Back to Intelligence

Operation Endgame & SmartApeSG: SocGholish Takedown, Okendo Supply Chain Attack, and FortiBleed Credential Harvesting — Intel Brief

SA
Security Arsenal Team
June 23, 2026
6 min read

This briefing synthesizes five OTX pulses highlighting a turbulent week for credential theft infrastructure. While "Operation Endgame" successfully disrupted the SocGholish (TA569) malware framework—taking down 100+ servers and remediating ~15,000 compromised WordPress sites—threat actors are actively pivoting.

Simultaneously, a new supply chain attack by SmartApeSG targets the Okendo Reviews widget, injecting malicious JavaScript to deliver NetSupport, Remcos, and StealC. Additionally, commodity infostealers (LummaC2, Vidar, AgentTesla) are surging via software cracks, while the FortiBleed campaign continues harvesting credentials from Fortinet SSL VPN gateways using distributed GPU cracking. The collective objective is clear: bypass perimeter defenses and harvest credentials for initial access and ransomware deployment.

Threat Actor / Malware Profile

GOLD PRELUDE (TA569) / SocGholish

  • Status: Disrupted (Operation Endgame).
  • Method: Compromised WordPress sites hosting Fake Browser Update scripts.
  • Payload: JScript droppers leading to banking trojans (IcedID, QakBot) and loaders (Bumblebee, Smokeloader).
  • Persistence: Scheduled tasks or registry run keys established by the initial dropper.

SmartApeSG / Okendo Supply Chain

  • Method: Malicious JavaScript injection into okendo-reviews.js.
  • Behavior: Acts as a staged loader, obfuscating traffic to C2 servers (api.wigetticks.com, api.wizzleticks.com).
  • Payload: StealC (infostealer), Remcos (RAT), Sectop RAT.
  • Goal: High-volume credential harvesting from e-commerce customers and admin sessions.

FortiBleed Campaign

  • Method: Credential harvesting and brute-forcing against Fortinet FortiGate SSL VPNs.
  • Infrastructure: Uses exposed attacker directories and Hashtopolis (GPU cracking).
  • Goal: Obtain valid VPN credentials to sell as Initial Access Brokers (IAB).

IOC Analysis

The provided intelligence contains specific operational indicators:

  • Hostnames (SocGholish): 10+ indicators (e.g., trademark.iglesiaelarca.com) representing compromised WordPress sites serving fake updates. These should be blocked at the DNS layer.
  • URLs (SmartApeSG): Malicious scripts and API endpoints (api.wizzleticks.com). Block these HTTPS connections immediately.
  • Domains (Infostealers): Distribution domains (e.g., comples.biz, dafkov.shop) hosting cracked software. Block access to prevent drive-by downloads.
  • File Hashes (Infostealers): Specific SHA256/MD5 hashes for droppers. EDR solutions should block these on sight.
  • IPv4 (FortiBleed): 7 IPs associated with the cracking infrastructure. Block inbound/outbound traffic to these ranges.

Detection Engineering

YAML
---
title: Potential SocGholish Fake Browser Update Execution
id: b3c9f7e1-6d8f-4a9e-b5c0-1a2b3c4d5e6f
status: experimental
description: Detects execution of JScript files spawned by web browsers, a common tactic of SocGholish fake browser updates.
references:
    - https://www.infoblox.com/blog/threat-intelligence/hot-take-operation-endgame-vs-socgholish/
author: Security Arsenal
date: 2026/06/23
tags:
    - attack.defense_evasion
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\brave.exe'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        CommandLine|contains: '.js'
    condition: selection
falsepositives:
    - Legitimate web-based tools using local scripts
level: high
---
title: Connection to SmartApeSG Malicious C2 Infrastructure
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects network connections to known malicious domains used in the Okendo Reviews supply chain attack.
references:
    - https://www.zscaler.com/blogs/security-research/smartapesg-launches-okendo-reviews-supply-chain-attack
author: Security Arsenal
date: 2026/06/23
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'wigetticks.com'
            - 'wizzleticks.com'
    condition: selection
falsepositives:
    - None
level: critical
---
title: FortiBleed Infrastructure Connection
id: 11223344-5566-7788-99aa-bbccddeeff00
status: experimental
description: Detects outbound connections to IP addresses identified in the FortiBleed credential harvesting campaign.
references:
    - https://www.cloudsek.com/blog/inside-the-fortibleed-open-directory-a-technical-analysis-of-what-the-attacker-left-behind
author: Security Arsenal
date: 2026/06/23
tags:
    - attack.initial_access
    - attack.t1078
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationIp|in:
            - '85.11.187.8'
            - '175.155.64.221'
            - '185.229.26.83'
            - '198.53.64.194'
            - '213.169.49.142'
            - '38.117.87.37'
            - '85.11.187.28'
    condition: selection
falsepositives:
    - Unlikely
level: critical


kql
// Hunt for SocGholish and Infostealer Domains/Hostnames
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ (
    "trademark.iglesiaelarca.com", 
    "content.garretttrails.org",
    "promo.summat10n.org",
    "billing.roofnrack.us",
    "devel.asurans.com",
    "storehouse.beautysupplysalonllc.com",
    "samples.addisgraphix.com",
    "api-app.uppercrafteroom.com",
    "platform.exathomeswebuyarizona.com",
    "js-new.newtoyourgame.com",
    "comples.biz",
    "dafkov.shop",
    "ciuzdaw.shop",
    "ablackb.shop",
    "cloxaa.shop"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| summarize count() by RemoteUrl, DeviceName;

// Hunt for FortiBleed IP Connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in~ ("85.11.187.8", "175.155.64.221", "185.229.26.83", "198.53.64.194", "213.169.49.142", "38.117.87.37", "85.11.187.28")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort;

// Hunt for Infostealer File Hashes (from Pulse 3)
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in~ ("46e32500cd24395dd140293758e72fe8671217f5f5b0307858fc118a125aab8c") or 
          MD5 in~ ("0d1f6685b4e284f92ef25c0f9358bcdc") or
          SHA1 in~ ("7d5c1d672d6e4bef1a7ca4ca9849db74e8690213")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5;


powershell
# IOC Hunt Script for SocGholish, SmartApeSG, and FortiBleed
# Run as Administrator

Write-Host "Starting IOC Hunt..." -ForegroundColor Cyan

# 1. Check DNS Resolution for Malicious Domains (SocGholish & Infostealers)
$domains = @(
    "trademark.iglesiaelarca.com", "content.garretttrails.org", "promo.summat10n.org",
    "billing.roofnrack.us", "devel.asurans.com", "storehouse.beautysupplysalonllc.com",
    "samples.addisgraphix.com", "api-app.uppercrafteroom.com", "platform.exathomeswebuyarizona.com",
    "js-new.newtoyourgame.com", "comples.biz", "dafkov.shop", "ciuzdaw.shop",
    "ablackb.shop", "cloxaa.shop", "api.wiggettcks.com", "api.wizzleticks.com"
)

Write-Host "`n[+] Checking DNS resolution for malicious domains..." -ForegroundColor Yellow
$foundDomains = @()
foreach ($domain in $domains) {
    try {
        $result = Resolve-DnsName -Name $domain -ErrorAction Stop
        if ($result) {
            Write-Host "RESOLVED: $domain -> $($result.IPAddress)" -ForegroundColor Red
            $foundDomains += $domain
        }
    } catch {
        # Domain not resolving - expected for blocked/IOCs
    }
}

# 2. Scan for Malicious File Hashes (Infostealers)
$maliciousHashes = @{
    "46e32500cd24395dd140293758e72fe8671217f5f5b0307858fc118a125aab8c" = "SHA256"
    "0d1f6685b4e284f92ef25c0f9358bcdc" = "MD5"
    "7d5c1d672d6e4bef1a7ca4ca9849db74e8690213" = "SHA1"
}

Write-Host "`n[+] Scanning common download directories for malicious file hashes..." -ForegroundColor Yellow
$paths = @("$env:USERPROFILE\Downloads", "$env:PUBLIC\Downloads", "C:\Temp")
$foundFiles = @()

foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            foreach ($hash in $maliciousHashes.Keys) {
                $algo = $maliciousHashes[$hash]
                try {
                    $fileHash = (Get-FileHash -Path $_.FullName -Algorithm $algo -ErrorAction Stop).Hash.ToLower()
                    if ($fileHash -eq $hash.ToLower()) {
                        Write-Host "MATCH FOUND: $($_.FullName) ($algo)" -ForegroundColor Red
                        $foundFiles += $_.FullName
                    }
                } catch {
                    # Error reading file (locked or in use)
                }
            }
        }
    }
}

# 3. Check for Network Connections to FortiBleed IPs
$fortiBleedIPs = @("85.11.187.8", "175.155.64.221", "185.229.26.83", "198.53.64.194", "213.169.49.142", "38.117.87.37", "85.11.187.28")
Write-Host "`n[+] Checking active connections for FortiBleed IPs..." -ForegroundColor Yellow
$activeConnections = Get-NetTCPConnection | Where-Object { $fortiBleedIPs -contains $_.RemoteAddress }
if ($activeConnections) {
    $activeConnections | ForEach-Object {
        $process = Get-Process -Id $_.OwningProcess
        Write-Host "CONNECTION DETECTED: IP $($_.RemoteAddress) PID $($_.OwningProcess) ($($process.ProcessName))" -ForegroundColor Red
    }
} else {
    Write-Host "No active connections to FortiBleed infrastructure found." -ForegroundColor Green
}

if ($foundDomains.Count -eq 0 -and $foundFiles.Count -eq 0 -and $activeConnections.Count -eq 0) {
    Write-Host "`n[+] No immediate IOCs found on this host." -ForegroundColor Green
} else {
    Write-Host "`n[!] ALERT: IOC artifacts detected. Investigate immediately." -ForegroundColor Magenta
}

Response Priorities

  • Immediate (Block & Contain):
    • Block all hostnames and domains listed in the IOC Analysis at the DNS/Web Proxy level.
    • Block the 7 IPv4 addresses associated with FortiBleed on perimeter firewalls.
    • Update EDR signatures to block the specific file hashes provided.
  • 24 Hours (Hunt & Verify):
    • Web Forensics: Identify if internal users visited the compromised WordPress sites or downloaded malicious JS related to Okendo.
    • Identity Check: If FortiBleed IPs were contacted, audit VPN logs for concurrent failed/successful authentications. Reset credentials for affected accounts.
    • Supply Chain: E-commerce teams must audit the integrity of the Okendo Reviews widget implementation and check for malicious script injection.
  • 1 Week (Harden & Prevent):
    • WordPress Hygiene: Patch all WordPress instances and plugins used in marketing/satellite sites to prevent SocGholish reinfection.
    • VPN Security: Enforce strict MFA and limit VPN access to specific source IPs to mitigate brute-force risks like FortiBleed.
    • Application Control: Block execution of unauthorized installers and crack tools (primary vector for May 2026 infostealers).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialssocgholishfortibleedsupply-chainsmartratinfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action