Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery
Cybersecurity researchers have reported a significant surge in mass scanning, credential brute forcing, and exploitation attempts originating from IP addresses linked to Proton66—a Russian bulletproof hosting provider. The malicious activity, active since January 8, 2025, has targeted organizations worldwide, with net blocks such as 45.135.232.0/24 and 45.140.17.0/24 showing particularly high activity levels. Researchers noted that some of these IP addresses had not been involved in prior malicious actions or had been dormant for over two years.
The Proton66 infrastructure is associated with another autonomous system, PROSPERO, and has historical links to services like Securehost and BEARHOST discussed on Russian cybercrime forums. Various malware families, including GootLoader, SpyNote, XWorm, StrelaStealer, and a new ransomware strain dubbed SuperBlack (delivered by the initial access broker Mora_001), have exploited this network to host command-and-control servers, phishing pages, and malicious payloads.
Additional tactics involve abusing compromised WordPress sites to redirect Android users to fake Google Play pages that download malicious APK files, with obfuscated JavaScript that queries services such as ipify and ipinfo.io to check whether the visitor is coming from a VPN or proxy before serving the payload. Other malicious activities include deploying phishing email campaigns and hosting ZIP archives on Proton66 IP addresses to distribute malware via sophisticated social engineering schemes.
Organizations are advised to block all Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 and related providers (like Chang Way Technologies) to mitigate potential cybersecurity threats.
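Before blocking at the perimeter, a defender usually wants to know whether the ranges in question have already touched their services. The following script is an added example written for this summary, not code from the researchers or the article: it parses web-server access-log lines (Combined Log format is assumed), flags any request whose source address falls inside the two net blocks named above, and tallies hits per range. The log lines are constructed for illustration and are not real captures; the range list contains only the two CIDRs the article cites, and any further ranges would come from your own threat-intel feed.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# CIDR ranges the article names as showing high activity. Extend this list
# from your own intel feed; only the two blocks on the page are included here.
PROTON66_RANGES = [
    ipaddress.ip_network("45.135.232.0/24"),
    ipaddress.ip_network("45.140.17.0/24"),
]

# Constructed sample access log (Combined Log style), not a real capture.
SAMPLE_LOG = """\
45.135.232.17 - - [09/Jan/2025:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 401 512
203.0.113.42 - - [09/Jan/2025:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 2048
45.140.17.201 - - [09/Jan/2025:03:14:11 +0000] "POST /remote/login HTTP/1.1" 403 77
198.51.100.9 - - [09/Jan/2025:03:14:12 +0000] "GET /robots.txt HTTP/1.1" 200 64
this line is not a log entry
45.135.232.250 - - [09/Jan/2025:03:14:15 +0000] "GET /.env HTTP/1.1" 404 0
"""

# Leading fields of a Combined Log line: client IP, ident, user, timestamp,
# request line, status code. Remaining fields are not needed for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def matching_range(ip_str: str) -> Optional[ipaddress.IPv4Network]:
    """Return the blocklisted network containing ip_str, or None.

    Malformed addresses are treated as non-matching rather than raising, so a
    single bad log line cannot abort a scan. An IPv6 address never matches an
    IPv4 network, so mixed logs are safe.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in PROTON66_RANGES:
        if ip in net:
            return net
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each access-log line and return the entries whose source IP
    falls inside a blocklisted range. Unparsable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        net = matching_range(m["ip"])
        if net is None:
            continue
        hits.append({
            "ip": m["ip"],
            "range": str(net),
            "timestamp": m["ts"],
            "request": m["req"],
            "status": m["status"],
        })
    return hits


def hits_per_range(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matched entries per CIDR range for a quick triage summary."""
    return dict(Counter(h["range"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["timestamp"]} {h["ip"]} ({h["range"]}) {h["request"]} -> {h["status"]}')
    print(hits_per_range(found))
```

Run against a real log with `scan_log(open("access.log").read())`; the per-range counts tell you which block to prioritise, and the flagged request lines (login endpoints, dotfiles) show what the scanners were probing, which is useful input when deciding how broad the perimeter block should be.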
Key Points:
- Surge in Attacks: Mass scanning, brute forcing, and exploitation attempts since January 8, 2025.
- Threat Infrastructure: Proton66 (Russian bulletproof hosting) linked to PROSPERO and historically connected to cybercrime forums.
- Exploitation Targets: Critical vulnerabilities in products from Palo Alto Networks, Mitel, D-Link, and Fortinet.
- Malware Campaigns: Involvement of malware families XWorm, StrelaStealer, and ransomware (SuperBlack, WeaXor).
- Phishing and Redirects: Compromised WordPress sites redirect Android users to malicious APK downloads.
- Mitigation Advice: Block Proton66-associated CIDR ranges to neutralize threats.
This summary contextualizes the evolving threat landscape and highlights the need for organizations to reinforce their defensive strategies against sophisticated cyberattacks.