Hackers Exploit Russian Hosting Provider Proton66 for Malware, Trustwave SpiderLabs Finds

30 April, 2026. Technology and Science. 11 sources.

Key Takeaways

  • Proton66, a Russian hosting provider, is central to global malware campaigns.
  • Campaigns target organizations and users worldwide via Proton66 infrastructure.
  • Fresh cybersecurity findings describe ongoing malware distributions linked to Proton66.

Proton66 Malware Pipeline

A Russian hosting service provider known as Proton66 is at the center of widespread cyberattacks and malware campaigns targeting organizations and users worldwide, according to findings cited by eSecurity Planet.

The report says researchers at Trustwave SpiderLabs linked Proton66 to a surge in activity ranging from “credential brute-forcing and mass vulnerability scanning” to the delivery of ransomware, infostealers, and “Android-targeted phishing campaigns.”

eSecurity Planet describes Proton66 as “a bulletproof playground for hackers,” part of an underground network of “bulletproof hosting” providers that “intentionally allow or ignore criminal activity on their servers.”

The infrastructure, it adds, was “openly advertised on Russian-speaking forums under the names UNDERGROUND and BEARHOST,” according to Intrinsec, a French cybersecurity firm.

The report says that on Jan. 8, 2025, researchers began noticing a sharp increase in unauthorized scanning, credential harvesting, and exploitation attempts tied to IP addresses registered under Proton66’s Autonomous System Number (AS198953).

Trustwave researchers Pawel Knapczyk and Dawid Nesterowicz wrote that “Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts,” and that “Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years.”

The same analysis notes that one IP, 45.134.26.8, “hadn’t been flagged for malicious activity since November 2021,” but was later used in what SpiderLabs describes as “an aggressive and coordinated wave of cyber offensives.”

Exploits, Ransomware, and Android

Beyond scanning, eSecurity Planet says Proton66 resources were used to exploit high-profile vulnerabilities, including “the recently disclosed CVE-2025-0108 in Palo Alto Networks PAN-OS and CVE-2024-10914, a critical flaw in legacy D-Link NAS devices.”

The report adds that “One IP in particular, 193.143.1.65, was observed in February 2025 launching exploit attempts for these and other bugs,” and that SpiderLabs links the same IP to a threat actor group dubbed “Mora_001,” described as “believed to be an initial access broker.”

After initial access, eSecurity Planet says the actor deploys a ransomware strain named “SuperBlack,” described as “similar to LockBit 3.0, but with a customized ransom note and data theft tool.”

The report also describes malware distribution through compromised WordPress websites, saying that in February researchers observed Android users being redirected to phishing pages impersonating the Google Play Store.

It names fake app marketplaces “us-playmarket.com and playstors-france.com” and says the “redirector scripts are obfuscated and perform several checks against the victim, such as excluding crawlers and VPN or proxy users.”

SpiderLabs, as quoted by eSecurity Planet, explained that “User IP is obtained through a query to ipify.org, then the presence of a VPN on the proxy is verified through a subsequent query to ipinfo.io.”

Despite the elaborate setup, eSecurity Planet says SpiderLabs confirmed that “none of the redirection attempts were successful,” adding that this was “likely because no Android users visited the compromised pages during the observation period.”

The same report expands the malware list, describing “XWorm” targeting Korean-speaking investment chat rooms, “Strela Stealer” credential-stealing phishing aimed at German-speaking users, and “WeaXor,” a ransomware variant related to Mallox that “encrypts files and demands $2,000 in Bitcoin or USDT for decryption.”

Infrastructure Shifts and Blocking

eSecurity Planet portrays Proton66’s ecosystem as shifting over time, describing how bulletproof hosting brands linked to the service were advertised on darknet forums but later vanished from public listings.

It says that “since December 2024, those offers vanished from public listings,” replaced by “a more private sales model.”

The report includes a forum response from a user named “Voodo_servers,” who claimed, “the services are now offered through a private company,” and that this “remov[ed] the need for open forum promotions.”

It also says Intrinsec had already tied these services to a Hong Kong-based provider, “Chang Way Technologies,” and that “Trustwave researchers later noticed multiple campaigns shifting IPs from Proton66 to Chang Way-owned networks,” which the report frames as an operational handoff or partnership.

In response to the breadth of attacks, eSecurity Planet says SpiderLabs recommends blocking specific IP ranges tied to the Proton66 ASN (AS198953) and to the Chang Way Technologies ASN.

The Proton66 block list includes “45.134.26.0/24,” “45.135.232.0/24,” “45.140.17.0/24,” “91.212.166.0/24,” and “193.143.1.0/24.”

For Chang Way Technologies, the report lists “45.93.20.0/24,” “91.240.118.0/24,” and “185.11.61.0/24.”
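The two block lists above are only useful once they are matched against real traffic. The script below is an added illustration, not code from Trustwave, eSecurity Planet or any vendor: it loads the CIDR ranges exactly as quoted in the report, scans access-log lines for source addresses inside those ranges, and tallies hits per hosting label. The log lines are constructed sample data, and the "first field is the client IP" layout is an assumption about the log format.

```python
"""Match source IPs in log lines against the SpiderLabs-recommended block list.

Added illustration, not code from Trustwave, eSecurity Planet or any vendor.
CIDR ranges are the ones quoted in the report; log lines are constructed.
"""
import ipaddress
import re
from collections import Counter

# Block list as quoted in the report, keyed by the hosting provider label.
BLOCKLIST = {
    "Proton66 (AS198953)": [
        "45.134.26.0/24", "45.135.232.0/24", "45.140.17.0/24",
        "91.212.166.0/24", "193.143.1.0/24",
    ],
    "Chang Way Technologies": [
        "45.93.20.0/24", "91.240.118.0/24", "185.11.61.0/24",
    ],
}

# Parse the networks once so each lookup is a cheap membership test.
_NETWORKS = [
    (label, ipaddress.ip_network(cidr))
    for label, cidrs in BLOCKLIST.items()
    for cidr in cidrs
]

# Constructed sample lines in a common access-log shape (client IP first).
SAMPLE_LOG = """\
45.134.26.8 - - [10/Feb/2025:03:12:07 +0000] "GET /wp-login.php HTTP/1.1" 401 -
10.0.0.5 - - [10/Feb/2025:03:12:09 +0000] "GET /index.html HTTP/1.1" 200 512
193.143.1.65 - - [10/Feb/2025:03:12:11 +0000] "POST /api/login HTTP/1.1" 403 -
185.11.61.200 - - [10/Feb/2025:03:12:14 +0000] "GET /.env HTTP/1.1" 404 -
203.0.113.7 - - [10/Feb/2025:03:12:20 +0000] "GET /about HTTP/1.1" 200 2048
not-an-ip - - [10/Feb/2025:03:12:21 +0000] "GET / HTTP/1.1" 400 -
"""

_FIRST_FIELD = re.compile(r"^(\S+)")


def classify_ip(ip_text):
    """Return the block-list label covering ip_text, or None.

    Unparseable addresses return None instead of raising, so one malformed
    log field never aborts a bulk scan.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for label, net in _NETWORKS:
        if addr in net:  # version mismatch (v4 vs v6) simply yields False
            return label
    return None


def scan_log(text):
    """Yield (ip, label, line) for every line whose source IP is block-listed."""
    for line in text.splitlines():
        m = _FIRST_FIELD.match(line)
        if not m:
            continue
        label = classify_ip(m.group(1))
        if label:
            yield m.group(1), label, line


def summarize(text):
    """Count block-listed hits per provider label, a quick triage metric."""
    return Counter(label for _, label, _ in scan_log(text))


if __name__ == "__main__":
    for ip, label, line in scan_log(SAMPLE_LOG):
        print(f"{label:<24} {ip:<16} {line[:60]}")
    print(dict(summarize(SAMPLE_LOG)))
```

Matching on the full CIDR rather than on individual addresses matters here because the report stresses that previously quiet addresses inside these ranges became active; a per-IP denylist would miss them, while a per-network check catches any host in the block.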

cPanel CRLF Root Bypass

A separate wave of risk centers on a critical cPanel and WebHost Manager (WHM) authentication bypass vulnerability tracked as CVE-2026-41940, described by TechRadar as putting “tens of millions of websites at risk of total compromise.”

TechRadar says researchers at watchTowr Labs dissected a flaw in cPanel and WHM that “allows remote attackers to gain full admin access over servers upon which much of the internet relies,” and that the vulnerability has a near-top severity score of 9.8.

The article states the vulnerability “has been exploited in the wild, as confirmed by KnownHost,” and it says “A patch for the vulnerability has been released and administrators are urged to apply the patch immediately.”

TechRadar explains that the crux of the issue is that an attacker can “forge an authenticated session without requiring a password,” which “provides the attacker with root level access to WHM.”

It describes the mechanism as “the attacker using CRLF (Carriage Return Line Feed) to inject a new line of code into the cPanel Logbook,” bypassing “session file encryption” and establishing the attacker as “the root administrator.”

The patching guidance in TechRadar lists specific fixed versions, including “cPanel & WHM 110.0.x - patched in 11.110.0.97 (was 11.110.0.96)” and “cPanel & WHM 118.0.x - patched in 11.118.0.63 (was 11.118.0.61).”

TechRadar also says the patch “has also added a new ‘sanitization’ function that scrubs any data you send to the server, preventing new lines of code from being snuck in.”
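The sanitization step TechRadar mentions is the generic defence against CRLF injection into any line-oriented file: control characters in attacker-influenced values must be neutralized before the value is written, otherwise a single field can terminate one record and start a forged one. The snippet below is an added illustration of that defence and is not cPanel's patch, watchTowr's code, or a model of the cPanel session format; the record layout (`user=... status=...`) and the sample inputs are constructed for the example.

```python
"""Neutralize CR/LF in values before they reach a line-oriented log.

Added illustration of the generic CRLF-injection defence; not cPanel's own
sanitization routine. Record layout and sample inputs are constructed.
"""
import re

# Any C0 control character or DEL could start a new record or confuse a parser.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Strict shape of one constructed record; anything else is a fragment.
_RECORD_RE = re.compile(r"^user=\S+ status=\S+$")

# Readable escapes for the common cases; everything else becomes \xNN.
_ESCAPES = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}


def sanitize_field(value):
    """Escape control characters so a field can never span two log lines.

    The record stays on one line and the tampering attempt stays visible
    in the log instead of silently becoming a second, forged record.
    """
    return _CONTROL_RE.sub(
        lambda m: _ESCAPES.get(m.group(0), f"\\x{ord(m.group(0)):02x}"), value
    )


def write_record(lines, user, status):
    """Append one record to lines; every field passes through sanitize_field."""
    lines.append(f"user={sanitize_field(user)} status={sanitize_field(status)}")
    return lines


def find_malformed(text):
    """Return lines of an existing log that do not match the record schema.

    A CRLF-injected value splits a record and usually leaves a fragment that
    fails the schema. This is a triage heuristic for logs written before the
    fix, not a substitute for sanitizing on write.
    """
    return [ln for ln in text.splitlines() if ln and not _RECORD_RE.match(ln)]


if __name__ == "__main__":
    # Constructed hostile value: a CRLF followed by a forged record prefix.
    hostile = "guest\r\nuser=admin"
    naive = f"user={hostile} status=denied"          # unsanitized write
    print("naive lines on disk:", len(naive.splitlines()))   # 2
    print("fragments flagged:", find_malformed(naive))
    hardened = write_record([], hostile, "denied")   # sanitized write
    print("hardened record:", hardened[0])           # still one line
```

Note the limit of the schema check: in the unsanitized case the forged second line `user=admin status=denied` is well formed, and only the orphaned fragment `user=guest` gives it away. Detection after the fact is therefore best-effort; the control that actually closes the hole is refusing to write raw CR and LF in the first place.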

In parallel, SQ Magazine frames the same bug as “Severe cPanel Flaw Allows Login Bypass Attacks” and says it is “now tracked as CVE-2026-41940 (CVSS 9.8)—an auth bypass granting unauthenticated admin access.”

Exploitation Timeline and Mitigations

BleepingComputer says the critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is “being actively exploited in the wild,” and that it “has been leveraged in attempts since late February,” while also noting it is “unclear when exploitation started.”

It adds that KnownHost said on the day of disclosure that “successful exploits have been seen in the wild” before a fix became available, and that KnownHost CEO Daniel Pearson stated the company has “seen execution attempts as early as 2/23/2026.”

BleepingComputer reports that cPanel released a fix on April 28, and that Namecheap temporarily blocked connections to cPanel and WHM ports “2083 and 2087 until patches became available.”

The same article says watchTowr explains the flaw is caused by “a ‘Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel & WHM,’” and that Rapid7 warns “Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages.”

SecurityWeek similarly describes the bug as “being exploited as a zero-day for months,” and it cites Rapid7’s Shodan search showing “around 1.5 million internet-accessible cPanel instances.”

The Register emphasizes the scale by stating that the cPanel and WHM control panels help manage “70 million domains,” and it quotes watchTowr’s analogy: “Think of it as the keys to the kingdom, and then the keys to every individual apartment inside the kingdom.”

In addition to patching, BleepingComputer says the vendor recommends blocking ports “2083, 2087, 2095, and 2096” or stopping “cpsrvd and cpdavd,” and it reports cPanel also provided a detection script and watchTowr a “Detection Artifact Generator script.”
