SocGholish
SocGholish, also tracked as FakeUpdates, is a JavaScript-based loader and initial-access framework active since at least 2017. It is delivered mainly through compromised legitimate websites, via drive-by compromise or injected scripts, using fake browser or software update lures. The payload executes as JavaScript and leads to follow-on tooling such as Cobalt Strike, NetSupport RAT, and Python-based backdoors. Reported delivery chains include fake update pages that serve a ZIP archive containing a .js (or .lnk) file, which the user double-clicks and which then runs under WScript.
The family is strongly associated with financially motivated initial-access activity. Public reporting links it to TA569 (also tracked as GOLD PRELUDE) and to Microsoft-tracked DEV-0206, an access broker that uses SocGholish/FakeUpdates malvertising to deliver JavaScript loaders that commonly lead to Cobalt Strike deployment. Reporting also notes downstream relationships with Evil Corp-linked activity, including DEV-0243 and UNC2165, and states that UNC1543 has distributed the FAKEUPDATES JavaScript downloader through drive-by downloads. In one Microsoft-reported case, existing Raspberry Robin infections were used to deploy FakeUpdates.
Reported behavior includes browser fingerprinting and victim profiling before payload delivery, IP-based geolocation that limits infections to victims in North America, Europe, and a small number of Asia-Pacific countries, WMI calls for script execution and system profiling, and local staging of command output. One cited artifact is that SocGholish writes the output of whoami to a file in the user's temp directory named rad<5-hex-chars>.tmp. ATT&CK mappings associate SocGholish with JavaScript execution, drive-by compromise, spearphishing links, user execution via malicious links, local data staging, ingress tool transfer, exfiltration over unencrypted non-C2 protocols, discovery, masquerading, obfuscated or compressed files, web service use, and Windows Management Instrumentation.
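The two endpoint artifacts described above, a .js launched by wscript.exe out of a ZIP-extraction or download folder and whoami output staged to rad<5-hex-chars>.tmp, translate directly into a hunt over process- and file-creation telemetry. The following Python is an added example, not code from this page or from any vendor. It assumes Sysmon-style events (EventID 1 process creation with image, parent and cmdline; EventID 11 file creation with image and target) already normalised into dicts; the sample events are constructed for the example.

```python
"""Endpoint hunt for SocGholish execution and staging artifacts.

Added example (not the page's or a vendor's code). Assumes Sysmon-style
telemetry normalised into dicts: EventID 1 (process create) with
image/parent/cmdline, EventID 11 (file create) with image/target.
"""
import re

# whoami output staged as %TEMP%\rad<5 hex chars>.tmp (artifact cited on the page)
RAD_TMP = re.compile(r"\\temp\\rad[0-9a-f]{5}\.tmp\b", re.IGNORECASE)
# a .js argument on the command line (".json" does not match because of \b)
JS_ARG = re.compile(r"\.js\b", re.IGNORECASE)
# Downloads, %TEMP%, or the Temp<N>_<name>.zip folder Explorer creates when a
# user double-clicks a file inside a ZIP without extracting it first
DROP_DIR = re.compile(r"\\(downloads|temp)\\|\\temp\d*_[^\\]+\.zip\\", re.IGNORECASE)


def suspicious_wscript(ev):
    """wscript.exe running a .js from a download or ZIP-extraction location."""
    if ev.get("id") != 1 or not ev.get("image", "").lower().endswith("wscript.exe"):
        return False
    cmd = ev.get("cmdline", "")
    return bool(JS_ARG.search(cmd) and DROP_DIR.search(cmd))


def rad_tmp_artifact(ev):
    """rad<5-hex>.tmp either created in %TEMP% or named as a redirect target."""
    if ev.get("id") == 11:
        return bool(RAD_TMP.search(ev.get("target", "")))
    if ev.get("id") == 1:
        return bool(RAD_TMP.search(ev.get("cmdline", "")))
    return False


def hunt(events):
    """Return (label, event) pairs for every matching event, in input order."""
    hits = []
    for ev in events:
        if suspicious_wscript(ev):
            hits.append(("wscript_js_from_drop_dir", ev))
        if rad_tmp_artifact(ev):
            hits.append(("rad_tmp_staging", ev))
    return hits


# Constructed sample telemetry: three malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" '
                r'"C:\Users\alice\AppData\Local\Temp\Temp1_Update.zip\Chrome.Update.js"'},
    {"id": 11, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\rad3A7F1.tmp"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"cmd.exe /c whoami > C:\Users\alice\AppData\Local\Temp\rad3A7F1.tmp"},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"wscript.exe C:\ProgramData\Vendor\logon.vbs"},
    {"id": 11, "image": r"C:\Program Files\App\app.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\tmpA1B2.tmp"},
]

if __name__ == "__main__":
    for label, ev in hunt(SAMPLE_EVENTS):
        print(label, ev.get("cmdline") or ev.get("target"))
```

The two checks are deliberately independent: the wscript rule fires at delivery time, the rad-tmp rule fires once the loader starts profiling, so a host that matches both in a short window is a strong candidate for the hands-on-keyboard follow-up described later on this page. Tune DROP_DIR to the locations your users actually open archives from; the logon.vbs event shows why the .js and drop-folder conditions are both required.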
The malware is repeatedly described as a precursor to hands-on-keyboard intrusion and pre-ransomware staging. SocGholish intrusion chains commonly progress from social-engineering delivery into reconnaissance and proxy-based access, and several reports compare newer chains such as ClickFix to SocGholish on that basis. A Mandiant case cited here describes UNC2165 beginning interactive activity about 70 minutes after a FAKEUPDATES infection, later destroying backups and deploying RansomHub ransomware. Additional reporting states that ViperTunnel, a Python-based backdoor intended to maintain long-term access for later sale to ransomware groups, is often deployed after FAKEUPDATES infections.
Targeting is broad and opportunistic: Windows users visiting compromised websites, with particular relevance to enterprise environments because the resulting access is sold or handed off to other actors. Reporting also notes increasing use of CVE-2026-41940 in attack chains in which TA569/SocGholish compromises legitimate websites via web injects. Website compromises linked to SocGholish have also involved stolen admin credentials, malicious plugin uploads, hidden admin account creation, and JavaScript-based backdoors or login stealers on compromised CMS platforms.
Infrastructure and hunting details include a coordinated campaign wave launched 2026-03-02 that deployed 11 stage-1 JavaScript injectors across six C2 domains and five identified IPs. The injected stage-1 loaders shared an IIFE structure and reused base64 campaign tokens in URL paths.
C2 domains:
editions.seattlemysterylovers[.]com
clients.dedicatedservicesusa[.]com
circle.innovativecsportal[.]com
dashnex.plexusmarket[.]fund
static.twalls5280[.]com
support.traininghub[.]world
C2 IPs:
190.211.254.31
141.193.213.10
45.76.250.221
45.32.199.48
170.75.160.84
Additional hunting guidance describes a FakeUpdates URL pattern: an all-alphabetic domain under any top-level domain, a /font/ folder, and an alphabetic .php filename, returning HTML responses at low request counts.
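The URL pattern and the domain list above combine naturally into a proxy-log hunt. The following Python is an added example, not code from this page or from any vendor. The six domains are the ones listed on the page, kept defanged in the source and refanged only for matching; the log lines, their space-separated "ts client method url status content-type" layout, the example.com hosts and the base64-looking path token are all constructed for the example. The volume threshold (max_requests) is an assumption to tune per estate.

```python
"""Proxy-log hunt for the FakeUpdates /font/<name>.php URL pattern and for the
March 2026 C2 domains listed above.

Added example (not the page's or a vendor's code). Log lines are constructed
and their 'ts client method url status content-type' layout is an assumption.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Host made only of alphabetic labels (any TLD) and a path of exactly /font/<alpha>.php
ALPHA_HOST = re.compile(r"^(?:[a-z]+\.)+[a-z]+$")
FONT_PHP_PATH = re.compile(r"^/font/[a-z]+\.php$")

# Indicators as printed on the page, kept defanged; refanged only for matching.
C2_DOMAINS_DEFANGED = [
    "editions.seattlemysterylovers[.]com",
    "clients.dedicatedservicesusa[.]com",
    "circle.innovativecsportal[.]com",
    "dashnex.plexusmarket[.]fund",
    "static.twalls5280[.]com",
    "support.traininghub[.]world",
]
C2_DOMAINS = {d.replace("[.]", ".") for d in C2_DOMAINS_DEFANGED}


def parse(line):
    ts, client, method, url, status, ctype = line.split()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status), "ctype": ctype}


def matches_font_pattern(url):
    """True for http(s)://<alpha.labels>.<tld>/font/<alpha>.php with any query string."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return bool(ALPHA_HOST.match(host) and FONT_PHP_PATH.match(u.path))


def hunt(lines, max_requests=5):
    """Flag known C2 domains, then low-volume HTML responses on the URL pattern.

    Volume filter: a /font/*.php URL fetched many times across the estate is
    more likely a real site feature than a one-shot lure delivery.
    """
    recs = [parse(l) for l in lines if l.strip()]
    counts = Counter(r["url"] for r in recs)
    findings, seen = [], set()
    for r in recs:
        host = (urlsplit(r["url"]).hostname or "").lower()
        if host in C2_DOMAINS:
            reason = "known_c2_domain"
        elif (matches_font_pattern(r["url"]) and r["ctype"].startswith("text/html")
              and counts[r["url"]] <= max_requests):
            reason = "fakeupdates_font_php_pattern"
        else:
            continue
        if (reason, r["url"]) not in seen:
            seen.add((reason, r["url"]))
            findings.append({"reason": reason, "url": r["url"],
                             "client": r["client"], "requests": counts[r["url"]]})
    return findings


# Constructed sample log: one known-C2 hit, one pattern hit, one known-C2 hit that
# the alphabetic host regex alone would miss (digits in the label), and a busy
# /font/index.php endpoint that the volume filter drops.
SAMPLE_LOG = [
    "2026-03-03T10:14:02Z 10.1.4.22 GET https://editions.seattlemysterylovers.com/font/abcd.php 200 text/html",
    "2026-03-03T10:14:03Z 10.1.4.22 GET https://fonts.example.com/css?family=Roboto 200 text/css",
    "2026-03-03T10:15:10Z 10.1.4.22 GET https://cdn.example.net/font/roboto.woff2 200 font/woff2",
    "2026-03-03T11:02:15Z 10.1.7.3 GET https://glyphs.example.com/font/load.php 200 text/html",
    "2026-03-03T11:30:00Z 10.1.2.2 GET http://static.twalls5280.com/js/Zm9vYmFy 200 text/javascript",
] + [
    f"2026-03-03T09:{i:02d}:00Z 10.1.5.{i} GET https://brand.example.com/font/index.php 200 text/html"
    for i in range(1, 21)
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding["reason"], finding["url"], finding["client"], finding["requests"])
```

The static.twalls5280 line is the reason to run both checks: a digit in a host label defeats the alphabetic-host heuristic, but the indicator list still catches it. Conversely the pattern check is what finds the next wave, whose domains will not be on any list yet.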
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2026-41940, the cPanel authentication bypass, illustrates the opportunistic mass-exploitation pattern most clearly. What began as exploratory probing evolved into a multi-actor campaign combining ransomware deployment, website defacement, and — in at least one documented case — targeted cyber-espionage.
We also now increasingly observe this vulnerability within attack chains of threat actors that rely on compromising legitimate websites via web inject, such as TA569 (SocGholish).
Groups observed using it
14 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
We also now increasingly observe this vulnerability within attack chains of threat actors that rely on compromising legitimate websites via web inject, such as TA569 (SocGholish).
A coordinated SocGholish (FakeUpdates) campaign wave launched 2026-03-02 deployed 11 stage-1 JavaScript injectors across 6 distinct C2 domains hosted by 4 providers spanning Panama, the United States, and Canada.
"SocGholish, a malware delivery framework active since 2017... spreads through malicious JavaScript injected into compromised websites and uses fake browser-update prompts to trick users into downloading payloads."
The new RomCom campaign uses SocGholish fake update lures to deliver its Mythic Agent tool against US firms doing business with Ukraine.
"SocGholish, also called FakeUpdates, is a JavaScript loader malware that's distributed via compromised websites by masquerading as deceptive updates for web browsers like Google Chrome or Mozilla Firefox..."
SocGholish, operated by TA569, actually functions as a Malware-as-a-Service (MaaS) vendor, selling access to compromised systems to various financially motivated cybercriminal clients. The primary tactic used involves deceptive “fake browser update” lures...
"SocGholish is the threat actor behind the FakeUpdates malware-as-a-service (MaaS) framework."
"Throughout 2024 we continued to observe a low volume of SocGholish infections... upon execution the JavaScript payload connects back to SocGholish infrastructure... and can retrieve additional malware."
“VexTrio Viper runs the largest and oldest known TDS with over 165 affiliates including SocGholish and ClearFake.”
…takes a page out of SocGholish's playbook, using multiple layers of Base64 encoding and XOR operations to conceal the next-stage malware…
Arctic Wolf Labs assesses with a medium-to-high confidence level that Russia’s GRU unit 29155 is utilizing SocGholish to target victims... Actor: TA569 is considered the primary threat actor deploying and maintaining SocGholish... The operator serves as an Initial Access Broker (IAB), selling access to compromised systems to ransomware affiliates.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea. SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations.
Resource Development
3 techniques
Acquire Infrastructure: Domains (T1583.001): purpose-registered plexusmarket[.]fund and traininghub[.]world
Compromise Infrastructure: Web Services (T1584.006): compromised WordPress and Alpha Five sites used for JS injection
Stage Capabilities: Upload Malware (T1608.001): stage-1 JS injector planted on compromised sites
Initial Access
3 techniques
Our incident response team has found SocGholish infections linked to compromised admin accounts, where attackers log in with stolen credentials, upload a malicious plugin, and quickly turn a real site into a malware source.
Initial access was gained via infection of SocGholish malware caused by a drive-by-download
the first path presents a highly convincing browser update screen to the user. This FakeUpdates layout accurately mimics popular software variants such as Google Chrome or Mozilla Firefox.
Execution
7 techniques
Reporting across many families describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
PowerShell commands were also executed by the SocGholish malware to gather system and domain information
Execution via WScript pulls a second-stage payload -- historically Cobalt Strike beacons, NetSupport RAT, or Python-based backdoors.
AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.
Clicking this interface element instantly downloaded a compressed folder containing a malicious executable file.
Targets are lured by an ad purporting to be a browser update, or a software package, to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked.
Persistence
5 techniques
Our incident response team has found SocGholish infections linked to compromised admin accounts, where attackers log in with stolen credentials, upload a malicious plugin, and quickly turn a real site into a malware source.
...attackers log in with stolen credentials, upload a malicious plugin... Later, they may create hidden admin users with fake plugins, add auto-login backdoors disguised as JavaScript files...
A persistence mechanism was installed by SocGholish using the startup folder of the infected user to ensure execution at user logon.
Privilege Escalation
2 techniques
Our incident response team has found SocGholish infections linked to compromised admin accounts, where attackers log in with stolen credentials, upload a malicious plugin, and quickly turn a real site into a malware source.
Stealth
3 techniques
Reporting across many families describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Defense Impairment
1 technique
Credential Access
4 techniques
"procedures for harvesting NTLM hashes via Forced Authentication... used ... PowerShell ... search for Microsoft Outlook signature files and add HTML code ... link to an image file hosted remotely... recipient’s email client may attempt to authenticate ... enabling the adversary to harvest hashed credentials"
"harvesting credentials from Chrome and Edge browsers—by extracting keys from the Local State file and copying the Login Data for offline password extraction"
Discovery
4 techniques
Reporting across many families describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
Reporting across many families describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Reporting across many families describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
"Bazar can query the Registry for installed applications." / "BRONZE BUTLER has used tools to enumerate software installed on an infected host." / "LightSpy ... enumerate the Applications folder to collect the bundle name, bundle identifier, and version information..." / "Volt Typhoon has queried the Registry on compromised systems for information on installed software."
Collection
2 techniques
Reporting across many families describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Command and Control
2 techniques
Application Layer Protocol: Web Protocols (T1071.001): HTTPS communication with C2 domains
Ingress Tool Transfer (T1105): stage-2 payload download from C2
Impact
1 technique
"in some cases, reportedly led to RansomHub ransomware"
IOCs tracked for this family
97 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
98 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware operation associated here with web-inject-driven compromise of legitimate websites as part of attack chains leveraging the cPanel vulnerability.
SocGholish is described as infecting websites after attackers use compromised admin credentials to log in, upload a malicious plugin, and convert the site into a malware distribution source.
A malware family associated here with social-engineering-driven intrusions that progress into reconnaissance and proxy-based access, referenced as an operational comparison for pre-ransomware activity.
A malware/intrusion chain referenced for comparison, known for social-engineering delivery followed by reconnaissance, proxy-based access, and pre-ransomware staging.