Bulletproof Hosting Providers Leverage Legitimate ISPsystem to Supply Servers for Cybercriminals


In the constantly shifting landscape of online threats, cybercriminals have found a new way to strengthen their attacks by hiding behind legitimate technology.

Late in 2025, a series of ransomware incidents revealed that attackers were using virtual machines provisioned through ISPsystem, a popular platform used by hosting companies to manage their servers.

By renting these virtual machines, criminals gained access to powerful infrastructure that appeared trustworthy, allowing them to launch attacks without triggering immediate alarms.

This abuse of commercial infrastructure highlights a growing sophistication in how threat actors procure their resources, shifting from compromised home computers to high-bandwidth data center assets.

These virtual machines became the launchpad for some of the most dangerous ransomware variants, including WantToCry, LockBit, and BlackCat.

The attackers utilized these servers to establish remote connections, distribute malicious software, and control infected networks from a safe distance.


Since the servers were hosted on legitimate networks, they bypassed many standard security blocks that typically flag suspicious traffic.

This method provided a stable and reliable base of operations, making it difficult for defenders to shut them down quickly.

The integration of commodity malware delivery mechanisms further complicates the defensive posture for affected organizations, requiring more advanced detection strategies.

Sophos analysts noted this malicious activity after observing a distinct pattern in the network identifiers of the attacking machines.

They discovered that thousands of these servers shared the exact same computer names, derived from the hosting software’s default templates.

Locations of devices using these hostnames based on associated IP address (Source - Sophos)

This oversight allowed researchers to trace the widespread infrastructure, identifying over 3,000 active devices in regions including Russia, Europe, and the United States.

The sheer volume of these machines suggests a highly organized effort to maintain a resilient network for criminal operations.
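The signal the Sophos analysts describe, one computer name presented by many unrelated source addresses, can be checked in connection logs. The following Python is an added example, not the article's or Sophos's tooling; the log format and the hostnames are constructed placeholders, since the page does not give the actual template names.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article): each records a source IP
# and the computer name it presented during an inbound RDP/SMB session.
# Hostnames are placeholders; the real template names are not given on the page.
SAMPLE_LOG = """\
2025-11-02T10:01:13Z src=203.0.113.10 hostname=WIN-TEMPLATE01 service=rdp event=logon_attempt
2025-11-02T10:02:40Z src=198.51.100.7 hostname=WIN-TEMPLATE01 service=rdp event=logon_attempt
2025-11-02T10:03:02Z src=192.0.2.55 hostname=WIN-TEMPLATE01 service=smb event=session_setup
2025-11-02T10:05:19Z src=203.0.113.10 hostname=WIN-TEMPLATE01 service=rdp event=logon_attempt
2025-11-02T10:07:44Z src=198.51.100.99 hostname=WIN-TEMPLATE01 service=rdp event=logon_attempt
2025-11-02T10:09:01Z src=192.0.2.18 hostname=DESKTOP-ACCT42 service=rdp event=logon_attempt
2025-11-02T10:11:27Z src=192.0.2.18 hostname=DESKTOP-ACCT42 service=smb event=session_setup
2025-11-02T10:12:58Z src=203.0.113.77 hostname=FILESRV-HQ service=smb event=session_setup
"""

# Extract the source address and the presented hostname from one log line.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+hostname=(?P<host>\S+)")


def hosts_by_name(log_text):
    """Map each presented hostname to the set of distinct source IPs that used it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m.group("host")].add(m.group("src"))
    return seen


def template_hostnames(log_text, min_sources=3):
    """Return hostnames presented by at least `min_sources` distinct source IPs.

    A legitimate host normally maps to one or a few addresses (NAT, failover).
    One computer name arriving from many unrelated addresses is the pattern the
    article describes: a fleet cloned from a single unrandomised template.
    """
    seen = hosts_by_name(log_text)
    return {h: sorted(ips) for h, ips in seen.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    for host, ips in template_hostnames(SAMPLE_LOG).items():
        print(f"{host}: {len(ips)} distinct sources -> {', '.join(ips)}")
```

The threshold is deliberately a parameter: in a real environment it should be tuned against the number of addresses a single legitimately shared hostname can reasonably present.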

Exploiting Static Configuration Templates

The persistence of this threat relies heavily on how these virtual environments are sold.

Service providers like “MasterRDP,” operating as rdp.monster, have built a business model around selling these pre-configured servers.

They market these services on underground forums as “bulletproof,” promising that the servers will remain online despite abuse reports.

These providers act as a critical supply chain link, offering affordable access to dedicated hardware that facilitates large-scale malicious campaigns.

By purchasing these resources, attackers can bypass the complex technical challenges of building their own botnets.

Virtual machine services offered by rdp.monster (Source - Sophos)

The technical mechanism enabling this scale is the use of static templates within the VMmanager software.

When a new virtual machine is set up using these default templates, it retains specific system identifiers instead of creating unique ones.

This lack of randomization means that every server spawned from the same template looks identical at a system level.

This behaviour simplifies management for legitimate administrators, but it inadvertently provides cybercriminals with a standardized, mass-produced fleet of attack servers ready for immediate deployment.

Recommendations include avoiding the default templates and randomizing system identifiers such as computer names when each virtual machine is provisioned, so that cloned servers cannot be deployed as a uniform fleet.
