Cybersecurity Alert: Russian Bulletproof Host Proton66 Linked to Surge in Malicious Activity
Cybersecurity researchers at Trustwave SpiderLabs have identified a significant increase in malicious activity, including mass scanning, credential brute-forcing, and exploitation attempts, originating from IP addresses associated with the Russian bulletproof hosting service provider Proton66.
This surge in activity, detected since January 8, 2025, has targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs. The research highlights the involvement of Proton66’s net blocks, particularly 45.135.232.0/24 and 45.140.17.0/24, in mass scanning and brute-force attempts.
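For defenders, the practical takeaway from the two net blocks above is a log check. The following is an added example (not code from Trustwave or the article): it counts failed SSH logins per source address in constructed sshd-style log lines and flags sources inside the listed Proton66 ranges; the log lines, host names and threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Net blocks named in the Trustwave SpiderLabs analysis.
PROTON66_NET_BLOCKS = [
    ipaddress.ip_network("45.135.232.0/24"),
    ipaddress.ip_network("45.140.17.0/24"),
]

# Constructed sshd-style sample lines; the source IPs are chosen to fall
# inside and outside the listed ranges and are not real observations.
SAMPLE_AUTH_LOG = """\
Apr 21 10:01:02 host sshd[101]: Failed password for root from 45.135.232.17 port 51234 ssh2
Apr 21 10:01:03 host sshd[102]: Failed password for admin from 45.135.232.17 port 51235 ssh2
Apr 21 10:01:04 host sshd[103]: Failed password for invalid user test from 45.135.232.17 port 51236 ssh2
Apr 21 10:01:05 host sshd[104]: Failed password for root from 45.140.17.200 port 40001 ssh2
Apr 21 10:01:06 host sshd[105]: Accepted password for alice from 10.0.0.5 port 22222 ssh2
Apr 21 10:01:07 host sshd[106]: Failed password for bob from 198.51.100.9 port 33333 ssh2
"""

FAILED_RE = re.compile(r"Failed password for .* from (\S+) port")


def in_proton66(ip_str):
    """Return True if the address falls in one of the listed net blocks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in block for block in PROTON66_NET_BLOCKS)


def failed_logins_by_source(log_text):
    """Count failed SSH logins per source IP across the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def flag_bruteforce_from_proton66(log_text, threshold=3):
    """Return (seen, flagged): every Proton66 source with its failure count,
    and the subset at or above the threshold, so single probes are kept too."""
    counts = failed_logins_by_source(log_text)
    seen = {ip: n for ip, n in counts.items() if in_proton66(ip)}
    flagged = {ip: n for ip, n in seen.items() if n >= threshold}
    return seen, flagged


if __name__ == "__main__":
    seen, flagged = flag_bruteforce_from_proton66(SAMPLE_AUTH_LOG)
    for ip, n in seen.items():
        print(f"{ip}: {n} failed login(s) [{'brute-force' if ip in flagged else 'probe'}]")
```

Adjust the threshold to the baseline of your own hosts; the net-block list is the part to keep current as the analysis is updated.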
Security researchers Pawel Knapczyk and Dawid Nesterowicz noted that several of the offending IP addresses were previously inactive or had not been involved in malicious activity for over two years. The Russian autonomous system Proton66 is believed to be linked to another autonomous system named PROSPERO, which has been connected to bulletproof services marketed on Russian cybercrime forums under the names Securehost and BEARHOST.
Proton66 has hosted command-and-control (C2) servers and phishing pages for several malware families, including GootLoader and SpyNote. In February 2025, security journalist Brian Krebs revealed that Prospero had begun routing its operations through networks run by Russian antivirus vendor Kaspersky Lab in Moscow. However, Kaspersky denied any involvement with Prospero, stating that the routing of operations through their networks does not imply provision of services.
Trustwave’s analysis revealed that malicious requests from one of Proton66’s net blocks attempted to exploit critical vulnerabilities, including:
- CVE-2025-0108: An authentication bypass vulnerability in the Palo Alto Networks PAN-OS software
- CVE-2024-41713: An insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab
- CVE-2024-10914: A command injection vulnerability in D-Link NAS
- CVE-2024-55591 & CVE-2025-24472: Authentication bypass vulnerabilities in Fortinet FortiOS
The exploitation of the two Fortinet FortiOS flaws has been attributed to an initial access broker dubbed Mora_001, which has been observed delivering a new ransomware strain called SuperBlack.
Trustwave’s analysis also revealed that Proton66 has been involved in several malware campaigns, including the distribution of malware families like XWorm, StrelaStealer, and a ransomware named WeaXor. Compromised WordPress websites related to Proton66 have been used to redirect Android device users to phishing pages that mimic Google Play app listings, tricking users into downloading malicious APK files.