Bearhost / Underground / Voodoo Servers
Russia-linked bulletproof hosting brand cluster // PROSPERO (AS200593) and PROTON66 (AS198953) // Active ~2019 to present; brand in transition

Executive Summary and Provider Overview

Operational Status: Active
PROSPERO ASN: AS200593
PROTON66 ASN: AS198953
Confirmed Active Since: ~2019
Brand Identities: 3
Documented Malware Families: 10+
Sanctions / LE Actions: None
Spamhaus Status: Listed

Quick-Reference Attributes

Common Names: Bearhost; BEARHOST; Underground; UNDERGROUND; Voodoo Servers
Node Type: Bulletproof Hosting Provider
Status: Active — underlying infrastructure active; Bearhost/Voodoo brand in assessed transition to Securehost
Entity Registration Jurisdiction: Russia — PROSPERO OOO (AS200593); PROTON66 OOO (AS198953). Both registered as Russian limited liability companies ("OOO").
Infrastructure Hosting Jurisdiction: Russia (primary, assessed); possible Hong Kong component via Chang Way Technologies (Trustwave, credible)
Operator Location: Unknown — Russia assessed based on entity registration and Russian-language forum advertising. No confirmed name, address, or DOB in open sources.
Active Period: ~2019 to present (Bearhost brand confirmed visible since at least 2019 per Krebs / Intrinsec); PROTON66 OOO active from at least 2023 per Intrinsec internal research
Primary ASNs: AS200593 — PROSPERO OOO (Russia); AS198953 — PROTON66 OOO (Russia)
Documented PROTON66 IP Ranges: 45.135.232.0/24; 45.140.17.0/24; 193.143.1.0/24 (Trustwave SpiderLabs, April 2025)
Upstream Transit (PROSPERO): Kaspersky Lab (AS209030) since December 2024 — Kaspersky denies intentional relationship
Abuse Contact: Not publicly disclosed in open sources
Sanctions: None confirmed against entity or operators as of June 2026
Sanctions Against Named Operators: None — human operators not named or sanctioned in open sources
Primary Clients: Qilin ransomware (confirmed); SocGholish, GootLoader (IABs, confirmed); SpyNote, XWorm, StrelaStealer, WeaXor/Mallox (confirmed via Trustwave)
Blocklist Status: Spamhaus recommends blocking PROSPERO AS entirely; BEARHOST explicitly advertises ignoring Spamhaus
State Nexus Tier: Tolerated Safe Harbor (Tier 2 of 4)
Brand Succession: Bearhost / Underground / Voodoo Servers assessed as single operator brand family; Securehost assessed as separate entity that acquired Bearhost assets from Voodoo operator per analyst assessment [Internal]

Overall Assessment

Bearhost (operating also as Underground and Voodoo Servers) is a Russia-linked bulletproof hosting (BPH) brand cluster that has advertised abuse-tolerant infrastructure on Russian-language cybercrime forums since at least 2019, with its operational backbone residing in two Russian autonomous systems: PROSPERO OOO (AS200593) and PROTON66 OOO (AS198953). The French firm Intrinsec, in research shared internally in July 2023 and published in November 2024, assessed these two ASNs to be operated by a common Russian national who promotes services under the names "UNDERGROUND" and "BEARHOST" on underground forums.

The provider's core value proposition is total non-cooperation with law enforcement and abuse reporters, including explicit claims to ignore Spamhaus. This posture has attracted a broad clientele spanning ransomware operators (Qilin), initial access brokers (SocGholish, GootLoader, FakeBat), and a range of malware families using PROTON66 and PROSPERO IP space for command-and-control, phishing, and payload distribution. Trustwave SpiderLabs documented a surge in mass scanning, credential brute-forcing, and critical CVE exploitation from PROTON66 IP ranges beginning January 2025, including exploitation of Palo Alto, Fortinet, D-Link, and Mitel vulnerabilities.

As of June 2026, no arrests, indictments, or sanctions have been imposed against the Bearhost/PROSPERO/PROTON66 operator cluster. The brand has undergone assessed transition: the Bearhost and Underground identities were followed by a Voodoo Servers rebrand, and a separate entity (Securehost) is assessed to have acquired the Bearhost brand and assets from the Voodoo operator. The underlying ASNs remain active. A notable 2025 development is PROSPERO's routing through Kaspersky Lab (AS209030), which drew public scrutiny from Krebs on Security, Spamhaus, and Silent Push, though Kaspersky denied an intentional service relationship.

Lineage and Organizational Heritage

Brand and Entity Structure

Brand / Entity | Type | Role | Active Window | Confidence
Bearhost / BEARHOST | BPH brand (underground forums) | Primary commercial brand; forum-advertised BPH service for botnets, malware, scanning, phishing | ~2019 to present (brand may be in transition; confirmed since ~2019) | Confirmed
Underground / UNDERGROUND | Brand alias | Concurrent or alternate brand name used by same operator on underground forums; "UNDERGROUND" appears alongside "BEARHOST" in Intrinsec attribution | Overlap with Bearhost period; exact dates not publicly documented | Confirmed
Voodoo Servers | Rebrand | Later brand iteration; Resecurity and g0njxa (X) independently describe Bearhost/Underground as "recently" becoming Voodoo Servers | Post-Underground; exact date not publicly documented; g0njxa post May 2025 describes exit scam after "several years of service" | Credible
PROSPERO OOO (AS200593) | Russian LLC; Autonomous System | Primary network backbone for Bearhost/Underground advertising; associated with BPH activity, malware C2, phishing since at least July 2023 (Intrinsec internal research) | Active | Confirmed
PROTON66 OOO (AS198953) | Russian LLC; Autonomous System | Sibling or successor network to PROSPERO; same operator assessed; hosting C2, phishing, exploit activity; actively used for campaigns as of April 2025 | Active | Confirmed

Predecessor Lineage

Analyst Inference: No public evidence ties Bearhost/PROSPERO/PROTON66 to prior-generation BPH brands such as Maxided, Yalishanda, or McColo. The earliest confirmed visibility for the Bearhost brand is approximately 2019 (Krebs on Security / Intrinsec). PROSPERO OOO's RIPE WHOIS registration timeline is not publicly enumerated in available open sources. Founding circa 2019 or earlier is consistent with available evidence; earlier activity cannot be excluded.

Evidence Pillars

Infrastructure Continuity

Confirmed: Intrinsec's November 2024 report assesses PROSPERO (AS200593) and PROTON66 (AS198953) to be operated by a common Russian national, based on near-identical network configurations, shared peering agreements, and behavioral overlap in malicious hosting. Both ASNs' IP space has been used interchangeably by the same malware operators (GootLoader C2, SpyNote C2) migrating between them. [2]

Brand Attribution

Confirmed: Multiple independent sources (Intrinsec, Resecurity, Krebs on Security, Trustwave, g0njxa on X) converge on the linkage between PROSPERO/PROTON66 infrastructure and the Bearhost/Underground/Voodoo Servers brand cluster. Intrinsec explicitly states the common operator "promotes its bulletproof hosting businesses named 'UNDERGROUND' and 'BEARHOST' on various Russian-speaking underground marketplaces." Resecurity explicitly describes "BEARHOST Servers, also known as Underground and Voodoo Servers." [2][1][4]

Forum Advertising Evidence

Confirmed: Verbatim advertising copy recovered from Russian underground forums (Krebs on Security, February 2025; Intrinsec, November 2024): "If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us. We completely ignore all abuses without exception, including SPAMHAUS and other organizations." Active since at least 2019 per Krebs / Coastline. [4][2]

Operator Profiles

No named individual has been publicly identified, sanctioned, or indicted in connection with Bearhost, PROSPERO OOO, or PROTON66 OOO as of June 2026. Intrinsec's public-facing report describes the operator as "a common Russian national" and "a common individual" but does not provide a real name, handle history, date of birth, or verified location in publicly available text. Intelligence Gap: Operator identity represents the most significant open intelligence gap in this profile. Everything below is attributed to an unknown Russian national.

Assessed Operator (Identity Unknown)

Handle(s): Unknown — Intrinsec references forum activity but does not publicly name a handle in available text
Nationality: Russian (assessed, per entity registration and Russian-language forum activity)
Assessed Location: Russia (assessed; not confirmed; not arrested)
Role: Operator of PROSPERO OOO (AS200593) and PROTON66 OOO (AS198953); promoter of Bearhost/Underground BPH services on Russian underground forums
Forum Activity: Active on Russian-speaking underground marketplaces advertising Bearhost/Underground services with explicit abuse-ignore guarantee; active since at least 2019
Sanctions: None confirmed
Legal Status: At large; no public arrest, indictment, or criminal charges

Securehost Relationship and Brand Transition

Credible: Securehost is assessed as a separate entity, not a self-rebrand of the Bearhost operator. Per analyst assessment [Internal], Securehost acquired the Bearhost brand and associated assets from the Voodoo Servers operator in a transactional transfer. This is consistent with Intrinsec's framing, which states the Bearhost/Underground operator "used to work with" Securehost and that Intrinsec believes Securehost to be "the present operator of both PROSPERO OOO and Proton66 OOO." [2]

A Russian-language Telegra.ph forum post (July 2024) describes dispute threads on Exploit and WWH-Club accusing Securehost of hijacking Bearhost brand elements (including a Telegram channel), posing as a continuation of Bearhost, and scamming clients. This forum drama corroborates an adversarial or competitive relationship between the original Bearhost operator and Securehost, which is more consistent with an imperfect acquisition or brand-squatting scenario than a clean self-rebrand. [8]

Disputed Claim: Intrinsec Attribution of Securehost

Intrinsec's public-facing text states that Securehost is assessed to be "the present operator" of PROSPERO and PROTON66. Analyst assessment [Internal] holds that Securehost is a separate entity that acquired the Bearhost operation, not the same individual operating under a new brand. These are not necessarily contradictory: if the sale transferred operational control of the ASNs to the Securehost operator, Intrinsec's "present operator" framing and the analyst's "acquisition" framing can both be correct. The degree of continuity vs. independence between the Voodoo/Bearhost operator and the Securehost operator is an intelligence gap.

Disputed Assessments

No vendor disputes the core linkage between PROSPERO/PROTON66 and the Bearhost/Underground brand cluster. The primary disputed area is the Securehost relationship: Intrinsec frames Securehost as closely tied to or operating PROSPERO/PROTON66; analyst assessment frames Securehost as a separate acquirer of the Bearhost brand. These reflect different visibility into closed-source forum data and may not be in direct conflict.

Operational and Business Model

Service Model

Bearhost/Underground operated as a full-service bulletproof hosting provider, offering dedicated servers and virtual private servers to cybercriminal clients on an anonymous basis with explicit guarantees of non-cooperation with law enforcement and abuse reporters. The service model centers on three elements: total abuse immunity, anonymous access, and reliable uptime. Advertised bandwidth is 10 Gbps per server. Services explicitly include command-and-control server hosting for botnets and malware, brute-force and scanning infrastructure, phishing hosting, and "fakes" (fraudulent content). Ransomware infrastructure is accommodated as part of the general client base, as confirmed by Qilin's use of the service. [1][2][4]

Verbatim Advertising Copy

Bearhost underground forum advertisement — recovered by Krebs on Security / Ke-la.com, as of February 2025 (machine-translated from Russian)
"If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us. We completely ignore all abuses without exception, including SPAMHAUS and other organizations."
Intrinsec paraphrase of Bearhost forum advertising copy — November 2024 report
"100% bulletproof [...] we completely ignore all abuses and complaints, including Spamhaus"
Bearhost forum advertisement — Coastline/Krebs sourcing (active since ~2019)
"If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us. We completely ignore all abuses without exception, including SPAMHAUS and other organizations."

Onboarding and Vetting

Forum-based advertising on Russian-language criminal underground marketplaces constitutes the primary onboarding channel. Prospective clients self-select from established underground forums (Exploit, WWH-Club, and similar platforms per sourcing). No invitation-only or referral requirement is confirmed in open sources. Client anonymity is enforced through cryptocurrency-only payment. The full onboarding workflow, ticket system, and communication channels are an intelligence gap.

Pricing and Packages

No confirmed public price list is documented in open sources. Advertised bandwidth of 10 Gbps suggests dedicated server offerings at the higher end of the BPH spectrum. A monthly subscription model is standard BPH practice and is inferred here, but no specific pricing is confirmed. Package names, geographic pricing variations, and minimum order requirements are an intelligence gap.

Reseller Chain and Associated Infrastructure

Credible: Trustwave SpiderLabs (April 2025) identifies Chang Way Technologies, a Hong Kong-based provider, as a "likely related" entity and recommends blocking its CIDR ranges alongside PROTON66. The exact commercial relationship (customer, partner, front company, or infrastructure reseller) between PROTON66 and Chang Way Technologies is not established in open sources. [3]

Analyst Inference: The PROSPERO/PROTON66 network pair itself functions as the hosting backbone, suggesting that the advertised "Bearhost" service is a commercial front for leased capacity within these ASNs rather than a separate physical infrastructure stack.

Abuse-Handling and LE Posture

Total non-cooperation is the explicit operating posture. Forum advertising explicitly names Spamhaus as an organization whose requests are ignored. No documented instances of Bearhost/PROSPERO/PROTON66 responding to abuse complaints or cooperating with law enforcement. Spamhaus has publicly recommended blocking the entire PROSPERO AS, and the Interisle Consulting Group's 2024 analysis ranked PROSPERO as having the highest spam score of any hosting provider surveyed. [4]

Unlike ZServers (which documented a deceptive IP-reassignment response in 2023), no analogous deceptive-compliance episode has been documented for Bearhost/PROSPERO in open sources. This may reflect better OPSEC or simply a gap in available reporting.

OPSEC Posture

The operator relies on: Russian OOO entity structure to limit foreign legal access; pseudonymous forum advertising without confirmed real-world identity; cryptocurrency-only payments; dual ASN architecture (PROSPERO and PROTON66) for infrastructure redundancy; and brand fluidity to shift reputational burden across multiple identities (Bearhost, Underground, Voodoo Servers). No major data breach or identity exposure comparable to the 2024 ZServers leak has been documented for this cluster. OPSEC has remained more robust than many peer BPH providers. No specific panel domains, Telegram channels, or Jabber handles attributed to the Bearhost operator are confirmed in open sources.

Technical Capabilities and Infrastructure Footprint

ASN Registration

ASN | Registered Name | Entity Type | Jurisdiction | Status (June 2026)
AS200593 | PROSPERO OOO | Russian LLC (OOO) | Russia | Confirmed Active
AS198953 | PROTON66 OOO | Russian LLC (OOO) | Russia | Confirmed Active

Analyst Inference: RIPE REST API queries timed out during research; ASN registration details above are drawn from Intrinsec (November 2024) and derivative reporting. Registered names, abuse contacts, and technical contact organizations could not be independently verified via RIPE WHOIS during this research cycle. This is a follow-up verification gap. [2]

Documented IP Ranges

CIDR Block | ASN | Activity Documented | Source | Period
45.135.232.0/24 | AS198953 (PROTON66) | Mass scanning, credential brute-forcing | Trustwave SpiderLabs | Jan 2025 onward
45.140.17.0/24 | AS198953 (PROTON66) | Mass scanning, credential brute-forcing | Trustwave SpiderLabs | Jan 2025 onward
193.143.1.0/24 | AS198953 (PROTON66) | CVE exploitation (PAN-OS, FortiOS, D-Link, Mitel); XWorm C2 (193.143.1.x); StrelaStealer C2 (193.143.1.205); WeaXor/Mallox C2 (193.143.1.139) | Trustwave SpiderLabs | Jan–Apr 2025
91.212.166.0/24 (91.212.166.21) | AS198953 (PROTON66) | Compromised WordPress redirect scripts; Android phishing pages mimicking Google Play | Trustwave SpiderLabs | Early 2025

Note: Trustwave documented "several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years" at time of discovery (January 2025), indicating deliberate cycling of clean or dormant IP space into active abuse. This is a resilience tactic distinct from simply registering new ranges.
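The documented PROTON66 ranges above are the kind of watchlist a defender would run against perimeter and proxy logs. The following is an added example written for this profile, not code from Trustwave or any other source cited here; the log lines are constructed samples, and the CIDRs and named hosts are taken from the table and the hosted-activity section of this page.

```python
"""
Match log lines against the PROTON66 CIDR blocks documented in this profile
and report which documented activity each hit corresponds to.
The log lines below are constructed samples, not real telemetry.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CIDR blocks from the profile's "Documented IP Ranges" table, annotated
# with the activity Trustwave SpiderLabs attributed to each range.
WATCHLIST = {
    "45.135.232.0/24": "PROTON66: mass scanning / credential brute-forcing",
    "45.140.17.0/24":  "PROTON66: mass scanning / credential brute-forcing",
    "193.143.1.0/24":  "PROTON66: CVE exploitation; XWorm / StrelaStealer / WeaXor C2",
    "91.212.166.0/24": "PROTON66: WordPress redirects / fake Google Play pages",
}

# Single hosts the profile names explicitly; a hit on one of these is
# more specific than a bare range match.
NAMED_HOSTS = {
    "193.143.1.205": "StrelaStealer C2",
    "193.143.1.139": "WeaXor (Mallox variant) C2",
    "193.143.1.65":  "CVE exploitation source",
    "91.212.166.21": "WordPress redirect / Android phishing host",
}


@dataclass(frozen=True)
class Hit:
    ip: str
    block: str
    activity: str
    host_note: Optional[str]
    line: str


_NETS = [(ipaddress.ip_network(c), c, a) for c, a in WATCHLIST.items()]
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_ip(ip_str: str) -> Optional[Tuple[str, str]]:
    """Return (cidr, activity) if the address falls in a watched block, else None."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:          # e.g. "999.1.1.1" matched the regex but is not an address
        return None
    for net, cidr, activity in _NETS:
        if addr in net:
            return cidr, activity
    return None


def scan_lines(lines) -> List[Hit]:
    """Pull every IPv4 literal out of each line and test it against the watchlist.

    A line can yield several hits (e.g. source and destination); malformed
    addresses are skipped rather than raising, so one bad line cannot abort a run.
    """
    hits: List[Hit] = []
    for line in lines:
        for ip in _IPV4.findall(line):
            match = classify_ip(ip)
            if match:
                cidr, activity = match
                hits.append(Hit(ip, cidr, activity, NAMED_HOSTS.get(ip), line))
    return hits


def summarize(lines) -> Dict[str, int]:
    """Count hits per documented CIDR block as a quick triage view."""
    counts: Dict[str, int] = {}
    for h in scan_lines(lines):
        counts[h.block] = counts.get(h.block, 0) + 1
    return counts


# Constructed sample log lines (not real traffic): a range hit, a named-host
# hit, a clean line using documentation addresses, and a bogus address.
SAMPLE_LOGS = [
    "2025-02-03T10:11:12Z fw deny src=45.135.232.77 dst=203.0.113.10 dport=22",
    "2025-02-03T10:12:40Z proxy GET http://193.143.1.205/upload from=198.51.100.4",
    "2025-02-03T10:13:01Z fw allow src=198.51.100.9 dst=203.0.113.10 dport=443",
    "2025-02-03T10:14:55Z fw deny src=999.1.1.1 dst=203.0.113.10 dport=445",
]

if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOGS):
        note = f" [{h.host_note}]" if h.host_note else ""
        print(f"{h.ip} in {h.block}{note}: {h.activity}")
    print(summarize(SAMPLE_LOGS))
```

Because the profile notes that PROTON66 cycles dormant addresses into active use, matching on the whole /24 rather than only the named hosts is what catches newly activated neighbours.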

Physical Infrastructure

No public disclosure of specific data center locations for PROSPERO or PROTON66 in open sources. Both are Russian OOO entities, suggesting at least some physical presence or point of control in Russia. Trustwave's identification of Chang Way Technologies (Hong Kong) as a likely related provider suggests possible offshored or transit infrastructure in Asia Pacific. Specific colocation facilities, city-level locations, and rack/server counts are an intelligence gap.

Upstream Transit Provider Chain

Confirmed: PROSPERO (AS200593) began routing through Kaspersky Lab (AS209030) in approximately December 2024. This was first documented publicly by Krebs on Security on February 28, 2025, citing Spamhaus and cidr-report.org data, and corroborated by Doug Madory (Kentik). Kaspersky denied providing services to PROSPERO, stating the AS path relationship "doesn't by default mean provision of the company's services, as Kaspersky's automatic system path might appear as a technical prefix in the network of telecom providers the company works with." [4]

Silent Push researcher Zach Edwards noted that "providing DDoS protection to a well-known bulletproof hosting provider may be even worse than just allowing them to connect to the rest of the Internet over your infrastructure," suggesting the relationship may involve Kaspersky's DDoS protection services. Kaspersky's client list via AS209030 includes Alfa-Bank, Russia's largest private bank, indicating a legitimate commercial ISP role for Kaspersky's network. [4]

No documented upstream de-peering events for PROSPERO or PROTON66 prior to the Kaspersky routing episode. The Kaspersky episode represents reputational pressure (public reporting, Spamhaus scrutiny) rather than a formal de-peering action. PROTON66 upstream transit chain is not documented in available open sources.
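The Kaspersky observation above came from AS-path data, and a defender tracking whether a watched ASN's transit changes can do the same from a routing table snapshot. The following is an added example for this profile, not code from Krebs, Spamhaus, Kentik or cidr-report.org; the RIB lines are constructed (documentation prefixes and private ASNs stand in for PROSPERO's real prefixes and peers, which this page does not list), and it goes slightly beyond the page by also collapsing AS-path prepends and expanding AS_SET braces.

```python
"""
Report which upstream ASN a watched origin ASN is reached through, from a
"prefix AS_PATH" routing table snapshot. Mirrors the observation in this profile
that AS200593 (PROSPERO) appeared behind AS209030 (Kaspersky) from December 2024.
The RIB lines below are constructed samples, not a real table dump.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PROSPERO = 200593
PROTON66 = 198953
KASPERSKY = 209030


def parse_as_path(path: str) -> List[int]:
    """Parse an AS_PATH string, collapsing prepends and expanding AS_SET braces.

    "64496 209030 209030 200593" -> [64496, 209030, 200593]
    "64496 {64498,64499} 200593" -> [64496, 64498, 64499, 200593]
    """
    tokens = path.replace("{", " ").replace("}", " ").replace(",", " ").split()
    asns: List[int] = []
    for tok in tokens:
        asn = int(tok)
        if not asns or asns[-1] != asn:   # drop consecutive prepends of the same ASN
            asns.append(asn)
    return asns


def origin_and_upstream(path: str) -> Tuple[int, Optional[int]]:
    """Return (origin ASN, the ASN immediately before it) for one AS_PATH."""
    asns = parse_as_path(path)
    origin = asns[-1]
    upstream = asns[-2] if len(asns) >= 2 else None
    return origin, upstream


def upstreams_of(rib_lines, watched_asn: int) -> Dict[int, List[str]]:
    """Map each upstream ASN to the prefixes of watched_asn reached through it."""
    result: Dict[int, List[str]] = defaultdict(list)
    for line in rib_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, path = line.partition(" ")
        origin, upstream = origin_and_upstream(path)
        if origin == watched_asn and upstream is not None:
            if prefix not in result[upstream]:
                result[upstream].append(prefix)
    return dict(result)


def routed_via(rib_lines, watched_asn: int, transit_asn: int) -> List[str]:
    """Prefixes of watched_asn whose immediate upstream is transit_asn."""
    return upstreams_of(rib_lines, watched_asn).get(transit_asn, [])


# Constructed RIB snapshot: "<prefix> <AS_PATH>". The 203.0.113.0/24 and
# 198.51.100.0/24 entries are documentation-range placeholders for PROSPERO
# prefixes; 64496-64511 are private ASNs standing in for real neighbours.
# 193.143.1.0/24 is the PROTON66 range documented in this profile.
SAMPLE_RIB = """
# prefix           AS_PATH
203.0.113.0/24     64496 209030 209030 200593
203.0.113.0/24     64497 209030 200593
198.51.100.0/24    64496 {64498,64499} 200593
193.143.1.0/24     64496 64500 198953
192.0.2.0/24       64497 64510 64511
""".splitlines()

if __name__ == "__main__":
    for asn, prefixes in upstreams_of(SAMPLE_RIB, PROSPERO).items():
        print(f"AS{PROSPERO} prefixes via AS{asn}: {prefixes}")
    print("via Kaspersky:", routed_via(SAMPLE_RIB, PROSPERO, KASPERSKY))
```

Running the same function over snapshots taken before and after December 2024 is how a change of immediate upstream, such as the one reported for PROSPERO, shows up as a diff of the returned mapping.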

Resilience Features

The PROSPERO/PROTON66 dual-ASN architecture provides redundancy: operators can migrate client infrastructure between the two ASNs as one comes under increased scrutiny. Trustwave explicitly observed C2 operators (GootLoader, SpyNote) migrating between the two ASNs or simultaneously using both. Cycling of dormant or previously-clean IP addresses within existing ranges extends the useful life of the IP pool without requiring new allocations. Brand fluidity (Bearhost, Underground, Voodoo Servers) allows shedding reputational baggage while preserving the underlying client base and infrastructure. No fast-flux or anycast operations documented in available sources.

Hosted Activity Types

Activity Type | Named Instance / Evidence | Confidence
Ransomware infrastructure (Qilin) | Qilin's WikiLeaksV2 data-leak site; BPH branding visible on Qilin infrastructure; Resecurity identifies Bearhost/Underground/Voodoo as ghost BPH conglomerate node | Confirmed
Initial access broker C2 (SocGholish) | SocGholish fingerprinting scripts and C2 infrastructure hosted on PROTON66 (Intrinsec, 2023-2024) | Confirmed
Initial access broker C2 (GootLoader) | GootLoader C2 migrated from PROSPERO to PROTON66; observed on both ASNs (Intrinsec; Trustwave) | Confirmed
Loader infrastructure (FakeBat) | FakeBat screening and redirection scripts on same IPs as SocGholish (Intrinsec, 2024) | Confirmed
Android RAT C2 (SpyNote) | SpyNote C2 servers and phishing pages migrated from PROSPERO to PROTON66 (Intrinsec; Trustwave) | Confirmed
RAT C2 (XWorm) | XWorm binary hosting and C2 on 193.143.1.x (PROTON66); delivered via ZIP archive to Korean-speaking targets (Trustwave, April 2025) | Confirmed
Information stealer C2 (StrelaStealer) | StrelaStealer C2 at 193.143.1.205 (PROTON66); German-language phishing campaign (Trustwave, April 2025) | Confirmed
Ransomware C2 (WeaXor / Mallox variant) | WeaXor C2 at 193.143.1.139 (PROTON66); WeaXor is a revised Mallox variant (Trustwave, April 2025) | Confirmed
Android phishing (Google Play impersonation) | Compromised WordPress sites on 91.212.166.21 redirecting Android users to fake Google Play pages targeting French, Spanish, and Greek speakers (Trustwave, April 2025) | Confirmed
SMS spam / bank phishing | Multiple SMS campaigns leading to bank login phishing domains on PROSPERO and PROTON66; Coper/Octo Android spyware deployment via some campaigns (Intrinsec, 2023-2024) | Confirmed
CVE exploitation campaigns | PROTON66 (193.143.1.65) exploiting CVE-2025-0108 (Palo Alto PAN-OS), CVE-2024-41713 (Mitel MiCollab), CVE-2024-10914 (D-Link NAS), CVE-2024-55591 and CVE-2025-24472 (Fortinet FortiOS); Fortinet flaws linked to IAB "Mora_001" delivering SuperBlack ransomware (Trustwave, April 2025) | Confirmed

Blocklist Standing

Source / List | Status | Notes
Spamhaus SBL/XBL | Listed (Confirmed) | Spamhaus publicly recommended blocking the entire PROSPERO AS network (February 2025, cited by Krebs). The Interisle Consulting Group's analysis ranked PROSPERO as having the highest spam score of any hosting provider in their dataset. Bearhost explicitly advertises ignoring Spamhaus in forum ads.
Spamhaus DROP / eDROP | Probable | AS200593 and AS198953 meet DROP criteria (criminal-leased netblocks with documented BPH activity). Specific DROP list entries not confirmed in open sources.
abuse.ch Feodo Tracker | Probable | Documented botnet and ransomware C2 activity (WeaXor, XWorm, StrelaStealer) on 193.143.1.x and other PROTON66 ranges makes Feodo Tracker entries highly likely. Specific first-listing dates and entry IDs not publicly enumerated for this cluster.
abuse.ch URLhaus | Probable | Malware delivery and phishing URL distribution on PROTON66/PROSPERO ranges. abuse.ch's LinkedIn post referencing Kaspersky-PROSPERO routing confirms abuse.ch monitors and documents this infrastructure.
abuse.ch MalwareBazaar | Probable | XWorm and WeaXor samples served from PROTON66 IPs documented by Trustwave suggest MalwareBazaar entries exist for associated hashes.
Firehol Level 1/2 | Probable | Firehol as an aggregator would include PROTON66/PROSPERO IP ranges given documented activity and Spamhaus listing. Not specifically confirmed in reporting.

Summary: PROSPERO's blocklist status is the most explicitly documented: Spamhaus has publicly recommended AS-level blocking, and the operator explicitly advertises ignoring Spamhaus. PROTON66's documented malware C2 and exploitation activity makes abuse.ch and Firehol listings highly probable. The provider's explicit business model is predicated on immunity from blocklist pressure.

Known Weaknesses

The dual-ASN architecture concentrates reputation risk across two named Russian entities, both of which are now widely known to the security community. The Kaspersky routing episode (December 2024) suggests PROSPERO may be seeking transit options to reduce visibility, potentially indicating pressure from prior transit providers. Chang Way Technologies (HK) as a probable affiliated provider represents a possible Western-reachable enforcement point if the relationship can be confirmed and documented. The operator's reliance on forum advertising creates documented evidence trails even without infrastructure seizures.

Financial Infrastructure

Payment Methods

Cryptocurrency-only payments are standard for BPH services of this type and are consistent with the operator's anonymous onboarding model. Specific accepted cryptocurrencies (Bitcoin, Monero, USDT, etc.) are not enumerated in available open sources. The forum advertising posture strongly implies anonymity-preserving payment channels. No fiat, wire transfer, or e-money options documented.

Wallet Clusters and Designated Addresses

Intelligence Gap: No on-chain addresses attributed to Bearhost, PROSPERO OOO, PROTON66 OOO, or the Bearhost operator are confirmed in open sources as of June 2026. No OFAC, UK FCDO, or other sanctions authority has designated cryptocurrency addresses associated with this cluster. TRM Labs, Chainalysis, and Elliptic have not published entity-specific on-chain analyses for this cluster in available public reporting.

On-Chain Activity: Three-Phase Model (Inferred)

Phase 1 — Acquisition (Service Fees Inbound)

Analyst Inference: Bearhost/PROSPERO/PROTON66 receives hosting service payments from ransomware operators, malware C2 operators, and other criminal clients via cryptocurrency. Confirmed client base (Qilin, SocGholish, GootLoader, XWorm, WeaXor operators) implies a recurring fee structure. Specific inbound wallet addresses and transaction volumes are unknown.

Phase 2 — Layering

Analyst Inference: Funds are presumed to move through intermediary wallets and potentially mixing services consistent with standard cybercriminal money handling. No on-chain analysis published for this cluster.

Phase 3 — Extraction

Analyst Inference: Cash-out methodology unknown. Unlike ZServers, no financial institution or exchange has been documented as a cash-out vehicle for this operator. The absence of OFAC or financial intelligence designation as of June 2026 limits the available evidence base.

Sanctions and Risk Designations

Authority | Status | Notes
OFAC (US) SDN | No designation | Neither PROSPERO OOO, PROTON66 OOO, nor any associated individual appears on the SDN list as of June 2026
UK FCDO Cyber Sanctions | No designation | Neither entity nor operators designated
EU Official Journal | No designation | Not designated
AU DFAT | No designation | Not designated
TRM Labs / Chainalysis / Elliptic | No published analysis | No entity-specific risk ratings or on-chain reports identified in open sources

The absence of sanctions against PROSPERO/PROTON66 operators, despite documented multi-year service to ransomware and criminal clients, represents a significant gap relative to the ZServers/XHost precedent (OFAC CYBER3, February 2025). This absence limits financial-channel disruption options and makes the operator harder to pursue through Western legal mechanisms.

Client Profile and Hosted Operations

Crimeware Verticals by Evidence Tier

Category | Named Clients / Malware | Evidence Basis | Classification
Ransomware (Qilin) | Qilin ("Agenda" variant) | Resecurity: WikiLeaksV2 leak site hosted on infrastructure in Bearhost conglomerate; Bearhost BPH branding visible on Qilin's data-leak site. Multiple outlets corroborate via Resecurity. | Confirmed
Initial access broker (SocGholish) | SocGholish | Intrinsec: SocGholish fingerprinting scripts hosted on PROTON66; "hosts a major part of its infrastructure on Proton66" | Confirmed
Initial access broker (GootLoader) | GootLoader | Intrinsec: GootLoader C2 servers moved from PROSPERO to PROTON66; Trustwave corroborates | Confirmed
Loader (FakeBat) | FakeBat | Intrinsec: FakeBat screening/redirection scripts on same IPs as SocGholish | Confirmed
Android RAT (SpyNote) | SpyNote | Intrinsec: SpyNote C2 and phishing pages; Trustwave corroborates | Confirmed
RAT (XWorm) | XWorm | Trustwave SpiderLabs: XWorm C2 on 193.143.1.x; multi-stage delivery chain documented | Confirmed
Information stealer (StrelaStealer) | StrelaStealer | Trustwave SpiderLabs: StrelaStealer C2 at 193.143.1.205; German-language phishing | Confirmed
Ransomware / RaaS variant (WeaXor) | WeaXor (Mallox variant) | Trustwave SpiderLabs: WeaXor C2 at 193.143.1.139; WeaXor is a revised version of Mallox ransomware | Confirmed
Android spyware (Coper/Octo) | Coper (a.k.a. Octo) | Intrinsec: SMS spam phishing campaigns on PROTON66 deploying Coper/Octo via Android spyware pages | Confirmed
IAB (Mora_001 / SuperBlack) | Mora_001 IAB; SuperBlack ransomware | Trustwave: Fortinet CVE exploitation from PROTON66 attributed to IAB Mora_001 delivering SuperBlack ransomware (single source) | Credible
Ransomware (Mallox broader family) | Mallox affiliates | Indirect: WeaXor is a Mallox variant; Intrinsec notes multiple ransomware gangs over two years on PROSPERO; Trustwave documents Mallox-family activity | Credible
Phishing / fraud (multi-target) | Multiple unnamed actors | Intrinsec: SMS bank-phishing targeting citizens of multiple countries; fake bank login templates; Trustwave: fake Google Play pages (French, Spanish, Greek speakers) | Confirmed

Client Geography

Targets are global with no documented CIS exclusion clause. Confirmed victim-country targeting includes: Germany (StrelaStealer campaign), Korea (XWorm delivery chain), France, Spain, and Greece (Android Google Play phishing), and multiple unspecified countries (bank SMS phishing, Qilin victims). No geographic restriction on clients or victims is documented.

Asahi Group Holdings (Japan) was explicitly named as a Qilin victim in Resecurity reporting on the ghost BPH conglomerate, providing a confirmed example of a Fortune 500-scale organization targeted via infrastructure hosted in this cluster. [1]

Notable Hosted Cases

Qilin Ransomware — WikiLeaksV2 Leak Site (Confirmed)

Resecurity documented that Qilin ransomware's data-leak site ("WikiLeaksV2") was hosted on IP 31.41.244.100, associated with Red Bytes LLC (a Russian provider linked to St. Petersburg) under domain networkmaze[.]hk. Bearhost branding was visible on the same infrastructure. Resecurity describes Bearhost (as Underground and Voodoo Servers) as part of the "ghost BPH conglomerate" supporting Qilin, which attacked Asahi Group Holdings among other targets. [1]

PROTON66 CVE Exploitation Surge — January 2025 Onward (Confirmed)

Trustwave SpiderLabs documented a sustained surge of mass scanning, brute-forcing, and critical CVE exploitation originating from PROTON66 IP ranges beginning January 8, 2025. Exploited vulnerabilities included authentication bypasses in Palo Alto PAN-OS and Fortinet FortiOS, a command injection in D-Link NAS, and input validation bypass in Mitel MiCollab. The Fortinet FortiOS exploitation was attributed to IAB Mora_001, delivering SuperBlack ransomware. [3]

State Nexus Assessment

Assessment: Tier 2 — Tolerated Safe Harbor

Tier 2 Assessment Basis

The Russian state is assessed to be aware of PROSPERO/PROTON66 operations and to refrain from enforcement or prosecution of their operators, despite years of documented criminal hosting activity and significant international scrutiny. This constitutes tolerated safe harbor. No public evidence supports active operational cooperation, tasking, or direct protection beyond passive non-enforcement.

Both PROSPERO OOO and PROTON66 OOO are registered Russian legal entities. Their operators are assessed as Russian nationals operating from Russia. No Russian criminal proceedings against the operators appear in open sources despite documented multi-year ransomware, malware C2, and phishing hosting. The broader pattern of Russian tolerance for cybercrime infrastructure operators (ZServers, Aeza Group, and others) is well-documented in Western government statements and supports the Tier 2 assessment for this cluster. [2][4]

Analyst Inference: The Kaspersky routing episode (December 2024 onward) may represent a deliberate effort by PROSPERO to obtain transit through a Russian entity with implicit state protection, rather than a coincidence. However, this remains speculative absent evidence of coordination or state involvement in the routing arrangement.

Negative Evidence (Tier 3/4 Not Supported)

Analyst Inference No open-source reporting documents tasking, shared infrastructure with state actors, or direct protection of the PROSPERO/PROTON66 operators; the Tier 2 finding therefore rests on non-enforcement alone. The possibility that classified IC holdings contain Tier 3/4 evidence cannot be excluded. The Kaspersky routing arrangement warrants monitoring as a potential indicator of elevated state protection if it proves durable and intentional.

Jurisdictional Separation

Entity Registration
Russia
PROSPERO OOO — Russian LLC (AS200593)
Russia
PROTON66 OOO — Russian LLC (AS198953)
Infrastructure Hosting
Russia (Assessed)
Primary hosting jurisdiction inferred from OOO entity structure; no specific data center locations confirmed
Hong Kong (Possible)
Chang Way Technologies identified by Trustwave as likely related HK provider (credible, single source)
Operator Location
Unknown
Russia assessed based on entity registration, Russian-language forum activity, and regional peering structure
No confirmed name, address, or DOB for operator in open sources

Compared to ZServers, Bearhost/PROSPERO/PROTON66 presents a less favorable target for Western LE action: no confirmed Western infrastructure (no EU data centers to seize), no UK front company, and no named/identified operators. The entirely Russian jurisdictional footprint concentrates enforcement friction in a non-cooperating jurisdiction.

Law Enforcement and Regulatory Response

Arrests, Indictments, and Criminal Charges

As of June 2026, no US DOJ indictment, UK CPS charges, EU member-state charges, or Russian criminal proceedings against operators of Bearhost, PROSPERO OOO, or PROTON66 OOO are confirmed in open sources. No public arrests. No sealed indictments confirmed (though cannot be excluded). This represents a significant contrast to ZServers/XHost, which was sanctioned and had servers seized in February 2025.

Infrastructure Seizures

No seizures confirmed as of June 2026. Unlike ZServers' Amsterdam infrastructure (concentrated in a Dutch data center), PROSPERO/PROTON66's physical infrastructure has not been publicly located in a Western-accessible jurisdiction. The absence of a known colocation facility in a cooperative country has prevented the type of server seizure executed against ZServers.

Sanctions Actions

No OFAC, UK FCDO, EU, or AU DFAT sanctions against PROSPERO OOO, PROTON66 OOO, or any named associated individuals. The gap between documented criminal activity and absence of sanctions may reflect: (1) ongoing law enforcement investigation with sanctions pending; (2) insufficient attribution to named/identifiable individuals; or (3) lower perceived priority relative to other targets. The ZServers OFAC action (February 2025) demonstrates that Russian BPH providers can be sanctioned under CYBER3; the absence here is analytically notable.

Informal Pressure and Reputational Actions

Spamhaus AS-Level Block Recommendation (February 2025)

Spamhaus publicly recommended blocking the entire PROSPERO (AS200593) network, representing the most aggressive informal blocklist posture short of law enforcement action. Krebs on Security covered this as part of the Kaspersky-PROSPERO routing story, amplifying reputational pressure on both PROSPERO and Kaspersky Lab. [4]

Kaspersky Routing Controversy (December 2024 onward)

PROSPERO's routing through Kaspersky Lab (AS209030) drew scrutiny from Krebs on Security, Spamhaus, and Silent Push. Kaspersky issued a public denial. The episode created reputational risk for Kaspersky and highlighted PROSPERO's infrastructure positioning, but did not result in de-peering or other operational disruption as of June 2026. [4]

Post-Disruption Client Migration

No disruption has occurred. The "exit scam" associated with the Bearhost/Voodoo brand (g0njxa X post, May 2025) represents a voluntary brand transition by the operator, not a forced disruption. Clients appear to have migrated toward Securehost (assessed acquirer) or other available BPH providers. The underlying infrastructure (PROSPERO/PROTON66) continues to serve new clients independently of the Bearhost brand transition.

Connected Groups and Ecosystem Relationships

Each entity carries two independent confidence assessments: Tier 1 (infrastructure relationship) and Tier 2 (operational relationship). These are analytically distinct claims requiring separate evidence bases and are never collapsed into a single label.

Qilin Ransomware
Ransomware-as-a-Service // Russia-linked // Active as of mid-2026
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Confirmed
Tier 2 — Operational: Credible
Tier 1: Resecurity documented Qilin's WikiLeaksV2 data-leak site hosted on IP 31.41.244.100 (Red Bytes LLC, St. Petersburg) under domain networkmaze[.]hk. Bearhost branding was visible on the same infrastructure platform. Several outlets (BankInfoSecurity, CyberPress, GBHackers) report the same finding; their coverage is based on Resecurity's research rather than independent observation, so corroboration is at the reporting level. Resecurity explicitly names "BEARHOST Servers, also known as Underground and Voodoo Servers" as part of the ghost BPH conglomerate supporting Qilin.

Tier 2: Resecurity's framing of a "ghost BPH conglomerate" with Qilin implies at minimum awareness and coordination at the infrastructure-booking level. Bearhost branding on Qilin's leak site goes beyond passive hosting and suggests a commercial relationship acknowledged by Qilin. However, no evidence of joint operational planning, shared personnel, or deeper coordination is documented.
Resecurity — Corroborates; BankInfoSecurity — Corroborates; CyberPress — Corroborates; GBHackers — Corroborates
SocGholish
Initial Access Broker // Active // Fake browser update delivery mechanism
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Confirmed
Tier 2 — Operational: Analyst Inference
Tier 1: Intrinsec confirms SocGholish "hosts a major part of its infrastructure on Proton66," using PROTON66 for fingerprinting scripts embedded in compromised websites. Trustwave corroborates SocGholish activity on PROTON66. Multiple sources converge.

Tier 2: No evidence of operational coordination between SocGholish operators and Bearhost/PROSPERO/PROTON66 operator beyond a standard BPH client-provider relationship.
Intrinsec — Corroborates; Trustwave — Corroborates
GootLoader
Initial Access Broker // Active // JavaScript-based loader via SEO poisoning
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Confirmed
Tier 2 — Operational: Analyst Inference
Tier 1: Intrinsec documents GootLoader migrating C2 servers from PROSPERO to PROTON66, and using both ASNs simultaneously. Trustwave corroborates GootLoader activity on PROTON66. The migration between the two ASNs indicates that GootLoader's operators treat the two networks as a single interoperable infrastructure pool.

Tier 2: No evidence of operational coordination beyond hosting.
Intrinsec — Corroborates; Trustwave — Corroborates; Krebs on Security — Corroborates
FakeBat
Malware Loader // Active // Infected websites delivering via fake browser updates
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Confirmed
Tier 2 — Operational: Analyst Inference
Tier 1: Intrinsec documents FakeBat using the same PROTON66 IPs as SocGholish for screening and redirection scripts. The co-hosting with SocGholish on identical IPs confirms FakeBat's use of PROTON66 infrastructure.

Tier 2: No evidence beyond hosting relationship.
Intrinsec — Corroborates
XWorm, StrelaStealer, WeaXor (Mallox variant)
RAT, information stealer, and ransomware — documented on PROTON66 193.143.1.0/24 as of early 2025
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Confirmed
Tier 2 — Operational: Analyst Inference
Tier 1: Trustwave SpiderLabs documents all three on 193.143.1.x (PROTON66): XWorm C2 and payload delivery; StrelaStealer C2 at 193.143.1.205; WeaXor C2 at 193.143.1.139. Documented as active January through April 2025. Single vendor source but methodologically strong (network-level observation).

Tier 2: No evidence of operational coordination with Bearhost operator beyond standard client-provider relationship.
Trustwave — Single Source
SpyNote (Android RAT)
Android remote access trojan // Active // Deployed via phishing pages
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Confirmed
Tier 2 — Operational: Analyst Inference
Tier 1: Intrinsec documents SpyNote C2 servers and phishing pages migrating from PROSPERO to PROTON66, using both ASNs. Domains hosting SpyNote phishing pages had previously been used for AnyDesk- and LiveChat-themed phishing campaigns on both ASNs. Trustwave corroborates SpyNote activity on PROTON66.

Tier 2: No evidence beyond hosting.
Intrinsec — Corroborates; Trustwave — Corroborates
Securehost
Bulletproof Hosting Provider // Assessed acquirer of Bearhost brand and assets
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Credible
Tier 2 — Operational: Credible
Tier 1: Intrinsec assesses Securehost to be "the present operator of both PROSPERO OOO and Proton66 OOO," implying direct infrastructure overlap or takeover. Both Securehost and Bearhost were advertised on the same Russian underground forums and hosted on the same ASNs (PROSPERO, PROTON66). The Telegra.ph forum dispute thread alleges Securehost hijacked Bearhost's Telegram channel and brand elements, consistent with an acquisition scenario. Intrinsec — Single Source for 'present operator' claim

Tier 2: Analyst assessment [Internal] holds that Securehost acquired the Bearhost operation from the Voodoo operator. If confirmed, this constitutes a transactional operational relationship extending beyond passive co-hosting. The forum drama (Telegra.ph) supports a business dispute, consistent with a contested or adversarial acquisition.
Intrinsec — Primary Attribution; Canary Trap — References tie; Krebs on Security — References tie
Chang Way Technologies
Hong Kong-based hosting provider // Probable infrastructure affiliate
Two-Tier Confidence Assessment
Tier 1 — Infrastructure: Credible (Single Source)
Tier 2 — Operational: Analyst Inference
Tier 1: Trustwave SpiderLabs recommends blocking Chang Way Technologies CIDR ranges "alongside" PROTON66, describing it as a "likely related Hong Kong-based provider." The specific nature of the relationship (customer, reseller, partner, or front entity) is not documented. Single Source

Tier 2: No evidence of operational coordination beyond assessed infrastructure relationship. HK jurisdiction would provide a non-Russian enforcement jurisdiction if connection is confirmed and legally actionable.
Trustwave — Single Source

Trajectory Assessment

Historical Market Position

Bearhost/Underground/Voodoo Servers occupies a meaningful structural position in the Russia/CIS-linked ransomware and cybercrime ecosystem, primarily as the commercial brand layer over the PROSPERO/PROTON66 infrastructure backbone. Resecurity's "ghost BPH conglomerate" framing and the Qilin hosting relationship indicate the service attracts high-value ransomware clients. The Intrinsec research (shared internally in July 2023, published November 2024) indicates at least two years of sustained analyst visibility, and the PROTON66 CVE exploitation surge in early 2025 confirms the infrastructure remains actively weaponized. Unlike ZServers, Bearhost/PROSPERO/PROTON66 has not attracted a coordinated multilateral sanctions response.

Infrastructure Churn and Brand Fluidity

The Bearhost cluster demonstrates above-average resilience through: (1) dual-ASN architecture providing IP-pool redundancy; (2) brand cycling (Bearhost, Underground, Voodoo Servers) to manage reputational pressure; (3) deliberate cycling of dormant or previously-clean IP space documented by Trustwave (January 2025); and (4) brand asset transfer to Securehost to preserve client continuity while the original operator reduces exposure. The Kaspersky routing arrangement may represent a further resilience play, obtaining transit through an entity with implicit Russian state protection.

Disruption History and Timeline

~2019 (at latest)
Bearhost brand confirmed visible on Russian underground forums, advertising botnets, malware, brute-force, scanning, phishing, with explicit ignore-all-abuses posture including Spamhaus.
July 2023 (internal; public Nov 2024)
Intrinsec internally documents PROSPERO/PROTON66 linkage to Bearhost/Underground brand and assesses common Russian national operator. This research is shared with clients July 2023 and published publicly November 20, 2024.
November 20, 2024
Intrinsec publishes "PROSPERO and Proton66: Uncovering the links between bulletproof networks," publicly exposing the dual-ASN architecture, Bearhost/Underground branding, and Securehost connection.
December 2024
PROSPERO (AS200593) begins routing through Kaspersky Lab (AS209030). Relationship tracked by Doug Madory (Kentik) and later reported by Krebs on Security.
January 8, 2025
Surge in mass scanning, brute-forcing, and CVE exploitation from PROTON66 IP ranges first detected by Trustwave SpiderLabs. Multiple previously-dormant IPs activated for malicious use.
February 28, 2025
Krebs on Security / Coastline Cyber publish story on PROSPERO routing through Kaspersky Lab. Spamhaus confirms AS-level block recommendation for PROSPERO. Kaspersky denies intentional service relationship. abuse.ch corroborates.
April 2025
Trustwave SpiderLabs publishes two-part analysis of PROTON66 exploitation campaigns (January–April 2025), documenting XWorm, StrelaStealer, WeaXor, SpyNote, SocGholish, GootLoader, and Android phishing campaigns on 193.143.1.0/24 and other PROTON66 ranges.
May 2025
g0njxa posts on X: "Bearhost (aka UNDERGROUND and recently VOODOO SERVERS)" conducted an exit scam after "several years of service." This post confirms the Underground/Voodoo Servers identity chain and the brand transition.
~Q4 2025 (approx; Resecurity)
Resecurity publishes "Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate," explicitly naming Bearhost Servers (also known as Underground and Voodoo Servers) as a ghost BPH node supporting Qilin. Qilin's WikiLeaksV2 site traced to Red Bytes LLC infrastructure with Bearhost branding. The report references Qilin's late-September 2025 attack on Asahi Group Holdings, so it post-dates that incident.
June 2026 (current)
PROSPERO (AS200593) and PROTON66 (AS198953) remain active. No sanctions, no seizures, no indictments confirmed. Bearhost brand assessed in transition to Securehost. Infrastructure continues serving criminal clients.

Current Market Position

PROSPERO/PROTON66 remains one of the more durable BPH infrastructure clusters in the Russian cybercrime ecosystem, having survived public exposure (Intrinsec 2024), sustained scrutiny (Krebs, Spamhaus, Trustwave, Resecurity), and a brand-level disruption (Bearhost/Voodoo exit scam) without incurring law enforcement action. Its entirely Russian jurisdictional footprint, lack of named/sanctioned operators, and the Kaspersky routing arrangement combine to make near-term coordinated disruption less likely than it was for ZServers.

Trajectory Direction

Active — Moderate Disruption Risk: Elevated but Not Imminent. The infrastructure cluster is resilient and continues to operate. The brand transition to Securehost is not a disruption; it preserves client and brand continuity. The most plausible disruption vectors in the near-to-medium term are: (1) OFAC CYBER3 designation once operators are identified; (2) coordinated Europol, Spamhaus and transit-provider de-peering action; or (3) Russian law enforcement action under a bilateral arrangement, which is unlikely without significant geopolitical change. The probability of LE action without prior identification of the operator is very low. Intrinsec attributes the operation to a "common Russian national" without a full public dox, which limits the available pressure levers.

Intelligence Gaps

1. Human operator identity

No public name, handle, date of birth, or verified location for the Russian national Intrinsec identifies as the PROSPERO/PROTON66 operator. This is the most critical gap: without operator attribution, OFAC designation and criminal indictment are impractical. Close with: forum archive analysis, passive DNS pivots, RIPE historical registration data, vendor intelligence on registered Bearhost-era Telegram/Jabber accounts.

2. Full ASN and IP inventory

PROTON66 IP ranges documented by Trustwave (45.135.232.0/24, 45.140.17.0/24, 193.143.1.0/24, 91.212.166.0/24) may not represent the full allocation. PROSPERO IP ranges not enumerated in available open sources. Close with: RIPE WHOIS full allocation history; BGP routing feeds; abuse.ch dataset correlation.
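Closing this gap starts with the route objects each ASN registers: an inverse-origin query returns every route/route6 object claiming the ASN as origin, and the prefixes not already on the documented list are the ones to investigate. The block below is an added example, not code from Intrinsec, Trustwave or RIPE. The RPSL text is constructed in the shape an inverse origin query returns (for instance `whois -h whois.radb.net -- '-i origin AS198953'`); the 198.18.x prefixes are RFC 2544 benchmark space standing in for unknown announcements, and EXAMPLE-MNT is a placeholder maintainer. Only AS198953 and the four documented /24s come from the page.

```python
"""
Enumerate the prefixes an ASN originates from RPSL route objects and diff them
against the ranges already documented, to find announced-but-undocumented space.

Added example for the "full ASN and IP inventory" gap; not code from any vendor
report. The RPSL text below is constructed in the shape returned by an inverse
origin query (e.g. `whois -h whois.radb.net -- '-i origin AS198953'`); the 198.18.x
prefixes are RFC 2544 benchmark space used as fake entries and EXAMPLE-MNT is a
placeholder. Only AS198953 and the four documented /24s come from the page.
"""
import ipaddress

PROTON66_ASN = "AS198953"
DOCUMENTED = [ipaddress.ip_network(p) for p in (
    "45.135.232.0/24", "45.140.17.0/24", "193.143.1.0/24", "91.212.166.0/24")]

# Constructed sample; real output carries more attributes and many more objects.
SAMPLE_RPSL = """\
% constructed banner line, as a whois server would emit

route:          45.135.232.0/24
descr:          constructed sample object
origin:         AS198953
mnt-by:         EXAMPLE-MNT
source:         RIPE

route:          193.143.1.0/24
descr:          constructed sample object
                with a continuation line
origin:         AS198953
source:         RIPE

route:          198.18.3.0/24
descr:          constructed: announced but not in the documented list
origin:         AS198953
source:         RADB

route:          198.18.4.0/24
descr:          constructed: different origin, must be ignored
origin:         AS64500
source:         RADB
"""


def parse_rpsl(text):
    """Split RPSL text into objects (dicts of attribute -> value).
    Blank lines separate objects; lines starting with whitespace or '+' continue
    the previous attribute; repeated attributes are joined with newlines;
    '%' and '#' comment/banner lines are ignored."""
    objects, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if raw[0] in "%#":
            continue
        if raw[0] in " \t+" and last_key:
            current[last_key] += " " + raw.lstrip(" \t+").strip()
            continue
        if ":" not in raw:
            continue  # tolerate stray noise rather than abort the sweep
        key, value = raw.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        current[key] = f"{current[key]}\n{value}" if key in current else value
        last_key = key
    if current:
        objects.append(current)
    return objects


def prefixes_for_origin(text, asn):
    """Return the set of valid prefixes from route/route6 objects with the given origin."""
    found = set()
    for obj in parse_rpsl(text):
        if obj.get("origin", "").upper() != asn.upper():
            continue
        prefix = obj.get("route") or obj.get("route6")
        if not prefix:
            continue
        try:
            found.add(ipaddress.ip_network(prefix, strict=False))
        except ValueError:
            continue  # malformed object; skip it
    return found


def undocumented_prefixes(announced, documented=DOCUMENTED):
    """Prefixes not equal to or inside any documented range, collapsed per address
    family and returned as strings."""
    extra = [p for p in announced
             if not any(p.version == d.version and p.subnet_of(d) for d in documented)]
    v4 = ipaddress.collapse_addresses([p for p in extra if p.version == 4])
    v6 = ipaddress.collapse_addresses([p for p in extra if p.version == 6])
    return sorted(str(p) for p in list(v4) + list(v6))


if __name__ == "__main__":
    announced = prefixes_for_origin(SAMPLE_RPSL, PROTON66_ASN)
    print("announced:", sorted(map(str, announced)))
    print("undocumented:", undocumented_prefixes(announced))
```

Route objects record intent, not reality: a prefix can be announced without an object, or registered and never announced. Pair this with a routing-table view (a BGP collector or RIPE's routing data) and treat the union as the inventory, and run both PROSPERO (AS200593) and PROTON66 (AS198953) through it, since the page documents clients moving freely between the two.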

3. Chang Way Technologies relationship

Nature of the PROTON66-Chang Way Technologies relationship (customer, reseller, front entity) not established. HK jurisdiction provides a potential non-Russian enforcement hook if the relationship is documented. Close with: Hong Kong company registry lookup for Chang Way Technologies; RIPE WHOIS for their ASN; BGP peering data; vendor infrastructure mapping.

4. On-chain financial data

No cryptocurrency wallets or on-chain flows attributed to Bearhost, PROSPERO OOO, or PROTON66 OOO in available open sources. Without this, the financial disruption lever (OFAC designation of wallets, tracking client payments) is unavailable. Close with: TRM Labs or Chainalysis entity-specific analysis; blockchain tracing from known Qilin payment flows back through hosting service fees.

5. Exact Bearhost/Securehost acquisition terms

Transaction details of the Bearhost brand/asset sale to Securehost: dates, consideration, specific assets transferred, legal entities involved. Close with: closed-source forum data; analyst insight [Internal]; law enforcement access to forum operator records.

6. Bearhost pricing, payment infrastructure, and client portal

No confirmed price lists, payment wallet addresses, client portal URLs, or panel domains. Close with: forum archive scraping; vendor underground monitoring; honeypot engagement.

7. Tunahost and Foxy Servers connection

These brands are cited as possible related entities or successors but lack confirmed linkage to PROSPERO/PROTON66 in open sources. Confidence: Low. Close with: forum co-mentions, domain/IP overlap analysis, wallet reuse correlation.

8. RIPE registration details for PROSPERO and PROTON66

Registered name, abuse contact, technical contact organization, and full RIPE allocation history for AS200593 and AS198953. Could not be independently verified during this research cycle due to API timeouts. Close with: direct RIPE WHOIS query; NTT RADB lookup.

9. Kaspersky routing arrangement intent

Whether the PROSPERO-Kaspersky transit relationship is intentional (a DDoS protection contract or other deliberate business arrangement) or incidental (a BGP leak, or indirect transit through an intermediary). Resolving this is material to the state nexus assessment. Close with: Kaspersky customer disclosures; BGP monitoring over time; RIPE routing data.
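"BGP monitoring over time" reduces to one repeatable measurement: for every prefix PROSPERO originates, which AS is adjacent to the origin in the observed paths, and what share of paths go through AS209030. A leak shows up once, from few vantage points, then disappears; a transit contract shows up as a stable adjacency across collectors and weeks. The block below is an added example, not code from Kentik, Krebs or any report cited here. The rows are constructed in the pipe-separated TABLE_DUMP2 layout that `bgpdump -m` emits; peer addresses and prefixes are RFC 5737/2544 documentation space and the other ASNs are RFC 5398 documentation ASNs, so no row describes a real adjacency. Only AS200593 and AS209030 come from the page.

```python
"""
From a routing-table text dump, list which ASes sit directly upstream of
PROSPERO (AS200593) and what share of observed paths transit Kaspersky Lab
(AS209030). Repeating this over dated dumps shows whether the arrangement is
durable (consistent upstream) or transient (seen once from few vantage points).

Added example, not from Kentik, Krebs or any report cited here. Rows are
constructed in the `bgpdump -m` TABLE_DUMP2 layout
(type|time|B|peer_ip|peer_as|prefix|as_path|origin|next_hop|...); peers and
prefixes use RFC 5737/2544 documentation space and RFC 5398 documentation ASNs.
Only the two ASNs come from the page.
"""
from collections import Counter, defaultdict

PROSPERO_ASN = 200593
KASPERSKY_ASN = 209030

SAMPLE_DUMP = """\
TABLE_DUMP2|1733011200|B|192.0.2.1|64496|198.18.0.0/24|64496 64510 209030 200593|IGP|192.0.2.1|0|0||NAG||
TABLE_DUMP2|1733011200|B|192.0.2.2|64497|198.18.0.0/24|64497 64511 209030 200593|IGP|192.0.2.2|0|0||NAG||
TABLE_DUMP2|1733011200|B|192.0.2.3|64498|198.18.1.0/24|64498 64510 64500 200593|IGP|192.0.2.3|0|0||NAG||
TABLE_DUMP2|1733011200|B|192.0.2.4|64499|198.18.1.0/24|64499 {64500,64501} 200593|IGP|192.0.2.4|0|0||NAG||
TABLE_DUMP2|1733011200|B|192.0.2.5|64496|203.0.113.0/24|64496 64510 64502|IGP|192.0.2.5|0|0||NAG||
TABLE_DUMP2|1733011200|B|192.0.2.6|64496|198.18.2.0/24|64496 200593 200593 200593|IGP|192.0.2.6|0|0||NAG||
not a dump row
"""


def parse_as_path(field):
    """Tokenise an AS_PATH, keeping AS_SETs ('{a,b}') as single opaque tokens and
    collapsing consecutive repeats (path prepending) so adjacency is not inflated."""
    tokens = [tok if tok.startswith("{") else int(tok) for tok in field.split()]
    collapsed = []
    for t in tokens:
        if not collapsed or collapsed[-1] != t:
            collapsed.append(t)
    return collapsed


def upstreams_of(dump_text, origin_asn):
    """For prefixes originated by origin_asn, count the AS adjacent to the origin
    in each observed path. Returns (Counter upstream -> path count,
    dict upstream -> sorted prefixes seen through it)."""
    counts = Counter()
    prefixes = defaultdict(set)
    for line in dump_text.splitlines():
        parts = line.split("|")
        if len(parts) < 7 or parts[0] != "TABLE_DUMP2":
            continue
        prefix, path = parts[5], parse_as_path(parts[6])
        if not path or path[-1] != origin_asn:
            continue  # not originated by the AS of interest
        # A one-element path means the collector's peer is the origin itself.
        upstream = path[-2] if len(path) > 1 else "direct-peer"
        counts[upstream] += 1
        prefixes[upstream].add(prefix)
    return counts, {k: sorted(v) for k, v in prefixes.items()}


def kaspersky_share(dump_text):
    """Fraction of observed paths to PROSPERO prefixes whose last hop before the
    origin is AS209030; 0.0 when no PROSPERO prefixes are present."""
    counts, _ = upstreams_of(dump_text, PROSPERO_ASN)
    total = sum(counts.values())
    return counts[KASPERSKY_ASN] / total if total else 0.0


if __name__ == "__main__":
    counts, prefixes = upstreams_of(SAMPLE_DUMP, PROSPERO_ASN)
    for asn, n in counts.most_common():
        print(f"upstream {asn}: {n} path(s), prefixes {prefixes[asn]}")
    print(f"share via AS{KASPERSKY_ASN}: {kaspersky_share(SAMPLE_DUMP):.2f}")
```

An AS_SET adjacent to the origin (aggregated routes) is reported as an opaque token rather than guessed at, and prepending is collapsed so a single upstream is not counted as several. Run over daily dumps from more than one collector, a Kaspersky share that stays near 1.0 for weeks is evidence for a deliberate arrangement; a share that spikes and vanishes is consistent with a leak.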

10. Full ransomware client roster beyond Qilin

Intrinsec notes "multiple ransomware gangs over the past two years" on PROSPERO without naming them beyond Qilin. The WeaXor/Mallox connection and the Mora_001/SuperBlack CVE exploitation expand the known set but do not enumerate it. Close with: Intrinsec full dataset access; law enforcement technical annexes; extended Trustwave campaign analysis.

Developments (2024–June 2026)

November 20, 2024
Intrinsec publishes "PROSPERO and Proton66: Uncovering the links between bulletproof networks" — the foundational public attribution document linking PROSPERO (AS200593) and PROTON66 (AS198953) to a common Russian operator promoting Bearhost and Underground brands. Research originally shared with clients July 2023.
February 28, 2025
Krebs on Security / Coastline Cyber publish "Notorious Malware, Spam Host 'Prospero' Moves to Kaspersky Lab," documenting PROSPERO's routing through Kaspersky Lab (AS209030) beginning December 2024. Spamhaus recommends AS-level block for PROSPERO. Kaspersky denies intentional relationship. Doug Madory (Kentik) confirms routing arrangement.
April 21, 2025
Trustwave SpiderLabs publishes two-part analysis: "Proton66 Part 1: Mass Scanning and Exploit Campaigns" and "Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns," documenting mass scanning, critical CVE exploitation, XWorm delivery to Korean speakers, StrelaStealer delivery to German speakers, WeaXor/Mallox C2, and Android phishing targeting French/Spanish/Greek speakers on PROTON66 infrastructure. Activity began January 8, 2025.
May 10, 2025
g0njxa on X posts: "Bearhost (aka UNDERGROUND and recently VOODOO SERVERS)" conducted an exit scam after "several years of service." This is the primary public source for the Voodoo Servers identity and the exit scam narrative.
~Q4 2025
Resecurity publishes "Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate," naming Bearhost Servers (also known as Underground and Voodoo Servers) as part of a ghost BPH node network supporting Qilin ransomware operations. Qilin's WikiLeaksV2 leak site traced to Red Bytes LLC (St. Petersburg) hosting under domain networkmaze[.]hk with Bearhost branding. The report references Qilin's late-September 2025 attack on Asahi Group Holdings, so it post-dates that incident.
June 2026 (current)
PROSPERO (AS200593) and PROTON66 (AS198953) remain active with no confirmed sanctions, seizures, or indictments. Bearhost brand assessed in transition to Securehost. Intrinsec publishes follow-on research in May 2026 ("Pivoting on a malspam infrastructure delivering JS malware backed by bulletproof networks"), suggesting continued PROSPERO/PROTON66 activity into 2026.

Sources and Evidence Base

[1]Resecurity, "Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate," 2025. resecurity.com/blog/article/qilin-ransomware-and-the-ghost-bulletproof-hosting-conglomerate
[2]Intrinsec (David Sardinha), "PROSPERO and Proton66: Uncovering the links between bulletproof networks," November 20, 2024. intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/
[3]Trustwave SpiderLabs (Pawel Knapczyk, Dawid Nesterowicz), "Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery," The Hacker News, April 21, 2025. thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html
[4]Krebs on Security / Coastline Cyber, "Notorious Malware, Spam Host 'Prospero' Moves to Kaspersky Lab," February 28, 2025. coastlinecyber.com/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab/
[5]SecurityOnline.info, "PROSPERO and Proton66: Unmasking the Bulletproof Hosting Connection" (derivative of Intrinsec report). securityonline.info
[6]Canary Trap, "Malware Surge via Proton66," April 28, 2025 (cites Trustwave). canarytrap.com/malware-surge-via-proton66/
[7]g0njxa on X, post describing "Bearhost (aka UNDERGROUND and recently VOODOO SERVERS)" exit scam, approximately May 10, 2025. x.com/g0njxa/status/1920911716986089603
[8]Telegra.ph (anonymous, Russian-language), "Securehost service accused of brand hijacking. They may have been leaking user data to Interpol" (original transliterated title: "Servis Securehost obvinili v ugone brenda. Oni mogli slivat dannye o polzovatelyah Interpolu"), July 14 [year not specified; contextually 2023-2024]. telegra.ph — Note: anonymous, unverified source; included for corroborative context on brand dispute only.
[9]SecurityOnline.info, "Qilin Ransomware's Resilience Exposed: Bulletproof Hosting Network Underpins Asahi Group Holdings Attack." securityonline.info
[10]BankInfoSecurity, "Key to Qilin's Ransomware Success: Bulletproof Hosting," 2025. bankinfosecurity.com
[11]Trustwave SpiderLabs (Part 1), "Proton66: Mass Scanning and Exploit Campaigns." trustwave.com
[12]Trustwave SpiderLabs (Part 2), "Proton66: Compromised WordPress Pages and Malware Campaigns." trustwave.com
[13]abuse.ch (LinkedIn / X), "Kaspersky denies providing services to Russian bulletproof hosting provider," 2025. linkedin.com (abuse.ch)
[14]Intrinsec, "Pivoting on a malspam infrastructure delivering JS malware backed by bulletproof networks," May 26, 2026. intrinsec.com — Indicates continued PROSPERO/PROTON66 activity into 2026.