
SocGholish Takedown, INC Ransomware Evolution & Okendo Supply Chain Attack: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 20, 2026
8 min read

Threat Summary

The OTX pulses reveal a complex threat landscape with three major concurrent campaigns. First, Operation Endgame has disrupted the SocGholish (fake browser update) infrastructure operated by GOLD PRELUDE (TA569), which has been active since 2017. The operation remediated nearly 15,000 compromised WordPress sites, but this is only a temporary setback, as the infrastructure was heavily used to distribute multiple malware families, including IcedID, QakBot, TrickBot, and Bumblebee.

Second, INC ransomware has rapidly evolved into a top-tier RaaS operation, capitalizing on the disruption of LockBit and BlackCat to claim over 800 victims since 2023. Their use of Rust-based cross-platform encryptors and CVE exploits (CVE-2023-3519, CVE-2023-48788, CVE-2024-57727, CVE-2025-5777) makes them particularly dangerous.

Third, a supply chain attack targeting the Okendo Reviews widget by SmartApeSG has injected malicious JavaScript into over 18,000 e-commerce sites, delivering NetSupport, Remcos, StealC, and Sectop RAT payloads.

The common theme is sophisticated distribution mechanisms: compromised websites for initial access, supply chain compromises for broad reach, and established botnets for payload delivery.

Threat Actor / Malware Profile

GOLD PRELUDE (TA569)

  • Distribution: Compromised WordPress sites delivering fake browser update prompts
  • Payload Behavior: Initial dropper loads secondary malware families
  • C2 Communication: HTTP/HTTPS to compromised domains
  • Persistence: Registry run keys, scheduled tasks
  • Anti-Analysis: Code obfuscation, environment checks

INC Ransomware

  • Distribution: CVE exploitation, phishing, affiliate network
  • Payload Behavior: Rust-based encryptors for Windows and Linux/ESXi
  • C2 Communication: Tor-based onion sites for victim negotiations
  • Persistence: Service creation, WMI event consumers
  • Anti-Analysis: Anti-debugging, anti-VM techniques

SmartApeSG

  • Distribution: Compromised third-party JavaScript widgets (Okendo Reviews)
  • Payload Behavior: Staged loader with localStorage-based C2
  • C2 Communication: HTTPS to domains like wigletticks.com
  • Persistence: Web-based infection, no system persistence
  • Anti-Analysis: JavaScript obfuscation, encrypted payloads

IOC Analysis

The indicators include:

  • Hostnames (12): Compromised WordPress domains used by SocGholish
  • Domains (2): Tor onion sites for INC ransomware operations
  • CVEs (3): Vulnerabilities exploited by INC affiliates
  • FileHash-SHA256 (1): INC ransomware sample
  • URLs (3): Malicious JavaScript endpoints for Okendo attack

SOC teams should immediately block all hostnames and domains at the perimeter and inspect network logs for connections to these endpoints. File hashes should be checked against SIEM alerts and endpoint detection systems. CVEs should be prioritized for patching. URLs should be blocked in web proxies and inspected in proxy logs.

Recommended tooling:

  • Suricata/Snort for network detection
  • YARA for file analysis
  • Sigma/SIEM for log analysis
  • Threat intelligence platforms for IOC enrichment
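To act on the host indicators above without the two usual mistakes (substring matching that also fires on look-alike names, and exact matching that misses subdomains, an explicit port or a trailing dot), here is an added Python matcher that is not part of the page's detection pack: it takes the page's hostname list and runs it over a proxy log constructed for the demo, reporting a hit only when a host equals an indicator or is a subdomain of one.

```python
# Added example: hostname IOC matcher over a constructed proxy log (not the page's own tooling).
import re

MALICIOUS_HOSTS = frozenset({  # host indicators from the page's KQL and PowerShell hunts
    "trademark.iglesiaelarca.com", "content.garretttrails.org",
    "promo.summat10n.org", "billing.roofnrack.us", "devel.asurans.com",
    "storehouse.beautysupplysalonllc.com", "samples.addisgraphix.com",
    "api-app.uppercrafteroom.com", "incblog.su", "wigletticks.com",
    "wizzleticks.com",
})

# Constructed proxy log: "<timestamp> <client-ip> <destination-host> <status>"
SAMPLE_LOG = """\
2026-06-20T09:12:01Z 10.0.5.23 wigletticks.com 200
2026-06-20T09:12:05Z 10.0.5.23 cdn.wigletticks.com:443 200
2026-06-20T09:13:10Z 10.0.7.9 notincblog.su 200
2026-06-20T09:14:00Z 10.0.7.9 INCBLOG.SU. 000
this line is not a proxy record
2026-06-20T09:15:30Z 10.0.9.4 www.example.com 304
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})$")

def normalize_host(host):
    """Lower-case, drop an explicit port and a trailing root dot."""
    host = host.strip().lower()
    if ":" in host and not host.startswith("["):  # leave IPv6 literals alone
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def matching_indicator(host, indicators=MALICIOUS_HOSTS):
    """Return the indicator that host equals or sits under, else None."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):  # try a.b.c, then b.c, then c
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def hunt(log_text, indicators=MALICIOUS_HOSTS):
    """Return (timestamp, client, host, indicator) for every matching record."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # unparseable record: skip it rather than guess
            continue
        ioc = matching_indicator(m["host"], indicators)
        if ioc:
            hits.append((m["ts"], m["src"], m["host"], ioc))
    return hits
```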

Detection Engineering

Sigma rules (YAML)
---
title: Potential SocGholish Fake Browser Update Execution
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential execution of SocGholish fake browser update scripts which are often distributed via compromised WordPress sites
references:
    - https://otx.alienvault.com/pulse/6265b7e4a5a5e74b6715c3f4/
author: Security Arsenal
date: 2026/06/20
tags:
    - attack.initial_access
    - attack.t1189
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'browser_update.js'
            - 'chrome_update.js'
            - 'firefox_update.js'
            - 'edge_update.js'
            - 'browser_upgrade.js'
    condition: selection
falsepositives:
    - Legitimate browser update processes
level: high
---
title: Okendo Reviews Widget Malicious JavaScript Injection
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects connections to suspicious domains associated with the Okendo Reviews supply chain attack delivering Remote Access Trojans
references:
    - https://otx.alienvault.com/pulse/6265b7e4a5a5e74b6715c3f5/
author: Security Arsenal
date: 2026/06/20
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'wigletticks.com'
            - 'wizzleticks.com'
            - 'okendo.io'
    condition: selection
falsepositives:
    - Legitimate connections to okendo.io (verify with security team)
level: high
---
title: Potential INC Ransomware Activity
id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects potential INC ransomware activity including process execution patterns and known ransomware behavior
references:
    - https://otx.alienvault.com/pulse/6265b7e4a5a5e74b6715c3f6/
author: Security Arsenal
date: 2026/06/20
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\inc.exe'
            - '\inc_enc.exe'
            - '\decryptor.exe'
    selection_2:
        CommandLine|contains:
            - '-encrypt'
            - '-enc'
            - '--encryption'
            - '-lock'
    condition: 1 of selection*
falsepositives:
    - Legitimate encryption utilities
    - PowerShell -EncodedCommand (-enc) and other tools whose switches contain the listed substrings
level: critical
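To see what the INC rule above actually fires on before shipping it, here is an added Python mini-evaluator (not Sigma's own engine and not code from this page) that implements only the modifiers and the `1 of selection*` condition that rule uses and runs it over constructed process events; the encoded PowerShell event satisfies selection_2 through the `-enc` substring alone, which is the tuning point the falsepositives entry has to cover.

```python
# Added example: mini-evaluator for the page's INC ransomware Sigma rule (not Sigma's engine).

# The two selections exactly as written in the page's rule
INC_RULE = {
    "selection": {
        "Image|endswith": ["\\inc.exe", "\\inc_enc.exe", "\\decryptor.exe"],
    },
    "selection_2": {
        "CommandLine|contains": ["-encrypt", "-enc", "--encryption", "-lock"],
    },
}

# Constructed process_creation events (Sysmon/EDR-style field names)
EVENTS = [
    {"Image": r"C:\Users\Public\inc.exe",
     "CommandLine": r"C:\Users\Public\inc.exe --encryption full"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA"},  # benign admin script
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a backup.7z D:\docs"},
]

def field_matches(event, key, values):
    """Apply one 'Field|modifier: [values]' entry; the value list is an OR."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()  # Sigma string matching is case-insensitive
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False

def selection_matches(event, selection):
    """Every field inside one selection must match (a Sigma map is an AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def fired_selections(event, rule=INC_RULE):
    """Selections that match; '1 of selection*' fires when this list is non-empty."""
    return [name for name, sel in rule.items()
            if name.startswith("selection") and selection_matches(event, sel)]

def evaluate(events=EVENTS, rule=INC_RULE):
    """Map each event's image file name to the selections it triggered."""
    return {e["Image"].rsplit("\\", 1)[-1]: fired_selections(e, rule)
            for e in events}
```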


KQL (Microsoft Defender advanced hunting)
// Hunt for connections to known malicious domains from OTX pulses
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "promo.summat10n.org",
    "billing.roofnrack.us",
    "devel.asurans.com",
    "storehouse.beautysupplysalonllc.com",
    "samples.addisgraphix.com",
    "api-app.uppercrafteroom.com",
    "incblog.su",
    "wigletticks.com",
    "wizzleticks.com"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| sort by Timestamp desc

// Hunt for command lines that reference the INC-related CVE IDs (scanner or PoC tooling run on an endpoint);
// real exploitation traffic does not carry the CVE ID, so treat this as a lead, not as proof of compromise
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
    "CVE-2023-3519",
    "CVE-2023-48788",
    "CVE-2024-57727",
    "CVE-2025-5777"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| sort by Timestamp desc


PowerShell hunt script
# IOC Hunt Script for SocGholish, INC Ransomware, and Okendo Supply Chain Attack
# Run with elevated privileges
param(
    [switch]$Detailed
)

# Malicious hostnames from OTX pulses
$MaliciousHosts = @(
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "promo.summat10n.org",
    "billing.roofnrack.us",
    "devel.asurans.com",
    "storehouse.beautysupplysalonllc.com",
    "samples.addisgraphix.com",
    "api-app.uppercrafteroom.com",
    "incblog.su",
    "wigletticks.com",
    "wizzleticks.com"
)

# Known malicious file hashes
$MaliciousHashes = @(
    "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141"
)

Write-Host "Starting IOC Hunt based on OTX Pulses from 2026-06-20" -ForegroundColor Cyan

# Check for malicious processes
Write-Host "`n[+] Checking for suspicious processes..." -ForegroundColor Yellow
$SuspiciousProcesses = Get-Process | Where-Object {
    $_.ProcessName -match "browser_update|chrome_update|firefox_update|edge_update" -or
    $_.Path -match "inc\.exe|inc_enc\.exe|decryptor\.exe"
}

if ($SuspiciousProcesses) {
    Write-Host "Found suspicious processes:" -ForegroundColor Red
    $SuspiciousProcesses | Select-Object ProcessName, Id, Path | Format-Table
} else {
    Write-Host "No suspicious processes found." -ForegroundColor Green
}

# Check for network connections to malicious hosts
# Note: the reverse DNS lookup below rarely returns the indicator name for CDN or shared-hosting
# addresses, so treat proxy and DNS logs as the primary source and this check as a quick triage
Write-Host "`n[+] Checking for network connections to malicious hosts..." -ForegroundColor Yellow
$MaliciousConnections = Get-NetTCPConnection | ForEach-Object {
    $Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $RemoteAddress = $_.RemoteAddress
    try {
        $RemoteHost = [System.Net.Dns]::GetHostEntry($RemoteAddress).HostName
    } catch {
        $RemoteHost = $RemoteAddress
    }
    
    if ($MaliciousHosts -contains $RemoteHost) {
        [PSCustomObject]@{
            ProcessName = $Process.ProcessName
            ProcessId = $_.OwningProcess
            RemoteAddress = $RemoteAddress
            RemoteHost = $RemoteHost
            RemotePort = $_.RemotePort
            State = $_.State
        }
    }
}

if ($MaliciousConnections) {
    Write-Host "Found connections to malicious hosts:" -ForegroundColor Red
    $MaliciousConnections | Format-Table
} else {
    Write-Host "No connections to malicious hosts found." -ForegroundColor Green
}

# Check browser cache for fake update pages
Write-Host "`n[+] Checking browser cache for fake update pages..." -ForegroundColor Yellow
$BrowserPaths = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache",
    "$env:LOCALAPPDATA\Mozilla\Firefox\Profiles",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Cache"
)

$FakeUpdateFiles = @()
foreach ($Path in $BrowserPaths) {
    if (Test-Path $Path) {
        $FakeUpdateFiles += Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match "browser_update|chrome_update|firefox_update|edge_update" }
    }
}

if ($FakeUpdateFiles) {
    Write-Host "Found potentially fake update files:" -ForegroundColor Red
    $FakeUpdateFiles | Select-Object FullName, Length, LastWriteTime | Format-Table
} else {
    Write-Host "No fake update files found." -ForegroundColor Green
}

# Check for scheduled tasks with suspicious names
Write-Host "`n[+] Checking for suspicious scheduled tasks..." -ForegroundColor Yellow
$SuspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.TaskName -match "browser_update|chrome_update|firefox_update|edge_update" -or
    $_.Actions.Execute -match "inc\.exe|inc_enc\.exe"
}

if ($SuspiciousTasks) {
    Write-Host "Found suspicious scheduled tasks:" -ForegroundColor Red
    $SuspiciousTasks | Select-Object TaskName, State | Format-Table
} else {
    Write-Host "No suspicious scheduled tasks found." -ForegroundColor Green
}

# Check for files with known malicious hashes
# Note: hashing every file on every drive is slow; scope to user-writable and temp paths if time is short
Write-Host "`n[+] Checking for files with known malicious hashes..." -ForegroundColor Yellow
$SystemDrives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -ne "\" }

$MaliciousFiles = @()
foreach ($Drive in $SystemDrives) {
    # -File keeps directories out of the pipeline so Get-FileHash is only called on real files
    $MaliciousFiles += Get-ChildItem -Path $Drive.Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($Hash -and $MaliciousHashes -contains $Hash.Hash) {
                [PSCustomObject]@{
                    Path = $_.FullName
                    Hash = $Hash.Hash
                }
            }
        }
}

if ($MaliciousFiles) {
    Write-Host "Found files with known malicious hashes:" -ForegroundColor Red
    $MaliciousFiles | Format-Table
} else {
    Write-Host "No files with known malicious hashes found." -ForegroundColor Green
}

# Check for registry persistence mechanisms
Write-Host "`n[+] Checking for suspicious registry persistence..." -ForegroundColor Yellow
$PersistenceKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

$SuspiciousRegistryEntries = @()
foreach ($Key in $PersistenceKeys) {
    if (Test-Path $Key) {
        $SuspiciousRegistryEntries += Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue | 
            Get-Member -MemberType NoteProperty | 
            Where-Object { 
                $Name = $_.Name
                $Value = (Get-ItemProperty -Path $Key).$Name
                $Name -match "browser_update|chrome_update|firefox_update|edge_update" -or
                $Value -match "inc\.exe|inc_enc\.exe|browser_update"
            } | 
            ForEach-Object {
                [PSCustomObject]@{
                    Key = $Key
                    Name = $_.Name
                    Value = (Get-ItemProperty -Path $Key).$($_.Name)
                }
            }
    }
}

if ($SuspiciousRegistryEntries) {
    Write-Host "Found suspicious registry entries:" -ForegroundColor Red
    $SuspiciousRegistryEntries | Format-Table
} else {
    Write-Host "No suspicious registry entries found." -ForegroundColor Green
}

Write-Host "`n[+] IOC hunt completed." -ForegroundColor Cyan

Response Priorities

Immediate (0-12 hours)

  • Block all hostnames and domains from OTX pulses at perimeter defenses
  • Deploy Sigma rules across SIEM/EDR platforms
  • Execute hunt scripts across critical endpoints
  • Update web proxy filters to block malicious URLs
  • Review recent web logs for connections to compromised Okendo widget domains

24 Hours

  • Conduct identity verification for users with potential credential-stealing malware exposure
  • Prioritize patching of CVE-2023-3519, CVE-2023-48788, CVE-2024-57727, and CVE-2025-5777
  • Hunt for evidence of persistence mechanisms (scheduled tasks, registry keys)
  • Review browser extension installations for malicious components

1 Week

  • Implement application whitelisting for browser update mechanisms
  • Enhance monitoring for third-party JavaScript components
  • Conduct vulnerability assessment of WordPress installations
  • Review and harden supply chain security for third-party components
  • Establish dedicated monitoring for ransomware precursors
