
Proton66 Hosts New Global Cyberattacks and Malware


Cybersecurity researchers have reported a significant rise in malicious online activities traced to IP addresses managed by Proton66, a Russian bulletproof hosting service provider. This provider is believed to be facilitating a wide array of cyberattacks, including mass scanning, brute-force login attempts, and exploitation of critical software vulnerabilities. The campaign, active since January 8, 2025, appears to be global in scale, with thousands of organizations potentially at risk.

Proton66's Role in Coordinated Attack Campaigns

According to a comprehensive two-part investigation by Trustwave SpiderLabs, malicious traffic has been consistently observed from net blocks 45.135.232.0/24 and 45.140.17.0/24, both attributed to Proton66. “These blocks were especially active in launching credential brute-force attacks and probing systems for vulnerabilities,” explained researchers Pawel Knapczyk and Dawid Nesterowicz. Notably, many of the IP addresses involved had either not been previously flagged or had remained dormant for over two years.

Proton66 is linked to another Russian autonomous system known as PROSPERO. In 2023, French cybersecurity firm Intrinsec highlighted both entities’ involvement in providing bulletproof hosting under pseudonyms such as Securehost and BEARHOST—services often advertised on underground cybercrime forums.

Hosting Malware and Exploiting Vulnerabilities

Numerous malware families, including GootLoader, SpyNote, XWorm, StrelaStealer, and the WeaXor ransomware, have been found to rely on Proton66 for their command-and-control (C2) infrastructure. A key IP address, 193.143.1[.]65, was observed in February 2025 exploiting recent high-severity vulnerabilities:

  • CVE-2025-0108: Authentication bypass in Palo Alto Networks PAN-OS
  • CVE-2024-41713: Input validation flaw in Mitel MiCollab's NuPoint Unified Messaging (NPM) component
  • CVE-2024-10914: Command injection vulnerability in D-Link NAS devices
  • CVE-2024-55591 & CVE-2025-24472: Fortinet FortiOS authentication bypass flaws

The Fortinet exploits have been associated with Mora_001, an initial access broker tied to the distribution of the SuperBlack ransomware. This suggests Proton66’s infrastructure may be part of a broader, highly organized criminal supply chain.

Trustwave also uncovered Proton66’s involvement in phishing campaigns aimed at Android users. A Proton66-linked IP (91.212.166[.]21) was used to redirect users to fake Google Play pages pushing malicious APKs. These phishing efforts specifically target French, Spanish, and Greek-speaking audiences.

The redirection is achieved via obfuscated JavaScript hosted on Proton66 servers, which performs several checks to avoid detection. It filters out crawlers and visitors arriving through VPNs or proxies by querying services such as ipify.org and ipinfo.io. Only Android browsers are redirected, which increases the likelihood of reaching real mobile users while keeping the lure invisible to most analysts and scanners.
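The gating logic described above, reconstructed as an added illustration (this is not the campaign's script, and the `privacy` field names in the lookup response are an assumption modeled on ipinfo.io's documented response format). It shows why an analyst fetching the page from a cloud IP with a desktop browser sees only benign content:

```python
"""Model of the visitor gating described in the article (added example,
not the actual Proton66 redirector).  The script is said to (1) ignore
crawlers, (2) ignore VPN/proxy users based on ipify.org / ipinfo.io
lookups, and (3) redirect only Android browsers.  The 'privacy' object
and its keys are assumed to follow ipinfo.io's documented shape."""

import re

# Crude crawler detection on the user-agent string (assumed pattern list).
CRAWLER_RE = re.compile(r"bot|crawl|spider|slurp|headless|lighthouse", re.I)
ANDROID_RE = re.compile(r"\bAndroid\b")
# Flags that mark a visitor as not coming from a residential/mobile line.
NON_RESIDENTIAL_FLAGS = ("vpn", "proxy", "tor", "hosting", "relay")


def visitor_verdict(user_agent: str, ip_lookup: dict) -> str:
    """Return 'redirect' if the visitor would be sent to the fake Google Play
    page, otherwise a short reason why the script stays silent."""
    if CRAWLER_RE.search(user_agent):
        return "ignore: crawler"
    privacy = ip_lookup.get("privacy") or {}
    if any(privacy.get(flag) for flag in NON_RESIDENTIAL_FLAGS):
        return "ignore: vpn/proxy/hosting"
    if not ANDROID_RE.search(user_agent):
        return "ignore: not android"
    return "redirect"


# Constructed sample visitors (not captured traffic).
SAMPLES = [
    ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/120 Mobile Safari/537.36",
     {"ip": "203.0.113.10", "privacy": {"vpn": False, "proxy": False, "hosting": False}}),
    ("Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 Chrome/120 Mobile",
     {"ip": "198.51.100.7", "privacy": {"vpn": True, "proxy": False, "hosting": False}}),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120",
     {"ip": "192.0.2.5", "privacy": {}}),
    ("Googlebot/2.1 (+http://www.google.com/bot.html)",
     {"ip": "192.0.2.6", "privacy": {}}),
]


def triage(samples=SAMPLES) -> list:
    """Apply the gate to each sample visitor and return the verdicts in order."""
    return [visitor_verdict(ua, info) for ua, info in samples]


if __name__ == "__main__":
    for (ua, _), verdict in zip(SAMPLES, triage()):
        print(f"{verdict:28s} <- {ua[:60]}")
```

The practical consequence for incident responders: to see the malicious redirect and retrieve the APK, replay the request with an Android user-agent from an address that the IP reputation services do not classify as VPN, proxy or hosting, or patch the lookup calls out in a sandboxed copy of the script.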

Proton66 Malware Distribution Tactics and Target Profiles

One campaign identified a ZIP archive hosted on a Proton66 IP that installs XWorm malware. This effort targets Korean-speaking users in chat forums, using social engineering to trigger the attack. The multi-stage process involves a Windows LNK shortcut executing a PowerShell command, which then launches a VBScript. This script downloads a Base64-encoded .NET DLL responsible for installing XWorm.
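A detection sketch for the process lineage that chain implies, added here as an example (it is not from the Trustwave report). It assumes the LNK is launched by a user from Explorer, so the PowerShell process has explorer.exe as its parent; the event fields mimic Sysmon Event ID 1 and the sample events are constructed:

```python
"""Added example: flag the process lineage implied by the XWorm chain in the
article, explorer.exe (user opens the LNK) -> powershell.exe -> wscript.exe
or cscript.exe running the VBScript stage.  Event shape mimics Sysmon
Event ID 1; the events below are constructed, not real telemetry, and
explorer.exe as the LNK launcher's parent is an assumption."""

from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def lineage(procs_by_pid, pid, depth=4):
    """Return lower-cased image names walking upward from pid, nearest first."""
    chain = []
    while pid in procs_by_pid and len(chain) < depth:
        proc = procs_by_pid[pid]
        chain.append(proc.image.lower())
        pid = proc.ppid
    return chain


def find_lnk_chains(events):
    """Return (pid, chain) for every script host whose ancestry is
    wscript/cscript <- powershell.exe <- explorer.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        image = e.image.lower()
        if image not in SCRIPT_HOSTS:
            continue
        chain = lineage(by_pid, e.pid)
        if chain[:3] == [image, "powershell.exe", "explorer.exe"]:
            hits.append((e.pid, chain))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Proc(1000, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Proc(2040, 1000, "powershell.exe",
         'powershell.exe -w hidden -c "Start-Process wscript.exe C:\\Users\\Public\\stage2.vbs"'),
    Proc(2071, 2040, "wscript.exe", "wscript.exe C:\\Users\\Public\\stage2.vbs"),
    # An interactive shell with no script-host child must not fire.
    Proc(3100, 1000, "powershell.exe", "powershell.exe"),
    Proc(3300, 3100, "conhost.exe", "conhost.exe"),
]


if __name__ == "__main__":
    for pid, chain in find_lnk_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {' <- '.join(chain)}")
```

The lineage check alone is a hunting query, not a high-fidelity alert: legitimate logon scripts can produce the same tree. Pair it with the command line (hidden window, download cmdlets, Base64 arguments) and a subsequent network connection from the script host before escalating.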

Proton66 is also implicated in spreading StrelaStealer, a potent information stealer. German-speaking users have been targeted through phishing emails, and the resulting infections establish C2 communication with the IP 193.143.1[.]205. Meanwhile, WeaXor ransomware—a variant of the known Mallox ransomware—has been observed reaching out to 193.143.1[.]139, another Proton66 IP, before initiating encryption operations.

Earlier in 2025, cybersecurity journalist Brian Krebs reported that Prospero operations, associated with Proton66, were using network routes provided by Kaspersky Lab in Moscow. Kaspersky responded by denying any direct involvement, stating that automatic routing paths might appear in logs due to DDoS protection services they offer to telecom clients. Still, the incident raises questions about the complexity of modern internet routing and how it can be misused.

Mitigation Recommendations

Given the extensive infrastructure linked to Proton66 and the severity of the ongoing campaigns, Trustwave advises all organizations to block CIDR ranges associated with Proton66 and its suspected Hong Kong-based partner Chang Way Technologies. Proactive network filtering and up-to-date threat intelligence feeds can help reduce the risk posed by these actors.
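A way to act on that advice, added as an example rather than taken from the Trustwave report: match log lines against the two Proton66 net blocks and the individual IPs named in this article, and emit nftables drop rules for them. Only the ranges quoted on this page are included; the full list in the Trustwave research is longer, and the Chang Way Technologies ranges are not given here, so the partner list is left empty to be filled from your own feed. The nftables table and chain names and the log lines are constructed:

```python
"""Added example (not from the Trustwave report): triage web and SSH logs
against the Proton66-attributed network blocks and the individual IOCs named
in the article, then emit nftables rules.  Only ranges quoted on the page
are included; PARTNER_RANGES is a placeholder for Chang Way Technologies
CIDRs, which the article does not list."""

import ipaddress
import re

# Net blocks attributed to Proton66 in the Trustwave research.
PROTON66_RANGES = [
    ipaddress.ip_network("45.135.232.0/24"),
    ipaddress.ip_network("45.140.17.0/24"),
]
# Individual IPs named in the article (defanged in the text, refanged here).
PROTON66_IPS = {
    ipaddress.ip_address("193.143.1.65"),   # exploitation of the CVEs listed above
    ipaddress.ip_address("193.143.1.205"),  # StrelaStealer C2
    ipaddress.ip_address("193.143.1.139"),  # WeaXor C2
    ipaddress.ip_address("91.212.166.21"),  # Android phishing redirector
}
# Fill from your own intel feed: the article names the partner but lists no CIDRs.
PARTNER_RANGES = []

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_proton66(ip_str):
    """True if the address is a listed IOC or falls inside a listed range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return ip in PROTON66_IPS or any(ip in net for net in PROTON66_RANGES + PARTNER_RANGES)


def flag_log_lines(lines):
    """Return (line_number, ip) for each line whose first IPv4 address is Proton66-linked."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = IP_RE.search(line)
        if m and is_proton66(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


def nftables_rules(table="inet filter", chain="input"):
    """One 'nft add rule' per range and per individual IOC (table/chain assumed)."""
    entries = [str(n) for n in PROTON66_RANGES + PARTNER_RANGES]
    entries += [str(ip) for ip in sorted(PROTON66_IPS)]
    return [f"nft add rule {table} {chain} ip saddr {e} drop" for e in entries]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '45.135.232.17 - - [12/Feb/2025:03:14:07 +0000] "POST /login HTTP/1.1" 401 -',
    '203.0.113.42 - - [12/Feb/2025:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 5120',
    "sshd[2211]: Failed password for root from 45.140.17.200 port 51022 ssh2",
    '193.143.1.65 - - [12/Feb/2025:03:15:01 +0000] "GET /login HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for n, ip in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: {ip} is Proton66-linked")
    print("\n".join(nftables_rules()))
```

Two caveats. First, blocking at the edge stops inbound scanning and brute-forcing but not outbound C2 from an already compromised host, so the same list belongs in egress filtering and in your proxy or DNS logs. Second, IP-based blocks decay: Trustwave notes that many of these addresses had been dormant for years before this campaign, so refresh the list from a live feed rather than hard-coding it once.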
