


Perceptive Security
SOC/SIEM Consultancy

Ransomware gang uses ISPsystem VMs for stealthy payload delivery
Published:
5 February 2026 at 20:57:11
Alert date:
5 February 2026 at 21:07:15
Source:
bleepingcomputer.com
Cloud & Virtualization, Ransomware & Malware
Ransomware operators are leveraging virtual machines provisioned by ISPsystem, a legitimate virtual infrastructure management provider, to host and deliver malicious payloads at scale. This technique allows the threat actors to conduct stealthy payload delivery operations while appearing to use legitimate infrastructure services. The abuse of ISPsystem VMs represents a concerning trend of cybercriminals exploiting trusted cloud and virtualization platforms to evade detection and distribute ransomware more effectively.
Technical details
Ransomware operators are abusing virtual machines (VMs) provisioned by ISPsystem to host and deliver malicious payloads. The attackers use Windows VMs with identical hostnames created from default templates generated by ISPsystem's VMmanager. VMmanager's default Windows templates reuse the same hostname and system identifiers every time they are deployed. Bulletproof hosting providers exploit this design weakness to allow cybercriminals to spin up VMs for command-and-control (C2) and payload-delivery infrastructure, hiding malicious systems among thousands of legitimate ones.
Mitigation steps:
Organizations should monitor for the identified default hostnames (WIN-LIVFRVQFMKO, WIN-344VU98D3RU, WIN-J9D866ESIJ2) in network traffic and security telemetry. Be aware of infrastructure hosted by providers with poor reputations including Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, JSC IOT, and MasterRDP. Implement additional monitoring for VM-based infrastructure that may be used for C2 communications and payload delivery.
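The hostname monitoring described above can be sketched as a small telemetry scanner. This is an added example, not code from the original alert or from ISPsystem; the log shapes, field names and addresses in the sample are constructed for illustration.

```python
import json
import re

# Default VMmanager template hostnames listed in this alert.
TEMPLATE_HOSTNAMES = ("WIN-LIVFRVQFMKO", "WIN-344VU98D3RU", "WIN-J9D866ESIJ2")

# Whole-label match: "CN=<name>" or "<name>.example" hit, "<name>-LAB" does not.
_PATTERN = re.compile(
    r"(?<![A-Za-z0-9-])(" + "|".join(TEMPLATE_HOSTNAMES) + r")(?![A-Za-z0-9-])",
    re.IGNORECASE,
)

def _strings(value, path=""):
    """Yield (field_path, text) for every string nested in a decoded record."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from _strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from _strings(item, f"{path}[{index}]")

def find_template_hosts(lines):
    """Return a hit for each listed hostname found in JSON or plain-text lines."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            record = raw  # not JSON: scan the raw line as one string
        for field, text in _strings(record):
            for match in _PATTERN.finditer(text):
                hits.append((lineno, field or "<raw>", match.group(1).upper()))
    return hits

# Constructed sample telemetry; field names and addresses are illustrative only.
SAMPLE = [
    '{"event_id": 4624, "WorkstationName": "win-livfrvqfmko", "IpAddress": "203.0.113.10"}',
    '{"sensor": "tls", "dest_ip": "198.51.100.7", "cert": {"subject": "CN=WIN-344VU98D3RU"}}',
    '{"event_id": 4624, "WorkstationName": "WIN-J9D866ESIJ2-LAB", "IpAddress": "10.0.0.5"}',
    "rdp negotiate from 192.0.2.44 client_name=WIN-J9D866ESIJ2",
    '{"event_id": 4624, "WorkstationName": "FINANCE-PC07", "IpAddress": "10.0.0.9"}',
]

if __name__ == "__main__":
    for hit in find_template_hosts(SAMPLE):
        print(hit)
```

Because these hostnames come from a default template shared by many legitimate VMs, a hit is a triage lead rather than a verdict; correlate it with the hosting provider and the behavior observed from that system.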
Affected products:
ISPsystem VMmanager
ISPsystem virtualization management platform
IOCs:
WIN-LIVFRVQFMKO, WIN-344VU98D3RU, WIN-J9D866ESIJ2
This article was created with the assistance of AI technology by Perceptive.
