MITRE ATT&CK® Technique

T1584.003: Virtual Private Server

Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.[1]

Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.

Enterprise | T1584.003 | Sub-technique | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This technique matters because adversaries can use compromised third-party virtual private servers as staging or later command-and-control infrastructure while benefiting from the reputation of legitimate cloud providers and the unrelated victim organization that owns the VPS. For leaders, the key issue is that “known cloud provider” traffic is not automatically benign, and infrastructure preparation may occur before an intrusion is visible inside the enterprise.

Executive priority

Prioritize this as a resilience and detection-readiness issue rather than a simple blocklist problem. The ATT&CK relationships connect this behavior to resource development and to groups/campaigns with espionage and critical-infrastructure context, so executives should ask whether SOC, threat intelligence, and incident response teams can recognize suspicious use of reputable cloud-hosted infrastructure without disrupting legitimate business use of cloud services.

Technical view

T1584.003 is a PRE-platform, resource-development sub-technique of Compromise Infrastructure. MITRE provides no official detection text, but the related DET0854 detection strategy indicates detection is expected through infrastructure-focused analysis. Teams should validate external infrastructure hunting, network-scan-derived indicators, passive DNS/DNS history, proxy and firewall logs, NetFlow, and command-and-control investigation workflows that can distinguish normal VPS/cloud traffic from suspicious infrastructure patterns. Because this behavior precedes or supports later activity, internal endpoint telemetry alone may be insufficient.

Likely telemetry

  • External attack-surface and internet scan data relevant to VPS-hosted services
  • Passive DNS, DNS resolution history, and domain-to-IP infrastructure pivots
  • Firewall, proxy, secure web gateway, and egress logs showing connections to cloud-hosted VPS ranges
  • NetFlow or other network metadata for unusual beaconing or repeated outbound sessions
  • Threat intelligence records linking domains, certificates, IPs, hosting providers, and observed infrastructure changes

Detection direction

  • Do not rely solely on cloud provider reputation; validate behavioral and infrastructure context around connections to VPS-hosted assets.
  • Tune detections for suspicious infrastructure patterns while accounting for high false-positive potential from legitimate cloud-hosted services.
  • Use relationship-driven context: this is resource development and may only become visible when linked to later command-and-control or campaign infrastructure.
  • Confirm whether DET0854-style infrastructure detection is operationalized with documented data sources, enrichment, and analyst playbooks.
  • Review blind spots where proxy logs, DNS history, NetFlow, or external scan intelligence are missing or retained for too short a period.
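The detection direction above comes down to one rule: evaluate the behaviour of a connection to a VPS-hosted address, and treat the cloud provider's reputation as enrichment rather than as a reason to drop the alert. The following script is an added example written for this page (it is not Glexia's or MITRE's code, and DET0854 is referenced here only as the page describes it). It walks constructed egress log lines, groups sessions per source/destination/port, flags groups whose inter-arrival timing is regular enough to look like beaconing, and attaches two pieces of context the page's "Likely telemetry" list calls for: whether the destination falls in a (constructed) cloud-provider range, and how recently passive DNS first saw a name resolve to that address. The IP ranges, domains, dates and log lines are all constructed for illustration; the thresholds (five sessions, 10% jitter) are assumptions a team would tune against its own baseline.

```python
"""Beacon-candidate hunting over egress log lines.

Added example for this page (not Glexia's or MITRE's code). A regular outbound
cadence to a VPS-hosted address is surfaced even when the address sits in a
well-known cloud range; the range and DNS age are attached as context only.
Every IP, range, domain, date and log line below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed stand-ins for published cloud-provider prefixes (context only).
CLOUD_RANGES = {
    "example-cloud-a": ip_network("198.51.100.0/24"),
    "example-cloud-b": ip_network("203.0.113.0/24"),
}

# Constructed passive-DNS snapshot: destination IP -> (domain, first seen).
PASSIVE_DNS = {
    "198.51.100.77": ("update-cdn-example.net", "2025-02-27"),
    "203.0.113.10": ("files.example-partner.com", "2022-06-14"),
}

# Constructed egress/firewall log: timestamp src dst dport bytes_out
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 10.0.5.23 198.51.100.77 443 612
2025-03-01T10:05:01Z 10.0.5.23 198.51.100.77 443 608
2025-03-01T10:10:00Z 10.0.5.23 198.51.100.77 443 615
2025-03-01T10:14:59Z 10.0.5.23 198.51.100.77 443 610
2025-03-01T10:20:01Z 10.0.5.23 198.51.100.77 443 611
2025-03-01T10:25:00Z 10.0.5.23 198.51.100.77 443 609
2025-03-01T10:01:12Z 10.0.5.40 203.0.113.10 443 18234
2025-03-01T10:03:45Z 10.0.5.40 203.0.113.10 443 2201
2025-03-01T10:31:02Z 10.0.5.40 203.0.113.10 443 90412
2025-03-01T11:12:30Z 10.0.5.40 203.0.113.10 443 5120
2025-03-01T11:40:00Z 10.0.5.40 203.0.113.10 443 770
"""


def parse_log(text):
    """Parse whitespace-separated egress lines into (ts, src, dst, dport, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       src, dst, int(dport), int(nbytes)))
    return events


def provider_for(ip):
    """Name of the cloud range containing ip, or None if it is in none of them."""
    addr = ip_address(ip)
    for name, net in CLOUD_RANGES.items():
        if addr in net:
            return name
    return None


def dns_age_days(ip, as_of):
    """Days since passive DNS first saw a name resolve to ip (None if unknown)."""
    rec = PASSIVE_DNS.get(ip)
    if rec is None:
        return None
    return (as_of - datetime.strptime(rec[1], "%Y-%m-%d")).days


def find_beacon_candidates(events, min_sessions=5, max_jitter=0.10):
    """Flag (src, dst, dport) groups with >= min_sessions sessions whose
    inter-arrival gaps vary by at most max_jitter (coefficient of variation).
    Cloud membership and DNS age are enrichment; they never suppress a hit."""
    groups = defaultdict(list)
    for ts, src, dst, dport, _ in events:
        groups[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), stamps in groups.items():
        if len(stamps) < max(min_sessions, 2):
            continue  # too few sessions to judge a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps: a burst, not a cadence
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "sessions": len(stamps),
                "period_s": round(avg, 1),
                "jitter": round(cv, 3),
                "provider": provider_for(dst),
                "dns_age_days": dns_age_days(dst, stamps[-1]),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacon_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

Run stand-alone, the script reports the 10.0.5.23 host: six sessions on a 300-second period to an address inside "example-cloud-a" whose DNS name was first seen two days earlier. The 10.0.5.40 host also talks to a cloud range five times, but its gaps are irregular and its destination name is years old, so it is not reported. The provider name is carried in the finding so an analyst sees it, which is the opposite of filtering on it; in practice the DNS-age and provider enrichment would come from a passive DNS service and the provider's published prefix lists rather than the constructed dictionaries used here.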

Mitigation priorities

  • Apply M1056 Pre-compromise principles: reduce exposed weaknesses and make adversary preparation harder to convert into successful operations.
  • Maintain external attack-surface awareness and limit unnecessary public information that helps adversaries select or abuse infrastructure pathways.
  • Strengthen egress governance so cloud-hosted destinations are evaluated by behavior and business need, not provider reputation alone.
  • Prepare IR procedures for rapidly scoping suspicious VPS-hosted infrastructure across DNS, proxy, firewall, and network metadata.
  • For critical infrastructure or cyber-physical environments, ensure monitoring and response plans include cloud-hosted intermediary infrastructure that may support disruptive campaigns.

Analyst notes and limits

The supplied ATT&CK object is about adversaries compromising third-party VPS infrastructure, not purchasing their own VPS. The strongest defensive value is in infrastructure correlation, egress visibility, and threat-intelligence-supported hunting. Relationships to Turla, Volt Typhoon, Operation MidnightEclipse, and the 2025 Poland Wiper Attacks show ATT&CK-observed relevance across serious threat contexts, but local exposure and activity must be established with organization-specific telemetry.

MITRE provides no official detection text for this technique, and the object is PRE-platform resource development, so many indicators may be external or only inferable after later-stage activity is observed. This take does not establish active exploitation, attribution, or detection coverage for any environment.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1584 | Compromise Infrastructure | This object is a sub-technique of Compromise Infrastructure.
Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]

Group (Enterprise)

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Campaign (Enterprise)

C0063: 2025 Poland Wiper Attacks

2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: c3cfe8c75f298ca1...

Imported snapshots across ATT&CK releases (1):

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | c3cfe8c75f29…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] NSA NCSC Turla OilRig: NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.
  2. [2] Koczwara Beacon Hunting Sep 2021: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
  3. [3] Mandiant SCANdalous Jul 2020: Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.
  4. [4] ThreatConnect Infrastructure Dec 2020: ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  5. [5] mitre-attack T1584.003: MITRE ATT&CK entry for T1584.003.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.