Executive Summary
In November 2025, the Cybersecurity and Infrastructure Security Agency (CISA), together with the NSA, FBI, Department of Defense Cyber Crime Center, and international partners, released comprehensive guidance to combat risks posed by Bulletproof Hosting Providers (BPHs). BPHs are infrastructure providers that knowingly lease servers and networking resources to cybercriminals, enabling ransomware, phishing, malware distribution, and denial-of-service attacks at scale. The guidance urges Internet Service Providers and network operators to apply blocklists, traffic analysis, intelligence sharing, and stronger vetting to prevent malicious actors from exploiting BPH resources, aiming to bolster the digital resilience of critical infrastructure sectors globally.
The ongoing proliferation of cyberattacks leveraging BPH infrastructure underscores the urgency of these recommendations. With threat actors increasingly turning to anonymized, resilient hosting to evade law enforcement and detection, proactive mitigation by ISPs is crucial to limiting damage and strengthening industry-wide cybersecurity defense.
Why This Matters Now
Bulletproof Hosting Providers remain a key enabler for organized cybercrime, supplying resilient infrastructure for ransomware, malware, and phishing operations. As defenders modernize their controls, attackers shift to more sophisticated BPH services, making urgent coordinated action critical to disrupt criminal operations and protect critical systems.
Attack Path Analysis
Attackers leveraged bulletproof hosting infrastructure to launch phishing or malware delivery campaigns, resulting in an initial foothold via malicious external resources. After initial access, attackers escalated privileges by exploiting misconfigurations or weak controls in cloud identities or network segmentation. The threat actors traversed east-west within hybrid or multi-cloud environments to locate high-value systems, leveraging poor traffic visibility. They established command and control using encrypted or covert outbound channels to their resilient, attacker-controlled servers. Sensitive data was then exfiltrated through unmonitored egress routes, evading detection. Finally, the impact phase involved deployment of ransomware or disruptive malware, resulting in business disruption or data loss.
Kill Chain Progression
Initial Compromise
Description
Attackers used bulletproof-hosted infrastructure to deliver phishing emails or malware, resulting in initial access to cloud workloads or endpoints.
MITRE ATT&CK® Techniques
Acquire Infrastructure: Virtual Private Server
Acquire Infrastructure: Domains
Compromise Infrastructure: Web Servers
Application Layer Protocol: Web Protocols
Dynamic Resolution: Domain Generation Algorithms
Deliver Malicious App via Third-Party Infrastructure
Active Scanning: Vulnerability Scanning
Phishing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and log access to network resources and cardholder data
Control ID: 10.5.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA – ICT Risk Management Framework
Control ID: Article 8
CISA Zero Trust Maturity Model (ZTMM 2.0) – Ensure visibility across network and external services
Control ID: Network Pillar - Visibility and Analytics
NIS2 Directive – Incident Detection and Handling
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of BPH-enabled threats, including operational, regulatory, and cloud security risks.
Internet
Internet Service Providers directly targeted by CISA guidance, requiring immediate implementation of bulletproof hosting mitigation controls and traffic filtering systems.
Information Technology/IT
IT infrastructure providers face compliance requirements for east-west traffic security, zero trust segmentation, and threat detection capabilities against BPH abuse.
Financial Services
Banking sector vulnerable to BPH-enabled ransomware and phishing attacks, requiring enhanced egress security and encrypted traffic monitoring per compliance frameworks.
Government Administration
Critical government systems targeted by BPH infrastructure abuse for ransomware and DoS attacks, necessitating multicloud visibility and anomaly detection implementation.
Sources
- CISA Releases Guide to Mitigate Risks from Bulletproof Hosting Providers: https://www.cisa.gov/news-events/alerts/2025/11/19/cisa-releases-guide-mitigate-risks-bulletproof-hosting-providers
- Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers: https://media.defense.gov/2025/Nov/19/2003826020/-1/-1/0/CSI_BULLETPROOF_DEFENSE_MITIGATING_RISKS_FROM_BULLETPROOF_HOSTING_PROVIDERS.PDF
- NSA Joins CISA and Others to Release Guidance on Mitigating Malicious Activity from Bulletproof Hosting Provider Infrastructure: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4336940/nsa-joins-cisa-and-others-to-release-guidance-on-mitigating-malicious-activity/
- Bulletproof hosting service shut down in massive police sting: https://www.techradar.com/pro/security/bulletproof-hosting-service-shut-down-in-massive-police-sting
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust network segmentation, workload isolation, egress policy enforcement, inline threat detection, and encrypted traffic controls would have limited attacker movement, prevented command-and-control, and reduced the likelihood and blast radius of both exfiltration and ransomware impact.
Control: Cloud Firewall (ACF)
Mitigation: Malicious inbound traffic is detected and blocked at the perimeter.
Control: Zero Trust Segmentation
Mitigation: Lateral privilege escalation paths are minimized through strict segmentation.
Control: East-West Traffic Security
Mitigation: East-west traffic monitoring and controls detect and prevent unauthorized lateral movement.
Control: Egress Security & Policy Enforcement
Mitigation: Known malicious C2 destinations are blocked; risky egress channels are restricted.
Control: Inline IPS (Suricata)
Mitigation: Anomalous exfiltration is detected and can be stopped in real-time.
Malicious or anomalous behaviors trigger near-real-time alerts and automated response.
Impact at a Glance
Affected Business Functions
- Internet Service Provision
- Network Security Operations
- Critical Infrastructure Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive customer data due to cybercriminal activities facilitated by bulletproof hosting providers.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation to restrict both north-south and east-west traffic, containing attacker movement post-compromise.
- Deploy centralized, multi-cloud-aware firewall and intrusion prevention controls to block traffic from known malicious and bulletproof hosting sources.
- Apply granular egress filtering and policy enforcement to prevent unauthorized outbound connections and data exfiltration.
- Enhance threat detection and automated response capabilities to rapidly identify and contain emerging threats, including ransomware and exfiltration events.
- Maintain real-time visibility, baselining, and logging across hybrid/cloud environments to quickly detect anomalies and support investigations.
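As an added example (not part of the original advisory or the CNSF product), the egress blocklist check below matches constructed flow-log lines against constructed placeholder CIDR ranges standing in for a bulletproof-hosting blocklist, flagging every flow to a listed destination and tagging unusually large ones as exfiltration suspects. The CIDRs, flow records and volume threshold are all constructed assumptions.

```python
"""Egress blocklist check: flag flows whose destination falls inside a
bulletproof-hosting (BPH) blocklist. Added example; the CIDR ranges and
flow records below are constructed placeholders, not real indicators."""
import ipaddress
from collections import Counter
from typing import Iterable

# Constructed blocklist using RFC 5737 TEST-NET ranges as placeholders.
# In practice this list is fed from a shared intelligence/blocklist source.
BPH_BLOCKLIST = [ipaddress.ip_network(c) for c in (
    "198.51.100.0/24",   # placeholder: "bph-provider-a"
    "203.0.113.0/25",    # placeholder: "bph-provider-b" (hosts .0-.127 only)
)]

# Constructed egress flow records, VPC-flow-log style:
# "<src_ip> <dst_ip> <dst_port> <protocol> <bytes>"
SAMPLE_FLOWS = """\
10.0.1.15 93.184.216.34 443 tcp 5120
10.0.1.15 198.51.100.77 443 tcp 734003200
10.0.2.8 203.0.113.9 8443 tcp 4096
10.0.2.8 203.0.113.200 443 tcp 2048
10.0.3.4 198.51.100.5 53 udp 120
"""

def parse_flow(line: str) -> dict:
    src, dst, port, proto, nbytes = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "port": int(port), "proto": proto, "bytes": int(nbytes)}

def in_blocklist(addr, blocklist=BPH_BLOCKLIST) -> bool:
    """True if addr (str or ip_address) lies in any blocklisted network."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in blocklist)

def check_egress(lines: Iterable[str], volume_threshold: int = 100 * 2**20) -> list:
    """Return one finding per flow egressing to a blocklisted range.
    Flows at or above volume_threshold bytes are tagged 'exfil_suspect',
    the rest 'blocked_c2' (a blocklisted destination is denied regardless)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if in_blocklist(flow["dst"]):
            flow["severity"] = ("exfil_suspect" if flow["bytes"] >= volume_threshold
                                else "blocked_c2")
            findings.append(flow)
    return findings

def summarize(findings) -> Counter:
    """Count findings per internal source, to prioritise host triage."""
    return Counter(str(f["src"]) for f in findings)

if __name__ == "__main__":
    for f in check_egress(SAMPLE_FLOWS.splitlines()):
        print(f"{f['severity']:14} {f['src']} -> {f['dst']}:{f['port']} ({f['bytes']} bytes)")
```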