
SocGholish Disruption, SmartApeSG Supply Chain, and FortiBleed: Credential Theft & RAT Analysis

Security Arsenal Team
June 23, 2026
5 min read

Recent OTX pulses indicate a highly active threat landscape focused on initial access and credential theft. While law enforcement (Operation Endgame) has disrupted the GOLD PRELUDE actor's SocGholish infrastructure, residual domains remain active. Threat actors are rapidly pivoting to supply chain attacks, specifically targeting the Okendo Reviews platform (SmartApeSG) to deliver Remcos and NetSupport RATs to the retail sector. Concurrently, a sophisticated steganographic loader campaign is targeting the Finance sector in India to deploy Agent Tesla and Formbook. Additionally, the "FortiBleed" infrastructure has been exposed, revealing a large-scale credential cracking operation against Fortinet VPN gateways.

Threat Actor / Malware Profile

GOLD PRELUDE (TA569):

  • Distribution: Compromised WordPress sites serving fake browser update prompts.
  • Payload: SocGholish (JScript loader) leading to banking trojans (IcedID, QakBot) and ransomware.
  • Persistence: Scheduled tasks, Registry Run keys.

SmartApeSG:

  • Distribution: Supply chain compromise of the Okendo Reviews JavaScript widget.
  • Payload: Obfuscated JS loader downloading StealC, Remcos, or Sectop RAT.
  • Persistence: Windows Startup folders, WMI event subscriptions.

Steganographic Loader Actor:

  • Distribution: Phishing emails with archive attachments containing images with embedded payloads.
  • Payload: Agent Tesla, Formbook, Red Line Stealer.
  • Persistence: Registry Run keys (often hiding in HKCU\Software\Microsoft\Windows\CurrentVersion\Run).

IOC Analysis

This intelligence drop contains actionable IOCs across multiple vectors:

  • Hostnames (8): SocGholish C2 and distribution points (e.g., trademark.iglesiaelarca.com). Operationalize via DNS Firewall (RPZ) and proxy blocklists; match the listed name and its subdomains, not arbitrary substrings.
  • URLs (3): Malicious Okendo widget endpoints and payload drop zones (e.g., api.wiggettcks.com). Block in Secure Web Gateways and search proxy history for prior requests.
  • File Hashes (25+): MD5, SHA1, and SHA256 hashes for the steganographic loaders and malicious NPM packages. Use EDR historical search to find execution and file-write artifacts; compare each hash type against its own column, since an MD5 value will never match a SHA256 field.
  • IPv4 (7): IP addresses associated with the FortiBleed cracking infrastructure. Block on perimeter firewalls with exact-address rules and review VPN and firewall logs for prior authentication attempts and connections from them.
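Operationalizing these four indicator types is mostly a matching problem, and three naive shortcuts cause misses or noise: a substring test on '85.11.187.8' also fires on 85.11.187.80-89 and 185.11.187.8x, a mixed hash list compared against a single SHA256 column silently drops every MD5 and SHA1 indicator, and a hostname blocklist should catch subdomains of a listed host but not look-alike names. The following added Python example (not the page's or any vendor's tooling) implements type-aware matching for a handful of the indicators listed above; the event schema and the sample events are constructed for illustration.

```python
"""Match endpoint, proxy and firewall events against this drop's IOCs.

Added example, not part of the original page. Indicator values are the ones listed
above (a subset); the event records below are constructed sample data in a simplified
EDR/proxy schema, not any vendor's real format.
"""
import ipaddress
import re

HOSTNAMES = {"trademark.iglesiaelarca.com", "api.wiggettcks.com"}
IPV4 = {
    "85.11.187.8", "175.155.64.221", "185.229.26.83", "198.53.64.194",
    "213.169.49.142", "38.117.87.37", "85.11.187.28",
}
# Mixed list, exactly as it arrives in a pulse: one SHA256, one MD5, one SHA1.
HASHES = {
    "372f19a45d0eb4c8c52117c6ae2bb8040a91bc72be8670623f957a18c2166985",
    "897abf678edad72998554ec18675092f",
    "be36ef651eed6808760153200a3a2a2b7060cce5",
}

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-f]+$")


def classify_hash(value):
    """Return ('md5'|'sha1'|'sha256', lowercased hex) or None for non-hash strings."""
    v = value.strip().lower()
    if _HEX.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], v
    return None


def build_hash_index(hashes):
    """Bucket a mixed hash list by algorithm so each column is compared to the right set."""
    index = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in hashes:
        kind = classify_hash(h)
        if kind:
            index[kind[0]].add(kind[1])
    return index


def host_matches(host, blocked):
    """Exact hostname match or a subdomain of a listed name; never a bare substring."""
    h = host.lower().rstrip(".")
    return any(h == b or h.endswith("." + b) for b in blocked)


def ip_matches(ip, blocked):
    """Exact address comparison, so '85.11.187.8' does not match '85.11.187.80'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr == ipaddress.ip_address(b) for b in blocked)


def match_event(event, hash_index):
    """Return the list of IOC hits for one event dict (constructed schema)."""
    hits = []
    for col in ("md5", "sha1", "sha256"):
        if col in event and event[col].lower() in hash_index[col]:
            hits.append(f"hash:{col}")
    if "dest_host" in event and host_matches(event["dest_host"], HOSTNAMES):
        hits.append("hostname")
    if "dest_ip" in event and ip_matches(event["dest_ip"], IPV4):
        hits.append("ipv4")
    return hits


# Constructed sample events; the comments state the expected outcome.
SAMPLE_EVENTS = [
    {"id": 1, "md5": "897ABF678EDAD72998554EC18675092F"},       # MD5 hit despite upper case
    {"id": 2, "sha256": "897abf678edad72998554ec18675092f"},    # MD5 value in SHA256 column: no hit
    {"id": 3, "dest_host": "cdn.trademark.iglesiaelarca.com"},  # subdomain of a listed host: hit
    {"id": 4, "dest_host": "nottrademark.iglesiaelarca.com"},   # look-alike, not a subdomain: no hit
    {"id": 5, "dest_ip": "85.11.187.8"},                         # exact listed IP: hit
    {"id": 6, "dest_ip": "85.11.187.80"},                        # substring match would fire here: no hit
]


def scan(events, hashes=HASHES):
    """Map event id -> list of IOC hits."""
    idx = build_hash_index(hashes)
    return {e["id"]: match_event(e, idx) for e in events}


if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(eid, hits or "clean")
```

The same three rules apply when the indicators are pushed into a DNS firewall, proxy or EDR: express IPs as exact /32 entries, hostnames as domain-and-subdomain entries, and hashes per algorithm.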

Detection Engineering

YAML
---
title: Potential Fake Browser Update Activity
id: d63e8f0e-7c0e-4b0f-9a3b-1c0e4b0f9a3b
description: Detects potential fake browser update activity often associated with SocGholish and other drive-by download campaigns. Tracks browser processes spawning script interpreters or making suspicious network connections.
status: experimental
author: Security Arsenal
date: 2026/06/23
references:
    - https://www.infoblox.com/blog/threat-intelligence/hot-take-operation-endgame-vs-socgholish/
tags:
    - attack.t1204.002
    - attack.t1059.007
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    filter:
        CommandLine|contains:
            - 'MicrosoftEdge' 
            - 'SoftwareDistribution'
    condition: selection and not filter
falsepositives:
    - Legitimate browser updates or extensions running scripts
level: high
---
title: Suspicious PowerShell Execution from Node.js
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects Node.js (npm) spawning PowerShell, indicative of the postcss typosquatting attack delivering RATs.
status: experimental
author: Security Arsenal
date: 2026/06/23
references:
    - https://research.jfrog.com/post/from-postcss-typosquat-to-windows-rat
tags:
    - attack.t1059.001
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate build scripts requiring PowerShell
level: high
---
title: FortiBleed Infrastructure Connection
id: b2c3d4e5-f6a7-4b5c-9d0e-1f2a3b4c5d6e
description: Detects network connections to known IP addresses associated with the FortiBleed credential harvesting operation.
status: experimental
author: Security Arsenal
date: 2026/06/23
references:
    - https://www.cloudsek.com/blog/inside-the-fortibleed-open-directory-a-technical-analysis-of-what-the-attacker-left-behind
tags:
    - attack.t1110
    - attack.t1078
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationIp:
            - '85.11.187.8'
            - '175.155.64.221'
            - '185.229.26.83'
            - '198.53.64.194'
            - '213.169.49.142'
            - '38.117.87.37'
            - '85.11.187.28'
    condition: selection
falsepositives:
    - Unlikely; these are attacker-controlled addresses, but hosting ranges are reassigned over time, so re-validate the list before long-term blocking
level: critical


**KQL (Microsoft Sentinel)**

kql
// Hunt for File Hashes from Steganographic and NPM Supply Chain Pulses
let Hashes = dynamic([
    "372f19a45d0eb4c8c52117c6ae2bb8040a91bc72be8670623f957a18c2166985",
    "897abf678edad72998554ec18675092f",
    "afe085b7324d72673eef749ff5f21a49",
    "c2e25aba8e2ad4cafdd6c633b8ca0906",
    "be36ef651eed6808760153200a3a2a2b7060cce5",
    "4924369c0bdaf73b21eb992eb9db4dea",
    "f3626a38fcf488c9eed54beb8c7c116f",
    "208166120775a11cb6680139ea0f3372",
    "4c1bdb2b045debf5b25e5be540ef99f0",
    "c2875e2f45e5f1dfa04463de53b3fa5a",
    "c5207f87b9103634b4db6f120eb6172a",
    "f189c338a5f2bc3cce06cee37c0b7522",
    "2890d90edfc08fb4cfafe0d5fa2a9fb6800dedf5",
    "71c6cd37ddc0e5899174c72eefee8b224fd1f4bb",
    "7b1919c35da92cf5fd2583783dc9364fd11b69d2"
]);
// Run the same hash list against DeviceFileEvents to catch payloads that were written but never executed
DeviceProcessEvents
| where SHA256 in~ Hashes or SHA1 in~ Hashes or MD5 in~ Hashes
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, SHA256, SHA1, MD5, InitiatingProcessFileName
| extend Alert = "Malicious File Execution Detected"


**PowerShell Hunt Script**

powershell
<#
.SYNOPSIS
    Hunt for indicators associated with Steganographic Loader and PostCSS campaigns.
.DESCRIPTION
    Scans common drop directories for the MD5 and SHA256 hashes identified in OTX pulses,
    then reviews Run keys for script-based persistence. Run from an elevated prompt so that
    other users' profiles and HKLM are readable.
#>

# Hashes are keyed by algorithm so that each file is compared against the right digest.
# A 32-character MD5 can never equal a SHA256 digest, so a single mixed list compared
# only against SHA256 output means the MD5 indicators silently never match.
$TargetHashes = @{
    SHA256 = @(
        "372f19a45d0eb4c8c52117c6ae2bb8040a91bc72be8670623f957a18c2166985"
    )
    MD5 = @(
        "897abf678edad72998554ec18675092f",
        "208166120775a11cb6680139ea0f3372",
        "4c1bdb2b045debf5b25e5be540ef99f0"
    )
}

Write-Host "[*] Starting hunt for Steganographic/NPM Payloads..." -ForegroundColor Cyan

# Search common drop directories (files only; Get-FileHash errors on directories)
$Paths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp\")

foreach ($Path in $Paths) {
    if (-not (Test-Path $Path)) { continue }
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_
        foreach ($Algorithm in $TargetHashes.Keys) {
            try {
                $Hash = (Get-FileHash -Path $File.FullName -Algorithm $Algorithm -ErrorAction Stop).Hash.ToLower()
            } catch {
                continue   # access denied, file locked, etc.
            }
            if ($TargetHashes[$Algorithm] -contains $Hash) {
                Write-Host "[!] MATCH FOUND: $($File.FullName)" -ForegroundColor Red
                Write-Host "    $Algorithm`: $Hash"
            }
        }
    }
}

Write-Host "[*] Scan complete. Checking for suspicious persistence..." -ForegroundColor Cyan

# Check Run keys often used by Agent Tesla/Formbook for script files and script hosts
$RunKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)
# Properties the registry provider adds to every Get-ItemProperty result; not real values
$ProviderProps = @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")
# -match is case-insensitive by default
$SuspiciousPattern = '\.(js|jse|vbs|vbe|wsf|hta)\b|wscript|cscript|mshta|powershell|-enc'

foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($Name in ($Props.PSObject.Properties.Name | Where-Object { $ProviderProps -notcontains $_ })) {
        $Value = [string]$Props.$Name
        if ($Value -match $SuspiciousPattern) {
            Write-Host "[!] Suspicious Persistence in $Key" -ForegroundColor Yellow
            Write-Host "    Name:  $Name"
            Write-Host "    Value: $Value"
        }
    }
}

Response Priorities

Immediate (0-12 hours):

  • Block IOCs: Immediately block all hostnames, URLs, and IPv4 addresses listed in the IOC Analysis section on perimeter firewalls, proxies, and EDR systems.
  • FortiGate Audit: If using Fortinet SSL VPNs, review authentication logs for successful logins and for repeated failures originating from the FortiBleed IP addresses (e.g., 85.11.187.8 and 85.11.187.28); terminate sessions and reset credentials for any account that authenticated from them.

24 Hours:

  • Identity Verification: Due to the prevalence of infostealers (Agent Tesla, RedLine) in these pulses, initiate forced password resets and MFA re-enrollment for accounts associated with devices that triggered the file hash or process alerts.
  • Supply Chain Check: E-commerce teams must verify the integrity of the Okendo Reviews widget implementation and ensure no unauthorized script modifications are present.

1 Week:

  • Architecture Hardening: Enforce strict application control policies to prevent node.exe from spawning powershell.exe outside of known build pipelines.
  • VPN Security: Review VPN security posture; ensure brute-force protection and multi-factor authentication are enforced for all remote access.
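The FortiGate audit step above is easiest to repeat across many gateways with a small parser, because FortiGate emits syslog as key=value pairs. The following added Python example (not Fortinet's or the page's tooling) parses that shape generically, reports successful VPN logins from the FortiBleed addresses, counts failures per source IP, and flags sources whose failures spread across many usernames, which is the password-spraying pattern a credential-cracking operation produces. The log lines are constructed for illustration; the field names used (remip, user, action, reason, subtype) and the action values treated as success or failure are assumptions to confirm against the log reference for your FortiOS build.

```python
"""Triage FortiGate SSL-VPN event logs against the FortiBleed source addresses.

Added example, not part of the original page. Sample lines are constructed; field names
and the action values below are assumptions to verify against your firmware's log reference.
"""
import ipaddress
import re
from collections import Counter, defaultdict

FORTIBLEED_IPS = {ipaddress.ip_address(a) for a in (
    "85.11.187.8", "175.155.64.221", "185.229.26.83", "198.53.64.194",
    "213.169.49.142", "38.117.87.37", "85.11.187.28",
)}

# Assumed action values for successful and failed SSL-VPN authentication events.
SUCCESS_ACTIONS = {"tunnel-up", "ssl-login"}
FAILURE_ACTIONS = {"ssl-login-fail"}

# key=value pairs; values are either "quoted" or bare up to the next whitespace
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Parse one key=value log line into a dict."""
    return {k: (q or b) for k, q, b in _KV.findall(line)}


def triage(lines, blocked=FORTIBLEED_IPS, spray_threshold=5):
    """Return successful logins from blocked IPs, failure counts per source IP,
    and source IPs whose failures covered >= spray_threshold distinct usernames."""
    success_from_blocked = []
    failures = Counter()
    users_per_ip = defaultdict(set)
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec.get("subtype") != "vpn" or "remip" not in rec:
            continue  # not an SSL-VPN event, or no remote address to pivot on
        try:
            ip = ipaddress.ip_address(rec["remip"])  # exact address, never a substring test
        except ValueError:
            continue
        action = rec.get("action", "")
        if action in FAILURE_ACTIONS:
            failures[str(ip)] += 1
            users_per_ip[str(ip)].add(rec.get("user", "?"))
        elif action in SUCCESS_ACTIONS and ip in blocked:
            success_from_blocked.append((rec.get("date"), rec.get("time"), str(ip), rec.get("user")))
    spraying = sorted(ip for ip, users in users_per_ip.items() if len(users) >= spray_threshold)
    return {"success_from_blocked": success_from_blocked,
            "failures": dict(failures),
            "spraying": spraying}


# Constructed sample log: five failures across five users from 85.11.187.8, one failure from
# the non-listed 85.11.187.80, a success from the listed 85.11.187.28, a benign success,
# and an unrelated admin login line that must be ignored.
SAMPLE_LOG = """\
date=2026-06-22 time=10:15:01 devname="FGT-EDGE" logid="0101039424" type="event" subtype="vpn" level="alert" action="ssl-login-fail" reason="sslvpn_login_permission_denied" remip=85.11.187.8 user="alice" msg="SSL user failed to log in"
date=2026-06-22 time=10:15:03 devname="FGT-EDGE" logid="0101039424" type="event" subtype="vpn" level="alert" action="ssl-login-fail" reason="sslvpn_login_unknown_user" remip=85.11.187.8 user="bob" msg="SSL user failed to log in"
date=2026-06-22 time=10:15:05 devname="FGT-EDGE" logid="0101039424" type="event" subtype="vpn" level="alert" action="ssl-login-fail" reason="sslvpn_login_permission_denied" remip=85.11.187.8 user="carol" msg="SSL user failed to log in"
date=2026-06-22 time=10:15:07 devname="FGT-EDGE" logid="0101039424" type="event" subtype="vpn" level="alert" action="ssl-login-fail" reason="sslvpn_login_permission_denied" remip=85.11.187.8 user="dave" msg="SSL user failed to log in"
date=2026-06-22 time=10:15:09 devname="FGT-EDGE" logid="0101039424" type="event" subtype="vpn" level="alert" action="ssl-login-fail" reason="sslvpn_login_unknown_user" remip=85.11.187.8 user="erin" msg="SSL user failed to log in"
date=2026-06-22 time=10:16:10 devname="FGT-EDGE" logid="0101039424" type="event" subtype="vpn" level="alert" action="ssl-login-fail" reason="sslvpn_login_permission_denied" remip=85.11.187.80 user="alice" msg="SSL user failed to log in"
date=2026-06-22 time=10:20:45 devname="FGT-EDGE" logid="0101039426" type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-web" remip=85.11.187.28 user="jsmith" msg="SSL VPN tunnel up"
date=2026-06-22 time=10:21:00 devname="FGT-EDGE" logid="0101039426" type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-web" remip=203.0.113.10 user="jsmith" msg="SSL VPN tunnel up"
date=2026-06-22 time=10:22:00 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" level="information" action="login" user="admin" srcip=203.0.113.10 msg="Administrator admin logged in successfully"
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for hit in result["success_from_blocked"]:
        print("SUCCESSFUL LOGIN FROM FORTIBLEED IP:", hit)
    print("failures per source:", result["failures"])
    print("spraying sources:", result["spraying"])
```

On a real gateway, feed the exported event log (or the SIEM's raw syslog field) into triage() one line at a time; the spray threshold is deliberately low here so the sample trips it, and should be tuned to the normal failure rate of your user population.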


Tags: darkweb, otx-pulse, darkweb-credentials, credential-theft, supply-chain-attack, socgholish, agent-tesla, fortibleed
