{
	"id": "87265126-2cd2-4bf6-ac96-9e47011dd3b4",
	"created_at": "2026-04-06T00:06:29.774243Z",
	"updated_at": "2026-04-10T03:21:10.412783Z",
	"deleted_at": null,
	"sha1_hash": "da88a50bbb94a40b4e35a9e7084c56100dbace12",
	"title": "Fake browser update pages are still a thing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4658334,
	"plain_text": "Fake browser update pages are still a thing\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 19:37:02 UTC\r\nIntroduction\r\nSocGholish is a term I first saw in signatures from the EmergingThreats Pro ruleset to describe fake browser update pages used to distribute malware like a NetSupport RAT-based malware package or Chthonic banking malware.  Although this activity has continued into 2020, I hadn't run across an example until this week.\r\nShown above:  A recent infection chain from the SocGholish campaign.\r\nFake browser update pages\r\nThe infection chain starts with a legitimate website carrying injected code from a file served from one of its URLs.  The URL most often ends with .js.  The injected code is highly obfuscated, and I was unable to figure out where it came from on the legitimate site when I generated an infection in my lab.  The end result looked like the image below.\r\nhttps://isc.sans.edu/forums/diary/Fake+browser+update+pages+are+still+a+thing/25774/\r\nPage 1 of 8\r\nShown above:  Fake browser update page seen after visiting a legitimate website.\r\nThe downloaded zip archive contained a heavily obfuscated JavaScript file.  This happened when I used Firefox as my web browser.  If you use Google Chrome, the fake update page sends an HTA file instead of a zip archive.  In my example, the fake Firefox update page sent a zip archive containing a file named Firefox.js, the malware downloader.\r\nShown above: The downloaded zip archive and extracted .js file.\r\nInfection traffic\r\nInfection traffic was typical of what I've seen before with this campaign.  The malware downloader is very picky.  It knows which machines I've infected before, so when I use a computer that I've infected once or twice before, it won't deliver the follow-up malware.  
Also, this .js-based downloader (or the HTA-based downloader if you had a fake Chrome update page) is extremely VM-aware.  It's rare for me to get a full infection chain of events.  In this case, I got the fake browser update page on one computer, then I switched to another computer to get Firefox.js to deliver the follow-up malware.\r\nShown above:  Gate URLs and a fake Firefox update page from the SocGholish campaign shown in a Fiddler capture.\r\nShown above:  Gate domain and fake Firefox update page from the SocGholish campaign from a pcap shown in Wireshark.\r\nShown above: Traffic from infecting a host with the Firefox.js file.\r\nShown above:  Data returned from the server contacted after running Firefox.js on my lab host.\r\nThis NetSupport RAT-based malware package was sent as a 10MB ASCII text file consisting of hexadecimal characters.  This is hex-encoded data, and the file was saved to my lab host and decoded to a zip archive containing the malware package.  
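The hex-to-zip decoding step described above can be scripted for triage. The following Python is an added example written for this page, not code from the diary, from the SocGholish downloader, or from any of the tools mentioned. It assumes the server response is nothing more than ASCII hex of a zip archive, as the diary describes, decodes it, checks the zip local-file-header magic and lists the archive members without extracting them. The embedded sample archive and its member names (presentationhost.exe from the diary, plus a placeholder notes.txt) are constructed stand-ins, not the real malware package.

```python
import io
import zipfile

# Local file header signature of a zip archive: the bytes P, K, 0x03, 0x04.
ZIP_MAGIC = bytes.fromhex('504b0304')


def decode_hex_payload(text):
    # The downloader response is plain ASCII hex; tolerate line breaks and
    # stray whitespace, but reject anything that is not a clean hex string.
    compact = ''.join(text.split())
    if len(compact) % 2:
        raise ValueError('odd number of hex digits (%d)' % len(compact))
    try:
        return bytes.fromhex(compact)
    except ValueError:
        raise ValueError('payload contains non-hex characters')


def looks_like_zip(blob):
    # Cheap sanity check before handing the blob to zipfile.
    return blob[:4] == ZIP_MAGIC


def triage_hex_dump(text):
    # Decode, check the magic, and list archive members (name, uncompressed
    # size) without writing anything to disk.
    blob = decode_hex_payload(text)
    result = {'decoded_size': len(blob), 'is_zip': looks_like_zip(blob), 'members': []}
    if result['is_zip']:
        with zipfile.ZipFile(io.BytesIO(blob)) as archive:
            result['members'] = [(i.filename, i.file_size) for i in archive.infolist()]
    return result


def build_sample_hex():
    # Constructed stand-in for the real 10MB response: a tiny zip archive with
    # placeholder contents, hex-encoded and wrapped onto 64-character lines the
    # way a text dump of the response might be.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as archive:
        archive.writestr('presentationhost.exe', b'placeholder, not a real executable')
        archive.writestr('notes.txt', 'placeholder text')
    hexstr = buf.getvalue().hex()
    return chr(10).join(hexstr[i:i + 64] for i in range(0, len(hexstr), 64))


if __name__ == '__main__':
    # Replace build_sample_hex() with open(path).read() on a captured response.
    print(triage_hex_dump(build_sample_hex()))
```

On a real capture, feed the saved response body to triage_hex_dump instead of the constructed sample; a decoded size of roughly half the text file size and the PK magic at offset 0 are the two quick checks that the blob is the archive the diary describes rather than a further encoding layer.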
This ASCII data and decoded zip archive were deleted from my infected lab host by the time I performed post-infection forensics.\r\nPost-infection forensics\r\nThe NetSupport RAT-based malware package was kept persistent through the Windows registry and stored in a folder under the infected user's AppData\\Roaming directory.\r\nShown above:  NetSupport RAT-based malware package persistent on the infected Windows host.\r\nShown above:  NetSupport RAT-based malware package stored under the infected user's AppData\\Roaming directory.\r\nIndicators from the infection\r\nGate activity leading to fake browser update page:\r\n130.0.234[.]134 port 443 - sodality.mandmsolicitors[.]com - URLs from gate domain (HTTPS)\r\nFake browser update page:\r\n188.120.239[.]154 port 443 - trace.mukandratourandtravels[.]com - initial URL sent as HTTPS\r\n188.120.239[.]154 port 80 - trace.mukandratourandtravels[.]com - follow-up URLs for fake browser update page\r\nNote: The domain name used for these fake update pages frequently changes.\r\nURLs caused by Firefox.js (malware downloader):\r\n130.0.233[.]178 port 80 - 2e2be1cd.auth.codingbit[.]co[.]in - POST /submit.aspx\r\nNote: The first part of the domain name (with the hex characters) is different for each infection.\r\nTraffic generated by NetSupport RAT-based malware package:\r\n81.17.21[.]98 port 443 - 81.17.21[.]98 - POST http://81.17.21[.]98/fakeurl.htm\r\n62.172.138[.]35 port 80 - geo.netsupportsoftware[.]com - GET /location/loca.asp (not inherently malicious)\r\nSHA256 hash: 6b89a2c1650012d7953f04f39ef7ecd97341114480918602d041593a597442d7\r\nFile size: 32,231 bytes\r\nFile name: Firefox.Update.4ee488.zip\r\nFile description: Zip archive sent by fake browser update page\r\nNote: File name is different for each download (file hash might be as well)\r\nSHA256 hash: 69ea88be502bd00e87aef75e1f41da3e5e0bdb6946d18db5a4a52d919e2dc79b\r\nFile size: 90,690 bytes\r\nFile name: Firefox.js\r\nFile description: JavaScript-based malware downloader extracted from downloaded zip archive\r\nNote: File hash might be different on each occasion\r\nSHA256 hash: 49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3\r\nFile size: 105,848 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\XDk7Fyz6\\presentationhost.exe\r\nFile description: NetSupport Manager RAT executable\r\nFinal words\r\nThis is a long-running campaign that continually evolves.  To get an idea of how it has changed since last year, view my previous ISC diary about this campaign from February 2019.\r\nComputers running Windows 10 with the latest updates and recommended security settings are not very vulnerable to this threat.  Default security settings for Chrome and Firefox usually block this activity.  However, the criminals behind this campaign keep updating their tactics as they attempt to evade detection, and these fake browser update pages sometimes slip through.  If someone clicked through enough security warnings, they might very well infect a vulnerable Windows host.\r\nThe associated malware and a pcap of the traffic can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/Fake+browser+update+pages+are+still+a+thing/25774/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Fake+browser+update+pages+are+still+a+thing/25774/"
	],
	"report_names": [
		"25774"
	],
	"threat_actors": [],
	"ts_created_at": 1775433989,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da88a50bbb94a40b4e35a9e7084c56100dbace12.pdf",
		"text": "https://archive.orkl.eu/da88a50bbb94a40b4e35a9e7084c56100dbace12.txt",
		"img": "https://archive.orkl.eu/da88a50bbb94a40b4e35a9e7084c56100dbace12.jpg"
	}
}