PROSPERO & Proton66: Uncovering the links between bulletproof networks - INTRINSEC
Key findings

This report presents:

- The Russian autonomous system PROSPERO (AS200593) could be linked with a high level of confidence to Proton66 (AS198953), another Russian AS that we believe to be connected to the bulletproof services named 'SecureHost' and 'BEARHOST'. We notably observed that both networks' configurations are almost identical in terms of peering agreements and their respective share of loads over time.
- Amongst the activities shared by the two networks, we noticed that both GootLoader and SpyNote recently moved the infrastructure of their command-and-control servers and phishing pages from PROSPERO to Proton66. Additionally, the domains hosting the phishing pages deploying SpyNote were hosted on either one of the two AS and had already been used in previous campaigns delivering revoked AnyDesk and LiveChat versions for both Windows and Mac.
- Regarding the other malicious activities found on PROSPERO's IPs, we found that throughout September, multiple SMS spam campaigns targeting citizens of various countries led to phishing domains hosted on PROSPERO and Proton66. While most phishing templates imitated bank login pages to steal credit card details, we also noticed that some of them were used to deploy Android spyware such as Coper (a.k.a. Octo).
- SocGholish, another initial access broker (IAB) that we found to be hosting a major part of its infrastructure on Proton66, continues to leverage this autonomous system to host fingerprinting scripts embedded in the websites it infects. Alongside SocGholish, we found that FakeBat, another loader that infects systems through compromised websites, was using the same IPs to host both screening and redirection scripts.
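Two of the findings above translate directly into checks a defender can automate: matching outbound connections against the two ASNs named in the report, and comparing the peer sets of two ASNs the way the report does when it calls the networks' peering configurations "almost identical". The following Python is an added example written for this page; it is not code from the Intrinsec report. It assumes a log line format of its own ("<ts> <src> -> <dst>:<port> asn=<n> <action>") in which an upstream IP-to-ASN lookup has already annotated each destination, and the peer adjacency data is constructed from RFC 5398 documentation ASNs, not observed BGP data.

```python
"""
Added example for this page (not from the Intrinsec report).

1. flag_watchlisted_asns(): scan proxy/firewall log lines whose destination
   has already been annotated with its origin ASN and flag connections to
   the two ASNs named in the report: AS200593 (PROSPERO) and AS198953 (Proton66).
2. peer_overlap(): Jaccard similarity between the peer sets of two ASNs, the
   kind of comparison the report relies on. The adjacency data below is
   constructed for illustration only.
"""
import re
from dataclasses import dataclass

# ASNs named in the report.
WATCHLIST = {
    200593: "PROSPERO OOO",
    198953: "Proton66 OOO",
}

# Assumed (constructed) log format: "<ts> <src> -> <dst>:<port> asn=<n> <action>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) asn=(?P<asn>\d+) (?P<action>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    asn: int
    org: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def flag_watchlisted_asns(lines):
    """Return a Hit for every line whose destination ASN is on the watchlist.
    Malformed lines are skipped rather than raising, so one bad record does
    not abort a batch."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        asn = int(rec["asn"])
        if asn in WATCHLIST:
            hits.append(Hit(rec["ts"], rec["src"], rec["dst"],
                            int(rec["port"]), asn, WATCHLIST[asn]))
    return hits


def peer_overlap(adjacency, a, b):
    """Jaccard similarity (0.0..1.0) of the peer sets of ASNs a and b.
    adjacency maps an ASN to the set of ASNs it peers with."""
    pa = set(adjacency.get(a, ()))
    pb = set(adjacency.get(b, ()))
    if not pa and not pb:
        return 0.0
    return len(pa & pb) / len(pa | pb)


# Constructed sample log lines. IPs are RFC 5737 documentation addresses and
# the asn= annotations are made up for the example; they do not represent
# real prefix ownership.
SAMPLE_LOG = [
    "2024-09-12T08:01:13Z 10.0.0.15 -> 192.0.2.10:443 asn=200593 allow",
    "2024-09-12T08:01:20Z 10.0.0.15 -> 198.51.100.7:80 asn=64496 allow",
    "2024-09-12T08:02:05Z 10.0.0.22 -> 203.0.113.5:443 asn=198953 allow",
    "malformed line that the parser should skip",
]

# Constructed adjacency using RFC 5398 documentation ASNs (64496-64511) as
# stand-in peers. This is NOT the report's observed peering data.
SAMPLE_ADJACENCY = {
    200593: {64496, 64497, 64498, 64499},
    198953: {64496, 64497, 64498, 64500},
}

if __name__ == "__main__":
    for h in flag_watchlisted_asns(SAMPLE_LOG):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.port} is in AS{h.asn} ({h.org})")
    print("peer overlap PROSPERO/Proton66:",
          round(peer_overlap(SAMPLE_ADJACENCY, 200593, 198953), 2))
```

In practice the ASN annotation would come from a BGP-derived IP-to-ASN database and the adjacency sets from route-collector data; the similarity score is only a pivoting heuristic, and a high overlap is a reason to investigate two networks together, not proof that they share an operator.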
Introduction

In the continuity of our constant monitoring of bulletproof networks, we discovered an autonomous system named PROSPERO OOO (AS200593) based in Russia. We believe that it could be linked to Proton66 OOO (AS198953), another Russian and anonymous autonomous system that we previously found to be connected to a bigger infrastructure composed of multiple AS and offshore companies, all operated by a common Russian national. This individual notably promotes his bulletproof hosting businesses named 'UNDERGROUND' and 'BEARHOST' on various Russian-speaking underground marketplaces, stating that the service is "100% bulletproof [...] we completely ignore all abuses and complaints, including Spamhaus". He notably used to work with another bulletproof provider named 'SecureHost', advertised on the same underground platforms, which we believe with a high level of confidence to be the present operator of both PROSPERO OOO and Proton66 OOO.

Bulletproof hosting

A bulletproof hosting service is a type of web hosting service known for offering high levels of privacy, security, and leniency regarding the content and activities allowed on its servers. These services typically provide robust protection against takedown requests, legal actions, and law enforcement investigations, often by locating their servers in jurisdictions with minimal regulations or weak enforcement of international laws. Bulletproof hosting is often associated with hosting illicit content or activities, such as malware distribution, spam operations, or copyright-infringing materials, due to its permissive stance and commitment to client confidentiality. However, it is important to note that not all uses of such services are illegal, as some users may seek such hosting for legitimate privacy concerns.
The connection between PROSPERO and Proton66 could be made through similarities in the way both networks are operated, notably in their respective peering agreements shared with other Russian networks. Additionally, we noticed that botnets operated by GootLoader, an initial access broker, and SpyNote, an Android RAT, had moved their infrastructure from PROSPERO to Proton66, or would sometimes host their command-and-control servers on both AS. Alongside those findings, this report aims to provide an overview of all the malicious activities that are hosted on PROSPERO OOO.

Legal format of Russian companies

As a reminder, the Russian format "OOO" stands for "Obschestvo s Ogranichennoy Otvetstvennostyu", which corresponds to the Anglo-Saxon format "LLC" or "limited liability company".

Intrinsec's CTI services

Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach to the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to, the compromises they face. For this report, shared with our clients in July 2023, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data and information gathered from our security monitoring services (SOC, MDR, ...), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering and pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:

Risk anticipation, which can be leveraged to continuously adapt the detection and response capabilities of our clients' existing tools (EDR, XDR, SIEM, ...) through:
- an operational feed of IOCs based on our exclusive activities
- threat intel notes and reports, TIP-compliant

Digital risk monitoring:
- data leak detection and remediation
- external asset security monitoring (EASM)
- brand protection

For more information, go to our CTI website. Follow us on LinkedIn and X.