Categories: Attacks, Malware, Network Security, News & Analysis

Russian Bulletproof Hosting Provider Proton66 Linked to Global Cyberattack Surge

By Kirsten Doyle, April 22, 2025

Researchers at Trustwave have uncovered a surge in malicious online activity traced to IP addresses belonging to a Russian bulletproof hosting provider known as Proton66.

Since January 8, 2025, Trustwave's SpiderLabs researchers have observed a steep increase in mass scanning, credential brute-forcing, and exploitation attempts from this infrastructure, targeting organizations around the world.

The detailed findings, including technical indicators of compromise and deeper forensic analysis, are published in SpiderLabs' two-part report (Part 1 and Part 2). Both parts examine Proton66's role in hosting the infrastructure used to launch widespread cyberattacks.

According to Trustwave, Proton66 is linked to another Russian autonomous system named PROSPERO. This connection was previously exposed by French cybersecurity firm Intrinsec, which found that both entities marketed bulletproof hosting services under the names Securehost and BEARHOST on Russian-speaking cybercrime forums. 

A Hub for Malware Campaigns 

Over the past year, Proton66 has been a known safe haven for malicious actors deploying malware families such as GootLoader and SpyNote.  

These groups have used Proton66-hosted servers to manage command-and-control (C2) operations and phishing campaigns.  

Adding to the controversy, investigative journalist Brian Krebs reported in February that PROSPERO has begun routing some of its activities through infrastructure operated by Russian antivirus company Kaspersky Lab. 

Trustwave's latest analysis paints an even more alarming picture. In February 2025, malicious traffic from an address in one of Proton66's netblocks (193.143.1[.]65) was observed attempting to exploit newly disclosed critical vulnerabilities, including:

  • CVE-2025-0108 – An authentication bypass in the management web interface of Palo Alto Networks' PAN-OS.
  • CVE-2024-41713 – An insufficient input validation (path traversal) vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab, reachable without authentication.
  • CVE-2024-10914 – An OS command injection vulnerability affecting D-Link NAS devices; the affected models are end-of-life, and D-Link has said they will not receive a fix.

If successfully exploited, these vulnerabilities allow attackers to bypass authentication, execute injected commands on the device, or gain unauthorized access to sensitive systems behind it.

Compromised WordPress Sites and Broader Implications 

Beyond direct exploitation attempts, the researchers also found Proton66 infrastructure involved in broader malware distribution campaigns. Compromised WordPress sites have been used to spread malware, with attackers injecting malicious scripts into legitimate web pages to redirect visitors to harmful payloads.

Bulletproof hosting providers are a critical pillar of the global cybercrime ecosystem, offering attackers a reliable, difficult-to-take-down platform for launching and sustaining malicious operations.

Security Recommendations 

In light of these findings, defenders should review inbound traffic from known Proton66 IP ranges (the SpiderLabs reports list the indicators), harden authentication against brute-forcing, and patch the vulnerabilities listed above without delay; where no fix exists, as with the end-of-life D-Link NAS models, the device should be taken off the internet or retired. Organizations should also monitor for signs of compromise associated with the GootLoader and SpyNote malware families.

Layered Defenses Needed 

The broad range and intensity of cyberattacks facilitated by Proton66 demonstrates why organizations need layered cybersecurity defenses, says Patrick Tiquet, Vice President, Security & Architecture at Keeper Security. "The activities stemming from Proton66 include vulnerability scanning, credential brute forcing, exploit attempts and phishing campaigns that mimic reputable WordPress sites, Google Play Store app listings and chat rooms. 

Security and IT teams should view these threats as a stark reminder of the many methods by which attackers can target their organizations. Companies should also have security event monitoring in place to detect and analyze privilege escalations so that anomalous behavior can be detected and blocked. All organizations should take a proactive approach to regularly update all software and immediately patch vulnerabilities that are being actively exploited in the wild.” 

Tiquet says strong identity management is key for defending against brute force attacks by enforcing strong, unique passwords and implementing MFA, which adds another vital layer of security, making it significantly harder for attackers to gain access even if they crack a password. “One of the most effective ways to protect sensitive systems is through Privileged Access Management (PAM), which ensures that high-risk accounts undergo regular password rotation. This reduces the window of opportunity for attackers to exploit stolen credentials.” 

Entities should also ensure they have basic precautions including an endpoint protection platform, web filtering and email protection in place, Tiquet continues. “Best practices should also include regular employee education to limit the influence of human error. Employees should be trained to recognize phishing attempts, malicious attachments, suspicious links and other common threats.” 

A Noisy Neighborhood 

Trey Ford, Chief Information Security Officer at Bugcrowd adds that the internet can be a noisy neighborhood. “On occasion, we’ve found miscreants who do not care to vary their source IPs – for a variety of reasons. IP addresses are not durable indicators, as varying scan sources is inexpensive – so this may speak to the effort level, professionalism, or funding level of the actors.” 

Ford says it's obvious that internet-exposed services need to be hardened and patched ruthlessly: they're exposed and accepting requests from anywhere allowed... maintaining blocklists for IPs like this at scale is largely wasted energy. 

“The account brute forcing reminds us of the importance of maintaining velocity checks monitoring attempted login activity from singular IP addresses, net blocks, and even user-agent strings. CAPTCHA tools vary in capability, so ultimately, we should be aiming to drive up the cost and complexity of attacker activity beyond the reach of lazy attack patterns like those being flagged here,” Ford ends.  
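The two defensive measures raised above, reviewing inbound traffic against known Proton66 ranges (Security Recommendations) and Ford's velocity checks on login attempts per IP, per netblock and per user-agent string, can be combined in one detection pass over web-server logs. The script below is an added example, not code from the article, from Trustwave or from either commentator. Its assumptions are not on the page: the watchlist entry 193.143.1.0/24 is a hypothetical stand-in for an operator's real Proton66 range list (the article cites only the single address 193.143.1[.]65); the log format is a simplified constructed one; and the sample lines are constructed, not captured traffic.

```python
"""
Added example (not from the article or Trustwave): watchlist matching plus
sliding-window login velocity checks over constructed web-server log lines.

Assumptions not stated on the page:
  * WATCHLIST holds 193.143.1.0/24 as a stand-in for a real Proton66 range list.
  * Constructed line format: <UTC time> <client IP> <method> <path> <status> "<UA>"
  * A POST to a login path answered with 401/403 counts as a failed login.
    Stock WordPress answers a failed /wp-login.php POST with 200 and an error
    page, so a real deployment would key on the auth log or plugin output instead.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHLIST = [ipaddress.ip_network("193.143.1.0/24")]  # hypothetical range entry
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/api/login"}
FAILURE_STATUSES = {401, 403}

# Constructed sample traffic (RFC 5737 documentation ranges plus the one
# defanged address the article cites). Deliberately not in time order.
SAMPLE_LOG = """\
2025-02-10T08:00:01Z 193.143.1.65 POST /wp-login.php 401 "python-requests/2.31"
2025-02-10T08:00:02Z 193.143.1.65 POST /wp-login.php 401 "python-requests/2.31"
2025-02-10T08:00:03Z 193.143.1.65 POST /wp-login.php 401 "python-requests/2.31"
2025-02-10T08:00:04Z 193.143.1.65 POST /wp-login.php 401 "python-requests/2.31"
2025-02-10T08:00:05Z 193.143.1.65 POST /wp-login.php 401 "python-requests/2.31"
2025-02-10T08:00:06Z 203.0.113.10 POST /wp-login.php 401 "Hydra-Bot/1.0"
2025-02-10T08:00:07Z 203.0.113.11 POST /wp-login.php 401 "Hydra-Bot/1.0"
2025-02-10T08:00:08Z 203.0.113.12 POST /wp-login.php 401 "Hydra-Bot/1.0"
2025-02-10T08:00:09Z 203.0.113.13 POST /wp-login.php 401 "Hydra-Bot/1.0"
2025-02-10T08:00:10Z 203.0.113.14 POST /wp-login.php 401 "Hydra-Bot/1.0"
2025-02-10T08:00:11Z 198.51.100.7 POST /wp-login.php 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
2025-02-10T08:09:00Z 198.51.100.7 POST /wp-login.php 401 "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
2025-02-10T08:00:12Z 193.143.1.66 GET /xmlrpc.php 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line):
    """Return one event dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status, ua = m.groups()
    status = int(status)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip, "method": method, "path": path, "status": status, "ua": ua,
        "failed_login": method == "POST" and path in LOGIN_PATHS and status in FAILURE_STATUSES,
    }


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def is_watchlisted(ip_str):
    """True if the address falls inside any watchlisted netblock."""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in WATCHLIST)


def watchlisted_sources(events):
    """Sorted distinct source IPs that fall in a watchlisted range."""
    return sorted({ev["ip"] for ev in events if is_watchlisted(ev["ip"])})


def source_netblock(ip_str):
    """Collapse a source address to its /24 (IPv4) or /64 (IPv6) for per-netblock counting."""
    addr = ipaddress.ip_address(ip_str)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip_str}/{prefix}", strict=False))


def failed_login_velocity(events, window=timedelta(minutes=5), threshold=5):
    """
    Sliding-window count of failed logins keyed by source IP, by source netblock
    and by User-Agent. A key is flagged once it reaches `threshold` failures
    inside `window`. Returns {"ip": set, "net": set, "ua": set}.
    """
    flagged = {"ip": set(), "net": set(), "ua": set()}
    recent = defaultdict(deque)  # (dimension, key) -> timestamps still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):  # logs may arrive out of order
        if not ev["failed_login"]:
            continue
        for dim, key in (("ip", ev["ip"]), ("net", source_netblock(ev["ip"])), ("ua", ev["ua"])):
            q = recent[(dim, key)]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:  # drop timestamps that aged out
                q.popleft()
            if len(q) >= threshold:
                flagged[dim].add(key)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("watchlisted sources:", watchlisted_sources(evs))
    for dim, keys in failed_login_velocity(evs).items():
        print(f"velocity flag [{dim}]:", sorted(keys))
```

The per-netblock and per-user-agent dimensions are what catch the second campaign in the sample: each 203.0.113.x address fails only once, so a per-IP threshold never fires, but the /24 and the shared "Hydra-Bot/1.0" string both cross it. That is the point of Ford's remark that single-IP blocklists are cheap to evade; the watchlist lookup still has value as context on a hit, but the velocity keys are what drive up the attacker's cost.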

Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

Information Security Buzz and all its contents are copyright © 2014-2025. All rights reserved. All third-party trademarks are recognized.