Happy New Year from ThreatSTOP. As mentioned in our previous update, December was intentionally designated as a cleanup and optimization month. We completed a significant amount of internal restructuring and enhancement work but chose not to release those changes during the holiday season to avoid any risk of disruption to customer networks.
With the New Year underway, all updates have now been successfully released and deployed without interruption. The result is a stronger, more precise protection portfolio that delivers faster response, broader coverage, and greater control across modern threat vectors.
We have streamlined delivery of high quality threat intelligence through the introduction of the Bambenek Premium Feed Bundle. Consolidating these premium feeds into a single bundle enables faster detections, simplified configuration, and consistent enforcement across environments.
In addition, a new Bambenek phishing feed is now available, further strengthening protection against credential harvesting and brand impersonation campaigns. More details on this release are available in our earlier blog post.
Phishing remains one of the most effective initial access techniques used by attackers. Our latest detector enhancements significantly improve phishing and credential harvesting identification by incorporating advanced hash based analysis of phishing login imagery. This allows ThreatSTOP to identify reused and rapidly evolving phishing kits before they can cause harm.
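The hash-based image matching mentioned above is, in practice, perceptual hashing: a kit that is re-deployed on a new domain with a recoloured button or a swapped logo still produces a screenshot hash within a few bits of the original, while an unrelated page does not. The following is an added illustration of that technique in pure Python, not ThreatSTOP's detector code; the images are constructed 32x32 grayscale matrices, the difference-hash (dHash) variant and the 10-bit threshold are this example's own choices.

```python
"""Perceptual (difference) hashing of login-page screenshots.

Near-duplicate detection for phishing kit imagery: images are plain
grayscale matrices (lists of rows of 0-255 ints), so this runs offline
without an imaging library.
"""


def downscale(img, width, height):
    """Block-average an HxW grayscale matrix down to height x width."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for y in range(height):
        y0 = y * src_h // height
        y1 = max(y0 + 1, (y + 1) * src_h // height)
        row = []
        for x in range(width):
            x0 = x * src_w // width
            x1 = max(x0 + 1, (x + 1) * src_w // width)
            block = [img[j][i] for j in range(y0, y1) for i in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img, size=8):
    """Difference hash: downscale to (size+1) x size and emit a 1 bit wherever a
    pixel is darker than its right-hand neighbour. Returns a size*size-bit int."""
    small = downscale(img, size + 1, size)
    bits = 0
    for row in small:
        for x in range(size):
            bits = (bits << 1) | int(row[x] < row[x + 1])
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def is_near_duplicate(img_a, img_b, threshold=10):
    """Two 64-bit dHashes within `threshold` bits are treated as the same kit artwork
    (threshold is an assumption for this example; tune it on your own corpus)."""
    return hamming(dhash(img_a), dhash(img_b)) <= threshold


# Constructed sample "screenshots" (32x32 grayscale), not real phishing imagery.
def kit_login_page():
    # horizontal gradient background with a dark "Sign in" button
    img = [[x * 4 for x in range(32)] for _ in range(32)]
    for y in range(20, 28):
        for x in range(8, 24):
            img[y][x] = 20
    return img


def kit_login_page_rebranded():
    # same kit, brightened by 10 levels, with a different logo in the top-left corner
    img = [[min(255, v + 10) for v in row] for row in kit_login_page()]
    for y in range(4):
        for x in range(4):
            img[y][x] = 70
    return img


def unrelated_page():
    # vertical stripes: nothing in common with the kit layout
    return [[200 if (x // 4) % 2 == 0 else 50 for x in range(32)] for _ in range(32)]


if __name__ == "__main__":
    a, b, c = kit_login_page(), kit_login_page_rebranded(), unrelated_page()
    print(f"kit vs rebranded kit: {hamming(dhash(a), dhash(b))} bits apart")
    print(f"kit vs unrelated page: {hamming(dhash(a), dhash(c))} bits apart")
```

The brightness shift leaves every left-versus-right comparison unchanged and the logo swap only flips the bits in the affected corner, which is why the rebranded kit lands a bit or two away while the unrelated page differs in well over half the hash. A cryptographic hash (SHA-256) of the same two files would share nothing, which is the reason perceptual rather than exact hashing is used for kit tracking.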
Attackers frequently reuse infrastructure to avoid detection and reduce operational cost. New detection logic that leverages SSL and TLS certificate hashes allows ThreatSTOP to identify related malicious infrastructure even when domains and IP addresses change. This adds an additional layer of protection against evasive malware and persistent threat campaigns.
As remote access continues to expand, third party VPN usage has become a critical visibility and policy concern. Dedicated third party VPN bundles now simplify enforcement and provide clearer insight into VPN based access paths, helping organizations maintain security without sacrificing operational flexibility.
Threat intelligence loses value when it becomes stagnant. By reorganizing and activating Open Threat eXchange domain and IP feeds, previously unused intelligence is now delivering immediate protective value. These enhancements ensure continued benefit from one of the industry’s most widely shared intelligence sources.
Activating Dormant Detections for Immediate Impact
Our proactive approach extends to dormant threats as well. Through a comprehensive cleanup effort, we’ve converted dormant malware detections into active protections, immediately enhancing your detection efficacy.
Command and control infrastructure remains one of the most critical components of modern cyber threats. Malware, botnets, phishing frameworks, and data exfiltration tooling all depend on reliable communication channels to remain effective. Disrupting those channels early dramatically reduces attacker impact.
To strengthen this layer of protection, the ThreatSTOP Security, Intelligence, and Research team has added two new high confidence targets to the Command and Control bundle:
URLAbuse is a modern URL intelligence platform focused on identifying and cataloging actively abused internet infrastructure. Its data is community reported, analyst reviewed, and curated to emphasize accuracy and real world abuse over raw volume. URLAbuse tracks malicious URLs and associated IP addresses tied to phishing, malware delivery, command and control activity, and infrastructure abuse.
By integrating URLAbuse intelligence into ThreatSTOP protections, customers gain access to a high fidelity signal that blocks a significant volume of malicious traffic while maintaining a low false positive rate. These new targets immediately enhance the ability to interrupt malware callbacks, botnet coordination, and covert attacker communications.
Modern threats rarely respect borders or application boundaries. Attackers routinely abuse geographic infrastructure and popular consumer platforms to blend malicious activity into legitimate traffic. ThreatSTOP focuses on giving organizations precise control over where their networks connect and which applications are allowed to communicate.
All protections described below are created and maintained by the ThreatSTOP Security, Intelligence, and Research team and are available across Protective DNS and IP Defense environments.
Available in the Governance Bundle
The following country level protections are now available at both the IP and domain layers:
Sierra Leone, Kuwait, Palestinian Territories, Qatar, Jordan, Bahrain, United Arab Emirates, Mauritania, Oman, Saudi Arabia, Egypt, Tunisia, Djibouti, Comoros, Algeria, Morocco, Taiwan, Thailand, Grenada, Philippines, Dominica
These protections allow security teams to align access with business operations, regulatory requirements, and threat intelligence insights. Whether restricting exposure to higher risk regions or explicitly allowing trusted geographies, Protective DNS and IP Defense make geographic policy enforcement clear and auditable.
Applications are frequently abused for data exfiltration, command and control communication, and policy evasion. The Application Control Bundle has been expanded with new protections that enable domain and IP level enforcement for commonly abused platforms, including:
eBay, AliExpress, Temu, Wish, Etsy, Rakuten, WhatsApp, Telegram, Facebook Messenger, Snapchat, Zoom, YouTube, QQ, Gemini
These controls support use cases such as reducing shadow IT, limiting unsanctioned communication channels, preventing data leakage, and enforcing acceptable use policies across on premises, cloud, and hybrid environments.
Connect with Customers, Disconnect from Risks
At ThreatSTOP, we understand that every organization’s security needs are unique. That’s why our suite of products—including DNS Defense Cloud, DNS Defense, and IP Defense—offers flexible, proactive protections tailored to your environment. Whether you’re looking to safeguard your network infrastructure or end-user devices, ThreatSTOP has you covered.
For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!
Threat Activity Addressed | MITRE ATT&CK Technique | Description
Command and control traffic | T1071 | Application layer protocol abuse
Command and control over common services | T1071.001 | Web based command channels
Application abuse and covert communications | T1090 | Proxy and relay techniques
Data exfiltration via applications | T1041 | Exfiltration over command and control channel
Geographic infrastructure abuse | T1583 | Acquisition and use of infrastructure
Network denial and disruption | T1498 | Network denial of service
Botnet and URL abuse detection enhancements | T1219 | Remote Access Software
Stay secure, stay connected, and let ThreatSTOP be your trusted partner in the fight against cyber threats.