Cybercriminal Servers Exposed: Researchers Reveal How Bulletproof Hosting and Abused RDP Systems Hide in Plain Sight

In today’s threat landscape, cybercriminals rely on resilient infrastructure that persists through takedowns, evades remediation, and blends into legitimate internet traffic. Known broadly as bulletproof hosting (BPH), these environments play a critical but often overlooked role in sustaining long-running malicious activity. Recent research shows how defenders can peel back the layers on this abusive infrastructure — not just by blacklisting IPs, but by tracking subtle deployment signals attackers leave behind.


What Is Bulletproof Hosting — and Why Does It Matter?

Bulletproof hosting refers to hosting services that knowingly enable and tolerate malicious activity, often ignoring abuse complaints and takedown requests. Unlike mainstream hosting providers that act on abuse reports and enforce terms of service, BPH environments provide attackers with a sort of “safe haven” where phishing kits, malware distribution systems, botnet command servers, and large-scale scanning infrastructure can operate for extended periods.

These hosts are not always obviously malicious at the network level — a factor that makes them particularly tough to detect. Sophisticated operators increasingly leverage reseller ecosystems and mainstream infrastructure to hide their backend operations, making simple IP- or ASN-based blocking both ineffective and unsustainable.


Why Traditional Blocking Isn’t Enough

Historically, defenders and security researchers relied on network placement — specific IP blocks or autonomous systems (ASNs) — to categorize bulletproof hosting. But this strategy is losing ground:

  • Reseller networks now blur the lines between malicious and legitimate infrastructure.
  • Operators routinely rotate IP ranges, ASNs, and upstream providers to avoid being fenced in by blacklist rules.
  • Static indicators such as BGP origin have become noisy and unreliable on their own.

Instead of focusing solely on where infrastructure exists, defenders now look at how it behaves and what artifacts it leaves behind when it is deployed.


Remote Desktop Protocol (RDP) — An Unexpected Window Into Abuse

One key insight in this research is the value of Remote Desktop Protocol (RDP) as a tracking signal. RDP is Microsoft’s protocol for interactive remote access, deeply integrated into Windows systems. Yet, when attackers use templated Windows virtual machines (VMs) at scale — such as cloned “golden images” — technical artifacts like the default Windows hostname and certificate information leak through the protocol.

These artifacts are important for a few reasons:

  • Hostnames like WIN-XXXXXXXXXXX often reveal reused templates across thousands of hosts.
  • These names persist even when attackers change IPs or ASNs.
  • They act as a fingerprint that can be tied back to provisioning workflows rather than individual network addresses.

In other words, although IPs and ASNs may shift, attackers tend to reuse the same VM images and automate provisioning using identical configurations — leaving behind stable and traceable markers that span networks.


How RDP Helps Expose Abuse-Tolerant Infrastructure

The research demonstrates that clusters of RDP hosts with identical or highly similar Windows hostnames often coincide with malicious scanning and brute-force activity, especially when correlated with data from internet-wide scanners like GreyNoise.

By identifying and aggregating these RDP template artifacts, analysts can:

  • Detect infrastructure reuse across different networks and providers.
  • Track migrations of bulletproof operations as they hop ASNs or rebrand.
  • Surface downstream reseller networks that host otherwise hidden malicious infrastructure.

For example, by consolidating RDP hostnames associated with historically known bulletproof ASNs, researchers picked out specific templates that occurred not only in those environments but across hundreds of smaller downstream networks — suggesting resale or nested abuse.


What Attackers Do Once They’re In

RDP hosts aren’t just entry points; they are flexible infrastructure components in the broader cybercrime ecosystem. Once live, they:

  • Perform widespread scanning for exposed services, especially brute-force attempts against other RDP endpoints.
  • Serve as SOCKS5 proxy scanners — a common technique for layering attacks or anonymizing outbound traffic.
  • Scan corporate-facing services (e.g., VPN gateways, remote administration panels) for exploitable weaknesses.

This multi-role behavior underscores the importance of looking beyond single signatures — host clusters often serve multiple purposes within criminal campaigns.


Putting the Research Into Action

The study provides a roadmap for defenders who want to move away from whack-a-mole blocking and toward more durable, artifact-based tracking:

  1. Aggregate RDP templates observed through internet-wide data.
  2. Correlate with malicious telemetry such as honeypot hits or scanning alerts.
  3. Look for density clusters of similar artifacts across networks — even when IPs change.
  4. Combine host-level identifiers with behavioral signals like proxy scanning or brute-force attempts.

By building blocklists and detection rules around reused RDP artifacts — rather than raw network identifiers — defenders can more reliably surface risky infrastructure that attackers want to keep hidden.
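An added example (not code from the research described above) that walks through steps 1 to 4 in Python: it normalizes the computer name leaked in each RDP certificate CN, keeps only default WIN-XXXXXXXXXXX template names, clusters them across ASNs, and scores each cluster against honeypot telemetry. Every IP, ASN and hostname below is constructed sample data, and the template regex is an assumption about the default-name format.

```python
import re
from collections import defaultdict

# Constructed sample records (not real hosts): one RDP endpoint each, with the
# hostname taken from the self-signed RDP certificate CN seen by a scanner.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "asn": 64500, "rdp_cn": "WIN-ABCDEF12345"},
    {"ip": "203.0.113.11", "asn": 64500, "rdp_cn": "WIN-ABCDEF12345"},
    {"ip": "198.51.100.7", "asn": 64501, "rdp_cn": "WIN-ABCDEF12345"},
    {"ip": "198.51.100.9", "asn": 64502, "rdp_cn": "win-abcdef12345.localdomain"},
    {"ip": "192.0.2.20", "asn": 64503, "rdp_cn": "WIN-ZZZZZZZZZZZ"},
    {"ip": "192.0.2.22", "asn": 64504, "rdp_cn": "corp-fileserver01"},
]

# Constructed telemetry: IPs that honeypots saw brute-forcing RDP or scanning SOCKS5.
MALICIOUS_TELEMETRY = {
    "203.0.113.10": ["rdp_bruteforce"],
    "198.51.100.7": ["rdp_bruteforce", "socks5_scan"],
    "198.51.100.9": ["socks5_scan"],
}

# Assumed shape of a default Windows computer name: WIN- plus 11 alphanumerics.
TEMPLATE_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")

def normalize_hostname(cn):
    """Upper-case the CN and strip any DNS suffix so cloned images compare equal."""
    return cn.split(".")[0].upper()

def is_template_hostname(name):
    """True for default, template-style names; custom names are not image artifacts."""
    return bool(TEMPLATE_RE.match(name))

def cluster_rdp_templates(records, telemetry, min_asns=2):
    """Step 1-3: group hosts by template hostname and keep clusters spanning
    several ASNs. Step 4: report what share of each cluster has bad telemetry."""
    clusters = defaultdict(lambda: {"ips": set(), "asns": set(), "bad": set()})
    for rec in records:
        name = normalize_hostname(rec["rdp_cn"])
        if not is_template_hostname(name):
            continue
        c = clusters[name]
        c["ips"].add(rec["ip"])
        c["asns"].add(rec["asn"])
        if rec["ip"] in telemetry:
            c["bad"].add(rec["ip"])
    return {
        name: {"hosts": len(c["ips"]), "asns": sorted(c["asns"]),
               "malicious_ratio": len(c["bad"]) / len(c["ips"])}
        for name, c in clusters.items() if len(c["asns"]) >= min_asns
    }
```

A cluster such as WIN-ABCDEF12345 here spans three ASNs with most members already flagged, which is the "density across networks" signal the steps above describe; the single-ASN cluster is dropped as not yet showing reuse.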


Conclusion

As cybercriminal infrastructure evolves, so must defensive strategies. Relying solely on IP blocks and ASN lists is no longer sufficient. Attackers craft their environments to “hide in plain sight” — blending into legitimate traffic and shifting networks at will.

What remains consistent are the fingerprints of how these systems are built and deployed. By tracking artifacts such as Windows hostnames leaked via RDP, security teams can gain enduring visibility into abuse-tolerant infrastructure long after traditional network indicators have faded. This strategic shift opens a new front in the fight against persistent malicious activity — one grounded in observable deployment signals rather than brittle blacklists.