Part 2: Compromised WordPress Pages and Malware Campaigns
Essential information
- Published: 16/05/2025 08:51
- Modified: 21/05/2025 21:24
- Tags: 2025-05-16, android, credential-theft, phishing, proton66, ransomware, remcos, strela stealer, weaxor, wordpress, xworm
- Related entities: 45 observables, 11 techniques (MITRE), 4 malware, 12 others
Description
This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors placed redirector scripts on the compromised sites to send users from various countries to pages mimicking the Google Play Store. Additionally, the XWorm campaign targeted Korean-speaking users through fake investment chat rooms. The Strela Stealer targeted email clients in German-speaking countries, while the WeaXor ransomware, a revised version of Mallox, was also observed. The report details the infection chains, provides IOCs, and recommends blocking the CIDR ranges associated with Proton66 and Chang Way Technologies to mitigate the risk.