Submission declined on 8 May 2026 by Theroadislong (talk). This draft's references do not show that the subject meets Wikipedia's criteria for inclusion. The draft requires multiple published secondary sources that: provide significant coverage: discuss the subject in detail, not just brief mentions or routine announcements; are reliable: from reputable outlets with editorial oversight; are independent: not connected to the subject, such as interviews, press releases, the subject's own website, or sponsored content. Please add references that meet all three of these criteria. If none exist, the subject is not yet suitable for Wikipedia. If you would like to continue working on the submission, click on the "Edit" tab at the top of the window. If you have not resolved the issues listed above, your draft will be declined again and potentially deleted. If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors. Please do not remove reviewer comments or this notice until the submission is accepted. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Easy tools: Citation bot (help) | Advanced: Fix bare URLs Declined by Theroadislong 29 days ago. Last edited by Theroadislong 29 days ago. Reviewer: Inform author. Resubmit Please note that if the issues are not fixed, the draft will be declined again.

• Comment: Actually NONE of your sources verify the content, please read WP:REFB Theroadislong (talk) 18:19, 8 May 2026 (UTC)

• Comment: 20 cites to https://www.proofpoint.com/uk which are not detailed enough to verify Theroadislong (talk) 18:03, 8 May 2026 (UTC)

SocGholish, also known as FakeUpdates, is a JavaScript-based malware framework and malware loader associated with the cybercriminal threat actor TA569 (also known as *Mustard Tempest* by Microsoft).^[1][2]

First observed in active campaigns by at least 2017, SocGholish is primarily used to deliver secondary malware payloads through social engineering techniques involving fake browser or software update prompts.^[1]

It is most commonly distributed through compromised legitimate websites and functions as an initial access vector for downstream intrusions including ransomware, remote access trojans (RATs), and information-stealing malware.^[3]

---

SocGholish operates as an initial access malware loader rather than a standalone payload. Its primary objective is to compromise users visiting legitimate but infected websites and subsequently deploy additional malicious components after system profiling and victim filtering.^[1]

The malware commonly impersonates update prompts for widely used software, including:

• Google Chrome
• Mozilla Firefox
• Microsoft Edge
• Microsoft Teams
• Legacy Adobe Flash components^[1]

Victims are typically redirected to a fake update page that instructs them to download and execute a file disguised as a legitimate software update.^[1]

---

SocGholish activity is attributed primarily to the cybercriminal group TA569, which is classified as an Initial Access Broker (IAB).^[2] Initial Access Brokers specialize in gaining unauthorized access to victim networks and monetizing that access by selling it to other threat actors, including ransomware operators.^[1]

Microsoft tracks TA569 under the designation Mustard Tempest.^[2]

---

Infections begin with the compromise of legitimate websites, frequently through vulnerable WordPress plugins, outdated content management systems, or stolen administrative credentials.^[1] Attackers inject obfuscated JavaScript into website code.

---

When a victim visits the compromised website, the injected JavaScript executes automatically within the browser and initiates communication with attacker-controlled infrastructure.^[3]

---

SocGholish employs Traffic Distribution Systems (TDS), including infrastructure such as Keitaro and Parrot TDS, to filter and route traffic.^[1]

Victim profiling may include:

• IP reputation
• Geolocation
• Operating system
• Browser type
• Language and referrer metadata^[1]

This ensures that malicious payloads are delivered only to selected targets, typically Windows-based enterprise users.

---

If a victim is deemed a valid target, they are redirected to a fake browser update page designed to imitate legitimate software update interfaces.^[1] The page instructs the user to download and execute a file presented as a critical update.

---

Downloaded files typically include:

• JavaScript files (.js)
• Compressed archives (.zip)
• Disk images (.iso)^[1]

Execution results in system fingerprinting, persistence establishment, and communication with command-and-control (C2) infrastructure.^[3]

---

SocGholish is used to deliver a range of secondary malware, including:

• NetSupport RAT
• AsyncRAT
• RedLine Stealer
• Cobalt Strike framework components
• Ransomware loaders^[1][3]

These payloads are frequently used to facilitate lateral movement and full network compromise.

---

SocGholish is primarily implemented in JavaScript and executed via the Windows Script Host environment.^[1] The malware uses extensive obfuscation techniques, including:

• Base64 encoding
• String manipulation and reversal
• Dynamic variable generation
• Multi-stage execution chains^[1]

---

The malware frequently uses domain shadowing techniques, in which attackers create malicious subdomains under compromised legitimate domains.^[1] This improves legitimacy and helps evade domain-based detection systems.

---

SocGholish relies heavily on Traffic Distribution Systems (TDS) to control infection flow and victim targeting. These systems reduce exposure to researchers and security tooling while maximizing successful infections.^[1]

---

Researchers have identified recurring obfuscated JavaScript patterns in infected websites, including strings such as:

• ndsw
• ndsx

These are frequently associated with Parrot TDS-related campaigns.^[1]

---

Common indicators of compromise (IoCs) include:

• Unexpected browser update prompts
• Download prompts for “browser updates” outside official vendors
• Obfuscated JavaScript injected into webpages
• Suspicious `.js`, `.zip`, or `.iso` files
• Subdomain-based domain shadowing activity
• Outbound connections to unknown or suspicious command-and-control infrastructure^[1]

---

SocGholish has been used in intrusions affecting a wide range of sectors, including:

• Healthcare
• Education
• Government contractors
• Manufacturing
• Small and medium enterprises^[3]

Its reliance on legitimate website compromise significantly increases its effectiveness and makes detection difficult using traditional security controls.

---

Users should be trained to recognize that legitimate browsers do not require manual downloads from websites for updates. Updates should only be installed through official browser mechanisms or trusted vendor websites.^[4]

---

Organizations are advised to deploy Endpoint Detection and Response (EDR) solutions capable of identifying:

• Suspicious script execution
• Windows Script Host abuse
• PowerShell-based staging activity
• Unusual network beaconing^[1]

---

Website administrators should:

• Maintain up-to-date WordPress installations and plugins
• Remove unused or vulnerable extensions
• Monitor file integrity for unauthorized script changes
• Implement Web Application Firewalls (WAFs)^[1]

---

Additional mitigation strategies include:

• DNS filtering
• Script execution restrictions
• Monitoring anomalous outbound traffic patterns^[4]

---