
Proton66’s malware highway.
The Russian Proton66 is tied to cybercriminal bulletproof hosting services. A new Rust-based botnet hijacks vulnerable routers. CISA budget cuts limit the use of popular analysis tools. A pair of healthcare providers confirm ransomware attacks. Researchers uncover the Scallywag ad fraud network. The UN warns of cyber-enabled fraud in Southeast Asia expanding at an industrial scale. Fog ransomware resurfaces and points a finger at DOGE. The cybercrime marketplace Cracked relaunches under a new domain. On our Industry Voices segment, Bob Maley, CSO of Black Kite, shares insights on the growing risk of third-party cyber incidents. Taking the scenic route through Europe's digital landscape.
Today is Tuesday April 22nd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The Russian Proton66 is tied to cybercriminal bulletproof hosting services.
The Russian autonomous system Proton66 (AS198953) is tied to bulletproof hosting services that enable cybercriminal operations, according to Trustwave SpiderLabs. Since January 2025, Proton66 has been linked to global attacks targeting tech and financial sectors, including brute-force logins and vulnerability exploits. One IP address was tied to SuperBlack ransomware, hitting nonprofits and engineering firms. Attackers exploited flaws in products from D-Link, Fortinet, Mitel, and Palo Alto Networks. Proton66 also powered phishing campaigns using hacked WordPress sites and served XWorm malware to Korean-speaking users via social engineering. Its infrastructure was used to spread Strela Stealer malware in central Europe and hosted C2 servers for WeaXor ransomware. Some malicious domains were recently moved to infrastructure linked to Chang Way Technologies.
A new Rust-based botnet hijacks vulnerable routers.
A new Rust-based botnet called RustoBot is hijacking vulnerable routers globally to execute remote commands. It targets TOTOLINK and DrayTek devices using known command injection flaws, including CVE-2024-12987. Affected regions include Japan, Taiwan, Vietnam, and Mexico. The malware uses crafted payloads to download and run architecture-specific binaries on compromised routers, supporting ARM and MIPS platforms. RustoBot features advanced techniques like XOR encryption and system API retrieval via the Global Offset Table (GOT). Once active, it connects to command-and-control domains and can launch large-scale DDoS attacks, such as UDP floods. Fortinet researchers stress that this threat highlights ongoing risks to IoT devices and the rising use of modern languages like Rust to build resilient and cross-platform malware.
CISA budget cuts limit the use of popular analysis tools.
CISA has ordered its threat hunting teams to stop using Censys and VirusTotal, key tools for cyber threat analysis and malware detection. This shift, driven by budget cuts and political pressure, may disrupt operations. Censys use already ended in March, and VirusTotal use ceased by April 20. The agency is seeking alternatives but acknowledges potential operational impacts. Contractor layoffs and broader downsizing are also underway. Experts warn these changes could weaken CISA’s ability to track cyber threats amid rising attacks.
A pair of healthcare providers confirm ransomware attacks.
Two healthcare providers—Bell Ambulance in Milwaukee and Alabama Ophthalmology Associates—have confirmed ransomware attacks that exposed sensitive data of over 100,000 individuals each. Bell Ambulance detected the breach in February, with Medusa ransomware claiming responsibility and HHS reporting 114,000 affected. Alabama Ophthalmology Associates’ breach began in January, with BianLian ransomware behind the attack, impacting over 131,000 people. Both incidents compromised personal, financial, and medical data. These breaches add to a troubling trend, with over 700 U.S. healthcare data breaches reported in 2024 alone.
Researchers uncover the Scallywag ad fraud network.
Researchers at security vendor Human have uncovered Scallywag, a large-scale ad fraud network using four WordPress plugins to drive illicit ad traffic through piracy and URL-shortening sites. The scheme reroutes users through “cashout” pages filled with ads before reaching their intended content. These intermediary sites slow users down with CAPTCHAs, forced scrolling, wait times, and extra page clicks to maximize ad views. Scallywag relies on “deep linking” to cloak ad-heavy pages as benign blogs, revealing content only after specific user actions. The four involved plugins—Soralink, Yu Idea, WPSafeLink, and Droplink—are either sold to threat actors or offered for free. At its peak, Scallywag generated 1.4 billion daily ad requests, though traffic briefly dropped 95% before rebounding with new sites.
The UN warns of cyber-enabled fraud in Southeast Asia expanding at an industrial scale.
Cyber-enabled fraud in Southeast Asia is expanding at an industrial scale, driven by transnational crime syndicates, warns the UN Office on Drugs and Crime (UNODC). These fraud operations—rooted in Myanmar and Cambodia—exploit vulnerable border regions, building scam hubs disguised as tech parks, casinos, and hotels. Syndicates include traffickers, launderers, and data brokers, with hundreds of thousands of trafficked victims supporting operations. Criminals leverage encrypted platforms, crypto, and even generative AI to scale their fraud, earning $37 billion in 2023. The crisis is spreading globally, reaching Africa, South America, and the Pacific. UNODC calls for urgent action: better regulations, international cooperation, and stronger law enforcement. The region now faces a deeply entrenched criminal ecosystem that undermines state sovereignty and governance, likened to a spreading cancer.
Fog ransomware resurfaces and points a finger at DOGE.
Fog ransomware has resurfaced with a bizarre twist: a new ransom note referencing the “U.S. Department of Government Efficiency (DOGE)” and encouraging victims to spread the malware. Trend Micro reports the malware is distributed via phishing emails containing a ZIP file with a malicious LNK disguised as a PDF. Once clicked, a PowerShell script downloads various payloads including the ransomware loader, data exfiltration scripts, and a vulnerable driver for privilege escalation. Victims also see QR codes for Monero payments and strange political references embedded in the script. Since January 2025, Fog has claimed 100 victims across multiple sectors. While Trend Micro suspects this latest wave may involve an impersonator using Fog’s tools, they urge vigilance through updated backups, network segmentation, and monitoring for Fog-related indicators of compromise.
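The lure described above, a ZIP attachment carrying a Windows shortcut dressed up as a PDF, is something a mail gateway or sandbox can flag before anyone clicks it. The following is an added example written for this briefing, not code from Trend Micro or from the Fog operators. It inspects a ZIP in memory, checks each member for the fixed ShellLink header that every .lnk file begins with, and also flags document-looking double extensions such as "name.pdf.lnk". The sample archive it scans is constructed inline; the function names are my own.

```python
import io
import zipfile

# Bytes every Windows shortcut (.lnk) starts with: a 4-byte header size of
# 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Extensions a lure typically imitates in front of the real ".lnk" suffix.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one archive member looks like an LNK lure (empty if none)."""
    reasons = []
    lower = name.lower()
    stem = lower[:-4] if lower.endswith(".lnk") else lower
    if head.startswith(LNK_MAGIC):
        # Content check: the bytes say "shortcut" regardless of the file name.
        reasons.append("shell-link header")
        if not lower.endswith(".lnk"):
            reasons.append("LNK content with non-.lnk extension")
    if lower.endswith(".lnk") and stem.endswith(DOCUMENT_EXTENSIONS):
        # Name check: "Invoice.pdf.lnk" renders as "Invoice.pdf" when Explorer hides extensions.
        reasons.append("document-looking double extension")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Scan an in-memory ZIP and return {member name: reasons} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a fake 'PDF' shortcut plus one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed lure: a real ShellLink header padded with zeros, named like a PDF.
        zf.writestr("Invoice_2025.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(why)}")
```

The content check and the name check are deliberately independent: a shortcut renamed to ".pdf" is caught by its header, and a shortcut whose header bytes were never read (for example a truncated member) is still caught by the double extension. Any .lnk inside an e-mailed archive is worth a second look even without a double extension, so the header match alone is enough to flag a member.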
The cybercrime marketplace Cracked relaunches under a new domain.
The cybercrime marketplace Cracked has relaunched under a new domain, Cracked.sh, after being taken offline in January during “Operation Talent.” Authorities had seized 12 domains and a payment processor linked to Cracked and Nulled, but no arrests were made in Cracked’s case. The site’s new admin claims servers were encrypted, preventing law enforcement from accessing user data. Researchers verified login access using old credentials, suggesting authenticity. Meanwhile, BreachForums, previously seized and known for leaking data, is also claiming a return, though its legitimacy is in question. A new site under the name Breached.fi appeared briefly, but confusion surrounds whether it’s authentic or a scam. Cybersecurity experts urge skepticism, noting such sites often return under false pretenses or become law enforcement traps. Nulled remains offline, with arrests made in that case.
Meanwhile, Iranian national Behrouz Parsarad has been indicted by the U.S. Justice Department for running Nemesis Market, a dark web marketplace active from 2021 to 2024. The site facilitated over 400,000 illegal transactions, including $30 million in drug sales and various cybercrimes like selling stolen financial data, fake IDs, and malware. At its peak, it had 150,000 users and 1,100 vendors. Parsarad also offered money laundering and crypto-mixing services. He faces up to life in prison if convicted.
Taking the scenic route through Europe's digital landscape.
And finally, every time you check your email, map a route, search for a hot dog recipe, or stream a show, odds are your data packs its bags and settles in the arms of American tech giants—Google, Apple, Meta, Amazon, Microsoft… you know the crew. The U.S. is basically the digital landlord of modern life. But what if you’d rather not have your online behavior monitored under the watchful eye of American data laws? Well, Europe has alternatives, and Denmark’s Information publication has published a handy guide.
Privacy-respecting search engines like France’s Qwant, Britain’s Mojeek, or Germany’s Ecosia offer solid Google-free searching. The Vivaldi browser from Norway—built by ex-Opera devs—lets you surf ad-free with nerdy flair. Ditch Gmail for encrypted inboxes like ProtonMail (Switzerland) or Tutanota (Germany).
Navigating without Google Maps? Organic Maps, based on OpenStreetMap, works offline and doesn’t track your steps. Social media isn’t off-limits either—try Mastodon instead of X, Pixelfed over Instagram, and PeerTube for decentralized video sharing. Just don’t expect to find your grandma’s casserole recipe there (yet).
Streaming fans can dive into DRTV, MUBI, or Filmstriben for curated European content. And for cloud storage, Nextcloud and Tresorit are strong, privacy-focused contenders.
Even hardware isn’t out of reach. Fairphone (Netherlands) and Murena One (France) offer de-Googled smartphones, while Slimbook (Spain/France) and TUXEDO (Germany) make Linux-powered laptops.
Escaping the U.S. digital grip takes effort—and a bit of curiosity—but if you’re ready to explore tech without the stars and stripes, Europe’s got your back.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.