MalwareRansomwareUsed by 1 actor

Gholoader

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Indrik Spider

Typically, a TA569 attack chain consists of three parts: the malicious SocGholish injects served to website visitors; a traffic distribution service (TDS) responsible for determining which user receives which payload based on a variety of filtering options; and the ultimate payload, GhoLoader.

via proofpointproofpoint.com

MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques

T1189Drive-by CompromiseEvidence3

The SocGholish JavaScript-based malware downloader (also tracked as FakeUpdates and GhoLoader) has been used in attacks since at least 2017, and it works by hijacking legitimate websites (primarily WordPress sites) and tricking visitors into downloading malicious payloads, commonly disguised as fake browser updates.

T1566.002Spearphishing LinkEvidence1

From Proofpoint’s visibility, we see legitimate email traffic that contain URLs that link to compromised websites. The compromised domains redirect traffic to actor-controlled domains to deliver a malicious payload.

Execution

2 techniques

T1059.007JavaScriptEvidence1

The downloaded file is GhoLoader Stage 1 — a WSH JScript that POSTs to its C2 via “ActiveXObject('MSXML2.XMLHTTP')” and executes the response.

T1204User ExecutionEvidence2

When a user installs the malicious update, the malware opens a connection to the attackers, giving them access to the infected system.

Persistence

1 technique

T1205Traffic SignalingEvidence1

Stealth

2 techniques

T1036MasqueradingEvidence1

...tricking visitors into downloading malicious payloads, commonly disguised as fake browser updates.

T1205Traffic SignalingEvidence1

Command and Control

3 techniques

T1071.001Web ProtocolsEvidence1

The downloaded file is GhoLoader Stage 1 — a WSH JScript that POSTs to its C2 via “ActiveXObject('MSXML2.XMLHTTP')” and executes the response.

T1105Ingress Tool TransferEvidence1

That iframe fetches a script from the TA569 C2 which contains the file "Google Launcher.js" (GhoLoader Stage 1, C2: “js-new[.]newtoyourgame[.]com”) as an embedded base64 blob... and triggers the download.

T1205Traffic SignalingEvidence1

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

2 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in apptoday

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

proofpointNews

Jun 17, 2026

Sayonara, SocGholish: Operation Endgame Disrupts Major Cybercrime Operation | Proofpoint US

GhoLoader is the payload delivered by SocGholish. In the described chain, it is downloaded as a staged WSH JScript that communicates with C2 over MSXML2.XMLHTTP and executes the returned response, enabling further compromise that can lead to ransomware activity.

proofpointNews

Feb 14, 2025

An Update on Fake Updates: Two New Actors, and New Mac Malware | Proofpoint US

A JavaScript-based loader served by SocGholish that facilitates follow-on malware installation.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching2

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.