Cybersecurity researchers have disclosed a surge in “mass scanning, credential brute-forcing, and exploitation attempts” originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66.
The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week.
“Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts,” security researchers Pawel Knapczyk and Dawid Nesterowicz said. “Several of the offending IP addresses were not previously seen to be involved in malicious activity or had been inactive for over two years.”
The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named PROSPERO. Last year, French security firm Intrinsec detailed their connections to bulletproof services advertised on Russian cybercrime forums under the names Securehost and BEARHOST.
Several malware families, including GootLoader and SpyNote, have hosted their command-and-control (C2) servers and phishing pages on Proton66. Earlier this February, security journalist Brian Krebs revealed that Prospero has begun routing its operations through networks run by Russian antivirus vendor Kaspersky Lab in Moscow.
However, Kaspersky denied that it has worked with Prospero, stating that “routing through networks operated by Kaspersky doesn’t by default mean provision of the company’s services, as Kaspersky’s autonomous system (AS) path might appear as a technical prefix in the network of telecom providers the company works with and provides its DDoS services.”
Trustwave’s latest analysis found that malicious requests originating from an IP address in one of the Proton66 net blocks (193.143.1[.]65) in February 2025 attempted to exploit some of the most recent critical vulnerabilities:
- CVE-2025-0108 – An authentication bypass vulnerability in the Palo Alto Networks PAN-OS software
- CVE-2024-41713 – An insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab
- CVE-2024-10914 – A command injection vulnerability in D-Link NAS devices
- CVE-2024-55591 & CVE-2025-24472 – Authentication bypass vulnerabilities in Fortinet FortiOS
It’s worth noting that exploitation of the two Fortinet FortiOS flaws has been attributed to an initial access broker dubbed Mora_001, which has been observed delivering a new ransomware strain called SuperBlack.
The cybersecurity firm said it also observed several malware campaigns linked to Proton66 that are designed to distribute malware families such as XWorm, StrelaStealer, and a ransomware named WeaXor.
Another notable activity concerns the use of compromised WordPress websites related to the Proton66-linked IP address “91.212.166[.]21” to redirect Android device users to phishing pages that mimic Google Play app listings and trick users into downloading malicious APK files.
The redirections are facilitated via malicious JavaScript hosted on the Proton66 IP address. Analysis of the fake Play Store domains indicates that the campaign is designed to target French-, Spanish-, and Greek-speaking users.
“The redirector scripts are obfuscated and perform several checks against the victim, such as excluding crawlers and VPN or proxy users,” the researchers explained. “User IP is obtained through a query to ipify.org, then the presence of a VPN or proxy is verified through a subsequent query to ipinfo.io. Ultimately, the redirection occurs only if an Android browser is found.”
Also hosted on one of the Proton66 IP addresses is a ZIP archive that leads to the deployment of the XWorm malware, specifically targeting Korean-speaking chat room users through social engineering.
The first stage of the attack is a Windows Shortcut (LNK) that executes a PowerShell command, which then runs a Visual Basic Script that, in turn, downloads a Base64-encoded .NET DLL from the same IP address. The DLL proceeds to download and load the XWorm binary.
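The LNK → PowerShell → VBScript chain described above leaves a recognisable process-tree shape in endpoint telemetry: a script host (wscript.exe or cscript.exe) whose parent is PowerShell, whose parent in turn is explorer.exe (the LNK file itself never appears as a process; Explorer launches the shortcut target directly). The following hunt logic is an added example, not code from Trustwave or the article. The events are constructed in a trimmed Sysmon Event ID 1 style (pid, ppid, image, cmdline), and the command-line switches it looks for are a generic heuristic for hidden, policy-bypassing PowerShell stages, not indicators taken from this specific campaign.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LAUNCHERS = {"powershell.exe", "pwsh.exe"}
PARENT_SHELLS = {"explorer.exe"}  # a double-clicked LNK shows up as explorer.exe -> target

# Generic switches used to hide a shortcut-launched PowerShell stage (assumed heuristic,
# not indicators quoted from the report).
SUSPICIOUS_SWITCHES = [
    (re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(^|\s)-(ep|executionpolicy)\s+bypass"), "execution policy bypass"),
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"), "encoded command"),
]

# Constructed sample events: one malicious chain plus two benign look-alikes.
EVENTS = [
    {"pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Malicious: explorer launches the LNK target (hidden PowerShell), which runs a VBS via wscript.
    {"pid": 4102, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "<stage-1 command, redacted in this sample>"'},
    {"pid": 4188, "ppid": 4102, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\user\AppData\Local\Temp\stage.vbs"},
    # Benign: an interactive PowerShell session started from the Start menu.
    {"pid": 5000, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    # Benign: a logon script run by cmd.exe rather than by PowerShell.
    {"pid": 5100, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c logon.bat"},
    {"pid": 5101, "ppid": 5100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe \\fileserver\netlogon\map_drives.vbs"},
]


def basename(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid, depth=4):
    """Walk parent pointers; returns image names child-first, at most `depth` long."""
    chain = []
    while pid in by_pid and len(chain) < depth:
        ev = by_pid[pid]
        chain.append(basename(ev["image"]))
        pid = ev["ppid"]
    return chain


def suspicious_switches(cmdline):
    """Labels of every suspicious PowerShell switch found in a command line."""
    return [label for rx, label in SUSPICIOUS_SWITCHES if rx.search(cmdline)]


def find_lnk_powershell_chains(events):
    """Flag script hosts whose parent is PowerShell and whose grandparent is Explorer."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(by_pid, ev["pid"])  # e.g. ['wscript.exe', 'powershell.exe', 'explorer.exe']
        if len(chain) >= 3 and chain[1] in LAUNCHERS and chain[2] in PARENT_SHELLS:
            launcher = by_pid[ev["ppid"]]
            findings.append({
                "pid": ev["pid"],
                "chain": " > ".join(reversed(chain[:3])),
                "script": ev["cmdline"],
                "launcher_switches": suspicious_switches(launcher["cmdline"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_lnk_powershell_chains(EVENTS):
        print(f"pid {f['pid']}: {f['chain']} | {f['script']} | switches: {f['launcher_switches']}")
```

The parent-chain check is what carries the signal; the switch matching only raises confidence, since a legitimate admin script can also use -ep bypass. On a real estate, feed the function a window of Sysmon or EDR process-creation events and, for hits, pull the VBS file and any subsequent network connections from the same process tree to find the download of the Base64-encoded DLL.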
Proton66-linked infrastructure has also been used to facilitate a phishing email campaign targeting German-speaking users with StrelaStealer, an information stealer that communicates with an IP address (193.143.1[.]205) for C2.
Last but not least, WeaXor ransomware artifacts (a revised version of Mallox) have been found contacting a C2 server in the Proton66 network (193.143.1[.]139).
Organizations are advised to block all the Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 and Chang Way Technologies, a possibly related Hong Kong-based provider, to neutralize potential threats. The two /24 net blocks quoted above are only the most active ranges, so blocking should be based on the full list in the Trustwave report rather than on those two alone.
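Before or alongside a firewall block, a practitioner usually wants to know whether any of these ranges already show up in existing logs, and in which direction: inbound hits from the scanning net blocks are noise, while an outbound connection to one of the C2 addresses means a host is likely already compromised. The matcher below is an added example, not code from the article or Trustwave. It uses only the indicators named on this page (the two /24 net blocks plus the single hosts for exploitation, the Android redirector, StrelaStealer C2 and WeaXor C2), which is deliberately not the full Proton66 or Chang Way Technologies CIDR list; the log lines are constructed in a generic key=value firewall format.

```python
import ipaddress
import re


def refang(ioc):
    """Turn the article's defanged notation (193.143.1[.]65) back into a real address."""
    return ioc.replace("[.]", ".")


# Indicators quoted on this page. NOT the complete Proton66 / Chang Way CIDR list;
# the full list must come from the Trustwave report or from BGP data for the ASNs.
PROTON66_NETBLOCKS = [
    ipaddress.ip_network("45.135.232.0/24"),
    ipaddress.ip_network("45.140.17.0/24"),
]
PROTON66_HOSTS = {refang(k): v for k, v in {
    "193.143.1[.]65": "exploitation attempts (PAN-OS, MiCollab, D-Link NAS, FortiOS)",
    "91.212.166[.]21": "Android fake Play Store redirector",
    "193.143.1[.]205": "StrelaStealer C2",
    "193.143.1[.]139": "WeaXor C2",
}.items()}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2025-02-11T03:14:07Z action=deny src=45.135.232.77 dst=203.0.113.10 dport=22
2025-02-11T03:14:09Z action=deny src=45.140.17.5 dst=203.0.113.10 dport=443
2025-02-11T03:15:00Z action=allow src=198.51.100.23 dst=203.0.113.10 dport=443
2025-02-11T03:16:42Z action=allow src=203.0.113.44 dst=193.143.1.205 dport=443
2025-02-11T03:17:01Z action=deny src=193.143.1.65 dst=203.0.113.10 dport=443
"""

IP_RE = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_ip(ip_str):
    """Return (kind, detail) for a listed indicator, or None for everything else."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    if ip_str in PROTON66_HOSTS:
        return ("host", PROTON66_HOSTS[ip_str])
    for net in PROTON66_NETBLOCKS:
        if ip in net:
            return ("netblock", str(net))
    return None


def find_hits(log_text):
    """Scan key=value firewall lines; outbound (dst) matches are rated more severe than inbound."""
    hits = []
    for line in log_text.splitlines():
        for direction, ip_str in IP_RE.findall(line):
            match = classify_ip(ip_str)
            if match is None:
                continue
            hits.append({
                "ip": ip_str,
                "direction": "outbound" if direction == "dst" else "inbound",
                "kind": match[0],
                "detail": match[1],
                # Talking *to* a Proton66 address is a compromise signal, not just scanning noise.
                "severity": "high" if direction == "dst" else "low",
                "line": line,
            })
    return hits


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f"[{h['severity']}] {h['direction']} {h['ip']} ({h['kind']}: {h['detail']})")
```

Plugging the full CIDR list into PROTON66_NETBLOCKS is the only change needed to turn this into a complete sweep; keep the per-host table as well, because the single C2 addresses carry context (which malware family) that a bare network match does not.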