CyberWire Daily: Proton66’s Malware Highway - Episode Summary
Release Date: April 22, 2025
Host/Author: N2K Networks
1. Overview
In this episode of CyberWire Daily, host Dave Bittner, powered by N2K Networks, delves deep into the intricate landscape of contemporary cyber threats. The episode, titled "Proton66’s Malware Highway," explores various facets of cybercrime, from sophisticated botnets to ransomware attacks on critical sectors. Additionally, the episode features insightful discussions with industry experts, shedding light on the evolving challenges in cybersecurity.
2. Russian Proton66 and Cybercriminal Hosting Services
The episode opens with an analysis of the Proton66 autonomous system, a Russian entity heavily involved in cybercriminal activities. According to Trustwave SpiderLabs, Proton66 has been a linchpin in global cyber attacks since January 2025, primarily targeting the technology and financial sectors. Its methods include brute-force logins and exploitation of vulnerabilities in networked devices.
Key Points:
- Proton66 supports phishing campaigns via hacked WordPress sites, distributing the XWorm malware to Korean-speaking users through sophisticated social engineering techniques.
- The infrastructure of Proton66 was instrumental in spreading the Strela stealer malware across Central Europe and managing command and control (C2) servers used in ransomware operations.
- Recent shifts have seen malicious domains associated with Proton66 being migrated to infrastructure linked to Changwe Technologies.
Notable Quote:
“At its peak, Proton66 has been linked to multiple ransomware hits, showing the adaptability and resilience of their infrastructure,” says Dave Bittner at [05:30].
3. Rustobot: A New Rust-Based Botnet Targeting Routers
A significant focus is placed on Rustobot, a newly identified botnet written in the Rust programming language. Rustobot aggressively targets vulnerable routers globally, exploiting known command injection flaws in TOTOLINK and DrayTek devices.
Key Points:
- Rustobot infects routers in regions including Japan, Taiwan, Vietnam, and Mexico.
- The botnet employs advanced techniques such as XOR encryption and system API retrieval via the global offset table to evade detection.
- Once compromised, routers connect to C2 domains to orchestrate large-scale Distributed Denial of Service (DDoS) attacks, notably UDP floods.
- Fortinet researchers highlight the persistent risks to IoT devices and the increasing utilization of modern programming languages like Rust for developing resilient malware.
Notable Quote:
“Rustobot is a testament to the evolving sophistication of botnets, leveraging modern languages to enhance their persistence and effectiveness,” explains Dave Bittner at [10:15].
4. CISA Budget Cuts and Operational Impacts
The episode addresses the ramifications of budget cuts at the Cybersecurity and Infrastructure Security Agency (CISA), which have curtailed the use of pivotal analysis tools like Censys and VirusTotal. These changes are attributed to financial constraints and political pressures, potentially diminishing CISA’s capacity to monitor and respond to cyber threats effectively.
Key Points:
- Censys usage ceased in March, and VirusTotal support ended by April 20, 2025.
- The agency is actively seeking alternatives but warns of possible operational disruptions.
- Ongoing layoffs and downsizing within CISA could further impair threat tracking amidst escalating cyber attacks.
Notable Quote:
“Budget cuts at CISA may severely weaken our national defense against the rising tide of cyber threats,” states Dave Bittner at [12:50].
5. Ransomware Attacks on Healthcare Providers
Two prominent healthcare providers, Bell Ambulance in Milwaukee and Alabama Ophthalmology Associates, have fallen victim to ransomware attacks, compromising sensitive data of over 231,000 individuals. Both incidents highlight the vulnerability of the healthcare sector to cyber extortion.
Key Points:
- Bell Ambulance detected the breach in February 2025, with Medusa ransomware implicated, affecting approximately 114,000 individuals.
- Alabama Ophthalmology Associates experienced a breach in January 2025 via BianLian ransomware, impacting over 131,000 people.
- The compromised data includes personal, financial, and medical information, contributing to a surge in healthcare data breaches, numbering over 700 in the US in 2024 alone.
Notable Quote:
“These attacks underscore the critical need for enhanced cybersecurity measures in the healthcare sector,” remarks Dave Bittner at [14:00].
6. Scallywag Ad Fraud Network Uncovered
Researchers at security vendor Human have exposed the Scallywag ad fraud network, which manipulates ad traffic through compromised WordPress plugins. The scheme redirects users through ad-laden cashout pages embedded with captchas and forced interactions to inflate ad views.
Key Points:
- Scallywag employs four WordPress plugins: Soralink, Uidea, WP SafeLink, and DropLink, which are either sold to threat actors or freely available.
- At its zenith, Scallywag generated 1.4 billion daily ad requests, though this figure briefly plummeted by 95% before rebounding through new site deployments.
- The network leverages deep linking to disguise malicious pages as benign blogs, revealing their true nature only after specific user interactions.
Notable Quote:
“Scallywag’s exploitation of WordPress plugins illustrates the sophisticated tactics used to bypass traditional ad fraud detection methods,” says Dave Bittner at [16:30].
7. UN Warns of Industrial-Scale Cyber-Enabled Fraud in Southeast Asia
The United Nations Office on Drugs and Crime (UNODC) has issued a stark warning about the exponential growth of cyber-enabled fraud in Southeast Asia, attributing it to transnational crime syndicates operating out of Myanmar and Cambodia.
Key Points:
- Fraud operations are entrenched in vulnerable border regions, masquerading as legitimate establishments like tech parks, casinos, and hotels.
- These syndicates encompass traffickers, launderers, and data brokers, leveraging encrypted platforms, cryptocurrency, and generative AI to scale their fraudulent activities.
- The crisis, which grossed $37 billion in 2023, is now expanding globally, affecting Africa, South America, and the Pacific regions.
- UNODC advocates for urgent measures including better regulations, enhanced international cooperation, and fortified law enforcement to combat this pervasive threat.
Notable Quote:
“Cyber-enabled fraud in Southeast Asia has become an industrial-scale crisis, undermining governance and state sovereignty on a global scale,” states Dave Bittner at [18:00].
8. Resurgence of Fog Ransomware
The Fog Ransomware family has reemerged with a new variant incorporating a ransom note that references the U.S. Department of Government Efficiency, urging victims to disseminate the malware further.
Key Points:
- Distributed via phishing emails containing malicious ZIP files disguised as PDFs, the malware executes a PowerShell script that downloads various payloads including the ransomware loader and exfiltration scripts.
- Victims encounter QR codes for Monero payments and odd political references within the script.
- Since January 2025, Fog has targeted 100 victims across multiple sectors.
- Trend Micro suspects the latest wave may involve impersonators utilizing Fog’s existing tools, recommending enhanced vigilance through updated backups, network segmentation, and active monitoring.
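The delivery chain above (a ZIP archive disguised as a PDF, carrying a script that fetches the loader) is exactly the kind of mismatch a mail gateway can catch before a user ever opens the attachment. The following is an added example, not code from the episode or from Trend Micro: it sniffs an attachment's magic bytes, compares them with what the file extension claims, and, for archives, lists members with script or executable extensions. All filenames and byte contents are constructed fixtures; the script extension list is an assumption, not something taken from the Fog reporting.

```python
"""Mail-gateway style check for archives masquerading as PDFs (added example)."""
import io
import zipfile
from dataclasses import dataclass

# Magic-byte signatures: PDFs start with "%PDF-"; ZIP archives start with the
# local-file-header "PK\x03\x04" (empty archives "PK\x05\x06", spanned "PK\x07\x08").
MAGIC = {
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
}
EXTENSION_TO_KIND = {".pdf": "pdf", ".zip": "zip"}

# Assumed list of member extensions worth flagging inside an archive.
SCRIPT_EXTS = {".ps1", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".hta", ".exe", ".scr"}


@dataclass
class Verdict:
    filename: str
    claimed: str      # kind implied by the extension, or "unknown"
    actual: str       # kind implied by the magic bytes, or "unknown"
    suspicious: bool
    reason: str


def sniff_kind(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename entirely."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return "unknown"


def claimed_kind(filename: str) -> str:
    """Classify by the trailing extension the sender chose to show the user."""
    name = filename.lower()
    for ext, kind in EXTENSION_TO_KIND.items():
        if name.endswith(ext):
            return kind
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Flag extension/content mismatches and executable content inside archives."""
    claimed = claimed_kind(filename)
    actual = sniff_kind(data)
    reasons = []
    if claimed != "unknown" and actual != "unknown" and claimed != actual:
        reasons.append(f"extension says {claimed} but content is {actual}")
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                members = archive.namelist()
        except zipfile.BadZipFile:
            members = []
            reasons.append("zip signature but archive is unreadable")
        risky = [m for m in members if any(m.lower().endswith(e) for e in SCRIPT_EXTS)]
        if risky:
            reasons.append("archive contains executable content: " + ", ".join(risky))
    return Verdict(filename, claimed, actual, bool(reasons), "; ".join(reasons) or "no mismatch")


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: text} for constructed test fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures: a genuine PDF, a ZIP wearing a .pdf name, an honest ZIP,
# and a blob with a ZIP signature but no valid archive structure behind it.
SAMPLES = [
    ("Invoice_2025.pdf", b"%PDF-1.7\n%constructed\n"),
    ("Invoice_2025.pdf", build_zip({"Invoice_2025.ps1": "Write-Host constructed"})),
    ("notes.zip", build_zip({"readme.txt": "plain text"})),
    ("report.pdf", b"PK\x03\x04garbage"),
]


def scan_samples() -> list:
    """Run the check over every fixture and return the verdicts."""
    return [inspect_attachment(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for v in scan_samples():
        print(f"{v.filename}: suspicious={v.suspicious} ({v.reason})")
```

The check deliberately ignores what the filename says and trusts only the first bytes of the content; a gateway that keys on the extension alone is what a ".pdf" that is really a ZIP is designed to slip past.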
Notable Quote:
“Fog Ransomware’s latest iteration demonstrates the persistent evolution of ransomware tactics, blending social engineering with advanced malware deployment,” explains Dave Bittner at [19:45].
9. Cracked Cybercrime Marketplace Relaunches
The notorious cybercrime marketplace Cracked has resurfaced under the new domain CrackedCrackedSh following a takedown operation in January that seized 12 domains and a payment processor. Despite law enforcement efforts, no arrests have been made, and the site’s new administrator claims encrypted servers have thwarted further investigations.
Key Points:
- Researchers verified login access using old credentials, indicating potential authenticity of the relaunched site.
- Breach Forums, another platform previously targeted for leaking data, claims a return through a new site under the name Breach Fi, though its legitimacy remains uncertain.
- Cybersecurity experts caution that such platforms often reappear under false pretenses or serve as law enforcement traps, urging skepticism among users.
Notable Quote:
“The relaunch of Cracked signifies the resilience of cybercrime marketplaces, often morphing to evade law enforcement and maintain illicit operations,” notes Dave Bittner at [21:00].
10. Industry Voices: Bob Maley on Third-Party Cyber Incidents
In the Industry Voices segment, Bob Maley, Chief Security Officer at Black Kite, discusses the escalating risk of third-party cyber incidents and the complexities of managing third-party risk within Europe’s digital landscape.
Key Insights:
- Third-Party Breaches: Maley emphasizes that breaches often occur gradually, with attackers conducting reconnaissance to identify valuable assets before initiating exfiltration or deploying ransomware.
- Ripple Effect: A single third-party breach can cascade, affecting thousands of dependent organizations, as evidenced by the CrowdStrike breach impacting numerous companies.
- Risk Management: Traditional questionnaire-based assessments are outdated. Maley advocates for attack path management and real-time risk assessments to stay ahead of sophisticated threat actors.
- AI Integration: While AI presents opportunities for automating data processing and risk assessments, Maley warns against overreliance, highlighting that AI tools are not a panacea and must be strategically integrated.
Notable Quotes:
“Attackers don’t break in; they log in,” Maley asserts at [14:04].
“Risk management involving third parties should focus on the reduction of risk, not just compliance checkboxes,” he adds at [21:27].
11. Industry Voices: Kim Jones on Cybersecurity as a Trade or Profession
In another Industry Voices segment, Kim Jones, host of the CISO Perspectives podcast, explores whether cybersecurity should be classified as a trade or a profession, highlighting the implications of each classification on career development and industry standards.
Key Insights:
- Trade Attributes: Jones compares cybersecurity to traditional trades like plumbing and electrical work, emphasizing the need for defined entry standards, structured apprenticeships, and clear advancement pathways.
- Professional Attributes: She notes the absence of an overarching code of ethics and standardized certification bodies in cybersecurity, which are hallmarks of professions like law and medicine.
- Career Pathing: The duality of cybersecurity being both a trade and a profession creates challenges in talent acquisition and skill development. Jones advocates for establishing clearer frameworks to guide career progression and ensure the industry evolves to meet modern cybersecurity demands.
Notable Quotes:
“If we believe cybersecurity is a trade, then we ought to start instituting formal apprenticeships and advancement structures,” Jones states at [28:19].
“Cybersecurity is neither solely a trade nor a profession; it encompasses elements of both, necessitating a hybrid approach to career development,” she concludes at [31:55].
12. Conclusion
The episode of CyberWire Daily titled "Proton66’s Malware Highway" offers an extensive examination of the current cyber threat landscape, underscored by expert analyses and real-world case studies. From the sophisticated operations of Proton66 to the emerging threats posed by Rustobot, the discussion underscores the dynamic and ever-evolving nature of cyber threats. Additionally, insights from industry leaders like Bob Maley and Kim Jones provide valuable perspectives on managing third-party risks and defining the professional standards within cybersecurity.
Notable Quotes Recap:
- [05:30] “At its peak, Proton66 has been linked to multiple ransomware hits, showing the adaptability and resilience of their infrastructure.”
- [10:15] “Rustobot is a testament to the evolving sophistication of botnets, leveraging modern languages to enhance their persistence and effectiveness.”
- [14:00] “These attacks underscore the critical need for enhanced cybersecurity measures in the healthcare sector.”
- [16:30] “Scallywag’s exploitation of WordPress plugins illustrates the sophisticated tactics used to bypass traditional ad fraud detection methods.”
- [18:00] “Cyber-enabled fraud in Southeast Asia has become an industrial-scale crisis, undermining governance and state sovereignty on a global scale.”
- [19:45] “Fog Ransomware’s latest iteration demonstrates the persistent evolution of ransomware tactics, blending social engineering with advanced malware deployment.”
- [21:00] “The relaunch of Cracked signifies the resilience of cybercrime marketplaces, often morphing to evade law enforcement and maintain illicit operations.”
- [21:27] “Risk management involving third parties should focus on the reduction of risk, not just compliance checkboxes.”
- [28:19] “If we believe cybersecurity is a trade, then we ought to start instituting formal apprenticeships and advancement structures.”
- [31:55] “Cybersecurity is neither solely a trade nor a profession; it encompasses elements of both, necessitating a hybrid approach to career development.”
This comprehensive summary encapsulates the critical discussions and insights presented in the "Proton66’s Malware Highway" episode of CyberWire Daily, providing listeners and non-listeners alike with a thorough understanding of the evolving cybersecurity landscape.
