
Threat Activity Enablers: The Backbone of Today’s Threat Landscape

Threat Activity Enablers (TAEs) are infrastructure providers that deliberately support malicious cyber operations by offering resilient, bulletproof hosting. By leveraging corporate shell companies, controlling Autonomous Systems (ASNs), and rapidly rebranding, TAEs like Virtualine Technologies and Stark Industries evade sanctions and takedowns to sustain ransomware, botnet, and state-sponsored campaigns.

Confidence: high | Analyzed: 2026-05-06 | Google

Authors: Recorded Future

Actors: Virtualine Technologies, Stark Industries Solutions, Russian state-sponsored actors, Latrodectus, AsyncRAT

Source: Recorded Future

Detection / Hunter: Google

What Happened

Shady internet hosting companies are intentionally providing servers and networks to cybercriminals and state-sponsored hackers. Any organization or individual targeted by ransomware, data theft, or botnets is affected by the persistence of these networks. These providers ignore the law, use shell companies, and constantly rebrand, making it nearly impossible to permanently shut down the hackers' operations. Organizations should monitor their network traffic and block connections to these known high-risk hosting providers to prevent attacks before they start.

Key Takeaways

  • Threat Activity Enablers (TAEs) provide resilient, bulletproof infrastructure for cybercriminals and state actors, ignoring KYC policies and abuse reports.
  • TAEs evade sanctions and law enforcement takedowns using corporate shell games, strategic resource control (LIRs/ASNs), and rapid rebranding.
  • Virtualine Technologies impersonated a legitimate German firm to distribute Latrodectus and AsyncRAT, pivoting to new ASNs when exposed.
  • Stark Industries Solutions continued operations despite EU sanctions by transferring IP resources to affiliated entities like WorkTitans B.V.
  • Continuous monitoring of infrastructure patterns is essential, as corporate identities change but the underlying malicious infrastructure persists.

Attack Chain

Threat Activity Enablers (TAEs) establish infrastructure using front companies and local internet registries to acquire IP space and Autonomous Systems (ASNs). Cybercriminals and state-sponsored actors purchase this bulletproof hosting to distribute malware, such as Latrodectus and AsyncRAT, or conduct espionage. When targeted by sanctions or abuse reports, the TAEs rapidly transfer IP prefixes and rebrand under new corporate identities, maintaining the underlying routing relationships to ensure continuous operation for their malicious clients.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the article; the focus is on strategic intelligence and tracking infrastructure patterns.

Detection Engineering Assessment

  • EDR Visibility: None — The intelligence focuses entirely on external network infrastructure, BGP routing, and hosting providers, which are not visible at the endpoint level.
  • Network Visibility: High — Tracking ASNs, IP prefixes, and BGP routing changes is highly visible at the network perimeter and through global routing telemetry.
  • Detection Difficulty: Moderate — Detecting this requires integrating threat intelligence feeds that map ASNs and IP blocks to known TAEs, but once integrated, identifying the traffic is straightforward.

Required Log Sources

  • Firewall Logs
  • NetFlow/IPFIX
  • DNS Query Logs
  • BGP Routing Logs

Hunting Hypotheses

  • Hypothesis: Internal assets are communicating with known high-risk Autonomous Systems (ASNs) associated with Threat Activity Enablers.
    • Telemetry: Firewall Logs, NetFlow
    • ATT&CK Stage: Command and Control
    • FP Risk: Medium

Control Gaps

  • Lack of dynamic ASN/BGP risk scoring in perimeter defenses
  • Over-reliance on static IP blocklists instead of tracking broader infrastructure providers

Key Behavioral Indicators

  • Traffic to ASNs with high Threat Density Scores
  • Rapid shifts in BGP announcements for known malicious IP blocks
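The hunting hypothesis above (flows from internal assets into TAE-originated address space) and the second behavioral indicator (a known malicious block re-announced from a different ASN) can both be checked from a prefix-to-origin-ASN table. The following is an added illustration, not code from Recorded Future or the article; the three ASNs are the ones the mitigation section names, while the prefixes, the AS64496/AS64497 placeholder ASNs and the NetFlow-style records are constructed for the example.

```python
import ipaddress

# The three ASNs are the ones named in the report's mitigation section. The
# prefixes, AS64496/AS64497 and the flow records are CONSTRUCTED placeholders
# (documentation ranges), not real routing or telemetry data.
TAE_ASNS = {209800, 214943, 209847}
ROUTES_BEFORE = {
    ipaddress.ip_network("203.0.113.0/24"): 209800,
    ipaddress.ip_network("198.51.100.0/25"): 214943,
    ipaddress.ip_network("198.51.100.128/25"): 209847,
    ipaddress.ip_network("192.0.2.0/24"): 64496,
}
# Later snapshot: the first prefix is now originated by AS64497, a constructed
# "affiliate" ASN that a static blocklist built from TAE_ASNS would miss.
ROUTES_AFTER = {**ROUTES_BEFORE, ipaddress.ip_network("203.0.113.0/24"): 64497}
# Constructed NetFlow-style records: timestamp src dst dport proto
FLOWS = [
    "2026-05-06T10:00:00Z 10.0.0.5 203.0.113.10 443 TCP",
    "2026-05-06T10:00:02Z 10.0.0.7 192.0.2.44 443 TCP",
    "2026-05-06T10:00:05Z 10.0.0.9 198.51.100.200 8080 TCP",
]

def origin_asn(ip, routes):
    """Longest-prefix match of ip against a prefix -> origin-ASN table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in routes.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def flag_tae_flows(flows, routes, tae_asns=TAE_ASNS):
    """Hunting hypothesis: internal hosts talking to TAE-originated address space."""
    hits = []
    for line in flows:
        src, dst = line.split()[1:3]
        asn = origin_asn(dst, routes)
        if asn in tae_asns:
            hits.append((src, dst, asn))
    return hits

def prefix_moves(before, after, tae_asns=TAE_ASNS):
    """Prefixes re-originated between two snapshots where either ASN is a TAE."""
    return [(str(net), before[net], after[net]) for net in before
            if net in after and before[net] != after[net]
            and (before[net] in tae_asns or after[net] in tae_asns)]

def inherited_asns(before, after, tae_asns=TAE_ASNS):
    """ASNs to add to the watch set because they absorbed a TAE-originated block."""
    return {new for _, _, new in prefix_moves(before, after, tae_asns)} - tae_asns
```

Running flag_tae_flows against ROUTES_AFTER with the unchanged TAE_ASNS drops the first hit, which is exactly the gap a static ASN list leaves when a prefix is handed to an affiliate; inherited_asns recovers the new ASN so the watch set follows the infrastructure rather than the corporate identity.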

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Identify and review any network traffic communicating with the listed high-risk TAE networks (e.g., Virtualine, Stark Industries).
  • Block traffic to known malicious ASNs (AS209800, AS214943, AS209847) if no legitimate business need exists.

Infrastructure Hardening

  • Integrate ASN and TAE risk intelligence into firewall and perimeter defense dynamic blocklists.
  • Implement geo-blocking or ASN-level blocking for infrastructure providers with zero legitimate business justification.

User Protection

  • Ensure endpoint protection (EDR) is configured to block known malware families distributed by these networks, such as Latrodectus and AsyncRAT.

Security Awareness

  • Educate security operations teams on the resilience of TAEs and the need to track infrastructure patterns rather than just static IPs.

MITRE ATT&CK Mapping

  • T1583.003 - Acquire Infrastructure: Virtual Private Server
  • T1583.004 - Acquire Infrastructure: Server
  • T1583.001 - Acquire Infrastructure: Domains

Additional IOCs

  • Other:
    • CrazyRDP - High-risk suspected or confirmed TAE network in 2025.
    • Kaopu Cloud HK Limited - High-risk suspected or confirmed TAE network in 2025.
    • Aeza - High-risk suspected or confirmed TAE network in 2025.
    • Private Alps - High-risk suspected or confirmed TAE network in 2025.
    • 4VPS - High-risk suspected or confirmed TAE network in 2025.
    • Defhost - High-risk suspected or confirmed TAE network in 2025.
    • Silent Connection Ltd. - High-risk suspected or confirmed TAE network in 2025.
    • DolphinHost Limited - High-risk suspected or confirmed TAE network in 2025.
    • UFO Hosting - Infrastructure pivot point for Russian operations previously on Stark Industries.
    • PQ HOSTING PLUS S.R.L - Entity created in RIPE as part of Stark Industries' infrastructure shifting.
    • THE.Hosting - Rebranded entity controlled by WorkTitans B.V. linked to Stark Industries.