Malware Surge via Proton66
Hackers are abusing the infrastructure of Russian bulletproof hosting provider Proton66 to launch global cyberattacks, including mass scanning, credential brute-forcing, and exploitation attempts. Trustwave SpiderLabs identified this surge in activity beginning in January 2025, noting that previously inactive IP addresses were involved in malicious activity. Ties between Proton66 and other bulletproof networks such as PROSPERO, Securehost, and BEARHOST have been established, with Proton66 infrastructure hosting command-and-control (C2) servers and phishing pages for malware families like GootLoader and SpyNote.
The malicious campaigns involve exploitation of recent vulnerabilities across major platforms. These include authentication bypasses in Palo Alto Networks PAN-OS and Fortinet FortiOS, and flaws in D-Link NAS and Mitel’s MiCollab systems. Other malware linked to Proton66 includes XWorm, StrelaStealer, and the ransomware strain WeaXor. Attackers have also leveraged compromised WordPress sites to redirect Android users to phishing pages mimicking Google Play, targeting French, Spanish, and Greek speakers.
Campaigns targeting Korean and German speakers via social engineering and phishing were also uncovered. In one case, Proton66-hosted scripts deployed XWorm through multi-stage malware delivery chains. In another, StrelaStealer was used to harvest information from German users. It is advised that organizations block all CIDR ranges tied to Proton66 and affiliated infrastructure, including Chang Way Technologies, to minimize exposure to these threats.
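The closing recommendation, blocking every CIDR range tied to Proton66 and its affiliates, is straightforward to operationalise but easy to get subtly wrong (overlapping prefixes, mixed IPv4/IPv6 entries, malformed addresses in logs). The script below is an added example, not code from the article or from Trustwave SpiderLabs: it normalises a CIDR blocklist with Python's standard `ipaddress` module, then scans constructed firewall log lines for source addresses that fall inside any listed range. The CIDR values are RFC 5737 documentation networks used as placeholders; the real Proton66 and Chang Way Technologies prefixes are not reproduced on this page and must be taken from the Trustwave report. The log format (`src=` / `dst=` fields) is likewise an assumption.

```python
import ipaddress
import re
from typing import Dict, List

# PLACEHOLDER prefixes (RFC 5737 documentation ranges), NOT Proton66's real
# address space. Replace with the CIDR list from the Trustwave SpiderLabs report.
BLOCKLIST_CIDRS = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the entry above; collapsed into a /24
    "203.0.113.0/24",
]

# Constructed sample log lines in an assumed "key=value" firewall format.
SAMPLE_LOG = """\
2025-04-21T09:12:03Z fw01 deny  TCP src=192.0.2.45     dst=10.0.0.5 dport=443
2025-04-21T09:12:04Z fw01 allow TCP src=10.0.0.7       dst=10.0.0.5 dport=22
2025-04-21T09:12:05Z fw01 allow TCP src=203.0.113.200  dst=10.0.0.9 dport=8443
2025-04-21T09:12:06Z fw01 allow TCP src=198.51.100.130 dst=10.0.0.9 dport=22
2025-04-21T09:12:07Z fw01 allow TCP src=garbage        dst=10.0.0.9 dport=22
"""

_SRC_RE = re.compile(r"\bsrc=(\S+)")


def build_blocklist(cidrs: List[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR strings and merge overlapping/adjacent prefixes.

    collapse_addresses() refuses to mix address families, so IPv4 and IPv6
    entries are collapsed separately and concatenated.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(ip_str: str, nets: List[ipaddress._BaseNetwork]) -> bool:
    """True if ip_str is a valid address inside any blocklisted network.

    Malformed input is treated as "not matched" rather than raising, so one
    bad log field cannot abort a whole scan.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    # Membership test returns False on a version mismatch (v6 addr vs v4 net).
    return any(ip in net for net in nets)


def scan_log(text: str, nets: List[ipaddress._BaseNetwork]) -> List[Dict[str, str]]:
    """Return one hit per log line whose src= address is blocklisted."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _SRC_RE.search(line)
        if m and is_blocked(m.group(1), nets):
            hits.append({"line": str(lineno), "src": m.group(1)})
    return hits


def render_deny_list(nets: List[ipaddress._BaseNetwork]) -> List[str]:
    """Collapsed prefixes as plain CIDR strings, ready for a firewall deny set."""
    return [str(n) for n in nets]


if __name__ == "__main__":
    nets = build_blocklist(BLOCKLIST_CIDRS)
    print("deny set:", ", ".join(render_deny_list(nets)))
    for hit in scan_log(SAMPLE_LOG, nets):
        print(f"line {hit['line']}: blocklisted source {hit['src']}")
```

Collapsing first matters in practice: a list assembled from several reports often contains nested or adjacent prefixes, and feeding the merged set to the firewall keeps rule tables small and avoids silent shadowing. The `scan_log` pass is the retrospective check that pairs with the block: run it over historical logs to find connections that reached the network before the deny rules were in place.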
Lakshmanan, Ravie. 2025. “Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery.” The Hacker News. Apr. 21.
READ: https://bit.ly/42Y7tX1