Recent OTX pulses highlight a significant shift in the threat landscape, dominated by two major themes: large-scale infrastructure disruption and the emergence of highly specialized credential-harvesting campaigns. The coordinated law enforcement action known as Operation Endgame has struck a critical blow against the SocGholish (Fake Updates) malware ecosystem, dismantling a key initial access vector (IAV) used by multiple threat actors to distribute payloads like IcedID, Pikabot, and Bumblebee. Concurrently, threat actors are pivoting to more elusive supply chain compromises, evidenced by the Okendo Reviews widget attack, which injected malicious JavaScript to deliver loaders for NetSupport and Remcos RAT. Furthermore, a new, large-scale credential-harvesting campaign dubbed FortiBleed has been uncovered, specifically targeting internet-facing Fortinet FortiGate VPN gateways. The collective objective of these campaigns remains consistent: establishing initial access for ransomware deployment (e.g., LockBit, RansomHub) or selling stolen credentials on the dark web for further exploitation.
Threat Actor / Malware Profile
- Threat Actor: GOLD PRELUDE / TA569
- Malware: SocGholish (Fake Browser Updates)
- Distribution: Primarily via compromised WordPress websites delivering fake browser update prompts (JavaScript-based dropper).
- Payload Behavior: The SocGholish dropper downloads and executes second-stage payloads, often targeting Windows systems. It acts as a loader, handing off to more sophisticated malware.
- Persistence: SocGholish itself does not maintain persistence; its role is to execute a payload. The payloads it delivers (e.g., IcedID, Bumblebee) use scheduled tasks, registry run keys, or service creation for persistence.
- C2 Communication: Uses HTTPS for command-and-control (C2), often blending in with legitimate web traffic. C2 domains are frequently registered to mimic legitimate services.
- Anti-Analysis: Employs obfuscation in its JavaScript and payloads to evade detection.
- Threat Actor: SmartApeSG
- Malware: NetSupport RAT, Remcos RAT, StealC
- Distribution: Supply chain attack via the compromised Okendo Reviews JavaScript widget, deployed on thousands of e-commerce sites.
- Payload Behavior: The injected JavaScript acts as a staged loader, potentially fingerprinting the victim and delivering a final payload of a Remote Access Trojan (RAT).
- Persistence: A typical RAT payload will establish persistence via scheduled tasks or other autorun methods.
- C2 Communication: RATs use standard TCP/HTTP protocols to connect to their C2 servers, allowing remote control and data exfiltration.
- Anti-Analysis: Uses code obfuscation and potentially environment checks to avoid analysis.
- Threat Actor: Unknown (FortiBleed Operator)
- Malware: N/A (Credential Harvesting)
- Distribution: Targets exposed Fortinet FortiGate VPN portals. Uses brute-force attacks and credential stuffing.
- Payload Behavior: No malware is deployed on the victim's network. The attacker's goal is to harvest valid VPN credentials from the FortiGate device.
- Persistence: N/A (Initial Access)
- C2 Communication: The attacker's infrastructure is used for the credential harvesting and cracking (hash cracking via Hashtopolis), not for communicating with a malware payload on the victim's side.
- Anti-Analysis: N/A
IOC Analysis
The provided indicators of compromise (IOCs) are critical for detection and hunting:
- Hostnames and Domains (e.g., trademark.iglesiaelarca.com, comples.biz): These are indicators of compromised infrastructure used for malware distribution (C2, payload hosting). SOC teams should immediately block these at the network perimeter (DNS sinkhole, firewall blocklist).
- URLs (e.g., http://cdn-static.okendo.io/...): This specific URL is part of a malicious supply chain attack. Blocking this URL can prevent the malicious JavaScript from loading, but also note that the domain itself is legitimate (okendo.io). Precision is key; block the full path or use a web proxy with deep content inspection to detect the malicious injection.
- File Hashes (e.g., SHA256, MD5): These are definitive fingerprints for malicious executables or scripts. SOC tools like EDR and SIEM should be configured to alert on any process execution or file creation matching these hashes.
- IPv4 Addresses (e.g., 85.11.187.8): These are likely IPs associated with the FortiBleed attacker's infrastructure or VPN access attempts. Blocking these IPs at the firewall is an immediate priority. Analyze firewall and VPN logs for any connection attempts from these IPs.
To operationalize these IOCs, SOC teams should:
- Feed all hashes and domains/hosts into their SIEM for real-time correlation.
- Block all hostnames/domains and IPs on perimeter firewalls, DNS resolvers, and proxy servers.
- Hunt across endpoints for files matching the provided hashes and network connections to the listed domains/IPs.
- For the supply chain URL, use a web proxy with advanced threat protection to inspect and block the specific malicious JavaScript payload without blocking the entire okendo.io domain if possible.
Detection Engineering
Sigma Rules
```yaml
---
title: Potential SocGholish Fake Browser Update Activity
id: 663dafe3-5975-4cb5-9d0d-c8d1d2c0f7e6
description: Detects potential SocGholish activity by identifying processes launched from a parent process that is a web browser and the child process is a scripting host like wscript.exe or cscript.exe, a common pattern for its JScript dropper.
status: stable
author: Security Arsenal Research
date: 2026/06/22
references:
  - https://otx.alienvault.com/
tags:
  - attack.initial_access
  - attack.t1189
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\brave.exe'
      - '\opera.exe'
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
    CommandLine|contains: '.js'
  condition: selection
falsepositives:
  - Legitimate administrative scripts launched from a browser download.
level: high
---
title: Suspicious Process Created by Office Word
id: d12e45d8-8c5f-46b3-8294-914b9ec2e72a
description: Detects when Microsoft Word (winword.exe) creates a child process like powershell.exe or cmd.exe, a common technique used in maldoc campaigns to download and execute payloads, potentially related to infostealers like LummaC2 or Vidar.
status: stable
author: Security Arsenal Research
date: 2026/06/22
references:
  - https://otx.alienvault.com/
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\winword.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  condition: selection
falsepositives:
  - Macros used for legitimate automation purposes.
level: high
---
title: FortiGate SSL VPN Brute Force Login Activity
id: 7f2a5cde-8c6e-4f8d-9d3b-a7b5c9d0e1f2
description: Detects multiple failed login attempts on FortiGate SSL VPN within a short time window, indicative of a credential harvesting or brute force attack like FortiBleed.
status: stable
author: Security Arsenal Research
date: 2026/06/22
references:
  - https://otx.alienvault.com/
tags:
  - attack.credential_access
  - attack.t1110.003
logsource:
  product: fortigate
  service: vpn
detection:
  selection:
    action|contains: 'sslvpn-login'
    status|contains: 'failure'
  timeframe: 5m
  condition: selection | count() > 10
falsepositives:
  - Users genuinely forgetting their password.
level: high
```
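As an added illustration (not part of the original report), the following Python applies the FortiGate rule's selection and its 5-minute, more-than-10 logic to a few constructed FortiGate-style key=value log lines, and additionally groups by source IP (the `remip` field, the sample values and the grouping itself are assumptions, not part of the rule) so that one source's burst is counted separately from ordinary user mistakes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=5)   # the rule's "timeframe: 5m"
THRESHOLD = 10                  # the rule's "count() > 10"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse a FortiGate-style key=value syslog line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {remip: timestamp} for each source that exceeded `threshold` failed
    sslvpn-login events inside a sliding `window`. Lines are assumed to be in
    time order per source, as they are when read sequentially from the log."""
    recent = defaultdict(deque)   # remip -> failure timestamps still inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        # Same selection as the Sigma rule: action contains 'sslvpn-login', status contains 'failure'
        if "sslvpn-login" not in ev.get("action", "") or "failure" not in ev.get("status", ""):
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        src = ev.get("remip", "unknown")   # grouping field is an assumption, not in the rule
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:          # expire failures older than the window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = ts               # first moment this source tripped the threshold
    return alerts


# Constructed sample log (not real FortiGate output): 12 failures from one IP within
# three minutes, two failures from a second IP seven minutes apart, and one success.
SAMPLE_LOG = [
    f'date=2026-06-22 time=10:{i // 4:02d}:{5 + 15 * (i % 4):02d} type="event" subtype="vpn" '
    f'action="sslvpn-login" status="failure" user="admin" remip="203.0.113.7"'
    for i in range(12)
] + [
    'date=2026-06-22 time=10:00:10 type="event" subtype="vpn" action="sslvpn-login" status="failure" user="bob" remip="198.51.100.9"',
    'date=2026-06-22 time=10:07:10 type="event" subtype="vpn" action="sslvpn-login" status="failure" user="bob" remip="198.51.100.9"',
    'date=2026-06-22 time=10:14:10 type="event" subtype="vpn" action="sslvpn-login" status="success" user="bob" remip="198.51.100.9"',
]

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"[ALERT] {ip} exceeded {THRESHOLD} failed SSL VPN logins by {when:%H:%M:%S}")
```

The second IP never fires even at a threshold of 1 because its two failures fall outside a single 5-minute window, which is the behaviour the `timeframe` in the rule is meant to give.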
KQL (Microsoft Sentinel)
```kql
// Hunt for connections to known malicious hostnames/domains from pulses
DeviceNetworkEvents
| where RemoteUrl has_any (
    "trademark.iglesiaelarca.com", "content.garretttrails.org", "promo.summat10n.org", "billing.roofnrack.us",
    "devel.asurans.com", "storehouse.beautysupplysalonllc.com", "samples.addisgraphix.com", "api-app.uppercrafteroom.com",
    "comples.biz", "dafkov.shop", "ciuzdaw.shop", "ablackb.shop", "cloxaa.shop"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend Message = strcat('Device ', DeviceName, ' connected to malicious domain: ', RemoteUrl)
```

```kql
// Hunt for processes with known malicious file hashes from pulses
DeviceProcessEvents
| where SHA256 has_any (
    "46e32500cd24395dd140293758e72fe8671217f5f5b0307858fc118a125aab8c"
) or MD5 has_any (
    "0d1f6685b4e284f92ef25c0f9358bcdc"
) or SHA1 has_any (
    "7d5c1d672d6e4bef1a7ca4ca9849db74e8690213"
)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256, MD5, SHA1, InitiatingProcessFileName, InitiatingProcessAccountName
| extend Message = strcat('Malicious process execution detected on ', DeviceName, ' by ', AccountName, ': ', FileName)
```
PowerShell Hunt Script
```powershell
<#
.SYNOPSIS
IOC Hunt Script for SocGholish and FortiBleed Indicators.
.DESCRIPTION
This script checks a Windows endpoint for file artifacts associated with the
provided malicious file hashes and checks for any recent network connections
to the provided IOCs. Note: Direct network connection hunting is limited on
an endpoint; this script focuses on local artifacts.
.NOTES
File Name : Hunt-IOC.ps1
Author : Security Arsenal Research
Prerequisite : PowerShell 5.1 or later, Administrator privileges for some checks.
#>
# Malicious File Hashes from Pulse 3 (May 2026 Infostealer Trend Report)
$MaliciousHashes = @(
    "46e32500cd24395dd140293758e72fe8671217f5f5b0307858fc118a125aab8c", # SHA256
    "0d1f6685b4e284f92ef25c0f9358bcdc", # MD5
    "7d5c1d672d6e4bef1a7ca4ca9849db74e8690213" # SHA1
)
Write-Host "Starting IOC Hunt..." -ForegroundColor Cyan

# Compute SHA256, MD5 and SHA1 of one file (three passes over the same stream).
# The finally block guarantees the file handle is released even if hashing throws,
# otherwise a locked or unreadable file would leak a handle on every error.
function Get-FileHashLocal {
    param ([string]$FilePath)
    $fileStream = [System.IO.File]::OpenRead($FilePath)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $hashBytes256 = $sha256.ComputeHash($fileStream)
        $fileStream.Position = 0
        $hashBytesMD5 = $md5.ComputeHash($fileStream)
        $fileStream.Position = 0
        $hashBytesSHA1 = $sha1.ComputeHash($fileStream)
    } finally {
        $fileStream.Dispose(); $sha256.Dispose(); $md5.Dispose(); $sha1.Dispose()
    }
    $hash256 = [System.BitConverter]::ToString($hashBytes256).Replace("-", "").ToLower()
    $hashMD5 = [System.BitConverter]::ToString($hashBytesMD5).Replace("-", "").ToLower()
    $hashSHA1 = [System.BitConverter]::ToString($hashBytesSHA1).Replace("-", "").ToLower()
    return @{ SHA256 = $hash256; MD5 = $hashMD5; SHA1 = $hashSHA1 }
}

# Search for files matching the malicious hashes.
# Use the drive root ("C:\"); a bare "C:" resolves to the current directory on that drive.
$DrivesToScan = @("C:\") # Add more drives as needed
$MatchingFiles = @()
foreach ($drive in $DrivesToScan) {
    if (Test-Path $drive) {
        Write-Host "Scanning drive $drive for malicious file hashes..." -ForegroundColor Yellow
        # -File skips directories (which cannot be hashed); -Force includes hidden and system files
        Get-ChildItem -Path $drive -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            try {
                $hashes = Get-FileHashLocal -FilePath $_.FullName
                # -contains is case-insensitive by default, so hash case in the IOC list does not matter
                if ($MaliciousHashes -contains $hashes.SHA256 -or $MaliciousHashes -contains $hashes.MD5 -or $MaliciousHashes -contains $hashes.SHA1) {
                    $MatchingFiles += [PSCustomObject]@{
                        FilePath = $_.FullName
                        SHA256 = $hashes.SHA256
                        MD5 = $hashes.MD5
                        SHA1 = $hashes.SHA1
                    }
                }
            } catch {
                # Ignore errors (e.g., permission denied, in-use files)
            }
        }
    }
}
if ($MatchingFiles.Count -gt 0) {
    Write-Host "[CRITICAL] Found $($MatchingFiles.Count) file(s) matching malicious hashes:" -ForegroundColor Red
    $MatchingFiles | Format-Table -AutoSize
} else {
    Write-Host "No files matching malicious hashes were found." -ForegroundColor Green
}
Write-Host "IOC Hunt complete." -ForegroundColor Cyan
```
Response Priorities
- Immediate:
- Block all domains, hostnames, and IPs listed in the IOC Analysis section at the network perimeter (firewalls, proxies, DNS servers).
- Deploy the provided Sigma rules to your SIEM/EDR to detect ongoing infection attempts.
- Review FortiGate VPN logs for any connection attempts from the listed FortiBleed IPs and block them immediately.
- 24h:
- Initiate an identity verification process (e.g., multi-factor authentication challenges, password resets) for all accounts that may have been exposed to credential-stealing malware (e.g., infostealers) or that have shown activity from the FortiBleed IPs.
- Conduct a thorough hunt for malicious processes or files matching the provided hashes across your enterprise endpoints.
- Inspect web proxy logs for any internal systems that may have loaded the malicious Okendo Reviews JavaScript.
- 1 week:
- Review and harden your web-facing infrastructure, especially WordPress sites, against compromise, given the SocGholish disruption and the risk of copycat attacks.
- Evaluate your supply chain risk for third-party JavaScript widgets and implement a Content Security Policy (CSP) to mitigate the impact of compromised scripts.
- Enforce MFA for all VPN access and review Fortinet FortiGate configurations for best practices to prevent brute-force attacks (e.g., Geo-blocking, strict password policies).