    Still Up. Still Evil. | Blog

By admin, April 12, 2026


    Attacker infrastructure often persists for months. Tools like GoPhish, GOST, and Metasploit regularly remained online for the full 90-day analysis window.

    Lifespan reflects purpose. Short-lived frameworks like Cobalt Strike and Sliver support hands-on-keyboard operations, while proxies like SoftEther are left running to serve longer-term goals.

    Exposed infrastructure still gets used. Attackers continue to use exposed systems to achieve real-world objectives, even well after they’ve been identified by defenders.

    In our recent publication, The Linuxsys Cryptominer, we discussed attacker infrastructure that had been in use for eight months. Despite widespread exploit attempts, blog coverage, and security community chatter, the attacker stuck with the same setup. Same hosting. Same domain. No apparent disruption. So we took a closer look: how long do attackers typically keep their infrastructure running?

    As part of our IP Intelligence offering, VulnCheck tracks over 100 different types of attacker software operating on internet-facing systems. Using this data, we examined how long attackers maintained their infrastructure over a 90-day period, from March through July 2025.

    For this analysis, we focused on hosts associated with domain names. This allowed us to track infrastructure across IP rotations but excluded setups that do not rely on traditional domain resolution. These include IP-only botnets, peer-to-peer malware, TOR-based C2, and domain fronting via services like Cloudflare. These techniques add complexity to attribution and persistence tracking and were omitted to keep the analysis consistent.
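As an added example (not the article's or VulnCheck's own code), the script below rebuilds the kind of per-tool lifespan table used in this analysis from constructed sightings, keying each instance on its domain so that an IP rotation does not split it. The row layout, the "single sighting = 1 day" convention and the 90-day cap are assumptions made for the example.

```python
"""Rebuild per-tool lifespan statistics (instances, shortest, longest,
median duration) from daily sightings, the way the article's tables do.

Assumptions (example only): a sighting is (date, domain, ip, tool); one
"instance" is a (tool, domain) pair, so a change of IP under the same
domain is the same instance; duration = last - first + 1 days, capped
at the 90-day analysis window.
"""
from collections import defaultdict
from datetime import date
from statistics import median

WINDOW_DAYS = 90

# Constructed sample data; .invalid domains and documentation IPs, not real indicators.
SIGHTINGS = [
    (date(2025, 3, 1),  "phish.example.invalid", "198.51.100.10", "GoPhish"),
    (date(2025, 3, 20), "phish.example.invalid", "203.0.113.7",   "GoPhish"),  # IP rotated
    (date(2025, 5, 29), "phish.example.invalid", "203.0.113.7",   "GoPhish"),
    (date(2025, 4, 2),  "c2-a.example.invalid",  "198.51.100.20", "Sliver"),
    (date(2025, 4, 9),  "c2-a.example.invalid",  "198.51.100.20", "Sliver"),
    (date(2025, 4, 15), "c2-b.example.invalid",  "198.51.100.21", "Sliver"),   # seen once
    (date(2025, 3, 1),  "vpn.example.invalid",   "198.51.100.30", "SoftEther"),
    (date(2025, 7, 1),  "vpn.example.invalid",   "198.51.100.31", "SoftEther"),
]


def instance_durations(sightings):
    """Map tool -> list of per-instance durations in days (capped at the window)."""
    first_last = {}
    for day, domain, _ip, tool in sightings:
        key = (tool, domain)  # keyed on the domain, never on the IP
        first, last = first_last.get(key, (day, day))
        first_last[key] = (min(first, day), max(last, day))
    per_tool = defaultdict(list)
    for (tool, _domain), (first, last) in first_last.items():
        per_tool[tool].append(min((last - first).days + 1, WINDOW_DAYS))
    return per_tool


def lifespan_table(sightings):
    """Rows like the article's table: tool -> (instances, shortest, longest, median)."""
    return {tool: (len(d), min(d), max(d), median(d))
            for tool, d in instance_durations(sightings).items()}


if __name__ == "__main__":
    for tool, row in sorted(lifespan_table(SIGHTINGS).items()):
        print(f"{tool:10} instances={row[0]} shortest={row[1]}d longest={row[2]}d median={row[3]}d")
```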

    Over the 90-day period, we observed a wide range of attacker tooling in use. To keep things concise, here are the top ten by number of observed instances.

Tool Name                  | Instances Observed | Shortest Duration | Longest Duration | Median Duration
GoPhish                    | 376                | 1 day             | 90 days          | 28 days
Cobalt Strike              | 196                | 1 day             | 90 days          | 12.5 days
Sliver                     | 178                | 1 day             | 90 days          | 8 days
Metasploit                 | 94                 | 1 day             | 90 days          | 90 days
Starkiller                 | 78                 | 1 day             | 90 days          | 10 days
Havoc                      | 60                 | 1 day             | 90 days          | 10.5 days
Mythic                     | 39                 | 1 day             | 90 days          | 9 days
msfconsole                 | 24                 | 1 day             | 90 days          | 22.5 days
Confluence Godzilla Loader | 20                 | 1 day             | 79 days          | 19 days
Gh0st RAT                  | 18                 | 1 day             | 90 days          | 1 day

    Nearly every tool we tracked hit the maximum possible value for “Longest Duration,” filling or exceeding the 90-day window. This suggests that, despite exposure and visibility, it’s not unusual for attackers to run the same infrastructure for months at a time.

    However, the median durations are more modest. For offensive tooling, such as Cobalt Strike, Sliver, Havoc, and Mythic, a median lifespan of about a week makes operational sense. These frameworks are typically spun up temporarily by red teams or APT groups, then torn down when the operation ends or transitions to a new stage.

    A surprising outlier among offensive tools is msfconsole. (Note: our dataset distinguishes “Metasploit” as the web-based UI, while “msfconsole” refers to active exploit listeners.) msfconsole sessions are usually short-lived—just seconds or minutes when used for single-shot exploitation. So, when we observe long durations, like the 22.5-day median above, it likely reflects client-based attacks (e.g., phishing or malicious documents) that require the listener to remain active indefinitely, or broad internet-wide scanning efforts.

    Long durations for Metasploit and GoPhish are less surprising, as we’re tracking their web interfaces. These likely include testing setups or production instances deployed by legitimate security teams, systems that simply don’t move much. This is supported by domain names like gophish.secopan[.]de and gophish.dev.apollosecure[.]com.
    That said, real-world attackers do use GoPhish^1, and our dataset includes domains like mlcrosoft[.]in and githuh[.]fr. Fortunately, many of these are eventually picked up and blocked by Spamhaus, although we observed a significant delay between our first sighting and Spamhaus enforcement.

[Image: Spamhaus GoPhish block notice]

    Starkiller, the GUI front-end for PowerShell Empire, might also fall into this mixed-use category. However, its 10-day median duration aligns more closely with frameworks like Cobalt Strike and Sliver, suggesting it’s more often used for hands-on-keyboard activity.

    The final entry worth highlighting is the Confluence Godzilla Loader, an in-memory webshell that we documented in Does Confluence Dream of Shells?, published approximately 16 months ago. Its continued presence is a reminder that n-day vulnerabilities, even well-documented ones, can persist long after initial disclosure.

[Image: Confluence Godzilla Loader in the wild]

    We track a wide array of proxies, but there is a subset we classify as attack-oriented due to their popularity among APTs or their design for offensive operations. For example, SoftEther has been linked to Flax Typhoon, Earth Krahang, ToddyCat, and others, while Fast Reverse Proxy (frp) is used by groups like Volt Typhoon and APT35. These tools often form the backbone of covert channels or post-exploitation pivots, and are treated as critical infrastructure by operators.

    Focusing again on domain-associated instances, our top three attack-oriented proxies were:

Tool Name     | Instances Observed | Shortest Duration | Longest Duration | Median Duration
SoftEther     | 25833              | 1 day             | 90 days          | 59 days
GOST          | 1633               | 1 day             | 90 days          | 48 days
FRP Dashboard | 21                 | 1 day             | 90 days          | 12 days

    The median durations of SoftEther and GOST reflect what we typically expect from long-lived attacker infrastructure. In contrast, the FRP dashboard, a web interface for FRP, had a much shorter median lifespan of 12 days. This aligns with attacker behavior observed in the wild, where FRP is used to create temporary reverse proxy tunnels during targeted operations^2.

    For this analysis, we only included instances where the dashboard was exposed over a domain name, so the actual number of FRP deployments is likely higher. Even so, the short-lived nature of these dashboards suggests intentional churn. Attackers appear to spin up access points when needed, then quickly tear them down to avoid detection and reduce risk.

    The infrastructure we track is largely misconfigured. Our visibility depends on factors like default TLS certificates, exposed web dashboards, unchanged landing pages, or services that simply shouldn’t be internet-facing. That means our dataset is inherently biased. We’re likely missing the more disciplined attackers who know how to hide their infrastructure properly. There’s no perfect fix for this, but it’s worth calling out. The analysis here reflects what we can see, not necessarily the full picture.

    Attacker infrastructure doesn’t always disappear quickly. Some tools, like Cobalt Strike and Sliver, are used briefly and torn down, but others, like GoPhish, SoftEther, and GOST, often stick around for months. Even when domains are publicly flagged or discussed, attackers seem to be able to use these systems, presumably sufficiently enough to achieve their goals. In the end, infrastructure lifespan depends on intent. Whether temporary or persistent, attackers are clearly comfortable leaving systems exposed longer than defenders might expect.

    The VulnCheck team is always on the lookout for new and interesting attacker behavior. For more research like this, see our blogs Novel Use of “mount” Spotted in Hikvision Attacks, The Linuxsys Coinmine, ProjectSend CVE-2024-11680 Exploited in the Wild, and Fileless Remote Code Execution on Juniper Firewalls.

    Sign up on our website today to get free access to our VulnCheck KEV, enjoy our vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence products.
