{
	"id": "a01737ff-56ed-43dc-9ea3-ab2cbde99dbb",
	"created_at": "2026-04-06T00:20:18.578692Z",
	"updated_at": "2026-04-10T03:37:32.711334Z",
	"deleted_at": null,
	"sha1_hash": "962ad4dd487c3a44597fcae507458194c7a1d164",
	"title": "SocGholish Malware: Script Injections, Domain Shadowing, IPs \u0026 Obfuscation Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2475690,
	"plain_text": "SocGholish Malware: Script Injections, Domain Shadowing, IPs \u0026\r\nObfuscation Techniques\r\nBy Denis Sinegubko\r\nPublished: 2022-08-16 · Archived: 2026-04-05 20:49:11 UTC\r\nIn June 2022, we shared information about the ongoing NDSW/NDSX malware campaign which has been one of\r\nthe most common website infections detected and cleaned by our remediation team in the last few years.\r\nThis NDSW/NDSX malware — also referred to as FakeUpdates or SocGholish by other research groups — is\r\nresponsible for redirecting site visitors to malicious pages designed to trick victims into loading and installing fake\r\nbrowser updates.\r\nWe’re now seven months into the year and our team has already detected this malware on over 25,000 sites since\r\nthe beginning of January, 2022 — with another 61,000 infected websites detected last year alone.\r\nIn today’s post, we’ll be outlining the injections and URLs used in the website malware portion of the SocGholish\r\nattack outside of the NDSW/NDSX campaign — the components of the infection that are actually observable on\r\ncompromised sites.\r\nWe’ll also reveal how attackers employ domain shadowing to conceal malicious activity, document some of the\r\nmore recent domains and IPs used in these attacks, and describe the evolution of the malware injection.\r\nContents:\r\nWhat is SocGholish?\r\nSocGholish injection analysis\r\nComparison: NDSW/NDSX \u0026 SocGholish scripts\r\nSocGholish platform\r\nDomain shadowing\r\nSocGholish domains \u0026 IPs\r\nObfuscation techniques in SocGholish scripts\r\nImportance of securing your website\r\nWhat is SocGholish?\r\nSocGholish is a JavaScript malware framework that has been in use since at least 2017. It is distributed through a\r\nnumber of malicious sites claiming to provide critical browser updates. 
In reality, these sites are designed to trick\r\nvictims into downloading and installing malware — usually in the form of .zip or .js files (you can find samples\r\non MalwareBazaar).\r\nhttps://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html\r\nPage 1 of 13\n\nFake Update site screenshot courtesy of MalwareBytes\r\nOnce an end user has manually decompressed and executed the archive file by double-clicking the contents,\r\nvarious malware is deployed, which may include remote access trojans (RATs), information stealers, and Cobalt Strike\r\nbeacons. All this malware is just an intermediary step for targeted ransomware attacks against corporations\r\nand organizations, resulting in major disruptions of business operations and significant financial losses.\r\nThere is ample evidence that SocGholish and its infrastructure have close ties to prominent attacks and criminal\r\ngroups.\r\nFor example, PRODAFT linked it to the infamous SolarWinds attack and to\r\nEvilCorp, a ransomware organization. And in Microsoft’s recent research “Ransomware-as-a-service:\r\nUnderstanding the cybercrime gig economy and how to protect yourself” SocGholish was also attributed as a\r\nloader for other malware campaigns connected with EvilCorp and various other ransomware.\r\nAnalysis of recent SocGholish injections\r\nAs a preface, we recommend referring to this Twitter thread by Andrew Northern if you want to understand the\r\nentirety of the SocGholish attack. His thread clearly outlines the different stages and infrastructure involved. 
We’ll\r\nbe describing stages 1 and 2 found in his observations: injections and URLs.\r\nFor researchers looking for immediate examples, you can find infected websites using this URLScan.io query.\r\nNDSW is the most prominent malware campaign redirecting visitors to fake update sites, but it’s not the only one.\r\nOther similar malware campaigns are also using different JavaScript injections to serve SocGholish’s fake updates\r\nfrom the same infrastructure. We’ve been tracking multiple waves of these campaigns since 2017.\r\nOur Sucuri SiteCheck scanner currently detects non-NDSW variations of SocGholish scripts on 500+ sites every\r\nweek.\r\nA SocGholish detection seen in Sucuri SiteCheck\r\nHere is a screenshot of the most recent type of injection we’ve found on compromised websites. It is located\r\neither right before the closing \u003c/head\u003e tag or at the top or bottom of random legitimate .js files.\r\nTypical SocGholish injection seen during August 2022\r\nThe script is pretty simple. After deobfuscation, it looks like this:\r\nAs you can see, this attack is only interested in a specific segment of user agents: those on Windows computers\r\ncoming from third-party sites (search engines) for the first time.\r\nIf the visitor matches these criteria, a script (stage 2) is loaded. 
In this particular sample seen above, it originates\r\nfrom hxxps://natural.cpawalmyrivera[.]com/report?r=dj0xYTAyMDFiNTJkN2NhOTk5NzE1MyZjaWQ9MjY4, however these URLs have been changing quite often\r\nlately.\r\nThis type of injection is what we refer to as a vanilla SocGholish injection.\r\nComparison between NDSW/NDSX and vanilla SocGholish scripts\r\nOn a basic level, a vanilla SocGholish script is the same as the one that the NDSW/NDSX campaign serves on its\r\nthird layer (NDSX script from a TDS server) — just without the var ndsx = true; statement found at the\r\nbeginning of the code. The ndsw variable is also not referenced anywhere in vanilla SocGholish scripts.\r\nAdditionally, it appears that the NDSW/NDSX campaign creates a custom wrapper around SocGholish scripts that\r\ndynamically serves them through a PHP proxy found on the same site as the injected ndsw JavaScript.\r\nThis wrapper definitely adds a bit of complexity to the infection process — attackers are required to customize the\r\ninjection for each site, upload different types of malware (JS and PHP), and maintain a proxy. On the other hand,\r\nthis approach provides obvious benefits over the vanilla versions of these SocGholish injections — the\r\nNDSW/NDSX campaign doesn’t need to reinfect websites every time the SocGholish stage 2 URL changes\r\n(which happens pretty often lately). Instead, all the attacker needs to do is update the script on their own server\r\nand it will be automatically served via their proxy without any direct changes to the infected sites.\r\nInteresting side note:\r\nWebsite malware is usually poorly detected by conventional antivirus solutions, which focus more on the payloads\r\nwhen they actually reach the protected computer. 
However, sometimes antiviruses also warn web surfers when\r\nthey detect certain JavaScript injections and block browsers from executing them.\r\nIn the case of these SocGholish injections, antivirus detections are not consistent. For example, Microsoft\r\nDefender detected a few variations (~20%) of NDSW injections as Trojan:JS/Agent.AG!MSR but didn’t detect\r\nany of our vanilla SocGholish injection samples.\r\nSocGholish platform\r\nOne possible explanation for the existence of different malware campaigns leveraging the same SocGholish script\r\nis that SocGholish is actually a platform (scripts, servers) managed by one criminal group.\r\nIf this is the case, the SocGholish platform might provide scripts to affiliated third-party groups who drive traffic\r\nto fake update sites in exchange for a share of the revenue. It would be up to the third parties how they drive traffic:\r\nfor example, malvertising, black hat SEO, or injecting malware into legitimate websites.\r\nSome hackers that use the website malware approach directly inject the scripts provided by SocGholish operators,\r\nwhile others (like NDSW) use an elaborate scheme with multiple layers and PHP proxies.\r\nSilverFish\r\nThe SocGholish infrastructure most likely belongs to a highly sophisticated group analyzed by PRODAFT in\r\n2020-2021, which they refer to as SilverFish.\r\nIn their report, we can find screenshots of a C\u0026C interface featuring SocGholish shadowed domains used in the TDS\r\nweb panel. 
This C\u0026C server provides attackers with ready-to-use JavaScript and PHP code for injection into\r\ncompromised sites:\r\nScreenshot of the TDS panel analysis from the PRODAFT SilverFish report\r\nCID analysis\r\nHaving analyzed the numerous SocGholish URLs loaded by injected scripts from 2017 to present, we can see that\r\nthey all contain a cid parameter that likely helps SocGholish operators distinguish which third party or campaign\r\nsent them a visitor.\r\nOriginally, these cids were passed in the clear to s_code.js scripts. However, newer versions of SocGholish’s\r\nURLs leverage the more sophisticated “report?r” URLs, which require the r parameter to be Base64-decoded in\r\norder to retrieve the cid.\r\nSocGholish URLs with CID parameters\r\nBelow are a number of examples of SocGholish URLs containing cid parameters. The first four items are URLs\r\nthat were leveraged by this malware campaign between 2017-2018.\r\nThis list is not exhaustive.\r\ntrack.amishbrand[.]com/s_code.js?cid=205\u0026v=c40bfeff70a8e1abc00f\r\nconnect.clevelandskin[.]com/s_code.js?cid=208\u0026v=e1acdea1ea51b0035267\r\ntrack.positiverefreshment[.]org/s_code.js?cid=220\u0026v=24eca7c911f5e102e2ba\r\nbackup.awarfaregaming[.]com/s_code.js?cid=217\u0026v=1cd8cd79dbccbc1c082b\r\nclick.clickanalytics208[.]com/s_code.js?cid=240\u0026v=73a55f6de3dee2a751c3\r\nlink.easycounter210[.]com/s_code.js?cid=206\u0026v=054499c5c1b815140c84\r\nsodality.mandmsolicitors[.]com/s_code.js?cid=247\u0026v=b83d055c53edad92676e\r\nsafeguard.couleurmutation[.]com/s_code.js?cid=248\u0026v=3c6bf61e28150eecf1ac\r\nnurse.dmvsvapekings[.]us/s_code.js?cid=249\u0026v=a96ede56c3b3ef83c9c2\r\nrocket2.new10k[.]com/s_code.js?cid=250\u0026v=7d7e3bc23eca7374941a\r\ncigars.pawscolours[.]com/report?r=dj03ZDdlM2JjMjNlY2E3Mzc0OTQxYSZjaWQ9MjUw\r\n(v=7d7e3bc23eca7374941a\u0026cid=250)\r\nstuff.bonneltravel[.]com/report?r=dj03ZDdlM2JjMjNlY2E3Mzc0OTQxYSZjaWQ9MjUw\r\n(v=7d7e3bc23eca7374941a\u0026cid=250)\r\ncardo.diem-co[.]com/report?r=dj03ZDdlM2JjMjNlY2E3Mzc0OTQxYSZjaWQ9MjUw\r\n(v=7d7e3bc23eca7374941a\u0026cid=250)\r\nexpense.brick-house[.]net/report?r=dj04YTFlYmI3OWRiZjZlN2VmNzgwYiZjaWQ9MjU1\r\n(v=8a1ebb79dbf6e7ef780b\u0026cid=255)\r\npaggy.parmsplace[.]com/report?r=dj0wOTlkY2ViYTJhMmVkMzgyZWMxZCZjaWQ9MjYw\r\n(v=099dceba2a2ed382ec1d\u0026cid=260)\r\ngenesis.ibgenesis[.]org/report?r=dj1iNjI0OWFiNTViODVhMDIxZmRjZCZjaWQ9MjYy\r\n(v=b6249ab55b85a021fdcd\u0026cid=262)\r\nhavana.littlehavanacigarstore[.]com:443/report?r=dj1iNjI0OWFiNTViODVhMDIxZmRjZCZjaWQ9MjYy\r\n(v=b6249ab55b85a021fdcd\u0026cid=262)\r\ncruize.updogtechnologies[.]com/report?r=dj03MDgyZTc5ZmNhN2EwY2M2YjA3NCZjaWQ9MjYz\r\n(v=7082e79fca7a0cc6b074\u0026cid=263) 
\r\npredator.foxscalesjewelry[.]com/report?r=Y2lkPTI2MyZ2PTRlYjk3YWU3MWI3NjZhYjEyMWU0\r\n(cid=263\u0026v=4eb97ae71b766ab121e4)\r\nquery.dec[.]works/report?r=dj01MDY1NDg3MTIwZTU2ZmQ1ZTZlNCZjaWQ9MjY0\r\n(v=5065487120e56fd5e6e4\u0026cid=264)\r\nwallpapers.uniquechoice-co[.]com/report?r=dj01MDY1NDg3MTIwZTU2ZmQ1ZTZlNCZjaWQ9MjY0\r\n(v=5065487120e56fd5e6e4\u0026cid=264)\r\nnatural.cpawalmyrivera[.]com/report?r=dj0xYTAyMDFiNTJkN2NhOTk5NzE1MyZjaWQ9MjY4\r\n(v=1a0201b52d7ca9997153\u0026cid=268)\r\nmaster.ilsrecruitment[.]com/report?r=dj0xYTAyMDFiNTJkN2NhOTk5NzE1MyZjaWQ9MjY4\r\n(v=1a0201b52d7ca9997153\u0026cid=268)\r\nwest.bykikarose[.]com/report?r=dj1iZjczNzgxMjU1N2YxNjgzMDI2MyZjaWQ9MjY5\r\n(v=bf737812557f16830263\u0026cid=269)\r\nIn these cases, cid may be interpreted as a “campaign id” rather than “client id”. And several cids may belong to\r\nthe same third party. For example, back in 2018, MalwareBytes associated different cids with different CMSs\r\ntargeted by FakeUpdates campaigns.\r\nFurthermore, each domain can be used with multiple different cids — and most cids can be observed on multiple\r\ndomains.\r\nOne interesting observation is that all cids found in these URLs fall in the 200s. In fact, we haven’t seen any cids\r\nlower than 205, with the top of the range extending only as far as 269 thus far (according to our data).\r\nIt’s also worth noting that NDSW malware has been using cid=250 and cid=255 for quite a long time, while\r\nSocGholish scripts loaded via the soendorg[.]top/jsquery.js injection always contain cid=269.\r\nDomain shadowing\r\nThroughout the years, SocGholish has employed domain shadowing in combination with domains created\r\nspecifically for their campaign.\r\nDomain shadowing is a trick that hackers use to get a domain name with a good reputation for their servers for\r\nfree. 
To accomplish this, attackers leverage compromised domain registrar or DNS provider accounts and add an\r\nadditional CNAME or A record for a randomly-named subdomain, then point it to their own server.\r\nThis sort of malicious activity is very hard to notice if you don’t regularly inspect your DNS records — and many\r\npeople don’t, as it’s usually a “set it and forget it” scenario.\r\nFor example, many SocGholish scripts currently use the baget.godmessaged[.]me host. Godmessaged.me is a\r\nlegitimate site hosted on a server with IP 75.119.205.210. However, the baget.godmessaged[.]me subdomain is\r\nhosted on a completely different server with IP 141.94.63.238. To accomplish this, hackers created an additional\r\nA record in the DNS settings of the godmessaged.me domain.\r\nDiG report for baget.godmessaged[.]me\r\nHere are a few more examples of shadowed domains (not exhaustive). The first three items were leveraged by this\r\nmalware campaign between 2017-2018.\r\ntrack.positiverefreshment[.]org\r\nconnect.clevelandskin[.]com\r\ntrack.amishbrand[.]com\r\nnatural.cpawalmyrivera[.]com\r\nactive.aasm[.]pro\r\nvacation.thebrightgift[.]com\r\nrituals.fashionediter[.]com\r\ncasting.faeryfox[.]com\r\nWe have also identified some domains that appear to be created specifically for SocGholish.\r\nclickanalytics208[.]com\r\neasycounter210[.]com\r\nadsprofitnetwork[.]com\r\nstatclick[.]net\r\nclickstat360[.]com\r\nsyncadv[.]com\r\nwebcachespace[.]net\r\ncachespace[.]net\r\nstaticvisit[.]net\r\nwebcachestorage[.]com\r\nAWS Cloud URLs instead of domain shadowing\r\nAn exception to this pattern of using domain shadowing has recently emerged, however.\r\nInstead of attackers using shadowed domains or their own domains, a small segment of injected scripts use this\r\nAWS cloud URL: 
hxxps://d2j09jsarr75l2.cloudfront[.]net/report?r=dj0xYTAyMDFiNTJkN2NhOTk5NzE1MyZjaWQ9MjY4\r\nAt this point, it’s not clear why attackers temporarily shifted to AWS URLs.\r\nLatest SocGholish Domains and IPs\r\nInitially, SocGholish operators weren’t changing their domains very often. But lately, we’ve seen attackers\r\nintroducing new domains on a weekly basis.\r\nHere are some of the domain names observed in SocGholish scripts found on infected sites from the past month\r\nalone.\r\nactive.aasm[.]pro/report\r\nactive.xomosagency[.]com/report\r\nactors.jcracing[.]com/report\r\namplifier.myjesusloves[.]me/report\r\nbaget.godmessaged[.]me/report\r\ncardo.diem-co[.]com/report\r\ncasting.faeryfox[.]com/report\r\ncats.johnbeach[.]us/report\r\ncenter.blueoctopuspress[.]com/report\r\ncigars.pawscolours[.]com/report\r\ncloud.bncfministries[.]org/report\r\ncommon.dotviolationsremoval[.]com/report\r\ncommunity.wbaperformance[.]com/report\r\nconnect.codigodebarra[.]co/report\r\ncruize.updogtechnologies[.]com/report\r\nd2j09jsarr75l2.cloudfront[.]net/report\r\ndesign.lawrencetravelco[.]com/report\r\nexpense.brick-house[.]net/report\r\ngenesis.ibgenesis[.]org/report\r\ngohnson.advanceditsolutionsaz[.]com/report\r\nhares.lacyberlab[.]net/report\r\nhavana.littlehavanacigarstore[.]com/report\r\nhemi.mamasbakery[.]net/report\r\nhope.point521[.]com/report\r\nhunter.libertylawaz[.]com/report\r\nmafia.carverdesigngroup[.]com/report\r\nmaster.ilsrecruitment[.]com/report\r\nmycontrol.alohaalsomeansgoodbye[.]com/report\r\nnatural.cpawalmyrivera[.]com/report\r\nnivea.dreamworkscdc[.]com/report\r\nperformer.stmhonline[.]com/report\r\npuzzle.tricityintranet[.]com/report\r\nquery.dec[.]works/report\r\nrecord.usautosaleslv[.]com/report\r\nrepublic.beboldskincare[.]com/report\r\nrituals.fashionediter[.]com/report\r\nsdk.expresswayautopr[.]com/report\r\nsecond.pmservicespr[.]com/report\r\n
stanley.planilla2021[.]com/report\r\ntraining.ren-kathybermejo[.]com/report\r\nvacation.thebrightgift[.]com/report\r\nwallpapers.uniquechoice-co[.]com/report\r\nwest.bykikarose[.]com/report\r\nHere is also a list of recent IP addresses for SocGholish hosts (stage 2):\r\n141.94.63.231\r\n141.94.63.238\r\n146.19.188.108\r\n153.92.223.141\r\n195.123.246.184\r\n23.140.176.43\r\n45.10.42.26\r\n45.10.43.78\r\n79.142.69.149\r\nEvolution of obfuscation techniques used in SocGholish scripts\r\nDuring the last 5 years, SocGholish’s JavaScript injection hasn’t changed much — although we have seen distinct\r\nwaves using different obfuscation techniques to hide the telltale strings.\r\nFirst known versions\r\nHere is an example of an injection used around 2017 – 2018.\r\nTypical SocGholish injection in 2017-2018\r\nIn this screenshot, you can see a bunch of obfuscated strings in green that look like gibberish. The decoding\r\nalgorithm is actually pretty simple — although it’s probably the most sophisticated when compared to newer\r\nvariations.\r\nTo recover the contents, you need to take every second character of the obfuscated string and then reverse the\r\nresult.\r\nFor example: if we take the “ss;w;o{d;nxi(W(” string and remove all odd-numbered characters we’ll get\r\n“swodniW”. After reversing it, we’ll get “Windows” — this malware is interested in users on Windows\r\ncomputers and Android devices. 
(For fun, you can try to decode “5d;ijo(rqd,nrA(” yourself).\r\nThe decoded URL of the SocGholish script that this particular sample loaded was:\r\nhxxps://track.amishbrand[.]com/s_code.js?cid=205\u0026v=c40bfeff70a8e1abc00f\r\nFurthermore, this particular variation of injection was used by many massive website infection campaigns,\r\nincluding the attacks following the infamous Drupalgeddon 2.\r\nBase64\r\nMoving ahead to 2021, the most common injection variation looked like this:\r\nTypical SocGholish injection with Base64 encoding\r\nThe only major difference from variants seen in 2018 is the string encoding algorithm. In this case, it’s simply\r\nBase64.\r\nFor example: “V2luZG93cw==” and “QW5kcm9pZA==” can be decoded to “Windows” and “Android”\r\nrespectively.\r\nThe decoded SocGholish script URL is hxxps://flowers.netplusplans[.]com/report?r=dj1lNTMyNTM4ZWM4Y2RiODExNmY0OCZjaWQ9MjU5\r\nAnd the decoded “r” URL parameter is “v=e532538ec8cdb8116f48\u0026cid=259”.\r\nThis SocGholish script variant can still be found on over 700 websites by querying PublicWWW.\r\nDouble Base64\r\nIn 2022, however, SocGholish introduced double Base64 encoding of their strings. Here’s an example of this\r\nvariant:\r\nSocGholish injection with double Base64-encoded strings\r\nDecoding the target “Windows” string requires an additional step:\r\n“VjJsdVpHOTNjdz09” ➔ “V2luZG93cw==” ➔ “Windows”\r\nIt’s interesting to note that in this variation, they no longer check for Android user agents, indicating that target\r\nobjectives have become solely Windows users.\r\nThe decoded URL in this sample is hxxps://hunter.libertylawaz[.]com/report?r=dj03MDgyZTc5ZmNhN2EwY2M2YjA3NCZjaWQ9MjYz. 
The decoded “r” parameter is\r\n“v=7082e79fca7a0cc6b074\u0026cid=263”.\r\nPublicWWW currently shows this variation of the script on over 560 sites.\r\nSkipping Odd-Numbered Characters\r\nThis summer, the obfuscation technique changed yet again.\r\nNow it resembles the original obfuscation seen 4-5 years ago, just a bit simpler. You need to remove every\r\nodd-numbered character from encoded strings without having to reverse them afterwards.\r\nTypical SocGholish injection in August 2022\r\nIn this sample found in August 2022, the word “Windows” is represented as 'yWsihnpdjokwxse'.\r\nThe SocGholish script URL is hxxps://amplifier.myjesusloves[.]me/report?r=dj0xYTAyMDFiNTJkN2NhOTk5NzE1MyZjaWQ9MjY4 and the decoded “r” parameter is\r\n“v=1a0201b52d7ca9997153\u0026cid=268”.\r\nWhile this obfuscation is less complex than the old 2018 version that included string reversal, it still has more\r\nbenefits for the SocGholish operators than the previous Base64 encodings. Base64-encoded strings never change\r\nand, as demonstrated above with PublicWWW queries, it’s easy to detect them.\r\nThis new obfuscation approach gives SocGholish operators more control over the obfuscated strings. Every time\r\nthey update the script to serve a new URL, they also rename all variables and randomly change the filler\r\ncharacters in odd-numbered positions.\r\nFor example, here are some variations of the encoded “Windows” string that can currently be found in SocGholish\r\nscripts:\r\n'vWjirnjdgoawcsu'\r\n'qWnionvdeowwusp'\r\n'qWdijnbdcoewysg'\r\n'eWmivnidbotwxsj'\r\n'yWsihnpdjokwxse'\r\n'wWnixnhdlodwysp'\r\n'kWhiynlddovwvsq'\r\nOther SocGholish variations\r\nThere are numerous other types of injections that eventually load SocGholish scripts, but I won’t be covering them\r\ntoday in this article. 
These variants can range from ultra-widespread NDSW/NDSX infections to less prominent\r\ncampaigns like the ones found injecting soendorg[.]top/jsquery.js scripts to serve the SocGholish payload.\r\nThe importance of securing your website against SocGholish\r\nThese SocGholish infections remind us of the responsibility website owners have to maintain a clean\r\nenvironment, along with the numerous dangers of website malware.\r\nJust a small piece of injected JavaScript code — which might be considered a mere nuisance for some webmasters\r\n— can lead to major business and operation disruptions if a person with access to corporate networks visits an\r\ninfected site and activates a download. Regular website visitors are also at risk, as SocGholish is known to install\r\nmalware that steals credentials from their online banks, cryptocurrency wallets, and social networks.\r\nUsers of our website monitoring services will be able to detect if their website has been infected with NDSW or\r\nSocGholish malware — and our alerting options will ensure timely response to any infection. However, since\r\nthere are multiple active campaigns that use a wide range of approaches to compromise and infect websites, I\r\ncan’t provide exact instructions on how to clean or secure your website against a SocGholish infection — but I\r\ncan offer general advice.\r\nThe most viable approach for webmasters is to decrease the attack surface at every possible opportunity. That\r\nincludes fully updating trusted software used in the environment, uninstalling unused or deprecated components\r\nand plugins, employing strong passwords, leveraging the principle of least privilege, and decluttering your\r\nservers. Equally important is monitoring your websites for malware and unwanted changes. 
Clean, fresh\r\nbackups of your website will help you restore your site even after the most complex hacks.\r\nWebmasters can refer to our website security guide on best practices to harden and protect a website against\r\ninfection. And as always, if you believe your site has been compromised and you need a hand, we’re always\r\nhappy to help.\r\nResources\r\nNew SocGholish Malware Variant Uses Zip Compression \u0026 Evasive Techniques\r\nNew Wave of SocGholish cid=27x Injections\r\nAnalysis of the Massive NDSW / NDSX Malware Campaign\r\nSiteCheck Mid-Year 2023 Report\r\nXjquery Wave of WordPress SocGholish Injections\r\nSource: https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html"
	],
	"report_names": [
		"socgholish-5-years-of-massive-website-infections.html"
	],
	"threat_actors": [
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "821d8858-a784-4ab2-9ecb-56c7afeed7d7",
			"created_at": "2023-11-21T02:00:07.403629Z",
			"updated_at": "2026-04-10T02:00:03.479942Z",
			"deleted_at": null,
			"main_name": "SilverFish",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverFish",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434818,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/962ad4dd487c3a44597fcae507458194c7a1d164.pdf",
		"text": "https://archive.orkl.eu/962ad4dd487c3a44597fcae507458194c7a1d164.txt",
		"img": "https://archive.orkl.eu/962ad4dd487c3a44597fcae507458194c7a1d164.jpg"
	}
}