Fakeupdates

Malware updated a month ago (2024-11-29T14:35:19.109Z)

Download STIX

Preview STIX

FakeUpdates, a malicious software (malware), has become increasingly prevalent in recent years. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, and can disrupt operations, steal personal information, or hold data hostage for ransom. In 2022, an investigation by Sucuri and Avast observed compromised websites delivering the FakeUpdates downloader (also known as SocGholish) to unsuspecting visitors. This JavaScript-based loader primarily targets Microsoft Windows-based environments and has been used to deliver the AsyncRAT and the legitimate open-source project BOINC. The malware's impact has been significant. As of last month, it was reported that FakeUpdates affected 3% of organizations worldwide, making it one of the top three most prevalent malwares, following Qbot and Formbook. However, at certain points, its impact rose to as high as 8%, surpassing other malware families such as Androxgh0st and Phorpiex. The education sector has been particularly hard-hit, reflecting the broad reach and destructive potential of this malware. Moreover, FakeUpdates has been implicated in complex cyberattacks. Microsoft reported instances where RansomHub was deployed in post-compromise activity by threat actors tracked as Manatee Tempest, who gained initial access via Mustard Tempest using FakeUpdates/SocGholish infections. Similarly, Huntress researchers observed the use of the JavaScript downloader malware SocGholish (aka FakeUpdates) to deliver the remote access trojan AsyncRAT and the legitimate open-source project BOINC. These incidents underscore the sophisticated tactics employed by cybercriminals and the critical need for robust cybersecurity measures.

Description last updated: 2024-10-17T11:57:11.921Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Socgholish is a possible alias for Fakeupdates. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof	5

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Downloader

Malware

JavaScript

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Qbot Malware is associated with Fakeupdates. Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23	Unspecified	2
The AsyncRAT Malware is associated with Fakeupdates. AsyncRAT is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. It has recently risen to prominence, ra	Unspecified	2

Source Document References

Information about the Fakeupdates Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	3 months ago	16th September – Threat Intelligence Report - Check Point Research
Securityaffairs	3 months ago	RansomHub ransomware gang relies on TDSKiller to disable EDR
Securityaffairs	4 months ago	A group linked to RansomHub operation employs EDR-killing tool EDRKillShifter
DARKReading	a year ago	Millions at Risk As 'Parrot' Web Server Compromises Take Flight
Securityaffairs	5 months ago	SocGholish malware used to spread AsyncRAT malware
Securityaffairs	5 months ago	Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal
Checkpoint	6 months ago	17th June – Threat Intelligence Report - Check Point Research
CERT-EU	a year ago	15th January – Threat Intelligence Report \| #ransomware \| #cybercrime \| National Cyber Security Consulting
Checkpoint	a year ago	15th January – Threat Intelligence Report - Check Point Research
CERT-EU	9 months ago	18th March – Threat Intelligence Report \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	9 months ago	18th March – Threat Intelligence Report - Check Point Research
CERT-EU	9 months ago	FakeUpdates Malware Campaign Targets WordPress – Millions of Sites at Risk
CERT-EU	a year ago	Qbot Malware Via FakeUpdates Leads the Race of Malware Attacks
CERT-EU	a year ago	December 2023's Most Wanted Malware : The Resurgence of Qbot and FakeUpdates – Global Security Mag Online
Checkpoint	a year ago	18th December – Threat Intelligence Report - Check Point Research
CERT-EU	a year ago	Increasingly prevalent NetSupport RAT infections reported
CERT-EU	a year ago	NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors
CERT-EU	a year ago	August 2023's Most Wanted Malware : New ChromeLoader Campaign Spreads Malicious Browser Extensions while QBot is Shut Down by FBI – Global Security Mag Online
CERT-EU	a year ago	FakeSG enters the ‘FakeUpdates’ arena to deliver NetSupport RAT – Cyber Security Review
CERT-EU	2 years ago	GootLoader and FakeUpdates Malware Campaign Targets Law Firms