Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66.
The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week.
"Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts," security researchers Pawel Knapczyk and Dawid Nesterowicz said. "Several of the offending IP addresses were not previously seen to be involved in malicious activity or had been inactive for over two years."
The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named PROSPERO. Last year, French security firm Intrinsec detailed their connections to bulletproof services advertised on Russian cybercrime forums under the names Securehost and BEARHOST.
Several malware families, including GootLoader and SpyNote, have hosted their command-and-control (C2) servers and phishing pages on Proton66. Earlier this February, security journalist Brian Krebs revealed that Prospero has begun routing its operations through networks run by Russian antivirus vendor Kaspersky Lab in Moscow.
However, Kaspersky denied it has worked with Prospero and said that "routing through networks operated by Kaspersky does not by default mean provision of the company's services, as Kaspersky's automated system (AS) path might appear as a technical prefix in the network of telecom providers the company works with and provides its DDoS services."
Trustwave's latest analysis has revealed that the malicious requests originating from one of Proton66's net blocks (193.143.1[.]65) in February 2025 attempted to exploit some of the most recent critical vulnerabilities:
- CVE-2025-0108 – An authentication bypass vulnerability in the Palo Alto Networks PAN-OS software
- CVE-2024-41713 – An insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab
- CVE-2024-10914 – A command injection vulnerability in D-Link NAS devices
- CVE-2024-55591 & CVE-2025-24472 – Authentication bypass vulnerabilities in Fortinet FortiOS
It's worth noting that the exploitation of the two Fortinet FortiOS flaws has been attributed to an initial access broker dubbed Mora_001, which has been observed delivering a new ransomware strain called SuperBlack.
The cybersecurity firm said it also observed several malware campaigns linked to Proton66 that are designed to distribute malware families like XWorm, StrelaStealer, and a ransomware named WeaXor.
Another notable activity concerns the use of compromised WordPress websites associated with the Proton66-linked IP address "91.212.166[.]21" to redirect Android device users to phishing pages that mimic Google Play app listings and trick users into downloading malicious APK files.
The redirections are facilitated via malicious JavaScript hosted on the Proton66 IP address. Analysis of the fake Play Store domains indicates that the campaign is designed to target French-, Spanish-, and Greek-speaking users.
"The redirector scripts are obfuscated and perform multiple checks against the victim, such as excluding crawlers and VPN or proxy users," the researchers explained. "User IP is obtained through a query to ipify.org, then the presence of a VPN on the proxy is verified through a subsequent query to ipinfo.io. Finally, the redirection occurs only if an Android browser is found."
Also hosted on one of the Proton66 IP addresses is a ZIP archive that leads to the deployment of the XWorm malware, specifically singling out Korean-speaking chat room users through social engineering schemes.
The first stage of the attack is a Windows Shortcut (LNK) that executes a PowerShell command, which then runs a Visual Basic Script that, in turn, downloads a Base64-encoded .NET DLL from the same IP address. The DLL proceeds to download and load the XWorm binary.
Proton66-linked infrastructure has also been used to facilitate a phishing email campaign targeting German-speaking users with StrelaStealer, an information stealer that communicates with an IP address (193.143.1[.]205) for C2.
Last but not least, WeaXor ransomware artifacts, a revised version of Mallox, have been found contacting a C2 server in the Proton66 network ("193.143.1[.]139").
Organizations are advised to block all of the Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 and Chang Way Technologies, a likely related Hong Kong-based provider, to neutralize potential threats.
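As an added example (not code from the article or from Trustwave), the script below checks web-server and proxy log lines against the two net blocks and the individual Proton66 addresses named in this article. The complete Proton66 and Chang Way Technologies CIDR list is only in the vendor report and is not reproduced here; the sample log lines are constructed.

```python
import ipaddress
import re
from typing import Iterable

# Net blocks and host addresses named in the article. The full Proton66 /
# Chang Way CIDR list comes from the Trustwave report and must be added here
# by the operator; the /32 entries are the individual hosts the article cites.
PROTON66_RANGES = [
    ipaddress.ip_network("45.135.232.0/24"),   # mass scanning / brute force
    ipaddress.ip_network("45.140.17.0/24"),    # mass scanning / brute force
    ipaddress.ip_network("193.143.1.65/32"),   # CVE exploitation attempts
    ipaddress.ip_network("193.143.1.205/32"),  # StrelaStealer C2
    ipaddress.ip_network("193.143.1.139/32"),  # WeaXor C2
    ipaddress.ip_network("91.212.166.21/32"),  # fake Play Store redirector host
]

# Any dotted-quad in the line: covers the client field of an access log and
# the destination field of an outbound proxy/firewall log (C2 contact).
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_proton66(addr: str) -> bool:
    """True if addr falls inside any listed Proton66-linked range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PROTON66_RANGES)


def scan_log(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, matched_ip, line) for each line mentioning a listed address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in _IP_RE.findall(line):
            if is_proton66(ip):
                hits.append((n, ip, line.rstrip()))
                break
    return hits


# Constructed sample lines (not from the report): two inbound probes from the
# /24 blocks, one outbound connection to the StrelaStealer C2, one benign hit.
SAMPLE_LOG = [
    '45.135.232.17 - - [09/Jan/2025:03:12:44 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.9 - - [09/Jan/2025:03:12:45 +0000] "GET /index.html HTTP/1.1" 200 4096',
    '45.140.17.201 - - [09/Jan/2025:03:13:02 +0000] "GET /admin HTTP/1.1" 404 210',
    'proxy: CONNECT 193.143.1.205:443 from 10.0.0.23 user=alice',
]

if __name__ == "__main__":
    for n, ip, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {line}")
```

Feed it real access or proxy logs line by line; an outbound match on a /32 C2 entry is a stronger signal than an inbound probe from the scanning blocks, since it indicates a host inside the network already running the implant.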