The Russian autonomous system Proton66 is linked to bulletproof services that support a variety of malicious campaigns, security researchers warn.
Proton66 (AS198953) is an anonymous autonomous system number (ASN) that has been linked to a bigger infrastructure operated by a Russian national promoting bulletproof hosting services for cybercriminals.
Since January 2025, Trustwave’s SpiderLabs has noticed a surge in malicious attacks originating from this ASN, including “mass scanning, credential brute forcing, and exploitation attempts” targeting organizations worldwide, mainly in the technology and financial sectors.
One IP address associated with the ASN was used in numerous attacks leading to SuperBlack ransomware infections, and it targeted non-profit, engineering, and financial organizations.
The threat actors behind the ransomware exploited vulnerabilities in D-Link NAS devices (CVE-2024-10914), Fortinet FortiOS (CVE-2024-55591 and CVE-2025-24472), Mitel MiCollab (CVE-2024-41713), and Palo Alto Networks PAN-OS (CVE-2025-0108).
Other campaigns linked to Proton66 leveraged compromised WordPress websites that redirected Android users to phishing pages mimicking Google Play. The fake sites were in English, French, Greek, and Spanish.
The compromised websites were injected with malicious scripts served from two domains hosted under a Proton66-linked IP address. Recently, the domains were moved to an IP address belonging to Chang Way Technologies.
In early March, a web service hosted on the Proton66 network was serving payloads used in the XWorm infection chain, along with Excel spreadsheets containing personal information belonging to Korean-speaking users.
SpiderLabs’ analysis revealed that chat rooms and channels sharing investment information were likely used to spread malicious links as part of social engineering schemes targeting Korean users with XWorm.
Proton66 hosting services were also used to distribute Strela Stealer, an information stealer malware family targeting the Thunderbird and Outlook email clients of users in Austria, Germany, Liechtenstein, Luxembourg, and Switzerland.
The Proton66 network, SpiderLabs says, also hosted multiple command-and-control (C&C) servers, some of which were associated with the WeaXor ransomware (a variant of the Mallox malware).
Related: 127 Servers of Bulletproof Hosting Service Zservers Seized by Dutch Police
Related: US, Allies Warn of Threat Actors Using ‘Fast Flux’ to Hide Server Locations
Related: Hackers Looking for Vulnerable Palo Alto Networks GlobalProtect Portals
Related: US Shuts Down Bulletproof Hosting Service LolekHosted, Charges Its Polish Operator