Executive Summary and Provider Overview
Quick-Reference Attributes
| Common Names | Bearhost; BEARHOST; Underground; UNDERGROUND; Voodoo Servers |
|---|---|
| Node Type | Bulletproof Hosting Provider |
| Status | Active — underlying infrastructure active; Bearhost/Voodoo brand in assessed transition to Securehost |
| Entity Registration Jurisdiction | Russia — PROSPERO OOO (AS200593); PROTON66 OOO (AS198953). Both registered as Russian limited liability companies ("OOO"). |
| Infrastructure Hosting Jurisdiction | Russia (primary, assessed); possible Hong Kong component via Chang Way Technologies (Trustwave, credible) |
| Operator Location | Unknown — Russia assessed based on entity registration and Russian-language forum advertising. No confirmed name, address, or DOB in open sources. |
| Active Period | ~2019 to present (Bearhost brand confirmed visible since at least 2019 per Krebs / Intrinsec); PROTON66 OOO active from at least 2023 per Intrinsec internal research |
| Primary ASNs | AS200593 — PROSPERO OOO (Russia); AS198953 — PROTON66 OOO (Russia) |
| Documented PROTON66 IP Ranges | 45.135.232.0/24; 45.140.17.0/24; 193.143.1.0/24 (Trustwave SpiderLabs, April 2025) |
| Upstream Transit (PROSPERO) | Kaspersky Lab (AS209030) since December 2024 — Kaspersky denies intentional relationship |
| Abuse Contact | Not publicly disclosed in open sources |
| Sanctions | None confirmed against entity or operators as of June 2026 |
| Sanctions Against Named Operators | None — human operators not named or sanctioned in open sources |
| Primary Clients | Qilin ransomware (confirmed); SocGholish, GootLoader (IABs, confirmed); SpyNote, XWorm, StrelaStealer, WeaXor/Mallox (confirmed via Trustwave) |
| Blocklist Status | Spamhaus recommends blocking PROSPERO AS entirely; BEARHOST explicitly advertises ignoring Spamhaus |
| State Nexus Tier | Tolerated Safe Harbor (Tier 2 of 4) |
| Brand Succession | Bearhost / Underground / Voodoo Servers assessed as single operator brand family; Securehost assessed as separate entity that acquired Bearhost assets from Voodoo operator per analyst assessment [Internal] |
Overall Assessment
Bearhost (operating also as Underground and Voodoo Servers) is a Russia-linked bulletproof hosting (BPH) brand cluster that has advertised abuse-tolerant infrastructure on Russian-language cybercrime forums since at least 2019, with its operational backbone residing in two Russian autonomous systems: PROSPERO OOO (AS200593) and PROTON66 OOO (AS198953). The French firm Intrinsec, in research shared internally in July 2023 and published in November 2024, assessed these two ASNs to be operated by a common Russian national who promotes services under the names "UNDERGROUND" and "BEARHOST" on underground forums.
The provider's core value proposition is total non-cooperation with law enforcement and abuse reporters, including explicit claims to ignore Spamhaus. This posture has attracted a broad clientele spanning ransomware operators (Qilin), initial access brokers (SocGholish, GootLoader, FakeBat), and a range of malware families using PROTON66 and PROSPERO IP space for command-and-control, phishing, and payload distribution. Trustwave SpiderLabs documented a surge in mass scanning, credential brute-forcing, and critical CVE exploitation from PROTON66 IP ranges beginning January 2025, including exploitation of Palo Alto, Fortinet, D-Link, and Mitel vulnerabilities.
As of June 2026, no arrests, indictments, or sanctions have been imposed against the Bearhost/PROSPERO/PROTON66 operator cluster. The brand has undergone assessed transition: the Bearhost and Underground identities were followed by a Voodoo Servers rebrand, and a separate entity (Securehost) is assessed to have acquired the Bearhost brand and assets from the Voodoo operator. The underlying ASNs remain active. A notable 2025 development is PROSPERO's routing through Kaspersky Lab (AS209030), which drew public scrutiny from Krebs on Security, Spamhaus, and Silent Push, though Kaspersky denied an intentional service relationship.
Lineage and Organizational Heritage
Brand and Entity Structure
| Brand / Entity | Type | Role | Active Window | Confidence |
|---|---|---|---|---|
| Bearhost / BEARHOST | BPH brand (underground forums) | Primary commercial brand; forum-advertised BPH service for botnets, malware, scanning, phishing | ~2019 to present (brand may be in transition; confirmed since ~2019) | Confirmed |
| Underground / UNDERGROUND | Brand alias | Concurrent or alternate brand name used by same operator on underground forums; "UNDERGROUND" appears alongside "BEARHOST" in Intrinsec attribution | Overlap with Bearhost period; exact dates not publicly documented | Confirmed |
| Voodoo Servers | Rebrand | Later brand iteration; Resecurity and g0njxa (X) independently describe Bearhost/Underground as "recently" becoming Voodoo Servers | Post-Underground; exact date not publicly documented; g0njxa post May 2025 describes exit scam after "several years of service" | Credible |
| PROSPERO OOO (AS200593) | Russian LLC; Autonomous System | Primary network backbone for Bearhost/Underground advertising; associated with BPH activity, malware C2, phishing since at least July 2023 (Intrinsec internal research) | Active | Confirmed |
| PROTON66 OOO (AS198953) | Russian LLC; Autonomous System | Sibling or successor network to PROSPERO; same operator assessed; hosting C2, phishing, exploit activity; actively used for campaigns as of April 2025 | Active | Confirmed |
Predecessor Lineage
Analyst Inference No public evidence ties Bearhost/PROSPERO/PROTON66 to prior-generation BPH brands such as Maxided, Yalishanda, or McColo. The earliest confirmed visibility for the Bearhost brand is approximately 2019 (Krebs on Security / Intrinsec). PROSPERO OOO's RIPE WHOIS registration timeline is not publicly enumerated in available open sources. Founding circa 2019 or earlier is consistent with available evidence; earlier activity cannot be excluded.
Evidence Pillars
Confirmed Intrinsec's November 2024 report assesses PROSPERO (AS200593) and PROTON66 (AS198953) to be operated by a common Russian national, based on near-identical network configurations, shared peering agreements, and behavioral overlap in malicious hosting. Both ASNs' IP space has been used interchangeably by the same malware operators (GootLoader C2, SpyNote C2) migrating between them. [2]
Confirmed Multiple independent sources (Intrinsec, Resecurity, Krebs on Security, Trustwave, g0njxa on X) converge on the linkage between PROSPERO/PROTON66 infrastructure and the Bearhost/Underground/Voodoo Servers brand cluster. Intrinsec explicitly states the common operator "promotes its bulletproof hosting businesses named 'UNDERGROUND' and 'BEARHOST' on various Russian-speaking underground marketplaces." Resecurity explicitly describes "BEARHOST Servers, also known as Underground and Voodoo Servers." [2][1][4]
Confirmed Verbatim advertising copy recovered from Russian underground forums (Krebs on Security, February 2025; Intrinsec, November 2024): "If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us. We completely ignore all abuses without exception, including SPAMHAUS and other organizations." Active since at least 2019 per Krebs / Coastline. [4][2]
Operator Profiles
No named individual has been publicly identified, sanctioned, or indicted in connection with Bearhost, PROSPERO OOO, or PROTON66 OOO as of June 2026. Intrinsec's public-facing report describes the operator as "a common Russian national" and "a common individual" but does not provide a real name, handle history, date of birth, or verified location in publicly available text. Intelligence Gap Operator identity represents the most significant open intelligence gap in this profile. All below is attributed to an unknown Russian national.
Assessed Operator (Identity Unknown)
| Handle(s) | Unknown — Intrinsec references forum activity but does not publicly name a handle in available text |
|---|---|
| Nationality | Russian (assessed, per entity registration and Russian-language forum activity) |
| Assessed Location | Russia (assessed; not confirmed; not arrested) |
| Role | Operator of PROSPERO OOO (AS200593) and PROTON66 OOO (AS198953); promoter of Bearhost/Underground BPH services on Russian underground forums |
| Forum Activity | Active on Russian-speaking underground marketplaces advertising Bearhost/Underground services with explicit abuse-ignore guarantee; active since at least 2019 |
| Sanctions | None confirmed |
| Legal Status | At large; no public arrest, indictment, or criminal charges |
Securehost Relationship and Brand Transition
Credible Securehost is assessed as a separate entity, not a self-rebrand of the Bearhost operator. Per analyst assessment [Internal], Securehost acquired the Bearhost brand and associated assets from the Voodoo Servers operator in a transactional transfer. This is consistent with Intrinsec's framing, which states the Bearhost/Underground operator "used to work with" Securehost and that Intrinsec believes Securehost to be "the present operator of both PROSPERO OOO and Proton66 OOO." [2]
A Russian-language Telegra.ph forum post (July 2024) describes dispute threads on Exploit and WWH-Club accusing Securehost of hijacking Bearhost brand elements (including a Telegram channel), posing as a continuation of Bearhost, and scamming clients. This forum drama corroborates an adversarial or competitive relationship between the original Bearhost operator and Securehost, which is more consistent with an imperfect acquisition or brand-squatting scenario than a clean self-rebrand. [8]
Intrinsec's public-facing text states that Securehost is assessed to be "the present operator" of PROSPERO and PROTON66. Analyst assessment [Internal] holds that Securehost is a separate entity that acquired the Bearhost operation, not the same individual operating under a new brand. These are not necessarily contradictory: if the sale transferred operational control of the ASNs to the Securehost operator, Intrinsec's "present operator" framing and the analyst's "acquisition" framing can both be correct. The degree of continuity vs. independence between the Voodoo/Bearhost operator and the Securehost operator is an intelligence gap.
Disputed Assessments
No vendor disputes the core linkage between PROSPERO/PROTON66 and the Bearhost/Underground brand cluster. The primary disputed area is the Securehost relationship: Intrinsec frames Securehost as closely tied to or operating PROSPERO/PROTON66; analyst assessment frames Securehost as a separate acquirer of the Bearhost brand. These reflect different visibility into closed-source forum data and may not be in direct conflict.
Operational and Business Model
Service Model
Bearhost/Underground operated as a full-service bulletproof hosting provider, offering dedicated servers and virtual private servers to cybercriminal clients on an anonymous basis with explicit guarantees of non-cooperation with law enforcement and abuse reporters. The service model centers on three elements: total abuse immunity, anonymous access, and reliable uptime. Advertised bandwidth is 10 Gbps per server. Services explicitly include command-and-control server hosting for botnets and malware, brute-force and scanning infrastructure, phishing hosting, and "fakes" (fraudulent content). Ransomware infrastructure is accommodated as part of the general client base, as confirmed by Qilin's use of the service. [1][2][4]
Verbatim Advertising Copy
"If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us. We completely ignore all abuses without exception, including SPAMHAUS and other organizations." (Russian underground forum advertising copy as recovered by Krebs on Security, February 2025, and Intrinsec, November 2024.) [4][2]
Onboarding and Vetting
Forum-based advertising on Russian-language criminal underground marketplaces constitutes the primary onboarding channel. Prospective clients self-select from established underground forums (Exploit, WWH-Club, and similar platforms, per available sourcing). No invitation-only or referral requirement is confirmed in open sources. Client anonymity is assessed to rest on cryptocurrency-only payment (inferred from the advertising posture; accepted currencies are not documented). The full onboarding workflow, ticket system, and communication channels are an intelligence gap.
Pricing and Packages
No confirmed public price list documented in open sources. Advertised bandwidth of 10 Gbps suggests dedicated server offerings at the higher end of the BPH spectrum. Monthly subscription model is standard BPH practice and is inferred but not confirmed with specific pricing. Package names, geographic pricing variations, and minimum order requirements are an intelligence gap.
Reseller Chain and Associated Infrastructure
Credible Trustwave SpiderLabs (April 2025) identifies Chang Way Technologies, a Hong Kong-based provider, as a "likely related" entity and recommends blocking its CIDR ranges alongside PROTON66. The exact commercial relationship (customer, partner, front company, or infrastructure reseller) between PROTON66 and Chang Way Technologies is not established in open sources. [3]
Analyst Inference The PROSPERO/PROTON66 network pair itself functions as the hosting backbone, suggesting that the advertised "Bearhost" service is a commercial front for leased capacity within these ASNs rather than a separate physical infrastructure stack.
Abuse-Handling and LE Posture
Total non-cooperation is the explicit operating posture. Forum advertising explicitly names Spamhaus as an organization whose requests are ignored. No documented instances of Bearhost/PROSPERO/PROTON66 responding to abuse complaints or cooperating with law enforcement. Spamhaus has publicly recommended blocking the entire PROSPERO AS, and the Interisle Consulting Group's 2024 analysis ranked PROSPERO as having the highest spam score of any hosting provider surveyed. [4]
Unlike ZServers (which documented a deceptive IP-reassignment response in 2023), no analogous deceptive-compliance episode has been documented for Bearhost/PROSPERO in open sources. This may reflect better OPSEC or simply a gap in available reporting.
OPSEC Posture
The operator relies on: Russian OOO entity structure to limit foreign legal access; pseudonymous forum advertising without confirmed real-world identity; cryptocurrency-only payments; dual ASN architecture (PROSPERO and PROTON66) for infrastructure redundancy; and brand fluidity to shift reputational burden across multiple identities (Bearhost, Underground, Voodoo Servers). No major data breach or identity exposure comparable to the 2024 ZServers leak has been documented for this cluster. OPSEC has remained more robust than many peer BPH providers. No specific panel domains, Telegram channels, or Jabber handles attributed to the Bearhost operator are confirmed in open sources.
Technical Capabilities and Infrastructure Footprint
ASN Registration
| ASN | Registered Name | Entity Type | Jurisdiction | Status (June 2026) |
|---|---|---|---|---|
| AS200593 | PROSPERO OOO | Russian LLC (OOO) | Russia | Confirmed Active |
| AS198953 | PROTON66 OOO | Russian LLC (OOO) | Russia | Confirmed Active |
Analyst Inference RIPE REST API queries timed out during research; ASN registration details above are drawn from Intrinsec (November 2024) and derivative reporting. Registered names, abuse contacts, and technical contact organizations could not be independently verified via RIPE WHOIS during this research cycle. This is a follow-up verification gap. [2]
Documented IP Ranges
| CIDR Block | ASN | Activity Documented | Source | Period |
|---|---|---|---|---|
| 45.135.232.0/24 | AS198953 (PROTON66) | Mass scanning, credential brute-forcing | Trustwave SpiderLabs | Jan 2025 onward |
| 45.140.17.0/24 | AS198953 (PROTON66) | Mass scanning, credential brute-forcing | Trustwave SpiderLabs | Jan 2025 onward |
| 193.143.1.0/24 | AS198953 (PROTON66) | CVE exploitation (PAN-OS, FortiOS, D-Link, Mitel); XWorm C2 (193.143.1.x); StrelaStealer C2 (193.143.1.205); WeaXor/Mallox C2 (193.143.1.139) | Trustwave SpiderLabs | Jan–Apr 2025 |
| 91.212.166.0/24 (91.212.166.21) | AS198953 (PROTON66) | Compromised WordPress redirect scripts; Android phishing pages mimicking Google Play | Trustwave SpiderLabs | Early 2025 |
Note: Trustwave documented "several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years" at time of discovery (January 2025), indicating deliberate cycling of clean or dormant IP space into active abuse. This is a resilience tactic distinct from simply registering new ranges.
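The ranges and C2 addresses in the table above are the indicators a defender can act on directly. The following Python is an added example (not code from the original profile or from any cited vendor) that matches both the source and destination address of each log line against the documented PROTON66 CIDRs and the named C2 hosts, so that inbound hits (scanning, exploitation) and outbound hits (an internal host contacting C2) are reported separately. The log format and the sample lines are constructed for this example; real firewall or auth logs will need their own regex. Note that these /24s are only the ranges Trustwave documented: Spamhaus's recommendation is to block the entire AS, which requires the current announced-prefix list for AS198953 and AS200593 from a BGP source rather than the static list below.

```python
import ipaddress
import re

# Documented PROTON66 (AS198953) ranges and the activity Trustwave tied to them,
# taken from the table above. Indicators only, not a complete inventory of the AS.
PROTON66_RANGES = {
    "45.135.232.0/24": "mass scanning, credential brute-forcing",
    "45.140.17.0/24": "mass scanning, credential brute-forcing",
    "193.143.1.0/24": "CVE exploitation; XWorm/StrelaStealer/WeaXor C2",
    "91.212.166.0/24": "compromised-WordPress redirects; Android phishing",
}

# Specific C2 addresses named in the text. Checked before the ranges so a hit
# on one of these is reported as a C2 contact rather than a generic range match.
PROTON66_C2 = {
    "193.143.1.205": "StrelaStealer C2",
    "193.143.1.139": "WeaXor/Mallox C2",
}

_NETWORKS = [(ipaddress.ip_network(cidr), note) for cidr, note in PROTON66_RANGES.items()]

# Hypothetical log format (constructed for this example): "<ts> src=<ip> dst=<ip> <message>"
_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+(?P<msg>.*)$")


def classify_ip(ip_str):
    """Return ("c2", note) or ("range", note) if ip_str is in documented
    PROTON66 space, otherwise None. Non-IP strings are treated as no match."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    if ip_str in PROTON66_C2:
        return ("c2", PROTON66_C2[ip_str])
    for net, note in _NETWORKS:
        if ip in net:
            return ("range", note)
    return None


def scan_log(lines):
    """Return a list of (line_no, direction, ip, label, note) for every hit.
    direction == "src" means traffic from PROTON66 toward us (scanning,
    brute-forcing, exploitation); direction == "dst" means one of our hosts
    connected out to PROTON66, which for the named C2 addresses is a likely
    infection indicator. Lines that do not parse are skipped, not raised."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = _LOG_RE.match(line)
        if not m:
            continue
        for direction in ("src", "dst"):
            result = classify_ip(m.group(direction))
            if result is not None:
                hits.append((line_no, direction, m.group(direction), result[0], result[1]))
    return hits


# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for the defender's own address space.
SAMPLE_LOG = [
    "2025-04-10T09:12:01Z src=45.140.17.33 dst=203.0.113.10 ssh auth failure user=admin",
    "2025-04-10T09:12:05Z src=198.51.100.7 dst=203.0.113.10 ssh auth ok user=ops",
    "2025-04-10T09:13:40Z src=10.0.0.25 dst=193.143.1.139 tcp/443 established",
    "2025-04-10T09:14:02Z src=193.143.1.65 dst=203.0.113.22 http GET /",
    "malformed line that does not match the expected format",
]

if __name__ == "__main__":
    for line_no, direction, ip, label, note in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {direction}={ip} [{label}] {note}")
```

Hits on the named C2 addresses in the `dst` position deserve a host-level investigation of the internal source, whereas `src` hits on the scanning ranges are expected background noise once the ranges are blocked at the edge.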
Physical Infrastructure
No public disclosure of specific data center locations for PROSPERO or PROTON66 in open sources. Both are Russian OOO entities, suggesting at least some physical presence or point of control in Russia. Trustwave's identification of Chang Way Technologies (Hong Kong) as a likely related provider suggests possible offshored or transit infrastructure in Asia Pacific. Specific colocation facilities, city-level locations, and rack/server counts are an intelligence gap.
Upstream Transit Provider Chain
Confirmed PROSPERO (AS200593) began routing through Kaspersky Lab (AS209030) in approximately December 2024. This was first documented publicly by Krebs on Security on February 28, 2025, citing Spamhaus and cidr-report.org data, and corroborated by Doug Madory (Kentik). Kaspersky denied providing services to PROSPERO, stating the AS path relationship "doesn't by default mean provision of the company's services, as Kaspersky's automatic system path might appear as a technical prefix in the network of telecom providers the company works with." [4]
Silent Push researcher Zach Edwards noted that "providing DDoS protection to a well-known bulletproof hosting provider may be even worse than just allowing them to connect to the rest of the Internet over your infrastructure," suggesting the relationship may involve Kaspersky's DDoS protection services. Kaspersky's client list via AS209030 includes Alfa-Bank, Russia's largest private bank, indicating a legitimate commercial ISP role for Kaspersky's network. [4]
No documented upstream de-peering events for PROSPERO or PROTON66 prior to the Kaspersky routing episode. The Kaspersky episode represents reputational pressure (public reporting, Spamhaus scrutiny) rather than a formal de-peering action. PROTON66 upstream transit chain is not documented in available open sources.
Resilience Features
The PROSPERO/PROTON66 dual-ASN architecture provides redundancy: operators can migrate client infrastructure between the two ASNs as one comes under increased scrutiny. Trustwave explicitly observed C2 operators (GootLoader, SpyNote) migrating between the two ASNs or simultaneously using both. Cycling of dormant or previously-clean IP addresses within existing ranges extends the useful life of the IP pool without requiring new allocations. Brand fluidity (Bearhost, Underground, Voodoo Servers) allows shedding reputational baggage while preserving the underlying client base and infrastructure. No fast-flux or anycast operations documented in available sources.
Hosted Activity Types
| Activity Type | Named Instance / Evidence | Confidence |
|---|---|---|
| Ransomware infrastructure (Qilin) | Qilin's WikiLeaksV2 data-leak site; BPH branding visible on Qilin infrastructure; Resecurity identifies Bearhost/Underground/Voodoo as ghost BPH conglomerate node | Confirmed |
| Initial access broker C2 (SocGholish) | SocGholish fingerprinting scripts and C2 infrastructure hosted on PROTON66 (Intrinsec, 2023-2024) | Confirmed |
| Initial access broker C2 (GootLoader) | GootLoader C2 migrated from PROSPERO to PROTON66; observed on both ASNs (Intrinsec; Trustwave) | Confirmed |
| Loader infrastructure (FakeBat) | FakeBat screening and redirection scripts on same IPs as SocGholish (Intrinsec, 2024) | Confirmed |
| Android RAT C2 (SpyNote) | SpyNote C2 servers and phishing pages migrated from PROSPERO to PROTON66 (Intrinsec; Trustwave) | Confirmed |
| RAT C2 (XWorm) | XWorm binary hosting and C2 on 193.143.1.x (PROTON66); delivered via ZIP archive to Korean-speaking targets (Trustwave, April 2025) | Confirmed |
| Information stealer C2 (StrelaStealer) | StrelaStealer C2 at 193.143.1.205 (PROTON66); German-language phishing campaign (Trustwave, April 2025) | Confirmed |
| Ransomware C2 (WeaXor / Mallox variant) | WeaXor C2 at 193.143.1.139 (PROTON66); WeaXor is a revised Mallox variant (Trustwave, April 2025) | Confirmed |
| Android phishing (Google Play impersonation) | Compromised WordPress sites on 91.212.166.21 redirecting Android users to fake Google Play pages targeting French, Spanish, and Greek speakers (Trustwave, April 2025) | Confirmed |
| SMS spam / bank phishing | Multiple SMS campaigns leading to bank login phishing domains on PROSPERO and PROTON66; Coper/Octo Android spyware deployment via some campaigns (Intrinsec, 2023-2024) | Confirmed |
| CVE exploitation campaigns | PROTON66 (193.143.1.65) exploiting CVE-2025-0108 (Palo Alto PAN-OS), CVE-2024-41713 (Mitel MiCollab), CVE-2024-10914 (D-Link NAS), CVE-2024-55591 and CVE-2025-24472 (Fortinet FortiOS); Fortinet flaws linked to IAB "Mora_001" delivering SuperBlack ransomware (Trustwave, April 2025) | Confirmed |
Blocklist Standing
| Source / List | Status | Notes |
|---|---|---|
| Spamhaus SBL/XBL | Listed (Confirmed) | Spamhaus publicly recommended blocking the entire PROSPERO AS network (February 2025, cited by Krebs). The Interisle Consulting Group's analysis ranked PROSPERO as having the highest spam score of any hosting provider in their dataset. Bearhost explicitly advertises ignoring Spamhaus in forum ads. |
| Spamhaus DROP / eDROP | Probable | AS200593 and AS198953 meet DROP criteria (criminal-leased netblocks with documented BPH activity). Specific DROP list entries not confirmed in open sources. |
| abuse.ch Feodo Tracker | Probable | Documented botnet and ransomware C2 activity (WeaXor, XWorm, StrelaStealer) on 193.143.1.x and other PROTON66 ranges makes Feodo Tracker entries highly likely. Specific first-listing dates and entry IDs not publicly enumerated for this cluster. |
| abuse.ch URLhaus | Probable | Malware delivery and phishing URL distribution on PROTON66/PROSPERO ranges. abuse.ch's LinkedIn post referencing Kaspersky-PROSPERO routing confirms abuse.ch monitors and documents this infrastructure. |
| abuse.ch MalwareBazaar | Probable | XWorm and WeaXor samples served from PROTON66 IPs documented by Trustwave suggest MalwareBazaar entries exist for associated hashes. |
| Firehol Level 1/2 | Probable | Firehol as an aggregator would include PROTON66/PROSPERO IP ranges given documented activity and Spamhaus listing. Not specifically confirmed in reporting. |
Summary: PROSPERO's blocklist status is the most explicitly documented: Spamhaus has publicly recommended AS-level blocking, and the operator explicitly advertises ignoring Spamhaus. PROTON66's documented malware C2 and exploitation activity makes abuse.ch and Firehol listings highly probable. The provider's explicit business model is predicated on immunity from blocklist pressure.
Known Weaknesses
The dual-ASN architecture concentrates reputation risk across two named Russian entities, both of which are now widely known to the security community. The Kaspersky routing episode (December 2024) suggests PROSPERO may be seeking transit options to reduce visibility, potentially indicating pressure from prior transit providers. Chang Way Technologies (HK) as a probable affiliated provider represents a possible Western-reachable enforcement point if the relationship can be confirmed and documented. The operator's reliance on forum advertising creates documented evidence trails even without infrastructure seizures.
Financial Infrastructure
Payment Methods
Cryptocurrency-only payments are standard for BPH services of this type and are consistent with the operator's anonymous onboarding model. Specific accepted cryptocurrencies (Bitcoin, Monero, USDT, etc.) are not enumerated in available open sources. The forum advertising posture strongly implies anonymity-preserving payment channels. No fiat, wire transfer, or e-money options documented.
Wallet Clusters and Designated Addresses
Intelligence Gap No on-chain addresses attributed to Bearhost, PROSPERO OOO, PROTON66 OOO, or the Bearhost operator are confirmed in open sources as of June 2026. No OFAC, UK FCDO, or other sanctions authority has designated cryptocurrency addresses associated with this cluster. TRM Labs, Chainalysis, and Elliptic have not published entity-specific on-chain analyses for this cluster in available public reporting.
On-Chain Activity: Three-Phase Model (Inferred)
Phase 1 — Acquisition (Service Fees Inbound)
Analyst Inference Bearhost/PROSPERO/PROTON66 receives hosting service payments from ransomware operators, malware C2 operators, and other criminal clients via cryptocurrency. Confirmed client base (Qilin, SocGholish, GootLoader, XWorm, WeaXor operators) implies a recurring fee structure. Specific inbound wallet addresses and transaction volumes are unknown.
Phase 2 — Layering
Analyst Inference Funds are presumed to move through intermediary wallets and potentially mixing services consistent with standard cybercriminal money handling. No on-chain analysis published for this cluster.
Phase 3 — Extraction
Analyst Inference Cash-out methodology unknown. Unlike ZServers, no financial institution or exchange has been documented as a cash-out vehicle for this operator. The absence of OFAC or financial intelligence designation as of June 2026 limits the available evidence base.
Sanctions and Risk Designations
| Authority | Status | Notes |
|---|---|---|
| OFAC (US) SDN | No designation | Neither PROSPERO OOO, PROTON66 OOO, nor any associated individual appears on the SDN list as of June 2026 |
| UK FCDO Cyber Sanctions | No designation | Neither entity nor operators designated |
| EU Official Journal | No designation | Not designated |
| AU DFAT | No designation | Not designated |
| TRM Labs / Chainalysis / Elliptic | No published analysis | No entity-specific risk ratings or on-chain reports identified in open sources |
The absence of sanctions against PROSPERO/PROTON66 operators, despite documented multi-year service to ransomware and criminal clients, represents a significant gap relative to the ZServers/XHost precedent (OFAC CYBER3, February 2025). This absence limits financial-channel disruption options and makes the operator harder to pursue through Western legal mechanisms.
Client Profile and Hosted Operations
Crimeware Verticals by Evidence Tier
| Category | Named Clients / Malware | Evidence Basis | Classification |
|---|---|---|---|
| Ransomware (Qilin) | Qilin ("Agenda" variant) | Resecurity: WikiLeaksV2 leak site hosted on infrastructure in Bearhost conglomerate; Bearhost BPH branding visible on Qilin's data-leak site. Multiple outlets corroborate via Resecurity. | Confirmed |
| Initial access broker (SocGholish) | SocGholish | Intrinsec: SocGholish fingerprinting scripts hosted on PROTON66; "hosts a major part of its infrastructure on Proton66" | Confirmed |
| Initial access broker (GootLoader) | GootLoader | Intrinsec: GootLoader C2 servers moved from PROSPERO to PROTON66; Trustwave corroborates | Confirmed |
| Loader (FakeBat) | FakeBat | Intrinsec: FakeBat screening/redirection scripts on same IPs as SocGholish | Confirmed |
| Android RAT (SpyNote) | SpyNote | Intrinsec: SpyNote C2 and phishing pages; Trustwave corroborates | Confirmed |
| RAT (XWorm) | XWorm | Trustwave SpiderLabs: XWorm C2 on 193.143.1.x; multi-stage delivery chain documented | Confirmed |
| Information stealer (StrelaStealer) | StrelaStealer | Trustwave SpiderLabs: StrelaStealer C2 at 193.143.1.205; German-language phishing | Confirmed |
| Ransomware / RaaS variant (WeaXor) | WeaXor (Mallox variant) | Trustwave SpiderLabs: WeaXor C2 at 193.143.1.139; WeaXor is a revised version of Mallox ransomware | Confirmed |
| Android spyware (Coper/Octo) | Coper (a.k.a. Octo) | Intrinsec: SMS spam phishing campaigns on PROTON66 deploying Coper/Octo via Android spyware pages | Confirmed |
| IAB (Mora_001 / SuperBlack) | Mora_001 IAB; SuperBlack ransomware | Trustwave: Fortinet CVE exploitation from PROTON66 attributed to IAB Mora_001 delivering SuperBlack ransomware (single source) | Credible |
| Ransomware (Mallox broader family) | Mallox affiliates | Indirect: WeaXor is a Mallox variant; Intrinsec notes multiple ransomware gangs over two years on PROSPERO; Trustwave documents Mallox-family activity | Credible |
| Phishing / fraud (multi-target) | Multiple unnamed actors | Intrinsec: SMS bank-phishing targeting citizens of multiple countries; fake bank login templates; Trustwave: fake Google Play pages (French, Spanish, Greek speakers) | Confirmed |
Client Geography
Targets are global with no documented CIS exclusion clause. Confirmed victim-country targeting includes: Germany (StrelaStealer campaign), Korea (XWorm delivery chain), France, Spain, and Greece (Android Google Play phishing), and multiple unspecified countries (bank SMS phishing, Qilin victims). No geographic restriction on clients or victims is documented.
Asahi Group Holdings (Japan) was explicitly named as a Qilin victim in Resecurity reporting on the ghost BPH conglomerate, providing a confirmed example of a large multinational organization targeted via infrastructure hosted in this cluster. [1]
Notable Hosted Cases
Resecurity documented that Qilin ransomware's data-leak site ("WikiLeaksV2") was hosted on IP 31.41.244.100, associated with Red Bytes LLC (a Russian provider linked to St. Petersburg) under domain networkmaze[.]hk. Bearhost branding was visible on the same infrastructure. Resecurity describes Bearhost (as Underground and Voodoo Servers) as part of the "ghost BPH conglomerate" supporting Qilin, which attacked Asahi Group Holdings among other targets. [1]
Trustwave SpiderLabs documented a sustained surge of mass scanning, brute-forcing, and critical CVE exploitation originating from PROTON66 IP ranges beginning January 8, 2025. Exploited vulnerabilities included authentication bypasses in Palo Alto PAN-OS and Fortinet FortiOS, a command injection in D-Link NAS, and input validation bypass in Mitel MiCollab. The Fortinet FortiOS exploitation was attributed to IAB Mora_001, delivering SuperBlack ransomware. [3]
State Nexus Assessment
Assessment: Tier 2 — Tolerated Safe Harbor
The Russian state is assessed to be aware of PROSPERO/PROTON66 operations and to refrain from enforcement or prosecution of their operators, despite years of documented criminal hosting activity and significant international scrutiny. This constitutes tolerated safe harbor. No public evidence supports active operational cooperation, tasking, or direct protection beyond passive non-enforcement.
Both PROSPERO OOO and PROTON66 OOO are registered Russian legal entities. Their operators are assessed as Russian nationals operating from Russia. No Russian criminal proceedings against the operators appear in open sources despite documented multi-year ransomware, malware C2, and phishing hosting. The broader pattern of Russian tolerance for cybercrime infrastructure operators (ZServers, Aeza Group, and others) is well-documented in Western government statements and supports the Tier 2 assessment for this cluster. [2][4]
Analyst Inference The Kaspersky routing episode (December 2024 onward) may represent a deliberate effort by PROSPERO to obtain transit through a Russian entity with implicit state protection, rather than a coincidence. However, this remains speculative absent evidence of coordination or state involvement in the routing arrangement.
Negative Evidence (Tier 3/4 Not Supported)
- No documented use of PROSPERO/PROTON66 for Russian state espionage (GRU/FSB/SVR) campaigns in open sources
- No leaked communications showing direct tasking from Russian security services
- No attribution of PROSPERO/PROTON66 to named state-sponsored threat actor groups (APT28, APT29, Sandworm, Cozy Bear, etc.)
- Client base (Qilin, SocGholish, GootLoader, WeaXor) is consistent with financially motivated cybercrime, not state intelligence operations
- No explicit legal immunity, government contracts, or protection agreements documented
Analyst Inference: The possibility that classified IC holdings contain Tier 3/4 evidence cannot be excluded. The Kaspersky routing arrangement warrants monitoring as a potential indicator of elevated state protection if it proves durable and intentional.
Jurisdictional Separation
Compared to ZServers, Bearhost/PROSPERO/PROTON66 presents a less favorable target for Western LE action: no confirmed Western infrastructure (no EU data centers to seize), no UK front company, and no named/identified operators. The entirely Russian jurisdictional footprint concentrates enforcement friction in a non-cooperating jurisdiction.
Law Enforcement and Regulatory Response
Arrests, Indictments, and Criminal Charges
As of June 2026, no US DOJ indictment, UK CPS charges, EU member-state charges, or Russian criminal proceedings against operators of Bearhost, PROSPERO OOO, or PROTON66 OOO are confirmed in open sources. No public arrests. No sealed indictments confirmed (though they cannot be excluded). This represents a significant contrast to ZServers/XHost, which was sanctioned and had servers seized in February 2025.
Infrastructure Seizures
No seizures confirmed as of June 2026. Unlike ZServers' Amsterdam infrastructure (concentrated in a Dutch data center), PROSPERO/PROTON66's physical infrastructure has not been publicly located in a Western-accessible jurisdiction. The absence of a known colocation facility in a cooperative country has prevented the type of server seizure executed against ZServers.
Sanctions Actions
No OFAC, UK FCDO, EU, or AU DFAT sanctions have been imposed against PROSPERO OOO, PROTON66 OOO, or any named associated individuals. The gap between documented criminal activity and the absence of sanctions may reflect: (1) an ongoing law enforcement investigation with sanctions pending; (2) insufficient attribution to named/identifiable individuals; or (3) lower perceived priority relative to other targets. The ZServers OFAC action (February 2025) demonstrates that Russian BPH providers can be sanctioned under CYBER3; the absence here is analytically notable.
Informal Pressure and Reputational Actions
Spamhaus publicly recommended blocking the entire PROSPERO (AS200593) network, representing the most aggressive informal blocklist posture short of law enforcement action. Krebs on Security covered this as part of the Kaspersky-PROSPERO routing story, amplifying reputational pressure on both PROSPERO and Kaspersky Lab. [4]
PROSPERO's routing through Kaspersky Lab (AS209030) drew scrutiny from Krebs on Security, Spamhaus, and Silent Push. Kaspersky issued a public denial. The episode created reputational risk for Kaspersky and highlighted PROSPERO's infrastructure positioning, but did not result in de-peering or other operational disruption as of June 2026. [4]
Post-Disruption Client Migration
No disruption has occurred. The "exit scam" associated with the Bearhost/Voodoo brand (g0njxa X post, May 2025) represents a voluntary brand transition by the operator, not a forced disruption. Clients appear to have migrated toward Securehost (assessed acquirer) or other available BPH providers. The underlying infrastructure (PROSPERO/PROTON66) continues to serve new clients independently of the Bearhost brand transition.
Connected Groups and Ecosystem Relationships
Each entity carries two independent confidence assessments: Tier 1 (infrastructure relationship) and Tier 2 (operational relationship). These are analytically distinct claims requiring separate evidence bases and are never collapsed into a single label.
Tier 2: Resecurity's framing of a "ghost BPH conglomerate" with Qilin implies at minimum awareness and coordination at the infrastructure-booking level. Bearhost branding on Qilin's leak site goes beyond passive hosting and suggests a commercial relationship acknowledged by Qilin. However, no evidence of joint operational planning, shared personnel, or deeper coordination is documented.
Tier 2: No evidence of operational coordination between SocGholish operators and Bearhost/PROSPERO/PROTON66 operator beyond a standard BPH client-provider relationship.
Tier 2: No evidence of operational coordination beyond hosting.
Tier 2: No evidence beyond hosting relationship.
Tier 2: No evidence of operational coordination with Bearhost operator beyond standard client-provider relationship.
Tier 2: No evidence beyond hosting.
Tier 2: Analyst assessment [Internal] holds that Securehost acquired the Bearhost operation from the Voodoo operator. If confirmed, this constitutes a transactional operational relationship extending beyond passive co-hosting. The forum drama (Telegra.ph) supports a business dispute, consistent with a contested or adversarial acquisition.
Tier 2: No evidence of operational coordination beyond assessed infrastructure relationship. HK jurisdiction would provide a non-Russian enforcement jurisdiction if connection is confirmed and legally actionable.
Trajectory Assessment
Historical Market Position
Bearhost/Underground/Voodoo Servers occupies a meaningful structural position in the Russia/CIS-linked ransomware and cybercrime ecosystem, primarily as the commercial brand layer over the PROSPERO/PROTON66 infrastructure backbone. Resecurity's "ghost BPH conglomerate" framing and the Qilin hosting relationship indicate the service attracts high-value ransomware clients. The Intrinsec research (shared internally in July 2023, published November 2024) indicates at least two years of sustained analyst visibility, and the PROTON66 CVE exploitation surge in early 2025 confirms the infrastructure remains actively weaponized. Unlike ZServers, Bearhost/PROSPERO/PROTON66 has not attracted a coordinated multilateral sanctions response.
Infrastructure Churn and Brand Fluidity
The Bearhost cluster demonstrates above-average resilience through: (1) dual-ASN architecture providing IP-pool redundancy; (2) brand cycling (Bearhost, Underground, Voodoo Servers) to manage reputational pressure; (3) deliberate cycling of dormant or previously-clean IP space documented by Trustwave (January 2025); and (4) brand asset transfer to Securehost to preserve client continuity while the original operator reduces exposure. The Kaspersky routing arrangement may represent a further resilience play, obtaining transit through an entity with implicit Russian state protection.
Disruption History and Timeline
Current Market Position
PROSPERO/PROTON66 remains one of the more durable BPH infrastructure clusters in the Russian cybercrime ecosystem, having survived public exposure (Intrinsec 2024), sustained scrutiny (Krebs, Spamhaus, Trustwave, Resecurity), and a brand-level disruption (Bearhost/Voodoo exit scam) without incurring law enforcement action. Its entirely Russian jurisdictional footprint, lack of named/sanctioned operators, and the Kaspersky routing arrangement combine to make near-term coordinated disruption less likely than it was for ZServers.
Trajectory Direction
Active — Moderate Disruption Risk: Elevated but Not Imminent. The infrastructure cluster is resilient and continues to operate. The brand transition to Securehost does not represent a disruption; it represents client and brand continuity. The most plausible disruption vectors in the near-to-medium term are: (1) OFAC CYBER3 designation once operators are identified; (2) coordinated Europol/Spamhaus/transit-provider de-peering action; or (3) Russian law enforcement action in the context of bilateral arrangements, which is unlikely without significant geopolitical change. The probability of LE action without prior identification of the operator is very low. The Intrinsec attribution of a "common Russian national" as operator — without a full public dox — limits the available pressure levers.
Intelligence Gaps
No public name, handle, date of birth, or verified location for the Russian national Intrinsec identifies as the PROSPERO/PROTON66 operator. This is the most critical gap: without operator attribution, OFAC designation and criminal indictment are impractical. Close with: forum archive analysis, passive DNS pivots, RIPE historical registration data, vendor intelligence on registered Bearhost-era Telegram/Jabber accounts.
PROTON66 IP ranges documented by Trustwave (45.135.232.0/24, 45.140.17.0/24, 193.143.1.0/24, 91.212.166.0/24) may not represent the full allocation. PROSPERO IP ranges are not enumerated in available open sources. Close with: RIPE WHOIS full allocation history; BGP routing feeds; abuse.ch dataset correlation.
Nature of the PROTON66-Chang Way Technologies relationship (customer, reseller, front entity) not established. HK jurisdiction provides a potential non-Russian enforcement hook if the relationship is documented. Close with: Hong Kong company registry lookup for Chang Way Technologies; RIPE WHOIS for their ASN; BGP peering data; vendor infrastructure mapping.
No cryptocurrency wallets or on-chain flows attributed to Bearhost, PROSPERO OOO, or PROTON66 OOO in available open sources. Without this, the financial disruption lever (OFAC designation of wallets, tracking client payments) is unavailable. Close with: TRM Labs or Chainalysis entity-specific analysis; blockchain tracing from known Qilin payment flows back through hosting service fees.
Transaction details of the Bearhost brand/asset sale to Securehost: dates, consideration, specific assets transferred, legal entities involved. Close with: closed-source forum data; analyst insight [Internal]; law enforcement access to forum operator records.
No confirmed price lists, payment wallet addresses, client portal URLs, or panel domains. Close with: forum archive scraping; vendor underground monitoring; honeypot engagement.
These brands are cited as possible related entities or successors but lack confirmed linkage to PROSPERO/PROTON66 in open sources. Confidence: Low. Close with: forum co-mentions, domain/IP overlap analysis, wallet reuse correlation.
Registered name, abuse contact, technical contact organization, and full RIPE allocation history for AS200593 and AS198953. Could not be independently verified during this research cycle due to API timeouts. Close with: direct RIPE WHOIS query; NTT RADB lookup.
Whether the PROSPERO-Kaspersky transit relationship is intentional (DDoS protection contract, deliberate business arrangement) or incidental (BGP leak, transient transit). Resolving this is material to the state nexus assessment. Close with: Kaspersky customer disclosures; BGP monitoring over time; RIPE routing data.
Intrinsec notes "multiple ransomware gangs over the past two years" on PROSPERO without naming them beyond Qilin. The WeaXor/Mallox connection and the Mora_001/SuperBlack CVE exploitation expand the known set but do not enumerate it. Close with: Intrinsec full dataset access; law enforcement technical annexes; extended Trustwave campaign analysis.