Understanding Residential Proxy Detection and Upstream IP Attribution
Adversaries hide in plain sight by mimicking employee footprints. When attackers mask their true location behind Residential Proxies and Laptop Farms, traditional perimeters fail to see the threat. The result? A high-risk actor appears as a legitimate remote employee, creating a devastating insider threat that traditional defenses are not equipped to detect.
Download our free White Paper
Learn how to unmask geographic deception and end the risk of DPRK insider threats, AML compliance failures, and identity fraud driven by residential proxies and domestic laptop farms.
Achieving Origin Certainty
Traffic Origin unmasks the upstream source managing the connection. Move your posture from reactive blocking to proactive validation by exposing the true country of origin before high-risk actors can escalate access.
Unmask the True Origin: Move beyond deceptive geolocations to identify the true country of origin for every connection.
Optimize Security Ops: Reduce alert fatigue and investigation times by replacing ambiguous IP data with definitive, verifiable origin intelligence.
Automate Proactive Defense: Integrate high-confidence origin data into your SIEM and IdP to block location deception in real-time.
1. What is the risk of using residential proxies for identity obfuscation?
Residential proxies allow adversaries, such as state-sponsored actors, to mask their true country of origin by routing traffic through domestic home networks. This bypasses traditional geofencing and makes a high-risk connection from a sanctioned jurisdiction appear as a legitimate remote employee.
2. How does Traffic Origin expose connections routed through laptop farms?
Traffic Origin unmasks the upstream source managing the connection. By identifying the technical metadata of the upstream controller, it exposes when a domestic connection is actually being backhauled from a high risk region through a proxy service or laptop farm infrastructure.
3. Why is IP geolocation insufficient for modern perimeter defense?
Standard geolocation only identifies the “last-mile” IP address, which adversaries easily manipulate. To achieve origin certainty, organizations must move beyond the IP and validate the true point of inception to prevent geographic deception and unauthorized access.
Silent Push Preemptive Cyber Defense Analysts recently uncovered an extensive network of domains associated with a long-term, ongoing web-skimmer campaign, known under the umbrella name: “Magecart.”
Several global payment networks are currently being targeted, including American Express, Diners Club, Discover, and Mastercard.
The most likely victims of this web-skimming campaign are online shoppers, the e-commerce stores that are compromised, and the payment providers.
This campaign has been active since at least January 2022.
Executive Summary
While investigating intelligence shared with us, a set of indicators that were also found on our Bulletproof Host Indicators Of Future Attack™ (IOFA™) feeds, our team discovered a vast network of domains related to a long-term and ongoing credit card skimming campaign. Current findings suggest this campaign has been active for several years, dating back to the beginning of 2022.
This campaign utilizes scripts targeting at least six major payment network providers: American Express, Diners Club, Discover (a subsidiary of Capital One), JCB Co., Ltd., Mastercard, and UnionPay. Enterprise organizations that are clients of these payment providers are the most likely to be impacted.
This blog provides an overview of online credit card skimming (a practice referred to as “Magecart”) and how our technology uncovered the campaign’s infrastructure. Due to operational security (OpSec) concerns, we cannot disclose all of the methods developed by our analysts to track this specific campaign. Please contact our Sales team for access if you would like details.
Web skimming attacks, also known as credit card skimmer attacks, are cyberattacks where malicious code, often JavaScript, is injected into legitimate e-commerce websites or payment portals to stealthily intercept and steal customers’ credit card information and other sensitive personal data during the checkout process.
These attacks typically operate client-side, meaning the code runs in the victim’s browser and is thus nearly invisible to both users and site owners. The goal for the threat actor is to harvest card payment details for fraudulent transactions, identity theft, or resale on dark web marketplaces, ultimately leading to acts of identity fraud and/or bank fraud. This often depends on whether the threat actor is involved in the actual looting themselves or if they’re more interested in simply reselling the data.
As previously noted, the common term used to refer to this type of online credit card theft is “Magecart.” Initially, however, the term Magecart referred to a coalition of cybercriminal groups targeting web shops that used the e-commerce software Magento. Over time, as these attacks proliferated and diversified against other e-commerce products, the name “Magecart” shifted from denoting specific actors targeting the Magento e-commerce software to that of a general label for nearly all web-based credit card skimming, web skimming, and formjacking attacks, regardless of which threat group or technology is, or was, involved.
These days, “Magecart” is an accepted term used to describe the entire class of client-side attacks that covertly exfiltrate sensitive user data from web forms during online transactions, encompassing activity from both the original groups from which the moniker originated and all subsequent copycat groups.
Process of a Web-Skimmer Attack: Step by Step
Silent Push infographic chronicling steps in the web skimmer process
Magecart Unmasked Webinar: February 3, 2026
Join us for a special Silent Push threat intelligence webinar, where we will discuss identifying hidden Magecart activity, defeating client-side threats that steal data from online transactions, and the steps to take in protecting your organization from sophisticated web-skimming networks.
We’ll be hosting three sessions: AMER (1pm ET), EMEA (12pm CET), and APJ (10am SGT) to support our global community.
What Did Our Threat Team Observe?
One of the indicators we started from was cdn-cookie[.]com, which pointed to an IP address on ASN 209847, which was only recently acquired by the European-sanctioned entity, PQ.Hosting/Stark Industries, also known as THE.Hosting/WorkTitans B.V.
During initial analysis, our team determined that this domain was hosting a few URLs that loaded highly obfuscated scripts, such as:
cdn-cookie[.]com/recorder.js
Further analysis of the scripts and related domains revealed a broader picture: a long-term web-skimming campaign with several ongoing infections dating back to approximately 2022.
We identified additional technical fingerprints that extend beyond the current campaign’s infrastructure. However, due to OpSec concerns and our desire not to highlight mistakes the threat actor is making in its deployments, those details are only available to our enterprise clients and law enforcement. Please contact our Sales team for access if you would like more information or book a demonstration with our experts.
Before examining the web skimming code and its operation, let’s first highlight how we utilize the Silent Push platform to identify additional indicators and compromised websites related to this campaign.
Besides a simple search for the indicator itself, one of the first queries performed is often done to see whether a given indicator has been loaded in the context of any other website in our database. To achieve this, we utilize our proprietary Web Resources data set, which contains data on all resources loaded by any websites that Silent Push has scanned.
The query below showcases this for the initial seed domain: cdn-cookie[.]com.
datasource = ["webresources"] AND resource_hostname = "cdn-cookie.com" AND hostname != "cdn-cookie.com" AND hostname != "www.cdn-cookie.com"
In the results below, notice that the “hostname” field includes numerous seemingly unrelated domains. You can see that our Web Scanner caught this domain loaded as a resource on several different websites. In this instance, that means those returned domains are actually the compromised domains embedding this specific injector domain:
Our Web Search query revealed more than a dozen results
Also of note, the following files were loaded from this domain:
/1-197056a9.js
/763825
/cplnfwtlrkb.js
/tab-gtm.js
Opening any of these files will present the viewer with obfuscated code, as with the previous “recorder.js” file.
Our team examined which pages were loading these external files. It did not take long to see that three out of four pages we logged as loading code from cdn-cookie[.]com are clearly identifiable webshops. At the same time, one of the three webshops currently presents visitors with a rather interesting message that informs its customers about recent payment system issues, which was further confirmation that we were on the right track.
Webshops are especially prone to credit card skimming attacks, as seen here, where the four websites from our query are all from different vendors, on various infrastructure and in other countries, each loading strange, obfuscated code from a domain hosted on a known bulletproof host.
Next up in our investigation was an examination of the actively compromised website (at time of writing): hxxps[:]//colunexshop[.]com/. Pulling it up in our Web Resources data and using the hostname field as well as resource_hostname to check for any references to it, the results made it apparent that this site contacts the previously discovered malicious domain via the following file: “1-97056a9[.]js”
datasource = [“webresources”] AND resource_hostname = “*cdn-cookie[.]com*” AND hostname != “cdn-cookie[.]com”
Web Search of cdn-cookie[.]com
Opening the link in a web browser in a safe environment returned the following script:
Screenshot of the script observed in a safe environment
This page displays obfuscated JavaScript code, and the script’s analysis is provided below. Before we dive in, however, we want to first find out how the infected website loads the code in question. This can be done by analyzing the website via a Web Developer Console.
As referenced earlier, web skimmers aim to manipulate the payment process of a legitimate e-commerce website to steal credit card details. Due to this, many of them only initiate their injection process when the checkout page is accessed, and the payment process begins.
To identify where a web skimmer’s starting point may be, one can go through the normal steps of buying an item until reaching the “checkout” page, where a visitor is typically asked to enter their personal details and preferred payment method. The exact layout of this process varies by webshop; however, once we open the checkout page for colunexshop[.]com, we can see the expected web request to the file mentioned above, “1-97056a9[.]js”:
Malicious file callout on the checkout page for colunexshop[.]com
If we click on the “initiator” link, we can see the file that triggered the web request in our console. It even focuses on the piece of code that triggered the request in the larger file.
Screenshot in our console examining the initiator link that triggered the web request
In the case of colunexshop[.]com, the initiation of the request is done by a small piece of code in the file:
This code tries to imitate a Facebook-related code-loading script. However, it does a bad job of faking this, as no known Facebook script uses a list of character concatenations from a long string. An obfuscated code segment then creates a self-executing function that gets called with three arguments. These arguments are:
f = hxxps[:]//connect[.]facebook[.]net/en_US/fbevents.js (defanged by Silent Push)
b = window
e = teancmLodlErvNsipbxH925zfhuCR0M6yjZG4YS8TA1SIVGSJ4NoWBiMWEmXHr2zdhgcdNJChca11pvh0GtB17ExVpOu1onzFpd4rIx4mc7i2LXMrRSguok6z3xxdpph
Working our way through, this “e” argument is used regularly throughout the script. It serves as an alphabet used by the code to derive strings. For example, e[2] = a, e[8] = d, e[10] = E and so on. We can thus use it to deobfuscate the strings and derive the following code (comments added for clarity, with the last string shortened for brevity):
Example of the code strings
This code does not load the actual Facebook fbevents[.]js file; instead, it reaches out to a base64-obfuscated URL and injects the returned code. It can be seen in the script located at:
hxxps[:]//cdn-cookie[.]com/1-197056a9.js
Given that this code is highly obfuscated and loaded via a purposely obfuscated JavaScript, the red flags here are enough to know we are headed in the right direction.
This code is also loaded via the “wp_enqueue_scripts” functionality, as shown below, which is an action hook mechanism in WordPress that allows WordPress to load scripts and CSS at the proper time during the website’s rendering in the browser.
add_action('wp_enqueue_scripts', function () { echo '<code here>'; });
The action hook is ordinarily intended to run at the optimal time during page load to ensure that all relevant scripts and styles are included in the correct order, with proper dependency management, thereby preventing conflicts between themes and plugins.
However, this is not typically done by directly echoing JavaScript code, as is done here. The attacker’s improper use of the code actually results in a visible bug on the infected website, revealing that segment at the bottom of the page, as shown in the red box below:
Improper use of code results in a visible bug on the infected website
Despite this bug, the code as a whole indicates that this attacker has advanced knowledge of WordPress’s inner workings and integrates even lesser-known features into their attack chain.
Skimmer Analysis
In addition to being highly obfuscated, the code employs several techniques, including string concatenation, array-based string storage, self-executing anonymous functions, and other encodings.
Deobfuscation of the code reveals that, as expected, we encounter approximately 600 lines of JavaScript code implementing the credit card skimmer. The code is then split into several functions, each with functionality related to a larger attack.
The following is a step-by-step walkthrough from initial execution to the end goal of victim credential theft:
Screenshot of initial code executed by the web skimmer, establishing content monitoring and WordPress Admin evasion
The inject begins its execution by setting up a MutationObserver (a JavaScript API that provides the ability to detect modifications made to the Document Object Model (DOM) tree), which will execute the function “a()” every time the webpage’s DOM is changed.
The DOM is a tree-like representation of all HTML elements on a webpage that browsers create when loading a page. It’s essentially a live, interactive map where each HTML tag becomes a “node” that can be accessed, modified, or monitored by JavaScript. When users interact with the page (by clicking, typing, or loading content), the DOM changes in real-time.
This MutationObserver ensures that any change made to the website will cause the web skimmer to reattempt execution.
After starting the Observer, the “a()” function is executed a single time in what could be described as an independent initial execution attempt.
The code continues by executing a check for the Element “wpadminbar” in the current DOM, looking for the WordPress Admin Bar, which is a horizontal toolbar that appears at the top of WordPress websites when logged-in administrators or users with appropriate permissions are viewing the site. It provides quick access to standard WordPress functions, such as editing posts, managing users, accessing the dashboard, and viewing site statistics, without requiring navigation to the admin area.
If the wpadminbar element is defined in the DOM, the code will completely remove itself from the current DOM. It does so by removing any injected code and terminating the MutationObserver. This is done to evade the prying eyes of website administrators, increasing the chance of the malware’s survival.
The image below shows the “a()” function, which is called both on every DOM change and once initially.
Screenshot of the “a()” function
This function is designed to check if the website is prepared to execute the skimmer. It first checks to see if the page has loaded fully by looking for the WooCommerce “BlockUI” element. The BlockUI element is a native WooCommerce overlay (typically a semi-transparent div with a “Please wait…” message) that WooCommerce displays when it is processing checkout data, loading payment methods, or updating cart contents. It is intended to block user interaction until the complete page has been loaded successfully.
The presence of elements with the class blockUI in the DOM indicates that WooCommerce is still performing background operations. The skimmer code then waits 1000 ms (or one second) before re-execution.
Once the blockUI check is passed successfully, the code checks to see if the “Stripe” payment method was selected on the website. Notably, this indicates that the skimmer was specifically designed for the type of webshop it was injected into, as not all WooCommerce websites utilize Stripe.
If Stripe is selected, the skimmer checks to see if the fake payment form it will create is already loaded, which would indicate that a previous execution of the skimmer has already changed the page. It also checks to see if there is a “wc_cart_hash” element in the website’s localStorage.
The malware uses the localStorage variable “wc_cart_hash” to indicate whether it has already successfully skimmed a victim. It is set to be “true” for successful credit card exfiltration and serves as a re-execution prevention measure.
If the Stripe form hasn’t been injected yet, the visitor hasn’t chosen Stripe as their payment method, or an error occurs, then the malware re-runs “a()” every 500 ms.
The real web skimmer execution starts with the function “i()”. Since this function exceeds 500 lines of code, we will break it down into several steps.
Screenshot of the “i()” function
The “i” function first executes yet another check for the existence of the “wc-stripe-form.” If it does not exist but the “wc-stripe-upe-form” does, this means that the legitimate Stripe “Universal Payment Elements” form has loaded.
If this is the case, the skimmer gets to work. It makes sure that the legitimate Stripe Payment Form is hidden by setting its style.display variable to “none.” The skimmer then creates a malicious iframe in which it renders a fake Stripe Payment Form with legitimate-looking variable names, titles, styling, and so on. The iframe is then added to the legitimate container for the Stripe Payment method.
Screenshot of the web skimmer creating a malicious iframe
The code then continues by adding features that make the injected iframe responsive to changes in the website’s size, further enhancing its “legitimate” look and feel.
Next, it opens the iframe and writes a complete fake Stripe Payment Form into it. This particular payment form is in Portuguese, the same language as the compromised website. The HTML form contains three input fields with the IDs “cardnumber-Input,” “expiry-Input,” and “cvc-Input.”
At this point, the skimmer has effectively replaced the real payment form with its own malicious payment form, which, as previous code sections have already indicated, has the ID “wc-stripe-form.” Thereafter, all re-executions of the earlier “a()” function will fail because the fake form already exists.
With the fake form successfully injected, the skimmer then defines the logic to make the payment form appear functional. This includes adding script-based checks for “card brand” detection on input credit card numbers.
Providers that the script explicitly recognizes include:
Mastercard
American Express
JCB Co., Ltd.
Diners Club
Discover
UnionPay
Note: The companies listed here are the payment transaction providers themselves. This means that the skimmer most likely covers most issued credit cards globally, even if the card itself is branded by one’s local bank or payment card provider (Source: The Motley Fool)
The skimmer then uses this information to automatically adapt the input field with an image of the correct card brand, making the input form appear even more legitimate. The image below shows the changes for a Mastercard and a JCB card.
Screenshots of the skimmer showing branded images for Mastercard and JCB payment methods
Additional features added for the sake of legitimacy include:
Automatic formatting of the validity date entered
Automatic formatting of the entered credit card number according to the card’s brand
American Express: 4-6-4 and a 4-digit CVC
Diners Club: 4-6-4
Most other cards: 4-4-4-4
Automatic error highlighting in red if a field loses focus, but the entered details are invalid.
Verify the credit card number’s validity by ensuring it is associated with a recognized brand, not an unknown one, and has a length of at least 13 characters.
Check that the entered date is valid by ensuring its year is not in the past, at least five characters long, has a “/” separator, and contains a month between 1 and 12.
CVC is at least one character long
These checks are relatively simple compared to more advanced ones, like the Luhn algorithm.
Screenshot showing the malicious script features used to validate credit card fields
The styling and validation features are added to the three input fields via EventListeners.
After this step, the web skimmer monitors all input forms of the checkout page. It uses two state variables, “w” and “h”, to store even partial input data, as long as there are at least two characters.
Stolen data is not limited to just credit card details. Every input element on the website is collected, including the name, address, and shipping address fields.
Data is then stored as key-value pairs, where the input field’s ID serves as the key and the entered value becomes the corresponding value.
A correctly formatted value for “w”, after a victim has filled out the form, would then look like the following:
w = { "billing_first_name": "John", "billing_last_name": "Doe", "billing_email": "[email protected]", "billing_phone": "555-1234", "billing_address_1": "123 Main St", // ... etc }
Duplicate content would be in the “h” value.
The “w” value is never used after it is created and filled with the various values. The reason for that is unknown; however, it could be that “w” is simply a code artifact leftover from a previous version.
On the other hand, the “h” value is crucial for the exfiltration process. It is dynamically filled during the victim’s entire form-filling process. While the victim is filling out the payment data forms, the skimmer has additionally hijacked another feature of the payment site: the “Place Order” button.
The relevant code for this starts as:
Example of the relevant code
The code is designed to add an EventListener to a button that reacts to a click event. This event is the equivalent of the victim having finished filling out the entire web form, including the Stripe payment information, and wanting to submit the order. When clicked, the code executes and stores each checkout form’s value in a new set of variables, one field at a time.
It does this by first checking if the value for the field was previously captured by the dynamic data storage functionality that stores data into the “w” and “h” variables. In this case, the data stored in the “h” variable is used for the queried key.
Suppose the dynamic data parser fails to store the specific key-value pair queried. If that happens, the code will then fall back to using the value currently stored in the field, accessing it directly via the “getElementById()” function.
A more thorough check is done for the payment data values entered into the fake Stripe Payment Form, shown here:
The code checks for prior skimming execution against the current intended victim
This code explicitly checks to ensure there has been no prior skimming execution against the current victim by checking the local storage variable wc_cart_hash.
It then prevents the hijacked form’s default functionality and ensures that none of the three credit card data input fields are empty.
If any of the fields are empty, the empty fields are changed to throw the same red error styling that the previous checks applied in case any of the entered card data did not pass the value checks. This prompts a victim to correct the missing data issues before proceeding further.
If these checks are passed, the skimming code then prepares the collected data for exfiltration by creating a data object that contains all previously collected data.
An example of this can be seen here:
The skimming code creates a data object that contains the previously collected data
Some of the collected data is reformatted before exfiltration. For example, the first name and last name of the billing form are joined around a “ ” to create the space in a victim’s “Full Name.”
Once the data structure has been created, the skimmer moves to the actual exfiltration.
Screenshot of the skimmer moving to exfiltration
It begins by ensuring that the previously created data object is JSON-formatted, XOR-encrypted, and Base64-encoded using the hardcoded key “777.”
The skimmer then sends an HTTP POST request to the Exfiltration Server via the following URL:
hxxps[:]//lasorie[.]com/api/add
This URL is a base64-encoded data string prepended by “data=” as the body.
Once this request has been sent, the skimmer then cleans itself from the current checkout page, removing the fake payment form it had created previously.
Screenshot of the skimmer clearing itself from the checkout page
After that has been removed, it restores the legitimate Stripe input form, changing its display style back to “block.” Finally, it sets the localStorage variable “wc_cart_hash” to “true,” preventing the skimmer from being executed again for the current victim. It concludes by simulating a “click” on the actual checkout button to initiate the actual payment process.
Important note: As the victim entered their credit card details into a fake form instead of the real Stripe payment form, which was initially hidden by the skimmer when they initially filled it out, the payment page will display an error. This makes it appear as if the victim had simply entered their payment details incorrectly.
Most of the time, online shoppers are unaware that they have just been victimized. Instead, they will assume they made a mistake, then re-enter their credentials, and proceed as usual. The second payment attempt will then be processed successfully as they interact with the original benign payment form.
The only chance a non-technical victim would have to detect this attack would be noticing this error when trying to pay, and seeing that their information has disappeared after filling out the form.
The effectiveness of this is further reinforced by work shared by security researcher Mikhail Kasimov, who attributed several of these older domains to Magecart activity more than three years ago, demonstrating the threat actor’s staying power.
Indicators Of Future Attack™ (IOFA)™
The following are a small sample of the indicators gathered by our team for the Magecart network.
cdn-cookie[.]com
lasorie[.]com
Mitigation
Taking Defensive Measures Against Web Skimmer Campaigns
There are several defensive measures that both vendors and consumers can take to help protect themselves from web skimmer campaigns.
Defensive Measures for Vendors
Implement a Content Security Policy(CSP) to restrict the loading of external resources, particularly JavaScript, thereby reducing the risk of malicious code injection.
Comply with Payment Card Industry Data Security Standard (PCI DSS) Requirements. Following the PCI DSS standard helps ensure secure storage, processing, and transmission of cardholder and authentication data.
Keep Systems Up to Date. Regularly maintain software components, including content management system (CMS) platforms, plugins, and security patches, to minimize vulnerabilities that threat actors might exploit.
Enforce Strong Access Controls. Use complex, unique credentials for administrative accounts and enable multi-factor authentication to prevent unauthorized access.
Testing From the User Perspective. Website administrators should periodically review their sites using either their browser’s incognito/private mode or after clearing the browser cache and history. This practice is essential because many web injection-based threats employ detection mechanisms that identify administrative users through cookies and deliberately avoid executing malicious code in their presence. By viewing the site without administrative credentials or cached data, administrators can detect threats that would otherwise remain hidden.
Defensive Measures for Consumers
Shop on Trusted Platforms: Select established and reputable e-commerce websites with a proven track record of security.
Carefully Evaluate Offers: Be cautious of deals that appear excessively discounted or unrealistic, as these may indicate fraudulent sites or malicious vendors. When offers sound too good to be true, they probably are.
Monitor Financial Activity: Review bank and credit card statements regularly to promptly detect any unauthorized transactions.
Beware of Checkout Anomalies: If a payment page unexpectedly displays errors after entering your card details, consider abandoning the transaction and report the issue as suspicious.
Leverage Security Tools: Use browser or endpoint security solutions that block known malicious domains and scripts to enhance your online safety.
Ready to dive deeper into the world of preemptive cyber defense? Take our technology for a test drive with the free Silent Push Community Edition today.
Our team will continue to track Magecart campaigns while expanding our understanding of the obfuscations and skimmer variants being delivered throughout 2026.
We believe Magecart remains an active threat to both online stores and their customers worldwide, and expect this multi-year campaign to continue indefinitely.
If you or your organization has any information to share regarding the findings in this report, we would love to hear from you.
The DPRK remote worker program functions as a high-volume revenue engine for the North Korean regime. These state-sponsored operatives use stolen identities to secure remote roles within Western enterprises. They establish long-term persistence inside corporate infrastructure before their first meeting. These actors bypass standard IAM and EDR by mimicking the behavior, location, and hardware signatures of a domestic employee.
The Weaponization of Remote Onboarding
The Department of Justice and the FBI have issued urgent warnings regarding North Korean IT workers. These operatives use sophisticated identity theft to secure high-paying remote roles at Western enterprises.
These fake IT workers are strategic assets used to:
Generate untraceable revenue for prohibited weapons programs.
Gain administrative access to sensitive codebases.
Establish “living off the land” persistence within corporate infrastructure.
The “Invisible Insider” scheme: How fake IT workers from DPRK are bypassing existing security controls
The Two Variants of the DPRK “Invisible Insider”
Based on recent research, the DPRK typically utilizes two distinct variants of this infiltration:
Variant 1: The long term infiltrator: This is an IT worker who secures a legitimate role to earn a salary or gain administrative access. They may perform their job for months without spreading malware, focusing instead on revenue generation and establishing long term persistence within your infrastructure.
Variant 2: The front company lure: The regime creates fake front companies that mimic real software firms to lure high value victims into interviews. These interviews involve skill assessments that eventually lead to the victim executing malicious code. This puts the entire company at risk of a breach, turning a standard hiring interaction into a systemic threat through calculated deception.
Applicants frequently seek new opportunities while still employed. Our analyst team has observed instances where candidates inadvertently compromise their current employer’s security by using corporate devices for job-seeking activities, leading to malware infections.
The Identity Verification Trap
Traditional security stacks verify who a person is based on their credentials. If a worker provides a valid Social Security Number, passes a third-party background check, and clears a video interview using AI-driven deepfake filters, they are into your system.
Suspected fake persona: Mehmet Demir hxxps://linkedin[.]com/in/mehmet-demir-godev Backend Developer | Golang, Python
Once onboarded, your logs show a “local” employee. They use Western residential IP addresses to appear as though they are working from a suburban home.
Why Geographic Certainty is Fading
Security teams often rely on IP geolocation to flag suspicious logins. While geofencing does catch many low level attempts, the public is often unaware of which specific IPs or providers the DPRK is currently leveraging. Through our research, we constantly discover new IPs and new VPN or proxy providers that these state-sponsored actors use to stay hidden.
To defeat advanced geofencing, the DPRK utilizes a multi layered proxy chain. By routing traffic through a domestic “hop” (i.e., a physical laptop inside the US) the worker bypasses simple geo-fencing. To your SIEM, the traffic looks identical to a standard remote employee.
This creates three critical visibility gaps:
The residential IP fallacy: You trust the traffic because it originates from a standard ISP like Comcast or AT&T rather than a datacenter.
The background check gap: Providers verify the stolen identity, not the person behind the keyboard.
The hardware authenticity trap: Unlike botnets using virtual machines, these “laptop farms” use real hardware. They pass MAC address checks and device posture assessments.
The Cost of a “Bad Hire”
Discovery of a DPRK operative on your payroll involves more than a simple termination:
Sanctions risks
Your company may be in violation of OFAC regulations for inadvertently funding a sanctioned regime.
Intellectual property lost
By the time state-sponsored actors are caught, proprietary code or customer data is likely already exfiltrated.
Incident response burnout
Cleaning up backdoors left by a state-sponsored operative requires a total infrastructure audit.
Secure Your Hiring Perimeter
When state-sponsored actors use stolen identities and spoofed locations, background checks are not enough to protect your organization. You need to verify that remote employees are physically located where they claim to be.
Silent Push Traffic Origin unmasks the deceptive network paths used by these operatives to hide their true location. We help you spot the residential proxies and suspicious connection patterns that state sponsored groups use to bypass traditional geofencing. This allows you to identify high risk infrastructure before a new hire is granted access to your sensitive systems.
Most of us in cybersecurity have fallen into a bit of a trap. We have been taught to defend our networks by looking at the past. We rely on Indicators of Compromise (IOCs). These are things like malicious IPs or file hashes. Using them as a primary defense is not really a strategy. It is just playing catch-up.
An IOC is a record of a crime that has already happened. By the time it shows up on your screen, you are already “right of boom.” You are struggling to clean up a mess while the attacker has already achieved what they wanted. It is forensics, not defense.
The first victim problem
I have spent years seeing people deploy and then rip out overhyped technologies that promised the world and delivered nothing. IOC-based security is a bit like that. It is a reactive cycle that is actually quite grim when you look at it. For a piece of intelligence to exist in that model, someone else has to get hit first. A domain only becomes an indicator after it has been used to successfully strike a company.
While we wait for these lists of “known bad” assets to update, criminals are using automation to spin up new infrastructure in seconds. They use techniques like fast flux to rotate IPs or hide their intent behind big providers like AWS and Azure. Most security tools are essentially blind to the majority of what these groups are doing.
Why we do the hard work
When John Jensen and I built Silent Push, we knew we had to stop looking at what happened and start looking at what is being built. To do that properly, you cannot rely on third-party feeds or recycled data. You have to manage the collection and contextualization of the data yourself.
We took on the task of setting up the most aggressive data collection platform to monitor all internet infrastructure and its changing relationships as it is the only way to get an unadulterated view of the world. We do not wait for a threat actor to hit someone. We look for the fingerprints they leave behind while they are still in the staging phase.
Finding the fingerprints
I like to think of the current cyber crime landscape like the era of privateers. These groups have a subtle nod from their home government to commit crimes as long as the money comes home and there are no domestic victims. But they are creatures of habit. They leave signatures in their DNS records and the way they configure their web servers.
By tracking all internet signals in one place, we can see an attack being prepared. We spot the “activation” events where a parked domain suddenly switches over to an attacker-controlled server. This gives us what we call Indicators of Future Attack (IOFA). On average, this approach provides a lead time of 104 days. That is months of warning before a strike is even launched.
No more guesswork (it’s possible)
I have no time for tools that give you “maybe suspicious” alerts or vague probability scores. That just leads to alert fatigue and burns out your team. The focus has to be on deterministic data. It is either attacker infrastructure or it is not.
When you have that level of clarity, you do not have to guess. You see the threat actor’s intent as it is being organized and you shut it down. It is about moving away from the “first victim” model and finally staying one step ahead of them.
The escalation of AI-driven cyber threats has fundamentally broken the traditional security lifecycle. For decades, the industry has operated on a reactive cadence: an attack occurs, indicators are gathered, and defenses are updated. This model assumes that defenders have time to react.
In an era where threat actors leverage Artificial Intelligence (AI) to automate the creation and deployment of malicious infrastructure, that assumption is no longer valid. AI has granted adversaries the ability to operate at machine speed and infinite scale.
To a CISO, the strategic imperative is becoming clearer by the day. You cannot defeat an automated enemy with a reactive defense. The only way to combat AI-driven threats is to adopt a Preemptive Cyber Defense posture that neutralizes infrastructure before the attack is ever launched.
The Asymmetry of AI-Driven Attacks
AI and advanced automation have shifted the balance of power by solving the two biggest constraints for attackers: cost and complexity.
Infinite disposable Infrastructure: Automation allows threat actors to spin up thousands of unique domains, subdomains, and IPs for a single campaign. These assets are “disposable.” They are used once for phishing or malware delivery and then abandoned immediately.
Hyper-evasion: AI tools can instantly generate infinite variations of web content and code. This allows attackers to bypass signature-based detection systems by ensuring that no two attacks look exactly the same, even if they originate from the same group.
In this environment, waiting for an alert means you have already lost. The speed at which AI-generated campaigns are deployed and discarded outpaces the speed at which reactive security tools can ingest and distribute Indicators of Compromise (IOCs).
Moving Left of the Launch
To survive this new threat landscape, security strategies must move “left” of the attack launch. This is the core mandate of Preemptive Cyber Defense.
The goal is no longer to detect a payload as it hits the network. The goal is to identify Indicators of Future Attack (IOFA™). These are the traceable digital footprints that adversaries leave behind while they are still staging their infrastructure.
Even AI-driven automation follows rules. While an attacker can change an IP address in milliseconds, they cannot easily hide the Tactics, Techniques, and Procedures (TTPs) they use to procure, configure, and manage their network.
Silent Push: Combatting AI with Contextual Pre-Attack Data
Our platform uses a unified data model that treats the internet like a living, breathing network. By tracking how every piece of data (IPs, domains, hostnames and more) relates to one another, we create a highly contextual map of global infrastructure.
This framework turns billions of raw data points into a definitive opinion, allowing us to see the “DNA” of a threat actor even when they use AI to change their behavior.
This approach counters AI velocity with behavioral precision:
Mapping the Unknown: Silent Push scans the entire IPv4 and IPv6 space to identify the hidden attacker infrastructure that traditional feeds miss. This reveals the staging grounds where AI-driven campaigns are born.
Behavioral Fingerprinting: By analyzing over 200 parameters, including DNS records, certificate authorities, and WHOIS patterns, Silent Push creates fingerprints of adversary behavior. This allows the platform to link thousands of seemingly unrelated, AI-generated domains and content back to a specific threat actor.
Content Similarity Analysis: To defeat AI-generated phishing pages, Silent Push employs fuzzy hashing (ssdeep) and proprietary structural hashing. This allows defenders to identify and block entire clusters of malicious sites based on shared code structures, regardless of how the attacker tries to visually disguise them.
The CISO Advantage: Deterministic Neutralization
Adopting a preemptive approach changes the economic reality for the attacker. By blocking the underlying infrastructure rather than chasing individual IOCs, you disrupt the attacker’s ability to scale.
For the CISO, this shifts the organization from a posture of constant emergency response to one of strategic control.
Pre-weaponization blocking: High-confidence IOFA™ feeds can be fed directly into firewalls and SIEMs to block connections to malicious infrastructure days or weeks before a campaign goes live.
Eliminating noise: By filtering out the noise of disposable AI-generated indicators, security teams can focus their resources on verified, high-priority threats.
In the era of AI-driven attacks, hesitation is a terminal risk. Traditional defense is mathematically incapable of keeping pace with automated scale. To win, we must move beyond existing security approaches and embrace a truly preemptive posture, neutralizing infrastructure before it is weaponized.
The Economics of Preemption vs. Reaction
Automated attacks create a scale problem that reactive budgets cannot solve. When threats move at machine speed, relying on an IOC-and-respond cycle leads to unpredictable spending and avoidable downtime.
Neutralizing infrastructure before it is weaponized stabilizes the security budget and removes the operational volatility inherent in reactive security models.
Focus Area
The Cost of Reaction
The ROI of Preemption
Budget Control
Linear growth: You pay for every attack via incident response, forensics, and legal fees.
Cost avoidance: Neutralizing infrastructure early stops the billable hours of a breach before they start.
Operational Uptime
Recovery mode: Success is measured by how fast you get back online after a hit.
Stability-based: Success is measured by the attacks that never reached your network in the first place.
Resource Allocation
SOC burnout: High-tier talent is wasted triaging thousands of automated “noise” alerts.
Strategic focus: Filtering threats at the source allows your team to focus on high-value architecture and strategy.
Why this matters for the bottom line
In an AI-driven threat landscape, the gap between “compromise” and “encryption” is shrinking to seconds. If you are still relying on a human-led response to an automated probe, the ROI will always be negative.
Traditional defense manages the damage; preemptive defense manages the risk. Shifting to a preemptive posture ensures that your security budget is spent on maintaining growth rather than chasing ghosts.
Learn how to detect, investigate, and stop invisible client-side threats targeting web applications and online transactions.
Client-side attacks like Magecart skimming are one of the most dangerous and hardest-to-detect threats facing modern web applications. These attacks bypass traditional server-side security, silently injecting malicious JavaScript to steal payment card data, PII, and credentials during online transactions.
In this webinar, security teams will learn how to identify Magecart activity early, uncover hidden skimming infrastructure, and protect web forms from sophisticated client-side supply chain attacks.
Date: February 3, 2026
Time: 10am SGT (APJ), 12pm CET (EMEA), 1pm ET (AMER)
Most analysts are stuck in a cycle of reactive guesswork. Get the tactical blueprint to transition to Preemptive Cyber Defense through high-speed enrichment and noise reduction.
This cyber defense workshop covers deep enrichment, noise reduction, and smarter triage techniques to help you move from reactive guesswork to preemptive defense.
Date: 27 January, 2025
Time: 10am ET // 3pm CEST // 10am SGT // 12pm AEST
Location: Online – Zoom
Requirements: Silent Push free Community Edition | Sign-up here
Bulletproof Hosting (BPH) providers have been a part of the threat actor landscape for decades. Interestingly, the market has experienced a renaissance in the past year, marked by notable changes that include a surge in providers globally, the emergence of new tactics, and increased resilience against takedown efforts. This demonstrates just how deep and complex the space has become from a defender’s perspective.
Silent Push Threat Analysts have developed a new white paper, “Shining a Light on the Global Bulletproof Hosting Ecosystem,” to illustrate the current state of the BPH practice and highlight the potentially lesser-known technical dynamics we’ve been observing.
The Allure of BPH
Threat actors are drawn to BPH providers for their permissive policies regarding hosted content and their hands-off approach to abuse complaints and takedown requests. These providers enable malicious infrastructure, such as phishing kits, Command-and-Control (C2) servers, and data exfiltration points, to remain online for longer periods with fewer disruptions.
Throughout the report, we discuss exactly what defenders need: real-time data and hunting tools to block malicious traffic emanating from BPHs. Our Indicators of Future Attack™ (IOFA™) feeds for BPHs are explicitly designed to expose threat actors as they migrate infrastructure, flagging new ASNs, IP ranges, and hosting providers long before they appear on other threat radars.
Engaging Preemptive Cyber Defense
The Silent Push platform features an ever-increasing catalogue of Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and other integrations to support organizations’ need for preemptive cyber defense, equipping defenders with accurate and dependable alerting on suspicious and malicious activity.
Our goal is to raise awareness on internet hosting providers who’ve been labeled “Bulletproof” for their willingness to host services specifically designed to shield clients from technical and/or legal disruption. During the course of our research, we employed a wide range of criteria to label the hosts we track as bulletproof, many of which are covered in the report and have not been discussed publicly elsewhere. Some, however, we cannot disclose for operational security reasons. We believe that sharing these criteria and methods publicly is crucial in informing defenders about where cybercriminals are hiding within their networks.
BPH: Expanding, Not Going Away
With the rise of artificial intelligence (AI) and large language models (LLMs), we anticipate that threat actor automation of infrastructure setup will continue to increase into 2026 and beyond. Extensive coverage of BPH providers enables defenders to remain vigilant against suspect infrastructure frequently used for obfuscation and weaponization, ensuring that actors using these networks as part of their automation fail before they can initiate their attacks.
By circulating this information publicly without restriction, we want to reach communities that have the means and motivation to shape a safer, more accountable threat landscape, with preemptive cyber defense for all kinds of defenders: threat hunters, policymakers, researchers, journalists, and government teams.
After reviewing our Bulletproof Hosting white paper, if you are interested in learning more about Silent Push preemptive cyber defense technology and how it can empower your organization’s security team, please get in touch with us or book a demonstration to discuss the platform with our experts.
Ready to dive deeper into the world of preemptive cyber defense? Take our technology for a test drive with the free Silent Push Community Edition today.
Acquisition strengthens Silent Push’s capabilities to deliver deeper visibility, stronger intelligence correlations, and enhanced defensive outcomes
Reston, VA, December 15, 2025 – Silent Push, the leading preemptive cyber defense vendor, today announced that it has acquired HYAS, the adversary infrastructure platform provider offering unparalleled visibility, protection, and security.
Combining HYAS Insight with the larger Silent Push platform enables customers to benefit from HYAS’s unique data, infrastructure intelligence, and capabilities with Silent Push’s industry-leading adversary and infrastructure reconnaissance technologies. Together, this will result in unparalleled preemptive and proactive security.
“The acquisition of HYAS marks a significant milestone in our strategy to extend our global presence and deliver the industry’s most leading-edge cyber defense solutions,” said Ken Bagnall, CEO, Silent Push. “Our combined expertise will accelerate Silent Push’s leadership position as we continue to innovate and build best-in-class products that enable our customers to preemptively and proactively stop threats.”
Silent Push’s flagship solution is the first and only to provide a complete view of emerging threat infrastructure in real time. By exposing malicious intent through its Indicators Of Future Attack™ (IOFA™) data, Silent Push enables security teams to proactively block hidden threats, discover previously unknown infrastructure, and avoid loss. Silent Push will integrate HYAS Insight to contribute to its Total View, which consolidates comprehensive Domain and IP intelligence into a single screen.
“Our mission is simple – empowering organizations to see malicious infrastructure usage and behavior to block attacks before damage occurs, prevent fraud, accelerate investigative time to close, and complete both task and mission,” said Dave Ratner, CEO at HYAS. “Joining Silent Push is a natural fit that enables us to further accelerate that mission and creates significant opportunities for our customers and the market in general. My colleagues and I look forward to combining our skillsets with Silent Push to deliver the solutions that provide security and investigative teams with true power and intelligence against cyber threats, financial fraud, and other nefarious activity committed by bad actors.”
“This acquisition brings together two cybersecurity leaders with similar visions and culture, while each organization brings its own set of proven capabilities,” said Dave Palmer, Ten Eleven Ventures. “Together, they are providing one of the industry’s most comprehensive security portfolios for preemptive and proactive security, and strengthening Silent Push’s go-to-market strategies as they expand their global footprint.”
HYAS’s leadership and team will join Silent Push, with operations continuing under the Silent Push brand.
About Silent Push
Silent Push is a preemptive cybersecurity intelligence company. It is the first and only solution to provide a complete view of emerging threat infrastructure in real-time, exposing malicious intent through its Indicators Of Future Attack™ (IOFA™) data to enable security teams to proactively block hidden threats and avoid loss. The Silent Push standalone platform is also available via API, integrating with any number of security tools, including SIEM & XDR, SOAR, TIP, and OSINT, providing automated enrichment and actionable intelligence. Customers include some of the world’s largest enterprises within the Fortune 500 as well as government agencies. A free community edition is available. To stay up to date with Silent Push, follow us on LinkedIn and X.
Bulletproof Hosting (BPH) providers have been a part of the threat actor landscape for over two decades. Interestingly, over the past year, the market has experienced a renaissance, marked by notable changes that include a surge in providers globally, the emergence of new tactics, and increased resilience against takedown efforts. This demonstrates just how deep and complex the space has become from a defender’s perspective.
In developing this new white paper, our goal is to illustrate the current state of the practice of Bulletproof Hosting and to highlight the potentially lesser-known technical dynamics we’ve been observing.
Our world-class threat analyst team has been diligently working to provide and scale our detection of BPH infrastructure, so that our clients can utilize those detections within their Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tooling for accurate, dependable alerting on suspicious and malicious activity.
This white paper was created to raise awareness on internet hosting providers who’ve been labeled “Bulletproof” for their willingness to host services specifically designed to shield clients from technical and/or legal disruption. Our researchers employ a wide range of criteria to label the hosts we track as bulletproof, many of which are covered in the report and have not been discussed publicly elsewhere. Some, however, we cannot disclose for operational security reasons. We believe that sharing these criteria and methods publicly is crucial in informing defenders about where cybercriminals are hiding within their networks.
With the rise of artificial intelligence (AI) and large language models (LLMs), we anticipate that threat actor automation of infrastructure setup will continue to increase into 2026 and beyond. Extensive coverage of BPH providers enables defenders to remain vigilant against suspect infrastructure frequently used for obfuscation and weaponization, ensuring that actors using these networks as part of their automation fail before they can initiate attacks.
By circulating this information publicly without restriction, we aim to reach communities that have the means and motivation to shape a safer, more accountable threat landscape, with preemptive cyber defense for all kinds of defenders: threat hunters, policymakers, researchers, journalists, and government teams.
After reviewing the Bulletproof Hosting white paper, if you are interested in learning more about Silent Push preemptive cyber defense technology and how it can empower your organization’s security team, please get in touch with us or schedule a demonstration to discuss the platform with our experts.
Ready to dive deeper into the world of preemptive cyber defense? Take our technology for a test drive with the free Silent Push Community Edition today.
![Total View image of cdn-cookie[.]com](https://www.silentpush.com/wp-content/uploads/mage-2-cdn-cookie-total-view-scaled.jpeg)
![Screenshot of the Web Search for cdn-cookie[.]com](https://www.silentpush.com/wp-content/uploads/mage-3-datasource-hostname-scaled.jpeg)
![Screenshot of colunexshop[.]com code](https://www.silentpush.com/wp-content/uploads/mage-6-colunexshop-com-code.jpg)
