SocGholish.

A JavaScript-based fake-browser-update loader operated by TA569, served from thousands of compromised WordPress sites and used as the initial-access stage for ransomware affiliates including Evil Corp and BlackCat. 它属于网络安全的 恶意软件 分类。

A JavaScript-based fake-browser-update loader operated by TA569, served from thousands of compromised WordPress sites and used as the initial-access stage for ransomware affiliates including Evil Corp and BlackCat.

SocGholish (a Proofpoint name; also called FakeUpdates) is a JavaScript-based malware framework operated by the threat actor TA569, in continuous activity since 2018 and one of the most prolific initial-access vectors of 2023–2025. Operators compromise WordPress and other CMS-hosted sites at scale via plug-in vulnerabilities or credential reuse, then inject a small loader that profiles the visitor and, for matching targets, redirects to a fake browser-update page (Chrome, Firefox, Edge, Safari) hosting a malicious ZIP. The ZIP contains a JavaScript that fingerprints the host, optionally drops a stealer (NetSupport RAT, AsyncRAT, info-stealers), or hands off to ransomware affiliates including Evil Corp (WastedLocker, LockBit, BlackBasta) and BlackCat. SocGholish increasingly chains with ClickFix-style instructions in 2024–2025, asking the victim to paste a PowerShell command from the fake-update page. Defenses include browser-update warnings (modern browsers update silently and never display in-page update prompts), web-filtering on sites known to be SocGholish-served, blocking JavaScript execution from user-downloaded ZIPs, and EDR rules on the loader's PowerShell stages.

针对 SocGholish 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: FakeUpdates, TA569。