title: Virtual Private Server (T1583.003)
id: df00tech-t1583-003
status: experimental
description: "Adversaries may rent Virtual Private Servers (VPSs) to stage malicious infrastructure including command-and-control (C2) servers, phishing pages, payload delivery endpoints, and exfiltration destinations. VPS providers offer rapid provisioning, geographic flexibility, and—when chosen carefully—minimal registration requirements, making attribution difficult. Because VPS-hosted IPs typically carry commercial hosting ASN reputation rather than residential or known-malicious reputation, they can evade naive geo-blocking and ASN-based controls. Real-world actors documented using this technique include Gamaredon, APT28, LAPSUS$, Ember Bear (GRU Unit 29155), HAFNIUM, APT42, Moonstone Sleet, and Contagious Interview. Detection from a defender perspective focuses on three observable effects: outbound C2 beaconing FROM compromised endpoints TO VPS-hosted IPs, inbound attack traffic (scanning, exploit delivery, phishing redirectors) FROM VPS IP ranges, and identity-based signals such as authentication attempts from datacenter IP space. Because T1583.003 is a Resource Development technique (TA0042), it is not directly observable on victim endpoints—detection is necessarily inferential, relying on behavioral patterns that betray VPS-based infrastructure in use."
references:
  - https://attack.mitre.org/techniques/T1583/003/
  - https://df00tech.com/detections/T1583.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1583.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software update agents (e.g., Google Update, Adobe Updater, Zoom updater) that periodically poll VPS-hosted CDN endpoints — mitigate by adding their process names to the exclusion list"
  - "Monitoring and observability agents (Datadog, Splunk UF, Elastic Agent, SolarWinds) that beacon frequently to cloud-hosted collection endpoints on fixed intervals"
  - "Endpoint security agents (CrowdStrike, Carbon Black, SentinelOne) that maintain persistent cloud connections with regular heartbeat patterns"
  - "Business applications with embedded telemetry or license validation that periodically connect to vendor-hosted VPS infrastructure"
  - "Developer workstations where IDEs, CLIs, or containers make repeated API calls to cloud development services hosted on VPS infrastructure"
level: high
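The first observable effect the description names, regular-interval outbound connections from an endpoint to hosting/VPS address space with the updater and agent processes from the false-positive list excluded, as an added Python example; this is not part of the rule or of df00tech's KQL/SPL query. The hosting ranges and the log events are constructed placeholders (documentation networks), and in practice the range check would be replaced by IP-to-ASN enrichment from your own feed.

```python
# Inferential beaconing detection for T1583.003: flag hosts that talk to
# datacenter/VPS address space on a fixed cadence, skipping known agents.
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed placeholder ranges standing in for a hosting/VPS ASN feed.
HOSTING_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Exclusion list in the spirit of the rule's falsepositives section; tune per site.
EXCLUDED_PROCESSES = {"googleupdate.exe", "ccmexec.exe"}
MIN_CONNECTIONS = 4   # beacons needed before the interval statistic is trusted
MAX_JITTER = 0.15     # pstdev/mean of inter-arrival gaps; low means fixed cadence

def is_hosting_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)

def find_beacons(events):
    """events: dicts with host, process, dst_ip, timestamp (ISO 8601).
    Returns (host, process, dst_ip, mean_gap_seconds) for regular connections
    to hosting ranges made by non-excluded processes."""
    series = {}
    for ev in events:
        if ev["process"].lower() in EXCLUDED_PROCESSES or not is_hosting_ip(ev["dst_ip"]):
            continue
        key = (ev["host"], ev["process"], ev["dst_ip"])
        series.setdefault(key, []).append(datetime.fromisoformat(ev["timestamp"]))
    hits = []
    for key, times in series.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            hits.append((*key, round(avg, 1)))
    return hits

# Constructed sample telemetry: a fixed 5-minute beacon (flagged), an excluded
# updater on the same cadence (skipped), and irregular browsing to a hosting
# range (not flagged because the jitter is high).
SAMPLE_EVENTS = (
    [{"host": "WS01", "process": "svchost.exe", "dst_ip": "203.0.113.10",
      "timestamp": f"2026-04-13T10:{m:02d}:00"} for m in (0, 5, 10, 15, 20)]
    + [{"host": "WS01", "process": "GoogleUpdate.exe", "dst_ip": "203.0.113.20",
        "timestamp": f"2026-04-13T10:{m:02d}:00"} for m in (0, 5, 10, 15)]
    + [{"host": "WS02", "process": "chrome.exe", "dst_ip": "198.51.100.7",
        "timestamp": f"2026-04-13T10:{m:02d}:00"} for m in (0, 1, 9, 12, 30)]
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EVENTS):
        print("possible C2 beacon to VPS space:", hit)
```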
