SocGholish Disruption, INC RaaS Evolution, and Okendo Supply Chain Compromise: OTX Pulse Analysis

Threat Summary

The current threat landscape is characterized by three distinct but high-impact vectors: the successful law enforcement disruption of the SocGholish malware framework (Operation Endgame), the aggressive evolution of the INC Ransomware-as-a-Service (RaaS) operation leveraging Rust-based encryptors, and a novel supply chain attack targeting the Okendo Reviews widget. Collectively, these campaigns demonstrate the resilience of Traffic Distribution Systems (TDS), the rapid migration of threat actors to cross-platform RaaS models following LockBit/BlackCat takedowns, and the increasing exploitation of trusted third-party e-commerce scripts to deliver Remote Access Trojans (RATs).

Threat Actor / Malware Profile

GOLD PRELUDE (SocGholish)

• Profile: A threat actor operating since 2017, recently disrupted by Operation Endgame. They utilized a vast network of compromised WordPress sites to drive traffic to malicious payloads.
• Distribution: Compromised legitimate websites displaying fake browser update prompts (e.g., "Chrome Update Required").
• Payload Behavior: Initial access is gained via JScript download. The payload acts as a loader for major botnets and banking trojans, including IcedID, QakBot, Pikabot, and Bumblebee.
• C2 Communication: Uses compromised hostnames for C2 check-ins and payload staging.

INC Ransomware

• Profile: A top-tier RaaS group that evolved from an emerging threat to a dominant player in 2026, capitalizing on the void left by disrupted cartels.
• Distribution: Double-extortion model. Affiliates exploit vulnerabilities like CVE-2023-3519 and CVE-2024-57727 for initial access.
• Payload Behavior: Uses Rust-based encryptors for Windows and Linux/ESXi, complicating analysis and detection. Utilizes Cobalt Strike for lateral movement.
• Persistence: Modifies boot configurations to ensure execution on startup; deletes shadow copies to prevent recovery.

SmartApeSG (Okendo Campaign)

• Profile: Threat actor targeting the retail sector via supply chain compromise.
• Distribution: Injection of malicious JavaScript into the widely-used Okendo Reviews widget (loaded via cdn-static.okendo.io).
• Payload Behavior: The injected JS acts as a staged loader, utilizing localStorage for obfuscation. It ultimately loads payloads for NetSupport, Remcos, StealC, and Sectop RAT.
• C2 Communication: Connects to domains spoofing legitimate API services (api.wigetticks.com, api.wizzleticks.com).

IOC Analysis

The provided IOCs include:

• Hostnames: A list of compromised infrastructure used by SocGholish (e.g., trademark.iglesiaelarca.com). These should be blocked at the DNS layer.
• CVEs: Specific vulnerabilities exploited by INC Ransomware (CVE-2023-3519, CVE-2024-57727, CVE-2025-5777). Vulnerability scanning is required to identify exposure.
• Onion/Domains: Tor hidden services and clear-web domains used by INC for leak sites and C2.
• File Hash-SHA256: A specific hash for an INC ransomware sample (6cd349eda0...). This is a high-fidelity indicator for endpoint detection.
• URLs: Malicious endpoints used in the Okendo supply chain attack. SOCs should inspect proxy logs for connections to these specific API paths.

Detection Engineering

Sigma Rules

---
title: Potential SocGholish Fake Browser Update Activity
id: 4e92f4a5-9b23-4c8c-9e6b-0a1b2c3d4e5f
description: Detects potential SocGholish activity where a browser launches a script interpreter to download fake updates.
status: experimental
author: Security Arsenal
date: 2026/06/20
references:
    - https://otx.alienvault.com/pulse/6671a6b6d9f8e8e8e8e8e8e8
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        CommandLine|contains:
            - '.js'
    condition: selection
falsepositives:
    - Legitimate software updates via web scripts
level: high
---
title: Okendo Supply Chain Malicious Domain Connection
id: 5a83f5b6-0c34-5d9d-0f7c-1b2c3d4e5f60
description: Detects network connections to malicious domains associated with the Okendo Reviews widget supply chain attack (SmartApeSG).
status: experimental
author: Security Arsenal
date: 2026/06/20
references:
    - https://otx.alienvault.com/pulse/6671a6b6d9f8e8e8e8e8e8e8
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'wigetticks.com'
            - 'wizzleticks.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: INC Ransomware Known Malicious File Hash
id: 6b94g6c7-1d45-6e0e-1g8d-2c3d4e5f6071
description: Detects the execution of a known INC Ransomware binary based on the SHA256 hash provided in OTX Pulse.
status: experimental
author: Security Arsenal
date: 2026/06/20
references:
    - https://otx.alienvault.com/pulse/6671a6b6d9f8e8e8e8e8e8e8
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Hashes|contains:
            - 'SHA256=6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141'
    condition: selection
falsepositives:
    - None
level: critical


**KQL (Microsoft Sentinel)**

kql
// Hunt for connections to known SocGholish and Okendo C2 infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ ("trademark.iglesiaelarca.com", "content.garretttrails.org", "promo.summat10n.org", "billing.roofnrack.us", "devel.asurans.com", "storehouse.beautysupplysalonllc.com", "samples.addisgraphix.com", "api-app.uppercrafteroom.com", "api.wigetticks.com", "api.wizzleticks.com")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| summarize Count = count() by DeviceName, RemoteUrl
| order by Count desc


**PowerShell Hunt Script**

powershell
# Hunt for INC Ransomware File Hash
$targetHash = "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141"
Write-Host "Scanning for INC Ransomware Hash..."
Get-ChildItem -Path "C:\" -Recurse -ErrorAction SilentlyContinue -Include *.exe, *.dll | ForEach-Object {
    $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    if ($hash.Hash -eq $targetHash) {
        Write-Host "MATCH FOUND: $($_.FullName)" -ForegroundColor Red
    }
}

# Check DNS Cache for Okendo Malicious Domains
Write-Host "Checking DNS Cache for Okendo Malicious Domains..."
$maliciousDomains = @("wigetticks.com", "wizzleticks.com")
Get-DnsClientCache | Where-Object { $maliciousDomains -contains $_.Entry.Split('.')[-2..-1] -join '.' } | Format-Table Entry, Data, Type

Response Priorities

• Immediate:

  • Block all hostnames and URLs listed in the IOCs at the perimeter proxy and DNS firewall.
  • Scan endpoints for the specific SHA256 hash associated with INC Ransomware.
  • Identify and isolate any systems that have recently executed wscript.exe or cscript.exe spawned by web browsers.

• 24 Hours:

  • Initiate credential resets for accounts logged into devices exhibiting signs of malware infection (credential theft is a primary objective of SocGholish and SmartApeSG payloads).
  • Audit e-commerce platforms for the presence of the Okendo Reviews widget and verify the integrity of the loaded JavaScript.

• 1 Week:

  • Patch systems against CVE-2023-3519, CVE-2023-48788, CVE-2024-57727, and CVE-2025-5777 to mitigate INC Ransomware initial access vectors.
  • Implement application control policies to block unsigned scripts (JS/VBS) downloaded from the internet.
  • Review third-party JavaScript dependencies in the web supply chain for unauthorized modifications.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub