Sophos researchers are bad, here's why
- February 6, 2026
- 10:23 pm
- News

Over the past few days, our support team has received multiple alerts regarding a report published by the research team at Sophos (https://www.sophos.com/en-gb/blog/malicious-use-of-virtual-machine-infrastructure).
For those unaware, Sophos is a British security software and hardware company, supposedly renowned for its expertise in cybersecurity threat analysis. However, after reading their latest piece concerning us, we have serious doubts about the quality of their “investigation.”
The report accuses rdp.monster of being a subsidiary of (or owning) “MasterRDP,” of providing services specifically tailored for criminals to conduct phishing campaigns, and of operating as a “bulletproof” host.
We have read the article carefully. Our conclusion? Everything inside is false, baseless, and defamatory. Let’s debunk this “research” point by point.
The Myth: “MasterRDP = rdp.monster”
According to the “super researchers” at Sophos, rdp.monster either belongs to MasterRDP or vice versa.
We were quite surprised to learn this ourselves! We are always delighted to discover we have ghost partners we’ve never met. But let’s be serious for a moment: rdp.monster belongs to… rdp.monster.
We have hundreds of resellers globally. MasterRDP is not one of them. There is no corporate link, no shared infrastructure, and no partnership. This is a classic case of mistaken identity or lazy association.
The “Shared Hostnames” Accusation
The article lists several specific Windows RDP hostnames that were allegedly used for malicious activities, linking them to us.
We checked our database. NONE of the hostnames mentioned by Sophos belong to rdp.monster. A simple WHOIS or IP check would have cleared this up in seconds.
The ISPsystem Hallucination
Sophos claims that rdp.monster uses ISPsystem software for deploying its Virtual Machines (VMs).
Wrong again. We do not use ISPsystem. We never have.
Verifying this information is incredibly easy: just buy a VPS and look at the panel. But perhaps purchasing an $8.99 server was too expensive for the Sophos research budget?
To help the research team verify their facts next time, we created a special promo code.
Use code SOPHOS10 for 10% OFF.
(This will allow you to log in and see that you are wrong from A to Z).
Imaginary Suppliers
The report lists several companies as our upstream providers: First Server Limited, Stark Industries Solutions Ltd, Zomro, etc.
Out of the list of 5 providers mentioned… zero are providers for rdp.monster. Neither currently nor historically. It seems the research methodology involved throwing darts at a map of hosting companies.
Servers in Russia, Iran, and Kazakhstan?
This is our favorite part. Apparently, rdp.monster operates servers in Russia, Iran, and Kazakhstan.
We would love to know the addresses of these data centers so we can visit them!
How can anyone take this report seriously when rdp.monster only offers servers in Europe (France, Germany, UK, Netherlands) and the USA? This information is publicly available on our homepage. One click. That’s all it took to verify.
The Grain of Truth (And where Sophos is right)
To be fair, not everything is wrong. Sophos correctly noted that rdp.monster is present on many internet forums, including some black-hat or gray-hat SEO communities.
Yes, this is true. We market our services everywhere. We do SEO and SEA. We are a business, and we sell hosting infrastructure. However, advertising on a forum does not make us a “criminal host.”
rdp.monster is NOT a bulletproof host. Never was, never will be.
Our Terms of Service (ToS) are crystal clear. We have zero tolerance for phishing or illegal activities. We are integrated with major abuse reporting APIs (SBL, CSS, AbuseIPDB) and we suspend instances immediately upon verified abuse reports.
Conclusion
We advocate for privacy and data respect, not for crime. There is a massive difference between an “Anonymous VPS” (protecting user identity) and a “Bulletproof VPS” (protecting criminal activity). rdp.monster stands for the former.
We are waiting for a correction from the Sophos team regarding this misleading research. In the meantime, we remain available for any questions—or if they need a tutorial on how to use `traceroute`.
To the Sophos research team, no hard feelings, but… you dropped this.