
Russian hosting provider abused for malware delivery


Security researchers have discovered a spike in vulnerability scanning, credential brute-forcing, and exploitation attempts originating from Russian IP addresses. The addresses are held by Proton66, a supposedly bulletproof hosting service based in Russia.

Bulletproof hosting services offer greater protection from law enforcement takedown requests, allowing attackers to host malicious or illicit content online without fear of it being taken down. In November 2024, security firm Intrinsec reported that Proton66 and Prospero were linked to underground hosting services operating under the names Bearhost and Underground, respectively. The activity originating from Proton66 has been detected since January 8, 2025, and targets organisations around the world.

Trustwave reports that it caught malicious requests from a Proton66 IP address in February 2025 attempting to exploit the following vulnerabilities:

  • CVE-2025-0108: Authentication bypass vulnerability in Palo Alto Networks PAN-OS software.
  • CVE-2024-55591 and CVE-2025-24472: Authentication bypass vulnerabilities in Fortinet FortiOS.
  • CVE-2024-41713: Insufficient input validation bug in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab.
  • CVE-2024-10914: Command injection vulnerability in D-Link NAS.
Malicious websites hosted on Proton66 servers. | Source: Trustwave

All five of the vulnerabilities above were disclosed and patched as recently as November 2024, according to CISA’s database of security vulnerabilities. The two Fortinet vulnerabilities have been exploited by Mora_001, which has been spotted distributing a novel ransomware strain called SuperBlack.

Several malware families, such as GootLoader and SpyNote, are currently hosting their Command and Control (C2) servers with the service. Other observed campaigns originating from Proton66 are distributing malware like XWorm, StrelaStealer, and a ransomware called WeaXor.

Another campaign uses compromised WordPress websites originating from Proton66 IP 91.212.166.21 to redirect Android users to phishing pages that impersonate Google Play Store listings, prompting them to download malicious APK files.

Proton66 is also reportedly linked to another hosting provider dubbed Prospero. Earlier in February 2025, cybersecurity journalist Brian Krebs discovered that Prospero had been routing its operations via networks run by Kaspersky, a popular Russian cybersecurity vendor that had recently had to shut down its US operations. However, Kaspersky denied any partnership with Prospero, stating that the fact that Prospero's traffic is routed through Kaspersky networks does not mean the cybersecurity firm is providing it with services.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
