Malware Surge via Proton66
ID: 9306fccc-4a28-51ea-84d3-e40f2d886c7e
STIX ID: report--9306fccc-4a28-51ea-84d3-e40f2d886c7e
Feed Name: Canary Trap
Trustwave SpiderLabs observed that Proton66, a Russian bulletproof hosting provider, has been abused since January 2025 to host C2 servers, phishing pages and multi-stage malware delivery chains that distribute GootLoader, SpyNote, XWorm, StrelaStealer and the WeaXor ransomware. Observed activity includes mass scanning, credential brute-forcing and exploitation of vulnerabilities in PAN-OS, FortiOS, D-Link NAS and Mitel MiCollab, as well as the use of compromised WordPress sites to redirect Android users to fake Google Play phishing pages. Organizations are advised to block Proton66 and affiliated CIDR ranges to reduce exposure.
