Proton66: Compromised WordPress Pages and Malware Campaigns

April 18, 2025, 2:14 p.m.

Description

This intelligence briefing covers malware campaigns linked to Proton66, a bulletproof hosting provider, with a focus on campaigns that target Android devices through compromised WordPress websites. It details how those sites were injected with malicious scripts that redirect Android visitors to fake Google Play Store pages. The report also covers an XWorm campaign targeting Korean-speaking users, Strela Stealer activity aimed at German-speaking countries, and the WeaXor ransomware. For each campaign it walks through the infection chain, malware configuration, and command-and-control servers, recommends blocking the associated IP ranges, and lists the indicators of compromise (IOCs).

Date

  • Created: April 18, 2025, 8:11 a.m.
  • Published: April 18, 2025, 8:11 a.m.
  • Modified: April 18, 2025, 2:14 p.m.

Indicators

  • e780d314ae6f9bf9d227df004a3c19ab7f3042e583d333f12022ef777ba9600a
  • e55b6664c77a9f3a98b32f46a20c2e392dcc7f1717fb69447e4e4229c7b6985d
  • d682d5afbbbd9689d5f30db8576b02962af3c733bd01b8f220ff344a9c00abfd
  • a2f0e6f9c5058085eac1c9e7a8b2060b38fd8dbdcba2981283a5e224f346e147
  • 9b93daf047b9010bf4e87ca71ae5aefae660820833c15877a9105215af0745cd
  • 99016e8ca8a72da67264019970ab831064ecc1f10591c90ea3a2e1db530188ee
  • 91811e7a269be50ad03632e66a4a6e6b17b5b9b6d043b5ac5da16d5021de8ddb
  • 956934581dfdba96d69b77b14f6ab3228705862b2bd189cd98d6bfb9565d9570
  • 7f2319f4e340b3877e34d5a06e09365f6356de5706e7a78e367934b8a58ed0e7
  • 4db2fa8e019cf499b8e08e7d036b68926309905eb1d6bb3d5466e551ac8d052e
  • 7d1de2f4ab7c35b53154dc490ad3e7ad19ff04cfaa10b1828beba1ffadbaf1ab
  • 40b75aa3c781f89d55ebff1784ff7419083210e01379bea4f5ef7e05a8609c38
  • 2d2bc95183f58a5e7fe9997b092120d6bfa18ed7ccb4f70b1af1b066ea16a1c3
  • 91.212.166.16
  • 91.212.166.146
  • 193.143.1.205
  • 193.143.1.139
  • 91.212.166.86
  • 91.212.166.21
  • http://www-wpx.net/kodi-21.1-Omega-x64.msi
  • http://www-wpx.net/assets/core.js
  • http://www-kodi.com/getgr.js
  • http://www-kodi.com/getupd.js
  • http://www-kodi.com/getfr.js
  • http://www-kodi.com/droid.js
  • http://www-kodi.com/download.php
  • http://whitelabeliq.com/
  • http://my-tasjeel-ae.com/getid.js
  • http://my-tasjeel-ae.com/getfr.js
  • http://my-tasjeel-ae.com/droid.js
  • http://193.143.1.139/Ujdu8jjooue/biweax.php
  • us-playmarket.com
  • updatestore-spain.com
  • spain-playstores.com
  • spain-playmarket.com
  • playstors-gr.com
  • playstors-france.com
  • playstores-france.com
  • playstore-spain.com
  • playstore-fr.com
  • my-tasjeel-ae.com
  • mikkiwaxbar.co.uk
  • lemasdessalettes.com
  • iconichomestudios.com
  • embajadaguatemala.es
  • gr-playmarkets.com
  • education-ethologique.fr
  • competitivewindscreens.com.au
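The report recommends blocking the IP ranges associated with these campaigns and supplies the mixed list of hashes, IPs, URLs and domains above. The following is an added example, not code from the report or from this page: it classifies a subset of the listed indicators by type, sweeps constructed proxy-log lines against them (matching parent domains, URL hosts and file hashes), and aggregates the listed IPs into /24 candidate block ranges. The log format, the sample log lines and the /24 aggregation are assumptions made for the example; the report's actual recommended ranges are not reproduced on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the indicators listed on this page (hashes, IPs, URLs, domains).
INDICATORS = [
    "e780d314ae6f9bf9d227df004a3c19ab7f3042e583d333f12022ef777ba9600a",
    "2d2bc95183f58a5e7fe9997b092120d6bfa18ed7ccb4f70b1af1b066ea16a1c3",
    "91.212.166.16",
    "91.212.166.146",
    "193.143.1.205",
    "http://www-wpx.net/kodi-21.1-Omega-x64.msi",
    "http://www-kodi.com/droid.js",
    "http://193.143.1.139/Ujdu8jjooue/biweax.php",
    "playstore-fr.com",
    "spain-playmarket.com",
    "my-tasjeel-ae.com",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def classify(ioc):
    """Return 'sha256', 'ipv4', 'url', 'domain' or 'unknown' for one indicator string."""
    ioc = ioc.strip().lower()
    if SHA256_RE.match(ioc):
        return "sha256"
    if "://" in ioc:
        return "url"
    try:
        ipaddress.IPv4Address(ioc)
        return "ipv4"
    except ValueError:
        pass
    if DOMAIN_RE.match(ioc):
        return "domain"
    return "unknown"


def normalize_url(url):
    """Lower-case scheme and host only; URL paths are case-sensitive and kept as-is."""
    p = urlsplit(url.strip())
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl(), (p.hostname or "")


def build_matchers(iocs):
    """Bucket indicators by type; a URL indicator also contributes its host."""
    m = {"sha256": set(), "ipv4": set(), "url": set(), "domain": set()}
    for ioc in iocs:
        kind = classify(ioc)
        if kind == "url":
            url, host = normalize_url(ioc)
            m["url"].add(url)
            if host:
                m["ipv4" if classify(host) == "ipv4" else "domain"].add(host)
        elif kind != "unknown":
            m[kind].add(ioc.strip().lower())
    return m


def matching_domain(host, domains):
    """Exact or parent-domain match: cdn.playstore-fr.com matches playstore-fr.com."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_line(line, m):
    """Match one tab-separated log line: ts, src, dst_ip, url, sha256-or-dash (assumed format)."""
    _ts, _src, dst, url, sha = line.rstrip("\n").split("\t")
    found = []
    norm_url, host = normalize_url(url)
    for ip in (dst, host):  # destination IP and a literal-IP URL host, without double counting
        if ip in m["ipv4"] and ("ipv4", ip) not in found:
            found.append(("ipv4", ip))
    if norm_url in m["url"]:
        found.append(("url", norm_url))
    d = matching_domain(host, m["domain"])
    if d:
        found.append(("domain", d))
    if sha != "-" and sha.lower() in m["sha256"]:
        found.append(("sha256", sha.lower()))
    return found


def scan_logs(text, m):
    """Return [(line_number, matches)] for every line with at least one hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            found = scan_line(line, m)
            if found:
                hits.append((n, found))
    return hits


def block_ranges(ipv4s, prefix=24):
    """Aggregate listed IPs into /prefix networks (assumption: /24 chosen for illustration)."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ipv4s}
    return [str(n) for n in sorted(nets)]


# Constructed sample proxy log (not from the report): ts, src, dst_ip, url, file sha256.
SAMPLE_LOG = "\n".join([
    "2025-04-18T08:11:02Z\t10.0.0.12\t91.212.166.16\thttp://www-kodi.com/droid.js\t-",
    "2025-04-18T08:11:05Z\t10.0.0.12\t203.0.113.7\thttps://cdn.playstore-fr.com/app.apk\t-",
    "2025-04-18T08:12:40Z\t10.0.0.44\t193.143.1.139\thttp://193.143.1.139/Ujdu8jjooue/biweax.php\t-",
    "2025-04-18T08:13:01Z\t10.0.0.44\t198.51.100.9\thttps://example.org/update.msi\t"
    "e780d314ae6f9bf9d227df004a3c19ab7f3042e583d333f12022ef777ba9600a",
    "2025-04-18T08:14:00Z\t10.0.0.7\t198.51.100.9\thttps://example.org/index.html\t-",
])

if __name__ == "__main__":
    matchers = build_matchers(INDICATORS)
    for n, found in scan_logs(SAMPLE_LOG, matchers):
        print(f"line {n}: " + ", ".join(f"{k}={v}" for k, v in found))
    print("candidate block list:", block_ranges(matchers["ipv4"]))
```

Parent-domain matching is what catches the second sample line: the page lists playstore-fr.com, and a lure served from a subdomain such as cdn.playstore-fr.com still hits, while a look-alike like playstore-fr.com.evil.test does not. A URL indicator is also decomposed into its host, which is how 193.143.1.139 enters the IP set and the /24 aggregation even though it appears on the page only inside a URL.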

Attack Patterns

Additional Information

  • Liechtenstein
  • Luxembourg
  • Greece
  • Austria
  • Switzerland
  • Spain
  • France
  • Germany
  • United States of America