{
	"id": "d82cc006-50ea-49ce-9deb-08aa7a1ad206",
	"created_at": "2026-04-06T00:19:26.293994Z",
	"updated_at": "2026-04-10T13:13:07.111045Z",
	"deleted_at": null,
	"sha1_hash": "3b90654e61d1029918b3a6654f5b74117796b107",
	"title": "Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and Its Operator, TA569",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2497046,
	"plain_text": "Unmasking SocGholish: Silent Push Untangles the Malware Web\r\nBehind the “Pioneer of Fake Updates” and Its Operator, TA569\r\nBy Peggy Kelly\r\nPublished: 2025-08-06 · Archived: 2026-04-05 12:41:26 UTC\r\nKey Findings\r\nSocGholish, operated by TA569, actually functions as a Malware-as-a-Service (MaaS) vendor, selling\r\naccess to compromised systems to various financially motivated cybercriminal clients.\r\nThe primary tactic used involves deceptive “fake browser update” lures, often initiated by JavaScript\r\ninjections on compromised websites, which lead to drive-by malware downloads.\r\nSocGholish leverages Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS (the latter\r\nnotably used in Russian disinformation campaigns) to filter and redirect victims to malicious content.\r\nThus, TA569 acts as a vendor, or an Initial Access Broker (IAB), enabling other notorious groups and even\r\nthe Russian GRU’s Unit 29155 (via Raspberry Robin) to conduct follow-on attacks, including ransomware\r\ndeployments.\r\nSocGholish also utilizes domain shadowing and rotates its active domains frequently in order to evade\r\ndetection, making proactive threat intelligence crucial for a reliable defense.\r\nExecutive Summary\r\nSilent Push Threat Analysts have been rigorously tracking SocGholish and its operators, TA569, since 2024. This\r\nevolving threat most commonly masquerades as legitimate software updates, fooling users into unknowingly\r\ncompromising their systems. The core of their operation is a sophisticated Malware-as-a-Service (MaaS) model,\r\nwhere infected systems are sold as initial access points to other cybercriminal organizations.\r\nAs referenced above, TA569 serves as a vendor for the malware, selling infections to various clients for\r\nexploitation, including many advanced persistent threat (APT) groups, such as LockBit and Evil Corp. 
They also\r\nsell to threat actors using information stealers and remote access Trojans (RATs), including WastedLocker,\r\nNetSupportRAT, Hades, and Dridex, which remain a concern despite some successful global takedown efforts.\r\nThe widespread nature of SocGholish attacks, affecting countless individuals and enterprises, underscores the\r\nurgent need for better intelligence to defend against this pervasive threat.\r\nOur ongoing research here at Silent Push provides critical insights into SocGholish/TA569’s tactics, techniques,\r\nand procedures (TTPs) as well as Indicators of Future Attack (IOFA) feeds to block at the gate. This public report,\r\na condensed and operational security-minimized version of our internal customer reports, covers everything from\r\nSocGholish’s use of obscure domain names and fast-flux infrastructure to its strategic deployment of Traffic\r\nDistribution Systems (TDSs).\r\nhttps://www.silentpush.com/blog/socgholish/\r\nPage 1 of 18\n\nFor access to our unredacted report on SocGholish, please contact our team @ info@silentpush.com or book a\r\ndemo with our experts right here to get the very latest in pre-emptive threat intelligence.\r\nTable of Contents\r\nKey Findings\r\nExecutive Summary\r\nSocGholish Webinar: “From Fake Updates to Real Breaches”\r\nBackground\r\nBehind the Threat: The Business of Cybercrime\r\nA Visual Representation of SocGholish/TA569’s Infection Chain\r\nA High-Level SocGholish Infection Chain Rundown\r\nPowerful Traffic Distribution System Techniques\r\nParrot TDS\r\nKeitaro TDS\r\nDefenders and the Media Question Keitaro’s Legitimacy\r\nThe SocGholish Inject\r\nThe On-Device SocGholish Windows Agent\r\nThe Raspberry Robin Connection\r\nCustomers of TA569\r\nMintsLoader\r\nSign Up for a Free Silent Push Community Edition Account\r\nMitigation\r\nSample SocGholish Indicators of Future Attack™ (IOFA™) List\r\nContinuing to Track SocGholish/TA569\r\nJoin Silent Push August 21, 2025, for a SocGholish/TA569 deep 
dive and learn proactive techniques for detecting\r\nmalicious activity before a breach occurs.\r\nWhether you’re triaging alerts, responding to incidents in real time, or tracking threat actor infrastructure and\r\nTTPs, this webinar will better equip you to preemptively mitigate one of the internet’s longest-running and most\r\nsuccessful deception-based threats.\r\nRegister to attend one of three sessions: North America (12:00PM ET), EMEA (12:00PM CET), or APJ (10:00AM\r\nSGT).\r\nBackground\r\nGiven its prevalence, Silent Push Threat Analysts refer to SocGholish as the “Pioneer of Fake Updates.” It began\r\nas a relatively straightforward malware family that has since evolved into a sophisticated Initial Access Broker\r\n(IAB), operating as a crucial stepping stone for cybercriminals.\r\nWhile there is some disparity among multiple cybersecurity reporters, the first public mentions of SocGholish\r\nmalware date somewhere between the end of 2017 and mid-2018. Aliases associated with SocGholish include\r\n“FakeUpdates” and the notorious fake update framework’s operator, “TA569.”\r\nThe group behind SocGholish, TA569, is also referred to as “Mustard Tempest,” “DEV-0206,” and “UNC1543.”\r\nMeticulously crafting its lures, primarily disguised as urgent browser updates for Chrome or Firefox, and other\r\nsoftware like Adobe Flash Player or Microsoft Teams, TA569’s deceptive approach capitalizes on a lack of end-user education and the perceived necessity of software updates, turning a routine security practice into a vector for\r\ncompromise.\r\nEvidence obtained by Silent Push points to significant connections between SocGholish and Russia, with affiliates\r\nlike Keitaro TDS having Russian ties and some infrastructure hosted in Russia. 
In this report, our team also\r\nexamines other connections to Russia via DEV-0243, Raspberry Robin, Dridex, LockBit, and Evil Corp.\r\nBehind the Threat: The Business of Cybercrime\r\nSocGholish isn’t just a piece of malware; it’s a business model. With TA569 operating as a MaaS provider\r\nbrokering compromised system access to a diverse clientele, threat actors purchasing SocGholish malware kits\r\nand services are able to launch their cyberattacks with little to no technical expertise. This specialized role as an\r\nIAB helps to support an ecosystem where different criminal groups collaborate for mutual gain.\r\nThese threat actor clients are often financially motivated APT groups, including some of the most notorious in the\r\ncybercriminal underworld:\r\nEvil Corp (DEV-0243): A prominent Russian cybercrime actor, known for ransomware deployment,\r\nparticularly LockBit ransomware, post-2019 sanctions.\r\nLockBit and Dridex: Malware families frequently linked to Russian cybercrime, benefiting from\r\nSocGholish-provided access.\r\nRaspberry Robin: A complex worm, initially spread via “Bad USB” attacks, which Microsoft observed\r\npushing the SocGholish on-device agent. 
Interestingly, Raspberry Robin itself has ties to the Russian\r\nGRU’s Unit 29155.\r\nA single initial infection can lead to multiple, cascading threats orchestrated by different, specialized actors.\r\nSocGholish’s filtering mechanisms, described in greater depth below, indicate a strategy to maximize profit by\r\nselling the most lucrative access only to those cybercriminals willing and able to pay.\r\nA Visual Representation of SocGholish/TA569’s Infection Chain\r\nTo enhance public understanding of the complex SocGholish/TA569 threat landscape, our team is providing a\r\nconcise overview of the SocGholish cluster and its operators’ role as an IAB, drawing on multiple sources of\r\npublic research and our collective expertise researching all of the parts involved behind these interconnected\r\nthreats.\r\nA High-Level SocGholish Infection Chain Rundown\r\nTo support that effort, our team has crafted the following infographic (found below) to outline the complex global\r\nframework of SocGholish’s malicious activity, how it routes across various providers, and to display both where\r\nand how different payloads are delivered to potential targets.\r\nThis graphic displays the entire chain: from the initial victim’s visit to an infected website, including the various\r\nstages, until the final on-device payload implant.\r\nAside from the Raspberry Robin campaign noted in 2022, which we will discuss in more detail later in the blog,\r\nour team has observed that SocGholish infections typically originate from compromised websites that have been\r\ninfected in multiple different ways.\r\nWebsite infections can involve direct injections, where the SocGholish JS is loaded directly from the infected\r\nwebpage, or a variant of the direct injection in which an intermediate JS file is used to load the related injection.\r\nInfographic of SocGholish/TA569’s infection chain\r\nPowerful Traffic 
Distribution System Techniques\r\nThe primary sources of traffic for the SocGholish affiliate network framework, aside from direct injection of\r\nSocGholish domains into compromised websites, are traffic distribution systems (TDSs). More specifically, Parrot\r\nTDS and Keitaro TDS, the latter run in this chain by TA2726.\r\nTypically part of online advertising infrastructure, the primary function of these systems is to direct web traffic to\r\nspecific websites or to landing pages.\r\nIn online advertising, TDSs are used to present targeted advertisements to the website visitor. To accomplish this,\r\na TDS uses extensive fingerprinting of the website visitor, gathering information such as the user’s IP address,\r\nbrowser name, type, version, various browser configurations, the source of the traffic, and more to determine what\r\nad to present. It also allows advertisers to track the performance of their ads by presenting statistics on the number\r\nof visitors coming from a specific source and how many visitors who saw a particular ad also clicked on it.\r\nThis can be extended further via custom URL parameters that allow tracking of additional statistics, such as\r\n“which ad campaign directed the user to the TDS link.”\r\nBy employing these methods, an advertiser can, for example, send a targeted ad for an Android application in\r\nSpanish to a user visiting the TDS link from Spain (based on their IP) with an Android device (based on the\r\nfingerprint of the browser, such as “UserAgent,” or “screen size,” etc.).\r\nWhile some may see this as invasive, the technique itself is not inherently malicious.\r\nThreat actors, however, realized more than a decade ago that the same TDS technology used for Advertisement\r\nTraffic Direction (ATD) could also be used to redirect users to certain types of fraud. 
By setting up websites with a\r\nredirect via a TDS or by injecting links into compromised websites, an attacker using a TDS can present a visiting\r\nuser/victim with targeted malicious content of their choice.\r\nThis comes with immense advantages for threat actors, often enabling them to evade detection by network\r\ndefenders and cybersecurity researchers. It also allows threat actors to monetize traffic for devices they do not\r\ntarget directly by reselling that traffic to other actors who might have a use for it.\r\nFor example, early reported use cases of TDS in cybercrime were associated with exploit kits, which are web\r\nframeworks that attempt a series of exploits against a website visitor to achieve a drive-by compromise.\r\nCybercriminals use these malicious toolkits to automate the exploitation of software application vulnerabilities,\r\nwith the primary goal of delivering malware, such as ransomware, spyware, or Trojans, onto a victim’s device\r\nwithout their knowledge or consent.\r\nUsing a TDS, attackers can direct users to an exploit kit that targets a specific (and thus known-vulnerable)\r\nbrowser. This shields their fraudulent efforts from the portion of the internet using updated software and only\r\ntargets those that an attacker has already identified as vulnerable. It is also an effective method to reduce the\r\nnumber of actual exploit attempts seen in the wild, as defenders may be unaware that the injected TDS sends an\r\noutdated browser to a different website than it sends an updated browser.\r\nSocGholish’s infrastructure utilizes TDS techniques in nearly every step of the infection process. The injected\r\nSocGholish JS, which we detail later in the report, uses these methods to redirect users to next-stage JavaScript\r\nredirect scripts and browser-specific FakeUpdate templates. 
The on-device SocGholish stager then utilizes a TDS\r\nto differentiate between high-value, low-value, and “illegitimate” targets, whereupon it either delivers the payload\r\nor takes no action, as appropriate.\r\nAs referenced in the infographic (above), two specific TDSs are commonly observed in the attack chain before the\r\ninfection stage: Parrot TDS and Keitaro TDS. Both are used before redirecting to SocGholish injects and thus\r\ndon’t strictly need to be owned by SocGholish itself—further complicating attribution. To properly explain their\r\nrole, we will cover each TDS in depth below.\r\nParrot TDS\r\nFirst reported on by Avast in 2022, Parrot TDS is both the earliest and best-known system referenced in\r\nassociation with SocGholish. Even in the earliest reports on Parrot TDS, SocGholish was identified as its primary\r\ncustomer.\r\nThis TDS can be distinguished from others in traffic by the unique form of its JavaScript injects, which contain a\r\ntechnical fingerprint that we are unfortunately unable to share publicly.\r\nThese injects also load an additional external JavaScript via one of three methods: they either load the Parrot\r\nTDS URL directly, or they contact a proxy hosted either locally on the infected domain or on a remote domain.\r\nThe proxy is accessed via a .php file. Internally, the proxy will then load the JS via the Parrot TDS URL and\r\nreturn the same response as a direct query.\r\nAn example of this can be seen using a local proxy’s .php file. One infected website in this case, as of this\r\nwriting, was balancedapproachk9[.]com, which had the proxy kept at the following path:\r\n/assets/bootstrap/fonts/getunwashed/admin/view/stylesheet/stylesheet.php\r\nOn a final note, there were a few more technical fingerprints of value to our researchers during this\r\ninvestigation, which we have shared with our customers in our internal reporting on the subject. 
Unfortunately,\r\nfor operational security reasons, we were unable to include them in this piece.\r\nKeitaro TDS\r\nKeitaro TDS is another TDS often seen used in conjunction with SocGholish infections. In contrast with Parrot\r\nTDS, however, this TDS is openly promoted as an advertising tool by a company that is legitimately registered. It\r\ncan even be licensed from: “hxxps[:]//keitaro[.]io/”\r\nDefenders and the Media Question Keitaro’s Legitimacy\r\nKeitaro’s parent company, Apliteni, is based in Delaware. However, its CEO previously lived in Russia (now\r\nSpain), and at least seven of Apliteni’s employees indicate they are based in Russia on LinkedIn. In the context of\r\nthe other ties back to Russia observed in the SocGholish infrastructure chain, this raises questions about the\r\ncompany’s otherwise serious public image. Another notable finding that draws the Russian connection yet closer\r\nis the observation that Keitaro TDS has been heavily used in Russian disinformation campaigns.\r\nTechTarget wrote about Keitaro TDS back in 2024, reporting that over the past eight years, “Despite being\r\ndescribed as a legitimate TDS by Microsoft and other security vendors, Keitaro has been referenced in numerous\r\nthreat reports from various cybersecurity vendors and researchers.” The article further notes, “Researchers say\r\nKeitaro is one of the most widely used TDSes in the threat landscape, with threat activity going beyond\r\nmalvertising schemes and tech support scams that infect consumer devices. Numerous threat reports have\r\ndocumented complex threat campaigns with some of the most notorious ransomware, malware, and exploit kits\r\nthat have long plagued enterprises.”\r\nA notable actor to consider in the context of Keitaro TDS is TA2726, which Proofpoint highlighted as a traffic\r\nprovider for both SocGholish and TA2727. 
The gist of the article states that TA2726 compromises webpages,\r\ninjects them with its own Keitaro TDS link, and then resells that traffic to SocGholish as well as TA2727 and\r\nother actors. For SocGholish, the payload is the usual injected JS, which ultimately leads to fake update pages and\r\na Windows-specific SocGholish agent.\r\nFor TA2727, payloads are tailored to match the potential victim’s operating system. Windows typically receives\r\nDoiLoader and LummaStealer, whereas macOS receives an information stealer known as FrigidStealer, and\r\nAndroid devices are redirected to a download page for the Marcher Banking Trojan.\r\nOne note of interest here is that SocGholish appears to be delivered exclusively to North American (USA and\r\nCanada) Windows devices. In contrast, TA2727 payloads are delivered mostly to other countries, with the U.K.\r\nand France both explicitly named in the Proofpoint piece. macOS traffic from the US and Canada is also\r\nredirected to TA2727. This may indicate a preference in SocGholish targeting or attunement to the needs of a\r\nspecific SocGholish customer.\r\nIn an earlier iteration, an actor using Keitaro TDS redirected traffic from Windows devices to SocGholish TDS\r\nwhile redirecting all other traffic to the VexTrio malvertising framework.\r\nDue to the public availability of Keitaro TDS, we can’t fully confirm that this was the same actor as TA2726.\r\nHowever, technical evidence uncovered by the Silent Push threat team reveals a connection between these\r\nactivities.\r\nThe typical TA2726 inject looked like this, where the group redirects to VexTrio for all non-Windows clients:\r\nExample of a typical TA2726 inject\r\nAmong the many domains tracked using this inject in July 2024, Silent Push also monitored the following:\r\n1. bigbricks[.]org\r\n2. biggerfun[.]org\r\n3. cancelledfirestarter[.]org\r\n4. catsndogz[.]org\r\n5. climedballon[.]org\r\n6. cloudwebhub[.]pro\r\n7. codecruncher[.]pro\r\n8. 
daddygarages[.]org\r\n9. dailytickyclock[.]org\r\n10. deeptrickday[.]org\r\n11. searchgear[.]pro\r\n12. rapiddevapi[.]com\r\n13. cp[.]envisionfonddulac[.]biz\r\nThe injects from these domains can still be observed on many victim sites. One of these is the infected site\r\nhxxps[:]//www[.]teatree[.]si, which, at the time of this writing (August 2025), had the following in its source\r\ncode:\r\nSource code example from the infected site: hxxps[:]//www[.]teatree[.]si\r\nWe can see the website has been hit several times by the “khutmhpx” inject. Yet, we can also see a second type of\r\ninjection:\r\nThe injection utilizes the same domain as one of the “khutmphx” injections, providing the hard technical\r\nevidence we were looking for that the same threat actor cluster has used both.\r\nA second inject that our team discovered recently begins with “function(f,b,n,x,e).” A variant of it can be\r\nobserved on the infected website gitomer[.]com:\r\nScreenshot of the variant observed on gitomer[.]com\r\nNote that the domain used in the inject above is “rapiddevapi[.]com”. The same page contains two additional\r\ninjection types (Injection Type 3 and Injection Type 4).\r\nInject Type 3 appears as follows:\r\nScreenshot of Inject Type 3\r\nDecoding the Base64 reveals:\r\nrapiddevapi[.]com/M3P2n8Uaz6wsh7s2fgSRwIiSadn4Wz1fNsRbVwXrW\r\nWe can observe two things here: First, that this third inject reuses the same domain as the second inject we just\r\nhighlighted. Second, it utilizes the “function(f,b,n,j,x,e)” identifier. Knowing this, we can now tie these two\r\ninjects together, creating a connection between injects 1, 2, and 3.\r\nHowever, this page also provides evidence linking these injections to yet another inject type. 
On closer\r\nexamination, we can identify the following lines spread throughout the page source code, where we can see the\r\ndomain “rapiddevapi” being used in a fourth inject variant:\r\nScreenshot of the domain “rapiddevapi” being used in a fourth inject variant\r\nThis fourth inject is highlighted as a TA2726 inject by Proofpoint (who originally assigned that name to this threat\r\ncluster). Furthermore, from this, we were able to confirm overlaps between Injects 3 and 4 across four additional\r\ndomains:\r\n1. hxxps[:]//leatherbook[.]org/\r\n2. hxxps[:]//webapiintegration[.]cloud/\r\n3. hxxps[:]//blacksaltys[.]com/\r\n4. hxxps[:]//packedbrick[.]com/\r\nThree of the domains are known indicators for TA2726. This allowed us to trace TA2726’s activity back to at least\r\nMarch 2024 and tie it to the VexTrio campaign redirects from the same period.\r\nBased on this, it is likely that VexTrio was a client of TA2726, just as TA2727 is now, with SocGholish being a\r\nconstant client of theirs for over a year.\r\nExample of all three injection types using the domain rapiddevapi[.]com, seen on the infected site\r\ngitomer[.]com\r\nAs seen from the example screenshot above, a typical TA2726 inject currently appears like this:\n// potentially other website content\nThis variety of injection utilizes a DNS-prefetch statement to the injection domain, typically located near the top\nof an infected page. 
This leads to a DNS resolution upon page load, followed by the actual load of the full\nURL from a separate script tag later in the page.\nThe SocGholish Inject\nRegardless of which of the previously described paths a victim takes, if SocGholish is delivered, the victim will be\npresented with specific details (which we currently cannot share publicly).\nHowever, given the reuse of those details, once they are observed, our team is then able to assess with high\nconfidence that we are examining domains controlled and operated by SocGholish/TA569.\nEarly versions of SocGholish-related domains used a CID parameter, which was likely associated with different\ncampaigns (or traffic providers). After several updates in which this parameter became increasingly obfuscated,\nhowever, its use has tapered off and has not been seen recently. We nevertheless include that detail, as the\ninformation may still be encoded in the first-stage parameter.\nThe domains in this stage also seem to vary by traffic source. For example, the URL store[.]alignfrisco[.]com is\nthe current domain/hostname related to the Parrot TDS chain.\nSeparately, a direct inject, which does not rely on a TDS and can also be found directly in the HTTP body of an\ninfected site (as seen in the example below), would have a different domain such as cp[.]envisionfonddulac[.]biz,\nfrom a set of domains for direct injects and injects via TA2726.\nExample of a direct inject that doesn’t rely on a TDS:\n\nThese domains are occasionally rotated, though not as often as the C2 server proxies we will cover later in the\nreport.\nWe have assessed with low confidence that these URLs were created for each traffic source provider, allowing\nSocGholish to track their performance. However, it could also have been an evasion technique used to avoid\nrelying on a single domain.\nIt is essential to note that significant care has been taken to ensure proper victim identification here. 
This can be\nseen at this stage, which filters out users once again, even if previous stages have already done so via the TDS\nsetup. The SocGholish framework also considers several code-based aspects at this stage, each of which is listed\nbelow.\nSocGholish makes sure to filter the following in this stage:\n1. WordPress admin users do not get a payload\r\n2. Users who have already executed the payload do not get served again\r\n3. Users who use an automated web browser (using webdriver) get redirected to the first type of payload\r\n4. Users who have an unusually small screen size (mobile phones and some sandbox solutions) get redirected\r\nto another payload\r\n5. Users who already have the adViewEnabledKey set to true do not get a payload because the script uses this\r\nvariable to ensure the inject is only executed once.\r\n6. Users who have passed all these checks get served the main payload\r\nNote: This script has an additional feature that activates the real payload only when the victim moves their mouse.\r\nThis feature is also notably deactivated in the previous payload.\r\nThe main execution flow then continues with the third payload URL.\r\nIf a victim “passes” this screening, they are presented with a fake update script that is extensively highlighted.\r\nFortunately, our team was able to log payload 3 and determine that it is the final malicious update page. As such, it\r\nhas many HTML elements.\r\nUsing some formatting, we can create an image of the code:\r\nAn image of the code for the third payload\r\nThe general functionality of the code is explained in the following six steps:\r\n1. Set windowObj.localStorage[windowObj.location.hostname] to True (Prevent reload of script, see previous\r\nstage)\r\n2. 
Defines a send statistics function that loads an “image” based on type (this image load is a method to track\r\na user’s activity on the page)\r\nThe returned HTML document also contains some interesting strings worth examining here, among them is:\r\n\"\u003ctitle\u003eUpdate Chrome\u003c/title\u003e\"\r\nThis line instructs your browser to display the specified text in the tab at the top of your screen – in this case,\r\n“Update Chrome” would appear as the tab’s name.\r\nAdditionally, it contains images such as the icon below (loaded from Base64):\r\nScreenshot of the Google Chrome icon in question, loaded from Base64\r\nThis hints at what we are looking at. Among other things, the document.body.innerHTML also contains the\r\nfollowing strings:\r\nA German message (adapting to the geographic region of the intended victim here) tells the user they are using an\r\noutdated version of Chrome and to please click a dynamically generated button to download the update:\r\nSie benutzen eine alte Version von Chrome \u003c /h1\u003e' + ' \u003cp class=\"browser-promo\"\u003e\u003cnobr\u003eFühren Sie ein\r\nUpdate jetzt durch, um ihr Chrome reibungslos und sicher laufen zu lassen.\u003c/nobr \u003e \u003c /p\u003e' + ' \u003cp\r\nclass=\"browser-promo\"\u003eIhr Download wird automatisch gestartet. Wenn nicht, dann klicken Sie hier:\u003c/p \u003e\r\n' + ' \u003c a class = \"button eula-download-button download-button desktop-only hide-cros\"\r\nhref = \"javascript:void(0)\" \u003e Update Chrome \u003c /a\u003e' + ' \u003cimg class=\"hi-dpi empty-area section-hero\"\r\nsrc=\"data:image/jpg;\r\nbase64, /9j/\r\n3. The third step of this script is to render an update page that mimics a “Chrome Browser Update,” featuring\r\na button to download a file.\r\n4. We then see functionality that attempts to aggressively remove the current page’s content, except for the\r\ndynamically rendered update page. 
Essentially, the outcome is a complete visual redesign of the website to\r\nrender the update page without ever redirecting the user anywhere else.\r\n4.1 | The script clones the entire body of the current page, then replaces the old body with the new copy.\r\nThis removes all active JavaScript event listeners attached to the DOM without changing the visual layout.\r\n4.2 | Then, it does a check every 500 ms on all body elements. If they do not have a className or the\r\nclassName does not contain “fatnav-header” or “browser-landing”, it removes those elements (fatnav-header and browser-landing are the classnames used in the dynamic update page).\r\n4.3 | The script then overwrites the Google Tag Manager autoEventsSettings. This prevents Google Tag\r\nManager from performing automated tracking. This is likely an attempt to prevent Google from logging the\r\ninfection changes, thereby potentially alerting admins.\r\n4.4 | The script also disables the F5 key’s functionality. This key would normally cause a reload of the\r\npage, potentially destroying the fake update page.\r\n5. The next three functions define an interesting tracking mechanism. The script creates three flags related to\r\ntracking three different interactions of a victim:\r\nvar mouseMove = false;\r\nvar buttonOver = false;\r\nvar buttonClick = false;\r\nAs soon as the template is rendered, if the victim moves the mouse, the first event is fired. It sends a string\r\nto the JavaScript C2.\r\nThen, if the victim’s mouse hovers over the download button, a second event is fired, again being tracked\r\nvia loading an “image” from the C2.\r\nIf the victim then clicks the button, a third event is fired, marking the final “image” load from the C2.\r\nNote: All events fire only once.\r\nNote 2: What we have detailed here is a fascinating mechanism to confirm the user is alive and clicking the\r\npayload. 
It is likely to be part of the TDS, filtering out real users from fake ones who might be researchers.\r\nWe believe that if these three image loads are not executed (in order), no payload or a low-value payload is\r\nsent to the victim after infection.\r\n6. The script then creates an iframe that is attached to the button of the previously rendered “browser-landing” page. It is the same button previously pointed out above.\r\nThe flow of this code:\r\n6.1 | The page loads and sets up an invisible iframe.\r\n6.2 | User clicks the button.\r\n6.3 | Two things happen: btnClickStat() and btnClickAction() are triggered.\r\n6.4 | btnClickAction() sends a ‘download’ message to the iframe immediately and sets btnActionClicked =\r\ntrue.\r\n6.5 | If the iframe isn’t ready yet, it might respond later with a ‘loaded’ message.\r\n6.6 | When “loaded” is received, if the user had clicked “download,” it is sent again.\r\nExamining this iframe, we see the .src argument is obfuscated with Base64.\r\nIn the end, if all additional checks described in this section of our analysis are passed, the victim will receive a\r\ndownloadable payload when they click a button.\r\nThe On-Device SocGholish Windows Agent\r\nThe intermediate C2 framework dynamically generates payloads that victims download at runtime. These\r\nintermediate C2 servers are associated with the same SocGholish inject domain pattern we referenced previously:\r\n\u003csubdomain\u003e.\u003cdomain\u003e.\u003ctld\u003e/randomchars.\r\nIt is essential to note that across the execution framework, from the initial SocGholish injection to the on-device\r\nexecution of the Windows implant, the entire process is continuously tracked by SocGholish’s C2 framework. 
If,\r\nat any time, the framework determines that a given victim is not “legitimate,” it will stop serving a payload.\r\nAdditionally, links are likely to be bound to the IP of the victim and have a set “expiry time.” As such, all links\r\nassociated with these stages are useless for third-party researchers attempting to track this threat. To receive all\r\nstages, one must either monitor a live infection or emulate the entire chain from start to finish.\r\nThe SocGholish Agent, which is downloaded to the device, can appear in multiple formats. Most of the time, it is\r\neither a .zip file containing a .js file (where .js here means JScript, Microsoft’s Windows dialect of JavaScript) or the .js\r\nfile itself.\r\nThe names of these payloads also vary and often include the browser name, alongside certain keywords intended\r\nto obscure their intended purpose, e.g., words like “installer” or “update.”\r\nIn the most recent iteration (as of July 2025), TA569 has changed the name of this JScript payload to\r\n“LatestVersion.js.”\r\nSocGholish actors tend to also mix in non-standard encodings for different letters, such as a non-standard Unicode\r\nencoding of a single character in the word “update,” which then makes detection by standard anti-virus solutions\r\nmore difficult.\r\nAn example iframe for a payload targeting a user running the Firefox web browser is shown here:\r\nScreenshot example iframe for a payload targeting a user running Firefox\r\nThis will download the .zip file contained in base64 and store it as “UpdateInstaller[.]zip”.\r\nInside the file, “Version[.]139[.]3195[.]25[.]js” is designed to appear like a standard Firefox update file, giving an\r\napparent Firefox version in the filename. 
Its deobfuscation can be seen below, with some variables\r\nrenamed and code reformatted for legibility:\r\nSocGholish’s initial implant is a relatively simple JavaScript stager with only two functions\r\nHere we can see that this initial implant of SocGholish is a relatively simple JS stager that has only two functions:\r\nFirst, using an ActiveXObject, it creates a POST request to a SocGholish Implant C2, sending along the tracking\r\nID associated with the previous attack chain:\r\ncpanel[.]santechplumbing[.]com/profileLayout\r\nSecond, it starts a loop, waiting briefly before checking whether the C2 returned any data. If so, then the response\r\ntext is executed and the loop stops. Otherwise, it continues infinitely.\r\nThis stage contains a preventive measure. Since the payload is still being associated with the previous infection\r\nchain, if the IP suddenly changes, the C2 will not follow up with a payload.\r\nIn earlier campaigns, SocGholish was observed setting up wildcard subdomains (where any subdomain attempted\r\nwould resolve); however, it appears that they have since switched to using static subdomains over the last year or\r\nso.\r\nAn important note here is that the domains being used are set up using Domain Shadowing*.\r\nWhat is Domain Shadowing?*\r\nThe technique of Domain Shadowing involves compromising hosting or registry accounts of legitimate domains\r\nwith a “known good” or benign reputation and using them to set up new subdomains that then point to malicious\r\ninfrastructure. 
The effect of this is that the subdomains often appear less suspicious, as the domain itself has often\r\nexisted for a long time, appears to be a legitimate business or organization, and thus has a greater chance of\r\noperating without issues or discovery for an extended period.\r\nIn addition to Domain Shadowing, SocGholish rotates its domains every two to three days, making indicators\r\nhighly volatile and time-restricted in utility for defenders.\r\nAdditionally, the servers used as C2 servers for the implant are themselves proxies. The real C2 panel is hosted on\r\nTor, and all requests are routed via a Tor proxy.*\r\n*Note: Our team has not seen this detail being publicly discussed beyond an interesting graphic by Proofpoint in\r\na 2023 blog (Figure 14: SocGholish Overview).\r\nTA569 occasionally rotates the C2 path for the on-device JScript stager. Besides the /profileLayout path observed\r\nin the previous code example, recent C2 paths observed are “/merchantServices”, “/checkAjax”, and\r\n“/viewDashboard”. Silent Push researchers believe this to be an attempt to evade the detection of C2 traffic via\r\nknown paths in monitored networks.\r\nThe Raspberry Robin Connection\r\nSilent Push Threat Analysts have reported before on our observations of Raspberry Robin’s connections to Russia,\r\nand in 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA released a joint\r\nadvisory linking Raspberry Robin to actors associated with Russia’s GRU, and the 161st Specialist Training\r\nCenter (Unit 29155), underscoring its role in state-sponsored cyber operations. 
Their advisory can be accessed\r\nhere: “Russian Military Cyber Actors Target US and Global Critical Infrastructure.”\r\nIn 2022, Microsoft also highlighted that they observed the SocGholish on-device agent being pushed via the\r\nRaspberry Pi Worm, which led to ransomware activity related to DEV-0243, including pre-ransomware behavior.\r\nThis likely indicates that SocGholish bought traffic from Raspberry Robin and then sold the high-value infections\r\nto DEV-0243.\r\nWhere it becomes more interesting is when we highlight the fact that Microsoft, in another post about Raspberry\r\nRobin, concludes that there is code overlap between Raspberry Robin and Dridex, with Dridex being one of the\r\nearliest malware types that made DEV-0243 a notorious actor in the Russian cybercrime landscape.\r\nNot only is DEV-0243 one of the main (if not the exclusive) customers for high-value SocGholish infections, but\r\nit’s also possible that DEV-0243 is to some degree involved in spreading SocGholish directly via Raspberry\r\nRobin, as discussed by an IBM post, accessed via the Wayback Machine, titled: “Raspberry Robin and Dridex:\r\nTwo Birds of a Feather.” Thus, we assess it is at least possible that there are former members of these groups\r\ninvolved in all three malware families.\r\nCustomers of TA569\r\nThe most well-known customer of TA569 is identified as UNC2165 (also known as DEV-0243, as mentioned\r\nabove, and tracked as Manatee Tempest, SilverFish, GoldDrake, and Indrik Spider, which are all aliases likely\r\nreferring to Evil Corp), one of the most notorious Russian cybercrime actors.\r\nThis group is known to use SocGholish as an initial infection vector for ransomware deployment. 
Following the\r\npublic indictment of several members of Evil Corp in 2019, the group transitioned from using proprietary\r\nransomware variants to Ransomware-as-a-Service (RaaS) offerings, such as LockBit ransomware.\r\nThe prevailing assumption is that Evil Corp made this decision due to sanctions against its core members,\r\nrendering it illegal for most organizations to pay their ransom demands. By hiding behind RaaS operations,\r\nvictims of Evil Corp are more likely to pay the ransoms since they do not need to fear knowingly breaking\r\nsanctions by doing so.\r\nThis change in tactics also makes it harder to determine which ransomware attacks related to SocGholish are\r\nexecuted by Evil Corp members and which others (if any) are not.\r\nMintsLoader\r\nAnother recently observed customer of TA569 is the MintsLoader malware family. Also of note is an activity\r\ncluster named UNC4108, which appears to be directly related. UNC4108 utilizes MintsLoader to deploy various\r\npayloads, including info stealers, form grabber plugins, NetSupport RAT, and a backdoored BOINC client.\r\nThe primary function of loaders such as MintsLoader is to download and execute other malicious payloads,\r\nincluding RATs, infostealers, and modified BOINC* clients used for unauthorized computing.\r\nWhat is BOINC?*\r\n“Berkeley Open Infrastructure for Network Computing,” or BOINC, is a software platform that enables volunteer\r\ncomputing by permitting individuals to donate their computer’s idle processing time to scientific research projects.\r\nServing as a bridge to connect scientists with the vast, distributed computing power of volunteers’ personal\r\ncomputers, BOINC is a legitimate open-source platform that malicious actors have also abused. 
\r\nSilent Push Threat Analysts are currently investigating MintsLoader to a greater degree than the scope of this\r\nreport and will release our findings once the research is complete for our customers and, if possible, to the public.\r\nRegister now for our free Community Edition to use all the tools and queries highlighted in this blog.\r\nMitigation\r\nSilent Push believes all domains associated with SocGholish and TA569 present a significant level of risk.\r\nProactive measures are essential to defend against this evolving threat.\r\nOur analysts construct Silent Push Indicators Of Future Attack™ (IOFA™) Feeds, which provide a growing list of\r\ndata focused on scams supported by this technique. These feeds include:\r\nFakeUpdates – TA569/SocGholish Domains\r\nFakeUpdates – TA2726 Domains\r\nLoader – Mintsloader Domains and IP addresses\r\nKeitaro C2 Domains and IP addresses\r\nBulk Data Feeds for compromised domains.\r\nThe IOFA™ Feeds are available as part of a Silent Push Enterprise subscription. Enterprise users can ingest this\r\ndata into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure\r\nusing the Silent Push Console and Feed Analytics screen.\r\nSample SocGholish Indicators of Future Attack™ (IOFA™) List\r\nBelow is a sample list of Silent Push IOFA™ associated with SocGholish. 
Our complete list is available for\r\nenterprise users.\r\nContinuing to Track SocGholish/TA569\r\nOur team continues to investigate and track the SocGholish family of malware, its operator TA569, and all related\r\nactors, TDSs, and payloads involved in the complex infrastructure tied to this advanced threat.\r\nSilent Push Enterprise customers enjoy customer-only reporting streams on this threat and many others. Where\r\npossible, we will share the details that can be made public here with our readers.\r\nSource: https://www.silentpush.com/blog/socgholish/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.silentpush.com/blog/socgholish/"
	],
	"report_names": [
		"socgholish"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "821d8858-a784-4ab2-9ecb-56c7afeed7d7",
			"created_at": "2023-11-21T02:00:07.403629Z",
			"updated_at": "2026-04-10T02:00:03.479942Z",
			"deleted_at": null,
			"main_name": "SilverFish",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverFish",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434766,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b90654e61d1029918b3a6654f5b74117796b107.pdf",
		"text": "https://archive.orkl.eu/3b90654e61d1029918b3a6654f5b74117796b107.txt",
		"img": "https://archive.orkl.eu/3b90654e61d1029918b3a6654f5b74117796b107.jpg"
	}
}