{"id":10369,"date":"2025-06-27T12:12:00","date_gmt":"2025-06-27T11:12:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/weevilproxy\/"},"modified":"2025-06-27T12:12:00","modified_gmt":"2025-06-27T11:12:00","slug":"weevilproxy","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/weevilproxy\/","title":{"rendered":"WEEVILPROXY"},"content":{"rendered":"\n
\n
\n

\n WEEVIL PROXY<\/span><\/h1>
\n
\n \n \n Software Protection <\/span>\n \n Threat intelligence <\/span>\n <\/span>\n \n 27.06.2025 <\/span>\n <\/div>\n <\/div>\n <\/div>\n
\n
\n

\n Jaa t\u00e4m\u00e4 <\/p>\n

\n \n \n
\n
\n
\n \"\" <\/figure>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n
\n
\n
\n

\n Authors <\/p>\n \n

\n
\n
\n \"\" <\/div>\n
\n

Mohammad Kazem Hassan Nejad<\/h3>\n \n

\n Senior Threat Intelligence Researcher, WithSecure <\/p>\n \n <\/div>\n\n<\/div>\n\n <\/div>\n\n <\/div>\n

\n

\n Download report <\/p>\n \n

\n
\n \n Download report
\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n

An evasive and sophisticated malware campaign silently targeting crypto users across the globe.<\/h2>\n

WithSecure\u2122 has uncovered a highly sophisticated and evasive malware campaign that has flown under the radar since March 2024.<\/p>\n

The malware campaign targets cryptocurrency users, a user base estimated to be in the hundreds of millions which has emerged as a viable and effective lure to infect users and organizations across all sectors alike.<\/p>\n

The campaign targets victims globally, with infections observed across each continent. Although the campaign targets cryptocurrency users, WithSecure has observed non-cryptocurrency-related organizations in Europe being infected by the malware due to cross-contamination introduced by personal browsing of victims on their corporate machines.<\/p>\n

This is the latest campaign adopting the successful technique of propagating malware through large-scale pervasive ad campaigns displayed throughout the Internet in the form of images and videos using Google Display Network and social media platforms, such as Facebook and Twitter. These ads are estimated to have reached at least tens of thousands of users across the globe.<\/p>\n

The initial stage of infection is primarily masked as popular cryptocurrency-related software and platforms, such as Binance, ByBit, TradingView, and more. However, business-oriented themes have also been deployed through Google ads.<\/p>\n

Since its inception, the malware has been in constant and iterative development by the threat actor. Likely driven by its success so far, the threat actor has put in concerted effort to develop the malware\u2019s breadth of capabilities, including novel techniques not observed in any prior malware campaigns – to our knowledge. These new TTPs include methods to modify Windows Setup and Windows Recovery to enable long-term persistence, as well as methods to patch browser extensions \u2018on the fly\u2019.<\/p>\n

The extensive user tracking, the breadth of capabilities, the levels of obfuscation, and the sophistication of the campaign indicate a level of professionalism and innovation that\u2019s often not observed in other equivalent malware campaigns, especially from a non-state actor. This is further emphasized by the usage of modern technologies, frameworks, and libraries by the threat actor throughout the campaign, including its usage of PostHog, Grafana, LevelDB, and tRPC, which are often observed in enterprise-level software and not leveraged by threat actors.<\/p>\n

While the threat actor\u2019s primary goal with the malware is to target cryptocurrency users, the malware\u2019s extensive capabilities and threat actor\u2019s skillset do not limit the threat actor to a specific goal for financial gain and pose a real threat to organizations and users across the globe alike. Furthermore, the lucrative nature of cryptocurrency continues to drive advancements and innovation of ever more professional adversaries as noted by the set of novel features implemented in this campaign.<\/p>\n

In this report, we provide a detailed breakdown of the delivery vector, the initial stage of the attack chain, and functionalities we have noted during our analysis of the main payload. MITRE ATT&CK TTP mapping and a full list of Indicators of Compromise (IOCs) can be found in the appendices.<\/p>\n

\"\"<\/p>\n<\/div>\n

\n

\n Download report <\/p>\n \n

\n
\n \n Download report
\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n
\n
\n

\n What next?<\/span><\/h2>
\n
\n

Discover WithSecure\u2122 Elements Exposure Management.
\n– No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n <\/div>\n <\/div>\n

\n Contact us<\/a> <\/div>\n <\/div> <\/div>\n <\/div>\n<\/section>\n\n\n\n\n\n
\n
\n

\n Related Labs content<\/span><\/h2>
\n
\n
\n

Find related content relating to this topic.<\/span><\/p>\n<\/div>\n <\/div>\n <\/div>\n <\/div> \n

\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n

On 4th August 2023, WithSecure Detection and Response Team (DRT) received an alert regarding spoofed process injection with abnormal memory characteristics on a host belonging to a WithSecure Countercept MDR customer.<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

Reverse engineering a Lumma infection<\/h3>\n

Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n AI security<\/span>\n Attack Detection<\/span>\n Software Protection<\/span>\n <\/div>\n <\/div>\n

Machine learning-driven malware analysis<\/h3>\n

With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n <\/div>\n
\n
\n <\/div>\n
\n
\n

WithSecure\u2122 has uncovered a highly sophisticated and evasive malware campaign that has flown under the radar since March 2024.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[303,304],"labs_content_type":[346],"class_list":["post-10369","lab_item","type-lab_item","status-publish","hentry","category-software-protection","category-threat-intelligence"],"acf":[],"card":"

\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

WEEVILPROXY<\/h3>\n

WithSecure\u2122 has uncovered a highly sophisticated and evasive malware campaign that has flown under the radar since March 2024.<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item\/10369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/media?parent=10369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/categories?post=10369"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/labs_content_type?post=10369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}