{
	"id": "6e4b707c-8a39-4dc6-b1c7-211362309dc9",
	"created_at": "2026-04-06T00:16:43.081643Z",
	"updated_at": "2026-04-10T13:12:13.852242Z",
	"deleted_at": null,
	"sha1_hash": "37c868873c5b1b4d54419f3639c920c7da9c0c7f",
	"title": "WEEVILPROXY: An evasive and sophisticated malware campaign silently targeting crypto users across the globe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35785,
	"plain_text": "WEEVILPROXY: An evasive and sophisticated malware campaign silently targeting crypto users across the globe\r\nBy Mohammad Kazem Hassan Nejad 27.06.2025\r\nArchived: 2026-04-05 13:21:28 UTC\r\nWithSecure™ has uncovered a highly sophisticated and evasive malware campaign that has flown under the radar since March 2024.\r\nThe malware campaign targets cryptocurrency users, a user base estimated to be in the hundreds of millions which has emerged as a viable and effective lure to infect users and organizations across all sectors alike.\r\nThe campaign targets victims globally, with infections observed across each continent. Although the campaign targets cryptocurrency users, WithSecure has observed non-cryptocurrency-related organizations in Europe being infected by the malware due to cross-contamination introduced by personal browsing of victims on their corporate machines.\r\nThis is the latest campaign adopting the successful technique of propagating malware through large-scale pervasive ad campaigns displayed throughout the Internet in the form of images and videos using Google Display Network and social media platforms, such as Facebook and Twitter. These ads are estimated to have reached at least tens of thousands of users across the globe.\r\nThe initial stage of infection is primarily masked as popular cryptocurrency-related software and platforms, such as Binance, ByBit, TradingView, and more. However, business-oriented themes have also been deployed through Google ads.\r\nSince its inception, the malware has been in constant and iterative development by the threat actor. Likely driven by its success so far, the threat actor has put in concerted effort to develop the malware’s breadth of capabilities, including novel techniques not observed in any prior malware campaigns - to our knowledge. These new TTPs include methods to modify Windows Setup and Windows Recovery to enable long-term persistence, as well as methods to patch browser extensions ‘on the fly’.\r\nThe extensive user tracking, the breadth of capabilities, the levels of obfuscation, and the sophistication of the campaign indicate a level of professionalism and innovation that’s often not observed in other equivalent malware campaigns, especially from a non-state actor. This is further emphasized by the usage of modern technologies, frameworks, and libraries by the threat actor throughout the campaign, including its usage of PostHog, Grafana, LevelDB, and tRPC, which are often observed in enterprise-level software and not leveraged by threat actors.\r\nWhile the threat actor’s primary goal with the malware is to target cryptocurrency users, the malware’s extensive capabilities and threat actor’s skillset do not limit the threat actor to a specific goal for financial gain and pose a real threat to organizations and users across the globe alike. Furthermore, the lucrative nature of cryptocurrency continues to drive advancements and innovation of ever more professional adversaries as noted by the set of novel features implemented in this campaign.\r\nIn this report, we provide a detailed breakdown of the delivery vector, the initial stage of the attack chain, and functionalities we have noted during our analysis of the main payload. MITRE ATT\u0026CK TTP mapping and a full list of Indicators of Compromise (IOCs) can be found in the appendices.\r\nSource: https://labs.withsecure.com/publications/weevilproxy",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.withsecure.com/publications/weevilproxy"
	],
	"report_names": [
		"weevilproxy"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434603,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37c868873c5b1b4d54419f3639c920c7da9c0c7f.pdf",
		"text": "https://archive.orkl.eu/37c868873c5b1b4d54419f3639c920c7da9c0c7f.txt",
		"img": "https://archive.orkl.eu/37c868873c5b1b4d54419f3639c920c7da9c0c7f.jpg"
	}
}