A Russian-controlled internet network, Proton66, is now at the center of a growing wave of malware attacks. Security analysts say the network, registered as AS198953, provides bulletproof hosting that helps hackers stay online—even when they’re exposed.
Since January 2025, researchers at Trustwave’s SpiderLabs have seen a sharp rise in threats coming from this infrastructure. Most of the attacks target tech and financial firms. The tactics include brute-force logins, mass scanning, and exploiting software flaws.
One IP address linked to Proton66 was behind several SuperBlack ransomware attacks. Victims included nonprofits, engineering firms, and financial organizations. In each case, the attackers exploited publicly known vulnerabilities in network devices and platforms: D-Link NAS (CVE-2024-10914), Fortinet FortiOS (CVE-2024-55591 and CVE-2025-24472), Mitel MiCollab (CVE-2024-41713), and Palo Alto PAN-OS (CVE-2025-0108).
But that’s not all. Hackers also hijacked WordPress sites to trick Android users. They injected scripts that redirected visitors to fake Google Play pages. These sites looked real and appeared in several languages, including English, French, Greek, and Spanish. The goal was to convince users to download malware. Recently, the attackers moved these operations to another hosting provider, Chang Way Technologies.
In March, Proton66 hosted files used in the XWorm malware chain. These included Excel documents containing personal data tied to Korean-speaking users. Cybercriminals pushed these files through online groups that shared investment tips. It was a classic bait-and-switch move—lure the user with financial info, then infect their device.
Proton66 was also the launchpad for Strela Stealer. This malware targets email programs like Thunderbird and Outlook. Victims lived in Austria, Germany, Liechtenstein, Luxembourg, and Switzerland. Once installed, the malware stole sensitive data quietly.
Finally, some servers inside the Proton66 network acted as command-and-control (C2) servers for WeaXor, a newer version of the Mallox ransomware. This setup allowed attackers to manage infected machines remotely and launch follow-up attacks.
According to SpiderLabs, networks like Proton66 are changing the cybercrime landscape. By offering bulletproof hosting, they give hackers the tools to operate in plain sight. As a result, shutting down these malware campaigns becomes much harder for global authorities.