Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
5 malware families

SocGholish

Also known asFakeUpdatessocgholish

SocGholish, also known as FakeUpdates, DEV-0206, GOLD PRELUDE, Mustard Tempest, TA569, and UNC1543, is an e-crime threat actor and malware/service cluster centered on compromising legitimate WordPress sites and using Traffic Direction/Distribution Systems (TDS) to redirect visitors to attacker-controlled web injects that impersonate browser updates. Victims are tricked into downloading and executing malicious JavaScript or ZIP-delivered JavaScript under fake update themes such as Update.js, download.js, AutoUpdater.js, and homoglyph-based filenames including Сhrome.Updаte.zip, UрdateInstаller.zip, and Uрdate.js. The actor is consistently described as a major initial access vector. After execution, the JavaScript payload connects to SocGholish infrastructure, reports host details, performs reconnaissance, and can retrieve additional malware. Reporting notes that many infections do not progress beyond reconnaissance, indicating selective follow-on activity, while second-stage payloads were observed in roughly one quarter of incidents in 2024. SocGholish has delivered or facilitated delivery of multiple follow-on payloads and tools, including NetSupport RAT/NetSupport Manager, Cobalt Strike, Mimikatz, Blister, RomCom payloads, MintsLoader, StealC, modified BOINC clients, Python-based backdoors, and in some cases ransomware. Reporting states SocGholish has allegedly provided initial access to other cybercriminal groups since at least 2018, including Evil Corp, and that RansomHub partnered with SocGholish in Q1 2025 to deliver ransomware attacks against U.S. government organizations and some banking and consulting organizations, with additional attacks reported in Japan and Taiwan. Observed tradecraft includes use of compromised WordPress credentials, modification of legitimate WordPress instances to include criminal infrastructure, abuse of domain shadowing through malicious subdomains, fake browser update lures, JavaScript-based downloaders, drive-by compromise, host reconnaissance, occasional Active Directory and domain enumeration, and filename masquerading with homoglyphs to evade detection. SocGholish operators were also reported as early adopters of MintsLoader around July 2024 as an alternative delivery chain. As of June 2026, law-enforcement and private-sector reporting described a major disruption under Operation Endgame targeting SocGholish infrastructure, including remediation of compromised WordPress sites and takedown of servers and domains.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

25 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics35 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
TA0042
Resource Development
1 technique
T1584
Compromise Infrastructure
T1584.001
Domains
TA0001
Initial Access
4 techniques
T1078×2
Valid Accounts
T1189×6
Drive-by Compromise
T1190×2
Exploit Public-Facing Application
T1566
Phishing
T1566.001
Spearphishing Attachment
TA0002
Execution
2 techniques
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.007
JavaScript
T1204×2
User Execution
T1204.002
Malicious File
TA0003
Persistence
2 techniques
T1078×2
Valid Accounts
T1205
Traffic Signaling
TA0004
Privilege Escalation
1 technique
T1078×2
Valid Accounts
TA0005
Stealth
4 techniques
T1036
Masquerading
T1078×2
Valid Accounts
T1205
Traffic Signaling
T1480
Execution Guardrails
T1480.001
Environmental Keying
TA0006
Credential Access
3 techniques
T1110
Brute Force
T1110.003
Password Spraying
T1187
Forced Authentication
T1555
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
TA0007
Discovery
2 techniques
T1082
System Information Discovery
T1087
Account Discovery
TA0008
Lateral Movement
1 technique
T1210
Exploitation of Remote Services
TA0009
Collection
1 technique
T1560
Archive Collected Data
TA0011
Command and Control
4 techniques
T1071
Application Layer Protocol
T1105×2
Ingress Tool Transfer
T1205
Traffic Signaling
T1219
Remote Access Tools
TA0040
Impact
1 technique
T1486
Data Encrypted for Impact
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
SocGholishThe threat actors SocGholish ... compromise legitimate WordPress sites and use Traffic Direction/Distribution Systems (TDS) to redirect visitors to webinjects hosted there ... and trick end users into drive by downloading of malware.2Jun 19, 2026
MintsLoaderMintsLoader (TAG-124 / LandUpdate808 / UNC4108) Type: Malware Loader - PowerShell-based, multi-stage delivery platform1May 24, 2026
NetSupport RATScarlet Goldfinch is a cluster of activity that Red Canary first observed in June 2023. This threat deceives users into downloading a file masquerading as a browser update, which starts a chain of activity eventually leading to the installation of NetSupport Manager. NetSupport Manager is an RMM tool that provides the adversary remote control over a system.1Jun 14, 2026
RansomHub"RansomHub is a RaaS operation that was first observed in February 2024."1Mar 18, 2026
WarmCookie"...a new backdoor “BadSpace”..."; "...the malware’s alias name WarmCookie."1Mar 18, 2026
IOCS

Observables

4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

4 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

17 SOURCESView more in app
shadowserver newsNews
Jun 18, 2026
SocGholish Compromised WordPress Sites Special Report | The Shadowserver Foundation

Compromises legitimate WordPress sites, uses TDS and fake browser/software update lures to redirect visitors to malicious webinjects, and provides initial access that can be used by other cybercriminal groups.

Read more
shroudcloudNews
Apr 14, 2026
MintsLoader - ShroudCloud

Early adopter of MintsLoader, using drive-by compromise via fake browser update overlays on compromised websites to deliver MintsLoader instead of its native payload chain.

Read more
red canary blogNews
Mar 26, 2026
Scarlet Goldfinch’s year in ClickFix | Red Canary

Referenced as a threat whose fake update lures served as a model or precursor for later activity clusters such as Scarlet Goldfinch.

Read more
breakglass intelNews
Mar 12, 2026
KongTuke Investigation Report - Breakglass Intelligence - Breakglass Intelligence

Referenced as another initial access broker/customer receiving infections from KongTuke.

Read more
+13 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping25

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables4

Domains, IPs, and hashes tied to this actor, refreshed continuously.