Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery

Apr 21, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

Security researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66.

The activity, detected since January 8, 2025, targeted organizations worldwide, according to a recently published two-part analysis by Trustwave SpiderLabs.

"Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts," security researchers Pawel Knapczyk and Dawid Nesterowicz said. "Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years."

The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named PROSPERO. Last year, European security firm Intrinsec detailed their connections to bulletproof hosting services marketed on Russian cybercrime forums under the names Securehost and BEARHOST.

Several malware families, including GootLoader and SpyNote, have hosted their command-and-control (C2) servers and phishing pages on Proton66. Earlier this February, security journalist Brian Krebs reported that Prospero had begun routing its operations through networks run by Russian antivirus vendor Kaspersky Lab in Moscow.

However, Kaspersky denied having worked with Prospero and said that the "routing through networks operated by Kaspersky doesn't by default mean provision of the company's services, as Kaspersky's autonomous system (AS) path might appear as a technical prefix in the network of telecom providers the company works with and provides its DDoS services."

Trustwave's latest research has revealed that malicious requests originating from one of Proton66's net blocks (193.143.1[.]65) in February 2025 attempted to exploit some of the most recent critical vulnerabilities:

  • CVE-2025-0108 – An authentication bypass vulnerability in Palo Alto Networks PAN-OS software
  • – An insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab
  • – A command injection vulnerability in D-Link NAS devices
  • – Authentication bypass vulnerabilities in Fortinet FortiOS

It's worth noting that the exploitation of the two Fortinet FortiOS flaws has been attributed to an initial access broker dubbed Mora_001, which has been observed delivering a new malware strain called SuperBlack.

The security firm said it also observed several malicious campaigns linked to Proton66 that are designed to distribute malware families like , , and a ransomware named WeaXor.

Another notable activity concerns the use of compromised WordPress sites linked to the Proton66-associated IP address "91.212.166[.]21" to redirect Android device users to phishing pages that mimic Google Play app listings and trick users into downloading malicious APK files.

The redirections are carried out by malicious JavaScript hosted on the Proton66 IP address. Analysis of the fake Play Store domain names indicates that the campaign is designed to target French-, Spanish-, and Greek-speaking users.

"The redirector scripts are obfuscated and perform some checks against the victim, such as excluding bots and VPN or proxy users," the researchers said. "User IP is obtained through a query to ipify.org, then the presence of a VPN or proxy is verified through a subsequent query to ipinfo.io. Finally, the redirection occurs only if an Android browser is detected."
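The gating sequence the researchers describe (bot filter, IP reputation lookup, then Android user-agent check) is the reason a sandbox or an analyst's desktop usually never sees the fake Play Store page. The following is an added example written for this page, not code from the Trustwave report or from the actual redirector: it models that decision logic with the network lookups injected, so it runs offline. The shape of the IP-intelligence answer (a `privacy` object with `vpn`/`proxy`/`hosting` flags), the bot user-agent pattern, and the sample addresses are assumptions made for the example; the researchers only mention VPN and proxy checks, and the `hosting` flag is an extension that many redirectors also use.

```javascript
// Added example: emulation of the redirector's victim-gating logic.
// Not the original script; lookups are injected so nothing touches the network.

// Assumed bot/scanner user-agent pattern (the real script's list is not on the page).
const BOT_UA = /bot|crawl|spider|curl|wget|python-requests|headless/i;
const ANDROID_UA = /\bAndroid\b/;

// Constructed stand-in for the ipify.org (own IP) + ipinfo.io (privacy flags) answers.
// The "privacy" object shape is an assumption modelled on ipinfo.io's privacy data.
const FAKE_IP_INTEL = {
  "203.0.113.10": { privacy: { vpn: false, proxy: false, hosting: false } }, // residential-looking
  "198.51.100.7": { privacy: { vpn: true,  proxy: false, hosting: false } }, // VPN exit node
  "192.0.2.44":   { privacy: { vpn: false, proxy: false, hosting: true  } }, // cloud sandbox egress
};

function lookupIntel(ip) {
  return FAKE_IP_INTEL[ip] || { privacy: { vpn: false, proxy: false, hosting: false } };
}

// Mirrors the order the researchers describe: bots are dropped first, then the
// visitor IP is checked for VPN/proxy (here also hosting), and only then does
// the user-agent decide whether the redirect to the fake Play Store fires.
// Returns { redirect, reason, target? } instead of touching window.location,
// so the decision can be inspected and tested.
function decideRedirect(visitor, intel = lookupIntel) {
  const { userAgent, ip } = visitor;
  if (BOT_UA.test(userAgent)) {
    return { redirect: false, reason: "bot user-agent" };
  }
  const p = intel(ip).privacy;
  if (p.vpn || p.proxy || p.hosting) {
    return { redirect: false, reason: "vpn/proxy/hosting ip" };
  }
  if (!ANDROID_UA.test(userAgent)) {
    return { redirect: false, reason: "not android" };
  }
  // Hypothetical target; the real campaign used look-alike Play Store domains.
  return { redirect: true, reason: "android victim", target: "https://play-store.example/app" };
}

// Run a few constructed visitor profiles through the gate.
function demo() {
  const visitors = [
    { userAgent: "Mozilla/5.0 (Linux; Android 13; Pixel 7) Chrome/120 Mobile Safari/537.36", ip: "203.0.113.10" },
    { userAgent: "Mozilla/5.0 (Linux; Android 13; Pixel 7) Chrome/120 Mobile Safari/537.36", ip: "198.51.100.7" },
    { userAgent: "Mozilla/5.0 (Linux; Android 13; Pixel 7) Chrome/120 Mobile Safari/537.36", ip: "192.0.2.44" },
    { userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120 Safari/537.36", ip: "203.0.113.10" },
    { userAgent: "Mozilla/5.0 (compatible; Googlebot/2.1)", ip: "203.0.113.10" },
  ];
  return visitors.map(v => ({ ip: v.ip, ...decideRedirect(v) }));
}

console.log(demo());
```

The practical consequence is the ordering: an Android user-agent alone is not enough, because a detonation box on a cloud or VPN egress is filtered before the user-agent is even examined. To observe the final redirect, fetch the obfuscated script and deobfuscate it statically, or replay the page from a residential-looking egress with a mobile Chrome user-agent.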

Also hosted on one of the Proton66 IP addresses is a ZIP archive that leads to the deployment of the XWorm malware, specifically targeting Korean-speaking chat room users through social engineering.

The first stage of the attack is a Windows Shortcut (LNK) that executes a PowerShell command, which then runs a Visual Basic Script that, in turn, downloads a Base64-encoded .NET DLL from the same IP address. The DLL proceeds to download and load the XWorm binary.

Proton66-linked infrastructure has also been used to host a phishing email campaign targeting German-speaking users with StrelaStealer, an information stealer that communicates with an IP address (193.143.1[.]205) for C2.

Last but not least, WeaXor ransomware artifacts – a revised version of – have been found contacting a C2 server in the Proton66 network ("193.143.1[.]139").

Organizations are advised to block all the Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 and Chang Way Technologies, a likely related Hong Kong-based provider, to mitigate potential threats.
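Before adding ranges to a perimeter blocklist, it is worth checking existing logs for traffic that already falls inside them. The block below is an added example for this page, not tooling from Trustwave or The Hacker News: a small IPv4 prefix matcher that scans web-server log lines for client addresses inside the ranges named in the article. The watch list contains only what the page mentions (the two /24 net blocks and the individual addresses as /32 entries); the complete Proton66 and Chang Way Technologies ranges must be taken from the Trustwave report. The log lines are constructed for the example and are not real captures.

```javascript
// Added example: flag log lines whose client IP falls inside watched CIDR ranges.
// Not the page's or Trustwave's code; the range list is deliberately incomplete.

const WATCH_CIDRS = [
  "45.135.232.0/24",   // net block named by the researchers
  "45.140.17.0/24",    // net block named by the researchers
  "193.143.1.65/32",   // exploitation source, Feb 2025
  "193.143.1.205/32",  // StrelaStealer C2
  "193.143.1.139/32",  // WeaXor C2
  "91.212.166.21/32",  // Android redirector host
];

// Dotted-quad to an unsigned 32-bit value (plain arithmetic, no signed-shift pitfalls).
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`bad IPv4: ${ip}`);
  return parts.reduce((acc, octet) => {
    const n = Number(octet);
    if (!/^\d{1,3}$/.test(octet) || n > 255) throw new Error(`bad IPv4: ${ip}`);
    return acc * 256 + n;
  }, 0);
}

// A CIDR is stored as the network's high bits plus the size of the block it covers.
function parseCidr(cidr) {
  const [base, bitsStr = "32"] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const block = 2 ** (32 - bits);
  return { cidr, prefix: Math.floor(ipv4ToInt(base) / block), block };
}

const WATCH = WATCH_CIDRS.map(parseCidr);

// Returns the matching CIDR string, or null if the address is not watched.
function matchCidr(ip, watch = WATCH) {
  const n = ipv4ToInt(ip);
  const hit = watch.find(w => Math.floor(n / w.block) === w.prefix);
  return hit ? hit.cidr : null;
}

// Constructed sample lines in Apache/nginx "combined" format (client IP is the first field).
const SAMPLE_LOG = [
  '45.140.17.77 - - [12/Feb/2025:03:14:07 +0000] "GET /login HTTP/1.1" 401 512 "-" "python-requests/2.31"',
  '203.0.113.10 - - [12/Feb/2025:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
  '193.143.1.65 - - [12/Feb/2025:03:15:41 +0000] "POST /api/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
  '193.143.1.66 - - [12/Feb/2025:03:15:42 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
].join("\n");

// Scan log text and return one record per line whose client IP is in a watched range.
function scanLog(text, watch = WATCH) {
  const hits = [];
  for (const line of text.split("\n")) {
    const ip = line.split(" ")[0];
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) continue; // skip malformed or empty lines
    const cidr = matchCidr(ip, watch);
    if (cidr) hits.push({ ip, cidr, line });
  }
  return hits;
}

console.log(scanLog(SAMPLE_LOG).map(h => `${h.ip} in ${h.cidr}`));
```

Note that 193.143.1.66 is not flagged: only the individual addresses the article names are listed, not the whole 193.143.1.0/24, which is exactly why the authoritative range list should come from the report rather than from indicators quoted in news coverage.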
