Malware & Threats

Many Malware Campaigns Linked to Proton66 Network

Security researchers detail various malware campaigns that use bulletproof services linked to Proton66 ASN.

Security researchers detail various malware campaigns that use bulletproof services linked to Proton66 ASN.

The Russian autonomous system Proton66 is linked to bulletproof services that support a variety of malicious campaigns, security researchers warn.

Proton66 (AS198953) is an anonymous autonomous system number (ASN) that has been linked to a bigger infrastructure operated by a Russian national promoting bulletproof hosting services for cybercriminals.

Since January 2025, Trustwave’s SpiderLabs has noticed a surge in malicious attacks originating from this ASN, including “mass scanning, credential brute forcing, and exploitation attempts” targeting organizations worldwide, mainly in the technology and financial sectors.

One IP address associated with the ASN was used in numerous attacks leading to SuperBlack ransomware infections, and it targeted non-profit, engineering, and financial organizations.

The threat actors behind the ransomware exploited vulnerabilities in D-Link NAS devices (CVE-2024-10914), Fortinet FortiOS (CVE-2024-55591 and CVE-2025-24472), Mitel MiCollab (CVE-2024-41713), and Palo Alto Networks PAN-OS (CVE-2025-0108).

Other campaigns linked to Proton66 leveraged compromised WordPress websites that redirected Android users to phishing pages mimicking Google Play. The fake sites were in English, French, Greek, and Spanish.

Advertisement. Scroll to continue reading.

The compromised websites were injected with malicious scripts served from two domains hosted under a Proton66-linked IP address. Recently, the domains were moved to an IP address belonging to Chang Way Technologies.

In early March, a web service hosted on the Proton66 network was serving payloads used in the XWorm infection chain, along with Excel spreadsheets containing personal information belonging to Korean-speaking users.

SpiderLabs’ analysis revealed that chat rooms and channels sharing investment information were likely used to spread malicious links as part of social engineering schemes targeting Korean users with XWorm.

Proton66 hosting services were also used to distribute Strela Stealer, an information stealer malware family targeting the Thunderbird and Outlook email clients of users in Austria, Germany, Liechtenstein, Luxembourg, and Switzerland.

The Proton66 network, SpiderLabs says, also hosted multiple command-and-control (C&C) servers, some of which were associated with the WeaXor ransomware (a variant of the Mallox malware).

Related: 127 Servers of Bulletproof Hosting Service Zservers Seized by Dutch Police

Related: US, Allies Warn of Threat Actors Using ‘Fast Flux’ to Hide Server Locations

Related: Hackers Looking for Vulnerable Palo Alto Networks GlobalProtect Portals

Related: US Shuts Down Bulletproof Hosting Service LolekHosted, Charges Its Polish Operator

Related Content

Endpoint Security

Bitdefender researchers show how Windows bind links can create conflicting filesystem views to hide malware from endpoint security products.

Cybercrime

The suspects and their companies were previously sanctioned by the United States and its allies.

Malware & Threats

The backdoor’s destructive capabilities include a standalone wiper, ransomware encryption, and a multi-pass wiping command.

Malware & Threats

A Go module is used to load PowerShell code that fetches a resolver from public dead drops to execute Windows malware.

Malware & Threats

The threat actor is focused on collecting credentials, SSH keys, cryptocurrency wallets, and development tooling.

Malware & Threats

Turla has been using the backdoor against government and military organizations in Ukraine for espionage.

Cybercrime

Hundreds of C&C servers were disrupted in an operation involving law enforcement and several cybersecurity companies.

Malware & Threats

Mistic is used by Woodgnat, an initial access broker working with Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version