Threat Summary
Recent OTX pulses reveal a volatile landscape for credential theft and initial access vectors. While Operation Endgame has successfully disrupted the SocGholish (TA569/GOLD PRELUDE) infrastructure—taking down 106 servers and 15,000 compromised WordPress sites—threat actors are rapidly adapting through supply chain compromises and targeted credential harvesting.
Simultaneously, a new critical threat named FortiBleed has emerged, utilizing exposed attacker infrastructure to harvest credentials from Fortinet SSL VPN gateways via brute force and hash cracking. Concurrently, the SmartApeSG group is leveraging a supply chain attack against the Okendo Reviews widget to deliver StealC and Remcos RAT, while an unidentified campaign uses steganography in financial documents to distribute Agent Tesla and RedLine Stealer.
The collective objective of these campaigns is the acquisition of valid credentials to facilitate initial access, followed by the deployment of information stealers and remote access trojans (RATs) to maintain persistence and enable secondary ransomware operations.
Threat Actor / Malware Profile
Adversaries: GOLD PRELUDE (TA569), SmartApeSG, Unknown (Steganographic Loader), Unknown (FortiBleed).
Key Malware Families:
- SocGholish: A malware framework distributed via fake browser updates. It acts as a loader for major payloads like IcedID, Pikabot, and QakBot. Despite takedowns, remnants of the network (hostnames provided) may still be active or redirecting.
- StealC / Remcos RAT: Delivered via the Okendo supply chain attack. These focus on exfiltrating browser data, system info, and providing remote control.
- Agent Tesla / RedLine Stealer: Distributed via steganographic loaders hidden in fake financial documents. Highly effective at siphoning credentials and cryptocurrency wallets.
- Windows RAT (PostCSS): A multi-stage RAT delivered via typosquatted npm packages imitating `postcss-selector-parser`, targeting developers and build pipelines.
TTPs & Behavior:
- Distribution: Fake browser updates, compromised JS widgets (Okendo), malicious npm packages, and phishing attachments with steganography.
- C2 Communication: HTTP/HTTPS to compromised domains or dedicated IPs; uses PowerShell for download stages.
- Persistence: Scheduled tasks, Registry run keys (common for Agent Tesla/RedLine).
- Anti-Analysis: Heavy use of obfuscation in JavaScript loaders, steganography to hide payloads in images, and fileless execution in memory.
IOC Analysis
The provided indicators span multiple infrastructure types:
- Hostnames (SocGholish): Indicators like `trademark.iglesiaelarca.com` and `billing.roofnrack.us` represent compromised WordPress sites used as Traffic Distribution Systems (TDS) or payload hosts. SOC teams should block these at the proxy/DNS level and hunt for historical DNS requests.
- URLs (Okendo/Supply Chain): The `api.wigetticks.com` and `api.wizzleticks.com` domains are malicious callback servers used by the injected JavaScript. Blocking these at the EGW is critical.
- File Hashes (Steganographic/PostCSS): Multiple MD5 and SHA256 hashes correspond to malicious payloads (loaders, RATs). These should be uploaded to EDR systems for automatic quarantine.
- IPv4 (FortiBleed): IPs such as `85.11.187.8` and `185.229.26.83` are part of the attacker's GPU cracking and harvesting infrastructure. These must be blocked immediately on firewalls.
Operationalization:
- SIEM: Correlate endpoint process creation (MD5 hits) with network connections to the listed IPs/Domains.
- EDR: Hunt for the specific file hashes and look for script processes (`wscript.exe`, `powershell.exe`) spawned by browsers or office apps.
Detection Engineering
title: Suspicious Browser Spawned Script - SocGholish Fake Update Pattern
id: 9be54b3c-6b6c-4b8f-9e1c-3d7b5f1a9e2d
description: Detects potential SocGholish activity where a browser process spawns wscript.exe or cscript.exe with a .js/.jse script argument, indicative of a fake browser update execution.
status: experimental
date: 2026/06/24
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/624567891234567890
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    # Named selection_script rather than filter: it is ANDed into the match, not negated
    selection_script:
        CommandLine|contains:
            - '.js'
            - '.jse'
    condition: selection and selection_script
falsepositives:
    - Legitimate web-based training tools
level: high
---
title: FortiBleed VPN Brute Force Activity
id: a1c2d3e4-5678-90ab-cdef-1234567890ab
description: Detects potential brute force activity targeting Fortinet SSL VPN gateways associated with the FortiBleed campaign, identified by high volume of auth failures or specific attacker IPs.
status: experimental
date: 2026/06/24
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/624567891234567899
tags:
    - attack.credential_access
    - attack.t1110
logsource:
    product: firewall
detection:
    # Inbound brute force: the attacker infrastructure is the source of the connection
    selection_src_ip:
        src_ip:
            - '85.11.187.8'
            - '175.155.64.221'
            - '185.229.26.83'
            - '198.53.64.194'
            - '213.169.49.142'
            - '38.117.87.37'
            - '85.11.187.28'
    # Outbound connections from internal hosts to the same infrastructure
    selection_dst_ip:
        dst_ip:
            - '85.11.187.8'
            - '175.155.64.221'
            - '185.229.26.83'
            - '198.53.64.194'
            - '213.169.49.142'
            - '38.117.87.37'
            - '85.11.187.28'
    selection_port:
        dst_port: 443
    condition: (selection_src_ip or selection_dst_ip) and selection_port
falsepositives:
    - Legitimate VPN connections from these rare IPs (unlikely)
level: critical
---
title: Malicious PowerShell Base64 Encoded Command - Steganographic Loader
id: b2c3d4e5-6789-01bc-def2-345678901234
description: Detects PowerShell commands commonly used in multi-stage loaders like those distributing Agent Tesla or RedLine, characterized by specific encoding flags and download patterns.
status: experimental
date: 2026/06/24
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/624567891234567898
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'FromBase64String'
            - 'DownloadString'
            - 'IEX'
    condition: selection
falsepositives:
    - Administrative scripts
level: medium
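To check the logic of the SocGholish rule above before deploying it, here is an added example (not part of the original report) that applies the same ParentImage / Image / CommandLine conditions to constructed Sysmon-style process-creation events; the paths and file names in the sample events are illustrative.

```python
"""Prototype of the 'Suspicious Browser Spawned Script' Sigma logic over
constructed process-creation events (added example, not the report's own code)."""
import ntpath

BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "opera.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse")

def _basename(path: str) -> str:
    # Sigma string modifiers are case-insensitive, as are Windows paths.
    return ntpath.basename(path).lower()

def is_fake_update_pattern(event: dict) -> bool:
    """True when a browser spawns wscript/cscript with a .js/.jse argument."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    return (parent in BROWSERS and image in SCRIPT_HOSTS
            and any(ext in cmdline for ext in SCRIPT_EXTS))

def hunt(events):
    """Return the subset of events matching the rule."""
    return [e for e in events if is_fake_update_pattern(e)]

# Constructed sample events: two should match, two should not.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Update.js"'},
    {"ParentImage": r"C:\Windows\explorer.exe",            # parent is not a browser
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Scripts\logon.vbs"},
    {"ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",  # child is a browser tab, not a script host
     "CommandLine": r"firefox.exe -contentproc"},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\SysWOW64\cscript.exe",
     "CommandLine": r"CSCRIPT.EXE //E:jscript C:\Users\bob\AppData\Local\Temp\Chrome.Update.JSE"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("[!]", hit["ParentImage"], "->", hit["CommandLine"])
```

Note that `contains '.js'` also matches paths such as `settings.json`; if that proves noisy, tighten the CommandLine condition to the script extensions at the end of a quoted argument.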
KQL (Microsoft Sentinel)

// Hunt for connections to known FortiBleed Infrastructure
DeviceNetworkEvents
| where RemoteIP in ("85.11.187.8", "175.155.64.221", "185.229.26.83", "198.53.64.194", "213.169.49.142", "38.117.87.37", "85.11.187.28")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl

// Hunt for SocGholish Fake Update Execution Pattern
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("chrome.exe", "msedge.exe", "firefox.exe")
| where FileName in ("wscript.exe", "cscript.exe")
| extend CommandLineArgs = tostring(CommandLine)
| where CommandLineArgs contains ".js"
| project Timestamp, DeviceName, AccountName, FileName, CommandLineArgs, InitiatingProcessFileName

// Hunt for specific file hashes from the Steganographic/PostCSS campaigns
DeviceFileEvents
| where SHA256 in ("372f19a45d0eb4c8c52117c6ae2bb8040a91bc72be8670623f957a18c2166985") or MD5 in ("897abf678edad72998554ec18675092f", "afe085b7324d72673eef749ff5f21a49", "c2e25aba8e2ad4cafdd6c633b8ca0906", "4924369c0bdaf73b21eb992eb9db4dea", "f3626a38fcf488c9eed54beb8c7c116f", "208166120775a11cb6680139ea0f3372", "4c1bdb2b045debf5b25e5be540ef99f0")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5
PowerShell Hunt Script

<#
.SYNOPSIS
    IOC Hunt Script for Operation Endgame, FortiBleed, and Steganographic Loader.
.DESCRIPTION
    Checks running processes for known malicious MD5 hashes and network connections for FortiBleed IPs.
#>

# Malicious MD5 Hashes from OTX Pulses
$MaliciousHashes = @(
    "897abf678edad72998554ec18675092f",
    "afe085b7324d72673eef749ff5f21a49",
    "c2e25aba8e2ad4cafdd6c633b8ca0906",
    "4924369c0bdaf73b21eb992eb9db4dea",
    "f3626a38fcf488c9eed54beb8c7c116f",
    "208166120775a11cb6680139ea0f3372",
    "4c1bdb2b045debf5b25e5be540ef99f0"
)

# FortiBleed Attacker IPs
$AttackerIPs = @(
    "85.11.187.8", "175.155.64.221", "185.229.26.83",
    "198.53.64.194", "213.169.49.142", "38.117.87.37", "85.11.187.28"
)

Write-Host "[*] Hunting for running processes matching known malicious hashes..." -ForegroundColor Cyan
Get-Process | ForEach-Object {
    $process = $_
    # Protected/system processes expose no Path; skip them rather than fail hashing
    if (-not $process.Path) { return }
    try {
        # -contains compares case-insensitively, so the uppercase hash output still matches
        $hash = (Get-FileHash -Path $process.Path -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($MaliciousHashes -contains $hash) {
            Write-Host "[!] MALICIOUS PROCESS DETECTED: $($process.ProcessName) (PID: $($process.Id))" -ForegroundColor Red
            Write-Host "    Path: $($process.Path)"
            Write-Host "    Hash: $hash"
        }
    } catch {
        # Ignore access errors
    }
}

Write-Host "[*] Checking for established network connections to FortiBleed infrastructure..." -ForegroundColor Cyan
# Requires admin privileges for Get-NetTCPConnection
try {
    $connections = Get-NetTCPConnection -State Established -ErrorAction Stop
    foreach ($ip in $AttackerIPs) {
        # Named $matched, not $matches: $matches is a PowerShell automatic variable set by -match
        $matched = $connections | Where-Object { $_.RemoteAddress -eq $ip }
        if ($matched) {
            foreach ($conn in $matched) {
                $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
                Write-Host "[!] SUSPICIOUS CONNECTION DETECTED to $ip" -ForegroundColor Red
                Write-Host "    Local Port: $($conn.LocalPort) | Remote Port: $($conn.RemotePort)"
                Write-Host "    Owning Process: $($proc.ProcessName) (PID: $($proc.Id))"
            }
        }
    }
} catch {
    Write-Host "[-] Could not retrieve network connections. Run as Administrator." -ForegroundColor Yellow
}

Write-Host "[*] Hunt complete." -ForegroundColor Green
Response Priorities
Immediate Actions:
- Block all IOCs (IPs, Domains, URLs) at the perimeter firewall, proxy, and EDR levels.
- Isolate any endpoints triggering the Sigma rules above or the hunt script's "MALICIOUS PROCESS DETECTED" alert.
- Initiate a credential reset for any users who have successfully authenticated to the VPN from the FortiBleed IP ranges (if logs indicate success).
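To turn the VPN credential-reset step into a repeatable check, here is an added example (not from the report) that walks VPN authentication logs, counts failures per source IP, and lists the users who authenticated successfully from the FortiBleed IPs. The log lines are constructed in a simplified key=value format loosely modelled on FortiGate SSL VPN event logs; the field names `remip`, `user` and `action` and the failure threshold are assumptions to adapt to your own log source.

```python
"""VPN auth log triage for the FortiBleed response steps (added example,
not the report's own code). Log format and field names are assumed."""
import re
from collections import Counter, defaultdict

# Attacker IPs as listed in the FortiBleed Sigma rule on this page
FORTIBLEED_IPS = {"85.11.187.8", "175.155.64.221", "185.229.26.83",
                  "198.53.64.194", "213.169.49.142", "38.117.87.37", "85.11.187.28"}
FAIL_THRESHOLD = 20   # assumed: failures per source IP before calling it brute force

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    """Parse one key=value log line (quoted values allowed) into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def triage(lines):
    """Return (brute_force_ips, users_to_reset) from VPN auth log lines."""
    failures = Counter()
    successes = defaultdict(set)          # source IP -> users who logged in from it
    for rec in map(parse_line, lines):
        ip, user, action = rec.get("remip"), rec.get("user"), rec.get("action")
        if not ip:
            continue
        if action == "ssl-login-fail":
            failures[ip] += 1
        elif action == "tunnel-up" and user:
            successes[ip].add(user)
    # Flag a source on volume alone, or on any failure from the listed attacker IPs
    brute = {ip for ip, n in failures.items() if n >= FAIL_THRESHOLD or ip in FORTIBLEED_IPS}
    # Any success from attacker infrastructure means that account's credential is burned
    reset = sorted(u for ip in FORTIBLEED_IPS for u in successes.get(ip, ()))
    return sorted(brute), reset

# Constructed sample log lines: an attacker IP spraying then succeeding as jdoe,
# an unrelated IP failing 25 times, and a benign login from a third IP.
SAMPLE_LOG = (
    ['date=2026-06-24 time=08:00:%02d remip=85.11.187.8 user="user%d" action="ssl-login-fail"' % (i, i) for i in range(5)]
    + ['date=2026-06-24 time=08:01:00 remip=85.11.187.8 user="jdoe" action="tunnel-up"']
    + ['date=2026-06-24 time=09:00:%02d remip=203.0.113.7 user="svc_backup" action="ssl-login-fail"' % i for i in range(25)]
    + ['date=2026-06-24 time=09:30:00 remip=198.51.100.12 user="asmith" action="tunnel-up"']
)

if __name__ == "__main__":
    ips, users = triage(SAMPLE_LOG)
    print("Brute-force sources:", ips)
    print("Credential reset required for:", users)
```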
Within 24 Hours:
- Conduct a credential audit for accounts associated with the Okendo Reviews compromise (retail/e-commerce users).
- Hunt for the presence of the malicious npm packages (`postcss-selector-parser` typosquats) in developer build environments.
- Scan internet-facing assets for WordPress vulnerabilities to prevent re-infection by residual SocGholish infrastructure.
Within 1 Week:
- Implement Geo-blocking for VPN access where business logic permits.
- Harden build pipelines to verify package integrity (SBOM validation).
- Update security awareness training to highlight "Fake Browser Updates" and "Financial Document Phishing".