Russian Host Proton66 Linked to SuperBlack and WeaXor Ransomware

Increased Cyber Threats Linked to Proton66’s Bulletproof Hosting Service

Cybersecurity analysts at Trustwave’s SpiderLabs have identified an alarming rise in cybercriminal activities emanating from Proton66, a Russian bulletproof hosting provider. These services, notoriously favored by malicious actors for their lenient operational policies, are reportedly linked to a variety of attacks, including operations conducted by SuperBlack ransomware groups, distribution of Android malware through compromised WordPress sites, and targeted assaults utilizing XWorm and Strela Stealer. The spectrum of activities appears to be connected to potential affiliations with a Hong Kong-based entity, Chang Way Technologies.

This surge in cyber threats was meticulously recorded following significant research that began in early January 2025. The analysis unveiled an escalation in mass scanning, credential brute-forcing, and exploitation attempts originating from ASN 198953, the network identifier for Proton66. Such activities characterize an aggressive probing for system vulnerabilities and unauthorized access to user credentials on a massive scale.

SpiderLabs reported that while January 2025 saw a notable uptick in malicious traffic from the Proton66 network, the volume dropped sharply in February. The most frequently targeted network blocks included 45.135.232.0/24 and 45.140.17.0/24, with some previously active blocks having gone silent since mid-2021. The intensity of these attacks underscores the endpoint risks many organizations face from well-resourced adversaries leveraging sophisticated techniques.

Notably, the IP address 193.143.1.65 was linked to operations by the SuperBlack ransomware group, which has been deploying some of the latest critical exploit techniques noted in the field. Recent intelligence points to malware campaigns involving compromised WordPress pages that lead unsuspecting Android users to fraudulent Google Play Store-like sites aimed at harvesting personal data or disseminating harmful applications. This tactic illustrates a broad targeting strategy, reaching users of various demographics, as evident from domain registrations designed for English, French, Spanish, and Greek speakers.

Additionally, the investigation unveiled that Strela Stealer, a tool used to extract email credentials, was actively in play between January and February 2025. Another significant campaign, targeting Korean-speaking chat room users, involved XWorm malware, revealing a diverse attack landscape catering to different linguistic audiences. Moreover, connections to WeaXor ransomware, a variant of Mallox demanding BTC or USDT for file recovery, were also documented.

Intriguingly, the probe into Proton66 hinted at a rebranding or possible operational link to Chang Way Technologies. Previous work by security firm Intrinsec has connected Proton66 with other underground bulletproof hosting services advertised on illicit forums. Despite a change in front-facing web elements, historical ties in the technical infrastructure suggest a continuity that could be strategically leveraged by cybercriminals.

The primary targets of these expanded campaigns have included technology and financial organizations. However, the SuperBlack ransomware group has shown a particular interest in non-profit and engineering sectors, hinting at a wider array of motivations behind their ransomware deployments. Notably, recent research attributed similar tactics to a threat actor known as Mora_001, which successfully exploited vulnerabilities in Fortinet’s FortiOS, accentuating the need for organizations to bolster their defensive postures against known vulnerabilities.

Moreover, hackers have exploited flaws in Palo Alto Networks’ PAN-OS software and Mitel MiCollab products, with D-Link NAS devices also identified as vulnerable due to their end-of-life status. In the face of such pervasive threats, security experts strongly advise organizations to block all IP address ranges associated with Proton66 and Chang Way Technologies to mitigate potential compromises.

As the landscape of cyber threats continues to evolve, professionals must remain vigilant. Patterns of brute-force attempts and coordinated attacks necessitate a proactive security posture, underscoring the importance of monitoring login activities, enhancing defenses on exposed services, and implementing risk-reduction strategies to deter low-effort adversaries. The findings amplify the pressing need for comprehensive cybersecurity measures across all sectors to protect sensitive information in an increasingly hostile digital environment.
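The two defensive recommendations above (block the Proton66 ranges, monitor login activity) can be combined in a small triage script. The following is an added example, not code from Trustwave or the report: it matches failed-login sources against the network blocks and the single address quoted in this article (the full report lists more), counts failures per source, and emits nftables-style drop rules. The log lines are constructed for the demonstration, and the rules assume a table `inet filter` with an `input` chain already exists.

```python
"""Flag SSH login failures from Proton66 ranges named in the article and
emit matching firewall rules. Added example; log lines are constructed."""
import ipaddress
import re
from collections import Counter

# Ranges quoted in the article (ASN 198953). The report lists more; this is
# a starting point, not the complete watch list.
PROTON66_RANGES = [ipaddress.ip_network(n) for n in (
    "45.135.232.0/24",
    "45.140.17.0/24",
    "193.143.1.65/32",
)]

# Constructed sshd-style log lines for the demonstration.
SAMPLE_LOG = """\
Jan 14 03:12:01 bastion sshd[2211]: Failed password for root from 45.135.232.17 port 51234 ssh2
Jan 14 03:12:02 bastion sshd[2211]: Failed password for root from 45.135.232.17 port 51236 ssh2
Jan 14 03:12:05 bastion sshd[2214]: Failed password for invalid user admin from 45.140.17.9 port 40022 ssh2
Jan 14 03:12:09 bastion sshd[2219]: Accepted publickey for deploy from 10.0.4.12 port 55100 ssh2
Jan 14 03:12:11 bastion sshd[2220]: Failed password for invalid user oracle from 198.51.100.23 port 41001 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)

def in_watchlist(ip):
    """True if the address falls inside any watch-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTON66_RANGES)

def flag_failed_logins(log_text):
    """Return {source_ip: failure_count} for failures from watch-listed ranges."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and in_watchlist(m.group(2)):
            hits[m.group(2)] += 1
    return dict(hits)

def block_rules(ranges=PROTON66_RANGES):
    """One nftables drop rule per watch-listed network (assumes inet filter/input)."""
    return [f"add rule inet filter input ip saddr {net.with_prefixlen} drop"
            for net in ranges]

if __name__ == "__main__":
    for ip, n in flag_failed_logins(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins from a Proton66 range")
    print("\n".join(block_rules()))
```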
