IP Tagging in Silent Push: VPN, Proxy and Sinkhole Detection

Security analysts face the constant challenge of gaining immediate and accurate context on IP addresses that pop up during an investigation, to minimize risk and prevent loss.

We’ve solved this problem by introducing an IP tagging system that categorizes every scanned IPv4 address as a residential VPN, proxy, or sinkhole, with detailed sub-categories available for each.

Tagging data is passed onto Community and Enterprise users via the Total View screen, within threat feed searches, and made available as a filterable bulk download for Enterprise users only.

What Is IP tagging in Silent Push? 

We flag IPs across our global IPv4 datasets as belonging to one of the below categories: 

  • Residential VPN – including attribution to the commercial provider 
  • Proxy services – with subcategories for residential, open, HTTP, SOCKS4/5, or requiring authentication 
  • Sinkhole – typically operated by security researchers or defenders attempting to neutralize malicious infrastructure 

How can I access IP tagging data? 

IP tagging is designed to work wherever analysts work. Users can access the data in the following locations: 

Total View 

Total View is the platform’s central interface, and a CTI landing page for gaining instant insight into unknown indicators. 

From this screen, users can view tagging information on any IPs they come across alongside: 

  • Historical DNS records 
  • Hosting details 
  • Campaign associations 
  • Silent Push proprietary enrichment data 
  • The IP’s presence in any threat feeds. 

Daily bulk download (‘IP Context’) 

Enterprise users have access to an ‘IP Context’ option, under the ‘Data Export’ menu, which acts as a central hub for bulk downloads of all tagged IPs per category, and their ‘last seen’ date. 

From here, users can export all our tag data, or drill down into individual VPN providers and proxy services (including free proxies), allowing teams to feed tags into their SIEM/SOAR workflows via the Silent Push API, based on their unique operational requirements. 

Data is available as an automated export via code snippets, or as a one-click CSV download.

API endpoint export

Feed Scanner queries

Our Feed Scanner is a syntax-based search of all the data contained in threat feeds that are visible on a user’s Silent Push account – including any third-party feeds.

For example, the ‘Is Proxy’ field can be used to identify all proxied IPs on AS209372 that appear as malicious.

Why Contextual IP Tagging Data Matters 

To evade detection, attackers rely on infrastructure that blends in with legitimate activity. VPNs and residential proxies help threat actors bypass geo-filters, rate limits, and detection logic. 

Without context, defenders waste time chasing false positives and missing subtle links between malicious assets. 

IP tagging reduces that uncertainty. It adds a functional layer to observed IPs that would otherwise appear generic or ambiguous, giving defenders a quick way to assess risk and relevance. 

Enterprise Use Cases for IP Tagging 

Credential stuffing and account takeover detection

Automated login attempts often originate from residential proxies so that they appear to come from legitimate users. With IP tagging, SOC teams can flag or filter such IPs during authentication events and respond before credentials are compromised. 

Infrastructure discovery 

During investigations, unknown IPs sometimes emerge without clear ownership. Flagging suspect infrastructure helps identify whether these IPs belong to everyday users, anonymous VPNs, or proxy services – refining triage decisions and improving accuracy. 

Threat Actor clustering 

Attackers reuse infrastructure across campaigns. By identifying shared VPN or proxy use, teams can correlate threat activity and block related assets earlier in the kill chain. 

Incident Response and malware triage 

Sinkholes generate alerts that distract from active threats. Identifying sinkholes early on in an investigation helps responders recognize benign IPs, reducing noise and allowing teams to focus on containment and root cause analysis.
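As an added illustration of the credential stuffing and sinkhole triage use cases above (example code, not Silent Push's own tooling; the CSV columns, the log line format and the thresholds are assumptions), the following Python enriches login events with tag data and applies both rules:

```python
"""Enrich login events with IP tag data and apply two detection rules:
flag residential-proxy IPs spraying many accounts, and set aside sinkhole hits."""
import csv
import io
from collections import defaultdict

# Constructed stand-in for a bulk 'IP Context' export; the real column layout is assumed.
TAG_CSV = """ip,category,subcategory,provider,last_seen
203.0.113.10,proxy,residential,ExampleProxyCo,2025-08-04
203.0.113.11,proxy,residential,ExampleProxyCo,2025-08-04
198.51.100.7,vpn,,ExampleVPN,2025-08-03
192.0.2.99,sinkhole,,Research sinkhole,2025-08-05
"""

# Constructed authentication log lines: timestamp user result src_ip.
AUTH_LOG = """2025-08-05T09:00:01Z alice FAIL 203.0.113.10
2025-08-05T09:00:02Z bob FAIL 203.0.113.10
2025-08-05T09:00:03Z carol FAIL 203.0.113.10
2025-08-05T09:00:04Z dave OK 203.0.113.10
2025-08-05T09:01:00Z erin OK 198.51.100.7
2025-08-05T09:02:00Z frank OK 192.0.2.99
2025-08-05T09:03:00Z grace OK 10.0.0.5
"""


def load_tags(csv_text):
    """Map each tagged IP to its tag row (category, subcategory, provider, last_seen)."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def parse_auth_log(text):
    """Parse the constructed four-field log lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append({"ts": ts, "user": user, "result": result, "ip": ip})
    return events


def enrich(events, tags):
    """Attach the tag row (or None when the IP is untagged) to every event."""
    return [dict(e, tag=tags.get(e["ip"])) for e in events]


def credential_stuffing_candidates(events, min_users=3):
    """Residential-proxy IPs that attempted at least `min_users` distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        tag = e["tag"]
        if tag and tag["category"] == "proxy" and tag["subcategory"] == "residential":
            users_by_ip[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)


def triage(events):
    """Split tagged events into alerts worth a look and sinkhole noise to suppress."""
    alerts, noise = [], []
    for e in events:
        tag = e["tag"]
        if tag and tag["category"] == "sinkhole":
            noise.append(e)
        elif tag:
            alerts.append(e)
    return alerts, noise


if __name__ == "__main__":
    enriched = enrich(parse_auth_log(AUTH_LOG), load_tags(TAG_CSV))
    print("credential stuffing candidates:", credential_stuffing_candidates(enriched))
    alerts, noise = triage(enriched)
    print(len(alerts), "alerts,", len(noise), "sinkhole events suppressed")
```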

Advertising fraud and traffic manipulation 

Proxied IPs play a central role in ad fraud, bot traffic, and coordinated inauthentic behavior. Tagging allows security and ad tech teams to identify suspicious sources, monitor patterns and build targeted defenses against fraudulent schemes. 

Book a Demo 

Contextual IP data helps answer the essential question that every defender asks themselves: what am I looking at?

IP tagging in Silent Push is a critical enabler for teams trying to detect fraud, uncover hidden attacker infrastructure, and slash false positives in noisy environments.

Get in touch with our team today, and let us show you how much more we know about the Internet than any other cybersecurity vendor.

Silent Push Expands Cyber Defense Capabilities with VPN, Proxy, and Sinkhole Tagging on all Public IP Addresses 

Reston, VA, August 5, 2025 – Silent Push, a leading preemptive cybersecurity vendor, today announced the release of IP Context – a powerful new detection method that identifies all uses of IP addresses in one place, including use as a VPN, proxy, sinkhole, or benign scanner, across the company’s global dataset.

IP Context allows defenders to minimize fraud and abuse through more effective identification of adversary infrastructure by gaining immediate context on the function and risk level of any given IP address. Tagged IPs are presented alongside everything else we know about an indicator – including its relationship with the rest of the Internet – in a single view, including DNS history, hosting relationships, campaign associations, and proprietary categories not available anywhere else. VPNs and proxies are tagged and filtered per commercial service provider. Proxies are further categorized as ‘residential’, ‘open’, ‘http’, ‘socks4/5’, or by whether authentication is required.

“Security teams need as much help as possible to identify the usage pattern of an IP address. When an IP appears on their radar, they need to be able to quickly understand its purpose and what role it plays in relation to a given campaign”, said Ken Bagnall, CEO and Co-Founder of Silent Push. “IP Context provides that ability. All tags are presented on the same screen as our proprietary enrichment datasets. That level of analysis is simply unmatched in the industry.”

With currently over 50 million IPs categorized daily as a VPN, proxy, or sinkhole, Silent Push brings full-spectrum tagging and enrichment to any IP it scans – whether it’s in an existing threat feed or discovered during an investigation.

Enterprise use cases for IP Context include:

  • Credential Stuffing & Account Takeover Detection: Flag login attempts from residential proxy IPs commonly used in automated attacks, helping SOC teams act before escalation.
  • Infrastructure Discovery: Reveal contextual information about unknown IP addresses, allowing differentiation between normal users, residential proxies, and VPNs.
  • Threat Actor Clustering: Identify shared proxy or VPN services across campaigns, enabling faster attribution and proactive blocking of related assets.
  • Incident Response & Malware Triage: Instantly recognize sinkhole-tagged IPs to avoid false alarms and focus efforts on containment and root cause analysis.
  • Advertising Fraud and Abuse Discovery: IP Context provides new opportunities to track ad fraud operators and coordinated inauthentic traffic schemes.

IP Context is available as an add-on for Enterprise customers. Tags are accessible through Silent Push’s Total View screen, or as a daily bulk data download, allowing teams to integrate tag intelligence into existing workflows and filter based on their unique operational needs.

About Silent Push

Silent Push is a preemptive cybersecurity intelligence company. It is the first and only solution to provide a complete view of emerging threat infrastructure in real time, exposing malicious intent through its Indicators Of Future Attack™ (IOFA™) data to enable security teams to proactively block hidden threats and avoid loss. The Silent Push standalone platform is also available via API, integrating with any number of security tools, including SIEM & XDR, SOAR, TIP, and OSINT, providing automated enrichment and actionable intelligence. Customers include some of the world’s largest enterprises within the Fortune 500 and government agencies. A free community edition is available. For more information, visit www.silentpush.com or follow on LinkedIn and X.

Book A Demo

The Silent Push Chrome Extension is available to Enterprise users with an API key. Book a quick demo to see how upgrading can help you uncover attacker infrastructure smarter, faster, and with more confidence.

Workshop – Investigating Infrastructure: A Practical Workflow for Threat Analysts

Threat analysts often face too many signals, limited context, and disconnected tools — slowing investigations and increasing the risk of missing early attacker infrastructure.

In this session, we’ll share a practical, repeatable workflow for quickly mapping attacker infrastructure. Using the Silent Push free Community Edition, we’ll show how to pivot across domains, IPs, and certificates to uncover attacker infrastructure before it goes live.

Whether you’re tracking phishing kits, C2s, or domain infrastructure, this workshop will help you hunt faster and more proactively.

  • Date: 14 August 2025
  • Time: 10am ET // 4pm CET // 10am SGT // 12pm AEST
  • Location: Online – Zoom
  • Requirements: Silent Push free Community Edition | Sign-up here


Webinar – SocGholish: From Fake Updates to Real Breaches 

SocGholish, known as the pioneer of fake browser update attacks, remains one of the most effective initial access tools in the wild.

Take a deep dive into the SocGholish ecosystem, tracing how a single deceptive JavaScript injection leads to full system compromise.

You’ll learn how a proactive approach to detection, one focused on early-stage changes, infrastructure misuse, and behavioral fingerprinting, can help identify SocGholish activity before a breach occurs.

Whether you’re triaging alerts, responding to incidents in real time, or tracking threat actor infrastructure and TTPs, this session will equip you to better understand and preemptively mitigate one of the internet’s longest-running and most successful deception-based threats.


Ready to dive deeper into the world of preemptive cyber defense? Begin your journey with the Silent Push free Community Edition today.

Release 4.9 - Smarter HTML matching, sharper infrastructure insights

We’re excited to announce the launch of Release 4.9, delivering a set of powerful new features designed to sharpen visibility, streamline investigation, and offer greater control across the platform. Here’s what’s new:

HTML Similarity Content Search
Analysts can now pivot directly from Web Scanner results to uncover websites with matching HTML content. This new feature helps reveal related infrastructure and track down threat campaigns that rely on cloned or reused components.

Domain TLD and ASN Search & Filtering (Enterprise)
Feed Scanner has been upgraded with the ability to filter by TLD and search across multiple ASNs in a single query — making infrastructure scoping faster and more precise.

Web Hook Integration (Enterprise)
Keep your team in the loop with real-time notifications delivered to Microsoft Teams, Slack, or custom webhooks. Know the moment a scan or query completes.

Table View for Feeds and Exports (Enterprise)
A newly added table view makes it easier to compare, sort, and analyze feed data at a glance — ideal for more efficient investigations.

TAXII Integration Details in Automated Exports (Enterprise)
Automated exports now include a dedicated TAXII tab with server URLs, credentials, and collection IDs, plus ready-to-use Bash and Python snippets for faster integration.

‘Save To’ Functionality in Web Scanner (Enterprise)
Save Web Scanner results directly to feeds with the flexibility to include only the fields that matter to your workflow.

Centralized Notification Settings (Enterprise)
Take control of your alerting preferences with a single interface to manage all monitored event notifications.


Want to see these features in action? Book a demo or get in touch with our team to learn how these new capabilities can supercharge your threat intelligence workflows.

Silent Push HTML Content Similarity Search: One-Click Discovery of Linked Threat Domains 

Adversaries often use multiple domains that feature the same visual characteristics, created in a ‘copy and paste’ fashion that makes it easier to deploy malicious content at scale. 

Whether it’s infostealer control panels, command-and-control infrastructure, phishing sites, or malware delivery portals, manually discovering and traversing malicious clusters of infrastructure can be a tedious and error-prone process. 

Release 4.9 introduces HTML Content Similarity search – a feature that makes it quick and easy to shine a light on groups of malicious domains that share the same look and feel. 

Available as a pivot control on Silent Push Web Scanner results, and as a standalone menu option, analysts can use HTML Content Similarity Search to uncover clusters of websites that share between 50% to 100% similarity. 

HTML Content Similarity is almost like a separate product in itself – it’s that powerful – but we provide it as a feature, bundled in with a Silent Push Enterprise subscription. 

This blog introduces the concept, but there’s a LOT more to discuss. 

Over the next few weeks, we’ll be publishing more on how to ingest the data gained from a similarity search into your security stack, including SOAR and SIEM integration, and the tangible benefits that process provides to security teams.

How Does It Work? 

HTML Content Similarity search uses ssdeep fuzzy hashing – a method designed to measure similarity between files, even if they are not exact copies.

We use an algorithm that hashes the visible content of scanned domains and identifies websites whose content matches above a chosen percentage value.

For HTML pages, this means we can detect sites with slight variations (e.g., minor visual and textual changes) that would otherwise be missed by exact matching.

HTML Content Similarity searches are conducted in two ways:

  1. As a dedicated menu item under ‘Web Data’ 
  2. A contextual pivot control on Web Scanner results

Both options provide the ability to raise or lower the required match percentage, from 50% up to a full 100% match.
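To make the fuzzy-hashing idea concrete, here is an added example (not Silent Push's implementation, which uses ssdeep itself) of a simplified context-triggered piecewise hash over the visible text of HTML pages, scored against a 50–100% match threshold as in the search described above; the rolling hash, block size, scoring and the sample pages are simplified constructions.

```python
import re

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_INIT, FNV_PRIME, MASK32 = 0x28021967, 0x01000193, 0xFFFFFFFF


def visible_text(html):
    """Drop script/style blocks and tags, then collapse whitespace (crude but sufficient here)."""
    html = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    return " ".join(re.sub(r"<[^>]+>", " ", html).split())


def piecewise_hash(data, block_size=8):
    """Chunk boundaries come from a rolling hash over the last 7 bytes, so an edit only
    disturbs the chunk(s) it touches; each chunk is summarised as one base64 character."""
    sig, window, h3, chunk = [], [], 0, FNV_INIT
    for byte in data:
        window = (window + [byte])[-7:]
        h3 = ((h3 << 5) ^ byte) & MASK32                 # forgets a byte after 7 shifts
        roll = (sum(window) + sum(i * b for i, b in enumerate(window, 1)) + h3) & MASK32
        chunk = ((chunk * FNV_PRIME) ^ byte) & MASK32    # FNV-style hash of the open chunk
        if roll % block_size == block_size - 1:          # content-defined trigger
            sig.append(B64[chunk & 63])
            chunk = FNV_INIT
    if chunk != FNV_INIT:
        sig.append(B64[chunk & 63])
    return "".join(sig)


def edit_distance(a, b):
    """Insert/delete cost 1, substitute cost 2, as in ssdeep's scoring."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]


def similarity(sig_a, sig_b):
    """0..100 match percentage: 100 minus the edit distance relative to the combined length."""
    total = len(sig_a) + len(sig_b)
    return 0 if total == 0 else max(0, 100 - (100 * edit_distance(sig_a, sig_b)) // total)


def similar_pages(seed_html, candidates, threshold=50):
    """Candidates whose visible-text hash scores at or above the threshold (50..100)."""
    seed = piecewise_hash(visible_text(seed_html).encode())
    scores = {n: similarity(seed, piecewise_hash(visible_text(h).encode())) for n, h in candidates.items()}
    return {n: s for n, s in scores.items() if s >= threshold}


# Constructed pages: a retail template (brand name swapped between clones) and an unrelated page.
SHOP = """<html><head><title>{brand} Official Outlet</title><style>body{{margin:0}}</style></head>
<body><h1>{brand} Clearance Sale - Up To 80% Off</h1><p>Welcome to the {brand} online store.
Free worldwide shipping on all orders over $49. Shop the newest arrivals in jackets, shirts,
polos, hoodies, sneakers and accessories.</p><ul><li>Men</li><li>Women</li><li>Kids</li>
<li>Sale</li></ul><p>Secure checkout. 30 day returns. Limited time offer, while stocks last.</p>
<script>track('{brand}')</script></body></html>"""
OTHER = """<html><body><h1>Weather Station Readings</h1><p>Hourly temperature, humidity and
barometric pressure from the rooftop sensor array. Data is published as CSV and JSON; see the
archive for the last twelve months.</p><table><tr><td>09:00</td><td>21.4 C</td><td>63%</td>
<td>1013 hPa</td></tr></table><p>Maintained by the facilities team. Report outages to the help
desk, quoting the sensor identifier printed on the enclosure.</p></body></html>"""
```

Calling `similar_pages(SHOP.format(brand="Acme"), {"clone": SHOP.format(brand="Globex"), "other": OTHER})` returns only the clone, because the brand swap changes a handful of chunks while the weather page shares almost none.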

Why This Matters to Security Teams

Malicious actors don’t typically create every single domain or website they use from scratch. Instead, adversaries rely on templates to build out large networks of related infrastructure that share the same underlying characteristics. 

This tactic helps them scale their operations in several ways – whether it’s delivering malware across hundreds of domains and IPs, or applying the same look and feel to phishing infrastructure targeting multiple brands and organizations.

Without automated tracking methods, identifying these clusters requires a significant amount of manual work – checking domain by domain, hunting for visual or textual similarities, and cross-referencing disparate intel sources – that quickly eats into threat discovery and resolution times. 

HTML Content Similarity search facilitates fast discovery of threat infrastructure by:

  • Quickly uncovering related domains from a single suspicious site or hash 
  • Providing a focused list of connected websites, reducing noise and guesswork 
  • Facilitating rapid investigation by pivoting directly from Silent Push Web Scanner results 
  • Helping to prioritize blocking actions based on cluster size and similarity
  • Integrating with our industry-leading DNS and content datasets to provide additional context for each domain 

Detecting Similar Content: Chinese Retail Scam Campaign 

Let’s look at an example.

tommyilfigershop[.]com is part of a larger campaign involving thousands of websites deployed by Chinese threat actors spoofing well-known brands. 

Retail scam site

Running a content similarity search on the domain immediately returns numerous lookalike websites, with high correlation scores of between 80% and 100% similarity:

Once a set of results has been obtained, users can perform a live lookup of any returned domains using the Live Scan pivot, and get a real-time snapshot of live visual content.

Here’s a live lookup of wattlea[.]com from the above results, confirming visual similarity with tommyilfigershop[.]com, indicating deployment using the same template: 

From one known malicious site, analysts can quickly pivot and generate results listing thousands of domains sharing similar HTML patterns, revealing additional campaign infrastructure in minutes instead of hours. 

Feature Recap 

Web Scanner pivot 

  • Run a Web Scanner query using 200+ input parameters 
  • Identify a suspicious or known malicious site
  • Click the pivot icon to view similar HTML results

Standalone query 

  • Use the Web Data menu to launch an HTML Content Similarity search directly
  • Perform additional contextual pivots on returned domains

Silent Push Contextual Data 

We present this data alongside everything else we know about each domain – which is significantly more than any other cybersecurity vendor can offer. 

Our platform breaks down each website into over 200 pivotable categories, using a proprietary scanning and aggregation engine that’s all our own work. 

We don’t rely on stale lists of publicly known IOCs. We collect and deliver our own infrastructure-level intelligence, which allows us to be infinitely flexible in how we present actionable data to our customers. 

These data points enable teams to drill-down into the underlying TTPs that govern how a threat actor is managing their infrastructure, and uncover additional connections or infrastructure components that are otherwise difficult to get at. 

For example, after discovering a cluster of phishing domains via a similarity search, analysts can pivot on common certificate issuers or matching JavaScript code to find more suspicious sites, or look at similarities in HTML titles to confirm grouping. 

Outcomes 

By simplifying and accelerating the discovery of related malicious domains, our HTML Content Similarity search gives security teams the ability to: 

  • Identify attacker domains faster, and with a greater degree of accuracy
  • Reduce manual overhead and investigation fatigue 
  • Proactively block clusters of malicious sites before they cause harm 
  • Uncover previously hidden relationships between threat campaigns 

Book A Demo 

Ready to transform your threat intelligence workflows, and massively improve detection times? Use the form below for a customised walkthrough of our HTML Content Similarity functionality, and everything else the platform has to offer.


Example: Revealing Infrastructure in Silent Push Community Edition

In this video, we investigate a suspicious domain tied to DPRK infrastructure using our Community Edition platform. You’ll see how we pivot across DNS data, subdomains, and infrastructure fingerprints – including favicon hashes – to surface patterns and uncover hidden connections. A real-world look at proactive cyber defense in action.

Ready for more? Our Enterprise Edition unlocks Indicator of Future Attack™ Feeds, dedicated TLP: Amber Reports, advanced analytics, powerful integration capabilities and much more. Used by global enterprises to stop threats before they turn into attacks.

Talk with our team today

Know first.


WORKSHOP: Pivoting Across Infrastructure to Detect Unknown Threats

Adversary infrastructure is often hidden or inactive – evading detection by most CTI tools – until it becomes active in an attack.

REGISTER FOR NEXT WORKSHOP

This is a condensed recording of a previous interactive workshop designed for those new to threat hunting on the Silent Push platform. Full-length workshop videos are available on request at [email protected].

In this session, attendees learned how to uncover the 98% of malicious infrastructure that typically goes undetected. We demonstrated how pivoting – linking data points like domains, IPs, and certificates – can reveal an attacker’s hidden network. Real-time examples showcased the power of pivots within the Silent Push free Community Edition, empowering participants to spot threats before they strike.


Threat Webinar April 15: Evolving Web of Scattered Spider

Scattered Spider may be young, but their attacks are anything but amateur. These threat actors are still evolving – leveraging new phishing kits, shifting tactics, and using publicly rentable domains to evade detection.

Join Zach Edwards and Kasey Best on April 15th as they break down how we track them, what’s changing, and what to expect in 2025.

Don’t miss this deep dive into one of the most sophisticated social engineering and ransomware groups to date.