{
	"id": "ce24d130-4793-41cf-ad63-fafb713866b3",
	"created_at": "2026-04-06T00:14:21.973917Z",
	"updated_at": "2026-04-10T03:33:16.465983Z",
	"deleted_at": null,
	"sha1_hash": "e31bb10d1d8f18cfa052dd3fd9b50a55e293e8ba",
	"title": "TA569 Threat Actor Overview: SocGholish \u0026 Beyond | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10319969,
	"plain_text": "TA569 Threat Actor Overview: SocGholish \u0026 Beyond | Proofpoint US\r\nBy Andrew Northern, February 26, 2023\r\nPublished: 2023-02-23 · Archived: 2026-04-05 15:03:31 UTC\r\nKey Takeaways\r\nTA569 leverages many types of injections, traffic distribution systems (TDS), and payloads including, but not limited to, SocGholish.\r\nIn addition to serving as an initial access broker, these additional injects imply TA569 may be running a pay-per-install (PPI) service.\r\nTA569 may remove injections from compromised websites only to later re-add them to the same websites.\r\nThere are multiple opportunities for defense against TA569: educating users about the activity, using Proofpoint’s Emerging Threats ruleset to block the payload domains, and blocking .js files from executing in anything but a text editor.\r\nOverview\r\nTA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. In the past few months Proofpoint researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the number of injection varieties, as well as payloads deviating from the standard SocGholish “Fake Update” JavaScript packages. Such changes, and the frequency of said changes, are likely in response to two things: efficacy data collected during the attack chain and profitability.\r\nIn our last report, we described the SocGholish threat and how it is delivered via email. That is, the URLs that lead to the threat are typically legitimate and are distributed via benign automated emails, leading to otherwise \"friendly\" websites (those that were not designed with malicious intent). 
The emails can be newsletters or from aggregate services like Google Alerts, or a URL that was sent from one user to another.\r\nTA569 is considered by Proofpoint to be an initial access broker (IAB), or an independent cybercriminal actor who infiltrates major targets and then sells access to other groups to deliver follow-on payloads such as ransomware. In addition to being an IAB, TA569 is thought to leverage their extensive network of injections and infrastructure to offer a pay-per-install (PPI) service to other threat actors. This PPI service solicits payloads from customers and facilitates serving the downloads and infecting victims.\r\nIn this report, Proofpoint researchers describe the injections used by TA569 to distribute various payloads, as well as what an end-user will see when visiting a compromised website.\r\nCampaign Details\r\nThe infection chain begins when a user visits a website compromised by a TA569 injection. This could be through clicking on a link delivered via email or visiting a website directly. The victim’s browser interprets the injected JavaScript and, if the environment meets certain criteria, a lure will be presented. The most common lure – used to deliver SocGholish malware – is a fake browser update that presents itself in full-screen format as if it were from the injected site itself.\r\nProofpoint has observed other lures used by TA569 to deliver other malware payloads, including: distributed denial of service (DDoS) protection, fake security software updates, captcha puzzles, and other “update” related themes. These lures are used to deliver various malware payloads including information stealers or remote access trojans (RATs).\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond\r\nPage 1 of 24\n\nWhen the lure is clicked, a file is downloaded containing the malware payload. The filetype depends on the payload and includes .js, .zip, or .iso files among others. 
A user must execute the file for the malware to run on the host. These various RATs and information stealers, like SocGholish, can set the stage for follow-on malware infections, including ransomware.\r\nInjections\r\nWhat is an Injection?\r\nAn injection is a section of HTML, PHP, or JavaScript code that is placed onto a website by a threat actor to cause a victim’s browser to render content, request assets from a local or remote resource, or redirect to another location. These injections of code are placed in a variety of locations including: otherwise benign compromised websites, compromised third-party assets used to render websites, and attacker-controlled infrastructure. Proofpoint does not have evidence identifying the initial access vector used to compromise these websites, as it occurs outside of mailflow.\r\nInjection Deployment\r\nVarious implementations of injections have been observed, but these implementations can be broadly categorized into three distinct categories that describe their flow.\r\nThe first category, referred to as Local (non-proxied), indicates that the entire injection is present on the page the victim is visiting and is executed on page load without dependency on any additional assets.\r\nFigure 1: An example of an attack chain illustrating a local injection type resulting in SocGholish\r\nThe second category, referred to as Local Proxied, involves the storage of the injection in a local asset, such as a JavaScript library. 
When the browser is rendering the requested page, the local asset is called and the injection is executed. Injections have frequently been observed prepended to commonly used libraries like jQuery.\r\nFigure 2: An example of an attack chain illustrating a local proxied injection type resulting in SocGholish\r\nThe third category, referred to as Remote Proxied, involves the fragmentation of the injection code over two or more domains. This method is achieved through an asynchronous request to a separate domain that contains the complete injection. The use of multiple domains makes this method more challenging for security measures to detect.\r\nFigure 3: An example of an attack chain illustrating a remote proxied injection type resulting in SocGholish\r\nStrobing\r\nTA569 has been frequently documented as reinfecting websites that have undergone remediation for malicious injections. It is hypothesized that TA569 may use a technique referred to as \"strobing\" by Proofpoint researchers. Strobing involves the cyclical removal and re-addition of injections to previously compromised websites, with the duration of removal ranging from hours to days and potentially repeating multiple times per day or over longer periods.\r\nThe underlying reason for this behavior remains uncertain, but it could be attributed to the workflow involved in the addition of new or differing injections to meet customer agreements or campaign goals, or to generate the illusion of a \"clean\" website and the possibility of false positive condemnations. 
This also presents challenges for incident response efforts, as the malicious injections may not be visible at all times.\r\nFigure 4: Injection Strobing on a single host\r\nInjection Varieties\r\nThe threat actor TA569 has been observed to employ various injection methods for the deployment of its payloads. These injections can be classified into two main categories, with occasional exceptions. The first category encompasses injections that result in the delivery of SocGholish payloads. The second category includes injections that lead to the deployment of payloads other than SocGholish, referred to as Sczriptzzbn injections. It should be noted that Sczriptzzbn injections have also been used for the delivery of SocGholish injections, which in turn lead to SocGholish payloads.\r\nSocGholish Injection\r\nSocGholish type injections exhibit a higher degree of selective criteria compared to other payload injections. The delivery of the lure to the end-user is contingent upon the victim's environment meeting specific requirements. For instance, if the host is not running on Windows, has already been served a lure (according to IP and other cookies), or if the user's browser contains a cookie indicating a WordPress administrator login, the lure for the SocGholish \"Fake Update\" payload will not be delivered, terminating the attack. This filtering is achieved through the utilization of a Traffic Directing Service (TDS) to guarantee that the payloads are delivered to suitable environments.\r\nThe injections employed by TA569 are routed through a diverse range of Traffic Distribution Services (TDS), also known as Traffic Directing System/Service. A TDS is a technology stack that enables its operators to develop complex and dynamic flows of web traffic, with both legitimate and malicious uses. 
TA569 leverages the capabilities of TDS platforms to direct victims through attacker-controlled infrastructure. TDS platforms are commercially available, open source, pirated, or privately developed, each offering unique features. TA569 has been observed using multiple TDS platforms.\r\nThe use of TDS platforms by TA569 helps to further obscure their injections and provides versatility in the payloads delivered. The malicious JavaScript injections serve as the entry point for the TDS. The TDS provides multiple functions in the attack chain, including defense against researchers and bots. Geographic filtering based on IP, a blocklist of known bot IPs, and a ledger of served payloads make it challenging to identify payloads for analysis and to reproduce infection chains for incident response teams. The TDS not only provides defense but also gathers valuable information about the performance of injections, victim identification, and payload deployment efficacy. Due to the inherent nature of TDS platforms and their designed purpose, Proofpoint researchers hypothesize this information, combined with variations in payloads and download efficacy data, informs campaign design with the aim of maximizing infection and profitability.\r\nSocGholish Injection Varieties\r\nSocGholish injections have leveraged a variety of obfuscation routines in an effort to thwart detection and complicate analysis. Such varieties include single or double base64 encoding of portions of the injection, reversing strings, padding strings with extra characters (so that every other character must be skipped to derive the true value), as well as several different versions employing line breaks and variations in the size of variables. 
These, coupled with the options afforded by the injection deployment categories, create a formidable battery of possible combinations.\r\nOn 26 November 2022, Proofpoint researchers identified a new type of inject and follow-up chain of requests not previously used by TA569. This chain led to the expected fake browser update and JavaScript executable, which requires a greater degree of scrutiny to confirm statically. The inject used a simple async script with a base64 encoded Uniform Resource Identifier (URI) to make a request to the actor-controlled stage 2 shadowed domain.\r\nFigure 5: An example of the SocGholish injection format as of November 2022.\r\nFigure 6: An example of the SocGholish “mod2” injection.\r\nSocGholish Payload\r\nIn our previous report we discussed SocGholish and what an end-user can expect when encountering a “Fake Update” payload. The SocGholish payload is either a .js file or a .zip file containing the JavaScript file. A user must open these files manually for the payload to detonate.\r\nSocGholish payloads are dynamically generated with data points about the victim as an input. This dynamic generation essentially locks each payload to each victim, causing the payload to be rendered useless if it is moved to a different environment for analysis. Additionally, each payload is keyed to a specifically prefixed subdomain for command and control (C2) communication. Attempting to interact with a previously observed C2 domain with a known prefix will result in a closed connection.\r\nThe first step of a SocGholish payload will reach out to the C2 server for further instructions. If a payload \"passes\" the initial challenges, it will get a response from the C2 server with instructions to “fingerprint” the host it is running on and relay that information back. 
Depending on the host information, the C2 server will send another response to drop a RAT, execute additional host analysis to later drop an intrusion framework, or terminate the running process.\r\nFigure 7: The SocGholish Payload\r\nSczriptzzbn Injection\r\nThe name “Sczriptzzbn” is taken from a string present in the inject. The Sczriptzzbn injection is crude in comparison to the SocGholish injection. It is used for deploying various types of commodity malware, including remote access Trojans (RATs) and information stealers. The lures employed by this technique are not as polished as those used by SocGholish and are generally less professional in appearance. The lures are diverse in subject matter, ranging from fake DDoS protection captchas and captchas that cannot be solved to simple browser update pop-ups. The management of campaigns and the evaluation of efficacy in the Sczriptzzbn injection technique is facilitated by a TDS, namely zTDS, but only a few of the defensive measures present in the platform have been incorporated.\r\nFigure 8: A fake Cloudflare distributed denial of service (DDoS) protection popup distributed by a Sczriptzzbn inject.\r\nFigure 9: A notably lower quality variant of the “fake update” lure leading to NetSupport RAT distributed by the Sczriptzzbn inject.\r\nFigure 10: A portion of the captcha lure distributed by the Sczriptzzbn inject.\r\nFigure 11: Example of a TA569 telephone-oriented attack delivery (TOAD)-based fake security alert.\r\nSczriptzzbn Payloads\r\nTA569 has been observed engaging in the deployment of various forms of malware, including information stealers and RATs. 
This behavior is believed to be facilitated by TA569's Pay-Per-Install (PPI) business model. The commodity RATs and stealers that have been observed to be deployed by TA569 include, but are not limited to, NetSupport RAT, Redline Stealer, SolarMarker, and IcedID. Furthermore, it has been documented that TA569 delivers telephone-oriented attack delivery (TOAD) lures that are disguised as security alerts. The format of the delivered payloads can vary, with some being served as compressed executables and others being served as executables within an .iso file. The naming of these files often reflects a common theme of \"update.\"\r\nSince 26 November 2022, Sczriptzzbn injects have not delivered commodity malware as a first-stage payload, and all injections now deliver a subsequent SocGholish injection ultimately leading to delivery of the SocGholish payload.\r\nMistakes, Co-deployment, and Attribution\r\nIn August 2022, Proofpoint observed that TA569 began deploying the NetSupport RAT as the initial payload through the Sczriptzzbn injection method. The hosting infrastructure of the injection leading to the NetSupport RAT payload was also noted to have simultaneously served SocGholish injections during this period.\r\nThis convergence of infrastructure created suspicion that the SocGholish and Sczriptzzbn clusters may both be attributed to TA569. 
Ultimately, the shift from the delivery of commodity malware through Sczriptzzbn injections to the delivery of SocGholish as of November 2022 solidified this attribution.\r\nWith regards to motivation, Proofpoint researchers hypothesize that the use of Sczriptzzbn and its associated payloads may be a strategic move by TA569 to expand their business offerings and establish themselves not only as an Initial Access Broker (IAB) but also as a player in the Pay-Per-Install (PPI) market.\r\nFigure 12: A diagram showing the two distinct business lines of TA569 and their applicable injects and payloads.\r\nFigure 13: On 09 August 2022, TA569 accidentally injected all their SocGholish injects and a new NetSupport RAT Sczriptzzbn inject on the same domain.\r\nPrevention Opportunities\r\nThe Proofpoint Emerging Threats team has developed effective prevention strategies for TA569 and SocGholish infections. The team publishes domain rules for actor-controlled domains, which can be used through Snort and Suricata or as standalone downloads for usage in other tools. By monitoring and blocking these domains, organizations can prevent the download of malware payloads and thus disrupt the attack before it reaches end users.\r\nAn effective preventive measure against a SocGholish infection is the monitoring of .js files that are either downloaded or unzipped. Additionally, blocking .js files from executing in anything but a text editor will prevent the malicious files from executing once they have been downloaded. 
Implementing these simple yet powerful steps can help organizations protect themselves from the harmful consequences of a SocGholish attack.\r\nConclusion\r\nTo protect against TA569 and its related malware, defenders should remain vigilant in their evaluation of alerts, even in the face of what may appear to be false positives. This high-volume threat has the potential to infect a vast number of websites, including those belonging to high-traffic media outlets and other reputable, trusted sources.\r\nIt is crucial that organizations educate their end users about the tricks and lures used by this actor, and maintain a critical eye in the face of any suspicious activity.\r\nAppendix\r\nFigure 14: SocGholish Overview\r\nFigure 15: SocGholish Stage_1: TDS\r\nFigure 16: SocGholish Stage_1: Initial Domain\r\nFigure 17: SocGholish Stage_1 Injection\r\nFigure 18: SocGholish Stage_2: Payload Host\r\nFigure 19: SocGholish Stage_3: Payload Execution and C2\r\nFigure 20: SocGholish Stage_4: Follow On\r\nIndicators of Compromise\r\n
Source: https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
	],
	"report_names": [
		"ta569-socgholish-and-beyond"
	],
	"threat_actors": [
		{
			"id": "9aa9b489-a297-4dbd-8601-8fc0370201a6",
			"created_at": "2022-10-25T16:07:23.696796Z",
			"updated_at": "2026-04-10T02:00:04.71508Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "ETDA:Group5",
			"tools": [
				"Atros2.CKPN",
				"Bladabindi",
				"DroidJack",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf0704ab-99e4-44d7-96d9-3cba91339229",
			"created_at": "2022-10-25T15:50:23.485375Z",
			"updated_at": "2026-04-10T02:00:05.332806Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"Group5"
			],
			"source_name": "MITRE:Group5",
			"tools": [
				"njRAT",
				"NanoCore"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "094d8210-4c64-4457-ad97-a94fc7af7630",
			"created_at": "2023-01-06T13:46:38.98103Z",
			"updated_at": "2026-04-10T02:00:03.170376Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "MISPGALAXY:Group5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434461,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e31bb10d1d8f18cfa052dd3fd9b50a55e293e8ba.pdf",
		"text": "https://archive.orkl.eu/e31bb10d1d8f18cfa052dd3fd9b50a55e293e8ba.txt",
		"img": "https://archive.orkl.eu/e31bb10d1d8f18cfa052dd3fd9b50a55e293e8ba.jpg"
	}
}