The current threat landscape is characterized by high-activity supply chain compromises and significant law enforcement disruption operations. Operation Endgame has successfully dismantled the infrastructure of TA569 (GOLD PRELUDE), the threat actor behind the SocGholish malware framework, taking down 100+ servers and remediating nearly 15,000 compromised WordPress sites. While this is a major victory, secondary payloads like IcedID, Pikabot, and Bumblebee remain a threat as actors shift tactics.
Concurrently, the SmartApeSG threat actor has launched a sophisticated supply chain attack targeting the Okendo Reviews widget. By injecting malicious JavaScript into the legitimate widget code used by over 18,000 brands, they are distributing NetSupport, Remcos, and StealC directly to e-commerce consumers.
In the credential theft space, FortiBleed has emerged as a large-scale campaign targeting Fortinet FortiGate SSL VPNs, utilizing GPU-accelerated hash cracking to harvest credentials. Additionally, infostealers like LummaC2, ACRStealer, and Vidar continue to proliferate via cracked software and keygens.
Threat Actor / Malware Profile
GOLD PRELUDE (TA569) / SocGholish
- Distribution: Compromised WordPress sites delivering fake browser update prompts (FakeUpdates).
- Payload: Acts as a dropper for major loaders (Smokeloader, Bumblebee) and banking trojans (QakBot, IcedID).
- Behavior: SocGholish uses JavaScript to download a JScript payload, which then fetches the next-stage malware.
SmartApeSG / Okendo Campaign
- Distribution: Supply chain compromise via the Okendo Reviews widget (JavaScript injection).
- Payload: NetSupport RAT, Remcos RAT, StealC.
- Behavior: The malicious JS acts as a staged loader, using obfuscation and localStorage to fingerprint victims before delivering the final payload.
Infostealers (LummaC2, Vidar, ACRStealer)
- Distribution: Illegal software cracks/keygens hosted on Mediafire and AWS S3 buckets.
- Behavior: Exfiltrates browser cookies, passwords, and cryptocurrency wallets. Often uses DLL side-loading for persistence.
FortiBleed Actors
- Target: Internet-facing Fortinet FortiGate firewalls and SSL VPN gateways.
- Behavior: Credential harvesting via brute force, password reuse, and hash cracking using distributed GPU infrastructure.
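An added example (not from the original report) of the VPN log audit this profile calls for: it parses constructed FortiGate-style key=value SSL VPN event lines, counts failed logins per source, flags sources from the FortiBleed IP list quoted in the IOC section, and calls out any successful login from a flagged source. The field names (action, remip, user) are simplified assumptions in that style, not a verified copy of the vendor schema, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Source IPs the report links to FortiBleed credential harvesting (from the IOC section).
FORTIBLEED_IPS = {"85.11.187.8", "85.11.187.28", "175.155.64.221", "185.229.26.83"}

# Constructed sample lines in FortiGate-style key=value format. Field names are assumed
# and simplified for the example; they are not a verified copy of the vendor schema.
SAMPLE_LOGS = """\
date=2026-06-22 time=01:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=85.11.187.8 user="jsmith" reason="sslvpn_login_permission_denied"
date=2026-06-22 time=01:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=85.11.187.8 user="mjones" reason="sslvpn_login_unknown_user"
date=2026-06-22 time=01:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=85.11.187.8 user="admin" reason="sslvpn_login_permission_denied"
date=2026-06-22 time=01:00:09 type="event" subtype="vpn" action="tunnel-up" remip=85.11.187.8 user="mjones"
date=2026-06-22 time=01:05:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="kwong" reason="sslvpn_login_permission_denied"
date=2026-06-22 time=01:05:30 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="kwong"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def analyze(text, fail_threshold=3):
    """Return [(source_ip, [reasons])] for sources that look like credential harvesting."""
    fails = defaultdict(list)     # remip -> list of user names that failed
    success = defaultdict(set)    # remip -> set of user names that logged in
    for rec in map(parse, text.splitlines()):
        if rec.get("subtype") != "vpn":
            continue
        if rec.get("action") == "ssl-login-fail":
            fails[rec["remip"]].append(rec.get("user", "?"))
        elif rec.get("action") == "tunnel-up":
            success[rec["remip"]].add(rec.get("user", "?"))
    findings = []
    for ip in sorted(set(fails) | set(success)):
        hits = []
        if ip in FORTIBLEED_IPS:
            hits.append("known FortiBleed source IP")
        if len(fails[ip]) >= fail_threshold:  # many failures spread over users = spraying
            hits.append(f"{len(fails[ip])} failures across {len(set(fails[ip]))} users")
        if hits and success[ip]:  # a flagged source that got in needs a credential reset
            hits.append("successful login(s) for: " + ",".join(sorted(success[ip])))
        if hits:
            findings.append((ip, hits))
    return findings
```

A single failed attempt followed by a success (the 198.51.100.7 lines) is left alone, so ordinary typos do not page anyone.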
IOC Analysis
The provided indicators of compromise (IOCs) span multiple infrastructure types utilized by these campaigns:
- Hostnames/Domains: A large list of compromised WordPress domains (e.g., trademark.iglesiaelarca.com) associated with SocGholish C2, and suspicious domains related to infostealers (e.g., comples.biz). The Okendo campaign uses specific URLs for malicious payloads.
- IP Addresses: Specific IPv4 addresses (e.g., 85.11.187.8) linked to the FortiBleed credential harvesting infrastructure.
- File Hashes: SHA256, MD5, and SHA1 hashes for infostealer variants (LummaC2, AgentTesla).
SOC Operationalization:
- Blocklists: Immediately block the listed hostnames and IPs at the firewall and proxy level.
- EDR Correlation: Search endpoints for the provided file hashes and for process executions involving wscript.exe or powershell.exe interacting with the listed domains.
- Web Gateway: Configure secure web gateways to block access to the specific Okendo payload URLs and the "Fake Update" JS patterns.
Detection Engineering
```yaml
title: Potential SocGholish Fake Browser Update Activity
id: 48c202e6-8ff3-4c3c-9e5d-9e1c1f5c1c1d
description: Detects potential execution of malicious JScript files often associated with SocGholish fake browser updates.
status: experimental
date: 2026/06/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/623412345678
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        CommandLine|contains:
            - '.js'
            - '.jse'
    # Required parent, not an exclusion: the script host must be spawned by a browser.
    selection_parent:
        ParentImage|contains:
            - '\browser'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    condition: selection and selection_parent
falsepositives:
    - Legitimate system administration scripts
level: high
---
title: Okendo Reviews Malicious JS Injection Connection
id: 9a1b2c3d-4e5f-6789-0abc-1d2e3f4a5b6c
description: Detects network connections to known malicious domains associated with the Okendo Reviews supply chain attack.
status: experimental
date: 2026/06/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/623412345679
tags:
    - attack.initial_access
    - attack.t1195
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'wigletticks.com'
            - 'wizzleticks.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: InfoStealer Suspicious Process Patterns
id: b1c2d3e4-f5a6-7890-1234-56789abcdef0
description: Detects suspicious command line arguments used by common infostealers like LummaC2 and Vidar to steal browser data.
status: experimental
date: 2026/06/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/623412345680
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    selection_cli:
        CommandLine|contains:
            - 'Get-Content $env:APPDATA\Google\Chrome\User Data'
            - 'type %APPDATA%\Mozilla\Firefox\Profiles'
            - 'cookies.sqlite'
            - 'Login Data'
    condition: selection_img and selection_cli
falsepositives:
    - Legitimate backup or debugging of browser data
level: medium
```
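To show what the two process_creation rules above actually fire on, here is an added example (not part of the original report or the Sigma project) that transcribes their selection blocks and evaluates them over three constructed Sysmon-style events: a .js launched by wscript.exe from a browser, an admin .vbs launched from explorer.exe, and a PowerShell read of a Chrome "Login Data" file. Both rules use an "A and B" condition, so every block must match; the `endswith`/`contains` handling is the minimal subset of Sigma semantics needed for these rules.

```python
# Selection blocks transcribed from the two process_creation rules above. Both rules
# use an "A and B" condition, so an event must satisfy every block of a rule to fire.
RULES = {
    "Potential SocGholish Fake Browser Update Activity": {
        "selection": {"Image|endswith": ["\\wscript.exe", "\\cscript.exe"],
                      "CommandLine|contains": [".js", ".jse"]},
        "selection_parent": {"ParentImage|contains": ["\\browser", "\\chrome.exe",
                                                      "\\firefox.exe", "\\msedge.exe"]},
    },
    "InfoStealer Suspicious Process Patterns": {
        "selection_img": {"Image|endswith": ["\\powershell.exe", "\\cmd.exe"]},
        "selection_cli": {"CommandLine|contains": [
            "Get-Content $env:APPDATA\\Google\\Chrome\\User Data",
            "type %APPDATA%\\Mozilla\\Firefox\\Profiles", "cookies.sqlite", "Login Data"]},
    },
}

# Constructed sample events with Sysmon-style field names; not real telemetry.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": 'wscript.exe "C:\\Users\\u\\Downloads\\Chrome.Update.js"',
     "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\scripts\\inventory.vbs",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell -c Get-Content "$env:APPDATA\\Google\\Chrome\\User Data\\Default\\Login Data"',
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

def field_matches(event, spec, values):
    """Evaluate one 'Field|modifier' entry; Sigma string matching is case-insensitive."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field, "").lower()
    for v in values:
        v = v.lower()
        if (modifier == "endswith" and actual.endswith(v)) or \
           (modifier == "contains" and v in actual) or (modifier == "" and actual == v):
            return True  # list values inside one field are OR-ed
    return False

def matching_rules(event):
    """Titles of every rule whose selection blocks all match the event (blocks are AND-ed)."""
    return [title for title, blocks in RULES.items()
            if all(all(field_matches(event, spec, vals) for spec, vals in block.items())
                   for block in blocks.values())]
```

The second event shows why the parent requirement matters: an administrator's script host launched from explorer.exe stays silent even though the image matches.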
```kql
// Hunt for connections to malicious domains and IPs identified in pulses.
// okendo.io is the legitimate widget vendor: it is listed to scope which hosts load the
// widget at all, so review those rows separately from hits on the malicious domains.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("wigletticks.com", "wizzleticks.com", "okendo.io")
    or RemoteIP in ("85.11.187.8", "175.155.64.221", "185.229.26.83", "198.53.64.194", "213.169.49.142", "38.117.87.37", "85.11.187.28")
    or RemoteHost has_any ("trademark.iglesiaelarca.com", "content.garretttrails.org", "promo.summat10n.org", "comples.biz", "dafkov.shop")
// Derive FullUrl before projecting, otherwise RemoteHost is no longer in the row
| extend FullUrl = iff(RemoteUrl != "", RemoteUrl, RemoteHost)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FullUrl, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
```
```powershell
# IOC Hunt Script - Checks for DNS resolution of malicious domains
# Requires administrative privileges to check DNS cache accurately if needed, otherwise resolves live.
$maliciousDomains = @(
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "promo.summat10n.org",
    "billing.roofnrack.us",
    "devel.asurans.com",
    "storehouse.beautysupplysalonllc.com",
    "samples.addisgraphix.com",
    "api-app.uppercrafteroom.com",
    "platform.exathomeswebuyarizona.com",
    "js-new.newtoyourgame.com",
    "comples.biz",
    "dafkov.shop",
    "ciuzdaw.shop",
    "ablackb.shop",
    "cloxaa.shop"
)

Write-Host "[+] Starting IOC Resolution Check..." -ForegroundColor Cyan

foreach ($domain in $maliciousDomains) {
    try {
        # A live answer means the domain is still reachable from this resolver
        $result = Resolve-DnsName -Name $domain -ErrorAction Stop | Select-Object -First 1
        if ($result) {
            Write-Host "[!] THREAT DETECTED: Resolved $domain to $($result.IPAddress)" -ForegroundColor Red
        }
    }
    catch {
        # If resolution fails, the domain is blocked (sinkholed/RPZ) or offline - this is good
        Write-Host "[OK] No resolution for $domain" -ForegroundColor Green
    }
}

Write-Host "[+] Check complete. Investigate any RED outputs immediately." -ForegroundColor Cyan
```
Response Priorities
Immediate:
- Block all IOCs (IPs, Domains, URLs) at perimeter firewalls and proxies.
- Identify and block the specific Okendo Reviews JavaScript version referenced in the supply chain alert.
- Audit Fortinet VPN logs for brute force indicators or successful logins from the FortiBleed IP list.
24 Hours:
- Initiate credential resets for any accounts suspected of being compromised by infostealers (LummaC2/Vidar) or VPN credential harvesting.
- Scan endpoints for the file hashes provided in the "May 2026 Infostealer Trend Report".
- Hunt for SocGholish artifacts (fake update JS files) on web servers within the organization.
1 Week:
- Review WordPress hosting infrastructure for signs of compromise (TA569) if the organization hosts public-facing WP sites.
- Implement strict allow-listing for browser extensions and supply chain scripts (like widgets) used in e-commerce environments.
- Enforce MFA for all VPN access and review VPN security policies to mitigate FortiBleed-style attacks.
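The "block the specific widget version" and "allow-list supply chain scripts" items above both come down to pinning a reviewed copy of a third-party script and refusing anything that drifts from it. This added example (not from the original report and not Okendo's code) computes a Subresource Integrity hash for a constructed stand-in widget, verifies a fetched copy against the pinned value, and emits the script tag that makes the browser enforce the same check; the widget body and the drifted copy are both constructed.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a vendored review widget; not Okendo's real code.
KNOWN_GOOD = b"(function(){window.ReviewsWidget={render:function(el){el.textContent='reviews';}};})();\n"
# Constructed drifted copy: the same widget with unexpected bytes appended (an inert marker here).
DRIFTED = KNOWN_GOOD + b"/* unexpected appended code */\n"

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def verify_pin(content: bytes, pinned: str) -> bool:
    """True only if the fetched script is byte-identical to the copy pinned at review time."""
    algo = pinned.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(content, algo), pinned)

def script_tag(src: str, pinned: str) -> str:
    """Browser-enforced form of the same check: a script whose hash changed is not executed."""
    return f'<script src="{src}" integrity="{pinned}" crossorigin="anonymous"></script>'

def review_widget(content: bytes, pinned: str) -> dict:
    """Decision record for the allow-list: what was pinned, what was observed, and the verdict."""
    observed = sri_hash(content, pinned.split("-", 1)[0])
    return {"pinned": pinned, "observed": observed,
            "allowed": verify_pin(content, pinned),
            "size_delta": len(content) - len(KNOWN_GOOD)}  # assumes KNOWN_GOOD is the pinned copy
```

A vendor that ships frequent widget updates will break the pin on every release, which is the point: each change gets re-reviewed before the hash is rotated.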