Back to Intelligence

Operation Endgame Aftermath & INC RaaS: SocGholish, SmartRAT, and Infostealer Surge

SA
Security Arsenal Team
June 18, 2026
6 min read

The latest OTX pulses paint a volatile threat landscape for June 2026. While "Operation Endgame" successfully disrupted the SocGholish (TA569) infrastructure—taking down 106 servers and 15,000 compromised WordPress sites—adversaries are rapidly adapting. We observe a shift toward AI-generated ClickFix campaigns delivering SmartRAT and a concerning supply chain compromise via the Okendo Reviews widget affecting over 18,000 brands.

Simultaneously, INC Ransomware has aggressively filled the void left by LockBit and BlackCat, utilizing Rust-based cross-platform encryptors and exploiting CVEs like CVE-2025-5777. Infostealers such as LummaC2, AgentTesla, and Vidar remain the primary initial access vectors, often distributed via cracks/keygens, feeding credentials to these ransomware operations. The collective objective remains credential theft for financial fraud, followed by system encryption for double extortion.

Threat Actor / Malware Profile

INC Ransomware (Adversary)

  • Profile: A top-tier RaaS operation that evolved in 2026, absorbing affiliates from disrupted cartels.
  • Malware: Rust-based encryptors for Windows and Linux/ESXi (Lynx, Sinobi).
  • Capabilities: Double extortion, large-scale data exfiltration, exploitation of CVE-2023-3519 and CVE-2025-5777.
  • Persistence: Uses Cobalt Strike Beacons for lateral movement before deployment.

SmartApeSG / SmartRAT

  • Profile: Actor leveraging AI for typosquatting and ClickFix campaigns.
  • Distribution: Fake CAPTCHA/BSOD screens prompting PowerShell execution.
  • Payload: SmartRAT (PowerShell-based), Banana RAT, GhostLoader.
  • Capabilities: Banking trojan functionality, encrypted C2, QR code interception.

Infostealers (LummaC2, Vidar, AgentTesla)

  • Profile: Distributed via illegal software cracks and email attachments.
  • Persistence: DLL side-loading, scheduled tasks.
  • Objective: Harvesting browser cookies, passwords, and cryptocurrency wallets to sell on dark web forums or use for ransomware access.

IOC Analysis

The provided IOCs include:

  • Domains/Hostnames: Typosquatted banking domains (e.g., crefisa.online), C2 infrastructure (e.g., incblog.su), and compromised legit sites hosting malicious JS (e.g., trademark.iglesiaelarca.com).
  • URLs: Malicious payload endpoints mimicking legitimate API calls (e.g., api.wiggettcks.com).
  • File Hashes: MD5 and SHA256 hashes for loaders and droppers (e.g., 6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141).
  • CVEs: Specific vulnerabilities exploited by INC ransomware.

Operational Guidance: SOC teams should immediately import these hashes into EDR solutions for isolation. Domains must be added to DNS blocklists (RPZ). The URLs should be blocked at the proxy layer. Analysts should use threat intelligence platforms (TIPs) like Cortex or MISP to correlate these hashes with historical sandbox detonations to understand post-exploitation behavior.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Fake Browser Update or ClickFix Execution
id: 8e4b0c12-1a23-4b5c-8d6e-7f8a9b0c1d2e
description: Detects suspicious script execution often associated with fake browser updates or ClickFix campaigns (SocGholish/SmartRAT patterns).
author: Security Arsenal
status: stable
date: 2026/06/18
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\mshta.exe'
      - '\wscript.exe'
    CommandLine|contains:
      - 'downloadString'
      - 'IEX'
      - 'Invoke-Expression'
      - 'FromBase64String'
  condition: selection
falsepositives:
  - Legitimate IT management tools
level: high

---
title: Okendo Reviews Supply Chain Compromise
id: f3d9e8a1-2b3c-4d5e-6f7a-8b9c0d1e2f3a
description: Detects network connections to known malicious endpoints associated with the Okendo Reviews widget compromise (SmartApeSG).
author: Security Arsenal
status: stable
date: 2026/06/18
tags:
  - attack.supply_chain
  - attack.initial_access
  - attack.t1195
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationHostname|contains:
      - 'wiggettcks.com'
      - 'wizzleticks.com'
  condition: selection
falsepositives:
  - None (Known malicious domains)
level: critical

---
title: Suspicious Process Injection via Cobalt Strike or RATs
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
description: Detects potential remote thread creation or hollowing indicative of Cobalt Strike, SmartRAT, or AgentTesla activity observed in INC/Infostealer campaigns.
author: Security Arsenal
status: stable
date: 2026/06/18
tags:
  - attack.defense_evasion
  - attack.privilege_escalation
  - attack.t1055
logsource:
  category: process_creation
  product: windows
detection:
  selection_api:
    CommandLine|contains:
      - 'VirtualAlloc'
      - 'CreateRemoteThread'
      - 'WriteProcessMemory'
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
  filter:
    ParentImage|contains:
      - '\Program Files\'
      - '\Windows\System32\'
  condition: all of selection_* and not filter
falsepositives:
  - Legitimate software installers
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for typosquatting domains and malicious C2 connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "wiggettcks.com", 
    "wizzleticks.com", 
    "crefisa.online", 
    "windowsupdate-cdn.com",
    "incblog.su"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, Action
| summarize count() by RemoteUrl, DeviceName
| order by count_ desc

// Hunt for suspicious PowerShell activity related to ClickFix
DeviceProcessEvents 
| where Timestamp > ago(3d)
| where FileName == "powershell.exe"
| where ProcessCommandLine has "IEX" or ProcessCommandLine has "downloadString" 
| where InitiatingProcessFileName in ("chrome.exe", "msedge.exe", "firefox.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt Script for Operation Endgame, INC Ransomware, and SmartApeSG IOCs.
.DESCRIPTION
    Checks DNS cache, recent file modifications, and running processes for specific IOCs.
#>

$MaliciousDomains = @(
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "incblog.su",
    "crefisa.online",
    "windowsupdate-cdn.com",
    "wiggettcks.com",
    "wizzleticks.com"
)

$MaliciousHashes = @(
    "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141",
    "297eb45f028d44d750297d2f932b9c91",
    "46e32500cd24395dd140293758e72fe8671217f5f5b0307858fc118a125aab8c"
)

Write-Host "[+] Checking DNS Cache for malicious domains..." -ForegroundColor Cyan
Get-DnsClientCache | Where-Object { $MaliciousDomains -contains $_.Entry } | Select-Object Entry, Data

Write-Host "[+] Scanning recent files in C:\Users\Public for malicious hashes..." -ForegroundColor Cyan
$PathsToScan = @("C:\Users\Public\", "$env:TEMP", "$env:APPDATA")
foreach ($path in $PathsToScan) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue -File | 
        Where-Object { $_.Length -lt 50MB -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | 
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($MaliciousHashes -contains $hash) {
                Write-Host "[ALERT] Malicious file found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking Hosts file for entries..." -ForegroundColor Cyan
$HostsPath = "$env:windir\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    Select-String -Path $HostsPath -Pattern $MaliciousDomains | Select-Object Path, LineNumber, Line
}

Write-Host "[+] Hunt complete." -ForegroundColor Green

Response Priorities

  • Immediate: Block all listed domains and URLs at the firewall and proxy level. Isolate any endpoints that have communicated with the Okendo malicious endpoints (wiggettcks.com). Hunt for the file hashes provided in the Pulse data.
  • 24h: Initiate credential resets for users who may have interacted with the "Okendo Reviews" widget or the "ClickFix" fake CAPTCHA pages. Review browser history and session tokens on endpoints in the Retail and Finance sectors.
  • 1 week: Conduct a supply chain audit of all third-party JavaScript widgets (especially customer review plugins). Harden browser policies to restrict unsigned script execution and update awareness training regarding "fake browser updates" and AI-generated typosquatting sites.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinc-ransomwaresmartratlummac2socgholishsupply-chain

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action