
RansomHub Ransomware Unleashes Malware to Compromise Corporate Networks


Security analysts at eSentire’s Threat Response Unit (TRU) discovered a highly coordinated cyberattack involving the SocGholish (also known as FakeUpdates) malware, with direct ties to the RansomHub ransomware-as-a-service (RaaS) syndicate.

RansomHub, which has rapidly gained notoriety since its emergence in 2024, operates as a criminal enterprise on the Russian Anonymous Market Place (RAMP), targeting high-value organizations and enabling affiliates with advanced attack toolkits.

This latest campaign highlights the complex technical strategies employed to breach corporate networks and plant advanced persistent malware.

Sophisticated Infection Chain Targets Enterprises via SocGholish

The initial infection vector was traced to a compromised WordPress website, “butterflywonderland[.]com,” which enticed victims to download a bogus Microsoft Edge update.

Infection chain

The downloaded file, “Update.zip,” contained a malicious JScript loader (“Update.js”) designed to communicate with a SocGholish-controlled command-and-control (C2) server.

Upon execution, the script exfiltrated key system metadata (domain, user and computer names, and processor details) over HTTP POST requests.

This reconnaissance not only enables threat actors to profile viable targets, but also helps them avoid detection by honeypots and sandbox environments.

To further map the victim’s environment, SocGholish leveraged Living-off-the-Land Binaries (LOLBins), including net.exe and systeminfo, to harvest network connection data and system details.

The attackers also executed PowerShell commands to enumerate Active Directory servers and exfiltrate browser credential stores from both Microsoft Edge and Google Chrome.

Notably, they extracted cryptographic keys required to decrypt saved credentials, cookies, and payment data, enabling comprehensive credential theft.

Python-Based Backdoor Enables Stealthy Lateral Movement and Credential Theft

Approximately 6.5 minutes after initial contact with the C2, SocGholish retrieved a secondary payload: a ZIP archive housing a Python-based backdoor.

Python backdoor main function

The deployment utilized a series of PowerShell and batch commands, including renaming the archive, unpacking it via tar, and scheduling its execution through Windows Task Scheduler.

The unpacked directory contained the obfuscated backdoor (“fcrapvim.pyz”) alongside necessary socket and cryptographic modules.
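As an added defensive example (not code from the eSentire report or this article), the following Python sketch correlates the chain stages described above, the LOLBin reconnaissance spawned from a script host and the tar unpack plus scheduled-task persistence for the .pyz backdoor, across constructed Sysmon-style process-creation events; the hostnames, user paths, timestamps and task name are invented, and only the "fcrapvim.pyz" filename comes from the article.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Sysmon-style process-creation events (sample data, not from the report).
EVENTS = [
    {"host": "ws01", "ts": "2025-05-01T10:00:00", "parent": "explorer.exe", "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\jdoe\Downloads\Update\Update.js"'},
    {"host": "ws01", "ts": "2025-05-01T10:01:10", "parent": "wscript.exe", "image": "net.exe",
     "cmd": "net.exe view"},
    {"host": "ws01", "ts": "2025-05-01T10:06:30", "parent": "powershell.exe", "image": "tar.exe",
     "cmd": r"tar.exe -xf C:\Users\jdoe\AppData\Local\Temp\pkg.zip -C C:\Users\jdoe\AppData\Local\Temp\pkg"},
    {"host": "ws01", "ts": "2025-05-01T10:06:35", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\jdoe\AppData\Local\Temp\pkg\fcrapvim.pyz"'},
    # Lone systeminfo run by an administrator from cmd.exe: should not contribute a stage.
    {"host": "ws02", "ts": "2025-05-01T11:00:00", "parent": "cmd.exe", "image": "systeminfo.exe",
     "cmd": "systeminfo"},
]

USER_PATH = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
RECON_BINS = {"net.exe", "net1.exe", "systeminfo.exe", "whoami.exe", "nltest.exe"}

def stage_of(ev):
    """Map one process event to a chain stage, or None if it matches no rule."""
    img, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"].lower()
    if img in {"wscript.exe", "cscript.exe"} and ".js" in cmd and USER_PATH.search(cmd):
        return "js_loader"          # fake-update JScript run from a user-writable path
    if img in RECON_BINS and parent in SCRIPT_HOSTS:
        return "lolbin_recon"       # recon LOLBin spawned by a script host, not a shell
    if img == "tar.exe" and USER_PATH.search(cmd):
        return "tar_unpack"         # archive unpacked via built-in tar into a user path
    if img == "schtasks.exe" and "/create" in cmd and ".pyz" in cmd and USER_PATH.search(cmd):
        return "sched_task"         # scheduled task pointing at a .pyz in a user path
    return None

def correlate(events, window_minutes=15):
    """Alert per host when two or more distinct stages land within the time window."""
    hits = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        stages = {s for _, s in seq}
        span_min = (seq[-1][0] - seq[0][0]).total_seconds() / 60
        if len(stages) >= 2 and span_min <= window_minutes:
            alerts[host] = sorted(stages)
    return alerts
```

Running `correlate(EVENTS)` flags only ws01, where the loader, recon, unpack and persistence stages all fall inside one 15-minute window; the isolated systeminfo on ws02 stays silent.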

The backdoor’s execution sequence reveals a sophisticated multi-stage decryption process.

A large, encrypted payload is passed to a decryption routine (“pc_start”), which checks for virtual machine artifacts and debugging attempts to evade analysis.

The next stages employ a chain of cryptographic operations (Base85 decoding, AES-256-GCM, AES-128-CTR, ChaCha20, and a Blake3-driven HKDF/XOR step), followed by ZLIB decompression, to dynamically decrypt and execute further malicious code layers.

This modular encryption pipeline complicates reverse engineering efforts and reinforces operator stealth.

Once installed, the backdoor initiates outbound connections to an attacker-owned server (notably, IP “38.146.28[.]93”), granting the threat actors a full-featured SOCKS proxy into the victim’s network.

According to the eSentire report, this access allows for stealthy lateral movement, further reconnaissance, data exfiltration, and, ultimately, ransomware deployment against high-value assets.

The arsenal enables operators to tunnel malicious traffic, orchestrate internal pivots, and maintain persistent, covert access.

The campaign underscores the escalating technical sophistication of RaaS ecosystems like RansomHub, which continuously evolve infection chains and custom backdoors to bypass security controls and maximize monetization through targeted extortion.

Organizations are urged to strengthen endpoint detection, monitor for LOLBin abuse, and bolster credential hygiene to mitigate these threats.

Regular user awareness training and multi-layered defense strategies remain essential as adversaries continue to automate and streamline corporate compromise with unprecedented agility.
