Full Report
Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66. The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week. "Net
Analysis Summary
# Incident Report: Mass Scanning and Exploitation via Russian Bulletproof Hosting Network
## Executive Summary
Between January 8, 2025, and April 21, 2025, security researchers observed a significant surge in global malicious activity—including mass scanning, credential brute-forcing, and zero-day exploitation attempts—originating from IP addresses linked to the Russian bulletproof hosting provider, Proton66. The attackers leveraged this infrastructure to host C2 servers and deploy various malware strains (GootLoader, XWorm, StrelaStealer, WeaXor ransomware) against international targets. Response recommendations center on blocking known associated IP ranges to contain widespread threats.
## Incident Details
- **Discovery Date:** January 8, 2025 (Activity detection began)
- **Incident Date:** Activity observed starting January 08, 2025, ongoing through April 2025.
- **Affected Organization:** Organizations worldwide (no specific victim disclosed, activity is broad scanning/exploitation).
- **Sector:** Global Organizations (All sectors targeted by generalized scanning and specific malware campaigns).
- **Geography:** Activity originates from Russian infrastructure (Proton66/PROSPERO network); targets are international (France, Spain, Greece, Korea, Germany mentioned).
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning January 08, 2025
- **Vector:** Mass scanning, credential brute-forcing, and direct exploitation of known vulnerabilities.
- **Details:** Active scanning noticed from net blocks `45.135.232.0/24` and `45.140.17.0/24`. Specific exploitation attempts observed in February 2025 from IP `193.143.1[.]65` targeting CVEs in Palo Alto PAN-OS, Mitel MiCollab, D-Link NAS, and Fortinet FortiOS.
### Lateral Movement
- **Details:** Not explicitly detailed, but the discovery, exploitation, and malware distribution suggest successful internal proliferation or setup of C2 infrastructure for sustained access.
### Data Exfiltration/Impact
- **Details:**
* Distribution of information stealer **StrelaStealer** targeting German-speaking users.
* Distribution of **XWorm** malware targeting Korean-speaking chat room users via LNK file execution.
* Distribution of **WeaXor** ransomware (variant of Mallox) contacting C2 at `193.143.1[.]139`.
* **Mobile Phishing:** Compromised WordPress sites linked to `91.212.166[.]21` redirecting Android users to fake Google Play pages to download malicious APKs.
### Detection & Response
- **Details:**
* Threat activity detected by Trustwave SpiderLabs starting January 8, 2025.
* Public analysis and disclosure published by Trustwave SpiderLabs in April 2025.
* **Response Action:** Organizations advised to immediately block all CIDR ranges associated with Proton66 and potentially related provider Chang Way Technologies.
## Attack Methodology
| Category | Method |
| :--- | :--- |
| **Initial Access** | Mass scanning, brute-forcing, and exploitation of critical vulnerabilities (CVE-2025-0108, CVE-2024-41713, CVE-2024-10914, CVE-2024-55591, CVE-2025-24472). Social engineering via LNK files targeting specific language groups. |
| **Persistence** | Use of malware families (XWorm, StrelaStealer) known to establish persistence mechanisms. |
| **Privilege Escalation** | Not explicitly detailed, but often inherent in successful exploitation of the noted critical vulnerabilities. |
| **Defense Evasion** | Redirector scripts obfuscated; checks performed to exclude crawlers, VPNs, and proxies using `ipify.org` and `ipinfo.io` lookups before delivering payloads to Android users. |
| **Credential Access** | Credential brute-forcing observed globally across the scanned network space. |
| **Discovery** | Mass scanning across IP ranges to identify vulnerable targets. |
| **Lateral Movement** | Implied by the deployment of malware like XWorm, though specific paths were not detailed. |
| **Collection** | Information gathering via StrelaStealer. Collection of user IPs via external services for targeted redirection. |
| **Exfiltration** | Use of C2 infrastructure hosted on Proton66 for malware communications and payload hosting. |
| **Impact** | Ransomware deployment (WeaXor), information theft (StrelaStealer), and delivery of remote access tools (XWorm). Mobile application compromise via malicious redirects. |
## Impact Assessment
- **Financial:** Unknown, but the scope suggests potential costs associated with remediation from malware infections (ransomware, stealers) and addressing exploited zero/n-day vulnerabilities.
- **Data Breach:** High risk due to the deployment of **StrelaStealer**. Sensitive personal data or organizational credentials potentially compromised.
- **Operational:** Risk of significant disruption due to **WeaXor ransomware** attacks and widespread malware infection.
- **Reputational:** High potential impact due to the association with high-profile infrastructure linked to known cybercrime forums and previous associations with PROSPERO infrastructure.
## Indicators of Compromise
- **Network Indicators (Defanged):**
* Malicious C2 IP communicating with WeaXor: `193.143.1[.]139` (Proton66)
* Malicious C2 IP communicating with StrelaStealer: `193.143.1[.]205` (Proton66)
* Highly active scanning/brute-force ranges: `45.135.232.0/24`, `45.140.17.0/24`
* WordPress redirector IP: `91.212.166[.]21`
- **File Indicators:**
* Windows Shortcut (.LNK) files leading to PowerShell execution chains.
* Malicious ZIP archives hosting LNK files.
* Base64-encoded .NET DLL used for XWorm loading.
* Malicious APK files distributed via fake Google Play listings.
- **Behavioral Indicators:**
* Redirection scripts performing VPN/proxy checks before payload delivery.
* PowerShell execution chains initiated from LNK files leading to multi-stage download/execution.
## Response Actions
- **Containment:** Organizations are advised to immediately implement firewall rules (ACLs) and security policy updates to **block all traffic to and from IP ranges associated with Proton66** and Chang Way Technologies.
- **Eradication:** If infection is confirmed, standard procedures for eradicating C2 communications, removing known malware families (XWorm, StrelaStealer, WeaXor), and resetting compromised credentials must be initiated.
- **Recovery:** Patching and hardening of identified vulnerable systems (Palo Alto PAN-OS, Mitel MiCollab, D-Link NAS, Fortinet FortiOS) is critical. MDM remediation for targeted Android users if phishing compromise is identified.
## Lessons Learned
- **Reliance on Bulletproof Hosting:** State-sponsored or crime-affiliated infrastructure (like Proton66, linked to PROSPERO) continues to be a major source of global mass-scanning and exploitation efforts, often operating outside jurisdictional reach.
- **Multi-Vector Campaign Complexity:** The attackers successfully used traditional infrastructure exploitation alongside sophisticated social engineering (LNK files) and mobile targeting (Android APKs) simultaneously.
- **OpSec Failure:** Links between major service providers (like Kaspersky Lab networks in the PROSPERO case) and illicit hosting services create opportunities for threat actors, even if the provider denies service provision.
## Recommendations
- **Network Segmentation:** Implement strict egress filtering to prevent command-and-control callbacks to known or suspected bulletproof hosting providers.
- **Vulnerability Management:** Prioritize patching for externally facing services targeted in this campaign (Palo Alto, Fortinet, Mitel).
- **Endpoint Protection:** Deploy advanced Endpoint Detection and Response (EDR) capable of detecting obfuscated PowerShell execution chains originating from LNK files.
- **Mobile Security:** Enhance user training regarding downloading applications outside official, verified app stores, especially for users located in French, Spanish, Greek, or Korean linguistic regions targeted by APK campaigns.