Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66.
The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week.
"Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts," security researchers Pawel Knapczyk and Dawid Nesterowicz said. "Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years."
The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named PROSPERO. Last year, French security firm Intrinsec detailed their connections to bulletproof services advertised on Russian cybercrime forums under the names Securehost and BEARHOST.
Several malware families, including GootLoader and SpyNote, have hosted their command-and-control (C2) servers and phishing pages on Proton66. Earlier this February, security journalist Brian Krebs revealed that Prospero has begun routing its operations through networks run by Russian antivirus vendor Kaspersky Lab in Moscow.
However, Kaspersky denied that it has worked with Prospero, saying that "routing through networks operated by Kaspersky does not by default mean provision of the company's services, as Kaspersky's autonomous system (AS) path might appear as a technical prefix in the network of telecom providers the company works with and provides its DDoS services."
Trustwave's latest analysis has revealed that the malicious requests originating from one of Proton66's net blocks (193.143.1[.]65) in February 2025 attempted to exploit some of the most recent critical vulnerabilities:
- CVE-2025-0108 – An authentication bypass vulnerability in the Palo Alto Networks PAN-OS software
- CVE-2024-41713 – An insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab
- CVE-2024-10914 – A command injection vulnerability in D-Link NAS devices
- CVE-2024-55591 & CVE-2025-24472 – Authentication bypass vulnerabilities in Fortinet FortiOS
It's worth noting that the exploitation of the two Fortinet FortiOS flaws has been attributed to an initial access broker dubbed Mora_001, which has been observed delivering a new ransomware strain called SuperBlack.
The cybersecurity firm said it also observed several malware campaigns linked to Proton66 that are designed to distribute malware families like XWorm, StrelaStealer, and a ransomware named WeaXor.
Another notable activity concerns the use of compromised WordPress websites related to the Proton66-linked IP address "91.212.166[.]21" to redirect Android device users to phishing pages that mimic Google Play app listings and trick users into downloading malicious APK files.
The redirections are facilitated through malicious JavaScript hosted on the Proton66 IP address. Analysis of the fake Play Store domains indicates that the campaign is designed to target French-, Spanish-, and Greek-speaking users.
"The redirector scripts are obfuscated and perform several checks against the victim, such as excluding crawlers and VPN or proxy users," the researchers explained. "User IP is obtained through a query to ipify.org, then the presence of a VPN or proxy is verified through a subsequent query to ipinfo.io. Ultimately, the redirection occurs only if an Android browser is detected."
Also hosted on one of the Proton66 IP addresses is a ZIP archive that leads to the deployment of the XWorm malware, specifically singling out Korean-speaking chat room users through social engineering schemes.
The first stage of the attack is a Windows Shortcut (LNK) that executes a PowerShell command, which then runs a Visual Basic Script that, in turn, downloads a Base64-encoded .NET DLL from the same IP address. The DLL proceeds to download and load the XWorm binary.
Proton66-linked infrastructure has also been used to facilitate a phishing email campaign targeting German-speaking users with StrelaStealer, an information stealer that communicates with an IP address (193.143.1[.]205) for C2.
Last but not least, WeaXor ransomware artifacts – a revised version of Mallox – have been found contacting a C2 server in the Proton66 network ("193.143.1[.]139").
Organizations are advised to block all the Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 and Chang Way Technologies, a potentially related Hong Kong-based provider, to neutralize potential threats.
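As an added example (not code from the Trustwave report or from this article), the following script checks web-server access logs against the two Proton66 net blocks and the individual host addresses quoted above, distinguishing a hit on a named indicator from a hit anywhere in a listed range. The log lines are constructed, and the indicator list is deliberately limited to what the article names; the complete CIDR list to block should be taken from the Trustwave analysis.

```python
import ipaddress
import re
from typing import Optional

# Netblocks and hosts named in the article; load the full Proton66 CIDR list from the Trustwave report.
PROTON66_NETBLOCKS = tuple(
    ipaddress.ip_network(n) for n in ("45.135.232.0/24", "45.140.17.0/24")
)
PROTON66_HOSTS = frozenset(
    ipaddress.ip_address(h)
    for h in ("193.143.1.65", "193.143.1.205", "193.143.1.139", "91.212.166.21")
)

# Combined log format: client IP is the first field, the request line is quoted.
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3}')

def classify_ip(raw: str) -> Optional[str]:
    """Return 'host-indicator', 'netblock', or None for an IP string."""
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None  # not an address at all (hostname, malformed field)
    if ip in PROTON66_HOSTS:
        return "host-indicator"
    if any(ip in net for net in PROTON66_NETBLOCKS):
        return "netblock"
    return None

def scan_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (client_ip, match_kind, request) for every matching line."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not in combined log format, skip
        kind = classify_ip(m.group("ip"))
        if kind:
            hits.append((m.group("ip"), kind, m.group("request")))
    return hits

# Constructed sample lines, not real captured traffic.
SAMPLE_LOG = [
    '45.135.232.17 - - [10/Feb/2025:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 401 123',
    '203.0.113.9 - - [10/Feb/2025:03:14:08 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '193.143.1.65 - - [10/Feb/2025:03:15:01 +0000] "GET /login HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, kind, request in scan_log(SAMPLE_LOG):
        print(f"{ip:<16} {kind:<15} {request}")
```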