- Trustwave finds multiple malware C2 servers hosted in Proton66
- Ransomware is also hosted there
- Some phishing pages aimed at Android users originated from Proton66
Proton66, a Russian bulletproof hosting provider, is being used to spread malware, ransomware, phishing attacks and more, experts have warned. This is according to Trustwave researchers, who warned that the malicious activity has resumed in recent weeks, stating that, "as of January 8, 2025, SpiderLabs observed an increase in mass scanning, credential brute forcing and exploitation attempts originating from the Proton66 ASN against organizations worldwide.
"Although malicious activity was observed in the past, the peak and sudden decline observed later in February 2025 prompted an investigation of the offending IP addresses."
Whoever is behind these activities is looking to exploit a number of vulnerabilities, including an authentication bypass flaw in Palo Alto Networks' PAN-OS (CVE-2025-0108), an insufficient input validation flaw in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab (CVE-2024-41713), a command injection vulnerability in D-Link NAS devices (CVE-2024-10914), and authentication bypasses in Fortinet's FortiOS (CVE-2024-55591 and CVE-2025-24472).
The two Fortinet flaws were previously exploited by the initial access broker Mora_001, which has also been seen dropping a new ransomware variant called SuperBlack.
The same report also said that several malware families host their C2 servers in Proton66, including GootLoader and SpyNote.
In addition, Trustwave said that XWorm, StrelaStealer and a ransomware strain called WeaXor were distributed through Proton66.
Finally, criminals reportedly use compromised WordPress sites tied to an IP address linked to Proton66 to redirect Android users to phishing pages that spoof Google Play app listings and try to trick users into downloading malware.
To mitigate the risk from Proton66-linked threats, organizations should block all Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 and Chang Way Technologies. The latter is a Hong Kong-based provider that is "probably" related to Proton66.
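The blocking advice above is easier to act on if the provider's prefix list is fed into a single tool that both checks existing firewall or proxy logs for hits and emits the firewall rules. The script below is an added example written for this page, not Trustwave's or the article's code. It does not contain the real Proton66 or Chang Way prefixes (Trustwave publishes those in its report); the CIDR ranges are RFC 5737/3849 documentation prefixes and the log lines are constructed, so the whole thing runs offline. It checks inbound source addresses (scanning and brute forcing) and outbound destination addresses (C2 beacons, payload fetches) against the collapsed prefix set, and generates nftables set and rule lines, which assume an `inet filter` table with `input` and `output` chains already present.

```python
"""Check logs against a hosting provider's CIDR ranges and emit nftables rules.

Added example; the prefixes and log lines below are constructed placeholders.
"""
import ipaddress
import re

# Constructed placeholder ranges (documentation prefixes). Replace with the
# published provider list before use.
BLOCKED_CIDRS = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "2001:db8:ff00::/40",
]

# Constructed firewall log lines: timestamp, direction, src, dst, service.
SAMPLE_LOG = """\
2025-02-14T08:01:10Z IN 192.0.2.77 10.0.0.5 tcp/22
2025-02-14T08:01:11Z IN 203.0.113.9 10.0.0.5 tcp/443
2025-02-14T08:02:30Z OUT 10.0.0.21 198.51.100.200 tcp/8080
2025-02-14T08:03:02Z OUT 10.0.0.21 2001:db8:ff01::1 tcp/443
2025-02-14T08:03:05Z IN 192.0.2.255 10.0.0.7 tcp/4443
"""

LOG_RE = re.compile(r"^(\S+) (IN|OUT) (\S+) (\S+) (\S+)$")


def load_networks(cidrs):
    """Parse CIDR strings and merge overlapping/adjacent prefixes per family."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def is_blocked(ip, networks):
    """True if ip falls inside any of the blocked prefixes of its own family."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks if n.version == addr.version)


def flag_log(log_text, networks):
    """Return (timestamp, direction, peer, service) for every line touching a blocked range.

    Inbound lines are judged by their source (scanner / brute-forcer);
    outbound lines by their destination (C2 or payload host).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, direction, src, dst, svc = m.groups()
        peer = src if direction == "IN" else dst
        try:
            if is_blocked(peer, networks):
                hits.append((ts, direction, peer, svc))
        except ValueError:  # malformed address in the log line
            continue
    return hits


def nft_ruleset(networks, table="inet filter"):
    """Emit nft commands: one interval set per family plus drop rules both ways.

    Assumes the table and its input/output chains already exist.
    """
    lines = []
    for version, family, sa, da in ((4, "ipv4_addr", "ip saddr", "ip daddr"),
                                    (6, "ipv6_addr", "ip6 saddr", "ip6 daddr")):
        elems = [str(n) for n in networks if n.version == version]
        if not elems:
            continue
        name = f"blocked_v{version}"
        lines.append(f"add set {table} {name} {{ type {family}; flags interval; "
                     f"elements = {{ {', '.join(elems)} }} }}")
        lines.append(f"add rule {table} input {sa} @{name} counter drop")
        lines.append(f"add rule {table} output {da} @{name} counter drop")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = load_networks(BLOCKED_CIDRS)
    for hit in flag_log(SAMPLE_LOG, nets):
        print("HIT", *hit)
    print(nft_ruleset(nets))
```

The `flags interval` set lets nftables match whole prefixes in one lookup, so the rule count stays constant no matter how long the provider list gets; the log check is the part to run over historical data before the rules go in, since an outbound hit on a C2 range means a host is already compromised rather than merely scanned.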
So-called "bulletproof" hosting is a type of hosting service advertised as immune to takedowns and legal action, but there have been cases in the past where bulletproof hosting providers were taken down after all.
At this time, the fact that Proton66 is a Russian service probably keeps it out of reach of Western law enforcement. However, politics change like the wind, and what Russia protected yesterday could be traded away tomorrow.
Via The Hacker News