SocGholish
SocGholish, also known as FakeUpdates, is a malware dropper/loader and initial-access service distributed via fake browser or software update prompts served from compromised websites, especially compromised WordPress sites. The malware is used to gain unauthorized access to victim systems and deliver next-stage malware, supporting downstream ransomware, data theft, financial fraud, and attacks on critical infrastructure. Multiple sources describe large-scale remediation of SocGholish-infected WordPress sites, including nearly 15,000 compromised websites, and note that the malware was offered as cybercrime-as-a-service. The sources link SocGholish to the Russian cybercriminal group Evil Corp and state that it has been associated with ransomware and money-laundering operations. Reported infrastructure actions tied to Operation Endgame included disruption of SocGholish infrastructure, seizure of domains and servers, and victim notification efforts. High-confidence infection behavior reported across these sources includes fake browser-update scams on compromised websites and the use of compromised WordPress sites as the primary delivery vector.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2026-41940, the cPanel authentication bypass, illustrates the opportunistic mass-exploitation pattern most clearly. What began as exploratory probing evolved into a multi-actor campaign combining ransomware deployment, website defacement, and — in at least one documented case — targeted cyber-espionage.
We also now increasingly observe this vulnerability within attack chains of threat actors that rely on compromising legitimate websites via web inject, such as TA569 (SocGholish).
Groups observed using it
16 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Recorded Future reports that the TDS operator follows a high-level activity strategy that includes regularly updating URLs embedded in WordPress sites, adding additional servers, and improving TDS logic to evade detection; the TDS has been linked to SocGholish and D3F@ck Loader malware, as well as the Rhysida and Interlock ransomware groups.
Europol has taken down the criminal networks behind the SocGholish, Amadey, and StealC malware strains... SocGholish, a so-called dropper/loader, helped criminals gain access to computer systems by distributing fake browser updates via compromised websites.
Active since 2017 and also known as FakeUpdates, SocGholish is a JavaScript (JS)-based downloader malware that typically serves as a conduit for next-stage malware from various threat actors like Evil Corp, LockBit, RansomHub, Dridex, and Raspberry Robin.
The threat actors behind SocGholish ... compromise legitimate WordPress sites and use Traffic Direction/Distribution Systems (TDS) to redirect visitors to webinjects hosted there ... and trick end users into drive-by downloads of malware.
TAG-124 has also been associated with SocGholish and D3F@ck loader malware, which provide remote access and malware delivery for financially motivated activity.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
4 techniques
The abuse also includes the use of a process known as 'Domain Shadowing,' ... a threat actor gains access to the authoritative DNS provider or registrar account panel for a legitimate domain, and uses their access to quietly create additional subdomains beneath the main ('apex') domain.
The chain begins with compromising legitimate websites, often hosted on WordPress, through password-spraying attacks or leaked credentials.
Initial Access
5 techniques
The chain begins with compromising legitimate websites, often hosted on WordPress, through password-spraying attacks or leaked credentials.
SocGholish/FakeUpdates: Spread through fake browser or software updates on compromised websites.
Attacks using this malware usually proceed as follows: the attackers compromise websites (most often running WordPress) and inject malicious JavaScript into their code.
Execution
3 techniques
The FBI urged enterprise organizations to take precautions against malicious TDSs, including changing default file associations for JavaScript so that attacks can't execute malicious payloads delivered through a TDS, and monitoring endpoints for suspicious execution of files and PowerShell scripts.
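As an added example (not code from this page or from Mallory), the file-association mitigation the FBI describes can be audited and applied with PowerShell; it assumes the standard Windows script ProgIDs under HKLM\SOFTWARE\Classes and an elevated session.

```powershell
# Added example: audit, and optionally change, the Windows default handlers for
# script file types so that a double-clicked .js/.jse/.wsf/.vbs/.vbe file opens in
# Notepad instead of running under WScript.exe. Assumes the standard ProgIDs below.
$ScriptProgIds = 'JSFile', 'JSEFile', 'WSFFile', 'VBSFile', 'VBEFile'

function Get-ScriptHandler {
    # Report the current "open" command for each script ProgID and flag the ones
    # that hand the file to the Windows Script Host (WScript.exe / CScript.exe).
    foreach ($progId in $ScriptProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            ProgId   = $progId
            Command  = $cmd
            Executes = [bool]($cmd -match 'w?script\.exe')   # true = double-click runs the script
        }
    }
}

function Set-ScriptHandlerToNotepad {
    # Point each script ProgID at Notepad. With -WhatIf it only prints the change.
    param([switch]$WhatIf)
    $safe = '"%SystemRoot%\System32\notepad.exe" "%1"'
    foreach ($progId in $ScriptProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (-not (Test-Path $key)) { continue }
        if ($WhatIf) { Write-Host "Would set $key to $safe"; continue }
        Set-ItemProperty -Path $key -Name '(default)' -Value $safe -Type ExpandString
    }
}

Get-ScriptHandler | Format-Table -AutoSize
Set-ScriptHandlerToNotepad -WhatIf     # drop -WhatIf to apply the change
```

Per-user UserChoice entries under HKCU can still override the machine-wide ProgID, so check those as well after applying the change.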
Persistence
2 techniques
Privilege Escalation
1 technique
Stealth
4 techniques
Visitors to compromised sites "are tricked into installing trojanized apps posing as browser extensions or other legitimate software."
The chain begins with compromising legitimate websites, often hosted on WordPress, through password-spraying attacks or leaked credentials.
Credential Access
1 technique
Discovery
2 techniques
Command and Control
4 techniques
The court approved, allowing Microsoft's Digital Crimes Unit to disrupt over 200 malicious command-and-control domains and IP addresses tied to the malware, and "to shut them down through a mix of court orders, domain seizures, registrations and provider notifications," he said.
Through this malware, additional malware, such as ransomware, can be installed on the infected systems.
IOCs tracked for this family
99 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
149 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Dropper malware included in the broader criminal infrastructure dismantled by Europol.
Malware distributed via fake browser or software update prompts on compromised websites to trick users into infecting their devices.
Named malware referenced as part of related Operation Endgame takedowns.
A dropper/loader used for initial infection that distributes fake browser updates via compromised WordPress websites to gain access to systems.