Skip to content
Vol. 1 · Ed. 2026
CyberGlossary
日本語
Entry № 1181

SocGholish

SocGholish とは何ですか?

SocGholishA JavaScript-based fake-browser-update loader operated by TA569, served from thousands of compromised WordPress sites and used as the initial-access stage for ransomware affiliates including Evil Corp and BlackCat.

SocGholish (a Proofpoint name; also called FakeUpdates) is a JavaScript-based malware framework operated by the threat actor TA569, in continuous activity since 2018 and one of the most prolific initial-access vectors of 2023–2025. Operators compromise WordPress and other CMS-hosted sites at scale via plug-in vulnerabilities or credential reuse, then inject a small loader that profiles the visitor and, for matching targets, redirects to a fake browser-update page (Chrome, Firefox, Edge, Safari) hosting a malicious ZIP. The ZIP contains a JavaScript that fingerprints the host, optionally drops a stealer (NetSupport RAT, AsyncRAT, info-stealers), or hands off to ransomware affiliates including Evil Corp (WastedLocker, LockBit, BlackBasta) and BlackCat. SocGholish increasingly chains with ClickFix-style instructions in 2024–2025, asking the victim to paste a PowerShell command from the fake-update page. Defenses include browser-update warnings (modern browsers update silently and never display in-page update prompts), web-filtering on sites known to be SocGholish-served, blocking JavaScript execution from user-downloaded ZIPs, and EDR rules on the loader's PowerShell stages.

  1. 01

    A user visits a compromised WordPress recipe blog; SocGholish profiles the browser and serves a `chrome_update.js` payload that drops NetSupport RAT.

  2. 02

    A ransomware affiliate receives access from TA569 a few days after an initial SocGholish loader infection and deploys BlackBasta the following week.

よくある質問

SocGholish とは何ですか?

A JavaScript-based fake-browser-update loader operated by TA569, served from thousands of compromised WordPress sites and used as the initial-access stage for ransomware affiliates including Evil Corp and BlackCat. サイバーセキュリティの マルウェア カテゴリに属します。

SocGholish とはどういう意味ですか?

A JavaScript-based fake-browser-update loader operated by TA569, served from thousands of compromised WordPress sites and used as the initial-access stage for ransomware affiliates including Evil Corp and BlackCat.

SocGholish はどのように機能しますか?

SocGholish (a Proofpoint name; also called FakeUpdates) is a JavaScript-based malware framework operated by the threat actor TA569, in continuous activity since 2018 and one of the most prolific initial-access vectors of 2023–2025. Operators compromise WordPress and other CMS-hosted sites at scale via plug-in vulnerabilities or credential reuse, then inject a small loader that profiles the visitor and, for matching targets, redirects to a fake browser-update page (Chrome, Firefox, Edge, Safari) hosting a malicious ZIP. The ZIP contains a JavaScript that fingerprints the host, optionally drops a stealer (NetSupport RAT, AsyncRAT, info-stealers), or hands off to ransomware affiliates including Evil Corp (WastedLocker, LockBit, BlackBasta) and BlackCat. SocGholish increasingly chains with ClickFix-style instructions in 2024–2025, asking the victim to paste a PowerShell command from the fake-update page. Defenses include browser-update warnings (modern browsers update silently and never display in-page update prompts), web-filtering on sites known to be SocGholish-served, blocking JavaScript execution from user-downloaded ZIPs, and EDR rules on the loader's PowerShell stages.

SocGholish からどのように防御しますか?

SocGholish に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

SocGholish の別名は何ですか?

一般的な別名: FakeUpdates, TA569。

関連用語