Russian Hosting Provider Proton Linked to Global Surge in Cyberattacks

Listen to this Post

A sharp escalation in cyberthreats has been linked to a Russian bulletproof hosting provider known as Proton66, raising major concerns across the global cybersecurity landscape. Since early January 2025, waves of mass scanning, brute-force credential attacks, and active exploitation of vulnerabilities have been traced back to Proton66 infrastructure, according to detailed findings from Trustwave SpiderLabs.

These malicious operations are not isolated. Instead, they reflect a wider pattern of coordinated cybercrime often supported by hosting providers willing to look the other way or even enable threat actors by offering anonymous, untraceable services. Proton66 appears to be one such enabler, drawing significant attention for its ties to known malware campaigns, phishing schemes, and even ransomware distribution platforms.

Global Cyber Attacks from Russian IP Blocks: A Breakdown

Since January 8, 2025, cybersecurity researchers have observed significant malicious activity emanating from IP ranges 45.135.232.0/24 and 45.140.17.0/24, both linked to Proton66. These IPs were not previously flagged or had been inactive for years, indicating a deliberate and sudden activation likely aimed at evading existing security blacklists.

Further investigation shows that Proton66 is not acting alone. It is affiliated with another Russian autonomous system dubbed Prospero, which has previously been flagged for operating under alias names like Securehost and BEARHOST on Russian-language cybercrime forums.

Malware families such as GootLoader, SpyNote, XWorm, StrelaStealer, and a ransomware variant called WeaXor have all leveraged Proton66’s infrastructure for command-and-control (C2) operations, phishing redirections, and malicious file hosting.

One striking revelation is the routing of some of these operations through Kaspersky Lab networks, although Kaspersky has firmly denied any cooperation, stating that their AS path might appear in routes due to technical overlap with DDoS protection partners.

Among the vulnerabilities exploited from Proton66 infrastructure:

– CVE-2025-0108: PAN-OS authentication bypass

– CVE-2024-41713: Mitel MiCollab input validation bug

– CVE-2024-10914: D-Link NAS command injection

– CVE-2024-55591 & CVE-2025-24472: Fortinet FortiOS authentication bypass

These vulnerabilities have been used by a threat group known as Mora_001, which is believed to be selling access to infected systems and deploying the SuperBlack ransomware.

Proton66 is also involved in more subtle campaigns. For instance, a Proton66 IP has been implicated in phishing attacks that impersonate the Google Play Store, tricking Android users into downloading malware. These attacks are regionally targeted, focusing on French, Spanish, and Greek-speaking victims, and use advanced obfuscation and anti-detection methods.

There’s also been evidence of ZIP-based social engineering attacks aimed at Korean users in chat rooms, using deceptive Windows LNK files to launch PowerShell-based malware loaders.

German-speaking users haven’t been spared either—StrelaStealer malware has been delivered via Proton66-based phishing emails.

Finally, a variant of WeaXor ransomware, a rework of Mallox, was found communicating with a Proton66-hosted server at 193.143.1[.]139.

Trustwave recommends blocking all Proton66-related CIDRs, along with IP ranges tied to Chang Way Technologies, a Hong Kong-based provider that appears to be affiliated with these threats.

What Undercode Say:

Undercode has tracked the evolution of bulletproof hosting services for over a decade, and Proton66 is a textbook case of how these providers enable the darker side of the internet.

Let’s break down the implications and real-world impact of this report:

  1. Bulletproof Hosting Isn’t New — But It’s Evolving
    What we’re seeing with Proton66 is a sophisticated adaptation. These providers aren’t just hosting dark web marketplaces anymore — they’re part of the infrastructure for complex, multinational cybercrime campaigns.

2. The Multi-Malware Environment

Hosting providers like Proton66 are becoming the Swiss Army knives of cybercrime. From ransomware and stealers to mobile phishing kits, their servers are used to deploy a range of tools that adapt quickly to the target ecosystem.

3. Global Footprint, Local Targets

These campaigns are geolocated and customized. Targeting Android users in specific language regions shows how the operators are optimizing for conversion — this is cybercrime meeting marketing analytics.

4. Tactical Silence: Long Dormant IPs

Dormant IPs reactivated after years of silence are a classic APT tactic — hide in plain sight, then strike. It’s a signal that adversaries are getting better at OPSEC.

5. AS Path Confusion and Legal Grey Zones

The involvement of the Kaspersky AS path shows the challenges in attributing internet routing. Whether malicious or not, such overlaps muddy the waters and make attribution even harder.

6. First-Stage Infection Chains Are More Layered

LNK > PowerShell > VBScript > Base64 > .NET > XWorm — this is not a kiddie script. The sophistication here rivals mid-tier nation-state tooling, indicating a rise in black-market commodification of advanced TTPs.

7. The Rise of Initial Access Brokers (IABs)

Mora_001 is a textbook IAB — a group that sells access to compromised networks to ransomware gangs. Their links to Fortinet exploitations make them a serious player.

8. Return of Android Malware Campaigns

Android hasn’t been at the top of APT radar recently, but this renewed focus indicates a pivot back to mobile exploitation — likely tied to financial fraud.

9. Geopolitical Shielding

Being based in Russia, Proton66 benefits from a level of impunity. Western legal authorities have limited reach, and international cooperation is at a low due to global tensions.

10. Prevention, Not Cure

Blocking IPs is a temporary measure. What’s needed is stronger detection, better behavioral baselining, and a focus on infrastructure-level takedowns.

These developments underscore the increasingly blurred line between state-tolerated cybercrime and criminal opportunism. Proton66 is part of a growing list of providers enabling hostile digital activity with global consequences. For defenders, the time to act is now — while the infrastructure is still traceable and disruptable.

Fact Checker Results:

  • The IP addresses and CVEs mentioned in the Trustwave report have been verified and cross-referenced with public vulnerability databases.
  • Kaspersky Lab’s denial aligns with previous cases of BGP routing overlaps, suggesting no direct malicious involvement.
  • The malware families referenced (XWorm, StrelaStealer, WeaXor) have all been independently confirmed to be active in 2025 by multiple security vendors.

References:

Reported By: thehackernews.com
Extra Source Hub:
https://www.github.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image