What Is Preemptive Threat Intelligence?

Preemptive Threat Intelligence is the practice of identifying threat infrastructure as it’s being set up, and before an adversary launches an attack. 

The data used in Preemptive Threat Intelligence provides teams with the ability to proactively respond to threats using enhanced insights, feeds and automated queries that reveal known and hidden infrastructure. 

In this blog, we’ll explore the concept of preemptive threat intelligence by explaining how much of global threat infrastructure is known at any one time, and the need for organizations to adopt a preemptive approach to threat intelligence, before explaining how Silent Push is helping organizations to detect and block hidden threats quicker and more effectively with its unique Indicators of Future Attack™.

Did you know that only 2% of threat infrastructure is known? 

Most security teams rely on inadequate threat intelligence data that does not reveal the full extent of an attack. 

As little as 2% of the infrastructure used by a threat actor in an attack is being tracked at any given point in time, with the remainder lurking under the surface and out of reach of traditional detection methods. 

Known and hidden threat infrastructure

This means that cyber defenders and threat hunters are operating mostly in the dark, as they attempt to understand where attacks originate from, and where they may appear next. 

Organizations need to have the ability to go beyond the 2% that’s easily detectable, and dive under the surface of the water to establish just how far down the iceberg goes – and what it’s actually made of – to make sure they’re better positioned to prevent a breach. 

Why is 98% of threat infrastructure hidden? 

Like any criminal, threat actors continually change their attack strategies to cover their tracks, and avoid detection. 

They understand and monitor traditional approaches to security that rely on stale lists (feeds) of domains and IPs that tell teams where an attack has BEEN, rather than where it’s coming FROM, and are constantly cycling through large amounts of infrastructure to cover their tracks. 

These feeds do not contain all the linked infrastructure used by a threat actor, and only contain publicly known Indicators of Compromise (IOCs).

What if you could take one piece of infrastructure that is currently visible in an attack, and get insight on how it’s moved across the Internet, along with all the other pieces of Internet data it’s associated with, how it’s hosted (or has ever been hosted), and how it all fits together? 

These are the elements that are impossible for teams to reveal using a standard approach, and this is what makes up the 98% that’s currently hidden to the rest of the security industry. 

Why are organizations adopting Preemptive Threat Intelligence? 

Let’s use an analogy. You’re lucky enough to own a large house, on a sprawling estate, with multiple potential entry points dotted around that need to be monitored and secured 24/7. 


Would you rather rely on an alarm system that tells you when an intruder is at the door (or worse still, when they’re in your house), or would you prefer to get alerted when they’re on their way and before they get anywhere near your neighborhood, so that you can stop them before they get to you? 

This is why security teams are pivoting away from legacy “at the gates” detection mechanisms. 

Preemptive Threat Intelligence data needs to deliver a cyber early warning system that stops criminals before they arrive at your organization’s digital front door – wherever that may be. 

How Silent Push Preemptive Threat Intelligence exposes threats and minimizes the risk of an attack 

Silent Push was started in 2020 by security industry veterans to improve the world’s ability to counteract global cybercrime. 

Our founders are determined to provide the most innovative solution to address the growing imbalance of security teams wasting time and resources fumbling around for information on hidden threat infrastructure, and increasing their organization’s exposure to an attack. 

Silent Push is the first and ONLY cybersecurity platform to deliver Indicators Of Future Attack (IOFA)™ – immediately actionable preemptive threat intelligence data that informs teams where attacks are coming FROM, in addition to where they have been. 

Our early warning system stops the burglar from ever entering your neighbourhood, let alone your property, by giving your teams the ability to locate the 98% of threat infrastructure that they aren’t currently able to pinpoint. 

We do this by mapping out the relationship between billions of Internet data points using proprietary technology that gives security teams a 360-degree picture of any given attack landscape. 

Learn more about our unique approach to Preemptive Threat Intelligence 

Find out how your organization can use Preemptive Threat Intelligence to reveal hidden infrastructure and stop attacks at source.

Contact us here for more information.

ITSDI Silent Push Partnership

ITSDI Partners with Silent Push Offering Preemptive Global Threat Intelligence to Avoid Loss 

Attacker Behaviors are Exposed Before They Strike Through Indicators of Future Attack (IOFA) Data from Silent Push 

Manila, Philippines, February 10, 2025. Information Technology Security Distribution, Inc. (ITSDI), a cybersecurity distributor, announced today its partnership with Silent Push to offer early global threat detection services to its customers to block unknown attacks, stop breaches and minimize financial risk. 

Organizations find it’s difficult to stay ahead of cyber threats. Without preemptive cyber defense, they’re exposed and vulnerable to hidden adversary infrastructure. Silent Push provides a complete view of emerging threat infrastructure in real-time, revealing cyber-attackers and malicious intent all within a single platform.  

Luichi Robles, President of ITSDI, stated, “Silent Push shares in our mission to ensure the freedom and safety of cyberspace by strengthening our customers’ cyber security posture. The unique approach from Silent Push is a game changer for our customers. Its TTP-led cyber defense acts as an early warning system so our customers can gain visibility and quickly action to protect their organization.” 

“All too often legacy solutions just rely on Indicators of Compromise (IOC) with limited visibility and missing data. We go beyond IOCs and expose Indicators of Future Attack through our proprietary behavioral threat modeling; allowing security teams to identify detailed and unique patterns that reveal attacker campaigns before they even start—neutralizing threats and avoiding loss,” said Ken Bagnall, Silent Push CEO. “We welcome this partnership with ITSDI in the Philippines to help organizations quickly pinpoint malicious actors and disrupt their plans,” added Ken Bagnall. 

ITSDI encourages its customers to experience the power and effectiveness of the Silent Push preemptive threat intelligence solution through the free community edition. Learn more here.

About ITSDI 

Information Technology Security Distribution, Inc. (ITSDI) is a cybersecurity distributor in the Philippines. With over 90 years of combined information and communications industry experience, it delivers the most innovative and cutting-edge cybersecurity solutions available to help its customers strengthen their security posture. ITSDI is committed to meeting the demands of the evolving cyber threat landscape. It offers a holistic approach to cybersecurity enabling organizations to proactively protect against threats and adversaries and comply with the Data Privacy Act of 2012. For more information, visit www.itsdi.com.ph. 


Ready to dive deeper into the world of preemptive threat intelligence? Begin your journey with the Silent Push free Community Edition today.

WHOIS scanning in Silent Push Community Edition

In this blog, we’ll show you how to use Silent Push Community Edition’s WHOIS scanning feature to locate and traverse threat infrastructure, using a WHOIS fingerprint that enables fast and accurate tracking of attacker Tactics, Techniques and Procedures (TTPs).

We’ll start by explaining the concept of WHOIS data and how security teams can utilize WHOIS intelligence to defend against attacks, before showing you how to pivot across data with a simple WHOIS scan that uses a domain owner’s email address as the starting point.

Sign-up to Silent Push Community Edition

Silent Push Community Edition is a free threat hunting and cyber defense tool, featuring a range of advanced queries and lookups, that outputs known and hidden threat infrastructure.

What is WHOIS data?

WHOIS is a publicly accessible database containing information on the ownership, registration, and administrative details of a domain.

When someone registers a domain (the “registrant”), they need to provide contact details and other relevant information to the company that facilitates the registration (the “registrar”).

This data is then made available through various WHOIS lookup tools, which allow any interested parties – including security teams – to query a domain name, and retrieve details about the registration.

The global WHOIS system performs three key functions:

  • Accountability: Ensures that domain owners can be contacted in case of legal, technical, or business issues.
  • Cybersecurity and threat hunting: Tracking illegal activities related to domain usage, including domain spoofing, fraud, or copyright infringement.
  • Technical support: Diagnosing domain-related issues, and DNS problems.

WHOIS data privacy

“WHOIS privacy” is a service offered by registrars that masks a domain owners’ personal information in the public WHOIS database, by using a proxy service to hide the real owner’s details and display generic responses in its place.

The legitimate purpose of WHOIS privacy is to counteract spam, identity theft, and harassment, but threat actors use the facility to evade detection and prevent security teams from tracking their activity.

How is WHOIS scanning used in cybersecurity?

Security Operations Centre (SOC) and Incident Response (IR) teams use WHOIS data to identify and analyze malicious domains, and gather intelligence that can be used to perform additional scans that reveal even more threat infrastructure.

Let’s take a look at some common use cases…

Identifying linked threat activity

WHOIS data includes information on the domain owner – such as the email they used to register the domain – and any nameservers associated with a domain.

Threat hunters use this data to locate other domains registered by the domain owner, or hosted on the same IP infrastructure using additional DNS queries.

If a domain shares the same WHOIS or DNS characteristics as a known malicious domain, this can be an indication of linked threat activity.

Correlating registration dates and patterns

Security teams use domain registration and expiration dates to detect suspicious activity, based on how long a domain has been in operation.

Recently registered domains are more likely to be used in an attack. Threat actors register new domains for short-term campaigns to counteract traditional IOC-based defense mechanisms that rely on lists of publicly known infrastructure.

Short-lived domains that are quickly registered and then allowed to expire (or disappear after use) are often used as disposable domains in a variety of threat campaigns, such as brand impersonation and typosquatting attacks.

Targeting suspicious domain registrars

Certain domain registrars are used by threat actors because they have lax verification procedures, and operate with poor security policies that ignore domain takedown requests.

Such registrars also allow the purchase of domains at low cost and in bulk, allowing threat actors to deploy large amounts of domains in a single campaign that hinders detection.

Threat hunters are able to identify these registrars, and traverse across elements of their hosting infrastructure to locate malicious infrastructure.

WHOIS scanning with Silent Push

WHOIS information is a useful starting point in an investigation into named or unknown threat activity, but retrieving and using WHOIS data at scale, in a way that makes it easy to perform additional DNS and content-based pivots across an enriched dataset that complements the original scan, can be difficult to achieve.

Available scanning fields

All Silent Push subscription tiers – including Community Edition – feature a built-in WHOIS Scanner, that returns WHOIS infrastructure using a combination of the following data types:

  • address: Address associated with the owner, including fields for each line of the address (e.g. state and zip_code)
  • created: Date and time the domain was registered on
  • domain: The final domain the original domain resolves to
  • email: Email of the registered domain owner
  • expires: Date and time the domain is set to expire, unless it’s renewed
  • name: Given name of the domain registrant
  • nameserver: The nameserver used to connect the domain name to the host’s IP
  • ns_hash: Searchable hash of the nameserver and domain
  • organization: Name of the organization that the domain is associated with
  • registrar: Registrar associated with the domain
  • scan_date: Date the domain was scanned by Silent Push

Once you’ve executed a scan, you can one-click pivot across the results set to reveal additional intelligence linked to your original scanning parameters – including all associated DNS records and IP addresses – or drill down into the results by including or excluding key pieces of data.
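The pivots described in this section (registrant email, then shared nameserver, then registration-date triage) can be walked by hand once the scanner's rows are exported. The following is an added example, not Silent Push code or its API: it runs the same walk over a few constructed WHOIS records that use the field names listed above; every email, domain, nameserver, registrar and date in it is made up.

```python
# Added example (not Silent Push code): a minimal WHOIS pivot over constructed
# records using the scanner's field names (email, domain, created, expires,
# nameserver, registrar). All values below are made up sample data.
from datetime import date, datetime

AS_OF = date(2025, 2, 1)  # the "scan_date" we evaluate ages against (assumed)

WHOIS_RECORDS = [
    {"email": "reg-1@example.test", "domain": "first-sample-cu.test",
     "created": "2025-01-03", "expires": "2026-01-03",
     "nameserver": "ns1.sample-ns.test", "registrar": "Registrar A"},
    {"email": "reg-1@example.test", "domain": "second-sample-cu.test",
     "created": "2025-01-21", "expires": "2026-01-21",
     "nameserver": "ns1.sample-ns.test", "registrar": "Registrar A"},
    # WHOIS-privacy proxy hides the registrant, but the nameserver still links it
    {"email": "privacy@proxy.test", "domain": "third-sample-bank.test",
     "created": "2025-01-22", "expires": "2025-02-22",
     "nameserver": "ns1.sample-ns.test", "registrar": "Registrar B"},
    {"email": "someone@legit.test", "domain": "old-legit-site.test",
     "created": "2015-06-01", "expires": "2027-06-01",
     "nameserver": "ns1.legit-dns.test", "registrar": "Registrar A"},
]

def _d(s: str) -> date:
    return datetime.strptime(s, "%Y-%m-%d").date()

def pivot_by_email(records, email):
    """Seed pivot: every domain registered with the same registrant email."""
    return sorted(r["domain"] for r in records if r["email"].lower() == email.lower())

def pivot_by_nameserver(records, seed_domain):
    """Second hop: domains sharing the seed's nameserver, seed itself excluded."""
    seed = next(r for r in records if r["domain"] == seed_domain)
    return sorted(r["domain"] for r in records
                  if r["nameserver"] == seed["nameserver"] and r["domain"] != seed_domain)

def domain_age_days(record, as_of=AS_OF):
    """Days since registration; recently registered domains carry more risk."""
    return (as_of - _d(record["created"])).days

def registration_lifetime_days(record):
    """created -> expires span; a one-year or shorter window suits a disposable domain."""
    return (_d(record["expires"]) - _d(record["created"])).days

def flag_disposable(records, as_of=AS_OF, max_age_days=30, max_lifetime_days=366):
    """Recently registered AND short registration window -> likely disposable."""
    return sorted(r["domain"] for r in records
                  if domain_age_days(r, as_of) <= max_age_days
                  and registration_lifetime_days(r) <= max_lifetime_days)

def expand_from_email(records, email, as_of=AS_OF):
    """Full walk: email pivot, nameserver pivot from each hit, then age triage."""
    seeds = pivot_by_email(records, email)
    linked = set(seeds)
    for d in seeds:
        linked.update(pivot_by_nameserver(records, d))
    linked_records = [r for r in records if r["domain"] in linked]
    return {"linked": sorted(linked), "disposable": flag_disposable(linked_records, as_of)}

if __name__ == "__main__":
    print(expand_from_email(WHOIS_RECORDS, "reg-1@example.test"))
```

The thresholds (30 days old, at most one year of registration) are assumptions for the example; tune them to your own baseline of legitimate registrations.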

WHOIS scanning example: registrant email address

The registrant email [email protected] is associated with financial scams that attempt to spoof known and fake credit unions, and banking sites.

Executing a WHOIS Scan on the email address reveals a timestamped list of domains set up by the threat actor, mostly via a legitimate registrar (NameSilo), with Silent Push risk scores attached to each returned domain.

All of these domains are involved in financial threat activity, linked to the same registrant email address:

Results table

You can use the column view to display or omit data fields from the results table:

Adjusting columns on a scan

Executing a Live Scan on one such domain (phoenixvaultcreditunion.com) from within the WHOIS scanning results table reveals live infrastructure, with an expandable screenshot and additional data, including the domain’s HTML title and a favicon (if present):

Live Scan of a domain

You can use the same pivot box to execute a range of additional queries and lookups that provide a wealth of additional information on the target domain, without leaving the WHOIS scanning screen:

  • Web Scanner: A powerful tool that uses 150+ data fields to discover infrastructure that shares the same set of characteristics – including HTML body data, certificate information, favicons, server-returned data, and a lot more
  • Passive DNS: Get an immediate and complete list of all current and historic DNS records associated with the domain
  • Total View: Provides a detailed overview of all the infrastructure associated with the domain, including how it’s moved across the global IP space over time
  • Save To: Add the domain to an existing or new IOFA™ Feed
  • Takedown: Request that the domain be taken down, based on its status as an IOFA

WHOIS scanning history

Once you’ve identified a malicious domain, you can quickly jump into the WHOIS History feature to get a timestamped table of changes to the domain’s WHOIS records.

This allows you to evaluate the Tactics, Techniques and Procedures (TTPs) used by a threat actor as they deploy their infrastructure, track similar patterns, and proactively block attacks.

Here’s the WHOIS history for phoenixvaultcreditunion.com, with WHOIS changes displayed as the data type, and date of the change underneath a graphical timeline:

Historical timeline of WHOIS changes

Sign-up to Silent Push Community Edition

WHOIS Scanning is included in Silent Push Community Edition, a free threat hunting and cyber defense tool featuring a range of advanced queries and lookups, that allows users to locate known and hidden threat infrastructure.


Threat Actors Still Leveraging Legit RMM Tool ScreenConnect for Persistence in Cyberattacks

Key Summary

  • Silent Push Threat Analysts recently observed a rise in the use of ScreenConnect, a remote monitoring and management (RMM) tool, on bulletproof hosts (BPHs). This raises suspicion that threat actors have continued to leverage legitimate software to gain access and control over victims’ endpoints.
  • We published our first blog post on ScreenConnect threats in October 2022, which CISA cited in a January 2023 advisory. Since then, we have been tracking the ScreenConnect exploit for CVE-2024-1709, which threat actors have been widely abusing. 
  • Our discovery of a suspicious domain, filessauploaderchecker[.]com, in the Silent Push Web Scanner, led us to further explore for malicious intent.
  • As we continue investigating, we believe potential attackers have been using social engineering to lure victims into installing legitimate software copies configured to operate under the threat actor’s control.
  • Today, we are sharing an update on a threat actor group’s campaign that is abusing ScreenConnect to target Social Security recipients, which was first covered in 2024 by other security researchers.  

Initial Intelligence

Organizations typically use a single RMM tool to manage their IT assets. However, the discovery of legitimate RMM tools used in cyberattacks can be complicated, as third-party suppliers sometimes use a different RMM tool than their clients when performing technical support or other legitimate activities.

The ScreenConnect software agent typically has a generic name like “ScreenConnect.Client[.]exe” or a similarly structured company-branded name if it has been customized by a subscribing organization. Our research uncovered a suspicious filename that deviates significantly from those conventions, suggesting it has been deliberately altered.

The observed filename from the domain filessauploaderchecker[.]com, captured on VirusTotal (WARNING: this file is likely malicious), raises even more suspicion of malicious intent. The full file name appears as: “Recently_S_S_A_eStatementsForum_Viewr66985110477892_Pdf[.]Client[.]exe”

Our team noted the file name includes the keyword “S_S_A,” a potential reference to “SSA,” aka the Social Security Administration, and the keyword “eStatements,” which alludes to a document someone could be requested to review. The lure essentially appears to be an eStatement from the Social Security Administration—and it is not a PDF but an executable file.

Closer examination of the file reveals it includes terms such as “eStatements,” “Forum,” “Viewr,” and “Pdf[.]client,” which appear to have been designed to resemble document viewing or financial statements. The terms are irrelevant to ScreenConnect agents and are likely crafted to mislead users into thinking the file is harmless.
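The naming observations above (a stock "ScreenConnect.Client.exe" or company-branded name versus a stem stuffed with document-lure words, a "Pdf" disguise on an .exe, and a long digit run) can be turned into a simple triage check for endpoint or mail-gateway logs. The function below is an added example, not Silent Push code or its fingerprint; the lure word list, weights and threshold are this example's own assumptions, and it accepts defanged "[.]" names as written in this post.

```python
# Added example (not Silent Push code): score how far a ScreenConnect client
# filename departs from the stock naming convention and which document-lure
# words it carries. Keyword list, weights and threshold are assumptions.
import re

CLIENT_SUFFIX = ".client.exe"
# Lure words observed in the post, lower-cased; "ssa" and "viewr" mirror the
# sample name. "ssa" as a bare substring is a weak signal on its own, so it
# only adds weight alongside the other indicators.
LURE_WORDS = ("ssa", "estatement", "pdf", "viewr", "viewer", "forum", "document")
DOC_TYPES = ("pdf", "doc", "xls")   # document types that do not belong in an .exe stem

def normalise(stem: str) -> str:
    """'Recently_S_S_A_eStatementsForum' -> 'recently s s a estatementsforum'."""
    return re.sub(r"[^a-z0-9]+", " ", stem.lower()).strip()

def triage_screenconnect_filename(filename: str) -> dict:
    filename = filename.replace("[.]", ".")          # accept defanged names
    if not filename.lower().endswith(CLIENT_SUFFIX):
        return {"is_client": False, "score": 0, "lures": [], "doc_disguise": False}
    stem = filename[: -len(CLIENT_SUFFIX)]
    squashed = normalise(stem).replace(" ", "")      # "s s a" -> "ssa"
    lures = [w for w in LURE_WORDS if w in squashed]
    # A document type in the stem of an executable is the double-extension trick
    doc_disguise = any(t in squashed for t in DOC_TYPES)
    # Long digit runs mimic statement/ticket numbers; agent names do not have them
    digit_run = bool(re.search(r"\d{6,}", stem))
    score = len(lures) + (2 if doc_disguise else 0) + (1 if digit_run else 0)
    if stem.lower() == "screenconnect":              # stock name: nothing to flag
        score = 0
    return {"is_client": True, "score": score, "lures": lures, "doc_disguise": doc_disguise}

def looks_like_lure(filename: str, threshold: int = 3) -> bool:
    """True when a ScreenConnect client name reaches the (assumed) alert threshold."""
    verdict = triage_screenconnect_filename(filename)
    return verdict["is_client"] and verdict["score"] >= threshold

if __name__ == "__main__":
    sample = "Recently_S_S_A_eStatementsForum_Viewr66985110477892_Pdf[.]Client[.]exe"
    print(triage_screenconnect_filename(sample))
```

A company-branded build such as "AcmeCorp.Client.exe" scores zero, so the check separates a renamed lure from an ordinary customised agent rather than flagging every ScreenConnect install.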

To complicate defensive actions, Silent Push Threat Analysts believe threat actors have been using various social engineering methods, such as SMS text messages, phone calls, or emails, to get unsuspecting victims to install legitimate copies of the ScreenConnect agent. Once installed, the attackers use the altered installer to quickly gain access to the victim’s files.

Silent Push Threat Analysts were able to craft a unique fingerprint that allows our team to detect a large amount of malicious infrastructure using ScreenConnect. This fingerprint powers our Indicators of Future Attack™ (IOFA™) feed for this threat and will be available to Silent Push enterprise customers.


The Bulletproof Hosting Connection

Bulletproof hosting providers are infamous for turning a blind eye to complaints of malicious or illegal content hosted on their servers. They are known for allowing cybercriminals to operate phishing websites, malware distribution networks, and command and control (C2) infrastructure without interruption.

Typically operating in jurisdictions with weak law enforcement, BPHs frequently leverage offshore locations that shield threat actors from takedowns. While often marketed for privacy and resilience, these providers are notorious for enabling illegal activities, making them a significant challenge for cybersecurity professionals and law enforcement agencies worldwide.

Our team has identified multiple bulletproof hosting providers being utilized by this threat. Filtering by bulletproof providers (easily done via a simple field in our platform while querying) in conjunction with other fingerprinting methods can often prove a useful method to track malicious infrastructure, as threat actors (like all criminals) tend to fall into predictable patterns. For operational security reasons, we have omitted the specific names of each for this blog so as not to tip off the threat actors. We encourage readers to look forward to our larger piece covering bulletproof hosting providers in greater detail and depth coming later this year.


Persistence in Cyberattacks

Threat actors use many techniques to establish persistence and maintain their foothold when working to compromise endpoints. These may include employing Windows services (such as abusing Task Scheduler), malware, misconfiguration, or even attacking an intended victim’s domain as a means to gain access, perform actions, or make configuration changes (such as replacing or hijacking legitimate code or adding startup code for malicious purposes).

What is persistence in cyberattacks? Mitre ATT&CK, the global knowledge base of adversarial tactics and techniques, describes persistence as an enterprise tactic: “Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.”

Mitigation

Silent Push Threat Analysts recommend making use of our Enterprise edition to receive the newest IOFA™ and enrich the IOFA™ in your security solutions to detect, prevent, and respond to future cyberattacks. Our proprietary set of analytics and persistent manual review matches patterns against known malicious examples hosted on BPHs to ensure our IOFA™ do not contain false positives.

We are continuously searching to uncover emerging threats from APTs, bulletproof hosting providers, financial crimes, malvertising, and more.


Register for Free Silent Push Community Edition, a free threat hunting and cyber defense tool used by security teams, bug bounty hunters, and researchers that features a range of basic and advanced DNS queries which interrogate the Silent Push database, built from our daily scans of the internet’s global IP range.


Sample List of IOFA

Silent Push identified several BPH providers in conjunction with this research. We are providing a sample list of IOFA™ below:

