Proton

Malware Profile Updated 19 days ago
Proton is malicious software, or malware, that has been found to exploit and damage computer systems. It can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Proton has the capability to steal personal information, disrupt operations, or even hold data hostage for ransom. The malware has been associated with several system files related to ProtonVPN, including "ProtonVPN.CalloutDriver.sys", "ProtonVPNService.exe", "ProtonVPN.WireGuardService.exe", and "ProtonVPN.UpdateService.exe". These were discovered in the Program Files directory of infected devices. The impact of Proton has been significant, leading to the removal of popular VPN apps like Proton VPN, Red Shield VPN, NordVPN, and Le VPN. Encrypted services like Apple, Proton, and Wire have been implicated in aiding Spanish police in identifying an activist, indicating that Proton's reach extends beyond individual devices and into larger networks. Moreover, the latest version of Proton VPN (version 4.3.0) has displayed issues during configuration, suggesting that the malware may be interfering with the operation of legitimate software. The response to the Proton threat has seen endorsements for draft legislation from various tech companies and organizations, including Accountable Tech, Demand Progress, Fight for the Future, Proton, Nym, and the Matrix.org Foundation. A Security Risk and Governance Manager at Proton, the Swiss-based company behind Proton VPN, Proton Mail, Proton Pass, and Proton Drive, is now working on mitigating the risks posed by the malware. This comes after evidence presented at trial demonstrated misuse of Proton-related services, such as the fraudulent billing of Medicaid for a certain type of proton pump inhibitor.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vpn
Malware
Ransom
Bitcoin
Windows
Outlook
Signal
Cybercrime
Youtube
Android
Ubuntu
Rat
Encryption
Phishing
Spam
Ransomware
Encrypt
Fortiguard
Telegram
Firefox
Expressvpn
Vulnerability
Exploit
European
Bot
British
Microsoft
Chromium
Blizzard
Sandbox
Google
1password
Data Leak
Government
Macos
Azure
Korean
Chrome
Github
XSS (Cross S...
Linux
Red Hat
Healthcare
Associated Malware
ID | Type | Votes | Profile Description
Headcrab | Unspecified | 2 | HeadCrab is a sophisticated malware that targets Redis servers, a popular in-memory data structure store often used as a database or cache. First detected by Aqua Security in September 2021, HeadCrab has evolved to operate in memory, making it harder for antivirus systems to detect. It is estimated
Omg | Unspecified | 1 | OMG is a variant of the Mirai malware, designed to exploit Internet of Things (IoT) devices by turning them into proxy servers for cryptomining. This malicious software operates covertly, typically entering systems through suspicious downloads, emails, or websites, and once inside, it can disrupt op
Phobos | Unspecified | 1 | Phobos is a type of malware, specifically a ransomware, that has been a significant cause for concern in the cyber security world. This malicious software infiltrates systems through dubious downloads, emails, or websites and can cause severe damage by stealing personal information, disrupting opera
Keydnap | Unspecified | 1 | Keydnap is a form of malware that has been used in various attacks to exploit and damage computer systems. It infiltrates the system through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside, it can steal personal information, disrupt operations, or hold
Associated Threat Actors
ID | Type | Votes | Profile Description
Star Blizzard | Unspecified | 1 | Star Blizzard, also known as Seaborgium or the Callisto Group, is a threat actor linked to Russia's intelligence service, the FSB. The group has been involved in sophisticated cyber-attacks worldwide, primarily using spear-phishing campaigns to steal account credentials and data. Microsoft, which tr
Calisto | Unspecified | 1 | Calisto, also known as BlueCharlie, Blue Callisto, TAG-53, COLDRIVER, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a threat actor that has been active since 2019. This group targets a wide range of sectors and is particularly focused on individuals and organizations involved in intern
Cold River | Unspecified | 1 | Cold River, a sophisticated threat actor linked to the Kremlin, has been engaging in malicious cyber activities for several years. The group, also known as Star Blizzard, Callisto, and UNC4057, is attributed to Center 18 of the FSB, one of Russia's security services sponsoring global cyber espionage
COLDRIVER | Unspecified | 1 | Coldriver, also known as Callisto Group and Star Blizzard, is a threat actor believed to originate from Russia. This entity is recognized for its malicious activities including disinformation campaigns, spear-phishing attacks, and the use of custom malware. The group has been associated with the Rus
Tick | Unspecified | 1 | Tick is a threat actor, also known as BRONZE BUTLER, that likely originates from the People's Republic of China. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have been investigating activities associated with this group. Tick has deployed various tools and malware fami
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Proton Malware was read from the documents corpus below. This display is limited to 20 results.
[Source, created at] Title
[Securityaffairs, 12 days ago] Security Affairs newsletter Round 480 by Pierluigi Paganini – INTERNATIONAL EDITION
[Securityaffairs, 19 days ago] Apple removed 25 VPN apps from the App Store in Russia
[Securityaffairs, 2 months ago] Security Affairs newsletter Round 471 by Pierluigi Paganini – INTERNATIONAL EDITION
[BankInfoSecurity, 3 months ago] Ransomware Victims Who Pay a Ransom Drops to Record Low
[SANS ISC, 3 months ago] Rolling Back Packages on Ubuntu/Debian - SANS Internet Storm Center
[DARKReading, 4 months ago] Wyden Releases Draft Legislation to End Federal Dependence on Insecure, Proprietary Software
[CERT-EU, 4 months ago] Small-business owners and activists who rely on TikTok say the US House measure forcing a sale or ban would damage their livelihoods and harm their communities
[CERT-EU, 4 months ago] US cybersecurity company Zscaler acquires Israel-based cybersecurity startup Avalor for $350M; Avalor was founded in 2022 and has raised just $30M to date
[SANS ISC, 5 months ago] What happens when you accidentally leak your AWS API keys? [Guest Diary] - SANS Internet Storm Center
[CERT-EU, 5 months ago] 9 women in cybersecurity you may not know but you should follow in 2024 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
[CERT-EU, 5 months ago] Investigations Newsletter: Department of Justice Designates First Chief AI Officer
[BankInfoSecurity, 5 months ago] Breach Roundup: More Fallout From the LockBit Takedown
[CERT-EU, 5 months ago] How to protect your accounts - consider this for safer logins | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
[Malwarebytes, 6 months ago] Coldriver threat group targets high-ranking officials to obtain credentials | Malwarebytes
[CERT-EU, 6 months ago] Google: Russian state hackers deploying malware in espionage attacks around Europe
[CERT-EU, 6 months ago] Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware
[CERT-EU, 6 months ago] BT chargers good but, UK EV gloom, cybersecurity - the week | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
[CERT-EU, 6 months ago] Top 10 web hacking techniques of 2023 - nominations open | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
[CERT-EU, 6 months ago] 6 Best Anonymous (No-Log) VPNs for 2024
[CERT-EU, 8 months ago] The Russians are coming! Err, they've already infiltrated