Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs


  1. Report by Halcyon, a Texas-based cybersecurity startup.
  2. Cloudzy is registered in the USA but based in Iran.
  3. Cloudzy is suspected of providing C&C services to govt hacking groups.
  4. CEO Hannan Nozari denies services to cybercriminals.

The cybersecurity researchers at Halcyon claim that Cloudzy, a cloud service provider, is actively involved in providing command-and-control services to more than 20 hacking groups.

These groups encompass spyware and ransomware operators, as well as state-backed APT groups. Shockingly, approximately 40% – 60% of Cloudzy’s activities are deemed “malicious in nature,” involving activities such as espionage and extortion against its victims.

The Cloudzy Saga

Cybersecurity startup Halcyon researchers discovered that an Iranian-run ISP has been “unwittingly” supporting the “ransomware economy” and miscellaneous attack operations by providing C2P (Command-and-Control Providers) services to threat actors.

Halcyon researchers suggest there is yet another player that is, perhaps unwittingly, supporting the booming ransomware economy and other attack operations: the Command-and-Control Providers (C2P) who sell services to threat actors while assuming a legal business profile.


Researchers suspect that the company, identified as Cloudzy (formally RouterHosting), sells services to state-sponsored APT (advanced persistent threat) actors and cybercriminals/hackers while keeping a “legal business profile.”

In a research report (PDF) published on August 1st, the Halcyon Research team wrote that Cloudzy is registered in the USA, but it operates from outside of Tehran, Iran, and has virtually no presence in the USA.

An individual identified as Hannan Nozari runs this company, allegedly the founder of another Iranian firm abrNOC. This is based on the finding that eight individuals employed by Cloudzy in Iran also work for abrNOC.

“Halcyon therefore assessed with high confidence that C2P Cloudzy is almost certainly a cutout for the actual hosting company, abrNOC, operating out of Tehran, Iran,” researchers confirmed.

Cloudzy Supporting Nation-State Actors

Halcyon researchers conducted a thorough assessment of Cloudzy’s activities over a three-month period before releasing their report. According to their analysis, Cloudzy not only provided command-and-control (C2P) services to threat actors worldwide, disguising them as anonymity-based services, but it also demonstrated an alarming lack of response when informed about malicious activities.

This lack of response strongly suggests that Cloudzy was actively aiding threat actors. Even more concerning is the discovery that its attack infrastructure was closely tied to government-backed hacking groups from various countries, including the following:

  • Iran
  • India
  • China
  • Russia
  • Vietnam
  • Pakistan
  • North Korea

In addition to its government ties, Cloudzy was found to have links with sanctioned spyware vendors, including the Israeli spyware vendor Candiru, who came to the limelight last year for using Chrome 0-day to target journalists.

Cloudzy allegedly also provided its services to infamous ransomware gangs such as Ghost Clown and Space Kook. Notorious cybercriminals were also found to be connected to the service.

Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs
Complete list of APT groups that Cloudzy is allegedly providing services to (Screenshot credit: Halcyon )

Halcyon Shares Shocking Evidence Against Cloudzy

In its report, Halcyon provided hard facts against Cloudzy. For instance, researchers noted that the company never verified its customers’ identities and got registered with just a working email address. Over half of its hosted servers were discovered supporting malicious activities directly on infrastructure loaned from a dozen different ISPs. 

Moreover, it accepts cryptocurrency payments from users wanting to anonymously use its Remote Desktop Protocol (RDP) Virtual Private Server (VPS) services. Its T&C policy prohibits it from getting involved in illegal activities, but the ISP services provider has allowed abusers to continue operations for a nominal fee.

Cloudzy’s Response

Cloudzy’s CEO Nozari has refuted Halcyon’s claims, stating that only 2% of its clients were malicious and that the company cannot be held responsible for having such clients. Talking to Reuters, Nozari explained that he is doing everything to get rid of such clients, but the firm should not be blamed if its services are being abused.

“If you are a knife factory, are you responsible if someone misuses the knife?” the CEO explained his stance in a LinkedIn exchange.

Nozari also explained that his company was registered in the US state of Wyoming because a US domicile is required to register IP addresses in America.

However, Halcyon executive Ryan Golden refuses to back down, claiming that his researchers tracked Cloudzy’s digital footprints by renting its servers and examining the social media pages of its employees before publishing the report.

Cybersecurity firm CrowdStrike stated that it never observed any state-sponsored actor using Cloudzy, but many other cybercriminals use it, and its operational base is definitely unclear.

  1. Feds seize VPN service used by hackers in cyber attacks
  2. Free VPN Service SuperVPN Exposes 360 Million User Records
  3. Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps
  4. US Warns Firms About North Korean Hackers Posing as IT Workers
  5. Microsoft-Signed Drivers Helped Hackers Breach System Defenses
Related Posts