One of the most notorious providers of abuse-friendly \u201cbulletproof\u201d web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab<\/strong>, KrebsOnSecurity has learned.<\/p>\n Security experts say the Russia-based service provider Prospero OOO <\/strong>(the triple O is the Russian version of \u201cLLC\u201d) has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing websites<\/a>. Last year, the French security firm Intrinsec<\/strong> detailed<\/a> Prospero\u2019s connections to bulletproof services advertised on Russian cybercrime forums under the names Securehost<\/strong> and BEARHOST<\/strong>.<\/p>\n The bulletproof hosting provider BEARHOST. This screenshot has been machine-translated from Russian. Image: Ke-la.com.<\/p>\n<\/div>\n Bulletproof hosts are so named when they earn or cultivate a reputation for ignoring legal demands and abuse complaints. And BEARHOST has been cultivating its reputation since at least 2019.<\/p>\n \u201cIf you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us,\u201d BEARHOST\u2019s ad on one forum advises. \u201cWe completely ignore all abuses without exception, including SPAMHAUS and other organizations.\u201d<\/p>\n Intrinsec found Prospero has courted some of Russia\u2019s nastiest cybercrime groups, hosting control servers for multiple ransomware gangs over the past two years. Intrinsec said its analysis showed Prospero frequently hosts malware operations such as SocGholish<\/a> and GootLoader<\/a>, which are spread primarily via fake browser updates on hacked websites and often lay the groundwork for more serious cyber intrusions \u2014 including ransomware.<\/p>\n A fake browser update page pushing mobile malware. Image: Intrinsec.<\/p>\n<\/div>\n BEARHOST prides itself on the ability to evade blocking by Spamhaus<\/a>, an organization that many Internet service providers around the world rely on to help identify and block sources of malware and spam. Earlier this week, Spamhaus said it noticed<\/a> that Prospero was suddenly connecting to the Internet by routing through networks operated by Kaspersky Lab in Moscow.<\/p>\n Kaspersky did not respond to repeated requests for comment.<\/p>\n Kaspersky began selling antivirus and security software in the United States in 2005, and the company\u2019s malware researchers have earned accolades from the security community for many important discoveries over the years. But in September 2017, the Department of Homeland Security (DHS) barred U.S. federal agencies from using Kaspersky software, mandating its removal within 90 days.<\/span><\/p>\n Cybersecurity reporter Kim Zetter<\/strong> notes that DHS didn\u2019t cite any specific justification for its ban in 2017, but media reports quoting anonymous government officials referenced two incidents. Zetter wrote:<\/p>\n According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer where he was developing the tools, and the software detected the source code as malicious code and extracted it from his computer, as antivirus software is designed to do. A second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing U.S. secrets.<\/p>\n Kaspersky denied that anyone used its software to search for secret information on customer machines and said that the tools on the NSA worker\u2019s machine were detected in the same way that all antivirus software detects files it deems suspicious and then quarantines or extracts them for analysis. Once Kaspersky discovered that the code its antivirus software detected on the NSA worker\u2019s machine were not malicious programs but source code in development by the U.S. government for its hacking operations, CEO Eugene Kaspersky says he ordered workers to delete the code.<\/p>\n<\/blockquote>\n Last year, the U.S. Commerce Department banned the sale of Kaspersky software in the U.S.<\/a> effective July 20, 2024. U.S. officials argued the ban was needed because Russian law requires domestic companies to cooperate in all official investigations, and thus the Russian government could force Kaspersky to secretly gather intelligence on its behalf.<\/p>\n Phishing data gathered last year by the Interisle Consulting Group<\/strong> ranked hosting networks by their size and concentration of spambot hosts, and found<\/a> Prospero had a higher spam score than any other provider by far.<\/p>\n AS209030, owned by Kaspersky Lab, is providing connectivity to the bulletproof host Prospero (AS200593). Image: cidr-report.org.<\/p>\n<\/div>\n It remains unclear why Kaspersky is providing transit to Prospero. Doug Madory<\/strong>, director of Internet analysis at Kentik<\/strong>, said routing records show the relationship between Prospero and Kaspersky started at the beginning of December 2024.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/02\/bearhost.png?resize=749%2C492&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/02\/fakeupdates.png?resize=749%2C361&ssl=1\")
<\/p>\n\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/02\/cidr-as200593.png?resize=748%2C483&ssl=1\")
<\/p>\n