Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery

By The Hacker News
April 21, 2025


Apr 21, 2025Ravie LakshmananVulnerability / Threat Intelligence

Cybersecurity researchers have disclosed a surge in “mass scanning, credential brute-forcing, and exploitation attempts” originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66.

The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week.

“Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts,” security researchers Pawel Knapczyk and Dawid Nesterowicz said. “Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years.”

The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named PROSPERO. Last year, French security firm Intrinsec detailed their connections to bulletproof services marketed on Russian cybercrime forums under the names Securehost and BEARHOST.


Several malware families, including GootLoader and SpyNote, have hosted their command-and-control (C2) servers and phishing pages on Proton66. Earlier this February, security journalist Brian Krebs revealed that Prospero has begun routing its operations through networks run by Russian antivirus vendor Kaspersky Lab in Moscow.

However, Kaspersky denied that it has worked with Prospero, stating that “routing through networks operated by Kaspersky doesn’t by default mean provision of the company’s services, as Kaspersky’s automatic system (AS) path might appear as a technical prefix in the network of telecom providers the company works with and provides its DDoS services.”

Trustwave’s latest analysis has revealed that the malicious requests originating from one of Proton66’s net blocks (193.143.1[.]65) in February 2025 attempted to exploit some of the most recent critical vulnerabilities –

  • CVE-2025-0108 – An authentication bypass vulnerability in the Palo Alto Networks PAN-OS software
  • CVE-2024-41713 – An insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab
  • CVE-2024-10914 – A command injection vulnerability in D-Link NAS devices
  • CVE-2024-55591 & CVE-2025-24472 – Authentication bypass vulnerabilities in Fortinet FortiOS

It’s worth noting that the exploitation of the two Fortinet FortiOS flaws has been attributed to an initial access broker dubbed Mora_001, which has been observed delivering a new ransomware strain called SuperBlack.

The cybersecurity firm said it also observed several malware campaigns linked to Proton66 that are designed to distribute malware families like XWorm, StrelaStealer, and a ransomware named WeaXor.

Another notable activity concerns the use of compromised WordPress websites related to the Proton66-linked IP address “91.212.166[.]21” to redirect Android device users to phishing pages that mimic Google Play app listings and trick users into downloading malicious APK files.

The redirections are facilitated by means of malicious JavaScript hosted on the Proton66 IP address. Analysis of the fake Play Store domain names indicates that the campaign is designed to target French-, Spanish-, and Greek-speaking users.


“The redirector scripts are obfuscated and perform several checks against the victim, such as excluding crawlers and VPN or proxy users,” the researchers explained. “User IP is obtained through a query to ipify.org, then the presence of a VPN on the proxy is verified through a subsequent query to ipinfo.io. Ultimately, the redirection occurs only if an Android browser is found.”

Also hosted on one of the Proton66 IP addresses is a ZIP archive that leads to the deployment of the XWorm malware, specifically singling out Korean-speaking chat room users through social engineering schemes.

The first stage of the attack is a Windows Shortcut (LNK) that executes a PowerShell command, which then runs a Visual Basic Script that, in turn, downloads a Base64-encoded .NET DLL from the same IP address. The DLL proceeds to download and load the XWorm binary.

Proton66-linked infrastructure has also been used to facilitate a phishing email campaign targeting German-speaking users with StrelaStealer, an information stealer that communicates with an IP address (193.143.1[.]205) for C2.

Last but not least, WeaXor ransomware artifacts – a revised version of Mallox – have been found contacting a C2 server in the Proton66 network (“193.143.1[.]139”).

Organizations are advised to block all the Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 and Chang Way Technologies, a likely related Hong Kong-based provider, to neutralize potential threats.
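One way to act on this advice at the log level, as an added example that is not part of the article or of Trustwave's tooling: a small Python scanner that flags web-server entries whose source address falls inside the ranges the article quotes. The block list is limited to the net blocks and hosts named above and is not the full Proton66 or Chang Way CIDR set; the log lines are constructed.

```python
"""Flag web-server log entries sourced from the Proton66-linked ranges the
article quotes. Added example; the list below is NOT the complete set of
Proton66 / Chang Way Technologies CIDRs the blocking advice refers to."""
import ipaddress
import re

# Net blocks and hosts quoted in the article (defanged "[.]" removed).
PROTON66_RANGES = [
    ipaddress.ip_network("45.135.232.0/24"),
    ipaddress.ip_network("45.140.17.0/24"),
    ipaddress.ip_network("193.143.1.65/32"),
    ipaddress.ip_network("193.143.1.205/32"),
    ipaddress.ip_network("193.143.1.139/32"),
    ipaddress.ip_network("91.212.166.21/32"),
]

# Apache/nginx combined-format prefix: client IP ... [timestamp] "request line".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 193.143.1[.]65 into a real address."""
    return indicator.replace("[.]", ".")

def is_blocked(ip: str) -> bool:
    """True if the address lies in any listed Proton66-linked range."""
    try:
        addr = ipaddress.ip_address(refang(ip))
    except ValueError:  # malformed field: do not crash the scan
        return False
    return any(addr in net for net in PROTON66_RANGES)

def flag_log_lines(lines):
    """Return (ip, request) pairs for entries sourced from the listed ranges."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_blocked(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '45.135.232.17 - - [10/Feb/2025:03:12:44 +0000] "GET /login HTTP/1.1" 401 0',
    '203.0.113.5 - - [10/Feb/2025:03:12:45 +0000] "GET /index.html HTTP/1.1" 200 512',
    '193.143.1.65 - - [10/Feb/2025:03:13:01 +0000] "POST /api/v1/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, req in flag_log_lines(SAMPLE_LOG):
        print(f"blocked-range source {ip}: {req}")
```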
