Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns
Earlier this year, SpiderLabs observed an increase in mass scanning, credential brute forcing, and exploitation attempts originating from the Proton66 ASN and targeting organizations worldwide. We are discussing these findings in a two-part series.
In the first part of this blog series, we investigated the malicious traffic associated with Proton66, revealing the extent of the mass scanning and exploitation activities run by threat actors associated with SuperBlack ransomware, such as Mora_001.
In Part 2, we shift our focus to the malware campaigns linked to Proton66, exploring how SpiderLabs found multiple specific instances where compromised WordPress websites were leveraged to target Android devices. We will also examine the XWorm campaign, which specifically targeted Korean-speaking chat room users, and go over other notable threats, including the StrelaStealer credential stealer and the WeaXor ransomware.
Campaigns Targeting Android Devices Using Compromised WordPress Pages
In February 2025, SpiderLabs observed malicious campaigns leveraging compromised WordPress websites related to the Proton66-linked IP address 91.212.166.21. Vulnerable WordPress pages were injected with malicious scripts redirecting Android device users to phishing pages imitating the Google Play Store. We uncovered several fake Play Store domains and found that the naming convention used by the threat actors suggested that they may have intended to target English-speaking (us-playmarket.com), French-speaking (playstors-france.com), Spanish-speaking (updatestore-spain.com), and Greek-speaking users (playstors-gr.com).
Figure 1. Campaign leveraging compromised WordPress pages to serve redirector scripts. Source: SpiderLabs.
Figure 2. Compromised WordPress webpages serving redirector scripts. Source: SpiderLabs.
SpiderLabs did not observe any successful redirections or infections related to these campaigns, as none of the potential victims visiting these compromised pages were Android users.
The redirector scripts are obfuscated and perform several checks against the visitor, such as excluding crawlers and VPN or proxy users. The visitor's IP address is obtained through a query to ipify.org, then the presence of a VPN or proxy is verified through a subsequent query to ipinfo.io. The threat actor used a specific API token for the ipinfo.io service, 3afcf479c3f3e0, which appeared in all versions of the redirector script. Ultimately, the redirection occurs only if an Android browser is detected.
Figure 3. Redirector script served through a compromised WordPress website. Source: SpiderLabs.
When checked against VirusTotal, the redirector scripts are still undetected by all vendors.
Figure 4. getupd.js undetected by all vendors on VirusTotal. Source: SpiderLabs.
Two domains serving script injects were identified, www-kodi.com and my-tasjeel-ae.com, both hosted under Proton66 at 91.212.166.21. However, we recently observed that both were pointed toward a new address, 45.93.20.58. This IP address belongs to Chang Way Technologies, suggesting a relationship between the two providers.
Interestingly, www-kodi.com was set up as a phishing domain as well, mimicking the well-known home theater software Kodi. Upon clicking the download button, users would be redirected to another malicious domain controlled by the threat actor, www-wpx.net, where a malicious installer, ‘kodi-21.1-Omega-x64.msi’, would be served. Unfortunately, at the time of research the installer was no longer available, so SpiderLabs was unable to analyze it.
Figure 5. Phishing website imitating Kodi used to serve redirector injects. Source: SpiderLabs.
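The indicators above (the inject-serving domains, the hard-coded ipinfo.io token, the fake Play Store landing domains, and the ipify/ipinfo/Android check sequence) can be turned into a simple content scanner for WordPress administrators or responders who want to check fetched pages and script files for this campaign. The following is an added example written for this post, not code from SpiderLabs; the sample page bodies are constructed and the behavioural heuristic (all three strings ipify.org, ipinfo.io and android present in one body) is an assumption based on the description above, so treat it as a triage signal rather than a verdict.

```python
import re
from dataclasses import dataclass

# Indicators from the campaign described above: the domains that served the
# inject scripts and the ipinfo.io token present in every redirector variant.
INJECT_DOMAINS = {"www-kodi.com", "my-tasjeel-ae.com", "www-wpx.net"}
IPINFO_TOKEN = "3afcf479c3f3e0"
FAKE_STORE_DOMAINS = {
    "us-playmarket.com", "playstors-france.com",
    "updatestore-spain.com", "playstors-gr.com",
}

# Matches the host of an external <script src=...> tag.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]+src=[\"']?(?:https?:)?//([^/\"'\s>]+)", re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    detail: str


def scan_content(text):
    """Return a list of Findings for one fetched page or script body."""
    findings = []
    lowered = text.lower()

    # 1. Inject: a <script> loaded from one of the domains that served the redirectors.
    for m in SCRIPT_SRC_RE.finditer(text):
        host = m.group(1).lower()
        if host in INJECT_DOMAINS:
            findings.append(Finding("inject_script_src", host))

    # 2. The hard-coded ipinfo.io token shared by all redirector versions.
    if IPINFO_TOKEN in text:
        findings.append(Finding("ipinfo_token", IPINFO_TOKEN))

    # 3. Landing domains imitating the Play Store.
    for domain in sorted(FAKE_STORE_DOMAINS):
        if domain in lowered:
            findings.append(Finding("fake_store_domain", domain))

    # 4. Behavioural heuristic (assumption): ipify lookup, ipinfo lookup and an
    #    Android user-agent check together in one body, the sequence described above.
    if all(s in lowered for s in ("ipify.org", "ipinfo.io", "android")):
        findings.append(Finding("redirector_heuristic", "ipify+ipinfo+android"))
    return findings


# --- Constructed sample inputs (not real captured content) ---
SAMPLE_INJECTED_PAGE = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www-kodi.com/getupd.js"></script>
</head><body><p>Welcome</p></body></html>"""

# Only the indicator strings a redirector variant would contain, not its logic.
SAMPLE_REDIRECTOR_JS = """var a='https://api.ipify.org?format=json';
var b='https://ipinfo.io/?token=3afcf479c3f3e0';
var ua=navigator.userAgent.indexOf('Android');
var dst='https://us-playmarket.com/';"""

SAMPLE_BENIGN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Opening hours and contact form.</p></body></html>"""


def scan_many(named_bodies):
    """Map each name to the sorted finding kinds in its body; empty means clean."""
    return {name: sorted({f.kind for f in scan_content(body)})
            for name, body in named_bodies.items()}


if __name__ == "__main__":
    report = scan_many({
        "injected.html": SAMPLE_INJECTED_PAGE,
        "getupd.js": SAMPLE_REDIRECTOR_JS,
        "benign.html": SAMPLE_BENIGN_PAGE,
    })
    for name, kinds in report.items():
        print(f"{name}: {', '.join(kinds) or 'clean'}")
```

In practice you would feed `scan_content` the raw bodies of theme and plugin files, `wp_posts` content and any externally hosted scripts a page loads; a hit on `inject_script_src` points at the file or post that was modified, which is where the cleanup starts.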
XWorm Campaign Targeting Korean-Speaking Users
In early March, a ZIP archive containing resources of an unidentified threat actor was publicly accessible on a web server in the Proton66 network (hxxp://91.212.166.86/htdocs.zip). The archive included payloads used at different stages of the XWorm infection chain, and Excel spreadsheets containing personal data of Korean-speaking users, including first names, surnames, account numbers, and banking information. Other documents found in the archive were deposit and loan lists and investment portfolios. Additionally, one of the folders contained a legitimate GoTo Meeting executable together with a modified g2m.dll, which is used to sideload the Remcos remote access trojan (RAT).
Figure 6. A database labeled ’coin21’ (redacted). Source: SpiderLabs.
An analysis of the whole package and its numerous folders suggests the intended initial compromise mechanism likely involved chat rooms and channels sharing investment information, where users are exposed to social engineering schemes and presented with malicious shortcut files, leading to XWorm infection. There are numerous fake chat channels in Korea claiming to share investment information and attract investors. Many of these channels are designed to launch social engineering attacks and steal users’ funds either directly or by using malware.
Figure 7. XWorm infection chain. Source: SpiderLabs.
The first stage in the infection chain is a shortcut file executing a PowerShell command, which in turn runs a script (win64.vbs) that is also found in the archive. The script is designed to download a Base64-encoded .NET DLL from a specified URL (hxxp://91.212.166.16/DLLl.txt), load it into memory, and invoke a chosen class method. The DLL downloads and loads the XWorm binary (91.212.166.16/base64.txt) and adds persistence.
Figure 8. Vbs loader script invoking PowerShell downloader. Source: SpiderLabs.
Figure 9. XWorm configuration. Source: SpiderLabs.
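The chain described above (shortcut, PowerShell, VBScript, in-memory load of a Base64-encoded .NET assembly) leaves a recognisable parent/child process pattern that endpoint telemetry can catch before the final payload runs. The following is an added example written for this post, not SpiderLabs code or a rule from the original campaign analysis; the process events are constructed in the shape of Sysmon Event ID 1 records, the rule names are invented here, and the regular expressions are assumptions about how such command lines typically look.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
# Event 104's command line is a fragment carrying the load pattern only; it is not a working loader.
SAMPLE_EVENTS = [
    {"pid": 101, "ppid": 50, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\win64.vbs"'},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\win64.vbs"},
    {"pid": 104, "ppid": 103,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "[Reflection.Assembly]::Load([Convert]::FromBase64String($x))"'},
    {"pid": 200, "ppid": 50,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

HIDDEN_PS_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
VBS_LAUNCH_RE = re.compile(r"wscript(?:\.exe)?\s+.*\.vbs\b", re.IGNORECASE)


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def is_powershell(ev):
    return basename(ev["image"]) in ("powershell.exe", "pwsh.exe")


def ancestry(ev, by_pid):
    """Image names of the parent, grandparent, ... as far as the event set allows."""
    chain, cur = [], ev
    while cur["ppid"] in by_pid:
        cur = by_pid[cur["ppid"]]
        chain.append(basename(cur["image"]))
    return chain


# Each rule returns True when the event matches. Rule names are assumptions.
def rule_hidden_powershell_launches_vbs(ev, by_pid):
    cl = ev["cmdline"]
    return is_powershell(ev) and bool(HIDDEN_PS_RE.search(cl)) and bool(VBS_LAUNCH_RE.search(cl))


def rule_inmemory_dotnet_load(ev, by_pid):
    cl = ev["cmdline"].lower()
    return is_powershell(ev) and "assembly]::load" in cl and "frombase64string" in cl


def rule_shortcut_vbs_powershell_chain(ev, by_pid):
    # PowerShell whose ancestry passes through wscript.exe and, above it, the shell
    # (explorer.exe), i.e. a user double-clicked something that led here.
    parents = ancestry(ev, by_pid)
    return is_powershell(ev) and "wscript.exe" in parents and "explorer.exe" in parents


RULES = {
    "hidden_powershell_launches_vbs": rule_hidden_powershell_launches_vbs,
    "inmemory_dotnet_load": rule_inmemory_dotnet_load,
    "shortcut_vbs_powershell_chain": rule_shortcut_vbs_powershell_chain,
}


def evaluate(events):
    """Return sorted (pid, rule_name) pairs for every rule hit."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev, by_pid):
                hits.append((ev["pid"], name))
    return sorted(hits)


if __name__ == "__main__":
    for pid, name in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}")
```

The chain rule is the one worth keeping even when the script names change, because it keys on process lineage rather than on strings in a command line that the next variant will rewrite.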
Strela Stealer Targeting German Speaking Countries
Strela Stealer is another malware family whose operators leverage Proton66 hosting services. Strela Stealer (rus. Cтрела, lit. 'Arrow') is an infostealer that exfiltrates email log-in credentials and has been in the wild since late 2022. From January to February 2025, SpiderLabs observed targeted email phishing campaigns delivering Strela Stealer, with both the payload and the command-and-control (C2) server hosted under the Proton66 address 193.143.1.205.
Strela Stealer targets the Mozilla Thunderbird and Microsoft Outlook email clients on systems located in selected European countries: Germany, Austria, Liechtenstein, Luxembourg, and Switzerland.
Figure 10. Strela Stealer infection chain. Source: SpiderLabs.
Detailed information about this Strela Stealer malware campaign can be found in a previously published SpiderLabs blog, “A Deep Dive into Strela Stealer and how it Targets European Countries”.
WeaXor Ransomware
SpiderLabs identified multiple C2 servers in the Proton66 network. Some of them were used by a recently discovered malware family, WeaXor. WeaXor is a revised version of the Mallox ransomware that appends the “.wex” suffix to encrypted files. The collected WeaXor samples communicate with the C2 server at hxxp://193.143.1.139/Ujdu8jjooue/biweax.php.
Figure 11. WeaXor ransom note. Source: SpiderLabs.
Once encryption completes, the ransomware drops a “RECOVERY INFO” file into each directory containing encrypted files. The note contains a unique victim key ID, the address of a webchat, and an email address for obtaining further instructions on how to pay the ransom. At the time of writing, the WeaXor group demanded $2,000, payable in BTC or USDT, for a decryptor.
Figure 12. WeaXor .onion webchat for victim communication. Source: SpiderLabs.
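Two artifacts described above, the “.wex” suffix and the “RECOVERY INFO” note dropped per directory, are enough to scope how far an infection reached on a file server or a share. The following is an added example for this post, not SpiderLabs tooling; it builds a constructed directory tree in a temporary location and walks it. The note is matched by the prefix “RECOVERY INFO” because the exact file extension is not stated above, which is an assumption.

```python
import os
import tempfile

ENCRYPTED_SUFFIX = ".wex"        # suffix WeaXor appends to encrypted files
RANSOM_NOTE_PREFIX = "recovery info"  # assumed prefix match; extension not known


def scan_tree(root):
    """Walk root and return (encrypted_per_dir, note_paths).

    encrypted_per_dir maps a directory (relative to root) to its count of
    .wex files; note_paths lists every ransom note found, relative to root.
    """
    per_dir, notes = {}, []
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        enc = [f for f in files if f.lower().endswith(ENCRYPTED_SUFFIX)]
        if enc:
            per_dir[rel] = len(enc)
        for f in files:
            if f.lower().startswith(RANSOM_NOTE_PREFIX):
                notes.append(os.path.join(rel, f))
    return per_dir, notes


def summarize(root):
    """Aggregate the scan into the numbers an incident lead asks for first."""
    per_dir, notes = scan_tree(root)
    note_dirs = {os.path.dirname(n) for n in notes}
    return {
        "encrypted_files": sum(per_dir.values()),
        "affected_dirs": len(per_dir),
        "ransom_notes": len(notes),
        # Directories with a note but no .wex file: worth a closer look, since
        # the note may have been dropped where encryption was interrupted.
        "note_without_encryption": sorted(note_dirs - set(per_dir)),
    }


def build_sample_tree(root):
    """Constructed fixture: two hit directories, one interrupted, one untouched."""
    layout = {
        "finance": ["q1.xlsx.wex", "q2.xlsx.wex", "RECOVERY INFO.txt"],
        os.path.join("finance", "archive"): ["old.docx.wex", "RECOVERY INFO.txt"],
        "hr": ["RECOVERY INFO.txt", "handbook.pdf"],
        "public": ["readme.txt"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("x")
    return root


def run_demo():
    """Build the fixture in a temp dir, scan it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(tmp)


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Run against a mounted share, the per-directory counts from `scan_tree` give the restore team a prioritised list, and the `note_without_encryption` entries flag directories where the process may have been killed mid-run.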
Conclusions
Trustwave SpiderLabs recommends blocking all the CIDR ranges associated with Proton66 and Chang Way Technologies to mitigate the risk of compromise resulting from exploit attempts and phishing activities:
Proton66 ASN:
- 45.134.26.0/24
- 45.135.232.0/24
- 45.140.17.0/24
- 91.212.166.0/24
- 193.143.1.0/24
Chang Way Technologies ASN:
- 45.93.20.0/24
- 91.240.118.0/24
- 185.11.61.0/24
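The recommended ranges above are useful both as a firewall blocklist and as a lens over existing logs to see whether these providers have already been talking to your infrastructure. The following is an added example written for this post, not SpiderLabs code; the access log lines are constructed for the example, while the CIDR ranges are exactly those listed above.

```python
import ipaddress
import re
from collections import Counter

# CIDR ranges exactly as recommended above.
PROTON66_RANGES = [
    "45.134.26.0/24", "45.135.232.0/24", "45.140.17.0/24",
    "91.212.166.0/24", "193.143.1.0/24",
]
CHANG_WAY_RANGES = ["45.93.20.0/24", "91.240.118.0/24", "185.11.61.0/24"]

# Parsed once; lookups use ipaddress membership tests.
BLOCKLIST = {
    ipaddress.ip_network(cidr): label
    for label, ranges in (("Proton66", PROTON66_RANGES),
                          ("Chang Way Technologies", CHANG_WAY_RANGES))
    for cidr in ranges
}


def classify_ip(ip_str):
    """Return the provider label if ip_str falls in a blocked range, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:          # malformed field in the log, not an address
        return None
    for net, label in BLOCKLIST.items():
        if ip in net:
            return label
    return None


# Constructed combined-format access log lines (not a real capture).
SAMPLE_LOG = """\
91.212.166.21 - - [12/Feb/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [12/Feb/2025:10:01:05 +0000] "GET / HTTP/1.1" 200 8123
45.93.20.58 - - [12/Feb/2025:10:02:11 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0
193.143.1.205 - - [12/Feb/2025:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 200 512
198.51.100.9 - - [12/Feb/2025:10:04:00 +0000] "GET /about HTTP/1.1" 200 4000
"""

LOG_IP_RE = re.compile(r"^(\S+)\s")   # client address is the first field


def flag_log_lines(log_text):
    """Return (line_no, ip, provider) for every line whose client is in a blocked range."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_IP_RE.match(line)
        if not m:
            continue
        label = classify_ip(m.group(1))
        if label:
            hits.append((n, m.group(1), label))
    return hits


def summarize(log_text):
    """Count flagged lines per provider."""
    return Counter(label for _, _, label in flag_log_lines(log_text))


def render_nft_elements():
    """Render the ranges as the element list of an nftables ipv4_addr interval set."""
    return "elements = { " + ", ".join(str(net) for net in BLOCKLIST) + " }"


if __name__ == "__main__":
    for n, ip, label in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {label}")
    print(summarize(SAMPLE_LOG))
    print(render_nft_elements())
```

The `render_nft_elements` output drops into a set declared with `type ipv4_addr` and `flags interval`; for other firewalls, the `BLOCKLIST` keys are already `ip_network` objects and can be rendered in whatever syntax the device expects.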
IOCs Observed (Campaigns Targeting Android Devices):
Type | Value
--- | ---
IP | 91.212.166.21
IP | 91.212.166.146
IP | 45.93.20.58
Domain | www-kodi.com
URL | www-kodi.com/download.php
URL | www-kodi.com/getupd.js
SHA256 | e55b6664c77a9f3a98b32f46a20c2e392dcc7f1717fb69447e4e4229c7b6985d
URL | www-kodi.com/droid.js
SHA256 | 99016e8ca8a72da67264019970ab831064ecc1f10591c90ea3a2e1db530188ee
URL | www-kodi.com/getfr.js
SHA256 | 9b93daf047b9010bf4e87ca71ae5aefae660820833c15877a9105215af0745cd
URL | www-kodi.com/getgr.js
SHA256 | e780d314ae6f9bf9d227df004a3c19ab7f3042e583d333f12022ef777ba9600a
Domain | my-tasjeel-ae.com
URL | my-tasjeel-ae.com/getid.js
SHA256 | 2d2bc95183f58a5e7fe9997b092120d6bfa18ed7ccb4f70b1af1b066ea16a1c3
URL | my-tasjeel-ae.com/getfr.js
URL | my-tasjeel-ae.com/droid.js
Domain | spain-playstores.com
Domain | playstore-spain.com
Domain | spain-playmarket.com
Domain | updatestore-spain.com
URL | updatestore-spain.com/new/landing
Domain | playstors-france.com
Domain | playstore-fr.com
Domain | playstores-france.com
Domain | playstors-gr.com
Domain | gr-playmarkets.com
Domain | us-playmarket.com
Domain | www-wpx.net
URL | www-wpx.net/kodi-21.1-Omega-x64.msi
URL | www-wpx.net/assets/core.js
IPInfo API Token | 3afcf479c3f3e0
Compromised WordPress Websites:
Type | Value
--- | ---
Compromised Website | competitivewindscreens.com.au/
Compromised Website | www.cbua.es/
Compromised Website | mikkiwaxbar.co.uk/
Compromised Website | embajadaguatemala.es/
Compromised Website | lemasdessalettes.com/
Compromised Website | education-ethologique.fr/
Compromised Website | iconichomestudios.com/
Compromised Website | whitelabeliq.com/
IOCs Observed (XWorm Campaign Targeting Korean Users):
Type | Value
--- | ---
IP | 91.212.166.86
URL | 91.212.166.86/htdocs.zip
SHA256 | 91811e7a269be50ad03632e66a4a6e6b17b5b9b6d043b5ac5da16d5021de8ddb
URL | 91.212.166.16/DLLl.txt
SHA256 | 4db2fa8e019cf499b8e08e7d036b68926309905eb1d6bb3d5466e551ac8d052e
URL | 91.212.166.16/base64.txt
SHA256 | 956934581dfdba96d69b77b14f6ab3228705862b2bd189cd98d6bfb9565d9570
URL | 91.212.166.16/Pe.txt
SHA256 | a2f0e6f9c5058085eac1c9e7a8b2060b38fd8dbdcba2981283a5e224f346e147
IOCs Observed (WeaXor Ransomware):
Type | Value
--- | ---
IP | 193.143.1.139
URL | 193.143.1.139/Ujdu8jjooue/biweax.php
Domain | weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion
SHA256 | 7d1de2f4ab7c35b53154dc490ad3e7ad19ff04cfaa10b1828beba1ffadbaf1ab
SHA256 | d682d5afbbbd9689d5f30db8576b02962af3c733bd01b8f220ff344a9c00abfd
SHA256 | 40b75aa3c781f89d55ebff1784ff7419083210e01379bea4f5ef7e05a8609c38
SHA256 | 7f2319f4e340b3877e34d5a06e09365f6356de5706e7a78e367934b8a58ed0e7