
🔪 WINTERGATE INTELLIGENCE COLLECTIVE

Threat Intelligence & Infrastructure Defense
Infrastructure Migration Disclosure • May 2026

📡 Why We Suddenly Went Offline

On April 30, 2026, our legitimate security defense systems triggered Cloudzy's upstream DDoS filter. The result: complete loss of access to our own infrastructure.

The Sequence of Events

1. Our defense script initiated SSH handshakes + immediate RST packets (normal behavior for connection termination)
2. Cloudzy's upstream filter (operated by FranTech Solutions/RouterHosting LLC) flagged this as an attack
3. Our server was blocked. Then our new IP was blocked. Then a fresh OS install was blocked.
4. 40+ hours of debugging. Multiple IP changes. Full OS reinstall. Nothing worked.

Cloudzy's Response

• "Here's an IP change" (treating symptoms, not the disease)
• "We don't control the upstream filter" (admission of no network control)
• "Your refund request is denied" (despite being locked out of their service)
• Repeated gaslighting: "It's your config. It's your OS. It's your problem."

🔍 What We Discovered: Cloudzy Is Not What They Seem

During 40+ hours of debugging, we investigated Cloudzy's infrastructure and found:

🏢 Corporate Structure

Cloudzy is almost certainly operated out of Tehran, Iran, registered in the US as a front company. Parent company is Tehran-based abrNOC.

🎯 C2P Infrastructure

Independent research (Halcyon, April 2026) identified Cloudzy as a Command-and-Control provider (C2P) for 17+ nation-state APT groups from China, Iran, North Korea, Russia, India, Pakistan, and Vietnam.

💀 Ransomware Affiliates

Cloudzy's network has hosted ransomware affiliates including BlackBasta, Royal, and Evil Corp.

🛡️ "BULLETPROOF" Label

GreyNoise Labs (February 2026) labeled Cloudzy's network "BULLETPROOF" and documented a Russian-operated mass scanner running on their IPs.

Key Finding: 40-60% of Cloudzy's traffic was estimated to be malicious. Their upstream filter blocks based on behavior alone, with no source verification — a critical logic flaw that can be weaponized.

⚠️ Support Lead Admission: "Thousands of tickets from clients who can't access their servers." Their Acceptable Use Policy demands a $250-$1000 fine for "attacking other people" — which would now apply to their own network.

⚡ The Vulnerability: Technical Summary

The upstream DDoS filter has a critical logic flaw:

TRIGGER PATTERN:
TCP handshake + SSH protocol banner + immediate connection reset (RST)

EFFECT:
The filter blocks based on BEHAVIOR ALONE.
No source verification. No intent check. No whitelist for customer IPs.

WHY THIS IS A PROBLEM:
Our legitimate security software was blocked.
Cloudzy could not override it.
They have no control over their own network filtering.

🚀 Why We Moved to VPSLab

After exhausting all options with Cloudzy, we migrated our entire infrastructure to VPSLab.

💰 Crypto Payments

No KYC, no identity verification required. True privacy.

🔓 Full Root Access

We control our server completely. No restrictions.

🛡️ No Upstream Filter

Our defensive traffic is never interfered with.

✅ Actually Legal & Reliable

No Iranian front, no sanctions evasion. Legitimate hosting.

VPSLab does not block our legitimate security traffic. They do not blame our OS. They do not close the ticket and disappear. They give us the freedom to operate.

📁 Public Disclosure

We have released a full, independent security assessment of Cloudzy's upstream filter vulnerability:

📂 View on GitHub

The repository contains:

• Full vulnerability report
• Proof of concept (educational use only)
• Complete test logs
• Timeline of events
• Independent research sources

🌍 What Happened After Our Disclosure

Independent security researchers have since documented:

DataDome (May 5, 2026)

Documented "one of the most sophisticated DDoS infrastructures ever observed":
• 2.45 billion malicious requests in 5 hours
• 1.2 million unique IP addresses
• 16,402 distinct ASNs affected
• Wave modulation, adaptive pauses, "managed operation" signature

Cisco Talos (May 4, 2026)

Published research on "CloudZ RAT" — malware active since January 2026 abusing Microsoft Phone Link to steal OTPs.

Public abuse databases now list Cloudzy IPs as malicious with 100% confidence. Several are actively blacklisted for spam, hacking, and port scanning.

🚫 Affected IP Ranges

Security researchers are advised to block the following Cloudzy IP ranges where no legitimate need exists:

144.172.x.x
107.189.x.x
172.86.x.x
45.59.x.x
45.61.x.x
216.126.x.x
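A defender-side helper for the blocking recommendation above, added here as an example and not code from the original page or the collective. It assumes each `a.b.x.x` entry stands for the /16 prefix `a.b.0.0/16` (an assumption about the notation), checks constructed sample firewall log lines against those prefixes, and renders an nftables snippet that drops inbound traffic from them.

```python
import ipaddress
import re

# Ranges exactly as the page lists them; "x.x" is read as a /16 prefix (assumption).
CLOUDZY_RANGES = ["144.172.x.x", "107.189.x.x", "172.86.x.x",
                  "45.59.x.x", "45.61.x.x", "216.126.x.x"]

def to_network(entry: str) -> ipaddress.IPv4Network:
    """Turn 'a.b.x.x' into the network a.b.0.0/16."""
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.x\.x", entry)
    if not m:
        raise ValueError(f"unsupported range notation: {entry}")
    return ipaddress.ip_network(f"{m.group(1)}.{m.group(2)}.0.0/16")

NETWORKS = [to_network(e) for e in CLOUDZY_RANGES]

def matched_prefix(ip: str):
    """Return the listed prefix containing ip (as a string), or None."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in NETWORKS if addr in n), None)

def triage(log_lines):
    """Pair each src= address found in a log line with its matched prefix."""
    out = []
    for line in log_lines:
        m = re.search(r"\bsrc=(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            out.append((m.group(1), matched_prefix(m.group(1))))
    return out

def nft_script() -> str:
    """Render an nftables ruleset that drops inbound traffic from the prefixes."""
    elems = ", ".join(str(n) for n in NETWORKS)
    return ("table inet filter {\n"
            "  set cloudzy_blocked {\n    type ipv4_addr\n    flags interval\n"
            f"    elements = {{ {elems} }}\n  }}\n"
            "  chain input {\n    type filter hook input priority 0; policy accept;\n"
            "    ip saddr @cloudzy_blocked drop\n  }\n}\n")

# Constructed sample firewall log lines, not real traffic.
SAMPLE_LOGS = [
    "kernel: IN=eth0 src=144.172.10.20 dst=203.0.113.5 proto=tcp dpt=22",
    "kernel: IN=eth0 src=198.51.100.7 dst=203.0.113.5 proto=tcp dpt=443",
    "kernel: IN=eth0 src=45.61.200.1 dst=203.0.113.5 proto=tcp dpt=22",
]

if __name__ == "__main__":
    for src, hit in triage(SAMPLE_LOGS):
        print(f"{src:16} -> {hit or 'not in list'}")
    print(nft_script())
```

Review the rendered ruleset before loading it with `nft -f`, since the "x.x" entries on this page are a prefix summary rather than authoritative allocations.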

🎯 The Bottom Line

Cloudzy is not a legitimate hosting provider. It is a documented Iranian front that hosted criminal infrastructure for nation-state APTs, ransomware gangs, and spyware vendors.

We left because:

1. Their upstream filter blocked our legitimate security traffic
2. They admitted they could not fix it
3. They refused to address the root cause
4. They denied our refund despite locking us out of their service

We moved to VPSLab because:

1. They respect our privacy (crypto, no KYC)
2. They give us full control (root access)
3. They do not interfere with our defensive traffic
4. They are actually legal and reliable

⚠️ Warning to Security Researchers

Do not use Cloudzy for security-focused work.

Your defense scripts will trigger their upstream filter. You will be locked out. They will not help you. They will blame your OS. They will keep your money.

Recommended action: Block Cloudzy IP ranges (144.172.x.x, 107.189.x.x, 172.86.x.x, 45.59.x.x, 45.61.x.x, 216.126.x.x) where no legitimate need exists.