Operation Endgame Disrupts SocGholish: Emerging INC Ransomware & Multi-Vector Infostealer Campaigns — Enterprise Detection Pack

Security Arsenal Team
June 20, 2026
10 min read

Threat Summary

The OTX pulse data from June 2026 reveals a complex threat landscape where traditional malware frameworks like SocGholish are being disrupted by law enforcement operations, while ransomware-as-a-service operators like INC ransomware are expanding their footprint following the disruption of competitors like LockBit and BlackCat. Simultaneously, supply chain attacks targeting popular review widgets and AI-generated ClickFix campaigns are emerging as sophisticated delivery mechanisms for various RATs and infostealers. The collective objectives of these campaigns range from credential theft and financial fraud to double-extortion ransomware operations targeting critical infrastructure across government, finance, healthcare, and retail sectors.

Threat Actor / Malware Profile

Key Malware Families Identified:

  1. SocGholish: A JavaScript-based malware framework using fake browser updates on compromised WordPress sites to deliver secondary payloads including IcedID, Smokeloader, and Pikabot. The operation has been disrupted by law enforcement, but residual infrastructure may remain active.

  2. INC Ransomware: Evolved from an emerging threat to a top-tier RaaS operation with Rust-based encryptors for both Windows and Linux/ESXi platforms. Leveraging CVE-2023-3519, CVE-2023-48788, CVE-2024-57727, and CVE-2025-5777, it employs Cobalt Strike for initial access and conducts double-extortion attacks.

  3. SmartRAT and Banana RAT: PowerShell-based banking trojans delivered through AI-generated ClickFix campaigns using fake CAPTCHA and BSOD screens. These RATs feature encrypted C2 communication and QR code interception capabilities.

  4. Infostealers (ACRStealer, Remus, LummaC2, AgentTesla, DarkCloud, Vidar): Distributed primarily through cracked software, keygens, and email campaigns, often using Mediafire and AWS S3 buckets. These stealers target credentials, cookies, and browser data.

  5. Supply Chain Attack Vectors (NetSupport, Remcos, StealC, Sectop RAT): Delivered through malicious JavaScript injection into legitimate widgets like Okendo Reviews, affecting over 18,000 brands and enabling staged payload delivery.

Common Attack Chain: Initial access via compromised websites, typosquatting, or supply chain attacks → Fake browser updates or CAPTCHA prompts → PowerShell command execution → Malware payload delivery → C2 communication → Data exfiltration or ransomware deployment.

C2 Communication: Various protocols including HTTPS, DNS tunneling, and encrypted channels to evade detection.

Persistence Mechanisms: Scheduled tasks, registry run keys, DLL side-loading, and browser extension injection.

Anti-Analysis Techniques: Code obfuscation, legitimate process hollowing, anti-debugging checks, and encryption.

IOC Analysis

The indicators across these pulses include:

  1. Hostnames: Compromised WordPress domains used for SocGholish distribution and C2 infrastructure.
  2. Domains: Typosquatting domains for ClickFix campaigns (e.g., crefisa.online), RaaS sites (incblog.su), and Tor hidden services for ransomware operations.
  3. IP Addresses: Limited IPv4 indicators (162.141.111.227) for direct infrastructure.
  4. File Hashes: MD5, SHA1, and SHA256 hashes for malware payloads including SmartRAT and infostealers.
  5. URLs: Specific endpoints for malicious JavaScript delivery and C2 communication.
  6. CVE Identifiers: Vulnerability exploits used for initial access and privilege escalation.

SOC teams should operationalize these indicators by:

  • Blocking identified domains and hostnames at the perimeter and DNS level
  • Implementing file hash reputation checks in EDR solutions
  • Creating firewall rules to block connections to known C2 infrastructure
  • Configuring web proxies to block URLs associated with malicious campaigns
  • Using SIEM solutions like Microsoft Sentinel to correlate network traffic with these IOCs
  • Deploying YARA rules for detecting known malware signatures in file systems

Tooling Recommendations:

  • MISP or OpenCTI for IOC management and sharing
  • CrowdStrike Falcon or SentinelOne for endpoint detection
  • Splunk or Microsoft Sentinel for log analysis and correlation
  • Censys or Shodan for infrastructure analysis
  • VirusTotal or Hybrid Analysis for file analysis

Detection Engineering

yaml
---
title: Fake Browser Update - SocGholish JavaScript Execution
id: 48f3e6ac-4a7c-4e6f-9f1d-3c6a5b7d8e9f
description: Detects potential SocGholish fake browser update activity via suspicious JavaScript execution patterns
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/633789d981d3d70d05d55a2e
date: 2026/06/20
modified: 2026/06/20
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    # Zeek http.log carries the native 'uri' and 'host' fields used below
    product: zeek
    service: http
detection:
    # A YAML key cannot be repeated inside one selection, so the fake-update path
    # and the script extension are two selections joined with 'and'
    selection_update:
        uri|contains:
            - 'browser-update'
            - 'chrome-update'
            - 'firefox-update'
            - 'edge-update'
    selection_script:
        uri|contains:
            - '.js'
            - '.jse'
            - '.wsf'
    # Exclude vendor hosts by the Host header, not by a substring of the URI,
    # so a path that merely contains 'google.com' does not suppress the alert
    filter_vendor:
        host|endswith:
            - '.google.com'
            - '.mozilla.org'
            - '.microsoft.com'
    condition: selection_update and selection_script and not filter_vendor
falsepositives:
    - Legitimate browser updates
level: high

---
title: PowerShell Base64 Encoded Command - ClickFix Campaign Pattern
id: 5a9e7b3c-2d4f-4e5a-9b8d-7c6e5f4a3b2c
description: Detects PowerShell base64 encoded commands associated with ClickFix campaigns and RAT delivery
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/633789d981d3d70d05d55a2e
date: 2026/06/20
modified: 2026/06/20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    # Two separate selections: an encoded command and an inline decode cradle
    # rarely appear on the same command line, so they are joined with 'or'
    selection_encoded:
        CommandLine|contains:
            - ' -EncodedCommand '
            - ' -enc '
            - ' -ec '
            - ' -e '
    selection_decode:
        CommandLine|contains:
            - 'FromBase64String'
            - 'IEX '
    # Keywords inside an -EncodedCommand blob are not visible here; pair this rule
    # with decoded Script Block Logging (Event ID 4104) for the encoded case
    suspicious_keywords:
        CommandLine|contains:
            - 'captcha'
            - 'browser update'
            - 'windowsupdate-cdn'
            - 'bsod'
            - 'smart RAT'
    condition: selection_image and (selection_encoded or selection_decode) and suspicious_keywords
falsepositives:
    - Legitimate administrative scripts
level: high

---
title: Ransomware Rust-Based Encryptor - INC Ransomware Pattern
id: 6f4a8d2e-5b3c-4f6a-8d9e-7c6e5f4a3b2c
description: Detects file encryption patterns consistent with INC ransomware Rust-based encryptors
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/633789d981d3d70d05d55a2e
date: 2026/06/20
modified: 2026/06/20
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: file_event
    product: windows
detection:
    # Sigma string matching is case-insensitive, so '.INC' is covered by '.inc';
    # 'endswith' avoids matching any filename that merely contains '.inc'
    selection_ext:
        TargetFilename|endswith:
            - '.inc'
            - '.locked'
            - '.enc'
            - '.crypt'
    # In file_event logs Image is the process that wrote the file
    selection_image:
        Image|contains:
            - 'rust'
            - 'unknown'
        Image|endswith: '.exe'
    condition: selection_ext or selection_image
falsepositives:
    - Legitimate file operations
    - Files with a legitimate .inc or .enc extension (e.g. PHP include files)
    - Processes whose image path contains 'rust' or 'unknown'; selection_image is a weak signal on its own
level: critical


kql
// Hunt for ClickFix and RAT-related PowerShell activity
// Note: keywords hidden inside an -EncodedCommand blob are not visible to this filter;
// pair it with decoded Script Block Logging (Event ID 4104) where available
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-enc", "-ec")
| where ProcessCommandLine has_any ("captcha", "windowsupdate-cdn", "bsod")
   or ProcessCommandLine contains "browser update"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Hunt for connections to known malicious domains from Okendo supply chain attack
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "okendo.io" 
   or RemoteUrl contains "wiggett icks.com" 
   or RemoteUrl contains "wizzleticks.com"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
| order by Timestamp desc

// Hunt for SocGholish-related file activity: script files written by a browser process
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".jse" or FileName endswith ".wsf"
| where InitiatingProcessFileName has_any ("browser", "chrome", "firefox", "msedge")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName
| order by Timestamp desc
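The ClickFix rule and hunt above match keywords in the raw command line, which an -EncodedCommand blob hides. The following Python is an added example (not from the page or the OTX pulse): it decodes the base64/UTF-16LE payload and applies the rule's keyword list to the decoded script as well as the raw line; the sample command lines are constructed.

```python
import base64
import binascii

# Keyword list from the ClickFix Sigma rule above; matching is case-insensitive.
CLICKFIX_KEYWORDS = ("captcha", "browser update", "windowsupdate-cdn", "bsod", "smart rat")


def decode_encoded_command(cmdline: str):
    """Return the script carried by -EncodedCommand (or any prefix of it such as -e, -enc,
    plus the -ec alias) as text, or None when there is no encoded blob or it is malformed."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        flag = tok[1:].lower()
        if not flag or not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue
        blob = tokens[i + 1].strip("\"'")
        blob += "=" * (-len(blob) % 4)  # tolerate blobs with stripped padding
        try:
            # PowerShell encodes the script as UTF-16LE before base64-encoding it
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def matches_clickfix(cmdline: str) -> dict:
    """Apply the rule's keyword list to the raw command line AND to the decoded script."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline.lower() + ("\n" + decoded.lower() if decoded else "")
    hits = [kw for kw in CLICKFIX_KEYWORDS if kw in haystack]
    return {"encoded": decoded is not None, "decoded": decoded, "keywords": hits}


def hunt(cmdlines):
    """Return (command line, verdict) for every line carrying at least one keyword."""
    verdicts = [(line, matches_clickfix(line)) for line in cmdlines]
    return [(line, v) for line, v in verdicts if v["keywords"]]


def encode_for_powershell(script: str) -> str:
    # Used only to build the constructed samples below, the way powershell.exe expects them.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not taken from the OTX pulse):
SAMPLE_LINES = [
    # benign admin use of -EncodedCommand: decodes cleanly, no keywords, must not alert
    "powershell.exe -NoProfile -EncodedCommand " + encode_for_powershell("Get-Service | Where-Object Status -eq 'Running'"),
    # ClickFix-style lure: the keywords only exist inside the encoded blob
    "powershell.exe -w hidden -ec " + encode_for_powershell("$u='https://windowsupdate-cdn.com/captcha'; Write-Host 'Verifying you are human'"),
    # plaintext variant: keyword visible in the raw command line, nothing to decode
    "powershell.exe -w hidden -c \"Write-Host 'Installing browser update'\"",
]
```

Running hunt(SAMPLE_LINES) flags the second and third lines only; the first line decodes but carries no keyword.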


powershell
# Infostealer and RAT IOC Hunt Script
# Run as Administrator (Get-Process -IncludeUserName and the owner lookup of TCP connections require it)

# Check for suspicious scheduled tasks
Write-Host "Checking for suspicious scheduled tasks..."
$Tasks = Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -like "*powershell*" -or $_.Actions.Execute -like "*pwsh*" -or $_.Actions.Execute -like "*cmd*"
}
$Tasks | Where-Object { $_.Actions.Arguments -like "*-enc*" -or $_.Actions.Arguments -like "*EncodedCommand*" } |
    Select-Object TaskName, State,
        @{Name = "Command"; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join "; " }} |
    Format-Table -AutoSize

# Check for suspicious registry run keys
Write-Host "Checking for suspicious registry run keys..."
$RunKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
# Provider metadata that Get-ItemProperty adds to every result; these are not run entries
$ProviderProps = @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")

foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Items = Get-ItemProperty -Path $Key
    foreach ($Item in $Items.PSObject.Properties) {
        if ($ProviderProps -contains $Item.Name) { continue }
        $Value = [string]$Item.Value
        if ($Value -like "*powershell*" -and ($Value -like "*-enc*" -or $Value -like "*-EncodedCommand*")) {
            # ${Key} rather than $Key: a colon directly after a variable name is parsed as a drive/scope qualifier
            Write-Host "Suspicious entry found in ${Key}:" -ForegroundColor Yellow
            Write-Host "Name: $($Item.Name)" -ForegroundColor Yellow
            Write-Host "Value: $Value" -ForegroundColor Yellow
        }
    }
}

# Check for suspicious network connections to known IOCs
Write-Host "Checking for suspicious network connections..."
$MaliciousDomains = @(
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "promo.summat10n.org",
    "billing.roofnrack.us",
    "devel.asurans.com",
    "storehouse.beautysupplysalonllc.com",
    "samples.addisgraphix.com",
    "api-app.uppercrafteroom.com",
    "incblog.su",
    "crefisa.online",
    "windowsupdate-cdn.com",
    "comples.biz",
    "dafkov.shop",
    "ciuzdaw.shop",
    "ablackb.shop",
    "cloxaa.shop"
)

# The local DNS client cache shows whether this host has recently resolved an IOC domain,
# without issuing new lookups for attacker infrastructure
$CacheHits = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $MaliciousDomains -contains $_.Entry.ToLower() }
foreach ($Hit in $CacheHits) {
    Write-Host "IOC domain found in DNS client cache: $($Hit.Entry) -> $($Hit.Data)" -ForegroundColor Red
}

$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
$Processes = Get-Process -IncludeUserName

foreach ($Domain in $MaliciousDomains) {
    try {
        # This live lookup generates a DNS query for each IOC domain, which will itself appear in DNS logs
        $IPs = [System.Net.Dns]::GetHostAddresses($Domain)
    } catch {
        continue  # DNS resolution failed (domain sinkholed or taken down)
    }
    foreach ($IP in $IPs) {
        $MatchingConnections = $Connections | Where-Object { $_.RemoteAddress -eq $IP.IPAddressToString }
        foreach ($Conn in $MatchingConnections) {
            $Process = $Processes | Where-Object { $_.Id -eq $Conn.OwningProcess }
            Write-Host "Connection to malicious domain detected!" -ForegroundColor Red
            Write-Host "Domain: $Domain" -ForegroundColor Red
            Write-Host "IP: $($IP.IPAddressToString)" -ForegroundColor Red
            Write-Host "PID: $($Conn.OwningProcess)" -ForegroundColor Red
            Write-Host "Process: $($Process.ProcessName)" -ForegroundColor Red
            Write-Host "User: $($Process.UserName)" -ForegroundColor Red
        }
    }
}

# Check for suspicious files in common download directories
Write-Host "Checking for suspicious files in common download directories..."
$DownloadDirs = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Downloads"
)

$SuspiciousExtensions = @(".jse", ".wsf", ".exe", ".bat", ".cmd", ".ps1", ".vbs")
$MaliciousHashes = @(
    "297eb45f028d44d750297d2f932b9c91",
    "3c72e1f37f115b00c3ad6ed31bacfe8a",
    "6bf4d4c62b5138ace281ce3d08297787",
    "b17ccdb5531555e43f082d6e77c07227",
    "0d1f6685b4e284f92ef25c0f9358bcdc"
)

foreach ($Dir in $DownloadDirs) {
    if (-not (Test-Path $Dir)) { continue }
    Get-ChildItem -Path $Dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $SuspiciousExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Get-FileHash returns nothing for locked or unreadable files; guard before touching .Hash
            $HashObj = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            if ($HashObj -and $MaliciousHashes -contains $HashObj.Hash.ToLower()) {
                Write-Host "Malicious file detected!" -ForegroundColor Red
                Write-Host "Path: $($_.FullName)" -ForegroundColor Red
                Write-Host "Hash: $($HashObj.Hash.ToLower())" -ForegroundColor Red
            }
        }
}

# Check for suspicious browser extensions
Write-Host "Checking for suspicious browser extensions..."

# Chromium browsers store extensions as Extensions\<id>\<version>\manifest.json
function Test-ChromiumExtensions {
    param([string]$Browser, [string]$ExtensionsRoot)
    if (-not (Test-Path $ExtensionsRoot)) { return }
    Write-Host "Checking $Browser extensions..."
    # <all_urls> and "*://*/*" grant access to every site; tabs, cookies and history expose browsing data
    $RiskyPermissions = @("<all_urls>", "*://*/*", "tabs", "cookies", "history")
    Get-ChildItem -Path $ExtensionsRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $ExtId = $_.Name
        Get-ChildItem -Path $_.FullName -Directory -ErrorAction SilentlyContinue | ForEach-Object {
            $ManifestPath = Join-Path $_.FullName "manifest.json"
            if (-not (Test-Path $ManifestPath)) { return }
            try { $Manifest = Get-Content $ManifestPath -Raw | ConvertFrom-Json } catch { return }
            # Manifest V3 moved host patterns such as <all_urls> from permissions to host_permissions
            $Perms = @($Manifest.permissions) + @($Manifest.host_permissions)
            $Risky = @($Perms | Where-Object { $RiskyPermissions -contains $_ })
            if ($Risky.Count -gt 0) {
                Write-Host "Potentially suspicious $Browser extension ${ExtId} ($($Manifest.name)): $($Risky -join ', ')" -ForegroundColor Yellow
            }
        }
    }
}

Test-ChromiumExtensions -Browser "Chrome" -ExtensionsRoot "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
Test-ChromiumExtensions -Browser "Edge" -ExtensionsRoot "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"

$FirefoxProfilesPath = "$env:APPDATA\Mozilla\Firefox\Profiles"
if (Test-Path $FirefoxProfilesPath) {
    Write-Host "Checking Firefox extensions..."
    Get-ChildItem -Path $FirefoxProfilesPath -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $ExtensionsPath = Join-Path $_.FullName "extensions"
        if (Test-Path $ExtensionsPath) {
            Get-ChildItem -Path $ExtensionsPath -ErrorAction SilentlyContinue | ForEach-Object {
                Write-Host "Firefox extension: $($_.Name)" -ForegroundColor Yellow
            }
        }
    }
}

Write-Host "Hunt complete." -ForegroundColor Green

Response Priorities

Immediate Actions:

  • Block all IOCs at perimeter devices (firewalls, proxies, DNS sinks)
  • Deploy updated signatures for SocGholish, INC ransomware, and identified infostealers
  • Scan all systems for suspicious browser extensions and remove any not authorized
  • Reset credentials for accounts that may have been exposed to supply chain attacks
  • Isolate any systems exhibiting ClickFix or fake browser update behavior
  • Conduct forensic analysis of systems showing signs of SmartRAT or Banana RAT activity
  • Review and block any PowerShell base64 encoded commands that match identified patterns

24-Hour Actions:

  • Perform identity verification for users potentially affected by credential-stealing malware
  • Review and audit all accounts with elevated privileges for suspicious activity
  • Conduct a thorough scan of all e-commerce platforms using the Okendo Reviews widget
  • Implement network segmentation to limit lateral movement
  • Configure EDR solutions to alert on patterns associated with the identified malware families
  • Review remote access logs for any unauthorized connections

1-Week Actions:

  • Harden web server security, particularly for WordPress installations, to prevent SocGholish compromises
  • Implement application allowlisting to restrict execution of unauthorized scripts
  • Conduct awareness training focusing on recognizing fake browser updates and CAPTCHA scams
  • Review and restrict PowerShell execution policies across the organization
  • Implement more rigorous supply chain security practices for third-party integrations
  • Enhance monitoring of DNS queries and SSL certificate validation
  • Conduct a tabletop exercise focused on ransomware response scenarios
