
Operation Endgame Aftermath: SocGholish, NPM Shai-Hulud Worm, and ClickFix Fileless Attacks

Security Arsenal Team
June 20, 2026

Recent OTX Pulse data indicates a volatile threat landscape: while major infrastructure such as TA569's SocGholish is being dismantled through Operation Endgame, threat actors are rapidly pivoting to software supply chain attacks (npm) and evolving social engineering campaigns (ClickFix). Enterprises face a multi-front threat: Traffic Distribution Systems (TDS) delivering ransomware loaders, wormable npm packages stealing cryptocurrency and credentials, and fileless PowerShell attacks deploying stealers such as Vidar and DeerStealer.

Threat Summary

The intelligence highlights three distinct but overlapping campaigns:

  1. Operation Endgame Impact (SocGholish): Law enforcement has disrupted GOLD PRELUDE (TA569), dismantling over 100 servers used for SocGholish (Fake Browser Updates). While a victory, residual infrastructure and copycat TDS operations remain active.
  2. Supply Chain Compromise (Shai-Hulud): A copycat of the Shai-Hulud worm has infected the npm ecosystem. Malicious packages like chalk-tempalte and axios-util are being used to deploy infostealers and DDoS botnet capabilities, targeting developers and build pipelines.
  3. ClickFix Evolution: The "ClickFix" campaign has moved from simple batch scripts to server-side polymorphism and fileless execution. Fake CAPTCHA pages now trick users into running heavily obfuscated PowerShell commands to deploy DeerStealer and Vidar.

Objective: Initial access via web compromise or supply chain injection → Credential Theft/Crypto Mining → Lateral Movement/Ransomware deployment.

Threat Actor / Malware Profile

GOLD PRELUDE (TA569) / SocGholish

  • Distribution: Compromised WordPress sites carrying JavaScript web injects (TDS) that present "Fake Browser Update" prompts.
  • Payload: Delivers GhoLoader, which subsequently drops FrigidStealer or ransomware (LockBit, WastedLocker).
  • Behavior: SocGholish acts as the initial downloader. It establishes persistence and communicates with C2 to receive subsequent payloads.

Shai-Hulud Copycat (NPM)

  • Distribution: Typosquatting on npm registry (e.g., chalk-tempalte vs chalk-template).
  • Payload: Infostealer and DDoS botnet code.
  • Behavior: Upon installation via npm install, the package executes scripts to harvest environment variables, SSH keys, and cryptocurrency wallets.

ClickFix (DeerStealer / Vidar)

  • Distribution: SEO poisoning and malicious sites hosting fake CAPTCHA pages.
  • Behavior: Triggers a PowerShell command via mshta or direct copy-paste. Uses XOR encryption and Base64 encoding to hide C2 URLs and payloads in memory (fileless).
  • Malware: Vidar and DeerStealer are information stealers targeting browser cookies, credentials, and 2FA sessions.
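The XOR-plus-Base64 layering described above is simple to reverse once the single-byte key is known, and cheap to brute-force when it is not. The following Python script is an added example written for this article, not code from the campaign or from Security Arsenal. It builds a constructed sample blob (with a placeholder URL, not a real indicator), decodes it with a known key, and otherwise tries all 256 single-byte keys, ranking candidates by how printable the result is and whether it contains a URL:

```python
import base64
import re
from typing import List, Optional, Tuple

# URLs embedded in decoded bytes; the trailing class stops at quotes and whitespace.
URL_RE = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9.\-_]+(?::\d+)?(?:/[^\s'\"<>)]*)?")

# Constructed sample (not a real IOC): a configuration string XORed with a
# single-byte key and Base64-encoded, mimicking the in-memory C2 configuration
# that ClickFix PowerShell stages carry.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"$c2='http://c2-placeholder.example.invalid/gate.php';$id=4711"
SAMPLE_BLOB = base64.b64encode(bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAIN)).decode()


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the scheme the campaign description names)."""
    return bytes(b ^ (key & 0xFF) for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace; 0.0 for empty input."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def extract_urls(data: bytes) -> List[str]:
    """Return every URL found in decoded bytes, as text."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(data)]


def decode_layer(blob_b64: str, key: int) -> bytes:
    """Peel one Base64-then-XOR layer with a known key."""
    return xor_bytes(base64.b64decode(blob_b64), key)


def recover_key(blob_b64: str) -> Tuple[Optional[int], bytes, List[str]]:
    """Try all 256 single-byte keys and keep the most printable result that contains a URL.

    Returns (key, decoded_bytes, urls); key is None when no candidate contained a URL.
    """
    raw = base64.b64decode(blob_b64)
    best: Tuple[Optional[int], bytes, List[str]] = (None, b"", [])
    best_score = 0.0
    for key in range(256):
        candidate = xor_bytes(raw, key)
        urls = extract_urls(candidate)
        if not urls:
            continue  # wrong keys almost never yield 'http://' or 'ftp://'
        score = printable_ratio(candidate)
        if score > best_score:
            best, best_score = (key, candidate, urls), score
    return best


if __name__ == "__main__":
    key, text, urls = recover_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x} urls={urls}")
    print(text.decode("latin-1"))
```

Real ClickFix stages may use a multi-byte key, UTF-16 strings or an extra compression layer; in that case the same decode step is repeated per layer. The scoring step is what keeps the brute force honest: most wrong keys produce unprintable bytes and none of them produce a URL, so a single surviving candidate is strong evidence that the key is right.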

IOC Analysis

Indicator Types:

  • Hostnames/Domains: Predominantly C2 infrastructure and payload delivery servers (e.g., platform.exathomeswebuyarizona.com, 87e0bbc636999b.lhr.life).
  • Software Identifiers: Malicious npm package names (chalk-tempalte, axios-utils).

Operational Guidance:

  1. Network Blocking: Immediately block the listed domains and hostnames at the perimeter and proxy level.
  2. Package Governance: Block the specific npm package versions/names in internal registries or build pipelines.
  3. Decoding Tools: Use CyberChef or static analysis tools (such as JStub) to deobfuscate the PowerShell scripts found in ClickFix attacks and extract the hidden C2 IPs.
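To make the package-governance step concrete, here is an added Python example (not a tool from this page or from Security Arsenal) that audits a package-lock.json for the malicious names listed above and for near-miss spellings of packages on an allow-list. The lockfile, the allow-list of legitimate package names and the edit-distance thresholds are all constructed for illustration:

```python
import json
from typing import Dict, List

# Package names this article lists for the Shai-Hulud copycat campaign.
KNOWN_MALICIOUS = {
    "chalk-tempalte",
    "@deadcode09284814/axios-util",
    "axois-utils",
    "color-style-utils",
}

# Hypothetical allow-list of legitimate packages that typosquats imitate;
# an organisation would maintain its own.
TYPOSQUAT_TARGETS = ("axios", "chalk", "chalk-template", "color-string")

# Constructed package-lock.json (lockfileVersion 3 layout): two of the listed
# malicious names, one near-miss of "axios", and legitimate entries.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.6.0"},
    "node_modules/axos": {"version": "0.0.3"},
    "node_modules/chalk-template": {"version": "1.1.0"},
    "node_modules/chalk-tempalte": {"version": "1.1.1"},
    "node_modules/@deadcode09284814/axios-util": {"version": "2.0.0"},
    "node_modules/chalk-template/node_modules/chalk": {"version": "5.3.0"}
  }
}
""")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute; each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_name_from_path(path: str) -> str:
    """Map a lockfile 'packages' key to its package name, keeping any @scope.

    'node_modules/a/node_modules/@s/b' -> '@s/b'
    """
    return path.split("node_modules/")[-1]


def audit_lockfile(lock: dict) -> List[Dict[str, str]]:
    """Flag known-malicious names and close typosquats of allow-listed names."""
    findings: List[Dict[str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = package_name_from_path(path)
        version = meta.get("version", "unknown")
        if name in KNOWN_MALICIOUS:
            findings.append({"name": name, "version": version,
                             "reason": "known-malicious package"})
            continue
        if name in TYPOSQUAT_TARGETS:
            continue  # exact match to an allow-listed name is fine
        for target in TYPOSQUAT_TARGETS:
            # Short names get a tighter threshold to limit false positives
            # (e.g. 'colors' is one edit from 'color').
            limit = 1 if len(target) < 8 else 2
            if levenshtein(name, target) <= limit:
                findings.append({"name": name, "version": version,
                                 "reason": f"possible typosquat of {target}"})
                break
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"[!] {f['name']}@{f['version']}: {f['reason']}")
```

Running it against a real lockfile is a matter of replacing SAMPLE_LOCKFILE with json.load(open("package-lock.json")). The threshold scales with name length because short names such as axios or chalk are one edit away from many legitimate packages; a tighter limit there trades some recall for a usable false-positive rate, and typosquat findings should be reviewed rather than auto-removed, while the known-malicious hits warrant the immediate actions in the response section.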

Detection Engineering

Sigma Rules

YAML
title: Potential ClickFix Fake CAPTCHA PowerShell Execution
id: 4d8e4f2a-1b3c-4e8d-9f1a-2b3c4d5e6f7a
description: Detects suspicious PowerShell execution patterns often associated with ClickFix campaigns, specifically those involving Base64 or XOR obfuscation triggered by user interaction or mshta.
status: experimental
date: 2026/06/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66555b3c8c35e1d4c4a6e7b9
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\mshta.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'   # the Edge browser process is msedge.exe, not edge.exe
        Image|endswith:
            - '\powershell.exe'
        CommandLine|contains:
            - 'FromBase64String'
            - 'Char['
            - 'Xor'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: high
---
title: Malicious NPM Package Installation (Shai-Hulud Copycat)
id: 5f9g5g3b-2c4d-5f9e-0g2b-3c4d5e6f7g8a
description: Detects the installation of known malicious npm packages associated with the Shai-Hulud copycat campaign or typosquatting attacks.
status: experimental
date: 2026/06/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66544a2b7b24e1d3c3b5d6a8
tags:
    - attack.initial_access
    - attack.t1195.001
logsource:
    category: process_creation
    product: windows
    definition: 'Requirements: Sysmon or EDR logging command lines'
detection:
    selection_npm:
        Image|endswith:
            # npm.cmd is a batch wrapper, so the process actually created is cmd.exe
            - '\cmd.exe'
            - '\node.exe'
    selection_cli:
        CommandLine|contains:
            - 'chalk-tempalte'
            - '@deadcode09284814/axios-util'
            - 'axois-utils'
            - 'color-style-utils'
    condition: all of selection_*
falsepositives:
    - Legitimate development (unlikely given specific malicious package names)
level: critical
---
title: SocGholish Fake Browser Update Activity
id: 6a0h6h4c-3d5e-6g0f-1h3c-4d5e6f7g8h9b
description: Detects potential execution of payloads delivered via SocGholish fake browser updates, often characterized by specific DLL loading or JS execution patterns.
status: experimental
date: 2026/06/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66533a1a6a13d1c2c2b4c5a7
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\msiexec.exe'
            - '\rundll32.exe'
    selection_cli:
        CommandLine|contains:
            - '/update'
            - 'chrome_update'
            - 'firefox_update'
    selection_parent:
        ParentImage|endswith:
            - '\iexplore.exe'
            - '\chrome.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate software updates
level: medium
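As a way of checking what the first Sigma rule above will and will not fire on, the following Python snippet is an added example (not part of the rules, and not Sigma tooling) that evaluates the rule's selection map with Sigma's semantics (all fields AND-ed, list values OR-ed, endswith and contains matched case-insensitively) over a few constructed process-creation events. It uses msedge.exe, the actual Edge process name, for the Edge entry:

```python
from typing import Any, Dict, List

# The page's "Potential ClickFix Fake CAPTCHA PowerShell Execution" selection,
# transcribed as a dict keyed by 'Field|modifier'.
CLICKFIX_SELECTION: Dict[str, List[str]] = {
    "ParentImage|endswith": ["\\mshta.exe", "\\chrome.exe", "\\firefox.exe", "\\msedge.exe"],
    "Image|endswith": ["\\powershell.exe"],
    "CommandLine|contains": ["FromBase64String", "Char[", "Xor"],
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed process-creation events (not real telemetry). Events 1 and 3 are
# the browser/mshta-spawned obfuscated launches the rule targets; 2 and 4 are
# ordinary admin activity that shares a keyword but not the suspicious parent.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": 1, "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Image": PS,
     "CommandLine": "powershell.exe -NoP -W Hidden -c \"[Convert]::FromBase64String('SGVsbG8=')\""},
    {"id": 2, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": PS,
     "CommandLine": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
    {"id": 3, "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "Image": PS,
     "CommandLine": "powershell -W Hidden -c \"$b=[byte[]](72,105);$b|%{[char]($_ -bxor 7)}\""},
    {"id": 4, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": PS,
     "CommandLine": "powershell.exe -c \"[Convert]::FromBase64String($cfg)\""},
]


def _field_matches(value: str, modifier: str, patterns: List[str]) -> bool:
    """One field against its pattern list: any pattern may match (OR), case-insensitively."""
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:
            return True
    return False


def selection_matches(selection: Dict[str, List[str]], event: Dict[str, Any]) -> bool:
    """Every 'Field|modifier' entry in a selection map must match (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not _field_matches(str(value), modifier, patterns):
            return False
    return True


def run_rule(selection: Dict[str, List[str]], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events the selection fires on."""
    return [e for e in events if selection_matches(selection, e)]


if __name__ == "__main__":
    for hit in run_rule(CLICKFIX_SELECTION, SAMPLE_EVENTS):
        print(f"[!] event {hit['id']}: {hit['ParentImage']} -> {hit['CommandLine']}")
```

Rules whose condition is `all of selection_*`, such as the npm and SocGholish rules above, are evaluated the same way by AND-ing the result of selection_matches for each selection map. Event 3 also shows the cost of the 'Xor' pattern: a case-insensitive contains hits the -bxor operator that legitimate administrative scripts use too, which is why the rule lists them under falsepositives and why the browser or mshta parent constraint carries most of the rule's precision (event 4 carries the same Base64 keyword but is not matched).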

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix PowerShell obfuscation paired with connections to known infrastructure
let MaliciousDomains = pack_array("platform.exathomeswebuyarizona.com", "87e0bbc636999b.lhr.life", "edcf8b03c84634.lhr.life", "www.fidestrento.com", "kiitec.ac.tz");
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (MaliciousDomains) or RemoteUrl contains ".lhr.life"
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    // DeviceProcessEvents exposes the binary name as FileName, not ProcessName
    | where FileName =~ "powershell.exe"
    // 'has' is term-based and would miss '-bxor'; use contains for the XOR operator
    | where ProcessCommandLine has "FromBase64String" or ProcessCommandLine contains "xor"
    | project DeviceId, ProcessId, ProcessCommandLine
// Tie the connection to the exact PowerShell process, not just the same device
) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, RemoteUrl, RemoteIP

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt for Shai-Hulud copycat artifacts and malicious npm packages.
.DESCRIPTION
    Scans common node_modules directories for the presence of specific malicious package names identified in OTX pulses.
#>

$MaliciousPackages = @(
    "chalk-tempalte",
    "@deadcode09284814/axios-util",
    "axois-utils",
    "color-style-utils"
)

$SearchPaths = @(
    "$env:USERPROFILE\node_modules",
    "$env:APPDATA\npm\node_modules",
    "C:\Program Files\nodejs\node_modules",
    # Add project roots as needed
    "C:\Projects"
)

Write-Host "[+] Starting scan for Shai-Hulud copycat packages..." -ForegroundColor Cyan

foreach ($path in $SearchPaths) {
    if (Test-Path $path) {
        Write-Host "[?] Scanning $path..." -ForegroundColor Yellow
        Get-ChildItem -Path $path -Recurse -Directory -ErrorAction SilentlyContinue | ForEach-Object {
            # Scoped packages are installed as '<root>\@scope\name', so rebuild the
            # '@scope/name' form before comparing with the list above.
            $pkgName = if ($_.Parent.Name -like '@*') { "$($_.Parent.Name)/$($_.Name)" } else { $_.Name }
            if ($pkgName -in $MaliciousPackages) {
                Write-Host "[!] MALICIOUS PACKAGE FOUND: $($_.FullName)" -ForegroundColor Red
                # Optional: Remove-Item -Path $_.FullName -Recurse -Force -WhatIf
            }
        }
    }
}

Write-Host "[+] Scan complete. Check for any RED alerts." -ForegroundColor Green


Response Priorities

Immediate (0-24h)

  • Block IOCs: Implement blocks on all listed domains and hostnames on perimeter firewalls and secure web gateways.
  • Hunt PowerShell: Search endpoint logs for PowerShell processes containing Base64 or XOR strings initiated by browsers.
  • Software Supply Chain: Audit developer workstations and CI/CD pipelines for the presence of the listed malicious npm packages.

Short Term (24-48h)

  • Credential Audit: If DeerStealer or Vidar infection is suspected (ClickFix), force a password reset for privileged accounts used on potentially infected endpoints.
  • Web Isolation: Review web proxy logs for connections to the TDS domains associated with SocGholish.

Medium Term (1 Week)

  • Hardening: Enforce strict allow-listing for npm packages (using .npmrc or private registry).
  • User Awareness: Re-train staff on identifying "Fake Browser Updates" and "Fake CAPTCHA" pages.
  • ASR Rules: Enable the Attack Surface Reduction (ASR) rules "Block Office applications from creating child processes" and "Block JavaScript or VBScript from launching downloaded executable content".
