SocGholish Takedown, Okendo Supply Chain, and Middle East C2 Surge: OTX Pulse Analysis

Threat Summary

Recent OTX pulses reveal a volatile threat landscape characterized by three distinct but interconnected vectors: large-scale nation-state infrastructure hosting, the disruption of a major malware distribution network, and a high-impact supply chain compromise targeting e-commerce.

Middle East Infrastructure Consolidation: A significant concentration of Command and Control (C2) infrastructure has been mapped across the Middle East, specifically within Saudi Arabia's STC network. Over 1,350 C2 servers are facilitating operations for APT groups (APT28, Energetic Bear) and cybercriminals alike. The infrastructure heavily supports RATs (AsyncRAT, NetSupport, Remcos) and IoT botnets (Hajime, Mozi).

Operation Endgame Impact: The multinational law enforcement operation "Endgame" has successfully disrupted the SocGholish (Fake Browser Update) malware framework. While this dismantles 106 servers and 15,000 compromised WordPress sites, threat actors like GOLD PRELUDE are actively pivoting to maintain persistence using secondary loaders like IcedID and Pikabot.

Supply Chain Compromise: Simultaneously, a new supply chain attack targeting the "Okendo Reviews" widget (used by 18,000+ brands) has emerged. The actor SmartApeSG is injecting malicious JavaScript to deliver NetSupport, Remcos, and StealC, bypassing traditional network defenses by leveraging trusted e-commerce domains.

Threat Actor / Malware Profile

SmartApeSG (Okendo Campaign)

Objective: Initial access via trusted third-party components to deploy Remote Access Trojans (RATs) and infostealers.
Distribution: Malicious JavaScript injection into the legitimate okendo-reviews.js library. The script acts as a staged loader, utilizing obfuscation and localStorage to evade detection.
Payload Behavior: The injected JS reaches out to C2 domains (wigletticks.com, wizzleticks.com) to fetch secondary payloads. It ultimately drops NetSupport Manager, Remcos, and StealC.
Persistence: RATs establish persistence via scheduled tasks or registry run keys, allowing for long-term remote control and data exfiltration.

GOLD PRELUDE / TA569 (SocGholish)

Objective: Initial access leading to ransomware deployment (LockBit, Rhadamanthys).
Distribution: Compromised WordPress sites displaying fake "Chrome/Firefox Update" prompts.
Current Status: Infrastructure disrupted by Operation Endgame, but underlying TTPs (fake updates) remain a high-risk vector as copycats emerge.

Notable Malware Families

NetSupport RAT / Remcos: Legitimate tools weaponized for remote access. Frequently used in the Middle East campaigns and the Okendo attack.
AsyncRAT: A .NET-based RAT popular in the crimeware ecosystem, communicating via HTTP/HTTPS.
SocGholish: JavaScript-based malware loader serving as an entry point for banking trojans and ransomware.

IOC Analysis

The indicators provided highlight a blend of infrastructure takeover and legitimate abuse:

Hostnames (SocGholish): A list of compromised WordPress domains (e.g., trademark.iglesiaelarca.com, storehouse.beautysupplysalonllc.com). These domains serve the malicious JScript payloads.
URLs (Okendo): The specific path to the compromised widget (cdn-static.okendo.io/...) and the C2 endpoints (api.wigletticks.com, api.wizzleticks.com). The C2 domains use TLS to blend in with normal web traffic.
CVE (Pulse 1): CVE-2025-11953 is referenced in the context of the Middle East infrastructure mapping, likely associated with the initial exploitation of the servers hosting the C2 nodes.

Operational Guidance: SOC teams should immediately block the listed hostnames and URLs at the proxy. The domains in Pulse 2 should be added to DNS sinkholes. Due to the supply chain nature of Pulse 3, network detection requires deep packet inspection (DPI) of JavaScript content loaded from okendo.io or blocking the specific C2 hostnames if the widget cannot be temporarily disabled.

Detection Engineering

Sigma Rules

YAML

---
title: Potential SocGholish Fake Browser Update Execution
id: 8f452c62-8f1a-4884-8e3b-123456789012
description: Detects execution of JScript or VBScript initiated by a browser, typical of Fake Browser Update campaigns like SocGholish.
status: experimental
date: 2026/06/23
author: Security Arsenal
tags:
  - attack.initial_access
  - attack.t1189
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - \chrome.exe
      - \firefox.exe
      - \msedge.exe
      - \opera.exe
    Image|endswith:
      - \wscript.exe
      - \cscript.exe
      - \mshta.exe
    CommandLine|contains:
      - '.js'
      - '.vbs'
  condition: selection
falsepositives:
  - Legitimate web-based administration tools
level: high
---
title: Okendo Reviews Malicious JS Injection C2 Traffic
id: b391d4e5-6a7b-4c8d-9e0f-987654321098
description: Detects network connections to known malicious C2 domains associated with the Okendo Reviews supply chain attack.
status: experimental
date: 2026/06/23
author: Security Arsenal
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationHostname|endswith:
      - wigletticks.com
      - wizzleticks.com
  condition: selection
falsepositives:
  - Unknown
level: critical
---
title: Suspicious AsyncRAT or NetSupport Process Activity
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects execution patterns consistent with AsyncRAT or NetSupport RAT loaders and C2 beacons observed in Middle East campaigns.
status: experimental
date: 2026/06/23
author: Security Arsenal
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - \powershell.exe
      - \cmd.exe
    CommandLine|contains:
      - 'DownloadString'
      - 'iex'
      - 'Invoke-Expression'
    CommandLine|contains:
      - 'asyncrat'
      - 'netsupport'
      - 'remcos'
  condition: selection
falsepositives:
  - Legitimate admin scripting
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for SocGholish related process execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ('chrome.exe', 'firefox.exe', 'msedge.exe')
| where FileName in~ ('wscript.exe', 'cscript.exe', 'mshta.exe')
| where ProcessCommandLine has '.js' or ProcessCommandLine has '.vbs'
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine

// Hunt for Okendo C2 Network Traffic
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any ('wigletticks.com', 'wizzleticks.com')
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName

// Hunt for RAT C2 connections (AsyncRAT/NetSupport commonly use specific ports)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080)
| where InitiatingProcessFileName in~ ('client32.exe', 'client.exe', 'Remcos.exe', 'python.exe') // Common RAT binaries
| summarize count() by DeviceName, RemoteUrl, InitiatingProcessFileName

PowerShell Hunt Script

PowerShell

<#
.SYNOPSIS
    Hunts for artifacts associated with OTX Pulses: Okendo (SmartApeSG), SocGholish, and Middle East RATs.
.DESCRIPTION
    Checks for running processes of NetSupport/Remcos/AsyncRAT and suspicious scheduled tasks.
#>

Write-Host "[+] Starting Hunt for OTX Pulse Indicators..." -ForegroundColor Cyan

# 1. Check for Malicious Processes (RATs)
$MaliciousProcesses = @("client32.exe", "Remcos.exe", "AsyncRAT.exe", "NetSupport Manager")
$RunningProcesses = Get-Process | Where-Object { $MaliciousProcesses -contains $_.ProcessName }

if ($RunningProcesses) {
    Write-Host "[!] ALERT: Found suspicious RAT processes running:" -ForegroundColor Red
    $RunningProcesses | Select-Object ProcessName, Id, Path
} else {
    Write-Host "[-] No malicious RAT processes found." -ForegroundColor Green
}

# 2. Check for Scheduled Tasks (Common Persistence)
$SuspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.TaskName -like "*Update*" -or 
    $_.TaskName -like "*Chrome*" -or 
    $_.TaskName -like "*Flash*" -or
    $_.Actions.Execute -like "*wscript*" -or
    $_.Actions.Execute -like "*powershell*"
}

if ($SuspiciousTasks) {
    Write-Host "[!] ALERT: Found suspicious scheduled tasks:" -ForegroundColor Yellow
    $SuspiciousTasks | Select-Object TaskName, State, Actions
} else {
    Write-Host "[-] No suspicious scheduled tasks found." -ForegroundColor Green
}

# 3. Check Browser Cache for Okendo/SocGholish domains
$Domains = @("wigletticks.com", "wizzleticks.com", "trademark.iglesiaelarca.com")
Write-Host "[+] Checking DNS Cache for malicious domains..."
$DnsCache = Get-DnsClientCache | Where-Object { $Domains -contains $_.Entry }

if ($DnsCache) {
    Write-Host "[!] ALERT: Found DNS cache entries for malicious domains:" -ForegroundColor Red
    $DnsCache
} else {
    Write-Host "[-] No malicious DNS cache entries found." -ForegroundColor Green
}

Write-Host "[+] Hunt complete."

Response Priorities

Immediate:
- Block all hostnames listed in the "Operation Endgame" pulse and the C2 URLs from the "Okendo" pulse at the proxy and firewall.
- Identify all systems running the Okendo Reviews widget and temporarily disable the plugin pending a version update or integrity check.
24 Hours:
- Credential Audit: Since NetSupport, Remcos, and IcedID are stealer-capable, initiate password resets for privileged accounts on machines identified as potentially infected.
- Isolate hosts where the PowerShell or Sigma hunts triggered positive alerts.
1 Week:
- Architecture Hardening: Implement strict allow-listing for browser-installed extensions and JavaScript execution.
- Patching: Verify patching for CVE-2025-11953 on all internet-facing servers.
- Supply Chain Review: Audit all third-party JavaScript libraries loaded on public-facing web properties for integrity.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub