Happy New Year from ThreatSTOP. As mentioned in our previous update, December was intentionally designated as a cleanup and optimization month. We completed a significant amount of internal restructuring and enhancement work but chose not to release those changes during the holiday season to avoid any risk of disruption to customer networks.

With the New Year underway, all updates have now been successfully released and deployed without interruption. The result is a stronger, more precise protection portfolio that delivers faster response, broader coverage, and greater control across modern threat vectors.

Faster Threat Detection with Bambenek Premium Feed Bundles

We have streamlined delivery of high-quality threat intelligence through the introduction of the Bambenek Premium Feed Bundle. Consolidating these premium feeds into a single bundle enables faster detections, simplified configuration, and consistent enforcement across environments.

In addition, a new Bambenek phishing feed is now available, further strengthening protection against credential harvesting and brand impersonation campaigns. More details on this release are available in our earlier blog post.


Bolstering Phishing and Credential Harvesting Protections

Phishing remains one of the most effective initial access techniques used by attackers. Our latest detector enhancements significantly improve phishing and credential harvesting identification by incorporating advanced hash-based analysis of phishing login imagery. This allows ThreatSTOP to identify reused and rapidly evolving phishing kits before they can cause harm.


Uncovering Hidden Threats with IOC- and Certificate-Based Detection

Attackers frequently reuse infrastructure to avoid detection and reduce operational cost. New detection logic that leverages SSL and TLS certificate hashes allows ThreatSTOP to identify related malicious infrastructure even when domains and IP addresses change. This adds an additional layer of protection against evasive malware and persistent threat campaigns.
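The certificate-hash pivot described above, as an added illustration (not ThreatSTOP's own detection code): connections are matched on IP, domain and certificate fingerprint, and infrastructure that serves an already-known certificate under a new IP or domain is surfaced as a candidate indicator. The connection records and indicator lists are constructed, and the certificate bytes are placeholders rather than real DER.

```python
import hashlib

# Constructed TLS connection records, as a sensor might log them: destination IP,
# requested SNI and the server's leaf certificate (DER). The cert bytes are
# placeholders, not real certificates; only their digests matter for this example.
CONSTRUCTED_CONNECTIONS = [
    {"dst_ip": "203.0.113.10", "sni": "update-cdn.example", "cert_der": b"placeholder-cert-A"},
    {"dst_ip": "198.51.100.7", "sni": "cdn-update.example", "cert_der": b"placeholder-cert-A"},
    {"dst_ip": "192.0.2.55", "sni": "mail.example.net", "cert_der": b"placeholder-cert-B"},
    {"dst_ip": "198.51.100.9", "sni": "login.example.org", "cert_der": b"placeholder-cert-C"},
]


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, lowercase hex: the usual fingerprint IOC form."""
    return hashlib.sha256(der).hexdigest()


def detect(connections, bad_fingerprints, bad_ips, bad_domains):
    """Match connections against IP, domain and certificate-hash indicators.

    Returns (alerts, pivoted): alerts are the matching records with the indicator
    types that fired; pivoted holds IPs and domains that were on no list but served
    a known-bad certificate, i.e. rotated infrastructure the cert hash still catches.
    """
    alerts, pivoted = [], {"ips": set(), "domains": set()}
    for rec in connections:
        fp = cert_fingerprint(rec["cert_der"])
        reasons = []
        if rec["dst_ip"] in bad_ips:
            reasons.append("ip")
        if rec["sni"] in bad_domains:
            reasons.append("domain")
        if fp in bad_fingerprints:
            reasons.append("cert")
            # Pivot: new infrastructure behind an already-known certificate.
            if rec["dst_ip"] not in bad_ips:
                pivoted["ips"].add(rec["dst_ip"])
            if rec["sni"] not in bad_domains:
                pivoted["domains"].add(rec["sni"])
        if reasons:
            alerts.append({"dst_ip": rec["dst_ip"], "sni": rec["sni"],
                           "cert_sha256": fp, "reasons": reasons})
    return alerts, pivoted

# Constructed indicator lists: one IP/domain pair and certificate A are known bad.
BAD_IPS = {"203.0.113.10"}
BAD_DOMAINS = {"update-cdn.example"}
BAD_FINGERPRINTS = {cert_fingerprint(b"placeholder-cert-A")}
```

Running `detect(CONSTRUCTED_CONNECTIONS, BAD_FINGERPRINTS, BAD_IPS, BAD_DOMAINS)` flags the second connection on the certificate alone, even though its IP and domain are new, and returns them as pivoted indicators.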


Enhanced Visibility into Third-Party VPN Traffic

As remote access continues to expand, third-party VPN usage has become a critical visibility and policy concern. Dedicated third-party VPN bundles now simplify enforcement and provide clearer insight into VPN-based access paths, helping organizations maintain security without sacrificing operational flexibility.


Revitalizing Threat Intelligence with OTX Enhancements

Threat intelligence loses value when it becomes stagnant. By reorganizing and activating Open Threat eXchange domain and IP feeds, previously unused intelligence is now delivering immediate protective value. These enhancements ensure continued benefit from one of the industry’s most widely shared intelligence sources.

Activating Dormant Detections for Immediate Impact

Our proactive approach extends to dormant threats as well. Through a comprehensive cleanup effort, we've converted dormant malware detections into active protections, immediately enhancing your detection efficacy.

URLAbuse Domains and URLAbuse IPs

Command and control infrastructure remains one of the most critical components of modern cyber threats. Malware, botnets, phishing frameworks, and data exfiltration tooling all depend on reliable communication channels to remain effective. Disrupting those channels early dramatically reduces attacker impact.

To strengthen this layer of protection, the ThreatSTOP Security, Intelligence, and Research team has added two new high-confidence targets to the Command and Control bundle:

  • URLAbuse Domains
  • URLAbuse IPs

URLAbuse is a modern URL intelligence platform focused on identifying and cataloging actively abused internet infrastructure. Its data is community-reported, analyst-reviewed, and curated to emphasize accuracy and real-world abuse over raw volume. URLAbuse tracks malicious URLs and associated IP addresses tied to phishing, malware delivery, command and control activity, and infrastructure abuse.

By integrating URLAbuse intelligence into ThreatSTOP protections, customers gain access to a high-fidelity signal that blocks a significant volume of malicious traffic while maintaining a low false-positive rate. These new targets immediately enhance the ability to interrupt malware callbacks, botnet coordination, and covert attacker communications.

Expanding Control and Precision with Geographic and Application Protections

Modern threats rarely respect borders or application boundaries. Attackers routinely abuse geographic infrastructure and popular consumer platforms to blend malicious activity into legitimate traffic. ThreatSTOP focuses on giving organizations precise control over where their networks connect and which applications are allowed to communicate.

All protections described below are created and maintained by the ThreatSTOP Security, Intelligence, and Research team and are available across Protective DNS and IP Defense environments.

New Geography-Based IP and Domain Protections

Available in the Governance Bundle

The following country-level protections are now available at both the IP and domain layers:

Sierra Leone, Kuwait, Palestinian Territories, Qatar, Jordan, Bahrain, United Arab Emirates, Mauritania, Oman, Saudi Arabia, Egypt, Tunisia, Djibouti, Comoros, Algeria, Morocco, Taiwan, Thailand, Grenada, Philippines, Dominica

These protections allow security teams to align access with business operations, regulatory requirements, and threat intelligence insights. Whether restricting exposure to higher-risk regions or explicitly allowing trusted geographies, Protective DNS and IP Defense make geographic policy enforcement clear and auditable.

Expanded Application Control Protections

Applications are frequently abused for data exfiltration, command and control communication, and policy evasion. The Application Control Bundle has been expanded with new protections that enable domain- and IP-level enforcement for commonly abused platforms, including:

eBay, AliExpress, Temu, Wish, Etsy, Rakuten, WhatsApp, Telegram, Facebook Messenger, Snapchat, Zoom, YouTube, QQ, Gemini

These controls support use cases such as reducing shadow IT, limiting unsanctioned communication channels, preventing data leakage, and enforcing acceptable use policies across on-premises, cloud, and hybrid environments.


Connect with Customers, Disconnect from Risks

At ThreatSTOP, we understand that every organization’s security needs are unique. That’s why our suite of products—including DNS Defense Cloud, DNS Defense, and IP Defense—offers flexible, proactive protections tailored to your environment. Whether you’re looking to safeguard your network infrastructure or end-user devices, ThreatSTOP has you covered.

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!


| Threat Activity Addressed | MITRE ATT&CK Technique | Description |
|---|---|---|
| Command and control traffic | T1071 | Application layer protocol abuse |
| Command and control over common services | T1071.001 | Web based command channels |
| Application abuse and covert communications | T1090 | Proxy and relay techniques |
| Data exfiltration via applications | T1041 | Exfiltration over command and control channel |
| Geographic infrastructure abuse | T1583 | Acquisition and use of infrastructure |
| Network denial and disruption | T1498 | Network denial of service |
| Botnet and URL Abuse Detection Enhancements | T1571.001 | Remote Access Software |

Stay secure, stay connected, and let ThreatSTOP be your trusted partner in the fight against cyber threats.