Recent OTX pulses indicate a convergence of high-volume initial access vectors targeting enterprise sectors. The primary threats identified are Operation Endgame's disruption of SocGholish (TA569), which utilized fake browser updates to deliver loaders like IcedID and Pikabot, and a supply chain attack on the Okendo Reviews widget by SmartApeSG injecting malicious JavaScript to drop NetSupport RAT and Remcos.
These attacks feed into a vast, mapped ecosystem of Command and Control (C2) infrastructure heavily concentrated in the Middle East. Pulse data reveals over 1,350 active C2 servers hosted by Saudi Telecom (STC), associated with nation-state actors like APT28 (Fancy Bear) and ENERGETIC BEAR, as well as commodity malware operators. The objective spans credential harvesting (via StealC), ransomware delivery (LockBit), and long-term espionage via RATs.
# Threat Actor / Malware Profile
Threat Actors:
- GOLD PRELUDE (TA569): Historically operates the SocGholish malware framework, utilizing compromised WordPress sites to distribute fake browser update prompts.
- SmartApeSG: Identified as the actor behind the Okendo Reviews supply chain attack, utilizing JavaScript injection to serve malware.
- Nation-State Overlay: Infrastructure overlaps with APT28 and ENERGETIC BEAR, suggesting potential shared hosting or "parking" of C2 servers within bulletproof hosting environments in the Middle East.
Malware Families & Behaviors:
- SocGholish: JavaScript-based dropper masquerading as a browser update (Chrome/Firefox). Establishes persistence via scheduled tasks or Registry Run keys, then downloads secondary payloads such as Cobalt Strike, Smokeloader, or QakBot.
- NetSupport Manager / Remcos: Legitimate remote administration tools weaponized in these campaigns. They provide full remote control, file transfer, and screen capture capabilities. Often delivered via obfuscated JavaScript loaders.
- Payloads: IcedID (Bokbot), Pikabot, and QakBot are banking trojans that act as loaders for ransomware (e.g., LockBit Black, DoppelPaymer). StealC is an information stealer targeting browser data and crypto wallets.
Attack Chain:
- Initial Access: User visits compromised WordPress site (SocGholish) or legitimate e-commerce site with injected widget (Okendo/SmartApeSG).
- Execution: User triggers "Fake Browser Update" or malicious JS auto-executes.
- Delivery: Heavy obfuscation (Hex/Base64) leads to PowerShell or MShta execution.
- C2 Beaconing: Payload connects to Middle East infrastructure (STC-hosted IPs) or specific delivery domains (e.g., api.wigletticks.com).
# IOC Analysis
The provided IOCs are critical for detection but require contextualization due to the high volume of C2 infrastructure (1,350+ servers).
- Hostnames (SocGholish): Includes trademark.iglesiaelarca.com and billing.roofnrack.us. These are compromised WordPress domains used as Traffic Distribution Systems (TDS). SOC teams should block these at the DNS layer and hunt for historical HTTP connections to these FQDNs.
- URLs (Supply Chain): The URL http://cdn-static.okendo.io/... is the legitimate delivery mechanism, but the subsequent calls to api.wigletticks.com are malicious. Blocking the domain wigletticks.com is high priority.
- CVE: CVE-2025-11953 is referenced in the infrastructure report. While details in the pulse are sparse, patching against this specific vulnerability should be prioritized if it affects the enterprise edge.
Operationalization:
- EDR: Load hostnames into watchlists for network connection alerts.
- SIEM: Correlate web proxy logs with process creation events (a browser spawning mshta.exe or powershell.exe).
# Detection Engineering
```yaml
---
title: Potential SocGholish Fake Browser Update Activity
id: 4f01e4b8-5a7b-4c8e-9d2f-1b3c5d6e7f8a
description: Detects execution patterns associated with SocGholish fake browser updates, typically involving a browser process launching script interpreters like mshta or powershell to download JS files.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/operation-endgame-vs-socgholish-fake-updates/
tags:
  - attack.initial_access
  - attack.t1189
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\opera.exe'
    Image|endswith:
      - '\mshta.exe'
      - '\powershell.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - '.js'
      - 'jscript'
      - 'update'
      - 'browser'
  condition: selection
falsepositives:
  - Legitimate software updates executed via browser
level: high
---
title: NetSupport RAT C2 Communication
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects network connections indicative of NetSupport Manager or NetSupport RAT, often seen in SocGholish and SmartApeSG campaigns.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/okendo-reviews-supply-chain-attack/
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationPort:
      - 80
      - 443
    DestinationHostname|contains:
      - 'netsupport'
      - 'api.wigletticks'
      - 'api.wizzleticks'
  condition: selection
falsepositives:
  - Legitimate remote administration usage
level: critical
---
title: Suspicious Process Injection via Obfuscated PowerShell
id: b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e
description: Detects PowerShell processes with high entropy arguments commonly used by loaders like IcedID, QakBot, or Smokeloader delivered via these campaigns.
status: experimental
date: 2026/06/21
author: Security Arsenal
tags:
  - attack.defense_evasion
  - attack.t1027
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'EncodedCommand'
      - 'FromBase64String'
      - 'IEX'
      - 'Invoke-Expression'
    CommandLine|re: '[a-zA-Z0-9+/]{50,}={0,2}'
  condition: selection
falsepositives:
  - System administration scripts
level: high
```
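To show how the first and third Sigma rules above behave against endpoint telemetry, here is an added Python example (not Security Arsenal's code) that applies the same matching logic to a few constructed Sysmon-style process_creation events; the field names, sample paths and command lines are assumptions made for the demonstration.

```python
import re

# Term lists mirror the first and third Sigma rules above (added example, not Security Arsenal's code)
BROWSERS = ("\\chrome.exe", "\\firefox.exe", "\\msedge.exe", "\\opera.exe")
INTERPRETERS = ("\\mshta.exe", "\\powershell.exe", "\\cmd.exe")
FAKE_UPDATE_TERMS = (".js", "jscript", "update", "browser")
ENCODED_TERMS = ("encodedcommand", "frombase64string", "iex", "invoke-expression")
BASE64_RUN = re.compile(r"[a-zA-Z0-9+/]{50,}={0,2}")  # the rule's |re pattern, case-sensitive

def fake_update_match(ev):
    """Rule 1: browser parent spawns a script interpreter with update/JS wording (contains is case-insensitive)."""
    parent, image = ev.get("ParentImage", "").lower(), ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    return parent.endswith(BROWSERS) and image.endswith(INTERPRETERS) and any(t in cmd for t in FAKE_UPDATE_TERMS)

def obfuscated_ps_match(ev):
    """Rule 3: powershell.exe with an encoding keyword AND a 50+ character base64-looking run."""
    image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "")
    return (image.endswith("\\powershell.exe")
            and any(t in cmd.lower() for t in ENCODED_TERMS)
            and BASE64_RUN.search(cmd) is not None)

def triage(events):
    """Return (EventId, [matched rule names]) for every event that fires at least one rule."""
    hits = []
    for ev in events:
        rules = [name for name, fn in (("socgholish_fake_update", fake_update_match),
                                       ("obfuscated_powershell", obfuscated_ps_match)) if fn(ev)]
        if rules:
            hits.append((ev["EventId"], rules))
    return hits

# Constructed Sysmon-style process_creation events for demonstration, not real telemetry
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\Public\Downloads\Chrome.Update.js"'},
    {"EventId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand " + "QUJD" * 20},
    {"EventId": 3, "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},   # benign: no update/JS wording, so rule 1 stays quiet
]

if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(rules)}")
```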
```kql
// Hunt for connections to known SocGholish and Okendo compromise domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "promo.summat10n.org",
    "billing.roofnrack.us",
    "devel.asurans.com",
    "api.wigletticks.com",
    "api.wizzleticks.com"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
// Keep the initiating processes and first-seen time per host/domain pair so the summary is actionable
| summarize Count=count(), Processes=make_set(InitiatingProcessFileName), FirstSeen=min(Timestamp) by DeviceName, RemoteUrl
| order by Count desc
```
```powershell
# IOC Hunt Script: Checks for processes and network indicators associated with the threat brief
$MaliciousHosts = @(
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "promo.summat10n.org",
    "billing.roofnrack.us",
    "api.wigletticks.com",
    "api.wizzleticks.com"
)
$SuspiciousProcesses = @(
    "client32.exe", # NetSupport Manager
    "remcos.exe",
    "pythonw.exe", # Often used for Python RATs/Stealers
    "mshta.exe"
)

Write-Host "[+] Checking for Suspicious Process Executions..." -ForegroundColor Cyan
# Get-Process returns ProcessName without the .exe extension, so append it before comparing
$Found = Get-Process | Where-Object { $SuspiciousProcesses -contains "$($_.ProcessName).exe" }
$Found | Select-Object ProcessName, Id, Path

Write-Host "[+] Checking DNS Cache for Malicious Hosts..." -ForegroundColor Cyan
$DnsCache = Get-DnsClientCache | Where-Object { $MaliciousHosts -contains $_.Entry }
if ($DnsCache) {
    $DnsCache | Format-Table Entry, Data, Type
} else {
    Write-Host "No malicious entries found in DNS Cache." -ForegroundColor Green
}

Write-Host "[+] Checking for Established Connections from suspicious processes (ports 80/443)..." -ForegroundColor Cyan
# Reuse the process list gathered above rather than enumerating processes once per connection
Get-NetTCPConnection -State Established | Where-Object {
    ($_.RemotePort -eq 80 -or $_.RemotePort -eq 443) -and
    ($_.OwningProcess -in $Found.Id)
} | Select-Object OwningProcess, RemoteAddress, RemotePort
```
# Response Priorities
* **Immediate (0-4h):**
  * Block all listed IOCs (hostnames and URLs) at the proxy, firewall, and DNS levels.
  * Isolate endpoints exhibiting process chains of `browser -> mshta/powershell`.
  * Inspect web servers for compromise (check WordPress sites for SocGholish injections).
* **24 Hours:**
  * Initiate credential resets for accounts accessed from devices that connected to `api.wigletticks.com` or similar C2 domains (potential credential theft via StealC).
  * Verify the integrity of Okendo Reviews widgets on external-facing e-commerce properties.
* **1 Week:**
  * Patch CVE-2025-11953 if applicable.
  * Implement application control to block `mshta.exe` and Internet-facing PowerShell instances.
  * Review network traffic logs for connections to the Saudi Telecom (STC) IP ranges associated with the 981 identified C2 servers.