In the evolving domain of cyber threats, malicious actors are increasingly turning to legitimate technology platforms to bolster their attacks. This trend was highlighted in late 2025 when a series of ransomware incidents came to light. Attackers were found using virtual machines provisioned through ISPsystem, a widely used platform for managing servers at hosting companies.
Leveraging Legitimate Infrastructure
By renting these virtual machines, cybercriminals gained access to robust infrastructure that appeared credible, enabling them to launch attacks without immediately raising suspicions. This misuse of commercial infrastructure underscores a shift towards more sophisticated resource procurement by threat actors, moving from compromised personal computers to high-bandwidth data center assets.
These virtual environments served as the foundation for deploying some of the most potent ransomware variants, such as WantToCry, LockBit, and BlackCat. Attackers used these servers to establish remote connections, disseminate malicious software, and manage infected networks from a safe distance, effectively bypassing many conventional security measures.
Challenges in Detection and Defense
Because these servers were hosted on legitimate networks, they evaded the standard security controls that typically flag suspicious activity. This method provided a stable, reliable base for operations, complicating efforts to neutralize them swiftly. The integration of commodity malware delivery mechanisms further challenges organizations, necessitating more advanced detection strategies.
Analysts at Sophos detected this malicious behavior after identifying a pattern in the network identifiers of the attacking machines. They found thousands of servers sharing identical computer names derived from the hosting software’s default templates. This oversight allowed researchers to trace the extensive infrastructure, revealing over 3,000 active devices across regions like Russia, Europe, and the United States.
Exploiting Static Configuration for Scale
The persistence of this threat heavily relies on how these virtual environments are marketed. Service providers like ‘MasterRDP,’ operating under rdp.monster, have established a business model selling these pre-configured servers. They advertise these offerings on underground forums as ‘bulletproof,’ ensuring that the servers remain operational despite abuse reports.
These providers form a crucial link in the supply chain, offering cost-effective access to dedicated hardware that supports extensive malicious campaigns. By acquiring these resources, attackers can circumvent the complex technical challenges of constructing their own botnets.
The technical mechanism supporting this scale involves static templates within the VMmanager software. When a new virtual machine is created using these default templates, it retains specific system identifiers, lacking unique characteristics. This uniformity simplifies management for legitimate administrators but inadvertently offers cybercriminals a standardized fleet of attack servers ready for immediate use.
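The detection signal described above (one hostname presented by thousands of unrelated source addresses) and the template mechanism behind it can be checked in a defender's own logs. The following is an added example, not code from Sophos, ISPsystem or the article; the log format, the sample lines and the `WIN-TMPL` name pattern are constructed placeholders standing in for whatever default names a real template actually produces.

```python
"""Flag remote-access sources that reuse one client hostname across many IPs.

Added example (not Sophos's or ISPsystem's code). The log format and the
sample lines are constructed; in practice the events would come from RDP,
VPN or firewall authentication logs in a SIEM.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed log lines: <timestamp> <source_ip> <client_hostname> <event>
SAMPLE_LOG = """\
2025-11-03T10:12:44Z 203.0.113.7   WIN-TMPL01     rdp_logon_failure
2025-11-03T10:12:51Z 203.0.113.9   WIN-TMPL01     rdp_logon_failure
2025-11-03T10:13:02Z 198.51.100.4  WIN-TMPL01     rdp_logon_failure
2025-11-03T10:13:20Z 198.51.100.23 WIN-TMPL01     rdp_logon_success
2025-11-03T10:14:05Z 192.0.2.77    WIN-TMPL01     rdp_logon_failure
2025-11-03T10:14:06Z 192.0.2.77    WIN-TMPL01     rdp_logon_failure
2025-11-03T10:15:30Z 203.0.113.50  DESKTOP-A1B2C3 rdp_logon_success
2025-11-03T10:16:12Z 203.0.113.51  FINANCE-PC     rdp_logon_success
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Hypothetical placeholder for a template-default naming scheme; replace it
# with the names actually observed in your environment or in threat intel.
TEMPLATE_NAME_RE = re.compile(r"^WIN-TMPL\d+$", re.IGNORECASE)


class Finding(NamedTuple):
    hostname: str
    distinct_sources: int
    matches_template: bool
    sources: List[str]


def parse_events(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, src_ip, hostname, event) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def sources_per_hostname(events) -> Dict[str, Set[str]]:
    """Map each client hostname (case-folded) to the distinct source IPs that presented it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _ts, src_ip, hostname, _event in events:
        seen[hostname.upper()].add(src_ip)
    return seen


def flag_shared_hostnames(text: str, min_sources: int = 3) -> List[Finding]:
    """Flag hostnames presented by at least `min_sources` distinct source IPs.

    A single machine name arriving from many unrelated addresses is the
    pattern that exposed fleets cloned from one default template. A name
    that also matches a known template scheme is flagged regardless of count.
    """
    findings = []
    for hostname, ips in sources_per_hostname(parse_events(text)).items():
        is_template = bool(TEMPLATE_NAME_RE.match(hostname))
        if len(ips) >= min_sources or is_template:
            findings.append(Finding(hostname, len(ips), is_template, sorted(ips)))
    findings.sort(key=lambda f: f.distinct_sources, reverse=True)
    return findings


if __name__ == "__main__":
    for f in flag_shared_hostnames(SAMPLE_LOG):
        tag = " (template name)" if f.matches_template else ""
        print(f"{f.hostname}{tag}: {f.distinct_sources} distinct sources, e.g. {f.sources[:3]}")
```

The threshold is deliberately low for the constructed sample; against real RDP or VPN logs it should be tuned so that a handful of roaming laptops sharing a corporate naming scheme do not trigger it, while a cloned fleet, which presents one name from addresses in several unrelated networks, does.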
Recommendations to counteract this threat include avoiding default templates and implementing stricter randomization protocols to prevent uniform exploitation.
