Executive Summary
During the week of June 14-20, network activity across the 26 monitored bulletproof hosting ASNs remained elevated, with 15 of 26 ASNs showing detectable scanning behavior. PFCLOUD (AS51396) continued as the dominant source of observed scanning traffic, generating approximately 96,000 sessions across its IP fleet, followed by KAOPU Cloud HK (AS138915) with approximately 79,000 sessions. A notable addition this week is HOSTKEY-AS (AS57043), which appears as a significant Censys-tracked network with just under 100,000 hosts, though its observed scanning activity in our honeypots is relatively low (377 sessions).
The most significant change from the prior week is the normalization of PROTON66 (AS198953) activity. Last week this ASN generated over 42,000 honeypot events from a single IP; this week it dropped to just 112 events, suggesting either a completed campaign or infrastructure rotation. PFCLOUD showed a slight increase in host inventory (3,476 vs 3,424, +1.5%), driven primarily by new WireGuard (wg-easy) deployments. No new zero-day exploitation or C2 infrastructure was identified this week.
By the Numbers
| ASN | Provider | Sponge Sessions | Honeylabs Events | Top Port (Sponge) | Censys Hosts | delta vs prior |
|---|---|---|---|---|---|---|
| AS51396 | PFCLOUD | 96,045 | ~14,700 | 22 (SSH) | 3,476 | +1.5% |
| AS138915 | KAOPU-HK | 78,971 | 20 | 123 (NTP) | 34,264 | -4.6% |
| AS51852 | PLI-AS | 3,014 | 1,416 | 443 (HTTPS) | 11,209 | -0.4% |
| AS57043 | HOSTKEY-AS | 377 | 0 | 23 (Telnet) | 99,992 | new |
| AS210644 | AEZA-AS | 408 | 2 | 22 (SSH) | 76,411 | -0.4% |
| AS14956 | ROUTERHOSTING | 354 | 116 | 22 (SSH) | 25,182 | -2.7% |
| AS198953 | PROTON66 | 390 | 168 | 23 (Telnet) | 62 | stable |
| AS214940 | KPRONET | 498 | 100 | 22 (SSH) | — | stable |
| AS400992 | ZHOUYISAT | 347 | 1 | 22 (SSH) | — | stable |
| AS200651 | FLOKINET | 83 | 23 | 22 (SSH) | 3,462 | stable |
| AS200593 | PROSPERO-AS | 52 | 9 | 22 (SSH) | — | stable |
| AS209847 | THE | 17 | 0 | 22 (SSH) | 13,517 | stable |
| AS213702 | QWINS-LTD | 11 | 0 | 22 (SSH) | 6,967 | stable |
| AS33993 | UFO-AS | 8 | 0 | 22 (SSH) | — | stable |
| AS30823 | AUROLOGIC | 1 | 0 | 22 (SSH) | — | stable |
11 of 26 ASNs showed zero observed activity in Sponge this week.
Top ASN Deep Dives
AS51396 — PFCLOUD (Pfcloud UG)
PFCLOUD remains the most active bulletproof hosting ASN in our dataset, generating over 96,000 Sponge sessions and approximately 14,700 honeypot events this week. The activity is distributed across 20+ unique IPs, primarily hosted in the Netherlands (204.76.203.0/24 range) and Germany (45.135.193.0/24, 176.65.0.0/16).
Sponge profile: Port 22 (SSH) dominates with 31,594 sessions, followed by port 80 (6,582) and the unusual port 22222 (4,392). The high volume on port 22222 is notable and may indicate custom service scanning. The top source IP (176.65.148.147) alone generated 8,600 sessions.
Honeylabs profile: Honeylabs captured 20 distinct attacker IPs from this ASN. The most active (204.76.203.78) generated 3,716 events targeting non-standard ports (7700, 1090, 4003). User agent analysis reveals diverse tooling: Mozilla/5.0 generic (950 events), Go-http-client/1.1 (280 events), and Shodan-Pull/1.0 (113 events). Notably, “zgrab/0.x” user agent variants were observed (55 events), suggesting active ZGrab scanning campaigns.
Censys infrastructure: 3,476 hosts (up from 3,424 last week, +1.5%). All carry the BULLETPROOF label. The top software stack is notable: wg-easy (WireGuard VPN, 805 hosts) is the most identified product, followed by OpenSSH (750), Python (649), and Werkzeug (606). The prevalence of wg-easy is unusual compared to traditional hosting ASNs and suggests PFCLOUD may be specializing in VPN/proxy services in addition to traditional hosting. Port 5335 (829 instances) appears to be a frequently deployed non-standard service.
AS138915 — KAOPU Cloud HK Limited
KAOPU-HK showed a slight decline in Censys host count (34,264 vs 35,900, -4.6%), possibly indicating infrastructure churn. Despite this, network scanning remains significant with 78,971 Sponge sessions.
Sponge profile: Port 123 (NTP) is the dominant target with 17,838 sessions, suggesting NTP amplification scanning. Port 443 (HTTPS, 13,711) and port 80 (HTTP, 13,678) follow closely. The top source IP (38.54.2.209) alone generated 58,548 sessions, making it the single most active observed IP across all ASNs this week.
Honeylabs profile: Three attacker IPs observed from Peru, Thailand, and Seychelles. The 149.104.66.228 (Peru) IP was conducting UPnP exploitation attempts (AddPortMapping SOAP actions targeting /wanipcn.xml and /picdesc.xml) — a classic router/NAT injection technique. The 38.60.254.173 (Thailand) IP used Go-http-client/1.1 probing HTTP, HTTPS, and Elasticsearch (port 9200).
Censys infrastructure: Massive network of 34,264 hosts (all BULLETPROOF labeled). The software stack reveals a mix of Chinese and Western infrastructure: OpenSSH (20,287), Nginx (10,895), OpenResty (6,219), and Tengine (2,904). The presence of both OpenResty and Tengine — both Nginx variants popular in Chinese CDN/hosting environments — alongside LiteSpeed Web Server (2,301) suggests a heterogeneous infrastructure with multiple service stacks.
AS51852 — PLI-AS (Private Layer INC)
PLI-AS remains a persistent scanner with 3,014 Sponge sessions and 1,416 honeypot events. The network hosts 11,209 hosts (stable).
Sponge profile: Port 443 (HTTPS) dominates with 1,131 sessions, followed by port 8443 (832). Top source IP (179.43.163.26) from Switzerland generated 2,786 sessions.
Honeylabs profile: Six attacker IPs observed, all from Switzerland. The most active (179.43.168.58) generated 504 events targeting port 443. User agents suggest Chrome 144 on Windows (882 events) and Chrome 124 on Linux (449 events) as the primary scanning tools. Notably, aiohttp/3.13.5 (8 events) was observed probing ports 2083 and 2087, suggesting application-layer scanning for cPanel/RADIUS services.
Censys infrastructure: 11,209 hosts. Uniquely among monitored ASNs, Squid (16,289 instances) is the dominant software product, indicating this network is heavily oriented toward proxy services. Other notable software: Nginx (4,698), OpenSSH (4,420), Dovecot (2,991), Exim (1,707), and cPanel (808). The high cPanel count suggests reseller hosting is a significant line of business. Port 3128 (Squid proxy, 2,210 instances) confirms the proxy-heavy infrastructure.
AS57043 — HOSTKEY-AS
This is the first week HOSTKEY-AS appears in our active tracking. Censys reports 99,992 hosts (all BULLETPROOF labeled), making it the largest single network in our watchlist by host count. However, observed scanning activity is modest with only 377 Sponge sessions.
Sponge profile: Four source IPs observed, with top IP (193.17.95.129) generating 311 sessions. Port 23 (Telnet, 56 sessions) is the most targeted, followed by port 19. The low session count relative to the massive host inventory suggests this network’s scanning activity may be routed through specific exit IPs rather than distributed across the full range.
Censys infrastructure: Nearly 100,000 hosts. The software stack is dominated by OpenSSH (75,058) and Nginx (54,599). Notable is the presence of Ghost CMS (9,127), App & API Protector (9,123), and Cloudflare Load Balancer (2,925), suggesting a mix of CMS hosting and DDoS-protected infrastructure. The presence of Google Web Services (12,061) as a detected product may indicate reverse proxy relationships. Port 2096 (16,201 instances, likely cPanel’s alternate SSL port) confirms significant web hosting operations.
AS14956 — ROUTERHOSTING (RouterHosting LLC)
RouterHosting showed 354 Sponge sessions. Its Censys host count fell 2.7% (25,182, down from 25,869).
Honeylabs profile: Eleven attacker IPs from US-based infrastructure. The most interesting profile is 216.126.239.17 (34 events) using the user agent “PMTA-Auto” targeting ports 6541, 8000, 1212, and 8181 — this suggests bulk email infrastructure testing. Another IP (167.88.165.96) used “CLIProxyScanner/1.0” targeting port 8317. SMB scanning (port 445) was observed from two IPs. Minecraft server scanning (port 25565) was detected from one IP.
Infrastructure Correlation
Shared fingerprint across ASNs: The TLS fingerprint t13i131000_f57a46bbacb6_ab7e3b40a677 (TLSv1.3, AES_128_GCM_SHA256) was observed from AS138915 (KAOPU-HK) across all three attacker IPs and was also present in prior week data from AS209847. This suggests shared scanning tooling or potentially shared infrastructure operators between these two geographically and organizationally distinct ASNs.
WireGuard deployment correlation: PFCLOUD (AS51396) shows wg-easy on 805 hosts, a pattern also emerging in AEZA-AS’s Censys profile (wg-easy detected on 1,286 hosts last week). While both ASNs deploy WireGuard, the different footprints suggest independent operations rather than shared management.
BULLETPROOF label universality: All monitored ASNs with Censys data carry the BULLETPROOF label, confirming the curated list accurately targets providers that Censys’s threat intelligence pipeline flags as bulletproof hosting.
Fleet Observations
Host inventory changes: The most significant change this week is the addition of HOSTKEY-AS (99,992 hosts) to the active tracking set. Among previously tracked ASNs, KAOPU-HK showed the largest decrease (-4.6%) from 35,900 to 34,264 hosts, while PFCLOUD showed a small increase (+1.5%) from 3,424 to 3,476.
Scan-only node ratios: Across all monitored ASNs, the gap between Censys host counts and observed scanning IPs remains wide. PFCLOUD has 3,476 Censys-tracked hosts but only 20 IPs observed in honeypots, giving a scan-only ratio of approximately 99.4%. Similarly, HOSTKEY-AS has 99,992 hosts but only 4 observed scanning IPs (99.996% scan-only). This is expected behavior — most hosts in bulletproof networks serve legitimate (or at least non-scanning) purposes, with dedicated exit nodes handling scanning operations.
Software version churn: PFCLOUD’s wg-easy count increased from 779 to 805 (+3.3%), while its OpenSSH footprint grew from 737 to 750 (+1.8%). These small but consistent increases suggest ongoing infrastructure deployment rather than static operations.
IoCs and Detection Guidance
Notable IPs:
- 38.54.2.209 (KAOPU-HK) — 58,548 Sponge sessions, the single most active scanning IP this week
- 204.76.203.78 (PFCLOUD) — 3,716 honeypot events targeting non-standard ports
- 176.65.148.147 (PFCLOUD) — 8,600 Sponge sessions, primarily port 22/SSH
- 149.104.66.228 (KAOPU-HK, Peru) — UPnP exploitation attempts (AddPortMapping)
- 179.43.163.26 (PLI-AS) — 478 events, HTTPS scanning across multiple SSL ports
JA4/JA4H fingerprints to watch:
- t13i131000_f57a46bbacb6_ab7e3b40a677 — TLSv1.3 client, observed across KAOPU-HK and THE ASNs
- ge11nn0300_0db47b7d240d — Go HTTP client fingerprint from KAOPU-HK
Detection rules:
- Monitor port 22222 inbound traffic as a PFCLOUD scanning signature
- Flag UPnP AddPortMapping SOAP requests from KAOPU-HK IP ranges (AS138915)
- Track port 2096 traffic from HOSTKEY-AS (AS57043) and AEZA-AS (AS210644) as web hosting scanning
- Watch for Shodan-Pull/1.0 user agent from PFCLOUD IP ranges
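The four detection rules and the indicators listed above, applied to JSON-lines connection events. This is an added example, not part of the original report or its data set. The event field names are assumptions, the source ASN is assumed to be enriched upstream, and scoping the port 22222 rule to AS51396 is one reading of that rule.

```python
import json

# Indicators and rule conditions come from this report; the event schema
# (src_ip, asn, dst_port, user_agent, soap_action, ja4, ja4h) is an assumption.
NOTABLE_IPS = {"38.54.2.209", "204.76.203.78", "176.65.148.147",
               "149.104.66.228", "179.43.163.26"}
WATCH_JA4 = {"t13i131000_f57a46bbacb6_ab7e3b40a677"}
WATCH_JA4H = {"ge11nn0300_0db47b7d240d"}
PFCLOUD, KAOPU, HOSTKEY, AEZA = 51396, 138915, 57043, 210644

def _s(ev, key):  # field as a string, '' when absent or not a string
    return ev[key] if isinstance(ev.get(key), str) else ""

RULES = [  # (rule name, predicate over one event dict)
    ("notable-ip", lambda e: _s(e, "src_ip") in NOTABLE_IPS),
    ("watched-fingerprint",
     lambda e: _s(e, "ja4") in WATCH_JA4 or _s(e, "ja4h") in WATCH_JA4H),
    ("pfcloud-port-22222",  # ASN scoping is this example's reading of the rule
     lambda e: e.get("asn") == PFCLOUD and e.get("dst_port") == 22222),
    ("pfcloud-shodan-pull",
     lambda e: e.get("asn") == PFCLOUD and _s(e, "user_agent").startswith("Shodan-Pull/1.0")),
    ("kaopu-upnp-addportmapping",
     lambda e: e.get("asn") == KAOPU and "addportmapping" in _s(e, "soap_action").lower()),
    ("port-2096-scan",
     lambda e: e.get("asn") in (HOSTKEY, AEZA) and e.get("dst_port") == 2096),
]

def scan(lines):
    """Parse JSON-lines events; return {line_number: [rule names]} for hits."""
    out = {}
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the run
        if isinstance(ev, dict) and (hits := sorted(r for r, pred in RULES if pred(ev))):
            out[n] = hits
    return out

# Constructed sample events, not real captures (192.0.2.x is a documentation range).
SAMPLE = [
    '{"src_ip": "176.65.148.147", "asn": 51396, "dst_port": 22222}',
    '{"src_ip": "149.104.66.228", "asn": 138915, "dst_port": 80, "soap_action": "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"}',
    '{"src_ip": "192.0.2.10", "asn": 57043, "dst_port": 2096}',
    '{"src_ip": "192.0.2.20", "asn": 51396, "dst_port": 80, "user_agent": "Shodan-Pull/1.0"}',
    '{"src_ip": "192.0.2.30", "asn": 209847, "dst_port": 443, "ja4": "t13i131000_f57a46bbacb6_ab7e3b40a677"}',
    '{"src_ip": "192.0.2.40", "asn": 64500, "dst_port": 22222}',
    "not-json",
]
```

Calling `scan(SAMPLE)` returns hits for lines 1 to 5 only: the port 22222 event from an unrelated ASN and the malformed line produce nothing.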
Full data: https://git.sr.ht/~hrbrmstr/gists/tree/main/item/kevlar/2026-06-20/