Socgholish

Malware updated 2 months ago (2024-08-22T21:18:29.381Z)
Download STIX
Preview STIX
SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsoft identified SocGholish as part of an interconnected malware ecosystem, acting as a precursor to various other malware families including Cobalt Strike, IcedID, BumbleBee, and Truebot. The attack chain of SocGholish typically involves a malicious JavaScript file that downloads further stages of the malware. In 2023, SocGholish accounted for over 17.66% of malware injections, making it one of the most widely spread malwares. It was employed in several distinct website malware campaigns, causing massive website infections. Notably, SocGholish was not only used to compromise systems but also as a delivery mechanism for other malwares like AsyncRAT. Huntress researchers observed this JavaScript downloader malware, also known as FakeUpdates, being used to deliver the remote access trojan AsyncRAT and even legitimate open-source projects like BOINC (Berkeley Open Infrastructure Network Computing Client). As of mid-2024, SocGholish continues to be a significant threat in the cyber landscape. According to a report by Red Canary, it was ranked as the sixth most prevalent malware in the wild, tied with Lumma and the ubiquitous Cobalt Strike. This highlights the ongoing risk posed by SocGholish and its adaptability to serve as a vehicle for delivering other harmful software, demonstrating the importance of robust cybersecurity measures to protect against such threats.
Description last updated: 2024-08-22T21:15:59.570Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Fakeupdates is a possible alias for Socgholish. FakeUpdates, a malicious software (malware), has become increasingly prevalent in recent years. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, and can disrupt operations, steal personal information, or hold data hostage for ransom. In 2022, a
5
Evil Corp is a possible alias for Socgholish. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybe
4
Clearfake is a possible alias for Socgholish. ClearFake is a malicious software (malware) that has been identified as a significant threat to computer systems, specifically targeting macOS through an information stealer known as AMOS. This malware operates by compromising legitimate websites with harmful HTML and JavaScript, masquerading as a f
3
Ta569 is a possible alias for Socgholish. TA569 is a malware distributor that has been utilizing fake browser updates for over five years to deliver the SocGholish malware, according to cybersecurity firm Proofpoint. The threat actor has employed various methods to direct traffic from compromised websites to their controlled domains. In one
3
EXOTIC LILY is a possible alias for Socgholish. Exotic Lily, an initial access broker (IAB), has been active since at least September 2021. The entity conducts highly sophisticated phishing campaigns to gain initial access to organizations and then sells this access to other threat actors, including ransomware groups. A notable example of their m
2
Fakesg is a possible alias for Socgholish. FakeSG is a recently identified malware that uses sophisticated obfuscation and delivery techniques, making it a serious threat. The malware mimics the notorious SocGholish distribution campaign, hence its name - "FakeSG". It has different browser templates, altering its appearance based on the vict
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Ransomware
Payload
Downloader
Cybercrime
Trojan
Loader
Malware Loader
Malwarebytes
Wordpress
JavaScript
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Netsupport Rat Malware is associated with Socgholish. NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operationsUnspecified
3
The Raspberry Robin Malware is associated with Socgholish. Raspberry Robin is a sophisticated piece of malware that uses a variety of tactics to infiltrate and exploit computer systems. It employs the CPUID instruction to conduct several checks, enabling it to assess the system's characteristics and vulnerabilities. Furthermore, Raspberry Robin has been obsUnspecified
3
The WastedLocker Malware is associated with Socgholish. WastedLocker is a sophisticated malware developed by the Evil Corp Group, a notorious cybercriminal organization. This malware is a form of ransomware that targets both Windows and Android devices, encrypting users' data and demanding a ransom for its release. Originating in 2020, WastedLocker utiliUnspecified
3
The Netsupport Malware is associated with Socgholish. NetSupport is a legitimate remote access software that has been exploited as a malware tool by various threat actors. It's often used in combination with other malicious software like BlackBasta Ransomware, IcedID, and occasionally Lumma Stealer, the most common infostealer in the world today. The mUnspecified
2
The QakBot Malware is associated with Socgholish. Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includinUnspecified
2
The AsyncRAT Malware is associated with Socgholish. AsyncRAT is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. It has recently risen to prominence, raUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Vextrio Threat Actor is associated with Socgholish. VexTrio, a large cyber threat distributor, has been identified as a significant traffic broker for cybercriminals, according to Check Point Research's January 2024 Most Wanted Malware report. The entity operates one of the most extensive HTTP-based Traffic Direction System (TDS) networks, with an inUnspecified
2
Source Document References
Information about the Socgholish Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
2 months ago
Securityaffairs
2 months ago
Securityaffairs
2 months ago
DARKReading
9 months ago
Securityaffairs
3 months ago
BankInfoSecurity
6 months ago
CERT-EU
7 months ago
Checkpoint
7 months ago
CERT-EU
8 months ago
Malware-traffic-analysis.net
8 months ago
CERT-EU
8 months ago
BankInfoSecurity
9 months ago
DARKReading
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
a year ago
CERT-EU
a year ago