{
  "name": "Part 2: Compromised WordPress Pages and Malware Campaigns",
  "slug": "part-2-compromised-wordpress-pages-and-malware-campaigns",
  "description": "This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries with content mimicking the Google Play Store. Additionally, the XWorm campaign targeted Korean-speaking users through fake investment chat rooms. The Strela Stealer targeted email clients in German-speaking countries, while the WeaXor ransomware, a revised version of Mallox, was also observed. The report details the infection chains, provides IOCs, and recommends blocking CIDR ranges associated with Proton66 and Chang Way Technologies to mitigate risks.",
  "published": "2025-05-16T06:51:12+00:00",
  "created_at": "2025-05-16T06:51:12+00:00",
  "modified_at": "2025-05-21T19:24:43+00:00",
  "created_at_opencti": "2025-05-16T06:51:12+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-16",
    "android",
    "credential-theft",
    "phishing",
    "proton66",
    "ransomware",
    "remcos",
    "strela stealer",
    "weaxor",
    "wordpress",
    "xworm"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "45.93.20.58"
      },
      {
        "id": "",
        "name": "91.212.166.16"
      },
      {
        "id": "",
        "name": "91.212.166.146"
      },
      {
        "id": "",
        "name": "193.143.1.205"
      },
      {
        "id": "",
        "name": "193.143.1.139"
      },
      {
        "id": "",
        "name": "91.212.166.86"
      },
      {
        "id": "",
        "name": "www-wpx.net"
      },
      {
        "id": "",
        "name": "www-kodi.com"
      },
      {
        "id": "",
        "name": "http://updatestore-spain.com/new/landing"
      },
      {
        "id": "",
        "name": "http://91.212.166.86/htdocs.zip."
      },
      {
        "id": "",
        "name": "http://193.143.1.139/Ujdu8jjooue/biweax.php."
      },
      {
        "id": "",
        "name": "http://www-wpx.net/kodi-21.1-Omega-x64.msi"
      },
      {
        "id": "",
        "name": "http://www-wpx.net/assets/core.js"
      },
      {
        "id": "",
        "name": "http://www-kodi.com/getgr.js"
      },
      {
        "id": "",
        "name": "http://www-kodi.com/getupd.js"
      },
      {
        "id": "",
        "name": "http://www-kodi.com/getfr.js"
      },
      {
        "id": "",
        "name": "http://www-kodi.com/droid.js"
      },
      {
        "id": "",
        "name": "http://www-kodi.com/download.php"
      },
      {
        "id": "",
        "name": "http://my-tasjeel-ae.com/getid.js"
      },
      {
        "id": "",
        "name": "http://my-tasjeel-ae.com/getfr.js"
      },
      {
        "id": "",
        "name": "http://my-tasjeel-ae.com/droid.js"
      },
      {
        "id": "",
        "name": "http://193.143.1.139/Ujdu8jjooue/biweax.php"
      },
      {
        "id": "",
        "name": "weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion"
      },
      {
        "id": "",
        "name": "us-playmarket.com"
      },
      {
        "id": "",
        "name": "updatestore-spain.com"
      },
      {
        "id": "",
        "name": "spain-playstores.com"
      },
      {
        "id": "",
        "name": "spain-playmarket.com"
      },
      {
        "id": "",
        "name": "playstors-gr.com"
      },
      {
        "id": "",
        "name": "playstors-france.com"
      },
      {
        "id": "",
        "name": "playstores-france.com"
      },
      {
        "id": "",
        "name": "playstore-spain.com"
      },
      {
        "id": "",
        "name": "playstore-fr.com"
      },
      {
        "id": "",
        "name": "e780d314ae6f9bf9d227df004a3c19ab7f3042e583d333f12022ef777ba9600a"
      },
      {
        "id": "",
        "name": "e55b6664c77a9f3a98b32f46a20c2e392dcc7f1717fb69447e4e4229c7b6985d"
      },
      {
        "id": "",
        "name": "d682d5afbbbd9689d5f30db8576b02962af3c733bd01b8f220ff344a9c00abfd"
      },
      {
        "id": "",
        "name": "a2f0e6f9c5058085eac1c9e7a8b2060b38fd8dbdcba2981283a5e224f346e147"
      },
      {
        "id": "",
        "name": "9b93daf047b9010bf4e87ca71ae5aefae660820833c15877a9105215af0745cd"
      },
      {
        "id": "",
        "name": "99016e8ca8a72da67264019970ab831064ecc1f10591c90ea3a2e1db530188ee"
      },
      {
        "id": "",
        "name": "91811e7a269be50ad03632e66a4a6e6b17b5b9b6d043b5ac5da16d5021de8ddb"
      },
      {
        "id": "",
        "name": "956934581dfdba96d69b77b14f6ab3228705862b2bd189cd98d6bfb9565d9570"
      },
      {
        "id": "",
        "name": "7f2319f4e340b3877e34d5a06e09365f6356de5706e7a78e367934b8a58ed0e7"
      },
      {
        "id": "",
        "name": "4db2fa8e019cf499b8e08e7d036b68926309905eb1d6bb3d5466e551ac8d052e"
      },
      {
        "id": "",
        "name": "7d1de2f4ab7c35b53154dc490ad3e7ad19ff04cfaa10b1828beba1ffadbaf1ab"
      },
      {
        "id": "",
        "name": "40b75aa3c781f89d55ebff1784ff7419083210e01379bea4f5ef7e05a8609c38"
      },
      {
        "id": "",
        "name": "2d2bc95183f58a5e7fe9997b092120d6bfa18ed7ccb4f70b1af1b066ea16a1c3"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:458012d96edcaafe",
        "name": "WeaXor",
        "slug": "weaxor"
      },
      {
        "id": "36b29df4-6012-4cee-bbff-00a72f9b5715",
        "name": "Strela Stealer",
        "slug": "strela-stealer"
      },
      {
        "id": "legacy:malware:196436899fefaba3",
        "name": "Remcos",
        "slug": "remcos"
      },
      {
        "id": "82e2ea8e-729a-4648-ba23-3a792f53fa15",
        "name": "XWorm",
        "slug": "xworm"
      }
    ],
    "attack_patterns": [
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "3245033a-53c4-454c-873a-fb653af0bf8a",
        "name": "T1552"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Liechtenstein"
      },
      {
        "id": "",
        "name": "Luxembourg"
      },
      {
        "id": "",
        "name": "Greece"
      },
      {
        "id": "",
        "name": "Austria"
      },
      {
        "id": "",
        "name": "Korea, Democratic People's Republic of"
      },
      {
        "id": "",
        "name": "Korea, Republic of"
      },
      {
        "id": "",
        "name": "Switzerland"
      },
      {
        "id": "",
        "name": "Spain"
      },
      {
        "id": "",
        "name": "France"
      },
      {
        "id": "",
        "name": "Germany"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns/",
    "https://otx.alienvault.com/pulse/6826fc8026d322f4d963e574"
  ]
}