Date: May 4, 2026
Researcher: WinterGate Intelligence Collective
Scope: Cloudzy / RouterHosting (AS14956)
Upstream Provider: FranTech Solutions / PONYNET
Parent Company: abrNOC (Tehran, Iran)
A critical logic flaw exists in the upstream DDoS filtering used by Cloudzy.
The filter blocks IP addresses based on BEHAVIOR ALONE.
Specifically: an SSH probe followed by an immediate connection reset (RST packet).
This pattern triggers an automated block on the target IP.
It does not matter if the traffic is malicious or legitimate. The block happens either way.
This flaw can be weaponized by a single attacker with one Cloudzy VPS.
That attacker can trigger blocks on EVERY Cloudzy customer IP.
The result is platform-wide denial of service.
Cloudzy has no control over this filter.
Their upstream provider (FranTech Solutions) controls the blocking logic.
Cloudzy cannot override or prevent these blocks.
- May 1, 2026 — Customer upgrades connection killer script (legitimate security defense)
- May 2, 2026 — SSH access lost. Connection resets immediately after protocol detection.
- May 3, 2026 — Customer spends 40+ hours debugging. OS reinstalls. IP changes. Fresh configs. VNC access confirms server is running.
- May 3, 2026 — Cloudzy support admits issue is "upstream provider" filtering. Offers IP change. Does nothing.
- May 4, 2026 — Customer discovers trigger pattern: SSH probe + immediate reset.
- May 4, 2026 — Customer proves script can trigger blocks on any Cloudzy IP.
- May 4, 2026 — Cloudzy support admits "thousands of support tickets from clients who can't access their servers."
- May 4, 2026 — Customer goes public.
The Trigger Pattern:
- TCP handshake to port 22 (or 2222)
- Send SSH protocol banner
- Wait milliseconds
- Close connection (RST packet)
That is it. No exploit. No malware. No special privileges.
Why It Works:
The upstream filter does not verify:
- Whether the source IP is a Cloudzy customer
- Whether the traffic is defensive or offensive
- Whether the pattern is actually malicious or just unusual
Result: A legitimate security script triggers the same block as a real attack.
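The three verification gaps listed above, as an added illustration that is not part of the original report and is not Cloudzy's, FranTech's or the upstream filter's actual code: a constructed Python model of a behaviour-only block rule next to a rule that checks the source side and the operator's own allocations before blocking. The thresholds (50 ms for "immediate", three distinct sources, a fan-out of three, a 60 s window), the use of the ranges listed later in this document as the customer allowlist, and the sample flows (RFC 5737 documentation addresses) are all assumptions.

```python
"""Constructed model of two blocking policies for the SSH-probe-plus-reset
pattern. Added illustration only: the real upstream filter's rules are not
public, and this is not Cloudzy's, FranTech's or the report author's code.
Thresholds, the allowlist source and the sample flows are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Assumption: an operator would build its "own customers" allowlist from its
# reallocated blocks; these are the ranges listed in the report.
CUSTOMER_RANGES = [ipaddress.ip_network(c) for c in (
    "144.172.0.0/16", "107.189.0.0/16", "172.86.0.0/16",
    "45.59.0.0/16", "45.61.0.0/16", "216.126.0.0/16")]

RST_IMMEDIATE_MS = 50  # assumption: a reset this soon after the banner counts as "immediate"


@dataclass(frozen=True)
class Conn:
    """One observed TCP flow to an SSH port."""
    t: float                     # observation time, seconds
    src: str                     # initiating address
    dst: str                     # address that was probed
    ssh_banner: bool             # an SSH protocol banner was exchanged
    rst_after_ms: Optional[int]  # ms from banner to RST; None if closed normally


def is_customer(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_RANGES)


def matches_pattern(c: Conn) -> bool:
    """The trigger described in the report: banner, then an immediate RST."""
    return c.ssh_banner and c.rst_after_ms is not None and c.rst_after_ms <= RST_IMMEDIATE_MS


def behaviour_only_policy(conns):
    """Weak rule as the report describes it: a single matching flow is enough
    to block the probed address, regardless of who sent the probe."""
    return {c.dst for c in conns if matches_pattern(c)}


def source_verified_policy(conns, *, min_sources=3, fanout=3, window_s=60.0):
    """Hardened rule. Three checks the weak rule lacks:
    1. Only flows inside a recent time window count.
    2. A probed address is blocked only when several distinct sources show
       the pattern against it; one source cannot manufacture a block.
    3. Addresses inside the operator's own customer allocations are never
       auto-blocked on inbound behaviour; they go to a review queue.
    A single source that shows the pattern against many targets is reported
    as the anomaly instead of its targets."""
    if not conns:
        return {"blocked": set(), "review": set(), "noisy_sources": set()}
    newest = max(c.t for c in conns)
    recent = [c for c in conns if matches_pattern(c) and c.t >= newest - window_s]

    sources_per_target = defaultdict(set)
    targets_per_source = defaultdict(set)
    for c in recent:
        sources_per_target[c.dst].add(c.src)
        targets_per_source[c.src].add(c.dst)

    blocked, review = set(), set()
    for dst, srcs in sources_per_target.items():
        if len(srcs) < min_sources:
            continue
        (review if is_customer(dst) else blocked).add(dst)
    noisy_sources = {src for src, dsts in targets_per_source.items() if len(dsts) >= fanout}
    return {"blocked": blocked, "review": review, "noisy_sources": noisy_sources}


# Constructed sample: RFC 5737 documentation addresses for the probing sources.
SAMPLE = [
    # one source sweeping five customer addresses with the trigger pattern
    *(Conn(10.0 + i, "203.0.113.7", dst, True, 5) for i, dst in enumerate(
        ["144.172.10.5", "107.189.3.9", "172.86.200.1", "45.59.77.2", "216.126.4.4"])),
    # four unrelated sources probing one non-customer address the same way
    *(Conn(20.0 + i, f"198.51.100.{i}", "192.0.2.10", True, 8) for i in range(1, 5)),
    # an ordinary SSH session to a customer address that ends after two seconds
    Conn(30.0, "198.51.100.50", "45.61.8.8", True, 2000),
]

if __name__ == "__main__":
    print("behaviour-only blocks:", sorted(behaviour_only_policy(SAMPLE)))
    print("source-verified:", source_verified_policy(SAMPLE))
```

Run stand-alone, it prints both decisions over the same constructed flows: the behaviour-only rule blocks all six probed addresses, five of them customer addresses reached by one source, which is the platform-wide effect the report describes. The source-verified rule blocks only the address probed by several independent sources, sends nothing to review, and reports the single high fan-out source as the anomaly instead of its targets.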
Weaponization:
A single attacker with one Cloudzy VPS can:
- Generate every Cloudzy customer IP (ranges are public WHOIS data)
- Send the trigger pattern to all IPs
- Upstream filter flags every target as "attacker"
- Thousands of legitimate customers lose SSH access
- Platform-wide denial of service
One VPS. Minutes. Platform collapse.
In writing, Cloudzy support confirmed:
- "This behavior isn't being directly enforced by Cloudzy"
- "IP may be flagged by upstream providers"
- "Thousands of support tickets from clients who can't access their servers"
These statements prove:
- Cloudzy does not control their own network filtering
- They cannot unblock customers quickly
- The issue affects thousands of customers, not just one
- They have no technical fix to offer
Cloudzy is a reseller, not a real network operator.
Their IP ranges are owned by FranTech Solutions / PONYNET.
Cloudzy's parent company is abrNOC, headquartered in Tehran, Iran.
Cloudzy is incorporated in Wyoming, USA, but operates from Iran.
This is a potential violation of US sanctions.
Multiple cybersecurity firms have documented Cloudzy's infrastructure:
- 40-60% of servers on Cloudzy's network support malicious activity (Halcyon)
- Cloudzy hosts 17+ nation-state APT groups from Iran, North Korea, China, Russia, India, Pakistan, and Vietnam (The Hacker News, Infosecurity Magazine)
- Cloudzy charges $250-$1000 to unsuspend abusive servers (The Hacker News)
- Cloudzy appears to hide its Iranian connections behind a US corporate veil (CyberWire)
- Cloudzy's CEO responded: "If you are a knife factory, are you responsible if someone misuses the knife?" (SDxCentral)
Full sources and links are provided at the end of this document.
These ranges are owned by FranTech Solutions and reallocated to Cloudzy:
- 144.172.0.0/16
- 107.189.0.0/16
- 172.86.0.0/16
- 45.59.0.0/16
- 45.61.0.0/16
- 216.126.0.0/16
Security researchers recommend blocking these ranges where no legitimate business need exists.
A script was developed to demonstrate the vulnerability.
The script:
- Generates IPs from Cloudzy's public ranges
- Sends the trigger pattern to each IP
- Causes the upstream filter to flag those IPs as attackers
The script was tested successfully.
Cloudzy support confirmed "thousands of tickets" as a result.
The researcher attempted to disclose this vulnerability to Cloudzy before going public.
Cloudzy's response included:
- Blaming the customer's OS and configuration
- Offering an IP change (does not fix root cause)
- Denying a refund
- Admitting the issue is upstream
- Attempting to condition a refund on public disclosure
The researcher received no technical fix, no timeline, and no commitment to address the root cause.
Cloudzy's infrastructure is fundamentally broken.
They do not control their own network filtering.
Their upstream provider can block any customer at any time.
A single attacker can weaponize this flaw to cause platform-wide outages.
Cloudzy cannot stop it.
Cloudzy cannot fix it.
Cloudzy can only watch.
- Contact FranTech Solutions immediately
- Request source verification before blocking IPs
- Request a whitelist for legitimate customer traffic
- Or move to an upstream provider that offers actual control
- Disclose the vulnerability to affected customers
- Process refunds for customers impacted by this flaw
- Do not use Cloudzy for security-focused work
- Do not run advanced defense scripts on Cloudzy infrastructure
- Back up your data immediately
- Move to a provider that controls its own network
- Block Cloudzy IP ranges at your firewall if no business need exists
- Halcyon — "Cloudzy with a Chance of Ransomware"
- SDxCentral — "US firm accused of supplying hosting services to ransomware and nation-state hacking groups"
- The Hacker News — "Iranian Company Cloudzy Accused of Providing Hosting to 17+ APT Groups"
- Infosecurity Magazine — "Cloudzy Suspected of Supporting APT Groups"
- CyberWire — "Registered in Wyoming, but working from Tehran"
- Security Risk Advisors — March 2026 report on Cloudzy infrastructure
- AbuseIPDB — Real-time abuse reports on Cloudzy IP ranges
WinterGate Intelligence Collective
"Where the shadows end, and the hosting provider blocks itself."