{
	"id": "2fb91b32-99d4-4633-ac4a-c04cee8ed529",
	"created_at": "2026-04-06T00:12:55.155295Z",
	"updated_at": "2026-04-10T03:20:59.303234Z",
	"deleted_at": null,
	"sha1_hash": "c33a8eae9787ea27364b179942d756fca5752348",
	"title": "Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 418678,
	"plain_text": "Notorious Malware, Spam Host “Prospero” Moves to Kaspersky\r\nLab\r\nPublished: 2025-02-28 · Archived: 2026-04-02 12:41:01 UTC\r\nOne of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started\r\nrouting its operations through networks run by the Russian antivirus and security firm Kaspersky Lab,\r\nKrebsOnSecurity has learned.\r\nSecurity experts say the Russia-based service provider Prospero OOO (the triple O is the Russian version of\r\n“LLC”) has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing\r\nwebsites. Last year, the French security firm Intrinsec detailed Prospero’s connections to bulletproof services\r\nadvertised on Russian cybercrime forums under the names Securehost and BEARHOST.\r\nThe bulletproof hosting provider BEARHOST. This screenshot has been machine-translated from Russian. Image:\r\nKe-la.com.\r\nBulletproof hosts are so named when they earn or cultivate a reputation for ignoring legal demands and abuse\r\ncomplaints. And BEARHOST has been cultivating its reputation since at least 2019.\r\n“If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us,”\r\nBEARHOST’s ad on one forum advises. “We completely ignore all abuses without exception, including\r\nhttps://krebsonsecurity.com/2025/02/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab/\r\nPage 1 of 4\n\nSPAMHAUS and other organizations.”\r\nIntrinsec found Prospero has courted some of Russia’s nastiest cybercrime groups, hosting control servers for\r\nmultiple ransomware gangs over the past two years. 
Intrinsec said its analysis showed Prospero frequently hosts\r\nmalware operations such as SocGholish and GootLoader, which are spread primarily via fake browser updates on\r\nhacked websites and often lay the groundwork for more serious cyber intrusions — including ransomware.\r\nA fake browser update page pushing mobile malware. Image: Intrinsec.\r\nBEARHOST prides itself on the ability to evade blocking by Spamhaus, an organization that many Internet\r\nservice providers around the world rely on to help identify and block sources of malware and spam. Earlier this\r\nweek, Spamhaus said it noticed that Prospero was suddenly connecting to the Internet by routing through\r\nnetworks operated by Kaspersky Lab in Moscow.\r\nUpdate, March 1, 9:43 a.m. ET: In a written statement, Kaspersky said it is aware of the public claim about the\r\ncompany allegedly providing services to a “bulletproof” web hosting provider. Here is their full statement:\r\n“Kaspersky denies these claims as the company does not work and has never worked with the service\r\nprovider in question. The routing through networks operated by Kaspersky doesn’t by default mean\r\nprovision of the company’s services, as Kaspersky’s automatic system (AS) path might appear as a\r\ntechnical prefix in the network of telecom providers the company works with and provides its DDoS\r\nservices.”\r\n“Kaspersky pays great attention to conducting business ethically and ensuring that its solutions are used\r\nfor their original purpose of providing cybersecurity protection. 
The company is currently investigating\r\nthe situation to inform the company whose network could have served as a transit for a “bulletproof”\r\nweb hosting provider so that the former takes the necessary measures.”\r\nKaspersky began selling antivirus and security software in the United States in 2005, and the company’s malware\r\nresearchers have earned accolades from the security community for many important discoveries over the years.\r\nBut in September 2017, the Department of Homeland Security (DHS) barred U.S. federal agencies from using\r\nKaspersky software, mandating its removal within 90 days.\r\nCybersecurity reporter Kim Zetter notes that DHS didn’t cite any specific justification for its ban in 2017, but\r\nmedia reports quoting anonymous government officials referenced two incidents. Zetter wrote:\r\nAccording to one story, an NSA contractor developing offensive hacking tools for the spy agency had\r\nKaspersky software installed on his home computer where he was developing the tools, and the\r\nsoftware detected the source code as malicious code and extracted it from his computer, as antivirus\r\nsoftware is designed to do. A second story claimed that Israeli spies caught Russian government hackers\r\nusing Kaspersky software to search customer systems for files containing U.S. secrets.\r\nKaspersky denied that anyone used its software to search for secret information on customer machines\r\nand said that the tools on the NSA worker’s machine were detected in the same way that all antivirus\r\nsoftware detects files it deems suspicious and then quarantines or extracts them for analysis. Once\r\nKaspersky discovered that the code its antivirus software detected on the NSA worker’s machine were\r\nnot malicious programs but source code in development by the U.S. 
government for its hacking\r\noperations, CEO Eugene Kaspersky says he ordered workers to delete the code.\r\nLast year, the U.S. Commerce Department banned the sale of Kaspersky software in the U.S. effective July 20,\r\n2024. U.S. officials argued the ban was needed because Russian law requires domestic companies to cooperate in\r\nall official investigations, and thus the Russian government could force Kaspersky to secretly gather intelligence\r\non its behalf.\r\nPhishing data gathered last year by the Interisle Consulting Group ranked hosting networks by their size and\r\nconcentration of spambot hosts, and found Prospero had a higher spam score than any other provider by far.\r\nAS209030, owned by Kaspersky Lab, is providing connectivity to the bulletproof host Prospero (AS200593).\r\nImage: cidr-report.org.\r\nIt remains unclear why Kaspersky is providing transit to Prospero. Doug Madory, director of Internet analysis at\r\nKentik, said routing records show the relationship between Prospero and Kaspersky started at the beginning of\r\nDecember 2024.\r\nMadory said Kaspersky’s network appears to be hosting several financial institutions, including Russia’s largest\r\n— Alfa-Bank. 
Kaspersky sells services to help protect customers from distributed denial-of-service (DDoS)\r\nattacks, and Madory said it could be that Prospero is simply purchasing that protection from Kaspersky.\r\nBut if that is the case, it doesn’t make the situation any better, said Zach Edwards, a senior threat researcher at\r\nthe security firm Silent Push.\r\n“In some ways, providing DDoS protection to a well-known bulletproof hosting provider may be even worse than\r\njust allowing them to connect to the rest of the Internet over your infrastructure,” Edwards said.\r\nSource: https://krebsonsecurity.com/2025/02/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2025/02/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab/"
	],
	"report_names": [
		"notorious-malware-spam-host-prospero-moves-to-kaspersky-lab"
	],
	"threat_actors": [],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c33a8eae9787ea27364b179942d756fca5752348.pdf",
		"text": "https://archive.orkl.eu/c33a8eae9787ea27364b179942d756fca5752348.txt",
		"img": "https://archive.orkl.eu/c33a8eae9787ea27364b179942d756fca5752348.jpg"
	}
}