A dramatic uptick in global cyberattacks has been traced back to a shadowy Russia-based bulletproof hosting provider known as Proton66, according to a new report by Trustwave SpiderLabs.

The malicious activity, which began on January 8, has been linked to a wave of credential brute-forcing, large-scale scanning, and the exploitation of critical software vulnerabilities across multiple sectors and regions.
Cybersecurity researchers Pawel Knapczyk and Dawid Nesterowicz pinpointed two particularly aggressive IP blocks—45.135.232.0/24 and 45.140.17.0/24—as primary sources of the attack traffic. Notably, many of these IP addresses had previously flown under the radar, with no prior record of suspicious behavior.
Proton66 is reportedly tied to another notorious Russian network, PROSPERO, which French cybersecurity firm Intrinsec previously flagged for offering bulletproof hosting services under aliases such as Securehost and BEARHOST. These services are commonly advertised on underground forums as safe havens for malicious operations.
The infrastructure has been used to host a variety of malware families, including the loader GootLoader and the Android spyware SpyNote. According to the report, these servers have supported phishing campaigns and served as command-and-control (C2) nodes for malware distribution.
Cybersecurity journalist Brian Krebs also raised concerns about potential ties between PROSPERO and Russian cybersecurity giant Kaspersky Lab. Krebs reported signs of network traffic being routed through Kaspersky-owned infrastructure, though the company firmly denied any involvement, stating that routing artifacts do not indicate active participation or support.
Trustwave’s analysis revealed that Proton66-linked IP address 193.143.1[.]65 was actively involved in exploiting a number of recently disclosed high-severity vulnerabilities, including:
– CVE-2025-0108 – Authentication bypass in Palo Alto Networks’ PAN-OS
– CVE-2024-41713 – Input validation flaw in Mitel’s NuPoint Messaging
– CVE-2024-10914 – Command injection issue in D-Link NAS devices
– CVE-2024-55591 and CVE-2025-24472 – Authentication bypass flaws in Fortinet FortiOS
The Fortinet vulnerabilities, in particular, appear to have been weaponized by an initial access broker known as Mora_001, suspected of facilitating deployment of a new ransomware strain dubbed SuperBlack.
Proton66 infrastructure has also been used to launch a variety of malware campaigns tailored to specific linguistic and regional targets:
– XWorm, delivered through .zip files and triggered via PowerShell, was aimed at Korean-speaking chat platform users.
– StrelaStealer, an info-stealer malware, was pushed via phishing emails to German-speaking users, communicating with IP 193.143.1[.]205.
– A WeaXor ransomware variant—an evolved form of the Mallox ransomware—was traced to IP 193.143.1[.]139.
In a separate campaign, attackers deployed fake Google Play Store pages to deceive Android users in France, Spain, and Greece into downloading malware-laced APKs. These spoofed pages were hosted on compromised WordPress sites and redirected visitors through 91.212.166[.]21, using scripts that checked the device type and performed VPN and bot detection before redirecting users to the malicious payloads.
In response to the escalating threat, Trustwave recommends that organizations worldwide block the IP ranges associated with Proton66, as well as infrastructure linked to suspected partners such as Hong Kong-based Chang Way Technologies, which is believed to be indirectly supporting the network.
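As a worked example of that recommendation, the following script (added here for illustration; it is not code from Trustwave or the report) collects the Proton66 indicators named in this article, refangs the defanged addresses, and checks a few constructed web-server and firewall log lines against them. It goes slightly beyond the blocking advice by also matching the individual host addresses the article cites for exploitation, StrelaStealer, WeaXor and the fake Play Store redirector, so the same list can drive both a firewall blocklist and a retrospective log search. The log lines and the `scan_log` and `match_indicator` helper names are assumptions for the example.

```python
import ipaddress
import re

# Indicators quoted in the article from the Trustwave SpiderLabs report:
# the two aggressive /24 blocks plus the defanged host addresses named for
# vulnerability exploitation, StrelaStealer C2, WeaXor and the Play Store redirector.
PROTON66_INDICATORS = [
    "45.135.232.0/24",
    "45.140.17.0/24",
    "193.143.1[.]65",
    "193.143.1[.]205",
    "193.143.1[.]139",
    "91.212.166[.]21",
]


def refang(indicator: str) -> str:
    """Turn defanged notation such as 193.143.1[.]65 back into a real address."""
    return indicator.replace("[.]", ".")


def build_blocklist(indicators):
    """Parse CIDR blocks and single hosts into ip_network objects (hosts become /32)."""
    return [ipaddress.ip_network(refang(i), strict=False) for i in indicators]


BLOCKLIST = build_blocklist(PROTON66_INDICATORS)


def match_indicator(ip: str, blocklist=BLOCKLIST):
    """Return the first blocklisted network containing ip, or None if it is clean or malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in blocklist:
        if addr in net:
            return net
    return None


# Plain IPv4 dotted-quad matcher; good enough for access logs and firewall lines.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log(lines, blocklist=BLOCKLIST):
    """Return (line_number, ip, matched_network) for every log line touching a blocklisted address."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            net = match_indicator(ip, blocklist)
            if net is not None:
                hits.append((n, ip, str(net)))
    return hits


# Constructed sample log lines (not from the report): a credential-guessing hit
# from the 45.135.232.0/24 block, a benign request, and an outbound firewall
# record to the StrelaStealer address 193.143.1.205.
SAMPLE_LOG = [
    '45.135.232.17 - - [08/Jan/2025:03:14:07 +0000] "POST /api/login HTTP/1.1" 401 0',
    '203.0.113.9 - - [08/Jan/2025:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 5123',
    "fw: OUT src=10.0.0.25 dst=193.143.1.205 proto=TCP dpt=443",
]

if __name__ == "__main__":
    for n, ip, net in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} matches Proton66 indicator {net}")
```

The same `BLOCKLIST` entries can be exported as CIDR strings to a firewall or ipset; the outbound firewall hit in the sample is the more valuable signal, since traffic from an internal host to a C2 address indicates an existing compromise rather than just scanning noise.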
The findings underscore the growing complexity of global cyber threats, where state-aligned and profit-driven groups exploit permissive internet infrastructure to launch far-reaching attacks. As hosting services like Proton66 continue to serve as operational backbones for malicious actors, experts warn that proactive defensive measures are more critical than ever.