ADVERTISEMENT

Bulletproof hosting reused Windows images, masking ransomware infrastructure

New Sophos research finds bulletproof hosting providers repeatedly deploy virtual machines from the same preconfigured Windows images, creating thousands of identically named servers that cybercriminal groups continue to exploit for cover.

Botnet
Stefanie Schappert
Stefanie Schappert Senior Journalist
Feb 4, 2026 3 min read
Key takeaways:
Microsoft Windows, vulnerability
Thousands of deployed Windows machines have the same hostname. Image by Cybernews.
Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Add us as your Preferred Source on Google.

Why thousands of virtual servers share the same hostname

Ransomware
Ransomware groups are known to rent servers from bulletproof hosting companies, instead of building their own. Image by Cybernews.
ADVERTISEMENT
  • WIN-344VU98D3RU
  • WIN-J9D866ESIJ2
  • WIN-LIVFRVQFMKO
  • WIN-BS656MOF35Q
Locations of reused Windows machine hostnames
Locations of devices using these hostnames based on associated IP address. Image by Sophos.
RDP.monster bulletproof hosting
Virtual machine services offered by "rdp.monster" (also known as MasterRDP). Image by Sophos.

How identical hostnames break ransomware attribution

  • Ransomware strains: LockBit, Qilin, ALPHV/BlackCat, Conti, WantToCry
  • Malware campaigns: ClickFix, PureRAT, and Lumma stealer
  • Infostealers/Trojans: Ursnif, RedLine, TrickBot, NetSupport RAT

ADVERTISEMENT