The latest OTX pulse data reveals a concerning convergence of supply chain compromises and web infrastructure exploitation. While Operation Endgame has disrupted the SOCgholish (GOLD PRELUDE) infrastructure, residual domains and copycat techniques remain active. Simultaneously, a new supply chain campaign targeting the Okendo Reviews widget (SmartApeSG) is actively injecting malicious JavaScript into e-commerce platforms to deliver Remote Access Trojans (RATs) like NetSupport and Remcos.
Collectively, these campaigns utilize a "Fake Update" and "Malicious Loader" attack chain. Actors are compromising high-traffic WordPress sites and legitimate SaaS widgets to serve malicious JavaScript. This script acts as a loader, fetching second-stage payloads (IcedID, Pikabot, NetSupport) from C2 infrastructure that is heavily concentrated in the Middle East, specifically leveraging bulletproof hosting providers like STC in Saudi Arabia. The objective is initial access banking for ransomware deployment (e.g., LockBit Black) and credential harvesting.
Threat Actor / Malware Profile
Adversaries: SmartApeSG, GOLD PRELUDE (TA569), APT28 (associated infrastructure).
Key Malware Families:
- SocGholish (FakeUpdates): A malware framework that uses fake browser update prompts. It historically acted as a loader for IcedID, TrickBot, and Cobalt Strike.
- NetSupport RAT: A legitimate remote administration tool frequently abused by attackers for lateral movement and data theft.
- Remcos: A sophisticated RAT offering robust features, often spread via malicious documents or script loaders.
- StealC: An information stealer targeting browser data, cryptocurrency wallets, and system information.
Distribution Method:
- Supply Chain (Okendo): Compromise of the
okendo-reviews.jsfile. The injected JS obfuscates a call toapi.wigetticks.comorapi.wizzleticks.com. - SEO Poisoning / Compromised WP (SocGholish): Compromised legitimate websites redirecting to fake browser update landing pages.
Payload Behavior:
- Execution: The malicious JavaScript creates a loader (often PowerShell or Mshta) to fetch and execute the RAT.
- C2 Communication: Connects to the C2 servers via HTTP/HTTPS using custom user-agents or standard browser mimicking to blend in.
- Persistence: Utilizes Registry Run keys (
HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or Scheduled Tasks.
Anti-Analysis: Heavily obfuscated JavaScript layers and Base64 encoded PowerShell commands are used to bypass static analysis filters.
IOC Analysis
The intelligence dump provides critical indicators across three categories:
- Hostnames (SocGholish Infrastructure): A list of 12 hostnames (e.g.,
trademark.iglesiaelarca.com) representing compromised WordPress sites serving as the initial entry point or redirectors. SOC Action: Add these to DNS blocklists and web proxy categories. - URLs (Okendo Supply Chain): Specific URLs including
api.wigetticks.comandapi.wizzleticks.com. These are the active C2/download endpoints for the malicious JS payload. SOC Action: Block outbound connections to these specific FQDNs immediately. - CVE (Middle East Infrastructure): CVE-2025-11953 is associated with the vast C2 network mapped in the Middle East. SOC Action: Prioritize patching for this specific vulnerability if it affects assets in the environment.
Operational Tooling:
- SIEM: Ingest IOCs into threat intelligence platforms (e.g., Microsoft Sentinel, Splunk) to correlate against
DeviceNetworkEventsandDeviceProcessEvents. - EDR: Use the file hashes and domain lists to create exclusions or hunting queries.
Detection Engineering
Sigma Rules
YAML
---
title: Potential SocGholish Fake Update Execution
id: 8a4c1f2e-9b3c-4d2e-8a1b-3c5d6e7f8a9b
description: Detects execution patterns associated with SocGholish fake browser updates, typically involving scripts downloaded from the web.
status: experimental
date: 2026/06/23
author: Security Arsenal
references:
- https://www.infoblox.com/blog/threat-intelligence/hot-take-operation-endgame-vs-socgholish/
tags:
- attack.initial_access
- attack.t1189
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\mshta.exe'
CommandLine|contains:
- 'update'
- 'chrome_update'
- 'firefox_update'
condition: selection
falsepositives:
- Legitimate software updates initiated by browser (rare)
level: high
---
title: Okendo Supply Chain Malicious Domain Connection
id: b5d3e2f1-4c6a-8b9d-0e1f-2a3b4c5d6e7f
description: Detects network connections to known malicious domains associated with the Okendo Reviews widget supply chain attack.
status: experimental
date: 2026/06/23
author: Security Arsenal
references:
- https://www.zscaler.com/blogs/security-research/smartapesg-launches-okendo-reviews-supply-chain-attack
tags:
- attack.command_and_control
- attack.t1071
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|contains:
- 'wigetticks.com'
- 'wizzleticks.com'
condition: selection
falsepositives:
- None (Known malicious domains)
level: critical
---
title: NetSupport or Remcos RAT Persistence
id: c6e4f3a2-5d7b-9c0e-1f2a-3b4c5d6e7f8a
description: Detects persistence mechanisms often used by NetSupport RAT and Remcos via Registry Run keys.
status: experimental
date: 2026/06/23
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6675b1c2d1b0e8f5c9a1b2c3
tags:
- attack.persistence
- attack.t1547
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
Details|contains:
- 'NetSupport Manager'
- 'client32.exe'
- 'Remcos'
condition: selection
falsepositives:
- Legitimate remote administration software installation
level: medium
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for connections to SocGholish and Okendo related infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in (
"trademark.iglesiaelarca.com",
"content.garretttrails.org",
"promo.summat10n.org",
"billing.roofnrack.us",
"devel.asurans.com",
"storehouse.beautysupplysalonllc.com",
"samples.addisgraphix.com",
"api-app.uppercrafteroom.com",
"api.wigetticks.com",
"api.wizzleticks.com"
)
| summarize count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteUrl, InitiatingProcessFileName
// Hunt for suspicious PowerShell execution potentially related to JS loaders
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("chrome.exe", "firefox.exe", "msedge.exe")
| where FileName =~ "powershell.exe" or FileName =~ "cmd.exe"
| where ProcessCommandLine has "http" or ProcessCommandLine has ".js"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
PowerShell Hunt Script
PowerShell
<#
.SYNOPSIS
Hunt script for indicators related to Okendo and SocGholish campaigns.
.DESCRIPTION
Checks for Registry persistence, suspicious file paths, and recent network connections.
#>
# Check Registry for NetSupport / Remcos Persistence
$paths = @(
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)
Write-Host "[*] Checking Registry Persistence..." -ForegroundColor Cyan
foreach ($path in $paths) {
if (Test-Path $path) {
Get-ItemProperty $path -ErrorAction SilentlyContinue |
Where-Object { $_.PSObject.Properties.Value -match "NetSupport|Remcos|client32" } |
ForEach-Object {
Write-Host "[!] Suspicious Persistence found in $path" -ForegroundColor Red
Write-Host $_ | Format-List
}
}
}
# Check for recent file modifications in common temp paths (where JS loaders drop payloads)
$tempDirs = @("$env:TEMP", "$env:APPDATA")
$ cutoffTime = (Get-Date).AddDays(-7)
Write-Host "[*] Checking for suspicious files in Temp/AppData..." -ForegroundColor Cyan
foreach ($dir in $tempDirs) {
if (Test-Path $dir) {
Get-ChildItem -Path $dir -Recurse -Include "*.js", "*.exe", "*.vbs" -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt $cutoffTime -and $_.Length -gt 0kb } |
ForEach-Object {
# Basic heuristic for suspicious names (obfuscation often uses random chars)
if ($_.Name -match "^[a-z]{5,10}\.(js|exe)$" -or $_.Name -match "update") {
Write-Host "[!] Suspicious file found: $($_.FullName)" -ForegroundColor Yellow
}
}
}
}
Write-Host "[*] Hunt complete. Please review findings."
# Response Priorities
* **Immediate:**
* Block all hostnames and URLs listed in the IOC Analysis section at the perimeter firewall and proxy.
* Kill any active processes connecting to `wigetticks.com` or `wizzleticks.com`.
* **24 Hours:**
* Conduct credential resets for accounts used on devices that triggered the "SocGholish" or "Okendo" detection rules, as StealC and IcedID are information stealers.
* Review web server logs for traces of the Okendo widget compromise (`/reviews-widget-plus/js/okendo-reviews.js`).
* **1 Week:**
* Implement strict allow-listing for JavaScript widgets and third-party SaaS dependencies on e-commerce platforms.
* Review network segmentation to limit C2 communication potential for IoT and user segments.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-aptsupply-chainnetsupport-ratfake-updatesokendosocgholish
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.