Hiding in Plain Sight: Tracking Bulletproof Hosting and Abused RDP Infrastructure

Bulletproof hosting enables long-term malicious activity by providing infrastructure that consistently dodges abuse complaints, takedowns, and remediation, making it a key component of the cybercrime supply chain. Bulletproof hosting (often abbreviated as BPH) refers to hosting providers that knowingly enable malicious activity and consistently evade abuse complaints and takedown requests. BPH environments provide reliable safe havens where tools like phishing kits, malware loaders, command-and-control servers, brute-force infrastructure, and large-scale scanning operations can be staged and maintained over time. The defining feature of bulletproof hosting is not the specific services running, but the predictable resilience of malicious activity on the network and a documented history of ignoring remediation efforts.

Tracking bulletproof hosting has become increasingly difficult as operators move away from monolithic networks and instead distribute infrastructure across reseller ecosystems and mainstream providers, reducing the effectiveness of IP- or ASN-based blocking. Modern BPH infrastructure is no longer confined to a small number of “monolithic” autonomous systems that defenders can block wholesale. Instead, many operators now rely on reseller ecosystems, where large ISPs or VPS providers lease blocks of infrastructure to intermediaries who, in turn, rent them out with fewer restrictions. By spreading their deployments across mainstream providers and frequently rotating IPs, routes, and ASNs, bulletproof operators blend more easily into otherwise legitimate infrastructure. This turns IP-based blocklisting into a game of whack-a-mole.

There is no single ground-truth dataset of bulletproof hosting providers, and attribution is inherently uncertain. Instead, the security community infers BPH through the convergence of technical, behavioral, and longitudinal signals: reusable deployment artifacts, patterns of abuse tolerance, repeated evasion of takedowns, and malicious infrastructure that persists far longer than it should. Abuse-tolerant and bulletproof-hosting-adjacent infrastructure can be identified at internet scale by analyzing observable deployment and operational patterns rather than relying on provider attribution. While IPs are cheap for large operators to replace, rebuilding tooling, VM images, and provisioning workflows is more expensive and cumbersome, which is why those artifacts change less often. This is where Remote Desktop Protocol (RDP) infrastructure becomes particularly useful for studying abuse-tolerant and bulletproof-adjacent operations.

RDP is Microsoft’s remote administration protocol for Windows systems, providing interactive control over a host’s desktop environment. Because it grants deep, persistent access to remote infrastructure, RDP is frequently abused for malicious operations. Unlike many other commonly abused services, RDP consistently exposes useful system identifiers: most notably the Windows VM’s hostname. Attackers deploying templated RDP “cutouts” commonly reuse cloned Windows VM images, which then appear as clusters of identical default hostnames across hosts (for example, WIN-XXXXXXXXXXX) and near-identical TLS stacks replicated across dozens of prefixes. These repeating artifacts expose provisioning lineage regardless of where the infrastructure is hosted. Correlating RDP template reuse with internet-wide scan data and honeypot telemetry surfaces active malicious activity and potential downstream reseller infrastructure.
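As an added illustration (not code from the original article or its author), the following script applies the clustering idea described above to RDP scan output: it groups hosts by default Windows hostname and TLS fingerprint, keeps the groups that span several /24 prefixes, and joins them against honeypot telemetry. The record fields, fingerprint values, ASNs and honeypot set are constructed placeholders, not real observations.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of TCP/3389 scan records (placeholder values, not real hosts).
# "hostname" is what the RDP TLS certificate subject typically exposes; "tls_fp" is a
# stand-in for a TLS-stack fingerprint such as a JARM- or JA3S-style value.
SCAN_RECORDS = [
    {"ip": "203.0.113.10",  "asn": 64500, "hostname": "WIN-ABC123DEF45",   "tls_fp": "fp-a1"},
    {"ip": "203.0.113.77",  "asn": 64500, "hostname": "WIN-ABC123DEF45",   "tls_fp": "fp-a1"},
    {"ip": "198.51.100.5",  "asn": 64501, "hostname": "WIN-ABC123DEF45",   "tls_fp": "fp-a1"},
    {"ip": "192.0.2.200",   "asn": 64502, "hostname": "WIN-ABC123DEF45",   "tls_fp": "fp-a1"},
    {"ip": "192.0.2.9",     "asn": 64502, "hostname": "WIN-ZZZ999ZZZ99",   "tls_fp": "fp-b2"},
    {"ip": "198.51.100.40", "asn": 64501, "hostname": "DC01.corp.example", "tls_fp": "fp-c3"},
]

# Constructed honeypot telemetry: source IPs seen brute-forcing RDP/SSH honeypots.
HONEYPOT_SOURCES = {"203.0.113.77", "192.0.2.200", "198.51.100.40"}

# Default hostname Windows assigns when an image is cloned without renaming it.
DEFAULT_HOSTNAME = re.compile(r"^WIN-[A-Z0-9]{11}$")


def cluster_templates(records, honeypot_sources=HONEYPOT_SOURCES, min_prefixes=2):
    """Group RDP hosts by (default hostname, TLS fingerprint) and keep the groups that
    look like a cloned VM template replicated across at least `min_prefixes` /24s.
    Returns {(hostname, tls_fp): {"ips", "prefixes", "asns", "honeypot_hits"}}."""
    groups = defaultdict(list)
    for r in records:
        if DEFAULT_HOSTNAME.match(r["hostname"]):
            groups[(r["hostname"], r["tls_fp"])].append(r)
    clusters = {}
    for key, members in groups.items():
        prefixes = sorted({str(ipaddress.ip_network(m["ip"] + "/24", strict=False)) for m in members})
        if len(prefixes) < min_prefixes:
            continue  # a single prefix is more likely one operator's box than a rolled-out template
        ips = sorted(m["ip"] for m in members)
        clusters[key] = {
            "ips": ips,
            "prefixes": prefixes,
            "asns": sorted({m["asn"] for m in members}),
            "honeypot_hits": sorted(ip for ip in ips if ip in honeypot_sources),
        }
    return clusters


if __name__ == "__main__":
    for (host, fp), c in cluster_templates(SCAN_RECORDS).items():
        print(f"{host} / {fp}: {len(c['ips'])} hosts, {len(c['prefixes'])} prefixes, "
              f"ASNs {c['asns']}, honeypot hits {c['honeypot_hits']}")
```

Clusters that span several prefixes or ASNs and also overlap honeypot sources are the candidates for reseller-level hunting, rather than individual IPs that will be rotated away.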


This post is licensed under CC BY 4.0 by the author.