
Cybersecurity researchers have revealed a surge in "mass scans, credential brute-forcing and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66.
According to a two-part analysis published by Trustwave SpiderLabs, the activity, detected since January 8, 2025, is directed at organizations around the world.
"Netblocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scans and brute force attempts," said security researchers Pawel Knapczyk and Dawid Nesterwicz. "Some of the problematic IP addresses were previously not seen as involved in malicious activities and were inactive for over two years."
The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named Prospero. Last year, French security company Intrinsec detailed Prospero's connections to SecureHost and to bulletproof hosting services sold on Russian cybercrime forums under the name BEARHOST.

Several malware families, including GootLoader and SpyNote, have hosted their command-and-control (C2) servers and phishing pages on Proton66. Earlier this February, security journalist Brian Krebs revealed that Prospero had begun to route its operations through a network run by Moscow-based anti-virus vendor Kaspersky Lab.
Kaspersky, however, has denied working with Prospero, stating that its autonomous system (AS) may appear in the routing path as a technical prefix because the company provides DDoS protection services, and that "routing through a network operated by Kaspersky does not mean the provision of the company's services."
Trustwave's latest analysis reveals that malicious requests originating from one of the Proton66 netblocks (193.143.1[.]65) in February 2025 attempted to exploit several recently disclosed, high-impact vulnerabilities:
- CVE-2025-0108 - Palo Alto Networks PAN-OS software authentication bypass vulnerability
- CVE-2024-41713 - Mitel MiCollab NuPoint Unified Messaging (NPM) component insufficient input validation vulnerability
- CVE-2024-10914
- CVE-2025-24472 - Fortinet FortiOS authentication bypass vulnerability
It is worth noting that exploitation of the Fortinet FortiOS flaws has been attributed to an initial access broker called Mora_001, which has been observed offering a new ransomware strain called SuperBlack.

The cybersecurity company also observed several malware campaigns linked to Proton66 that were designed to distribute malware families including XWorm, StrelaStealer and the Weaxor ransomware.
Another notable activity involves compromised WordPress websites linked to a Proton66-related IP address (…[.]21) that redirect Android device users to a phishing page mimicking a Google Play app listing and trick them into downloading malicious APK files.
The redirection is facilitated by malicious JavaScript hosted on a Proton66 IP address. Analysis of the fake Play Store domain names shows that the campaign is designed to target French-, Spanish- and Greek-speaking users.

"The redirector script is obfuscated and performs several checks on the victim, including excluding crawlers and VPN or proxy users," the researchers explained. "The user's IP is retrieved through a query to ipify.org. The presence of a VPN or proxy is then verified through subsequent queries to ipinfo.io. Ultimately, the redirection only occurs when an Android browser is found."
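The checks the researchers describe (an ipify.org lookup, an ipinfo.io VPN/proxy lookup, crawler filtering, an Android-only gate, a redirect, and obfuscation) are also usable the other way round, as indicators for finding an injected redirector in a WordPress install. The scanner below is an added example written for this article, not Trustwave's tooling or the actual redirector; the indicator weights, the threshold and the two script fixtures are constructed assumptions for the demonstration.

```python
import os
import re

# Heuristic indicators for an injected Android-redirector script, based on the
# behaviour described in the article: IP lookup via ipify.org, VPN/proxy lookup
# via ipinfo.io, crawler filtering, an Android user-agent gate, a redirect, and
# obfuscation. The weights are an assumption of this example, not a published scheme.
INDICATORS = {
    "ipify_lookup":    (re.compile(r"api\.ipify\.org", re.I), 3),
    "ipinfo_lookup":   (re.compile(r"ipinfo\.io", re.I), 3),
    "android_gate":    (re.compile(r"\bAndroid\b"), 2),
    "crawler_filter":  (re.compile(r"\b(bot|crawl|spider|googlebot)\b", re.I), 1),
    "redirect":        (re.compile(r"(window\.)?location(\.href|\.replace|\.assign)?\s*=|location\.(replace|assign)\(", re.I), 2),
    "obfuscation_api": (re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(", re.I), 2),
    "hex_escapes":     (re.compile(r"(\\x[0-9a-f]{2}){8,}", re.I), 2),
}
SUSPICIOUS_THRESHOLD = 6  # assumption: tune against the scripts your own site legitimately ships

# Constructed fixtures (not real samples): a harmless theme script and an inert
# fragment that carries the indicator tokens described above.
BENIGN_JS = r"""
document.addEventListener("DOMContentLoaded", function () {
  var menu = document.getElementById("menu");
  menu.classList.toggle("open");
});
"""

SUSPICIOUS_JS = r"""
var u = navigator.userAgent; if (/bot|crawl|spider/i.test(u)) { stop(); }
fetch("https://api.ipify.org?format=json");
fetch("https://ipinfo.io/" + ip + "/json");
if (/Android/i.test(u) && !vpn) { window.location.href = atob("PLACEHOLDER=="); }
var s = "\x68\x74\x74\x70\x73\x3a\x2f\x2f\x65";
"""


def score_script(text):
    """Return (score, [indicator names]) for one script body."""
    score, hits = 0, []
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def is_suspicious(text, threshold=SUSPICIOUS_THRESHOLD):
    return score_script(text)[0] >= threshold


def scan_files(files, threshold=SUSPICIOUS_THRESHOLD):
    """files: {path: content}. Returns [(path, score, hits)] for flagged entries, highest score first."""
    flagged = []
    for path, content in files.items():
        score, hits = score_script(content)
        if score >= threshold:
            flagged.append((path, score, hits))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


def scan_tree(root, extensions=(".js", ".php", ".html")):
    """Walk a WordPress install (theme and plugin files included) and score every script-bearing file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    for path, score, hits in scan_files({"theme/footer.php": SUSPICIOUS_JS, "theme/menu.js": BENIGN_JS}):
        print(f"{path}: score={score} hits={', '.join(hits)}")
```

Individual indicators (a lone "Android" string, a single `location.href` assignment) are common in legitimate code, which is why the scanner scores a combination rather than alerting on any one token; the two geolocation lookups carry the most weight because a theme or plugin has little reason to call them.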
Also hosted on one of the Proton66 IP addresses is a ZIP archive that leads to the deployment of the XWorm malware, which specifically targets Korean-speaking chat room users through social engineering.
The first stage of the attack is a Windows shortcut (LNK) file that runs PowerShell commands. These in turn run a Visual Basic script that downloads a base64-encoded .NET DLL from the same IP address. The DLL then proceeds to download and load the XWorm binary.
The Proton66-linked infrastructure is also used to support phishing email campaigns targeting German-speaking users with StrelaStealer, an information stealer that communicates with the IP address 193.143.1[.]205 for C2.
Finally, a Weaxor ransomware artifact (a revised version of Mallox) was found to be contacting a C2 server on the Proton66 network (193.143.11[.]139).
Organizations are advised to block all Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 and with the Hong Kong-based provider Chang Way Technologies to neutralize potential threats.
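Blocking the CIDR ranges is more useful when the same list is also run over historical firewall logs to see whether any of those sources already reached an exposed service. The script below is an added example for this article, not Trustwave's tooling; its blocklist consists only of the two netblocks and three defanged addresses quoted in the article (the complete range list would come from the vendor report), the log lines are constructed for the demonstration, and the nftables table and chain names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Blocklist entries as they appear in the article: the two Proton66 netblocks
# named by Trustwave plus the individual (defanged) scanner and C2 addresses.
# A production list would take the full CIDR set from the vendor report instead.
RAW_BLOCKLIST = [
    "45.135.232.0/24",
    "45.140.17.0/24",
    "193.143.1[.]65",
    "193.143.1[.]205",
    "193.143.11[.]139",
]

# Constructed firewall log lines for the demonstration (not real telemetry).
LOG_LINES = [
    "2025-01-09T03:12:44Z src=45.135.232.17 dst=10.0.0.5 dport=22 action=deny",
    "2025-01-09T03:12:45Z src=45.135.232.17 dst=10.0.0.5 dport=22 action=deny",
    "2025-01-09T03:13:01Z src=198.51.100.23 dst=10.0.0.5 dport=443 action=allow",
    "2025-01-09T03:14:10Z src=45.140.17.200 dst=10.0.0.8 dport=3389 action=deny",
    "2025-02-02T11:40:02Z src=193.143.1.65 dst=10.0.0.9 dport=443 action=allow",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def refang(indicator):
    """Turn a defanged indicator such as 193.143.1[.]65 back into a parseable address."""
    return indicator.replace("[.]", ".")


def build_blocklist(entries):
    """Parse CIDRs and single addresses (as /32) into a collapsed, de-duplicated network list."""
    networks = [ipaddress.ip_network(refang(e), strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(networks))


def is_blocked(address, networks):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage_log(lines, networks):
    """Return parsed events whose source address falls inside a blocklisted network."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event and is_blocked(event["src"], networks):
            event["dport"] = int(event["dport"])
            hits.append(event)
    return hits


def summarize(hits):
    """Count events per (source, destination port); repeated pairs point at brute-force attempts."""
    return Counter((h["src"], h["dport"]) for h in hits)


def render_nft_rules(networks, table="inet filter", chain="input"):
    """Emit nftables commands that drop inbound traffic from each blocklisted network."""
    return [f"nft add rule {table} {chain} ip saddr {net} drop" for net in networks]


if __name__ == "__main__":
    blocklist = build_blocklist(RAW_BLOCKLIST)
    hits = triage_log(LOG_LINES, blocklist)
    for (src, dport), count in summarize(hits).most_common():
        print(f"{src} -> port {dport}: {count} event(s)")
    print("\n".join(render_nft_rules(blocklist)))
```

The `action=allow` hit from 193.143.1[.]65 is the line worth chasing: a blocked scan is noise, but a permitted connection from a listed C2 address means a host behind the firewall should be examined rather than merely shielded by a new rule.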