InsighthubNews
© 2024 All Rights Reserved | Powered by Insighthub News
Technology

Hackers abuse Russian bulletproof host Proton66 for global attacks and malware delivery

April 21, 2025 5 Min Read
Russian Bulletproof Host Proton66
Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting provider named Proton66.

According to a two-part analysis published by Trustwave SpiderLabs, the activity, detected since January 8, 2025, targets organizations around the world.

“Netblocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scans and brute force attempts,” said security researchers Pawel Knapczyk and Dawid Nesterwicz. “Some of the problematic IP addresses were previously not seen as involved in malicious activities and were inactive for over two years.”

The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named Prospero. Last year, French security company Intrinsec detailed Prospero's connections to bulletproof hosting services marketed on Russian cybercrime forums under the names Securehost and BEARHOST.

Several malware families, including GootLoader and SpyNote, have hosted command-and-control (C2) servers and phishing pages on Proton66. Earlier this February, security journalist Brian Krebs reported that Prospero had begun routing its operations through a network run by the Moscow-based Russian anti-virus vendor Kaspersky Lab.

Kaspersky, however, denied working with Prospero. The company stated that its autonomous system (AS) may appear in the AS path as a technical prefix because it provides DDoS protection services, and that "routing through networks operated by Kaspersky does not mean provision of the company's services."

The Trustwave analysis also notes that, in February 2025, a malicious request originating from one of the Proton66 netblocks (193.143.1[.]65) attempted to exploit several recently disclosed critical vulnerabilities:

  • CVE-2025-0108 – Palo Alto Networks PAN-OS authentication bypass vulnerability
  • CVE-2024-41713 – Insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab
  • CVE-2024-10914 – Command injection vulnerability in D-Link NAS devices
  • CVE-2024-55591 & CVE-2025-24472 – Fortinet FortiOS authentication bypass vulnerabilities

It is worth noting that exploitation of the two Fortinet FortiOS flaws has been attributed to an initial access broker tracked as Mora_001, which has been observed delivering a new ransomware strain called SuperBlack.

The cybersecurity company also observed several malware campaigns linked to Proton66 that distribute XWorm, StrelaStealer, and the Weaxor ransomware.

Another notable activity involves compromised WordPress websites tied to the Proton66-linked IP address 91.212.166[.]21, which redirect Android device users to phishing pages that mimic Google Play app listings and trick them into downloading malicious APK files.

The redirection is facilitated by malicious JavaScript hosted on a Proton66 IP address. Analysis of the fake Play Store domain names shows that the campaign targets French-, Spanish- and Greek-speaking users.

"The redirector script is obfuscated and performs several checks on the victim, including excluding crawlers and VPN or proxy users," the researchers explained. "The user's IP is retrieved through a query to ipify.org. The presence of a VPN or proxy is then verified through subsequent queries to ipinfo.io. Ultimately, the redirection only occurs when an Android browser is detected."

Also hosted on one of the Proton66 IP addresses is a ZIP archive that leads to the deployment of the XWorm malware. This campaign targets Korean-speaking chat room users, most likely by way of social engineering.

The first stage of the attack is a Windows shortcut (LNK) file that runs PowerShell commands. These in turn run a Visual Basic script that downloads a base64-encoded .NET DLL from the same IP address. The DLL then downloads and loads the XWorm binary.
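The second stage of that chain carries its DLL as a base64 string inside a script, which is why a naive "does the download start with MZ" check misses it. The following is an added example written for this page, not Trustwave's code and not tied to the actual XWorm samples: it decodes long base64 runs found in a fetched blob and checks whether the result has a valid DOS header, `e_lfanew` pointer and PE signature, then reads the COFF header to tell a DLL from an EXE. The 200-character run threshold and the constructed PE-shaped sample (which is not a real or loadable DLL) are both assumptions.

```python
import base64
import binascii
import re
import struct
from typing import Dict, List, Optional

# Heuristic: a base64 run long enough to plausibly encode an executable image.
# 200 chars is an assumption; a real .NET DLL encodes to tens of thousands.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

IMAGE_FILE_DLL = 0x2000


def looks_like_pe(data: bytes) -> Optional[Dict]:
    """Return header facts if `data` starts with a PE image, else None.

    Checks the DOS magic, follows e_lfanew to the 'PE\\0\\0' signature and
    reads the COFF file header that follows it.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": hex(machine),
        "sections": nsections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "optional_header_size": opt_size,
    }


def find_embedded_pe(blob: bytes) -> List[Dict]:
    """Find PE images in `blob`, either raw or hidden in base64 string
    literals (the form a VBScript/PowerShell dropper carries them in)."""
    hits = []
    raw = looks_like_pe(blob)
    if raw:
        hits.append({**raw, "encoding": "raw", "offset": 0})
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]   # drop a trailing partial quantum
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        info = looks_like_pe(decoded)
        if info:
            hits.append({**info, "encoding": "base64", "offset": m.start(),
                         "decoded_size": len(decoded)})
    return hits


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal PE-shaped blob (DOS header, DOS stub,
    'PE' signature, COFF header) padded to 512 bytes. It is not a real or
    loadable DLL; it exists only so the detector has something to find."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64 + len(stub))   # e_lfanew -> after stub
    # Machine=0x14c (i386), 0 sections, no symbols, optional header size 0,
    # characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0x2102)
    return (bytes(dos) + stub + b"PE\0\0" + coff).ljust(512, b"\0")


# Constructed stand-in for the second-stage script: the DLL bytes sit in a
# base64 string literal, as a dropper would carry them. Not a real sample.
SAMPLE_DROPPER = (
    b'Dim payload\r\n'
    b'payload = "' + base64.b64encode(build_fake_pe()) + b'"\r\n'
    b"' decoding and reflective loading deliberately omitted\r\n"
)

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_DROPPER):
        print(hit)
```

Run against anything the VBScript stage fetches (or the script itself, if you can pull it); a hit with `is_dll` set at a large `decoded_size` is the .NET stage described above, and the same check catches PowerShell droppers that feed `[Reflection.Assembly]::Load` from a string.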


Proton66-linked infrastructure is also used in phishing email campaigns targeting German-speaking users with StrelaStealer, an information stealer that communicates with a C2 server at the IP address 193.143.1[.]205.

Finally, a Weaxor ransomware artifact (a revised version of Mallox) was found to contact a C2 server on the Proton66 network (193.143.1[.]139).

Organizations are advised to block all Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 and with Chang Way Technologies, a likely related provider based in Hong Kong, to neutralize potential threats.
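Before adding the block, it is worth confirming how much of the noise in your own logs actually comes from these ranges. The following is an added example for this page, not Trustwave's tooling: it aggregates sshd "Failed password" lines and web-server access lines by source IP, tags sources inside the netblocks quoted earlier (45.135.232.0/24 and 45.140.17.0/24), and emits nftables drop rules. The third range, 193.143.1.0/24, is an assumption inferred from the 193.143.1.x addresses cited in the text; no Chang Way Technologies ranges are given on the page, so none are included. The log lines are constructed, and the nft commands assume an existing `inet filter` table with an `input` chain.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Netblocks the report names as most active (quoted above), plus, as an assumption,
# the /24 that contains the 193.143.1.x scanner and C2 addresses cited in the text.
# Chang Way Technologies ranges are not given on the page and are not included.
PROTON66_NETS = [ipaddress.ip_network(c) for c in (
    "45.135.232.0/24",
    "45.140.17.0/24",
    "193.143.1.0/24",   # assumption: inferred from the cited 193.143.1.x addresses
)]

# sshd "Failed password" lines and Combined Log Format web access lines.
AUTH_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")
HTTP_RE = re.compile(
    r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def matching_net(ip_str: str) -> Optional[ipaddress.IPv4Network]:
    """Return the blocklisted network containing `ip_str`, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in PROTON66_NETS:
        if ip in net:
            return net
    return None


def analyze(lines: List[str]) -> Dict[str, Dict]:
    """Aggregate per-source-IP activity and tag sources inside the blocklist."""
    report: Dict[str, Dict] = {}

    def entry(ip: str) -> Dict:
        if ip not in report:
            net = matching_net(ip)
            report[ip] = {"in_proton66": net is not None,
                          "net": str(net) if net else None,
                          "ssh_failures": 0, "http_probes": []}
        return report[ip]

    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            entry(m.group(2))["ssh_failures"] += 1
            continue
        m = HTTP_RE.match(line)
        if m:
            entry(m.group(1))["http_probes"].append(m.group(3))
    return report


def nft_rules(nets=PROTON66_NETS, table: str = "inet filter", chain: str = "input") -> List[str]:
    """nftables commands to drop the listed sources; assumes the table and chain exist."""
    return [f"nft add rule {table} {chain} ip saddr {net} drop" for net in nets]


# Constructed sample log lines (not from the report). nas_sharing.cgi is the
# D-Link endpoint affected by CVE-2024-10914; the other paths are generic probes.
SAMPLE_LOG = """\
Apr 12 03:14:07 bastion sshd[2131]: Failed password for root from 45.135.232.77 port 51322 ssh2
Apr 12 03:14:09 bastion sshd[2131]: Failed password for invalid user admin from 45.135.232.77 port 51340 ssh2
Apr 12 03:14:11 bastion sshd[2131]: Failed password for invalid user test from 45.135.232.77 port 51355 ssh2
Apr 12 03:20:41 bastion sshd[2208]: Failed password for deploy from 203.0.113.9 port 40022 ssh2
45.140.17.50 - - [12/Apr/2025:03:31:02 +0000] "GET /global-protect/login.esp HTTP/1.1" 404 153
45.140.17.50 - - [12/Apr/2025:03:31:05 +0000] "POST /login.cgi HTTP/1.1" 404 153
193.143.1.65 - - [12/Apr/2025:03:45:12 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 404 153
198.51.100.4 - - [12/Apr/2025:03:50:00 +0000] "GET /index.html HTTP/1.1" 200 1024
""".splitlines()

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        flag = "PROTON66" if info["in_proton66"] else "other"
        print(f"{ip:16} {flag:9} ssh_failures={info['ssh_failures']} probes={info['http_probes']}")
    print("\n".join(nft_rules()))
```

Treat the block as a short-term noise reduction rather than a control: bulletproof hosters rotate and re-announce prefixes (the report itself notes addresses that sat idle for two years before activating), so keep the list sourced from current threat intelligence, and pair it with the measure that actually removes the exposure, which is not having management interfaces such as PAN-OS, FortiOS, MiCollab or NAS admin panels reachable from the internet at all.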
