{
	"id": "449cf682-2785-4ef8-806b-65554f9bb4c5",
	"created_at": "2026-04-06T01:30:05.814215Z",
	"updated_at": "2026-04-10T13:12:35.272218Z",
	"deleted_at": null,
	"sha1_hash": "99f78815741c76b079bd8f772ec6f61b0e9cd354",
	"title": "Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1603583,
	"plain_text": "Proton66 Part 2: Compromised WordPress Pages and Malware\r\nCampaigns\r\nBy Pawel Knapczyk, Dawid Nesterowicz\r\nPublished: 2025-04-17 · Archived: 2026-04-06 01:25:02 UTC\r\nApril 17, 2025 5 Minute Read by Pawel Knapczyk, Dawid Nesterowicz\r\nEarlier this year SpiderLabs observed an increase in mass scanning, credential brute forcing, and exploitation\r\nattempts originating from the Proton66 ASN targeting organizations worldwide, which we are discussing in a two-part\r\nseries.\r\nIn the first part of this blog series, we investigated the malicious traffic associated with Proton66, revealing the\r\nextent of the mass scanning and exploit activities run by SuperBlack ransomware-associated threat actors such\r\nas Mora_001.\r\nIn Part 2, we shift our focus to the malware campaigns linked to Proton66, exploring how SpiderLabs found\r\nmultiple specific instances where compromised WordPress websites were leveraged to target Android devices. We\r\nwill also examine the XWorm campaign, which specifically targeted Korean-speaking chat room users, and go\r\nover other notable threats, including the Strela Stealer credential stealer and the WeaXor ransomware.\r\nCampaigns Targeting Android Devices Using Compromised WordPress Pages\r\nIn February 2025, SpiderLabs observed malicious campaigns leveraging compromised WordPress websites related\r\nto the Proton66-linked IP address 91.212.166.21. Vulnerable WordPress pages were injected with malicious scripts\r\nredirecting Android device users to phishing pages imitating the Google Play Store. We uncovered several fake\r\nPlay Store domains and found that the naming convention used by the threat actors suggested that they may have\r\nintended to target English (us-playmarket.com), French (playstors-france.com), Spanish (updatestore-spain.com),\r\nand Greek speaking users (playstors-gr.com).\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns/\r\nPage 1 of 13\n\nFigure 1. Campaign leveraging compromised WordPress pages to serve redirector scripts. Source: SpiderLabs.\r\nFigure 2. Compromised WordPress webpages serving redirector scripts. Source: SpiderLabs.\r\nSpiderLabs did not observe any successful redirections or infections related to these campaigns, as none of the\r\npotential victims visiting these compromised pages were Android users.\r\nThe redirector scripts are obfuscated and perform several checks against the victim, such as excluding crawlers\r\nand VPN or proxy users. The user's IP is obtained through a query to ipify.org, then the presence of a VPN or proxy\r\nis verified through a subsequent query to ipinfo.io. The threat actor used a specific API token for the ipinfo.io\r\nservice, 3afcf479c3f3e0, which appeared in all versions of the redirector script. Ultimately, the redirection occurs\r\nonly if an Android browser is found.\r\nFigure 3. Redirector script served through a compromised WordPress website. Source: SpiderLabs.\r\nWhen checked against VirusTotal, the redirector scripts are still undetected by all vendors.\r\nFigure 4. getupd.js undetected by all vendors on VirusTotal. Source: SpiderLabs.\r\nTwo domains serving script injects were identified, www-kodi.com and my-tasjeel-ae.com, both hosted under\r\nProton66: 91.212.166.21. However, we recently observed that both were pointed toward a new address:\r\n45.93.20.58. This IP address belongs to Chang Way Technologies, suggesting a relation between both providers.\r\nInterestingly, www-kodi.com was set up as a phishing domain as well, mimicking the known home theater\r\nsoftware Kodi. Upon clicking the download button, users would be redirected to another malicious domain\r\ncontrolled by the threat actor, www-wpx.net, where a malicious installer ‘kodi-21.1-Omega-x64.msi’ would be\r\nserved. Unfortunately, at the time of research, the installer was no longer available; thus, SpiderLabs was unable to\r\nanalyze it.\r\nFigure 5. Phishing website imitating Kodi used to serve redirector injects. Source: SpiderLabs.\r\nXWorm Campaign Targeting Korean-Speaking Users\r\nIn early March, a ZIP archive containing resources of an unidentified threat actor was publicly accessible at a web\r\nservice in the Proton66 network at the IP address hxxp://91.212.166.86/htdocs.zip. The archive included payloads\r\nused at different stages of the XWorm infection chain, and Excel spreadsheets containing personal data of Korean-speaking users, including details such as first names, surnames, account numbers, and banking information. Other\r\ndocuments found in the archive were deposit and loan lists and investment portfolios. Additionally, one of the\r\nfolders contained a legitimate GoTo Meeting executable together with a modified g2m.dll, which is used to\r\nsideload the Remcos remote access trojan (RAT).\r\nFigure 6. A database labeled ‘coin21’ (redacted). Source: SpiderLabs.\r\nAn analysis of the whole package and numerous folders suggests the intended initial compromise mechanism\r\nlikely involved the use of chat rooms and channels sharing investment information, where users are prone to being\r\nsubjected to social engineering schemes and presented with malicious shortcut files, leading to XWorm infection.\r\nThere are numerous fake chat channels in Korea claiming to share investment information and attract investors.\r\nMany of these channels are designed to launch social engineering attacks and steal users’ funds either directly or\r\nby using malware.\r\nFigure 7. XWorm infection chain. Source: SpiderLabs.\r\nThe first stage in the infection chain is a shortcut file executing a PowerShell command, which in turn runs a\r\nscript (win64.vbs) that is also found in the archive. The script is designed to download a Base64-encoded .NET\r\nDLL from a specified URL (hxxp://91.212.166.16/DLLl.txt), load it into memory, and invoke a chosen class\r\nmethod. The DLL downloads and loads the XWorm binary (91.212.166.16/base64.txt) and adds persistence.\r\nFigure 8. VBS loader script invoking PowerShell downloader. Source: SpiderLabs.\r\nFigure 9. XWorm configuration. Source: SpiderLabs.\r\nStrela Stealer Targeting German-Speaking Countries\r\nStrela Stealer is another malware family whose operators leverage Proton66 hosting services. Strela Stealer\r\n(rus. Стрела, lit. 'Arrow') is an infostealer that exfiltrates email log-in credentials and has been in the wild since\r\nlate 2022. From January to February 2025, SpiderLabs observed targeted email phishing campaigns delivering\r\nStrela Stealer and communicating with a command-and-control (C2) server (193.143.1.205).\r\nStrela Stealer targets the Mozilla Thunderbird and Microsoft Outlook email clients on systems located in selected\r\nEuropean countries: Germany, Austria, Liechtenstein, Luxembourg, and Switzerland.\r\nSpiderLabs observed targeted email phishing campaigns delivering Strela Stealer with a payload and C2 server\r\nhosted under 193.143.1.205.\r\nFigure 10. Strela Stealer infection chain. Source: SpiderLabs.\r\nDetailed information about this Strela Stealer malware campaign can be found in a previously published\r\nSpiderLabs blog, “A Deep Dive into Strela Stealer and how it Targets European Countries”.\r\nWeaXor Ransomware\r\nSpiderLabs identified multiple C2 servers in the Proton66 network. Some of them were used in certain instances\r\nby a recently discovered malware family, WeaXor. WeaXor is a revised version of the Mallox malware that\r\nappends the “.wex” suffix to encrypted files. The collected WeaXor samples communicate with the C2 server at\r\nhxxp://193.143.1[.]139/Ujdu8jjooue/biweax.php.\r\nFigure 11. WeaXor ransom note. Source: SpiderLabs.\r\nUpon completion of execution, the ransomware drops a “RECOVERY INFO” file into each directory with\r\nencrypted files. The note contains a unique victim key ID, the address of a webchat, and an email address to\r\nobtain additional instructions on how to pay the ransom. At the time of writing, the WeaXor group demanded\r\n$2,000, transferred in BTC or USDT, for a decryptor.\r\nFigure 12. WeaXor .onion webchat for victim communication. Source: SpiderLabs.\r\nConclusions\r\nTrustwave SpiderLabs recommends blocking all the CIDR ranges associated with Proton66 and Chang Way\r\nTechnologies to mitigate the risk of compromise resulting from exploit attempts and phishing activities:\r\nProton66 ASN:\r\n45.134.26.0/24\r\n45.135.232.0/24\r\n45.140.17.0/24\r\n91.212.166.0/24\r\n193.143.1.0/24\r\nChang Way Technologies ASN:\r\n45.93.20.0/24\r\n91.240.118.0/24\r\n185.11.61.0/24\r\nIOCs Observed (Campaigns Targeting Android Devices):\r\nType Value\r\nIP 91.212.166.21\r\nIP 91.212.166.146\r\nIP 45.93.20.58\r\nDomain www-kodi.com\r\nURL www-kodi.com/download.php\r\nURL www-kodi.com/getupd.js\r\nSHA256 e55b6664c77a9f3a98b32f46a20c2e392dcc7f1717fb69447e4e4229c7b6985d\r\nURL www-kodi.com/droid.js\r\nSHA256 99016e8ca8a72da67264019970ab831064ecc1f10591c90ea3a2e1db530188ee\r\nURL www-kodi.com/getfr.js\r\nSHA256 9b93daf047b9010bf4e87ca71ae5aefae660820833c15877a9105215af0745cd\r\nURL www-kodi.com/getgr.js\r\nSHA256 e780d314ae6f9bf9d227df004a3c19ab7f3042e583d333f12022ef777ba9600a\r\nDomain my-tasjeel-ae.com\r\nURL my-tasjeel-ae.com/getid.js\r\nSHA256 2d2bc95183f58a5e7fe9997b092120d6bfa18ed7ccb4f70b1af1b066ea16a1c3\r\nURL my-tasjeel-ae.com/getfr.js\r\nURL my-tasjeel-ae.com/droid.js\r\nDomain spain-playstores.com\r\nDomain playstore-spain.com\r\nDomain spain-playmarket.com\r\nDomain updatestore-spain.com\r\nURL updatestore-spain.com/new/landing\r\nDomain playstors-france.com\r\nDomain playstore-fr.com\r\nDomain playstores-france.com\r\nDomain playstors-gr.com\r\nDomain gr-playmarkets.com\r\nDomain us-playmarket.com\r\nDomain www-wpx.net\r\nURL www-wpx.net/kodi-21.1-Omega-x64.msi\r\nURL www-wpx.net/assets/core.js\r\nIOCs Observed (Campaigns Targeting Android Devices):\r\nType Value\r\nIPInfo API Token 3afcf479c3f3e0\r\nCompromised WordPress Websites:\r\nType Value\r\nCompromised Website competitivewindscreens.com.au/\r\nCompromised Website www.cbua.es/\r\nCompromised Website mikkiwaxbar.co.uk/\r\nCompromised Website embajadaguatemala.es/\r\nCompromised Website lemasdessalettes.com/\r\nCompromised Website education-ethologique.fr/\r\nCompromised Website iconichomestudios.com/\r\nCompromised Website whitelabeliq.com/\r\nIOCs Observed (XWorm Campaign Targeting Korean Users):\r\nType Value\r\nIP 91.212.166.86\r\nURL 91.212.166.86/htdocs.zip\r\nSHA256 91811e7a269be50ad03632e66a4a6e6b17b5b9b6d043b5ac5da16d5021de8ddb\r\nURL 91.212.166.16/DLLl.txt\r\nSHA256 4db2fa8e019cf499b8e08e7d036b68926309905eb1d6bb3d5466e551ac8d052e\r\nURL 91.212.166.16/base64.txt\r\nSHA256 956934581dfdba96d69b77b14f6ab3228705862b2bd189cd98d6bfb9565d9570\r\nURL 91.212.166.16/Pe.txt\r\nSHA256 a2f0e6f9c5058085eac1c9e7a8b2060b38fd8dbdcba2981283a5e224f346e147\r\nIOCs Observed (WeaXor Ransomware):\r\nType Value\r\nIP 193.143.1.139\r\nURL 193.143.1.139/Ujdu8jjooue/biweax.php\r\nDomain weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion\r\nSHA256 7d1de2f4ab7c35b53154dc490ad3e7ad19ff04cfaa10b1828beba1ffadbaf1ab\r\nSHA256 d682d5afbbbd9689d5f30db8576b02962af3c733bd01b8f220ff344a9c00abfd\r\nSHA256 40b75aa3c781f89d55ebff1784ff7419083210e01379bea4f5ef7e05a8609c38\r\nSHA256 7f2319f4e340b3877e34d5a06e09365f6356de5706e7a78e367934b8a58ed0e7\r\nSource: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns/"
	],
	"report_names": [
		"proton66-part-2-compromised-wordpress-pages-and-malware-campaigns"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "353d3a83-ce02-44a2-a663-dafdbbb617a0",
			"created_at": "2025-03-21T02:00:03.842688Z",
			"updated_at": "2026-04-10T02:00:03.83742Z",
			"deleted_at": null,
			"main_name": "Mora_001",
			"aliases": [],
			"source_name": "MISPGALAXY:Mora_001",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439005,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99f78815741c76b079bd8f772ec6f61b0e9cd354.pdf",
		"text": "https://archive.orkl.eu/99f78815741c76b079bd8f772ec6f61b0e9cd354.txt",
		"img": "https://archive.orkl.eu/99f78815741c76b079bd8f772ec6f61b0e9cd354.jpg"
	}
}