One of Russia’s most notorious “bulletproof” web hosting providers, Prospero OOO, has come under scrutiny after reportedly routing its operations through networks managed by the cybersecurity giant Kaspersky Lab. Prospero OOO (“OOO” is the Russian equivalent of “LLC”) has a longstanding reputation for hosting malware operations, phishing schemes, and cybercrime groups.
Security experts have repeatedly identified Prospero as a significant hub for malicious software distribution, botnet control servers, and phishing scams. According to Intrinsec, a French cybersecurity firm, Prospero OOO has openly marketed its “bulletproof” hosting services on Russian cybercrime forums under brands like Securehost and BEARHOST since at least 2019.
“Bulletproof” hosting services deliberately ignore legal notices and complaints, allowing cybercriminals to operate freely. BEARHOST has publicly advertised its services with audacious statements such as, “If you need servers for malware, phishing, bots, or any other malicious activities, contact us—we completely ignore all abuse reports, including Spamhaus.”
Intrinsec’s investigations revealed that Prospero has hosted servers used by high-profile ransomware groups and malware operations, notably SocGholish and GootLoader. Both malware families frequently rely on fake browser update notifications on compromised websites, paving the way for severe cyberattacks, including ransomware.
Spamhaus Raises Alarms: Prospero’s Traffic Routed Through Kaspersky
Spamhaus, an international organization known for tracking and blocking spam sources, recently detected Prospero traffic being routed through Kaspersky-operated networks. This unusual discovery immediately drew attention, sparking questions about the relationship between Prospero and Kaspersky.
Kaspersky quickly addressed these concerns in an official statement:
“Kaspersky firmly denies claims of working with the mentioned bulletproof hosting provider. Traffic routing through Kaspersky’s network does not imply collaboration. Our autonomous systems occasionally appear as technical prefixes through telecom partners that use our DDoS protection services.”
The cybersecurity firm emphasized its commitment to ethical operations and announced an internal investigation to identify and resolve potential misuse of its network.
Past Controversies Shadow Kaspersky
Kaspersky, globally recognized for its antivirus solutions, has previously faced controversy, notably when the U.S. Department of Homeland Security banned the company’s software in federal agencies in 2017. Concerns included accusations—strongly denied by Kaspersky—that the antivirus software inadvertently extracted sensitive NSA hacking tools from a contractor’s personal computer. Additionally, anonymous sources claimed Israeli intelligence observed Russian operatives leveraging Kaspersky software to search client computers for confidential U.S. government data.
Although CEO Eugene Kaspersky stated that the extraction of NSA code was a routine antivirus detection later rectified, mistrust lingered. Consequently, the U.S. Commerce Department announced a full ban on Kaspersky software sales starting July 20, 2024, citing risks due to Russia’s mandatory corporate cooperation with government investigations.
Interisle Consulting Group’s recent analysis highlighted Prospero’s disturbing prominence in phishing operations, ranking it as the world’s top hosting provider in terms of spam volume and cybercrime hosting concentration.
The reason behind Prospero’s sudden routing through Kaspersky networks remains unclear. Doug Madory, Kentik’s Director of Internet Analysis, noted that the routing arrangement began in early December 2024. Madory pointed out Kaspersky’s client list includes prominent Russian financial institutions like Alfa-Bank, suggesting Prospero might simply be using Kaspersky’s DDoS protection services.
However, Zach Edwards, Senior Threat Researcher at Silent Push, argues this possibility raises more serious ethical concerns:
“Providing DDoS protection services to notorious bulletproof hosts may be even worse ethically than simply allowing them to access the internet through your networks.”
The cybersecurity community will closely watch this unfolding situation, demanding transparency from Kaspersky and clarity about the extent of its involvement with Prospero OOO.