
Okendo Supply Chain & SocGholish Fake Updates: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 23, 2026

Recent OTX pulses highlight a convergence of supply chain compromises and persistent credential-harvesting operations. The SmartApeSG threat actor has weaponized the Okendo Reviews widget (used by 18,000+ brands) to inject malicious JavaScript that serves as a loader for RATs such as NetSupport and Remcos. At the same time, the disruption of SocGholish (Fake Browser Updates) via Operation Endgame reveals the massive scale of SEO-poisoned WordPress sites used to distribute IcedID and QakBot. Separately, intelligence indicates a heavy concentration of C2 infrastructure (1,350+ servers) in the Middle East (primarily STC), attributed to nation-state actors such as APT28 and Energetic Bear using tools like Sliver and Cobalt Strike. Collectively, these operations rely on trusted web vectors for initial access and aim at long-term persistence in the Government, Energy, and Retail sectors.

Threat Actor / Malware Profile

SmartApeSG (Okendo Supply Chain)

  • Distribution Method: Supply chain compromise via JavaScript injection into the okendo-reviews.js file hosted on high-traffic e-commerce sites.
  • Payload Behavior: The injected JS acts as a staged loader, utilizing localStorage for obfuscation and redirecting victims to malicious domains (e.g., api.wigletticks.com) to download payloads.
  • Families: NetSupport, Remcos, StealC, Sectop RAT, SmartRAT.

GOLD PRELUDE / TA569 (SocGholish)

  • Distribution Method: Compromised WordPress sites displaying fake browser update alerts ("Chrome Failed to Update").
  • Payload Behavior: Malicious JScript payloads download secondary loaders like IcedID or Pikabot.
  • C2 Communication: HTTP/HTTPS beaconing to compromised infrastructure.

Nation-State APTs (Middle East Infrastructure)

  • Actors: APT28, Energetic Bear, Eagle Werewolf.
  • Infrastructure: Heavy reliance on regional hosting providers (STC) to host C2 servers, evading some traditional geoblocking.
  • Tools: Cobalt Strike, Sliver, Mirai (for DDoS), and bespoke RATs.

IOC Analysis

The provided indicators consist primarily of network artifacts:

  • Hostnames: SocGholish utilizes a network of compromised legitimate domains (e.g., trademark.iglesiaelarca.com) to bypass reputation filters. SOC teams should prioritize these for DNS sinkholing.
  • URLs: The Okendo attack leverages specific malicious endpoints (api.wigletticks.com, api.wizzleticks.com) mimicking legitimate API structures.
  • CVEs: CVE-2025-11953 is associated with the Middle East infrastructure campaign, likely an exploitation vector for initial access.

Operationalization:

  • Tooling: Feed IOCs into EDR alerting (for network connections) and SIEM correlation rules. Use passive DNS to identify historical resolution of the malicious hostnames.
  • Decoding: The Okendo JS is obfuscated; analysts should use browser developer tools or console.log debugging hooks on the localStorage objects to de-obfuscate the loader logic.

Detection Engineering

Sigma rules detecting the specific behaviors observed in these pulses: malicious Okendo API calls, SocGholish fake update patterns, and C2 beaconing associated with the identified infrastructure.

```yaml
title: Potential Okendo Supply Chain Malicious API Call
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects network connections to known malicious domains associated with the SmartApeSG Okendo Reviews supply chain attack.
status: experimental
date: 2026-06-23
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6700000000000000
logsource:
    category: network_connection
detection:
    selection:
        # Sigma's standard field for the remote host in network_connection logs
        DestinationHostname|contains:
            - 'wigletticks.com'
            - 'wizzleticks.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.supply_chain
    - attack.t1195
---
title: SocGholish Fake Browser Update Pattern
id: 2a3b4c5d-6e7f-8a9b-0c1d-2e3f4a5b6c7d
description: Detects potential execution of scripts or binaries associated with SocGholish fake browser updates, often named 'update', spawned directly by a browser.
status: experimental
date: 2026-06-23
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6700000000000001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\mshta.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\regsvr32.exe'
    selection_cli:
        CommandLine|contains:
            - 'update'
            - 'chrome'
            - 'setup'
    selection_parent:
        # ParentImage is the Sigma process_creation field for the spawning process
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate browser updates (rarely spawned via these child processes)
level: high
tags:
    - attack.initial_access
    - attack.t1189
---
title: APT C2 Infrastructure Beaconing Anomaly
id: 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f
description: Detects long-duration connections and high-frequency beaconing to Middle East based infrastructure associated with APT28/Energetic Bear C2 servers.
status: experimental
date: 2026-06-23
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6700000000000002
logsource:
    category: network_connection
detection:
    selection_duration:
        Duration|gt: 300
    selection_port:
        DestinationPort:
            - 443
            - 80
    selection_geo:
        # exact country-code match; 'contains' would also hit codes such as 'USA'
        DestinationGeo:
            - 'SA'
            - 'AE'
            - 'QA'
    filter_legit:
        DestinationHostname|endswith:
            - '.microsoft.com'
            - '.google.com'
            - '.amazon.com'
    condition: selection_duration and selection_port and selection_geo and not filter_legit
falsepositives:
    - Legitimate traffic to Middle East CDNs
level: medium
tags:
    - attack.command_and_control
    - attack.t1071
    - cve.2025.11953
```
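Before shipping the three rules above, it is worth confirming that their conditions fire only where intended. The following Python is an added example (not the post's own tooling and not a real Sigma engine): it re-implements just the modifiers the rules use (contains, endswith, gt and exact match), applies each rule's condition to constructed sample events, and uses the Sigma-standard `ParentImage` for the parent process and an exact country-code match on `DestinationGeo`. Every event below is constructed.

```python
"""Minimal evaluator for the three Sigma rules above (added example, not the
post's tooling). Only the modifiers those rules use are implemented, and the
rule conditions are written out explicitly so the AND/OR/NOT semantics can be
checked offline against constructed events."""
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]
Selection = Dict[str, Any]


def _field_matches(event: Event, spec: str, values: List[Any]) -> bool:
    """Evaluate one 'Field|modifier: [values]' line; the listed values are OR-ed."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:          # a missing field never matches
        return False
    if modifier == "gt":
        return float(actual) > float(values[0])
    text = str(actual).lower()  # Sigma string matching is case-insensitive
    for value in values:
        value = str(value).lower()
        if (modifier == "contains" and value in text) or \
           (modifier == "endswith" and text.endswith(value)) or \
           (modifier == "" and text == value):
            return True
    return False


def selection_matches(event: Event, selection: Selection) -> bool:
    """All field specs inside one selection must match (AND)."""
    return all(_field_matches(event, spec, vals if isinstance(vals, list) else [vals])
               for spec, vals in selection.items())


# Rule 1: connection to an Okendo-campaign domain (hostnames from the post).
OKENDO_SELECTION: Selection = {"DestinationHostname|contains": ["wigletticks.com", "wizzleticks.com"]}

# Rule 2: a browser spawns a script host with an update/chrome/setup command line.
SOCGHOLISH_SELECTIONS: Dict[str, Selection] = {
    "selection_img": {"Image|endswith": ["\\mshta.exe", "\\wscript.exe", "\\cscript.exe", "\\regsvr32.exe"]},
    "selection_cli": {"CommandLine|contains": ["update", "chrome", "setup"]},
    "selection_parent": {"ParentImage|endswith": ["\\chrome.exe", "\\firefox.exe", "\\msedge.exe"]},
}

# Rule 3: long-lived 80/443 session to the listed regions, minus allow-listed vendors.
APT_C2_SELECTIONS: Dict[str, Selection] = {
    "selection_duration": {"Duration|gt": 300},
    "selection_port": {"DestinationPort": [443, 80]},
    "selection_geo": {"DestinationGeo": ["SA", "AE", "QA"]},
    "filter_legit": {"DestinationHostname|endswith": [".microsoft.com", ".google.com", ".amazon.com"]},
}


def okendo_hit(event: Event) -> bool:
    return selection_matches(event, OKENDO_SELECTION)          # condition: selection


def socgholish_hit(event: Event) -> bool:                      # condition: all of selection_*
    return all(selection_matches(event, s) for s in SOCGHOLISH_SELECTIONS.values())


def apt_c2_hit(event: Event) -> bool:
    # condition: selection_duration and selection_port and selection_geo and not filter_legit
    s = APT_C2_SELECTIONS
    return (selection_matches(event, s["selection_duration"])
            and selection_matches(event, s["selection_port"])
            and selection_matches(event, s["selection_geo"])
            and not selection_matches(event, s["filter_legit"]))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\wscript.exe",                      # 0: fake update run from a browser
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\Chrome.Update.js"',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",                      # 1: same keyword, parent is Explorer
     "CommandLine": r'wscript.exe "C:\scripts\setup.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"DestinationHostname": "api.wigletticks.com", "DestinationPort": 443},   # 2: Okendo-campaign host
    {"DestinationHostname": "vps-203-0-113-10.example.invalid",        # 3: 15-minute session, regional, not allow-listed
     "DestinationPort": 443, "Duration": 900, "DestinationGeo": "SA"},
    {"DestinationHostname": "cdn.microsoft.com",                        # 4: equally long, but allow-listed vendor
     "DestinationPort": 443, "Duration": 900, "DestinationGeo": "AE"},
]


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule title) for every rule an event triggers."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if okendo_hit(ev):
            hits.append((i, "Potential Okendo Supply Chain Malicious API Call"))
        if socgholish_hit(ev):
            hits.append((i, "SocGholish Fake Browser Update Pattern"))
        if apt_c2_hit(ev):
            hits.append((i, "APT C2 Infrastructure Beaconing Anomaly"))
    return hits


if __name__ == "__main__":
    for index, title in triage(SAMPLE_EVENTS):
        print(f"event {index}: {title}")
```

Event 1 is the case that matters most for the SocGholish rule: the script host and the `setup` keyword are both present, but because `all of selection_*` also requires a browser parent, it stays silent. Swapping the condition to `1 of selection_*` would make that benign event an alert.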

KQL (Microsoft Sentinel)

Hunt for connections to the identified malicious hostnames and suspicious Okendo-related network activity.

```kql
// Hunt for SocGholish and Okendo malicious infrastructure (last 7 days)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("wigletticks", "wizzleticks", "iglesiaelarca.com", "garretttrails.org")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend ThreatContext = case(
    // both domains belong to the Okendo campaign, so both map to the same context
    RemoteUrl has_any ("wigletticks", "wizzleticks"), "Okendo Supply Chain",
    RemoteUrl has "iglesiaelarca", "SocGholish Fake Update",
    "Other Suspicious"
)
```

PowerShell Hunt Script

Checks the local hosts file for the malicious hostnames (an entry there is a common tactic for redirecting victims or blocking detection) and scans the names and descriptions of running processes for the specific RATs mentioned.

```powershell
# IOC Hunt for Okendo/SocGholish Indicators
$MaliciousHosts = @(
    "trademark.iglesiaelarca.com",
    "api.wigletticks.com",
    "api.wizzleticks.com",
    "promo.summat10n.org"
)

$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

Write-Host "[+] Checking Hosts file for malicious entries..."
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    # $Host is a read-only automatic variable in PowerShell, so the loop variable needs another name
    foreach ($MalHost in $MaliciousHosts) {
        if ($HostsContent -match [regex]::Escape($MalHost)) {
            Write-Host "[!] ALERT: Malicious host found in hosts file: $MalHost" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Scanning for NetSupport/Remcos/Sectop RAT processes..."
$RatProcesses = @("NetSupport Manager", "Remcos", "Sectop", "SmartRAT", "stealc")
$RunningProcs = Get-Process -ErrorAction SilentlyContinue

foreach ($Proc in $RunningProcs) {
    # Compare the process name, file description and product name against each RAT pattern.
    # (Matching the RAT list against the process name, as the other way round would do,
    # flags any process whose name is merely a substring of a RAT name.)
    $Names = @($Proc.ProcessName, $Proc.Description, $Proc.Product) -join " "
    $Matched = $RatProcesses | Where-Object { $Names -like "*$_*" }
    if ($Matched) {
        Write-Host "[!] ALERT: Suspicious RAT process detected: $($Proc.ProcessName) (PID: $($Proc.Id)) matched '$Matched'" -ForegroundColor Red
    }
}

# Check for browser artifacts (requires the affected user's context).
# Note: the loader's localStorage state lives in the profile's "Local Storage\leveldb" folder
# and needs a LevelDB parser; the History SQLite database is copied here for URL review instead.
Write-Host "[+] Checking browser profile for suspicious artifacts (requires user context)"
$ChromeHistory = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History"
if (Test-Path $ChromeHistory) {
    # Copy the file to temp before reading it (Chrome keeps it locked while running)
    $TempPath = "$env:TEMP\chrome_history_temp.db"
    Copy-Item $ChromeHistory $TempPath -Force
    Write-Host "[+] Chrome History copied to $TempPath for manual forensic review of 'okendo' or 'update' keywords."
}
```


Response Priorities

Immediate

  • Block IOCs: Immediately block all hostnames and domains listed in the IOC Analysis section at the perimeter firewall and proxy.
  • Hunt Artifacts: Use the PowerShell script to scan endpoints for the presence of NetSupport, Remcos, or the specific hosts-file entries.
  • Supply Chain Audit: If using Okendo, inspect the version of the reviews-widget-plus/js/okendo-reviews.js file currently deployed and compare its hash against vendor-released safe versions.

24 Hours

  • Identity Verification: Given the presence of StealC and IcedID, assume credential exposure. Reset passwords for accounts with high privileges or recent logins from affected regions.
  • Web Gateway: Ensure URL filtering blocks "parked domains" or categories associated with the compromised WordPress infrastructure.

1 Week

  • Architecture Hardening: Implement strict Content Security Policy (CSP) headers to prevent unauthorized JavaScript loading from third-party domains.
  • Geo-fencing: Review traffic logs for Middle East regions (SA, AE, QA) where not required by business operations, correlating with the C2 infrastructure pulse.
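The hash comparison in the Supply Chain Audit item and the CSP hardening item can be tied together: once a deployed widget copy matches a vendor-released hash, that same hash can be pinned in the script tag (Subresource Integrity) and a CSP script-src can restrict where any further script may be loaded from. The Python below is an added example, not the post's or Okendo's code; the widget bytes, the tampered copy, the "known-good" hash and the vendor origin are all constructed stand-ins, and the allowlist in a real audit must come from the vendor, never from whatever is currently being served.

```python
"""Added example (not the post's or the vendor's code): verify a local copy of a
third-party widget against a hash allowlist, then derive the browser-side
controls that enforce the result: an SRI integrity value for the script tag and
a CSP script-src directive. All sample data below is constructed."""
import base64
import hashlib
from typing import Dict, Iterable, Optional, Set

# Constructed stand-in for a vendor-released widget build (the real file is far larger).
KNOWN_GOOD_WIDGET = b"(function(){window.reviewsWidget={version:'1.0.0'};})();\n"

# Allowlist of vendor-released hashes; here derived from the constructed build above.
KNOWN_GOOD_SHA256: Set[str] = {hashlib.sha256(KNOWN_GOOD_WIDGET).hexdigest()}

# Constructed tampered copy: the legitimate code with a loader stub appended, so the
# widget keeps working and the change is invisible without a hash comparison.
TAMPERED_WIDGET = KNOWN_GOOD_WIDGET + b"localStorage.setItem('s','stage');\n"

# Placeholder for the vendor's real widget origin (assumption, not a real host).
WIDGET_ORIGIN = "https://widget.example-vendor.invalid"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def widget_is_known_good(data: bytes, allowlist: Set[str] = KNOWN_GOOD_SHA256) -> bool:
    """True only if the deployed file matches a vendor-released build byte for byte."""
    return sha256_hex(data) in allowlist


def sri_integrity(data: bytes) -> str:
    """Subresource Integrity value for <script integrity=...>: sha384 digest, base64."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode("ascii")


def csp_script_src(allowed_origins: Iterable[str]) -> str:
    """script-src that permits only 'self' and the listed origins (no wildcards, no inline).
    A loader injected into an allowed origin still cannot fetch a second stage from a
    domain outside this list, which is the redirect step the post describes."""
    return "script-src 'self' " + " ".join(allowed_origins) + ";"


def audit_widget(data: bytes, allowlist: Set[str] = KNOWN_GOOD_SHA256) -> Dict[str, Optional[str]]:
    """Report for one deployed copy: its hash, allowlist status, and the SRI value to pin.
    The SRI value is only produced for a known-good copy so a tampered file is never pinned."""
    known_good = widget_is_known_good(data, allowlist)
    return {
        "sha256": sha256_hex(data),
        "status": "known-good" if known_good else "UNKNOWN - treat as tampered",
        "integrity": sri_integrity(data) if known_good else None,
    }


def script_tag(src: str, data: bytes) -> str:
    """Script tag for a verified build; the browser refuses to run a file whose hash differs."""
    return f'<script src="{src}" integrity="{sri_integrity(data)}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    for label, blob in (("vendor build", KNOWN_GOOD_WIDGET), ("deployed copy", TAMPERED_WIDGET)):
        print(label, audit_widget(blob))
    print(csp_script_src([WIDGET_ORIGIN]))
    print(script_tag(WIDGET_ORIGIN + "/okendo-reviews.js", KNOWN_GOOD_WIDGET))
```

One caveat before pinning: SRI only works when the vendor serves a fixed, versioned file. If the widget is updated in place, the pinned tag fails closed (the browser refuses the new file) and has to be re-pinned against a fresh vendor-published hash, which is the right default for a supply-chain control but needs to be part of the change process.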
