Cybersecurity experts have uncovered a wave of malicious activities originating from a Russian bulletproof hosting provider, Proton66. Since early January 2025, attackers have used Proton66 IP addresses to launch widespread cyberattacks targeting organizations across the globe. These attacks involve aggressive scanning, brute-force login attempts, and exploitation of critical software vulnerabilities, according to a detailed two-part report by a prominent cybersecurity firm.

The report highlights that specific IP ranges, including 45.135.232.0/24 and 45.140.17.0/24, were heavily involved in scanning and brute-forcing efforts. Many of these IPs were either previously dormant for over two years or had no prior record of malicious activity, making their sudden use particularly notable. Proton66 is believed to be connected to another autonomous system, “ProsperoNet,” which has ties to bulletproof hosting services advertised on underground cyber crime forums.

In February 2025, one of Proton66’s IP blocks (193.143.1.65) was observed attempting to exploit recently disclosed vulnerabilities, including:

- An authentication bypass flaw in Palo Alto Networks’ PAN-OS software (CVE-2025-0108).
- An input validation issue in Mitel MiCollab’s NuPoint Unified Messaging component (CVE-2024-41713).
- A command injection vulnerability in D-Link NAS devices (CVE-2024-10914).
- Authentication bypass vulnerabilities in Fortinet FortiOS (CVE-2024-55591 and CVE-2025-24472).

Notably, the exploitation of the Fortinet flaws has been linked to an initial access broker known as “Mora_001,” who is associated with deploying a new ransomware variant called SuperBlack. The cybersecurity firm also identified multiple malware campaigns tied to Proton66, distributing malicious software such as XWorm, StrelaStealer, and a ransomware strain dubbed WeaXor.

Bulletproof hosting services like HostX are designed to provide a safe haven for cyber criminals, offering lenient policies and anonymity to facilitate malicious activities. The surge in attacks from Proton66 underscores the ongoing challenge of combating cyber crime infrastructure that operates beyond the reach of traditional law enforcement.

Organizations that use the systems listed above are urged to update or patch known vulnerabilities, monitor network traffic for suspicious activity, and implement robust security measures to defend against these evolving threats.
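
As a starting point for the monitoring recommended above, the following added example (not taken from the report) checks authentication logs for sources inside the ranges named in this article and singles out successful logins from them. The log lines are constructed in OpenSSH style, and the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Ranges and the single address named in the article above.
PROTON66_NETS = [ipaddress.ip_network(n) for n in (
    "45.135.232.0/24", "45.140.17.0/24", "193.143.1.65/32")]

# Constructed sample lines in OpenSSH auth-log style (not real traffic).
SAMPLE_LOG = """\
Feb 11 03:14:07 gw sshd[811]: Failed password for root from 45.135.232.17 port 40122 ssh2
Feb 11 03:14:09 gw sshd[811]: Failed password for invalid user admin from 45.135.232.17 port 40130 ssh2
Feb 11 03:14:12 gw sshd[812]: Failed password for root from 45.140.17.201 port 51514 ssh2
Feb 11 03:15:40 gw sshd[820]: Accepted publickey for deploy from 198.51.100.7 port 60022 ssh2
Feb 11 03:16:02 gw sshd[823]: Failed password for root from 203.0.113.45 port 33211 ssh2
Feb 11 03:17:55 gw sshd[830]: Accepted password for backup from 45.135.232.17 port 40188 ssh2
Feb 11 03:18:01 gw sshd[831]: Connection closed by 193.143.1.65 port 44321 [preauth]
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def match_network(addr_text):
    """Return the listed network containing addr_text, or None."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
        return None
    return next((net for net in PROTON66_NETS if addr in net), None)

def triage(log_text):
    """Count log lines per listed network; collect successful logins from them."""
    hits, accepted = Counter(), []
    for line in log_text.splitlines():
        for ip in set(IPV4_RE.findall(line)):
            net = match_network(ip)
            if net is None:
                continue
            hits[str(net)] += 1
            # A successful login from a flagged range needs review first.
            if " Accepted " in line:
                accepted.append(line)
    return hits, accepted

if __name__ == "__main__":
    hits, accepted = triage(SAMPLE_LOG)
    for net, count in hits.most_common():
        print(f"{net}: {count} log line(s)")
    for line in accepted:
        print("REVIEW successful login:", line)
```
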