@ BrianKrebs
2025-02-26 00:11:24
I'm trying to understand why one of the worst bulletproof hosting providers out there today -- Russia-based Prospero OOO -- is now getting transit to the larger internet via the antivirus and security firm Kaspersky Lab?
https://www.cidr-report.org/cgi-bin/as-report?as=AS200593
Prospero (AS200593) has been tied to multiple bulletproof hosting providers advertising on Russian cybercrime forums that say they will ignore all abuse complaints. It operates an insane amount of phishing domains at any given time, and it's been connected with ransomware C2s and distribution of ransom-adjacent malware operations like SocGholish and GootLoader. But don't take my word for it. Have a look at just the recent stuff:
https://urlscan.io/search/#page.asn%3Aas200593
https://www.virustotal.com/gui/search/as200593
https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/
I understand that Kaspersky Lab (AS209030) provides DDoS protection as one of its services, and its networks do indeed seem to include several large banks (Alfa Bank, and the Russian police, e.g.). But if that's really what this is, that's almost worse than Kaspersky just letting these providers transit their network.
https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/067/278/914/606/081/original/47b4c83c445e5d7d.png