1. Home
  2. Techniques
  3. Enterprise
  4. Acquire Infrastructure
  5. Virtual Private Server

Acquire Infrastructure: Virtual Private Server

ID Name
T1583.001 Domains
T1583.002 DNS Server
T1583.003 Virtual Private Server
T1583.004 Server
T1583.005 Botnet
T1583.006 Web Services
T1583.007 Serverless
T1583.008 Malvertising

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.

Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.[1]

ID: T1583.003
Sub-technique of:  T1583
Tactic: Resource Development
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
G0007 APT28

APT28 hosted phishing domains on free services for brief periods of time during campaigns.[2]
G1044 APT42

APT42 has used anonymized infrastructure and Virtual Private Servers (VPSs) to interact with the victim’s environment.[3][4]

C0046 ArcaneDoor

ArcaneDoor included the use of dedicated, adversary-controlled virtual private servers for command and control.[5]
G0001 Axiom

Axiom has used VPS hosting providers in targeting of intended victims.[6]
G1043 BlackByte

BlackByte staged encryption keys on virtual private servers operated by the adversary.[7]
C0032 C0032

During the C0032 campaign, TEMP.Veles used Virtual Private Server (VPS) infrastructure.[8]
G1012 CURIUM

CURIUM created virtual private server instances to facilitate use of malicious domains and other items.[9]
G0035 Dragonfly

Dragonfly has acquired VPS infrastructure for use in malicious campaigns.[10]
G1003 Ember Bear

Ember Bear has used virtual private servers (VPSs) to host tools, perform reconnaissance, exploit victim infrastructure, and as a destination for data exfiltration.[11]
C0053 FLORAHOX Activity

FLORAHOX Activity has used acquired Virtual Private Servers as control systems for the ORB network.[12]
G0047 Gamaredon Group

Gamaredon Group has used VPS hosting providers for infrastructure outside of Russia.[13]
G0125 HAFNIUM

HAFNIUM has operated from leased virtual private servers (VPS) in the United States.[14]
C0050 J-magic Campaign

During the J-magic Campaign, threat actors acquired VPS for use in C2.[15]
C0035 KV Botnet Activity

KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.[16]
G1004 LAPSUS$

LAPSUS$ has used VPS hosting providers for infrastructure.[17]
G1036 Moonstone Sleet

Moonstone Sleet registered virtual private servers to host payloads for download.[18]
G1041 Sea Turtle

Sea Turtle created adversary-in-the-middle servers to impersonate legitimate services and enable credential capture.[19]
C0052 SPACEHOP Activity

SPACEHOP Activity has used acquired Virtual Private Servers as control systems for devices within the ORB network.[12]
G1035 Winter Vivern

Winter Vivern used adversary-owned and -controlled servers to host web vulnerability scanning applications.[20]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0035 Internet Scan Response Content

Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[21][22][23] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
Response Metadata

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

References

  1. Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.
  2. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
  3. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
  4. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
  5. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
  6. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  7. US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
  8. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  9. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  10. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  11. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  12. Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
  1. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
  2. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  3. Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025.
  4. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
  5. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  6. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  7. Cisco Talos. (2019, April 17). Sea Turtle: DNS Hijacking Abuses Trust In Core Internet Service. Retrieved November 20, 2024.
  8. Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.
  9. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  10. Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.
  11. Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.