SYMBOLCOMMON_NAMEaka. SYNONYMS

GOLD PRELUDE  (Back to overview)

aka: TA569, UNC1543

GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.


Associated Families
js.fakeupdates

References
2024-12-15MalwarebytesJérôme Segura
Malicious ad distributes SocGholish malware to Kaiser Permanente employees
FAKEUPDATES
2024-11-21IntrinsecCTI Intrinsec, Intrinsec
PROSPERO & Proton66: Uncovering the links between bulletproof networks
Coper SpyNote FAKEUPDATES GootLoader EugenLoader
2024-11-20IntrinsecEquipe CTI
PROSPERO & Proton66: Tracing Uncovering the links between bulletproof networks
Coper SpyNote FAKEUPDATES GootLoader EugenLoader IcedID Matanbuchus Nokoyawa Ransomware Pikabot
2024-09-30X (@GenThreatLabs)Gen Threat Labs
Tweet on FAKEUPDATES pushing WARMCOOKIE backdoor via compromised websites targeting France
FAKEUPDATES WarmCookie
2024-07-17Huntress LabsAlden Schmidt, Greg Linares, Matt Anderson
Fake Browser Updates Lead to BOINC Volunteer Computing Software
FAKEUPDATES MintsLoader AsyncRAT
2024-07-09SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2024
Coper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT QakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver
2024-07-02Malsada TechAaron Samala, April Bucaneg, Casey Kuwada
The LandUpdate808 Fake Update Variant
FAKEUPDATES
2024-04-30IntrinsecIntrinsec
Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery
FAKEUPDATES Matanbuchus
2024-01-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver
2023-12-12Check Point ResearchCheck Point
November 2023’s Most Wanted Malware: New AsyncRAT Campaign Discovered while FakeUpdates Re-Entered the Top Ten after Brief Hiatus
FAKEUPDATES AsyncRAT
2023-08-31Rapid7 LabsEvan McCann, Natalie Zargarov, Thomas Elkins, Tyler McGraw
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
FAKEUPDATES Amadey HijackLoader Lumma Stealer SectopRAT
2023-02-26ProofpointAndrew Northern
TA569: SocGholish and Beyond
FAKEUPDATES RedLine Stealer solarmarker
2022-11-07SentinelOneAleksandar Milenkoski
SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders
FAKEUPDATES
2022-10-27MicrosoftMicrosoft Threat Intelligence
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
FAKEUPDATES BumbleBee Clop Fauppod Raspberry Robin Roshtyak Silence DEV-0950 Mustard Tempest
2022-10-27MicrosoftMicrosoft Security Threat Intelligence
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
FAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak
2022-08-19nccgroupRoss Inman
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
FAKEUPDATES Cobalt Strike LockBit
2022-08-16SUCURIDenis Sinegubko
SocGholish: 5+ Years of Massive Website Infections
FAKEUPDATES
2022-07-30The Hacker NewsRavie Lakshmanan
Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers
FAKEUPDATES Raspberry Robin
2022-06-13Jorge TestaJorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-08Malwarebytes LabsThreat Intelligence Team
MakeMoney malvertising campaign adds fake update template
FAKEUPDATES
2022-06-02MandiantMandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-25Medium walmartglobaltechJason Reaves, Joshua Platt
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-06Twitter (@MsftSecIntel)Microsoft Security Intelligence
Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity
FAKEUPDATES Blister Cobalt Strike LockBit
2022-04-25CybereasonAleksandar Milenkoski, Loïc Castel, Yonatan Gidnian
THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems
FAKEUPDATES Zloader
2022-04-10Digital Information WorldHura Anwar
Threatening Redirect Web Service Instills Malicious Campaigns In Over 16,500 Websites
FAKEUPDATES
2022-04-07Avast DecodedJan Rubín, Pavel Novák
Parrot TDS takes over web servers and threatens millions
FAKEUPDATES Parrot TDS Parrot TDS WebShell NetSupportManager RAT
2022-04-05Trend MicroAbdelrhman Sharshar, Earle Maui Earnshaw, Ian Kenefick, Lucas Silva, Mohamed Fahmy, Ryan Maglaque
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload
FAKEUPDATES Blister LockBit
2022-04-05Trend MicroAbdelrhman Sharshar, Earle Maui Earnshaw, Ian Kenefick, Lucas Silva, Mohamed Fahmy, Ryan Maglaque
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs)
FAKEUPDATES Blister LockBit
2022-04-04LAC WATCHTakehiko Takagen
Confirmation of damage to domestic e-commerce sites, actual situation of Web skimming attacks and examples of countermeasures that Rack thinks (Water Pamola)
FAKEUPDATES
2022-03-22Red CanaryRed Canary
2022 Threat Detection Report
FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT
2022-02-26MandiantMandiant
TRENDING EVIL Q1 2022
KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot
2021-07-22ExpelEvan Reichard, Kyle Pellett, Ryan Gott, Tyler Fornes
Incident report: Spotting SocGholish WordPress injection
FAKEUPDATES
2021-01-01SecureworksSecureWorks
GOLD PRELUDE
GOLD PRELUDE
2020-12-17Menlo SecurityKrishnan Subramanian
Increase In Attack: SocGholish
FAKEUPDATES
2020-03-16MandiantKelli Vanderlee
They Come in the Night: Ransomware Deployment Trends
FAKEUPDATES
2018-04-10Malwarebytes LabsJérôme Segura
‘FakeUpdates’ campaign leverages multiple website platforms
FAKEUPDATES

Credits: MISP Project