
Ransomware gang uses ISPsystem VMs for stealthy payload delivery

Published:

5 February 2026 at 20:57:11

Alert date:

5 February 2026 at 21:07:15

Source:

bleepingcomputer.com


Cloud & Virtualization, Ransomware & Malware

Ransomware operators are leveraging virtual machines provisioned by ISPsystem, a legitimate virtual infrastructure management provider, to host and deliver malicious payloads at scale. This technique allows the threat actors to conduct stealthy payload delivery operations while appearing to use legitimate infrastructure services. The abuse of ISPsystem VMs represents a concerning trend of cybercriminals exploiting trusted cloud and virtualization platforms to evade detection and distribute ransomware more effectively.

Technical details

Ransomware operators are abusing virtual machines (VMs) provisioned by ISPsystem to host and deliver malicious payloads. The attackers use Windows VMs with identical hostnames created from default templates generated by ISPsystem's VMmanager. VMmanager's default Windows templates reuse the same hostname and system identifiers every time they are deployed. Bulletproof hosting providers exploit this design weakness to allow cybercriminals to spin up VMs for command-and-control (C2) and payload-delivery infrastructure, hiding malicious systems among thousands of legitimate ones.

Mitigation steps:

Organizations should monitor for the identified default hostnames (WIN-LIVFRVQFMKO, WIN-344VU98D3RU, WIN-J9D866ESIJ2) in network traffic and security telemetry. Be aware of infrastructure hosted by providers with poor reputations including Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, JSC IOT, and MasterRDP. Implement additional monitoring for VM-based infrastructure that may be used for C2 communications and payload delivery.
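As an added illustration of the monitoring step above (not code from the advisory or from ISPsystem), the following Python detector scans telemetry for the three default VMmanager hostnames named in this advisory and, generalising the "identical hostnames from a template" pattern, also flags any unrenamed WIN-xxxxxxxxxxx style hostname observed from more than one source IP. The log format and every IP, host and event in the sample are constructed for the example; adapt the parser to your own DNS, SMB or proxy log layout.

```python
import re
from collections import defaultdict

# Default VMmanager Windows template hostnames named in the advisory
KNOWN_DEFAULT_HOSTNAMES = {"WIN-LIVFRVQFMKO", "WIN-344VU98D3RU", "WIN-J9D866ESIJ2"}

# Constructed sample telemetry (not real data): "timestamp source_ip hostname event"
SAMPLE_LOG = """\
2026-02-05T20:10:01Z 203.0.113.10 WIN-LIVFRVQFMKO smb_session
2026-02-05T20:10:05Z 198.51.100.7 WIN-LIVFRVQFMKO http_get /stage1.bin
2026-02-05T20:11:00Z 192.0.2.44 DESKTOP-ALICE dns_query
2026-02-05T20:12:30Z 203.0.113.77 WIN-J9D866ESIJ2 tls_connect
2026-02-05T20:13:00Z 192.0.2.45 FILESRV01 smb_session
2026-02-05T20:14:00Z 198.51.100.8 WIN-AB12CD34EF5 http_get /x
2026-02-05T20:14:10Z 198.51.100.9 WIN-AB12CD34EF5 http_get /x
"""

# One record per line: timestamp, IPv4 source, hostname, free-text event
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(.*)$")
# Shape of a Windows hostname that was never renamed after install: WIN- plus 11 chars
DEFAULT_WIN_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")


def parse(log_text):
    """Yield (timestamp, ip, hostname, event) tuples; skip lines that do not parse."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def detect(log_text):
    """Return findings as (severity, hostname, sorted_ips, reason) tuples."""
    ips_by_host = defaultdict(set)
    for _, ip, host, _ in parse(log_text):
        ips_by_host[host.upper()].add(ip)

    findings = []
    for host, ips in ips_by_host.items():
        if host in KNOWN_DEFAULT_HOSTNAMES:
            # Exact match on an IOC from the advisory: treat as high confidence
            findings.append(("high", host, sorted(ips), "known VMmanager default hostname"))
        elif DEFAULT_WIN_RE.match(host) and len(ips) > 1:
            # Same template-style name seen from several hosts: worth an analyst's look,
            # but NAT or DHCP churn can produce this too, so only medium severity
            findings.append(("medium", host, sorted(ips), "default-style hostname shared by multiple IPs"))
    return findings


if __name__ == "__main__":
    for severity, host, ips, reason in detect(SAMPLE_LOG):
        print(f"[{severity}] {host} from {', '.join(ips)}: {reason}")
```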

Affected products:

ISPsystem VMmanager
ISPsystem virtualization management platform

IOCs:

WIN-LIVFRVQFMKO, WIN-344VU98D3RU, WIN-J9D866ESIJ2

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
