{
	"id": "7d3f603c-2b75-4104-9890-73faa9db9090",
	"created_at": "2026-04-06T00:07:02.528224Z",
	"updated_at": "2026-04-10T13:12:13.872987Z",
	"deleted_at": null,
	"sha1_hash": "0ee2df3404c2553119e040d1eeea44314249a45c",
	"title": "THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3027706,
	"plain_text": "THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 14:34:33 UTC\r\nThe Cybereason Global Security Operations Center (GSOC) Team issues Cybereason Threat Analysis reports to inform defenders about high-impact threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.\r\nThis Threat Analysis report provides insight into three selected attacks, which involve the SocGholish and Zloader malware masquerading as legitimate software updates and installers of popular applications. We present the deployment of the malware on compromised systems and the activities of the malware operators, including an activity timeline.\r\nKey Points\r\nMasquerading malware: Infections with SocGholish start with end-users executing JavaScript scripts whose filenames relate to known browsers and browser updates, such as Opera.Update.js and Firefox.js. Infections with Zloader start with end-users executing a fake installer of a popular application, such as TeamViewer.\r\nIntensive reconnaissance and data exfiltration: SocGholish operators conduct intensive reconnaissance activities and redirect the output of executed commands to files with the filename extension .tmp for later exfiltration.\r\nDetected and prevented: The Cybereason XDR Platform detects and prevents infections with SocGholish and Zloader.\r\nCybereason Managed Detection and Response (MDR): The Cybereason GSOC team has a zero-tolerance policy towards attacks involving SocGholish and Zloader, and categorizes such attacks as critical, high-severity incidents. The Cybereason GSOC MDR team issues a comprehensive report to customers when such an incident occurs. 
The report provides an in-depth overview of the incident, which helps to understand the scope of the compromise and the impact on the customer’s environment. The report also provides attribution information whenever possible, as well as recommendations for threat mitigation and isolation. \r\nIntroduction\r\nSocGholish is an attack framework that malicious actors have used since at least 2020. The term Soc refers to the use of social engineering to deploy malware on systems. SocGholish operators host a malicious website that implements a drive-by-download mechanism, such as JavaScript code or uniform resource locator (URL) redirections, to trigger the download of an archive file that contains malware.\r\nhttps://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems\r\nPage 1 of 24\n\nThe website displays content that might lure end-users, such as critical browser updates. To infect the system, an end-user has to first manually decompress the archive file and then execute the malware by double-clicking. An infection with SocGholish may result in the deployment of the Cobalt Strike framework and ransomware.\r\nZloader is malware primarily designed to steal credentials and sensitive data, but it also has backdoor capabilities and it can act as a malware loader to deliver further malware to compromised systems. For example, in the past, Zloader has distributed the destructive Egregor and Ryuk ransomware.\r\nFirst discovered in 2016, Zloader is under continuous development, with more recent versions featuring detection evasion capabilities, such as disabling Windows Defender and using living-off-the-land executables to conduct malicious activities. 
In the past, malicious actors have distributed the Zloader malware as malicious attachments to emails.\r\nIn the period between December 2021 and the time of writing, the Cybereason MDR team has observed an increase in the number of attacks involving SocGholish and Zloader. In the attacks involving Zloader, malicious actors distributed Zloader through malicious websites that present the malware as an installer of a popular application, such as TeamViewer.\r\nThe figure below depicts the number of SocGholish-related sample submissions to VirusTotal between November 2021 and March 2022. The global increase in the number of SocGholish infections starting in December 2021 aligns with the increase that the Cybereason MDR team has observed:\r\nNumber of SocGholish-related sample submissions to VirusTotal between November 2021 and March 2022\r\nThis report provides a unique insight into real infections with SocGholish and Zloader that the Cybereason MDR team has recently observed. We present the deployment of the malware on compromised systems and the activities of the malware operators in three selected attacks. For the attacks that involve SocGholish, this report documents the timelines of the malware operators’ activities and provides an overview of the common tactics and techniques in SocGholish infections.\r\nAnalysis of SocGholish and Zloader\r\nSocGholish\r\nInfection\r\nThe flowchart below depicts a typical system infection with the SocGholish framework: \r\nInfection with the SocGholish framework\r\nSocGholish operators host a malicious website that implements a drive-by-download mechanism. 
Previous research shows that the SocGholish operators use a legitimate website and host another, malicious website in its context, for example, in an inline frame (iframe) object. The legitimate website displays content to which end-users may be lured, such as critical browser updates. The malicious website may implement, for example, JavaScript code, or conduct URL redirections to trigger the download of an archive file that stores a malicious JavaScript script. \r\nTo infect the system, an end-user has to first manually decompress the archive that contains the JavaScript script, for example, by using the Windows built-in archive utility or third-party utilities such as WinRAR, and then execute the script. Unless the Microsoft Windows Script Host (WSH) is disabled on the system, double-clicking a .js file launches it through WSH: the wscript.exe or cscript.exe host loads the JScript engine and runs the script with the privileges of the logged-on user. (Administrators can prevent this by setting the Enabled value under HKLM\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings to 0, or by reassociating the .js and .jse extensions with a harmless program such as notepad.exe.)\r\nAn end-user decompresses and executes a JavaScript script that SocGholish operators distribute (as seen in the Cybereason XDR Platform)\r\nThe figure below depicts a typical JavaScript script (Chrome.Update.d37fc6.js) that a malicious website with a browser update theme has been distributing to end-users:\r\nContent of the Chrome.Update.d37fc6.js script (excerpt) \r\nWe emphasize that the Chrome.Update.d37fc6.js script is representative of many other scripts that malicious websites with browser update themes have been distributing to end-users: \r\nThe scripts have filenames that relate to known browsers and browser updates, such as Opera.Update.a99283.js and Firefox.js.\r\nThe scripts establish connections to attacker-controlled endpoints, for example, 
by using ActiveX XMLHTTP objects, and issue POST requests to download and execute further content using the eval JavaScript function. In the SocGholish infections that we have analyzed, the JavaScript scripts download and execute content after issuing a POST request to a resource named pixel.png. The scripts communicate with the endpoints with the following IP addresses:\r\n87.249.50[.]201, located in Russia (known associated host domain names: xen.hill-family[.]us, apps.weightlossihp[.]com, and upstream.fishslayerjigco[.]com).\r\n91.219.236[.]202, located in Hungary (known associated host domain names: host.integrativehealthpartners[.]com, platform.windsorbongvape[.]ca, widget.windsorbongvape[.]com).\r\nThe JavaScript code of the scripts is obfuscated by using random variable names and string manipulation, such as string reversal and encoding. For example, the script authors have obfuscated the host domain names of the attacker-controlled endpoints by reversing them and placing the individual string characters at the odd index positions in the obfuscated string, with filler characters at the even positions:\r\nAn obfuscated host domain name in Chrome.Update.d37fc6.js and the domain name’s deobfuscated form\r\nPost Infection: First Attack\r\nThe flowchart below depicts an overview of the activities that SocGholish operators have conducted on an infected system:\r\nSocGholish: An attack overview (1)\r\nAs we have seen in the Infection section, the wscript.exe utility first executed a JavaScript script named Chrome.Update.fd1967.js that resided in an archive file. 
Soon after the script executed and until approximately 57 minutes later, wscript.exe conducted information gathering activities and stored the gathered information in the files radF9A4F.tmp and rad994D1.tmp, placed in the end-user’s AppData folder, for potential future exfiltration:\r\nwhoami /all \u003e\u003e \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\radF9A4F.tmp\"\r\n\"systeminfo|findstr Registered\u0026nltest /dclist:\u0026nltest /domain_trusts\u0026cmdkey /list\u0026net group \"Domain Admins\" /domain\u0026net group \"Enterprise Admins\" /domain\u0026net localgroup Administrators /domain\u0026net localgroup Administrators\" \u003e\u003e \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\rad994D1.tmp\"\r\nApproximately one hour and 27 minutes later, wscript.exe first renamed a file with the .tmp file extension, rad63F7D.tmp, to ef32e4cf.js and then executed the JavaScript script ef32e4cf.js using the wscript.exe utility. Approximately 9 minutes later, the wscript.exe instance that had executed the ef32e4cf.js script obtained user and filesystem information by executing the following commands: \r\nwhoami /all \u003e\u003e \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\rad2AC3D.tmp\"\r\ndir C:\\programdata\\ \u003e\u003e \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\radB9CD4.tmp\"\r\nwscript.exe also renamed a file with the .tmp file extension, radCC48D.tmp, to the Windows dynamic-link library (DLL) file wimgapi.dll and then executed the DLL through the WIMDeleteImageMounts entry point, capturing the output in the C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\rad5FAF1.tmp file. Note that wimgapi.dll is the name of the legitimate Windows Imaging API library and WIMDeleteImageMounts is one of its exports; the dropped DLL borrows both names to blend in. 
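The command lines above suggest three host-based detections that do not depend on hashes or infrastructure: a script host's child process redirecting output to a rad*.tmp file, several discovery commands chained in one command line, and a rad*.tmp file renamed to a script or executable before it runs. The following is an added example (ours, not detection logic from the Cybereason platform) that applies these rules to constructed process-creation and file-rename events modelled on this report; the event schema and the user name bob are assumptions.

```python
import re

# Output files the operators used: rad + 5 hex digits + .tmp under the user's Temp folder.
RAD_TMP = re.compile(r'AppData\\Local\\Temp\\rad[0-9A-F]{5}[.]tmp', re.I)
# Extensions a renamed .tmp turned into before being executed in the report (.js, .dll, .exe).
EXECUTABLE_EXT = re.compile(r'[.](js|jse|vbs|dll|exe|ps1|bat)$', re.I)
# Discovery keywords seen in the command chains; three or more in one command line is a hit.
RECON_KEYWORDS = ('whoami', 'systeminfo', 'nltest', 'cmdkey /list', 'net group',
                  'net localgroup', 'net user', 'ipconfig')
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}


def triage(events):
    # Apply the three rules to a list of event dicts and return (index, rule) tuples.
    hits = []
    for i, ev in enumerate(events):
        if ev['type'] == 'process':
            cmd = ev['cmdline']
            parent = ev['parent'].lower()
            # Rule 1: a script host's child writes command output to a rad*.tmp file.
            if parent in SCRIPT_HOSTS and '>>' in cmd and RAD_TMP.search(cmd):
                hits.append((i, 'recon_output_to_rad_tmp'))
            # Rule 2: several discovery commands chained in one command line.
            lowered = cmd.lower()
            if sum(1 for kw in RECON_KEYWORDS if kw in lowered) >= 3:
                hits.append((i, 'recon_command_chain'))
        elif ev['type'] == 'file_rename':
            # Rule 3: a rad*.tmp file renamed to an executable or script extension.
            if RAD_TMP.search(ev['old']) and EXECUTABLE_EXT.search(ev['new']):
                hits.append((i, 'rad_tmp_renamed_to_executable'))
    return hits


# Constructed events modelled on the command lines quoted in this report; bob stands in for the user.
TEMP = 'C:\\Users\\bob\\AppData\\Local\\Temp\\'
SAMPLE_EVENTS = [
    {'type': 'process', 'parent': 'explorer.exe', 'image': 'wscript.exe',
     'cmdline': 'wscript.exe C:\\Users\\bob\\Downloads\\Chrome.Update.fd1967.js'},
    {'type': 'process', 'parent': 'wscript.exe', 'image': 'cmd.exe',
     'cmdline': 'cmd.exe /c whoami /all >> ' + TEMP + 'radF9A4F.tmp'},
    {'type': 'process', 'parent': 'wscript.exe', 'image': 'cmd.exe',
     'cmdline': 'cmd.exe /c systeminfo|findstr Registered&nltest /dclist:&nltest /domain_trusts'
                '&cmdkey /list&net group Domain Admins /domain&net localgroup Administrators >> '
                + TEMP + 'rad994D1.tmp'},
    {'type': 'file_rename', 'old': TEMP + 'rad63F7D.tmp', 'new': TEMP + 'ef32e4cf.js'},
    # Benign noise: a single discovery command from a service host should not fire.
    {'type': 'process', 'parent': 'svchost.exe', 'image': 'cmd.exe', 'cmdline': 'cmd.exe /c ipconfig /all'},
]

if __name__ == '__main__':
    for index, rule in triage(SAMPLE_EVENTS):
        print(index, rule, SAMPLE_EVENTS[index])
```

Rule 1 is the most specific to this campaign, rule 2 is the generic discovery signal that also catches the second attack below, and rule 3 pairs naturally with a rule on wscript.exe or rundll32.exe loading the renamed file from the Temp or ProgramData folder.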
wscript.exe also copied the rundll32.exe executable to the wim.exe file in the %ProgramData%\\wim folder:\r\nwscript.exe executes wimgapi.dll (as seen in the Cybereason XDR Platform)\r\nDuring the execution of the wscript.exe instances that had executed the Chrome.Update.fd1967.js and the ef32e4cf.js scripts, the wscript.exe instances communicated with the attacker-controlled endpoint with an IP address of 91.219.236[.]202 (domain name: 0bfd796f.host.integrativehealthpartners[.]com), located in Hungary.\r\nApproximately 12 minutes after the wimgapi.dll DLL was executed, the DLL injected code into the following legitimate Windows processes: werfault.exe, explorer.exe, outlook.exe, svchost.exe, and taskhostw.exe. Over a period of 8 hours and 30 minutes:\r\nwimgapi.dll injected the SharpView tool into an instance of the werfault.exe process. SharpView can conduct reconnaissance activities and gather information about Active Directory (AD) deployments:\r\nwimgapi.dll injects the SharpView tool into an instance of the werfault.exe process (as seen in the Cybereason XDR Platform)\r\nwimgapi.dll injected code into outlook.exe. The code gathered AD-related information by executing the command net group \"domain admins\" /domain:\r\nThe code that outlook.exe hosts conducts reconnaissance activities (as seen in the Cybereason XDR Platform)\r\nwimgapi.dll injected malicious code into svchost.exe. The code conducted targeted reconnaissance activities by executing the whoami, ping, nltest, and net commands using target-specific configurations, such as hostnames and usernames.\r\nwimgapi.dll injected code into taskhostw.exe. 
The code searched for the cpassword field in Group Policy files stored in the Policies folder in shared system volume folders (SYSVOL) by executing the command findstr /s /i /m \"cpassword\" \\\\\u003cdomain\u003e\\sysvol\\\u003cdomain\u003e\\Policies\\*.*, where \u003cdomain\u003e is the domain name of an AD domain controller. In AD infrastructures, the SYSVOL folders are present on domain controllers and the domain controllers share the folders with domain members to deliver domain configuration data, such as policy settings. The cpassword attribute appears in Group Policy Preferences XML files (for example Groups.xml, ScheduledTasks.xml, Services.xml, and DataSources.xml) and holds the password of an account that the preference item creates or runs as on domain members, such as a local administrator or the run-as account of a scheduled task. The value is AES-256 encrypted, but Microsoft published the static key in the MS-GPPREF protocol specification, so anyone who can read SYSVOL (by design, every domain user) can decrypt it. Microsoft’s MS14-025 update (2014) removed the ability to save new passwords in these items, but it does not clean up entries already present in SYSVOL, which is why this search still pays off for attackers.\r\nIn addition to the activities above, the code that ran in explorer.exe, outlook.exe, svchost.exe, and taskhostw.exe executed instances of the werfault.exe process and injected the following tools into the instances:\r\nSharpView and Rubeus, a tool for attacking Kerberos deployments.\r\nStracciatella: a tool for executing PowerShell commands with detection evasion capabilities.\r\nSeatbelt: a tool that enumerates the security posture of systems.\r\nPowerShellRunner: a tool that is capable of executing PowerShell commands using Windows Defender evasive techniques.\r\nSharpChromium: a tool for stealing browser data, such as cookies, saved logins, and browsing history. \r\nApproximately 7 hours after the wimgapi.dll DLL was executed, over a period of approximately 24 minutes, the operators conducted further reconnaissance activities by executing the commands ipconfig and nltest. 
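A defender can run the same search the operators did, but structured. The added example below (ours, not code from the Cybereason report) parses Group Policy Preferences XML documents, reports every item that still carries a cpassword attribute together with the account it applies to, and restores the base64 padding so the 32-byte AES ciphertext can be handed to a decryption routine. The two XML documents are constructed samples with placeholder ciphertexts, and the attribute list and output format are our own; decrypting the values with the published key needs an AES library and is deliberately left out, since the defender's action is to remove the entries, not to read them.

```python
import base64
import os
import xml.etree.ElementTree as ET

# Attributes that name the account a Group Policy Preferences item applies the password to
# (Groups.xml uses userName, ScheduledTasks.xml runAs, Services.xml accountName, DataSources.xml username).
ACCOUNT_ATTRS = ('userName', 'runAs', 'accountName', 'username')


def cpassword_bytes(value):
    # GPP stores the AES-256-CBC ciphertext as base64 with the trailing '=' padding removed;
    # restore it so standard decoders accept it. 32 bytes means two AES blocks (a short password).
    value = value.strip()
    return base64.b64decode(value + '=' * (-len(value) % 4))


def find_cpasswords(xml_text, source):
    # Walk one GPP XML document and report every item that still carries a cpassword.
    findings = []
    for item in ET.fromstring(xml_text):
        props = item.find('Properties')
        if props is None:
            continue
        cp = props.get('cpassword')
        if not cp:
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), None)
        findings.append({'file': source, 'setting': item.tag, 'name': item.get('name'),
                         'account': account, 'ciphertext_len': len(cpassword_bytes(cp))})
    return findings


def scan_sysvol(root):
    # Walk a SYSVOL copy (or the mounted SYSVOL share) and inspect every XML file found.
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith('.xml'):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding='utf-8', errors='replace') as fh:
                        results.extend(find_cpasswords(fh.read(), path))
                except ET.ParseError:
                    pass  # not a GPP document (or truncated); skip it
    return results


# Constructed samples: the ciphertexts are placeholders, not real GPP output.
GROUPS_XML = '''<Groups>
  <User name='LocalAdmin' image='2' changed='2021-12-14 09:12:33'>
    <Properties action='U' newName='' fullName='' description='' cpassword='AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8' changeLogon='0' noChange='1' neverExpires='1' acctDisabled='0' userName='LocalAdmin'/>
  </User>
  <Group name='Administrators (built-in)' image='2'>
    <Properties action='U' groupSid='S-1-5-32-544' groupName='Administrators (built-in)'/>
  </Group>
</Groups>'''

TASKS_XML = '''<ScheduledTasks>
  <Task name='Nightly backup' image='2'>
    <Properties action='C' name='Nightly backup' runAs='CORP\\svc_backup' cpassword='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' appName='C:\\Windows\\System32\\robocopy.exe' args='' startIn=''/>
  </Task>
</ScheduledTasks>'''

if __name__ == '__main__':
    for finding in find_cpasswords(GROUPS_XML, 'Groups.xml') + find_cpasswords(TASKS_XML, 'ScheduledTasks.xml'):
        print(finding)
```

Run scan_sysvol against a copy of the Policies folder and treat every finding as a credential to rotate: the account named in the finding has been recoverable by any domain user for as long as the XML has existed.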
The operators also searched for the cpassword field in Group Policy files stored in the Policies folder in SYSVOL folders by executing the command findstr /s /i /m \"cpassword\" \\\\\u003cdomain\u003e\\sysvol\\\u003cdomain\u003e\\Policies\\*.*, where \u003cdomain\u003e is the domain name of an AD domain controller.\r\nIn addition to searching for the cpassword field, the operators copied the files Centrifydc_settings.xml, Groups.xml, and ScheduledTasks.xml from shared SYSVOL folders to the ProgramData folder. These files may contain cpassword fields, which store passwords that the malicious actors can decrypt, as well as additional settings data that is relevant from an information-gathering perspective.\r\nApproximately 23 hours after wimgapi.dll was executed, the %ProgramData%\\wim\\wim.exe executable, that is, the renamed copy of rundll32.exe, executed the wimgapi.dll DLL through the WIMDeleteImageMounts entry point again to conduct further reconnaissance activities by executing the net and ping commands.\r\nDuring their operation, the wimgapi.dll DLL as well as the code injected into svchost.exe and taskhostw.exe transferred over 30 MB of data to an endpoint with the IP address 5.53.125[.]173 (domain name: sikescomposites[.]com), which is located in Russia.\r\nPost Infection: Second Attack\r\nThe flowchart below depicts an overview of the activities that SocGholish operators have conducted on an infected system:\r\nSocGholish: An attack overview (2)\r\nAs we have seen in the Infection section, the wscript.exe utility first executed a JavaScript script named Chrome.Update.2022d8.js that resided in an archive file. 
Soon after the script was executed and until approximately 10 minutes later, wscript.exe gathered current user information and stored the gathered information in the file radFFBA5.tmp, placed in the user’s AppData folder, for potential future exfiltration:\r\nwhoami /all \u003e\u003e \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\radFFBA5.tmp\"\r\nwscript.exe gathers current user information (as seen in the Cybereason XDR Platform)\r\nApproximately 3 days and 10 minutes after wscript.exe gathered user information, wscript.exe enumerated the services that ran on the compromised machine using a PowerShell command that invoked Windows Management Instrumentation (WMI) functionalities and stored the output in the file radD4878.tmp:\r\nwscript.exe enumerates services (as seen in the Cybereason XDR Platform)\r\nApproximately 3 days and 1 hour after wscript.exe gathered user information, wscript.exe gathered AD-related information, including credentials, by executing the following commands: systeminfo|findstr Registered; nltest /dclist:; nltest /domain_trusts; cmdkey /list; net group \"Domain Admins\" /domain; net group \"Enterprise Admins\" /domain; net localgroup Administrators /domain; and net localgroup Administrators:\r\nwscript.exe gathers AD-related information (as seen in the Cybereason XDR Platform)\r\nApproximately 3 days and 2 hours after wscript.exe gathered user information, wscript.exe first renamed a file with the .tmp file extension, rad0C41E.tmp, to vgauthservice.exe and then executed vgauthservice.exe (VGAuthService.exe is the name of the VMware Guest Authentication Service binary, another borrowed legitimate name).\r\nDuring the execution of wscript.exe, wscript.exe communicated with the attacker-controlled endpoint with an IP address 
of 87.249.50[.]201 (domain name: [random hexadecimal value].xen.hill-family[.]us), located in Russia.\r\nApproximately 1 hour after vgauthservice.exe was executed, over a period of approximately 4 hours, vgauthservice.exe created 11 werfault.exe processes and injected code into them, such as the TruffleSnout tool. TruffleSnout is a tool for gathering AD-related information to support offensive operations:\r\nvgauthservice.exe creates werfault.exe processes and injects code into them (as seen in the Cybereason XDR Platform)\r\nDuring its operation, the vgauthservice.exe process transferred over 9 MB of data to an endpoint with the IP address 77.223.98[.]12 over TCP port 443 (domain name: pastorq[.]com), which is located in Russia.\r\nSummary\r\nThe table below summarizes the activities that are most prevalent across all infections with SocGholish that the Cybereason MDR team has observed:\r\nArchive file and JavaScript script: To infect the system, an end-user has to download an archive file that stores a malicious JavaScript script. The script has a filename that relates to known browsers and browser updates, such as Opera.Update.a99283.js and Firefox.js. 
The end-user then has to manually decompress and execute the JavaScript script to infect the system.\r\nIntensive reconnaissance: SocGholish operators conduct intensive reconnaissance activities and gather AD-related information by executing the commands whoami, systeminfo, nltest, net, and cmdkey.\r\nOutput redirection: The SocGholish operators redirect the output of executed commands to files with the filename extension .tmp, placed in the end-user’s AppData folder, for potential future exfiltration, such as C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\radF9A4F.tmp.\r\nInjection of code into werfault.exe: Infections with SocGholish involve an injection of code into multiple instances of the werfault.exe process. The injected code typically implements tools with offensive capabilities.\r\nTwo attacker-controlled endpoints per infection: Over the course of an infection with SocGholish, the infected system communicates with two separate attacker-controlled endpoints, located in Hungary and/or Russia. \r\nZloader\r\nThe Cybereason MDR team observed malicious actors distributing Zloader to systems through malicious websites that masquerade the malware as an installer of a popular application, such as TeamViewer. When an end-user downloads and executes a malicious software installer that delivers Zloader – a Windows Installer (.msi) package, for example TeamViewer.msi – the installer writes a Windows executable file named internal.exe to the hard disk and executes it.\r\ninternal.exe establishes a connection to an attacker-controlled endpoint to download the next stage, a script called launch.bat. 
launch.bat downloads a Windows Batch (.bat) script from the attacker-controlled endpoint clouds222[.]com – flash.bat, which conducts the following activities:\r\nflash.bat evaluates whether the malware executes with administrative privileges by executing the command %SYSTEMROOT%\\system32\\cacls.exe %SYSTEMROOT%\\system32\\config\\system. This is a common batch-file idiom: the SYSTEM registry hive file is accessible only to administrators, so cacls.exe fails with an access-denied error (non-zero exit code) when the script runs as a standard user.\r\nIf the malware does not execute with administrative privileges, the malware executes a VisualBasic script (.vbs) named getadmin.vbs. The getadmin.vbs script attempts to elevate the malware’s privileges.\r\nflash.bat establishes a connection to the attacker-controlled endpoint clouds222[.]com to download three files – apiicontrast.dll and appContast.dll (both in Windows Portable Executable format) and flashupdate.ps1 (a PowerShell script) – and executes flashupdate.ps1.\r\nflash.bat deletes the file that implements the flash.bat script from the filesystem.\r\nflashupdate.ps1 executes the command wmic.exe computersystem get domain to determine whether it executes in an Active Directory (AD) environment.\r\nIf flashupdate.ps1 does not execute in an AD environment, the script downloads a GNU Privacy Guard (gpg)-encrypted file that implements Zloader (filename: zoom.dll). Otherwise, the script downloads gpg-encrypted files that implement a Cobalt Strike module and an Atera remote access component (filenames: zoom1.msi and zoom2.dll); in other words, domain-joined hosts receive hands-on-keyboard tooling rather than the banking trojan. 
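The next paragraphs describe apiicontrast.dll and appContast.dll as Microsoft-signed files that carry appended script content (CVE-2013-3900). The following added example (ours, not code from the report or from Microsoft) checks a PE file for exactly that: it locates the Authenticode certificate table, measures the DER-encoded PKCS #7 signature inside it, and returns any bytes that follow the signature beyond the 8-byte alignment padding. The build_pe helper produces a synthetic, non-loadable PE with a stand-in signature blob so the check can run offline; real files are parsed the same way.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the certificate table in the data directories


def certificate_table(pe):
    # Locate the Authenticode certificate table: (file offset, size) from the optional header.
    if pe[:2] != b'MZ':
        raise ValueError('not an MZ file')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('PE signature missing')
    coff = e_lfanew + 4
    opt = coff + 20                                  # COFF file header is 20 bytes
    magic = struct.unpack_from('<H', pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+ data directory start
    # The security directory holds a raw file offset (not an RVA) and the table size.
    return struct.unpack_from('<II', pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def der_total_length(buf):
    # Length of the DER SEQUENCE (the PKCS #7 SignedData blob) at the start of buf, header included.
    if not buf or buf[0] != 0x30:
        raise ValueError('certificate does not start with a DER SEQUENCE')
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], 'big')


def appended_data(pe):
    # Return whatever sits in the certificate table after the signature blob, excluding the
    # zero padding that aligns the WIN_CERTIFICATE entry to 8 bytes. Non-empty means the file
    # carries payload that the Authenticode hash never covered (the CVE-2013-3900 technique).
    offset, size = certificate_table(pe)
    if size == 0:
        return None  # unsigned file: nothing to check
    dw_length = struct.unpack_from('<I', pe, offset)[0]   # WIN_CERTIFICATE.dwLength
    body = pe[offset + 8: offset + dw_length]             # bCertificate
    der_len = der_total_length(body)
    trailing = body[der_len:]
    pad = (-der_len) % 8
    if not any(trailing[:pad]):
        trailing = trailing[pad:]   # legitimate alignment padding
    return bytes(trailing)


def build_pe(cert_payload):
    # Synthetic, non-loadable PE32 skeleton: only the header fields the parser reads are filled in.
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)
    coff = b'PE' + bytes(2) + struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                  # PE32 optional header incl. 16 data directories
    struct.pack_into('<H', opt, 0, 0x10B)
    struct.pack_into('<I', opt, 92, 16)   # NumberOfRvaAndSizes
    cert_offset = len(dos) + len(coff) + len(opt)
    # wRevision 0x0200, wCertificateType 0x0002 (WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    win_cert = struct.pack('<IHH', 8 + len(cert_payload), 0x0200, 0x0002) + cert_payload
    struct.pack_into('<II', opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, len(win_cert))
    return bytes(dos) + coff + bytes(opt) + win_cert


# Stand-in for a PKCS #7 blob: a 5-byte DER SEQUENCE, padded to the 8-byte boundary.
FAKE_SIGNATURE = bytes([0x30, 0x03, 0x02, 0x01, 0x05]) + bytes(3)
CLEAN_PE = build_pe(FAKE_SIGNATURE)
TAMPERED_PE = build_pe(FAKE_SIGNATURE + b'mshta:payload')

if __name__ == '__main__':
    print(appended_data(CLEAN_PE))      # b''
    print(appended_data(TAMPERED_PE))   # b'mshta:payload'
```

Because the appended bytes are outside the signed hash, signature verification alone will not catch them; comparing the DER length of the signature with dwLength is the check that does, and it is cheap enough to run across a whole software repository.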
The PowerShell script then downloads the gpg4win tool for decryption purposes and runs a Windows Batch script named ais.bat.\r\nais.bat downloads the NSudo tool (executable: adminpriv.exe) from the attacker-controlled endpoint commandaadmin[.]com and uses the tool to conduct a variety of activities with administrative privileges, such as disabling the Windows Defender security solution. \r\nais.bat also executes the apiicontrast.dll and appContast.dll files. Note that apiicontrast.dll and appContast.dll carry valid Microsoft digital signatures and therefore pass as legitimate files. This is possible because of CVE-2013-3900, a WinVerifyTrust signature validation weakness: the Authenticode hash does not cover the bytes that follow the PKCS #7 signature blob inside the certificate table (WIN_CERTIFICATE structure) of a Portable Executable file, so malicious actors can append script content there without invalidating the signature. Microsoft’s fix is opt-in: Windows only rejects such files when the EnableCertPaddingCheck value under HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Wintrust\\Config (and the Wow6432Node equivalent on 64-bit systems) is set.\r\napiicontrast.dll and appContast.dll store malicious scripts that execute when the mshta.exe Windows utility executes apiicontrast.dll and appContast.dll as follows (mshta.exe ignores the file extension and parses the file as HTML Application content, so it finds and runs the script block appended after the signature):\r\ncmd /c C:\\Windows\\System32\\mshta.exe C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\appContast.dll\r\ncmd /c C:\\Windows\\System32\\mshta.exe C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\apiicontrast.dll\r\nThe malicious script in appContast.dll modifies Windows Defender settings, such as excluding processes from Windows Defender scans. 
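The Set-MpPreference and Add-MpPreference invocations listed in the table below can be triaged automatically. This added example (ours, not detection logic from Cybereason) parses such command lines from process-creation telemetry, maps each parameter to the protection it weakens (a ThreatDefaultAction of 6 means Allow, MAPSReporting 0 turns cloud protection off, SubmitSamplesConsent 2 means never send, ScanScheduleDay 8 means never), and flags exclusions broad enough to whitelist a whole profile or process. The sample command lines are constructed from the table with bob standing in for the user name; the finding labels and the sets of broad processes and paths are our own assumptions.

```python
import re
import shlex

CMDLETS = {'set-mppreference', 'add-mppreference'}
EXECUTABLE_EXTENSIONS = {'exe', 'dll', 'ps1', 'js', 'jse', 'vbs', 'bat', 'cmd', 'hta'}
# Processes whose exclusion effectively whitelists anything they run or load (assumed list).
BROAD_PROCESSES = {'explorer.exe', 'svchost.exe', 'powershell.exe', 'cmd.exe',
                   'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe'}
# Whole profile or system roots, with or without a trailing backslash (assumed list).
BROAD_PATH = re.compile(r'^[a-z]:\\(users\\[^\\]+\\?|users\\?|windows\\?|programdata\\?)$', re.I)


def parse_mp_preference(cmdline):
    # Split a PowerShell command line and return (cmdlet, [(parameter, value), ...]);
    # parameters without a value (switches such as -Force) get None.
    tokens = shlex.split(cmdline)
    for i, tok in enumerate(tokens):
        if tok.lower() in CMDLETS:
            cmdlet, args = tok, tokens[i + 1:]
            break
    else:
        return None, []
    params, j = [], 0
    while j < len(args):
        if args[j].startswith('-'):
            name = args[j][1:]
            if j + 1 < len(args) and not args[j + 1].startswith('-'):
                params.append((name, args[j + 1]))
                j += 2
                continue
            params.append((name, None))
        j += 1
    return cmdlet, params


def classify(name, value):
    # Map one parameter change to a finding string, or None when it is not a weakening.
    p = name.lower()
    v = (value or '').strip().lower()
    truthy = v in ('$true', 'true', '1')
    if p.startswith('disable') and truthy:
        return 'protection component disabled'
    if p == 'signaturedisableupdateonstartupwithoutengine' and truthy:
        return 'signature update on startup disabled'
    if p == 'mapsreporting' and v in ('0', 'disabled'):
        return 'cloud-delivered protection disabled'
    if p == 'submitsamplesconsent' and v in ('2', 'neversend'):
        return 'sample submission disabled'
    if p.endswith('threatdefaultaction') and v in ('6', 'allow'):
        return 'detected threats set to Allow'
    if p == 'puaprotection' and v in ('0', 'disable', 'disabled'):
        return 'PUA protection disabled'
    if p == 'enablecontrolledfolderaccess' and v in ('0', 'disabled'):
        return 'controlled folder access disabled'
    if p == 'scanscheduleday' and v == '8':
        return 'scheduled scans set to Never'
    if p == 'exclusionextension':
        return 'executable extension excluded' if v.lstrip('.') in EXECUTABLE_EXTENSIONS else 'extension excluded'
    if p == 'exclusionprocess' and ('*' in v or v in BROAD_PROCESSES):
        return 'broad process exclusion'
    if p == 'exclusionpath' and ('*' in v or BROAD_PATH.match(v)):
        return 'broad path exclusion'
    if p.startswith('exclusion'):
        return 'exclusion added'
    return None


def audit_defender_commands(cmdlines):
    # Run every command line through the parser and collect weakening changes in order.
    findings = []
    for line in cmdlines:
        cmdlet, params = parse_mp_preference(line)
        if cmdlet is None:
            continue
        for name, value in params:
            finding = classify(name, value)
            if finding:
                findings.append({'cmdlet': cmdlet, 'param': name, 'value': value, 'finding': finding})
    return findings


# Constructed from the report's table; bob stands in for the user, the last two lines are benign.
SAMPLE_CMDLINES = '''
powershell.exe -Command Add-MpPreference -ExclusionExtension '.exe'
powershell.exe -Command Add-MpPreference -ExclusionProcess 'explorer.exe'
powershell.exe -Command Set-MpPreference -DisableRealTimeMonitoring $true
powershell.exe -Command Set-MpPreference -HighThreatDefaultAction 6 -Force
powershell.exe -Command Set-MpPreference -MAPSReporting 0
powershell.exe -Command Set-MpPreference -ScanScheduleDay 8
powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\\Users\\bob\\*'
powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\\Users\\bob\\AppData\\Roaming'
powershell.exe -Command Set-MpPreference -ScanScheduleDay 0
powershell.exe -Command Get-MpPreference
'''.strip().splitlines()

if __name__ == '__main__':
    for f in audit_defender_commands(SAMPLE_CMDLINES):
        print(f)
```

The same classify function can be pointed at the current state of a host: feed it the property names and values returned by Get-MpPreference and any non-None result is a setting to revert.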
The table below lists the commands that the malicious script in appContast.dll executes:\r\npowershell.exe -Command Add-MpPreference -ExclusionExtension '.exe'\r\npowershell.exe -Command Add-MpPreference -ExclusionProcess '*.dll'\r\npowershell.exe -Command Add-MpPreference -ExclusionProcess '*.exe'\r\npowershell.exe -Command Add-MpPreference -ExclusionProcess '.dll'\r\npowershell.exe -Command Add-MpPreference -ExclusionProcess '.exe'\r\npowershell.exe -Command Add-MpPreference -ExclusionProcess 'explorer.exe'\r\npowershell.exe -Command Set-MpPreference -DisableBehaviorMonitoring $true\r\npowershell.exe -Command Set-MpPreference -DisableIOAVProtection $true\r\npowershell.exe -Command Set-MpPreference -DisableIntrusionPreventionSystem $true\r\npowershell.exe -Command Set-MpPreference -DisablePrivacyMode $true\r\npowershell.exe -Command Set-MpPreference -DisableRealTimeMonitoring $true\r\npowershell.exe -Command Set-MpPreference -DisableScriptScanning $true\r\npowershell.exe -Command Set-MpPreference -EnableControlledFolderAccess Disabled\r\npowershell.exe -Command Set-MpPreference -HighThreatDefaultAction 6 -Force\r\npowershell.exe -Command Set-MpPreference -LowThreatDefaultAction 6\r\npowershell.exe -Command Set-MpPreference -MAPSReporting 0\r\npowershell.exe -Command Set-MpPreference -ModerateThreatDefaultAction 6\r\npowershell.exe -Command Set-MpPreference -PUAProtection disable\r\npowershell.exe -Command Set-MpPreference -ScanScheduleDay 8\r\npowershell.exe -Command Set-MpPreference -SevereThreatDefaultAction 6\r\npowershell.exe -Command Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true\r\npowershell.exe -Command Set-MpPreference 
-SubmitSamplesConsent 2\r\npowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\\Users\\\u003cuser\u003e'\r\npowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\\Users\\\u003cuser\u003e\\*'\r\npowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\\Users\\\u003cuser\u003e\\AppData\\Roaming'\r\npowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\\Users\\\u003cuser\u003e\\AppData\\Roaming*'\r\npowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\*'\r\npowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\System32\\WindowsPowerShell\\'\r\npowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\System32\\WindowsPowerShell\\*'\r\nCommands that modify Windows Defender settings\r\nThe numeric values matter here: a *ThreatDefaultAction of 6 means Allow, MAPSReporting 0 turns cloud-delivered protection off, SubmitSamplesConsent 2 means never send samples, and ScanScheduleDay 8 means scheduled scans never run. Set-MpPreference and Add-MpPreference require administrative privileges, which is why the chain elevates first; where Microsoft Defender Tamper Protection is enabled, the Disable* and MAPSReporting changes are rejected even for administrators.\r\nAfter a sleep phase, the malicious script in apiicontrast.dll decrypts the gpg-encrypted files zoom.dll (the Zloader malware) and/or zoom1.msi and zoom2.dll (the Cobalt Strike module and the Atera remote access component) using gpg4win, and executes them:\r\nThe malicious script in apiicontrast.dll decrypts and executes zoom1.msi, zoom.dll, and zoom2.dll (as seen in the Cybereason XDR Platform)\r\nDetection and Prevention\r\nCybereason XDR Platform\r\nThe Cybereason XDR Platform is able to detect and prevent infections with SocGholish and Zloader using multi-layer protection that detects and blocks malware with threat 
intelligence, machine learning, and Next-Gen Antivirus (NGAV) capabilities:\r\nThe Cybereason XDR Platform labels as suspicious the execution of a malicious SocGholish JavaScript script using the wscript utility\r\nThe Cybereason XDR Platform detects SocGholish injecting code into werfault.exe instances\r\nThe Cybereason XDR Platform detects the deployment of the Zloader malware\r\nCybereason GSOC MDR\r\nThe Cybereason GSOC recommends the following:\r\nEnable the Anti-Malware feature on the Cybereason NGAV and enable the Detect and Prevent modes of this feature.\r\nSecurely handle files downloaded from the Internet and email messages that originate from external sources.\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats - to find out more about threat hunting and Managed Detection and Response with the Cybereason Defense Platform, contact a Cybereason Defender here.\r\nFor Cybereason customers: More details available on the NEST including custom threat hunting queries for detecting this threat.\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. 
Schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\nIndicators of Compromise\r\nExecutables (SHA-1 hashes):\r\n3918a9ebe88ba272718a14c02eae148eaafbe51b\r\ndb6e1a1dbb0e351c44b49db79b8bad3321d673a1\r\n57d0c737686cf01bd6aa0ef206d3f81aee93cbbd\r\n0cdaee46f8d898c253ba3427256d430de3ff7791\r\n3e481043bc981eae8f0b977477024abb6e1e132e\r\na187d9c0b4bdb4d0b5c1d2bdbcb65090dcee5d8c\r\n41e99216782434354a16015c33dcd6550bff0a35\r\n7150a4c32f401a7d924083094c3c3796a392556f\r\nDomains (a leading dot denotes any subdomain):\r\n.xen.hill-family[.]us\r\napps.weightlossihp[.]com\r\nupstream.fishslayerjigco[.]com\r\n.host.integrativehealthpartners[.]com\r\nplatform.windsorbongvape[.]ca\r\nwidget.windsorbongvape[.]com\r\nsikescomposites[.]com\r\npastorq[.]com\r\nclouds222[.]com\r\ncommandaadmin[.]com\r\nIP addresses\r\n87.249.50[.]201\r\n91.219.236[.]202\r\n77.223.98[.]12\r\n5.53.125[.]173\r\n178.21.11[.]77\r\n193.124.18[.]128\r\nMITRE ATT\u0026CK Techniques\r\nInitial Access: Drive-by Compromise; Phishing: Spearphishing Link\r\nExecution: User Execution: Malicious Link; User Execution: Malicious File; Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: Windows Command Shell; Command and Scripting Interpreter: JavaScript; Windows Management Instrumentation\r\nDefense Evasion: Masquerading: Masquerade Task or Service; Masquerading: Match Legitimate Name or Location; Process Injection; Signed Binary Proxy Execution: Rundll32; Reflective Code Loading\r\nCredential Access: Credentials from Password Stores: Credentials from Web Browsers; Steal or Forge Kerberos Tickets; Steal Web Session Cookie; Unsecured Credentials: Credentials In Files\r\nDiscovery: Remote System Discovery; System Owner/User Discovery; Process Discovery; System Information Discovery; Account Discovery; Domain Trust Discovery; Group Policy Discovery\r\nCollection: Data from Local System\r\nExfiltration: Exfiltration Over Alternative Protocol\r\nAbout the Researchers\r\nAleksandar Milenkoski, Senior Malware and Threat Analyst, Cybereason Global SOC\r\nAleksandar Milenkoski is a Senior Malware and Threat Analyst with the Cybereason Global SOC team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD in system security. For his research activities, he has been awarded by SPEC (Standard Performance Evaluation Corporation), the Bavarian Foundation for Science, and the University of Würzburg, Germany. Prior to Cybereason, his work focussed on research in intrusion detection and reverse engineering security mechanisms of the Windows operating system.\r\nLoïc Castel, Senior Security Analyst, Cybereason Global SOC\r\nLoïc Castel is a Senior Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. 
In his career, Loïc worked as a security\r\nauditor in well-known organizations such as ANSSI (French National Agency for the Security of Information\r\nSystems) and as Lead Digital Forensics \u0026 Incident Response at Atos. Loïc loves digital forensics and incident\r\nresponse, but is also interested in offensive aspects such as vulnerability research.\r\nYonatan Gidnian, Senior Security Analyst and Threat Hunter, Cybereason Global\r\nSOC\r\nYonatan Gidnian is a Senior Security Analyst and Threat Hunter with the Cybereason Global SOC team. Yonatan\r\nanalyses critical incidents and hunts for novel threats in order to build new detections. He began his career in the\r\nIsraeli Air Force where he was responsible for protecting and maintaining critical infrastructures. Yonatan is\r\npassionate about malware analysis, digital forensics, and incident response.\r\nAbout the Author\r\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every\r\ncontinent. Led by cybersecurity experts with experience working for government, the military and multiple\r\nindustry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive\r\nthreats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle\r\nmoves.\r\nSource: https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems"
	],
	"report_names": [
		"threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems"
	],
	"threat_actors": [],
	"ts_created_at": 1775434022,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ee2df3404c2553119e040d1eeea44314249a45c.pdf",
		"text": "https://archive.orkl.eu/0ee2df3404c2553119e040d1eeea44314249a45c.txt",
		"img": "https://archive.orkl.eu/0ee2df3404c2553119e040d1eeea44314249a45c.jpg"
	}
}