Virtual Private Servers (VPS) have long served as versatile tools for developers and businesses, offering dedicated resources on shared physical hardware with enhanced control and scalability.
However, threat actors are increasingly exploiting these platforms to orchestrate stealthy attacks against Software-as-a-Service (SaaS) environments.
Rising Abuse of VPS Infrastructure
By leveraging VPS providers, attackers can mimic legitimate local traffic to bypass geolocation-based defenses, evade IP reputation monitoring through fresh, clean infrastructure, and blend malicious activities with normal user behavior.
This tactic, while not new, has surged in SaaS-targeted campaigns, enabling persistent and targeted intrusions that traditional security measures struggle to detect.
Providers such as Hyonix and Host Universal facilitate rapid deployment with minimal OSINT footprints, providing affordable anonymity that appeals to cybercriminals aiming for scalable operations.
These attacks often align with peak legitimate activity periods, further complicating detection and rendering rule-based tools ineffective against sophisticated session hijacking and credential misuse.
VPS-Driven Compromises
In a detailed investigation released in May 2025, Darktrace’s Threat Research team analyzed a spike in anomalous activities linked to VPS infrastructure across its customer base.
Focusing on Hyonix (ASN AS931), the probe revealed a March 2025 surge in alerts involving brute-force attempts, unusual logins, and phishing-related inbox manipulations.
Two customer networks exhibited standout patterns of compromise, traced back to VPS IPs.
In the first case, internal devices showed mirrored suspicious behaviors, including logins from rare endpoints tied to Hyonix and Host Universal via Proton VPN, followed by deletions of phishing-related emails from “Sent Items” folders.
Darktrace’s IDENTITY models flagged these as potential session hijackings, triggered by improbable geolocation travel and concurrent active sessions, under the “Login From Rare Endpoint While User Is Active” detection.
Initial access likely stemmed from phishing or prior hijacking, with attackers deleting evidence to maintain stealth.
The second incident involved coordinated logins from multiple VPS providers, including Hyonix, Mevspace, and Hivelocity, with MFA bypassed through token claims.
Attackers then created obfuscated inbox rules to delete or redirect emails, such as those referencing VIP-shared documents or fake invoices, aiming to conceal ongoing malicious activities.
Mirrored rule creations across accounts suggested a unified campaign leveraging shared tactics.
Further escalation included privilege modifications, like updating account recovery settings and password resets from rare IPs, potentially paving the way for data exfiltration or spam dissemination.
Outbound spam with finance-themed subjects was observed, alongside network-level indicators such as domain-fluxing DNS requests and the deployment of remote access tools such as SplashtopStreamer.exe on domain controllers, hinting at lateral movement or persistence efforts.
According to the report, Darktrace’s Self-Learning AI detected these anomalies early, identifying deviations like unusual SaaS activities, mass email deletions from rare locations, and anomalous new email rules.
However, with Autonomous Response disabled in affected environments, no automated blocks occurred, allowing escalation. Enabling such features could have neutralized threats by isolating suspicious VPS connections.
This underscores the need for behavioral analytics in countering VPS abuse, as attackers exploit trusted infrastructure to mimic users, emphasizing proactive monitoring of login anomalies, rule changes, and improbable travel patterns.
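The "rare endpoint while user is active" logic described above, combined with an improbable-travel check, is illustrated by the following added example; it is not code from the report or from Darktrace, and the sign-in events, ASNs, coordinates and per-user baselines are constructed for the demonstration:

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample SaaS sign-in events (not from the report):
# (user, UTC timestamp, source IP, ASN, latitude, longitude)
EVENTS = [
    ("alice", "2025-03-04T09:02:00", "203.0.113.10", "AS64500", 51.51, -0.13),   # usual location
    ("alice", "2025-03-04T09:20:00", "198.51.100.7", "AS64501", 40.71, -74.01),  # unseen ASN, far away
    ("bob",   "2025-03-04T10:00:00", "203.0.113.11", "AS64500", 51.51, -0.13),
    ("bob",   "2025-03-04T14:00:00", "203.0.113.12", "AS64500", 51.51, -0.13),
]
# Constructed per-user baseline: ASNs seen during a learning period.
BASELINE = {"alice": {"AS64500"}, "bob": {"AS64500"}}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def rare_endpoint_while_active(events, baseline, session_minutes=60, max_kmh=900):
    """Flag a login from an ASN outside the user's baseline that arrives while a
    session from a different ASN is still considered active (within
    session_minutes). Mark impossible travel when the speed implied by the two
    source locations exceeds max_kmh (faster than a commercial flight)."""
    alerts = []
    last_seen = {}  # user -> (time, asn, lat, lon) of the most recent login
    for user, ts, ip, asn, lat, lon in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if asn not in baseline.get(user, set()) and prev is not None:
            prev_t, prev_asn, prev_lat, prev_lon = prev
            gap = t - prev_t
            if prev_asn != asn and gap <= timedelta(minutes=session_minutes):
                hours = max(gap.total_seconds() / 3600, 1 / 60)  # avoid division by zero
                speed = haversine_km(prev_lat, prev_lon, lat, lon) / hours
                alerts.append({
                    "user": user, "ip": ip, "asn": asn, "time": ts,
                    "concurrent_with": prev_asn,
                    "impossible_travel": speed > max_kmh,
                })
        last_seen[user] = (t, asn, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in rare_endpoint_while_active(EVENTS, BASELINE):
        print(alert)
```

In production the baseline would be learned from historical sign-ins and ASN/geolocation would come from enrichment of the source IP; the same structure extends to new inbox-rule creations from a rare endpoint.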
Indicators of Compromise
| IoC | Type | Description |
|---|---|---|
38.240.42[.]160 | IP | Associated with Hyonix ASN (AS931) |
103.75.11[.]134 | IP | Associated with Host Universal / Proton VPN |
162.241.121[.]156 | IP | Rare IP associated with phishing |
194.49.68[.]244 | IP | Associated with Hyonix ASN |
193.32.248[.]242 | IP | Used in suspicious login activity / Mullvad VPN |
50.229.155[.]2 | IP | Rare login IP / AS 7922 (COMCAST-7922) |
104.168.194[.]248 | IP | Rare login IP / AS 54290 (HOSTWINDS) |
38.255.57[.]212 | IP | Hyonix IP used during MFA activity |
103.131.131[.]44 | IP | Hyonix IP used in login and MFA activity |
178.173.244[.]27 | IP | Hyonix IP |
91.223.3[.]147 | IP | Mevspace Poland, used in multiple logins |
2a02:748:4000:18:0:1:170b:2524 | IPv6 | Hivelocity VPS, used in multiple logins and MFA activity |
51.36.233[.]224 | IP | Saudi ASN, used in suspicious login |
103.211.53[.]84 | IP | Excitel Broadband India, used in security info update |