Executive Summary
This week (June 8-15, 2026), 10 of the 26 monitored bulletproof hosting ASNs showed observable scanning or attack activity, down slightly from 11 the prior week. Total observed event volume increased dramatically, driven primarily by a single IP (37.77.150.67) from Proton66 OOO (AS198953), which alone generated 42,057 events — more than the combined total of all monitored ASNs from the previous week.
The most notable event was the global traffic spike on June 14, when the Honeylabs network observed 1.1 million events in a single day, compared to the weekly average of approximately 200,000-260,000 per day. This 4x increase was largely driven by a coordinated burst of Google Cloud-hosted scanners, but our monitored BP ASNs also showed elevated activity.
The FlokiNET SPARK C2 beacon (185.100.87.136) remains active, continuing its HTTPS beaconing pattern observed since last week. Pfcloud (AS51396) scanning activity shifted from dense port spraying to more targeted scans, though the provider’s riptide scanning framework remains operational. A new ASN appeared in our dataset: QWINS LTD (AS213702) probing X11 port 6000 from German infrastructure.
By the Numbers
| ASN | Provider | IPs Observed | Events | Top Port(s) | Change vs Prior Week |
|---|---|---|---|---|---|
| AS198953 | Proton66 OOO | 3 | 42,937 | 1433, 6358, 5776, 8534 | +1,860% |
| AS51396 | Pfcloud UG | 30+ | 4,000+ | 8888, 8080, 80, 443, 8006 | -60% |
| AS14956 | RouterHosting LLC | 10+ | 1,500+ | 5555, 8081, 445 | -55% |
| AS51852 | Private Layer INC | 3 | 3,800 | 87, 443, 1174, 3128 | Stable |
| AS214940 | Kprohost LLC | 3 | 300+ | 443 | +310% |
| AS210644 | Aeza International | 3 | 3 | 22 (SSH) | -94% |
| AS200651 | FlokiNET ehf | 1 | 8 | 443, 80, 8080 | -47% |
| AS138915 | Kaopu Cloud HK | 1 | 6 | 2375, 2376, 4243 | +50% |
| AS209847 | WorkTitans (THE) | 1 | 3 | 30443, 50443, 3389 | -25% |
| AS213702 | QWINS LTD | 1 | 2 | 6000 (X11) | NEW |
10 ASNs showed no observable activity this week (including AS57043 HOSTKEY-AS and AS200593 PROSPERO-AS, which had low activity last week and dropped to zero this week).
Top ASN Deep Dives
AS198953 (Proton66 OOO) — Activity Spikes
The headline this week is Proton66. The Russian provider was the single most active monitored entity by a wide margin, with 42,937 events across 3 source IPs. This represents an approximately 1,860% increase over last week’s 2,189 events from 9 IPs.
The primary actor, 37.77.150.67, generated 42,057 of those events between June 8-12. Its targeting profile is notably different from the broad port spraying typical of auto-scanners: it focused on specific services including MSSQL (1433), along with ports 6358, 5776, 8534, and 234. This suggests a targeted reconnaissance campaign rather than blanket scanning — possibly looking for specific applications or vulnerable service versions.
Two additional IPs (176.120.22.147 and 176.120.22.240) showed different behavior. The former probed high ports in the 44xxx range using varied browser user agents (Firefox 102, Chrome 141, Safari 14, various ChromeOS, Linux, and Mac UA strings) — a classic evasion technique to blend in with legitimate traffic. The latter showed minimal activity targeting ports 5678 and 7547 (TR-069/TR-064 router management protocols), suggesting CPE/router exploitation scanning.
Censys profiles only 62 hosts in AS198953, all carrying the BULLETPROOF label. Open ports include SSH (22), DNS (53), RDP (3389), HTTPS (443), and SMTP (25).
Change Detection: Volume spike of +1,860% vs prior week. New targeted MSSQL scanning from the primary IP. The 44xxx port scanning is a new pattern not observed last week.
AS51396 (Pfcloud UG) — Declining Volume
Pfcloud remains active but total observed event volume appears to have decreased approximately 60% compared to last week. The top 20 IPs in our dataset show per-IP counts ranging from 51 to 480 events, whereas last week’s top IPs each generated 1,700-1,900 events. Activity is still broadly distributed across German (176.65.139.0/24, 45.135.193.0/24) and Dutch (204.76.203.0/24) infrastructure.
The most active IP this week was 45.135.193.193 (Germany, 480 events), targeting ports 8888, 8080, 443, 80, and 8000. The IPs 204.76.203.206 and 204.76.203.219 (Netherlands) showed web-focused scanning targeting ports 80-83, 8080, and 8081.
The ProxmoxChecker/1.0 scanner (176.65.139.103, 322 events, port 8006) remains active this week. Cam-scanner (port 554/RTSP scanning) continues on 3 Dutch IPs with 80 events. The Go-http-client tooling is distributed across 11 IPs targeting varied ports.
User agent diversity continues to be a hallmark of this provider’s scanning operations, with 16 distinct UA strings observed across the Pfcloud ASN, including Go-http-client, ProxmoxChecker, cam-scanner, Shodan-Pull, zgrab, and multiple browser-masquerading agents.
Censys profiles 3,424 hosts in AS51396 (all BULLETPROOF), with a software stack dominated by wg-easy (779), OpenSSH (737), Python/Werkzeug (715), and nginx (413). The presence of wg-easy (WireGuard VPN management) continues to confirm this provider’s VPN service offerings.
Change Detection: Per-IP event counts dropped sharply compared to last week. The riptide scanning framework (previously identified via exposed pprof endpoint on 204.76.203.213) may have been reconfigured or taken offline — the pprof endpoint was not detected this week.
AS51852 (Private Layer INC / PLI-AS) — Stable Proxy Infrastructure
Private Layer showed stable activity this week with approximately 3,800 events from observed IPs. The most active IPs were 179.43.134.114 and 179.43.146.227 (Switzerland), continuing the pattern from last week.
Censys reveals 11,259 hosts in this ASN (BULLETPROOF), with the dominant software being Squid proxy (16,288 instances). This is a remarkably high proxy concentration — more than all other software combined. The heavy Squid presence, paired with nginx (4,734), OpenSSH (4,484), Dovecot/Exim (mail services), cPanel (649) and Ceph (603 distributed storage), suggests this provider markets both residential-style proxies and traditional hosting.
Port 161 (SNMP, 3,436 hosts) and port 3128 (Squid proxy, 2,227 hosts) are characteristic signatures of this provider’s infrastructure. The heavy SNMP exposure represents a potential attack surface for targeting the provider itself.
Change Detection: Activity level and profile are broadly stable compared to last week.
AS210644 (Aeza International Ltd) — Dormant Giant
Aeza International is the largest ASN in our monitored set with 76,683 Censys hosts (all BULLETPROOF), yet showed only 3 SSH scan events this week. All three events originated from Finnish IPs (Helsinki) using the SSH client library libssh 0.9.6 with an identical HASSH fingerprint (f555226df1963d1d3c09daf865abdc9a). This suggests a single scanning campaign or operator.
Censys software profile is dominated by OpenSSH (65,501), nginx (29,046), and notable concentrations of Ghost CMS (8,024), App & API Protector (8,024), Cloudflare load balancer (2,688), and WAF (2,883) — suggesting many hosts in this ASN sit behind reverse proxy infrastructure. The presence of wg-easy (1,286) also indicates WireGuard VPN services.
Change Detection: AEZA activity continues to be minimal in our honeypot telemetry, consistent with prior weeks. The scale of Censys-visible infrastructure (76K+ hosts, the largest in our set) suggests this provider’s value to threat actors lies in hosting infrastructure rather than active scanning.
Infrastructure Correlation
Shared Fingerprints: The AEZA SSH scans all used the same HASSH fingerprint (f555226df1963d1d3c09daf865abdc9a), indicating identical SSH client configuration across three distinct IPs — likely the same operator or toolchain. The HASSH corresponds to libssh 0.9.6 with a standard KEX algorithm suite.
BULLETPROOF Labeling: All monitored ASNs that were checked carry the Censys BULLETPROOF label. The BULLETPROOF label on AS14956 (RouterHosting) covers all 25,869 visible hosts, consistent with its well-documented role as a bulletproof provider.
Proxy Infrastructure Concentration: The dominant Squid proxy fingerprint in AS51852 (Private Layer) — 16,288 instances versus 4,734 for the next most common software (nginx) — represents an unusually high service concentration. This is a distinctive infrastructure fingerprint that could enable network-level detection of traffic transiting this provider.
Fleet Observations
Scan-Only Nodes: A subset of the most active scanning IPs from Honeylabs data showed minimal to no Censys-visible services, consistent with ephemeral scan nodes being spun up for specific campaigns and deprovisioned after use. The Proton66 IP 37.77.150.67, despite generating 42,057 events over 4 days, shows only standard ports in Censys data.
Censys Host Counts: Two monitored ASNs dominate the host count: AEZA (76,683) and KAOPU-HK (35,900). Combined, these two providers account for over 112,000 hosts — nearly half of the total visible infrastructure across all monitored ASNs. Their relatively low scanning activity in our telemetry suggests these providers’ role is primarily hosting rather than active scanning.
New Service Observations: AS209847 (WorkTitans B.V.) showed probing of non-standard SSL ports 30443 and 50443 this week — a pattern not observed last week. This could indicate reconnaissance for web services running on alternative SSL ports, or testing for hidden administrative interfaces.
IoCs and Detection Guidance
Notable IPs:
- 37.77.150.67 (Proton66) — Heavy MSSQL/custom port scanner. 42,057 events this week.
- 176.120.22.147 (Proton66) — 44xxx port scanner with varied browser user agents.
- 185.100.87.136 (FlokiNET) — Active SPARK C2 beacon. JA4: t13i1909h2. Continues from prior week.
- 45.83.20.230 (WorkTitans) — SSL port probing (30443, 50443) and RDP scanning.
- 194.238.57.3 (QWINS) — X11 port 6000 probing. New entrant in BP dataset.
- 154.205.145.161 (Kaopu HK) — Docker API scanning (ports 2375, 2376, 4243). Persistent across multiple weeks.
- 138.124.99.219, 109.172.95.248, 85.192.31.14 (Aeza) — SSH scanners using libssh 0.9.6, same HASSH fingerprint.
Fingerprints:
- HASSH: f555226df1963d1d3c09daf865abdc9a — libssh 0.9.6 (AEZA SSH scanning campaign)
- JA4: t13i1909h2_9dc949149365_97f8aa674fd9 — TLSv1.3 CHACHA20_POLY1305 (SPARK C2 beacon)
- JA4H: ge11nn0400_88d30a62b7ad — HTTP client fingerprint for SPARK beacon
- JA4: t13i1310h1_f57a46bbacb6_e7c285222651 — TLSv1.3 AES_128_GCM (WorkTitans HTTPS probing)
- JA4H: ge11nn0400_9c3956fad5da — Docker API client (go-dockerclient)
Detection Rules:
- Proton66 Custom Port Scan: Monitor for connections from 37.77.150.67 or 176.120.22.147 to MSSQL (1433) or high ports in the 44xxx range.
- AEZA SSH HASSH: Monitor for HASSH f555226df1963d1d3c09daf865abdc9a on connections whose source falls within AEZA IP ranges.
- Private Layer Squid Proxy Traffic: Traffic transiting port 3128 from AS51852 IP ranges may indicate proxy abuse.
- Docker API Scanning: JA4H ge11nn0400_9c3956fad5da on ports 2375/2376/4243 indicates Docker daemon reconnaissance.
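The four rules above expressed as matching logic over JSON-lines events, as an added example that is not part of the original report. Indicator values come from the report; the event schema (src_ip, src_asn, dst_port, hassh, ja4h), the rule names and the sample events are assumptions constructed for illustration. The AEZA and Private Layer rules match on an enriched source-ASN field because the report lists no prefixes, and the Squid rule reads "port 3128" as the destination port.

```python
import json

# Indicator values are taken from the report; the event schema is assumed.
PROTON66_IPS = {"37.77.150.67", "176.120.22.147"}
AEZA_HASSH = "f555226df1963d1d3c09daf865abdc9a"
DOCKER_JA4H = "ge11nn0400_9c3956fad5da"
DOCKER_PORTS = {2375, 2376, 4243}

def match_rules(ev):
    """Return the names of the report's detection rules that one event matches."""
    port = ev.get("dst_port")
    if not isinstance(port, int):      # malformed or missing port: nothing to match
        return []
    hits = []
    if ev.get("src_ip") in PROTON66_IPS and (port == 1433 or 44000 <= port <= 44999):
        hits.append("proton66-custom-port-scan")
    # The HASSH identifies a libssh build, so it only counts together with the ASN.
    if ev.get("hassh") == AEZA_HASSH and ev.get("src_asn") == 210644:
        hits.append("aeza-ssh-hassh")
    if ev.get("src_asn") == 51852 and port == 3128:
        hits.append("private-layer-squid")
    if ev.get("ja4h") == DOCKER_JA4H and port in DOCKER_PORTS:
        hits.append("docker-api-scan")
    return hits

def scan(lines):
    """Parse JSON-lines events; return a list of (src_ip, rule) for every match."""
    out = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                   # skip corrupt log lines rather than abort
        if isinstance(ev, dict):
            out.extend((ev.get("src_ip"), rule) for rule in match_rules(ev))
    return out

# Constructed sample events (not real telemetry).
SAMPLE = [
    '{"src_ip":"37.77.150.67","src_asn":198953,"dst_port":1433}',
    '{"src_ip":"176.120.22.147","src_asn":198953,"dst_port":44321}',
    '{"src_ip":"176.120.22.147","src_asn":198953,"dst_port":443}',
    '{"src_ip":"138.124.99.219","src_asn":210644,"dst_port":22,"hassh":"f555226df1963d1d3c09daf865abdc9a"}',
    '{"src_ip":"198.51.100.7","src_asn":64500,"dst_port":22,"hassh":"f555226df1963d1d3c09daf865abdc9a"}',
    '{"src_ip":"154.205.145.161","src_asn":138915,"dst_port":2375,"ja4h":"ge11nn0400_9c3956fad5da"}',
    '{"src_ip":"179.43.134.114","src_asn":51852,"dst_port":3128}',
    'not json',
]

if __name__ == "__main__":
    for src, rule in scan(SAMPLE):
        print(f"{rule}\t{src}")
```

The fifth sample event carries the same HASSH from an unrelated ASN and is deliberately not flagged, which is why the rule pairs the fingerprint with the source network.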
Full data archive available at: https://git.sr.ht/~hrbrmstr/gists/tree/main/item/kevlar/2026-06-15/