SocGholish Disruption & Okendo Supply Chain: C2 Infrastructure and RAT Loader Analysis

OTX pulses reveal massive Middle East C2 expansion, SocGholish fake updates, and Okendo widget compromise delivering NetSupport RAT.

Threat Summary

Recent OTX pulses highlight a convergence of large-scale infrastructure abuse and sophisticated supply chain operations. In the Middle East, threat actors including APT28 and ENERGETIC BEAR have mobilized over 1,350 C2 servers, heavily utilizing Saudi Telecom (STC) infrastructure to deploy malware ranging from Phorpiex to AsyncRAT. Simultaneously, while law enforcement disrupted the SocGholish (Fake Updates) campaign, associated infrastructure remains a critical vector for loaders like IcedID and Pikabot. Most critically, a new supply chain attack targeting the Okendo Reviews widget allows the SmartApeSG actor to inject malicious JavaScript, serving as a loader for NetSupport RAT and Remcos onto high-traffic e-commerce sites.

Threat Actor / Malware Profile

SocGholish (TA569 / GOLD PRELUDE)

Distribution: Compromised WordPress sites displaying fake browser update prompts (e.g., "Chrome Update Required").
Payload Behavior: Drops JScript payloads leading to secondary infections like IcedID, Pikabot, and Rhadamanthys.
C2 Communication: Uses HTTP/HTTPS to compromised hostnames acting as redirectors.

SmartApeSG (Okendo Campaign)

Distribution: Supply chain compromise via the Okendo Reviews widget (okendo-reviews.js).
Payload Behavior: Malicious JavaScript utilizing obfuscation and localStorage to stage payloads. Ultimately delivers NetSupport RAT, Remcos, and StealC.
C2 Communication: Connects to api.wigetticks.com and api.wizzleticks.com for payload retrieval.

Middle East APTs (APT28, ENERGETIC BEAR)

Distribution: Direct exploitation (CVE-2025-11953) and widespread botnet propagation (Mirai, Mozi).
Malware: Heavy usage of AsyncRAT and NetSupport RAT for persistence alongside cryptominers (XMRig).

IOC Analysis

The provided indicators consist primarily of network artifacts:

Hostnames: Over 12 compromised WordPress domains associated with SocGholish (e.g., trademark.iglesiaelarca.com). These serve as traffic distribution systems (TDS).
URLs: Specific endpoints used in the Okendo supply chain attack (api.wigetticks.com, api.wizzleticks.com). These are high-fidelity C2/Loader indicators.
CVE: CVE-2025-11953 indicates a specific vulnerability likely used for initial access in the Middle East campaigns.

SOC Operationalization: Teams should block all listed hostnames and URLs at the perimeter. The specific Okendo URLs should be added to blocklists with high priority as they indicate active supply chain exploitation. The SocGholish hostnames should be used to hunt for successful DNS resolution or HTTP connections, indicating users fell for the fake update prompt.

Detection Engineering

YAML

---
title: Potential SocGholish Fake Browser Update Activity
id: 0e7b3b1e-8c5a-4a6b-9f1c-3d2e5f6a7b8c
description: Detects potential execution of SocGholish fake browser update scripts often delivered via compromised WordPress sites.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://www.infoblox.com/blog/threat-intelligence/hot-take-operation-endgame-vs-socgholish/
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
        Image|endswith:
            - '\mshta.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - 'update'
            - 'chrome_installer'
            - 'software_update'
    condition: selection
falsepositives:
    - Legitimate software updates initiated by browser
level: high
---
title: Okendo Reviews Malicious Script Connection
id: f1c2d3e4-5678-90ab-cdef-1234567890ab
description: Detects network connections to known malicious domains used in the Okendo Reviews supply chain attack.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://www.zscaler.com/blogs/security-research/smartapesg-launches-okendo-reviews-supply-chain-attack
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'wigetticks.com'
            - 'wizzleticks.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: NetSupport RAT Installation
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects installation of NetSupport Manager, often used as a RAT in the Okendo and Middle East campaigns.
status: experimental
date: 2026/06/21
author: Security Arsenal
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\client32.exe'
            - '\pcsu.exe'
            - '\NetSupport Manager'
    condition: selection
falsepositives:
    - Legitimate administrative software installation
level: medium


kql
// Hunt for SocGholish related domain connections
DeviceNetworkEvents
| where RemoteUrl has_any ("trademark.iglesiaelarca.com", "content.garretttrails.org", "promo.summat10n.org", "billing.roofnrack.us", "devel.asurans.com", "storehouse.beautysupplysalonllc.com", "samples.addisgraphix.com", "api-app.uppercrafteroom.com")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP

// Hunt for Okendo Supply Chain C2 connections
DeviceNetworkEvents
| where RemoteUrl contains "wigetticks.com" or RemoteUrl contains "wizzleticks.com"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP

// Hunt for NetSupport RAT process execution
DeviceProcessEvents
| where ProcessName in~ ("client32.exe", "pcsu.exe") or FolderPath contains "NetSupport"
| project Timestamp, DeviceName, ProcessName, FolderPath, InitiatingProcessFileName, SHA256


powershell
# IOC Hunt Script: Okendo & NetSupport Check
# Check for NetSupport RAT Installation Paths
$paths = @(
    "C:\Program Files\NetSupport\NetSupport Manager\",
    "C:\Program Files (x86)\NetSupport\NetSupport Manager\",
    "$env:APPDATA\NetSupport",
    "$env:TEMP\client32.exe"
)

foreach ($path in $paths) {
    if (Test-Path $path) {
        Write-Host "[!] Potential NetSupport RAT found at: $path" -ForegroundColor Red
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime
    }
}

# Check DNS Cache for SocGholish Domains
$domains = @(
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "promo.summat10n.org",
    "api.wigetticks.com",
    "api.wizzleticks.com"
)

Write-Host "Checking DNS Cache for malicious domains..."
$dnsEntries = Get-DnsClientCache
foreach ($domain in $domains) {
    $found = $dnsEntries | Where-Object { $_.Entry -like "*$domain*" }
    if ($found) {
        Write-Host "[!] Malicious domain found in DNS Cache: $domain" -ForegroundColor Yellow
    }
}

Response Priorities

Immediate:
- Block all IOCs (Hostnames and URLs) at the web proxy and firewall.
- Scan web proxies for successful connections to wigetticks.com or wizzleticks.com to identify infected retail endpoints.
24h:
- Isolate hosts with detected client32.exe (NetSupport) processes.
- Initiate credential reset for accounts accessed from infected endpoints due to presence of StealC.
1 Week:
- Review third-party JavaScript widgets (e.g., Okendo) for integrity and source code validation.
- Implement strict application control to prevent unsigned mshta.exe or wscript.exe executions from browsers.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub