
Operation Endgame Disruption & AI-Driven ClickFix: SocGholish, SmartRAT, and INC Ransomware Intelligence Briefing

Security Arsenal Team
June 19, 2026
6 min read

Recent OTX Pulse data for June 2026 indicates a volatile shift in the threat landscape. While the multinational "Operation Endgame" successfully disrupted the long-standing TA569 (Gold Prelude) SocGholish infrastructure—taking down 106 servers and remediating 15,000 WordPress sites—threat actors are rapidly pivoting to more sophisticated and automated delivery methods.

We are observing the immediate emergence of two distinct high-risk campaigns filling the void:

  1. Supply Chain Compromise: SmartApeSG is leveraging the Okendo Reviews widget (used by 18,000+ brands) to inject malicious JavaScript, delivering NetSupport, Remcos, and SmartRAT.
  2. AI-Generated Typosquatting: Unknown actors are utilizing AI to create deceptive domains targeting Brazilian finance, employing "ClickFix" fake CAPTCHA/BSOD techniques to distribute SmartRAT and Banana RAT.

Concurrently, INC Ransomware has solidified its position as a top-tier RaaS following the disruption of LockBit, utilizing Rust-based cross-platform encryptors and double-extortion tactics. These campaigns share a common objective: credential theft and initial access for either immediate financial fraud (banking trojans) or high-value ransomware deployment.

Threat Actor / Malware Profile

Adversaries

  • TA569 (GOLD PRELUDE): Historically relied on SEO poisoning and fake browser updates. Recently disrupted via Operation Endgame but likely to reconstitute using new infrastructure.
  • SmartApeSG: A threat group focusing on supply chain attacks via third-party e-commerce widgets (e.g., Okendo). They utilize JavaScript injection to stage loaders.
  • INC Ransomware: A sophisticated RaaS operation that has aggressively recruited former affiliates of dismantled cartels. Known for rewriting payloads in Rust to evade analysis.

Malware Families

  • SmartRAT / Banana RAT: PowerShell-based trojans often delivered via social engineering (ClickFix). They feature encrypted C2, clipboard interception (for cryptocurrency/banking), and persistence via scheduled tasks or registry run keys.
  • SocGholish: A malware framework (JScript) acting as a loader for families like IcedID, Pikabot, and Rhadamanthys. It relies heavily on compromised legitimate websites serving fake update prompts.
  • INC Ransomware: Rust-based encryptor targeting Windows and Linux/ESXi. Uses Cobalt Strike for lateral movement.
  • Infostealers (LummaC2, ACRStealer, Vidar): Distributed via cracks/keygens. Primary goal is harvesting browser cookies, passwords, and crypto-wallets to sell on dark web forums.

Techniques

  • Fake Browser Updates: HTML/JS overlays prompting "Chrome/Firefox Update".
  • ClickFix: Fake browser errors or CAPTCHAs that trick users into copying and running malicious PowerShell commands.
  • DLL Side-loading: Used by loaders like Smokeloader and Pikabot to bypass security controls.

IOC Analysis

The provided indicators reveal a multi-vector approach requiring distinct defensive postures:

  • Hostnames (e.g., trademark.iglesiaelarca.com): Legitimate-looking domains compromised to host SocGholish loaders. Operationalization involves inspecting DNS logs for resolutions to these specific FQDNs and checking SSL certificate validity for anomalies.
  • Onion/Dark Web Domains (e.g., incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion): Used by INC Ransomware for leak site operations. While direct blocking is difficult via corporate DNS, awareness of victim naming is crucial for threat hunting.
  • File Hashes (MD5/SHA256): Variants of SmartRAT, Banana RAT, and INC ransomware payloads. SOC teams should immediately upload these to EDR quarantine lists and scan historical VDI/S3 backups.
  • Typosquatting Domains (e.g., crefisa.online, windowsupdate-cdn.com): AI-generated lookalikes targeting specific regions (Brazil) or mimicking tech vendors. Requires regex-based blocking rules in secure web gateways.
  • URLs (e.g., cdn-static.okendo.io/...): The specific compromised endpoint in the Okendo supply chain. Blocking this URL may break legitimate review functionality; instead, inspect the JS content for the specific obfuscated loader signature referenced in the pulse.
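The hostname and typosquatting bullets above describe two different checks: exact matching of known-bad FQDNs in DNS logs, and pattern-based detection of lookalike domains. The Python below, added here as an example and not part of the pulse or this briefing, runs both over resolver log lines. The log line format, the protected-brand list, the public-suffix subset and the sample queries are constructed for illustration; the IoC hostnames are the ones quoted above, and all function names are my own.

```python
"""Triage DNS query logs against exact IoC hostnames and a typosquat heuristic.

Added example, not part of the briefing. The log line format, the protected
brand list and the sample queries are constructed for illustration; the IoC
hostnames are the ones quoted in the briefing.
"""
import re
from difflib import SequenceMatcher

# Hostnames quoted in the briefing, treated here as an exact alert list.
IOC_HOSTNAMES = {
    "trademark.iglesiaelarca.com",
    "windowsupdate-cdn.com",
    "crefisa.online",
    "wigetticks.com",
    "wizzleticks.com",
}

# Constructed: registrable domain a brand legitimately uses -> brand label to protect.
PROTECTED_BRANDS = {
    "crefisa.com.br": "crefisa",
    "windowsupdate.com": "windowsupdate",
}

# Constructed subset of two-label public suffixes so registrable-domain
# extraction works for ccTLD second-level domains such as com.br.
TWO_LABEL_SUFFIXES = {"com.br", "co.uk", "com.au"}

# Constructed resolver log format: "... query=<name> type=<rrtype>".
LOG_RE = re.compile(r"query=(?P<qname>[A-Za-z0-9.-]+)")


def registrable_domain(hostname):
    """Return the registrable domain (brand label plus public suffix)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_reason(hostname):
    """Explain why a hostname resembles a protected brand, or None if it does not."""
    reg = registrable_domain(hostname)
    if reg in PROTECTED_BRANDS:
        return None  # the brand's own domain (any subdomain)
    sld = reg.split(".")[0]
    for legit, brand in PROTECTED_BRANDS.items():
        if sld == brand:
            return f"brand '{brand}' on an unexpected TLD (legitimate: {legit})"
        if brand in sld:
            return f"brand '{brand}' embedded with extra tokens (legitimate: {legit})"
        if SequenceMatcher(None, sld, brand).ratio() >= 0.8:
            return f"near-match for brand '{brand}' (legitimate: {legit})"
    return None


def classify(hostname):
    """Return (verdict, reason): 'ioc_match', 'lookalike' or 'clean'."""
    host = hostname.lower().rstrip(".")
    if host in IOC_HOSTNAMES or registrable_domain(host) in IOC_HOSTNAMES:
        return "ioc_match", "exact IoC hostname from the pulse"
    reason = lookalike_reason(host)
    if reason:
        return "lookalike", reason
    return "clean", ""


def triage(log_lines):
    """Return (qname, verdict, reason) for every non-clean query in the log."""
    findings = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        verdict, reason = classify(match["qname"])
        if verdict != "clean":
            findings.append((match["qname"], verdict, reason))
    return findings


# Constructed sample resolver log (not real traffic).
SAMPLE_LOG = [
    "2026-06-19T10:00:01Z client=10.0.0.12 query=login.crefisa.com.br type=A",
    "2026-06-19T10:00:02Z client=10.0.0.12 query=crefisa-app.online type=A",
    "2026-06-19T10:00:03Z client=10.0.0.44 query=trademark.iglesiaelarca.com type=A",
    "2026-06-19T10:00:04Z client=10.0.0.44 query=creflsa.com type=A",
    "2026-06-19T10:00:05Z client=10.0.0.51 query=update.microsoft.com type=A",
]

if __name__ == "__main__":
    for qname, verdict, reason in triage(SAMPLE_LOG):
        print(f"{verdict:10} {qname:32} {reason}")
```

The exact list is cheap and precise, so it belongs in the resolver or gateway blocklist; the lookalike heuristic produces candidates for analyst review rather than automatic blocks, because a similarity threshold will also catch unrelated brands with short names.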

Detection Engineering

Sigma Rules

YAML
title: Potential Fake Browser Update or SocGholish Activity
description: Detects execution of script files often associated with fake browser updates leading to malware loaders like IcedID or Pikabot.
references:
  - https://otx.alienvault.com/pulse/operation-endgame-vs-socgholish-fake-updates/
author: Security Arsenal
date: 2026/06/19
tags:
  - attack.initial_access
  - attack.t1189
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
    CommandLine|contains:
      - '.js'
      - '.jse'
      - 'update.js'
      - 'chrome_update'
      - 'firefox_update'
  condition: selection
falsepositives:
  - Legitimate administrative scripts
level: high
---
title: Potential ClickFix Fake CAPTCHA Execution
description: Detects suspicious PowerShell commands often copy-pasted by victims tricked by fake CAPTCHAs or browser errors.
references:
  - https://otx.alienvault.com/pulse/clickfix-campaign-generated-via-ai-delivers-smartrat/
author: Security Arsenal
date: 2026/06/19
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_pwsh:
    Image|endswith: '\powershell.exe'
    ParentImage|contains:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
  selection_cli:
    CommandLine|contains:
      - 'clipboard'
      - 'Get-WinUserLanguageList'
      - 'FromBase64String'
      - 'iex'
  condition: all of selection_*
falsepositives:
  - Low
level: critical
---
title: Okendo Reviews Compromise - Suspicious Outbound Connection
description: Detects potential C2 callbacks associated with the SmartApeSG Okendo supply chain attack.
references:
  - https://otx.alienvault.com/pulse/okendo-reviews-supply-chain-attack/
author: Security Arsenal
date: 2026/06/19
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationHostname|contains:
      - 'wigetticks.com'
      - 'wizzleticks.com'
  condition: selection
falsepositives:
  - None
level: critical
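To show how the selection and condition logic of the two process_creation rules above actually combines (fields inside a selection are ANDed, list values are ORed, and `all of selection_*` requires every matching selection), here is a small Sigma-subset evaluator in Python. It is an added example, not part of the briefing and not a Sigma project tool: it supports only the `endswith`, `startswith` and `contains` modifiers and the `selection`, `all of <pattern>` and `1 of <pattern>` conditions. The detection blocks are transcribed from the rules above; the four sample events are constructed, not real telemetry.

```python
"""Evaluate the process_creation Sigma detections above against sample events.

Added example, not from the briefing: a deliberately small subset of Sigma
(the |endswith, |startswith and |contains modifiers, list values as OR, and the
'selection' / 'all of <pattern>' / '1 of <pattern>' conditions). The detection
blocks are transcribed from the two process_creation rules above; the events
are constructed and do not come from real telemetry.
"""
import fnmatch

FAKE_UPDATE_RULE = {
    "title": "Potential Fake Browser Update or SocGholish Activity",
    "detection": {
        "selection": {
            "Image|endswith": ["\\wscript.exe", "\\cscript.exe", "\\mshta.exe"],
            "CommandLine|contains": [".js", ".jse", "update.js", "chrome_update", "firefox_update"],
        },
        "condition": "selection",
    },
}

CLICKFIX_RULE = {
    "title": "Potential ClickFix Fake CAPTCHA Execution",
    "detection": {
        "selection_pwsh": {
            "Image|endswith": "\\powershell.exe",
            "ParentImage|contains": ["\\chrome.exe", "\\firefox.exe", "\\msedge.exe"],
        },
        "selection_cli": {
            "CommandLine|contains": ["clipboard", "Get-WinUserLanguageList", "FromBase64String", "iex"],
        },
        "condition": "all of selection_*",
    },
}

RULES = [FAKE_UPDATE_RULE, CLICKFIX_RULE]


def field_matches(event, key, expected):
    """One 'Field|modifier: value(s)' entry; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()  # Sigma string matching is case-insensitive
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in (str(c).lower() for c in candidates):
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "startswith" and value.startswith(cand):
            return True
        if modifier == "contains" and cand in value:
            return True
        if modifier == "" and value == cand:
            return True
    return False


def selection_matches(event, selection):
    """All field entries inside one selection are ANDed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Return True if the rule's condition holds for the event."""
    detection = rule["detection"]
    condition = detection["condition"].strip()
    selections = {k: v for k, v in detection.items() if k != "condition"}
    for prefix, combine in (("all of ", all), ("1 of ", any)):
        if condition.startswith(prefix):
            pattern = condition[len(prefix):]
            names = [n for n in selections if fnmatch.fnmatchcase(n, pattern)]
            return bool(names) and combine(selection_matches(event, selections[n]) for n in names)
    return selection_matches(event, selections[condition])


def run_rules(events, rules=RULES):
    """Return (rule title, event index) for every rule that fires."""
    return [(r["title"], i) for i, e in enumerate(events) for r in rules if evaluate(r, e)]


# Constructed sample process-creation events.
EVENTS = [
    {   # ClickFix chain: browser parent, hidden PowerShell, clipboard content piped to iex
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "CommandLine": 'powershell.exe -w hidden -c "<clipboard contents redacted> | iex"',
    },
    {   # Admin helper: same command-line strings, but launched from explorer.exe
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": 'powershell.exe -File C:\\Scripts\\copy-clipboard-report.ps1',
    },
    {   # Fake browser update: wscript running a downloaded Chrome_Update.js
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": 'wscript.exe "C:\\Users\\alice\\Downloads\\Chrome_Update.js"',
    },
    {   # Legitimate logon script: cscript with a .vbs, no update-themed strings
        "Image": "C:\\Windows\\System32\\cscript.exe",
        "ParentImage": "C:\\Windows\\System32\\gpscript.exe",
        "CommandLine": 'cscript.exe //nologo C:\\Scripts\\inventory.vbs',
    },
]

if __name__ == "__main__":
    for title, idx in run_rules(EVENTS):
        print(f"[{title}] fired on event {idx}: {EVENTS[idx]['CommandLine']}")
```

The second event is the useful one for tuning: it carries the same `clipboard` string as the ClickFix chain but does not fire, because `all of selection_*` also demands the browser parent. If a site sees many false positives from the first rule, the same mechanism (a second selection ANDed in, or an exclusion) is how the rule is tightened rather than by deleting command-line strings.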

KQL (Microsoft Sentinel)

KQL
// Hunt for suspicious PowerShell execution patterns associated with ClickFix/SmartRAT.
// The command line is kept in the output: it is the evidence an analyst needs to triage the hit.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("clipboard", "iex", "FromBase64String")
| where InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")
| extend FullURL = extract(@'(https?://[\w.-]+)', 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, FullURL
| order by Timestamp desc

// Hunt for network connections to IOCs related to INC Ransomware, SocGholish and the Okendo compromise.
// has_any matches whole terms, so the full C2 domains from the Sigma rule are used rather than fragments.
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any ("incblog.su", "windowsupdate-cdn.com", "crefisa.online", "wigetticks.com", "wizzleticks.com")
    or RemoteIP in ("162.141.111.227")
| summarize count() by DeviceName, RemoteUrl, RemoteIP
| order by count_ desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for indicators associated with June 2026 OTX Pulses.
.DESCRIPTION
    Checks for file presence of known SmartRAT/INC hashes (MD5 and SHA256), and for
    scheduled tasks and registry Run keys used for PowerShell-based persistence.
#>

# The pulse lists a mix of MD5 (32 hex chars) and SHA256 (64 hex chars) values,
# so both algorithms are computed per file and compared case-insensitively.
$IOC_Hashes = @(
    "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141", # INC Ransomware (SHA256)
    "297eb45f028d44d750297d2f932b9c91", # SmartRAT variant (MD5)
    "3c72e1f37f115b00c3ad6ed31bacfe8a",
    "6bf4d4c62b5138ace281ce3d08297787",
    "b17ccdb5531555e43f082d6e77c07227",
    "46e32500cd24395dd140293758e72fe8671217f5f5b0307858fc118a125aab8c"  # ACRStealer/LummaC2 (SHA256)
) | ForEach-Object { $_.ToLowerInvariant() }

$SearchPaths = @("C:\Windows\Temp", "$env:USERPROFILE\Downloads", "$env:APPDATA", "$env:LOCALAPPDATA")

Write-Host "[+] Hunting for malicious file hashes..." -ForegroundColor Cyan

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            foreach ($algo in @('SHA256', 'MD5')) {
                $hash = (Get-FileHash -Path $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
                if ($hash -and ($hash.ToLowerInvariant() -in $IOC_Hashes)) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($file.FullName) ($($algo): $hash)" -ForegroundColor Red
                }
            }
        }
    }
}

# The same command-line strings the Sigma and KQL content keys on.
$SuspiciousPattern = 'clipboard|FromBase64String|iex'

Write-Host "[+] Checking for suspicious Scheduled Tasks (SmartRAT/ClickFix persistence)..." -ForegroundColor Cyan

# A task can carry several actions, so each action is inspected on its own. The task state is
# reported rather than filtered on: a disabled or currently running persistence task is still a finding.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $taskAction = "$($action.Execute) $($action.Arguments)"
        if ($taskAction -match 'powershell|pwsh' -and $taskAction -match $SuspiciousPattern) {
            Write-Host "[!] SUSPICIOUS TASK FOUND: $($task.TaskPath)$($task.TaskName) (State: $($task.State))" -ForegroundColor Yellow
            Write-Host "    Action: $taskAction" -ForegroundColor Gray
        }
    }
}

Write-Host "[+] Checking registry Run keys for PowerShell-based persistence..." -ForegroundColor Cyan

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties that Get-ItemProperty adds to every key.
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
            $value = [string]$props.$name
            if ($value -match 'powershell|pwsh' -and $value -match $SuspiciousPattern) {
                Write-Host "[!] SUSPICIOUS RUN KEY: $key\$name" -ForegroundColor Yellow
                Write-Host "    Value: $value" -ForegroundColor Gray
            }
        }
    }
}

Write-Host "[+] Hunt complete."


Response Priorities

Immediate:
  • Block all listed IOCs (domains, IPs, hashes) at the firewall, proxy, and EDR levels.
  • Isolate endpoints exhibiting PowerShell execution chains spawned from web browsers (ClickFix behavior).
  • Review e-commerce platforms for the okendo-reviews.js file version; roll back to a clean version if compromised.

24 Hours:
  • Initiate credential resets for accounts accessible from endpoints where SmartRAT or infostealers (LummaC2, ACRStealer) were detected.
  • Conduct forensic analysis on the specific file hashes identified in the "May 2026 Infostealer Trend" pulse to determine data exfiltration scope.

1 Week:
  • Update script blocking policies (CSP) to prevent unauthorized JavaScript loading on external customer-facing sites.
  • Implement browser isolation or strict URL filtering for typosquatting domains targeting financial institutions.
  • Review vendor access and supply chain security for third-party widgets like Okendo.
