
SocGholish Disruption & Okendo Supply Chain: Fake Updates and Third-Party Widget Compromise

Security Arsenal Team
June 22, 2026
6 min read

Threat Summary

Recent OTX Pulse data highlights a convergence of web-based initial access vectors utilizing trusted infrastructure to distribute a cocktail of Remote Access Trojans (RATs) and information stealers. The landscape is dominated by two distinct campaigns: a massive supply chain compromise targeting the Okendo Reviews widget (affecting over 18,000 brands) and the persistent "SocGholish" fake browser update campaign operated by TA569 (GOLD PRELUDE).

While Operation Endgame disrupted a portion of the SocGholish infrastructure, the underlying techniques remain potent, and the threat actors are actively migrating to new infrastructure. The Okendo campaign, attributed to SmartApeSG, exemplifies the growing risk of third-party JavaScript supply chain attacks. Furthermore, threat actors such as Eagle Werewolf and APT28 are leveraging a massive concentration of C2 infrastructure (1,350+ servers) across the Middle East, specifically utilizing STC hosting, to facilitate these operations. The primary objective across these vectors is initial access followed by credential theft (via StealC) and establishment of persistence (via NetSupport, Remcos, and AsyncRAT).

Threat Actor / Malware Profile

SmartApeSG (Okendo Supply Chain)

  • Target: Retail and E-commerce.
  • Distribution Method: Supply chain compromise via the Okendo Reviews widget. Malicious JavaScript is injected into okendo-reviews.js.
  • Payload Behavior: The compromised JS acts as a staged loader, utilizing localStorage and obfuscation to fetch secondary payloads.
  • Malware Families: NetSupport RAT, Remcos, StealC, Sectop RAT, SmartRAT.
  • C2 Communication: Uses HTTP/HTTPS to domains like api.wiggettiks.com and api.wizzleticks.com with specific query parameters for C2 check-in.

TA569 / GOLD PRELUDE (SocGholish)

  • Target: Government, Education, Finance, Healthcare, Hospitality.
  • Distribution Method: SEO poisoning and compromised WordPress sites displaying fake "Browser Update" prompts.
  • Payload Behavior: Downloads malicious JScript payloads which serve as loaders for banking trojans and ransomware.
  • Malware Families: SocGholish, IcedID, Smokeloader, Pikabot, Bumblebee, QakBot, DanaBot, TrickBot, Rhadamanthys, VenomRAT.
  • Infrastructure: Historically relies on a Traffic Distribution System (TDS); recent pulses show infrastructure migration post-Operation Endgame takedowns.

APT & Nation-State Context

  • Infrastructure: Significant C2 concentration (981 servers) hosted by Saudi Telecom (STC), utilized by actors like APT28, Energetic Bear, and Eagle Werewolf.
  • Malware Families: Cobalt Strike, Sliver, SoullessRAT, Mirai, Phorpiex.

IOC Analysis

The provided IOCs focus on network infrastructure, specifically hostnames and URLs rather than file hashes, indicating a need for network-based controls.

  • Types: Hostnames (C2/Distribution), URLs (Payload delivery).
  • Operational Guidance:
    • Blocking: Immediate ingestion of the hostnames (e.g., trademark.iglesiaelarca.com) into DNS Firewall and Secure Web Gateways (SWG).
    • Decoding: The Okendo URLs suggest a parameterized C2 channel (?8D1V4th3). SOCs should configure IDS rules to alert on HTTP GET requests to these specific domains with long, randomized query strings.
    • Triage: Investigate web proxy logs for any successful connections to the Okendo-related domains (wiggettiks.com, wizzleticks.com) immediately.
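The guidance above (match the Okendo-related hosts, then look for GET requests carrying a long randomized query string such as ?8D1V4th3, and prioritise successful connections) can be applied directly to proxy logs. The script below is an added example written for this report, not code from the original post or from any vendor; the log lines are constructed, the log layout (timestamp, client IP, method, URL, status) is an assumption, and the entropy and length thresholds are tunable starting points.

```python
import math
import re
from urllib.parse import urlsplit

# C2 / distribution hostnames taken from the IOC list in this report.
IOC_HOSTS = {
    "api.wiggettiks.com",
    "api.wizzleticks.com",
    "trademark.iglesiaelarca.com",
}

# Constructed sample proxy log lines (not real traffic), in an assumed
# "timestamp client-ip method url status" layout.
SAMPLE_PROXY_LOG = """\
2026-06-22T10:01:02Z 10.0.0.15 GET https://api.wiggettiks.com/?8D1V4th3 200
2026-06-22T10:01:05Z 10.0.0.15 GET https://shop.example.com/static/okendo-reviews.js 200
2026-06-22T10:02:10Z 10.0.0.22 GET https://api.wizzleticks.com/check?Q9zX7kLm2Pq 200
2026-06-22T10:03:00Z 10.0.0.30 GET https://www.example.com/search?q=shoes&page=2 200
2026-06-22T10:04:00Z 10.0.0.31 GET https://api.wiggettiks.com/static/logo.png 403
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random_query(query: str, min_len: int = 8, min_entropy: float = 2.5) -> bool:
    """A single bare token (no key=value pairs) that is long and high-entropy,
    the shape of the ?8D1V4th3 check-in parameter noted in the report."""
    if not query or "=" in query or "&" in query:
        return False
    return len(query) >= min_len and shannon_entropy(query) >= min_entropy


def analyze_proxy_log(text: str, ioc_hosts=IOC_HOSTS):
    """Return one finding per request to an IOC host. Severity is 'high' when the
    request is a GET carrying a randomized query string, 'medium' otherwise;
    'successful' flags 2xx responses, which the triage guidance prioritises."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the hunt
        ts, client, method, url, status = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in ioc_hosts:
            continue
        randomized = method == "GET" and looks_random_query(parts.query)
        findings.append({
            "timestamp": ts,
            "client": client,
            "host": host,
            "query": parts.query,
            "successful": status.startswith("2"),
            "severity": "high" if randomized else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in analyze_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{f['severity']}] {f['timestamp']} {f['client']} -> {f['host']} "
              f"?{f['query']} success={f['successful']}")
```

Matching on the parsed hostname rather than substring-searching the raw URL avoids false hits where an IOC string appears in a path or referrer; the query-string heuristic is deliberately loose so that a renamed check-in parameter on the same host still surfaces as a medium finding.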

Detection Engineering

Sigma rules (YAML):
---
title: Suspicious Browser Update Script Download
description: Detects the download of JS files often used in SocGholish fake update campaigns.
references:
    - https://otx.alienvault.com/pulse/6243829123472000/
author: Security Arsenal
date: 2026/06/22
status: stable
logsource:
    category: proxy
    definition: 'Requirements: Proxy logs must include URLs and file extensions'
detection:
    # Both selections must match: a script download AND a browser/update keyword in the URL.
    # (A single map cannot hold two c-uri|contains keys, so the lists are split.)
    selection_script:
        cs-method: 'GET'
        c-uri|contains:
            - '.js'
            - '.jse'
    selection_keyword:
        c-uri|contains:
            - 'update'
            - 'chrome'
            - 'firefox'
            - 'edge'
    # Exclude the vendors' own hosts by hostname, not by a substring of the URL,
    # so a path or parameter containing 'google.com' does not suppress the alert.
    filter:
        cs-host|endswith:
            - 'google.com'
            - '.google.com'
            - 'mozilla.org'
            - '.mozilla.org'
            - 'microsoft.com'
            - '.microsoft.com'
    condition: all of selection_* and not filter
falsepositives:
    - Legitimate browser update checks (rarely triggered via .js download directly)
    - Short keywords such as 'edge' also match unrelated paths; tune the keyword list to the environment
level: high
tags:
    - attack.initial_access
    - attack.t1189
    - socgholish
---
title: NetSupport RAT Execution via Client32
id: 2b745194-7a25-4b5d-8c4f-5d1c9b9e1d0a
description: Detects execution of NetSupport Manager client, often used in Okendo supply chain and other campaigns.
references:
    - https://otx.alienvault.com/pulse/6243829123472001/
author: Security Arsenal
date: 2026/06/22
status: stable
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\client32.exe'
            - '\pcui.exe'
            - '\nco_ras.exe'
    condition: selection
falsepositives:
    - Legitimate administrative use of NetSupport Manager
level: high
tags:
    - attack.command_and_control
    - attack.t1219
    - netsupport
---
title: Obfuscated JavaScript Loader Activity
description: Detects execution of heavily obfuscated JScript, common in SocGholish and SmartApeSG loaders.
references:
    - https://otx.alienvault.com/pulse/6243829123472001/
author: Security Arsenal
date: 2026/06/22
status: stable
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_cli:
        CommandLine|contains:
            - 'eval('
            - 'String.fromCharCode'
            - 'WScript.Shell'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration scripts (rarely use high obfuscation)
level: medium
tags:
    - attack.defense_evasion
    - attack.t1027
    - obfuscation


KQL (Microsoft Defender advanced hunting):
// Hunt for connections to the hostnames listed in the OTX Pulse IOC data
let iocHosts = dynamic([
    'trademark.iglesiaelarca.com',
    'content.garretttrails.org',
    'promo.summat10n.org',
    'billing.roofnrack.us',
    'devel.asurans.com',
    'storehouse.beautysupplysalonllc.com',
    'samples.addisgraphix.com',
    'api-app.uppercrafteroom.com',
    'api.wiggettiks.com',
    'api.wizzleticks.com'
]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
// RemoteUrl may hold a bare hostname or a full URL, so match the host inside it
// instead of requiring exact equality with the IOC string
| where RemoteUrl has_any (iocHosts)
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Accounts = make_set(InitiatingProcessAccountName),
            RemoteIPs = make_set(RemoteIP)
  by RemoteUrl, DeviceName
| order by Connections desc


PowerShell (endpoint IOC hunt):
# IOC Hunt Script for NetSupport RAT and Persistence Mechanisms
# Checks autorun registry values and running processes associated with the Pulse malware families

Write-Host "[*] Scanning for NetSupport RAT Persistence Keys..." -ForegroundColor Cyan

$paths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

# Substrings matched against both the value name and the value data (the launched command)
$maliciousKeys = @(
    "Client32",
    "pcui",
    "NetSupport Manager"
)

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    $item = Get-ItemProperty -Path $path
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds
        if ($prop.Name -like 'PS*') { continue }
        $data = [string]$prop.Value
        foreach ($needle in $maliciousKeys) {
            if ($prop.Name -like "*$needle*" -or $data -like "*$needle*") {
                Write-Host "[!] Suspicious persistence value: $path\$($prop.Name) = $data" -ForegroundColor Red
                break
            }
        }
    }
}

Write-Host "[*] Checking for Active Malicious Processes..." -ForegroundColor Cyan

# Get-Process reports ProcessName without the .exe extension, so compare on the base name
$processList = @("client32", "nco_ras", "remcos", "stealc")

Get-Process | Where-Object { $processList -contains $_.ProcessName } | ForEach-Object {
    Write-Host "[!] Suspicious process detected: $($_.ProcessName) (PID: $($_.Id))" -ForegroundColor Red
    Write-Host "    Path: $($_.Path)"
}

Write-Host "[*] Hunt Complete."

Response Priorities

  • Immediate: Block all listed hostnames and URLs at the perimeter (Firewall/DNS). Specifically, block connections to api.wiggettiks.com and api.wizzleticks.com due to the active Okendo supply chain compromise.
  • 24h: Hunt for execution artifacts related to NetSupport RAT (client32.exe) and IcedID. Verify the integrity of Okendo widgets on public-facing e-commerce properties; update to the latest sanitized version immediately.
  • 1 week: Conduct an audit of third-party JavaScript dependencies on external websites. Review web filtering policies to block categories commonly associated with TDS (Traffic Distribution Systems) and reduce the attack surface for fake browser updates.
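The 24h and 1 week items above (verify widget integrity, audit third-party JavaScript dependencies) amount to two checks: which externally loaded scripts come from hosts the site does not control and lack a Subresource Integrity pin, and whether a served copy of a widget still matches a known-good baseline. The script below is an added example written for this report, not code from the original post, from Okendo, or from any vendor; the storefront HTML, the widget hostnames (.example placeholders) and the baseline and tampered widget bodies are all constructed.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptTagCollector(HTMLParser):
    """Collects the attributes of every <script> tag that loads an external file."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def audit_third_party_scripts(html: str, first_party_host: str):
    """List every externally loaded script, flag those served from a host other
    than the site's own, and record whether an SRI integrity attribute is set."""
    collector = ScriptTagCollector()
    collector.feed(html)
    first_party_host = first_party_host.lower()
    report = []
    for a in collector.scripts:
        # A relative src (no host) is first-party by definition.
        host = (urlsplit(a["src"]).hostname or first_party_host).lower()
        third_party = host != first_party_host and not host.endswith("." + first_party_host)
        report.append({
            "src": a["src"],
            "host": host,
            "third_party": third_party,
            "has_sri": bool(a.get("integrity")),
        })
    return report


def unpinned_third_party(report):
    """The scripts a site owner should pin or otherwise monitor first."""
    return [r["src"] for r in report if r["third_party"] and not r["has_sri"]]


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ('<algo>-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, expected: str) -> bool:
    """True when body hashes to the pinned SRI value; any change to the served
    file, as in a widget compromise, makes this return False."""
    algo, _, _ = expected.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_hash(body, algo), expected)


# Constructed storefront page: one first-party script, one pinned third-party
# widget, one unpinned third-party widget (hostnames are placeholders).
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.widget-a.example/loader.js"
        integrity="sha384-placeholder" crossorigin="anonymous"></script>
<script src="https://reviews.widget-b.example/reviews-widget.js"></script>
</head><body></body></html>
"""

# Constructed baseline copy of a widget and a copy with extra code appended.
BASELINE_WIDGET = b"window.reviewsWidget = { version: '1.0' };\n"
TAMPERED_WIDGET = BASELINE_WIDGET + b"console.log('modified');\n"


if __name__ == "__main__":
    report = audit_third_party_scripts(SAMPLE_HTML, "shop.example.com")
    print("third-party scripts without SRI:", unpinned_third_party(report))
    pin = sri_hash(BASELINE_WIDGET)
    print("baseline verifies:", verify_sri(BASELINE_WIDGET, pin))
    print("tampered verifies:", verify_sri(TAMPERED_WIDGET, pin))
```

An SRI pin only works when the vendor serves a versioned, immutable file; a widget that updates itself in place at a fixed URL will break the page as soon as the vendor ships a legitimate change. For those, the same sri_hash routine can be run on a schedule against a fetched copy and any drift from the last reviewed baseline raised for review, which is how the "verify the integrity of Okendo widgets" step above can be made repeatable.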
