
Proton66 Hosting Under Siege: Global Cyber Attacks Unleashed by Hackers

Cybersecurity experts have raised alarms over a significant increase in cyber attacks linked to Proton66, a Russian bulletproof hosting service. Since early January 2025, malicious activities such as mass scanning and credential brute-forcing have been traced back to this provider, impacting organizations worldwide.


Trustwave SpiderLabs | BetterWorld Technology

Key Takeaways

  • Proton66 has been linked to a surge in global cyber attacks since January 2025.

  • The attacks involve various malware families and exploit critical vulnerabilities.

  • Security researchers recommend blocking all IP ranges associated with Proton66 to mitigate risks.

Overview of Proton66's Malicious Activities

Proton66 has emerged as a central player in a series of cyber attacks, with researchers from Trustwave SpiderLabs identifying specific IP addresses associated with the service that have been particularly active in malicious activities. The analysis revealed that:

  • Mass Scanning and Brute-Force Attempts: The IP blocks 45.135.232.0/24 and 45.140.17.0/24 have been involved in extensive scanning and brute-force attempts against various organizations.

  • Malware Hosting: Several malware families, including GootLoader and SpyNote, have been hosted on Proton66, utilizing its infrastructure for command-and-control operations.

Exploited Vulnerabilities

The attacks have targeted critical vulnerabilities, including:

  1. CVE-2025-0108: An authentication bypass in Palo Alto Networks PAN-OS.

  2. CVE-2024-41713: Insufficient input validation in Mitel MiCollab.

  3. CVE-2024-10914: Command injection vulnerability in D-Link NAS.

  4. CVE-2024-55591 & CVE-2025-24472: Authentication bypass vulnerabilities in Fortinet FortiOS.

These vulnerabilities have been exploited by various threat actors, including an initial access broker known as Mora_001, which has been linked to a new ransomware strain called SuperBlack.

Phishing and Malware Campaigns

In addition to exploiting vulnerabilities, Proton66 has been used to facilitate phishing campaigns and distribute malware:

  • Phishing Pages: Compromised WordPress sites have redirected users to fake Google Play listings, tricking them into downloading malicious APK files.

  • XWorm Malware: A ZIP archive hosted on Proton66 has been used to deploy XWorm, targeting Korean-speaking users through social engineering tactics.

  • StrelaStealer: This information-stealing malware has been linked to phishing emails targeting German-speaking users.

Recommendations for Organizations

Given the ongoing threat posed by Proton66, cybersecurity experts recommend that organizations take immediate action:

  • Block IP Ranges: Organizations should block all CIDR ranges associated with Proton66 and related providers to prevent potential attacks.

  • Monitor for Malicious Activity: Continuously monitoring for unusual activity (such as scanning and repeated failed logins from the same source) and implementing robust security measures can help mitigate risks.
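The two recommendations above (block the published ranges, and monitor for the scanning and brute-force activity the report describes) can be combined into a small triage routine. The following Python script is an added example written for this page, not code from the article, Trustwave SpiderLabs, or BetterWorld Technology. It uses only the two CIDR blocks named earlier in the article; the log lines are constructed for the demonstration, and the `sshd`-style log format, the failed-login threshold, and the generated firewall rule syntax are assumptions.

```python
import ipaddress
import re
from collections import Counter

# CIDR blocks named in the article as involved in scanning and brute-forcing.
# Extend this list with the full set of ranges from the Trustwave report.
PROTON66_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("45.135.232.0/24", "45.140.17.0/24")
]

# Constructed sample log lines (sshd-style); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges used here as stand-ins for ordinary traffic.
SAMPLE_LOG = """\
Jan 12 03:14:01 bastion sshd[1001]: Failed password for root from 45.135.232.17 port 50122 ssh2
Jan 12 03:14:03 bastion sshd[1001]: Failed password for root from 45.135.232.17 port 50124 ssh2
Jan 12 03:14:05 bastion sshd[1001]: Failed password for invalid user admin from 45.135.232.17 port 50130 ssh2
Jan 12 03:16:40 bastion sshd[1007]: Failed password for invalid user test from 45.140.17.200 port 41002 ssh2
Jan 12 03:20:11 bastion sshd[1012]: Failed password for alice from 203.0.113.5 port 39000 ssh2
Jan 12 03:21:02 bastion sshd[1013]: Accepted publickey for bob from 198.51.100.7 port 52210 ssh2
"""

# Matches failed password attempts, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def in_blocklist(ip: str) -> bool:
    """True if the address falls inside any of the listed Proton66 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTON66_RANGES)


def analyze(log_text: str, threshold: int = 3) -> dict:
    """Count failed logins per source and flag blocklisted and brute-forcing sources.

    threshold: number of failures from one source before it is treated as
    brute-forcing (assumed value; tune to the environment).
    """
    failed_counts: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_counts[m.group("ip")] += 1

    blocklisted = {ip for ip in failed_counts if in_blocklist(ip)}
    brute_force = {ip for ip, n in failed_counts.items() if n >= threshold}
    return {
        "failed_counts": dict(failed_counts),
        "blocklisted": blocklisted,
        "brute_force": brute_force,
    }


def iptables_rules(ranges=PROTON66_RANGES) -> list:
    """Render one iptables DROP rule per range (iptables-restore style lines)."""
    return [f"-A INPUT -s {net} -j DROP" for net in ranges]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in sorted(result["failed_counts"].items()):
        tags = []
        if ip in result["blocklisted"]:
            tags.append("PROTON66")
        if ip in result["brute_force"]:
            tags.append("BRUTE-FORCE")
        print(f"{ip:<16} failures={n:<3} {' '.join(tags)}")
    print("\nSuggested firewall rules:")
    print("\n".join(iptables_rules()))
```

Run against a real auth log (for example `python3 triage.py < /var/log/auth.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the script separates sources that are simply inside the published ranges from sources that are actively brute-forcing, which is the distinction the report's scanning and credential-guessing findings rest on. The CIDR list is the only part tied to Proton66; the rest is generic failed-login triage.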

The exploitation of Proton66 hosting services highlights the evolving landscape of cyber threats. As attackers increasingly leverage bulletproof hosting to launch global cyber attacks, organizations must remain vigilant and proactive in their cybersecurity strategies to protect against these sophisticated threats.

As cyber threats grow more sophisticated, staying informed is more important than ever. BetterWorld Technology delivers advanced cybersecurity solutions designed to adapt with the threat landscape—ensuring your business stays protected while continuing to innovate. Take the first step toward stronger security—contact us today for a consultation!

Sources

  • Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery, The Hacker News.

  • U.S. Govt. Funding for MITRE's CVE Ends April 16, Cybersecurity Community on Alert, The Hacker News.
