Abuse of Legitimate Virtualization Platforms for Ransomware Infrastructure

Summary:

Threat actors are increasingly abusing legitimate virtualization management platforms to host and distribute malicious payloads at scale, as observed in recent ransomware campaigns. Multiple ransomware groups, including LockBit, BlackCat/ALPHV, and Conti, leveraged Windows virtual machines provisioned through ISPsystem’s VMmanager platform using default templates that reused identical hostnames and system identifiers.
Although ISPsystem has since addressed the issue by implementing randomized hostname generation in updated templates, the broader risk is that cybercriminals can exploit trusted cloud and virtualization platforms to secretly expand ransomware infrastructure. This highlights the need for better provider risk assessment, infrastructure-aware threat hunting, and increased visibility into virtualized environments.

Technical Description:

Investigations into recent ransomware operations revealed that threat actors leveraged Windows virtual machines provisioned via ISPsystem’s VMmanager platform to host command-and-control (C2) servers and distribute secondary payloads.
The abuse stemmed from default Windows templates within VMmanager that reused static hostnames and system identifiers across deployments. This allowed attackers to rapidly instantiate numerous virtual machines with identical system fingerprints, creating scalable and standardized infrastructure with minimal configuration effort.
These virtual machines were deployed across multiple malware campaigns, including ransomware and information-stealing operations, and were primarily hosted by bulletproof or high-risk providers. The infrastructure blended with legitimate hosting activity, complicating detection and delaying takedown actions.
ISPsystem has since addressed the issue by introducing randomized hostname assignment within updated templates, reducing the risk of uniform system fingerprinting across deployments.

Delivery and Infection Chain:

Threat actors utilized Windows virtual machines provisioned through ISPsystem VMmanager to host and distribute malicious payloads. These VMs primarily functioned as command-and-control endpoints, payload staging servers, and distribution nodes for ransomware droppers.
By leveraging standard Windows services such as HTTP(S) and RDP, and operating from established hosting providers, the infrastructure blended into normal enterprise traffic patterns, reducing the likelihood of rapid blocking or enforcement actions.

The infection chain was identified as follows:

  • Initial access is obtained via phishing campaigns, exploitation of exposed services such as RDP, or acquisition of credentials from access brokers.
  • Following the compromise, the infected system establishes communication with the attacker-controlled infrastructure hosted on the VMmanager virtual machines.
  • Secondary payloads are retrieved, including loaders, credential harvesting tools, and lateral movement frameworks.
  • Command-and-control communications are maintained over standard web protocols, enabling tasking, updates, and data staging.
  • The operation culminates in ransomware deployment after reconnaissance and privilege escalation to maximize operational impact.

Technical Capabilities:

The observed threat activity demonstrates strong operational scalability centered on infrastructure abuse rather than novel exploitation techniques. By leveraging VMmanager’s default templates, ransomware operators rapidly provisioned Windows virtual machines with consistent configurations, enabling repeatable deployment of C2 infrastructure, payload hosting, data staging, and remote administration capabilities.
The use of standard services such as HTTP(S) and RDP within legitimate hosting environments reduced detection by reputation-based controls and network filtering mechanisms. The infrastructure closely resembled benign enterprise workloads, complicating differentiation between legitimate and malicious activity.
From a defensive evasion perspective, shared system fingerprints and reusable templates enabled infrastructure reuse across multiple campaigns and threat groups. Hosting with abuse-tolerant providers facilitated long-lived C2 nodes and resilient payload distribution points.
This activity reflects an evolution toward infrastructure-as-a-service tradecraft, where threat actors leverage commercial virtualization platforms as operational force multipliers, prioritizing scalability, anonymity, and resilience over bespoke malware development.

Attribution and Evolution:

Infrastructure traits, including recurring hostnames and shared deployment patterns, were observed across multiple ransomware families and malware operations, including LockBit, BlackCat/ALPHV, Conti, Qilin, and various commodity information-stealers.
The consistency in infrastructure suggests shared operational playbooks, infrastructure resale models, or coordinated use of permissive hosting environments.
This represents a shift from attacker-owned custom servers to systematic abuse of reputable and scalable virtualization platforms.

Active Campaign and Geographic Spread:

Malicious VMmanager-hosted infrastructure was distributed across multiple geographic regions aligned with the data center locations of a limited set of high-risk or abuse-tolerant hosting providers.
Victim telemetry indicates global targeting consistent with financially motivated ransomware operations. No single industry or region appears exclusively targeted, reinforcing the opportunistic and scalable nature of the infrastructure model.

Conclusion:

The abuse of ISPsystem VMmanager illustrates how threat actors can operationalize default configurations within trusted virtualization platforms to build scalable ransomware infrastructure.
While vendor mitigation through hostname randomization reduces this specific exposure, organizations must assume that legitimate hosting environments can be weaponized. Defensive strategies should incorporate infrastructure-aware monitoring, provider risk evaluation, and threat hunting techniques tailored to virtualized environments.

Impact:

This technique significantly impedes detection and response by embedding malicious infrastructure among large volumes of legitimate virtual machines.
It delays takedown efforts, reduces attribution confidence, and increases dwell time, thereby improving ransomware success rates and expanding victim impact. The blending of malicious and legitimate infrastructure increases the operational burden on defenders and complicates coordinated remediation efforts.

IOC and Context Details:

Tactic Name: Command and Control, Delivery, Defense Evasion
Technique Name: Ingress Tool Transfer, Application Layer Protocol, Use of Legitimate Infrastructure
Sub-Technique Name: Web Protocols, Virtual Private Server usage
Attack Type: Ransomware, Malware Distribution, Infrastructure Abuse
Targeted Applications: Windows operating systems, RDP services, web services using HTTP and HTTPS
Region Impacted: Global
Industry Impacted: Technology, healthcare, manufacturing, financial services
IOCs: Reused VM hostnames such as:
  • WIN-LIVFRVQFMKO
  • WIN-344VU98D3RU
  • WIN-J9D866ESIJ2
CVE: N/A

Recommended Actions:

  • Monitor for anomalous or duplicate hostnames and system identifiers within virtualized environments.
  • Conduct periodic risk assessments of hosting and cloud providers, prioritizing those with histories of abuse tolerance or non-compliance.
  • Restrict and monitor RDP and remote administration services through strict segmentation and access controls.
  • Implement threat-hunting programs focused on command-and-control behavior, unusual outbound traffic, and VM-based payload staging patterns.
  • Ensure virtualization management platforms are hardened and configured with randomized hostnames and unique system identifiers.
  • Integrate updated threat intelligence indicators into endpoint and network detection systems.
  • Train IT and security teams to recognize signs of infrastructure abuse within virtualized environments.
  • Review contractual and security requirements with hosting providers to limit exposure to high-risk infrastructure ecosystems.
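The first recommended action (monitoring for duplicate hostnames and system identifiers) and the hostname IOCs above can be turned into a simple inventory check. The following is an added example, not code from the advisory or from Sophos/ISPsystem; it assumes a constructed CSV-style VM inventory export with `vm_id,hostname,machine_guid` columns and flags known IOC hostnames, default-template `WIN-` hostnames shared by more than one VM, and machine GUIDs shared across VMs.

```python
import re
from collections import defaultdict

# Hostnames the advisory reports as reused across VMmanager-provisioned VMs.
KNOWN_REUSED_HOSTNAMES = {"WIN-LIVFRVQFMKO", "WIN-344VU98D3RU", "WIN-J9D866ESIJ2"}

# Windows Setup default naming: "WIN-" followed by 11 uppercase alphanumerics.
DEFAULT_HOSTNAME_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")


def parse_inventory(lines):
    """Parse 'vm_id,hostname,machine_guid' records (assumed export format); skip comments/malformed rows."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [f.strip() for f in line.split(",")]
        if len(parts) != 3:
            continue
        vm_id, hostname, guid = parts
        records.append({"vm_id": vm_id, "hostname": hostname.upper(), "guid": guid.lower()})
    return records


def find_fingerprint_reuse(records):
    """Return sorted (finding_type, value, [vm_ids]) tuples for reused fingerprints."""
    by_host, by_guid = defaultdict(list), defaultdict(list)
    for r in records:
        by_host[r["hostname"]].append(r["vm_id"])
        by_guid[r["guid"]].append(r["vm_id"])
    findings = []
    for host, vms in by_host.items():
        if host in KNOWN_REUSED_HOSTNAMES:
            findings.append(("known_ioc_hostname", host, sorted(vms)))
        elif DEFAULT_HOSTNAME_RE.match(host) and len(vms) > 1:
            findings.append(("duplicate_default_hostname", host, sorted(vms)))
    for guid, vms in by_guid.items():
        if len(vms) > 1:
            findings.append(("duplicate_machine_guid", guid, sorted(vms)))
    return sorted(findings)


# Constructed sample inventory for demonstration (not real telemetry).
SAMPLE_INVENTORY = """\
# vm_id,hostname,machine_guid
vm-001,WIN-LIVFRVQFMKO,0f1e2d3c-0000-4000-8000-000000000001
vm-002,WIN-ABCDEFGHIJK,0f1e2d3c-0000-4000-8000-000000000002
vm-003,WIN-ABCDEFGHIJK,0f1e2d3c-0000-4000-8000-000000000002
vm-004,FILESRV01,0f1e2d3c-0000-4000-8000-000000000004
""".splitlines()

if __name__ == "__main__":
    for kind, value, vms in find_fingerprint_reuse(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{kind}: {value} on {', '.join(vms)}")
```

A renamed host (FILESRV01) with a unique GUID produces no finding, so the check surfaces only template reuse rather than every Windows VM.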

References:

https://www.sophos.com/en-gb/blog/malicious-use-of-virtual-machine-infrastructure