{
	"id": "e7985ac3-797c-4d82-9059-4414951f24bc",
	"created_at": "2026-04-06T00:11:36.44524Z",
	"updated_at": "2026-04-10T03:33:15.471963Z",
	"deleted_at": null,
	"sha1_hash": "fb7221f1cbb2bc9b600156ebc2eedd93fbd1cd0a",
	"title": "SocGholish | Red Canary Threat Detection Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129826,
	"plain_text": "SocGholish | Red Canary Threat Detection Report\r\nArchived: 2026-04-05 13:25:57 UTC\r\nAnalysis\r\nTake action\r\nDetection\r\nTesting\r\nAnalysis\r\nSocGholish is a malware family that leverages drive-by-downloads masquerading as software updates for initial\r\naccess. Active since at least April 2018, SocGholish has been linked to the suspected Russian cybercrime group\r\nEvil Corp. As in past years, Red Canary observed SocGholish impacting a wide variety of industry verticals in\r\n2025.\r\nLike previous years, SocGholish activity maintained a relatively constant background volume in 2025, with\r\nperiods of higher activity followed by a slow tapering. Throughout the year, activity peaked in January/February,\r\nMay, and September, with lower but steady volume during the remaining months in the year. As usual, the spikes\r\nin activity coincided with changes in lures.\r\nAlso known as “FakeUpdates,” SocGholish typically gains initial access by presenting visitors of a compromised\r\nwebsite with a lure indicating an update is needed for their browser or other common software. Silent Push\r\npublished a detailed summary of the traffic distribution systems (TDS) and web injects in early August. Red\r\nCanary visibility typically begins downstream of that activity, once a user has taken the bait. 
Unsuspecting users\r\nwho download the “update” are tricked into running a malicious JavaScript payload, launching the attack.\r\nHistorically, SocGholish wrapped this JavaScript (JS) payload within a ZIP file; however, since late 2022 direct\r\ndelivery of the JS without the ZIP file has also been observed.\r\nhttps://redcanary.com/threat-detection-report/threats/socgholish/\r\nPage 1 of 6\r\nIn 2025, about one third of SocGholish infections detected by Red Canary involved\r\na ZIP file, while two thirds used a direct to JS lure.\r\nDo you С what I C ?\r\nOne of the distinguishing characteristics of SocGholish filename lures continues to be their use of homoglyphs.\r\nSocGholish began using these “lookalike” characters in 2022 to replace certain characters in filenames, likely in\r\nan attempt to evade detection based on filename patterns. For example, instead of the typical filename\r\nChrome.Update.zip, SocGholish would replace the letters C and a with their Cyrillic look-alike\r\ncharacters С (UTF-8 0xd0a1) and а (UTF-8 0xd0b0), to produce the filename Сhrome.Updаte.zip. While nearly\r\nidentical in appearance to the human eye, the filenames are different byte strings to a computer comparing them,\r\nso a pattern written for the ASCII name will not match.\r\nSocGholish lures in 2025 picked up where they left off in 2024, using a direct JS download named Uрdate.js\r\nwith the homoglyph replacing the letter p. This lure continued through mid-January, at which point they made a\r\nsubtle change by switching to a homoglyph a and returning to the ASCII p (Updаte.js). This lure continued\r\nto be used through late March. 
Interspersed with these direct to JS homoglyph lures, we also encountered\r\nUpdate.zip lures containing an identically named Update.js file with no homoglyphs present.\r\nAfter a lull in activity, we observed a new lure in late April that introduced several previously unused\r\nhomoglyphs: the three-byte UTF-8 characters Ị (UTF-8 0xe1bb8a, in place of a capital letter I) and Ụ\r\n(UTF-8 0xe1bba4, in place of a capital letter U), as well as the Cyrillic letter Palochka (UTF-8 0xd380) in\r\nplace of a lowercase L. These characters appeared in a ZIP lure containing a JS payload, alongside homoglyph\r\nр in both the ZIP and JS names and homoglyph а in the ZIP name only of the lure\r\nỤрdateỊnstаӀӀer.zip.\\Ụрdate.js.\r\nASCII character | doppelgänger character | UTF-8 hex encoding | UTF-16 hex encoding\r\na | а (Cyrillic Small Letter A) | d0b0 | 0430\r\nC | С (Cyrillic Capital Letter Es) | d0a1 | 0421\r\ne | е (Cyrillic Small Letter Ie) | d0b5 | 0435\r\nI (capital i) | Ị (Latin Capital Letter I with Dot Below) | e1bb8a | 1eca\r\nl (lowercase L) | Ӏ (Cyrillic Letter Palochka) | d380 | 04c0\r\no | ο (Greek Small Letter Omicron) | cebf | 03bf\r\np | р (Cyrillic Small Letter Er) | d180 | 0440\r\nU | Ụ (Latin Capital Letter U with Dot Below) | e1bba4 | 1ee4\r\nThis change was short-lived; by mid-May we were predominantly seeing direct to JS lures with the name\r\nChrοmeUрdаteInstаller.js, using homoglyphs in place of the letters o, p, and both a's. This lure\r\ncontinued for about a month until mid-June, at which point they returned to the new homoglyphs with the same\r\nZIP name from April (ỤрdateỊnstаӀӀer) coupled with various homoglyph-free names such as Installer.js or\r\nUpdater.js. 
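The homoglyph substitutions described above, turned into a filename check. This is an added example written for this page, not Red Canary's code: the confusables map holds only the eight characters from the table above (a real check would use the full Unicode confusables list), and the sample names are the lure filenames quoted in this section plus two constructed clean names.

```python
import unicodedata

# Doppelganger -> ASCII letter it imitates. Built from the eight rows of the
# table above; a production check would load the full Unicode confusables list.
CONFUSABLES = {
    'а': 'a',  # U+0430 Cyrillic Small Letter A
    'С': 'C',  # U+0421 Cyrillic Capital Letter Es
    'е': 'e',  # U+0435 Cyrillic Small Letter Ie
    'Ị': 'I',  # U+1ECA Latin Capital Letter I with Dot Below
    'Ӏ': 'l',  # U+04C0 Cyrillic Letter Palochka
    'ο': 'o',  # U+03BF Greek Small Letter Omicron
    'р': 'p',  # U+0440 Cyrillic Small Letter Er
    'Ụ': 'U',  # U+1EE4 Latin Capital Letter U with Dot Below
}


def encodings(ch):
    '''UTF-8 byte hex and UTF-16 code unit hex for one character, as in the table.'''
    return ch.encode('utf-8').hex(), '%04x' % ord(ch)


def script_of(ch):
    '''Script taken from the Unicode character name: LATIN, CYRILLIC, GREEK, ...'''
    name = unicodedata.name(ch, '')
    return name.split(' ')[0] if name else 'UNKNOWN'


def analyze_filename(name):
    '''Flag a filename that mixes scripts or contains a known doppelganger.

    Returns the ASCII-normalized name (so it can be matched against the plain
    lure names), the substitutions found with their encodings, the set of
    scripts seen among alphabetic characters, and an overall verdict.
    '''
    substitutions = []
    scripts = set()
    for pos, ch in enumerate(name):
        if ch.isalpha():
            scripts.add('LATIN' if ch.isascii() else script_of(ch))
        if ch in CONFUSABLES:
            utf8_hex, utf16_hex = encodings(ch)
            substitutions.append({
                'position': pos,
                'char': ch,
                'looks_like': CONFUSABLES[ch],
                'utf8': utf8_hex,
                'utf16': utf16_hex,
            })
    normalized = ''.join(CONFUSABLES.get(ch, ch) for ch in name)
    # Latin letters mixed with another script is suspicious even for characters
    # missing from CONFUSABLES; the dotted-below Latin letters are caught by the map.
    mixed_script = 'LATIN' in scripts and len(scripts - {'LATIN'}) > 0
    return {
        'name': name,
        'normalized': normalized,
        'substitutions': substitutions,
        'scripts': scripts,
        'suspicious': bool(substitutions) or mixed_script,
    }


def confusable_table():
    '''Rows of (ascii, doppelganger, unicode name, utf8 hex, utf16 hex), table order.'''
    rows = []
    for ch, plain in sorted(CONFUSABLES.items(), key=lambda kv: kv[1].lower()):
        utf8_hex, utf16_hex = encodings(ch)
        rows.append((plain, ch, unicodedata.name(ch), utf8_hex, utf16_hex))
    return rows


# Constructed sample: lure names quoted in this section plus two clean names.
SAMPLE_NAMES = [
    'Сhrome.Updаte.zip',
    'Uрdate.js',
    'Updаte.js',
    'ỤрdateỊnstаӀӀer.zip',
    'Ụрdate.js',
    'ChrοmeUрdаteInstаller.js',
    'Update.zip',
    'New Version (CLICK).js',
]

if __name__ == '__main__':
    for plain, ch, uname, u8, u16 in confusable_table():
        print('%s -> %s (%s) utf8=%s utf16=%s' % (plain, ch, uname, u8, u16))
    for n in SAMPLE_NAMES:
        r = analyze_filename(n)
        print(r['suspicious'], n, '->', r['normalized'], len(r['substitutions']))
```

The normalized name is what you would compare against the plain lure names (Update.js, ChromeUpdateInstaller.js and so on); the mixed-script test is the fallback for a homoglyph the map does not know yet, which is exactly how the April lure would have looked before Ị, Ụ and Palochka were added to it.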
By mid-July, they seemed to tire of the homoglyphs again and temporarily returned to some\r\nformerly used direct to JS lures with names like Chrome.js or Edge.js.\r\nActivity waned through August and early September, until a new version of the JavaScript appeared in late\r\nSeptember. Initially this version used the homoglyph-free lure name New Chrome available.js, however that\r\nwas quickly replaced with the classic browser-themed firefox.js lure name within a ZIP file named\r\nMozillaUpdater.zip.MozillaUpdater.zip [sic]. In early October, direct to JS lures appeared again under the\r\nname Click to Install New Version.js. This name was modified multiple times during October before finally\r\nsettling on New Version (CLICK).js, which continued to be used through the end of the year.\r\nThe next step: Reconnaissance\r\nRegardless of how it is delivered, upon execution the JavaScript payload connects back to SocGholish\r\ninfrastructure, where it shares details about the infected host and can retrieve additional malware. In most cases,\r\nwe observe reconnaissance activity that identifies the infected endpoint and user. In rare cases, Active Directory\r\nand domain enumeration follows user discovery. The majority of SocGholish infections we detect do not progress\r\npast the reconnaissance activity, sometimes due to existing mitigations or a rapid response to isolate the host,\r\nwhile in other cases it appears the adversary did not progress the compromise. This likely indicates selective\r\ntargeting of victims by the SocGholish adversary.\r\nSecondary payloads\r\nSimilar to 2024, Red Canary observed a second-stage payload in about one in four SocGholish incidents in 2025.\r\nContinuing a trend from the last few years, we observed SocGholish being leveraged to deliver multiple different\r\npayloads throughout the year, likely indicative of partnering with multiple affiliate groups. 
While we rarely see\r\nactivity beyond initial deployment of a payload, in 2025 two distinct activity clusters comprised the majority of\r\nlater-stage activity following SocGholish.\r\nMost commonly, we observed SocGholish delivering MintsLoader, which in turn deployed additional malware\r\nsuch as a persistent backdoor like AsyncRAT or a stealer like StealC. In addition to SocGholish, MintsLoader\r\nleveraged multiple other delivery affiliates for initial access and managed to claim its own place in the top 10\r\nthreats of 2025.\r\nLess commonly, though perhaps of more concern, we observed SocGholish delivering a Python-based backdoor\r\nand conducting reconnaissance behaviors consistent with ransomware precursors. This activity overlaps with\r\nmultiple reports from other vendors linking SocGholish to RansomHub ransomware, a payload linked to Evil\r\nCorp among other affiliate groups. RansomHub hasn’t been observed since March 2025, according to ransomware\r\nleak site scrapers. However, the affiliates who typically deploy pre-encryption payloads are likely still operational,\r\nand we assess with high confidence that, left undetected, these threats likely would have progressed to\r\nransomware.\r\nTake action\r\nOne of the best ways to mitigate risks associated with SocGholish, as well as Scarlet Goldfinch, Gootloader, and\r\nother threats that begin with the execution of a malicious JavaScript file, is to change the default behavior in\r\nWindows to open JS files with Notepad or another editor rather than immediately executing them. 
Details on\r\nimplementing this control via GPO are available in our blog Open with Notepad: Protecting users from malicious\r\nJavaScript.\r\nShould SocGholish successfully execute, much of the reconnaissance conducted by the malicious JavaScript file\r\nhappens in memory, with data being exfiltrated directly via HTTP POST requests to the C2 domain. One good source\r\nof insight into this behavior comes from collecting script load content, if such telemetry is available from your\r\nendpoint detection and response (EDR) sensor. Collecting this data provides key insight into the specific\r\ncommands executed and data exfiltrated.\r\nTo remove SocGholish components, stop any malicious instances of wscript.exe. Remove any malicious\r\nscheduled tasks for the victim user to remediate persistence on the host. If any payloads were stored within the\r\nWindows Registry or on disk, remove those payloads as well for full remediation.\r\nDetection opportunities\r\nWindows Script Host spawned from a browser and making external network connections\r\nWhile JavaScript is everywhere on the web, it is rather unusual for the browser to download a JavaScript file and\r\nexecute it via the Windows Script Host (wscript.exe). When this downloaded script starts communicating with\r\ndevices outside of your network, things get even more suspicious. That said, this detection analytic may be noisy\r\nin some environments, so be prepared to identify what scripts are normally run in this way and tune out that noise.\r\nparent_process == [a browser]\r\n\u0026\u0026\r\nprocess == wscript.exe\r\n\u0026\u0026\r\nhas_external_netconn\r\nEnumerating domain trust relationships with nltest.exe\r\nLeft unchecked, SocGholish may lead to domain discovery. 
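Both detection analytics in this section, the Windows Script Host one above and the nltest.exe one below, as executable logic run over constructed process events. This is an added example written for this page and is not Red Canary's detection code: the event field names, the browser list, the tuning allowlist and the sample events (including the placeholder public IP 93.184.216.34) are assumptions, and has_external_netconn is approximated as any connection to a globally routable IP address.

```python
import ipaddress

# Parent processes treated as browsers for the first analytic. Constructed
# list for this example; extend it to the browsers your fleet actually runs.
BROWSERS = {'chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe', 'opera.exe', 'iexplore.exe'}

# Tuning allowlist (constructed): scripts that are legitimately launched through
# wscript.exe from a browser in this imaginary environment, matched on command line.
ALLOWLIST = ('intranet_survey.js',)


def is_external(ip_text):
    '''True for a globally routable address. RFC 1918, loopback, link-local and
    documentation ranges all count as internal; non-IP strings are ignored.'''
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def has_external_netconn(event):
    return any(is_external(ip) for ip in event.get('netconn', []))


def rule_wsh_from_browser(event, allow_scripts=ALLOWLIST):
    '''parent_process == [a browser] and process == wscript.exe and has_external_netconn'''
    cmd = event.get('command_line', '').lower()
    if any(allowed.lower() in cmd for allowed in allow_scripts):
        return False  # known-good script for this environment, tuned out
    return (event.get('process', '').lower() == 'wscript.exe'
            and event.get('parent_process', '').lower() in BROWSERS
            and has_external_netconn(event))


def rule_nltest_trusts(event, allow_scripts=()):
    '''process == nltest.exe and command_includes /domain_trusts or /all_trusts'''
    cmd = event.get('command_line', '').lower()
    return (event.get('process', '').lower() == 'nltest.exe'
            and ('/domain_trusts' in cmd or '/all_trusts' in cmd))


RULES = {
    'wsh_from_browser_external_netconn': rule_wsh_from_browser,
    'nltest_domain_trusts': rule_nltest_trusts,
}


def run_detections(events, allow_scripts=ALLOWLIST):
    '''Return (event id, rule name) for every event a rule fires on, in input order.'''
    hits = []
    for event in events:
        for rule_name, rule in RULES.items():
            if rule(event, allow_scripts):
                hits.append((event['id'], rule_name))
    return hits


# Constructed process events in the shape an EDR sensor might emit. The IPs are
# placeholders: 93.184.216.34 stands in for a routable C2 address, 10.0.0.5 for
# an internal host.
EVENTS = [
    {'id': 1, 'parent_process': 'chrome.exe', 'process': 'wscript.exe',
     'command_line': 'wscript.exe Update.js', 'netconn': ['93.184.216.34']},
    {'id': 2, 'parent_process': 'msedge.exe', 'process': 'wscript.exe',
     'command_line': 'wscript.exe Update.js', 'netconn': ['10.0.0.5']},
    {'id': 3, 'parent_process': 'explorer.exe', 'process': 'wscript.exe',
     'command_line': 'wscript.exe logon_helper.js', 'netconn': ['93.184.216.34']},
    {'id': 4, 'parent_process': 'cmd.exe', 'process': 'nltest.exe',
     'command_line': 'nltest /domain_trusts', 'netconn': []},
    {'id': 5, 'parent_process': 'cmd.exe', 'process': 'nltest.exe',
     'command_line': 'nltest /dsgetdc:corp', 'netconn': []},
    {'id': 6, 'parent_process': 'firefox.exe', 'process': 'wscript.exe',
     'command_line': 'wscript.exe intranet_survey.js', 'netconn': ['93.184.216.34']},
]

if __name__ == '__main__':
    for hit in run_detections(EVENTS):
        print(hit)
```

Events 1 and 4 fire; event 2 only talks to an internal address, event 3 was not spawned by a browser, event 5 is an nltest invocation without a trust-enumeration switch, and event 6 is suppressed only because its script is on the allowlist (passing an empty allowlist makes it fire too). In a real deployment you would also treat your own public ranges and known SaaS egress as internal, since is_global alone does not know about them.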
Domain discovery of this kind can be a precursor to ransomware\r\nactivity, and should be quickly quelled to prevent further progression of the threat.\r\nprocess == nltest.exe\r\n\u0026\u0026\r\ncommand_includes ('/domain_trusts' || '/all_trusts')\r\nSource: https://redcanary.com/threat-detection-report/threats/socgholish/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://redcanary.com/threat-detection-report/threats/socgholish/"
	],
	"report_names": [
		"socgholish"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434296,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb7221f1cbb2bc9b600156ebc2eedd93fbd1cd0a.pdf",
		"text": "https://archive.orkl.eu/fb7221f1cbb2bc9b600156ebc2eedd93fbd1cd0a.txt",
		"img": "https://archive.orkl.eu/fb7221f1cbb2bc9b600156ebc2eedd93fbd1cd0a.jpg"
	}
}