WildPressure APT Malware campaign

Researchers have observed a new WildPressure APT malware campaign in which the threat actor known as WildPressure distributes a C++ Trojan dubbed "Milum", a VBScript variant (version 1.6.1), and a set of modules that include an Orchestrator and Fingerprint, Keylogging, and Screenshot plugins. A Python script dubbed "Guard" gives the threat actor remote control of the compromised system. The Python version of this malware is designed and developed to target both Windows and macOS operating systems.

Judging by the version numbering, the malware is still under active development. In this campaign WildPressure has started using compromised WordPress websites together with commercial VPS (Virtual Private Server) hosting to carry out its operations.

The analysis found that the Python malware is developed based on publicly available third-party codes. On top of that, the malware uses standard Python libraries for fingerprinting both Windows and macOS operating systems.

Both variants are capable of silently executing commands, downloading files, updating their scripts, cleaning up and removing scripts after execution, uploading files, and fingerprinting the OS, and the malware can also enumerate the applications installed on the host.

Targets Of WildPressure APT Malware Campaign:

The primary targets of this campaign are mostly oil and gas companies in Middle Eastern countries. The research provides no insight into other targets.

Indicators Of Compromise (IOCs) To Detect WildPressure APT Malware:

Python multi-OS Trojan:

File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size: 3.3 MB
File name: svchost.exe

VBScript self-decrypting variant:

File type: Self-decrypting VBScript
File size: 51 KB
File name: l2dIIYKCQw.vbs

Orchestrator:

File type: PE32 executable (console) Intel 80386, for MS Windows
File size: 87 KB
File name: winloud.exe

Fingerprinting plugin:

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size: 194 KB
File name: GetClientInfo.dll

Keylogging plugin:

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size: 90.5 KB
File name: Keylogger.dll

Screenshot plugin:

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size: 78 KB
File name: ScreenShot.dll

File Hashes (MD5):

Milum version 1.6.1: 0efd03fb65c3f92d9af87e4caf667f8e
PyInstaller with Guard: 92A11F0DCB973D1A58D45C995993D854 (svchost.exe)
Self-decrypting Tandis VBScript: 861655D8DCA82391530F9D406C31EEE1 (l2dIIYKCQw.vbs)
Orchestrator: C116B3F75E12AD3555E762C7208F17B8 (winloud.exe)
Plugins:
  F2F6604EB9100F58E21C449AC4CC4249 (ScreenShot.dll)
  D322FAA64F750380DE45F518CA77CA43 (Keylogger.dll)
  9F8D77ECE0FF897FDFD8B00042F51A41 (GetClientInfo.dll)

File paths:

macOS .plist files:
  $HOME/Library/LaunchAgents/com.apple.pyapple.plist
  $HOME/Library/LaunchAgents/apple.scriptzxy.plist

Config files under Windows:
  %APPDATA%\Microsoft\grconf.dat
  %APPDATA%\Microsoft\vsdb.dat
  %ALLUSERSPROFILE%\system\thumbnail.dat
  %ALLUSERSPROFILE%\Application Data\system\Windows\thumbnail.dat

Config files under macOS:
  $HOME/.appdata/grconf.dat

Registry values:
  Software\Microsoft\Windows\CurrentVersion\RunOnce\gd_system

WQL query examples:
  SELECT * FROM Win32_Process WHERE Name = '<all enumerated names here>'
  Select * from Win32_ComputerSystem
  Select * From AntiVirusProduct
  Select * From Win32_Process Where ParentProcessId = '<all enumerated ids here>'

Milum C2 (defanged):
  hxxp://107.158.154[.]66/core/main.php
  hxxp://185.177.59[.]234/core/main.php
  hxxp://37.59.87[.]172/page/view.php
  hxxp://80.255.3[.]86/page/view.php
  hxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php

Recommendation To Be Protected From WildPressure APT Malware Campaign

  • Analyze Firewall and Internet proxy logs for the presence of mentioned IOCs.
  • Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
  • Provide phishing awareness training to your employees/contractors.
  • Keep Anti-malware solutions at the endpoint and network-level updated at all times.
  • Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.
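The first recommendation above, checking proxy logs for the listed Milum C2 indicators, as an added example that is not part of the original post: it refangs the five defanged C2 URLs from the IOC section, then scans Squid-style access log lines (the sample lines below are constructed; the log format and the `203.0.113.9` / `198.51.100.7` addresses are assumptions for illustration) and reports clients that contacted a known C2 host, or that hit one of the C2 URL paths on an unlisted host, which is a weaker signal and is flagged separately.

```python
import re
from urllib.parse import urlsplit

# Milum C2 URLs exactly as listed (defanged) in the IOC section of the post.
MILUM_C2_DEFANGED = [
    "hxxp://107.158.154[.]66/core/main.php",
    "hxxp://185.177.59[.]234/core/main.php",
    "hxxp://37.59.87[.]172/page/view.php",
    "hxxp://80.255.3[.]86/page/view.php",
    "hxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form so it can be matched against logs."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def c2_hosts_and_paths(defanged):
    """Split the C2 URL list into a set of hostnames and a set of URL paths."""
    hosts, paths = set(), set()
    for url in defanged:
        parts = urlsplit(refang(url))
        hosts.add((parts.hostname or "").lower())
        paths.add(parts.path)
    return hosts, paths

# Assumed Squid native access log layout:
# <timestamp> <elapsed> <client> <code/status> <bytes> <method> <url> ...
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def scan_proxy_log(lines, defanged=MILUM_C2_DEFANGED):
    """Return (client, host, reason) for each log line that matches a Milum C2 indicator."""
    hosts, paths = c2_hosts_and_paths(defanged)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected layout
        parts = urlsplit(m.group("url"))
        host = (parts.hostname or "").lower()
        if host in hosts:
            hits.append((m.group("client"), host, "known Milum C2 host"))
        elif parts.path in paths:
            hits.append((m.group("client"), host, "Milum C2 URL path on unlisted host"))
    return hits

# Constructed sample log lines; the client and upstream addresses are made up for the example.
SAMPLE_LOG = [
    "1625123400.101 120 10.0.0.15 TCP_MISS/200 512 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1625123405.220 340 10.0.0.15 TCP_MISS/200 1024 POST http://185.177.59.234/core/main.php - HIER_DIRECT/185.177.59.234 text/html",
    "1625123410.330 200 10.0.0.22 TCP_MISS/200 2048 GET http://www.mwieurgbd114kjuvtg.com/core/main.php?id=1 - HIER_DIRECT/198.51.100.7 text/html",
    "1625123415.440 90 10.0.0.31 TCP_MISS/404 300 GET http://203.0.113.9/page/view.php - HIER_DIRECT/203.0.113.9 text/html",
]

if __name__ == "__main__":
    for client, host, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

A path-only match on `/core/main.php` or `/page/view.php` is common enough on benign sites that it should be treated as a lead for triage rather than a confirmed compromise.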

About the author

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience spanning IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

To know more about him, you can visit his profile on LinkedIn.
