Russian Bulletproof Host Proton66 Exploited by Hackers for Global Cyberattacks and Malware Distribution

By jinia
Cybersecurity experts have identified a dramatic rise in global cyberattacks leveraging IP ranges linked to Proton66, a Russian bulletproof hosting provider. According to a detailed two-part report by Trustwave SpiderLabs, attackers are using this infrastructure for mass scanning, brute-force credential attacks, and exploitation of critical vulnerabilities.


What Is Proton66?

Proton66, a Russian autonomous system, is linked to a second system called PROSPERO. According to past research from French cybersecurity firm Intrinsec, these systems are connected to bulletproof hosting operations marketed under names like Securehost and BEARHOST—popular in underground cybercrime forums.


Global Threat Campaign Since January 2025

The malicious activity dates back to January 8, 2025, and spans IP blocks 45.135.232.0/24 and 45.140.17.0/24, many of which were previously dormant or not linked to threat activity.


Key malware strains observed using Proton66 infrastructure:

GootLoader
SpyNote
XWorm
StrelaStealer
WeaXor (a Mallox variant ransomware)


High-Profile Exploits and Targeted Vulnerabilities

In February 2025, Proton66 IP 193.143.1[.]65 was linked to attempted exploitation of the following critical vulnerabilities:

CVE-2025-0108: PAN-OS auth bypass (Palo Alto Networks)
CVE-2024-41713: Input validation flaw in Mitel MiCollab
CVE-2024-10914: Command injection in D-Link NAS
CVE-2024-55591 & CVE-2025-24472: Fortinet FortiOS auth bypass flaws


Notably, the Fortinet vulnerabilities have been connected to Mora_001, an initial access broker deploying the new SuperBlack ransomware.



Targeted Malware Campaigns Across Countries

🇫🇷 🇪🇸 🇬🇷 Android Users Lured via Phishing Pages

IP 91.212.166[.]21 was used to redirect mobile users to fake Google Play pages, tricking them into downloading malicious APK files. This Android phishing campaign primarily targets French, Spanish, and Greek-speaking users.


The redirection process includes:

Malicious JavaScript
Victim fingerprinting
VPN/proxy detection via ipinfo.io
Targeting Android browsers only


🇰🇷 Korean Chat Users Targeted with XWorm

One Proton66 IP hosts a malicious ZIP archive aimed at Korean-speaking users. The infection chain includes:

Windows .LNK shortcut file
PowerShell execution
Visual Basic script
Base64-encoded .NET DLL download
XWorm malware deployment

🇩🇪 German Users Targeted with StrelaStealer

Cybercriminals also launched a phishing campaign targeting German speakers, using StrelaStealer malware with C2 communications routed through 193.143.1[.]205.


Ransomware Alert: WeaXor Detected

Artifacts of WeaXor ransomware, a revamped variant of Mallox, were found connecting to 193.143.1[.]139, part of the Proton66 infrastructure.


Security Recommendations

To protect against these evolving threats, security professionals are strongly advised to:

1. Block all CIDR ranges associated with Proton66 and Chang Way Technologies (a Hong Kong-based provider believed to be connected).

2. Continuously monitor logs and traffic for signs of compromise or unauthorized access attempts.
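The two recommendations above amount to a blocklist plus log review. The script below is an added example written for this page, not code from the article or from Trustwave SpiderLabs: it loads only the indicators the article itself names (the two /24 blocks and the four individual Proton66 addresses, un-defanged from the `[.]` notation), emits them as firewall-ready CIDR entries, and flags any log line whose source address falls inside them. The log lines are constructed samples, and the indicator list is deliberately incomplete; the full Proton66 and Chang Way Technologies allocations are not on this page and would have to come from the SpiderLabs report or BGP/WHOIS data before use as a real deny list.

```python
import ipaddress
import re

def refang(indicator):
    """Turn report-style defanged text such as 193.143.1[.]65 back into an IP."""
    return indicator.replace("[.]", ".")

# Indicators taken from the article text only (assumption: this is the whole
# set the page gives; it is NOT the complete Proton66 address space).
PROTON66_BLOCKS = [
    ipaddress.ip_network("45.135.232.0/24"),
    ipaddress.ip_network("45.140.17.0/24"),
]
PROTON66_INDICATORS = {
    ipaddress.ip_address(refang("193.143.1[.]65")): "CVE exploitation attempts (Feb 2025)",
    ipaddress.ip_address(refang("91.212.166[.]21")): "Android fake Google Play redirector",
    ipaddress.ip_address(refang("193.143.1[.]205")): "StrelaStealer C2",
    ipaddress.ip_address(refang("193.143.1[.]139")): "WeaXor ransomware C2",
}

# First dotted quad on a line; covers the source field of common web-server
# and firewall log formats without committing to one schema.
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def blocklist_entries():
    """CIDR strings for a deny list (recommendation 1): blocks plus /32 hosts."""
    entries = {str(net) for net in PROTON66_BLOCKS}
    entries |= {f"{ip}/32" for ip in PROTON66_INDICATORS}
    return sorted(entries)

def classify_ip(ip_str):
    """Return why ip_str is interesting, or None if it is not a known indicator."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    if ip in PROTON66_INDICATORS:
        return PROTON66_INDICATORS[ip]
    for net in PROTON66_BLOCKS:
        if ip in net:
            return f"inside Proton66 block {net}"
    return None

def scan_log(lines):
    """Recommendation 2: return (line_no, ip, reason) for every matching line."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = _IP_RE.search(line)
        if not match:
            continue
        reason = classify_ip(match.group(1))
        if reason:
            hits.append((line_no, match.group(1), reason))
    return hits

# Constructed sample log lines (not from the report); one web-server line
# inside a listed block, one clean line, one listed C2 host, one firewall
# drop from the second block, and one line with no address at all.
SAMPLE_LOG = [
    '45.135.232.17 - - [10/Jan/2025:03:14:07 +0000] "GET /login HTTP/1.1" 401 512',
    '203.0.113.9 - - [10/Jan/2025:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '193.143.1.139 - - [15/Feb/2025:22:51:03 +0000] "POST /api/v1/session HTTP/1.1" 403 0',
    "2025-02-20T08:00:01Z fw01 DROP src=45.140.17.200 dst=198.51.100.4 proto=tcp dport=22",
    "no address on this line",
]

if __name__ == "__main__":
    print("deny list:", ", ".join(blocklist_entries()))
    for line_no, ip, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} -> {reason}")
```

Matching on the first address per line is a simplification; in practice you would parse the source field for the specific log format and also check outbound connections, since the StrelaStealer and WeaXor indicators on this page are C2 destinations rather than inbound scanners.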


Final Thoughts

The abuse of Proton66's bulletproof hosting services highlights the persistent global threat posed by cybercriminals using resilient infrastructure. From phishing and info-stealers to ransomware and Android trojans, the scope of this campaign is vast and highly targeted.