Cybersecurity researchers have flagged a Ukraine-based IP network as the origin of massive brute-force and password-spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. The activity is attributed to the Ukraine-based autonomous system FDN3 (AS211736), according to French firm Intrinsec.
Intrinsec said FDN3 is part of a wider abusive infrastructure that includes two other Ukrainian networks—AS61432 (VAIZ-AS) and AS210950 (ERISHENNYA-ASN)—and a Seychelles-based autonomous system named TK-NET (AS210848). The networks are described as exchanging IPv4 prefixes to evade blocklisting while hosting abusive activities, according to a report published by Intrinsec last week.
Intrinsec noted that AS61432 has announced a single prefix, 185.156.72.0/24, while AS210950 has announced two, 45.143.201.0/24 and 185.193.89.0/24. A major portion of this address space was moved to FDN3 in June 2025, while the networks continued to maintain peering arrangements with other abusive providers.
Intrinsec observed that the entirety of prefixes moved from AS61432 and AS210950 are now announced by bulletproof and abusive networks fronted by shell companies such as Global Internet Solutions LLC (gir.network) and Global Connectivity Solutions LLP, as well as Verasel, IP Volume Inc., and Telkom Internet LTD. The report links IP Volume Inc. to AS202425, a Seychelles-based entity long associated with abusive hosting operations.
The findings build on earlier disclosures about networks allocated in August 2021 – AS61432, AS210848, and AS210950 – being used for spam distribution, network attacks and malware command-and-control hosting. In June 2025, some IPv4 prefixes from these networks were moved to FDN3, itself created in August 2021, in what Intrinsec describes as a broader reorganization intended to sustain abusive activities.
Intrinsec also notes ties between FDN3 and a Russian company, Alex Host LLC, previously linked to other bulletproof hosting operations such as TNSECURITY, which hosted Doppelganger infrastructure. The researchers described offshore ISPs like IP Volume Inc. as enabling smaller bulletproof networks through peering and prefix hosting, aided by Seychelles’ anonymity benefits.
Separately, the findings come as Censys disclosed a connect-back proxy management system associated with the PolarEdge botnet, running on more than 2,400 hosts. The system – an RPX server that acts as a reverse-connect proxy gateway – appears to be a tool for managing proxy nodes and exposing proxy services. Censys senior security researcher Mark Ellzey said the system may be one of several tools used by the botnet, though it could also be a tool that is not specific to PolarEdge and is simply used by the botnet to jump between relays. The analysis cites the Censys blog post and the RPX project on GitHub.
Observers note that the techniques used by these networks – brute-force, password spraying and abuse of SSL VPN/RDP access – remain attractive to ransomware groups and other cybercriminal outfits as initial access vectors. Intrinsec highlighted continued use of such methods by ransomware-as-a-service (RaaS) groups, including Black Basta.
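As an added example (not code from Intrinsec, Censys or the article), the script below shows how a defender would separate the two techniques described above in authentication logs and cross-check the source addresses against the three prefixes the report names. Password spraying shows up as one source touching many accounts a few times each; brute force shows up as one source hammering a single account. The log format, the thresholds and the log lines are all constructed for illustration; the prefixes are the ones quoted from the report.

```python
"""Classify failed-login sources as password-spray or brute-force and flag
those inside the prefixes named in the Intrinsec report.

Added example, not code from Intrinsec or the article. The log format,
thresholds and sample lines are constructed; only the prefixes are from
the report.
"""
import ipaddress
import re
from collections import defaultdict

# Prefixes the report attributes to AS61432 / AS210950 and later FDN3.
REPORTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "185.156.72.0/24",
    "45.143.201.0/24",
    "185.193.89.0/24",
)]

# Constructed log format (assumption): "<ts> auth-fail user=<u> src=<ip>"
LOG_RE = re.compile(r"^(\S+) auth-fail user=(\S+) src=(\S+)$")

# Thresholds are assumptions; tune them to the size of the user base.
SPRAY_MIN_USERS = 5      # distinct accounts tried from one source
BRUTE_MIN_ATTEMPTS = 10  # failures against one account from one source

# Constructed sample log: a spraying source inside a reported prefix,
# a brute-forcing source outside it, and a benign user with two typos.
SAMPLE_LOG = (
    [f"2025-06-1{i}T02:00:00Z auth-fail user={u} src=185.156.72.10"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2025-06-20T03:{i:02d}:00Z auth-fail user=admin src=203.0.113.5"
       for i in range(12)]
    + ["2025-06-21T09:00:00Z auth-fail user=jdoe src=198.51.100.7",
       "2025-06-21T09:00:30Z auth-fail user=jdoe src=198.51.100.7",
       "garbage line that does not match"]
)


def in_reported_prefix(ip):
    """True if ip falls inside any prefix named in the report."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REPORTED_PREFIXES)


def classify_sources(lines):
    """Return {src: {"pattern", "users", "attempts", "reported_prefix"}}."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines not in the expected format
        _ts, user, src = m.groups()
        per_src[src][user] += 1

    result = {}
    for src, users in per_src.items():
        attempts = sum(users.values())
        max_per_user = max(users.values())
        # A source that both sprays and hammers one account is reported as
        # brute-force; the spray signal is still visible in "users".
        if max_per_user >= BRUTE_MIN_ATTEMPTS:
            pattern = "brute-force"
        elif len(users) >= SPRAY_MIN_USERS:
            pattern = "password-spray"
        else:
            pattern = "benign"
        result[src] = {
            "pattern": pattern,
            "users": len(users),
            "attempts": attempts,
            "reported_prefix": in_reported_prefix(src),
        }
    return result


def sources_to_block(report):
    """Sorted list of sources classified as either attack pattern."""
    return sorted(src for src, r in report.items() if r["pattern"] != "benign")


if __name__ == "__main__":
    for src, r in classify_sources(SAMPLE_LOG).items():
        print(f"{src:16} {r['pattern']:15} users={r['users']:<3} "
              f"attempts={r['attempts']:<3} reported_prefix={r['reported_prefix']}")
    print("block:", sources_to_block(classify_sources(SAMPLE_LOG)))
```

The prefix check is deliberately separate from the behavioural classification: a spraying source outside the reported ranges still needs blocking, and the report itself notes that these operators move prefixes between ASNs to defeat static blocklists, so the address ranges are a corroborating signal rather than the detection.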