Threat activity enablers (TAEs) are infrastructure providers and networks that deliberately support malicious cyber operations, including ransomware, botnets, and state-sponsored attacks, by ignoring abuse reports, avoiding know-your-customer (KYC) policies, and hiding behind shell companies. Recorded Future tracks these networks using a Threat Density Score based on the concentration of validated malicious activity per IP prefix. TAEs evade accountability through corporate shell games, rapid rebranding, and control of autonomous systems (ASNs). Case studies include Virtualine Technologies, which pivoted its infrastructure to a fraudulent German front company before becoming a top malware distribution hub, and Stark Industries Solutions, which was sanctioned by the EU for enabling Russian cyber operations but continued operating by pre-emptively shifting IP resources. Security leaders are advised to integrate ASN risk intelligence into prevention, detection, and exposure workflows to proactively manage infrastructure risk rather than reacting to individual indicators.

From recordedfuture.com
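One way to bring prefix-level risk into a detection workflow, as an added example that is not from the Recorded Future article: egress events are tagged by longest-prefix match with the origin ASN and a risk tier, then ordered for review. The density formula (validated malicious IPs divided by prefix size), the tier thresholds, and every prefix, ASN and event below are assumptions constructed for illustration; the page does not give the actual Threat Density Score formula.

```python
import ipaddress

# Constructed sample intel: prefix -> (origin ASN, count of validated malicious IPs).
# Documentation prefixes and private-use ASNs only; not real intelligence.
PREFIX_INTEL = {
    "198.51.100.0/24": (64512, 96),
    "203.0.113.0/24": (64513, 2),
    "203.0.113.128/25": (64514, 64),
}

def build_table(intel):
    """Return (network, asn, density) rows, most specific prefix first."""
    rows = []
    for prefix, (asn, malicious_ips) in intel.items():
        net = ipaddress.ip_network(prefix)
        # Assumed metric: fraction of the prefix with validated malicious activity.
        rows.append((net, asn, malicious_ips / net.num_addresses))
    return sorted(rows, key=lambda r: r[0].prefixlen, reverse=True)

def tier(density, high=0.25, medium=0.05):
    """Map a density to a triage tier; thresholds are illustrative assumptions."""
    if density >= high:
        return "high"
    return "medium" if density >= medium else "low"

def enrich(event, table):
    """Tag an event with the longest matching prefix, its ASN and risk tier."""
    ip = ipaddress.ip_address(event["dst_ip"])
    for net, asn, density in table:
        if ip in net:
            return {**event, "prefix": str(net), "asn": asn,
                    "density": round(density, 3), "tier": tier(density)}
    return {**event, "prefix": None, "asn": None, "density": None, "tier": "unknown"}

def prioritize(events, table):
    """Enrich events and order them so the densest prefixes are reviewed first."""
    enriched = [enrich(e, table) for e in events]
    return sorted(enriched, key=lambda e: e["density"] or 0.0, reverse=True)

# Constructed egress events, shaped like proxy or firewall log records.
SAMPLE_EVENTS = [
    {"host": "ws-014", "dst_ip": "203.0.113.10"},
    {"host": "ws-022", "dst_ip": "203.0.113.200"},
    {"host": "srv-03", "dst_ip": "198.51.100.77"},
    {"host": "ws-031", "dst_ip": "192.0.2.5"},
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_EVENTS, build_table(PREFIX_INTEL)):
        print(e["tier"], e["host"], e["dst_ip"], e["prefix"], e["asn"], e["density"])
```

The more specific /25 is matched ahead of its covering /24, so a dense sub-allocation announced by a different ASN is not diluted by a mostly clean parent prefix.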