Utilizing adversary infrastructure insights to derail attacks
Imagine intruders have infiltrated your network and run malware on a host. The attack can still be stopped before it escalates: the intruders must be cut off from their backbone infrastructure, that is, their command and control (C2) servers and the storage they use for exfiltrated data.
This is the fourth article dedicated to actionable threat intelligence and the adoption of an adversary‑centric approach. In particular, it explores how information about threat actors’ infrastructure helps prevent attacks.
Adversary infrastructure components
Commonly, attackers seek to:
- Host phishing pages. They are used to harvest credentials and deliver malware to target systems. Such pages may contain download links to phishing files or malware execution instructions (e.g., User Execution: Malicious Copy and Paste (T1204.004)). Both rented and compromised infrastructure, including hijacked web servers, is leveraged for phishing.
- Store malware and tools. Since the first-stage malware is typically a loader, adversaries need infrastructure to host the payloads it fetches. As the attack progresses, they download further malware and utilities through Ingress Tool Transfer (T1105). For that purpose, purpose-rented servers, compromised legitimate websites, and various web services are used.
- Host C2 and proxy servers. Once the malware is delivered, intruders need to establish remote control. In addition to rented and compromised servers, they take advantage of legitimate remote administration tools and web services.
- Employ remote access services. Many attackers start by abusing valid credentials rather than delivering malware. Besides rented servers, access is frequently gained through the infrastructure of commercial VPN providers.
- Exfiltrate sensitive data. Information is a lucrative target for most threat actors, regardless of their motivations. Although C2 servers can be used to exfiltrate and store data, attackers often turn to alternative channels, including legitimate web services for large‑scale data storage.
Below, we examine the indicators of compromise associated with adversary infrastructure and the ways they can be leveraged.
Dynamic indicators (IP addresses, domains, URLs)
At first glance, it might appear simple: IP addresses of malicious infrastructure components can be blocked on firewalls or proxies. This will disconnect the attackers from their infrastructure, making it impossible to deliver and control malware or tools.
However, adversary infrastructure changes dynamically. A server used for command and control today may be back in legitimate use tomorrow. While malicious domain names, and especially URLs, seldom regain legitimacy, this is common for IP addresses: shared hosting and cloud address pools are reassigned, and compromised servers get cleaned up.
Portals like BI.ZONE Threat Intelligence assign each indicator a time‑to‑live (TTL) that defines the period after which it is archived. This way, resources that have returned to legitimate use are not kept on blocklists. The TTL can range from days to months, and it is extended as long as the component continues to be used maliciously. To detect components that are currently active, threat intelligence teams scan infrastructure for the characteristic signatures of known malware C2 servers, and also check whether new malware samples are linked to given IP addresses.
Analyzing the hosting providers favored by attackers is also good practice. IP ranges of minor providers in high‑risk jurisdictions can be blocked entirely: they are unlikely to be legitimately accessed from a corporate network. The same applies to rarely used domain extensions. Attackers tend to register domain names in unusual top‑level domains (TLDs), which can be blocked by default since such domains are not expected to host critical corporate resources. Any such blanket rule needs an allowlist and an exception process, because a partner, vendor or SaaS resource can occasionally fall inside a blocked range or TLD.
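The following script illustrates the TTL-based ageing of dynamic indicators and the default-deny rules for providers and TLDs described above. It is an added example, not BI.ZONE code or the feed format of its portal; the per-type TTL values, the sample feed, the blocked prefix and TLD set, and the allowlist entry are all constructed assumptions.

```python
"""Age dynamic indicators by TTL and apply provider/TLD default-deny rules.

Added example (not BI.ZONE code). TTL values, the feed, the blocked
prefix/TLD lists and the allowlist are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Assumed base TTL per indicator type, in days. IPs get the shortest TTL
# because they are the most likely to return to legitimate use; URLs the longest.
BASE_TTL = {"ip": 14, "domain": 90, "url": 180}

# Constructed policy data: a prefix of a small provider that is blocked outright,
# TLDs not expected to host corporate resources, and an allowlist checked first.
BLOCKED_PREFIXES = [ip_network("203.0.113.0/24")]
BLOCKED_TLDS = {"top", "xyz", "icu"}
ALLOWLIST = {"partner-portal.example.xyz"}


@dataclass
class Indicator:
    value: str
    kind: str                      # "ip", "domain" or "url"
    first_seen: date
    sightings: list = field(default_factory=list)   # later dates the TI team re-observed it

    def expires_on(self) -> date:
        """The TTL runs from the most recent sighting, so continued use extends it."""
        last = max([self.first_seen, *self.sightings])
        return last + timedelta(days=BASE_TTL[self.kind])

    def is_active(self, today: date) -> bool:
        return today < self.expires_on()


def build_blocklist(feed, today):
    """Split a feed into values to block now and values that have aged out."""
    blocked, archived = set(), []
    for ind in feed:
        if ind.is_active(today):
            blocked.add(ind.value)
        else:
            archived.append(ind.value)
    return blocked, archived


def policy_verdict(target: str) -> str:
    """Default-deny rules for providers and TLDs; the allowlist always wins."""
    if target in ALLOWLIST:
        return "allow"
    try:
        addr = ip_address(target)
    except ValueError:
        # not an IP: treat as a host name and check its TLD
        if target.rsplit(".", 1)[-1].lower() in BLOCKED_TLDS:
            return "block:tld"
        return "allow"
    if any(addr in net for net in BLOCKED_PREFIXES):
        return "block:provider"
    return "allow"


# Constructed sample feed (documentation addresses and example domains only).
SAMPLE_FEED = [
    Indicator("198.51.100.7", "ip", date(2025, 1, 1)),                      # C2 IP seen once
    Indicator("198.51.100.9", "ip", date(2025, 1, 1), [date(2025, 1, 25)]),  # C2 IP still in use
    Indicator("update-check.example.top", "domain", date(2024, 12, 1)),
    Indicator("http://files.example.icu/loader.exe", "url", date(2024, 6, 1)),
]

if __name__ == "__main__":
    today = date(2025, 2, 1)
    blocked, archived = build_blocklist(SAMPLE_FEED, today)
    print("block:", sorted(blocked))
    print("archived:", archived)
    for t in ["203.0.113.7", "198.51.100.7", "login.example.top", "partner-portal.example.xyz"]:
        print(t, "->", policy_verdict(t))
```

With the constructed feed and a run date of 2025‑02‑01, the once-seen IP and the old URL have aged out, while the IP re-observed on 2025‑01‑25 and the domain remain blocked. The policy rules and the TTL logic are kept separate on purpose: the former are static defaults, the latter must be re-evaluated every time the feed is refreshed.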
Exploited legitimate components
Malicious actors’ infrastructure may also include entirely legitimate components that are abused at certain attack stages.
Remote access tools
Attackers may resort to legitimate remote access software instead of malware. For example, Rare Werewolf used AnyDesk, and Quartz Wolf used ASSISTANT (Russian software).
Others make ample use of tunneling utilities: Dirty Wolf favored Localtonet, while Rainbow Hyena relied on ngrok. These and other cases are covered in our detailed research Threat Zone 2025.
Such tools typically connect through their vendors’ relay infrastructure. Outbound access to that infrastructure should therefore be limited to the remote access products approved for corporate use, with all others blocked at the proxy or firewall.
Web services
Messengers and cloud storage can host malicious files and C2 server addresses, and can even serve as the C2 channel itself.
For instance, Bloody Wolf stored its C2 server address on Pastebin, Red Wolf used cloud services to receive commands and return their output, and Guerrilla Hyena relied on a Telegram bot.
Blocking access to such web services can prevent malware delivery at the initial access stage and disrupt communication with C2 servers.
Public VPN providers and Tor
Adversaries frequently come in through public VPN and Tor exit nodes when attacking credentials and logging in to exposed remote access services. Hence, inbound connections from Tor and from known public VPN providers should be blocked unless there is a business need for them.
Specific IP addresses are usually available on portals like BI.ZONE Threat Intelligence.
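The policy described across the three subsections above (approved remote access products only, no paste or messenger services as C2, no Tor or public VPN access to remote access services) can be evaluated against proxy and gateway logs. The script below is an added example, not BI.ZONE code; the vendor relay domains, web service hosts, Tor and VPN ranges, the approved-host list and the log lines are all constructed assumptions.

```python
"""Flag abuse of legitimate components in proxy/gateway logs.

Added example (not BI.ZONE code). Every domain, IP range, approval entry
and log line below is constructed; in production these come from vendor
relay ranges, a TI feed of Tor/VPN exits and the help desk's approvals.
"""
from ipaddress import ip_address, ip_network

# Constructed: relay/tunnel endpoints of remote access tools and the product they belong to.
REMOTE_ACCESS = {
    "relay.anydesk.example": "AnyDesk",
    "tunnel.ngrok.example": "ngrok",
    "localtonet.example": "Localtonet",
}
# Constructed: web services that have been observed as C2 channels or payload stores.
WEB_SERVICES_C2 = {"pastebin.example", "api.telegram.example"}
# Constructed: Tor exit and public VPN provider ranges (documentation prefixes).
TOR_EXITS = [ip_network("192.0.2.0/24")]
VPN_PROVIDERS = [ip_network("198.51.100.0/24")]
# Assumed help-desk policy: which internal hosts may use which product.
APPROVED_REMOTE_ACCESS = {"AnyDesk": {"10.0.5.11", "10.0.5.12"}}
# Internal remote access services that must not be reached via Tor or public VPNs.
REMOTE_ACCESS_SERVICES = {"vpn.corp.example", "rdp-gw.corp.example"}


def in_ranges(ip: str, ranges) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def parse_line(line: str) -> dict:
    """Constructed log format: '<ts> <in|out> <src_ip> <dst_host>:<port>'."""
    ts, direction, src, dst = line.split()
    return {"ts": ts, "direction": direction, "src": src, "dst": dst.rsplit(":", 1)[0]}


def evaluate(event: dict) -> str:
    src, dst = event["src"], event["dst"]
    if event["direction"] == "out":
        if dst in REMOTE_ACCESS:
            product = REMOTE_ACCESS[dst]
            if src in APPROVED_REMOTE_ACCESS.get(product, set()):
                return "allow"
            return f"block:unapproved-{product}"
        if dst in WEB_SERVICES_C2:
            return "block:web-service-c2"
        return "allow"
    # inbound: only remote access services are policed here
    if dst in REMOTE_ACCESS_SERVICES:
        if in_ranges(src, TOR_EXITS):
            return "block:tor"
        if in_ranges(src, VPN_PROVIDERS):
            return "block:public-vpn"
    return "allow"


def triage(log_text: str) -> list:
    """Return one verdict per non-empty log line, in order."""
    return [evaluate(parse_line(l)) for l in log_text.splitlines() if l.strip()]


# Constructed sample log: one approved AnyDesk host, one unapproved host reaching
# several relays and a paste site, then inbound logins from Tor, a VPN provider and elsewhere.
SAMPLE_LOG = """\
2025-02-01T10:00:01 out 10.0.5.11 relay.anydesk.example:443
2025-02-01T10:02:14 out 10.0.7.40 relay.anydesk.example:443
2025-02-01T10:03:09 out 10.0.7.40 tunnel.ngrok.example:443
2025-02-01T10:05:55 out 10.0.7.40 pastebin.example:443
2025-02-01T10:06:30 out 10.0.7.40 cdn.vendor.example:443
2025-02-01T10:10:02 in 192.0.2.18 vpn.corp.example:443
2025-02-01T10:11:47 in 198.51.100.23 rdp-gw.corp.example:443
2025-02-01T10:12:00 in 203.0.113.5 vpn.corp.example:443
"""

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), triage(SAMPLE_LOG)):
        print(f"{verdict:28} {line}")
```

Note that the rules key on the destination host name, so they only work where the proxy sees the name (TLS SNI or HTTP CONNECT); a client that connects to a relay by raw IP needs the vendor's published address ranges added alongside the domains. The same host 10.0.7.40 trips three rules in a row, which is the pattern the blocking is meant to surface: a legitimate product appearing on an unapproved host together with a tunneling tool and a paste service.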
Infrastructure insights in practice
Understanding attacker infrastructure equips organizations with concrete advantages:
Reduced likelihood of successful malware and tool delivery. Blocking malicious infrastructure components may impede lateral movement and the achievement of attack objectives.
Limited ability to control tools that have already been delivered. Communication with deployed malware can be disrupted, thereby severing the attacker’s control.
Lower risk of data leakage. Blocking exfiltration channels (C2 servers, cloud storage, and web services) significantly hinders data theft.
More targeted and effective blocking policy. Blanket restrictions give way to fine-tuned policies for:
- IP addresses and domains
- hosting providers
- TLDs, VPN providers, Tor, and legitimate web services
Greater practical value derived from threat intelligence. Such data evolves beyond standard reports and security feeds into a mechanism that reinforces firewalls, proxy servers, and other defenses.
Using information about adversary infrastructure can dramatically complicate attack execution. It is even possible to prevent intruders from controlling delivered malware and utilities. Such information is published on dedicated portals like BI.ZONE Threat Intelligence.
The next article will examine how insights into malicious methods and tools help constrain attackers.