{
  "name": "Proton66: Compromised WordPress Pages and Malware Campaigns",
  "slug": "proton66-compromised-wordpress-pages-and-malware-campaigns",
  "description": "This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts that redirect Android users to fake Google Play Store pages. The report also covers the XWorm campaign targeting Korean-speaking users, the Strela Stealer campaign targeting German-speaking countries, and the WeaXor ransomware. The analysis provides insights into the infection chains, malware configurations, and command-and-control servers used in these campaigns. Additionally, it offers recommendations for blocking the associated IP ranges and lists numerous indicators of compromise (IOCs) for each campaign.",
  "published": "2025-04-18T06:11:58+00:00",
  "created_at": "2025-04-18T06:11:58+00:00",
  "modified_at": "2025-04-18T12:14:38+00:00",
  "created_at_opencti": "2025-04-18T06:11:58+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-18",
    "android",
    "germany",
    "korea",
    "phishing",
    "ransomware",
    "remcos",
    "strela stealer",
    "weaxor",
    "wordpress",
    "xworm"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.212.166.16"
      },
      {
        "id": "",
        "name": "91.212.166.146"
      },
      {
        "id": "",
        "name": "193.143.1.205"
      },
      {
        "id": "",
        "name": "193.143.1.139"
      },
      {
        "id": "",
        "name": "91.212.166.86"
      },
      {
        "id": "",
        "name": "91.212.166.21"
      },
      {
        "id": "",
        "name": "http://www-wpx.net/kodi-21.1-Omega-x64.msi"
      },
      {
        "id": "",
        "name": "http://www-wpx.net/assets/core.js"
      },
      {
        "id": "",
        "name": "http://www-kodi.com/getgr.js"
      },
      {
        "id": "",
        "name": "http://www-kodi.com/getupd.js"
      },
      {
        "id": "",
        "name": "http://www-kodi.com/getfr.js"
      },
      {
        "id": "",
        "name": "http://www-kodi.com/droid.js"
      },
      {
        "id": "",
        "name": "http://www-kodi.com/download.php"
      },
      {
        "id": "",
        "name": "http://whitelabeliq.com/"
      },
      {
        "id": "",
        "name": "http://my-tasjeel-ae.com/getid.js"
      },
      {
        "id": "",
        "name": "http://my-tasjeel-ae.com/getfr.js"
      },
      {
        "id": "",
        "name": "http://my-tasjeel-ae.com/droid.js"
      },
      {
        "id": "",
        "name": "http://193.143.1.139/Ujdu8jjooue/biweax.php"
      },
      {
        "id": "",
        "name": "us-playmarket.com"
      },
      {
        "id": "",
        "name": "updatestore-spain.com"
      },
      {
        "id": "",
        "name": "spain-playstores.com"
      },
      {
        "id": "",
        "name": "spain-playmarket.com"
      },
      {
        "id": "",
        "name": "playstors-gr.com"
      },
      {
        "id": "",
        "name": "playstors-france.com"
      },
      {
        "id": "",
        "name": "playstores-france.com"
      },
      {
        "id": "",
        "name": "playstore-spain.com"
      },
      {
        "id": "",
        "name": "playstore-fr.com"
      },
      {
        "id": "",
        "name": "my-tasjeel-ae.com"
      },
      {
        "id": "",
        "name": "mikkiwaxbar.co.uk"
      },
      {
        "id": "",
        "name": "lemasdessalettes.com"
      },
      {
        "id": "",
        "name": "iconichomestudios.com"
      },
      {
        "id": "",
        "name": "embajadaguatemala.es"
      },
      {
        "id": "",
        "name": "gr-playmarkets.com"
      },
      {
        "id": "",
        "name": "education-ethologique.fr"
      },
      {
        "id": "",
        "name": "competitivewindscreens.com.au"
      },
      {
        "id": "",
        "name": "e780d314ae6f9bf9d227df004a3c19ab7f3042e583d333f12022ef777ba9600a"
      },
      {
        "id": "",
        "name": "e55b6664c77a9f3a98b32f46a20c2e392dcc7f1717fb69447e4e4229c7b6985d"
      },
      {
        "id": "",
        "name": "d682d5afbbbd9689d5f30db8576b02962af3c733bd01b8f220ff344a9c00abfd"
      },
      {
        "id": "",
        "name": "a2f0e6f9c5058085eac1c9e7a8b2060b38fd8dbdcba2981283a5e224f346e147"
      },
      {
        "id": "",
        "name": "9b93daf047b9010bf4e87ca71ae5aefae660820833c15877a9105215af0745cd"
      },
      {
        "id": "",
        "name": "99016e8ca8a72da67264019970ab831064ecc1f10591c90ea3a2e1db530188ee"
      },
      {
        "id": "",
        "name": "91811e7a269be50ad03632e66a4a6e6b17b5b9b6d043b5ac5da16d5021de8ddb"
      },
      {
        "id": "",
        "name": "956934581dfdba96d69b77b14f6ab3228705862b2bd189cd98d6bfb9565d9570"
      },
      {
        "id": "",
        "name": "7f2319f4e340b3877e34d5a06e09365f6356de5706e7a78e367934b8a58ed0e7"
      },
      {
        "id": "",
        "name": "4db2fa8e019cf499b8e08e7d036b68926309905eb1d6bb3d5466e551ac8d052e"
      },
      {
        "id": "",
        "name": "7d1de2f4ab7c35b53154dc490ad3e7ad19ff04cfaa10b1828beba1ffadbaf1ab"
      },
      {
        "id": "",
        "name": "40b75aa3c781f89d55ebff1784ff7419083210e01379bea4f5ef7e05a8609c38"
      },
      {
        "id": "",
        "name": "2d2bc95183f58a5e7fe9997b092120d6bfa18ed7ccb4f70b1af1b066ea16a1c3"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:458012d96edcaafe",
        "name": "WeaXor",
        "slug": "weaxor"
      },
      {
        "id": "36b29df4-6012-4cee-bbff-00a72f9b5715",
        "name": "Strela Stealer",
        "slug": "strela-stealer"
      },
      {
        "id": "legacy:malware:196436899fefaba3",
        "name": "Remcos",
        "slug": "remcos"
      },
      {
        "id": "82e2ea8e-729a-4648-ba23-3a792f53fa15",
        "name": "XWorm",
        "slug": "xworm"
      }
    ],
    "intrusion_sets": [
      {
        "id": "353e76bf-55c1-4534-909b-6536cb7ec72f",
        "name": "Proton66",
        "slug": "proton66"
      }
    ],
    "attack_patterns": [
      {
        "id": "8c79f5d6-60f2-4b5c-9b44-3e00ce9294d0",
        "name": "T1074.001"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "2c3d4267-2bae-41ae-8486-5876953a1748",
        "name": "T1129"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Liechtenstein"
      },
      {
        "id": "",
        "name": "Luxembourg"
      },
      {
        "id": "",
        "name": "Greece"
      },
      {
        "id": "",
        "name": "Austria"
      },
      {
        "id": "",
        "name": "Switzerland"
      },
      {
        "id": "",
        "name": "Spain"
      },
      {
        "id": "",
        "name": "France"
      },
      {
        "id": "",
        "name": "Germany"
      },
      {
        "id": "",
        "name": "United States of America"
      }
    ]
  },
  "external_refs": [
    "https://trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns",
    "https://otx.alienvault.com/pulse/6802094e89f266c72f83bda4"
  ]
}