- Trustwave finds multiple malware C2 servers hosted on Proton66
- Ransomware is also hosted there
- Some phishing sites targeting Android users are served from Proton66
Proton66, a Russian bulletproof hosting service provider, is being used to spread malware and ransomware, mount phishing attacks and more, experts have warned. This is according to researchers from Trustwave, who said the malicious activity has picked up in recent weeks: "From January 8, 2025, SpiderLabs observed an increase in mass scanning, credential brute forcing and exploitation attempts originating from the Proton66 ASN, targeting organizations around the world.
"Although malicious activity was seen in the past, the spike and sudden decline observed later in February 2025 were notable, and the offending IP addresses were investigated."
Whoever is behind these activities is looking to exploit a number of vulnerabilities, including an authentication bypass flaw in Palo Alto Networks' PAN-OS (CVE-2025-0108), an insufficient input validation flaw in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab (CVE-2024-41713), a command injection vulnerability in D-Link NAS devices (CVE-2024-10914) and authentication bypass flaws in Fortinet's FortiOS (CVE-2024-55591 and CVE-2025-24472).
The two FortiOS flaws were previously exploited by the initial access broker Mora_001, which has also been seen deploying a new ransomware variant called SuperBlack.
The same report also said that several malware families host their C2 servers on Proton66, including GootLoader and SpyNote.
Furthermore, Trustwave said that XWorm, StrelaStealer and a ransomware strain named Weaxor were all distributed through Proton66.
Finally, the crooks allegedly use compromised WordPress sites tied to a Proton66-hosted IP address to redirect Android users to phishing pages that imitate Google Play app listings and try to trick them into downloading malware.
To mitigate the risk from Proton66-connected threats, users should block all Classless Inter-Domain Routing (CIDR) ranges associated with the company and with Chang Way Technologies. The latter is a Hong Kong-based provider that is "probably" related to Proton66.
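The blocking advice above is easier to act on with a small tool that checks inbound source addresses against a CIDR blocklist. The script below is an added example written for this article, not code from Trustwave or the article's author. The CIDR ranges and log lines in it are constructed placeholders (RFC 5737/3849 documentation ranges); the article does not list the actual Proton66 or Chang Way Technologies ranges, so those must be taken from the Trustwave report or a threat-intelligence feed and substituted in.

```python
import ipaddress
import re
from collections import Counter

# Placeholder CIDR ranges, constructed for this example. They are IETF
# documentation ranges and stand in for the real Proton66 / Chang Way
# Technologies ranges, which are not given in the article.
BLOCKED_CIDRS = [
    "192.0.2.0/24",      # stands in for a Proton66 range (IPv4)
    "198.51.100.0/24",   # stands in for a Chang Way Technologies range (IPv4)
    "2001:db8::/32",     # stands in for an IPv6 range
    "not a cidr",        # malformed entry, to show it is skipped rather than crashing
]

# Constructed sample log lines in a simplified nginx/Apache access-log layout.
SAMPLE_LOG = """\
192.0.2.45 - - [10/Jan/2025:03:12:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2025:03:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.9 - - [10/Jan/2025:03:12:09 +0000] "POST /login HTTP/1.1" 401 128
2001:db8::1 - - [10/Jan/2025:03:12:11 +0000] "GET /admin HTTP/1.1" 404 64
not-an-ip - - [10/Jan/2025:03:12:12 +0000] "GET / HTTP/1.1" 200 10
"""

# The source address is the first whitespace-delimited field of each line.
LINE_RE = re.compile(r"^(\S+)\s")


def build_blocklist(cidrs):
    """Parse CIDR strings into network objects, silently dropping malformed ones."""
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            continue  # a bad feed entry should not disable the whole blocklist
    return nets


def is_blocked(ip, nets):
    """True if ip (a string) falls inside any network in nets; False for junk input."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # ip_network.__contains__ returns False on an IPv4/IPv6 version mismatch,
    # so mixed-family blocklists are safe to check in one loop.
    return any(addr in net for net in nets)


def triage(log_text, nets):
    """Return (matching_lines, hits_per_network) for access-log text."""
    matches = []
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # unparseable source field; skip rather than misclassify
        for net in nets:
            if addr in net:
                matches.append(line)
                hits[str(net)] += 1
                break
    return matches, hits


def firewall_rules(nets):
    """Render one DROP rule per network using iptables/ip6tables syntax."""
    rules = []
    for net in nets:
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -I INPUT -s {net.with_prefixlen} -j DROP")
    return rules


if __name__ == "__main__":
    blocklist = build_blocklist(BLOCKED_CIDRS)
    matched, per_net = triage(SAMPLE_LOG, blocklist)
    for line in matched:
        print("BLOCKED:", line)
    print("hits per range:", dict(per_net))
    print("\n".join(firewall_rules(blocklist)))
```

Run it over a real access log by replacing `SAMPLE_LOG` with the file contents; the per-range hit counter is useful for confirming that the scanning and brute-forcing traffic described above actually originates from the listed ranges before the generated rules are applied, and for spotting a stale blocklist that no longer matches anything.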
So-called "bulletproof" hosting is a type of hosting service advertised as immune to takedowns and litigation, but there have been cases in the past where such hosts were eventually taken down.
At this point, given that Proton66 is a Russian service, it is probably somewhat bulletproof against Western users. However, politics changes like the wind, and what Russia protected yesterday could be traded away tomorrow.
Via The Hacker News