Bulletproof Hosting Providers Fuel Cybercrime with Identical Windows Servers
Sophos researchers have uncovered a large-scale abuse of virtual machine (VM) infrastructure by cybercriminals, enabling ransomware and malware campaigns with minimal effort. Attackers are leveraging bulletproof hosting providers (companies that ignore takedown requests) to rent VMmanager-based servers built from identical Windows templates, creating thousands of exposed systems.
The issue stems from ISPsystem’s VMmanager, a legitimate virtualization platform used by hosting providers. When new VMs are deployed, the platform fails to randomize hostnames, resulting in servers with near-identical configurations. Sophos identified tens of thousands of exposed servers via Shodan, nearly all (95%) derived from just a few Windows templates. Many were also KMS-enabled, allowing unlicensed operation for up to 180 days.
The infrastructure has been linked to major cybercriminal groups, including LockBit, Conti, BlackCat (ALPHV), Qilin, TrickBot, Ursnif, RedLine, and NetSupport. Two hosting providers stood out: Stark Industries Solutions and First Server Limited, both tied to Russian state-sponsored threat actors and previously sanctioned by the EU and UK.
The findings highlight how cybercriminals exploit legitimate services to scale attacks without building custom infrastructure, underscoring the persistent threat posed by bulletproof hosting.
ISPsystem cybersecurity rating report: https://www.rankiteo.com/company/ispsystem
"id": "ISP1770323693",
"linkid": "ispsystem",
"type": "Vulnerability",
"date": "2/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Hosting/ISP',
                        'name': 'Stark Industries Solutions',
                        'type': 'Bulletproof hosting provider'},
                       {'industry': 'Hosting/ISP',
                        'name': 'First Server Limited',
                        'type': 'Bulletproof hosting provider'}],
 'attack_vector': 'Exploitation of VMmanager-based servers with identical Windows templates',
 'description': 'Sophos researchers have uncovered a large-scale abuse of virtual machine (VM) infrastructure by cybercriminals, enabling ransomware and malware campaigns with minimal effort. Attackers are leveraging bulletproof hosting providers that ignore takedown requests to rent VMmanager-based servers with identical Windows templates, creating thousands of exposed systems.',
 'impact': {'systems_affected': 'Tens of thousands of exposed servers'},
 'lessons_learned': 'Cybercriminals exploit legitimate services to scale attacks without building custom infrastructure, highlighting the persistent threat posed by bulletproof hosting.',
 'motivation': ['Financial gain', 'Cybercrime'],
 'post_incident_analysis': {'root_causes': 'Failure to randomize hostnames in VMmanager, KMS-enabled unlicensed operation, abuse of bulletproof hosting providers'},
 'ransomware': {'ransomware_strain': ['LockBit', 'Conti', 'BlackCat (ALPHV)', 'Qilin']},
 'references': [{'source': 'Sophos Research'}],
 'regulatory_compliance': {'legal_actions': 'Sanctioned by the EU and UK'},
 'threat_actor': ['LockBit', 'Conti', 'BlackCat (ALPHV)', 'Qilin', 'TrickBot', 'Ursnif', 'RedLine', 'NetSupport', 'Russian state-sponsored threat actors'],
 'title': 'Bulletproof Hosting Providers Fuel Cybercrime with Identical Windows Servers',
 'type': ['ransomware', 'malware'],
 'vulnerability_exploited': 'Failure to randomize hostnames in VMmanager, KMS-enabled unlicensed operation'}