
Operation Endgame Disruption, INC Ransomware Evolution, and Okendo Supply Chain Compromise: OTX Pulse Analysis

Security Arsenal Team
June 19, 2026
6 min read

The latest OTX Pulse data reveals a shifting landscape in the cybercriminal ecosystem driven by law enforcement disruption and emerging technical trends. The "Operation Endgame" initiative has successfully degraded the infrastructure of GOLD PRELUDE (TA569), the operator behind the SocGholish malware framework, resulting in the takedown of 106 servers and 15,000 compromised WordPress sites. However, the vacuum created by the disruption of legacy loaders (QakBot, TrickBot) and recent takedowns (LockBit, BlackCat) is being aggressively filled by INC Ransomware, which has matured into a top-tier RaaS operation utilizing Rust-based cross-platform encryptors. Simultaneously, the retail sector faces a sophisticated supply chain attack via the compromised Okendo Reviews widget, orchestrated by SmartApeSG to inject malicious JavaScript loaders (NetSupport, Remcos, StealC) into high-traffic e-commerce storefronts. The collective objective of these campaigns is initial access via web compromise (TDS or Supply Chain), leading to credential theft, deployment of banking trojans, or outright ransomware encryption for financial extortion.

Threat Actor / Malware Profile

GOLD PRELUDE (TA569) / SocGholish

  • Distribution Method: Traffic Distribution System (TDS) via compromised WordPress websites delivering fake browser update prompts ("Chrome Update Required").
  • Payload Behavior: Acts as a dropper for secondary payloads such as IcedID, Smokeloader, and Pikabot.
  • C2 Communication: Uses HTTP/HTTPS to compromised legitimate hostnames to blend in with normal traffic.
  • Persistence: Scheduled tasks or registry run keys established by the initial JScript dropper.
  • Anti-Analysis: Heavy obfuscation within the JScript payloads and domain generation algorithms.

INC Ransomware

  • Distribution Method: Initial access often achieved via exploitation of vulnerabilities (e.g., Citrix ADC CVE-2023-3519) and phishing. Operates as a RaaS.
  • Payload Behavior: Rust-based encryptors for both Windows and Linux/ESXi platforms. Performs double-extortion (encryption + data theft).
  • C2 Communication: Uses Tor .onion domains for negotiation and leak sites (e.g., incblog...onion).
  • Persistence / Lateral Movement: Uses tools such as Cobalt Strike and custom PowerShell scripts to persist and move laterally once inside the network.
  • Anti-Analysis: Rust-based code increases reverse engineering complexity and alters entropy signatures.

SmartApeSG / Okendo Supply Chain

  • Distribution Method: Supply chain compromise. Malicious JavaScript injected into the legitimate Okendo Reviews widget script (okendo-reviews.js).
  • Payload Behavior: The JS acts as a staged loader, utilizing obfuscation and localStorage to profile the victim before dropping payloads like NetSupport RAT, Remcos, or StealC.
  • C2 Communication: Connects to actor-controlled domains (e.g., api.wigetticks.com) for command and control.
  • Persistence: Browser-based persistence or execution of downloaded binaries.
  • Anti-Analysis: JavaScript obfuscation and dynamic loading mechanisms to evade static signature detection.

IOC Analysis

The current IOCs present a mix of infrastructure and vulnerability indicators:

  • Hostnames & Domains: Over 15 hostnames associated with the SocGholish TDS infrastructure (e.g., trademark.iglesiaelarca.com) and specific C2 domains for the Okendo attack (api.wigetticks.com). SOC teams should immediately block these at the DNS layer and review proxy logs for historical connections.
  • CVEs: INC Ransomware activity references specific vulnerabilities including CVE-2023-3519, CVE-2023-48788, CVE-2024-57727, and CVE-2025-5777. These should be prioritized for vulnerability scanning.
  • File Hashes: A SHA256 hash for the INC ransomware payload (6cd349eda...) is provided. EDR solutions should be configured to alert on execution of this hash.
  • URLs: Specific URLs for the Okendo compromised script and its C2 callbacks. Web content filtering (WCG) should block requests to these endpoints.

SOC teams can operationalize these by ingesting the STIX data into their SIEM, configuring firewall rules to block the listed domains, and using YARA rules to scan endpoints for the INC ransomware hash.
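The STIX ingestion step above, worked through as an added example (not code from the OTX pulse or from Security Arsenal): it parses the simple `[type:property = 'value']` indicator patterns out of a constructed STIX 2.1 bundle, derives a blocklist from the domain and URL indicators, and runs that list over constructed proxy log lines, matching subdomains as well as exact hosts. The domains and the SHA-256 are the ones quoted in this post; the script URL path, the query string and the log lines are placeholders.

```python
"""Pull network and file IOCs out of a STIX 2.1 bundle and run them over proxy logs."""
import json
import re
from urllib.parse import urlparse
def _indicator(pattern):  # minimal STIX 2.1 indicator object for the sample bundle
    return {"type": "indicator", "pattern_type": "stix", "pattern": pattern}
# Constructed sample bundle standing in for the OTX export (domains and hash from the
# post; the script URL path and the tracking query string are illustrative placeholders).
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--EXAMPLE", "objects": [
    _indicator("[domain-name:value = 'api.wigetticks.com']"),
    _indicator("[domain-name:value = 'trademark.iglesiaelarca.com']"),
    _indicator("[url:value = 'https://cdn.wizzleticks.com/EXAMPLE/okendo-reviews.js']"),
    _indicator("[file:hashes.'SHA-256' = "
               "'6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141']"),
]})
# Constructed proxy log lines: <timestamp> <client> <method> <url>
SAMPLE_PROXY_LOG = [
    "2026-06-18T10:01:02Z 10.0.0.21 GET https://www.example-store.com/products/1",
    "2026-06-18T10:01:03Z 10.0.0.21 GET https://api.wigetticks.com/v1/track?id=EXAMPLE",
    "2026-06-18T10:05:44Z 10.0.0.37 GET https://trademark.iglesiaelarca.com/update.js",
]
# Handles the simple single-comparison form only: [type:property = 'value']
PATTERN_RE = re.compile(r"\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']+)'\]")

def extract_iocs(bundle_json):
    """Return {'domains', 'urls', 'sha256'} sets parsed from indicator patterns."""
    iocs = {"domains": set(), "urls": set(), "sha256": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if obj.get("type") != "indicator" or not m:
            continue  # compound or unsupported patterns are left for manual review
        kind, prop, val = m.group("obj"), m.group("prop"), m.group("val").lower()
        if kind == "domain-name":
            iocs["domains"].add(val)
        elif kind == "url":
            iocs["urls"].add(val)
            iocs["domains"].add(urlparse(val).hostname)  # block the URL's host too
        elif kind == "file" and "sha-256" in prop.lower():
            iocs["sha256"].add(val)
    return iocs

def match_proxy_log(lines, iocs):
    """Return (timestamp, client, host) for requests to a listed domain or a subdomain of it."""
    hits = []
    for fields in (line.split() for line in lines):
        host = urlparse(fields[3]).hostname if len(fields) > 3 else None
        if host and any(host == d or host.endswith("." + d) for d in iocs["domains"]):
            hits.append((fields[0], fields[1], host))
    return hits
```

The `domains` set can be written straight out as a DNS RPZ or firewall object list, and `match_proxy_log` gives the historical-connection review the IOC section asks for.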

Detection Engineering

The following detection logic targets the specific behaviors observed in these pulses: fake browser updates (SocGholish), Citrix ADC exploitation (INC), and malicious supply chain C2 connections (SmartApeSG).

YAML
---
title: Fake Browser Update Script Execution
id: a1b2c3d4-5e6f-7890-g1h2-i3j4k5l6m7n8
description: Detects execution of a JScript file via wscript.exe/cscript.exe with arguments resembling fake browser updates, associated with SocGholish and TA569.
status: experimental
date: 2026/06/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/operation-endgame-vs-socgholish/
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_cli:
        CommandLine|contains:
            - 'update'
            - 'install'
            - 'chrome'
            - 'firefox'
            - 'edge'
    # The fake-update lure is delivered as a .js file; requiring it keeps
    # ordinary .vbs/.wsf admin scripts out of the results.
    selection_ext:
        CommandLine|contains: '.js'
    condition: selection_img and selection_cli and selection_ext
falsepositives:
    - Legitimate software update scripts
level: high
---
title: Potential Citrix ADC CVE-2023-3519 Exploitation Attempt
id: b2c3d4e5-6f7g-8901-h2i3-j4k5l6m7n8o9
description: Detects HTTP requests to the Citrix ADC paths associated with CVE-2023-3519 exploitation and INC Ransomware initial access.
status: experimental
date: 2026/06/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/inc-ransomware-evolution/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    # Sigma webserver taxonomy field names (c-uri, cs-method) so the rule
    # converts cleanly; feed it the ADC/NetScaler HTTP access log.
    selection_uri:
        c-uri|contains:
            - '/oauth/idp/.well-known/openid-configuration'
            - '/api/v1/logout'
    selection_method:
        cs-method: 'GET'
    condition: selection_uri and selection_method
falsepositives:
    - Legitimate Citrix management access
    - Normal OpenID Connect clients fetching the discovery document; correlate with source IP, user agent and request volume before escalating
level: high
---
title: SmartApeSG Okendo Supply Chain C2 Traffic
id: c3d4e5f6-7g8h-9012-i3j4-k5l6m7n8o9p0
description: Detects network connections to known command and control domains associated with the Okendo Reviews supply chain attack.
status: experimental
date: 2026/06/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/okendo-reviews-supply-chain/
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection_domains:
        DestinationHostname|contains:
            - 'wigetticks.com'
            - 'wizzleticks.com'
    condition: selection_domains
falsepositives:
    - Unknown
level: critical


kql
// Hunt for INC Ransomware related Citrix exploitation attempts in DeviceNetworkEvents.
// This surfaces MDE-onboarded hosts that requested the CVE-2023-3519 paths (for example
// an internal host being used to probe the ADC); the appliance itself does not report here.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("/oauth/idp/.well-known/openid-configuration", "/api/v1/logout")
| where RemotePort in (80, 443)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, RemoteUrl, RemoteIP

// Hunt for Fake Update script execution (SocGholish)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("wscript.exe", "cscript.exe")
// "contains" rather than "has": has() matches whole terms, so ".js" would not reliably hit "update.js"
| where ProcessCommandLine has_any ("update", "install", "chrome", "firefox", "edge") and ProcessCommandLine contains ".js"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName


powershell
#Requires -RunAsAdministrator
# IOC Hunt Script for SocGholish Hostnames and INC Ransomware File Hash
# Requires Administrative Privileges (DNS cache and full-disk read access)

$SocGholishHosts = @(
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "promo.summat10n.org",
    "billing.roofnrack.us",
    "devel.asurans.com",
    "storehouse.beautysupplysalonllc.com",
    "samples.addisgraphix.com",
    "api-app.uppercrafteroom.com"
)

$INC_RansomwareHash = "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141"

# Check DNS Cache for SocGholish Infrastructure
# Note: $Host is a read-only automatic variable in PowerShell, so the loop
# variable must use a different name or the script fails on the first iteration.
Write-Host "Checking DNS Cache for SocGholish Hosts..."
$DNSCache = Get-DnsClientCache
foreach ($Hostname in $SocGholishHosts) {
    $Entry = $DNSCache | Where-Object { $_.Entry -like "*$Hostname*" }
    if ($Entry) {
        Write-Host "[ALERT] Found DNS cache entry for: $Hostname" -ForegroundColor Red
    }
}

# Check for INC Ransomware Hash on all fixed drives
Write-Host "Scanning for INC Ransomware Hash..."
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    try {
        # -File skips directories; zero-length files cannot be the payload
        Get-ChildItem -Path $Drive -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 } |
        ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Hash -eq $INC_RansomwareHash) {
                Write-Host "[CRITICAL] INC Ransomware file found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
    catch {
        # Ignore access errors on protected paths
    }
}

Response Priorities

  • Immediate: Block all SocGholish hostnames and SmartApeSG C2 domains (wigetticks.com, wizzleticks.com) at the perimeter firewall and DNS resolver. Scan web assets for the specific Okendo Reviews script URL provided in the IOCs.
  • 24h: Conduct credential auditing and identity verification for users who may have interacted with the fake browser updates or compromised Okendo widgets, as the payloads (StealC, info-stealers) target session data.
  • 1 Week: Patch critical vulnerabilities associated with INC Ransomware initial access, specifically CVE-2023-3519 and CVE-2025-5777, on all external-facing infrastructure. Implement web integrity monitoring for e-commerce platforms to detect future supply chain script injections.
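The "web integrity monitoring" item above, as an added example that is not part of the original post: it inventories the external `<script src>` tags on a storefront page, hashes what each CDN currently serves, compares those hashes with a recorded baseline, and flags anything changed or new that the page does not pin with Subresource Integrity. The page, the script bodies, the hosts and the `fetch` callable are all constructed stand-ins (not Okendo's real CDN or widget).

```python
"""Baseline the external scripts on a storefront page and flag any whose content changed."""
import hashlib
from html.parser import HTMLParser

class ScriptTagCollector(HTMLParser):
    """Collect every external <script src> and whether it carries an SRI integrity attribute."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], "integrity" in a))

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def check_scripts(html, fetch, baseline):
    """Compare each script's SHA-256 with the baseline; fetch(url) -> bytes is injected so
    the check can run offline. Returns [(url, status, has_sri)] with status ok/changed/new."""
    collector = ScriptTagCollector()
    collector.feed(html)
    findings = []
    for url, has_sri in collector.scripts:
        digest = sha256_hex(fetch(url))
        status = "new" if url not in baseline else ("ok" if baseline[url] == digest else "changed")
        findings.append((url, status, has_sri))
    return findings

def alerts(findings):
    """Anything changed or new that the page does not pin with SRI is worth a ticket."""
    return [f"[ALERT] {url}: {status}, no SRI" for url, status, has_sri in findings
            if status != "ok" and not has_sri]

# Constructed storefront page and script bodies (placeholder hosts, not Okendo's CDN).
STORE_HTML = """<html><head>
<script src="https://cdn.example-store.com/app.js" integrity="sha256-EXAMPLE"></script>
<script src="https://cdn.example-widgets.com/okendo-reviews.js"></script>
</head><body></body></html>"""
GOOD_WIDGET = b"/* reviews widget (constructed) */ window.renderReviews = function () {};"
TAMPERED_WIDGET = GOOD_WIDGET + b"\n/* appended stage (constructed stand-in) */ void 0;"
SERVED = {  # what the CDNs return today
    "https://cdn.example-store.com/app.js": b"console.log('app');",
    "https://cdn.example-widgets.com/okendo-reviews.js": TAMPERED_WIDGET,
}
BASELINE = {  # hashes recorded at the last review of the page
    "https://cdn.example-store.com/app.js": sha256_hex(b"console.log('app');"),
    "https://cdn.example-widgets.com/okendo-reviews.js": sha256_hex(GOOD_WIDGET),
}
def offline_fetch(url):  # stand-in for an HTTP GET of the script body
    return SERVED[url]
```

In production the `fetch` argument is a real HTTP client run on a schedule, and a `changed` third-party widget without SRI is exactly the signal the Okendo compromise would have produced.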
