#socgholish — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #socgholish, aggregated by home.social.
-
Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine
#RomComGroup #SocGholish #TA569
https://arcticwolf.com/resources/blog/romcom-utilizing-socgholish-to-deliver-mythic-agent-to-usa-companies-supporting-ukraine/
-
SocGholish Malware Using Compromised Sites to Deliver Ransomware https://hackread.com/socgholish-malware-compromised-sites-ransomware/ #Cybersecurity #CyberAttack #FakeUpdates #SocGholish #Security #Malware #TA569 #MaaS #RAT
-
Watch out as new research shows SocGholish Malware as Service (MaaS) is exploiting compromised websites and fake software updates to push ransomware and infostealers worldwide.
Read: https://hackread.com/socgholish-malware-compromised-sites-ransomware/
-
Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab
https://krebsonsecurity.com/2025/02/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab/
#InterisleConsultingGroup #Ne'er-Do-WellNews #ALittleSunshine #TheComingStorm #KasperskyLab #ProsperoOOO #ZachEdwards #Ransomware #GootLoader #Securehost #SilentPush #SocGholish #Intrinsec #AlfaBank #BEARHOST #spamhaus #Kentik
-
Sometimes people ask us to remove a domain from our blocklists that is part of a malicious traffic distribution system (TDS) because they "visited the url" and didn't get malware. This is like saying "I walked past the armed robber and didn't get robbed." Count yourself lucky. Say no to TDS. #dns #threatintel #cybercrime #malware #phishing #scam #infoblox #cybersecurity #infosec #tds #vextrio #socgholish #clearfake #404tds #adware
-
#SocGholish (AKA FakeUpdates) landing page localized in French, Spanish and German.
Payload is #FakeBat.
This campaign is also known as 'doggygangers' based on network traffic.
-
#FakeSG seems a bit quiet lately so digging around I stumbled into yet another site with multiple fakeupdates. At this site the #ParrotTDS is still operational and sent the potential user to #SocGholish
Does make you wonder if it's all the same actor just trying out very different approaches? They got a new employee who was tasked with trying something different.
¯\_(ツ)_/¯
-
I made this page to track current fake browser updates campaigns:
-
Good day everyone! The ReliaQuest Threat Research team recently provided a wrap-up of the most commonly used loaders, the top 80% of which comprised only three different malware families! These big three are #QBot, #SocGholish, and #RaspberryRobin. THEN, they not only provided the data sheet to give to your management or C-suite, they broke them down even further to include technical details as well! Thank you to the Threat Research team for such a great report, I hope you enjoy it as much as I did, and Happy Hunting!
The 3 Malware Loaders Behind 80% of Incidents
https://www.reliaquest.com/blog/the-3-malware-loaders-behind-80-of-incidents/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
@defender @jeromesegura @terribleplan Possibly. The #SocGholish TA still first lands a JS that collects info about the victim. Up until July 17th I saw them switching to PS after that JS collection. But I haven't seen them do anything more than collect the info. Looks like this.
(Compromised site)
-->
greedyfines[.]org/GRzk7JSP (Keitaro)
-->
sandwiches.tropipackfood[.]com/I9tOCVj5LWBH+XQ7FehiK1H5dCtHvjhxUqlsdA== (SocGholish TDS)
-->
lmd.plan.gemmadeealexander[.]com/editContent (SocGholish JS C2)
Going direct to the PS hop still works for me. For example, just now it does this chain.
hXXp://asfgze[.]fun/f23.svg
-->
hXXp://kedkejehiciellf[.]top/1.php (DGA)
-->
hXXp://kedkejehiciellf[.]top/2.php (DGA)
-->
hXXps://dprn0jmb1nag5t9[.]top:14235 (PowerShell C2)
The #FakeSG TA doesn't do JS or PS. They simply land NetSupport. The chain from a few minutes ago.
(Compromised site)
-->
google-analytiks[.]com/sBY76j (Keitaro)
-->
alexiakombou[.]com/wp-content/uploads/2022/01/downloader(updchr(V104.215.214)silent.url ()
-->
hXXp://185[.]252.179.64@80/Downloads/silentupdater-chr(v105).lnk ()
-->
alexiakombou[.]com/wp-content/uploads/2021/12/EN-localer.hta (HTA)
-->
hxxps://94[.]158.244.41:443 (NetSupport)
I'm wondering if the SocGholish TA is on vacation. They usually rotate parts of the chain at least once a week and I haven't seen a change since July 20th. That and the JS to PS hasn't worked since July 17th, at least not for me.
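The chains above are written in a compact "url (stage label)" / "-->" notation with defanged indicators. The following is an added example (not code from the post's author or from any project named on this page) that parses that notation, refangs each hop for lookups, and pulls the hosts out for a blocklist. The sample chain is stitched together from hops quoted in the post above; the parser, the Hop type and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example: parse a defanged redirect chain in the "url (stage)" / "-->"
# style used in the posts, refang each hop, and list hosts to block.

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_URL = re.compile(
    r"^(?:(?P<scheme>https?)://)?(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$"
)
_LABEL = re.compile(r"\s*\(([^()]*)\)\s*$")  # trailing "(Keitaro)", "(HTA)" or "()"


def refang(text: str) -> str:
    """Undo common defanging: [.] or (.) -> . and hxxp(s):// -> http(s)://."""
    text = re.sub(r"\[\.\]|\(\.\)", ".", text)
    return re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def defang(url: str) -> str:
    """Defang only the scheme and host so the path stays readable in a report."""
    m = _URL.match(url)
    if not m:
        return url.replace(".", "[.]")
    scheme = f"hxxp{m['scheme'][4:]}://" if m["scheme"] else ""
    port = f":{m['port']}" if m["port"] else ""
    return f"{scheme}{m['host'].replace('.', '[.]')}{port}{m['path'] or ''}"


@dataclass
class Hop:
    label: str                    # stage name from the trailing (...), "" if absent
    url: Optional[str] = None     # refanged URL; None for "(Compromised site)"
    scheme: Optional[str] = None
    host: Optional[str] = None
    port: Optional[int] = None    # only when written explicitly, e.g. :14235
    path: str = ""

    @property
    def is_ip(self) -> bool:
        return bool(self.host and _IPV4.match(self.host))


def parse_hop(line: str) -> Optional[Hop]:
    """One chain line -> Hop, or None for blank lines and '-->' arrows."""
    line = line.strip()
    if not line or line == "-->":
        return None
    label = ""
    m = _LABEL.search(line)
    if m:
        label, line = m.group(1).strip(), line[: m.start()].strip()
    if not line:                  # placeholder hop such as "(Compromised site)"
        return Hop(label=label)
    url = refang(line)
    u = _URL.match(url)
    if not u:
        return Hop(label=label, url=url)
    return Hop(label=label, url=url, scheme=u["scheme"], host=u["host"].lower(),
               port=int(u["port"]) if u["port"] else None, path=u["path"] or "")


def parse_chain(text: str) -> List[Hop]:
    return [h for h in map(parse_hop, text.splitlines()) if h is not None]


def stages(hops: List[Hop]) -> List[str]:
    """Stage labels in order, e.g. Keitaro -> SocGholish TDS -> C2."""
    return [h.label for h in hops]


def hosts_to_block(hops: List[Hop]) -> List[str]:
    """Unique hosts (domains and IPs) across the chain, sorted for a blocklist."""
    return sorted({h.host for h in hops if h.host})


# Sample input built from hops quoted in the post above (defanged as written).
SAMPLE_CHAIN = """\
(Compromised site)
-->
greedyfines[.]org/GRzk7JSP (Keitaro)
-->
sandwiches.tropipackfood[.]com/I9tOCVj5LWBH+XQ7FehiK1H5dCtHvjhxUqlsdA== (SocGholish TDS)
-->
lmd.plan.gemmadeealexander[.]com/editContent (SocGholish JS C2)
-->
hXXps://dprn0jmb1nag5t9[.]top:14235 (PowerShell C2)
-->
hxxps://94[.]158.244.41:443 (NetSupport)
"""

if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    for hop in chain:
        print(f"{hop.label or '-':18} {defang(hop.url) if hop.url else '(no URL)'}")
    print("block:", ", ".join(hosts_to_block(chain)))
```

One caveat worth knowing when feeding these into a blocklist: a hop written like hXXp://185[.]252.179.64@80/... has a user-info part before the "@", and a browser will treat "80" as the host, not the IP. This parser keeps the raw authority ("185.252.179.64@80") as the host, so check such entries by hand rather than blocking what the regex returns.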
-
Anybody ever try reporting the various #KeitaroTDS used by #SocGholish and others?
-
There's a new player in the 'fake updates' arena. Thanks to @rmceoin for initially posting about it here.
-
Completed Part 3 of my personal #SocGholish series.
The article digs into the follow-up payloads delivered once the Update.js is executed on a victim machine.
Interestingly, I saw #NetSupport RAT and an unknown (to me) PowerShell C2 beacon be delivered together.
If anyone can shed more light on what the PowerShell beacon may be, it would be much appreciated! Seems to be inspired by #AsyncRAT, though.
Big thanks to @rmceoin for help along the way.
https://rerednawyerg.github.io/posts/malwareanalysis/socgholish_part3
-
After a break, a new #KeitaroTDS domain appeared on 47.91.94[.]97: libertader[.]org.
The associated #SocGholish TDS is specific.autonerdmobilerepairs[.]com hosted on 35.176.231[.]198 (previously #SocGholish C2 *.reseller.wonderfulworldblog[.]com)
-
#SocGholish leads to #NetSupport RAT downloaded from --> http://wudugf[.]top/f23.svg
Credit to @rmceoin for the help getting the SocGholish C2 to respond.
C2: *.nodes.gammalambdalambda.org
-
New second stage TDS and C2 for #SocGholish coming from #KeitaroTDS
TDS stage 2
static.laytonroadconstruction[.]com
C2
*.nodes.gammalambdalambda[.]org
102.223.180[.]164
There appears to be a new KeitaroTDS host as well, but I haven't seen it show up yet.
-
New second stage TDS for #SocGholish coming from #KeitaroTDS.
masterclass.teamupnetwork[.]org
Infection path observed:
{compromised site}
KeitaroTDS
cancelledfirestarter[.]org
dailytickyclock[.]org
deeptrickday[.]org
Second stage TDS
masterclass.teamupnetwork[.]org
C2
cywu.offer.rpacxtaxappeal[.]com
-
So the #KeitaroTDS offers up at least two paths. One is #SocGholish that I've been tracking and the other is some notification malware that I've seen before but didn't realize they're connected.
When I go to an infected site, I only get served SocGholish. But I see when urlscan goes to it, they get this other scam. What's handy is I can go directly to the KeitaroTDS URLs associated with those scams and see that other path.
backendjs[.]org/kb3xCR3d
cancelledfirestarter[.]org/Qw6YdVL
dailytickyclock[.]org/H9nZW3yw
deeptrickday[.]org/xTHcrXYN
devqeury[.]org/XdQJSbwV
devqeury[.]org/VjCTRDTQ
jqscr[.]com/GPfymwFy
jqscr[.]com/MFkkBGCh
jqueryns[.]com/jbMbKDPn
jsqur[.]com/97rmMy8V
Anybody have a name for this notification scam?
-
New #KeitaroTDS domain used for #SocGholish.
cancelledfirestarter[.]org/tT2NCZN5
🚫🔥@threatcat_ch I see that the domains_count from the API now shows 19. 👀
-
While poking at the #KeitaroTDS used by #SocGholish I noticed a different path. Using torsocks in the hopes of getting different responses, this known #KeitaroTDS URL
dailytickyclock[.]org/Rz7kFbxJ
would return a redirect I haven't noticed.
dailytickyclock[.]org/H9nZW3yw
That in turn was redirecting to here.
greatbonushere[.]life/?u=4dkpaew&o=81yk607&cid=vi0n933mcrfi
That led to a couple of scams. Mostly I got a fake iPhone prize scam that tries to dupe you into providing your address and CC info.
Pivoting off the IP for the domain out popped 78 more domains. Block them nasties! 🚫
https://gist.github.com/rmceoin/9e3fb77686a660374409df467d9711ca
-
New #SocGholish TDS on 91.208.184[.]14 (ALEXHOST) is archives.finanpress[.]com, found referenced by #KeitaroTDS dailytickyclock[.]org . SocGholish C2 still on *.offer.rpacxtaxappeal[.]com / 190.211.254[.]31 (Private Layer)
-
Now also on 88.119.169[.]146 (IST) we have new #SocGholish TDS booty.midatlanticlaw[.]org witnessed in #KeitaroTDS redirects.
-
#TA569 #KeitaroTDS TDS domains are now on 91.203.193[.]124, including new domain dailytickyclock[.]org (inject seen in the wild: hXXps://dailytickyclock[.]org/Rz7kFbxJ ) redirecting to #SocGholish TDS commercial.tedgorka[.]com hosted on 88.119.169[.]146 as already noticed by @rmceoin
-
sync[.]webappclick[.]net is a new #SocGholish / #FakeUpdates "ndsj" TDS. It joins on 45.130.201[.]24 its friend cachespace[.]net still found in the wild from time to time.
-
The latest Technique Set added to Tidal’s free Community Edition summarizes the TTPs observed in recent #SocGholish campaigns according to public threat reporting https://app.tidalcyber.com/share/4b901fc2-d021-4eff-bd53-0c9fa0259ecf
SocGholish is a highly active, JavaScript-based loader #malware used to deliver a wide variety of impactful threats (summarized in the original visual attached here). Many #ransomware families, the #CobaltStrike post-exploit framework, other remote access trojans (#RAT) and loaders, and tools for #ActiveDirectory enumeration, #detection evasion, and #credential theft have been linked to recent SocGholish campaigns
SocGholish appears on multiple security and #CTI vendors' top priority threat lists. Active since 2017, SentinelLabs researchers observed a 330%+ increase in SocGholish malware-staging servers between the first and second halves of 2022, and Sucuri researchers detected more than 25,000 websites newly compromised by the malware's operators through July 2022 alone. Initial infections predominantly come via file downloads from sites hosting fake web browser updates, although operators use some non-traditional email delivery techniques to drive compromised content towards potential victims. Like many of today's top #initialaccess threats, SocGholish victimology involves a wide range of industries
Consider layering the new set with other recent Community Edition content from @tidalcyber's Adversary Intelligence team, including our recent #Gootloader set (https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2) or the set of techniques most recently associated with the ever-evolving #QakBot #trojan (https://app.tidalcyber.com/share/aef0f0c6-5212-4abf-9a24-3c81f518c59f), into one view to compare & contrast initial access techniques (https://app.tidalcyber.com/share/adb9581e-3318-4bc7-8d23-145891bf1ca4). Then take it a step further by layering mappings from your own defensive stack with the list of capabilities available in the Product Registry (https://app.tidalcyber.com/vendors). And stay tuned for our soon-to-be published overview matrix on the broad initial access/malware delivery ecosystem in today’s threat landscape, featuring more threats like the ones seen here
-
This week's wrap-up of infosec news is out, just in time for your morning commute: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-4af
#Qakbot have gotten in on the #OneNote action - turns out so too has every other threat actor under the sun.
Iran's #OilRig/#APT34 has been caught in the act, abusing the legitimate Password Filters feature to siphon creds, and exfiltrating them via compromised mail channels.
Some interesting techniques were observed in a recent #SocGholish campaign, including passively enumerating users through event logs and disabling Restricted Admin mode to enable the theft of creds from memory.
A series of vulnerabilities in the Fortra GoAnywhere MFT file transfer application, QNAP NAS appliances, and VMware ESXi servers should be top of your list this morning - make sure you're not exposed!
All that and much more, to help you shake off the cobwebs this Monday morning: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-4af
#infosec #CyberAttack #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc #threatintel #threatintelligence #vmware #poc
-
I've published the second in a series of blog posts on SocGholish related activity. The latest installment focuses on breaking down the fake update payload itself.
https://rerednawyerg.github.io/malware-analysis/socgholish_part2/
-
I've been wanting to start a malware analysis/RE blog as I improve my skills. I published my first analysis a few days ago. Started out by analyzing a site with a malicious JavaScript inject leading to a SocGholish payload.
-
#SocGholish #malware #reverseengineering #fakeupdates
This code is a mess! Does anyone have any tips on decoding javascript like this?