Recent OTX pulses indicate a convergence of high-impact threat activity ranging from nation-state infrastructure consolidation to sophisticated supply chain compromises and the disruption of major malware operations.
- Middle East Infrastructure Build-up: A significant surge in Command-and-Control (C2) infrastructure has been mapped across the Middle East, with Saudi Arabia (STC) hosting 72.4% of the identified 1,350+ servers. This infrastructure supports a wide array of threat actors, including APT28, Energetic Bear, and GrayCharlie, utilizing malware families such as Cobalt Strike, Sliver, and various IoT botnets (Hajime, Mozi).
- Operation Endgame Disruption: A multinational law enforcement effort has successfully disrupted the SocGholish (Fake Updates) malware framework operated by TA569 (GOLD PRELUDE). While 106 servers were seized, the infrastructure's previous reach allowed for the distribution of IcedID, QakBot, Pikabot, and Rhadamanthys via compromised WordPress sites.
- Supply Chain Compromise: The SmartApeSG threat actor has leveraged a supply chain attack against the Okendo Reviews widget, affecting over 18,000 brands. By injecting malicious JavaScript into the legitimate widget, the actor delivers payloads for NetSupport, Remcos, and Stealc, specifically targeting the retail sector.
Collectively, these pulses highlight a threat landscape where adversaries aggressively leverage legitimate infrastructure (hosting providers, supply chain widgets) to deliver a diverse payload mix aimed at persistence, credential theft, and ransomware deployment.
# Threat Actor / Malware Profile
## SocGholish (TA569 / GOLD PRELUDE)
- Distribution: Fake browser update prompts served from compromised WordPress websites.
- Payload: Initially a JavaScript dropper, leading to loaders like Smokeloader or directly to payloads such as IcedID, Pikabot, and Rhadamanthys.
- Behavior: Establishes persistence via scheduled tasks or registry run keys. Often serves as an initial access broker for ransomware operations (e.g., LockBit) and as a delivery channel for info-stealers such as Rhadamanthys.
- C2 Communication: Uses HTTP/HTTPS for C2, typically over attacker-created subdomains of compromised legitimate domains (as in the hostname IOCs below) so that the traffic blends in with normal web browsing.
## SmartApeSG (Okendo Campaign)
- Distribution: Malicious JavaScript injection into the Okendo Reviews widget (CDN).
- Payload: Delivers Remote Access Trojans (RATs) like NetSupport, Remcos, and SmartRAT, alongside info-stealers (StealC).
- Behavior: The injected JS acts as a staged loader, using obfuscation and `localStorage` to stage the next phase of the attack.
- C2 Communication: Connects to attacker-controlled domains (e.g., `api.wigetticks.com`) to fetch further payloads or exfiltrate data.
## Middle East APT Infrastructure
- Actors: APT28, Energetic Bear, Eagle Werewolf.
- Malware: Cobalt Strike, Sliver, AsyncRAT, SoullessRAT, Mirai, Hajime.
- Behavior: Heavy reliance on C2 infrastructure hosted within regional ISPs (bulletproof hosting tendencies). Focus on IoT botnets and espionage-driven RATs.
- Persistence: Service creation, WMI event subscription, and DLL side-loading.
# IOC Analysis
The provided pulses contain specific indicators that must be operationalized immediately:
- Hostnames (SocGholish): A list of compromised domains serving fake updates (e.g., `trademark.iglesiaelarca.com`). These should be blocked at the DNS and proxy level.
- URLs (SmartApeSG): Specific malicious JavaScript URLs (e.g., `api.wigetticks.com`). These indicate active C2 or payload delivery infrastructure.
- CVE (Middle East): CVE-2025-11953, likely the initial access vector for the regional campaigns. Vulnerability management teams should confirm which product it affects and prioritize patching those assets.
Operationalization:
- EDR/SIEM: Ingest the hostnames and URLs into the threat intelligence platform (TIP) so they are correlated against outbound proxy logs and DNS queries.
- Network: Blocklisted IPs and domains should be pushed to firewalls and secure web gateways (SWG).
- Decoding: The malicious JavaScript in the Okendo attack requires a sandbox or dynamic analysis tool (like ANY.RUN or Joe Sandbox) to deobfuscate the payload destination.
# Detection Engineering

```yaml
title: Potential SocGholish Fake Browser Update Activity
id: 265c0d18-4e9e-4d3e-9f1f-6e1e8e9e8e8e
description: Detects potential execution of fake browser update scripts associated with SocGholish activity, characterized by suspicious JScript execution and process lineage.
status: experimental
date: 2026/06/22
author: Security Arsenal Research
references:
    - https://otx.alienvault.com/pulse/operation-endgame-vs-socgholish-fake-updates/
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_cli:
        CommandLine|contains:
            - 'update'
            - 'install'
            - 'chrome'
            - 'firefox'
            - 'edge'
    selection_parent:
        # The downloaded .js is normally launched by the user from the Downloads
        # folder, so explorer.exe is the most common parent; a browser is the parent
        # only when the file is opened straight from the download bar.
        ParentImage|endswith:
            - '\explorer.exe'
            - '\mshta.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate software updates
level: high
```

```yaml
title: Suspicious Process Execution via Okendo Widget JavaScript
id: 88a7d6b1-2c3e-4a5f-9b6c-7d8e9f0a1b2c
description: Detects child processes spawned by browsers that are characteristic of script-based payloads often delivered via compromised supply chain widgets like the Okendo incident.
status: experimental
date: 2026/06/22
author: Security Arsenal Research
references:
    - https://otx.alienvault.com/pulse/okendo-reviews-supply-chain-attack/
tags:
    - attack.execution
    - attack.t1059.001
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
            - '-encodedcommand'
            - 'Invoke-Expression'
    condition: all of selection_*
falsepositives:
    - Legitimate web application functionality
level: medium
```

```yaml
title: C2 Traffic to Middle East Hosting Providers
id: 33f1a9e2-4d5b-6e7f-8a9b-0c1d2e3f4a5b
description: Detects outbound network connections to known Middle East hosting providers associated with recent C2 infrastructure mapping, specifically STC and regional bulletproof hosting.
status: experimental
date: 2026/06/22
author: Security Arsenal Research
references:
    - https://otx.alienvault.com/pulse/middle-east-malicious-infrastructure-report/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection_known_asns:
        # Anchor on the leading octet rather than a substring match: a
        # `DestinationIp|contains: '185.'` test would also fire on 10.185.x.x.
        # Before deployment replace this with `DestinationIp|cidr:` and the STC /
        # regional prefixes taken from the pulse.
        DestinationIp|startswith:
            - '185.'  # Example STC range, update with full CIDR
            - '94.'   # Example regional range
    selection_ports:
        DestinationPort:
            - 443
            - 80
            - 8443
    selection_process:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\notepad.exe'  # Often used as a host for injected code
            - '\rundll32.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate traffic to Middle East regions
level: medium
```
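The following matcher shows the semantics the IOC Analysis section's hostname and network indicators actually need when they are operationalized, and why the substring form of the third rule's IP check (`contains '185.'`) produces false positives. It is example code added to this page, not from the report's authors or any vendor: the hostname indicators are the ones quoted on this page, while the CIDR prefix and every sample event are constructed placeholders (RFC 5737 documentation addresses), and `evaluate`, `run` and `naive_ip_match` are names chosen for this example.

```python
"""IOC matching with the semantics the indicators above actually need.

Example code added to this page (not from the report's authors or any vendor).
The hostname indicators are the ones quoted in this report; the CIDR prefix and
every sample event are constructed placeholders (RFC 5737 documentation addresses).
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Hostname indicators quoted in this report.
HOSTNAMES = {
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "api.wigetticks.com",
}
# Placeholder prefix: substitute the STC/regional prefixes from the pulse.
CIDRS = [ipaddress.ip_network("192.0.2.0/24")]


def host_matches(host: str) -> str | None:
    """Return the indicator that host equals or is a subdomain of, else None.

    Suffix matching on '.' + indicator means cdn.trademark.iglesiaelarca.com hits,
    while the parent zone iglesiaelarca.com (the compromised but legitimate site)
    and look-alikes such as wigetticks.com.attacker.example do not.
    """
    host = host.lower().rstrip(".")
    for ioc in HOSTNAMES:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def ip_matches(ip: str) -> str | None:
    """Return the CIDR that contains ip, else None (non-IP strings never match)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in CIDRS:
        if addr in net:
            return str(net)
    return None


def naive_ip_match(ip: str) -> bool:
    """The substring test from the third Sigma rule ('contains 185.'), transposed
    to the placeholder prefix. Kept only to make the false positive visible."""
    return "192." in ip


def evaluate(event: dict) -> list[str]:
    """Return the indicator hits for one proxy (url) / DNS (query) / Sysmon (dst_ip) event."""
    hits: list[str] = []
    if event.get("url"):
        raw = event["url"]
        host = urlsplit(raw if "://" in raw else "//" + raw).hostname or ""
        ioc = host_matches(host)
        if ioc:
            hits.append(f"hostname:{ioc}")
    if event.get("query"):
        ioc = host_matches(event["query"])
        if ioc:
            hits.append(f"hostname:{ioc}")
    if event.get("dst_ip"):
        net = ip_matches(event["dst_ip"])
        if net:
            hits.append(f"cidr:{net}")
    return hits


# Constructed sample events: proxy (url), DNS (query) and Sysmon EID 3 (dst_ip).
SAMPLE_EVENTS = [
    {"id": "e1", "url": "https://trademark.iglesiaelarca.com/report?x=1"},
    {"id": "e2", "query": "cdn.trademark.iglesiaelarca.com"},
    {"id": "e3", "query": "iglesiaelarca.com"},
    {"id": "e4", "dst_ip": "192.0.2.77"},
    {"id": "e5", "dst_ip": "10.192.5.1"},
    {"id": "e6", "url": "https://wigetticks.com.attacker.example/x.js"},
]


def run() -> dict[str, list[str]]:
    """Evaluate every sample event, keyed by event id."""
    return {e["id"]: evaluate(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for event_id, hits in run().items():
        print(event_id, hits or "-")
    print("naive '192.' on 10.192.5.1:", naive_ip_match("10.192.5.1"))
```

Event e5 is the case the substring test gets wrong: `naive_ip_match` fires on the internal address 10.192.5.1, while the CIDR test does not. Event e3 is the opposite caveat for hostnames: the compromised site's own apex domain is not an indicator, only the attacker-created subdomain is, so a suffix match must be anchored on the dot.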
```kql
// Hunt for SocGholish related hostnames and domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
// has_any matches the indicator as a phrase inside RemoteUrl, so entries that carry
// a scheme or path (https://trademark.iglesiaelarca.com/...) still hit; in~ would
// require an exact whole-field match and miss them.
| where RemoteUrl has_any (
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "promo.summat10n.org",
    "billing.roofnrack.us",
    "devel.asurans.com",
    "storehouse.beautysupplysalonllc.com",
    "samples.addisgraphix.com",
    "api-app.uppercrafteroom.com"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend FullContext = pack_all()
```
```powershell
<#
.SYNOPSIS
    IOC hunt script for the Okendo supply chain campaign and related C2 infrastructure.
.DESCRIPTION
    Checks the local DNS client cache, established TCP connections and recently
    written browser cache files for the campaign's indicators. Run elevated so that
    Get-NetTCPConnection reports the owning process of every session.
.PARAMETER MaliciousIps
    IP addresses of the C2 hosts, taken from the pulse or resolved once on an analyst
    workstation. Do not resolve the IOC domains on every endpoint: that writes the
    indicator into each host's DNS cache and shows up in DNS telemetry as a false hit.
#>
param(
    [string[]]$MaliciousIps = @()
)

# Attacker-controlled hosts from the SmartApeSG pulse.
$MaliciousDomains = @(
    "api.wigetticks.com",
    "api.wizzleticks.com"
)
# The widget host itself. A cache entry here shows the endpoint loaded the Okendo
# widget (exposure), not that injected code ran; report it as context, not an alert.
$ExposureDomains = @("cdn-static.okendo.io")

Write-Host "[+] Checking DNS cache for campaign domains..."
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { ($MaliciousDomains + $ExposureDomains) -contains $_.Name }
if ($DnsCache) {
    foreach ($Entry in $DnsCache) {
        $Tag = if ($MaliciousDomains -contains $Entry.Name) { "ALERT" } else { "EXPOSURE" }
        Write-Host "[!] ${Tag}: $($Entry.Name) -> $($Entry.Data) (TTL $($Entry.TimeToLive))" -ForegroundColor Red
    }
} else {
    Write-Host "[-] No campaign domains found in local DNS cache."
}

Write-Host "[+] Checking established connections against $($MaliciousIps.Count) C2 address(es)..."
if ($MaliciousIps.Count -eq 0) {
    Write-Host "[-] No C2 addresses supplied (-MaliciousIps); connection check will find nothing." -ForegroundColor Yellow
}
# Compare remote addresses directly. Reverse (PTR) lookups of remote IPs rarely
# return the attacker's hostname, so matching on PTR results misses most hits.
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $MaliciousIps -contains $_.RemoteAddress }
foreach ($Conn in $Connections) {
    $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] ALERT: Connection to C2 address detected!" -ForegroundColor Red
    Write-Host "    Process: $($Process.ProcessName) (PID: $($Conn.OwningProcess))"
    Write-Host "    Remote:  $($Conn.RemoteAddress):$($Conn.RemotePort)"
}

Write-Host "[+] Checking recently written browser cache files for C2 strings..."
$Paths = @("$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache",
           "$env:APPDATA\Mozilla\Firefox\Profiles")
# Cache entries are not stored as .js files (Chrome uses f_xxxxxx / data_x files), so
# scan every recently written file under a size cap instead of filtering on extension.
# 'okendo' is deliberately not in the pattern: every legitimate widget load matches it.
$Pattern = 'wigetticks|wizzleticks'
foreach ($Path in $Paths) {
    if (-not (Test-Path $Path)) { continue }
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) -and $_.Length -lt 5MB } |
        ForEach-Object {
            $Content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if ($Content -and $Content -match $Pattern) {
                Write-Host "[!] Suspicious cache content: $($_.FullName)" -ForegroundColor Yellow
            }
        }
}
```
---
# Response Priorities
**Immediate (0-24 hours):**
* **Block IOCs:** Immediately block all hostnames and URLs associated with SocGholish and SmartApeSG at the firewall, proxy, and DNS layers.
* **Hunt Artifacts:** Execute the provided PowerShell script across endpoints to identify active connections to C2 infrastructure.
* **Isolate:** Isolate any endpoints showing signs of connection to the identified malicious domains or running processes from the Sigma rule hits.
**24-48 hours:**
* **Credential Audit:** Given the involvement of info-stealers (StealC) and banking trojans (IcedID), initiate forced password resets for privileged accounts and monitor for suspicious authentication attempts.
* **Web Asset Scan:** Scan all public-facing WordPress sites for signs of SocGholish compromise (fake update scripts).
* **Supply Chain Vetting:** Review all third-party JavaScript libraries and widgets (specifically customer review plugins) for integrity and verify current versions against vendor advisories.
**1 Week+:**
* **Architecture Hardening:** Implement Content Security Policy (CSP) to restrict unauthorized script execution and mitigate future supply chain injection attacks.
* **Zero Trust Network:** Enforce strict micro-segmentation to limit lateral movement from compromised devices (especially relevant for IoT botnets discussed in the Middle East report).
* **Patch Management:** Prioritize patching for CVE-2025-11953 and review vulnerability exposure for assets in the Middle East region.
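The supply chain vetting and CSP items above come down to two controls for a third-party widget: pin the script you reviewed with Subresource Integrity, and use CSP to limit what any script on the page can reach. The example below is added here and is not Okendo's code or the report's; the widget body, origin, path and nonce are constructed placeholders, and `demo`, `script_tag`, `integrity_ok` and `csp_header` are names chosen for this example.

```python
"""Pinning a third-party widget with Subresource Integrity and a matching CSP.

Example code added to this page (not Okendo's code or the report's). The widget
body, origin, path and nonce are constructed placeholders.
"""
import base64
import hashlib


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity metadata as the browser expects it: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Script tag for a pinned (versioned) widget release whose body was reviewed."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def integrity_ok(expected: str, served_body: bytes) -> bool:
    """What the browser does before executing a script with an integrity attribute:
    recompute the digest of whatever the CDN actually served and compare."""
    algo = expected.split("-", 1)[0]
    return sri_hash(served_body, algo) == expected


def csp_header(widget_origin: str, nonce: str) -> str:
    """CSP that allows only first-party and nonce-bearing scripts plus the widget
    origin, and limits where any script may connect or send image beacons."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}' {widget_origin}",
        f"connect-src 'self' {widget_origin}",
        f"img-src 'self' {widget_origin}",
        "object-src 'none'",
        "base-uri 'self'",
    ])


# Constructed sample: a pinned widget release and the same file with code appended,
# standing in for the injected loader described earlier on this page.
PINNED = b"(function(){window.reviews={render:function(){}};})();\n"
TAMPERED = PINNED + b"/* appended by whoever controls the CDN path */\n"
ORIGIN = "https://widget-cdn.example"


def demo() -> dict:
    """Build the tag and header for the pinned release and check both bodies."""
    expected = sri_hash(PINNED)
    return {
        "tag": script_tag(f"{ORIGIN}/reviews-1.2.3.js", PINNED),
        "pinned_ok": integrity_ok(expected, PINNED),
        "tampered_ok": integrity_ok(expected, TAMPERED),
        "csp": csp_header(ORIGIN, "d2hhdGV2ZXI"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats follow from the code. SRI only protects a fixed artifact: a widget loaded from an unversioned URL that the vendor updates in place cannot carry an `integrity` attribute, so the choice is to pin a versioned URL (or self-host a reviewed copy) and track vendor releases, or to accept that the CDN can push arbitrary code to every page. A CSP that merely allowlists the vendor CDN does not stop the Okendo case either, because the injected code is served from the allowlisted origin; its value is in `connect-src` and `img-src`, which stop a loader running in the page from reaching hosts like `api.wigetticks.com`.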
---