TZUTC: -0500
MSGID: 1053.consprcy@1:2320/105 2c6b782c
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
Russian bulletproof hosting system targeted by hackers to spread malware

Date:
Mon, 21 Apr 2025 11:01:00 +0000

Description:
Cybercriminals are using Proton66 for a range of activities, researchers say.

FULL STORY

Proton66, a Russian bulletproof hosting service provider, is being used to
spread malware, ransomware , mount phishing attacks, and more, experts have
warned.

Researchers from Trustwave warned the malicious activity has picked up in
recent weeks, stating how, Starting from January 8, 2025, SpiderLabs observed
an increase in mass scanning, credential brute forcing, and exploitation
attempts originating from Proton66 ASN targeting organizations worldwide. 

Although malicious activity was seen in the past, the spike and sudden 
decline observed later in February 2025 were notable, and offending IP
addresses were investigated. 

Whoever is behind these activities is looking to exploit a number of
vulnerabilities, including an authentication bypass flaw in Palo Alto 
Networks PAN-OS (CVE-2025-0108(, an insufficient input validation flaw in the
NuPoint Unified Messaging (NPM) component of Mitel MiCollab (CVE-2024-41713),
a command injection vulnerability in D-LINKs NAS (CVE-2024-10914), and an
authentication bypass in Fortinets FortiOS (CVE-2024-55591 and
CVE-2025-24472). 

The two FortiOS flaws were previously exploited by the initial access broker
Mora_001, which has also been seen dropping a new ransomware variant called
SuperBlack. 

The same publication also said that several malware families hosted their C2
servers on Proton66, including GootLoader and SpyNote. 

Furthermore, Trustwave said XWorm, StrelaStealer, and a ransomware named
WeaXor were all being distributed through Proton66. 

Finally, crooks are allegedly using compromised WordPress sites related to a
Proton66-linked IP address to redirect Android users to phishing pages that
spoof Google Play app listings and try to trick users into downloading
malware. 

To mitigate the risk against Proton66-linked threats, users should block all
the Classless Inter-Domain Routing (CIDR) rangers associated with the company
and Chang Way Technologies. The latter is a Hong Kong-based provider that is
likely related to Proton66. 

So-called bulletproof hosting is a type of hosting service that is advertised
as being immune to takedowns and legal action, but there have been examples 
in the past when bulletproof hosting ends up yielding in the end. 

At this time, the fact that Proton66 is a Russian service probably makes it
somewhat bulletproof for Western users. However, politics change as the wind,
and what Russia protected yesterday could be traded tomorrow. 

 Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/russian-bulletproof-hosting-system-targ
eted-by-hackers-to-spread-malware

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30
SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426