A recent surge in cyber threats originating from IP addresses associated with a Russian bulletproof hosting service provider known as Proton66 has raised concerns among cybersecurity researchers. These threats include mass scanning, credential brute-forcing, and exploitation attempts targeting organizations worldwide, as highlighted in a detailed analysis published by Trustwave SpiderLabs.
The malicious activity, which has been ongoing since January 8, 2025, is particularly notable for its use of net blocks 45.135.232.0/24 and 45.140.17.0/24 for mass scanning and brute-force attacks. Security researchers Pawel Knapczyk and Dawid Nesterowicz noted that several of the offending IP addresses had not previously been associated with such malicious activities, some of them remaining inactive for over two years.
Proton66, the Russian autonomous system linked to these threats, has been identified as having connections to another autonomous system named PROSPERO. In the past, it has been documented that Proton66 has hosted malware families like GootLoader and SpyNote on its servers. Additionally, there have been reports of Proton66 routing its operations through networks run by Russian antivirus vendor Kaspersky Lab in Moscow, although the latter has denied any collaboration with Proton66.
Trustwave’s analysis also highlighted recent malicious requests originating from Proton66 net blocks attempting to exploit critical vulnerabilities in various software and systems, including Palo Alto Networks PAN-OS, Mitel MiCollab, D-Link NAS, and Fortinet FortiOS. Notably, the exploitation of Fortinet FortiOS flaws has been linked to the distribution of a new ransomware strain called SuperBlack by an initial access broker known as Mora_001.
Furthermore, Proton66 has been associated with malware campaigns distributing XWorm, StrelaStealer, and the WeaXor ransomware. Compromised WordPress websites linked to Proton66 IP addresses have also been used to redirect Android users to phishing pages mimicking Google Play app listings, with a focus on French-, Spanish-, and Greek-speaking users.
The researchers also discovered obfuscated redirector scripts hosted on Proton66 IP addresses, which are designed to exclude certain users (such as crawlers, VPN, or proxy users) and only redirect Android browsers to malicious pages. Additionally, the deployment of XWorm malware through a ZIP archive targeting Korean-speaking chat room users has been attributed to Proton66 infrastructure.
A phishing email campaign targeting German-speaking users with StrelaStealer and the presence of WeaXor ransomware contacting a C2 server in the Proton66 network further highlight the diverse range of threats associated with this hosting provider. Organizations are strongly advised to block all CIDR ranges associated with Proton66 and related providers to mitigate potential risks.
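The advice above is to block the Proton66 CIDR ranges. As an added example (not code from the Trustwave report or the article), the following Python script takes the two net blocks the article names for mass scanning, flags access-log entries whose source address falls inside them, and renders the corresponding `iptables` DROP rules. The log lines are constructed samples in nginx combined-log layout; the function names and the log format are assumptions for illustration.

```python
import ipaddress
import re

# Net blocks the article names as the source of mass scanning and brute-forcing.
# Any broader Proton66/PROSPERO list would come from the vendor report, not this script.
PROTON66_SCANNING_BLOCKS = [
    ipaddress.ip_network("45.135.232.0/24"),
    ipaddress.ip_network("45.140.17.0/24"),
]

# Constructed sample access-log lines (nginx-style). Only the two Proton66-range
# addresses are meaningful; the others are documentation/test addresses.
SAMPLE_LOG = """\
45.135.232.17 - - [10/Jan/2025:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2025:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 1024
45.140.17.200 - - [10/Jan/2025:03:14:11 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0
198.51.100.42 - - [10/Jan/2025:03:14:15 +0000] "GET /about HTTP/1.1" 200 2048
not a log line
"""

# Minimal combined-log parser: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)


def in_blocked_ranges(ip_str, blocks=PROTON66_SCANNING_BLOCKS):
    """Return True if ip_str parses as an IP address inside any of the blocks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Malformed or non-IP client field (e.g. a hostname): never a match.
        return False
    return any(ip in block for block in blocks)


def flag_log(text, blocks=PROTON66_SCANNING_BLOCKS):
    """Return (ip, request) tuples for log lines whose source IP is in a blocked range.

    Unparsable lines are skipped rather than aborting the scan.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if in_blocked_ranges(m.group("ip"), blocks):
            hits.append((m.group("ip"), m.group("req")))
    return hits


def firewall_rules(blocks=PROTON66_SCANNING_BLOCKS):
    """Render one iptables DROP rule per block, ready to paste into a firewall script."""
    return ["iptables -A INPUT -s {} -j DROP".format(b.with_prefixlen) for b in blocks]


if __name__ == "__main__":
    for ip, req in flag_log(SAMPLE_LOG):
        print(f"blocked-range source {ip}: {req}")
    print("\n".join(firewall_rules()))
```

Run against a real access log, the same `flag_log` call gives a quick retrospective check for activity from these ranges before the block rules were in place; extend `PROTON66_SCANNING_BLOCKS` with the full CIDR list from the vendor report rather than hard-coding further guesses.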
In light of these developments, organizations should remain vigilant and maintain robust security measures against threats emanating from bulletproof hosting providers like Proton66. Staying informed and acting on such reports promptly helps businesses protect their digital assets and reduce the risk of data breaches and financial losses.