Recent cybersecurity research has revealed a significant increase in cyber threats linked to the Russian bulletproof hosting service, Proton66. Analysts have documented a variety of malicious activities that include mass scanning, credential brute-forcing, and exploitation attempts emanating from this provider, with the uptick in activity noted since January 8, 2025. The Trustwave SpiderLabs team, in a detailed two-part report, stated that organizations across the globe have fallen victim to these aggressive tactics.

The research highlighted two net blocks in particular, 45.135.232.0/24 and 45.140.17.0/24, as the most active sources of mass scanning and brute-force attacks. Security researchers Pawel Knapczyk and Dawid Nesterowicz noted that several IP addresses connected with these campaigns had not previously been flagged as malicious and had been inactive for over two years.

The autonomous system controlling Proton66 is suspected to be associated with another system known as PROSPERO. A previous investigation by French security firm Intrinsec uncovered ties between Proton66 and bulletproof hosting services advertised on Russian cybercrime forums, such as Securehost and BEARHOST.

Notably, various malware families, including GootLoader and SpyNote, have utilized Proton66 for hosting command-and-control (C2) servers and phishing pages. In a recent disclosure, cybersecurity reporter Brian Krebs noted that operations from PROSPERO have begun routing traffic through networks managed by Kaspersky Lab. However, Kaspersky has denied any collaboration with PROSPERO, emphasizing that their network may appear in routing paths without providing direct services.

Trustwave’s latest findings reveal that requests originating from Proton66’s net block (specifically 193.143.1[.]65) attempted to exploit critical vulnerabilities such as CVE-2025-0108, an authentication bypass in Palo Alto Networks PAN-OS, and CVE-2024-41713, an input validation flaw in Mitel MiCollab. The tactics employed by the attackers fall under the MITRE ATT&CK techniques “initial access” and “exploitation of remote services,” indicating methods aimed at discovering and exploiting weaknesses across a range of platforms.

The report further reveals that Proton66 is not only a hub for malware distribution but also plays a pivotal role in redirecting traffic through compromised WordPress websites. One such IP address, 91.212.166[.]21, has been implicated in redirecting Android users to fraudulent app listings that mimic legitimate offerings on the Google Play Store. This campaign is geared towards French, Spanish, and Greek-speaking users, deploying malicious JavaScript to facilitate the redirection.

Moreover, a ZIP archive hosted on Proton66 has been noted for facilitating the deployment of XWorm malware, specifically targeting Korean-speaking chat room users through social engineering. The attack sequence begins with a Windows Shortcut that invokes a PowerShell command leading to the execution of a Visual Basic Script designed to download a malicious .NET DLL.

Proton66’s infrastructure has facilitated numerous phishing campaigns, particularly those aimed at German-speaking individuals featuring StrelaStealer, an information-stealing malware that connects to the C2 via its infrastructure. Additionally, the WeaXor ransomware artifacts—an enhanced variant of Mallox—have been observed interacting with a Proton66 server for C2 communications.

In light of this evolving threat landscape, organizations are urged to block all CIDR ranges associated with Proton66 as well as related suppliers like Chang Way Technologies, which is believed to be linked to these activities. Businesses must remain vigilant and proactive in their cybersecurity measures to counteract the persistent and sophisticated tactics employed by these threat actors.
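As an added example (not from the Trustwave report or this article), the following Python turns the indicators quoted above into a block list, normalizes their defanged notation, checks constructed sample web log lines for source addresses inside those ranges, and emits firewall rules for review. The log format, the sample lines and the iptables rule shape are assumptions; any further ranges (such as those for Chang Way Technologies) are not on this page and must be taken from the vendor's full indicator list.

```python
import ipaddress
import re

# Indicators quoted in the article: two /24 net blocks and two defanged IPs.
PROTON66_INDICATORS = [
    "45.135.232.0/24",
    "45.140.17.0/24",
    "193.143.1[.]65",
    "91.212.166[.]21",
]

# Constructed sample log lines (not real traffic): "timestamp ip method path status".
SAMPLE_LOG = """\
2025-01-09T03:12:41Z 45.135.232.17 POST /login 403
2025-01-09T03:12:42Z 203.0.113.10 GET /index.html 200
2025-01-09T03:13:05Z 193.143.1.65 GET /api/ 404
2025-01-09T03:14:20Z 198.51.100.7 GET /login 200
2025-01-09T03:15:02Z 45.140.17.200 POST /wp-login.php 401
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

def refang(indicator: str) -> str:
    """Turn defanged notation such as 193.143.1[.]65 back into a usable address."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def build_blocklist(indicators):
    """Parse CIDRs and single hosts into ip_network objects (hosts become /32)."""
    return [ipaddress.ip_network(refang(i), strict=False) for i in indicators]

def matching_networks(ip: str, blocklist):
    """Return the block-list entries that contain the given source address."""
    addr = ipaddress.ip_address(ip)
    return [str(net) for net in blocklist if addr in net]

def scan_log(text: str, blocklist):
    """Report every parsed log line whose source IP falls inside a listed range."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        nets = matching_networks(m["ip"], blocklist)
        if nets:
            hits.append({"line": lineno, "ip": m["ip"], "path": m["path"], "matched": nets})
    return hits

def to_iptables_rules(blocklist):
    """Emit one DROP rule per network for an operator to review before applying."""
    return [f"iptables -I INPUT -s {net.with_prefixlen} -j DROP" for net in blocklist]

if __name__ == "__main__":
    bl = build_blocklist(PROTON66_INDICATORS)
    for hit in scan_log(SAMPLE_LOG, bl):
        print(f"line {hit['line']}: {hit['ip']} {hit['path']} matched {hit['matched']}")
    print("\n".join(to_iptables_rules(bl)))
```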
