During its late-2025 investigation of WantToCry ransomware, SophosLabs found attackers operating from virtual machines (VMs) whose hostnames, such as WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO, come from ISPsystem's VMmanager Windows templates. Activity tied to these hostnames included FortiClient EMS exploitation, the Ursnif banking trojan, NetSupport RAT, and the Qilin, BlackCat/ALPHV and LockBit ransomware operations.

Notably, "Bentley" (Maksim Galochkin, sanctioned by the U.S. and UK) appears under the hostname WIN-LIVFRVQFMKO in the Jabber chats with GOLD ULRICK (Conti) and GOLD BLACKBURN (TrickBot) that surfaced in the 2021 ContiLeaks. A Shodan search on December 19, 2025 returned 7,937 hosts named WIN-LIVFRVQFMKO (across Russia, the CIS, Europe, the U.S. and Iran) and 3,645 RDP-exposed hosts named WIN-J9D866ESIJ2 (mostly in Russia). Counter Threat Unit (CTU) testing reproduced the names: a VM deployed through the Play2Go cloud came up as WIN-J9D866ESIJ2, and a trial VMmanager installation produced the same static names from its bundled templates (Windows Server 2012 R2 through Server 2025, Windows 10 and 11). The public template repository confirmed that no hostname randomization was applied; the templates also support unlicensed 180-day KMS evaluation runs.

Exposure by hostname (Shodan, December 19, 2025):

- WIN-LIVFRVQFMKO: Windows Server 2019; 7,937 hosts; top country Russia; top provider Stark Industries.
- WIN-BS656MOF35Q: Windows Server 2022 (KMS); 7,825 hosts.
- WIN-344VU98D3RU: Windows Server 2012 R2; 7,437 hosts.
- WIN-J9D866ESIJ2: Windows Server 2016; 3,645 hosts; top country Russia; top provider First Server Ltd.
- WIN-9C3K8L5M5Q7: Windows Server 2022 (GPT); 541 hosts.

The leading countries across these hostnames are Russia, Germany and the Netherlands; the leading providers are Stark Industries, First Server Ltd and Zomro B.V. (Netherlands).

For the top four hostnames, Sophos telemetry tied 95% of the exposed VMs to malicious activity:

- WIN-BS656MOF35Q: ClickFix, PureRAT, Lumma, Cerberus.
- WIN-344VU98D3RU: LockBit, Conti, TrickBot, RagnarLocker, RedLine, Lampion.
- WIN-J9D866ESIJ2: WantToCry, NetSupport RAT.
- WIN-LIVFRVQFMKO: LockBit, Qilin, WantToCry, BlackCat, Ursnif, FortiClient EMS exploitation.

Bulletproof ecosystem and responses: the ClickFix clusters behind WIN-BS656MOF35Q sit on Zomro. First Server Ltd is UK-sanctioned and tied to the Doppelganger influence operation; Stark Industries was EU-sanctioned in May 2025 for supporting Russian state operations following the invasion of Ukraine. (Figure: device locations for these hostnames, geolocated by IP address. Source: Sophos.) The provider breakdown by IP address is:

- WIN-J9D866ESIJ2: First Server 592, Stark 576, Zomro 308.
- WIN-LIVFRVQFMKO: Stark 634, Zomro 455, First Server 414.

Telegram channels and forums advertise MasterRDP as bulletproof hosting (BPH): VPS and RDP servers whose operator ignores takedown complaints about C2 servers, malware, phishing and botnets.

Low-cost VMmanager deployments serve legitimate hosting customers and criminals alike. ISPsystem responded with a fix: "We have already released an update for the Windows templates: now, each time a new virtual machine is deployed, its name is generated randomly." The VMmanager 6 changelog (January 2026) confirms the randomization.

Protections:

- IOC blocking: block RDP (TCP 3389) from the malicious ASNs and providers named above, alert on the listed hostnames, and flag self-signed RDP certificates.
- Behavioral detection: examine unusual Windows images and VMmanager templates rather than relying on hostnames alone.
- Hosting vigilance: providers should vet tenants and act on abuse complaints.
- Tooling: hunt for exposure with Shodan and Censys.

Sophos argues that the ISPsystem story exposes the dual-use risk of virtualization: cheap, turnkey VMs enable ransomware-as-a-service (RaaS) while blending in among thousands of clean deployments. Static templates gave a single fingerprint such as WIN-LIVFRVQFMKO a global footprint spanning Conti through BlackCat; now that names are randomized, those hostnames will decay as IOCs.

Broader ramifications:

- Policy push: agency guidance on bulletproof hosting (BPH) recommends upstream choke points such as payment processors and domain registrars, plus intelligence sharing to disrupt infrastructure leasing.
- BPH resilience: providers such as MasterRDP and Stark Industries (rebranded after the EU sanctions) thrive on abuse tolerance that feeds state-crime hybrids, so coordinated blocking is required.
- Defender shifts: integrate Shodan/Censys exposure data with EDR, and look beyond hostnames to behaviors such as RDP logon spikes, KMS anomalies and template hashes.
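As an added example (not code from Sophos, ISPsystem or the original article), the following Python script applies the protections and defender-shift advice above to Windows Security event 4624 records: it flags successful RDP logons (logon type 10) whose client workstation name is one of the static template hostnames, separately flags the generic WIN- plus 11-character default-name pattern as a weaker signal, and detects bursts of RDP logons from a single source IP so the rule still fires once template hostnames are randomized. The pipe-delimited record format, the sample events, the IP addresses and the burst threshold are constructed for the demonstration.

```python
"""Hunt Windows Security 4624 records for RDP logons from the static
VMmanager template hostnames, the generic default-name pattern, and bursts
of RDP logons from one source IP (example code, not from the article)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Static template hostnames reported by Sophos (see the exposure list above).
TEMPLATE_HOSTNAMES = {
    "WIN-LIVFRVQFMKO", "WIN-J9D866ESIJ2", "WIN-BS656MOF35Q",
    "WIN-344VU98D3RU", "WIN-9C3K8L5M5Q7",
}
# Any Windows install nobody renamed is WIN- plus 11 characters. Weak signal:
# randomized templates now produce names of this shape too.
DEFAULT_NAME_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")
RDP_LOGON_TYPE = "10"  # 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample: 4624/4625 fields flattened to key=value pairs, one
# record per line, pipe separated. IPs are from documentation ranges.
SAMPLE_EVENTS = [
    "ts=2025-12-19T03:14:07Z|EventID=4624|LogonType=10|TargetUserName=backup|WorkstationName=WIN-LIVFRVQFMKO|IpAddress=198.51.100.23",
    "ts=2025-12-19T03:14:09Z|EventID=4624|LogonType=10|TargetUserName=backup|WorkstationName=WIN-LIVFRVQFMKO|IpAddress=198.51.100.23",
    "ts=2025-12-19T03:14:12Z|EventID=4624|LogonType=10|TargetUserName=svc_sql|WorkstationName=WIN-LIVFRVQFMKO|IpAddress=198.51.100.23",
    "ts=2025-12-19T03:20:00Z|EventID=4624|LogonType=10|TargetUserName=jdoe|WorkstationName=JDOE-LAPTOP|IpAddress=10.0.4.18",
    "ts=2025-12-19T04:02:41Z|EventID=4624|LogonType=10|TargetUserName=admin|WorkstationName=WIN-A1B2C3D4E5F|IpAddress=203.0.113.9",
    "ts=2025-12-19T04:05:00Z|EventID=4624|LogonType=2|TargetUserName=jdoe|WorkstationName=JDOE-LAPTOP|IpAddress=-",
    # A failed logon (4625) from a template host: excluded by design below.
    "ts=2025-12-19T08:00:00Z|EventID=4625|LogonType=10|TargetUserName=admin|WorkstationName=WIN-J9D866ESIJ2|IpAddress=192.0.2.55",
]


def parse_event(line):
    """Turn one flattened record into a dict; the timestamp becomes a datetime."""
    rec = dict(part.split("=", 1) for part in line.strip().split("|"))
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def classify_workstation(name):
    """'ioc' for a known static template name, 'default' for the generic
    WIN-xxxxxxxxxxx shape, None for anything else."""
    if name in TEMPLATE_HOSTNAMES:
        return "ioc"
    if DEFAULT_NAME_RE.match(name):
        return "default"
    return None


def hunt(lines, window=timedelta(minutes=5), burst=3):
    """Return successful RDP logons whose client workstation name matches an
    IOC or the default pattern, plus source IPs that produced at least
    `burst` RDP logons inside any `window`-long interval."""
    hits = {"ioc": [], "default": []}
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_event(line)
        # Only successful RemoteInteractive logons; 4625 failures need their
        # own (lower-threshold) rule.
        if rec["EventID"] != "4624" or rec["LogonType"] != RDP_LOGON_TYPE:
            continue
        kind = classify_workstation(rec["WorkstationName"])
        if kind:
            hits[kind].append((rec["ts"], rec["IpAddress"],
                               rec["WorkstationName"], rec["TargetUserName"]))
        by_ip[rec["IpAddress"]].append(rec["ts"])

    # Sliding window over each source IP's sorted logon times; keep the
    # largest count seen so the analyst knows how dense the burst was.
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= burst:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return {"ioc": hits["ioc"], "default": hits["default"], "rdp_bursts": bursts}


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for ts, ip, ws, user in result["ioc"]:
        print(f"IOC      {ts:%Y-%m-%d %H:%M:%S} {ip:<15} {ws} -> {user}")
    for ts, ip, ws, user in result["default"]:
        print(f"DEFAULT  {ts:%Y-%m-%d %H:%M:%S} {ip:<15} {ws} -> {user}")
    for ip, count in result["rdp_bursts"].items():
        print(f"BURST    {ip}: {count} RDP logons within 5 minutes")
```

Exact hostname matches are high-confidence but only cover VMs built from pre-January-2026 templates (or attackers who kept the old name), and the default-name pattern also matches every unrenamed Windows install, so treat it as context rather than an alert on its own. The burst check is the part that survives randomization; three RDP logons in five minutes is illustrative and needs a per-environment baseline.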

Provider responsibilities include randomizing hostnames, auditing tenants and promptly honoring abuse reports; ISPsystem's fix sets a precedent.