惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
V2EX
Cisco Talos Blog
Cisco Talos Blog
MongoDB | Blog
MongoDB | Blog
IT之家
IT之家
N
News and Events Feed by Topic
博客园 - 叶小钗
Help Net Security
Help Net Security
美团技术团队
Attack and Defense Labs
Attack and Defense Labs
雷峰网
雷峰网
S
Security @ Cisco Blogs
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
WordPress大学
WordPress大学
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
AI
AI
Hacker News: Ask HN
Hacker News: Ask HN
T
The Blog of Author Tim Ferriss
Security Latest
Security Latest
Last Week in AI
Last Week in AI
S
Secure Thoughts
Simon Willison's Weblog
Simon Willison's Weblog
TaoSecurity Blog
TaoSecurity Blog
N
News and Events Feed by Topic
A
Arctic Wolf
Y
Y Combinator Blog
MyScale Blog
MyScale Blog
Cyberwarzone
Cyberwarzone
酷 壳 – CoolShell
酷 壳 – CoolShell
S
SegmentFault 最新的问题
罗磊的独立博客
Vercel News
Vercel News
D
DataBreaches.Net
博客园 - 聂微东
P
Palo Alto Networks Blog
N
News | PayPal Newsroom
GbyAI
GbyAI
B
Blog
A
About on SuperTechFans
PCI Perspectives
PCI Perspectives
S
Schneier on Security
Apple Machine Learning Research
Apple Machine Learning Research
I
InfoQ
The GitHub Blog
The GitHub Blog
P
Privacy International News Feed
Blog — PlanetScale
Blog — PlanetScale
博客园_首页
T
The Exploit Database - CXSecurity.com
V
Vulnerabilities – Threatpost
aimingoo的专栏
aimingoo的专栏
Google DeepMind News
Google DeepMind News

Darktrace Blog

Why behavioral AI is the answer to Mythos 7 MCP Risks CISO’s Should Consider and How to Prepare How To Secure AI And Find The Gaps In Your Security Operations 92% of Security Pros Concerned About AI Agents Darktrace Launches Unified Security Awareness Training and Messaging Security Darktrace Identifies Encryption in a World Leaks Ransomware Attack NetSupport RAT: Why Legitimate Tools Are as Damaging as Malware What the Darktrace Annual Threat Report 2026 Means for Security Leaders CVE-2026-1731: How Darktrace Sees the BeyondTrust Exploitation Wave Unfolding AppleScript Abuse: Unpacking a macOS Phishing Campaign Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access Medusa Ransomware 2025: RMM Abuse in Ransomware Campaigns How a Leading Bank is Prioritizing Risk Management with Darktrace A framework for securing AI in the enterprise The Year Ahead: AI Cybersecurity Trends to Watch in 2026 Phishing attacks surge by 620% in the lead-up to Black Friday How to Manage Risk in Amazon Bedrock Vo1d Botnet Exposed: How Darktrace Detected a Global Android Threat Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack with Darktrace Why API + Journaling Delivers Faster, SLA-Backed Email Security for Microsoft 365 Darktrace delivers the next evolution of unified and proactive NDR Salty Much: Darktrace’s take on a recent Salt Typhoon intrusion Akira SonicWall Campaign Uncovered Detecting Vendor Compromise and Trusted Relationship Abuse with Darktrace Industry-First Automated Cloud Forensics ShadowV2: An emerging DDoS for hire botnet SEO Poisoning and Fake PuTTY sites: Darktrace’s Investigation into the Oyster backdoor Why Unifying Email and Network Security Is Critical for Modern Cyber Defense Investigating the Ivanti Endpoint Manager Mobile Vulnerabilities 2025 Cyber Threats: A Mid‑Year Review AI Analyst in Action: 4 Real-World Investigations using AI Investigations AI Maturity Model: A Roadmap for Security 5 Core Capabilities for Cloud Forensics and IR Wallet Drainers: How Scams Steal Funds Top Eight Threats to SaaS Security and How to Combat Them Darktrace Tracks CVE‑2025‑31324 Activity UK Cyber Bill: What CISOs Need to Know Unpacking ClickFix: Darktrace Detection Insights Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response Evaluating Email Security: How to Select the Best Solution for Your Organization AsyncRAT Exposed: Signals and Mitigations Anomaly-Based Threat Hunting: Darktrace's Approach in Action Darktrace Tracks SocGholish to RansomHub How NDR and Secure Access Service Edge (SASE) Work Together to Achieve Network Security Outcomes Force Multiply Your Security Team with Agentic AI: How the Industry’s Only True Cyber AI Analyst™ Saves Time and Stop Threats Why Data Classification Isn’t Enough to Prevent Data Loss Email bombing exposed: Darktrace’s email defense in action Global Technology Provider Transforms Email Threat Detection with Darktrace Survey findings: How is AI Impacting the SOC? Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats New Threat on the Prowl: Investigating Lynx Ransomware Why Darktrace / EMAIL Excels Against APTs RansomHub’s Rise: RaaS Market Insights CNAPP Alone Isn’t Enough: Focusing on CDR for Real-Time Cross Domain Protection Reimagining Your SOC: How to Shift Away From Reactive Network Security RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal Why AI-powered Email Protection Became Essential for this Global Financial Services Leader Agent vs. Agentless Cloud Security: Why Deployment Methods Matter Defending AITM Phishing and Mamba Attacks Breaking Down Nation State Attacks on Supply Chains Darktrace is Positioned as a Leader in the IDC MarketScape: Worldwide Network Detection and Response 2024 Vendor Assessment Protecting Your Hybrid Cloud: The Future of Cloud Security in 2025 and Beyond Phishing Attacks Surge Over 600% in the Buildup to Black Friday Why Artificial Intelligence is the Future of Cybersecurity Darktrace Leading the Future of Network Detection and Response With Recognition from KuppingerCole AI and Cybersecurity: Predictions for 2025 Navigating Buying and Adoption Journeys for AI Cybersecurity Tools How Darktrace won an email security trial by learning the business, not the breach Introducing Real-Time Multi-Cloud Detection & Response Powered by AI From Call to Compromise: Darktrace’s Response to a Vishing-Induced Network Attack Business Email Compromise (BEC) in the Age of AI How AI can help CISOs navigate the global cyber talent shortage What you need to know about FAA Security Protection Regulations 2024 Introducing ‘Defend Beyond’: Our promise to customers in the face of evolving threats How Darktrace’s AI Applies a Zero-Trust Mentality within Critical Infrastructure Supply Chains Darktrace Releases 2024 Half-Year Threat Insights Safelink Smuggling: Enhancing Resilience Against Malicious Links CDR is just NDR for the Cloud... Right? Qilin RaaS: Darktrace Detection Insights Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks Safeguarding Distribution Centers in the Digital Age Darktrace Investigation Into Medusa Ransomware Exploring the Benefits and Risks of Third-Party Data Solutions Strategies to Combat Microsoft Teams Phishing Attacks Lost in Translation: Darktrace Blocks Non-English Phishing Campaign Concealing Hidden Payloads How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC The Rise of Alternative Access in Cloud Attacks The State of AI in Cybersecurity: How AI will impact the cyber threat landscape in 2024 Moving Beyond XDR to Achieve True Cyber Resilience with Darktrace ActiveAI Security Platform The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners Balada Injector: Darktrace’s Investigation into the Malware Exploiting WordPress Vulnerabilities Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace / EMAIL Utilizing AI Security Against Phishing Campaigns AI Function Assistance to Humans in Cyber Crises How Darktrace SOC Thwarted a BEC Attack Understanding Email Security & the Psychology of Trust Breaking Down "ICES": An Umbrella Term With Wide Variety Boosting Security Posture with Email Integration Enhancing Darktrace with Microsoft Defender Flexible Deployments for Enhanced Email Security
What is a VPS and How Do Attackers Abuse Virtual Servers?
Rajendra Rushanth · 2025-08-21 · via Darktrace Blog

What is a VPS and how are they abused?

A Virtual Private Server (VPS) is a virtualized server that provides dedicated resources and control to users on a shared physical device.  VPS providers, long used by developers and businesses, are increasingly misused by threat actors to launch stealthy, scalable attacks. While not a novel tactic, VPS abuse is has seen an increase in Software-as-a-Service (SaaS)-targeted campaigns as it enables attackers to bypass geolocation-based defenses by mimicking local traffic, evade IP reputation checks with clean, newly provisioned infrastructure, and blend into legitimate behavior [3].

VPS providers like Hyonix and Host Universal offer rapid setup and minimal open-source intelligence (OSINT) footprint, making detection difficult [1][2]. These services are not only fast to deploy but also affordable, making them attractive to attackers seeking anonymous, low-cost infrastructure for scalable campaigns. Such attacks tend to be targeted and persistent, often timed to coincide with legitimate user activity, a tactic that renders traditional security tools largely ineffective.

Darktrace’s investigation into Hyonix VPS abuse

In May 2025, Darktrace’s Threat Research team investigated a series of incidents across its customer base involving VPS-associated infrastructure. The investigation began with a fleet-wide review of alerts linked to Hyonix (ASN AS931), revealing a noticeable spike in anomalous behavior from this ASN in March 2025. The alerts included brute-force attempts, anomalous logins, and phishing campaign-related inbox rule creation.

Darktrace identified suspicious activity across multiple customer environments around this time, but two networks stood out. In one instance, two internal devices exhibited mirrored patterns of compromise, including logins from rare endpoints, manipulation of inbox rules, and the deletion of emails likely used in phishing attacks. Darktrace traced the activity back to IP addresses associated with Hyonix, suggesting a deliberate use of VPS infrastructure to facilitate the attack.

On the second customer network, the attack was marked by coordinated logins from rare IPs linked to multiple VPS providers, including Hyonix. This was followed by the creation of inbox rules with obfuscated names and attempts to modify account recovery settings, indicating a broader campaign that leveraged shared infrastructure and techniques.

Darktrace’s Autonomous Response capability was not enabled in either customer environment during these attacks. As a result, no automated containment actions were triggered, allowing the attack to escalate without interruption. Had Autonomous Response been active, Darktrace would have automatically blocked connections from the unusual VPS endpoints upon detection, effectively halting the compromise in its early stages.

Case 1

Timeline of activity for Case 1 - Unusual VPS logins and deletion of phishing emails.

Figure 1: Timeline of activity for Case 1 - Unusual VPS logins and deletion of phishing emails.

Initial Intrusion

On May 19, 2025, Darktrace observed two internal devices on one customer environment initiating logins from rare external IPs associated with VPS providers, namely Hyonix and Host Universal (via Proton VPN). Darktrace recognized that these logins had occurred within minutes of legitimate user activity from distant geolocations, indicating improbable travel and reinforcing the likelihood of session hijacking. This triggered Darktrace / IDENTITY model “Login From Rare Endpoint While User Is Active”, which highlights potential credential misuse when simultaneous logins occur from both familiar and rare sources.  

Shortly after these logins, Darktrace observed the threat actor deleting emails referring to invoice documents from the user’s “Sent Items” folder, suggesting an attempt to hide phishing emails that had been sent from the now-compromised account. Though not directly observed, initial access in this case was likely achieved through a similar phishing or account hijacking method.

 Darktrace / IDENTITY model "Login From Rare Endpoint While User Is Active", which detects simultaneous logins from both a common and a rare source to highlight potential credential misuse.

Figure 2: Darktrace / IDENTITY model "Login From Rare Endpoint While User Is Active", which detects simultaneous logins from both a common and a rare source to highlight potential credential misuse.

Case 2

Timeline of activity for Case 2 – Coordinated inbox rule creation and outbound phishing campaign.

Figure 3: Timeline of activity for Case 2 – Coordinated inbox rule creation and outbound phishing campaign.

In the second customer environment, Darktrace observed similar login activity originating from Hyonix, as well as other VPS providers like Mevspace and Hivelocity. Multiple users logged in from rare endpoints, with Multi-Factor Authentication (MFA) satisfied via token claims, further indicating session hijacking.

Establishing control and maintaining persistence

Following the initial access, Darktrace observed a series of suspicious SaaS activities, including the creation of new email rules. These rules were given minimal or obfuscated names, a tactic often used by attackers to avoid drawing attention during casual mailbox reviews by the SaaS account owner or automated audits. By keeping rule names vague or generic, attackers reduce the likelihood of detection while quietly redirecting or deleting incoming emails to maintain access and conceal their activity.

One of the newly created inbox rules targeted emails with subject lines referencing a document shared by a VIP at the customer’s organization. These emails would be automatically deleted, suggesting an attempt to conceal malicious mailbox activity from legitimate users.

Mirrored activity across environments

While no direct lateral movement was observed, mirrored activity across multiple user devices suggested a coordinated campaign. Notably, three users had near identical similar inbox rules created, while another user had a different rule related to fake invoices, reinforcing the likelihood of a shared infrastructure and technique set.

Privilege escalation and broader impact

On one account, Darktrace observed “User registered security info” activity was shortly after anomalous logins, indicating attempts to modify account recovery settings. On another, the user reset passwords or updated security information from rare external IPs. In both cases, the attacker’s actions—including creating inbox rules, deleting emails, and maintaining login persistence—suggested an intent to remain undetected while potentially setting the stage for data exfiltration or spam distribution.

On a separate account, outbound spam was observed, featuring generic finance-related subject lines such as 'INV#. EMITTANCE-1'. At the network level, Darktrace / NETWORK detected DNS requests from a device to a suspicious domain, which began prior the observed email compromise. The domain showed signs of domain fluxing, a tactic involving frequent changes in IP resolution, commonly used by threat actors to maintain resilient infrastructure and evade static blocklists. Around the same time, Darktrace detected another device writing a file named 'SplashtopStreamer.exe', associated with the remote access tool Splashtop, to a domain controller. While typically used in IT support scenarios, its presence here may suggest that the attacker leveraged it to establish persistent remote access or facilitate lateral movement within the customer’s network.

Conclusion

This investigation highlights the growing abuse of VPS infrastructure in SaaS compromise campaigns. Threat actors are increasingly leveraging these affordable and anonymous hosting services to hijack accounts, launch phishing attacks, and manipulate mailbox configurations, often bypassing traditional security controls.

Despite the stealthy nature of this campaign, Darktrace detected the malicious activity early in the kill chain through its Self-Learning AI. By continuously learning what is normal for each user and device, Darktrace surfaced subtle anomalies, such as rare login sources, inbox rule manipulation, and concurrent session activity, that likely evade traditional static, rule-based systems.

As attackers continue to exploit trusted infrastructure and mimic legitimate user behavior, organizations should adopt behavioral-based detection and response strategies. Proactively monitoring for indicators such as improbable travel, unusual login sources, and mailbox rule changes, and responding swiftly with autonomous actions, is critical to staying ahead of evolving threats.

Credit to Rajendra Rushanth (Cyber Analyst), Jen Beckett (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

References

·      1: https://cybersecuritynews.com/threat-actors-leveraging-vps-hosting-providers/

·      2: https://threatfox.abuse.ch/asn/931/

·      3: https://www.cyfirma.com/research/vps-exploitation-by-threat-actors/

Appendices

Darktrace Model Detections

•   SaaS / Compromise / Unusual Login, Sent Mail, Deleted Sent

•   SaaS / Compromise / Suspicious Login and Mass Email Deletes

•   SaaS / Resource / Mass Email Deletes from Rare Location

•   SaaS / Compromise / Unusual Login and New Email Rule

•   SaaS / Compliance / Anomalous New Email Rule

•   SaaS / Resource / Possible Email Spam Activity

•   SaaS / Unusual Activity / Multiple Unusual SaaS Activities

•   SaaS / Unusual Activity / Multiple Unusual External Sources For SaaS Credential

•   SaaS / Access / Unusual External Source for SaaS Credential Use

•   SaaS / Compromise / High Priority Login From Rare Endpoint

•   SaaS / Compromise / Login From Rare Endpoint While User Is Active

List of Indicators of Compromise (IoCs)

Format: IoC – Type – Description

•   38.240.42[.]160 – IP – Associated with Hyonix ASN (AS931)

•   103.75.11[.]134 – IP – Associated with Host Universal / Proton VPN

•   162.241.121[.]156 – IP – Rare IP associated with phishing

•   194.49.68[.]244 – IP – Associated with Hyonix ASN

•   193.32.248[.]242 – IP – Used in suspicious login activity / Mullvad VPN

•   50.229.155[.]2 – IP – Rare login IP / AS 7922 ( COMCAST-7922 )

•   104.168.194[.]248 – IP – Rare login IP / AS 54290 ( HOSTWINDS )

•   38.255.57[.]212 – IP – Hyonix IP used during MFA activity

•   103.131.131[.]44 – IP – Hyonix IP used in login and MFA activity

•   178.173.244[.]27 – IP – Hyonix IP

•   91.223.3[.]147 – IP – Mevspace Poland, used in multiple logins

•   2a02:748:4000:18:0:1:170b[:]2524 – IPv6 – Hivelocity VPS, used in multiple logins and MFA activity

•   51.36.233[.]224 – IP – Saudi ASN, used in suspicious login

•   103.211.53[.]84 – IP – Excitel Broadband India, used in security info update

MITRE ATT&CK Mapping

Tactic – Technique – Sub-Technique

•   Initial Access – T1566 – Phishing

                       T1566.001 – Spearphishing Attachment

•   Execution – T1078 – Valid Accounts

•   Persistence – T1098 – Account Manipulation

                       T1098.002 – Exchange Email Rules

•   Command and Control – T1071 – Application Layer Protocol

                       T1071.001 – Web Protocols

•   Defense Evasion – T1036 – Masquerading

•   Defense Evasion – T1562 – Impair Defenses

                       T1562.001 – Disable or Modify Tools

•   Credential Access – T1556 – Modify Authentication Process

                       T1556.004 – MFA Bypass

•   Discovery – T1087 – Account Discovery

•      Impact – T1531 – Account Access Removal

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.