Acquire Infrastructure: Virtual Private Server, Sub-technique T1583.003 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v18.1, which is the current version of ATT&CK.
Acquire Infrastructure: Virtual Private Server
Other sub-techniques of Acquire Infrastructure (8):
T1583.001 Domains
T1583.002 DNS Server
T1583.003 Virtual Private Server
T1583.004 Server
T1583.005 Botnet
T1583.006 Web Services
T1583.007 Serverless
T1583.008 Malvertising
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure. [1]
ID: T1583.003
Sub-technique of: T1583
Tactic: Resource Development
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 24 October 2025
Procedure Examples
ID / Name / Description
G0007 APT28: APT28 hosted phishing domains on free services for brief periods of time during campaigns. [2]
G1044 APT42: APT42 has used anonymized infrastructure and Virtual Private Servers (VPSs) to interact with the victim’s environment. [3][4]
C0046 ArcaneDoor: ArcaneDoor included the use of dedicated, adversary-controlled virtual private servers for command and control. [5]
G0001 Axiom: Axiom has used VPS hosting providers in targeting of intended victims. [6]
G1043 BlackByte: BlackByte staged encryption keys on virtual private servers operated by the adversary. [7]
C0032 C0032: During the C0032 campaign, TEMP.Veles used Virtual Private Server (VPS) infrastructure. [8]
G1052 Contagious Interview: Contagious Interview has acquired virtual private servers from services such as Stark Industries Solutions and RouterHosting. [9][10] Contagious Interview has also utilized hosting providers to include Tier[.]Net, Majestic Hosting, Leaseweb Singapore, and Kaopu Cloud. [11]
G1012 CURIUM: CURIUM created virtual private server instances to facilitate use of malicious domains and other items. [12]
G0035 Dragonfly: Dragonfly has acquired VPS infrastructure for use in malicious campaigns. [13]
G1003 Ember Bear: Ember Bear has used virtual private servers (VPSs) to host tools, perform reconnaissance, exploit victim infrastructure, and as a destination for data exfiltration. [14]
C0053 FLORAHOX Activity: FLORAHOX Activity has used acquired Virtual Private Servers as control systems for the ORB network. [15]
G0047 Gamaredon Group: Gamaredon Group has used VPS hosting providers for infrastructure outside of Russia. [16][17][18]
G0125 HAFNIUM: HAFNIUM has operated from leased virtual private servers (VPS) in the United States. [19]
C0050 J-magic Campaign: During the J-magic Campaign, threat actors acquired VPS for use in C2. [20]
C0035 KV Botnet Activity: KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware. [21]
G1004 LAPSUS$: LAPSUS$ has used VPS hosting providers for infrastructure. [22]
G1036 Moonstone Sleet: Moonstone Sleet registered virtual private servers to host payloads for download. [23]
G1041 Sea Turtle: Sea Turtle created adversary-in-the-middle servers to impersonate legitimate services and enable credential capture. [24]
C0052 SPACEHOP Activity: SPACEHOP Activity has used acquired Virtual Private Servers as control systems for devices within the ORB network. [15]
G1035 Winter Vivern: Winter Vivern used adversary-owned and -controlled servers to host web vulnerability scanning applications. [25]
Mitigations
ID / Mitigation / Description
M1056 Pre-compromise: This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Detection Strategy
ID / Name / Analytic ID / Analytic Description
DET0838 Detection of Virtual Private Server
AN1970: Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software. [26][27][28]
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
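The analytic above points at the artifacts a freshly provisioned VPS tends to expose to internet scanners: what is listening, what certificate it presents, how it negotiates TLS, and what its HTTP responses look like. The Python below is an added example, not MITRE content and not code from any of the cited vendors. It scores constructed scan records on those artifacts and then pivots on certificate reuse to cluster hosts that present the identical certificate, the way a hunter expands from one confirmed C2 node to its siblings. The record layout, the host addresses (documentation ranges), the fingerprint watchlist values, the weights and the threshold are all assumptions made for the illustration.

```python
"""Hunt for VPS-hosted C2 candidates in internet-scan data.

Added example, not part of the ATT&CK page. The scan records, the TLS
fingerprint watchlist and the scoring weights are constructed for the
illustration; the field names mimic, but do not match, any scan service.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "scan time" so the freshness check is reproducible offline (assumption).
SCAN_TIME = datetime(2025, 6, 24, tzinfo=timezone.utc)

# Constructed scan records. "tls_fp" stands in for a TLS-negotiation fingerprint
# such as JARM; the values are placeholders, not real hashes.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "port": 443,            # self-signed, empty CN, fresh, known fp
     "tls": {"subject": "CN=", "issuer": "CN=", "serial": "3a9f",
             "not_before": "2025-06-22T00:00:00Z"},
     "tls_fp": "fp-placeholder-A",
     "http": {"status": 200, "server": "Apache", "body_len": 0}},
    {"ip": "203.0.113.11", "port": 8443,           # same certificate copied to a second VPS
     "tls": {"subject": "CN=", "issuer": "CN=", "serial": "3a9f",
             "not_before": "2025-06-22T00:00:00Z"},
     "tls_fp": "fp-placeholder-B",
     "http": {"status": 404, "server": "nginx", "body_len": 512}},
    {"ip": "198.51.100.5", "port": 443,            # ordinary CA-issued cert, normal site
     "tls": {"subject": "CN=shop.example.com", "issuer": "CN=R3,O=Let's Encrypt,C=US",
             "serial": "7c01", "not_before": "2025-03-01T00:00:00Z"},
     "tls_fp": "fp-placeholder-C",
     "http": {"status": 200, "server": "nginx", "body_len": 8192}},
    {"ip": "198.51.100.7", "port": 443,            # fresh cert + empty body only: weak signal
     "tls": {"subject": "CN=api.example.net", "issuer": "CN=R3,O=Let's Encrypt,C=US",
             "serial": "9b44", "not_before": "2025-06-23T00:00:00Z"},
     "tls_fp": "fp-placeholder-D",
     "http": {"status": 200, "server": "Apache", "body_len": 0}},
]

# Fingerprints previously tied to a C2 framework by the hunter (placeholder values).
FP_WATCHLIST = {"fp-placeholder-A": "c2-framework-X"}

WEIGHTS = {"self_signed": 2, "placeholder_cn": 2, "fresh_cert": 1,
           "empty_body": 1, "watchlist_fp": 3}
FRESH_CERT_WINDOW = timedelta(days=7)
THRESHOLD = 4  # a single weak indicator never triggers on its own


def _cn(dn: str) -> str:
    """Extract the CN attribute from a comma-separated DN string ('' if absent)."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip()
    return ""


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def score_record(rec: dict, now: datetime) -> tuple[int, list[str]]:
    """Return (score, reasons) for one scan record."""
    tls, http = rec["tls"], rec["http"]
    reasons = []
    if tls["subject"] == tls["issuer"]:
        reasons.append("self_signed")
    if _cn(tls["subject"]).lower() in ("", "localhost"):
        reasons.append("placeholder_cn")
    if now - _parse_ts(tls["not_before"]) <= FRESH_CERT_WINDOW:
        reasons.append("fresh_cert")
    if http["status"] in (200, 404) and http["body_len"] == 0:
        reasons.append("empty_body")
    if rec["tls_fp"] in FP_WATCHLIST:
        reasons.append("watchlist_fp")
    return sum(WEIGHTS[r] for r in reasons), reasons


def hunt(records: list[dict], now: datetime, threshold: int = THRESHOLD) -> list[tuple]:
    """Records at or above threshold as (ip, port, score, reasons), highest score first."""
    hits = []
    for rec in records:
        score, reasons = score_record(rec, now)
        if score >= threshold:
            hits.append((rec["ip"], rec["port"], score, reasons))
    return sorted(hits, key=lambda h: -h[2])


def cluster_by_cert(records: list[dict]) -> dict[tuple, list[str]]:
    """Pivot: group hosts presenting the identical certificate (subject, issuer, serial)."""
    groups = defaultdict(set)
    for rec in records:
        t = rec["tls"]
        groups[(t["subject"], t["issuer"], t["serial"])].add(f'{rec["ip"]}:{rec["port"]}')
    return {cert: sorted(hosts) for cert, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    for ip, port, score, reasons in hunt(SCAN_RECORDS, SCAN_TIME):
        print(f"{ip}:{port} score={score} {reasons}")
    for cert, hosts in cluster_by_cert(SCAN_RECORDS).items():
        print(f"shared certificate serial {cert[2]} -> {hosts}")
```

Running it flags the two 203.0.113.x hosts and clusters them on the shared certificate, while the host with only a fresh certificate and an empty body stays below the threshold; that last case is the point of weighting rather than matching any single artifact, since legitimate newly deployed services look the same on one indicator.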
References
[1] Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.
[2] Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
[3] Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
[4] Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
[5] Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
[6] Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
[7] US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
[8] Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
[9] eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025.
[10] Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
[11] Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025.
[12] PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
[13] Slowik, J. (2021, October). The Baffling Berserk Bear: A Decade’s Activity Targeting Critical Infrastructure. Retrieved December 6, 2021.
[14] US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
[15] Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
[16] Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
[17] Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024.
[18] Hunt.io. (2025, April 8). State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure. Retrieved July 23, 2025.
[19] MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
[20] Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025.
[21] Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
[22] MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
[23] Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
[24] Cisco Talos. (2019, April 17). Sea Turtle: DNS Hijacking Abuses Trust In Core Internet Service. Retrieved November 20, 2024.
[25] Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.
[26] ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
[27] Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.
[28] Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
US