In early 2025, security analysts at Darktrace observed a significant evolution in the SocGholish loader’s operational capabilities, with its deployment now directly facilitating RansomHub ransomware activity.
SocGholish, a JavaScript-based loader active since 2017 and notorious for distributing malicious payloads via fake browser updates, has been adapted to serve as a highly effective enabler for credential theft and lateral movement within enterprise environments.
Most notably, threat actors are abusing legacy protocols, including Web Distributed Authoring and Versioning (WebDAV) and Shell Command File (SCF) interactions over Server Message Block (SMB), to harvest authentication credentials and pave the way for ransomware deployment.
Infection Chain and Initial Access
Attackers gain initial access by injecting malicious JavaScript into vulnerable websites, often built on outdated or poorly secured content management systems like WordPress.

Victims redirected to these compromised sites are served counterfeit browser update prompts, resulting in the download and execution of a ZIP file containing the SocGholish loader.
This infection sequence was observed with the watering-hole compromise of garagebevents[.]com (IP: 35.203.175[.]30), from which victims downloaded the initial payload.
Within milliseconds, the compromised host established multiple HTTPS sessions with Keitaro Traffic Distribution System (TDS) infrastructure, primarily at 176.53.147[.]97 (supporting domains such as packedbrick[.]com and blacksaltys[.]com), which delivered the final-stage loader from virtual.urban-orthodontics[.]com.
SocGholish is engineered for stealth, leveraging obfuscated code and TDS redirection to mask its malicious origins.
Its loader fetches secondary payloads, including Python-based backdoors, supporting long-term persistence and facilitating further exploitation.
Credential Access: WebDAV and SCF File Abuse
A major innovation of this campaign is its dual-pronged credential theft approach, leveraging both WebDAV protocol abuse and SCF file deployment.
In the first technique, compromised hosts automatically issue authentication attempts, specifically NTLM hashes, via WebDAV to external, adversary-controlled endpoints (e.g., 161.35.56[.]33).
These requests rely on default Windows behavior: an outbound connection to a WebDAV share prompts NTLM authentication, handing over hashed credentials for potential offline cracking, even in cases where the session fails.
The second tactic involves the distribution of SCF files internally. Attackers deploy a crafted ‘Thumbs.scf’ file across SMB network shares.

When internal users browse affected directories, their systems automatically attempt to retrieve an icon file from the attacker’s UNC path, again leaking NTLM hashes.
According to Darktrace, this “forced authentication” requires no direct user interaction beyond navigation, making it a highly effective means for credential harvesting at scale.
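The 'Thumbs.scf' forced-authentication pattern described above can be caught at rest: an SCF file is INI-shaped, and its IconFile value names the host that Explorer will authenticate to when the directory is browsed. The scanner below is an added example, not Darktrace's or the campaign's code; the two sample files, the 198.51.100.7 icon host and the fileserver01 allow-list entry are constructed for illustration.

```python
import configparser
import ipaddress
import os

# Constructed samples: a benign desktop-toggle SCF and one modelled on the 'Thumbs.scf'
# pattern described above, whose IconFile points at a host outside the organisation.
SAMPLE_BENIGN = "[Shell]\nCommand=2\nIconFile=C:\\Windows\\explorer.exe,3\n[Taskbar]\nCommand=ToggleDesktop\n"
SAMPLE_SUSPICIOUS = "[Shell]\nCommand=2\nIconFile=\\\\198.51.100.7\\share\\icon.ico\n[Taskbar]\nCommand=ToggleDesktop\n"
SAMPLE_SHARE = {"Desktop.scf": SAMPLE_BENIGN, r"Finance\Thumbs.scf": SAMPLE_SUSPICIOUS}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_icon_host(scf_text):
    """Return the UNC host named by IconFile, or None when the icon path is local."""
    cfg = configparser.RawConfigParser(strict=False)  # SCF files are INI-shaped
    try:
        cfg.read_string(scf_text)
    except configparser.Error:
        return None
    icon = cfg.get("Shell", "IconFile", fallback="").strip()
    if not icon.startswith("\\\\"):
        return None  # local icon: Explorer has no reason to authenticate to a server
    return icon[2:].split("\\", 1)[0].split(",")[0] or None

def is_untrusted(host, internal_hosts=()):
    # Trust only known internal names and RFC 1918 addresses; anything else would receive NTLM.
    if host.lower() in {h.lower() for h in internal_hosts}:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # external or unknown hostname
    return not any(addr in net for net in RFC1918)

def iter_scf_files(root):
    # Yield (path, text) for every .scf under a mounted share; this is the real input to scan_files.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".scf"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    yield path, fh.read()

def scan_files(files, internal_hosts=()):
    # files: iterable of (path, text). Report each SCF that fetches its icon from an untrusted host.
    return [{"path": p, "icon_host": h} for p, t in files
            if (h := parse_icon_host(t)) and is_untrusted(h, internal_hosts)]

if __name__ == "__main__":
    import sys  # usage: python scf_scan.py /mnt/share fileserver01 [more trusted hosts]
    print(scan_files(iter_scf_files(sys.argv[1]), sys.argv[2:]))
```

Run against the constructed share with `scan_files(SAMPLE_SHARE.items(), ["fileserver01"])` to see only Finance\Thumbs.scf reported; Desktop.scf is ignored because its icon is a local file.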
Compromised devices are observed initiating outbound encrypted sessions on both standard and non-standard ports, including ephemeral ranges such as 2308, 2311, and 2313, to C2 nodes associated with RansomHub affiliates.
This port-hopping technique is designed to evade detection by circumventing traditional firewall and intrusion detection policies focused on common HTTP/HTTPS traffic.
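Two of the behaviours described above leave a signature in plain connection telemetry: the NTLM egress over SMB to an external host, and one internal host opening sessions to a single external host across several non-standard ports. The detector below is an added example, not Darktrace's code; the flow records are constructed, with 203.0.113.x standing in for adversary infrastructure and the column layout (ts, src, dst, dport, proto) assumed. The WebDAV side of the credential leak travels over ordinary HTTP ports and needs proxy logs (PROPFIND/OPTIONS requests) rather than flows, so it is not covered here.

```python
import csv
import io
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
COMMON_WEB_PORTS = {80, 443}

# Constructed flow records, not real telemetry. 10.1.4.22 models the compromised host; the
# 2308/2311/2313 ports mirror the non-standard ports reported in the article.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2025-03-01T09:00:01Z,10.1.4.22,10.1.4.5,445,tcp
2025-03-01T09:00:03Z,10.1.4.22,203.0.113.9,445,tcp
2025-03-01T09:00:04Z,10.1.4.22,203.0.113.9,80,tcp
2025-03-01T09:05:10Z,10.1.4.22,203.0.113.44,443,tcp
2025-03-01T09:05:11Z,10.1.4.22,203.0.113.44,2308,tcp
2025-03-01T09:05:13Z,10.1.4.22,203.0.113.44,2311,tcp
2025-03-01T09:05:15Z,10.1.4.22,203.0.113.44,2313,tcp
2025-03-01T09:06:00Z,10.1.4.23,203.0.113.80,443,tcp
"""

def is_external(ip):
    # Anything outside RFC 1918 space is treated as external to the organisation.
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def detect(flow_text, hop_threshold=3):
    """Return alerts for SMB egress to external hosts and multi-port sessions to one external host."""
    alerts = []
    ports_by_pair = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_text)):
        dport = int(row["dport"])
        if not is_external(row["dst"]):
            continue  # internal SMB between peers is expected; only egress is interesting
        if dport == 445:
            alerts.append(("smb_egress", row["src"], row["dst"], dport))
        if dport not in COMMON_WEB_PORTS:
            ports_by_pair[(row["src"], row["dst"])].add(dport)
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= hop_threshold:  # same pair, several unusual ports: port hopping
            alerts.append(("port_hopping", src, dst, tuple(sorted(ports))))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The second host, 10.1.4.23, produces no alert because a single HTTPS session to an external address is normal web traffic; the rules fire only on SMB leaving the network or on repeated unusual ports to one destination.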
The observed infrastructure points to active coordination between SocGholish operators and RansomHub, enabling streamlined deployment of ransomware following credential theft and lateral movement.
The integration of SocGholish with RansomHub operations marks a shift in ransomware affiliate tactics, emphasizing early-stage credential access and stealthy lateral movement through legacy Windows protocols.
By combining WebDAV and SCF abuse, attackers efficiently harvest credentials before ransomware detonation, complicating network defense and remediation efforts.
Security teams are urged to monitor for anomalous authentication events, audit exposure to legacy protocols, and act decisively on emerging indicators of compromise linked to these campaigns.
Indicators of Compromise (IoC)
Indicator | IP Address | Description |
---|---|---|
garagebevents[.]com | 35.203.175[.]30 | Compromised website |
packedbrick[.]com | 176.53.147[.]97 | Keitaro TDS domain (SocGholish delivery) |
rednosehorse[.]com | 176.53.147[.]97 | Keitaro TDS domain (SocGholish delivery) |
blackshelter[.]org | 176.53.147[.]97 | Keitaro TDS domain (SocGholish delivery) |
blacksaltys[.]com | 176.53.147[.]97 | Keitaro TDS domain (SocGholish delivery) |
virtual.urban-orthodontics[.]com | 185.76.79[.]50 | Loader distribution endpoint |
msbdz.crm.bestintownpro[.]com | 166.88.182[.]126 | SocGholish C2 |
files.pythonhosted[.]org | 151.101.1[.]223 | Possible Python backdoor download |
185.174.101[.]240 | 185.174.101[.]240 | RansomHub Python C2 |
185.174.101[.]69 | 185.174.101[.]69 | RansomHub Python C2 |
108.181.182[.]143 | 108.181.182[.]143 | RansomHub Python C2 |
161.35.56[.]33 | 161.35.56[.]33 | WebDAV/SCF credential harvesting endpoint |