    Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

By Declan Murphy, April 23, 2025
Threat actors are exploiting the bulletproof hosting service Proton66 for malicious activity, including campaigns by SuperBlack ransomware operators, Android malware distribution through hacked WordPress sites, targeted attacks using XWorm and Strela Stealer, and potential connections to Chang Way Technologies.

Cybersecurity experts at Trustwave's SpiderLabs have observed an increase in malicious online activity originating from a Russian "bulletproof" hosting provider known as Proton66. These services, often favoured by cybercriminals because of their relaxed policies, have been linked to a wave of attacks targeting organizations worldwide since January 8, 2025.

Researchers have detailed their findings in a two-part series. The first part highlights a major increase in "mass scanning, credential brute-forcing, and exploitation attempts" coming from Proton66's network (ASN 198953). This means attackers were actively probing systems for weaknesses and attempting to guess login details at scale.

SpiderLabs also noticed an increase in scanning and exploitation traffic from Proton66's network from January 8, 2025, with a sharp decline in February. The attacks targeted specific network blocks, the most active being 45.135.232.0/24 and 45.140.17.0/24, while some had been inactive for a significant period, with the last reported malicious activity dating back to July and November 2021.

Traffic Volume Analysis (Source: SpiderLabs)

Notably, the address 193.143.1.65 was observed in association with the operators of a new ransomware strain called SuperBlack, and its operators were distributing "some of the latest critical priority exploits," the researchers noted in the blog post.

The second part discusses malware campaigns linked to Proton66, including compromised WordPress websites redirecting Android users to fake Google Play Store pages likely to steal their information or install malicious apps.

The domain naming conventions used suggest targets speaking English ("us-playmarket.com"), French ("playstors-france.com"), Spanish ("updatestore-spain.com"), and Greek ("playstors-gr.com").

SpiderLabs also found operators deploying Strela Stealer, an information-stealing tool that extracts email login credentials from targeted systems, between January and February 2025.

Another campaign involved XWorm malware targeting users of Korean-speaking chat rooms. Additionally, connections to WeaXor ransomware, a modified version of Mallox that encrypts files and demands a ransom for recovery, were detected. At the time of the report, the WeaXor group was asking for "$2,000, transferred in BTC or USDT."

Sample Ransom Note (Source: SpiderLabs)

Interestingly, SpiderLabs' investigation reveals a possible rebranding or connection between Proton66 and the Hong Kong-based company Chang Way Technologies Co. Limited. In November 2024, security firm Intrinsec linked Proton66 and PROSPERO to bulletproof hosting services advertised on underground forums as UNDERGROUND and BEARHOST.

SpiderLabs' investigation revealed that while the Russian control panel for UNDERGROUND/BEARHOST customers remained at my.31337.ru, the my.31337.hk page was updated with a "CHANGWAY / HOSTWAY" theme. However, technical connections between the infrastructures remained, suggesting an underlying link.

Technology and financial organizations are the prime targets of this campaign. However, the SuperBlack ransomware group preferred targeting the non-profit, engineering, and financial sectors. Research by Forescout linked this IP address to the Mora_001 threat actor, who exploited vulnerabilities in Fortinet FortiOS devices, leading to the deployment of the SuperBlack ransomware.

It is worth noting that hackers have exploited vulnerabilities in Palo Alto Networks' PAN-OS software (CVE-2025-0108), Mitel MiCollab (CVE-2024-41713), and D-Link NAS devices (CVE-2024-10914). D-Link has announced that the affected devices have reached end-of-life; therefore, no security updates will be provided.

However, researchers strongly recommend that organizations block all of the IP address ranges associated with both Proton66 and Chang Way Technologies to protect themselves from potential compromise.

Trey Ford, Chief Information Security Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity, commented on the development, stating that while IPs aren't reliable indicators of threat actors, since changing scan sources is cheap, patterns like consistent brute-force attempts still matter. "It's a reminder to monitor login velocity, harden exposed services, and make attacks costly for low-effort actors," he said.
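As an added illustration of the two defensive measures the article closes on (blocking the named Proton66 ranges and watching login velocity), not code from SpiderLabs or from the article: the Python below checks constructed sshd-style log lines against the two network blocks and the single address quoted above, and counts failed logins per source inside a sliding window. The sample log lines, the 60-second window, the threshold and the assumed year are all constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ranges and the single address named in the article (a real list would be far longer).
BLOCKLIST = [ipaddress.ip_network(n) for n in
             ("45.135.232.0/24", "45.140.17.0/24", "193.143.1.65/32")]

# Constructed sshd-style sample lines, not real traffic.
SAMPLE_LOG = """\
Jan 10 03:14:01 edge sshd[2201]: Failed password for root from 45.135.232.17 port 51022 ssh2
Jan 10 03:14:03 edge sshd[2203]: Failed password for admin from 45.135.232.17 port 51030 ssh2
Jan 10 03:14:04 edge sshd[2204]: Failed password for root from 45.135.232.17 port 51041 ssh2
Jan 10 03:14:09 edge sshd[2209]: Failed password for root from 45.140.17.200 port 40010 ssh2
Jan 10 03:15:30 edge sshd[2250]: Accepted publickey for deploy from 10.20.0.5 port 60000 ssh2
Jan 10 03:20:00 edge sshd[2301]: Failed password for root from 203.0.113.9 port 33333 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"\w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_events(log, year=2025):
    """Yield (timestamp, result, user, ip); syslog lines carry no year, so one is assumed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], ipaddress.ip_address(m["ip"])

def in_blocklist(ip):
    return any(ipaddress.ip_address(ip) in net for net in BLOCKLIST)

def peak_failure_velocity(events, window=timedelta(seconds=60)):
    """Highest number of failed logins from one source inside any sliding window."""
    recent, peak = defaultdict(list), defaultdict(int)
    for ts, result, _, ip in events:
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            peak[ip] = max(peak[ip], len(recent[ip]))
    return peak

def analyze(log, threshold=3):
    """Per-source verdict: known-bad range, or failed-login velocity at/over threshold."""
    events = list(parse_events(log))
    peak = peak_failure_velocity(events)
    return {str(ip): {"blocklisted": in_blocklist(ip), "peak_velocity": peak[ip],
                      "alert": in_blocklist(ip) or peak[ip] >= threshold}
            for ip in {e[3] for e in events}}
```

Call `analyze(SAMPLE_LOG)` to get a per-source dictionary; a source flagged only by velocity is exactly the pattern Ford describes, one that still matters after the attacker rotates to an address no blocklist knows.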
