Table of Contents
  • Home
  • /
  • Blog
  • /
  • WildPressure APT Malware Campaign Targets Windows And MacOS
July 8, 2021

WildPressure APT Malware Campaign Targets Windows And MacOS

Wildpressure Apt Malware Campaign Targets Windows And Macos

Researchers have observed a new WildPressure APT malware campaign by threat actors aka WildPressure distributing C++ Trojan dubbed as Milum, a VBScript variant with the version (1.6.1) and a set of modules that include an Orchestrator, Fingerprint, Keylogging, & Screenshot plugins. And a Python script dubbed Guard enables the threat actor to gain remote control of the compromised system. Python version of this malware is designed and developed to target both Windows as well as macOS operating systems.

Look at the Version system. It has been said that the malware is still under active development. This time WildPressure APT malware campaign has started using compromised WordPress websites along with commercial VPS (Virtual Private Servers) to carry out the campaign.

The analysis found that the Python malware is developed based on publicly available third-party codes. On top of that, the malware uses standard Python libraries for fingerprinting both Windows and macOS operating systems.

Both the malware are capable of doing silently execute the command, file downloads, update scripts, cleaning and remove the scripts after execution, file uploads, OS fingerprinting, and the malware can also gather applications installed on the host.

Targets Of WildPressure APT Malware Campaign:

The primary targets of this campaign are mostly oil and gas industries from middle east Asian countries. There are no insights available on other targets in the research.

Indicators Of Compromise (IOCs) To Detect WildPressure APT Malware:

Python multi-OS Trojan:

File typePE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size3.3 MB
File namesvchost.exe

VBScript self-decrypted variant:

File typeSelf-decrypting VBScript
File size51 KB
File namel2dIIYKCQw.vbs


File typePE32 executable (console) Intel 80386, for MS Windows
File size87 KB
File namewinloud.exe

Fingerprinting plugin:

File typePE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size194 KB
File nameGetClientInfo.dll

Keylogging plugin:

File typePE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size90.5 KB
File nameKeylogger.dll

Screenshot plugin:

File typePE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size78 KB
File nameScreenShot.dll

IP Addresses:


File Hashes:

Milum version 1.6.10efd03fb65c3f92d9af87e4caf667f8e
PyInstaller with Guard92A11F0DCB973D1A58D45C995993D854 (svchost.exe)
Self-decrypting Tandis VBScript861655D8DCA82391530F9D406C31EEE1 (l2dIIYKCQw.vbs)
OrchestratorC116B3F75E12AD3555E762C7208F17B8 (winloud.exe)
PluginsF2F6604EB9100F58E21C449AC4CC4249 (ScreenShot.dll)D322FAA64F750380DE45F518CA77CA43 (Keylogger.dll)9F8D77ECE0FF897FDFD8B00042F51A41 (GetClientInfo.dll)

File paths

macOS .plist files$HOME/Library/LaunchAgents/ $HOME/Library/LaunchAgents/apple.scriptzxy.plist
Config files under Windows%APPDATA%\Microsoft\grconf.dat%APPDATA%\Microsoft\vsdb.dat%ALLUSERSPROFILE%\system\thumbnail.dat%ALLUSERSPROFILE%\Application Data\system\Windows\thumbnail.dat
Config files under macOS$HOME/.appdata/grconf.dat
Registry valuesSoftware\Microsoft\Windows\CurrentVersion\RunOnce\gd_system
WQL queries examplesSELECT * FROM Win32_Process WHERE Name = <all enumerated names here> Select * from Win32_ComputerSystemSelect * From AntiVirusProduct Select * From Win32_Process Where ParentProcessId = <all enumerated ids here>
Milum C2hxxp://107.158.154[.]66/core/main.phphxxp://185.177.59[.]234/core/main.phphxxp://37.59.87[.]172/page/view.phphxxp://80.255.3[.]86/page/view.phphxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php

Recommendation To Be Protected From WildPressure APT Malware Campaign

  • Analyze Firewall and Internet proxy logs for the presence of mentioned IOCs.

  • Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.

  • Provide phishing awareness training to your employees/contractors.

  • Keep Anti-malware solutions at the endpoint and network-level updated at all times.

  • Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.

Thanks for reading the post. Read more such interesting articles If you find this post interesting.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Cloud & OS Platforms

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription