Threat Summary
Recent OTX pulses highlight a complex and evolving threat landscape involving three distinct but significant campaigns. Law enforcement's "Operation Endgame" has successfully disrupted the GOLD PRELUDE (TA569) infrastructure responsible for the SocGholish malware framework, taking down over 100 servers. However, the tactic of fake browser updates remains a potent threat vector. Concurrently, INC Ransomware has evolved into a top-tier RaaS operation, filling the void left by LockBit and BlackCat by utilizing Rust-based encryptors for cross-platform attacks (Windows and Linux/ESXi). Separately, the SmartApeSG group has launched a supply chain attack targeting the Okendo Reviews widget, injecting malicious JavaScript to deliver RATs like NetSupport and Remcos. Collectively, these events underscore the persistence of web-based initial access vectors and the increasing sophistication of ransomware payloads.
Threat Actor / Malware Profile
GOLD PRELUDE (SocGholish)
- Distribution Method: Compromised WordPress websites serving fake browser update prompts (e.g., Chrome/Firefox updates).
- Payload Behavior: The initial JScript payload acts as a loader for various secondary payloads including IcedID, QakBot, Pikabot, and Smokeloader.
- C2 Communication: Uses HTTP/HTTPS to compromised legitimate domains to blend in with traffic.
- Persistence: Established via scheduled tasks or registry run keys set by the loader payloads.
- Anti-Analysis: Uses obfuscated JScript and heavy traffic redirection through Traffic Distribution Systems (TDS).
INC Ransomware
- Distribution Method: Exploitation of critical vulnerabilities (e.g., CVE-2023-3519, CVE-2025-5777) and initial access brokers.
- Payload Behavior: Rust-based encryptors targeting both Windows file systems and Linux ESXi hypervisors. Utilizes Cobalt Strike for lateral movement.
- C2 Communication: Communicates over .onion (Tor) domains for anonymity and negotiation sites.
- Persistence: Uses WMI event subscriptions and service creation.
- Anti-Analysis: Rust programming language increases complexity and hinders reverse engineering; employs double-extortion tactics.
SmartApeSG (Okendo Supply Chain)
- Distribution Method: Supply chain compromise via the Okendo Reviews widget, injecting malicious JS into high-traffic e-commerce sites.
- Payload Behavior: The injected JS acts as a staged loader, using obfuscation and localStorage to drop payloads for NetSupport, Remcos, and StealC.
- C2 Communication: Connects to malicious command and control domains (api.wigetticks.com, api.wizzleticks.com), often using HTTPS to appear legitimate.
- Persistence: Browser-based persistence via injected scripts; malware establishes system-level persistence via standard mechanisms.
- Anti-Analysis: Heavy JavaScript obfuscation and dynamic loading to evade static signature detection.
IOC Analysis
The provided indicators span multiple categories requiring varied response actions:
- Hostnames (SocGholish): A list of compromised WordPress domains. These should be blocked at the DNS and Proxy level.
- CVEs (INC Ransomware): Specific vulnerabilities (CVE-2023-3519, CVE-2023-48788, CVE-2024-57727, CVE-2025-5777) used for initial access. Prioritize patching for these specific IDs.
- Domains/Onion (INC Ransomware): Tor negotiation and clearweb blog domains. Block .onion resolution and the clearweb domains.
- FileHash-SHA256 (INC Ransomware): 6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141. Use EDR to hunt for this specific hash.
- URLs (Okendo Attack): Malicious endpoints (api.wigetticks.com, api.wizzleticks.com). Block outbound connections to these specific API paths.
SOC Operationalization:
- DNS/Gateway: Block all listed hostnames and domains.
- Vulnerability Management: Flag assets vulnerable to the listed CVEs.
- EDR: Scan endpoints for the specific SHA256 hash and behavioral indicators of fake update scripts.
- Web Logs: Search proxy logs for connections to the Okendo malicious URLs.
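As an added example (not part of the original report), the matcher below applies the report's indicators to log lines with the matching semantics each IOC type needs: exact match for the compromised SocGholish hostnames, apex-or-subdomain match for the SmartApeSG C2 domains (so api.wigetticks.com hits but a look-alike such as notwigetticks.com does not), and case-normalised exact match for the INC SHA256. The `<ts> <src_ip> <kind> <value>` log format and the sample lines are constructed for this example; adapt the parser to your gateway's export.

```python
"""IOC matcher over constructed proxy/DNS/EDR log lines (added example)."""
from urllib.parse import urlsplit

# Compromised WordPress hostnames from the SocGholish pulse (exact-match IOCs)
SOCGHOLISH_HOSTS = {
    "trademark.iglesiaelarca.com", "content.garretttrails.org",
    "promo.summat10n.org", "billing.roofnrack.us", "devel.asurans.com",
    "storehouse.beautysupplysalonllc.com", "samples.addisgraphix.com",
    "api-app.uppercrafteroom.com",
}
# SmartApeSG C2 apex domains: match the apex and any subdomain
SMARTAPESG_DOMAINS = {"wigetticks.com", "wizzleticks.com"}
# INC Ransomware sample hash from the report
INC_SHA256 = "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141"


def host_of(value):
    """Lowercase hostname from a bare host or a URL; None if nothing usable."""
    value = value.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.rstrip(".") or None


def domain_matches(host, apex_set):
    """True if host is an apex in apex_set or a subdomain of one.

    Suffix matching on a '.' boundary avoids substring false positives
    such as 'notwigetticks.com'.
    """
    return any(host == apex or host.endswith("." + apex) for apex in apex_set)


def classify_host(host):
    """Map a hostname to the campaign it belongs to, or None."""
    if host in SOCGHOLISH_HOSTS:
        return "socgholish"
    if domain_matches(host, SMARTAPESG_DOMAINS):
        return "smartapesg_c2"
    return None


# Constructed sample log: "<ts> <src_ip> <kind> <value>", kind is dns|url|hash
SAMPLE_LOG = """\
2026-06-19T10:01:02Z 10.0.1.15 dns trademark.iglesiaelarca.com
2026-06-19T10:01:05Z 10.0.1.15 url https://api.wigetticks.com/v1/reviews
2026-06-19T10:02:11Z 10.0.1.22 url https://www.example.com/
2026-06-19T10:03:40Z 10.0.1.22 dns notwigetticks.com
2026-06-19T10:05:00Z 10.0.1.31 hash 6CD349EDA0FA6C8B274A0920852C68F8B727AFEA1FDBC69AD183CEF05D9CF141
"""


def scan_log(text):
    """Return a list of (timestamp, src_ip, category, indicator) hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # blank or malformed line
        ts, src, kind, value = parts
        if kind == "hash":
            if value.strip().lower() == INC_SHA256:
                hits.append((ts, src, "inc_ransomware_hash", INC_SHA256))
            continue
        host = host_of(value)
        category = classify_host(host) if host else None
        if category:
            hits.append((ts, src, category, host))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The hash line is deliberately upper-case in the sample to show that hash IOCs must be normalised before comparison; EDR exports differ in case.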
Detection Engineering
Sigma Rules
---
title: Potential SocGholish Fake Browser Update Execution
id: 8b6e36e7-6c7f-4a6b-9e5f-3c8b1a2d3e4f
description: Detects execution of JScript files often associated with fake browser update campaigns dropped by SocGholish.
status: experimental
date: 2026/06/19
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/operation-endgame-vs-socgholish/
tags:
  - attack.initial_access
  - attack.t1189
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
    CommandLine|contains:
      - '.js'
      - 'jscript'
  selection_keywords:
    CommandLine|contains:
      - 'update'
      - 'chrome'
      - 'firefox'
      - 'browser'
  condition: selection and selection_keywords
falsepositives:
  - Legitimate software updates running via scripts (rare)
level: high
---
title: INC Ransomware Related CVE Exploitation Attempt
date: 2026/06/19
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects potential exploitation attempts of vulnerabilities associated with INC Ransomware activity.
status: experimental
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/inc-ransomware-evolution/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: web
  product: proxy
detection:
  selection_cve_1:
    c-uri|contains:
      - '/cgi-mod/index.py'
      - '/oauth/idp/.well-known/openid-configuration' # Generic patterns often associated with Citrix/ADCS vulns
  selection_cve_2:
    cs-uri-query|contains:
      - 'exploit'
      - 'shell'
  selection_status:
    # The attempt is of interest whether the request succeeded (200) or missed (404)
    sc-status:
      - 200
      - 404
  condition: (selection_cve_1 or selection_cve_2) and selection_status
falsepositives:
  - Vulnerability scanners
level: medium
---
title: Okendo Supply Chain Malicious Connection
date: 2026/06/19
id: f1e2d3c4-b5a6-7890-cdef-1234567890ab
description: Detects outbound connections to known malicious domains used in the Okendo Reviews supply chain attack.
status: experimental
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/okendo-reviews-supply-chain-attack/
tags:
  - attack.initial_access
  - attack.t1195
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'wigetticks.com'
      - 'wizzleticks.com'
  condition: selection
falsepositives:
  - Unknown
level: critical
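To show how the first rule's condition actually evaluates, the following added example (not from the original report) implements the two Sigma modifiers the SocGholish rule uses, `|endswith` and `|contains`, with Sigma's default case-insensitive string matching, and runs the rule over three constructed process_creation events. The rule dictionary mirrors the YAML above; the events are constructed, and the evaluator is deliberately limited to the modifiers this rule needs.

```python
"""Minimal evaluator for the SocGholish fake-update Sigma rule (added example)."""

# Mirrors the detection section of the rule above
RULE = {
    "selection": {
        "Image|endswith": ["\\wscript.exe", "\\cscript.exe"],
        "CommandLine|contains": [".js", "jscript"],
    },
    "selection_keywords": {
        "CommandLine|contains": ["update", "chrome", "firefox", "browser"],
    },
}


def _field_matches(event, spec, values):
    """One 'Field|modifier' entry: any value in the list may match (OR)."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()  # Sigma matching is case-insensitive
    for v in values:
        v = v.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False


def selection_matches(event, selection):
    """All field entries inside a selection must match (AND)."""
    return all(_field_matches(event, spec, vals) for spec, vals in selection.items())


def rule_matches(event):
    """condition: selection and selection_keywords"""
    return (selection_matches(event, RULE["selection"])
            and selection_matches(event, RULE["selection_keywords"]))


# Constructed events: a fake-update lure, a benign admin script, an unrelated process
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\Chrome.Update.js"'},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\IT\inventory.js"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File update.ps1"},
]


def hits(events):
    """Indexes of the events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    print(hits(SAMPLE_EVENTS))
```

Only the first event fires: the second satisfies `selection` (cscript.exe with a .js argument) but none of the lure keywords, and the third fails the `Image` check. Note that `'.js'` under `|contains` also matches `.json` or `.jse` arguments, so the keyword selection is what keeps this rule from alerting on ordinary script host usage.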
KQL (Microsoft Sentinel)
// Hunt for connections to compromised SocGholish hostnames
DeviceNetworkEvents
| where RemoteUrl in~ ("trademark.iglesiaelarca.com", "content.garretttrails.org", "promo.summat10n.org", "billing.roofnrack.us", "devel.asurans.com", "storehouse.beautysupplysalonllc.com", "samples.addisgraphix.com", "api-app.uppercrafteroom.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
;
// Hunt for connections to SmartApeSG C2 domains
DeviceNetworkEvents
| where RemoteUrl has_any ("wigetticks.com", "wizzleticks.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemotePort
;
// Hunt for INC Ransomware related file hash
DeviceFileEvents
| where SHA256 == "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
PowerShell Hunt Script
<#
.SYNOPSIS
IOC Hunt for SocGholish, INC Ransomware, and Okendo Supply Chain Indicators.
#>
# IOC Lists
$SocGholishHosts = @("trademark.iglesiaelarca.com", "content.garretttrails.org", "promo.summat10n.org", "billing.roofnrack.us", "devel.asurans.com", "storehouse.beautysupplysalonllc.com", "samples.addisgraphix.com", "api-app.uppercrafteroom.com")
$MaliciousHash = "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141"
$MaliciousDomains = @("wigetticks.com", "wizzleticks.com")
# Suffix pattern so subdomains such as api.wigetticks.com match the apex domains above
$DomainPattern = '(^|\.)(' + (($MaliciousDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

Write-Host "[+] Hunting for INC Ransomware File Hash..." -ForegroundColor Cyan
# -File skips directories; a full-disk hash is slow, so narrow -Path when triaging at scale
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Where-Object { $_.Length -gt 0 } | ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($hash -eq $MaliciousHash) {
        Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
    }
}

Write-Host "[+] Checking DNS Cache for Malicious Domains..." -ForegroundColor Cyan
# Exact match for the SocGholish hostnames, suffix match for the SmartApeSG domains
$dnsCache = Get-DnsClientCache | Where-Object { ($SocGholishHosts -contains $_.Entry) -or ($_.Entry -match $DomainPattern) }
if ($dnsCache) {
    Write-Host "[!] Suspicious DNS Cache Entries found:" -ForegroundColor Red
    $dnsCache | Format-Table Entry, Data, Type
}

Write-Host "[+] Checking Browser History for Okendo Malicious URLs..." -ForegroundColor Cyan
# Note: Accessing browser history usually requires parsing specific database files (SQLite). This is a placeholder for path checks.
$UserProfiles = Get-ChildItem "C:\Users" -Directory
foreach ($profile in $UserProfiles) {
    $chromePath = Join-Path $profile.FullName "AppData\Local\Google\Chrome\User Data\Default\History"
    if (Test-Path $chromePath) {
        Write-Host "[INFO] Chrome History found for $($profile.Name). Manual forensic review required for 'wigetticks.com' or 'wizzleticks.com'." -ForegroundColor Yellow
    }
}
Response Priorities
- Immediate:
  - Block all IOCs (hostnames, domains, URLs) at the network perimeter (firewall, proxy, DNS sinkhole).
  - Isolate any endpoints returning hits for the INC Ransomware SHA256 hash.
  - Inspect web proxy logs for successful connections to api.wigetticks.com or api.wizzleticks.com to identify victims of the Okendo attack.
- 24h:
  - Identify users on devices that may have interacted with the SocGholish fake updates or the Okendo malicious scripts and reset their credentials (credential theft risk from StealC and other infostealers).
  - Scan the WordPress environment (if applicable) for the SocGholish compromise patterns to prevent internal hosting of malicious payloads.
- 1 Week:
  - Patch systems against the specific CVEs associated with INC Ransomware (CVE-2023-3519, CVE-2025-5777).
  - Audit all third-party JavaScript libraries and widgets (supply chain) for integrity, specifically focusing on e-commerce platforms.
  - Update endpoint detection rules to include behavioral signatures for "Fake Browser Update" prompts.
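The third-party script audit in the 1 Week list can be made concrete with Subresource Integrity (SRI). A script tag without an `integrity` attribute executes whatever the third-party host serves, which is exactly how a compromised widget reaches every site embedding it; a tag whose `integrity` hash no longer matches the served content makes the browser refuse to run it. The auditor below is an added example, not from the original report: it parses a page for external script tags, fetches each body and reports one of four verdicts. The HTML, the script bodies and the `*.example-cdn.invalid` URLs are constructed placeholders; swap the `fetch` callable for a real HTTP client to audit a live page.

```python
"""Subresource Integrity audit for third-party script tags (added example)."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_sha384(body):
    """SRI token for a script body: 'sha384-' + base64(SHA-384(body))."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class ScriptTagCollector(HTMLParser):
    """Collect external <script src=...> tags with their integrity attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity"),
                                 "crossorigin": a.get("crossorigin")})


def audit_scripts(html, fetch):
    """Return [(src, verdict)] for every external script on the page.

    verdicts: ok, missing_integrity, integrity_mismatch, unreachable
    fetch(url) returns the script body as bytes, or None if it cannot be fetched.
    """
    collector = ScriptTagCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if not s["integrity"]:
            findings.append((s["src"], "missing_integrity"))
            continue
        body = fetch(s["src"])
        if body is None:
            findings.append((s["src"], "unreachable"))
            continue
        # An integrity attribute may carry several space-separated tokens; any match is accepted
        accepted = s["integrity"].split()
        findings.append((s["src"], "ok" if sri_sha384(body) in accepted else "integrity_mismatch"))
    return findings


# Constructed script bodies as the (hypothetical) CDN currently serves them
LIB_BODY = b"window.lib = {};"
WIDGET_BODY = b"window.reviews = {};"
ANALYTICS_ORIGINAL = b"window.analytics = {};"
ANALYTICS_SERVED = b"window.analytics = {}; /* constructed: altered content */"
SERVED = {
    "https://cdn.example-cdn.invalid/lib.js": LIB_BODY,
    "https://widget.example-cdn.invalid/reviews.js": WIDGET_BODY,
    "https://cdn.example-cdn.invalid/analytics.js": ANALYTICS_SERVED,
}

# Constructed page: pinned library, unpinned widget, pinned-but-altered analytics script
PAGE_HTML = (
    '<html><head>\n'
    '<script src="https://cdn.example-cdn.invalid/lib.js" integrity="' + sri_sha384(LIB_BODY)
    + '" crossorigin="anonymous"></script>\n'
    '<script src="https://widget.example-cdn.invalid/reviews.js"></script>\n'
    '<script src="https://cdn.example-cdn.invalid/analytics.js" integrity="' + sri_sha384(ANALYTICS_ORIGINAL)
    + '" crossorigin="anonymous"></script>\n'
    '<script>/* inline, not audited */</script>\n'
    '</head></html>'
)


if __name__ == "__main__":
    for src, verdict in audit_scripts(PAGE_HTML, SERVED.get):
        print(verdict, src)
```

`missing_integrity` on the reviews widget is the finding that matters for the Okendo case: nothing on the embedding site would stop altered widget code from running. SRI can only pin scripts whose content is static; a widget that is regenerated per request cannot be pinned and needs a CSP `script-src` allowlist plus change monitoring of the fetched body instead. Cross-origin scripts with `integrity` also need `crossorigin="anonymous"`, otherwise the browser cannot verify the opaque response and blocks the script.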