{
	"id": "254191c4-290a-477e-982f-3e05d531433c",
	"created_at": "2026-04-10T03:21:51.645142Z",
	"updated_at": "2026-04-10T03:22:19.400019Z",
	"deleted_at": null,
	"sha1_hash": "3c24e4426b95f2809df7bbdd83bfb414220efedb",
	"title": "Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 752848,
	"plain_text": "Thwarting Loaders: From SocGholish to BLISTER’s LockBit\r\nPayload\r\nBy Earle Maui Earnshaw, Abdelrhman Sharshar\r\nPublished: 2022-04-05 · Archived: 2026-04-10 03:02:45 UTC\r\nCyber Threats\r\nBoth BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders\r\nare capable of and our investigation into a campaign that uses both to deliver the LockBit ransomware.\r\nBy: Earle Maui Earnshaw, Abdelrhman Sharshar Apr 05, 2022 Read time: 7 min (1852 words)\r\nThe Trend Micro™ Managed XDR team has made a series of discoveries involving the BLISTER loader and\r\nSocGholish. We observed SocGholish’s discreet activity despite its low detections and a BLISTER loader sample\r\nused by threat actors to drop a LockBit payload. Close monitoring of and prompt response to both cases prevented\r\ntheir respective payloads from being delivered.\r\nBoth BLISTER and SocGholish are known for their stealth and evasion\r\ntactics in order to deliver damaging payloads. Notably, these two have been used in campaigns together,\r\nwith SocGholish dropping BLISTER as a second-stage loader. Combined, these two loaders aim to evade\r\ndetection and suspicion to drop and execute payloads, specifically LockBit in this case. Our investigation follows\r\nwhat these loaders are capable of if they are not stopped from the outset.\r\nSocGholish infrastructure\r\nSocGholish has been around longer than BLISTER, having already established itself well among threat actors for\r\nits advanced delivery framework. Reports show that its framework of attack has previously been\r\nused by threat actors from as early as 2020.\r\nOur investigation began when the Trend Micro Managed XDR threat hunting team flagged activity from one\r\nendpoint. 
Further investigation uncovered more beneath the surface.\r\nIn this case, the user had unknowingly accessed a compromised legitimate website, which prompted a drive-by\r\ndownload of a malicious file into their system. This method of distributing malicious files is a distinct marker of\r\nSocGholish.\r\nThe downloaded zip file (C:\\Users\\victim\\Downloads\\download.1313a9.zip) contained the malicious JavaScript\r\nChrome.Update.1313a9.js, which masquerades as an update for the browser. The contained script is\r\nobfuscated. Thankfully, user execution is still required for this threat to proceed.\r\nhttps://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html\r\nPage 1 of 11\n\nFigure 1. Code snippet of the JavaScript\r\nWe investigated what would happen if the script were executed and learned that this allows the malware to\r\nproceed with connecting to its command-and-control (C\u0026C) domain and deploy several discovery commands to\r\ngather information regarding the system. Afterward, it logs the information into files with .tmp extensions.\r\nFigure 2. 
PRCA of the discovery commands’ execution as seen in Trend Micro Vision One™\r\nThe executed commands as seen in Figure 2 are as follows:\r\n\"C:\\Windows\\System32\\cmd.exe\" /C net group \"domain admins\" /domain\r\n\u003e\u003e \"C:\\Users\\victim\\AppData\\Local\\Temp\\rad613A2.tmp\"\r\n\"C:\\Windows\\System32\\cmd.exe\" /C cmdkey /list \u003e\u003e\r\n\"C:\\Users\\victim\\AppData\\Local\\Temp\\radF9A30.tmp\"\r\n\"C:\\Windows\\System32\\cmd.exe\" /C net user victim /domain \u003e\u003e\r\n\"C:\\Users\\victim\\AppData\\Local\\Temp\\rad6FDE0.tmp\"\r\n\"C:\\Windows\\System32\\cmd.exe\" /C nltest /domain_trusts \u003e\u003e\r\n\"C:\\Users\\victim\\AppData\\Local\\Temp\\rad8B102.tmp\"\r\n\"C:\\Windows\\System32\\cmd.exe\" /C cmdkey /list \u003e\u003e\r\n\"C:\\Users\\victim\\AppData\\Local\\Temp\\rad2A57D.tmp\"\r\n\"C:\\Windows\\System32\\cmd.exe\" /C nltest /dclist: \u003e\u003e\r\n\"C:\\Users\\victim\\AppData\\Local\\Temp\\rad3FBC3.tmp\"\r\n\"C:\\Windows\\System32\\cmd.exe\" /C whoami /all \u003e\u003e\r\n\"C:\\Users\\victim\\AppData\\Local\\Temp\\rad95E90.tmp\"\r\nThe malware then drops an additional .js file that executes a few other discovery commands. Finally, it downloads\r\nand executes the Cobalt Strike beacon, which is used to execute remote commands. Aside from the\r\naforementioned scripts, a few others were also dropped but were immediately mitigated by the product.\r\nFigure 3. Vision One showing the deployment of JavaScript and Cobalt Strike\r\nLow detections of Cobalt Strike and the BLISTER connection\r\nThe Cobalt Strike file was particularly interesting, because at the time of this investigation, it had a low detection\r\nrate. 
We wanted to see why that was and what evasion tactics it employed.\r\nDate Detection\r\nJan 19, 2022 2\r\nJan 20, 2022 3\r\nJan 26, 2022 3\r\nJan 31, 2022 2\r\nFeb 7, 2022 2\r\nFeb 10, 2022 2\r\nTable 1. VirusTotal detection history\r\nIndeed, further investigation showed that the Cobalt Strike file was a tampered version of a\r\nlegitimate DLL where an export function was modified to contain Cobalt Strike. This is the first time we have\r\nobserved this in the SocGholish infrastructure.\r\nFigure 4. Comparison of the original DLL to the patched DLL\r\nThe sample, wimgapi.dll, will create a thread that will essentially put itself to sleep for 10 minutes before\r\ndecrypting and executing its shell code. It also pauses operations in order to evade detection — a well-documented\r\ndefense evasion technique.\r\nIt also performs additional commands before decrypting and executing the shell code as an added evasion tactic.\r\nThese commands are the following:\r\nIt creates the folder C:\\\\ProgramData\\\\TermSvc.\r\nIt then drops the file C:\\\\ProgramData\\\\TermSvc\\TermSvc.exe, which is a copy of the file\r\n(Rundll32.exe in this case) that executes the sample wimgapi.dll, and the file %User\r\nStartup%\\\\TermSvc.lnk, which executes the aforementioned dropped copy (Rundll32.exe).\r\nIt then proceeds to decrypt, load, and execute the shell code that connects to the URL sikescomposite[.]com. It\r\nutilizes VirtualAlloc, VirtualProtect, and CreateThread to decrypt the shell code and execute it in memory.\r\nWe also observed the harvesting of API functions, which are called only when needed as seen in their shell code\r\n(Figure 5). 
This is another tactic that obscures the shell code.\r\nFigure 5. The code for harvesting of API functions and calling them when needed\r\nAs a malleable Cobalt Strike C\u0026C stager, the behavior of wimgapi.dll might be dependent on what is downloaded\r\nfrom the accessed URL. With regard to this incident, we have observed the following after its deployment:\r\nAccount discovery\r\nPass-the-hash for privilege escalation\r\nSpawned WerFault.exe process that generates the following activity: Network sniffing of port 135\r\nCopying of browser login data\r\nLateral movement via dropping Cobalt Strike copies into remote machines\r\nFigure 6. Dropping of Cobalt Strike to remote machines as seen in Vision One\r\nAside from the malicious behavior demonstrated by Cobalt Strike, one of the C\u0026C IP addresses\r\n(198[.]71[.]233[.]254) can be linked to Emotet and Dridex attacks. This IP address, which is used by multiple\r\nJavaScript C\u0026C domains, was found hosting and dropping Emotet and Dridex samples from the end of 2021 to\r\nthis year.\r\nThe way Cobalt Strike was used in this scenario (masking tampered DLLs as legitimate) is interesting, because we\r\nhave yet to observe it in other SocGholish campaigns. This indicates that the threat actors behind SocGholish are\r\nselling access to or are joining forces with a third party. Interestingly, another case investigated by the Trend\r\nMicro Managed XDR team seems to show the third party to be the threat actors behind BLISTER.\r\nFrom SocGholish to BLISTER and LockBit\r\nWe also discovered the use of the BLISTER loader, a newer type of malware that was first identified in December\r\n2021, in deploying the LockBit ransomware. The delivery of the BLISTER loader might be through malicious\r\ninstallers, specifically the SocGholish framework. 
It can also have an embedded Cobalt Strike or BitRat payload\r\nin its resource section.\r\nLockBit is a ransomware-as-a-service (RaaS) cartel that has one of the most active ransomware\r\noperations today. The gang is infamous for its sophisticated malware capabilities and strong affiliate network. It\r\ntypically infects systems using unauthorized access to internet-facing infrastructure.\r\nCuriously, the MDR team found that recent detections used BLISTER, which employs SocGholish’s tactic of\r\nusing fake browser updates to drop malicious files. It also uses several techniques such as the following to avoid\r\ndetection:\r\nUse of valid code signing certificates to persist in the system\r\nUse of direct system calls to avoid user-land hooks placed by antivirus software\r\nDelay of code execution for 10 minutes to evade sandbox detection\r\nInjection of the payload into a legitimate process such as werfault.exe and renaming\r\nlegitimate DLLs like Rundll32.exe to stay under the radar.\r\nThe file called ssql.exe was likely dropped through the drive-by download scheme of SocGholish. This file\r\nserves as a dropper that was created with NullSoft, an open-source system for creating Windows installers, as seen\r\nin Figure 7.\r\nFigure 7. The ssql.exe dropper created through NullSoft\r\nOnce ssql.exe is executed, it drops a BLISTER loader sample to %Temp%\\wimgapi_64\\wimgapi.dll. The file\r\nwimgapi.dll is then loaded in memory and the export WIMDeleteImageMounts is executed.\r\nFigure 8. BLISTER is dropped.\r\nFigure 9. WIMDeleteImageMounts is executed.\r\nThe DLL decodes the shell code found in its RCData resource and executes it. 
Similarly, the shellcode sleeps for\r\n10 minutes and then decrypts and decompresses the Cobalt Strike beacon.\r\nVision One generated an image (Figure 10) to show the infection chain based on our samples.\r\nFigure 10. Image of BLISTER loader’s infection chain generated through Vision One\r\nAfter the execution of the Cobalt Strike payload, the threat actors dropped and executed batch scripts to stop\r\nantivirus agents (KillAV) running in the environment and critical services (SQL, Veeam, Exchange, and others).\r\nThe script will also update the Group Policy Object (GPO) on the machine, add the computer host name to a\r\ncentralized text file, create a scheduled task “updater” to execute the batch file on startup, and finally clear the\r\nWindows Event logs.\r\nFigure 11. KillAV used by the LockBit ransomware group to try to stop antivirus agents\r\nFigure 12. Batch script used by the LockBit ransomware group to stop critical services and third-party antivirus software\r\nAfter successfully reaching this point, the LockBit sample would ultimately be executed. Our detections of the\r\ndomains that were created and the SocGholish certificates that were used suggest the likelihood that the campaign\r\nbegan in November 2021 and has persisted up to the present.\r\nConclusion\r\nThese investigations gave us the opportunity to learn more about SocGholish and the BLISTER loader. These cases\r\nhighlight the continued evolution of threats that are made to evade detection. Notably, we observed evasive tactics\r\nlike masking a tampered DLL as legitimate and placing shell code temporarily to sleep. 
Organizations should also\r\ntake note of the continuing trend of using Cobalt Strike in targeting victim entities and living-off-the-land binaries\r\n(LOLBins) to blend in with the environment.\r\nFor these cases, close monitoring and prompt detection prevented all that was described here from coming to pass.\r\nEarly containment and mitigation are essential to cut off more damaging attacks that compromise environments,\r\nsteal data, or deploy ransomware.\r\nOrganizations should remain vigilant and ensure that they have solid cybersecurity measures in place. These\r\nadditional security recommendations can also help them protect their assets from modern ransomware threats like\r\nLockBit:\r\nEnabling multifactor authentication (MFA) can prevent malicious actors from compromising user accounts\r\nas part of their infiltration process.\r\nUsers should be wary of opening unverified emails. Embedded links should never be clicked and attached\r\nfiles should never be opened without the proper precautions and verification, as these can kickstart the\r\nransomware installation process.\r\nOrganizations should always adhere to the 3-2-1 rule: Create three backup copies on two\r\ndifferent file formats, with one of the backups in a separate location.\r\nPatching and updating software and other systems at the soonest possible time can address exploitable\r\nvulnerabilities that can lead to a ransomware infection.
\r\nOrganizations can better protect themselves from ransomware attacks by implementing multilayered\r\nsecurity setups that combine elements such as the automated detection of files and other indicators with\r\nconstant monitoring for the presence of weaponized legitimate tools in\r\ntheir IT environment.\r\nNew malware techniques are bound to emerge as threat actors attempt to breach more systems. Organizations can\r\ndefend themselves against such threats by using multilayered detection and response solutions such as Trend\r\nMicro Vision One™, a purpose-built threat defense platform that provides added value and new benefits\r\nbeyond extended detection and response (XDR) solutions. This technology provides powerful XDR capabilities\r\nthat collect and automatically correlate data across multiple security layers — email, endpoints, servers, cloud\r\nworkloads, and networks — to prevent attacks via automated protection while also ensuring that no significant\r\nincidents go unnoticed.\r\nA list of the indicators of compromise (IOCs) can be found here.\r\nSource: https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html"
	],
	"report_names": [
		"Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791311,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c24e4426b95f2809df7bbdd83bfb414220efedb.pdf",
		"text": "https://archive.orkl.eu/3c24e4426b95f2809df7bbdd83bfb414220efedb.txt",
		"img": "https://archive.orkl.eu/3c24e4426b95f2809df7bbdd83bfb414220efedb.jpg"
	}
}