Bulletproof Hosting (BPH) providers have been a part of the threat actor landscape for over two decades. Interestingly, over the past year, the market has experienced a renaissance, marked by notable changes that include a surge in providers globally, the emergence of new tactics, and increased resilience against takedown efforts. This demonstrates just how deep and complex the space has become from a defender’s perspective.
In developing this new white paper, our goal is to illustrate the current state of the practice of Bulletproof Hosting and to highlight the potentially lesser-known technical dynamics we’ve been observing.
Our world-class threat analyst team has been diligently working to provide and scale our detection of BPH infrastructure, so that our clients can utilize those detections within their Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tooling for accurate, dependable alerting on suspicious and malicious activity.
This white paper was created to raise awareness of internet hosting providers that have been labeled “Bulletproof” for their willingness to host services specifically designed to shield clients from technical and/or legal disruption. Our researchers employ a wide range of criteria to label the hosts we track as bulletproof; many of these are covered in the report and have not been discussed publicly elsewhere, while some cannot be disclosed for operational security reasons. We believe that sharing these criteria and methods publicly is crucial to informing defenders about where cybercriminals are hiding within their networks.
With the rise of artificial intelligence (AI) and large language models (LLMs), we anticipate that threat actor automation of infrastructure setup will continue to increase into 2026 and beyond. Extensive coverage of BPH providers enables defenders to remain vigilant against suspect infrastructure frequently used for obfuscation and weaponization, ensuring that actors using these networks as part of their automation fail before they can initiate attacks.
By circulating this information publicly without restriction, we aim to reach communities that have the means and motivation to shape a safer, more accountable threat landscape, with preemptive cyber defense for all kinds of defenders: threat hunters, policymakers, researchers, journalists, and government teams.
After reviewing the Bulletproof Hosting white paper, if you are interested in learning more about Silent Push preemptive cyber defense technology and how it can empower your organization’s security team, please get in touch with us or schedule a demonstration to discuss the platform with our experts.
Ready to dive deeper into the world of preemptive cyber defense? Take our technology for a test drive with the free Silent Push Community Edition today.
Join our final Silent Push workshop of the year. We’re unpacking the surge in end-of-year scam shops and shady websites — showing you how to spot them fast using our free Community Edition.
You’ll learn how to turn these insights into sharper security decisions, spot common patterns in fake shops and scam infrastructure and investigate domains and the systems behind them.
Date: 16 December, 2025
Time: 10am ET // 3pm CEST // 10am SGT // 12pm AEST
Location: Online – Zoom
Requirements: Silent Push free Community Edition | Sign-up here
For years, cyber defense has been like driving forward while staring into the rearview mirror.
Security teams operate primarily on artefacts of the past: Indicators of Compromise (IOCs). These generic data points, like a known malicious IP or file hash, are records of what has happened. While useful for forensics, they serve little purpose in preventing an attack that is currently forming.
Reliance on retrospective data keeps organizations playing catch-up, forcing SOCs into a constant, exhausting state of response. To close the visibility gap, we must move from response to preemption.
We need to focus less on the bullet that has already been fired, and more on the weapon being loaded.
“If knowing is half the battle, then why focus on the battlefield your enemies have already abandoned? It’s far more efficient to focus on where they are currently camped, what routes they are taking, and what tactics they plan to use next.”
By modeling adversary behaviors (TTPs) during their infrastructure setup phase, we provide critical data that exists “left of boom.” This approach delivers specific, measurable outcomes that directly strengthen your security posture. The below video dives further into what this means, and exactly what type of data is involved.
Here is what your team gains when you switch to pre-attack detection:
1. Seamless Integration and Operationalization
Outcome: Bridge the Gap Between Insight and Action
Data is only valuable when it’s operational. IOFA™ data is explicitly designed as finished, actionable defense data that can be automatically ingested into an organization’s security tools.
API-First architecture
We prioritize connectivity. With over 250 endpoints, the platform ensures preemptive data flows directly into your security fabric without friction.
Orchestrated defense
By feeding directly into SIEM and SOAR platforms like Splunk, Tines, and Cortex XSOAR, organizations automate the tactical response. This shifts the human role from manual data handling to high-value strategy and decision-making.
2. Optimized Security Operations (SOC/IR)
Outcome: Accelerate Triage and Decisive Response
The modern SOC is defined by how quickly it filters signal from noise. For Security Operations and Incident Response teams, preemptive data shifts the advantage back to the defender.
Eliminate the context deficit
Triage slows down when analysts face unknown indicators. IOFA™ provides immediate risk scoring and context, allowing for automated validation. This drastically reduces false positives and mitigates alert fatigue by stopping the noise before it distracts the analyst.
Accelerate your response
Reducing Mean Time to Detect (MTTD) and Respond (MTTR) requires better visibility, not just faster tools. During an incident, IR teams can instantly map associated adversary infrastructure and trace lateral movement. This high-confidence data allows teams to contain threats rapidly and significantly reduce dwell time.
3. Critical Brand and Asset Protection
Outcome: Preempt the Weaponization of Your Identity
Pre-attack behavioral fingerprinting directly tackles external brand threats and internal exposures. Silent Push continuously monitors the internet for malicious infrastructure mimicking an organization’s identity, which helps prevent financial loss and reputational harm in three ways:
Prevent damage from phishing and domain impersonation
Neutralize typosquatted domains, fraudulent certificates, spoofed MX records, and other email-spoofing configurations while they are still being set up.
Detect content and brand spoofing
Identify fake login portals and cloned sites immediately by tracking the reuse of your specific HTML, logos, and trust markers.
Identify and mitigate infrastructure & DNS vulnerabilities
Proactively discover exploitable misconfigurations, such as dangling DNS records, before attackers can use them to launch high-credibility attacks.
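The dangling-record check above, as an added example rather than Silent Push’s own code: a small Python routine that walks a zone, keeps only CNAMEs pointing outside the zone, and flags targets that no longer resolve, marking those on a provider where anyone can claim an unused name as takeover candidates. The zone, the resolver answers and the claimable-suffix list are all constructed assumptions so the example runs offline.

```python
"""Added example (not Silent Push's code): flag dangling CNAME records in a zone.

A CNAME whose target no longer resolves is dangling; if the target also sits on a
provider where anyone can claim an unused name, it is a subdomain-takeover
candidate. Everything below is constructed so it runs offline: the zone, the
resolver table and the claimable-suffix list are assumptions, not real data.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone: owner name -> (record type, record data).
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.org": ("A", "203.0.113.10"),
    "blog.example.org": ("CNAME", "example-blog.ghost-host.example."),
    "shop.example.org": ("CNAME", "storefront.retired-saas.example."),
    "status.example.org": ("CNAME", "example.statuspage-host.example."),
    "cdn.example.org": ("CNAME", "d1234.cdn-edge.example."),
    "old.example.org": ("CNAME", "www.example.org."),  # in-zone alias
}

# Constructed answers for the stand-in resolver: None means NXDOMAIN.
ANSWERS: Dict[str, Optional[str]] = {
    "example-blog.ghost-host.example.": "198.51.100.20",
    "storefront.retired-saas.example.": None,
    "example.statuspage-host.example.": None,
    "d1234.cdn-edge.example.": None,
}

# Assumed provider suffixes where an unclaimed hostname can be registered by
# anyone. In practice substitute a maintained takeover fingerprint list.
CLAIMABLE_SUFFIXES: Tuple[str, ...] = ("retired-saas.example.", "statuspage-host.example.")


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in resolver: returns an A record, or None for NXDOMAIN."""
    return ANSWERS.get(name)


def find_dangling(zone: Dict[str, Tuple[str, str]], apex: str,
                  resolve: Callable[[str], Optional[str]]) -> List[Dict[str, object]]:
    """Return every external CNAME whose target does not resolve."""
    findings: List[Dict[str, object]] = []
    for owner, (rtype, target) in zone.items():
        if rtype != "CNAME":
            continue
        t = target if target.endswith(".") else target + "."
        if t.endswith("." + apex + "."):
            continue  # you control the target; takeover does not apply
        if resolve(t) is not None:
            continue  # target still resolves; not dangling
        findings.append({
            "owner": owner,
            "target": t,
            "takeover_candidate": t.endswith(CLAIMABLE_SUFFIXES),
        })
    return findings


if __name__ == "__main__":
    for f in find_dangling(ZONE, "example.org", fake_resolve):
        print(f)
```

For live use, replace `fake_resolve` with a function that calls `dns.resolver.resolve(name, "A")` from dnspython and returns `None` on `dns.resolver.NXDOMAIN`. NXDOMAIN is only one symptom: some providers keep resolving the name and answer with an HTTP error body instead, so pair this check with an HTTP-level fingerprint of the target before closing a finding.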
4. Enhanced Proactive Threat Hunting (CTI)
Outcome: Expose the Full Scope of Adversary Campaigns
Pre-attack data allows Cyber Threat Intelligence (CTI) teams to conduct genuine proactive threat hunting, leveraging the Silent Push platform to track emerging threats and map adversary campaigns before they launch.
This capability has proven effective in exposing the full extent of adversary infrastructure, such as finding over 4,000 phishing domains used by FIN7 and uncovering sensitive details related to the Lazarus Group by pivoting from a single suspicious domain. This approach allows threat hunters to uncover and block the remaining hidden activity.
Construct high-fidelity attacker fingerprints
Build efficient queries that correlate over 200 parameters, including Passive DNS, HTML, and SSL to identify pre-weaponized assets based on behavior, not just known indicators.
Map APT and emerging threat campaigns at scale
Trace the full infrastructure of known groups like FIN7, Lazarus, and Scattered Spider and emerging groups. This turns raw hunting data into curated IOFA™ feeds that block entire campaigns before execution.
Moving “Left of Boom” with Silent Push
If your team is tired of playing catch-up, it’s time to change the rules of engagement.
Pre-attack detection provides a distinct competitive advantage, strengthening your posture against both known groups (like Scattered Spider) and emerging, unnamed threats. Stop waiting for the breach to tell you where the holes are.
The Cybersecurity and Infrastructure Security Agency (CISA) is the U.S. government agency responsible for protecting the nation’s critical infrastructure from cyber and physical threats. CISA works with public and private sector partners to improve resilience, share threat intelligence, and coordinate national-level cyber defense efforts.
As part of this collaboration, Silent Push contributed research and insights that helped inform CISA’s latest publication, “Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers.” CISA, working with the NSA, FBI, DoD Cyber Crime Center, and several international cyber agencies, developed this guidance to address one of the most persistent enablers of cybercrime, where infrastructure is intentionally leased to malicious actors: Bulletproof hosting providers.
Why CISA’s Guidance Matters
CISA’s report highlights a core industry challenge. Systems that are unprotected or misconfigured increase the opportunity for threat actors to operate at scale. Bulletproof hosting infrastructure often blends into the broader internet, making it difficult for organizations to detect and contain.
CISA and its partners are encouraging Internet Service Providers (ISPs) and network defenders to adopt more proactive strategies for reducing the effectiveness of this infrastructure. Their recommendations include:
Curating high-confidence lists of malicious internet resources
Applying filters and blocking actions based on these lists
Improving visibility into hosting infrastructure that repeatedly supports criminal operations
Limiting the freedom of Bulletproof hosting providers to keep malicious resources online
The guidance was developed through the Joint Ransomware Task Force (JRTF), reflecting the growing connection between Bulletproof hosting and ransomware campaigns targeting critical sectors.
Our Perspective
This publication brings much-needed clarity to a problem that has long shaped cyber operations. Bulletproof hosting infrastructure enables cybercriminal activity by providing threat actors with a dependable foundation for their campaigns. When this infrastructure is identified and constrained, defenders gain more meaningful opportunities to reduce the scale and impact of emerging threats.
Our work focuses on helping defenders detect malicious resources early, track infrastructure changes, and understand the patterns behind these operations. Seeing this issue addressed directly by CISA and its international partners is an important step for the broader security community.
In our public research on “infrastructure laundering,” we detailed how malicious actors illicitly acquire IP addresses from major cloud providers and front their scam websites with them via CNAME chains, so that the sites load quickly for victims and blend in with legitimate cloud traffic. This is a practical example of the kind of Bulletproof hosting activity CISA’s guidance addresses. We are committed to helping defenders identify and disrupt malicious infrastructure before it fuels large-scale operations.
Looking Ahead with Preemptive Cyber Defense
Improving visibility into Bulletproof hosting providers and limiting their ability to support cybercriminal activity is a practical and impactful measure. If ISPs and network defenders implement the recommendations in CISA’s guidance, the operational environment for attackers becomes more restricted and more costly.
We appreciate the opportunity to contribute insights to this conversation and support efforts that strengthen proactive defense across the ecosystem.
UK organisations are expanding their digital footprint, but reliance on reactive security is leaving them exposed. To align with the NCSC’s Active Cyber Defence (ACD) strategy, teams must shift to preemptive defence.
In response to growing cyber threats, the UK’s National Cyber Security Centre (NCSC) has implemented the Active Cyber Defence (ACD) programme. The ACD’s mandate is clear: to “Protect the majority of people in the UK from the majority of the harm caused by the majority of the cyber-attacks the majority of the time.”
This strategy specifically targets the high-volume commodity attacks, like mass phishing and spoofing, that affect our everyday lives, rather than focusing only on highly sophisticated, targeted attacks. Achieving this level of protection at scale requires a fundamental shift in our defensive strategy.
The Limitations of a Reactive Cyber Defence
Historically, cyber defence has relied heavily on reactive security models that use Indicators of Compromise (IOCs). These traditional indicators typically provide generic, post-breach data about where an attack has been. This data often consists of stale lists that quickly become obsolete as attackers rapidly recycle infrastructure.
Relying solely on IOCs forces security teams into a reactive posture, where they are left struggling to manage complex incidents after the damage has already been done. To meet the NCSC’s aim of scalable protection, the industry must move beyond reaction and adopt a preemptive stance.
A New Approach: Preemptive Cyber Defence
Preemptive cyber defence is an approach focused on a single goal: identifying and preventing attacks before they cause harm.
This is possible because threat actors leave behind more than just IOCs; they leave behavioural fingerprints. The Tactics, Techniques, and Procedures (TTPs) they use to build and manage their infrastructure create a unique, digital DNA.
Our platform is built to analyse this DNA, correlating seemingly isolated indicators to map out the entire attack picture. This moves beyond simple pattern-matching, allowing us to connect all the pieces of a campaign and identify malicious infrastructure the moment it appears online, long before it’s fully weaponised.
Achieving preemptive defence requires two things:
Massive-Scale Data Collection: Continuously mapping and actively resolving DNS across the entire global IPv4 and IPv6 space to reveal new infrastructure the moment it comes online.
TTP-Led Behavioural Tracking: Analysing that data to spot the “fingerprints” of malicious activity, such as combining recurring patterns in domains, infrastructure, and operational behavior to track Scattered Spider.
This proactive process tracks and blocks adversary infrastructure during its staging phase. It generates high-fidelity Indicators of Future Attack (IOFA)™: proactive IP, domain, and URL data that allow security teams to identify, track, and ultimately block adversary infrastructure before it is even weaponised. This approach uncovers novel infrastructure yet to be reported.
Turning ACD Strategy into Tactical Reality
ACD and preemptive cyber defence are two sides of the same coin: ACD establishes the strategic mandate for scalable protection, while a preemptive approach to defence provides the technical capability to achieve it by neutralising threats at their source.
Achieving preemptive detection at scale isn’t about having more data; it’s about better data. This capability requires a foundation of Data Independence. By collecting 100% of our own data, we eliminate the noise and latency of third-party feeds and ensure a uniquely accurate and reliable view of global infrastructure.
By leveraging this pre-attack behavioural fingerprinting and the resulting infrastructure data, security teams can automate the detection and blocking of the very mass-volume threats the ACD programme is designed to stop.
This approach directly targets the high-volume attacks central to the ACD’s mission:
Phishing and spoofing: This method identifies brand impersonation attacks, including typo-squatted domains, before they are deployed. For example, analysts can track phishing campaigns targeting UK banks while they are still being set up.
Malvertising: It exposes malicious infrastructure hidden within online ads, a key vector for commodity attacks, allowing it to be blocked before ads are served.
Mass scams: Silent Push data is essential for uncovering large-scale criminal operations. A key example is the FUNNULL CDN, the hub of the Triad Nexus financial fraud network, which hid malicious activity within legitimate cloud services.
Infrastructure Scale: Over 200,000 hostnames were proxied through FUNNULL in just a few weeks.
Cloud IP Usage: FUNNULL rented more than 1,200 Amazon IPs and nearly 200 Microsoft IPs.
Malicious Activities: Supported retail phishing, money laundering, and fraudulent investment platforms targeting global victims.
This case demonstrates Silent Push’s ability to track hidden infrastructure, reveal novel TTPs, and deliver actionable intelligence to disrupt large-scale scams.
Tracking and blocking this infrastructure before the lures reach victims is a perfect example of preemptive defence at scale. Disrupting an attack at its origin (the infrastructure) turns the ACD’s strategic mandate into measurable protection against high-volume threats.
Empowering UK Cyber Resilience
The Silent Push Enterprise Edition operationalises preemptive defence at scale, feeding high-fidelity infrastructure data directly into existing security stacks (SIEM, SOAR, firewalls) for automated blocking.
By leveraging data that enables preemptive cyber defense, from community research to enterprise-grade automation, the UK can build a truly proactive digital defence. This stance aligns perfectly with the ACD’s goal, building national resilience by stopping threats before they strike.
See how automated, preemptive cyber defence can protect your organisation. Get a demo of the Silent Push Enterprise Edition today.
In cyber defense, reacting to a phishing attack means you’re already one step behind. A phishing email in an inbox is the end result of a long chain of attacker activity. The real win isn’t just analyzing the phish; it’s using a proactive threat hunting model to find the infrastructure it came from before the attack is even launched.
Moving from this reactive posture to a proactive one is the single most effective way to get ahead of adversaries. Instead of cleaning up a mess, you’re preventing the mess from happening (sounds nice, right?).
Based on a recent workshop on our Community Edition platform, we’ve outlined four practical, query-based techniques that defenders can use to shift “left of boom” and start proactively dismantling phishing campaigns.
Start Hunting With A Free Silent Push Community Edition Account
All of the queries shared below are supported in our free Community Edition. We’ve included a short link below if you’d like to sign up and follow along.
The hunting queries we’re sharing reflect data from a specific point in time, and threat activity may have changed since their creation. These are intended for threat hunting, not as perfect detections, so minor false positives are possible.
Each query has been validated by our threat analyst team to match relevant threat groups, and we use internal variations for broader coverage. You can adapt or refine these queries to align with your environment and the latest intelligence.
1. From a Single Phish to a Full Campaign (The “Ledger” Method)
Every reactive investigation is an opportunity to build a proactive hunt. Let’s take a real-world phishing email (a “Ledger” phish) and show how to pivot “upstream.”
The Reactive Clues: The investigation starts with email headers. We find IPs like 149.72.223.116 and 159.183.183.61, which indicate compromised SendGrid accounts. Using PTR (reverse DNS) records helps identify the sender, but this is all after-the-fact analysis. The malicious link itself was ledger-recovery-app[.]com.
The Proactive Pivots: Instead of stopping, we use that domain as our first “thread” to pull.
Content Pivot: We can hunt for other sites that share the same characteristics. A simple query can find all domains that also have an HTML Title of “Are you human?” and a URL that contains “ledger”. This immediately widens the net.
Domain/WHOIS Pivot: We can hunt for similar domains before they’re armed. Attackers use predictable patterns. We can build a proactive query to find all domains where:
Domain is one of: ledger-*-*.com OR *-ledger-*.com
AND
Registrar is: Amazon Registrar, Inc.
This query flags matching domains as soon as they appear in registration data, long before they’re ever used in an email campaign.
2. Hunting with Infrastructure Fingerprints (The “Harbor Freight” Method)
Threat actors are lazy. They reuse the same server configurations, even when they host different campaigns. Instead of hunting for content (which changes), we can hunt for the server’s unique technical “fingerprint.”
The Example: A phishing domain harborfrieght[.]shop was identified.
The Technique: We can extract the server’s unique technical signatures. Even if the actor hosts a completely different lure (like a “jeans ad” found in the wild), the underlying server setup is often identical.
The Goal: Run a query to find all domains hosted on infrastructure with these exact HHV and JARM fingerprints. Because a JARM hash is shared by every host running the same TLS stack and configuration, pair it with the HHV (and any further signal you have) before treating a match as the same actor. This technique cuts through the noise of different domain names and content, tying disparate campaigns to a single actor.
3. Uncovering Brand Impersonation with Multi-Layered Queries (The “Gmail” Method)
Proactively finding convincing clones of a major brand like Gmail is difficult; the internet is full of legitimate and benign sites that use the word “gmail.” The key is to use a multi-layered query that combines data points to filter out the noise.
The Technique: We can build a query that stacks several conditions to find only the fakes.
Search Logic:
Pivot on Favicon: First, find all sites using the official Gmail favicon hash.
Filter by Content: Add a condition that the HTML Title must contain “gmail”.
Exclude Legitimate Sites: This is the most important step. Filter out any site where the SSL Issuer Organization is “Google Trust Services”, which removes Google’s own properties. Note the trade-off: Google Trust Services also issues certificates to non-Google customers (including via ACME), so this exclusion can drop a clone that obtained such a certificate; treat it as a noise filter, not as proof that a site is Google-owned.
The Result: This precise, multi-layered search successfully identifies high-fidelity phishing sites, such as the convincing clone gmaii[.]email, while completely ignoring legitimate Google infrastructure.
4. Getting Ahead of Supplier & Partner Spoofing (The “Eversource & Microsoft” Method)
Your organization’s attack surface includes your suppliers and third-party partners. Proactively monitoring for infrastructure that could be used to impersonate them is a critical, advanced defense.
The Goal: Identify newly registered domains that could be used in a Business Email Compromise (BEC) or phishing attack spoofing a partner.
Example 1: Eversource (Electric Provider)
Technique: Search DNS data for any domains that have set their MX (mail) records to point to your supplier (e.g., search for MX records containing *eversource.com).
The Finding: This uncovers more than just active malicious domains. It reveals a common attacker TTP: parked domains. For instance, wwweversource[.]com was found with its MX record pointing to park-mx.above.com. Attackers “park” newly registered domains to age them, so that by the time they are weaponized they pass newly-registered-domain checks and reputation filters.
Example 2: Advanced Hunting (Microsoft) We can combine these techniques into an advanced query to find newly registered, parked domains actively set up for spoofing.
Search Logic:
Domain Regex: Use a regular expression to find domains that look like “microsoft” (e.g., (?i)(?:^|[^A-Za-z0-9-])microsoft…).
AND
MX Record: Look only for domains whose MX record is park-mx.above.com.
AND
WHOIS Date: Find domains registered after a specific date (e.g., whois_after: 2025-08-01).
This query provides a high-confidence alert feed of domains being purpose-built to attack your organization or impersonate your biggest partners.
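The four hunts described in this post (the Ledger content and registration pivots, the HHV/JARM server fingerprint, the multi-layered Gmail clone filter, and the supplier-MX and parked-lookalike searches), expressed as plain Python predicates over a constructed record set. This is an added example, not Silent Push’s code or its query language. The field names (domain, registrar, html_title, url, favicon_md5, ssl_issuer_org, mx, hhv, jarm, whois_created) are assumptions standing in for whatever your DNS, WHOIS and scan source returns; GMAIL_FAVICON is a placeholder rather than the real hash; the `*` in domain patterns is assumed to match within a single label; and every sample domain not named in the post is made up.

```python
"""Added example, not Silent Push's code or query language: the four hunts
from the post as Python predicates over constructed records.

Assumptions: field names stand in for your data source's schema; GMAIL_FAVICON
is a placeholder, not the real hash; '*' in a domain glob matches within one
label; sample domains not named in the post are invented.
"""
import re
from datetime import date
from typing import Callable, Dict, List

Record = Dict[str, object]
GMAIL_FAVICON = "placeholder-gmail-favicon-hash"  # assumed, not the real value


def rec(domain: str, **fields: object) -> Record:
    """Build a record with empty defaults so samples only list what matters."""
    base: Record = {"domain": domain, "registrar": "", "html_title": "", "url": "",
                    "favicon_md5": "", "ssl_issuer_org": "", "mx": [],
                    "hhv": "", "jarm": "", "whois_created": date(2000, 1, 1)}
    base.update(fields)
    return base


# Constructed sample data, written plainly (not defanged) so matching works.
RECORDS: List[Record] = [
    rec("ledger-recovery-app.com", registrar="Amazon Registrar, Inc.",
        html_title="Are you human?", url="https://ledger-recovery-app.com/verify",
        whois_created=date(2025, 9, 3)),
    rec("my-ledger-wallet.com", registrar="Amazon Registrar, Inc."),
    rec("ledger-a-b.example.com", registrar="Amazon Registrar, Inc."),  # glob must not cross labels
    rec("harborfrieght.shop", hhv="hhv-7a", jarm="jarm-21d"),
    rec("jeans-deals.example", hhv="hhv-7a", jarm="jarm-21d"),  # different lure, same server
    rec("gmaii.email", favicon_md5=GMAIL_FAVICON, html_title="Gmail - Sign in",
        ssl_issuer_org="Let's Encrypt"),
    rec("mail.google.com", favicon_md5=GMAIL_FAVICON, html_title="Gmail",
        ssl_issuer_org="Google Trust Services"),
    rec("eversource-invoices.example", mx=["mail1.eversource.com"]),
    rec("wwweversource.com", mx=["park-mx.above.com"], whois_created=date(2025, 8, 20)),
    rec("microsoft-support-desk.example", mx=["park-mx.above.com"], whois_created=date(2025, 9, 1)),
    rec("notmicrosoft.example", mx=["park-mx.above.com"], whois_created=date(2025, 9, 1)),
    rec("microsoft-partner-old.example", mx=["park-mx.above.com"], whois_created=date(2024, 1, 1)),
]


def hunt(predicate: Callable[[Record], bool], records: List[Record] = RECORDS) -> List[str]:
    """Return the sorted domains for which the predicate holds."""
    return sorted(str(r["domain"]) for r in records if predicate(r))


def domain_glob(pattern: str) -> "re.Pattern[str]":
    """Compile a domain glob; '*' matches within one label only (assumed semantics)."""
    return re.compile("^" + "[^.]*".join(re.escape(p) for p in pattern.split("*")) + "$", re.I)


LEDGER_GLOBS = [domain_glob(p) for p in ("ledger-*-*.com", "*-ledger-*.com")]
MICROSOFT_RE = re.compile(r"(?i)(?:^|[^A-Za-z0-9-])microsoft")  # visible prefix of the post's regex


def ledger_content_pivot(r: Record) -> bool:
    """Method 1a: same lure page title plus 'ledger' somewhere in the URL."""
    return r["html_title"] == "Are you human?" and "ledger" in str(r["url"]).lower()


def ledger_registration_pivot(r: Record) -> bool:
    """Method 1b: naming pattern plus the registrar the actor keeps using."""
    d = str(r["domain"])
    return any(g.match(d) for g in LEDGER_GLOBS) and r["registrar"] == "Amazon Registrar, Inc."


def same_server_fingerprint(seed_domain: str, records: List[Record] = RECORDS) -> List[str]:
    """Method 2: every other domain whose HHV and JARM both equal the seed's."""
    seed = next(r for r in records if r["domain"] == seed_domain)
    key = (seed["hhv"], seed["jarm"])
    return hunt(lambda r: r["domain"] != seed_domain and (r["hhv"], r["jarm"]) == key, records)


def gmail_clone(r: Record) -> bool:
    """Method 3: Gmail favicon and title, minus Google-issued certificates."""
    return (r["favicon_md5"] == GMAIL_FAVICON
            and "gmail" in str(r["html_title"]).lower()
            and r["ssl_issuer_org"] != "Google Trust Services")


def mx_under(r: Record, zone: str) -> bool:
    """Method 4a: True if any MX host is the zone itself or a name beneath it."""
    return any(m.lower() == zone or m.lower().endswith("." + zone) for m in r["mx"])  # type: ignore[union-attr]


def parked_microsoft_lookalike(r: Record, after: date = date(2025, 8, 1)) -> bool:
    """Method 4b: lookalike name, parked MX, registered after the cut-off date."""
    return (MICROSOFT_RE.search(str(r["domain"])) is not None
            and mx_under(r, "park-mx.above.com")
            and r["whois_created"] > after)  # type: ignore[operator]


if __name__ == "__main__":
    print("ledger content  :", hunt(ledger_content_pivot))
    print("ledger names    :", hunt(ledger_registration_pivot))
    print("server twins    :", same_server_fingerprint("harborfrieght.shop"))
    print("gmail clones    :", hunt(gmail_clone))
    print("supplier MX     :", hunt(lambda r: mx_under(r, "eversource.com")))
    print("parked lookalike:", hunt(parked_microsoft_lookalike))
```

Two details matter when porting these to a real query language: confirm how its wildcard treats dots (the `[^.]*` here stops `ledger-*-*.com` from matching a subdomain of an unrelated `.com`), and anchor the lookalike regex the way the post does so that `notmicrosoft` is not swept in with `microsoft-support-desk`.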
Staying Ahead of Evolving Cyber Threats
Our Threat Analyst and product teams are hard at work creating fingerprints and capabilities to proactively detect the latest threats, helping our customers stay safe up to months in advance of many other tools.
If your team would like a platform tour to learn more about proactive threat hunting, book a demo with our team today.
New features, integrations, and updates simplify search, improve usability, and provide enterprise client benefits
Reston, VA, November 13, 2025 – Silent Push, a leading preemptive cybersecurity vendor, today announced the release of version 4.11 of its enterprise preemptive defense platform. The latest update continues the company’s mission to give defenders the advantage by revealing attacker infrastructure before threats can take hold.
Version 4.11 introduces a range of new capabilities designed to streamline how analysts search, investigate, and act on emerging intelligence. The release enhances the platform’s core search functionality, simplifies workflows, and introduces new integrations and updates to help enterprise users better identify specific risks that traditional scans may miss.
“Version 4.11 builds on our ongoing commitment to enhancing the analyst experience while expanding the depth and precision of threat discovery,” said Ken Bagnall, CEO and Co-Founder at Silent Push. “We’ve focused this release on giving users faster navigation, greater scanning flexibility, and more in-depth insights, to detect malicious intent earlier in the attack lifecycle.”
Key Updates in Version 4.11 Include:
Streamlined Automations: Streamlined save, monitor, and export processes into a single view, which will make for easier creation and management of queries and automations. Users can now edit existing monitors and have granular control over what data gets exported.
Customized Notifications: Users can now customize notifications for each monitor according to their personal preferences, and receive notifications in app, via email, or their preferred messaging platform, including Slack and Teams.
More Powerful Searches: Deployment of an updated version of the Silent Push Query Language (SPQL) API, with improved asynchronous processing, will provide enhanced support for long-running queries.
Integrations: Splunk and D3; Plus, Updated Chrome Extension
Splunk 3.0 is the latest big data platform integration. It includes Silent Push ThreatCheck support and provides multiple enterprise client benefits.
Splunk users often process millions of events per day, and running enrichment checks against every indicator (IP address, domain, URL, etc.) can become costly. With ThreatCheck, enterprise users can run indicators they have in Splunk through ThreatCheck to detect when Indicators Of Future Attack™ (IOFA™) have touched their environments at scale, without consuming usage credits. New dashboards enable deeper analysis of how and where threat actors manage their infrastructure.
Additionally, users can now create and manage feeds from within the Splunk app, facilitating bidirectional workflows.
The Chrome Extension 1.0.7 update helps enterprise users prioritize investigations more effectively by quickly checking any indicators referenced on a web page to see if they are on our IOFA™ feeds.
The new version enables automatic query generation from selected indicators to provide additional context from across all of Silent Push’s data sources.
Additional updates in version 4.11 include updated UX for search results tables to accommodate new data sources; expanded indicator history listings for IOFA™ feeds; and additional pivot controls for Total View and WHOIS data for faster, more intuitive platform navigation.
Get in Touch
Have any questions about the new release, or interested in learning more about our Community and Enterprise Editions? Get in touch today, and we’ll get back to you shortly.