Part 2: Compromised WordPress Pages and Malware Campaigns
This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign targeted Korean-speaking users through fake investment chat rooms. The Strela Stealer targeted email clients in German-speaking countries, while the WeaXor ransomware, a revised version of Mallox, was also observed. The report details the infection chains, provides IOCs, and recommends blocking CIDR ranges associated with Proton66 and Chang Way Technologies to mitigate risks.
AI Analysis
Technical Summary
This threat analysis focuses on a series of malware campaigns linked to the Proton66 group, which primarily target Android devices via compromised WordPress websites. The attackers leverage redirector scripts embedded in these compromised sites to funnel unsuspecting visitors to malicious payloads that mimic legitimate services such as the Google Play Store, thereby increasing the likelihood of successful infection. The campaigns are multi-faceted, including the XWorm malware targeting Korean-speaking users through fake investment chat rooms, the Strela Stealer focusing on email clients predominantly in German-speaking countries, and the WeaXor ransomware, a newer iteration of the Mallox ransomware family.

The infection chains typically begin with exploitation of vulnerable WordPress sites; because WordPress is a widely used content management system, such sites are attractive targets. The redirector scripts serve as the initial infection vector, directing victims to download malware disguised as legitimate applications. The XWorm campaign relies on social engineering tailored to Korean-speaking victims, using fake investment chat rooms to distribute the malware. Strela Stealer is designed to harvest credentials from email clients, posing a significant risk to confidentiality, especially in the German-speaking regions where it has been observed. The WeaXor ransomware encrypts victim data and demands ransom payments, a direct threat to availability and data integrity.

The report also highlights recommended mitigation strategies, including blocking CIDR IP ranges associated with Proton66 and Chang Way Technologies, which are linked to the infrastructure used in these campaigns. The campaigns utilize a variety of tactics, techniques, and procedures (TTPs) such as phishing (T1566), credential theft (T1552), persistence mechanisms (T1547), exploitation of public-facing applications (T1190), and execution of malicious scripts (T1059). This multi-vector approach increases the complexity and potential impact of the threat.
Potential Impact
For European organizations, this threat poses several significant risks. The use of compromised WordPress sites as infection vectors is particularly concerning given the widespread adoption of WordPress across Europe, including many corporate and governmental websites. The Strela Stealer's focus on German-speaking countries indicates a targeted effort to compromise email credentials, which could lead to unauthorized access to sensitive communications and data breaches. The presence of ransomware like WeaXor threatens operational continuity by encrypting critical data and demanding ransom payments, potentially causing financial losses and reputational damage. Furthermore, the phishing and social engineering components of these campaigns increase the likelihood of successful infections, especially in organizations with less mature cybersecurity awareness programs. The targeting of Android devices expands the attack surface, as mobile devices are often less protected and used for both personal and professional purposes. This could facilitate lateral movement within networks or exfiltration of sensitive information. Overall, the threat could disrupt business operations, compromise confidential data, and impose significant recovery costs on affected European entities.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy tailored to the specific tactics observed in these campaigns:
1. Harden WordPress Installations: Regularly update WordPress core, plugins, and themes to patch known vulnerabilities. Employ security plugins that monitor for unauthorized changes and block malicious scripts.
2. Network Controls: Block CIDR ranges associated with Proton66 and Chang Way Technologies at the firewall and intrusion prevention system (IPS) levels to disrupt command and control (C2) communications.
3. Email Security: Deploy advanced email filtering solutions to detect and quarantine phishing attempts, especially those mimicking investment opportunities or other social engineering lures.
4. Endpoint Protection: Use mobile device management (MDM) solutions to enforce security policies on Android devices, including restricting installation of apps from untrusted sources and enabling real-time malware scanning.
5. User Awareness Training: Conduct targeted training focusing on recognizing phishing campaigns, suspicious redirects, and the risks of installing applications from unofficial sources.
6. Incident Response Preparedness: Develop and regularly test incident response plans that include procedures for ransomware containment and recovery, credential theft incidents, and malware eradication.
7. Credential Hygiene: Enforce multi-factor authentication (MFA) across email and critical systems to mitigate the impact of stolen credentials.
8. Monitoring and Threat Intelligence: Continuously monitor network traffic and logs for indicators of compromise (IOCs) related to Proton66 campaigns and integrate threat intelligence feeds to stay updated on emerging tactics.
Affected Countries
Germany, Austria, Switzerland, South Korea
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns/
- Adversary
Threat ID: 682c992c7960f6956616a2b7
Added to database: 5/20/2025, 3:01:00 PM
Last enriched: 7/2/2025, 4:10:29 AM
Last updated: 8/18/2025, 1:43:49 PM