{
	"id": "954a02f0-c221-4238-b1b8-577180c4d8c5",
	"created_at": "2026-04-06T00:18:33.01748Z",
	"updated_at": "2026-04-10T13:12:19.641276Z",
	"deleted_at": null,
	"sha1_hash": "d47270843f5493c8474375a38a6ddef1eff43b26",
	"title": "Threat hunting case study: SocGholish",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1552839,
	"plain_text": "Threat hunting case study: SocGholish\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 18:05:35 UTC\r\nSocGholish is an ongoing malware campaign that started around 2017 and involves the distribution of malware via hacked websites. These trusted sites, which surface organically in search results, are selected so as to not raise suspicions and are used to trick users into downloading and installing malware disguised as legitimate software. SocGholish attackers have also been known to use domain shadowing, which involves compromising domain registrar accounts and creating subdomains that they then incorporate into their attack chains. Again, this technique piggybacks on the trust in the main domain.\r\nThe SocGholish malware often poses as a browser update. When users visit sites that have been compromised, they are prompted to install the update. A recent campaign warned a victim that they were using an older version of Microsoft’s Edge browser. The malware is delivered using a convoluted infection chain designed to thwart security checks that might otherwise stop the malware. This can involve JavaScript, PowerShell and the use of compressed (ZIP) files. Delivery typically requires user interaction, such as clicking on a file. The attacker can then move to install a secondary payload. In the past, those payloads have ranged from WastedLocker ransomware to Cobalt Strike, the post-exploitation framework used by both attackers and red teams.\r\nAn illustration of the steps that lead to a SocGholish infection.\r\nAs part of distributing SocGholish at scale, its operators have used a sophisticated traffic distribution and redirecting system called Keitaro. It is intended for advertisers to optimize campaigns by being able to funnel users to different kinds of content based on their location, browser type or device. Advertisers do this to create more conversions. 
Malware operators use it for the same purpose: increasing the likelihood of successful infections while attempting to mask campaigns from threat researchers. This sophisticated approach to victim selection showcases a strategic effort to optimize impact and financial returns. By concentrating on targets that are more likely to pay ransom or where sensitive data can be exploited, SocGholish’s operators exhibit a deep understanding of the value of their potential victims.\r\nhttps://intel471.com/blog/threat-hunting-case-study-socgholish\r\nPage 1 of 6\n\nSocGholish infections have been primarily linked to the threat actor group Evil Corp, aka Mustard Tempest, DEV-0206, TA569 and UNC1543. Members of this organized crime group were sanctioned by the U.S. in 2019 and by the U.S., Australia and the U.K. in 2024, while other alleged members have been indicted (Maksim Yakubets and Aleksandr Ryzhenkov). The group has long-running cybercrime links going back to the Zeus and Dridex banking malware programs and has been involved in money laundering and ransomware. The SocGholish campaigns are designed to gain initial access to a steady supply of computers that can then be monetized in other ways, whether through data theft from those machines or ransomware. The campaigns have a significant reach. In one example, we identified a SocGholish campaign from October 2024 that generated more than 1.5 million interactions in a one-week period.\r\nWe can threat hunt to uncover signs of possible SocGholish infections and remove malware before systems are exploited further. Intel 471 has written several hunt packages for our HUNTER471 threat hunting platform, which can help security teams proactively detect possible malicious behavior. 
What follows is an example of how a technique commonly used by SocGholish operators can be detected.\r\nTask Scheduler (formerly known as Scheduled Tasks) is a native Windows binary that allows administrators to schedule various actions when certain conditions have been met, such as starting an application after the system has been rebooted. Attackers often abuse schtasks.exe to ensure their malware executes or is persistent, and it is one of the techniques listed in MITRE ATT\u0026CK, the catalog of attacker tactics, techniques and procedures (TTPs). Many malware campaigns and their accompanying threat groups use this technique, including SocGholish, GootLoader (see: “Threat hunting case study: Tracking down GootLoader”), Spectre remote access tool (RAT), NetSupport RAT, Lumma information-stealing (infostealer) malware and the ransomware groups MedusaLocker, Nokoyawa, Quantum and LockBit 3.0.\r\nRather than allow a malicious scheduled task to execute from the normal Windows directory, attackers often place it elsewhere in the file system to make it more difficult to find. Uncovering a scheduled task from an abnormal location can be a clue to a possible malware infection, and we can conduct a structured hunt for this behavior.\r\nFirst, we can often find evidence of a new scheduled task in Windows event logs if that level of auditing is enabled. Event code 4698 captures this and lists the task name, command used and task arguments, which are the most interesting artifacts that can inform the threat hunt. Another avenue with which to find malicious scheduled tasks is through process-creation event codes such as 4688, the native Windows event logging code for creating a new process. System Monitor (Sysmon) users will capture the same activity, and endpoint detection and response (EDR) security solutions may also record this activity. 
Additionally, adversaries may create a scheduled task through the command line or a scripting interpreter such as PowerShell, offering another hunting opportunity to detect those commands an adversary ran. Now, let’s go to the hunt package in HUNTER471.\r\nA HUNTER471 hunt package that looks for scheduled tasks executing from abnormal locations.\r\nScrolling down, we can see a description of the hunt package:\r\nThis hunt package is designed to capture activity associated with a scheduled task which includes abnormal locations in its details for execution. This is often a mark of persistence or malicious tasks created by malware or attackers.\r\nPersistence is one of the reasons attackers abuse scheduled tasks, but there are other methods used. Sometimes, attackers will create a scheduled task, use it to run arbitrary code and then have it delete itself. This behavior could indicate the second or third stage of an attack. These are the type of aspects that should be considered when looking at artifacts of living-off-the-land binaries, which are native Windows tools that are used by attackers to avoid detection.\r\nThe query logic table of this threat hunt, as seen below, broadly explains its aim. In this case, we can see a series of values. These locations may not necessarily be abnormal for your environment but are good starting points. Often, these locations come from past intelligence and data forensics reports describing adversary activity. The Users\\Public\\ directory is constantly abused by adversaries, as well as \\Perflogs\\, which is short for Performance Logs, log files stored by Windows. “ProgramData” is used to store application data.\r\nThe query logic for uncovering scheduled tasks in abnormal locations.\r\nLet’s start hunting. 
This threat package covers numerous EDR and security information and event management (SIEM) systems: CarbonBlack Cloud - Investigate, CarbonBlack Response, CrowdStrike, CrowdStrike LogScale, Elastic, Microsoft Defender, Microsoft Sentinel, Palo Alto Cortex XDR, QRadar Query, SentinelOne, Splunk, Tanium, Tanium Signal and Trend Micro Vision One.\r\nWe will conduct two different hunts, with the first using Sysmon logs. This query looks for scheduled tasks executing from abnormal locations using command-line arguments.\r\nA threat hunt query using Sysmon logs looking for scheduled tasks executed from abnormal locations using command-line arguments.\r\nIn the results, we can see that a username exists, and we see the attacker had system-level privileges and ran “schtasks.exe.” We can also see the parent process was “command.exe.” Scrolling all the way to the right, we can see the process command line contains the artifacts we’re looking for.\r\nA screenshot showing the command-line arguments related to a scheduled task event in Windows.\r\nWe see the task name, TN, is “Update.” The task requirements point to the user’s public directory and a bat file. That file is scheduled to run every 10 minutes at the highest privileges. It’s unclear at this point if the bat file is malicious, but since it meets the parameters of odd behavior, it’s worth investigating further.\r\nWe can also hunt another way using the scheduled task telemetry. If those command-line arguments above were successful, we should also be able to tie those to event code 4698. In this hunt, we’ll switch to running a command-line telemetry query in Splunk.\r\nA query hunting for certain command-line events in Splunk.\r\nUnder the heading “New Search” is the query, which looks for event code 4698. 
The query is written to extract the events of interest from the message field, including taskName, taskCommand and taskArguments. We can see the results are the same as the first query, showing a scheduled task involving the “1.bat” file. Whether you start from either query, you'll find the same artifacts if the command-line argument was successful and the scheduled task was created.\r\nWe hope this tutorial has been useful. A video version is available here. For more threat hunting content related to the Evil Corp group, see our blog \"Threat hunting case study: Looking for Evil Corp.\" Register for a HUNTER471 Community Account, which contains sample free hunt packages along with a comprehensive library of advanced threat hunting packages, detailed analyst notes and proactive recommendations. These resources are designed to strengthen your threat hunting capabilities and keep your organization secure. Happy hunting!\r\nSource: https://intel471.com/blog/threat-hunting-case-study-socgholish",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intel471.com/blog/threat-hunting-case-study-socgholish"
	],
	"report_names": [
		"threat-hunting-case-study-socgholish"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d47270843f5493c8474375a38a6ddef1eff43b26.pdf",
		"text": "https://archive.orkl.eu/d47270843f5493c8474375a38a6ddef1eff43b26.txt",
		"img": "https://archive.orkl.eu/d47270843f5493c8474375a38a6ddef1eff43b26.jpg"
	}
}