Malicious use of virtual machine infrastructure
ID: 0281542c-e25d-5e89-8a17-ff1f6ca789f0
STIX ID: report--0281542c-e25d-5e89-8a17-ff1f6ca789f0
Feed Name: Sophos Blogs
CTU researchers found that ISPsystem VMmanager distributes prebuilt Windows templates that embed static hostnames and system identifiers, causing thousands of VMs to expose identical hostnames (e.g., WIN-LIVFRVQFMKO, WIN-J9D866ESIJ2). Those hostnames appear widely across a few hosting providers and countries and have been linked to active ransomware and malware operations, bulletproof hosting advertisements, and exploitation activity. Template reuse is therefore creating misleading shared infrastructure and enabling criminal use.
