{
	"id": "e0aa4f4d-188b-44b3-bd30-4e714b3c0b42",
	"created_at": "2026-04-06T00:09:05.350249Z",
	"updated_at": "2026-04-10T03:21:16.843526Z",
	"deleted_at": null,
	"sha1_hash": "d746d37f8923673b5745db6676cebd77a92b28af",
	"title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 912917,
	"plain_text": "SocGholish Diversifies and Expands Its Malware Staging\r\nInfrastructure to Counter Defenders\r\nBy Aleksandar Milenkoski\r\nPublished: 2022-11-07 · Archived: 2026-04-05 18:25:56 UTC\r\nExecutive Summary\r\nSince mid-2022, SocGholish operators have been significantly diversifying and expanding their\r\ninfrastructure for staging malware with new servers. This helps the operators to counter defensive\r\noperations against known servers and scale up their operation.\r\nSocGholish operators have been introducing on average 18 new malware-staging servers per month, with\r\nvarying server uptimes. This marks an increase of 334% relative to the same average calculated over the\r\nfirst half of 2022.\r\nThe majority of the new servers have been located in Europe, with the Netherlands, the United Kingdom,\r\nand France at the top of the list.\r\nOverview\r\nSocGholish is a JavaScript-based framework that threat actors have used to gain initial access to systems since\r\n2017. SocGholish uses social engineering to infect systems: it tricks users into running a malicious JavaScript\r\npayload that masquerades as a system or software update, such as a critical browser update.\r\nIn recent campaigns, SocGholish operators have infected legitimate websites by injecting a drive-by-download\r\nmechanism that triggers the download of the payload through a second-stage server. A recent notable example is\r\nthe infection of web assets of a media company used by multiple major news outlets.\r\nThe rate at which SocGholish operators infect websites to establish initial points of contact with victims is\r\nmassive, with reports of over 25000 newly infected websites since the beginning of 2022. 
We observe strong\r\nindications that SocGholish operators have been introducing new second-stage servers since mid-2022 at a very\r\nhigh rate as well.\r\nAttackers conduct a variety of activities after gaining access through SocGholish, such as system and network\r\nreconnaissance, establishing persistence, and deployment of additional tools and malware. This includes tools for\r\nremote access, such as Cobalt Strike and NetSupport, and ransomware, such as WastedLocker, which has been\r\nattributed to the threat actor EvilCorp.\r\nHow Does SocGholish Stage Malware?\r\nIn recent attack campaigns, SocGholish operators have infected legitimate websites by injecting malicious\r\nJavaScript code into them.\r\nhttps://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/\r\nPage 1 of 4\n\nInjected SocGholish JavaScript code\r\nThe JavaScript code loads another script from a second-stage server that triggers the download of the SocGholish\r\npayload, which in turn masquerades as a legitimate system or software update.\r\nThe SocGholish operators obfuscate the URL to the second-stage server using single or double Base64 encoding.\r\nFor example,\r\nYUhSMGNITTZMeTlvWlcxcExtMWhiV0Z6WW1GclpYSjVMbTVsZEM5eVpYQnZjblEvY2oxa2FqRnBUbXBKTUU5WFJtbE9WRlpwVDBSV\r\nThe string is encoded in Base64 twice and decodes to\r\n hxxps:\r\nThere are currently two forms of URLs to second-stage SocGholish servers in circulation:\r\n[domain]/s_code.js?cid=[number]\u0026v=[string]. 
For example,\r\n hxxp:\r\n[domain]/report?r=[string], such as\r\nhxxps:\r\nwhere the value of the query parameter r is a Base64-encoded version of the URL portion cid=[number]\u0026v=[string] mentioned above.\r\nPrevious research discusses the values of the cid and v query parameters in greater detail.\r\nSocGholish Diversifies and Expands Its Server Infrastructure\r\nWe observe that SocGholish operators have been introducing new second-stage servers since mid-2022 at a much\r\nhigher rate than before – on average 18 servers per month.\r\nOver the first half of 2022, the SocGholish operators introduced 21 servers, an average of only 3.5 servers per\r\nmonth. Between July and October 2022, they introduced 73 new second-stage servers. This marks an increase of\r\n334% relative to the same average calculated over the first half of 2022. The servers have been operational over\r\ntime periods of different lengths spanning days, weeks, and months.\r\nNew SocGholish servers since mid-2022\r\nIn addition to scaling up the malware staging operation, introducing new second-stage servers helps SocGholish\r\noperators to counter defensive operations against known servers. 
This includes detection of network traffic to\r\nknown servers as well as follow-up actions, such as denylisting the servers at endpoint- or network-level.\r\nFrom a geographical perspective, the majority of the new servers have been located in Europe, with 28 out of 73\r\nservers being hosted in the Netherlands.\r\nGeographical distribution of the second-stage servers introduced since July 2022\r\nWe note that many of the servers are hosted at shadowed domains: attacker-created subdomains under\r\ncompromised legitimate domains. Domain shadowing allows the SocGholish operators to abuse the benign\r\nreputations of the compromised domains and make detection more difficult.\r\nA recent exception to the use of domain shadowing is a second-stage server hosted on the Amazon Web Services\r\ndomain d2j09jsarr75l2[.]cloudfront.net. It remains to be seen whether the use of public cloud infrastructure\r\nbecomes a SocGholish trend.\r\nGiven the global impact of SocGholish, our observations are based on analyzing retrospective data (centered\r\naround URLs in the forms mentioned above) from the global submission-based databases urlscan.io and\r\nVirusTotal.\r\nConclusion\r\nSocGholish has been active since 2017. 
In 2022, SocGholish operators continue to infect websites at a massive\r\nscale and have been significantly expanding and diversifying their malware staging infrastructure since mid-2022.\r\nThe success of SocGholish in persisting on the threat landscape emphasizes the importance of regularly auditing\r\nthe security posture and integrity of web servers, websites, and DNS records to detect and protect against website\r\ninfections and domain shadowing.\r\nSource: https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/"
	],
	"report_names": [
		"socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders"
	],
	"threat_actors": [],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d746d37f8923673b5745db6676cebd77a92b28af.pdf",
		"text": "https://archive.orkl.eu/d746d37f8923673b5745db6676cebd77a92b28af.txt",
		"img": "https://archive.orkl.eu/d746d37f8923673b5745db6676cebd77a92b28af.jpg"
	}
}