UDTSecure SocGholish Malware Technical Security Alert

SocGholish has currently infected thousands of US businesses, government, academic, non-profit, and healthcare organizations, resulting in subsequent ransomware events with losses ranging between $1 million and $40 million per incident.

Technical Security Alert 032822001

Industries Affected:

  1. Financial Services
  2. Government Facilities

Risk Rating: HIGH


SocGholish (aka FakeUpdates) is a JavaScript-based malware that masquerades as a legitimate browser update delivered to victims via compromised websites. SocGholish establishes an initial foothold onto victim networks that threat actors use for further targeting with ransomware. Since 2020, the SocGholish malware is believed to be the most common initial intrusion vector across multiple variants of ransomware suspected to be operated by subjects associated with the Evil Corp cybercriminal organization, including BitPaymer, WastedLocker, Hades, Phoenix, PayloadBIN, and Macaw Locker.

SocGholish has currently infected thousands of US businesses, government, academic, non-profit, and healthcare organizations, resulting in subsequent ransomware events with losses ranging between $1 million and $40 million per incident.


SocGholish is delivered via compromised websites injected with JavaScript that redirects visitors to a series of malicious websites hosting SocGholish payloads. There are typically three stages to a SocGholish incident, with multiple browser redirects and obfuscated code used throughout to evade anti-virus detections.

The initial stage, SocGholish collects victim browser information upon visiting a compromised website. The malware initiates a series of HTTP redirects before prompting the victim to download a software update for their web browser.

The second stage executes if the victim downloads the fake browser update, upon which a zipped JavaScript malware payload is delivered and triggered with wscript.exe. The malware collects additional information via whoami and netuser/netgroup commands, as well as PowerShell scripts, and communicates the information back to a command and control (C2) server.

The final stage typically involves the delivery of a “Cobalt Strike Beacon” payload used by threat actors for further network reconnaissance and lateral movement that ultimately leads to ransomware deployment.

SocGholish C2 domains rotate regularly and often use hijacked subdomains of legitimate websites that can blend in with seemingly normal network traffic. Potential SocGholish C2 activity can be identified with the following domain patterns observed during various investigations:

[8 random hex characters].subdomain.domain.topleveldomain



Known IP Addresses


File Names and Hashes

















































C2 pattern — [8 random hex characters].subdomain.domain.topleveldomain

















  • Implement regular backups of Maintain backups offline, and ensure the data is encrypted and immutable.
  • Confirm that the Native Domain Admin account “Administrator” has a strong password and is in “Disabled” status. This account should not be used for day to day activities and should be placed under the protected group AD Group.
  • Store copies of data offline using multi-factor authentication with strong password
  • Disable command-line and scripting activities and
  • Install and regularly update antivirus software with real-time
  • Implement network segmentation to prevent accessibility across multiple machines on the network.
  • Keep computers, devices and applications patched and up to Prioritize patching known exploited vulnerabilities.
  • Safeguard the network by enacting administrative privileges and configuring access controls with the least privilege in mind.
  • Consider adding an email banner to emails received outside of your
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Disable hyperlinks in received
  • Use double authentication when logging into accounts or
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
  • Use Admin Disabling Tools to support identity and privileged access
  • Implement time-based access for accounts set at the admin-level and.



The following UDTSecure Cyber Security Services can help clients test and mitigate for this important vulnerability with the following services:

  • UDTSecure AD Threat & Compromise Assessment
  • UDTSecure Vulnerability Security Assessment and Patch Management as a Service
  • UDTSecure Managed Threat Hunting Service
  • UDTSecure Compromise Assessment
  • UDT Professional Services to help with all your mitigation needs.

Accomplish More With UDT

Get your custom solution in cybersecurity, lifecycle management, digital transformation and managed IT services. Connect with our team today.

More to explore

Crafting a Futureproof 1:1 Device Strategy for School Districts

In the evolving landscape of Education Technology, crafting a futureproof 1:1 device strategy is crucial. This strategy should link every student, teacher, and administrator experience with specific device specifications. The integration of educational apps into the curriculum can significantly enhance the learning environment. These apps, tailored to the needs of students, can provide interactive content, fostering a dynamic learning experience.

Optimizing Your K12 Tech Investments: Funding 1:1 Device Programs

This blog will guide school districts grappling with the financial and resource demands of implementing a successful 1:1 device program amid ongoing challenges of budget constraints and competing priorities. Our guided workbook, created in partnership with Intel, provides further support with personalized roadmap on “Pathways to Innovation: Building a Sustainable Digital Learning Environment”.​

K12 Cybersecurity: How to Secure 1:1 Devices in Your School District

This blog post delves into the importance of security, cybersecurity, and data privacy in school districts implementing 1:1 device initiatives. It offers basic steps for evaluating, planning, and executing a security strategy. Our guided workbook, created in partnership with Intel, provides a personalized roadmap on “Pathways to Innovation: Building a Sustainable Digital Learning Environment”.

Lost & Stolen Devices are a Serious Data Security Threat—Here’s Why

Since the pandemic, remote and hybrid work has become the norm. While mobile devices and remote workstations have empowered great flexibility, it has also led to an increase in data security problems due to lost, misplaced, or stolen devices. Find out how remote and hybrid setups are contributing to this problem and how to protect yourself and your organization.​

Ransomware Gangs Adding Pressure with ‘Swatting’ Attacks—Here’s What You Need to Know

Ransomware gangs are implementing new extortion tactics to encourage victims to pay up. Swatting is becoming an increasingly popular tactic. It involves calling law enforcement to falsely report a serious, in-progress crime triggering an extreme response such as an armed raid from the SWAT team. Explore how cybercriminals are using this tactic and what you can do to prevent it from happening to you.​

Smishing Attacks are on the Rise—Here’s How To Keep Your Data Safe

Smishing attacks are on the rise, posing a significant threat to data security. Originating from a blend of SMS and Phishing, these attacks have seen a drastic increase since 2020. The widespread use of smishing attacks has persisted, with a lack of awareness being a major issue. Many view these as simple spam messages, unaware of the danger they pose. This blog aims to raise awareness about smishing and provide actionable insights to protect yourself and your organization.

Experiencing a security breach?

Get immediate assistance from our security operations center! Take the following recommended actions NOW while we get on the case:


  1. Determine which systems were impacted and immediately isolate them. Take the network offline at the switch level or physically unplug the systems from the wired or wireless network.
  2. Immediately take backups offline to preserve them. Scan backups with anti-virus and malware tools to ensure they’re not infected
  3. Initiate an immediate password reset on affected user accounts with new passwords that are no less than 14 characters in length. Do this for Senior Management accounts as well.

Just one more step

Please fill out the following form,