SophosLabs late 2025 WantToCry probes found attackers on VMs with ISPsystem-derived hostnames like WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO. These spanned LockBit, Qilin, BlackCat/ALPHV ransomware, NetSupport RAT, Ursnif banking trojan, and FortiClient EMS exploits. Notably, WIN-LIVFRVQFMKO was tied to the 2021 ContiLeaks: “Bentley” (Maksim Galochkin, U.S./UK-sanctioned) used it in Jabber chats with GOLD ULRICK (Conti) and GOLD BLACKBURN […] The post Cybercriminals Leverage Reputable ISP Networks via Bulletproof Hosting Services appeared first on Cyber Security News.