TechRadar
Sead Fadilpašić

Russian bulletproof hosting system targeted by hackers to spread malware

  • Trustwave finds multiple malware C2 servers hosted on Proton66
  • Ransomware is hosted there, too
  • Some phishing pages targeting Android users originated from Proton66

Proton66, a Russian bulletproof hosting service provider, is being used to spread malware, ransomware, mount phishing attacks, and more, experts have warned. This is according to

Researchers from Trustwave warned the malicious activity has picked up in recent weeks, stating how, “Starting from January 8, 2025, SpiderLabs observed an increase in mass scanning, credential brute forcing, and exploitation attempts originating from Proton66 ASN targeting organizations worldwide.

“Although malicious activity was seen in the past, the spike and sudden decline observed later in February 2025 were notable, and offending IP addresses were investigated.”

Getting in touch

Whoever is behind these activities is looking to exploit a number of vulnerabilities, including an authentication bypass flaw in Palo Alto Networks’ PAN-OS (CVE-2025-0108), an insufficient input validation flaw in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab (CVE-2024-41713), a command injection vulnerability in D-Link NAS devices (CVE-2024-10914), and authentication bypasses in Fortinet’s FortiOS (CVE-2024-55591 and CVE-2025-24472).

The two FortiOS flaws were previously exploited by the initial access broker Mora_001, which has also been seen dropping a new ransomware variant called SuperBlack.

The same report also said that several malware families hosted their C2 servers on Proton66, including GootLoader and SpyNote.

Furthermore, Trustwave said XWorm, StrelaStealer, and a ransomware named WeaXor were all being distributed through Proton66.

Finally, crooks are allegedly using compromised WordPress sites related to a Proton66-linked IP address to redirect Android users to phishing pages that spoof Google Play app listings and try to trick users into downloading malware.

To mitigate the risk from Proton66-linked threats, organizations should block, at the network perimeter, all the Classless Inter-Domain Routing (CIDR) ranges associated with the company and with Chang Way Technologies. The latter is a Hong Kong-based provider that is “likely” related to Proton66. Because hosting providers add and drop prefixes over time, the blocklist should be kept in sync with the ranges attributed to those networks rather than hard-coded once.
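One way to operationalize that advice, as an added example that is not from the article or from Trustwave: load the CIDR list, collapse overlapping prefixes, emit an nftables set that drops traffic from them, and sweep existing logs for connections that already came from those ranges. The prefixes below are RFC 5737 / RFC 3849 documentation ranges used as placeholders, not Proton66’s or Chang Way’s real allocations; the log lines are constructed, and the function and set names are this example’s own.

```python
import ipaddress
import re

# Placeholder prefixes (documentation ranges), NOT the real Proton66 / Chang Way
# allocations. Replace with the ranges attributed to those networks.
BLOCKLIST_CIDRS = [
    "192.0.2.0/24",
    "192.0.2.128/25",    # overlaps the /24 above; collapsed away below
    "198.51.100.0/24",
    "2001:db8::/32",
]

# Constructed sample log lines (sshd and a web server), not real traffic.
SAMPLE_LOG = """\
Feb 10 03:14:07 gw sshd[2231]: Failed password for root from 192.0.2.77 port 51522 ssh2
Feb 10 03:14:09 gw sshd[2231]: Failed password for root from 192.0.2.77 port 51523 ssh2
Feb 10 03:15:41 gw sshd[2240]: Accepted publickey for ops from 203.0.113.5 port 40010 ssh2
Feb 10 03:16:02 gw nginx: 198.51.100.9 - - "GET /wp-login.php HTTP/1.1" 403
"""

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def collapse(cidrs):
    """Parse CIDR strings and merge overlapping/adjacent prefixes per address family."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def is_blocked(ip, nets):
    """True if the address falls inside any blocklisted prefix of the same family."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


def blocked_hits(log_text, nets):
    """Count, per source IP, log lines whose IPv4 addresses fall in the blocklist."""
    hits = {}
    for line in log_text.splitlines():
        for ip in IPV4_RE.findall(line):
            try:
                if is_blocked(ip, nets):
                    hits[ip] = hits.get(ip, 0) + 1
            except ValueError:      # regex can match junk like 999.1.1.1; skip it
                continue
    return hits


def nft_rules(nets, table="inet filter", set_name="bph_block"):
    """Render an nftables ruleset that drops inbound traffic from the prefixes."""
    v4 = ", ".join(str(n) for n in nets if n.version == 4)
    v6 = ", ".join(str(n) for n in nets if n.version == 6)
    lines = [f"table {table} {{"]
    if v4:
        lines.append(f"  set {set_name}_v4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}")
    if v6:
        lines.append(f"  set {set_name}_v6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}")
    lines.append("  chain input {")
    lines.append("    type filter hook input priority 0; policy accept;")
    if v4:
        lines.append(f"    ip saddr @{set_name}_v4 counter drop")
    if v6:
        lines.append(f"    ip6 saddr @{set_name}_v6 counter drop")
    lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = collapse(BLOCKLIST_CIDRS)
    print("prior contact from blocklisted ranges:", blocked_hits(SAMPLE_LOG, nets))
    print(nft_rules(nets))
```

The `counter` on each drop rule is deliberate: hit counts on the set tell you whether the block is doing anything and, after the ranges are refreshed, whether stale prefixes can be retired. The log sweep is the other half of the advice, since blocking only stops future scans; hosts that already accepted connections from those ranges need to be reviewed.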

So-called “bulletproof” hosting is a type of hosting service advertised as immune to takedowns and legal action, but there have been cases in the past where bulletproof hosts were eventually taken down or forced to cooperate.

At this time, the fact that Proton66 is a Russian service probably keeps it largely out of reach of Western law enforcement. However, politics change like the wind, and what Russia protected yesterday could be traded away tomorrow.

Via The Hacker News
