Excerpt
OTX pulses reveal widespread C2 infrastructure in the Middle East, the disruption of SocGholish fake updates, and a new Okendo supply chain attack delivering RATs.
Threat Summary
Recent intelligence highlights a surge in malicious infrastructure activity, specifically concentrating on the Middle East with over 1,350 C2 servers linked to actors like APT28 and ENERGETIC BEAR. Parallel to this infrastructure growth, threat actors are leveraging supply chain and web-compromise vectors. The SocGholish campaign (TA569), recently disrupted by Operation Endgame, utilized fake browser updates on WordPress sites to deliver payloads like IcedID and SocGholish itself. Simultaneously, a new supply chain attack targets the Okendo Reviews widget, injecting malicious JavaScript to deliver NetSupport RAT and Remcos. Collectively, these pulses indicate a heavy reliance on web compromise and supply chain attacks to distribute remote access trojans (RATs) and initial access brokers.
Threat Actor / Malware Profile
SocGholish (TA569 / GOLD PRELUDE)
- Distribution: Fake browser update popups on compromised WordPress sites.
- Behavior: Downloads malicious JScript payloads which serve as loaders for secondary payloads like IcedID, Bumblebee, and Pikabot.
- Persistence: Scheduled tasks and registry run keys.
SmartApeSG
- Distribution: Malicious JavaScript injection into the Okendo Reviews widget.
- Behavior: The compromised widget acts as a loader, using obfuscation and localStorage to stage and download payloads like StealC, NetSupport, and Remcos.
- Objective: Initial access via trusted e-commerce components.
Middle East Clusters (APT28, Energetic Bear, etc.)
- Malware: Heavy usage of AsyncRAT, NetSupport RAT, and Cobalt Strike.
- Infrastructure: High concentration of C2 servers on Saudi Arabia's STC network.
IOC Analysis
- Hostnames: Several dozen compromised domains were identified hosting SocGholish payloads (e.g.,
trademark.iglesiaelarca.com). These should be blocked at the proxy/DNS level. - URLs: Specific URLs associated with the Okendo attack (e.g.,
api.wigetticks.com) indicate the C2 or staging infrastructure. Look for traffic to non-standard TLDs or subdomains mimicking legitimate services (e.g., "api-app", "content"). - CVE: CVE-2025-11953 is noted in the context of the infrastructure report; patching associated software is critical.
- Operationalization: SOC teams should ingest these IoCs into SIEM correlation rules to flag outbound connections to these hostnames/URLs immediately.
Detection Engineering
Sigma Rules
YAML
---
title: Potential SocGholish Fake Browser Update Script Execution
id: 98b8a8a4-1234-5678-9abc-def123456789
description: Detects execution of JScript files often associated with SocGholish fake browser update campaigns, typically executed via wscript.exe or cscript.exe.
status: experimental
date: 2026/06/24
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6186a1234567890abcdef1
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\\wscript.exe'
- '\\cscript.exe'
CommandLine|contains:
- '.js'
condition: selection
falsepositives:
- Legitimate system administration scripts
level: high
tags:
- attack.initial_access
- attack.t1189
---
title: Suspicious Okendo Widget or Staging Connection
id: 8a7b6c5d-4321-8765-fedc-ba9876543210
description: Detects network connections to known malicious Okendo-related staging domains or suspicious API endpoints mimicking widget infrastructure.
status: experimental
date: 2026/06/24
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6186a1234567890abcdef3
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'wigetticks.com'
- 'wizzleticks.com'
condition: selection
falsepositives:
- Unknown
level: critical
tags:
- attack.command_and_control
- attack.t1071
---
title: AsyncRAT or NetSupport RAT Process Creation
id: 1a2b3c4d-5678-90ab-cdef-1234567890ab
description: Detects suspicious process execution patterns associated with AsyncRAT and NetSupport RAT payloads often seen in Middle East C2 campaigns.
status: experimental
date: 2026/06/24
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6186a1234567890abcdef1
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\\AsyncRAT.exe'
- '\\Client32.exe'
- '\\net_support_manager.exe'
selection_cli:
CommandLine|contains:
- '-connect'
- '127.0.0.1' # Local tunneling often used
condition: 1 of selection_*
falsepositives:
- Legitimate remote administration usage
level: high
tags:
- attack.execution
- attack.t1059
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for connections to SocGholish and Okendo related IoCs
DeviceNetworkEvents
| where RemoteUrl in~ (
"trademark.iglesiaelarca.com",
"content.garretttrails.org",
"promo.summat10n.org",
"billing.roofnrack.us",
"devel.asurans.com",
"storehouse.beautysupplysalonllc.com",
"samples.addisgraphix.com",
"api-app.uppercrafteroom.com",
"cdn-static.okendo.io",
"api.wigetticks.com",
"api.wizzleticks.com"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend IoC_Type = "Hostname/URL"
| order by Timestamp desc
kql
// Hunt for process execution associated with RAT payloads
DeviceProcessEvents
| where ProcessCommandLine has_any ("-connect", "inject", "regsvr32") or FileName in~ ("AsyncRAT.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has @".js" or ProcessCommandLine has @".vbs"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
PowerShell Hunt Script
PowerShell
# IOC Hunter for Okendo Supply Chain and RAT Artifacts
$MaliciousHashes = @(
# Insert specific file hashes if available, currently hunting for paths/registry
)
$SuspiciousPaths = @(
"$env:APPDATA\AsyncRAT",
"$env:TEMP\Client32.exe",
"$env:LOCALAPPDATA\Microsoft\Windows\inetcache\*")
$MaliciousHosts = @(
"trademark.iglesiaelarca.com",
"api.wigetticks.com",
"api.wizzleticks.com"
)
Write-Host "[*] Checking for Suspicious File Paths..."
foreach ($path in $SuspiciousPaths) {
if (Test-Path $path) {
Write-Host "[!] ALERT: Found suspicious path: $path" -ForegroundColor Red
Get-Item -Path $path -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime, Length
}
}
Write-Host "[*] Checking DNS Cache for Malicious Hosts..."
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($hostEntry in $MaliciousHosts) {
if ($DnsCache.Entry -contains $hostEntry) {
Write-Host "[!] ALERT: Found malicious host in DNS Cache: $hostEntry" -ForegroundColor Red
$DnsCache | Where-Object { $_.Entry -eq $hostEntry }
}
}
Write-Host "[*] Checking for NetSupport Manager processes..."
$RatProcesses = Get-Process | Where-Object { $_.ProcessName -like "*net*support*" -or $_.ProcessName -like "*async*rat*" }
if ($RatProcesses) {
Write-Host "[!] ALERT: Found potential RAT process running." -ForegroundColor Red
$RatProcesses | Select-Object ProcessName, Id, Path
}
Response Priorities
- Immediate: Block identified hostnames and URLs (SocGholish/Okendo IoCs) at the edge and proxy. Scan web servers for the Okendo malicious JS injection.
- 24h: Hunt for signs of SocGholish execution (JS files in user folders) and NetSupport/Remcos processes. Initiate credential reset if StealC or similar info-stealers are suspected.
- 1 week: Review CMS patch levels for WordPress (SocGholish vector) and implement integrity checks for third-party JavaScript widgets (Okendo vector) to prevent future supply chain compromises.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-aptsocgholishokendonetsupport-ratsupply-chain-attackasyncrat
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.