Proton66 Bulletproof Hosting Leveraged in Global Malware & Ransomware Wave (CVE‑2024‑55591, CVE‑2025‑24472)

Cybersecurity researchers have identified Proton66, a Russian bulletproof hosting provider, as a critical enabler in a surge of global cyberattacks since January 2025.

The service has been used to host command-and-control (C2) servers for malware, deliver ransomware payloads, and launch phishing campaigns targeting organizations and individuals worldwide.[1]

Surge in Attacks Linked to Proton66

Trustwave SpiderLabs observed a sharp increase in mass scanning, credential brute-forcing, and exploitation attempts originating from Proton66’s infrastructure.[2]

Notably, attackers have exploited critical vulnerabilities such as Fortinet FortiOS authentication bypass flaws (CVE-2024-55591, CVE-2025-24472) to gain initial access, deploy ransomware (including SuperBlack and WeaXor/Mallox), and facilitate data theft.[3,4]

Multi-Malware Environment and Sophisticated Tactics

Proton66’s servers have been used for a wide variety of threats: from phishing emails impersonating the Google Play Store to deliver Android malware, to ZIP-based social engineering attacks targeting Korean users, and StrelaStealer campaigns against German-speaking victims.[5]

Attackers employ advanced, multi-stage infection chains—often involving malicious LNK files, PowerShell loaders, and commodity malware like XWorm—demonstrating a high level of technical sophistication.[2]

Geopolitical Shielding and Attribution Challenges

Proton66 operates from Russia, complicating international law enforcement efforts.

Researchers note that the service benefits from geopolitical shielding and legal grey zones, making takedown and attribution difficult.[5]

Dormant IP addresses are sometimes reactivated after years of inactivity, further aiding attackers’ operational security (OPSEC).[5]

Security Recommendations

Trustwave and other experts recommend blocking all Proton66-related CIDRs and associated IP ranges as a mitigation step.[2]

However, they emphasize that true prevention requires infrastructure-level detection, behavioral baselining, and international cooperation to disrupt such bulletproof hosting providers.[2]

Mitigation

To reduce the risk posed by Proton66‑facilitated attacks, security teams should consider the following measures:

  1. Update FortiOS and FortiProxy:
    • FortiOS: upgrade to 7.0.17 or later (7.0 branch) or 7.2.13 or later (7.2 branch)
    • FortiProxy: upgrade to 7.0.20 or later (7.0 branch) or 7.2.13 or later (7.2 branch).[3]
  2. Review CVSS Scores:
    • CVE-2024-55591: CVSS 9.8 (Critical).
    • CVE-2025-24472: CVSS 9.8 (Critical).[4]
  3. Block Malicious CIDRs/IPs:
    • Block Proton66 ASN CIDR ranges:
      • 193.143.0.0/22
      • 45.155.204.0/22
      • 185.234.72.0/22
    • Sample Proton66 IPs observed in attacks:
      • 193.143.1.139
      • 45.155.204.10
      • 185.234.72.5
  4. Monitor for IOC Activity:
    • Watch for suspicious admin creation, login events, and C2 traffic as detailed in Fortinet’s advisory.[3]
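One way to put steps 3 and 4 into practice is to screen existing authentication or connection logs for traffic from the listed ranges, both before the block goes in (to find activity that already happened) and afterwards (to confirm the block is holding). The following Python script is an added example, not code from the article or from Trustwave or Fortinet. It uses the three CIDR ranges listed above; its log lines and its key=value log format are constructed for illustration and are not taken from any real appliance.

```python
"""Screen log lines for source addresses inside the Proton66 CIDR blocklist.

Added example, not code from the article or from Trustwave/Fortinet.
The CIDR ranges are the ones listed in the article's mitigation section.
The log format (key=value fields, srcip=..., action=...) is an assumption
made for this example and does not reproduce Fortinet's log format.
"""
import ipaddress
import re

# CIDR ranges listed in the article's mitigation section.
PROTON66_CIDRS = [
    ipaddress.ip_network("193.143.0.0/22"),
    ipaddress.ip_network("45.155.204.0/22"),
    ipaddress.ip_network("185.234.72.0/22"),
]

# Constructed sample log (assumed key=value layout). Three of the source
# addresses are the sample Proton66 IPs from the article; the others are
# private/documentation addresses, plus one malformed value.
SAMPLE_LOG = """\
2025-03-02T10:14:07Z action=login status=failure user=admin srcip=193.143.1.139
2025-03-02T10:14:09Z action=login status=failure user=admin srcip=193.143.1.139
2025-03-02T10:15:31Z action=login status=success user=jsmith srcip=10.20.30.40
2025-03-02T10:16:02Z action=login status=failure user=root srcip=45.155.204.10
2025-03-02T10:17:45Z action=admin_create status=success user=svc_backup srcip=185.234.72.5
2025-03-02T10:18:12Z action=login status=success user=jdoe srcip=198.51.100.23
2025-03-02T10:19:00Z action=login status=failure user=admin srcip=not-an-ip
"""

SRCIP_RE = re.compile(r"\bsrcip=(\S+)")
ACTION_RE = re.compile(r"\baction=(\S+)")


def blocked_network(ip_text):
    """Return the blocklist network that contains ip_text, or None.

    A malformed address yields None instead of raising, so one bad log
    line cannot abort a batch run. An IPv6 address never matches an
    IPv4 network, which ipaddress handles for us.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in PROTON66_CIDRS:
        if addr in net:
            return net
    return None


def find_hits(log_text):
    """Return one (line_number, srcip, network, action) tuple per matching line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        ip_match = SRCIP_RE.search(line)
        if not ip_match:
            continue
        net = blocked_network(ip_match.group(1))
        if net is None:
            continue
        action_match = ACTION_RE.search(line)
        action = action_match.group(1) if action_match else "unknown"
        hits.append((lineno, ip_match.group(1), str(net), action))
    return hits


def summarize(hits):
    """Count hits per blocklist network for a quick triage view."""
    counts = {}
    for _, _, net, _ in hits:
        counts[net] = counts.get(net, 0) + 1
    return counts


def high_priority(hits):
    """Hits worth escalating first: account changes from a blocklisted source.

    The article singles out suspicious admin creation; treating any
    'admin_create' from a listed range as high priority is this example's
    own choice, not guidance from the advisory.
    """
    return [h for h in hits if h[3] == "admin_create"]


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for lineno, ip, net, action in found:
        print(f"line {lineno}: {ip} in {net} ({action})")
    print("per-network counts:", summarize(found))
    print("escalate first:", high_priority(found))
```

On the constructed log the script reports four matching lines (two repeated failed admin logins, one failed root login, and one account creation), and flags the account creation from 185.234.72.5 for escalation. Replacing `SAMPLE_LOG` with a real export and adjusting the two regular expressions to the actual field names is all that is needed to run it against a production log.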

Final Thoughts

Proton66 remains a critical enabler for global cybercrime, capitalizing on high‑severity vulnerabilities and resilient bulletproof hosting infrastructure.

Timely patching, proactive network monitoring, and blocking of known malicious infrastructure are essential steps to reduce risk. As threat actors adapt, ongoing awareness and collaboration within the security community remain vital for effective defense.

Security teams should also track Proton66 IP reallocations and stay informed about potential coordinated takedown operations led by law‑enforcement agencies.

Footnotes

  1. TechRadar: Russian bulletproof hosting system targeted by hackers to spread malware

  2. Trustwave SpiderLabs: Massive Spike in Malicious Activity from Proton66 Bulletproof Hosting

  3. Fortinet PSIRT Advisory FG-IR-24-535

  4. NVD: CVE-2024-55591; NVD: CVE-2025-24472

  5. UnderCodeNews: Russian Hosting Provider Proton Linked to Global Surge in Cyberattacks