Operation Endgame vs. SocGholish Fake Updates
· Published 18/06/2026 16:53
Essential information
- Published: 18/06/2026 16:53
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: bumblebee, danabot, domain shadowing, doppelpaymer, evilcorp, fake updates, hades, icedid, initial access broker, lockbit, operation endgame, pikabot, qakbot, ransomhub, rhadamanthys, smokeloader, socgholish, traffic distribution system, trickbot, venomrat, wastedlocker, wordpress compromise
- Related entities: 12 indicators, 12 observables, 1 intrusion set (APT), 18 techniques (MITRE), 17 malware
Description
A multinational law enforcement operation called Operation Endgame has successfully disrupted SocGholish, a malware framework operated by threat actor TA569 since 2017. The operation took down 106 servers and domains and remediated nearly 15,000 compromised WordPress websites. SocGholish uses fake browser update prompts on compromised websites to trick victims into downloading malicious JScript payloads, providing initial access to corporate networks for ransomware deployment and data breaches. Analysis revealed that 55% of Infoblox cloud customers were exposed to SocGholish in 2026, demonstrating widespread impact across multiple industries including government, education, and healthcare. The framework employs domain shadowing techniques and operates through a four-stage attack chain involving traffic acquisition, filtering, fake update lures, and on-device implant execution. SocGholish infrastructure has facilitated access for various ransomware families and has been extensively used by the notorious Evi...
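The report's indicator list is a textbook illustration of the domain shadowing it describes: every hostname is a plausible-looking service subdomain (billing., api-app., pa-portal.) hung off an unrelated small-business apex domain whose DNS the operator controls. The following Python is an added example, not code from the report, AlienVault, Infoblox or the law-enforcement operation. It takes the 12 hostnames from this page, runs them against a constructed resolver log in an assumed "timestamp client qname A answer" format (the client IPs, answers and benign hostnames are made up), and then applies two heuristics a practitioner would use to find shadowed hosts that are not yet on an indicator list: a subdomain resolving to an address the owner's own apex/www never uses, and one answer IP fronting subdomains of several unrelated apexes. The apex extraction is a deliberate simplification (last two labels) and should be replaced with a Public Suffix List lookup in production.

```python
"""Added example: match DNS logs against the report's SocGholish hostnames and
flag likely domain-shadowing subdomains. Not the report's or Infoblox's code."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# The 12 indicator hostnames listed in the report.
SOCGHOLISH_HOSTS = frozenset({
    "app-front.anmaradigital.com", "billing.roofnrack.us",
    "platform.exathomeswebuyarizona.com", "samples.addisgraphix.com",
    "shop.steadycompanion.com", "promo.summat10n.org",
    "storehouse.beautysupplysalonllc.com", "devel.asurans.com",
    "api-app.uppercrafteroom.com", "pa-portal.benningtonspringsmhp.com",
    "trademark.iglesiaelarca.com", "content.garretttrails.org",
})

# Constructed sample resolver log in an assumed format; IPs are documentation
# ranges and example.com is a benign control. Not real telemetry.
SAMPLE_LOG = """\
2026-06-18T09:12:01Z 10.0.4.21 www.roofnrack.us A 203.0.113.10
2026-06-18T09:12:02Z 10.0.4.21 roofnrack.us A 203.0.113.10
2026-06-18T09:12:05Z 10.0.4.21 billing.roofnrack.us A 198.51.100.77
2026-06-18T09:13:10Z 10.0.7.3 garretttrails.org A 203.0.113.44
2026-06-18T09:13:11Z 10.0.7.3 content.garretttrails.org A 198.51.100.77
2026-06-18T09:14:00Z 10.0.9.8 shop.example.com A 192.0.2.5
2026-06-18T09:14:01Z 10.0.9.8 www.example.com A 192.0.2.5
2026-06-18T09:15:30Z 10.0.4.21 Promo.Summat10n.org. A 198.51.100.78
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")


@dataclass(frozen=True)
class Query:
    ts: str
    client: str
    qname: str
    answer: str


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so matching is exact."""
    return name.lower().rstrip(".")


def parse_log(text: str) -> list[Query]:
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines not in the assumed format
        ts, client, qname, answer = m.groups()
        queries.append(Query(ts, client, normalize(qname), answer))
    return queries


def apex(host: str) -> str:
    # Simplification: last two labels. Use the Public Suffix List for real
    # data, or co.uk / com.au style domains will be grouped wrongly.
    return ".".join(host.split(".")[-2:])


def match_indicators(queries: list[Query], indicators=SOCGHOLISH_HOSTS) -> list[Query]:
    """Exact hostname matches against the report's indicator list."""
    return [q for q in queries if q.qname in indicators]


def shadowing_candidates(queries: list[Query]) -> list[tuple[str, str]]:
    """Subdomains resolving to an IP the owner's apex/www never resolves to.
    Apexes with no observed baseline are skipped rather than guessed at."""
    baseline: dict[str, set[str]] = defaultdict(set)
    subhosts: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for q in queries:
        a = apex(q.qname)
        if q.qname in (a, "www." + a):
            baseline[a].add(q.answer)
        else:
            subhosts[a].add((q.qname, q.answer))
    out = []
    for a, pairs in subhosts.items():
        if not baseline[a]:
            continue
        out.extend(p for p in pairs if p[1] not in baseline[a])
    return sorted(out)


def shared_infrastructure(queries: list[Query]) -> dict[str, set[str]]:
    """Answer IPs that front hostnames under two or more unrelated apexes,
    a common footprint of a traffic distribution system."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    for q in queries:
        by_ip[q.answer].add(apex(q.qname))
    return {ip: apexes for ip, apexes in by_ip.items() if len(apexes) > 1}


if __name__ == "__main__":
    qs = parse_log(SAMPLE_LOG)
    print("indicator hits:", sorted({q.qname for q in match_indicators(qs)}))
    print("shadowing candidates:", shadowing_candidates(qs))
    print("shared answer IPs:", shared_infrastructure(qs))
```

On the constructed log the exact-match check catches three hosts, including the mixed-case trailing-dot query; the baseline heuristic independently flags billing.roofnrack.us and content.garretttrails.org but not promo.summat10n.org (no apex baseline was seen) or shop.example.com (it shares its IP with www); and the shared-IP pivot shows 198.51.100.77 serving both flagged apexes. Indicator lists age quickly after a takedown of this size, so the two heuristics are the part worth keeping in a detection pipeline.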
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Indicators (12)
- app-front.anmaradigital.com
- billing.roofnrack.us
- platform.exathomeswebuyarizona.com
- samples.addisgraphix.com
- shop.steadycompanion.com
- promo.summat10n.org
- storehouse.beautysupplysalonllc.com
- devel.asurans.com
- api-app.uppercrafteroom.com
- pa-portal.benningtonspringsmhp.com
- trademark.iglesiaelarca.com
- content.garretttrails.org
Observables (12)
- platform.exathomeswebuyarizona.com
- content.garretttrails.org
- billing.roofnrack.us
- shop.steadycompanion.com
- trademark.iglesiaelarca.com
- devel.asurans.com
- samples.addisgraphix.com
- app-front.anmaradigital.com
- promo.summat10n.org
- storehouse.beautysupplysalonllc.com
- api-app.uppercrafteroom.com
- pa-portal.benningtonspringsmhp.com
Intrusion sets (APT) (1)
- Source: The MITRE Corporation · Confidence 100
  [Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access …
  Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
Techniques (MITRE) (18)
- Security Software Discovery
- Permission Groups Discovery
- Masquerading
- JavaScript
- Virtual Private Server
- Web Protocols
- Malicious File
- Scheduled Task
- Obfuscated Files or Information
- Exfiltration to Cloud Storage
- Domains
- Account Discovery
- Registry Run Keys / Startup Folder
- Standard Encoding
- System Owner/User Discovery
- Drive-by Compromise
- File and Directory Discovery
- System Information Discovery
Malware (17)