Part 2: Compromised WordPress Pages and Malware Campaigns

May 21, 2025, 9:24 p.m.

Description

This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign targeted Korean-speaking users through fake investment chat rooms. The Strela Stealer targeted email clients in German-speaking countries, while the WeaXor ransomware, a revised version of Mallox, was also observed. The report details the infection chains, provides IOCs, and recommends blocking CIDR ranges associated with Proton66 and Chang Way Technologies to mitigate risks.

External References

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns/
https://otx.alienvault.com/pulse/6826fc8026d322f4d963e574
Tags
xworm
phishing
ransomware
android
remcos
wordpress
credential theft
strela stealer
proton66
weaxor
2025-05-16

Date

  • Created: May 16, 2025, 8:51 a.m.
  • Published: May 16, 2025, 8:51 a.m.
  • Modified: May 21, 2025, 9:24 p.m.

Indicators

  • e780d314ae6f9bf9d227df004a3c19ab7f3042e583d333f12022ef777ba9600a
  • e55b6664c77a9f3a98b32f46a20c2e392dcc7f1717fb69447e4e4229c7b6985d
  • d682d5afbbbd9689d5f30db8576b02962af3c733bd01b8f220ff344a9c00abfd
  • a2f0e6f9c5058085eac1c9e7a8b2060b38fd8dbdcba2981283a5e224f346e147
  • 9b93daf047b9010bf4e87ca71ae5aefae660820833c15877a9105215af0745cd
  • 99016e8ca8a72da67264019970ab831064ecc1f10591c90ea3a2e1db530188ee
  • 91811e7a269be50ad03632e66a4a6e6b17b5b9b6d043b5ac5da16d5021de8ddb
  • 956934581dfdba96d69b77b14f6ab3228705862b2bd189cd98d6bfb9565d9570
  • 7f2319f4e340b3877e34d5a06e09365f6356de5706e7a78e367934b8a58ed0e7
  • 4db2fa8e019cf499b8e08e7d036b68926309905eb1d6bb3d5466e551ac8d052e
  • 7d1de2f4ab7c35b53154dc490ad3e7ad19ff04cfaa10b1828beba1ffadbaf1ab
  • 40b75aa3c781f89d55ebff1784ff7419083210e01379bea4f5ef7e05a8609c38
  • 2d2bc95183f58a5e7fe9997b092120d6bfa18ed7ccb4f70b1af1b066ea16a1c3
  • 45.93.20.58
  • 91.212.166.16
  • 91.212.166.146
  • 193.143.1.205
  • 193.143.1.139
  • 91.212.166.86
  • www-wpx.net
  • www-kodi.com
  • http://updatestore-spain.com/new/landing
  • http://91.212.166.86/htdocs.zip.
  • http://193.143.1.139/Ujdu8jjooue/biweax.php.
  • http://www-wpx.net/kodi-21.1-Omega-x64.msi
  • http://www-wpx.net/assets/core.js
  • http://www-kodi.com/getgr.js
  • http://www-kodi.com/getupd.js
  • http://www-kodi.com/getfr.js
  • http://www-kodi.com/droid.js
  • http://www-kodi.com/download.php
  • http://my-tasjeel-ae.com/getid.js
  • http://my-tasjeel-ae.com/getfr.js
  • http://my-tasjeel-ae.com/droid.js
  • http://193.143.1.139/Ujdu8jjooue/biweax.php
  • weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion
  • us-playmarket.com
  • updatestore-spain.com
  • spain-playstores.com
  • spain-playmarket.com
  • playstors-gr.com
  • playstors-france.com
  • playstores-france.com
  • playstore-spain.com
  • playstore-fr.com
Download all indicators here!

Attack Patterns

  • WeaXor
  • Strela Stealer
  • Remcos
  • XWorm

Additional Informations

  • Finance
  • Liechtenstein
  • Luxembourg
  • Greece
  • Austria
  • Korea, Democratic People's Republic of
  • Korea, Republic of
  • Switzerland
  • Spain
  • France
  • Germany
  • United States of America