Threat Activity Enablers: The Backbone of Today’s Threat Landscape
Behind every ransomware demand, botnet, or threat activity group is a server sitting in a data center. While most legitimate hosting providers evict threat actors once identified, a specific class of providers does the opposite. Recorded Future® calls these providers threat activity enablers (TAEs).
What Is a Threat Activity Enabler?
A threat activity enabler (TAE) is an individual, organization, or service provider that supports malicious cyber activity by providing infrastructure or services leveraged by threat actors. Most commonly, this includes providers that lack a formal physical or virtual storefront, conduct business only via email or messaging platforms, and do not enforce know-your-customer (KYC) policies. It also includes hosting providers that selectively respond to abuse reports or law enforcement inquiries to maintain plausible deniability, as well as more traditional self-proclaimed "bulletproof" providers that openly ignore oversight or advertise non-cooperation.
TAE networks serve as the backbone for ransomware groups, infostealer campaigns, botnets, and even state-sponsored threat actor operations. What distinguishes TAE networks is the sustained concentration of malicious infrastructure within their networks.
How TAEs Operate
TAEs are masters of obfuscation and are highly resilient, hiding behind layers of decoy companies to evade accountability. They use several core tactics:
- Corporate Shell Games: They establish front companies across multiple jurisdictions to create legal distance between the infrastructure and the operators.
- Strategic Resource Control: They often operate as local internet registries (LIRs). This gives them direct control over IP resources and autonomous systems (ASNs), allowing them to manipulate network resources at will.
- Rapid Rebranding: When a network becomes too "hot" due to scrutiny, TAEs rapidly transfer IP address prefixes to a newly registered, clean-looking entity.
Identifying High-Risk TAE Networks
Recorded Future actively identifies high-risk TAE networks through its Network Threat Density List. These networks are ranked by their Threat Density Score, calculated from the concentration of validated malicious activity relative to the total number of IP address prefixes a network announces.
This approach cuts through the noise to quickly expose infrastructure that is disproportionately associated with threat activity, a core characteristic of TAEs, allowing network defenders to prioritize the infrastructure most likely to pose material risk.
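The ranking described above can be illustrated with a small computation. The following is an added example, not Recorded Future's scoring code: the page only says the score reflects the concentration of validated malicious activity relative to the number of prefixes a network announces, so the ratio used here (announced prefixes with at least one validated sighting divided by all announced prefixes) is an assumption, and the ASNs, prefixes and sightings are constructed.

```python
"""Rank networks by a simple threat density ratio (added example; formula is an assumption)."""
import ipaddress
from collections import defaultdict

# Constructed snapshot: which ASN announces which prefixes (documentation/shared ranges).
ANNOUNCEMENTS = {
    "AS64500": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/25", "198.51.100.128/25"],
    "AS64501": ["203.0.113.0/25", "203.0.113.128/25"],
    "AS64502": ["100.64.0.0/24", "100.64.1.0/24", "100.64.2.0/24", "100.64.3.0/24",
                "100.64.4.0/24", "100.64.5.0/24", "100.64.6.0/24", "100.64.7.0/24"],
}

# Constructed validated sightings: (ip, detection category).
SIGHTINGS = [
    ("192.0.2.10", "c2"),
    ("192.0.2.77", "c2"),
    ("192.0.2.200", "phishing"),
    ("198.51.100.5", "malware-distribution"),
    ("203.0.113.9", "scanner"),
    ("100.64.3.14", "c2"),
    ("100.64.3.20", "c2"),
    ("100.64.3.99", "c2"),
]


def build_index(announcements):
    """Flatten the announcement table into (network, asn) pairs for lookups."""
    return [(ipaddress.ip_network(p), asn) for asn, prefixes in announcements.items() for p in prefixes]


def locate(ip, index):
    """Return the most specific announced (network, asn) covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in index:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best


def threat_density(announcements, sightings):
    """Per ASN: (density, tainted_prefix_count, announced_prefix_count, raw_sightings).

    Density counts *prefixes* with validated activity rather than raw sightings, so
    many hits in one prefix do not inflate a large network's score.
    """
    index = build_index(announcements)
    tainted = defaultdict(set)
    raw = defaultdict(int)
    for ip, _category in sightings:
        hit = locate(ip, index)
        if hit is None:
            continue  # unrouted or outside the tracked networks
        net, asn = hit
        tainted[asn].add(str(net))
        raw[asn] += 1
    scores = {}
    for asn, prefixes in announcements.items():
        n_tainted = len(tainted[asn])
        scores[asn] = (n_tainted / len(prefixes), n_tainted, len(prefixes), raw[asn])
    return scores


def rank(announcements, sightings):
    """ASNs ordered from highest to lowest density."""
    scores = threat_density(announcements, sightings)
    return sorted(scores.items(), key=lambda kv: kv[1][0], reverse=True)


if __name__ == "__main__":
    for asn, (density, n_tainted, n_total, raw) in rank(ANNOUNCEMENTS, SIGHTINGS):
        print(f"{asn}: density={density:.3f} ({n_tainted}/{n_total} prefixes, {raw} sightings)")
```

Note how AS64502 has the most raw sightings but the lowest density: the three hits all sit in one of its eight prefixes, whereas AS64500 has activity in three of its four. That normalization is what separates a large provider with an occasional abusive tenant from a network whose address space is disproportionately malicious.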
From Insight to Action
Tracking TAE networks allows security teams to move from reacting to individual threats to proactively managing infrastructure risk. In practice, this means applying TAE intelligence across three core areas: prevention, detection, and exposure.
Operationalize TAE Intelligence
Figure 3: Three steps for operationalizing TAE intelligence.
TAEs are persistent and continuously evolving, adapting quickly in response to sanctions, enforcement actions, and exposure. While their identities may change, their underlying infrastructure patterns often remain consistent.
The "metaspinner" Case Study
In April 2025, a TAE tracked by Recorded Future, Virtualine Technologies, shifted its IPv4 resources to a newly registered network that fraudulently impersonated a legitimate German software firm, metaspinner net GmbH. Because this provider’s historical infrastructure patterns were already being tracked, the newly created network was immediately identified as a front. Within weeks, this network became a primary distribution hub for malware families such as Latrodectus and AsyncRAT. When the operation was eventually exposed, Virtualine Technologies simply pivoted the infrastructure to a new identity within one of its existing autonomous systems to maintain its operations.
This case underscores the reality of TAE networks: while identities, ownership records, and corporate fronts may change, the underlying infrastructure and its associated risk persist. Continuous tracking is therefore essential to identifying and prioritizing the networks that will drive future threat activity, as demonstrated by Virtualine subsequently emerging as the highest-risk TAE network in 2025.
The Stark Industries Case Study
In May 2025, the European Union sanctioned UK-registered hosting provider Stark Industries Solutions and its executives for enabling Russian state-sponsored cyber operations. However, enforcement did not halt Stark Industries’ operations. In the weeks leading up to the sanctions announcement, Stark Industries began transferring IP resources, modifying RIPE registrations, and shifting infrastructure to affiliated entities.
Despite the sanctions, the underlying infrastructure, routing relationships, and operational patterns remained traceable across these new fronts. Continuous monitoring of TAE ecosystems enables defenders to detect these pivots in near real time, revealing continuity beneath corporate rebrands and legal restructurings. This case underscores a broader reality: sanctions may change names and ownership records, but without infrastructure-level visibility, the enabling networks behind malicious activity often persist.
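Both case studies rest on the same defensive idea: compare successive snapshots of prefix registration and origin data, and let risk follow the prefix rather than the registered name. The code below is an added example, not Recorded Future's tracking system; the organization handles, ASNs and prefixes are constructed, and the two snapshot dictionaries stand in for whatever registry or BGP data a team actually collects. It also handles a prefix that is re-registered in smaller pieces, which goes slightly beyond the cases described above.

```python
"""Detect prefix transfers and rebrands away from tracked TAE organizations (added example)."""
import ipaddress

# Constructed: organizations already tracked as TAEs at time t0.
TRACKED_TAE_ORGS = {"ORG-EXAMPLE-TAE"}

# Constructed registry/BGP snapshots: prefix -> registered org and origin ASN.
SNAPSHOT_T0 = {
    "192.0.2.0/24":    {"org": "ORG-EXAMPLE-TAE", "origin_as": "AS64500"},
    "198.51.100.0/24": {"org": "ORG-EXAMPLE-TAE", "origin_as": "AS64500"},
    "203.0.113.0/24":  {"org": "ORG-CLEAN-ISP",   "origin_as": "AS64510"},
}
SNAPSHOT_T1 = {
    "192.0.2.0/24":      {"org": "ORG-NEWFRONT",   "origin_as": "AS64520"},  # moved to a new ASN
    "198.51.100.0/25":   {"org": "ORG-NEWFRONT",   "origin_as": "AS64500"},  # renamed, same origin AS
    "198.51.100.128/25": {"org": "ORG-OTHERFRONT", "origin_as": "AS64530"},  # split off and moved
    "203.0.113.0/24":    {"org": "ORG-CLEAN-ISP",  "origin_as": "AS64510"},
}


def covering_record(prefix, snapshot):
    """Find the snapshot entry whose prefix equals or contains `prefix`."""
    net = ipaddress.ip_network(prefix)
    for old_prefix, rec in snapshot.items():
        if net.subnet_of(ipaddress.ip_network(old_prefix)):
            return old_prefix, rec
    return None, None


def detect_pivots(before, after, tracked_orgs):
    """Return findings for prefixes that left a tracked org between two snapshots.

    A change of org with the same origin ASN is labelled a rebrand; a change of both
    org and origin ASN is labelled a resource transfer. Either way the new org inherits
    the tracked status, because the address space itself is what carried the risk.
    """
    findings = []
    for prefix, new in after.items():
        old_prefix, old = covering_record(prefix, before)
        if old is None or old["org"] not in tracked_orgs or new["org"] == old["org"]:
            continue
        kind = "rebrand_same_origin_as" if new["origin_as"] == old["origin_as"] else "resource_transfer"
        findings.append({
            "prefix": prefix,
            "previous_prefix": old_prefix,
            "previous_org": old["org"],
            "new_org": new["org"],
            "new_origin_as": new["origin_as"],
            "kind": kind,
        })
    return findings


def inherited_tracking(before, after, tracked_orgs):
    """Tracked org set after propagating risk to the fronts that received the prefixes."""
    return set(tracked_orgs) | {f["new_org"] for f in detect_pivots(before, after, tracked_orgs)}


if __name__ == "__main__":
    for f in detect_pivots(SNAPSHOT_T0, SNAPSHOT_T1, TRACKED_TAE_ORGS):
        print(f"{f['prefix']}: {f['previous_org']} -> {f['new_org']} ({f['kind']})")
    print("now tracking:", sorted(inherited_tracking(SNAPSHOT_T0, SNAPSHOT_T1, TRACKED_TAE_ORGS)))
```

The `kind` label is what a triage analyst looks at first: a rename with an unchanged origin ASN is the cheapest pivot for an operator and the easiest to catch, while a transfer to a fresh ASN needs the previous-prefix link to be recorded so the new entity is not treated as clean.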
What This Means for Security Leaders
TAEs represent an ongoing challenge. While individual campaigns and threat actors may come and go, the infrastructure that supports them remains adaptive and deliberately resilient.
For security leaders, this requires a further shift: from reacting solely to individual indicators to understanding and prioritizing the infrastructure that enables threat activity at scale. By identifying and tracking high-risk networks, organizations can reduce investigative noise, focus resources on the most impactful threats, and take proactive steps to limit exposure before attacks materialize.
Ultimately, addressing TAEs is not just about detection; it’s also about disrupting the conditions that enable modern cyber threats to operate.
Questions You Should Be Asking
- How much of your network communicates with high-risk infrastructure?
- Are you prioritizing alerts involving high-risk networks?
- Is TAE or ASN risk intelligence integrated into your detection and triage workflows to ensure the highest-risk activity is addressed first?
- Do any of your third-party providers rely on TAE-linked infrastructure?
- Do you have hidden exposure to TAE networks?
- Are your controls dynamically adjusting to infrastructure risk?
- Can you proactively restrict or challenge traffic to and from high-risk networks?
For a deeper analysis of threat activity enablers and the broader malicious infrastructure landscape, including detailed case studies and data-driven insights, see Recorded Future’s report