{
	"id": "722dcb83-a91a-4710-a875-1d70825380d4",
	"created_at": "2026-04-06T00:21:19.699971Z",
	"updated_at": "2026-04-10T13:12:53.647544Z",
	"deleted_at": null,
	"sha1_hash": "629a32d8d8a4ed75ecb0365bc9e4d395f1dbc431",
	"title": "PROSPERO \u0026 Proton66: Uncovering the links between bulletproof networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63979,
	"plain_text": "PROSPERO \u0026 Proton66: Uncovering the links between\r\nbulletproof networks\r\nBy David Sardinha\r\nPublished: 2024-11-20 · Archived: 2026-04-05 15:05:23 UTC\r\nKey findings\r\nThis report presents:\r\nThe Russian autonomous system PROSPERO (AS200593) could be linked with a high level of confidence\r\nto Proton66 (AS198953), another Russian AS that we believe to be connected to the bulletproof services\r\nnamed ‘SecureHost’ and ‘BEARHOST’. We notably observed that both networks’ configurations are\r\nalmost identical in terms of peering agreements and in their respective shares of load over time.\r\nAmong the activities shared by the two networks, we noticed that both the GootLoader and SpyNote\r\nmalware families recently moved their command-and-control servers and phishing pages\r\nfrom PROSPERO to Proton66. Additionally, the domains hosting the phishing pages deploying SpyNote were hosted on\r\neither one of the two AS and had already been used in previous campaigns delivering revoked AnyDesk\r\nand LiveChat versions for both Windows and Mac.\r\nRegarding the other malicious activities found on PROSPERO’s IPs, we found that throughout September,\r\nmultiple SMS spam campaigns targeting citizens of various countries were leading to phishing\r\ndomains hosted on PROSPERO and Proton66. While most phishing templates impersonated bank login\r\npages to steal credit card details, we also noticed that some of them were used to deploy Android\r\nspyware such as Coper (a.k.a. Octo).\r\nSocGholish, another initial access broker (IAB) that we found to be hosting a major part of its\r\ninfrastructure on Proton66, continues to leverage this autonomous system to host the fingerprinting scripts\r\nembedded in the websites it infects. 
Alongside SocGholish, we found that FakeBat, another loader that\r\ninfects systems through compromised websites, was using the same IPs to host both screening and\r\nredirection scripts.\r\nIntroduction\r\nAs part of our continuous monitoring of bulletproof networks, we discovered an autonomous system\r\nnamed PROSPERO OOO (AS200593) based in Russia. We believe that it could be linked to Proton66 OOO\r\n(AS198953), another anonymous Russian autonomous system that we previously found to be connected to a\r\nlarger infrastructure composed of multiple AS and offshore companies, all operated by a common Russian\r\nnational. This individual notably promotes his bulletproof hosting businesses named ‘UNDERGROUND’ and\r\n‘BEARHOST’ on various Russian-speaking underground marketplaces, stating that the service is “100%\r\nbulletproof […] we completely ignore all abuses and complaints, including Spamhaus”. He notably used to work\r\nwith another bulletproof provider named ‘SecureHost’, advertised on the same underground platforms, which we\r\nbelieve with a high level of confidence to be the current operator of both PROSPERO OOO and Proton66 OOO.\r\nBulletproof hosting\r\nA bulletproof hosting service is a type of web hosting service known for offering high levels of privacy, security,\r\nand leniency regarding the content and activities allowed on its servers. These services typically provide robust\r\nprotection against takedown requests, legal actions, and law enforcement investigations, often by locating their\r\nservers in jurisdictions with minimal regulation or weak enforcement of international law. 
Bulletproof hosting\r\nis often associated with hosting illicit content or activities, such as malware distribution, spam operations, or\r\ncopyright-infringing material, due to its permissive stance and commitment to client confidentiality. However,\r\nit is important to note that not all uses of such services are illegal, as some users may seek such hosting for\r\nlegitimate privacy reasons.\r\nThe connection between PROSPERO and Proton66 was made through similarities in the way both networks\r\nare operated, notably in the peering agreements each shares with other Russian networks. Additionally, we\r\nnoticed that botnets operated by GootLoader, an initial access broker, and SpyNote, an Android RAT, had moved\r\ntheir infrastructure from PROSPERO to Proton66, or would sometimes host their command-and-control servers\r\non both AS. Alongside those findings, this report aims to provide an overview of all the malicious activities\r\nhosted on PROSPERO OOO.\r\nLegal format of Russian companies\r\nAs a reminder, the Russian format “OOO” stands for “Obschestvo s Ogranichennoy Otvetstvennostyu”, which\r\ncorresponds to the Anglo-Saxon format “LLC” or “limited liability company”.\r\nIntrinsec’s CTI services\r\nOrganisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving\r\nthreats, it is now necessary to take a proactive approach to the detection and analysis of any element deemed\r\nmalicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to, the\r\ncompromises they face.\r\nFor this report, shared with our clients in July 2023, Intrinsec relied on its Cyber Threat Intelligence service,\r\nwhich provides its customers with high value-added, contextualised and actionable intelligence to understand and\r\ncontain cyber threats. 
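An added example, not part of the Intrinsec report, of the kind of check the PROSPERO/Proton66 observations in the introduction above imply: given resolved IPs for observed C2 or phishing hostnames, map each IP to its origin AS with a prefix table, then flag hostnames that moved between AS200593 and AS198953 on a later date or that resolved into both AS at once. The prefix table, ASN-to-name map, hostnames and dates below are all constructed placeholders (RFC 5737 documentation ranges, a documentation ASN and .invalid names); they are not the real announcements of either AS, and a real run would load a BGP RIB dump or an IP-to-ASN feed into the same dict.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed prefix-to-ASN table (RFC 5737 documentation ranges). These are
# NOT the real announcements of AS200593 or AS198953; a real run would load a
# BGP RIB dump or an IP-to-ASN feed into this same dict.
PREFIX_TABLE = {
    '203.0.113.0/24': 200593,   # stands in for PROSPERO OOO
    '198.51.100.0/24': 198953,  # stands in for Proton66 OOO
    '192.0.2.0/24': 64496,      # unrelated hoster (documentation ASN, RFC 5398)
}
AS_NAMES = {200593: 'PROSPERO OOO', 198953: 'Proton66 OOO', 64496: 'other'}
TRACKED_ASNS = {200593, 198953}

def build_table(table):
    # Longest-prefix match: try the most specific networks first.
    nets = [(ipaddress.ip_network(p), asn) for p, asn in table.items()]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets

NETS = build_table(PREFIX_TABLE)

def ip_to_asn(ip, nets=NETS):
    # Returns the origin ASN for ip, or None if no prefix covers it.
    addr = ipaddress.ip_address(ip)
    for net, asn in nets:
        if addr in net:
            return asn
    return None

# Constructed passive-DNS style observations: (hostname, first_seen, resolved_ip).
# Hostnames use the reserved .invalid TLD and are placeholders, not real IOCs.
OBSERVATIONS = [
    ('c2-example.invalid',     '2024-08-02', '203.0.113.10'),
    ('c2-example.invalid',     '2024-09-15', '198.51.100.20'),
    ('phish-example.invalid',  '2024-09-03', '203.0.113.44'),
    ('phish-example.invalid',  '2024-09-20', '198.51.100.44'),
    ('benign-example.invalid', '2024-09-10', '192.0.2.5'),
    ('dual-example.invalid',   '2024-09-21', '203.0.113.9'),
    ('dual-example.invalid',   '2024-09-21', '198.51.100.9'),
]

def attribute(observations, nets=NETS):
    # Build a per-hostname timeline of (date, ip, asn), oldest first.
    timeline = defaultdict(list)
    for host, seen, ip in observations:
        timeline[host].append((date.fromisoformat(seen), ip, ip_to_asn(ip, nets)))
    for hist in timeline.values():
        hist.sort()
    return dict(timeline)

def find_migrations(timeline, tracked=TRACKED_ASNS):
    # moves: hostname changed from one tracked AS to the other on a later date.
    # concurrent: hostname resolved into both tracked AS on the same date (the
    # report notes C2 hosted on both AS). Same-day entries are never counted
    # as a move, because their relative order in the timeline is arbitrary.
    moves, concurrent = [], set()
    for host, hist in timeline.items():
        on_tracked = [(d, asn) for d, _ip, asn in hist if asn in tracked]
        for (d_prev, a_prev), (d_cur, a_cur) in zip(on_tracked, on_tracked[1:]):
            if a_prev == a_cur:
                continue
            if d_cur > d_prev:
                moves.append((host, a_prev, a_cur, d_cur.isoformat()))
            else:
                concurrent.add(host)
    return moves, sorted(concurrent)

def hosts_on_tracked(timeline, tracked=TRACKED_ASNS):
    # Every hostname that resolved into either tracked AS at least once.
    return sorted(h for h, hist in timeline.items()
                  if any(asn in tracked for _d, _ip, asn in hist))

if __name__ == '__main__':
    tl = attribute(OBSERVATIONS)
    moves, concurrent = find_migrations(tl)
    for host, a_from, a_to, when in moves:
        print(f'{host}: {AS_NAMES[a_from]} -> {AS_NAMES[a_to]} on {when}')
    for host in concurrent:
        print(f'{host}: hosted on both tracked AS at once')
    print('hosts seen on tracked AS:', hosts_on_tracked(tl))
```

Run it as a script to print the constructed migrations. One caveat matters in practice: IP-to-ASN attribution is only as good as the routing snapshot it is taken from, and prefixes move between AS (which is exactly what the report tracks), so keep the prefix table dated and attribute each observation against the table that was current on its first-seen date rather than against today's RIB.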
Our CTI team consolidates data \u0026 information gathered from our security monitoring\r\nservices (SOC, MDR …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated\r\nby our analysts using custom heuristics, honeypots, hunting, reverse-engineering \u0026 pivots.\r\nIntrinsec also offers various services around Cyber Threat Intelligence:\r\nRisk anticipation, which can be leveraged to continuously adapt the detection \u0026 response capabilities of\r\nour clients’ existing tools (EDR, XDR, SIEM, …) through:\r\nan operational feed of IOCs based on our exclusive activities;\r\nthreat intel notes \u0026 reports, TIP-compliant.\r\nDigital risk monitoring:\r\ndata leak detection \u0026 remediation;\r\nexternal asset security monitoring (EASM);\r\nbrand protection.\r\nFor more information, go to our CTI’s website.\r\nFollow us on LinkedIn and X.\r\nSource: https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/"
	],
	"report_names": [
		"prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434879,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/629a32d8d8a4ed75ecb0365bc9e4d395f1dbc431.pdf",
		"text": "https://archive.orkl.eu/629a32d8d8a4ed75ecb0365bc9e4d395f1dbc431.txt",
		"img": "https://archive.orkl.eu/629a32d8d8a4ed75ecb0365bc9e4d395f1dbc431.jpg"
	}
}