- Trustwave finds several C2 Malware servers hosted on Proton66
- Ransomware is also hosted there
- Some pages of phishing targeting Android users are from Proton66
Proton66, a Russian bulletproof hosting provider, is being used to spread malware, ransomware, phishing attacks and more, experts have warned.
Trustwave researchers report that malicious activity spiked in recent weeks, noting that “from January 8, 2025, SpiderLabs observed an increase in mass scanning, credential brute-forcing and exploitation attempts from ASN Proton66 targeting organizations worldwide.
“Although malicious activity was observed in the past, the sudden spike and subsequent decline observed in February 2025 were notable, and the offending IP addresses were studied.”
Whoever is behind these activities is seeking to exploit a number of vulnerabilities, in particular an authentication flaw in Palo Alto Networks products (CVE-2025-0108), an insufficient input validation flaw in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab (CVE-2024-41713), an injection vulnerability (CVE-2024-10914), and authentication flaws in Fortinet FortiOS (CVE-2024-55591 and CVE-2025-24472).
The two FortiOS flaws were previously used by the initial access broker Mora_001, which was also seen dropping a new ransomware variant called SuperBlack.
The same report also noted that several malware families host their C2 servers on Proton66, including GootLoader and SpyNote.
In addition, Trustwave said that XWorm, StrelaStealer and a ransomware named WeaXor were all distributed via Proton66.
Finally, crooks use compromised WordPress sites linked to a Proton66 IP address to redirect Android users to phishing pages that spoof Google Play listings and try to trick users into downloading malware.
To mitigate the risk from threats linked to Proton66, users should block all Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 and Chang Way Technologies. The latter is a Hong Kong-based provider which is “likely” linked to Proton66.
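Blocking by CIDR range is simple to state but easy to get wrong at prefix boundaries, and it helps to know beforehand how much existing traffic would be affected. The script below is an added example, not code from the article or from Trustwave: it takes a list of prefixes, checks the source IPs in a few constructed firewall and VPN log lines against them (IPv4 and IPv6), counts hits per prefix, and renders nftables drop rules. The prefixes are RFC 5737 / RFC 3849 documentation addresses standing in for the real Proton66 and Chang Way Technologies ranges, which the article does not list; the `src=` log format and the `inet filter input` table/chain names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Placeholder prefixes: the real Proton66 / Chang Way Technologies CIDR ranges
# are not given in the article, so these are constructed documentation
# addresses (RFC 5737 / RFC 3849), not actual hosting-provider infrastructure.
BLOCKLIST_CIDRS = [
    "198.51.100.0/24",
    "203.0.113.0/25",
    "2001:db8:66::/48",
]


def build_networks(cidrs):
    """Parse CIDR strings once into network objects (strict=False tolerates host bits set)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def match_cidr(ip, networks):
    """Return the first blocklisted network containing ip, or None (unparseable IPs never match)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


# Assumed log format: a key=value line carrying the source address as src=<ip>.
LOG_RE = re.compile(r"src=(?P<src>[0-9a-fA-F:.]+)")


def scan_log(lines, cidrs):
    """Count hits per blocklisted prefix and collect the matching log lines."""
    networks = build_networks(cidrs)
    hits = Counter()
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        net = match_cidr(m.group("src"), networks)
        if net is not None:
            hits[str(net)] += 1
            flagged.append(line)
    return hits, flagged


def firewall_rules(cidrs):
    """Render one nftables drop rule per prefix (assumes an 'inet filter' table with an 'input' chain)."""
    rules = []
    for net in build_networks(cidrs):
        family = "ip" if net.version == 4 else "ip6"
        rules.append(f"nft add rule inet filter input {family} saddr {net} drop")
    return rules


# Constructed sample log lines (firewall and VPN auth events), not real captures.
# 203.0.113.200 and 2001:db8:ffff::1 sit just outside the listed prefixes.
SAMPLE_LOG = [
    "2025-02-10T03:14:07Z fw action=allow src=198.51.100.23 dst=10.0.0.5 dport=443",
    "2025-02-10T03:14:09Z fw action=allow src=192.0.2.44 dst=10.0.0.5 dport=443",
    "2025-02-10T03:14:11Z vpn auth=fail user=admin src=203.0.113.77 reason=bad_password",
    "2025-02-10T03:14:12Z vpn auth=fail user=admin src=203.0.113.200 reason=bad_password",
    "2025-02-10T03:14:15Z fw action=allow src=2001:db8:66:1::9 dst=10.0.0.8 dport=22",
    "2025-02-10T03:14:16Z fw action=allow src=2001:db8:ffff::1 dst=10.0.0.8 dport=22",
]

if __name__ == "__main__":
    counts, lines = scan_log(SAMPLE_LOG, BLOCKLIST_CIDRS)
    for net, n in counts.items():
        print(f"{net}: {n} hit(s)")
    for line in lines:
        print("   ", line)
    print("\n".join(firewall_rules(BLOCKLIST_CIDRS)))
```

Running the scan over recent logs before deploying the rules shows which prefixes are already reaching you and whether any legitimate traffic shares them; the `/25` entry in the sample illustrates why the mask, not just the leading octets, decides a match.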
So-called “bulletproof” hosting is a type of hosting service advertised as being sheltered from takedowns and legal action, but there have been cases in the past where bulletproof hosting providers ended up giving in.
For now, the fact that Proton66 is a Russian service probably makes it somewhat bulletproof as far as Western users are concerned. However, politics shifts like the wind, and what Russia protected yesterday could be traded away tomorrow.
Via The Hacker News