SocGholish, commonly tracked as FakeUpdates, is a JavaScript-based malware delivery framework that has operated since at least 2017 and remained consistently active through 2026. In June 2026, an international law enforcement operation disrupted its infrastructure — taking down over 100 servers and cleaning roughly 15,000 compromised websites — but the framework’s longevity and the ease of redeployment mean defenders cannot assume the threat has passed.

The attack chain starts with a legitimate website. The site has been compromised, usually via a CMS vulnerability or stolen admin credentials, and a JavaScript snippet injected into the page. When a visitor arrives, the injected script fingerprints the user agent, checks whether the visitor has already been served a payload, and displays a fake browser or software update notification. Clicking the notification downloads a .js or .zip file that launches via wscript.exe or powershell.exe, profiles the host, and beacons back to the SocGholish network for a second-stage payload.

Those second-stage payloads have included NETSUPPORT RAT, Cobalt Strike Beacon, WastedLocker, DoppelPaymer, LockBit, and RansomHub. The initial access stage is the point where detection is both feasible and highest value.

Detection Surface 1: Web Proxy / DNS

SocGholish staging domains follow recognisable patterns. The C2 infrastructure uses algorithmically generated subdomains on registered domains, with a common structure of <word>.<word>.<domain>.<tld>. The staging URIs often follow the pattern /<random-chars>/<js-filename>.js and the download content type is text/javascript or application/javascript over HTTP/S.

Proxy log detection — suspicious JavaScript downloads from non-CDN domains:

Look for JavaScript downloads from domains with high-entropy subdomains, no categorisation, or newly registered status. Key signals:

  • Content-Type: application/javascript or application/zip from uncategorised domains
  • File extension .js, .zip, or .msi downloads from domains with registration age under 30 days
  • User-agent strings matching the injected fingerprinting pattern (the JS collects UA info and passes it in the download URI)

KQL — Proxy logs, JavaScript downloads from new/uncategorised domains (Microsoft Defender for Endpoint):

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (".js", ".zip")
| where RemoteUrl !has_any ("cdn.", "static.", "ajax.", "assets.", "fonts.", "googleapis.com", "microsoft.com", "akamai")
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | summarize FirstSeen = min(Timestamp) by RemoteIPAddress
) on RemoteIPAddress
| where FirstSeen > ago(30d)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIPAddress, RemotePort, FirstSeen
| sort by Timestamp desc

Detection Surface 2: Endpoint — wscript / cscript / mshta Execution

The downloaded file is typically a .js file executed via wscript.exe or cscript.exe. On Windows, .js files are associated with Windows Script Host by default, making this execution path unusual for legitimate software but common for this malware.

Sigma rule — wscript.exe or cscript.exe spawned from a browser process:

title: SocGholish FakeUpdates JS Execution via Browser
id: 7c8f3a9d-1b4e-4c5f-8d2a-9e6b0f7a3c1d
status: production
description: Detects wscript.exe or cscript.exe spawned by a browser process, consistent
  with SocGholish drive-by download execution where a .js file is opened via Windows
  Script Host after being downloaded through a browser.
references:
  - https://attack.mitre.org/techniques/T1189/
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: SOC Analyst Hub
date: 2026-06-21
tags:
  - attack.initial_access
  - attack.t1189
  - attack.execution
  - attack.t1059.007
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\iexplore.exe'
      - '\brave.exe'
      - '\opera.exe'
  selection_child:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
  filter_legitimate:
    CommandLine|contains:
      - 'GoogleUpdate'
      - 'MicrosoftEdgeUpdate'
  condition: selection_parent and selection_child and not filter_legitimate
falsepositives:
  - Uncommon but possible from enterprise browser-integrated management tools
level: high

Detection Surface 3: PowerShell Profiling Commands

After initial execution via wscript, SocGholish runs a profiling stage — gathering information about the host, user, domain membership, and installed software before deciding whether to continue or abort. This profiling is distinctive because it uses specific command sequences in rapid succession.

Typical profiling commands observed in SocGholish infections:

cmd.exe /c whoami /all
cmd.exe /c net localgroup administrators
cmd.exe /c net user <username> /domain
cmd.exe /c systeminfo
cmd.exe /c tasklist
wmic csproduct get Name

Sigma rule — SocGholish post-execution profiling sequence:

title: SocGholish Host Profiling Command Sequence
id: 3a7f9c2b-5d8e-4b6a-9c1f-2e5d8a7b4c3e
status: production
description: Detects rapid execution of multiple system profiling commands from a
  scripting host, consistent with SocGholish's post-download enumeration phase.
  The combination of whoami, net user/group, and systeminfo within a short window
  is a high-fidelity indicator.
author: SOC Analyst Hub
date: 2026-06-21
tags:
  - attack.discovery
  - attack.t1033
  - attack.t1082
  - attack.t1069
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
      - '\powershell.exe'
      - '\cmd.exe'
  selection_commands:
    CommandLine|contains:
      - 'whoami'
      - 'net localgroup'
      - 'net user'
      - 'systeminfo'
      - 'tasklist'
  timeframe: 2m
  condition: selection_parent and selection_commands | count() by DeviceId > 3
falsepositives:
  - IT admin scripts that run discovery commands from scripting hosts (uncommon)
level: high

Detection Surface 4: Network Beacon Pattern

SocGholish’s second-stage beacon uses an HTTP GET with a specific URI structure carrying the profiling data. The URI typically takes the form /api/<base64-blob> or a short random path, with the host profile encoded in the URI or headers. JARM fingerprinting has historically identified SocGholish C2 servers, though operators rotate infrastructure frequently.

KQL — Outbound connections from wscript/cscript to internet hosts:

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("wscript.exe", "cscript.exe", "powershell.exe")
| where RemoteIPType == "Public"
| where RemotePort in (80, 443, 8080, 8443)
| summarize ConnectionCount = count(), DistinctURLs = dcount(RemoteUrl), 
    FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
    RemoteURLs = make_set(RemoteUrl, 5)
    by DeviceName, InitiatingProcessFileName, RemoteIPAddress
| where ConnectionCount between (1..10)  // beaconing, not bulk download
| sort by FirstSeen desc

Detection Surface 5: Lateral Movement Post-Profiling

If SocGholish determines the host is domain-joined and meets its target criteria, it proceeds to second-stage delivery. The profiling data is sent to the C2, which decides whether to continue. When it does, the second stage often involves spawning powershell.exe with an encoded download cradle.

Sigma rule — Encoded PowerShell download cradle from scripting host:

title: PowerShell Encoded Download Cradle from Scripting Host
id: 9b2e4f7a-3c6d-5a1b-8e4f-1d7c9b2a5e8f
status: production
description: Detects PowerShell with an encoded or obfuscated command spawned by
  a scripting host. This pattern appears in SocGholish second-stage delivery where
  the initial .js stager launches an encoded PowerShell download cradle to fetch
  Cobalt Strike or other payloads.
author: SOC Analyst Hub
date: 2026-06-21
tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense_evasion
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
  selection_powershell:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-EncodedCommand'
      - '-enc '
      - '-e '
      - 'IEX'
      - 'Invoke-Expression'
      - 'DownloadString'
      - 'DownloadFile'
  condition: selection_parent and selection_powershell
falsepositives:
  - Legitimate software installers that use encoded PowerShell via wscript (rare)
level: critical

Tuning and Context

These rules will generate false positives in environments where scripting hosts are used for legitimate automation. Priority for tuning:

  1. Exclude known management tooling parent processes and their specific command patterns
  2. Allowlist CDN domains and known software update endpoints from proxy detections
  3. Correlate endpoint alerts with proxy logs — a true SocGholish infection will have both a .js download from an uncategorised domain and subsequent scripting host process execution within a short window
  4. Add the downloading browser process as context — if the user’s browser hit an uncategorised site in the two minutes before wscript.exe launched, confidence increases substantially

The June 2026 law enforcement operation removed the existing SocGholish infrastructure but did not eliminate the framework itself. New infrastructure was assessed as likely to appear within weeks. Detections based on execution behaviour rather than IOCs will remain effective regardless of infrastructure changes.