
Cybersecurity researchers have observed a significant increase in malicious activities linked to a Russian bulletproof hosting service provider known as Proton66. This rise in threats has been especially prominent since January 8, 2025, and has included mass scanning, brute-force attempts, and exploitation efforts targeting various organizations globally.
According to Trustwave SpiderLabs’ analysis, two specific IP ranges, 45.135.232.0/24 and 45.140.17.0/24, were notably active in these criminal endeavors. Alarmingly, many of these IPs were previously inactive or had not been identified with malicious behavior for over two years.
Proton66 is connected to another service known as PROSPERO, which has been linked to various bulletproof services marketed on Russian cybercrime forums under names like Securehost and BEARHOST. Various strains of malware, including GootLoader and SpyNote, have been hosted via Proton66’s infrastructure, indicating its use for significant cybercriminal operations.
The analysis included details of recent attempts to exploit critical vulnerabilities, such as:
- An authentication bypass in Palo Alto Networks’ PAN-OS (CVE-2025-0108).
- An insufficient input validation vulnerability in Mitel MiCollab (CVE-2024-41713).
- A command injection vulnerability impacting D-Link NAS devices (CVE-2024-10914).
- Multiple authentication bypass vulnerabilities in Fortinet’s FortiOS (CVE-2024-55591 & CVE-2025-24472).
These Fortinet vulnerabilities have been associated with an initial access broker identified as Mora_001, which is known to distribute a new strain of ransomware called SuperBlack.
Malware campaigns tied to Proton66 also included operations targeting Android users through compromised WordPress sites, redirecting them to phishing pages resembling legitimate Google Play listings to trick users into downloading harmful APK files. The attackers used JavaScript so that the redirection occurs only for Android devices that are not connecting through a VPN.
A further campaign used a ZIP archive linked to Proton66 to distribute XWorm malware, specifically aimed at Korean-speaking chat room users and relying on social engineering. The attack begins with a Windows Shortcut (LNK file) executing a PowerShell command that subsequently downloads a malicious .NET DLL from the same infrastructure.
A notable phishing email campaign has also been detected, aimed at German-speaking users, distributing StrelaStealer malware. Additionally, WeaXor ransomware artifacts linked to Proton66 have been found, emphasizing the extensive role this hosting provider plays in facilitating various cyber threats.
In light of these findings, cybersecurity professionals are urged to block all CIDR ranges associated with Proton66 and any related providers to mitigate potential security threats.
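The blocking recommendation above is easy to state but only useful if a defender can see whether the named ranges are already touching their perimeter. The following Python script is an added example, not code from the article or from Trustwave SpiderLabs: it matches the source IPs in web-server access logs against the two /24s the article names (45.135.232.0/24 and 45.140.17.0/24), reports the hits per network, and emits one nftables drop rule per range. The log lines are constructed for the example, and the nftables table and chain names (`inet filter input`) are an assumption about the reader's ruleset. The article refers to a broader set of Proton66 ranges that it does not reproduce, so the list here covers only the two it gives.

```python
"""Check access-log source IPs against the Proton66 ranges named in the article
and produce matching block rules. Added example; log lines are constructed."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# The two /24s reported by Trustwave SpiderLabs in the article.
PROTON66_RANGES: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("45.135.232.0/24"),
    ipaddress.ip_network("45.140.17.0/24"),
]

# Constructed sample lines in combined log format (not real traffic; the two
# hits use addresses inside the ranges above, the others use RFC 5737 test space).
SAMPLE_LOG = """\
45.135.232.17 - - [10/Jan/2025:03:12:44 +0000] "GET /login HTTP/1.1" 401 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2025:03:12:45 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
45.140.17.201 - - [10/Jan/2025:03:13:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2210 "-" "python-requests/2.31"
203.0.113.9 - - [10/Jan/2025:03:13:10 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/8.4.0"
not a log line at all
"""

# Leading fields of the combined log format: client IP, ident, user, timestamp,
# request line, status. Anything after the status code is ignored.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def source_network(ip_text: str) -> Optional[ipaddress.IPv4Network]:
    """Return the Proton66 range containing ip_text, or None (also for unparsable input)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in PROTON66_RANGES:
        if addr in net:  # version mismatch (e.g. IPv6) simply yields False
            return net
    return None


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose client IP falls inside a listed range."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip malformed or unrelated lines instead of failing
        net = source_network(match["ip"])
        if net is None:
            continue
        hits.append({
            "ip": match["ip"],
            "network": str(net),
            "request": match["req"],
            "status": int(match["status"]),
        })
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count matched requests per CIDR range."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["network"]] = counts.get(hit["network"], 0) + 1
    return counts


def block_rules(nets: Iterable[ipaddress.IPv4Network] = PROTON66_RANGES) -> List[str]:
    """One nftables drop rule per range. Table/chain names are an assumption."""
    return [f"nft add rule inet filter input ip saddr {net} drop" for net in nets]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f"{hit['ip']:<16} {hit['network']:<18} {hit['status']} {hit['request']}")
    print("per-range totals:", summarize(found))
    print("\n".join(block_rules()))
```

Running the script against a real access log (for example `scan_log(open("/var/log/nginx/access.log"))`) gives a quick answer to whether the ranges have been scanning or brute-forcing the host before the block rules go in; the per-range totals are what you would carry into a ticket or a SIEM search.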