Russian Bulletproof Hosting Service Proton66 Exploited in Global Cyberattacks
A Russian bulletproof hosting provider, Proton66, is being actively abused by malicious actors to launch widespread cyberattacks, security researchers have revealed. The service's infrastructure is reportedly being used to conduct large-scale scanning, brute-force login attempts, and exploit vulnerabilities across the internet.

Cybersecurity researchers are warning of a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses tied to a Russian bulletproof hosting service called Proton66.
According to a two-part analysis by Trustwave SpiderLabs, the activity has been observed since January 8, 2025, and it targets organizations around the world.
"Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active when it came to scanning and brute-force attempts," explain security researchers Pawel Knapczyk and Dawid Nesterowicz. They noted that some of these IP addresses hadn't been seen in malicious activity for over two years, or weren't known for it at all.
The Russian autonomous system Proton66 is believed to be linked to another autonomous system, PROSPERO. Last year, the French security firm Intrinsec reported that both are connected to bulletproof hosting services marketed on Russian cybercrime forums under the names Securehost and BEARHOST.
Several malware families, including GootLoader and SpyNote, have hosted their command-and-control (C2) servers and phishing pages on Proton66. Earlier this year, Brian Krebs reported that Prospero had begun routing its operations through networks run by Kaspersky Lab in Moscow.
Kaspersky, however, has denied any involvement with Prospero. They say the "routing through networks operated by Kaspersky doesn't by default mean provision of the company's services, as Kaspersky's automatic system (AS) path might appear as a technical prefix in the network of telecom providers the company works with and provides its DDoS services."
Trustwave's new analysis shows that in February 2025, malicious requests from an IP address in one of Proton66's net blocks (193.143.1[.]65) attempted to exploit several critical vulnerabilities:
- CVE-2025-0108 - Authentication bypass in Palo Alto Networks PAN-OS software.
- CVE-2024-41713 - Input validation issue in Mitel MiCollab's NuPoint Unified Messaging (NPM) component.
- CVE-2024-10914 - Command injection vulnerability in D-Link NAS devices.
- CVE-2024-55591 & CVE-2025-24472 - Authentication bypass flaws in Fortinet FortiOS.
Exploitation of the Fortinet flaws has been attributed to an initial access broker tracked as Mora_001, which has been observed deploying a new ransomware strain called SuperBlack.
The cybersecurity firm also found several malware campaigns tied to Proton66 distributing families such as XWorm, StrelaStealer, and the WeaXor ransomware.
In another campaign, compromised WordPress websites linked to the Proton66 IP address 91.212.166[.]21 redirect Android users to fake Google Play app listings that trick them into downloading malicious APK files.
Malicious JavaScript hosted on a Proton66 IP address performs the redirection. The campaign appears to target French, Spanish, and Greek speakers.
"The redirector scripts are obfuscated and perform several checks against the victim, such as excluding crawlers and VPN or proxy users," the researchers explained. "User IP is obtained through a query to ipify.org, then the presence of a VPN or proxy is verified through a subsequent query to ipinfo.io. Ultimately, the redirection occurs only if an Android browser is found."
There is also a ZIP archive hosted on a Proton66 IP address that deploys the XWorm malware, targeting Korean-speaking chat room users through social engineering.
The attack uses a Windows shortcut (LNK) that runs a PowerShell command. That command executes a Visual Basic Script, which downloads a Base64-encoded .NET DLL from the same IP address; the DLL in turn downloads and loads the XWorm binary.
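The LNK itself leaves no process of its own, but the chain it starts is visible in process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent) as explorer.exe spawning powershell.exe, which in turn spawns a script host. The following detection is an added example, not code from Trustwave or from the article; the process records, GUIDs, and the file name invite.vbs are constructed for illustration and are not indicators from the Proton66 campaign.

```python
"""Flag the explorer.exe -> powershell.exe -> wscript/cscript launch chain.

Added example. The event records below are constructed to resemble Sysmon
Event ID 1 fields; they are not captured Proton66 telemetry.
"""
from dataclasses import dataclass
import re


@dataclass
class ProcEvent:
    guid: str          # ProcessGuid
    parent_guid: str   # ParentProcessGuid
    image: str         # full path of the executable
    cmdline: str       # CommandLine


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# PowerShell switches and arguments commonly used by shortcut-launched loaders:
# hidden window, no profile, encoded command, or a direct .vbs reference.
SUSPICIOUS_PS = re.compile(
    r"(-w(?:indowstyle)?\s+hidden|-nop\b|-enc(?:odedcommand)?\b|\.vbs\b)", re.I
)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def find_lnk_chains(events):
    """Return one record per script host whose parent is PowerShell launched
    from explorer.exe (the shape a double-clicked malicious LNK produces)."""
    by_guid = {e.guid: e for e in events}
    hits = []
    for host in events:
        if basename(host.image) not in SCRIPT_HOSTS:
            continue
        ps = by_guid.get(host.parent_guid)
        if ps is None or basename(ps.image) != "powershell.exe":
            continue
        top = by_guid.get(ps.parent_guid)
        if top is None or basename(top.image) != "explorer.exe":
            continue
        flags = sorted({m.group(0).lower() for m in SUSPICIOUS_PS.finditer(ps.cmdline)})
        hits.append({
            "powershell_cmdline": ps.cmdline,
            "script_cmdline": host.cmdline,
            "flags": flags,
        })
    return hits


# Constructed sample telemetry: one malicious chain and two benign neighbours.
SAMPLE_EVENTS = [
    ProcEvent("E1", "S0", r"C:\Windows\explorer.exe", "explorer.exe"),
    # LNK target: PowerShell with a hidden window that hands off to a VBS (constructed).
    ProcEvent("P1", "E1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -nop -c "wscript.exe $env:PUBLIC\invite.vbs"'),
    ProcEvent("W1", "P1", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\Public\invite.vbs"),
    # Benign: an administrator opening an interactive shell from the desktop.
    ProcEvent("P2", "E1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoExit"),
    # Benign: a scheduled inventory script whose parent is not PowerShell.
    ProcEvent("C1", "S0", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent("W2", "C1", r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //nologo C:\Scripts\inventory.vbs"),
]


if __name__ == "__main__":
    for hit in find_lnk_chains(SAMPLE_EVENTS):
        print("LNK-style chain:", hit)
```

The rule keys on the parent relationship rather than on file names, so it survives renamed scripts; the regex only adds context (hidden window, encoded command) to help an analyst rank alerts. In a real deployment the script host's subsequent outbound connection (Sysmon Event ID 3) would be the next pivot, since the VBS in this campaign is what fetches the DLL.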
Proton66 infrastructure has also facilitated a phishing email campaign targeting German speakers with StrelaStealer, an information stealer that communicates with the IP address 193.143.1[.]205 for C2.
Finally, WeaXor ransomware, a reworked version of Mallox, has been observed contacting a C2 server in the Proton66 network (193.143.1[.]139).
Organizations should block all the Classless Inter-Domain Routing (CIDR) ranges linked to Proton66 and to Chang Way Technologies, a Hong Kong-based provider that is likely related. Block the ranges in both directions: inbound to stop the scanning and brute-force traffic, and outbound so that any already-infected host cannot reach the C2 addresses listed above. Blocking is a coarse control and does not replace patching the vulnerabilities named in this report, and since some of these addresses had no prior malicious history, reputation feeds alone may lag behind the published list.
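Turning the net blocks into something operational means matching existing logs against them and emitting firewall rules. The script below is an added example, not code from Trustwave or the article. Its blocklist contains only what this page names (45.135.232.0/24, 45.140.17.0/24, and the four individual IOC addresses) plus one labelled assumption, that the three 193.143.1.x hosts sit in a single /24; the article does not give that block's size, and Trustwave's full published range list, including the Chang Way Technologies ranges, is not reproduced here. The log lines are constructed.

```python
"""Match log traffic against Proton66 address ranges and emit drop rules.

Added example. PROTON66_CIDRS and PROTON66_IOCS are taken from the article;
ASSUMED_CIDRS is an assumption made here; SAMPLE_LOG is constructed.
"""
import ipaddress
import re

# Net blocks named in the article (Trustwave's list is longer; extend from it).
PROTON66_CIDRS = ["45.135.232.0/24", "45.140.17.0/24"]

# Individual indicators named in the article, defanged as printed.
PROTON66_IOCS = ["193.143.1[.]65", "193.143.1[.]205", "193.143.1[.]139", "91.212.166[.]21"]

# Assumption: treat the 193.143.1.x hosts as one /24. The article does not
# state the size of that net block; adjust to the published range.
ASSUMED_CIDRS = ["193.143.1.0/24"]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def build_blocklist(cidrs, iocs):
    """Combine ranges and single hosts, merging entries that overlap
    (a /32 inside a /24 collapses into the /24)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    nets += [ipaddress.ip_network(refang(i) + "/32") for i in iocs]
    return list(ipaddress.collapse_addresses(nets))


def lookup(ip: str, blocklist):
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr in net:
            return net
    return None


def scan_log(lines, blocklist):
    """Return (ip, matched_network, line) for every log line whose
    addresses fall inside the blocklist."""
    hits = []
    for line in lines:
        for ip in IP_RE.findall(line):
            try:
                net = lookup(ip, blocklist)
            except ValueError:      # e.g. an octet above 255
                continue
            if net is not None:
                hits.append((ip, str(net), line.strip()))
    return hits


def iptables_rules(blocklist):
    """Inbound drop for scanners, outbound drop so infected hosts cannot
    reach the C2 addresses."""
    rules = []
    for net in blocklist:
        rules.append(f"iptables -I INPUT -s {net.with_prefixlen} -j DROP")
        rules.append(f"iptables -I OUTPUT -d {net.with_prefixlen} -j DROP")
    return rules


# Constructed sample: two sshd auth lines and three web access-log lines.
SAMPLE_LOG = [
    "Feb 12 03:14:07 host sshd[2211]: Failed password for root from 45.140.17.88 port 51022 ssh2",
    "Feb 12 03:14:09 host sshd[2213]: Failed password for admin from 203.0.113.9 port 40110 ssh2",
    '45.135.232.14 - - [12/Feb/2025:03:15:01 +0000] "GET /login HTTP/1.1" 404 162',
    '203.0.113.7 - - [12/Feb/2025:03:15:03 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '193.143.1.65 - - [12/Feb/2025:03:15:10 +0000] "GET / HTTP/1.1" 200 3071',
]


if __name__ == "__main__":
    blocklist = build_blocklist(PROTON66_CIDRS + ASSUMED_CIDRS, PROTON66_IOCS)
    for ip, net, line in scan_log(SAMPLE_LOG, blocklist):
        print(f"{ip} in {net}: {line}")
    print("\n".join(iptables_rules(blocklist)))
```

Feeding the script your actual auth and access logs answers the first incident-response question (has this infrastructure already touched us?) before the rules go in; the collapse step matters because vendors publish both ranges and single hosts, and a rule set with a /32 shadowed by a /24 is harder to audit.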