{
  "type": "Domain",
  "indicator": "wpengina.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/wpengina.com",
    "alexa": "http://www.alexa.com/siteinfo/wpengina.com",
    "indicator": "wpengina.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4074226191,
      "indicator": "wpengina.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "6846ac4df84821ab290af471",
          "name": "DarkEngine: Unmasking the Sophisticated WordPress Phishing Campaign",
          "description": "CyberCX has discovered a sophisticated phishing campaign named DarkEngine, which targets users of WP Engine, a managed WordPress hosting platform, and has been active since at least June 2024. The campaign employs SEO poisoning to lure victims to phishing sites mimicking the WP Engine login interface, enabling attackers to steal credentials and gain unauthorized access to WP Engine accounts and their associated WordPress sites. Once compromised, the attackers inject backdoors via malicious plugins and execute harmful JavaScript, affecting over 2,353 unique sites primarily in Australia and New Zealand, while also utilizing techniques like ClickFix to manipulate visitors into executing harmful commands. The operation employs a headless browser automation tool for exploitation, maintaining persistence through various backdoors and SFTP accounts.",
          "modified": "2025-07-09T09:00:16.142000",
          "created": "2025-06-09T09:41:33.230000",
          "tags": [
            "injected link",
            "providers",
            "injected links",
            "solutions llp",
            "bl networks",
            "limited",
            "fornex hosting",
            "cgi global",
            "smartape ou",
            "proton66 ooo",
            "red bytes",
            "cloudflare",
            "llc bl",
            "networks",
            "prospero ooo",
            "cybercx",
            "public"
          ],
          "references": [
            "https://connect.cybercx.com.au/dark-engine"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 56,
            "domain": 55
          },
          "indicator_count": 111,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 543,
          "modified_text": "328 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68445797edce3aedea6c7835",
          "name": "CyberCX & WP Engine Expose Active Exploits: Cloud, Ransomware, and Supply Chain Threats.",
          "description": "CyberCX and WP Engine\u2019s latest report reveals active cyber threats targeting cloud environments, ransomware operations, and software supply chains. Key findings include: \u2022 Exploited Cloud Vulnerabilities: Attackers abusing misconfigurations in AWS, Azure, and SaaS platforms for initial access. \u2022 Ransomware-as-a-Service (RaaS) Expansion: New affiliate tactics leading to faster encryption and double extortion. \u2022 Software Supply Chain Compromises: Malicious code injections in third-party vendor updates, enabling silent backdoors.",
          "modified": "2025-07-07T15:00:14.692000",
          "created": "2025-06-07T15:15:35.855000",
          "tags": [],
          "references": [
            "https://storage.pardot.com/1069042/1748905703CCn8f7sn/CyberCX___WP_Engine_Report.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 60,
            "domain": 56,
            "hostname": 1
          },
          "indicator_count": 117,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 545,
          "modified_text": "330 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://storage.pardot.com/1069042/1748905703CCn8f7sn/CyberCX___WP_Engine_Report.pdf",
        "https://connect.cybercx.com.au/dark-engine"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "6846ac4df84821ab290af471",
      "name": "DarkEngine: Unmasking the Sophisticated WordPress Phishing Campaign",
      "description": "CyberCX has discovered a sophisticated phishing campaign named DarkEngine, which targets users of WP Engine, a managed WordPress hosting platform, and has been active since at least June 2024. The campaign employs SEO poisoning to lure victims to phishing sites mimicking the WP Engine login interface, enabling attackers to steal credentials and gain unauthorized access to WP Engine accounts and their associated WordPress sites. Once compromised, the attackers inject backdoors via malicious plugins and execute harmful JavaScript, affecting over 2,353 unique sites primarily in Australia and New Zealand, while also utilizing techniques like ClickFix to manipulate visitors into executing harmful commands. The operation employs a headless browser automation tool for exploitation, maintaining persistence through various backdoors and SFTP accounts.",
      "modified": "2025-07-09T09:00:16.142000",
      "created": "2025-06-09T09:41:33.230000",
      "tags": [
        "injected link",
        "providers",
        "injected links",
        "solutions llp",
        "bl networks",
        "limited",
        "fornex hosting",
        "cgi global",
        "smartape ou",
        "proton66 ooo",
        "red bytes",
        "cloudflare",
        "llc bl",
        "networks",
        "prospero ooo",
        "cybercx",
        "public"
      ],
      "references": [
        "https://connect.cybercx.com.au/dark-engine"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 56,
        "domain": 55
      },
      "indicator_count": 111,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 543,
      "modified_text": "328 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68445797edce3aedea6c7835",
      "name": "CyberCX & WP Engine Expose Active Exploits: Cloud, Ransomware, and Supply Chain Threats.",
      "description": "CyberCX and WP Engine\u2019s latest report reveals active cyber threats targeting cloud environments, ransomware operations, and software supply chains. Key findings include: \u2022 Exploited Cloud Vulnerabilities: Attackers abusing misconfigurations in AWS, Azure, and SaaS platforms for initial access. \u2022 Ransomware-as-a-Service (RaaS) Expansion: New affiliate tactics leading to faster encryption and double extortion. \u2022 Software Supply Chain Compromises: Malicious code injections in third-party vendor updates, enabling silent backdoors.",
      "modified": "2025-07-07T15:00:14.692000",
      "created": "2025-06-07T15:15:35.855000",
      "tags": [],
      "references": [
        "https://storage.pardot.com/1069042/1748905703CCn8f7sn/CyberCX___WP_Engine_Report.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 60,
        "domain": 56,
        "hostname": 1
      },
      "indicator_count": 117,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 545,
      "modified_text": "330 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "wpengina.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "wpengina.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780468033.5802765
}