Hackers Exploit Russian Host Proton66 for Global Malware Attacks, Researchers Say


A notorious Russian hosting service provider known as Proton66 is at the center of a series of widespread cyberattacks and malware campaigns targeting organizations and users worldwide, according to fresh findings from cybersecurity experts.

Researchers at Trustwave SpiderLabs have linked the provider to a surge in dangerous activities — from credential brute-forcing and mass vulnerability scanning to the delivery of ransomware, infostealers, and Android-targeted phishing campaigns.

A bulletproof playground for hackers

Proton66 is part of a larger underground network of “bulletproof hosting” providers — services that intentionally allow or ignore criminal activity on their servers. The infrastructure has been openly advertised on Russian-speaking forums under the names UNDERGROUND and BEARHOST, according to Intrinsec, a French cybersecurity firm.

On Jan. 8, 2025, researchers began noticing a sharp increase in unauthorized scanning, credential harvesting, and exploitation attempts linked to IP addresses registered under Proton66’s Autonomous System Number (AS198953).

“Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts,” Trustwave researchers Pawel Knapczyk and Dawid Nesterowicz said in a report published last week. “Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years.”

Interestingly, some of the IPs being used were dormant for years. One such address, 45.134.26.8, hadn’t been flagged for malicious activity since November 2021. Yet, now, it’s part of what SpiderLabs describes as an aggressive and coordinated wave of cyber offensives, many of which were blocked before causing significant damage.

Weaponizing the latest vulnerabilities

Among the most concerning discoveries was the use of Proton66 resources to exploit high-profile vulnerabilities. This includes the recently disclosed CVE-2025-0108 in Palo Alto Networks PAN-OS and CVE-2024-10914, a critical flaw in legacy D-Link NAS devices.

One IP in particular, 193.143.1.65, was observed in February 2025 launching exploit attempts for these and other bugs. According to SpiderLabs, this same IP is linked to a threat actor group dubbed “Mora_001,” believed to be an initial access broker. Once inside, they deploy a ransomware strain named “SuperBlack”, similar to LockBit 3.0, but with a customized ransom note and data theft tool.

Fake apps, phishing, and Android malware

Beyond ransomware, Proton66 also plays a key role in distributing malware via compromised WordPress websites.

In February, researchers observed Android users being redirected from these sites to phishing pages impersonating the Google Play Store. Fake app marketplaces like us-playmarket.com and playstors-france.com were designed to trick users into downloading malicious apps.

“The redirector scripts are obfuscated and perform several checks against the victim, such as excluding crawlers and VPN or proxy users,” the SpiderLabs team explained. They added, “User IP is obtained through a query to ipify.org, then the presence of a VPN on the proxy is verified through a subsequent query to ipinfo.io.”

Despite the elaborate setup, SpiderLabs confirmed that none of the redirection attempts were successful, likely because no Android users visited the compromised pages during the observation period.

A malware buffet: XWorm, Strela Stealer, and WeaXor

SpiderLabs’ second report dives deeper into Proton66’s ties to multiple malware campaigns:

  • XWorm targets Korean-speaking investment chat rooms. Victims receive ZIP files that execute scripts and download encoded .NET payloads, leading to full infection.
  • Strela Stealer is a credential-stealing malware that targets German-speaking users through phishing emails. This strain communicates with C2 servers hosted on 193.143.1.205, another Proton66 IP.
  • WeaXor, a ransomware variant related to Mallox, encrypts files and demands $2,000 in Bitcoin or USDT for decryption. The malware connects to a C2 server at 193.143.1.139.

Underground roots and shifting infrastructure

The criminal ecosystem behind Proton66 is linked to shady bulletproof hosting brands like UNDERGROUND and BEARHOST, which were previously advertised on darknet forums. But since December 2024, those offers vanished from public listings, replaced by a more private sales model.

A user named “Voodo_servers” responded to forum questions by claiming, “the services are now offered through a private company,” removing the need for open forum promotions.

Security firm Intrinsec had already tied these services to a Hong Kong-based provider, Chang Way Technologies. Trustwave researchers later noticed multiple campaigns shifting IPs from Proton66 to Chang Way-owned networks, indicating a likely operational handoff or partnership.

What organizations can do

Given the depth and range of attacks, SpiderLabs strongly recommends blocking the following IP ranges:

Proton66 ASN (AS198953)

  • 45.134.26.0/24
  • 45.135.232.0/24
  • 45.140.17.0/24
  • 91.212.166.0/24
  • 193.143.1.0/24

Chang Way Technologies ASN

  • 45.93.20.0/24
  • 91.240.118.0/24
  • 185.11.61.0/24
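As an added example (not from the Trustwave report or this article), the Python snippet below loads the eight recommended netblocks and flags any access-log line whose client address falls inside one of them; the log lines are constructed, and the 185.11.61.20 address is a made-up member of the Chang Way range.

```python
import ipaddress

# Netblocks named in the SpiderLabs recommendation, keyed by the owner given in the article.
BLOCKLIST = {
    "Proton66 AS198953": [
        "45.134.26.0/24", "45.135.232.0/24", "45.140.17.0/24",
        "91.212.166.0/24", "193.143.1.0/24",
    ],
    "Chang Way Technologies": [
        "45.93.20.0/24", "91.240.118.0/24", "185.11.61.0/24",
    ],
}

# Parse the CIDRs once so every lookup is a cheap containment test.
NETWORKS = [
    (ipaddress.ip_network(cidr), owner)
    for owner, cidrs in BLOCKLIST.items()
    for cidr in cidrs
]

def classify_ip(ip_str):
    """Return the owner label if ip_str is inside a listed netblock, else None.
    Unparsable strings (garbled log fields) return None instead of raising."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net, owner in NETWORKS:
        if ip in net:
            return owner
    return None

# Constructed sample lines in a common access-log shape (not real traffic);
# the client IP is the first whitespace-separated field.
SAMPLE_LOG = """\
193.143.1.65 - - [12/Feb/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 13
198.51.100.7 - - [12/Feb/2025:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 512
45.134.26.8 - - [12/Feb/2025:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 401 0
185.11.61.20 - - [12/Feb/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
not-an-ip - - [12/Feb/2025:10:02:01 +0000] "GET / HTTP/1.1" 200 13
"""

def flag_log_lines(text):
    """Return (line_no, ip, owner) for each line whose client IP is in a listed block."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split(maxsplit=1)
        if not fields:
            continue
        owner = classify_ip(fields[0])
        if owner:
            hits.append((n, fields[0], owner))
    return hits
```

The same containment test applied to destination addresses in egress logs would also catch the C2 hosts named above (193.143.1.205 and 193.143.1.139), since both sit inside 193.143.1.0/24.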

While many attacks have been thwarted before causing significant harm, the sheer volume of activity and the use of newly discovered exploits point to a persistent and evolving threat.

Cyber defenders are urged to remain vigilant, update security tools, and take proactive measures to shield their networks from the next wave of attacks coming from these malicious infrastructures.

Aminu Abdullahi
