Excerpt: OTX pulses reveal SocGholish disruption by Op Endgame, Okendo supply chain attacks, and AI-driven ClickFix campaigns delivering SmartRAT.
Threat Summary
Recent OTX pulses highlight a volatile threat landscape characterized by major law enforcement disruption, sophisticated supply chain compromises, and AI-enhanced social engineering. Operation Endgame has successfully dismantled significant infrastructure for GOLD PRELUDE's SocGholish (Fake Browser Updates) operation, removing over 100 servers. However, threat actors continue to innovate. SmartApeSG has compromised the Okendo Reviews widget, injecting malicious JavaScript to deliver NetSupport and StealC directly to e-commerce customers. Concurrently, a ClickFix campaign utilizing AI-generated typosquatting targets Brazilian banks with SmartRAT via fake CAPTCHAs. Infostealer trends further emphasize the risk of "cracked" software distributing ACRStealer and LummaC2 via cloud storage.
Threat Actor / Malware Profile
GOLD PRELUDE (TA569) & SocGholish
- Profile: A prominent cybercrime group active since 2017, recently disrupted by Operation Endgame.
- Malware: SocGholish (Initial Access), IcedID, Pikabot, QakBot.
- Distribution: Compromised WordPress sites delivering fake browser update prompts (HTML/JS).
- Behavior: JScript payloads act as loaders for secondary payloads like Smokeloader or Bumblebee.
- Objective: Initial access leading to ransomware deployment (LockBit, WastedLocker) or credential theft.
SmartApeSG
- Profile: Threat actor targeting the retail sector via supply chain.
- Malware: NetSupport RAT, Remcos, StealC, Sectop RAT.
- Distribution: Malicious JavaScript injection into the Okendo Reviews widget (
okendo-reviews.js). - Behavior: Staged loader using localStorage obfuscation to fetch RAT payloads.
- Objective: Remote access control and credential harvesting from e-commerce sessions.
SmartRAT / ClickFix (Unknown Actor)
- Profile: AI-leveraging threat actor focusing on financial sectors in Brazil.
- Malware: SmartRAT, GhostLoader.
- Distribution: Typosquatting domains (e.g.,
crefisa.online,windowsupdate-cdn.com) built with AI tools. - Behavior: Fake CAPTCHA and BSOD screens trick users into running PowerShell commands (
cmd.exe /c powershell ...). - Objective: Banking trojan deployment and credential interception.
IOC Analysis
The provided IOCs span multiple vectors indicative of multi-stage attacks:
- Hostnames (e.g.,
trademark.iglesiaelarca.com): Likely compromised WordPress sites serving as SocGholish droppers. SOC teams should block these at the web proxy and inspect historical DNS logs for resolutions. - Domains (e.g.,
crefisa.online,comples.biz): C2 infrastructure for SmartRAT and Infostealers. These should be sinkholed or blocked on firewalls. - File Hashes (MD5/SHA256): Payloads for SmartRAT, GhostLoader, and InfoStealers. These should be uploaded to EDR exclusion lists for immediate isolation/quarantine.
- URLs (e.g.,
api.wiggettcks.com): Call-home domains for the Okendo supply chain attack. Specific attention is needed for outbound HTTPS connections to these non-standard domains from retail endpoints.
Detection Engineering
YAML
---
title: Potential SocGholish Fake Browser Update Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects potential execution of SocGholish fake browser update scripts, often involving JS files downloaded from compromised sites or wscript.exe execution.
references:
- https://otx.alienvault.com/pulse/operation-endgame
author: Security Arsenal
date: 2026/06/22
tags:
- attack.initial_access
- attack.t1189
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_cli:
CommandLine|contains:
- '.js'
- 'jscript'
- 'download'
condition: all of selection_*
falsepositives:
- Legitimate system administration scripts
level: high
---
title: Suspicious PowerShell Execution via ClickFix Pattern
id: b2c3d4e5-6789-01bc-def2-345678901234
status: experimental
description: Detects PowerShell commands often used in ClickFix campaigns (fake captchas) involving base64 encoded commands or specific download patterns.
references:
- https://otx.alienvault.com/pulse/clickfix-smartrat
author: Security Arsenal
date: 2026/06/22
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_ps:
Image|endswith: '\powershell.exe'
selection_enc:
CommandLine|contains:
- 'FromBase64String'
- 'DownloadString'
selection_parent:
ParentImage|endswith:
- '\cmd.exe'
- '\mshta.exe'
condition: all of selection_*
falsepositives:
- Administrative scripting
level: high
---
title: Okendo Reviews Supply Chain Suspicious Network Connection
id: c3d4e5f6-7890-12cd-ef34-567890123456
status: experimental
description: Detects network connections to known suspicious domains associated with the Okendo Reviews supply chain compromise.
references:
- https://otx.alienvault.com/pulse/okendo-reviews
author: Security Arsenal
date: 2026/06/22
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|contains:
- 'wiggettcks.com'
- 'wizzleticks.com'
condition: selection
falsepositives:
- Unknown
level: critical
kql
// Hunt for connections to domains identified in OTX pulses (SocGholish, SmartRAT, Infostealers)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("trademark.iglesiaelarca.com", "content.garretttrails.org", "crefisa.online", "windowsupdate-cdn.com", "comples.biz", "dafkov.shop")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| order by Timestamp desc
powershell
# PowerShell Hunt Script for SmartRAT and SocGholish Indicators
# Checks for recent file creations matching specific hash patterns or process connections
$TargetDomains = @("crefisa.online", "windowsupdate-cdn.com", "api.wiggettcks.com", "trademark.iglesiaelarca.com")
$SuspiciousProcesses = @("powershell.exe", "wscript.exe", "mshta.exe")
Write-Host "Checking for suspicious network connections..."
Get-NetTCPConnection | Where-Object {
$TargetDomains -contains $_.RemoteAddress -or
($_.OwningProcess -in (Get-Process | Where-Object {$SuspiciousProcesses -contains $_.ProcessName}).Id)
} | Select-Object LocalAddress, RemoteAddress, State, OwningProcess
Write-Host "Checking for recent suspicious script execution in Event Logs..."
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 1000 -ErrorAction SilentlyContinue
if ($Events) {
$Events | Where-Object { $_.Message -match "(wscript|cscript|powershell)" -and $_.Message -match "(\.js|\.jse|\.vbe)" } | Select-Object TimeCreated, Message
} else {
Write-Host "No security events found."
}
Response Priorities
- Immediate:
- Block all hostnames and domains listed in the IOC Analysis at the perimeter (Firewall/DNS).
- Quarantine endpoints identified connecting to
api.wiggettcks.comorwindowsupdate-cdn.com. - Implement strict Application Control policies blocking
wscript.exeandcscript.exefor non-admin users.
- 24 Hours:
- Force password reset for credentials entered on e-commerce sites utilizing the Okendo Reviews widget (if applicable to the organization).
- Hunt for file hashes associated with SmartRAT and GhostLoader on endpoints.
- 1 Week:
- Audit all WordPress instances for unauthorized plugin modifications or suspicious admin activity (Op Endgame context).
- Review third-party JavaScript dependencies on public-facing websites (Supply Chain context).
- Conduct security awareness training focusing on Fake Browser Updates and Fake Captchas.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialssocgholishsmartratclickfixokendoinfostealer
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.