Trustwave SpiderLabs has been tracking malicious activities from Proton66 ASN, ranging from vulnerability scanning to phishing campaigns. This series examines the extent of such attacks, which include exploitation attempts tied to SuperBlack ransomware and various malware campaigns. Affected: Proton66 ASN, technological and financial sectors, non-profit sector, engineering sector.
Key points:
- Proton66 ASN involved in mass scanning, exploit attempts, and phishing campaigns.
- IP address associated with SuperBlack ransomware linked to the latest critical exploits.
- Malware campaigns included fake Google Play store redirects from compromised WordPress sites.
- Initial access broker “Mora_001” exploiting critical vulnerabilities for ransomware deployment.
- Mass scanning activity noted from Proton66 targeting organizations globally starting January 2025.
MITRE Techniques:
- Reconnaissance (T1087): Mass scanning for vulnerabilities observed through multiple IPs linked to Proton66 ASN.
- Exploitation for Client Execution (T1203): Exploitation attempts against vulnerabilities like CVE-2025-0108.
- Credential Dumping (T1003): Credential brute-forcing attempts noticed from Proton66 ASN.
- Data Encrypted for Impact (T1486): Deployment of SuperBlack ransomware indicates data encryption for extortion.
- Initial Access (T1078): Activities linked to “Mora_001” suggest network infiltration for attack execution.
Indicators of Compromise:
- [IP] 45.134.26.38
- [IP] 45.140.17.21
- [IP] 45.135.232.24
- [IP] 193.143.1.65 (Actor: Mora_001)
- [IP] 91.212.166.65
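To put the indicator list above to use, the following is an added example (not code from Trustwave SpiderLabs or from the report) that sweeps web-server access logs for the five listed IP addresses. The IoC values are taken from the list on this page; the log lines are constructed for illustration, and the matching is exact per address (no Proton66 network ranges are assumed, since the page lists none).

```python
import ipaddress
import re
from dataclasses import dataclass

# IoC IP addresses exactly as listed on the page, with the actor attribution the page gives.
PROTON66_IOC_IPS = {
    "45.134.26.38": "Proton66",
    "45.140.17.21": "Proton66",
    "45.135.232.24": "Proton66",
    "193.143.1.65": "Proton66 (actor: Mora_001)",
    "91.212.166.65": "Proton66",
}

# Candidate dotted-quad tokens; word boundaries keep "145.134.26.38" from yielding "45.134.26.38".
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    ip: str
    label: str
    line: str


def extract_ipv4(line):
    """Return the syntactically valid IPv4 addresses found in a log line."""
    found = []
    for token in IPV4_CANDIDATE.findall(line):
        try:
            ipaddress.IPv4Address(token)  # rejects octets above 255
        except ipaddress.AddressValueError:
            continue
        found.append(token)
    return found


def find_ioc_hits(lines, iocs=PROTON66_IOC_IPS):
    """Match every IP in each line against the IoC set; one Hit per (line, IoC) pair."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ip in extract_ipv4(line):
            if ip in iocs:
                hits.append(Hit(line_no, ip, iocs[ip], line.strip()))
    return hits


def summarize(hits):
    """Count hits per IoC address, useful for prioritising which source to look at first."""
    counts = {}
    for hit in hits:
        counts[hit.ip] = counts.get(hit.ip, 0) + 1
    return counts


# Constructed sample access log (not taken from the report): three IoC sources, two
# benign internal clients, and one near-miss address that shares a suffix with an IoC.
SAMPLE_LOG = """\
45.134.26.38 - - [12/Jan/2025:03:14:07 +0000] "GET /login HTTP/1.1" 404 0
10.0.0.5 - - [12/Jan/2025:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 512
193.143.1.65 - - [12/Jan/2025:03:15:22 +0000] "POST /admin HTTP/1.1" 403 0
192.168.1.20 - - [12/Jan/2025:03:15:40 +0000] "GET /index.html HTTP/1.1" 200 512
91.212.166.65 - - [12/Jan/2025:03:16:01 +0000] "GET /config HTTP/1.1" 403 0
145.134.26.38 - - [12/Jan/2025:03:16:30 +0000] "GET /index.html HTTP/1.1" 200 512
"""


def scan_sample():
    """Run the sweep over the constructed log and return (hits, per-IoC counts)."""
    hits = find_ioc_hits(SAMPLE_LOG.splitlines())
    return hits, summarize(hits)


if __name__ == "__main__":
    hits, counts = scan_sample()
    for hit in hits:
        print(f"line {hit.line_no}: {hit.ip} [{hit.label}] {hit.line}")
    print(counts)
```

Feed real logs through `find_ioc_hits(open(path))` and alert on any non-empty result; the `label` field carries the page's Mora_001 attribution so that hits on 193.143.1.65 can be escalated separately from generic scanner traffic.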