TA0569

TA0569, also known as GOLD PRELUDE, is a financially motivated initial access broker. The provided content attributes a 2026-03-02 SocGholish (FakeUpdates) campaign wave to TA0569 with high confidence and states that the actor sells footholds to other threat actors, including Evil Corp affiliates and other ransomware operators. SocGholish has been active since at least 2017 according to the content. In the described operation, TA0569 used injected stage-1 JavaScript on compromised legitimate websites to load attacker-controlled scripts from malicious subdomains. The infrastructure performed browser fingerprinting and evaluated operating system, browser, plugins, and likely IP reputation before serving fake browser update lures. The fake update stage delivered ZIP archives containing .js or .lnk files for user execution via WScript. The content states that second-stage payloads historically associated with SocGholish include Cobalt Strike, NetSupport RAT, and Python-based backdoors. The campaign used 11 stage-1 JavaScript injectors across six C2 domains and infrastructure hosted in Panama, the United States, and Canada. The investigation identified four compromised organizations and noted certificate issuance patterns indicating DNS-level control over some victim domains, including wildcard certificates issued shortly before launch. The content also states that known downstream relationships for TA0569 include Evil Corp, also referred to as Indrik Spider, using WastedLocker and Hades ransomware, as well as other affiliates using Cobalt Strike and NetSupport RAT.