
Operation Endgame Disruption & SmartRAT Credential Theft: OTX Pulse Analysis

Security Arsenal Team
June 21, 2026
6 min read

Excerpt

Credential theft via SmartRAT & supply chain attacks rises as SocGholish falls. Detection engineering guide included.

Threat Summary

Recent OTX pulses indicate a significant shift in the threat landscape following "Operation Endgame," a multinational law enforcement effort that successfully disrupted the SocGholish (FAKEUPDATES) infrastructure operated by GOLD PRELUDE (TA569). While over 100 servers and 15,000 compromised WordPress sites were remediated, threat actors are rapidly pivoting to alternative initial access vectors. Intelligence suggests a surge in AI-generated ClickFix campaigns delivering SmartRAT via fake CAPTCHAs and typosquatting (e.g., crefisa.online, windowsupdate-cdn.com). Concurrently, a sophisticated supply chain attack targeting the Okendo Reviews widget has injected malicious JavaScript into e-commerce platforms, delivering payloads like Remcos and StealC. Collectively, these campaigns maintain the objective of credential theft and initial access for ransomware distribution, utilizing Traffic Distribution Systems (TDS) and obfuscated loaders to bypass defenses.

Threat Actor / Malware Profile

GOLD PRELUDE (TA569) & SocGholish

  • Status: Disrupted/Diminishing.
  • Distribution: Compromised WordPress sites delivering fake browser update prompts (JS).
  • Behavior: Acts as a loader for secondary payloads like IcedID, Pikabot, and Rhadamanthys.
  • Persistence: Scheduled tasks and registry modifications via the initial JScript payload.

SmartApeSG & Unknown Actor (SmartRAT Campaigns)

  • Malware: SmartRAT, Remcos, StealC.
  • Distribution: Supply chain compromise (Okendo Reviews widget) and AI-generated ClickFix campaigns (fake CAPTCHA/BSOD).
  • Behavior: SmartRAT utilizes PowerShell for execution, focusing on banking trojan functionality and credential interception. The Okendo injection uses localStorage for staging and obfuscation to evade static analysis.
  • C2: Encrypted HTTPS communication to distinct domains (e.g., api.wiggett icks.com).

Infostealer Ecosystem (ACRStealer, LummaC2, Vidar)

  • Distribution: Cracks/Keygens hosted on Mediafire and AWS S3.
  • Behavior: Standard infostealer capabilities (cookies, passwords, wallet data), often utilizing DLL side-loading.

IOC Analysis

The provided indicators of compromise (IOCs) span multiple infrastructure types:

  • Hostnames & Domains: A high volume of compromised legitimate hostnames (e.g., trademark.iglesiaelarca.com) associated with the SocGholish disruption, and typosquatted domains (e.g., crefisa.online) for the SmartRAT campaign.
  • File Hashes: Numerous MD5 and SHA256 hashes corresponding to loaders and droppers (e.g., 297eb45f028d44d750297d2f932b9c91). These should be blocked at the perimeter and endpoint.
  • URLs: Specific URLs related to the malicious Okendo widget injection.

SOC Operationalization: SOC teams should immediately import the hostnames and domains into network blocklists (EDR/Firewall/DNS). File hashes must be added to endpoint block lists. Given the use of compromised WordPress sites, blocking by IP or domain alone may generate false positives against otherwise legitimate sites; prioritize blocking the specific paths associated with fake updates and the suspicious JS files.

Detection Engineering

The following detection logic targets the specific behaviors identified in the pulses: PowerShell execution via ClickFix, Fake Browser Update patterns, and suspicious process lineage.

YAML
title: Potential SmartRAT ClickFix PowerShell Execution
id: 6a5e1f2a-8b4c-4f3a-9c1d-2e3f4a5b6c7d
description: Detects PowerShell commands often used in ClickFix campaigns (Fake BSOD/Captcha) that decode and execute payloads, specifically targeting patterns observed in SmartRAT distribution.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_decode:
        CommandLine|contains: 'FromBase64String'
    selection_exec:
        # 'IEX' is a short, case-insensitive token; requiring the decode term alongside it keeps noise down
        CommandLine|contains:
            - 'IEX'
            - 'Invoke-Expression'
    # decode AND execute in the same command line, matching the KQL hunt query
    condition: all of selection_*
falsepositives:
    - Legitimate administrative scripts
level: high
---
title: Suspicious Fake Browser Update Pattern
id: 00000000-0000-4000-8000-000000000002  # placeholder: the original id contained non-hex characters and is not a valid UUID; assign a real UUID before deployment
description: Detects potential execution of fake browser update scripts often delivered by SocGholish or similar loaders, characterized by specific JScript or wscript execution patterns.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    selection_cli:
        CommandLine|contains:
            - 'software_update'
            - 'browser_update'
            - 'chrome_installer'
            - '.js'
    condition: selection_img and selection_cli
falsepositives:
    - Legitimate system updates (rare for wscript)
level: high
---
title: Okendo Reviews Malicious JS Injection
id: 00000000-0000-4000-8000-000000000003  # placeholder: the original id contained non-hex characters and is not a valid UUID; assign a real UUID before deployment
description: Detects potential network connections to domains associated with the Okendo Reviews supply chain attack or unusual parent-child process relationships involving browsers spawning shells.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    product: windows
    category: network_connection
detection:
    selection_domains:
        # Sigma network_connection uses Image for the initiating process (InitiatingProcessName is an MDE field name)
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
        DestinationHostname|contains:
            - 'wiggett icks.com'
            - 'wizzleticks.com'
    condition: selection_domains
falsepositives:
    - Unknown
level: critical
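The two process_creation rules above, expressed as plain Python and run over constructed sample events, as an added example that is not part of the original pulse. It shows why the ClickFix rule should require both a base64 decode and an IEX/Invoke-Expression in the same command line: a decode on its own is common in benign administrative scripts. The sample events and the `evaluate` helper are constructed for this illustration.

```python
"""Added example (not from the original pulse): a minimal evaluator for the ClickFix
PowerShell and Fake Browser Update rules, run over constructed process_creation events."""

POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe", "\\mshta.exe")
FAKE_UPDATE_WORDS = ("software_update", "browser_update", "chrome_installer")


def clickfix_powershell(event: dict) -> bool:
    """Image is PowerShell AND the command line both decodes base64 and evaluates it."""
    image = event.get("Image", "").lower()
    cli = event.get("CommandLine", "").lower()  # Sigma 'contains' is case-insensitive
    if not image.endswith(POWERSHELL):
        return False
    decodes = "frombase64string" in cli
    evaluates = "iex" in cli or "invoke-expression" in cli
    return decodes and evaluates  # both required, mirroring 'all of selection_*'


def fake_browser_update(event: dict) -> bool:
    """Script host launched with an update-themed .js argument (SocGholish pattern)."""
    image = event.get("Image", "").lower()
    cli = event.get("CommandLine", "").lower()
    if not image.endswith(SCRIPT_HOSTS):
        return False
    return any(w in cli for w in FAKE_UPDATE_WORDS) and ".js" in cli


def evaluate(events):
    """Return, per event, the titles of the rules that fire (empty list = no alert)."""
    rules = {"Potential SmartRAT ClickFix PowerShell Execution": clickfix_powershell,
             "Suspicious Fake Browser Update Pattern": fake_browser_update}
    return [[title for title, fn in rules.items() if fn(e)] for e in events]


# Constructed sample events (not real telemetry); the base64 payload is just "hello".
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"IEX([Text.Encoding]::UTF8.GetString("
                    "[Convert]::FromBase64String('aGVsbG8=')))\""},
    # benign admin use of FromBase64String with no IEX: must NOT fire
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\Scripts\\Decode-Cert.ps1 \"[Convert]::FromBase64String($pem)\""},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\Downloads\Chrome_browser_update.js"},
    # legitimate script-host usage with no update keyword: must NOT fire
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv"},
]
```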


kql
// Hunt for SmartRAT and ClickFix related network activity
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("windowsupdate-cdn.com", "crefisa.online", "wiggett icks.com", "wizzleticks.com")
  or RemoteIP == "162.141.111.227"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP

// Hunt for suspicious PowerShell execution patterns (ClickFix)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "FromBase64String" and ProcessCommandLine has_any ("IEX", "Invoke-Expression")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

// Hunt for SocGholish Fake Update loader execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("wscript.exe", "cscript.exe")
| where ProcessCommandLine matches regex @".*(software_update|browser_update|chrome_installer).*\.js.*"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine


powershell
# IOC Hunt Script for SocGholish and SmartRAT Indicators
# Requires administrative privileges

$MaliciousHashes = @(
    "297eb45f028d44d750297d2f932b9c91",
    "3c72e1f37f115b00c3ad6ed31bacfe8a",
    "6bf4d4c62b5138ace281ce3d08297787",
    "b17ccdb5531555e43f082d6e77c07227",
    "0d1f6685b4e284f92ef25c0f9358bcdc"
)

$MaliciousHosts = @(
    "trademark.iglesiaelarca.com",
    "crefisa.online",
    "windowsupdate-cdn.com",
    "api.wiggett icks.com",
    "api.wizzleticks.com"
)

Write-Host "[+] Scanning for file hashes..." -ForegroundColor Cyan
$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $HashObj = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            # Locked or unreadable files return $null; skip them rather than calling .ToLower() on $null
            if ($null -ne $HashObj) {
                $Hash = $HashObj.Hash.ToLower()
                if ($MaliciousHashes -contains $Hash) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (MD5: $Hash)" -ForegroundColor Red
                }
            }
        }
    }
}

Write-Host "[+] Checking DNS Cache for malicious domains..." -ForegroundColor Cyan
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
# $Host is a read-only automatic variable in PowerShell, so the loop variable needs a different name
foreach ($Domain in $MaliciousHosts) {
    $Hits = @($DnsCache | Where-Object { $_.Entry -like "*$Domain*" })
    if ($Hits.Count -gt 0) {
        Write-Host "[!] SUSPICIOUS DNS ENTRY FOUND: $Domain" -ForegroundColor Red
    }
}

Write-Host "[+] Hunt complete." -ForegroundColor Green

Response Priorities

  • Immediate: Block all identified IOCs (Domains, IPs, Hashes) at the firewall, proxy, and EDR levels. Specifically target the okendo.io related URLs and the windowsupdate-cdn.com typosquat domain.
  • 24h: Hunt for signs of SmartRAT or Remcos execution using the provided PowerShell script. Identify and quarantine systems with suspected SocGholish JScript downloads. Initiate credential resets for users who may have interacted with the "Okendo Reviews" widget or fake browser updates.
  • 1 Week: Review supply chain security for third-party JavaScript widgets. Harden browser policies to restrict unsigned code execution and prevent users from accepting fake browser updates. Conduct a review of software cracking/keygen usage on endpoints (LummaC2 vector).
