Ongoing “wp3[.]xyz” campaign activity

Intel Name: Ongoing “wp3[.]xyz” campaign activity

Date of Scan: January 24, 2025

Impact: High

Summary:
This campaign uses scripts linked to the domain wp3[.]xyz, injected into compromised WordPress sites to steal sensitive data such as admin login credentials. Our telemetry shows activity beginning as early as October 2024, with over 10,000 websites compromised and infections peaking in December 2024. We identified more than a dozen polymorphic JavaScript samples that alter minor elements, such as log statements, so that each variant carries a different file hash and evades hash-based detection. The domain wp3[.]xyz, re-registered on October 3, 2024, is hosted on 192.142.10[.]6 (Ultrahost, Inc., NL), an IP associated with other malicious .xyz domains.
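The summary makes two points a defender can act on: the injected scripts reference the wp3[.]xyz domain (or its hosting IP), and the samples are polymorphic only in cheap-to-vary parts such as log statements, so a plain file hash misses variants. The following Python is an added example, not code from the report or from any of the campaign samples. It flags script tags whose host matches the published indicators, and it hashes scripts after stripping comments, console.* calls and whitespace so that trivially mutated variants collapse to one normalized hash. The two JavaScript variants and the HTML page are constructed for the demonstration; the script path `/placeholder.js` is a placeholder, since the report gives no path.

```python
import hashlib
import re

# Indicators from the report's summary, written defanged and converted at load time.
DEFANGED_DOMAINS = ["wp3[.]xyz"]
DEFANGED_IPS = ["192.142.10[.]6"]


def refang(value: str) -> str:
    """Turn a defanged indicator such as 'wp3[.]xyz' into a matchable 'wp3.xyz'."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(i) for i in DEFANGED_IPS}

# Matches the src attribute of <script> tags in page HTML.
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)


def host_of(url: str) -> str:
    """Extract the host part of a URL (scheme, path and port removed)."""
    without_scheme = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    return without_scheme.split("/")[0].split(":")[0].lower()


def find_ioc_references(html: str) -> list:
    """Return script src URLs whose host is an indicator domain (or subdomain) or IP."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = host_of(src)
        if host in IOC_IPS or any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(src)
    return hits


def normalize_js(source: str) -> str:
    """Strip the parts a polymorphic sample can change without changing behaviour:
    comments, console.* calls and whitespace. Assumes console.* arguments contain no
    closing parenthesis, which is all the constructed samples need."""
    s = re.sub(r"/\*.*?\*/", "", source, flags=re.S)   # block comments
    s = re.sub(r"//[^\n]*", "", s)                      # line comments
    s = re.sub(r"console\.\w+\([^)]*\);?", "", s)       # console.log(...) and friends
    s = re.sub(r"\s+", "", s)                           # all whitespace
    return s


def raw_hash(source: str) -> str:
    """SHA-256 of the script exactly as served; differs for every variant."""
    return hashlib.sha256(source.encode()).hexdigest()


def normalized_hash(source: str) -> str:
    """SHA-256 of the normalized script; identical across log-statement variants."""
    return hashlib.sha256(normalize_js(source).encode()).hexdigest()


# Constructed samples: two benign scripts that differ only in a comment and a log line.
VARIANT_A = 'function check(){\n  console.log("variant A, build 17");\n  return document.title;\n}\n'
VARIANT_B = 'function check(){\n  // tweaked log line only\n  console.log("variant B, build 42");\n  return document.title;\n}\n'

# Constructed page: one legitimate script tag plus two tags pointing at the indicators.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="https://wp3.xyz/placeholder.js"></script>
<script src="http://192.142.10.6/placeholder.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print("IOC script references:", find_ioc_references(SAMPLE_HTML))
    print("raw hashes equal:       ", raw_hash(VARIANT_A) == raw_hash(VARIANT_B))
    print("normalized hashes equal:", normalized_hash(VARIANT_A) == normalized_hash(VARIANT_B))
```

Run it over saved copies of a site's rendered pages, or over theme and plugin files pulled from a suspect WordPress install, and key your sample clustering on the normalized hash rather than the raw one; a cluster that keeps growing while raw hashes stay unique is the polymorphism the report describes.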

More Details