Socgholish

Malware updated a month ago (2024-11-29T14:51:55.543Z)
Download STIX
Preview STIX
SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsoft identified SocGholish as part of an interconnected malware ecosystem, acting as a precursor to various other malware families including Cobalt Strike, IcedID, BumbleBee, and Truebot. The attack chain of SocGholish typically involves a malicious JavaScript file that downloads further stages of the malware. In 2023, SocGholish accounted for over 17.66% of malware injections, making it one of the most widely spread malwares. It was employed in several distinct website malware campaigns, causing massive website infections. Notably, SocGholish was not only used to compromise systems but also as a delivery mechanism for other malwares like AsyncRAT. Huntress researchers observed this JavaScript downloader malware, also known as FakeUpdates, being used to deliver the remote access trojan AsyncRAT and even legitimate open-source projects like BOINC (Berkeley Open Infrastructure Network Computing Client). As of mid-2024, SocGholish continues to be a significant threat in the cyber landscape. According to a report by Red Canary, it was ranked as the sixth most prevalent malware in the wild, tied with Lumma and the ubiquitous Cobalt Strike. This highlights the ongoing risk posed by SocGholish and its adaptability to serve as a vehicle for delivering other harmful software, demonstrating the importance of robust cybersecurity measures to protect against such threats.
Description last updated: 2024-08-22T21:15:59.570Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Fakeupdates is a possible alias for Socgholish. FakeUpdates, a malicious software (malware), has become increasingly prevalent in recent years. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, and can disrupt operations, steal personal information, or hold data hostage for ransom. In 2022, a
5
Evil Corp is a possible alias for Socgholish. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybe
4
Clearfake is a possible alias for Socgholish. ClearFake is a malicious software, or malware, that has been identified as a significant threat to cybersecurity. Its primary method of propagation is through fake browser updates, encouraging users to copy and execute harmful PowerShell commands. This deceptive approach enables cybercriminals to in
3
Ta569 is a possible alias for Socgholish. TA569 is a malware distributor that has been utilizing fake browser updates for over five years to deliver the SocGholish malware, according to cybersecurity firm Proofpoint. The threat actor has employed various methods to direct traffic from compromised websites to their controlled domains. In one
3
EXOTIC LILY is a possible alias for Socgholish. Exotic Lily, an initial access broker (IAB), has been active since at least September 2021. The entity conducts highly sophisticated phishing campaigns to gain initial access to organizations and then sells this access to other threat actors, including ransomware groups. A notable example of their m
2
Fakesg is a possible alias for Socgholish. FakeSG is a recently identified malware that uses sophisticated obfuscation and delivery techniques, making it a serious threat. The malware mimics the notorious SocGholish distribution campaign, hence its name - "FakeSG". It has different browser templates, altering its appearance based on the vict
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Ransomware
Downloader
Cybercrime
Payload
Trojan
Phishing
Malware Loader
JavaScript
Malwarebytes
Wordpress
Loader
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The WastedLocker Malware is associated with Socgholish. WastedLocker is a sophisticated malware developed by the Evil Corp Group, a notorious cybercriminal organization. This malware is a form of ransomware that targets both Windows and Android devices, encrypting users' data and demanding a ransom for its release. Originating in 2020, WastedLocker utiliUnspecified
3
The Raspberry Robin Malware is associated with Socgholish. Raspberry Robin is a sophisticated malware that uses advanced techniques to infiltrate and exploit computer systems. The malicious software is designed to stealthily enter a system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can wreak havoc by stUnspecified
3
The Netsupport Rat Malware is associated with Socgholish. NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operationsUnspecified
3
The AsyncRAT Malware is associated with Socgholish. AsyncRAT is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. It has recently risen to prominence, raUnspecified
2
The QakBot Malware is associated with Socgholish. Qakbot is a type of malware, or malicious software, that infiltrates computer systems to exploit and damage them. This harmful program can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt opeUnspecified
2
The Netsupport Malware is associated with Socgholish. NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate systemUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Vextrio Threat Actor is associated with Socgholish. Vextrio, a significant threat actor in the cybercrime landscape, has been uncovered as a major traffic broker for cybercriminals by Check Point Research's January 2024 Most Wanted Malware report. The group operates Vextrio Viper, a Traffic Distribution System (TDS) network established in 2020, whichUnspecified
2
Source Document References
Information about the Socgholish Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Malwarebytes
5 days ago
DARKReading
4 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
DARKReading
a year ago
Securityaffairs
5 months ago
BankInfoSecurity
8 months ago
CERT-EU
9 months ago
Checkpoint
10 months ago
CERT-EU
10 months ago
Malware-traffic-analysis.net
10 months ago
CERT-EU
10 months ago
BankInfoSecurity
a year ago
DARKReading
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago