap in branding and infrastructure strongly reinforces the likelihood that Proxio and Virtualine Technologies are linked.

Figure 14: BlackHatWorld user “Secury” advertising Proxio (Source: BlackHatWorld)

Anti-Red Hosting

Anti-Red Hosting (antired[.]net) claims to be providing “Anonymous Anti-Red Bulletproof Hosting,” with its domain registration also listing a virtual office address in London’s Covent Garden. Previously, antired[.]host was observed redirecting to antired[.]net, which showed an association with the hosting service named “Spamhouse - F**k The Haus!”. Notably, Virtualine Technologies’ logo can be seen on the top left of the page (Figure 15).

Figure 15: Home page of antired[.]net as of October 25, 2025 (Source: URLScan)

Lanedo GmbH

On October 16, 2025, all twelve IPv4 prefixes announced by metaspinner net GmbH via AS209800 with netname “METASPINNERNET” were re-allocated to Lanedo Datacenter (ORG-LD194-RIPE), under the new netname LANEDONET”, originating from Railnet LLC, AS214943 (see Figures 16 and 17). This shift occurred at the peak of malicious activity on the network, with Recorded Future’s Network Intelligence identifying over 76 validated C2 servers.

Figure 16: Prefixes once observed under “METASPINNER” (AS209800) are now showing a description of “LANEDONET” as of October 22, 2025 (Source: bgp[.]tools)

Figure 17: An example of one of metaspinner’s IPv4 prefixes being reassigned to lanedonet (Source: RIPEStat)

Lanedonet Datacenter was registered with RIPE on the same day of the IP prefix transfers from metaspinner, with a listed address of Strawinskylaan 3051 1077 ZX, Amsterdam. The address appears to be an office space for rent and is home to several different organizations. However, its domain, lanedo[.]net, presents as a German internet service provider (ISP) offering dedicated servers in Germany, the Netherlands, Bulgaria, the United States, and Ukraine. Insikt Group identified an additional organization, Lanedo GmbH (ORG-LG235-RIPE), within the RIPE database, registered just three days prior on October 13, 2025, through the email address listed on its record, info[@]lanedo[.]net.

Several open sources show a legitimate company named “Lanedo GmbH i.L.”, located at Kollaukamp 1,0 22453 Hamburg, Germany, that has operated as a software and open-source development consultancy since January 2009. The company’s operational domain is lanedo[.]com. There is currently only one RIPE resource assigned to Lanedo GmbH at the time of writing, IPv6 prefix 2a147::/48.

Insikt Group assesses with high confidence that the threat actor(s) behind metaspinner have mirrored their technique of impersonating a legitimate company when setting up lanedo[.]net, pivoting from metaspinner, as the network had come under increased scrutiny due to its high volume of malicious traffic.

Railnet LLC

Railnet LLC (AS214943) was incorporated in April 2024 and, within its first year of operation, quickly emerged as one of the most abuse-heavy networks tracked by Recorded Future. Infrastructure hosted in Railnet’s space has supported over 30 malware families, including DarkComet, Amadey, Remcos RAT, Latrodectus, Dark Crystal RAT, and commodity stealers such as Rhadamanthys, StealC, Vidar, and Lumma.

Railnet is formally registered in Kentucky under an address linked to an organization named Whitelabel Networks LLC, and an incorporation agent tied to several other questionable hosting entities. While Kentucky is not a traditional secrecy jurisdiction, the choice of state and use of mail-drop offices suggest an effort to reduce visibility by avoiding more obvious havens, such as Delaware or offshore jurisdictions.

According to routing data observed on August 28, 2025, Railnet originated nineteen IPv4 prefixes, of which approximately 95% are routed via aurologic (Figure 18), with only a single /24 range being routed through another German provider, Pfcloud UG.

Figure 18: Railnet LLC’s routing through aurologic GmbH as of August 28, 2025 (Source:bgp[.]tools)

Railnet’s operational significance lies not just in the malware hosted directly, but in its role enabling multiple bulletproof hosting entities like Virtualine Technologies, DripHosting (DiorHost), and RetryHost.

Virtualine Technologies, a Russia-linked bulletproof hoster that openly advertises on Russian-language forums, leases at least fourteen prefixes originated by Railnet (Figure 19). These prefixes are often registered to various LIRs, which are then announced via Railnet, allowing Virtualine to mask ownership while maintaining operational control. Virtualine’s registration address in London’s 71-75 Covent Garden, a hub for shell entities, has also been associated with other suspected TAEs, including Stark Industries Solutions, Aeza International Ltd, and Global Connectivity Solutions LLC.

Figure 19: IP sub-allocation from Rapidnet to Virtualine Technologies, routed through Railnet LLC (Source: RIPE)

Railnet originates multiple prefixes used by DripHosting, a provider that brands itself interchangeably as DiorHost (Figure 20). Forum chatter and domain infrastructure confirm the overlap with driphost[.]net resolving to a DiorHost-branded page. Abuse contacts also point to dior[.]host, reinforcing that both labels are likely organizations operated by the same operator.

Figure 20: IP sub-allocation from Euro Crypt EOOD to DripHosting, routed through Railnet LLC (Source: RIPE)

RetryHost, another forum-advertised bulletproof provider offering virtual private network (VPS) and remote desktop protocol (RDP) services, originates a single range through Railnet (Figure 21). RetryHost explicitly markets itself as “bulletproof,” and overlapping infrastructure suggests close coordination or common backend management between Railnet and RetryHost.

Figure 21: IP sub-allocation from Telco Power Ltd to RetryHost, routed through Railnet LLC (Source: RIPE)

These providers collectively demonstrate how Railnet acts as a common backbone for “bulletproof” hosting operations, offering anonymity, routing resilience, and the ability to cycle short-lived leased prefixes to evade detection and blacklisting (Figure 22).

Figure 22: Railnet LLC’s observed prefixes from September 2024 to August 2025 (Source: RIPE Stat)

By carrying the vast majority of Railnet’s traffic, aurologic effectively extends global reach to three separate bulletproof hosting brands that have been consistently tied to malware distribution, botnet infrastructure, and illicit VPS or RDP services. While Railnet’s operators leverage offshore formations, obscure company formations, and prefix cycling to obscure their footprint, the persistence of their upstream relationship with aurologic highlights a broader concern: the enabling role of established European networks in sustaining high-risk or high-abuse infrastructure.

As of October 27, 2025, Recorded Futures Network Intelligence observed over 80 validated C2 servers on Railnets AS. This is likely a direct result of originating the twelve IPv4 prefixes transferred from metaspinner to Lanedo Datacenter (lanedo[.]net).

The case with Railnet underscores a recurring theme: aurologic’s upstream connectivity does not appear incidental, but repeatedly visible in the routing paths of various TAEs. Railnet and other TAEs appear highly dependent on aurologic’s permissive transit to maintain continuity despite widespread abuse reporting.

The Fine Line Between Neutrality and Negligence

The persistence of aurologic’s upstream connectivity to multiple suspected TAEs raises a broader question that extends beyond any single provider: To what extent are such relationships the result of negligence, a failure to apply due diligence, as opposed to complicity, where providers knowingly accept or tolerate high-risk customers as a part of their business model? In the context of internet infrastructure, this distinction is critical but often difficult to prove. Transit providers occupy a unique position as gatekeepers of global connectivity. Their willingness or unwillingness to sever ties with abuse-heavy networks directly determines whether malicious infrastructure remains reachable.

Negligence in this context often manifests as weak Know-Your-Customer (KYC) procedures, insufficient abuse handling, or a lack of proactive monitoring of downstream announcements. Many upstream networks argue they cannot fully control their downstream customers’ actions and rely on complaints to trigger action or simply redirect any abuse reporting to the customer in question, taking no further action. While aurologic has echoed a similar line of defense, typically directing abuse complaints to its abuse email address, hosting community members have offered anecdotal evidence stating otherwise (Figures 23 and 24).

Figure 23: LowEndSpirit Forum user “Encoders” describing no responses to abuse complaints (Source: LowEndSpirit Forum)

Figure 24: LowEndSpirit user “Treesmokah” pointing out that Hofmann’s Tornado Datacenter had been allegedly raided due to its relationship with Pfcloud UG. (Source: LowEndSpirit Forum)

In June 2024, CORRECTIV, a German non-profit investigative journalism organization, met with aurologic CEO, Joseph Hofmann at his office in Langen to discuss Qurium’s findings that data traffic from Tnsecurity Ltd and other companies in Aeza’s sphere of influence ran through aurologic’s infrastructure, leveraging its connectivity to global internet providers and supporting the Doppelgänger disinformation campaign. Hofmann maintained that he was unaware of any of his customers supporting the campaign, but appeared surprised when shown a link to a fake news article that led to his organization. He argued that this did not constitute definitive proof and insisted that only formal contact from authorities would prompt action. Hofmann describes his situation as a business dilemma, stating, “I can kick everyone out, but then at some point I won’t make any sales,” and that is why he waits for law enforcement correspondence.

aurologic’s sustained relationships with multiple TAEs strain the boundaries of plausible negligence. Its continued role in providing upstream transit for Aeza International Ltd, despite US and UK sanctions, suggests a reactive posture focused on legal compliance rather than risk avoidance. Since aurologic operates under German jurisdiction, it may not be violating domestic law. On July 1, 2025, Joseph Hofmann, under the username “jh_aurologic”, publicly defended the company’s position on the LowEndTalk forum (Figure 25), claiming the customer under review was not Aeza Group LLC. As of this writing, aurologic is not an upstream provider for Aeza Group LLC (AS216246), but remains a major upstream provider for Aeza International Ltd (AS210644).

Figure 25: aurologic CEO Joseph Hofmann commenting on the situation surrounding Aeza Group LLC (Source: LowEndTalk)

The distinction between oversight and permissive policy is further blurred by the ease and pace at which fraudulent downstream providers rebrand by leveraging obscure or offshore entities, cycling through prefixes, and establishing new LIRs. This pattern was exemplified in a case documented by Spamhaus, which detailed a now-defunct network of TAEs all operating behind layers of decoy ISPs and ultimately routed through aurologic (see Figure 26).

Figure 26: The Spamhaus Project points out aurologic’s proximity to malicious networks (Source: X, formerly knows as Twitter)

On April 7, 2025, Spamhaus again cited aurologic, describing it as an ISP with a “considerable history of bulletproof hosting proliferation” in relation to its provision of connectivity 49.3 Networking LLC (AS399979). Hofmann publicly disputed the characterization, asserting that the company “has no considerable history of bulletproof hosting” and that employees “react according to applicable law” when receiving abuse reports (see Figure 27). In the same thread, Hofmann engaged in a broader discussion with security researcher “Gi7w0rm” regarding aurologic’s continued service to Aeza despite its founders’ arrests and sustained malicious activity. Hoffman outlined his broader stance on maintaining neutrality toward the activity occurring across aurologic’s network, describing neutrality as “the art of being impartial.” This position suggests a broader posture of deliberate non-interference in the name of neutrality, which in practice could explain the persistence of high-risk and abusive networks under aurologic’s infrastructure.

Figure 27: Joseph Hofmann’s public responses to Spamhaus’ post regarding 49.3 Networking LLC (Source: X, formerly known as Twitter)

From the perspective of impacted victims or network defenders, the difference between negligence and complicity is often meaningless if threat actors are enabled to operate freely. When transit providers like aurologic fail to regularly investigate recurring abuse, whether out of resource constraints, business tolerance, or the legal limitations placed on them, the effect is the same: malicious infrastructure remains globally accessible. Under current EU and German law, transit providers are not generally required to proactively monitor or police customer activity unless they possess actual knowledge of illegal use.

aurologic has alluded to strict German data-protection obligations as one of many reasons for avoiding actions such as direct traffic inspection. While that is a legitimate concern, overreliance on that stance can mask operational complacency. The posture is also reflected in the company’s own Terms of Service, which explicitly invoke the EU’s Digital Services Act (DSA) to disclaim liability for content “stored, processed, or transmitted on customer-leased infrastructure,” provided the company is unaware of its existence or does not “actively support illicit use.” Abuse reports are to be verified, forwarded to the customer, and, if unresolved within 24 hours, may result in null-routing of the affected IP address. Only in “rare cases posing higher risks” does aurologic reserve the right to take proactive measures.

The company’s public abuse-handling and authority-request policies follow a similar reactive model. All complaints must be submitted via a designated email channel (abuse@aurologic[.]com) and include a full evidentiary record. Invalid or incomplete submissions are dismissed automatically. These procedures illustrate how aurologic's operational structure aligns with the reactive, notice-based compliance regime established by the Digitale-Dienste-Gesetz (DDG) and DSA. The company’s obligations begin only once it receives valid notice of abuse, and its enforcement options are further bound by procedural and jurisdictional limits. This framework not only defines but effectively constrains how far a provider can intervene, creating an environment where inaction remains legally defensible even amid persistent abuse. In this sense, aurologic’s abuse handling can be seen as a product of the broader European intermediary-liability model, which tends to prioritize legal defensibility over proactive security stewardship.

In practice, this means a provider like aurologic remains compliant with national law even when its network is repeatedly leveraged by threat actors, so long as it can claim lack of awareness of intent. The legal framework effectively absolves transit and hosting providers from responsibility for downstream misuse of their services, allowing malicious infrastructure to persist as long as it operates within the boundaries of plausible deniability.

The uncertainty over whether upstream providers are merely negligent or knowingly complicit underscores a central challenge in combating infrastructure abuse. Larger transit providers often defend their practices by citing contractual compliance and legal obligations, yet this narrow framing leaves ample room for high-risk networks to operate undeterred. For the cybersecurity community, regulators, and policymakers, the question is not only whether negligence or permissiveness is at play, but also how to impose accountability when routing decisions repeatedly sustain threat actors engaged in disinformation, cybercrime, and malware distribution.

Mitigations

• Use Recorded Future Threat Intelligence: Recorded Future customers can proactively mitigate threats originating from malicious networks, such as those discussed in this report, by operationalizing Recorded Future Intelligence Cloud data. This can be achieved by leveraging continuously updated Risk Lists and by blocklisting validated malicious IP addresses to prevent internal communication with malicious infrastructure.
• Implement Robust Network Security Controls: Configure perimeter security appliances and internal network defenses to block traffic originating from the ASNs identified in this report, unless there is a clearly defined business justification for permitting such traffic.

Outlook

Insikt Group assesses with high confidence that aurologic is likely to remain a central hub for TAE networks. Despite growing public pressure and international sanctions against its downstream customers, aurologic continues to operate within the bounds of its legal obligations, providing upstream connectivity that is ultimately enabling the highest concentrations of malicious activity observed within Recorded Future Network Intelligence. This, combined with the absence of coordinated regulatory enforcement, suggests that the conditions enabling high-risk networks to persist under its infrastructure are unlikely to change.

While the exact reason for aurologic’s continued prominence among these networks cannot be confirmed, the company’s public defense of, and ongoing provision of services to, Aeza despite multiple international sanctions, coupled with its publicly stated position of neutrality toward activity on its network, has likely reinforced its reputation among TAEs as a dependable upstream provider.

This case also reflects the greater question at hand within the hosting ecosystem: At what point does neutrality or persistent inaction in the face of systemic abuse become indistinguishable from complicity? As long as transit providers are able to maintain legal compliance while continuing to service networks repeatedly associated with malicious activity, the responsibility for intervention remains displaced onto their customers, even when those customers are the source of the abuse. Until these gaps in compliance, accountability, and proactive oversight are addressed, TAEs will continue to thrive.

Appendix A: Active Networks Linked to aurologic

Appendix B: Top Fifteen ASes Observed Announcing DDoSia Tier 1 IP Address Space

(Source: Recorded Future)

Appendix C: Organizations that List Turkish Local Internet Registry MGN Teknoloji Anonim Sirketi as a Maintainer Reference

(Source: RIPE)