Hackers are exploiting Proton66 servers to carry out attacks worldwide

Overview
In the past two weeks, researchers from Trustwave SpiderLabs have observed a rise in suspicious connections originating from Proton66 servers located in Russia, indicating that the attacks are expanding. Initially, the activity consisted of large-scale scanning and vulnerability exploitation, with some of the IP addresses linked to the SuperBlack ransomware. The researchers then examined the malware campaigns associated with Proton66, including attacks on WordPress websites that redirect Android devices to fake Google Play pages, an XWorm campaign targeting chat room users, and the distribution of the WeaXor ransomware.
Detailed investigation
In November 2024, the cybersecurity company Intrinsec identified a connection between the provider PROSPERO (AS200593) and Proton66 (AS198953), both linked to the underground hosting services known as UNDERGROUND and BEARHOST. IP addresses used in many malware campaigns moved between these two networks. SpiderLabs researchers also noted that, in campaigns targeting WordPress websites, some IP addresses shifted from the Proton66 ASN to the Chang Way Technologies ASN.
Since January 2025, SpiderLabs has recorded a large volume of scanning, brute force attacks, and vulnerability exploitation attempts originating from the Proton66 ASN against targets worldwide. AS198953, belonging to Proton66 OOO, contains 5 net blocks and appears on blocklists such as Spamhaus because of suspicious activity. Two of these net blocks, 45.135.232.0/24 and 45.140.17.0/24, are the sources of the scanning and brute force activity.
In the SuperBlack ransomware campaign, suspicious requests from IP 193.143.1.65 investigated by SpiderLabs in February 2025 show attempts to exploit several recently disclosed critical vulnerabilities, such as:
CVE-2025-0108 is an authentication bypass vulnerability in the web management interface of Palo Alto Networks PAN-OS.
CVE-2024-41713 is a path traversal vulnerability in Mitel MiCollab 9.8 SP1 FP2 (9.8.1.201) and earlier.
CVE-2024-10914 is a command injection vulnerability in D-Link NAS devices that allows an unauthenticated attacker to inject OS commands through the name parameter of the cgi_user_add command.
In a study published by Forescout in March 2025, activity from IP 193.143.1.65 was linked to a new attack campaign exploiting CVE-2024-55591 and CVE-2025-24472 on Fortinet FortiOS devices. The intrusions that began with these FortiOS vulnerabilities ended in the deployment of a new ransomware called SuperBlack, which is closely related to LockBit 3.0.
Recommendations
FPT Threat Intelligence recommends:
Monitor and alert on connections to or from the IP addresses in the IOC list below, and on traffic from the two Proton66 net blocks named above.
Keep blocklists and threat intelligence feeds updated with newly reported suspicious IP addresses.
Regularly check network devices for known vulnerabilities and apply the available patches, in particular for the CVEs listed above.
IOC
| Type | Value | Description |
| --- | --- | --- |
| IP | 45.134.26.38 | Proton66 |
| IP | 45.140.17.21 | Proton66 |
| IP | 45.140.17.98 | Proton66 |
| IP | 45.135.232.108 | Proton66 |
| IP | 45.135.232.171 | Proton66 |
| IP | 45.135.232.174 | Proton66 |
| IP | 45.135.232.103 | Proton66 |
| IP | 45.135.232.24 | Proton66 |
| IP | 45.134.26.80 | Proton66 |
| IP | 45.134.26.81 | Proton66 |
| IP | 45.134.26.104 | Proton66 |
| IP | 45.134.26.124 | Proton66 |
| IP | 45.134.26.199 | Proton66 |
| IP | 45.134.26.8 | Proton66 |
| IP | 91.212.166.65 | Proton66 |
| IP | 91.212.166.62 | Proton66 |
| IP | 91.212.166.60 | Proton66 |
| IP | 91.212.166.27 | Proton66 |
| IP | 193.143.1.78 | Proton66 |
| IP | 193.143.1.33 | Proton66 |
| IP | 193.143.1.64 | Proton66 |
| IP | 193.143.1.65 | Proton66 |
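The following script is an added example, not part of the FPT or Trustwave material. It shows the monitoring recommendation in practice: it matches web-server access log lines against the IOC IP addresses from the table above and against the two Proton66 net blocks 45.135.232.0/24 and 45.140.17.0/24, and it flags cgi_user_add requests whose name parameter carries shell metacharacters, which is a heuristic for CVE-2024-10914 exploitation attempts. The combined access log format, the shell metacharacter set, the request path used for the D-Link check, and the sample log lines are all assumptions constructed for the example.

```python
"""Added example: match web-server access logs against the Proton66 IOCs above."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Individual IP addresses copied from the IOC table on this page.
IOC_IPS = {
    "45.134.26.38", "45.140.17.21", "45.140.17.98", "45.135.232.108",
    "45.135.232.171", "45.135.232.174", "45.135.232.103", "45.135.232.24",
    "45.134.26.80", "45.134.26.81", "45.134.26.104", "45.134.26.124",
    "45.134.26.199", "45.134.26.8", "91.212.166.65", "91.212.166.62",
    "91.212.166.60", "91.212.166.27", "193.143.1.78", "193.143.1.33",
    "193.143.1.64", "193.143.1.65",
}

# The two Proton66 net blocks the text names as sources of scanning and brute force.
IOC_NETS = [
    ipaddress.ip_network("45.135.232.0/24"),
    ipaddress.ip_network("45.140.17.0/24"),
]

# Apache/nginx "combined" access log format (assumed log format, not from the page).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that never belong in a NAS account name (heuristic, our assumption).
SHELL_META = re.compile(r"[;|&`$]")


def classify_ip(ip_str):
    """Return "ioc" for an exact IOC hit, "netblock" for the named /24s, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # malformed source field: ignore rather than crash
    if ip_str in IOC_IPS:
        return "ioc"
    if any(ip in net for net in IOC_NETS):
        return "netblock"
    return None


def suspicious_cgi_user_add(uri):
    """Heuristic for CVE-2024-10914-style requests: cgi_user_add with shell metacharacters in name.

    parse_qs percent-decodes the values, so encoded payloads are caught as well.
    """
    if "cgi_user_add" not in uri:
        return False
    query = urlsplit(uri).query
    names = parse_qs(query).get("name", [])
    return any(SHELL_META.search(n) for n in names)


def scan_log(lines):
    """Return one finding per line that matches an IOC IP, an IOC net block or the CGI heuristic."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        reasons = []
        verdict = classify_ip(m["ip"])
        if verdict:
            reasons.append(verdict)
        if suspicious_cgi_user_add(m["uri"]):
            reasons.append("cgi_user_add")
        if reasons:
            findings.append({"ip": m["ip"], "uri": m["uri"], "status": m["status"], "reasons": reasons})
    return findings


# Constructed sample lines (not real traffic). The CGI path is an assumption for the
# D-Link check; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '193.143.1.65 - - [10/Feb/2025:03:14:07 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%24%28id%29 HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '45.135.232.24 - - [10/Feb/2025:03:14:09 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '45.140.17.200 - - [10/Feb/2025:03:14:11 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Feb/2025:03:14:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Feb/2025:03:14:13 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 88 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:16} {','.join(f['reasons']):18} {f['status']} {f['uri']}")
```

Exact IOC matches are reported separately from net block matches because the two deserve different handling: an exact hit on a listed address is high confidence, while a hit on a /24 that is only known for scanning is a reason to look, not necessarily to block. The CGI heuristic fires regardless of source address, since the same exploit attempt can arrive from infrastructure that is not yet on any list.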