A wave of brute-force and password spraying attacks targeting SSL VPN and Remote Desktop Protocol systems has been traced to Ukraine-based networks, according to new research.

The activity was observed between June and July 2025 and involved hundreds of thousands of coordinated login attempts, often peaking during three-day periods. The Hacker News reported that the attacks originated from the autonomous system FDN3 (AS211736), with links to VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950).

Intrinsec researchers noted that “all those strong similarities, including their configuration, the content they host, and their creation date, led us to assess with a high level of confidence the previously mentioned autonomous systems to be operated by a common bulletproof hosting administrator.” The infrastructure is tied to Seychelles-based IP Volume Inc. (AS202425), a company previously associated with bulletproof hosting providers such as Ecatel.

Attack logs revealed that individual IP addresses generated up to 113,000 attempts each, often using password spraying rather than traditional brute-force methods to avoid account lockouts. Targets included remote access systems from Fortinet, Palo Alto, and Cisco, with the aim of establishing privileged access points inside enterprise networks.
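A detection sketch for the pattern described above, as an added example that is not taken from the Intrinsec research or The Hacker News report: a per-account lockout counter never fires on spraying, so the check groups failed logins by source IP and looks at how they spread across usernames. The event format, thresholds and sample events (documentation IP ranges) are constructed assumptions.

```python
from collections import defaultdict


def build_sample_events():
    """Constructed (source_ip, username, success) events; not real log data."""
    events = [("203.0.113.10", f"user{i:02d}", False) for i in range(40)]  # spray
    events += [("198.51.100.7", "admin", False)] * 40  # classic brute force
    events += [("192.0.2.5", "alice", False), ("192.0.2.5", "alice", True)]  # typo
    return events


def locked_accounts(events, lockout_threshold=5):
    """Accounts a per-account lockout policy (assumed threshold) would trip."""
    failures = defaultdict(int)
    for _ip, user, success in events:
        if not success:
            failures[user] += 1
    return {u for u, n in failures.items() if n >= lockout_threshold}


def classify_sources(events, min_failures=20, spray_users=15, max_per_user=3):
    """Label each source IP by the shape of its failed logins.

    spray:       many distinct usernames, few failures per username
    brute_force: failures concentrated on at least one username
    Thresholds are assumed values; tune them to the gateway's lockout policy.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user, success in events:
        if not success:
            per_ip[ip][user] += 1

    verdicts = {}
    for ip, users in per_ip.items():
        if sum(users.values()) < min_failures:
            continue  # too little volume to judge
        heaviest = max(users.values())
        if heaviest > max_per_user:
            verdicts[ip] = "brute_force"
        elif len(users) >= spray_users:
            verdicts[ip] = "spray"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


if __name__ == "__main__":
    sample = build_sample_events()
    print("locked:", sorted(locked_accounts(sample)))
    for ip, verdict in sorted(classify_sources(sample).items()):
        print(ip, verdict)
```

On the sample data the lockout policy trips only for the brute-forced account, while the spraying source is caught by the per-source view.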

The Hacker News highlighted that the campaign was “coordinated” and sustained, with synchronized activation patterns across multiple IP addresses. This level of organization, combined with ties to Russian firm Alex Host LLC, suggests the networks are part of a larger ecosystem of resilient, anonymized hosting infrastructure.

The attacks were further connected to Amadey malware panels hosted within the same autonomous systems, with active command-and-control servers such as 185.156.72.96 and 185.156.72.97 managing compromised endpoints. Several C2 servers remain online, indicating that successful post-exploitation activity is ongoing.

The findings follow a separate Censys report describing related infrastructure linked to PolarEdge botnet operations, underscoring the growing use of bulletproof networks to sustain credential attacks against critical enterprise systems.