PROSPERO & Proton66: Unmasking the Bulletproof Hosting Connection
In a comprehensive report by Intrinsec, the cybersecurity community is presented with detailed insights into the connection between two Russian autonomous systems (ASNs), PROSPERO (AS200593) and Proton66 (AS198953). These networks are key players in the murky world of bulletproof hosting, serving as conduits for illicit online activities, including malware distribution and phishing campaigns.
Intrinsec’s analysis reveals operational similarities between PROSPERO and Proton66. Both systems share nearly identical peering agreements and are linked to the same internet exchange point in St. Petersburg. This resemblance extends to their hosting of command-and-control servers for malicious software such as GootLoader and SpyNote. According to the report, “both networks’ configurations are almost identical in terms of peering agreements and their respective share of loads throughout time.”
Bulletproof hosting providers are notorious for their lenient policies and resistance to takedown requests. They operate in jurisdictions with weak regulatory enforcement, offering cybercriminals a haven for activities like malware distribution, phishing, and ransomware deployment. While some users may employ these services for legitimate privacy concerns, the majority exploit the platform for illicit operations. Intrinsec highlights that such services “completely ignore all abuses and complaints, including Spamhaus.”
Intrinsec has mapped the malicious activities tied to these networks. Among the most notable:
- Phishing Campaigns: Both ASNs host domains used in phishing campaigns targeting credentials and sensitive information from banking and cryptocurrency platforms. For example, domains spoofing Alpha Bank in Greece were used to distribute the Coper spyware.
- Ransomware Operations: Groups such as Mallox and Buhti have leveraged these networks for ransomware campaigns, with PROSPERO facilitating command-and-control communication.
- Android Spyware Distribution: SpyNote malware was distributed via phishing pages hosted on both ASNs, masquerading as legitimate Chrome updates.
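For a defender, the practical use of attribution like this is to sweep egress or proxy logs for destinations inside prefixes announced by the two ASNs. The following is an added example, not code from Intrinsec or the report; the prefixes, log format and log lines are constructed placeholders (RFC 5737 documentation ranges), since the report summary above names the ASNs but no prefixes, and a real deployment would load the prefix table from a BGP or RIR feed.

```python
"""Flag proxy-log destinations inside prefixes attributed to the two bulletproof-hosting
ASNs named in the Intrinsec report (AS200593 PROSPERO, AS198953 Proton66).
Prefixes and log lines are CONSTRUCTED placeholders; real attribution data would come
from a BGP or RIR feed, which this example assumes but does not fetch."""
import ipaddress
import re

# Hypothetical ASN -> announced prefixes table (constructed, documentation ranges).
ASN_PREFIXES = {
    200593: ["203.0.113.0/24"],    # PROSPERO placeholder prefix
    198953: ["198.51.100.0/24"],   # Proton66 placeholder prefix
}
WATCHED = {200593: "PROSPERO", 198953: "Proton66"}

def build_index(table):
    """Parse prefixes once; longest prefix first so overlaps resolve correctly."""
    idx = [(ipaddress.ip_network(p), asn) for asn, ps in table.items() for p in ps]
    return sorted(idx, key=lambda t: t[0].prefixlen, reverse=True)

def lookup_asn(ip, index):
    """Longest-prefix match of one address; returns the ASN or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in index:
        if addr.version == net.version and addr in net:
            return asn
    return None

# Constructed log format: "<ts> <client_ip> <action> <dst_ip>:<port> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) \S+ (\d{1,3}(?:\.\d{1,3}){3}):\d+ (\S+)")

def flag_log_lines(lines, index):
    """Return one dict per line whose destination sits in a watched ASN."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the sweep
        ts, client, dst, url = m.groups()
        try:
            asn = lookup_asn(dst, index)
        except ValueError:
            continue  # octet out of range, e.g. 999.1.1.1
        if asn in WATCHED:
            hits.append({"ts": ts, "client": client, "dst": dst,
                         "asn": asn, "name": WATCHED[asn], "url": url})
    return hits

SAMPLE_LOG = [  # constructed
    "2024-01-01T10:00:00Z 10.0.0.5 GET 203.0.113.45:443 https://chrome-update.example/",
    "2024-01-01T10:00:01Z 10.0.0.6 GET 192.0.2.10:443 https://legit.example/",
    "2024-01-01T10:00:02Z 10.0.0.7 GET 198.51.100.9:80 http://alpha-bank-login.example/",
]
```

Each hit carries the internal client address, which is what an analyst needs to pivot to the host for triage; prefix ownership changes over time, so the table should be refreshed rather than hard-coded as here.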
The report attributes the operations of these ASNs to a common individual who promotes their bulletproof services under the aliases “BEARHOST” and “SecureHost.” This operator, active on Russian-speaking underground forums, touts the services as “100% bulletproof” while ensuring protection from takedown attempts by leveraging multiple offshore entities.
The operations of PROSPERO and Proton66 underscore the global impact of bulletproof networks. Their activities have targeted victims worldwide, from phishing campaigns in Australia to malware infections in Europe. Intrinsec’s findings highlight the need for international cooperation in dismantling such infrastructures. However, as the report notes, “political tensions can complicate or delay this process,” especially when such networks operate under the tacit protection of their host states.