Hiding in Plain Sight: Tracking Bulletproof Hosting and Abused RDP Infrastructure
ID: f8735a28-dd31-5fc0-9f3e-2b171f20eca9
STIX ID: report--f8735a28-dd31-5fc0-9f3e-2b171f20eca9
Feed Name: Censys Blog
This report demonstrates how abuse-tolerant "bulletproof" hosting is tracked by correlating reused Windows RDP hostnames, Censys scan data, and GreyNoise telemetry to reveal persistent malicious infrastructure, including templated Windows images reused across thousands of hosts, active C2/open directories, and brute-force-as-a-service artifacts. It recommends operationalizing aggregated hostname signals to proactively block risky infrastructure.
