Recent OTX Pulse data highlights a significant shift in the threat landscape following the multinational Operation Endgame, which successfully disrupted the TA569 (GOLD PRELUDE) "SocGholish" malware distribution network. While law enforcement actions remediated nearly 15,000 compromised WordPress sites and seized 100+ servers used for fake browser updates, threat actors are rapidly pivoting to alternative initial access vectors.
Concurrently, a new supply chain attack targeting the Okendo Reviews widget (active May 2026) illustrates the move toward compromising trusted third-party JavaScript to deliver payloads like Remcos, StealC, and Sectop RAT. Separately, the FortiBleed campaign has exposed a large-scale credential harvesting operation against Fortinet FortiGate VPNs, utilizing GPU-accelerated hash cracking to breach global organizations.
Collectively, these pulses indicate a dual focus: 1) filling the void left by the takedown of fake-update Traffic Distribution Systems (TDS) with supply chain compromise, and 2) aggressive credential theft against network perimeter devices to facilitate lateral movement and ransomware deployment.
Threat Actor / Malware Profile
TA569 (GOLD PRELUDE) & SocGholish
- Status: Heavily Disrupted (Operation Endgame).
- Malware Families: SocGholish (Loader), IcedID, QakBot, Pikabot, Smokeloader.
- Distribution Method: Compromised WordPress sites delivering fake browser update prompts ("ClickFix").
- Payload Behavior: SocGholish acts as a loader, downloading second-stage payloads like VenomRAT or DanaBot.
- Persistence: Scheduled tasks and Registry run keys established by the initial JScript payload.
- C2 Communication: HTTP/HTTPS to compromised hostnames acting as proxy nodes.
SmartApeSG (Okendo Campaign)
- Malware Families: NetSupport, Remcos, StealC, Sectop RAT.
- Distribution Method: Supply chain compromise via malicious JavaScript injection into the Okendo Reviews widget.
- Payload Behavior: Obfuscated JS acts as a staged loader, utilizing localStorage to evade detection and fetch RAT binaries.
- Target: Retail and E-commerce sectors relying on customer review plugins.
FortiBleed Actor
- Target: Internet-facing Fortinet FortiGate firewalls and SSL VPN gateways.
- Methodology: Credential harvesting, brute-force, and hash cracking using distributed GPU infrastructure (Hashtopolis).
- Objective: Initial access brokerage and credential theft for VPN tunnels.
Infostealers (May 2026 Trends)
- Malware Families: ACRStealer, Remus, LummaC2, AgentTesla, Vidar.
- Distribution: Cracked software (keygens), email campaigns, and cloud storage (AWS S3).
IOC Analysis
The provided IOCs span multiple infrastructure types utilized by these campaigns:
- Hostnames/Domains (SocGholish/Infostealers): Indicators such as trademark.iglesiaelarca.com and comples.biz represent compromised infrastructure or C2 domains. SOC Action: Block DNS resolution and investigate historical HTTP logs for connections to these hosts.
- URLs (Supply Chain): The Okendo campaign utilizes specific delivery URLs like https://api.wiggettiks.com/.... SOC Action: These are high-fidelity indicators for web proxy logs and SIEM alerts.
- IPv4 (FortiBleed): IPs like 85.11.187.8 and 198.53.64.194 are linked to attacker infrastructure and hash-cracking clusters. SOC Action: Immediate block on perimeter firewalls; review VPN logs for successful authentication attempts originating from these IPs.
- File Hashes (Infostealers): SHA256/MD5 hashes for ACRStealer and LummaC2 samples. SOC Action: Endpoint detection (EDR) scans and quarantine.
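The IOC classes above map directly onto a sweep over telemetry you already collect. The Python below is an added example, not code from the OTX pulses or from this report: it takes the domain and IP indicators quoted above, matches them against a few constructed DNS, proxy, VPN and EDR log lines (the log format and the SHA256 value are constructed for the example; real hashes come from the infostealer pulse), and attaches the SOC action from the list. Domain matching covers subdomains of an indicator, the Okendo URL is pinned on its host because the pulse truncates the path, and a VPN login from a FortiBleed IP that succeeded is escalated above one that failed.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators quoted in the report. The Okendo delivery URL is truncated in the
# pulse, so it is matched on the host only.
IOC_DOMAINS = {"trademark.iglesiaelarca.com", "comples.biz", "api.wiggettiks.com"}
IOC_IPS = {
    "85.11.187.8", "175.155.64.221", "185.229.26.83", "198.53.64.194",
    "213.169.49.142", "38.117.87.37", "85.11.187.28",
}
# Constructed stand-in for a SHA256 from the infostealer pulse (not a real sample).
SAMPLE_SHA256 = hashlib.sha256(b"constructed-sample-not-real-malware").hexdigest()
IOC_SHA256 = {SAMPLE_SHA256}

SOC_ACTION = {
    "domain": "block DNS resolution; review historical HTTP logs",
    "ip": "block at perimeter; review VPN logs for successful authentication",
    "hash": "EDR scan and quarantine",
}

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Constructed log format for this example: '<source> key=value key=value ...'."""
    source, _, rest = line.partition(" ")
    return source, dict(KV.findall(rest))


def match_host(host):
    """Exact or subdomain match against IOC_DOMAINS, case-insensitive, trailing dot tolerated."""
    host = host.lower().rstrip(".")
    return next((d for d in IOC_DOMAINS if host == d or host.endswith("." + d)), None)


def check(line):
    """Return a hit dict for one log line, or None if it carries no IOC."""
    source, f = parse(line)
    if source == "dns" and (d := match_host(f.get("query", ""))):
        return {"source": source, "type": "domain", "ioc": d}
    if source == "proxy":
        host = urlsplit(f.get("url", "")).hostname or ""
        if d := match_host(host):
            return {"source": source, "type": "domain", "ioc": d}
    if source == "vpn" and f.get("srcip") in IOC_IPS:
        hit = {"source": source, "type": "ip", "ioc": f["srcip"]}
        # A successful login from attacker infrastructure is an incident, not just an alert.
        hit["severity"] = "critical" if f.get("status") == "success" else "high"
        return hit
    if source == "edr" and f.get("sha256", "").lower() in IOC_SHA256:
        return {"source": source, "type": "hash", "ioc": f["sha256"]}
    return None


def sweep(lines):
    """Run check() over every line and attach the SOC action for each hit."""
    hits = []
    for line in lines:
        hit = check(line)
        if hit:
            hit["action"] = SOC_ACTION[hit["type"]]
            hits.append(hit)
    return hits


# Constructed sample events covering each IOC class plus benign noise.
SAMPLE_LOGS = [
    "dns client=10.0.0.5 query=trademark.iglesiaelarca.com",
    "dns client=10.0.0.6 query=www.example.com",
    "proxy user=alice url=https://api.wiggettiks.com/v2/loader.js status=200",
    "proxy user=alice url=https://cdn.example.com/reviews.js status=200",
    "vpn srcip=198.53.64.194 user=bob action=login status=success",
    "vpn srcip=85.11.187.28 user=dave action=login status=failure",
    f"edr host=WS-12 sha256={SAMPLE_SHA256} path=C:\\Tools\\keygen.exe",
]

if __name__ == "__main__":
    for h in sweep(SAMPLE_LOGS):
        print(h)
```

Feed the same indicator sets into your SIEM watchlists rather than hard-coding them; the point of the sweep is the normalization (lower-casing, subdomain matching, host extraction from URLs) that a raw string search would miss.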
Tooling: IOCs can be operationalized via MISP, Splunk, CrowdStrike Falcon, or Microsoft Sentinel. The domains and URLs should be fed into SWG/DNS filtering solutions.
Detection Engineering
Sigma Rules
title: Potential SocGholish Fake Browser Update Activity
id: 5e0f8c1e-3a4b-4c5d-9e6f-1a2b3c4d5e6f
description: Detects potential execution of malicious JScript files often used by SocGholish fake browser update campaigns, initiated by browser processes.
status: experimental
date: 2026/06/23
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/operation-endgame-vs-socgholish/
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
    selection_child:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    selection_cli:
        CommandLine|contains:
            - '.js'
            - 'jscript'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative scripts launched from browser downloads
level: high
---
title: Okendo Supply Chain Malicious JS Connection
id: 9f1g2h3i-4j5k-6l7m-8n9o-0p1q2r3s4t5u
description: Detects network connections to known malicious domains associated with the Okendo Reviews supply chain compromise (SmartApeSG).
status: experimental
date: 2026/06/23
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/okendo-reviews-supply-chain-attack/
tags:
    - attack.supply_chain
    - attack.t1195
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'wigettiks.com'
            - 'wizzleticks.com'
    condition: selection
falsepositives:
    - Unknown (Domain is malicious)
level: critical
---
title: FortiBleed Attacker IP Connection Attempt
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects inbound or outbound connections to known IP addresses associated with the FortiBleed credential harvesting campaign.
status: experimental
date: 2026/06/23
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/fortibleed-open-directory/
tags:
    - attack.credential_access
    - attack.t1110
logsource:
    category: network_connection
    product: windows
detection:
    selection_ips:
        # A list of values is already an OR in Sigma; no modifier is needed
        DestinationIp:
            - '85.11.187.8'
            - '175.155.64.221'
            - '185.229.26.83'
            - '198.53.64.194'
            - '213.169.49.142'
            - '38.117.87.37'
            - '85.11.187.28'
    condition: selection_ips
falsepositives:
    - Legitimate traffic to these IPs if re-allocated (unlikely given specific threat intel)
level: high
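To see how the first rule's three selections combine, here is an added Python evaluator (not part of the report, and not the Sigma toolchain) that implements the endswith/contains modifiers and the all-of/1-of quantifiers over constructed process-creation events. The RULE dict and the events are assumptions written for the example; the field names mirror the process_creation fields the rule uses. The second event shows why the parent and child selections alone are not enough: a browser spawning mshta without a script argument matches two of the three selections and does not fire.

```python
import fnmatch
import re

# The SocGholish rule's detection block, transcribed into a dict for the example.
RULE = {
    "selection_parent": {"ParentImage|endswith": [r"\chrome.exe", r"\firefox.exe",
                                                   r"\msedge.exe", r"\opera.exe"]},
    "selection_child": {"Image|endswith": [r"\wscript.exe", r"\cscript.exe", r"\mshta.exe"]},
    "selection_cli": {"CommandLine|contains": [".js", "jscript"]},
    "condition": "all of selection_*",
}


def field_matches(value, modifier, patterns):
    """Sigma string matching is case-insensitive; a list of values is an OR."""
    v = (value or "").lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier is None and v == p:
            return True
    return False


def selection_matches(event, selection):
    """Every field inside one selection must match (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field), modifier or None, patterns):
            return False
    return True


def evaluate(rule, event):
    """Evaluate the rule's condition for one event. Supports a bare selection name,
    'all of X*', '1 of X*' and 'them'; anything else is rejected."""
    selections = {k: v for k, v in rule.items() if k != "condition"}
    cond = rule["condition"].strip()
    m = re.fullmatch(r"(all|1) of (\S+)", cond)
    if m is None:
        if cond not in selections:
            raise ValueError(f"unsupported condition: {cond!r}")
        return selection_matches(event, selections[cond])
    quant, pattern = m.groups()
    names = list(selections) if pattern == "them" else fnmatch.filter(selections, pattern)
    if not names:
        # A pattern that matches no selection must fail loudly: all([]) is True,
        # which would turn a typo into a rule that fires on every event.
        raise ValueError(f"condition matches no selection: {cond!r}")
    results = [selection_matches(event, selections[n]) for n in names]
    return all(results) if quant == "all" else any(results)


# Constructed process-creation events (not real telemetry).
EVENTS = [
    # Browser spawns wscript on a downloaded .js: all three selections match.
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\Update.js"'},
    # Browser spawns mshta on an .hta: parent and child match, command line does not.
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\u\Downloads\page.hta"},
    # Admin runs a logon script from Explorer: parent is not a browser.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe logon.js"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(evaluate(RULE, e), e["CommandLine"])
```

Switching the condition to 1 of selection_* makes the second event fire as well, which is the trade-off the falsepositives field is warning about: the narrower all-of form keeps administrative script use out of the alert queue at the cost of missing a loader launched without a .js argument.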
KQL (Microsoft Sentinel)
// Hunt for Okendo Malicious Domains and FortiBleed IPs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| extend Domain = tostring(RemoteUrl)
| where Domain has "wigettiks.com"
or Domain has "wizzleticks.com"
or RemoteIP in ("85.11.187.8", "175.155.64.221", "185.229.26.83", "198.53.64.194", "213.169.49.142", "38.117.87.37", "85.11.187.28")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
PowerShell (IOC Hunt)
# Hunt for SocGholish/Infostealer Registry Persistence and Suspicious Connections
# Define FortiBleed IPs
$MaliciousIPs = @("85.11.187.8","175.155.64.221","185.229.26.83","198.53.64.194","213.169.49.142","38.117.87.37","85.11.187.28")
# Check Active Network Connections
Write-Host "Checking for active connections to known malicious IPs..."
Get-NetTCPConnection -State Established |
    Where-Object { $MaliciousIPs -contains $_.RemoteAddress } |
    Select-Object LocalAddress, RemoteAddress, State, OwningProcess,
        @{ Name = 'ProcessName'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
# Check for suspicious Run Keys (Common with SocGholish/JS loaders)
Write-Host "Checking Run Keys for suspicious wscript/cscript execution..."
# Registry paths use single backslashes; PowerShell does not backslash-escape strings
$RunPaths = @("HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
              "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run")
foreach ($Path in $RunPaths) {
    if (Test-Path $Path) {
        # Inspect each value's data, skipping the PS* metadata properties Get-ItemProperty adds
        (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'wscript|cscript|mshta|\.js\b' } |
            ForEach-Object { [PSCustomObject]@{ Key = $Path; ValueName = $_.Name; Command = $_.Value } } |
            Format-List
    }
}
Response Priorities
Immediate (0-24h)
- Block IOCs: Immediately block all listed hostnames, domains, and IP ranges on perimeter firewalls, proxies, and endpoints.
- Supply Chain Audit: If using Okendo Reviews, audit the specific JS versions loaded and search logs for connections to api.wiggletiks.com or api.wizzleticks.com. Remove or update compromised widgets.
- Fortinet Audit: Review FortiGate SSL VPN logs for any successful authentication attempts originating from the FortiBleed IP list.
24h
- Credential Reset: If infostealers (LummaC2, ACRStealer) or credential theft (FortiBleed) are suspected, force a password reset for privileged accounts and implement MFA challenge.
- Endpoint Sweep: Scan endpoints for the file hashes provided in the "May 2026 Infostealer Trend Report" pulse.
1 Week
- Architecture Hardening: Reduce reliance on third-party JavaScript widgets where possible. Implement Subresource Integrity (SRI) checks.
- Perimeter Hygiene: Ensure all internet-facing FortiGate devices are patched and enforce strict anti-brute-force policies (ban after X failures).
- WordPress Hygiene: Continue remediation of any remaining compromised WordPress sites that may be remnants of the TA569 infrastructure.
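Subresource Integrity pins a third-party script to a hash, so a widget that is changed after the fact (the pattern in the Okendo compromise above) fails to load instead of executing. The Python below is an added example, not code from the report or from Okendo: it computes the integrity value browsers expect, emits the script tag, and verifies a fetched copy against the pin in constant time. The widget bytes are constructed for the example.

```python
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity value browsers expect: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI supports only sha256, sha384 and sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag; crossorigin is required for SRI on a cross-origin script."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def verify(content: bytes, integrity: str) -> bool:
    """Check a fetched copy against a pinned integrity attribute.
    Like a browser, accept several space-separated tokens and ignore unknown
    algorithms; any one matching token is a pass."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        try:
            expected = sri_hash(content, algo)
        except ValueError:
            continue
        if hmac.compare_digest(expected, token):
            return True
    return False


# Constructed widget content; a real pin is taken from the vendor's release you reviewed.
WIDGET_V1 = b"window.okendoReviews = function () { /* render reviews */ };\n"
WIDGET_CHANGED = WIDGET_V1 + b"/* bytes appended after the pin was taken */\n"
PINNED = sri_hash(WIDGET_V1)

if __name__ == "__main__":
    print(script_tag("https://cdn.example.test/reviews-widget.js", WIDGET_V1))
    print("unchanged copy verifies:", verify(WIDGET_V1, PINNED))
    print("changed copy verifies:  ", verify(WIDGET_CHANGED, PINNED))
```

Two caveats a practitioner should keep in mind. SRI protects only the resource it is placed on: a widget that fetches further stages itself, as the staged loader described above does, needs every fetched resource pinned, or the bundle self-hosted and version-locked. And a pin must be updated when the vendor legitimately ships a new version, so pair it with a change-review step rather than letting the page silently break or silently accept whatever the CDN now serves.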