Proton66: Compromised WordPress Pages and Malware Campaigns
Essential information
- Published
- 18/04/2025 08:11
- Modified
- 18/04/2025 14:14
- Tags
- 2025-04-18 android germany korea phishing ransomware remcos strela stealer weaxor wordpress xworm
- Related entities
- 48 observables, 1 intrusion sets (apt), 15 techniques (mitre), 4 malware, 9 others
Description
This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also covers the XWorm campaign targeting Korean-speaking users, the Strela Stealer targeting German-speaking countries, and the WeaXor ransomware. The analysis provides insights into the infection chains, malware configurations, and command-and-control servers used in these campaigns. Additionally, it offers recommendations for blocking associated IP ranges and lists numerous indicators of compromise (IOCs) for each campaign.