ISPsystem VMmanager Windows VM abuse for payload delivery and C2
Malware Activity
Summary
Ransomware operators are abusing ISPsystem VMmanager to run Windows virtual machines that deliver payloads and host command-and-control (C2) infrastructure, reducing defenders' visibility and slowing takedowns. Researchers linked the tactic to recent WantToCry incidents and found that VMmanager's default Windows templates reuse identical hostnames across deployments, which makes those hostnames a pivot for tracking the infrastructure. The same pattern also appeared in LockBit, Qilin, Conti, BlackCat/ALPHV, Ursnif, RedLine, and Lummar activity.
Related Happenings
Payouts King ransomware QEMU reverse SSH backdoor activity
Malware Activity
First: 17.04.2026 22:10
Last: 17.04.2026 22:10
Sources 1
About this happening:
**Payouts King ransomware** is using **QEMU** hidden virtual machines and a **reverse SSH backdoor** to keep covert access on compromised hosts and evade endpoint security. The ma...
ModeloRAT DNS-delivered malware staging
Malware Activity
First: 16.02.2026 02:29
Last: 16.02.2026 02:29
Sources 1
About this happening:
**ModeloRAT** is now being delivered through a **DNS-based staging chain**, increasing the chance that malicious traffic blends into ordinary name-resolution activity. In the obse...
Uphero/hero trojanized 7-Zip installer proxyware activity
Malware Activity
First: 10.02.2026 21:12
Last: 10.02.2026 21:12
Sources 1
About this happening:
A **trojanized 7-Zip installer** is now dropping **Uphero/hero** payloads that turn **Windows hosts** into **residential proxy nodes**, letting attackers route traffic through vic...
Reynolds side-loaded-loader and GotoHTTP ransomware campaign
Campaign
First: 10.02.2026 16:36
Last: 10.02.2026 16:36
Sources 1
About this happening:
The **Reynolds** ransomware operation now shows **pre-deployment staging** and **post-deployment access tooling**, increasing the likelihood of persistent compromise on the target...
Reynolds ransomware BYOVD defense-evasion activity
Malware Activity
First: 10.02.2026 16:36
Last: 10.02.2026 16:36
Sources 1
About this happening:
The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...
Timeline
05.02.2026 22:57 · 1 article · 3mo ago
Sophos identifies ISPsystem VMmanager abuse
Technical Analysis Update
Sophos identified ransomware operators abusing ISPsystem VMmanager Windows virtual machines to host and deliver malicious payloads and command-and-control infrastructure. The researchers said VMmanager's default Windows templates reuse identical hostnames and system identifiers across deployments, and they linked those same hostnames to activity involving LockBit, Qilin, Conti, BlackCat/ALPHV, Ursnif, RedLine, and Lummar. Malicious VMs were concentrated among providers including Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, JSC IOT, and MasterRDP.
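As an added example (not code from Sophos, ISPsystem or the cited article), the hunting logic a defender could build on the template-reuse observation above: cluster remote hosts by the hostname and machine identifier they advertise, and flag any identifier that recurs across several public IPs at more than one hosting provider, which is the footprint a cloned default template leaves. The record format, the field names, the hostnames, the IP addresses (documentation ranges) and the provider names are all constructed for illustration; the actual hostnames from the Sophos report are not on this page and are not reproduced.

```python
"""Hunting pivot for cloned VM templates.

Added example, not Sophos or ISPsystem code. It clusters externally observed
hosts by the hostname and machine identifier they advertise and flags any
identifier seen on several public IPs at more than one hosting provider.
All records, hostnames, IPs (documentation ranges) and provider names below
are constructed; no hostname from the Sophos report is reproduced.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Sighting:
    """One observation of a remote host, e.g. from an RDP/NetBIOS banner,
    a TLS certificate CN, or EDR telemetry that records the peer's name."""
    ip: str          # remote IPv4 address
    hostname: str    # hostname the remote host advertised
    machine_id: str  # platform identifier if exposed (empty if unknown)
    provider: str    # hosting provider from an ASN/whois lookup


# Networks never treated as hosted VMs: RFC 1918, loopback, link-local.
# Checked explicitly because ipaddress.is_private would also exclude the
# documentation ranges used in the constructed sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def cluster_sightings(sightings, min_ips=3, min_providers=2):
    """Return {("hostname"|"machine_id", value): [ips]} for identifiers seen
    on at least min_ips distinct public IPs spread over at least
    min_providers providers. A generic name reused inside one provider (or
    one tenant) does not qualify. A Windows-generated DESKTOP-xxxx name is
    normally unique per install, so the same one on many hosts means the
    image was cloned without re-running setup."""
    ips_by_key = defaultdict(set)
    providers_by_key = defaultdict(set)
    for s in sightings:
        if is_internal(s.ip):
            continue
        for key in (("hostname", s.hostname.upper()),
                    ("machine_id", s.machine_id)):
            if not key[1]:
                continue
            ips_by_key[key].add(s.ip)
            providers_by_key[key].add(s.provider)
    return {
        key: sorted(ips)
        for key, ips in ips_by_key.items()
        if len(ips) >= min_ips and len(providers_by_key[key]) >= min_providers
    }


def flagged_ips(sightings, **thresholds):
    """Map each IP in a suspicious cluster to the identifiers tying it in."""
    hits = defaultdict(list)
    for (kind, value), ips in cluster_sightings(sightings, **thresholds).items():
        for ip in ips:
            hits[ip].append(f"{kind}={value}")
    return dict(hits)


# Constructed sample telemetry. WIN-TEMPLATE01 / guid-aaaa stand in for a
# cloned template; MAIL01 is an ordinary name reused by one provider's
# customers; the 10.0.0.5 record is an internal host and must be ignored.
SAMPLE = [
    Sighting("203.0.113.10", "WIN-TEMPLATE01", "guid-aaaa", "Provider A"),
    Sighting("203.0.113.11", "WIN-TEMPLATE01", "guid-aaaa", "Provider A"),
    Sighting("198.51.100.5", "WIN-TEMPLATE01", "guid-aaaa", "Provider B"),
    Sighting("192.0.2.77",   "WIN-TEMPLATE01", "guid-aaaa", "Provider C"),
    Sighting("10.0.0.5",     "WIN-TEMPLATE01", "guid-aaaa", "internal"),
    Sighting("198.51.100.9", "DESKTOP-Q1XZ9",  "guid-bbbb", "Provider B"),
    Sighting("192.0.2.80",   "MAIL01",         "guid-cccc", "Provider C"),
    Sighting("192.0.2.81",   "MAIL01",         "guid-dddd", "Provider C"),
]

if __name__ == "__main__":
    for ip, reasons in sorted(flagged_ips(SAMPLE).items()):
        print(f"{ip:15} suspected template clone: {', '.join(reasons)}")
```

A hostname on its own is a weak pivot (WIN- and DESKTOP- prefixes are everywhere), which is why a cluster has to span providers and, where a second identifier is visible, agree on it before it is worth blocking or pivoting on; the provider concentration the analysis names is the corroborating signal to check against.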
Sources
- Ransomware gang uses ISPsystem VMs for stealthy payload delivery — www.bleepingcomputer.com — 05.02.2026 22:57