Infrastructure is the invisible backbone of every cyber operation. Before an adversary can phish a target, deploy ransomware, or exfiltrate sensitive data, they must first establish the servers, domains, and communication channels that make their attack possible. Without infrastructure, even the most sophisticated exploit is useless: there is no way to receive stolen credentials, no command-and-control channel to manage compromised machines, and no platform from which to launch payloads. Infrastructure acquisition is not an optional step in the attack lifecycle; it is the foundational prerequisite that transforms theoretical capability into operational reality.
The barriers to acquiring malicious infrastructure have never been lower. Major cloud providers (AWS, Azure, Google Cloud, DigitalOcean, and Linode) offer free trial periods that provide attackers with powerful computing resources at zero initial cost. Domain registrars process new registrations in minutes, and WHOIS privacy services allow anonymous ownership. Cryptocurrency payments, including Bitcoin and privacy-focused Monero, make it virtually impossible to trace financial transactions back to the real purchaser. According to threat intelligence reports, over 11,800 domains registered in the first half of 2025 alone were observed in malware communications, and APT groups routinely leverage commercial VPN services like ProtonVPN, IVPN, Surfshark, and the Tor network to anonymize their operational traffic.
The use of legitimate infrastructure services creates a significant detection challenge for defenders. When adversary traffic originates from AWS IP ranges, communicates through Google Drive webhooks, or uses Cloudflare CDN for payload delivery, it becomes extremely difficult to distinguish malicious activity from normal organizational traffic. Threat actors have exploited this by using HubSpot and MailerLite marketing platforms to hide phishing senders behind reputable domains, leasing servers from resellers to avoid direct interaction with hosting companies, and purchasing infrastructure with prepaid cards and stolen cryptocurrency to maintain complete anonymity. The MITRE ATT&CK framework identifies eight distinct sub-techniques under T1583, reflecting the extraordinary diversity of infrastructure options available to modern threat actors.
Acquiring Infrastructure (T1583) refers to the process by which adversaries obtain the servers, domains, DNS services, virtual private servers, web service accounts, serverless functions, botnets, and advertising networks needed to plan, stage, and execute cyber operations. This technique covers the full spectrum of infrastructure acquisition: from purchasing brand-new domains through legitimate registrars using cryptocurrency, to provisioning virtual machines on major cloud platforms, to leasing compromised servers from bulletproof hosting providers, to hijacking existing botnets for use as proxy networks. The acquired infrastructure serves as the operational foundation for command-and-control communications, payload delivery, data exfiltration, phishing campaigns, and virtually every other phase of the adversary kill chain.
Think of it like a military general setting up bases, supply lines, and communication networks before launching a campaign. Without forward operating bases, the soldiers have nowhere to stage from. Without supply lines, ammunition and provisions never reach the front. Without communication networks, orders can't be transmitted and intelligence can't flow back. In cybersecurity, infrastructure is the digital equivalent of all three combined: servers are the bases, domain names and DNS entries are the supply lines, and C2 channels are the communication networks. An adversary who hasn't acquired infrastructure is like an army with soldiers but no battlefield to deploy them to.
Understanding T1583 also requires familiarity with concepts like fast-flux networks (rapidly changing IP addresses associated with a domain to evade blocking), domain generation algorithms (DGAs) (algorithmic creation of thousands of domain names to ensure at least some remain unblocked), residential proxies (using compromised home computers as intermediary nodes), and content delivery networks (CDNs) (leveraging legitimate CDN services to distribute malware payloads while blending with normal web traffic).
Elena Vasquez is a highly skilled APT operator affiliated with a state-sponsored cyber espionage group. Her mission: build a complete, resilient, and anonymous operational infrastructure platform from scratch to support a sustained campaign targeting critical infrastructure organizations across three countries. This is the story of how she did it, and how defenders eventually caught on.
Elena begins by converting a portion of previously stolen cryptocurrency (Bitcoin obtained from earlier ransomware operations) into Monero through a series of decentralized exchanges, creating a financial trail that is practically impossible to follow. She purchases prepaid gift cards from online marketplaces using cryptocurrency, establishing an additional payment layer. Funds are now distributed across multiple wallets, exchange accounts, and prepaid cards, a technique known as "chain hopping" designed to break the link between the original illicit funds and the infrastructure she is about to acquire.
Using a commercial VPN service (ProtonVPN) connected through the Tor network, Elena registers eight new domain names across five different registrars (Namecheap, GoDaddy, Google Domains, and two lesser-known European registrars). Every domain is registered with fabricated contact information and maximum WHOIS privacy enabled. She intentionally selects domain names designed to mimic legitimate software update portals and IT service providers, including variations that could be confused with common enterprise tools. She sets up Cloudflare as the authoritative DNS provider for all domains, adding an additional layer of abstraction between the registration records and the actual hosting infrastructure. Sub-technique: T1583.001 (Domains).
Elena provisions virtual private servers across three cloud providers: one VPS on DigitalOcean for payload hosting, one on Linode as a relay node, and a third on a lesser-known European cloud provider (chosen specifically because it accepts Monero payments and has minimal abuse response). She also leases a dedicated server from a reseller in Southeast Asia using prepaid cards, avoiding any direct relationship with the hosting company. Each server runs a hardened Linux configuration with automated failover scripts. She sets up separate DNS resolution paths on her own DNS server infrastructure to manage the complex web of domain-to-IP mappings that will allow her to rapidly switch between servers if any single node is detected or blocked. Sub-techniques: T1583.002 (DNS Server), T1583.003 (Virtual Private Server).
To create communication channels that blend with normal traffic, Elena creates accounts on GitHub (for storing malicious payloads disguised as code repositories), Google Drive (for C2 data staging), Telegram (for real-time operator communication), and Trello (for tracking campaign progress). She also creates free accounts on Firebase and AWS API Gateway to set up serverless functions that act as redirectors and payload delivery endpoints. These legitimate platforms are chosen specifically because their traffic is unlikely to be blocked by enterprise firewalls, allowing her C2 communications to pass through perimeter defenses undetected. Sub-techniques: T1583.006 (Web Services), T1583.007 (Serverless).
Elena rents access to a botnet of approximately 3,000 compromised IoT devices through a dark web marketplace, paying in Monero. These devices serve as proxy nodes, distributing her traffic across hundreds of IP addresses worldwide and making it impossible for defenders to block her activities based on source IP. She also purchases malvertising space on several ad networks, creating ads that appear to promote legitimate software downloads but actually redirect users to her payload delivery infrastructure when clicked. Sub-techniques: T1583.005 (Botnet), T1583.008 (Malvertising).
Before: No infrastructure, no capability. Elena has exploit code and target intelligence, but no way to deliver payloads, receive stolen data, or communicate with compromised machines. She is effectively paralyzed: a general with an army but no battlefield, no supply lines, and no communication channels. The entire campaign exists only as plans on a whiteboard, unable to translate strategy into action without the operational foundation that infrastructure provides.
After: A fully operational, multi-layered infrastructure platform spanning 8 domains across 5 registrars, 5 servers across 4 cloud providers in 3 different countries, 4 web service accounts on legitimate platforms (GitHub, Google Drive, Telegram, Trello), 3 serverless function endpoints (Firebase, AWS API Gateway, Cloudflare Workers), a 3,000-node IoT proxy botnet, and multiple malvertising channels on legitimate ad networks, all paid for with untraceable cryptocurrency and accessed through anonymized VPN connections layered through Tor exit nodes. The platform is resilient, redundant, and ready for immediate use against any target worldwide. A single takedown or provider investigation can only disable a fraction of the total infrastructure, ensuring operational continuity even under active defense.
What makes this scenario particularly dangerous is that every piece of infrastructure Elena acquired is legitimate in isolation. The domains were registered through reputable registrars. The servers were provisioned from mainstream cloud providers. The web service accounts were created on widely-used platforms. The advertising space was purchased through established ad networks. None of these activities would trigger suspicion on their own; it is only when the complete infrastructure ecosystem is viewed as a unified operational platform that the adversary's intent becomes clear. This is precisely why detecting infrastructure-based threats requires holistic analysis, cross-referencing multiple data sources, and maintaining visibility into the full spectrum of an organization's digital attack surface.
The following six-step guide is designed for defenders and security teams to understand the adversary infrastructure acquisition process, anticipate the methods used, and implement protective countermeasures at each stage.
1. Adversaries begin by determining exactly what type and quantity of infrastructure is needed for their specific campaign objectives.
2. Attackers choose providers based on cost, anonymity, abuse response speed, and payment methods accepted.
3. The actual purchase and setup of all required infrastructure components, including domains, servers, and services.
4. Once acquired, infrastructure must be configured for operational security and resistance to takedown efforts.
5. Before operational use, adversaries verify that their infrastructure is functional, anonymous, and not already flagged by security vendors.
6. The final step connects all infrastructure components into a cohesive operational platform ready for active exploitation.
The red team perspective focuses on acquiring infrastructure that is invisible, resilient, and operationally flexible. A skilled red team operator will:
Multi-layered anonymization: Chain Tor, VPN, and residential proxy connections so that no single point of failure exposes the operator's real IP. Use different VPN providers for different infrastructure purchases to avoid correlation.
Financial separation: Convert stolen cryptocurrency through mixers and decentralized exchanges before purchasing infrastructure. Use different wallets for different providers, and never reuse a payment method across operations.
Infrastructure diversity: Spread infrastructure across at least three cloud providers, two domain registrars, and multiple DNS services. This ensures that a single takedown or provider investigation cannot destroy the entire platform.
Legitimate service abuse: Prefer platforms like GitHub Pages, Google Drive, Firebase, Telegram bots, and Cloudflare Workers for C2 communication. Traffic from these services is trusted by most enterprise security policies and will pass through firewalls without raising alerts.
Rapid rotation capability: Pre-configure automated scripts that can provision new VPS instances, register backup domains, and update DNS records within minutes of detecting a block or takedown, ensuring near-continuous operational availability. Advanced operators maintain "burner" infrastructure pre-provisioned and standing by, ready to be activated instantly when primary infrastructure is compromised. This concept of infrastructure redundancy mirrors military doctrine: always have a fallback position prepared before you need it.
The blue team perspective focuses on identifying adversary infrastructure early, tracking its evolution, and disrupting it before it can be used effectively. A skilled defender will:
Passive DNS monitoring: Continuously monitor DNS resolution data for newly observed domains resolving to suspicious IP ranges, particularly those associated with cloud providers and bulletproof hosting. Track domain registration patterns and WHOIS changes over time.
SSL/TLS certificate monitoring: Query Certificate Transparency logs for newly issued certificates containing suspicious domain names or organizational details. Adversaries often request free Let's Encrypt certificates for newly registered domains, creating a detectable pattern.
Threat intelligence correlation: Cross-reference newly observed infrastructure against known threat actor IOCs from MITRE ATT&CK, CISA advisories, and commercial threat intelligence feeds. Identify infrastructure overlaps between different campaigns that suggest the same operator.
Free trial and throwaway account detection: Monitor for account creation patterns associated with free trials (specific IP ranges, temporary email addresses, and rapid account abandonment) that may indicate adversary infrastructure staging.
Blockchain analysis integration: Work with cryptocurrency tracing firms to identify wallet addresses associated with infrastructure purchases. While privacy coins like Monero are difficult to trace, Bitcoin payments leave a permanent public record that can sometimes be linked to identity through exchange KYC records, cluster analysis, and cooperation with financial regulators. Organizations should maintain a watchlist of cryptocurrency addresses associated with previous incidents and correlate new infrastructure registrations with known payment patterns.
The most effective infrastructure defense programs combine red team intelligence with blue team monitoring capabilities. Red team assessments that simulate real-world adversary infrastructure acquisition patterns provide invaluable data for calibrating detection thresholds and validating monitoring tooling. When red team operators discover new anonymization techniques or previously unknown legitimate service abuse patterns, this intelligence should immediately inform blue team detection rule development and threat model updates. Organizations that bridge the gap between offensive security research and defensive operations gain a significant advantage in the ongoing race between adversary innovation and defender response.
Threat hunters can uncover adversary infrastructure acquisition activities before they are used in active attacks by monitoring the following indicators and hunting hypotheses. Proactive infrastructure hunting represents one of the earliest possible intervention points in the attack lifecycle: identifying and disrupting adversary infrastructure during the preparation phase, before any exploitation or data theft occurs. The key advantage of infrastructure-focused hunting is that every adversary operation, regardless of sophistication, must ultimately touch observable infrastructure at some point, creating opportunities for detection.
Every publicly-trusted Certificate Authority must publish certificates to Certificate Transparency (CT) logs. By monitoring these logs in near-real-time, hunters can identify suspicious certificate issuance patterns. Look for certificates issued for domain names that are typosquats of legitimate brands, certificates containing suspicious Subject Alternative Names (SANs) that include internal network names, and certificates issued to newly-registered domains (less than 72 hours old) that already resolve to cloud provider IP addresses. The crt.sh service and Censys Certificate Search provide public interfaces for querying CT logs. Certificate issuance for domains not matching any known organizational assets should trigger immediate investigation.
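As an added example (not part of this page, and not code from crt.sh or Censys), the following Python applies those CT-log checks to a handful of constructed crt.sh-style JSON records: it splits each certificate's SANs, flags typosquats of a watched brand by edit distance on the hyphen-separated label tokens, flags names that merely append the brand to another word, flags SANs ending in internal-only suffixes, and marks certificates issued within the last 72 hours for priority. The brand list, the set of legitimate domains, the suffix list and the records themselves are all constructed for the demo; the `registrable()` helper is a naive two-label approximation that a production pipeline should replace with the Public Suffix List. This also serves hypothesis H1 below.

```python
import json
from datetime import datetime, timedelta

# Constructed reference data for the demo: the brand to protect, the org's own
# registrable domains (no alert for these), and suffixes that should never
# appear in a publicly logged certificate.
WATCHED_BRANDS = ["examplecorp"]
LEGIT_DOMAINS = {"examplecorp.com"}
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")
RECENT_WINDOW = timedelta(hours=72)

# Constructed records in the shape of crt.sh's JSON output (name_value holds
# newline-separated SANs). None of these certificates is real.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "examp1ecorp-updates.com\nwww.examp1ecorp-updates.com",
     "not_before": "2025-06-01T10:00:00"},
    {"id": 2, "issuer_name": "C=US, O=ExampleCA",
     "name_value": "vpn.examplecorp.com\nportal.examplecorp.com",
     "not_before": "2025-05-20T08:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "mail.examplecorp-support.net\nfileserver.corp.local",
     "not_before": "2025-05-30T23:15:00"},
    {"id": 4, "issuer_name": "C=US, O=ExampleCA",
     "name_value": "randomshop.example",
     "not_before": "2025-01-15T12:00:00"},
])


def levenshtein(a, b):
    """Plain edit distance; inputs are short labels, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(name):
    """Naive eTLD+1 (last two labels). Use the Public Suffix List in production
    so that names such as example.co.uk are split correctly."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def analyze_san(san, now, not_before):
    """Returns the list of reasons one SAN deserves attention (empty if none)."""
    reasons = []
    san = san.lower().lstrip("*.")
    if san.endswith(INTERNAL_SUFFIXES):
        return ["internal-san"]          # internal hostname leaked into a public cert
    reg = registrable(san)
    if reg in LEGIT_DOMAINS:
        return reasons                   # our own domain: nothing to do
    sld = reg.split(".")[0]
    for brand in WATCHED_BRANDS:
        # Compare each hyphen-separated token so "examp1ecorp-updates" is caught.
        dist = min(levenshtein(tok, brand) for tok in sld.split("-"))
        if 0 < dist <= 2:
            reasons.append("typosquat")
        elif brand in sld:
            reasons.append("brand-affix")  # e.g. examplecorp-support.net
    if reasons and now - not_before <= RECENT_WINDOW:
        reasons.append("recent")         # freshly issued: prioritise the look
    return reasons


def analyze_ct_records(ct_json, now):
    """Returns {cert id: sorted unique reasons} for every cert worth a look."""
    findings = {}
    for rec in json.loads(ct_json):
        not_before = datetime.fromisoformat(rec["not_before"])
        reasons = set()
        for san in rec["name_value"].split("\n"):
            reasons.update(analyze_san(san, now, not_before))
        if reasons:
            findings[rec["id"]] = sorted(reasons)
    return findings


def demo_findings():
    """Runs the analysis at a fixed 'now' so the result is reproducible."""
    return analyze_ct_records(SAMPLE_CT_JSON, datetime(2025, 6, 2))


if __name__ == "__main__":
    for cert_id, why in demo_findings().items():
        print(cert_id, why)
```

Certificate 2 is the organization's own and produces nothing; certificate 4 is an unrelated benign name. Only the `not_before` timestamp is available from CT, so the "recent" flag measures certificate age, not domain age; the 72-hour domain-age check in the text needs WHOIS or RDAP creation dates alongside this.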
Beyond the certificates themselves, the TLS negotiation process reveals unique fingerprints of the client and server software. The JA3 and newer JA4 fingerprinting methods create hashes of TLS parameters (cipher suites, extensions, elliptic curves) that can identify specific malware families and attack tools. When a new domain exhibits a JA3 fingerprint matching known adversary tooling (such as Cobalt Strike's default beacon, Metasploit, or custom Python-based C2 frameworks), it provides strong evidence of adversary infrastructure. Hunters should maintain a database of known malicious JA3/JA4 fingerprints and alert on any new domain exhibiting matching fingerprints, regardless of how legitimate the domain name or website may appear.
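The JA3 computation is short enough to show end to end. The Python below is an added example, not code from this page or from the JA3 project: it builds a constructed ClientHello (with GREASE values mixed in, as real browsers do), parses it back, and produces the JA3 string and MD5 in the standard form (version, ciphers, extensions, supported groups, point formats; each list joined with "-", GREASE values removed), then looks the hash up in a watchlist. The watchlist entry is a hypothetical placeholder to be replaced with hashes from your own intelligence, and the hostname in the SNI extension is made up. This also covers the JA3 correlation step of hypothesis H2 below.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them because
# clients randomise them, which would otherwise change the hash on every hello.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16(v):
    return struct.pack("!H", v)


def _u16_list(values):
    return b"".join(_u16(v) for v in values)


def build_client_hello(version, ciphers, extensions, groups, point_formats,
                       sni="updates-portal.example"):
    """Builds a minimal, well-formed TLS record carrying a ClientHello.
    Only used to construct demo input; a real hunt parses captured traffic."""
    ext_blob = b""
    for ext_type in extensions:
        if ext_type == 0:                      # server_name
            host = sni.encode()
            entry = b"\x00" + _u16(len(host)) + host
            body = _u16(len(entry)) + entry
        elif ext_type == 10:                   # supported_groups
            body = _u16(2 * len(groups)) + _u16_list(groups)
        elif ext_type == 11:                   # ec_point_formats
            body = bytes([len(point_formats)]) + bytes(point_formats)
        elif ext_type == 43:                   # supported_versions: TLS 1.3
            body = b"\x02" + _u16(0x0304)
        else:                                  # empty body is valid for the rest
            body = b""
        ext_blob += _u16(ext_type) + _u16(len(body)) + body
    body = (_u16(version) + bytes(32) + b"\x00"      # version, random, empty session id
            + _u16(2 * len(ciphers)) + _u16_list(ciphers)
            + b"\x01\x00"                             # one compression method: null
            + _u16(len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def ja3_from_client_hello(record):
    """Parses a TLS record holding a ClientHello; returns (ja3_string, ja3_md5)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                            # handshake type + 3-byte length
    version = struct.unpack_from("!H", hs, pos)[0]
    pos += 2 + 32                                      # version, client random
    pos += 1 + hs[pos]                                 # session id
    cs_len = struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", hs, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                                 # compression methods
    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(hs):
        ext_end = pos + 2 + struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", hs, pos)
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 10 and len(data) >= 2:         # supported_groups list
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 11 and data:                 # ec_point_formats list
                formats = list(data[1:1 + data[0]])

    def no_grease(values):
        return [v for v in values if v not in GREASE]

    ja3 = ",".join([
        str(version),
        "-".join(map(str, no_grease(ciphers))),
        "-".join(map(str, no_grease(ext_types))),
        "-".join(map(str, no_grease(groups))),
        "-".join(map(str, formats)),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# Constructed ClientHello: one GREASE cipher, one GREASE extension and one GREASE
# group are included so the output shows them being stripped.
SAMPLE_HELLO = build_client_hello(
    version=0x0303,
    ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    extensions=[0x2A2A, 0, 10, 11, 23, 43],
    groups=[0x2A2A, 29, 23, 24],
    point_formats=[0],
)


def match_watchlist(record, watchlist):
    """Returns the watchlist label for the hello's JA3 hash, or None."""
    _, digest = ja3_from_client_hello(record)
    return watchlist.get(digest)


if __name__ == "__main__":
    ja3, digest = ja3_from_client_hello(SAMPLE_HELLO)
    print(ja3, digest)
    # Hypothetical watchlist keyed by hash; populate it from your own intel.
    print(match_watchlist(SAMPLE_HELLO, {digest: "tooling-profile-A (placeholder)"}))
```

For the constructed hello the JA3 string is `771,4865-4866-49195-49199,0-10-11-23-43,29-23-24,0`. Keying the watchlist by hash rather than by the raw string keeps it compatible with the hashes that intelligence feeds and network sensors publish.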
Passive DNS replication databases record the historical IP addresses associated with every domain name observed in DNS queries. By querying these databases (through services like SecurityTrails, VirusTotal Graph, PassiveTotal, or DNSDB), hunters can identify domain names that have resolved to IP addresses previously associated with known malicious activity. Even if an adversary changes the IP address a domain resolves to, the historical DNS record reveals the connection. Key hunting patterns include: domains that have resolved to IPs on multiple different cloud providers in short succession (infrastructure rotation), domains sharing the same IP address as known malicious domains (IP co-hosting), and newly observed domains that immediately resolve to long-tail IPs with no prior DNS history (newly provisioned infrastructure).
Analyze bulk domain registration data for patterns indicative of automated acquisition campaigns. Red flags include: multiple domains registered within minutes of each other using the same registrar, domains using privacy protection services from the same provider, domains with auto-generated names (random character strings or algorithmic patterns suggesting DGAs), domains registered with similar registrant email patterns (temp emails, sequential usernames), and TLD concentration in registrars known for lax abuse response. The Forescout 2025 report identified that 91% of .cc domains used in phishing were malicious, and ccTLDs like .ru, .us, and .co showed similarly elevated abuse rates. By monitoring registration velocity (the rate at which new domains are acquired by a single registrant or within a narrow time window), defenders can identify infrastructure staging campaigns before the domains are actively weaponized.
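To make the registration-velocity idea concrete, here is an added Python example (not from this page) that scores a constructed batch of WHOIS/RDAP-style registration records against the red flags listed above: creation-time bursts per registrar, algorithmic-looking names (high entropy, few vowels), temp-mail registrant addresses, sequential registrant usernames, and concentration in the ccTLDs the text reports as abuse-heavy. Every record, registrar name, email domain and threshold is constructed for the demo and should be tuned against your own registration feed.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference data. The TLD set mirrors the ccTLDs the text above
# reports as abuse-heavy; the temp-mail domains are placeholders.
HIGH_ABUSE_TLDS = {"cc", "ru", "us", "co"}
TEMP_MAIL_DOMAINS = {"tempmail.example", "10minmail.example"}
BURST_WINDOW = timedelta(minutes=10)
BURST_MIN = 3

# Constructed registration records (WHOIS/RDAP-style). None of these is real.
SAMPLE_REGISTRATIONS = [
    {"domain": "xk3q9v2tlz.cc", "registrar": "Registrar-A",
     "created": "2025-06-01T09:00:12", "email": "user01@tempmail.example"},
    {"domain": "q7m2z8pwvc.cc", "registrar": "Registrar-A",
     "created": "2025-06-01T09:02:40", "email": "user02@tempmail.example"},
    {"domain": "hb4ry1sdkq.ru", "registrar": "Registrar-A",
     "created": "2025-06-01T09:04:05", "email": "user03@tempmail.example"},
    {"domain": "swupdate-portal.com", "registrar": "Registrar-B",
     "created": "2025-06-01T13:30:00", "email": "ops@example.org"},
    {"domain": "bakery-on-main.com", "registrar": "Registrar-C",
     "created": "2025-05-20T16:45:00", "email": "owner@bakery.example"},
]


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_algorithmic(label):
    """Crude DGA heuristic: long, high-entropy, almost no vowels. Wordlist-based
    DGAs need a dictionary check instead; tune thresholds on your own data."""
    letters = label.replace("-", "")
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return shannon_entropy(letters) >= 3.0 and vowel_ratio < 0.2


def registration_bursts(records):
    """Domains registered at one registrar in groups of BURST_MIN or more
    inside BURST_WINDOW (sliding window over creation times)."""
    by_registrar = defaultdict(list)
    for r in records:
        by_registrar[r["registrar"]].append((datetime.fromisoformat(r["created"]), r["domain"]))
    flagged = set()
    for items in by_registrar.values():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_MIN:
                flagged.update(d for _, d in items[start:end + 1])
    return flagged


def sequential_email_domains(records):
    """Domains whose registrant emails share a prefix and run through
    consecutive numbers (user01, user02, user03, ...)."""
    groups = defaultdict(list)
    for r in records:
        local, _, mail_domain = r["email"].partition("@")
        m = re.fullmatch(r"([a-z]+?)(\d+)", local)
        if m:
            groups[(m.group(1), mail_domain)].append((int(m.group(2)), r["domain"]))
    flagged = set()
    for members in groups.values():
        members.sort()
        nums = [n for n, _ in members]
        if len(nums) >= 3 and nums == list(range(nums[0], nums[0] + len(nums))):
            flagged.update(d for _, d in members)
    return flagged


def velocity_report(records):
    """Returns {domain: sorted list of flags}; an empty list means nothing fired."""
    bursts = registration_bursts(records)
    sequential = sequential_email_domains(records)
    report = {}
    for r in records:
        flags = []
        sld, _, tld = r["domain"].rpartition(".")
        if looks_algorithmic(sld):
            flags.append("algorithmic-name")
        if r["domain"] in bursts:
            flags.append("registration-burst")
        if r["email"].split("@")[-1] in TEMP_MAIL_DOMAINS:
            flags.append("temp-mail")
        if r["domain"] in sequential:
            flags.append("sequential-email")
        if tld in HIGH_ABUSE_TLDS:
            flags.append("high-abuse-tld")
        report[r["domain"]] = sorted(flags)
    return report


if __name__ == "__main__":
    for domain, flags in velocity_report(SAMPLE_REGISTRATIONS).items():
        print(domain, flags or "-")
```

The three Registrar-A names fire every flag; the two hand-chosen names fire none. No single signal here is conclusive (a legitimate brand-protection team also registers domains in bursts), which is why the report returns the full flag list per domain rather than a verdict, leaving the analyst to weigh the combination.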
Autonomous System Numbers (ASNs) provide another valuable lens for identifying adversary infrastructure. Threat actors frequently reuse the same cloud providers, hosting companies, and VPN services across multiple campaigns, creating detectable patterns at the ASN level. By maintaining a reputation database of ASN-to-threat-group associations and monitoring for new infrastructure provisioned on previously clean ASNs that suddenly begin exhibiting suspicious behavior (such as rapid DNS changes, unusual certificate requests, or outbound connections to known malicious destinations), hunters can identify infrastructure acquisition in near-real-time. The CrowdStrike WARP PANDA report demonstrated how a single threat group consistently provisioned infrastructure on the same set of ASNs, a pattern that, once identified, enabled proactive detection of new campaign staging activity months before the actual attacks were launched.
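The passive DNS hunts from the paragraph before last and the ASN-reputation hunt above can be expressed over one small record set. This Python is an added example, not code from this page or from any of the services it names; it works on constructed (domain, IP, first_seen, last_seen) tuples using RFC 5737 documentation addresses and RFC 5398 documentation ASNs, and implements four hunts: rotation across several ASNs in a short window, IP co-hosting with a known-bad domain, newly observed domains on IPs with no prior DNS history, and resolution into an ASN with a recorded threat-group association. The known-bad domain and the ASN reputation entry are placeholders. It also covers hypothesis H3 below.

```python
from collections import defaultdict
from datetime import date

# Constructed passive DNS records: (domain, ip, first_seen, last_seen).
# Addresses are from the RFC 5737 documentation ranges; nothing here is real.
PDNS = [
    ("updates-portal.example", "203.0.113.10", "2025-05-01", "2025-05-03"),
    ("updates-portal.example", "198.51.100.22", "2025-05-03", "2025-05-05"),
    ("updates-portal.example", "192.0.2.77", "2025-05-05", "2025-05-06"),
    ("known-bad.example", "198.51.100.22", "2025-04-10", "2025-05-02"),
    ("relay-svc.example", "198.51.100.22", "2025-05-04", "2025-05-06"),
    ("fresh-node.example", "192.0.2.200", "2025-05-06", "2025-05-06"),
    ("corp-site.example", "203.0.113.50", "2023-01-01", "2025-05-06"),
]
# Constructed IP-to-ASN map using ASNs reserved for documentation (RFC 5398).
IP_TO_ASN = {"203.0.113.10": 64500, "198.51.100.22": 64501, "192.0.2.77": 64502,
             "192.0.2.200": 64502, "203.0.113.50": 64500}
KNOWN_BAD_DOMAINS = {"known-bad.example"}
# Placeholder reputation entry: which ASNs a tracked group provisioned on before.
ASN_REPUTATION = {64501: "seen in prior campaigns of tracked group (placeholder)"}
AS_OF = date(2025, 5, 6)


def _d(s):
    return date.fromisoformat(s)


def hunt_rotation(records, ip_to_asn, max_days=7, min_asns=3):
    """Domains that cycled through min_asns distinct ASNs within max_days."""
    seen = defaultdict(list)
    for domain, ip, first, _ in records:
        seen[domain].append((_d(first), ip_to_asn[ip]))
    flagged = []
    for domain, hits in seen.items():
        hits.sort()
        for i in range(len(hits)):
            window = [asn for day, asn in hits[i:] if (day - hits[i][0]).days <= max_days]
            if len(set(window)) >= min_asns:
                flagged.append(domain)
                break
    return sorted(flagged)


def hunt_cohosting(records, known_bad):
    """Domains that share an IP with a known-bad domain, at any point in time."""
    by_ip = defaultdict(set)
    for domain, ip, _, _ in records:
        by_ip[ip].add(domain)
    result = {}
    for domains in by_ip.values():
        bad = domains & known_bad
        if not bad:
            continue
        for d in domains - known_bad:
            result.setdefault(d, set()).update(bad)
    return {d: sorted(v) for d, v in result.items()}


def hunt_newly_observed(records, as_of, max_age_days=2):
    """Domains first seen recently whose IP has no passive DNS history for any
    other name: the signature of freshly provisioned infrastructure."""
    first_seen = {}
    by_ip = defaultdict(set)
    for domain, ip, first, _ in records:
        first_seen[domain] = min(first_seen.get(domain, _d(first)), _d(first))
        by_ip[ip].add(domain)
    flagged = []
    for domain, ip, first, _ in records:
        young = (as_of - first_seen[domain]).days <= max_age_days
        if young and by_ip[ip] == {domain} and domain not in flagged:
            flagged.append(domain)
    return sorted(flagged)


def hunt_asn_reputation(records, ip_to_asn, reputation):
    """Domains resolving into an ASN with a recorded threat-group association."""
    hits = {}
    for domain, ip, _, _ in records:
        note = reputation.get(ip_to_asn[ip])
        if note:
            hits[domain] = note
    return hits


def run_hunts():
    return {
        "rotation": hunt_rotation(PDNS, IP_TO_ASN),
        "cohosting": hunt_cohosting(PDNS, KNOWN_BAD_DOMAINS),
        "newly_observed": hunt_newly_observed(PDNS, AS_OF),
        "asn_reputation": hunt_asn_reputation(PDNS, IP_TO_ASN, ASN_REPUTATION),
    }


if __name__ == "__main__":
    for name, hits in run_hunts().items():
        print(name, hits)
```

`corp-site.example`, the long-lived name on a clean ASN, appears in no hunt, while `updates-portal.example` appears in three, which is the kind of convergence across independent data sources that the text argues turns individually legitimate-looking infrastructure into an identifiable platform. Co-hosting on shared cloud or CDN addresses is noisy in practice; restrict that hunt to IPs with few tenants before alerting on it.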
H1: "An adversary is staging infrastructure for an imminent campaign against our sector. I will query CT logs for newly issued certificates containing our brand name or closely related typosquat variants, cross-referencing any matches against VirusTotal and passive DNS records to determine whether the domains are actively resolving."
H2: "Adversary infrastructure is being hosted on cloud providers. I will monitor our proxy logs for TLS connections to newly-registered domains resolving to cloud provider ASN ranges with no prior business relationship, correlating JA3 fingerprints against known adversary tooling."
H3: "A known threat actor is using infrastructure rotation to avoid detection. I will track passive DNS changes for all domains associated with their previous campaigns and alert on any new domains resolving to the same IP ranges, even if the domains themselves are newly registered."
Effective infrastructure hunting requires access to the right data sources and analytical tools. The following resources are recommended for building a comprehensive infrastructure monitoring program: crt.sh for Certificate Transparency log queries, SecurityTrails for historical DNS and WHOIS data, VirusTotal Graph for infrastructure relationship mapping, Censys for internet-wide scanning data, Shodan for device and service fingerprinting, and PassiveTotal (by Recorded Future) for passive DNS and SSL certificate monitoring. Many of these platforms offer API access that can be integrated into automated hunting pipelines, enabling continuous monitoring without manual intervention. Organizations should evaluate these tools based on their specific threat model, budget, and existing security stack integration capabilities.
T1583 encompasses eight distinct sub-techniques, each representing a different method adversaries use to acquire the infrastructure needed for their operations. Each sub-technique is covered in depth on its own page, including detailed simulations, real-world scenarios, protection guides, and threat hunting playbooks, with detection strategies and defensive countermeasures specific to that infrastructure type, enabling security teams to build comprehensive monitoring programs that cover the full spectrum of adversary infrastructure acquisition methods.
Infrastructure acquisition is one of the most critical and rapidly evolving areas of adversary operations. As cloud services become more accessible, AI-generated phishing pages become more convincing, and privacy technologies become more sophisticated, the challenge of detecting and disrupting adversary infrastructure will only intensify. Whether you are a threat hunter investigating suspicious domain registrations, a blue team analyst monitoring for C2 infrastructure in your network logs, a red team operator testing your organization's detection capabilities, or a security researcher tracking emerging infrastructure abuse patterns, your insights are valuable. The T1583 technique family encompasses an extraordinary range of acquisition methods, from traditional domain registration to cutting-edge serverless and CDN-based C2, and no single defender has visibility into all of them.
Discussion Topics: What infrastructure acquisition patterns have you observed in your environment? How effective are CT log monitoring and passive DNS analysis in your organization? Have you encountered adversaries abusing legitimate web services for C2? What detection rules and hunting queries have proven most effective against infrastructure-based threats? Have you observed threat actors leveraging AI-generated content for faster infrastructure provisioning? What role do you see AI playing in both adversary infrastructure acquisition and defensive detection over the next 12–24 months?
The following resources provide authoritative, up-to-date information on adversary infrastructure acquisition patterns, detection methodologies, and defensive countermeasures. Security professionals are encouraged to integrate these sources into their threat intelligence workflows and monitoring programs.