Threat Summary
The current threat landscape is defined by a significant shift in Initial Access vectors following Operation Endgame's disruption of the TA569 (GOLD PRELUDE) SocGholish infrastructure. While law enforcement actions have successfully dismantled 100+ servers and 15,000 compromised WordPress sites distributing fake browser updates, threat actors have rapidly adapted.
Active OTX pulses indicate a pivot toward two sophisticated vectors:
- Supply Chain Compromise: The malicious injection of JavaScript into the "Okendo Reviews" widget (affecting 18,000+ brands) to deliver NetSupport, Remcos, and StealC.
- AI-Generated Social Engineering: The "ClickFix" campaign utilizing AI-generated typosquatting domains targeting Brazilian banks, employing fake CAPTCHAs and BSOD screens to trick users into executing PowerShell scripts that deploy SmartRAT and Banana RAT.
Concurrently, general infostealer trends remain high with ACRStealer, Remus, and LummaC2 being distributed via cracked software hosted on cloud storage. The collective objective across these campaigns is credential harvesting, banking trojan deployment, and establishing persistent C2 channels for data exfiltration.
Threat Actor / Malware Profile
Adversaries
- SmartApeSG: Active in supply chain attacks. Leverages legitimate JavaScript widgets (Okendo) to inject malicious loaders targeting the retail sector.
- GOLD PRELUDE (TA569): Historically utilized SocGholish for fake browser updates. While infrastructure is disrupted by Operation Endgame, remnants and copycat techniques persist.
- Unknown (ClickFix Actor): Utilizing AI to create high-fidelity typosquatting domains and fake error pages (CAPTCHA/BSOD) targeting financial sectors in Brazil.
Malware Families
- SmartRAT: PowerShell-based banking trojan delivered via ClickFix. Features encrypted C2, clipboard hijacking, and interception of 2FA codes (including QR code interception).
- StealC / LummaC2 / ACRStealer: Information stealers targeting browser credentials, cookies, and cryptocurrency wallets. Often distributed via DLL side-loading or malicious JS loaders.
- SocGholish: A malware framework (JScript based) historically used as a loader for payloads like IcedID, Pikabot, and Bumblebee. Relies on compromised WordPress sites.
TTPs
- Distribution: Fake Browser Updates, Compromised JS Widgets (Supply Chain), Typosquatting, Cracked Software.
- Execution: PowerShell commands triggered by user interaction (fake captchas), JScript loaders, DLL side-loading.
- C2: Encrypted HTTP/HTTPS communication; domains often spoofing legitimate services (e.g., windowsupdate-cdn.com).
- Persistence: Scheduled tasks, Registry Run keys, and DLL side-loading.
IOC Analysis
Indicator Types & Operationalization:
- Hostnames (e.g., trademark.iglesiaelarca.com): Remnants of the SocGholish network. SOC teams should block these at the perimeter and DNS layer. These are historically high-fidelity for C2 or distribution nodes.
- URLs (e.g., http://cdn-static.okendo.io/...): The Okendo supply chain pulse indicates a compromised legitimate script. While the base domain is legitimate, the specific script path or subsequent C2 calls (api.wiggettix.com) must be blocked.
- Domains (e.g., crefisa.online, windowsupdate-cdn.com): Typosquatting indicators from the ClickFix campaign. High priority for DNS sinkholing.
- File Hashes (MD5/SHA1/SHA256): Payloads for SmartRAT and Infostealers. Use EDR correlation hunts to find these files on disk or in memory.
Tooling:
- Decode: Use VirusTotal, Hybrid Analysis, or ANY.RUN for file analysis.
- Network: MISP or Splunk for correlating the hostnames with outbound proxy logs.
Detection Engineering
```yaml
---
title: Potential ClickFix Fake Browser Update PowerShell Execution
id: 483b1a2e-6d4f-4a9c-b5d0-8c7e9f1a2b3c
description: Detects PowerShell execution spawned by a browser process, a common pattern in ClickFix and Fake Browser Update campaigns leading to SmartRAT or SocGholish execution.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6267c3d1e67b1c4a6b1c3d1a
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administrative scripts launched from web interfaces
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - attack.initial_access
    - attack.t1189
---
title: SmartRAT and Infostealer Suspicious PowerShell Encoded Command
description: Detects the use of EncodedCommand in PowerShell, often used by GhostLoader and SmartRAT to obfuscate payloads delivered via ClickFix.
id: d4e5f6a7-8b9c-4d5e-8f9a-1b2c3d4e5f6g
status: experimental
date: 2026/06/21
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    suspicious_encoded:
        CommandLine|contains:
            - ' -EncodedCommand '
            - ' -enc '   # PowerShell accepts unambiguous prefixes of the parameter name
    suspicious_keywords:
        CommandLine|contains:
            - 'DownloadString'
            - 'IEX'
            - 'Invoke-Expression'
    # An encoded payload carries DownloadString/IEX inside the base64 blob, so requiring
    # the plaintext keywords together with -EncodedCommand would almost never fire.
    # Alert on the encoded flag or on a plaintext download cradle.
    condition: selection_pwsh and 1 of suspicious_*
falsepositives:
    - System management scripts
level: high
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
---
title: Okendo Supply Chain Malicious JS Injection Network Connection
description: Detects network connections to known malicious domains associated with the Okendo Reviews supply chain compromise delivering Sectop RAT and StealC.
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6267c3d1e67b1c4a6b1c3d1b
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'wiggettix.com'
            - 'wizzleticks.com'
            - 'okendo.io'   # Legitimate widget host: included for baselining high-frequency, non-standard calls; expect matches from normal traffic
    condition: selection
falsepositives:
    - Legitimate Okendo widget traffic (verify against IP reputation)
level: critical
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.initial_access
    - attack.t1195.002
```
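As an added example (not from the original report), the following Python evaluator applies the Sigma modifiers used above (endswith, contains, "all of" and "1 of" conditions) to constructed process_creation events. It mirrors the browser-to-PowerShell rule and a variant of the encoded-command rule that fires on the encoded flag or a plaintext download cradle, since an encoded payload hides the DownloadString/IEX keywords; the event paths, command lines and rule names are constructed.

```python
import re

EVENTS = {  # constructed process_creation events (not real telemetry)
    "clickfix": {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "CommandLine": "powershell.exe -w hidden -EncodedCommand SQBFAFgAIAAo"},
    "admin_pwsh": {"ParentImage": r"C:\Windows\explorer.exe",
                   "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    "browser_cmd": {"ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                    "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
}

# The page's browser-to-PowerShell rule, and a variant of its encoded-command rule that
# fires on the encoded flag OR a plaintext cradle (an encoded payload hides the keywords).
RULES = {
    "browser_spawns_powershell": {
        "selection": {"ParentImage|endswith": ["\\chrome.exe", "\\msedge.exe", "\\firefox.exe"],
                      "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "condition": "selection"},
    "encoded_or_cradle": {
        "selection_pwsh": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "suspicious_encoded": {"CommandLine|contains": [" -EncodedCommand ", " -enc "]},
        "suspicious_keywords": {"CommandLine|contains": ["DownloadString", "IEX", "Invoke-Expression"]},
        "condition": "selection_pwsh and 1 of suspicious_*"},
}

def _match(modifier, value, pattern):  # Sigma string matching is case-insensitive by default
    v, p = str(value).lower(), str(pattern).lower()
    return v.endswith(p) if modifier == "endswith" else (p in v if modifier == "contains" else v == p)

def _selection_hits(selection, event):  # fields are AND-ed; values listed for one field are OR-ed
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if field not in event or not any(_match(modifier, event[field], p) for p in patterns):
            return False
    return True

def _atom(results, atom):  # resolves 'name', 'all of prefix*' or '1 of prefix*'
    m = re.fullmatch(r"(all|1) of (\w+)\*", atom)
    if not m:
        return results[atom]
    hits = [hit for name, hit in results.items() if name.startswith(m.group(2))]
    return all(hits) if m.group(1) == "all" else any(hits)

def rule_fires(rule, event):  # conditions here are atoms joined by ' and ', the forms this page uses
    results = {n: _selection_hits(s, event) for n, s in rule.items() if n != "condition"}
    return all(_atom(results, a.strip()) for a in rule["condition"].split(" and "))
```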
```kql
// Hunt for ClickFix and Typosquatting Domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("crefisa.online", "windowsupdate-cdn.com", "wiggettix.com", "wizzleticks.com")
    or RemoteUrl contains "okendo-reviews.js"
// RemoteUrl already holds the full URL (or hostname) in this table; there is no separate request-path column to concatenate
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| order by Timestamp desc

// Hunt for Browser spawning PowerShell (ClickFix behavior)
DeviceProcessEvents
| where Timestamp > ago(3d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
```powershell
# IOC Hunt Script: SocGholish Remnants & SmartRAT Artifacts
# Requires Admin Privileges
Write-Host "[*] Scanning for ClickFix/SocGholish Artifacts and Persistence..." -ForegroundColor Cyan

# Check for Suspicious Scheduled Tasks (Common in SmartRAT/Infostealers)
# Parentheses make the precedence explicit: PowerShell binds -and tighter than -or.
# Author is $null (not "") on tasks that lack one, so test for null-or-empty.
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    ($_.Actions.Execute -like "*powershell*") -or
    ($_.Actions.Execute -like "*cmd.exe*") -or
    (($_.TaskName -match "Update|Chrome|Edge|Flash") -and [string]::IsNullOrEmpty($_.Author))
}
if ($suspiciousTasks) {
    Write-Host "[!] Suspicious Scheduled Tasks Found:" -ForegroundColor Red
    $suspiciousTasks | Format-List TaskName, Author,
        @{ Name = 'Execute';   Expression = { $_.Actions.Execute } },
        @{ Name = 'Arguments'; Expression = { $_.Actions.Arguments } }
} else {
    Write-Host "[-] No suspicious scheduled tasks detected." -ForegroundColor Green
}

# Check Hosts File for Typosquatting Domains (ClickFix indicators)
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$maliciousDomains = @("crefisa.online", "windowsupdate-cdn.com")
$hostsContent = Get-Content $hostsPath
foreach ($domain in $maliciousDomains) {
    # Escape the dots so the domain is matched literally rather than as a regex wildcard
    if ($hostsContent -match [regex]::Escape($domain)) {
        Write-Host "[!] Malicious domain found in hosts file: $domain" -ForegroundColor Red
    }
}

# Scan User Directories for Suspicious ISO/ZIP/JS files (Infostealer vectors)
$paths = @("C:\Users\", "C:\ProgramData\")
# -Include takes wildcard patterns; bare extensions such as ".iso" never match anything
$extensions = @("*.iso", "*.zip", "*.js", "*.jse")
Write-Host "[*] Scanning common drop locations for suspicious payloads..." -ForegroundColor Cyan
Get-ChildItem -Path $paths -Include $extensions -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 5MB -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Select-Object FullName, LastWriteTime, Length
```
Response Priorities
- Immediate:
  - Block all listed IOCs (Hostnames, Domains, URLs) at the proxy, firewall, and DNS sinkhole.
  - Quarantine endpoints matching the PowerShell execution patterns (Browser -> PowerShell).
  - Identify and block the malicious okendo-reviews.js script or block requests to api.wiggettix.com.
- 24 Hours:
  - Initiate credential reset for users who may have interacted with the Okendo widget or visited the typosquatting domains (specifically in Finance/Retail sectors).
  - Hunt for the specific MD5/SHA hashes provided in the pulses across the environment.
- 1 Week:
  - Review supply chain security: Implement strict allow-listing for third-party JavaScript widgets (e.g., Subresource Integrity checks).
  - Harden browser policies to restrict arbitrary PowerShell execution via EMET or Application Control.
  - Conduct user awareness training specifically targeting "Fake Browser Updates" and "Fake CAPTCHA" social engineering.
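As an added example of the Subresource Integrity control recommended above (not the report's or Okendo's code): a Python helper that computes the integrity token for a vetted widget build, emits the pinned script tag, and mimics the browser-side check so that a modified copy of the widget is rejected. The widget bodies and the script URL are constructed placeholders.

```python
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests the SRI spec allows

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity token ("sha384-<base64 digest>") for a script body."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only defines sha256, sha384 and sha512")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

def pinned_script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag a site ships for a vetted third-party widget build.
    crossorigin="anonymous" is required for SRI to apply to cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')

def sri_verify(body: bytes, integrity: str) -> bool:
    """Mimic the browser check (simplified: any listed token that matches passes).
    Listing the old and new token lets a site accept both builds during a rollover."""
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo not in SRI_ALGOS:
            continue  # unknown-algorithm tokens are ignored, as browsers do
        try:
            expected = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if hmac.compare_digest(hashlib.new(algo, body).digest(), expected):
            return True
    return False

# Constructed widget bodies (illustrative only, not the real Okendo script or the real injection).
VETTED_WIDGET = b"(function(){window.okendoReviews=function(){/* render reviews */};})();"
TAMPERED_WIDGET = VETTED_WIDGET + b"\n/* injected loader (constructed placeholder) */"
WIDGET_SRC = "https://widget-cdn.example.invalid/okendo-reviews.js"  # placeholder URL

if __name__ == "__main__":
    integrity = sri_hash(VETTED_WIDGET)
    print(pinned_script_tag(WIDGET_SRC, VETTED_WIDGET))
    print("vetted copy loads:  ", sri_verify(VETTED_WIDGET, integrity))    # True
    print("tampered copy loads:", sri_verify(TAMPERED_WIDGET, integrity))  # False
```

Pinning only holds if each legitimate widget release is re-vetted and the integrity value rotated; otherwise a routine vendor update breaks the widget and creates pressure to drop the check.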