SocGholish
SocGholish, also known as FakeUpdates, is an e-crime initial access threat actor/service that uses compromised websites and fake browser update lures to trick users into executing malicious JavaScript. The activity is commonly associated with drive-by compromise and fake update prompts masquerading as browser or software updates, using lure names such as AutoUpdater.js, Update.js, and download.js, homoglyph variants such as Uрdate.js, and ZIP archives such as Сhrome.Updаte.zip and UрdateInstаller.zip. After execution, the JavaScript payload performs host reconnaissance, reports host details to SocGholish infrastructure, and can retrieve additional malware. Reporting indicates that many infections do not progress beyond reconnaissance, suggesting selective follow-on targeting.

Reporting describes SocGholish as a leading initial access vector in 2025 and a top JavaScript downloader enabling ransomware deployments via drive-by downloads on compromised websites. It has been associated with delivery of NetSupport RAT, Cobalt Strike, Mimikatz, Blister, RomCom payloads, Mythic Agent, MintsLoader, GhostWeaver-related chains, StealC, modified BOINC clients, and in some cases ransomware. RansomHub partnered with SocGholish in Q1 2025 to deliver ransomware attacks, including against U.S. government organizations and some banking and consulting organizations, with attacks also occurring in Japan and Taiwan. One highlighted 2024 cluster involved installation of Python 3.12.0 for persistence, browser credential theft from Chrome and Edge, NTLM hash harvesting via forced authentication, and activity that in some cases reportedly led to RansomHub ransomware. SocGholish operators were early adopters of MintsLoader, adopting it around July 2024 as an alternative delivery chain. KongTuke, an initial access broker/traffic distribution system, has also been reported to sell infections to SocGholish.

Additional reporting links SocGholish to malicious PowerShell and JavaScript activity affecting government organizations, and to PowerShell-based modification of Outlook signature files to embed remotely hosted images that could trigger credential-hash leakage when recipients open emails. Aliases supported by the reporting: SocGholish, FakeUpdates.
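As an added defensive example (not code from the original reporting or from Mallory), a small Python filter that folds common Cyrillic and Greek look-alike letters to Latin and checks a downloaded filename against the lure names listed above; the confusable table and the sample filenames are constructed for this illustration.

```python
import unicodedata

# Lure basenames reported for SocGholish fake-update campaigns (taken from the summary above).
KNOWN_LURES = {"autoupdater.js", "update.js", "download.js",
               "chrome.update.zip", "updateinstaller.zip"}

# Constructed, deliberately small table of Cyrillic/Greek letters that render like Latin ones.
# Extend it from the Unicode confusables data for production use.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0421": "C", "\u0415": "E", "\u041e": "O", "\u0420": "P",
    "\u0425": "X", "\u0422": "T", "\u041c": "M", "\u041d": "H", "\u0412": "B",
    "\u041a": "K", "\u0391": "A", "\u0392": "B", "\u039f": "O", "\u03a1": "P",
}

def skeleton(name):
    """Fold look-alike letters to Latin; return (folded_name, list_of_replaced_chars)."""
    folded, swapped = [], []
    for ch in unicodedata.normalize("NFKC", name):  # NFKC also folds fullwidth Latin forms
        if ch in CONFUSABLES:
            swapped.append(ch)
            folded.append(CONFUSABLES[ch])
        else:
            folded.append(ch)
    return "".join(folded), swapped

def classify_filename(name):
    """Return a verdict for one downloaded filename plus the folded form used for matching."""
    folded, swapped = skeleton(name)
    canonical = folded.lower()
    in_lure_set = canonical in KNOWN_LURES
    if in_lure_set and swapped:
        verdict = "homoglyph_lure"      # known lure name spelled with non-Latin letters
    elif in_lure_set:
        verdict = "known_lure_name"     # exact lure name; review where it was downloaded from
    elif swapped:
        verdict = "mixed_script"        # look-alike letters present but not a known lure name
    else:
        verdict = "benign"
    return {"input": name, "canonical": canonical,
            "substituted": swapped, "verdict": verdict}

if __name__ == "__main__":
    # Constructed samples; the Cyrillic letters are written as escapes so they are visible.
    samples = ["U\u0440date.js", "\u0421hrome.Upd\u0430te.zip",
               "U\u0440dateInst\u0430ller.zip", "AutoUpdater.js", "quarterly-report.pdf"]
    for s in samples:
        r = classify_filename(s)
        print(f"{r['verdict']:16} {r['canonical']:22} "
              f"substituted={[hex(ord(c)) for c in r['substituted']]}")
```

Feed it the basename from browser download logs or EDR file-creation events; a `homoglyph_lure` or `mixed_script` verdict on a .js or .zip download is worth an alert on its own.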
Tradecraft
16 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Observables
4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Early adopter of MintsLoader, using drive-by compromise via fake browser update overlays on compromised websites to deliver MintsLoader instead of its native payload chain.
Referenced as a threat whose fake update lures served as a model or precursor for later activity clusters such as Scarlet Goldfinch.
Referenced as another initial access broker/customer receiving infections from KongTuke.
JavaScript-based downloader used as an initial access vector for ransomware and RATs, delivered via drive-by downloads and compromised websites.