Cloud Hosting Provider Accused for Providing Infrastructure to APT Hackers

The potentially unaware C2P entities that serve as legit businesses could be exploited easily by threat actors for attack campaigns and other illicit purposes.

While scenario like this could allow advanced threat actors to build and run an extensive attack infrastructure, as this scenario stands as a key pillar.


Researchers at Halcyon Research and Engineering Team identified recently that Cloudzy, an Iranian VPS hosting provider with 15+ data centers all around the globe, had been leasing and reselling their server space to 17 different state-sponsored hacking groups from the following countries:-

  • China
  • Russia
  • Iran
  • North Korea
  • India
  • Pakistan
  • Vietnam

Cloudzy Providing Infrastructure to APT Hackers

Halcyon labeled Cloudzy and similar ISPs as “Command-and-Control Providers” (C2P), an unexplored part of the ransomware economy.

However, the most striking thing is how efficiently legitimate ISPs are aiding nation-state threat actors, ransomware operators, and sanctioned entities without needing to stop illicit actions.

Profiting from the global attack ecosystem, these C2Ps become major players in the ransomware economy, knowingly or unknowingly.

Cloudzy appears legit on social media, but its CEO, Hannan Nozari, remained silent on the report, and despite its U.S. claims, researchers trace its origin to Tehran.

Moreover, this platform offers RDP, VPS, and other services with no questions asked, utilized by criminals and state-sponsored hackers to obfuscate origins and host attack tools.

New Ransomware affiliates

Halcyon reveals the following new ransomware affiliates using BlackBasta and Royal, previously undisclosed:-

  • Ghost Clown
  • Space Kook

Hackers gain system access via Cloudzy’s IP address. Ghost Clown shifted from Conti to Black Basta, while Space Kook moved from Quantum Locker to Royal, using infrastructure linked to Exotic Lily by Google’s Threat Analysis Group.

A deep investigation revealed a link to abrNOC, an Iranian firm founded by Hannan Nozari in Tehran. Eight Cloudzy employees in Iran showed crossover with abrNOC staff.


Cloudzy responded to Cyber Security news, stating that they do not tolerate or welcome any malicious activity on their infrastructure. They are committed to compliance with all applicable laws, including those related to export control.

“Cloudzy does not believe that the research is accurate, and it lacks the requisite substantiation and justification. It is imperative that we do not criminalize the provision of technology-neutral infrastructure, simply because there are malicious actors seeking to do harm.”

Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.