Hackers exploit Russian Bulletproof host Proton66 in global cyber attack surge

Researchers have uncovered a dramatic increase in malicious activity emanating from IP addresses tied to a Russian bulletproof hosting provider known as Proton66.

According to a two-part report published last week by Trustwave SpiderLabs, Proton66 has become a central hub for cybercriminal operations since early January, facilitating a surge in mass scanning, credential brute-forcing, and exploitation attempts targeting a wide array of organizations across the globe.

The primary sources of these attacks were traced to IP ranges 45.135.232.0/24 and 45.140.17.0/24, both registered to Proton66.

“Several of the offending IP addresses were not previously associated with malicious behavior or had been dormant for over two years,” noted researchers Pawel Knapczyk and Dawid Nesterowicz.

Proton66 operates under a Russian autonomous system believed to be linked with another controversial network named PROSPERO. A 2024 report by French cybersecurity firm Intrinsec previously connected both entities to Russian underground cybercrime forums, where they were marketed under pseudonyms Securehost and BEARHOST – notorious names in bulletproof hosting services.

A February 2025 exposé by cybersecurity journalist Brian Krebs revealed that Prospero had begun routing operations through networks owned by Kaspersky Lab in Moscow. Though Kaspersky denied any involvement, clarifying that routing paths do not equate to service partnerships, the incident has raised eyebrows within the international security community.

Exploiting the Latest Vulnerabilities

Trustwave reports that malicious activity originating from Proton66’s IP 193.143.1[.]65 in February targeted a range of newly disclosed vulnerabilities, including:

  • CVE-2025-0108 (Palo Alto Networks PAN-OS auth bypass)
  • CVE-2024-41713 (Mitel MiCollab NPM input validation flaw)
  • CVE-2024-10914 (D-Link NAS command injection)
  • CVE-2024-55591 and CVE-2025-24472 (Fortinet FortiOS auth bypasses)

Exploitation of the Fortinet flaws was attributed to an initial access broker named Mora_001, known for deploying a ransomware strain dubbed SuperBlack.

Beyond exploitation attempts, Proton66’s infrastructure has been leveraged for extensive malware distribution campaigns, involving strains such as:

  • GootLoader and SpyNote for command-and-control (C2) hosting
  • XWorm and StrelaStealer for data exfiltration
  • WeaXor, a revamped variant of the infamous Mallox ransomware

One campaign employed compromised WordPress sites linked to Proton66’s 91.212.166[.]21 IP to redirect Android users to phishing pages disguised as Google Play listings. The redirect chain, facilitated by obfuscated JavaScript, targets users in France, Spain, and Greece, employing anti-bot and anti-VPN logic to evade detection.

Another operation singled out Korean-speaking chat users, tricking them into downloading ZIP files laced with XWorm. The infection chain uses Windows shortcuts (LNK) that launch PowerShell and Visual Basic Scripts to stealthily download and execute a .NET DLL containing the malware.

A separate phishing campaign was also detected targeting German speakers, with emails delivering StrelaStealer, which connects to a Proton66-hosted C2 at 193.143.1[.]205.

In light of these findings, cybersecurity experts are urging organizations to block all CIDR ranges linked to Proton66 and to Chang Way Technologies, a suspected affiliate of the provider based in Hong Kong.
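To show what the blocking and log-review advice looks like in practice, here is an added Python example that is not part of the Trustwave report or of this article. It builds a blocklist from the two /24 ranges and the three defanged host IPs quoted above, sweeps a set of constructed log lines for any address falling inside them, and emits matching iptables DROP rules. Only indicators printed in the article are included; the Chang Way Technologies ranges are not on the page, so a defender would append them from a vendor IoC list. The log lines, the `iptables_drop_rules` helper and the `scan_log` regex are assumptions of this example.

```python
import ipaddress
import re

# Indicators quoted in the article. Bracketed dots are the article's
# defanging; refang() restores them before parsing.
PROTON66_RANGES = ["45.135.232.0/24", "45.140.17.0/24"]
PROTON66_HOSTS = ["193.143.1[.]65", "91.212.166[.]21", "193.143.1[.]205"]

# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '2025-02-12T03:14:07Z sshd[2211]: Failed password for root from 45.135.232.17 port 52114 ssh2',
    '2025-02-12T03:14:09Z nginx: 10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '2025-02-12T03:15:41Z fw: allow tcp 45.140.17.200:44123 -> 203.0.113.10:443',
    '2025-02-12T03:16:02Z proxy: CONNECT 193.143.1.205:443 from 10.0.0.22',
    '2025-02-12T03:16:30Z dns: query update.example resolved to 198.51.100.7',
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 193.143.1[.]65 back into 193.143.1.65."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def build_blocklist(ranges, hosts):
    """Return ip_network objects; single hosts become /32 networks."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    nets += [ipaddress.ip_network(refang(h) + "/32") for h in hosts]
    return nets


def matching_network(ip: str, blocklist):
    """Return the first blocklisted network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr in net:
            return net
    return None


def scan_log(lines, blocklist):
    """Return (line_number, ip, network) for every address that hits the blocklist."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            try:
                net = matching_network(ip, blocklist)
            except ValueError:
                # The regex also matches non-addresses such as 999.1.1.1; skip them.
                continue
            if net is not None:
                hits.append((n, ip, str(net)))
    return hits


def iptables_drop_rules(blocklist):
    """Render one inbound DROP rule per blocklisted network (hypothetical helper)."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in blocklist]


if __name__ == "__main__":
    blocklist = build_blocklist(PROTON66_RANGES, PROTON66_HOSTS)
    for line_no, ip, net in scan_log(SAMPLE_LOG, blocklist):
        print(f"line {line_no}: {ip} is inside blocklisted {net}")
    print("\n".join(iptables_drop_rules(blocklist)))
```

Run against real logs, the same `scan_log` pass is a quick way to check whether any of the "previously dormant" addresses the researchers mention have already touched your perimeter before the block is applied; the rules are rendered as strings so they can be reviewed and fed to whatever firewall tooling is actually in use.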