A sharp increase in cyberattacks, including large-scale scanning, credential brute-forcing, and exploitation of critical software vulnerabilities, has been traced back to IP ranges associated with the Russian bulletproof hosting service Proton66, cybersecurity researchers from Trustwave SpiderLabs revealed in a recent report.
The malicious activity, which has been ongoing since January 8, 2025, has affected organizations globally. According to researchers Pawel Knapczyk and Dawid Nesterowicz, the most aggressive actions were observed from the IP blocks 45.135.232.0/24 and 45.140.17.0/24, many of whose addresses were previously inactive or had not been flagged for suspicious activity.
Proton66 and Its Shadowy Network
Proton66 is closely linked to another Russian network known as PROSPERO, previously identified by French security firm Intrinsec as a distributor of bulletproof hosting services under aliases like Securehost and BEARHOST on underground forums. Several well-known malware families—including GootLoader and SpyNote—have been seen using Proton66 infrastructure for hosting command-and-control (C2) servers and phishing content.
Adding to the concern, cybersecurity journalist Brian Krebs reported that PROSPERO’s operations may be routing through networks belonging to Kaspersky Lab in Moscow. Kaspersky has denied any involvement, stating that the technical appearance of its network in routing paths does not imply direct collaboration or service provision.
Exploiting the Latest Critical Vulnerabilities
Trustwave identified that IP address 193.143.1[.]65 from Proton66 was actively involved in exploiting several high-severity vulnerabilities in February 2025:
CVE-2025-0108 – Authentication bypass in Palo Alto Networks PAN-OS
CVE-2024-41713 – Input validation flaw in Mitel’s NuPoint Messaging
CVE-2024-10914 – Command injection issue in D-Link NAS
CVE-2024-55591 & CVE-2025-24472 – Authentication bypass flaws in Fortinet FortiOS
The Fortinet flaws were linked to an initial access broker known as Mora_001, believed to be distributing a new ransomware variant called SuperBlack.
Malware Campaigns and Regional Targeting
Trustwave also uncovered multiple malware campaigns tied to Proton66’s infrastructure:
XWorm was delivered via .zip files hosted on Proton66 IPs, with a PowerShell-triggered infection chain. This campaign targeted Korean-speaking chat users.
StrelaStealer, an information-stealing malware, was deployed in phishing emails aimed at German-speaking targets, connecting to 193.143.1[.]205.
A WeaXor ransomware variant, a reworked version of Mallox, was traced back to 193.143.1[.]139, also under Proton66.
Another major threat vector involves fake Google Play Store pages, designed to trick Android users from France, Spain, and Greece into downloading malware-laced APKs. These pages were delivered through compromised WordPress sites and redirector scripts hosted on 91.212.166[.]21. These scripts actively check whether the user is on an Android device, using a VPN, or a bot before redirecting.
Defensive Measures
Given the widespread and varied threat activity, Trustwave recommends blocking all CIDR ranges linked to Proton66 and potentially associated providers like Chang Way Technologies, a Hong Kong-based company believed to be connected to the infrastructure.
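One way to act on that recommendation, as an added example that is not Trustwave's tooling or part of the report: a small Python check that turns the defanged indicators quoted in this article into a blocklist and flags any access-log line whose source address falls inside it. It covers only the two /24 blocks and the individual IPs named above; the full set of Proton66 and Chang Way Technologies ranges is not on this page, and the log lines are constructed samples.

```python
import ipaddress
import re

# Indicators as quoted in the article (hosts are defanged with "[.]").
# This is deliberately limited to what the article names, not a full Proton66 range list.
ARTICLE_CIDRS = ["45.135.232.0/24", "45.140.17.0/24"]
ARTICLE_HOSTS = ["193.143.1[.]65", "193.143.1[.]205", "193.143.1[.]139", "91.212.166[.]21"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 193.143.1[.]65 back into a plain address."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def build_blocklist(cidrs, hosts):
    """Parse CIDR blocks and single hosts into ip_network objects (hosts become /32)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    nets += [ipaddress.ip_network(refang(h) + "/32") for h in hosts]
    return nets


BLOCKLIST = build_blocklist(ARTICLE_CIDRS, ARTICLE_HOSTS)


def matching_network(ip: str):
    """Return the blocklist entry containing ip (as a string), or None if it is not listed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed address in a log line: treat as no match
        return None
    for net in BLOCKLIST:
        if addr in net:
            return str(net)
    return None


# Common-log-format lines start with the client address followed by a space.
LOG_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")


def flag_log_lines(lines):
    """Return (client_ip, matched_network, line) for each line whose source is on the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        net = matching_network(m.group(1))
        if net:
            hits.append((m.group(1), net, line))
    return hits


# Constructed sample access-log lines (hypothetical; not taken from the report).
SAMPLE_LOG = [
    '45.135.232.17 - - [10/Feb/2025:03:14:07 +0000] "GET /login HTTP/1.1" 401 0',
    '203.0.113.9 - - [10/Feb/2025:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 512',
    '193.143.1.65 - - [10/Feb/2025:03:15:21 +0000] "POST /api/ HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, net, _ in flag_log_lines(SAMPLE_LOG):
        print(f"{ip} matched blocklist entry {net}")
```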
These findings highlight the evolving tactics of state-aligned and financially motivated threat groups that continue to exploit poorly monitored internet infrastructure to orchestrate global cyberattacks.