German ISP Aurologic GmbH has Become a Central Nexus for Hosting Malicious Infrastructure

November 7, 2025

Aurologic GmbH operates as a central facilitator for malicious cyber activities: its services connect clients known for hosting command-and-control servers for malware. The company's infrastructure is pivotal to the functioning of various threat actors, raising critical issues regarding the distinction between operational neutrality and enabling cybercrime.

Aurologic GmbH, established in 2023 from the infrastructure of Combahton GmbH, has quickly positioned itself as a key player in hosting networks that support cybercriminal activities globally. Operating from Tornado Datacenter GmbH in Langen, Germany, this ISP offers a suite of services, including dedicated host servers and IP transit services, and presents itself as a legitimate business participant within the European market. However, investigations have revealed that it serves as a significant upstream provider to a range of networks associated with malicious activities, such as Femo IT Solutions and Global-Data System, which host command-and-control servers for various malware families, including Cobalt Strike and RedLine Stealer.

The connections formed through Aurologic's infrastructure have led to it effectively acting as a bridge between sanctioned entities and the broader internet, with reports indicating as much as 50% of Aeza International's IP prefixes routed through its services despite existing international sanctions. This situation highlights a troubling trend in which legitimate service providers unwittingly or knowingly facilitate cybercriminal endeavors, bringing into question the effectiveness of current regulatory measures and the extent to which upstream providers take responsibility for the downstream misuse of their services.

Femo IT Solutions routing (Source – Recorded Future)

Moreover, Aurologic's extensive interconnection footprint across Europe, anchored by major internet exchange points in Langen and Amsterdam, positions it strategically within the internet hierarchy. This technical strength enhances its attractiveness to hosting companies operating in ambiguous legal environments. Such infrastructure allows it to maintain resilience against pressure to curtail abuse, pointing to a broader structural vulnerability within the industry regarding accountability for internet infrastructure. The persistent relationships between Aurologic and various known malicious actors suggest a dilemma in which internet connectivity not only supports daily operations but also complicates efforts to distinguish between providing infrastructure and enabling persistent cybercrime activities.

Simple Carrier LLC transferring AS34888 and AS42624 to Global-Data System IT Corporation (Source – Recorded Future)

As the cybersecurity landscape evolves, the role of ISPs like Aurologic raises essential questions about the balance between operational neutrality and ethical responsibility in the digital realm. Cybersecurity experts urge stakeholders, including policymakers and hosting providers, to establish clearer guidelines that impose greater accountability on upstream providers, thereby enhancing the systemic integrity of the internet against malicious activities.