Back to Intelligence

INC RaaS Rust Encryption, SocGholish Disruption, and Okendo Supply Chain Attack: OTX Pulse Analysis

SA
Security Arsenal Team
June 18, 2026
5 min read

The latest OTX pulses highlight a complex threat landscape involving major law enforcement disruption, the rapid evolution of ransomware, and sophisticated supply chain compromises. Operation Endgame has successfully disrupted the SocGholish (TA569) malware infrastructure, taking down 106 servers and 15,000 compromised WordPress sites used for fake browser updates. Concurrently, INC Ransomware has filled the void left by LockBit and BlackCat, evolving into a top-tier Rust-based RaaS operation targeting cross-platform environments. Separately, a supply chain attack by SmartApeSG has compromised the Okendo Reviews widget, injecting malicious JavaScript to deliver RATs like NetSupport and Remcos to retail targets.

Threat Actor / Malware Profile

INC Ransomware (RaaS)

  • Adversary: INC
  • Malware Families: Brave Prince (Lynx/Sinobi), Cobalt Strike
  • Behavior: INC has rewritten encryptors for Windows and Linux/ESXi in Rust, increasing cross-platform capabilities and analysis difficulty. They utilize double-extortion tactics and have claimed over 800 victims by exploiting affiliates migrating from disrupted cartels.
  • Initial Access: Leverages CVE-2023-3519, CVE-2023-48788, CVE-2024-57727, and the critical CVE-2025-5777.

GOLD PRELUDE / TA569 (SocGholish)

  • Adversary: GOLD PRELUDE
  • Malware Families: SocGholish, IcedID, Smokeloader, Pikabot, Bumblebee, QakBot
  • Behavior: Historically used fake browser update prompts on compromised WordPress sites to distribute loaders. While Operation Endgame decimated their C2, indicators suggest the actors are pivoting or remnants remain active.

SmartApeSG

  • Adversary: SmartApeSG
  • Malware Families: NetSupport, Remcos, StealC, Sectop RAT, SmartRAT
  • Behavior: Executes a supply chain attack by injecting obfuscated JavaScript into the legitimate Okendo Reviews widget. The script uses localStorage as a staging loader to fetch final payloads.

IOC Analysis

  • Hostnames: SocGholish indicators include compromised WordPress domains (e.g., trademark.iglesiaelarca.com, billing.roofnrack.us) serving malicious JScript. These should be blocked immediately.
  • Onion/Domains: INC Ransomware utilizes .onion sites for leak sites (e.g., incblog6qu4y4...onion) and clear-web domains (e.g., incblog.su). The Okendo attack utilizes suspicious C2 domains like api.wigletticks.com.
  • File Hash (SHA256): 6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141 (Associated with INC/Brave Prince).
  • CVEs: INC actively exploits 2023 and 2025 vulnerabilities (CVE-2025-5777).

Operationalization: SOC teams should import these IOCs into EDR alerting (file hashes) and firewall/proxy blocklists (domains and hostnames). The Okendo URLs require specific web-proxy inspection rules to detect the malicious JS injection.

Detection Engineering

Sigma Rules

YAML
title: Potential SmartApeSG Okendo C2 Connection
id: 4f2b9c8d-1a3e-4b5c-8d6e-7f8a9b0c1d2e
description: Detects network connections to known SmartApeSG C2 domains associated with the Okendo Reviews supply chain attack.
status: experimental
date: 2026/06/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'api.wigletticks.com'
            - 'api.wizzleticks.com'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: SocGholish Fake Browser Update Pattern
description: Detects execution of wscript.exe or cscript.exe with arguments typical of SocGholish fake browser update payloads.
id: 3e1d2c9b-4a5f-6e7d-8b9c-0a1b2c3d4e5f
status: experimental
date: 2026/06/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
product: windows
detection:
    selection_img:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_cli:
        CommandLine|contains:
            - '.js'
            - 'jscript'
    selection_update_keywords:
        CommandLine|contains:
            - 'update'
            - 'chrome'
            - 'browser'
    condition: all of selection_
falsepositives:
    - Legitimate system administration scripts
level: high
---
title: INC Ransomware Cobalt Strike Spawn Pattern
description: Detects suspicious process execution patterns often associated with Cobalt Strike beacons used by INC Ransomware (Brave Prince).
id: 5f6e7d8c-9b0a-1b2c-3d4e-5f6a7b8c9d0e
status: experimental
date: 2026/06/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\svchost.exe'
            - '\explorer.exe'
            - '\cmd.exe'
    selection_child:
        Image|endswith:
            - '\rundll32.exe'
            - '\powershell.exe'
            - '\regsvr32.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
            - 'Invoke-'
    condition: all of selection_
falsepositives:
    - Legitimate software updates
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for connections to known SocGholish compromised hostnames and Okendo C2
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in (
    'trademark.iglesiaelarca.com', 
    'content.garretttrails.org', 
    'promo.summat10n.org', 
    'billing.roofnrack.us', 
    'api.wigletticks.com', 
    'api.wizzleticks.com'
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemotePort
;

// Hunt for INC Ransomware associated file hash
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 == '6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141'
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for INC Ransomware IOCs and SmartApeSG C2 domains.
.DESCRIPTION
    Checks the file system for the specific INC SHA256 hash and DNS cache for C2 domains.
#>

$IncHash = "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141"
$SuspiciousDomains = @(
    "api.wigletticks.com",
    "api.wizzleticks.com",
    "trademark.iglesiaelarca.com",
    "billing.roofnrack.us"
)

Write-Host "[+] Hunting for INC Ransomware Hash..."
# Search C: drive for the hash (restricts to common executable extensions for performance)
Get-ChildItem -Path "C:\" -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue | 
    ForEach-Object { 
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -eq $IncHash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }

Write-Host "[+] Checking DNS Cache for C2 Domains..."
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $SuspiciousDomains) {
    if ($DnsCache | Where-Object { $_.Entry -like "*$domain*" }) {
        Write-Host "[!] SUSPICIOUS DNS ENTRY FOUND: $domain" -ForegroundColor Yellow
    }
}

Write-Host "[+] Hunt Complete."


# Response Priorities

*   **Immediate:**
    *   Block all IOCs listed in the "IOC Analysis" section at the perimeter firewall and proxy.
    *   Inspect web traffic for the Okendo widget URL `cdn-static.okendo.io` and block requests to `api.wigletticks.com` and `api.wizzleticks.com`.
    *   Scan endpoints for the SHA256 hash `6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141`.

*   **24 Hours:**
    *   Initiate credential rotation for accounts active on devices where suspicious browser activity (fake updates) or RAT processes (NetSupport, Remcos) were detected.
    *   Patch systems against CVE-2023-3519, CVE-2023-48788, CVE-2024-57727, and CVE-2025-5777 to prevent INC Ransomware initial access.

*   **1 Week:**
    *   Audit all third-party JavaScript libraries and widgets (supply chain) on public-facing e-commerce properties.
    *   Implement strict allow-listing for software updates to prevent fake update infections.
    *   Review backup integrity for Linux/ESXi systems given INC's Rust-based cross-platform encryptors.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptinc-ransomwaresocgholishsupply-chain-attacksmartratrust-malware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action