{
	"id": "8816a55f-f2ae-4fd0-9d73-b901b006a695",
	"created_at": "2026-04-06T00:07:18.840153Z",
	"updated_at": "2026-04-10T03:21:39.881187Z",
	"deleted_at": null,
	"sha1_hash": "1ae25f3125c4374412d8359172ba67cdd7eebf61",
	"title": "Increase In Drive-by Attack: SocGholish Malware Downloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1647547,
	"plain_text": "Increase In Drive-by Attack: SocGholish Malware Downloads\r\nBy Krishnan Subramanian\r\nPublished: 2020-12-15 · Archived: 2026-04-05 21:20:46 UTC\r\nMenlo Labs has uncovered an increase in a drive-by attack that impersonates legitimate browser, Flash, and\r\nMicrosoft Teams updates.\r\nIn the last two months, the Menlo Labs team has witnessed a surge in drive-by download\r\nattacks that use the “SocGholish” framework to infect victims. This particular framework is known to be widely\r\nused to deliver malicious payloads by masquerading as a legitimate software update. Isolation prevents this type\r\nof attack from delivering its payload to the endpoint. Here’s what we know.\r\nWhat Is a Drive-by Attack?\r\nA drive-by attack is when a user visits an infected website and the website triggers a malicious download without\r\nuser intervention.\r\nWhat Is SocGholish?\r\nThe term “Soc” in the “SocGholish” framework refers to the attack’s use of social engineering toolkits\r\nmasquerading as a software update. Thus far, Menlo has observed this particular framework using several social\r\nengineering themes that impersonate browser updates (Chrome/Firefox), Flash Player updates, and more recently,\r\nMicrosoft Teams updates.\r\nMenlo Labs has also detected a fake Google Drive share link site that is served from an iframe on a malicious\r\nwebsite, although the malicious ZIP file is hosted on Google Drive. The ZIP file has an embedded JScript file that,\r\nupon execution, downloads additional malware.\r\nhttps://www.menlosecurity.com/blog/increase-in-attack-socgholish\r\nPage 1 of 8\n\nHow Does SocGholish Operate in the Wild?\r\nThe following diagram depicts the typical kill chain used by the SocGholish framework:\r\nTwo key observations about the SocGholish framework within the browser context:\r\nAttackers choose a way to host and serve the compromised website—usually a legitimate website that serves\r\nthe compromised content via an iframe.\r\nThe drive-by download mechanism is used to trigger the download of the malicious ZIP file to the\r\nendpoint. In the next section, we will delve into the specific mechanisms used by this framework in detail.\r\nUser interaction is still required to extract and execute the contents inside the malicious ZIP file, but this is where\r\nsocial engineering and trust in the source of the file come in. Because the file is hosted in an iframe within a\r\nlegitimate site, users are tricked into thinking the file is from a legitimate source and encouraged to download and\r\nexecute the file. The malicious ZIP file has an embedded JScript file that, upon execution, uses living-off-the-land\r\nbinaries (PowerShell/CMD, etc.) to fetch a malicious download—providing additional command and control\r\ncommunication to download the final malware. This framework is used to gain initial access to an endpoint. From\r\npast research, we’ve seen this framework distribute the Dridex Banking Trojan and variations of the\r\nWastedLocker ransomware family.\r\nWhy Doesn’t Categorization Block SocGholish?\r\nThe iframes that are used to serve content from malicious sites are hosted on sites that have been categorized under\r\nlegitimate categories, such as download sites or other categories in which reasonably popular websites are often\r\nhosted.\r\nThe malicious ZIP file is usually delivered from popular cloud hosting providers. The following chart shows a\r\nbreakdown of the specific service providers that were used to host these malicious ZIP files.\r\nWhat Attack Vectors Are Being Used?\r\nFrom our analysis, we know that the drive-by download mechanisms used by the SocGholish framework did not\r\ninvolve any browser exploitation or exploit kits to deliver malicious payloads. Depending on the social\r\nengineering theme used, we have observed the following mechanisms used to trigger the drive-by download:\r\n1) Using a watering hole:\r\nVictims are lured into visiting a reasonably popular website within the Alexa top ~100K ranking, where the\r\nattackers plant an iframe that sends users through a series of redirections to trigger the malicious download.\r\nThese redirections are usually from commonly used cloud hosting services (Bitbucket in the above\r\nexample).\r\nThe final URL to deliver the malicious ZIP file is served from Amazon S3.\r\nAny approach that relies on website categorization to inspect downloads is tricked into believing that the ZIP\r\nfile is downloaded from Amazon S3.\r\n2) Using JavaScript to trigger a blob download:\r\nThe attackers pick compromised sites that are hosted on content management systems such as WordPress to inject\r\niframes that use JavaScript blobs to automatically trigger the ZIP file download.\r\nThis mechanism is very similar to the DURI campaign we wrote about recently. Since the entire payload is\r\nconstructed within the endpoint, this method is commonly used to smuggle payloads and bypass legacy network\r\nproxies and sandboxes.\r\n3) Using JavaScript to dynamically generate the link to trigger the download:\r\nThis is the mechanism we observed in the sites.google.com fake share theme.\r\nAttackers use sites.google.com to deliver the malicious site via an iframe.\r\nThe iframe loads a JavaScript that dynamically creates a download link element and simulates a click to\r\ntrigger the malicious ZIP download.\r\nThe download link dynamically points to the ZIP file that is hosted on a legitimate Google Drive link.\r\nA Note on Browser Security Controls around iframes\r\nRecently, Chrome and Firefox developers have added a security feature that automatically blocks downloads from\r\nsandboxed iframes. In the above techniques, downloads were allowed from iframes specified by the following\r\nsettings:\r\nInjected iframe without the “sandbox” attribute specified, which simply allows downloads from the iframe.\r\nThe sites.google.com example has an iframe with the “sandbox” attribute, but also has “allow-downloads”, “allow-scripts”, “allow-forms”, etc. set.\r\nBe Sure, Be Safe, Be Secure\r\nAs we head into the holiday season and 2020 winds down, it’s important to be vigilant against these types of\r\nsophisticated attacks that impersonate legitimate software updates to deliver their malicious payload. Remember\r\nthat many browsers, including Chrome, have automated patching and updates—eliminating the kind of prompt\r\nthat SocGholish requires. Alternatively, it may be time to think about implementing isolation—the only security\r\ntechnology that prevents all web-based attacks by preventing any content (risky or not) from executing on the\r\nendpoint, without impacting the native user experience. It’s simple: Malicious actors can’t infect something they\r\ncan’t access. Learn more about isolation at menlosecurity.com.\r\nSource: https://www.menlosecurity.com/blog/increase-in-attack-socgholish",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.menlosecurity.com/blog/increase-in-attack-socgholish"
	],
	"report_names": [
		"increase-in-attack-socgholish"
	],
	"threat_actors": [],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ae25f3125c4374412d8359172ba67cdd7eebf61.pdf",
		"text": "https://archive.orkl.eu/1ae25f3125c4374412d8359172ba67cdd7eebf61.txt",
		"img": "https://archive.orkl.eu/1ae25f3125c4374412d8359172ba67cdd7eebf61.jpg"
	}
}