Tracing Blind Eagle to Proton66
Trustwave SpiderLabs, which has been tracking Proton66 for the last several months, made this connection by pivoting from Proton66-linked assets; that pivot led to the identification of another active threat cluster relying on the same ASN infrastructure.
Pivoting identified what is assessed to be one of Blind Eagle's most recent and operationally active infrastructure clusters, characterized by strong interconnections across multiple domains and IP address clusters. This infrastructure exclusively leverages Visual Basic Script (VBS) files as its initial attack vector, relies heavily on free Dynamic DNS (DDNS) services, and deploys readily available Remote Access Trojans (RATs) as second-stage malware.
The starting pivot point of this analysis within Proton66 OOO infrastructure was a set of domains that followed a certain naming pattern and began appearing in summer 2024. All of these domains resolved to the IP address 45.135.232[.]38, which is part of a netblock associated with Proton66 OOO.