title: Virtual Private Server (T1584.003)
id: df00tech-t1584-003
status: experimental
description: "Adversaries may compromise third-party Virtual Private Servers (VPSs) to use as operational infrastructure. By taking over VPS instances purchased by legitimate third parties at providers such as DigitalOcean, Linode, Vultr, Hetzner, or OVH, adversaries gain infrastructure that carries the reputation of trusted cloud providers while obscuring the true origin of their operations. Compromised VPS infrastructure is typically leveraged for Command and Control, staging payloads, proxying traffic, or exfiltrating data. Notable examples include Volt Typhoon compromising VPS nodes to proxy C2 traffic through legitimate-appearing cloud infrastructure, and Turla reusing compromised Iranian threat actor VPS infrastructure. Detection must pivot from the adversary's external preparatory action (compromising the VPS itself, which is unobservable from the victim network) to the observable USAGE patterns: beaconing connections to VPS provider IP space, C2-characteristic network behavior such as regular connection intervals with low data volume, and threat intelligence matches against known-compromised VPS nodes."
references:
  - https://attack.mitre.org/techniques/T1584/003/
  - https://df00tech.com/detections/T1584.003
author: df00tech
date: 2026/03/13
tags:
  - attack.t1584.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Cloud-hosted SaaS applications and business tools (Slack, Zoom, Datadog agents) that make frequent small HTTPS connections to cloud provider IP ranges"
  - "Software update services (OS updates, antivirus definitions) that poll VPS-hosted CDN endpoints on regular intervals"
  - "Developer workstations with personal VPS instances for legitimate remote work, CI/CD pipelines, or side projects hosted at the listed providers"
  - "VPN clients and corporate proxy configurations that route traffic through VPS-hosted endpoints at the listed providers"
  - "Telemetry and monitoring agents that beacon regularly to cloud-hosted collection infrastructure (e.g., Elastic Agents, Splunk UFs reporting to cloud-hosted indexers)"
level: high
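An added example, not part of the df00tech rule, of the usage-pattern detection the description calls for: it groups network_connection events by source and destination, flags pairs that connect to VPS-provider address space at regular intervals with low outbound volume, and flags destinations on a compromised-VPS threat-intel list. The provider ranges, the intel list and the events are constructed placeholders (TEST-NET addresses), not real provider CIDRs or IoCs.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed stand-ins for VPS provider address space (TEST-NET ranges, not real provider CIDRs).
VPS_PROVIDER_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
# Constructed threat-intel list of known-compromised VPS nodes (placeholder value).
KNOWN_COMPROMISED_VPS = {"198.51.100.77"}

def in_vps_space(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPS_PROVIDER_RANGES)

def detect_vps_beacons(events, min_count=4, max_jitter=0.2, max_avg_bytes=2048):
    """Flag (src, dst) pairs that reach VPS provider space at regular intervals with little
    data, or that reach an address on the compromised-VPS list. events: ts (ISO 8601), src, dst, bytes_out."""
    flows = defaultdict(list)
    alerts = []
    for ev in events:
        if in_vps_space(ev["dst"]):
            flows[(ev["src"], ev["dst"])].append(ev)
    for (src, dst), evs in flows.items():
        if dst in KNOWN_COMPROMISED_VPS:
            alerts.append({"src": src, "dst": dst, "reason": "threat_intel_match"})
            continue
        if len(evs) < min_count:
            continue
        times = sorted(datetime.fromisoformat(e["ts"]) for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 1.0  # relative interval spread
        avg_bytes = statistics.mean(e["bytes_out"] for e in evs)
        if jitter <= max_jitter and avg_bytes <= max_avg_bytes:
            alerts.append({"src": src, "dst": dst, "reason": "regular_low_volume_beacon",
                           "interval_s": round(mean_gap), "avg_bytes": round(avg_bytes)})
    return alerts

# Constructed sample events: a 60 s low-volume beacon, a bursty large upload (benign), and an intel hit.
SAMPLE_EVENTS = [
    {"ts": f"2026-03-13T10:{m:02d}:00", "src": "10.0.0.5", "dst": "203.0.113.10", "bytes_out": 512}
    for m in range(0, 5)
] + [
    {"ts": "2026-03-13T10:00:00", "src": "10.0.0.8", "dst": "203.0.113.20", "bytes_out": 5_000_000},
    {"ts": "2026-03-13T10:00:03", "src": "10.0.0.8", "dst": "203.0.113.20", "bytes_out": 7_000_000},
    {"ts": "2026-03-13T10:09:00", "src": "10.0.0.8", "dst": "203.0.113.20", "bytes_out": 6_000_000},
    {"ts": "2026-03-13T10:40:00", "src": "10.0.0.8", "dst": "203.0.113.20", "bytes_out": 6_000_000},
    {"ts": "2026-03-13T11:00:00", "src": "10.0.0.9", "dst": "198.51.100.77", "bytes_out": 300},
]
```

The jitter and byte thresholds are the knobs that separate the beacon from the update pollers and monitoring agents listed under falsepositives; tune them against a baseline of your own traffic before raising the level.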
