Technique ID: T1583
Category: MITRE ATT&CK
Tactics: Resource Development
Published: March 2026

T1583: Acquire Infrastructure

Before a single phishing email is sent or a vulnerability is exploited, adversaries must build the infrastructure that will support their operation. Domains must be registered, servers provisioned, hosting secured, botnets assembled, and advertising accounts created. This pre-operational phase — acquiring the infrastructure that enables C2, phishing, malware delivery, data exfiltration, and anonymization — happens entirely outside the victim's network and before any detectable intrusion begins. It is the foundation on which every attack is built.

In 2024–2025, the infrastructure acquisition landscape has been shaped by three developments. First, bulletproof hosting (BPH) has become an industrialized service, with providers like Media Land (sanctioned by the U.S. Treasury in November 2025 for enabling LockBit, BlackSuit, Evil Corp, and Play ransomware), Stark Industries Solutions (sanctioned by the European Council in May 2025 for supporting Russian state-sponsored operations), and BEARHOST (the BPH conglomerate linked to Qilin ransomware) providing resilient infrastructure that resists takedowns and abuse complaints. Second, serverless and cloud infrastructure — AWS Lambda, Cloudflare Workers, Google Apps Script — has given adversaries disposable, anonymous compute resources that scale on demand. Third, North Korean groups (APT43/Kimsuky, Contagious Interview) have pioneered the use of stolen cryptocurrency to fund infrastructure acquisition, creating a self-sustaining cycle of cybercrime.

T1583 has eight sub-techniques covering domains, DNS servers, virtual private servers, servers, botnets, web services, serverless functions, and malvertising.

Bulletproof hosting sanctions reshape the threat landscape

On November 19, 2025, CISA, NSA, FBI, and DC3 jointly published guidance on mitigating risks from bulletproof hosting providers, accompanied by U.S. Treasury sanctions against Media Land LLC and its operators for enabling LockBit, BlackSuit, Evil Corp, and Play ransomware — cyber activity costing the UK alone an estimated $14.7 billion per year. The European Council sanctioned Stark Industries Solutions Ltd in May 2025 for enabling Russian state-sponsored and affiliated cyber operations. Resecurity documented the BEARHOST/Ghost BPH conglomerate providing infrastructure to Qilin ransomware. Despite these enforcement actions, the BPH ecosystem is resilient: BEARHOST transitioned to an invitation-only model, Media Land's fast-flux proxy network continues through rebranded entities, and new providers emerge continuously. T1583 is the only MITRE ATT&CK technique that addresses a Resource Development tactic — it covers activity that occurs entirely before any intrusion, making it inherently difficult for victim organizations to detect or prevent.

T1583 falls under the Resource Development tactic (TA0042). The technique covers any acquisition of infrastructure by adversaries to support targeting. This includes purchasing domains, renting servers and VPS instances, buying access to botnets, creating accounts on legitimate web services, provisioning serverless compute resources, and purchasing advertising placements. The infrastructure may be used for phishing, C2 communication, malware delivery, data exfiltration staging, anonymization, or credential harvesting. The key distinction from T1584 (Compromise Infrastructure) is that T1583 covers infrastructure the adversary obtains through legitimate (or pseudo-legitimate) channels — purchasing, leasing, or creating accounts — rather than stealing through compromise.

Sub-Techniques

T1583.001: Domains

Adversaries register domain names for phishing, C2, and malware delivery. Techniques include typosquatting (registering domains similar to legitimate targets, e.g., micr0soft.com), homoglyph attacks (using visually similar characters from different character sets, e.g., Cyrillic "а" for Latin "a"), IDN homograph attacks (internationalized domain names that render identically to legitimate domains in browser address bars), and registering domains in TLDs with minimal verification requirements. APT28 (Fancy Bear) is documented registering phishing domains mimicking government services. APT29 (Cozy Bear) registered domains impersonating legitimate organizations for spear-phishing campaigns. Transparent Tribe uses lookalike domains targeting Indian and Pakistani government entities. Lazarus Group has been tracked through cryptocurrency-themed phishing domains used in Operation In(ter)ception targeting aerospace and military companies. SocGholish malware uses a diversified staging infrastructure of acquired domains that rotate frequently to counter defender blocking.

T1583.002: DNS Server

Adversaries set up their own DNS servers for C2 resolution, DNS tunneling, and DNS hijacking. A controlled DNS server allows the adversary to dynamically resolve C2 domains to different IP addresses (fast flux), implement DNS-based C2 channels (as used by Cobalt Strike DNS beacons, dnscat2, and Sliver), and perform DNS hijacking to redirect victim traffic. Sea Turtle, a Turkish state-sponsored group, operated DNS hijacking campaigns that required control of DNS infrastructure. Axiom (PRC) and Lyceum (Iran) have both operated dedicated DNS servers for their espionage operations.

T1583.003: Virtual Private Server (VPS)

VPS instances provide adversaries with remote servers for C2, phishing hosting, and proxy operations. VPS providers offering cryptocurrency payment and minimal identity verification are preferred. Adversaries use VPS instances as C2 servers (Cobalt Strike team servers, Sliver implant listeners), phishing page hosts, proxy servers for anonymizing their connections to victim networks, and staging points for malware delivery. The Salt Typhoon campaign used VPS infrastructure that could not be attributed to known botnets or obfuscation networks. BPH providers specifically market VPS services to cybercriminals, with providers like PQ Hosting (rebranded from MoreneHost) advertising on 14+ cybercrime forums.

T1583.004: Server

Beyond VPS, adversaries may acquire dedicated physical or virtual servers, including purchasing cloud compute instances through fraudulent accounts. PurpleUrchin bypassed CAPTCHA systems to create fraudulent cloud accounts for stealing platform compute resources. Earth Lusca (PRC) operated dedicated servers for C2 and data staging. The Stuxnet operation reportedly involved dedicated server infrastructure for its deployment chain. SocGholish operates dedicated staging servers that host second-stage payloads and rotate infrastructure to evade detection.

T1583.005: Botnet

Adversaries acquire access to botnets — networks of compromised computers — for DDoS attacks, credential stuffing, spam distribution, and proxy services. Botnets can be rented on cybercrime forums, with pricing based on geography, infection count, and capability. The FBI documented threat actors using residential proxy services (built on botnets) for credential stuffing attacks against online accounts. Botnets provide anonymization because the traffic originates from thousands of different residential IP addresses, making blocking and attribution extremely difficult.

T1583.006: Web Services

Adversaries create accounts on legitimate web services to support operations. This includes creating GitHub repositories for malware hosting, registering Dropbox/Google Drive accounts for C2 or exfiltration, creating Telegram/Discord channels for C2 communication, and using Pastebin or similar services for dead drop communication. APT29 has abused legitimate cloud services (Notion, Trello, Firebase, Dropbox) for C2 to blend with normal enterprise traffic. Contagious Interview (DPRK) creates fraudulent profiles on job platforms, freelancing sites, and GitHub to support social engineering operations targeting developers. APT43/Kimsuky uses stolen cryptocurrency to fund the creation of web service accounts for infrastructure.

T1583.007: Serverless

Adversaries leverage serverless compute platforms (AWS Lambda, Azure Functions, Cloudflare Workers, Google Apps Script) for C2, redirectors, and data processing. Serverless infrastructure is attractive because it requires minimal configuration, scales automatically, provides high availability, is difficult to attribute, and costs virtually nothing for low-volume C2 traffic. BlackWater malware abused Cloudflare Workers for C2 communication. APT41 has used Google Calendar as a C2 mechanism through serverless function integration. Google Apps Script has been abused for credit card skimming operations. AWS Lambda has been documented as a C2 redirector that makes traffic appear to originate from Amazon infrastructure.

T1583.008: Malvertising

Adversaries purchase advertising placements (Google Ads, Bing Ads, social media advertising) to deliver malware through search engine results or display ads. This sub-technique, added to MITRE ATT&CK in February 2023, covers the growing trend of threat actors bidding on search terms for legitimate software (Slack, Zoom, OBS, Notepad++, VLC) and displaying ads that lead to malware-laden download pages. The FBI issued a public warning about this technique in December 2022. Raspberry Robin malware has been distributed through malvertising campaigns. Ransomware-as-a-Service operators have used malvertising for initial access delivery. The technique is particularly effective because the malicious ads appear above organic search results, and the landing pages closely mimic legitimate software download sites.

The Bulletproof Hosting Ecosystem

How BPH Works

Bulletproof hosting providers knowingly lease infrastructure to cybercriminals while actively resisting abuse complaints, takedown requests, and law enforcement action. Unlike legitimate hosting companies that comply with abuse reports within hours, BPH providers may ignore complaints entirely, move reported clients to different IP ranges, or simply forward warnings without action. The November 2025 CISA/NSA/FBI/DC3 joint advisory documented BPH infrastructure supporting ransomware C2 servers, malware distribution, phishing campaigns, botnet management, and data exfiltration staging. BPH providers use several resilience techniques: fast flux DNS rotates domains across pools of IP addresses at intervals as short as minutes, making static blocking ineffective; multi-ASN distribution spreads infrastructure across multiple autonomous systems to survive individual AS-level blocking; and CDN fronting routes malicious traffic through legitimate CDN providers (particularly Cloudflare) to blend with normal web traffic.
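The fast-flux and multi-ASN resilience techniques described above are also what make BPH infrastructure stand out in passive DNS: a domain that returns many addresses within an hour is suspicious only when those addresses are spread across unrelated networks, because CDN-hosted domains also rotate addresses but inside one provider's network. The script below is an added example written for this briefing, not code from the joint advisory or from any vendor named on the page. It assumes a passive-DNS feed already enriched with the origin ASN of every answer (in practice from a CIDR-to-ASN lookup); the records it runs on are constructed, and the 5-unique-IPs-per-hour threshold is the one used by this briefing's detection queries.

```python
"""Fast-flux vs CDN discrimination over passive-DNS records.

Added example for this briefing; not code from the joint advisory or any
vendor named on the page. Assumes a passive-DNS feed already enriched with
the origin ASN of every answer (in practice from a CIDR-to-ASN lookup).
All records below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime

FLUX_IP_THRESHOLD = 5   # flag when more than this many unique IPs appear in an hour
FLUX_ASN_THRESHOLD = 3  # ...and they are spread over at least this many networks
SEVERITY = {"normal": 0, "cdn-like": 1, "fast-flux": 2}


def _rec(domain, minute, ip, asn):
    """One constructed (domain, timestamp, answer IP, origin ASN) record."""
    return (domain, f"2025-11-20T10:{minute:02d}:00", ip, asn)


SAMPLE_PDNS = [
    # Flux domain: six addresses in one hour across four unrelated networks.
    _rec("flux.example", 1, "198.51.100.12", 64501),
    _rec("flux.example", 9, "203.0.113.77", 64502),
    _rec("flux.example", 17, "192.0.2.45", 64503),
    _rec("flux.example", 25, "198.51.100.200", 64501),
    _rec("flux.example", 33, "203.0.113.9", 64504),
    _rec("flux.example", 41, "192.0.2.250", 64503),
    # CDN-hosted domain: also six addresses, but all announced by one network.
    _rec("cdn.example", 2, "203.0.113.1", 64510),
    _rec("cdn.example", 12, "203.0.113.2", 64510),
    _rec("cdn.example", 22, "203.0.113.3", 64510),
    _rec("cdn.example", 32, "203.0.113.4", 64510),
    _rec("cdn.example", 42, "203.0.113.5", 64510),
    _rec("cdn.example", 52, "203.0.113.6", 64510),
    # Ordinary corporate site: two addresses in one network.
    _rec("corp.example", 5, "192.0.2.10", 64520),
    _rec("corp.example", 35, "192.0.2.11", 64520),
]


def hourly_profile(records):
    """Group answers per (domain, hour) and collect the unique IPs and ASNs seen."""
    profile = defaultdict(lambda: {"ips": set(), "asns": set()})
    for domain, ts, ip, asn in records:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        profile[(domain, hour)]["ips"].add(ip)
        profile[(domain, hour)]["asns"].add(asn)
    return profile


def verdict_for(n_ips, n_asns, ip_threshold=FLUX_IP_THRESHOLD,
                asn_threshold=FLUX_ASN_THRESHOLD):
    """Many IPs across many networks is fast flux; many IPs inside one
    provider's network looks like a CDN; anything else is normal."""
    if n_ips > ip_threshold and n_asns >= asn_threshold:
        return "fast-flux"
    if n_ips > ip_threshold:
        return "cdn-like"
    return "normal"


def classify(records, ip_threshold=FLUX_IP_THRESHOLD, asn_threshold=FLUX_ASN_THRESHOLD):
    """Return {domain: worst hourly verdict} over the whole feed."""
    verdicts = {}
    for (domain, _hour), p in hourly_profile(records).items():
        v = verdict_for(len(p["ips"]), len(p["asns"]), ip_threshold, asn_threshold)
        if SEVERITY[v] >= SEVERITY.get(verdicts.get(domain), -1):
            verdicts[domain] = v
    return verdicts


if __name__ == "__main__":
    for domain, verdict in sorted(classify(SAMPLE_PDNS).items()):
        print(f"{domain:<14} {verdict}")
```

Running the script prints one verdict per domain: the flux domain is flagged, the CDN-hosted domain is reported as CDN-like rather than malicious, and the corporate site is normal. The ASN count is the discriminating feature; an ASN-free version of this rule (unique IPs alone) would flag every CDN customer.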

Key BPH Providers (2024–2025)

  • Media Land LLC (operated by Alexander Volosovik / "yalishanda" from St. Petersburg): provided fast-flux reverse proxy infrastructure to LockBit, BlackSuit, Evil Corp, Play, Snatch, and other ransomware groups. Sanctioned by the U.S. Treasury in November 2025.
  • Stark Industries Solutions Ltd (founded February 2022, just before the Russian invasion of Ukraine): hosted infrastructure for Russian state-sponsored and cybercriminal operations. Sanctioned by the European Council in May 2025.
  • BEARHOST/Ghost BPH conglomerate (linked to Cat Technologies Co. Limited and Aeza Group): provided infrastructure supporting Qilin ransomware and other operations. Transitioned to invitation-only service after increased scrutiny in late 2024.
  • PQ Hosting (formerly MoreneHost): promotes services on 14+ cybercrime forums; infrastructure linked to DarkSide (Colonial Pipeline) and FiveHands/HelloKitty ransomware.
  • Aeza Group: sanctioned by the U.S. Treasury in July 2025 for providing BPH services to BianLian ransomware and hosting the BlackSprut illicit marketplace.

Why Acquire Infrastructure Matters

Pre-Compromise Blind Spot

T1583 activity occurs entirely before any intrusion of the victim's network. Victim organizations cannot detect when an adversary registers a phishing domain, provisions a C2 server, or purchases a malvertising placement. This makes T1583 fundamentally different from all post-compromise techniques: the defender's visibility begins only when the acquired infrastructure is used against them (i.e., when the phishing email arrives or the C2 beacon connects).

Infrastructure Resilience

The BPH ecosystem ensures that adversary infrastructure survives takedown attempts. When LockBit's infrastructure was seized in Operation Cronos (February 2024), the group rebuilt C2 infrastructure within days using alternative BPH providers. When BEARHOST faced increased scrutiny, it shifted to invitation-only service rather than shutting down. This resilience means that infrastructure-focused disruption operations provide temporary relief but do not permanently degrade adversary capabilities unless combined with arrests and sanctions.

Attribution Evasion

Infrastructure acquired through cryptocurrency payments, fraudulent identities, stolen financial data, and privacy-focused registrars makes attribution extremely difficult. Nation-state actors (APT43/Kimsuky funding infrastructure with stolen cryptocurrency, Ember Bear using IVPN/SurfShark/Tor for anonymization, Agrius using commercial VPN services) and cybercriminals (Indrik Spider purchasing VPN access to victim networks) both invest heavily in infrastructure that breaks the attribution chain between the attack and the attacker.

Real-World Case Studies

Case 1: Media Land Sanctions — Exposing Ransomware's Hosting Backbone (November 2025)

The U.S. Treasury's November 2025 sanctions against Media Land LLC and its operators exposed the infrastructure backbone supporting multiple tier-one ransomware groups. Media Land, operated by Alexander Volosovik ("yalishanda") from St. Petersburg, provided a fast-flux reverse proxy network that cycled ransomware C2 domains and data leak sites across rotating IP pools. The infrastructure had been used by LockBit, BlackSuit, Evil Corp, and Play ransomware, as well as Smokeloader malware distribution and GandCrab ransomware before its 2019 retirement. CISA simultaneously published guidance for ISPs and network defenders on mitigating BPH risks, recommending traffic analysis, malicious resource list curation, and know-your-customer capabilities for infrastructure providers. The sanctions identified three individuals: Volosovik, Kirill Zatolokin ("downlow"), and Yulia Pankova, who handled finances while aware of the illicit operations.

Case 2: Qilin Ransomware / BEARHOST BPH Conglomerate (2024–2025)

Resecurity documented the infrastructure relationship between Qilin ransomware and the BEARHOST bulletproof hosting conglomerate, which operates through multiple legal entities including Cat Technologies Co. Limited (Hong Kong) and entities linked to Aeza Group. BEARHOST provided VPS, domain registration, and fast-flux hosting services to Qilin's RaaS platform, including infrastructure for its Tor-hosted data leak site and affiliate management panel. When BEARHOST announced it was ceasing public operations in late 2024, it transitioned to an invitation-only model servicing vetted underground actors — maintaining service to existing customers like Qilin while reducing exposure to law enforcement and security researchers. The Aeza Group was separately sanctioned by the U.S. Treasury in July 2025 for providing BPH services supporting BianLian ransomware and the BlackSprut darknet marketplace.

Case 3: Stark Industries Solutions — Russian State-Sponsored Infrastructure (2022–2025)

Stark Industries Solutions Ltd, founded in February 2022 just before Russia's invasion of Ukraine, rapidly became a primary infrastructure provider for both Russian state-sponsored cyber operations and cybercriminal activity. Sophos Counter Threat Unit researchers documented multiple state-sponsored and cybercriminal threat groups using Stark Industries infrastructure since its founding. The European Council sanctioned Stark Industries and its operators in May 2025 for enabling Russian destabilizing cyber activities. The provider also hosted infrastructure associated with the Doppelganger Russian disinformation campaign. Sophos's February 2026 research documented WantToCry ransomware operators using Stark Industries VPS infrastructure provisioned through ISPsystem templates, confirming the ongoing use of this infrastructure for criminal operations despite sanctions.

Case 4: APT43/Kimsuky — Cryptocurrency-Funded Infrastructure (2024–2025)

APT43, the North Korean group closely aligned with Kimsuky, has pioneered using stolen and laundered cryptocurrency to fund infrastructure acquisition. Mandiant's March 2024 report documented the group stealing cryptocurrency through targeted campaigns, laundering it through mixing services, and then using the clean funds to register domains, provision VPS instances, and create accounts on web services for subsequent espionage operations. This creates a self-sustaining cycle: cybercrime funds espionage infrastructure, which enables further cybercrime. The Contagious Interview campaign (also DPRK-linked) extends this model by acquiring infrastructure on freelancing platforms, code repositories, and job sites to support social engineering operations targeting cryptocurrency developers.

Case 5: Malvertising as an Initial Access Vector (2023–2025)

The rise of malvertising (T1583.008) as a primary initial access vector has made search engine advertising infrastructure a direct component of the attack chain. Threat actors bid on Google Ads keywords for legitimate software (Slack, Zoom, OBS Studio, Notepad++, 7-Zip, VLC), creating ad campaigns that appear above organic search results. The landing pages closely mimic official download sites but deliver malware payloads — typically infostealers (LummaC2, Raccoon, Redline) or loader malware (Raspberry Robin). The FBI's December 2022 warning documented this trend, and the technique has only intensified through 2024–2025. Ransomware-as-a-Service operators use malvertising as part of their affiliate initial access toolkit, and the technique has been documented as a distribution vector for multiple ransomware families including IcedID-to-ransomware chains.

Detection Strategies

T1583 is inherently difficult to detect because the infrastructure acquisition happens outside the victim's network. Detection focuses on identifying adversary infrastructure when it is used against the organization, and on proactive threat intelligence to identify infrastructure before it is operationalized.

Data Source | Detection Focus | Key Indicators
--- | --- | ---
Domain Registration (WHOIS) | Newly registered domains | Domains registered within 30 days that mimic your brand or partner brands; domains with privacy protection from known BPH-associated registrars; bulk registrations from single entities
Internet Scan Data | C2 infrastructure fingerprinting | Shodan/Censys scans identifying Cobalt Strike team servers, Sliver C2 listeners, or Metasploit handlers by TLS certificate patterns, default configurations, or JARM hashes
Passive DNS | Fast-flux and infrastructure patterns | Domains resolving to many different IPs over short periods (fast flux); domains hosted on known BPH ASNs; domain-to-IP mapping changes at abnormal frequencies
DNS Traffic | Connections to adversary infrastructure | DNS queries to newly registered domains, known malicious domains, or domains hosted on sanctioned infrastructure (Media Land, Stark Industries ASNs)
Certificate Transparency | New certificates for lookalike domains | SSL certificates issued for domains that are visually similar to your organization's domains; certificates from free CAs (Let's Encrypt) for suspicious domains
Ad Platform Monitoring | Malvertising detection | Ads for your brand or products leading to non-official URLs; competitor brand impersonation ads; ads with suspicious tracking parameters or redirect chains
Threat Intelligence Feeds | Known adversary infrastructure | IP addresses and domains attributed to specific threat actors in commercial and open-source threat intelligence; infrastructure IOCs from government advisories (CISA, FBI flash alerts)

Splunk / SIEM Detection Queries

Detect connections to recently registered domains (NRDs):

index=proxy OR index=dns
| lookup domain_age_lookup domain AS query OUTPUT domain_age_days
| where domain_age_days < 30 AND domain_age_days >= 0
| stats count dc(src_ip) as unique_sources values(src_ip) as sources
  by query domain_age_days
| where count > 5
| sort -count

Detect connections to known BPH ASNs and sanctioned infrastructure. The iplocation command returns only geolocation fields (city, country, coordinates), not an ASN, so dest_asn must come from a CIDR-matched IP-to-ASN lookup; ip_to_asn_lookup below is an assumed name for such a lookup, and bph_asn_list is the ASN list maintained from the sources in the recommendations section:

index=firewall OR index=proxy
| lookup ip_to_asn_lookup ip AS dest_ip OUTPUT asn AS dest_asn
| lookup bph_asn_list asn AS dest_asn OUTPUT bph_provider
| where isnotnull(bph_provider)
| stats count values(dest_ip) as dest_ips values(bph_provider) as providers
  by src_ip dest_asn
| sort -count

Detect fast-flux DNS patterns (domain resolving to many IPs):

index=dns (sourcetype=stream:dns OR sourcetype=dns)
record_type IN ("A", "AAAA")
| bin _time span=1h
| stats dc(answer) as unique_ips count by query _time
| where unique_ips > 5
| stats avg(unique_ips) as avg_ips max(unique_ips) as max_ips
  sum(count) as total_queries by query
| where avg_ips > 3 AND total_queries > 20
| sort -avg_ips

Detect malvertising redirects from search engines to suspicious downloads:

index=proxy
(referrer="*google.com/aclk*" OR referrer="*bing.com/aclick*"
 OR referrer="*googleads*" OR referrer="*doubleclick*")
AND (url="*.exe" OR url="*.msi" OR url="*.zip" OR url="*.iso")
AND NOT dest_domain IN ("official-domain1.com", "official-domain2.com")
| stats count by src_ip dest_domain url referrer
| sort -count

Threat Actors and Infrastructure

State-Sponsored Groups

Actor | Infrastructure Methods | Notable Context
--- | --- | ---
APT43 / Kimsuky (DPRK) | Crypto-funded domains, VPS, web service accounts | Self-sustaining cybercrime-to-espionage infrastructure cycle
Contagious Interview (DPRK) | Freelance platform accounts, GitHub repos, job site profiles | Social engineering infrastructure targeting developers
APT28 / Fancy Bear (Russia) | Phishing domains, C2 servers, lookalike domains | Government-impersonation phishing infrastructure
APT29 / Cozy Bear (Russia) | Domains, cloud service accounts (Notion, Trello, Firebase) | Legitimate service abuse for C2 blending
Cadet Blizzard (Russia) | VPS, domains, web services | Destructive operations against Ukraine
Ember Bear (Russia) | IVPN, SurfShark, Tor for anonymization | VPN services for attribution evasion
Sea Turtle (Turkey) | DNS servers, VPN infrastructure | DNS hijacking requiring controlled DNS infrastructure
APT41 (PRC) | Serverless (Google Calendar C2), VPS, domains | Dual espionage/financial operations
Agrius (Iran) | Commercial VPN services for anonymization | Destructive operations disguised as ransomware

BPH Providers and Ransomware Infrastructure

Provider | Status | Known Clients
--- | --- | ---
Media Land LLC / yalishanda | Sanctioned (U.S. Treasury, Nov 2025) | LockBit, BlackSuit, Evil Corp, Play, Snatch, GandCrab
Stark Industries Solutions | Sanctioned (EU Council, May 2025) | Russian state-sponsored operations, Doppelganger disinfo
Aeza Group / Aeza International | Sanctioned (U.S. Treasury, Jul 2025) | BianLian ransomware, BlackSprut marketplace
BEARHOST / Ghost conglomerate | Active (invitation-only since late 2024) | Qilin ransomware, various RaaS operators
PQ Hosting (fmr. MoreneHost) | Active; advertised on 14+ forums | DarkSide (Colonial Pipeline), FiveHands/HelloKitty

Defensive Recommendations

  • Implement domain monitoring for brand impersonation. Use commercial domain monitoring services or dnstwist-based tools to detect newly registered domains that visually resemble your organization's domains (typosquatting, homoglyphs, TLD variations). Monitor Certificate Transparency logs for SSL certificates issued against lookalike domains. Act quickly to report and take down impersonation domains through registrar abuse processes before they are used in phishing campaigns.
  • Block connections to recently registered domains. Newly Registered Domains (NRDs — domains less than 30 days old) are disproportionately used for malicious purposes. Implement DNS-layer blocking or proxying that flags or blocks connections to NRDs, allowing exceptions for legitimate new domains through an allowlist process. This single control blocks a significant percentage of phishing and malware delivery infrastructure.
  • Leverage threat intelligence for infrastructure blocking. Subscribe to commercial and open-source threat intelligence feeds that provide indicators of adversary infrastructure including BPH ASNs, known C2 server IPs, and malicious domains. Integrate these feeds into firewalls, DNS resolvers, and proxy servers for automated blocking. Monitor government advisories (CISA, FBI, NCSC) for sanctioned infrastructure identifiers.
  • Monitor for fast-flux DNS patterns. Fast-flux DNS — where a domain rapidly rotates through many IP addresses — is a signature of BPH infrastructure. Monitor DNS resolution logs for domains that resolve to more than 5 unique IPs within a one-hour window. While CDN-hosted domains also resolve to multiple IPs, the resolution patterns differ: CDN domains resolve to IPs within the same network, while fast-flux domains resolve to IPs across diverse networks and geographies.
  • Implement anti-malvertising controls. Deploy ad blockers on corporate endpoints to prevent exposure to malicious search engine advertisements. Implement application whitelisting to prevent execution of software downloaded from non-approved sources. Train users to navigate directly to software vendor websites rather than clicking search engine ads for software downloads. Monitor proxy logs for executable downloads originating from search engine advertising redirect chains.
  • Track adversary infrastructure through internet scanning. Use tools like Shodan, Censys, and JARM fingerprinting to proactively identify C2 servers that match known adversary profiles (Cobalt Strike team server TLS patterns, Sliver default configurations, Metasploit handler signatures). This proactive hunting can identify adversary infrastructure before it is used in attacks against your organization.
  • Block known BPH autonomous system numbers. While blocking entire ASNs risks impacting legitimate traffic, ASNs associated with sanctioned or well-documented BPH providers (Media Land, Stark Industries, Aeza) present low risk of legitimate use. Implement blocklists for the most egregious BPH ASNs and monitor connections to others. Use resources like Spamhaus ASN blocklists and ipapi.is abuse lists to maintain current BPH ASN intelligence.
  • Report adversary infrastructure to registrars and hosting providers. When adversary infrastructure is identified, report it to the domain registrar (through WHOIS abuse contacts), hosting provider, and relevant CERTs. For domains used in phishing, submit to Google Safe Browsing, Microsoft SmartScreen, and PhishTank. For BPH-hosted infrastructure, report to the upstream transit providers who peer with the BPH ASN, as transit providers may be more responsive than the BPH provider itself.
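The domain-monitoring recommendation above, together with the typosquatting, homoglyph and IDN homograph registration patterns described under T1583.001, can be screened with a small lookalike detector like the one below. It is an added example written for this briefing, not code from the briefing, from dnstwist or from any vendor named on the page. Candidates may come from any feed (newly registered domains from WHOIS, or subject alternative names pulled from Certificate Transparency logs); the protected brand domains, the candidate list and the confusable-character table are all constructed placeholders, and the table is only a hypothetical subset of the real Unicode confusables data. The classifier goes slightly beyond the page's list by also labelling TLD variations and brand-plus-keyword combinations.

```python
"""Lookalike-domain screening for brand monitoring.

Added example for this briefing; not code from the briefing, from dnstwist
or from any vendor named on the page. Candidates may come from any feed:
newly registered domains or SANs taken from Certificate Transparency logs.
All domains are constructed placeholders and the confusable table is a
small hypothetical subset of the Unicode confusables data.
"""
import unicodedata

PROTECTED = ["apple.example", "microsoft.example"]  # constructed brand domains

# Visually confusable sequences folded to the Latin letter they imitate.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",          # multi-character look-alikes
    "0": "o", "1": "l",            # digit look-alikes
    "\u0430": "a", "\u0435": "e",  # Cyrillic а, е
    "\u043e": "o", "\u0440": "p",  # Cyrillic о, р
    "\u0441": "c", "\u0445": "x",  # Cyrillic с, х
    "\u0456": "i",                 # Cyrillic і
}

# Punycode form of "аpple.example" (Cyrillic а), as a registration feed or a
# certificate SAN would carry it; constructed, encodes to xn--pple-43d.example.
IDN_SAMPLE = "\u0430pple.example".encode("idna").decode("ascii")

SAMPLE_CANDIDATES = [
    "micr0soft.example",    # digit-for-letter homoglyph
    "rnicrosoft.example",   # rn-for-m homoglyph
    IDN_SAMPLE,             # IDN homograph
    "appel.example",        # adjacent-letter transposition
    "apple.test",           # same label under another TLD
    "apple-login.example",  # brand combined with a keyword
    "banana.example",       # unrelated, must not be flagged
    "apple.example",        # our own domain, must not be flagged
]


def to_unicode(domain):
    """Decode punycode (xn--) labels so IDN homographs compare as Unicode."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already holds non-ASCII characters


def split_domain(domain):
    """Return (second-level label, TLD); assumes a single-label public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) > 1 else (labels[0], "")


def normalize(label):
    """Fold confusables so 'micr0soft' and 'rnicrosoft' both become 'microsoft'."""
    out = unicodedata.normalize("NFKC", label)
    for seq, repl in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(seq, repl)  # longest sequences first
    return out


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_candidate(candidate, protected=PROTECTED):
    """Return (candidate, brand, kind) for a lookalike, or None if it is not one."""
    lowered = candidate.lower()
    decoded = to_unicode(lowered)
    c_sld, c_tld = split_domain(decoded)
    for brand in protected:
        b_sld, b_tld = split_domain(brand)
        if (c_sld, c_tld) == (b_sld, b_tld):
            return None  # one of our own domains
        folded = normalize(c_sld)
        if folded == b_sld and c_sld != b_sld:
            return (candidate, brand, "idn-homograph" if decoded != lowered else "homoglyph")
        if c_sld == b_sld:
            return (candidate, brand, "tld-variation")
        if osa_distance(folded, b_sld) <= 1:
            return (candidate, brand, "typosquat")
        if b_sld in folded:
            return (candidate, brand, "combosquat")
    return None


def screen(candidates, protected=PROTECTED):
    """Screen a feed of candidate domains and return the findings."""
    return [f for f in (classify_candidate(c, protected) for c in candidates) if f]
```

Calling screen(SAMPLE_CANDIDATES) returns six findings and leaves the unrelated and legitimate names untouched. Punycode is decoded before comparison so that a certificate issued for xn--pple-43d.example is matched as an IDN homograph of the protected name rather than as an unrelated ASCII string; the confusable folding runs only on the candidate, and the edit-distance threshold of one is deliberately tight to keep the alert volume manageable on a real registration feed.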

MITRE ATT&CK Mapping

Field | Value
--- | ---
Technique ID | T1583
Technique Name | Acquire Infrastructure
Tactic | Resource Development (TA0042)
Sub-techniques | T1583.001 (Domains), T1583.002 (DNS Server), T1583.003 (Virtual Private Server), T1583.004 (Server), T1583.005 (Botnet), T1583.006 (Web Services), T1583.007 (Serverless), T1583.008 (Malvertising)
Platforms | PRE (Pre-compromise)
Data Sources | Domain Name: Active DNS, Domain Name: Domain Registration, Domain Name: Passive DNS, Internet Scan: Response Content, Internet Scan: Response Metadata
Mitigations | M1056 (Pre-compromise — cannot be easily mitigated with preventive controls)
Related Techniques | T1584 (Compromise Infrastructure), T1608 (Stage Capabilities), T1566 (Phishing), T1071 (Application Layer Protocol), T1102 (Web Service)
MITRE ATT&CK Reference | attack.mitre.org/techniques/T1583

Sources and References

Sources

The following references were used in compiling this technique briefing. Where possible, primary sources (vendor advisories, government alerts, original research) were prioritized over secondary reporting.

  • MITRE ATT&CK — T1583 Acquire Infrastructure (updated April 2025): attack.mitre.org
  • CISA/NSA/FBI/DC3 — Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers (November 2025): cisa.gov
  • Intel 471 — Bulletproof Hosting: A Critical Cybercriminal Service (August 2025): intel471.com
  • Resecurity — Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate (2025): resecurity.com
  • Sophos Counter Threat Unit — Malicious Use of Virtual Machine Infrastructure (February 2026): sophos.com
  • Spamhaus — The Anatomy of Bulletproof Hosting: Past, Present, Future: spamhaus.org
  • OWN-CERT — 50 Shades of Bulletproof Hosting: BPH Landscape on Russian-Language Cybercrime Forums (August 2024): own.security
  • Mandiant — APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations (March 2024): cloud.google.com
  • FBI — Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services (December 2022): ic3.gov
  • Breached.company — The Bulletproof Fortress: Inside the Shadowy World of Cybercrime Hosting Infrastructure (November 2025): breached.company
— end of briefing