Proton66 Hosting Service Exploited in Global Cyberattacks

Article Highlights
Off On

The global cybersecurity landscape has been significantly impacted by the exploitation of Proton66, a Russian bulletproof hosting service provider. Since January 8, 2025, cybersecurity researchers from Trustwave SpiderLabs have observed a disturbing increase in malicious activities such as mass scanning, credential brute-forcing, and exploitation attempts originating from Proton66’s IP addresses. Specifically, net blocks 45.135.232.0/24 and 45.140.17.0/24 have demonstrated notable activity. Alarmingly, several of the IP addresses involved were previously unrelated to malicious actions or had been dormant for years, raising concerns about the evolving capabilities of cybercriminals leveraging Proton66’s infrastructure.

Connection to PROSPERO and Historical Context

Proton66’s link to another autonomous system named PROSPERO adds a layer of complexity to its operations. Historically connected to bulletproof hosting services such as Securehost and BEARHOST, PROSPERO has been a notable player in Russian cybercrime forums. This connection enhances Proton66’s ability to support various cyberattacks. Several malware families, including GootLoader and SpyNote, have exploited Proton66 to host their command-and-control servers and phishing pages, underlining its operational significance. In February 2025, revelations indicated that PROSPERO had been routing operations through networks managed by Kaspersky Lab, although Kaspersky firmly denies any collaboration. This historical backdrop provides insights into Proton66’s expanded role in recent cyberattacks. Exploitation of critical vulnerabilities such as CVE-2025-0108, CVE-2024-41713, CVE-2024-10914, CVE-2024-55591, and CVE-2025-24472 underscores the advanced threat landscape. Notably, an access broker known as Mora_001 exploited two Fortinet FortiOS flaws to deliver a new ransomware strain called SuperBlack, emphasizing the potency of such vulnerabilities in facilitating complex attacks.

Noteworthy Malware Campaigns and Exploitation Techniques

Trustwave’s findings highlight various malware campaigns associated with Proton66, revealing sophisticated techniques used in these attacks. Among the notable campaigns is the distribution of XWorm, StrelaStealer, and a ransomware known as WeaXor. One particularly concerning campaign involved compromised WordPress sites linked to the Proton66 IP address 91.212.166[.]21, which redirected Android users to phishing pages mimicking Google Play. These phishing pages deceived users into downloading malicious APK files. The redirection mechanism employed obfuscated JavaScript and implemented checks to exclude crawlers and VPN users, targeting French, Spanish, and Greek speakers. Another significant Proton66 activity involved malware deployment through a ZIP archive, which led to XWorm infiltration. This campaign specifically targeted Korean-speaking chat room users, employing a complex sequence starting from a Windows shortcut executing a PowerShell command, eventually downloading and running the XWorm binary. Additionally, Proton66 infrastructure was linked to a phishing campaign targeting German-speaking users with StrelaStealer, which communicated with a specific command-and-control (C2) IP address, further demonstrating the adaptability and range of Proton66-facilitated attacks.

Mitigation Strategies and Future Considerations

The WeaXor ransomware, a revised iteration of Mallox, was also discovered communicating with a Proton66 C2 server, posing significant risks to targeted organizations. In light of these threats, cybersecurity experts advocate for blocking all Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 as well as Chang Way Technologies, a potentially related provider based in Hong Kong. This proactive measure aims to minimize the risk of cyber threats emanating from this infrastructure. Organizations must prioritize robust monitoring and advanced threat detection to mitigate potential vulnerabilities. Continuous updates to security protocols, alongside comprehensive training for personnel, are essential in staying ahead of evolving cyber threats. By focusing on these strategies, entities can better defend against the diverse range of attacks facilitated by Proton66 and similar malicious infrastructures.

Moving Forward

The global cybersecurity scene has been deeply affected by the misuse of Proton66, a Russian bulletproof hosting service. Since January 8, 2025, Trustwave SpiderLabs’ cybersecurity experts have witnessed a troubling rise in malicious activities linked to Proton66’s IP addresses, including mass scanning, credential brute-forcing, and exploitation attempts. Particularly, net blocks 45.135.232.0/24 and 45.140.17.0/24 have shown significant activity. Disturbingly, some of these IP addresses had no prior history of malicious use or had been inactive for several years, raising serious concerns about the growing capabilities of cybercriminals who are exploiting Proton66’s infrastructure. This development indicates an alarming shift in cyber threats, making it evident that these criminals are evolving and becoming more sophisticated. The use and abuse of such services highlight the need for stronger cybersecurity measures and more vigilant monitoring to counteract these emerging threats in the digital landscape.

Explore more

Agency Management Software – Review

Setting the Stage for Modern Agency Challenges Imagine a bustling marketing agency juggling dozens of client campaigns, each with tight deadlines, intricate multi-channel strategies, and high expectations for measurable results. In today’s fast-paced digital landscape, marketing teams face mounting pressure to deliver flawless execution while maintaining profitability and client satisfaction. A staggering number of agencies report inefficiencies due to fragmented

Edge AI Decentralization – Review

Imagine a world where sensitive data, such as a patient’s medical records, never leaves the hospital’s local systems, yet still benefits from cutting-edge artificial intelligence analysis, making privacy and efficiency a reality. This scenario is no longer a distant dream but a tangible reality thanks to Edge AI decentralization. As data privacy concerns mount and the demand for real-time processing

SparkyLinux 8.0: A Lightweight Alternative to Windows 11

This how-to guide aims to help users transition from Windows 10 to SparkyLinux 8.0, a lightweight and versatile operating system, as an alternative to upgrading to Windows 11. With Windows 10 reaching its end of support, many are left searching for secure and efficient solutions that don’t demand high-end hardware or force unwanted design changes. This guide provides step-by-step instructions

Mastering Vendor Relationships for Network Managers

Imagine a network manager facing a critical system outage at midnight, with an entire organization’s operations hanging in the balance, only to find that the vendor on call is unresponsive or unprepared. This scenario underscores the vital importance of strong vendor relationships in network management, where the right partnership can mean the difference between swift resolution and prolonged downtime. Vendors

Immigration Crackdowns Disrupt IT Talent Management

What happens when the engine of America’s tech dominance—its access to global IT talent—grinds to a halt under the weight of stringent immigration policies? Picture a Silicon Valley startup, on the brink of a groundbreaking AI launch, suddenly unable to hire the data scientist who holds the key to its success because of a visa denial. This scenario is no