SocGholish.

A JavaScript-based fake-browser-update loader operated by TA569, served from thousands of compromised WordPress sites and used as the initial-access stage for ransomware affiliates including Evil Corp and BlackCat. It belongs to the Malware category of cybersecurity.

A JavaScript-based fake-browser-update loader operated by TA569, served from thousands of compromised WordPress sites and used as the initial-access stage for ransomware affiliates including Evil Corp and BlackCat.

SocGholish (a Proofpoint name; also called FakeUpdates) is a JavaScript-based malware framework operated by the threat actor TA569, in continuous activity since 2018 and one of the most prolific initial-access vectors of 2023–2025. Operators compromise WordPress and other CMS-hosted sites at scale via plug-in vulnerabilities or credential reuse, then inject a small loader that profiles the visitor and, for matching targets, redirects to a fake browser-update page (Chrome, Firefox, Edge, Safari) hosting a malicious ZIP. The ZIP contains a JavaScript that fingerprints the host, optionally drops a stealer (NetSupport RAT, AsyncRAT, info-stealers), or hands off to ransomware affiliates including Evil Corp (WastedLocker, LockBit, BlackBasta) and BlackCat. SocGholish increasingly chains with ClickFix-style instructions in 2024–2025, asking the victim to paste a PowerShell command from the fake-update page. Defenses include browser-update warnings (modern browsers update silently and never display in-page update prompts), web-filtering on sites known to be SocGholish-served, blocking JavaScript execution from user-downloaded ZIPs, and EDR rules on the loader's PowerShell stages.

Defences for SocGholish typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: FakeUpdates, TA569.