1. Executive Summary
When the same Windows hostname turns up on tens of thousands of unrelated IP addresses, something is worth a closer look. Augur Security began tracking the WIN- hostname pattern in March 2025 after observing tightly clustered Windows Server deployments sharing identical default names across commodity VPS, bulletproof hosting, and major cloud providers.
This report documents a global pattern of Windows Server deployments sharing identical default hostnames across thousands of IP addresses. The analysis is based entirely on passive internet scan data and does not involve active probing of any system. The dataset covers 564,275 records across 27 countries, representing 168,362 unique WIN- hostnames.
What Augur Saw
Augur predictive intelligence confirmed and protected against 82,102 connection events across customer organizations, mostly in MENA finance and energy.
Our research found that the WIN- hostname pattern has two distinct root causes. The first is ISPsystem VMmanager, a legitimate commercial virtualization platform widely used by hosting providers globally. Sophos CTU confirmed in February 2026 that VMmanager default Windows templates ship with static pre-configured hostnames, meaning every VM deployed from the same template gets the same hostname automatically. The second root cause is deliberate VM cloning by criminal operators, where a single configured Windows image is copied and deployed at scale. Microsoft documented this technique in January 2026 as the foundation of the RedVDS platform operated by Storm-2470.
A five-tier scoring methodology was applied to separate these populations. A BPH (Bulletproof Hoster) ASN overlap analysis was conducted as a secondary validation signal, cross-referencing all cluster IPs against a curated list of known bulletproof hosting autonomous systems. The key findings are summarized below.
Augur predictive threat intelligence independently confirmed 82,102 connection events from high-anomaly cluster IP ranges against customer organizations, with 4,294 currently active as of April 2026.
1.1 Key Takeaways
- The WIN- hostname pattern has two confirmed root causes: ISPsystem VMmanager default templates shared across independent operators, and deliberate VM cloning by criminal actors. Attribution requires distinguishing between the two before drawing conclusions about operator identity.
- From 168,362 unique WIN- hostnames observed across 27 countries, 100 clusters score as confirmed anomalous, covering 49,134 unique IPs, with a further 56 likely anomalous covering 11,724 IPs. Six confirmed anomalous hostnames are independently documented in serious criminal campaigns, including RedVDS, Lazarus Group, LockBit, Conti, and Lumma Stealer delivery.
- Augur predictive intelligence confirmed 82,102 connection events from confirmed anomalous cluster IP ranges against customer organizations, with 4,294 currently active. The target profile is concentrated in MENA financial institutions and energy companies.
- The January 2026 Microsoft disruption of RedVDS reduced WIN-BUNS25TD77J infrastructure by 97.8% but did not stop the broader operation. High-anomaly clusters were active before the disruption and continue operating under different hostnames as of April 2026.
- The WIN- hostname fingerprint, combined with JARM fingerprinting and BPH ASN overlap analysis, provides a durable hunting pivot that persists through IP rotation and hosting provider changes.
2. Methodology and Data Sources
2.1 Data Collection
All data is derived from passive internet-wide scanning indexed by Shodan. No active scanning or probing was performed. Data covers 27 countries. Total dataset: 564,275 records, 168,362 unique WIN- hostnames, approximately 15GB of raw JSON. Where dedicated per-cluster Censys exports were available, they were used to supplement the global Shodan dataset for specific hostnames. WIN-IS6O0UA2ENC was analyzed using a dedicated Censys pull, which provides higher-fidelity port and certificate data than the global Shodan records for that cluster.
2.2 Two Root Causes of WIN- Hostname Clustering
1: ISPsystem VMmanager default templates. ISPsystem VMmanager is a legitimate commercial virtualization platform widely used by hosting providers. Sophos CTU confirmed in February 2026 that the default Windows Server templates in VMmanager ship with static, pre-configured hostnames. Every VM deployed from the same template automatically receives the same hostname, meaning multiple independent operators can produce identical hostnames with no operational connection. The hostname is a platform fingerprint, not an operator fingerprint. ISPsystem has since updated its templates to randomize hostname assignment.
2: Deliberate VM cloning by criminal operators. A separate mechanism involves operators who intentionally clone a single configured Windows VM image and deploy it across multiple servers. Microsoft documented this as the foundation of RedVDS in January 2026. Here, the hostname is a genuine operator fingerprint because all hosts sharing it originate from the same deliberately maintained master image.
2.3 Anomaly Scoring Model
Each hostname was scored on the following factors:
- High unique IP count with same hostname: 3 points for 100+ IPs, 1 point for 20+
- Spread across multiple ASNs: 3 points for 10+ ASNs, 1 point for 3+
- Spread across multiple countries: 2 points for 5+ countries
- RDP exposed on port 3389: 2 points
- WinRM exposed on port 5985 or 5986: 1 point
- Anomalous ports present, including 3128, 8080, 8888, 1080: 3 points
- Mixed OS versions across the cluster: 1 point
- Cert issuance date range spanning multiple months: 1 point
2.4 BPH ASN Overlap Analysis
As a secondary validation signal, all cluster IPs were cross-referenced against a curated list of known bulletproof hosting ASNs, including AS44477 (Stark Industries), AS210644 (AEZA), AS216246 (RU-AEZA-AS), AS19318 (Interserver), AS18779, AS207957 (ServHost), AS215826 (Partner Hosting), AS56485, AS57043, and others. The percentage of a cluster's IPs landing on known BPH ASNs provides an independent signal separate from the scoring model. Hostnames with 80% or more of their IPs on BPH ASNs were elevated to the confirmed anomalous group regardless of their anomaly score.
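The scoring model in 2.3 and the BPH elevation rule in 2.4, implemented together as an added example (not Augur's tooling). Cluster records are per-hostname aggregates; the three samples are constructed, and the BPH ASN set only contains the ASNs this report names.

```python
"""Cluster anomaly scoring (section 2.3) with the BPH ASN elevation rule
(section 2.4). Added example, not Augur's tooling; every cluster record
below is a constructed aggregate, not an observation from the report."""
from dataclasses import dataclass

ANOMALOUS_PORTS = {3128, 8080, 8888, 1080}          # proxy-style ports from 2.3
# BPH ASNs named in 2.4; the report's full list is longer ("and others")
BPH_ASNS = {44477, 210644, 216246, 19318, 18779, 207957, 215826, 56485, 57043}

@dataclass
class Cluster:
    hostname: str
    ips: frozenset          # unique IPs sharing this hostname
    asns: dict              # ASN -> number of cluster IPs on it
    countries: frozenset
    ports: frozenset        # union of exposed ports across the cluster
    os_versions: frozenset
    cert_months: int        # span of certificate issuance dates, in months

def anomaly_score(c: Cluster) -> int:
    """Additive score from the eight factors in section 2.3 (maximum 16)."""
    score = 3 if len(c.ips) >= 100 else 1 if len(c.ips) >= 20 else 0
    score += 3 if len(c.asns) >= 10 else 1 if len(c.asns) >= 3 else 0
    score += 2 if len(c.countries) >= 5 else 0
    score += 2 if 3389 in c.ports else 0                   # RDP
    score += 1 if c.ports & {5985, 5986} else 0            # WinRM
    score += 3 if c.ports & ANOMALOUS_PORTS else 0
    score += 1 if len(c.os_versions) > 1 else 0            # mixed OS versions
    score += 1 if c.cert_months > 1 else 0                 # multi-month cert range
    return score

def bph_fraction(c: Cluster) -> float:
    """Share of cluster IPs whose ASN is on the BPH list (independent of score)."""
    total = sum(c.asns.values())
    on_bph = sum(n for asn, n in c.asns.items() if asn in BPH_ASNS)
    return on_bph / total if total else 0.0

def classify(c: Cluster) -> str:
    """8+ is confirmed, 7 is likely anomalous; 80%+ BPH overlap confirms regardless."""
    if anomaly_score(c) >= 8 or bph_fraction(c) >= 0.8:
        return "confirmed anomalous"
    return "likely anomalous" if anomaly_score(c) == 7 else "below threshold"

def fake_ips(n):                      # constructed addresses, one per IP
    return frozenset("10.0.%d.%d" % divmod(i, 256) for i in range(n))

SAMPLE = {c.hostname: c for c in [          # constructed clusters (AS64496+ are reserved)
    Cluster("WIN-SAMPLEHIGH", fake_ips(150), {64496 + i: 15 for i in range(10)},
            frozenset("FI NL US DE RU GB".split()), frozenset({3389, 5985, 3128}),
            frozenset({"2019", "2022"}), 14),
    Cluster("WIN-SAMPLEBPH", fake_ips(25), {19318: 23, 64511: 2}, frozenset({"US"}),
            frozenset({3389}), frozenset({"2022"}), 0),
    Cluster("WIN-SAMPLELIKELY", fake_ips(30), {64496: 10, 64497: 10, 64498: 5, 64499: 5},
            frozenset({"FI", "NL"}), frozenset({3389, 5985}), frozenset({"2019", "2022"}), 3),
]}

if __name__ == "__main__":
    for name, c in SAMPLE.items():
        print(name, anomaly_score(c), "%.0f%% BPH" % (100 * bph_fraction(c)), classify(c))
```

The BPH sample scores only 3 on structure yet is confirmed by the 92% AS19318 overlap, which is exactly the elevation case the report describes in 5.2.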
3. Global Distribution
3.1 Country Coverage
WIN- hostnames were observed across 130+ countries. The following shows the top countries by record count prior to anomaly filtering.
Finland, at 29,730 records, is disproportionately high relative to its population and appears repeatedly in high-anomaly cluster country distributions, consistent with Finnish data center infrastructure being used by ISPsystem-based providers and commodity hosting operators.
3.2 OS Version Distribution
Across all records, the following OS versions were observed. The diversity confirms the presence of multiple independent provisioning pipelines.
4. Population Analysis
The score distribution reveals three separate populations. The cliff between score 7 and 5-6 is sharp, and average unique IPs per hostname drops from 209 to 68. The cliff between score 3-4 and score 5-6 is sharper still, dropping from 68 to 2. These natural breaks validate the tier boundaries used in this analysis.
Score 7 distribution note: The 56 hostnames scoring 7 show a highly uneven distribution. The top cluster WIN-U36MVN46B5E has 3,170 unique IPs, while the bottom clusters have 2. The median is approximately 120 IPs. The primary differentiator from score 8+ is a limited country spread of 1 to 3 countries, rather than 5 or more. WIN-RP6J9OOV3EV within this band has 87% of its IPs on known BPH ASNs (AS210644, AEZA, and AS216246, RU-AEZA-AS), creating elevated concern. The full list of 56 score-7 hostnames is available upon request.
5. Confirmed Anomalous Clusters
5.1 Score 8+ Population
5.2 Hostnames Elevated via BPH ASN Overlap
Four hostnames below the score 8 threshold were elevated to confirmed anomalous based on BPH ASN concentration of 80% or above. This secondary signal provides independent validation that the infrastructure is operating on abuse-tolerant hosting regardless of the structural scoring.
5.3 Top ASNs in Confirmed Anomalous Clusters
5.4 Documented Threat Associations
The following table covers the primary confirmed anomalous hostnames with threat documentation. Root cause distinguishes ISPsystem VMmanager platform artifacts from deliberate VM cloning. BPH % shows the proportion of cluster IPs on known bulletproof hosting ASNs.
* Score 7 or 4 in global run but elevated to confirmed anomalous based on BPH ASN overlap exceeding 80%.
6. WIN-BUNS25TD77J: Before & After Jan 2026 Disruption
WIN-BUNS25TD77J is the only hostname in this dataset with confirmed attribution to a named threat actor and documented financial fraud losses. Unlike ISPsystem clusters, this was deliberate VM cloning: Storm-2470 created one Windows VM and repeatedly copied it without changing the hostname.
The 97.8% reduction confirms the disruption was effective against this specific cluster. The surviving 156 hosts migrated to AS44477 (Stark Industries Solutions Ltd), which the European Council sanctioned in May 2025 for enabling Russian state-sponsored and cybercriminal actors. The broader anomalous cluster population was already active before the disruption and continues as of April 2026.
7. Notable Individual Clusters
7.1 WIN-8OA3CCQAE4D: Lazarus Group C2 (Score 12, 22% BPH)
Red Asgard researchers documented in January 2026 that IP 216.250.251.87 with hostname WIN-8OA3CCQAE4D on AS396073 was serving as a backup C2 server in active Lazarus Group Contagious Interview infrastructure. The campaign used fake job interviews to deliver multi-stage cryptocurrency theft malware, including BeaverTail, a Tsunami backdoor with XMRig miner, and MetaMask injectors targeting crypto developers on Upwork. The cluster spans 3,510 unique IPs across 19 countries with cert range from December 2024 to April 2026. FalconFeeds has also linked Qilin ransomware infrastructure to this hostname.
7.2 WIN-LIVFRVQFMKO: Multiple Ransomware Families (Score 12, 21% BPH)
Sophos CTU confirmed this is an ISPsystem VMmanager default template for Windows Server 2019. Despite being a platform artifact, it has been observed across LockBit, Conti, Qilin, WantToCry, and BlackCat ransomware campaigns by independent operators. Most significantly, a sanctioned individual known as Bentley, identified as Maksim Galochkin, used a device with this hostname to log into private Jabber communications involving GOLD ULRICK (Conti) and GOLD BLACKBURN (TrickBot), exposed in the February 2022 ContiLeaks. The cluster spans 1,915 unique IPs across 15 countries, active since March 2022.
7.3 WIN-BS656MOF35Q: MIDDLEWARE Group, Highest Anomaly Score (Score 16, 34% BPH)
The highest anomaly score in the dataset. This ISPsystem VMmanager hostname for Windows Server 2022 exposes port 3128 (HTTP proxy) alongside RDP and WinRM across 1,301 unique IPs in 16 countries on 100 ASNs, with 22 distinct BPH ASNs represented. ThreatLocker documented in September 2025 that the MIDDLEWARE group used a host with this hostname as C2 for ClickFix campaigns delivering PureRAT and Lumma Stealer. Cert range from February 2024 to April 2026 indicates 26 months of continuous operation.
7.4 WIN-KEJVO9CLD80: 81% BPH, 28 Open Ports (Score 11)
This cluster has 81% of its 2,081 unique IPs on AS19318 (Interserver, a BPH-listed provider). It exposes 28 ports simultaneously, including proxy ports 3128 and 9182, as well as RDP, WinRM, SMTP, LDAP, SQL, and multiple non-standard HTTP ports. All activity is within a single US-based ASN. No external campaign documentation has been found, but the port profile and BPH concentration make it one of the most anomalous single-provider clusters in the dataset.
7.5 WIN-IS6O0UA2ENC: Active Password Reset Abuse (Score 9, Deliberate Clone)
This cluster is a deliberate VM clone, not an ISPsystem artifact. Approximately 150 Vultr-hosted Windows Server 2022 instances share an identical RDP certificate CN provisioned from the same golden image. The cluster is linked to active password reset abuse. The JARM hash 14d14d16d14d14d08c14d14d14d14dfd9c9d14e4f4f67f94f0359f8b28f532 provides a hunting pivot to recover hosts that have rotated their RDP certificate.
7.6 WIN-344VU98D3RU: Oldest Active Cluster (Score 13, 12% BPH)
Cert range begins in November 2019, making this the longest-running anomalous cluster in the dataset at over six years. Sophos CTU confirmed it is an ISPsystem VMmanager template for Windows Server 2012 R2. Despite being a platform artifact, it has been linked to LockBit, Conti, TrickBot, RagnarLocker, RedLine, and Lampion campaigns. The Netherlands dominates with 34,703 records, followed by Russia at 17,508. Spans 1,956 unique IPs across 94 ASNs.
8. Augur Predictive Intelligence Validation
Cross-referencing the /24 subnets from confirmed anomalous clusters against Augur predictive threat intelligence provides independent validation that the anomaly scoring and BPH overlap methodology identifies infrastructure with real observed malicious behavior against customer networks.
8.1 Coverage Summary
Of approximately 3,500 /24 CIDRs derived from the confirmed anomalous cluster IP list, 515 generated actual client hits, representing a 14.7% hit rate against the Augur customer base. The 515 active CIDRs plus 7 smaller subnets represent 522 total prediction IDs covering this infrastructure. While 14.7% of the IOC list directly touched customers, those 515 CIDRs generated 82,176 total events, meaning the ranges that did make contact hit hard and repeatedly.
8.2 Connection Event Summary
8.3 Notable Observations
62.122.185[.]12 was simultaneously observed by 6 different client organizations, including GADD, Ministry of Finance, Vodafone Oman, Oman Investment Authority, and EBank on January 6, 2026, all within the same window. This simultaneous multi-org hit on a single IP is consistent with a coordinated scanning or phishing campaign targeting the Gulf region from a single source.
51.89.12[.]4 generated 228 allowed outgoing events from Orange Jordan in September 2025 under prediction 579807. This traffic was not blocked, representing unmitigated exposure. The same /27 subnet touched DEWA, Arab Bank, Fawry, Orange Jordan, CNA, Petroleum Development Oman, and Bank of Hope, making it the widest org spread of any single predicted range in the dataset.
194.146.47[.]0/25 under prediction 431637 shows a consistent weekly pattern of spam category hits against MCSD, suggesting scheduled campaign activity rather than opportunistic scanning.
8.4 Top Affected Sectors
Seven of the top ten organizations are based in the Gulf region or Jordan. This concentration is consistent with financially motivated threat actor interest in MENA financial and energy sectors, aligning with the BEC and financial fraud use cases documented for this infrastructure type.
8.5 Threat Category Breakdown
9. Detection and Hunting Guidance
9.1 Censys and Shodan Queries
- Censys: services.tls.certificates.leaf_data.subject.common_name=WIN-[HOSTNAME] AND services.port=3389
- Shodan: ssl.cert.subject.cn:WIN-[HOSTNAME] port:3389
- JARM pivot for WIN-IS6O0UA2ENC: jarm:14d14d16d14d14d08c14d14d14d14dfd9c9d14e4f4f67f94f0359f8b28f532
- ISPsystem cluster pivot: search WIN-BS656MOF35Q, WIN-LIVFRVQFMKO, WIN-344VU98D3RU, WIN-J9D866ESIJ2 on Shodan to enumerate current ISPsystem-based criminal infrastructure
- BPH concentration check: cross-reference any WIN- cluster IPs against known BPH ASNs; clusters with 80%+ BPH overlap should be treated as confirmed anomalous
9.2 Behavioral Detection Indicators
- Inbound SMTP connections from Windows Server 2022 hosts on ports 8008, 8010, or 8015 with self-signed certificates
- RDP certificate CN matching WIN-[A-Z0-9]{8,} pattern on commodity VPS or BPH providers with no organizational context
- ScreenConnect installer execution followed by AsyncRAT or PureHVNC deployment within minutes of connection
- M365 Direct Send messages failing composite authentication (compauth=fail) with spoofed internal From addresses
- WinRM port 5985 active alongside RDP on hosts with default WIN- hostnames on hosting provider IP space
- Express.js on port 1244 alongside RDP and WinRM on Windows Server hosts (Lazarus Group Contagious Interview indicator per Red Asgard Jan 2026)
9.3 M365 Direct Send Mitigation
- Disable Direct Send if not required: Set-OrganizationConfig -RejectDirectSend $true
- Audit mail flow rules for accepted unauthenticated relay IPs
- Monitor message headers for compauth=fail on messages claiming internal origin
- Enforce DMARC p=reject and SPF hardfail policies
- Flag unauthenticated internal emails for quarantine review
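A header check for the compauth=fail indicator from 9.2 and the monitoring item in 9.3, added here as example code (not Augur's or Microsoft's). It assumes the tenant's own domains are listed in INTERNAL_DOMAINS; the three messages are constructed, with Authentication-Results values in the shape Exchange Online stamps.

```python
"""Flag messages that claim an internal From address but fail Microsoft
composite authentication (compauth=fail). Added example; the message
samples are constructed and INTERNAL_DOMAINS is an assumed tenant list."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}      # assumption: the tenant's accepted domains

def compauth_result(msg):
    """Return (verdict, reason) parsed from the Authentication-Results header."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"compauth=(\w+)(?:\s+reason=(\d+))?", hdr)
        if m:
            return m.group(1), m.group(2)
    return None, None                   # header absent: cannot judge

def from_domain(msg) -> str:
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def is_spoofed_internal(raw: str) -> bool:
    """True when the From domain is ours but compauth failed (9.2 / 9.3 indicator)."""
    msg = message_from_string(raw)
    verdict, _reason = compauth_result(msg)
    return verdict == "fail" and from_domain(msg) in INTERNAL_DOMAINS

# Constructed samples: Authentication-Results is folded as Exchange Online does
SPOOFED = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.com;
 dkim=none (message not signed) header.d=none;dmarc=fail action=oreject
 header.from=example.com;compauth=fail reason=000
From: IT Helpdesk <helpdesk@example.com>
To: user@example.com
Subject: Password reset required

Please reset your password.
"""
LEGIT = """\
Authentication-Results: spf=pass (sender IP is 198.51.100.5) smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;dmarc=pass action=none
 header.from=example.com;compauth=pass reason=100
From: Payroll <payroll@example.com>
To: user@example.com
Subject: Payslip

Your payslip is attached.
"""
EXTERNAL = SPOOFED.replace("helpdesk@example.com", "news@partner.example.net")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("legit", LEGIT), ("external", EXTERNAL)]:
        print(name, is_spoofed_internal(raw))
```

The external sample also fails compauth but is not flagged by this rule, since it makes no internal-origin claim; it belongs to ordinary inbound spam handling rather than the Direct Send spoofing case.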
10. Prior Research and Vendor Timeline
11. Conclusions
This research identifies and quantifies a global pattern of Windows Server deployments with anomalous hostname-clustering characteristics across 168,362 unique WIN- hostnames in 27 countries. Two distinct root causes have been confirmed.
ISPsystem VMmanager default templates explain the majority of high-volume clusters. Multiple independent criminal operators purchased VMs from providers running ISPsystem and conducted attacks from them, but the shared hostname does not indicate a shared operator. ISPsystem has patched the issue. The four most prevalent ISPsystem hostnames (WIN-LIVFRVQFMKO, WIN-BS656MOF35Q, WIN-344VU98D3RU, WIN-J9D866ESIJ2) account for over 95% of all internet-facing ISPsystem virtual machines and have been linked to LockBit, Conti, Qilin, BlackCat, WantToCry ransomware, Lazarus Group C2, and infostealer campaigns by independent operators.
Deliberate VM cloning by criminal operators constitutes the second, smaller population. WIN-BUNS25TD77J (RedVDS) and WIN-IS6O0UA2ENC are confirmed examples. Here, the hostname is a genuine operator fingerprint enabling tracking across IP rotation and provider changes.
The BPH ASN overlap analysis added a second independent validation signal, elevating four additional hostnames to confirmed anomalous status based on 80%+ of their IPs residing on known bulletproof hosting infrastructure. The combined confirmed anomalous population is 104 hostnames covering 49,134+ unique IPs.
Augur predictive threat intelligence confirmed 82,102 connection events from these IP ranges against customer organizations, with 4,294 currently active. The MENA financial institution and energy company target concentration is consistent with financially motivated threat actors operating from this infrastructure. The WIN- hostname fingerprint combined with JARM fingerprinting, cert issuance date analysis, and BPH ASN overlap remains a viable and durable detection mechanism as of April 2026.
For questions or additional analysis, contact: research@augursecurity.com

