{
	"id": "a6bf0786-000e-4884-8a37-65ccf17d5c36",
	"created_at": "2026-04-06T00:18:34.702633Z",
	"updated_at": "2026-04-10T03:27:57.406543Z",
	"deleted_at": null,
	"sha1_hash": "d8b2d8bb3c3cbe4184fe6d205ea369dbeb1b4bab",
	"title": "SocGholishs Intrusion Techniques Facilitate Distribution of RansomHub Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6756124,
	"plain_text": "SocGholishs Intrusion Techniques Facilitate Distribution of\r\nRansomHub Ransomware\r\nPublished: 2025-03-14 · Archived: 2026-04-05 19:04:16 UTC\r\nSummary\r\nThe complex intrusion set Water Scylla is composed of multiple stages that involves compromised\r\nwebsites, collaboration with threat actors operating malicious Keitaro TDS instances, SocGholish payload\r\ndelivery, and post-compromise activity that leads to RansomHub. As of the start of 2025, SocGholish\r\ndetections have been highest in the United States, with government organizations among the most affected.\r\nSocGholish is characterized by its obfuscated JavaScript loader, which uses various evasion techniques to\r\nbypass traditional detection methods, primarily propagating through compromised legitimate websites.\r\nBy infecting legitimate websites with malicious scripts, threat actors redirect visitors to fake browser\r\nupdate notifications, convincing them to download and execute a malicious file.\r\nWater Scylla collaborates with threat actors operating rogue Keitaro Traffic Distribution System (TDS)\r\ninstances to distribute SocGholish Payloads.\r\nThe SocGholish loader can download and execute malicious payloads, exfiltrate sensitive data, and execute\r\narbitrary commands, providing persistent access for further exploitation and payload deployment.\r\nDeploying extended detection and response solutions, hardening endpoints, enhancing logging and\r\nnetwork monitoring, using web reputation services, securing CMS and web applications, and retiring or\r\nisolating end-of-life systems are essential to protecting enterprises from SocGholish intrusions and\r\nsubsequent ransomware attacks on businesses.\r\nFirst observed in 2018, Trend Research has been closely monitoring the activities of the SocGholish – also known\r\nas FakeUpdates – malware-as-a-service (MaaS) framework. 
This particular intrusion set is tracked by Trend Micro\r\nunder the name Water Scylla, whose activities lead to RansomHub ransomware deployment.\r\nSocGholish is characterised by its highly obfuscated JavaScript loader, which employs a range of evasion\r\ntechniques that enable it to bypass traditional signature-based detection methods effectively.\r\nThe primary method of propagation for SocGholish involves the compromise of legitimate websites. Threat actors\r\ninject malicious scripts into these sites to hijack user traffic. When users visit these compromised sites, they are\r\nredirected to deceptive webpages that masquerade as legitimate browser update notifications. Through social\r\nengineering tactics, users are convinced to download a malicious ZIP file. This file contains a JavaScript file,\r\nwhich is the SocGholish loader.\r\nThis blog entry focuses on a cluster that deploys backdoor components to enable initial access for RansomHub\r\nransomware-as-a-service (RaaS) affiliates. RansomHub is a top ransomware player in terms of the number of\r\norganisations impacted by data breaches, just behind Akira in second place and CL0P in first, and SocGholish is a\r\nkey enabler of these attacks.\r\nhttps://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html\r\nPage 1 of 24\n\nSocGholish’s key role in enabling initial access for ransomware warrants the attention of defenders to thwart\r\nattacks. The primary objective of SocGholish is to drop second-stage payloads, which include backdoor\r\ncomponents. These backdoors provide threat actors with persistent access to infected systems, facilitating further\r\nexploitation and payload deployment.\r\nSocGholish's loader is highly versatile and capable of executing arbitrary tasks as directed by its operators. 
It can:\r\nDownload and execute malicious payloads: This includes backdoor components and stealer routines.\r\nExfiltrate sensitive information: It collects and sends data from infected systems back to its command-and-control (C\u0026C) infrastructure.\r\nExecute arbitrary commands: This allows threat actors to perform a wide range of malicious activities on the\r\ncompromised system.\r\nSince the start of the year, SocGholish detections have been highest in the US, followed by Japan, then Taiwan.\r\nGovernment entities top the list of most affected organizations, with those in the banking and consulting industries\r\ncoming in second and third, respectively. The persistent and evasive nature of SocGholish highlights its critical\r\nrole in the initial stages of ransomware attacks. This underscores the need for heightened awareness and robust\r\ncybersecurity measures to identify and mitigate such threats effectively.\r\nInitial access and execution\r\nThe primary mechanism for SocGholish distribution involves several components.\r\n1. A compromised website injected with a malicious script (T1608.004 - Drive-by Target)\r\n2. A rogue Keitaro TDS instance (a commercial traffic distribution system) that delivers SocGholish and filters\r\nunwanted traffic from sandboxes and researchers\r\n3. A fake update page to lure victims and serve the payload\r\n4. The ZIP file containing the SocGholish JavaScript payload\r\nFigure 1. SocGholish delivery flow from compromised website to payload delivery\r\nFigure 2. Malicious JavaScript injected into a compromised website\r\nFigure 3. 
Malicious script served by rogue Keitaro instances leading to SocGholish\r\nThreat actor-operated Keitaro TDS instances\r\nWater Scylla collaborates with threat actors who operate rogue Keitaro Traffic Distribution System (TDS) servers\r\n(Figure 4) for the purpose of delivering FakeUpdate pages with the SocGholish payload.\r\nFigure 4. Threat actor-operated Keitaro TDS instances\r\nTrend Micro telemetry from 2025 alone has identified thousands of compromised websites injected with scripts\r\npointing to these malicious TDS domains, which may lead to SocGholish infections depending on the geolocation\r\nof the visitor. Figure 5 below highlights the scale of these compromises, which hijack users and facilitate malware\r\ndelivery.\r\nFigure 5. Number of threat actor compromised websites redirecting to rogue Keitaro TDS instances\r\nAmong the most frequently used TDS domains, “blackshelter[.]org” has at least 1,297 compromised websites\r\nredirecting to it, followed by “rednosehorse[.]com” with 932 and “newgoodfoodmarket[.]com” with 550.\r\nInitial execution\r\nWhen the user opens the JavaScript file (Figure 7) (T1204.002: User Execution: Malicious File), Windows\r\nScripting Host (wscript.exe) (T1059.007: Command and Scripting Interpreter: JavaScript) executes the loader,\r\nwhich proceeds to collect several pieces of information about the endpoint, as shown in Table 1. This information\r\nis sent to the C\u0026C server to profile the environment (Figure 6).\r\nFigure 6. 
SocGholish loader – initial automated environment profiling\r\nArtefact – Description\r\nScriptFullName: The full path of the script being executed\r\nComputerName: The name of the computer\r\nUserName: The currently logged-in user\r\nUserDomain: The domain of the user\r\n%userdnsdomain%: The DNS domain of the user via the environment variable UserDnsDomain\r\nWin32_ComputerSystem.Manufacturer: The manufacturer of the computer\r\nWin32_ComputerSystem.Model: The model of the computer\r\nWin32_BIOS.Version and Win32_BIOS.SerialNumber: A concatenation of BIOS version and serial number\r\nAntiSpywareProduct.displayName: The name of the installed antispyware products\r\nAntiVirusProduct.displayName: The name of the installed antivirus products\r\nMACAddress: The MAC address of the network adapter\r\nWin32_Process.Name: The names of the running processes\r\nWin32_OperatingSystem.BuildNumber: The build number of the operating system\r\nTable 1. Information collected by the SocGholish loader during environment profiling\r\nFigure 7. Trend Micro Vision One™ Root Cause Analysis (RCA) showing the execution of the\r\nJavaScript file\r\nCommand and control, defense evasion\r\nOur investigation identified dozens of tasks sent by the C\u0026C server to be executed by the loader. They range from\r\nreconnaissance commands to the deployment of backdoor components, to data exfiltration.\r\nTask execution is supported by helper functions. Such functions include:\r\n1. A deobfuscation function to extract every third character from a string (Figure 8)\r\na. 
Two strings related to the MSXML2.XMLHTTP ActiveXObject are deobfuscated by this function,\r\nlikely to evade scanning of content by the Antimalware Scan Interface (AMSI) (T1027.013:\r\nEncrypted/Encoded File)\r\ni. odkpjpehwnww = open\r\nii. swneqhnuedjy = send\r\nFigure 8. A deobfuscation function to extract every third character from a string\r\n2. A function to send data to the C\u0026C server (Figure 9)\r\na. Contains obfuscated function names belonging to ActiveXObject('MSXML2.XMLHTTP'), which\r\nare deobfuscated by the preceding ‘alfh’ function\r\nFigure 9. Function to send data to the C\u0026C server\r\n3. A function to read a file from disk and then delete it (Figure 10) (T1070.004: Indicator Removal on Host:\r\nFile Deletion)\r\nFigure 10. Function to read a file from disk and then delete it\r\n4. A function to generate a temporary file path (Figure 11) (T1074.001: Data Staged: Local Data Staging)\r\nFigure 11. A function to generate a temporary file path\r\n5. A function to execute a command and capture the output from it (Figure 12) (T1059.003: Command and\r\nScripting Interpreter: Windows Command Shell)\r\nFigure 12. A function to execute a command and capture the output from it\r\nTask execution\r\nWhile SocGholish is running, it beacons to the C\u0026C server. Tasks are subsequently sent to SocGholish, which are\r\nthen executed by the loader. Each time a task is executed, the resulting output is piped to a temporary file and\r\nsent back to the C\u0026C server.\r\nThe malicious tasks are executed in this order:\r\n1. Discovery and reconnaissance tasks\r\n2. Credential access followed by exfiltration tasks\r\n3. Backdoor deployment and persistence tasks\r\n4. Reverse shell deployment tasks\r\n5. 
Follow-on reconnaissance tasks and tasks to download and execute NIRCMD to collect a screenshot\r\nDiscovery tasks\r\nThe discovery tasks (Figure 13) are as follows:\r\n1. Execute a PowerShell command to list the contents of the APPDATA Microsoft Signatures directory\r\n(T1059.001: Command and Scripting Interpreter: PowerShell)\r\n2. Execute the net command to list domain users (T1087.002: Account Discovery: Domain Account)\r\n3. Execute the nltest command to list domain trusts (T1482: Domain Trust Discovery)\r\n4. Execute an Active Directory Service Interfaces (ADSI) query via a PowerShell command to retrieve AD\r\ninformation and interact with objects (T1069.002: Permission Groups Discovery: Domain). The ADSI command will retrieve:\r\na. Usernames\r\nb. User emails\r\nc. List Windows 2003 servers\r\nd. List all servers\r\ne. Get the DNS hostnames of computers\r\nFigure 13. SocGholish discovery tasks\r\nCommand and control - backdoor deployment tasks\r\nThe following tasks were executed to deploy a Python-based backdoor in the compromised environment to gain\r\npersistent access and relay connections from the attacker-controlled server to machines inside of the compromised\r\nenvironment. We attribute this activity to RansomHub affiliates, where it is used by threat actors for command and\r\ncontrol, data exfiltration and ransomware deployment.\r\nThe tasks (Figure 14) are as follows:\r\n1. Download and install Python 3.12 (T1059.006: Command and Scripting Interpreter: Python)\r\n2. Install Python PIP\r\n3. Install dependencies and list the directory contents\r\n4. 
Create a scheduled task to achieve persistence (T1053.005: Scheduled Task/Job: Scheduled Task)\r\nFigure 14. Command and control - Python backdoor deployment tasks\r\nThe file pypa.py is a Python proxy client obfuscated with pyobfuscate (Figure 15).\r\nFigure 15. Obfuscated Python backdoor\r\nIt contains a hardcoded IP address and port for the RansomHub-associated C\u0026C server (T1095 Non-Application Layer Protocol) (Figure 16). This is a change from previous versions of this malicious script, which\r\naccepted the IP address and port as command line arguments.\r\nFigure 16. Deobfuscated Python backdoor – C\u0026C configuration\r\nThe purpose of the backdoor is to create a connection to the hardcoded C\u0026C server and listen for commands\r\nfrom the attackers. Commands are connection commands, with supported targets in the format of an IP address or\r\na domain.\r\nThe start_transferring function, shown in Figure 17, unpacks the connection commands sent from the attacker\r\nserver and creates connections to the target inside of the compromised environment – effectively allowing threat\r\nactors to connect to any host (internal or on the internet) with a route from the compromised host.\r\nFigure 17. Python backdoor – start_transferring function\r\nCredential access and exfiltration tasks\r\nIn order to gather as much sensitive browser data as possible, the threat actors search for both default and\r\nadditional browser profiles - where the contents of browser stores are exfiltrated. Notably, app-bound encryption\r\nkeys are extracted from browsers – in a likely effort to access encrypted-at-rest credentials located in browser\r\nstores. 
The impact of these tasks is the theft of sensitive credentials, leading to a potential broader compromise of\r\nbusiness and personal accounts.\r\nThe following tasks (Figures 18-21) were observed carrying out this behavior:\r\n1. Copy Microsoft Edge login data to a specified location (T1555.003 Credentials from Password Stores:\r\nCredentials from Web Browsers)\r\n2. Copy Google Chrome login data to a specified location (T1555.003 Credentials from Password Stores:\r\nCredentials from Web Browsers)\r\n3. Upload binary file \u003credacted\u003eedg.bin, which contains sensitive information including credentials, to server\r\n(T1041: Exfiltration Over C2 Channel)\r\n4. Upload binary file \u003credacted\u003echr.bin, which contains sensitive information including credentials, to server\r\nFigure 18. Credential access and exfiltration tasks (1-4)\r\n5. Extract app_bound_encrypted_key from Edge Local State\r\n6. Extract app_bound_encrypted_key from Chrome Local State\r\nFigure 19. App Bound Encryption Key extraction\r\n7. List contents of Chrome user folder (to identify other browser profiles)\r\n8. List contents of Chrome User Data folder\r\nFigure 20. SocGholish login data discovery commands\r\n9. Exfiltrate the data extracted from additional user profiles to the SocGholish C\u0026C server\r\nFigure 21. Browser credential data exfiltration\r\nAdditionally, it was observed that the attacker utilized the certutil utility to extract the registry hives (SAM,\r\nSECURITY, SYSTEM) from a Volume Shadow Copy, saving the content to the %PROGRAMDATA% folder into\r\nfiles named s*1.txt, where * represents the identifier for the specific hive dumped (Figures 22-24). 
(T1003.002 OS\r\nCredential Dumping: Security Account Manager, S0160: certutil, T1006: Direct Volume Access)\r\nFigure 22. Trend Vision One logs the extraction of the SAM hive from a Volume Shadow Copy via\r\ncertutil.exe\r\nFigure 23. Trend Micro Vision One logs the extraction of the SECURITY hive from a Volume\r\nShadow Copy via certutil.exe\r\nFigure 24. Trend Micro Vision One logs the extraction of the SYSTEM hive from a Volume Shadow\r\nCopy via certutil.exe\r\nSSH reverse shell with port forwarding deployment\r\nMultiple tasks were executed to deploy a reverse shell that’s likely related to RansomHub for the purpose of\r\ncommand and control (T1572 Protocol Tunneling), and data exfiltration (T1041: Exfiltration Over C2 Channel)\r\n(Figure 25).\r\nThe tasks are as follows:\r\n1. List the contents of OpenSSH in the System32 directory\r\n2. Deploy a scheduled task to create the SSH reverse shell with remote port forwarding (-R) (T1021.004:\r\nRemote Services: SSH)\r\n3. A one-time execution of the scheduled task was performed to launch the reverse shell\r\nFigure 25. SSH reverse shell with port forwarding deployment\r\nHands-on keyboard interaction\r\nThe timing of these commands (Figures 26-30), along with the duplication of task execution and execution of a\r\ncommand with a syntax error, suggests that this phase involved manual hands-on keyboard interaction.\r\n1. Execute the systeminfo command to collect detailed information about the host (T1082: System Information\r\nDiscovery).\r\n2. Execute the ipconfig /all command to collect detailed network information about the host (T1016: System\r\nNetwork Configuration Discovery)\r\n3. Get members of the local administrators group (T1069.001: Permission Groups Discovery: Local Groups)\r\n4. List network shares (T1135: Network Share Discovery).\r\n5. 
Get account policies (T1201: Password Policy Discovery).\r\n6. List user directories on the machine (T1083: File and Directory Discovery).\r\nFigure 26. Hands-on keyboard interaction – enumeration tasks\r\n7. Entered an erroneous command – net use \u003cusername\u003e /domain (T1087.002 Account Discovery: Domain\r\nAccount)\r\n8. Retrieve domain user information (T1069.002: Permission Groups Discovery: Domain Groups).\r\n9. Search for files containing the string ‘pass’ (looking for files containing credentials) (T1083: File and\r\nDirectory Discovery, T1552.001 Unsecured Credentials: Credentials In Files).\r\nFigure 27. Further hands-on keyboard interaction tasks (7-10)\r\n10. Extract Wi-Fi profiles (SSID and key) (T1602.002: Data from Local System: Passwords from Wireless\r\nNetworks).\r\nFigure 28. Wi-Fi profile extraction\r\n11. Download and execute NIRCMD (T1105: Ingress Tool Transfer)\r\n12. Send screenshot to C\u0026C server\r\nFigure 29. Exfiltration of screenshot\r\nFigure 30. Downloading and executing NirCmd to take a screenshot\r\nThe attacker also utilized the SMB protocol (T1021.002: Application Layer Protocol: SMB/Windows Admin\r\nShares) to connect to multiple hosts in the network using compromised credentials (T1078: Valid Accounts).\r\nSubsequently, a BAT file was transferred into the %PROGRAMDATA% folder of the remote hosts. 
Additionally,\r\na scheduled task was created to execute the BAT file every two hours on the remote hosts (Figure 31). However,\r\nthe task and the file were deleted a few seconds later after being forcibly executed by the adversary.\r\nFigure 31. Trend Vision One logs the creation of the scheduled task which executes a BAT file\r\nevery two hours on the remote hosts\r\nAlthough the file itself was unavailable, the telemetry available on the host indicates that the batch file attempted\r\nto extract encrypted keys from the Local State files associated with the Microsoft Edge and Google Chrome\r\nbrowsers and save the results in the %PROGRAMDATA% folder as a *.log file.\r\nThe attacker manually searched for image files saved on the host and targeted files with names that potentially\r\nindicated they contained credentials related to cloud management services.\r\nTactic | Technique | Reference\r\nTA0042 Resource Development | T1608.004 Drive-By Target | In preparation for SocGholish delivery, threat actors compromise websites and inject malicious code to hijack visitor traffic and redirect users to FakeUpdates pages serving SocGholish\r\nTA0002 Execution | T1204.002 Malicious File | Actors rely on users to launch a malicious JavaScript file to gain execution\r\nTA0002 Execution | T1059.007 Command and Scripting Interpreter: JavaScript | SocGholish uses JavaScript to execute malicious code with wscript.exe\r\nTA0002 Execution | T1059.003 Command and Scripting Interpreter: Windows Command Shell | SocGholish tasks are executed via Windows Command Shell (cmd.exe)\r\nTA0002 Execution | T1059.001 Command and Scripting Interpreter: PowerShell | SocGholish uses PowerShell to run reconnaissance commands and deploy backdoors\r\nTA0002 Execution | T1059.006 Command and Scripting Interpreter: Python | Threat actors deploy a Python-based backdoor to proxy external connections to internal information assets\r\nTA0005 Defense Evasion | T1027.013 Obfuscated Files or Information: Encrypted/Encoded File | SocGholish uses heavy code obfuscation to make static file detection more challenging for defenders\r\nTA0005 Defense Evasion | T1070.004 Indicator Removal: File Deletion | SocGholish contains code to delete evidence of malicious C\u0026C server task execution from disk\r\nTA0005 Defense Evasion | T1006 Direct Volume Access | Threat actors abuse certutil.exe to read from Volume Shadow Copies to access sensitive data stored by the Security Accounts Manager (SAM)\r\nTA0009 Collection | T1074.001 Data Staged: Local Data Staging | SocGholish tasks output data to a temporary directory generated by a function in the loader prior to exfiltration\r\nTA0007 Discovery | T1069.001 Permission Groups Discovery: Local Groups | SocGholish tasks were executed to determine the local administrators group membership\r\nTA0007 Discovery | T1087.002 Account Discovery: Domain Account | SocGholish tasks are used to gather information about domain accounts\r\nTA0007 Discovery | T1082 System Information Discovery | SocGholish tasks obtain detailed information about the environment during the initial loader execution and through the execution of the systeminfo command\r\nTA0007 Discovery | T1482 Domain Trust Discovery | SocGholish tasks execute nltest to gather information about domain trust relationships\r\nTA0007 Discovery | T1069.002 Permission Groups Discovery: Domain Groups | SocGholish tasks are executed to discover domain-level groups and permissions\r\nTA0007 Discovery | T1016 System Network Configuration Discovery | SocGholish tasks executed the ipconfig /all command to gather network configuration and settings\r\nTA0007 Discovery | T1135 Network Share Discovery | SocGholish tasks were executed to identify shared drives\r\nTA0007 Discovery | T1083 File and Directory Discovery | Adversaries executed the dir command to discover sensitive files and explore user directories\r\nTA0003 Persistence | T1053.005 Scheduled Task/Job: Scheduled Task | A scheduled task is used to achieve persistence with the Python-based backdoor\r\nTA0011 Command and Control | T1095 Non-Application Layer Protocol | The Python-based backdoor establishes a TCP connection towards an external host for the purpose of relaying connections to internal assets in the compromised environment\r\nTA0011 Command and Control | T1572 Protocol Tunneling | Threat actors use SSH to proxy communications from an external C\u0026C server\r\nTA0011 Command and Control | T1105 Ingress Tool Transfer | Adversaries executed SocGholish tasks to download tools such as NIRCMD.exe to collect screenshots from the compromised environment\r\nTA0006 Credential Access | T1555 Credentials from Password Stores | Adversaries abuse netsh wlan show profiles to extract sensitive information about wireless network configurations\r\nTA0006 Credential Access | T1555.003 Credentials from Password Stores: Credentials from Web Browsers | SocGholish tasks are executed to copy and exfiltrate credentials from web browser password stores\r\nTA0006 Credential Access | T1003.002 Security Account Manager | Threat actors abuse certutil.exe to read from Volume Shadow Copies to access sensitive data stored by the Security Accounts Manager (SAM)\r\nTA0006 Credential Access | T1552 Unsecured Credentials: Credentials In Files | Adversaries searched for files with the string ‘pass’ in the name\r\nTA0010 Exfiltration | T1041 Exfiltration Over C2 Channel | SocGholish exfiltrates stolen data including credentials, screenshots and outputs from reconnaissance commands to its C\u0026C server\r\nTA0008 Lateral Movement | T1021.002 Remote Services: SMB/Windows Admin Shares | Adversaries used valid accounts to access the SMB protocol to compromise hosts in the network\r\nSocGholish infrastructure\r\nOur most recent tracking of SocGholish C\u0026C 
infrastructure shows 18 active C\u0026C servers, whose domains are\r\nrotated at least once per week – with some fluctuations in the frequency of domain rotation (Figure 32). Fresh\r\ndomains may lead to a higher infection success rate.\r\nSocGholish operators use compromised domains for C\u0026C infrastructure, where a new subdomain is specifically\r\ncreated by the threat actors for use with SocGholish. This technique, known as domain shadowing, is desirable\r\nfrom a threat actor perspective, because it enables them to leverage the reputation of more mature domains which\r\nare less likely to be blocked by automated detection systems.\r\nFigure 32. SocGholish C\u0026C infrastructure\r\nRansomHub infrastructure\r\nAs the objective of this cluster is to enable initial access for RansomHub, our intelligence teams have\r\ncontinuously tracked the malicious infrastructure as it is deployed for use in the post-SocGholish infection phase\r\n(Figure 33). We identified 22 IP addresses across a diverse range of Autonomous Systems (ASNs), predominantly\r\nlocated in the US, with just two located in the Netherlands and Germany, respectively.\r\nFigure 33. 
RansomHub python backdoor - C\u0026C server infrastructure\r\nSecurity recommendations\r\nSecurity and incident response teams must urgently address SocGholish infections as critical events and invoke\r\nincident response procedures to rapidly mitigate the impact of its malicious activity like backdoor deployment,\r\nunauthorized access to sensitive data, lateral movement, data exfiltration, and ransomware-driven data destruction.\r\nDefenders should also apply the following best practices:\r\nDeploying security operations solutions to rapidly identify, disrupt and correlate malicious activities such\r\nas those used in attacks with SocGholish\r\nReducing the attack surface for script-based malware like SocGholish by:\r\nHardening endpoints and servers by blocking suspicious Windows Scripting Host (wscript.exe) and\r\nPowerShell execution through policy-based controls like group policy objects\r\nTrend Vision One customers can apply “Attack Surface Reduction” by ensuring that “Behavior\r\nMonitoring and Predictive Machine Learning” are enabled in Endpoint and Server Policies\r\nEnabling logging of anti-malware scan interface events to support investigations\r\nTrend Vision One customers can investigate “TELEMETRY_AMSI_EXECUTE” events to recreate\r\nscript executions for incident response activities\r\nDeploying web reputation services (WRS) on endpoints, cloud workloads and proxy servers to detect and\r\nblock malicious and anomalous traffic\r\nUsing network intrusion detection and prevention solutions, and network detection and response (NDR), to\r\ngain visibility into network traffic\r\nRetiring, or significantly hardening, segmenting or isolating, end-of-life operating systems, as these are targeted\r\nby adversaries through reconnaissance and lateral movement tactics\r\nFor their part, website administrators and owners should be aware that vulnerable content management systems\r\n(CMS) and their plugin systems are frequently targeted by threat actors. 
This is because they enable\r\ncybercriminals to abuse websites to hijack visitor traffic, as is the case with SocGholish, and distribute malware.\r\nCompromised websites can have a significant impact on a business’ operations if their websites are being tagged\r\nas malicious by security solutions and web browser block lists. Website administrators can mitigate this by:\r\nMonitoring security announcements for content management systems and applying mitigations and/or\r\npatching vulnerabilities\r\nMonitoring security announcements for content management system plugins and applying mitigations\r\nand/or patching vulnerabilities, which are exploited to gain initial access to web servers\r\nDeploying a web application firewall to filter exploit traffic\r\nRestricting access to administration portals\r\nUsing multi-factor authentication (MFA) and complex passwords for administration panels\r\nUsing SSH keys for administration interfaces and avoiding exposing administration interfaces such as web\r\nhost management interfaces, control panels, and SSH interfaces to the internet\r\nIsolating and rebuilding compromised web servers to eradicate threat actors in the aftermath of a\r\ncompromise\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is an enterprise cybersecurity platform that simplifies security and helps\r\nenterprises detect and stop threats faster by consolidating multiple security capabilities, enabling greater command\r\nof the enterprise’s attack surface, and providing complete visibility into its cyber risk posture. 
The cloud-based\r\nplatform leverages AI and threat intelligence from 250 million sensors and 16 threat research centers around the\r\nglobe to provide comprehensive risk insights, earlier threat detection, and automated risk and threat response\r\noptions in a single solution.\r\nAs we noted earlier, Trend Vision One customers can reduce their potential attack surface by ensuring that\r\n“Behavior Monitoring and Predictive Machine Learning” are enabled in Endpoint and Server Policies.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and\r\nThreat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to\r\nprepare for emerging threats by offering comprehensive information on threat actors, their malicious activities,\r\nand their techniques. By leveraging this intelligence, customers can take proactive steps to protect their\r\nenvironments, mitigate risks, and effectively respond to threats.\r\nTrend Vision One Intelligence Reports App [IOC Sweeping]\r\n[AIM/MDR/IR][Spot Report] Ghoulish Tactics: Unmasking the SocGholish to Ransomhub Attack Chain\r\nTrend Vision One Threat Insights App\r\nThreat Actors: Water Scylla\r\nEmerging Threats: Ghoulish Tactics: Unmasking the SocGholish to Ransomhub Attack Chain\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.\r\nSearching for the initial dropper:\r\ntags: (“XSAE.F11697” OR “XSAE.F11689” OR “XSAE.F8637” OR “XSAE.F8636” OR “XSAE.F7176”)\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement\r\nenabled.
\r\nConclusion\r\nSocGholish is a prevalent and evasive threat. The heavy obfuscation of its loader poses a challenge for\r\nstatic file detection technologies, and its fileless execution of commands may pose a challenge for certain detection\r\ntechnologies.\r\nThe sheer volume of compromised websites leading to SocGholish, coupled with the use of a commercial TDS for\r\nsandbox and crawler evasion and the use of anti-sandbox routines, may pose a challenge for certain automated\r\ndetection solutions like sandboxes; this may allow SocGholish to execute undetected in target environments, leading to highly\r\nimpactful attacks.\r\nIts collaboration with prevalent and dangerous RaaS operations like RansomHub means that SocGholish poses a\r\nsignificant threat to enterprises. However, there are several detection opportunities, from suspicious process chains\r\nthat perform discovery, lateral movement, credential access and data exfiltration, to\r\noutbound connections to low-reputation infrastructure and anomalous internal connections from compromised\r\nhosts.\r\nIndicators of compromise (IOCs)\r\nDownload the list of IOCs here.\r\nSource: https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html\r\nFigure 29. Exfiltration of screenshot\r\nFigure 30. Downloading and executing NirCmd to take a screenshot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html"
	],
	"report_names": [
		"socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434714,
	"ts_updated_at": 1775791677,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8b2d8bb3c3cbe4184fe6d205ea369dbeb1b4bab.pdf",
		"text": "https://archive.orkl.eu/d8b2d8bb3c3cbe4184fe6d205ea369dbeb1b4bab.txt",
		"img": "https://archive.orkl.eu/d8b2d8bb3c3cbe4184fe6d205ea369dbeb1b4bab.jpg"
	}
}