Block One ASN, Kill Sixteen Malware Families: Mapping OMEGATECH, a Three-Month-Old Bulletproof Hosting Network Running 67 C2 Servers on a Single Subnet

AS202412 hosts Remcos, AsyncRAT, Amadey, Latrodectus, XWorm, and 11 more families on 18 /24 prefixes routed through known BPH upstream

Published April 3, 2026

Tags: bulletproof-hosting, omegatech, amadey, remcos, asyncrat, asn-blocking

When @Fact_Finder03 flagged 158.94.210[.]91 as a C2 panel, the Amadey botnet behind it was almost unremarkable. Amadey is commodity malware -- well-documented by Check Point, Cisco Talos, Trellix, and Microsoft. Another instance on another server.

But the server it was running on told a different story. The /24 subnet surrounding that IP hosts 67 distinct command-and-control operations spanning 16 malware families. The ASN it belongs to -- AS202412, registered to OMEGATECH -- is three months old. And every prefix it announces routes through a known bulletproof hosting upstream.

The Subnet

158.94.210.0/24 is one of 18 /24 prefixes announced by AS202412. ThreatFox data reveals the concentration of malicious infrastructure on this single block:

Family         ThreatFox sightings   Type
Remcos         6,562                 RAT
AsyncRAT       4,379                 RAT
Amadey         1,100+                Botnet/Loader
Latrodectus    --                    Loader
XWorm          --                    RAT
Stealc         --                    Stealer
DCRat          --                    RAT
LOBSHOT        --                    RAT/hVNC
Eye Pyramid    --                    Spyware
Mirai          --                    IoT botnet
Bashlite       --                    IoT botnet
Quasar RAT     --                    RAT
ClearFake      --                    Loader
SectopRAT      --                    RAT
SuperShell     --                    C2 framework
SheetRAT       --                    RAT

Sixteen families. One subnet. This isn't a hosting provider that occasionally has abuse problems -- this is a purpose-built criminal infrastructure network.

OMEGATECH

AS202412 was registered approximately three months ago. The organization behind it uses a Seychelles .sc domain for its abuse contact -- a jurisdiction chosen specifically for its lack of international law enforcement cooperation.

The ASN announces 18 /24 prefixes, totaling 4,608 IP addresses. Its upstream transit provider is Pfcloud UG, a German entity that has appeared repeatedly in bulletproof hosting research. The pattern -- fresh ASN, Seychelles registration, Pfcloud transit, immediate population with malware infrastructure -- is a textbook BPH deployment.

The Amadey Panel

The specific C2 at 158.94.210[.]91 ran an Amadey botnet panel at /g8hrS4f4vh/Login.php. The randomized directory path is a standard Amadey deployment pattern. The panel served a Russian-language interface, confirmed through UI strings in the captured HTML.

The panel went offline between April 2 and April 3, but not before we recovered:

  • cred64.dll -- An Amadey credential stealer plugin (compiled February 21, 2026) targeting Chrome, Firefox, Outlook, Thunderbird, FileZilla, WinSCP, Gajim, and Monero wallets
  • The panel login page with Russian UI strings and CSS theme (useful as fingerprinting artifacts)
  • Full nmap scan data showing the server profile

Why This Matters

Most threat intelligence focuses on individual C2 servers. Take one down, the operator stands up another. But the hosting layer underneath persists.

OMEGATECH's 18 /24 blocks are the shared infrastructure that enables all 16 malware families to operate. A single network-level block of AS202412 at an organization's perimeter would disrupt:

  • All Remcos C2 communications through this network (6,562 documented instances)
  • All AsyncRAT callbacks (4,379 instances)
  • All Amadey bot check-ins
  • And 13 other malware families sharing the same bulletproof hosting

This is the argument for ASN-level blocking of known BPH networks. The cost of false positives is near zero -- there is no legitimate traffic originating from a three-month-old ASN with a Seychelles abuse contact and 67 C2 servers on one subnet.
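The following is an added example (not code from the original report) showing what an ASN-level block looks like in practice: it takes the /24 prefixes attributed to AS202412, checks a constructed egress log for destinations inside them, notes whether a hit uses the random-directory Login.php layout of the Amadey panel, and renders an nftables set that drops the whole ASN at the perimeter. Only 158.94.210.0/24 comes from the report; the other prefixes in the list are placeholders (RFC 5737 documentation ranges) standing in for the 17 /24s the report does not enumerate, and the log lines are constructed.

```python
"""Added example: ASN-level blocking of AS202412 (not from the original report).

Given the /24 prefixes announced by a bulletproof-hosting ASN, flag any
destination in an egress log that falls inside them and emit an nftables
set that drops traffic to the whole ASN at the perimeter.
"""
import ipaddress
import re

# Prefixes attributed to AS202412.  The first is from the report; the rest
# are PLACEHOLDERS (RFC 5737 documentation ranges) standing in for the other
# 17 /24s the report does not list.  Replace them with the real announcements
# taken from a BGP source before deploying.
AS202412_PREFIXES = [
    "158.94.210.0/24",        # from the report (hosts the Amadey panel)
    "203.0.113.0/24",         # placeholder
    "198.51.100.0/24",        # placeholder
]

# Amadey panel layout seen on the report's C2: a random directory plus Login.php.
AMADEY_PANEL_PATH = re.compile(r"^/[A-Za-z0-9]{8,12}/Login\.php$")

# Constructed egress proxy/flow log: "<ts> <src> <dst> <port> <path>".
SAMPLE_LOG = """\
2026-04-02T10:01:12Z 10.0.5.21 158.94.210.91 80 /g8hrS4f4vh/Login.php
2026-04-02T10:01:40Z 10.0.5.21 93.184.216.34 443 /
2026-04-02T10:02:05Z 10.0.7.9 203.0.113.77 8080 /index.php
2026-04-02T10:02:33Z 10.0.7.9 8.8.8.8 53 -
"""


def _build_networks(prefixes):
    # strict=True rejects prefixes with host bits set, which would silently
    # widen or misplace the block.
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def in_blocked_asn(ip, prefixes=AS202412_PREFIXES):
    """True if ip falls inside any prefix attributed to the blocked ASN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _build_networks(prefixes))


def triage_log(text, prefixes=AS202412_PREFIXES):
    """Return one dict per log line whose destination is inside the blocked ASN.

    Each hit records the internal source, the destination, the port, and
    whether the request path matches the Amadey panel layout from the report.
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole batch
        ts, src, dst, port, path = parts
        if not in_blocked_asn(dst, prefixes):
            continue
        hits.append({
            "ts": ts,
            "src": src,
            "dst": dst,
            "port": int(port),
            "amadey_panel_path": bool(AMADEY_PANEL_PATH.match(path)),
        })
    return hits


def nftables_blocklist(prefixes=AS202412_PREFIXES, table="inet filter"):
    """Render an nftables snippet that logs and drops all egress to the ASN."""
    elems = ", ".join(str(n) for n in _build_networks(prefixes))
    return "\n".join([
        f"table {table} {{",
        "    set bph_as202412 {",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {elems} }}",
        "    }",
        "    chain output {",
        "        type filter hook output priority 0; policy accept;",
        "        ip daddr @bph_as202412 counter log prefix \"BPH-AS202412 \" drop",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit)
    print(nftables_blocklist())
```

The set uses `flags interval` so whole prefixes can be matched in one lookup, and the rule logs before dropping so internal hosts that were already talking to the ASN surface in the firewall log as incident leads rather than disappearing silently.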

Indicators of Compromise

Network Indicators

  • 158.94.210[.]91 (Amadey C2)
  • AS202412 (OMEGATECH) -- all 18 /24 prefixes
  • Upstream: Pfcloud UG

File Indicators

  • cred64.dll (Amadey credential stealer plugin, compiled 2026-02-21)
  • Imphash: 3f175edea93fa7a76a78004d12de2235

Detection

Three YARA rules and ten Suricata signatures covering the Amadey panel, credential stealer plugin, and OMEGATECH network ranges are available on our GitHub:


h/t @Fact_Finder03 for the initial IP.