The global average cost of a data breach has finally decreased for the first time in five years, falling to $4.44 million (IBM, 2025). However, detection remains a critical failure. According to the 2025 Verizon DBIR, external actors or ransomware groups still disclosed the incident in 82% of cases. This confirms that most organizations only discover a breach when the attacker chooses to reveal it, usually through an extortion demand or a public leak site.
Often we see Security Operations Centers (SOC) and Incident Response (IR) teams trapped in a reactive loop. Traditional tools are designed to alert you once a threat is already inside your wire. By then, the damage is underway. Your analysts are left to manually reconstruct infrastructure relationships using a fragmented mess of spreadsheets and disconnected point tools. This manual scramble is the primary driver of alert fatigue and extended response times.
Closing the Pivot Gap with Insight
Every second counts during triage, making tool-hopping a liability. Your team needs immediate clarity into unknown threat infrastructure to end the era of disjointed investigations.
Instead of guessing, analysts can now access a single, deterministic source of technical context that consolidates enrichment, risk scoring, and correlation into one view. This provides over 100 contextual attributes for any domain or IP, allowing your team to stop chasing tabs and start neutralizing threats.
Proprietary Risk Scores: Move beyond simple block or allow lists to understand the actual threat level.
Automated Clustering: See how a single IP fits into a wider network of malicious assets.
Contextual Depth: Understand the logic behind a risk score immediately so you can act with certainty.
Moving Beyond Probabilistic Research
Legacy tools often require analysts to perform the heavy lifting of correlation in the heat of a crisis. This is why we had to take a different approach. We spent years building the Context Graph so it could now become the foundational engine that pre-correlates changes in the global internet dataset.
While an attacker is still building their infrastructure, the Context Graph is already mapping those technical relationships. For example, when an analyst queries an unknown indicator, the platform uses Context Similarity to identify related malicious assets and cluster threats instantly. This allows an IR team to link a single indicator to an entire adversary campaign in seconds, rather than days of manual forensic work.
Measurable Outcomes for SOC and IR Leaders
Operationalizing forensic data before it is weaponized against you changes the math of your security stack. By moving the defense line upstream, you achieve several key metrics:
Objective
Operational Impact
Accelerated Triage
Drastically reduce Mean Time to Triage (MTTT) with unified enrichment that captures adversary infrastructure in its staging phase.
Workflow Consolidation
Eliminate tool sprawl by establishing a single source of truth for all analysts.
Resource Optimization
Free high-tier analysts from manual data gathering so they can focus on strategic mitigation.
Moving your defense upstream allows your team to identify and block attacker infrastructure weeks before a campaign is even launched. This shift from detect and respond to anticipate and prevent is how modern SOC teams to actually reclaim the advantage.
Shifting your SOC, IR, and CTI teams from reactive to preemptive cyber defense.
What data sources power the Context Graph? The Context Graph is powered by pre-correlating a massive global dataset, comprising of Passive-Aggressive DNS (PADNS), WHOIS, certificates, traffic sensors, and content hashes. It continuously analyzes benign, gray, and malicious infrastructure to detect adversary “management patterns” rather than just active exploits.
Does Insight integrate with our SIEM/SOAR/XDR platform natively? Yes. Insight is designed for native integration with SIEM, SOAR, and XDR platforms via APIs and prebuilt connectors, allowing enrichment, scoring, and context data to flow directly into existing workflows without requiring analysts to leave their current tools.
How does this help my team work across silos? The Context Graph acts as a single backbone for the entire company. Whether it is the SOC triaging alerts or fraud teams stopping fake logins, everyone uses the same engine to make fact-based decisions.
Why is deterministic data better than probability scores? Probability scores tell you something might be bad, which creates noise and alert fatigue. Deterministic data provides a binary ‘True’ or ‘False’ answer, allowing you to automate defense without the guesswork.
DNS investigations often stop at resolving a domain to an IP address, leaving valuable context undiscovered.
In this cyber defense workshop you’ll learn how to recognize meaningful DNS overlaps versus coincidence, so you can apply this practical workflow and confidently identify broader infrastructure patterns to enhance your preemptive strategy.
Date: 19 March, 2026
Time: 10am ET // 3pm CEST // 10am SGT // 12pm AEST
Location: Online – Zoom
Requirements: Silent Push free Community Edition | Sign-up here
Modern AI security tools are heavily focused on reducing operational bottlenecks. It might help analysts clear an alert queue faster or prioritize which fires to put out first. While these efforts are valuable for efficiency, they don’t fundamentally change the game; they just help teams react more effectively to attacks that have already breached the perimeter.
If your AI security tools only focus on making the SOC run faster, you are still just playing a faster version of the attacker’s game.
True strategic advantage requires a shift to Preemptive Cyber Defense. By identifying malicious activity while it is still being staged, organizations can stop bottlenecks before they ever occur.
The Dead End of Faster Reaction
Traditional security relies on Indicators of Compromise (IOCs). These are essentially digital post-game highlights of a match you already lost. If your AI strategy is solely focused on filtering these old signals faster, you are still just documenting a failure.
Making “Left of Boom” Real
In the security industry, the term “Left of Boom” is often straight-up marketing fluff. But attackers do not appear out of thin air; they build, stage, and test their infrastructure weeks or months before a campaign begins.
Being able to confidently identify these future attacks is the only way to get truly Left of Boom. Instead of waiting for an attack to hit your sensors, we constantly re-resolve and pre-correlate the global DNS record set. This provides a window into infrastructure while it is still being constructed by monitoring:
DNS relationships: Uncovering setup patterns in who manages malicious domains.
Infrastructure changes: Tracking actor configurations and certificate rotations over time.
Content changes: Using behavioral fingerprints to know what is being hosted, where and when it gets activated.
The Engine of Preemptive Defense: Enabling AI and Agentic Security with the Context Graph
The Context Graph is the engine that drives this strategic outcome.
Legacy tools are often stuck looking at static snapshots of known-bad infrastructure. The Context Graph maps the internet’s technical relationships and daily changes across benign, unknown, and known-bad assets to create a defined source of truth. It provides certainty because it acknowledges the reality of the cat-and-mouse game:the infrastructure that hits you tomorrow is almost certainly masquerading as “benign” today.
The Context Graph connects billions of disparate signals into a coherent map of internet infrastructure, moving security from probability-based guessing to deterministic certainty.
This engine is what makes AI-enhanced operations genuinely proactive. By becoming embedded upstream in security reasoning, both human and machine gets the reliable, preemptive context needed to act with confidence. Instead of giving an AI agent noisy probability scores to sort through, the Context Graph provides:
Machine consumption: APIs specifically designed for automated triage.
Provenance: Clear confidence signals that AI can trust to reduce hallucinations.
The backbone: A foundational context layer that enables truly automated defense.
By neutralizing threats before they reach your perimeter, you fundamentally change attacker economics. Every time you block staged infrastructure, the attacker must scrap their work and spend more resources to start over. This makes their iteration loop slower than your defensive loop, shifting the organization from emergency response to strategic control.
Shifting your SOC, IR, and CTI teams from reactive to preemptive defense.
Can I use this with my current security tools? Yes. Silent Push integrates with major platforms like Splunk, Tines, and Palo Alto XSOAR to feed high-fidelity data directly into your existing stack.
What is the difference between an IOC and a preemptive signal? An Indicator of Compromise (IOC) is a post-breach record of where an attack has been. A preemptive signal, such as an Indicator of Future Attack (IOFA)™, identifies malicious infrastructure while it is still being built and staged.
How does this help my team work across silos? The Context Graph acts as a single backbone for the entire company. Whether it is the SOC triaging alerts or fraud teams stopping fake logins, everyone uses the same Architecture of Certainty to make fact-based decisions.
Why is deterministic data better than probability scores? Probability scores tell you something might be bad, which creates noise and alert fatigue. Deterministic data provides a binary ‘True’ or ‘False’ answer, allowing you to automate defense without the guesswork.
Silent Push’s Traffic Origin exposes insights that help identify a threat actor’s true country of origin—visibility that’s otherwise inaccessible to defenders. We use a proprietary global observation network to analyze traffic signals, enabling the platform to identify the countries associated with an IP address. This reveals the traffic’s true physical origin, not just where the proxy server sits.
Offering critical enrichment capabilities that businesses can use to immediately unmask global threat actors, Traffic Origin shines a light on malicious behaviors, including North Korean IT workers attempting to obtain fraudulent employment while using residential proxies to conceal their actual physical location. Customers can also use Traffic Origin to automatically assess employee logins and identify when an IP address is masking traffic from an unexpected location or country of concern.
Traffic Origin complements our proprietary residential proxy data, which identifies tens of millions of residential proxy IPs and their service providers. Together, these two solutions can help customers differentiate between innocuous residential IPs and those rented for criminal use globally.
The Silent Push Preemptive Cyber Defense Team regularly analyzes Traffic Origin datasets to uncover new insights and research opportunities for customers. To better help readers understand what these opportunities can look like, we’re sharing an example below of an investigation into a series of IPs and domains connected to a low-quality Chinese virtual private network (VPN) provider.
Mystery Chinese VPN Used by Devices in Russia, China, Myanmar, Iran, and Venezuela
Within our Traffic Origin data, the IP address 205.198.91[.]155 stands out for its unique breakdown of origin traffic—which includes devices in Russia, China, Myanmar, Iran, and Venezuela. It’s highly unusual for an IP address to be observed exclusivelyin these locations.
Traffic Origin Total View for IP 205.198.91[.]155
Looking further into that same IP address, our PADNS data shows that the only domain mapped to it since November 2025 is lvcha[.]in, suggesting that the traffic may be associated with this domain.
DNS A Records Mapped to the domain lvcha[.]in for IP address 205.198.91[.]155
Looking more closely at lvcha[.]in in our Total View, the domain was registered with NameSilo in March 2024 and appears to host a Chinese-language VPN.
Total View for lvcha[.]in showing registrar and metadata highlights
Accessing the LVCHA VPN website reveals that the default language is Mandarin, and the site only offers an Android APK (Android Package Kit) for direct sideloaded download—sidestepping the Google Play Store entirely.
Here’s what the site looks like in English translation (shown below). Notice the prominent and seemingly inaccurate disclaimer: “This app has passed Google security certification, please install and use with confidence.”
Translated website for the LVCHA VPN at lvcha[.]in
Because this VPN app and domain align with the unexpected Traffic Origin data, we can further investigate the domain using dozens of searchable metadata fields captured by our Web Search data.
Total View Web Search results for lvcha[.]in
We quickly identified several fields that pivot into a larger group of suspicious domains, all of which promote the same VPN.
Some of the fields providing these pivots include:
body_analysis.js_ssdeep – Fuzzy hash (ssdeep) of JavaScript content to detect similar scripts.
datasource = [“webscan”] AND body_analysis.js_ssdeep = “24:toiwDsbneK8Ki3vr5y7zrlqCWJTI/Rk m5vY50lCvbHOPQ/:5wDrK8Ksr5y7zrlqCWJTL EWvbuPQ/”
body_analysis.telegram – Telegram account URL captured from the page
datasource = [“webscan”] AND body_analysis.telegram = “https://t.me/lvchavpn”
favicon_md5 – MD5 hash of the favicon binary
datasource = [“webscan”] AND favicon_md5 = “994dfe8573747f2b90e4d32b5ae07fc6”
Expanded Web Search results for lvcha[.]in
Conducting any of those queries above using Silent Push’s Web Search (Community Edition) returns nearly 50 domains featuring the same cloned VPN content:
lcabc[.]icu
lcapi[.]shop
lcapp[.]bar
lcapp[.]bond
lcapp[.]cfd
lcapp[.]cyou
lcapp[.]icu
lcapp[.]my
lcapp[.]qpon
lcapp[.]sbs
lcapp[.]shop
lcapp[.]xyz
lcpro[.]bar
lcpro[.]bond
lcpro[.]cc
lcpro[.]cfd
lcpro[.]cyou
lcpro[.]icu
lcpro[.]qpon
lcpro[.]sbs
lcpro[.]shop
lcpro[.]top
lcpro[.]vip
lcvpn[.]bond
lcvpn[.]cc
lcvpn[.]cfd
lcvpn[.]cyou
lcvpn[.]qpon
lcvpn[.]sbs
lcvpn[.]shop
lcvpn[.]top
lcvpn[.]xyz
loopvpn[.]org
lvcha[.]in
lvcha[.]org
lvcha[.]qpon
lvcha[.]sbs
lvcha[.]store
lvchaapp[.]bond
lvchaapp[.]cc
lvchaapp[.]cyou
lvchaapp[.]icu
lvchaapp[.]pw
lvchaapp[.]site
lvchaapp[.]store
lvchaapp[.]vip
lvchavpn[.]bond
lvchavpn[.]cfd
lvchavpn[.]one
Whenever we see campaigns promoting suspicious downloads or products using so many domains, it can indicate that the operator is rotating domains to work around country-level firewalls in regions where they’re trying to promote distribution. This process is commonly observed in campaigns attempting to bypass the Great Firewall of China, an authoritarian technical domain and IP-blocking system which has been replicated in Russia, Iran, Myanmar, and Venezuela—all countries seen in the Traffic Origin connections to this particular VPN provider.
While investigating Web Search results that reused the LVCHA VPN HTML title, favicon, or Telegram URL from the original website, the content was also found to be hosted on 205.198.91[.]136, an IP address from the earlier-mentioned ASN.
A closer analysis of this IP address in our Residential Proxy database shows it is used by the residential proxy provider “Asocks proxies” (asocks[.]com). The Traffic Origin data aligns with what we saw with the previous IP address, except with a minor difference: there are also hits in Ukraine.
Traffic Origin Total View for 205.198.91[.]136
The Traffic Origin data for IP address 205.198.91[.]136 confirms it’s being used in Russian-occupied Eastern Ukraine, as shown below.
Traffic Origin Total View for 205.198.91[.]136, zoomed into Ukraine
One last IP address connected to this VPN that’s worth highlighting is 194.147.16[.]244, which is from AS48266, a U.K. network owned by catixs[.]com. As of this writing (January 2026), this IP address is hosting the same content as the LVCHA VPN, seen here in our Total View overview.
Traffic Origin Total View highlight for 194.147.16[.]244
This IP address has appeared in the Traffic Origin data from many of the same countries previously seen (Russia, China, Iran, and Myanmar). The traffic also includes a single hit in Japan, several in Bangladesh, a large cluster along the Kazakhstan–Kyrgyzstan border, additional hits in Georgia, and a new cluster near the Ukrainian border in Western Russia.
Traffic Origin Total View for 194.147.16[.]244
Zooming into this map highlights heavy usage of this IP address in Moscow, Russia.
Traffic Origin Total View for 194.147.16[.]244, zoomed into Russia
Stop Suspicious Connections Before They Impact Your Organization
Trust is a liability in an era where it only costs a few dollars to rent domestic identities and clean residential IPs. Accurate compliance requires more than simply checking a passport; it requires verifying how connections behave on both physical and technical levels. Without the ability to identify upstream points of origin, your defensive readiness remains reactive and incomplete. You risk losing the critical window to block professional fraudsters and “invisible insiders” before they slip past your existing defenses.
Traffic Origin can protect your organization by providing the visibility needed to ensure your KYC (Know Your Customer), AML (Anti-Money Laundering), and fraud workflows are grounded in technical truth rather than digital deception.
When state-sponsored actors use stolen identities and spoofed locations, background checks are not enough to protect your organization. It’s essential to verify that remote employees are physically located where they claim to be.
Silent Push Traffic Origin unmasks deceptive network paths that operatives use to hide their true location. We help you spot the residential proxies and suspicious connection patterns that state-sponsored groups use to bypass traditional geofencing and let you flag high-risk infrastructure and individuals beforean attack occurs.
Interested in Learning More About Traffic Origin?
Connect with our team of preemptive cyber defense experts to get an overview of Traffic Origin and the Silent Push Enterprise Edition platform.
We can provide you with a tailored walkthrough for your specific use case, as well as insights into integrations and API capabilities, as we show you how to neutralize before compromise.
Now SVP at Silent Push and former CEO of HYAS, David Ratner is a seasoned operator who blends technical depth with global leadership to scale SaaS and security companies through complex growth and product reinventions.
Cybersecurity has spent decades perfecting the art of reacting. Faster alerts. Better correlation. More automation once something has already gone wrong. Automated playbooks and the power of agentic AI to make these reactions nearly automatic.
But the attacks didn’t stop, and in many ways have actually accelerated. Breaches continued. We continue to be plagued by financial, reputational, and other damage caused by these attacks. Even human life is impacted.
There is one simple but uncomfortable truth: by the time most security tools alert, the attacker has already won. We’re detecting what they’ve done, and either hoping we can see it and stop it before real damage ensues, or hoping we can now put it on some deny list to protect other organizations before they are similarly impacted. Strategies that depend on hope are neither practical nor pragmatic or reliable. The only real durable advantage defenders can reclaim is time – how fast can they react. To really implement a reliable, effective strategy that doesn’t rely on hope, one needs to see intent before compromise.
That belief is why HYAS becoming part of Silent Push makes so much sense – not just strategically, but philosophically.
Silent Push: Turning Signals Into a Living Context Graph
Where HYAS brought unique and exclusive adversary infrastructure data, Silent Push brings something equally, if not more important: deep expertise in both assembling disparate signals into a coherent, explainable wholecontext graph, and providing the clear, understandable outcome of “what does this mean” and “what you should do.”
Silent Push’s core strength is not just collecting data; it’s connecting it, discerning the patterns, and either providing outcomes and finished intelligence or providing the raw data and access to the context graph for analysts to perform their own investigations and generate their own outcomes.
Because when you study infrastructure at scale, and continually over time, you stop chasing indicators and start recognizing patterns and intent. The common thread across all of this work is simple: future attacks have specific fingerprints that you can see before they strike.
By combining both HYAS data and Silent Push capabilities, spanning global Internet telemetry, change detection, infrastructure fingerprints, and threat research, into a continuously evolving Context Graph, Silent Push enables security teams to see:
How infrastructure relates, not just whether it’s malicious
How attacker preparation unfolds over time
How small, early changes signal future risk
How patterns repeat across actors, regions, and campaigns
This is what turns raw intelligence into decision advantage.
For those who are focused on their specific mission and task, whether that is proprietary investigations, detection of digital fraud, ensuring compliance from an AML/KYC perspective, or even detecting fake workers trying to enter the organization, the Context Graph provides the ability to rapidly answer the hard questions. For those deploying Agentic AI within their processes, the Context Graph provides the data required for AI to make the right decisions.
And for those looking to counter the next attack before it happens, Silent Push provides easy-to-understand and proven Indicators of Future Attack™ (IOFA™) – signals that are:
Explainable
Defensible
Actionable before compromise
The combination of HYAS and Silent Push provides not just the data investigators need but the complete understanding, context, and finished intelligence that users need to operationalize it. Or, as one Head of Threat Intelligence at a Fortune 100 company put it:
“We think this combination is going to be incredibly powerful.”
They’re right – because the combination is unique, rare, and unparalleled in power.
Why Preemptive Defense Is No Longer Optional
Attackers don’t wake up and compromise an enterprise, commit fraud, move money to a sanctioned nation, sneak a spy into your organization, or otherwise commit illicit actions in a single step. They prepare.
They register infrastructure. They test hosting. They rotate certificates. They stage domains. They adjust configurations. They probe quietly.
All of that happens before a phishing email is sent. Before malware is delivered. Before ransomware detonates. Before the action occurs.
And reactive security tools are blind during this phase.
Preemptive cyber defense isn’t about predicting the future. Prediction is always fallible to false positives and false negatives. Preemptive cyber defense is about recognizing preparation. It’s about neutralizing threats before they become incidents, investigations, headlines, or board-level crises based on fact-based decisions.
This is the shift from:
Responding faster → Seeing earlier
Blocking artifacts → Disrupting intent
Counting alerts → Measuring time advantage
And it doesn’t matter if you have people or AI responding to your alerts. Regardless of the speed of reaction, every organization requires this combination to really defend itself, and every investigative unit needs this combination to see what criminals and nation states try to obfuscate.
Introducing Traffic Origin
The Silent Push acquisition of HYAS has led to a powerful new capability: Traffic Origin. Silent Push Traffic Origin shifts your security posture from reactive to proactive by exposing the true upstream country-of-origin of the adversary, whether they are hiding via residential proxy, laptop farm, VPN or other obfuscation techniques.
By providing origin certainty where other tools see only obfuscation, Traffic Origin allows investigators to identify high-risk remote sessions before they escalate into attacks or credential theft.
Right Team, Right Moment
Joining Silent Push isn’t about just some acquisition.
It’s about assembling the pieces of a new category. Together, Silent Push + HYAS enables security teams to act before damage occurs – not after. It enables AML and KYC teams to make proactive and preemptive decisions. It enables organizations to know what criminals are trying to hide, and enables investigators to find and see what their targets don’t want them to.
For customers, this means fewer incidents, less chaos, and real strategic advantage. For practitioners, it means working on problems that actually matter. For the industry, it means finally breaking the endless loop of reactive defense.
Preemptive cyber defense isn’t a slogan. It’s the next evolution of how security has to work.
And this combination is built to lead it.
If you’d like to learn more about Traffic Origin and the Silent Push preemptive cyber defense platform, you can get a 1:1 walkthrough with us here.
We’re well into the new year and moving fast with our latest updates. This month, we’re closing the visibility gaps that modern adversaries use to bypass traditional geo-fencing and identity controls with the launch of Silent Push Traffic Origin.
By exposing the true upstream country-of-origin behind residential proxies, VPNs, and laptop farms, Traffic Origin provides “origin certainty” for KYC, KYE, AML, and fraud workflows. This allows investigators to identify high-risk sessions earlier, improving regulatory compliance and avoiding the fines associated with sanctioned-region access and identity deception.
Traffic Origin
Traffic Origin unmasks the infrastructure behind residential proxies, VPNs, and laptop farms. It allows security teams to identify the high-risk or sanctioned region where a session originates, even when the surface IP appears domestic or clean.
Upstream Attribution: Safely identify and block “origin mismatches” without disrupting legitimate users.
Sanctioned Region Detection: Flag traffic originating from regions such as the DPRK, Iran, or Russia that is hidden behind obfuscated paths.
Total View Integration: A new tab provides Map and Table views to correlate surface geolocation with hidden upstream links.
Threat Check
Threat Check is now available as a native module in the Silent Push platform, enabling centralized validation of high-volume indicators across multiple data sources
Native IOFA™ Integration: Validate IPs, domains, and hashes against proprietary Indicators of Future Attack™ (IOFA™) feeds.
Consolidated Risk Logic: Threat Check now automatically incorporates Traffic Origin data to detect sanctioned country routing during lookups.
On-Demand Validation: Support for unlimited queries to identify attacker infrastructure before it is used in an active campaign.
Platform Performance
The console has been updated to unify the investigative experience and increase processing speed.
Unified Search: A standalone module that serves as the single entry point for querying all Silent Push data sources.
Asynchronous Processing: Full migration to the latest SPQL version enables faster result delivery without session disruption.
Navigation Update: A redesigned landing page and consolidated similarity data reduce the steps required to pivot between indicators.
Traffic Origin and Threat Check are available now for Enterprise Edition customers. Contact your account team to enable Traffic Origin permissions for your organization.
As organizations expand remote work, cloud access, and third-party connectivity, security and risk teams rely on IP reputation and GeoIP data to support KYC (Know Your Customer), AML (Anti-Money Laundering), KYE (Know Your Employee), and fraud controls. These tools, however, only evaluate the visible entry point of a connection.
When adversaries use residential proxies, virtual private networks (VPNs), or laptop farms, access can appear local even when it is remotely controlled from high-risk or sanctioned regions. This creates a blind spot where hostile activity blends into trusted access.
Address the Gap With Traffic Origin
Designed to address identity obfuscation, Traffic Origin unmasks proxy layers that hide fraudulent hires and state-sponsored actors in modern enterprise environments. Alongside a mix of new capabilities, Traffic Origin is being integrated into the Silent Push platform.
Even when the observed IP and geolocation appear clean, Traffic Origin identifies the upstream of origin behind a connection. Rather than relying on last-hop indicators, it shifts attribution to where web traffic is actually routed and controlled, providing origin certainty where traditional tools cannot.
By exposing upstream origin mismatch, organizations can identify high-risk sessions earlier, detect identity deception missed by existing controls, and intervene before activity escalates into fraud, regulatory exposure, or financial loss.
“Modern adversaries no longer rely on obviously malicious infrastructure,” said Ken Bagnall, Co-Founder and CEO of Silent Push. “They deliberately operate through clean networks to blend in. Traffic Origin gives security teams the ability to see past that deception and make decisions based on where access is actually being controlled.”
Threat Check
Threat Check is a new native module in the Silent Push console. It validates suspicious IPs and domains against continuously mapped attacker infrastructure, including Indicators of Future Attack™ (IOFA™). Customers can ingest their own indicators, run Threat Check across multiple data sources, and review results through dashboards and analytics.
This enables earlier identification of attacker infrastructure, reduces alert noise, accelerates investigations, and provides measurable lead-time metrics that demonstrate return on investment. Traffic Origin serves as an additional data source for Threat Check, providing upstream origin certainty that enhances the detection of identity obfuscation and malicious activity.
The Silent Push standalone platform is also available via API, integrating with a wide range of security tools, including SIEM & XDR, SOAR, TIP, and OSINT, to provide automated enrichment and actionable intelligence.
Interested in Learning More?
Connect with our preemptive cyber defense experts for an overview of the Silent Push Enterprise Edition platform and a demonstration of Traffic Origin and Threat Check.
Using a custom-built SystemBC tracker, Silent Push Preemptive Cyber Defense Analysts identified more than 10,000 unique infected IP addresses as part of this botnet. While we don’t have immediate visibility on any follow-on malware payloads deployed via this current SystemBC botnet, historically, many threat actors have used SystemBC to deploy ransomware on compromised networks, highlighting the importance of remediation.
Our analysis shows SystemBC infections are globally distributed at scale, with the highest concentration of infected IP addresses observed in the United States, followed by Germany, France, Singapore, and India.
We identified SystemBC infections within sensitive infrastructure, including compromised IP addresses hosting government websites in Burkina Faso and Vietnam.
SystemBC command-and-control (C2) infrastructure has been observed leveraging abuse-tolerant bulletproof hosting, including BTHoster (bthoster[.]com) and AS213790 (BTCloud).
Our research uncovered a previously undocumented SystemBC variant written in Perl, indicating continued development activity and ongoing evolution of the malware family.
Executive Summary
First documented publicly in 2019, SystemBC (also known as “Coroxy” or “DroxiDat”) is a long-running, multi-platform proxy malware that converts compromised systems into SOCKS5 proxies—and, in some cases, deploys additional malware.
Serving two primary functions, SystemBC proxies traffic through compromised systems and acts as a backdoor to maintain external access to infected internal networks. Some variants, including the Windows version, have been observed dropping additional malware, often alongside ransomware payloads, to tunnel malicious traffic back to attacker-controlled C2 infrastructure. The result is a resilient, anonymizing design that expands the potential blast radius of a compromise.
In May 2024, SystemBC was among the malware families targeted during Europol’s Operation Endgame, a coordinated effort to disrupt large-scale criminal infrastructure. That attention mirrors years of public reporting linking SystemBC activity to breaches that culminated in ransomware deployment—reinforcing why early detection of this activity matters.
Silent Push began tracking SystemBC in 2025, which led to the development of a SystemBC-specific tracking fingerprint to expand visibility into active infections and supporting infrastructure. Using that fingerprint, our team identified more than 10,000 unique infected IP addresses worldwide. Across the dataset, infections were widespread: the largest concentrations of detected victims appeared in the U.S., followed by Germany, France, Singapore, and India.
The dataset also captured infections in sensitive government environments, such as compromised high-density IP addresses hosting official websites in Burkina Faso and Vietnam. That same analysis revealed a previously undocumented SystemBC variant written in Perl, underscoring that this malware is continuing to evolve.
SystemBC is a multi-platform proxy malware that turns infected systems into SOCKS5 proxies, allowing all kinds of malicious traffic to be sent through them. Also known as “Coroxy” or “DroxiDat,” SystemBC was first documented by Proofpoint in 2019. Upon reviewing several forum posts by the creator, written in Russian, our team believes the creator may be Russian or have ties to the country.
SystemBC is commonly used to proxy traffic through compromised systems or to maintain persistent access to internal networks. In some cases, including observed Windows variants, SystemBC has also been used to deploy additional malware, meaning its presence may indicate broader compromise or follow-on infections on the affected system. When a victim server is compromised, SystemBC uses a custom binary protocol and RC4 encryption to encapsulate SOCKS5 traffic.
Unlike virtual private networks (VPNs), SOCKS/SOCKS5 is a specific internet protocol for proxies. Proxies are versatile network protocols that act as middlemen, or relays, between devices and the internet. They can route internet traffic (TCP, UDP, etc.) for different applications, masking IP addresses to bypass online blocks, access geo-restricted content, and enhance privacy for specific applications. Many threat actors use proxies to hide their real infrastructure from defenders.
Since most infected systems are not directly reachable over the internet, SystemBC employs a “backconnect,” or rotating, architecture: clients connect to the exposed C2 servers, which then relay traffic through the infected systems, acting as proxies. This design enables threat actors to route external traffic through compromised hosts and expose otherwise internal networks to external access, thereby significantly increasing the potential impact of any compromise.
Simple map of SystemBC’s network traffic
Initial Intelligence
Investigations have repeatedly documented SystemBC’s role in intrusions that later escalate into ransomware deployment. SystemBC was targeted during Europol’s Operation Endgame in May 2024, but updates from its developer, “psevdo,” continue to appear on the Russian-language forum forum[.]exploit[.]in. This activity prompted deeper analysis—uncovering a highly active SystemBC C2 cluster, a previously undocumented Perl variant, and a trail of global victims.
Psevdo’s updates are written in Russian, with selected translations shown below:
Screenshot of psevdo’s announcements (in Russian), posted on July 19, 2018
Post-Endgame forum activity shows the codebase continuing to evolve:
Announcement of “Linux bot and C2 server updates” (Russian text translated to English)
Announcement of “global tests and bug fixes” (Russian text translated to English)
The continued forum activity suggests that Operation Endgame did not, in fact, mark the end of SystemBC development.
Same Threat, New Platform
Files we saw communicating with a known C2 in this cluster included an unusual Perl script, which had zero detections across the 62 antivirus engines on VirusTotal.
The SafeObject file is a UPX-packed variant of StringHash. Once unpacked, it recursively hunts for writable directories before dropping and executing 264 embedded SystemBC payloads, including both ELF and Perl variants.
Behavior aside, the dropper is unusually noisy and littered with Russian-language strings—an unscientific but familiar clue about the threat actor’s origins.
Screenshot of Russian strings observed
Where Infections Hit Hardest
Much of the SystemBC C2 infrastructure observed here appears to rely on hosting tied to abuse-tolerant providers, including BTHoster-linked environments and AS213790 (BTCloud). Zeroing in on the AS213790-hosted cluster alone, we identified more than 10,340 distinct victim IP addresses. Activity was steady—averaging roughly 2,888 victim IPs per day—with infections persisting far longer than typical. On average, systems remained infected for 38 days, with some lasting more than 100 days.
The highest concentration of infected systems seen in our analysis was in the U.S., with more than 4,300 affected IPs. Germany (829), France (448), Singapore (419), and India (294) followed.
Global distribution of IP addresses map
ASNs Tied to Victim IP Addresses
Looking at the ASNs tied to victim IPs, this cluster overwhelmingly targets hosting providers rather than residential networks, which helps explain why infections tend to linger—residential IPs typically change far more frequently.
ASN
AS Name
AS Type
19871
NETWORK-SOLUTIONS-HOSTING
Hosting
46606
UNIFIEDLAYER-AS-1
Hosting
22612
NAMECHEAP-NET
Hosting
398101
GO-DADDY-COM-LLC
Hosting
8560
IONOS-AS
Hosting
16509
AMAZON-02
Hosting
16276
OVH
Hosting
24940
HETZNER-AS
Hosting
26496
AS-26496-GO-DADDY-COM-LLC
Hosting
14061
DIGITALOCEAN-ASN
Hosting
Table of the top 10 ASNs tied to victim IP addresses
Reviewing PADNS data led to an unexpected finding: infections tied to multiple government domains. One example surfaced at IP address 103.28.36[.]105, a sizable cloud host that was also found hosting phutho.duchop[.]gov[.]vn, a Vietnamese provincial government website.
Silent Push Total View of IP address 103.28.36[.]105
Silent Push Total View of domain phutho.duchop[.]gov[.]vn
Screenshot of phutho.duchop[.]gov[.]vn website
IP address 196.13.207[.]92, meanwhile, was linked to domains associated with the Government of Burkina Faso in West Africa.
Screenshot of IP address 196.13.207[.]92 revealing ties to the Burkina Faso government
Screenshot of concours[.]gov[.]bf website
Many infected IP addresses have been reported in VirusTotal comments for engaging in WordPress exploitation activity. Taken together, these observations indicate that threat actors are using SystemBC-associated proxies to target WordPress websites.
Interested in Learning More About Preemptive Cyber Defense?
Our enterprise customers have access to the exclusive report we created for the SystemBC botnet family. If you would like to learn more about our capabilities for tracking adversarial frameworks—or how you can hunt for them on our platform—we encourage you/your organization to reach out to our team for a demonstration of Silent Push cyber defense technology.
Connect with our platform experts for an overview of the Silent Push Enterprise Edition platform. We are happy to provide you with a tailored walkthrough for your specific use case, along with insights into integrations and API capabilities.
Mitigation
SystemBC-associated infrastructure presents a sustained risk due to its role early in intrusion chains and its use across multiple threat actors. Proactive monitoring is critical, as activity tied to SystemBC is often a precursor to ransomware deployment and other follow-on abuse.
Our analysts have developed SystemBC-specific Indicators of Future Attack™ (IOFA™) feeds to help identify related infrastructure and emerging variants before they cause downstream impact. These feeds include:
SystemBC C2 Domains
SystemBC C2 IPs
SystemBC Infected IPs
The IOFA™ feeds are available as part of a Silent Push Enterprise subscription. Enterprise users can ingest this data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.
Ready to dive deeper into the world of preemptive cyber defense? Take our technology for a test drive with the free Silent Push Community Edition today.
Our threat intelligence and research teams will continue to track the SystemBC malware while expanding our understanding of the code variants, victims, and methods for monitoring the associated infrastructure. We believe SystemBC remains an active threat to major enterprises and expect the Tactics, Techniques, and Procedures (TTPs) of the multiple threat actors leveraging this malware to continue evolving indefinitely.
If you or your organization has any information to share regarding the findings of this report, we would love to hear from you.
A massive identity-theft campaign is currently active, targeting Okta Single Sign-On (SSO) and other SSO platform accounts across 100+ high-value enterprises.
Silent Push has identified a surge in infrastructure deployment that mirrors the TTPs (Tactics, Techniques, and Procedures) of SLSH—a predatory alliance between Scattered Spider, LAPSUS$, and ShinyHunters. This isn’t a standard automated spray-and-pray attack; it is a human-led, high-interaction voice phishing (“vishing”) operation designed to bypass even hardened Multi-Factor Authentication (MFA) setups.
The Threat: SLSH “Supergroup”
SLSH (Scattered LAPSUS$ Hunters) is an aggressive cybercrime group that emerged from “The Com” ecosystem. By merging Scattered Spider’s social engineering expertise with LAPSUS$’ extortion models, they have created a sophisticated initial access strategy that targets enterprise organizations through their identity providers.
The primary infrastructure being used is a new “Live Phishing Panel.” This allows a human attacker to sit in the middle of a login session, intercepting credentials and MFA tokens in real-time to gain immediate, persistent access to corporate dashboards.
Critical Target List (Last 30 Days)
If your organization is listed below, Silent Push has detected active targeting or infrastructure preparation directed at your domain within the last month.
Amway, Carvana, Do it Best, GameStop, Murphy USA, Sargento Foods, Sonos, Spin Master, Lamb Weston.
Insurance
HBF Health, Mercury Insurance, Risk Strategies.
Legal Services
Jones Day, Paul Hastings LLP, Perkins Coie.
Media, Education & Hospitality
Cengage, Choice Hotels, Hearst.
Telecommunications
Telstra.
Why Immediate Action Is Required
Standard security awareness training often fails to stop this specific threat. SLSH operators are highly persuasive, frequently calling help desks and employees while simultaneously manipulating a live phishing page to match the victim’s specific login prompts.
The Risk
Total SSO takeover: Once an Okta or another SSO provider’s session is hijacked, the attacker has a “skeleton key” to every app in your environment.
Data extortion: Following the LAPSUS$ playbook, these actors prioritize rapid data exfiltration for public extortion.
Lateral movement: The attackers use the initial SSO breach to move into internal communications (such as with Slack or Teams) to social-engineer higher-privilege admins.
Data encryption: A final step in an SLSH attack after data exfiltration is often to encrypt enterprise data and then blackmail organizations into paying ransom to acquire decryption keys.
Defensive Requirements
Organizations should not wait for a breach notification and immediately:
Warn customer support and employees about ongoing SLSH attacks: The best way to prevent unexpected vishing campaigns from succeeding is to alert your employees about ongoing attacks targeting your company. If someone receives any suspicious messages, calls, or emails during this time, they should be immediately escalated to managers and security teams for review.
Audit Okta system and other SSO provider logs: Hunt for “New Device Enrolled” events immediately followed by a login from an unfamiliar IP address.
Deploy pre-attack intelligence: Silent Push identifies these attack surfaces at the DNS level before vishing calls begin. Use of Silent Push Indicators of Future Attack™ (IOFA™) feeds can block malicious look-alike domains before they go live.
FAQs
What is the SLSH threat group? SLSH is a cybercriminal alliance of Scattered Spider, LAPSUS$, and ShinyHunters, specializing in vishing, SSO credential theft, and ransomware campaigns.
How does a live phishing panel work? It allows an attacker to intercept MFA tokens and login credentials in real-time, enabling them to bypass security prompts while the victim is on the phone.
How can I protect my Okta or other SSO provider account from vishing? The most effective defense is to use phishing-resistant MFA (FIDO2) and to verify all IT support calls through an official out-of-band channel.
Launch of Traffic Origin provides first dedicated defense layer against state-sponsored identity fraud and “laptop farm” infiltrations
Reston, VA, January 22, 2026—Silent Push, a leading preemptive cybersecurity vendor, today announced the debut of Traffic Origin, a unique cybersecurity solution that shifts an organization’s security posture from reactive to proactive by exposing the true upstream origin of adversaries—whether they are hiding via residential proxy, laptop farm, virtual private network (VPN), or other obfuscation technique.
Silent Push Traffic Origin continues the company’s mission to give defenders the advantage by providing origin certainty where other defensive tools see nothing but obfuscation. Traffic Origin allows investigators to identify high-risk remote sessions before they escalate into attacks or credential theft.
Traffic Origin Key Capabilities and Detection
Traffic Origin unmasks the “masking layer” of state-sponsored and cyber criminal actors through three core pillars:
Upstream Traffic Discovery: Goes beyond the surface to reveal the true origin of web traffic. Traffic Origin identifies the “Countries Connected” to an IP, analyzing upstream routing sources, IP address reputation and density, as well as host diversity and categorization (VPN, proxy, Tor, or residential proxy).
High-Confidence Risk Indicators: Eliminate analyst guesswork. Traffic Origin provides a definitive indicator when a residential proxy is routing traffic from sanctioned or high-risk countries (such as DPRK/North Korea, Iran, or Russia).
Total View Context: Visual correlation within the Silent Push platform. See the “UK” or “US” flag on an IP while simultaneously viewing the direct link to upstream traffic from high-risk zones.
“Silent Push Traffic Origin empowers organizations to detect if seemingly legitimate web traffic is actually being routed from high-risk regions or adversary-controlled infrastructure,” said Ken Bagnall, Co-Founder & CEO at Silent Push. “This gives security teams the immediate capabilities to mitigate fraud, identify high-risk logins, vet remote workers, and improve processes of Know Your Customer (KYC) and Anti-Money Laundering (AML).”
The “Invisible” Insider Threat that Organizations Face
Traditional cyber defense is inherently reactive, detecting attacker infrastructure only after it is used in an attack. Today’s most sophisticated adversaries, especially DPRK (North Korea) IT workers, exploit this lag by “hiding in plain sight.”
A significant example of this threat actor behavior is the use of fraudulent personas to gain legitimate employment, followed by the use of sophisticated obfuscation techniques to bypass geographic restrictions, which include:
Laptop Farms: U.S.-based facilitators host company laptops accessed via hardware KVM switches.
Residential Proxies: Masking true locations (often sanctioned jurisdictions) to appear as local, domestic residential traffic.
Infrastructure Mimicry: Using valid credentials and domestic IPs to bypass standard Conditional Access and MFA policies.
The result is high-risk actors that appear as legitimate remote employees, creating a devastating insider threat that traditional defenses cannot detect.
To learn more, start a conversation with Silent Push preemptive cyber defense experts and Book a Demo to see how we can help you uncover attacker infrastructure by searching smarter, faster, and with greater confidence.
About Silent Push
Silent Push is a preemptive cyber defense company. It is the first and only solution to provide a complete view of emerging threat infrastructure in real time, exposing malicious intent through its Indicators Of Future Attack™ (IOFA™) data, enabling security teams to proactively block hidden threats and avoid loss. The Silent Push standalone platform is also available via API, integrating with various security tools, including SIEM & XDR, SOAR, TIP, and OSINT, providing automated enrichment and actionable intelligence. Customers include some of the world’s largest enterprises within the Fortune 500 as well as government agencies. A free Community Edition is available. For more information, visit www.silentpush.com or follow on LinkedIn and X.
![Traffic Origin Total View for IP 205.198.91[.]155](https://www.silentpush.com/wp-content/uploads/to-1-image-20260122-191624.png)
![DNS A Records Mapped to the domain lvcha[.]in for IP address 205.198.91[.]155](https://www.silentpush.com/wp-content/uploads/to-2-image-20260122-163924.png)
![Total View for lvcha[.]in showing registrar and metadata highlights](https://www.silentpush.com/wp-content/uploads/to-3-image-20260122-171235-1.png)
![Translated website for the LVCHA VPN at lvcha[.]in](https://www.silentpush.com/wp-content/uploads/to-4-image-20260122-171655.png)
![Total View Web Search results for lvcha[.]in](https://www.silentpush.com/wp-content/uploads/to-5-image-20260122-171924.png)
![Expanded Web Search results for lvcha[.]in](https://www.silentpush.com/wp-content/uploads/to-6-image-20260122-172209.png)
![Traffic Origin Total View for 205.198.91[.]136](https://www.silentpush.com/wp-content/uploads/to-7-image-20260122-175450.png)
![Traffic Origin Total View for 205.198.91[.]136, zoomed into Ukraine](https://www.silentpush.com/wp-content/uploads/to-8-image-20260122-175834.png)
![Traffic Origin Total View highlight for 194.147.16[.]244](https://www.silentpush.com/wp-content/uploads/to-9-image-20260122-181128.png)
![Traffic Origin Total View for 194.147.16[.]244](https://www.silentpush.com/wp-content/uploads/to-10-image-20260122-181333.png)
![Traffic Origin Total View for 194.147.16[.]244, zoomed into Russia](https://www.silentpush.com/wp-content/uploads/to-11-image-20260122-181807.png)
![Silent Push Total View of IP address 103.28.36[.]105](https://www.silentpush.com/wp-content/uploads/sysbc-image-10-total-view-screenshot.png)
![Silent Push Total View of domain phutho.duchop[.]gov[.]vn](https://www.silentpush.com/wp-content/uploads/sysbc-image-11-phuto-total-view.png)
![Screenshot of phutho.duchop[.]gov[.]vn website](https://www.silentpush.com/wp-content/uploads/sysbc-image-12-phuto-site.png)
![Screenshot of IP address 196.13.207[.]92 revealing ties to the Burkina Faso government](https://www.silentpush.com/wp-content/uploads/sysbc-image-13-table-burkina-faso.png)
![Screenshot of concours[.]gov[.]bf website](https://www.silentpush.com/wp-content/uploads/sysbc-image-14-concours-bf.png)
![Screenshot of 202.142.184[.]234 on VirusTotal](https://www.silentpush.com/wp-content/uploads/sysbc-image-15-202-142-184-234.png)
![Screenshot of 148.113.208[.]227 on VirusTotal](https://www.silentpush.com/wp-content/uploads/sysbc-image-16-148-113-208-227.png)
![Screenshot of 103.112.211[.]167 on VirusTotal](https://www.silentpush.com/wp-content/uploads/sysbc-image-17-103-112-211-167.png)
